Description:
This script fixes the Event ID 1500 user logon failure if it occurred within a fixed time frame.
Note:
Run as the Local System user.
# PowerShell snippet: list every ProfileList subkey name (PSChildName) with its
# ProfileImagePath so the Python side can pick out names that end in '.bak'.
ps_content = r"""
$path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*'
Get-ItemProperty -Path $path |
Select-Object -Property PSChildName, ProfileImagePath
"""
import collections
import os
import subprocess
def ecmd(command):
    """Run *command* through the shell with WOW64 file-system redirection
    disabled and return what it produced.

    Returns the stripped stdout when the exit code is 0, the stripped stderr
    otherwise, and the bare exit code (an int) when the relevant stream is
    empty -- callers therefore receive either a string or an int.

    The command is handed to the shell as a single string (``shell=True``),
    so it is re-parsed by cmd.exe; only build it from values you control.
    """
    import ctypes
    from subprocess import PIPE, Popen

    class disable_file_system_redirection:
        # kernel32 Wow64DisableWow64FsRedirection / Wow64RevertWow64FsRedirection:
        # redirection is switched off on enter and restored on exit.
        _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
        _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection

        def __enter__(self):
            self.old_value = ctypes.c_long()
            self.success = self._disable(ctypes.byref(self.old_value))

        def __exit__(self, exc_type, exc_value, tb):
            # Only revert when disabling actually succeeded.
            if self.success:
                self._revert(self.old_value)

    with disable_file_system_redirection():
        proc = Popen(command, shell=True, stdout=PIPE, stderr=PIPE)
        stdout_data, stderr_data = proc.communicate()

    rc = proc.returncode
    # Success reports stdout, failure reports stderr; an empty stream yields rc.
    stream = stdout_data if rc == 0 else stderr_data
    return stream.strip() if stream else rc
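# --- Write the PowerShell helper to %TEMP% and run it -------------------------
file_name = 'powershell_file.ps1'
file_path = os.path.join(os.environ['TEMP'], file_name)
with open(file_path, 'wb') as wr:
    wr.write(ps_content)


def _reg(args):
    """Run ``reg.exe`` with *args* (a list, no shell), echo its output and
    return the exit code.

    Passing the arguments as a list means the SID read back from the registry
    is never re-parsed by cmd.exe, which ``os.popen`` on a %-formatted string
    would do.  The original also printed the ``os.popen`` file object instead
    of its contents; here the captured output is printed.
    """
    proc = subprocess.Popen(['reg'] + list(args),
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    out = proc.communicate()[0]
    if out:
        print(out.strip())
    return proc.returncode


PROFILE_LIST = r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
REG_BACKUP_DIR = r'C:\Windows\Temp'

try:
    # -ExecutionPolicy Bypass applies to this one process only.  The previous
    # 'Set-ExecutionPolicy RemoteSigned' call permanently loosened the
    # machine-wide policy as a side effect of running a repair script.
    output_str = ecmd('powershell -NoProfile -ExecutionPolicy Bypass -File "%s"'
                      % file_path)
finally:
    # Remove the helper even if PowerShell failed (the original only removed
    # it on the happy path).
    os.remove(file_path)

# ecmd() returns the bare exit code (an int) when the command printed nothing.
if isinstance(output_str, int):
    tokens = []
else:
    tokens = output_str.split()

# Only ProfileList key names (SIDs) ending in '.bak' are of interest; the
# header tokens and any ProfileImagePath fragments never match both tests, so
# no fixed [4:] slice of the output is needed.
bak_sids = [tok for tok in tokens
            if tok.startswith('S-1-') and tok.endswith('.bak')]

if not bak_sids:
    print("pass")
else:
    for bak_sid in bak_sids:
        sid = bak_sid[:-len('.bak')]
        backup = os.path.join(REG_BACKUP_DIR, sid + '.reg')
        # NOTE(review): this mirrors the original sequence -- drop the .bak
        # key, then export / delete / import the plain SID key.  Confirm it
        # matches the intended remediation before relying on it; the export
        # is the only copy of that key while it is deleted.
        _reg(['delete', PROFILE_LIST + '\\' + bak_sid, '/f'])
        # /y overwrites a stale .reg without prompting (a prompt would hang
        # this non-interactive run).  Never delete the key unless the export
        # actually succeeded.
        if _reg(['export', PROFILE_LIST + '\\' + sid, backup, '/y']) != 0:
            print("export of %s failed; leaving the key untouched" % sid)
            continue
        _reg(['delete', PROFILE_LIST + '\\' + sid, '/f'])
        if _reg(['import', backup]) == 0:
            # The exported key data is no longer needed once it is back in
            # the registry; do not leave it lying in Temp.
            os.remove(backup)
        else:
            print("import of %s failed; key data is preserved in %s"
                  % (sid, backup))
    print("Restart The system to take effect ")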