quser.exe

File Path: C:\Windows\SysWOW64\quser.exe
Description: Query User Utility

Hashes

Type	Hash
MD5	`C56FB0AA843D2D58F3166F6708B4613F`
SHA1	`8DB5D2B2109CA42AD231553EADF0D6B01F2A1545`
SHA256	`8A56B2B043ED340FFEEC3845498005EBF972AF3B937340F0FBA064EA014AB1BB`
SHA384	`294DE575B62F43C68F615CD7775D445CD45820321B4F0DE8B64CF75181EC708D4F56A244A0E9A4AA33ED8B6A27962BE6`
SHA512	`7DF28E5D792F52270E51FF355EF3F067C84AAD90425F6287E4D7C9038F9D2B1195A416B742C3D190321641215158FE7244BF9664E401DA8E670AF5C943700485`
SSDEEP	`384:2DFv6/9BVUogQjfR+/kyF7rASHJwnhHVJPwWU273XWSjFWu5:2DBgBKoFQ/MHK2TXp5`
IMP	`E9E1589ED6F2469789346FC3BDABFCE5`
PESHA1	`E80BF2159DB6CC9D10B87FC1A8ED263444B9020E`
PE256	`9F21FA1546849608346AA60553292B7E253698FF22B624D7327A2F2BC258FCD3`

Runtime Data

Usage (stdout):

Display information about users logged on to the system.

QUERY USER [username | sessionname | sessionid] [/SERVER:servername]

  username            Identifies the username.
  sessionname         Identifies the session named sessionname.
  sessionid           Identifies the session with ID sessionid.
  /SERVER:servername  The server to be queried (default is current).

Usage (stderr):

Invalid parameter(s)
Display information about users logged on to the system.

QUERY USER [username | sessionname | sessionid] [/SERVER:servername]

  username            Identifies the username.
  sessionname         Identifies the session named sessionname.
  sessionid           Identifies the session with ID sessionid.
  /SERVER:servername  The server to be queried (default is current).

Child Processes:

powershell.exe

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\quser.exe

Signature

Status: Signature verified.
Serial: 33000001C422B2F79B793DACB20000000001C4
Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: quser.exe.mui
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.17763.1 (WinBuild.160101.0800)
Product Version: 10.0.17763.1
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.
Machine Type: 32-bit

File Scan

VirusTotal Detections: 0/67
VirusTotal Link: https://www.virustotal.com/gui/file/8a56b2b043ed340ffeec3845498005ebf972af3b937340f0fba064ea014ab1bb/detection/

Possible Misuse

The following table contains possible examples of quser.exe being misused. While quser.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_local_system_owner_account_discovery.yml	`- '\quser.exe'`	DRL 1.0
sigma	proc_creation_win_multiple_suspicious_cli.yml	`- quser.exe`	DRL 1.0
sigma	proc_creation_win_webshell_detection.yml	`- '\quser.exe'`	DRL 1.0
atomic-red-team	T1033.md	quser /SERVER:”#{computer_name}”	MIT License. © 2018 Red Canary
atomic-red-team	T1033.md	quser	MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

quser

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Displays information about user sessions on a Remote Desktop Session Host server. You can use this command to find out if a specific user is logged on to a specific Remote Desktop Session Host server. This command returns the following information:

Name of the user
Name of the session on the Remote Desktop Session Host server
Session ID
State of the session (active or disconnected)
Idle time (the number of minutes since the last keystroke or mouse movement at the session)
Date and time the user logged on

[!NOTE] This command is the same as the query user command. To find out what’s new in the latest version, see What’s New in Remote Desktop Services in Windows Server.

Syntax

quser [<username> | <sessionname> | <sessionID>] [/server:<servername>]

Parameters

Parameter	Description
`<username>`	Specifies the logon name of the user that you want to query.
`<sessionname>`	Specifies the name of the session that you want to query.
`<sessionID>`	Specifies the ID of the session that you want to query.
/server:`<servername>`	Specifies the Remote Desktop Session Host server that you want to query. Otherwise, the current Remote Desktop Session Host server is used. This parameter is only required if you’re using this command from a remote server.
/?	Displays help at the command prompt.

Remarks

To use this command, you must have Full Control permission or special access permission.
If you don’t specify a user using the <username>, <sessionname>, or sessionID parameters, a list of all users who are logged on to the server is returned. Alternatively, you can also use the query session command to display a list of all sessions on a server.
When quser returns information, a greater than (>) symbol is displayed before the current session.

Examples

To display information about all users logged on the system, type:

quser

To display information about the user USER1 on server Server1, type:

quser USER1 /server:Server1