As the description, I need to write a powershell script that watches over a folder. And when changes have been made(creation of file, delete, modification) I need to get these changes to get to the windows application log.
This is my code:
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "C:\Users\Administrator\Desktop\delete-file-event"
$watcher.Filter = "*.*"
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true
$action = {
New-EventLog -LogName Application -source "logs"
Write-EventLog -LogName Application -Source "logs" -EntryType Information -EventId 1 -Message "nothing in here"
$path = $Event.SourceEventArgs.FullPath
$changeType = $Event.SourceEventArgs.ChangeType
$logline = "$(Get-Date), $changeType, $path"
Add-content "C:\Users\Administrator\Desktop\delete-file-event\log.txt" -value $logline
}
Register-ObjectEvent $watcher "Created" -Action $action
Register-ObjectEvent $watcher "Deleted" -Action $action
Register-ObjectEvent $watcher "Renamed" -Action $action
while ($true) {sleep 5}
At this moment it will get to the application logs but that's because of
Code:
New-EventLog -LogName Application -source "logs"
Write-EventLog -LogName Application -Source "logs" -EntryType Information -EventId 1 -Message "nothing in here"
I would really appreciate some help here. Thanks in advance.
Related
We have a few computers that are used in a lab for processing and users can log in directly on-site or via remote desktop. We are trying to clean up the machines and decided to remove user folders for those who have not logged on in the past year. I am able to use windows event viewer to find the information, but I haven't figured out a way to export the information I need.
I found this script which seems to do exactly what I need, except I'm getting the following error when I run it: https://github.com/adbertram/Random-PowerShell-Work/blob/master/ActiveDirectory/Get-UserLogonSessionHistory.ps1
PS C:\Users\vmc\Documents> .\userevents.ps1
Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized
operation..
At C:\Users\vmc\Documents\userevents.ps1:48 char:29
+ ... ($events = Get-WinEvent -ComputerName $computer -LogName $logNames - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand
Get-WinEvent : There is not an event log on the BIGBERTHA computer that matches "Security".
At C:\Users\vmc\Documents\userevents.ps1:48 char:29
+ ... ($events = Get-WinEvent -ComputerName $computer -LogName $logNames - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Security:String) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingLogsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
C:\Users\vmc\Documents\userevents.ps1 : A positional parameter cannot be found that accepts argument '.'.
At line:1 char:1
+ .\userevents.ps1
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [userevents.ps1], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,userevents.ps1
I do have a log called 'Security' when I look at the Windows Event Viewer, so I'm not sure why I can't query this log?
Thank you for any help- suggestions to get this script to run or another way to compile this list are very much appreciated!
Script from the link (saved to userevents.ps1, called from powershell above)
<#
.SYNOPSIS
This script finds all logon, logoff and total active session times of all users on all computers specified. For this script
to function as expected, the advanced AD policies; Audit Logon, Audit Logoff and Audit Other Logon/Logoff Events must be
enabled and targeted to the appropriate computers via GPO or local policy.
.EXAMPLE
.PARAMETER ComputerName
An array of computer names to search for events on. If this is not provided, the script will search the local computer.
.INPUTS
None. You cannot pipe objects to Get-ActiveDirectoryUserActivity.ps1.
.OUTPUTS
None. If successful, this script does not output anything.
