检测注销并登录Powershell [英] Detect logging off and logging in powershell

问题描述

如何使用Powershell检测用户是否已从Windows系统(最好是与Win7，Vista或XP一起使用)登录或注销?

How can I detect if a user has logged on or off from a windows system (preferably that works with win7, vista or XP) using powershell?

我想注册每次登录和注销机器的日期和时间.

I want to register the date and time of each logging on and off of the machine.

提前谢谢

推荐答案

您可以从事件日志中获取以下信息:

You can get this infromation from the event log:

Get-EventLog System -Source Microsoft-Windows-Winlogon

登录的InstanceId为7001，注销的为7002.用户帐户是ReplacementStrings中的SID.

Logons have an InstanceId of 7001, logoffs have 7002. The user account is a SID in ReplacementStrings.

这是一些对您有用的代码.

Here is some more useful code for you.

$UserProperty = @{n="User";e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}
$TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
$TimeProeprty = @{n="Time";e={$_.TimeGenerated}}
Get-EventLog System -Source Microsoft-Windows-Winlogon | select $UserProperty,$TypeProperty,$TimeProeprty

您还可以通过将"-ComputerName"参数添加到Get-EventLog来从远程计算机获取这些事件.

You can also get these events from a remote computer by adding the "-ComputerName" parameter to Get-EventLog.

这篇关于检测注销并登录Powershell的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！