Powershell 脚本 RDP 连接数据 [英] Powershell script RDP connection data

问题描述

我正在尝试获取 RDP 连接的源网络地址，以便在用户连接到服务器时发送电子邮件.除了源地址，我什么都有.我的脚本是由 RemoteConnectionManager 操作日志中的事件 1149 触发的.我只需要从系统访问事件数据或源地址.

$SmtpClient = 新对象 system.net.mail.smtpClient$MailMessage = 新对象 system.net.mail.mailmessage$SmtpClient.Host = "mail.scomage.com";$mailmessage.from = (BWAQBW@BWAServer.com")$mailmessage.To.add("support@scomage.com")$mailmessage.Subject = BWAQB RDP"$mailmessage.Body = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name + 登录 BWA QB 服务器"$smtpclient.Send($mailmessage)

史蒂文出色帮助后的最终脚本:

$LastEvent = Get-WinEvent -FilterHashtable `@{ LogName = "Microsoft-Windows-TerminalServices-远程连接管理器/操作"；编号 = 1149} |选择对象 *,@{ 姓名 = '用户名';表达式 = `{ if ($_.Properties[0].Value) { $_.Properties[0].Value } else { "Administrator";} } },@{ 名称 = '源IP';表达式 = { $_.Properties[2].Value } } |Sort-Object TimeCreated |选择对象 - 最后 1$MailParams =@{SmtpServer = "mail.scomage.com";来自 =BWAQBW@BWAServer.com"To =support@scomage.com"主题 =BWAQB RDP"+ $LastEvent.UserName + ""+ $LastEvent.SourceIP正文 = $LastEvent.UserName + "在登录 BWA QB 服务器"+`$LastEvent.TimeCreated.ToString('g') + "来自:"+ $LastEvent.SourceIP}发送邮件消息@MailParams

发送登录电子邮件的脚本:

$Event = Get-WinEvent -FilterHashTable @{日志名称=安全"；ID=4624；开始时间=$DateLess10;} |Where-Object{$_.Properties[8].Value -eq 10 } |Sort-Object TimeCreated |选择对象 - 最后 1if( $Event.Properties[8].Value -eq 10 ){$MailParams =@{SmtpServer = "mail.scomage.com";来自 =BWAQBW@BWAServer.com"To =support@scomage.com"主题 = BWAQB 远程登录"+ $Event.Properties[5].Value + ""+ $Event.Properties[18].ValueBody = $Event.Properties[5].Value + "在登录 BWA QB 服务器"+`$Event.TimeCreated.ToString('g') + "来自:"+ $Event.Properties[18].Value}发送邮件消息@MailParams}

解决方案

根据评论更新

看起来连接的源地址被记录为事件 1149 中的第三个属性.属性是一个类型为 [System.Diagnostics.Eventing.Reader.EventProperty[]] 的对象数组，它只是意味着您必须访问子属性 .Value .

获取最后一个事件的示例:

$LastEvent =Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational";编号 = 1149} |选择对象 *,@{ 姓名 = '用户名';表达式 = { $_.Properties[0].Value } },@{ 名称 = '源IP';表达式 = { $_.Properties[2].Value } } |Sort-Object TimeCreated |选择对象 - 最后 1

由于我不确定 Get-WinEvent 是否能保证时间顺序，所以使用 Sort-Object cmdlet.所以它应该导致最后一个 1149 事件.但是，它不保证它适用于由 System.Security.Principal.WindowsIdentity]::GetCurrent().Name 返回的用户.我不知道这是什么类型的机器，也不知道脚本会在什么情况下运行.例如，如果它是一个多用户系统(由终端服务器暗示)，我怀疑存在一个边缘情况，即最后一个事件可能不适用于当前用户.

所以，我猜我们应该隔离该用户的最后一个事件.我们可以使用以下示例之一来做到这一点:

选项 1:

$NTUserName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name$UserName = $NTUserName.Split('\')[-1]$事件 =Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational";编号 = 1149} |选择对象 *,@{ 姓名 = '用户名';表达式 = { $_.Properties[0].Value } },@{ 名称 = '源IP';表达式 = { $_.Properties[2].Value } } |组对象 - 属性用户名 -AsHashTable -AsString$LastEvent = ($Events[$UserName] | Sort-Object TimeGenerated)[-1]

选项 2:

$NTUserName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name$UserName = $NTUserName.Split('\')[-1]$LastEvent =Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational";编号 = 1149} |选择对象 *,@{ 姓名 = '用户名';表达式 = { $_.Properties[0].Value } },@{ 名称 = '源IP';表达式 = { $_.Properties[2].Value } } |Where-Object{ $_.UserName -eq $UserName } |Sort-Object TimeCreated |选择对象 - 最后 1

在这两种情况下，$LastEvent 都应该有当前用户的最后一个 1149 事件.第一个选项排序较少，因为它只为特定用户排序事件.您可以将 $LastEvent.SourceIP 用于电子邮件.

第二个注意事项:您不需要使用 System.Net.Mail.SMTPClient.您可以将 Send-MailMessage 与可能如下所示的命令拼写结合使用:

$MailParams =@{SmtpServer = "mail.scomage.com";来自 =BWAQBW@BWAServer.com"To =support@scomage.com"主题 = BWAQB RDP"正文 = $用户名 + "在登录 BWA QB 服务器"+ $LastEvent.TimeCreated.ToString('g') + "来自:"+ $LastEvent.SourceIP}发送邮件消息@MailParams

<块引用>

注意:以上内容也在您发表评论后更新以利用较新的修订版.注意:.ToString('g') 导致日期格式类似于 '6/30/2020 9:17 PM'

我不确定正文或主题是否完全正确，但您可以解决这个问题.

告诉我进展如何.谢谢.

I am trying to get the source network address for an RDP connection to send an email when a user connects to the server. I have everything but the source address. My script is triggered by event 1149 in the RemoteConnectionManager Operational log. I only need to access either the event data or source address from the system.

$SmtpClient = new-object system.net.mail.smtpClient
$MailMessage = New-Object system.net.mail.mailmessage
$SmtpClient.Host = "mail.scomage.com"
$mailmessage.from = ("BWAQBW@BWAServer.com")
$mailmessage.To.add("support@scomage.com")
$mailmessage.Subject = "BWAQB RDP"
$mailmessage.Body = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name + " logged into BWA QB Server"
$smtpclient.Send($mailmessage)

Final script after excellent help by Steven:

$LastEvent = Get-WinEvent -FilterHashtable `
    @{ LogName = "Microsoft-Windows-TerminalServices- 
RemoteConnectionManager/Operational"; Id = 1149} |
Select-Object *,
    @{ Name = 'UserName'; Expression = `
        { if ($_.Properties[0].Value) { $_.Properties[0].Value } else { "Administrator" } } },
    @{ Name = 'SourceIP'; Expression = { $_.Properties[2].Value } } |
Sort-Object TimeCreated |
Select-Object -Last 1

$MailParams = 
@{
    SmtpServer = "mail.scomage.com"
    From       = "BWAQBW@BWAServer.com"
    To         = "support@scomage.com"
    Subject    = "BWAQB RDP " + $LastEvent.UserName + " " + $LastEvent.SourceIP
    Body       = $LastEvent.UserName + " logged into BWA QB Server at " + `
    $LastEvent.TimeCreated.ToString('g') + " From: " + $LastEvent.SourceIP
}

Send-MailMessage @MailParams

Script to send logon email:

$Event = Get-WinEvent -FilterHashTable @{
    LogName='Security'; ID=4624; StartTime=$DateLess10; } |
    Where-Object{$_.Properties[8].Value -eq 10 } | 
    Sort-Object TimeCreated |
    Select-Object -Last 1 

if( $Event.Properties[8].Value -eq 10 )
{
    $MailParams = 
    @{
        SmtpServer = "mail.scomage.com"
        From       = "BWAQBW@BWAServer.com"
        To         = "support@scomage.com"
        Subject    = "BWAQB Remote Login " + $Event.Properties[5].Value + " " + $Event.Properties[18].Value
        Body       = $Event.Properties[5].Value + " logged into BWA QB Server at " + `
        $Event.TimeCreated.ToString('g') + " From: " + $Event.Properties[18].Value
    }
    Send-MailMessage @MailParams
}

解决方案

Updated Based on Comments

Looks like the source address for the connection is recorded as the 3rd property in event 1149. Properties are an object array of type [System.Diagnostics.Eventing.Reader.EventProperty[]] which just means you have to access the sub-property .Value .

An Example to get the last event:

$LastEvent =
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"; Id = 1149} |
Select-Object *,
    @{ Name = 'UserName'; Expression = { $_.Properties[0].Value } },
    @{ Name = 'SourceIP'; Expression = { $_.Properties[2].Value } } |
Sort-Object TimeCreated |
Select-object -Last 1

Since I'm not sure Get-WinEvent will guarantee chronological order the the Sort-Object cmdlet is used. So it should result in the the last 1149 event. However, it doesn't guarantee it will be for the user that was returned by System.Security.Principal.WindowsIdentity]::GetCurrent().Name. I don't know what kind of machine this is or under what circumstances the script will be run. For example if it's a multi-user system (implied by Terminal Server) I suspect there's an edge case where last event may not be for the current user.

So, I'm guessing that we should isolate the last event for that user. We can do that with one of these samples:

Option 1:

$NTUserName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$UserName = $NTUserName.Split('\')[-1]

$Events =
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"; Id = 1149} |
Select-Object *,
    @{ Name = 'UserName'; Expression = { $_.Properties[0].Value } },
    @{ Name = 'SourceIP'; Expression = { $_.Properties[2].Value } } |
Group-Object -Property UserName -AsHashTable -AsString

$LastEvent = ($Events[$UserName] | Sort-Object TimeGenerated)[-1]

Option 2:

$NTUserName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$UserName = $NTUserName.Split('\')[-1]

$LastEvent =
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"; Id = 1149} |
Select-Object *,
    @{ Name = 'UserName'; Expression = { $_.Properties[0].Value } },
    @{ Name = 'SourceIP'; Expression = { $_.Properties[2].Value } } |
Where-Object{ $_.UserName -eq $UserName } |
Sort-Object TimeCreated |
Select-Object -Last 1

In both cases $LastEvent should have the last 1149 event for the current user. The first option has less sorting, because it is only sorting events for the specific user. you can use $LastEvent.SourceIP for the email.

A secondary note: You don't need to use System.Net.Mail.SMTPClient. you can use Send-MailMessage combined with command splatting that might look like:

$MailParams = 
@{
    SmtpServer = "mail.scomage.com"
    From       = "BWAQBW@BWAServer.com"
    To         = "support@scomage.com"
    Subject    = "BWAQB RDP"
    Body       = $UserName + " logged into BWA QB Server at " + $LastEvent.TimeCreated.ToString('g') + " From: " + $LastEvent.SourceIP
}

Send-MailMessage @MailParams

Note: Above was also updated after your comments to take advantage of the newer revisions. Note: .ToString('g') results in date format like '6/30/2020 9:17 PM'

I'm not sure if the body or subject is exactly right, but you can work that out.

Let me know how it goes. Thanks.

这篇关于Powershell 脚本 RDP 连接数据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！