Process
quser.exe
quser.exe shows the user sessions on a machine: who is logged on, whether each session is active or disconnected, and how long it has been idle. Administrators use it to see who is using a server. Attackers use it to learn who else is on a host before acting, to avoid notice and to hunt for privileged sessions worth stealing.
File identity
Not observed.
Not observed.
Not observed.
Not observed.
Execution context
Not observed.
Not observed.
Not observed.
Not observed.
Not observed.
Not observed.
Ancestry
Not observed.
Not observed.
Not observed.
Not observed.
Behavior
Not observed.
Not observed.
Not observed.
Not observed.
Indicators
Not observed.
Analysis
quser.exe, also available as query user, lists interactive and Remote Desktop sessions on the local machine or, with /server:<host>, a remote one. For each session it shows the user name, the session name and ID, the state, the idle time, and the logon time. The genuine binary lives at C:\Windows\System32\quser.exe.
Legitimately, quser is run by administrators to check who is connected before maintenance or to free up sessions. It only reads session state.
quser answers a question an intruder cares about: who else is here (T1033). Knowing which users are logged on, and which sessions are active rather than idle, helps an attacker time their actions to avoid a watching administrator and, more usefully, spot privileged accounts with live sessions whose tokens or credentials are worth stealing.
A single quser is ordinary administration. quser run by an unusual parent, against remote hosts, or alongside other discovery commands is the reconnaissance pattern to flag.
- Image path other than C:\Windows\System32\quser.exe (high)
- Parent is an Office application, a script host, or an unfamiliar process (high)
- Run shortly after access to enumerate other sessions (med)
- A remote target, /server:<host> (med)
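A sketch of how the image-path, parent, and remote-target indicators above, plus the "alongside other discovery commands" pattern, could be scored over process-creation events. This is an added example, not part of the original page. The event field names, the parent and discovery lists, the two-minute window, and the sample events are all assumptions; timing relative to initial access is not modelled.

```python
import ntpath
from datetime import datetime, timedelta

GENUINE = r"c:\windows\system32\quser.exe"
# Assumed lists; tune them to your own baseline.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
FAMILIAR = {"cmd.exe", "powershell.exe", "query.exe"}
DISCOVERY = {"whoami.exe", "net.exe", "ipconfig.exe", "systeminfo.exe"}
WINDOW = timedelta(minutes=2)  # assumed correlation window

def base(path):
    return ntpath.basename(path).lower()

def score_quser(event, history):
    """Return [(indicator, severity)] for one process-creation event."""
    if base(event["Image"]) != "quser.exe":
        return []
    hits = []
    if event["Image"].lower() != GENUINE:
        hits.append(("image path other than System32", "high"))
    parent = base(event["ParentImage"])
    if parent in OFFICE | SCRIPT_HOSTS:
        hits.append(("Office or script-host parent", "high"))
    elif parent not in FAMILIAR:
        hits.append(("unfamiliar parent", "high"))
    if "/server:" in event["CommandLine"].lower():
        hits.append(("remote target", "med"))
    # Other discovery tools on the same host within WINDOW of this run.
    if any(e["Host"] == event["Host"] and base(e["Image"]) in DISCOVERY
           and abs(e["Time"] - event["Time"]) <= WINDOW for e in history):
        hits.append(("alongside other discovery commands", "med"))
    return hits

def ev(host, hms, image, parent, cmd):
    t = datetime.fromisoformat("2024-01-01T" + hms)  # constructed date
    return {"Host": host, "Time": t, "Image": image,
            "ParentImage": parent, "CommandLine": cmd}

# Constructed sample events, not real telemetry.
EVENTS = [
    ev("SRV01", "09:00:00", r"C:\Windows\System32\quser.exe",
       r"C:\Windows\System32\cmd.exe", "quser"),
    ev("WS07", "14:00:00", r"C:\Windows\System32\whoami.exe",
       r"C:\Windows\System32\wscript.exe", "whoami /all"),
    ev("WS07", "14:00:10", r"C:\Users\Public\quser.exe",
       r"C:\Windows\System32\wscript.exe", "quser /server:FS02"),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["Host"], e["CommandLine"], score_quser(e, EVENTS))
```

The lone administrative run on SRV01 scores nothing, while the WS07 run trips both high and both medium indicators.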
Telemetry
Not observed.
Not observed.