Get user's last logon from sccm with powershell - powershell

I'm trying to create wmi query to sccm to get PC, where was user's last logon.
Something like:
Get-WmiObject -namespace $SCCMNameSpace -computer $SCCMServer -query "select lastlogon, PCname from sms_? where LastLogonUserName='$SamAccountName'" | select lastlogon, PCname.
I can see this information in sccm report, but I don't know what class I have to use for a query. I'm using sms_r_system for getting IP and computer name.
Is anyone knew sccm class with this information or sql queries will be better for me?

Which report are you viewing the data with? You might want to open up the report's SQL code, figure out which ConfigMgr SQL views it's referencing, and then translate that to the SCCM WMI class names. The WMI class names closely correlate to the SQL view names.
Use a WMI browser like SAPIEN's free WMI Explorer GUI tool to help explore the root\sms\site_xyz WMI namespace and discover which class you are looking for. You can also use Windows PowerShell to help discover which class contains this property:
gwmi -name root\cimv2 -list | ? { ($_.Properties.Name -join ',') -match 'lastlogon' }
Note: Make sure you're using PowerShell version 3.0 Release Preview for the above command, otherwise it won't work right.

Related

Querying Windows Update Errors using PowerShell Get-WinEvent or Get-WMIObject

Trying to create a simple Windows Update error query using Get-WinEvent (although I would prefer querying a WMI Object for use with SCUP):
get-winevent -logname System| Where-Object {$_.ProviderName -eq "Microsoft-Windows-WindowsUpdateClient"}
This seems to work for the most part. However, it only returns informational events and not errors. Are these located somewhere else and, if so, how would I query them? For some background, there is a specific update failure occurring on approximately 10% of Windows 10 machines in my environment (missing assembly file) and I want to target it so that I can deploy a solution.
A solution using Get-WinEvent is fine, though I would prefer using Get-WMIObject if possible.
You can use the Win32_NTLogEvent like this:
Get-WmiObject Win32_NTLogEvent |?{($_.LogFile -eq 'System') -and ($_.SourceName -eq 'Microsoft-Windows-WindowsUpdateClient') }
Note: You can further filter with Type which will tell you about information or error or warning.
Hope it helps.
I cannot find anything that actually states this but it looks like Get-WinEvent by default only returns information messages. If you want to see the other then you need to tell it to return those. One way to do it is with -FilterHashtable.
Get-WinEvent -FilterHashtable #{LogName='System';Level=1,2}
That would return only warnings and error.
1 - Error
2 - Warning
4 - Information
You can look at the enum [System.Diagnostics.EventLogEntryType] to see where I got the numbers from.
Looking at MS you can see what the hashtable filter supports..
LogName=<String[]>
ProviderName=<String[]>
Path=<String[]>
Keywords=<Long[]>
ID=<Int32[]>
Level=<Int32[]>
StartTime=<DateTime>
EndTime=<DataTime>
UserID=<SID>
Data=<String[]>
*=<String[]>
If your WMI queries are having similar issues then you can do something like this
Get-WmiObject -class Win32_NTLogEvent -filter "(logfile='Application') AND (type='error')"
You can find some tangential examples here
Write a WMI query (this overrides weird event type filters):
Get-WmiObject -Query "Select * from Win32_NTLogEvent" |?{(($_.LogFile -eq 'System') -and ($_.Type -in ("Error", "Warning"))) -and ($_.SourceName -eq 'Microsoft-Windows-WindowsUpdateClient') }
Okay, so after doing some additional research, I stumbled upon this website that sheds some light on the issue I'm running into. Essentially, while most, if not all Windows Events are logged in the C:\Windows\System32\Winevt\logs folder, not all Windows Events are replicated in WMI by default.
In PowerShell, Get-WinEvent appears to use the above folder when querying its event data, whereas Get-EventLog uses the Win32_WinNTLogEvent WMI class.
In my original question, I mentioned that I was unable to query Windows Update error events using Get-WinEvent. This is because I was pointing to the System log file, which does not contain the information. The Microsoft-Windows-WindowsUpdateClient/Operational log file (literal path being C:\Windows\System32\Winevt\logs\Microsoft-Windows-UpdateClient%4Operational.evtx) does contain this information, so my query can simply be changed up using something similar to the following:
Get-WinEvent -logname "Microsoft-Windows-WindowsUpdateClient/Operational" | Where-Object {$_.LevelDisplayName -eq "Error"}
In order to query the same data returned by Get-WinEvent using the Win32_NTLogEvent WMI class, the registry must first be modified. Again, the link I posted in this answer describes the process in greater detail, but essentially I performed the following registry mod:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-WindowsUpdateClient/Operational]
"File"="%SystemRoot%\\System32\\Winevt\\Logs\\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx"
"Primary Module"="Microsoft-Windows-WindowsUpdateClient/Operational"
"Microsoft-Windows-WindowsUpdateClient/Operational"=hex(2):25,00,53,00,79,00,73,00,74,\
00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,\
65,00,6d,00,33,00,32,00,5c,00,77,00,65,00,76,00,74,00,61,00,70,00,69,00,2e,\
00,64,00,6c,00,6c,00,00,00
Note: The "Microsoft-Windows-WindowsUpdateClient/Operational" Expanded String (REG_EXPAND_SZ) at the end there is pointing to %SystemRoot%\system32\wevtapi.dll
Once the registry was modified, I was able to query the error events as follows:
Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Microsoft-Windows-WindowsUpdateClient/Operational' AND Type='Error'"
Somewhat of a pain considering that Windows Update errors should probably be present in the Win32_NTLogEvent WMI class by default (ah, Microsoft). Still, this essentially resolves my question.
One additional point to mention. The website above states that, upon editing the registry, you'd be able to query the new events immediately. I had to reboot my machine first.

