Solved

How can one tell if and when anyone has logged on to a Windows PC?

Posted on 2011-09-06
Last Modified: 2012-06-27
Hello:

I have a user that swears that he turned off his Windows XP Professional PC over the weekend.  And that this morning, it was logged on and a web page was minimized (that he never opened).  Additionally, the Windows screen was not locked.  I walked the user through changing his password and we took a look at the event viewer logs together.

The user's PC has Windows XP Professional SP3 installed.  The PC is set to go to 'stand by' mode after 15 minutes of inactivity.  I did not see anything in the 'System' logs to indicate that his PC was turned on over the weekend.  It appears that it was never turned off, actually.

I say this because I only see a 'The Event log service was started.' entry in the system logs after he restarted the PC today (after he came in).

My questions are:

1.  How can I verify when the last time the PC was turned off?
2.  How can I verify when the PC was turned on last?
3.  How can I verify if the PC was locked (because of stand by mode) and then unlocked?
       a.  Unlocked by entering a username and password?

4.  When I initiated a shutdown and start up right in front of the user, I was able to see the new system logs indicating a new restart. 'The Event log service was started.'
0
Question by:Pkafkas
7 Comments
 
LVL 11

Expert Comment

by:madhatter5501
ID: 36489856
I think the way I would do it is by going through the success audit logs in event viewer which it sounds like you are already doing.  I think you can filter by date range.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 36490342
You can use the audit log as well as query the lastLogon and lastLogonTimestamp attributes. You can use Richard's script or the OldCmp tool from Joe Richards.
http://www.rlmueller.net/Last%20Logon.htm
http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
OldCmp can be downloaded here:
http://www.joeware.net/freetools/tools/oldcmp/

Regards
________________________________________
Awinish Vishwakarma
MY BLOG:  http://awinish.wordpress.com
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 36490766
Hello Awinish:

Will that downloaded file just create another set of logs in the Event Viewer?  Can you elaborate on what is included?
0
 
LVL 12

Accepted Solution

by:
Navdeep earned 2000 total points
ID: 36491151
Hi,

You can give this tool a try: EventCombMT. You can run a search across multiple machines' event viewers based on the event ID supplied. Pretty handy, with a GUI interface.

Regards,
v-2nas
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 36491844
I just tested that if a user has the 'stand by' setting set, it does not password protect the PC every time.

I will recommend to the user to check the box (to password protect) in the display-settings/screensaver tab.  In this case, I believe the user was mistaken; but, going forward it is a good idea to have some proof.

I will look into the 'EventCombMT' command tomorrow.  Thank you, v-2nas

http://support.microsoft.com/kb/824209
0
 
LVL 1

Author Comment

by:Pkafkas
ID: 36498911
http://support.microsoft.com/kb/824209  this worked pretty good.

The output:

Find Events After: Thu Sep 01 15:27:54 2011
Find Events Before: Sun Sep 04 15:27:54 2011
Event IDs:   529 644 675 676 681
No Event Text specified.
No Event Source specified.
No Between Event IDs specified.
Will Search the following servers:
XXX
To find these events we'll need a search running. It has already begun....
 
Spawning Thread for: XXX
Thread Running for: XXX
All threads Scheduled to run are running.
Exiting thread for: XXX
Total events searched: 0
Total matches found: 0
Servers/Logs Searched: 1
DLL Cache Contained: 0
SID Cache Contained: 0
Start time: Wed Sep 07 15:31:00 2011
Finish time: Wed Sep 07 15:31:00 2011
True records per second: 0.00
0
 
LVL 4

Expert Comment

by:ZeevM333
ID: 36498954
Open command prompt and type this:
systeminfo| find "System Up Time"

will pretty much answer your question
0
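
Added example, not code from anyone in the thread: on Windows XP the asker's questions 1 to 3 map onto event IDs 6005 and 6006 in the System log (event log service started at boot, stopped at clean shutdown) and 528 and 529 in the Security log (successful and failed logon, where logon type 7 is a workstation unlock), whereas the IDs in the EventCombMT search above are failure and lockout events. The Python below rebuilds power-on periods and lists logons inside a time window. Assumptions: logon auditing is enabled on the PC, and the records are constructed samples in a simplified tuple shape, not a real Event Viewer export.

```python
from datetime import datetime

# Windows XP / Server 2003 event IDs (Vista and later use different numbers).
BOOT, CLEAN_STOP = 6005, 6006   # System log, source "EventLog"
LOGON, FAILED_LOGON = 528, 529  # Security log; written only if logon auditing is on
LOGON_TYPES = {2: "interactive", 7: "unlock", 10: "remote desktop", 11: "cached"}

# Constructed sample records (time, event ID, logon type, user); not real data.
SAMPLE = [
    ("2011-09-02 08:01:10", 6005, None, None),
    ("2011-09-02 08:03:42", 528, 2, "jdoe"),
    ("2011-09-03 14:22:05", 529, 7, "jdoe"),
    ("2011-09-03 14:22:31", 528, 7, "jdoe"),
    ("2011-09-06 09:10:00", 6006, None, None),
    ("2011-09-06 09:12:30", 6005, None, None),
]

def load(records):
    """Parse timestamps and return the records in chronological order."""
    rows = [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), eid, ltype, user)
            for t, eid, ltype, user in records]
    return sorted(rows, key=lambda r: r[0])

def power_periods(events):
    """Pair each boot with its clean stop. A boot that follows a boot closes the
    earlier period there (crash or power loss); end None means still running."""
    periods, boot = [], None
    for when, eid, _, _ in events:
        if eid == BOOT:
            if boot is not None:
                periods.append((boot, when))
            boot = when
        elif eid == CLEAN_STOP and boot is not None:
            periods.append((boot, when))
            boot = None
    return periods + ([(boot, None)] if boot is not None else [])

def logons_between(events, start, end):
    """Successful and failed logons inside [start, end], labelled by logon type."""
    return [(when, user, LOGON_TYPES.get(ltype, f"type {ltype}"),
             "success" if eid == LOGON else "failure")
            for when, eid, ltype, user in events
            if eid in (LOGON, FAILED_LOGON) and start <= when <= end]

def window_report(records, start, end):
    """Return (was the PC powered on during the window?, logons in the window)."""
    events = load(records)
    powered = any(b <= end and (e is None or e >= start) for b, e in power_periods(events))
    return powered, logons_between(events, start, end)
```

Calling window_report(SAMPLE, start, end) with the weekend's bounds shows whether the machine was up during that span and which logons or unlocks fell inside it.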
