Advertisement
guyrleech

Create session lock/unlock data from event log

Nov 29th, 2023
1,667
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PowerShell 0.80 KB | Cybersecurity | 0 0
  1. ## Needs screen lock/unlock auditing enabled which then generates events for lock and unlock which we process to produce
  2. ##   a single event per lock/unlock event with a duration. Must run elevated as accesses Security event log
  3.  
  4. ## Will only work for single user OS but can be enhanced to monitor per username for multi-user RDS,AVD,Citrix,Parallels RAS, etc
  5.  
  6. $lastlock = $null;get-winevent -Oldest -FilterHashtable @{ ProviderName = 'Microsoft-Windows-Security-Auditing' ; Id = 4800, 4801 }|select TimeCreated,Id,@{n='username';e={$_.properties[1].value}},Message|ForEach-Object { if( $_.id -eq 4800 ) { $lastlock = $_.TimeCreated } else { if( $lastlock ) { [pscustomobject]@{ Locked = $lastlock ; Unlocked = $_.TimeCreated ; LockMinutes = ( $_.TimeCreated - $lastlock ).TotalMinutes }} ; $lastlock = $null } }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement