query.exe

Windows Command-Line Utility

System UtilitySafeAdministrative Tool

CPU Usage

1-10%

Memory

2-20 MB

Location

C:\Windows\System32

Publisher

Microsoft Corporation

Quick Answer

query.exe is safe. It is a legitimate Windows utility used to query user sessions, active sessions, and process status via Terminal Services. It is typically invoked from the command prompt or admin scripts.

Is it a Virus?

✔ NO - Safe

Must be in C:\Windows\System32\query.exe

Warning

Usually legitimate

Often invoked by administrators during remote sessions or audits; unexpected spikes warrant scanning

Can I Disable?

✔ NO

query.exe is a standard Windows tool; disabling may disrupt admin tasks. If needed, restrict usage via access control rather than removal.

What is query.exe?

query.exe is a Windows command-line helper that reports on user sessions, remote sessions, and running processes. It is a lightweight, non-graphical utility that administrators invoke to quickly surface who is logged on and what sessions exist on a host.

query.exe is a built-in Windows command-line tool that retrieves session and process information through Terminal Services APIs. It supports commands such as query user and query session, returning user names, IDs, and session state for auditing and remote management.

Quick Fact: query.exe has been part of Windows for decades and remains essential for quick, scriptable session auditing without a GUI.

Query Tool Modes

Query User: Lists users currently logged on, including session IDs and statuses
Query Session: Displays details for a specific session, including state and activity
Query Process (admin view): Shows processes associated with a user or session for troubleshooting
Remote Administration: Used by remote management scripts to gather session data across hosts
Scripting Output: Output is designed to be parsed by scripts or scheduled tasks

Is query.exe Safe?

Yes, query.exe is safe when it's the legitimate system utility located in C:\Windows\System32 and not replaced by malware.

Is query.exe a Virus or Malware?

The real query.exe is NOT a virus. Malware may masquerade with similar names, so verify location and signature.

How to Tell if query.exe is Legitimate or Malware

File Location: Must be in C:\Windows\System32\query.exe (64-bit Windows) or C:\Windows\SysWOW64\query.exe (32-bit subsystem). Any other path is suspicious.
Digital Signature: Right-click query.exe -> Properties -> Digital Signatures. Should show a Microsoft signer such as "Microsoft Windows".
Resource Usage: Normal usage is minimal and transient when commands run. Persistent high CPU without prompting actions is suspicious.
Behavior: Should execute in response to a user command or script. Random, background spawning is a red flag.

Red Flags: If query.exe is found in non-system folders (Temp, AppData), runs without user action, lacks a valid signature, or consumes CPU constantly, scan with Windows Defender or other AV.

Why Is query.exe Running on My PC?

query.exe runs when an administrator or script queries session data, or when a remote desktop or monitoring tool requests session details.

Reasons it's running:

Active Admin or Script Execution: An admin task or script is actively querying sessions or processes
Remote Desktop/Session Host: RD Session Host or management tools invoke queries for live session data
Scheduled Auditing: A scheduled task collects and logs session information at intervals
Diagnostics and Troubleshooting: IT staff use query.exe to verify user logins and resolve remote access issues
Policy-Linked Startup Tasks: GPO or startup scripts may run query.exe for environment checks

Can I Disable or Remove query.exe?

Disabling query.exe is not recommended. It is a standard Windows tool used for administration. You can restrict its use via permissions or remove it from startup scripts if needed.

How to Stop query.exe

Close Active Command Windows: Close any CMD or PowerShell sessions that invoked query.exe
End Task if Hung: Open Task Manager -> Details -> locate query.exe and End Task
Remove from Scheduled Tasks: Task Scheduler -> locate any tasks calling query.exe and disable or delete
Group Policy Adjustments: Modify GPO to restrict query usage for non-admin users
Verify Scripts: Locate system or admin scripts invoking query.exe and adjust permissions

How to Remove Windows Query Tools

✔ Note: query.exe is a system utility and typically cannot be uninstalled separately. To limit exposure, adjust policies and remove exposure from scripts.
✔ Consider using a different remote management workflow that doesn't rely on query.exe.

Common Problems: High CPU or Unexpected Output from query.exe

If query.exe is consuming resources or producing unexpected results:

Common Causes & Solutions

Active or misconfigured admin scripts: Review and optimize scripts; add appropriate filters to query commands to limit data
Remote Desktop or RD Services activity: Ensure only authorized hosts run queries; tighten RD session host permissions
Scheduled tasks running too often: Increase interval or scope of the task; log only necessary data
Malformed or parsing errors in scripts: Validate and sanitize script output; use proper parsing
Malware impersonating query.exe: Run a full system malware scan; verify signature and path
Unauthorized background processes: Audit startup items and scheduled tasks; remove or restrict unnecessary background queries

Quick Fixes:
1. Run query user /server:<host> to limit scope and avoid broad queries
2. Check for unauthorized CMD/Powershell sessions
3. Review scheduled tasks invoking query.exe and disable as needed
4. Update Windows and ensure a valid signature
5. Run antivirus and malware scans to rule out impersonation

Frequently Asked Questions

Is query.exe a virus?

No, query.exe is a legitimate Windows utility located in C:\Windows\System32. If found elsewhere or unsigned, scan for malware.

What is query.exe used for?

Query.exe is used to retrieve session and process information such as active sessions, user names, and IDs for administration.

Where is query.exe located?

Typically in C:\Windows\System32\query.exe. On 64-bit Windows, the 32-bit WOW64 version may reside elsewhere; verify signature.

Can I delete query.exe?

Do not delete it; it is a system utility. You can disable usage via permissions or alter scripts that invoke it.

Why is query.exe running on startup?

It usually isn't; if it runs at startup, it is likely invoked by a startup script or a scheduled task for auditing. Check Task Scheduler.

How do I reduce query.exe resource usage?

Limit the scope of queries, avoid frequent automatic runs, and run commands in a controlled manner to minimize CPU load.