Programming Field

Whoami - DOS/Command Prompt Reference

[Windows Vista or later] Displays information such as the username and permissions for the current login session.

Syntax

whoami[.exe] [/UPN | /FQDN | /LOGONID]
whoami[.exe] {/ALL | [/USER] [/GROUPS] [/CLAIMS] [/PRIV]} [/FO <format>] [/NH]

Options

(none) | /UPN | /FQDN | /LOGONID

Displays one of the following based on the specified options.

  • (none): User name (in format ‘Domain-name\User-name’)
  • UPN: User principal name (in format ‘User-name@Domain-FQDN’)
  • FQDN: Distinguished name (‘CN=xxx,DN=yyy’, etc.)
  • LOGONID: Logon ID (Logon SID; in format ‘S-1-5-x-yyy-zzz’)

/ALL | [/USER] [/GROUPS] [/CLAIMS] [/PRIV]

Specifies either ‘/ALL’ or one or more of the desired pieces of information (see below). ‘/ALL’ is equivalent to ‘/USER /GROUPS /CLAIMS /PRIV’.

/USER

Displays user information, specifically the mapping between the username and SID.

/GROUPS

Displays information about the groups to which the user belongs, including the group name, type, SID, and attributes.

/CLAIMS

Displays the attributes (claims) assigned to the user, primarily used in Dynamic Access Control.

/PRIV

Displays the privileges held by the user. These privileges are based on the session, taking into account control and restrictions imposed by UAC.

/FO <format>

Specifies the output format for /ALL, /USER, /GROUPS, /CLAIMS, /PRIV. The three possible values are as follows. If /FO is omitted, the format defaults to ‘TABLE’.

  • TABLE: Outputs in a pseudo-table format. Depending on the content, the output may be wider than the default command prompt width and display poorly.
  • LIST: Displays information in the form ‘Item: Result’. This format is convenient for human inspection of the output. Also, since the item names contain no ‘:’ (confirmed on Windows 10), certain items may be easy to parse with the For command.
  • CSV: Outputs in CSV format. This is useful for analyzing the output with various scripting languages or programs. Some analysis is possible with the For command, but if delimiter characters appear inside " " quotes, you may need to devise a parsing method.

* When using /ALL or two or more of ‘/USER /GROUPS /CLAIMS /PRIV’, each time the type of data in the output changes, an empty line is output and the header appears again (if /NH is present, the next type of data follows the empty line directly).

/NH

Does not add headers when outputting list data. This is effective when using ‘/FO TABLE’ or ‘/FO CSV’.

Details


Using Whoami, you can obtain information, such as the name and permissions, about the user who is currently running the command prompt or batch file. Some of this information, such as group membership and permissions, cannot be obtained through environment variables, so Whoami is useful not only for checking the output on the screen but also for extracting and checking values with, for example, the extended syntax of the For command.

There is a command with the same name on Linux systems, but the Windows Whoami can output more information, depending on the options.

Samples

Sample 1

whoami

Outputs the username based on the current session in the format ‘Domain\Username’.

Sample 2

for /F "delims=" %A in ('whoami') do set "MY_NAME=%A"

[Extensions] Sets the environment variable ‘MY_NAME’ to the content output in Sample 1.

Sample 3 (Batch file)

@echo off
setlocal enableextensions
set CREATE_SYMLINK=
for /F "tokens=1 delims=," %%A in ('whoami /priv /fo csv /nh') do (
    if "%%~A"=="SeCreateSymbolicLinkPrivilege" set CREATE_SYMLINK=1
)
if not "%CREATE_SYMLINK%"=="1" (
    echo warning: Cannot create symbolic link on this session.
)
dosetup.bat

[Extensions] Sets the value in the environment variable ‘CREATE_SYMLINK’ if the user of the current session has the ‘Create Symbolic Link’ privilege, and then executes the batch file ‘dosetup.bat’ in that state (control does not return after execution). Combining Whoami's ‘/PRIV’ with the For command extracts the list of privilege names, so this script can check whether ‘SeCreateSymbolicLinkPrivilege’ is among them.

As mentioned earlier, because of UAC, the ‘/PRIV’ list does not include the relevant privilege when the session has not been elevated, even if the user is an administrator. Using Whoami therefore allows the required privileges to be checked properly.

* Since the output format is CSV, each value may be enclosed in " ". Therefore, the script uses ‘%%~A’ to remove the " ".
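
An added example (not from the original page) in Python, one of the scripting languages for which ‘/FO CSV’ is suggested above: it splits multi-section output at the empty lines, lets a CSV parser handle delimiters inside quotes, and reports the privileges and UAC state of the session. The sample output is constructed, and the English column names and the presence of header rows (no ‘/NH’) are assumptions.

```python
import csv

# Constructed sample shaped like `whoami /user /groups /priv /fo csv` output.
# English column names are assumed; the account and its SID are made up.
SAMPLE = r'''"User Name","SID"
"example\alice","S-1-5-21-1111111111-2222222222-3333333333-1001"

"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""

"Privilege Name","Description","State"
"SeShutdownPrivilege","Shut down the system","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
'''

def parse_sections(text):
    """Split on empty lines; each block is one header row plus its data rows."""
    sections, block = {}, []
    for line in text.splitlines() + [""]:
        if line.strip():
            block.append(line)
        elif block:
            # csv.reader keeps commas inside "..." as part of the field
            header, *rows = csv.reader(block)
            sections[header[0]] = [dict(zip(header, row)) for row in rows]
            block = []
    return sections

def summarize(text):
    """Report what the session's token allows, not what the account could have."""
    s = parse_sections(text)
    groups, privs = s.get("Group Name", []), s.get("Privilege Name", [])
    admins = [g for g in groups if g["SID"] == "S-1-5-32-544"]
    return {
        "user": s["User Name"][0]["User Name"],
        "privileges": {p["Privilege Name"]: p["State"] for p in privs},
        # Integrity level is listed as a group whose SID starts with S-1-16-
        "integrity": [g["Group Name"] for g in groups if g["SID"].startswith("S-1-16-")],
        # Without elevation, Administrators appears only as a deny-only group
        "admin_enabled": any("Enabled group" in g["Attributes"] for g in admins),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For the constructed sample, the result shows a medium-integrity session in which Administrators is deny-only and ‘SeCreateSymbolicLinkPrivilege’ is absent, the case Sample 3 warns about.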