Want to quickly get a list of logon/logoff events for a Windows computer? It's pretty easy with a quick PowerShell query! The query below can either be run directly from PowerShell if you're looking for local computer logon/logoff events, or saved as a PS1 script and run with the "-ComputerName" parameter to target another computer.
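<#
.SYNOPSIS
    Lists Winlogon logon/logoff notifications from the System event log.
.DESCRIPTION
    Reads System log entries written by the Microsoft-Windows-Winlogon source
    on each target computer and emits one object per entry with the properties
    User, Action, Time and MachineName, newest first for each computer.
    Only event IDs 7001 (logon) and 7002 (logoff) are reported, so any other
    entry from the same source is not mislabelled as a logoff.
    NOTE(review): these are Winlogon session notifications; network and service
    logons are recorded in the Security log instead (for example 4624/4634),
    so treat this output as a quick view rather than a complete audit trail.
.PARAMETER ComputerName
    One or more computer names to query. Defaults to the local computer.
#>
param(
    [alias("CN")]
    [string[]]$ComputerName = $env:COMPUTERNAME
)

# ReplacementStrings[1] holds the user's SID as text. Translation to an account
# name happens on the machine running this script, so a deleted account or a
# local account of a remote machine may not resolve; fall back to the raw SID
# instead of leaving the User column empty.
$UserProperty = @{n="User";e={
    $sid = $_.ReplacementStrings[1]
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount])
    }
    catch {
        $sid
    }
}}
$TypeProperty = @{n="Action";e={if($_.EventID -eq 7001) {"Logon"} else {"Logoff"}}}
$TimeProperty = @{n="Time";e={$_.TimeGenerated}}
$MachineNameProperty = @{n="MachineName";e={$_.MachineName}}

foreach ($computer in $ComputerName) {
    # Keep only the logon (7001) and logoff (7002) notifications before labelling.
    $logonEvents = Get-EventLog System -Source Microsoft-Windows-Winlogon -ComputerName $computer |
        Where-Object { $_.EventID -eq 7001 -or $_.EventID -eq 7002 } |
        Select-Object $UserProperty,$TypeProperty,$TimeProperty,$MachineNameProperty
    $logonEvents | Sort-Object Time -Descending
}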