When someone logs onto a windows computer, I am wondering where that log is made and in what file and the best course of action to view those files.
It depends…what type of environment are you referring to?
If you're talking about a standalone system, and if the system has been configured to audit the appropriate activity, you need to check the Security Event Logs. If you're talking about a domain or AD, you need to check the logs on the DC.
However, by default, Windows doesn't audit login activity. However, there are other ways to determine this information. More information is needed, however.
If we are looking at a stand alone computer, to see when a user logged in and logged off, is basically what I am in need of information on.
Note I am aware of EventViewer, what we are really looking for is to see when users logged in and logged off (time) on a computer.
Also, other than LogParser, are there any handy tools to view this information?
Sounds like you've got all you need. If you're not seeing logons and logoffs, this may be due to the fact that (a) the system isn't auditing those events or (b) no one's done either.
Some potentially useful information can be found in the following registry keys
(Thank you, AccessData.)
SYSTEM - \ControlSetXXX\Control\Windows
- Last "normal shutdown" time
SOFTWARE - \Microsoft\Windows NT\CurrentVersion\Winlogon
- Name of Last User logged in
- Default user and corresponding domain
SOFTWARE - \Microsoft\Windows NT\CurrentVersion\ProfileList
- User security identifiers for users with profiles on the system
SAM - \Domains\Account\users\Names
- Lists local account security identifiers
SAM - \Domains\Account\Users\F Key
- Bytes 9-16 store the last log on time
- Bytes 41-48 store the last unsuccessful log on attempt
There are many utilities available for download to extract this info and more, too. A quick Google search shows many.
I hope this helps.
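The registry artifacts listed above can be pulled from a live system with a few lines of PowerShell. The script below is an added example for this thread, not code posted by the author or shipped with AccessData or RegRipper. It assumes the well-known value names ShutdownTime (under Control\Windows), DefaultUserName / DefaultDomainName / LastUsedUsername (under Winlogon) and ProfileImagePath (under each ProfileList SID subkey); LastUsedUsername is absent on older Windows versions. The SAM hive is readable only by SYSTEM, so the F value decoder is written as a function that takes the raw bytes you have extracted by other means (for example from an offline hive copy), using the offsets the post gives.

```powershell
# Added example: read the registry artifacts listed in the post (run elevated).

# SYSTEM\ControlSetXXX\Control\Windows -> ShutdownTime (assumed value name, 8-byte FILETIME)
$win = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows' -Name ShutdownTime -ErrorAction SilentlyContinue
if ($win) {
    $ft = [BitConverter]::ToInt64($win.ShutdownTime, 0)
    "Last normal shutdown : {0}" -f [DateTime]::FromFileTime($ft)
}

# SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> default / last user
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"Default user         : {0}\{1}" -f $wl.DefaultDomainName, $wl.DefaultUserName
if ($wl.LastUsedUsername) { "Last used user name  : {0}" -f $wl.LastUsedUsername }

# SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList -> SIDs that have a profile
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object {
    $sid = $_.PSChildName
    try {
        $acct = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch { $acct = '<unresolved>' }        # deleted or foreign account
    [pscustomobject]@{
        SID     = $sid
        Account = $acct
        Profile = (Get-ItemProperty $_.PSPath).ProfileImagePath
    }
} | Format-Table -AutoSize

# SAM\Domains\Account\Users\<RID>\F -> decode the two timestamps the post names.
# Input: the raw F value bytes, obtained from an offline SAM copy (SAM is SYSTEM-only when live).
function Convert-SamFValue {
    param([Parameter(Mandatory)][byte[]]$F)

    # Helper: FILETIME of 0 means "never"; bytes 9-16 in the post are 0-based offset 8.
    function Get-FileTimeAt([byte[]]$b, [int]$offset) {
        if ($b.Length -lt $offset + 8) { return $null }
        $ticks = [BitConverter]::ToInt64($b, $offset)
        if ($ticks -eq 0) { return 'never' }
        return [DateTime]::FromFileTimeUtc($ticks)
    }

    [pscustomobject]@{
        LastLogon          = Get-FileTimeAt $F 8    # bytes 9-16
        LastFailedLogon    = Get-FileTimeAt $F 40   # bytes 41-48
    }
}

# Constructed sample: 48 zero bytes with a FILETIME for 2009-06-11 11:31:36 UTC at offset 8.
$sample = New-Object byte[] 48
[BitConverter]::GetBytes([DateTime]::new(2009, 6, 11, 11, 31, 36, 'Utc').ToFileTimeUtc()).CopyTo($sample, 8)
Convert-SamFValue -F $sample
```

The SID-to-account translation will fail for profiles whose accounts have since been deleted, which is itself a useful finding when reconstructing who used a machine.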
RegRipper extracts all of these for you…
If your 'windows computer' is running Vista, Successful Logins are recorded in the SECURITY.EVTX log as event ID 4624.
The best way to view the file is by forensically copying said log file to another Vista machine and using its own event viewer.
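To turn the Security log into a logon/logoff timeline without LogParser, as the earlier poster asked, Get-WinEvent does the job on Vista and later, both against the live log and against a forensically copied Security.evtx. The script below is an added example for this thread, not code from any of the posters. It pairs event 4624 (logon) with 4634 (logoff), pulls the account, logon type and source address from the event XML, and skips machine accounts. The -Path parameter name and the auditpol category are real; the case path is a placeholder you replace with your own copy.

```powershell
# Added example: logon/logoff timeline from the Security log (live or an exported .evtx).
# Requires an elevated prompt for the live Security log.

# Confirm auditing is actually on; by default Logon/Logoff success may not be audited.
auditpol /get /category:"Logon/Logoff"

$LogonTypes = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock'
                 8='NetworkCleartext'; 9='NewCredentials'; 10='RemoteInteractive'; 11='CachedInteractive' }

function Get-LogonTimeline {
    param(
        [string]$Path,                          # optional: exported Security.evtx copy
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filter = @{ Id = 4624, 4634; StartTime = $Since }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Security' }

    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Read EventData fields by name; positional indexes differ between event IDs.
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }

        if ($d.TargetUserName -like '*$') { return }   # skip computer accounts
        if ($d.TargetUserName -in 'SYSTEM', 'ANONYMOUS LOGON') { return }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            Event     = if ($_.Id -eq 4624) { 'Logon' } else { 'Logoff' }
            Account   = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            LogonType = $LogonTypes[[int]$d.LogonType]
            LogonId   = $d.TargetLogonId                # matches a 4624 to its 4634
            Source    = $d.IpAddress                    # empty for 4634
        }
    } | Sort-Object Time
}

# Live system, last 7 days:
Get-LogonTimeline | Format-Table -AutoSize

# Forensic copy of the log (placeholder path):
# Get-LogonTimeline -Path 'C:\case\Security.evtx' -Since '2009-01-01' | Export-Csv logons.csv -NoTypeInformation
```

TargetLogonId is the value to join on: the 4634 carrying the same LogonId as a 4624 closes that session, which is how you get a session duration rather than two unrelated timestamps. Expect Network (type 3) entries to dominate on any domain-joined host; Interactive, Unlock and RemoteInteractive are the ones that answer "who sat at or remoted into this machine".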
On WinXP, take a look at
C:\WINDOWS\system32\CCM\Logs\execmgr.log
Also - watch for backup of the log. Sample backup log name listed below
execmgr-20090611-113136.log