Sometimes it’s handy to find out who is logged on at a remote Windows computer. For example, before rebooting a critical server after hours, you might want to make sure your boss isn’t logged in at his computer.
In Linux, this is easy. You simply log in to the remote computer with telnet…yikes) and run the who command. For example:
    me@bosscomputer:~$ who
    boss     tty7         2008-10-16 07:57 (:0)
    me       pts/0        2008-11-14 15:25 (mycomputer)
In Windows, I found two ways of doing this. Both ways work with Windows XP and Windows 2003 (and perhaps other versions too).
    C:\tools\pstools>psloggedon.exe \\bosscomputer

    loggedon v1.33 - See who's logged on
    Copyright ⌐ 2000-2006 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Users logged on locally:
         11/14/2008 9:35:31 AM      MYDOMAIN\BOSS
In the example above, we see that my boss is currently logged into BOSSCOMPUTER and he logged in at 11/14/2008 9:35:31 AM.
Often, you’ll see error messages like these in the output, which you can ignore:
    Error: could not retrieve logon time NT AUTHORITY\LOCAL SERVICE
    Error: could not retrieve logon time NT AUTHORITY\NETWORK SERVICE
The neat thing about psloggedon is that it tells you not only about a logon from a user sitting in front of the computer but it can also tell you about remote logons to the computer via protocols like Remote Desktop Protocol (RDP). Here is an example of invoking psloggedon on a computer running Citrix Server (like Terminal Services):
    C:\tools\pstools>psloggedon.exe \\citrixbox

    loggedon v1.33 - See who's logged on
    Copyright ⌐ 2000-2006 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Users logged on locally:
         11/14/2008 9:27:15 AM      MYDOMAIN\john
         11/14/2008 6:44:56 AM      MYDOMAIN\mary
         11/14/2008 6:29:42 AM      MYDOMAIN\steve
         11/14/2008 6:34:21 AM      MYDOMAIN\martha
All of the users in the above example were logged in remotely (despite the misleading word “locally” in the output).
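As an added example (not part of the original post), here is one way to turn psloggedon output into a list of sessions for a pre-reboot check, skipping the service-account error entries mentioned above. The sample text is constructed, and the function names, the US date format and the line layout of the error entries are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the psloggedon v1.33 output quoted above.
# Assumption: the "could not retrieve logon time" error may share a line with
# the account name or precede it on its own line, so both layouts appear here.
SAMPLE = r"""loggedon v1.33 - See who's logged on

Users logged on locally:
     Error: could not retrieve logon time NT AUTHORITY\LOCAL SERVICE
     Error: could not retrieve logon time
NT AUTHORITY\NETWORK SERVICE
     11/14/2008 9:27:15 AM      MYDOMAIN\john
     11/14/2008 6:44:56 AM      MYDOMAIN\mary
"""

ERROR = "Error: could not retrieve logon time"
# Assumption: US-style M/D/YYYY h:mm:ss AM/PM timestamps, as shown on the page.
LOGON = re.compile(
    r"^\s*(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(\S.*?)\s*$")

def parse_psloggedon(text):
    """Return a (logon_time_or_None, account) tuple for every listed session."""
    sessions, awaiting_account = [], False
    for line in text.splitlines():
        match = LOGON.match(line)
        if match:
            when = datetime.strptime(match.group(1), "%m/%d/%Y %I:%M:%S %p")
            sessions.append((when, match.group(2)))
            awaiting_account = False
        elif ERROR in line:
            account = line.split(ERROR, 1)[1].strip()
            if account:
                sessions.append((None, account))
            awaiting_account = not account
        elif awaiting_account and "\\" in line:
            sessions.append((None, line.strip()))
            awaiting_account = False
    return sessions

def human_sessions(sessions):
    """Drop built-in service identities, which are not people at a keyboard."""
    return [(when, account) for when, account in sessions
            if not account.upper().startswith("NT AUTHORITY\\")]

if __name__ == "__main__":
    for when, account in human_sessions(parse_psloggedon(SAMPLE)):
        print(f"{account} logged on at {when}")
```

An empty result from human_sessions means psloggedon listed no user sessions in the text it was given; as the post notes, the listed sessions include remote logons as well as console ones.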
If you only care about logins from a user sitting in front of the computer, you can use another method: wmic.exe. For example:

    C:\tools\pstools>wmic /node:"bosscomputer" ComputerSystem GET UserName
    UserName
    MYDOMAIN\boss
In the above example, you can see that my boss is logged in at BOSSCOMPUTER. When using the wmic command, I recommend you get in the habit of wrapping the computer name in quotation marks. If you don’t, and the name contains a hyphen, you’ll see the error “Invalid Global Switch”.
If this tip helped you, please leave me a comment or send me an email!