At my company, we perform
random scans of remote
machines on different subnets
to see whether they're creating
unnecessary traffic and hence are
compromised. Most of the compromised
machines have been located in
agencies that use our machines. People at
the agencies log on with the Active
Directory (AD) logon names my
company had given them for business needs.
Because we have thousands of
machines and thousands of logon
names, we needed a way to quickly
identify the logon names used on the
compromised machines so that we could disable those accounts. So, I
wrote a script, WhoLogon.vbs, to
detect who is logging on to a remote
machine that has been compromised.
Listing 1 contains WhoLogon.vbs. As
callout A in Listing 1 shows, this script
uses the UserName property of
Windows Management Instrumentations
(WMI's) Win32_ComputerSystem
class to obtain the name of the
currently logged-on user.
To launch this script, open a command-shell window and type
cscript whologon Machine
where
Machine is the name of the target remote computer. If CScript is your default scripting host, you can simply type
whologon Machine
You need WMI and Windows Script Host (WSH) 5.6 on the machine from which you want to launch WhoLogon.vbs. The remote machines should also have WMI and WSH 5.6 installed. I wrote and tested this script on machines running Windows XP and Windows 2000.
Register
For Each objItem In colItems
WScript.Echo "Current Login User on Computer " & strComputer & " is " & objItem.UserName
In that way, you don't have to click "OK" multiple times when you call the script without "cscript"
Also note that if a firewall blocks port 135/tcp between admin's machine and remote machine, it won't work.
I wish someone will improve this script with input area for computer name. I guess it shouldn't be too hard to do for experienced script person. (not me;)
Thanks.
ksmoe August 02, 2006 (Article Rating: