whoami — Current User Identity#

What it is#

whoami is a built-in Windows command that reports the identity of the currently logged-on user. Beyond the basic DOMAIN\username output, it can display the user’s UPN, SID, all group memberships with SIDs, and the full privilege set — making it the fastest way to diagnose “am I running as the right account?” or “why does this ACL check fail?” in a support session or batch script. The PowerShell equivalents are $env:USERNAME / [System.Security.Principal.WindowsIdentity]::GetCurrent().

Availability#

whoami ships as C:\Windows\System32\whoami.exe on Windows Vista and later (including Server 2008+). It is not present on Windows XP by default.

whoami /?

Output:

WhoAmI has several options.  If invoked without switches, it displays
the user name in the "DOMAIN\username" format.

WHOAMI [/UPN | /FQDN | /LOGONID]
WHOAMI { [/USER] [/GROUPS] [/CLAIMS] [/PRIV] } [/FO format] [/NH]
WHOAMI /ALL [/FO format] [/NH]

Syntax#

whoami takes no required arguments; all output is controlled through optional flags.

whoami [/UPN | /FQDN | /LOGONID] [/USER] [/GROUPS] [/PRIV] [/ALL] [/FO TABLE|LIST|CSV] [/NH]

Output: (prints identity information)

Essential options#

Basic output#

Running whoami with no arguments returns DOMAIN\username — the minimum needed to confirm which account is active.

whoami

Output:

myhost\alicedev

On a domain machine the domain replaces the host name:

whoami

Output:

CORP\alicedev

User name and SID#

/USER adds the Security Identifier (SID) alongside the account name — useful when troubleshooting ACL issues where the SID is more authoritative than the name.

whoami /user

Output:

USER INFORMATION
----------------

User Name      SID
============== ==============================================
myhost\alicedev S-1-5-21-1234567890-123456789-123456789-1001

UPN and FQDN formats#

/UPN returns the User Principal Name (user@domain) and /FQDN returns the full Active Directory distinguished name. Both require the machine to be domain-joined; they error on standalone workstations.

whoami /upn

Output:

alicedev@corp.example.com

whoami /fqdn

Output:

CN=Alice Dev,OU=Engineering,DC=corp,DC=example,DC=com

Group memberships#

/GROUPS lists every group the user belongs to, including well-known SIDs like BUILTIN\Users and NT AUTHORITY\Authenticated Users, along with the group SID and attribute flags.

whoami /groups

Output:

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ====================
Everyone                             Well-known group S-1-1-0      Mandatory group, ...
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, ...
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, ...
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, ...
...

Privileges#

/PRIV shows all Windows privileges assigned to the token and whether each is currently enabled. A privilege that appears as Disabled can be enabled programmatically; one that is absent cannot be granted without changing the account’s rights.

whoami /priv

Output:

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeUndockPrivilege             Remove computer from dock      Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Full identity dump (/ALL)#

/ALL combines user, groups, claims (if any), and privileges in a single report — the most complete picture of the running token.

whoami /all

Output:

USER INFORMATION
...
GROUP INFORMATION
...
PRIVILEGES INFORMATION
...

CSV output for scripting#

/FO CSV serialises any whoami output into comma-separated form, suitable for parsing with for /f or importing into a spreadsheet.

whoami /groups /fo csv /nh

Output:

"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
...

Common pitfalls#

1. /UPN fails on non-domain machines — standalone workstations have no UPN; use whoami (no flag) for the local account name.
2. Elevation changes the token — whoami /priv run from an elevated prompt shows SeDebugPrivilege and others not present in a standard shell; always check from the same elevation level as the process you’re diagnosing.
3. %USERNAME% vs whoami — %USERNAME% is always available without a subprocess but returns only the short username, not the domain. Use whoami when the DOMAIN\user form or SID is needed.
4. Group list reflects the logon token — groups added after logon (e.g. after a security group change in AD) won’t appear until the user logs off and back on.

