LogonHist is a small utility (written in AutoitScript) that evaluates the Security Event Logs on the computer over a preset number of days (1-90) and returns the most prominent user (Primary Owner - PO). The PO is based on the EventCode/EventId 528 and Logon Types 2,7,10,11. It does NOT evaluate how long a user has been logged into a computer, just the amount of logins. I've found the LANDesk PO to not work well within our shop, so this utility was written in-house. It can be run as scheduled task, local scheduled task, etc.. and uses the LANDesk HKLM\Software\Intel\Landesk\Inventory\Custom Fields registry to write the user.
Source code, compiled exe, and readme.txt are included in the attached zip file. Readme contains all usage information. Use at your own risk
- 1.1 Added /f FQN Parameter Domain\user
- 1.1 Changed No Int Logins to not return error 10
- 1.1 Better WMI Handler - Actually Works this time
- 1.1 WMI Handler just exits and writes error to registry so it will not try to rerun after failure