quser.exe

  • File Path: C:\Windows\SysWOW64\quser.exe
  • Description: Query User Utility

Hashes

Type Hash
MD5 C56FB0AA843D2D58F3166F6708B4613F
SHA1 8DB5D2B2109CA42AD231553EADF0D6B01F2A1545
SHA256 8A56B2B043ED340FFEEC3845498005EBF972AF3B937340F0FBA064EA014AB1BB
SHA384 294DE575B62F43C68F615CD7775D445CD45820321B4F0DE8B64CF75181EC708D4F56A244A0E9A4AA33ED8B6A27962BE6
SHA512 7DF28E5D792F52270E51FF355EF3F067C84AAD90425F6287E4D7C9038F9D2B1195A416B742C3D190321641215158FE7244BF9664E401DA8E670AF5C943700485
SSDEEP 384:2DFv6/9BVUogQjfR+/kyF7rASHJwnhHVJPwWU273XWSjFWu5:2DBgBKoFQ/MHK2TXp5
IMP E9E1589ED6F2469789346FC3BDABFCE5
PESHA1 E80BF2159DB6CC9D10B87FC1A8ED263444B9020E
PE256 9F21FA1546849608346AA60553292B7E253698FF22B624D7327A2F2BC258FCD3

Runtime Data

Usage (stdout):

Display information about users logged on to the system.

QUERY USER [username | sessionname | sessionid] [/SERVER:servername]

  username            Identifies the username.
  sessionname         Identifies the session named sessionname.
  sessionid           Identifies the session with ID sessionid.
  /SERVER:servername  The server to be queried (default is current).


Usage (stderr):

Invalid parameter(s)
Display information about users logged on to the system.

QUERY USER [username | sessionname | sessionid] [/SERVER:servername]

  username            Identifies the username.
  sessionname         Identifies the session named sessionname.
  sessionid           Identifies the session with ID sessionid.
  /SERVER:servername  The server to be queried (default is current).


Child Processes:

powershell.exe

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\quser.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: quser.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/67
  • VirusTotal Link: https://www.virustotal.com/gui/file/8a56b2b043ed340ffeec3845498005ebf972af3b937340f0fba064ea014ab1bb/detection/

Possible Misuse

The following table contains possible examples of quser.exe being misused. While quser.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_local_system_owner_account_discovery.yml - '\quser.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - quser.exe DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\quser.exe' DRL 1.0
atomic-red-team T1033.md quser /SERVER:”#{computer_name}” MIT License. © 2018 Red Canary
atomic-red-team T1033.md quser MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


quser

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Displays information about user sessions on a Remote Desktop Session Host server. You can use this command to find out if a specific user is logged on to a specific Remote Desktop Session Host server. This command returns the following information:

  • Name of the user

  • Name of the session on the Remote Desktop Session Host server

  • Session ID

  • State of the session (active or disconnected)

  • Idle time (the number of minutes since the last keystroke or mouse movement at the session)

  • Date and time the user logged on

[!NOTE] This command is the same as the query user command. To find out what’s new in the latest version, see What’s New in Remote Desktop Services in Windows Server.

Syntax

quser [<username> | <sessionname> | <sessionID>] [/server:<servername>]

Parameters

Parameter Description
<username> Specifies the logon name of the user that you want to query.
<sessionname> Specifies the name of the session that you want to query.
<sessionID> Specifies the ID of the session that you want to query.
/server:<servername> Specifies the Remote Desktop Session Host server that you want to query. Otherwise, the current Remote Desktop Session Host server is used. This parameter is only required if you’re using this command from a remote server.
/? Displays help at the command prompt.
Remarks
  • To use this command, you must have Full Control permission or special access permission.

  • If you don’t specify a user using the <username>, <sessionname>, or sessionID parameters, a list of all users who are logged on to the server is returned. Alternatively, you can also use the query session command to display a list of all sessions on a server.

  • When quser returns information, a greater than (>) symbol is displayed before the current session.

Examples

To display information about all users logged on the system, type:

quser

To display information about the user USER1 on server Server1, type:

quser USER1 /server:Server1

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.