PowerShell for Windows Admins

Apr 22 2010   3:08PM GMT

Current logged on user

Richard Siddaway

In case you are wondering how I pick the topics for these posts – it's quite scientific. I run

Get-WmiObject -List win32* | where {$_.Name -notlike "*perf*"}

to see the available classes and pick something that catches my eye. Sometimes it leads to a series of posts and other times it's a single post.

This time my eye was caught by Win32_LogonSession – which returns the logged on user

PS> Get-WmiObject -Class Win32_LogonSession

AuthenticationPackage : NTLM
LogonId               : 188568
LogonType             : 2
Name                  :
StartTime             : 20100422181039.691600+060
Status                :

AuthenticationPackage : NTLM
LogonId               : 188537
LogonType             : 2
Name                  :
StartTime             : 20100422181039.691600+060
Status                :

OK that's not good 'cos I know I'm the only one logged in – unless it's my imaginary friend

PS> Get-WmiObject -Class Win32_SessionProcess | select Antecedent

Antecedent
----------
\\.\root\cimv2:Win32_LogonSession.LogonId="188568"
\\.\root\cimv2:Win32_LogonSession.LogonId="188568"

etc

Shows that LogonId 188568 is the latest as Win32_SessionProcess shows the processes associated with the current logged on user.

We need to take that fact and find the logged on user

## get session process
$proc = Get-WmiObject -Class Win32_SessionProcess | 
select Antecedent -First 1
## the object stringifies as @{Antecedent=...LogonId="188568"}; keep the id only
$filt = ($proc -split "=")[2] -replace '"','' -replace "}",""

## logon type lookup table
$ltype = DATA {
ConvertFrom-StringData -StringData @'
0 = System
2 = Interactive
3 = Network
4 = Batch
5 = Service
6 = Proxy
7 = Unlock
8 = NetworkCleartext
9 = NewCredentials
10 = RemoteInteractive
11 = CachedInteractive
12 = CachedRemoteInteractive
13 = CachedUnlock
'@

}
## get logon session
$sess = Get-WmiObject -Class Win32_LogonSession -Filter "LogonId='$filt'"

## get user
$query = "ASSOCIATORS OF {Win32_LogonSession.LogonId='$filt'} `
WHERE ResultClass=Win32_UserAccount"

$user = Get-WmiObject -Query  $query

Add-Member -InputObject $sess -MemberType NoteProperty -Name User `
 -Value $($user.Caption) -PassThru |
Format-List AuthenticationPackage, LogonId,
@{Name="Logon Type"; Expression = {$ltype["$($_.LogonType)"]}},
@{Name="Time"; Expression = {$_.ConvertToDateTime($_.StartTime)}},
User

We take our session process – select first 1 and we only need the Antecedent property. We then split it on a “=” sign and do 2 replaces to clean it up.  I was surprised when the operators combined like that.

The here-string defines the logon types. We find the Win32_LogonSession associated with the LogonId and then get the ASSOCIATORS to find the associated user.

We use Add-Member to add the user name property to the session information and then use a couple of calculated fields to display the logon type and the logon date.
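
An extension of the approach above, added here as an example (not the author's code): instead of taking the first Win32_SessionProcess row, it lists every logon session with its account, logon type and process count. It goes beyond the post by using the Win32_LoggedOnUser association class; the variable names are illustrative.

```powershell
# Added example: inventory all logon sessions rather than only the first one.
# Logon type names are the table from the post, as a plain hashtable.
$ltype = @{
    '0' = 'System';  '2' = 'Interactive';  '3' = 'Network';  '4' = 'Batch'
    '5' = 'Service'; '6' = 'Proxy';        '7' = 'Unlock';   '8' = 'NetworkCleartext'
    '9' = 'NewCredentials';      '10' = 'RemoteInteractive'
    '11' = 'CachedInteractive';  '12' = 'CachedRemoteInteractive'
    '13' = 'CachedUnlock'
}

# Win32_SessionProcess: Antecedent is the logon session, Dependent is the process.
# Count the processes that belong to each LogonId.
$procCount = @{}
Get-WmiObject -Class Win32_SessionProcess | ForEach-Object {
    if ($_.Antecedent -match 'LogonId="(\d+)"') {
        $procCount[$Matches[1]] = 1 + [int]$procCount[$Matches[1]]
    }
}

# Win32_LoggedOnUser: Antecedent is the account, Dependent is the logon session.
# Build a LogonId -> DOMAIN\Name map from the two reference paths.
$owner = @{}
Get-WmiObject -Class Win32_LoggedOnUser | ForEach-Object {
    if ($_.Dependent -match 'LogonId="(\d+)"') {
        $id = $Matches[1]    # save before the next -match overwrites $Matches
        if ($_.Antecedent -match 'Domain="([^"]+)",Name="([^"]+)"') {
            $owner[$id] = '{0}\{1}' -f $Matches[1], $Matches[2]
        }
    }
}

# Join the two maps onto every Win32_LogonSession instance.
Get-WmiObject -Class Win32_LogonSession | ForEach-Object {
    $id = "$($_.LogonId)"
    $started = $null
    if ($_.StartTime) { $started = $_.ConvertToDateTime($_.StartTime) }
    New-Object PSObject -Property @{
        LogonId   = $id
        User      = $owner[$id]
        LogonType = $ltype["$($_.LogonType)"]
        Started   = $started
        Processes = [int]$procCount[$id]
    }
} | Sort-Object Started |
    Format-Table LogonId, User, LogonType, Started, Processes -AutoSize
```

A session that owns no processes shows 0 in the Processes column, which helps when Win32_LogonSession returns more rows than expected, as it did above.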

1  Comment on this Post

  • Richard Siddaway
    [...] this post http://itknowledgeexchange.techtarget.com/powershell/current-logged-on-user/ we discovered how to find the current logged on user.  I want to extend that a bit and add the [...]