PaulDotCom mailing list archives

Something like the Last command for Windows
From: irongeek at irongeek.com (Adrian Crenshaw)
Date: Mon, 6 Apr 2009 14:51:43 -0400

Thanks, that first one may be good enough.

On Mon, Apr 6, 2009 at 2:34 PM, <byte.bucket at 4a44.com> wrote:

See if the following does what you are looking for:
   wmic netlogin get name,lastlogon

You may also find this handy:
   wmic netlogin get name,lastlogon,badpasswordcount


This information as well as other WMIC tips/tricks was featured in Episode
141 - http://www.pauldotcom.com/wiki/index.php/Episode141

--
byte_bucket

Well, this works in Vista:
wmic ntevent where "(EventIdentifier = '4624' OR EventIdentifier = '4634') AND Logfile = 'Security'" GET Message,TimeGenerated /format:htable > crap.html

But it has so much extra data it's hard to read though. I'd just like to
know about user logons, but this shows system logons as well.

Thanks,
Adrian

On Mon, Apr 6, 2009 at 11:57 AM, Nick Baronian <nbaronian at gmail.com> wrote:

If you don't mind, let me know if it works on Vista.  I would like to
update my personal notes.


On Mon, Apr 6, 2009 at 10:13 AM, Adrian Crenshaw <irongeek at irongeek.com> wrote:

Thanks,  I'll give it a try.
Adrian


On Mon, Apr 6, 2009 at 9:57 AM, Nick Baronian <nbaronian at gmail.com> wrote:

I don't have access to a Vista machine right now and I believe they
changed the EventID numbers but a wmic query should still work.

wmic ntevent where "(EventIdentifier = '540' OR EventIdentifier = '528') AND Logfile = 'Security'" GET Message,TimeGenerated /format:htable > users.html

For Vista and 2k8, I think 528 is now 4624 and 540 is now 4636. You
might want to double check that.




On Mon, Apr 6, 2009 at 12:11 AM, Adrian Crenshaw <irongeek at irongeek.com> wrote:

I just noticed the Windows Vista event log has changed a lot of stuff
about how it logs logon events. The stuff I wrote way back when no longer
works.  Anyone know a way to get an easy to read list of logon/logoffs with
the associated user names? Something like the *nix last command.

Thanks,
Adrian

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
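
An added example, not part of the original thread: one way to turn the Message and TimeGenerated values that the wmic query returns for events 4624 and 4634 into a `last`-style list of user sessions, leaving out service, network and machine-account logons. It assumes the English Vista/2008 message layout ("Logon Type", "New Logon", "Account Name", "Logon ID"); the function names and the sample records are constructed for illustration.

```python
import re
from datetime import datetime

# Logon types that mean a person at a session: 2 interactive, 7 unlock, 10 RDP, 11 cached.
USER_LOGON_TYPES = {"2", "7", "10", "11"}

def field(message, section, name):
    """First `name:` value found after the `section:` heading, or None."""
    m = re.search(rf"{section}:.*?{name}:\s*(\S+)", message, re.S)
    return m.group(1) if m else None

def cim_time(stamp):
    """Parse the yyyymmddHHMMSS prefix of a WMI TimeGenerated value."""
    return datetime.strptime(stamp[:14], "%Y%m%d%H%M%S")

def sessions(events):
    """Pair 4624/4634 by Logon ID; return [user, logon, logoff-or-None] rows."""
    open_by_id, rows = {}, []
    for event_id, stamp, msg in sorted(events, key=lambda e: cim_time(e[1])):
        if event_id == 4624:
            kind = re.search(r"Logon Type:\s*(\d+)", msg)
            user = field(msg, "New Logon", "Account Name")
            if (not kind or kind.group(1) not in USER_LOGON_TYPES
                    or not user or user.endswith("$")):
                continue  # service/network/batch logons and machine accounts
            row = [user, cim_time(stamp), None]
            open_by_id[field(msg, "New Logon", "Logon ID")] = row
            rows.append(row)
        elif event_id == 4634:
            row = open_by_id.pop(field(msg, "Subject", "Logon ID"), None)
            if row:  # logoffs with no kept logon are ignored
                row[2] = cim_time(stamp)
    return rows

def sample_message(kind, new_logon=None, subject=("WIN-PC$", "0x3e7")):
    """Constructed Message text holding only the fields parsed above."""
    blocks = [("Subject", subject)] + ([("New Logon", new_logon)] if new_logon else [])
    body = "".join(f"{h}:\n\tAccount Name:\t{u}\n\tLogon ID:\t{i}\n\n" for h, (u, i) in blocks)
    return body + f"Logon Type:\t{kind}\n"

SAMPLE = [  # constructed records: (EventIdentifier, TimeGenerated, Message)
    (4624, "20090406085955.000000-240", sample_message(5, ("SYSTEM", "0x3e7"))),
    (4624, "20090406090000.000000-240", sample_message(2, ("adrian", "0x1a2b3c"))),
    (4634, "20090406091501.000000-240", sample_message(3, subject=("adrian", "0x1b0000"))),
    (4634, "20090406173000.000000-240", sample_message(2, subject=("adrian", "0x1a2b3c"))),
    (4624, "20090406180000.000000-240", sample_message(10, ("nick", "0x2f00aa"))),
]

for user, start, end in sessions(SAMPLE):
    print(user, start, "-", end or "still logged in")
```
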