Ondrej Sevecek's English Pages

January 09
How to find all logon session IDs and logon types for use by KLIST

When troubleshooting Kerberos authentication, KLIST has been an essential tool to start with for some time now (since Windows Vista and Windows 2008). It is a powerful tool: it can display not only the user's own ticket cache, but also the Kerberos ticket cache of any logon session whose ID you know.

Basically, the term logon session means an in-memory representation (in LSA process memory) of a logged-on user or service account. Kerberos tickets are always associated with a certain logon session and thus belong to a specific user or service account. If you want to see the tickets another user account has in its ticket cache, you must first determine the ID of its logon session.

Besides the logon sessions of other users and service accounts, there are some generally important default built-in logon sessions to look at as well. These include SYSTEM's own logon session and that of NETWORK SERVICE. We are not interested in LOCAL SERVICE's logon session, as it cannot use Kerberos at all.

The default built-in logon sessions are always assigned the same logon session IDs, while other logon sessions receive random IDs. If you know, for example, that the logon session ID of SYSTEM is always 3E7, you can list its Kerberos ticket cache with the following command:

KLIST -li 3e7

The default logon session IDs are listed in the following table. Note that the klist -li parameter requires a hexadecimal number as input:

| Logon session   | Id HEX | Id DEC |
|-----------------|--------|--------|
| SYSTEM          | 3e7    | 999    |
| NETWORK SERVICE | 3e4    | 996    |
| LOCAL SERVICE   | 3e5    | 997    |
| IUSR            | 3e3    | 995    |

For other logged-on user accounts and service identities, you must determine the logon session ID dynamically. You can use the command line or PowerShell:

wmic logon assoc /resultclass:win32_account
gwmi Win32_LogonSession | % { $one = $_ ; $one.GetRelated('Win32_Account') | Select Domain, Name, SID, @{ n = 'LogonSessionHEX' ; e = { '0x{0:X}' -f ([uint64] $one.LogonId) } }, @{ n = 'LogonSessionDEC' ; e = { $one.LogonId } } , @{ n = 'LogonType' ; e = { $one.LogonType } } }

Note that the output of the PowerShell command displays both the hexadecimal and the decimal representation of the logon ID. It also displays the type of the logon session, which can be used to distinguish between different logon sessions of the same account, or between logon sessions in general. Logon types are listed in the following table.

| Logon type              | Number | User right required                                  | Notes |
|-------------------------|--------|------------------------------------------------------|-------|
| Interactive             | 2      | Logon locally                                        |       |
| Network                 | 3      | Access this computer from network                    |       |
| Batch                   | 4      | Logon as a batch job                                 |       |
| Service                 | 5      | Logon as a service                                   |       |
| Unlock                  | 7      |                                                      | This will not appear among the logon types of any logon session. This logon type ID is only used in the logon/logoff auditing category and appears in the Security event log if you have the auditing enabled. |
| NetworkCleartext        | 8      | Access this computer from network                    | Used by logon sessions started from a network and authenticated with Basic or LDAP simple bind authentication protocols. |
| NewCredentials          | 9      |                                                      |       |
| RemoteInteractive       | 10     | Access this computer through Remote Desktop Services |       |
| CachedInteractive       | 11     | Logon locally                                        |       |
| CachedRemoteInteractive | 12     | Access this computer through Remote Desktop Services |       |
| CachedUnlock            | 13     |                                                      |       |
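
The session lookup and the two tables above can be combined so that each ticket cache is listed together with its account and named logon type. This is an added example, not code from the original post: it uses Get-CimInstance in place of gwmi, the function and variable names are illustrative, and it assumes an elevated PowerShell prompt.

```powershell
# Added example. Names for the LogonType numbers, taken from the table above.
$LogonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
    11 = 'CachedInteractive'; 12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlock'
}

function Get-LogonSessionInfo {
    # Emits one row per (logon session, account) pair.
    Get-CimInstance Win32_LogonSession | ForEach-Object {
        $session = $_
        # LogonId arrives as a decimal string; KLIST -li expects hexadecimal.
        $id   = [uint64] $session.LogonId
        $type = [int] $session.LogonType
        $name = $LogonTypeName[$type]
        if (-not $name) { $name = "Unknown ($type)" }
        Get-CimAssociatedInstance -InputObject $session -ResultClassName Win32_Account |
            ForEach-Object {
                [pscustomobject]@{
                    Account   = '{0}\{1}' -f $_.Domain, $_.Name
                    LogonType = $name
                    IdDec     = $id
                    IdHex     = '{0:x}' -f $id
                }
            }
    }
}

function Show-SessionTickets {
    param([string[]] $LogonType = @('Interactive', 'RemoteInteractive', 'Service'))
    # Sessions with randomly assigned IDs, filtered by named logon type.
    $sessions = Get-LogonSessionInfo |
        Where-Object { $_.LogonType -in $LogonType } |
        Sort-Object IdDec -Unique
    foreach ($s in $sessions) {
        "=== $($s.Account)  type=$($s.LogonType)  id=0x$($s.IdHex) ==="
        klist -li $s.IdHex
    }
    # Built-in sessions with fixed IDs: SYSTEM and NETWORK SERVICE.
    foreach ($fixed in '3e7', '3e4') {
        "=== built-in session id=0x$fixed ==="
        klist -li $fixed
    }
}

Show-SessionTickets
```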

Comments

Great post!

Great post, I've enjoyed reading it, and learned a few new things! Keep it up! Cheers!
 on 09/01/2015 20:53
