From 40934d355edfb878ea16e6e1597a7f90f0d26770 Mon Sep 17 00:00:00 2001 From: Jack Vander Pol Date: Thu, 14 May 2026 11:01:40 -0400 Subject: [PATCH] Added new 'user_has_signed_into_explorer' element to ntuser state/item per #306 --- oval-schemas/windows-definitions-schema.xsd | 6 ++++++ oval-schemas/windows-system-characteristics-schema.xsd | 8 +++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/oval-schemas/windows-definitions-schema.xsd b/oval-schemas/windows-definitions-schema.xsd index 59a3885..a3d475b 100644 --- a/oval-schemas/windows-definitions-schema.xsd +++ b/oval-schemas/windows-definitions-schema.xsd @@ -4069,6 +4069,12 @@ The last_logon data, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0. + + + The user_has_signed_into_explorer element describes if the user account has ever interactively logged into Windows Explorer. This is important as User GPO's are applied when a user logs into Windows Explorer, and are not applied for non-interactive logins such as SSH or WinRM. Those non-interactive logins may cause false positives, and content authors may want to filter them out. + This can be determined by gathering the Software\Microsoft\Windows\CurrentVersion\Explorer\UserSigned value for the given ntuser.dat profile, 1 = true and 0 = false. + + The enabled element describes if the user account is enabled or disabled. diff --git a/oval-schemas/windows-system-characteristics-schema.xsd b/oval-schemas/windows-system-characteristics-schema.xsd index 6ff9177..502d975 100644 --- a/oval-schemas/windows-system-characteristics-schema.xsd +++ b/oval-schemas/windows-system-characteristics-schema.xsd @@ -1672,7 +1672,13 @@ The last_logon data, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0. - + + + + The user_has_signed_into_explorer element describes if the user account has ever interactively logged into Windows Explorer. This is important as User GPO's are applied when a user logs into Windows Explorer, and are not applied for non-interactive logins such as SSH or WinRM. Those non-interactive logins may cause false positives, and content authors may want to filter them out. + This can be determined by gathering the Software\Microsoft\Windows\CurrentVersion\Explorer\UserSigned value for the given ntuser.dat profile, 1 = true and 0 = false. + + The enabled element describes if the user account is enabled or disabled.