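# Builds an Excel report of Remote Desktop session activity for one account.
# It reads the TerminalServices-LocalSessionManager operational log of the
# computer the script runs on (Get-WinEvent is called without a remote target),
# keeps the events whose User field matches the requested account, and saves
# the result as output.xlsx on the current user's Desktop.
# NOTE(review): reading this log may require an elevated session, and the
# report can only reach back as far as the log still holds events - confirm both.

# Interactive input: account name (without the domain prefix) and look-back window.
$user_name = Read-Host "имя пользователя"
$start = Read-Host "дней назад"

# Validate the day count up front. Otherwise a non-numeric answer leaves
# $StartTime empty and the query runs with an unintended time window.
# Invariant culture keeps "0.5" working regardless of the regional settings.
$days = 0.0
$isNumber = [double]::TryParse(
    $start,
    [System.Globalization.NumberStyles]::Float,
    [System.Globalization.CultureInfo]::InvariantCulture,
    [ref]$days)
if (-not $isNumber) {
    throw "The number of days must be numeric, got '$start'."
}
[datetime]$StartTime = (Get-Date).AddDays(-$days)

$xls = Join-Path $env:USERPROFILE\Desktop "output.xlsx"

# Session logon (21), logoff (23), disconnect (24) and reconnect (25) events.
# ID 22 is mapped to a label further down but is not requested here.
$LogFilter = @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    ID        = 21, 23, 24, 25
    StartTime = $StartTime
}

# Get-WinEvent reports an error when nothing matches the filter. Treat only that
# case as "no rows" and let every other failure (e.g. access denied) surface.
try {
    $AllEntries = @(Get-WinEvent -FilterHashtable $LogFilter -ErrorAction Stop)
}
catch {
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        $AllEntries = @()
    }
    else {
        throw
    }
}

# Plain assignment (not +=) so that a second run in the same session does not
# append to rows left over from the previous run.
# "DOMAIN" is presumably a placeholder for the real domain name - verify.
# -like is kept from the original: wildcard characters typed at the prompt
# (* ? [ ]) act as a pattern and can match more than one account.
$Output = @(
    foreach ($evt in $AllEntries) {
        $entry = [xml]$evt.ToXml()
        $data = $entry.Event.UserData.EventXML
        if ($data.User -like "DOMAIN\$user_name") {
            New-Object PSObject -Property @{
                TimeCreated = $evt.TimeCreated
                User        = $data.User
                IPAddress   = $data.Address
                EventID     = $evt.Id
            }
        }
    }
)

# Translate the numeric event ID into the label shown in the report.
$FilteredOutput = @(
    $Output | Select-Object TimeCreated, User, IPAddress, @{
        Name       = 'Action'
        Expression = {
            switch ($_.EventID) {
                21 { "Вход" }
                22 { "Запуск" }
                23 { "Выход" }
                24 { "Отключение" }
                25 { "Подключение" }
            }
        }
    }
)

# Write the rows through Excel COM automation. try/finally ensures that Excel is
# closed and every COM reference is released even if a write or the save fails,
# so no orphaned EXCEL.EXE process is left behind.
$excel = $null
$workbook = $null
$sheet = $null
$range = $null
try {
    $excel = New-Object -ComObject excel.application
    $workbook = $excel.Workbooks.Add()
    $sheet = $workbook.Worksheets.Item(1)

    # Newest events first; columns: time, user, address, action.
    $i = 1
    foreach ($row in ($FilteredOutput | Sort-Object TimeCreated -Descending)) {
        $sheet.Cells.Item($i, 1) = $row.TimeCreated
        $sheet.Cells.Item($i, 2) = $row.User
        $sheet.Cells.Item($i, 3) = $row.IPAddress
        $sheet.Cells.Item($i, 4) = $row.Action
        $i++
    }

    $range = $sheet.UsedRange
    [void]$range.EntireColumn.AutoFit()
    $excel.Visible = $true

    # 51 is the file-format code for an .xlsx workbook.
    $workbook.SaveAs($xls, 51)
}
finally {
    if ($workbook) { $workbook.Close($false) }
    if ($excel) { $excel.Quit() }
    foreach ($com in $range, $sheet, $workbook, $excel) {
        if ($com) {
            [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($com)
        }
    }
}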