# Get-RegLoggedOn
## SYNOPSIS
Returns who is logged onto the local (or a remote) machine
through enumeration of remote registry keys.
Note: This function requires only domain user rights on the
machine you're enumerating, but the Remote Registry service must be running on that machine.
Author: Matt Kelly (@BreakersAll)
License: BSD 3-Clause
Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, ConvertFrom-SID
## SYNTAX
```
Get-RegLoggedOn [[-ComputerName] <String[]>] [-Credential <PSCredential>]
```
## DESCRIPTION
This function opens the HKEY_USERS (HKU) hive of the target host over the Remote Registry service,
reads its subkeys (one per loaded user profile, named by that user's SID), and then attempts to
resolve each SID back to a domain\user name (via ConvertFrom-SID).
The technique is adapted from Sysinternals' PsLoggedOn tool.
The benefit over the NetWkstaUserEnum API (used by Get-NetLoggedon) is that fewer privileges are
required: NetWkstaUserEnum requires administrative access to the remote host, while reading HKU
over the remote registry only requires domain user rights.
Note that a SID is present under HKU whenever that account's profile hive is loaded, so accounts
running a service or scheduled task on the host may be reported alongside interactive sessions.
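The following function is an added example of the technique described above, not PowerView's own code: it opens HKU on a host with OpenRemoteBaseKey, keeps only the subkeys that look like account SIDs (dropping the `_Classes` companion keys and well-known SIDs such as S-1-5-18), and resolves each SID with the .NET SecurityIdentifier.Translate() method instead of ConvertFrom-SID. It assumes the RemoteRegistry service is running on the target and that the caller's current account can authenticate to it; the function name Get-LoggedOnUserFromHKU, the SID filter and the output property names are choices of this example, and PowerShell 3.0 or later is assumed for the `[PSCustomObject]` syntax.

```powershell
# Added example (not PowerView's code): list logged-on users by enumerating
# HKEY_USERS over the Remote Registry service and resolving each user SID.
# Assumptions: RemoteRegistry is running on the target and the current account
# can authenticate to it (domain user rights are enough by default).
function Get-LoggedOnUserFromHKU {
    [CmdletBinding()]
    param(
        [Parameter(Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [Alias('HostName', 'dnshostname', 'name')]
        [string[]]$ComputerName = 'localhost'
    )
    process {
        foreach ($Computer in $ComputerName) {
            try {
                # HKU on the remote machine only holds hives that are currently
                # loaded, which is what makes it a proxy for "who is logged on".
                $Hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::Users, $Computer)
            }
            catch {
                # Typical causes: RemoteRegistry stopped, firewall blocking SMB/RPC,
                # or the caller's account being denied access to the remote registry.
                Write-Warning "[$Computer] cannot open remote HKU: $($_.Exception.Message)"
                continue
            }
            try {
                foreach ($Name in $Hku.GetSubKeyNames()) {
                    # Keep only account SIDs (S-1-5-21-<domain or machine>-<RID>).
                    # This skips the *_Classes keys and well-known SIDs such as
                    # S-1-5-18 (SYSTEM), S-1-5-19 (LOCAL SERVICE), S-1-5-20 (NETWORK SERVICE).
                    if ($Name -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }

                    $Domain = $null
                    $User   = $null
                    try {
                        # Resolution happens from the caller's machine/domain, so local
                        # accounts of the remote host (or a foreign domain) may not resolve.
                        $Sid     = New-Object System.Security.Principal.SecurityIdentifier($Name)
                        $Account = $Sid.Translate([System.Security.Principal.NTAccount]).Value
                        $Domain, $User = $Account -split '\\', 2
                    }
                    catch {
                        Write-Verbose "[$Computer] could not resolve $Name to an account name"
                    }

                    [PSCustomObject]@{
                        ComputerName = $Computer
                        UserDomain   = $Domain
                        UserName     = $User
                        UserSID      = $Name
                    }
                }
            }
            finally {
                $Hku.Close()
            }
        }
    }
}

# Usage (hostname is a placeholder):
#   Get-LoggedOnUserFromHKU -ComputerName sqlserver
#   Get-DomainController | Get-LoggedOnUserFromHKU
```

A practical check before running this against many hosts is whether the Remote Registry service is reachable at all, since a stopped service shows up as the same warning as an access-denied error; the function deliberately continues to the next host rather than aborting, so one unreachable machine does not stop a sweep across a pipeline of computers.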
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-RegLoggedOn
```
Returns users actively logged onto the local host.
### -------------------------- EXAMPLE 2 --------------------------
```
Get-RegLoggedOn -ComputerName sqlserver
```
Returns users actively logged onto the 'sqlserver' host.
### -------------------------- EXAMPLE 3 --------------------------
```
Get-DomainController | Get-RegLoggedOn
```
Returns users actively logged on all domain controllers.
### -------------------------- EXAMPLE 4 --------------------------
```
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-RegLoggedOn -ComputerName sqlserver -Credential $Cred
```
Returns users actively logged onto the 'sqlserver' host, authenticating to its remote registry
with the supplied alternate credentials (impersonated via Invoke-UserImpersonation).
## PARAMETERS
### -ComputerName
Specifies the hostname to query for remote registry values (also accepts IP addresses).
Defaults to 'localhost'.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases: HostName, dnshostname, name
Required: False
Position: 1
Default value: Localhost
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -Credential
A [Management.Automation.PSCredential] object of alternate credentials used to connect to the
remote registry of the target host (impersonated via Invoke-UserImpersonation for the duration
of the query, then reverted with Invoke-RevertToSelf).
```yaml
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerView.RegLoggedOnUser
A PSCustomObject including the UserDomain/UserName/UserSID of each
actively logged on user, with the ComputerName added.
## NOTES
## RELATED LINKS