Windows Commands, Scripting, and (Very) Basic Internals

Kahoot is not a game.

cmd.exe / batch scripting basics

Redirection operators

Conditional processing

Nesting commands

Argument expansion

Note that these can be combined (i.e., %~dp1 expands to a drive letter and path only).

Variable Expansion
%* all arguments (%1, %2, etc.)
%~1 remove any surrounding quotes
%~f1 fully qualified path name
%~d1 drive letter only
%~p1 path only
%~n1 file name only
%~x1 file extensions only
%~s1 expanded path contains short names only
%~a1 file attributes
%~t1 date/time of the file
%~z1 size of the file
%~$PATH:1 searches the directories listed in the PATH environment variable and expands %1 to the fully qualified name of the first one found

Environment variable subsitution

Batch has support for expansion of variables to include subsitution and sub-string operations.

:: expand PATH with all instances of str1 replaced with str2
%PATH:str1=str2%

:: expand PATH with all instances of str1 removed
%PATH:str1=%

:: extract the 5 characters that begin at the 11th (offset 10) character of
:: PATH
%PATH:~10,5%

:: extract the last 10 characters of PATH
%PATH:~-10%

:: extract all but the last 2 characters of PATH
%PATH:~0,-2%

Internal cmd.exe commands

These commands are native to the cmd.exe program. In other words, there is no executable on the system that corresponds to the command. They are interpreted by your shell session and executed as subroutines defined with cmd.exe. For more information, use cmd.exe /? and checkout the fantastic SS64 reference.

assoc

Display and modify file extension associations. It is important to note that a cmd.exe shell can be started without Command Extensions enabled (via either the /E:OFF or /Y options), in which case assoc will not function.

:: view all file associations
assoc

:: simple example of viewing .doc extension associations
$ assoc .doc
.doc=Word.Document.8

:: add a file association; this example is already the default for .txt files
assoc .txt=txtfile

:: delete a file association (please don't actually run the below command on a
:: system you care about)
assoc .txt=

break

An old DOS utility for for setting or clearing CTRL+C checking. Has no effect on Windows.

call

Call one batch program from another. Also accepts labels for calling subroutines defined within the same batch file. This will result in a new batch context being created with the specified arguments being passed to the new context. The parent batch program pauses during the execution of the called program. See the SS64 call reference for more advanced usage examples and features.

Notes:

:: example of calling a separate batch program
@echo off
call my_other_function_that_accepts_an_argument.bat 10
echo Came back from the call

:: example of a subroutine-calling batch script
@echo off
call :echoer_subroutine hello
call :echoer_subroutine goodbye
echo Did you see my message?
goto :eof

:echoer_subroutine
echo You wanted to print %1
exit /b

cd / chdir

Display the name or change the current directory.

:: print the current directory
cd

:: change directories within the current drive
cd \Users\brian

:: change directories across drives
cd /D Z:\mypath

cls

Clears the screen.

color

Set the default console foreground and background colors. The syntax of this command is color <bg><fg>, based on the codes in the below table.

Code Color
0 black
1 blue
2 green
3 aqua
4 red
5 purple
6 yellow
7 white
8 gray
9 light blue
a light green
b light aqua
c light red
d light purple
e light yellow
f bright white
:: set the console colors to light red on bright white
color fc

:: restore colors to their state from cmd.exe start
color

:: set ERRORLEVEL to 1 by using the same fg and bg color
color 11

copy

Copies one or more files to another location. Supports copying across drives. Important to note that this will copy in ASCII mode by default; use the /B option to perform a binary file copy that will include extended characters.

:: basic copying of files in the current directory
copy source.txt dest.txt

:: combine files into a destination
copy src1.txt + src2.txt + src3.txt dest.txt

:: specify the source only, which will copy into the current directory
copy "C:\my stuff\*.txt"

:: suppress prompting of overwriting a destination file
copy /y source.txt destthatexistsandimabouttooverwrite.txt

:: suppress feedback from the operation
copy source.txt dest.txt >nul

date

Display or set the date.

:: display the date
date /t

:: set the date interactively
date

:: set the date to something very important
date 03/19/1996

del / erase

Delete one or more files.

