Hello,

I have a script which lets me actively monitor logoffs (the important
portion is attached below). It works fine but I'm only interested in
knowing about when a human logged off... I don't need to know about
accounts with a "$" in them or system accounts. Is there any way I can
filter or use a logical operator to prevent getting notified about
them?

Thanks!

==========

Set objWMIServices = GetObject _
    ("WinMgmts:{impersonationLevel=impersonate,(Security)}\\.\root\cimv2")
Set LoggedEvents = objWMIServices.ExecNotificationQuery _
    ("Select * from __instancecreationevent where " _
    & "TargetInstance isa 'Win32_NTLogEvent'")

Set wshShell = WScript.CreateObject("wscript.shell")

Do
    ' Block until the next event log record is written
    Set objLatestEvent = LoggedEvents.NextEvent
    intEventID = objLatestEvent.TargetInstance.EventCode

    Select Case intEventID
        Case 538
            wshShell.Run "net send 10.16.0.10 User logged off"
    End Select
Loop

Re: question about getting the user name of a logoff event. by Torgeir

Torgeir
Fri Jan 28 13:54:22 CST 2005

Adam Sandler wrote:

> Hello,
>
> I have a script which lets me actively monitor logoffs (the important
> portion is attached below). It works fine but I'm only interested in
> knowing about when a human logged off... I don't need to know about
> accounts with a "$" in them or system accounts. Is there any way I can
> filter or use a logical operator to prevent getting notified about
> them?
>
> Thanks!
>
> ==========
>
> Set objWMIServices =
> GetObject("WinMgmts:{impersonationLevel=impersonate,
> (Security)}\\.\root\cimv2")
> Set LoggedEvents = objWMIServices.ExecNotificationQuery ("Select * from
> __instancecreationevent where TargetInstance isa 'Win32_NTLogEvent'")
>
> set wshShell = WScript.createobject("wscript.shell")
>
> Do
> Set objLatestEvent = LoggedEvents.NextEvent
> intEventID = objLatestEvent.TargetInstance.EventCode
>
> Select Case intEventID
>
> Case 538
>
> wshShell.Run "net send 10.16.0.10 User logged off"
> End Select
>
> Loop

Hi

To filter only interactive logoff, for event ID 538, check if the
Description part of the event contains this:

Logon Type: 7



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

Re: question about getting the user name of a logoff event. by Torgeir

Torgeir
Fri Jan 28 14:00:53 CST 2005

Torgeir Bakken (MVP) wrote:

> To filter only interactive logoff, for event ID 538, check if the
> Description part of the event contains this:
>
> Logon Type: 7


Arghh, that was supposed to be


Logon Type: 2


(logon type 7 for event ID 538 is lock computer)


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

Re: question about getting the user name of a logoff event. by Adam

Adam
Mon Jan 31 10:49:44 CST 2005

So should my case block look like this then?

Case 538
    If objLatestEvent.TargetInstance.LogonType = 2 Then
        wshShell.Run "net send 10.16.0.10 User logged off"
    End If
End Select


Torgeir Bakken (MVP) wrote:
> Torgeir Bakken (MVP) wrote:
>
> > To filter only interactive logoff, for event ID 538, check if the
> > Description part of the event contains this:
> >
> > Logon Type: 7
>
>
> Arghh, that was supposed to be
>
>
> Logon Type: 2
>
>
> (logon type 7 for event ID 538 is lock computer)
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.mspx


Re: question about getting the user name of a logoff event. by Torgeir

Torgeir
Mon Jan 31 18:59:30 CST 2005

Adam Sandler wrote:

> So should my case block look like this then?
>
> Case 538
> If objLatestEvent.TargetInstance.LogonType = 2
> wshShell.Run "net send 10.16.0.10 User logged off"
> End If
> End Select

Hi

If you tried that, you would just get this:

Microsoft VBScript runtime error: Object doesn't support this property
or method: 'objLatestEvent.TargetInstance.LogonType'

The only properties available to you are the ones listed here:

Win32_NTLogEvent WMI class
http://msdn.microsoft.com/library/en-us/wmisdk/wmi/win32_ntlogevent.asp

As I wrote, you need to look for Logon Type 2 in the Description part
of the event, that would be Description as seen through eventvwr.msc,
that would be the same as the Message property in the link above.


Something like this should work I think:

'--------------------8<----------------------

Set objWMIServices = GetObject _
    ("WinMgmts:{impersonationLevel=impersonate,(Security)}\\.\root\cimv2")
Set LoggedEvents = objWMIServices.ExecNotificationQuery _
    ("Select * from __instancecreationevent where " _
    & "TargetInstance isa 'Win32_NTLogEvent'")

Set wshShell = CreateObject("wscript.shell")

Do
    Set objLatestEvent = LoggedEvents.NextEvent
    intEventID = objLatestEvent.TargetInstance.EventCode
    strEventMsg = objLatestEvent.TargetInstance.Message

    Select Case intEventID
        Case 538

            If InStr(1, strEventMsg, _
                "Logon Type:" & vbTab & "2", vbTextCompare) > 0 Then

                wshShell.Run "net send 10.16.0.10 User logged off"
            End If

    End Select
Loop

'--------------------8<----------------------


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
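
Added example (not part of the original thread or of Torgeir's script): the same Message-based check, extended to the other half of the question by also skipping machine accounts ending in "$" and built-in service accounts. The event 538 message layout, the constructed sample messages, the list of built-in account names and the helper names GetField, IsHumanLogoff and SampleMsg are assumptions made for illustration.

```vbscript
Option Explicit

' Returns the text that follows "<label>:" on its line in the event
' message, or "" when the label is not present.
Function GetField(strMsg, strLabel)
    Dim re, matches
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = strLabel & ":[ \t]*([^\r\n]*)"
    Set matches = re.Execute(strMsg)
    GetField = ""
    If matches.Count > 0 Then GetField = Trim(matches(0).SubMatches(0))
End Function

' True only for an interactive logoff (Logon Type 2) of an account that
' is neither a machine account ("$" suffix) nor a built-in account.
Function IsHumanLogoff(strMsg)
    Dim strUser
    strUser = UCase(GetField(strMsg, "User Name"))
    IsHumanLogoff = False
    If GetField(strMsg, "Logon Type") <> "2" Then Exit Function
    If strUser = "" Or Right(strUser, 1) = "$" Then Exit Function
    Select Case strUser
        ' Assumed list of built-in accounts; extend as needed
        Case "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"
            Exit Function
    End Select
    IsHumanLogoff = True
End Function

' Builds a constructed sample message in the assumed event 538 layout.
Function SampleMsg(strUser, strType)
    SampleMsg = "User Logoff:" & vbCrLf & _
        vbTab & "User Name:" & vbTab & strUser & vbCrLf & _
        vbTab & "Domain:" & vbTab & vbTab & "EXAMPLE" & vbCrLf & _
        vbTab & "Logon ID:" & vbTab & vbTab & "(0x0,0x1A2B3C)" & vbCrLf & _
        vbTab & "Logon Type:" & vbTab & strType
End Function

' Constructed cases: interactive user, machine account, workstation lock
WScript.Echo "jsmith, type 2:   " & IsHumanLogoff(SampleMsg("jsmith", "2"))
WScript.Echo "WKSTN01$, type 3: " & IsHumanLogoff(SampleMsg("WKSTN01$", "3"))
WScript.Echo "jsmith, type 7:   " & IsHumanLogoff(SampleMsg("jsmith", "7"))
```

In the monitoring loop, the InStr test can be replaced with If IsHumanLogoff(strEventMsg) Then.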

Re: question about getting the user name of a logoff event. by Adam

Adam
Tue Feb 01 09:17:51 CST 2005

Thanks for your help.... much appreciated!