Quick, how do I find all user accounts on a Windows PC and their login count?
Sometimes you need to know what user accounts exist on a system, and other times it simply helps narrow down your work. Either way, it is always beneficial to know as much case background as possible. All local Windows user account names, SIDs (Security Identifiers), login counts, creation dates, last password change dates, group memberships, and much more are stored in the SAM (Security Account Manager) registry hive, which lives at C:\Windows\System32\config\SAM alongside its transaction logs SAM.LOG1 and SAM.LOG2.
There are a few ways to parse this hive, but my two favourite free tools for this analysis are RegRipper and Registry Explorer. For both tools, begin by exporting the SAM hive from the path above. Windows keeps the live hive locked, so pull it from a forensic image, from a Volume Shadow Copy, or with an elevated `reg save HKLM\SAM <destination>` on a running system. (Exporting the SAM transaction logs as well is a good idea in case the hive is dirty, i.e. has changes sitting in the logs that were never written back to the hive. More on this here: http://bit.ly/2LKGzMB)
Registry Explorer (developed by Eric Zimmerman https://ericzimmerman.github.io/)
- First, go to File -> Load offline hive, and browse to your exported SAM file.
- Next, click on your new Hive, click on Bookmarks -> Common -> Users
- This action should populate the table like the one below. You can either resize the rows and columns within the application to better view the data, or export it to another format such as Excel with the “Export” button at the bottom right.
- Once you have the table cleaned up you will see useful user account information, including the login count for each user. As you can see, we have four user-created accounts on this system:
- Justin Laptop
- “Justin Laptop” appears to have logged in 227 times, whereas “Ellie” has never been logged into at all. This would persuade me to focus on the former rather than spend time looking through an account that has never been used. Keep in mind that the SAM only holds local accounts: domain users who logged on to this machine will not appear here, so check C:\Users and the ProfileList key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList) for those.
- The created date is an added benefit that can help determine whether an account was created within a time frame relevant to the investigation.
RegRipper (developed by Harlan Carvey https://github.com/keydet89/RegRipper2.8)
Unlike Registry Explorer, RegRipper doesn’t display the parsed data in its GUI. Instead, it writes everything to a text file. To operate this very simple tool:
- Direct the “Hive File” field to the SAM file you exported
- Direct the “Report File” field to wherever you want to save the file (name it whatever you want)
- Set the “Profile” to SAM (this runs the samparse plugin against the hive)
- Click “Rip it” and…..let it rip.
- You will see text appear in the white textbox space, telling you the process is done.
- Go to the Report File path and open it in any text editor (Notepad works fine). The output is clean and lists each user in its own block. Scrolling down, we again find our user “Justin Laptop” with a login count of 227.
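Both tools above are reading the same two binary values under each SAM\Domains\Account\Users\<RID> key: the fixed-layout F value (timestamps, RID, account flags, login counts) and the V value (username, full name, comment). The parser below is an added example written for this post, not code from Registry Explorer or RegRipper; it decodes those two values using the offsets that RegRipper's samparse plugin uses, and runs against constructed sample bytes so it works offline. In a real case you would feed it the raw bytes of F and V pulled from the exported hive with any hive-reading library (for example python-registry, assumed here, via Registry.Registry(path).open("SAM\\Domains\\Account\\Users\\000003E9").value("F").value()). The account creation date is not in F at all: both tools take it from the last-write time of the SAM\Domains\Account\Users\Names\<username> key, so the hive reader has to supply that timestamp separately.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF          # "account never expires" sentinel
V_DATA_BASE = 0xCC                  # string offsets in V are relative to this header size

# Account-control bits at F offset 0x38 (same table samparse uses).
ACB_FLAGS = {
    0x0001: "Account Disabled", 0x0002: "Home directory required",
    0x0004: "Password not required", 0x0008: "Temporary duplicate account",
    0x0010: "Normal user account", 0x0020: "MNS logon user account",
    0x0040: "Interdomain trust account", 0x0080: "Workstation trust account",
    0x0100: "Server trust account", 0x0200: "Password does not expire",
    0x0400: "Account auto locked",
}

def filetime_to_datetime(ft):
    """Aware UTC datetime, or None when the field is 0 or the 'never' sentinel."""
    if ft in (0, NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of the above; None encodes as 0 (used only to build sample data)."""
    if dt is None:
        return 0
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_f(f):
    """Decode the F value of SAM\\Domains\\Account\\Users\\<RID>."""
    if len(f) < 0x44:
        raise ValueError("F value too short: %d bytes" % len(f))
    last_login, = struct.unpack_from("<Q", f, 0x08)
    pwd_last_set, = struct.unpack_from("<Q", f, 0x18)
    expires, = struct.unpack_from("<Q", f, 0x20)
    last_failed, = struct.unpack_from("<Q", f, 0x28)
    rid, = struct.unpack_from("<I", f, 0x30)
    acb, = struct.unpack_from("<H", f, 0x38)
    failed_count, = struct.unpack_from("<H", f, 0x40)
    login_count, = struct.unpack_from("<H", f, 0x42)
    return {
        "rid": rid,
        "last_login": filetime_to_datetime(last_login),
        "password_last_set": filetime_to_datetime(pwd_last_set),
        "account_expires": filetime_to_datetime(expires),
        "last_failed_login": filetime_to_datetime(last_failed),
        "acb_flags": [name for bit, name in ACB_FLAGS.items() if acb & bit],
        "failed_login_count": failed_count,
        "login_count": login_count,
    }

def _v_string(v, off_field, len_field):
    off, = struct.unpack_from("<I", v, off_field)
    length, = struct.unpack_from("<I", v, len_field)
    start = V_DATA_BASE + off
    return v[start:start + length].decode("utf-16-le")

def parse_v(v):
    """Decode the UTF-16LE strings referenced by the V value header."""
    if len(v) < V_DATA_BASE:
        raise ValueError("V value too short: %d bytes" % len(v))
    return {"username": _v_string(v, 0x0C, 0x10),
            "full_name": _v_string(v, 0x18, 0x1C),
            "comment": _v_string(v, 0x24, 0x28)}

# --- constructed sample data (not from a real hive) ---------------------------
def build_f(rid, login_count, failed_count, acb, last_login, pwd_last_set):
    f = bytearray(0x50)
    struct.pack_into("<Q", f, 0x08, datetime_to_filetime(last_login))
    struct.pack_into("<Q", f, 0x18, datetime_to_filetime(pwd_last_set))
    struct.pack_into("<Q", f, 0x20, NEVER)
    struct.pack_into("<I", f, 0x30, rid)
    struct.pack_into("<H", f, 0x38, acb)
    struct.pack_into("<H", f, 0x40, failed_count)
    struct.pack_into("<H", f, 0x42, login_count)
    return bytes(f)

def build_v(username, full_name="", comment=""):
    header, data = bytearray(V_DATA_BASE), bytearray()
    for off_field, len_field, text in ((0x0C, 0x10, username),
                                       (0x18, 0x1C, full_name),
                                       (0x24, 0x28, comment)):
        enc = text.encode("utf-16-le")
        struct.pack_into("<I", header, off_field, len(data))
        struct.pack_into("<I", header, len_field, len(enc))
        data += enc
    return bytes(header + data)

UTC = timezone.utc
SAMPLE_USERS = {   # key name -> (V bytes, F bytes), mirroring the Users\<RID> keys
    "000003E9": (build_v("Justin Laptop", "Justin"),
                 build_f(1001, 227, 2, 0x0210, datetime(2019, 6, 1, 12, 0, tzinfo=UTC),
                         datetime(2018, 1, 15, 8, 30, tzinfo=UTC))),
    "000003EA": (build_v("Ellie"),
                 build_f(1002, 0, 0, 0x0214, None, datetime(2019, 5, 20, 9, 0, tzinfo=UTC))),
}

def summarize(users):
    """Merge F and V per account and sort most-used accounts first."""
    rows = []
    for key, (v, f) in users.items():
        info = parse_f(f)
        info.update(parse_v(v))
        info["key"] = key
        rows.append(info)
    return sorted(rows, key=lambda r: r["login_count"], reverse=True)

if __name__ == "__main__":
    for r in summarize(SAMPLE_USERS):
        print("%-14s RID %-5d logins %-4d last login %s  pwd set %s  flags %s"
              % (r["username"], r["rid"], r["login_count"], r["last_login"],
                 r["password_last_set"], ", ".join(r["acb_flags"])))
```

The login count at F offset 0x42 is a 16-bit counter, so it wraps at 65535; and a count of 0 together with a zero last-login timestamp is what an account that was created but never used looks like, as with “Ellie” above.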
It’s that simple!
You now can find out what user accounts exist on the system along with a bunch of helpful metadata about them! If you have any further questions or suggestions for new topics don’t hesitate to reach me through my twitter (@BoncaldoJ) or the Contact page.