Security Basics mailing list archives

RE: Windows User Logon Times

From: Dave Kleiman <dave () davekleiman com>
Date: Thu, 7 Jan 2010 11:22:47 -0600

If you have logging enabled, use LogParser (free from MS). 

---------------logon.sql---------------

SELECT
TimeGenerated AS TimeGenerated,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,13,'|')) AS SourceAddress,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,0,'|')) AS User,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS WorkStation,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,9,'|')) AS CallerDomain,
INTO SecEvtLogon.csv
FROM security
WHERE
(EventID IN (528; 538; 540))
GROUP BY User,SourceAddress,CallerDomain,WorkStation,TimeGenerated
ORDER BY TimeGenerated ASC

---------------logon.sql---------------

At the prompt 

C:\>logparser file:logon.sql


Respectfully,

Dave Kleiman - http://www.ComputerForensicExaminer.com - http://www.DigitalForensicExpert.com 

4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410
561.310.8801 


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Steven Bonici
Sent: Thursday, January 07, 2010 10:20
To: security-basics () securityfocus com
Subject: Windows User Logon Times


I did some searching, but I cannot seem to find an easy way of getting a
list of a user logon times, not the most recent, but past.  I need to
try and produce some kind of report to get 1 particular user logon
times.  Can someone please help.


Thanks - Steven 

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

Windows User Logon Times Steven Bonici (Jan 07)
- RE: Windows User Logon Times Dave Kleiman (Jan 07)
- Re: Windows User Logon Times Jeffrey Walton (Jan 07)
- Re: Windows User Logon Times Ali Asghar Toraby Parizy (Jan 07)
- Re: Windows User Logon Times securityalert1st (Jan 11)