#>
[CmdletBinding()]
param
(
[Parameter()]
[ValidateNotNullOrEmpty()]
[string[]]$ComputerName = $Env:COMPUTERNAME
)
try {
#region Defie all of the events to indicate session start or top
$sessionEvents = #(
#{ 'Label' = 'Logon'; 'EventType' = 'SessionStart'; 'LogName' = 'Security'; 'ID' = 4624 } ## Advanced Audit Policy --> Audit Logon
#{ 'Label' = 'Logoff'; 'EventType' = 'SessionStop'; 'LogName' = 'Security'; 'ID' = 4647 } ## Advanced Audit Policy --> Audit Logoff
#{ 'Label' = 'Startup'; 'EventType' = 'SessionStop'; 'LogName' = 'System'; 'ID' = 6005 }
#{ 'Label' = 'RdpSessionReconnect'; 'EventType' = 'SessionStart'; 'LogName' = 'Security'; 'ID' = 4778 } ## Advanced Audit Policy --> Audit Other Logon/Logoff Events
#{ 'Label' = 'RdpSessionDisconnect'; 'EventType' = 'SessionStop'; 'LogName' = 'Security'; 'ID' = 4779 } ## Advanced Audit Policy --> Audit Other Logon/Logoff Events
#{ 'Label' = 'Locked'; 'EventType' = 'SessionStop'; 'LogName' = 'Security'; 'ID' = 4800 } ## Advanced Audit Policy --> Audit Other Logon/Logoff Events
#{ 'Label' = 'Unlocked'; 'EventType' = 'SessionStart'; 'LogName' = 'Security'; 'ID' = 4801 } ## Advanced Audit Policy --> Audit Other Logon/Logoff Events
)
## All of the IDs that designate when user activity starts
$sessionStartIds = ($sessionEvents | where { $_.EventType -eq 'SessionStart' }).ID
## All of the IDs that designate when user activity stops
$sessionStopIds = ($sessionEvents | where { $_.EventType -eq 'SessionStop' }).ID
#endregion
## Define all of the log names we'll be querying
$logNames = ($sessionEvents.LogName | select -Unique)
## Grab all of the interesting IDs we'll be looking for
$ids = $sessionEvents.Id
## Build the insane XPath query for the security event log in order to query events as fast as possible
$logonXPath = "Event[System[EventID=4624]] and Event[EventData[Data[#Name='TargetDomainName'] != 'Window Manager']] and Event[EventData[Data[#Name='TargetDomainName'] != 'NT AUTHORITY']] and (Event[EventData[Data[#Name='LogonType'] = '2']] or Event[EventData[Data[#Name='LogonType'] = '11']])"
$otherXpath = 'Event[System[({0})]]' -f "EventID=$((#($ids).where({ $_ -ne '4624' })) -join ' or EventID=')"
$xPath = '({0}) or ({1})' -f $logonXPath, $otherXpath
foreach ($computer in $ComputerName) {
## Query each computer's event logs using the Xpath filter
if (-not ($events = Get-WinEvent -ComputerName $computer -LogName $logNames -FilterXPath $xPath)) {
Write-Warning -Message 'No logon events found'.
} else {
Write-Verbose -Message "Found [$($events.Count)] events to look through"
## Set up the output object
$output = [ordered]#{
'ComputerName' = $computer
'Username' = $null
'StartTime' = $null
'StartAction' = $null
'StopTime' = $null
'StopAction' = $null
'Session Active (Days)' = $null
'Session Active (Min)' = $null
}
## Need current users because if no stop time, they're still probably logged in
$getGimInstanceParams = #{
ClassName = 'Win32_ComputerSystem'
}
if ($computer -ne $Env:COMPUTERNAME) {
$getGimInstanceParams.ComputerName = $computer
}
$loggedInUsers = Get-CimInstance #getGimInstanceParams | Select-Object -ExpandProperty UserName | foreach { $_.split('\')[1] }
## Find all user start activity events and begin parsing
#($events).where({ $_.Id -in $sessionStartIds }).foreach({
try {
$logonEvtId = $_.Id
$output.StartAction = #($sessionEvents).where({ $_.ID -eq $logonEvtId }).Label
$xEvt = [xml]$_.ToXml()
## Figure out the login session ID
$output.Username = ($xEvt.Event.EventData.Data | where { $_.Name -eq 'TargetUserName' }).'#text'
$logonId = ($xEvt.Event.EventData.Data | where { $_.Name -eq 'TargetLogonId' }).'#text'
if (-not $logonId) {
$logonId = ($xEvt.Event.EventData.Data | where { $_.Name -eq 'LogonId' }).'#text'
}
$output.StartTime = $_.TimeCreated
Write-Verbose -Message "New session start event found: event ID [$($logonEvtId)] username [$($output.Username)] logonID [$($logonId)] time [$($output.StartTime)]"
## Try to match up the user activity end event with the start event we're processing
if (-not ($sessionEndEvent = #($Events).where({ ## If a user activity end event could not be found, assume the user is still logged on
$_.TimeCreated -gt $output.StartTime -and
$_.ID -in $sessionStopIds -and
(([xml]$_.ToXml()).Event.EventData.Data | where { $_.Name -eq 'TargetLogonId' }).'#text' -eq $logonId
})) | select -last 1) {
if ($output.UserName -in $loggedInUsers) {
$output.StopTime = Get-Date
$output.StopAction = 'Still logged in'
} else {
throw "Could not find a session end event for logon ID [$($logonId)]."