Real-world recipes#

Check whether the current session is elevated (has SeDebugPrivilege)#

whoami /priv | findstr "SeDebugPrivilege"

Output:

SeDebugPrivilege              Debug programs                 Enabled

Log current user to an audit file#

@echo off
for /f "tokens=*" %%u in ('whoami') do set WHO=%%u
echo %DATE% %TIME% — logged in as %WHO% >> C:\Audit\logins.txt
echo Audit entry written.

Output:

Audit entry written.

List only the group names (no SIDs) from CSV output#

for /f "tokens=1 delims=," %g in ('whoami /groups /fo csv /nh') do echo %~g

Output:

Everyone
BUILTIN\Users
NT AUTHORITY\Authenticated Users
...

Confirm domain membership before running a domain-aware script#

@echo off
whoami /upn >NUL 2>&1
if errorlevel 1 (
    echo Not domain-joined — skipping AD tasks.
) else (
    echo Domain account confirmed. Proceeding.
)

Output:

Not domain-joined — skipping AD tasks.

Claims (/CLAIMS)#

A claim is a Kerberos extension that lets Active Directory attach arbitrary key/value attributes to the user token (e.g. Department=Engineering, Country=US). Dynamic Access Control on file servers reads these claims to make permission decisions without group sprawl. whoami /claims lists everything the local LSA copied off the Kerberos ticket; on a stand-alone workstation or non-claims-aware domain controller the list is empty.

whoami /claims

Output:

USER CLAIMS INFORMATION
-----------------------

User claims
Name:                  ad://ext/Department
Flags:                 0x1
Type:                  String
Values:                Engineering

Name:                  ad://ext/EmployeeType
Flags:                 0x1
Type:                  String
Values:                Full-Time

Kerberos support for Dynamic Access Control on this device has been disabled.

If the bottom line shows disabled, enable claims support via Group Policy under Computer Configuration → Administrative Templates → System → Kerberos → Kerberos client support for claims, compound authentication, and Kerberos armoring.

Logon ID (/LOGONID)#

/LOGONID returns the SID of the current logon session, not the user — this is the LUID-based session SID like S-1-5-5-0-12345. It is the key administrators use to correlate token data to specific sessions in query session, klist sessions, and ETW traces. The value changes every time the user logs in.

whoami /logonid

Output:

S-1-5-5-0-167821

Pair the value with query session to find the corresponding interactive session:

query session

Output:

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           alicedev                  1  Active
 rdp-tcp                                 65536  Listen

All output formats — TABLE, LIST, CSV#

/FO accepts TABLE (default, human-readable, fixed columns), LIST (key/value pairs, easier to grep, line-per-attribute), or CSV (quoted, comma-separated, designed for Import-Csv or for /f parsing). /NH strips column headers from TABLE and CSV output so you can pipe directly into other tools without trimming the first row.

whoami /priv /fo list

Output:

Privilege Name: SeShutdownPrivilege
Description:    Shut down the system
State:          Disabled

Privilege Name: SeChangeNotifyPrivilege
Description:    Bypass traverse checking
State:          Enabled

whoami /priv /fo csv

Output:

"Privilege Name","Description","State"
"SeShutdownPrivilege","Shut down the system","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"

whoami /priv /fo csv /nh

Output:

"SeShutdownPrivilege","Shut down the system","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"

LIST is generally the easiest to grep with findstr; CSV is best when piping into PowerShell’s ConvertFrom-Csv for structured handling.

Token integrity level#

Beyond user, groups, and privileges, every Windows token carries a mandatory integrity level (Low/Medium/High/System) that gates the User Account Control sandbox. whoami /groups includes the integrity-level pseudo-SID in its output — looking for it is the fastest way to tell whether the current shell is elevated. The well-known integrity SIDs are:

whoami /groups | findstr "Mandatory Level"

Output (non-elevated):

Mandatory Label\Medium Mandatory Level                Label            S-1-16-8192  Mandatory group, ...

Output (elevated):

Mandatory Label\High Mandatory Level                  Label            S-1-16-12288 Mandatory group, ...

