This is another quick post on how to check the User32 events in the System log of a remote server from a management server; as a bonus it also gives you lots of other handy one-line commands.
Get-WinEvent -ComputerName "<remote-server>" -FilterHashtable @{LogName='System';ProviderName='User32'}
This will return all the matching events for that server, as below:
TimeCreated : 23/12/2024 12:37:35
ProviderName : User32
Id : 1074
Message : The process C:\Windows\system32\wbem\wmiprvse.exe (rebooting.server) has initiated the restart of computer rebooting.server on behalf of user NT AUTHORITY\SYSTEM for the
following reason: No title for this reason could be found
Reason Code: 0x80070015
Shutdown Type: restart
Comment:
TimeCreated : 12/12/2024 11:22:20
ProviderName : User32
Id : 1074
Message : The process C:\Windows\Explorer.EXE (remote.server) has initiated the power off of computer remote.server on behalf of user <user> for the following reason:
Other (Unplanned)
Reason Code: 0x0
Shutdown Type: Power Off
Comment:
If you then want to look at the WMI activity log on that server remotely, to see whether there are errors relating to that process (in the first event above the restart was initiated by wmiprvse.exe), you can use this command:
Get-WinEvent -ComputerName "<remote-server>" -FilterHashtable @{LogName='Microsoft-Windows-WMI-Activity/Operational';ProviderName='Microsoft-Windows-WMI-Activity'}
Lockout Events
Now let's look at the account lockout events. Event ID 4740 only shows you the lockout itself, not the failed logons that caused it, and it is logged on the domain controller that processed the lockout, so you can query a single DC for the basic data with:
Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='Security';ID=4740} -MaxEvents 10
If you wish to format this so you can see the locked account and the caller computer (the first and second entries in the event's Properties collection, which for 4740 are the TargetUserName and the Caller Computer Name), then you can use this command:
Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='Security';ID=4740} -MaxEvents 10 | Select-Object TimeCreated,@{N='LockedAccount';E={$_.Properties[0].Value}},@{N='CallerComputer';E={$_.Properties[1].Value}}
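The one-liner above relies on the positional order of the Properties collection. As an added example that is not part of the original post, the function below reads the 4740 fields by name from the event XML instead, and then pivots to the Kerberos pre-authentication failures (4771) and NTLM validation failures (4776) for the same account on the same DC in the window before the lockout, which is usually what you want next. The DC name in the usage line is a placeholder, and the function assumes you have read access to the Security log on that DC.

```powershell
# Added example (not from the original post): pivot from a 4740 lockout to the failed
# authentications that preceded it, reading event fields by name rather than by position.
function Get-LockoutContext {
    param(
        [Parameter(Mandatory)][string]$DC,   # DC to query; the PDC emulator sees every lockout in the domain
        [int]$MaxLockouts = 5,
        [int]$LookbackMinutes = 30
    )

    # Turn an event record into a hashtable keyed by the <Data Name="..."> fields of its XML,
    # so the code does not depend on the positional order of $_.Properties.
    function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event) {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        return $data
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no lockouts" rather than failing.
    $lockouts = Get-WinEvent -ComputerName $DC -FilterHashtable @{LogName='Security'; ID=4740} `
                -MaxEvents $MaxLockouts -ErrorAction SilentlyContinue
    if (-not $lockouts) { Write-Warning "No 4740 events found on $DC"; return }

    foreach ($lock in $lockouts) {
        $d      = ConvertTo-EventData $lock
        $user   = $d['TargetUserName']
        $caller = $d['TargetDomainName']   # in 4740 this field carries the Caller Computer Name

        # 4771 (Kerberos pre-auth failure) and 4776 (NTLM validation failure) for the same account,
        # logged on this DC in the lookback window that ends at the lockout.
        $failures = Get-WinEvent -ComputerName $DC -FilterHashtable @{
                        LogName   = 'Security'
                        ID        = 4771, 4776
                        StartTime = $lock.TimeCreated.AddMinutes(-$LookbackMinutes)
                        EndTime   = $lock.TimeCreated
                    } -ErrorAction SilentlyContinue |
                    Where-Object { (ConvertTo-EventData $_)['TargetUserName'] -eq $user }

        [pscustomobject]@{
            LockedAt       = $lock.TimeCreated
            LockedAccount  = $user
            CallerComputer = $caller
            PriorFailures  = @($failures).Count
            # 4771 records the client IP; 4776 records the workstation name.
            Sources        = (@($failures) | ForEach-Object {
                                  $f = ConvertTo-EventData $_
                                  if ($_.Id -eq 4771) { $f['IpAddress'] } else { $f['Workstation'] }
                              } | Sort-Object -Unique) -join ', '
        }
    }
}

# Usage (DC name is a placeholder):
# Get-LockoutContext -DC 'dc01.example.local' -LookbackMinutes 60 | Format-Table -AutoSize
```

Note that 4625 is logged on the machine where the logon was attempted, not on the DC, so if the caller computer is a member server you would run the 4625 query from further down this post against that server rather than against the DC.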
Various other commands
These are various other commands I use on a daily basis.
Last 10 system errors
Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='System';Level=2} -MaxEvents 10
Last 10 Service starts/stops
Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='System';ID=7036} -MaxEvents 10
Last 10 failed logon attempts
Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 10
Last 10 program installations (MsiInstaller event 11707, so this only covers MSI-based installs)
Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='Application';ID=11707} -MaxEvents 10
Last 10 System restarts/shutdowns
Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='System';ID=1074,6006,6008} -MaxEvents 10
Last 10 Application log errors
Get-WinEvent -ComputerName "<server>" -FilterHashtable @{LogName='Application';Level=2} -MaxEvents 10
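Running those one-liners by hand against a dozen servers gets old quickly. The function below, added here as an example and not taken from the original post, wraps the same filters into a single sweep over a list of servers, restricts each query to the last N hours with StartTime, and handles the two things that trip people up in scripts: Get-WinEvent raises an error (not an empty result) when no events match, and an unreachable server should be reported rather than abort the whole run. The server names in the usage line are placeholders.

```powershell
# Added example (not from the original post): sweep several servers for the checks listed above.
function Get-ServerEventSummary {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$Hours = 24,
        [int]$MaxEvents = 10
    )

    $since = (Get-Date).AddHours(-$Hours)

    # Same filters as the one-liners above, each bounded to the lookback window.
    $checks = @(
        @{ Name = 'SystemErrors';   Filter = @{ LogName='System';      Level=2;                                      StartTime=$since } }
        @{ Name = 'AppErrors';      Filter = @{ LogName='Application'; Level=2;                                      StartTime=$since } }
        @{ Name = 'ServiceChanges'; Filter = @{ LogName='System';      ID=7036;                                      StartTime=$since } }
        @{ Name = 'Shutdowns';      Filter = @{ LogName='System';      ID=1074,6006,6008;                            StartTime=$since } }
        @{ Name = 'FailedLogons';   Filter = @{ LogName='Security';    ID=4625;                                      StartTime=$since } }
        @{ Name = 'MsiInstalls';    Filter = @{ LogName='Application'; ProviderName='MsiInstaller'; ID=11707;        StartTime=$since } }
    )

    foreach ($computer in $ComputerName) {
        foreach ($check in $checks) {
            $count = 0; $latest = $null; $problem = $null
            try {
                # -ErrorAction Stop turns Get-WinEvent's non-terminating errors into catchable exceptions.
                $events = @(Get-WinEvent -ComputerName $computer -FilterHashtable $check.Filter `
                                         -MaxEvents $MaxEvents -ErrorAction Stop)
                $count  = $events.Count
                $latest = $events[0].TimeCreated   # newest first
            }
            catch {
                # "No events were found" is a normal outcome, not a failure of the sweep.
                if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $count = 0 }
                else { $problem = $_.Exception.Message }   # RPC unreachable, access denied, log missing, etc.
            }

            [pscustomobject]@{
                Computer = $computer
                Check    = $check.Name
                Count    = $count
                Latest   = $latest
                Error    = $problem
            }
        }
    }
}

# Usage (server names are placeholders):
# Get-ServerEventSummary -ComputerName 'srv01','srv02' -Hours 12 |
#     Sort-Object Computer, Check | Format-Table -AutoSize
```

Get-WinEvent -ComputerName talks to the remote Event Log service over RPC, so the "Remote Event Log Management" firewall rules need to be enabled on the targets; if only WinRM is open, wrap the same Get-WinEvent call (without -ComputerName) in Invoke-Command instead.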