Win32_LogonSession class

The Win32_LogonSession WMI class (see Retrieving a WMI class) describes the logon session or sessions associated with a user logged on to a computer system running Windows.

The following syntax is simplified from Managed Object Format (MOF) code, and includes all of the inherited properties. Properties and methods are in alphabetic order, not MOF order.

[Dynamic, Provider("CIMWin32"), UUID("{9083C21E-7D58-4e0e-BC30-0BC8922AFB8B}"), AMENDMENT]
class Win32_LogonSession : Win32_Session
{
  string   Caption;
  string   Description;
  datetime InstallDate;
  string   Name;
  string   Status;
  datetime StartTime;
  string   AuthenticationPackage;
  string   LogonId;
  uint32   LogonType;
};

The Win32_LogonSession class has these types of members:

• Properties

The Win32_LogonSession class has these properties.

AuthenticationPackage

Data type: string

Access type: Read-only

Name of the subsystem used to authenticate the logon session.

Caption

Data type: string

Access type: Read-only

Qualifiers: MaxLen (64), DisplayName ("Caption")

A short textual description of the object.

This property is inherited from CIM_ManagedSystemElement.

Description

Data type: string

Access type: Read-only

Qualifiers: DisplayName ("Description")

A textual description of the object.

This property is inherited from CIM_ManagedSystemElement.

InstallDate

Data type: datetime

Access type: Read-only

Qualifiers: MappingStrings ("MIF.DMTF|ComponentID|001.5"), DisplayName ("Install Date")

Indicates when the object was installed. Lack of a value does not indicate that the object is not installed.

This property is inherited from CIM_ManagedSystemElement.

LogonId

Data type: string

Access type: Read-only

Qualifiers: key

ID assigned to the logon session.

LogonType

Data type: uint32

Access type: Read-only

Numeric value that indicates the type of logon session.

0

Used only by the System account.

Interactive (2)

Intended for users who are interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.

Network (3)

Intended for high-performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.

Batch (4)

Intended for batch servers, where processes can be executed on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.

Service (5)

Indicates a service-type logon. The account provided must have the service privilege enabled.

Proxy (6)

Indicates a proxy-type logon.

Unlock (7)

This logon type is intended for GINA DLLs logging on users who are interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.

NetworkCleartext (8)

Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.

NewCredentials (9)

Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identify, but uses different credentials for other network connections.

RemoteInteractive (10)

Terminal Services session that is both remote and interactive.

CachedInteractive (11)

Attempt cached credentials without accessing the network.

CachedRemoteInteractive (12)

Same as RemoteInteractive. This is used for internal auditing.

CachedUnlock (13)

Workstation logon.

The List Logon Session Information (List Logon Session Information.ps1) PowerShell sample returns information about logon sessions associated with the user currently logged on to a computer.

The following PowerShell example checks for remote session open for a specified user.

$user = "<user name>"
$servers = gci servers.txt 

     foreach ($server in $servers){
     $logons = gwmi win32_loggedonuser -computername $server

          foreach ($logon in $logons){
               if ($logon.antecedent -match $user){
               $logonid = $logon.dependent.split("=")[1] 
               $session =gwmi win32_logonsession |? {$_.logonid -match $logonid}
               if ($session.logontype -eq "10"){
               Write-host "You have an active Terminal Server session on server $($server)"
                }
          }

Win32_Session

Operating System Classes