Enumerate Security Event Log for Event Code 529 (Unknown user/bad pwd)
November 17, 2004
Author: Shane Boudreaux

Description: Prompts for the location of the output file. The output file will contain the results of a Security Event Log query. The query is for Event Code 529, which equates to Unknown User and/or Bad Password. This allows for quick determination of failed logon attempts.

PLATFORMS TESTED: Windows 2000 and XP

'===============================
' Query Security Event Log on local box
' Export Event Code 529 (Unknown user / bad pwd)
' FILENAME FORMAT = COMPUTERNAME.log
'===============================

' Declare Globals
Dim strScriptName
Dim strPCName
Dim strSecLogs
Dim strPath

strPath = InputBox("Enter Path To Location to Save Log File")
strScriptName = "SecLogs"

GetPCName
SecLogs

Private Sub GetPCName()
    ' GET COMPUTER NAME
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colSettings = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_ComputerSystem")
    For Each objComputer In colSettings
        strPCName = objComputer.Name
    Next
End Sub

Private Sub SecLogs()
    strComputer = "."
    ' The (Security) privilege is requested so the Security log can be read
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")
    Set colLoggedEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security'")
    For Each objEvent In colLoggedEvents
        ' YOU MAY CHANGE THE EVENT CODE HERE, IF YOU'D LIKE TO SEARCH FOR ANOTHER EVENT
        If objEvent.EventCode = 529 Then
            If objEvent.Category = 2 Then
                strSecLogs = strSecLogs & "," & objEvent.TimeWritten & "," & objEvent.Message _
                    & "," & "Host:" & strPCName & vbCrLf
            End If
        End If
    Next
    ' Write the file once, after all matching events have been collected
    If Len(strSecLogs) > 0 Then
        WriteToFile strSecLogs, strScriptName, strPath
    End If
End Sub

'===============================
' WRITE LOG TO FILE
' FILENAME FORMAT = COMPUTERNAME
'===============================
Private Sub WriteToFile(strTextToWrite, strScriptName, strFilePath)
    Dim i ' Variable for computer name
    'On Error Resume Next

    ' GET COMPUTER NAME
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colSettings = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_ComputerSystem")
    For Each objComputer In colSettings
        i = objComputer.Name
    Next

    ' CODE TO WRITE FILE
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    ' BuildPath inserts the path separator if the entered path has no trailing backslash
    Set objFile = objFSO.CreateTextFile(objFSO.BuildPath(strFilePath, i & ".log"), True)
    objFile.WriteLine strTextToWrite
    objFile.Close
End Sub

Disclaimer: We hope that the information in these pages is valuable to you. Your use of the information contained in these pages, however, is at your sole risk. All information on these pages is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by me. I shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if I have been advised of the possibility of such damages.
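The COMPUTERNAME.log file written by the script above holds multi-line records (",TimeWritten,Message,Host:NAME"), so it is easier to review once it is summarised per account. The Python below is an added example, not part of the original script: it parses that layout and lists accounts with repeated failed logons. The field labels of the event 529 message text, the threshold of 3, and all function names and sample data are assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# A record starts with the script's leading comma and a WMI (DMTF) timestamp,
# e.g. ",20041117093015.000000-360,"; the message that follows spans several lines.
RECORD_START = re.compile(r"^,(\d{14})\.\d{6}[+-]\d{3},", re.MULTILINE)
# Field labels assumed from the Windows 2000/XP event 529 message text.
FIELD = re.compile(
    r"^[ \t]*(User Name|Domain|Logon Type|Workstation Name):[ \t]*(.*?)\s*$",
    re.MULTILINE)
HOST = re.compile(r",Host:(\S+)\s*$")

def parse_529_log(text):
    """Return one dict per event 529 record in the script's output file."""
    starts = list(RECORD_START.finditer(text))
    records = []
    for n, m in enumerate(starts):
        end = starts[n + 1].start() if n + 1 < len(starts) else len(text)
        body = text[m.end():end]
        rec = {"time": datetime.strptime(m.group(1), "%Y%m%d%H%M%S"), "Host": None}
        host = HOST.search(body)
        if host:  # drop the ",Host:NAME" suffix so it cannot leak into a field
            rec["Host"] = host.group(1)
            body = body[:host.start()]
        rec.update(dict(FIELD.findall(body)))
        records.append(rec)
    return records

def noisy_accounts(records, threshold=3):
    """Accounts (domain, user) with at least `threshold` failed logons."""
    counts = Counter((r.get("Domain", ""), r.get("User Name", "")) for r in records)
    return {acct: n for acct, n in counts.items() if n >= threshold}

def sample_record(ts, user, wks):
    """Constructed sample record in the layout the script writes."""
    msg = ("Logon Failure:\r\n \tReason:\t\tUnknown user name or bad password\r\n"
           f" \tUser Name:\t{user}\r\n \tDomain:\t\tCORP\r\n \tLogon Type:\t3\r\n"
           f" \tWorkstation Name:\t{wks}\r\n")
    return f",{ts}.000000-360,{msg},Host:PC01\r\n"

SAMPLE = "".join([  # constructed data, not real log output
    sample_record("20041117093015", "administrator", "WKS7"),
    sample_record("20041117093016", "administrator", "WKS7"),
    sample_record("20041117093120", "jsmith", "WKS2"),
    sample_record("20041117093017", "administrator", "WKS7"),
])

if __name__ == "__main__":
    for (domain, user), n in noisy_accounts(parse_529_log(SAMPLE)).items():
        print(f"{domain}\\{user}: {n} failed logons")
```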