
I'm trying to identify logged sessions using a WMI query using PowerShell with:

$logon_sess = @(gwmi win32_logonsession -ComputerName $computername)

But I see that this command is also reporting older sessions. Are these still active? How can I reset it?

And when I compare the results with the "query user" command, I see different results, because the "query user" command returns only current sessions.

Then how can I get the real result of existing sessions using the WMI Win32_LogonSession method?

I say Reinstate Monica
Uh Trog
  • https://msdn.microsoft.com/en-us/library/aa394189(v=vs.85).aspx – Colyn1337 Mar 10 '17 at 14:18
  • I already filtered by type, but this class has a "StartTime" property, and it is also reporting older dates, so which one is the good one or the current active session? – Uh Trog Mar 11 '17 at 15:33

1 Answer

You are observing this behavior because Microsoft Security Bulletin MS16-111 contains an update that changed the way that Windows handles logon session objects. Now any service or application, either Microsoft or 3rd party, that leaks access tokens also leaks logon session objects.

You are leaking logon session objects every time a user logs off the system, and there isn't anything you can do about it except get your service or application vendor to fix their code so that it no longer leaks tokens.

https://blogs.technet.microsoft.com/askds/2017/04/05/using-debugging-tools-to-find-token-and-session-leaks/

Ryan Ries
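The comparison the question describes, written out as an added example (PowerShell written for this page, not code from either poster): it lists interactive Win32_LogonSession objects, resolves each to an account through the Win32_LoggedOnUser association, and flags objects whose user has no live session in quser, which after MS16-111 is what a leftover (leaked) session object looks like. The script assumes WMI and quser access to the host named in $ComputerName; the column names and the parsing of quser output are my own choices.

```powershell
# Added example: flag Win32_LogonSession objects that no longer match a live quser session.
param([string]$ComputerName = $env:COMPUTERNAME)

# LogonType values of interest (Win32_LogonSession): 2 = Interactive,
# 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
$interactiveTypes = 2, 10, 11

$sessions = Get-WmiObject Win32_LogonSession -ComputerName $ComputerName |
    Where-Object { $interactiveTypes -contains $_.LogonType }

# Win32_LoggedOnUser is an association class: Antecedent = Win32_Account,
# Dependent = Win32_LogonSession. Build a LogonId -> DOMAIN\user lookup from it.
$accountBySession = @{}
Get-WmiObject Win32_LoggedOnUser -ComputerName $ComputerName | ForEach-Object {
    # Dependent looks like: \\HOST\root\cimv2:Win32_LogonSession.LogonId="999"
    if ($_.Dependent -match 'LogonId="(\d+)"') {
        $id = $matches[1]
        # Antecedent looks like: \\HOST\root\cimv2:Win32_Account.Domain="DOM",Name="user"
        if ($_.Antecedent -match 'Domain="([^"]+)",Name="([^"]+)"') {
            $accountBySession[$id] = "$($matches[1])\$($matches[2])"
        }
    }
}

# User names with a live console/RDP session according to quser (header line skipped,
# leading '>' marks the caller's own session). Assumes user names contain no spaces.
$liveUsers = @(quser /server:$ComputerName 2>$null | Select-Object -Skip 1 | ForEach-Object {
    (($_ -replace '^>', '').Trim() -split '\s{2,}')[0]
})

$sessions | ForEach-Object {
    $acct = $accountBySession[$_.LogonId]
    $user = if ($acct) { ($acct -split '\\')[-1] } else { '<unknown>' }
    [pscustomobject]@{
        LogonId     = $_.LogonId
        LogonType   = $_.LogonType
        Account     = $acct
        StartTime   = $_.ConvertToDateTime($_.StartTime)
        # $false here means the object outlived its user's session: a candidate leaked
        # logon session object of the kind the answer describes.
        LiveInQuser = ($liveUsers -contains $user)
    }
} | Sort-Object StartTime | Format-Table -AutoSize
```

Matching is by user name, so a user who is genuinely logged on will also mask that user's older leaked objects; an admin with UAC split tokens will legitimately show two session objects per logon.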