May 29th, 2007, 02:38 AM
#11
You can use PSTools and use psinfo or psloggedon to determine how long the machine has been up or how long a user has been logged on.
Or, maybe use the powershell?
get-wmiobject Win32_OperatingSystem lastbootuptime
__GENUS : 2
__CLASS : Win32_OperatingSystem
__SUPERCLASS :
__DYNASTY :
__RELPATH :
__PROPERTY_COUNT : 1
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
LastBootUpTime : 20070528123000.375000-240
That doesn't exactly do the same thing you were looking for... determine the last shutdown.. but it determines at least the last reboot or boot.
If you were to use the following:
get-wmiobject Win32_OperatingSystem LocalDateTime
__GENUS : 2
__CLASS : Win32_OperatingSystem
__SUPERCLASS :
__DYNASTY :
__RELPATH :
__PROPERTY_COUNT : 1
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
LocalDateTime : 20070528215947.031000-240
Then you can subtract LastBootUpTime : 20070528123000.375000-240 from LocalDateTime : 20070528215947.031000-240, and you can determine that my computer has been "up" for about 9:29:47, giving you the uptime.
Wait! There's more!
You've already observed that one of the last services to stop before a shutdown/reboot is the eventlog. That happens to be stored in the system log and has an event id of 6006. As far as I know, this service can't be stopped any other way than a shutdown or reboot. (Though, I'm sure it's possible via system privilege elevation or a rootkit of sorts.)
get-eventlog System | where {$_.EventID -eq 6006} | format-list
Index : 18667
EntryType : Information
EventID : 6006
Message : The Event log service was stopped.
Category : (0)
CategoryNumber : 0
ReplacementStrings : {}
Source : EventLog
TimeGenerated : 5/27/2007 2:28:39 PM
TimeWritten : 5/27/2007 2:28:39 PM
UserName :
That coupled with entries in the security log of event id 551 (User initiated logoff)
get-eventlog Security | where {$_.EventID -eq 551} | format-list
Index : 422
EntryType : SuccessAudit
EventID : 551
Message : User initiated logoff:
User Name: user
Domain: DOMAIN
Logon ID: (0x0,0xxxxxx)
Category : Logon/Logoff
CategoryNumber : 2
ReplacementStrings : {user, COMPUTER, (0x0,0xxxxxx)}
Source : Security
TimeGenerated : 5/27/2007 2:28:07 PM
TimeWritten : 5/27/2007 2:28:07 PM
UserName : COMPUTER\user
So, from the above entries, we can determine that I logged off my computer around 2:28pm on 5-27-07 and turned it on again around 12:30pm on 5-28-07. This is pretty close if I had to guess. I don't recall the exact time I logged off (shutdown) and turned it on again today... but the above looks pretty damn close.
If you really need to get closer, you can probably use more info from that get-wmiobject Win32_OperatingSystem I posted above. To find out all the info you can query from it use
get-wmiobject Win32_OperatingSystem | get-member
That will list all the stuff you can query.
The following may be useful;
CountryCode
CurrentTimeZone
LastBootUpTime
LocalDateTime
Locale
Actually, I'm not sure those others would be useful at all. The CurrentTimeZone is also listed in the lastbootuptime and localdatetime (240 for me during eastern daylight time). countrycode and locale will only give you info on country and what kind of language set they're using.
Last edited by phishphreek; May 29th, 2007 at 11:51 AM.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
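The subtraction and event correlation described in the post above, as an added example that is not part of the original post. The function names ConvertFrom-DmtfDateTime and Get-ShutdownWindow are hypothetical, and the sample records are constructed from the values shown in the post's output.

```powershell
# Added example: names below are hypothetical; sample values come from the post's output.
function ConvertFrom-DmtfDateTime {
    param([Parameter(Mandatory = $true)][string]$Value)
    # DMTF layout: yyyyMMddHHmmss.ffffff, then a sign and the UTC offset in minutes
    if ($Value -notmatch '^(\d{14})\.(\d{6})([+-])(\d{3})$') {
        throw "Not a DMTF datetime: $Value"
    }
    $stamp = [datetime]::ParseExact($Matches[1], 'yyyyMMddHHmmss',
        [Globalization.CultureInfo]::InvariantCulture)
    $stamp = $stamp.AddTicks([long]$Matches[2] * 10)   # microseconds to 100 ns ticks
    $offset = [int]$Matches[4]
    if ($Matches[3] -eq '-') { $offset = -$offset }
    New-Object System.DateTimeOffset -ArgumentList $stamp, ([TimeSpan]::FromMinutes($offset))
}

function Get-ShutdownWindow {
    param($Events, [DateTimeOffset]$Boot)
    $bootLocal = $Boot.DateTime   # wall-clock time, comparable to TimeGenerated
    # Last "Event log service was stopped" (6006) before the boot
    $stop = $Events | Where-Object { $_.EventID -eq 6006 -and $_.TimeGenerated -lt $bootLocal } |
        Sort-Object TimeGenerated | Select-Object -Last 1
    if (-not $stop) { return }    # no clean shutdown recorded before this boot
    # Last user-initiated logoff (551) at or before that stop
    $logoff = $Events |
        Where-Object { $_.EventID -eq 551 -and $_.TimeGenerated -le $stop.TimeGenerated } |
        Sort-Object TimeGenerated | Select-Object -Last 1
    [pscustomobject]@{
        LastLogoff   = $logoff.TimeGenerated
        EventLogStop = $stop.TimeGenerated
        Boot         = $bootLocal
        PoweredOff   = $bootLocal - $stop.TimeGenerated
    }
}

$boot = ConvertFrom-DmtfDateTime '20070528123000.375000-240'   # LastBootUpTime in the post
$now  = ConvertFrom-DmtfDateTime '20070528215947.031000-240'   # LocalDateTime in the post
"Uptime: $($now - $boot)"

# Constructed records mirroring the two event log entries shown in the post
$sample = @(
    [pscustomobject]@{ EventID = 551;  TimeGenerated = [datetime]'2007-05-27 14:28:07' }
    [pscustomobject]@{ EventID = 6006; TimeGenerated = [datetime]'2007-05-27 14:28:39' }
)
Get-ShutdownWindow -Events $sample -Boot $boot | Format-List
```

On a live system, the combined output of the two get-eventlog queries from the post can be passed as `-Events`, since those records carry the same EventID and TimeGenerated properties.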