NiVZ

Registry Timestamp


NiVZ

Hello,

I've seen SysInternals PsLoggedOn utility which tells you who is logged onto a PC, and what time they logged in using registry values. I just wondered if it's possible to do this in AutoIt?

I can figure out who is logged in easily enough by looking at HKEY_CURRENT_USER, getting the SID and then looping through the list of HKEY_USERS to find the matching SID to get the username.

The bit I'm stuck with is reading the timestamp of a registry key ("HKEY_USERS\ ** SID ** \Volatile Environment").

Anyone have any ideas how to do this?

SysInternals mention it in the PSLoggedOn section in this post here:

http://blogs.technet.com/sysinternals/arch.../30/452890.aspx

Thanks,

NiVZ

JamesDover

Maybe this will get you started.

#include <Process.au3>

$rc = _RunDos("start c:\psloggedon" & " \\192.168.0.1 -u <yourAdminName> cmd")

ProgAndy

I found a func to get the date here:

http://forum.oszone.net/post-658840-590.html

Call:

Global Const $HKEY_USERS = 0x80000003
MsgBox(0, '', RegGetTimeStamp($HKEY_USERS,"*** SID ***\Volatile Environment"))

*GERMAN* [note: you are not allowed to remove author / modified info from my UDFs]My UDFs:[_SetImageBinaryToCtrl] [_TaskDialog] [AutoItObject] [Animated GIF (GDI+)] [ClipPut for Image] [FreeImage] [GDI32 UDFs] [GDIPlus Progressbar] [Hotkey-Selector] [Multiline Inputbox] [MySQL without ODBC] [RichEdit UDFs] [SpeechAPI Example] [WinHTTP]UDFs included in AutoIt: FTP_Ex (as FTPEx), _WinAPI_SetLayeredWindowAttributes

NiVZ

@ProgAndy - Thanks, that's exactly what I needed. Your Russian must be a lot better than mine ;o)

Thanks again,

NiVZ

ProgAndy

No. I don't understand a word. I searched in Google for RegQueryInfoKey and autoit and found this.


NiVZ

Hello, me again,

I'm now wanting to try and use this to query a remote registry. I'm quite new to AutoIT and to using DllCall but I do understand the registry. I know I need to do a RegConnectRegistry to the other machine, but I can only find VB examples of this here:

http://support.microsoft.com/kb/315586

and here

http://msdn.microsoft.com/en-us/library/ms724840(VS.85).aspx

I've tried translating this to AutoIT but am getting nowhere fast.

I've attached the code I'm using for reading the local machine, and my non-working amended code trying to read the remote PC.

Thanks,

NiVZ


LocalLoginTime.au3

RemoteLoginTime.au3

NiVZ

Ah, got it now.

I had to use DllStructGetPtr to get a pointer to the remote PC and then use DllStructReadData(pointername,1) to get the data back when I want to read it.

I'll post some code once I've got it doing what I want it to. The aim of this was to copy the functionality that PSLoggedOn gives so you can see what time a PC was switched on, and what time the user logged in. You can also read the registry to see if the Session is local (on console) or RDP (if it's a remote).

Thanks,

NiVZ

NiVZ

Here's the function that can get the timestamp of a remote registry. I also changed the date to use UK format of dd/mm/yyyy instead of yyyy/mm/dd.

Global Const $HKCR = 0x80000000
Global Const $HKCU = 0x80000001
Global Const $HKLM = 0x80000002
Global Const $HKU  = 0x80000003
Global Const $HKCC = 0x80000005

;----------------------------------------------------------------------------------------------------------------

; Get Time That PC Was Started Up By Reading TimeStamp of Registry Key
$PC      = "\\MachineName"
$RegKey  = ".DEFAULT\Volatile Environment"
$RegTime = RegGetTimeStamp($PC, $HKU, $RegKey)

ConsoleWrite("PC " & StringReplace($PC,"\", "") & " Powered On At " & $RegTime & @CRLF)

;----------------------------------------------------------------------------------------------------------------

; Returns the last-write time of a registry key on a remote PC as "dd/mm/yyyy HH:MM:SS" (local time).
; On failure returns an error string and sets @error (1 = connect, 2 = open, 3 = query, 4 = close, 5 = time conversion).
; Note: registry handles are passed as "int", which assumes a 32-bit AutoIt process.
Func RegGetTimeStamp($iPC, $iRegHive, $sRegKey)
    Local $sRes='', $aRet, $hReg = DllStructCreate("int")
    Local $hRemoteReg = DllStructCreate("int")
    Local $FILETIME = DllStructCreate("dword;dword")
    Local $SYSTEMTIME1 = DllStructCreate("ushort;ushort;ushort;ushort;ushort;ushort;ushort;ushort")
    Local $SYSTEMTIME2 = DllStructCreate("ushort;ushort;ushort;ushort;ushort;ushort;ushort;ushort")

    ; Connect to the predefined hive on the remote PC
    $aRet = DllCall("advapi32.dll", "int", "RegConnectRegistry", _
        "str", $iPC , _
        "int", $iRegHive, _
        "ptr", DllStructGetPtr($hRemoteReg))
    If @error Then Return SetError(1, 0, 'Remote Registry Connect Error!')
    If $aRet[0] Then Return SetError(1, $aRet[0], 'Remote Registry Connect Error!')

    ; Open the subkey read-only (0x20019 = KEY_READ)
    $aRet = DllCall("advapi32.dll", "int", "RegOpenKeyEx", _
        "int", DllStructGetData($hRemoteReg,1), _
        "str", $sRegKey, _
        "int", 0, _
        "int", 0x20019, _
        "ptr", DllStructGetPtr($hReg))
    If $aRet[0] Then
        Local $iOpen = $aRet[0]
        DllCall("advapi32.dll", "int", "RegCloseKey", "int", DllStructGetData($hRemoteReg,1))
        Return SetError(2, $iOpen, 'Registry Key Open Error!')
    EndIf

    ; Only the last parameter (lpftLastWriteTime) is requested
    $aRet = DllCall("advapi32.dll", "int", "RegQueryInfoKey", _
        "int", DllStructGetData($hReg,1), _
        "ptr", 0, "ptr", 0, "ptr", 0, "ptr", 0, "ptr", 0, "ptr", 0, "ptr", 0, "ptr", 0, "ptr", 0, "ptr", 0, _
        "ptr", DllStructGetPtr($FILETIME))
    Local $iQuery = $aRet[0]

    ; Close the key and the remote connection before checking the query result, so no handle is left open on error
    $aRet = DllCall("advapi32.dll", "int", "RegCloseKey", _
        "int", DllStructGetData($hReg,1))
    DllCall("advapi32.dll", "int", "RegCloseKey", "int", DllStructGetData($hRemoteReg,1))
    If $iQuery Then Return SetError(3, $iQuery, 'Registry Key Query Error!')
    If $aRet[0] Then Return SetError(4, $aRet[0], 'Registry Key Close Error!')

    ; FILETIME (UTC) -> SYSTEMTIME (UTC)
    $aRet = DllCall("kernel32.dll", "int", "FileTimeToSystemTime", _
        "ptr", DllStructGetPtr($FILETIME), _
        "ptr", DllStructGetPtr($SYSTEMTIME1))
    If $aRet[0]=0 Then Return SetError(5, 0, 'Time Convert Error!')

    ; SYSTEMTIME (UTC) -> SYSTEMTIME (local time zone of this PC)
    $aRet = DllCall("kernel32.dll", "int", "SystemTimeToTzSpecificLocalTime", _
        "ptr", 0, _
        "ptr", DllStructGetPtr($SYSTEMTIME1), _
        "ptr", DllStructGetPtr($SYSTEMTIME2))
    If $aRet[0]=0 Then Return SetError(5, 0, 'Time Convert Error!')

    ; UK Date Format (SYSTEMTIME fields: 1=year, 2=month, 4=day, 5=hour, 6=minute, 7=second)
    $sRes &= StringFormat("%.2d",DllStructGetData($SYSTEMTIME2,4)) &'/'
    $sRes &= StringFormat("%.2d",DllStructGetData($SYSTEMTIME2,2)) &'/'
    $sRes &= StringFormat("%.2d",DllStructGetData($SYSTEMTIME2,1)) &' '
    $sRes &= StringFormat("%.2d",DllStructGetData($SYSTEMTIME2,5)) &':'
    $sRes &= StringFormat("%.2d",DllStructGetData($SYSTEMTIME2,6)) &':'
    $sRes &= StringFormat("%.2d",DllStructGetData($SYSTEMTIME2,7))

    Return $sRes
EndFunc
ProgAndy

The format was the same as _NowCalc, so you were able to use it directly in Date functions, which require yyyy/mm/dd HH:MM:SS
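
An added example, not posted by anyone in this thread and written in Python rather than AutoIt: the approach discussed above, extended to walk every user hive loaded under HKEY_USERS and report the last-write time of each `Volatile Environment` key. The function names, the SID pattern and the `\\MachineName` placeholder are assumptions made for this example; the live query needs Windows, and for a remote PC the Remote Registry service and admin rights.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Account hives appear under HKEY_USERS as S-1-5-21-<domain>-<RID>; .DEFAULT,
# service SIDs (S-1-5-18/19/20) and the "_Classes" companions are skipped.
USER_SID = re.compile(r"^S-1-5-21(-\d+){4}$")


def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def user_sids(subkeys):
    """Keep only per-user hive names from the HKEY_USERS subkey list."""
    return [k for k in subkeys if USER_SID.match(k)]


def logon_times(machine=None):
    r"""Return {sid: last-write time of <sid>\Volatile Environment}.

    machine is None for the local PC, or a UNC name such as
    \\MachineName (placeholder) for a remote one.
    """
    import winreg  # standard library, present only on Windows

    result = {}
    with winreg.ConnectRegistry(machine, winreg.HKEY_USERS) as hku:
        count = winreg.QueryInfoKey(hku)[0]  # number of subkeys
        names = [winreg.EnumKey(hku, i) for i in range(count)]
        for sid in user_sids(names):
            try:
                with winreg.OpenKey(hku, sid + r"\Volatile Environment") as key:
                    # QueryInfoKey -> (subkeys, values, last-write FILETIME)
                    result[sid] = filetime_to_utc(winreg.QueryInfoKey(key)[2])
            except OSError:
                continue  # hive is loaded but the key is absent or unreadable
    return result


if __name__ == "__main__":
    for sid, when in logon_times().items():
        print(sid, when.astimezone().strftime("%d/%m/%Y %H:%M:%S"))
```

The timestamps come back in UTC; the `astimezone()` call at the bottom converts them to the local zone of the machine running the script, not of the machine being queried.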

