WMI query win32_LoggedOnUser with specific account exclusions

Working with relevance in the “Track Primary User” (https://bigfix.me/fixlet/details/2533) for specifically “LastLoggedInUser”. This relevance is working as intended but we have a couple of applications that register as a local login. I would like to EXCLUDE these application logins in the relevance.

LastLoggedInUser relevance:
```
tuple string item 0 of concatenation ", " of items 0 of ((item 0 of item 1 of it, item 1 of item 0 of it) of ((it,((preceding texts of firsts "%22" of following texts of firsts "Name=%22" of it, preceding texts of firsts "%22" of following texts of firsts ".LogonId=%22" of it) of ((following texts whose (number of substrings "|" of it is 1) of substrings "|" of preceding texts whose (number of substrings "|" of it mod 2 is 0) of substrings "|" of it) of ("|" & (concatenation "|" of (string values of selects "* from Win32_LoggedOnUser" of wmi)) & "|")))) of ((preceding texts of firsts "|" of it, following texts of firsts "|" of it) of ((following texts whose (number of substrings "|" of it is 1) of substrings "|" of preceding texts whose (number of substrings "|" of it mod 2 is 0) of substrings "|" of it) of ("|" & (concatenation "|" of ((if (it as string contains "LogonId") then (string values of it) else if (it as string contains "StartTime") then (time values of it as string) else "") of (selects "StartTime, LogonId from Win32_LogonSession where (LogonType=2 OR LogonType=10)" of wmi))) & "|")))) whose (item 0 of item 0 of it = item 1 of item 1 of it)) whose (item 1 of it = (maximum of time values of selects "starttime from win32_logonsession where (LogonType=2 OR LogonType=10)" of wmi as string))
```

I’ve managed to get the name excluded from just win32_LoggedOnUser but I can’t find how (where?) to add this in the original relevance.

Exclude specific account like “dwm” or “umf” from win32_LoggedOnUser:
```
((preceding text of first "%22" of following text of last "Name=%22" of string value of properties "Antecedent" of it) of select objects "* from Win32_LoggedOnUser" of wmis) whose ((it as string as lowercase does not contain "dwm") and (it as string as lowercase does not contain "umf"))
```

I think the key is to exclude the accounts via the actual wmi query but I keep getting “Windows Error 0x80041017” when testing via the Fixlet Debugger.

Another option would be to specify specific domain account logons vs local user account logons.

Any help or breadcrumb would be very appreciated!

Welcome to the Forum! I think you’ll find it friendly here.

One note, when you’re pasting in chunks of Relevance, please use the ‘preformatted text’ button on the editor dialog, so the code comes in ‘as-is’ without getting messed up with “Smart Quotes” or interpreting HTML or MarkDown tags in your relevance.

I fixed this post for you already, but in the future use this button to highlight your text and make it ‘Preformatted Text’:

Alternatively you can use markdown, adding your code between backticks like `code` or in a block with three backticks before and after, like:

```

code

```

(now that I fixed your Relevance so I can copy/paste, I’ll go check this out)

Try this:

```
tuple string item 0 of concatenation ", " of items 0 of ((item 0 of item 1 of it, item 1 of item 0 of it)of((it, ( (preceding texts of firsts "%22" of following texts of firsts "Name=%22" of it,preceding texts of firsts "%22" of following texts of firsts ".LogonId=%22" of it) of ( (following texts whose (number of substrings "|" of it is 1) of substrings "|" of preceding texts whose (number of substrings "|" of it mod 2 = 0) of substrings "|" of it) of ("|" & (concatenation "|" of( string values of selects "* from Win32_LoggedOnUser" of wmi)) & "|") ) ))of( (preceding texts of firsts "|" of it, following texts of firsts "|" of it) of ( (following texts whose (number of substrings "|" of it is 1)of substrings "|" of preceding texts whose (number of substrings "|" of it mod 2 = 0)of substrings "|" of it) of ("|" & (concatenation "|" of ((if (it as string contains "LogonId") then (string values of it) else if (it as string contains "StartTime") then (time values of it as string) else "")of (selects "StartTime, LogonId from Win32_LogonSession where (LogonType=2 OR LogonType=10)" of wmi) )) & "|") )))whose(item 0 of item 0 of it = item 1 of item 1 of it and(item 0 of item 1 of it as lowercase does not contain "dwm")and(item 0 of item 1 of it as lowercase does not contain "umf")) ) whose (item 1 of it = (maximum of time values of selects "starttime from win32_logonsession where (LogonType=2 OR LogonType=10)" of wmi as string) )
```

```
(item 0 of item 0 of it = item 1 of item 1 of it and(item 0 of item 1 of it as lowercase does not contain "dwm")and(item 0 of item 1 of it as lowercase does not contain "umf") AND (your new condition) AND (another condition))
```
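The join the Relevance above performs, written out as an added Python example (not code from the thread or from BigFix) over constructed rows shaped like Win32_LoggedOnUser and Win32_LogonSession; the function name, account names and timestamps are assumptions. It applies the exclusions before taking the latest StartTime, whereas the Relevance compares against the maximum over all LogonType 2/10 sessions, so here a newer session owned by an excluded account cannot empty the result.

```python
import re
from datetime import datetime

# Constructed sample rows shaped like Win32_LoggedOnUser: (Antecedent, Dependent).
LOGGED_ON_USER = [
    ('Win32_Account.Domain="PC01",Name="bob"', 'Win32_LogonSession.LogonId="700"'),
    ('Win32_Account.Domain="CONTOSO",Name="alice"', 'Win32_LogonSession.LogonId="800"'),
    # Relevance string values show quotes as %22, so that form is accepted too.
    ('Win32_Account.Domain=%22Window Manager%22,Name=%22DWM-2%22',
     'Win32_LogonSession.LogonId=%22900%22'),
    ('Win32_Account.Domain="Font Driver Host",Name="UMFD-2"',
     'Win32_LogonSession.LogonId="901"'),
    ('Win32_Account.Domain="PC01",Name="svc_backup"', 'Win32_LogonSession.LogonId="950"'),
]
# Constructed Win32_LogonSession rows: (LogonId, LogonType, StartTime).
LOGON_SESSION = [
    ("700", 2, datetime(2024, 5, 1, 17, 30, 0)),
    ("800", 10, datetime(2024, 5, 2, 8, 59, 50)),
    ("900", 2, datetime(2024, 5, 2, 9, 0, 5)),    # newest interactive session
    ("901", 2, datetime(2024, 5, 2, 9, 0, 4)),
    ("950", 5, datetime(2024, 5, 2, 9, 30, 0)),   # service logon, not type 2/10
]
INTERACTIVE = {2, 10}          # same LogonType filter as the WQL in the thread
EXCLUDED = ("dwm", "umf")      # same substrings as the thread's whose clause
QUOTE = r'(?:"|%22)'

def last_logged_in_user(logged_on, sessions, excluded=EXCLUDED):
    """Return the user of the newest interactive session, or None."""
    start = {lid: t for lid, ltype, t in sessions if ltype in INTERACTIVE}
    candidates = []
    for antecedent, dependent in logged_on:
        name = re.search(rf'Name={QUOTE}(.*?){QUOTE}', antecedent)
        logon_id = re.search(rf'LogonId={QUOTE}(.*?){QUOTE}', dependent)
        if not (name and logon_id) or logon_id.group(1) not in start:
            continue
        user = name.group(1)
        if any(s in user.lower() for s in excluded):
            continue  # drop application accounts before picking the newest
        candidates.append((start[logon_id.group(1)], user))
    return max(candidates)[1] if candidates else None

if __name__ == "__main__":
    print(last_logged_in_user(LOGGED_ON_USER, LOGON_SESSION))
```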

Thanks guys!
I’ll give your idea a shot, vk. I’ll let you know how it goes 🙂