
Win32_LogonSession (Vista/2008)


Gerry Hickman

Nov 12, 2009, 6:01:48 AM
Hi,

I enumerate associators of Win32_logonSession on XP/2003 and I can see
interactive users logged in with their domain accounts. I can also see RDP
sessions.

I enumerate associators of Win32_logonSession on Vista/2008 and I can ONLY
see local accounts such as SYSTEM and LOCAL SERVICE.

For code examples see Torgeir's example here

http://www.ureader.com/message/1436360.aspx

I would like to know a reliable way to get interactive logon and RDP
sessions using WMI on Vista/2008. Any ideas?


--
Gerry Hickman
London (UK)

Gerry Hickman

Nov 12, 2009, 8:33:58 AM
"Gerry Hickman" <gerry...@newsgroup.nospam> wrote in message
news:%23gBkJe4...@TK2MSFTNGP02.phx.gbl...

> Hi,
>
> I enumerate associators of Win32_logonSession on XP/2003 and I can see
> interactive users logged in with their domain accounts. I can also see RDP
> sessions.
>
> I enumerate associators of Win32_logonSession on Vista/2008 and I can ONLY
> see local accounts such as SYSTEM and LOCAL SERVICE.

After further testing, there's more to it. We have two domains in two
forests.

In the domain that has Win2003 DCs we can use WMI to see Logon Sessions for
all users on XP/2003/Vista and 2008.

In the domain that has Win2008 DCs we can NOT use WMI to see Logon Sessions
for domain users on any o/s. BUT if we run WMI from the same machine we are
logged into, we can then see all Logon Sessions.

The issue therefore appears to be remote WMI when used in our Win2008
domain...

Jialiang Ge [MSFT]

Nov 13, 2009, 3:31:52 AM
Good morning Gerry!

Could you please try out the sample code in this article and let me know
the test result?

http://blogs.msdn.com/alejacma/archive/2008/03/04/how-to-get-the-logged-on-user-with-wmi-vbscript.aspx

(if the long URL is truncated by the newsgroup system, please concat it)

The code gets the user who has logged on to a given machine with VBScript &
WMI.


Regards,
Jialiang Ge (jia...@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

=================================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msd...@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================

Gerry Hickman

Nov 13, 2009, 6:36:49 AM
Hello Jialiang,

Thank you for the help with this. When I run the code in the article, I get
exactly the same results. Targeting servers in the Win2003 domain shows
interactive domain users correctly. Targeting servers in the Win2008 domain
finds sessions, but does not map them to domain users - I just get a list of
"Start Time: ..."

Did you read the comments in that blog? It seems they are seeing exactly the
same problem.


Gerry Hickman

Nov 13, 2009, 2:30:53 PM
Gerry Hickman wrote:
> Hello Jialiang,
>
> Thank you for the help with this. When I run the code in the article, I
> get exactly the same results. Targeting servers in the Win2003 domain
> shows interactive domain users correctly. Targeting servers in the
> Win2008 domain finds sessions, but does not map them to domain users - I
> just get a list of "Start Time: ..."

I now wonder if there's a double hop issue, the chain would look
something like this

WMI_Client->WMI_Server->AD

The WMI client contacts the WMI server and asks for Win32_LogonSession,
the server then maps Win32_LogonSession to Win32_Account as follows

class Win32_LoggedOnUser : CIM_Dependency
{
Win32_Account ref Antecedent;
Win32_LogonSession ref Dependent;
};

BUT

If the target account is a domain account, the WMI server will have to
contact AD (we assume) to get the account details. Unless the AD is
configured to allow ANONYMOUS access to user accounts, I don't see how
the WMI server can obtain the data used to populate the instance of
Win32_Account...


--
Gerry Hickman (London UK)

Jialiang Ge [MSFT]

Nov 15, 2009, 11:38:38 PM
Hello Gerry

I'm researching this issue and will update you soon.

Gerry Hickman

Nov 16, 2009, 9:33:46 AM
Hi Jialiang,

I have an update on this.

I have traced the problem to the point where it tries to obtain user
accounts from the Win2008 domain. It looks like it is trying to connect to
AD as ANONYMOUS and fails. I can reproduce the problem without
Win32_LogonSession. I can simply request a Win32_Account object and see the
failure.

var oUser = oSvc.Get("Win32_Account.Domain='OLD',Name='Gerry'"); // works local and remote
var oUser = oSvc.Get("Win32_Account.Domain='NEW',Name='Gerry'"); // fails remote

Domain 'OLD' is Win2003
Domain 'NEW' is Win2008

I don't know how to solve this; it appears that remote WMI relies on
ANONYMOUS access in order to populate the Win32_Account class?

When we run WMI on the local box, we don't see the problem because it can
use impersonation.

This doesn't only affect Logon Sessions, it also has implications when
viewing ACLs on remote servers.

There must be a security setting on the Win2003 domain that's "weaker" than
on the Win2008 system, but I'm not sure which setting. It would help to know
what mechanism WMI is using to obtain the user accounts from the domain
(e.g. WinNT provider).

--
Gerry Hickman
London (UK)


Jialiang Ge [MSFT]

Nov 17, 2009, 9:49:54 AM
Hello Gerry

Thanks for your efforts. I'm still discussing this with the product team. I
will update you about the findings on our side.

Gerry Hickman

Nov 17, 2009, 3:59:13 PM
Hi Jialiang,

Thank you for contacting the product team about this. Were you able to
reproduce the problem, using the simple code to .Get a Win32_Account
instance via a remote machine against a Win2008 domain?

Jialiang Ge [MSFT]

Nov 23, 2009, 1:14:06 AM
Hello Gerry

I found some relevant product issue report on my side. According to their
log, PG is going to fix it in future release of OS.

I also found this workaround proposed by a community member. This seems to be
the best workaround that I have found so far. Please let me know whether it
works for you.

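' Echo the owner of every explorer.exe process found on strComputer
sub GetLogin(strComputer)

    dim objWMIService
    dim objEnum
    dim obj
    dim outParams

    ' Connect to the WMI service on the target machine
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

    ' Only the relative path is needed to call a method on each instance
    set objEnum = objWMIService.execQuery("select __relpath from win32_process where caption = 'explorer.exe'")

    If objEnum.Count <> 0 then
        for each obj in objEnum
            ' GetOwner returns the account that owns the process
            set outParams = obj.ExecMethod_("GetOwner")
            wscript.echo strcomputer & ": " & outParams.User
        next
    End If

end sub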

Gerry Hickman

Nov 23, 2009, 8:18:37 AM
""Jialiang Ge [MSFT]"" <jia...@online.microsoft.com> wrote in message
news:%2361lwQA...@TK2MSFTNGHUB02.phx.gbl...

> I found some relevant product issue report on my side. According to their
> log, PG is going to fix it in future release of OS.

Thank you for getting this answer from the product group, but it's not a
very helpful answer from them.

1. It doesn't explain why we see different behavior on Win2003/Win2008.
2. It doesn't clarify which o/s are affected, or what they mean by "future
release of OS", this could mean Windows 8?

I have carried out more tests with a Win32_Account instance on a remote
machine, and it's not able to obtain data from the Win2008 domain. This is a
serious problem.

> I also found this workaround proposed by a community member. This seems to be
> the best workaround that I have found so far. Please let me know whether it
> works for you.

Thanks, I have tested the work-around, but it's quite limited compared with
Win32_LogonSession, for example we want to view only RDP sessions, or only
interactive sessions. But this is no longer important, the issue above with
Win32_Account is a much bigger problem.

> sub GetLogin(strComputer)
>
> dim objWMIService
> dim objEnum
> dim obj
> dim outParams
>
> Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
>
> set objEnum = objWMIService.execQuery("select __relpath from win32_process where caption = 'explorer.exe'")
>
>
> If objEnum.Count <> 0 then
> for each obj in objEnum
> set outParams = obj.ExecMethod_("GetOwner")
> wscript.echo strcomputer & ": " & outParams.User
> next
> End If
>
> end sub
>
> Regards,
> Jialiang Ge (jia...@online.microsoft.com, remove 'online.')
> Microsoft Online Community Support

--
Gerry Hickman
London (UK)
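
The following is an added example, not code from the thread or from Microsoft: it limits Win32_LogonSession to LogonType 2 (interactive) and 10 (RDP) and reads the account from the Win32_LoggedOnUser reference paths instead of fetching a Win32_Account instance. The function name Get-InteractiveLogon, its parameters and the 'localhost' target are hypothetical, and the thread does not establish whether this avoids the remote failure seen in the Win2008 domain.

```powershell
# Added example. Get-InteractiveLogon and its parameters are hypothetical names.
function Get-InteractiveLogon {
    param(
        [string]$ComputerName = 'localhost',   # placeholder target
        [int[]]$LogonType = @(2, 10)           # 2 = Interactive, 10 = RemoteInteractive (RDP)
    )
    $typeName = @{ 2 = 'Interactive'; 10 = 'RemoteInteractive' }

    # WQL filter such as "LogonType = 2 OR LogonType = 10"
    $filter = ($LogonType | ForEach-Object { "LogonType = $_" }) -join ' OR '
    $sessions = @{}
    Get-WmiObject -Class Win32_LogonSession -ComputerName $ComputerName -Filter $filter |
        ForEach-Object { $sessions[[string]$_.LogonId] = $_ }

    # Each Win32_LoggedOnUser instance holds two reference paths as strings:
    #   Antecedent  ...Win32_Account.Domain="...",Name="..."
    #   Dependent   ...Win32_LogonSession.LogonId="..."
    # Domain and Name are read from the path text; no Win32_Account is fetched.
    $owner = @{}
    Get-WmiObject -Class Win32_LoggedOnUser -ComputerName $ComputerName |
        ForEach-Object {
            if ($_.Dependent -match 'LogonId="(\d+)"') {
                $id = $Matches[1]
                if ($sessions.ContainsKey($id) -and
                    $_.Antecedent -match 'Domain="([^"]+)",Name="([^"]+)"') {
                    $owner[$id] = '{0}\{1}' -f $Matches[1], $Matches[2]
                }
            }
        }

    # One row per session. User stays empty when no account was mapped, which
    # is the symptom reported in the thread for the Win2008 domain.
    foreach ($id in $sessions.Keys) {
        New-Object PSObject -Property @{
            Computer  = $ComputerName
            LogonId   = $id
            LogonType = $typeName[[int]$sessions[$id].LogonType]
            StartTime = $sessions[$id].StartTime
            User      = $owner[$id]
        }
    }
}

Get-InteractiveLogon -ComputerName 'localhost' | Format-Table -AutoSize
```

Rows with an empty User column are sessions that were found but could not be tied to an account, so running it against hosts in both domains shows where the mapping breaks.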

Jialiang Ge [MSFT]

Dec 3, 2009, 12:25:38 AM
Hello Gerry

Sorry for my late response. I sent an email about this case to you. Could
you please check your mailbox?

Regards,
Jialiang Ge (jia...@online.microsoft.com, remove 'online.')
Microsoft Online Community Support
