Powershell 脚本 RDP 连接数据
Powershell script RDP connection data
我正在尝试获取 RDP 连接的源网络地址,以便在用户连接到服务器时发送电子邮件。除了源地址,我什么都有。我的脚本由 RemoteConnectionManager 操作日志中的事件 1149 触发。我只需要从系统访问事件数据或源地址。
$SmtpClient = new-object system.net.mail.smtpClient
$MailMessage = New-Object system.net.mail.mailmessage
$SmtpClient.Host = "mail.scomage.com"
$mailmessage.from = ("BWAQBW@BWAServer.com")
$mailmessage.To.add("support@scomage.com")
$mailmessage.Subject = “BWAQB RDP”
$mailmessage.Body = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name + “ logged into BWA QB Server”
$smtpclient.Send($mailmessage)
在 Steven 的大力帮助下最终脚本:
$LastEvent = Get-WinEvent -FilterHashtable `
@{ LogName = "Microsoft-Windows-TerminalServices-
RemoteConnectionManager/Operational"; Id = 1149} |
Select-Object *,
@{ Name = 'UserName'; Expression = `
{ if ($_.Properties[0].Value) { $_.Properties[0].Value } else { "Administrator" } } },
@{ Name = 'SourceIP'; Expression = { $_.Properties[2].Value } } |
Sort-Object TimeCreated |
Select-Object -Last 1
$MailParams =
@{
SmtpServer = "mail.scomage.com"
From = "BWAQBW@BWAServer.com"
To = "support@scomage.com"
Subject = "BWAQB RDP " + $LastEvent.UserName + " " + $LastEvent.SourceIP
Body = $LastEvent.UserName + " logged into BWA QB Server at " + `
$LastEvent.TimeCreated.ToString('g') + " From: " + $LastEvent.SourceIP
}
Send-MailMessage @MailParams
发送登录电子邮件的脚本:
$Event = Get-WinEvent -FilterHashTable @{
LogName='Security'; ID=4624; StartTime=$DateLess10; } |
Where-Object{$_.Properties[8].Value -eq 10 } |
Sort-Object TimeCreated |
Select-Object -Last 1
if( $Event.Properties[8].Value -eq 10 )
{
$MailParams =
@{
SmtpServer = "mail.scomage.com"
From = "BWAQBW@BWAServer.com"
To = "support@scomage.com"
Subject = "BWAQB Remote Login " + $Event.Properties[5].Value + " " + $Event.Properties[18].Value
Body = $Event.Properties[5].Value + " logged into BWA QB Server at " + `
$Event.TimeCreated.ToString('g') + " From: " + $Event.Properties[18].Value
}
Send-MailMessage @MailParams
}
根据评论更新
看起来连接的源地址在事件 1149 中被记录为第 3 个 属性。属性是一个 [System.Diagnostics.Eventing.Reader.EventProperty[]] 类型的对象数组,这意味着您必须访问子 属性 .Value .
获取最后一个事件的示例:
$LastEvent =
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"; Id = 1149} |
Select-Object *,
@{ Name = 'UserName'; Expression = { $_.Properties[0].Value } },
@{ Name = 'SourceIP'; Expression = { $_.Properties[2].Value } } |
Sort-Object TimeCreated |
Select-object -Last 1
由于我不确定 Get-WinEvent 是否会保证时间顺序,因此使用了 Sort-Object cmdlet。所以它应该导致最后一个 1149 事件。但是,它不保证它将用于 System.Security.Principal.WindowsIdentity]::GetCurrent().Name 返回的用户。不知道这是什么机器,什么情况下脚本会运行。例如,如果它是一个多用户系统(由终端服务器暗示),我怀疑存在最后一个事件可能不适用于当前用户的边缘情况。
所以,我猜我们应该隔离该用户的最后一个事件。我们可以使用以下示例之一来做到这一点:
选项 1:
$NTUserName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$UserName = $NTUserName.Split('\')[-1]
$Events =
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"; Id = 1149} |
Select-Object *,
@{ Name = 'UserName'; Expression = { $_.Properties[0].Value } },
@{ Name = 'SourceIP'; Expression = { $_.Properties[2].Value } } |
Group-Object -Property UserName -AsHashTable -AsString
$LastEvent = ($Events[$UserName] | Sort-Object TimeGenerated)[-1]
选项 2:
$NTUserName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$UserName = $NTUserName.Split('\')[-1]
$LastEvent =
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"; Id = 1149} |
Select-Object *,
@{ Name = 'UserName'; Expression = { $_.Properties[0].Value } },
@{ Name = 'SourceIP'; Expression = { $_.Properties[2].Value } } |
Where-Object{ $_.UserName -eq $UserName } |
Sort-Object TimeCreated |
Select-Object -Last 1
在这两种情况下,$LastEvent 应该有当前用户的最后一个 1149 事件。第一个选项排序较少,因为它只是为特定用户排序事件。您可以使用 $LastEvent.SourceIP 作为电子邮件地址。
辅助说明:您不需要使用 System.Net.Mail.SMTPClient。您可以将 Send-MailMessage 与可能如下所示的命令拼接结合使用:
$MailParams =
@{
SmtpServer = "mail.scomage.com"
From = "BWAQBW@BWAServer.com"
To = "support@scomage.com"
Subject = "BWAQB RDP"
Body = $UserName + " logged into BWA QB Server at " + $LastEvent.TimeCreated.ToString('g') + " From: " + $LastEvent.SourceIP
}
Send-MailMessage @MailParams
注意:以上内容也在您发表评论后进行了更新,以利用较新的修订版。注意:.ToString('g') 结果的日期格式类似于 '6/30/2020 9:17 PM'
