Knowing who is connected to your Windows computers isn't about snooping: it is a central piece of security and auditing. For that job PsLoggedOn excels at providing a quick snapshot of local sessions and SMB connections. It is agentless, and it is well complemented by native utilities and other Sysinternals tools.
The advantage is that you don't need to build a lab to obtain useful signals. Understanding how PsLoggedOn determines sessions, interpreting entries such as IPC$ or accounts ending in "$", and cross-referencing the data with net session, quser, NBTSTAT or the Event Viewer lets you build a faithful map of activity and separate noise from real incidents.
What is PsLoggedOn and how does it detect activity?
PsLoggedOn is part of the PsTools suite (Sysinternals/Microsoft) and displays the users with an active local session and the incoming connections to shared resources on the local or a remote computer. Its logic combines two sources: the Registry for local sessions and an API call for SMB sessions.
For local sessions, it treats a user whose profile is loaded as logged on: it scans HKEY_USERS for user SIDs and translates each SID to an account name, so you don't have to comb the Registry by hand.
For network connections (for example to ADMIN$, C$ or IPC$), it enumerates sessions via NetSessionEnum. Keep in mind: if you query a remote computer, it is normal for your own account to appear in the list, because PsLoggedOn opens a session to read that computer's registry.
It also accepts a username as an argument. In that mode it searches the computers in the network neighborhood to tell you where that user is logged on, which is useful before touching their profile or applying changes that require them to be logged off.
Compatibility: the binary runs on clients from Windows Vista and on servers from Windows Server 2008. The most frequently cited version is 1.35 (last updated in 2016), which is still perfectly valid for support and auditing.
Sysinternals Suite Installation and Requirements

The installation is trivial: copy psloggedon.exe (and psloggedon64.exe where applicable) to a folder in your PATH, or run it from the PsTools folder. No formal installation or agent is required.
If you prefer the full Sysinternals suite, you can download the package and extract it. It is also available via winget, which is faster:
winget install sysinternals --accept-package-agreements
PsLoggedOn ships inside PsTools together with PsInfo, PsFile and PsLogList; the full suite adds LogonSessions, Process Explorer and Process Monitor. The classic PsTools download was around 2.7 MB, and today the full suite is a few MB larger, covering end-to-end local/remote administration.
Usage, syntax and practical examples
The syntax is short and direct: a couple of switches cover almost all cases. Running it with - alone displays the help and describes the output format.
psloggedon [-] [-l] [-x] [\\computer | username]
Main parameters: - prints the help, -l limits the output to local sessions (ignoring SMB connections) and -x hides the logon timestamps. You can specify a remote computer by its UNC name (\\COMPUTER) or a username to find out on which computers that user is logged on.
# List sessions on the local computer
psloggedon
# Query a remote computer
psloggedon \\EQUIPO-REMOTO
# Find on which computers a user has a session
psloggedon usuario.dominio
Important reminder: when querying another computer, your own account may appear under "resource shares" because of the authentication needed to read its registry. If you are only interested in the local snapshot, use -l to filter out that noise.
In automation, the first execution records EULA acceptance under HKCU. You can avoid the prompt with -accepteula when you launch it from scripts or deployments.
How to interpret results: IPC$, computer accounts and signals
It is common to see computer accounts (names ending in "$") connected to IPC$. This is rarely a problem: it is usually legitimate system activity, inventory, antivirus/EDR, or administrative tools.
IPC$ is a special share exposed by the Server service for named pipes. Although it is sometimes associated with the "null session", actual access is decided by the security descriptor of each pipe, which admits only authorized identities. It is still present on Windows 10 Pro and modern servers.
A typical case is a script that calls psloggedon or psloggedon64 periodically. On normal days you'll see your own account; on other days, computers will appear as A-COMPUTER$ or B-COMPUTER$ connecting via IPC$. In managed environments this usually comes from inventory or remote tasks.
How do you distinguish normal from unusual? These checks help you get to the bottom of it. The idea is to link each session to specific processes, tasks or services:
- Computer Management > Shared Folders > Sessions/Open Files: who is connected and which files are open.
- The net session command: lists active connections by resource, computer and user, instantly.
- Event Viewer: filter on ID 4624 (successful logon) in the Security log and check the logon type (e.g., 3 = network), the source, and the account.
- Audit policy: enable logon auditing (success and failure) in gpedit.msc so as not to miss events.
- Tasks and services: check Task Scheduler, WMI, inventory, antivirus/EDR and deployment tools that can open sessions.
If it is always the same computers during working hours, it is probably expected. If you see after-hours access, unknown origins or strange patterns, it is time to correlate logs, restrict access and raise alerts.
Alternative native methods for cross-referencing information
In addition to PsLoggedOn, Windows provides options for adding context. Mixing multiple sources reduces false positives and tells you not only who connected, but how.
QUSER / QUERY USER. These commands list Remote Desktop/Terminal Services sessions. Fast on RDS servers and on computers with RDP enabled.
quser /server:EQUIPO-REMOTO
query user /server:EQUIPO-REMOTO
PowerShell (Get-CimInstance). For the local interactive session: the UserName property of Win32_ComputerSystem returns the user logged on at the console (in some RDP scenarios it may be empty).
Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName EQUIPO | Select-Object -ExpandProperty UserName
NBTSTAT. Old-school, but useful for NetBIOS. It shows a host's NetBIOS name table; it does not identify active users unless they accessed shared resources.
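Win32_ComputerSystem only answers for the console user. The same CIM plumbing can list every logon session (interactive, network, RDP) by walking Win32_LogonSession and resolving the owning account through the Win32_LoggedOnUser association. The function below is an added example written for this article, not code from the page or from Microsoft; it assumes WinRM/CIM access to the target (use a DCOM session option for hosts without WinRM), and the logon-type names are the standard codes shared with event 4624.

```powershell
# Added example: enumerate logon sessions on a local or remote computer via CIM.
# Assumes WinRM (WS-Man) reachability for remote targets; for legacy hosts create the
# session with New-CimSessionOption -Protocol Dcom instead.
function Get-LogonSessionReport {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Types kept by default: 2 interactive, 3 network, 10 RDP, 11 cached interactive
        [int[]]$LogonTypes = @(2, 3, 10, 11)
    )

    # Standard logon-type codes shared by Win32_LogonSession.LogonType and event 4624
    $typeNames = @{
        2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
        8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
    }

    $cs = if ($ComputerName -eq $env:COMPUTERNAME) { New-CimSession } else { New-CimSession -ComputerName $ComputerName }
    try {
        foreach ($s in Get-CimInstance -CimSession $cs -ClassName Win32_LogonSession) {
            $type = [int]$s.LogonType      # cast: hashtable keys are Int32, the CIM property is UInt32
            if ($LogonTypes -notcontains $type) { continue }

            # Win32_LoggedOnUser links each session to the account that owns it
            $acct = Get-CimAssociatedInstance -CimSession $cs -InputObject $s -Association Win32_LoggedOnUser |
                    Select-Object -First 1
            $name = if ($acct) { "$($acct.Domain)\$($acct.Name)" } else { '(unresolved)' }

            [pscustomobject]@{
                Computer          = $ComputerName
                LogonId           = $s.LogonId
                Account           = $name
                LogonType         = $typeNames[$type]
                AuthPackage       = $s.AuthenticationPackage
                StartTime         = $s.StartTime
                IsComputerAccount = $name.EndsWith('$')
            }
        }
    }
    finally {
        Remove-CimSession -CimSession $cs
    }
}

# Usage: console/RDP sessions first, then the network (type 3) sessions opened by SMB clients
Get-LogonSessionReport | Sort-Object LogonType, StartTime | Format-Table -AutoSize
```

The network (type 3) rows are the CIM counterpart of what PsLoggedOn lists under resource shares, with the logon time and authentication package that PsLoggedOn does not print; expect several sessions per interactive user, because an elevated and a filtered token each get their own LogonId.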
nbtstat -a EQUIPO
nbtstat -A 192.0.2.25
Task Manager. In the Users tab you will see the active sessions on the local computer, including remote ones. It does not always distinguish the type of access well, but it is worth a quick glance.
Remote Desktop Services Manager (Windows Server). With this MMC snap-in you see users and sessions in detail (ID, state, etc.), essential on RDSH hosts; it was removed in Windows Server 2012, where quser or the Server Manager RDS pages fill the gap.
Auditing with Event Viewer and Sysinternals Utilities
The Event Viewer is key to tying the evidence together. Go to the Security log and filter on 4624 (successful logon); check the logon type, account, source workstation and address.
If there are no events, enable local auditing. In gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy, enable "Audit logon events" for Success and Failure.
PsLogList lets you dump and filter events from the console, locally or remotely. Ideal for extracting 4624, limiting by dates, or exporting CSV without opening the GUI.
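The checks the article describes for 4624 (logon type, account, source, working hours) are the same ones it listed earlier for separating expected computer-account traffic from unusual access, and they can be scripted once the event fields are decoded. The following is an added example written for this article, not code from the page: ConvertFrom-Logon4624 pulls the named EventData fields out of a 4624 record, Get-RecentLogons fetches them from a live Security log (needs local Administrators or Event Log Readers), and Test-LogonAnomaly applies the rules. The allowlist of expected sources, the 07:00-19:00 working window and the three sample logons at the bottom are assumptions constructed for illustration.

```powershell
# Added example: decode 4624 events and flag the ones the article calls unusual.
function ConvertFrom-Logon4624 {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    process {
        # The interesting fields live in EventData as <Data Name="...">value</Data>
        $xml = [xml]$Event.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType   = [int]$d['LogonType']
            Workstation = $d['WorkstationName']
            IpAddress   = $d['IpAddress']
        }
    }
}

function Get-RecentLogons {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop | ConvertFrom-Logon4624
}

function Test-LogonAnomaly {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Logon,
        [string[]]$KnownSources = @(),   # assumed allowlist: workstations/IPs expected to open network or RDP logons
        [int]$WorkdayStart = 7,          # assumed working window, 07:00-19:00
        [int]$WorkdayEnd = 19
    )
    process {
        $reasons = @()
        # 4624 carries '-' when no address applies; fall back to the workstation name
        $source = if ($Logon.IpAddress -and $Logon.IpAddress -ne '-') { $Logon.IpAddress } else { $Logon.Workstation }
        $remote = $Logon.LogonType -in @(3, 10)   # 3 = network (SMB/IPC$), 10 = RemoteInteractive (RDP)

        if ($remote -and $KnownSources -notcontains $source) {
            $reasons += "remote logon from unknown source '$source'"
        }
        if ($remote -and ($Logon.Time.Hour -lt $WorkdayStart -or $Logon.Time.Hour -ge $WorkdayEnd)) {
            $reasons += 'outside working hours'
        }
        if ($Logon.Account -like '*\ANONYMOUS LOGON') {
            $reasons += 'anonymous (null session) logon'
        }

        $Logon |
            Add-Member -NotePropertyName Suspicious -NotePropertyValue ($reasons.Count -gt 0) -Force -PassThru |
            Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -Force -PassThru
    }
}

# Constructed sample (not real log data) so the rules can be exercised without a Security log:
$sample = @(
    [pscustomobject]@{ Time = Get-Date '2024-03-04 09:15'; Account = 'CORP\jdoe';    LogonType = 2; Workstation = 'WS01';       IpAddress = '-' }
    [pscustomobject]@{ Time = Get-Date '2024-03-04 10:02'; Account = 'CORP\SCCM01$'; LogonType = 3; Workstation = 'SCCM01';     IpAddress = '10.0.0.5' }
    [pscustomobject]@{ Time = Get-Date '2024-03-04 02:40'; Account = 'CORP\admin';   LogonType = 3; Workstation = 'UNKNOWN-PC'; IpAddress = '10.0.9.77' }
)
$sample | Test-LogonAnomaly -KnownSources '10.0.0.5', 'SCCM01' |
    Format-Table Time, Account, LogonType, IpAddress, Suspicious, Reason -AutoSize
# Live use: Get-RecentLogons -Hours 48 | Test-LogonAnomaly -KnownSources '10.0.0.5' | Where-Object Suspicious
```

With the sample data only the 02:40 network logon from 10.0.9.77 is marked Suspicious (unknown source and outside hours); the SCCM01$ computer account at 10:02 from an allowlisted source passes, which is exactly the "expected IPC$ traffic" case the article describes. The rules are deliberately simple so that the allowlist, not the code, carries the environment-specific knowledge.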
# Last 100 entries of the Security log on a remote computer
psloglist \\EQUIPO -n 100 Security
# Filter by event source and ID (the log name is the last argument; it defaults to System)
psloglist -o Microsoft-Windows-Security-Auditing -i 4624 Security
# Compact one-record-per-line output with fields separated by ;
psloglist -s -t ";" Security
Its options include time windows (-h, -m, -d), date ranges (-a, -b), include/exclude event IDs (-i, -e), and real-time waiting with -w on the local system. Note that -l reads a saved event log file, not a live log: a live log is named by the positional argument (Security, System, Application). The referenced version is 2.81 (2019).
PsFile tells you which files on a remote computer are open and by whom. You can even close a handle by its ID (with -c) if you need to release a locked file while investigating why an SMB session exists.
LogonSessions lists the active logon sessions with their account, logon type, logon time and SID (and, with -p, the processes running in each), perfect for investigating persistence or stale access. And in the Sysinternals ecosystem, Autoruns, Process Explorer, Process Monitor, PsInfo and RAMMap cover everything from "who" to "what they are doing".
Scripts and automation at scale
For OU- or domain-wide reporting, automate. A community-published Get-UserLogon PowerShell module makes it easy to collect logons by computer, OU or domain with a few commands.
To use it as a module, create the folder and the .psm1 in the standard path, C:\Program Files\WindowsPowerShell\Modules\Get-UserLogon, and import it before use.
# Whole domain
Get-UserLogon -All
# By OU
Get-UserLogon -OU 'ou=Computers,dc=midominio,dc=local'
# A specific computer
Get-UserLogon -Computer EQUIPO-AD01
If you prefer a direct script, there is also one published in the old TechNet Script Gallery. The goal is the same: to list "who" and "where" quickly and in an exportable form for auditing or support.
A typical mistake when orchestrating from PowerShell: don't apply Format-Table in the middle of the pipeline before iterating. It converts the objects into formatting data, and you end up seeing things like "Microsoft.PowerShell.Commands.Internal.Format.FormatEntryData".
# Correct: expand the property before the loop (no Format-Table in between)
$computers = Get-ADComputer -Filter * | Where-Object { $_.DistinguishedName -like "*OU=Computers,OU=site,OU=EMEA Hub,DC=zone2,DC=company,DC=net" } | Select-Object -ExpandProperty Name
foreach ($c in $computers) { & "C:\Ruta\PsTools\psloggedon.exe" -accepteula -x -l \\$c }
Other common pitfalls: insufficient permissions for Remote Registry, a firewall blocking SMB, an unresolved DNS/NetBIOS name, or the wrong binary architecture. Solution: validate credentials, test resolution (ping/Test-Connection), review firewall rules, use the appropriate 32/64-bit build, and add -accepteula in deployments.
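Putting the loop and the pitfalls together, and covering the basic usage shown earlier: the functions below are an added example written for this article, not the page's own script or a Sysinternals tool. The sweep picks the native PsLoggedOn build, passes -accepteula and -x, checks TCP/445 before each host so firewall and name-resolution failures are reported rather than swallowed, keeps the tool's own message when it fails, and turns the text output into objects that flag computer accounts and the session PsLoggedOn itself opened. Assumptions: the PsTools folder location, that the output headers are the "Users logged on locally:" / "Users logged on via resource shares:" lines printed by v1.35, and that the sample output at the end is constructed, not captured from a real host.

```powershell
# Added example: sweep a list of computers with PsLoggedOn and return objects, not text.
function ConvertFrom-PsLoggedOnOutput {
    param([string]$Computer, [string[]]$Lines)
    $scope = $null
    $self  = "$env:USERDOMAIN\$env:USERNAME"
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^Users logged on locally')             { $scope = 'Local'; continue }
        if ($line -match '^Users logged on via resource shares') { $scope = 'Share'; continue }
        # Skip the banner, blank lines and "No one is logged on ..." notices
        if (-not $scope -or -not $line -or $line -match '^(No one is logged on|PsLoggedOn|Copyright|Sysinternals)') { continue }
        # With -x the line is just DOMAIN\account. Without it a locale-formatted timestamp precedes the
        # name; strip a US-style one defensively, but the sweep below always passes -x for this reason.
        $account = $line -replace '^\d{1,2}/\d{1,2}/\d{2,4}\s+\d{1,2}:\d{2}(:\d{2})?(\s+[AP]M)?\s+', ''
        [pscustomobject]@{
            Computer          = $Computer
            Scope             = $scope
            Account           = $account
            IsComputerAccount = $account.EndsWith('$')
            IsSelf            = ($scope -eq 'Share' -and $account -ieq $self)   # the session PsLoggedOn itself opened
            Note              = ''
        }
    }
}

function Invoke-PsLoggedOnSweep {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]$Computers,
        [string]$PsToolsPath = 'C:\Ruta\PsTools',   # assumed location of the PsTools folder
        [switch]$LocalOnly
    )
    # Prefer the native build on 64-bit hosts
    $exeName = if ([Environment]::Is64BitOperatingSystem) { 'psloggedon64.exe' } else { 'psloggedon.exe' }
    $exe = Join-Path $PsToolsPath $exeName
    if (-not (Test-Path $exe)) { throw "PsLoggedOn not found at $exe" }

    $switches = @('-accepteula', '-x')   # no EULA prompt in unattended runs, no timestamps to parse
    if ($LocalOnly) { $switches += '-l' }

    foreach ($c in $Computers) {
        # PsLoggedOn needs SMB (TCP/445) and name resolution; test that first so the failure is explicit
        if (-not (Test-NetConnection -ComputerName $c -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue)) {
            [pscustomobject]@{ Computer = $c; Scope = 'Error'; Account = $null; IsComputerAccount = $false; IsSelf = $false; Note = 'TCP/445 unreachable or name unresolved' }
            continue
        }
        $output = & $exe @switches "\\$c" 2>&1 | ForEach-Object { "$_" }
        $rows = @(ConvertFrom-PsLoggedOnOutput -Computer $c -Lines $output)
        if ($rows.Count -eq 0 -and $LASTEXITCODE -ne 0) {
            # Access denied, Remote Registry stopped, etc.: keep the tool's own message
            [pscustomobject]@{ Computer = $c; Scope = 'Error'; Account = $null; IsComputerAccount = $false; IsSelf = $false; Note = ($output -join ' ').Trim() }
            continue
        }
        $rows
    }
}

# Constructed sample output (not captured from a real host), shaped like PsLoggedOn v1.35 with -x:
$sample = @'
PsLoggedOn v1.35 - See who's logged on
Copyright (C) 2000-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Users logged on locally:
     CORP\jdoe
Users logged on via resource shares:
     CORP\SCCM01$
     CORP\auditor
'@ -split "`r?`n"
ConvertFrom-PsLoggedOnOutput -Computer 'WS01' -Lines $sample | Format-Table -AutoSize

# Real run, exported for the audit trail (use -SearchBase rather than filtering DistinguishedName afterwards):
# Invoke-PsLoggedOnSweep -Computers (Get-ADComputer -Filter * -SearchBase 'OU=Computers,DC=midominio,DC=local').Name |
#     Export-Csv .\logons.csv -NoTypeInformation
```

Because every host yields objects, including the Error rows, the CSV doubles as a coverage report: a computer that never appears is a gap in the sweep, not a quiet one. Unrecognized lines are skipped on purpose, so a new PsLoggedOn version that changes a header will show up as hosts with zero rows rather than as wrong accounts.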
DFIR triage on Windows: express kit
To go a step beyond the "who", DFIRtriage groups together tools to dump evidence quickly on Windows with administrator privileges.
It includes pieces like BrowserHistoryView and LastActivityView for recent activity, pslist for processes (including those you don't see in Task Manager) and tcpvcon for per-process network connections.
Inside the set you will see Sysinternals utilities like Autoruns, PsLoggedOn, PsFile, PsInfo and PsLogList. This lets you identify SMB sessions, close files, inventory the system and extract events without opening dozens of consoles.
Its use is simple: decompress it, run dfirtriage.exe as administrator and collect the artifacts in text files for review or hand-off, speeding up the first response.
Good security practices for remote access
Monitoring is vital, but reducing the attack surface is even more so. Strengthen passwords and rotate credentials so that access is cut off even if someone steals a key.
Apply the principle of least privilege and segment. Only accounts that need it should have remote administration permissions, ideally through controlled groups.
Use a VPN to expose fewer administrative services to the Internet. Encapsulation and encryption reduce noise and prevent the opportunistic reconnaissance that leads to intrusions.
Monitor and enforce. Set up alerts for anomalous activity (times, sources, accounts), log everything (4624, 4625, etc.) and watch for patterns to detect the subtle changes that indicate compromise.
Real-time audit solutions
If your environment grows or you have compliance requirements, platforms such as ManageEngine's ADAudit Plus provide real-time Active Directory auditing and consolidate logon, change and access reports, with a 30-day trial option.
Sysinternals Historical Context and Technical Notes
There were significant milestones in the evolution of PsLoggedOn. Version 1.2 added the -l switch (requested by administrators who only wanted local sessions) and the logon time details.
For local sessions, PsLoggedOn translates the SIDs found under HKEY_USERS. At logon, WinLogon loads the profile and creates a volatile subkey, "Volatile Environment"; its last-modified timestamp allows the local logon time to be deduced.
To read a remote registry it uses RegConnectRegistry; for resource sessions you get logon times "for free" by calling NetSessionEnum (the same base used by the NET command).
The "Ps" prefix was born by analogy with the UNIX ps. PsTools unified local/remote command-line utilities such as PsList, PsKill, PsLogList or PsGetSid, downloadable as a package.
Other historical tools help to understand the ecosystem: Tokenmon monitored security activity (tokens, impersonation); Filemon and Regmon popularized I/O and Registry tracing; DebugView captured debug output with filters and highlighting; NFI (NTFS Information) dumped internal NTFS structures.
A curiosity: on Win9x, Internet Explorer loaded a temporary hive (ratings.pol) with RegLoadKey for Content Advisor, hiding its settings in the Registry until it was unloaded. Anecdotally, there were shortcuts to bypass the poorly designed protections of that era.
Licensing: although the software is free to use, redistribution is not permitted, nor is using or deriving products from the source code without permission. It is recommended to link to the official pages to always obtain the latest version.
Historical tip: if Filemon/Regmon had been loaded as administrator, they could then be run from unprivileged accounts by reusing the already loaded driver (with the security implications that entails).
As an extra curiosity, LiveKd allowed kernel debuggers to run against a live system, presenting RAM as if it were a dump. And on the network side, TCPView/tcpvcon brought socket visibility down to the process level.
The classic Sysinternals content came with the notices and disclaimers typical of community documentation: offered "as is", without warranty, reminding the reader to validate in their own environment.
Additional tracking with policies and scripts
Beyond PsLoggedOn, you can enhance the activity trail with policies and scripts. Enable auditing on the domain or on computers via Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
Key settings: "Audit logon events" (recorded on the computer where the logon happens) and "Audit account logon events" (recorded on domain controllers for domain logons).
You can complement this with logon/logoff scripts that record date, time, computer, user and server in a central repository for forensic analysis or reporting. Protect that repository so that ordinary users can append records but not edit or delete what was already collected, otherwise the trail is only as trustworthy as its least privileged writer.
REM Example lines for a logon/logoff script
echo %date%,%time%,%computername%,%username%,%sessionname%,%logonserver% >> \\SERVIDOR\share\logons.csv
If you opt for WMI/ADSI, another route is to query each DC for the relevant events (logon/logoff), useful for correlation at scale when auditing is well configured.
With PsLoggedOn you get a reliable snapshot of local sessions and per-resource connections, and cross-referencing it with quser, net session, NBTSTAT, Event Viewer, PsLogList, PsFile, LogonSessions and PowerShell modules gives you a 360° view. Understanding the role of IPC$, recognizing computer accounts ending in "$", enabling auditing and documenting with scripts makes the difference between a false alarm and a real incident, and gives you what you need to respond quickly and judiciously.