Viewing User Activity with PsLoggedOn on Windows: A Practical Guide

Last update: 19/09/2025
Author Isaac
  • PsLoggedOn combines Registry (HKEY_USERS) and NetSessionEnum to list local and resource-based sessions.
  • IPC$ connections to computer accounts are usually legitimate; audit 4624 and review SMB sessions.
  • Complement it with quser, Get-CimInstance, Event Viewer, PsLogList, PsFile and PowerShell modules.
  • Apply security: MFA, least privilege, VPN and monitoring of logon attempts.


In Windows environments, knowing who is logged on to your computers is vital to keeping incidents at bay and auditing access. PsLoggedOn, from the Sysinternals suite, is the key tool for viewing local sessions and connections through shared resources, both on your machine and on remote computers.

Beyond PsLoggedOn, there are native commands and utilities that help corroborate information, enable auditing and detect suspicious logins. In this guide we review how PsLoggedOn works, its syntax, real-life cases (such as IPC$ sessions with computer accounts), alternative methods, and best practices to strengthen remote access security.

What is PsLoggedOn and how does it detect online users?

PsLoggedOn is a PsTools applet that shows you who is logged in locally and who is connected via resources on a local or remote computer. Its logic combines two sources: the Registry for local sessions and the NetSessionEnum API for sessions through shared resources.

For local sessions, PsLoggedOn considers a user logged in if their profile is loaded in the Registry (see the anatomy of the Windows Registry). It examines HKEY_USERS for user SIDs and resolves each SID to its account name for human-readable presentation.

For remote sessions via resources (e.g., IPC$, C$, or ADMIN$), it calls the NetSessionEnum API and lists the active connections. This explains why, when querying a remote computer, you yourself may appear as connected via a share: a session is established to access the remote system's Registry.

Additionally, PsLoggedOn accepts a username as an argument. In that case, it scans the computers in the network neighborhood and tells you if the user is listed as connected on any of them. This is very useful before touching user profiles or policies.
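
The two data sources described above can be queried natively on the local computer. The following is an added example, not PsLoggedOn's own code: the function names are hypothetical, Get-SmbSession stands in for a direct NetSessionEnum call, and the SID filter assumes local or domain accounts (S-1-5-21-...).

```powershell
# Added example: approximates PsLoggedOn's two sources with native cmdlets.
# Function names are hypothetical; run from an elevated PowerShell prompt.

function Get-LoadedProfileUser {
    # Each SID-named subkey of HKEY_USERS is a profile hive that is currently loaded.
    # A loaded hive can also belong to a service or a "run as" process,
    # so treat a hit as "profile in use", not proof of an interactive logon.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |  # skips *_Classes and built-in SIDs
        ForEach-Object {
            $sid = [System.Security.Principal.SecurityIdentifier]$_.PSChildName
            try {
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '<unresolved>'   # deleted account or unreachable domain
            }
            [pscustomobject]@{ Source = 'Registry'; Account = $account; Sid = $sid.Value }
        }
}

function Get-ShareSessionUser {
    # Sessions held open against this computer's SMB server (IPC$, C$, ADMIN$, ...).
    Get-SmbSession | ForEach-Object {
        [pscustomobject]@{
            Source            = 'SMB'
            Account           = $_.ClientUserName
            Client            = $_.ClientComputerName
            IdleSeconds       = $_.SecondsIdle
            IsComputerAccount = $_.ClientUserName.EndsWith('$')
        }
    }
}

Get-LoadedProfileUser | Format-Table -AutoSize
Get-ShareSessionUser  | Format-Table -AutoSize
```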


Installation, versions and requirements

The installation is straightforward: just copy PsLoggedOn to a folder in your PATH and run it. Place psloggedon.exe (and psloggedon64.exe if applicable) in a system folder or use it from the PsTools folder.

PsLoggedOn is part of PsTools, the Sysinternals package that also includes utilities such as PsInfo, PsFile, PsLogList, Process Explorer, and Process Monitor. You can download PsTools (approx. 2.7 MB) from the official Sysinternals site and, if you prefer, install the full suite with Winget using the command "winget install sysinternals --accept-package-agreements".

Compatibility: PsLoggedOn runs on Windows Vista and higher on the client, and Windows Server 2008 and higher on the server. The version documented by the sources is PsLoggedOn v1.35, last updated in 2016, which does not prevent it from continuing to be useful for support and auditing tasks.


PsLoggedOn usage and syntax

The basic call supports a very short set of switches. It is a simple, fast and direct tool:

psloggedon [-] [-l] [-x] [\\computername | username]

Main parameters: -l shows only local sessions, -x hides login times and "-" prints help with options and units of measurement. You can pass a remote computer with its UNC name (\\computer) or a username to search for it on the network.

Typical examples in console or PowerShell: list local sessions and by resources on your PC, consult a remote session or search for a specific user.

psloggedon
psloggedon \\EQUIPO-REMOTO
psloggedon usuario.dominio

Keep in mind that when you query a remote computer, your account may be listed as connected through a share due to the access required to read its Registry. If your goal is to isolate only local sessions, use the -l switch.

Interpret results: IPC$ connections and computer accounts with $ sign

A common case is receiving alerts about sessions established by computer accounts (ending in "$") on the IPC$ resource. This is often worrying, but it is usually due to legitimate activity within the Windows environment itself and services that communicate through named pipes.

IPC$ is a special resource created by the Server service. It allows opening named pipes, which system components and installed applications/services use. Using this connection, even anonymous users can perform certain limited operations, such as listing shared resources, depending on the configuration. Therefore, seeing sessions on IPC$ does not in itself imply anything malicious.

On a Windows 10 Pro computer, it is perfectly normal for the IPC$ resource to exist. The Server service exposes IPC$ to facilitate named pipes and other system operations. If PsLoggedOn shows entries like "DOMAIN\COMPUTER-A$" under "Users connected via shared resources," it's usually because that computer has opened an SMB session to yours (for example, via remote administration).

How to investigate the source? These checks help distinguish legitimate from suspicious, using native tools and what PsLoggedOn offers. The goal is to map the connection to processes, tasks or system components:

  • Check SMB sessions: On the affected computer, open Computer Management > Shared Folders > Sessions and Open Files to see who is online and what they are using.
  • net session command: Run “net session” to list current connections by share, host, and user.
  • Event Viewer: Look for event 4624 (successful logon) in "Windows Logs > Security" and review the logon type (e.g., type 3 for network). The event details the account, workstation, and address.
  • Audit policy: Enable logon auditing in “gpedit.msc” > “Computer Configuration” > “Windows Settings” > “Security Settings” > “Local Policies” > “Audit Policy” > “Audit logon events”, checking Success and Failure.
  • Tasks and services: Check Task Scheduler, remote management services, inventory tools, and antivirus/EDR that may open sessions for queries or deployments.

If the pattern is stable (the same machines with “$” are always connected during business hours) and it corresponds to administration or supervision, it is probably normal. If you detect unusual connections, outside of business hours or from unrecognized devices, then it is worth looking deeper into the logs and limiting access.
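
The rule of thumb above (known machines, business hours) can be applied mechanically to 4624 events. This is an added example, not part of the original guide: the function names, the list of known computer accounts, the business-hours window and the sample records are all assumptions to adapt.

```powershell
# Added example. Function names, known accounts and hours are assumptions.
function ConvertFrom-LogonRecord {
    # Flattens a live 4624 event (from Get-WinEvent) into the fields used below.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated      = $Record.TimeCreated
            LogonType        = [int]$data['LogonType']
            TargetUserName   = $data['TargetUserName']
            TargetDomainName = $data['TargetDomainName']
            IpAddress        = $data['IpAddress']
        }
    }
}

function Get-MachineLogonTriage {
    param(
        [Parameter(Mandatory)] [object[]] $Logon,
        [string[]] $KnownAccount = @(),
        [int] $StartHour = 8,
        [int] $EndHour = 18
    )
    foreach ($e in $Logon) {
        # Keep only network logons (type 3) by computer accounts (name ends in "$").
        if ($e.LogonType -ne 3 -or -not $e.TargetUserName.EndsWith('$')) { continue }
        $reasons = @()
        if ($KnownAccount -notcontains $e.TargetUserName) { $reasons += 'unrecognized computer account' }
        if ($e.TimeCreated.Hour -lt $StartHour -or $e.TimeCreated.Hour -ge $EndHour) { $reasons += 'outside business hours' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = '{0}\{1}' -f $e.TargetDomainName, $e.TargetUserName
            Source  = $e.IpAddress
            Verdict = if ($reasons.Count) { 'review' } else { 'expected' }
            Reasons = $reasons -join '; '
        }
    }
}

# Constructed sample records (not real log data).
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2025-09-18T10:15:00'; LogonType = 3; TargetUserName = 'MGMT-01$'; TargetDomainName = 'CONTOSO'; IpAddress = '192.0.2.10' }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-09-19T02:40:00'; LogonType = 3; TargetUserName = 'LAB-77$'; TargetDomainName = 'CONTOSO'; IpAddress = '192.0.2.77' }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-09-19T09:05:00'; LogonType = 3; TargetUserName = 'alice'; TargetDomainName = 'CONTOSO'; IpAddress = '192.0.2.31' }
)
Get-MachineLogonTriage -Logon $sample -KnownAccount 'MGMT-01$' | Format-Table -AutoSize
# Live data (elevated prompt):
# $ev = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 500 | ConvertFrom-LogonRecord
```

With the sample data, MGMT-01$ is reported as expected, LAB-77$ is flagged for review with both reasons, and the user account is skipped because it is not a computer account.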


Alternative methods to see who is logged in

Complementing PsLoggedOn with native tools gives you a more complete view. Combining multiple sources reduces false positives and gives you context about the session.

Console/PowerShell (quser/query user). Run "quser /server:RemoteComputer" or "query user /server:RemoteComputer" to list Remote Desktop/Terminal sessions. It is fast and useful on servers with RDS and also works for devices that accept RDP.

quser /server:Equipo1
query user /server:Equipo2

PowerShell (Get-CimInstance). A simple approach to checking the local interactive session: «Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName Computer | Select -ExpandProperty username». Note that if someone connects via RDP in certain configurations, this may not return a value.

Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName EQUIPO | Select -ExpandProperty username

Sysinternals PsLoggedOn from your console. If you have the suite, simply invoke "PsLoggedOn \\RemoteComputer" and you'll get both local sessions and connections via resources. It is the most direct way to cross Registry and SMB share sessions.

PsLoggedOn \\EQUIPO-REMOTO

NBTSTAT. “nbtstat -a Host” or “nbtstat -A IPAddress” shows you the NetBIOS name table. It is a legacy method that may offer clues, but is not reliable for identifying active users if they have not accessed shared resources.

nbtstat -a EQUIPO
nbtstat -A 192.0.2.25

Event Viewer. Go to "Windows Logs > Security" and filter by ID 4624 (successful logons). The event details give you username, domain and workstation. Requires administrator rights and auditing enabled.

Task Manager. In the "Users" tab, you can see active sessions on the local machine, including remote ones. It doesn't always clearly differentiate the type of access, but it helps for quick checks.

Remote Desktop Services Manager (Windows Server). From the MMC, add the RDS snap-in to view the "Users" and "Sessions" tabs with details (session ID, status, etc.). It is the reference console on RDSH hosts.

Scripts and related utilities for auditing

When you need reporting at scale (OU, domain, or computer inventory), relying on scripts greatly speeds up the work. There are PowerShell modules and Sysinternals tools designed for this.

PowerShell Get-UserLogon. You can load a module with functions to collect logons by computer, OU, or domain-wide. Save it as psm1 in 'C:\Program Files\WindowsPowerShell\Modules\Get-UserLogon', import it and use it with very simple switches.

# Entire domain
Get-UserLogon -All

# By OU
Get-UserLogon -OU 'ou=Computers,dc=midominio,dc=local'

# A specific computer
Get-UserLogon -Computer EQUIPO-AD01

PsLogList (Sysinternals). If you're looking to correlate security events, psloglist dumps local or remote event logs, even if you authenticate with other credentials. It's an advanced clone of elogdump and can extract messages from the source machine of the log.

# Last 100 entries of the Security log on a remote computer
# (the log name is a positional argument; -l expects an event log file)
psloglist \\EQUIPO -n 100 security

# Filter the Security log by source or event ID
psloglist -o "Microsoft-Windows-Security-Auditing" -i 4624 security

# CSV-friendly (one entry per line)
psloglist -s -t ";" security

Its parameters allow you to limit by dates (-a, -b), time windows (-h, -m, -d), number of entries (-n), IDs to include or exclude (-i, -e) and sources (-o, -q), and even to wait for new events in real time with -w on the local system. The version referenced by the sources is v2.81 (updated in 2019).


PsFile (Sysinternals). Useful for knowing which files on a remote computer are open by network users, their access type, and even close them by indicating the ID if you need to release them. It requires specifying credentials when you don't have sufficient permissions.

Other utilities in the suite that complement diagnostics: PsInfo for inventory, Process Explorer and Process Monitor for inspecting processes and DLLs, LogonSessions for listing active sessions, and RAMMap for memory scanning. The Sysinternals ecosystem covers everything from session detection to deep system analysis.

Strengthen remote access security

Monitoring who's coming in is good; reducing the attack surface is even better. These measures raise the bar and avoid scares:

  • Strong passwords and periodic rotations for all accounts with remote access.
  • Multi-factor authentication (MFA) to cut off unauthorized access even with stolen credentials.
  • Principle of least privilege: Only essential permissions, avoiding broad memberships.
  • VPN to encapsulate and encrypt remote traffic on public or mixed networks.
  • Logon monitoring with alerts for anomalous activity (unexpected origins, strange times).

With PsLoggedOn, you can view local sessions and connections by resource at a glance, and rely on commands like quser, NBTSTAT, and the Event Viewer to complete the picture. If you correctly interpret IPC$ entries and accounts ending in "$", enable auditing, and rely on PsLogList, PsFile and PowerShell modules, you'll have control over who's connecting, from where, and why, as well as a solid foundation for responding to any suspicious activity.