:: delete with a prompt before each file
del /p *.txt

:: force deletion of read-only files
del /f *.txt

:: recursive deletion with suppressed prompting
del /q /s mydir

:: delete based on file attributes; this example deletes hidden files
del /a:h *.txt

dpath

An undocumented internal utility that allows the type command to read data files in specified directories as if they were in the current directory. The list of directories is held in the DPATH directory, which this command modifies.

:: a simple example of adding all PATH directories to the DPATH
$ type boot.ini
The system cannot find the file specified.
$ dpath %PATH%
$ type boot.ini
...

echo

Print text, usually to the active console session.

:: show if echo is on or off
echo

:: print a string to stdout
echo Hey there, stdout

:: print a string to stderr
echo Hey there, stderr >&2

:: print a blank line
echo.

:: in a batch script file, display printing the echo command in the prompt
@echo off

:: show an environment variable (in this case, using a built-in variable)
echo %COMPUTERNAME%

exit

Quit the cmd.exe program or the current batch script. Use the /b switch to exit the current batch script. The exit code can also be specified.

for

Conditionally perform a command multiple times. Reference loop variables with %% in batch scripts and % from the command prompt. Note that loops will default to taking the first token from each line, which are separated via the delims keyword argument.

:: loop over files
for %g in (*.txt) do echo %g

:: loop over file contents
for /f %g in (*.txt) do echo %g

:: loop over numbers
$ for /l %g in (0,1,3) do echo %g
0
1
2
3

:: loop over command results line-by-line
for /f "tokens=*" %g in ('dir') do echo %g

ftype

Used in conjunction with the assoc command to display or modify file types used in file extension associations. The PATHEXT environment variable allows for implicit extension identification.

:: configure execution of Perl scripts without specifying the perl.exe program
assoc .pl=PerlScript
ftype PerlScript=perl.exe %1 %*

:: we can now execute Perl scripts like this
script.pl 1 2 3

goto

Direct cmd.exe execution flow to a labeled line in a batch program. The :eof label is an implicit reference to the end of the file.

if

Conditional processing in batch programs.

Comparison operators:

Operator Meaning
EQU equal
NEQ not equal
LSS less than
LEQ less than or equal to
GTR greater than
GEQ greater than or equal to
:: checking the error level; the below statements are equivalent
if ERRORLEVEL 1 An error was found
if %ERRORLEVEL% geq 1 An error was found
if %ERRORLEVEL% gtr 0 An error was found

:: case-sensitive string comparison
if Brian==Brian echo These strings are equal

:: case-insensitive string comparison
if /i brian==BRIAN echo These strings are equal

:: testing for an empty variable
if [%1] eq [] echo No argument present

:: testing for an undefined variable
if not defined MY_VAR echo The variable is not defined

:: if-else construct
if exist file.txt (
    echo Found the file
) else (
    echo Couldn't find the file
)

keys

Enables or disables command-line editing on DOS systems and has no effect on Windows systems.

md / mkdir

Creates a directory. When Command Extensions are enabled, these commands will also create intermediate directories in the specified path if they do not already exist.

:: this
mkdir \a\b\c\d

:: is the same as
mkdir \a
chdir \a
mkdir b
chdir b
mkdir c
chdir c
mkdir d

Create a symbolic link. Defaults to creating a file symbolic link, use the /d option to create a directory symbolic link. See the SS64 reference for information on the difference between shortcuts, hard links, soft links, and symbolic links.

:: a simple example of linking to an executable
mklink brian.exe \Windows\System32\notepad.exe

move

Move and rename files and directories. Note that the source field may contain wildcards, but the destination cannot.

:: simple move within the same folder
move old.txt new.txt

:: suppress prompting to confirm you want to overwrite an existing file
move /y old.txt new.txt

:: moving across drives
move g:\old.txt c:\new.txt

path

Modify or display the PATH environment variable.

:: display the current PATH variable
path

:: clear the current PATH configuration, which means only the current directory
:: will be searched
path ;

:: add a new drive to the PATH variable
path Z:;%PATH%

pause

Pause the execution of a batch file by displaying the message Press any key to continue....

:: display a custom message
echo Do you want to continue? Then press any key...
pause >nul

prompt

Changes the cmd.exe prompt string to the specified text. See the SS64 prompt page for a list of the available special codes.

pushd / popd

Modify the "directory stack".

:: a simple example
C:\demo> pushd \work
C:\work> popd
C:\demo> pushd "F:\monthly reports"
F:\monthly reports> popd
C:\demo>

rem

Mark a line as a comment or remark. Also of note that while :: is commonly used as a comment, it is in fact a specially-treated blank label

:: comments can also be included inline and "jumped" around
goto :start

What we write here will not be executed or validated as batch syntax!

:start
rem The real program starts here

rd / rmdir

Remove (i.e., delete) a directory.

:: quietly delete an entire directory tree
rmdir /s /q mydirectory

set

Display, set, or remove cmd.exe environment variables. This can also be used to compute arithmetic/logical results via the following operators:

The following environment variables will not be displayed by set (although they still exist and are accessible by the user):

:: show all environment variables
set

:: show all environment variables beginning with A
set A

:: define a new variable
set MY_VAR=100

:: building a list via delayed expansion
set LIST=
for %i in (*) do set LIST=!LIST! %i

:: prompt the user for a variable definition
set /p PROMPT_VAR=Enter your variable...

setlocal / endlocal

Begin / end localization of environment variables within a batch file. In other words, environment changes made after setlocal has been issued will be local to the batch file and not have an effect on the calling batch script's environment. There is an implicit endlocal at the end of every batch script.

The setlocal command can also be used to enable or disable delayed expansion of environment variables via setlocal ENABLEDELAYEDEXPANSION and setlocal DISABLEDELAYEDEXPANSION.

shift

Change the position of replaceable parameters in a batch file.

:: shift %1 to %0, %2 to %1, etc.
shift

:: shift %3 to %2, %4 to %3, etc., but leave %0 and %1 unaffected
shift /2

start

Start a separate window to run a specified program or command. Accepts the the title of window as the first positional argument. Other important options include:

time

Display or set the system time.

:: output the current time
time /t

:: set the current time (make a wish)
time 11:11 AM

title

Set the window title for the current command prompt.

type

Display the contents of a text file.

:: create a new file with empty contents
type nul >file.txt

ver

Displays the Windows version.

verify

Tell cmd.exe whether to verify that your files are written correctly to a disk. Accepts one positional argument: either ON or OFF. Omitting this parameter will tell you the current setting.

vol

Display the disk volume label and serial number, if they exist.

External cmd.exe commands

These commands come from places like C:\Windows, C:\Windows\System, C:\Windows\System32, and C:\Windows\SysWOW64 (only on 64-bit systems). Loading these commands depends on proper configuration of the PATH environment variable.

auditpol

Display information about and perform functions to manipulate audit policies.

:: get audit policy for all categories
auditpol /get /category:*

:: view global SACLs for different resource types
auditpol /resourceSACL /type:File /view
auditpol /resourceSACL /type:Key /view

eventvwr

GUI for viewing event logs.

findstr

Search for a text string in a file.

:: case-insensitive search
findstr /i brian file.txt

:: match patterns at the beginning of the line
findstr /b /i beginningpattern file.txt

:: regular expression search
findstr /i /r /c:"hello.*goodbye" file.txt

:: search in subfolders for txt and ini files
findstr /si searchstr *.txt *.ini

hostname

Display the host name portion of the full computer name of the computer.

:: the two below commands are essentially equivalent
hostname
echo %COMPUTERNAME%

icacls

Display or modify Access Control Lists (ACLs) for files and folders.

$ icacls C:\Windows
C:\Windows NT SERVICE\TrustedInstaller:(F)
           NT SERVICE\TrustedInstaller:(CI)(IO)(F)
           NT AUTHORITY\SYSTEM:(M)
           NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
           BUILTIN\Administrators:(M)
           BUILTIN\Administrators:(OI)(CI)(IO)(F)
           BUILTIN\Users:(RX)
           BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
           CREATOR OWNER:(OI)(CI)(IO)(F)
           APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
           APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
           APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)
           APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

net

Manage network resources. The following subcommands are available within this tool (see the SS64 reference for more information):

:: temporarily map the local t: drive
net use t:\\computername\c$ /persistent:no

:: map the first available drive to mount sysinternals tools
net use * https://live.sysinternals.com

:: remove a drive map
net use t: /delete

:: view all local users
net user

:: view all local groups
net localgroup

:: create a new user
net user brian mypassword /add

:: add a user to a group
net localgroup Administrators brian /add

netsh advfirewall

Interact with firewall configurations.

