qwinsta.exe
- File Path: C:\Windows\SysWOW64\qwinsta.exe
- Description: Query Session Utility
Hashes
Type | Hash |
---|---|
MD5 | 8BA20D53B4FB03195AD2D401D1388592 |
SHA1 | 2D0A923E867034C41ED4E0F4CB01F342E1052C9C |
SHA256 | D292A447B82B1EE408B3FEE4AA092B9E437866E2C2631087B4A698426592DC76 |
SHA384 | 5D31F95B1AD51000EC5FDCF4C9104BDB219C350FE47C5FEAAB906074494500EBEF78ED508446C66B6206EF59FAA1C8EE |
SHA512 | EFE51E11802A8F02EE2388B181F5CCBE980FD3E434242516F232515192121AF92936B58D34CEE51EA8B178CCCEBA27B7869C6BAF1ED38CA0B26FDD7FAFF5418A |
SSDEEP | 384:ngeQrphbmcLelWRzVBlfBg1PE9iU3ogAv9QasXFZg8XImvCSGFETUYjWV6Ww/m:gLhbBBVXfBgG14IvSYGOm |
Runtime Data
Usage (stdout):
Display information about Remote Desktop Services sessions.
QUERY SESSION [sessionname | username | sessionid]
[/SERVER:servername] [/MODE] [/FLOW] [/CONNECT] [/COUNTER] [/VM]
sessionname Identifies the session named sessionname.
username Identifies the session with user username.
sessionid Identifies the session with ID sessionid.
/SERVER:servername The server to be queried (default is current).
/MODE Display current line settings.
/FLOW Display current flow control settings.
/CONNECT Display current connect settings.
/COUNTER Display current Remote Desktop Services counters information.
/VM Display information about sessions within virtual machines.
Usage (stderr):
Invalid parameter(s)
Display information about Remote Desktop Services sessions.
QUERY SESSION [sessionname | username | sessionid]
[/SERVER:servername] [/MODE] [/FLOW] [/CONNECT] [/COUNTER] [/VM]
sessionname Identifies the session named sessionname.
username Identifies the session with user username.
sessionid Identifies the session with ID sessionid.
/SERVER:servername The server to be queried (default is current).
/MODE Display current line settings.
/FLOW Display current flow control settings.
/CONNECT Display current connect settings.
/COUNTER Display current Remote Desktop Services counters information.
/VM Display information about sessions within virtual machines.
Signature
- Status: Signature verified.
- Serial: 33000000BCE120FDD27CC8EE930000000000BC
- Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: qwinsta.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.14393.0 (rs1_release.160715-1616)
- Product Version: 10.0.14393.0
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of qwinsta.exe being misused. While qwinsta.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | apt_silence_downloader_v3.yml | - '\qwinsta.exe' | DRL 1.0 |
sigma | proc_creation_win_local_system_owner_account_discovery.yml | - '\qwinsta.exe' | DRL 1.0 |
sigma | proc_creation_win_multiple_suspicious_cli.yml | - qwinsta.exe | DRL 1.0 |
atomic-red-team | T1033.md | qwinsta.exe /server:#{computer_name} | MIT License. © 2018 Red Canary |
atomic-red-team | T1033.md | qwinsta.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1033.md | for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^\| findstr "Active Disc"') do @echo %i \| find /v "#" \| find /v "console" \|\| echo %j > computers.txt | MIT License. © 2018 Red Canary |
atomic-red-team | T1033.md | @FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^\| findstr "Active Disc"') do @echo %i \| find /v "#" \| find /v "console" \|\| echo %j > usernames.txt | MIT License. © 2018 Red Canary |
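As an added example (not code from any of the sources in the table), the patterns above turned into a small classifier over constructed process-creation events: the sigma image match on \qwinsta.exe, the query session alias that the Microsoft documentation further down describes as the same command, and the /server: form used in the atomic tests. The event field names (Image, CommandLine), host names and the cmd.exe wrapper event are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation events (not real telemetry); field names follow
# the common Sysmon/EDR shape of Image + CommandLine.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\qwinsta.exe", "CommandLine": "qwinsta"},
    {"Image": r"C:\Windows\SysWOW64\qwinsta.exe", "CommandLine": "qwinsta.exe /server:FILESRV01"},
    {"Image": r"C:\Windows\System32\query.exe", "CommandLine": "query session /server:DC01"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c for /F %n in (computers.txt) DO qwinsta /server:%n ^| findstr "Active Disc"'},
]

@dataclass
class Finding:
    image: str
    target: Optional[str]   # host named by /server:, None when absent
    remote: bool            # /server: names a machine other than the local one
    looped: bool            # /server: argument is a batch variable, i.e. a host-list loop
    note: str

SERVER_RE = re.compile(r"/server:([^\s\"']+)", re.IGNORECASE)

def classify(event: dict, local_names=("localhost", "127.0.0.1")) -> Optional[Finding]:
    """Return a Finding when the event is a qwinsta / query session invocation, else None."""
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    direct = image.endswith("\\qwinsta.exe")                                    # sigma-style image match
    alias = image.endswith("\\query.exe") and re.search(r"\bsession\b", cmd, re.I)  # same command per the docs
    via_shell = re.search(r"\bqwinsta(\.exe)?\b", cmd, re.I) is not None        # launched through cmd.exe
    if not (direct or alias or via_shell):
        return None
    m = SERVER_RE.search(cmd)
    target = m.group(1) if m else None
    looped = target is not None and target.startswith("%")
    remote = target is not None and target.lower() not in local_names
    if looped:
        note = "session discovery across a host list"
    elif remote:
        note = f"remote session discovery against {target}"
    else:
        note = "local session query (common administrative activity)"
    return Finding(event["Image"], target, remote, looped, note)

def scan(events: List[dict]) -> List[Finding]:
    """Apply classify() to a batch of events and keep only the matches."""
    return [f for f in (classify(e) for e in events) if f is not None]
```

Local queries without /server: are routine, so a rule built on this would normally alert on the remote and looped findings and only log the rest.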
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
qwinsta
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Displays information about sessions on a Remote Desktop Session Host server. The list includes information not only about active sessions but also about other sessions that the server runs.
[!NOTE] This command is the same as the query session command. To find out what’s new in the latest version, see What’s New in Remote Desktop Services in Windows Server.
Syntax
qwinsta [<sessionname> | <username> | <sessionID>] [/server:<servername>] [/mode] [/flow] [/connect] [/counter]
Parameters
Parameter | Description |
---|---|
<sessionname> | Specifies the name of the session that you want to query. |
<username> | Specifies the name of the user whose sessions you want to query. |
<sessionID> | Specifies the ID of the session that you want to query. |
/server:<servername> | Identifies the RD Session Host server to query. The default is the current server. |
/mode | Displays current line settings. |
/flow | Displays current flow-control settings. |
/connect | Displays current connect settings. |
/counter | Displays current counters information, including the total number of sessions created, disconnected, and reconnected. |
/? | Displays help at the command prompt. |
Remarks
- A user can always query the session to which the user is currently logged on. To query other sessions, the user must have special access permission.
- If you don’t specify a session using the <username>, <sessionname>, or sessionID parameters, this query will display information about all active sessions in the system.
- When qwinsta returns information, a greater than (>) symbol is displayed before the current session. For example:

```text
C:\>qwinsta
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 console           Administrator1            0  active  wdcon
>rdp-tcp#1         User1                     1  active  wdtshare
 rdp-tcp                                     2  listen  wdtshare
                                             4  idle
                                             5  idle
```
Where:
- SESSIONNAME specifies the name assigned to the session.
- USERNAME indicates the user name of the user connected to the session.
- STATE provides information about the current state of the session.
- TYPE indicates the session type.
- DEVICE, which isn’t present for the console or network-connected sessions, is the device name assigned to the session.
- Any sessions in which the initial state is configured as DISABLED won’t show up in the qwinsta list until they’re enabled.
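An added example, not part of the Microsoft text above, of reading this output from a script. It slices each row at the header's column offsets instead of splitting on whitespace, so rows with an empty SESSIONNAME or USERNAME and the ">" marker column are handled correctly; the sample output is constructed to match the layout shown above, with one extra disconnected user session added.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout the docs show: column 0 holds the '>' marker,
# the ID column is right-aligned, and SESSIONNAME/USERNAME may be empty.
SAMPLE_OUTPUT = "\n".join([
    " SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE",
    " console           Administrator1            0  active  wdcon",
    ">rdp-tcp#1         User1                     1  active  wdtshare",
    " rdp-tcp                                     2  listen  wdtshare",
    " rdp-tcp#3         svc_backup                3  Disc    wdtshare",  # added disconnected user
    " " * 45 + "4  idle",
    " " * 45 + "5  idle",
])

@dataclass
class Session:
    name: str
    user: str
    id: int
    state: str
    type: str
    device: str
    current: bool   # row carried the '>' marker

COLUMNS = ["SESSIONNAME", "USERNAME", "ID", "STATE", "TYPE", "DEVICE"]

def parse_qwinsta(text: str) -> List[Session]:
    """Slice each row at the header's column offsets; whitespace splitting
    would misalign rows whose SESSIONNAME or USERNAME cell is empty."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    hdr = next(i for i, ln in enumerate(lines) if "SESSIONNAME" in ln and "STATE" in ln)
    starts = [lines[hdr].index(col) for col in COLUMNS]
    bounds = list(zip(starts, starts[1:] + [None]))
    sessions = []
    for ln in lines[hdr + 1:]:
        name, user, sid, state, typ, dev = (ln[s:e].strip() for s, e in bounds)
        if not sid.isdigit():
            continue    # not a session row (e.g. a trailing message)
        sessions.append(Session(name, user, int(sid), state, typ, dev, ln.startswith(">")))
    return sessions

def disconnected_user_sessions(sessions: List[Session]) -> List[Session]:
    """Sessions a user left in the Disc state: worth auditing, since they keep
    that user's processes and credentials resident on the host."""
    return [s for s in sessions if s.user and s.state.lower().startswith("disc")]
```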
Examples
To display information about all active sessions on server Server2, type:
qwinsta /server:Server2
To display information about active session modeM02, type:
qwinsta modeM02
MIT License. Copyright (c) 2020-2021 Strontic.