Parsing Get-WinEvent "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

I'm trying to get the logon, logoff, connect, disconnect info from the above log. Here is what I have so far:
Get-WinEvent -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where {($_.Id -eq "21" -OR $_.Id -eq "24" -OR $_.Id -eq "25" -OR $_.Id -eq "23")} | Export-Csv C:\RDS.csv
Then I just wanted these columns and I put them in a diff csv:
Import-Csv C:\RDS.csv | select Message,TimeCreated | Export-Csv -Path c:\FixedRDS.csv -NoTypeInformation
Now I have two columns:
Message TimeCreated
Message consists of multi-line, and TimeCreated is just a single.
There's probably a better way than two diff .csv files to get to this point, but I'm just starting out here. The objective is to parse out the Message line into multiple columns: I'd like the first column to be Message and the value in the above example to be "Session has been disconnected". I suppose that could just say "disconnected", but either way that value. The next column would be "User", then I don't need the "Session ID" or "Source Network Address" (though this doesn't even show up on each record). The last column would be "TimeCreated" like this:
The end result of this is to insert into a SQL server table. Maybe there is even a better way of doing all of that in one shot.
Thanks

There are probably better ways to do this, but this should work for you:
$Events = Get-WinEvent -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | where {($_.Id -eq "21" -OR $_.Id -eq "24" -OR $_.Id -eq "25" -OR $_.Id -eq "23")}
# Collect one row per event; a Foreach statement cannot be piped directly, so capture its output first.
$Results = Foreach ($Event in $Events) {
    $Result = "" | Select Message,User,TimeCreated
    $Result.TimeCreated = $Event.TimeCreated
    # Walk the message line by line and keep only the two fields of interest.
    Foreach ($MsgElement in ($Event.Message -split "`n")) {
        $Element = $MsgElement -split ":"
        # Trim() with no argument also removes the carriage return left behind by the split.
        If ($Element[0] -like "User") {$Result.User = $Element[1].Trim()}
        If ($Element[0] -like "Remote Desktop*") {$Result.Message = $Element[1].Trim()}
    }
    $Result
}
$Results | Select Message,User,TimeCreated | Export-Csv C:\RDS.csv
The message has a newline character between the bits that you're looking for, so I split that at the newline, represented by `n. The backtick is an escape character so that PowerShell treats special characters literally. But it also indicates a special character when used with n (newline), t (tab), and r (carriage return), and probably others I haven't used yet.
I then loop through all of those elements, split them at the :, and check for the first element to determine if the 2nd element is important.  No 2nd file needed.
I hope this post has helped!
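An alternative to splitting the Message text, added here as an example and not part of either post: read the User, SessionID and Address fields from the event's XML, which does not depend on the display language of the message and lets the log itself filter on event ID. The helper name ConvertFrom-RdsEventXml, the action labels and the sample event are constructed for illustration; the sketch assumes these events carry their fields under UserData/EventXML.

```powershell
# Short action names for the four event IDs queried in this thread.
$RdsActions = @{ 21 = 'Logon'; 23 = 'Logoff'; 24 = 'Disconnect'; 25 = 'Reconnect' }

function ConvertFrom-RdsEventXml {
    # Hypothetical helper: flattens one event's XML into a single row.
    param([Parameter(Mandatory)][string]$EventXml)

    $doc    = [xml]$EventXml
    $system = $doc.Event.System
    $data   = $doc.Event.UserData.EventXML
    $id     = [int]$system['EventID'].InnerText

    [pscustomobject]@{
        Action      = if ($RdsActions.ContainsKey($id)) { $RdsActions[$id] } else { "Id$id" }
        User        = $data.User
        SessionId   = $data.SessionID
        Address     = $data.Address   # not present on every record; stays $null then
        TimeCreated = [datetime]::Parse($system.TimeCreated.SystemTime,
                          [cultureinfo]::InvariantCulture, 'RoundtripKind')
    }
}

# Constructed sample event (user, address and time are made up) so the parser runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>24</EventID>
    <TimeCreated SystemTime="2024-01-15T09:12:03.000Z" />
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <User>CONTOSO\alice</User>
      <SessionID>2</SessionID>
      <Address>192.0.2.10</Address>
    </EventXML>
  </UserData>
</Event>
'@

ConvertFrom-RdsEventXml $sample | Format-List

# On a server that has the log, filter at the source and export in one pass:
# Get-WinEvent -FilterHashtable @{
#         LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
#         Id      = 21, 23, 24, 25 } |
#     ForEach-Object { ConvertFrom-RdsEventXml $_.ToXml() } |
#     Export-Csv C:\RDS.csv -NoTypeInformation
```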
