Is it a Virus?
✔ NO - Safe
Must be in a Sysinternals PsTools folder (e.g., C:\Sysinternals\PsTools\psloggedon.exe).
Warning
Often runs only when invoked
No background service; remote queries require proper credentials and privileges.
Can I Disable?
✔ YES
As a tool, you can simply delete or ignore it. It does not auto-run unless invoked by a script.
What is psloggedon.exe?
psloggedon.exe is a Sysinternals utility that shows who is currently logged on to a local Windows computer or a remote host. It does not start automatically; you run it on demand to audit sessions, capture the user list, domains, and session types for security checks or troubleshooting.
psloggedon.exe queries Windows authentication data via standard OS APIs to list active logons. It supports local and remote queries when you have proper credentials and network access, providing a quick snapshot for auditing.
Quick Fact: PsLoggedOn is part of the Sysinternals PsTools suite, helping admins verify who is logged on across machines.
Types of PsLoggedOn Usage
- Local Logon Check: Shows who is logged on to the local machine (console and services).
- Remote Logon Check: Queries a remote computer to display its logged-on users (requires credentials).
- Audit Capture: Outputs results to console or a file for audit logs.
- Scripting Integration: Included in admin scripts and batch jobs for automated checks.
- Security Auditing: Used during incident response to confirm active sessions.
Is psloggedon.exe Safe?
Yes, psloggedon.exe is safe when downloaded from official Sysinternals/Microsoft sources.
Is psloggedon.exe a Virus or Malware?
The genuine psloggedon.exe is not a virus. Malware may imitate it; verify source and path as below.
How to Tell if psloggedon.exe is Legitimate or Malware
- Location: Must be in C:\Sysinternals\PsTools\psloggedon.exe or C:\Tools\Sysinternals\psloggedon.exe. Any psloggedon.exe elsewhere is suspicious.
- Digital Signature: Right-click psloggedon.exe -> Properties -> Digital Signatures. Should show "Microsoft Corporation".
- Resource Usage: Typically very light; expect brief execution with minimal CPU and memory.
- Behavior: Should run on demand and exit; no persistent background service.
Red Flags: If psloggedon.exe is located in unusual folders (Temp, AppData, System32) or runs without a clear command or digital signature, scan with antivirus and verify the source.
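The location and signature checks above can be run in one pass with PowerShell. This is an added example, not part of the original page or of Sysinternals; the expected folders are the ones this page names, while the C:\ search root and the function name Test-PsLoggedOnBinary are assumptions to adapt.

```powershell
# Added example (not from the original page). The expected folders are the ones
# this page names; the C:\ search root is an assumption to adjust.
$ExpectedDirs   = @('C:\Sysinternals\PsTools', 'C:\Tools\Sysinternals')
$ExpectedSigner = 'Microsoft Corporation'

function Test-PsLoggedOnBinary {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Subject common name of the signing certificate, or $null when unsigned.
    $signer = $null
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    }

    $flags = @()
    if ($ExpectedDirs -notcontains $file.DirectoryName) { $flags += 'unexpected-location' }
    # 'Valid' means the file hash matches and the chain is trusted; anything else
    # (NotSigned, HashMismatch, NotTrusted, ...) fails the check.
    if ($sig.Status -ne 'Valid')     { $flags += "signature-$($sig.Status)" }
    if ($signer -ne $ExpectedSigner) { $flags += 'unexpected-signer' }

    [pscustomobject]@{
        Path             = $file.FullName
        SignatureStatus  = $sig.Status
        Signer           = $signer
        OriginalFilename = $file.VersionInfo.OriginalFilename
        SHA256           = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Flags            = $flags -join ','
        Verdict          = if ($flags.Count -eq 0) { 'ok' } else { 'review' }
    }
}

# 'psloggedon*.exe' also matches the 64-bit build shipped in PsTools.
Get-ChildItem -Path 'C:\' -Filter 'psloggedon*.exe' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-PsLoggedOnBinary -Path $_.FullName } |
    Format-List
```

The search is by file name, so a renamed copy will not be found; point Test-PsLoggedOnBinary at any suspect file directly and compare the reported OriginalFilename with the name on disk.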
Why Is psloggedon.exe Running on My PC?
psloggedon.exe runs when you or a script explicitly executes the PsLoggedOn tool to view logon sessions on the local or remote machine. It does not run by default and only appears when you initiate it.
Reasons it's running:
- Manual audit of local logons: Security or IT staff run it to see who is logged on locally.
- Remote logon discovery: Administrators query a remote computer to enumerate sessions across a network.
- Incident response or forensics: Used during investigations to verify active users on machines involved.
- Automation in maintenance scripts: Part of batch jobs that collect session data during routine tasks.
- Compliance and auditing: Regular checks to document active sessions for compliance reporting.
Can I Disable or Remove psloggedon.exe?
Yes, you can disable or remove it. It is a standalone tool; remove it if you no longer need it. Deleting the PsTools folder will remove the utility from the system.
How to Stop psloggedon.exe
- End it if running: If the process is still active, end it from Task Manager.
- Remove the executable: Delete psloggedon.exe from its PsTools folder (e.g., C:\Sysinternals\PsTools).
- Uninstall PsTools (optional): Delete the entire PsTools folder to remove all tools.
- Policy controls: If you push PsTools via policy, remove the deployment package to prevent reinstallation.
How to Uninstall PsTools
- ✔ Delete the PsTools folder from your system (e.g., C:\Sysinternals\PsTools).
- ✔ Optionally remove any environment PATH entries added for PsTools.
- ✔ If using a package manager, uninstall the PsTools package.
Common Problems: Handling psloggedon.exe
If psloggedon.exe isn’t behaving as expected, review these common scenarios and fixes.
Common Causes & Solutions
- Wrong path or missing PsTools folder: Ensure psloggedon.exe exists in the PsTools folder (e.g., C:\Sysinternals\PsTools\psloggedon.exe) or re-download PsTools from the official source.
- Cannot query remote machine: Run with an account that has admin privileges; ensure remote Windows management and firewall settings allow the query.
- Access denied due to UAC or remote restrictions: Run in elevated mode (Run as administrator) on both local and remote systems where needed.
- Firewall or network policy blocks remote WMI/RPC: Configure firewall rules to permit management traffic and verify network connectivity to the target host.
- Antivirus flags PsTools as unwanted: Validate the source is official; temporarily create an exception if legitimate.
- Invalid usage syntax or parameters: Consult the PsLoggedOn usage documentation and ensure you pass the correct target machine (e.g., psloggedon.exe \\computername).
Quick Fixes:
1. Run psloggedon.exe in an elevated command prompt to ensure access.
2. Verify the executable location and signature before use.
3. If querying remotely, ensure proper credentials and firewall configuration.
4. Check for updated PsTools packaging from the official Sysinternals site.
5. Document results to a log file for auditing.
Frequently Asked Questions
Is psloggedon.exe a virus?
No. The genuine psloggedon.exe from Sysinternals/Microsoft is a safe auditing tool. Verify the file path (e.g., C:\Sysinternals\PsTools\psloggedon.exe) and digital signature.
What does psloggedon.exe do?
psloggedon.exe lists users currently logged on to a local or remote computer, including domain, session types, and console sessions.
How do I use psloggedon.exe?
Run it from an elevated Command Prompt. For remote checks, specify the target computer (e.g., psloggedon.exe \\SERVERNAME).
Where can I download psloggedon.exe?
From the official Sysinternals website (https://docs.microsoft.com/sysinternals/downloads/psloggedon).
Do I need admin rights to run psloggedon?
Yes. Remote queries and auditing typically require administrator privileges and access to management interfaces.
Can psloggedon.exe be used in scripts?
Yes. It’s commonly integrated into maintenance and auditing scripts to capture logon information programmatically.