This script is part of a bigger solution. 

With the more recent vulnerabilities identified in SMBv1 and the urgent recommendation by Microsoft to disable the protocol, there have been a slew of articles out there on how to disable the SMBv1 protocol. There is also some good information out there on auditing; however, I did not have much luck with the built-in functionality to audit, as I needed this information from all of the infrastructure and I needed it to be centralized.

After looking at the tools that were given to us out of the box by Microsoft, I came up with something that could grab the data and store it somewhere that could be reviewed centrally for all devices using SMBv1 to make connections. This data includes Server Name, Share Name, User Name, Credentials, and the Dialect (version of SMB).

The Full Solution Article can be found here:


    To identify SMB connections less than version 2 and log them for centralized review. 
    This script uses the Get-SMBConnection cmdlet to check for connection dialects (versions) less than 2. 
    Matches from this check are logged into a custom WMI class. Only new connections are logged. 
    Previous connections remain in WMI for historical purposes. They are not overwritten. 
    Log file: 
    SMB Connection Info: 
        ServerName : Server1 
        ShareName  : Share1 
        UserName   : Domain\User 
        Credential : Domain\User 
        Dialect    : 1.5 
        NumOpens   : 1 
    The idea on how this SYNOPSIS could be accomplished is original as far as I know. 
    However, I did use and modify some of the code I found in the links below, 
    in addition to my own, to create and populate the Custom WMI Class 
    Creating / Populating the Custom WMI Class: 
    Version:        1.0 
    Author:         Joseph Buckley 
    Creation Date:  06/08/2017 
    Purpose/Change: Initial script development
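
The approach described above (check `Get-SmbConnection` for dialects below 2, record only new matches in a custom WMI class, never overwrite old ones) can be sketched as follows. This is an added example, not the author's script: the class name `Custom_SMBv1Audit`, the `ConnectionKey` and `FirstSeen` properties and the key format are assumptions, and it assumes an elevated Windows PowerShell 5.1 session.

```powershell
#Requires -RunAsAdministrator
# Added sketch, not the original script. Class and property names are hypothetical.
$Namespace = 'root\cimv2'
$ClassName = 'Custom_SMBv1Audit'
$Fields    = 'ConnectionKey', 'ServerName', 'ShareName', 'UserName',
             'Credential', 'Dialect', 'NumOpens', 'FirstSeen'

# Create the custom WMI class once. ConnectionKey is the key property, so a
# given server/share/user/dialect combination can only be stored one time.
if (-not (Get-CimClass -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue)) {
    $class = New-Object System.Management.ManagementClass($Namespace, [string]::Empty, $null)
    $class['__CLASS'] = $ClassName
    $class.Qualifiers.Add('Static', $true)
    foreach ($name in $Fields) {
        $class.Properties.Add($name, [System.Management.CimType]::String, $false)
    }
    $class.Properties['ConnectionKey'].Qualifiers.Add('Key', $true)
    [void]$class.Put()
}

# Keys already recorded. Existing instances are kept for history, never rewritten.
$known = @(Get-CimInstance -Namespace $Namespace -ClassName $ClassName |
    Select-Object -ExpandProperty ConnectionKey)

foreach ($conn in Get-SmbConnection) {
    # Dialect is reported as text such as '1.5' or '3.1.1'; test the major version.
    $major = [int](([string]$conn.Dialect).Split('.')[0])
    if ($major -ge 2) { continue }

    $key = '{0}|{1}|{2}|{3}' -f $conn.ServerName, $conn.ShareName, $conn.UserName, $conn.Dialect
    if ($known -contains $key) { continue }   # only new connections are logged

    New-CimInstance -Namespace $Namespace -ClassName $ClassName -Property @{
        ConnectionKey = $key
        ServerName    = [string]$conn.ServerName
        ShareName     = [string]$conn.ShareName
        UserName      = [string]$conn.UserName
        Credential    = [string]$conn.Credential
        Dialect       = [string]$conn.Dialect
        NumOpens      = [string]$conn.NumOpens
        FirstSeen     = (Get-Date).ToString('s')
    } | Out-Null
    $known += $key
}
```

`Get-SmbConnection` only lists connections that are open at the moment it runs, so a check like this has to run on a schedule to catch short-lived SMBv1 sessions.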