Open-AudIT
https://www.open-audit.org/phpBB3/

Beta 2 Bugs
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=5753
Page 2 of 2

Author:  joofoo [ Mon Oct 03, 2011 11:59 pm ]
Post subject:  Re: Beta 2 Bugs

In a simpler manner, you could just switch the order in which you check for both values... That is to say:
1. Check for HKLM\software\microsoft\windows\currentversion\authentication\logonui\lastloggedonuser (this reg.key does not exist on XP systems)
2. If the value returned from Step 1 is NULL, check HKLM\software\microsoft\windows nt\currentversion\winlogon\DefaultUserName

My first tests in a domain of ~600 workstations (mixed winXP & win7), indicate that this solution works.

lines 220-230 of my audit_windows.vbs:
[code]
' last logged on user
' Vista/Win7 first: this key does not exist on XP, so the value comes back null there
oreg.getstringvalue hkey_local_machine, "software\microsoft\windows\currentversion\authentication\logonui", "lastloggedonuser", windows_user_name
oreg.getstringvalue hkey_local_machine, "software\microsoft\windows nt\currentversion\winlogon", "DefaultDomainName", windows_user_domain
if isnull(windows_user_domain) then
    windows_user_domain = ""
else
    windows_user_domain = "@" & windows_user_domain
end if
' XP fallback: only read DefaultUserName when the Win7 value was null
if isnull(windows_user_name) then
    oreg.getstringvalue hkey_local_machine, "software\microsoft\windows nt\currentversion\winlogon", "DefaultUserName", windows_user_name
end if
[/code]

[quote="Mark"][quote]In OAv2, for Windows 7, it seems to be getting this setting from here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName

While it seems like the actual last logged on user setting is located here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser

So, are you guys thinking I should change this (when it's detected that we are auditing a Win7 machine)?

Maybe if we detect Win7, simply use the second value?[/quote][/quote]

Author:  joofoo [ Tue Oct 04, 2011 4:43 pm ]
Post subject:  Re: Beta 2 Bugs

You only need to switch order in which you check those registry keys:
1. First check for the Win7 key (HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser).
2. If value returned is NULL, check the WinXP key (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName)

So, basically, all one needs to do is switch lines 221 and 242 on audit_windows.vbs

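The two posts above describe the same lookup order: read the Vista/Win7 value under LogonUI first and only fall back to the XP-era Winlogon values when it is absent. The following PowerShell function is an added example of that logic and is not Open-AudIT code; it uses the .NET registry API so that the same function runs locally or, with the Remote Registry service available, against a named workstation. Assumptions not on the page: the caller has read access to HKLM on the target, LastLoggedOnUser is stored as DOMAIN\user or .\user (so the domain is not re-appended to it), and the XP fallback is normalized to the same DOMAIN\user form instead of the user@domain form used in the VBScript.

```powershell
# Added example (not Open-AudIT code): last logged-on user with the Win7-first,
# XP-fallback order described in the thread. Assumption: read access to HKLM on
# the target, and Remote Registry running when $ComputerName is not the local box.

function Get-LastLoggedOnUser {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        # Step 1: Vista/Win7 key. OpenSubKey returns $null when the key does not
        # exist, which is exactly the XP case, so no exception handling is needed.
        $logonUi = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI')
        $name = $null
        if ($logonUi) {
            $name = $logonUi.GetValue('LastLoggedOnUser')
            $logonUi.Close()
        }
        if (-not [string]::IsNullOrEmpty($name)) {
            # Assumption: value already has the form DOMAIN\user or .\user
            # (".\" meaning a local account), so nothing is appended here.
            return [pscustomobject]@{
                Computer = $ComputerName
                User     = $name
                Source   = 'LogonUI\LastLoggedOnUser'
            }
        }

        # Step 2: XP fallback. DefaultUserName is the bare account name and
        # DefaultDomainName the domain, so they are combined here.
        $winlogon = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
        if (-not $winlogon) { return $null }
        $user   = $winlogon.GetValue('DefaultUserName')
        $domain = $winlogon.GetValue('DefaultDomainName')
        $winlogon.Close()
        if ([string]::IsNullOrEmpty($user)) { return $null }
        if (-not [string]::IsNullOrEmpty($domain)) { $user = "$domain\$user" }
        return [pscustomobject]@{
            Computer = $ComputerName
            User     = $user
            Source   = 'Winlogon\DefaultUserName'
        }
    }
    finally {
        $hklm.Close()
    }
}

# Usage: local machine, or a list of audited workstations.
Get-LastLoggedOnUser
# 'ws01', 'ws02' | ForEach-Object { Get-LastLoggedOnUser -ComputerName $_ }
```

Two caveats worth keeping in mind when this value feeds an asset inventory: both registry locations record who last signed in at the console, not who is logged on now, and on XP DefaultUserName is also the account named by an AutoAdminLogon configuration, so on a machine set up for automatic logon it reflects the configured account rather than a person who actually sat at the keyboard. The Source field in the output makes it possible to tell the two cases apart when reviewing results.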
All times are UTC + 10 hours