
I’m working on an AWS setup where I need to detect last user activity (keyboard/mouse input) on a Windows EC2 instance.

Inside the instance, if I run this PowerShell snippet directly, it works perfectly and gives me the latest last input time whenever I touch the mouse/keyboard:

Add-Type @"
using System;
using System.Runtime.InteropServices;
public class IdleTime {
    [StructLayout(LayoutKind.Sequential)]
    struct LASTINPUTINFO {
        public uint cbSize;
        public uint dwTime;
    }
    [DllImport("user32.dll")]
    static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);
    public static uint GetIdleTime() {
        LASTINPUTINFO lii = new LASTINPUTINFO();
        lii.cbSize = (uint)System.Runtime.InteropServices.Marshal.SizeOf(lii);
        GetLastInputInfo(ref lii);
        return ((uint)Environment.TickCount - lii.dwTime) / 1000;
    }
}
"@
$idle = [IdleTime]::GetIdleTime()
$lastActivity = (Get-Date).ToUniversalTime().AddSeconds(-$idle)
Write-Output $lastActivity.ToString("o")

But when I run the same script from a Lambda function using boto3 + ssm.send_command (with AWS-RunPowerShellScript), I only ever get one Administrator session and the same timestamp every time. It never updates, even if I’m actively connected to the EC2 instance via NICE DCV or RDP and moving the mouse/keyboard.

Question

How can I reliably get real last user activity (mouse/keyboard) from AWS Lambda or SSM, across all session types (console, RDP, NICE DCV, Moonlight, etc.)?

Do I need to run a custom agent inside the instance that updates DynamoDB/S3 with the activity timestamp? Or is there a way to force SSM RunCommand to execute inside the interactive desktop session instead of Session 0?

Any pointers or best practices for this scenario would be super helpful 🙏

My suspicion:

I think this is because the SSM Agent runs in Session 0 (non-interactive background service), and GetLastInputInfo() there never changes. Whereas when I run it inside the interactive session (console/RDP/DCV), it works correctly.

What I’ve tried

quser → only shows console/RDP, doesn’t show NICE DCV sessions.

dcv list-sessions → shows DCV sessions, but not actual user input time.

Event logs → show logon/logoff/lock events, but not continuous activity.
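
The "custom agent" idea raised in the question, sketched as an added example that is not part of the original post. GetLastInputInfo reports input only for the session of the calling process, so the probe has to run inside each interactive session and leave its result where a Session 0 command can read it. The directory path, the function names and the scheduling (for instance a scheduled task triggered at logon that calls `Write-SessionHeartbeat` every minute) are assumptions.

```powershell
# Added example; the path and all names below are hypothetical.
$HeartbeatDir = 'C:\ProgramData\IdleHeartbeat'   # assumed: writable by logged-on users

function Write-SessionHeartbeat {
    # Run INSIDE each interactive session (console, RDP, DCV), not through SSM.
    if (-not ('IdleProbe' -as [type])) {
        Add-Type @"
using System;
using System.Runtime.InteropServices;
public class IdleProbe {
    [StructLayout(LayoutKind.Sequential)]
    struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }
    [DllImport("user32.dll")]
    static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);
    public static long IdleSeconds() {
        LASTINPUTINFO lii = new LASTINPUTINFO();
        lii.cbSize = (uint)Marshal.SizeOf(typeof(LASTINPUTINFO));
        if (!GetLastInputInfo(ref lii)) return -1;   // API call failed
        // Unsigned subtraction stays correct when the tick counter wraps.
        return unchecked((uint)Environment.TickCount - lii.dwTime) / 1000;
    }
}
"@
    }
    $idle = [IdleProbe]::IdleSeconds()
    if ($idle -lt 0) { return }
    $sessionId = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
    $record = [pscustomobject]@{
        SessionId    = $sessionId
        User         = $env:USERNAME
        LastInputUtc = (Get-Date).ToUniversalTime().AddSeconds(-$idle).ToString('o')
    }
    New-Item -ItemType Directory -Path $HeartbeatDir -Force | Out-Null
    # One file per session and user, so a reused session ID never hits another user's file.
    $file = Join-Path $HeartbeatDir "session-$sessionId-$env:USERNAME.json"
    $record | ConvertTo-Json | Set-Content -Path $file
}

function Get-LatestActivity {
    # Safe to run from Session 0 (SSM RunCommand): it only reads what the sessions wrote.
    # The files are user-writable, so treat the values as advisory, not as evidence.
    Get-ChildItem -Path $HeartbeatDir -Filter 'session-*.json' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Content $_.FullName -Raw | ConvertFrom-Json } |
        Sort-Object LastInputUtc -Descending |   # fixed-width UTC 'o' strings sort chronologically
        Select-Object -First 1
}
```

With this layout the command sent through AWS-RunPowerShellScript would call `Get-LatestActivity` instead of GetLastInputInfo itself.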
