I was more or less copy-pasting the solution from this question. I've customized it and whatnot, but the general method is the same.

The thing is that it works like a charm on all of the (tested) XP machines (don't ask, you'd be surprised).

It is also fine on most of the W7 machines: desktops, notebooks through VPN and embedded models (thin clients) as well. The program freezes if WMI is broken (?), but I'll take care of that later.

The painful part is that there is some sort of updater or installer service-like user. It's checking AD and such, but I don't have access to the servers to check how exactly it works. The user is called TA2-something and looks just like an ordinary user, which is slowing down the query of the logged-in users, and it also gives an untrue result. The TA2 user is not logged in just once at a time but 2, 10 or even 30 times at the same time. And this makes getting the logged-on remote users extremely slow.

The goal would be to get one logged-in username (with a status like locked or active, if possible). I thought of getting the SID, searching the registry and resolving the SID to a username. Is that doable?

I haven't tried it yet, but I've read that there is no NOT LIKE option in this query language. (I don't want to sound dumb, so please correct me if I'm saying anything wrong.)

Could something like this work?

ObjectQuery Query = new ObjectQuery("SELECT LogonId  FROM Win32_LogonSession Where LogonType=2 Name NOT LIKE TA2");

Or even with a set of variables, if there will be more strange, non-real-person users.

Thank you!

  • WQL does, in fact, have [`LIKE`](https://msdn.microsoft.com/library/aa392263), as well as `NOT`. What you want is expressible as `WHERE LogonType = 2 AND NOT Name LIKE "%TA2%"`, but whether that solves your problem is another matter. For starters, it would be pretty simple for a legitimate account to have `TA2` in its name somewhere, so you probably want to narrow that down. – Jeroen Mostert Nov 08 '16 at 20:12
  • Thanks, I'll try tomorrow. As far as I know, it's unlikely that an actual user can have TA2 in their username. They are 2 letters (never TA), a number and 4 letters. Admins' 3rd character is A instead of a number. I'll search AD first, though. Will give feedback tomorrow. Thanks again. Can the heaps of TA2 users be the reason for the slow query, by the way? Couldn't find any other symptom. Yet. – Nash Nov 08 '16 at 20:17
  • I have no experience with queries on `Win32_LogonSession`, so I couldn't tell. WMI is certainly allowed to do all sorts of neat stuff in the background, but if it just calls `LsaEnumerateLogonSessions` and `LsaGetLogonSessionData`, then no network lookups should be taking place. Any *other* thing you do with the logon data, though, might involve AD lookups of some sort. – Jeroen Mostert Nov 08 '16 at 20:37

1 Answer

OK, I don't know how this works NOW, since I'm quite sure that I've tried tons of the WIN32_ queries, but this

ObjectQuery Query = new ObjectQuery("SELECT * FROM Win32_ComputerSystem");

seems to be working, and it's fast. It always gives back one and only one result (win-win, no list needed?).

Is this because it's only listing the logged in and active users?

"UserName returns the name of the user that is logged on to the console—not the user logged on during the terminal service session."

This, however, might be a problem later, since there are heaps of VDI and Citrix users within the domain.

I have to accept my own answer as the answer; still, thanks to Jeroen Mostert for the suggestions.

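As an added example (not code from the question, the answer or the comments), the snippet below combines the two approaches discussed on this page: it resolves the LogonType 2 sessions from `Win32_LogonSession` to account names through the `Win32_LoggedOnUser` association and applies the exclusion from Jeroen Mostert's comment, and it keeps the `Win32_ComputerSystem` fast path from the answer with its console-only caveat. It assumes a `host` name and `excludeFragment` supplied by the caller, a reference to the System.Management assembly, and WMI rights on the target; the exclusion is applied on the `Win32_Account` name in code because an `ASSOCIATORS OF` query cannot filter on the result object's properties.

```csharp
using System;
using System.Collections.Generic;
using System.Management;
// Added example (not the question's or answer's code). Requires a reference to
// System.Management and WMI rights on the host; "TA2" is the assumed exclusion.
public static class LogonQuery
{
    // Interactive (LogonType 2) sessions resolved to DOMAIN\user, minus accounts
    // whose name contains excludeFragment. A set, so 2, 10 or 30 sessions show once.
    public static HashSet<string> InteractiveUsers(string host, string excludeFragment)
    {
        var scope = new ManagementScope(@"\\" + host + @"\root\cimv2");
        scope.Connect();
        var users = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var sessionQuery = new ObjectQuery(
            "SELECT LogonId FROM Win32_LogonSession WHERE LogonType = 2");
        using (var sessions = new ManagementObjectSearcher(scope, sessionQuery))
        foreach (ManagementObject session in sessions.Get())
        {
            // The account name lives on Win32_Account, reached through the
            // Win32_LoggedOnUser association (the session is its Dependent end).
            var accountQuery = new ObjectQuery(
                "ASSOCIATORS OF {Win32_LogonSession.LogonId=\"" + session["LogonId"] + "\"} " +
                "WHERE AssocClass = Win32_LoggedOnUser Role = Dependent");
            using (var accounts = new ManagementObjectSearcher(scope, accountQuery))
            foreach (ManagementObject account in accounts.Get())
            {
                string name = (string)account["Name"];
                // ASSOCIATORS OF cannot filter on the result's properties, so exclude
                // here; a substring can hit a real account, so keep it specific.
                if (name.IndexOf(excludeFragment, StringComparison.OrdinalIgnoreCase) >= 0)
                    continue;
                users.Add(account["Domain"] + "\\" + name);
            }
        }
        return users;
    }
    // Fast path from the accepted answer: one row, console user only. Returns
    // null when nobody is at the console; terminal-service sessions are not reported.
    public static string ConsoleUser(string host)
    {
        var scope = new ManagementScope(@"\\" + host + @"\root\cimv2");
        var query = new ObjectQuery("SELECT UserName FROM Win32_ComputerSystem");
        using (var searcher = new ManagementObjectSearcher(scope, query))
        foreach (ManagementObject cs in searcher.Get())
            return cs["UserName"] as string;
        return null;
    }
}
```

`InteractiveUsers` still issues one association query per session, so a host with dozens of sessions for the same service-style account costs dozens of round trips; `ConsoleUser` is the cheap check when a single console user is all that is needed.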