Franck

Reputation: 4440

Retrieving the actual user account that started a process

I am trying to retrieve the user account under which a process has been started. So far I have not found any answers that retrieve the good information. All of them return the string of the username, which is not the account. I have tried WMI and Diagnostics, all with the same results, which are half correct.

Let's say I start notepad twice.

Then use either WMI or Diagnostics and both return username "Franck" and I have no way to know if it's running under the local user or the domain one.

One way could be to use Diagnostics

var procs = Process.GetProcessesByName("Notepad").ToList();
var notepad1 = procs[0].StartInfo.Environment["Username"];
var notepad2 = procs[1].StartInfo.Environment["Username"];

Both return Franck but one is the domain account and the other is the local.

Upvotes: 3

Views: 112

Answers (2)

Subbu

Reputation: 2205

tasklist /v gives the relevant info that you are interested in, i.e., the user name with the domain name.

The official documentation does not show any sample outputs.

tasklist

Displays a list of currently running processes on the local computer or on a remote computer.

/v Displays verbose task information in the output.

You can use it together with the /fo csv option to get the result and parse it.

This answer from SuperUser has screenshots showing the output.

You can run this command as a separate process from your application similar to this, but passing the other parameters.

Upvotes: 1
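An added example, not part of the answer above, of running tasklist /v /fo csv from a C# application and reading the "User Name" column, which holds DOMAIN\user or MACHINE\user. The class and method names are hypothetical, and the column order assumed is the one tasklist prints in verbose mode.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text;

static class ProcessOwners   // hypothetical helper, not from the original answer
{
    // Split one `tasklist /fo csv` line. Every field is double-quoted and some
    // (for example "Mem Usage": "12,345 K") contain commas inside the quotes.
    static List<string> SplitCsvLine(string line)
    {
        var fields = new List<string>();
        var current = new StringBuilder();
        bool inQuotes = false;
        foreach (char c in line)
        {
            if (c == '"') inQuotes = !inQuotes;
            else if (c == ',' && !inQuotes) { fields.Add(current.ToString()); current.Clear(); }
            else current.Append(c);
        }
        fields.Add(current.ToString());
        return fields;
    }
    // Returns PID -> qualified account name as reported by tasklist.
    public static Dictionary<int, string> GetOwners(string imageName)
    {
        // The name is placed inside a quoted filter, so refuse embedded quotes.
        if (imageName.Contains("\"")) throw new ArgumentException("quote in image name");
        // Full path to the system copy, so a tasklist.exe elsewhere is never picked up.
        var exe = System.IO.Path.Combine(Environment.SystemDirectory, "tasklist.exe");
        var psi = new ProcessStartInfo(exe, $"/v /nh /fo csv /fi \"IMAGENAME eq {imageName}\"")
        { RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true };
        var owners = new Dictionary<int, string>();
        using (var p = Process.Start(psi))
        {
            string line;
            while ((line = p.StandardOutput.ReadLine()) != null)
            {
                var f = SplitCsvLine(line);
                // Verbose column order: Image Name, PID, Session Name, Session#,
                // Mem Usage, Status, User Name, CPU Time, Window Title.
                if (f.Count >= 7 && int.TryParse(f[1], out int pid)) owners[pid] = f[6];
            }
            p.WaitForExit();
        }
        return owners;
    }
    static void Main()
    {
        foreach (var kv in GetOwners("notepad.exe")) Console.WriteLine($"{kv.Key}: {kv.Value}");
    }
}
```

Lines that are not process rows, such as the message tasklist prints when nothing matches the filter, are skipped by the PID check. Processes whose owner the caller is not allowed to read show N/A in the User Name column.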

Bakri Bitar

Reputation: 1697

If you want the name of the domain that contains the user's account, then you're looking for the UserDomain environment variable.

If you want to know which domain controller authenticated the client's logon request, then you're looking for the LogonServer environment variable.

var procs = Process.GetProcessesByName("Notepad");
var userDomain = procs[0].StartInfo.Environment["UserDomain"];
var logonServer = procs[0].StartInfo.Environment["LogonServer"];

Values on my Windows machine (local user):

userDomain: "LAPTOP-DDK137L8"
logonServer: "\\LAPTOP-DDK137L8"

So from this you should be able to determine if it's running under the local user or the domain one.

Upvotes: 1
