Announcement

Collapse
No announcement yet.

View all users who was logged into particular computer during last day

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • View all users who was logged into particular computer during last day

    I have Windows 2000 SP4 on a computer networked into a Windows 2003 AD network.
    Is there a way I can determine who was logged into this machine besides me during last 24 hours?
    I have tried Administrative Tools-Computer Management-Event Viewer-Security, and can sort by user,
    But - some of the users it lists make no sense, and the detail it lists when double-clicking on an event is gobbelty-gook to me...
    Sometime I've found useful utility PsLoggedOn, but it show only current logged in user. In additional I found powershell script:

    Code:
     
    $a = read-host "Please input computer name here" 
    
    $data = @() 
    
    $NetLogs = Get-WmiObject Win32_NetworkLoginProfile -ComputerName $a
    foreach ($NetLog in $NetLogs) { 
    if ($NetLog.LastLogon -match "(\d{14})") { 
    $row = "" | Select Name,LogonTime 
    $row.Name = $NetLog.Name 
    $row.LogonTime=[datetime]::ParseExact($matches[0], "yyyyMMddHHmmss", $null) 
    $data += $row 
    } 
    } 
    $data
    This script can retrive login info from remote computer, but still... somehow it show less info that I need...:



    I know that users make logon/logoff to all our computers at least twice in a day...
    Is there a better way to determine successful logins to this machine?
    Thank you in advance,
    Igor
    Attached Files
    Last edited by igor7; 10th May 2011, 21:17.

  • #2
    Re: View all users who was logged into particular computer during last day

    Igor,

    Try EventcombMT. Will let you search through event logs for specific ID's, etc. You may find that useful.

    http://support.microsoft.com/kb/824209

    Comment


    • #3
      Re: View all users who was logged into particular computer during last day

      Originally posted by igor7 View Post
      Is there a way I can determine who was logged into this machine besides me during last 24 hours?
      Maybe this vbscript,
      Code:
      Option explicit
      
      ' List Last logins on a client
      ' By Remco Simons [NL] 2011
      ' http://forums.petri.com/showthread.php?t=55222
      
      ' (Note !,
      '  also a remote WMI session to the computer and other
      '  types of remote logon can be Registered User Logins too! )
      
      Const HKEY_LOCAL_MACHINE = &H80000002
      Dim strComputer, oReg, oWMISvc, regEx, dt
      
      strComputer = "computername"  'for local computer enter "."
      
      Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _ 
          strComputer & "\root\default:StdRegProv")
      Set oWMISvc = GetObject("winmgmts:\root\cimv2")
      Set regEx = New RegExp
      dt = now
      
      call LastLogons(getLocalBIAS)
      
      
      Sub LastLogons(lngBias)
         Dim strKeyPath, arrSubKeys, subkey, strValueName
         Dim sUsr, LastLogon, TimeHigh, TimeLow
      
         On Error Resume Next
         regEx.Pattern = "^S-1-5-21-[0-9]*-[0-9]*-[0-9]*-[0-9]*$"
         regEx.IgnoreCase = TRUE
      
         strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
         oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
      
         For Each subkey In arrSubKeys
           If regEx.Test(subkey)=TRUE Then
             sUsr = resolveSID(subkey)
      
             strValueName = "ProfileLoadTimeHigh"
             oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath _
               & "\" & subkey, strValueName,TimeHigh
      
             strValueName = "ProfileLoadTimeLow"
             oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath _
               & "\" & subkey, strValueName,TimeLow
      
             LastLogon = getDT(TimeHigh, TimeLow, lngBias)
      
             If sUsr = Empty Then
               strValueName = "ProfileImagePath"
               oReg.GetExpandedStringValue HKEY_LOCAL_MACHINE, strKeyPath _
                 & "\" & subkey, strValueName,sUsr
             End If
      
             ' last 24 hours only,
         rem    If DateDiff("n",LastLogon, dt)/60 =< 24 Then
      
             ' one particular user only,
         rem    If InStr(1,sUsr,"Igor",1) Then
      
               MsgBox sUsr & vbNewline _
                 & "LastLogon: " & LastLogon, _
                 ,"Computer: " & strComputer
      
         rem    End If
         rem    End If
      
           End If
         Next
      End Sub
      
      Function getLocalBIAS
         ' Obtain local Time Zone bias from machine registry.
         ' (= the time-zone + daylight saving offset)
         ' This bias changes with Daylight Savings Time.
         Dim strKeyPath, strValueName, lngBiasKey
      
         strKeyPath = "System\CurrentControlSet\Control\TimeZoneInformation"
         strValueName = "ActiveTimeBias"
         oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,lngBiasKey
         If (UCase(TypeName(lngBiasKey)) = "LONG") Then
           getLocalBIAS = lngBiasKey
         ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
           getLocalBIAS = -0
           For k = 0 To UBound(lngBiasKey)
             getLocalBIAS = getLocalBIAS + (lngBiasKey(k) * 256^k)
           Next
         End If
      End Function
      
