Unlock a session – who’s that ?

So I had a requirement to kick off an update for a user when they unlock a Windows session on a client.  But it had to be for the user performing the unlock..  So how to do this – well the really easy route is to scrape the client log looking for 4801 or 4803 or even go looking for logon events with Type=7..  However this is extra effort (remember take it easy) and if someone disables the Audit entries you’re well..  stuck..

So – looking at what actually goes on and not wanting to go too deep into the system (I mean who wants to do C# or VB .Net services or DLLs) – what can be done with PowerShell ?

Well as it happens – on the basis that on a Windows Client you can only have two active sessions – why not look at the processes and do some inference ? So – this is what I came up with and across nearly 100,000 clients it’s been doing a pretty good consistent job..

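# Session IDs that currently have a logonui process (logon/unlock prompt showing)
$array = (Get-Process logonui -IncludeUserName -ErrorAction SilentlyContinue).sessionID
# -IncludeUserName requires the script to run elevated
forEach($session in (Get-Process explorer -IncludeUserName -ErrorAction SilentlyContinue | select username,sessionID)){
  # An explorer shell whose session has no logonui belongs to the active (unlocked) user
  if($array -notcontains $session.sessionID){
    $user = $session.username
  }
}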

So what is going on here ?

Well first we find all the processes that are logonui – this is the process that shows the Secure Attention Sequence (aka Logon/Unlock prompt).

Then we find all the processes that are the explorer.exe – that is the explorer shell..

Now on a Windows Client we’ll have two processes with the explorer shell max – and if we have only one logonui process then all we need to discover is which of the two explorer processes doesn’t have a logonui in its session and voila.. we have who is currently active.

So run this PowerShell via a Scheduled Task Unlock event and you will have your most likely candidate of who just unlocked..
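
An added example (not the original post's code) that wraps the same inference in a function, collapses several explorer processes in one session into a single candidate, and refuses to guess when no session or more than one session qualifies. The function names and the CONTOSO sample accounts are assumptions; the live lookup needs an elevated context because of -IncludeUserName.

```powershell
# Added example: names Resolve-UnlockedUser / Get-UnlockedUser are hypothetical.
function Resolve-UnlockedUser {
    param(
        [object[]]$Explorer = @(),        # objects exposing UserName and SessionId
        [int[]]$LockedSessionIds = @()    # sessions that currently own a logonui process
    )
    # Keep shells that have an owner, are not in session 0 (services), and whose
    # session shows no logon/unlock prompt; one entry per session/user pair.
    $candidates = @($Explorer |
        Where-Object { $_.UserName -and $_.SessionId -ne 0 -and
                       $LockedSessionIds -notcontains $_.SessionId } |
        Sort-Object -Property SessionId, UserName -Unique)

    switch ($candidates.Count) {
        0       { [pscustomobject]@{ Status = 'NoCandidate'; UserName = $null; SessionId = $null } }
        1       { [pscustomobject]@{ Status = 'Resolved'
                                     UserName  = $candidates[0].UserName
                                     SessionId = $candidates[0].SessionId } }
        default { [pscustomobject]@{ Status = 'Ambiguous'; UserName = $null; SessionId = $null } }
    }
}

function Get-UnlockedUser {
    # Live lookup for the scheduled task; run elevated (e.g. as SYSTEM).
    $locked = @(Get-Process -Name logonui -ErrorAction SilentlyContinue |
                ForEach-Object SessionId)
    $shells = @(Get-Process -Name explorer -IncludeUserName -ErrorAction SilentlyContinue)
    Resolve-UnlockedUser -Explorer $shells -LockedSessionIds $locked
}

# Constructed sample data: session 1 is still at the lock screen, session 2 is not,
# and session 2 runs two explorer processes.
$sample = @(
    [pscustomobject]@{ UserName = 'CONTOSO\alice'; SessionId = 1 },
    [pscustomobject]@{ UserName = 'CONTOSO\bob';   SessionId = 2 },
    [pscustomobject]@{ UserName = 'CONTOSO\bob';   SessionId = 2 }
)
Resolve-UnlockedUser -Explorer $sample -LockedSessionIds 1
```

Only act on a result whose Status is Resolved; the other two values mean the process picture did not single out one user at the moment the task fired.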

Is this 100% cast iron ? – no probably not – are there other ways to do this – well of course – it’s Microsoft after all..

It’s just another flavour to add to the System Admin’s soup…
