If you manage shared PCs, jump boxes, RDP hosts, or Windows servers, one of the first questions during troubleshooting is simple: who is actually logged in right now? Active and disconnected sessions consume memory, can lock files, and sometimes explain why a system feels busy even when no one is physically at the keyboard.
Windows has several built-in commands for answering that question.
Fastest Command to See Logged-In Users
Use:
query userOn many systems, quser works as well:
quserBoth commands show the current interactive sessions on the machine.
What the Output Means
Typical output includes:
- USERNAME: the account signed in
- SESSIONNAME: console or RDP session name
- ID: the session ID
- STATE: active, disconnected, and so on
- IDLE TIME: how long the session has been inactive
- LOGON TIME: when that session started
That combination is enough to answer several useful questions:
- Is anyone actively using the server?
- Did a user leave a disconnected RDP session behind?
- Which session should I target before running
logoff?
query user vs quser
For most practical purposes, query user and quser return the same session view. quser is just a shorter alias people often remember more easily. If one command works on your system, the other usually does too.
See Network Sessions Hitting Shared Folders
Interactive users are not the whole story. If you care about file shares and SMB access, use:
net sessionThis is different from query user.
query usershows signed-in desktop or RDP sessions.net sessionshows remote clients connected to shared resources.
That distinction matters when someone says "nobody is using the server" but files are still locked from another machine.
How to Log Off a Disconnected Session
Once you identify a stale session ID, you can end it:
logoff 2Replace 2 with the real session ID.
Use this carefully. Logging off a user will close their open applications and can discard unsaved work. On a shared RDS or admin server, always confirm that the session is actually abandoned before killing it.
How to Check Recent Logons
If you need historical visibility rather than current sessions, query the Security event log:
wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text /c:10That shows recent successful logons. It is useful when:
- you suspect an account was used outside normal hours
- you want to confirm whether a service account signed in interactively
- the user says "I never logged in to that server"
For failed logons, look for event ID 4625 instead.
Common Troubleshooting Use Cases
Server feels slow with no visible users
Check for disconnected sessions consuming memory or orphaned apps running under other user contexts.
You cannot update a file because it is "in use"
Run net session and inspect SMB sessions, then check open file handles in Computer Management if needed.
Admin tasks fail because another user is connected
Use query user to verify active RDP sessions before restarting services or rebooting.
Remote Usage
On many admin systems, you can query another machine directly:
query user /server:SERVER01Whether this works depends on permissions, edition, network reachability, and services exposed on the remote system.
Which Command Should You Use?
| Goal | Best Command |
|---|---|
| See current interactive sessions | query user |
| Same as above, shorter syntax | quser |
| See SMB share connections | net session |
| Log off a stale session | logoff <ID> |
| Review recent sign-in history | wevtutil qe Security ... |
Bottom Line
For "who is logged in right now," start with:
query userIf you are troubleshooting file locks or remote share access, add net session. If you are doing security review, check recent 4624 and 4625 events as well. Together, those commands give you a much clearer picture than just glancing at the sign-in screen.