}
} else {
## Capture the user activity end time
$output.StopTime = $sessionEndEvent.TimeCreated
Write-Verbose -Message "Session stop ID is [$($sessionEndEvent.Id)]"
$output.StopAction = #($sessionEvents).where({ $_.ID -eq $sessionEndEvent.Id }).Label
}
$sessionTimespan = New-TimeSpan -Start $output.StartTime -End $output.StopTime
$output.'Session Active (Days)' = [math]::Round($sessionTimespan.TotalDays, 2)
$output.'Session Active (Min)' = [math]::Round($sessionTimespan.TotalMinutes, 2)
[pscustomobject]$output
} catch {
Write-Warning -Message $_.Exception.Message
}
})
}
}
} catch {
$PSCmdlet.ThrowTerminatingError($_)
}
First you got this error:
Attempted to perform an unauthorized
And:
There is not an event log on the BIGBERTHA computer that matches "Security"
This clearly indicates that the account used to run the query against the remote computer does not have the necesssary permission. You can't access the and/or find the Security Log because of insufficient acces rights.
In your 2nd run with the right account and elevated shell you did get further, because you now get the error:
The specified query is invalid
That means you have been able to connect to the remote computer and read the security log but get-winevent could not execute the operation because the query syntax is invalid.
This part of the code builds the filter:
$logonXPath = "Event[System[EventID=4624]] and Event[EventData[Data[#Name='TargetDomainName'] != 'Window Manager']] and Event[EventData[Data[#Name='TargetDomainName'] != 'NT AUTHORITY']] and (Event[EventData[Data[#Name='LogonType'] = '2']] or Event[EventData[Data[#Name='LogonType'] = '11']])"
$otherXpath = 'Event[System[({0})]]' -f "EventID=$((#($ids).where({ $_ -ne '4624' })) -join ' or EventID=')"
$xPath = '({0}) or ({1})' -f $logonXPath, $otherXpath
The scripts works for me... but in the end you do not need the whole functionality, think this will help:
#Query
$XPath = "Event[System[EventID=4624]] and Event[EventData[Data[#Name='TargetDomainName'] != 'Window Manager']] and Event[EventData[Data[#Name='TargetDomainName'] != 'NT AUTHORITY']] and (Event[EventData[Data[#Name='LogonType'] = '2']] or Event[EventData[Data[#Name='LogonType'] = '11']])"
#Get List containing the dnsHostNames of the computers to query
$computer = gc [path]
#Run Query against computers and gather result
$result = #(
foreach ($computer in $computers){
#run query
$events = get-winevent -LogName security -FilterXPath $XPath -ComputerName $computer
#parse events as xml and extract necessary information, return object
$eventobj = #(
foreach ($event in $events){
[xml]$xml = $event.toxml()
$attrsht = [ordered]#{
TimeCreated=$xml.event.system.TimeCreated.SystemTime
eventId=$xml.event.system.eventId
SubjectUserSid=$xml.event.EventData.data[0].'#text'
SubjectUserName=$xml.event.EventData.data[1].'#text'
SubjectDomainName=$xml.event.EventData.data[2].'#text'
TargetUserSid=$xml.event.EventData.data[4].'#text'
TargetUserName=$xml.event.EventData.data[5].'#text'
TargetDomainName=$xml.event.EventData.data[6].'#text'
LogonType=$xml.event.EventData.data[8].'#text'
LogonProcessName=$xml.event.EventData.data[9].'#text'
ipAdress=$xml.event.EventData.data[18].'#text'
}
#return event object
new-object -TypeName psobject -Property $attrsht
}
)
$attrsht = #{
Computer=$computer
Events=$eventobj
}
#return object per computer containing all events
new-object -TypeName psobject -Property $attrsht
}
)
#As the property events is an array you can export it by using json
$result | ConvertTo-Json | set-content [path]
#If you want a csv we have to flattern the array
$result = #(
foreach ($computer in $computers){
#run query
$events = get-winevent -LogName security -FilterXPath $XPath -ComputerName $computer
#parse events as xml and extract necessary information, return object
foreach ($event in $events){
[xml]$xml = $event.toxml()
$attrsht = [ordered]#{
computername=$computer
TimeCreated=$xml.event.system.TimeCreated.SystemTime
eventId=$xml.event.system.eventId
SubjectUserSid=$xml.event.EventData.data[0].'#text'
SubjectUserName=$xml.event.EventData.data[1].'#text'
SubjectDomainName=$xml.event.EventData.data[2].'#text'
TargetUserSid=$xml.event.EventData.data[4].'#text'
TargetUserName=$xml.event.EventData.data[5].'#text'
TargetDomainName=$xml.event.EventData.data[6].'#text'
LogonType=$xml.event.EventData.data[8].'#text'
LogonProcessName=$xml.event.EventData.data[9].'#text'
ipAdress=$xml.event.EventData.data[18].'#text'
}
#return event object
new-object -TypeName psobject -Property $attrsht
}
}
)
$result | export-csv [path] -NoClobber -NoTypeInformation -Delimiter ";"
I am trying to resume BitLocker protection on remote devices. See the below code:
$computers = Get-Content "C:\Users\admin_jr\Documents\bitlockerlist.txt"
$credentials = Get-Credential
foreach($computer in $computers) {
Try {
$Session = New-PSSession $computer -Credential $credentials
if (-Not ($Session)) {
Write-Error "No session is made with the specified computer, please try again"
}
Invoke-Command -Session $Session -ScriptBlock {Get-BitLockerVolume | Resume-BitLocker -Verbose}
} Catch {
Write-Error "Something went wrong"
}
}
I get the following error message:
The TPM returned an unexpected result. (Exception from HRESULT: 0x8029010C)
+ CategoryInfo : NotSpecified: (:) [Write-Error], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Resume-BitLocker
+ PSComputerName : *pcname*
I am currently testing this on a laptop whereby I can manually resume and suspend the Bitlocker protection but essentially want to emulate and automate this via a script on multiple pcs.
