logged on user

These Windows and Macintosh inspectors return information about the currently logged-on user. With the advent of Terminal Services and Fast User Switching, these inspectors are designed to iterate over all logged on users. Windows Note: If Terminal Services are available (NT/2000/2003/XP/Vista) and enabled, these inspectors iterate over the active and disconnected sessions as returned by WTSEnumerateSessions. Disconnected sessions are those where a user logs on, but is currently inactive. On Vista, the non-interactive session 0 (used for services isolation) is not included. If Terminal Services aren't available, the ACLs on the security descriptor of the "winsta0" window station are examined for user logons. On Windows 9x systems, these inspectors return the user session associated with the registry value "Current User" of "SYSTEM\CurrentControlSet\Control" if it exists. Otherwise, if a shell process process such as Explorer.exe is running, they return a single session associated with an unnamed user (which occurs when the user cancels the 9x login dialog).

Starting from BigFix Version 11.0.5, the Windows inspector has properties for retrieving information about the logon session and last logon. The logon session refers to the logon event that initiated the Windows user session, which is the first interactive logon that created the desktop environment. In contrast, the last logon refers to the most recent logon performed within that session, such as an unlock or a re-authentication. The last logon may differ from the logon session, especially if the session has been reactivated multiple times (for example, after a lock screen). Those properties are valid for Windows versions starting from Windows Vista and Windows Server 2008.

On Windows, the enumerations indicating the logon types correspond to those documented by Microsoft. For more information, see this Audit logon events article.

Creation
Properties

Parent: user

Version	Platforms
8.0.584.0	Mac, Windows
8.2.1078.0	AIX, Debian, HP-UX, Red Hat, SUSE, Solaris, Ubuntu
9.5.13.130	Raspbian

Creation

current user : logged on user

Returns the active console (local) user, if logged on, otherwise returns "Does not exist". For all users that are logged on remotely, for instance through RDP, telnet, ssh, VNC, putty and so on, this inspector returns "Does not exist".

Plural: current users

Version	Platforms
8.0.584.0	Mac, Windows
8.2.1078.0	AIX, Debian, HP-UX, Red Hat, SUSE, Solaris, Ubuntu
9.5.13.130	Raspbian

permalink source

logged on user : logged on user

Returns zero or more users logged on to this computer. This inspector iterates through all logged-on users, using Fast User Switching, Terminal Services, ACLs, and on Win 9x, the registry.

Plural: logged on users

Version	Platforms
8.0.584.0	Mac, Windows
8.2.1078.0	AIX, Debian, HP-UX, Red Hat, SUSE, Solaris, Ubuntu
9.5.13.130	Raspbian

permalink source

logged on user of <user> : logged on user

Converts a user into a 'logged on' user type -- if and only if the specified user is currently logged in.

Plural: logged on users

Version	Platforms
8.1.535.0	Windows
8.2.1310.0	Mac

permalink source

Properties

active of <logged on user> : boolean

Returns True if the specified user session is active (either as a current Fast User or an active terminal services connection).

Plural: actives

Version	Platforms
8.0.584.0	Mac, Windows
8.2.1078.0	AIX, Debian, HP-UX, Red Hat, SUSE, Solaris, Ubuntu
9.5.13.130	Raspbian

permalink source

activity history of <logged on user> : activity history

Returns the activity history of the specified logged on user.

Plural: activity histories

Version	Platforms
8.0.584.0	Windows

permalink source

last logon time of <logged on user> : time

Returns the timestamp of the last logon event.

Q: last logon time of logged on user
A: Mon, 30 Jun 2025 09:43:51 +0200

Plural: last logon times

Version	Platforms
11.0.5.0	Windows

permalink source

last logon type number of <logged on user> : integer

Returns the last logon type as an integer:

2 for Interactive
7 for Unlock
10 for RemoteInteractive
11 for CachedInteractive

Q: last logon type number of logged on user
A: 7

Plural: last logon type numbers

Version	Platforms
11.0.5.0	Windows

permalink source

last logon type of <logged on user> : string

Returns the last logon type as a string. Possible values: Interactive, Unlock, RemoteInteractive or CachedInteractive.

Q: last logon type of logged on user
A: Unlock

Plural: last logon types

Version	Platforms
11.0.5.0	Windows

permalink source

logon completion time of <logged on user> : time interval

Returns the logon duration that initiated the Windows session as a time interval, with precision up to microseconds.

