For some time now I’ve been using this script to view my login time for a particular computer:
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.GetFile("C:\Windows\setupact.log")
Wscript.Echo "Log on today at " & FormatDateTime(objFile.DateLastModified,vbShortTime)
This is a Windows 7 Enterprise edition computer with Service Pack 1 installed. It is connected to a domain, and I am unable to change group policy.
Is it possible to modify the script to capture both the login and shutdown time? And, if so, is it possible to capture this for a set period (e.g. for the previous week or the previous 28 days)? The script doesn’t necessarily have to store/save this info – I can live with just being able to view it.
I also came across this question, but this didn’t help me much (beyond the fact that it opened my eyes to Event Viewer).
I have since discovered I can manually view the information I need by viewing various logs in Event Viewer, but I’m not sure if there is some way to leverage off this information in a script or not. Obviously this information must be ‘stored’ somewhere on the system, but I’m not entirely sure where and whether it’s accessible.
Any suggestions would be most appreciated.
Answer
I have found a script that might suit your needs:
Option Explicit

Dim strComputer, objWMIService, colEvents, objEvent
Dim dtmStart, dtmEnd, strUser

' Target computer and date range (DMTF format, see the note on the date format below).
strComputer = "West204"
dtmStart = "20091228000000.000000-360"
dtmEnd = "20100101000000.000000-360"
' strUser is declared but not used in the query; the second assignment overrides the first.
strUser = "MyDomain\jsmith"
strUser = "jsmith"

' (Security) enables the privilege needed to read the Security log.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,authenticationLevel=Pkt,(Security)}!\\" _
    & strComputer & "\root\cimv2")

' 528/540 = logon and 538 = logoff on Windows XP/Server 2003.
' Windows Vista and later log 4624 (logon) and 4634 (logoff) instead.
Set colEvents = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND " _
    & "TimeWritten >= '" & dtmStart & "' AND TimeWritten < '" _
    & dtmEnd & "' AND " _
    & "(EventCode = '528' OR EventCode = '540' OR EventCode = '538')")

For Each objEvent In colEvents
    Wscript.Echo "---------------------------"
    Wscript.Echo "Computer: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Time: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.EventType
    Wscript.Echo "User: " & objEvent.User
Next
Just replace the strComputer, dtmStart, dtmEnd, strUser and strUser with your information.
These queries are always slow. I tried to add a WHERE clause for the
user, but could not get it to work, so the output will include all
logon/logoff events between the dates. I also expected more WHERE
clauses to make the query faster, but it doesn’t seem to work that
way. Run the script at a command prompt and redirect the output to a
text file. The date format is yyyymmddhhmmss.ssssss-zzz, where -zzz is
your local time zone bias in minutes (from UTC).
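The following is an added example, not part of the original answer or its quoted source. It goes beyond the answer's script in two ways: it builds the yyyymmddhhmmss.ssssss-zzz range for the previous 28 days with WbemScripting.SWbemDateTime instead of hard-coded strings, and it queries the Windows Vista and later event IDs (4624, 4634, 4647) that apply to the Windows 7 machine in the question. Assumptions: the constant DAYS_BACK and the helpers ToDmtf and FromDmtf are names chosen here, the script targets the local computer, and it is run from an elevated command prompt, because reading the Security log requires administrative rights.

```vbscript
' Added example: list logon/logoff events for the previous DAYS_BACK days.
Option Explicit

Const DAYS_BACK = 28      ' assumption: look-back window taken from the question

Dim strComputer, objWMIService, colEvents, objEvent
Dim dtmStart, dtmEnd

strComputer = "."         ' "." = local computer

' Convert a VBScript date (local time) to the DMTF string used in WQL,
' yyyymmddhhmmss.ssssss-zzz, with the local time zone bias filled in.
Function ToDmtf(dtmValue)
    Dim objDate
    Set objDate = CreateObject("WbemScripting.SWbemDateTime")
    objDate.SetVarDate dtmValue, True
    ToDmtf = objDate.Value
End Function

' Convert a DMTF string from an event back to a local VBScript date.
Function FromDmtf(strValue)
    Dim objDate
    Set objDate = CreateObject("WbemScripting.SWbemDateTime")
    objDate.Value = strValue
    FromDmtf = objDate.GetVarDate(True)
End Function

dtmEnd = ToDmtf(Now)
dtmStart = ToDmtf(DateAdd("d", -DAYS_BACK, Now))

' (Security) enables the privilege needed to read the Security log.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,authenticationLevel=Pkt,(Security)}!\\" _
    & strComputer & "\root\cimv2")

' 4624 = logon, 4634 = logoff, 4647 = user-initiated logoff.
Set colEvents = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND " _
    & "TimeWritten >= '" & dtmStart & "' AND TimeWritten < '" _
    & dtmEnd & "' AND " _
    & "(EventCode = 4624 OR EventCode = 4634 OR EventCode = 4647)")

For Each objEvent In colEvents
    Wscript.Echo FromDmtf(objEvent.TimeWritten) & "  Event " & objEvent.EventCode
Next
```

Run it with cscript.exe and redirect the output to a text file, as the answer suggests. 4624 is also written for service and network logons, so expect more entries than interactive sign-ins alone.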
Attribution
Source : Link , Question Author : Monomeeth , Answer Author : Divin3