-1

I logged in to my Windows 7 Enterprise machine as the tests user, which is a standard user, and ran a command to check the last logon info. Please refer to the output below.

>net user tests | findstr "logon"

Last logon 9/16/2021 12:18:17 PM

Then I ran the same command for the testa user, which is an administrator user on the same machine.

>net user testa | findstr "logon"

Last logon 9/16/2021 11:36:17 PM

Until now, net user was showing the expected information. Later I started services.msc with Run as administrator by providing the testa user's credentials, and executed the same command again. But this time the last logon timestamp had changed, as shown below.

>net user testa | findstr "logon"

Last logon 9/16/2021 12:19:17 PM

So, can anyone please help me with an explanation of what's happening here? I have mostly worked on the Linux platform and am quite new to Windows.

Does Windows start a session for admin users whenever the Run as administrator action is triggered?

Is there any better way to find out the last logon time for all users in Windows?

kit

1 Answer

0

There are, in a way, two types of logons.

The "full" type of logon where a user clicks their name to log in and a new TS session+window station+desktop is created and their shell (usually Explorer.exe) is started.

The other type of logon where the LogonUser function (or other related functions that require username and password) is called. This function creates a token that represents the user and their groups and privileges. The "full" logon also calls this function.

The Net API (and net.exe) is simply telling you about the last LogonUser authentication event.

I'm sure there are ways to figure out the "other" type of logon event as well but nothing pops into my head right now.

Programmatically you could create an NT service and get notified about session changes (look at the WTS* API).

Anders
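As an added example (not part of the question or the answer above), one way to see which authentications lie behind a "Last logon" value is to read the successful-logon records (event ID 4624) from the Security event log and keep the newest entry per account and logon type. It assumes logon auditing is enabled, an elevated PowerShell prompt, and a 7-day look-back window chosen here for illustration.

```powershell
# Added example: newest successful logon (Security event 4624) per account
# and logon type. Assumes an elevated prompt and that logon auditing is on.
$since = (Get-Date).AddDays(-7)   # assumed look-back window

# Logon type codes recorded in event 4624
$typeName = @{
    2 = 'Interactive';  3 = 'Network';          4 = 'Batch'
    5 = 'Service';      7 = 'Unlock';           8 = 'NetworkCleartext'
    9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the named <Data> fields of the event into a hashtable
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    $type = [int]$data['LogonType']
    if ($type -eq 5) { continue }                          # skip service logons
    if ($data['TargetUserName'] -like '*$') { continue }   # skip machine accounts

    $label = "Type $type"
    if ($typeName.ContainsKey($type)) { $label = $typeName[$type] }

    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $label
        Process   = $data['ProcessName']   # process that requested the logon
    }
}

# Keep only the most recent record for each (user, logon type) pair
$rows | Group-Object User, LogonType |
    ForEach-Object { $_.Group | Sort-Object Time -Descending | Select-Object -First 1 } |
    Sort-Object User, Time |
    Format-Table Time, User, LogonType, Process -AutoSize
```

Comparing the LogonType and Process columns for an account against the `net user` timestamp shows which authentication produced it.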