
Single Command : Handy Single Line Diagnostic Commands

This is another quick post on how to check the User32 events in the System event log of a remote server from a management server. As a bonus it also collects a set of other handy one-line diagnostic commands.

Get-WinEvent -ComputerName "<remote-server>" -FilterHashtable @{LogName='System';ProviderName='User32'}

This returns all User32 events on that server (typically event ID 1074, which records who or what initiated a shutdown or restart), for example:

TimeCreated  : 23/12/2024 12:37:35
ProviderName : User32
Id           : 1074
Message      : The process C:\Windows\system32\wbem\wmiprvse.exe (rebooting.server) has initiated the restart of computer rebooting.server on behalf of user NT AUTHORITY\SYSTEM for the
               following reason: No title for this reason could be found
                Reason Code: 0x80070015
                Shutdown Type: restart
                Comment:

TimeCreated  : 12/12/2024 11:22:20
ProviderName : User32
Id           : 1074
Message      : The process C:\Windows\Explorer.EXE (remote.server) has initiated the power off of computer remote.server on behalf of user <user> for the following reason:
               Other (Unplanned)
                Reason Code: 0x0
                Shutdown Type: Power Off
                Comment:

In the first event above the restart was initiated by wmiprvse.exe, i.e. through WMI. If you then want to look at the WMI activity log on that server, to see whether it logged errors from that process around the restart, use this command:

Get-WinEvent -ComputerName "<remote_server>" -FilterHashtable @{LogName='Microsoft-Windows-WMI-Activity/Operational';ProviderName='Microsoft-Windows-WMI-Activity'}

Lockout Events

Now let's look at some more specific commands. For account lockout events (which only show you the lockout itself, not the failed logons that caused it) you can query a single DC for the basic data with the command below. Note that a lockout is recorded on the DC that enforced it and is always forwarded to the PDC emulator, so the PDC emulator is the best single DC to query:

Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='Security';ID=4740} -MaxEvents 10

If you want to format this so you can see the locked-out account and the caller computer (the machine the bad passwords came from), you can use this command. In event 4740 the locked account is the first EventData field and the caller computer is the second:

Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='Security';ID=4740} -MaxEvents 10 | Select-Object TimeCreated,@{N='LockedAccount';E={$_.Properties[0].Value}},@{N='CallerComputer';E={$_.Properties[1].Value}}
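The command above reads one DC and relies on positional Properties[] indexes. The function below is an added example, not a script from the original post: it queries every domain controller (or a list you pass in), reads the EventData fields by name from the event XML instead of by position, filters to one account if asked, and suppresses the error Get-WinEvent raises when a DC has no matching events. It assumes the RSAT ActiveDirectory module is installed for Get-ADDomainController and that the account running it can read the Security log on each DC remotely; the function name and parameters are my own.

```powershell
# Added example (not from the original post): collect 4740 lockout events
# from every DC and return one object per event with the locked account and
# the caller computer. Assumes the ActiveDirectory module is available.
function Get-AccountLockout {
    [CmdletBinding()]
    param(
        [string]$Account,            # sAMAccountName to filter on; omit for all accounts
        [int]$Hours = 24,            # look-back window in hours
        [string[]]$ComputerName      # DCs to query; discovered from AD if not supplied
    )

    if (-not $ComputerName) {
        # 4740 is logged on the DC that enforced the lockout and replicated to
        # the PDC emulator; querying all DCs gives full coverage either way.
        $ComputerName = (Get-ADDomainController -Filter *).HostName
    }

    $filter = @{
        LogName   = 'Security'
        ID        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    foreach ($dc in $ComputerName) {
        # Get-WinEvent raises a non-terminating error when nothing matches;
        # suppress it so a quiet DC does not look like a query failure.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            # Read EventData by field name from the XML rather than trusting
            # positional Properties[] indexes.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($Account -and $data['TargetUserName'] -ne $Account) { continue }

            [pscustomobject]@{
                TimeCreated      = $e.TimeCreated
                DomainController = $dc
                LockedAccount    = $data['TargetUserName']
                CallerComputer   = $data['TargetDomainName']   # 4740 stores the caller computer name here
                LockedSid        = $data['TargetSid']
            }
        }
    }
}

# Usage: lockouts for one account in the last 4 hours, newest first
# Get-AccountLockout -Account 'jsmith' -Hours 4 |
#     Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

The CallerComputer value is what you then chase: check the Security log on that machine for 4625 failed logons, or look for a scheduled task, mapped drive or service running under the locked account with a stale password.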

Various other commands

These are various other commands I use on a daily basis. All of them take -ComputerName for a remote server and -MaxEvents to cap the output; add StartTime=(Get-Date).AddDays(-1) to the hashtable if you only want recent events.

Last 10 system errors

Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='System';Level=2} -MaxEvents 10

Last 10 Service starts/stops

Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='System';ID=7036} -MaxEvents 10

Last 10 failed logon attempts

Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 10

Last 10 program installations (MsiInstaller event 11707, installation completed successfully)

Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='Application';ID=11707} -MaxEvents 10

Last 10 system restarts/shutdowns (1074 initiated shutdown, 6006 clean shutdown, 6008 unexpected shutdown)

Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='System';ID=1074,6006,6008} -MaxEvents 10

Last 10 application errors

Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='Application';Level=2} -MaxEvents 10
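Running these one by one against several servers gets tedious, so here is an added example, not part of the original post, that runs the same set of checks against a list of servers in one pass and returns a summary row per server and check with the count and the newest event. It uses the same log names and event IDs as the commands above; the function name, the check labels and the parameters are my own, and it assumes you have remote Event Log Readers rights on the targets.

```powershell
# Added example (not from the original post): run the one-liners above as a
# batch against several servers and summarise the results.
function Get-ServerEventSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$Hours     = 24,    # look-back window in hours
        [int]$MaxEvents = 50     # cap per check so a noisy server does not stall the run
    )

    $since = (Get-Date).AddHours(-$Hours)

    # Each check is one of the filters from the post plus a StartTime.
    $checks = @(
        @{ Name = 'SystemError';   Filter = @{ LogName = 'System';      Level = 2;            StartTime = $since } },
        @{ Name = 'AppError';      Filter = @{ LogName = 'Application'; Level = 2;            StartTime = $since } },
        @{ Name = 'ServiceChange'; Filter = @{ LogName = 'System';      ID = 7036;            StartTime = $since } },
        @{ Name = 'FailedLogon';   Filter = @{ LogName = 'Security';    ID = 4625;            StartTime = $since } },
        @{ Name = 'MsiInstall';    Filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; ID = 11707; StartTime = $since } },
        @{ Name = 'Shutdown';      Filter = @{ LogName = 'System';      ID = 1074, 6006, 6008; StartTime = $since } }
    )

    foreach ($server in $ComputerName) {
        foreach ($check in $checks) {
            # Wrap in @() so a single event still has a .Count; suppress the
            # "no events found" error Get-WinEvent raises on an empty result.
            $events = @(Get-WinEvent -ComputerName $server -FilterHashtable $check.Filter `
                                     -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)

            [pscustomobject]@{
                ComputerName  = $server
                Check         = $check.Name
                Count         = $events.Count
                Latest        = if ($events) { $events[0].TimeCreated } else { $null }
                LatestMessage = if ($events) { ($events[0].Message -split "`r?`n")[0] } else { $null }
            }
        }
    }
}

# Usage: summary for two servers over the last 12 hours, errors first
# Get-ServerEventSummary -ComputerName 'srv01', 'srv02' -Hours 12 |
#     Sort-Object Count -Descending | Format-Table -AutoSize
```

A Count of 0 for FailedLogon may mean no failures or may mean you could not read the Security log remotely; check that the query works interactively against one server before trusting the zeroes. The Shutdown check is worth eyeballing for ID 6008, since that is the unexpected-shutdown event and is the one that usually needs explaining.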
