diff --git a/oval-schemas/windows-definitions-schema.xsd b/oval-schemas/windows-definitions-schema.xsd
index 59a3885..e4f38f3 100644
--- a/oval-schemas/windows-definitions-schema.xsd
+++ b/oval-schemas/windows-definitions-schema.xsd
@@ -3931,6 +3931,8 @@
The ntuser test is used to check metadata associated with Windows ntuser.dat files. It extends the standard TestType as defined in the oval-definitions-schema and
one should refer to the TestType description for more information. The required object element references a ntuser_object and the optional state element specifies the ntuser
data to check.
+
+ To ensure consistent results across OVAL interpreters, application developers should refer to documentation in the ntuser_item when implenting this test.
ntuser_test
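Review bot: the added sentence has a typo, "implenting" should be "implementing". The cross-reference is also vague as written: "documentation in the ntuser_item" means the numbered implementation-method list on ntuser_item in the windows-system-characteristics schema, so say that explicitly ("refer to the implementation methods documented on ntuser_item in the windows-system-characteristics schema") so an implementer knows where to look.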
@@ -4062,16 +4064,21 @@
The logged_on element describes if the user account is currently logged on to the computer.
+ This can be determined by comparing the SIDs collected from the ProfileList against those populated in HKEY_USERS\<SID>
+ HKEY_USERS: Contains all the actively loaded user profiles on the computer. https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users
+ This data can also be obtained by other various Windows API's such as a combination of win32_logonsession and win32_loggedonuser, but the specifics are beyond the scope of OVAL documentation.
- The last_logon data, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0.
+ The last_logon data which can be obtained from the LocalProfileLoadTimeHigh and LocalProfileLoadTimeLow registry values from HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0.
+ For more information, refer to https://learn.microsoft.com/en-us/troubleshoot/windows-server/support-tools/scripts-to-retrieve-profile-age
The enabled element describes if the user account is enabled or disabled.
+ Note: For domain users, if a domain controller is not available, this will not return data, and should be reported with a status of 'not collected'. If using this data for a filter to include enabled accounts, it’s recommended to exclude accounts that are have been determined to be disabled, vs including ones that are enabled, as the later may filter out accounts for which the domain controller could not return data.
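Review bot: the new documentation text contains raw angle brackets, `HKEY_USERS\<SID>` and `ProfileList\<SID>`, which inside an xs:documentation element are read as markup and will break schema parsing; write them as `HKEY_USERS\&lt;SID&gt;` and `ProfileList\&lt;SID&gt;`. The last_logon text says "converted to days" without stating the reference point; since the linked article retrieves a profile age, say explicitly whether the value is the number of whole days elapsed between the LocalProfileLoadTimeHigh/Low timestamp and collection time. Smaller fixes in the enabled note: "accounts that are have been determined" should read "accounts that have been determined", "vs including" should be "rather than including", "the later" should be "the latter", and "Windows API's" should be "Windows APIs" (win32_logonsession and win32_loggedonuser are WMI classes, Win32_LogonSession and Win32_LoggedOnUser, so "WMI classes" would be more accurate than "APIs").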
@@ -4184,6 +4191,20 @@
+
+
+ For 'key_and_name_exist', items are only created when an ntuser.dat file includes the key and name provided in the ntuser object.
+ For 'every_ntuser', items are created for each relavent ntuser.dat found on the system. This option will prevent false negatives in instances where each ntuser.dat file must contain the required key/name/value in order to pass, but the file is lacking the key/name required to normally satisfy the creation of an ntuser item.
+
+
+
+
+
+
+
+
+
+
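Review bot: the 'every_ntuser' text does not say what the created item looks like when the ntuser.dat file lacks the requested key or name, which is the exact case the option exists for; state whether the item is still emitted with its key, name and value entities carrying status 'does not exist', otherwise interpreters will produce different items and the "prevent false negatives" claim is not testable. The text should also say which of 'key_and_name_exist' and 'every_ntuser' is the default when the behavior is omitted. Fix "relavent" to "relevant", and drop the run of whitespace-only added lines at the end of the hunk, which look like accidental churn.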
diff --git a/oval-schemas/windows-system-characteristics-schema.xsd b/oval-schemas/windows-system-characteristics-schema.xsd
index 6ff9177..6517e1b 100644
--- a/oval-schemas/windows-system-characteristics-schema.xsd
+++ b/oval-schemas/windows-system-characteristics-schema.xsd
@@ -1629,6 +1629,20 @@
The windows ntuser_item specifies information that can be collected from a particular ntuser.dat file.
+To ensure consistent results across OVAL interpreters, the following implementation methods are recommended. Note that there may be other technical ways to obtain the data, which vendors may choose to implement.
+1. Finding Human User Profiles
+ a. Obtain a list of User Profiles from the following registry key, where each subkey is a profile that may be included in scope for this test
+ i. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList
+ b. Determine which user profiles are from ‘human’ users
+ i. Exclude profiles for LocalService, Network service etc.. by excluding subkeys in the format of S-1-5-<number*gt;
+ ii. Exclude profiles for Per-Service SIDs by excluding subkeys in the format of S-1-5-80-<number*gt;-<number*gt;-<number*gt;-<number*gt;-<number*gt;
+ iii. Include Local and Domain User SIDs by including subkeys match the format of S-1-5-21-<number*gt;-<number*gt;-<number*gt;-<number*gt;
+ c. Obtain ntuser filepath from the ProfileImagePath value of 'human' profiles
+2. Gathering per user registry key data
+ a. If a user is logged in, their ntuser.dat file will be locked and the OVAL interpreter will not be able to read it, the OVAL interpreter will need to obtain that data from HKEY_USERS\<sid_of_logged_in_user>
+ b. If a user is not logged in, the OVAL interpreter will need to obtain the data directly from the users ntuser.dat file.
+ Note: There are many different methods depenending on programming language to parse ntuser.dat files, and each OVAL interpreter may choose their own methods.
+ If no other programming language native methods are available, it is advised not to load the ntuser.dat file directly from its original location, as it will lock the file and prevent that user from logging into Windows.
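Review bot: the registry path in step 1.a.i, `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList`, is missing the space in "Windows NT" (the definitions schema writes `HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList`), and an implementer copying it verbatim will open the wrong key. The SID patterns in 1.b are mangled: `S-1-5-<number*gt;` looks like a broken entity and should be written consistently as `S-1-5-&lt;number&gt;` so the annotation stays well-formed XML; the same applies to `HKEY_USERS\<sid_of_logged_in_user>` in 2.a. Step 1.c should spell out how the file path is formed from ProfileImagePath (appending ntuser.dat to the profile directory, and whether the value must be environment-expanded first; that last point is my assumption, please confirm against the value's type). Smaller fixes: "subkeys match the format" should read "subkeys that match the format", "etc.." should be "etc.", and "depenending" should be "depending". For 2.b, since the note already warns that loading the hive in place locks it and blocks the user's logon, name the recommended alternative explicitly (parse the file as data rather than loading it as a registry hive) instead of leaving it to each interpreter to infer.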
@@ -1666,16 +1680,21 @@
The logged_on element describes if the user account is currently logged on to the computer.
-
+ This can be determined by comparing the SIDs collected from the ProfileList against those populated in HKEY_USERS\<SID>
+ HKEY_USERS: Contains all the actively loaded user profiles on the computer. https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users
+ This data can also be obtained by other various Windows API's such as a combination of win32_logonsession and win32_loggedonuser, but the specifics are beyond the scope of OVAL documentation.
+
-
- The last_logon data, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0.
-
-
+
+ The last_logon data which can be obtained from the LocalProfileLoadTimeHigh and LocalProfileLoadTimeLow registry values from HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0.
+ For more information, refer to https://learn.microsoft.com/en-us/troubleshoot/windows-server/support-tools/scripts-to-retrieve-profile-age
+
+
The enabled element describes if the user account is enabled or disabled.
+ Note: For domain users, if a domain controller is not available, this will not return data, and should be reported with a status of 'not collected'. If using this data for a filter to include enabled accounts, it’s recommended to exclude accounts that are have been determined to be disabled, vs including ones that are enabled, as the later may filter out accounts for which the domain controller could not return data.
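Review bot: this hunk has the same unescaped placeholders as the definitions-schema copy of this text, `HKEY_USERS\<SID>` and `ProfileList\<SID>`, which must be `&lt;SID&gt;` inside xs:documentation, and the same wording slips ("accounts that are have been determined", "vs including", "the later", "API's"). The paragraph is now duplicated word-for-word across the two schemas, so either keep it in one place or add a check that both copies stay in sync. The hunk also removes and re-adds several blank lines around the last_logon text, which is pure whitespace churn and makes the diff noisier than it needs to be.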
@@ -1692,6 +1711,7 @@
This element describes the filepath of the ntuser.dat file.
+ The existance of each ntuser.dat file determines the overall ntuser_item existence.
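Review bot: the added sentence conflicts with the behavior text in the definitions schema, where under 'key_and_name_exist' an item is created only when the file contains the requested key and name; "the existence of each ntuser.dat file determines the overall ntuser_item existence" holds only for 'every_ntuser'. Rephrase to say that the filepath entity's status reflects whether the ntuser.dat file exists, and that whether an item is created at all is governed by the behavior option. Also "existance" should be "existence".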