Get current users with active shell/console on the system and associated process
To learn more about queries, check this guide.
-- Login sessions of type 'user' with a non-empty user name, each joined to the
-- process whose pid is recorded for that session, oldest session first.
-- p.cmdline is the raw command line, so results can contain credentials or
-- tokens passed as arguments; handle the output as sensitive data.
SELECT
  liu.user,
  liu.host,
  liu.time,
  p.name,
  p.cmdline,
  p.cwd,
  p.root
FROM logged_in_users AS liu
JOIN processes AS p
  ON p.pid = liu.pid
WHERE liu.type = 'user'
  AND liu.user <> ''
ORDER BY liu.time;
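# Lists processes together with their owning user, the local computer name,
# the process creation time, the image name and the command line, sorted by
# creation time and printed as a table on stdout.
#
# NOTE(review): this walks every Win32_Process instance and keeps any process
# whose owner can be resolved; it does not filter on logon session type, so
# the output covers all owned processes (services included), not only
# interactive shell/console sessions. "time" is the process creation date,
# not a logon time.
$computerName = $env:COMPUTERNAME

# Collect the pipeline output in a single assignment. Appending with += inside
# the loop copies the whole array on every iteration, which is quadratic in
# the number of processes. @( ) keeps $results an array even when nothing or
# only one object is returned.
$results = @(
    Get-CimInstance Win32_Process | ForEach-Object {
        $proc = $_

        # Get owner information. GetOwner reports success with ReturnValue 0;
        # processes whose owner cannot be read (presumably protected or
        # already-exited processes when not elevated - confirm) are skipped.
        $ownerInfo = $proc | Invoke-CimMethod -MethodName GetOwner

        if ($ownerInfo.ReturnValue -eq 0 -and -not [string]::IsNullOrEmpty($ownerInfo.User)) {
            # Emit a custom object with the desired fields.
            # Note: Windows does not expose current working directory (cwd) or
            # process root via WMI, so these fields are returned empty.
            # GetOwner also returns Domain; only User is reported here, so a
            # local account and a domain account with the same name are
            # indistinguishable in the output.
            [PSCustomObject]@{
                user    = $ownerInfo.User
                host    = $computerName
                time    = $proc.CreationDate
                name    = $proc.Name
                # Raw command line: may contain secrets passed as arguments.
                cmdline = $proc.CommandLine
                cwd     = ""
                root    = ""
            }
        }
    }
)

# Sort the results by time (process creation date) and output to stdout.
# Format-Table may truncate long cmdline values to fit the output width; export
# the objects instead of the table when complete command lines are required.
$results | Sort-Object time | Format-Table -AutoSize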
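# Print one CSV row per login session reported by `who`, with the first
# process that `ps` lists for the session's terminal.
# Columns: User,Host,Time,Name,Cmdline,Cwd,Root (Cwd and Root are always N/A).
#
# Assumes `who` prints user, tty, date and time as its first four
# whitespace-separated fields, with an optional trailing "(host)".
# TODO confirm on the target platform; other layouts shift the columns.
#
# Process names and command lines are chosen by whoever started the process,
# so they are treated as untrusted text when the rows are built.

#######################################
# Print a value as a single CSV field.
# Values containing a comma, double quote, CR or LF are wrapped in double
# quotes with embedded quotes doubled; all other values are printed unchanged,
# so rows without such characters look exactly as before.
# Does not neutralise spreadsheet formula prefixes (=, +, -, @); keep that in
# mind before opening the output in a spreadsheet.
# Arguments: $1 - raw field value
# Outputs:   the encoded field on stdout, without a trailing newline
#######################################
csv_field() {
  local value=$1
  local dq='"'
  case $value in
    *,* | *"$dq"* | *$'\n'* | *$'\r'*)
      value=${value//$dq/$dq$dq}
      printf '"%s"' "$value"
      ;;
    *)
      printf '%s' "$value"
      ;;
  esac
}

printf '%s\n' "User,Host,Time,Name,Cmdline,Cwd,Root"

# read -r keeps backslashes in the who output literal.
while read -r login_user tty login_date login_time remainder; do
  # A remainder that is entirely "(host)" is unwrapped; anything else is kept
  # as-is.
  if [[ $remainder == \(*\) ]]; then
    host=${remainder:1:${#remainder}-2}
  else
    host=$remainder
  fi
  [[ -n $host ]] || host="N/A"

  # First process ps reports for the terminal; presumably the session's shell,
  # but that ordering is not guaranteed.
  pid=$(ps -t "$tty" -o pid= | awk 'NR == 1 { print $1; exit }')

  if [[ -n $pid ]]; then
    name=$(ps -p "$pid" -o comm=)
    # Trim surrounding whitespace with parameter expansion; piping through
    # xargs fails on names containing quotes or backslashes.
    name=${name#"${name%%[![:space:]]*}"}
    name=${name%"${name##*[![:space:]]}"}
    # Keep the complete command line. Cutting off the first word hid the
    # executable path whenever the process had arguments.
    cmd=$(ps -p "$pid" -o command=)
    # The process may have exited between the two ps calls.
    [[ -n $name ]] || name="N/A"
    [[ -n $cmd ]] || cmd="N/A"
  else
    name="N/A"
    cmd="N/A"
  fi

  printf '%s,%s,%s,%s,%s,N/A,N/A\n' \
    "$(csv_field "$login_user")" \
    "$(csv_field "$host")" \
    "$(csv_field "$login_date $login_time")" \
    "$(csv_field "$name")" \
    "$(csv_field "$cmd")"
done < <(who)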