The tool leverages the remote registry service to query the HKEY_USERS registry hive on the remote computers. It identifies and extracts Security Identifiers (SIDs) associated with active user sessions, and translates these into corresponding usernames, offering insights into who is currently logged in.
If the
-CheckAdminAccess switch is provided, it will gather sessions by authenticating to targets where you have local admin access using Invoke-WMIRemoting (which most likely will retrieve more results)It's important to note that the remote registry service needs to be running on the remote computer for the tool to work effectively. In my tests, if the service is stopped but its Startup type is configured to "Automatic" or "Manual", the service will start automatically on the target computer once queried (this is native behavior), and sessions information will be retrieved. If set to "Disabled" no session information can be retrieved from the target.
Usage:
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Leo4j/Invoke-SessionHunter/main/Invoke-SessionHunter.ps1')If run without parameters or switches it will retrieve active sessions for all computers in the current domain by querying the registry
Invoke-SessionHunterGather sessions by authenticating to targets where you have local admin access
Invoke-SessionHunter -CheckAsAdminYou can optionally provide credentials in the following format
Invoke-SessionHunter -CheckAsAdmin -UserName "ferrari\Administrator" -Password "P@ssw0rd!"You can also use the -FailSafe switch, which will direct the tool to proceed if the target remote registry becomes unresponsive.
This works in cobination with -Timeout | Default = 2, increase for slower networks.
Invoke-SessionHunter -FailSafeInvoke-SessionHunter -FailSafe -Timeout 5Use the -Match switch to show only targets where you have admin access and a privileged user is logged in
Invoke-SessionHunter -MatchAll switches can be combined
Invoke-SessionHunter -CheckAsAdmin -UserName "ferrari\Administrator" -Password "P@ssw0rd!" -FailSafe -Timeout 5 -Match
Specify the target domain
Invoke-SessionHunter -Domain contoso.localSpecify a comma-separated list of targets or the full path to a file containing a list of targets - one per line
Invoke-SessionHunter -Targets "DC01,Workstation01.contoso.local"Invoke-SessionHunter -Targets c:\Users\Public\Documents\targets.txtRetrieve and display information about active user sessions on servers only
Invoke-SessionHunter -ServersRetrieve and display information about active user sessions on workstations only
Invoke-SessionHunter -WorkstationsShow active session for the specified user only
Invoke-SessionHunter -Hunt "Administrator"Exclude localhost from the sessions retrieval
Invoke-SessionHunter -IncludeLocalHostReturn custom PSObjects instead of table-formatted results
Invoke-SessionHunter -RawResultsDo not run a port scan to enumerate for alive hosts before trying to retrieve sessions
Note: if a host is not reachable it will hang for a whileInvoke-SessionHunter -NoPortScan