qwinsta.exe

  • File Path: C:\Windows\SysWOW64\qwinsta.exe
  • Description: Query Session Utility

Hashes

| Type   | Hash |
|--------|------|
| MD5    | 1FF9B1AEED99DD811AA7E9749B707529 |
| SHA1   | 5C27E855F00FAA2DD5F2F0D4BF3BFBB9B2482808 |
| SHA256 | 1644B3F0CDE757EDD7100243B5FBDDDE0A15F73041F5E666D11089BA07E9ED86 |
| SHA384 | 98CF026518D533580498240728EE0DC97E9B7D352AF14DE69DD039CF830D399D607279DE86692F029389D8C00E0A88E4 |
| SHA512 | F91429603BFC33D90B14091B5054359DD46564767583E7868D9EB7253A8605CDDA0654B76036B029D9CA7F393FEA6EBDCBD313527418FB2EEF52A100E3D2C14A |
| SSDEEP | 384:x+ku06aRM2jZFVfstBQS2jIj9o0U8xjFJSXZAg14ODPFWU27c7WR6Wxqf8:xQ0ZRDxszQS2bT32wyl |
| IMP    | 1234BA58D47CA5DA651AFE0A91CF2841 |
| PESHA1 | 8C7B512A5120E45AFF1980E1DFB794474407EEBA |
| PE256  | BF79E54B76FCCC5A836B2CC52C4DF7599BC29F11A9EC5B269EAE21E25AADF9AF |

Runtime Data

Usage (stdout):

Display information about Remote Desktop Services sessions.

QUERY SESSION [sessionname | username | sessionid]
              [/SERVER:servername] [/MODE] [/FLOW] [/CONNECT] [/COUNTER] [/VM]

  sessionname         Identifies the session named sessionname.
  username            Identifies the session with user username.
  sessionid           Identifies the session with ID sessionid.
  /SERVER:servername  The server to be queried (default is current).
  /MODE               Display current line settings.
  /FLOW               Display current flow control settings.
  /CONNECT            Display current connect settings.
  /COUNTER            Display current Remote Desktop Services counters information.
  /VM                 Display information about sessions within virtual machines.


Usage (stderr):

Invalid parameter(s)
Display information about Remote Desktop Services sessions.

QUERY SESSION [sessionname | username | sessionid]
              [/SERVER:servername] [/MODE] [/FLOW] [/CONNECT] [/COUNTER] [/VM]

  sessionname         Identifies the session named sessionname.
  username            Identifies the session with user username.
  sessionid           Identifies the session with ID sessionid.
  /SERVER:servername  The server to be queried (default is current).
  /MODE               Display current line settings.
  /FLOW               Display current flow control settings.
  /CONNECT            Display current connect settings.
  /COUNTER            Display current Remote Desktop Services counters information.
  /VM                 Display information about sessions within virtual machines.


Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\qwinsta.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: qwinsta.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/1644b3f0cde757edd7100243b5fbddde0a15f73041f5e666d11089ba07e9ed86/detection/

Possible Misuse

The following entries are possible examples of qwinsta.exe being misused. While qwinsta.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Each entry gives the source, the source file, the license, and then the example as it appears in that file.

  • sigma, apt_silence_downloader_v3.yml (DRL 1.0): - '\qwinsta.exe'
  • sigma, proc_creation_win_local_system_owner_account_discovery.yml (DRL 1.0): - '\qwinsta.exe'
  • sigma, proc_creation_win_multiple_suspicious_cli.yml (DRL 1.0): qwinsta.exe
  • atomic-red-team, T1033.md (MIT License, © 2018 Red Canary): qwinsta.exe /server:#{computer_name}
  • atomic-red-team, T1033.md (MIT License, © 2018 Red Canary): qwinsta.exe
  • atomic-red-team, T1033.md (MIT License, © 2018 Red Canary): for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
  • atomic-red-team, T1033.md (MIT License, © 2018 Red Canary): @FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


qwinsta

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Displays information about sessions on a Remote Desktop Session Host server. The list includes information not only about active sessions but also about other sessions that the server runs.

Note: This command is the same as the query session command. To find out what’s new in the latest version, see What’s New in Remote Desktop Services in Windows Server.

Syntax

qwinsta [<sessionname> | <username> | <sessionID>] [/server:<servername>] [/mode] [/flow] [/connect] [/counter]

Parameters

| Parameter            | Description |
|----------------------|-------------|
| <sessionname>        | Specifies the name of the session that you want to query. |
| <username>           | Specifies the name of the user whose sessions you want to query. |
| <sessionID>          | Specifies the ID of the session that you want to query. |
| /server:<servername> | Identifies the RD Session Host server to query. The default is the current server. |
| /mode                | Displays current line settings. |
| /flow                | Displays current flow-control settings. |
| /connect             | Displays current connect settings. |
| /counter             | Displays current counters information, including the total number of sessions created, disconnected, and reconnected. |
| /?                   | Displays help at the command prompt. |

Remarks

  • A user can always query the session to which the user is currently logged on. To query other sessions, the user must have special access permission.

  • If you don’t specify a session using the <username>, <sessionname>, or <sessionID> parameters, the query displays information about all active sessions in the system.

  • When qwinsta returns information, a greater than (>) symbol is displayed before the current session. For example:

      C:\>qwinsta
          SESSIONNAME     USERNAME        ID STATE    TYPE    DEVICE
          console         Administrator1  0 active    wdcon
          >rdp-tcp#1      User1           1 active    wdtshare
          rdp-tcp                         2 listen    wdtshare
                                          4 idle
                                          5 idle

    Where:

    • SESSIONNAME specifies the name assigned to the session.
    • USERNAME indicates the user name of the user connected to the session.
    • STATE provides information about the current state of the session.
    • TYPE indicates the session type.
    • DEVICE, which isn’t present for the console or network-connected sessions, is the device name assigned to the session.

  • Any sessions in which the initial state is configured as DISABLED won’t show up in the qwinsta list until they’re enabled.
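Collected qwinsta output (for example, from a triage script or an EDR live-response job) is often ingested into an inventory of interactive sessions, and the fixed-width layout above is the only structure it has. The parser below is an added example, not part of the Microsoft documentation or of this page: it locates each column from the header line's offsets, so it copes with the right-aligned ID column (wide IDs such as the listener's spill left under USERNAME), with blank SESSIONNAME/USERNAME cells, and with the ">" marker in column 0. The sample text, and the names `Session`, `parse_qwinsta` and `active_users`, are constructed here.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Session:
    name: str          # SESSIONNAME (blank for idle session slots)
    user: str          # USERNAME (blank for listeners and idle slots)
    session_id: int    # ID
    state: str         # STATE: active, listen, idle, disc, ...
    session_type: str  # TYPE, e.g. wdcon / wdtshare
    device: str        # DEVICE (usually blank)
    current: bool      # row carried the ">" marker for the querying session

SAMPLE_OUTPUT = "\n".join([  # constructed sample mirroring the documented layout, not real host output
    " SESSIONNAME       USERNAME          ID  STATE   TYPE    DEVICE",
    " console           Administrator1     0  active  wdcon",
    ">rdp-tcp#1         User1              1  active  wdtshare",
    " rdp-tcp                          65536  listen  wdtshare",
    "                                      4  idle",
])

def parse_qwinsta(output: str) -> List[Session]:
    # Column offsets come from the header line, so differing column widths between hosts are handled.
    lines = [ln for ln in output.splitlines() if ln.strip()]
    header = lines[0]
    col = {n: header.index(n) for n in ("SESSIONNAME", "USERNAME", "ID", "STATE", "TYPE", "DEVICE")}
    id_end = col["ID"] + len("ID")  # ID values are right-aligned to the end of the ID header
    sessions = []
    for raw in lines[1:]:
        line = raw.ljust(len(header))  # pad short rows so every slice stays in range
        current = line[0] == ">"       # the marker occupies column 0, left of SESSIONNAME
        if current:
            line = " " + line[1:]
        m = re.search(r"(\d+)\s*$", line[:id_end])
        if not m:
            raise ValueError(f"no session ID in row: {raw!r}")
        sessions.append(Session(
            name=line[col["SESSIONNAME"]:col["USERNAME"]].strip(),
            user=line[col["USERNAME"]:m.start()].strip(),  # a wide ID spills left, so stop at it
            session_id=int(m.group(1)),
            state=line[col["STATE"]:col["TYPE"]].strip(),
            session_type=line[col["TYPE"]:col["DEVICE"]].strip(),
            device=line[col["DEVICE"]:].strip(),
            current=current,
        ))
    return sessions

def active_users(sessions: List[Session]) -> List[Tuple[str, str]]:
    # (user, session name) pairs for sessions with a logged-on user in the active state
    return sorted((s.user, s.name) for s in sessions if s.user and s.state.lower() == "active")
```

The same approach applies to the output of `query session /server:<name>`, since it is the same command.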

Examples

To display information about all active sessions on server Server2, type:

qwinsta /server:Server2

To display information about active session modeM02, type:

qwinsta modeM02

MIT License. Copyright (c) 2020-2021 Strontic.