JSI Tip 3438. Where is <Username>?

NOTE: See Where is <Username>?

If you implement tip 3437, with or without visibility, you can locate a user, with a roaming or local profile, by opening a CMD prompt and typing:

Whereis <Username>

Whereis.bat makes use of the freeware Reg utility, and contains:

@echo off
REM Change \\PDCname to your \\PDC Computer name
set PDCname=\\PDCname
if \{%1\}==\{\} goto syntax
set user=%1
set user=%user:"=%
if exist "%PDCname%\zipnew\%user%.lli" goto locate
@echo User %User% has never logged on.
goto end
type "%PDCName%\zipnew\%user%.lli"
REM Extract the computer name that the user last logged on from.
for /f "Tokens=9" %%i in ('type "%PDCName%\zipnew\%user%.lli"') do @set lastlogon=%%i
set lastlogon=%lastlogon:.=%
set locked=NOT LOCKED
set folder=%user%
REM You must not disable the default Administrative shares on the clients.
REM Is the computer powered up and attached to the network? 
if not exist \\%lastlogon%\c$\*.* goto noton
REM Set the registry path to locate the remote computers local profile folder.
set rp="\\%lastlogon%\machine\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\common desktop"
REM if reg is not in your path, or the reskit reg is, ('<Drive:>\folder\reg -lv %rp%')
for /f "tokens=1*" %%i in ('reg -lv %rp%') do set RegValue=%%j
set profiles=%RegValue:\All Users\Desktop=%
set profiles=%Profiles::=$%
REM Locate the users profile folder(s). 
if not exist "\\%lastlogon%\%profiles%\%user%*" goto noton
for /f "Tokens=*" %%i in ('dir /b /ad "\\%lastlogon%\%profiles%\%user%*"') do call :locate "%%i"
if exist %TEMP%\WhereIs.log del /q %TEMP%\WhereIs.log
goto end
set folder=%1
set folder=%folder:"=%
if exist %TEMP%\WhereIs.log del /q %TEMP%\WhereIs.log
REM The following command, response and output, is piped to %TEMP%\WhereIs.log.
REM If the user is logged on, the command pipes: "The process cannot access the file because it is being used by another process".
REM If local profiles are deleted, the command pipes: "The system cannot find the file specified.....".
REM if the user is logged off and local profiles are retained, the log is piped.  
for /f "Tokens=*" %%j in ('type "\\%lastlogon%\%profiles%\%folder%\ntuser.dat.LOG"^>%TEMP%\WhereIs.log 2^>^&1') do @echo nothing>null
for /f "Tokens=*" %%k in ('type "%TEMP%\WhereIs.log"') do @set locked=%%k
if not "%locked:~0,11%" EQU "The process" goto noton
@echo %user% is still logged on the %folder% profile at %lastlogon%. 
goto end
@echo %user% has logged off the %folder% profile. 
goto end
@echo Syntax: Whereis Username 
NOTE: WhereIs is stealthy and fast, the user does not know they are being located.

NOTE: WhereIs displays the following messages:

Syntax: Whereis <Username>              (When you didn't specify a user.)
User <User Name> has never logged on.
Last logon was MM/DD/YYYY HH:MM from computer name <Computer Name>.
<User Name> is still logged on the <Profile Folder> profile  at <Computer Name>.
<User Name> has logged off the <Profile Folder> profile.
Typical output examples:
C:\>WhereIs jennifer
Last logon was 03/01/2001 17:30 from computer name JSI007.
jennifer is currently logged on the Jennifer profile at JSI007.
C:\>WhereIs ultrabac
Last logon was 03/02/2001 08:30 from computer name JSI001.
ultrabac has logged off the UltraBac profile.
NOTE: There should be only one <Profile Folder> per user on <Computer Name>, but I thought it was prudent to alert you to the previous profile corruption, by listing them all.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.