{"id":63763,"date":"2007-10-19T22:37:00","date_gmt":"2007-10-19T22:37:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2007\/10\/19\/hey-scripting-guy-how-can-i-retrieve-a-list-of-unique-users-from-the-security-event-log\/"},"modified":"2007-10-19T22:37:00","modified_gmt":"2007-10-19T22:37:00","slug":"hey-scripting-guy-how-can-i-retrieve-a-list-of-unique-users-from-the-security-event-log","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-retrieve-a-list-of-unique-users-from-the-security-event-log\/","title":{"rendered":"Hey, Scripting Guy! How Can I Retrieve a List of Unique Users from the Security Event Log?"},"content":{"rendered":"

\"Hey, <\/H2>\n

Hey, Scripting Guy! How can I retrieve a list of unique users from the Security event log?

— KM<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, KM. Before we tackle your question we should probably address a question sent in by another reader:<\/P>\n\n<\/THEAD>\n\n\n
\n

Hey, Scripting Guy! Whatever happened to Monday?<\/P>\n

Having been gone on vacation all last week, I was combing through the Hey, Scripting Guy! archive<\/B><\/A>, and I find that last week was only four days long.<\/P>\n

I’m familiar with the adage “time flies when you’re having fun,” (and the frogger version “time’s fun when you’re having flies”) but I hadn’t realized there had been an anti-leap year calendar adjustment. There was no announcement in the newspapers. Maybe it was lost among all the stories about firing the Univ. of Nebraska A.D. (or as he’s known in the Cornhusker State, “The Pope”).<\/P>\n

Even my favorite Internet search engine won’t reveal the missing column.<\/P>\n

What gives?<\/P>\n

— TP<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n

<\/DIV>\n

Hey, TP. Ah, yes The Case of the Missing Monday. (Oh, by the way, nice letter. Although it is<\/I> kind of sad when the letters about a column are funnier and better written than the column itself.) As it turns out, there actually was<\/I> a column last Monday, albeit briefly. Shortly after the column appeared, however, we had to take it down. Why? Well, that particular column mentioned a third-party software company, and we were asked to \u201crework\u201d the article by removing all references to that company.<\/P>\n\n<\/THEAD>\n\n\n
\n

Note<\/B>. But hey, no big deal; after all, if you write 800+ columns you\u2019re bound to write one sooner or later that someone<\/I> takes issue with. Considering some of the other columns we\u2019ve written, however, we\u2019re just surprised that that one was the one someone took issue with!<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n

<\/DIV>\n

And in case you\u2019re wondering, no, the Scripting Guys did not<\/I> make a lot of cruel and cutting remarks at the expense of that software company; in fact, we actually had a lot of nice<\/I> things to say about this particular company. (After all, when you get in as much trouble as the Scripting Guys do you can\u2019t afford to make even more<\/I> enemies.) Nevertheless, we have complied with the request, removed everything from the column except the code (and an explanation of how that code works), and reposted the article<\/B><\/A>. Which, in turn, means that not only did Monday actually happen, but we even have a Monday column to prove it. <\/P>\n

So does that mean that you\u2019re not<\/I> going crazy, TP? Well, we\u2019re not sure; after all, you do<\/I> live in Nebraska.<\/P>\n\n<\/THEAD>\n\n\n
\n

Note<\/B>. Which, we hasten to add, has always been the Scripting Guys\u2019 favorite state.<\/P>\n

Well, OK: it\u2019s tied for our favorite state with all the other 49 states. What\u2019s that? Even Delaware<\/I>? You know what? We\u2019ll have to get back to you on that one .\u2026<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n

<\/DIV>\n

Anyway, so much for The Case of the Missing Monday. If anyone out there saw the column before it was removed and was offended by the content, well, we sincerely apologize. The truth is, the Scripting Guys never intentionally set out to offend anyone; after all, if we did then today\u2019s column would be all about the University of Nebraska\u2019s football program. <\/P>\n

But it\u2019s not. Instead, it\u2019s all about retrieving a list of unique users from the Security event log. (Which is really more a reminder to ourselves than to any of our readers.)<\/P>\n

In addition, if any of you thought that Monday really had<\/I> disappeared, well, we apologize for any inconvenience that might have caused. As we noted, the Scripting Guys did not<\/I> make Monday disappear. It would have been a bit ironic if we had; after all, we\u2019ve actually been working on a project to make the week longer<\/I>, primarily by inserting a few extra Saturdays here and there. But now that we think about it, removing Monday might be a little easier. We\u2019ll put that on to the to-do list.<\/P>\n

But today\u2019s column isn\u2019t about messing with the space-time continuum, either. Instead, it\u2019s all about retrieving a list of unique users from the Security event log:<\/P>

