Saturday, December 30, 2017

Powershell: Active User on Target?

In PowerShell, if you're investigating a remote box, you can easily determine whether there's an active session, but how do you find out whether the user is actually sitting at the desk or not?

Easy, sort of... here are some tips:

To determine if there's a session on the box:

Get-WmiObject Win32_LoggedOnUser    # one row per account/logon-session pair; this includes service and network logons, not just console users

We could also run:

wmic /node:"workstation_name" COMPUTERSYSTEM GET USERNAME    # the WMIC alias is COMPUTERSYSTEM; "COMPUTER" is not a valid alias

If you omit the "/node" argument, the query runs locally. Additionally, on pre-Windows 8 systems, there's the qwinsta command.

If there is a user logged in, we can determine whether the user is most likely sitting in front of the workstation with the following:

Get-Process -Name explorer    # -Name takes the process name without the .exe extension; "explorer.exe" returns no match

Since explorer.exe is the process that runs the graphical shell, its presence is a safe indication that someone is logged in interactively. If the Explorer process doesn't exist, there should instead be an instance of the LogonUI process:

Get-Process -Name logonui    # again, no .exe extension

If a logonui.exe process is present, the logon screen is being displayed. If the Win32_LoggedOnUser class or the wmic query returns a user AND logonui is present, that most likely means the workstation is locked.
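The three checks above can be combined into one function that reports the console state of a host in a single call. The following is an added example and not code from the original post; it assumes CIM/WinRM access to the target and that the $ComputerName value is a host you are authorized to query (the usage line uses a made-up name). It goes a little beyond the post by joining Win32_LoggedOnUser to Win32_LogonSession so that only interactive logon types (2, 10, 11) count as "a user is logged in", which filters out the SYSTEM, service and network logons that Win32_LoggedOnUser also lists. Process checks go over CIM (Win32_Process) rather than Get-Process -ComputerName, because that parameter was removed in PowerShell 7.

```powershell
# Added example (not from the original post): classify the console state of a
# remote host using the logged-on-user, explorer.exe and LogonUI.exe checks.
# Assumes CIM (WinRM) access to the target; $ComputerName is a host you are
# authorized to query.
function Get-ConsoleState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName
    )

    $session = New-CimSession -ComputerName $ComputerName
    try {
        # 1. Which accounts hold *interactive* logon sessions?
        #    Win32_LoggedOnUser also lists service/network logons, so join it to
        #    Win32_LogonSession and keep LogonType 2 (Interactive),
        #    10 (RemoteInteractive) and 11 (CachedInteractive).
        $interactiveTypes = 2, 10, 11
        $logonSessions = Get-CimInstance -CimSession $session -ClassName Win32_LogonSession |
            Where-Object { $_.LogonType -in $interactiveTypes }
        $interactiveIds = @($logonSessions | ForEach-Object { $_.LogonId })

        $users = Get-CimInstance -CimSession $session -ClassName Win32_LoggedOnUser |
            Where-Object { $_.Dependent.LogonId -in $interactiveIds } |
            ForEach-Object { '{0}\{1}' -f $_.Antecedent.Domain, $_.Antecedent.Name } |
            Sort-Object -Unique

        # 2. Is the shell (explorer.exe) running, and is the logon/lock screen
        #    (LogonUI.exe) up? Win32_Process answers both over the same CIM session.
        $procs = Get-CimInstance -CimSession $session -ClassName Win32_Process `
            -Filter "Name = 'explorer.exe' OR Name = 'LogonUI.exe'"
        $explorer = [bool]($procs | Where-Object Name -eq 'explorer.exe')
        $logonUi  = [bool]($procs | Where-Object Name -eq 'LogonUI.exe')
    }
    finally {
        Remove-CimSession -CimSession $session
    }

    # 3. Decision rule from the post: user + LogonUI => locked; user + explorer
    #    and no LogonUI => someone is at the desktop.
    $state = if (-not $users)   { 'NoInteractiveUser' }
             elseif ($logonUi)  { 'UserLoggedOnButLocked' }
             elseif ($explorer) { 'UserActiveAtDesktop' }
             else               { 'UserLoggedOnNoShell' }

    [pscustomobject]@{
        ComputerName     = $ComputerName
        InteractiveUsers = @($users)
        ExplorerRunning  = $explorer
        LogonUIRunning   = $logonUi
        State            = $state
    }
}

# Usage (hypothetical host name):
# Get-ConsoleState -ComputerName 'WKSTN-EXAMPLE'
```

Two caveats when reading the result: a disconnected RDP session keeps its own explorer.exe alive, so "ExplorerRunning" alone does not prove anyone is at the physical console, and LogonUI.exe is also present for a short time during logon and logoff, so a one-off "locked" reading is best confirmed by re-running the check a few seconds later.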