registry - PowerShell - last logged on user - same input, different output - update
@hal9256
Your answer made me think!
I did some more googling and found a website that offers an approach.
So far, it works!
I remote into a server and run a PowerShell script that displays the last logged on user.
Several things:
- it works when run in the context of a service account, not administrator
- it takes several minutes to output
But when run in the context of the service account, I get different output for the same input:
    $line_array = @()
    $multi_array = @()
    [hashtable]$my_hash = @{}

    # Split each argument on spaces, then split each token on "=" into key/value pairs
    foreach ($i in $args) {
        $line_array += $i.split(" ")
    }
    foreach ($j in $line_array) {
        $multi_array += ,@($j.split("="))
    }
    foreach ($k in $multi_array) {
        $my_hash.add($k[0], $k[1])
    }
    $sender_ip = $my_hash.get_item("sender-ip")

    # Pull the two most recent 4624 (logon success) events for a real user account
    # (SID longer than a well-known short SID, and not a machine account ending in "$")
    $eventlist = @()
    get-eventlog "security" -computername $sender_ip `
        | where-object -filterscript { $_.eventid -eq 4624 -and $_.replacementstrings[4].length -gt 10 -and $_.replacementstrings[5] -notlike '*$' } `
        | select-object -first 2 `
        | foreach-object {
            $row = "" | select-object username, logintime
            $row.username = $_.replacementstrings[5]
            $row.logintime = $_.timegenerated
            $eventlist += $row
        }
    $userid = $eventlist[0].username
    $userid
For instance, I invoke the script on the command line with
    script.ps1 "sender-ip=10.10.10.10"
The first time I run it, it outputs the user's Windows logon name.
The second time I run the same script with the same input, it outputs the service account used to run the PowerShell script.
And when I try running the same script with the same input again, it outputs the same service account.
~~~~~~~
Next, I try running the script with an IP address.
The first time I run the script, it outputs the Windows logon name.
The second time I run the script, it outputs the service account the PowerShell script is running as.
~~~~~~~
This seems to be a pattern. The first time the script is run, it returns the correct result; the second time it is run, it returns the service account.
Why is this happening?
How do I make the script return the correct output no matter how many times it is invoked?
How do I troubleshoot this?
This is because of how the script gets the information about the last logged on user.
You are getting the last logged on user from the security event log. It logs everything that "logs on" to the computer... including accesses by WMI, service accounts, etc.
What's happening is:
- Before the script runs:
    - contoso\user1 logs onto the computer
    - EventID 4624 - logon success - contoso\user1 logged
- Run the script the first time:
    - the script runs as contoso\serviceaccount
    - the script accesses the computer via WMI to pull the security event log
    - the security event log shows the last logged on user as contoso\user1
    - EventID 4624 - logon success - contoso\serviceaccount logged
    - EventID 4634 - logoff success - contoso\serviceaccount logged
- Run the script the second time:
    - the script runs as contoso\serviceaccount
    - the script accesses the computer via WMI to pull the security event log
    - the security event log shows the last logged on user as contoso\serviceaccount
    - EventID 4624 - logon success - contoso\serviceaccount logged
    - EventID 4634 - logoff success - contoso\serviceaccount logged
This is because in order to access WMI, you have to authenticate on the computer. Essentially, WMI uses the service account to "log onto" the computer, access the information it needs, return the information, and log off.
This is why you are getting weird results.
To fix this, you have 3 options:
1. Continue to use the same script to pull out the event log entries, but add code to filter out the service account name, i.e. use the username from:
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Then use "where -filterscript" to filter out the user the script is running as.
The downside to this method is that there are a lot of other service accounts running various scheduled tasks or startup scripts that change who the "last" logged on user was. It may be better to pull the last 5 logged on users, and have a better idea of what's going on.
2. Use this code to get the logged on user:
    (Get-WmiObject -Class Win32_ComputerSystem -ComputerName "computername").UserName
3. A different and unique way of getting the last logged on user is to use the last write access time on the user profile file (ntuser.dat). Typically a user logging in "interactively" will have a user profile created.
    Get-ChildItem C:\Users\*\ntuser.dat -Force |
        Select-Object @{n='User'; e={ Split-Path $_.Directory -Leaf }}, Last* |
        Sort-Object LastWriteTime -Descending
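As an added example that is not part of the original question or answer, here is how option 1 above could be put together: keep reading 4624 events from the remote machine, but drop the account the script itself runs as (the logon that the remote event log read generates), drop machine accounts, and return the most recent logon for each of the last few distinct users instead of a single "last" entry. It goes one step beyond the answer's account-name filter by also keeping only interactive logon types (ReplacementStrings[8] of 2, 10 or 11), so that network logons from WMI and other services are excluded regardless of which account made them. The parameter names `-ComputerName` and `-Last`, the default of 5 users, and the `-Newest 500` window are assumptions for this example.

```powershell
# Added example (not from the original question or answer): option 1 from the
# answer above, i.e. keep reading 4624 events but exclude the account the
# script itself runs as. Parameter names, the default of 5 users and the
# 500-event window are assumptions for this example.
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName,
    [int]$Last = 5
)

# The account this script runs as. Reading the remote event log authenticates
# as this account and itself writes a 4624 to the target, which is why the
# original script started returning the service account on the second run.
$runningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# ReplacementStrings layout for event 4624 in the Security log:
#   [4] TargetUserSid  [5] TargetUserName  [6] TargetDomainName  [8] LogonType
# Logon types kept: 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
# Type 3 (Network) is what WMI, remote event log and remote registry access produce.
$interactiveTypes = @('2', '10', '11')

$events = Get-EventLog -LogName Security -ComputerName $ComputerName -InstanceId 4624 -Newest 500 |
    Where-Object {
        $user   = $_.ReplacementStrings[5]
        $domain = $_.ReplacementStrings[6]
        $full   = "$domain\$user"
        ($_.ReplacementStrings[4].Length -gt 10) -and
        ($user -notlike '*$') -and
        ($full -ne $runningAs) -and
        ($interactiveTypes -contains $_.ReplacementStrings[8])
    } |
    Select-Object @{n='User';      e={ "$($_.ReplacementStrings[6])\$($_.ReplacementStrings[5])" }},
                  @{n='LogonType'; e={ $_.ReplacementStrings[8] }},
                  @{n='LogonTime'; e={ $_.TimeGenerated }}

# Newest first; Group-Object preserves that order, so Group[0] is each user's
# most recent interactive logon. Return the last $Last distinct users.
$events |
    Sort-Object LogonTime -Descending |
    Group-Object User |
    ForEach-Object { $_.Group[0] } |
    Select-Object -First $Last
```

Run it as `.\last-logons.ps1 -ComputerName 10.10.10.10` under the same service account as the original script; the service account's own network logon no longer appears in the output, and the `-Last` list gives the wider view the answer suggests when other scheduled tasks or startup scripts are also logging on. The SID-length check (`-gt 10`) is carried over from the original script to skip well-known short SIDs such as SYSTEM and ANONYMOUS LOGON.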