On Error Resume Next<\/p>\n
strComputer = “.”<\/p>\n
Set objWMIService = GetObject(“winmgmts:{(Security)}\\\\” & strComputer & “\\root\\cimv2”)<\/p>\n
Set colEvents = objWMIService.ExecQuery _\n    (“Select * from Win32_NTLogEvent Where Logfile = ‘Security'”)<\/p>\n
Set objDictionary = CreateObject(“Scripting.Dictionary”)<\/p>\n
For Each objEvent in colEvents\n    If Not objDictionary.Exists(objEvent.User) Then\n        objDictionary.Add objEvent.User, objEvent.User   \n    End If\nNext<\/p>\n
For Each strKey in objDictionary.Keys\n    Wscript.Echo strKey\nNext\n<\/PRE>\n
OK, let\u2019s see if we can figure out how this script works. To begin with, we connect to the WMI service on the local computer; if we wanted to, however, we could just as easily run this script against a remote computer. (How? By assigning the name of the remote computer to the variable strComputer.) When you make the connection to the WMI service, make sure your GetObject call looks like this:<\/P>\n
GetObject(“winmgmts:{(Security)}<\/B>\\\\” & strComputer & “\\root\\cimv2”)<\/P>\n
As you can see, we\u2019ve included the Security<\/B> privilege in this script, enclosing it in parentheses and curly braces, and tacking it on immediately after the winmgmts:<\/B> moniker. Why? Well, unlike many of the things the Scripting Guys do, there\u2019s actually a good reason for this: without this privilege the script will not return any data. (You won\u2019t get an error message, but you won\u2019t get back any information, either.) The Security privilege must be present any time you try to access the Security event log. If it isn\u2019t, well, don\u2019t say we didn\u2019t warn you.<\/P>\n\n<\/THEAD>\n\n\n
\n
Note<\/B>. Check that: don\u2019t say that we did<\/I> warn you; we don\u2019t want to get in trouble for ordering people around, and for telling them what they can and cannot do in their script. But make sure you use the Security privilege anyway, OK? Pretty please? With sugar on it?<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n
<\/DIV>\n
After we connect to the WMI service we then use this line of code to return a collection of all the events found in the Security event log:<\/P>
Set colEvents = objWMIService.ExecQuery _\n    (“Select * from Win32_NTLogEvent Where Logfile = ‘Security'”)\n<\/PRE>\n
One thing to keep in mind here: depending on the number of records in your Security event log, this script could take a minute or two (or even more) to complete. The Scripting Guy who writes this column clears his event log about as often as he cleans his gutters; with over 51,000 events in his<\/I> security event log, this script took about 90 seconds to finish.<\/P>\n
The gutters will likely require a bit more time and effort.<\/P>\n
Sooner or later, though, we will<\/I> get back a collection of all the events in the Security event log. Once we do we next create an instance of the Scripting.Dictionary<\/B> object; we\u2019re going to use this object to keep track of the unique users found in the event log. And then we\u2019re ready to roll up our sleeves and get to work.<\/P>\n
To begin with, we set up a For Each loop that loops through all the events in our collection. Inside that loop, the first thing we do is run this line of code:<\/P>
If Not objDictionary.Exists(objEvent.User) Then\n<\/PRE>\n
What are we doing here? We\u2019re simply checking to see if the user specified in the event\u2019s User<\/B> property already exists in the Dictionary. If he or she does, then we\u2019re going to loop around and repeat this test with the next event in the collection; after all, because we\u2019re interested only in unique users there\u2019s no need to add this user a second time. (Besides, the Dictionary object doesn\u2019t allow for duplicate items.) If the user isn\u2019t<\/I> in the Dictionary, then we use this line of code to add that user, specifying the value of the User property as both the Dictionary Item<\/B> and Key<\/B>:<\/P>
objDictionary.Add objEvent.User, objEvent.User\n<\/PRE>\n
And then it back to the top of the loop to try again with the next event in the collection.<\/P>\n
After we exit the loop, we use this block of code to echo back our collection of unique users:<\/P>
For Each strKey in objDictionary.Keys\n    Wscript.Echo strKey\nNext\n<\/PRE>\n
That\u2019s going to result in output similar to this:<\/P>
NT AUTHORITY\\NETWORK SERVICE\nNT AUTHORITY\\LOCAL SERVICE\nNT AUTHORITY\\SYSTEM\nFABRIKAM\\kmyer\nNT AUTHORITY\\ANONYMOUS LOGON\nFABRIKAM\\packerman\n<\/PRE>\n
And then what? Well, to quote Porky Pig, that\u2019s \u2013 well, maybe it\u2019s best if we don\u2019t go around quoting third-party cartoon animals. So let\u2019s just say, \u201cThat\u2019s all, uh \u2026 people.\u201d <\/P>\n
Before we go, however, yes, we know: you\u2019re all dying<\/I> to learn the name of the company mentioned in our original Monday article. As it turns out, that was \u2013 uh, well, never mind. We\u2019re not going to slip up and tell you the name; after all, the Scripting Guys never make the same mistake twice. (Mainly because we make so many other<\/I> mistakes that we never get around to making the same mistake twice.) So, no, we can\u2019t \u2013 and won\u2019t \u2013 tell you the name of the company. But you could always try visiting your favorite Internet search engine and figuring it out for yourself.<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I retrieve a list of unique users from the Security event log?— KM Hey, KM. Before we tackle your question we should probably address a question sent in by another reader: Hey, Scripting Guy! Whatever happened to Monday? Having been gone on vacation all last week, I was combing through […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,3,63,5],"class_list":["post-63763","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-scripting-guy","tag-security","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I retrieve a list of unique users from the Security event log?— KM Hey, KM. Before we tackle your question we should probably address a question sent in by another reader: Hey, Scripting Guy! Whatever happened to Monday? Having been gone on vacation all last week, I was combing through […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/63763","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=63763"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/63763\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=63763"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=63763"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=63763"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}