PowerShell – Return Current User – System Account

email me

This will return the current user, even from the system account security content. Highly useful, if you’re trying to apply settings, configs, or run processes from the security context of the current user, but initially starting from the system account, like when using desktop management systems like SCCM or Intune.

 

Code.ps1

 

# MrNetTek
# eddiejackson.net
# 12/19/2023
# free for public use
# free to claim as your own

$qwinstaOutput = & qwinsta

$currentUserName = $null

foreach ($line in $qwinstaOutput) {
    if ($line -match '^>\s*\S+\s+(\S+)') {
        $currentUserName = $matches[1]
        break
    }
}

Write-Host "Currently Logged-in User: $currentUserName"


 
 

 

From the Console

PS C:\WINDOWS\system32> whoami
nt authority\system
PS C:\WINDOWS\system32> $qwinstaOutput = & qwinsta
>>
>> $currentUserName = $null
>>
>> foreach ($line in $qwinstaOutput) {
>>     if ($line -match '^>\s*\S+\s+(\S+)') {
>>         $currentUserName = $matches[1]
>>         break
>>     }
>> }
>>
>> Write-Host "Currently Logged-in User: $currentUserName"
Currently Logged-in User: Demo99
PS C:\WINDOWS\system32>

 

Notes

Other methods tested by me for user name and user SID:

 

Code.ps1

 

# MrNetTek 
# eddiejackson.net 
# 12/19/2023 
# free for public use 
# free to claim as your own

# LOGGED IN USER
$users = (quser | ForEach-Object {
	$username = ($_ -split '\s+')[0]
	$username = $username -replace ">", "" -replace '^\s+', ''
} | Where-Object { $_ -match '^[0-9]*' })
 
# Initialize a flag to indicate if the logged-in user has an explorer.exe process
$explorerUsed = $false
 
# USER EXPLORER.EXE PROCESS
# Secondary Validation Routine
# Check if the user has an explorer.exe process
$explorerProcesses = Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE Name='explorer.exe'"
foreach ($process in $explorerProcesses) {
	$owner = $process.GetOwner()
	if ($owner.User -eq $username) {
    	$explorerUsed = $true
    	break
	}
}
 
if ($explorerUsed) {
	$result = $true
} else {
	$result = $false
}
 
 
# USER SID 1
# Registry path for user profiles (local)
$profilePath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
 
# Get the list of user SIDs in the registry
$userSIDs = Get-ChildItem $profilePath | ForEach-Object { $_.PSChildName }
 
# Find the user SID that matches the specified username
$userSID = $userSIDs | Where-Object { (Get-ItemProperty -Path (Join-Path $profilePath $_)).ProfileImagePath -match "\\$username$" }

# USER SID 2
$key1 = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)
$subKey1 = $key1.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI")
$SID = $subKey1.GetValue("LastLoggedOnUserSID")
 
 
# RETURN SESSION INFO
 
# CURRENT USER SECURITY CONTEXT
Write-Host "Security context:" (whoami) 
 
# LOGGED IN USER
if ($username) {Write-Host "Logged in user: '$username'"} 
 
# EXPLORER PROCESS OWNER FOR LOGGED IN USER
Write-Host "User $username has explorer.exe process: $result"
 
# LOGGED IN USER SID
if ($userSID) {Write-Host "User SID: $userSID"}