Introduction to Checking Administrator Logons with WMI
This purpose of this script is to check the Security Log for instances where someone has tried to guess the administrator's password. The WMI / VBScript searches for Event ID 675 messages and
writes them to a text file. Whilst I love to give my scripts a clear goal, I also encourage you to amend the examples for your own needs. In this instance, you could amend my variables to check
other accounts, or even other Event IDs. If you have not read my: Interrogate Event Log page, I suggest you start there, else read on!
Topics for Checking Administrator Logon
♣
 The Microsoft Windows account called Administrator is a magnet for
hackers. Indeed many professionals rename this builtin account to blend in with the other user names. If you wish to check a username other than administrator, then just search and replace
references to Administrator.
Whenever you plan a script it is always worth walking through the manual steps before you create the VBScript code. Not only does this walk-through help
discover the precise names and Event ID numbers, but it also gives you ideas for additional properties to include in your VBScript. To research my WMI / VBScript, what I did was to masquerade
as a hacker and typed 'Administrator' in the logon box but then deliberately entered the wrong password. Here is the crucial information that I uncovered in the Security Log, Event ID 675.
Incidentally, if you look in the message Description, Failure Code 0x18 means the account exists, but the password is incorrect.
This script
interrogates the event logs and outputs the results to a text file. For instance, we may want to discover how many illegal attempts have been made to logon as administrator. Our mission emphasises the ability of scripts to automate boring
and time-consuming tasks, such as scouring the logs for one particular Event ID. This script also illustrates my mantra of how a manual walk through of the task, helps us understand the commands and thus build
a better script.
Real work v Getting started In the real world, we would concentrate on detecting illegal attempts to logon as administrator. As this is unlikely to have happened on
your test system, therefore, purely to get some action in the output file, I substituted Event ID 680 success for 675 failure. Walk-through A walk through is important not only for understanding my script, but also to
amend the Event IDs for your scenario. Frankly, if you take my advice then you will gain control of this script; whereas if you don't have a walk through of the Event Viewer, I fear that all which follows, will seem as clear as mud.
- Open Event Viewer
- Match what you see in the security log with variables, strLogType, intNumberID and intEventType in my script.
- Select Security Log (Not System)
WMI variable strLogType = "'Security'" Note one set of single quotes, inside one set of double quotes, no spaces.
- Event ID number intNumberID value = 680. Feel free to research our own numbers
- Filter for Event 680 (Substitute 675 for illegal logon)
- Filter for Success intEventType = 4 (Substitute intEventType = 5 for failures)
Guy
Recommends: WMI Monitor and It's Free!
Windows Management Instrumentation (WMI) is one of the hidden
treasures of Microsoft operating systems. Fortunately, Solarwinds
have created the
WMI Monitor so that you can examine these gems of
performance information for free. Take the guess work out of which
WMI counters to use for applications like Microsoft Active Directory,
SQL or Exchange Server.
Download your free copy of
WMI Monitor
WMI Script to Check the Event Log
Normally I prefer to build WMI scripts in stages but on this occasion, I created only the final script. I am assuming that you have a grounding in VBScript in general and FSO in particular.
When we ask WMI to interrogate the Event Logs, the key Win32 object is called, Win32_NTLogEvent. Take care with the spelling as there other objects beginning with Win32_NTLog.... As
ever, my script will get you started, but it is worth understanding where you could change the values to suit your Windows network.
Instructions for Creating your VBScript to Check Administrator Logons
- Pre-requisites. For this script to work, you need access to a Windows computer with a Security Log.
- To reduce the chance of an authentication problem, I would first run this script at a Domain Controller. If that is not possible, run the script from a member server on an XP machine and edit
strComputer on line 15.
- Check the strFolder and strFile values. Where do you wish the script to appear?
- Copy and paste into notepad, or a good script editor.
- Press OK when confronted by a message box, which says "Press OK and Wait 30 seconds (ish)"
- Just open your text file from the folder displayed by Explorer!
' EventLogFSO.vbs
' Sample VBScript to write event log data to text file
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.7 - May 2006
'
-----------------------------------------------------------'
Option Explicit
Dim objFSO, objFolder, objFile, objWMI, objItem, objShell
Dim strComputer, strFileName, strFileOpen, strFolder, strPath
Dim intEvent, intNumberID, intRecordNum, colLoggedEvents
Dim intEventType, strLogType
' --------------------------------------------------------
' Set the folder and file name
strComputer = "."
strFileName = "\Event680.txt"
strFolder = "e:\logs"
strPath = strFolder & strFileName
' Set numbers
intNumberID = 680 ' Event ID Number
intEventType = 4
strLogType = "'Security'"
intRecordNum = 0
' -----------------------------------------------------
' Section to create folder and hold file.
