Windows Server 2000/2003 Thread, How to find out which user last logged onto a PC (PC has gone missing) in Technical
  1. #1
    bodminman's Avatar

    How to find out which user last logged onto a PC (PC has gone missing)

    Hi there,

    We have had a PC go missing from a room and I'd like to find out who was the last user to log on to it.

    How can I do this using the server event viewer (or anything else)? I have the IP/PC name, but going through the event logs will take hours. Is there a tool I could use or a slicker method for detecting activity between the server and this particular PC?

    Thanks

  2. #2
    Patrickv's Avatar
    If it was the PC itself then we could use this cool program that must be executed from the command prompt. I keep forgetting the name of that one. However, you are stuck with Event Viewer unless you installed logging software on your network. I have done this sort of thing before and it can work on a very small scale and when all computers are off. Maybe restricting the time-frame will help narrow it down, and what type of event ID you are looking for. Might I suggest you bolt down the PCs to the desk. I have helped someone in the past with that. That's the way to stop future thefts.

  3. #3

    tech_guy's Avatar
    Unless you use something like Policy Central, etc., as Patrickv has said, you're stuffed if you can't find anything in the event logs (printing by the user, etc.). We usually track down the culprits by dragging all the suspects in until one of them either confesses or dobs on the one that was guilty.

  4. #4


    Unless you're already managing your event logs (with something like Splunk, OSSEC, etc.), I'm afraid you're stuck with EventCombMT.exe (google), which is better than manually filtering event logs.

    EventCombMT.exe - A Good Tool To Collect Event Logs - Nuo Yan (still works on 2008R2, just be aware of new security events)

    Take note of: Description of security events in Windows Vista and in Windows Server 2008

  5. #5
    rad
    How do you know the person last logged on was the person that nicked it?

  6. #6

    This any good?

    Code:
    ' Registry hive constant expected by the WMI StdRegProv provider
    Const HKEY_LOCAL_MACHINE = &H80000002

    ' "." means the local computer
    strComputer = "."

    Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

    ' DefaultUserName under Winlogon holds the name of the last user to log on
    strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon"
    strValueName = "DefaultUserName"

    objRegistry.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue

    Wscript.Echo strValue
    Source: Hey, Scripting Guy! How Can I Get the Name of the Last User to Log on to a Computer? - Hey, Scripting Guy! Blog - Site Home - TechNet Blogs

  7. #7
    bodminman's Avatar
    Quote Originally Posted by rad View Post
    How do you know the person last logged on was the person that nicked it?
    Fact finding!

    We don't, but at least we'll know when it was last used so that we can be more accurate with the timeframe in which it was taken. Also, we can then see who was teaching in the room at that point, as they are responsible for opening/locking it up.

    People who are using the room are also responsible for making sure everything is in order before they leave.

  8. #8

    I find this dulo.bat useful as well for currently logged on users... you just need PSTools installed on your workstation and you can pipe the bat > to a log file

    Code:
    @echo off
    setlocal
    rem For each computer listed by net view, ask PsLoggedOn for locally logged-on domain users
    for /f "Tokens=1" %%c in ('net view /domain:"%USERDOMAIN%"^|Findstr /L /C:"\\"') do (
     for /f "Tokens=*" %%u in ('PsLoggedOn -L %%c^|find /i "%USERDOMAIN%\"') do (
      call :report %%c "%%u"
     )
    )
    endlocal
    goto :EOF
    :report
    rem Strip the leading backslashes from the computer name and the domain prefix from the user
    set work=%1
    set comp=%work:~2%
    set user=%2
    set user=%user:"=%
    call set user=%%user:*%USERDOMAIN%\=%%
    @echo %comp% %user%
    Source: http://www.windowsitpro.com/article/...ain-computers-

  9. #9

    Sorry bodminman I did not read your question properly - you don't have the client to run the command on. Doh

  10. #10
    bodminman's Avatar
    Quote Originally Posted by purkle_turkle View Post
    Sorry bodminman I did not read your question properly - you don't have the client to run the command on. Doh
    LOL - No probs! Although I did think you may have been taking the pi$$ for a second there.

  11. Thanks to bodminman from:

    mac_shinobi (3rd February 2012)

  12. #11

    mac_shinobi's Avatar
    On your server through the security event viewer section

    Tracking Logon and Logoff Activity in Windows 2000

    Event ID 528 ??
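
The event-log filtering discussed in this thread, as an added example that is not part of any post: it keeps only logon events whose workstation name or source address matches the missing PC and returns the newest user entry and the newest machine-account entry. The line framing, account names and addresses are constructed, and including event 540 (network logon) alongside the 528 mentioned above is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: one event per line as "timestamp|event ID|description".
# The description wording follows Windows Server 2003 logon events; the line
# framing, account names and addresses are made up for this example.
SAMPLE = """\
2012-02-02 08:31:10|540|Successful Network Logon: User Name: ROOM12-PC07$ Domain: SCHOOL Logon Type: 3 Workstation Name: Source Network Address: 10.1.12.57
2012-02-02 15:41:07|540|Successful Network Logon: User Name: jsmith Domain: SCHOOL Logon Type: 3 Workstation Name: ROOM12-PC07 Source Network Address: 10.1.12.57
2012-02-02 14:02:55|540|Successful Network Logon: User Name: akhan Domain: SCHOOL Logon Type: 3 Workstation Name: ROOM12-PC07 Source Network Address: 10.1.12.57
2012-02-02 16:20:00|540|Successful Network Logon: User Name: bwhite Domain: SCHOOL Logon Type: 3 Workstation Name: ROOM12-PC070 Source Network Address: 10.1.12.157
2012-02-02 16:05:00|538|User Logoff: User Name: jsmith Domain: SCHOOL Logon Type: 3
"""

LABELS = re.compile(r"(User Name|Workstation Name|Source Network Address):")

def fields(description):
    """Map each label to the first token after it ('' when the field is empty)."""
    parts = LABELS.split(description)
    out = {}
    for label, value in zip(parts[1::2], parts[2::2]):
        tokens = value.split()
        # First occurrence wins, so a later "Caller User Name:" cannot overwrite it.
        out.setdefault(label, tokens[0] if tokens else "")
    return out

def last_seen(lines, pc_name, pc_ip, event_ids=("528", "540")):
    """Return {'user': (time, name), 'machine': (time, name)} for the newest matches."""
    newest = {}
    for line in lines:
        if line.count("|") < 2:
            continue
        stamp, event_id, description = line.split("|", 2)
        if event_id not in event_ids:
            continue
        f = fields(description)
        # Exact comparison: a substring test would also match ROOM12-PC070.
        name_hit = f.get("Workstation Name", "").upper() == pc_name.upper()
        if not name_hit and f.get("Source Network Address") != pc_ip:
            continue
        # Exports may be newest-first, so compare timestamps instead of trusting order.
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        user = f.get("User Name", "")
        kind = "machine" if user.endswith("$") else "user"  # computer accounts end in $
        if kind not in newest or when > newest[kind][0]:
            newest[kind] = (when, user)
    return newest
```

A match on the address alone is only meaningful for the period in which that address was assigned to the PC.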

  13. #12
    themightymrp's Avatar
    We have a REALLY old kix script that runs at login but does the job. First a logon .bat file runs this command:

    Code:
    %0\..\Kix32.exe \\servername\share\logthem.kix $usergroup="student"
    And then the logthem.kix file looks like this:

    Code:
    ; Append one line per logon to a dated log file on the server
    Gosub "LOGTHEM"
    Exit

    :LOGTHEM

    ; One log file per day, named day.month.year.log
    $logfile = "\\servername\share\logs\" + @MDAYNO +"."+ @MONTHNO +"."+ @YEAR +".log"
    ; Pad each column to a fixed width; Val() tidies each fixed-width octet of @IPADDRESS0
    $logentry = "[" + @time + "]  " + 
                $usergroup + SubStr( "                ", 1, 12 - Len( $usergroup ) ) +
                @UserID    + SubStr( "                ", 1, 16 - Len( @UserID ) ) +
                @WKSTA     + SubStr( "                ", 1, 16 - Len( @WKSTA ) ) +
                "(" +
                Val( SubStr( @IPADDRESS0, 1, 3) ) + "." +
                Val( SubStr( @IPADDRESS0, 5, 3) ) + "." +
                Val( SubStr( @IPADDRESS0, 9, 3) ) + "." +
                Val( SubStr( @IPADDRESS0, 13, 3) ) + 
                ") " + 
                Chr( 13 ) + Chr( 10 )

    ; Mode 5 = create the file if it is missing (1) + open for writing (4)
    $ret = Open( 1, $logfile, 5 )
    If $ret <> 0
      ? ""
    Else
      $ret = WriteLine( 1, $logentry )
      $ret = Close( 1 )
    EndIf

    Return
    This logs the time, user category (replace with $usergroup="staff"), username, machine name and IP address. It creates a fresh text file each day based on the date, i.e. 3.2.2012.log

  14. #13

    JJonas's Avatar
    Adding this to a logon script is handy - but no use to you now

    echo %date% %time% %computername% %username% >>\\yourserver\logon$\logons.txt
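
A parser for the logons.txt lines that the one-liner above writes, as an added example that is not part of the thread: it returns the logon history for one computer and copes with the locale quirks of %date% and %time%. The sample lines, computer names and user names are constructed.

```python
import re

# Constructed sample of logons.txt as written by the one-liner above.
# %date% and %time% are locale-dependent: some systems prefix a day name,
# and hours before 10 are padded with a leading space, not a zero.
SAMPLE = (
    "03/02/2012  9:02:11.35 ROOM12-PC07 akhan \n"
    "Fri 03/02/2012 11:47:52.08 ROOM12-PC07 j smith \n"
    "03/02/2012 12:15:40.77 ROOM12-PC08 bwhite \n"
    "garbled line\n"
)

LINE = re.compile(
    r"^(?:[A-Za-z]{2,4}\s+)?"                        # optional day-name prefix
    r"(?P<date>\d+[/.-]\d+[/.-]\d+)\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}(?:[.,]\d+)?)\s+"
    r"(?P<computer>\S+)\s+"                          # computer names have no spaces
    r"(?P<user>.*?)\s*$"                             # user names may, so take the rest
)

def logons_for(text, computer):
    """Return (date, time, user) tuples for one computer, oldest first."""
    hits = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m["computer"].upper() == computer.upper() and m["user"]:
            hits.append((m["date"], m["time"], m["user"]))
    # The script only appends, so file order is already chronological; the
    # date stays as text because dd/mm versus mm/dd depends on the locale.
    return hits

def last_user(text, computer):
    """Return the newest (date, time, user) entry for a computer, or None."""
    hits = logons_for(text, computer)
    return hits[-1] if hits else None
```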
