Can someone tell me where (I'm assuming it's in the registry) I can find a count of how many times a user has logged in? I've searched this forum, Google, etc., and can't find the registry key. Right now, I'm dealing with Windows XP Service Pack 3. I'd also like to know the location in Vista if it's different.
I ran RegRipper and it identified 841 logins. I need to know where that number came from. As respected as Harlan is, I can't just assume RegRipper is doing the right thing without verifying it first. For what it's worth, I do have Harlan's book, but it's at home and I'm at work.
Any help would be appreciated.
Thanks
Well, I got the information I used to construct the various tools and ultimately the RegRipper plugin from Peter Nordahl's ntchpwd tool. This is essentially the same as what is provided by AccessData
http//
So, you can validate it by hand, if you like, *assuming* that all of these sources are correct…
Thank you very much!! This was exactly what I needed. Using F Value offset 66-67, I came up with the same number as RegRipper. At this point I have no other choice but to assume that RegRipper and the AccessData paper are correct, and document how I came up with the number.
Well, there are ways to verify this…
Create a new account on your system, and log into it…once, twice, whatever. Using FTK Imager, grab a copy of the SAM hive file from the live system, and run it through RegRipper. If your results correspond to what you see in the RegRipper report as well as by hand, you can add "testing" to your report…
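
The by-hand check discussed in this thread, as an added example that is not part of any post and is not RegRipper's code: it takes a user's F value as a `.reg`-style hex export and reads the count at offset 66-67. Assumptions: the field is a little-endian 16-bit integer, the account RID sits at bytes 48-51 (used only to confirm the right user key is being read), and the sample F value is constructed, not taken from a real hive.

```python
import struct

LOGIN_COUNT_OFFSET = 66  # bytes 66-67 of F, the offset quoted in the thread
RID_OFFSET = 48          # assumption (not from the thread): 32-bit RID at bytes 48-51
MIN_F_LENGTH = LOGIN_COUNT_OFFSET + 2


def parse_reg_hex(text):
    """Convert a .reg-style '"F"=hex:aa,bb,\\' export (with continuations) to bytes."""
    _, sep, body = text.partition("hex:")
    if not sep:
        raise ValueError("no 'hex:' value found")
    tokens = "".join(body.split()).replace("\\", "").split(",")
    return bytes(int(tok, 16) for tok in tokens if tok)


def decode_f_value(f_bytes, key_name=None):
    """Read the login count by hand; optionally cross-check the RID with the key name."""
    if len(f_bytes) < MIN_F_LENGTH:
        raise ValueError(f"F value too short: {len(f_bytes)} bytes")
    # Assumption: both fields are stored little-endian
    (login_count,) = struct.unpack_from("<H", f_bytes, LOGIN_COUNT_OFFSET)
    (rid,) = struct.unpack_from("<I", f_bytes, RID_OFFSET)
    result = {
        "login_count": login_count,
        "raw_bytes": f_bytes[LOGIN_COUNT_OFFSET:MIN_F_LENGTH].hex(),
        "rid": rid,
    }
    if key_name is not None:
        # User subkeys are named with the RID in hex, e.g. 000003EB
        result["rid_matches_key"] = int(key_name, 16) == rid
    return result


def build_sample_export(login_count=841, rid=1003, length=80):
    """Constructed test data only: a zeroed F value with two fields filled in."""
    buf = bytearray(length)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    struct.pack_into("<H", buf, LOGIN_COUNT_OFFSET, login_count)
    hexed = [f"{b:02x}" for b in buf]
    rows = [",".join(hexed[i:i + 25]) for i in range(0, len(hexed), 25)]
    return '"F"=hex:' + ",\\\n  ".join(rows)


if __name__ == "__main__":
    info = decode_f_value(parse_reg_hex(build_sample_export()), key_name="000003EB")
    print(info)
```

Recording the raw bytes next to the decoded number gives the report something a reviewer can recheck against the hive without rerunning any tool.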