Open-AudIT https://www.open-audit.org/phpBB3/ |
Beta 2 Bugs https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=5753 |
Page 2 of 2 |
Author: | joofoo [ Mon Oct 03, 2011 11:59 pm ] |
Post subject: | Re: Beta 2 Bugs |
In a simpler manner, you could just switch the order in which you check for both values... That is to say:

1. Check for HKLM\software\microsoft\windows\currentversion\authentication\logonui\lastloggedonuser (this reg.key does not exist on XP systems)
2. If the value returned from Step 1 is NULL, check HKLM\software\microsoft\windows nt\currentversion\winlogon\DefaultUserName

My first tests in a domain of ~600 workstations (mixed winXP & win7), indicate that this solution works.

lines 220-230 of my audit_windows.vbs:

[code]
' last logged on user
' Win7 location first; the value comes back as Null when the key does not exist (XP)
oreg.getstringvalue hkey_local_machine, "software\microsoft\windows\currentversion\authentication\logonui", "lastloggedonuser", windows_user_name
oreg.getstringvalue hkey_local_machine, "software\microsoft\windows nt\currentversion\winlogon", "DefaultDomainName", windows_user_domain
if isnull(windows_user_domain) then
    windows_user_domain = ""
else
    windows_user_domain = "@" & windows_user_domain
end if
' fall back to the XP location when the Win7 value was not found
if isnull(windows_user_name) then
    oreg.getstringvalue hkey_local_machine, "software\microsoft\windows nt\currentversion\winlogon", "DefaultUserName", windows_user_name
end if
[/code]

[quote="Mark"][quote]In OAv2, for Windows 7, it seems to be getting this setting from here:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName
While it seems like the actual last logged on user setting is located here:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser
So, are you guys thinking I should change this (when it's detected that we are auditing a Win7 machine)? Maybe if we detect Win7, simply use the second value?
Author: | joofoo [ Tue Oct 04, 2011 4:43 pm ] |
Post subject: | Re: Beta 2 Bugs |
You only need to switch the order in which you check those registry keys:

1. First check for the Win7 key (HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser).
2. If the value returned is NULL, check the WinXP key (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName)

So, basically, all one needs to do is switch lines 221 and 242 on audit_windows.vbs |
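The lookup order described in the two posts above, as an added example that is not part of the thread or of audit_windows.vbs. It also treats a failed read or an empty string as "not found", which a bare IsNull test would miss. The function names ReadString and LastLoggedOnUser are hypothetical, and the script assumes it runs locally with access to the StdRegProv WMI provider.

```vbscript
Option Explicit

' Added example, not Open-AudIT code. Helper names are hypothetical.
Const HKEY_LOCAL_MACHINE = &H80000002
Const KEY_LOGONUI = "software\microsoft\windows\currentversion\authentication\logonui"
Const KEY_WINLOGON = "software\microsoft\windows nt\currentversion\winlogon"

' Read a string value from HKLM. Returns "" when the key or value is
' missing, the call fails, or the stored string is blank.
Function ReadString(oReg, sKey, sValue)
    Dim sData, rc
    rc = oReg.GetStringValue(HKEY_LOCAL_MACHINE, sKey, sValue, sData)
    If rc <> 0 Or IsNull(sData) Then
        ReadString = ""
    Else
        ReadString = Trim(sData)
    End If
End Function

' Step 1: the LogonUI value (absent on XP, per the post above).
' Step 2: fall back to Winlogon\DefaultUserName when step 1 gave nothing.
Function LastLoggedOnUser(oReg)
    Dim sUser
    sUser = ReadString(oReg, KEY_LOGONUI, "lastloggedonuser")
    If sUser = "" Then
        sUser = ReadString(oReg, KEY_WINLOGON, "DefaultUserName")
    End If
    LastLoggedOnUser = sUser
End Function

Dim oReg
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
WScript.Echo "Last logged on user: " & LastLoggedOnUser(oReg)
```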
All times are UTC + 10 hours |