Announcement

Collapse
No announcement yet.

user logged in within 24 hours

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • user logged in within 24 hours

    Hello everyone!

    This script is to show User that Logged in to a machine/ server within 24 Hours or more


    This VBscript was first written by Remco Simmon. It does work for me and I don't know why it
    is not sending the output to a text file.

    I used------ cmd /c cscript.exe /nologo "userlogged.vbs" >>output.txt

    to call the path in CMD prompt per Techamel.

    Before I ran the codes I tried to use Wscript.Echo it didn't work for maybe I used it wrongly. Some of my problems was
    that I always get the same time for all the users on that local computer. It is almost like it is a made up time just to show something:
    It has no relationship with the date enumerated.

    The second was that I am not able to use this code on remote computers. To this end I ask, "What code needs to be written to
    make it work remotely?"I have attached the snap shots of my solution. I don't know how to fix this timing
    issue any help will be highly appreciated.

    ****Another thing I will like to do will be to change MsgBox to Wscript.Echo so that I can easily get an out put in a .txt file.********

    Thanks.

    Code:
    ' https://www.petri.com/forums/node/56086
    
    Option explicit
    
    ' List Last logins on a client
    ' By Remco Simons [NL] 2011
    ' (Note !,
    '  also a remote WMI session to the computer and other
    '  types of remote logon can be Registered User Logins too! )
    
    Const HKEY_LOCAL_MACHINE = &H80000002
    Dim strComputer, oReg, oWMISvc, regEx, dt
    Dim strFile, arrComputers 
    
    strComputer = "."  'for local computer enter ".
    
    strFile = "List Logons over the last 24 hours.txt"
    Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _ 
        strComputer & "\root\default:StdRegProv")
    Set oWMISvc = GetObject("winmgmts:\root\cimv2")
    Set regEx = New RegExp
    dt = now
    
    call LastLogons(getLocalBIAS)
    Sub LastLogons(lngBias)
       Dim strKeyPath, arrSubKeys, subkey, strValueName
       Dim sUsr, LastLogon, TimeHigh, TimeLow
    
       On Error Resume Next
       regEx.Pattern = "^S-1-5-21-[0-9]*-[0-9]*-[0-9]*-[0-9]*$"
       regEx.IgnoreCase = TRUE
    
       strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
       oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
    
       For Each subkey In arrSubKeys
         If regEx.Test(subkey)=TRUE Then
           sUsr = resolveSID(subkey)
    
           strValueName = "ProfileLoadTimeHigh"
           oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath _
             & "\" & subkey, strValueName,TimeHigh
    
           strValueName = "ProfileLoadTimeLow"
           oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath _
             & "\" & subkey, strValueName,TimeLow
    
           LastLogon = getDT(TimeHigh, TimeLow, lngBias)
    
           If sUsr = Empty Then
             strValueName = "ProfileImagePath"
             oReg.GetExpandedStringValue HKEY_LOCAL_MACHINE, strKeyPath _
               & "\" & subkey, strValueName,sUsr
           End If
    
           ' last 24 hours only,
       rem    If DateDiff("n",LastLogon, dt)/60 =< 24 Then
    
           ' one particular user only,
       rem    If InStr(1,sUsr,"m112559",1) Then
          MsgBox sUsr & vbNewline _               
             & "LastLogon: " & LastLogon, _
             ,"Computer: " & strComputer
    
             'Wscript.Echo "LastLogon:" & LastLogon_
              ',"Computer: " & strComputer 
    
       rem    End If
       rem    End If
    
         End If
       Next
    End Sub
    
    Function getLocalBIAS
       ' Obtain local Time Zone bias from machine registry.
       ' (= the time-zone + daylight saving offset)
       ' This bias changes with Daylight Savings Time.
       Dim strKeyPath, strValueName, lngBiasKey
    
       strKeyPath = "System\CurrentControlSet\Control\TimeZoneInformation"
       strValueName = "ActiveTimeBias"
       oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,lngBiasKey
       If (UCase(TypeName(lngBiasKey)) = "LONG") Then
         getLocalBIAS = lngBiasKey
       ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
         getLocalBIAS = -0
         For k = 0 To UBound(lngBiasKey)
           getLocalBIAS = getLocalBIAS + (lngBiasKey(k) * 256^k)
         Next
       End If
    End Function
    
    Function getDT(H, L, Bias)
       On Error Resume Next
       Dim HexVal, Highpart, Lowpart, lngDate
    
       'HexVal = H
       'HexVal = Replace(HexVal, "0x", "")
       'HexVal = Replace(HexVal, "&H", "")
       'Highpart = CLng("&H" & HexVal)
       Highpart = H ' 
    
       'HexVal = L
       'HexVal = Replace(HexVal, "0x", "")
       'HexVal = Replace(HexVal, "&H", "")
       'Lowpart = CLng("&H" & HexVal)
       Lowpart = L
    
       '# unite the HighPart and LowPart
       lngDate = Highpart * 2^32 + L
    
       '# convert the number of 100-Nanosecond intervals to days
       lngDate = ((lngDate*1E-7/60) -Bias)/1440  'days
    
       '# Add the number of days to the "zero" date
       getDT = CDate( #11/15/2012# + lngDate )
    End Function
    
    Function resolveSID(sid)
       Dim strUser, strDomain
       On Error Resume Next
       With oWMISvc
             With .Get("Win32_SID.SID='" & sid & "'")
               strUser = .AccountName
               strDomain = .ReferencedDomainName
             End With
         End With
       If len(strUser) = 0 Then
         resolveSID = Empty
       Else
         resolveSID = strDomain & "\" & strUser
       End If
    End function
    Last edited by Rems; 21st December 2012, 23:55.

  • #2
    Re: user logged in within 24 hours

    Moved from Powershell forum
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: user logged in within 24 hours

      Rem if you are there make a contribution after all it is your code. Is not working for the time sake. Thanks.

      Comment


      • #4
        Re: user logged in within 24 hours

        PLEASE remember that members of this forum give up their free time to post solution -- you have no right to DEMAND a solution in less than 24 hours. If you need that level of ssupport, PAY a consultant to do the job
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: user logged in within 24 hours

          I think you are right my appologies.

          Comment


          • #6
            If anything want something nice that does the same thing.

            $a = read-host "."

            $data = @()

            $NetLogs = Get-WmiObject Win32_NetworkLoginProfile -ComputerName $a
            foreach ($NetLog in $NetLogs) {
            if ($NetLog.LastLogon -match "(\d{14})") {
            $row = "" | Select Name,LogonTime
            $row.Name = $NetLog.Name
            $row.LogonTime=[datetime]::ParseExact($matches[0], "yyyyMMddHHmmss", $null)
            $data += $row
            }
            }
            $data

            Comment


            • #7
              Re: user logged in within 24 hours

              Nice and clean powershell jumezurike. Thanks.
              I may recommend changing the first line to something like
              $a = read-host "Input hostname"
              though just to make it easier to understand what is happening.
              cheers
              Andy

              Please read this before you post:


              Quis custodiet ipsos custodes?

              Comment


              • #8
                Re: user logged in within 24 hours

                Originally posted by AndyJG247 View Post
                Nice and clean powershell jumezurike. Thanks.
                I may recommend changing the first line to something like
                $a = read-host "Input hostname"
                though just to make it easier to understand what is happening.

                Thanks a lot for your recognition. Well if now none wants to help. You will have no choice but to help others. Of course by first helping yourself.

                Comment

                Working...
                X