eventlog Archives - IT-Admins

Search the Windows Security Eventlog for a string / text

Lately I had to search a lot through logs – as you can tell by all my postings… I just had to create yet another script that allows you to search through the Windows Security Eventlog – while the script is easily adjustable to other log types like application log or system log.

It’s not the most pretty script – but it certainly works. Don’t be surprised if the script takes it sweet time – it might be it needs to read through a lot of eventlog entries.

param(
    [string] $RemoteComputer = "",
    [string] $SearchString = "",
	[int] 	 $MaxAgeHours = 24,
    [bool]   $FullDetails = $false
)

$Query = @"
<QueryList>
    <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
  </Query>
</QueryList>
"@

if ($RemoteComputer.Length -gt 0){
	if ($FullDetails) {
		Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) -ComputerName $RemoteComputer |fl
	} else {
		Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) -ComputerName $RemoteComputer |ft
	}
} else {
	if ($FullDetails) {
		Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) |fl
	} else {
		Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) |ft
	}
}

param(

[string] $RemoteComputer = "",

[string] $SearchString = "",

[int] $MaxAgeHours = 24,

[bool] $FullDetails = $false

)

$Query = @"

</Query>

</QueryList>

if ($RemoteComputer.Length -gt 0){

if ($FullDetails) {

Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) -ComputerName $RemoteComputer |fl

} else {

Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) -ComputerName $RemoteComputer |ft

}

} else {

if ($FullDetails) {

Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) |fl

} else {

Get-EventLog -LogName Security -Message "*$SearchString*" -After (Get-Date).AddHours(-$MaxAgeHours) |ft

}

Active Directory password reset events and group change events

The script below uses the security event log on defined DCs within your Active Directory to export events related to certain activities. Eventually the script will export this even to an email and send it to you as a report – if needed.

As is – the script will specifically look for those events

4724 – a user password was reset by an administrator respective via Active Directory Users and Groups MMC (or similar)
4728 – a user was added to a security group
4729 – a user was removed from a security group

There are more events – specifically events related to adding/removing users from distribution groups etc. – for the purpose of for what I wrote the script, I did not need this. Still, I thought it is worth publishing this, as others might find it helpful.

To add more events – just adjust line 19 – eventually just add more “or EventID=1234” statements – should be rather easy… in theory you could build that out as a parameter as well and inject it via the script.

param(
    [string] $DomainControllers = "",
    [bool]   $FullDetails = $false,
    [int]    $HoursInThePast = 24,
    [bool]   $SendMail = $false,
    [string] $SMTPfrom = "",
    [string] $SMTPto = "",
    [string] $SMTPsubject = "",
    [string] $SMTPserver = ""
)

#4724 - user PW reset by admin
#4728 - user added to security group
#4729 - user removed from security group

$Query = @"
<QueryList>
    <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4724 or EventID=4728 or EventID=4729)]]</Select>
  </Query>
</QueryList>
"@

If ($DomainControllers.Length -eq 0) {
    Import-Module ActiveDirectory
    $DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
    ForEach($DC In $DomainControllers) {
        Write-Host "checking DC: $DC"
        $OutPut += "Export from DC: $DC" 
        $OutPut += ""
        If ($FullDetails) {
            $OutPut += Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | fl | Out-String
        } Else {
            $OutPut += Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | ft | Out-String
        }
    }
} Else {
    $DCs = $DomainControllers.Split(',')
    foreach ($DomainController in $DCs) {
        Write-Host "checking DC: $DomainController"
        $OutPut += "Export from DC: $DomainController" 
        $OutPut += ""
        If ($FullDetails) {
            $OutPut += Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | fl | Out-String
        } Else {
            $OutPut += Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | ft | Out-String
        }
    }
}

$OutPut

if ($SendMail) {
    Send-MailMessage -From $SMTPfrom -to $SMTPto -Subject $SMTPsubject -Body $OutPut -SmtpServer $SMTPserver
}

param(

[string] $DomainControllers = "",

[bool] $FullDetails = $false,

[int] $HoursInThePast = 24,

[bool] $SendMail = $false,

[string] $SMTPfrom = "",

[string] $SMTPto = "",

[string] $SMTPsubject = "",

[string] $SMTPserver = ""

)

#4724 - user PW reset by admin

#4728 - user added to security group

#4729 - user removed from security group

$Query = @"

