I am looking for a reliable method to extract the last logon date/time for each user profile on a given machine.
Any ideas? Read below to see my current methods.
On Windows XP I already look in the registry and extract the ProfileLoadTimeHigh and ProfileLoadTimeLow values from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ key.
These value names exist in Vista, Windows 7 and 2008 but their value is always 0.
On these systems I have a kludgy way of extracting the data but I know it is not 100% accurate. On these operating systems I go to each registered profile directory and pull the lastwritetime value from the ntuser.pol file. This is fairly accurate but in XP (where I can use the method mentioned above) I see about a 3 - 4 minute difference between the time the ntuser.pol file was last written vs. the logontime shown in the registry.
The Win32_NetworkLoginProfile class in WMI has the same limitation. XP systems store the last logon in the LastLogon property but for later OSes this property is empty.
So there you have it. Where is the data that is supplied for XP located in Vista/7/2008?