Jump to content

[Event Viewer] Get failed login attempts.

BinaryBrother

By BinaryBrother
in AutoIt Example Scripts

 Share

Recommended Posts

BinaryBrother Universalist

BinaryBrother

Posted
Posted

Firstly, I'd like to inform everyone that I did not create this wonderful piece of code that saved me some time. It wasn't on the forums and I feel that it deserves a post. It's all public code.

Credit: geekcomputers on GitHub

My modifications:

Added #RequireAdmin
Changed the Event ID to 4625.
Commented out the lines that modify or back up the logs.

As of right now, it only shows failed login attempts on the local machine. 

; Script Name   : eventlog_security.au3
; Author        : Craig Richards
; Created       : 3rd February 2012
; Last Modified :
; Version       : 1.0

; Modifications :

; Description   : This will show you the last failed login attempt, it then outputs all failed login attempts to a file, then clears all the Security part of the event log

#Include <EventLog.au3>             ; Include the Eventlog header file
#Include <String.au3>               ; Include the String header file
#Include <Array.au3>                ; Include the Array header file
#Include <GUIConstantsEx.au3>       ; Include the GUIConstantsEx header file
#Include <Date.au3>                 ; Include the Date header file
#Include <File.au3>                 ; Include the File header file
#RequireAdmin
Global $iMemo                       ; Set the Global Variable iMemo

_Main()                             ; Call the Function _Main

Func _Main()                        ; Start of the Main function
    Local $hEventLog, $aEvent       ; Set some Local variables

    GUICreate("EventLog", 400, 300) ; Create a Window to display the last record
    $iMemo = GUICtrlCreateEdit("", 2, 2, 396, 300, 0)
    GUICtrlSetFont($iMemo, 9, 400, 0, "Courier New")
    GUISetState()

$hEventLog = _EventLog__Open( "", "Security")   ; Create the variable hEventLog, this opens the Security Event Log
$x=_EventLog__Count ($hEventLog)                ; Get a count of all the records
MsgBox(4096,"Security events", "You Have " & $x & " events, displaying the last failure event") ; Display the Count of events
For $i=0 To $x                                              ; For all events
    $aEvent = _EventLog__Read($hEventLog, True, False)      ; Display just the last event
    if $aEvent[6] = "4625" then                             ; If the Error code is 529
        ; Display all the information
        MemoWrite("Result ............: " & $aEvent[ 0])
        MemoWrite("Record number .....: " & $aEvent[ 1])
        MemoWrite("Submitted .........: " & $aEvent[ 2] & " " & $aEvent[ 3])
        MemoWrite("Generated .........: " & $aEvent[ 4] & " " & $aEvent[ 5])
        MemoWrite("Event ID ..........: " & $aEvent[ 6])
        MemoWrite("Type ..............: " & $aEvent[ 8])
        MemoWrite("Category ..........: " & $aEvent[ 9])
        MemoWrite("Source ............: " & $aEvent[10])
        MemoWrite("Computer ..........: " & $aEvent[11])
        MemoWrite("Username ..........: " & $aEvent[12])
        MemoWrite("Description .......: " & $aEvent[13])
        ; Write out all the records to a log file and date stamp the file
        ;_FileWriteLog(@UserProfileDir & "\login_failure_attempts.log." & StringReplace(_DateTimeFormat( _NowCalc(),2), "/", "-"), $aEvent[10] & " " & $aEvent[11] & " " & $aEvent[12] & " " & $aEvent[13] & " " & $aEvent[4] & " " & $aEvent[5])
    endif                                                   ; End of the loop
    Next
;_EventLog__Backup($hEventLog, "C:\Security_EventLog.bak." & StringReplace(_DateTimeFormat( _NowCalc(),2), "/", "-"))   ; Backup the Security Event log
;_EventLog__Clear($hEventLog, "")                                                                                       ; Clear the event log
_EventLog__Close($hEventLog)                                                                                            ; Close the event log

    Do
    Until GUIGetMsg() = $GUI_EVENT_CLOSE

EndFunc   ; End of the Main Function

Func MemoWrite($sMessage)                           ; Start of the Memowrite Function, to display the messages
    GUICtrlSetData($iMemo, $sMessage & @CRLF, 1)    ; Display the messages
EndFunc   ;==>MemoWrite                             ; End of the Function

 

SIGNATURE_0X800007D NOT FOUND

argumentum Universalist

argumentum

Posted
Posted (edited)
51 minutes ago, BinaryBrother said:

It wasn't on the forums

https://www.autoitscript.com/autoit3/docs/libfunctions/EventLog Management.htm

Also, https://www.autoitscript.com/forum/files/file/500-ondebugmsgbox/ adds the event when an oops :)
https://www.autoitscript.com/forum/topic/202832-ondebugmsgbox-for-the-dreaded-autoit-error-msgbox/?do=findComment&comment=1456271 )

Edited by argumentum
more

Follow the link to my code contribution ( and other things too ).
FAQ - Please Read Before Posting.
autoit_scripter_blue_userbar.png

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...