Workstation Status

Posted on 1998-11-10
Last Modified: 2013-12-23
I would like to remotely scan the logon status on all the NT workstation on our current network: how long the computer has been logged on to and the computers idle time. Is there a command or a script I can use to retrieve this information. I have already tried USRSTAT.EXE from the Server Resource Kit, but all the stats I get is when the user first logged on, not the duration period.
Question by:George5B

Expert Comment

ID: 1565521
Here is at least part of it:
SS ID Number: Q189541
Article last modified on 08-28-1998

The information in this article applies to:
 - Microsoft Windows, versions 95, 98
 - Microsoft Windows NT Server version 4.0
 - Microsoft Windows NT Server, Enterprise Edition version 4.0
IMPORTANT: This article contains information about editing the registry.
Before you edit the registry, make sure you understand how to restore it if
a problem occurs. For information on how to do this, view the "Restoring
the Registry" online Help topic in Regedit.exe or the "Restoring a Registry
Key" online Help topic in Regedt32.exe.
Account lockouts can be very difficult to track for several reasons. One
reason is that the bad password attempts are only recorded on the domain
controller that processed the logon attempt (this is for Windows 95 and
Windows 98 clients). Another problem is that, because Windows NT clients
are capable of recording the information locally, a log entry is not
recorded on any domain controller.
A relatively easy way to track bad password attempts in a domain is to
install the checked build of Netlogon.dll on the primary domain controller
(PDC). This will create a text file on the PDC that can be examined to
determine which clients are generating the bad password attempts, for both
Windows NT and Windows 95 clients.
The checked build of Netlogon.dll can be obtained from Microsoft Technical
Support and also in the Microsoft DDK.
WARNING: Using Registry Editor incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from the incorrect use of Registry Editor
can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys And
Values" online Help topic in Registry Editor (Regedit.exe) or the "Add and
Delete Information in the Registry" and "Edit Registry Data" online Help
topics in Regedt32.exe. Note that you should back up the registry before
you edit it.
To install the checked build of Netlogon.dll on Windows NT 4.0:
1. Go to the %windir%\System32 folder.
2. Rename Netlogon.dll to Netlogon.fre.
3. Copy the checked version of Netlogon.dll to the System32 folder.
4. Start Regedt32, and go to the following key:
   NOTE: The above registry key is one path; it has been wrapped for
5. Change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon
   \Parameters\DBFlag to 0x4 and quit Regedt32.
   NOTE: Setting DBFlag to 0x4 will only record logon processing. Setting
   it to 0x20000004 will record the time stamp in addition to the logon
6. Restart the server
7. Confirm that the debug directory was created under the %windir% folder
   and contains a Netlogon.log file.
In the examples below:
PORSCHE\example = User Account
TARGA =           BDC
928S4 =           Windows NT Workstation
928WIN95 =        Windows 95
911Turbo =        PDC
Different clients will log different messages.
Windows NT Workstation:
[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via
   TARGA) Entered
[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via
   TARGA) Returns 0xC000006A
[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via
   TARGA) Entered
[LOGON] SamLogon: Interactive logon of PORSCHE\example from 928S4 (via
   TARGA) Returns 0xC0000234
In the above example, you can see where we try to log on, fail with a bad
password, try to log on again, and then fail with a locked out account.
The only difference with Windows 95 and Windows 98 is the omission of the
domain name:
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via
   TARGA) Entered
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via
   TARGA) Returns 0xC000006A
LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via
   TARGA) Entered
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 (via
   TARGA) Returns 0xC0000234
A successful account logon will look like:
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 Entered
[LOGON] SamLogon: Network logon of (null)\EXAMPLE from \\928WIN95 Returns
[LOGON] NetrLogonUasLogon of EXAMPLE from 928WIN95 returns 0
The errors you will most likely receive will be:
   0xC0000234      User logon with Account Locked
   0xC000006A      User logon with Misspelled or bad Password
   0xC0000072      User logon to account disabled by Administrator
   0xC0000193      User logon with Expired Account
   0xC0000070      User logon from unauthorized workstation
   0xC000006F      User logon Outside authorized hours
   0xC0000224      User logon with "Change Password at Next Logon"
   0xC0000071      User logon with Expired Password
   0xC0000064      User logon with Misspelled or Bad User Account
To track user account lockouts, only the 234 and 6A errors are important to
After the workstation sending the bad passwords has been identified, the
workstation can be configured correctly or the user can be informed of the
correct password.
Additional query words: pass thru through authentication
Version           : Windows:95,98;WinNT:4.0
Platform          : WINDOWS winnt
Issue type        : kbhowto
Copyright Microsoft Corporation 1998.



Author Comment

ID: 1565522
I am trying to get the up time of each workstation logged on to the network, the password logon proposal will not achieve the up time of each logged on workstation.