Any advice on this?
I want to get event delails like the event type and drive letter from a Windows Powershell event.
Register-WmiEvent -Class win32_VolumeChangeEvent -SourceIdentifier volumeChange -Action {
param($event)
$eventType = $event.SourceEventArgs.NewEvent.EventType # don't work
write-host $eventType
}
while (1-eq1) {} # don't exit program
This is what i want to achieve. It works on a Windows computer, but because of performance problems it don't work on a Windows tablet:
Register-WmiEvent -Class win32_VolumeChangeEvent -SourceIdentifier volumeChange
do {
$newEvent = Wait-Event -SourceIdentifier volumeChange
$eventType = $newEvent.SourceEventArgs.NewEvent.EventType
$driveLetter = $newEvent.SourceEventArgs.NewEvent.DriveName
write-host $eventType
Remove-Event -SourceIdentifier volumeChange
} while (1-eq1) # Loop until next event
Unregister-Event -SourceIdentifier volumeChange
I found out that multiple params are submitted:
Register-WmiEvent -Class win32_VolumeChangeEvent -SourceIdentifier volumeChange -Action {
param($event, $sourceEventArgs)
$eventType= $sourceEventArgs.NewEvent.EventType
write-host $eventType
}
while (1-eq1) {} # don't exit program
May I know how to properly export this script to CSV?
Try {
Invoke-Command -scriptblock {Get-EventLog System -After "7/8/2017" -Before "07/28/2017" |
Where-Object {$_.EventID -eq "50" -or $_.EventID -eq "51" -or $_.EventID -eq "55" -or $_.EventID -eq "57" -or $_.EventID -eq "6008"} |
FT -Property Machinename, TimeWritten, EntryType, Source, EventID, Message -AutoSize -wrap } -computername $computer -ErrorAction Stop
}
Catch {
Write-Host $Computer "Error/RDC Problem" -ForegroundColor Red
}
Result:
Export-CSV command is not working properly when added at the end. It outputs a different set of data.
Formatting cmdlets like Format-Table don't just change the way the object is displayed, it changes the object itself into something that will display how you want it to. This is part of why it's commonly recommended not to use the formatting cmdlets in scripts or functions.
Instead, you should use the Select-Object cmdlet to limit the number of properties passed to Export-Csv.
Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
Get-EventLog System -After "7/8/2017" -Before "07/28/2017" |
Where-Object { 50, 51, 55, 57, 6008 -contains $_.EventID } |
Select-Object -Property MachineName, TimeWritten, EntryType, Source, EventID, Message
}
try this
Try {
Invoke-Command -scriptblock {Get-EventLog System -After "7/8/2017" -Before "07/28/2017" |
Where EventID -in ("50", "51", "55", "57", "6008") |
select Machinename, TimeWritten, EntryType, Source, EventID, Message } -computername $computer -ErrorAction Stop |export-csv "c:\temp\result.csv"
}
Catch {
Write-Host $Computer "Error/RDC Problem" -ForegroundColor Red
}
or may be simply like this :
Try
{
Get-EventLog System -After "7/8/2017" -Before "07/28/2017" -ComputerName $computer |
Where EventID -in ("50", "51", "55", "57", "6008") |
select Machinename, TimeWritten, EntryType, Source, EventID, Message |export-csv "c:\temp\result.csv" -NoType
}
Catch
{
Write-Host $Computer "Error/RDC Problem" -ForegroundColor Red
}
I have this delete profile script that prompts for a username and deletes it from each of the computers listed. The delete profile and "user is logged in" parts are both working but the part that says “No profiles found on $Computer with Name $UserName” is not. I ran my script on two computers and it successfully deleted my profile on both. I recreated my profile (logged in) and stayed logged on to one and not the other. I run it again and it gives me the message "user is logged in". For the other computer it just deleted the profile on does not display the "no profile found" message. It just skips over it and displays nothing. I have changed the "if" to an "else" but, when I do that it displays multiple lines of "no profiles found" including the computer it previously deleted the profile on.
