I am running the following WMI query against a remote computer, in the security context of a user who is not an administrator on the remote computer.
select * from Win32_LogonSession where LogonType = 2
The query does not return any instances of Win32_LogonSession. (Note that if I run the same query as an administrative, I get back the currently logged on user, which is my goal.)
I have followed instructions on Technet to enable remote WMI / DCOM access for this user (verified by running the following query, which returns instances of Win32_LogonSession of LogonType = 3).
select * from Win32_LogonSession
Here is a full sample of the C# code I am running:
var scope = new ManagementScope("\\\\SERVER\\root\\cimv2")
{
Options =
{
Impersonation = ImpersonationLevel.Impersonate,
Password = "myPassword",
Username = "DOMAIN\\myUser"
EnablePrivileges = true,
Authentication = AuthenticationLevel.Packet
}
};
scope.Connect();
var query = new ObjectQuery("select * from Win32_LogonSession where LogonType = 2");
using (var searcher = new ManagementObjectSearcher(scope, query))
{
var managementObjects = searcher.Get();
// managementObjects is empty!
}
Why would this user only receive certain instances of Win32_LogonSession (LogonType = 3 - Network) but not others (e.g., LogonType = 2 - Interactive), even if the user has sufficient access to query WMI remotely?
Some additional information: According to this article on The Code Project, only the LocalSystem account has sufficient access to query all logon sessions:
Enumerating Logon Sessions on The Code Project
This doesn't seem to be completely true since being a member of the local Administrators group seems to be sufficient. But maybe this implies there is an undocumented restriction preventing one from granting permissions on the WMI objects without also giving full administrative rights?