Author Comment

ID: 1565523
I am trying to get the up time of each workstaion logged on to the network. I have tried Srvinfo.exe from the resource kit, although it gives me the up time of a workstation it also gives me additional information, which takes up to 10 minutes to retrieve, with 168 workstations this is mot acceptable. Is there a script or command I can use? I appreciate all the help I can get.
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.


Expert Comment

ID: 1565524
Here's another approach than above (which was some pretty cool info, even if it didn't answer the right question!):

Consider asking the question against each of your NT file servers using the command "net session>netsession.rpt". Run this command on each server using something like a periodic batch file launched by the schedule service on each server. You can then have a second script from a master computer which retrieves the reports from each of the servers.

   This is certainly not a fail-safe approach and requires that an NT workstation (or 95/98 for that matter) map at least one drive to a server which you are tracking. However, it does provide approximate idle-time tracking (each client will have an idle time associated with each drive mapped to each different server).

   The other drawback to this approach is that it requires some effort on your part to derive meaningful information from the various generated reports, and the more servers you need to monitor, the more massaging your routine may have to do. However, if you have a couple of file servers which everyone uses, you can fairly easily see if a person is currently logged on.

   Another piecemeal utility is nbtstat -a {computername}, through which you can easily determine whether a person is logged into a particular NT workstation (or 95 with winpopup running). This one is more suited to a single user than to 100 users (obviously!).


Expert Comment

ID: 1565525
At the PDC you can test under control panel the applet called server and there is a button users.
It will show you who is logged in and how long.


Author Comment

ID: 1565526
This was great information as you mentioned, but it does not resolve my problem, which is to determine a workstations UP TIME. I do appreciate the help.

Accepted Solution

morgan1 earned 50 total points
ID: 1565527
  Ok, here's another approach which would benefit from a full-featured scripting language such as Perl, but could be done in a rough fashion using strictly NT batch files. This is a situation where you can achieve 100% parrallelism in the info gathering phase of the process to reduce the total runtime and effort any particular computer has to do.

   Figure out how to make a single NT workstation get the answers you need (see below) and script that solution (script local_stats.cmd). Have that script generate a local text file (local_stats.rpt) with the answers to the questions. Try to parse the answers to make this file contain a one line report which includes the name of the workstation as the first field and the rest of the answers separated by spaces, commas, etc.

   Next, write a second script (script get_stats.cmd) that will run from a central server/workstation which uses either at or rcmd to START local_stats.cmd for each workstation. You will need domain admin rights on the process which starts get_stats.cmd in order to have sufficient rights on each workstation in the domain. Provided that all of your NT workstations are browsable, you can use NET VIEW /DOMAIN:MYDOMAIN to dynamically generate a list of computers which need to be queried. When you request the start local_stats.cmd on a particular workstation, do NOT wait for the answer before proceeding to the next workstation. Within get_stats.cmd, send a fresh copy of local_stats.cmd to each workstation before starting it up. If you choose to use at or soon, make sure that you've got good time sync so you don't wind up scheduling the job for TOMORROW instead of 1 minute from now.

   Once you have started local_stats.cmd on each computer, sleep for twice the interval needed for the last started workstation to execute local_stats.cmd (to allow for a person banging on that computer, or others). Following this, revisit each workstation, collecting local_stats.rpt off of it's hard drive and append that file to a master report on the central server/workstation called get_stats.rpt. If you've built each local_stats.rpt correctly, you won't need to do any further parsing. You could then use the schedule service on the central server/workstation to periodically run get_stats.cmd on an appropriate interval. If you do this, perhaps adjust the name of the master report to include date/time, for arhival purposes.

   Having said all of that, here are some ideas on commands which can retrieve the info you need. All of these commands can be run on NT workstation or NT server, but not 95/98.

   NET STATISTICS SERVER will report staticstics since the last boot, and will include the computername in the report. Line 4 of the report gives you system uptime (but NOT logintime!).

   You can use NBTSTAT -n to determine if a person is CURRENTLY logged into the box, and the account name of that person, if you are interested in this. Filter for <03> and discard the entry which matches the computer name. If there is a second entry, this will be the account name of the person. Again, you won't get login time, but what you do get may be of value to you.

   There is an idle time reported in NET CONFIG SERVER (near the bottom of the report) which may or may not be beneficial to you.

   So...what do you think?

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
AD health monitoring 2 76
How to fix the time service on domain controller 6 53
FTP output from Wireshak 6 88
Independent domain networks for setup 6 116
Have you ever set up your wireless router at home or in the office to find that you little pop-up bubble in the bottom right-hand corner of Windows read "IP Conflict - One of more computers on the network have been assigned the following IP address"…
We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question