Delete user profile using Powershell

I am wondering how I can delete user profile by using Powershell?
I know the command of Get-WmiObject Win32_UserProfile which will give me the whole users on the computer.
I have 2 variables of $computername and $username.
So I wants to use the above command to delete on a remote computer (which is $computername) the profile of $username.
How I can do it?
Thanks.
Get-WMIObject can retrieve objects from remote computers with no problem, and not only does the Win32_UserProfile class have a (poorly documented) delete() method, a Win32_UserProfile object can be passed to Remove-WMIObject. This will, to all appearances, properly clean up the registry and files, and does in fact work on remote computers.
References:
Get-Help Get-WMIObject
Get-Help Remove-WMIObject
Win32_UserProfile: https://msdn.microsoft.com/en-us/library/ee886409(v=vs.85).aspx and https://msdn.microsoft.com/en-us/library/windows/desktop/hh830632(v=vs.85).aspx
My own question on this topic

Using WQL query from SCCM in powershell

I have a query in SCCM that will take a printer IP address and return all workstations in SCCM that have the printer installed on it. I am wanting to create a powershell script that will take said query and use the workstations that it returns to then list current print jobs in the print queue on the workstation.
I know that you can use Get-CIMInstance -query to query different things in WMI. That works well if I am trying to find out information locally. However if I dump the WQL query into a Here-String and assign it to a variable and then call it with Get-CIMInstance -query it returns an error saying invalid query. The same thing happens when I use Get-WmiObject -Namespace "root\wmi" -Query $WQlquery
So how would I be able to use the WQL query from SCCM in powershell? Here is an example of what I have so far:
$WQLquery = #"
select SMS_R_System.Name from
SMS_R_System inner join
SMS_G_System_PRINTER_DEVICE on
SMS_G_System_PRINTER_DEVICE.ResourceID =
SMS_R_System.ResourceId where
SMS_G_System_PRINTER_DEVICE.PortName like "10.10.10.10"
"#
Get-CIMInstance -query $WQLquery
Assuming that worked and returned a list of workstation ids, I would then use Get-Printjob cmdlet to list current jobs in each workstations print queue. I have found a few questions posted here already that have helped me get this far. Any additional help would be appreciated. Go easy on me, still a newb here.
You need to specify the namespace for the sccm site root\sms\site_SITECODE and the sccm-server if you're running it from a remote computer. Ex:
$WQLquery = #"
select SMS_R_System.Name from
SMS_R_System inner join
SMS_G_System_PRINTER_DEVICE on
SMS_G_System_PRINTER_DEVICE.ResourceID =
SMS_R_System.ResourceId where
SMS_G_System_PRINTER_DEVICE.PortName like "10.10.10.10"
"#
Get-WmiObject -Query $WQLquery -ComputerName "SCCMSERVER" -Namespace "root\sms\site_PRI"

