The Windows® Command Line is an application available on most versions of Microsoft Windows that lets the user enter specific commands. These commands can probe the system, perform administrative functions, run specialized scripts that automate operations, troubleshoot or isolate problems, or support a live investigation when an incident occurs.
It is important to note that for this to work on the machine you are investigating, the current user must have Admin rights.
File System Information
The file system utility fsutil is a suite of command-line operations for displaying and managing certain file and drive properties. It is an advanced tool intended primarily for system administrators, but security professionals will also find that it has a number of possible applications. The fsutil utility contains a host of subcommands, which are listed below. Each of these subcommands may in turn have additional subcommands of its own:
PS C:\Users\JOSEPH> fsutil
---- Commands Supported ----
8dot3name 8dot3name management
behavior Control file system behavior
bypassIo BypassIo management
dax Dax volume management
dirty Manage volume dirty bit
file File specific commands
fsInfo File system information
hardlink Hardlink management
objectID Object ID management
quota Quota management
repair Self healing management
reparsePoint Reparse point management
storageReserve Storage Reserve management
resource Transactional Resource Manager management
sparse Sparse file control
tiering Storage tiering property management
trace File system trace management
transaction Transaction management
usn USN management
volume Volume management
wim Transparent wim hosting management
To get information about the file system, use the fsinfo subcommand. This command lists all drives, queries the drive type, queries volume information, queries NTFS-specific volume information, or queries file system statistics. This subcommand also has its own subcommands, which can be used to obtain specific file system information. They are listed below:
PS C:\Users\JOSEPH> fsutil fsinfo
---- FSINFO Commands Supported ----
drives List all drives
driveType Query drive type for a drive
ntfsInfo Query NTFS specific volume information
refsInfo Query REFS specific volume information
sectorInfo Query sector information
statistics Query file system statistics
volumeInfo Query volume information
To list all the drives present on the system, enter the following command:
PS C:\Users\JOSEPH> fsutil fsinfo drives
Drives: C:\ D:\
To display the drive type for a particular drive, enter the command below:
PS C:\Users\JOSEPH> fsutil fsinfo Drivetype D:
D: - Fixed Drive
To display important statistics about a volume, enter the following command:
PS C:\Users\JOSEPH> fsutil fsinfo statistics D:
File System Type : NTFS
UserFileReads : 89
UserFileReadBytes : 22896640
UserDiskReads : 1705
UserFileWrites : 0
UserFileWriteBytes : 0
UserDiskWrites : 0
MetaDataReads : 24
MetaDataReadBytes : 376832
MetaDataDiskReads : 32
MetaDataWrites : 0
MetaDataWriteBytes : 0
MetaDataDiskWrites : 0
To obtain information for a specified volume, such as the file system type and whether the volume supports case-sensitive file names, Unicode in file names, disk quotas, or is a Direct Access (DAX) volume, enter the command below:
PS C:\Users\JOSEPH> fsutil fsinfo volumeinfo D:
Volume Name : NTFS1
Volume Serial Number : 0x5048ccc7
Max Component Length : 255
File System Name : NTFS
Is ReadOnly
Not Thinly-Provisioned
Supports Case-sensitive filenames
Preserves Case of filenames
Supports Unicode in filenames
Preserves & Enforces ACL's
Supports file-based Compression
Supports Disk Quotas
Supports Sparse files
Supports Reparse Points
Returns Handle Close Result Information
Supports Bypass IO
Supports Object Identifiers
Supports Encrypted File System
Supports Named Streams
Supports Transactions
Supports Hard Links
Supports Extended Attributes
Supports Open By FileID
Supports USN Journal
To display NTFS-specific volume information for a specified volume, enter the command below. This command lists information such as the number of sectors, total clusters, free clusters, bytes per cluster, and the start and end of the MFT Zone.
PS C:\Users\JOSEPH> fsutil fsinfo ntfsinfo D:
NTFS Volume Serial Number : 0xda5048e85048ccc7
NTFS Version : 3.1
LFS Version : 1.1
Total Sectors : 1,008,895 (492.6 MB)
Total Clusters : 1,008,895 (492.6 MB)
Free Clusters : 887,522 (433.4 MB)
Total Reserved Clusters : 0 ( 0.0 KB)
Reserved For Storage Reserve : 0 ( 0.0 KB)
Bytes Per Sector : 512
Bytes Per Physical Sector : 512
Bytes Per Cluster : 512 (0 KB)
Bytes Per FileRecord Segment : 1024
Clusters Per FileRecord Segment : 2
Mft Valid Data Length : 96.00 KB
Mft Start Lcn : 0x00000000000521aa
Mft2 Start Lcn : 0x000000000007b27f
Mft Zone Start : 0x0000000000052260
Mft Zone End : 0x0000000000070e60
MFT Zone Size : 61.50 MB
Max Device Trim Extent Count : 524543
Max Device Trim Byte Count : 0x1001fe00
Max Volume Trim Extent Count : 62
Max Volume Trim Byte Count : 0x1001fe00
NTFS File System Behaviour
The fsutil behavior command is used to query or modify NTFS file system behaviour. It has two further subcommands:
- query - This displays the current values for option settings
- set - This is used to change current settings. Commands involving "set" can change Registry entries and may require a reboot to take effect.
It has several options that can be used to query or modify the behaviour of the file system as follows:
Option | Possible Values |
allowextchar | 0 or 1 |
disable8dot3 | 0 or 1 |
disablecompression | 0 or 1 |
disablelastaccess | 0, 1, 2 |
disableencryption | 0 or 1 |
encryptpagingfile | 0 or 1 |
mftzone | 0 through 4 |
memoryusage | 0, 1, 2 |
quotanotify | 1 through 4294967295 seconds |
SymlinkEvaluation | Various |
For example, to check whether last access timestamp updates are enabled, enter the following command:
PS C:\Users\JOSEPH> fsutil behavior query disablelastaccess
DisableLastAccess = 2 (System Managed, Last Access Time Updates ENABLED)
Running Processes and Services
The applications, associated processes, and system services that are running or in use can provide useful investigative information and, of course, a baseline of the state of the system under investigation. The objective is to identify any malicious services and software running on the machine.
Harlan Carvey has suggested documenting the following information about running processes.
- The process' executable image
- The command line used to initiate the process
- How long the process has been running
- The security context that it runs in
- Modules or libraries (DLLs) it accesses
- Memory that the process consumes
The command tasklist lists the processes running on a Windows system, including their name and PID.
PS C:\Users\JOSEPH> tasklist
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 8 K
System 4 Services 0 1,008 K
Secure System 72 Services 0 23,644 K
Registry 124 Services 0 74,176 K
smss.exe 448 Services 0 1,040 K
csrss.exe 652 Services 0 4,268 K
wininit.exe 732 Services 0 4,792 K
csrss.exe 752 Console 1 5,520 K
services.exe 804 Services 0 7,892 K
lsass.exe 812 Services 0 20,480 K
svchost.exe 944 Services 0 34,488 K
fontdrvhost.exe 972 Services 0 2,476 K
WUDFHost.exe 1000 Services 0 11,180 K
svchost.exe 880 Services 0 17,012 K
svchost.exe 968 Services 0 7,492 K
winlogon.exe 1128 Console 1 10,836 K
fontdrvhost.exe 1180 Console 1 7,908 K
dwm.exe 1256 Console 1 90,628 K
svchost.exe 1308 Services 0 3,432 K
svchost.exe 1408 Services 0 6,400 K
svchost.exe 1428 Services 0 9,544 K
svchost.exe 1440 Services 0 10,480 K
svchost.exe 1516 Services 0 9,764 K
svchost.exe 1528 Services 0 14,828 K
svchost.exe 1620 Services 0 7,140 K
svchost.exe 1648 Services 0 9,136 K
There are many more options and these are provided by switches. The full syntax is given below. It should be noted that the command is case-insensitive.
tasklist [/S system [/U username [/P [password]]]] [/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]
The table below describes the various parameters:
Parameter | Description |
/S system | Specifies the remote system to connect to. Not needed for local computer. |
/U username | Specifies the user context. Not needed for local computer. |
/P [password] | Specifies the password for the given user context (if necessary). |
/M [module] | Lists all tasks that have DLL modules loaded in them that match the given pattern name. If the module name is not specified, displays all modules loaded by each task. |
/SVC | Displays services in each process. |
/V | Specifies that the verbose information is to be displayed. |
/FI filter | Displays a set of tasks that match a given criteria specified by the filter. |
/FO format | Specifies the output format. Valid values: "TABLE", "LIST", "CSV". |
/NH | Specifies that the "Column Header" should not be displayed in the output. Valid only for "TABLE" and "CSV" formats. |
These additional parameters enable Tasklist to provide very detailed information about the system. It can be very useful to know the relationship between a process and the services that are running on a system. To obtain a table relating Image Name, PID, and Services use the command below:
PS C:\Users\JOSEPH> tasklist /svc
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
Secure System 72 N/A
Registry 124 N/A
smss.exe 448 N/A
csrss.exe 652 N/A
wininit.exe 732 N/A
csrss.exe 752 N/A
services.exe 804 N/A
lsass.exe 812 EFS, KeyIso, SamSs, VaultSvc
svchost.exe 944 BrokerInfrastructure, DcomLaunch, PlugPlay,
Power, SystemEventsBroker
fontdrvhost.exe 972 N/A
WUDFHost.exe 1000 N/A
svchost.exe 880 RpcEptMapper, RpcSs
svchost.exe 968 LSM
winlogon.exe 1128 N/A
fontdrvhost.exe 1180 N/A
dwm.exe 1256 N/A
svchost.exe 1308 HvHost
svchost.exe 1408 BTAGService
svchost.exe 1428 BthAvctpSvc
svchost.exe 1440 bthserv
svchost.exe 1516 NcbService
svchost.exe 1528 Schedule
svchost.exe 1620 nsi
Attackers have recognized the value of using svchost.exe as a cover for their malware; any process named svchost.exe without corresponding Windows services should be treated as suspicious. The sc command can be used to provide the description of a service. To find the description of BthAvctpSvc from PID 1428 above, enter the following command:
C:\Windows\system32>sc qdescription BthAvctpSvc
[SC] QueryServiceConfig2 SUCCESS
SERVICE_NAME: BthAvctpSvc
DESCRIPTION: This is Audio Video Control Transport Protocol service
Extended information about the state of a service can be found with the below command:
C:\Windows\system32> sc queryex BthAvctpSvc
SERVICE_NAME: BthAvctpSvc
TYPE : 30 WIN32
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1428
FLAGS :
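As an added example (not code from the original article), the following Python script parses saved tasklist /svc output offline, including the wrapped continuation lines such as the one for PID 944 above, and reports any svchost.exe that hosts no service at all, which is the indicator the text treats as suspicious. The sample listing, and its PID 9999 row in particular, is constructed for the demonstration.

```python
import re

# Constructed sample of `tasklist /svc` output, modelled on the listing above.
# The last row (PID 9999) is a constructed svchost.exe that hosts no service.
SAMPLE_TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
lsass.exe                      812 EFS, KeyIso, SamSs, VaultSvc
svchost.exe                    944 BrokerInfrastructure, DcomLaunch, PlugPlay,
                                   Power, SystemEventsBroker
fontdrvhost.exe                972 N/A
svchost.exe                    880 RpcEptMapper, RpcSs
svchost.exe                   1428 BthAvctpSvc
svchost.exe                   9999 N/A
"""

# A process row: image name, whitespace, PID, whitespace, service list or N/A.
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split_services(field):
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Return {pid: (image, [services])} from `tasklist /svc` output.

    A long service list wraps onto continuation lines that begin with
    whitespace and carry no image name or PID (see PID 944 above); those
    names are appended to the previous row's list.
    """
    procs = {}
    last_pid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace():
            if last_pid is not None:
                procs[last_pid][1].extend(_split_services(line))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        field = m.group("services").strip()
        procs[pid] = (m.group("image"), [] if field == "N/A" else _split_services(field))
        last_pid = pid
    return procs


def svchost_without_services(procs):
    """PIDs of svchost.exe instances that host no service at all: the
    indicator the text above says to treat as suspicious. Every legitimate
    svchost.exe hosts at least one service, so an empty result is the
    expected outcome on a clean system."""
    return sorted(pid for pid, (image, services) in procs.items()
                  if image.lower() == "svchost.exe" and not services)


def hosting_process(procs, service_name):
    """Reverse lookup: which (pid, image) hosts a given service name? Case-insensitive."""
    for pid, (image, services) in procs.items():
        if service_name.lower() in (s.lower() for s in services):
            return pid, image
    return None


if __name__ == "__main__":
    procs = parse_tasklist_svc(SAMPLE_TASKLIST_SVC)
    print("svchost.exe without services:", svchost_without_services(procs))
    print("BthAvctpSvc is hosted by:", hosting_process(procs, "BthAvctpSvc"))
```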
Processes can be using many different DLL files by calling on various procedures from their libraries. To find which DLLs are used by each process use the following command. This will return a table relating Image Name, PID, and Modules. "Modules" here indicates DLLs.
PS C:\Users\JOSEPH> tasklist /m
Image Name PID Modules
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
Secure System 72 N/A
Registry 124 N/A
smss.exe 448 N/A
csrss.exe 652 N/A
wininit.exe 732 N/A
csrss.exe 752 N/A
services.exe 804 N/A
lsass.exe 812 ntdll.dll, KERNEL32.DLL, KERNELBASE.dll,
RPCRT4.dll, lsasrv.dll, ucrtbase.dll,
msvcp_win.dll, LSAADT.dll, sechost.dll,
samsrv.dll, CRYPT32.dll, bcrypt.dll,
ncrypt.dll, NTASN1.dll, Wldp.dll,
msvcrt.dll, bcryptprimitives.dll,
msprivs.DLL, netprovfw.dll, JOINUTIL.DLL,
MSASN1.dll, negoexts.DLL, CRYPTBASE.dll,
CRYPTSP.dll, kerberos.DLL, USERENV.dll,
KerbClientShared.dll, WS2_32.dll,
gpapi.dll, cryptdll.dll, mswsock.dll,
msv1_0.DLL, NtlmShared.dll, netlogon.DLL,
gmsaclient.dll, tspkg.DLL, advapi32.dll,
SspiCli.dll, pku2u.DLL, cloudAP.DLL,
profapi.dll, aadcloudap.dll, combase.dll,
ntmarta.dll, kernel.appcore.dll,
MicrosoftAccountCloudAP.dll, DPAPI.DLL,
The output can be narrowed down to specific parameters by using filters and the switch /FI. There are a number of comparison operators and these are given in the table below:
Operator | Description |
eq | Equals |
ne | Does not equal |
gt | Greater than. Only used with numeric values |
lt | Less than. Only used with numeric values |
ge | Greater than or equal to. Only used with numeric values |
le | Less than or equal to. Only used with numeric values |
Not all operators can be used with every parameter and allowed values are shown for the most useful parameters in the table below:
Parameter | Valid Operators | Valid Values |
ImageName | eq, ne | Any valid string |
PID | eq, ne, gt, lt, ge, le | Any valid positive integer |
MemUsage | eq, ne, gt, lt, ge, le | Any valid positive integer (in Kilobytes) |
Status | eq, ne | Running, Not Responding, Unknown |
Username | eq, ne | Any valid user name (includes SYSTEM, LOCAL SERVICE, NETWORK SERVICE) |
WindowTitle | eq, ne | Any valid string |
Session | eq, ne, gt, lt, ge, le | Session number |
Services | eq, ne | Service name |
Modules | eq, ne | DLL name |
CPUTime | eq, ne, gt, lt, ge, le | CPU time in the format hh:mm:ss |
An example of using a filter is a command to find all the processes created by the system that have not used any CPU time. The command is as follows:
PS C:\Users\JOSEPH> TaskList /V /FO LIST /FI "USERNAME eq System" /FI "CPUTIME eq 0:00:00"
Image Name: Secure System
PID: 72
Session Name: Services
Session#: 0
Mem Usage: 23,640 K
Status: Unknown
User Name: NT AUTHORITY\SYSTEM
CPU Time: 0:00:00
Window Title: N/A
Image Name: smss.exe
PID: 492
Session Name: Services
Session#: 0
Mem Usage: 1,044 K
Status: Unknown
User Name: NT AUTHORITY\SYSTEM
CPU Time: 0:00:00
Window Title: N/A
Image Name: wininit.exe
PID: 772
Session Name: Services
Session#: 0
Mem Usage: 4,140 K
Status: Unknown
User Name: NT AUTHORITY\SYSTEM
CPU Time: 0:00:00
The basic Tasklist command does not show services, which are special applications that run in the background. In order to see services, you must type Tasklist /SVC and press Enter. The output includes the image name, PID, and services supplied by the process. You can't use the /SVC command line switch with the /V or /M command line switches, so you can't obtain verbose information about services. Unfortunately, the output of this command includes all of the applications in addition to the services. There are a number of ways to get around the problem of seeing processes alongside the services. One technique is to rely on the fact that SvcHost.EXE is the image name of the application that runs most (but not all) of the services. To find the low-level services (those not associated with applications) running on your system, enter the following command:
PS C:\Users\JOSEPH> taskList /SVC /FI "ImageName eq SvcHost.EXE"
Image Name PID Services
========================= ======== ============================================
svchost.exe 992 BrokerInfrastructure, DcomLaunch, PlugPlay,
Power, SystemEventsBroker
svchost.exe 1028 RpcEptMapper, RpcSs
svchost.exe 1068 LSM
svchost.exe 1356 HvHost
svchost.exe 1384 lmhosts
svchost.exe 1404 BTAGService
svchost.exe 1432 BthAvctpSvc
svchost.exe 1472 bthserv
svchost.exe 1564 NcbService
svchost.exe 1580 Schedule
svchost.exe 1624 ProfSvc
svchost.exe 1632 TimeBrokerSvc
svchost.exe 1732 nsi
svchost.exe 1744 UserManager
svchost.exe 1780 DisplayEnhancementService
svchost.exe 1832 netprofm
svchost.exe 1840 EventSystem
svchost.exe 2004 DeviceAssociationService
svchost.exe 1040 CoreMessagingRegistrar
svchost.exe 1508 camsvc
svchost.exe 1804 SENS
svchost.exe 2260 Dnscache
svchost.exe 2376 EventLog
svchost.exe 2392 DispBrokerDesktopSvc
svchost.exe 2404 Winmgmt
When examining processes, we would also like to map the dynamic link libraries that are loaded by all processes or by a specific process. The below command does this for chrome.exe.
PS C:\Users\JOSEPH> tasklist /m /FI "ImageName eq chrome.exe"
Image Name PID Modules
========================= ======== ============================================
chrome.exe 9916 ntdll.dll, KERNEL32.DLL, KERNELBASE.dll,
apphelp.dll, AcLayers.DLL, msvcrt.dll,
SHLWAPI.dll, chrome_elf.dll, VERSION.dll,
ADVAPI32.dll, sechost.dll, RPCRT4.dll,
CRYPTBASE.DLL, bcryptPrimitives.dll,
ntmarta.dll, ucrtbase.dll, SHELL32.dll,
msvcp_win.dll, USER32.dll, win32u.dll,
GDI32.dll, gdi32full.dll, IMM32.DLL,
windows.storage.dll, combase.dll,
wintypes.dll, SHCORE.dll, chrome.dll,
OLEAUT32.dll, WS2_32.dll, WINTRUST.dll,
CRYPT32.dll, WINMM.dll, dbghelp.dll,
IPHLPAPI.DLL, USERENV.dll, Secur32.dll,
UIAutomationCore.DLL, WINHTTP.dll,
DWrite.dll, WINSPOOL.DRV, dhcpcsvc.DLL,
SSPICLI.DLL, MSASN1.dll, uxtheme.dll,
gpapi.dll, wkscli.dll, netutils.dll,
ole32.dll, kernel.appcore.dll, MSCTF.dll,
powrprof.dll, UMPDC.dll, profapi.dll,
COMCTL32.dll, DPAPI.dll, nlansp_c.dll,
NSI.dll, dhcpcsvc6.DLL, DNSAPI.dll,
clbcatq.dll, textinputframework.dll,
wevtapi.dll, Windows.UI.dll, WTSAPI32.dll,
WINSTA.dll, mscms.dll, bcrypt.dll,
cfgmgr32.dll, SETUPAPI.dll, DEVOBJ.dll,
MMDevApi.dll, wpnapps.dll,
There is a better way to execute the above command to obtain additional information. First, you should specify the /V or verbose option, which will provide greater detail regarding each process. Next, you could use the format output option /FO to specify the type of output. Two popular output formats are TABLE and CSV (comma-separated values). CSV is valuable if you plan to analyze the running processes and services later using a spreadsheet program like Microsoft Excel.
PS C:\Users\JOSEPH> tasklist /v /FO CSV
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Services","0","8 K","Unknown","NT AUTHORITY\SYSTEM","25:51:58","N/A"
"System","4","Services","0","1,008 K","Unknown","N/A","0:25:41","N/A"
"Secure System","72","Services","0","23,644 K","Unknown","NT AUTHORITY\SYSTEM","0:00:00","N/A"
"Registry","124","Services","0","74,884 K","Unknown","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"smss.exe","448","Services","0","1,040 K","Unknown","NT AUTHORITY\SYSTEM","0:00:00","N/A"
"csrss.exe","652","Services","0","4,280 K","Unknown","NT AUTHORITY\SYSTEM","0:00:02","N/A"
"wininit.exe","732","Services","0","4,468 K","Unknown","NT AUTHORITY\SYSTEM","0:00:00","N/A"
"csrss.exe","752","Console","1","5,608 K","Running","NT AUTHORITY\SYSTEM","0:00:13","N/A"
"services.exe","804","Services","0","7,840 K","Unknown","NT AUTHORITY\SYSTEM","0:00:19","N/A"
"lsass.exe","812","Services","0","20,272 K","Unknown","NT AUTHORITY\SYSTEM","0:00:10","N/A"
"svchost.exe","944","Services","0","34,308 K","Unknown","NT AUTHORITY\SYSTEM","0:00:28","N/A"
"fontdrvhost.exe","972","Services","0","2,260 K","Unknown","Font Driver Host\UMFD-0","0:00:00","N/A"
"WUDFHost.exe","1000","Services","0","11,068 K","Unknown","NT AUTHORITY\LOCAL SERVICE","0:00:00","N/A"
"svchost.exe","880","Services","0","17,076 K","Unknown","NT AUTHORITY\NETWORK SERVICE","0:00:47","N/A"
"svchost.exe","968","Services","0","7,436 K","Unknown","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"winlogon.exe","1128","Console","1","10,728 K","Unknown","NT AUTHORITY\SYSTEM","0:00:00","N/A"
"fontdrvhost.exe","1180","Console","1","9,120 K","Unknown","Font Driver Host\UMFD-1","0:00:03","N/A"
"dwm.exe","1256","Console","1","98,720 K","Running","Window Manager\DWM-1","1:18:46","DWM Notification Window"
"svchost.exe","1308","Services","0","3,408 K","Unknown","NT AUTHORITY\SYSTEM","0:00:00","N/A"
"svchost.exe","1408","Services","0","6,348 K","Unknown","NT AUTHORITY\LOCAL SERVICE","0:00:00","N/A"
"svchost.exe","1428","Services","0","9,520 K","Unknown","NT AUTHORITY\LOCAL SERVICE","0:00:00","N/A"
"svchost.exe","1440","Services","0","10,424 K","Unknown","NT AUTHORITY\LOCAL SERVICE","0:00:00","N/A"
"svchost.exe","1516","Services","0","9,720 K","Unknown","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"svchost.exe","1528","Services","0","14,676 K","Unknown","NT AUTHORITY\SYSTEM","0:00:04","N/A"
"svchost.exe","1620","Services","0","7,264 K","Unknown","NT AUTHORITY\LOCAL SERVICE","0:00:02","N/A"
"svchost.exe","1648","Services","0","9,044 K","Unknown","NT AUTHORITY\SYSTEM","0:00:00","N/A"
"svchost.exe","1704","Services","0","6,984 K","Unknown","NT AUTHORITY\SYSTEM","0:00:00","N/A"
"svchost.exe","1720","Services","0","16,496 K","Unknown","NT AUTHORITY\NETWORK SERVICE","0:00:22","N/A"
The above output follows the order specified below:
"Image Name","PID","Session Name","Session#","Mem Usage","Status", "User Name","CPU Time","Window Title"
To better understand the resulting output along with the potential forensic value, consider the table below.
You might also need to determine the relationship between the processes running on the system by examining the parent-child relationships. The following command will list the parent PIDs along with the PIDs and the paths to the executables.
C:\Users\JOSEPH>wmic process get name, processid, parentprocessid, executablepath
ExecutablePath Name ParentProcessId ProcessId
System Idle Process 0 0
System 0 4
Secure System 4 72
Registry 4 124
smss.exe 4 492
csrss.exe 648 688
wininit.exe 648 772
csrss.exe 764 792
services.exe 772 844
lsass.exe 772 852
svchost.exe 844 992
WUDFHost.exe 844 1012
fontdrvhost.exe 772 96
svchost.exe 844 1028
svchost.exe 844 1068
winlogon.exe 764 1172
fontdrvhost.exe 1172 1228
dwm.exe 1172 1308
svchost.exe 844 1356
svchost.exe 844 1384
svchost.exe 844 1404
svchost.exe 844 1432
svchost.exe 844 1472
svchost.exe 844 1564
svchost.exe 844 1580
svchost.exe 844 1624
svchost.exe 844 1632
svchost.exe 844 1732
svchost.exe 844 1744
svchost.exe 844 1780
svchost.exe 844 1832
svchost.exe 844 1840
svchost.exe 844 2004
svchost.exe 844 1040
svchost.exe 844 1508
svchost.exe 844 1804
igfxCUIService.exe 844 2144
svchost.exe 844 2260
svchost.exe 844 2376
svchost.exe 844 2392
svchost.exe 844 2404
svchost.exe 844 2480
svchost.exe 844 2500
svchost.exe 844 2600
svchost.exe 844 2616
Memory Compression 4 2624
svchost.exe 844 2716
svchost.exe 844 2844
svchost.exe 844 2892
svchost.exe 844 2924
svchost.exe 844 3036
RtkAudioService64.exe 844 2372
svchost.exe 844 3092
svchost.exe 844 3100
svchost.exe 844 3216
svchost.exe 844 3224
svchost.exe 844 3236
svchost.exe 844 3364
svchost.exe 844 3428
svchost.exe 844 3452
svchost.exe 844 3516
RAVBg64.exe 2372 3664
RAVBg64.exe 2372 3684
RAVBg64.exe 2372 3692
spoolsv.exe 844 3732
svchost.exe 844 3892
AnyDesk.exe 844 3932
svchost.exe 844 3944
svchost.exe 844 3960
svchost.exe 844 3980
fpCSEvtSvc.exe 844 3996
HotKeyServiceUWP.exe 844 4024
HPSIsvc.exe 844 4040
ibtsiva.exe 844 4060
IpOverUsbSvc.exe 844 3132
svchost.exe 844 3616
LanWlanWwanSwitchingServiceUWP.exe 844 4104
svchost.exe 844 4176
svchost.exe 844 4192
svchost.exe 844 4200
svchost.exe 844 4224
SynTPEnhService.exe 844 4240
valWBFPolicyService.exe 844 4276
svchost.exe 844 4324
MsMpEng.exe 844 4336
svchost.exe 844 4344
svchost.exe 844 4432
WUDFHost.exe 844 4716
AggregatorHost.exe 3960 5480
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe SynTPEnh.exe 4240 6104
C:\Windows\system32\sihost.exe sihost.exe 1744 864
C:\Windows\system32\svchost.exe svchost.exe 844 4128
PresentationFontCache.exe 844 5960
svchost.exe 844 5432
C:\Windows\system32\svchost.exe svchost.exe 844 5408
svchost.exe 844 5232
C:\Windows\System32\DriverStore\FileRepository\hpqkbsoftwarecompnent.inf_amd64_8598cf7f18c538c5\HPHotkeyNotification.exe HPHotkeyNotification.exe 4024 4976
C:\Windows\system32\taskhostw.exe taskhostw.exe 1580 6192
svchost.exe 844 6476
SynTPHelper.exe 1400 6576
svchost.exe 844 6604
C:\Windows\Explorer.EXE
For more on the wmic command, you can view this post.
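As an added example (not part of the original article), this Python script parses saved output of the wmic process command shown above, where the columns come out in alphabetical order (ExecutablePath, Name, ParentProcessId, ProcessId) and ExecutablePath is blank for processes the caller cannot open, rebuilds the parent-child tree, and flags any svchost.exe whose parent is not services.exe. The listing is a constructed excerpt modelled on the one above; its final row (PID 7001) is a constructed anomaly.

```python
import re
from collections import defaultdict

# Constructed excerpt of `wmic process get name,processid,parentprocessid,executablepath`
# output, modelled on the listing above. The final row, a svchost.exe started by a
# third-party helper, is a constructed anomaly.
SAMPLE_WMIC = r"""
ExecutablePath                                  Name                 ParentProcessId  ProcessId
                                                System Idle Process  0                0
                                                System               0                4
                                                smss.exe             4                492
                                                wininit.exe          648              772
                                                services.exe         772              844
                                                lsass.exe            772              852
                                                svchost.exe          844              992
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe   SynTPEnh.exe         4240             6104
C:\Windows\system32\svchost.exe                 svchost.exe          844              4128
                                                svchost.exe          6104             7001
"""

# The two trailing integer columns are ParentProcessId and ProcessId; everything
# before them is "[path] name", where the name itself may contain spaces.
ROW_RE = re.compile(r"^(?P<rest>.*?)\s+(?P<ppid>\d+)\s+(?P<pid>\d+)\s*$")
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<name>\S+)$")


def parse_wmic_processes(text):
    """Return {pid: {"name", "ppid", "path"}} from wmic's tabular output."""
    procs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("ExecutablePath"):
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        rest = m.group("rest").strip()
        pm = PATH_RE.match(rest)
        path, name = (pm.group("path"), pm.group("name")) if pm else (None, rest)
        procs[int(m.group("pid"))] = {"name": name, "ppid": int(m.group("ppid")), "path": path}
    return procs


def process_tree(procs):
    """Indented text lines of the parent/child tree. A root is a process that
    lists itself as its own parent (PID 0) or whose parent is no longer in the
    listing (e.g. wininit.exe, whose smss.exe parent exits after spawning it)."""
    kids = defaultdict(list)
    for pid, info in procs.items():
        if info["ppid"] != pid:
            kids[info["ppid"]].append(pid)
    roots = sorted(pid for pid, info in procs.items()
                   if info["ppid"] == pid or info["ppid"] not in procs)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{procs[pid]['name']} ({pid})")
        for child in sorted(kids.get(pid, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def svchost_with_unexpected_parent(procs):
    """(pid, ppid, parent name) for every svchost.exe not started by services.exe.
    The Service Control Manager (services.exe, PID 844 above) starts every
    legitimate service host, so any other parent deserves a closer look."""
    findings = []
    for pid, info in procs.items():
        if info["name"].lower() != "svchost.exe":
            continue
        parent = procs.get(info["ppid"])
        if parent is None or parent["name"].lower() != "services.exe":
            findings.append((pid, info["ppid"], parent["name"] if parent else "<not in listing>"))
    return sorted(findings)


if __name__ == "__main__":
    procs = parse_wmic_processes(SAMPLE_WMIC)
    print("\n".join(process_tree(procs)))
    print("svchost.exe with unexpected parent:", svchost_with_unexpected_parent(procs))
```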
Sometimes it is desirable to end a program or a process from the command line. The process may be hung or not responding, or may be deemed suspicious. Although the graphical utility Task Manager can be used to terminate programs that are hung, the command line can be faster and easier to use. The Taskkill command supports sophisticated filters. The command syntax is as follows:
TASKKILL [/S system [/U username [/P[password]]]]{ [/FI filter] [/PID processid | /IM imagename] } [/F] [/T]
Parameter | Description |
/S system | Specifies the remote system to connect to. Not needed for local computer. |
/U username | Specifies the user context. Not needed for local computer. |
/P password | Specifies the password for the given username. |
/PID processid | Specifies the PID of the process that has to be terminated. Not used when the image name is given in the command. |
/IM imagename | Specifies the image name of the process that has to be terminated. Wildcard '*' can be used to specify all image names. Not used if PID is given in the command. |
/F | Forces the termination of all matching processes. |
/FI filter | Displays a set of tasks that match a given criteria specified by the filter. |
/T | Tree kill: terminates the specified process and any child processes which were started by it. |
To close the process WhatsApp.exe, for example, the appropriate command is given as follows:
PS C:\Users\JOSEPH> taskkill /im WhatsApp.exe /f
SUCCESS: The process "WhatsApp.exe" with PID 4452 has been terminated.
You can also close several programs at once.
PS C:\Users\JOSEPH> taskkill /f /im notepad.exe /im mspaint.exe
SUCCESS: The process "mspaint.exe" with PID 7480 has been terminated.
SUCCESS: The process "Notepad.exe" with PID 4904 has been terminated.
Taskkill becomes especially powerful when filters are used with the switch "/fi". Various rules can be formed by using the comparison operators. The filter operators and allowed parameters remain the same as with the tasklist command. With filters, you can impose some specific set of conditions that must be met. Filters give Taskkill considerable versatility and allow you to fine-tune the target. Note that a specific image name or PID does not have to be included when using filters.
To forcefully shut down all the processes that are not responding, enter the following command:
PS C:\Users\JOSEPH> taskkill /f /fi "status eq not responding"
INFO: No tasks running with the specified criteria.
You may want to forcefully shut down all programs using a specific DLL file. This should be used with care but one application might be to stop processes thought to be associated with a DLL from spyware or a Trojan.
taskkill /f /fi "modules eq MFC42UL.dll"
To close down all programs using large amounts of memory, say 40 MB:
taskkill /f /fi "memusage gt 40000"
To close down programs using more than 40 MB of memory but not Google Chrome.
taskkill /f /fi "imagename ne chrome.exe" /fi "memusage gt 40000"
Network Information
The next area of immediate consideration is the basic network information; in other words, how is the system under investigation connected to the outside world?
A good place to start is with the ipconfig command. To obtain the full breadth of information available, the ipconfig /all command is used. The command provides basic information such as the Host Name, Internet Protocol Addresses, the Network Interface physical address (typically referred to as the MAC address), and the DNS Suffix (which will typically give you a clue regarding the Internet Service Provider that the system uses). In addition, information about wired, wireless, Bluetooth, and virtual machine network interfaces is provided.
Another important command option under ipconfig is the ipconfig /displaydns command. Executing this command provides details of the domain name services in play for the currently logged-in user. More specifically, this command displays the resolver cache of DNS translations for the system.
PS C:\Users\JOSEPH> ipconfig /displaydns
Windows IP Configuration
desktop-tso5jmr.mshome.net
----------------------------------------
No records of type AAAA
desktop-tso5jmr.mshome.net
----------------------------------------
Record Name . . . . . : DESKTOP-TSO5JMR.mshome.net
Record Type . . . . . : 1
Time To Live . . . . : 589186
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 172.22.0.1
1.0.22.172.in-addr.arpa
----------------------------------------
Record Name . . . . . : 1.0.22.172.in-addr.arpa.
Record Type . . . . . : 12
Time To Live . . . . : 589186
Data Length . . . . . : 8
Section . . . . . . . : Answer
PTR Record . . . . . : DESKTOP-TSO5JMR.mshome.net
After identifying the running processes and specific details related to these processes, we need to take a look at how those processes are communicating with the external environment via the network. We can use the netstat command to probe active network information. It provides a way to check if various aspects of TCP/IP are working and what connections are present. There are various ways that a system administrator might use the assortment of switches. A brief description of the switches is given below:
PS C:\Users\JOSEPH> netstat /?
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-b] [-e] [-f] [-i] [-n] [-o] [-p proto] [-r] [-s] [-t] [-x] [-y] [interval]
-a Displays all connections and listening ports.
-b Displays the executable involved in creating each connection or
listening port. In some cases well-known executables host
multiple independent components, and in these cases the
sequence of components involved in creating the connection
or listening port is displayed. In this case the executable
name is in [] at the bottom, on top is the component it called,
and so forth until TCP/IP was reached. Note that this option
can be time-consuming and will fail unless you have sufficient
permissions.
-e Displays Ethernet statistics. This may be combined with the -s
option.
-f Displays Fully Qualified Domain Names (FQDN) for foreign
addresses.
-i Displays the time spent by a TCP connection in its current state.
-n Displays addresses and port numbers in numerical form.
-o Displays the owning process ID associated with each connection.
-p proto Shows connections for the protocol specified by proto; proto
may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
option to display per-protocol statistics, proto may be any of:
IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
-q Displays all connections, listening ports, and bound
nonlistening TCP ports. Bound nonlistening ports may or may not
be associated with an active connection.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are
shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
the -p option may be used to specify a subset of the default.
-t Displays the current connection offload state.
-x Displays NetworkDirect connections, listeners, and shared
endpoints.
-y Displays the TCP connection template for all connections.
Cannot be combined with the other options.
interval Redisplays selected statistics, pausing interval seconds
between each display. Press CTRL+C to stop redisplaying
statistics. If omitted, netstat will print the current
configuration information once.
Let's start with a simple netstat command that reports on all (-a) connections and listening ports, displays the numerical values (-n) for the port numbers and addresses, and displays the process ID or PID of the owning process (-o):
PS C:\Users\JOSEPH> netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 884
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 6576
TCP 0.0.0.0:7070 0.0.0.0:0 LISTENING 3932
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 848
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 768
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1576
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2416
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 3624
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 840
TCP 127.0.0.1:1001 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:49670 0.0.0.0:0 LISTENING 6668
TCP 192.168.56.1:139 0.0.0.0:0 LISTENING 4
TCP 192.168.176.57:139 0.0.0.0:0 LISTENING 4
TCP 192.168.176.57:52011 20.44.10.122:443 TIME_WAIT 0
TCP 192.168.176.57:52013 23.73.0.192:443 FIN_WAIT_1 3440
TCP 192.168.176.57:52015 204.79.197.203:443 FIN_WAIT_1 4576
TCP 192.168.176.57:52016 152.199.19.161:80 TIME_WAIT 0
TCP 192.168.176.57:52019 204.79.197.203:443 TIME_WAIT 0
TCP 192.168.176.57:52030 102.132.101.61:5222 TIME_WAIT 0
TCP 192.168.176.57:52031 204.79.197.239:443 TIME_WAIT 0
TCP 192.168.176.57:52033 197.210.32.33:443 ESTABLISHED 1452
TCP 192.168.176.57:52034 102.132.101.60:443 ESTABLISHED 1452
TCP 192.168.176.57:52035 13.107.4.52:80 TIME_WAIT 0
TCP 192.168.176.57:52037 102.132.101.60:443 ESTABLISHED 1452
TCP 192.168.176.57:52038 13.107.4.52:80 TIME_WAIT 0
TCP 192.168.176.57:52057 152.199.21.118:443 ESTABLISHED 10180
TCP 192.168.176.57:52058 13.107.246.56:443 ESTABLISHED 10180
TCP 192.168.176.57:52059 13.107.246.56:443 ESTABLISHED 10180
TCP 192.168.176.57:52060 172.217.23.202:443 ESTABLISHED 10180
TCP 192.168.176.57:52061 172.217.23.202:443 ESTABLISHED 10180
TCP 192.168.176.57:52062 152.199.21.118:443 ESTABLISHED 10180
TCP 192.168.176.57:52063 208.115.231.126:443 ESTABLISHED 3932
TCP 192.168.176.57:52064 13.107.42.14:443 ESTABLISHED 10180
TCP 192.168.176.57:52065 20.199.120.182:443 ESTABLISHED 4368
TCP 192.168.176.57:52067 45.54.49.5:443 ESTABLISHED 10180
TCP 192.168.176.57:52072 216.58.223.206:443 ESTABLISHED 10180
TCP 192.168.176.57:52073 108.157.78.77:443 ESTABLISHED 10180
TCP 192.168.176.57:52076 13.107.246.56:443 ESTABLISHED 10180
TCP 192.168.176.57:52079 108.157.78.7:443 ESTABLISHED 10180
TCP 192.168.176.57:52080 216.239.32.117:443 ESTABLISHED 10180
TCP 192.168.176.57:52082 52.210.27.198:443 ESTABLISHED 10180
TCP 192.168.176.57:52083 52.210.27.198:443 ESTABLISHED 10180
TCP 192.168.176.57:52084 34.120.195.249:443 ESTABLISHED 10180
TCP 192.168.176.57:52085 20.199.120.182:443 ESTABLISHED 4368
TCP 192.168.176.57:52087 54.144.30.117:443 ESTABLISHED 10180
TCP 192.168.176.57:52088 54.144.30.117:443 ESTABLISHED 10180
TCP 192.168.176.57:52089 54.144.30.117:443 ESTABLISHED 10180
TCP 192.168.176.57:52090 104.109.143.19:443 ESTABLISHED 10180
TCP 192.168.176.57:52093 152.199.21.118:443 ESTABLISHED 10180
TCP 192.168.176.57:52097 152.199.21.118:443 ESTABLISHED 10180
TCP 192.168.176.57:52098 209.197.3.8:80 ESTABLISHED 3972
TCP 192.168.176.57:52099 152.199.21.118:443 ESTABLISHED 10180
TCP 192.168.176.57:52100 152.199.21.118:443 ESTABLISHED 10180
TCP 192.168.176.57:52103 13.107.246.67:443 ESTABLISHED 10180
TCP 192.168.176.57:52106 204.79.197.200:443 ESTABLISHED 9036
TCP 192.168.176.57:52107 204.79.197.200:443 ESTABLISHED 9036
TCP 192.168.176.57:52109 13.107.246.67:443 ESTABLISHED 10180
TCP 192.168.176.57:52114 23.73.0.158:443 ESTABLISHED 4576
TCP 192.168.176.57:52115 104.225.98.131:443 SYN_SENT 10180
TCP 192.168.176.57:52116 104.225.98.131:443 SYN_SENT 10180
TCP [::]:135 [::]:0 LISTENING 884
TCP [::]:445 [::]:0 LISTENING 4
The information that is displayed includes the protocol, the local address, the remote (foreign) address, and the connection state. Note that the various IP addresses include port information as well. An explanation of the different connection states is given below.
CLOSED: Indicates that the server has received an ACK signal from the client and the connection is closed.
CLOSE_WAIT: Indicates that the server has received the first FIN signal from the client and the connection is in the process of being closed.
ESTABLISHED: Indicates that the server received the SYN signal from the client and the session is established.
FIN_WAIT_1: Indicates that the connection is still active but not currently being used.
FIN_WAIT_2: Indicates that the client just received acknowledgment of the first FIN signal from the server.
LAST_ACK: Indicates that the server is in the process of sending its own FIN signal.
LISTENING: Indicates that the server is ready to accept a connection.
SYN_RECEIVED: Indicates that the server just received a SYN signal from the client.
SYN_SENT: Indicates that this particular connection is open and active.
TIME_WAIT: Indicates that the client recognizes the connection as still active but not currently being used.
Next, we connect the network activity with the specific processes listed by the tasklist command. Examining the results of the tasklist command, we can easily identify a couple of processes that should have active network connections (e.g., WhatsApp.exe). Let’s say we wish to output only the information related to this process, and only where the connection state is ESTABLISHED. From the tasklist output, we can identify the PID for WhatsApp.exe (1452). We can accomplish this by connecting the output of the netstat command to the findstr command using the pipe operator (|). The resulting command and output are shown below.
PS C:\Users\JOSEPH> netstat -ano | findstr 1452 | findstr ESTABLISHED
TCP 192.168.176.57:52034 102.132.101.60:443 ESTABLISHED 1452
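The same filter applied offline to captured netstat -ano output, as an added Python example that is not part of the original article: findstr 1452 is a plain substring match and would also catch a line whose port number happens to contain 1452, so the script compares the PID column exactly and then summarises the remote endpoints per process. The sample output is constructed, modelled on the listing above.

```python
"""Exact-PID filtering and per-process summary of captured `netstat -ano` output."""
from collections import defaultdict

# Constructed sample modelled on the article's `netstat -ano` output. The
# 0.0.0.0:51452 line is included on purpose: `findstr 1452` would match it.
SAMPLE_NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:51452          0.0.0.0:0              LISTENING       6576
  TCP    192.168.176.57:52033   197.210.32.33:443      ESTABLISHED     1452
  TCP    192.168.176.57:52034   102.132.101.60:443     ESTABLISHED     1452
  TCP    192.168.176.57:52037   102.132.101.60:443     ESTABLISHED     1452
  TCP    192.168.176.57:52011   20.44.10.122:443       TIME_WAIT       0
  TCP    192.168.176.57:52115   104.225.98.131:443     SYN_SENT        10180
  UDP    0.0.0.0:5353           *:*                                    2416
"""


def parse_netstat_ano(text):
    """Return one dict per connection line of `netstat -ano` output.

    TCP lines have five columns (proto, local, foreign, state, pid); UDP lines
    have no State column and therefore only four.
    """
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if not cols or cols[0] not in ("TCP", "UDP"):
            continue  # header, blank line or "Active Connections"
        if cols[0] == "TCP" and len(cols) == 5:
            proto, local, foreign, state, pid = cols
        elif cols[0] == "UDP" and len(cols) == 4:
            proto, local, foreign, pid = cols
            state = ""
        else:
            continue  # malformed line: skip rather than guess
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def connections_for_pid(text, pid, state=None):
    """Equivalent of `netstat -ano | findstr <pid> | findstr <state>`, but
    comparing the PID column exactly instead of as a substring."""
    return [r for r in parse_netstat_ano(text)
            if r["pid"] == pid and (state is None or r["state"] == state)]


def findstr_like_matches(text, needle):
    """Connection lines the article's `findstr <needle>` filter would return:
    a substring match anywhere on the line, shown here for comparison."""
    return [line for line in text.splitlines()
            if needle in line and line.split()
            and line.split()[0] in ("TCP", "UDP")]


def remote_endpoints_by_pid(text):
    """Map each PID to the set of foreign endpoints it is talking to
    (listening sockets and wildcard endpoints are ignored)."""
    result = defaultdict(set)
    for r in parse_netstat_ano(text):
        if r["foreign"] not in ("0.0.0.0:0", "[::]:0", "*:*"):
            result[r["pid"]].add(r["foreign"])
    return dict(result)


if __name__ == "__main__":
    for r in connections_for_pid(SAMPLE_NETSTAT_ANO, 1452, "ESTABLISHED"):
        print(r["proto"], r["local"], r["foreign"], r["state"], r["pid"])
    print("findstr 1452 would match",
          len(findstr_like_matches(SAMPLE_NETSTAT_ANO, "1452")), "lines")
    for pid, endpoints in sorted(remote_endpoints_by_pid(SAMPLE_NETSTAT_ANO).items()):
        print(pid, sorted(endpoints))
```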
To find out which programs are making connections with the outside world, we can use the command below. This can be used to spot potential malicious applications.
PS C:\Users\JOSEPH> netstat -b
Active Connections
Proto Local Address Foreign Address State
TCP 127.0.0.1:49670 DESKTOP-TSO5JMR:49671 ESTABLISHED
[Explorer.EXE]
TCP 127.0.0.1:49671 DESKTOP-TSO5JMR:49670 ESTABLISHED
[msedge.exe]
TCP 192.168.176.57:49830 192.229.221.95:http FIN_WAIT_1
[WhatsApp.exe]
TCP 192.168.176.57:58159 13.107.4.52:http TIME_WAIT
TCP 192.168.176.57:58160 20.199.120.85:https ESTABLISHED
WpnService
[svchost.exe]
TCP 192.168.176.57:58161 relay-94aea023:https TIME_WAIT
TCP 192.168.176.57:58162 relay-cf3fb52a:https ESTABLISHED
[AnyDesk.exe]
TCP 192.168.176.57:58164 20.199.120.85:https ESTABLISHED
WpnService
[svchost.exe]
TCP 192.168.176.57:58165 52.184.216.246:https TIME_WAIT
TCP 192.168.176.57:58169 wr-in-f188:5228 ESTABLISHED
[chrome.exe]
TCP 192.168.176.57:58170 whatsapp-chatd-edge-shv-01-los2:https TIME_WAIT
TCP 192.168.176.57:58171 20.234.163.55:https TIME_WAIT
TCP 192.168.176.57:58172 13.107.42.14:https ESTABLISHED
[chrome.exe]
TCP 192.168.176.57:58173 197.210.93.34:https TIME_WAIT
TCP 192.168.176.57:58174 20.234.163.55:https TIME_WAIT
TCP 192.168.176.57:58175 whatsapp-cdn-shv-01-los2:https TIME_WAIT
TCP 192.168.176.57:58177 197.210.93.34:https ESTABLISHED
[WhatsApp.exe]
TCP 192.168.176.57:58178 102.88.19.33:https ESTABLISHED
[WhatsApp.exe]
TCP 192.168.176.57:58179 197.210.93.99:https ESTABLISHED
[WhatsApp.exe]
TCP 192.168.176.57:58180 whatsapp-cdn-shv-01-los2:https ESTABLISHED
It is better to check over a period of time, and we can add a number after the options that makes the command re-run at fixed intervals. It is also best to keep a written record of the connections made over that period. The command can then be written as:
netstat -b 5 >> D:\connections.txt
This command runs every five seconds, appending each snapshot to D:\connections.txt, until stopped with Ctrl+C, which is the general way to interrupt a running command.
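An added Python example (not from the original article) for reviewing the record that the command above produces: it splits the appended netstat -b snapshots, attaches each bracketed program name (and, for svchost.exe, the service name printed before it) to the connection line it follows, and lists what appeared after the first snapshot. The two-snapshot log is constructed from the listing above.

```python
"""Review a log of repeated `netstat -b` snapshots collected over time."""

# A log written with  netstat -b 5 >> D:\connections.txt  contains one
# "Active Connections" block per interval. In `netstat -b` output the owning
# program appears in square brackets on the line after its connection; for
# svchost.exe the hosting service name comes first; connections without an
# owner (e.g. TIME_WAIT sockets) have no such line at all.

# Constructed two-snapshot sample modelled on the article's output.
SAMPLE_NETSTAT_B_LOG = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.176.57:58160   20.199.120.85:https    ESTABLISHED
  WpnService
 [svchost.exe]
  TCP    192.168.176.57:58161   relay-94aea023:https   TIME_WAIT
  TCP    192.168.176.57:58177   197.210.93.34:https    ESTABLISHED
 [WhatsApp.exe]

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.176.57:58160   20.199.120.85:https    ESTABLISHED
  WpnService
 [svchost.exe]
  TCP    192.168.176.57:58177   197.210.93.34:https    ESTABLISHED
 [WhatsApp.exe]
  TCP    192.168.176.57:58201   relay-cf3fb52a:https   ESTABLISHED
 [AnyDesk.exe]
"""


def split_snapshots(log_text):
    """Split an appended netstat log into one text block per snapshot."""
    return [p for p in log_text.split("Active Connections") if p.strip()]


def parse_netstat_b(snapshot_text):
    """Return a list of dicts for one snapshot: proto, local, foreign, state,
    owner (program in brackets, or None) and service (svchost service, or None)."""
    conns = []
    pending_service = None
    for raw in snapshot_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Proto"):
            continue
        cols = line.split()
        if cols[0] in ("TCP", "UDP"):
            state = cols[3] if len(cols) > 3 else ""
            conns.append({"proto": cols[0], "local": cols[1], "foreign": cols[2],
                          "state": state, "owner": None, "service": None})
            pending_service = None
        elif line.startswith("[") and line.endswith("]") and conns:
            # Owner line: it belongs to the most recent connection line.
            conns[-1]["owner"] = line[1:-1]
            conns[-1]["service"] = pending_service
            pending_service = None
        else:
            # A bare word between a connection and its [svchost.exe] line is
            # the service hosted by that svchost instance.
            pending_service = line
    return conns


def endpoints_by_owner(conns):
    """Map each owning program (or "<unknown>") to its set of remote endpoints."""
    result = {}
    for c in conns:
        result.setdefault(c["owner"] or "<unknown>", set()).add(c["foreign"])
    return result


def new_since_first_snapshot(log_text):
    """(owner, foreign endpoint) pairs present in a later snapshot but not in
    the first one: the usual starting point for "what changed while I watched?"."""
    snapshots = [parse_netstat_b(s) for s in split_snapshots(log_text)]
    if len(snapshots) < 2:
        return set()
    baseline = {(c["owner"], c["foreign"]) for c in snapshots[0]}
    later = set()
    for snap in snapshots[1:]:
        later.update((c["owner"], c["foreign"]) for c in snap)
    return later - baseline


if __name__ == "__main__":
    last = parse_netstat_b(split_snapshots(SAMPLE_NETSTAT_B_LOG)[-1])
    for owner, endpoints in sorted(endpoints_by_owner(last).items()):
        print(owner, sorted(endpoints))
    print("new since first snapshot:",
          sorted(new_since_first_snapshot(SAMPLE_NETSTAT_B_LOG)))
```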
You may also wish to view the Fully Qualified Domain Names (FQDN) for remote (foreign) addresses the system is making connections to:
PS C:\Users\JOSEPH> netstat -f
Active Connections
Proto Local Address Foreign Address State
TCP 192.168.176.57:52031 204.79.197.239:https TIME_WAIT
TCP 192.168.176.57:52033 197.210.32.33:https ESTABLISHED
TCP 192.168.176.57:52034 whatsapp-cdn-shv-01-los2.fbcdn.net:https ESTABLISHED
TCP 192.168.176.57:52037 whatsapp-cdn-shv-01-los2.fbcdn.net:https ESTABLISHED
TCP 192.168.176.57:52058 13.107.246.56:https ESTABLISHED
TCP 192.168.176.57:52060 prg03s05-in-f10.1e100.net:https ESTABLISHED
TCP 192.168.176.57:52061 prg03s05-in-f10.1e100.net:https ESTABLISHED
TCP 192.168.176.57:52062 152.199.21.118:https ESTABLISHED
TCP 192.168.176.57:52063 relay-28682325.net.anydesk.com:https ESTABLISHED
TCP 192.168.176.57:52064 13.107.42.14:https ESTABLISHED
TCP 192.168.176.57:52065 20.199.120.182:https ESTABLISHED
TCP 192.168.176.57:52072 los02s03-in-f14.1e100.net:https ESTABLISHED
TCP 192.168.176.57:52073 server-108-157-78-77.los50.r.cloudfront.net:https ESTABLISHED
TCP 192.168.176.57:52076 13.107.246.56:https ESTABLISHED
TCP 192.168.176.57:52079 server-108-157-78-7.los50.r.cloudfront.net:https ESTABLISHED
TCP 192.168.176.57:52080 216.239.32.117:https ESTABLISHED
TCP 192.168.176.57:52082 ec2-52-210-27-198.eu-west-1.compute.amazonaws.com:https ESTABLISHED
TCP 192.168.176.57:52083 ec2-52-210-27-198.eu-west-1.compute.amazonaws.com:https TIME_WAIT
TCP 192.168.176.57:52084 249.195.120.34.bc.googleusercontent.com:https ESTABLISHED
TCP 192.168.176.57:52085 20.199.120.182:https ESTABLISHED
TCP 192.168.176.57:52087 ec2-54-144-30-117.compute-1.amazonaws.com:https ESTABLISHED
TCP 192.168.176.57:52090 a104-109-143-19.deploy.static.akamaitechnologies.com:https ESTABLISHED
TCP 192.168.176.57:52093 152.199.21.118:https ESTABLISHED
TCP 192.168.176.57:52097 152.199.21.118:https CLOSE_WAIT
TCP 192.168.176.57:52098 vip0x008.map2.ssl.hwcdn.net:http ESTABLISHED
TCP 192.168.176.57:52099 152.199.21.118:https CLOSE_WAIT
TCP 192.168.176.57:52100 152.199.21.118:https ESTABLISHED
TCP 192.168.176.57:52106 a-0001.a-msedge.net:https ESTABLISHED
TCP 192.168.176.57:52107 a-0001.a-msedge.net:https ESTABLISHED
One additional area of concern is the current routing table. Routing tables are basically a set of rules that govern how IP packets are directed. All devices, including computers, switches, routers, firewalls, and other network appliances, contain a routing table. Since routing tables contain specific IP addresses, if a table were maliciously altered (often referred to as poisoning), packets leaving the network could be directed to an intermediary network device in order to intercept or alter them, based on the poisoned routing rules.
The netstat command provides a simple way of capturing the current routing table using the -r option. Before turning off or shutting down the system, it is prudent to capture the current state of the routing table, as the table is typically not persistent and would be more difficult to reconstruct postmortem.
PS C:\Users\JOSEPH> netstat -r
===========================================================================
Interface List
6...0a 00 27 00 00 06 ......VirtualBox Host-Only Ethernet Adapter
5...34 02 86 39 2b 1a ......Microsoft Wi-Fi Direct Virtual Adapter
29...36 02 86 39 2b 19 ......Microsoft Wi-Fi Direct Virtual Adapter #2
16...80 9f 9a 50 54 53 ......Generic Mobile Broadband Adapter
33...34 02 86 39 2b 1d ......Bluetooth Device (Personal Area Network)
11...34 02 86 39 2b 19 ......Intel(R) Dual Band Wireless-AC 7265
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.176.205 192.168.176.57 65
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.56.0 255.255.255.0 On-link 192.168.56.1 281
192.168.56.1 255.255.255.255 On-link 192.168.56.1 281
192.168.56.255 255.255.255.255 On-link 192.168.56.1 281
192.168.176.0 255.255.255.0 On-link 192.168.176.57 321
192.168.176.57 255.255.255.255 On-link 192.168.176.57 321
192.168.176.255 255.255.255.255 On-link 192.168.176.57 321
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.56.1 281
224.0.0.0 240.0.0.0 On-link 192.168.176.57 321
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.56.1 281
255.255.255.255 255.255.255.255 On-link 192.168.176.57 321
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
6 281 fe80::/64 On-link
11 321 fe80::/64 On-link
6 281 fe80::5796:a945:bc30:9006/128
On-link
11 321 fe80::7610:ff89:867a:21e2/128
On-link
1 331 ff00::/8 On-link
6 281 ff00::/8 On-link
11 321 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
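An added Python example (not from the original article) of the check the routing-table discussion above calls for: parse the IPv4 Route Table section of a saved netstat -r capture and compare it against a known-good baseline, flagging routes whose gateway or interface changed and routes that were added or removed. Both captures are constructed; the second has a changed default gateway and an extra host route.

```python
"""Compare a captured `netstat -r` IPv4 route table against a baseline."""

# Constructed baseline modelled on the article's `netstat -r` output.
BASELINE_ROUTES = """
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.176.205  192.168.176.57     65
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
    192.168.176.0    255.255.255.0         On-link    192.168.176.57    321
===========================================================================
Persistent Routes:
  None
"""

# Constructed "current" capture: the default gateway now points at a different
# host on the LAN and a host route to 10.20.30.40 has been added.
CURRENT_ROUTES = """
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.176.99  192.168.176.57     65
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
    192.168.176.0    255.255.255.0         On-link    192.168.176.57    321
      10.20.30.40  255.255.255.255   192.168.176.99  192.168.176.57     66
===========================================================================
Persistent Routes:
  None
"""


def parse_ipv4_routes(text):
    """Return {(destination, netmask): (gateway, interface, metric)} from the
    Active Routes block of the IPv4 Route Table section only."""
    routes = {}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "IPv4 Route Table":
            in_table = True
            continue
        if not in_table:
            continue
        if line.startswith("Persistent Routes"):
            break  # end of the active IPv4 routes
        cols = line.split()
        if len(cols) != 5 or not cols[0][0].isdigit():
            continue  # separators, "Active Routes:", column header
        dest, mask, gateway, iface, metric = cols
        routes[(dest, mask)] = (gateway, iface, int(metric))
    return routes


def diff_routes(baseline_text, current_text):
    """Report routes whose gateway or interface differ from the baseline, plus
    routes that were added or removed. Metric alone is ignored, because it
    changes legitimately with link speed."""
    base = parse_ipv4_routes(baseline_text)
    cur = parse_ipv4_routes(current_text)
    changed = {k: (base[k], cur[k]) for k in base.keys() & cur.keys()
               if base[k][:2] != cur[k][:2]}
    added = {k: cur[k] for k in cur.keys() - base.keys()}
    removed = {k: base[k] for k in base.keys() - cur.keys()}
    return {"changed": changed, "added": added, "removed": removed}


def default_gateway(text):
    """Gateway of the 0.0.0.0/0 route, or None if there is none."""
    entry = parse_ipv4_routes(text).get(("0.0.0.0", "0.0.0.0"))
    return entry[0] if entry else None


if __name__ == "__main__":
    report = diff_routes(BASELINE_ROUTES, CURRENT_ROUTES)
    print("default gateway:", default_gateway(BASELINE_ROUTES),
          "->", default_gateway(CURRENT_ROUTES))
    for kind in ("changed", "added", "removed"):
        for key, value in sorted(report[kind].items()):
            print(kind, key, value)
```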
The actual path between two computers on the Internet is not a straight line but consists of numerous segments or "hops" from one intermediate computer to another. The tracert command shows each step of the path taken. It can be interesting to see just how convoluted it is. The times for each hop and the IP addresses for each intermediate computer are displayed. Tracert shows up to 30 hops. It is convenient for finding if there is one particular segment that is causing a slow or bad connection.
PS C:\Users\JOSEPH> tracert sans.org
Tracing route to sans.org [45.60.103.34]
over a maximum of 30 hops:
1 3 ms 1 ms 2 ms 192.168.176.205
2 174 ms 1272 ms 374 ms 10.8.255.254
3 86 ms 46 ms 73 ms 172.24.240.34
4 90 ms 132 ms 57 ms 172.24.240.92
5 45 ms 48 ms 54 ms 172.24.240.98
6 42 ms 44 ms 79 ms 192.168.10.2
7 160 ms 157 ms 141 ms 149.6.148.18
8 478 ms 144 ms 152 ms 149.6.148.17
9 201 ms 188 ms 140 ms 154.54.61.253
10 297 ms 216 ms 245 ms 154.54.82.34
11 230 ms 307 ms 325 ms 66.28.4.237
12 493 ms 597 ms 468 ms 154.54.43.17
13 885 ms 565 ms 256 ms 154.54.41.205
14 214 ms 218 ms 217 ms 66.28.4.246
15 216 ms 217 ms 220 ms 38.32.231.34
16 257 ms 213 ms 226 ms 45.60.103.34
Trace complete.
To determine the location of the queried IP address, pay attention to the penultimate hop, the last routing device before the actual destination is reached. Using traceroute provides the most reliable way to determine the most probable location of an IP address. Even APNIC, the regional Internet address registry for the Asia-Pacific region, states in an article that they "consider the IP in the same economy as the LG if the traceroute confirms a topological proximity." Any other way of checking the location does not meet their standards. No IP2Geo database in the world will be foolproof, so the only way to find a geographical area is to use basic physics: how long it takes an electrical or optical signal to travel through a medium such as a network cable.
Another good command is the pathping command. This command combines the functions of Ping and Tracert. Pathping will first list the number of hops required to reach the address you are testing and then send multiple pings to each router between you and the destination. After that, it computes results based on the packets returned from each router. Because pathping displays the degree of packet loss at any given router or link, you can determine which routers or subnets might be having network problems. Note that the whole process may consume 5-10 minutes because many pings are being sent. There are switches to modify the process and these can be seen by entering "pathping /?" in the command prompt.
PS C:\Users\JOSEPH> pathping sans.org
Tracing route to sans.org [45.60.103.34]
over a maximum of 30 hops:
0 DESKTOP-TSO5JMR [192.168.176.57]
1 192.168.176.205
2 192.168.223.22
3 172.24.246.82
4 * 172.24.246.180
5 172.24.246.193
6 * * *
Computing statistics for 125 seconds...
Source to Here This Node/Link
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
0 DESKTOP-TSO5JMR [192.168.176.57]
0/ 100 = 0% |
1 6ms 0/ 100 = 0% 0/ 100 = 0% 192.168.176.205
1/ 100 = 1% |
2 122ms 3/ 100 = 3% 2/ 100 = 2% 192.168.223.22
0/ 100 = 0% |
3 112ms 1/ 100 = 1% 0/ 100 = 0% 172.24.246.82
0/ 100 = 0% |
4 115ms 1/ 100 = 1% 0/ 100 = 0% 172.24.246.180
0/ 100 = 0% |
5 105ms 1/ 100 = 1% 0/ 100 = 0% 172.24.246.193
Trace complete.
Another command that is quite useful and offers additional options for working with networks is the Network Services shell (netsh).
PS C:\Users\JOSEPH> netsh /?
Usage: C:\Windows\system32\netsh.exe [-a AliasFile] [-c Context] [-r RemoteMachine] [-u [DomainName\]UserName] [-p Password | *]
[Command | -f ScriptFile]
The following commands are available:
Commands in this context:
? - Displays a list of commands.
add - Adds a configuration entry to a list of entries.
advfirewall - Changes to the `netsh advfirewall' context.
bridge - Changes to the `netsh bridge' context.
delete - Deletes a configuration entry from a list of entries.
dhcpclient - Changes to the `netsh dhcpclient' context.
dnsclient - Changes to the `netsh dnsclient' context.
dump - Displays a configuration script.
exec - Runs a script file.
firewall - Changes to the `netsh firewall' context.
help - Displays a list of commands.
http - Changes to the `netsh http' context.
interface - Changes to the `netsh interface' context.
ipsec - Changes to the `netsh ipsec' context.
lan - Changes to the `netsh lan' context.
mbn - Changes to the `netsh mbn' context.
namespace - Changes to the `netsh namespace' context.
netio - Changes to the `netsh netio' context.
nlm - Changes to the `netsh nlm' context.
p2p - Changes to the `netsh p2p' context.
ras - Changes to the `netsh ras' context.
rpc - Changes to the `netsh rpc' context.
set - Updates configuration settings.
show - Displays information.
trace - Changes to the `netsh trace' context.
wcn - Changes to the `netsh wcn' context.
wfp - Changes to the `netsh wfp' context.
winhttp - Changes to the `netsh winhttp' context.
winsock - Changes to the `netsh winsock' context.
wlan - Changes to the `netsh wlan' context.
The following sub-contexts are available:
advfirewall bridge dhcpclient dnsclient firewall http interface ipsec lan mbn namespace netio nlm p2p ras rpc trace wcn wfp winhttp winsock wlan
To view help for a command, type the command, followed by a space, and then
type ?.
To display various IP addresses and TCP/IP settings, execute the following command.
PS C:\Users\JOSEPH> netsh interface ip show config
Configuration for interface "Ethernet 2"
DHCP enabled: No
IP Address: 192.168.56.1
Subnet Prefix: 192.168.56.0/24 (mask 255.255.255.0)
InterfaceMetric: 25
Statically Configured DNS Servers: None
Register with which suffix: Primary only
Statically Configured WINS Servers: None
Configuration for interface "Local Area Connection* 1"
DHCP enabled: Yes
InterfaceMetric: 25
DNS servers configured through DHCP: None
Register with which suffix: Primary only
WINS servers configured through DHCP: None
Configuration for interface "Local Area Connection* 2"
DHCP enabled: Yes
InterfaceMetric: 25
DNS servers configured through DHCP: None
Register with which suffix: Primary only
WINS servers configured through DHCP: None
Configuration for interface "Cellular"
DHCP enabled: No
InterfaceMetric: 25
Statically Configured DNS Servers: None
Register with which suffix: Primary only
Statically Configured WINS Servers: None
Another example of using the netsh interface ip context is resetting TCP/IP. For several reasons, including infestation by malware, these settings might get corrupted. Netsh contains a command that will reset the TCP/IP stack to the original settings that existed when the operating system was installed. These settings may not be the most up-to-date for your system, but they will allow you to reconfigure after a spyware invasion or other problem. The general form of the command is given first below; note that you must include a file name where a log of the actions will be placed. Thus, if the log file is D:\tcplog.txt, the command is the second line below.
netsh interface ip reset {logfile}
netsh interface ip reset D:\tcplog.txt
Uninstalling spyware or poorly written applications can corrupt the Winsock settings and result in loss of network connectivity. There are two commands for managing the settings. To display a list of various installed services (LSP, BSP, NSP), enter the following command:
PS C:\Users\JOSEPH> netsh winsock show catalog
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: Hyper-V RAW
Provider ID: {1234191B-4BF7-4CA7-86E0-DFD7C32B5445}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1005
Version: 2
Address Family: 34
Max Address Length: 36
Min Address Length: 36
Socket Type: 1
Protocol: 1
Service Flags: 0x20026
Protocol Chain Length: 1
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD Tcpip [TCP/IPv6]
Provider ID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1006
Version: 2
Address Family: 23
Max Address Length: 28
Min Address Length: 28
Socket Type: 1
Protocol: 6
Service Flags: 0x20066
Protocol Chain Length: 1
To reset the Winsock to the default configuration, enter the command below:
netsh winsock reset catalog
Note that any installed software that uses Internet connections may be partially disabled by this action and have to be reinstalled. This would include most software that updates itself and anti-virus programs that use proxy servers. Therefore, this command should only be used for cases where the degree of corruption makes it necessary.
You might also want to view all of the wireless networks the system has connected to. The following command will display the list:
PS C:\Users\JOSEPH> netsh wlan show profiles
Profiles on interface Wi-Fi:
Group policy profiles (read only)
---------------------------------
User profiles
-------------
All User Profile : Galaxy S10+
All User Profile : itel A58 Lite
All User Profile : TECNO POP 7 Pro
All User Profile : itel S18
To view the password of any of the above Wireless connections, enter the following command:
netsh wlan show profile name="TECNO POP 7 Pro" key=clear
Security settings
-----------------
Authentication : WPA2-Personal
Cipher : CCMP
Authentication : WPA2-Personal
Cipher : GCMP
Security key : Present
Key Content : hausaman3
Other important commands you might want to examine in the show subcommand include:
C:\Users\JOSEPH>netsh wlan show
The following commands are available:
Commands in this context:
show all - Shows complete wireless device and networks information.
show allowexplicitcreds - Shows the allow shared user credentials settings.
show autoconfig - Shows whether the auto configuration logic is enabled or
disabled.
show blockednetworks - Shows the blocked network display settings.
show createalluserprofile - Shows whether everyone is allowed to create all
user profiles.
show drivers - Shows properties of the wireless LAN drivers on the system.
show filters - Shows the allowed and blocked network list.
show hostednetwork - Show hosted network properties and status.
show interfaces - Shows a list of the wireless LAN interfaces on
the system.
show networks - Shows a list of networks visible on the system.
show onlyUseGPProfilesforAllowedNetworks - Shows the only use GP profiles on GP configured networks setting.
show profiles - Shows a list of profiles configured on the system.
show randomization - Shows whether MAC randomization is enabled or
disabled.
show settings - Shows the global settings of wireless LAN.
show tracing - Shows whether wireless LAN tracing is enabled or disabled.
show wirelesscapabilities - Shows the wireless capabilities of the system
show wlanreport - Generate a report showing recent wireless session information.
To configure network priority, take the name of the profile you want ranked highest from the output of the above command and enter the following command, replacing the placeholders with the profile and adapter names:
netsh wlan set profileorder name="type network name here" interface="type adapter name here" priority=1
To remove a wireless network from the list of networks the system has made connections to, enter the following command:
PS C:\Users\JOSEPH> netsh wlan delete profile name="TECNO POP 7 Pro"
Profile "TECNO POP 7 Pro" is deleted from interface "Wi-Fi".
Finally, there’s one other Wi-Fi setting to introduce: the option to use your Windows computer to create a personal mobile hotspot you can share with others. The SSID and key below are placeholders; values containing spaces must be quoted:
netsh wlan set hostednetwork mode=allow ssid="network name" key="password"
Malware and External Intrusion Detection and Remediation
There are many levels of threats to a computer system. There are threats to the network as a whole, to servers, and to individual machines. A threat can be internal, from users, incorrect configurations, or loose security, or external, from nefarious individuals who are intent on harming your organization. A threat can be personal, such as an individual user downloading a virus, or corporate, such as someone trying to steal the latest intellectual property from your network. You must combine preventative and detection software with training, policies, and other elements to create an effective defense against all these threats. Most importantly, the smart administrator is constantly thinking outside the box, because the adversary certainly is.
Detect and Remove Malware
The Malicious Software Removal Tool (MRT) helps you remove common malicious software from your system. You can find a description of this utility in this article. It’s important to review this Knowledge Base article relatively often because Microsoft updates it each month with the list of viruses that MRT can detect. If you’re an administrator, make sure you check the deployment instructions in this article. To use the wizard-based GUI of MRT, type MRT and press Enter.
Verify System Files
Viruses often replace system files with patched versions that contain the virus code. Hitchhiking on an existing system file makes it less likely that someone will remove the virus and ensures that the virus gets a chance to run, so virus writers are motivated to use system files whenever they think they can.
To scan all of the protected system files immediately and repair any damage found, enter the following command:
SFC /ScanNow
The utility normally relies on the content of the %SystemDrive%\WINDOWS\system32\dllcache folder to make repairs to the system files. In many cases, you will want to know what repairs SFC is going to make before you let SFC make them. In this case, enter the following command:
PS C:\Users\JOSEPH> SFC /VerifyOnly
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection found integrity violations.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.
The SFC scanning process can require an extended time to complete (up to 15 minutes on many systems). You probably won’t want to wait all that time if you suspect only one file is corrupted or tainted in some way. In this case, enter the following command:
PS C:\Users\JOSEPH> SFC /ScanFile=C:\Hackware\MagnetRESPONSEv170\MagnetRESPONSE.exe
It’s also possible to verify a file, rather than scan it. Verifying the file saves time in some cases. SFC simply tells you whether or not the file is corrupt and then you can replace it using whatever technique works best. To verify a file, enter the command:
SFC /VerifyFile=C:\Hackware\MagnetRESPONSEv170\MagnetRESPONSE.exe