Something I’ve toyed with in a bit is a script to work with Novell’s login system to reset the last known user logged in to the next default upon login. Not for purposes of hiding anything, but simply to make the login process easier (especially if something was changed between network and local login modes).

I ended up scrapping it as XP is becoming fast extinct with the end of service coming up in less than a year, however some quick notes for anyone trying to do this. It is definitely possible!

Windows XP

Everything is in the registry! You’ll need to examine the values hosted here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Finding the login time:

Within this key are subkeys that are pretty much pointers to different users and contains their log in times, although it is in a format I can’t confirm at the time being (though I do have a script that can convert this I’ll need to find and upload when I have more time). You’ll need to take interest in the “high” and “low” time presented.

I believe for the time being subtracting the larger number from the smaller number, and comparing that against the other accounts, would yield the last person logged in.

Finding who this belongs to:

Generally the subkeys are in the format S-1-5-*. These correlate to the keys in the root node HKEY_USERS. My script that I abandoned would have worked by first going through the ProfileList (the first key mentioned up above), grabbing the S-1-5-* identifier, then iterating through HKEY_USERS to find the name of the profile. The name can be found here. Once you have the S-1-5 ID you could, for example, navigate to here:

HKEY_USERS\S-1-5-21-4154294218-781191660-3493289840-1001\Software\Microsoft\Windows\CurrentVersion\Explorer

There should be a value in there that shows the actual username so you could put a face to the account.

Changing what is seen on next login:

You will need to modify the key DefaultUserName located here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Novell Info

For anyone that works in a Novell environment (home users don’t bother crossing this line!) and needs some more control over this, here are a couple of places of interest. For the local user that Novell uses to populate the workstation only it comes from the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Location\Services\{1E6CEEA1-FB73-11CF-BD76-00001B27DA23}\Default\Tab3\DefaultUserName

Also, my notes point out this location which is the other piece of the puzzle:

HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NMAS\1.1\LastLogin

Incomplete Scripts

I have some scripts which calculate the times. These are started in Autoit, the math should be fairly easy to see in it on how it calculates the dates.

Quick Proof of Concept:

I manually copied the high and low values, converted them to decimal, and threw some math at them which appeared to work. I’m fairly certain Microsoft uses this quite a bit. I just managed to find some data on this if you need more resources on this Windows ‘filetime‘ structure. There are plenty of hexadecimal to decimal converters online.

#include <Date.au3>

$high = "1ce3c67"
$low = "9af053e4"

$highdec = 30293095
$lowdec=  2599441380

;this is nanoseconds?
$diff = ((($highdec * (2^32 ))+ $lowdec / 600000000 - 0) / 1440)

$diff = $highdec * 2^32 + $lowdec
;missing bias below
;$diff = ($diff*1E-7/60)/1440 ;days (1 day = 1440 minutes)

;TESTING!
$diff = ($diff*1E-7/60) ;minutes (1 day = 1440 minutes)

$logindate = _DateAdd('n', 216846424, "1601/01/01 00:00:00")

MsgBox(1, "", $diff & "               " & $logindate)
ClipPut($diff)

;MsgBox(1, "", ($highdec * 2 ^ 32 + $lowdec / 600000000 - 0) / 1440)

Incomplete Version using Registry

I set out to iterate through the registry to grab the keys, then match them to users, then put it all out but that’s when I decided this whole thing had gone too far.

Looks like I had left a hardcoded variable at the _DateAdd so keep that in mind

#include <Date.au3>

For $i = 1 To 50
Local $var = RegEnumKey("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList", $i)
If @error <> 0 Then ExitLoop
Next

Local $iKeyname[$i]
Local $iProfileHigh[$i]
Local $iProfileLow[$i]

For $i = 1 To 50
Local $var = RegEnumKey("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList", $i)
If @error <> 0 Then ExitLoop
$iKeyname[$i]=$var
$iProfileHigh[$i]=RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" + $iKeyname[$i], "ProfileLoadTimeHigh")
$iProfileLow[$i]=RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" + $iKeyname[$i], "ProfileLoadTimeLow")
Next

MsgBox(4096, "SubKey #" & $i & " under HKLM\Software: ", $i)
MsgBox(4096, "SubKey #" & $i & " under HKLM\Software: ", $iKeyname[$i-1])

$high = "1ce3c67"
$low = "9af053e4"

$highdec = 30293095
$lowdec=  2599441380

;this is nanoseconds?
$diff = ((($highdec * (2^32 ))+ $lowdec / 600000000 - 0) / 1440)
$diff = $highdec * 2^32 + $lowdec
$diff = ($diff*1E-7/60) ;minutes (1 day = 1440 minutes)

$logindate = _DateAdd('n', 216846424, "1601/01/01 00:00:00")

MsgBox(1, "", $diff & "               " & $logindate)
ClipPut($diff)

This was abandoned so it may not work at all, but I do recall it pulling dates out properly.

No Comments

There are no comments related to this article.

Leave a Reply

Your email address will not be published. Required fields are marked *