Logged on Users and the Endpoints they are logged onto

(imported topic written by TJessee)

I have been asked to create a report that would list all users and the endpoints they are logged into. They are wanting the report to look like

UserName Workstation IP OS

I have been unable to figure out the session relevance to retrieve the correct information. Any help would be greatly appreciated.

(imported comment written by liuhoting)

So actually, I wouldn’t actually use session relevance to try to figure out this information. I’d use just good old-fashioned normal relevance. I’d basically throw this sort of stuff in an analysis that had a bunch of properties defined:

Logged on username:

Q: names of logged on users

Workstation IP:

Q: addresses of adapters of network as string

OS Name:

Q: Name of operating system

(imported comment written by TJessee)

I was able to take your thought process and create a property that reports on the last logged on user. I can now run a report from that and display all the information that was requested. Here is the relevance I used.

if (name of operating system as lowercase contains "win") then
(
  if ((name of operating system as lowercase contains "xp") or (name of operating system as lowercase contains "win2003")) then
  (
    if not exist keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName" of (if x64 of operating system then (x64 registry; x32 registry) else registry) then
      values "DefaultUserName" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of (if x64 of operating system then (x64 registry; x32 registry) else registry) as string
    else
      "No User Logged"
  )
  else
  (
    if NOT exist keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser" of (if x64 of operating system then (x64 registry; x32 registry) else registry) then
      values "LastLoggedOnUser" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of (if x64 of operating system then (x64 registry; x32 registry) else registry) as string
    else
      "No User Logged"
  )
)
else
(
  "Not Win"
)
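A local spot-check for one Windows endpoint, added here as an example and not part of the original posts: it reads the same two registry values the relevance above queries and shows them next to the current console user, so the property's result can be compared with who is actually logged on. The helper name Get-RegValue and the output field names are assumptions, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Get-RegValue is a hypothetical helper name.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Emits nothing when the key or the value is absent, instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# The two registry locations used by the relevance in the post above.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$logonUI  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem
$ips = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       ForEach-Object { $_.IPAddress }

# ConsoleUser is the user of the interactive console session; it is empty when
# nobody is logged on at the console. The registry values persist after logoff.
[pscustomobject]@{
    ConsoleUser      = $cs.UserName
    LastLoggedOnUser = Get-RegValue -Path $logonUI  -Name 'LastLoggedOnUser'
    DefaultUserName  = Get-RegValue -Path $winlogon -Name 'DefaultUserName'
    Workstation      = $cs.Name
    IP               = $ips -join ', '
    OS               = $os.Caption
}
```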

(imported comment written by liuhoting)

Awesome. I’m glad that worked.