Win32_LogonSession class

The Win32_LogonSession WMI classdescribes the logon session or sessions associated with a user logged on to a computer system running Windows.

The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties. Properties and methods are in alphabetic order, not MOF order.

Syntax

[Dynamic, Provider("CIMWin32"), UUID("{9083C21E-7D58-4e0e-BC30-0BC8922AFB8B}"), AMENDMENT]
class Win32_LogonSession : Win32_Session
{
  string   Caption;
  string   Description;
  datetime InstallDate;
  string   Name;
  string   Status;
  datetime StartTime;
  string   AuthenticationPackage;
  string   LogonId;
  uint32   LogonType;
};

Members

The Win32_LogonSession class has these types of members:

Properties

The Win32_LogonSession class has these properties.

AuthenticationPackage
Data type: string
Access type: Read-only

Name of the subsystem used to authenticate the logon session.

Caption
Data type: string
Access type: Read-only
Qualifiers: MaxLen (64), DisplayName ("Caption")

A short textual description of the object.

This property is inherited from CIM_ManagedSystemElement.

Description
Data type: string
Access type: Read-only
Qualifiers: DisplayName ("Description")

A textual description of the object.

This property is inherited from CIM_ManagedSystemElement.

InstallDate
Data type: datetime
Access type: Read-only
Qualifiers: MappingStrings ("MIF.DMTF|ComponentID|001.5"), DisplayName ("Install Date")

Indicates when the object was installed. Lack of a value does not indicate that the object is not installed.

This property is inherited from CIM_ManagedSystemElement.

LogonId
Data type: string
Access type: Read-only
Qualifiers: key

ID assigned to the logon session.

LogonType
Data type: uint32
Access type: Read-only

Numeric value that indicates the type of logon session.

0

Used only by the System account.

Interactive (2)

Intended for users who are interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.

Network (3)

Intended for high-performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.

Batch (4)

Intended for batch servers, where processes can be executed on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.

Service (5)

Indicates a service-type logon. The account provided must have the service privilege enabled.

Proxy (6)

Indicates a proxy-type logon.

Unlock (7)

This logon type is intended for GINA DLLs logging on users who are interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.

NetworkCleartext (8)

Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.

NewCredentials (9)

Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identify, but uses different credentials for other network connections.

RemoteInteractive (10)

Terminal Services session that is both remote and interactive.

CachedInteractive (11)

Attempt cached credentials without accessing the network.

CachedRemoteInteractive (12)

Same as RemoteInteractive. This is used for internal auditing.

CachedUnlock (13)

Workstation logon.

Name
Data type: string
Access type: Read-only
Qualifiers: DisplayName ("Name")

Label by which the object is known. When subclassed, this property can be overridden to be a key property.

This property is inherited from CIM_ManagedSystemElement.

StartTime
Data type: datetime
Access type: Read-only

Time at which the session started.

This property is inherited from Win32_Session.

Status
Data type: string
Access type: Read-only
Qualifiers: MaxLen (10), DisplayName ("Status")

String that indicates the current status of the object. Operational and non-operational status can be defined. Operational status can include "OK", "Degraded", and "Pred Fail". "Pred Fail" indicates that an element is functioning properly, but is predicting a failure (for example, a SMART-enabled hard disk drive).

Non-operational status can include "Error", "Starting", "Stopping", and "Service". "Service" can apply during disk mirror-resilvering, reloading a user permissions list, or other administrative work. Not all such work is online, but the managed element is neither "OK" nor in one of the other states.

This property is inherited from CIM_ManagedSystemElement.

Values include the following:

OK ("OK")

Error ("Error")

Degraded ("Degraded")

Unknown ("Unknown")

Pred Fail ("Pred Fail")

Starting ("Starting")

Stopping ("Stopping")

Service ("Service")

Stressed ("Stressed")

NonRecover ("NonRecover")

No Contact ("No Contact")

Lost Comm ("Lost Comm")

Examples

The List Logon Session Information PowerShell sample returns information about logon sessions associated with the user currently logged on to a computer.

The following PowerShell example checks for remote session open for a specified user.


$user = "<user name>"
$servers = gci servers.txt 

     foreach ($server in $servers){
     $logons = gwmi win32_loggedonuser -computername $server

          foreach ($logon in $logons){
               if ($logon.antecedent -match $user){
               $logonid = $logon.dependent.split("=")[1] 
               $session =gwmi win32_logonsession |? {$_.logonid -match $logonid}
               if ($session.logontype -eq "10"){
               Write-host "You have an active Terminal Server session on server $($server)"
                }
          }

Requirements

Minimum supported client

Windows Vista

Minimum supported server

Windows Server 2008

Namespace

Root\CIMV2

MOF

CIMWin32.mof

DLL

CIMWin32.dll

See also

Win32_Session
Operating System Classes

 

 

Show: