This file has 7 sections
1. A few examples showing Process information, mem usage, cpu, handles etc.., and altering processes
2. A few examples of retrieving system information (system, memory, drives, hardware)
3. A few examples of listing Services
4. A few examples of altering the state of services
5. A few examples on how to get network information
6. For reference: A very basic listing of some DOS (cmd) commands, for file, directory, or task management.
7. A few well-known scanning/tracing tools
=====================================================================================================
1. A few examples showing Process information, mem usage, cpu, handles etc.., and altering processes:
=====================================================================================================
1.1 Some Powershell examples:
-----------------------------
PS C:\> Get-Process #shows all processes (with details like handles, cpu etc..)
PS C:\> Get-Process s* #shows all processes with an executable name starting with an "s"
PS C:\> Get-Process excel #shows details about the excel process
PS C:\> Get-Process excel | Select-Object name,fileversion,productversion,company #shows name, fileversion,productversion,company of excel
PS C:\> Get-Process | Select-Object name,fileversion,productversion,company #as above, but now for all processes
PS C:\> Get-Process | where { $_.Name -eq "DataSafeOnline" } #shows details on the process "DataSafeOnline"
PS C:\> Stop-Process 533 #stops the process with process id (pid) 533
PS C:\> Stop-Process -processname winword #stops the process named winword
PS C:\> Stop-Process -processname xyz* #stops all processes whose name starts with "xyz"
PS C:\> kill -processname xyz* #an alias to "Stop-Process" is "kill", thus performing the same action.
PS C:\> get-process | where { $_.Name -eq "abc" } | foreach { $_.Kill() } #stops all processes with the name "abc"
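The one-liners above can be folded into two small reusable functions. This is an added example, not part of the original cheat sheet; the function names (Get-ProcessReport, Stop-ProcessByName) and their parameters are this example's own. The first returns the same fields as the Get-Process | Select-Object lines (plus handles and memory, as tasklist shows them) as objects; the second is the "kill by name" idiom with -WhatIf/-Confirm support and an optional "only if not responding" filter, the counterpart of taskkill /fi "status eq not responding".

```powershell
# Added example, not part of the original cheat sheet. Function names
# (Get-ProcessReport, Stop-ProcessByName) and parameters are this example's own.

function Get-ProcessReport {
    # Object form of the Get-Process | Select-Object name,fileversion,... one-liners,
    # sorted by memory use and including the fields tasklist shows (handles, pid).
    [CmdletBinding()]
    param(
        [string]$Name = '*',   # wildcard on the executable name, e.g. 's*'
        [int]$Top = 20         # rows to return, largest working set first
    )
    Get-Process -Name $Name -ErrorAction SilentlyContinue |
        Sort-Object WorkingSet64 -Descending |
        Select-Object -First $Top -Property Name, Id, Handles,
            @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } },
            @{ Name = 'CPUSeconds';   Expression = { [math]::Round([double]$_.CPU, 1) } },
            Path, Company, ProductVersion, Responding
    # Path, Company and ProductVersion come back empty for protected or system
    # processes when the caller lacks rights; that is expected, not an error.
}

function Stop-ProcessByName {
    # Equivalent of: get-process | where { $_.Name -eq "abc" } | foreach { $_.Kill() }
    # but with -WhatIf/-Confirm support and an optional "only if hung" filter,
    # the PowerShell counterpart of: taskkill /f /fi "status eq not responding"
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$OnlyNotResponding
    )
    $targets = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
    if ($OnlyNotResponding) {
        $targets = @($targets | Where-Object { -not $_.Responding })
    }
    foreach ($p in $targets) {
        if ($PSCmdlet.ShouldProcess("$($p.Name) (PID $($p.Id))", 'Stop-Process')) {
            try {
                Stop-Process -Id $p.Id -Force -ErrorAction Stop
                [pscustomobject]@{ Name = $p.Name; Id = $p.Id; Result = 'Stopped' }
            } catch {
                [pscustomobject]@{ Name = $p.Name; Id = $p.Id; Result = "Failed: $($_.Exception.Message)" }
            }
        }
    }
}

# Usage:
#   Get-ProcessReport -Name 's*' -Top 10 | Format-Table -AutoSize
#   Stop-ProcessByName -Name 'notepad' -WhatIf          # shows what would be stopped
#   Stop-ProcessByName -Name 'excel' -OnlyNotResponding
```

Run Stop-ProcessByName with -WhatIf first: it lists every process the name pattern matches before anything is stopped, which matters when the pattern carries a wildcard.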
1.2 Some CMD prompt utility examples:
-------------------------------------
C:\> tasklist #shows all processes with name, memory usage, pid etc..
C:\> tasklist > c:\temp\processlist.txt #lists all processes and writes the listing to a txt file
C:\> tasklist /FI "memusage gt 40000" #shows only processes for which the filter (/FI) "memusage gt 40000" is true (memory usage in KB)
C:\> tasklist /FI "cputime gt hh:mm:ss" #shows only processes whose cpu time exceeds the given value, using the filter cputime in hh:mm:ss
C:\> tasklist /svc #shows processes and which services each of them hosts
C:\> tasklist /svc | find "svchost" #shows which services run under svchost processes
C:\> tasklist | find "Ora" #shows only the processes (with details) whose name contains "Ora"
C:\> taskkill /pid 1480 #kills process with pid 1480
C:\> taskkill /pid 1530 /pid 1603 /pid 1153 #kills the processes with the pids 1530, 1603, 1153
C:\> taskkill /f /im abc.exe #if you do not know the pid, you can use the image (process) name
C:\> taskkill /f /fi "status eq not responding" #kills a process using the filter "status equals not responding"
C:\> wmic PROCESS get Caption,Kernelmodetime,Usermodetime #Shows list of processes with KernelModeTime and UserModeTime statistics
C:\> wmic PROCESS get ExecutablePath, Caption,PageFaults #Shows list of processes with path to executable, pagefaults and other "gets"
C:\> wmic PROCESS WHERE Name="calc.exe" CALL Terminate #kills the process with the name "calc.exe"
C:\> wmic PROCESS call create calc.exe #Creates the calc.exe process
C:\> net file #Shows open files originating from SMB (shared)
C:\> net statistics server #Shows statistics of the SMB server process (file shares)
C:\> net statistics workstation #Shows statistics of the redirector (file shares)
======================================================================================
2. A few examples of retrieving system information (system, memory, drives, hardware):
======================================================================================
2.1 Some Powershell examples:
-----------------------------
PS C:\> Get-WmiObject Win32_Processor #show detailed cpu information
PS C:\> Get-Wmiobject win32_computersystem #show Domain, user, Computername, Manufacturer, memory
or:
PS C:\> Get-WmiObject -Class Win32_ComputerSystem | #show Domain, user, Computername, Manufacturer, memory
>> Format-List Name, Manufacturer, Model, #but more nicely formatted.
>> SystemType, Description,
>> NumberOfProcessors, NumberOfLogicalProcessors,
>> @{Name="RAM"; Expression={[math]::round($($_.TotalPhysicalMemory/1GB), 2)}}
PS C:\> Get-WmiObject win32_LogicalDisk #Listing all logical disks, with size, free space etc..
PS C:\> Get-Wmiobject win32_OperatingSystem #Get details on the Operating System
2.2 Some CMD prompt utility examples:
-------------------------------------
C:\> systeminfo #shows very detailed systeminfo
C:\> systeminfo > c:\temp\sysinfo.txt #puts detailed systeminfo in a txt file
C:\> msinfo32 # shows much system info in a graphical window (not on all Windows versions)
C:\> msinfo32 /report c:\temp\diag.txt # very detailed information placed in a txt file
C:\> driverquery #detailed information on drivers
C:\> wmic cpu > c:\temp\cpu.txt #get all cpu info in a txt file
C:\> wmic cpu get NumberOfCores #get cpu Core info
C:\> wmic memphysical #get mem info
C:\> wmic irq #info on irq's
C:\> wmic bios #get all bios info
C:\> wmic bios get Manufacturer,ReleaseDate,SerialNumber,Version #get some bios specifics
C:\> wmic diskdrive #get all disk info
C:\> wmic diskdrive get SCSIBus,InterfaceType, SerialNumber,Signature, DeviceID #get selection of disk info
C:\> wmic cpu #get all cpu info
C:\> wmic cpu get CurrentClockSpeed,L3CacheSize,DataWidth,Status #get some selections of cpu info
C:\> wmic computersystem #get loads of info about your computer
C:\> wmic computersystem get AdminPasswordStatus,TotalPhysicalMemory,DomainRole #get some selection of computersystem
C:\> wmic /? #get help on what you can do with this powerful command
=============================================================
3. A few examples of listing Services:
=============================================================
3.1 Some Powershell examples:
-----------------------------
PS C:\> Get-Service | Where-Object {$_.status -eq "stopped"} #show all stopped services
PS C:\> Get-Service | Where-Object {$_.status -eq "running"} #show all running services
PS C:\> Get-Service | Where-Object {$_.status -eq "running"} | out-file running.txt #show all running services, place in txt file.
PS C:\> Get-Service | Where-Object {$_.name -like "*Ora*"} #only show *Ora* services
PS C:\> Get-Service #show all
3.2 Some CMD prompt utility examples:
-------------------------------------
C:\> net start #show all running services
C:\> net start | more #show all running, line by line
C:\> net start > c:\temp\services.txt #show all running services, place in txt file.
C:\> net start | find "Ora" #only show *Ora* services
C:\> net start | find "AVG" #only show *AVG* services
C:\> sc query #show all
C:\> sc query > c:\temp\services.txt #show all running services, place in txt file.
C:\> sc interrogate MSSQLServer #sends an interrogate control to the MSSQLServer service and shows its current state
C:\> sc query | find "SQL" #only show *SQL* services
C:\> wmic service get caption,startmode #show all: name+startmode
C:\> wmic service get caption, PathName #show all: name+exe path
C:\> wmic service get name, ProcessID #show all: name+ ProcessID
C:\> wmic service get name, ProcessID | find "Ora" #only get info for *Ora* services
C:\> wmic service get name, ProcessID, ServiceType | find "Ora" #only get info for *Ora* services
C:\> wmic service get name, ProcessID, ServiceType | find "Ora" > c:\temp\ora.txt #only get info for *Ora* services, place in txt file
C:\> tasklist /svc #shows processes and which services each of them hosts
C:\> tasklist /svc | find "svchost" #shows which services run under svchost processes
============================================================
4. A few examples of altering the state of services:
============================================================
4.1 Some Powershell examples:
-----------------------------
PS C:\> Stop-Service "print spooler" #stops the service
PS C:\> Start-Service "print spooler" #starts the service
PS C:\> Stop-Service -displayname "Bluetooth service" #stops the service
PS C:\> Stop-Service iisadmin -force -confirm #stops the service, which also needs a confirm
PS C:\scripts> .\stop_ora.ps1
Where the script "stop_ora.ps1" is something like:
# starts every service whose display name begins with "Oracle" and that is currently stopped
foreach ($svc in Get-Service) {
    if (($svc.DisplayName.StartsWith("Oracle")) -AND ($svc.Status -eq "Stopped")) {
        echo $svc.DisplayName
        Start-Service $svc.Name
    }
}
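A more general form of that script, as an added example that is not part of the original cheat sheet (the function name Set-ServiceStateByPrefix and its parameters are this example's own): it brings every service whose display name starts with a prefix into a requested state, skips services already in that state, waits until the Service Control Manager reports the transition complete, and supports -WhatIf so the selection can be checked before any service is touched.

```powershell
# Added example, not part of the original cheat sheet: a generalised form of the
# stop_ora.ps1 idea. Function name and parameters are this example's own.

function Set-ServiceStateByPrefix {
    # Brings every service whose display name starts with $Prefix into $State,
    # skips the ones already there, waits for the transition and supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Prefix,                                  # e.g. 'Oracle'
        [Parameter(Mandatory)][ValidateSet('Running', 'Stopped')][string]$State,
        [int]$TimeoutSeconds = 30
    )
    $services = Get-Service | Where-Object { $_.DisplayName.StartsWith($Prefix) }
    foreach ($svc in $services) {
        if ($svc.Status -eq $State) {
            [pscustomobject]@{ Name = $svc.Name; DisplayName = $svc.DisplayName; Action = 'Skipped'; Status = $svc.Status }
            continue
        }
        if (-not $PSCmdlet.ShouldProcess($svc.DisplayName, "Set state to $State")) { continue }
        try {
            if ($State -eq 'Running') { Start-Service -Name $svc.Name -ErrorAction Stop }
            else                      { Stop-Service  -Name $svc.Name -Force -ErrorAction Stop }
            # Start-/Stop-Service return once the Service Control Manager accepts the
            # request; wait until the service really reaches the target state (or time out).
            $svc.WaitForStatus($State, [TimeSpan]::FromSeconds($TimeoutSeconds))
            $svc.Refresh()
            [pscustomobject]@{ Name = $svc.Name; DisplayName = $svc.DisplayName; Action = 'Changed'; Status = $svc.Status }
        } catch {
            $svc.Refresh()
            [pscustomobject]@{ Name = $svc.Name; DisplayName = $svc.DisplayName; Action = "Failed: $($_.Exception.Message)"; Status = $svc.Status }
        }
    }
}

# Usage:
#   Set-ServiceStateByPrefix -Prefix 'Oracle' -State Running -WhatIf   # dry run
#   Set-ServiceStateByPrefix -Prefix 'Oracle' -State Running | Format-Table -AutoSize
```

The returned objects record, per service, whether it was skipped, changed, or failed (with the error text), so the output can be written to a file with Out-File or Export-Csv just like the net start and sc query listings above.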
4.2 Some CMD prompt utility examples:
-------------------------------------
C:\> net stop "print spooler" #stops the service
C:\> net start "print spooler" #starts the service
C:\> net stop OracleServiceDBTEST11g #stops the service
C:\> net start OracleServiceDBTEST11g #starts the service
C:\> sc stop spooler #stops the service
C:\> sc start spooler #starts the service
C:\> sc.exe create MyService binPath= "C:\usr\bin\myhttpd.exe -k runservice" DisplayName= "My http Service" #for illustration only.
This command creates a service (note the space after "binPath=" and "DisplayName=", which sc.exe requires). However, there are some
constraints on the application to let it run correctly under Service Control.
C:\> sc.exe delete MyService #deletes a service
=============================================================
5. A few examples on how to get network information:
=============================================================
5.1 Some Powershell examples:
-----------------------------
PS C:\> Get-WmiObject -Class Win32_NetworkAdapterConfiguration #shows network information of all adapters: IP, DHCP etc..
PS C:\> Get-WmiObject -Class Win32_NetworkAdapter #shows network information of all adapters: speed, MAC Address etc..
PS C:\> Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName . | Select-Object -Property IPAddress #shows only the IPv4 and IPv6 addresses of IP-enabled adapters
5.2 Some CMD prompt utility examples:
-------------------------------------
C:\> systeminfo #shows lots of systeminfo, including network interfaces
C:\> systeminfo > c:\temp\sysinfo.txt #as above, but now placed in a txt file
C:\> netstat -ab #shows all the network connections of your machine (-b shows the apps)
C:\> netstat -ab > c:\temp\conn.txt #as above, but now placed in a txt file
C:\> netstat -a -b -f #shows all the network connections, including fully qualified domain names (-f)
C:\> netstat -r #shows the routing table as used by your local machine
C:\> ipconfig #shows basic IP parameters
C:\> ipconfig /all #shows all IP parameters
C:\> ipconfig /release #release current IPv4 address
C:\> ipconfig /renew #request new IP parameters (address, dns) from dhcp Server
C:\> ipconfig /flushdns #remove dns resolver cache
C:\> ipconfig /registerdns #renew DNS entries (e.g.: if DNS was changed)
C:\> net use #shows all mapped networkdrives
C:\> net view #shows all netbios Server names in your subnet (LanMan browser)
C:\> net view > c:\temp\servers.txt #as above, but placed in a txt file
C:\> net share #shows the fileshares on your machine
C:\> arp -a #shows the arp cache: IP addresses resolved to MAC (card) addresses
C:\> getmac #shows the MAC addresses of your network interfaces
C:\> nslookup Servername #used to see how a remote host is resolved by DNS.
C:\> tracert <hostname or IP address> #shows all hops to reach the destination
C:\> nbtstat -a hostname #shows all netbios registered entries of the remote hostname
C:\> nbtstat -A <IP address> #shows all netbios registered entries of the remote IP address
C:\> nbtstat -n #shows all netbios registered entries of your local machine
C:\> wmic nic get AdapterType,DeviceID,Caption,MACAddress #wmic allows you to "get" many properties of "nic" and "nicconfig"
C:\> wmic nicconfig get Caption,DHCPServer,IPAddress,MTU
Just a few "netsh" examples:
C:\> netsh interface ip show config #shows all IP parameters
C:\> netsh dump > c:\temp\netinfo.txt #writes extensive network configuration to a txt file
netsh is a very extensive shell by itself.
You can retrieve info from, or configure, all network objects.
Using "netsh" deserves a dedicated tutorial.
C:\TEMP> netsh int ip reset reset.txt #resets your TCP/IP stack (a log is written to reset.txt)
C:\TEMP> netsh winsock reset #resets the sockets (Winsock catalog)
Those commands might help if network connectivity issues are present, while the system worked well at an earlier time.
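The "netstat -ab" and Win32_NetworkAdapterConfiguration listings above, as objects you can sort, filter and export. This is an added example, not part of the original cheat sheet: it assumes the NetTCPIP module is available (Get-NetTCPConnection, present on Windows 8 / Server 2012 and later), uses Get-CimInstance in place of the older Get-WmiObject, and the function names (Get-TcpConnectionReport, Get-IpConfigReport) are this example's own. Each TCP socket is joined to its owning process by PID, which is what the -b switch of netstat adds.

```powershell
# Added example, not part of the original cheat sheet. It assumes the NetTCPIP
# module (Get-NetTCPConnection; Windows 8 / Server 2012 and later) and uses
# Get-CimInstance instead of the older Get-WmiObject. Function names are this
# example's own.

function Get-TcpConnectionReport {
    # Object form of "netstat -ab": each TCP socket joined to its owning process.
    [CmdletBinding()]
    param(
        [ValidateSet('Listen', 'Established', 'All')][string]$State = 'Listen'
    )
    $conns = if ($State -eq 'All') { Get-NetTCPConnection } else { Get-NetTCPConnection -State $State }
    # Build one PID -> process lookup instead of calling Get-Process per socket.
    $byPid = @{}
    foreach ($p in Get-Process) { $byPid[[int]$p.Id] = $p }
    foreach ($c in $conns) {
        $owner = $byPid[[int]$c.OwningProcess]
        $name  = if ($owner) { $owner.Name } else { '<unknown>' }
        $path  = if ($owner) { $owner.Path } else { $null }   # $null also when access is denied
        [pscustomobject]@{
            LocalAddress  = $c.LocalAddress
            LocalPort     = $c.LocalPort
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            State         = $c.State
            PID           = $c.OwningProcess
            Process       = $name
            Path          = $path
        }
    }
}

function Get-IpConfigReport {
    # Object form of: Get-WmiObject Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE
    # (and of the "ipconfig /all" fields people usually look for).
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Description = $_.Description
                MACAddress  = $_.MACAddress
                IPv4        = @($_.IPAddress | Where-Object { $_ -notmatch ':' })
                IPv6        = @($_.IPAddress | Where-Object { $_ -match ':' })
                DHCPServer  = $_.DHCPServer
                DNSServers  = @($_.DNSServerSearchOrder)
            }
        }
}

# Usage:
#   Get-TcpConnectionReport | Sort-Object LocalPort | Format-Table -AutoSize
#   Get-TcpConnectionReport -State All | Export-Csv C:\temp\conn.csv -NoTypeInformation
#   Get-IpConfigReport | Format-List
```

Saving the listening-socket report from a known-good machine to a CSV and diffing a later run against it is a simple way to spot a new listener that netstat output in a text file makes hard to see.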
============================================================================================================
6. For reference: A very basic listing of some DOS (cmd) commands, for file, directory, or task management.
============================================================================================================
TASK from commandline, followed by EXAMPLE COMMAND(s):
- Moving around directories (or "folders"):
C:\some_path> cd .. # go back to parent directory (one level up)
C:\some_path> cd \ # go to the "root" of this disk or partition
C:\some_path> cd \temp # go to c:\temp from any location
C:\some_path> cd \data\excel # go to c:\data\excel from any location
C:\some_path> cd /d E:\ # go to that disk or partition (a plain "cd E:" only shows the current directory on E:, it does not switch drives)
- Listing the contents of a directory, for example C:\DATA:
C:\DATA> dir # simple listing
C:\DATA> dir /s /p # listing of all files in all subdirectories too
C:\DATA> dir *.doc /s /p # searching for all .doc files in all directories
C:\DATA> dir *pay* /s /p # searching for any file with "pay" in its name, through all subdirectories
C:\DATA> dir /o-d # listing on date/time, from new to old
- Copy or move a file, or set of files:
C:\DATA> copy a.doc b.doc # now you have two files with the same content
C:\DATA> copy payments.doc H:\BACKUPS # copy payments.doc to H:\backups
C:\DATA> copy *.doc H:\BACKUPS # copy all files with extension .doc to H:\BACKUPS
C:\DATA> move *.doc G:\ARCHIVES\WORD # move (not copy!) all .doc files
C:\DATA> copy *.* H:\BACKUPS # copy ALL files in C:\DATA to H:\BACKUPS (but not the files in subdirs: see xcopy)
C:\DATA> rename a.doc b.doc # a.doc is now called b.doc
- Creating a directory (folder):
C:\DATA> md excel # creates the folder excel within c:\data
- Deleting an empty folder:
C:\DATA> rd excel # deletes the folder excel, if it's empty
- Deleting files (no recycle bin !):
C:\TEMP> del a.txt # deletes the file a.txt
C:\TEMP> del *.txt # deletes ALL .txt files from C:\TEMP
C:\TEMP> del /F /Q /S *.* # Be careful!! Deletes all files (including files in subdirs) without confirmation, from the "starting location" C:\TEMP
- xcopy: Suppose you want to copy (or backup) all files in all subdirs existing in, for example, the directory C:\DATA, to, for example, F:\BACKUP:
C:\DATA> xcopy *.* F:\BACKUP /s /h # xcopy will create subdirs at the target location as needed
- Suppose you want to perform some action (like delete) on some set of files, based on some criteria, for example "delete logfiles which are older than 30 days":
C:\> forfiles /P C:\webserver\logs /S /M *.log /D -30 /C "cmd /c del @FILE"
Note that you can place the command in a .cmd batch file, and that you can schedule it.
- Viewing the contents of a flat ascii file, for example C:\TEMP\systeminfo.txt:
C:\TEMP> type systeminfo.txt # view all content in one run
C:\TEMP> type systeminfo.txt | more # view line by line
- Use of "for" from commandline:
-> For example, register a set of .dll files in the registry:
C:\dev\lib> for %f in (*.dll) do regsvr32 %f # do not just do this: only for study!
-> Find IP addresses the hard way:
C:\> for /f "tokens=15" %f in ('ipconfig ^| findstr "Address"') do @echo %f
- View scheduled tasks:
C:\> schtasks
C:\> schtasks | find "Backup" /I # notice that "find" is case sensitive, and with /I it is not
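The forfiles example above, "delete logfiles older than 30 days", in PowerShell form, as an added example that is not part of the original cheat sheet (the function name Remove-OldLogFiles and its parameters are this example's own). The point it adds over the one-liner is a dry run: with -WhatIf the selection is shown but nothing is deleted, which is worth having before a recursive delete is handed to the scheduler.

```powershell
# Added example, not part of the original cheat sheet: the PowerShell counterpart of
#   forfiles /P C:\webserver\logs /S /M *.log /D -30 /C "cmd /c del @FILE"
# Function name and parameters are this example's own.

function Remove-OldLogFiles {
    # Deletes files under $Path matching $Filter whose last write is older than
    # $DaysOld days. Supports -WhatIf so the selection can be reviewed first, and
    # returns a record of each deletion attempt.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. C:\webserver\logs
        [string]$Filter = '*.log',
        [int]$DaysOld = 30
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Directory not found: $Path"
    }
    $cutoff = (Get-Date).AddDays(-$DaysOld)
    $candidates = Get-ChildItem -LiteralPath $Path -Filter $Filter -File -Recurse |
        Where-Object { $_.LastWriteTime -lt $cutoff }
    foreach ($file in $candidates) {
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete')) {
            try {
                Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
                [pscustomobject]@{ File = $file.FullName; LastWrite = $file.LastWriteTime; Result = 'Deleted' }
            } catch {
                [pscustomobject]@{ File = $file.FullName; LastWrite = $file.LastWriteTime; Result = "Failed: $($_.Exception.Message)" }
            }
        }
    }
}

# Usage (the same call can go in a .ps1 and be run from Task Scheduler):
#   Remove-OldLogFiles -Path C:\webserver\logs -WhatIf          # dry run: only prints what would be deleted
#   Remove-OldLogFiles -Path C:\webserver\logs | Out-File C:\temp\deleted_logs.txt
```

-LiteralPath is used throughout so that a directory name containing wildcard characters such as [ or ] is not expanded, and -Filter '*.log' is passed to the filesystem provider, so "*.log" cannot match a file whose name merely contains ".log".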
=====================================================================================================
7. A few well-known scanning/tracing tools:
=====================================================================================================
Many tracing and scanning tools are available, from standard sources like Microsoft (Resource Kit, Sysinternals), as well as from
a few organizations involved in "forensic" activities (whose tools are probably somewhat less well known).
However, here the discussion is limited to just a few well-known tools from Microsoft.
Actually, in sections 1-6, a couple of tracing tools (like netstat etc..) were already discussed.
So please browse through those sections too.
rpcdump (from ResKit):
----------------------
Useful when troubleshooting RPC issues.
By default, the Rpc_Svr_Binding_Order entry contains the following value data:
ncacn_ip_tcp,ncacn_spx,ncacn_vns_spp
Following is a list of protocols for endpoints:
Protocol         Description
ncacn_np         Connection-oriented named pipes
ncacn_mq         Datagram connectionless over the Message Queuing server
ncadg_ipx        Datagram connectionless IPX
ncacn_spx        Connection-oriented SPX
ncacn_http       Connection-oriented TCP/IP using Microsoft Internet Information Services as HTTP proxy
ncacn_nb_nb      Connection-oriented NetBEUI
ncacn_nb_tcp     Connection-oriented NetBIOS over TCP
ncacn_nb_ipx     Connection-oriented NetBIOS over IPX
ncacn_ip_tcp     Connection-oriented TCP/IP
ncacn_at_dsp     AppleTalk DSP
ncadg_ip_udp     Datagram connectionless UDP/IP
ncacn_vns_spp    Connection-oriented Vines SPP transport
ncacn_dnet_nsp   Connection-oriented DECnet transport
ncacn_nb_xns     Connection-oriented XNS
Some of them are sort of "obsolete", like SPX/IPX.
=> Using rpcdump to show all endpoint mappings on your machine:
C:\TEMP> rpcdump /i
C:\TEMP> rpcdump /i /v
C:\TEMP> rpcdump /i /v > rpclisting.txt
Checking for a particular endpoint like ncacn_http:
C:\TEMP> rpcdump /p ncacn_http
epdump (from ResKit):
---------------------
Additional rpc binding information can be found using the epdump utility.
=> Finding the local machine's bindings:
C:\TEMP> epdump
C:\TEMP> epdump > dump.txt
=> Showing you \\foo's bindings, connecting over SPX.
C:\TEMP> epdump ncacn_spx foo
handle (from SysInternals):
---------------------------
This tool displays information about open handles for any process on your system.
=> Showing all processes and handles (to screen, or printed to file).
C:\TEMP> handle
C:\TEMP> handle > openhandles.txt
portqry (Win2K3 Support Tools, newer versions are not "easy" to find and download):
-----------------------------------------------------------------------------------
A good utility to have in your toolkit for network diagnostics, especially to check whether TCP/UDP ports are open or not.
=> Finding out if a Server would respond to LDAP queries (port 389):
C:\TEMP> portqry -n SRVDC1 -p udp -e 389
=> Showing all endpoints listening on 135:
C:\TEMP> portqry -n SRVDC1 -p udp -e 135
Many graphical tools (as well as other prompt tools) exist as well.
Having a look at "procmon", a graphical tool from the "Sysinternals suite", is especially recommended.