Nbtstat reveals who is logged on

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Determine who is logged on remote PCs using Windows NT nbtstat.

NBT (NetBIOS over TCP/IP) STAT (statistics) is a critical troubleshooting tool, and it depends on Microsoft's use of NetBIOS in Windows. The foundation for file and print sharing on Microsoft Windows networks is the Server Message Block (SMB) protocol (later renamed CIFS, the Common Internet File System). Every Windows computer is assigned a user-friendly NetBIOS name so that machines can find and talk to each other; workgroup and domain names are NetBIOS names too. NetBIOS itself is not routable, but NetBIOS over TCP/IP is, so NetBIOS tools such as nbtstat are valuable for discovery and troubleshooting on Windows-based networks. Nbtstat is the tool for viewing and manipulating the NetBIOS name table and the name cache.

It is possible to discover who is logged onto a networked PC with the Windows NT utility nbtstat, because the logged-on account is part of the name information that NBT maintains locally. NBT runs on each Windows PC and acts as the local naming agent for NetBIOS over TCP/IP: if a name is not in the local cache, NBT resolves it through WINS, broadcast or LMHOSTS. An adapter-status query against a remote PC returns that PC's whole name table, and the query is an unauthenticated NetBIOS Name Service request (UDP port 137), so anyone who can reach that port can use nbtstat to capture logon IDs. This Windows NT command-line utility is run as:

nbtstat -a wayneathome

--or--

nbtstat -A 208.188.57.62

Use -a when you know the machine name and -A when you know the IP address (the switch is case-sensitive). The following is the result of nbtstat -a wayneathome run at the command line while my home PC was attached to the Internet through a modem. nbtstat is also a standard way to obtain a NIC's MAC address; since this PC has no NIC but only a modem, the MAC address reported is 00-00-00-00-00-00.


       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
WAYNEATHOME    <03>  UNIQUE      Registered
WMAPLES        <03>  UNIQUE      Registered
WAYNEATHOME    <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
WAYNEATHOME    <20>  UNIQUE      Registered

MAC Address = 00-00-00-00-00-00

The account shows up as a <03> record. Both the machine name and the logged-on user name register <03> (the Messenger service listens under each), so one <03> UNIQUE record will be the PC name and the other will be the account name. Since the machine name also appears in other records (<00> and <20>) and most user accounts follow a company naming standard, it is not hard to tell which is the user account. 03 is one of many suffixes; see the table of NetBIOS suffixes below for a fairly complete list.

If you have a RAS server, you will probably see Event ID 4320 or Event ID 4319. The text of both states that a duplicate name has been detected on the network, and tells you to run nbtstat -n to find the computer sending the name release message (the PC that detected the conflict). The 4319 and 4320 events carry the TCP/IP address of the PC that detected the conflict, but in a bizarre form. View the event data in hex: the last line of data holds four hex bytes. The Microsoft KB example lists the data as e7 1a 65 16. Convert each byte to decimal, 231 26 101 22, then reverse the byte order, 22 101 26 231. The reporting IP address is 22.101.26.231. When I performed this task, it was the IP address of a WINS server. nbtstat -n can be very useful here, but in many cases the conflicts are normal events: log on to two workstations and this event will be generated, because the user name <03> record is registered from both.
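The byte-order conversion described above, written out as a small decoder. This is an added example, not part of the article or of any Microsoft tool: it takes an Event Viewer-style hex dump of the event's Data area, keeps the last four bytes, reverses them and formats the result in dotted decimal. The four address bytes e7 1a 65 16 are the KB values quoted in the text; the other bytes in the sample dump are constructed zero padding.

```python
"""Recover the reporting IP address from the Data area of a NetBT duplicate-name
event (4319/4320): last four data bytes, read back to front, in dotted decimal.

Added example, not from the article.  Only the address bytes e7 1a 65 16 come
from the text; the rest of the dump is constructed padding.
"""
import ipaddress
import re

# Constructed: three lines of an Event Viewer hex dump, offset column first.
EVENT_DATA_DUMP = """\
0000: 00 00 00 00 00 00 00 00
0008: 00 00 00 00 00 00 00 00
0010: 00 00 00 00 e7 1a 65 16
"""

HEX_BYTE = re.compile(r"\b[0-9A-Fa-f]{2}\b")


def data_bytes(dump: str) -> bytes:
    """Strip the offset column from each line and return the raw event data."""
    out = bytearray()
    for line in dump.splitlines():
        payload = line.split(":", 1)[-1] if ":" in line else line
        out.extend(int(h, 16) for h in HEX_BYTE.findall(payload))
    return bytes(out)


def reporting_ip(dump: str) -> str:
    """The address is the final DWORD of the data, stored little-endian, so the
    bytes appear reversed: e7 1a 65 16 decodes to 22.101.26.231."""
    data = data_bytes(dump)
    if len(data) < 4:
        raise ValueError("event data shorter than one IPv4 address")
    return str(ipaddress.IPv4Address(bytes(reversed(data[-4:]))))


if __name__ == "__main__":
    print(reporting_ip(EVENT_DATA_DUMP))  # 22.101.26.231
```

Paste the Data area of the event into EVENT_DATA_DUMP (with or without the offset column) and the function returns the address of the PC that detected the conflict; a dump with fewer than four bytes is rejected rather than silently decoded.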

I have created scripts that probe the PCs in our network and return a list of logged-on user accounts. Perl is particularly useful for scripting such tasks.
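Both the <03> rule from the section above and the network sweep just mentioned, as one added example. This is not the article's own Perl script: it parses nbtstat -A output into rows, applies the rule that the PC name is the UNIQUE name also registered as <00> or <20> while any other UNIQUE <03> record is a logged-on account, and then runs that parser over a list of hosts. The sample output is the article's WAYNEATHOME table; the run_nbtstat helper assumes a Windows host with nbtstat.exe on the PATH, and the address range in the usage comment is made up.

```python
"""Parse nbtstat adapter-status output and sweep hosts for logged-on users.

Added example, not the article's own scripts.  SAMPLE_OUTPUT is the article's
WAYNEATHOME table; run_nbtstat() assumes Windows with nbtstat.exe on the PATH.
"""
import re
import subprocess
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample: the article's table for a dial-up PC (no NIC, so a zero MAC).
SAMPLE_OUTPUT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
WAYNEATHOME    <03>  UNIQUE      Registered
WMAPLES        <03>  UNIQUE      Registered
WAYNEATHOME    <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
WAYNEATHOME    <20>  UNIQUE      Registered

MAC Address = 00-00-00-00-00-00
"""

# One name-table row: NAME <XX> UNIQUE|GROUP Registered.  nbtstat pads names to
# 15 characters; a name containing spaces would need a fixed-width split instead.
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)", re.M)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_name_table(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, suffix, type) for each row of an nbtstat name table."""
    return [(m.group(1), m.group(2).upper(), m.group(3)) for m in ROW_RE.finditer(text)]


def identify(text: str) -> Dict[str, object]:
    """Separate machine name, workgroup/domain, logged-on users and MAC.

    The PC name is the UNIQUE name that also registers <00> (Workstation
    service) or <20> (Server service); any other UNIQUE <03> (Messenger
    service) record is a logged-on account.
    """
    rows = parse_name_table(text)
    machine_names = {n for n, s, t in rows if t == "UNIQUE" and s in ("00", "20")}
    users = [n for n, s, t in rows if t == "UNIQUE" and s == "03" and n not in machine_names]
    domains = [n for n, s, t in rows if t == "GROUP" and s == "00"]
    mac = MAC_RE.search(text)
    return {
        "machine": sorted(machine_names)[0] if machine_names else None,
        "domain": domains[0] if domains else None,
        "users": users,
        "mac": mac.group(1) if mac else None,
    }


def run_nbtstat(ip: str) -> str:
    """Query one host with the real nbtstat.exe (Windows only); assumed helper."""
    proc = subprocess.run(["nbtstat", "-A", ip], capture_output=True, text=True, timeout=15)
    return proc.stdout


def sweep(hosts: Iterable[str],
          query: Callable[[str], str] = run_nbtstat) -> Dict[str, Dict[str, object]]:
    """Probe each host and map IP -> parsed name table.

    `query` is injectable so the logic can be exercised offline with canned
    output.  Hosts that answer "Host not found." (no NetBT, or UDP 137
    filtered) produce no rows and are skipped, as are hosts whose query fails.
    """
    results: Dict[str, Dict[str, object]] = {}
    for ip in hosts:
        try:
            out = query(ip)
        except (OSError, subprocess.SubprocessError):
            continue
        if not ROW_RE.search(out):
            continue
        results[ip] = identify(out)
    return results


if __name__ == "__main__":
    print(identify(SAMPLE_OUTPUT))  # offline demonstration on the article's table
    # Real sweep on Windows (assumed address range):
    # for ip, info in sweep(f"10.0.0.{i}" for i in range(1, 255)).items():
    #     print(ip, info["machine"], info["users"])
```

Because the probe is one UDP datagram per host, a sweep of a /24 finishes in seconds; hosts with NetBIOS over TCP/IP disabled or UDP 137 filtered simply drop out of the result, which is also the condition the note at the end of the article describes.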

Type nbtstat at the command line to get a listing of the available parameters:


NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-RR] [-s] [-S] [interval] ]

  -a   (adapter status) Lists the remote machine's name table given its name
  -A   (Adapter status) Lists the remote machine's name table given its
                           IP address.
  -c   (cache)          Lists NBT's cache of remote [machine] names and their IP
                           addresses
  -n   (names)          Lists local NetBIOS names.
  -r   (resolved)       Lists names resolved by broadcast and via WINS
  -R   (Reload)         Purges and reloads the remote cache name table
  -S   (Sessions)       Lists sessions table with the destination IP addresses
  -s   (sessions)       Lists sessions table converting destination IP
                        addresses to computer NETBIOS names.
  -RR  (ReleaseRefresh) Sends Name Release packets to WINS and then, starts 
                        Refresh

  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds
               between each display. Press Ctrl+C to stop redisplaying
               statistics.

A non-Microsoft version is available with binary and source; it takes slightly different parameters and runs on Linux as well as other flavors of Unix.

The following table lists the NetBIOS suffixes that are used by Microsoft Windows NT. The suffixes are listed in hexadecimal format because many of them are unprintable otherwise.

Name                Number(h)  Type  Usage
--------------------------------------------------------------------------
<computername>         00       U    Workstation Service
<computername>         01       U    Messenger Service
<\\--__MSBROWSE__>     01       G    Master Browser
<computername>         03       U    Messenger Service
<computername>         06       U    RAS Server Service
<computername>         1F       U    NetDDE Service
<computername>         20       U    File Server Service
<computername>         21       U    RAS Client Service
<computername>         22       U    Microsoft Exchange Interchange(MSMail
                                                                Connector)
<computername>         23       U    Microsoft Exchange Store
<computername>         24       U    Microsoft Exchange Directory
<computername>         30       U    Modem Sharing Server Service
<computername>         31       U    Modem Sharing Client Service
<computername>         43       U    SMS Clients Remote Control
<computername>         44       U    SMS Administrators Remote Control
                                                               Tool
<computername>         45       U    SMS Clients Remote Chat
<computername>         46       U    SMS Clients Remote Transfer
<computername>         4C       U    DEC Pathworks TCPIP service on
                                                               Windows NT
<computername>         42       U    McAfee anti-virus
<computername>         52       U    DEC Pathworks TCPIP service on
                                                               Windows NT
<computername>         87       U    Microsoft Exchange MTA
<computername>         6A       U    Microsoft Exchange IMC
<computername>         BE       U    Network Monitor Agent
<computername>         BF       U    Network Monitor Application
<username>             03       U    Messenger Service
<domain>               00       G    Domain Name
<domain>               1B       U    Domain Master Browser
<domain>               1C       G    Domain Controllers
<domain>               1D       U    Master Browser
<domain>               1E       G    Browser Service Elections
<INet~Services>        1C       G    IIS
<IS~computer name>     00       U    IIS
<computername>         2B       U    Lotus Notes Server Service
IRISMULTICAST          2F       G    Lotus Notes
IRISNAMESERVER         33       G    Lotus Notes
Forte_$ND800ZA         20       U    DCA IrmaLan Gateway Server Service

NetBIOS name types describe the functionality of the registration.

Unique (U): The name may have only one IP address assigned to it. On a network device multiple occurrences of a single name may appear to be registered; the suffix may be the only unique character in the name.

Group (G): A normal group; the single name may exist with many IP addresses. WINS responds to a name query on a group name with the limited broadcast address (255.255.255.255). Because routers block the transmission of these addresses, the Internet Group was designed to service communications between subnets.

Multihomed (M): The name is unique, but because of multiple network interfaces on the same computer this configuration is necessary to permit the registration. The maximum number of addresses is 25.

Internet Group (I): A special configuration of the group name used to manage Windows NT domain names.

Domain Name (D): New in Windows NT 4.0.

Note: If file and print sharing is turned off by policy in a network, nbtstat.exe -a will not return a user name.
