
Windows Batch - Get name of currently logged-in user

Server Fault Asked by DefToneR on December 30, 2021

As a small mitigation, on a large network, for the exploit of replacing utilman.exe from Windows repair with cmd.exe and then changing a user's password, I'm writing a small script based on the EventSentry tool that detects that utilman.exe has been changed, and I can attach an action to it.
But this detection will take place after the attacker has already logged in to the local computer.
So I'm writing a script that changes the access rights, blocking delete and rename of utilman.exe, and I want to add a password change for the currently logged-in user and then log off.

This is what I have so far:

 @ECHO off
 takeown /f c:\windows\system32\utilman.exe
 icacls c:\windows\system32\utilman.exe /deny *S-1-1-0:(DE,WD,AD,RX)
 net user [NeedToGetLogedUser] 123456
 shutdown -L

The action that I attach will execute this script under another user (not the user who is actually logged in). So I need to get the user currently logged in to the computer instead of the user that this script runs under.

I was thinking of:

C:\Users\MyUser>query user
USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>MyUser              console             1  Active      none   7/9/2020 6:27 PM

But I can't figure out how to parse the result to get just "MyUser" alone (using findstr) so I can use it with the net user command.

5 Answers

..and for the hat trick - the same as the above using VBScript

Set wshShell = WScript.CreateObject("WScript.Shell")

' Get the username (the part after the backslash in DOMAIN\user)
strUsername = Get_LoggedOnUserName()

' Set localappdata variable and then echo it out
Dim localappdata
localappdata = "C:\users\" & strUsername & "\appdata\local"
wscript.echo localappdata

Function Get_LoggedOnUserName
  Dim arrParts
  strComputer = "."
  Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
  ' Win32_ComputerSystem.UserName is the interactive (console) user as DOMAIN\user,
  ' whichever account this script itself runs under
  Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem",,48)

  For Each objItem in colItems
    arrParts = Split(objItem.UserName, "\", -1, 1)

    Get_LoggedOnUserName = arrParts(1)
  Next

End Function

Answered by Phil Lawson on December 30, 2021

Same as below using Powershell

# get the Session ID of this process - the same as that of the user
$sessionId = Get-Process -id $pid | select-object -expand SessionId

# get the output of 'query.exe user' for that session ID
$quOutput = query.exe user $sessionId

# parse the output of query.exe to get the user ID only
# (row 0 is the header; the row for the current session starts with '>')
$userId = $quOutput[1] -replace '^>?(\S+)\s+.*$','$1'

# set localappdata path
$localappdata = "C:\users\${userId}\appdata\local"

Answered by Phil Lawson on December 30, 2021

If you want to split the username and domain and then use them to set a localappdata path for the user, here's how to do it:

:: Get current session user's Domain and username (DOMAIN\user)
:: wmic /value output ends each line with an extra CR; the inner for /F strips it
for /F "tokens=2 delims==" %%f in ('wmic computersystem get username /value ^| find "="') do for /F "delims=" %%g in ("%%f") do set "ConsoleUser=%%g"
:: Split and set variables for current session user's Domain and username
FOR /f "tokens=1 delims=\" %%a IN ("%ConsoleUser%") do set "domain=%%a"
FOR /f "tokens=2 delims=\" %%b IN ("%ConsoleUser%") do set "user=%%b"
:: Echo username and domain
echo %domain%
echo %user%
:: Set variable localappdata path and echo
set "localappdata=C:\users\%user%\AppData\Local"
echo %localappdata%

Answered by Phil Lawson on December 30, 2021

Thanks for all the replies. They helped me find the solution. I ended up with this script, which works perfectly for what I need :)

@ECHO off
set ConsoleUser=None
:: Take ownership and deny Everyone (S-1-1-0) delete, write, append and execute on utilman.exe
takeown /f c:\windows\system32\utilman.exe
icacls c:\windows\system32\utilman.exe /deny *S-1-1-0:(DE,WD,AD,RX)
:: The active session's row in 'query user' starts with '>'; its first token is '>USERNAME'
for /F "tokens=1" %%f in ('query user ^| find ">"') do set "ConsoleUser=%%f"
:: Strip the leading '>' and reset that user's password
net user %ConsoleUser:~1% 123456
:: Log off (shutdown /l ends the session the script itself runs in)
shutdown -L

This script will limit the execution, deletion and renaming of utilman.exe, reset the password of the user that is logged in, and then log the user off. So the attacker can't modify utilman.exe again or execute it, and the password of the user has been changed.

Thanks again!

Answered by DefToneR on December 30, 2021
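The accepted answer keys on the `>` marker that `query user` puts in front of the row for the session the command itself runs in. The following is an added example, not code from the original post or from any answer above: it parses the same `query user` output but selects the row by STATE and SESSIONNAME, so it does not depend on which account or session the script runs in, and it copes with disconnected rows whose SESSIONNAME column is blank (which shifts the ID one column to the left). The sample output is constructed for the example; `net user`, `logoff <sessionid>` and `query.exe` are the standard Windows commands. Running it requires administrative rights only if you actually execute the two commands it builds; as written it only prints them.

```powershell
# Added example (not from the original post). Assumes it runs on Windows with
# query.exe, net.exe and logoff.exe on the path, as any admin shell has.

function Get-ActiveConsoleUser {
    param(
        # Lines as returned by 'query user'; defaults to running it now
        [string[]]$QueryOutput = (& query.exe user 2>$null)
    )
    # Row 0 is the header. The '>' marker only flags the caller's own session,
    # which tells us nothing when the script runs as another account, so strip
    # it and select on the STATE and SESSIONNAME columns instead.
    foreach ($line in ($QueryOutput | Select-Object -Skip 1)) {
        $t = ($line.Trim() -replace '^>', '') -split '\s+'
        if ($t.Count -lt 3) { continue }
        # A disconnected session has no SESSIONNAME, so column 1 is already the ID
        if ($t[1] -match '^\d+$') {
            $name = ''; $id = $t[1]; $state = $t[2]
        } else {
            $name = $t[1]; $id = $t[2]; $state = $t[3]
        }
        $row = [pscustomobject]@{
            UserName    = $t[0]
            SessionName = $name
            SessionId   = [int]$id
            State       = $state
        }
        if ($row.State -eq 'Active' -and $row.SessionName -eq 'console') { return $row }
    }
    return $null
}

function New-RandomPassword {
    param([int]$Length = 20)
    # CSPRNG bytes encoded as base64 and cut to length; avoids the fixed
    # '123456' from the question, which any attacker could simply reuse
    $bytes = New-Object byte[] (3 * $Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ([Convert]::ToBase64String($bytes)).Substring(0, $Length)
}

# Constructed sample of 'query user' output (not captured from a real host):
# one disconnected session without a SESSIONNAME, the active console user,
# and an active RDP session that must not be picked.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    ' svc_backup                                2  Disc        1:05  7/9/2020 5:00 PM'
    '>MyUser                console             1  Active      none  7/9/2020 6:27 PM'
    ' admin                 rdp-tcp#3           3  Active        .   7/9/2020 7:10 PM'
)

$target = Get-ActiveConsoleUser -QueryOutput $sample
if ($null -eq $target) {
    Write-Warning 'No active console session found'
} else {
    $newPassword = New-RandomPassword
    # net user takes the bare SAM account name (local accounts only; a domain
    # account needs /domain or the AD cmdlets). logoff <id> ends that session
    # itself, whereas 'shutdown /l' only ends the session the script runs in.
    "net user $($target.UserName) $newPassword"
    "logoff $($target.SessionId)"
}
```

With the constructed sample the script prints `net user MyUser <random>` and `logoff 1`; session 3 is skipped because its SESSIONNAME is not `console`, and session 2 is skipped because it is disconnected. To act on a live machine, replace the two output strings with `& net user ...` and `& logoff ...` and run the script with administrative rights.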

for /F "tokens=2 delims==" %f in ('wmic computersystem get username /value ^| find "="') do set "ConsoleUser=%f"

Output:

>set "ConsoleUser=COMPUTERORDOMAINNAME\username"

When run in a batch file, replace % with %%

for /F "tokens=2 delims==" %%f in ('wmic computersystem get username /value ^| find "="') do set "ConsoleUser=%%f"
echo %ConsoleUser%

Answered by Greg Askew on December 30, 2021
