Scribd
Upload
12 views

Windows forensic commands - Draft

The document provides a comprehensive list of Windows forensic commands categorized into various sections such as Network Discovery, Network Scan, Firewall, Users, Services, Registry, Shadow Files, System Info, and Miscellaneous. Each section includes specific commands for tasks like displaying network devices, managing users, configuring firewall rules, and retrieving system information. These commands are essential for conducting forensic analysis and managing Windows systems effectively.

Uploaded by

scribd1975scribd
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
12 views

Windows forensic commands - Draft

The document provides a comprehensive list of Windows forensic commands categorized into various sections such as Network Discovery, Network Scan, Firewall, Users, Services, Registry, Shadow Files, System Info, and Miscellaneous. Each section includes specific commands for tasks like displaying network devices, managing users, configuring firewall rules, and retrieving system information. These commands are essential for conducting forensic analysis and managing Windows systems effectively.

Uploaded by

scribd1975scribd
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 7

Windows forensic commands

Network discovery:

 Display a list of network devices in the domain or workgroup:


net view

 Display all shared resources on a network:


net view /all

 Display the shared resources on a specific computer or server:


net view \\”hostname”

 Display shared resources on a computer:


net share

 Display information about active sessions connected to the computer:


net session

 Display information about shared folders on the local computer:


wmic share get

Network Scan:

 nbtstat -A IPaddress
for /L %I in (1,1,254) do ping -w 30 -n 1 192.168.1.%I | find "Reply" >> PingSweepResult.txt

 nbtstat -c
for /L %I in (1,1,254) do nbtstat -An 192.168.1.%I

 View saved wifi connections:


netsh wlan show profile

 View saved passwords:


netsh wlan show profile “wlan name” key=clear

Network:

 Network Interface Statistics:


netstat -e

 Display Route Table:


netstat -nr

 Detailed Route Table:


route print

 IP Statistics:
netstat -s

 Active Network Connections:


netstat -naob
 Detailed Information Active Network Connections:
netstat -vb

 Display the Address Resolution Protocol cache:


arp -a

 Detailed information about the network config for all NIC:


ipconfig /all

 Information about the wireless network interfaces:


netsh wlan show interfaces

 Wireless System Information:


netsh wlan show all

 List of network clients installed:


wmic netclient list brief

 Display configuration information for all NICs:


wmic nicconfig get

 Display information about network resources currently connected to the system:


wmic netuse get

Firewall:

 Display all firewall rules configured in the Windows Firewall:


netsh advfirewall show rule name=all

 Disable the Windows Firewall for all network profiles:


netsh advfirewall set allprofile state off

 Enable the Windows Firewall for all network profiles:


netsh advfirewall set allprofile state on

 Enable the Windows Firewall specifically for the Public network profile
netsh advfirewall set publicprofile state on

 Enable the Windows Firewall specifically for the Private network profile:
netsh advfirewall set privateprofile state on

 Enable the Windows Firewall specifically for the Domain network profile:
netsh advfirewall set domainprofile state on

 Create a rule in the Windows Firewall to allow incoming traffic on port 80 over TCP:
netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP
localport=80

 Add a custom firewall rule in Windows that allows incoming traffic for a specific application:
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\
MyApp\MyApp.exe" enable=yes
Users:

 Create user:
net user /add “username” “password”

 Add user to a group (e.g. administrators):


net localgroup “administrators” “username” /add

 View user details:


net user “username”

 Change password:
net user “username” “newpassword”

 Display a list of user accounts on the local computer:


net users

 Display the membership of the Administrators group:


net localgroup administrators

 Display group memberships in Acitve Directory environments:


net group administrators

 Use Windows Management Instrumentation to query and manage Remote Desktop settings:
wmic rdtoggle list

 Display a list of user accounts:


wmic useraccount list

 Display all local groups:


wmic group list

 Retrieves information about user login activities:


wmic netlogin get name,lastlogin,badpasswordcount

Services:

 Schedules commands and programs (deprecated):


at

 Schedules commands and programs:


schtask

 Displays a list of currently running processes:


tasklist

 Displays services hosted in each process:


tasklist /svc

 List or manage the services currently running:


net start
 Query the status of services on a local or remote machine:
sc query

 List all services that are currently in the Running state:


wmic service list brief | findstr "Running"

 List all services that are currently in the Stopped state:


wmic service list brief | findstr "Stopped"

 Display the configuration settings of all services on the system:


wmic service list config

 Display the services installed on the system in a concise format:


wmic service list brief

 Display all services with their current status:


wmic service list status

 Display a list of running services along with their memory usage:


wmic service list memory

 Display running services and applications along with their memory usage:
tasklist /fo table

 start/stop service:
sc config "service name" start= disable

 Stop a service on a Windows machine:


sc stop "service name"

 Start a service on a Windows machine:


sc start "service name"

 Disable a service by setting its startup type to "Disabled":


wmic service where name="service name" call ChangeStartMode Disabled

 Display a detailed list of programs and services that run automatically at system startup:
wmic startup list full

Read registry entries:

 Display registry values and settings stored under the specified key:
reg query "HKCU\Control Panel\Desktop"

 Disable Remote Desktop:


reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v
fDenyTSConnections /t REG_DWORD /d 0 /f

 Enable Remote Desktop:


reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v
fDenyTSConnections /t REG_DWORD /d 1 /f
 Enable Remote Assistance:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v
fAllowToGetHelp /t REG_DWORD /d 1 /f

Shadows files:

 Display information about the shadow copy storage areas:


vssadmin List ShadowStorage

 Display all the Volume Shadow Copies (VSS) that exist on the system:
vssadmin List Shadow

 start the Volume Shadow Copy Service (VSS):


net start VSS

System info:

 Display the current date and time:


echo %DATE% %TIME%

 Display the name of the computer or host on the network:


hostname

 Display detailed configuration information about the operating system and the computer:
systeminfo

 Display the model name of the computer system:


wmic csproduct get name

 Retrieve the serial number of the computer's BIOS:


wmic bios get serialnumber

 Display a summary of key details about the computer system:


wmic computersystem list brief

 Display information about the system's storage volumes in a concise format:


wmic volume list brief

 Display information about the logical disks (partitions):


wmic logicaldisk get

 Query information about the domain that the computer is part of, in a brief format:
wmic ntdomain list brief

 Display, set, or modify environment variables:


set

 Display the Group Policy Result:


gpresult /r
 Display information about installed hotfixes or updates:
wmic qfe

 Display the configuration settings for the Security log:


wevtutil gl Security

Miscellaneous:

 Displays the contents of a text file or files:


type “file.txt”

 Force reboot:
shutdown /r /f

You might also like