' Create the File System Object
Set objFSO =
CreateObject("Scripting.FileSystemObject")
' Check that the strFolder folder exists
If objFSO.FolderExists(strFolder) Then
Set objFolder = objFSO.GetFolder(strFolder)
Else
Set objFolder =
objFSO.CreateFolder(strFolder)
WScript.Echo "Just created " & strFolder
End If
If objFSO.FileExists(strFolder & strFileName) Then
Set objFolder = objFSO.GetFolder(strFolder)
Else
Set
objFile = objFSO.CreateTextFile(strFolder & strFileName)
Wscript.Echo "Just created " & strFolder & strFileName
End If
' --------------------------------------------------
' Two tiny but vital
commands (Try script without)
set objFile = nothing
set objFolder = nothing
' ----------------------------------------------------
' Write the information to the file
Wscript.Echo " Press OK
and Wait 30 seconds (ish)"
Set strFileOpen = objFso.CreateTextFile(strPath, True)
' ----------------------------------------------------------
' WMI Core Section
Set objWMI =
GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" _
& strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile =" &
strLogType)
' ----------------------------------------------------------
' Next section loops through ID properties
For Each objItem in colLoggedEvents
If objItem.EventCode = intNumberID
Then
If objItem.EventType = intEventType Then
strFileOpen.WriteLine("Category: " & objItem.Category _
& " string " & objItem.CategoryString)
strFileOpen.WriteLine("ComputerName: " &
objItem.ComputerName)
strFileOpen.WriteLine("Logfile: " & objItem.Logfile _
& " source " & objItem.SourceName)
strFileOpen.WriteLine("EventCode: " & objItem.EventCode)
strFileOpen.WriteLine("EventType: " & objItem.EventType)
strFileOpen.WriteLine("Type: " & objItem.Type)
strFileOpen.WriteLine("User: " & objItem.User)
strFileOpen.WriteLine("Message: " &
objItem.Message)
strFileOpen.WriteLine (" ")
intRecordNum = intRecordNum +1
End If
End If
Next
' Confirms the script has completed and opens the file
Set objShell =
CreateObject("WScript.Shell")
objShell.run ("Explorer" &" " & strPath & "\" )
WScript.Quit
' End of Guy's FSO sample VBScript
VBScript Tutorial - Learning Points1) Begin by checking the variables. Experiment not only with strComputer, but also with intNumberID. Double check Win32_ object
name. 2) Here is a tiny addition to join two output properties and then write them on the
same line. strFile.WriteLine("Category: " & objItem.Category _
& " string " & objItem.CategoryString) A tiny improvement to save space in the output file.
3) Another cosmetic VBScript effect is to name the file after the Event Log ID,
strFileName = "\Event" & intNumberID & ".txt". Although such improvements are minor, each contributes to a
more professional script. 4) Although the VBScript example was
getting rather long, I still could not resist adding a command to open the folder when the script creates the output file.
Set objShell = CreateObject("WScript.Shell")
objShell.run ("Explorer" &" " & strPath & "\" ). 5) I admit that I have ignored the FSO (File System Object) section, which writes the information to
the file. However, I do cover this important feature of VBScript in other ezines and pages on my website. 6) Note (Security) I thank Yitzchok Lavi for adding (Security). The first task for WMI is to connect to the CIM namespace with:
GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" _
& strComputer &
"\root\cimv2") Research indicates that you should always (Security) here in impersonationLevel=impersonate,(Security), even if you change the log to 'Application'.
Remember that the operating system
knows everything. Thank Microsoft for providing a library of WMI commands with which to interrogate systems like the Event Logs. WMI scripting is tricky because there are so many elements.
Take the time to have a walk through of how you examine an Event Log property sheet. In particular, match the Event ID, Success or Failure and type of Log with variables in my script.
Their topics and material are ideal for getting you started with VBScript. The
videos are easy to follow and you can control the pace. Try their free demo material and then see if you want to buy the full package.
See more about VB Script Training CD.
See Also
● Similar, but more Basic Event Log WMI Script ● WMI Home ● Simple WMI Script |
