Unlock Hidden User Data with Get Last Logged On User PowerShell

Have you ever experienced the frustration of having to track down the last person who used a computer? Perhaps you’re a system administrator who needs to troubleshoot a problem or maybe you’re just trying to figure out who left their coffee mug on your desk. Either way it can be a real pain in the you-know-what. But fear not my friends for there is a solution: PowerShell. With a few simple commands you can easily find out who the last logged on user was and save yourself a lot of time and hassle.

The importance of knowing the last logged on user

Knowing who the last person to use a computer was can be crucial in a number of situations. For example if there’s been a security breach you need to know who was using the computer at the time to identify the culprit. Or if you’re trying to troubleshoot a problem knowing who was logged on can help you narrow down the cause. And let’s be honest sometimes you just want to know who to blame for the mess on your desk. Whatever your reason being able to quickly and easily find out who the last logged on user was can save you a lot of time and frustration.

Now without further ado here are the PowerShell commands you need to know to get the last logged on user:

Command Description
Get-EventLog -LogName Security | where {$_.EventID -eq 4624} | sort TimeGenerated -Descending | select -First 1 | %{ $_.ReplacementStrings[5] } Returns the username of the last person to log on to the computer.
Get-WmiObject -Class Win32_ComputerSystem | select username Returns the username of the person currently logged on to the computer.

So there you have it folks. With these handy PowerShell commands you’ll never have to wonder who the last person to use a computer was again. Now go forth and track down those coffee mug culprits!

Get last logged on user powershell

Want more info? Check out 0x1 Task Scheduler and Savservice Exe.

Understanding PowerShell

Ah PowerShell. It’s like the Swiss Army knife of operating system tools. But if you’re still unfamiliar with it don’t worry – I won’t judge. In fact I’m here to help you understand what PowerShell is and how it can make your life easier or at least more interesting.

In a nutshell PowerShell is a command-line interface and scripting language for Windows. It’s like the Batcomputer for IT folks enabling them to automate and manage system tasks with ease. If you’re someone who loves efficiency and hates doing repetitive tasks PowerShell is your ticket to freedom.

But don’t let its nerdy exterior fool you – PowerShell is a powerful and versatile tool that can do anything from simple tasks like changing file extensions to more complex stuff like automating Active Directory migrations. You can even use it to interact with servers and other computers remotely.

What Makes PowerShell So Awesome?

For starters PowerShell is easy to learn. If you’re already familiar with other scripting languages like Python or Perl PowerShell’s syntax won’t be hard to pick up. And even if you’re a complete newbie you can learn PowerShell basics in a few days with the help of online tutorials and courses.

Another thing that makes PowerShell great is its ability to work with other programs and tools. You can use it to interact with SQL Server Exchange Azure and other Microsoft products and even integrate it with other programming languages like C# and Visual Basic.

But perhaps the most impressive thing about PowerShell is its ability to create custom commands and scripts. You can write a script that does everything from managing Active Directory to sending email notifications all with just a few lines of code. And once you’ve created a script you can reuse it as many times as you want saving yourself even more time and effort.

A Word of Warning

Now I know I’ve been singing PowerShell’s praises this whole time but there is a downside – with great power comes great responsibility. If you’re running PowerShell commands scripts or modules you need to be aware of the potential risks involved. Malicious code can easily hide in PowerShell so make sure you’re downloading scripts from trustworthy sources and testing them thoroughly before running them on your system.

But don’t let that scare you off – as long as you’re careful and vigilant PowerShell can be an incredibly useful and powerful tool. And who knows you might even end up loving it as much as I do.

Basic PowerShell commands

Alright my fellow tech wizards. Let’s dive into the magical world of PowerShell! Don’t worry if you’re a beginner we’ll start with basic commands and gradually work our way up to more advanced stuff.

First up let’s get the last logged on user using PowerShell. Trust me this is a useful trick to have up your sleeve.

Open up PowerShell on your computer and type in the following command:

Get-WmiObject –Class Win32_ComputerSystem | Select-Object UserName

Hit enter and voila! You’ve just pulled up the username of the last person who logged on to this computer.

Just a heads up this command won’t work if nobody has logged on to the computer since it was last restarted. In that case you’ll have to do a bit more digging.

Alright now that we’ve got that out of the way let’s move on to some other basic commands.


Want to see what processes are running on your computer right now? No problem just type in this command:


This will give you a list of all the processes currently running on your computer. You can also use the ‘-Name’ parameter to filter for a specific process name.


Need to check if a particular service is running on your computer? Easy peasy. Just type in:


This will give you a list of all the services currently running on your computer. You can also use the ‘-Name’ parameter to filter for a specific service name.


