I have been tasked by our ISSO to verify RMF control SC-23 Session Authenticity for our Windows environment. In particular, they want me to provide a screenshot that each Windows session has a unique identifier.
I have found a number of methods but most seem questionable or unreliable.
- get-wmiobject Win32_LoggedOnUser: provides a "LogonId" but output varies depending on the executing user
- get-wmiobject Win32_session: gives more or less the same info as Win32_LoggedOnUser
- query user: provides a non-unique ID, usually 1
- [System.Diagnostics.Process]::GetCurrentProcess().SessionId: provides the same answer as query user, and all logged on sessions give the same answer 1
- [Security.Principal.WindowsIdentity]::GetCurrent().User.Value: provides the current logged on user SID, not the session SID
- Get-CimInstance -Class Win32_LUID: provides no output on my system
- logonsessions64.exe -p: also provides a unique logon session (Logon session 00000000:000003e7) and may be viable but is not verifiable with documentation

The best information I've received (https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers) indicates that the Unique Session ID should be a SID in the format S-1-5-5-X-Y; however, I have found no information whatsoever on how to query that other than vague references to extracting it from the user's session token or C++ code that I don't know how to use.
Some references suggest this information may also be called a LUID. However, a search for LUID does not yield information that is helpful to me.
Is there a PowerShell script or other command line tool that I can use to find the correct session SID? Or, barring that, any documentation you can find to support the use of the logonsessions tool or WMI info?
Edit: I already know the User SID starting with S-1-5-21. I need the Session SID starting with S-1-5-5. The goal is to confirm each session has a unique ID, not each user. Thanks.
Edit 2: I've found evidence of the Session ID S-1-5-5 in the Windows event log. I was able to confirm that within a session the SID remains the same and that after a complete logout and login (lock/unlock is insufficient) the SID will change. However, I still want to be able to programmatically identify this SID without using the Event Viewer.
I also notice that the "Logon ID" has some relationship to the S-1-5-5 SID. If you truncate the first hex number (1) and subtract the two (after DEC-HEX conversion), the difference is around 2000. The first example was 0xB00 apart and I thought perhaps a programmer joke was at play but the second example had a different offset.
You can use the command whoami /logonid to obtain the logon ID.
The whoami utility writes to standard output, so you can capture this in PowerShell simply by writing (e.g.):
$sessionID = whoami /logonid
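As an added example, not part of the question or of this answer, the PowerShell script below reads the logon SID (S-1-5-5-X-Y) of the current session directly from the access token, cross-checks it against whoami /logonid, and then lists every interactive logon session WMI knows about together with its logon ID (the LUID). It assumes two things: that the logon SID is present in the token's group list (the entry whoami /groups shows as "Logon SID"), and that whoami /logonid prints that SID as a single line.

```powershell
# Added example: collect session-uniqueness evidence for SC-23 on one host.
# Not code from the original question or answer.

function Get-CurrentLogonSid {
    # The logon SID is carried in the access token as a group SID flagged
    # "Logon Id"; it is the only S-1-5-5-* entry in the token (assumption).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $logonSid = $identity.Groups |
        Where-Object { $_.Value -like 'S-1-5-5-*' } |
        Select-Object -First 1
    if (-not $logonSid) {
        throw 'No logon SID (S-1-5-5-*) found in the current token.'
    }
    return $logonSid.Value
}

function Get-InteractiveLogonSessions {
    # Win32_LogonSession.LogonId is the session LUID as a decimal string.
    # LogonType 2 = Interactive (console), 10 = RemoteInteractive (RDP),
    # 11 = CachedInteractive. Service and network logons are left out.
    $sessions = Get-CimInstance -ClassName Win32_LogonSession |
        Where-Object { $_.LogonType -in 2, 10, 11 }

    foreach ($s in $sessions) {
        # Win32_LoggedOnUser associates each logon session with its account.
        $account = Get-CimAssociatedInstance -InputObject $s `
            -Association Win32_LoggedOnUser -ErrorAction SilentlyContinue |
            Select-Object -First 1

        [pscustomobject]@{
            LogonId    = $s.LogonId
            LogonIdHex = '0x{0:X8}' -f [uint64]$s.LogonId   # e.g. 999 -> 0x000003E7
            LogonType  = $s.LogonType
            StartTime  = $s.StartTime
            User       = if ($account) { '{0}\{1}' -f $account.Domain, $account.Name } else { '(unknown)' }
        }
    }
}

# Evidence for the session this script runs in.
$fromToken  = Get-CurrentLogonSid
$fromWhoami = (whoami /logonid | Out-String).Trim()

"Logon SID from token : $fromToken"
"Logon SID from whoami: $fromWhoami"
if ($fromToken -ne $fromWhoami) {
    Write-Warning 'Token and whoami /logonid disagree; confirm which session the script is running in.'
}

# Inventory of interactive logon sessions on this host, by LUID.
Get-InteractiveLogonSessions | Sort-Object StartTime | Format-Table -AutoSize
```

Run the script once in each logged-on session (console and each RDP session) and keep the output for the screenshot: the S-1-5-5 value differs per session and, as the question observes, changes only after a full logoff and logon. The Win32_LogonSession list is there to show how many sessions exist and which account owns each; its LogonId is the LUID, which the question notes is not numerically equal to the S-1-5-5 suffix, so treat the token-derived SID as the session identifier and the WMI list only as the session inventory. Sessions other than your own carry their logon SID in their own token, which is why the script reads it from inside each session rather than deriving it from the LUID.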