PowerShellMafia / PowerSploit

PowerSploit - A PowerShell Post-Exploitation Framework

What's the difference between enumerating logged on users vs sessions? #221

Status: Closed (seanthegeek closed this issue 7 years ago)

seanthegeek commented 7 years ago

I'm reading over PowerView.ps1, and I'm wondering: what's the difference between sessions and logged on users? Get-NetLoggedon (which uses the NetWkstaUserEnum Win32 API call, and requires local admin rights) always seems to return more results than Get-NetSession (which uses the NetSessionEnum Win32 API call). That's the opposite of what I would expect.

HarmJ0y commented 7 years ago

Not sure why you would expect less information from NetWkstaUserEnum() vs NetSessionEnum(), but that's just how the API calls work. You are correct in stating that NetWkstaUserEnum() requires admin privs (at least on modern OSs), so I am not surprised that more information is returned from an elevated context. As I'm just wrapping these Win32 API calls, I'm not able to control their behavior on remote systems nor the information they return :) For that you'll need to open an issue with Microsoft ;)