Home page logo

pauldotcom logo PaulDotCom mailing list archives

Something like the Last command for Windows
From: irongeek at irongeek.com (Adrian Crenshaw)
Date: Mon, 6 Apr 2009 13:09:12 -0400

Well, this works in vista:
wmic ntevent where "EventIdentifier = '4624' OR EventIdentifier='4634' AND
Logfile = 'Security'" GET Message,TimeGenerated /format:htable > crap.html

But it has so much extra data it's hard to read though. I'd just like to
know about user logons, but this show system logons as well.


On Mon, Apr 6, 2009 at 11:57 AM, Nick Baronian <nbaronian at gmail.com> wrote:

If you don't mind, let me know if it works on Vista.  I would like to
update my personal notes.

On Mon, Apr 6, 2009 at 10:13 AM, Adrian Crenshaw <irongeek at irongeek.com>wrote:

Thanks,  I'll give it a try.

On Mon, Apr 6, 2009 at 9:57 AM, Nick Baronian <nbaronian at gmail.com>wrote:

I don't have access to a Vista machine right now and I believe they
changed the EventID numbers but a wmic query should still work.

wmic ntevent where "EventIdentifier = '540' OR EventIdentifier ='528' AND
Logfile = 'Security'" GET Message,TimeGenerated /format:htable > users.html

For Vista and 2k8, I think 528 is now be 4624 and 540 is now 4636.  You
might want to double check that.

On Mon, Apr 6, 2009 at 12:11 AM, Adrian Crenshaw <irongeek at irongeek.com>wrote:

I just noticed the Windows Vista event log has changed a lot of stuff
about how it logs logon events. The stuff I wrote way back when no longer
works.  Anyone know a way to get an easy to read list of logon/logoffs with
the associated user names? Something like the *nix last command.


Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090406/988f7b85/attachment.htm 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]