Finding current logged on user(s) while running as SYSTEM (no environment variables)

Question

I have created a PowerShell script that saves the current user to a report. When creating this report, it was working fine because I was using $env:USERNAME. However, now that the report is running under the SYSTEM account as a scheduled task, it saves the current user as "HOSTNAME$." Is there another easy way of getting the logged on users? The following doesn't work as well:

Get-WMIObject -class Win32_ComputerSystem | select username

Any ideas would be greatly appreciated as I need the current logged on user saved. I also need to run the report as NT AUTHORITY\SYSTEM to run the elevated tasks.

At any given time there is going to be a lot more than just 1 user logged in. You'll have SYSTEM, LOCAL SERVICE, NETWORK SERVICE and probably others. You'll have to refine your criteria in order to have an answerable question : http://stackoverflow.com/questions/23219718/powershell-script-to-see-currently-logged-in-users-domain-and-machine-status — Cole9350, Aug 14 '15 at 20:12

score 8 · Answer 1 · edited Apr 13 '17 at 12:13

"Current user" is an ambiguous term that depends on what you're looking at. A user logged in on the desktop (locally or remotely)? A user running a background process? A user accessing an SMB share? WMI? WinRS?

Assuming that you want to identify which user is logged in on the desktop, you could check the owner of the explorer.exe process as described in this answer on ServerFault:

Get-WmiObject Win32_Process -Filter "Name='explorer.exe'" |
  ForEach-Object { $_.GetOwner() } |
  Select-Object -Unique -Expand User

score 2 · Answer 2 · answered Aug 14 '15 at 20:37

2

I was able to gather the current logged on user by using tasklist in PowerShell:

$User = tasklist /v /FI "IMAGENAME eq explorer.exe" /FO list | find "User Name:"
$User = $User.Substring(14)

Works perfectly even when ran as SYSTEM.

answered Aug 14 '15 at 20:37

user3711442

213
2
6
15

score 0 · Answer 3 · answered Apr 25 '19 at 17:26

I know this is old, it took me all morning to get this straightened out, this gets you the current logged on user and their my docs path, since environment variables don't work under the system account.

New-PSDrive HKU Registry HKEY_USERS
$user = get-wmiobject -Class Win32_Computersystem | select Username;
$sid = (New-Object System.Security.Principal.NTAccount($user.UserName)).Translate([System.Security.Principal.SecurityIdentifier]).value
$val = (Get-Item "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders");
$myDocPath = $val.GetValue("Personal");

To test using a powershell account that runs as system, follow these instructions http://powershell-guru.com/powershell-tip-53-run-powershell-as-system/

score 0 · Answer 4 · answered Mar 12 '21 at 20:36

Assuming from your original script that you are looking to return just usernames, you could use this:

Get-Process -IncludeUserName | Select-Object UserName -Unique | Where-Object {$.UserName -notlike 'NT AUTHORITY\SYSTEM' -and $.UserName -notlike 'NT AUTHORITY\NETWORK SERVICE' -and $_.UserName -notlike 'NT AUTHORITY\LOCAL SERVICE'} | Format-Table -Wrap -AutoSize

score 0 · Answer 5 · answered Aug 30 '22 at 08:20

0

I liked the Get-Process answer from @MNiles, but made it a little simpler with the filtering for explorer from the other answers

Get-Process -IncludeUserName -Name explorer | Select-Object UserName -Unique

answered Aug 30 '22 at 08:20

Ties

5,726
3
28
37

Finding current logged on user(s) while running as SYSTEM (no environment variables)

5 Answers5

Linked