Well, this works in Vista:

wmic ntevent where "EventIdentifier = '4624' OR EventIdentifier='4634' AND Logfile = 'Security'" GET Message,TimeGenerated /format:htable > crap.html

But it has so much extra data it's hard to read though. I'd just like to know about user logons, but this shows system logons as well.

Thanks,
Adrian

On Mon, Apr 6, 2009 at 11:57 AM, Nick Baronian <[email protected]> wrote:

> If you don't mind, let me know if it works on Vista. I would like to
> update my personal notes.
>
>
> On Mon, Apr 6, 2009 at 10:13 AM, Adrian Crenshaw <[email protected]> wrote:
>
>> Thanks, I'll give it a try.
>> Adrian
>>
>>
>> On Mon, Apr 6, 2009 at 9:57 AM, Nick Baronian <[email protected]> wrote:
>>
>>> I don't have access to a Vista machine right now and I believe they
>>> changed the EventID numbers but a wmic query should still work.
>>>
>>> wmic ntevent where "EventIdentifier = '540' OR EventIdentifier ='528' AND
>>> Logfile = 'Security'" GET Message,TimeGenerated /format:htable > users.html
>>>
>>> For Vista and 2k8, I think 528 is now 4624 and 540 is now 4636. You
>>> might want to double check that.
>>>
>>>
>>> On Mon, Apr 6, 2009 at 12:11 AM, Adrian Crenshaw
>>> <[email protected]> wrote:
>>>
>>>> I just noticed the Windows Vista event log has changed a lot of stuff
>>>> about how it logs logon events. The stuff I wrote way back when no longer
>>>> works. Anyone know a way to get an easy to read list of logon/logoffs with
>>>> the associated user names? Something like the *nix last command.
>>>>
>>>> Thanks,
>>>> Adrian
>>>>
>>>> _______________________________________________
>>>> Pauldotcom mailing list
>>>> [email protected]
>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>> Main Web Site: http://pauldotcom.com
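Added example, not part of the thread and not any poster's code: one way to get a `last`-style list of user logons and logoffs from the Vista/2008 Security log with PowerShell's Get-WinEvent, using the LogonType field of events 4624 and 4634 to drop system and service logons. The function name Get-UserLogonHistory and the choice of logon types 2, 7, 10 and 11 as "user" logons are assumptions of this example.

```powershell
# Added example (not from the thread). Needs PowerShell 2.0+ on Vista/2008 or later,
# run from an elevated prompt so the Security log is readable.

# Assumption: these logon types mean "a person logged on".
# 2 = Interactive, 7 = Unlock, 10 = RemoteInteractive (RDP), 11 = CachedInteractive
$UserLogonTypes = '2', '7', '10', '11'

function Get-UserLogonHistory {
    param(
        [int]$MaxEvents = 2000   # how many of the newest matching events to scan
    )

    # 4624 = successful logon, 4634 = logoff
    $filter = @{ LogName = 'Security'; Id = 4624, 4634 }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents | ForEach-Object {
        # Named fields live in the event XML under EventData/Data[@Name]
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Drop network, batch, service and other non-user logon types
        if ($UserLogonTypes -notcontains $data['LogonType']) { return }
        # Drop machine accounts (names ending in $)
        if ($data['TargetUserName'] -like '*$') { return }

        $action = 'logoff'
        if ($_.Id -eq 4624) { $action = 'logon' }

        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Action    = $action
            User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = $data['LogonType']
            LogonId   = $data['TargetLogonId']   # pairs a logon with its logoff
        }
    }
}

Get-UserLogonHistory |
    Select-Object Time, Action, User, LogonType, LogonId |
    Format-Table -AutoSize
```

On later Windows versions, built-in session accounts such as the window manager also log on with type 2, so a name filter may be needed there as well.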
