Failed sign-ins are Security event 4625 ("An account failed to log on"). It is written on the machine where the attempt was made, so check the workstation or member server that was targeted, not only the DC. Reading the Security log requires an elevated prompt (or membership in the local Event Log Readers group).
Last 50 failed logons
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625 } -MaxEvents 50 |
Select-Object TimeCreated, @{Name='Account'; Expression={ $_.Properties[5].Value }},
@{Name='SourceIP'; Expression={ $_.Properties[19].Value }}
Failed logons in the last 24 hours
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1) } |
Select-Object TimeCreated, @{n='Account';e={$_.Properties[5].Value}}, @{n='IP';e={$_.Properties[19].Value}}
Count attempts per account (find the brute-forced one)
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1) } |
Group-Object { $_.Properties[5].Value } |
Sort-Object Count -Descending |
Select-Object Count, Name
Related: account lockouts (event 4740, on the DC)
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4740 } -MaxEvents 20 |
Select-Object TimeCreated, @{n='Account';e={$_.Properties[0].Value}}, @{n='Source';e={$_.Properties[1].Value}}
Notes: the account name and source IP live in the event's Properties array, which follows the
EventData order for that event ID: for 4625, index 5 is TargetUserName and index 19 is IpAddress.
For 4740, index 0 is the locked-out account and index 1 is the caller computer name (the field is
named TargetDomainName in the XML but carries the computer that sent the bad password). Indexes are
stable for a given event ID but differ per event, so if a field looks wrong dump the event with
$evt.ToXml() and read the Data Name attributes rather than guessing. IpAddress is "-" for console
and other local logons; it is populated for network (type 3) and RDP (type 10) logons. 4625 only
appears if failure auditing for the Logon subcategory is on; Kerberos and NTLM failures for domain
accounts also show up on the DC as 4771 and 4776. 4740 lockout events are recorded on the domain
controller that processed the lockout.
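Added example (not part of the original notes): instead of relying on Properties indexes, this pulls the 4625 fields by name from the event XML, then runs the two checks a responder usually wants over the result: which accounts are being hammered (brute force) and which source addresses are touching many different accounts (password spray). The thresholds (20 failures, 10 distinct accounts) and the SubStatus comments are assumptions chosen for illustration; run it elevated on the machine that logged the failures.

```powershell
# Extract 4625 fields by EventData name (TargetUserName, IpAddress, ...) via ToXml(),
# so the result does not depend on the positional index of each field.
function Get-FailedLogon {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        ForEach-Object {
            # PowerShell's [xml] adapter ignores the event namespace, so dot-walking works.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                SourceIP    = $d.IpAddress          # "-" for console/local logons
                Workstation = $d.WorkstationName
                LogonType   = [int]$d.LogonType     # 3 = network, 10 = RDP
                # Assumed mapping for the common codes:
                # 0xC000006A bad password, 0xC0000064 no such user,
                # 0xC0000234 locked out, 0xC0000072 disabled
                SubStatus   = $d.SubStatus
            }
        }
}

# Brute force: many failures against a single account (threshold is an assumption).
function Find-BruteForcedAccount {
    param([int]$Hours = 24, [int]$MinFailures = 20)
    Get-FailedLogon -Hours $Hours |
        Group-Object Account |
        Where-Object Count -ge $MinFailures |
        Sort-Object Count -Descending |
        Select-Object Count, @{n='Account'; e={ $_.Name }},
            @{n='Sources'; e={ ($_.Group.SourceIP | Sort-Object -Unique) -join ',' }}
}

# Password spray: one source address trying many distinct accounts, usually with
# few failures per account so no single account locks out.
function Find-SprayingSource {
    param([int]$Hours = 24, [int]$MinAccounts = 10)
    Get-FailedLogon -Hours $Hours |
        Where-Object SourceIP -ne '-' |
        Group-Object SourceIP |
        Select-Object @{n='SourceIP'; e={ $_.Name }}, Count,
            @{n='Accounts'; e={ ($_.Group.Account | Sort-Object -Unique).Count }} |
        Where-Object Accounts -ge $MinAccounts |
        Sort-Object Accounts -Descending
}

Find-BruteForcedAccount -Hours 24 | Format-Table -AutoSize
Find-SprayingSource -Hours 24 | Format-Table -AutoSize
```

Because the fields are keyed by name, the same Get-FailedLogon body can be pointed at another event ID by changing the Id in the filter and the property names in the output object; the index caveat in the notes above then no longer applies.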