Q: logon completion time of logged on user
A: 00:00:00.953209

Plural: logon completion times

Version	Platforms
11.0.5.0	Windows

permalink source

logon session time of <logged on user> : time

Returns the timestamp of the logon event that started the Windows session.

Q: logon session time of logged on user
A: Wed, 25 Jun 2025 10:56:55 +0200

Plural: logon session times

Version	Platforms
11.0.5.0	Windows

permalink source

logon session type number of <logged on user> : integer

Returns the logon type that initiated the Windows session as an integer:

2 for Interactive
7 for Unlock
10 for RemoteInteractive
11 for CachedInteractive

Q: logon session type number of logged on user
A: 10

Plural: logon session type numbers

Version	Platforms
11.0.5.0	Windows

permalink source

logon session type of <logged on user> : string

Returns the logon type that initiated the Windows session as a string. Possible values: Interactive, Unlock, RemoteInteractive or CachedInteractive.

Q: logon session type of logged on user
A: RemoteInteractive

Plural: logon session types

Version	Platforms
11.0.5.0	Windows

permalink source

name of <logged on user> : string

If Terminal Services is available and enabled under NT4/2000/2003/XP/Vista, this inspector returns the result of WTSQuerySessionInformation with WTSUserName. With Terminal Services disabled, it examines the ACLs on the security descriptor of the "winsta0" window station. Under Windows 9x, returns the "Current User" of "SYSTEM\CurrentControlSet\Control" if it exists. Otherwise returns No Such Object.

Plural: names

Version	Platforms
8.0.584.0	Windows
8.2.1078.0	AIX, Debian, HP-UX, Mac, Red Hat, SUSE, Solaris, Ubuntu
9.5.13.130	Raspbian

permalink source

process id of <logged on user> : integer

Returns the process id number for the base session process for logged on users, usually the session manager.

Plural: process ids

Version	Platforms
8.2.1078.0	AIX, Debian, HP-UX, Red Hat, SUSE, Solaris, Ubuntu

permalink source

remote of <logged on user> : boolean

Returns True if the user session is a remote terminal services connection.

Plural: remotes

Version	Platforms
8.0.584.0	Mac, Windows
8.2.1078.0	AIX, Debian, HP-UX, Red Hat, SUSE, Solaris, Ubuntu
9.5.13.130	Raspbian

permalink source

session id of <logged on user> : integer

No documentation exists.

Plural: session ids

Version	Platforms
8.2.1078.0	Mac, Windows

permalink source

session id of <logged on user> : string

Returns the session id, which uniquely identifies a logged on user session. A logged-on user is a subclass of a user, and adding the session id uniquely identifies the session.

Deprecated: This property was removed in version 8.1.653.0.

Plural: session ids

Version	Platforms
8.0.584.0	Mac

permalink source

sid of <logged on user> : security identifier

Returns the Security ID (SID) of the user associated with the session's primary access token. With Windows 2003/XP/Vista, this is determined by WTSQueryUserToken. With NT4/2000 it is determined by the apparent shell process running in the given session. This inspector may fail if run in a non-privileged context. The SID does not exist under Windows 9x.

Plural: sids

Version	Platforms
8.0.584.0	Windows

permalink source

tty of <logged on user> : string

Returns the name of the connection the user is on. Result is platform specific. Examples are: "Console", "RDP-Tcp#0", "pts/1", ":0"

Plural: ttys

Version	Platforms
8.2.1078.0	AIX, Debian, HP-UX, Mac, Red Hat, SUSE, Solaris, Ubuntu, Windows
9.5.13.130	Raspbian

permalink source

user key of <logged on user> : registry key

Returns the registry key of the specified logged on user

Plural: user keys

Version	Platforms
9.0.586.0	Windows

permalink source

user of <logged on user> : user

Returns a user object from a 'logged on' user. This is for Active Directory expressions to bridge the gaps between user types. This retains the domain information of the logged on user within the user object where other user types might not.

Plural: users

Version	Platforms
8.1.535.0	Mac, Windows
8.2.1078.0	AIX, Debian, HP-UX, Red Hat, SUSE, Solaris, Ubuntu
9.5.13.130	Raspbian

permalink source