Error Opening HKEY_USERS for [COMPUTER NAME] PsLoggedon

Question

I use windows server 2008R2

I want to see who is currently Logged on a Machine. I used PsLoggedOn \\Machine Name or IP but it gives me the following error:

Error Opening HKEY_USERS for [COMPUTER NAME] Unable to query resource logons

any suggestion?

I don't know what does it mean to elevate a command session. could you please explain it more? — Mehrdad Kamelzadeh, Jul 16 '12 at 20:16
do this in an elevated command session from node A "wmic /node:b logon" what happens? Note this will not give you the names you are looking for its just a test. — tony roth, Jul 17 '12 at 15:23
are these computers in a domain based environment? And are they in the same domain? — tony roth, Jul 17 '12 at 16:14
@tony No they are in a workgroup. They are not in domain based environment. — Mehrdad Kamelzadeh, Jul 17 '12 at 19:35
without a domain this will be more work, you'll need set the administrator password on both devcies to the same password then login to node A as administrator then run the wmic command again, what happens? — tony roth, Jul 18 '12 at 16:41
Well if I had the Administrator Password of the other machines I could easily connect to that computer via RDP and check the users of that machine. the problem is that their administrator account is disabled — Mehrdad Kamelzadeh, Jul 19 '12 at 08:16
so do you have an account on the remote machine thats equivalent to admin if not you are done then! Done as in there is nothing you can do. — tony roth, Jul 20 '12 at 14:21

score 7 · Answer 1 · edited Jul 31 '12 at 22:06

7

Use PowerShell:

Get-WmiObject -Class win32_process -ComputerName remote-hostname | 
    Where-Object{ $_.Name -eq "explorer.exe" } | 
    ForEach-Object{ ($_.GetOwner()).Domain + "\\" + ($_.GetOwner()).User; }

...replacing remote-hostname with the computer name.

edited Jul 31 '12 at 22:06

Greg Askew

34,339
3
52
81

answered Jul 31 '12 at 21:49

Simon Catlin

5,222
3
16
20

In what way is this better than PsLoggeedOn? – VBwhatnow Aug 01 '12 at 13:54
Erm, no brainer, surely? PS/WMI is built into the O/S, whereas PSLoggedIn requires a binary. – Simon Catlin Aug 02 '12 at 22:05

score 6 · Answer 2 · edited Jun 11 '20 at 10:02

6

OK, it's hard to tell what exactly applies here, and what doesn't, but check this post at the SysInternals forum, specifically, what I'm going to copy below.

On your target machine check if

... [long list of things I clipped out, as they may not apply here, bringing us to]...

As soon as your target machine meets all of the above listed requirements, from your local machine try to execute these commands to your target machine:

net use \\target\Admin$ /user:Administrator

dir \\target\Admin$

net use \\target\Admin$ /delete

(only disconnects, does not delete anything.)

(They also have resources like a FAQ on the tools and links to the MS download page for the tools, so they're worth a visit for information on or questions about the Sysinternals suite.)

Now, assuming that all those criteria are met, and you can actually execute the three commands above, the most common cause of that error from PSLoggedon is... the Remote Registry Service being disabled. It's disabled by default, but required for PSLoggedon (among other things) to work. Check the services on your target machine, and I bet you'll need to enable it to get this tool working for you.

EDIT:

To start a service remotely with PSExec, you'd use:

psexec \\[target] -u [username with admin rights] -p [password] net start [servicename]

So you could use PSExec to remotely start the required services, then use PSLoggedOn, without having to actually go around to every machine, or deploying a GPO.

edited Jun 11 '20 at 10:02

Community

1

answered Jul 31 '12 at 22:34

HopelessN00b

53,385
32
133
208

I need both the remote registry service AND file and printer sharing for psLoggedOn to work. I can set the remote registry service in GPO but nothing about file and printer sharing. It honestly appears to be impossible without going round every machine. – VBwhatnow Aug 01 '12 at 13:53
@VBwhatnow Correct, you need both. (And others, that are enabled by default.) If you have a domain, you can set them to be automatically started by GPO, if you don't, you can use another tool (like PSExec) to manually start them. I'll edit that PSExec command into my answer, I suppose. – HopelessN00b Aug 01 '12 at 13:58
Could you tell me how to set file and printer sharing via GPO? I cant seem to find it anywhere and google has failed me – VBwhatnow Aug 01 '12 at 14:00
@VBwhatnow It depends entirely on what you mean by `set file and printer sharing`, actually. I'm going to make an assumption, and this is that you're talking about enabling the service that supports this functionality, which is called `Server` in the `services.msc` mmc snap-in. (Actual service name is `LanmanServer`.) To turn that on via GPO, it's under `Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services`, define automatic startup. And you may need to define the corresponding exception in Windows Firewall as well. – HopelessN00b Aug 01 '12 at 15:28

score 2 · Answer 3 · answered Jul 17 '12 at 00:49

2

The user context under which the application is running (the Default Network Credentials), needs acces to open and read from the HKEY_USERS hive, on the computers you want to query.

To "elevate the command session", right click the executable (cmd.exe for instance), and choose "Run as Administrator". Now all executables run from that command prompt, will be run with "elevated privileges"

Read more on TechNet about User Account Control, the feature managing token elevation in Windows

answered Jul 17 '12 at 00:49

Mathias R. Jessen

24,907
4
62
95

I did that but again it gives me that error. Let me explain what I am going to do. maybe you can give me a better suggestion. I have two computer A and B. I am working on computer A. and Computer B has different users. these two are on a LAN (same network). I have the IP address of computer B. The question is how can I find which user is currently working on Computer B? Basically is PsloggedOn true tool I am using? – Mehrdad Kamelzadeh Jul 17 '12 at 05:40

Error Opening HKEY_USERS for [COMPUTER NAME] PsLoggedon

3 Answers3

Linked

Related