Whenever someone logs on with invalid credentials, there will be a log entry in the security log.
Here is a function that reads these events from the security log (Admin privileges needed) and lists every invalid logon it finds. Event ID 4625 stores the target account name at ReplacementStrings index 5 and the account domain at index 6, so they are assigned in that order:

    # requires Admin privileges!
    function Get-LogonFailure
    {
        param($ComputerName)
        try
        {
            # -InstanceId 4625 = "An account failed to log on"
            Get-EventLog -LogName security -EntryType FailureAudit -InstanceId 4625 -ErrorAction Stop @PSBoundParameters |
            ForEach-Object {
                # index 5 = TargetUserName, index 6 = TargetDomainName
                $user, $domain = $_.ReplacementStrings[5,6]
                $time = $_.TimeGenerated
                "Logon Failure: $domain\$user at $time"
            }
        }
        catch
        {
            if ($_.CategoryInfo.Category -eq 'ObjectNotFound')
            {
                Write-Host "No logon failures found." -ForegroundColor Green
            }
            else
            {
                Write-Warning "Error occurred: $_"
            }
        }
    }

Note that this function works remotely, too. Use the -ComputerName parameter to query a remote system. The RemoteRegistry service must be running on the remote system, and you need local administrator privileges on the target machine.
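When reviewing failures for signs of password guessing, a flat list of 4625 events is less useful than a count per account and source address. The function below is an added example, not part of the original tip: it uses Get-WinEvent (the replacement for Get-EventLog on PowerShell 6 and later), reads the named fields from the event XML instead of positional ReplacementStrings indexes, and groups failures by target user and source IP over a time window. The -Threshold value is a hypothetical starting point, not a recommended setting.

```powershell
# Added example: summarize event 4625 failures per account and source address.
# Requires Admin privileges, like the original function.
function Get-LogonFailureSummary
{
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        [int]$Threshold = 10    # hypothetical alert threshold; tune for your environment
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    try
    {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    }
    catch
    {
        # Get-WinEvent throws when the filter matches nothing
        if ($_.Exception.Message -like '*No events were found*')
        {
            Write-Host "No logon failures in the last $Hours hours." -ForegroundColor Green
            return
        }
        Write-Warning "Error occurred: $_"
        return
    }

    $events |
        ForEach-Object {
            # Pull named EventData fields from the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time      = $_.TimeCreated
                Domain    = $data.TargetDomainName
                User      = $data.TargetUserName
                SourceIP  = $data.IpAddress
                LogonType = $data.LogonType
                Status    = $data.Status      # 0xC000006D = bad user name or password
                SubStatus = $data.SubStatus   # 0xC0000064 = user name does not exist, 0xC000006A = wrong password
            }
        } |
        Group-Object User, SourceIP |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                User     = $sorted[0].User
                SourceIP = $sorted[0].SourceIP
                Failures = $_.Count
                First    = $sorted[0].Time
                Last     = $sorted[-1].Time
                Alert    = ($_.Count -ge $Threshold)
            }
        } |
        Sort-Object Failures -Descending
}

Get-LogonFailureSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Rows with Alert set to True are the account/source pairs that crossed the threshold inside the window; the SubStatus column separates guesses against non-existent accounts (0xC0000064) from wrong passwords for real ones (0xC000006A), which is usually the first thing to check when triaging a burst of failures.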
http://powershell.com/cs/blogs/tips/archive/2014/01/13/finding-logon-failures.aspx