<Select Path="Security">*[System[(EventID=4724 or EventID=4728 or EventID=4729)]]</Select>

</Query>

</QueryList>

If ($DomainControllers.Length -eq 0) {

Import-Module ActiveDirectory

$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

ForEach($DC In $DomainControllers) {

Write-Host "checking DC: $DC"

$OutPut += "Export from DC: $DC"

$OutPut += ""

If ($FullDetails) {

$OutPut += Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | fl | Out-String

} Else {

$OutPut += Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | ft | Out-String

}

} Else {

$DCs = $DomainControllers.Split(',')

foreach ($DomainController in $DCs) {

Write-Host "checking DC: $DomainController"

$OutPut += "Export from DC: $DomainController"

$OutPut += ""

If ($FullDetails) {

$OutPut += Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | fl | Out-String

} Else {

$OutPut += Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | ft | Out-String

}

$OutPut

if ($SendMail) {

Send-MailMessage -From $SMTPfrom -to $SMTPto -Subject $SMTPsubject -Body $OutPut -SmtpServer $SMTPserver

}

August 1, 2019 by Florian Rossmark scripts security server

Find user account lockout events

There are various ways and tools to tackle this – in the end it boils down to a few facts

account lockouts are logged per domain controller – to be more specific – only on the DC where the lockout happened
- this can be complicated in bigger environments
the lockout event 4771 does not necessarily reveal the initial reason – but it should give you enough information about where it occurred to further investigate

The manual way via Eventlog / Eventviewer in Windows on a DC

right click on the SECURITY eventlog
select Filter Current Log
go to the register card XML
check the box Edit query manually
Insert the XML code below – make sure you replace the USERNAMEHERE value with the actual username
1. no domain
2. exact username
3. NOT case sensitive

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4771)]][EventData[Data[@Name='TargetUserName'] and (Data='USERNAMEHERE')]]</Select>
  </Query>
</QueryList>

<Select Path="Security">*[System[(EventID=4771)]][EventData[Data[@Name='TargetUserName'] and (Data='USERNAMEHERE')]]</Select>

</Query>

</QueryList>

This results in to a filtered eventlog view for the event id 4771 and the username you specified.

Using PowerShell to automate this

PowerShell can execute a script that would give you the same output – I wrote the script below. It expects at least the parameter UserName – see below for more information.

UserName
- this parameter is mandatory – the exact username without the domain, this is NOT case sensitive
DomainController
- specify this to narrow it down to a single DC – otherwise all domain controllers will be contacted (might take a while)
FullDetails
- set it to $true if you want to see details – otherwise you get only the table format
Example
- Find-AccountLockoutOnDCForUser.ps1 -FullDetails $true -UserName JDoe

param(
    [string] $DomainController = "",
    [string] $UserName = "",
    [bool]   $FullDetails = $false
)

$Query = @"
<QueryList>
    <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4771)]][EventData[Data[@Name='TargetUserName'] and (Data='$UserName')]]</Select>
  </Query>
</QueryList>
"@

If ($DomainController.Length -eq 0) {
    Import-Module ActiveDirectory
    $DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
    ForEach($DC In $DomainControllers) {
        Write-Host "checking DC: $DC"
        If ($FullDetails) {
            Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | fl
        } Else {
            Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | ft
        }
    }
} Else {
    If ($FullDetails) {
        Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | fl
    } Else {
        Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | ft
    }
}

param(

[string] $DomainController = "",

[string] $UserName = "",

[bool] $FullDetails = $false

)

$Query = @"

<Select Path="Security">*[System[(EventID=4771)]][EventData[Data[@Name='TargetUserName'] and (Data='$UserName')]]</Select>

</Query>

</QueryList>

If ($DomainController.Length -eq 0) {

Import-Module ActiveDirectory

$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

ForEach($DC In $DomainControllers) {

Write-Host "checking DC: $DC"

If ($FullDetails) {

Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | fl

} Else {

Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | ft

}

} Else {

If ($FullDetails) {

Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | fl

} Else {

Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | ft

}

February 20, 2019 by Florian Rossmark scripts security server

eventlog

Search the Windows Security Eventlog for a string / text

Active Directory password reset events and group change events

Find user account lockout events

Recent blog posts

Blog Archives

eventlog

Recent blog posts

Blog Archives

Tags