Related Logon and Logoff events in Windows using Win32_NTLogEvent class - windows

I'm trying to get the login and logoff events from the Win32_NTLogEvent class. To do it, I'm using the following WMI query:
PATH Win32_NTLogEvent WHERE "(EventIdentifier = 4648 OR EventIdentifier = 4647 OR EventIdentifier = 4634) And TimeGenerated > '201811010000'" GET /ALL
The query is working fine and returns all the relevant logons and logoffs for me. The problem is: how can I relate both events? I mean, how can I tell which logoff corresponds to which logon event?
Analyzing the (not so clear) documentation for the events 4648 (logon attempt) and 4634 (An account was logged off), it looks like both have a linked Id, considering SubjectLogonId for the 4648 event and TargetLogonId for the 4634 event.
Considering this information, I'm parsing the returned events, getting the Ids from the InsertionStrings and trying to find the linked IDs, but I didn't find any.
Am I misunderstanding something, or am I looking for the wrong information?
I tested it in Windows 10 and also in Windows Server 2012, but I'm looking for something that works in as many versions as possible.
Some background:
In short, I want to know the login/logoff times and session duration for some specific dates. I am able to get the logon and logoff times for a specific user using the following WMI query (Win32_NetworkLoginProfile class):
PATH Win32_NetworkLoginProfile WHERE "Name='DOMAIN\\user'" GET LastLogon, LastLogoff
My intention with the first query is almost the same, but I want the info for all users without knowing each username. My best guess is the use of the Win32_NTLogEvent class as described, but this is not mandatory.

You are attempting to use a 4648 Logon Attempt. This event only indicates an attempt was made and whether or not it was successful.
The event you should look for is 4624 "An account was successfully logged on.", and the Logon ID for that event will correlate with the Logon ID for the 4634 "An account was logged off."
To comment on your background statement of "LastLogon, LastLogoff": these values are updated in Active Directory on every logon or logoff, but no history is kept.
I know the WBEM interface has existed since Windows XP; I cannot find proof that your PowerShell queries will work on that platform. However, they should work without modification on Windows 7+ and Server 2008+.

In Windows Vista (or Windows Server 2008) and above, this PowerShell command should do the trick:
Get-WmiObject -Query "select Name, LastLogon, LastLogoff from Win32_NetworkLoginProfile WHERE {your logic here}"
However, if you want to use the Win32_NTLogEvent class, which supports Windows XP, I think it cannot be done, for two reasons:
The EventIdentifier in that class specifies the meta-data about the event types, which can be 1-5, meaning: Error, Warning, Information, Security Audit Success and Security Audit Failure. You should look into EventCode instead, which leads me to my second point:
Two events from the same source may have the same value for this property but may have different severity and EventIdentifier values. For example, a successful logoff is recorded in the Security log with the Event ID 538. However, Event IDs are not necessarily unique. It is possible that, when retrieving Event ID 538, you can get other kinds of events with ID 538. If this happens, you might need to filter by the source as well as ID.
And finally, as you might have noticed, auditing events (like 4648, 4647) are supported on Windows 10 (or Windows Server 2016).
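The following Python script is an added example, not code from either answer above. It applies the first answer's rule (match the Logon ID of a 4624 logon to the Logon ID of the matching 4634/4647 logoff) and the second answer's caveat (filter on EventCode and SourceName, not EventIdentifier), over a handful of constructed records shaped like Win32_NTLogEvent rows. The InsertionStrings positions used for the Logon ID and user fields are assumptions that should be checked against a real event on the target OS; the TimeGenerated values are in the DMTF/CIM datetime format that WMI returns. Logon IDs are compared numerically because different events render the same LUID with different hex casing.

```python
"""Correlate Windows security logon (4624) and logoff (4634/4647) events by Logon ID.

Added example for the thread above. Records are constructed to mimic Win32_NTLogEvent
rows; nothing here is read from a live system.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SECURITY_SOURCE = "Microsoft-Windows-Security-Auditing"
LOGON = 4624
LOGOFF_CODES = {4634, 4647}

# ASSUMED InsertionStrings positions (verify against a real event on your OS):
# 4624: 5=TargetUserName 6=TargetDomainName 7=TargetLogonId 8=LogonType
# 4634/4647: 1=TargetUserName 2=TargetDomainName 3=TargetLogonId 4=LogonType
FIELDS = {
    4624: {"user": 5, "domain": 6, "logon_id": 7, "logon_type": 8},
    4634: {"user": 1, "domain": 2, "logon_id": 3, "logon_type": 4},
    4647: {"user": 1, "domain": 2, "logon_id": 3, "logon_type": 4},
}


def parse_dmtf(value: str) -> datetime:
    """Parse a WMI DMTF datetime such as 20181101083000.000000+000 into an aware datetime."""
    base = datetime.strptime(value[:14], "%Y%m%d%H%M%S")
    micros = int(value[15:21]) if len(value) > 14 and value[14] == "." else 0
    offset_field = value[22:25] if len(value) >= 25 else "***"
    # WMI uses *** when the UTC offset is unknown; treat that as UTC.
    minutes = 0 if offset_field == "***" else int(offset_field)
    sign = -1 if value[21:22] == "-" else 1
    return base.replace(microsecond=micros, tzinfo=timezone(timedelta(minutes=sign * minutes)))


def _event(code: int, when: str, strings: List[str], source: str = SECURITY_SOURCE) -> Dict:
    """Build one constructed record with the Win32_NTLogEvent property names used below."""
    return {"Logfile": "Security", "SourceName": source, "EventCode": code,
            "TimeGenerated": when, "InsertionStrings": strings}


# Constructed sample data (not captured from a real machine).
SAMPLE_EVENTS = [
    _event(4648, "20181101082959.000000+000", ["S-1-5-18", "WS01$", "DOM", "0x3e7", "alice", "DOM"]),
    _event(4624, "20181101083000.000000+000",
           ["S-1-5-18", "WS01$", "DOM", "0x3e7", "S-1-5-21-1", "alice", "DOM", "0x1A2B3C", "2"]),
    _event(4624, "20181101090000.000000+000",
           ["S-1-5-18", "WS01$", "DOM", "0x3e7", "S-1-5-21-2", "bob", "DOM", "0x2F00AA", "10"]),
    # Logoff whose logon happened before the query window: must not crash, must be reported.
    _event(4634, "20181101070000.000000+000", ["S-1-5-21-3", "carol", "DOM", "0x0F0F0F", "2"]),
    # Same LUID as alice's logon, rendered in lowercase hex.
    _event(4634, "20181101123000.000000+000", ["S-1-5-21-1", "alice", "DOM", "0x1a2b3c", "2"]),
    # Event ID 4624 from another source: the docs say to filter by source, so it is skipped.
    _event(4624, "20181101100000.000000+000", ["x"] * 9, source="ConstructedOtherSource"),
]


def correlate_sessions(events: List[Dict]) -> Dict[str, List[Dict]]:
    """Pair each 4624 with the later 4634/4647 carrying the same Logon ID.

    Events are processed in time order because a Logon ID (LUID) is only unique
    until the next reboot; popping the logon on logoff keeps a reused LUID from
    matching a stale session.
    """
    open_logons: Dict[int, Dict] = {}
    sessions: List[Dict] = []
    unmatched_logoffs: List[Dict] = []
    for ev in sorted(events, key=lambda e: parse_dmtf(e["TimeGenerated"])):
        code = ev["EventCode"]
        if ev.get("SourceName") != SECURITY_SOURCE or code not in FIELDS:
            continue  # wrong source, or not a logon/logoff event (e.g. 4648 attempts)
        f, s = FIELDS[code], ev["InsertionStrings"]
        luid = int(s[f["logon_id"]], 16)
        rec = {"user": s[f["user"]], "domain": s[f["domain"]], "logon_id": hex(luid),
               "logon_type": s[f["logon_type"]], "time": parse_dmtf(ev["TimeGenerated"])}
        if code == LOGON:
            open_logons[luid] = rec
        elif luid in open_logons:
            logon = open_logons.pop(luid)
            sessions.append({"user": logon["user"], "domain": logon["domain"],
                             "logon_id": logon["logon_id"], "logon_type": logon["logon_type"],
                             "logon_time": logon["time"], "logoff_time": rec["time"],
                             "duration_seconds": int((rec["time"] - logon["time"]).total_seconds())})
        else:
            unmatched_logoffs.append(rec)  # session began before the window (or on a previous boot)
    return {"sessions": sessions, "open_sessions": list(open_logons.values()),
            "unmatched_logoffs": unmatched_logoffs}


if __name__ == "__main__":
    result = correlate_sessions(SAMPLE_EVENTS)
    for s in result["sessions"]:
        print(f"{s['domain']}\\{s['user']} {s['logon_id']} type {s['logon_type']}: "
              f"{s['logon_time']} -> {s['logoff_time']} ({s['duration_seconds']} s)")
    for s in result["open_sessions"]:
        print(f"still logged on: {s['domain']}\\{s['user']} {s['logon_id']} since {s['time']}")
    for s in result["unmatched_logoffs"]:
        print(f"logoff without logon in window: {s['domain']}\\{s['user']} {s['logon_id']}")
```

To run this against a real host, replace SAMPLE_EVENTS with the rows returned by the question's WMI query (adding EventCode = 4624 and SourceName to the WHERE clause) and keep the window's start in mind: every logoff whose logon precedes the window lands in unmatched_logoffs rather than producing a bogus duration.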

Related

How to get "Last Arrival Date" of a USB device using setupapi/cfmgr apis

There is a property "Last Arrival Date" that is present for my USB device in the Device Manager UI.
screenshot (device-manager/properties/details)
How can I programmatically retrieve that value? I already have the corresponding handle (setupapi) and DEVINST (cfgmgr) which I use for everything else.
CLARIFICATION:
It's somewhere nested under "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\VID_8888&PID_8888\SERIALNUMBER\Properties" but I can't see into that folder in the registry, either in regedit or in code. I get Access Denied. Of course I can fix that problem on my own development machine, but that's going to be a problem for customers who have standard, non-admin user accounts and have not added the permission necessary to read this data from the registry.
I need a solution that works for any user.

Unable to Assign an Incident in workflow- CRM

We have used the case Entity, there is default user that is used to assign a case on new creation or reactivation.
We have a workflow created for Case Reactivation, so whenever a case is reopened it is assigned to the default system user. It was working fine till September 20, but now when you give the survey after case resolution and then try to reactivate it, it throws an error in the workflow. It works fine when you try to reactivate without giving the survey.
Error:
The real-time workflow named "Case is Resolved/Reopened" failed with the error "Principal user (Id, type=8, roleCount=1, privilegeCount=619, accessMode=0), is missing prvReadmsfp_questionresponse privilege (Id) on OTC=10247 for entity 'msfp_questionresponse'.
The System user has the role assigned as of salesperson, giving permission for this entity to salesperson does solve the issue, but the salesperson role is being used by many others to whom permission for this entity can't be given.
Can anyone tell us why this started causing issues after a particular time? Were there any updates from Microsoft Forms Pro for this entity?
It's very possible there have been updates from MS. You can review the solution history in make.powerplatform.
https://learn.microsoft.com/en-us/powerapps/maker/common-data-service/solution-history
Look for the forms pro solution and check the solution history.
Is the "Default" user an actual person that logs in? Or a Service account that is only used for automation/workflows?
In any case, I'd suggest creating an add-on or feature role called something like "Question Response Reader" that only has the read permission for that entity. You can then add that role to the default user, and any other users that need to read that entity.
Probably Microsoft changed something in the background, especially w.r.t. security of the Forms Response entity msfp_questionresponse.
Your easy solution is to give proper security rights to the user who is running your workflow.
If it is run by the owner of the workflow, then that user; if the workflow runs under the context of a user, then that user should have read rights for the entity msfp_questionresponse.

Get a specific Rule ID in a GPO

I am currently working on Windows Active Directory, and I would like to know if it's possible to get the ID of a rule defined in a GPO, because I would like to write some PowerShell scripts to check whether some rules are activated or not. I've found out that it is linked into the registry, but only for the current user, and I don't want to run my script for every user, only on the domain server or domain administrator account.
For example, I've written a GPO saying that every basic user should not have the right to use the Task Manager. I can get a report on my GPO containing the list of users who are subject to this rule, the GPOID, and other information, but no information about the rule except its name, which in this case is "Disable TaskMgr".
The Get-GPO command, which is part of the Group Policy cmdlets, appears to return a GUID that it calls an ID as well as a status.

Windows Phone 8.1 user ID

I have a problem with getting the User ID, I mean programmatically. Is there any chance to get the user's Live ID or something like that? I want to use a trial experience with an expiration time, but there is only one way to do this: storing all users' IDs and, after installation, checking their identity. I don't want to use the advertising ID because it is not working in every case. Not every user is using this kind of ID.
So any ideas?
You won't get any personal information without asking the user.
But the Windows Store features a trial mode with expiration. Check out the topic on MSDN.
Otherwise there is an overview on Identity on Windows, and you can use WebAuthenticationBroker on the Phone.

Vista: create a process from service with out popping up any dialog boxes

I am new to Vista and not an advanced programmer. For the past few days I have been trying to digest many technical details about Vista, but I still have a few basic questions on it. I hope you all will help me get the answers to my questions.
Can we create an interactive process (which has an embedded manifest file with "invokeAsAdministrator") from a service which is running under the Local System account?
Here I know about session 0 isolation and all. Still I am asking this question because, when I create an interactive process through CreateProcessAsUser (which requires admin privileges), it is failing with error 740. While using this I have given the proper session ID. The session ID is that of my active desktop, where my user logs in with administrative privileges.
If the process can be created does that show up the UAC dialog?
If the UAC dialog shows up, can we avoid this?
It is a well understandable problem. The Local account has no admin privileges. The only thing you can do is impersonation: temporarily you emulate another account (in your case it is admin). An example of this technique can be found in MSDN under the topic WindowsIdentity.Impersonate ( http://msdn.microsoft.com/en-us/library/chf6fbt4.aspx )
EDIT
Sorry, only after posting I noticed that you use VC++.
In the Win API, use ImpersonateLoggedOnUser.
CreateProcessAsUser is failing in my case because, by default, when we query for the user token for the user's desktop session, I was getting a restricted token that was created for the user (for administrators two tokens are created: 1) restricted token, 2) full token; anyhow, my application can be run only by administrators).
By browsing the net I have found that I have to look for the linked token and use that token for creation of the process.
The code for creation of process from service can be found in the following question:
Desktop problem with using CreateProcessAsUser from a service on Vista
