When is my account being used?

[karlsnooks]

Ever have the situation where several people have your logon password AND something goes wrong AND everyone denies having logged on?

Or would you simply like to when you logged on 2 days ago?

Try out this little example which simply involves copying and pasting into powershell. Resutls placed on your desktop:

# Start copy with very next line; Copy thru 2nd EXIT
$events = Get-WinEvent -FilterHashtable @{logname='application'; id=4101; level=4} `
-verbose:$false -erroraction:silentlycontinue 
$events | format-table -property timecreated,message -auto -wrap `
> $env:userprofile\desktop\LOGONTIMES.txt

EXIT
EXIT

# Places LOGONTIMES.TXT on your DESKTOP
#
# **********************INSTRUCTIONS**************************
# STEP 1 *****************************************************
# RUN PowerShell as administrator
# START ORB | type POWERSHELL | CTRL+SHIFT+ENTER key combo | YES
# ************************************************************
# STEP 2 *****************************************************
# COPY, using CTRL + C, every line down thru both EXIT statements 
# PASTE into Powershell by right-clicking at the PowerShell Prompt
#  (Ctrl V does not work)
# ************************************************************
# OUTPUT  File LOGONTIMES.txt is placed on your DESKTOP
#
# ***************** NOTE - POWERSHELL VERSION*****************
# if you receive this error msg:
#  Get-WinEvent: The system can not find the path specified
# you need to update your PowerShell
# you must be using Powershell 2.0 or later.
#
# To determine your Powershell version:
#   Run PowerShell
#   enter following $host.version
#   you should see at least:
# Major  Minor  Build  Revision
# -----  -----  -----  --------
# 2      0      -1     -1
#
# If you do not see the above, update your Vista/Win 7.
# ************************************************************
#
# *************** NOTE - EXECUTION POLICY*********************
# If you haven't set the execution policy, you may need to:
#   Run PowerShell
#   enter following without the #
#   Set-ExecutionPolicy -executionpolicy remotesigned
#
# ************************************************************
#
# ************************************************************
#

 

[seavixen32]

Just tried it (I'm the only user).


