### ハッシュテーブル
# ログオンタイプ
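$LogonTypeHash = @{
  # Logon type codes as written in the LogonType field of 4624/4625 events,
  # mapped to the label shown in the LogonTypeName column. Existing labels
  # (a mix of English and Japanese) are kept unchanged; the Windows-documented
  # types 0, 12 and 13 are added so those events no longer resolve to "unknown".
  0  = "System"
  2  = "Interactive"
  3  = "ネットワーク"
  4  = "Batch"
  5  = "サービス"
  7  = "ロック解除"
  8  = "Network Cleartext"
  9  = "New Credentials"
  10 = "RDP"
  11 = "Cached Interactive"
  12 = "CachedRemoteInteractive"
  13 = "CachedUnlock"
}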
# ステータスコード
# Status / SubStatus codes of failed-logon (4625) events, plus the "0x0"
# placeholder that GetLogonHistry substitutes when an event carries no Status
# or SubStatus element (successful 4624 events), mapped to a short description.
# Keys are lowercase hex strings matching the text of the event's Data element;
# GetLogonHistry looks them up with ContainsKey and reports any unlisted code
# as "unknown" rather than failing.
$StatusCodeHash = @{
"0xc000005e" = "There are currently no logon servers available to service the logon request."
"0xc0000064" = "User logon with misspelled or bad user account"
"0xc000006a" = "User logon with misspelled or bad password"
"0xc000006d" = "This is either due to a bad username or authentication information"
"0xc000006e" = "Unknown user name or bad password."
"0xc000006f" = "User logon outside authorized hours"
"0xc0000070" = "User logon from unauthorized workstation"
"0xc0000071" = "User logon with expired password"
"0xc0000072" = "User logon to account disabled by administrator"
"0xc00000dc" = "Indicates the Sam Server was in the wrong state to perform the desired operation."
"0xc0000133" = "Clocks between DC and other computer too far out of sync"
"0xc000015b" = "The user has not been granted the requested logon type (aka logon right) at this machine"
"0xc000018c" = "The logon request failed because the trust relationship between the primary domain and the trusted domain failed."
"0xc0000192" = "An attempt was made to logon, but the Netlogon service was not started."
"0xc0000193" = "User logon with expired account"
"0xc0000224" = "User is required to change password at next logon"
"0xc0000225" = "Evidently a bug in Windows and not a risk"
"0xc0000234" = "User logon with account locked"
"0xc00002ee" = "Failure Reason: An Error occurred during Logon"
"0xc0000413" = "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine."
# Placeholder used for events without a Status/SubStatus element.
"0x0" = "Status OK."
}
################################################
# ログオン履歴取得
################################################
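function GetLogonHistry([int]$MaxEvents = 0) {
<#
.SYNOPSIS
Collects successful (4624) and failed (4625) logon events from the Security log.

.DESCRIPTION
Reads the local Security event log and returns one object per logon event holding
the target account, domain, source IP address, logon type and the Status/SubStatus
codes of the event, decoded through the script-scope tables $LogonTypeHash and
$StatusCodeHash. Codes missing from those tables are reported as "unknown".
Reading the Security log normally needs elevated rights; when Get-WinEvent cannot
read the log or finds no matching events it reports an error and this function
returns an empty result.

.PARAMETER MaxEvents
Optional upper bound on the number of events read (newest first). The default 0
reads the whole log, which is the behaviour before this parameter existed.

.OUTPUTS
Array of objects with the properties EventTime, Success, LogonUser, Domain,
LogonTypeCode, LogonTypeName, IpAddress, StatusCode, StatusName, SubStatusCode
and SubStatusName (same names and order as before).
#>
  # Helper: text of the <Data Name="..."> element in an event's EventData.
  # Returns $null when the element is absent, e.g. Status/SubStatus on a 4624 event.
  function Get-EventDataValue($EventData, [string]$Name) {
    return ($EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
  }

  # Helper: fall back to "0x0" for a missing code and resolve it through
  # $StatusCodeHash. Returns a hashtable with Code and Name.
  function Resolve-StatusCode($Code) {
    if ($null -eq $Code) {
      $Code = "0x0"
    }
    $name = if ($StatusCodeHash.ContainsKey($Code)) { $StatusCodeHash[$Code] } else { "unknown" }
    return @{ Code = $Code; Name = $name }
  }

  $LogonSuccess = 4624   # An account was successfully logged on
  $LogonFail    = 4625   # An account failed to log on

  # Filter on event ID inside the event log service instead of pulling every
  # Security event through Where-Object; Id accepts a list of event IDs.
  $getArgs = @{
    FilterHashtable = @{ LogName = 'Security'; Id = @($LogonSuccess, $LogonFail) }
  }
  if ($MaxEvents -gt 0) {
    $getArgs['MaxEvents'] = $MaxEvents
  }
  $LogonEvents = Get-WinEvent @getArgs

  # A List avoids re-allocating the whole array on every += append.
  $LogonHistry = New-Object System.Collections.Generic.List[object]
  foreach ($LogonEvent in $LogonEvents) {
    $eventData = ([XML]$LogonEvent.ToXml()).Event.EventData

    # Logon type: the cast yields 0 for a missing element, as before.
    [int]$LogonType = Get-EventDataValue $eventData "LogonType"
    $logonTypeName = if ($LogonTypeHash.ContainsKey($LogonType)) { $LogonTypeHash[$LogonType] } else { "unknown" }

    $status    = Resolve-StatusCode (Get-EventDataValue $eventData "Status")
    $subStatus = Resolve-StatusCode (Get-EventDataValue $eventData "SubStatus")

    # Select-Object fixes the property order of the output object.
    $LogonStatus = New-Object PSObject | Select-Object `
      EventTime, Success, LogonUser, Domain, LogonTypeCode, LogonTypeName, `
      IpAddress, StatusCode, StatusName, SubStatusCode, SubStatusName
    $LogonStatus.EventTime     = $LogonEvent.TimeCreated
    $LogonStatus.Success       = $LogonEvent.Id -eq $LogonSuccess
    $LogonStatus.LogonUser     = Get-EventDataValue $eventData "TargetUserName"
    $LogonStatus.Domain        = Get-EventDataValue $eventData "TargetDomainName"
    $LogonStatus.IpAddress     = Get-EventDataValue $eventData "IpAddress"
    $LogonStatus.LogonTypeCode = $LogonType
    $LogonStatus.LogonTypeName = $logonTypeName
    $LogonStatus.StatusCode    = $status.Code
    $LogonStatus.StatusName    = $status.Name
    $LogonStatus.SubStatusCode = $subStatus.Code
    # Previously the unknown-SubStatus branch wrote StatusName instead of
    # SubStatusName, leaving SubStatusName empty and overwriting the main status.
    $LogonStatus.SubStatusName = $subStatus.Name

    $LogonHistry.Add($LogonStatus)
  }
  return $LogonHistry.ToArray()
}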