Full Version: Last User Script
RandomUser
I'm new to scripting and I'm running into some headaches with a particular script. (still on the drawing board.)


I would like to capture information about the last user. I know that typing "Net User Username" will tell me when the last user logged on to the machine. I would like to write a logon script to compare this to when the user logs off.

Does windows write this information to the registry?
If it does, then where?

If not, how can I verify the logoff process?

Any help would be greatly appreciated.
Swandog46
I didn't know the answer to this before reading your post, so thank you for teaching me something new.

I ran the "net user" command under Sysinternals' excellent Regmon tool:
http://www.sysinternals.com/utilities/regmon.html

(I also used Filemon but the results weren't edifying at all).

Try it yourself and see if you see something I don't, but it appears to me that the information is being queried (as one might have expected) from the Security Accounts Manager (SAM) portion of the registry at HKLM\SAM\SAM, which is locked by the kernel even from read access for obvious security reasons.

There might be a better way to hack together what you are looking for, if you give me some more information about what you actually want to do. You want to see how long a given user has been logged in for? Or you just want to know when the user last logged in, and out, or what?
RandomUser
I don't understand what you mean by "Locked by the Kernel." To my limited knowledge, the Kernel has FULL CONTROL over the SAM portion of the registry. I gave control to the Administrators Group, and I can read the file fine. Albeit, the file appears to be in binary, which might make it difficult to ascertain specifics such as the Logoff event for a user.

You are familiar with NTFS permissions, are you not?

Furthermore, I just want to read the Logoff event with the User's name. Eventually I would use a loop to determine when the user logged on and how long it was before they logged off. Heck, it may be easier just to write the logoff info and compare it to the NET USER command and do some basic math.

Tell me what you think.
Swandog46
That is interesting, because even if I try to give FULL CONTROL to administrators it won't show much...

Did you mean you tried to read the SAM registry hive directly from the hive file?

If all you are interested in is logon and logoff times, I would recommend writing small scripts --- one to execute at logon and read the current time and write it to a file somewhere, and one to execute at logoff and read the current time, subtract it from the saved logon time, and do whatever you want with the results (probably add it to some list somewhere).
RandomUser
First of all, I read the SAM KEYs using RUNAS from a power users logon. Logged as the local admin, Right clicked on SAM and gave Control to Admin and Power Users and voila... didn't have to touch the file itself, rather the Hive from within the reg.

As far as the Logoff script, I just want to know how to read the User and Time that they are logging off.
Swandog46
There are well-documented functions for reading the current system time. What scripting language are you looking to use? In C (probably not ideal for your purpose), you have:
http://msdn.microsoft.com/library/default....e_functions.asp

If you are using simple batch scripting, %time% will give you the current local time in hours:minutes:seconds.ticks, but without the date.

Getting the currently logged in user is even easier --- the environmental variable %username% contains this information.
RandomUser
I like your idea about using %username%. Simple and easy the way I like it. I'm prolly not gonna use "C."

I think what I may end up doing is simply writing a script with VBscript or something similar, save someplace appropriate, and enter the Full path to the script in Logoff scripts for the specified user or group.
Now there is one other little ditty. I need to write the Output to a notepad "txt" file and save the file someplace in Admin Folders.


Never Done that before. Writing Output to a text file that is. Any Ideas?

PS. What will give me the Date? %date% ?

Shoot, maybe I'm getting in over my head a bit, but I may want to have the file digitally signed as well.
Swandog46
I don't know vbscript, but in batch scripts you can echo out to a text file in just the same way as you would redirect output on the command line. e.g.:

echo This will be saved to the file >> somefile.txt

Yes, %date% will give the date. So if you want to save this to a file, you could do:

echo Date: %date% ^| Time: %time% ^| User: %username% >> log.txt

and this would output all the text to log.txt. Reading from a file in a batch script is not so easy, is the problem... for this I usually use a third-party tool like the Windows port of Unix sed:
http://www.gnu.org/software/sed/sed.html

But I am sure there is an easier solution in vbscript, but unfortunately I cannot help you there....
Swandog46
As an afterthought, I am not sure why I didn't think of this earlier.

You can also read from a text file in a batch using the 'for /f ' construction in Windows 2000/XP, as long as command extensions are enabled.
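
The approach discussed in this thread, put together as an added example that is not part of any poster's reply: one batch file assigned as both the logon and the logoff script, which saves the logon time to a per-user file, then reads it back with `for /f` at logoff and appends one line to a log. The script name, `LOGDIR`, and the file names are assumptions.

```bat
@echo off
rem Added example, not code from the thread.
rem Usage: sessionlog.cmd logon   (run as the logon script)
rem        sessionlog.cmd logoff  (run as the logoff script)
rem LOGDIR and the file names below are assumptions; adjust to your layout.
setlocal enableextensions
set "LOGDIR=C:\Logs\Sessions"
set "STAMP=%LOGDIR%\%USERNAME%.logon"
set "LOG=%LOGDIR%\sessions.log"

if /i "%~1"=="logon" goto :logon
if /i "%~1"=="logoff" goto :logoff
rem The caret escapes the pipe so echo prints it instead of starting a pipeline.
echo Usage: %~nx0 logon ^| logoff
exit /b 1

:logon
rem Overwrite the per-user stamp file with the logon date and time.
rem The redirection is written first so the digits at the end of %TIME%
rem can never be parsed as a file-handle number.
>"%STAMP%" echo %DATE% %TIME%
exit /b 0

:logoff
rem Read the stamp back with for /f. usebackq lets the file name be quoted,
rem and "delims=" keeps the whole line, spaces included.
set "START=unknown"
if exist "%STAMP%" for /f "usebackq delims=" %%L in ("%STAMP%") do set "START=%%L"
>>"%LOG%" echo User: %USERNAME% ^| Logon: %START% ^| Logoff: %DATE% %TIME%
if exist "%STAMP%" del "%STAMP%"
exit /b 0
```

Both scripts run as the user who is logging on or off, so that user needs write access to `LOGDIR` and can therefore also edit the log; treat it as a convenience record rather than a tamper-proof audit trail.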