This script can be used to collect user logon duration from multiple computers. You can also use the data to generate a report. The user logon duration calculation is based on the general algorithm: Logon duration = Logoff date time - Logon date time.
In the real world, IT administrators may need to collect user logon duration from multiple computers. User logon duration data can be useful when IT administrators are troubleshooting issues.
This script contains one advanced function, Get-OSCUserLogonDuration. You should run this script in an elevated Windows PowerShell console. You should also have administrative privileges on the local or remote computers. You can use this script in the following ways:
Method 1:
Method 2:
- PowerShell code snippet -
#Event 4624 = successful logon; InsertionStrings[4..8] hold the target SID,
#user name, domain name, logon ID and logon type
if ($wmiEvent.EventCode -eq 4624) {
    #By default, remote interactive logon entries will not be collected.
    #2 - Interactive Logon; 10 - RemoteInteractive Logon
    if ($IncludeRemoteInteractive) {
        #Anchored so that other logon types containing "2" (for example 12) do not match
        $logonTypeFlag = ($wmiEvent.InsertionStrings[8] -match "^(2|10)$")
    } else {
        $logonTypeFlag = ($wmiEvent.InsertionStrings[8] -eq "2")
    }
    #Keep user logon event entries only
    #(SIDs of 12 characters or fewer, such as S-1-5-18, are built-in accounts)
    if (($wmiEvent.InsertionStrings[4].Length -gt 12) -and $logonTypeFlag) {
        $rawEntry | Add-Member -MemberType NoteProperty -Name "EventCode" -Value $($wmiEvent.EventCode)
        $rawEntry | Add-Member -MemberType NoteProperty -Name "TimeGenerated" -Value $dtTimeGenerated
        $rawEntry | Add-Member -MemberType NoteProperty -Name "TargetUserID" -Value $($wmiEvent.InsertionStrings[4])
        $rawEntry | Add-Member -MemberType NoteProperty -Name "TargetUserName" -Value $($wmiEvent.InsertionStrings[5])
        $rawEntry | Add-Member -MemberType NoteProperty -Name "TargetDomainName" -Value $($wmiEvent.InsertionStrings[6])
        $rawEntry | Add-Member -MemberType NoteProperty -Name "TargetLogonID" -Value $($wmiEvent.InsertionStrings[7])
        #Translate logon type from number to meaningful words
        if ($wmiEvent.InsertionStrings[8] -ne "") {
            Switch ($wmiEvent.InsertionStrings[8]) {
                2 {$rawEntry | Add-Member -MemberType NoteProperty -Name "TargetLogonType" -Value "Interactive"}
                10 {$rawEntry | Add-Member -MemberType NoteProperty -Name "TargetLogonType" -Value "RemoteInteractive"}
                Default {$rawEntry | Add-Member -MemberType NoteProperty -Name "TargetLogonType" -Value $($wmiEvent.InsertionStrings[8])}
            }
            #Add each logon event entry to the temporary array object
            $rawEntries += $rawEntry
        } else {
            $rawEntry | Add-Member -MemberType NoteProperty -Name "TargetLogonType" -Value "N/A"
        }
    }
#Event 4647 = user-initiated logoff; InsertionStrings[0..3] hold the target SID,
#user name, domain name and logon ID
} elseif ($wmiEvent.EventCode -eq 4647) {
    if (($wmiEvent.InsertionStrings[0].Length -gt 12)) {
        $rawEntry | Add-Member -MemberType NoteProperty -Name "EventCode" -Value $($wmiEvent.EventCode)
        $rawEntry | Add-Member -MemberType NoteProperty -Name "TimeGenerated" -Value $dtTimeGenerated
        $rawEntry | Add-Member -MemberType NoteProperty -Name "TargetUserID" -Value $($wmiEvent.InsertionStrings[0])
        $rawEntry | Add-Member -MemberType NoteProperty -Name "TargetUserName" -Value $($wmiEvent.InsertionStrings[1])
        $rawEntry | Add-Member -MemberType NoteProperty -Name "TargetDomainName" -Value $($wmiEvent.InsertionStrings[2])
        $rawEntry | Add-Member -MemberType NoteProperty -Name "TargetLogonID" -Value $($wmiEvent.InsertionStrings[3])
        $rawEntries += $rawEntry
    }
}
- end -
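The pairing step behind "Logon duration = Logoff date time - Logon date time", as an added example that is not taken from the script itself: each 4624 entry is matched to the next 4647 entry with the same TargetLogonID, and unmatched entries are reported as orphaned when requested. The function names New-SessionRow and Measure-LogonDuration and the sample entries are hypothetical and constructed for illustration; the property names follow the snippet above, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not part of the original script. Builds one output row from a
# logon entry, a logoff entry, or both (an orphaned event has only one side).
function New-SessionRow($Logon, $Logoff) {
    $src = if ($Logon) { $Logon } else { $Logoff }
    [pscustomobject]@{
        UserName   = '{0}\{1}' -f $src.TargetDomainName, $src.TargetUserName
        LogonID    = $src.TargetLogonID
        LogonTime  = if ($Logon)  { $Logon.TimeGenerated }  else { $null }
        LogoffTime = if ($Logoff) { $Logoff.TimeGenerated } else { $null }
        Duration   = if ($Logon -and $Logoff) { $Logoff.TimeGenerated - $Logon.TimeGenerated } else { $null }
    }
}

function Measure-LogonDuration {
    param([Parameter(Mandatory = $true)] [object[]] $RawEntries,
          [switch] $IncludeOrphanedEvents)
    $open = @{}   # TargetLogonID -> logon entry still waiting for its logoff
    foreach ($e in ($RawEntries | Sort-Object TimeGenerated)) {
        $id = $e.TargetLogonID
        if ($e.EventCode -eq 4624) {
            # Logon IDs are only unique between reboots: a repeated ID means the
            # earlier session never logged a 4647 (crash, power loss, and so on).
            if ($open.ContainsKey($id) -and $IncludeOrphanedEvents) { New-SessionRow $open[$id] $null }
            $open[$id] = $e
        } elseif ($e.EventCode -eq 4647) {
            if ($open.ContainsKey($id)) {
                New-SessionRow $open[$id] $e      # complete session
                $open.Remove($id)
            } elseif ($IncludeOrphanedEvents) {
                New-SessionRow $null $e           # logoff whose logon is outside the range
            }
        }
    }
    # Logons still open at the end of the range: user still logged on, or no logoff recorded
    if ($IncludeOrphanedEvents) { foreach ($e in $open.Values) { New-SessionRow $e $null } }
}

# Constructed sample entries (not real log data), shaped like $rawEntries above
$sample = @(
    [pscustomobject]@{ EventCode = 4624; TimeGenerated = [datetime]'2012-02-01 08:58:10'; TargetUserName = 'alice'; TargetDomainName = 'CONTOSO'; TargetLogonID = '0x3e4a1' }
    [pscustomobject]@{ EventCode = 4647; TimeGenerated = [datetime]'2012-02-01 17:31:45'; TargetUserName = 'alice'; TargetDomainName = 'CONTOSO'; TargetLogonID = '0x3e4a1' }
    [pscustomobject]@{ EventCode = 4624; TimeGenerated = [datetime]'2012-02-02 09:05:00'; TargetUserName = 'bob';   TargetDomainName = 'CONTOSO'; TargetLogonID = '0x51c20' }
    [pscustomobject]@{ EventCode = 4647; TimeGenerated = [datetime]'2012-02-01 07:00:00'; TargetUserName = 'carol'; TargetDomainName = 'CONTOSO'; TargetLogonID = '0x1f7b3' }
)
Measure-LogonDuration -RawEntries $sample -IncludeOrphanedEvents | Format-Table -AutoSize
```

With the sample data, alice yields one complete session, while bob (logon only) and carol (logoff only) appear as orphaned rows with an empty Duration.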
Example 01: Displays help about Get-OSCUserLogonDuration
Command: Get-Help Get-OSCUserLogonDuration -Full

Example 02: Get user logon duration data from the last 30 days on the local computer.
Command: Get-OSCUserLogonDuration -Verbose | FT -AutoSize

Example 03: Get user logon duration data from a remote domain computer; remote interactive logon events will be collected.
Command: Get-OSCUserLogonDuration -ComputerName "computerName" -IncludeRemoteInteractive -Verbose | FT -AutoSize

Example 04: Get user logon duration from a remote workgroup computer or another domain computer, remote interactive logon events will not be collected.
Command: $cred = Get-Credential "computername\username"
Get-OSCUserLogonDuration -ComputerName "computername" -Credential $cred -StartDate (Get-Date -Date "2012/02/01 00:00:00") -EndDate (Get-Date -Date "2012/02/29 23:59:59") -Verbose | FT -AutoSize

Example 05: Get user logon duration from a remote computer, including orphaned logon/logoff events.
Command: Get-OSCUserLogonDuration -ComputerName "computername" -StartDate (Get-Date -Date "2012/02/01 00:00:00") -EndDate (Get-Date -Date "2012/02/14 23:59:59") -IncludeOrphanedEvents -Verbose | FT -AutoSize

Example 06: Get user logon duration from multiple computers and export to a CSV file.
Command:
$computers = "computername01","computername02"
$reports = @()
foreach ($computer in $computers) {
    $report = Get-OSCUserLogonDuration -Computer $computer -IncludeRemoteInteractive -StartDate (Get-Date -Date "2012/02/01 00:00:00") -EndDate (Get-Date -Date "2012/02/14 23:59:59") -Verbose
    $reports += $report
}
$reports | Format-Table -AutoSize
$reports | Export-csv -Path C:\Scripts\report.csv -NoTypeInformation

Technical Resource:
Windows PowerShell Advanced Function
http://technet.microsoft.com/en-us/library/dd315326.aspx
Description of security events in Windows 7 and in Windows Server 2008 R2
http://support.microsoft.com/kb/977519
Description of security events in Windows Vista and in Windows Server
http://support.microsoft.com/kb/947226
Tracking User Logon Activity Using Logon Events
http://blogs.msdn.com/b/ericfitz/archive/2008/08/20/tracking-user-logon-activity-using-logon-events.aspx
Forum Threads:
Auditing User Login Duration
http://social.technet.microsoft.com/Forums/en/winservergen/thread/a8f9e33a-1c9c-41ab-8387-6686c35808eb
I want to log session duration for each user who log on to windows server 2003
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/a4ed7a47-b91d-4029-a167-3613cde3d098
Logon Duration in Active Directory
http://www.techrepublic.com/forum/discussions/39-176272
Script to time user login duration
http://forums.overclockers.com.au/showthread.php?t=767177