Skip to content

WHOAMI – How to use WHOAMI command on Windows 7


The WHOAMI command enumerates SIDs, Groups and privileges.  For a hacker, it can enumerate groups and privileges from the command line of the current user.

Step1 – run the command prompt with admin rights

Start > all programs > accessories > cmd (black tv icon)

Right click on CMD > run as admin

Step 2 – whoami


On it’s own the workgroup or domain will be displayed.

Step 3 – whoami /user

Notice the information is USER then SID.

whoami user

A RID of 1001, tells us this is a user, not an Administrator.

A RID of 500 is the local Administrator.

A RID of 512 is Domain Admins

A RID of 518 is Schema Admins

A RID of 519 is Enterprise Domain Admins (*YAY*)

Step 4 – whoami /groups

Here groups are enumerated.

whoami groups

Notice BUILTIN\Administrators

The SID is 32 – 544.
32 = BUILTIN and 544 = Administrators group.

So this is a powerful group membership.

Step 5 – whoami /priv

whoami priv

If we need to add privileges to the user account, we use ntrights.

ntrights -u smile +r SeSecurityPrivilege

This means that the user Smile can now control and delete security logs.

Step 6 –  whoami /all

A one hit command to get all of the above information.

If the user doesn’t have the privileges you need to shutdown auditing, then assign them the privileges with ntrights.  THEN shutdown auditing.

Step 7 – Eventlog codes

If you shutdown auditing it will appear as event code 517 in the event viewer.  That would tell the SysAdmin, that you’ve shut down all his hard work🙂

Event 517 is logged whenever the Security log is cleared, REGARDLESS of the status of the Audit System Events audit policy.

The Primary User Name and Client User Name fields will identify the user who cleared the log. Primary User Name will correspond to the system, and Client user name will indicate the user who cleared the log.

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: