Windows系统通过powershell脚本收集远程登录IP地址和登录信息

Menahem

已于 2024-09-30 15:50:10 修改

阅读量218

点赞数 3

文章标签： windows tcp/ip 网络协议

于 2024-09-30 15:47:00 首次发布

本文链接：https://blog.csdn.net/qq_42179736/article/details/142658258

版权

通过powershell脚本收集IP地址和登录信息

Param(
    [array]$ServersToQuery = (hostname),
    [datetime]$StartTime = "January 1, 1970"
)
 
    foreach ($Server in $ServersToQuery) {
 
        $LogFilter = @{
            LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
            ID = 21, 23, 24, 25
            StartTime = $StartTime
            }
 
        $AllEntries = Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server
 
        $AllEntries | Foreach { 
            $entry = [xml]$_.ToXml()
            [array]$Output += New-Object PSObject -Property @{
                TimeCreated = $_.TimeCreated
                User = $entry.Event.UserData.EventXML.User
                IPAddress = $entry.Event.UserData.EventXML.Address
                EventID = $entry.Event.System.EventID
                ServerName = $Server
                }        
            } 
 
    }
 
    $FilteredOutput += $Output | Select TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={
                if ($_.EventID -eq '21'){"logon"}
                if ($_.EventID -eq '22'){"Shell start"}
                if ($_.EventID -eq '23'){"logoff"}
                if ($_.EventID -eq '24'){"disconnected"}
                if ($_.EventID -eq '25'){"reconnection"}
                }
            }
 
    $Date = (Get-Date -Format s) -replace ":", "."
    $FilePath = "$env:USERPROFILE\Desktop\$Date`_RDP_Report.csv"
    $FilteredOutput | Sort TimeCreated | Export-Csv $FilePath -NoTypeInformation
 
Write-host "Writing File: $FilePath" -ForegroundColor Cyan
Write-host "Done!" -ForegroundColor Cyan
 
 
#End

将脚本写入“查看远程登录IP地址.ps1”的脚本，然后右击脚本选择“使用powershell运行”即可，运行完会生成一个csv的文件，效果如下：