Laad de volgende PowerShell-functie in de sessie (dot-source het bestand of plak de definitie in de console)…
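function Get-FailedLogons {
<#
.SYNOPSIS
Collects failed logon events (Security log, event ID 4625) from a computer.

.DESCRIPTION
Queries the Security log for event ID 4625 between StartTime and EndTime, flattens
each event's EventData into a PSCustomObject and optionally writes the result to a
CSV file. Get-WinEvent returns the newest events first, so MaxEvents caps the
result at the most recent N failures in the window.

Reading the Security log normally requires administrative rights or membership in
the "Event Log Readers" group on the target computer; a remote query additionally
needs RPC / Remote Event Log Management firewall access (not checked here).

.PARAMETER StartTime
Earliest event time to include. Defaults to 24 hours before now.

.PARAMETER EndTime
Latest event time to include. Defaults to now.

.PARAMETER MaxEvents
Upper bound on the number of events returned (newest first).

.PARAMETER ComputerName
Computer whose Security log is queried. Defaults to the local computer.

.PARAMETER ExportCsv
When set, the results are also written to CsvPath.

.PARAMETER CsvPath
Destination of the CSV export. Defaults to a timestamped file in $env:TEMP.

.OUTPUTS
One PSCustomObject per event (TimeCreated, TargetUserName, TargetDomainName,
FailureReason, Status, SubStatus, LogonType, IpAddress, ClientName, ProcessName,
EventRecordId, EventComputer). Nothing is returned when no event matches.

.NOTES
The EventData fields (TargetUserName, WorkstationName, ...) are supplied by whoever
attempted the logon and must be treated as untrusted: mistyped passwords may end up
in TargetUserName, and values starting with = + - @ can be interpreted as formulas
by spreadsheet software that opens the CSV. Restrict access to the export.
A query failure (access denied, RPC unreachable, ...) is rethrown with the
computer name; "no matching events" is NOT an error and yields an empty result.
#>
    [CmdletBinding()]
    param(
        [datetime] $StartTime = (Get-Date).AddDays(-1),
        [datetime] $EndTime = (Get-Date),
        [int] $MaxEvents = 10000,
        [string] $ComputerName = $env:COMPUTERNAME,
        [switch] $ExportCsv,
        [string] $CsvPath = "$env:TEMP\FailedLogons_$($ComputerName)_$(Get-Date -Format yyyyMMddHHmmss).csv"
    )

    # Returns the first non-empty value stored in $Table under any of $Keys, else ''.
    function Select-FirstValue {
        param([hashtable] $Table, [string[]] $Keys)
        foreach ($k in $Keys) {
            if ($Table[$k]) { return $Table[$k] }
        }
        return ''
    }

    # An inverted window can never match; fail early with a clear message instead
    # of surfacing Get-WinEvent's generic "no events" error.
    if ($StartTime -gt $EndTime) {
        throw "StartTime ($StartTime) must not be later than EndTime ($EndTime)."
    }

    # Filter for failed logon events only.
    $filter = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = $StartTime
        EndTime   = $EndTime
    }

    $events = @()
    try {
        $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop)
    }
    catch {
        # Under -ErrorAction Stop, Get-WinEvent turns "no events were found" into a
        # terminating error; an empty window is a valid outcome, not a read failure.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            Write-Verbose "No 4625 events found on $ComputerName between $StartTime and $EndTime."
        }
        else {
            throw "Failed to read event log on ${ComputerName}: $_"
        }
    }

    $out = foreach ($evt in $events) {
        $xml = [xml]$evt.ToXml()

        # Flatten <Data Name="..."> elements into name -> text. Unnamed elements
        # collapse onto the key 'Data' (last one wins), as in the original.
        $dataPairs = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $name = if ($d.Name) { $d.Name } else { 'Data' }
            $dataPairs[$name] = $d.'#text'
        }

        # Source address: 4625 uses IpAddress; the other keys are fallbacks.
        $ip = Select-FirstValue -Table $dataPairs -Keys @('IpAddress', 'Ip', 'SourceNetworkAddress', 'SourceIp', 'NetworkAddress', 'Address')
        # '-' means the field was not populated; '::1' is the IPv6 loopback.
        if ($ip -eq '-' -or $ip -eq '::1') { $ip = '' }

        # Workstation / client name, if the logon provider supplied one.
        $client = Select-FirstValue -Table $dataPairs -Keys @('WorkstationName', 'Workstation', 'SourceHost', 'ClientName', 'ComputerName')

        [pscustomobject]@{
            TimeCreated      = $evt.TimeCreated
            TargetUserName   = $dataPairs['TargetUserName']
            TargetDomainName = $dataPairs['TargetDomainName']
            FailureReason    = $dataPairs['FailureReason']
            Status           = $dataPairs['Status']
            SubStatus        = $dataPairs['SubStatus']
            LogonType        = $dataPairs['LogonType']
            IpAddress        = $ip
            ClientName       = $client
            ProcessName      = $dataPairs['ProcessName']
            EventRecordId    = $evt.RecordId
            EventComputer    = $ComputerName
        }
    }

    if ($ExportCsv) {
        # @() makes .Count reliable whether $out is null, one object or many.
        $count = @($out).Count
        if ($count -gt 0) {
            $out | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
            Write-Host "Exported $count events to $CsvPath"
        }
        else {
            Write-Verbose "Nothing to export; no CSV written to $CsvPath."
        }
    }

    return $out
}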
Voer vervolgens onderstaand uit (dit vereist leesrechten op het Security-logboek, doorgaans een verhoogde sessie of lidmaatschap van de groep "Event Log Readers")…
# Last 24 hours of 4625 events on the local machine, rendered as a table.
Get-FailedLogons |
    Format-Table -Property TimeCreated, TargetUserName, IpAddress, ClientName, FailureReason -AutoSize