Win32_NetworkLoginProfile LastLogon - The results are incorrect in domain joined machines.

  • General discussion

  • Greetings,

    I am in need of calculating the time taken from Ctrl + Alt + Del to the Desktop\Explorer.

    Based on multiple online posts, I have decided to use the Win32_NetworkLoginProfile and the property LastLogon - this works a treat on non-domain joined machines.

    However, the domain joined machines somehow often bring back inaccurate\incorrect results (an old LastLogon entry for the user).

    I would like to understand where Win32_NetworkLoginProfile pulls its data from. My assumption was that the data comes from the local machine that I am connecting to.

    A link to the WMI class
    https://msdn.microsoft.com/en-us/library/aa394221(v=vs.85).aspx

    The few lines I am running to achieve the mentioned. (Ignore the warnings for existing event log source)

    try{
        $Computer = hostname
        $LastLogon = $null
        $LastLogon = Get-WmiObject Win32_NetworkLoginProfile -ComputerName $Computer |
            Sort -Descending LastLogon |
            Select * -First 1 |
            ? {$_.LastLogon -match "(\d{14})"} |
                % {
                    New-Object PSObject -Property @{
                        Name=$_.Name ;
                        LastLogon=[datetime]::ParseExact($matches[0], "yyyyMMddHHmmss", $null)
                    }
                }
         # Subtract the full DateTime values; comparing TimeOfDay alone is wrong when LastLogon falls on another day
         $LogOnTime = ((Get-Date) - $LastLogon.LastLogon).TotalSeconds
         $Message = "It has taken  " + $LogOnTime + " seconds to load the Desktop from the time the credentials were entered by  " + $LastLogon.Name
         New-EventLog -Source "LogOnTime" -LogName Application
         Write-EventLog -LogName Application -Source "LogOnTime" -EntryType Information -EventId 12345 -Message $Message
         }
    Catch
        {
        Write-EventLog -LogName Application -Source "LogOnTime" -EntryType Information -EventId 12345 -Message "Something went wrong!"
        }   

    Thanking you in advance.
    Wednesday, July 27, 2016 10:41 PM

All replies

  • How to correctly convert a WMI time to a Windows time:

    $x=Get-WmiObject Win32_NetworkLoginProfile
    $x.ConvertToDateTime( $x.LastLogon)

    Steps 2.  No sweat,  Always accurate.


    \_(ツ)_/

    Wednesday, July 27, 2016 11:34 PM
  • Excellent, thanks for the tip.. but not sure if I got that right as I am getting an error as follows,

    PS H:\> $x=Get-WmiObject Win32_NetworkLoginProfile
    PS H:\> $x.ConvertToDateTime( $x.LastLogon)
    Exception calling "ConvertToDateTime" with "1" argument(s): "Exception calling "ToDateTime" with "1" argument(s):
    "Specified argument was out of the range of valid values.
    Parameter name: dmtfDate""
    At line:1 char:1
    + $x.ConvertToDateTime( $x.LastLogon)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : ScriptMethodRuntimeException

    Also to clarify, when I run the WMI query, I am getting results the way I am expecting however the actual values are *sometimes* incorrect.

    In other words, if I log on to the workstation right now and run the query below,

    PS H:\> Get-WmiObject Win32_NetworkLoginProfile -Property * | select lastlogon

    I get the following. I am happy with the time format etc.

    lastlogon
    ---------

    20160726164112.000000+720

    My problem is when it returns a date and time value, for example, from two days ago. I know the value is incorrect because I just logged on to the machine.

    On a non-domain joined machine, the result represents the actual log on time 100% of the time.

    Cheers


    Wednesday, July 27, 2016 11:53 PM
  • So now you get to learn about WMI in big letters:

    $x=Get-WmiObject Win32_NetworkLoginProfile
    $x[1].ConvertToDateTime( $x[1].LastLogon)


    \_(ツ)_/

    Thursday, July 28, 2016 12:20 AM
  • Thanks for the response but I am not sure if you have read my comments about the actual problem I am facing. I would like to understand where WMI query pulls its data from.

    Just using your couple of lines, I can demonstrate the "issue" I am seeing..

    1) Log on to laptop (fresh log on, not an unlock)

    2) Run Powershell prompt

    3) Run the 3 lines as below

    PS H:\> get-date

    Thursday, 28 July 2016 12:50:14 p.m.


    PS H:\> $x=Get-WmiObject Win32_NetworkLoginProfile
    PS H:\> $x[1].ConvertToDateTime( $x[1].LastLogon)

    Tuesday, 26 July 2016 4:41:12 p.m.

    The value returned by WMI query in this case is two days "old". But I just logged on!! Do you see what I am going on about?

    As per the TechNet article, the LastLogOn value is when the user last logged on to the system, therefore the returned value should be close to the result of the get-date.


    • Edited by Emil Roshan Thursday, July 28, 2016 1:04 AM
    Thursday, July 28, 2016 1:03 AM
  • It pulls it, I believe, from the network (AD) and it will be old when in a domain.

    \_(ツ)_/

    Thursday, July 28, 2016 1:32 AM
  • Thanks, and that is what I suspected as well, but finding any articles to confirm that is proving to be difficult. I guess if I run a Wireshark capture I should see if the query is going to any of the DCs.

    Thanks for your input.

    Thursday, July 28, 2016 1:43 AM
  • For domain accounts I cannot guess that any other method would be useful.

    Windows is tricky.  It is smart.  It knows its "context" always.  That is the function of a 21st century system.  Windows was in the 21st century in the late middle of the 20th century. 

    Some kids at Bell Labs, Texas Instruments and Intel invented these silly ideas. (a little help from PARC)


    \_(ツ)_/

    Thursday, July 28, 2016 1:55 AM
  • Hello,

    I want to get the LastLogoff time using that syntax. When I run that code I get

    01 January 0001 00:00:00

    Why is it coming out like that? I'll be waiting for your response.

    Tuesday, December 18, 2018 12:57 PM
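
Added example, not part of any post in this thread: a conversion that covers the two failures shown above, the "out of range" error when Win32_NetworkLoginProfile returns several instances and the 01 January 0001 result for LastLogoff. The helper name Convert-DmtfOrNull is hypothetical, and it assumes the 0001 date comes from a property that is empty or filled with asterisks; it targets Windows PowerShell, where Get-WmiObject is available.

```powershell
# Added example (not from the thread). Convert-DmtfOrNull is a hypothetical helper name.
function Convert-DmtfOrNull {
    param([string]$Value)

    # A DMTF datetime is exactly 25 characters: yyyyMMddHHmmss.ffffff+UUU.
    # Anything else (null, empty, or several values joined together) is rejected
    # here instead of raising "Specified argument was out of the range of valid values".
    if ([string]::IsNullOrEmpty($Value) -or $Value.Length -ne 25) { return $null }

    # Assumption: asterisks in the date part mean the field holds no time.
    # Return $null rather than letting the converter hand back DateTime.MinValue.
    if ($Value.Substring(0, 14) -match '\*') { return $null }

    try {
        [System.Management.ManagementDateTimeConverter]::ToDateTime($Value)
    }
    catch {
        $null
    }
}

# Value quoted in the thread, then a constructed "no value" string.
Convert-DmtfOrNull '20160726164112.000000+720'
Convert-DmtfOrNull '**************.******+***'

# Convert each instance on its own, so an array of profiles is never passed
# to the converter as a single argument.
Get-WmiObject Win32_NetworkLoginProfile |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            LastLogon  = Convert-DmtfOrNull $_.LastLogon
            LastLogoff = Convert-DmtfOrNull $_.LastLogoff
        }
    } |
    Sort-Object LastLogon -Descending
```

A $null in the LastLogon or LastLogoff column means the class had no usable timestamp for that profile, which is distinct from the stale-but-valid dates discussed earlier in the thread.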