:: query basic firewall information
netsh firewall show state
netsh firewall show config

:: disable the firewall on newer Windows versions
netsh advfirewall set allprofiles state off

:: disable the firewall on older Windows versions
netsh firewall set opmode disable

reg

Command-line tool for interacting with the registry.

:: search registry for keyword "password"
reg query HKLM /f password /t REG_SZ /s

:: search registry for AlwaysInstallElevated value
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

regedit

GUI program for viewing and editing the registry.

sfc

Scan the integrity of all protected system files and replaces incorrect versions with correct Microsoft versions.

:: verify a single file
sfc /verifyfile=c:\windows\system32\winhttp.dll

:: verify all system files; if any are malformed then they will be replaced
sfc /scannow

where

Find executables in the PATH environment variable.

:: a simple example
$ where findstr
C:\Windows\System32\findstr

:: recursive search in C:\Windows for executable-ish files
where /r C:\windows *.exe *.dll *.bat

:: return only the exit code without printing output (useful for scripting)
$ where /q notarealprogram || echo Couldn't find it
Couldn't find it

wmic

Windows Management Instrumentation Command: retrieve a huge range of information about local or remote computers. See the SS64 wmic reference for a full overview of functionality.

:: show all users on the local machine
$ wmic useraccount list brief
AccountType  Caption                     Domain   FullName        Name                SID
512          BrianJr\Administrator       BrianJr                  Administrator       <sid>
512          BrianJr\Brian               BrianJr  Brian Welch     Brian               <sid>
...

:: NIC information
wmic nicconfig list brief

:: list event logs
$ wmic nteventlog list brief
FileSize  LogfileName                        Name                                                                     NumberOfRecords
18944000  Application                        C:\WINDOWS\System32\Winevt\Logs\Application.evtx                         24994
69632     HardwareEvents                     C:\WINDOWS\System32\Winevt\Logs\HardwareEvents.evtx                      0
69632     Internet Explorer                  C:\WINDOWS\System32\Winevt\Logs\Internet Explorer.evtx                   0
...

:: show locally running processes
$ wmic process list brief
HandleCount  Name                                                    Priority  ProcessId  ThreadCount  WorkingSetSize
0            System Idle Process                                     0         0          4            8192
5619         System                                                  8         4          184          13910016
0            Registry                                                8         96         3            1556480
...

:: show locally running services
$ wmic service list brief
ExitCode  Name                                                    ProcessId  StartMode  State    Status
0         AdobeARMservice                                         4620       Auto       Running  OK
0         AdobeFlashPlayerUpdateSvc                               0          Manual     Stopped  OK
1077      AJRouter                                                0          Manual     Stopped  OK
...

wf / wf.msc

Windows Defender Firewall GUI.

wevtutil

The Windows Events Command Line Utility. Retrieve information about event logs and publishers, install and uninstall event manifests, run queries, and export, archive, and clear logs.

:: show all logs
wevtutil el

:: get security log info
wevtutil gli security

:: get last three events from the security log
wevtutil qe security /c:3

PowerShell

PowerShell versions

Version Release Date Windows Version
1.0 Nov 2006 Win XP
2.0 Oct 2009 Win 7
3.0 Sep 2012 Win 8
4.0 Oct 2013 Win 8.1
5.0 Apr 2014 Win 10

Execution policy

Execution policies are designed to protect users, but they really just get in the way.

There are several different policies:

Here's how to bypass them:

# pipe your script to a PowerShell process
Write-Host "<script contents>" | powershell.exe -noprofile -

# pipe your script from a file
Get-Content script.ps1 | powershell.exe -noprofile -
type script.ps1 | powershell.exe -noprofile -

# piping to Invoke-Expression
Get-Content script.ps1 | Invoke-Expression

# download and run via IEX
IEX(New-Object Net.WebClient).DownloadString('https://bit.ly/myscript')

# execute via -Command switch
powershell.exe -Command "Write-Host 'Executing some PowerShell"

# run via Invoke-Command
Invoke-Command -ScriptBlock {Write-Host "Executing some more PowerShell"}

# use the bypass execution policy
powershell.exe -ExecutionPolicy Bypass -File script.ps1

# set the execution policy for the process scope
Set-ExecutionPolicy Bypass -Scope Process

# disable ExecutionPolicy by swapping out the AuthorizationManager
function Disable-ExecutionPolicy {($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue($executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))}
Disable-ExecutionPolicy script.ps1

Multi-threading

Multi-threading can be achieved via the Start-Job, Get-Job, Receive-Job, and Remove-Job cmdlets.

