Connect to the inputs and outputs on a Windows 7 computer

I want to count the number of inputs and outputs for users of my computers. I take information for logging in / out of Windows event logs (from the Win32_NTLogEvent WMI class). For example, with the following query:

select * from Win32_NtLogEvent where EventCode = 4648 and TimeGenerated > '20120224000000.000000-***' 

But when the computer was restarted or started, it counts 3 logins, when the user presses the logout button or locks (from the Start menu), and then launches the “1 logon” account. The user authenticates through Windows Active Directory. Does this affect the number of logins? Can I only count the number of entries using explicit credentials for users?

I found EventCode: 4608 and 4609 to start and shut down Windows, but I also need the number of logins when the user set the logo or locked the computer.

+7
2 answers

I found this solution here:

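    ' Connect to WMI on the local computer; (Security) enables the
    ' privilege needed to read the Security event log
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
        strComputer & "\root\cimv2")

    ' Count the Security log entries with EventCode 528 for one account
    Set colEvents = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_NTLogEvent WHERE LogFile = 'Security' AND " & _
        "EventCode = 528 AND User = 'fabrikam\\kmyer'")
    Wscript.Echo colEvents.Count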

Just replace the values with the ones you want.

Now this is not Java, but VB code ... However, it seems that it uses the WMI interface that you can use in your Java program. Or you can do something ugly and invoke the batch version of the script from Java (or the scheduled task) and read its output or use the binding.

This, of course, assumes that you want to check it on the user's computer, as your question hinted. If you want to calculate login on a more global level and from different computers, you need to query Active Directory (or another mechanism used by the network infrastructure); knitted thread offers solutions for this.

Update:

You can take a look at the Eric Fitzgerald blog post on Tracking login activity using login events where you have the appropriate codes (as well as complete formulas for accurately tracking time).

Apparently you need event codes 4624 (LOGON) and 4634 (LOGOFF), as well as the others listed there if you plan to use the Fitzgerald formulas to calculate the exact time of activity.

+4
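
The event codes named in the update above (4624 logon, 4634 logoff), counted per user with PowerShell, as an added example that is not part of the original answer. It assumes an elevated session on the machine being checked and filters on each event's LogonType field so that service and network logons generated at boot are not counted; the 24-hour window is a constructed sample value.

```powershell
# Added example: count logon (4624) and logoff (4634) events per user.
# Run from an elevated prompt; reading the Security log requires it.
$since = (Get-Date).AddDays(-1)   # constructed sample window: last 24 hours

# LogonType values produced by a person at the machine. Boot-time service (5)
# and network (3) logons are left out so a restart does not inflate the count.
$humanTypes = @{
    '2'  = 'Interactive'
    '7'  = 'Unlock'
    '10' = 'RemoteInteractive'
    '11' = 'CachedInteractive'
}

$filter = @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Named fields live under EventData in the event XML
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }

    $type = [string]$data['LogonType']
    if (-not $humanTypes.ContainsKey($type)) { continue }

    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Event   = $(if ($e.Id -eq 4624) { 'Logon' } else { 'Logoff' })
        Type    = $humanTypes[$type]
        User    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonId = $data['TargetLogonId']   # same value on the matching 4634
    }
}

# One line per user / event / logon type with its count
$rows | Group-Object User, Event, Type | Sort-Object Name |
    Select-Object Count, Name | Format-Table -AutoSize
```

An administrator account under UAC can record two 4624 events for a single interactive logon (one per token), so compare the LogonId values before treating every row as a separate sign-in.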

A better approach would be to use a system service.

The HandlerEx function defined by RegisterServiceCtrlHandlerEx can be configured to receive notification of a session change, including logging in, logging out, locking and unblocking events.

I'm not quite sure if the logout events received by HandlerEx are reliable, or if they have the same problems as the event log. As a backup, SetConsoleCtrlHandler allows you to define a callback function to receive retirement notifications. These notifications are reliable.

Remote Desktop Services API functions, such as WTSEnumerateSessions, can also be useful, which allows you to list registered users at any given time or to get additional information about a given session. On workstations, only a subset of these features is available, but these are the ones you need.

+1