June 17, 2019 by Trevor Jones

Retrieving Local Logon Events from the SCCM Client WMI

Usually when querying the logon history of a Windows system you might query the Security event log or a domain controller. But if you’re using SCCM, the SCCM client also logs user logon events and stores them in WMI. Here’s a quick PowerShell script to retrieve those events and translate them into meaningful values.

You can run it against the local or a remote computer and optionally specify the maximum number of events to retrieve.

Note that for remote computers the date/time values will be displayed in your local time zone, not necessarily the timezone of the remote system.

Get-CMUserLogonEvents | Sort LogonTime -Descending | Out-GridView

      
        Function Get-CMUserLogonEvents {
      
            [CmdletBinding()]
      
            Param
      
            (
      
                [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
      
                $ComputerName,
      
                [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
      
                $MaximumEvents = 50
      
            )
      
            If ($ComputerName)
      
            {
      
                [array]$LastLogons = Get-WmiObject –ComputerName $ComputerName –Namespace ROOT\CCM –Class CCM_UserLogonEvents | Select –last $MaximumEvents
      
            }
      
            Else
      
            {
      
                [array]$LastLogons = Get-WmiObject –Namespace ROOT\CCM –Class CCM_UserLogonEvents | Select –last $MaximumEvents
      
            }
      
            Foreach ($Logon in $LastLogons)
      
            {
      
                If ($Logon.LogoffTime -ne $null)
      
                {
      
                    [pscustomobject]@{
      
                        LogonTime = [System.TimeZoneInfo]::ConvertTimeFromUtc(([datetime]::new(1970,01,01,00,00,00,[System.DateTimeKind]::Utc)).AddSeconds($Logon.LogonTime),[System.TimeZoneInfo]::Local)
      
                        LogoffTime = [System.TimeZoneInfo]::ConvertTimeFromUtc(([datetime]::new(1970,01,01,00,00,00,[System.DateTimeKind]::Utc)).AddSeconds($Logon.LogoffTime),[System.TimeZoneInfo]::Local)
      
                        User = [System.Security.Principal.SecurityIdentifier]::new($Logon.UserSID).Translate([System.Security.Principal.NTAccount]).Value
      
                        DurationInHours = [math]::Round([System.TimeSpan]::FromSeconds(($Logon.LogoffTime – $Logon.LogonTime)).TotalHours,2)
      
                    }
      
                }
      
                Else
      
                {
      
                    [pscustomobject]@{
      
                        LogonTime = [System.TimeZoneInfo]::ConvertTimeFromUtc(([datetime]::new(1970,01,01,00,00,00,[System.DateTimeKind]::Utc)).AddSeconds($Logon.LogonTime),[System.TimeZoneInfo]::Local)
      
                        LogoffTime = $null
      
                        User = [System.Security.Principal.SecurityIdentifier]::new($Logon.UserSID).Translate([System.Security.Principal.NTAccount]).Value
      
                        DurationInHours = [math]::Round(((Get-Date) – ([System.TimeZoneInfo]::ConvertTimeFromUtc(([datetime]::new(1970,01,01,00,00,00,[System.DateTimeKind]::Utc)).AddSeconds($Logon.LogonTime),[System.TimeZoneInfo]::Local))).TotalHours,2)
      
                    }
      
                }
      
            }
      
        }

view raw Get-CMUserLogonEvents.ps1 hosted with ❤ by GitHub

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Google account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: