I'm trying to get the user's last logon in some Windows machines using WMI, but for some reason, this information is different for different commands when I think they should be the same.
The first command that I'm using is : PATH Win32_NetworkLoginProfile WHERE "Name='DOMAIN\\fakeuser'" GET LastLogon. The result for it is like below:
LastLogon
20181206093540.000000-480
The second command is: PATH Win32_NTLogEvent WHERE "(EventIdentifier =4648 OR EventIdentifier = 4647 OR EventIdentifier = 4634)" GET CategoryString, TimeGenerated, InsertionStrings
The result is like below (after some processing to find the last entry of category "Logon" linked to the "fakeuser", since the command returns a lot of information):
CategoryString
Logon
InsertionStrings
{"S-1-5-21-3457937927-2839227994-823803824-1104","DOMAIN$","DOMAIN","0x3e6","{00000000-0000-0000-0000-000000000000}","fakeuser","DOMAIN","{00000000-0000-0000-0000-000000000000}","localhost","localhost","0x64c","C:\Windows\System32\svchost.exe","999.999.99.999","0"}
TimeGenerated
20181206173540.580545-000
For what I understand for these two commands, the LastLogon in the first result should be the same of TimeGenerated in the second one. Am I misunderstood something?
In my preliminary research, I found a possible bug in the WMI Timestamps, but I don't know if it is the same problem.
Some additional information:
These commands are executed using a script that make a remote connection using WinRM connection (ports 5985 and 5986) and then executes the commands to get the info, but I also tried to connect in the machine using RDP and execute it in Powershell with wmic PATH.... The result is the same.
I tested it in Windows 10 and also in Windows Server 2012, but the scripted will be used in some other Windows versions.
To get the Event numbers for the log class, I used this link
After first comment, I noticed that the problem is in time zones. Are there any way to set timezone direct in these commands or convert timezones between them?
Related
Lately I was having problem with WMI on one of the systems (win server 2019). Service list in Task Manager was empty and running Get-WmiObject Win32_Service from powershell was returning Generic failure. After fruitless hours of searching and trying to repair system I gave up and was ready to reinstall system. Then error was reproduced on another machine by accident and I was able to narrow down cause of the problem. After creating windows service with short name and short display name WMI brakes after system restart but only if that service is first (in alphanumeric order) on services list. To reproduce this effect you only need to run
sc create "A1" binpath="D:\foobar.exe" DisplayName="A1" start=disabled
binpath is irrelevant, service doesn't need to be started. DisplayName doesn't need to be identical to name. After that command you need to restart (before restart everything works). After that if you go to services list in task manager it will be empty (probably using WMI to query services list). Now you can run sc delete "A1" and reopen task manager. Everything is back to normal.
Problem was reproduced on Windows Server 2019 and Windows 10 (didn't tried on other versions).
Is this a known bug or what is happening here?
EDIT
I'm not asking about how to use sc. It's doesn't matter. I provided commands that someone can run to reproduce problem. You can create service with that parameters however you want.
You are using the sc command line arguments in the incorrect format.
From MSDN:
Optionvalue
Specifies the value for the parameter named by Optionname. See the Optionname reference for a list of supported values. When a string is to be input, the use of empty quotes means that an empty string is passed in. Note that there is a space between OptionValue and the equal sign.
The correct command should be:
sc create "A1" binpath= "D:\foobar.exe" DisplayName= "A1" start= disabled
i have a console command that i need to run using SID instead of User name. currently i suspect that the command is failing because the system locale is not English.
cmd.exe /q /c "for /L %i in (000,1,8010) do netsh http add urlacl url=http://+:%i/ user=Everyone"
thanks in advance
As long as I know, for such command that you present in your example, you must use the string username.
I'm not sure of your case, but I found myself in a similar situation where I need to run IIS under lower ports as a regular user, and I was using some similar command. For sure the Everyone username works as long your systems is in English.
I searched the internet and it would be too much complicated on Windows to get the username based on the SID. The Everyone user has a well known SID which is S-1-1-0.
With some programs, such as PsTools, you can run a similar command such as
SidToName.exe S-1-1-0
to retrieve a user's SID. For my case, it outputs
[WellKnownGroup]: \Todos
because my system is currently in Portuguese, where Todos means Everyone; thus I just need to get the Todos part. Yet I found it too cumbersome to manipulating strings with DOS batch files.
Turned out that I simplified my case by running the command with the %USERNAME windows variable, since I just needed to allow my own user to run the IIS on lower ports. If that it your case, it will do the trick. My command looks like:
netsh http add urlacl url=http://mylocalsite.app:80/ user=%USERNAME%
If the %USERNAME% does not suffice, you will have to do some string manipulation as a way of getting the language-agnostic name for Everyone.
I am creating a batch script to deal with the brute forcing through RDC on my server.
The way I plan on doing this is by making windows run my script when a failed RDC is logged in windows security log. I will add a whitelist to prevent trusted IP addresses from being blocked. It will also log how many times the IP has tried to login, and if it fails more than 5 times in a row, it will be blocked.
Problem is, I don't know how to pass the IP from the logged event to the batch script.
The Windows Server 2008 R2 event viewer has an ability to start a program when a specific event (With a event number) occurs. It has a box for arguments that can be passed onto the program that I can specify (which will be this batch script). However, It does not specify what arguments it can pass on (I want the IP to be passed onto the batch script... that is all).
Any help would be greatly appreciated.
I managed to fix it myself, using this. I adapted the one he had over to include $(IpAddress) and got it working after a bit of mucking around.
Is it possible to determine if a scheduled task is running on a local or remote machine using vbscript?
There's a WMI class called Win32_ScheduledJob that has some status fields that might be useful. Especially the ElapsedTime field looks like it might be what you're looking for, assuming that it gets reset when the task stops.
Here's some sample code for looking at the statuses. Just set strComputer to the name of the computer you want to look at (. means the local computer).
Otherwise, if that doesn't work, you might be able to just look at the Schedlgu.txt file in the Windows directory and see if it's started but not yet stopped.
You might be able to get this information with the command-line command schtasks /query... but you'd probably have to grep the output to find only the jobs with a status of "Running".
Details on usage can be found here.
Assume I have access to a SMB server at IP 1.2.3.4, how can I determine the list of available shares?
Windows Explorer can do it when I enter a UNC path \\1.2.3.4\ - but command prompt "dir \\1.2.3.4\" fails!
I've tried the usual FindFirstFile/FindNext calls - which I use successfully to read the files and directories on each share, but they don't work directly on the server root.
Ideally, I need something that works for XP onwards.
Edit: I want to do this programatically, rather than from command line. Redirecting and parsing the output from 'net view 1.2.3.4' would work, but I'm ideally looking for an API for this job.
According to the docs there's a NetShareEnum and a WNetEnumResource function.
net view \\1.2.3.4
Check out http://www.ss64.com/nt/net_share.html
Edit: If you want to do this programmatically, it looks like NetShareEnum would work.
It appears you can use WMI to get this information. Check this post for some neat PowerShell tutorials that show now to use the Win32_Share WMI object.
Never use WMI (not installed natively)
Use Win32 api to enumerate shares, posted millions of times on google groups( win32)