Remote Session Client Name does not populate on Event Task run of Powershell script

jakerjaker77 21 Reputation points
2021-02-17T15:19:53.787+00:00

I put together a fairly simple PowerShell script to run and send an email when a Scheduled Event Task is triggered for RDP logon event for a particular remote machine running Windows 10. I found a couple ways to get the connected client computer name, either with $env:CLIENTNAME or the code snippet below. These both work great running manually in PowerShell. But when my Scheduled Event Task is triggered, neither of these methods for getting the CLIENTNAME populate the variable $ClientName and the alert email just shows a blank.

Any idea why this would work to get CLIENTNAME running manually in PowerShell but not when run as a Scheduled Event Task? The Task is set up with a network user with Admin privileges to the machine, but maybe this is a privileges issue of some kind?

# Session ID of the running process; HKCU:\Volatile Environment has one subkey per session.
$SessionId = (Get-Process -Id $PID).SessionId
$regKey = 'HKCU:\Volatile Environment\{0}' -f $SessionId
$regKeyValues = Get-ItemProperty $regKey
$sessionName = $regKeyValues | ForEach-Object { $_.SESSIONNAME }
# Only remote sessions carry a CLIENTNAME; the console session does not.
if ($sessionName -ne 'Console')
{
    $ClientName = $regKeyValues | ForEach-Object { $_.CLIENTNAME }
}

Accepted answer
  1. MotoX80 32,526 Reputation points
    2021-02-19T16:19:29.357+00:00

    loop through HKEY_USERS to get the Clientname? Any example scripts for that?

    Try this.

    # Enumerate every loaded user hive under HKEY_USERS (one per logged-on user).
    $AllUsers = Get-ChildItem REGISTRY::HKEY_USERS -ErrorAction SilentlyContinue
    foreach ($u in $AllUsers) {
        $r = "REGISTRY::$($u.Name)\Volatile Environment"
        if (Test-Path -Path $r -ErrorAction SilentlyContinue) {
            # One subkey per session; each holds that session's CLIENTNAME and SESSIONNAME.
            $ve = Get-ChildItem -Path $r
            foreach ($sub in $ve) {
                # The hive name is HKEY_USERS\<SID>; translate the SID to DOMAIN\user.
                $sid = $u.Name.Split('\')[1]
                $objSID = New-Object System.Security.Principal.SecurityIdentifier ($sid)
                $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
                "SID        : {0}" -f $sid
                "User       : {0}" -f $objUser.Value
                "Clientname : {0}" -f (Get-ItemProperty -Path ('REGISTRY::' + $sub.Name) -Name CLIENTNAME).CLIENTNAME
                "Sessionname: {0}" -f (Get-ItemProperty -Path ('REGISTRY::' + $sub.Name) -Name SESSIONNAME).SESSIONNAME
                ""
            }
        }
    }
    
    1 person found this answer helpful.
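The same HKEY_USERS enumeration as an added example (not code from the original post or either answer), returning one object per session instead of formatted strings so the scheduled task can filter on it and build the alert body. It assumes, as the answer does, that the task account can read the other users' hives; the function name Get-RdpSessionClient is my own.

```powershell
function Get-RdpSessionClient {
    [CmdletBinding()]
    param(
        # By default only remote (non-Console) sessions are returned.
        [switch]$IncludeConsole
    )

    # Every logged-on user's hive is loaded under HKEY_USERS; skip the *_Classes hives.
    $hives = Get-ChildItem -Path 'REGISTRY::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }

    foreach ($hive in $hives) {
        $sid    = $hive.PSChildName
        $vePath = "REGISTRY::$($hive.Name)\Volatile Environment"
        if (-not (Test-Path -Path $vePath)) { continue }

        # Resolve the SID to DOMAIN\user; keep the raw SID if it cannot be resolved
        # (stale hive of a deleted account, machine off the domain, and so on).
        try {
            $user = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $user = $sid
        }

        # One subkey per session, named after the session ID, holding SESSIONNAME and CLIENTNAME.
        foreach ($sessionKey in Get-ChildItem -Path $vePath -ErrorAction SilentlyContinue) {
            $props       = Get-ItemProperty -Path "REGISTRY::$($sessionKey.Name)" -ErrorAction SilentlyContinue
            $sessionName = [string]$props.SESSIONNAME
            if (-not $IncludeConsole -and $sessionName -eq 'Console') { continue }

            [pscustomobject]@{
                User        = $user
                Sid         = $sid
                SessionId   = $sessionKey.PSChildName
                SessionName = $sessionName      # e.g. RDP-Tcp#3 for a remote session
                ClientName  = [string]$props.CLIENTNAME
            }
        }
    }
}

# From the scheduled task: build the alert body from the remote sessions found.
$remote = Get-RdpSessionClient
$body   = ($remote | ForEach-Object {
    "{0} connected from client '{1}' (session {2}, {3})" -f $_.User, $_.ClientName, $_.SessionId, $_.SessionName
}) -join "`n"
$body
```

An empty $body means no remote session had a hive loaded yet when the task fired; adding a short delay to the task action before running the script gives the logon time to populate Volatile Environment.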

1 additional answer

  1. MotoX80 32,526 Reputation points
    2021-02-17T22:18:07.88+00:00

    $regkey references HKEY_CURRENT_USER so that's the account that the script is running as. That would be your "network user with admin privileges" when run with the task scheduler.

    $ENV:Clientname is only going to work when the script runs in the context of the RDP user/session.

    Depending on what event you are looking at, you could loop through HKEY_USERS and try to find clientname.

    Or run quser.exe and capture and parse stdout.

    C:\WINDOWS\system32>quser.exe
     USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
     admin                 console             1  Active      none   2/17/2021 9:21 AM

    1 person found this answer helpful.