Provided you audit logon/logoff events in the Windows guest, you could run the following script through Invoke-VMScript
$test = [RegEx]"(?smi)Logon Type:\s*(?<type>\d*).*?New Logon:.*?Account Name:\s*(?<user>\w*)"
$events = Get-EventLog -LogName Security -InstanceId 4624
$events | %{
$result = $test.Match($_.Message)
$_ | Select TimeGenerated,
@{N="LogonType";E={$result.Groups["type"].Value}},
@{N="User";E={$result.Groups["user"].Value}} |
Where {$_.LogonType -eq 2}
}
You have to update the Get-EventLog line with a date or the number of events to limit the number of data that is returned