Loginsearch.ps1 – What is it?
The script is attached to the bottom of this article. The information gathered can be used for troubleshooting either by yourself or by Umbrella Support.
How do I run the script?
Easy! Download the text file attached and rename the extension from '.txt' to '.ps1'.
Then, on a Windows server, open a new PowerShell window started via 'Right-Click > Run as Administrator'. Be careful of double extensions: don't accidentally end up with a file named '.txt.ps1'. Navigate to the location where you saved the script (for example, 'cd C:\Users\admin\Downloads') and execute it by typing ' .\loginsearch.ps1 '
The script prompts you for the username you want to search the Windows security event logs for, and then for a specific IP address if you prefer to search by IP. Just follow the on-screen prompts. Either search (Username or IP) can be used on its own, or both can be combined should you want to limit the results to a specific User AND IP address at the same time.
The script is quick to run. When it has finished you should see the output on the screen, including time stamps. In addition, a complete export of each event log entry shown on screen is written to 'C:\%hostname%.txt'. This can be useful should you want to dig further into a specific event.
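The following is an added example of how a search like the one described above can be implemented; it is not the attached loginsearch.ps1 and is not Umbrella's code. It assumes the standard Windows Security log logon event IDs (4624 successful logon, 4625 failed logon, 4634 logoff), a look-back window of 7 days (the original script does not document one), and the same prompting and export behaviour described in this article: prompt for a username and/or IP, print a time-stamped summary, and write every matched entry in full to 'C:\<hostname>.txt'.

```powershell
# Added example (not the original loginsearch.ps1): search the Security log for
# logon events by user and/or source IP, print a time-stamped summary, and export
# the full matching records to C:\<hostname>.txt.
# Run from an elevated PowerShell window; reading the Security log needs admin rights.

param(
    [string]$UserName,   # leave empty to skip the user filter
    [string]$IpAddress,  # leave empty to skip the IP filter
    [int]$Days = 7       # look-back window (assumption; not stated for the original script)
)

if (-not $UserName)  { $UserName  = Read-Host 'Username to search for (Enter to skip)' }
if (-not $IpAddress) { $IpAddress = Read-Host 'Source IP to search for (Enter to skip)' }

if (-not $UserName -and -not $IpAddress) {
    Write-Warning 'No username or IP given; nothing to search for.'
    return
}

# Standard Windows Security event IDs: 4624 = successful logon, 4625 = failed logon, 4634 = logoff
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4634
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises a non-terminating error when nothing matches; suppress it and treat as "no results"
$found = foreach ($event in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    # The account name and source IP live in the event's XML payload, so parse it
    # rather than pattern-matching the free-text Message
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # An empty filter value means "match anything" for that field
    $userMatch = -not $UserName  -or $data['TargetUserName'] -eq $UserName
    $ipMatch   = -not $IpAddress -or $data['IpAddress']      -eq $IpAddress

    if ($userMatch -and $ipMatch) {
        [pscustomobject]@{
            TimeCreated = $event.TimeCreated
            EventId     = $event.Id
            User        = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = $data['LogonType']
            SourceIp    = $data['IpAddress']
            Message     = $event.Message
        }
    }
}

if (-not $found) {
    Write-Host "No matching logon events in the last $Days day(s)."
    return
}

# On-screen summary with time stamps
$found | Select-Object TimeCreated, EventId, User, Domain, LogonType, SourceIp | Format-Table -AutoSize

# Full export of every matched entry, one file per host, for deeper investigation
$outFile = "C:\$env:COMPUTERNAME.txt"
$found | Format-List * | Out-File -FilePath $outFile -Encoding UTF8
Write-Host "Exported $(@($found).Count) event(s) to $outFile"
```

Usage: '.\example-loginsearch.ps1' with no arguments prompts exactly as the article describes; '.\example-loginsearch.ps1 -UserName alice -IpAddress 10.0.0.5 -Days 30' (constructed values) skips the prompts and widens the window. Filtering on the XML 'TargetUserName' and 'IpAddress' fields rather than on the rendered message text avoids false matches when a username happens to appear elsewhere in a message, and the output file naming follows the 'C:\%hostname%.txt' convention from the article.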