Windows Utilities#
Table of Contents#
attrib
#
[examples]
attrib
attrib //d
attrib //s
[examples]
find /c -exec attrib '{}' \; | egrep '^.{4}H.*' # identify hidden files in the c:\ drive
find /c -exec attrib '{}' \; | egrep '^.{4}H.*' | cut -c22- # identify hidden files in the c:\ drive (display file path only)
autorunsc
#
autoruns //?
eventcreate
#
eventcreate
write entries to the event log
options
/d
a detailed description of the event (any string is valid)
/id
an integer ID between 1 and 1000 that identifies the event
/l
event log name: APPLICATION or SYSTEM
/so
event source, the name of the application generating the event (any string is valid)
/t
event type, a category that best describes the event: ERROR, WARNING, INFORMATION, SUCCESSAUDIT, FAILUREAUDIT
[examples]
eventcreate //ID 200 //L APPLICATION //T INFORMATION //SO "Cybersecurity Ops" //D "This is an event" # write an event to the local system
wevtutil qe APPLICATION //c:1 //rd:true # view the last event
eventcreate //s https://remote.system //u username //p password //ID 200 //L APPLICATION //T INFORMATION //SO "Cybersecurity Ops" //D "This is an event" # write an event to a remote system (a password passed with //p is visible in the process list and in shell history)
icacls
#
icacls
setup ACLs
options
/deny
denies the specified user the specified permissions
/grant
allows the specified user the specified permissions
/reset
resets the ACLs to the default inherited permissions
Windows file permissions
F
full
M
modify
RX
read and execute
R
read-only
W
write-only
[examples]
icacls report.txt # view the current permissions for file `report.txt`
icacls report.txt //grant jsmith:rw # grant user `jsmith` read-write permission for file `report.txt`
net
#
net
manage users, groups, etc.
options
group
add or modify a group
user
add or modify a user
net help
net user //help
net user jsmith somepassword //add # create a new user `jsmith` with password `somepassword`
net user jsmith otherpassword # set a password `otherpassword` for user `jsmith`
net user jsmith * # Command Prompt ONLY: prompt for the password and stop it from being echoed to the screen
net user # view a list of users
net user jsmith # view information about user `jsmith`
net user jsmith //delete # delete user `jsmith`
net group ... # groups associated with a Windows domain
net localgroup ... # local system groups
net localgroup accounting //add # create a new group `accounting`
net localgroup accounting jsmith //add # add user `jsmith` to group `accounting`
net localgroup accounting # view a list of users associated with group `accounting`
netsh
#
reg
#
reg
“Windows Registry” (available on Windows XP and later)
reg /?
- help
reg command /?
- help for command
reg add
- add an entry to the registry
reg export
- copy the specified registry entries to a file
reg query
- return a list of subkeys below the specified path
[example]
List all the root keys in hive HKEY_LOCAL_MACHINE.
reg query HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
ServiceLastKnownStatus REG_DWORD 0x2
HKEY_LOCAL_MACHINE\BCD00000000
HKEY_LOCAL_MACHINE\HARDWARE
HKEY_LOCAL_MACHINE\SAM
HKEY_LOCAL_MACHINE\SECURITY
HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_LOCAL_MACHINE\SYSTEM
[example]
Export hive HKEY_LOCAL_MACHINE.
reg export HKEY_LOCAL_MACHINE ${HOSTNAME}_hklm.bak
regedit
#
[example]
Export the entire Windows Registry to a file.
regedit //E ${HOSTNAME}_reg.bak
runas
#
sc
#
schtasks
#
schtasks
schedule tasks to run commands at a particular time or interval
options
/Create
schedule a new task
/Delete
delete a scheduled task
/Query
list all scheduled tasks
/SC
schedule frequency
/ST
start time
/TN
task name
/TR
task to run
[example]
schtasks //Create //TN "Network Scanner" //SC DAILY //ST 08:00 //TR "C:\Users\Paul\AppData\Local\Programs\Git\git-bash.exe C:\Users\Paul\autoscan"
sfc
#
sfc
Resource Checker - scans the integrity of all protected system files and replaces incorrect versions with correct Microsoft versions
[examples]
sfc //scanfile=<file> # scans integrity of the file with full path <file>, repairs file if problems are identified
sfc //scannow # scans integrity of all protected system files and repairs files with problems when possible
sfc //verifyfile=<file> # verifies the integrity of the file with full path <file> but no repair operation is performed
sfc //verifyonly # scans integrity of all protected system files but no repair operation is performed
systeminfo
#
[ w ] systeminfo
general system settings
wevtutil
#
wevtutil
“Windows Event Utility”
wevtutil el
- enumerate available logs
wevtutil qe
- query a log's events
options
/c (cmd) or //c (gitbash)
specify the max number of events to read
/f (cmd) or //f (gitbash)
format the output as text or XML
/rd (cmd) or //rd (gitbash)
read direction - if set to true then it will read the most recent logs first
[example]
View the most recent event in log System (in Git Bash).
wevtutil qe System //c:1 //rd:true
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-WindowsUpdateClient' Guid='{945a8954-c147-4acd-923f-40c45405a658}'/><EventID>19</EventID><Version>1</Version><Level>4</Level><Task>1</Task><Opcode>13</Opcode><Keywords>0x8000000000000018</Keywords><TimeCreated SystemTime='2023-11-17T17:06:10.6937615Z'/><EventRecordID>2095</EventRecordID><Correlation ActivityID='{f798f182-1971-0002-5460-9af77119da01}'/><Execution ProcessID='1588' ThreadID='1960'/><Channel>System</Channel><Computer>DAVEFRIEDMABB22</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='updateTitle'>9NMPJ99VJBWV-Microsoft.YourPhone</Data><Data Name='updateGuid'>{3b94222f-a640-412b-a341-771d83dd9904}</Data><Data Name='updateRevisionNumber'>1</Data><Data Name='serviceGuid'>{855e8a7c-ecb4-4ca3-b045-1dfa50104289}</Data></EventData></Event>
[example] Cybersecurity Ops with bash
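#!/usr/bin/env bash
#
# winlogs.sh
#
# Description:
# Gather copies of Windows log files: every log reported by `wevtutil el`
# is exported as <hostname>_<log name>.evtx into a scratch directory.
#
# Usage:
# winlogs.sh [-z] [dir]
# -z Tar and zip the output
# dir Optional scratch directory for holding the log files
#
# Requires: wevtutil (Windows), hostname, mkdir, and tar when -z is given.
# Exit status: 2 if the scratch directory cannot be created or entered.
TGZ=0
if (( $# > 0 ))
then
  if [[ ${1:0:2} == '-z' ]] # compare the first two characters of the first argument (offset 0, length 2)
  then
    TGZ=1 # tgz flag to tar/zip the log files
    shift # shift the first argument `-z` out of the way so that the second argument is now the first argument
  fi
fi
SYSNAM=$(hostname)
LOGDIR=${1:-/tmp/${SYSNAM}_logs} # create a default location if the user didn't supply one
# Quote the path: a scratch directory containing blanks would otherwise be split into several arguments.
mkdir -p -- "$LOGDIR" || exit 2
cd -- "$LOGDIR" || exit 2 # exit codes are 0-255; a negative value such as `exit -2` is not portable
# `read -r` keeps backslashes in log names literal; IFS= preserves leading and trailing blanks.
wevtutil el | while IFS= read -r ALOG
do
  # Windows lines end with CRLF (`\r\n`); `read` removes the `\n`, so strip one
  # trailing carriage return (ASCII 13, spelled $'\r') from the log name.
  ALOG="${ALOG%$'\r'}"
  [[ -n "$ALOG" ]] || continue # skip blank lines instead of exporting an empty log name
  printf '%s:\n' "$ALOG" # display progress
  SAFNAM="${ALOG// /_}" # replace all blanks with underscores
  SAFNAM="${SAFNAM//\//-}" # replace all forward slashes with dashes
  wevtutil epl "$ALOG" "${SYSNAM}_${SAFNAM}.evtx"
done
if (( TGZ == 1 ))
then
  shopt -s nullglob # an unmatched *.evtx would otherwise be passed to tar as a literal name
  evtx_files=(*.evtx)
  if (( ${#evtx_files[@]} > 0 ))
  then
    tar -czvf "${SYSNAM}_logs.tgz" "${evtx_files[@]}"
  else
    printf 'no .evtx files were exported; nothing to archive\n' >&2
  fi
fi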
winget
#
[ w ] winget
[examples]
winget list
winget list git
winver
#
wmic
#
wmic
Windows Management Instrumentation Command
options
process
manipulate currently running processes
product
installation package management
[examples]
wmic product get name,version //format:csv
Windows Command Prompt#
[ w ] cls
[ w ] dir
/S
recurse through subdirectories
/A:H
display files with the hidden attribute
dir c:\ /S /A:H # identify hidden files in the c:\ drive
[ w ] help
[ w ] where
PS |
CMD |
Git Bash |
Description |
---|---|---|---|
|
|
|
|
|
|
|
|
. |
|
|
|
|
|
|
|
|
|||
|
|||
|
|
|
|
. |
|
|
|
|
|
|
|
|
|
get all environment variables |
|
|
|
get the environment variable called ComSpec |
|
|
|
|
|
. |
|
|
|
. |
|
|
|
. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
. |
|
||
|
|
|
|
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|||
|