# print a couple of strings via concurrent jobs
"Hello", "Good-bye" | %{
    $ThreadScript = {
        param($word)
        Write-Host "You wanted me to say $word"
        Start-Sleep 5
    }

    Write-Host "Beginning job for $_..."
    Start-Job $ThreadScript -ArgumentList $_
}

# block until job execution completes
While (Get-Job -State "Running") { Start-Sleep 1 }

# display output from all jobs
Get-Job | Receive-Job

# clean up
Remove-Job *

Get-Process

Get the processes running on the local computer.

PS C:\> Get-Process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    225      18     3552       9692       8.58   4612   0 AppleMobileDeviceService
    395      23    14268      25032       0.77  11520   6 ApplicationFrameHost
    322      16     2980      13028       0.22   4620   0 armsvc
...

Get-Service

Get the services running on the local computer.

PS C:\> Get-Service
Status   Name               DisplayName
------   ----               -----------
Running  AdobeARMservice    Adobe Acrobat Update Service
Stopped  AdobeFlashPlaye... Adobe Flash Player Update Service
Stopped  AJRouter           AllJoyn Router Service
...

Get-Help

Display information about Windows PowerShell commands and concepts.

# Get-Help about Get-Help (mind = blown)
Get-Help Get-Help

# include examples
Get-Help Get-Process -Examples

Get-Alias

Get aliases for the current session.

# get all aliases for the current session
Get-Alias

# look up aliases mapped to a specific command
PS C:\> Get-Alias -Definition Get-ChildItem

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Alias           dir -> Get-ChildItem
Alias           gci -> Get-ChildItem
Alias           ls -> Get-ChildItem

Get-Member

Gets the properties and methods of objects.

PS C:\>Get-Service | Get-Member
    TypeName: System.ServiceProcess.ServiceController
    Name                      MemberType    Definition
    ----                      ----------    ----------
    Name                      AliasProperty Name = ServiceName
    Close                     Method        System.Void Close()
    Continue                  Method        System.Void Continue()
...

Get-CimInstance

Gets the CIM instances of a class from a CIM server. CIM (Common Information Model) is like WMI but intended to be cross-platform.

# get running processes
Get-CimInstance -ClassName Win32_Process

# get running processes with an applied filter
Get-CimInstance -ClassName Win32_Process -Filter "Name like 'p%'"

# get a property from two remote computes named Server01 and Server02
$s = New-CimSession ComputerName Server01,Server02
Get-CimInstance -ClassName Win32_ComputerSystem -CimSession $s

Get-Item

Get files and folders.

# get all of the streams from a specific file
Get-Item file.txt -Stream *

# get all items in the current directory
Get-Item .

# deterimine the last access time of a directory
(Get-Item C:\Windows).LastAccessTime

# filter out matches
Get-Item C:\Windows\*.exe -Exclude w*

Get-ItemProperty

Get the properties of a specified item (shocker).

# get the properties of a directory
Get-ItemProperty C:\Windows

# display the value name and data of each of the registry entries contained in
# the CurrentVersion registry subkey
PS C:\> Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion
ProgramFilesDir          : C:\Program Files
CommonFilesDir           : C:\Program Files\Common Files
ProgramFilesDir (x86)    : C:\Program Files (x86)
...

# gets the value name and data of the ProgramFilesDir registry entry in the
# CurrentVersion registry subkey
PS C:\> Get-ItemProperty -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion -name "ProgramFilesDir"
ProgramFilesDir : C:\Program Files
PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
PSChildName     : CurrentVersion
PSDrive         : HKLM
PSProvider      : Microsoft.PowerShell.Core\Registry

Get-NetFirewallRule

Retrieve firewall rules from the target computer.

# retrieve all of the firewall rules in the active store (i.e., those that
# apply to the computer)
Get-NetFirewallRule -PolicyStore ActiveStore

# retrieve all of the firewall rules scoped to the public profile
Get-NetFirewallProfile -Name Public | Get-NetFirewallRule

Get-Acl

Get the security descriptor for a resource, such as a file or registry key.

