
How to Enumerate All Logon Sessions on a Computer in Batch Script

Identifying who is currently logged into a Windows machine, and via which method (local console, Remote Desktop, or background service), is a vital task for system administrators. For security monitoring, you need to know if an unauthorized user is active. For maintenance, you need to know if anyone is currently working before you initiate a reboot. While the "Task Manager" provides a simple view, a Batch script can "Enumerate" all active sessions instantly.

This guide explains how to use the quser and qwinsta commands to audit your system's active logons.

Why Enumerate Logon Sessions?

  • Pre-Reboot Check: Verifying that no one is logged into a production server before pushing updates or restarting a critical service.
  • Security Audit: Identifying suspicious remote sessions (RDP) that might indicate a compromised account or an unauthorized access attempt.
  • Support Troubleshooting: Finding which "Session ID" a user's crashing application is running in so you can forcefully terminate it.

Tool Availability

The quser (Query User) and qwinsta (Query Window Station) commands are built into all modern versions of Windows, including Home, Pro, and Enterprise.

Method 1: Using QUSER (Best for Active Users)

The quser command is the standard way to list every person with an interactive session (local or remote).

@echo off
echo [PROCESS] Listing all currently logged-in users...
echo.

:: Display: Username, Session Name, ID, State, Idle Time, Logon Time
quser 2>nul

if %errorlevel% neq 0 (
    echo [INFO] No interactive user sessions found on this machine.
    echo [NOTE] This can occur if only service accounts are active
    echo or no one has logged in yet.
)
pause

Method 2: Using QWINSTA (Best for All Sessions)

If you need to see "Listener" sessions (the system waiting for an RDP connection) or disconnected sessions, qwinsta provides a deeper look.

@echo off
echo [PROCESS] Retrieving full Window Station inventory...
echo.

qwinsta 2>nul

if %errorlevel% neq 0 (
    echo [ERROR] Could not query window stations.
    echo [HELP] Try running as Administrator.
)
pause

Creating a Remote Desktop Security Auditor

This professional script identifies remote and disconnected sessions and provides a complete session summary.

@echo off
setlocal

echo ============================================================
echo Active Session Security Monitor
echo %COMPUTERNAME% - %DATE% %TIME%
echo ============================================================

:: 0. Verify we can query sessions
quser >nul 2>&1
if %errorlevel% neq 0 (
    echo.
    echo [INFO] No interactive sessions detected.
    echo [NOTE] Run as Administrator for complete results.
    echo ============================================================
    pause
    exit /b 0
)

:: 1. Show full session overview
echo.
echo [OVERVIEW] All active sessions:
echo -----------------------------------------
quser 2>nul
echo -----------------------------------------

:: 2. Check for RDP sessions
echo.
echo [CHECK 1] Remote Desktop Sessions:
quser 2>nul | findstr /i /c:"rdp-tcp" >nul
if %errorlevel% equ 0 (
    echo [ALERT] Active REMOTE sessions detected:
    for /f "tokens=*" %%r in ('quser 2^>nul ^| findstr /i /c:"rdp-tcp"') do echo %%r
) else (
    echo [OK] No remote users are currently connected.
)

:: 3. Check for disconnected sessions
echo.
echo [CHECK 2] Disconnected Sessions:
quser 2>nul | findstr /i /c:"Disc" >nul
if %errorlevel% equ 0 (
    echo [WARN] Stale disconnected sessions found:
    for /f "tokens=*" %%d in ('quser 2^>nul ^| findstr /i /c:"Disc"') do echo %%d
    echo.
    echo [ACTION] Log off stale sessions with: logoff SESSION_ID
) else (
    echo [OK] No disconnected sessions.
)

:: 4. Count active sessions
echo.
echo [CHECK 3] Session Count:
set "SESS_COUNT=0"
for /f "skip=1 tokens=*" %%s in ('quser 2^>nul') do set /a "SESS_COUNT+=1"
echo Active sessions: %SESS_COUNT%

echo.
echo ============================================================
pause

Common Pitfalls and How to Avoid Them

Administrative Rights

While standard users can often see their own session, you must run as an Administrator to see sessions belonging to other users or to see the full technical details in qwinsta.

Output Format (Empty Result)

If quser returns "No User exists for *", it doesn't mean the computer is off. It usually means only the "Console" is active but no one has typed their password yet.

SEO and UX Tip

If the script runs on a high-traffic server, pipe the qwinsta output through findstr /v /i /c:"services" to hide the noisy background system processes and focus only on human logons.

Best Practices for Session Management

  1. Check Idle Time: Use quser to find users who have been idle for 2+ hours. These are the best candidates for being forcefully logged off during maintenance.
  2. Verify Session ID: When using the logoff command, always use the Session ID (e.g., logoff 2) rather than the username, as a single user could technically have multiple sessions on a server.
  3. Automated Security Cleanup: Create a scheduled task that runs your script every hour and logs the current session count to a CSV: echo %DATE% %TIME% >> sessions.csv && quser >> sessions.csv.
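
A CSV logger for the hourly scheduled task in item 3, as an added example that is not from the original article. quser leaves SESSIONNAME blank for disconnected sessions, so a plain token split shifts every later column; the script checks whether the second token is numeric before assigning fields. It assumes English-locale quser output and usernames that do not contain "!"; the variable names are illustrative.

```batch
@echo off
setlocal EnableDelayedExpansion
:: Added example: write one real CSV row per session (not the article's code).
set "LOG=sessions.csv"
:: One timestamp per run so all rows of a snapshot share it.
set "TS=%DATE% %TIME%"

:: Write the header only when the file is first created.
if not exist "%LOG%" >"%LOG%" echo Timestamp,Computer,User,SessionName,Id,State,Idle,Logon

:: skip=1 drops the quser header; %%e receives the rest of the line.
for /f "skip=1 tokens=1-4*" %%a in ('quser 2^>nul') do (
    set "U=%%a"
    rem quser marks the caller's own session with a leading ">"
    if "!U:~0,1!"==">" set "U=!U:~1!"

    rem Token 2 is the session name when it has any non-digit character.
    rem For a disconnected session the name is blank and token 2 is the ID.
    set "NONNUM="
    for /f "delims=0123456789" %%n in ("%%b") do set "NONNUM=1"

    if defined NONNUM (
        rem Layout: user, session name, id, state, then idle + logon time
        set "SN=%%b" & set "ID=%%c" & set "ST=%%d"
        for /f "tokens=1*" %%i in ("%%e") do (set "IDLE=%%i" & set "LOGON=%%j")
    ) else (
        rem Layout: user, id, state, idle, then logon time
        set "SN=" & set "ID=%%b" & set "ST=%%c" & set "IDLE=%%d" & set "LOGON=%%e"
    )

    rem Quote text fields: %TIME% and dates can contain commas in some locales.
    >>"%LOG%" echo "%TS%","%COMPUTERNAME%","!U!","!SN!",!ID!,"!ST!","!IDLE!","!LOGON!"
)
endlocal
```

Because each run appends one row per session, a Disc row whose Logon value stays the same across many hourly runs identifies a stale session by its Id.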

Shadowing

Note that qwinsta also shows a "Session State" called "Listen." This is the RDP service (TermService) waiting for a connection; it is a normal part of the Windows networking infrastructure and should not be terminated.

Conclusion

Enumerating all logon sessions via Batch script is a fundamental prerequisite for professional Windows administration and security monitoring. By leveraging tools like quser and qwinsta to programmatically identify active users and their connection states, you can maintain a transparent and secure environment. This professional approach to system identification ensures that your infrastructure is monitored, your maintenance windows are safe, and your security perimeter is resilient against unauthorized remote access across the entire Windows network.