I attempted to create an analysis that shows the current and last user for my workstations and servers. However it is only reporting the correct info within WinXP and Win2000/2003. In Win7/8 and Win2008 it displays, “Results Unknown” for the last user login…
if (exists values "DefaultUserName" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of registry) then (if (value "DefaultUserName" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of registry as string != "") then (value "DefaultUserName" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of registry as string) else "Results Unknown") else "No Recent Login"
if ((name of operating system = "Win2008R2") or (name of operating system = "Win7") or (name of operating system = "Win2012")) and (exists keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" whose (exists values whose (name of it = "LastLoggedOnUser") of it) of native registry) then value "LastLoggedOnUser" of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of native registry as string else if ((name of operating system = "WinXP") or (name of operating system = "Win2003")) and (exists keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" whose (exists values whose (name of it = "DefaultUserName") of it) of native registry) then value "DefaultUserName" of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" of native registry as string else "NoID"
if (name of operating system = "WinVista") or (name of operating system = "Win7") or (name of operating system = "Win8") or (name of operating system = "Win2008") or (name of operating system = "Win2008R2") or (name of operating system = "Win2012") then ((name of parent folder of it, modification time of it) of files "NTUSER.DAT" of folders of folder "c:\users") as string else if (name of operating system = "WinXP") or (name of operating system = "WinXP-2003") or (name of operating system = "Win2003") or (name of operating system = "Win2003R2") then ((name of parent folder of it, modification time of it) of files "NTUSER.DAT" of folders of folder "c:\Documents and Settings") as string else ("No Login Info Found")
This is weird because we have a ton of native inspectors that already look at information about last logon, including last logon of , logon count of user, etc. If there isn’t a native way to do this I think there should be an enhancement request.
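For checking the values on a single machine outside the console, the registry and profile lookups from the posts above can be combined into one PowerShell function. This is an added example, not code from the thread; the function name `Get-LastLogonHint` and its output property names are hypothetical, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: function and property names are hypothetical, not from the thread.
# Run in a 64-bit PowerShell host on 64-bit Windows so HKLM:\SOFTWARE is read
# without WOW64 redirection (the thread's "native registry").
function Get-LastLogonHint {
    [CmdletBinding()]
    param(
        # Profile root; pass 'C:\Documents and Settings' on XP/2003-era systems.
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users')
    )

    # Registry values named in the thread, newer mechanism first.
    $sources = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'; Name = 'LastLoggedOnUser' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'DefaultUserName' }
    )

    $user = $null
    $from = $null
    foreach ($s in $sources) {
        # A missing key or value yields $null instead of an error.
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($item -and -not [string]::IsNullOrWhiteSpace($item.($s.Name))) {
            $user = $item.($s.Name)
            $from = $s.Name
            break
        }
    }

    # NTUSER.DAT is a hidden file, so -Force is required to see it.
    $profiles = Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hive = Get-Item -LiteralPath (Join-Path $_.FullName 'NTUSER.DAT') -Force -ErrorAction SilentlyContinue
            if ($hive) {
                [pscustomobject]@{ Profile = $_.Name; HiveModified = $hive.LastWriteTime }
            }
        } | Sort-Object HiveModified -Descending

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        LastUser     = if ($user) { $user } else { 'Results Unknown' }
        Source       = $from
        Profiles     = @($profiles)
    }
}
```

The `Source` property shows which registry value answered, and the `NTUSER.DAT` timestamps are only a hint of recent profile activity, not an authoritative logon record.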