Feeling stuck and need some help? Don’t worry PowerShell’s got your back. Just type in:


This command will give you a list of all the cmdlets available in PowerShell. You can also use the ‘-Name’ parameter to get help with a specific cmdlet.

That’s it for now folks. Stay tuned for more advanced PowerShell tricks in the future!

Get-WinEvent command

Now it’s time to unleash the big guns – the Get-WinEvent command. This powerful command is like a Swiss Army knife for getting event log information. Sneakily named this command can be used to retrieve events from any event log and broken down by specific criteria. It’s like having a naughty little helper that can read the whole book for you and give you the juicy details.

To start using this command you need to open your PowerShell console as an administrator and then type in the following command:

Get-WinEvent -LogName “Security” | Where-Object {$_.ID -eq 4624} | Select-Object -Property TimeCreated Message

Now let me break it down for you:

– The `-LogName` parameter specifies which event log to retrieve events from. In this example we’re focusing on the Security Event Log.
– The `Where-Object` cmdlet filters the results to display only those with a specific Event ID. In this example we’re filtering for Event ID 4624 which is associated with a successful user logon event.
– The `Select-Object` cmdlet selects specific properties to display in the output. In this example we only want to see the TimeCreated and Message properties.

This command is just scratching the surface of what Get-WinEvent can do. You can use it to search for events based on a range of date and time event level keywords and more. It’s like a magician’s wand for getting the information you need when you need it.

But be warned with great power comes great responsibility. So make sure you use this command wisely and not for anything harmful. You don’t want to end up on the naughty list of your IT department.

Getting Fancy with Get-WinEvent

Now that we’ve covered the basics of Get-WinEvent let’s get fancy with it. Want to search for events that occurred between two specific dates? No problem just use the `-StartTime` and `-EndTime` parameters. Need to filter events by user account name? Easy peasy just use the `-FilterXPath` parameter. You can even search for events that contain specific keywords with the `-Message` parameter.

But before you start using these advanced features make sure you read the documentation thoroughly. Getting too fancy with Get-WinEvent can be like playing with fire without a fire extinguisher. So make sure you know what you’re doing and always test your commands in a non-production environment first.

In conclusion Get-WinEvent is a powerful command that can help you easily retrieve event log information. Whether you’re troubleshooting an issue or just being nosy this command is your new best friend. So go forth and use it wisely (and maybe a little mischievously).

Filtering events to retrieve last logged on user

Now that we’ve covered the basics of using PowerShell to retrieve the last logged on user let’s dive a little deeper. One thing that can make this process much easier is filtering the event log to only show logon and logoff events.

To do this we’ll use the Get-EventLog cmdlet with some specific parameters. First we’ll specify that we only want events from the Security log. Then we’ll use the -InstanceId parameter to filter for only logon and logoff events.

Here’s a sample command that does just that:

Get-EventLog -LogName Security -InstanceId 4624 4625 | Select-Object -Property *@{Name='User';Expression={$_.ReplacementStrings[5]}} | Sort-Object -Property TimeGenerated -Descending | Select-Object -First 1

But what does all of that mean? Let’s break it down.

The -LogName parameter tells PowerShell that we only want to look in the Security log. The -InstanceId parameter specifies that we only want events with ID numbers 4624 (logon events) and 4625 (logoff events).

The | (pipe) symbol is used to pass the output from one command to the next. In this case we’re piping the output from Get-EventLog to the Select-Object command.

The Select-Object command does a couple of things. First it selects all of the properties from the event log using the * wildcard. Then it creates a custom property called ‘User’ that extracts the username from the event log’s ‘ReplacementStrings’ property.

Finally we’re using the Sort-Object command to sort the events by the time they were generated in descending order. This way the most recent logon event will be at the top of the list. We’re then using Select-Object again to select only the first event in the list which will be the most recent logon event.

But wait there’s more!

There are a few other things you can do to make this command even more useful. For example you can use the -After parameter to only show events that occurred after a certain date and time. You can also use the -Before parameter to only show events that occurred before a certain date and time.

Here’s an example that shows only logon events that occurred in the last 24 hours:

Get-EventLog -LogName Security -InstanceId 4624 -After (Get-Date).AddDays(-1) | Select-Object -Property *@{Name='User';Expression={$_.ReplacementStrings[5]}} | Sort-Object -Property TimeGenerated -Descending | Select-Object -First 1

And here’s an example that shows the last logon event for a specific user:

Get-EventLog -LogName Security -InstanceId 4624 | Select-Object -Property *@{Name='User';Expression={$_.ReplacementStrings[5]}} | Where-Object {$_.User -eq 'domainusername'} | Sort-Object -Property TimeGenerated -Descending | Select-Object -First 1

So there you have it. With a little bit of PowerShell magic you can easily retrieve the last logged on user for a Windows computer. And who knows maybe with enough practice you’ll become a PowerShell wizard yourself!

