<#
.SYNOPSIS
Script to display Windows login, logout, lock, and unlock events with usernames.
.DESCRIPTION
Reads security events and displays human-readable usernames instead of SIDs.
- Using -UserName <name> filters events for that user.
- If no parameters are provided, shows usage.
.NOTES
Run from an elevated (Run as administrator) PowerShell session; reading the Security event log requires elevated rights.
#>
param(
    # Account name used to filter the events; when it is omitted the
    # script prints its usage text and exits.
    [string] $UserName
)
function Show-Usage {
    # Prints the invocation syntax and one example to the host, in yellow.
    $usageLines = @(
        "Usage:",
        " .\Get-WindowsLoginEvents.ps1 -UserName <name>",
        "Example:",
        " .\Get-WindowsLoginEvents.ps1 -UserName 'Max'"
    )
    foreach ($usageLine in $usageLines) {
        Write-Host $usageLine -ForegroundColor Yellow
    }
}
# Without a user name there is nothing to filter on: show the usage text
# and stop before the event log is touched.
if ([string]::IsNullOrEmpty($UserName)) {
    Show-Usage
    exit
}
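# Record the effective execution policy; the end of the script reads
# $originalPolicy.
#
# The policy is deliberately NOT switched to Bypass here. Execution policy is
# evaluated when a script file is loaded, so by the time this line runs the
# script has already been allowed to start, and nothing in the visible script
# loads further script files. Lowering the process-scope policy would only
# weaken the hosting PowerShell session for whatever runs in it next, and it
# would stay lowered if the script stopped before reaching its final lines.
$originalPolicy = Get-ExecutionPolicy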
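# Function to get events by IDs
#
# Reads the records with the given event IDs from the Security log.
#   -EventIds : one or more numeric event IDs.
# Returns the matching event records, or an empty array when none exist or
# the log could not be read (the failure is printed to the host in that case).
function Get-EventsById {
    param (
        [int[]]$EventIds
    )
    try {
        # -ErrorAction Stop turns every failure into a terminating error so the
        # catch block sees it. With SilentlyContinue an access-denied result
        # (for example a non-elevated session) was swallowed and the caller
        # could not tell "no activity" apart from "log not readable".
        return Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = $EventIds } -ErrorAction Stop
    } catch {
        # Get-WinEvent reports "nothing matched" as an error as well; that case
        # is an ordinary empty result, not a failure.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            return @()
        }
        Write-Host "Error reading events: $_" -ForegroundColor Red
        return @()
    }
}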
# Resolve SID to username
#
#   -Sid : the security identifier to translate.
# Returns the value of the translated NTAccount, or the input unchanged when
# it cannot be parsed or translated.
function Get-UsernameFromSid {
    param ($Sid)
    try {
        $sidObject = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
        $account = $sidObject.Translate([System.Security.Principal.NTAccount])
        return $account.Value
    } catch {
        # Any failure falls back to whatever the caller passed in.
        return $Sid
    }
}
# Security-log event IDs used by this script.
# NOTE(review): $lockId and $unlockId are defined but the retrieval below only
# queries logon and logoff events - confirm whether lock/unlock should be read too.
$logonId, $logoffId, $lockId, $unlockId = 4624, 4634, 4800, 4801

# Fetch logon and logoff records with one query per event ID.
$logons = Get-EventsById -EventIds $logonId
$logoffs = Get-EventsById -EventIds $logoffId
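# Filter events for specified user
#
# The match is made against the TargetUserName field only (Properties[5] for
# logon event 4624, Properties[1] for logoff event 4634). Testing every
# property also selected events in which the text merely appeared in another
# field, such as a workstation name or a process path, and attributed them to
# the user.
# The comparison remains a case-insensitive substring match, and wildcard
# characters in $UserName are still interpreted by -like, so 'Max' also selects
# 'Maxine'.
$logonsFiltered = @($logons | Where-Object {
    $null -ne $_ -and $_.Properties.Count -ge 6 -and $_.Properties[5].Value -like "*$UserName*"
})
$logoffsFiltered = @($logoffs | Where-Object {
    $null -ne $_ -and $_.Properties.Count -ge 2 -and $_.Properties[1].Value -like "*$UserName*"
})

# Both operands are real arrays, so an empty result contributes nothing.
# Appending a $null result with += added a $null element that later showed up
# as a blank row in the output.
$events = @($logonsFiltered) + @($logoffsFiltered)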
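# Display events with username resolution
Write-Host "User Activity Log" -ForegroundColor Cyan
Write-Host "------------------------------" -ForegroundColor Cyan

# Zero-based positions of the TargetUserSid and TargetUserName fields in the
# Properties collection of each event type. For 4624 the SID is at index 4;
# index 5 holds the account name, which is not a SID and previously only
# reached the output because the SID translation failed and fell back to it.
$targetFieldIndex = @{
    4624 = @{ Sid = 4; Name = 5 }
    4634 = @{ Sid = 0; Name = 1 }
    4800 = @{ Sid = 0; Name = 1 }
    4801 = @{ Sid = 0; Name = 1 }
}

# Null entries are dropped so that an empty result does not print blank rows.
$events | Where-Object { $null -ne $_ } | Sort-Object TimeCreated | ForEach-Object {
    # Keep the record in its own variable: inside the switch below $_ is the
    # event ID, not the event record.
    $record = $_

    $eventType = switch ($record.Id) {
        4624 { 'Logon' }
        4634 { 'Logoff' }
        4800 { 'Locked' }
        4801 { 'Unlocked' }
        default { "EventID $($record.Id)" }
    }

    # Read the target account's SID and name, guarding against records that
    # carry fewer properties than expected.
    $targetSid = $null
    $targetName = $null
    $fieldIndex = $targetFieldIndex[[int]$record.Id]
    if ($fieldIndex) {
        if ($record.Properties.Count -gt $fieldIndex.Sid) {
            $targetSid = $record.Properties[$fieldIndex.Sid].Value
        }
        if ($record.Properties.Count -gt $fieldIndex.Name) {
            $targetName = $record.Properties[$fieldIndex.Name].Value
        }
    }

    # A separate variable name is used on purpose: PowerShell variable names
    # are case-insensitive and this script block runs in the script's scope,
    # so assigning $userName here would overwrite the -UserName parameter.
    $displayName = 'N/A'
    if ($targetSid) {
        $resolved = Get-UsernameFromSid -Sid $targetSid
        # Get-UsernameFromSid returns its input when translation fails; the
        # name recorded in the event is more readable than a raw SID.
        if ("$resolved" -eq "$targetSid" -and $targetName) {
            $displayName = $targetName
        } else {
            $displayName = $resolved
        }
    } elseif ($targetName) {
        $displayName = $targetName
    }

    # NOTE(review): 4624 is logged for every logon type (network, service,
    # interactive, ...), so a 'Logon' row is not necessarily an interactive
    # session; the logon type is not shown in this table.
    [PSCustomObject]@{
        Time      = $record.TimeCreated
        EventType = $eventType
        User      = $displayName
    }
} | Format-Table -AutoSize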
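# Restore original execution policy
#
# $originalPolicy holds the effective policy captured near the top of the
# script. When it was already 'Bypass' there is nothing to put back.
# NOTE(review): this writes the previously effective value into the Process
# scope; it does not clear that scope back to 'Undefined'.
# The page footer that was fused onto the closing brace has been removed; it
# was not part of the script and prevented the file from parsing.
if ($originalPolicy -ne 'Bypass') {
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy $originalPolicy -Force
}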