Windows - Filter Latest Logged On User

Hello All,

With PowerShell I was able to return the information quite quickly -

# Get the latest interactive (LogonType 2) or RDP (LogonType 10) logon username
(Get-WinEvent -LogName Security `
    -FilterXPath '(*[System[(EventID=4624)]] and *[EventData[Data[@Name="LogonType"]="2"]])
                  or
                  (*[System[(EventID=4624)]] and *[EventData[Data[@Name="LogonType"]="10"]])' `
    -MaxEvents 1 |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $xml.Event.EventData.Data |
            Where-Object { $_.Name -eq 'TargetUserName' } |
            Select-Object -ExpandProperty '#text'
    })

I’ve tried to use the security event log inspector - event log | BigFix Developer

The options there to filter out objects by the EventData and then return the latest one are taking a very long time.

Here are additional Resources that I’ve tried to use - Relevance Windows Event Log get last occurrence

1 Like

Welcome to the forum!

Did you find the Track Primary User task? And the analysis? In our environment, we use the task linked above in conjunction with the following custom property. We can then expose the property as a column in the console.

if (exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" whose (exists value "LogonHistory" of it) of registry)) then
    (concatenation ";" of unique values whose (multiplicity of it = (maximum of multiplicities of unique values of preceding texts whose (it != "none") of firsts ";;" of substrings separated by "::" of (value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string))) of preceding texts whose (it != "none") of firsts ";;" of substrings separated by "::" of (value "LogonHistory" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\userstats" of registry as string))
else ("no user stats")
1 Like

Welcome to the forums.

We had a team member create these two properties a while back, for windows. They work for us.

Log on name...

values "LastLoggedOnUser" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of ((x64 registries; x32 registries))

Display name...

values "LastLoggedOnDisplayName" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of (if x64 of operating system then (x64 registry;x32 registry) else registry)

I would use native registry myself.

Hi!

Thanks, I’ll try that approach; I haven’t seen that task before.

Hi!

Tried that relevance, but it only gives the user who logged on to the computer physically, not remote desktop users, of which we have a lot who only connect remotely, so it will unfortunately show me inaccurate results.

You can use the relevance below as an RP; it will help you with users who are connected remotely:

Q: (name of it & " || " & (remote of it as string)) of logged on users
A: My_ID || False
A: Remote_User || True
T: 16.000 ms

1 Like

Hi @elgarsh !

If I understand correctly, you have the following scenario:

You are deploying the BigFix Client to an existing Windows system and require an immediate report of the last logged-on user (whether by RDP or physical console).

You can retrieve the necessary details from the Windows Event Log using PowerShell, store the resulting data in a persistent location (such as the Registry or a dedicated file), and finally, create a BigFix Analysis to consume this stored information.

Pros: The PowerShell execution is pretty quick for gathering that information
Cons: You need to find the correct Interval for execution of the action - there are new properties with 11.0.5 - https://developer.bigfix.com/relevance/reference/logged-on-user.html

While BigFix Relevance offers options to expose the Event Log record's XML (via https://developer.bigfix.com/relevance/reference/event-log.html ) and provides XML DOM parsing capabilities (via https://developer.bigfix.com/relevance/reference/xml-dom-node.html), I recall potential inefficiencies or issues specifically when using XPath to filter and extract data from the security event log's EventData XML content. Given this, the PowerShell method might be more performant and reliable.

Has anyone successfully implemented filtering and data extraction from the security event log's EventData XML using BigFix Relevance?

Hi @orbiton

Yes, that is what I meant.

Whether the last person who used the computer was logged in physically or through RDP, I want to know who the last person to use the computer was.

Alright,

So, we went on a different approach:

Instead of trying to use BigFix relevance to get the security event logs and filter the latest logged-on user, no matter whether from an RDP or a physical logon, we used a task to create a client setting value in the registry.

If the client setting named “lastlogonuser” does not exist, it will create and execute a PowerShell script (the script I mentioned in the top post) and will write the output of the script as the value.

If the client setting exists, it will check whether the value equals the username of whoever is currently logged on, and if not, BigFix will update the value to the currently logged-on user.

So if no one is currently logged on, the value stays as the last user who logged on according to the event logs.

The task runs as a policy.

Here is the relevance used in the task:

computers which match ANY of the conditions below

not exists values of settings "lastloggedonuser" of client

if (exists logged on users) then if (exists values of settings "lastloggedonuser" of client) then (value of setting "lastloggedonuser" of client != (it as string as lowercase) of sid of logged on user whose (active of it)) else true else false

The actionscript:

// Check if the client setting exists in the registry, and if not - execute PS script to get the last logged on user from event log
if {not exists values of settings "lastloggedonuser" of client}
delete lastlogon.ps1
createfile until __end__
$lastlogonvalue = (Get-WinEvent -LogName Security `
    -FilterXPath '(*[System[(EventID=4624)]] and *[EventData[Data[@Name="LogonType"]="2"]]) 
                  or 
                  (*[System[(EventID=4624)]] and *[EventData[Data[@Name="LogonType"]="10"]])' `
    -MaxEvents 1 |
    ForEach-Object {{
        $xml = [xml]$_.ToXml()
        $($xml.Event.EventData.Data[6].'#text' + "\" + $xml.Event.EventData.Data[5].'#text').ToLower()
    }) 

    New-Item -Path "HKLM:\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client" -Name "lastloggedonuser" -Force
    New-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client\lastloggedonuser" -Name "value" -Value $lastlogonvalue -Force
__end__
move __createfile lastlogon.ps1
action uses wow64 redirection false
wait "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy Bypass -File ".\lastlogon.ps1"
else
// Update the value of client settings with the current logged on user
setting "lastloggedonuser"="{(it as string as lowercase) of sid of logged on user whose (active of it)}" on "{now}" for client
endif

thanks everybody!

4 Likes
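As an added example (not code from this thread or from BigFix), the same 4624 / LogonType 2 or 10 selection applied to a batch of events, with two defensive touches the thread's scripts do not have: EventData fields are looked up by their Name attribute rather than by position (Data[5], Data[6]), and the Window Manager (DWM-n) and Font Driver Host (UMFD-n) pseudo-accounts, which also produce LogonType 2 records on current Windows builds, plus machine accounts are skipped so the stored value is a real person. The event XML samples are constructed to mimic the shape of `$_.ToXml()`; the function name is my own.

```powershell
# Added example, not code from the thread: newest console (2) or RDP (10) logon from
# a batch of 4624 records, ignoring DWM-n / UMFD-n pseudo-accounts and machine accounts.
function Get-LastInteractiveLogon {
    param(
        # XML strings in the shape returned by $event.ToXml()
        [Parameter(Mandatory)] [string[]] $EventXml,
        [int[]] $LogonTypes = @(2, 10)
    )
    $candidates = foreach ($raw in $EventXml) {
        $xml = [xml]$raw
        if ([int]$xml.Event.System.EventID -ne 4624) { continue }
        # Look EventData fields up by Name attribute, not by position
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ([int]$data['LogonType'] -notin $LogonTypes) { continue }
        $user = [string]$data['TargetUserName']
        # Window Manager\DWM-n and Font Driver Host\UMFD-n log on with type 2 too;
        # names ending in '$' are machine accounts
        if ($user -match '^(DWM|UMFD)-\d+$' -or $user.EndsWith('$')) { continue }
        [pscustomobject]@{
            Time      = [datetime]$xml.Event.System.TimeCreated.SystemTime
            LogonType = [int]$data['LogonType']
            Account   = ('{0}\{1}' -f $data['TargetDomainName'], $user).ToLower()
        }
    }
    $candidates | Sort-Object Time -Descending | Select-Object -First 1
}

# Constructed sample records; on a real host feed the function with, for example,
#   Get-WinEvent -LogName Security -FilterHashtable @{ Id = 4624 } -MaxEvents 500 |
#       ForEach-Object { $_.ToXml() }
$samples = @(
    '<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T09:10:00Z"/></System><EventData><Data Name="TargetUserName">DWM-3</Data><Data Name="TargetDomainName">Window Manager</Data><Data Name="LogonType">2</Data></EventData></Event>',
    '<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T09:05:00Z"/></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">10</Data></EventData></Event>',
    '<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T09:08:00Z"/></System><EventData><Data Name="TargetUserName">svc-backup</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">3</Data></EventData></Event>'
)
Get-LastInteractiveLogon -EventXml $samples
```

With the constructed samples the newest record is the DWM-3 pseudo-logon and the next is a network (type 3) logon, so the function falls through to the RDP session of corp\jdoe, which is the answer the thread is after.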

@elgarsh wow looks great! Thanks for sharing 🙂