query.exe

• File Path: C:\WINDOWS\system32\query.exe
• Description: MultiUser Query Utility

Hashes

Type	Hash
MD5	198E5A25B3F577F5E7C86F3A94909686
SHA1	269731F31CADA134126F99D3AD80FFAB800BBC87
SHA256	C02F3831375BDA955F13909985FAF5987B14968AE5A19F6128E407649AA3DD66
SHA384	338460918D9E5F0F198D3BF2A9D786FA54FA65B822F6798055AF708CB11FE366DFB2F6BE50A3B420852420943045F79B
SHA512	889633E09E747C6239834AACA0E1C1513CACFF99EEF949D380F489F3EB18E2D3B221326B163DDABCE72ADF36283629B16F8F175B696695A2AF44631006B0C309
SSDEEP	384:zw7SbB9BPhgulSQ8jWqU/vqhITHlP4Wa3W:c7SPhg68yqUnFP4
IMP	CCC9DA4A55E90DFE34CBCDB066D6A6B3
PESHA1	D68F6943074107D4BC92EA45E70A887ED091DBA7
PE256	FF2590B18E5326EBD20A75854E269521855997E083C0E420104203334DB545F1

Runtime Data

Usage (stdout):

QUERY { PROCESS | SESSION | TERMSERVER | USER }

Usage (stderr):

Invalid parameter(s)
QUERY { PROCESS | SESSION | TERMSERVER | USER }

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\query.exe

Signature

• Status: Signature verified.
• Serial: 33000002ED2C45E4C145CF48440000000002ED
• Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
• Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
• Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

• Original Filename: query.exe.mui
• Product Name: Microsoft Windows Operating System
• Company Name: Microsoft Corporation
• File Version: 10.0.22000.1 (WinBuild.160101.0800)
• Product Version: 10.0.22000.1
• Language: English (United States)
• Legal Copyright: Microsoft Corporation. All rights reserved.
• Machine Type: 64-bit

File Scan

• VirusTotal Detections: 0/73
• VirusTotal Link: https://www.virustotal.com/gui/file/c02f3831375bda955f13909985faf5987b14968ae5a19f6128e407649aa3dd66/detection

File Similarity (ssdeep match)

File	Score
C:\WINDOWS\system32\change.exe	77
C:\WINDOWS\system32\reset.exe	72

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

---

query commands

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Displays information about processes, sessions, and Remote Desktop Session Host servers. To find out what’s new in the latest version, see What’s New in Remote Desktop Services in Windows Server.

Syntax

query process
query session
query termserver
query user

Parameters

Parameter	Description
query process	Displays information about processes running on an Remote Desktop Session Host server.
query session	Displays information about sessions on a Remote Desktop Session Host server.
query termserver	Displays a list of all Remote Desktop Session Host servers on the network.
query user	Displays information about user sessions on a Remote Desktop Session Host server.

Additional References

• Command-Line Syntax Key

• Remote Desktop Services (Terminal Services) Command Reference

---

MIT License. Copyright (c) 2020-2021 Strontic.