Open PowerShell as administrator and run the following command:
Get-EventLog -LogName Security -InstanceId 4624 -Newest 50 |
Where-Object { $_.ReplacementStrings[8] -eq 10 } |
Select-Object TimeGenerated,
@{Name="User"; Expression = { $_.ReplacementStrings[5] }},
@{Name="Source IP"; Expression = { $_.ReplacementStrings[18] }} |
Format-Table -AutoSize
🧩 Step-by-Step Breakdown:
1. Get-EventLog -LogName Security -InstanceId 4624 -Newest 50
- Get-EventLog: Fetches events from the Windows Event Log.
- -LogName Security: Targets the Security log.
- -InstanceId 4624: Filters only Event ID 4624 → Successful Logon.
- -Newest 50: Fetches the latest 50 matching entries.
2. Where-Object { $_.ReplacementStrings[8] -eq 10 }
- Filters the results to only include events where Logon Type is 10.
- ReplacementStrings[8] = Logon Type in the 4624 event.
- 10 = RemoteInteractive (RDP, Terminal Services)
3. Select-Object
- This chooses which fields to display:
- TimeGenerated: The time the logon occurred.
- User: Extracted from ReplacementStrings[5] → TargetUserName
- Source IP: Extracted from ReplacementStrings[18] → IP address of the client
4. Format-Table -AutoSize
- Formats the output as a clean table with adjusted column widths.
✅ Final Output Example:
TimeGenerated User Source IP
-------------- ------- ---------------
7/31/2025 10:05 AM jsmith 192.168.1.101
7/31/2025 10:07 AM admin 10.0.0.5
You can also group the logons by user and check each user's first login time:
Get-EventLog -LogName Security -InstanceId 4624 -Newest 1000 |
Select-Object TimeGenerated,
@{Name="User"; Expression = { $_.ReplacementStrings[5] }},
@{Name="LogonType"; Expression = { $_.ReplacementStrings[8] }} |
Where-Object { $_.LogonType -eq '10' } |
Sort-Object User, TimeGenerated |
Group-Object User |
ForEach-Object { $_.Group | Select-Object -First 1 } |
Format-Table -AutoSize
Using this command, you can group the users and check their first login times. The output is simpler to understand than that of the previous command.
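Building on both commands above, here is an added example (not from the original post) that summarizes RDP logons per user: first and last logon, count, and the set of source addresses, flagging accounts seen from more than one address. It uses the same ReplacementStrings indices the post explains and assumes an elevated Windows PowerShell 5.1 session; the function name and the default ignore list are my own choices.

```powershell
# Added example: per-user summary of RDP (Logon Type 10) logons from Event ID 4624.
# Indices as explained above: [5] = TargetUserName, [8] = LogonType, [18] = IpAddress.
# Assumes an elevated Windows PowerShell 5.1 session (Get-EventLog is not in PowerShell 7).
function Get-RdpLogonSummary {
    param(
        [int]$Newest = 1000,
        # Source addresses to skip, e.g. local/loopback logons (constructed default list)
        [string[]]$IgnoreIp = @('-', '127.0.0.1', '::1')
    )

    Get-EventLog -LogName Security -InstanceId 4624 -Newest $Newest |
        Where-Object { $_.ReplacementStrings[8] -eq '10' } |
        Select-Object TimeGenerated,
            @{Name = 'User';     Expression = { $_.ReplacementStrings[5] } },
            @{Name = 'SourceIP'; Expression = { $_.ReplacementStrings[18] } } |
        Where-Object { $IgnoreIp -notcontains $_.SourceIP } |
        Group-Object User |
        ForEach-Object {
            # Oldest first, so [0] is the first logon and [-1] the most recent
            $sorted = @($_.Group | Sort-Object TimeGenerated)
            $ips    = @($sorted.SourceIP | Sort-Object -Unique)
            [pscustomobject]@{
                User        = $_.Name
                LogonCount  = $_.Count
                FirstLogon  = $sorted[0].TimeGenerated
                LastLogon   = $sorted[-1].TimeGenerated
                SourceIPs   = ($ips -join ', ')
                # One account arriving from several addresses is worth a closer look
                MultiSource = ($ips.Count -gt 1)
            }
        } |
        Sort-Object LogonCount -Descending
}

# Usage: widen the window to the newest 2000 Security events and show the table
Get-RdpLogonSummary -Newest 2000 | Format-Table -AutoSize
```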
| Logon Type Number | Meaning | Typical Scenario |
|---|---|---|
| 2 | Interactive | User logged on physically (keyboard/mouse) |
| 3 | Network | Access over network (e.g., RDP, SMB, file share) |
| 4 | Batch | Scheduled Task |
| 5 | Service | A service started automatically (e.g., SYSTEM services) |
| 7 | Unlock | User unlocked session |
| 10 | RemoteInteractive | RDP or Terminal Services |
| 11 | CachedInteractive | Cached domain credentials (offline logon) |
🛡️ Useful For:
- Checking who logged in via RDP
- Viewing remote login attempts
- Auditing recent successful logins with IP and user info