Shell – View User Login History with WindowsLogon [Powershell]

powershell

I am currently trying to figure out how to view a users login history to a specific machine. This command is meant to be ran locally to view how long consultant spends logged into a server.

I currently only have knowledge to this command that pulls the full EventLog but I need to filter it so it can display per-user or a specific user.

Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(-5) -ComputerName $env:computername

Best Answer

Going off of the discussion in the comments, you can search the Event Log using Powershell.

Get-EventLog security | Where-Object {$_.TimeGenerated -gt '9/15/16'} | Where-Object {($_.InstanceID -eq 4634) -or ($_.InstanceID -eq 4624)} | Select-Object Index,TimeGenerated,InstanceID,Message

Get-EventLog allows you to access the Event Log, specifically the Security logs
The first Where-Object specifies that you want any records that are newer than the provided date
The second Where-Object specifies the two Event IDs you're interested in
Select-Object lets us only return columns we're interested having in the output

You will likely need to run this from an elevated instance of Powershell since this is accessing the Windows registry.

Related Solutions

PowerShell: history enhancements (readline)

For (3), you can write it as a function in your profile (e.g. %USERPROFILE%\My Documents\WindowsPowerShell\profile.ps1):

function hh ([string] $word) {
    Get-History -c 1000 | where {$_.commandline.contains($word)}
}

Then:

hh foo

But Powershell is best thought of as a scripting language than as an interactive shell, because the underlying console is still cmd.exe with all its limitations.

So it's F7 for interactive history, F3 to copy the previous command, F1 to copy a single character, F2 to copy the previous command up to a particular character, etc, etc.

Windows PowerShell – How to view commands history date/time

On Windows 10, the PS extension PsReadline comes with PowerShell 5 by default. Get-Content on the following to view your full command history.

C:\Users\username\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

To make it available on Windows 7, you have to make sure you have the latest Framework and PowerShell 5 installed. Then you can install the PsReadline module.

I just did on a Windows 7 (64) machine:

(executionpolicy : remotesigned)

Install-Module PSReadLine ( I was asked to install NuGet-anycpu.exe, and answered yes).

Import-Module PsReadLine

Your history will now be stored in the file mentionned above (verified)

Run Get-PSReadlineKeyHandler to have a list of PSReadline Key bindings.

Best Answer

Related Solutions

PowerShell: history enhancements (readline)

Windows PowerShell – How to view commands history date/time

Related Question