Windows CMD/DOS/Batch commands
CMD commands
appwiz.cpl -- Control Panel plug-in for add/remove programs
certmgr.msc -- certificate manager
mmc certmgr.msc [/a | /64 | /32]
devmgmt.msc -- device manager
mmc devmgmt.msc
eventvwr.msc -- Event viewer
gpedit.msc -- Group Policy Editor
intl.cpl -- configure system region and language settings. Changes to these settings require you to log off and back on to take effect.
secpol.msc -- Security Policy
services.msc -- Services
taskmgr.exe [/s] -- Task Manager
wuapp.exe [/s] -- Windows Update App
winver.exe -- get Windows version information.
driverquery /v /fo csv > textfile.csv -- list installed drivers
mstsc.exe [.RDP filename] [/admin] [/f] -- run Remote Desktop using the named RDP file; /admin connects in admin mode and /f forces full-screen mode on startup.
msiexec.exe -- Use the following command line options to update a program using msiexec.exe. This may be executed from either the command line or through SCCM.
msiexec.exe /fvo filename.msi
Test-NetConnection -- Test network connection to another computer
wevtutil (el, epl, ...) -- lets you list, query, and export Windows event logs.
In Example 1 below, we list the contents of the Windows System event log with a create time greater than April 30, 2015. We then export that information
to a file called test.evtx. The .evtx file type may be read by the eventvwr.exe program.
In Example 2 below, we just list the available Windows event log types that we may query.
Ex. 1.
wevtutil epl System /q:"*[System[TimeCreated[@SystemTime>='2015-04-30T00:00:00']]]" c:\temp\test.evtx
Ex. 2.
wevtutil el
Available event logs.
Application
Security
Setup
System
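The same XPath filter that wevtutil takes after /q: can be handed to Get-WinEvent, which makes it easy to add an event ID to the time window and summarize what came back. The script below is an added example, not part of the original notes: it defaults to System log event ID 7045 (a service was installed), which a defender typically reviews, and writes a CSV rather than the .evtx that wevtutil epl produces. The log name, event ID, time window and export path are assumptions passed as parameters.

```powershell
# Added example (not from the original notes): query an event log with the same
# XPath filter syntax that "wevtutil qe <log> /q:" accepts, summarize by provider,
# and export the hits to CSV. Runs on Windows with read rights to the chosen log
# (the Security log requires an elevated prompt).
param(
    [string]$LogName    = 'System',
    [int]$EventId       = 7045,              # "A service was installed" (assumed default)
    [int]$Hours         = 24,
    [string]$ExportPath = "$env:TEMP\events.csv"
)

# TimeCreated/@SystemTime compares against an ISO-8601 UTC timestamp
$since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ss.000Z')
$xpath = "*[System[EventID=$EventId and TimeCreated[@SystemTime>='$since']]]"

# Equivalent command-line form: wevtutil qe $LogName /q:"$xpath" /f:text
$events = Get-WinEvent -LogName $LogName -FilterXPath $xpath -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No events with ID $EventId in $LogName during the last $Hours hours."
    return
}

# Group by provider so a burst from one source stands out
$events | Group-Object ProviderName | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Flat CSV for later review or ingestion
$events | Select-Object TimeCreated, Id, ProviderName, MachineName, Message |
    Export-Csv -Path $ExportPath -NoTypeInformation
Write-Host "Exported $($events.Count) events to $ExportPath"
```

Get-WinEvent reports "No events were found" as a non-terminating error when nothing matches; the -ErrorAction SilentlyContinue turns that into an empty result instead of a red error line.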
systeminfo / msinfo32 -- display the system information and optionally write it to a file.
In Example 1 below we run systeminfo with the format option (/fo) requesting list format, and redirect the output to a text file.
In Example 2, we use the msinfo32 command to write a text-based report to a file. This is very similar to the systeminfo output above.
In Example 3, we run msinfo32 again, this time requesting the native .nfo format. The resulting .NFO file may be opened with msinfo32.exe later.
Ex 1.
Systeminfo /fo list > systeminfo.txt
Ex 2.
msinfo32 /report systeminfo.txt
Ex 3.
Msinfo32 /nfo systeminfo.nfo
Get registry information
How to add/modify/delete registry and sub-key information https://support.microsoft.com/en-us/kb/310516
To query the registry for a key and all its values we use the reg query command. The following are the valid command line switches for the reg query command:
/v = query a specific value name
/s = query all sub-keys, recursively
/k = restrict matches to key names only
/d = restrict matches to data only
/z = include the numeric equivalent of the registry type
An example of querying the registry keys is given below. This is a query of the OfficeScan tree.
C:\Users\gleng>reg query HKLM\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc. /s | more
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
TmListenInitDone REG_DWORD 0x1
VDIController01_Status REG_DWORD 0x0
ClientHelpZipTimeStamp REG_SZ 20140408090032
ECSP REG_DWORD 0x1
UADuplicationOptValue REG_DWORD 0x40
Uninstall_Pwd REG_SZ !CRYPT!5231A81DDC1B6EC5B996FFA60ED115E107ED5CE33ACCEBC0373BA1DBE3B2CFF2BB429A974B37B8BB7B0133D2C67
Unload_Pwd REG_SZ !CRYPT!5231A81DDC1B6EC5B996FFA60ED115E107ED5CE33ACCEBC0373BA1DBE3B2CFF2BB429A974B37B8BB7B0133D2C67
ConfirmUninstall REG_DWORD 0x0
CheckServerByHTTP REG_DWORD 0x0
ExcludeDCFiles REG_DWORD 0x1
DirectCheck REG_DWORD 0x0
EngineMin REG_SZ 9.800.1009
ExcludeExchangeStore REG_DWORD 0x1
ExcludeExchangeStoreFiles REG_SZ
ExcludeExchangeStoreFolders REG_SZ
BkFileKeepDay REG_DWORD 0x7
NonSynProxySetting REG_DWORD 0x0
FqdnFirstOnOff REG_DWORD 0x0
EngineZipVer REG_SZ 9.850.1008
ProgramVer REG_SZ 11.0
ProductName REG_SZ Trend Micro OfficeScan
BuildNum REG_DWORD 0x17a6
NoPwdProtect REG_DWORD 0x0
NoProgramUpgrade REG_DWORD 0x0
AllowMobile REG_DWORD 0x0
DiskReserved REG_DWORD 0x64
InstallCTA REG_DWORD 0x0
RemoveCTA REG_DWORD 0x0
AllowStopScheduleScan REG_DWORD 0x0
AllowDelayScheduleScan REG_DWORD 0x1
AllowUpdateNow REG_DWORD 0x1
AllowUpdateFromTMAU REG_DWORD 0x1
Allow Uninstall REG_DWORD 0x0
MailScanPageOnOff REG_DWORD 0x1
ToolPageOnOff REG_DWORD 0x0
Pop3TrapOnOff REG_DWORD 0x1
RunPop3Trap REG_DWORD 0x1
OutlookScanOnOff REG_DWORD 0x1
ProxySettingOnOff REG_DWORD 0x1
Updating REG_DWORD 0x0
DomainType REG_DWORD 0x1
ReferenceHosts REG_SZ SJDC-NABUOSCE3.us.trendnet.org@80
RefHostsChkTimeout REG_DWORD 0x3
PingServerScheduleInterval REG_DWORD 0xe10
PingServerCheckMode REG_DWORD 0x1
RefHostsEnable REG_DWORD 0x1
RefHostsChkMode REG_DWORD 0x1
CookieScanner REG_DWORD 0x0
LogCookie REG_DWORD 0x0
EnableAssessment REG_DWORD 0x0
AssessmentUntil REG_DWORD 0x559a2770
EnableAutoStopScheduleScan REG_DWORD 0x1
ScheduleScanLimitMinutes REG_DWORD 0xb4
wslimit_l REG_DWORD 0x989680
wslimit_r REG_DWORD 0x989680
wslimit_m REG_DWORD 0x4c4b40
wsperiod_l REG_DWORD 0x7530
wsperiod_r REG_DWORD 0x7530
wsperiod_m REG_DWORD 0x7530
Update_Agent_Direct_Update REG_DWORD 0x1
EnableEventLog REG_DWORD 0x0
EventLogForPatternUpdate REG_DWORD 0x0
HeartbeatFrequency REG_DWORD 0x0
PollingFrequency REG_DWORD 0x3c
UnreachableNetworkScopeCount REG_DWORD 0x0
ShowMailScan REG_DWORD 0x1
AllowConfigNotification REG_DWORD 0x0
EnableScheduleScanWarning REG_DWORD 0x0
EnableVirEmailWarning REG_DWORD 0x1
AllowPromptRebootForCleanup REG_DWORD 0x1
GlobalHeartbeat REG_DWORD 0x0
LaunchBelowUsage REG_DWORD 0x14
LaunchMustContinueBelow REG_DWORD 0xf
LaunchCheckUsageFrequency REG_DWORD 0x2
LaunchCheckTimeout REG_DWORD 0xb4
DelayCheckFile REG_DWORD 0x1
DelayLoadAEGIS REG_DWORD 0x1
DelayLoadFirewall REG_DWORD 0x1
DelayLoadDlp REG_DWORD 0x1
-- More --
We may also export and import information from/to the registry, using the export and import options of the reg command. We may export a registry tree to a text (.reg) file and, by the same token, import that file back into the registry.
reg export HKLM\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp outputfile.reg
reg import outputfile.reg
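A practical use of a registry export is as a baseline: export a product's configuration key once, export again later, and compare, so that a silently changed setting (for example in the OfficeScan Misc key queried above) stands out. The script below is an added example, not from the original notes: it does the same snapshot-and-diff in PowerShell, with the key path and baseline file location as assumptions. With the reg command alone you get the same effect from two "reg export" files and "fc".

```powershell
# Added example (not from the original notes): snapshot a registry tree to a
# JSON baseline and, on later runs, report values that were added, removed or
# changed since the baseline. Key path and baseline location are assumptions.
param(
    [string]$KeyPath  = 'HKLM:\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.',
    [string]$Baseline = "$env:ProgramData\reg-baseline.json"
)

# Flatten a key and all of its sub-keys into "key\valuename" -> "TYPE : data"
function Get-RegistrySnapshot {
    param([string]$Path)
    $snapshot = @{}
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            # REG_BINARY comes back as a byte array; hex-encode it so it compares as text
            if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
            $snapshot["$($key.Name)\$name"] = "$kind : $data"
        }
    }
    return $snapshot
}

$current = Get-RegistrySnapshot -Path $KeyPath

if (-not (Test-Path $Baseline)) {
    # First run: record the baseline and stop
    $current | ConvertTo-Json | Set-Content -Path $Baseline
    Write-Host "Baseline written with $($current.Count) values to $Baseline"
    return
}

# Load the saved baseline back into a hashtable
$saved = @{}
(Get-Content -Path $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $saved[$_.Name] = $_.Value }

$changes = 0
foreach ($name in (@($saved.Keys) + @($current.Keys) | Sort-Object -Unique)) {
    $before = $saved[$name]
    $after  = $current[$name]
    if ($before -ne $after) {
        $changes++
        if ($null -eq $before)    { Write-Host "ADDED   $name = $after" }
        elseif ($null -eq $after) { Write-Host "REMOVED $name (was $before)" }
        else                      { Write-Host "CHANGED $name : $before -> $after" }
    }
}
Write-Host "$changes difference(s) against baseline $Baseline"
```

Run it once to write the baseline, then schedule it; a non-zero difference count is the signal to investigate who or what altered the key.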
To delete a registry key with a .reg file, put a hyphen (-) in front of the RegistryPath in the .reg file. For example, to delete the Test subkey from the following registry key: HKEY_LOCAL_MACHINE\Software put a hyphen in front of the following registry key in the .reg file: HKEY_LOCAL_MACHINE\Software\Test. The following example has a .reg file that can perform this task.
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmtdi]
To delete a registry value with a .reg file, put a hyphen (-) after the equals sign following the DataItemName in the .reg file. For example, to delete the TestValue registry value from the following registry key: HKEY_LOCAL_MACHINE\Software\Test put a hyphen after the "TestValue"= in the .reg file. The following example has a .reg file that can perform this task.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Test]
"TestValue"=-
To create the .reg file, use Regedit.exe to export the registry key that you want to delete, and then use Notepad to edit the .reg file and inser
Create Recovery
To create a Windows 7 restore point on your local hard disk drive, follow the instructions outlined here.
To create a Windows 7 repair disk on a DVD, follow the instructions outlined here.
Terminal Server Keys
From the Microsoft Knowledge Base article 186624...
Task-switching hotkeys operate on the local computer level and are not passed through to the Terminal Server. However, some alternative hotkeys have been provided in the RDP Client:
CTRL+ALT+END starts the Windows NT Security dialog box. Similar to Windows NT/2000 CTRL+ALT+DEL.
ALT+PAGE UP switches between programs from left to right. Similar to Windows ALT+TAB.
ALT+PAGE DOWN switches between programs from right to left. Similar to Windows SHIFT+ALT+TAB.
ALT+INSERT cycles through the programs in most recently used order. Similar to Windows ALT+ESC.
ALT+HOME displays the Start menu. Similar to Windows CTRL+ESC.
CTRL+ALT+BREAK switches the Client between a window and a full screen.
ALT+DELETE Displays the Windows menu.
CTRL+ALT+MINUS (Minus as in the - symbol on the numeric keypad) Places a snapshot of the active window, within the client, on the Terminal server clipboard (provides the same functionality as pressing ALT+PrintScrn on a local computer.)
CTRL+ALT+PLUS (Plus as in the + symbol on the numeric keypad) Places a snapshot of the entire client window area on the Terminal server clipboard (provides the same functionality as pressing PrintScrn on a local computer.)
Note that the keyboard shortcuts listed above may not be supported on embedded devices.
Retrieve the registered system serial number. See Microsoft KB 558124 for more information.
C:\Users\geen>wmic bios get serialnumber
SerialNumber
5CB24128KM
Firefox NTLM authentication trusted URIs
In the Firefox address bar type about:config. Then click the button in the middle of the screen promising to be careful. In the search box type ntlm. Look for network.automatic-ntlm-auth.trusted-uris. Double click on that line and you are presented with a dialogue box. In the text field of the dialogue box enter the list of URIs that you wish to trust. Separate each one with a comma.
Microsoft Configuration
Run the msconfig.exe command to review the configuration of the operating system. Look at the Startup tab to see the Terminate and Stay Resident (TSR) programs. Also review the Boot and Services tabs to make sure that you do not have extra services running that you do not need. Unneeded services can slow your system down considerably.
netsh
The netsh command is used to configure certain aspects of a Windows server. Among those is setting the system-wide WinHTTP proxy server. In the example below I display and then set the Windows proxy server.
C:\> netsh winhttp show proxy
Current WinHTTP proxy settings:
Proxy Server(s) : 172.27.16.12:3128
Bypass List : (none)
C:\> netsh winhttp set proxy proxy-server="172.27.16.12:3128"
Performance Monitor
Performance monitor counters to monitor to check the general health of a system.
- SQL Server Best Practices Analyzer. This is a server management tool that helps administrators reduce best practice violations by scanning one or more roles that are installed on Windows Server 2008 R2. To know more about the BPA tool, refer to the Microsoft article: http://technet.microsoft.com/en-us/library/dd759260.aspx
- Counters to monitor
- CPU: %Processor Time, %Privileged Time
- sqlserver.exe process: %Processor Time, %Privileged Time
- Memory: Available Mbytes
- SQL server: Buffer Manager
- Lazy writes/sec
- page life expectancy
- page reads/sec
- page writes/sec
- SQL Server Memory Manager
- Total Server Memory (KB)
- Target Server Memory (KB)
- Disk: Avg. Disk sec/read, Avg. Disk Bytes/Read, Avg. Disk sec/Write, Avg. Bytes/Write. Microsoft recommends for i/o latencies: <8ms = excellent, <12ms = good, <20ms = fair, >20ms = poor performance.
- Network
- Network Adapter: Bytes Received/sec, Bytes Sent/sec, Bytes Total/sec
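The counters above can be sampled from PowerShell with Get-Counter, which lets you rate the disk latency against the Microsoft thresholds quoted in the list instead of eyeballing a graph. The script below is an added example, not from the original notes; the sample count and interval are assumptions, and the SQL Server counters (Buffer Manager, Memory Manager) can be appended to the list on a host where that instance is installed. Counter names are localized on non-English Windows, so adjust them there.

```powershell
# Added example (not from the original notes): sample the general-health counters
# listed above, average them over a short run, and rate disk latency using the
# quoted thresholds (<8 ms excellent, <12 good, <20 fair, otherwise poor).
param([int]$Samples = 5, [int]$IntervalSeconds = 2)   # assumed defaults

$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Processor(_Total)\% Privileged Time',
    '\Memory\Available MBytes',
    '\LogicalDisk(_Total)\Avg. Disk sec/Read',
    '\LogicalDisk(_Total)\Avg. Disk sec/Write',
    '\Network Interface(*)\Bytes Total/sec'
)

function Get-LatencyRating {
    param([double]$Milliseconds)
    if ($Milliseconds -lt 8)  { return 'excellent' }
    if ($Milliseconds -lt 12) { return 'good' }
    if ($Milliseconds -lt 20) { return 'fair' }
    return 'poor'
}

# One sample set per interval; average every counter path over the run
$samples  = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
$averages = $samples.CounterSamples | Group-Object Path | ForEach-Object {
    [pscustomobject]@{
        Counter = $_.Name
        Average = [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average, 4)
    }
}
$averages | Format-Table -AutoSize

# "Avg. Disk sec/..." is reported in seconds; convert to milliseconds before rating
foreach ($row in ($averages | Where-Object { $_.Counter -like '*Avg. Disk sec/*' })) {
    $ms = $row.Average * 1000
    Write-Host ("{0}: {1:N1} ms -> {2}" -f $row.Counter, $ms, (Get-LatencyRating $ms))
}
```

Five samples two seconds apart is enough to see a steady state; lengthen the run when chasing an intermittent stall.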
List Processes
From a Windows command shell execute tasklist. If you are looking for a specific process in the list and you know the exact name, use the /fi (filter) switch.
Other ways of listing processes and services.
- Execute services.msc to use the GUI interface to review the list of running services.
- Execute net start from a CMD shell to display a simple list of running services.
- Execute sc query type= service from a CMD shell to get a detailed list of running services. Add the 'state= all' to include services not in a running state.
C:\>tasklist /fi "imagename eq chrome.exe"
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
chrome.exe 7156 Console 1 113,040 K
chrome.exe 5800 Console 1 108,992 K
chrome.exe 6936 Console 1 28,956 K
chrome.exe 8048 Console 1 34,732 K
chrome.exe 5768 Console 1 80,632 K
chrome.exe 8484 Console 1 71,152 K
chrome.exe 5240 Console 1 38,008 K
In PowerShell you can simply add the name of the process that you are looking for. The optional "-Name" parameter may be used. Note that the string is not case sensitive.
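tasklist tells you that seven chrome.exe processes exist, but not where each binary lives or who started it. The script below is an added example, not from the original notes: it lists the processes matching a name as tasklist /fi does, then adds the executable path, the parent process and the Authenticode signature status, which is what you want when confirming that a familiar process name is really the expected binary. The process name is an assumption passed as a parameter.

```powershell
# Added example (not from the original notes): PowerShell counterpart of
# tasklist /fi "imagename eq <name>.exe", enriched with path, parent process and
# Authenticode signature so unexpected binaries with a familiar name stand out.
param([string]$Name = 'chrome')   # assumed default

# Win32_Process carries the parent PID and executable path that tasklist omits
$all   = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$report = foreach ($proc in ($all | Where-Object { $_.Name -ieq "$Name.exe" })) {
    $parent = $byPid[[int]$proc.ParentProcessId]
    $status = 'NoPath'
    if ($proc.ExecutablePath -and (Test-Path -LiteralPath $proc.ExecutablePath)) {
        $sig    = Get-AuthenticodeSignature -FilePath $proc.ExecutablePath
        $status = "$($sig.Status)"
        if ($sig.SignerCertificate) {
            $status += " (" + $sig.SignerCertificate.Subject.Split(',')[0] + ")"
        }
    }
    [pscustomobject]@{
        PID       = $proc.ProcessId
        ParentPID = $proc.ParentProcessId
        Parent    = if ($parent) { $parent.Name } else { '<exited>' }
        Path      = $proc.ExecutablePath
        Signature = $status
        MemoryKB  = [int]($proc.WorkingSetSize / 1KB)
    }
}

if (-not $report) { Write-Host "No process named $Name.exe"; return }
$report | Sort-Object PID | Format-Table -AutoSize

# Anything not carrying a valid signature deserves a second look
$suspect = $report | Where-Object { $_.Signature -notlike 'Valid*' }
if ($suspect) {
    Write-Host "Review these:"
    $suspect | Format-Table PID, ParentPID, Path, Signature -AutoSize
}
```

Signature status alone is not proof either way (some legitimate tools are unsigned), but a well-known browser or system process that shows NotSigned or HashMismatch, or whose parent is not what you expect, is worth the follow-up.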
Net User
There are a couple of commands to list the accounts on a computer.
net user
This first command displays a simple list of accounts on the computer.
net localgroup
This second one may be a bit more useful. This command without any parameters displays a list of groups on the computer. By providing a local group name such as Administrators the command displays a list of accounts that are members of the group.
Wireshark/tshark
Wireshark is a very useful packet analysis tool that has become the industry standard. The software is available for free and is on my list of recommended software. The package includes the tshark.exe command, a text-mode version of Wireshark, which is my preferred method for performing packet captures as it is not encumbered by the graphical interface.
To query the list of network interfaces on your computer use the -D command line option. This returns a list of available network interfaces both physical and logical interfaces.
C:\Program Files\Wireshark>tshark -D
1. \Device\NPF_{A0F24A18-4C32-4A9E-887D-B67E2DFFD3AA} (VMware Network Adapter VMnet8)
2. \Device\NPF_{5BFDAE3B-91A0-4187-B0A4-2C1042CBA68B} (VMware Network Adapter VMnet1)
3. \Device\NPF_{BB5EFBEB-CA22-4E9A-8A92-3DF15D344CC2} (Local Area Connection)
4. \Device\NPF_{6C25E520-B632-4254-80DB-882E0081DB50} (Wireless Network Connection)
5. \Device\NPF_{DEE651A1-41F5-4D13-B19A-E4BDA74F465A} (Local Area Connection* 214)
6. \Device\NPF_{1905F85A-8799-4FFC-8AC4-9558EDC34796} (Wireless Network Connection 2)
In a Windows environment, as shown here, look for the interface described as (Local Area Connection). This is your physical copper-wire connection and likely the one you want to use for your packet capture. Copy the device string to the clipboard to use as the interface name, such as \Device\NPF_{BB5EFBEB-CA22-4E9A-8A92-3DF15D344CC2} in our example.
Next we perform a simple capture using the information that we now know. The -i command line option takes the interface name, the hex-encoded device name from above. The -n option tells tshark not to perform DNS lookups; skipping name resolution keeps tshark from stalling and reduces the number of packets dropped. Finally the -w option tells tshark where to write its output. In the second example we see our first capture filter, host followed by an IP address. The host filter matches packets where that address is either the source or the destination.
Example:
C:\Program Files\Wireshark>tshark -i \Device\NPF_{BB5EFBEB-CA22-4E9A-8A92-3DF15D344CC2} -n -w test.pcap
C:\Program Files\Wireshark>tshark -i \Device\NPF_{BB5EFBEB-CA22-4E9A-8A92-3DF15D344CC2} -n host 172.27.64.17
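Copying the \Device\NPF_{...} string by hand is error-prone, and an unbounded capture fills the disk. The script below is an added example, not from the original notes: it parses the output of tshark -D to pick the interface by its friendly name, then runs a capture that stops after a fixed time, with the same -n and host filter used above. The interface name, host address, duration and output folder are assumptions passed as parameters; tshark.exe is looked up on PATH or in the Wireshark install folder.

```powershell
# Added example (not from the original notes): select a tshark capture interface
# by friendly name from "tshark -D" and run a time-bounded capture with a host
# filter. Defaults below are assumptions; adjust them to your environment.
param(
    [string]$InterfaceName = 'Local Area Connection',
    [string]$HostFilter    = '172.27.64.17',
    [int]$DurationSeconds  = 60,
    [string]$OutDir        = "$env:TEMP\captures"
)

$cmd = Get-Command tshark.exe -ErrorAction SilentlyContinue
$tshark = if ($cmd) { $cmd.Path } else { "$env:ProgramFiles\Wireshark\tshark.exe" }
if (-not (Test-Path -LiteralPath $tshark)) { throw "tshark.exe not found" }

# Each "-D" line looks like:  3. \Device\NPF_{GUID} (Local Area Connection)
$interfaces = & $tshark -D | ForEach-Object {
    if ($_ -match '^(\d+)\.\s+(\S+)\s+\((.+)\)$') {
        [pscustomobject]@{ Index = [int]$matches[1]; Device = $matches[2]; Name = $matches[3] }
    }
}
$iface = $interfaces | Where-Object { $_.Name -eq $InterfaceName } | Select-Object -First 1
if (-not $iface) {
    $interfaces | Format-Table -AutoSize
    throw "No interface named '$InterfaceName'"
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$outFile = Join-Path $OutDir ("capture-{0:yyyyMMdd-HHmmss}.pcapng" -f (Get-Date))

# -n: no name resolution; -a duration:N stops after N seconds; -f: BPF capture filter
$tsharkArgs = @('-i', $iface.Device, '-n', '-a', "duration:$DurationSeconds", '-w', $outFile)
if ($HostFilter) { $tsharkArgs += @('-f', "host $HostFilter") }

Write-Host "Capturing on $($iface.Name) ($($iface.Device)) for $DurationSeconds s -> $outFile"
& $tshark @tsharkArgs
Write-Host "Done. Summarize conversations with: tshark -r `"$outFile`" -q -z conv,ip"
```

Add -b filesize:N to the argument list for a ring buffer when a capture has to run longer than a single file should grow.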