Whenever someone logs on with invalid credentials, there will be a log entry in the security log.
Here is a function that reads these events from the security log (administrator privileges are needed) and lists every failed logon it finds:

```powershell
function Get-LogonFailure
{
    param($ComputerName)
    try
    {
        # Event ID 4625 = "An account failed to log on". -ErrorAction Stop turns the
        # "no matching events" condition into a catchable error instead of an empty result.
        Get-EventLog -LogName security -EntryType FailureAudit -InstanceId 4625 -ErrorAction Stop @PSBoundParameters |
        ForEach-Object {
            # In a 4625 event, ReplacementStrings[5] is the target user name and [6] the target domain
            $user, $domain = $_.ReplacementStrings[5,6]
            $time = $_.TimeGenerated
            "Logon Failure: $domain\$user at $time"
        }
    }
    catch
    {
        if ($_.CategoryInfo.Category -eq 'ObjectNotFound')
        {
            Write-Host "No logon failures found." -ForegroundColor Green
        }
        else
        {
            Write-Warning "Error occurred: $_"
        }
    }
}
```
Note that this function works remotely, too: use the -ComputerName parameter to query another system. The remote system needs the RemoteRegistry service running, and you need local administrator privileges on the target machine.
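To turn the raw list into something a defender can act on, the added example below (not part of the original tip) aggregates 4625 events per source address and account over a time window and reports only the pairs above a threshold, which is what a password-guessing burst looks like. It uses Get-WinEvent with a filter hashtable so it also runs on PowerShell 7, and reads the event fields by name from the event XML instead of by ReplacementStrings position; the function name, parameters and default threshold are assumptions chosen for this example.

```powershell
# Added example: summarise failed logons (Event ID 4625) per source address and account.
# Function name, parameter names and the default threshold are assumptions, not from the tip.
function Get-LogonFailureSummary
{
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,        # look back this many hours
        [int]$Threshold = 10     # report source/account pairs with at least this many failures
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    try
    {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    }
    catch
    {
        # Get-WinEvent raises an error when nothing matches; treat that as "no failures"
        if ($_.Exception.Message -like '*No events were found*') { return }
        throw
    }
    $events | ForEach-Object {
        # Pull the named EventData fields from the event XML
        [xml]$xml = $_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']          # 3 = network, 10 = RDP, 2 = interactive
            SubStatus = $data['SubStatus']          # 0xC000006A bad password, 0xC0000064 unknown user
        }
    } |
    Group-Object Source, Account |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object Time)[-1].Time } }
}
```

A run of failures from one source against many different accounts (many groups sharing a Source) points at spraying, while many failures against one account with SubStatus 0xC000006A points at guessing that account's password.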
http://powershell.com/cs/blogs/tips/archive/2014/01/13/finding-logon-failures.aspx