Nbtstat reveals who is logged on
NBT (NetBios over TCP/IP) STAT (Statistics) is a critical tool for problem solving and depends on the Microsoft's use of NetBIOS in Windows. The foundation for file and print sharing for Microsoft's windows networks is the Server Message Block (SMB) protocol (later renamed to CIFS, Common Internet File System). Every Windows computer is assigned a user friendly NetBIOS name to allow them to communicate with each other. Workgroup and domain names are also NetBIOS names. The NetBIOS protocol is not routeable. NetBIOS over TCP/IP is. Thus tools NetBIOS tools like Nbtstat are valuable for discovery and problem solving on Windows-based networks. It is a tool to view and manipulate the NetBIOS name table and the name cache.
It is possible to discover who is logged onto a networked PC using the Windows NT utility NBTSTAT since its in the logged on account is part of the naming info maintained locally by NBT. NBT runs on each Windows PC and functions as a local naming agent for TCP/IP. If a network address is not locally cached, NBT gets the info from WINS or LMHOSTs. Nbtstat can be used to capture logon ids. This Windows NT commandline utility is run as:
nbtstat -a wayneathome
nbtstat -A 18.104.22.168
You notice that you use -a when you know the machinename and -A when you know the ip address. The following is the result of nbtstat -a wayneathome run at the commandline while my home PC is attached to the Internet using a modem. nbtstat is a standard method to obtain NIC MAC addresses. Since I do not have a NIC but only a modem, the MAC address was 00-00-00-00-00-00.
NetBIOS Remote Machine Name Table
Name Type Status
Registered Registered Registered Registered Registered
MAC Address = 00-00-00-00-00-00
WAYNEATHOME <03> UNIQUE
WMAPLES <03> UNIQUE
WAYNEATHOME <00> UNIQUE
WORKGROUP <00> GROUP
WAYNEATHOME <20> UNIQUE
The account will be a 03 record. One of the records will be the PC machine name and the other will be the account name. Since the machine name shows up in multiple records and most user accounts follow a company standard, its not hard to determine which is the user account. 03 is one of many codes, see NetBIOS Service codes in the NetBIOS suffix for a fairly complete list.
If you have a RAS server, you will probably see Event ID 4320 or Event ID 4319. The text of both state that a duplicate name has been detected on the network. The messages states to run the nbtstat -n command to find the computer sending the name release message (the PC detecting the conflict). The 4319 and 4320 events have the tcpip address of the PC which detected the conflict but in a bizarre form. View the data in hex. The last line of data will have 4 hex digits. The Microsoft kb examples list the data e7 1a 65 16. Convert to decimal, 231 26 101 22. Finally invert the digits, 22 101 26 231. The reporting ip address is 22.214.171.124. When I performed this task, it was the ip address of a WINS server. Use of nbtstat -n can be very useful but in many cases, the conflicts are normal events - logon to two workstations and this event will be generated.
I have created scripts which probe PCs in our network and return list of logged on user accounts. PERL is particularly useful for scripting such tasks.
Type nbtstat at the commandlin to get a listing of the available parameters:
NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
[-r] [-R] [-RR] [-s] [-S] [interval] ]
-a (adapter status) Lists the remote machine's name table given its name
-A (Adapter status) Lists the remote machine's name table given its
-c (cache) Lists NBT's cache of remote [machine] names and their IP
-n (names) Lists local NetBIOS names.
-r (resolved) Lists names resolved by broadcast and via WINS
-R (Reload) Purges and reloads the remote cache name table
-S (Sessions) Lists sessions table with the destination IP addresses
-s (sessions) Lists sessions table converting destination IP
addresses to computer NETBIOS names.
-RR (ReleaseRefresh) Sends Name Release packets to WINS and then, starts
RemoteName Remote host machine name.
IP address Dotted decimal representation of the IP address.
interval Redisplays selected statistics, pausing interval seconds
between each display. Press Ctrl+C to stop redisplaying
There is a non-microsoft version available with binary and source which you can use. It has slightly different parms. Run it on your favorite linux box as well as other flavors of unix.
The following table lists the NetBIOS suffixes that are used by Microsoft Windows NT. The suffixes are listed in hexadecimal format because many of them are unprintable otherwise.
Name Number(h) Type Usage
<computername> 00 U Workstation Service
<computername> 01 U Messenger Service
<\\--__MSBROWSE__> 01 G Master Browser
<computername> 03 U Messenger Service
<computername> 06 U RAS Server Service
<computername> 1F U NetDDE Service
<computername> 20 U File Server Service
<computername> 21 U RAS Client Service
<computername> 22 U Microsoft Exchange Interchange(MSMail
<computername> 23 U Microsoft Exchange Store
<computername> 24 U Microsoft Exchange Directory
<computername> 30 U Modem Sharing Server Service
<computername> 31 U Modem Sharing Client Service
<computername> 43 U SMS Clients Remote Control
<computername> 44 U SMS Administrators Remote Control
<computername> 45 U SMS Clients Remote Chat
<computername> 46 U SMS Clients Remote Transfer
<computername> 4C U DEC Pathworks TCPIP service on
<computername> 42 U mccaffee anti-virus
<computername> 52 U DEC Pathworks TCPIP service on
<computername> 87 U Microsoft Exchange MTA
<computername> 6A U Microsoft Exchange IMC
<computername> BE U Network Monitor Agent
<computername> BF U Network Monitor Application
<username> 03 U Messenger Service
<domain> 00 G Domain Name
<domain> 1B U Domain Master Browser
<domain> 1C G Domain Controllers
<domain> 1D U Master Browser
<domain> 1E G Browser Service Elections
<INet~Services> 1C G IIS
<IS~computer name> 00 U IIS
<computername> 2B U Lotus Notes Server Service
IRISMULTICAST 2F G Lotus Notes
IRISNAMESERVER 33 G Lotus Notes
Forte_$ND800ZA 20 U DCA IrmaLan Gateway Server Service
NetBIOS name types describe the functionality of the registration. Unique (U): The name may have only one IP address assigned to it. On a network device multiple occurrences of a single name may appear to be registered. The suffix may be the only unique character in the name. Group (G): A normal group; the single name may exist with many IP addresses. WINS responds to a name query on a group name with the limited broadcast address (255.255.255.255). Because routers block the transmission of these addresses, the Internet Group was designed to service communications between subnets. Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer this configuration is necessary to permit the registration. The maximum number of addresses is 25. Internet Group (I): This is a special configuration of the group name used to manage Windows NT Domain names. Domain Name (D): New in Windows NT 4.0.
Note: If file and print sharing is turned off by policy in a network, nbtstat.exe -a will not return a user name.