I have some trouble finding the correct builtins, so when I finally find it, I have to make a note. Like, if I wanted to see the username of a user logged on through RDP:
Define Field(#VALUE) Type(*STRING) Length(28)
Define Field(#RC) Type(*STRING) Length(2)
Define Field(#VT) Type(*STRING) Length(1)
Use Builtin(GET_REGISTRY_VALUE) With_Args('HKEY_CURRENT_USER' 'Volatile Environment' 'USERNAME') To_Get(#VALUE #RC #VT)
So now I have learned to use the GET_REGISTRY_VALUE builtin. Actually, I wanted to find the CLIENTNAME value, but the registry path to that is Volatile Environment\ENVID\CLIENTNAME where, apparently, ENVID updates on every connection.