who system
find out who's on your machine. besides you.
The who man page is 100 lines long. You need one command and zero flags.
You’re SSH’d into a server. Something is running that you didn’t start. A file was modified that you didn’t touch. A process is eating CPU and it’s not yours. You want to know: who else is on this machine right now?
On a Windows server, you’d open Computer Management, navigate to System Tools → Shared Folders → Sessions, and see a list of connected users displayed in a window that looks like it was designed for Windows Server 2003 because it was. Or you’d run query user in PowerShell and get a table that might or might not include remote desktop sessions depending on which version of Windows you’re running. Simple question, complex answer.
who answers it in one word. Type it. See who’s here. Done.
Unless you’re running Windows then wtf none of this applies to you. But hey, come to the dark side, go install WSL2 and you can follow along. We’ll wait. Impatiently.
If you’re lazy like me (all sysadmins are!) then click here for the who cheat sheet.
Who’s logged in right now
who
owner pts/0 2026-03-15 10:22 (192.168.1.50)
alice pts/1 2026-03-15 14:45 (10.0.0.23)
deploy pts/2 2026-03-15 16:02 (10.0.0.100)
Four columns: username, terminal, login time, and where they connected from (IP or hostname in parentheses). That’s it. You now know there are three people on this server and where each one came from.
Who am I
whoami
owner
Your current effective username. Useful after a chain of su and sudo commands when you’ve lost track of who you are. It happens. No judgment.
who am i
Different from whoami. This shows your original login session — the user who actually SSH’d in, even if you’ve su’d to root since then. Two words, space separated. Yes, it’s a real command. The developers had a sense of humor.
Show more details
who -a
Everything: logged-in users, system boot time, run level, dead processes, active processes. More than you usually need, but useful when you’re investigating something weird.
Just the headers
who -H
Adds column headers to the output. Useful if you can never remember which column is which.
NAME LINE TIME COMMENT
owner pts/0 2026-03-15 10:22 (192.168.1.50)
Count logged-in users
who -q
owner alice deploy
# users=3
Quick count. Just names and a total. For when you don’t need details, just a headcount.
Show boot time
who -b
system boot 2026-03-14 08:15
When was this machine last booted? Faster than parsing uptime output and more precise.
Related commands
w (who, but more)
w
16:30:01 up 1 day, 8:15, 3 users, load average: 0.52, 0.44, 0.38
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
owner pts/0 192.168.1.50 10:22 0.00s 0.12s 0.01s w
alice pts/1 10.0.0.23 14:45 1:42m 0.08s 0.08s vim server.conf
deploy pts/2 10.0.0.100 16:02 28:14 0.02s 0.02s bash
w is who with extras — idle time, what they’re currently running, system load. You can see that Alice is editing a config file, deploy is sitting in a bash shell doing nothing, and you’re the one who just ran w.
last (login history)
last
Shows recent login history — who logged in, when, from where, and when they logged out. The audit trail. For when you need to know who was on the server last Tuesday at 3 AM when the database went down.
last -n 20
Last 20 logins. Usually enough to find what you’re looking for.
last reboot
Shows reboot history. When was this server rebooted and by whom? Pairs well with “I swear I didn’t reboot it.”
The flags that actually matter
| Flag | What it does |
|---|---|
-a |
Show all information (boot time, dead processes, etc.). |
-b |
Show last boot time. |
-H |
Print column headers. |
-q |
Quick mode — names and user count only. |
-u |
Show idle time for each user. |
“But I—”
Go ahead.
“I don’t need to know who’s logged in.” Until you’re on a shared server and someone is running a process that’s eating all the memory. Or until you need to coordinate a reboot and want to make sure nobody else is in the middle of something. Or until you’re investigating a security incident and need to know who was on the machine.
“I just check /var/log/auth.log.” That shows login attempts and successes. who shows who’s logged in right now. Different questions. who is for the present, logs are for the past.
“I use ps aux to see who’s on the system.” ps aux shows processes, not sessions. A user might have 50 processes running from one login session. who tells you there’s one person logged in. Different question, different tool.
who cheat sheet
You made it. Or you skipped straight here. Either way, no judgment. Copy and paste these. Pin them. Tattoo them on your forearm. Whatever works.
| What you’re doing | Command |
|---|---|
| Who’s logged in now | who |
| Who am I (current user) | whoami |
| Original login identity | who am i |
| Show with headers | who -H |
| Quick count | who -q |
| Last boot time | who -b |
| Who + what they’re doing | w |
| Login history | last |
| Recent reboots | last reboot |
The one command:
w— it’swhoplus idle time plus what each user is running. One letter, all the context you need.