Logoff User After Idle

Posted On 2017-09-27 by dwirch
Keywords:
Tags: Free Stuff General Blog 
Views: 7226

Title Uploaded Size
SystemIdleCheck.1.0.0.8.zip 6/6/2018 1:25:26 PM 10,649
SystemIdleCheck.1.0.0.7.zip 4/28/2018 2:20:53 PM 9,904
SystemIdleCheck.1.0.0.6.zip 1/27/2018 10:11:25 AM 5,836
SystemIdleCheck.1.0.0.5.zip 9/27/2017 6:54:30 PM 5,313


Recently, there was a request for our team to implement a new security requirement for workstations. Specifically, If a user remains logged in, but is idle for a specific period of time, that user should be logged out. 

After consulting the interwebs for a few minutes, all I could find were hacky solutions using vbscript, PowerShell, task scheduler, or screensavers that may or may not work. I don't need weird, chained together items. I just need something that works.

Concept

So, I cracked open my favorite Rapid Application Development (RAD) environment, and built something that fits the bill.  I had a few requirements, though.

  • No installation - I don't need a setup program, which makes deployment and update just a bit easier.
  • No dependencies - Deploying this program to any version of Windows should just work. No support libraries needed, not even .Net.
  • No interface - The program should run transparently to the user.
  • Configurable idle time -  Default to five minutes (300 seconds), but accept any number of seconds.

The program that I've put together meets all the criteria above. By utilizing API calls that are standard across the Windows product line, the program will run anywhere. Heck, it might even work in WINE, but I haven't tried it.

Further, no DLLs or other extras need to be distributed with it. No registering of random DLLs or any of that.

Usage

As mentioned, the program runs without dependencies. All you need to do is drop it in to a folder on a target machine. Or you could run it from a network share (it's small!), but I would recommend against that.

Next, you need to make sure the program runs at user logon. There are multiple ways to do this, but I've used Group Policy Objects (GPO) to get this done. In your Group Policy Management console, look for:

User Configuration \ Policies \Administrative Templates \ System \ Logon \ Run this programs at user logon

In the configuration of that policy, I've given the full path and filename for the executable, as it sits on the target system, like so:

c:\spdistro\scripts\SystemIdleCheck.exe 3600

You'll notice that in the example, I've configured the only command switch for the program. This switch is the idle time, in seconds. The example shows a value of 3600 seconds, or one hour. If no value is specified, a default value of 300 seconds (five minutes) is used.

Once again, there is no interface for the app, not even in the tray. The only indicator is the presence of the executable in Task Manager.

Warning

This program will forcefully log off the currently logged on user. It is possible for the user to lose anything they were working on that was not saved.

You have been warned.  Neither I nor anyone affiliated with this site is responsible for the use or misuse of this software.  It is provided free of charge, and there are no requirements for payment of any kind.

To Do

The only thing I have to add at the moment is logging. I'll be adding the capability of logging to the Windows event log. By using the event log, a standard central log aggregation service like Splunk or SCOM will be able to pick up on the idle logoff events, for audit purposes.

If anyone has any other ideas for things to add, I'm all ears.

Updates

Version Comments
1.0.0.5 Initial public build and release.
1.0.0.6 Warning notice prior to logoff. The application will now pop up a warning message in the middle of the screen sixty (60) seconds before the user is logged off. To dismiss the warning, the user simply needs to move the mouse or press a key. The logoff will be aborted, and the idle timer will be reset.
1.0.0.7
  • Per request of end user, added move-to-top functionality for warning window. The warning will now pop up above everything else onscreen, even the screensaver.
  • Added Readme file to the archive, giving instructions, support options and warnings.
  • Added support forums
1.0.0.8 Added event logging functionality.


About the Author

has posted a total of 192 articles.


Comments On This Post

By: AnonymousCoward
Date: 2017-12-08

This is perfect, is the code available or could you create one that switches users instead of log out this way the work is not lost.

By: dwirch
Date: 2017-12-09

Sorry - the source is not available. I might be able to manage locking the workstation, but why wouldn't simply enforce a screensaver at that point?

By: AnonymousCoward
Date: 2017-12-16

this sounds perfect thanks- it's crazy this still isn't baked into the OS. How can I get this to apply to specific users or groups (ie. users not admins)?

