PywerView gives you full control over how results are presented. The default mode prints human-readable key: value pairs that are easy to scan in a terminal, while the --json flag switches to structured JSON output that carries command metadata alongside results — making it straightforward to pipe into jq, save to files, or feed into downstream tooling. Both modes are available on every subcommand. Understanding the output structure and the logging system helps you get the most out of PywerView whether you are doing interactive enumeration or scripting automated workflows.

Default Text Output

Without any flags, PywerView prints each returned Active Directory object as a block of key: value lines. Multiple objects are separated by blank lines.

dnshostname: centos.contoso.com

dnshostname: debian.contoso.com

dnshostname: windows10.contoso.com

For commands that return full object data (using --full-data), every LDAP attribute is printed on its own line:

distinguishedname:  CN=Administrator,CN=Users,DC=contoso,DC=com
useraccountcontrol: NORMAL_ACCOUNT
samaccountname:     Administrator

JSON Output

Add --json to any command to switch to machine-readable output. The JSON envelope includes a cmd block with the submodule name, all parsed arguments, and ISO-format start and end timestamps — giving you a complete audit trail of exactly what was queried and when.

pywerview get-netuser \
  -t dc.contoso.com \
  -u alice \
  -p 'P@ssw0rd' \
  -w contoso.com \
  --json

JSON Structure

{
  "cmd": {
    "submodule": "get-netcomputer",
    "args": { "domain_controller": "dc.contoso.com", "domain": "contoso.com" },
    "starting_time": "2024-01-15T10:30:00",
    "ending_time": "2024-01-15T10:30:02"
  },
  "results": [
    {
      "dnshostname": "centos.contoso.com"
    },
    {
      "dnshostname": "debian.contoso.com"
    }
  ]
}

The results array contains one entry per returned AD object. Each entry is produced by calling .to_json() on the underlying object, so attribute names match their LDAP counterparts exactly.

Logging Levels

The -l / --logging-level flag controls the verbosity of diagnostic messages written to stderr. Results always go to stdout, so piping works regardless of logging level.

| Level | Description |
| --- | --- |
| CRITICAL | Only critical errors are shown. (default) |
| WARNING | Warnings plus critical errors. |
| DEBUG | Verbose internal operations — connection setup, LDAP filter construction, response parsing. |
| ULTRA | Extremely verbose. Shows raw LDAP queries and low-level impacket/ldap3 activity. |

Level names are case-insensitive. Pass the level directly after the flag:

pywerview get-netcomputer -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com -l DEBUG

The ULTRA logging level is extremely verbose and is intended only for deep debugging sessions. It exposes raw LDAP queries, packet-level activity from ldap3, and internal state from impacket. Use it when you need to diagnose an unexpected result or a connection failure — not during normal enumeration, as the output volume makes results difficult to read.

Pipeline Integration

Combining --json with jq is the fastest way to extract specific fields from large result sets. The cmd block gives you timestamps for free, so every saved file is self-documenting.

Extract Specific Fields with jq

pywerview get-netcomputer \
  -t dc.contoso.com \
  -u alice \
  -p 'P@ssw0rd' \
  -w contoso.com \
  --json | jq '.results[].dnshostname'

Save Results to File

pywerview get-netuser \
  -t dc.contoso.com \
  -u alice \
  -p 'P@ssw0rd' \
  -w contoso.com \
  --json > users.json

Because the JSON includes starting_time and ending_time inside the cmd block, saved files retain full provenance — you always know when the data was collected and which arguments produced it.
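
Because the cmd block records the parsed arguments, a saved file is worth checking for secrets before it is archived or shared. The following is an added example, not part of PywerView or of the original page: it validates an envelope, derives the collection window from starting_time and ending_time, and masks credential-like arguments. The function name sanitize_envelope, the SENSITIVE_ARGS key names, and the "user" and "password" keys in the sample are assumptions.

```python
import json
from datetime import datetime

# Assumption: names of cmd.args keys that can carry secrets. They are not
# taken from the page; match them to the keys your own output contains.
SENSITIVE_ARGS = {"password", "hashes", "lmhash", "nthash"}

def sanitize_envelope(raw):
    """Validate a --json envelope; return (redacted copy, summary)."""
    doc = json.loads(raw)
    cmd, results = doc.get("cmd"), doc.get("results")
    if not isinstance(cmd, dict) or not isinstance(results, list):
        raise ValueError("expected an object with 'cmd' and a 'results' list")
    # The ISO timestamps in cmd give the collection window.
    start = datetime.fromisoformat(cmd["starting_time"])
    end = datetime.fromisoformat(cmd["ending_time"])
    if end < start:
        raise ValueError("ending_time is earlier than starting_time")
    args = cmd.get("args") or {}
    hits = sorted(k for k, v in args.items()
                  if k.lower() in SENSITIVE_ARGS and v not in (None, ""))
    clean_args = {k: "<redacted>" if k in hits else v for k, v in args.items()}
    clean = {"cmd": {**cmd, "args": clean_args}, "results": results}
    summary = {
        "submodule": cmd.get("submodule"),
        "seconds": (end - start).total_seconds(),
        "objects": len(results),
        "redacted": hits,
    }
    return clean, summary

# Constructed sample: the page's envelope plus assumed "user"/"password" keys.
SAMPLE = json.dumps({
    "cmd": {
        "submodule": "get-netcomputer",
        "args": {"domain_controller": "dc.contoso.com", "domain": "contoso.com",
                 "user": "alice", "password": "P@ssw0rd"},
        "starting_time": "2024-01-15T10:30:00",
        "ending_time": "2024-01-15T10:30:02",
    },
    "results": [{"dnshostname": "centos.contoso.com"},
                {"dnshostname": "debian.contoso.com"}],
})

if __name__ == "__main__":
    clean, summary = sanitize_envelope(SAMPLE)
    print(json.dumps(summary))
    print(json.dumps(clean, indent=2))
```

The summary lists which argument keys were masked, so an empty list on real output tells you none of the assumed key names were present.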

Check Query Metadata

# View just the command metadata, not the results
pywerview get-netgroupmember \
  -t dc.contoso.com \
  -u alice \
  -p 'P@ssw0rd' \
  -w contoso.com \
  --groupname 'Domain Admins' \
  --json | jq '.cmd'
