quser.exe

File Path: C:\windows\SysWOW64\quser.exe
Description: Query User Utility

Hashes

Type	Hash
MD5	`C32D9A5F478BB976119F91FB199D4D73`
SHA1	`91F243C1E288E7B006ACD0E75E6412E48A453DFE`
SHA256	`BE42AA1AC3BFA70AA8C277A190743FBF1B942BA29AB149693AA86889EBE7CE04`
SHA384	`4C7997DE22FD52AE51BA6AD2EFC0F40B92AE8BCD2B582138B3A3348E584268026FE939A381E3F1B7EA17AD457CF6D104`
SHA512	`0C92EDC3824A10686CF8478EB9BBBAFA8F0A2A5DBD3CECDFBDDE5083A6C39D893C6F22576E0660C333274A22E0BFD5BD2AE35D2240F888BC3A6018848FF47F68`
SSDEEP	`384:wDcq3/89+iuh46Cp9YdDpbm/+S5la0X2J/dP8r+cHWSmFWcjpO:g3k9yh4Z2M/icarjpO`

Signature

Status: The file C:\windows\SysWOW64\quser.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
Serial: ``
Thumbprint: ``
Issuer:
Subject:

File Metadata

Original Filename: quser.exe.mui
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
Product Version: 6.3.9600.16384
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of quser.exe being misused. While quser.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_local_system_owner_account_discovery.yml	`- '\quser.exe'`	DRL 1.0
sigma	proc_creation_win_multiple_suspicious_cli.yml	`- quser.exe`	DRL 1.0
sigma	proc_creation_win_webshell_detection.yml	`- '\quser.exe'`	DRL 1.0
atomic-red-team	T1033.md	quser /SERVER:”#{computer_name}”	MIT License. © 2018 Red Canary
atomic-red-team	T1033.md	quser	MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

quser

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Displays information about user sessions on a Remote Desktop Session Host server. You can use this command to find out if a specific user is logged on to a specific Remote Desktop Session Host server. This command returns the following information:

Name of the user
Name of the session on the Remote Desktop Session Host server
Session ID
State of the session (active or disconnected)
Idle time (the number of minutes since the last keystroke or mouse movement at the session)
Date and time the user logged on

[!NOTE] This command is the same as the query user command. To find out what’s new in the latest version, see What’s New in Remote Desktop Services in Windows Server.

Syntax

quser [<username> | <sessionname> | <sessionID>] [/server:<servername>]

Parameters

Parameter	Description
`<username>`	Specifies the logon name of the user that you want to query.
`<sessionname>`	Specifies the name of the session that you want to query.
`<sessionID>`	Specifies the ID of the session that you want to query.
/server:`<servername>`	Specifies the Remote Desktop Session Host server that you want to query. Otherwise, the current Remote Desktop Session Host server is used. This parameter is only required if you’re using this command from a remote server.
/?	Displays help at the command prompt.

Remarks

To use this command, you must have Full Control permission or special access permission.
If you don’t specify a user using the <username>, <sessionname>, or sessionID parameters, a list of all users who are logged on to the server is returned. Alternatively, you can also use the query session command to display a list of all sessions on a server.
When quser returns information, a greater than (>) symbol is displayed before the current session.

Examples

To display information about all users logged on the system, type:

quser

To display information about the user USER1 on server Server1, type:

quser USER1 /server:Server1