Todd_Richardson
Engaged Sweeper
Trying to make something very cool for security.

Looking for a report which shows any admin group account logins over the last 30 days and any failed login attempts.

Next, I would like a list of any items listed in the following:
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
• HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
• HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
• HKCU\Software\Microsoft\Windows\CurrentVersion\RunonceEx


Lastly, I would also like for this to report on the critical signs of attempted takeover via security events in the system event logs.

Windows 7 regular expressions

Regular expression                                          Source       EventID
".*APPCRASH.*"                                              Application  1001
".*he protected system file.*"                              Application  64004
".*EMET_DLL Module logged the following event:.*"           Application  2
.*your virus/spyware.*                                      Application
".*A new process has been created\..*"                      Security     4688
".*A service was installed in the system\..*"               Security     4697
".*A scheduled task was created\..*"                        Security     4698
".*Logon Type:[\W]*(3|10).*"                                Security     4624, 4625
".*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.*"   Security     4657
".*service terminated unexpectedly\..*"                     System       7034
".*service was successfully sent a.*"                       System       7035

1 ACCEPTED SOLUTION
Susan_A
Lansweeper Alumni
We received and answered this question via email. For everyone else's benefit, I'm pasting the reply we sent via email below.
When Lansweeper scans a Windows computer, it automatically detects the currently logged on Windows user and adds a logon event for this user to the Lansweeper database. This information is stored in the tblcplogoninfo database table. We've included a sample report at the end of this email (report 1) that lists logon events detected for administrators on your Windows computers in the last 30 days. You can add a report like this to your Lansweeper installation by following these instructions.

You can report on failed logins by reporting on related Event Viewer entries on your Windows computers. We've included another sample report (report 2) at the end of this email that lists instances of two specific events detected on your Windows computers in the last 30 days. You can replace what we've highlighted in yellow with your own event IDs. A similar report can also be used to list the security events referenced at the end of your email. Keep in mind that:
  • Lansweeper only scans error events by default. To enable scanning of additional event types, follow these instructions.
  • As far as we know, failed logins are not logged in Event Viewer by default. You'll likely first need to enable logging of these events on your computers themselves. In the group policy editor of your computers, under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, you can edit the following policies to enable auditing: "Audit account logon events" and "Audit logon events".

The registry scanning feature in Lansweeper can only be used to scan specific registry values, not list all values in a registry key. However, information on which programs automatically start when a Windows computer is booted is automatically scanned by Lansweeper. We do not scan this information through the registry, but through WMI. WMI (Windows Management Instrumentation) is a framework built into Windows operating systems that stores system information. To build a report listing programs that are automatically started:
  • Open the report builder under Reports\Create New Report.
  • Double-click on tblAutorun and tblAutorunUni in the table list on the right to add the tables to your report.
  • In the visual representation of the report in the upper section of the report builder, tick the fields in the tables that you would like to display.
  • Give your report a title and hit Save & Run.

Report 1

Select Distinct Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.IPAddress,
tsysOS.OSname,
tblAssets.SP,
tblCPlogoninfo.Username,
tblCPlogoninfo.Domain As Userdomain,
tblCPlogoninfo.logontime
From tblAssets
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tblCPlogoninfo On tblAssets.AssetID = tblCPlogoninfo.AssetID
Inner Join tblUsersInGroup On tblUsersInGroup.AssetID = tblCPlogoninfo.AssetID
And tblUsersInGroup.Username = tblCPlogoninfo.Username And
tblUsersInGroup.Domainname = tblCPlogoninfo.Domain
Where tblCPlogoninfo.logontime > GetDate() - 30 And tblUsersInGroup.Admingroup = 1
Order By tblCPlogoninfo.logontime Desc


Report 2
Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tsysOS.OSname,
tblAssets.SP,
tblNtlog.Eventcode,
Case tblNtlog.Eventtype When 1 Then 'Error' When 2 Then 'Warning'
When 3 Then 'Information' When 4 Then 'Success Audit'
When 5 Then 'Failure Audit' End As Type,
tblNtlog.TimeGenerated,
tblNtlogFile.Logfile,
tblNtlogMessage.Message,
tblNtlogSource.Sourcename,
tblNtlogUser.Loguser
From tblAssets
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogUser On tblNtlogUser.LoguserID = tblNtlog.LoguserID
Where tblNtlog.Eventcode In (1000, 1001) And tblNtlog.TimeGenerated > GetDate() - 30
Order By tblNtlog.TimeGenerated Desc

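As an added example (not part of the reply above and not a Lansweeper-supplied report), Report 2 can be adapted into the failed-logon report the question asks for: it keeps only Security-log event 4625 (the failed-logon ID listed in the question's table), counts how many such events each asset produced in the window, and approximates the question's Logon Type 3/10 regex with Like patterns on the message text. Table and column names are those used in Report 2; the 'Security' log file name, the Eventtype value 5 for Failure Audit (from Report 2's Case expression) and the loose Logon Type match are assumptions.

```sql
-- Added example derived from Report 2 above (not a Lansweeper-supplied report).
-- Lists failed logons (Security event 4625, a Failure Audit) scanned in the last
-- 30 days, with a per-asset failure count so hosts with repeated failures sort
-- first. Only works once Lansweeper is set to scan Failure Audit events and the
-- audit policies named in the reply are enabled on the computers themselves.
Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.IPAddress,
  tsysOS.OSname,
  tblNtlog.Eventcode,
  tblNtlog.TimeGenerated,
  tblNtlogFile.Logfile,
  tblNtlogMessage.Message,
  tblNtlogUser.Loguser,
  -- Number of 4625 events this asset produced in the same 30-day window.
  (Select Count(*) From tblNtlog n
     Where n.AssetID = tblAssets.AssetID And n.Eventcode = 4625
       And n.TimeGenerated > GetDate() - 30) As FailuresLast30Days
From tblAssets
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
  Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogUser On tblNtlogUser.LoguserID = tblNtlog.LoguserID
Where tblNtlog.Eventcode = 4625
  And tblNtlogFile.Logfile = 'Security'   -- assumed value of the log file name
  And tblNtlog.Eventtype = 5              -- 5 = Failure Audit, per Report 2
  And tblNtlog.TimeGenerated > GetDate() - 30
  -- Loose approximation of the question's regex ".*Logon Type:[\W]*(3|10).*"
  -- (network and RemoteInteractive logons); whitespace after "Logon Type:"
  -- varies between OS versions, so this match is deliberately permissive
  -- and may also catch other digits that follow the label (assumption).
  And (tblNtlogMessage.Message Like '%Logon Type:%3%'
    Or tblNtlogMessage.Message Like '%Logon Type:%10%')
Order By FailuresLast30Days Desc, tblNtlog.TimeGenerated Desc
```

Drop the two Like lines to list every 4625 regardless of logon type; the per-asset count column still sorts the noisiest hosts to the top.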