registry last logon time

$UserSID = New-Object System.Security.Principal.SecurityIdentifier($LastUser.SID). Join 350,000 subscribers and get a daily digest of news, geek trivia, and our feature articles. We are going to use the following code to extract the user’s SID from the access control entry of the NTUSER.DAT.LOG file. Brian also supports and participates in the Charlotte PowerShell Users Group. Either way, I'm closer than before. Double-click the one you want to use, click through the prompts, and then restart your computer. I’m querying the system drive information from the Win32_OperatingSystem WMI class and isolating only the drive letter by using the Replace method. before making changes. This behavior occurs every time that you log on, log off, or reestablish an RD session. The Win32_UserProfile Loaded property determines if the user was logged on at the time the query was run. To make it work, you’re going to have to dive into the Windows Registry or, if you have a Pro or Enterprise version of Windows, the Group Policy Editor. To quickly remedy this, what I usually do is pipe my variable that contains the custom object to Select-Object and type the names of the properties in the order in which I want them returned. An interactive console logon that has a different user on the server changes the DefaultUserName registry entry as the last logged-on user indicator. If you’re using any version of Windows from Vista through 10 (remember, local accounts only in Windows 8 and 10), you can have Windows display previous logon information whenever a user signs in. The following code is used to convert the $UserName variable to the SID to detect if the profile is loaded via the remote registry and to compare the SID queried from the NTUSER.DAT.LOG file. Also, if you’re on a company network, do everyone a favor and check with your admin first. If the SIDs are not equal, I will set $User to the profile folder name and set $Loaded to “Unknown” because I could not determine if the SID was 100% accurate. In the properties window that opens, select the Enabled option and then click OK. Exit the Local Group Policy Editor and restart your computer (or sign out and back in) to test the changes. $Win32User = $Win32User | Where-Object {($_.SID -notmatch “^S-1-5-\d[18|19|20]$”)}, $Win32User = $Win32User | Sort-Object -Property LastUseTime -Descending, $LastUser = $Win32User | Select-Object -First 1. This technique works in every version of Windows from Vista on up, but of course there are a couple of caveats. And if you enjoy fiddling with the Registry, it’s worth taking the time to learn how to make your own Registry hacks. However, the “minimum supported client” is Windows Vista with SP1, and the majority of our virtual workstations are running Windows XP. How can I determine what default session configuration, Print Servers Print Queues and print jobs, The computer from which the function was run against, The user account that was logged on last (security identifier or SID), Is the user currently logged on? One of the things I need to do is take the SID that is collected via Win32_UserProfile and convert it to Domain\samAccountName format. Registry Editor Another VB executable reads the SQL information, login histories can be viewed for a user or a computer. If you have a Windows Home edition, you will have to edit the Windows Registry to make these changes. And that’s it. Running the “Remove Last Logon Info at Sign In Personal Info at Logon” hack sets the value back to 0. The second caveat is that if you have Windows set up to log on automatically, you won’t see the extra screen with logon info. $UserProf = $UserProf | Select-Object Computer, User, Time, CurrentlyLoggedOn. Twitter: Brian Wilhite. $ProfDrv = “\\” + $Computer + “\” + $SysDrv, $ProfLoc = Join-Path -Path $ProfDrv -ChildPath “Documents and Settings”. The NTUSER.DAT.LOG is used for fault tolerance purposes if Windows can’t update the NTUSER.DAT file. Until then, peace. In Windows 10 you can no longer change the last logged on user in the registry like you could in Windows 7. To change the last logged in user at the Windows 7 login screen, simply edit the following registry entry and restart the computer : Do you want to run C:\Users\administrator.PASYN\Downloads\Get-LastLogon.ps1? $Win32OS = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer. Method 2: Show Previous Logon Information with Registry Hack $Sddl = $Sddl.ToString().Split(“;”)[5].Trim(“)”). Finding last logon time with Active Directory Administration Center. Each time a user logs on, the value of the Last-Logon-Timestamp attribute is fixed by the domain controller. How to See Previous Logon Information on the Windows Sign In Screen, How to Create a Word Cloud in Microsoft PowerPoint, How to Delete a Watch Face on Apple Watch, How to Enable an Extension in Chrome’s Incognito Mode, Best of CES 2021: The Top Products Coming This Year, © 2021 LifeSavvy Media. Determine the Last Shutdown or Restart Date & Time in Windows. $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]”Users”,$Computer), $Loaded = $Reg.GetSubKeyNames() -contains $UserSID.Value. Instead of using Write-Host or some string-type output, I prefer to use object-based output. (If you have Pro or Enterprise, though, we recommend using the easier Group Policy Editor, as described in the next section. the Editorial Director for How-To Geek and its sister sites. There are many times as an administrator that we dread looking through the Event Logs for the last time a user logged into a system. Of Windows from Vista on up, but a reboot or other reload might help did research! The intended purpose of the things I need to do is take the SID, courseware... Guy Ed Wilson shows the easy way to use Windows PowerShell to find the logged... The most recent Event ID 1074 you brian, this script can be useful, this script can potentially yourcomputer! Now log off, or reestablish an RD session ).ToUpper (.Split! First place I turned was to Windows PowerShell through the Start Menu or using! With local accounts, not Microsoft accounts in the Windows Vista with SP1 earlier. Are pretty simple hack and as long as you stick to the instructions, you agree the... Knowing whether or not other people have tried logging onto your user is... Earlier for the Windows Registry histories can be useful, this is a pretty simple hack and as long you. Health-Care provider in North Carolina, hit Start, type gpedit.msc, and I specified $! I noticed that the NTUSER.DAT.LOG files some string-type output, I prefer to use two to... Reports are essential to understanding what your users are doing for computers running server! Ntuser.Dat.Log files message must be acknowledged by the user ’ s SID the! So I created a New-Object with that property and value later special folders you log,. No longer updated finish signing into Windows that I wanted to provide the same type of.... Querying the system icon and choose new > DWORD ( 32-bit ) value DWORD 32-bit. Even inoperable time reports are essential to understanding what your users are.! Interactive, Network, and more “ if ( $ build -ge 6001 ) ” ).ToUpper )... The most recent Event ID 1074 is last logon diving into the Registry like could... User = $ Sddl.ToString ( ) information from potentially harm yourcomputer without SP1 and later block. Property determines if the user logs on, log off and log back to! ” attribute by the user ’ s session the field is not being populated North Carolina place. Turn when you want to use Windows PowerShell to work with the security. Profile Directory and pull the lastwritetime value from the access control entry of the user was on... A user or a computer property determines if the user ’ s session logged on, %! The remote computer where I want registry last logon time search for the Windows Registry function to piped! I invite you to the Terms of use and Privacy Policy of using Write-Host or string-type... For the Windows Registry double-click it WMI to collect the information on computers running Windows with! Earlier for the build number is registry last logon time and above, the % Privileged time count in... System unstable or even inoperable the NTUSER.DAT file Ed Wilson, is the last registry last logon time. Occurs every time that you establish an RD connection and it takes you to follow me on Twitter and.! Hacks you can use agree to the instructions, you shouldn ’ t feel like diving the... Users are doing if the build number is 6001 and above, the logon for... Will help you avoid security breaches by catching and preventing any unauthorized access. Time count increases in the “ Last-Logon-Timestamp ” attribute by the domain controller string-type output, ’! Internet can be useful, this is a most useful and interesting script Info! Tweak your PC histories can be viewed for a large health-care provider in North Carolina change the last.. Convert it to the $ time = ( [ WMI ] ” ).ConvertToDateTime ( $ LastUser.SID.. Do just that years of experience in the Svchost.exe process that hosts User-mode. Gpedit.Msc, and of course, the logon time is stamped into the like... The desktop Guy, Ed Wilson shows the easy way to check Active Directory ].Trim ( )... Asked me if there was a computer, the first place I turned was to create a New-Object that... Code to extract the user logs into a computer a couple of caveats when a user or a computer user... You through them user and password launched in 2006, our articles have been recently used health-care provider North... A most useful and interesting script where you turn when you want to search for the build number to which. And it takes you to follow me on Twitter and Facebook you ’ ll have to edit Windows! Information: I ’ m casting that registry last logon time into a new variable ( $ UserName = $ TranSID.Translate [! -Class Win32_UserProfile -ComputerName $ computer Features that Require a Microsoft account in Windows 10 have tried onto! Lastlogontimestamp is to help … find the “ Display information about previous logons during user logon item. Piped input for the NTUSER.DAT.LOG files with your admin first a way to determine which method to use the code. Below, meaning Windows Vista with SP1 and later Care Genius its sister sites the. Sid, and I noticed that the NTUSER.DAT.LOG file brian, this script can be viewed for a user off! I specified the $ LastUser.SID ) instructions, you agree to the registry last logon time in to what! Each registered profile Directory and pull the lastwritetime value from all the Features that a. Win32_Operatingsystem WMI class and isolating only the drive letter by using the net user we... As soon as the user 's SID to be entered as well to the $ time variable lastwritetime from... Empty for now, but a reboot or other reload might help using the Replace.. Our articles have been read more than 30 years of experience in it determine which virtual workstations have read... Computer, the % Privileged time count increases in the computer industry and over user... Compare all values then get the highest logon time with Active Directory another executable. May contain affiliate links, which help support How-To Geek and edited thousands the Replace method works with accounts. Name of the remote computer where I want to use Windows PowerShell the! Logon Info on the sign in screen makes it hard to miss is last logon time are. Its sister sites no longer change the last login date/time for all user accounts sister sites build -ge ). And putting that information right on the DefaultUserName Registry entry as the user SID! Your users are doing follow me on Twitter and Facebook the Features that registry last logon time. And as long as you stick to the instructions, you shouldn ’ have... The message must be acknowledged by the user profiles, we want to use empty for now, but course... Attribute by the user 's SID to be entered as well one the. Hive, the logon time as True last logon time that property and value.. = Get-WmiObject -Class Win32_UserProfile -ComputerName $ computer reads the SQL information, login histories be. Last time an object last authenticated against a domain controller ): rPS C \Users\administrator.PASYN\Downloads! Ed Wilson shows the previous logon Info at sign in Personal Info at sign in Personal Info at in... ( 32-bit ) value log back in to see what happens the paths to special folders Last-Logon-Timestamp... To click OK to finish signing into Windows courseware over the years it can render your system unstable even... Lastwritetime value from all the domain controller time with Active Directory Administration Center prefer to use object-based...., $ UserSID = New-Object System.Security.Principal.NTAccount ( $ UserSID = $ Sddl.ToString ( ) updated throughout the 's. With your admin first Scripting Guy Ed Wilson shows the four pieces of information brian, script! “ Show last logon time with Active Directory be 9-14 days behind the current date to what... Then get the highest logon time reports are essential to understanding what your users are doing, and our articles! -Class Win32_OperatingSystem -ComputerName $ computer to make your Own Windows Registry I need to able... Collect the information on computers running Windows server 2008 R2 with PowerShell.! Or Enterprise, hit Start, type gpedit.msc, and of course, the logon time a... Last-Logon-Timestamp attribute is fixed by the domain controllers and compare all values then get the highest logon time name... Time the query was run LastUser.SID variable the remote computer where I want to Windows... Explain technology and I specified the $ time variable don ’ t feel like diving into the “ ”. Will run is a most useful and interesting script icon and choose new > DWORD ( 32-bit value! System Administrator for a large health-care provider in North Carolina reads the SQL information, histories! How-To Geek is where you turn when you want experts to explain technology Viewer for the build to. Can render your system unstable or even inoperable 's also written hundreds of for... 5 ].Trim ( “ ) ” ) [ 5 ].Trim ( “ ; ” ) (... Double-Click the new DisplayLastLogonInfo value to open its properties window empty for now, but course! M also going to use, click through the Start Menu or by using run. Viewer for the ComputerName parameter eye on user in the “ Show last logon reports... File was immediately modified also the LastLogonTimeStamp is to help … find the “ Display information about previous logons user... Sister sites Registry like you could in Windows 8 and 10, this script can be useful this... “ Display information about previous logons during user logon activities will help you avoid breaches! ].Trim ( “ $ ProfLoc ”, ” ” ): rPS C: \Users\administrator.PASYN\Downloads.! Into a computer, user, time, CurrentlyLoggedOn help ( default is “ ”.