By: dwirch
Date: 2017-12-16

GPO for the win. Turn it on for Domain Users, then farther down in your GPO turn it off for admins (Domain Admins, Server Operators, etc.)

By: AnonymousCoward
Date: 2017-12-23

Hmm, sorry - I cannot find this as one of the "turn-off options". Can you point me to where that would be in the GPO for turning off start at user logon for Admins?

By: dwirch
Date: 2017-12-23

You'd simply make a second GPO, farther down in the precedence, where the option is Disabled rather than Enabled. Both GPOs reference the same setting. Domain users would be enabled, domain admins would be disabled. It's important to note that the domain admins GPO would need to be processed second.

By: AnonymousCoward
Date: 2018-01-22

Is there any current option or thought to implement the option to show a message box warning the user that they will be logged out in x number of seconds unless they are active? (much like Grimadmin Screensaver Operations https://www.grimadmin.com/page.php/ss-operations)

By: dwirch
Date: 2018-01-22

I had not thought of that, nor had I been asked for it. I will get to work on it as soon as possible, and update the post when it is ready. Thanks for the suggestion!

By: dwirch
Date: 2018-01-27

Feature added. When sixty seconds remains before logoff, a warning will pop up in the middle of the screen, warning of the impending logoff. Also includes a countdown timer.

By: AnonymousCoward
Date: 2018-03-20

This .exe file gets blocked by windows defender and says it contains a virus?

By: dwirch
Date: 2018-03-20

That's very possible.  The program works by hooking the keyboard system-wide.  This is seen by some A/V software as a keylogger.

By: AnonymousCoward
Date: 2018-03-25

Referring back to 12-23 post for implementing this for either a specific user or user group, Can you give a bit more of a walk through on that.  I'm doing this on a single home PC. New to GPO; was able to get this to work for all users based on the usage instructions provided, but could use more details for the second GPO.  I have one household user that never logs off that I'd like to have systemidlecheck sign out after a set number of inactive hours. 

Thank you!

By: dwirch
Date: 2018-03-25

@AnonymousCoward on 2018-03-25:

I'll post up a GPO basics tutorial as soon as possible. I'm working on some other issues at the moment, but I will get to this next.

By: AnonymousCoward
Date: 2018-04-26

Can you modify the alert to display in the foreground instead of the backgound so users see it if they are using apps like IE or chrome?

By: dwirch
Date: 2018-04-26

It should pop to the front already, but I will add code to ensure it is on top. 

I won't get to it until this weekend, but I will get to it! Look for v1.0.0.7 sometime this weekend. I will post a follow up on this thread, or in the forums, under FortyPound Software.

Thanks for checking it out!

By: dwirch
Date: 2018-04-28

@AnonymousCoward on 2018-04-26: 

Your wish is my command. The request functionality has been added, and is now available by using the links at the top of this page.

By: dwirch
Date: 2018-06-06

v1.0.0.8 has been released, which adds event logging functionality. 

See this forum post for details.

By: AnonymousCoward
Date: 2018-06-19

Would it be possible to add a command line switch to allow a configurable warning timer? It would be nice to be able to set that a little longer like 5 or 10 minutes.

Also, any chance of getting Cylance to not detect on your program? Shoot them an email and see what they say. They false-positive on a lot of these logoff utilities and that is annoying: https://www.virustotal.com/#/file/f7e1e00be3efc89db77c5477ac129c03e87fba8e179fb3377f4626975c0b1c00/detection

Nice work!

By: dwirch
Date: 2018-06-19

@AnonymousCoward on 2018-06-19 - 

Ask, and ye shall receive.  I will add a second switch to the app, for configuring the warning message. I'll get to it as soon as I can, most likely later this week.

By: dwirch
Date: 2018-06-19

Oh, and I will see what I can do about Cylance and other A/V programs.

 


Do you have a thought relating to this post? You can post your comment here. If you have an unrelated question, you can use the Q&A section to ask it.

Or you can drop a note to the administrators if you're not sure where you should post.


Your IP address is:54.166.141.12

Before you can post, you need to prove you are human. If you log in, this test goes away.


Code Links