Encontrei um script que pode atender às suas necessidades:
Option Explicit
Dim strComputer, objWMIService, colEvents, objEvent
Dim dtmStart, dtmEnd, strUser
strComputer = "West204"
dtmStart = "20091228000000.000000-360"
dtmEnd = "20100101000000.000000-360"
strUser = "MyDomain\jsmith"
strUser = "jsmith"
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,authenticationLevel=Pkt,(Security)}!\" _
& strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND " _
& "TimeWritten >= '" & dtmStart & "' AND TimeWritten < '" _
& dtmEnd & "' AND " _
& "(EventCode = '528' OR EventCode = '540' OR EventCode = '538')")
For Each objEvent In colEvents
Wscript.Echo "---------------------------"
Wscript.Echo "Computer: " & objEvent.ComputerName
Wscript.Echo "Event Code: " & objEvent.EventCode
Wscript.Echo "Message: " & objEvent.Message
Wscript.Echo "Time: " & objEvent.TimeWritten
Wscript.Echo "Event Type: " & objEvent.EventType
Wscript.Echo "User: " & objEvent.User
Next
Basta substituir as strComputer
, dtmStart
, dtmEnd
, strUser
e strUser
pelas suas informações.
These queries are always slow. I tried to add a WHERE clause for the user, but could not get it to work, so the output will include all logon/logoff events between the dates. I also expected more WHERE clauses to make the query faster, but it doesn't seem to work that way. Run the script at a command prompt and redirect the output to a text file. The date format is yyyymmddhhmmss.ssssss-zzz, were -zzz is your local time zone bias in minutes (from UTC)