Monitor Everything with Monitis – And do it easily with PowerShell – Part 8

Monitoring Logons with Monitis

The last couple of articles have introduced you to some of the fun things you can monitor with WMI and Monitis.  Today, we’ll show you how to use the Monitis custom monitor infrastructure to track which users are logged on to a system.

The PowerShell command to get this information from WMI is very simple:

Get-WmiObject win32_LoggedOnUser

This returns what WMI calls an association class.  An association class tells you the relationship between two things; here, the logon session and the account that logged on.  You have to be running as an administrator to see the complete results of this class.

There are a lot of association classes in WMI, and they’re easy to work with: each instance holds the WMI object paths of the two related items.  Here’s how I can pick out the exact user that’s logged on:

Get-WmiObject Win32_LoggedOnUser |
    ForEach-Object {
        # Antecedent is the WMI path of the account, e.g.
        #   \\SERVER\root\cimv2:Win32_Account.Domain="SERVER",Name="alice"
        # ManagementPath parses it properly; splitting the string on "." breaks
        # as soon as a domain or user name contains a dot.
        $path = [System.Management.ManagementPath]$_.Antecedent
        $computerName = $path.Server
        $namespace = $path.NamespacePath        # root\cimv2
        $class = $path.ClassName                # Win32_Account
        # RelativePath is Class.Key1="v1",Key2="v2"; turn the key list into a WHERE clause
        $instanceQuery = $path.RelativePath.Substring($class.Length + 1).Replace(",", " AND ")
        if ($computerName -eq '.') {
            # local query; EnableAllPrivileges lets an elevated session see every account
            $user = Get-WmiObject -Query "SELECT * FROM $class WHERE $instanceQuery" -Namespace $namespace -EnableAllPrivileges
        } else {
            $user = Get-WmiObject -ComputerName $computerName -Query "SELECT * FROM $class WHERE $instanceQuery" -Namespace $namespace
        }
        $user
    }

Now that we’ve got this information, let’s make a custom monitor to track it.

Let’s start by declaring the monitor:

$monitorExists = Get-MonitisCustomMonitor -Name LoggedOnUsers
if (-not $monitorExists) {
    Add-MonitisCustomMonitor -Name LoggedOnUsers -Parameter Account, Sid, Time
}
$monitorId = Get-MonitisCustomMonitor -Name LoggedOnUsers | Select-Object -ExpandProperty MonitisTestId

To upload it, we can modify our earlier code a little to push the data.  Note that the keys in the hashtable must match the parameter names the monitor was declared with (Account, Sid, Time):

Get-WmiObject Win32_LoggedOnUser |
    ForEach-Object {
        # Same lookup as before: parse the account path instead of splitting on "."
        $path = [System.Management.ManagementPath]$_.Antecedent
        $computerName = $path.Server
        $namespace = $path.NamespacePath
        $class = $path.ClassName
        $instanceQuery = $path.RelativePath.Substring($class.Length + 1).Replace(",", " AND ")
        if ($computerName -eq '.') {
            $user = Get-WmiObject -Query "SELECT * FROM $class WHERE $instanceQuery" -Namespace $namespace -EnableAllPrivileges
        } else {
            $user = Get-WmiObject -ComputerName $computerName -Query "SELECT * FROM $class WHERE $instanceQuery" -Namespace $namespace
        }
        # Keys must match the parameters declared with Add-MonitisCustomMonitor
        Update-MonitisCustomMonitor -Name LoggedOnUsers -Value @{
            Account = $user.Caption     # DOMAIN\Name
            Sid     = $user.SID
            Time    = Get-Date
        }
    }
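The association row carries two paths, and the other half (the Dependent, a Win32_LogonSession) is where the interesting security context lives: the logon type tells you whether someone is at the console, came in over RDP, or is just a network or service session. The following is an added example, not code from the original post, that resolves both halves of each Win32_LoggedOnUser association and pushes the enriched rows to the custom monitor. It assumes the Monitis cmdlets used above (Get-/Add-/Update-MonitisCustomMonitor) are loaded and accept the parameters the post shows; the LogonType and StartTime monitor parameters and the function names are this example's own choices. Run it from an elevated session.

```powershell
# Added example, not code from the original post. It resolves both halves of
# each Win32_LoggedOnUser association (the account and the logon session) and
# pushes the enriched rows to the LoggedOnUsers custom monitor. It assumes the
# Monitis cmdlets used above (Get-/Add-/Update-MonitisCustomMonitor) are loaded
# and take the parameters the post shows; the LogonType and StartTime monitor
# parameters are this example's own choice. Run from an elevated session.

# Win32_LogonSession.LogonType values, per the WMI class documentation.
$logonTypeNames = @{
    0 = 'System'; 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LogonSessionReport {
    param([string]$ComputerName = '.')

    Get-WmiObject -ComputerName $ComputerName -Class Win32_LoggedOnUser |
        ForEach-Object {
            # Antecedent is the path of the Win32_Account, Dependent the path of
            # the Win32_LogonSession. The [wmi] accelerator fetches the object a
            # path names, so the path never has to be parsed by hand.
            $account = [wmi]$_.Antecedent
            $session = [wmi]$_.Dependent

            $typeName = $logonTypeNames[[int]$session.LogonType]
            if (-not $typeName) { $typeName = "Unknown($($session.LogonType))" }

            New-Object PSObject -Property @{
                Account   = $account.Caption    # DOMAIN\Name
                Sid       = $account.SID
                LogonId   = $session.LogonId
                LogonType = $typeName
                # WMI reports DMTF datetime strings; convert to a real DateTime
                StartTime = [System.Management.ManagementDateTimeConverter]::ToDateTime($session.StartTime)
            }
        } |
        Sort-Object StartTime
}

function Publish-LogonSessions {
    param(
        [string]$MonitorName = 'LoggedOnUsers',
        [string]$ComputerName = '.',
        # Network and Service sessions are constant noise on a server; by default
        # report only the logon types that put a person on the machine.
        [string[]]$LogonType = @('Interactive', 'RemoteInteractive', 'Unlock', 'CachedInteractive')
    )

    if (-not (Get-MonitisCustomMonitor -Name $MonitorName)) {
        Add-MonitisCustomMonitor -Name $MonitorName -Parameter Account, Sid, LogonType, StartTime
    }

    $rows = Get-LogonSessionReport -ComputerName $ComputerName |
        Where-Object { $LogonType -contains $_.LogonType }

    $rows | ForEach-Object {
        # Keys must match the parameters the monitor was declared with
        Update-MonitisCustomMonitor -Name $MonitorName -Value @{
            Account   = $_.Account
            Sid       = $_.Sid
            LogonType = $_.LogonType
            StartTime = $_.StartTime
        }
    }
    $rows
}

Publish-LogonSessions | Format-Table Account, LogonType, StartTime -AutoSize
```

Each Win32_LoggedOnUser row is one logon session, so the same account shows up once per session; filtering on LogonType is what keeps a busy server from flooding the monitor with type 3 (Network) entries from every SMB connection. Pass `-LogonType` with a different list (or all of them) when you do want the full picture.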

That’s it.  You now have a monitor that tracks who is logged on, and the toolkit to get the information.  Tomorrow, we’ll continue learning more deep dark secrets of WMI, as we explore how to monitor access to shared folders.

Monitor Everything with Monitis – And do it easily with PowerShell – Part 1

Monitor Everything with Monitis – And do it easily with PowerShell – Part 2

Monitor Everything with Monitis – And do it easily with PowerShell – Part 3

Monitor Everything with Monitis – And do it easily with PowerShell – Part 4

Monitor Everything with Monitis – And do it easily with PowerShell – Part 5

Monitor Everything with Monitis – And do it easily with PowerShell – Part 6

Monitor Everything with Monitis – And do it easily with PowerShell – Part 7