Use this in scripts to refuse to run unless elevated:

@echo off
whoami /groups | findstr /c:"S-1-16-12288" >NUL
if errorlevel 1 (
    echo This script must be run as Administrator.
    exit /b 1
)
echo Elevated — proceeding.

Output:

Elevated — proceeding.

PowerShell equivalents#

PowerShell exposes the same identity data through [Security.Principal.WindowsIdentity] and friends — without spawning a child process, and with full .NET object output rather than parsed strings. Reach for these whenever you’re already in a PowerShell session.

# Current user (DOMAIN\username)
[Security.Principal.WindowsIdentity]::GetCurrent().Name

# Or the shorter built-in
$env:USERDOMAIN + "\" + $env:USERNAME

# Full identity object
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$id | Format-List Name, User, AuthenticationType, Token, IsAuthenticated, IsGuest, IsSystem

# SID only
[Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# Groups (NT account names)
[Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Translate([Security.Principal.NTAccount]) }

Output (Get-Current):

Name               : CORP\alicedev
User               : S-1-5-21-1234567890-123456789-123456789-1001
AuthenticationType : Kerberos
Token              : 1880
IsAuthenticated    : True
IsGuest            : False
IsSystem           : False

The canonical “am I elevated” check in PowerShell uses the Principal wrapper:

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$pr = New-Object Security.Principal.WindowsPrincipal($id)
$pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Output:

True

Bundle it into a reusable function:

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}
if (-not (Test-IsAdmin)) { throw 'Run elevated.' }

CIM/WMI for user inventory#

For machine inventory work — listing logged-on users across a fleet — Get-CimInstance is faster than running whoami per host because it returns structured objects directly from the CIM repository.

# Currently logged on console user
Get-CimInstance -ClassName Win32_ComputerSystem |
    Select-Object Name, UserName, PartOfDomain, Domain

# All interactive logon sessions (RDP + console)
Get-CimInstance -ClassName Win32_LoggedOnUser |
    Select-Object Antecedent -Unique

# Across a fleet via PSRemoting
Invoke-Command -ComputerName web01, web02, web03 -ScriptBlock {
    [PSCustomObject]@{
        Host = $env:COMPUTERNAME
        User = (Get-CimInstance Win32_ComputerSystem).UserName
    }
}

Output (Get-CimInstance Win32_ComputerSystem):

Name      UserName        PartOfDomain Domain
----      --------        ------------ ------
MYHOST    CORP\alicedev          True  corp.example.com

SID and security principal lookups#

whoami shows the current user’s SID, but admins often need to convert between SIDs and account names for ACL or audit work. The classic CLI tool is PsGetSid (Sysinternals); PowerShell does it without a download.

# Name → SID
([Security.Principal.NTAccount]'CORP\alicedev').Translate(
    [Security.Principal.SecurityIdentifier]).Value

# SID → Name
([Security.Principal.SecurityIdentifier]'S-1-5-21-1234567890-123456789-123456789-1001').Translate(
    [Security.Principal.NTAccount]).Value

Output (Name → SID):

S-1-5-21-1234567890-123456789-123456789-1001

Output (SID → Name):

CORP\alicedev

Look up a remote machine SID (the prefix shared by all local accounts on that host):

$h = 'fileserver01'
([Security.Principal.NTAccount]"$h\Administrator").Translate(
    [Security.Principal.SecurityIdentifier]).AccountDomainSid.Value

Comparing whoami with related identity tools#

whoami is the dedicated identity dumper, but several adjacent commands report overlapping data. Pick the right one for the angle you need:

Common pitfalls (continued)#

6. whoami /upn errors with code 1332 — the account has no UPN attribute (userPrincipalName) in AD; check via ADUC or Get-ADUser alicedev -Properties UserPrincipalName.
7. whoami /groups omits restricted groups — if the token was created by runas /trustlevel:0x20000 (BasicUser), most groups are filtered out; only the user’s primary group and Everyone remain.
8. whoami /fqdn returns the user DN, not the computer DN — for the computer object, use gpresult /R or Get-ADComputer $env:COMPUTERNAME.
9. Token caches stale group changes — adding a user to a security group does not flow into the running token; the user must log off and back on, or run klist purge followed by a network operation to refresh the Kerberos ticket.
10. whoami /priv only lists privileges, not rights — user rights like “Log on as a service” are managed by the LSA and shown via secpol.msc or Get-NetFirewallRule; whoami /priv only enumerates privileges (Se*Privilege) attached to the token.

