Last user to logn to a computer?

Snojack 2018-09-18 19:31:32 UTC #1

I need a quick Analyses to tell me the last user profile that logged in to a computer. Our Windows 10 user profiles are in c:\users, if that helps any. Thanks for any support.

tasaif 2018-09-18 19:49:38 UTC #2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI

Snojack 2018-09-19 20:16:54 UTC #3

that’s not the syntax for an Analyses, but rather the location of a registry key. But thanks!

alinder 2018-09-19 20:39:01 UTC #4

It actually gets you most of the way there, though. Now you can just use regular old relevance to pull the information you want out of the key. So let’s figure out the available values:

q: names of values of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of (x32 registries;x64 registries)
A: ShowTabletKeyboard
A: ShowTabletKeyboard
A: LastLoggedOnDisplayName
A: LastLoggedOnProvider
A: LastLoggedOnSAMUser
A: LastLoggedOnUser
A: LastLoggedOnUserSID
A: SelectedUserSID
A: IdleTime
A: NetworkStatusType
A: IsFirstLogonAfterSignOut
T: 0.508 ms
I: plural string

Looks like we want the value “LastLoggedOnUser”

value "LastLoggedOnUser" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of (x32 registries;x64 registries)

That seems to work in my environment. If you aren’t already familiar with the syntax to pull basic information out of the registry, it is a very useful tool to have, so you might want to play with my simple example above to try to pull information out of other keys. This thread (which as it turns out, you submitted!) was my starting point for getting comfortable with using relevance and the registry: Getting Uninstall Strings from Registry

Snojack 2018-09-20 14:25:26 UTC #5

Thanks so much, I’m no BigFix pro, but I love love love coming here to get help from people like you. Again, thanks!