TheDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt
Use this file to discover all available pages before exploring further.
logonsession command queries the Windows LSA for metadata about one or more active logon sessions. For each session it prints the LUID, username, logon domain, SID, authentication package (e.g. Kerberos, NTLM, Negotiate), logon type (Interactive, Network, NewCredentials, etc.), session ID, logon time, logon server, DNS domain name, and UPN. Without elevation, Rubeus can only read information about the calling process’s own session. When running as SYSTEM or with SeDebugPrivilege, all sessions on the system are enumerable.
Flags
Explicitly request only the current logon session. This is the default behavior when Rubeus is not running in a high-integrity context.
Query a specific logon session by its LUID (hex or decimal). Use
currentluid to find the LUID of any session of interest.Without any flags and without elevation,
logonsession automatically falls back to displaying only the current session. With elevation and no flags, it enumerates all sessions visible to the LSA.Examples
Show the current session’s information
Returns session details for the logon session that owns the calling process.Show a specific session by LUID
Target any session whose LUID you already know — for example a session created withcreatenetonly.