      Function getDT(H, L, Bias)
         ' http://forums.petri.com/showpost.php?p=182526&postcount=2
         On Error Resume Next
      
         Dim HexVal, Highpart, Lowpart, lngDate
      
         'HexVal = H
         'HexVal = Replace(HexVal, "0x", "")
         'HexVal = Replace(HexVal, "&H", "")
         'Highpart = CLng("&H" & HexVal)
         Highpart = H ' 
      
         'HexVal = L
         'HexVal = Replace(HexVal, "0x", "")
         'HexVal = Replace(HexVal, "&H", "")
         'Lowpart = CLng("&H" & HexVal)
         Lowpart = L
      
         '# unite the HighPart and LowPart
         lngDate = Highpart * 2^32 + L
      
         '# convert the number of 100-Nanosecond intervals to days
         lngDate = ((lngDate*1E-7/60) -Bias)/1440  'days
      
         '# Add the number of days to the "zero" date
         getDT = CDate( #1/1/1601# + lngDate )
      End Function
      
      Function resolveSID(sid)
         Dim strUser, strDomain
         On Error Resume Next
         With oWMISvc
      		 With .Get("Win32_SID.SID='" & sid & "'")
      		   strUser = .AccountName
      		   strDomain = .ReferencedDomainName
      		 End With
      	 End With
         If len(strUser) = 0 Then
           resolveSID = Empty
         Else
           resolveSID = strDomain & "\" & strUser
         End If
      End function
      /Rems

      This posting is provided "AS IS" with no warranties, and confers no rights.

      __________________

      ** Remember to give credit where credit's due **
      and leave Reputation Points for meaningful posts

      Comment


      • #4
        Re: View all users who was logged into particular computer during last day

        falbanese,
        Thank for help.
        I'll check your solution.

        Rems,
        As always... this is it!!! Working good for remote mashine as well as for local.
        Little question... It is posiible to save otput into txt file in same directory where this script running?
        Last edited by igor7; 12th May 2011, 11:31.

        Comment


        • #5
          Re: View all users who was logged into particular computer during last day

          Originally posted by igor7 View Post
          falbanese,
          Thank for help.
          I'll check your solution.

          Rems,
          As always... this is it!!! Working good for remote mashine as as for local.
          Little question... It is posiible to save otput into txt file in same directory where this script running?

          scriptname.vbs > out.txt
          should do that
          Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

          Comment


          • #6
            Re: View all users who was logged into particular computer during last day

            NICE! That's definitely going into my arsenal!!!

            Originally posted by Rems View Post
            Maybe this vbscript,
            Code:
            Option explicit
            
            ' List Last logins on a client
            ' By Remco Simons [NL] 2011
            ' http://forums.petri.com/showthread.php?t=55222
            
            ' (Note !,
            '  also a remote WMI session to the computer and other
            '  types of remote logon can be Registered User Logins too! )
            
            Const HKEY_LOCAL_MACHINE = &H80000002
            Dim strComputer, oReg, oWMISvc, regEx, dt
            
            strComputer = "computername"  'for local computer enter "."
            
            Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _ 
                strComputer & "\root\default:StdRegProv")
            Set oWMISvc = GetObject("winmgmts:\root\cimv2")
            Set regEx = New RegExp
            dt = now
            
            call LastLogons(getLocalBIAS)
            
            
            Sub LastLogons(lngBias)
               Dim strKeyPath, arrSubKeys, subkey, strValueName
               Dim sUsr, LastLogon, TimeHigh, TimeLow
            
               On Error Resume Next
               regEx.Pattern = "^S-1-5-21-[0-9]*-[0-9]*-[0-9]*-[0-9]*$"
               regEx.IgnoreCase = TRUE
            
               strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
               oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
            
               For Each subkey In arrSubKeys
                 If regEx.Test(subkey)=TRUE Then
                   sUsr = resolveSID(subkey)
            
                   strValueName = "ProfileLoadTimeHigh"
                   oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath _
                     & "\" & subkey, strValueName,TimeHigh
            
                   strValueName = "ProfileLoadTimeLow"
                   oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath _
                     & "\" & subkey, strValueName,TimeLow
            
