Open-AudIT

What's on your network?

All times are UTC + 10 hours




Post subject: Re: Beta 2 Bugs
Posted: Mon Oct 03, 2011 11:59 pm
Newbie

Joined: Fri Sep 30, 2011 10:24 pm
Posts: 7
In a simpler manner, you could just switch the order in which you check for both values... That is to say:
1. Check for HKLM\software\microsoft\windows\currentversion\authentication\logonui\lastloggedonuser (this reg.key does not exist on XP systems)
2. If the value returned from Step 1 is NULL, check HKLM\software\microsoft\windows nt\currentversion\winlogon\DefaultUserName

My first tests in a domain of ~600 workstations (mixed winXP & win7) indicate that this solution works.

lines 220-230 of my audit_windows.vbs:
Code:
' last logged on user
' try the Windows 7 location first; it does not exist on XP, so windows_user_name comes back Null there
oreg.getstringvalue hkey_local_machine, "software\microsoft\windows\currentversion\authentication\logonui", "lastloggedonuser", windows_user_name
oreg.getstringvalue hkey_local_machine, "software\microsoft\windows nt\currentversion\winlogon", "DefaultDomainName", windows_user_domain
if isnull(windows_user_domain) then
   windows_user_domain = ""
else
   windows_user_domain = "@" & windows_user_domain
end if
if isnull(windows_user_name) then
   ' fall back to the XP location
   oreg.getstringvalue hkey_local_machine, "software\microsoft\windows nt\currentversion\winlogon", "DefaultUserName", windows_user_name
end if


Mark wrote:
Quote:
In OAv2, for Windows 7, it seems to be getting this setting from here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName

While it seems like the actual last logged on user setting is located here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser


So, are you guys thinking I should change this (when it's detected that we are auditing a Win7 machine)?

Maybe if we detect Win7, simply use the second value?

_________________
Server Info:
OS : CentOS Linux release 6.0 (Final)
Auditing: 700 machines
LDAP: Active Directory


Post subject: Re: Beta 2 Bugs
Posted: Tue Oct 04, 2011 4:43 pm
Newbie

Joined: Fri Sep 30, 2011 10:24 pm
Posts: 7
You only need to switch the order in which you check those registry keys:
1. First check for the Win7 key (HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser).
2. If value returned is NULL, check the WinXP key (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName)

So, basically, all one needs to do is switch lines 221 and 242 on audit_windows.vbs

_________________
Server Info:
OS : CentOS Linux release 6.0 (Final)
Auditing: 700 machines
LDAP: Active Directory
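
Added example (not from the thread or the Open-AudIT code base): the lookup order described in the two posts above, written as a stand-alone VBScript function. It goes slightly beyond the posted snippet by treating empty strings like missing values and by assuming LastLoggedOnUser is stored as DOMAIN\user (".\user" for a local account); the helper names ReadString, SplitAccount and LastLoggedOnUser are hypothetical.

```vbscript
Option Explicit
' Added example: helper names are hypothetical, registry paths are the ones quoted in the thread.
Const HKEY_LOCAL_MACHINE = &H80000002
Const LOGONUI_KEY  = "software\microsoft\windows\currentversion\authentication\logonui"
Const WINLOGON_KEY = "software\microsoft\windows nt\currentversion\winlogon"

' Read a string value; return "" when the key or value is missing or empty.
Function ReadString(reg, keyPath, valueName)
    Dim value
    reg.GetStringValue HKEY_LOCAL_MACHINE, keyPath, valueName, value
    If IsNull(value) Or IsEmpty(value) Then value = ""
    ReadString = Trim(value)
End Function

' Split "DOMAIN\user" into its parts; a name without a backslash gets an empty domain.
Sub SplitAccount(account, ByRef user, ByRef domain)
    Dim pos
    pos = InStr(account, "\")
    If pos > 0 Then
        domain = Left(account, pos - 1)
        user = Mid(account, pos + 1)
    Else
        domain = ""
        user = account
    End If
End Sub

' Step 1: LogonUI value (absent on XP). Step 2: fall back to the Winlogon defaults.
Function LastLoggedOnUser(reg)
    Dim account, user, domain
    account = ReadString(reg, LOGONUI_KEY, "lastloggedonuser")
    If account <> "" Then
        SplitAccount account, user, domain
        If domain = "." Then domain = ""   ' assumption: ".\name" marks a local account
    Else
        user = ReadString(reg, WINLOGON_KEY, "DefaultUserName")
        domain = ReadString(reg, WINLOGON_KEY, "DefaultDomainName")
    End If
    If user <> "" And domain <> "" Then user = user & "@" & domain
    LastLoggedOnUser = user
End Function

Dim oreg
Set oreg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
WScript.Echo "last logged on user: " & LastLoggedOnUser(oreg)
```

Because the domain is only taken from Winlogon when the user name also comes from there, the result never pairs a LogonUI user with an unrelated DefaultDomainName.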