# get security access information about the C:\Windows directory
Get-Acl C:\Windows

# view access controls of a registry key
Get-Acl -Path "HKLM:\System\CurrentControlSet\Control" | Format-List

Get-Eventlog

Get the events in an event log, or a list of the event logs, on the local or remote computers.

# get all event logs on a computer
Get-EventLog -List

# get the five most recent entries in the Application event log
Get-EventLog -Newest 5 -LogName "Application"

# query event logs on remote computers
Get-EventLog -LogName "Windows PowerShell" -ComputerName "localhost", "Server01", "Server02"

# search for log messages that match a pattern
Get-EventLog -LogName "Windows PowerShell" -Message "*failed*"

Third-party / sysinternals

accesschk

Report effective permissions for securable objects.

:: check the permissions of a folder
$ accesschk.exe C:\Windows

Accesschk v6.12 - Reports effective permissions for securable objects
Copyright (C) 2006-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Windows\.erlang.cookie
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  R  BUILTIN\Users
  R  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
  R  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES
...

autoruns

GUI tool that will show you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players.

handle

Handle viewer to search for open file references.

:: dump all handles
handle -a

procexp

AKA: Process Explorer. A GUI tool for examining running processes, considered to be a more advanced form of the Windows Task Manager.

procmon

AKA: Process Monitor. A GUI tool for displaying information regarding the file system, registry, and the processes running on the system as they are occurring.

psinfo

Gathers key information about the local or remote system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system, and if it's a trial version, the expiration date.

$ psinfo

PsInfo v1.78 - Local and remote system information viewer
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\BRIANJR:
Uptime:                    3 days 17 hours 59 minutes 31 seconds
Kernel version:            Windows 10 Enterprise, Multiprocessor Free
...

pslist

Show running process statistics.

$ pslist

PsList v1.4 - Process information lister
Copyright (C) 2000-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Process information for BRIANJR:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   4    0     52    65:17:57.812    90:00:08.176
System                4   8 191 5839    228     0:25:56.375    90:00:08.176
Registry             96   8   3    0   2240     0:00:02.437    90:00:09.431
smss                440  11   2   52    488     0:00:00.281    90:00:08.170
...

psloggedon

Display both the locally logged on users and users logged on via resources for either the local computer, or a remote one. If you specify a user name instead of a computer, psloggedon searches the computers in the network neighborhood and tells you if the user is currently logged on.

$ psloggedon

PsLoggedon v1.35 - See who's logged on
Copyright (C) 2000-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Users logged on locally:
     11/18/2018 5:32:55 AM      BRIANJR\Brian
     <unknown time>             BrianJr\postgres

No one is logged on via resource shares.

logonsessions

List the currently active logon sessions and, if you specify the -p option, the processes running in each session.

$ logonsessions

LogonSessions v1.4 - Lists logon session information
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


[0] Logon session 00000000:000003e7:
    User name:    WORKGROUP\BRIANJR$
    Auth package: NTLM
    Logon type:   (none)
    Session:      0
    Sid:          S-1-5-18
    Logon time:   11/14/2018 4:14:14 PM
    Logon server:
    DNS Domain:
    UPN:
...

tcpview

GUI tool to show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections,

psexec

A light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.

Input is only passed to the remote system when you press the Enter key. Typing Ctrl-C terminates the remote process.

:: execute a command on Mark's laptop
psexec \\marklap "c:\long name app.exe"

psgetsid

Translate SIDs to their display name and vice versa.

:: get the SID for a user
psgetsid brian

sigcheck

Show file version number, timestamp information, and digital signature details, including certificate chains. Also includes an option to check a file's status on VirusTotal.

:: check for unsigned files in C:\Windows\System32
sigcheck -u -e c:\Windows\System32

Process states

New / created

Newly created process follows this flow:

Ready

Process ready to execute when given the opportunity (CPU Time).

Running

Process currently being executed (one or more threads executing).

Waiting

Process can’t execute until some event occurs (i.e., I/O Read).

Terminated / exit

Termination of a process due to a halt or abort.

Thread states

Initialized

Threads are placed in the Initialized state whilst they are being created.

Running

A Running thread is the thread that is currently executing on a processor.

