?
Solved

How one can tell if and when anyone has logged on to a Windows PC?

Posted on 2011-09-06
7
Medium Priority
?
256 Views
Last Modified: 2012-06-27
Hello:

I have a user that swears that he turned off his Windows XP Professional PC over the weekend.  And that this morning, it was logged on and a web page was minimized(that he never openned).  Additionally, the windows screen was not locked.  I walked the user through changing his password and we took a look at the event viewer logs together.

The user's PC is a Windows XP Professional SP3 OS installed.  The PC is set to go to 'standy by' mode after 15 minutes of innactivity.  I did not see anything in the 'System' logs to indicate that his PC was turned on over the weekend.  It appears that it was never tunred off actually.

I say this becasue I only see a 'The Event log service was started.' entry in the system logs after he restarted the PC today(after he came in).

My questions are:

1.  How can I verify when the last time the PC was turned off?
2.  How can I verify when the PC was turned on last?
3.  How can I verify if the PC was locked (becasue of stand by mode) and then un-locked?
       a.  Unlocked by entering a username and password?

4.  When I initiated a shutdown and start up right in front of the user, I was able to see the new system logs indicating a new restart. 'The Event log service was started.'
0
Comment
Question by:Pkafkas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 11

Expert Comment

by:madhatter5501
ID: 36489856
I think the way I would do it is by going through the success audit logs in event viewer which it sounds like you are already doing.  I think you can filter by date range.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 36490342
You can use audit log as well as query last logon & lastlogintimestamp attribute. You can use script of richard or OLDCMP tool from joe richards.
http://www.rlmueller.net/Last%20Logon.htm
http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
Oldcmp can be download.
http://www.joeware.net/freetools/tools/oldcmp/

Regards
________________________________________
Awinish Vishwakarma
MY BLOG:  http://awinish.wordpress.com
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 36490766
Hello Awinish:

Will that download file, just create another set of logs in the Event viewers?  can you elaborate what is included?
0
Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!

 
LVL 12

Accepted Solution

by:
Navdeep earned 2000 total points
ID: 36491151
Hi,

You can give this tool a try EventCombMT. You can run a search across multiple machine's event viwer based on the event id supplied. Pretty handy with gui interface.

Regards,
v-2nas
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 36491844
I just tested that if a user has the 'stand by' setting set, it doe snot password protect the pc every time.

I will recommend to the user to check the box (to password protect) in the display-settings/screensaver tab.  In this case, I believe the user was mistaken; but, going forward it is a good idea to have some proof.

I will look into the ' EventCombMT' command tomorrow.  Thank you   v-2nas

http://support.microsoft.com/kb/824209
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 36498911
http://support.microsoft.com/kb/824209  this worked pretty good.

The outlput.;

Find Events After: Thu Sep 01 15:27:54 2011
Find Events Before: Sun Sep 04 15:27:54 2011
Event IDs:   529 644 675 676 681
No Event Text specified.
No Event Source specified.
No Between Event IDs specified.
Will Search the following servers:
XXX
To find these events we'll need a search running. It has already begun....
 
Spawning Thread for: XXX
Thread Running for: XXX
All threads Scheduled to run are running.
Exiting thread for: XXX
Total events searched: 0
Total matches found: 0
Servers/Logs Searched: 1
DLL Cache Contained: 0
SID Cache Contained: 0
Start time: Wed Sep 07 15:31:00 2011
Finish time: Wed Sep 07 15:31:00 2011
True records per second: 0.00
0
 
LVL 4

Expert Comment

by:ZeevM333
ID: 36498954
Open command prompt and type this:
systeminfo| find "System Up Time"

will pretty much answer your question
0

Featured Post

Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month8 days, 11 hours left to enroll

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question