Retrieving last logged on user remotely

Alright let’s be real here. As IT professionals we are always on the lookout for ways to save time and optimize our workflow. And one incredibly useful tool for this is PowerShell. In this article I’m going to show you how to retrieve the last logged on user remotely using PowerShell.

Let’s get started

First things first open your PowerShell console and enter the following command:

Get-WmiObject -Class Win32_ComputerSystem -ComputerName REMOTE_COMPUTER_NAME | Select-Object UserName

But of course replace “REMOTE_COMPUTER_NAME” with the name of the computer you want to retrieve the last logged on user from. And voila – you should see the username of the last person who logged on to that computer.

Now I know what you’re thinking. “But wait what if I want to retrieve the last logged on user from multiple computers?” Well my friend that’s where things get really interesting. Just use the following command to get the last logged on user from an entire Active Directory domain:

Get-ADComputer -Filter * | ForEach-Object { Get-WmiObject -Class Win32_ComputerSystem -ComputerName $_.Name | Select-Object -Property UserName PSComputerName } | Sort-Object PSComputerName | Format-Table -AutoSize

Like seriously? It’s that simple? Yes my friend. Yes it is.

But wait there’s more

Now what if you want to see the last login time as well? No problem. Just use this command instead:

Get-WmiObject -Class Win32_NetworkLoginProfile -ComputerName REMOTE_COMPUTER_NAME | Select-Object Name LastLogon

And again replace “REMOTE_COMPUTER_NAME” with the name of the computer you want to retrieve the last logged on user and time from.

Time to wrap it up

So there you have it folks. Retrieving the last logged on user remotely using PowerShell is quick easy and ridiculously powerful. With these commands in your back pocket you’re sure to impress your coworkers and save yourself a ton of time in the process. Happy scriptin’!

Troubleshooting errors

So you’re trying to get the last logged on user in PowerShell and suddenly BAM! You hit an error message. Don’t panic this is just the universe testing your dedication to the cause.

First thing’s first make sure you’re running PowerShell as an administrator. Ain’t nobody got time for non-admin privileges. If that doesn’t work try using a different PowerShell module or version. It’s like trying on different shoes sometimes one size doesn’t fit all.

Next up double check your spelling and syntax. Are you missing a curly brace a semicolon or perhaps Satan himself snuck into your code and changed a character just for shits and giggles? It wouldn’t be the first time trust me.

If you’re still stumped it’s time to take a break and meditate on it. Channel your inner Yoda and let the Force guide you towards a solution. (Jedi robes optional but highly recommended.)

But wait there’s more! If the error isn’t specific enough try adding “-ErrorAction Stop” to your command. This will cause PowerShell to stop immediately if an error occurs and give you a more detailed message.

Lastly don’t be afraid to turn to the all-knowing Google for help. There’s probably a forum or a blog out there with someone who has encountered the same issue and found a solution.

And remember even Darth Vader had to troubleshoot errors in his Force choke technique before he could become the ultimate Sith Lord. Stay strong young Padawan and may the PowerShell be with you.

Limitations of the Get-WinEvent command

Ah PowerShell the language that is both the bane and boon of every sysadmin’s existence! While Get-WinEvent is a handy cmdlet for retrieving event logs it’s not without its limitations. Sure Get-WinEvent can fetch essential information like the name of the user who last logged on but it can’t do everything.

Non-Standardized Data

First and foremost Get-WinEvent’s greatest limitation is also its greatest strength: Event logs are not always standardized. It means that depending on the type or source of the event log the data fetched by Get-WinEvent may vary. You might find yourself lost in a maze of inconsistent data. Not to mention the problems that can arise when the event log you’re trying to fetch data from is for some reason encrypted or locked away behind a fortress of security measures.

Older Logs

Another major limitation of Get-WinEvent is that it can only fetch data from event logs that have not been archived or cleared. We all know how important it is to keep our logs up to date but when an event log is too old or archived we can’t use Get-WinEvent to retrieve data from it.


Lastly let’s not forget that using Get-WinEvent can be a bit time-consuming. Sure you can get the information you need but it can take a while to sort through it all. Don’t be surprised if you find yourself staring at the screen waiting for the script to complete only to realize it’s been ages since you took your last coffee break.

In conclusion while Get-WinEvent can help get important data like the last logged in user it has its limitations. Data standardization issues older logs and time consumption can make the process less than ideal. So if you’re going to use Get-WinEvent be prepared to roll up your sleeves and do some digging.


Page Updated: March 2, 2023

Leave a Reply

Your email address will not be published. Required fields are marked *