Logoff (session id of logged in user)

Hi all,

I’m working on a script action that will logoff any currently-active user sessions.

Right now, I’m using appendfile to build lines with “logoff (session id of current user)”, and then I copy that to c:\windows\temp\my.bat. If I run the batch file manually in the command prompt (as administrator), it works wonderfully.

However, when the BigFix agent runs the file, the logout doesn’t happen.

Does the agent’s status under the System account mean it can’t issue the logoff command to other sessions?

-Andrew

The documentation does suggest that the LOCAL SYSTEM account can’t do this.

Specifically it states: You cannot log off a user from the console session ( http://technet.microsoft.com/en-us/library/cc731280.aspx )

But as you are trying to do this to a logged on user you could just run it as them (override wait, runas=currentuser, wait).

And as you are doing that you just need to do a “wait logoff” and add anything optional to force the logoff and not build a script. You should protect the action though with an “exists current user” relevance of course.

Additionally, it’s worth noting that “current user” only returns the person on the console of the endpoint. “logged on users” also will give you remote people or those not actually on the “console”.

Oooh, interesting. So I’d use “exists current user”/“wait logoff” for the console users, and “logoff (session id of logged in user)” for remote users (as on a terminal server).

Thanks!

Not quite.

exists current user

would be in the targeting relevance of the fixlet

The action body would be:

override wait
   runas=currentuser
wait logoff

This works as the “current user” (the one on the console) will be the one running the logoff command. The other users (remotes) you can’t force off with the LOCAL SYSTEM account due to the OS restriction.

Hi AlanM

I’m struggling with this problem too, but I don’t quite understand it.
Let’s say I have user X that is logged on on the device.
I’m user Y managing the console.

If I use

override wait
   runas=currentuser
wait logoff

Will it run with user X or does user Y need to be logged on to do this?

Thanks for your reply.

Greetings

It turns out this is a bit more complex than it appears

runas=currentuser

Will run as the current user permissions wise, but in a separate console.

We call CreateProcessAsUser ( https://msdn.microsoft.com/en-us/library/windows/desktop/ms682429(v=vs.85).aspx ) to create the process using the flag CREATE_NEW_CONSOLE so it does not inherit the same console as the user. So when you instruct this console to log off, it happily does. It just doesn’t log off the user on the other console.

So that suggests the only way to actually do this would be:

override wait
   runas=currentuser
wait logoff {session id of current user}

Thanks for your response AlanM, appreciate it. But I keep on struggling…

My actionscript:

The result:

This is the logfile of the device:

At 08:12:41 +0100 - 
   GatherHashMV command received.
At 08:12:42 +0100 - mailboxsite (http://x.be:52311/cgi-bin/bfgather.exe/mailboxsite15943651)
   Downloaded 'http://x.be:52311/mailbox/files/b6/a4/b6a4b08375bb09b80d221d005b4f474f2193a5cb' as 'Action 59940.fxf'
   Gather::SyncSiteByFile adding files - count: 1
At 08:12:42 +0100 - 
   Successful Synchronization with site 'mailboxsite' (version 28) - 'http://x.be:52311/cgi-bin/bfgather.exe/mailboxsite15943651'
   Processing action site.
At 08:12:43 +0100 - mailboxsite (http://x.be:52311/cgi-bin/bfgather.exe/mailboxsite15943651)
   Relevant - Test - log off (fixlet:59940)
At 08:12:43 +0100 - 
   ActionLogMessage: (action:59940) Action signature verified for Execution
   ActionLogMessage: (action:59940) starting action
At 08:12:44 +0100 - actionsite (http://x.be:52311/cgi-bin/bfgather.exe/actionsite)
   Command succeeded override wait (action:59940)
   Command succeeded override runas=currentuser (action:59940)
   Command started - wait logoff 6 (action:59940)
At 08:13:31 +0100 - 
   Report posted successfully
At 08:13:31 +0100 - actionsite (http://x.be:52311/cgi-bin/bfgather.exe/actionsite)
   Command failed (Thread execution failed (2)) wait logoff 6 (action:59940)
At 08:13:31 +0100 - 
   ActionLogMessage: (action:59940) ending action
At 08:13:31 +0100 - mailboxsite (http://x.be:52311/cgi-bin/bfgather.exe/mailboxsite15943651)
   Not Relevant - Test - log off (fixlet:59940)
At 08:15:15 +0100 - 
   Report posted successfully
At 08:17:50 +0100 - 
   Report posted successfully

When I search the error message:

C:\Users\x>net helpmsg 2

The system cannot find the file specified.

But I don’t download a file…?

Thanks for helping me out!

This error message is referring to the logoff command itself. It can’t find logoff in the PATH so it can’t execute it.

My guess is that you need to disable WoW64 redirection for this to work.

How do you disable this?

You use this actionscript:

// Disable wow64 redirection on x64 OSes
action uses wow64 redirection {not x64 of operating system}

This will disable it on 64bit systems, but do nothing on 32bit systems.

This is from this example: https://bigfix.me/fixlet/details/3860

Two things here.

First, in retrospect you don’t need to run as current user as this is telling a specific session to log off so you can just “wait” it.

Second, I’m wondering if logoff is a shell command, so maybe using

dos logoff {session id of current user}

would really be the trick, or using a wait but invoking it with a command shell

This seems to work, thanks! I’ll test it a few more times.

Based upon @AlanM’s post, try this:

// Disable wow64 redirection on x64 OSes
action uses wow64 redirection {not x64 of operating system}

// log off the current user
waithidden logoff {session id of current user}

or for a command that requires running through dos:

// Disable wow64 redirection on x64 OSes
action uses wow64 redirection {not x64 of operating system}

// log off the current user
waithidden cmd /c logoff {session id of current user}

It is possible that many of these options work.

Holy thread resurrection Batman!

Having completely forgotten this thread, or that I’d tried it before, today I set about trying to do the same thing. After trying a few things I searched the forum and found this thread.

For what it’s worth, this works perfectly for logging off all logged on users:

action uses wow64 redirection {not x64 of operating system}

delete __appendfile
delete c:\windows\temp\userslogout.bat

appendfile { concatenation "%0d%0a" of ("logoff " & it) of (session ids of logged on users as string) }
copy __appendfile c:\windows\temp\userslogout.bat
waithidden cmd.exe /C c:\windows\temp\userslogout.bat

delete c:\windows\temp\userslogout.bat

Minor note: I’d write the relevance like this:

concatenation "%0d%0a" of ("logoff " & it) of (it as string) of session ids of logged on users

This shouldn’t work if more than one user is logged in: (session ids of logged on users as string)

Also, I think you can do it in a single command without creating the file first using this:

("FOR %25%25G IN (" & it & ") DO logoff %25%25G") of concatenations "," of (it as string) of session ids of logged on users
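
Added example (not part of any post in this thread, and not BigFix code): a PowerShell script covering the two points the thread arrives at, reaching the real System32 from a 32-bit process on 64-bit Windows and logging off every session by ID. It assumes English `quser` output; the function names and the sample user names are hypothetical.

```powershell
# Added example, not from the thread. Function names are hypothetical.

function Get-NativeSystem32 {
    # A 32-bit process on 64-bit Windows has PROCESSOR_ARCHITEW6432 set and is
    # redirected to SysWOW64 when it opens System32; Sysnative reaches the real folder.
    if ($env:PROCESSOR_ARCHITEW6432) { Join-Path $env:windir 'Sysnative' }
    else { Join-Path $env:windir 'System32' }
}

function Get-SessionId {
    param([string[]]$QuserLines)
    foreach ($line in ($QuserLines | Select-Object -Skip 1)) {   # skip the header row
        # SESSIONNAME is blank for disconnected sessions, so splitting on
        # whitespace misreads those rows. Anchor on the number directly before
        # the STATE column instead. Assumption: English state names.
        if ($line -match '\s(\d+)\s+(Active|Disc)\b') { [int]$Matches[1] }
    }
}

function Invoke-LogoffAllSessions {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $sys32 = Get-NativeSystem32
    # quser.exe and logoff.exe are not present in SysWOW64, which is why a
    # redirected 32-bit process fails with error 2 (file not found).
    $lines = & (Join-Path $sys32 'quser.exe') 2>$null
    foreach ($id in Get-SessionId $lines) {
        if ($PSCmdlet.ShouldProcess("session $id", 'logoff')) {
            & (Join-Path $sys32 'logoff.exe') $id
        }
    }
}

# Constructed quser output (made-up users) to exercise the parser offline.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    '>alice                 console             1  Active      none   1/12/2015 8:01 AM'
    ' bob                                       6  Disc        1:12   1/12/2015 7:45 AM'
    ' carol                 rdp-tcp#3           7  Active         5   1/12/2015 8:10 AM'
)
Get-SessionId $sample

# Dry run: lists the sessions that would be logged off. Remove -WhatIf to act.
Invoke-LogoffAllSessions -WhatIf
```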
