tags:

views:

205

answers:

1
+3  Q: 

Get current user's last logon

I am trying to get the current's user last logon. I might be this current session or it might be one before that.
I am calling GetUserName() to get the current username. I feed that into NetUserGetInfo() to try to get the last logon time. All this fails with error 2221 (user not found). When I tried with "administrator" it works. Even when I hardcode my username it returns a 2221. This is what I am using:

nStatus = NetUserGetInfo(NULL, L"administrator", dwLevel, (LPBYTE *) & pBuf);

How can you get the current user's last logon time?

thank you, code is always welcomed.

Here's the full code I am currently using:

DWORD dwLevel = 2;
NET_API_STATUS nStatus;
LPTSTR sStringSid = NULL;
LPUSER_INFO_0 pBuf = NULL;
LPUSER_INFO_2 pBuf2 = NULL;
WCHAR UserName[256];
DWORD nUserName = sizeof(UserName); 

if(GetUserName(UserName, &nUserName))
{
    printf("information for %ls\n", UserName);
    nStatus = NetUserGetInfo(NULL, UserName, dwLevel, (LPBYTE *) & pBuf);
    if (nStatus == NERR_Success) 
    {
        pBuf2 = (LPUSER_INFO_2) pBuf;
        printf("\tUser account name: %ls\n", pBuf2->usri2_name);
        printf("\tLast logon (seconds since January 1, 1970 GMT): %d\n", pBuf2->usri2_last_logon);
        printf("\tLast logoff (seconds since January 1, 1970 GMT): %d\n", pBuf2->usri2_last_logoff);
    }
    else
        fprintf(stderr, "NetUserGetinfo failed with error: %d\n", nStatus);

    if (pBuf != NULL)
        NetApiBufferFree(pBuf);
}
+2  A: 

You can try to use other level as 2 for example 11.

You can aslo try LsaGetLogonSessionData (see http://msdn.microsoft.com/en-us/library/aa378290.aspx). The struct SECURITY_LOGON_SESSION_DATA has a lot of information which can be helpful for you. The LUID (the first parameter of LsaGetLogonSessionData) you can get from GetTokenInformation with TokenStatistics and get AuthenticationId field of the TOKEN_STATISTICS struct.

UPDATED: I read more carefully your code and I see now your main error. Function NetUserGetInfo is very old. It exists in the time before Windows NT 3.1. The group of functions which Microsoft named now "Network Management" has the name "LAN Manager API". All the functions were introduced in the time where no local login exists. So you can use NetUserGetInfo with NULL as the first parameter only on a domain controller. So in the case that you login with the domain account you should call NetGetDCName, NetGetAnyDCName or better DsGetDcName to get the name of a domain controller and use this name (started with two backslashes) as the first parameter of NetUserGetInfo. If you login with a local workstation account your program should work, but the account seems me must be UNICODE string like L"Administrator" and not "Administrator". By the way if I login locally on my Windows 7 64-bit computer your program work without any problem. The code

nStatus = NetUserGetInfo(NULL, L"administrator", dwLevel, (LPBYTE *) & pBuf);

works also.

I repeat then in my opinion the best way to get user's last logon is the usage of LSA (Local Security Authority) API like LsaGetLogonSessionData. How promised I wrote for you a code example which shows how to use LsaGetLogonSessionData in C:

#include <windows.h>
#include <Ntsecapi.h>
#include <Sddl.h>
#include <tchar.h>
#include <stdio.h>
//#include <ntstatus.h>
#include <malloc.h>
#include <strsafe.h>

#pragma comment (lib, "Secur32.lib")
#pragma comment (lib, "strsafe.lib")

// The following constant may be defined by including NtStatus.h.
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif
// The LSA authentication functions are available in Unicode only.

BOOL GetLogonLUID (LUID *pLuid)
{
    BOOL bSuccess;
    HANDLE hThread = NULL;
    DWORD cbReturnLength;
    TOKEN_STATISTICS ts;

    __try {
        bSuccess = OpenProcessToken (GetCurrentProcess(), TOKEN_QUERY, &hThread);    // TOKEN_QUERY_SOURCE
        if (!bSuccess)
            __leave;

        cbReturnLength = sizeof(TOKEN_STATISTICS);
        bSuccess = GetTokenInformation (hThread, TokenStatistics, &ts, sizeof(TOKEN_STATISTICS), &cbReturnLength);
        if (bSuccess)
            *pLuid = ts.AuthenticationId;
    }
    __finally {
        if (hThread)
            CloseHandle (hThread);
    }

    return bSuccess;
}

void PrintUnicodeString (LPCTSTR pszPrefix, LSA_UNICODE_STRING lsaString)
{
    if (lsaString.MaximumLength >= lsaString.Length + sizeof(WCHAR) &&
        lsaString.Buffer[lsaString.Length/sizeof(WCHAR)] == L'\0')
        _tprintf (TEXT("%s: %ls\n"), pszPrefix, lsaString.Buffer);
    else if (lsaString.Length <= STRSAFE_MAX_CCH * sizeof(TCHAR)) {
        LPWSTR sz = (LPWSTR) _alloca (lsaString.Length + sizeof(WCHAR));
        StringCbCopyNW (sz, lsaString.Length + sizeof(WCHAR), lsaString.Buffer, lsaString.Length);
        _tprintf (TEXT("%s: %ls\n"), pszPrefix, sz);
    }
}

void PrintLogonType (SECURITY_LOGON_TYPE type)
{
    if (type < Interactive || type > CachedUnlock)
        // This is used to specify an undefied logon type
        _tprintf (TEXT("LogonType: UndefinedLogonType\n"));
    else {
        static LPTSTR szTypes[] = {
            TEXT("Interactive"),      // Interactively logged on (locally or remotely)
            TEXT("Network"),              // Accessing system via network
            TEXT("Batch"),                // Started via a batch queue
            TEXT("Service"),              // Service started by service controller
            TEXT("Proxy"),                // Proxy logon
            TEXT("Unlock"),               // Unlock workstation
            TEXT("NetworkCleartext"),     // Network logon with cleartext credentials
            TEXT("NewCredentials"),       // Clone caller, new default credentials
            TEXT("RemoteInteractive"),  // Remote, yet interactive. Terminal server
            TEXT("CachedInteractive"),  // Try cached credentials without hitting the net.
            // The types below only exist in Windows Server 2003 and greater
            TEXT("CachedRemoteInteractive"), // Same as RemoteInteractive, this is used internally for auditing purpose
            TEXT("CachedUnlock")        // Cached Unlock workstation
        };
        _tprintf (TEXT("LogonType: %s\n"), szTypes[(int)type-Interactive]);
    }
}

void PrintFilefime (LPCTSTR pszPrefix, const FILETIME *lpFileTime)
{
    SYSTEMTIME st;
    FILETIME ft;
    BOOL bSuccess;
    TCHAR szTime[1024], szDate[1024];

    bSuccess =  FileTimeToLocalFileTime (lpFileTime, &ft);
    if (!bSuccess)
        return;
    bSuccess = FileTimeToSystemTime (&ft, &st);
    if (!bSuccess)
        return;

    if (GetDateFormat (LOCALE_USER_DEFAULT, // or LOCALE_CUSTOM_UI_DEFAULT
                       DATE_SHORTDATE,
                       &st, NULL, szDate, sizeof(szDate)/sizeof(TCHAR)) > 0) {
        if (GetTimeFormat (LOCALE_USER_DEFAULT, // or LOCALE_CUSTOM_UI_DEFAULT
                           0, &st, NULL, szTime, sizeof(szTime)/sizeof(TCHAR)) > 0) {
            _tprintf (TEXT("%s: %s, %s\n"), pszPrefix, szDate, szTime);
        }
    }
}

int main()
{
    LUID LogonLuid; // LOGONID_CURRENT
    PSECURITY_LOGON_SESSION_DATA pLogonSessionData = NULL;
    LPWSTR pszSid = NULL;
    NTSTATUS ntStatus;