Ready

Threads that are not Ready to run are given state determined by the reason they cannot run.

Deferred ready

Global state that indicates the thread is ready to run on any processor. This can be used for one CPU to schedule a high priority thread on another CPU, for example.

Waiting

Waiting on some event, such as synchronization or I/O completion, or can be forced to wait if they access memory that is paged to disk, for example. Once the event has been signalled, or the timeout has elapsed, the thread will be eligible to run again.

Transition

Threads placed in this state when their kernel stack has been paged out. These threads will not be ready to run until their kernel stack is available again.

Standby

The Standby thread is the Ready thread that is currently selected to be swapped into the Running state next on that processor. However, this may change if a higher priority thread becomes ready before the change is made.

Terminated

For threads that have exited. They will remain here until the system has cleaned up.

Registry

Primary hive (root) keys:

Only HKU and HKLM are available via remote tools.

To query the hivelist:

reg query hklm\system\currentcontrolset\control\hivelist

Registry contains keys and values:

Registry data types:

Type Description
REG_BINARY Binary data in any form
REG_DWORD 32-bit number
REG_QWORD 64-bit number
REG_DWORD_LITTLE_ENDIAN 32-bit number in little-endian format, equivalent to REG_DWORD
REG_QWORD_LITTLE_ENDIAN A 64-bit number in little-endian format, equivalent to REG_QWORD
REG_DWORD_BIG_ENDIAN 32-bit number in big-endian format
REG_EXPAND_SZ Null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%")
REG_LINK Unicode symbolic link
REG_MULTI_SZ Array of null-terminated strings that are terminated by two null characters
REG_NONE No defined value type
REG_RESOURCE_LIST Device-driver resource list
REG_SZ Null-terminated string

Logging Sequence

Windows Resource Protection (WRP)

Previously known as Windows File Protection (WPF) in Windows XP, which did the following:

WRP adds the following functionality:

The following are still blue team concerns with regard to WRP:

User Account Control (UAC)

Limits the privileges of user-run applications (even when run as Administrator) in order to prevent the modification of system files, resources, or settings. This mechanism causes explicit acknowledgement from the user when elevated privileges are requested.

User Interface Privilege Isolation (UIPI) is a part of UAC, where each process is given a privilege level.

New Technology File System (NTFS)

Each file in NTFS has a security descriptor, which includes: * Security identifiers (SIDs) for the owner * A Discretionary Access Control List (DACL) that specifies the read/write/execute/delete access rights allowed or denied to particular users or groups * A System Access Control List (SACL) that specifies the types of access attempts that generate audit records for the object

Locating SIDs in the registry:

reg query HKU
reg query "hklm\software\microsoft\windows nt\currentversion\profilelist\{SID}"

wmic useraccount get name,sid,fullname
wmic useraccount where sid={sid} get name
wmic useraccount where name={name} get sid

Get-ChildItem Registry::\HKEY_USERS -ErrorAction SilentlyContinue
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\'

Equivalent methods of checking the permission properties of notepad.exe:

:: via explorer.exe: right click -> properties -> security
icacls C:\Windows\System32\notepad.exe
Get-Acl C:\Windows\System32\notepad.exe | Format-List
accesschk C:\Windows\System32\notepad.exe

Windows Boot Sequence

Windows XP boot sequence

Windows 7 boot sequence

Pre-boot:

Boot:

Logon:

Active Directory

Important features:

Terminology:

Logical AD structure:

Physical AD structure:

Interating with active directory:

General Concepts

Paging

Paging is a memory management scheme by which a computer stores and retrieves data from secondary storage for use in main memory.

User mode and kernel mode

In addition to being private, the virtual address space of a user-mode application is limited. A processor running in user mode cannot access virtual addresses that are reserved for the operating system. Limiting the virtual address space of a user-mode application prevents the application from altering, and possibly damaging, critical operating system data.

All code that runs in kernel mode shares a single virtual address space. This means that a kernel-mode driver is not isolated from other drivers and the operating system itself. If a kernel-mode driver accidentally writes to the wrong virtual address, data that belongs to the operating system or another driver could be compromised. If a kernel-mode driver crashes, the entire operating system crashes.

Tactical Survey

Incident Response

Six phases of incident response (P.I.C.I.E.R.):

Order of volatility:

Enumeration

What to consider when baselining: