Tag Archives: powershell

PowerShell- Get Usernames from Windows Security Log

This snippet takes the export of the Windows Security log and returns a list of user ids from within it.

Exporting the Logs

  1. Open Event Viewer in Windows, select the Security Log and choose “Save All Events As….” – save the file as a Comma Delimited CSV.
  2. Open the exported file in Notepad and add “,Description” to the end of the first line (PowerShell won’t import the description field otherwise)

PowerShell Manipulation

$events=Import-CSV securitylog.csv
$result= foreach ($event in $events) {
(((($event.Description) -Split "`r`n" |
Where-Object {$_ -like '*Account Name:*'}) -Split ":")[1]).trim() }
$result | Sort-Object –Unique

The result is a list of the Account Names found in the file. See GitHub for further info and updates.

Check Azure WebApps have Backup Configured

Azure WebApps (depending on tier) come with an optional native backup service. This quick PowerShell snippet looks at all the WebApps in the current subscription and reports back on whether Backup has been set up. This should be helpful for spotting where a configuration has been missed.

Use Set-AzContext to set the subscription in advance, and to restrict to an individual Resource Group use the –ResourceGroupName on the Get-WebApp cmdlet in the first line.

foreach($WebApp in Get-AzWebApp ){
  if (Get-AzWebAppBackupConfiguration `
      -ResourceGroupName $WebApp.ResourceGroup `
      -Name $WebApp.Name `
      -ErrorAction SilentlyContinue) {
  $WebApp.Name+" Backup Configured"
  } else {
  if( (Get-Error -Last 1).Exception.Response.Content `
      -like "*Backup configuration not found for site*")
    {$WebApp.Name+" Backup Not Configured"}

Using New-AzureFirewallRule with multiple ports or IP ranges

When creating an Azure Firewall rule with multiple ports or IP ranges using the PowerShell “New-AzureFirewallRule” cmdlet, you may get an error like this:

Invalid IP address value or range or Service Tag,
StatusCode: 400
ReasonPhrase: Bad Request
ErrorCode: AzureFirewallRuleInvalidIpAddressOrRangeFormat


Invalid port value or range. User ports must be in [1, 65535]
StatusCode: 400
ReasonPhrase: Bad Request
ErrorCode: AzureFirewallRuleInvalidPortOrRangeFormat

The incorrect code causing these messages refers to the Source Address or Destination Port as a comma-delimited string as you would use in the Azure Portal, as shown here:

#Incorrect Code
$netRule = New-AzFirewallNetworkRule `
     -Name "FirewallRule1" `
     -Description "Rule for HTTP,SMB traffic" `
     -Protocol "TCP" `
     -SourceAddress "," `
     -DestinationAddress "" `
     -DestinationPort "139,445,80"

However, the cmdlet wants an array of strings to be passed here rather than a comma-delimited string value, so (“″,””) rather than “,”. The correct version of the above code snippet is as follows:

#Corrected Code
$netRule = New-AzFirewallNetworkRule `
     -Name "FirewallRule1" `
     -Description "Rule for HTTP,SMB traffic " `
     -Protocol "TCP" `
     -SourceAddress ("","") `
     -DestinationAddress "" `
     -DestinationPort ("139","445","80")

Checking Hybrid Benefits in Azure with PowerShell

When using Windows-based Virtual Machines on Microsoft Azure, there’s an option to use “Azure Hybrid Benefit” to re-use existing Windows licenses you own on-premises for workloads now running in the public cloud.


If you don’t select this option then your Azure bill will include the cost of a new Windows license for that virtual machine, so it’s important to ensure it is used where you are entitled to do so. If you have a site license, or campus agreement, you may find that you are allowed Hybrid Benefit on all your workloads in Azure.

This PowerShell snippet will list all the Windows Virtual machines (in the current subscription- use Set-AzContext to change that) which are not making use of the Hybrid Benefits- giving you a quick list of VMs to check the settings on.

Get-AzVM | Where-Object {$_.OSProfile.WindowsConfiguration -and !($_.LicenseType)}

PowerShell Get-Command: finding the cmdlet

A recent Slack chat reminded me that PowerShell’s Get-Command cmdlet is a good way of finding what commands to use when you encounter a new problem. However it goes beyond typing “Get-Command” and just getting a huge list back- my laptop just gave me 7659 commands to choose from – as this can be unusable. Here’s some quick tips on focussing your search by using the built in arguments.

1. –module

PowerShell and it’s extensions are comprised of modules. If you want to use the cmdlets for interacting with a VMware environment you install their “PowerCLI” module. Get-Command can return just the cmdlets from a specific module, for example we can list all the cmdlets from the VMware modules

Get-Command –Module VMware.*

Or we can list the commands in the Azure Compute PowerShell module

Get-Command –Module Az.Compute

2. –verb

If you’ve used PowerShell before, you’ll know that cmdlet names are all of the format verb (“a doing word” as I was taught at school), followed by a dash,  followed by a noun. So we have Measure-Object, Remove-Disk, and even Get-Command itself. The “-verb” argument can be used to only show us cmdlets with this verb, for example to only see the “Get” cmdlets we use

Get-Command –Verb Get

3. –noun

So, after the dash we have the noun. A disk, network connection, user account, and so on. So to find out all the cmdlets that work on or with services:

Get-Command –Noun Service

4. Combining the above

Of course we can make this even more powerful by combining these arguments together and with wildcards. Let’s say we want to know all the cmdlets for working with VMware vSphere tags?

Get-Command –Module VMware* –Noun *Tag*

Or if we want to find all the get Azure get commands for working with resources, resource groups, resource locks and so on.

Get-Command -Module Az.* -Verb Get -Noun *resource*