Retrieving the actual user account that started a process

Question

I am trying to retrieve the user account under which a process has been started. So far i have not found any answers that retrieve the good information. All of them return the string of the username which is not the account. I have tried WMI and Diagnostic all with the same results which are half correct.

Let's say i start notepad twice.

First one i open it with the account : \MyDomain\Franck
Second on i open it with the account : \MyComputer\Franck

Then use either WMI or Diagnostics and both return username "Franck" and i have not way to know if it's running under the local user or the domain one.

One way could be to use Diagnostics

var procs = Process.GetProcessesByName("Notepad").ToList();
var notepad1 = procs[0].StartInfo.Environment["Username"];
var notepad2 = procs[1].StartInfo.Environment["Username"];

Both return Franck but one is the domain account and the other is the local.

Are you starting these processes in code, or looking at existing running processes? — Parrish Husband, Sep 22 '18 at 16:09

Bakri Bitar · Answer 1 · 2018-09-21T19:27:18.160

1

If you want the name of the domain that contains the user's account, then you're looking for UserDomain Environment Variable

If you want which domain controller authenticated the client's logon request, then you're looking for LogonServer Environment Variable

var procs = Process.GetProcessesByName("Notepad").
var userDomain = procs[0].StartInfo.Environment["UserDomain"];
var logonServer = procs[0].StartInfo.Environment["LogonServer"];

Values on my windows machine (local user):

userDomain: "LAPTOP-DDK137L8"
logonServer: "\\LAPTOP-DDK137L8"

So from this you should be able to determine if it's running under the local user or the domain one.

edited Sep 21 '18 at 19:27

answered Sep 21 '18 at 19:06

Bakri Bitar

1,543
18
29

It does not work either. Both process return the exact same values for all `Username`, `UserDomain` and `LoginServer` which are "Franck", "MyDomain", "MyDomainController" – Franck Sep 21 '18 at 19:42
Are you running both of them on the same machine? if yes then you will get same values I guess. Check out this https://stackoverflow.com/questions/12710355/check-if-user-is-a-domain-user-or-local-user – Bakri Bitar Sep 21 '18 at 19:58
Both are on the same machine. same session on a user logged as domain. ill check the link later – Franck Sep 21 '18 at 20:00

score 1 · Accepted Answer · edited Jun 20 '20 at 09:12

tasklist /v gives the relevant info that you are interested in, i.e., the user name with the domain name.

The official documentation does not show any sample outputs.

tasklist

Displays a list of currently running processes on the local computer or on a remote computer.

/v Displays verbose task information in the output.

You can use it together with /fo csv option to get the result and parse it.

This answer from SuperUser has screen shots showing the output.

You can run this command as a separate process from your application similar to this, but passing the other parameters.

This is perfect. It does show the real user running the process. — Franck, Sep 24 '18 at 12:09

Retrieving the actual user account that started a process

2 Answers2