'logged_in_users' Table not Showing Disconnected Sessions

Question

'logged_in_users' Table not Showing Disconnected Sessions

Opened this issue 3 months ago · 0 comments

Bug report

What operating system and version are you using?

 version = 10.0.19045
   build = 19045
platform = windows

What version of osquery are you using?

5.11.0

What steps did you take to reproduce the issue?

.\osqueryi.exe "SELECT * FROM logged_in_users;"

What did you expect to see?

I expected to see both active and disconnected user sessions.

What did you see instead?

I am only seeing active sessions when I can confirm there are disconnected sessions as well. I expect to also see disconnected sessions, as that is important information when dealing with locked accounts and such. Here is a screenshot showing Osquery's result with only the active session, then a quser showing both the active and a disconnected session: