Why am I not getting my logon session from a WMI query?


I'm writing a program one of whose functions is to get the current logon sessions on a Windows computer. It queries WMI for the current sessions with logon type 2 (interactive), logon type 10 (remote interactive) and logon type 11 (cached interactive). The code I have works OK, except for one thing I just noticed. When I was testing it in my work domain environment, everything was fine, but now that I'm at home and logged on outside of our work network, I'm not getting any sessions at all -- and I thought I would get my logon session as a cached interactive session.

So I've tested it with this PS code taken from this website:

$computername = "mycomputername"
Get-WmiObject -Class Win32_LogonSession -ComputerName $computername |
foreach {
    $data = $_

    $id = $data.__RELPATH -replace """", "'"
    $q = "ASSOCIATORS OF {$id} WHERE ResultClass = Win32_Account"
    Get-WmiObject -ComputerName $computername -Query $q |
    select @{N="User";E={$($_.Caption)}},
           @{N="LogonTime";E={$data.ConvertToDateTime($data.StartTime)}}
}

which simply takes all logon sessions. And again, it's like I haven't logged on at all:

User                            LogonTime
----                            ---------
mycomputername\IUSR             1/22/2016 12:07:50 AM
mycomputername\SYSTEM           1/22/2016 12:07:09 AM
mycomputername\LOCAL SERVICE    1/22/2016 12:07:11 AM
mycomputername\NETWORK SERVICE  1/22/2016 12:07:10 AM
mycomputername\ANONYMOUS LOGON  1/22/2016 12:08:03 AM

My actual username is not shown... Why could that be? What can I do to get to see my logon session?

Michał Masny

Posted 2016-01-22T01:00:11.783

Reputation: 296

Answers


Why isn't it working?

According to this Microsoft blog post, your query cannot retrieve information about the account of a domain user when the domain is not accessible. That's because Win32_Account has properties that require information from the domain controller to fill. Therefore, the construction of the Win32_Account instance fails, and the relevant entries do not appear in your results.

What can be done?

It's really a sad state of affairs, but you'll need to parse the Antecedent string of the Win32_LoggedOnUser class to reliably get an account's name when you can't talk to its domain. The account name is between Name=" and ", as you can see in the output of gwmi -class Win32_LoggedOnUser. I'm sure you could do better with regular expressions, but this is my quick-and-dirty way of printing just the usernames of all logon sessions:

gwmi -Query "select * from win32_loggedonuser" | ForEach-Object { (($_.Antecedent -Split "Name=`"")[1] -Split "`"")[0] }

(Since I'm not correlating with actual console sessions here, there'll be a couple loose faux-users like DWM-1.)

Ben N

Posted 2016-01-22T01:00:11.783

Reputation: 32 973

Ah, I see. I thought of using the antecedent property but win32_account seemed much cleaner. Oh well. Thanks a lot for the info, I'll change the code and all being well, all will be well! (I hope you don't mind if I keep the bounty open for a bit - some more exposure should probably not hurt.) – Michał Masny – 2016-01-24T03:30:34.240
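Putting the answer's Antecedent-parsing idea together with the logon-type filter from the question, here is an added example (not code from the answer or the question) that lists interactive, remote-interactive and cached-interactive sessions without ever building a Win32_Account instance, so domain users still appear while the domain controller is unreachable. It joins Win32_LoggedOnUser to Win32_LogonSession on LogonId and reads the domain and account name out of the reference strings with a regular expression. It assumes Windows PowerShell with Get-WmiObject available and the right to query WMI on the target machine; the function name Get-InteractiveLogonSession is my own.

```powershell
# Added example, not part of the original answer: enumerate interactive logon sessions
# by joining Win32_LoggedOnUser to Win32_LogonSession on LogonId. The account comes from
# the Antecedent reference string, so no Win32_Account object is constructed and the
# query does not depend on the domain controller being reachable.
# Assumptions: Windows PowerShell (Get-WmiObject present); caller may query WMI on $ComputerName.

function Get-InteractiveLogonSession {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Logon types from the question: 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive
        [int[]]$LogonType = @(2, 10, 11)
    )

    # Index the sessions of the wanted types by LogonId so the join below is a hash lookup
    $sessionById = @{}
    Get-WmiObject -Class Win32_LogonSession -ComputerName $ComputerName |
        Where-Object { $LogonType -contains [int]$_.LogonType } |
        ForEach-Object { $sessionById[$_.LogonId] = $_ }

    # Reference strings as Get-WmiObject returns them, e.g.
    #   Antecedent: \\HOST\root\cimv2:Win32_Account.Domain="CONTOSO",Name="alice"
    #   Dependent:  \\HOST\root\cimv2:Win32_LogonSession.LogonId="999999"
    $accountPattern = 'Domain="(?<Domain>[^"]*)",Name="(?<Name>[^"]*)"'
    $sessionPattern = 'LogonId="(?<LogonId>\d+)"'

    Get-WmiObject -Class Win32_LoggedOnUser -ComputerName $ComputerName | ForEach-Object {
        if (-not ($_.Dependent -match $sessionPattern)) { return }
        $session = $sessionById[$Matches.LogonId]
        if (-not $session) { return }   # not one of the requested logon types
        if (-not ($_.Antecedent -match $accountPattern)) { return }

        [pscustomobject]@{
            User      = '{0}\{1}' -f $Matches.Domain, $Matches.Name
            LogonId   = $session.LogonId
            LogonType = [int]$session.LogonType
            # StartTime is a DMTF datetime string; convert it to a local DateTime
            LogonTime = [System.Management.ManagementDateTimeConverter]::ToDateTime($session.StartTime)
        }
    }
}

# Usage: one row per interactive session, including a cached domain logon while off the network
Get-InteractiveLogonSession | Sort-Object LogonTime | Format-Table -AutoSize
```

Because Win32_LoggedOnUser has one row per (account, session) pair, window-manager pseudo-users such as DWM-1 and UMFD-0 still show up as logon type 2 on recent Windows versions; filter them out by name if you only want human console and RDP sessions. The LogonType column is also what distinguishes a local console logon (2) from an RDP logon (10), which is the first thing to check when reviewing who is on a machine.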


One can also use the Terminal Server command QUERY:

The query utilities are used to display current information about the system such as the current allocation of resources and system status. The query command can invoke any one of the query utilities. The command line format is:

query [appservers | object | process | session | user] [/?]

This command will get the list of all logged-on users:

query user

The result may look like this for a local logon, but I also verified it for a remote logon:

[screenshot of the query user output; not preserved]

harrymc

Posted 2016-01-22T01:00:11.783

Reputation: 306 093
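Since query user prints a fixed-layout text table rather than objects, here is an added example (mine, not from the answer) that turns its output into PowerShell objects so the session list can be filtered or compared from a script. The constructed sample below stands in for real output; the parser handles the leading ">" that marks the caller's own session and the blank SESSIONNAME of a disconnected session, which is where a naive whitespace split goes wrong. The function name ConvertFrom-QueryUser and the sample lines are my own.

```powershell
# Added example, not part of the original answer: parse "query user" output into objects.
# Assumptions: query.exe output in its English layout (USERNAME, SESSIONNAME, ID, STATE,
# IDLE TIME, LOGON TIME); the sample lines below are constructed, not captured from a real host.

function ConvertFrom-QueryUser {
    param(
        # Raw lines from "query user"; defaults to running it on the local machine
        [string[]]$Lines = (& query user 2>$null)
    )

    # A leading ">" flags the caller's session. SESSIONNAME is optional because
    # disconnected sessions print it blank, so the session column is a non-capturing
    # optional group and the numeric ID anchors the remaining columns.
    $rowPattern = '^\s*(?<Current>>)?\s*(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>\S+)\s+(?<Idle>\S+)\s+(?<LogonTime>.+?)\s*$'

    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        if ($line -match '^\s*USERNAME\s+') { continue }   # header row
        if (-not ($line -match $rowPattern)) { continue }  # e.g. "No User exists for *"

        [pscustomobject]@{
            IsCurrent   = [bool]$Matches.Current
            UserName    = $Matches.User
            SessionName = $Matches.Session          # empty for disconnected sessions
            Id          = [int]$Matches.Id
            State       = $Matches.State            # Active / Disc
            IdleTime    = $Matches.Idle             # ".", "none", "1:05", "2+03:10" ...
            # Kept as text: the format follows the machine's locale, so parse it where needed
            LogonTime   = $Matches.LogonTime
        }
    }
}

# Constructed sample output (not from a real machine) covering the three layouts:
# the caller's console session, an RDP session, and a disconnected session with no name
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>alice                 console             1  Active      none   1/22/2016 12:10:00 AM',
    ' bob                   rdp-tcp#0           2  Active         .   1/22/2016 12:30:00 AM',
    ' carol                                     3  Disc          1:05  1/21/2016 11:00:00 PM'
)

ConvertFrom-QueryUser -Lines $sample | Format-Table -AutoSize
# Sessions whose name starts with rdp-tcp are remote; an unexpected one is worth a second look
ConvertFrom-QueryUser -Lines $sample | Where-Object { $_.SessionName -like 'rdp-tcp*' }
```

Running ConvertFrom-QueryUser with no arguments parses the live output of query user on the local machine; pass the lines from query user /server:hostname to parse another host. When nobody is logged on, query.exe writes its message to stderr and returns nothing, which the 2>$null redirection and the pattern check turn into an empty result rather than an error.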