PsLoggedon64.exe

  • File Path: C:\SysinternalsSuite\PsLoggedon64.exe
  • Description: See who’s logged on

Runtime Data

Usage (stdout):


PsLoggedon v1.35 - See who's logged on
Copyright (C) 2000-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Usage: C:\SysinternalsSuite\PsLoggedon64.exe [-l] [-x] [\\computername]
    or C:\SysinternalsSuite\PsLoggedon64.exe [username]
-l     Show only local logons
-x     Don't show logon times
-nobanner Do not display the startup banner and copyright message.


Child Processes:

conhost.exe

Open Handles:

  • (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.488_none_4238de57f6b64d28 (Type: File)
  • (RW-) C:\xCyclopedia (Type: File)
  • \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 (Type: Section)
  • \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 (Type: Section)

Loaded Modules:

Path
C:\SysinternalsSuite\PsLoggedon64.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 330000010A2C79AED7797BA6AC00010000010A
  • Thumbprint: 3BDA323E552DB1FDE5F4FBEE75D6D5B2B187EEDC
  • Issuer: CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: psloggedon.exe
  • Product Name: Sysinternals PsLoggedon
  • Company Name: Sysinternals - www.sysinternals.com
  • File Version: 1.35
  • Product Version: 1.35
  • Language: English (United States)
  • Legal Copyright: Copyright (C) 2000-2016 Mark Russinovich
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/fdadb6e15c52c41a31e3c22659dd490d5b616e017d1b1aa6070008ce09ed27ea/detection/

Possible Misuse

The following table contains possible examples of PsLoggedon64.exe being misused. While PsLoggedon64.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma
  • Source File: proc_creation_win_false_sysinternalsuite.yml
  • Example: - '\psLoggedon64.exe'
  • License: DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.