    GetLogonLUID (&LogonLuid);
    __try {
        ntStatus = LsaGetLogonSessionData (&LogonLuid, &pLogonSessionData);
        if (ntStatus == STATUS_SUCCESS) {
            if (pLogonSessionData->UserName.Length)
                PrintUnicodeString (TEXT("UserName"), pLogonSessionData->UserName);
            if (pLogonSessionData->LogonDomain.Length)
                PrintUnicodeString (TEXT("LogonDomain"), pLogonSessionData->LogonDomain);
            if (pLogonSessionData->AuthenticationPackage.Length)
                PrintUnicodeString (TEXT("AuthenticationPackage"), pLogonSessionData->AuthenticationPackage);
            PrintLogonType ((SECURITY_LOGON_TYPE)pLogonSessionData->LogonType);
            _tprintf (TEXT("Session: %d\n"), pLogonSessionData->Session);
            if (ConvertSidToStringSidW (pLogonSessionData->Sid, &pszSid))
                _tprintf (TEXT("Sid: %ls\n"), pszSid);
            if (pLogonSessionData->LogonTime.QuadPart)
                PrintFilefime (TEXT("LogonTime"), (const FILETIME *)&pLogonSessionData->LogonTime);
            if (pLogonSessionData->LogonServer.Length)
                PrintUnicodeString (TEXT("LogonServer"), pLogonSessionData->LogonServer);
            if (pLogonSessionData->DnsDomainName.Length)
                PrintUnicodeString (TEXT("DnsDomainName"), pLogonSessionData->DnsDomainName);
            if (pLogonSessionData->Upn.Length)
                PrintUnicodeString (TEXT("Upn"), pLogonSessionData->Upn);
            // one can dump more information like HomeDirectory, ProfilePath and so on
            // if _WIN32_WINNT >= 0x0600 and user login a domain
        }
    }
    __finally {
        if (pLogonSessionData)
            LsaFreeReturnBuffer(pLogonSessionData);
        if (pszSid)
            pszSid = (LPTSTR)LocalFree (pszSid);
    }
}
Oleg  2010-07-30 16:54:46
Thanks Oleg. Level 11 returns the exact same error. So far I haven't found an answer anywhere as to why this error is returned, even when the user DOES exist.I tried something similar to what you just suggested (check http://www.codeproject.com/KB/system/logonsessions.aspx) and i keep getting all messed up with the different structs and error messages suggesting that I don't have enough memory. Do you have a working snippet? thanks
Mr Aleph  2010-07-30 18:27:06
I foud an error in your code and post more other code examples after I bring my dauther in bed.
Oleg  2010-07-30 20:15:58
I tried with the unicode version but I just get the same error. The last snippet you posted seems to work. Now I need to figure how to get the last login for the user "prior" to the one just now, everytime you login the logontime gets overwritten with the current session. So of thew workstation was lock or on a screensaver and I log the last logon would be the time I logged *now*
Mr Aleph  2010-08-02 15:02:14
Operating system can not protocol all verification of the users password. It saves only when the users password was verified. In some protocols like Kerberos the login ticket can expire and it should be renewed before its expire. One more problem, that after the login the account can be disabled or deleted. In the case the time of the last password verification shows is the users login <b>more of less verified</b>. If you need some other login time you can use notifications like ISensNetwork or implement your own credential manager http://msdn.microsoft.com/en-us/library/aa374792.aspx.
Oleg  2010-08-02 15:38:37
thanks Oleg. I see what I can find now
Mr Aleph  2010-08-02 16:54:18

related questions

any good tool for makefile generation?
How do you pass a function as a parameter in C?
Where should a veteran C programmer start in order to master Java ?
Any good book on best practice and guidelines in developing a SDK in C?
How do you determine the size of a file in C?
Decoding printf statements in C (Printf Primer)
Shift operator in C
How to avoid redefining VERSION, PACKAGE, etc.
Alpha blending sprites in Nintendo DS Homebrew
When should I use type abstraction in embedded systems
How to implement continuations?
What are the barriers to understanding pointers and what can be done to overcome them?
Anyone have experience creating a shared library in MATLAB?
String.indexOf function in C
Passing multidimensional arrays as function arguments in C
C/C++ library for reading MIDI signals from a USB MIDI device
Choosing a static code analysis tool
How do you printf an unsigned long long int?
Good STL-like library for C.
Rockbox audio format
Why am I getting a malloc: double free error with realloc()?
Should I learn C?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS