Get the logged in Windows user name associated with a desktop

I wish to enumerate all desktops in a system and get the logged in user name for that desktop. So far I have the following code snippet as an example of obtaining an HDESK handle and trying to determine the user name associated with it (if any), but the call to LookupAccountSid fails with ERROR_NONE_MAPPED ("No mapping between account names and security IDs was done").

HDESK desk = OpenDesktop( "Default", 0, FALSE, READ_CONTROL | DESKTOP_READOBJECTS );

DWORD size = 4096;

SID * sid  = (SID *)malloc( size );

GetUserObjectInformation( desk , UOI_USER_SID, sid, size, &size );

char name[512], domain[512];
DWORD namesz = 512, domainsz = 512;  // LookupAccountSid takes LPDWORD sizes
SID_NAME_USE s;                      // receives the SID type

// this is the call that fails with ERROR_NONE_MAPPED
LookupAccountSid( NULL, sid, name, &namesz, domain, &domainsz, &s );

It might be because I am pulling out a logon SID via GetUserObjectInformation rather than a user SID. If so, can I convert that to the logged in user's SID?

Can anybody point me in the right direction for getting the logged in user name for an arbitrary desktop (via either its respective HDESK or HWND handle or even the desktop's station's HWINSTA handle)? Thanks in advance.

QAZ asked Jan 07 '10 01:01


2 Answers

The problem is that desktops aren't associated with users at all. Try using psexec to run Notepad under the SYSTEM account. It's running on your window station, on your desktop. Otherwise, you wouldn't be able to see it.

But if you want to get the session associated with the window station, then yes it's possible. You need to call NtQueryObject with ObjectNameInformation to get the name of the object. For example, here's what I get: \Sessions\1\Windows\WindowStations\WinSta0. There's your session ID.

wj32 answered Sep 28 '22 04:09


If what you want is the user information then this will work.

Call WTSEnumerateSessions to obtain an array of WTS_SESSION_INFO structures. For each structure, pass the SessionId member to WTSQuerySessionInformation with the WTSInfoClass member set to WTSUserName. This will give you the name of the user (if there is one) associated with the session.

Alternatively you can set the WTSInfoClass to WTSSessionInfo and get a WTSINFO structure back. This contains a lot of information including the user name and domain. Look at the header file definition of WTSINFO though as the MSDN page is wrong.

You have to call WTSEnumerateSessions twice, once to get the required buffer size and then once to get your information.

Relationships: One or more Desktop objects are in a Windows Station. A Windows Station is associated with a Session.

janglin answered Sep 28 '22 05:09
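
The chain the two answers describe, as an added example that is not part of either answer: parse the session ID out of the window-station object name quoted in the first answer, then query WTSUserName for that session as the second answer suggests. The function name `session_from_winsta_name` is hypothetical; the code assumes the object name has already been converted from the UNICODE_STRING that NtQueryObject returns, and that session 0 stations carry no `\Sessions\<n>` prefix.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <wtsapi32.h> /* link with wtsapi32.lib */
#endif

/* Session ID from a window-station object name (NtQueryObject output,
 * converted to narrow chars). Assumption: session 0 stations have no
 * \Sessions\<n> prefix. Returns 0 on success, -1 on any other name. */
int session_from_winsta_name(const char *name, unsigned long *session_id)
{
    static const char pre[] = "\\Sessions\\";
    static const char tail[] = "\\Windows\\WindowStations\\";
    const size_t plen = sizeof pre - 1, tlen = sizeof tail - 1;
    unsigned long id = 0; char *end;
    if (strncmp(name, pre, plen) == 0) {
        if (!isdigit((unsigned char)name[plen])) return -1; /* no sign, no text */
        errno = 0;
        id = strtoul(name + plen, &end, 10);
        if (errno != 0 || id > 0xFFFFFFFFul) return -1;     /* IDs are DWORDs */
        name = end;
    }
    /* The rest must be \Windows\WindowStations\<non-empty station name>. */
    if (strncmp(name, tail, tlen) != 0 || name[tlen] == '\0') return -1;
    *session_id = id;
    return 0;
}

int main(void)
{
    unsigned long id;
    if (session_from_winsta_name(
            "\\Sessions\\1\\Windows\\WindowStations\\WinSta0", &id) != 0) return 1;
    printf("session %lu\n", id);
#ifdef _WIN32
    LPSTR user = NULL;  /* empty string when nobody is logged on */
    DWORD bytes = 0;
    if (WTSQuerySessionInformationA(WTS_CURRENT_SERVER_HANDLE, (DWORD)id,
                                    WTSUserName, &user, &bytes)) {
        printf("user \"%s\"\n", user);
        WTSFreeMemory(user);
    }
#endif
    return 0;
}
```

The parser is portable C; the WTS query is compiled only on Windows.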