我不确定正文或主题是否完全正确,但你可以解决这个问题。
我正在尝试获取 RDP 连接的源网络地址,以便在用户连接到服务器时发送电子邮件。除了源地址,我什么都有。我的脚本由 RemoteConnectionManager 操作日志中的事件 1149 触发。我只需要从系统访问事件数据或源地址。
$SmtpClient = new-object system.net.mail.smtpClient
$MailMessage = New-Object system.net.mail.mailmessage
$SmtpClient.Host = "mail.scomage.com"
$mailmessage.from = ("BWAQBW@BWAServer.com")
$mailmessage.To.add("support@scomage.com")
$mailmessage.Subject = “BWAQB RDP”
$mailmessage.Body = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name + “ logged into BWA QB Server”
$smtpclient.Send($mailmessage)
在 Steven 的大力帮助下最终脚本:
$LastEvent = Get-WinEvent -FilterHashtable `
@{ LogName = "Microsoft-Windows-TerminalServices-
RemoteConnectionManager/Operational"; Id = 1149} |
Select-Object *,
@{ Name = 'UserName'; Expression = `
{ if ($_.Properties[0].Value) { $_.Properties[0].Value } else { "Administrator" } } },
@{ Name = 'SourceIP'; Expression = { $_.Properties[2].Value } } |
Sort-Object TimeCreated |
Select-Object -Last 1
$MailParams =
@{
SmtpServer = "mail.scomage.com"
From = "BWAQBW@BWAServer.com"
To = "support@scomage.com"
Subject = "BWAQB RDP " + $LastEvent.UserName + " " + $LastEvent.SourceIP
Body = $LastEvent.UserName + " logged into BWA QB Server at " + `
$LastEvent.TimeCreated.ToString('g') + " From: " + $LastEvent.SourceIP
}
Send-MailMessage @MailParams
发送登录电子邮件的脚本:
$Event = Get-WinEvent -FilterHashTable @{
LogName='Security'; ID=4624; StartTime=$DateLess10; } |
Where-Object{$_.Properties[8].Value -eq 10 } |
Sort-Object TimeCreated |
Select-Object -Last 1
if( $Event.Properties[8].Value -eq 10 )
{
$MailParams =
@{
SmtpServer = "mail.scomage.com"
From = "BWAQBW@BWAServer.com"
To = "support@scomage.com"
Subject = "BWAQB Remote Login " + $Event.Properties[5].Value + " " + $Event.Properties[18].Value
Body = $Event.Properties[5].Value + " logged into BWA QB Server at " + `
$Event.TimeCreated.ToString('g') + " From: " + $Event.Properties[18].Value
}
Send-MailMessage @MailParams
}
根据评论更新
看起来连接的源地址在事件 1149 中被记录为第 3 个 属性。属性是一个 [System.Diagnostics.Eventing.Reader.EventProperty[]] 类型的对象数组,这意味着您必须访问子 属性 .Value .
获取最后一个事件的示例:
$LastEvent =
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"; Id = 1149} |
Select-Object *,
@{ Name = 'UserName'; Expression = { $_.Properties[0].Value } },
@{ Name = 'SourceIP'; Expression = { $_.Properties[2].Value } } |
Sort-Object TimeCreated |
Select-object -Last 1
由于我不确定 Get-WinEvent 是否会保证时间顺序,因此使用了 Sort-Object cmdlet。所以它应该导致最后一个 1149 事件。但是,它不保证它将用于 System.Security.Principal.WindowsIdentity]::GetCurrent().Name 返回的用户。不知道这是什么机器,什么情况下脚本会运行。例如,如果它是一个多用户系统(由终端服务器暗示),我怀疑存在最后一个事件可能不适用于当前用户的边缘情况。
所以,我猜我们应该隔离该用户的最后一个事件。我们可以使用以下示例之一来做到这一点:
选项 1:
$NTUserName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$UserName = $NTUserName.Split('\')[-1]
$Events =
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"; Id = 1149} |
Select-Object *,
@{ Name = 'UserName'; Expression = { $_.Properties[0].Value } },
@{ Name = 'SourceIP'; Expression = { $_.Properties[2].Value } } |
Group-Object -Property UserName -AsHashTable -AsString
$LastEvent = ($Events[$UserName] | Sort-Object TimeGenerated)[-1]
选项 2:
$NTUserName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$UserName = $NTUserName.Split('\')[-1]
$LastEvent =
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"; Id = 1149} |
Select-Object *,
@{ Name = 'UserName'; Expression = { $_.Properties[0].Value } },
@{ Name = 'SourceIP'; Expression = { $_.Properties[2].Value } } |
Where-Object{ $_.UserName -eq $UserName } |
Sort-Object TimeCreated |
Select-Object -Last 1
在这两种情况下,$LastEvent 应该有当前用户的最后一个 1149 事件。第一个选项排序较少,因为它只是为特定用户排序事件。您可以使用 $LastEvent.SourceIP 作为电子邮件地址。
辅助说明:您不需要使用 System.Net.Mail.SMTPClient。您可以将 Send-MailMessage 与可能如下所示的命令拼接结合使用:
$MailParams =
@{
SmtpServer = "mail.scomage.com"
From = "BWAQBW@BWAServer.com"
To = "support@scomage.com"
Subject = "BWAQB RDP"
Body = $UserName + " logged into BWA QB Server at " + $LastEvent.TimeCreated.ToString('g') + " From: " + $LastEvent.SourceIP
}
Send-MailMessage @MailParams
注意:以上内容也在您发表评论后进行了更新,以利用较新的修订版。注意:.ToString('g') 结果的日期格式类似于 '6/30/2020 9:17 PM'
我不确定正文或主题是否完全正确,但你可以解决这个问题。