Current logged on user

In case you are wondering how I pick the topics for these posts – it's quite scientific. I run
Get-WmiObject -List win32* | where {$_.Name -notlike "*perf*"}
to see the available classes and pick something that catches my eye. Sometimes it leads to a series of posts and other times it's a single post.
This time my eye was caught by Win32_LogonSession – which returns the logged on user
PS> Get-WmiObject -Class Win32_LogonSession
AuthenticationPackage : NTLM
LogonId : 188568
LogonType : 2
Name :
StartTime : 20100422181039.691600+060
Status :
AuthenticationPackage : NTLM
LogonId : 188537
LogonType : 2
Name :
StartTime : 20100422181039.691600+060
Status :
OK, that's not good 'cos I know I'm the only one logged in – unless it's my imaginary friend
PS> Get-WmiObject -Class Win32_SessionProcess | select Antecedent
Antecedent
----------
\\.\root\cimv2:Win32_LogonSession.LogonId="188568"
\\.\root\cimv2:Win32_LogonSession.LogonId="188568"
etc
This shows that LogonId 188568 is the latest, because Win32_SessionProcess shows the processes associated with the currently logged on user.
We need to take that fact and find the logged on user.
## get session process
$proc = Get-WmiObject -Class Win32_SessionProcess | select Antecedent -First 1
$filt = ($proc -split "=")[2] -replace '"','' -replace "}",""
$ltype = DATA {
## get user
We take our session process – select first 1 and we only need the Antecedent property. We then split it on a “=” sign and do 2 replaces to clean it up. I was surprised when the operators combined like that.
The here-string defines the logon types. We find the Win32_LogonSession associated with the LogonId and then use ASSOCIATORS to find the associated user.
We use Add-Member to add the user name property to the session information and then use a couple of calculated fields to display the logon type and the logon date
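The steps described above, written out in full as an added example; it is not the post's original script. It assumes Windows PowerShell 5.1 or earlier (where Get-WmiObject exists), and it differs from the post in one respect: it picks the session that owns the current PowerShell process instead of the first Win32_SessionProcess row, so it still resolves the right session when several are visible. Names other than $proc and $ltype are illustrative.

```powershell
# Logon type names, following the documented Win32_LogonSession.LogonType values.
$ltype = DATA {
ConvertFrom-StringData -StringData @'
0 = System
2 = Interactive
3 = Network
4 = Batch
5 = Service
6 = Proxy
7 = Unlock
8 = NetworkCleartext
9 = NewCredentials
10 = RemoteInteractive
11 = CachedInteractive
12 = CachedRemoteInteractive
13 = CachedUnlock
'@
}

## get session process
# Dependent looks like \\.\root\cimv2:Win32_Process.Handle="1234"; match our own PID.
$proc = Get-WmiObject -Class Win32_SessionProcess |
    Where-Object { $_.Dependent -match "Handle=`"$PID`"" } |
    Select-Object -First 1

# Antecedent looks like \\.\root\cimv2:Win32_LogonSession.LogonId="188568"
if ($proc -and $proc.Antecedent -match 'LogonId="(\d+)"') {
    $logonId = $Matches[1]
} else {
    throw 'Could not find a logon session for the current process.'
}

## get the logon session, then the account associated with it
$session = Get-WmiObject -Class Win32_LogonSession -Filter "LogonId='$logonId'"
$query   = "ASSOCIATORS OF {Win32_LogonSession.LogonId='$logonId'} " +
           "WHERE AssocClass=Win32_LoggedOnUser"
$user    = Get-WmiObject -Query $query | Select-Object -First 1
$name    = if ($user) { "$($user.Domain)\$($user.Name)" } else { '<unresolved>' }

## attach the user name, then translate logon type and start time for display
$session | Add-Member -MemberType NoteProperty -Name User -Value $name -PassThru |
    Select-Object User, LogonId, AuthenticationPackage,
        @{Name = 'LogonType'; Expression = { $ltype[[string]$_.LogonType] }},
        @{Name = 'LogonTime'; Expression = {
            [Management.ManagementDateTimeConverter]::ToDateTime($_.StartTime) }}
```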