At my company, we perform random scans of remote machines on different subnets to see whether they're generating unnecessary traffic, which is a sign that they've been compromised. Most of the compromised machines we've found are in agencies that use our machines. People at those agencies log on with the Active Directory (AD) logon names my company gave them for business needs.
Because we have thousands of machines and thousands of logon names, we needed a way to quickly identify the logon names used on the compromised machines so that we could disable those accounts. So, I wrote a script, WhoLogon.vbs, to detect who is logging on to a remote machine that has been compromised. Listing 1 contains WhoLogon.vbs. As callout A in Listing 1 shows, this script uses the UserName property of Windows Management Instrumentation's (WMI's) Win32_ComputerSystem class to obtain the name of the currently logged-on user. Two caveats apply to that property: it reports only the user logged on at the machine's console (not users connected through Terminal Services sessions or mapped drives), and it's Null when no one is logged on interactively, so a script that uses it should check for that case before trying to work with the name.
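The following script is an added example of the technique just described; it isn't the author's WhoLogon.vbs from Listing 1. It takes the target machine name as its first argument, connects to the remote machine's WMI namespace, and reports the Win32_ComputerSystem.UserName value, handling the unreachable-machine and no-one-logged-on cases. The script name (whoison.vbs) and message wording are mine.

```vbscript
' Added example, not the author's WhoLogon.vbs.
' Reports the console user of a remote machine via WMI.
' Usage: cscript //nologo whoison.vbs Machine
Option Explicit

Dim strComputer, objWMI, colItems, objItem

If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript //nologo whoison.vbs Machine"
    WScript.Quit 1
End If
strComputer = WScript.Arguments(0)

' Connect to the remote machine's CIMV2 namespace. The query runs under
' the launching account's credentials, so that account needs admin rights
' on the target. Trap the error so an unreachable host is reported cleanly.
On Error Resume Next
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
If Err.Number <> 0 Then
    WScript.Echo "Cannot connect to WMI on " & strComputer & ": " & Err.Description
    WScript.Quit 2
End If
On Error GoTo 0

' UserName is DOMAIN\user for the console session, or Null if no one is
' logged on interactively. Terminal Services sessions are not reported.
Set colItems = objWMI.ExecQuery("SELECT UserName FROM Win32_ComputerSystem")
For Each objItem In colItems
    If IsNull(objItem.UserName) Then
        WScript.Echo strComputer & ": no interactive user logged on"
    Else
        WScript.Echo strComputer & ": " & objItem.UserName
    End If
Next
```

Because UserName comes back as DOMAIN\user, the value can be fed straight to whatever you use to disable the AD account. Note that GetObject can block for some time when the target host is down or firewalled, so when sweeping many machines, run the script per host rather than in one long loop.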
To launch this script, open a command-shell window and type

cscript whologon Machine

where Machine is the name of the target remote computer. If CScript is your default scripting host, you can simply type
You need WMI and Windows Script Host (WSH) 5.6 on the machine from which you want to launch WhoLogon.vbs. The remote machines must also have WMI installed and reachable: remote WMI queries run under the credentials of the account launching the script, so that account needs administrative rights on the target machine, and the target must accept RPC/DCOM connections from the scanning host. I wrote and tested this script on machines running Windows XP and Windows 2000.