Here is the link where most of the script is derived from.
http://techibee.com/powershell/powershell-script-to-delete-windows-user-profiles-on-windows-7windows-2008-r2/1556. Looking through the comments, no one else seemed to have any issues with that part of it.
I do not have much knowledge in PowerShell and this has just been pieced together from other scripts I have found based on our needs. Our environment is Windows 7 and Server 2008 R2. Any assistance is greatly appreciated.
$UserName=Read-host "Please Enter Username: "
$ComputerName= #("computer1","computer2")
foreach($Computer in $ComputerName) {
Write-Verbose "Working on $Computer"
if(Test-Connection -ComputerName $Computer -Count 1 -ea 0) {
$Profiles = Get-WmiObject -Class Win32_UserProfile -Computer $Computer -ea 0
foreach ($profile in $profiles) {
$objSID = New-Object System.Security.Principal.SecurityIdentifier($profile.sid)
$objuser = $objsid.Translate([System.Security.Principal.NTAccount])
$profilename = $objuser.value.split("\")[1]
if($profilename -eq $UserName) {
$profilefound = $true
try {
$profile.delete()
Write-Host -ForegroundColor Green "$UserName profile deleted successfully on $Computer"
} catch {
Write-Host -ForegroundColor Yellow "Failed to delete the profile, $UserName logged on to $Computer"
}
}
}
if(!$profilefound) {
Write-Host -ForegroundColor Cyan "No profiles found on $Computer with Name $UserName"
}
} else {
write-verbose "$Computer Not reachable"
}
}
PowerShell has a number of automatic variables that you should avoid re-using.
$Profile is one of these, it contains the paths to the Profile scripts applicable to the current session.
Use any other variable name (ie. $userprofile) and you'll be fine:
foreach ($userprofile in $profiles) {
$objSID = New-Object System.Security.Principal.SecurityIdentifier($userprofile.sid)
$objuser = $objsid.Translate([System.Security.Principal.NTAccount])
$profilename = $objuser.value.split("\")[1]
if($profilename -eq $UserName) {
$profilefound = $true
try {
$userprofile.delete()
Write-Host -ForegroundColor Green "$UserName profile deleted successfully on $Computer"
} catch {
Write-Host -ForegroundColor Yellow "Failed to delete the profile, $UserName logged on to $Computer"
}
}
}
I was able to get it working by changing the "$profilefound=$false" and making it a global variable. Also the reason why it was displaying multiple lines of "profile not found when i changed it to an else statement is because of where it was placed. It was checking against every profile on the server. When it touched every profile on the computer it displayed "profile not found".
Here is the working script.
$UserName=Read-host "Please Enter Username: "
$ComputerName= #("computer1","computer2")
$profilefound = "false"
foreach($Computer in $ComputerName) {
Write-Verbose "Working on $Computer"
if(Test-Connection -ComputerName $Computer -Count 1 -ea 0) {
$Profiles = Get-WmiObject -Class Win32_UserProfile -Computer $Computer -ea 0
foreach($userprofile in $profiles){
$objSID = New-Object System.Security.Principal.SecurityIdentifier($userprofile.sid)
$objuser = $objsid.Translate([System.Security.Principal.NTAccount])
$profilename = $objuser.value.split("\")[1]
if($profilename -eq $UserName) {
$profilefound = "true"
try {
$userprofile.delete()
Write-Host -ForegroundColor Green "$UserName profile deleted successfully on $Computer"
} catch {
Write-Host -ForegroundColor Yellow "Failed to delete the profile, $UserName logged on to $Computer"
}
}
}
}
else {
write-verbose "$Computer Not reachable"
}
if ($profilefound -eq "false") {
Write-Host -ForegroundColor Cyan "No profiles found on $Computer with Name $UserName"
}
}