FailedLogons.ps1
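# Collects failed-logon events (Security log, event ID 4625) from the local
# machine and summarises each one as time / event ID / target account / reason.
# The result is left in $myObject as an array of PSCustomObject rows.
#
# Reading the Security log normally needs an elevated session (or membership in
# a group that is allowed to read it); without that, Get-WinEvent reports an
# error and $myObject stays empty, which must not be read as "no failed logons".

$EventLogs = Get-WinEvent -ComputerName localhost -FilterHashtable @{
    LogName = 'Security'
    ID      = 4625
}

# NOTE: the fields are recovered from the rendered message text, so these
# patterns only match the English wording of the event. On a host with another
# display language they will not match and User/Reason come back as $null.
# The structured event data (e.g. via $LogEntry.ToXml()) is the
# language-independent source if that matters for your fleet.
#
# Each pattern captures the text after the label up to the next ':' or line
# break, which is what the chained split/trim steps used to produce.
$AccountPattern = '(?s)Account For Which Logon Failed:.*?Account Name:([^:\n]*)'
$ReasonPattern  = 'Failure Reason:([^:\n]*)'

# Emitting rows from the loop and collecting them once avoids re-allocating the
# array on every "+=". The @() wrapper keeps $myObject an array even when there
# are zero or one events. The loop variable is not called $event because that
# name is a PowerShell automatic variable.
$myObject = @(
    Foreach ($LogEntry in $EventLogs)
    {
        [string]$Item = $LogEntry.Message

        # Reset per event so a message without the expected labels yields $null
        # instead of a Substring(-1) exception and leftover values from the
        # previous iteration.
        $AccountName = $null
        $Reason      = $null

        $AccountMatch = [regex]::Match($Item, $AccountPattern)
        if ($AccountMatch.Success)
        {
            $AccountName = $AccountMatch.Groups[1].Value.Trim()
        }

        $ReasonMatch = [regex]::Match($Item, $ReasonPattern)
        if ($ReasonMatch.Success)
        {
            $Reason = $ReasonMatch.Groups[1].Value.Trim()
        }

        [PSCustomObject]@{
            TimeCreated = $LogEntry.TimeCreated
            ID          = $LogEntry.Id
            User        = $AccountName
            Reason      = $Reason
        }
    }
)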