Cyber Security

Monitor Local User Logons on Windows Operating Systems

User logons on Microsoft Windows operating systems are called logon events. In this short blog post I will show you a PowerShell one-liner that retrieves all logons of a particular user.

PowerShell Code

Successful user logons are logged with Event ID 4648. The code below retrieves all successful logon events of the user patri. The output is formatted with the Format-Table cmdlet for better readability.

Get-EventLog -LogName Security -InstanceId 4648 | 
Where-Object Message -match "patri" |
Format-Table TimeGenerated,Message -AutoSize -Wrap

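To be more precise, and to avoid extensive output, I restrict the output to show only the last successful login. Get-EventLog returns the newest entries first, so Select-Object -First 1 keeps the most recent match.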

Get-EventLog -LogName Security -InstanceId 4648 | 
Where-Object Message -match "patri" | 
Select-Object -First 1 |
Format-Table TimeGenerated,Message -AutoSize -Wrap
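
An added example, not code from the original post: it uses Get-WinEvent and compares the account name with the structured SubjectUserName and TargetUserName fields of each event, so a substring hit in the message text (for instance "patricia", or a computer name containing "patri") is not reported. Besides the post's Event ID 4648 (which Windows describes as "A logon was attempted using explicit credentials") it also queries 4624 ("An account was successfully logged on"); the function name Get-UserLogonEvent is an assumption of this example.

```powershell
# Added example: match the account on structured event fields, not on message text.
# Assumptions: an elevated session (needed to read the Security log) and the
# account name 'patri' from the post. Get-UserLogonEvent is a hypothetical name.
function Get-UserLogonEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        # 4648 is the ID used in the post; 4624 is added by this example.
        [int[]] $EventId = @(4624, 4648)
    )

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId } |
        ForEach-Object {
            $evt = $_

            # Turn the <EventData><Data Name="..."> elements into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }

            # Exact, case-insensitive comparison on the two account fields.
            # Events that only mention the name elsewhere are skipped.
            if ($data['TargetUserName'] -ne $UserName -and
                $data['SubjectUserName'] -ne $UserName) { return }

            [pscustomobject]@{
                TimeCreated     = $evt.TimeCreated
                EventId         = $evt.Id
                SubjectUserName = $data['SubjectUserName']
                TargetUserName  = $data['TargetUserName']
                LogonType       = $data['LogonType']    # present on 4624 only
                ProcessName     = $data['ProcessName']
                IpAddress       = $data['IpAddress']
            }
        }
}

# All matching events as a table.
Get-UserLogonEvent -UserName 'patri' | Format-Table -AutoSize -Wrap

# Only the most recent match: Get-WinEvent returns newest first, and
# Select-Object -First 1 stops the pipeline once it has one object.
Get-UserLogonEvent -UserName 'patri' | Select-Object -First 1 | Format-List
```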

Have fun monitoring your systems with PowerShell!
