## Description
Retrieves authentication event logs (Event IDs 4624 and 4634) from a target system, processes the login attempts, and aggregates logon type counts per user and IP address.
## Overview
The script queries the Windows Security log of a specified target system for logon-related events: successful logons (4624) and logoffs (4634). It supports two authentication methods:
- Impersonation: Uses the current session’s credentials.
- Username/Password: Explicitly provides login credentials.
The script extracts key details from the logs, such as:
- Usernames, domains, and workstation names
- IP addresses of logins
- Logon types (e.g., interactive, network, batch, etc.)
It then organizes the data into a hashtable, grouping login events by user, domain, and IP address. The logon types (0-11) are counted per user and displayed in a structured output sorted by key (user & IP). This provides a clear summary of login activity per system.
| Logon Type | Description |
|---|---|
| 0 | Unknown – An invalid or undefined logon type. May indicate a malformed event. |
| 1 | System – Used for system-level logons like Windows startup processes. |
| 2 | Interactive – A user logged on at the keyboard and screen of the system. |
| 3 | Network – A user or computer logged on to this computer from the network. |
| 4 | Batch – Used for batch servers, where processes may run without user input. |
| 5 | Service – A service was started by the Service Control Manager. |
| 6 | Proxy – A proxy logon occurred. Used internally by services like IIS. |
| 7 | Unlock – This workstation was unlocked. |
| 8 | NetworkCleartext – A user logged on with network credentials sent in cleartext. |
| 9 | NewCredentials – A user logged on with alternate credentials (e.g., RunAs). |
| 10 | RemoteInteractive – A user logged on using Remote Desktop. |
| 11 | CachedInteractive – A user logged on with cached domain credentials. |
## Parameters
| Name | Type | Description |
|---|---|---|
| Target | string | The IP address or hostname of the system to query. |
| Username | string | The local or domain username to authenticate with. |
| Password | string | The password for the specified user. |
| Max | int | The maximum number of events to retrieve. |
| ExcludeUserFilter | string[] | A set of filters to remove users from the output. |
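As an added example (not the script's own code), the PowerShell below shows the processing the Overview and Parameters sections describe: a `Get-WinEvent` query for 4624/4634 events with optional explicit credentials, parsing of the named EventData fields, aggregation of logon-type counts per workstation, IP, domain and user, the `ExcludeUserFilter` behaviour, and a defender's filter over the result. The function names, the composite key layout and the sample events are assumptions; the sample events are constructed so that the aggregation runs offline.

```powershell
# Added example, not the script's own code. Function names, the key layout and the
# sample events below are assumptions made for illustration.

function Get-LiveLogonEvents {
    # Live query path (hypothetical wrapper). Omit -Credential to use the current
    # session's identity (the "Impersonation" mode above); pass one for the
    # "Username/Password" mode. -Max maps to Get-WinEvent -MaxEvents.
    param(
        [Parameter(Mandatory)][string]$Target,
        [pscredential]$Credential,
        [int]$Max = 1000
    )
    $splat = @{
        ComputerName    = $Target
        FilterHashtable = @{ LogName = 'Security'; Id = 4624, 4634 }
        MaxEvents       = $Max
    }
    if ($Credential) { $splat.Credential = $Credential }
    Get-WinEvent @splat | ForEach-Object {
        # Read EventData by field name instead of positional index; 4634 carries no
        # WorkstationName or IpAddress, so those stay empty for logoff events.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        [pscustomobject]@{
            Id               = $_.Id
            WorkstationName  = $d['WorkstationName']
            IpAddress        = $d['IpAddress']
            TargetDomainName = $d['TargetDomainName']
            TargetUserName   = $d['TargetUserName']
            LogonType        = [int]$d['LogonType']
        }
    }
}

function Get-ConstructedLogonEvents {
    # Constructed sample events standing in for the parsed output above (not real log data)
    $rows = @(
        @{ Id = 4624; WorkstationName = 'WKST-001'; IpAddress = '127.0.0.1'; TargetDomainName = 'LAB';      TargetUserName = 'administrator'; LogonType = 2 },
        @{ Id = 4624; WorkstationName = 'WKST-001'; IpAddress = '10.0.0.5';  TargetDomainName = 'LAB';      TargetUserName = 'helpdesk';      LogonType = 10 },
        @{ Id = 4624; WorkstationName = 'WKST-001'; IpAddress = '10.0.0.5';  TargetDomainName = 'LAB';      TargetUserName = 'helpdesk';      LogonType = 10 },
        @{ Id = 4624; WorkstationName = 'WKST-001'; IpAddress = '10.0.0.9';  TargetDomainName = 'LAB';      TargetUserName = 'svc-backup';    LogonType = 8 },
        @{ Id = 4634; WorkstationName = '';         IpAddress = '';          TargetDomainName = 'LAB';      TargetUserName = 'helpdesk';      LogonType = 10 },
        @{ Id = 4624; WorkstationName = 'WKST-001'; IpAddress = '127.0.0.1'; TargetDomainName = 'WKST-001'; TargetUserName = 'defaultuser0';  LogonType = 2 }
    )
    $rows | ForEach-Object { [pscustomobject]$_ }
}

function Get-LogonTypeSummary {
    # Groups events by workstation, IP, domain and user, counting logon types 0-11 per group
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$ExcludeUserFilter = @()
    )
    $summary = @{}
    foreach ($e in $Events) {
        # Drop users matching any exclusion pattern (-like, so wildcards work)
        $skip = $false
        foreach ($f in $ExcludeUserFilter) { if ($e.TargetUserName -like $f) { $skip = $true; break } }
        if ($skip) { continue }
        $key = '{0}|{1}|{2}|{3}' -f $e.TargetUserName, $e.IpAddress, $e.TargetDomainName, $e.WorkstationName
        if (-not $summary.ContainsKey($key)) {
            $row = [ordered]@{
                WorkstationName  = $e.WorkstationName
                IpAddress        = $e.IpAddress
                TargetDomainName = $e.TargetDomainName
                TargetUserName   = $e.TargetUserName
            }
            foreach ($t in 0..11) { $row["$t"] = 0 }
            $summary[$key] = $row
        }
        # Types outside 0-11 (e.g. 12/13 on newer Windows) are counted under 0 (Unknown); an assumption
        $t = if ($e.LogonType -ge 0 -and $e.LogonType -le 11) { $e.LogonType } else { 0 }
        $summary[$key]["$t"] = $summary[$key]["$t"] + 1
    }
    # Sort by key (user, then IP) so related rows sit together, as in the example output
    foreach ($k in ($summary.Keys | Sort-Object)) { [pscustomobject]$summary[$k] }
}

function Get-LogonRowsToReview {
    # Defender's filter: rows with cleartext (8) or Remote Desktop (10) logons merit a look
    param([Parameter(Mandatory)][object[]]$Summary)
    $Summary | Where-Object { $_.'8' -gt 0 -or $_.'10' -gt 0 }
}

$summary = Get-LogonTypeSummary -Events (Get-ConstructedLogonEvents) -ExcludeUserFilter 'defaultuser*'
$summary | Format-Table -AutoSize
Get-LogonRowsToReview -Summary $summary | Format-Table -AutoSize
```

With the constructed input, `defaultuser0` is dropped by the filter, the two `helpdesk` logons from 10.0.0.5 collapse into one row with `10` = 2, and the 4634 logoff produces its own row with empty workstation and IP, which is why the example output below has rows whose first two columns are blank. Against live data, replace `Get-ConstructedLogonEvents` with `Get-LiveLogonEvents -Target <host>`; reading the fields by name from `ToXml()` avoids relying on positional `Properties` indices, which differ between 4624 and 4634.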
## Example Output
```
WorkstationName IpAddress TargetDomainName TargetUserName 0 1 2  3 4 5 6 7 8 9 10 11
--------------- --------- ---------------- -------------- - - -- - - - - - - - -- --
                          DESKTOP-835KS5V  defaultuser0   0 0 2  0 0 0 0 0 0 0  0  0
WIN-F739KPIIAPP -         DESKTOP-835KS5V  defaultuser0   0 0 2  0 0 0 0 0 0 0  0  0
WIN-F739KPIIAPP 127.0.0.1 DESKTOP-835KS5V  defaultuser0   0 0 2  0 0 0 0 0 0 0  0  0
                          DESKTOP-835KS5V  helpdesk       0 0 6  0 0 0 0 0 0 0  0  0
WIN-F739KPIIAPP -         DESKTOP-835KS5V  helpdesk       0 0 2  0 0 0 0 0 0 0  0  0
WIN-F739KPIIAPP 127.0.0.1 DESKTOP-835KS5V  helpdesk       0 0 10 0 0 0 0 0 0 0  0  0
WKST-001        127.0.0.1 LAB              administrator  0 0 2  0 0 0 0 0 0 0  0  0
                          WKST-001         helpdesk       0 0 2  0 0 0 0 0 0 0  0  0
WKST-001        127.0.0.1 WKST-001         helpdesk       0 0 6  0 0 0 0 0 0 0  0  0
```
