Windows Event Log Monitoring and Alerting via PowerShell
Overview
This project focuses on building a PowerShell-based automation to monitor Windows Event Logs — specifically targeting failed login attempts (Event ID 4625). The script reads the Security log, extracts recent failed logins, and sends a real-time email alert if any are found. It runs silently in the background every 5 minutes using Task Scheduler.
This project showcases scripting, secure credential handling, system internals, and process automation — essential skills for any cybersecurity or IT professional.
🛠️ Applications
- Detect brute-force or unauthorized login attempts
- Build a lightweight Host Intrusion Detection System (HIDS)
- Integrate into enterprise monitoring pipelines
- Demonstrate scripting, automation, and alerting skills on a resume or portfolio
🧪 Tools & Technologies Used
- PowerShell (core logic + SecureString handling)
- Windows Event Viewer (source for logs)
- Task Scheduler (for background automation)
- Gmail SMTP (for sending alerts)
- Secure credential storage with Export-Clixml / Import-Clixml
⚙️ Script Behavior (How It Works)
- Sets a rolling time window (last 5 minutes)
- Queries the Security log for Event ID 4625 (failed login attempts)
- If any are found:
  - Builds an alert email with details like timestamp and attempted account
  - Sends the email via Gmail SMTP
- Scheduled to run automatically every 5 minutes using Windows Task Scheduler
🔐 Securing Your Gmail Password
Instead of hardcoding sensitive information like SMTP credentials, I used PowerShell’s secure string encryption.
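A minimal version of the script described in the two sections above, added here as an illustration (it is not the project's own code). File paths and mail addresses are assumed placeholders; the credential file must be created by the same Windows user the scheduled task runs as, because Export-Clixml protects it with DPAPI for that user and machine only.

```powershell
# One-time setup, run interactively as the SAME user the scheduled task runs as
# (Export-Clixml encrypts with DPAPI, so only that user on that machine can decrypt):
#   Get-Credential | Export-Clixml -Path 'C:\Secure\gmail.cred'   # enter the Gmail App Password
# Paths and addresses below are placeholders (assumed), not values from the project.

$CredPath = 'C:\Secure\gmail.cred'
$From     = 'alerts@example.com'
$To       = 'admin@example.com'

# Rolling time window: only events logged since the previous 5-minute run
$Start = (Get-Date) - (New-TimeSpan -Minutes 5)

# Query the Security log for Event ID 4625 (failed logon). Reading the Security log
# needs an elevated context, hence "Run with highest privileges" on the task.
# Get-WinEvent raises an error when zero events match, so suppress that case.
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Start } `
          -ErrorAction SilentlyContinue
if (-not $Events) { return }   # nothing to report this cycle

# Pull a named field out of an event's XML (EventData/Data[@Name='...'])
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$Rows = foreach ($e in $Events) {
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = Get-EventField $e 'TargetUserName'
        SourceIP  = Get-EventField $e 'IpAddress'
        LogonType = Get-EventField $e 'LogonType'     # 3 = network, 10 = RDP
        SubStatus = Get-EventField $e 'SubStatus'     # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

$Body = $Rows | Format-Table -AutoSize | Out-String

# The credential comes from the DPAPI-protected file, never from the script text
$Cred = Import-Clixml -Path $CredPath

Send-MailMessage -SmtpServer 'smtp.gmail.com' -Port 587 -UseSsl -Credential $Cred `
    -From $From -To $To -Body $Body `
    -Subject "[ALERT] $(@($Rows).Count) failed logon(s) on $env:COMPUTERNAME"
```

Because the window is fixed at 5 minutes, a run that is delayed or skipped can miss events; persisting the last processed TimeCreated between runs closes that gap.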
🕒 Automating with Task Scheduler
To ensure this runs every 5 minutes:
- Created a Task in Task Scheduler with:
  - "Run whether user is logged on or not"
  - "Run with highest privileges"
  - Scheduled to repeat every 5 minutes indefinitely
- Set execution policy to Bypass so PowerShell could run without interruption:

```powershell
powershell.exe -ExecutionPolicy Bypass -File "C:\Path\To\Script.ps1"
```
❗ Challenges I Faced
- Task Scheduler doesn't accept PINs — I had to use my Microsoft account password
- Windows wouldn't allow me to reset my user password (System error 8646) because the account was tied to Microsoft
- Couldn't use my Microsoft email (@outlook.com) directly in Task Scheduler — had to use the local alias
- SMTP errors (Send-MailMessage: Unable to connect to remote server) required Gmail App Passwords and secure connection setup
What I Learned from this project
- Deepened my understanding of Windows log architecture
- Built secure, automated alerting workflows using PowerShell
- Learned the difference between local vs Microsoft accounts in system contexts
- Understood secure credential handling for scripting environments
June 28, 2025