Category filter

Script to fetch login history on Windows devices

Auditing every user’s attempt to log on and log off from a device helps monitor the user account activities and track any potential security breaches. On Windows, such user login history is generated and stored automatically on the device. With the help of Windows Event Viewer, an administrative tool that gathers information about hardware, software, and system problems and monitors Windows security events, one can fetch the user login history directly from the device. To make the processes easier, you can also use a script that enables administrators to fetch the user logins and log-offs directly from the Hexnode console. The Execute Custom Script action streamlines the process of executing customized scripts to perform any specific operations.

Disclaimer:

The Sample Scripts provided below are adapted from third-party Open-Source sites.

auditpol /set /subcategory:"Logon" /success:enable /failure:enable 

auditpol /set /subcategory:"Logoff" /success:enable /failure:enable 

$string1 = "auditpol /set /subcategory:`"Logon`" /success:enable /failure:enable 

auditpol /set /subcategory:`"Logoff`" /success:enable /failure:enable" 

$path1 = "C:\hexnode\user_logs.bat" 


if (-NOT (Test-Path -Path $path1))  

{Add-Content C:\hexnode\user_logs.bat$string1} 


$SourceFilePath = "C:\hexnode\user_logs.bat" 

$ShortcutPath = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\" 

$path2 = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\user_logs.bat" 

  
if (-NOT (Test-Path -Path $path2))  

{Copy-Item $SourceFilePath $ShortcutPath}

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

auditpol /set /subcategory:"Logoff" /success:enable /failure:enable

$string1 = "auditpol /set /subcategory:`"Logon`" /success:enable /failure:enable

auditpol /set /subcategory:`"Logoff`" /success:enable /failure:enable"

$path1 = "C:\hexnode\user_logs.bat"

if (-NOT (Test-Path -Path $path1))

{Add-Content C:\hexnode\user_logs.bat$string1}

$SourceFilePath = "C:\hexnode\user_logs.bat"

$ShortcutPath = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\"

$path2 = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\user_logs.bat"

if (-NOT (Test-Path -Path $path2))

{Copy-Item $SourceFilePath $ShortcutPath}

Initially, execute the above script. This PowerShell script enables the auditing of the logins and logoffs performed on the device. It creates an executable Batch file user_logs.bat that contains the commands to enable the auditing of user logins and logoffs. The executable file is configured to run at every device start by placing it in the path “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\”.

Next, you can run the scripts below to filter out the login history.

1. List logins

To display the list of successful and failed logins on the device, execute the script below, replacing <count> with the number of events to be displayed in the output.

Get-WinEvent -FilterHashtable @{LogName="Security";ID=4648} -MaxEvents <count> | Format-Table -Wrap

1	Get-WinEvent -FilterHashtable @{LogName="Security";ID=4648} -MaxEvents <count> \| Format-Table -Wrap

2. List logoffs

To display the list of logoffs on the device, execute the script below after replacing <count> with the required number of events to be displayed in the output.

Get-WinEvent -FilterHashtable @{LogName="Security";ID=4647} -MaxEvents <count> | Format-Table -Wrap

1	Get-WinEvent -FilterHashtable @{LogName="Security";ID=4647} -MaxEvents <count> \| Format-Table -Wrap

Notes:

It is recommended to manually validate the script execution on a system before executing the action in bulk.
Hexnode will not be responsible for any damage/loss to the system on the behavior of the script.

Need more help?

Raise a Ticket

Ask Community

Chat With us

Script to fetch login history on Windows devices

List login history

1. List logins

2. List logoffs