Windows Command Line

  • System Information and Configuration:

    • systeminfo: Provides detailed information about the system, including OS version, patches, and system uptime.

    • netstat -ano: Lists all active TCP/UDP connections and listening ports with the owning process ID (-a all sockets, -n numeric addresses, -o PID). Useful for identifying unexpected network connections; pair the PID column with tasklist to name the process.

    • ipconfig /all: Displays all network configuration details, including IP addresses, DNS servers, and MAC addresses.

    • tasklist: Shows all currently running processes, which is vital for identifying suspicious activity.

    • sc query: Lists the status of services. By default only running services are shown; use sc query type= service state= all to include stopped ones, which helps identify unauthorized or rogue services.

    • driverquery: Lists all installed drivers, useful for finding hidden or malicious drivers.
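    The netstat/tasklist correlation above is tedious by hand. The following PowerShell function is an added example, not part of the original page, that parses the output of netstat -ano and resolves each listening socket to its owning process name and image path via Get-Process. It assumes PowerShell 5.1 or later on Windows, netstat.exe on the PATH, and an elevated session (otherwise the Path of processes owned by other accounts is unavailable). The UserWritablePath flag is a review hint of my own, not a verdict.

```powershell
# Added example (not from the original page): correlate "netstat -ano" with the
# process table so each listening socket shows its owning process and image path.
# Assumes PowerShell 5.1+ on Windows, netstat.exe available, elevated session.
function Get-ListeningSocketOwner {
    # netstat -ano: -a all sockets, -n numeric addresses, -o owning PID
    $rows = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }

    foreach ($row in $rows) {
        $f = -split $row.Trim()          # split on runs of whitespace
        if ($f[0] -eq 'TCP') {
            # TCP rows: Proto Local Foreign State PID
            if ($f[3] -ne 'LISTENING') { continue }
            $ownerPid = [int]$f[4]
        } else {
            # UDP rows have no State column: Proto Local Foreign PID
            $ownerPid = [int]$f[3]
        }

        # $PID is a read-only automatic variable, hence the name $ownerPid
        $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { '<not found>' }
        $path     = if ($proc -and $proc.Path) { $proc.Path } else { '<unavailable>' }

        [pscustomobject]@{
            Proto   = $f[0]
            Local   = $f[1]
            PID     = $ownerPid
            Process = $procName
            Path    = $path
            # Heuristic only: a listener whose image lives under a per-user or
            # temp directory deserves a closer look during triage.
            UserWritablePath = [bool]($path -match '\\(Users|Temp|AppData)\\')
        }
    }
}

Get-ListeningSocketOwner | Sort-Object Proto, PID | Format-Table -AutoSize
```

    Sockets in TIME_WAIT or with PID 0 are skipped because only LISTENING TCP sockets and all UDP sockets are kept; widen the filter if you also want established connections.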

  • User Account and Login Information:

    • net users: Lists all user accounts on the system.

    • quser: Displays information about logged-on users, including session name, state, and logon time.

    • net user [username]: Provides detailed information about a specific user account.

    • wevtutil qe Security /f:text /rd:true /c:10: Queries the Security event log for the last 10 entries, which can include logon events.
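    A raw text dump of the last 10 Security events rarely answers "who logged on, how, and from where". The following PowerShell function is an added example, not from the original page, that pulls successful-logon events (Windows event ID 4624) from the Security log with Get-WinEvent, reads the EventData fields by name rather than by positional index, and groups them by account and logon type. It assumes an elevated PowerShell session (reading the Security log requires administrator rights); the MaxEvents default of 500 is an arbitrary choice.

```powershell
# Added example (not from the original page): summarise recent successful logons
# (event ID 4624) from the Security log. Assumes an elevated PowerShell session.
function Get-RecentLogonSummary {
    param([int]$MaxEvents = 500)   # assumed default; raise for busier hosts

    # Logon type codes as documented by Microsoft for event 4624
    $logonTypes = @{
        2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
        8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
        11 = 'CachedInteractive'
    }

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Read EventData fields by name instead of relying on Properties[] indexes
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data |
                ForEach-Object { $data[$_.Name] = $_.'#text' }

            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
                LogonType = $logonTypes[[int]$data.LogonType]
                Source    = $data.IpAddress      # '-' for local logons
                Process   = $data.ProcessName    # logon process on the host
            }
        }
}

# Count logons per (account, logon type): unexpected Network (3) or
# RemoteInteractive (10) logons to an account stand out immediately.
Get-RecentLogonSummary |
    Group-Object User, LogonType |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

    To look at failed logons instead, change the Id to 4625; the EventData field names used here (TargetUserName, LogonType, IpAddress) are the same in both events.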

  • File and Directory Analysis:

    • dir /a /s /b: Lists all files and directories, including hidden ones. Useful for a quick directory traversal.

    • fc /b [file1] [file2]: Compares two files byte-by-byte, which can be useful for checking file integrity.

    • findstr /s /i [string] *.*: Searches for a string in all files, helpful for finding specific content.

  • Network Configuration and Analysis:

    • route print: Displays the current routing table, which can reveal unexpected routes.

    • arp -a: Shows the ARP table, useful for identifying local network devices.

    • nslookup: A tool for querying DNS to resolve hostnames to IP addresses and vice versa.

  • Forensic Tools:

    • powershell "Get-WinEvent -ListLog *": Lists all event logs, useful for identifying available logs for deeper analysis.

    • wmic process list full: Provides comprehensive information about running processes, including their execution path and command line, which can reveal malicious processes. WMIC is deprecated on recent Windows releases; Get-CimInstance Win32_Process is the PowerShell equivalent.

    • vssadmin list shadows: Lists Volume Shadow Copies, which can contain backups of critical files or evidence of tampering.

  • Miscellaneous:

    • sfc /scannow: Scans and verifies the integrity of all protected system files.

    • chkdsk: Checks the file system and file system metadata for logical and physical errors.

    • gpresult /H gpresult.html: Generates a report of group policy settings, which can help identify unauthorized changes.
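    Typing each of the commands above one at a time is error-prone during an incident. The following PowerShell script is an added example, not from the original page, that runs the listed commands in one pass, saves each output to its own file in a timestamped per-host folder, and writes a SHA-256 manifest so the collection can later be shown to be unaltered. It assumes an elevated PowerShell session on Windows with the built-in tools on the PATH; the output root D:\triage is an assumed path and should point at your collection media.

```powershell
# Added example (not from the original page): one-pass collection of the triage
# commands listed on this page, with a SHA-256 manifest. Save as Collect-Triage.ps1
# and run from an elevated PowerShell prompt. Output root is an assumption.
param(
    [string]$OutputRoot = 'D:\triage'   # assumed path; change to your collection drive
)

$hostName = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir   = Join-Path $OutputRoot "$hostName-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Name => command line. Volatile state (sockets, processes, sessions) first,
# static configuration later, so the most perishable data is captured early.
$commands = [ordered]@{
    'netstat-ano'  = 'netstat -ano'
    'tasklist'     = 'tasklist /v'
    'quser'        = 'quser'
    'arp-a'        = 'arp -a'
    'route-print'  = 'route print'
    'ipconfig-all' = 'ipconfig /all'
    'sc-query-all' = 'sc query type= service state= all'
    'driverquery'  = 'driverquery /v'
    'net-users'    = 'net users'
    'systeminfo'   = 'systeminfo'
    'security-log' = 'wevtutil qe Security /f:text /rd:true /c:200'
    'vss-shadows'  = 'vssadmin list shadows'
    'eventlogs'    = 'powershell -NoProfile "Get-WinEvent -ListLog * | Format-Table -AutoSize"'
}

foreach ($entry in $commands.GetEnumerator()) {
    $file = Join-Path $outDir "$($entry.Key).txt"
    Write-Host "[*] $($entry.Value) -> $file"
    # cmd /c so built-ins and stderr redirection behave as at an interactive prompt
    cmd.exe /c "$($entry.Value) 2>&1" | Out-File -FilePath $file -Encoding utf8
}

# gpresult writes its own HTML report; /F overwrites an existing file
gpresult /H (Join-Path $outDir 'gpresult.html') /F

# Integrity manifest: enumerate first so the manifest does not hash itself
$files = Get-ChildItem -Path $outDir -File
$files |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ n = 'File'; e = { Split-Path $_.Path -Leaf } } |
    Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation

Write-Host "[+] Collection complete: $outDir"
```

    Record the manifest hashes in your case notes at collection time; re-running Get-FileHash over the folder later and comparing against manifest.csv is the check that the evidence was not modified in transit.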
