Hello, I need to read the passwords that were viewed the day before by users with a PowerShell script.
I can get the list of credentials with:
Get-RDMSession | where {$_.ConnectionType -eq "Credential"}
Is there a method to get only the passwords viewed by users?
Regards
Hello,
Sadly it is not possible to get a list of viewed passwords with the RDM PowerShell module. This information is not located in the entry's object properties but in another table in the database that is not available through PowerShell.
Best regards,
Érica Poirier
Hello,
After a discussion with an engineer, creating an RDM PowerShell cmdlet to get the activity logs of an entry has been added to our to-do list. This thread will be updated once the cmdlet is available.
I am moving this thread to the Feature Request section.
Best regards,
Érica Poirier
Very happy to hear this.
Thank you very much
Hello,
If you cannot wait for the feature to be delivered, reading our logs is really easy.
A simple SELECT statement in our ConnectionLog table will do the trick. There is a MessageType field which contains a numerical value; the Password Viewed event is number 5.
If you are using SQL Server, with PowerShell you can use the Invoke-Sqlcmd cmdlet to easily run a query.
Just drop me a PM if you want to pursue that track.
Maurice
Hello Maurice, thank you for your suggestion.
I tried to extract the data with the query you suggested, but I found some differences from those in your post: the MessageType codes for the displayed passwords are 4 and 43, not 5.
Is that right?
What is the difference between code 4 and code 44?
Regards
Marco
Hello,
Indeed, I made a mistake between two enums. Here is the full list:
ConnectionLogMessage
Info = 1,
Warning = 2,
Error = 3,
OpenConnection = 4,
AddConnection = 5,
EditConnection = 6,
DeleteConnection = 7,
OpenVPN = 8,
CloseVPN = 9,
CredentialsSentToPlugin = 10,
Comment = 11,
ExportedConnection = 12,
UserAdded = 13,
UserDeleted = 14,
UserEdited = 15,
SecurityGroupAdded = 16,
SecurityGroupDeleted = 17,
SecurityGroupEdited = 18,
RoleAdded = 19,
RoleDeleted = 20,
RoleEdited = 21,
MacroScriptTool = 22,
ExportedDocuments = 23,
KeyAgentKeyUsed = 24,
ReportOpened = 25,
RepositoryAdded = 26,
RepositoryDeleted = 27,
RepositoryEdited = 28,
AttachmentAdded = 29,
AttachmentDeleted = 30,
AttachmentEdited = 31,
AttachmentDocumentUpdated = 32,
AttachmentOpened = 33,
ActivityLogCleared = 34,
DeletedEntryCleared = 35,
EntryHistoryCleared = 36,
DataSourcePermissionChanged = 37,
ServerPropertiesViewed = 38,
ServerPropertiesEdited = 39,
ServerUpdated = 40,
DocumentUpdated = 41,
PasswordViewed = 43,
PasswordChanged = 44,
ConnectionStringViewed = 45,
PasswordHistoryCleared = 46,
ConnectionViewed = 47,
ShortcutAdded = 48,
ShortcutDeleted = 49,
PasswordTemplateAdded = 50,
PasswordTemplateEdited = 51,
PasswordTemplateDeleted = 52,
ResetPassword = 53,
Checkout = 54,
Checkin = 55,
PermissionChanged = 56,
Validation = 57,
PamPasswordViewed = 58,
PamCredentialAdded = 59,
PamCredentialEdited = 60,
PamCredentialDeleted = 61,
TypingMacroExecuted = 62,
TerminalScriptExecuted = 63,
ConnectionCopied = 64,
ConnectionHistoryVersionReset = 65,
AccessDenied = 66,
PamCertificateViewed = 67,
PamTagAdded = 68,
PamTagRead = 69,
PamTagEdited = 70,
PamTagDeleted = 71,
PamTagDeleteAssociatedTags = 72,
PamTagDeleteUnusedTags = 73,
PamResetPasswordScheduleAdded = 74,
PamResetPasswordScheduleRead = 75,
PamResetPasswordScheduleEdited = 76,
PamResetPasswordScheduleDeleted = 77,
PamPasswordUpdated = 78,
PamFolderAdded = 79,
PamFolderRead = 80,
PamFolderEdited = 81,
PamFolderDeleted = 82,
PamCredentialRead = 83,
PamCheckoutAdded = 84,
PamCheckoutRead = 85,
PamCheckoutEdited = 86,
PamCheckoutDeleted = 87,
PamCheckoutStatusChanged = 88,
PamCheckoutAborted = 89,
PamCheckoutExpired = 90,
UserResetPassword = 91,
PamPasswordHistoryViewed = 92,
LicenseAdded = 93,
LicenseDeleted = 94,
LicenseEdited = 95,
PamCheckoutEnded = 96,
PamCheckoutApproved = 97,
PamCheckoutDenied = 98,
PamCheckoutActive = 99,
SessionRecordingViewed = 100,
UsernameViewed = 101,
DomainViewed = 102,
UserLicenseAssigned = 103,
UserLicenseUnassigned = 104,
PamCredentialSync = 105,
PamPasswordReset = 106,
PamPasswordBrokering = 107,
RecordingInterrupted = 108,
ExportedAllConnections = 109,
PamFolderExported = 110,
VaultMasterPasswordChanged = 111,
OneTimePasswordViewed = 112,
PamCheckoutCancelled = 113,
PamCheckoutForcedCheckin = 114,
UserLocked = 115,
TemporaryAccessRequestSent = 116,
TemporaryAccessRequestApproved = 117,
TemporaryAccessRequestCancelled = 118,
TemporaryAccessRequestDenied = 119
If you use Devolutions Password Server as a backend, there is also the MessageSubType that is used, but I won't pollute this response with details that you may not need.
Sorry about the error
Maurice
Hey Maurice,
Can you post a code snippet for me to work off, please? I need to do something similar to the above,
where I see all the connection information for opening a session and/or viewing a password for a specific vault.
Thanks
Hi Neil,
You are a DPS user, and reports like this are on the roadmap, even with the possibility of scheduling them.
For the Vaults, you must query the Repository table to locate their IDs (the default one has the ID 00000000-0000-0000-0000-000000000000).
As for the events you are looking for, they are 4 and 43.
The big ugly query that translates codes into human-readable strings is therefore (please adapt for the repository ID field):
SELECT [ID]
,[Username]
,[MachineName]
,[Message]
,CASE
WHEN [MessageType] = 0 THEN 'Unknown'
WHEN [MessageType] = 1 THEN 'Info'
WHEN [MessageType] = 2 THEN 'Warning'
WHEN [MessageType] = 3 THEN 'Error'
WHEN [MessageType] = 4 THEN 'OpenConnection'
WHEN [MessageType] = 5 THEN 'AddConnection'
WHEN [MessageType] = 6 THEN 'EditConnection'
WHEN [MessageType] = 7 THEN 'DeleteConnection'
WHEN [MessageType] = 8 THEN 'OpenVPN'
WHEN [MessageType] = 9 THEN 'CloseVPN'
WHEN [MessageType] = 10 THEN 'CredentialsSentToPlugin'
WHEN [MessageType] = 11 THEN 'Comment'
WHEN [MessageType] = 12 THEN 'ExportedConnection'
WHEN [MessageType] = 13 THEN 'UserAdded'
WHEN [MessageType] = 14 THEN 'UserDeleted'
WHEN [MessageType] = 15 THEN 'UserEdited'
WHEN [MessageType] = 16 THEN 'SecurityGroupAdded'
WHEN [MessageType] = 17 THEN 'SecurityGroupDeleted'
WHEN [MessageType] = 18 THEN 'SecurityGroupEdited'
WHEN [MessageType] = 19 THEN 'RoleAdded'
WHEN [MessageType] = 20 THEN 'RoleDeleted'
WHEN [MessageType] = 21 THEN 'RoleEdited'
WHEN [MessageType] = 22 THEN 'MacroScriptTool'
WHEN [MessageType] = 23 THEN 'ExportedDocuments'
WHEN [MessageType] = 24 THEN 'KeyAgentKeyUsed'
WHEN [MessageType] = 25 THEN 'ReportOpened'
WHEN [MessageType] = 26 THEN 'RepositoryAdded'
WHEN [MessageType] = 27 THEN 'RepositoryDeleted'
WHEN [MessageType] = 28 THEN 'RepositoryEdited'
WHEN [MessageType] = 29 THEN 'AttachmentAdded'
WHEN [MessageType] = 30 THEN 'AttachmentDeleted'
WHEN [MessageType] = 31 THEN 'AttachmentEdited'
WHEN [MessageType] = 32 THEN 'AttachmentDocumentUpdated'
WHEN [MessageType] = 33 THEN 'AttachmentOpened'
WHEN [MessageType] = 34 THEN 'ActivityLogCleared'
WHEN [MessageType] = 35 THEN 'DeletedEntryCleared'
WHEN [MessageType] = 36 THEN 'EntryHistoryCleared'
WHEN [MessageType] = 37 THEN 'DataSourcePermissionChanged'
WHEN [MessageType] = 38 THEN 'ServerPropertiesViewed'
WHEN [MessageType] = 39 THEN 'ServerPropertiesEdited'
WHEN [MessageType] = 40 THEN 'ServerUpdated'
WHEN [MessageType] = 41 THEN 'DocumentUpdated'
WHEN [MessageType] = 43 THEN 'PasswordViewed'
WHEN [MessageType] = 44 THEN 'PasswordChanged'
WHEN [MessageType] = 45 THEN 'ConnectionStringViewed'
WHEN [MessageType] = 46 THEN 'PasswordHistoryCleared'
WHEN [MessageType] = 47 THEN 'ConnectionViewed'
WHEN [MessageType] = 48 THEN 'ShortcutAdded'
WHEN [MessageType] = 49 THEN 'ShortcutDeleted'
WHEN [MessageType] = 50 THEN 'PasswordTemplateAdded'
WHEN [MessageType] = 51 THEN 'PasswordTemplateEdited'
WHEN [MessageType] = 52 THEN 'PasswordTemplateDeleted'
WHEN [MessageType] = 53 THEN 'ResetPassword'
WHEN [MessageType] = 54 THEN 'Checkout'
WHEN [MessageType] = 55 THEN 'Checkin'
WHEN [MessageType] = 56 THEN 'PermissionChanged'
WHEN [MessageType] = 57 THEN 'Validation'
WHEN [MessageType] = 58 THEN 'PamPasswordViewed'
WHEN [MessageType] = 59 THEN 'PamCredentialAdded'
WHEN [MessageType] = 60 THEN 'PamCredentialEdited'
WHEN [MessageType] = 61 THEN 'PamCredentialDeleted'
WHEN [MessageType] = 62 THEN 'TypingMacroExecuted'
WHEN [MessageType] = 63 THEN 'TerminalScriptExecuted'
WHEN [MessageType] = 64 THEN 'ConnectionCopied'
WHEN [MessageType] = 65 THEN 'ConnectionHistoryVersionReset'
WHEN [MessageType] = 66 THEN 'AccessDenied'
WHEN [MessageType] = 67 THEN 'PamCertificateViewed'
WHEN [MessageType] = 68 THEN 'PamTagAdded'
WHEN [MessageType] = 69 THEN 'PamTagRead'
WHEN [MessageType] = 70 THEN 'PamTagEdited'
WHEN [MessageType] = 71 THEN 'PamTagDeleted'
WHEN [MessageType] = 72 THEN 'PamTagDeleteAssociatedTags'
WHEN [MessageType] = 73 THEN 'PamTagDeleteUnusedTags'
WHEN [MessageType] = 74 THEN 'PamResetPasswordScheduleAdded'
WHEN [MessageType] = 75 THEN 'PamResetPasswordScheduleRead'
WHEN [MessageType] = 76 THEN 'PamResetPasswordScheduleEdited'
WHEN [MessageType] = 77 THEN 'PamResetPasswordScheduleDeleted'
WHEN [MessageType] = 78 THEN 'PamPasswordUpdated'
WHEN [MessageType] = 79 THEN 'PamFolderAdded'
WHEN [MessageType] = 80 THEN 'PamFolderRead'
WHEN [MessageType] = 81 THEN 'PamFolderEdited'
WHEN [MessageType] = 82 THEN 'PamFolderDeleted'
WHEN [MessageType] = 83 THEN 'PamCredentialRead'
WHEN [MessageType] = 84 THEN 'PamCheckoutAdded'
WHEN [MessageType] = 85 THEN 'PamCheckoutRead'
WHEN [MessageType] = 86 THEN 'PamCheckoutEdited'
WHEN [MessageType] = 87 THEN 'PamCheckoutDeleted'
WHEN [MessageType] = 88 THEN 'PamCheckoutStatusChanged'
WHEN [MessageType] = 89 THEN 'PamCheckoutAborted'
WHEN [MessageType] = 90 THEN 'PamCheckoutExpired'
WHEN [MessageType] = 91 THEN 'UserResetPassword'
WHEN [MessageType] = 92 THEN 'PamPasswordHistoryViewed'
WHEN [MessageType] = 93 THEN 'LicenseAdded'
WHEN [MessageType] = 94 THEN 'LicenseDeleted'
WHEN [MessageType] = 95 THEN 'LicenseEdited'
WHEN [MessageType] = 96 THEN 'PamCheckoutEnded'
WHEN [MessageType] = 97 THEN 'PamCheckoutApproved'
WHEN [MessageType] = 98 THEN 'PamCheckoutDenied'
WHEN [MessageType] = 99 THEN 'PamCheckoutActive'
WHEN [MessageType] = 100 THEN 'SessionRecordingViewed'
WHEN [MessageType] = 101 THEN 'UsernameViewed'
WHEN [MessageType] = 102 THEN 'DomainViewed'
WHEN [MessageType] = 103 THEN 'UserLicenseAssigned'
WHEN [MessageType] = 104 THEN 'UserLicenseUnassigned'
WHEN [MessageType] = 105 THEN 'PamCredentialSync'
WHEN [MessageType] = 106 THEN 'PamPasswordReset'
WHEN [MessageType] = 107 THEN 'PamPasswordBrokering'
WHEN [MessageType] = 108 THEN 'RecordingInterrupted'
WHEN [MessageType] = 109 THEN 'ExportedAllConnections'
WHEN [MessageType] = 110 THEN 'PamFolderExported'
WHEN [MessageType] = 111 THEN 'VaultMasterPasswordChanged'
WHEN [MessageType] = 112 THEN 'OneTimePasswordViewed'
WHEN [MessageType] = 113 THEN 'PamCheckoutCancelled'
WHEN [MessageType] = 114 THEN 'PamCheckoutForcedCheckin'
WHEN [MessageType] = 115 THEN 'UserLocked'
WHEN [MessageType] = 116 THEN 'TemporaryAccessRequestSent'
WHEN [MessageType] = 117 THEN 'TemporaryAccessRequestApproved'
WHEN [MessageType] = 118 THEN 'TemporaryAccessRequestCancelled'
WHEN [MessageType] = 119 THEN 'TemporaryAccessRequestDenied'
ELSE 'Unknown MessageType, enum ConnectionLogMessage'
END AS [MessageType]
,[ConnectionName]
,[ConnectionTypeName]
,[ConnectionID]
,[StartDateTime]
,[EndDateTime]
,[LoggedUserName]
,[GroupName]
,[StartDateTimeUTC]
,[EndDateTimeUTC]
,[Cost]
,[Comment]
,[Prompt]
,[Data]
,[ManualEndDateTime]
,[UserInfoID]
,[ManualClosedBy]
,[SecurityGroup]
,[SupportClose]
,[OpenMode]
,[CloseMode]
,[HostName]
,[IsEmbedded]
,[ClosePrompt]
,[Status]
,[ActivityDuration]
,[CreationDate]
,[ActiveTime]
,[Application]
,[Version]
,[IsPrivate]
,[PrivateUserID]
,[CustomerID]
,[ConnectionUsername]
,[RepositoryID]
,[CustomField1]
,[CustomField2]
,[CustomField3]
,[CredentialConnectionID]
,[Details]
,[DetailsID]
,[OriginalRepositoryID]
,[PamCredentialID]
,[HasRecording]
,[TicketNumber]
,[MessageData]
,[OriginalCulture]
,CASE
WHEN [MessageSubType] is null THEN ''
WHEN [MessageSubType] = 2501 THEN 'PasswordAnalyzer'
WHEN [MessageSubType] = 2502 THEN 'AdministrationLogs'
WHEN [MessageSubType] = 2503 THEN 'ConnectedUserList'
WHEN [MessageSubType] = 2504 THEN 'ConnectionExpiredEntry'
WHEN [MessageSubType] = 2505 THEN 'DeletedEntries'
WHEN [MessageSubType] = 2506 THEN 'LastUsageLog'
WHEN [MessageSubType] = 2507 THEN 'SharedConnectionLog'
WHEN [MessageSubType] = 2508 THEN 'LoginHistory'
WHEN [MessageSubType] = 2509 THEN 'LoginAttempt'
WHEN [MessageSubType] = 2510 THEN 'ServerLogs'
WHEN [MessageSubType] = 2511 THEN 'OpenedConnections'
WHEN [MessageSubType] = 4301 THEN 'CopiedPasswordToClipboard'
WHEN [MessageSubType] = 4302 THEN 'RequestedForWebEdit'
WHEN [MessageSubType] = 6600 THEN 'DontHaveRight'
WHEN [MessageSubType] = 6601 THEN 'UserIsNotFoundOrIncorrectPassword'
WHEN [MessageSubType] = 6602 THEN 'InvalidAttachmentId'
WHEN [MessageSubType] = 6603 THEN 'CantAccessAnotherUsersRoamingSetting'
WHEN [MessageSubType] = 6604 THEN 'DatabaseUsersAreNotAllowed'
WHEN [MessageSubType] = 6605 THEN 'DomainUsersAreNotAllowed'
WHEN [MessageSubType] = 6606 THEN 'CustomUsersAreNotAllowed'
WHEN [MessageSubType] = 6607 THEN 'LocalMachineUsersAreNotAllowed'
WHEN [MessageSubType] = 6608 THEN 'NotAllowedToSaveUser'
WHEN [MessageSubType] = 6609 THEN 'CannotDeleteEntry'
WHEN [MessageSubType] = 6610 THEN 'InvalidRepositoryId'
WHEN [MessageSubType] = 6611 THEN 'CannotSaveRole'
WHEN [MessageSubType] = 6612 THEN 'NotAllowedToChangePassword'
WHEN [MessageSubType] = 6613 THEN 'NotAllowedToSaveRole'
WHEN [MessageSubType] = 6614 THEN 'IncorrectUserType'
WHEN [MessageSubType] = 6615 THEN 'NotAllowedToManageAttachments'
WHEN [MessageSubType] = 6616 THEN 'NotAllowedToAddInFolder'
WHEN [MessageSubType] = 6617 THEN 'NotAllowedToSaveEntry'
WHEN [MessageSubType] = 6618 THEN 'NotAllowedToDeleteEntry'
WHEN [MessageSubType] = 6619 THEN 'NotAllowedToCheckin'
WHEN [MessageSubType] = 6620 THEN 'NotAllowedToGetTwoFactorInformation'
WHEN [MessageSubType] = 6621 THEN 'NotAllowedToViewAttachment'
WHEN [MessageSubType] = 6622 THEN 'NotTheUsersPrivateVault'
WHEN [MessageSubType] = 6623 THEN 'NotAllowedToDeleteEntryHistory'
WHEN [MessageSubType] = 6624 THEN 'LicenseDoesNotAllowEntryInteraction'
WHEN [MessageSubType] = 6625 THEN 'MustBeAnAdministrator'
WHEN [MessageSubType] = 6626 THEN 'NotAllowedToViewEntry'
WHEN [MessageSubType] = 6627 THEN 'EntryNotFound'
WHEN [MessageSubType] = 6628 THEN 'NoAllowedToViewEntryHistory'
WHEN [MessageSubType] = 6629 THEN 'NotAllowedToCheckoutEntry'
WHEN [MessageSubType] = 6630 THEN 'NotAllowedToGetCheckoutInformation'
WHEN [MessageSubType] = 6631 THEN 'NotAllowedToGetCheckoutsForUser'
WHEN [MessageSubType] = 6632 THEN 'NotAllowedToManageHandbooks'
WHEN [MessageSubType] = 6633 THEN 'NotAllowedToGetHandbookPages'
WHEN [MessageSubType] = 6634 THEN 'NotAllowedToViewLogs'
WHEN [MessageSubType] = 6635 THEN 'NotAllowedToViewPasswordHistory'
WHEN [MessageSubType] = 6636 THEN 'UserSpecificSettingsNotAllowed'
WHEN [MessageSubType] = 6637 THEN 'InvalidConnectionId'
WHEN [MessageSubType] = 6638 THEN 'NotAllowedToViewDeletedEntries'
WHEN [MessageSubType] = 6639 THEN 'NotAllowedToViewTemplates'
WHEN [MessageSubType] = 6640 THEN 'NotAllowedToCopyToClipboard'
WHEN [MessageSubType] = 6641 THEN 'NotAllowedToViewPassword'
WHEN [MessageSubType] = 6642 THEN 'NotAllowedToManageUsers'
WHEN [MessageSubType] = 6643 THEN 'NotAllowedToResetPassword'
WHEN [MessageSubType] = 6644 THEN 'OnlyRecipientCanDeleteAttachement'
WHEN [MessageSubType] = 6645 THEN 'InvalidAccessToken'
WHEN [MessageSubType] = 6646 THEN 'CantReleaseAnotherUsersLock'
WHEN [MessageSubType] = 6647 THEN 'UserDoesNotHaveAccessToVault'
WHEN [MessageSubType] = 6648 THEN 'OnlyRecipientCanSaveSecureAttachment'
WHEN [MessageSubType] = 6649 THEN 'OnlyRecipientCanReadSecureMessage'
WHEN [MessageSubType] = 6650 THEN 'TwoFactorNotConfigured'
ELSE 'Unknown MessageSubType, enum ConnectionLogMessageSubType'
END AS [MessageSubType]
FROM [dbo].[ConnectionLog]
where RepositoryID = '00000000-0000-0000-0000-000000000000'
and (MessageType = 4 OR MessageType = 43)
Please note that this is up to date, well... most likely only this week! These enumerations change over time, and this explains why built-in reports are better than these queries.
Maurice
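A sketch of the approach discussed in this thread (Invoke-Sqlcmd against the ConnectionLog table) for the original question, the passwords viewed the day before. It is an added example, not code from Devolutions or from the posters. The server and database names are placeholders, and treating [CreationDate] as the event timestamp in the SQL Server's local time is an assumption to verify against your own data.

```powershell
# Added example: report yesterday's PasswordViewed events from ConnectionLog.
Import-Module SqlServer                      # provides Invoke-Sqlcmd

$ServerInstance = 'SQLSERVER01'              # placeholder, not from the thread
$Database       = 'RDM'                      # placeholder, not from the thread

# Default vault ID quoted in the thread. Casting to [guid] rejects any value
# that is not a GUID before it is placed in the query text.
$RepositoryId = [guid]'00000000-0000-0000-0000-000000000000'

# 43 = PasswordViewed in the enum posted above; the values can change between
# versions. The date window is computed in T-SQL, so nothing else is interpolated.
# Assumption: [CreationDate] is the event time in server-local time.
$query = @"
SELECT [Username], [MachineName], [ConnectionName], [ConnectionTypeName],
       [CreationDate], [MessageSubType]
FROM   [dbo].[ConnectionLog]
WHERE  [RepositoryID] = '$RepositoryId'
  AND  [MessageType] = 43
  AND  [CreationDate] >= DATEADD(day, -1, CAST(GETDATE() AS date))
  AND  [CreationDate] <  CAST(GETDATE() AS date)
ORDER BY [CreationDate];
"@

# Sub-types for event 43 taken from the query posted above.
$subTypes = @{ 4301 = 'CopiedPasswordToClipboard'; 4302 = 'RequestedForWebEdit' }

# Run with an account that only has SELECT on ConnectionLog.
$rows = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query

$report = foreach ($r in $rows) {
    $sub = if ($r.MessageSubType -is [DBNull]) { '' }
           elseif ($subTypes.ContainsKey([int]$r.MessageSubType)) { $subTypes[[int]$r.MessageSubType] }
           else { "Unknown ($($r.MessageSubType))" }
    [pscustomobject]@{
        When    = $r.CreationDate
        User    = $r.Username
        Machine = $r.MachineName
        Entry   = $r.ConnectionName
        Type    = $r.ConnectionTypeName
        SubType = $sub
    }
}

# Full detail for the audit trail, then a per-user count to spot unusual volume.
$report | Export-Csv -Path .\PasswordViewed-Yesterday.csv -NoTypeInformation
$report | Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count
```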