Topic
  • 4 replies
  • Latest Post - ‏2013-11-07T21:01:40Z by liuhoting
Casino_Ed
2 Posts

Pinned topic Last logged in user

‏2013-06-10T17:41:12Z |

I attempted to create an analysis that shows the current and last user for my workstations and servers. However, it is only reporting the correct info on WinXP and Win2000/2003. On Win7/8 and Win2008 it displays "Results Unknown" for the last user login...

 

if (exists values "DefaultUserName" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of registry) then (if (value "DefaultUserName" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of registry as string != "") then (value "DefaultUserName" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of registry as string) else "Results Unknown") else "No Recent Login"

 

Any help is appreciated.

  • zpt8mjs
    6 Posts
    ACCEPTED ANSWER

    Re: Last logged in user

    ‏2013-06-28T20:58:56Z  

    Greetings,

    This is an analysis that we are using:

    if ((name of operating system = "Win2008R2") or (name of operating system = "Win7") or (name of operating system = "Win2012")) and (exists keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" whose (exists values whose (name of it = "LastLoggedOnUser") of it) of native registry) then value "LastLoggedOnUser" of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of native registry as string else if ((name of operating system = "WinXP") or (name of operating system = "Win2003")) and (exists keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" whose (exists values whose (name of it = "DefaultUserName") of it) of native registry) then value "DefaultUserName" of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" of native registry as string else "NoID"

    See if this helps

    Updated on 2013-06-28T21:03:21Z by zpt8mjs
  • Casino_Ed
    2 Posts

    Re: Last logged in user

    ‏2013-07-01T03:13:00Z  
    • zpt8mjs
    • ‏2013-06-28T20:58:56Z

    Greetings,

    This is an analysis that we are using:

    if ((name of operating system = "Win2008R2") or (name of operating system = "Win7") or (name of operating system = "Win2012")) and (exists keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" whose (exists values whose (name of it = "LastLoggedOnUser") of it) of native registry) then value "LastLoggedOnUser" of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of native registry as string else if ((name of operating system = "WinXP") or (name of operating system = "Win2003")) and (exists keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" whose (exists values whose (name of it = "DefaultUserName") of it) of native registry) then value "DefaultUserName" of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" of native registry as string else "NoID"

    See if this helps

    Many thanks, that worked perfectly.

    It was driving me crazy because I was not looking in the correct place.

    - Ed

  • JasonBigham91
    3 Posts

    Re: Last logged in user

    ‏2013-11-01T16:31:25Z  

    if (name of operating system = "WinVista") or (name of operating system = "Win7") or (name of operating system = "Win8") or (name of operating system = "Win2008") or (name of operating system = "Win2008R2") or (name of operating system = "Win2012") then ((name of parent folder of it, modification time of it) of files "NTUSER.DAT" of folders of folder "c:\users") as string else if (name of operating system = "WinXP") or (name of operating system = "WinXP-2003") or (name of operating system = "Win2003") or (name of operating system = "Win2003R2") then ((name of parent folder of it, modification time of it) of files "NTUSER.DAT" of folders of folder "c:\Documents and Settings") as string else ("No Login Info Found")
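
The two approaches in this thread (the registry values from the accepted answer and the NTUSER.DAT timestamps from the reply above) written as PowerShell for checking a single host by hand. This is an added example, not code from any poster: the function names are hypothetical, it assumes PowerShell 3.0 or later, and it tests for the values directly instead of branching on the OS name.

```powershell
# Added example, not from the thread. Function names are hypothetical.
function Get-LastLoggedOnUser {
    # Registry64 selects the 64-bit view even from a 32-bit process (no Wow6432Node
    # redirection), the same reason the accepted answer uses "native registry".
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    # Same order as the accepted answer: LogonUI first, then Winlogon.
    $sources = @(
        @{ Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
           Name = 'LastLoggedOnUser' },
        @{ Path = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
           Name = 'DefaultUserName' }
    )
    try {
        foreach ($s in $sources) {
            $key = $hklm.OpenSubKey($s.Path)      # read-only; $null when the key is absent
            if ($null -eq $key) { continue }
            try { $value = [string]$key.GetValue($s.Name) } finally { $key.Dispose() }
            if ($value) {                          # skip missing or empty values
                return [pscustomobject]@{ User = $value; Source = "$($s.Path)\$($s.Name)" }
            }
        }
    } finally { $hklm.Dispose() }
    [pscustomobject]@{ User = 'NoID'; Source = $null }
}

function Get-ProfileHiveTime {
    # NTUSER.DAT last-write time per profile folder, newest first.
    param([string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users'))
    Get-ChildItem -LiteralPath $ProfileRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Force is needed because NTUSER.DAT is a hidden file.
            $hive = Get-Item -LiteralPath (Join-Path $_.FullName 'NTUSER.DAT') `
                        -Force -ErrorAction SilentlyContinue
            if ($hive) {
                [pscustomobject]@{ Profile = $_.Name; HiveModified = $hive.LastWriteTime }
            }
        } | Sort-Object HiveModified -Descending
}

Get-LastLoggedOnUser
Get-ProfileHiveTime
```

Both results are indirect indicators: the hive timestamp changes whenever the file is written, not only at logon, so confirm against the Security event log when the answer matters.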

  • liuhoting
    19 Posts

    Re: Last logged in user

    ‏2013-11-07T21:01:40Z  

    This is weird because we have a ton of native inspectors that already look at information about last logon, including last logon of <user>, logon count of user, etc. If there isn't a native way to do this I think there should be an enhancement request.