
Overview

The loggedon action enumerates currently logged-on users on local and remote systems. It queries the Win32_LoggedOnUser WMI class to identify all active user sessions, including interactive, remote desktop, and service sessions.
This is particularly useful for identifying high-value targets during lateral movement or determining if administrators are logged into systems.

Syntax

Local Query

SharpWMI.exe action=loggedon

Parameters

Parameter     Required  Description
action        Yes       Must be loggedon
computername  No        Target host(s), comma-separated. Defaults to localhost
username      No        Username for authentication (requires password)
password      No        Password for authentication (requires username)

Usage Examples

Basic Usage

SharpWMI.exe action=loggedon

Example Output

server.domain.com: DOMAIN\Administrator
server.domain.com: DOMAIN\jdoe
server.domain.com: DOMAIN\serviceaccount
server.domain.com: NT AUTHORITY\SYSTEM
server.domain.com: NT AUTHORITY\LOCAL SERVICE
The output includes system accounts (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) and service accounts. Filter these when looking for interactive user sessions.

Operational Scenarios

Scenario 1: Domain Admin Hunting

Identify which systems have domain administrators logged in:
# Check domain controller
SharpWMI.exe action=loggedon computername=dc.domain.com

# Check multiple servers
SharpWMI.exe action=loggedon computername=dc1,dc2,fileserver,appserver,sql01

# With credentials
SharpWMI.exe action=loggedon computername=dc1,dc2,fs1,fs2 username="DOMAIN\user" password="Password123!"
Look for:
  • Domain Admin accounts
  • Enterprise Admin accounts
  • Service accounts with elevated privileges
  • Administrator workstations

Scenario 2: Lateral Movement Target Selection

Determine the best targets for lateral movement:
# Enumerate logged-on users across subnet
SharpWMI.exe action=loggedon computername=10.0.0.10,10.0.0.11,10.0.0.12,10.0.0.13,10.0.0.14,10.0.0.15
Target systems where:
  • Multiple administrators are logged in
  • High-value users are present
  • Service accounts are running (for credential theft)

Scenario 3: Operational Security

Ensure administrators aren’t logged in before conducting operations:
# Check target before executing payload
SharpWMI.exe action=loggedon computername=target-workstation.domain.com

# If no admins present, proceed with execution
SharpWMI.exe action=exec computername=target-workstation.domain.com command="payload.exe"

Scenario 4: Network Mapping

Map user activity across the network:
# Enumerate all domain systems (example with PowerShell wrapper)
# Get-ADComputer -Filter * | Select -ExpandProperty Name | ForEach-Object {
#   SharpWMI.exe action=loggedon computername=$_
# }

Understanding Session Types

The Win32_LoggedOnUser class returns various types of sessions:
Session Type       Description                Indicator
Interactive        Console login              Physical or VM access
RemoteInteractive  RDP/Terminal Services      Remote desktop session
Network            File share/network access  SMB connections
Service            Service account sessions   Running services
Batch              Scheduled tasks            Task Scheduler
SharpWMI automatically filters out some system accounts (DWM-, UMFD-) but still returns:
  • NT AUTHORITY\SYSTEM
  • NT AUTHORITY\LOCAL SERVICE
  • NT AUTHORITY\NETWORK SERVICE
When analyzing output, focus on domain and local user accounts.
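The session types in the table above come from Win32_LogonSession.LogonType, which Win32_LoggedOnUser references through its Dependent property. The following Python example is added here (it is not SharpWMI code) to show how the Antecedent/Dependent references are parsed and joined so that every remaining account carries its session types; the reference strings and LogonType values are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed (Win32_Account ref, Win32_LogonSession ref) pairs as Win32_LoggedOnUser returns them.
LOGGED_ON_USER = [
    ('\\\\.\\root\\cimv2:Win32_Account.Domain="DOMAIN",Name="jdoe"',
     '\\\\.\\root\\cimv2:Win32_LogonSession.LogonId="1001"'),
    ('\\\\.\\root\\cimv2:Win32_Account.Domain="DOMAIN",Name="jdoe"',
     '\\\\.\\root\\cimv2:Win32_LogonSession.LogonId="1002"'),
    ('\\\\.\\root\\cimv2:Win32_Account.Domain="DOMAIN",Name="Administrator"',
     '\\\\.\\root\\cimv2:Win32_LogonSession.LogonId="1003"'),
    ('\\\\.\\root\\cimv2:Win32_Account.Domain="DOMAIN",Name="svc_backup"',
     '\\\\.\\root\\cimv2:Win32_LogonSession.LogonId="1004"'),
    ('\\\\.\\root\\cimv2:Win32_Account.Domain="NT AUTHORITY",Name="SYSTEM"',
     '\\\\.\\root\\cimv2:Win32_LogonSession.LogonId="999"'),
    ('\\\\.\\root\\cimv2:Win32_Account.Domain="Window Manager",Name="DWM-1"',
     '\\\\.\\root\\cimv2:Win32_LogonSession.LogonId="1005"'),
]
# Constructed Win32_LogonSession.LogonType values keyed by LogonId.
LOGON_SESSION = {"1001": 2, "1002": 10, "1003": 3, "1004": 5, "999": 0, "1005": 2}

# Win32_LogonSession.LogonType codes as documented by Microsoft.
LOGON_TYPES = {0: "System", 2: "Interactive", 3: "Network", 4: "Batch",
               5: "Service", 7: "Unlock", 10: "RemoteInteractive",
               11: "CachedInteractive"}
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                   "NT AUTHORITY\\NETWORK SERVICE"}
ACCOUNT_RE = re.compile(r'Domain="([^"]+)",Name="([^"]+)"')
SESSION_RE = re.compile(r'LogonId="(\d+)"')


def sessions_by_account(pairs, logon_sessions):
    """Map DOMAIN\\user -> sorted session type names; drops DWM-/UMFD- and NT AUTHORITY accounts."""
    result = defaultdict(set)
    for antecedent, dependent in pairs:
        acct, sess = ACCOUNT_RE.search(antecedent), SESSION_RE.search(dependent)
        if not acct or not sess:
            continue  # malformed reference: skip it rather than abort the run
        domain, name = acct.groups()
        account = f"{domain}\\{name}"
        if account in SYSTEM_ACCOUNTS or name.startswith(("DWM-", "UMFD-")):
            continue
        code = logon_sessions.get(sess.group(1))
        result[account].add(LOGON_TYPES.get(code, f"Unknown({code})"))
    return {a: sorted(t) for a, t in result.items()}


def console_or_rdp_users(pairs, logon_sessions):
    """Accounts with a console or RDP session (Interactive/RemoteInteractive above); Network/Service-only sessions are left out."""
    wanted = {"Interactive", "RemoteInteractive", "CachedInteractive"}
    return sorted(a for a, t in sessions_by_account(pairs, logon_sessions).items()
                  if wanted & set(t))
```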

Remote vs Local Usage

Local Enumeration

When to use:
  • Post-exploitation on compromised system
  • Determining current logged-on users
  • Identifying potential credential theft targets
Advantages:
  • No network traffic
  • Works without admin privileges
  • Immediate results
SharpWMI.exe action=loggedon

Detection Considerations

Enumerating logged-on users across multiple systems can generate detectable patterns, especially when done in bulk.
Query indicators:
  • WMI queries for Win32_LoggedOnUser class
  • Bulk WMI queries from single source
  • Queries originating from non-administrative systems
  • Rapid sequential WMI connections
  • Queries outside business hours
Event log indicators:
  • Event ID 4624: Account logon (WMI connection)
  • Event ID 4672: Special privileges assigned to new logon
  • Event ID 5857: WMI activity
  • Sysmon Event ID 19-21: WMI activity
  • Multiple 4624 events from same source IP
Network indicators:
  • DCOM traffic on port 135
  • Dynamic RPC connections
  • Multiple WMI connections in short timeframe
Behavioral indicators:
  • WMI queries from workstation to servers
  • User account querying multiple systems
  • Queries against high-value targets (DCs, servers)
  • Reconnaissance pattern: loggedon → ps → exec
  • Queries correlating with other suspicious activity
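The "bulk queries from a single source", "multiple 4624 events from same source IP" and "outside business hours" indicators above can be turned into a simple detection. The Python below is an added example written for this page (not part of SharpWMI or any SIEM product): it reads constructed 4624 events, keeps only network logons (type 3, which a remote WMI/DCOM connection produces on the target), and flags an account/source pair that reaches many distinct hosts inside one sliding window. The pipe-delimited field layout is an assumption of the example, not a Windows format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security 4624 events as a SIEM might export them; the
# field layout (timestamp|host that logged it|logon type|account|source IP) is
# an assumption of this example, not a Windows format.
EVENTS = [
    "2024-03-01T02:10:01|dc1|3|DOMAIN\\user|10.0.0.50",
    "2024-03-01T02:10:03|dc2|3|DOMAIN\\user|10.0.0.50",
    "2024-03-01T02:10:05|fileserver|3|DOMAIN\\user|10.0.0.50",
    "2024-03-01T02:10:06|appserver|3|DOMAIN\\user|10.0.0.50",
    "2024-03-01T02:10:08|sql01|3|DOMAIN\\user|10.0.0.50",
    "2024-03-01T09:15:00|fileserver|3|DOMAIN\\jdoe|10.0.0.77",
    "2024-03-01T09:42:00|appserver|3|DOMAIN\\jdoe|10.0.0.77",
    "2024-03-01T10:00:00|ws12|2|DOMAIN\\alice|-",
]


def parse_event(line):
    ts, host, logon_type, account, src = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "type": int(logon_type), "account": account, "src": src}


def find_fanout(lines, window=timedelta(minutes=5), min_hosts=4,
                business_hours=(8, 18)):
    """Flag each (account, source IP) whose type-3 logons reach >= min_hosts
    distinct hosts inside one sliding window of `window`; also mark whether
    the burst started outside business_hours (local time of the events)."""
    by_source = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["type"] == 3 and ev["src"] != "-":
            by_source[(ev["account"], ev["src"])].append(ev)
    alerts = []
    for (account, src), evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        best, best_start, start = set(), None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward past stale events
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) > len(best):
                best, best_start = hosts, evs[start]["ts"]
        if len(best) >= min_hosts:
            alerts.append({"account": account, "src": src, "hosts": sorted(best),
                           "first_seen": best_start.isoformat(),
                           "after_hours": not business_hours[0] <= best_start.hour < business_hours[1]})
    return alerts
```

Correlating a hit with Microsoft-Windows-WMI-Activity (5857) or Sysmon 19-21 on the target hosts distinguishes WMI enumeration from other type-3 logon sources such as file share access.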

Best Practices

Operational Security

  • Limit query frequency to avoid detection
  • Blend in with legitimate admin activity
  • Use during business hours when WMI traffic is common
  • Don’t query all systems at once

Target Selection

  • Prioritize high-value systems (DCs, app servers)
  • Focus on systems likely to have admin sessions
  • Cross-reference with network shares
  • Use information for lateral movement planning

Credential Management

  • Use current context when possible
  • Rotate credentials between operations
  • Minimize use of domain admin accounts
  • Monitor for account lockouts

Data Handling

  • Parse output to identify high-value accounts
  • Filter system accounts from results
  • Track user session patterns
  • Correlate with other enumeration data

Comparison with Alternatives

WMI (SharpWMI)

Advantages:
  • Native Windows functionality
  • No additional tools required
  • Works over existing RPC/DCOM
Disadvantages:
  • Requires admin privileges
  • Generates WMI event logs
  • Network traffic visible
SharpWMI.exe action=loggedon computername=target

Troubleshooting

Cause: Insufficient privileges
Solution:
  • Verify you have admin rights on target
  • Use username/password parameters
  • Check UAC remote restrictions
  • Verify WMI permissions: wmimgmt.msc
Cause: Network or firewall issue
Solution:
  • Verify target is online
  • Check firewall rules for ports 135, 445
  • Ensure WMI service is running
  • Test with: wmic /node:target computersystem get name
Cause: No active sessions or query issue
Solution:
  • Verify users are actually logged in
  • Check if system is a workstation vs server
  • Test locally first: SharpWMI.exe action=loggedon
  • Try manual WMI query: wmic /node:target path Win32_LoggedOnUser get Antecedent
Cause: Multiple sessions for same user
Solution:
  • This is expected behavior (console + RDP sessions)
  • Parse output to deduplicate if needed
  • Each session type appears separately

Additional Resources

# Using wmic
wmic /node:target path Win32_LoggedOnUser get Antecedent

# Using PowerShell
Get-WmiObject -Class Win32_LoggedOnUser -ComputerName target | Select Antecedent

# Get logged-on users with PowerShell
$users = Get-WmiObject -Class Win32_LoggedOnUser -ComputerName target
$users | ForEach-Object {
    $user = $_.Antecedent
    if ($user -match 'Domain="(.+?)",Name="(.+?)"') {
        "$($matches[1])\$($matches[2])"
    }
} | Select-Object -Unique