Unlock a session – who’s that ?
So I had a requirement to kick off an update for a user when they unlock a Windows session on a client. But it had to be for the user performing the unlock.. So how to do this – well the really easy route is to scrape the client log looking for 4801 or 4803 or even go looking for logon events with Type=7.. However this is extra effort (remember take it easy) and if someone disables the Audit entries you’re well.. stuck..
So – looking at what actually goes on and not wanting to go too deep into the system (I mean who wants to do C# or VB .Net services or DLLs) – what can be done with PowerShell ?
Well as it happens – on the basis that on a Windows Client you can only have two active sessions – why not look at the processes and do some inference ? So – this is what I came up with and across nearly 100,000 clients it’s been doing a pretty good consistent job..
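    # Sessions showing the logon/unlock prompt (-IncludeUserName needs elevation)
    $array = (Get-Process logonui -IncludeUserName -ErrorAction SilentlyContinue).sessionID
    # An explorer shell in a session without logonui belongs to the unlocked user
    forEach($session in (Get-Process explorer -IncludeUserName -ErrorAction SilentlyContinue | select username,sessionID)){
        if($array -notcontains $session.sessionID){
            $user = $session.username
        }
    }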
So what is going on here ?
Well first we find all the processes that are logonui – this is the process that shows the Secure Attention Sequence (aka Logon/Unlock prompt).
Then we find all the processes that are the explorer.exe – that is the explorer shell..
Now on a Windows Client we’ll have two processes with the explorer shell max – and if we have only one logonui process then all we need to discover is which of the two explorer processes doesn’t have a logonui and voila.. we have who is currently active.
So run this PowerShell via a Scheduled Task Unlock event and you will have your most likely candidate of who just unlocked..
Is this 100% cast iron ? – no probably not – are there other ways to do this – well of course – it’s Microsoft after all..
It’s just another flavour to add to the System Admin’s soup…
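An added example, not the author's code: the same inference wrapped in a function that returns nothing when zero or several unlocked shells are found, so the follow-up action never runs for a guessed user. The name Resolve-UnlockedUser and the sample accounts are hypothetical.

```powershell
# Added example. Resolve-UnlockedUser is a hypothetical helper name.
function Resolve-UnlockedUser {
    param(
        # Objects exposing Name, SessionId and UserName,
        # as returned by Get-Process -IncludeUserName
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [object[]] $ProcessList
    )

    # Sessions that currently show the logon/unlock prompt
    $locked = @($ProcessList |
        Where-Object { $_.Name -eq 'logonui' } |
        ForEach-Object { $_.SessionId })

    # Explorer shells in sessions without logonui, one entry per session
    # (a user can own more than one explorer.exe process)
    $candidates = @($ProcessList |
        Where-Object { $_.Name -eq 'explorer' -and $locked -notcontains $_.SessionId } |
        Sort-Object -Property SessionId -Unique)

    # Fail closed: anything other than exactly one candidate is ambiguous
    if ($candidates.Count -ne 1) { return $null }
    $candidates[0].UserName
}

# Constructed sample: session 1 is locked, session 2 is unlocked and
# owns two explorer.exe processes
$sample = @(
    [pscustomobject]@{ Name = 'LogonUI';  SessionId = 1; UserName = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ Name = 'explorer'; SessionId = 1; UserName = 'EXAMPLE\alice' }
    [pscustomobject]@{ Name = 'explorer'; SessionId = 2; UserName = 'EXAMPLE\bob' }
    [pscustomobject]@{ Name = 'explorer'; SessionId = 2; UserName = 'EXAMPLE\bob' }
)
Resolve-UnlockedUser -ProcessList $sample

# Live use inside the scheduled task (elevation is required for -IncludeUserName)
$live = @(Get-Process -Name logonui, explorer -IncludeUserName -ErrorAction SilentlyContinue)
$user = Resolve-UnlockedUser -ProcessList $live
if ($user) {
    Write-Output "Unlocked by $user"
} else {
    Write-Warning 'Unlock user is ambiguous; skipping the per-user action'
}
```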