whoami.exe
- File Path:
C:\WINDOWS\SysWOW64\whoami.exe
- Description: whoami - displays logged on user information
Hashes
Type | Hash |
---|---|
MD5 | 311EFED1B6336ED8DC5471FE58C88CB5 |
SHA1 | 11E59C45DAB4B2B65884F043DB738D39574AAFBA |
SHA256 | AA1583D770C6774F8D8FCEC099CF7BDC05BEB0F08F6DB387F5B37CCA860771D7 |
SHA384 | 70F2BA7715EBF01E36F7A6E362D230577D549B3AFEF23557C149C21735AA3099B79ADE748A3BCDB14F5E3A1E149529FF |
SHA512 | 7CAE8E0CA29B21ED29033B58A075AD9FE5A7A2331196C17E4A34DE1F40287FEF16D63D5FCAA34592E87949C0858E2F1E28DB7268A4D0EC25110A1D576BCCBA61 |
SSDEEP | 1536:it/GOnLQsPrbAXLE7bYfnK1lWlVI4ih6oQyINs7c6dwOxL5J9k:cLPYfnyWE4imNs7c6dwOxtJ9k |
Runtime Data
Usage (stdout):
WhoAmI has three ways of working:
Syntax 1:
WHOAMI [/UPN | /FQDN | /LOGONID]
Syntax 2:
WHOAMI { [/USER] [/GROUPS] [/CLAIMS] [/PRIV] } [/FO format] [/NH]
Syntax 3:
WHOAMI /ALL [/FO format] [/NH]
Description:
This utility can be used to get user name and group information
along with the respective security identifiers (SID), claims,
privileges, logon identifier (logon ID) for the current user
on the local system. I.e. who is the current logged on user?
If no switch is specified, tool displays the user name in NTLM
format (domain\username).
Parameter List:
/UPN Displays the user name in User Principal
Name (UPN) format.
/FQDN Displays the user name in Fully Qualified
Distinguished Name (FQDN) format.
/USER Displays information on the current user
along with the security identifier (SID).
/GROUPS Displays group membership for current user,
type of account, security identifiers (SID)
and attributes.
/CLAIMS Displays claims for current user,
including claim name, flags, type and values.
/PRIV Displays security privileges of the current
user.
/LOGONID Displays the logon ID of the current user.
/ALL Displays the current user name, groups
belonged to along with the security
identifiers (SID), claims and privileges for
the current user access token.
/FO format Specifies the output format to be displayed.
Valid values are TABLE, LIST, CSV.
Column headings are not displayed with CSV
format. Default format is TABLE.
/NH Specifies that the column header should not
be displayed in the output. This is
valid only for TABLE and CSV formats.
/? Displays this help message.
Examples:
WHOAMI
WHOAMI /UPN
WHOAMI /FQDN
WHOAMI /LOGONID
WHOAMI /USER
WHOAMI /USER /FO LIST
WHOAMI /USER /FO CSV
WHOAMI /GROUPS
WHOAMI /GROUPS /FO CSV /NH
WHOAMI /CLAIMS
WHOAMI /CLAIMS /FO LIST
WHOAMI /PRIV
WHOAMI /PRIV /FO TABLE
WHOAMI /USER /GROUPS
WHOAMI /USER /GROUPS /CLAIMS /PRIV
WHOAMI /ALL
WHOAMI /ALL /FO LIST
WHOAMI /ALL /FO CSV /NH
WHOAMI /?
Usage (stderr):
ERROR: Invalid argument/option - '-help'.
Type "WHOAMI /?" for usage.
Signature
- Status: Signature verified.
- Serial:
330000023241FB59996DCC4DFF000000000232
- Thumbprint:
FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: whoami.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.18362.1 (WinBuild.160101.0800)
- Product Version: 10.0.18362.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of whoami.exe
being misused. While whoami.exe
is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
whoami
Displays user, group and privileges information for the user who is currently logged on to the local system. If used without parameters, whoami displays the current domain and user name.
Syntax
whoami [/upn | /fqdn | /logonid]
whoami {[/user] [/groups] [/priv]} [/fo <Format>] [/nh]
whoami /all [/fo <Format>] [/nh]
Parameters
Parameter | Description |
---|---|
/upn | Displays the user name in user principal name (UPN) format. |
/fqdn | Displays the user name in fully qualified domain name (FQDN) format. |
/logonid | Displays the logon ID of the current user. |
/user | Displays the current domain and user name and the security identifier (SID). |
/groups | Displays the user groups to which the current user belongs. |
/priv | Displays the security privileges of the current user. |
/fo <Format> | Specifies the output format. Valid values include:</br>table Displays output in a table. This is the default value.</br>list Displays output in a list.</br>csv Displays output in comma-separated value (CSV) format. |
/all | Displays all information in the current access token, including the current user name, security identifiers (SID), privileges, and groups that the current user belongs to. |
/nh | Specifies that the column header should not be displayed in the output. This is valid only for table and CSV formats. |
/? | Displays help at the command prompt. |
Examples
To display the domain and user name of the person who is currently logged on to this computer, type:
whoami
Output similar to the following appears:
DOMAIN1\administrator
To display all of the information in the current access token, type:
whoami /all
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.