PaulDotCom mailing list archives
Something like the Last command for Windows
From: irongeek at irongeek.com (Adrian Crenshaw)
Date: Mon, 6 Apr 2009 14:51:43 -0400
Thanks, that first one may be good enough.

On Mon, Apr 6, 2009 at 2:34 PM, <byte.bucket at 4a44.com> wrote:

See if the following does what you are looking for:

wmic netlogin get name,lastlogon

You may also find this handy:

wmic netlogin get name,lastlogon,badpasswordcount

This information as well as other WMIC tips/tricks was featured in Episode 141 - http://www.pauldotcom.com/wiki/index.php/Episode141

-- byte_bucket

Well, this works in Vista:

wmic ntevent where "EventIdentifier = '4624' OR EventIdentifier = '4634' AND Logfile = 'Security'" GET Message,TimeGenerated /format:htable > crap.html

But it has so much extra data it's hard to read though. I'd just like to know about user logons, but this shows system logons as well.

Thanks,
Adrian

On Mon, Apr 6, 2009 at 11:57 AM, Nick Baronian <nbaronian at gmail.com> wrote:

If you don't mind, let me know if it works on Vista. I would like to update my personal notes.

On Mon, Apr 6, 2009 at 10:13 AM, Adrian Crenshaw <irongeek at irongeek.com> wrote:

Thanks, I'll give it a try.

Adrian

On Mon, Apr 6, 2009 at 9:57 AM, Nick Baronian <nbaronian at gmail.com> wrote:

I don't have access to a Vista machine right now and I believe they changed the EventID numbers, but a wmic query should still work.

wmic ntevent where "EventIdentifier = '540' OR EventIdentifier = '528' AND Logfile = 'Security'" GET Message,TimeGenerated /format:htable > users.html

For Vista and 2k8, I think 528 is now 4624 and 540 is now 4636. You might want to double check that.

On Mon, Apr 6, 2009 at 12:11 AM, Adrian Crenshaw <irongeek at irongeek.com> wrote:

I just noticed the Windows Vista event log has changed a lot of stuff about how it logs logon events. The stuff I wrote way back when no longer works. Anyone know a way to get an easy-to-read list of logon/logoffs with the associated user names? Something like the *nix last command.

Thanks,
Adrian

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
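The thread's 4624/4634 query returns system logons along with user logons. One way to narrow the output to user sessions and pair each logon with its logoff, as an added example that is not from the thread: it assumes PowerShell 2.0 or later (Get-WinEvent) on Vista/2008 or newer, run from an elevated prompt, and the helper name ConvertTo-DataMap is made up for illustration.

```powershell
# Added example: a "last"-style listing built from Security events 4624 (logon)
# and 4634 (logoff). Assumes an elevated prompt so the Security log is readable.

# Logon types kept: 2 interactive, 7 unlock, 10 RemoteInteractive (RDP),
# 11 cached interactive. Type 3 (network) and 5 (service) are most of the
# noise and are dropped.
$userTypes = '2', '7', '10', '11'

function ConvertTo-DataMap($record) {
    # Hypothetical helper: turn <EventData><Data Name="..."> into a hashtable.
    $map = @{}
    foreach ($d in ([xml]$record.ToXml()).Event.EventData.Data) {
        $map[$d.GetAttribute('Name')] = $d.InnerText
    }
    $map
}

# Oldest first, so every logoff is seen after the logon it closes.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634 } |
    Sort-Object TimeCreated

$open = @{}   # TargetLogonId -> session object still waiting for its logoff
$sessions = foreach ($e in $events) {
    $d  = ConvertTo-DataMap $e
    $id = $d['TargetLogonId']
    if ($e.Id -eq 4624) {
        if ($userTypes -notcontains $d['LogonType']) { continue }
        if ($d['TargetUserName'] -like '*$') { continue }   # machine accounts
        $s = New-Object PSObject -Property @{
            User      = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LogonType = $d['LogonType']
            Logon     = $e.TimeCreated
            Logoff    = $null
        }
        $open[$id] = $s
        $s   # emit now; Logoff is filled in on the same object later
    }
    elseif ($id -and $open.ContainsKey($id)) {
        $open[$id].Logoff = $e.TimeCreated
        $open.Remove($id)
    }
}

# Newest session first, like last(1); an empty Logoff means still logged on
# or the logoff event has rolled out of the log.
$sessions | Sort-Object Logon -Descending |
    Format-Table User, LogonType, Logon, Logoff -AutoSize
```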