# Enumerate Logged-On Users with the Remote Registry Service

This option uses the **Remote Registry Service** through the `\\winreg` pipe to check which user profiles are currently loaded in the user registry hive `HKEY_USERS`.

```bash
nxc smb $TARGET/24 -u $USER -p $PASSWORD --reg-sessions
```

{% hint style="warning" %}
Having a user listed by `--reg-sessions` does not guarantee that you can impersonate them via `schtask_as`, because that module requires the user to have an **active interactive session**. This option only indicate that the user has a primary token (login context) on the machine, not necessarily an interactive session.
{% endhint %}

## Filtering by username(s)

In case you want to hunt a specific user, you can specify a username:

```bash
nxc smb $TARGET/24 -u $USER -p $PASSWORD --reg-sessions 'admin_user'
```

You can also pass a file containing a list of usernames:

```bash
nxc smb $TARGET/24 -u $USER -p $PASSWORD --reg-sessions './users.txt'
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.netexec.wiki/smb-protocol/enumeration/enumerate-logged-on-users-winreg.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.