Retrieve and display information about active user sessions on remote computers. No admin privileges required.
The tool leverages the remote registry service to query the HKEY_USERS registry hive on the remote computers. It identifies and extracts Security Identifiers (SIDs) associated with active user sessions, and translates these into corresponding usernames, offering insights into who is currently logged in.
If the -CheckAdminAccess
switch is provided, it will gather sessions by authenticating to targets where you have local admin access using Invoke-WMIRemoting (which most likely will retrieve more results)
It's important to note that the remote registry service needs to be running on the remote computer for the tool to work effectively. In my tests, if the service is stopped but its Startup type is configured to "Automatic" or "Manual", the service will start automatically on the target computer once queried (this is native behavior), and sessions information will be retrieved. If set to "Disabled" no session information can be retrieved from the target.
Usage:
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Leo4j/Invoke-SessionHunter/main/Invoke-SessionHunter.ps1')
If run without parameters or switches it will retrieve active sessions for all computers in the current domain by querying the registry
Invoke-SessionHunter
Gather sessions by authenticating to targets where you have local admin access
Invoke-SessionHunter -CheckAsAdmin
You can optionally provide credentials in the following format
Invoke-SessionHunter -CheckAsAdmin -UserName "ferrari\Administrator" -Password "P@ssw0rd!"
You can also use the -FailSafe switch, which will direct the tool to proceed if the target remote registry becomes unresponsive.
This works in cobination with -Timeout | Default = 2, increase for slower networks.
Invoke-SessionHunter -FailSafe
Invoke-SessionHunter -FailSafe -Timeout 5
Use the -Match switch to show only targets where you have admin access and a privileged user is logged in
Invoke-SessionHunter -Match
All switches can be combined
Invoke-SessionHunter -CheckAsAdmin -UserName "ferrari\Administrator" -Password "P@ssw0rd!" -FailSafe -Timeout 5 -Match
Specify the target domain
Invoke-SessionHunter -Domain contoso.local
Specify a comma-separated list of targets or the full path to a file containing a list of targets - one per line
Invoke-SessionHunter -Targets "DC01,Workstation01.contoso.local"
Invoke-SessionHunter -Targets c:\Users\Public\Documents\targets.txt
Retrieve and display information about active user sessions on servers only
Invoke-SessionHunter -Servers
Retrieve and display information about active user sessions on workstations only
Invoke-SessionHunter -Workstations
Show active session for the specified user only
Invoke-SessionHunter -Hunt "Administrator"
Exclude localhost from the sessions retrieval
Invoke-SessionHunter -IncludeLocalHost
Return custom PSObjects instead of table-formatted results
Invoke-SessionHunter -RawResults
Do not run a port scan to enumerate for alive hosts before trying to retrieve sessions
Note: if a host is not reachable it will hang for a while
Invoke-SessionHunter -NoPortScan