Solved

How can one tell if and when anyone has logged on to a Windows PC?

Posted on 2011-09-06
Last Modified: 2012-06-27
Hello:

I have a user who swears that he turned off his Windows XP Professional PC over the weekend, and that this morning it was logged on and a web page was minimized (which he never opened). Additionally, the Windows screen was not locked. I walked the user through changing his password and we took a look at the Event Viewer logs together.

The user's PC has Windows XP Professional SP3 installed. The PC is set to go into 'stand by' mode after 15 minutes of inactivity. I did not see anything in the 'System' log to indicate that his PC was turned on over the weekend. It appears that it was never turned off, actually.

I say this because I only see a 'The Event log service was started.' entry in the System log after he restarted the PC today (after he came in).

My questions are:

1.  How can I verify when the last time the PC was turned off?
2.  How can I verify when the PC was turned on last?
3.  How can I verify if the PC was locked (because of stand by mode) and then unlocked?
       a.  Unlocked by entering a username and password?

4.  When I initiated a shutdown and start up right in front of the user, I was able to see the new System log entries indicating a new restart: 'The Event log service was started.'
Question by:Pkafkas
7 Comments
LVL 11

Expert Comment

by:madhatter5501
I think the way I would do it is by going through the success audit logs in Event Viewer, which it sounds like you are already doing. I think you can filter by date range.
LVL 24

Expert Comment

by:Awinish
You can use the audit log as well as query the lastLogon and lastLogonTimestamp attributes. You can use Richard's script or the OLDCMP tool from Joe Richards.
http://www.rlmueller.net/Last%20Logon.htm
http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
Oldcmp can be downloaded here:
http://www.joeware.net/freetools/tools/oldcmp/

Regards
________________________________________
Awinish Vishwakarma
MY BLOG:  http://awinish.wordpress.com

Author Comment

by:Pkafkas
Hello Awinish:

Will that download file just create another set of logs in the Event Viewer? Can you elaborate on what is included?
LVL 12

Accepted Solution

by: Navdeep (earned 500 total points)
Hi,

You can give the EventCombMT tool a try. You can run a search across multiple machines' event logs based on the event IDs supplied. Pretty handy, with a GUI interface.

Regards,
v-2nas

Author Comment

by:Pkafkas
I just tested that if a user has the 'stand by' setting set, it does not password-protect the PC every time.

I will recommend that the user check the box (to password protect) in the Display Settings / Screen Saver tab. In this case, I believe the user was mistaken; but going forward it is a good idea to have some proof.

I will look into the 'EventCombMT' tool tomorrow. Thank you, v-2nas.

http://support.microsoft.com/kb/824209

Author Comment

by:Pkafkas
http://support.microsoft.com/kb/824209  this worked pretty well.

The output:

Find Events After: Thu Sep 01 15:27:54 2011
Find Events Before: Sun Sep 04 15:27:54 2011
Event IDs:   529 644 675 676 681
No Event Text specified.
No Event Source specified.
No Between Event IDs specified.
Will Search the following servers:
XXX
To find these events we'll need a search running. It has already begun....
 
Spawning Thread for: XXX
Thread Running for: XXX
All threads Scheduled to run are running.
Exiting thread for: XXX
Total events searched: 0
Total matches found: 0
Servers/Logs Searched: 1
DLL Cache Contained: 0
SID Cache Contained: 0
Start time: Wed Sep 07 15:31:00 2011
Finish time: Wed Sep 07 15:31:00 2011
True records per second: 0.00
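A note on the zero matches above: on Windows XP the IDs that were searched (529, 644, 675, 676 and 681) are all failed-logon and lockout events. A successful logon is Security event 528, whose "Logon Type" field says how it happened (type 2 is a fresh console logon, type 7 is the workstation being unlocked with a password), and the System log records a clean shutdown as EventLog 6006, a boot as 6005 (with 6009 alongside it), an unexpected shutdown as 6008, and a user- or process-initiated shutdown or restart as USER32 event 1074. The script below is an added example, not from this thread and not part of EventCombMT; it answers the three questions from the original post by rebuilding a timeline from a constructed CSV export in the shape of an Event Viewer "Save As" file. The sample rows, the DOMAIN\jsmith account and the workstation name WS01 are made up for the example. It assumes "Audit logon events: Success" is enabled in the local audit policy (without that there are no 528 records to find), and it makes no attempt to detect standby or resume.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample export (Event Viewer "Save As CSV" style), NOT a real log.
# Pre-Vista (XP / Server 2003) event IDs used below:
#   Security 528          successful logon; logon type 2 = console, 7 = unlock
#   System   6005 / 6006  event log service started / stopped (boot / clean shutdown)
#   System   6008 / 6009  previous shutdown was unexpected / OS banner at boot
#   System   1074 (USER32) shutdown or restart requested on behalf of a user
SAMPLE_CSV = r"""Log,Type,Date,Time,Source,EventID,User,Description
Security,Success Audit,2011-09-02,08:01:12,Security,528,DOMAIN\jsmith,"Successful Logon: User Name: jsmith Domain: DOMAIN Logon Type: 2 Logon Process: User32 Workstation Name: WS01"
Security,Success Audit,2011-09-02,12:30:05,Security,528,DOMAIN\jsmith,"Successful Logon: User Name: jsmith Domain: DOMAIN Logon Type: 7 Logon Process: User32 Workstation Name: WS01"
System,Information,2011-09-02,17:58:03,USER32,1074,DOMAIN\jsmith,"The process winlogon.exe has initiated the power off of computer WS01 on behalf of user DOMAIN\jsmith for the following reason: No title for this reason could be found"
System,Information,2011-09-02,17:58:20,EventLog,6006,N/A,The Event log service was stopped.
System,Information,2011-09-04,03:12:41,EventLog,6005,N/A,The Event log service was started.
System,Information,2011-09-04,03:12:41,EventLog,6009,N/A,Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free.
Security,Success Audit,2011-09-04,03:14:02,Security,528,DOMAIN\jsmith,"Successful Logon: User Name: jsmith Domain: DOMAIN Logon Type: 2 Logon Process: User32 Workstation Name: WS01"
System,Information,2011-09-05,06:00:14,EventLog,6005,N/A,The Event log service was started.
System,Information,2011-09-05,06:00:14,EventLog,6008,N/A,The previous system shutdown at 3:55:10 AM on 9/5/2011 was unexpected.
Security,Success Audit,2011-09-05,06:02:30,Security,528,DOMAIN\jsmith,"Successful Logon: User Name: jsmith Domain: DOMAIN Logon Type: 2 Logon Process: User32 Workstation Name: WS01"
Security,Success Audit,2011-09-06,08:05:17,Security,528,DOMAIN\jsmith,"Successful Logon: User Name: jsmith Domain: DOMAIN Logon Type: 7 Logon Process: User32 Workstation Name: WS01"
System,Information,2011-09-06,09:05:00,USER32,1074,DOMAIN\jsmith,"The process winlogon.exe has initiated the restart of computer WS01 on behalf of user DOMAIN\jsmith for the following reason: No title for this reason could be found"
System,Information,2011-09-06,09:05:10,EventLog,6006,N/A,The Event log service was stopped.
System,Information,2011-09-06,09:06:30,EventLog,6005,N/A,The Event log service was started.
"""


@dataclass
class Event:
    log: str
    when: datetime
    source: str
    event_id: int
    user: str
    description: str

    @property
    def logon_type(self) -> Optional[int]:
        """Logon type parsed out of a 528 description; None for other events."""
        m = re.search(r"Logon Type:\s*(\d+)", self.description)
        return int(m.group(1)) if m else None


def parse_events(text: str) -> List[Event]:
    """Parse an Event Viewer style CSV export into Events sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(f"{row['Date']} {row['Time']}", "%Y-%m-%d %H:%M:%S")
        events.append(Event(row["Log"], when, row["Source"], int(row["EventID"]),
                            row["User"], row["Description"]))
    return sorted(events, key=lambda e: e.when)  # stable sort keeps same-second order


def _system(events: List[Event], event_id: int) -> List[Event]:
    return [e for e in events if e.log == "System" and e.event_id == event_id]


def last_shutdown(events: List[Event]) -> Optional[datetime]:
    """Q1: the last clean shutdown is the last 6006 (event log service stopped)."""
    stops = _system(events, 6006)
    return stops[-1].when if stops else None


def boots(events: List[Event]) -> List[datetime]:
    """Q2: every boot is a 6005 (event log service started)."""
    return [e.when for e in _system(events, 6005)]


def dirty_boots(events: List[Event]) -> List[datetime]:
    """Boots with no 6006 since the previous boot: power loss, crash or hard reset.
    XP also writes a 6008 right after such a boot, so the two should agree."""
    dirty, clean_stop = [], None  # None: no boot seen yet in this log
    for e in events:
        if e.log != "System":
            continue
        if e.event_id == 6006:
            clean_stop = True
        elif e.event_id == 6005:
            if clean_stop is False:
                dirty.append(e.when)
            clean_stop = False
    return dirty


def shutdown_requests(events: List[Event]) -> List[Tuple[datetime, str, str]]:
    """Who asked for each shutdown or restart (USER32 1074) and which kind it was."""
    out = []
    for e in _system(events, 1074):
        m = re.search(r"initiated the (power off|restart|shutdown) of computer", e.description)
        out.append((e.when, e.user, m.group(1) if m else "unknown"))
    return out


def logons(events: List[Event], logon_type: int) -> List[Tuple[datetime, str]]:
    """Q3/Q3a: 528 with type 2 is a fresh console logon; type 7 is an unlock with a password."""
    return [(e.when, e.user) for e in events
            if e.log == "Security" and e.event_id == 528 and e.logon_type == logon_type]


def activity_between(events: List[Event], start: datetime, end: datetime) -> List[Event]:
    """Everything logged in a window when the machine was supposedly switched off."""
    return [e for e in events if start <= e.when <= end]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_CSV)
    print("last clean shutdown:", last_shutdown(ev))
    print("boots:", boots(ev))
    print("dirty boots (6005 with no prior 6006):", dirty_boots(ev))
    print("shutdown/restart requests:", shutdown_requests(ev))
    print("console logons (528 type 2):", logons(ev, 2))
    print("unlocks (528 type 7):", logons(ev, 7))
    print("activity Fri 18:00 to Tue 08:00:")
    for e in activity_between(ev, datetime(2011, 9, 2, 18), datetime(2011, 9, 6, 8)):
        print(f"  {e.when}  {e.log:<8} {e.event_id:>5}  {e.user}")
```

Run it as-is to see the sample timeline, or replace SAMPLE_CSV with the contents of a real export. In the constructed data the Monday boot has no 6006 before it and a 6008 beside it, which is what a hard power-off or crash looks like; a weekend during which the PC was really never off shows no 6005 and no 6006 at all between Friday evening and the Tuesday restart, only 528 type 7 unlocks if someone got past the lock screen.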
LVL 4

Expert Comment

by:ZeevM333
Open a command prompt and type this:
systeminfo | find "System Up Time"

will pretty much answer your question