                   LastLogon = getDT(TimeHigh, TimeLow, lngBias)
            
                   If sUsr = Empty Then
                     strValueName = "ProfileImagePath"
                     oReg.GetExpandedStringValue HKEY_LOCAL_MACHINE, strKeyPath _
                       & "\" & subkey, strValueName,sUsr
                   End If
            
                   ' last 24 hours only,
               rem    If DateDiff("n",LastLogon, dt)/60 =< 24 Then
            
                   ' one particular user only,
               rem    If InStr(1,sUsr,"Igor",1) Then
            
                     MsgBox sUsr & vbNewline _
                       & "LastLogon: " & LastLogon, _
                       ,"Computer: " & strComputer
            
               rem    End If
               rem    End If
            
                 End If
               Next
            End Sub
            
            Function getLocalBIAS
               ' Obtain local Time Zone bias from machine registry.
               ' (= the time-zone + daylight saving offset)
               ' This bias changes with Daylight Savings Time.
               Dim strKeyPath, strValueName, lngBiasKey
            
               strKeyPath = "System\CurrentControlSet\Control\TimeZoneInformation"
               strValueName = "ActiveTimeBias"
               oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,lngBiasKey
               If (UCase(TypeName(lngBiasKey)) = "LONG") Then
                 getLocalBIAS = lngBiasKey
               ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
                 getLocalBIAS = -0
                 For k = 0 To UBound(lngBiasKey)
                   getLocalBIAS = getLocalBIAS + (lngBiasKey(k) * 256^k)
                 Next
               End If
            End Function
            
            Function getDT(H, L, Bias)
               ' http://forums.petri.com/showpost.php?p=182526&postcount=2
               On Error Resume Next
            
               Dim HexVal, Highpart, Lowpart, lngDate
            
               'HexVal = H
               'HexVal = Replace(HexVal, "0x", "")
               'HexVal = Replace(HexVal, "&H", "")
               'Highpart = CLng("&H" & HexVal)
               Highpart = H ' 
            
               'HexVal = L
               'HexVal = Replace(HexVal, "0x", "")
               'HexVal = Replace(HexVal, "&H", "")
               'Lowpart = CLng("&H" & HexVal)
               Lowpart = L
            
               '# unite the HighPart and LowPart
               lngDate = Highpart * 2^32 + L
            
               '# convert the number of 100-Nanosecond intervals to days
               lngDate = ((lngDate*1E-7/60) -Bias)/1440  'days
            
               '# Add the number of days to the "zero" date
               getDT = CDate( #1/1/1601# + lngDate )
            End Function
            
            Function resolveSID(sid)
               Dim strUser, strDomain
               On Error Resume Next
               With oWMISvc
                     With .Get("Win32_SID.SID='" & sid & "'")
                       strUser = .AccountName
                       strDomain = .ReferencedDomainName
                     End With
                 End With
               If len(strUser) = 0 Then
                 resolveSID = Empty
               Else
                 resolveSID = strDomain & "\" & strUser
               End If
            End function
            /Rems

            Comment


            • #7
              Re: View all users who was logged into particular computer during last day

              Originally posted by igor7 View Post
              It is posiible to save otput into txt file in same directory where this script running?
              Tehcamel's solution to run the script like:
              cmd /c cscript.exe /nologo "scriptname.vbs" >>output.txt
              Will work fine, but only if you convert the MsgBox statement in the script to wscript.echo statements first.

              Here's an alternative solution,
              Code:
              Option explicit
              
              ' List Last logins on a client
              ' By Remco Simons [NL] 2011
              ' http://forums.petri.com/showthread.php?t=55222
              
              ' (Note !,
              '  also a remote WMI session to the computer and other
              '  types of remote logon can be Registered User Logins too! )
              
              Const HKEY_LOCAL_MACHINE = &H80000002
              Const ForAppending = 8
              Dim strComputer, oReg, oWMISvc, regEx, dt
              Dim fso, objTextFile, strFile, strPath
              
              strComputer = "computername"  'for local computer enter "."
              
              strFile = "List Logons over the last 24 hours.txt"
              
              Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _ 
                  strComputer & "\root\default:StdRegProv")
              Set oWMISvc = GetObject("winmgmts:\root\cimv2")
              Set regEx = New RegExp
              dt = now
              Set fso = CreateObject("Scripting.FileSystemObject")
              strPath = fso.GetParentFolderName( Wscript.ScriptFullName )
              Set objTextFile = fso.OpenTextFile _
                 (strPath & "\" & strFile, ForAppending, True)
              
              objTextFile.WriteLine
              objTextFile.Write dt & " * "
              objTextFile.WriteLine "Target computer: " & strComputer
              
              
              call LastLogons(getLocalBIAS)
              
              objTextFile.WriteLine
              objTextFile.WriteLine "-------"
              objTextFile.Close '!
              
