From 40934d355edfb878ea16e6e1597a7f90f0d26770 Mon Sep 17 00:00:00 2001 From: Jack Vander Pol Date: Thu, 14 May 2026 11:01:40 -0400 Subject: [PATCH 1/3] Added new 'user_has_signed_into_explorer' element to ntuser state/item per #306 --- oval-schemas/windows-definitions-schema.xsd | 6 ++++++ oval-schemas/windows-system-characteristics-schema.xsd | 8 +++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/oval-schemas/windows-definitions-schema.xsd b/oval-schemas/windows-definitions-schema.xsd index 59a3885..a3d475b 100644 --- a/oval-schemas/windows-definitions-schema.xsd +++ b/oval-schemas/windows-definitions-schema.xsd @@ -4069,6 +4069,12 @@ The last_logon data, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0. + + + The user_has_signed_into_explorer element describes if the user account has ever interactively logged into Windows Explorer. This is important as User GPO's are applied when a user logs into Windows Explorer, and are not applied for non-interactive logins such as SSH or WinRM. Those non-interactive logins may cause false positives, and content authors may want to filter them out. + This can be determined by gathering the Software\Microsoft\Windows\CurrentVersion\Explorer\UserSigned value for the given ntuser.dat profile, 1 = true and 0 = false. + + The enabled element describes if the user account is enabled or disabled. diff --git a/oval-schemas/windows-system-characteristics-schema.xsd b/oval-schemas/windows-system-characteristics-schema.xsd index 6ff9177..502d975 100644 --- a/oval-schemas/windows-system-characteristics-schema.xsd +++ b/oval-schemas/windows-system-characteristics-schema.xsd 
@@ -1672,7 +1672,13 @@ The last_logon data, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0. - + + + + The user_has_signed_into_explorer element describes if the user account has ever interactively logged into Windows Explorer. This is important as User GPO's are applied when a user logs into Windows Explorer, and are not applied for non-interactive logins such as SSH or WinRM. Those non-interactive logins may cause false positives, and content authors may want to filter them out. + This can be determined by gathering the Software\Microsoft\Windows\CurrentVersion\Explorer\UserSigned value for the given ntuser.dat profile, 1 = true and 0 = false. + + The enabled element describes if the user account is enabled or disabled. From df0768670f830539cc81dbf1ca4221ace369e715 Mon Sep 17 00:00:00 2001 From: Jack Vander Pol Date: Thu, 21 May 2026 11:28:50 -0400 Subject: [PATCH 2/3] Merged changes from 5.12.3 branch down to resolve accidental conflict with last_logon documentation --- .../windows-system-characteristics-schema.xsd | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/oval-schemas/windows-system-characteristics-schema.xsd b/oval-schemas/windows-system-characteristics-schema.xsd index 502d975..9279b75 100644 --- a/oval-schemas/windows-system-characteristics-schema.xsd +++ b/oval-schemas/windows-system-characteristics-schema.xsd 
@@ -1666,13 +1666,17 @@ The logged_on element describes if the user account is currently logged on to the computer. - + This can be determined by comparing the SIDs collected from the ProfileList against those populated in HKEY_USERS\<SID> + HKEY_USERS: Contains all the actively loaded user profiles on the computer. https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users + This data can also be obtained by other various Windows API's such as a combination of win32_logonsession and win32_loggedonuser, but the specifics are beyond the scope of OVAL documentation. + - - The last_logon data, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0. - - + + The last_logon data which can be obtained from the LocalProfileLoadTimeHigh and LocalProfileLoadTimeLow registry values from HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0. + For more information, refer to https://learn.microsoft.com/en-us/troubleshoot/windows-server/support-tools/scripts-to-retrieve-profile-age + + The user_has_signed_into_explorer element describes if the user account has ever interactively logged into Windows Explorer. This is important as User GPO's are applied when a user logs into Windows Explorer, and are not applied for non-interactive logins such as SSH or WinRM. Those non-interactive logins may cause false positives, and content authors may want to filter them out. 
@@ -1682,6 +1686,7 @@ The enabled element describes if the user account is enabled or disabled. + Note: For domain users, if a domain controller is not available, this will not return data, and should be reported with a status of 'not collected'. If using this data for a filter to include enabled accounts, it’s recommended to exclude accounts that are have been determined to be disabled, vs including ones that are enabled, as the later may filter out accounts for which the domain controller could not return data. From 5d38d9aaf97ebcf44fa21c9144bc73c4d698e257 Mon Sep 17 00:00:00 2001 From: Jack Vander Pol Date: Thu, 21 May 2026 15:08:11 -0400 Subject: [PATCH 3/3] Updated documentation based on @balleman-ctr recommendation --- oval-schemas/windows-definitions-schema.xsd | 2 +- oval-schemas/windows-system-characteristics-schema.xsd | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/oval-schemas/windows-definitions-schema.xsd b/oval-schemas/windows-definitions-schema.xsd index a7369a9..e437a48 100644 --- a/oval-schemas/windows-definitions-schema.xsd +++ b/oval-schemas/windows-definitions-schema.xsd 
@@ -4086,7 +4086,7 @@ - The user_has_signed_into_explorer element describes if the user account has ever interactively logged into Windows Explorer. This is important as User GPO's are applied when a user logs into Windows Explorer, and are not applied for non-interactive logins such as SSH or WinRM. Those non-interactive logins may cause false positives, and content authors may want to filter them out. + The user_has_signed_into_explorer element describes if the user account has ever run Windows Explorer. This is a practical indicator of accounts using interactive (desktop/GUI) sessions and is not set by non-interactive logon methods such as WinRM or SSH. Content authors may use this element to exclude non-interactive users from user policy checks. This can be determined by gathering the Software\Microsoft\Windows\CurrentVersion\Explorer\UserSigned value for the given ntuser.dat profile, 1 = true and 0 = false. diff --git a/oval-schemas/windows-system-characteristics-schema.xsd b/oval-schemas/windows-system-characteristics-schema.xsd index 2f7e98d..c5b4170 100644 --- a/oval-schemas/windows-system-characteristics-schema.xsd +++ b/oval-schemas/windows-system-characteristics-schema.xsd 
@@ -1693,7 +1693,7 @@ - The user_has_signed_into_explorer element describes if the user account has ever interactively logged into Windows Explorer. This is important as User GPO's are applied when a user logs into Windows Explorer, and are not applied for non-interactive logins such as SSH or WinRM. Those non-interactive logins may cause false positives, and content authors may want to filter them out. + The user_has_signed_into_explorer element describes if the user account has ever run Windows Explorer. This is a practical indicator of accounts using interactive (desktop/GUI) sessions and is not set by non-interactive logon methods such as WinRM or SSH. Content authors may use this element to exclude non-interactive users from user policy checks. This can be determined by gathering the Software\Microsoft\Windows\CurrentVersion\Explorer\UserSigned value for the given ntuser.dat profile, 1 = true and 0 = false.
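Review bot: In the PATCH 1/3 windows-definitions-schema.xsd hunk (@@ -4069), the only evidence content authors get for the new element is the sentence "This can be determined by gathering the Software\Microsoft\Windows\CurrentVersion\Explorer\UserSigned value for the given ntuser.dat profile", and that value name is neither cited nor, to my recollection, exact (I believe the DWORD under that Explorer key is named UserSignedIn). Please confirm the name against a live profile and cite a reference, the way the logged_on and last_logon descriptions in PATCH 2/3 cite learn.microsoft.com pages; a typo here propagates into every collector that implements the element.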
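Review bot: In the PATCH 1/3 windows-system-characteristics-schema.xsd hunk (@@ -1672), the item description is a verbatim copy of the state description, and the element's type and cardinality are not visible in this excerpt. Two things to confirm on the item side: that the new element is declared with minOccurs="0" like the neighbouring ntuser_item elements, so items from collectors that do not yet implement it still validate; and whether the item carries the boolean ("1 = true and 0 = false") or the raw registry DWORD, since a value other than 0 or 1 is possible and the mapping as written does not cover it.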
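Review bot: In the PATCH 2/3 hunk at @@ -1666, the logged_on guidance "comparing the SIDs collected from the ProfileList against those populated in HKEY_USERS\<SID>" should say the match is on the exact key name: HKEY_USERS also holds .DEFAULT, the built-in S-1-5-18/19/20 hives and a <SID>_Classes key for every loaded profile, so a prefix or substring match over-counts. On the same hunk, "The last_logon data ... converted to days" does not say days relative to what; suggest "the number of whole days elapsed between that load time and collection". Worth stating as well that LocalProfileLoadTimeHigh/Low is written whenever the profile is loaded, so both logged_on and last_logon reflect profile loads (including the non-interactive logons mentioned in the user_has_signed_into_explorer text), not interactive sign-ins. Minor: "other various Windows API's" reads better as "various other Windows APIs".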
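Review bot: The added Note in the PATCH 2/3 hunk at @@ -1682 has two typos: "accounts that are have been determined" (drop "are") and "the later may filter out" ("the latter"). The recommendation itself is sound but would be clearer stated as the filter shape: exclude items whose enabled value is false rather than requiring enabled to be true, so that accounts whose enabled value has status 'not collected' (domain controller unreachable) are not silently dropped from the check.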
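Review bot: Both PATCH 3/3 hunks (@@ -4086 in the definitions schema and @@ -1693 in the system-characteristics schema) reword the first sentence but leave "This can be determined by gathering ... 1 = true and 0 = false" unchanged, so the case this element exists for is still unspecified: a profile created by a WinRM or SSH logon that has never run Explorer may simply have no such value. The final text should say what is reported then, e.g. "if the value does not exist, report false", and what to do when the ntuser.dat hive for the profile cannot be loaded (the 'not collected' convention the enabled note in PATCH 2/3 uses). Also, "has ever run Windows Explorer" is broader than the element name user_has_signed_into_explorer suggests; if the value is set at shell start-up rather than at sign-in, say so, so readers do not assume a logon-event source.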