Windows – Monitor the IIS logon Sessions and more …

I find it very hard to monitor who is logged on to which session in Windows.

In the Event Viewer, these are the possible logon types:

 

| Logon Type | Description |
|---|---|
| 2 | Interactive (logon at keyboard and screen of system). Windows 2000 records Terminal Services logon as this type rather than Type 10. |
| 3 | Network (i.e. connection to shared folder on this computer from elsewhere on network or IIS logon – Never logged by 528 on W2k and forward. See event 540) |
| 4 | Batch (i.e. scheduled task) |
| 5 | Service (Service startup) |
| 6 | Unlock (i.e. unattended workstation with password protected screen saver) |
| 7 | NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with “basic authentication”) See this article for more information. |
| 8 | NewCredentials |
| 10 | RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance) |
| 11 | CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network) |

It is even more difficult to monitor this for IIS using SharePoint.

The solution comes from the well-known Microsoft Sysinternals team.

http://technet.microsoft.com/en-us/sysinternals/bb896769

They created the tool LogonSessions.exe. Run it with the -p option to also list the processes running in each logon session.


Redirecting the output to a log file with > “C:\Temp\LogonSessions.log” gives you the data for later processing.

Or use PowerShell:

CLS

# Path to the Sysinternals LogonSessions executable
$Cmd = "C:\Apps\MS SysInternal\logonsessions.exe"

# Run the tool and capture its output (stdout and stderr) as an array of lines
$cmdOutput = & $Cmd 2>&1

# echo "--------"
# echo $cmdOutput
# $cmdOutput | Tee-Object -Variable scriptOutput | % { "processing Output : $_ " }
# echo "--------"
echo ""
echo "Number of Objects $($cmdOutput.Count) Too many let's filter :)"
echo ""

# Keep only the UPN lines, drop the administrator, farm and server accounts,
# then sort and de-duplicate what is left
$cmdOutput | Tee-Object -Variable scriptOutput |
    Where-Object { $_ -like '*UPN*' `
        -and $_ -notlike "*Administrator*" `
        -and $_ -notlike "*spFarm*" `
        -and $_ -notlike "*SRV*" } |
    Sort-Object -Descending | Get-Unique

The output gives you only the remote users' login accounts (UPN).
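The line filter above discards the context around each UPN (logon type, logon time, authentication package). As an added example, not part of the original post, the function below parses the tool's text into one object per logon session so those fields can be filtered together. The function name, the sample data and the exact field labels are assumptions based on the tool's usual output layout.

```powershell
# Added example: turn logonsessions.exe text into one object per logon session.
# The sample below is constructed; the field labels are assumed to match the tool's layout.
$sample = @'
[0] Logon session 00000000:000003e7:
    User name:    CONTOSO\SRV01$
    Auth package: Negotiate
    Logon type:   (none)
    Session:      0
    Logon time:   01/02/2013 08:00:00
    UPN:
[1] Logon session 00000000:0a1b2c3d:
    User name:    CONTOSO\jdoe
    Auth package: Kerberos
    Logon type:   Network
    Session:      0
    Logon time:   01/02/2013 09:15:42
    UPN:          jdoe@contoso.example
'@ -split "`r?`n"

# Hypothetical helper: collects the "Label: value" lines under each session header.
function ConvertFrom-LogonSessions {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin { $current = $null }
    process {
        if ($Line -match '^\[\d+\]\s+Logon session\s+([0-9a-fA-F:]+?):\s*$') {
            if ($current) { [pscustomobject]$current }   # emit the finished block
            $current = [ordered]@{ LogonId = $Matches[1] }
        }
        elseif ($current -and $Line -match '^\s+([A-Za-z ]+?):\s*(.*)$') {
            # "Logon type:   Network" becomes property Logontype = "Network".
            # Process lines printed by -p start with a PID, so they do not match.
            $current[($Matches[1] -replace ' ', '')] = $Matches[2].Trim()
        }
    }
    end { if ($current) { [pscustomobject]$current } }
}

# Replace $sample with $cmdOutput from the script above to run on live data.
$sample | ConvertFrom-LogonSessions |
    Where-Object { $_.UPN -and $_.Logontype -eq 'Network' } |
    Sort-Object UPN -Unique |
    Select-Object UPN, Username, Authpackage, Logontime
```

On the constructed sample this returns a single row for jdoe@contoso.example; the machine account session is dropped because its UPN is empty.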

Enjoy!