              
              Sub LastLogons(lngBias)
                 Dim strKeyPath, arrSubKeys, subkey, strValueName
                 Dim sUsr, LastLogon, TimeHigh, TimeLow
              
                 On Error Resume Next
                 regEx.Pattern = "^S-1-5-21-[0-9]*-[0-9]*-[0-9]*-[0-9]*$"
                 regEx.IgnoreCase = TRUE
              
                 strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
                 oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
              
                 For Each subkey In arrSubKeys
                   If regEx.Test(subkey)=TRUE Then
                     sUsr = resolveSID(subkey)
              
                     strValueName = "ProfileLoadTimeHigh"
                     oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath _
                       & "\" & subkey, strValueName,TimeHigh
              
                     strValueName = "ProfileLoadTimeLow"
                     oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath _
                       & "\" & subkey, strValueName,TimeLow
              
                     LastLogon = getDT(TimeHigh, TimeLow, lngBias)
              
                     If sUsr = Empty Then
                       strValueName = "ProfileImagePath"
                       oReg.GetExpandedStringValue HKEY_LOCAL_MACHINE, strKeyPath _
                         & "\" & subkey, strValueName,sUsr
                     End If
              
                     ' last 24 hours only,
                     If DateDiff("n",LastLogon, dt)/60 =< 24 Then
              
                     ' one particular user only,
                 rem    If InStr(1,sUsr,"Igor",1) > 0 Then
              
                 rem      MsgBox sUsr & vbNewline _
                 rem        & "LastLogon: " & LastLogon, _
                 rem        ,"Computer: " & strComputer
              
                       objTextFile.WriteLine
                       objTextFile.WriteLine(sUsr & vbNewline _
                           & "LastLogon: " & LastLogon)
              
                 rem    End If
                     End If
              
                   End If
                 Next
              End Sub
              
              Function getLocalBIAS
                 ' Obtain local Time Zone bias from machine registry.
                 ' (= the time-zone + daylight saving offset)
                 ' This bias changes with Daylight Savings Time.
                 Dim strKeyPath, strValueName, lngBiasKey
              
                 strKeyPath = "System\CurrentControlSet\Control\TimeZoneInformation"
                 strValueName = "ActiveTimeBias"
                 oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,lngBiasKey
                 If (UCase(TypeName(lngBiasKey)) = "LONG") Then
                   getLocalBIAS = lngBiasKey
                 ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
                   getLocalBIAS = -0
                   For k = 0 To UBound(lngBiasKey)
                     getLocalBIAS = getLocalBIAS + (lngBiasKey(k) * 256^k)
                   Next
                 End If
              End Function
              
              Function getDT(H, L, Bias)
                 ' http://forums.petri.com/showpost.php?p=182526&postcount=2
                 On Error Resume Next
              
                 Dim HexVal, Highpart, Lowpart, lngDate
              
                 Highpart = H
                 'HexVal = H
                 'HexVal = Replace(HexVal, "0x", "")
                 'HexVal = Replace(HexVal, "&H", "")
                 'Highpart = CLng("&H" & HexVal)
               
                 Lowpart = L
                 'HexVal = L
                 'HexVal = Replace(HexVal, "0x", "")
                 'HexVal = Replace(HexVal, "&H", "")
                 'Lowpart = CLng("&H" & HexVal)
              
                 '# unite the HighPart and LowPart
                 lngDate = Highpart * 2^32 + L
              
                 '# convert the number of 100-Nanosecond intervals to days
                 lngDate = ((lngDate*1E-7/60) -BIAS)/1440  'days
              
                 '# Add the number of days to the "zero" date
                 getDT = CDate( #1/1/1601# + lngDate )
              End Function
              
              Function resolveSID(sid)
                 Dim strUser, strDomain
                 On Error Resume Next
                 With oWMISvc
                   With .Get("Win32_SID.SID='" & sid & "'")
                     strUser = .AccountName
                     strDomain = .ReferencedDomainName
                   End With
                 End With
                 If len(strUser) = 0 Then
                   resolveSID = Empty
                 Else
                   resolveSID = strDomain & "\" & strUser
                 End If
              End function
              You can schedule this script to run every 24 hours.

              /Rems
              Last edited by Rems; 12th May 2011, 13:51.

              This posting is provided "AS IS" with no warranties, and confers no rights.

