Retrieving Local Logon Events from the SCCM Client WMI

Usually when querying the logon history of a Windows system you might query the Security event log or a domain controller. But if you’re using SCCM, the SCCM client also logs user logon events and stores them in WMI. Here’s a quick PowerShell script to retrieve those events and translate them into meaningful values.

You can run it against the local or a remote computer and optionally specify the maximum number of events to retrieve.

Note that for remote computers the date/time values will be displayed in your local time zone, not necessarily the time zone of the remote system.

Get-CMUserLogonEvents | Sort LogonTime -Descending | Out-GridView
    Function Get-CMUserLogonEvents {
        [CmdletBinding()]
        Param
        (
            [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
            $ComputerName,
            [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
            $MaximumEvents = 50
        )
        # Read the logon events recorded by the SCCM client (local or remote)
        If ($ComputerName)
        {
            [array]$LastLogons = Get-WmiObject -ComputerName $ComputerName -Namespace ROOT\CCM -Class CCM_UserLogonEvents | Select -Last $MaximumEvents
        }
        Else
        {
            [array]$LastLogons = Get-WmiObject -Namespace ROOT\CCM -Class CCM_UserLogonEvents | Select -Last $MaximumEvents
        }
        Foreach ($Logon in $LastLogons)
        {
            # LogonTime and LogoffTime are seconds since 1970-01-01 UTC; convert to local time
            If ($Logon.LogoffTime -ne $null)
            {
                # Completed session: duration is logoff minus logon
                [pscustomobject]@{
                    LogonTime = [System.TimeZoneInfo]::ConvertTimeFromUtc(([datetime]::new(1970,01,01,00,00,00,[System.DateTimeKind]::Utc)).AddSeconds($Logon.LogonTime),[System.TimeZoneInfo]::Local)
                    LogoffTime = [System.TimeZoneInfo]::ConvertTimeFromUtc(([datetime]::new(1970,01,01,00,00,00,[System.DateTimeKind]::Utc)).AddSeconds($Logon.LogoffTime),[System.TimeZoneInfo]::Local)
                    User = [System.Security.Principal.SecurityIdentifier]::new($Logon.UserSID).Translate([System.Security.Principal.NTAccount]).Value
                    DurationInHours = [math]::Round([System.TimeSpan]::FromSeconds(($Logon.LogoffTime - $Logon.LogonTime)).TotalHours,2)
                }
            }
            Else
            {
                # No logoff recorded: duration is measured from logon until now
                [pscustomobject]@{
                    LogonTime = [System.TimeZoneInfo]::ConvertTimeFromUtc(([datetime]::new(1970,01,01,00,00,00,[System.DateTimeKind]::Utc)).AddSeconds($Logon.LogonTime),[System.TimeZoneInfo]::Local)
                    LogoffTime = $null
                    User = [System.Security.Principal.SecurityIdentifier]::new($Logon.UserSID).Translate([System.Security.Principal.NTAccount]).Value
                    DurationInHours = [math]::Round(((Get-Date) - ([System.TimeZoneInfo]::ConvertTimeFromUtc(([datetime]::new(1970,01,01,00,00,00,[System.DateTimeKind]::Utc)).AddSeconds($Logon.LogonTime),[System.TimeZoneInfo]::Local))).TotalHours,2)
                }
            }
        }
    }
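When these events feed an incident timeline, the time zone note above matters: you usually want UTC plus the remote machine's own clock, and a SID that no longer resolves should be kept rather than abort the query. The following variant is an added example, not part of the original script. The function name Get-CMUserLogonEventsWithOffset and the output property names are hypothetical; it assumes .NET 4.6 or later and applies the remote machine's current UTC offset to every event.

```powershell
Function Get-CMUserLogonEventsWithOffset {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [string]$ComputerName,
        [int]$MaximumEvents = 50
    )
    # Win32_OperatingSystem.CurrentTimeZone is the remote machine's current offset
    # from UTC in minutes. Assumption: the same offset is used for every event, so
    # events from the other side of a daylight-saving change are off by the DST shift.
    $OS = Get-WmiObject -ComputerName $ComputerName -Class Win32_OperatingSystem
    $RemoteOffset = [System.TimeSpan]::FromMinutes($OS.CurrentTimeZone)

    $Logons = Get-WmiObject -ComputerName $ComputerName -Namespace ROOT\CCM -Class CCM_UserLogonEvents |
        Select-Object -Last $MaximumEvents

    Foreach ($Logon in $Logons)
    {
        # Translate() throws when the SID cannot be mapped (deleted account,
        # unreachable domain); keep the raw SID so the event is not lost.
        Try
        {
            $User = [System.Security.Principal.SecurityIdentifier]::new($Logon.UserSID).Translate([System.Security.Principal.NTAccount]).Value
        }
        Catch
        {
            $User = $Logon.UserSID
        }
        # LogonTime/LogoffTime are seconds since 1970-01-01 UTC
        $LogonStamp = [System.DateTimeOffset]::FromUnixTimeSeconds($Logon.LogonTime)
        $LogoffUtc = $null
        $LogoffRemote = $null
        If ($null -ne $Logon.LogoffTime)
        {
            $LogoffStamp = [System.DateTimeOffset]::FromUnixTimeSeconds($Logon.LogoffTime)
            $LogoffUtc = $LogoffStamp.UtcDateTime
            $LogoffRemote = $LogoffStamp.ToOffset($RemoteOffset)
        }
        [pscustomobject]@{
            ComputerName     = $ComputerName
            User             = $User
            UserSID          = $Logon.UserSID
            LogonTimeUtc     = $LogonStamp.UtcDateTime
            LogonTimeRemote  = $LogonStamp.ToOffset($RemoteOffset)
            LogoffTimeUtc    = $LogoffUtc
            LogoffTimeRemote = $LogoffRemote
        }
    }
}
```

Sorting on LogonTimeUtc lets you merge output from several machines into one timeline without time zone ambiguity.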
