WMIC custom inventory Number of Logons question
On a recent KKE about custom inventories there was an example given.
ShellCommandTextReturn(wmic netlogin get Name, NumberOfLogons)
This command is supposed to return who all has logged into a targe machine and how many times.
I've talked to the teacher of the KKE (Ron Colson) and he says that command works correctly for him, but on my systems it seems to return wacky results. Below is what is returned on my machine.
C:\Users\jstrickland>wmic netlogin get Name, NumberOfLogons
Name NumberOfLogons
NT AUTHORITY\SYSTEM
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
AFCUNT\pweatherton 12294
AFCUNT\ageorge 6825
AFCUNT\titaa 65535
AFCUNT\jstrickland 65535
The users returned are correct, but the number of logons is wayyy off. Anywhere in our domain that my name pops up it says I've logged in 65535 times.
Anyone have any ideas about this?
Thanks.
Answers (2)
does it do the same thing at the command prompt?
wmic netlogin get Name, NumberOfLogons
Comments:
-
Yes exact same results from command line. - AFCUjstrick 11 years ago
I recently checked this: it works fine.
the 65535 looks like a maximum (2^16 -1) and you may overflown this one.
Esp if you use your system for a longer time this may happen. I have my new work notebook since 2 month and have already 129 logins there.
May be you logged more often and it has this max number.
Comments:
-
I found on the web the range for that entry is 1-65535 which is FF FF in hex - SMal.tmcc 11 years ago
-
Ok I'll agree that's what it says, but everywhere my name shows up it has the 65535.
Also the other users that show up on my machine when I run the command havn't logged in anywhere near that many times.
Do you think it counts admin shares? Like someone admin sharing over to my machine? - AFCUjstrick 11 years ago-
It is kind if vague on the web where that entry is stored. I will keep digging around, have a feeling it is stored as a hex value. - SMal.tmcc 11 years ago
-
Thanks very much for the help. - AFCUjstrick 11 years ago
-
There is a laptop that I built yesterday, totally fresh Windows 7 install, and it has my number of logons as 65535.
THere is just no way I logged in that many times in one day. - AFCUjstrick 11 years ago-
I have a feeling it is pulling that info from the domain. - SMal.tmcc 11 years ago
-
Agreed, but it's ashame it's working like that.
This would be a fairly neat tool in the bag. - AFCUjstrick 11 years ago
Power executed locally on System
.
FSIND\MATT 2/10/2017 3:53:56 PM 4017
Output Shown in Kace inventory
Name LastLogon NumberOfLogons
---- --------- --------------
LTP0065\admin 2/2/2017 6:10:00 AM 1
FSIND\ARAV 2/10/2017 2:56:31 PM 4626
FSIND\RASH 2/4/2017 2:45:30 PM 227
FSIND\MATT 2/10/2017 3:53:56 PM 4017
CIR rules
ShellCommandTextReturn(cmd /c powershell.exe "Get-WmiObject -class Win32_NetworkLoginProfile | Where {($_.NumberOfLogons -gt 0) -and ($_.NumberOfLogons -lt 65535)} | Select-Object Name,@{label='LastLogon';expression={$_.ConvertToDateTime($_.LastLogon)}},NumberOfLogons") - rahimpal 7 years ago