              __________________

              ** Remember to give credit where credit's due **
              and leave Reputation Points for meaningful posts

              Comment


              • #8
                Re: View all users who was logged into particular computer during last day

                hah.. whoops
                Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

                Comment


                • #9
                  Re: View all users who was logged into particular computer during last day

                  easiest way I know of, check in c:\users or docs and settings. For the changed date on users profiles..
                  Please give points where appropriate

                  <I dont create ready scripts for you, but I'm willing to point you in the right direction>

                  Comment


                  • #10
                    Re: View all users who was logged into particular computer during last day

                    Originally posted by Rems View Post
                    Tehcamel's solution to run the script like:
                    cmd /c cscript.exe /nologo "scriptname.vbs" >>output.txt
                    Will work fine, but only if you convert the MsgBox statement in the script to wscript.echo statements first.

                    Here's an alternative solution...

                    /Rems
                    Rems,
                    No word... awesome! But in last script you missed "rem" before
                    Code:
                     
                    If DateDiff("n",LastLogon, dt)/60 =< 24 Then
                    and onother one "rem" before second End if

                    Otherwice outpoot has only one line:

                    Code:
                     
                    5/12/2011 4:24:35 PM * Target computer: Kiev
                     
                    -------
                    Or probably it's simple no one was logged on during last 24 hours...
                    Last edited by igor7; 12th May 2011, 18:37.

                    Comment


                    • #11
                      Re: View all users who was logged into particular computer during last day

                      Originally posted by igor7 View Post
                      Or probably it's simple no one was logged on during last 24 hours...
                      That is what I think. I had removed REM leading these lines so the script only show users logged on the last 24 hours, like you asked the script should do.

                      There is however also an other reason to check only for the last 24 hours!
                      The script is using the value of 'ActiveTimeBias' from the registry on the target computer. It is read only once.
                      It is using the value to calculate the "exact" logon time, however the TimeBias that should be used for every separate registered logon depends whether or not DST was active during that date and time.

                      So the login times of previous days may not always be exact when DST is used for the time zone on the target computer.


                      'Bias' is the number of minutes that a time zone is offset from coordinated universal time (UTC). So if the time zone is GMT +1 the BIAS is -60.

                      'DaylightBias' is the number of minutes that will be added to the BIAS during DST.

                      'ActiveTimeBias' is the sum of BIAS and DaylightBias currently on that computer.


                      This problem can be corrected! by using the values of the two TZ entries 'DaylightStart' and 'StandardStart' from the registry.
                      • Read the two TZ entries on the target computer. These are BinaryValues that you can read in to an array.
                        The values to use are Month=array(2), dayofWeek=array(4), weekDay=array(14), Hour=array(6), Minute=array(8), Second=array(10)

                        'dayofWeek' - can be 1 to 5, where 5 indicates the final occurrence during the month if that day of the week does not occur 5 times
                        'weekDay' - can be 0 (sunday) to 6 (Saturday)

                      • Get the year of the user logon.
                      • For every logon - Determine the date and time the DST started in the year the user logged in. Compare dates to find out DST was active at that time.

                      If the user logged on during DST -AND 'DisableAutoDaylightTimeSet' is not set THEN- use the value of 'BIAS' added by the value of 'DaylightBias' to get the exact logon time.
                      If the user logged on not during DST then just use the value of 'BIAS' to get the exact logon date and time.


                      If I find the time to write the updated script it will be posted it here.


                      /Rems

                      This posting is provided "AS IS" with no warranties, and confers no rights.

                      __________________

                      ** Remember to give credit where credit's due **
                      and leave Reputation Points for meaningful posts

                      Comment


                      • #12
                        Re: View all users who was logged into particular computer during last day

                        There is however also an other reason to check only for the last 24 hours!
                        Rems, thank you for explanation. In Israel we have DST changes twice at year, so all you said above is very important.
                        I wrote some article about DST changes (it use some scripts to make DST changes on client computers) and I think I'll post this article in Petri forum also,
                        but it different story... Anyway thank you very mach for help, it’s much appreciated.

                        Comment


                        • #13
                          I know this is OLD but i'm trying to make this script work. I'm using the last one Rems posted that pipes the output to a file. However all I get is a list of users who have logged in but the date and times read 1/1/1601 at 7 AM for every user. I'm not sure how to fix this, any ideas? I read Rems last post about DST related stuff but I don't understand it. I've done some searching online as well but no luck... I don't know what to look for I guess.

                          Comment


                          • #14
                            No one has any ideas here?

                            Comment


                            • #15
                              Which script and what errors are you getting??

                              Comment

                              Working...
                              X