I am looking for a reliable method to extract the last logon date/time for each user profile on a given machine.
Any ideas? Read below to see my current methods.
On Windows XP I already look in the registry and extract the ProfileLoadTimeHigh and ProfileLoadTimeLow values from the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList key.
These value names exist in Vista, Windows 7 and 2008 but their value is always 0.
On these systems I have a kludgy way of extracting the data, but I know it is not 100% accurate. On these operating systems I go to each registered profile directory and pull the lastwritetime value from the ntuser.pol file. This is fairly accurate, but in XP (where I can use the method mentioned above) I see about a 3-4 minute difference between the time the ntuser.pol file was last written and the logon time shown in the registry.
The Win32_NetworkLoginProfile class in WMI has the same limitation. XP systems store the last logon in the LastLogon property but for later OSes this property is empty.
So there you have it. Where is the data that is supplied for XP located in Vista/7/2008?
The LastLogon property of Win32_NetworkLoginProfile should have it. On the Win7 machine I'm looking at right now, I opened wbemtest and ran:
The only entries that came back with <null> values for LastLogon were the built-in accounts like NT AUTHORITY\SYSTEM. All the other accounts in the list (which included both domain and local accounts) had valid values for LastLogon.
I'm not sure what would cause your systems to behave differently.
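The three sources discussed in this thread, compared per profile, as an added example that is not part of either post. It assumes Windows PowerShell with read access to HKLM and the profile directories; the function name Convert-ProfileLoadTime and the output column names are made up for illustration.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell (Get-WmiObject).
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$mask = [int64][uint32]::MaxValue   # keeps the low 32 bits of a DWORD

function Convert-ProfileLoadTime($High, $Low) {
    # ProfileLoadTimeHigh/Low are the two halves of one 64-bit FILETIME (UTC).
    $hi = [int64]$High -band $mask
    $lo = [int64]$Low  -band $mask
    if ($hi -eq 0 -and $lo -eq 0) { return $null }   # stored as 0: nothing recorded
    [DateTime]::FromFileTimeUtc($hi * 4294967296 + $lo)
}

# Index Win32_NetworkLoginProfile.LastLogon by account name (DOMAIN\user).
$wmiLogon = @{}
Get-WmiObject Win32_NetworkLoginProfile | ForEach-Object {
    if ($_.LastLogon) {
        try {
            $t = [Management.ManagementDateTimeConverter]::ToDateTime($_.LastLogon)
            $wmiLogon[$_.Name] = $t.ToUniversalTime()
        } catch { }   # values that do not parse as DMTF dates are skipped
    }
}

Get-ChildItem $profileList | ForEach-Object {
    $p   = Get-ItemProperty -LiteralPath $_.PSPath
    $sid = $_.PSChildName
    try {
        $name = (New-Object Security.Principal.SecurityIdentifier $sid).Translate(
                    [Security.Principal.NTAccount]).Value
    } catch { $name = $sid }   # SID that no longer resolves to an account

    # Approximation from the question: last write time of ntuser.pol.
    $dir = [Environment]::ExpandEnvironmentVariables([string]$p.ProfileImagePath)
    $polTime = $null
    if ($dir) {
        $pol = Get-Item -LiteralPath (Join-Path $dir 'ntuser.pol') -Force -ErrorAction SilentlyContinue
        if ($pol) { $polTime = $pol.LastWriteTimeUtc }
    }

    New-Object PSObject -Property @{
        Account             = $name
        RegistryLoadTimeUtc = Convert-ProfileLoadTime $p.ProfileLoadTimeHigh $p.ProfileLoadTimeLow
        NtUserPolWriteUtc   = $polTime
        WmiLastLogonUtc     = $wmiLogon[$name]
    }
} | Select-Object Account, RegistryLoadTimeUtc, NtUserPolWriteUtc, WmiLastLogonUtc
```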