Re: how to detect the currently logged in Windows user?

Tue, 29 Jul 2008 07:59:46 -0700 

We at Tenable use a similar method.  I wrote a simple NASL that gets
DefaultUserName.  It uses SMB to login and get registry access, then
just grabs DefaultUserName from the registry.  This works on all our
corporate laptops, won't work well on mulit-user systems such as an
AD or Exchange Server. We added this NASL to our OS ID scan, and then
we use Security Center's Asset List functionality to create an asset
list for each user.

key = "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"; item = 
"DefaultUserName";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if ( ! 
isnull(key_h) ) {
   value = RegQueryValue(handle:key_h, item:item);
if (value[1] != "") && (value [1] != NULL){
   rep = "DefaultUserName:" + value[1];
   security_note (port, data:rep);
   RegCloseKey(handle:key_h);



David Jacobs
Tenable Network Security


Doug Nordwall wrote:
> Try grabbing the registry key 
> HKey_current_user/Software/Microsoft/Windows/Explorer/Logon User Name. 
> One of the other registry reading scripts can tell you how to grab a 
> registry key more generically.
> 
> give me a shout if that works... that'll actually be a decent one. I 
> don't know how it will behave on a  terminal server though.
> 
> On Mon, Jul 28, 2008 at 7:04 PM, Jason Haar <[EMAIL PROTECTED] 
> <mailto:[EMAIL PROTECTED]>> wrote:
> 
>     Hi there
> 
>     Nessus-3.2.1 doesn't appear to log the domain\username account details
>     on remote Windows machines. I don't know about anyone else, but we'd
>     love to know that - so that we can track machines back to owners.
> 
>     Can it be done? I've had a go with some WMI scripts - but no luck so
>     far :-(
> 
>     Thanks!
> 
>     --
>     Cheers
> 
>     Jason Haar
>     Information Security Manager, Trimble Navigation Ltd.
>     Phone: +64 3 9635 377 Fax: +64 3 9635 417
>     PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> 
>     _______________________________________________
>     Nessus mailing list
>     [email protected] <mailto:[email protected]>
>     http://mail.nessus.org/mailman/listinfo/nessus
> 
> 
> 
> 
> -- 
> Doug Nordwall
> Unix, Network, and Security Administrator
> You mean the vision is subject to low subscription rates?!!? - Scott 
> Stone, on MMORPGs
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Nessus mailing list
> [email protected]
> http://mail.nessus.org/mailman/listinfo/nessus

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus

Reply via email to