TimeCreated Message
----------- -------
03/06/2012 09:23:32 Windows license validated.
02/06/2012 10:49:22 Windows license validated.
02/06/2012 09:10:56 Windows license validated.
02/06/2012 07:43:01 Windows license validated.
02/06/2012 00:59:40 Windows license validated.
01/06/2012 18:56:33 Windows license validated.
01/06/2012 18:27:56 Windows license validated.
01/06/2012 16:22:10 Windows license validated.
01/06/2012 09:09:34 Windows license validated.
01/06/2012 08:03:32 Windows license validated.
31/05/2012 15:14:26 Windows license validated.
31/05/2012 12:22:42 Windows license validated.
31/05/2012 07:21:07 Windows license validated.
31/05/2012 00:55:29 Windows license validated.
30/05/2012 11:32:48 Windows license validated.
30/05/2012 07:23:53 Windows license validated.
29/05/2012 20:18:50 Windows license validated.
29/05/2012 20:16:46 Windows license validated.
29/05/2012 09:22:07 Windows license validated.
29/05/2012 03:45:10 Windows license validated.
28/05/2012 17:29:16 Windows license validated.
28/05/2012 12:53:07 Windows license validated.
28/05/2012 07:20:01 Windows license validated.
28/05/2012 07:06:52 Windows license validated.
28/05/2012 00:25:11 Windows license validated.
27/05/2012 11:03:16 Windows license validated.
26/05/2012 22:49:24 Windows license validated.
26/05/2012 15:16:04 Windows license validated.
26/05/2012 13:02:28 Windows license validated.
26/05/2012 08:36:00 Windows license validated.
26/05/2012 02:26:12 Windows license validated.
25/05/2012 07:24:44 Windows license validated.
24/05/2012 09:05:09 Windows license validated.
23/05/2012 11:09:29 Windows license validated.
23/05/2012 10:57:18 Windows license validated.
23/05/2012 10:41:53 Windows license validated.
23/05/2012 10:39:49 Windows license validated.
23/05/2012 10:38:40 Windows license validated.
23/05/2012 06:30:14 Windows license validated.
22/05/2012 20:29:28 Windows license validated.
22/05/2012 08:53:44 Windows license validated.
21/05/2012 23:37:31 Windows license validated.
21/05/2012 23:20:23 Windows license validated.
21/05/2012 07:11:43 Windows license validated.
20/05/2012 10:39:12 Windows license validated.
20/05/2012 10:03:29 Windows license validated.
20/05/2012 03:15:56 Windows license validated.
19/05/2012 22:48:10 Windows license validated.
19/05/2012 14:23:31 Windows license validated.
19/05/2012 06:30:30 Windows license validated.
18/05/2012 07:13:51 Windows license validated.
17/05/2012 10:31:34 Windows license validated.
17/05/2012 09:42:51 Windows license validated.
16/05/2012 23:09:32 Windows license validated.
16/05/2012 16:54:59 Windows license validated.
16/05/2012 15:28:05 Windows license validated.
16/05/2012 10:12:45 Windows license validated.
15/05/2012 21:24:04 Windows license validated.
15/05/2012 11:29:39 Windows license validated.
15/05/2012 03:30:15 Windows license validated.
14/05/2012 15:11:58 Windows license validated.
14/05/2012 08:03:24 Windows license validated.
13/05/2012 23:39:25 Windows license validated.
13/05/2012 14:38:47 Windows license validated.
13/05/2012 09:33:05 Windows license validated.
12/05/2012 23:38:04 Windows license validated.
12/05/2012 18:02:39 Windows license validated.
12/05/2012 14:08:37 Windows license validated.
12/05/2012 12:26:57 Windows license validated.
12/05/2012 09:40:55 Windows license validated.
11/05/2012 23:00:48 Windows license validated.
11/05/2012 22:35:01 Windows license validated.
11/05/2012 17:15:05 Windows license validated.
11/05/2012 10:27:03 Windows license validated.
11/05/2012 08:52:13 Windows license validated.
10/05/2012 21:20:44 Windows license validated.
10/05/2012 07:43:45 Windows license validated.
10/05/2012 07:20:09 Windows license validated.
10/05/2012 06:25:53 Windows license validated.
10/05/2012 00:54:27 Windows license validated.
09/05/2012 23:06:14 Windows license validated.
09/05/2012 22:30:13 Windows license validated.
09/05/2012 16:56:44 Windows license validated.
09/05/2012 07:04:08 Windows license validated.
09/05/2012 00:00:11 Windows license validated.
08/05/2012 18:53:34 Windows license validated.
08/05/2012 18:51:07 Windows license validated.
08/05/2012 11:53:45 Windows license validated.
08/05/2012 11:21:42 Windows license validated.
08/05/2012 09:56:05 Windows license validated.
08/05/2012 02:54:46 Windows license validated.
07/05/2012 10:33:01 Windows license validated.
06/05/2012 09:05:19 Windows license validated.
05/05/2012 23:04:21 Windows license validated.
05/05/2012 22:45:33 Windows license validated.
05/05/2012 22:36:46 Windows license validated.
05/05/2012 21:52:00 Windows license validated.
05/05/2012 17:06:57 Windows license validated.
05/05/2012 16:50:23 Windows license validated.
05/05/2012 16:36:21 Windows license validated.
05/05/2012 16:29:25 Windows license validated.
05/05/2012 16:11:41 Windows license validated.
05/05/2012 16:02:03 Windows license validated.
05/05/2012 15:53:53 Windows license validated.

 

[karlsnooks]

That shows your log on times and also, part of the log on routine is to check if your windows version has been validated. This doesn't catch every thief in the woods, but is effective at catching the dumb thieves, that is, those who have never validated their Win 7 and not used one of the "better" illegal hacks.

Also good for the college student who suspects that someone else in the dorm/dwelling has been using the computer.

 

[seavixen32]

Anything that picks up on illegal software is fine by me.

 

[karlsnooks]

Sometimes people overlook validating their Win 7 and then start having popup messages that they didn't expect and then I had the one chap whose 3-mo validation time for his illegal enterprise version was only two days from running out. After pointing out to him that his particular copy would need to be validated by the domain server, he disappeared from the landscape.