Reputation: 2821
I'm a PowerShell newbie and I want to create a filter to capture the login of a human user. Looking at the documentation out there, the most popular WMI query seems to be:
```
SELECT * FROM __InstanceCreationEvent WITHIN 15 WHERE TargetInstance ISA 'Win32_LogonSession' AND TargetInstance.LogonType = 2
```
This doesn't appear to work and I believe that an interactive logon should be of type 0 not 2. However, that still doesn't seem to work. Is there any filter you guys & gals know of that works?
Upvotes: 2
Views: 2384
Reputation: 624
Based on Microsoft's documentation just as you stated, interactive logon appears to be the value of 2.
With PowerShell you could query using something like the following:
If you are unsure of what version you have, run `$PSVersionTable.PSVersion` and look at the Major version.
PowerShell Version 2 or Below

```powershell
Get-WmiObject -Class 'Win32_LogonSession' | Where {$_.LogonType -eq '2'}
```

PowerShell Version 3 or Above

```powershell
Get-CimInstance -ClassName 'Win32_LogonSession' | Where {$_.LogonType -eq '2'}
```
Based on Microsoft's documentation you could query by any of these:
2 = Interactive
3 = Network
4 = Batch
5 = Service
6 = Proxy
7 = Unlock
8 = NetworkClearText
9 = NewCredentials
10 = RemoteInteractive
11 = CachedInteractive
12 = CachedRemoteInteractive
13 = CachedUnlock
If you wanted to query for multiple logon types you could change the where statement to something like:
```powershell
Where {$_.LogonType -in ('2','10','11','12')}
```
Hope this helps.
Upvotes: 3
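
An added example, not part of the original question or answer: the question's event query combined with the answer's logon-type list, registered as a temporary subscription that resolves each new session to an account for logon monitoring. It assumes PowerShell 3 or above and an elevated session; the `LogonWatch` identifier and the variable names are made up for illustration.

```powershell
# Added example (not from the original posts). Assumes PowerShell 3+ and an
# elevated session. 'LogonWatch' and all variable names are illustrative.

# Logon types to watch, taken from the list in the answer above.
$logonTypes = 2, 10, 11, 12

# Build "TargetInstance.LogonType = 2 OR TargetInstance.LogonType = 10 ..."
$typeClause = ($logonTypes | ForEach-Object { "TargetInstance.LogonType = $_" }) -join ' OR '

# WITHIN 15 polls every 15 seconds, so a session that is created and removed
# between two polls is not reported.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 15 " +
         "WHERE TargetInstance ISA 'Win32_LogonSession' AND ($typeClause)"

$action = {
    # The event carries the new Win32_LogonSession as an embedded instance.
    $session = $Event.SourceEventArgs.NewEvent.TargetInstance

    # Re-query the session by its key (LogonId) to get a live instance, then
    # follow the Win32_LoggedOnUser association to the owning account.
    $who  = '<unresolved>'
    $live = Get-CimInstance -ClassName Win32_LogonSession `
                -Filter "LogonId = '$($session.LogonId)'"
    if ($live) {
        $account = $live |
            Get-CimAssociatedInstance -Association Win32_LoggedOnUser |
            Select-Object -First 1
        if ($account) { $who = "$($account.Domain)\$($account.Name)" }
    }

    Write-Host ("{0:u}  LogonType={1}  LogonId={2}  User={3}" -f `
        (Get-Date), $session.LogonType, $session.LogonId, $who)
}

# Session-scoped subscription: it ends when this PowerShell session exits.
Register-CimIndicationEvent -Namespace 'root\cimv2' -Query $query `
    -SourceIdentifier 'LogonWatch' -Action $action | Out-Null

# To stop watching:
# Unregister-Event -SourceIdentifier 'LogonWatch'
```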