Real-world recipes (continued)#

Guard a deployment script against the wrong account#

A common bug in scheduled task scripts: the task is registered to run as NT AUTHORITY\SYSTEM when the developer intended CORP\svc_deploy. Guard the script’s entry point so it refuses to do work as the wrong identity.

@echo off
for /f "tokens=*" %%u in ('whoami') do set CURRENT=%%u
if /i not "%CURRENT%"=="corp\svc_deploy" (
    echo Refusing to run as %CURRENT% — expected CORP\svc_deploy.
    exit /b 2
)
echo Running as %CURRENT% — proceeding with deploy.

Output:

Refusing to run as nt authority\system — expected CORP\svc_deploy.

Snapshot the full token to a timestamped log#

For incident response — capture exactly what the running token looked like at the time something happened.

$stamp = Get-Date -Format yyyyMMdd-HHmmss
whoami /all /fo list > "C:\Audit\token-$env:USERNAME-$stamp.log"
Write-Host "Wrote C:\Audit\token-$env:USERNAME-$stamp.log"

Output:

Wrote C:\Audit\token-alicedev-20260525-093015.log

Diff privilege sets between elevated and non-elevated shells#

rem In a normal shell
whoami /priv /fo csv /nh > %TEMP%\priv-normal.csv

rem Then in an elevated shell
whoami /priv /fo csv /nh > %TEMP%\priv-elevated.csv

fc /n %TEMP%\priv-normal.csv %TEMP%\priv-elevated.csv

Output:

Comparing files priv-normal.csv and priv-elevated.csv
***** priv-normal.csv
    3:  "SeSecurityPrivilege","Manage auditing and security log","Disabled"
***** priv-elevated.csv
    3:  "SeSecurityPrivilege","Manage auditing and security log","Disabled"
    4:  "SeTakeOwnershipPrivilege","Take ownership of files or other objects","Disabled"
    5:  "SeLoadDriverPrivilege","Load and unload device drivers","Disabled"
*****

The elevated shell shows all the Se*Privilege entries that are filtered out of a standard-user token.

Run only when not logged in as Administrator#

For tools that should never run as the built-in Administrator account (UAC bypasses common safety checks).

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($id.User.Value -eq 'S-1-5-21-*-500') {
    Write-Warning 'Refusing to run as built-in Administrator.'
    exit 1
}

Forward identity to a remote logging endpoint#

$ident = whoami /all /fo csv /nh | ConvertFrom-Csv -Header User, SID
Invoke-RestMethod -Method POST -Uri https://audit.example.com/login `
    -Body (@{ user=$ident.User; sid=$ident.SID; host=$env:COMPUTERNAME } | ConvertTo-Json) `
    -ContentType 'application/json'

Related cheat sheets#

• runas — launch a child process under a different identity
• icacls — apply the SIDs whoami returns to file/folder ACLs
• net-user — query and manage local SAM accounts
• shutdown — requires SeShutdownPrivilege from whoami /priv
• powershell-basics — [Security.Principal.WindowsIdentity] patterns
• powershell-builtin-variables — $env:USERNAME, $env:USERDOMAIN

Sources#

• Following an access token with WinDbg — Chad Duffey (May 2026) — current view of how the kernel resolves the data whoami surfaces.
• Mastering Windows Access Control: SeDebugPrivilege — Jonathan Johnson — privilege semantics behind whoami /priv Enabled vs Disabled.
• The Core of Windows Authorization — Kelvin TC Law — token, SID, and integrity-level reference.
• Abusing Tokens — HackTricks — comprehensive list of Se*Privilege entries that may appear in whoami /priv.