How to Find User Name and IP address of users Logged on a Remote System

1

How can I find the user name (of the local machine) of the last logged-on user on a remote system? Is there any command or script we can use? I am able to capture the IP address of the local machine of the user but not the username. Please suggest.

Megha

Posted 2012-04-04T10:54:43.043

Reputation: 19

What OS? Linux/Mac/Windows? – brndr – 2015-09-03T11:50:06.190

The "local machine" does not have a "user name". Do you want the name of the user account that last logged in? – Daniel Andersson – 2012-04-04T11:07:45.193

It is not very clear which system you control - the local or the remote? It seems that you control what you call "remote system", and you call "local" what is local for the user, is that true? If so, it should be vice-versa. If not, I didn't understand. – lupincho – 2012-04-04T12:45:52.883

Hi Daniel and Lupincho, what I meant by local machine is the machine from which the user initiated the remote desktop connection. I want to capture the user's account details (username/userid) on that machine. I am able to capture the IP address of the machine from which users have logged in and the id used to log in to the remote machine, but what I want is the user's account info on the system from which he initiates the remote desktop connection. – Megha – 2012-04-19T07:30:00.103

@Megha: Then you are asking for data that only resides on the connecting party's computer. You can only get this data if the person gives consent, which concerns the Ident protocol mentioned among the answers. If not, getting this information, since it is not needed to log in remotely and thus not given by their clients, is probably even illegal if taken to the extreme (breaking into another computer to gain information). – Daniel Andersson – 2012-04-19T08:19:36.297

Answers

1

Run "quser" from Cmd. If you want to look into JSMITHPC, run "quser /server:JSMITHPC". I just tested from Windows 10 as a domain admin.

Christopher Hostage

Posted 2012-04-04T10:54:43.043

Reputation: 4 751
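
An added example, not part of the answer above: a parser for the output of the "quser" command the answer recommends, which copes with the blank SESSIONNAME column that disconnected sessions produce. The sample output is constructed, an English-locale column layout is assumed, and the names parse_quser and query_host are hypothetical.

```python
import re
import subprocess

# Constructed sample of English-locale quser output (not captured from a real host).
# The second session is disconnected, so its SESSIONNAME column is blank.
SAMPLE = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>jsmith                console             1  Active      none   12/27/2016 9:01 AM
 adoe                                      2  Disc        1:05   12/26/2016 4:30 PM
 bwong                 rdp-tcp#3           3  Active         .   12/27/2016 8:15 AM
"""

ROW = re.compile(
    r"^(?P<current>[ >])(?P<user>\S+)\s+"
    r"(?:(?P<session>\S*[^\d\s]\S*)\s+)?"   # optional: absent for disconnected sessions
    r"(?P<id>\d+)\s+(?P<state>\S+)\s+(?P<idle>\S+)\s+(?P<logon>.+?)\s*$"
)

def parse_quser(text):
    """Return one dict per session row; the header line is skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or an unexpected layout
        sessions.append({
            "user": m["user"],
            "session": m["session"] or "",
            "id": int(m["id"]),
            "state": m["state"],
            "idle": m["idle"],
            "logon": m["logon"],
            "current": m["current"] == ">",  # '>' marks the caller's own session
        })
    return sessions

def query_host(server):
    """Run quser against a host (Windows only) and parse the result."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", server):
        raise ValueError("unexpected characters in host name")
    out = subprocess.run(["quser", f"/server:{server}"],
                         capture_output=True, text=True)
    return parse_quser(out.stdout)

if __name__ == "__main__":
    for s in parse_quser(SAMPLE):
        print(s)
```

Splitting each row on whitespace alone would shift every field left for the disconnected session, which is why the session name is matched as an optional group that must contain a non-digit character.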

0

Username is an operating system-specific concept, not a network-specific concept. The IP tells you what machine but you'd have to do some in-depth analysis to glean a username from captured traffic, and it's possible you won't be able to. There are likely many grey-hat and black-hat tools that do (Cain/Abel, something like that?)

One simple way in Windows is to log on to this system as Administrator (use Sysinternals' psexec if you know an admin login, and want to do it without actually being at the machine or making it look like you are logging in), go to C:\Users, and sort by last modified date. The last logged in user should have the most recently modified files. This would probably work for Linux as well.

LawrenceC

Posted 2012-04-04T10:54:43.043

Reputation: 63 487

1 The "last modified date" trick in Windows 7/8/10 is not reliable, particularly when people stay logged in for long periods, or the Switch User function is used. I used to think so also, but the specific datum "Last modified date" on the C:\Users\JSmith folder does not always change when JSmith logs in. – Christopher Hostage – 2016-12-27T19:01:12.940