
Registry Timestamp



Hello,

I've seen SysInternals PsLoggedOn utility which tells you who is logged onto a PC, and what time they logged in using registry values. I just wondered if it's possible to do this in AutoIt?

I can figure out who is logged in easily enough by looking at HKEY_CURRENT_USER, getting the SID and then looping through the list of HKEY_USERS to find the matching SID to get the username.

The bit I'm stuck with is reading the timestamp of a registry key ("HKEY_USERS\ ** SID ** \Volatile Environment").

Anyone have any ideas how to do this?

SysInternals mention it in the PSLoggedOn section in this post here:

http://blogs.technet.com/sysinternals/arch.../30/452890.aspx

Thanks,

NiVZ


I found a func to get the date here:

http://forum.oszone.net/post-658840-590.html

Call:

Global Const $HKEY_USERS = 0x80000003
MsgBox(0, '', RegGetTimeStamp($HKEY_USERS,"*** SID ***\Volatile Environment"))

*GERMAN* [note: you are not allowed to remove author / modified info from my UDFs]My UDFs:[_SetImageBinaryToCtrl] [_TaskDialog] [AutoItObject] [Animated GIF (GDI+)] [ClipPut for Image] [FreeImage] [GDI32 UDFs] [GDIPlus Progressbar] [Hotkey-Selector] [Multiline Inputbox] [MySQL without ODBC] [RichEdit UDFs] [SpeechAPI Example] [WinHTTP]UDFs included in AutoIt: FTP_Ex (as FTPEx), _WinAPI_SetLayeredWindowAttributes


No. I don't understand a word. I searched in Google for RegQueryInfoKey and autoit and found this


Hello, me again,

I'm now wanting to try and use this to query a remote registry. I'm quite new to AutoIT and to using DllCall but I do understand the registry. I know I need to do a RegConnectRegistry to the other machine, but I can only find VB examples of this here:

http://support.microsoft.com/kb/315586

and here

http://msdn.microsoft.com/en-us/library/ms724840(VS.85).aspx

I've tried translating this to AutoIT but am getting nowhere fast.

I've attached the code I'm using for reading the local machine, and my non-working amended code trying to read the remote PC.

Thanks,

NiVZ


LocalLoginTime.au3

RemoteLoginTime.au3


Ah, got it now.

I had to use DllStructGetPtr to get a pointer to the remote PC and then use DllStructReadData(pointername,1) to get the data back when I want to read it.

I'll post some code once I've got it doing what I want it to. The aim of this was to copy the functionality that PSLoggedOn gives so you can see what time a PC was switched on, and what time the user logged in. You can also read the registry to see if the Session is local (on console) or RDP (if it's a remote).

Thanks,

NiVZ


Here's the function that can get the timestamp of a remote registry. I also changed the date to use UK format of dd/mm/yyyy instead of yyyy/mm/dd.

; Predefined registry hive handles
Global Const $HKCR = 0x80000000
Global Const $HKCU = 0x80000001
Global Const $HKLM = 0x80000002
Global Const $HKU  = 0x80000003
Global Const $HKCC = 0x80000005

;----------------------------------------------------------------------------------------------------------------

; Get Time That PC Was Started Up By Reading TimeStamp of Registry Key
$PC      = "\\MachineName"
$RegKey  = ".DEFAULT\Volatile Environment"
$RegTime = RegGetTimeStamp($PC, $HKU, $RegKey)

ConsoleWrite("PC " & StringReplace($PC,"\", "") & " Powered On At " & $RegTime & @CRLF)

;----------------------------------------------------------------------------------------------------------------

Func RegGetTimeStamp($iPC, $iRegHive, $sRegKey)
    Local $sRes='', $aRet, $hReg = DllStructCreate("int")
    Local $hRemoteReg = DllStructCreate("int")
    Local $FILETIME = DllStructCreate("dword;dword")
    Local $SYSTEMTIME1 = DllStructCreate("ushort;ushort;ushort;ushort;ushort;ushort;ushort;ushort")
    Local $SYSTEMTIME2 = DllStructCreate("ushort;ushort;ushort;ushort;ushort;ushort;ushort;ushort")
    ; DllCall is given the DLL names directly, so no DllOpen handles are needed.

    ; Connect to the requested hive on the remote PC
    $aRet = DllCall("advapi32.dll", "int", "RegConnectRegistry", _
        "str", $iPC , _
        "int", $iRegHive, _
        "ptr", DllStructGetPtr($hRemoteReg))
    If @error Then Return SetError(1, 0, 'Registry Connect Error!')
    If $aRet[0] Then Return SetError(1, $aRet[0], 'Registry Connect Error!')

    $aRet = DllCall("advapi32.dll", "int", "RegOpenKeyEx", _
        "int", DllStructGetData($hRemoteReg,1), _
        "str", $sRegKey, _
        "int", 0, _
        "int", 0x20019, _
        "ptr", DllStructGetPtr($hReg))
    If $aRet[0] Then Return SetError(2, $aRet[0], 'Registry Key Open Error!')
        
        
    $aRet = DllCall("advapi32.dll", "int", "RegQueryInfoKey", _
        "int", DllStructGetData($hReg,1), _
        "ptr", 0, "ptr", 0, "ptr", 0, "ptr", 0, "ptr", 0, "ptr", 0, "ptr", 0, "ptr", 0, "ptr", 0, "ptr", 0, _
        "ptr", DllStructGetPtr($FILETIME))
    If $aRet[0] Then Return SetError(3, $aRet[0], 'Registry Key Query Error!')
        
        
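    $aRet = DllCall("advapi32.dll", "int", "RegCloseKey", _
        "int", DllStructGetData($hReg,1))
    If $aRet[0] Then Return SetError(4, $aRet[0], 'Registry Key Close Error!')

    ; Also release the handle returned by RegConnectRegistry
    DllCall("advapi32.dll", "int", "RegCloseKey", _
        "int", DllStructGetData($hRemoteReg,1))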
        
        
    $aRet = DllCall("kernel32.dll", "int", "FileTimeToSystemTime", _
        "ptr", DllStructGetPtr($FILETIME), _
        "ptr", DllStructGetPtr($SYSTEMTIME1))
    If $aRet[0]=0 Then Return SetError(5, 0, 'Time Convert Error!')
        
        
    $aRet = DllCall("kernel32.dll", "int", "SystemTimeToTzSpecificLocalTime", _
        "ptr", 0, _
        "ptr", DllStructGetPtr($SYSTEMTIME1), _
        "ptr", DllStructGetPtr($SYSTEMTIME2))
    If $aRet[0]=0 Then Return SetError(5, 0, 'Time Convert Error!')
    
    ; UK Date Format
    $sRes &= StringFormat("%.2d",DllStructGetData($SYSTEMTIME2,4)) &'/'
    $sRes &= StringFormat("%.2d",DllStructGetData($SYSTEMTIME2,2)) &'/'
    $sRes &= StringFormat("%.2d",DllStructGetData($SYSTEMTIME2,1)) &' '
    $sRes &= StringFormat("%.2d",DllStructGetData($SYSTEMTIME2,5)) &':'
    $sRes &= StringFormat("%.2d",DllStructGetData($SYSTEMTIME2,6)) &':'
    $sRes &= StringFormat("%.2d",DllStructGetData($SYSTEMTIME2,7))

    Return $sRes
EndFunc

The format was the same as _NowCalc, so you were able to use it directly in the Date functions, which require yyyy/mm/dd HH:MM:SS
