In a simpler manner, you could just switch the order in which you check for both values... That is to say:

1. Check for HKLM\software\microsoft\windows\currentversion\authentication\logonui\lastloggedonuser (this reg key does not exist on XP systems)
2. If the value returned from Step 1 is NULL, check HKLM\software\microsoft\windows nt\currentversion\winlogon\DefaultUserName
My first tests in a domain of ~600 workstations (mixed winXP & win7), indicate that this solution works.
lines 220-230 of my audit_windows.vbs:

[code]
' Registry provider set-up, added here so the excerpt runs on its own
' (in audit_windows.vbs oReg is created earlier in the script)
Const HKEY_LOCAL_MACHINE = &H80000002
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' last logged on user
' Step 1: Vista/Win7 keep it under LogonUI (this key is absent on XP, so the value comes back Null)
oReg.GetStringValue HKEY_LOCAL_MACHINE, "software\microsoft\windows\currentversion\authentication\logonui", "lastloggedonuser", windows_user_name
oReg.GetStringValue HKEY_LOCAL_MACHINE, "software\microsoft\windows nt\currentversion\winlogon", "DefaultDomainName", windows_user_domain

If IsNull(windows_user_domain) Then
    windows_user_domain = ""
Else
    windows_user_domain = "@" & windows_user_domain
End If

' Step 2: fall back to Winlogon\DefaultUserName when step 1 returned nothing (XP)
If IsNull(windows_user_name) Then
    oReg.GetStringValue HKEY_LOCAL_MACHINE, "software\microsoft\windows nt\currentversion\winlogon", "DefaultUserName", windows_user_name
End If
[/code]
[quote="Mark"][quote]In OAv2, for Windows 7, it seems to be getting this setting from here:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName
While it seems like the actual last logged on user setting is located here:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser
So, are you guys thinking I should change this (when it's detected that we are auditing a Win7 machine)?[/quote]
Maybe if we detect Win7, simply use the second value?[/quote]
_________________ Server Info: OS : CentOS Linux release 6.0 (Final) Auditing: 700 machines LDAP: Active Directory
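The same two-step lookup (LogonUI\LastLoggedOnUser first, Winlogon\DefaultUserName as the XP fallback) written as a PowerShell function, added here as an illustration; it is not Open-AudIT code and not from the post above. The registry paths are the ones quoted in the thread; the function name, parameters and the "@domain" formatting copied from the VBScript are assumptions for the example.

```powershell
# Added example (not Open-AudIT's own code): resolve the last logged-on user
# with the fallback order described in the post. Registry paths come from the
# thread; the function and parameter names are constructed for this example.
function Get-LastLoggedOnUser {
    [CmdletBinding()]
    param(
        [string] $LogonUIPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI',
        [string] $WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    # Step 1: LogonUI\LastLoggedOnUser (Vista/Win7 and later). On XP the key does
    # not exist, so the read fails quietly and $user stays empty.
    $user   = (Get-ItemProperty -Path $LogonUIPath -Name 'LastLoggedOnUser' -ErrorAction SilentlyContinue).LastLoggedOnUser
    $source = 'LogonUI\LastLoggedOnUser'

    # Step 2: fall back to Winlogon\DefaultUserName only when step 1 returned nothing.
    if ([string]::IsNullOrEmpty($user)) {
        $user   = (Get-ItemProperty -Path $WinlogonPath -Name 'DefaultUserName' -ErrorAction SilentlyContinue).DefaultUserName
        $source = 'Winlogon\DefaultUserName'
    }

    # Domain is read from Winlogon on both OS generations, as in the VBScript.
    $domain = (Get-ItemProperty -Path $WinlogonPath -Name 'DefaultDomainName' -ErrorAction SilentlyContinue).DefaultDomainName

    # Mirror the VBScript: an empty domain stays empty, otherwise prefix it with "@".
    $domainSuffix = if ([string]::IsNullOrEmpty($domain)) { '' } else { "@$domain" }

    if ([string]::IsNullOrEmpty($user)) {
        $display = $null
        $source  = 'none'
    } else {
        $display = "$user$domainSuffix"
    }

    [PSCustomObject]@{
        UserName = $user
        Domain   = $domain
        Display  = $display
        Source   = $source   # which of the two keys actually supplied the name
    }
}

# Usage: run on the audited workstation; Source shows which key answered,
# which is a quick way to confirm the XP-vs-Win7 fallback behaves as expected.
Get-LastLoggedOnUser | Format-List
```

Reading with -ErrorAction SilentlyContinue is what makes the XP case work: a missing key simply yields an empty value rather than a terminating error, so the fallback to DefaultUserName is taken without any OS-version detection, exactly as the post proposes.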