Home / server / Questions / 1026581
In Process
DefToneR
Asked: 2020-07-25 05:07:09 +0800 CST

Windows Batch - Get name of currently logged-in user

  • 772

In a sort of small mitigation for a large network for the exploit of replacing utilman.exe on windows repair, by cmd.exe, then changing user password, I'm doing a small script based on EventSentry tool that will detect that utilman.exe is changed and I can attach an action to it. But this detect will take place after the attacker already logged in to the local computer. So, I'm doing a script that will change access rights, and blocking delete and rename of utilman.exe and I want to add the password change for the current logged user and then log off.

This is what I have so far:

 @ECHO off
 takeown /f c:\windows\system32\utilman.exe
 icacls c:\windows\system32\utilman.exe /deny *S-1-1-0:(DE,WD,AD,RX)
 net user [NeedToGetLogedUser] 123456
 shutdown -L

The action that I attach will execute this script under another user (not the actual logged user). So I need to get the actual current user logged to the computer instead of the user that this script will run under.

I was thinking of:

C:\Users\MyUser>query user
USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>MyUser              console             1  Active      none   7/9/2020 6:27 PM

But I can't figure out how to parse the result just to get "MyUser" alone (using findstr) to use it with the net user command.

windows batch findstr

5 Answers

  1. for /F "tokens=2 delims==" %f in ('wmic computersystem get username /value ^| find "="') do set "ConsoleUser=%f"

    Output:

    " \>set "ConsoleUser=COMPUTERORDOMAINNAME\username

    When run in a batch file, replace % with %%

    for /F "tokens=2 delims==" %%f in ('wmic computersystem get username /value ^| find "="') do set "ConsoleUser=%%f"
    echo %ConsoleUser%

    • 4

  2. Thanks for all replies. It helped me to find the solution. I ended up doing this script that works perfect for what I need :)

    @ECHO off
set ConsoleUser=None
takeown /f c:\windows\system32\utilman.exe
icacls c:\windows\system32\utilman.exe /deny *S-1-1-0:(DE,WD,AD,RX)
for /F "tokens=1" %%f in ('query user ^| find ">"') do set "ConsoleUser=%%f"
net user %ConsoleUser:~1% 123456
shutdown -L

    This script will limit the execution, deletion and rename of utilman.exe, will reset the password of the user that is logged in and then log the user off. So attacker cant modify utilman.exe again or execute it, and password of the user was changed.

    Thanks again!

    • 2

  3. If you want to split the username and domain and then use it to set a localappdata path for the user here's how to do it

    :: Get current session user's Domain and username
for /F "tokens=2 delims==" %%f in ('wmic computersystem get username /value ^| find "="') do set "ConsoleUser=%%f"
:: Split and set variables for current session user's Domain and username
FOR /f "tokens=1 delims=\" %%a IN ("%ConsoleUser%") do set "domain=%%a"
FOR /f "tokens=2 delims=\" %%b IN ("%ConsoleUser%") do set "user=%%b"
:: Echo username and domain
echo %domain%
echo %user%
:: Set variable localappdata path and echo
set localappdata "C:\users\%user%\AppData\Local"
echo %localappdata%
    • 0

  4. Same as below using Powershell

    # get the Session ID of this process - the same as that of the user
$sessionId = Get-Process -id $pid | select-object -expand SessionId

# get the output of 'query.exe user' for that session ID
$quOutput = query.exe user $sessionId

# parse the output of query.exe to get the user ID only
$userId = $quOutput[1] -replace '^>([^\s]+)+.*$','$1'

# set localappdata path
$localappdata = "C:\users\${userid}\appdata\local"
    • 0

  5. ..and for the hat trick - the same at the above using vbscript

    Set wshShell = WScript.CreateObject("WScript.Shell")
 
' Get the username 
strUsername = Get_LoggedOnUserName()
 
' Set localappdata variable and then echo it out
 Dim localappdata 
localappdata = "C:\users\" & strUsername & "\appdata\local"
wscript.echo localappdata

Function Get_LoggedOnUserName
  Dim Array
  strComputer = "." 
  Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2") 
  Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem",,48) 
 
  For Each objItem in colItems 
    Array = Split(objItem.UserName, "\", -1, 1)  
 
    Get_LoggedOnUserName = Array(1)
  Next 
 
End Function
    • 0