Edit

Share via

Win32_LogonSession class

  • Article

The Win32_LogonSession WMI class (see Retrieving a WMI class) describes the logon session or sessions associated with a user logged on to a computer system running Windows.

The following syntax is simplified from Managed Object Format (MOF) code, and includes all of the inherited properties. Properties and methods are in alphabetic order, not MOF order.

Syntax

[Dynamic, Provider("CIMWin32"), UUID("{9083C21E-7D58-4e0e-BC30-0BC8922AFB8B}"), AMENDMENT]
class Win32_LogonSession : Win32_Session
{
  string   Caption;
  string   Description;
  datetime InstallDate;
  string   Name;
  string   Status;
  datetime StartTime;
  string   AuthenticationPackage;
  string   LogonId;
  uint32   LogonType;
};

Members

The Win32_LogonSession class has these types of members:

Properties

The Win32_LogonSession class has these properties.

AuthenticationPackage

Data type: string

Access type: Read-only

Name of the subsystem used to authenticate the logon session.

Caption

Data type: string

Access type: Read-only

Qualifiers: MaxLen (64), DisplayName ("Caption")

A short textual description of the object.

This property is inherited from CIM_ManagedSystemElement.

Description

Data type: string

Access type: Read-only

Qualifiers: DisplayName ("Description")

A textual description of the object.

This property is inherited from CIM_ManagedSystemElement.

InstallDate

Data type: datetime

Access type: Read-only

Qualifiers: MappingStrings ("MIF.DMTF|ComponentID|001.5"), DisplayName ("Install Date")

Indicates when the object was installed. Lack of a value does not indicate that the object is not installed.

This property is inherited from CIM_ManagedSystemElement.

LogonId

Data type: string

Access type: Read-only

Qualifiers: key

ID assigned to the logon session.

LogonType

Data type: uint32

Access type: Read-only

Numeric value that indicates the type of logon session.

0

Used only by the System account.

Interactive (2)

Intended for users who are interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.

Network (3)

Intended for high-performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.

Batch (4)

Intended for batch servers, where processes can be executed on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.

Service (5)

Indicates a service-type logon. The account provided must have the service privilege enabled.

Proxy (6)

Indicates a proxy-type logon.

Unlock (7)

This logon type is intended for GINA DLLs logging on users who are interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.

NetworkCleartext (8)

Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.

NewCredentials (9)

Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identify, but uses different credentials for other network connections.

RemoteInteractive (10)

Terminal Services session that is both remote and interactive.

CachedInteractive (11)

Attempt cached credentials without accessing the network.

CachedRemoteInteractive (12)

Same as RemoteInteractive. This is used for internal auditing.

CachedUnlock (13)

Workstation logon.

Name

Data type: string

Access type: Read-only

Qualifiers: DisplayName ("Name")

Label by which the object is known. When subclassed, this property can be overridden to be a key property.

This property is inherited from CIM_ManagedSystemElement.

StartTime

Data type: datetime

Access type: Read-only

Time at which the session started.

This property is inherited from Win32_Session.

Status

Data type: string

Access type: Read-only

Qualifiers: MaxLen (10), DisplayName ("Status")

String that indicates the current status of the object. Operational and non-operational status can be defined. Operational status can include "OK", "Degraded", and "Pred Fail". "Pred Fail" indicates that an element is functioning properly, but is predicting a failure (for example, a SMART-enabled hard disk drive).

Non-operational status can include "Error", "Starting", "Stopping", and "Service". "Service" can apply during disk mirror-resilvering, reloading a user permissions list, or other administrative work. Not all such work is online, but the managed element is neither "OK" nor in one of the other states.

This property is inherited from CIM_ManagedSystemElement.

Values include the following:

OK ("OK")

Error ("Error")

Degraded ("Degraded")

Unknown ("Unknown")

Pred Fail ("Pred Fail")

Starting ("Starting")

Stopping ("Stopping")

Service ("Service")

Stressed ("Stressed")

NonRecover ("NonRecover")

No Contact ("No Contact")

Lost Comm ("Lost Comm")

Examples

The List Logon Session Information (List Logon Session Information.ps1) PowerShell sample returns information about logon sessions associated with the user currently logged on to a computer.

The following PowerShell example checks for remote session open for a specified user.

$user = "<user name>"
$servers = gci servers.txt 

     foreach ($server in $servers){
     $logons = gwmi win32_loggedonuser -computername $server

          foreach ($logon in $logons){
               if ($logon.antecedent -match $user){
               $logonid = $logon.dependent.split("=")[1] 
               $session =gwmi win32_logonsession |? {$_.logonid -match $logonid}
               if ($session.logontype -eq "10"){
               Write-host "You have an active Terminal Server session on server $($server)"
                }
          }

Requirements

Requirement Value
Minimum supported client
 Windows Vista
Minimum supported server
 Windows Server 2008
Namespace
 Root\CIMV2
MOF
CIMWin32.mof
DLL
CIMWin32.dll

See also

Win32_Session

Operating System Classes