It is faster to get events from the Security log locally then it is remotely. Get-LogonEvents.ps1 gets event 4624 using an XPath syntax query remotely executed with Invoke-Command:
<#
This is used to get interactive logon and unlock events from a remote PC
Alan Kaplan, www.akaplan.com 4/14/2020
Public version 12/24/21
#>
Param (
[Parameter(Mandatory = $True)]
[string]$ComputerName = $env:Computername
)
$Xpath = @"
*[System[(EventID='4624')]]
and *[EventData[Data[@Name='LogonType']
and (Data=`"2`" or Data=`"7`" or Data=`"10`" or Data=`"11`")]]
"@
Write-Host "Getting interactive logon and unlock events from $ComputerName" -ForegroundColor green
Try {
#run the command on the remote machine for huge speed improvement
$events = invoke-command -ErrorAction stop -computername $ComputerName {
#Define Logon types
$LogonTypes = @{
2 = "Interactive"
3 = "Network"
4 = "Batch"
5 = "ServiceStart"
7 = "Unlock"
8 = "NetworkCleartext"
9 = "NewCredentials"
10 = "RemoteInteractive"
11 = "CachedInteractive"
}
$params = @{
ProviderName = 'Microsoft-Windows-Security-Auditing'
FilterXPath = $using:Xpath
ErrorAction = 'Stop'
}
Get-WinEvent @params | ForEach-Object {
$dom = [string]$_.Properties[6].value.ToString()
$UserName = $dom + '\' + $_.Properties[5].value.ToString()
If (($username -inotmatch 'Window Manager') -and ($dom -notmatch ' ') ) {
$origin = $_.Properties[18].value
if ($origin -in ('::1', '127.0.0.1')) {
$from = 'Local Logon'
}
Else {
$from = $origin
}
[PSCustomObject]@{
LogonTime = $_.TimeCreated
From = $From
UserName = $UserName
LogonType = $LogonTypes.Item([int]$_.Properties[8].value)
}
}
}
}
if ($events.count -eq 0) {
Write-Host "No interactive or cached logon events found on $computername"
}
Else {
$events | Where-Object {$_.From -ne '-'} | Select-Object * -ExcludeProperty psComputerName, RunspaceID |
Out-GridView -Title "Logon Events for $ComputerName. Selected are copied to the clipboard" -PassThru | Set-clipboard
}
}
Catch {
Write-Warning $error[0].exception.message
Pause
}