Script log does not show the time when the workstation gets locked

  • Saturday, May 12, 2012 1:02 PM
     

    Hi All,

    I have a script which should record the time when the user logs in, logs off, locks or unlocks his computer.

    But the script does not show the time when the user locks his workstation or when the workstation gets locked automatically via the screen saver.

    The following is the script:

    '***********************************************************************
    'Title        : AuditLogoff.vbs
    'Description  : This script monitors logoff, lock and unlock events
    '               Designed by Marjolein J. for Naguaramipana 
    '               (TechNet Forum, 2009)
    'Date Created : April 21, 2009
    'Last Modified: -
    
    '***********************************************************************
    'Global Settings
    '***********************************************************************
    Option Explicit
    'On Error Resume Next
    
    Dim sLogFile, objFSO, objLogFile
    Dim iEventId, iEventLock, iEventUnlock, dtmStartDate, dtmEndDate
    Dim sComputer, objWMI, colLoggedEvents, objItem, objNet
    Dim sQuery, sDate, sYear, sMonth, sDay, sHour, sMinute, sSeconds
    
    Const ForAppending = 8
    Const ForReading   = 1
    
    sLogfile       ="d:\diversen\scripting\Audit.log" '\\Server\shared folder\log.log
    Set objFSO     = WScript.CreateObject ("Scripting.FileSystemObject")
    Set objLogFile = objFSO.OpenTextFile(sLogfile,ForAppending,True)
    
    iEventLock     = 538 '4634 '(Vista)
    iEventUnlock   = 528 '4624 '(Vista)
    
    Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
    Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
    dtmStartDate.SetVarDate DateValue(DateAdd("d",-1,Now)), True
    dtmEndDate.SetVarDate Now, True
    
    '***********************************************************************
    'Retrieve desired information and write to logfile
    '***********************************************************************
    
    '-----------------------------------------------------------------------
    'Find lock/unlock events
    '-----------------------------------------------------------------------
    
      sComputer = "."
      Set objWMI          = GetObject("winmgmts:{impersonationLevel=impersonate," & _
                            "(Security)}!\\" & sComputer & "\root\cimv2")
      Set colLoggedEvents = objWMI.ExecQuery ("Select * from Win32_NTLogEvent " & _
                            "Where Logfile ='Security' AND (EventCode = '" & _
                            iEventlock & "' OR EventCode = '" & iEventUnlock & "')")
    
      sQuery = "Select * from Win32_NTLogEvent Where Logfile = 'Security' AND " & _
               "(EventCode = " & iEventLock & " OR EventCode = " & iEventUnlock & ") " & _
               "AND ( TimeWritten >= '" & dtmStartDate & "' and TimeWritten < '" & _
                dtmEndDate & "') AND Message like '%Logon Type:%" & vbTab & "7%'"
    
      Set colLoggedEvents = objWMI.ExecQuery (sQuery)
    
    
      For Each objItem in colLoggedEvents
        sDate=objItem.TimeGenerated 
    
        sYear        = Left(sDate,4)
        sMonth       = Mid(sDate,5,2)
        sDay         = Mid(sDate,7,2)
        sHour        = Mid(sDate,9,2)
        sMinute      = Mid(sDate,11,2)
        sSeconds     = Mid(sDate,13,2)
    
        objLogFile.Writeline DateValue(sDay & " " & Left(MonthName(sMonth),3) & " "  & sYear) & " " & sHour & ":" & sMinute & ":" & sSeconds & ":" & _
                             objItem.Message
      Next
    
    '-----------------------------------------------------------------------
    'Write logoff information to log
    '-----------------------------------------------------------------------
    Set objNet = WScript.CreateObject("WScript.Network")
    objLogFile.Writeline "Logoff " & _
                         objNet.UserName & " " & _
                         objNet.ComputerName & " " & _
                         dateValue (Now) & " " & _
                         timeValue (Now)
    objLogfile.close
    
    wScript.Quit
    

    Please advise where the problem is.


    Thanks & Regards,
    Param
    www.paramgupta.blogspot.com


    • Edited by Param022012 Saturday, May 12, 2012 1:14 PM

All Replies

  • Saturday, May 12, 2012 1:16 PM
     
     
    Do the missing events show up in the event log when you examine it manually with eventvwr.exe? If they don't then your first step must be to change the security policy so that all events of interest are logged.
  • Saturday, May 12, 2012 4:01 PM
     
     

    Standard users cannot read the security log.  If you trap the error and write it to a file you will see that.

    If you run this under an admin account it will appear to work.

    Use a Windows Event (SENS) to log all user activity to a file.  The SENS event is installed by an admin and will be able to trigger on the security log and capture all of the information.  This can be forwarded, per-event, to a remote database if needed.

    In Vista and later this can be set up using Event Log tasks.  In earlier systems you will have to build a MOF to drive a script.


    ¯\_(ツ)_/¯

  • Saturday, May 12, 2012 4:26 PM
     

    Here is a small script to help you prove to yourself that what you are doing will not work.

    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
    Set colLoggedEvents = objWMI.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile='Application'")
    WScript.Echo "Application Log Total Events Found:" & colLoggedEvents.Count
    Set colLoggedEvents = objWMI.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile='Security'")
    WScript.Echo "Security Log Total Events Found:" & colLoggedEvents.Count

    First run the script as an admin to prove to yourself that it works, then run it as a normal user.  The count for security log will mysteriously be zero.

    Normal users have NO access to the security log.  This script and many like it have shown up for years.  They never work.  People keep trying to force it to work.  Can't be done by normal means.

    The best you can do is to use a login script to record the login and a logoff script to record the logoff.


    ¯\_(ツ)_/¯
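
The checks suggested in the replies above (confirm the events are really in the Security log, trap the error, compare an admin run with a standard-user run), as an added example that is not part of any post in this thread. It counts Security-log events per event ID used in the thread and writes either the count or the trapped WMI error to a file; the log file name `AuditCheck.log` and the helper `CountEvents` are assumptions made for this example.

```vbscript
' Added example (not from the thread). Run with: cscript //nologo AuditCheck.vbs
Option Explicit
Const ForAppending = 8

Dim fso, logFile, wmi, wbemDate, since, ids, id

Set fso = CreateObject("Scripting.FileSystemObject")
' Assumed location: AuditCheck.log next to this script
Set logFile = fso.OpenTextFile(fso.GetParentFolderName(WScript.ScriptFullName) & _
              "\AuditCheck.log", ForAppending, True)

' Window start: midnight yesterday, same expression the thread's scripts use
Set wbemDate = CreateObject("WbemScripting.SWbemDateTime")
wbemDate.SetVarDate DateValue(DateAdd("d", -1, Now)), True
since = wbemDate.Value

Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")

' Event IDs taken from the thread: 528/538 and 4624/4634 (Vista)
ids = Array(528, 538, 4624, 4634)
For Each id In ids
    logFile.WriteLine Now & " EventCode " & id & ": " & CountEvents(wmi, id, since)
Next
logFile.Close

' Returns the number of matching events as text, or the trapped error
Function CountEvents(svc, eventId, startValue)
    Dim col, n
    On Error Resume Next
    Set col = svc.ExecQuery("Select * from Win32_NTLogEvent Where Logfile = 'Security'" & _
              " AND EventCode = " & eventId & " AND TimeWritten >= '" & startValue & "'")
    ' Only touch the collection if the query itself did not fail
    If Err.Number = 0 Then n = col.Count
    If Err.Number <> 0 Then
        CountEvents = "ERROR 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    ElseIf n = 0 Then
        ' Per the thread: nothing audited in this window, or a standard user reading Security
        CountEvents = "0 events (not audited, or Security log not readable by this account)"
    Else
        CountEvents = n & " events"
    End If
    On Error GoTo 0
End Function
```

Comparing the file from an elevated run with one from a standard-user run separates an access problem from an audit-policy problem.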

  • Monday, May 14, 2012 12:57 PM
     
     

    Hi All,

    Thank you so much for your valuable Input.

    Just to inform you that I am running this script as Admin user only.


    Thanks & Regards,
    Param
    www.paramgupta.blogspot.com

  • Monday, May 14, 2012 1:22 PM
     
     

    Then you do not have detailed auditing turned on for logon events.


    ¯\_(ツ)_/¯

  • Wednesday, May 16, 2012 1:38 PM
     
     

    Hi Jrv,

    Thank you so much for your reply.

    Please see the below print-screen. I think I have enabled the required logon events.


    Thanks & Regards,
    Param
    www.paramgupta.blogspot.com

  • Wednesday, May 16, 2012 2:14 PM
     
     

    Are you saying you just enabled these events?

    Remember that standard users cannot read the event log.


    ¯\_(ツ)_/¯

  • Wednesday, May 16, 2012 3:55 PM
     
     Answered

    I repeat my previous reply:

    Do the missing events show up in the event log when you examine it manually with eventvwr.exe? If they don't then your first step must be to change the security policy so that all events of interest are logged.

    Unless you can see the events in the event logger, you are wasting your time looking for a problem with your script. Can you see them?

  • Wednesday, May 16, 2012 5:19 PM
     

    There are a number of logic errors in the code. I simplified this so you can see how you need to approach it and how to reduce the complexity.

    The results will still not give you exactly what you want.  Setting events on the event log will give you the correct information.

    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
    ' get the OS version and pick the event IDs that match it
    Set coll = wmi.ExecQuery("select * from Win32_OperatingSystem",,48)
    For Each os In coll
        a = Split(os.version,".")
        ' compare the major version as a number, not as a string
        If CInt(a(0)) > 5 Then
            iEventLock     = 4634
            iEventUnlock   = 4624
        Else
            iEventLock     = 538
            iEventUnlock   = 528
        End If
    Next
    ' get the start of the search window (midnight, one day back)
    Set wbemDate = CreateObject("WbemScripting.SWbemDateTime")
    wbemDate.SetVarDate DateValue(DateAdd("d",-1,Now)), True
    dtmStartDate = wbemDate.Value
    sQuery = "Select * from Win32_NTLogEvent Where Logfile = 'Security' AND " & _
               "(EventCode = " & iEventLock & " OR EventCode = " & iEventUnlock & ") " & _
               "AND (TimeWritten >= '" & dtmStartDate & "')"
                
    Set colLoggedEvents = wmi.ExecQuery(sQuery)
    For Each evt In colLoggedEvents
        With evt
            ' convert the WMI datetime string to a local VBScript date
            wbemDate.Value = .TimeGenerated 
            ' compare against the ID selected above, not a hard-coded 538
            If .EventCode = iEventLock Then
                WScript.Echo "Locked:" & wbemDate.GetVarDate(True)
            Else
                WScript.Echo "UnLocked:" & wbemDate.GetVarDate(True) 
            End If
        End With
    Next


    ¯\_(ツ)_/¯

  • Thursday, May 24, 2012 12:24 AM
     
     

    Where-Oh-Where is my little OP.  Gone! Gone! Gone!

    The old detailed login events logging issue.  You must enable detailed logging of login events.


    ¯\_(ツ)_/¯