Sign in to follow this  
Followers 0
iamtheky

WMI password age issue

6 posts in this topic

#1 ·  Posted (edited)

$Output=""
$strComputer = "localhost"

$wbemFlagReturnImmediately = 0x10
$wbemFlagForwardOnly = 0x20
$colItems = ""

$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")

    If @Error Then
        $Output = $Output & "Computer: " & $strComputer & ":" & @CRLF & "   UNREACHABLE" & @CRLF & @CRLF

    Else
        $Output = $Output & "Computer: " & $strComputer  & @CRLF
        $Output = $Output & "==========================================" & @CRLF
        $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")
        $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_NetworkLoginProfile", "WQL", _
                                          $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

            If IsObj($colItems) then
                For $objItem In $colItems

                $Output = $Output & "Caption: " & $objItem.Caption & @CRLF
                $Output = $Output & "Comment: " & $objItem.Comment & @CRLF
                $Output = $Output & "LastLogon: " & WMIDateStringToDate($objItem.LastLogon) & @CRLF
                $Output = $Output & "Name: " & $objItem.Name & @CRLF
                $Output = $Output & "NumberOfLogons: " & $objItem.NumberOfLogons & @CRLF
                $Output = $Output & "PasswordAge: " & round($objItem.PasswordAge / 86400) & " days"  & @CRLF
                $Output = $Output & "PasswordExpires: " & WMIDateStringToDate($objItem.PasswordExpires) & @CRLF & @CRLF

                Next
            Endif
    EndIf


msgbox(0, '' , $Output)



Func WMIDateStringToDate($dtmDate)

    Return (StringMid($dtmDate, 5, 2) & "/" & _
    StringMid($dtmDate, 7, 2) & "/" & StringLeft($dtmDate, 4) _
    & " " & StringMid($dtmDate, 9, 2) & ":" & StringMid($dtmDate, 11, 2) & ":" & StringMid($dtmDate,13, 2))
    
EndFunc

Does password age look right to anyone, its off by many hundreds of days on some, closer on others, but rarely accurate?  Any idea how to make this return reliable, or where to go get the actual password age.

Edited by boththose

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Share this post


Link to post
Share on other sites



#2 ·  Posted (edited)

WinNT object seems to be more accurate.  It will probably take some hunting to determine why in our environment networkloginprofile password age would greatly differ from the WinNT entry.

$system = "LOCALHOST"
$user = "USERNAME"

Local $adsPath = "WinNT://" & $system & "/" & $user & ",user"
Local $objuser = ObjGet($adsPath)


msgbox(0, '' , "System:  " & $system & @CRLF & "Name :  " & $objuser.name & @CRLF & "Password Age : " & round($objuser.passwordage / 86400) & " days." & @CRLF)
Edited by boththose
1 person likes this

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Share this post


Link to post
Share on other sites

#3 ·  Posted (edited)

boththouse, ObjGet is not returning an object for me, I'm using my username and $system = "LOCALHOST"
 
EDIT: Changed to

$system = "LOCALHOST"
$user = @ComputerName & "\\" & @UserName

And keeps not returning an object
 
EDIT2: Change to this and is working  :D

$system = @ComputerName
$user = @UserName

EDIT3: Now I'm curious about this objects thing
I discover that using "WinNT://" & ComputerName & "/" & @UserName does the same as "WinNT://" & ComputerName & "/" & @UserName & ",user"
This is a bit off topic but how do I get the Processor propriety? https://msdn.microsoft.com/en-us/library/aa746539(v=vs.85).aspx

Tried with:

Local $adsPath = "WinNT://" & $system & "/" & $user
$P = ObjGet($adsPath,"Computer")
ConsoleWrite($p.Processor&@LF)

but didn't return an object variable

Edited by Kyan

Heroes, there is no such thing

One day I'll discover what IE.au3 has of special for so many users using it.
C'mon there's InetRead and WinHTTP, way better
happy.png

Share this post


Link to post
Share on other sites

#4 ·  Posted (edited)

boththose,

Is this closer?

<code deleted, see below>

It looks like the field is a date/time formatted field and the time part (after the decimal) is not used.  Just guessing...

 

kylomas

Edited by kylomas

Forum Rules         Procedure for posting code

"I like pigs.  Dogs look up to us.  Cats look down on us.  Pigs treat us as equals."

- Sir Winston Churchill

Share this post


Link to post
Share on other sites

#5 ·  Posted (edited)

boththose,

The field appears to be CIM_DATETIME in interval format (see the link below).  Try this out...

$Output=""
$strComputer = "localhost"

$wbemFlagReturnImmediately = 0x10
$wbemFlagForwardOnly = 0x20
$colItems = ""

$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")

    If @Error Then
        $Output = $Output & "Computer: " & $strComputer & ":" & @CRLF & "   UNREACHABLE" & @CRLF & @CRLF

    Else
        $Output = $Output & "Computer: " & $strComputer  & @CRLF
        $Output = $Output & "==========================================" & @CRLF
        $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")
        $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_NetworkLoginProfile", "WQL", _
                                          $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

            If IsObj($colItems) then
                For $objItem In $colItems

                $Output = $Output & "Caption: " & $objItem.Caption & @CRLF
                $Output = $Output & "Comment: " & $objItem.Comment & @CRLF
                $Output = $Output & "LastLogon: " & WMIDateStringToDate($objItem.LastLogon) & @CRLF
                $Output = $Output & "Name: " & $objItem.Name & @CRLF
                $Output = $Output & "NumberOfLogons: " & $objItem.NumberOfLogons & @CRLF
                $Output = $Output & "PasswordAge: " & _cnvt_interval_format($objItem.passwordage)  & @CRLF
                $Output = $Output & "PasswordExpires: " & WMIDateStringToDate($objItem.PasswordExpires) & @CRLF & @CRLF

                Next
            Endif
    EndIf


msgbox(0, '' , $Output)

func _cnvt_interval_format($sIntrvl)
    return stringleft($sIntrvl,8) & ' Days ' & stringmid($sIntrvl,9,2) & ' hours ' & stringmid($sIntrvl,11,2) & ' minutes and ' & stringmid($sIntrvl,13,2) & ' seconds'
endfunc

Func WMIDateStringToDate($dtmDate)

    ; reformat date to mm/dd/yyyy hh:mm:ss and zero fill single digit values
    Return StringRegExpReplace(StringRegExpReplace($dtmDate, '(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2}).*', '$2/$3/$1 $4:$5:$6'), '(?<!\d)(\d/)', '0$1')

EndFunc

I found the following link about WMI datetime datatypes.

https://msdn.microsoft.com/en-us/library/aa390895(v=vs.85).aspx

kylomas

Edited by kylomas

Forum Rules         Procedure for posting code

"I like pigs.  Dogs look up to us.  Cats look down on us.  Pigs treat us as equals."

- Sir Winston Churchill

Share this post


Link to post
Share on other sites

nicely done, thanks.  I will confirm that it has widespread accuracy (and test against the WinNT age return) when i run another domain sweep on Monday.

 

Length of time a password has been in effect. This value is measured from the number of seconds elapsed since the password was last changed.

 

https://msdn.microsoft.com/en-us/library/aa394221(v=vs.85).aspx

 

I was not doing myself any favors.  I kept reading that as how the data was returned, when it clearly states only how the value is measured.


,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0