Last user to logn to a computer?

I need a quick Analyses to tell me the last user profile that logged in to a computer. Our Windows 10 user profiles are in c:\users, if that helps any. Thanks for any support.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI

1 Like

that’s not the syntax for an Analyses, but rather the location of a registry key. But thanks!

It actually gets you most of the way there, though. Now you can just use regular old relevance to pull the information you want out of the key. So let’s figure out the available values:

q: names of values of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of (x32 registries;x64 registries)
A: ShowTabletKeyboard
A: ShowTabletKeyboard
A: LastLoggedOnDisplayName
A: LastLoggedOnProvider
A: LastLoggedOnSAMUser
A: LastLoggedOnUser
A: LastLoggedOnUserSID
A: SelectedUserSID
A: IdleTime
A: NetworkStatusType
A: IsFirstLogonAfterSignOut
T: 0.508 ms
I: plural string

Looks like we want the value “LastLoggedOnUser”

value "LastLoggedOnUser" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of (x32 registries;x64 registries)

That seems to work in my environment. If you aren’t already familiar with the syntax to pull basic information out of the registry, it is a very useful tool to have, so you might want to play with my simple example above to try to pull information out of other keys. This thread (which as it turns out, you submitted!) was my starting point for getting comfortable with using relevance and the registry: Getting Uninstall Strings from Registry

3 Likes

Thanks so much, I’m no BigFix pro, but I love love love coming here to get help from people like you. Again, thanks!

1 Like