
Event Log - Logon/Logoff Event WMI script

  • 26-02-2008 4:57am
    #1
    Closed Accounts Posts: 1,567 ✭✭✭


    Not sure if i should post this here or in programming forum..but there isn't really a problem with the script itself, just trying to figure out why it won't work.

    [PHP]strComputer = "."
    ' Connects without the Security privilege; the EDIT below adds it.
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    ' Event 540 entries from the Security log
    Set colLoggedEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
        & "EventCode = '540'")
    For Each objEvent in colLoggedEvents
        strTimeWritten = objEvent.TimeWritten

        ' TimeWritten starts yyyymmddHHMMSS; rebuild it as mm/dd/yyyy hh:mm:ss
        dtmTimeWritten = CDate(Mid(strTimeWritten, 5, 2) & "/" & _
            Mid(strTimeWritten, 7, 2) & "/" & Left(strTimeWritten, 4) _
            & " " & Mid(strTimeWritten, 9, 2) & ":" & _
            Mid(strTimeWritten, 11, 2) & ":" & Mid(strTimeWritten, 13, 2))

        dtmDate = FormatDateTime(dtmTimeWritten, vbShortDate)
        dtmTime = FormatDateTime(dtmTimeWritten, vbLongTime)

        WScript.Echo "Username: " & objEvent.User
        WScript.Echo "Date: " & dtmDate
        WScript.Echo "Time: " & dtmTime
    Next[/PHP]

    all it does is enumerate logon/logoff events and display time/date with username..well, it's supposed to, but doesn't work on my system, even though close to a hundred of these events can be seen in Event Viewer or MMC.

    its running on Windows XP SP2 as administrator, any ideas?

    EDIT: Nevermind, problem solved..had to modify GetObject() with:

    [PHP]Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")[/PHP]


Comments

  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    Looks interesting - thanks for posting


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Average Joe, What do you use the script for? (Just Curious)


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    i am writing a small script to work like the 'last' command on unix.

    so.. it displays the people who logged on / logged off and whoever is currently logged in, the type of login (interactive,remote,network..etc), success/failure - it's been updated a good bit since i posted that snippet, don't have it here at the moment, but will post later if you would like a look at its current state, and the type of output it gives.

    just want it to work for remote computers also - its quite useful for windows administrators.


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Yeah, that could be really helpful!

    Would be great if you could post it, thanks.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    yes very useful
    Another way of doing this is to have the logon script

    echo %computername% %date% %time% >>\\server\share\%username%.txt

    There is an option in group policy to run a logoff script too


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    There is an option in group policy to run a logoff script too

    this would be better on some systems i think because the script here, i've only tested on winxp, and it could give different results on older/newer systems AFAIK

    i didn't finish this script yet, but it's attached if you want a look at it..i'm also only picking up a little vbscript lately, so excuse the style of coding or possibility for errors - i'm not that familiar with it.

    script doesn't work exactly like 'last' command on unix..you also need SeSecurityPrivilege enabled which is only available to administrators usually..

    it doesn't say what session is still active, just if username is logged on, and displays true or false.

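    [PHP]' Fragment from the full script: objSWbemServices and objEvent are set earlier.
    Set colComputer = objSWbemServices.ExecQuery _
        ("Select * from Win32_ComputerSystem")

    ' Default to False so a Null UserName (nobody at the console) is not counted
    ' as a match: StrComp returns Null when either argument is Null.
    LoggedIn = False
    For Each objComputer In colComputer
        If StrComp(objEvent.User, objComputer.UserName, vbTextCompare) = 0 Then
            LoggedIn = True
            Exit For
        End If
    Next[/PHP]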

    there is probably better way to do this using Win32_LogonSession - or maybe another way?

    sample output for local machine:
    DOMAIN\USERNAME    DATE       TIME         TYPE               EVENT   LOGGEDIN
    
    kdevin4            2/27/2008  9:19:12 PM   Unlock             Logoff  True
    kdevin4            2/27/2008  9:19:12 PM   Unlock             Logon   True
    kdevin4            2/27/2008  8:57:59 PM   Network            Logoff  True
    kdevin4            2/27/2008  8:56:22 PM   Network            Logon   True
    kdevin4            2/27/2008  8:55:47 PM   Interactive        Logoff  True
    kdevin4            2/27/2008  8:55:47 PM   Interactive        Logon   True
    kdevin4            2/27/2008  8:55:46 PM   CachedInteractive  Logon   True
    kdevin4            2/26/2008  10:47:59 PM  Network            Logoff  True
    kdevin4            2/26/2008  10:46:12 PM  Network            Logon   True
    kdevin4            2/26/2008  10:45:53 PM  Interactive        Logon   True
    scamp38            2/26/2008  10:41:34 PM  Network            Logoff  False
    scamp38            2/26/2008  10:38:25 PM  Network            Logon   False
    scamp38            2/26/2008  10:37:55 PM  RemoteInteractive  Logon   False
    scamp38            2/26/2008  6:48:46 AM   Network            Logon   False
    

    you can connect to remote machine using some parameters:
    cscript last.vbs REMOTECOMPUTER USERNAME PASSWORD
    

    it is very slow though..this is partly due to the enumeration of user name each time an entry is displayed, which is why it should probably be removed.

    if only machine is specified, you're prompted for username and password
    you can enter domain such as MS\userid and the script will ..recognise this.
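
Following up on the Win32_LogonSession question in the post above, an added example (not code from any poster in this thread): it builds the set of users who own an interactive logon session once, then looks each event's user up in that set instead of re-querying for every entry. It assumes the local machine, event 540 as in the first post, and that Win32_NTLogEvent.User is in DOMAIN\user form; the function and variable names are illustrative.

```vbscript
Option Explicit
' Added example, not the poster's script. Names below are illustrative.
Const COMPUTER = "."   ' assumption: local machine, as in the first post

Dim objWMI, dictActive, objDate, objEvent

Set objWMI = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & COMPUTER & "\root\cimv2")
Set dictActive = GetInteractiveUsers(objWMI)   ' built once, reused per event
Set objDate = CreateObject("WbemScripting.SWbemDateTime")

For Each objEvent In objWMI.ExecQuery( _
        "Select * from Win32_NTLogEvent Where Logfile = 'Security' and EventCode = '540'")
    objDate.Value = objEvent.TimeWritten       ' DMTF string -> local date/time
    WScript.Echo objEvent.User & vbTab & objDate.GetVarDate(True) & vbTab & _
        IsLoggedIn(dictActive, objEvent.User)
Next

' Returns a case-insensitive set of DOMAIN\user names owning an interactive session.
Function GetInteractiveUsers(objService)
    Dim dictTypes, dictUsers, objSession, objLink, arrUser, arrSession
    Set dictTypes = CreateObject("Scripting.Dictionary")
    Set dictUsers = CreateObject("Scripting.Dictionary")
    dictUsers.CompareMode = vbTextCompare
    ' LogonId -> LogonType for every session WMI reports
    For Each objSession In objService.ExecQuery("Select * from Win32_LogonSession")
        dictTypes(CStr(objSession.LogonId)) = objSession.LogonType
    Next
    ' Win32_LoggedOnUser links an account (Antecedent) to a session (Dependent).
    For Each objLink In objService.ExecQuery("Select * from Win32_LoggedOnUser")
        arrUser = Split(objLink.Antecedent, """")     ' ...Domain="D",Name="U"
        arrSession = Split(objLink.Dependent, """")   ' ...LogonId="123"
        If UBound(arrUser) >= 3 And UBound(arrSession) >= 1 Then
            If dictTypes.Exists(arrSession(1)) Then
                Select Case dictTypes(arrSession(1))
                    Case 2, 10, 11   ' Interactive, RemoteInteractive, CachedInteractive
                        dictUsers(arrUser(1) & "\" & arrUser(3)) = True
                End Select
            End If
        End If
    Next
    Set GetInteractiveUsers = dictUsers
End Function

' Null-safe lookup: events without a user are reported as not logged in.
Function IsLoggedIn(dictUsers, varUser)
    IsLoggedIn = False
    If Not IsNull(varUser) Then IsLoggedIn = dictUsers.Exists(varUser)
End Function
```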

