NTLast from Foundstone is a simple command-line security auditing tool for Windows, aimed at serious security and IIS administration. Scheduled review of your NT event logs is critical for your network: regular system auditing can uncover a server breach. NTLast makes it easier to identify and track who has gained access to your system and to document the details. The tool can quickly report on the status of IIS users and filter out web server logons from console logons. It can also distinguish between remote and interactive logons and match logon and logoff times.

While NTLast is designed for Windows NT, it is a Win32 command line tool which works perfectly on Windows 2000, Windows XP and Windows 2003. NTLast can be run against the local system or against a remote system, provided that Audit Logging is enabled on that system and the user running the command has Administrator privileges.

Some of the features of NTLast are:

Can copy event logs to .evt and csv files, and read archived .evt files

Can search by date: before or after a date, or within a date range

Can filter logons ‘From’ a certain host to zero in on suspected intrusions

Can filter out and distinguish web log usage by allowing a direct search for IIS logs

Can filter Interactive, Remote or Failed logons

Distinguishes between Remote & Interactive logons

Matches logon times with logoff times

NTLast can be downloaded from the following Foundstone website:


The download is a zip file containing a command help file and a FAQ along with the actual utility.

The following are examples of how you can use this tool.

Failed Logon attempts for a user

C:\NTLast>ntlast /f /u jondoe

Track IIS Activity

C:\NTLast>ntlast /IIS

Copy Security Audit events from Remote server

C:\NTLast>ntlast -m \\server -file c:\log\sec.evt

C:\NTLast>ntlast -file \\server\log\sec.evt
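
The logon/logoff matching and the remote-versus-interactive distinction listed among the features can be illustrated with a short Python script. This is an added example, not NTLast's code or its CSV layout: the column names and sample records are constructed, and it assumes the Security log event IDs 528/540 (logon), 529 (failed logon) and 538 (logoff), paired on Logon ID.

```python
import csv
import io
from datetime import datetime

# Constructed sample records (not NTLast output): time, event ID, logon type,
# logon ID, user, source workstation.
SAMPLE = """\
time,event_id,logon_type,logon_id,user,workstation
2004-03-01 08:02:11,528,2,0x1A2B,jondoe,SERVER01
2004-03-01 08:15:40,529,3,,jondoe,WKS-17
2004-03-01 08:16:02,540,3,0x1C44,jondoe,WKS-17
2004-03-01 08:47:30,538,3,0x1C44,jondoe,WKS-17
2004-03-01 17:30:05,538,2,0x1A2B,jondoe,SERVER01
2004-03-01 22:10:09,540,3,0x2F01,admin,WKS-99
"""

# 528 = logon, 540 = network logon (Windows 2000 and later), 529 = bad password
LOGON, FAILED, LOGOFF = {"528", "540"}, "529", "538"
KINDS = {"2": "interactive", "3": "remote"}   # logon type 2 = console, 3 = network

def sessions(csv_text):
    """Pair each logon with the 538 logoff that carries the same Logon ID."""
    open_by_id, done, failed = {}, [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        kind = KINDS.get(row["logon_type"], "other")
        rec = {"user": row["user"], "from": row["workstation"], "kind": kind}
        if row["event_id"] in LOGON:
            open_by_id[row["logon_id"]] = dict(rec, logon=when, logoff=None)
        elif row["event_id"] == LOGOFF and row["logon_id"] in open_by_id:
            s = open_by_id.pop(row["logon_id"])
            s["logoff"] = when
            done.append(s)
        elif row["event_id"] == FAILED:
            failed.append(dict(rec, time=when))
    # Logons with no matching logoff are still open, or the logoff was never
    # recorded (crash, cleared log); report them instead of dropping them.
    return done + list(open_by_id.values()), failed

def from_host(items, host):
    """Keep only sessions or failures that originated from one workstation."""
    return [i for i in items if i["from"].lower() == host.lower()]

if __name__ == "__main__":
    paired, failures = sessions(SAMPLE)
    for s in paired:
        length = s["logoff"] - s["logon"] if s["logoff"] else "no logoff recorded"
        print(s["user"], s["kind"], s["from"], s["logon"], length)
    print("failed:", [(f["user"], f["from"]) for f in failures])
```

A logon that never receives a matching logoff, like the last constructed record, is worth a second look during review because the session may still be open or the log may have been cleared.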

