From cda9c1ceaa1f406d4f8a981fcdc67b0cd76bca4e Mon Sep 17 00:00:00 2001 From: goofoo Date: Wed, 20 May 2026 08:59:01 -0400 Subject: [PATCH 1/2] fix: add quser fallback for currently logged-on users On machines where only logon types 3/5 appear in the Security event log (remote sessions, VDI, etc.), the event-log scan returns no results. Fall back to quser to capture the currently logged-on user in those cases. Also guard against empty account names and wrap quser in a try/catch so any errors are handled cleanly rather than propagating to the scanner. Closes #110 --- .../User Last Logged On.ps1 | 66 ++++++++++++++++--- 1 file changed, 58 insertions(+), 8 deletions(-) diff --git a/PowerShell Scanners/User Last Logged On/User Last Logged On.ps1 b/PowerShell Scanners/User Last Logged On/User Last Logged On.ps1 index 96a8414..390a5b2 100644 --- a/PowerShell Scanners/User Last Logged On/User Last Logged On.ps1 +++ b/PowerShell Scanners/User Last Logged On/User Last Logged On.ps1 @@ -5,9 +5,10 @@ param ( [Switch]$Lowercase ) +$Results = New-Object System.Collections.ArrayList $UserArray = New-Object System.Collections.ArrayList -# Query all logon events with id 4624 +# Query all logon events with id 4624 Get-EventLog -LogName "Security" -newest 200 -InstanceId 4624 -ErrorAction "SilentlyContinue" | ForEach-Object { $EventMessage = $_ @@ -22,13 +23,13 @@ Get-EventLog -LogName "Security" -newest 200 -InstanceId 4624 -ErrorAction "Sile } # Look for events that contain local or remote logon events, while ignoring Windows service accounts - if ( ( $LogonType -in "2", "10", "11" ) -and ( $AccountName -notmatch "^(DWM|UMFD)-\d" ) ) { - + if ( ( $LogonType -in "2", "10", "11" ) -and ( $AccountName -notmatch "^(DWM|UMFD)-\d" -and ($AccountName -ne "") ) ) { + # Skip duplicate names if ( $UserArray -notcontains $AccountName ) { $null = $UserArray.Add($AccountName) - + # Translate the Logon Type if ( $LogonType -eq "2" ) { 
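Review bot: The new empty-name guard in the logon-type condition, `($AccountName -ne "")`, still lets a `$null` account name through, because `$null -ne ""` evaluates to True in PowerShell, so a null name would still be added to `$UserArray` and emitted as a result row. Replacing it with `( -not [string]::IsNullOrWhiteSpace($AccountName) )` rejects null, empty and whitespace-only names with a single test. Where `$AccountName` is assigned lies above this hunk, so whether a null value can actually reach the condition is inferred rather than visible here.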
@@ -39,19 +40,68 @@ Get-EventLog -LogName "Security" -newest 200 -InstanceId 4624 -ErrorAction "Sile $LogonTypeName = "Remote" } elseif ( $LogonType -eq "11" ) { - + $LogonTypeName = "Cached" } # Build an object containing the Username, Logon Type, and Last Logon time - [PSCustomObject]@{ + $null = $Results.Add([PSCustomObject]@{ Username = $AccountName LogonType = $LogonTypeName LastLogon = [DateTime]$EventMessage.TimeGenerated.ToString("yyyy-MM-dd HH:mm:ss") - } + }) } } -} \ No newline at end of file +} + +# Fall back to quser to catch currently logged-on users that have no matching security event +# (common on machines where only logon types 3/5 are present, e.g. remote-only or VDI sessions) +try { + $queryUser = quser 2>&1 +} +catch { + $Results + return +} + +if ( $LASTEXITCODE -ne 0 ) { + + $Results + return + +} + +$userName = $null +if ( $queryUser ) { + + if ( $queryUser -match '\s(\S+)\s+\d+\s' ) { + $userName = $matches[1] + } + +} + +if ( $null -eq $userName ) { + + $Results + return + +} + +if ( $Lowercase ) { + $userName = $userName.ToLower() +} + +if ( $UserArray -notcontains $userName ) { + + $null = $Results.Add([PSCustomObject]@{ + Username = $userName + LogonType = "Current User" + LastLogon = [DateTime](Get-Date) + }) + +} + +$Results From 7ba4cc230a04197bf64e2e3557b5c51342a24163 Mon Sep 17 00:00:00 2001 From: goofoo Date: Wed, 20 May 2026 09:29:55 -0400 Subject: [PATCH 2/2] style: fix OTBS violation in try/catch block --- .../User Last Logged On/User Last Logged On.ps1 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/PowerShell Scanners/User Last Logged On/User Last Logged On.ps1 b/PowerShell Scanners/User Last Logged On/User Last Logged On.ps1 index 390a5b2..fa5d976 100644 --- a/PowerShell Scanners/User Last Logged On/User Last Logged On.ps1 +++ b/PowerShell Scanners/User Last Logged On/User Last Logged On.ps1 
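Review bot: The quser fallback's `$queryUser -match '\s(\S+)\s+\d+\s'` is applied to a collection — quser prints a header row plus one row per session, so `$queryUser` is a string array — and when the left operand of `-match` is a collection PowerShell returns the matching elements but does not populate `$Matches`, so `$matches[1]` on the following line yields either `$null` or whatever an earlier scalar `-match`/`-notmatch` in the script left behind. Even against a single row the capture group picks the token immediately before the numeric ID column, which on a console session is the SESSIONNAME value (`console`) rather than the user name; this follows from quser's usual column order (USERNAME SESSIONNAME ID STATE …), which the hunk itself cannot confirm. Parsing row by row and taking the first token, after stripping the `>` marker quser places on the session running the query, avoids both problems while keeping the commit's first-session-only behaviour; the rewrite below replaces the `$userName = $null` … `}` block. As written, the fallback can emit a stale or wrong name as a `Current User` row, which matters for any detection pipeline that trusts this scanner's output. The rest of the script, including how `$UserArray` entries are normalised, is outside the hunk.
```powershell
$userName = $null
if ( $queryUser ) {
    # quser output: header row, then one row per session; the row for the
    # session running this query is prefixed with '>'. Take the first token.
    foreach ( $line in (@($queryUser) | Select-Object -Skip 1) ) {
        if ( $line -match '^\s*>?\s*(\S+)' ) {
            $userName = $matches[1]
            break
        }
    }
}
# … unchanged: null check, -Lowercase handling, $Results.Add and output …
```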
@@ -61,8 +61,7 @@ Get-EventLog -LogName "Security" -newest 200 -InstanceId 4624 -ErrorAction "Sile
 # (common on machines where only logon types 3/5 are present, e.g. remote-only or VDI sessions)
 try {
 $queryUser = quser 2>&1
-}
-catch {
+} catch {
 $Results
 return
 }