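博主写了一个小脚本/工具(Github下载地址包含全部源码及pyinstaller转的exe可执行程序),用来获取域环境内所有用户登录信息,大家觉得不错就收下吧,欢迎交流提建议。注意:脚本通过 wevtutil 读取的是运行所在主机的 Security 日志(事件 4624 登录、4634 注销),因此统计范围取决于在哪台主机上运行,且运行账户需要有读取 Security 日志的权限。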
EventLogonStat.bat
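@echo off
rem Export logon (4624) and logoff (4634) events from the local Security log as
rem text, hand the export to EventLogonStat.exe, then delete the export.
rem Reading the Security log needs an elevated prompt or Event Log Readers membership.

rem /d also switches the drive, and the quotes keep a script path with spaces intact.
cd /d "%~dp0"

wevtutil qe security /format:text /q:"Event[System[(EventID=4624 or EventID=4634)]]" > EvtLogon.dat
rem Stop if the export failed, so the parser is not run on an empty or partial file.
if errorlevel 1 (
    echo wevtutil could not read the Security log; run this script elevated. 1>&2
    del /F EvtLogon.dat 2>nul
    exit /b 1
)

EventLogonStat.exe EvtLogon.dat

rem The export holds account names and logon details; remove it once it is parsed.
del /F EvtLogon.dat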
EventLogonStat.py
# -- coding:utf-8 --
# Python v2.7.10
# EventLogonStat.py
# Written by Gaearrow
import sys
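# Logon Type Dictionary
# Maps the numeric Windows logon type (the "Logon Type" value reported in
# event 4624) to a display name. The original labels are unchanged; types 12
# and 13 are added because Windows also reports them for cached-credential
# logons, and without them those events would have no label in this table.
logontypedic = {
    0: 'Unknown 0',   # NOTE(review): Microsoft documents type 0 as "System"; label kept as-is
    1: 'Unknown 1',
    2: 'Interactive',
    3: 'Network',
    4: 'Batch',
    5: 'Service',
    6: 'Unknown 6',
    7: 'Unlock',
    8: 'NetworkCleartext',          # credentials reached the auth package in cleartext
    9: 'NewCredentials',            # e.g. runas /netonly
    10: 'RemoteInteractive',        # Terminal Services / Remote Desktop
    11: 'CachedInteractive',        # validated against cached domain credentials
    12: 'CachedRemoteInteractive',  # RemoteInteractive logon using cached credentials
    13: 'CachedUnlock',             # workstation unlock using cached credentials
}

# Logon ID Set
# Starts empty; presumably collects the Logon IDs seen while parsing. The code
# that fills it is outside this excerpt.
logonidset = set()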
# Process Input
if len(sys.argv) != 2:
print 'Usage: '
print 'wevtutil qe security /format:text /q:"Event[System[(EventID=4624 or EventID=4634)]]