Early filtering within the root\ccm\cliensdk namespace

I recently wrote a script that updates registry values on remote desktops after checking, for instance, that a certain application, MyApp, is properly installed.
The aforementioned application is installed/deployed by SCCM (2012, not R2 for the moment).
In the process of optimizing the script, I wanted to change the test of the install state of MyApp (from late to early filtering).
So far, no luck and so far, no explanation either.
I can't properly understand why it seems not possible to do some early filtering with the following command :
gwmi -ComputerName myserver -Namespace root\ccm\clientsdk -query "select * from ccm_application where Fullname='MyApp'"
Of course, nor can we use :
gwmi -ComputerName myserver -Namespace root\ccm\clientsdk -class ccm_application -filter "Fullname='MyApp'"
Late filtering, of course, works but I wanted (and expected) early filtering to work, especially since I am checking the Install state of an app for quite a lot of remote desktops.
Of course, I do know that I could (can) use SCCM for that purpose (executing a script only if ...) but that still does not explain why I can't do early filtering.
Whenever I try to query that class with my installation while specifying either properties or a filter, I get the error "Provider is not capable of the attempted operation". It doesn't matter if I use Get-WmiObject or Get-CimInstance.
I get the same error when I run this:
PS C:\> WMIC.EXE /NAMESPACE:\\root\ccm\clientsdk PATH ccm_application GET FullName
Node - <SERVERNAME>
ERROR:
Description = Provider is not capable of the attempted operation
PS C:\> wmic /NAMESPACE:\\root\ccm\clientsdk PATH ccm_application WHERE "FullName='Java 32-bit'"
Node - <SERVERNAME>
ERROR:
Description = Provider is not capable of the attempted operation
Although this works just fine:
WMIC.EXE /NAMESPACE:\\root\ccm\clientsdk PATH ccm_application
Seems like a limitation of the provider then, not a problem with your code. -Filter and -Property don't work by design.
Note that I am using 2012 R2 SP1 (5.00.8239.1000), so this may not perfectly apply. However, it seems unlikely that they would remove the functionality from the provider moving from 2012 to 2012 R2.

How can i take a user dump using powershell

I want to take user dump of a process using powershell How can i do it?
The same I get on rightclicking the process in Taskmanager
Based on this article (archived) from Risksense.
MiniDump function from native comsvcs.dll Windows dll could be used.
Like:
Powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump {ID-of-the-process} $Env:TEMP\my_dump_file.bin full
The easiest way is to use Procdump from Sysinternals toolkit. Use Get-Process to get process id, which you can pass to Procdump for actual dumping.
Edit:
I'd still rather use readily available tools instead of the hard way. Have you got a valid business reason? Since you insist, there is a Win32 API call that creates user mode memory dumps. It can be invoked from .Net code, so either use P/Invoke or embed C# into your Powershell code. This is left as an exercise to the reader.
Hi sorry I'm not much help. I've never used a DUP file before. But there is a WMI class called Win32_Process:
Get-WMIObject -Class Win32_Process
Not sure if that's the info you are looking for. Has different properties than Get-Process.
I had a similar use case where I needed to create a dump for an IIS process. Granted I could have used DebugDiag, but I ended up going down this path. Here's what I used (and works pretty well, I should add):
$procid = Get-Process | Where-Object {$_.ProcessName -eq 'w3wp'} | Select-Object ProcessName,Id
New-Item -Path "c:\temp\Dumps" -Type directory -Force
cmd.exe /c "c:\temp\procdump64.exe" $procid.id -accepteula -mp "c:\temp\Dumps"
Furthermore, you could use these dump files for analysis using DebugDiag too. So it's a win-win in my opinion.
PS: Theoretically, one could also get the Process ID using the Get-CimInstance cmdlet. So something like this would also work:
Get-CimInstance -Query "SELECT * from Win32_Process WHERE name LIKE 'w3wp%'"