Solved

How one can tell if and when anyone has logged on to a Windows PC?

Posted on 2011-09-06
7
251 Views
Last Modified: 2012-06-27
Hello:

I have a user that swears that he turned off his Windows XP Professional PC over the weekend.  And that this morning, it was logged on and a web page was minimized (that he never opened).  Additionally, the Windows screen was not locked.  I walked the user through changing his password and we took a look at the Event Viewer logs together.

The user's PC has Windows XP Professional SP3 installed.  The PC is set to go to 'stand by' mode after 15 minutes of inactivity.  I did not see anything in the 'System' logs to indicate that his PC was turned on over the weekend.  It appears that it was never turned off, actually.

I say this because I only see a 'The Event log service was started.' entry in the system logs after he restarted the PC today (after he came in).

My questions are:

1.  How can I verify when the last time the PC was turned off?
2.  How can I verify when the PC was turned on last?
3.  How can I verify if the PC was locked (because of stand by mode) and then unlocked?
       a.  Unlocked by entering a username and password?

4.  When I initiated a shutdown and start up right in front of the user, I was able to see the new system logs indicating a new restart. 'The Event log service was started.'
0
Question by:Pkafkas
7 Comments
 
LVL 11

Expert Comment

by:madhatter5501
ID: 36489856
I think the way I would do it is by going through the success audit logs in event viewer which it sounds like you are already doing.  I think you can filter by date range.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 36490342
You can use the audit log as well as query the lastLogon & lastLogonTimestamp attributes. You can use Richard's script or the OLDCMP tool from Joe Richards.
http://www.rlmueller.net/Last%20Logon.htm
http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
Oldcmp can be downloaded.
http://www.joeware.net/freetools/tools/oldcmp/

Regards
________________________________________
Awinish Vishwakarma
MY BLOG:  http://awinish.wordpress.com
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 36490766
Hello Awinish:

Will that download file just create another set of logs in the Event Viewer?  Can you elaborate on what is included?
0
 
LVL 12

Accepted Solution

by:
Navdeep earned 500 total points
ID: 36491151
Hi,

You can give this tool a try: EventCombMT. You can run a search across multiple machines' event viewers based on the event ID supplied. Pretty handy with a GUI interface.

Regards,
v-2nas
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 36491844
I just tested that if a user has the 'stand by' setting set, it does not password protect the PC every time.

I will recommend to the user to check the box (to password protect) in the Display Settings / Screen Saver tab.  In this case, I believe the user was mistaken; but, going forward, it is a good idea to have some proof.

I will look into the 'EventCombMT' command tomorrow.  Thank you, v-2nas.

http://support.microsoft.com/kb/824209
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 36498911
http://support.microsoft.com/kb/824209  This worked pretty well.

The output:

Find Events After: Thu Sep 01 15:27:54 2011
Find Events Before: Sun Sep 04 15:27:54 2011
Event IDs:   529 644 675 676 681
No Event Text specified.
No Event Source specified.
No Between Event IDs specified.
Will Search the following servers:
XXX
To find these events we'll need a search running. It has already begun....
 
Spawning Thread for: XXX
Thread Running for: XXX
All threads Scheduled to run are running.
Exiting thread for: XXX
Total events searched: 0
Total matches found: 0
Servers/Logs Searched: 1
DLL Cache Contained: 0
SID Cache Contained: 0
Start time: Wed Sep 07 15:31:00 2011
Finish time: Wed Sep 07 15:31:00 2011
True records per second: 0.00
0
 
LVL 4

Expert Comment

by:ZeevM333
ID: 36498954
Open a command prompt and type this:
systeminfo | find "System Up Time"

That will pretty much answer your question.
0
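Pulling the thread's pieces together (the original question's three checks, the EventCombMT event IDs, and ZeevM333's uptime tip), here is an added PowerShell script that builds one timeline of boots, shutdowns, logons and workstation unlocks from the System and Security logs. It is an example written for this page, not code from the thread, from EventCombMT or from Microsoft. It assumes Windows PowerShell 2.0 or later on Windows XP / Server 2003 (the pre-Vista event ID numbering), an elevated shell so the Security log is readable, and that "Audit logon events" is enabled in Local Security Policy; the `$Days` and `$ComputerName` parameters are the script's own and can be changed freely.

```powershell
# Added example, not code from the thread or from any tool named in it.
# Builds a boot/shutdown/logon/unlock timeline for the last N days on a
# Windows XP / Server 2003 machine using the classic security event IDs
# (528 logon, 529 bad password, 538 logoff, 551 user-initiated logoff).
# Assumptions: Windows PowerShell 2.0+, an elevated shell (the Security log
# is not readable otherwise) and "Audit logon events" enabled for success and
# failure; without that policy the Security log simply has nothing to show.
param(
    [int]$Days = 7,                          # hypothetical parameter: look-back window
    [string]$ComputerName = $env:COMPUTERNAME # hypothetical parameter: local PC by default
)

$since = (Get-Date).AddDays(-$Days)

# System log: what the Event Log service and the boot sequence recorded.
# 6005 is the "The Event log service was started." entry seen in the question.
$systemMeaning = @{
    6005 = 'Event Log service started (system boot)'
    6006 = 'Event Log service stopped (clean shutdown)'
    6008 = 'Previous shutdown was unexpected (crash or power loss)'
    6009 = 'OS version banner written at boot'
    1074 = 'Shutdown or restart initiated by a user or process'
}

# Security log, pre-Vista numbering.
$securityMeaning = @{
    528 = 'Successful logon'
    529 = 'Failed logon (bad user name or password)'
    538 = 'Logoff'
    551 = 'User-initiated logoff'
}

# EventID (the low 16 bits) is used rather than InstanceId because sources such
# as USER32 and eventlog set high bits in InstanceId (1074 appears as 2147484722).
$systemEvents = Get-EventLog -LogName System -ComputerName $ComputerName -After $since |
    Where-Object { $systemMeaning.ContainsKey([int]$_.EventID) } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time    = $_.TimeGenerated
            Log     = 'System'
            EventId = [int]$_.EventID
            Meaning = $systemMeaning[[int]$_.EventID]
            Account = ''
        }
    }

$securityEvents = Get-EventLog -LogName Security -ComputerName $ComputerName -After $since |
    Where-Object { $securityMeaning.ContainsKey([int]$_.EventID) } |
    ForEach-Object {
        $meaning = $securityMeaning[[int]$_.EventID]
        # A 528 whose description carries "Logon Type: 7" is a workstation unlock,
        # i.e. the lock screen was cleared with a password (question 3a);
        # logon type 2 is a fresh interactive logon at the console.
        if ($_.EventID -eq 528 -and $_.Message -match 'Logon Type:\s+7') {
            $meaning = 'Workstation unlocked (logon type 7)'
        }
        $account = ''
        if ($_.Message -match 'User Name:\s+(\S+)') { $account = $matches[1] }
        New-Object PSObject -Property @{
            Time    = $_.TimeGenerated
            Log     = 'Security'
            EventId = [int]$_.EventID
            Meaning = $meaning
            Account = $account
        }
    }

# Cross-check for "when was it turned on last": WMI's last boot time is the
# value that systeminfo's "System Up Time" line is derived from. Standby does
# not reset it, so a boot time older than the weekend supports the reading
# that the PC was never powered off.
$os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
$lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)
Write-Host ("Last boot according to WMI: {0}" -f $lastBoot)

@($systemEvents) + @($securityEvents) |
    Sort-Object Time |
    Format-Table Time, Log, EventId, Meaning, Account -AutoSize
```

Read the timeline bottom-up: a 6006 followed by a 6005 brackets a shutdown and the next boot (question 1 and 2); a 6005 with no preceding 6006, or a 6008, means the machine went down without a clean shutdown; a 528 with logon type 7 between two System events answers whether the lock screen was cleared with a password (question 3). The zero-match EventCombMT run in the thread only searched failed-logon IDs (529, 644, 675, 676, 681) for Sep 1-4, which says nothing about successful logons or unlocks, so 528 and 551 are the IDs to look at for that window.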
