Windows CLI and Tools – Part 2

ALEXANDRE BORGES - BLOG

Author: Alexandre Borges
Revision: A.1
Website: http://alexandreborges.org

This second part of the series brings some additional useful commands which can be used in daily administration:

Command 57: How to get a list of processes and associated network information

The Tcpvcon.exe command (from the Sysinternals Suite - http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx) shows every process and its associated network endpoints on a Windows system:

C:\Sysinternals>Tcpvcon.exe -a

TCPView v3.01 - TCP/UDP endpoint viewer
Copyright (C) 1998-2010 Mark Russinovich and Bryce Cogswell
Sysinternals - www.sysinternals.com

[TCP] googledrivesync.exe
       PID:    2692
       State:  ESTABLISHED
       Local:  exadata.example.com
       Remote: qc-in-f125.1e100.net
[TCP] googledrivesync.exe
       PID:    2692
       State:  ESTABLISHED
       Local:  exadata.example.com
       Remote: qc-in-f125.1e100.net
[TCP] chrome.exe
       PID:    2836
       State:  ESTABLISHED
       Local:  exadata.example.com
       Remote: qc-in-f125.1e100.net
[TCP] AvastSvc.exe
       PID:    1920
       State:  ESTABLISHED
       Local:  exadata.example.com
       Remote: r-051-044-234-077.ff.avast.com
[TCP] vmware.exe
       PID:    9508
       State:  ESTABLISHED
       Local:  EXADATA
       Remote: localhost
[TCP] vmware.exe
       PID:    9508
       State:  CLOSE_WAIT
       Local:  exadata.example.com
       Remote: a23-199-243-51.deploy.static.akamaitechnologies.com
[TCP] vmnat.exe
       PID:    4464
       State:  CLOSE_WAIT
       Local:  exadata.example.com
       Remote: 69.31.75.226
[TCP] vmnat.exe
       PID:    4464
       State:  ESTABLISHED
       Local:  exadata.example.com
       Remote: exadata.example.com
(truncated output)

With Tcpvcon.exe it is also possible to export the output to a CSV file and import it into Excel:

C:\Sysinternals>Tcpvcon.exe -a -c > list_conn.csv

Figure 1
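The text layout above (one [PROTO] image header followed by indented PID/State/Local/Remote lines) is easy to post-process when you want to answer "which processes talk to which remote hosts?" without opening Excel. The following Python is an added example, not code from the original post or from Sysinternals; the SAMPLE block is constructed in Tcpvcon's layout with placeholder host names, and the [TCPV6]/[UDPV6] tags are accepted as an assumption about the tool's other protocol labels (the page shows only [TCP]).

```python
import re
from collections import defaultdict

# Constructed sample in the multi-line layout Tcpvcon.exe -a prints.
# Host names are placeholders, not captured traffic.
SAMPLE = """\
[TCP] googledrivesync.exe
       PID:    2692
       State:  ESTABLISHED
       Local:  exadata.example.com
       Remote: qc-in-f125.1e100.net
[TCP] chrome.exe
       PID:    2836
       State:  ESTABLISHED
       Local:  exadata.example.com
       Remote: qc-in-f125.1e100.net
[TCP] vmware.exe
       PID:    9508
       State:  CLOSE_WAIT
       Local:  exadata.example.com
       Remote: a23-199-243-51.deploy.static.akamaitechnologies.com
[UDP] svchost.exe
       PID:    728
       State:
       Local:  exadata.example.com
       Remote: *
"""

# [TCPV6]/[UDPV6] are assumed labels for the IPv6 variants (not shown on the page).
HEADER = re.compile(r"^\[(TCP|UDP|TCPV6|UDPV6)\]\s+(\S.*)$")
FIELD = re.compile(r"^\s+(PID|State|Local|Remote):\s*(.*)$")


def parse_tcpvcon(text):
    """Turn Tcpvcon text output into a list of endpoint dicts."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"proto": m.group(1), "image": m.group(2).strip()}
            records.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2).strip()
            current[key] = int(value) if key == "pid" else value
    return records


def remote_hosts_by_process(records, state="ESTABLISHED"):
    """Map (image, pid) -> sorted list of remote hosts in the given state."""
    result = defaultdict(set)
    for r in records:
        if r.get("state") == state and r.get("remote") not in ("", "*", None):
            result[(r["image"], r.get("pid"))].add(r["remote"])
    return {k: sorted(v) for k, v in result.items()}


def processes_talking_to(records, host_suffix):
    """Images with an ESTABLISHED connection to a host under host_suffix."""
    return sorted({r["image"] for r in records
                   if r.get("state") == "ESTABLISHED"
                   and r.get("remote", "").endswith(host_suffix)})


if __name__ == "__main__":
    recs = parse_tcpvcon(SAMPLE)
    for key, hosts in remote_hosts_by_process(recs).items():
        print(key, hosts)
    print(processes_talking_to(recs, "1e100.net"))
```

Feeding it the real `Tcpvcon.exe -a` output gives a per-process list of remote peers, which is a handy baseline to diff against on a later run.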

Command 58: How to determine which resources are associated with a process

Sometimes we need to know all the resources (files, registry keys, and network ports) associated with a process, and the handle.exe tool from Sysinternals is appropriate for that:

C:\Sysinternals>handle.exe -p Dropbox.exe

Handle v3.51
Copyright (C) 1997-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
Dropbox.exe pid: 1484 EXADATA\Administrator
   14: File  (RW-)   C:\Windows
   20: File  (RW-)   C:\Windows\SysWOW64
   24: File  (RW-)   C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57
  1C4: File  (R-D)   C:\Windows\SysWOW64\en-US\KernelBase.dll.mui
  1C8: File  (RW-)   C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36
  1CC: File  (RW-)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
  220: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  2FC: Section       \BaseNamedObjects\__ComCatalogCache__
  308: Section       \BaseNamedObjects\__ComCatalogCache__
  3D8: File  (RW-)   C:\Users\Administrator\AppData\Roaming\Dropbox\notifications.dbx
  408: File  (R-D)   C:\Windows\SysWOW64\wbem\wbemdisp.tlb
  494: File  (RW-)   C:\Users\Administrator\AppData\Roaming\Dropbox\photo.dbx
  4D8: File  (RW-)   C:\Users\Administrator\AppData\Roaming\DropboxMaster\instance.dbx
  4DC: File  (RW-)   C:\Users\ADMINI~1\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpwvlmpb.lck
  588: File  (RW-)   C:\Users\Administrator\AppData\Roaming\Dropbox\config.dbx
  5BC: File  (R-D)   C:\Windows\SysWOW64\FirewallAPI.dll
  5C4: File  (R-D)   C:\Windows\SysWOW64\stdole2.tlb
  698: Section       \Sessions\1\BaseNamedObjects\libcef_5458814812778194973
  70C: File  (RWD)   C:\Windows\System32\drivers\etc
  7D0: File  (R-D)   C:\Windows\Fonts\StaticCache.dat
  8EC: File  (RW-)   C:\Users\Administrator\AppData\Roaming\Dropbox\sigstore.dbx
  8F8: File  (RW-)   C:\Users\Administrator\AppData\Roaming\Dropbox\filecache.dbx
  9E0: File  (RW-)   C:\Users\Administrator\AppData\Roaming\Dropbox\TO_HASH_mwg23a
  BF0: File  (RW-)   C:\Users\Administrator\AppData\Roaming\Dropbox\deleted.dbx
  C5C: File  (RW-)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
  C60: File  (RW-)   C:\Users\Administrator\Dropbox

Command 59: How to detect a network interface card (NIC) working in promiscuous mode

To determine which NICs are working in promiscuous mode we can use a tool named PromiscDetect (http://ntsecurity.nu/toolbox/promiscdetect/). If a NIC does not support promiscuous mode (for example, some wireless cards), the tool cannot open that adapter:

C:\Users\Administrator\Desktop\Forensic_Study>promiscdetect.exe

PromiscDetect 1.0 - (c) 2002, Arne Vidstrom - http://ntsecurity.nu/toolbox/promiscdetect/

Adapter name:
 - Intel(R) 82579LM Gigabit Network Connection

Active filter for the adapter:
 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)

Adapter name:
 - Intel(R) Centrino(R) Ultimate-N 6300 AGN

Active filter for the adapter:
 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)

Adapter name:
 - Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter

Warning: Cannot open the adapter

Adapter name:
 - SAMSUNG Mobile USB Remote NDIS Network Device

Warning: Cannot open the adapter

Adapter name:
 - VirtualBox Host-Only Ethernet Adapter

Active filter for the adapter:
 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)
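Every adapter PromiscDetect could open in the run above reports the same three filters (Directed, Multicast, Broadcast), so a practical check is to treat those as the baseline and flag any adapter that reports something else, while recording adapters it could not open as "unknown" rather than "clean". The Python below is an added example, not the author's or the tool's code; the exact wording PromiscDetect prints for a promiscuous filter is not shown on the page, so the "Promiscuous (...)" line in the constructed sample is an assumption, and the check deliberately does not depend on that wording.

```python
import re

# Constructed PromiscDetect-style output: the first adapter shows the baseline
# filters from the run above, the second could not be opened, and the third
# carries an extra filter entry (the wording of that entry is constructed).
SAMPLE = """\
Adapter name:
 - Intel(R) 82579LM Gigabit Network Connection

Active filter for the adapter:
 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)

Adapter name:
 - Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter

Warning: Cannot open the adapter

Adapter name:
 - Example Capture NIC (constructed)

Active filter for the adapter:
 - Directed (capture packets directed to this computer)
 - Multicast (capture multicast packets for groups the computer is a member of)
 - Broadcast (capture broadcast packets)
 - Promiscuous (capture all packets on the network)
"""

# Filters that every normally configured adapter in the run above reports.
BASELINE = {"Directed", "Multicast", "Broadcast"}


def parse_promiscdetect(text):
    """Return one dict per adapter: {'name', 'filters', 'opened'}."""
    adapters, cur, expect = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s == "Adapter name:":
            cur = {"name": None, "filters": [], "opened": True}
            adapters.append(cur)
            expect = "name"
        elif s == "Active filter for the adapter:":
            expect = "filter"
        elif s.startswith("Warning: Cannot open the adapter") and cur:
            cur["opened"] = False
        elif s.startswith("- ") and cur:
            if expect == "name":
                cur["name"] = s[2:].strip()
                expect = None
            elif expect == "filter":
                # keep only the filter keyword, e.g. "Directed"
                cur["filters"].append(s[2:].split(" ", 1)[0])
    return adapters


def classify(adapters):
    """'baseline', 'unknown' (adapter not openable) or 'extra:<filters>'."""
    out = {}
    for a in adapters:
        if not a["opened"]:
            out[a["name"]] = "unknown"
            continue
        extra = sorted(set(a["filters"]) - BASELINE)
        out[a["name"]] = "baseline" if not extra else "extra:" + ",".join(extra)
    return out


if __name__ == "__main__":
    for name, verdict in classify(parse_promiscdetect(SAMPLE)).items():
        print(f"{verdict:20s} {name}")
```

Adapters classified as "unknown" need another method (for instance checking the driver's own statistics), since the tool's silence about them is not evidence either way.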

Command 60: How to list, disable and enable applications (programs, DLLs, services, codecs, etc.) which will be started at the next boot

Doubtless, the best applications for this task are Autoruns.exe and Autorunsc.exe from Sysinternals. Personally, I like the options -v (to verify digital signatures) and -m (to exclude signed Microsoft entries: applications, DLLs, etc.):

c:\Sysinternals>autorunsc.exe -v -m | more

Autostart program viewer
Copyright (C) 2002-2013 Mark Russinovich and Bryce Cogswell
Sysinternals - www.sysinternals.com

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   Entry last modified: 25/01/2014 22:23
   [DISABLED] NVHotkey
     rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
     NVIDIA Hotkey Service, Version 268.83
     (Verified) NVIDIA Corporation
     8.17.12.6883
     c:\windows\system32\nvhotkey.dll
     05/06/2011 08:36

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
   Entry last modified: 07/03/2014 13:39
   ZoneAlarm
     "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"
     ZoneAlarm
     (Verified) Check Point Software Technologies Ltd.
     12.0.104.0
     c:\program files (x86)\checkpoint\zonealarm\zatray.exe
     26/10/2013 03:05
   SDTray
     "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
     Spybot - Search & Destroy tray access
     (Verified) Safer Networking Ltd.
     2.0.12.127
     c:\program files (x86)\spybot - search & destroy 2\sdtray.exe
     13/11/2012 10:08
   VirtualCloneDrive
     "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
     Virtual CloneDrive Daemon
     (Verified) Elaborate Bytes AG
     5.4.5.1
     c:\program files (x86)\elaborate bytes\virtualclonedrive\vcddaemon.exe
     10/03/2013 14:08
   vmware-tray.exe
     "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
     VMware Tray Process
     (Verified) VMware
     10.0.1.41495
     c:\program files (x86)\vmware\vmware workstation\vmware-tray.exe
     18/10/2013 15:49

(truncated output)

As a complement, you can use the GUI version (autoruns.exe):


Figure 2

It is also possible to save the output to a CSV file and import it into Excel:

c:\Sysinternals>autorunsc.exe -v -m -c > autoruns_list.csv

Command 61: How to dump the Event log

Managing event logs on a Windows system is critical, and there are nice tools for dumping the Event Logs. One of them is psloglist.exe (from the Sysinternals Suite - http://technet.microsoft.com/en-us/sysinternals/bb842062). For example, to dump the event log from the last day:

C:\Sysinternals>psloglist.exe -d 1 | more

PsLoglist v2.71 - local and remote event log viewer
Copyright (C) 2000-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

System log on \\EXADATA:
[209298] Service Control Manager
   Type:     INFORMATION
   Computer: EXADATA
   Time:     16/03/2014 19:20:34       ID:      7036
The Application Experience service entered the running state.

[209297] Service Control Manager
   Type:     INFORMATION
   Computer: EXADATA
   Time:     16/03/2014 19:19:35       ID:      7036
The Windows Modules Installer service entered the stopped state.

[209296] Service Control Manager
   Type:     INFORMATION
   Computer: EXADATA
   Time:     16/03/2014 19:19:33       ID:      7040
   User:     NT AUTHORITY\SYSTEM
The start type of the Windows Modules Installer service was changed from auto start to demand start.
(truncated output)

It is also possible to show only the events from the last 60 minutes:

C:\Sysinternals>psloglist.exe -m 60 | more

PsLoglist v2.71 - local and remote event log viewer
Copyright (C) 2000-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

System log on \\EXADATA:
[209299] Microsoft-Windows-DNS-Client
   Type:     WARNING
   Computer: EXADATA
   Time:     16/03/2014 19:29:29       ID:      1014
   User:     NT AUTHORITY\NETWORK SERVICE
Name resolution for the name wpad.example.com timed out after none of the configured DNS servers responded.

[209298] Service Control Manager
   Type:     INFORMATION
   Computer: EXADATA
   Time:     16/03/2014 19:20:34       ID:      7036
The Application Experience service entered the running state.

[209297] Service Control Manager
   Type:     INFORMATION
   Computer: EXADATA
   Time:     16/03/2014 19:19:35       ID:      7036
The Windows Modules Installer service entered the stopped state.
(truncated output)
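The psloglist records above have a fixed shape (a [record] header, indented Type/Computer/Time/ID/User fields, then the message on unindented lines), which makes them easy to turn into structured events for triage: replicate the -m time window, count events per ID, and pull out the ones worth a second look, such as ID 7040 (a service's start type was changed). The Python below is an added example, not the author's or Sysinternals' code; the SAMPLE records are constructed in psloglist's layout, with day/month/year timestamps as in the runs above.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed records in the layout psloglist.exe prints. The messages and
# record numbers are constructed samples.
SAMPLE = r"""
System log on \\EXADATA:
[209299] Microsoft-Windows-DNS-Client
   Type:     WARNING
   Computer: EXADATA
   Time:     16/03/2014 19:29:29       ID:      1014
   User:     NT AUTHORITY\NETWORK SERVICE
Name resolution for the name wpad.example.com timed out after none of the configured DNS servers responded.

[209298] Service Control Manager
   Type:     INFORMATION
   Computer: EXADATA
   Time:     16/03/2014 19:20:34       ID:      7036
The Application Experience service entered the running state.

[209296] Service Control Manager
   Type:     INFORMATION
   Computer: EXADATA
   Time:     16/03/2014 19:19:33       ID:      7040
   User:     NT AUTHORITY\SYSTEM
The start type of the Windows Modules Installer service was changed from auto start to demand start.

[209100] Service Control Manager
   Type:     INFORMATION
   Computer: EXADATA
   Time:     15/03/2014 08:00:00       ID:      7036
The Windows Update service entered the stopped state.
"""

TIME_FMT = "%d/%m/%Y %H:%M:%S"  # psloglist prints the system's date format
REC = re.compile(r"^\[(\d+)\]\s+(.*)$")
TIME = re.compile(r"^\s+Time:\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+ID:\s+(\d+)")
KV = re.compile(r"^\s+(Type|Computer|User):\s+(.*)$")


def parse_psloglist(text):
    """Turn psloglist text output into a list of event dicts."""
    events, cur = [], None
    for line in text.splitlines():
        m = REC.match(line)
        if m:
            cur = {"record": int(m.group(1)), "source": m.group(2).strip(), "message": ""}
            events.append(cur)
            continue
        if cur is None or not line.strip():
            continue
        m = TIME.match(line)
        if m:
            cur["time"] = datetime.strptime(m.group(1), TIME_FMT)
            cur["id"] = int(m.group(2))
            continue
        m = KV.match(line)
        if m:
            cur[m.group(1).lower()] = m.group(2).strip()
            continue
        if not line.startswith(" "):  # unindented lines carry the message text
            cur["message"] = (cur["message"] + " " + line.strip()).strip()
    return events


def recent(events, now, minutes):
    """Events in the last `minutes` before `now` (a string in TIME_FMT), like -m."""
    now_dt = datetime.strptime(now, TIME_FMT)
    cutoff = now_dt - timedelta(minutes=minutes)
    return [e for e in events if "time" in e and cutoff <= e["time"] <= now_dt]


def count_by_id(events):
    """Histogram of event IDs, useful to spot noise versus rare events."""
    return Counter(e["id"] for e in events)


def service_start_type_changes(events):
    """ID 7040 records: a service's start type was changed; worth reviewing."""
    return [(e["time"], e["message"]) for e in events if e.get("id") == 7040]


if __name__ == "__main__":
    evs = parse_psloglist(SAMPLE)
    print(count_by_id(recent(evs, "16/03/2014 19:30:00", 60)))
    for when, msg in service_start_type_changes(evs):
        print(when, msg)
```

Adding a `User` check (for instance, 7040 changes not made by NT AUTHORITY\SYSTEM) is a natural next filter once the events are structured.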

Command 62: How to list DLLs

When managing and reporting DLL information, there are relevant options in listdlls.exe (from the Sysinternals Suite - http://technet.microsoft.com/en-us/sysinternals/bb842062). Usually the first step is to run the command in its basic form:

C:\Sysinternals>Listdlls.exe | more

ListDLLs v3.1 - List loaded DLLs
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
smss.exe pid: 436
Command line: \SystemRoot\System32\smss.exe

  Base                Size      Path
  0x0000000047660000  0x20000   C:\Windows\System32\smss.exe
  0x0000000077240000  0x1a9000  C:\Windows\SYSTEM32\ntdll.dll
------------------------------------------------------------------------------
csrss.exe pid: 628
Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

  Base                Size      Path
  0x0000000049b70000  0x6000    C:\Windows\system32\csrss.exe
  0x0000000077240000  0x1a9000  C:\Windows\SYSTEM32\ntdll.dll
  0x00000000fd070000  0x13000   C:\Windows\system32\CSRSRV.dll
  0x00000000fd050000  0x11000   C:\Windows\system32\basesrv.DLL
  0x00000000fd010000  0x38000   C:\Windows\system32\winsrv.DLL
  0x0000000077020000  0xfa000   C:\Windows\system32\USER32.dll
  0x00000000fe8f0000  0x67000   C:\Windows\system32\GDI32.dll
  0x0000000077120000  0x11f000  C:\Windows\SYSTEM32\kernel32.dll
  0x00000000fd1b0000  0x6b000   C:\Windows\system32\KERNELBASE.dll
  0x00000000fe7d0000  0xe000    C:\Windows\system32\LPK.dll
  0x00000000fd970000  0xc9000   C:\Windows\system32\USP10.dll
  0x00000000ff4b0000  0x9f000   C:\Windows\system32\msvcrt.dll
  0x00000000fd000000  0xc000    C:\Windows\system32\sxssrv.DLL
  0x00000000fcef0000  0x91000   C:\Windows\system32\sxs.dll
  0x00000000fd5a0000  0x12d000  C:\Windows\system32\RPCRT4.dll
  0x00000000fcee0000  0xf000    C:\Windows\system32\CRYPTBASE.dll
  0x00000000fd420000  0xdb000   C:\Windows\system32\ADVAPI32.dll
  0x00000000ff310000  0x1f000   C:\Windows\SYSTEM32\sechost.dll
------------------------------------------------------------------------------
wininit.exe pid: 704
Command line: wininit.exe

  Base                Size      Path
  0x00000000ff8f0000  0x23000   C:\Windows\system32\wininit.exe
  0x0000000077240000  0x1a9000  C:\Windows\SYSTEM32\ntdll.dll
  0x0000000077120000  0x11f000  C:\Windows\system32\kernel32.dll
(truncated output)

There are other interesting options worth testing. For example, we could be interested in finding the DLLs loaded by the winlogon.exe process:

C:\Sysinternals>Listdlls.exe winlogon.exe

ListDLLs v3.1 - List loaded DLLs
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
winlogon.exe pid: 1016
Command line: winlogon.exe

  Base                Size      Path
  0x00000000ffae0000  0x62000   C:\Windows\system32\winlogon.exe
  0x0000000077240000  0x1a9000  C:\Windows\SYSTEM32\ntdll.dll
  0x0000000077120000  0x11f000  C:\Windows\system32\kernel32.dll
  0x00000000fd1b0000  0x6b000   C:\Windows\system32\KERNELBASE.dll
  0x0000000077020000  0xfa000   C:\Windows\system32\USER32.dll
  0x00000000fe8f0000  0x67000   C:\Windows\system32\GDI32.dll
  0x00000000fe7d0000  0xe000    C:\Windows\system32\LPK.dll
  0x00000000fd970000  0xc9000   C:\Windows\system32\USP10.dll
  0x00000000ff4b0000  0x9f000   C:\Windows\system32\msvcrt.dll
  0x00000000fc250000  0x3d000   C:\Windows\system32\WINSTA.dll
  0x00000000fd5a0000  0x12d000  C:\Windows\system32\RPCRT4.dll
  0x00000000fd930000  0x2e000   C:\Windows\system32\IMM32.DLL
  0x00000000fe7e0000  0x109000  C:\Windows\system32\MSCTF.dll
  0x00000000fcfb0000  0x3c000   C:\Windows\system32\nvinitx.dll
  0x00000000fd420000  0xdb000   C:\Windows\system32\ADVAPI32.dll
  0x00000000ff310000  0x1f000   C:\Windows\SYSTEM32\sechost.dll
  0x00000000fcff0000  0xf000    C:\Windows\system32\profapi.dll
  0x00000000fcf90000  0x14000   C:\Windows\system32\RpcRtRemote.dll
  0x00000000fce80000  0x57000   C:\Windows\system32\apphelp.dll
  0x00000000fa170000  0xa000    C:\Windows\system32\UXINIT.dll
  0x00000000fb480000  0x56000   C:\Windows\system32\UxTheme.dll
  0x00000000fc880000  0x17000   C:\Windows\system32\CRYPTSP.dll
  0x00000000fc580000  0x47000   C:\Windows\system32\rsaenh.dll
  0x00000000fcee0000  0xf000    C:\Windows\system32\CRYPTBASE.dll
  0x00000000faca0000  0x161000  C:\Windows\system32\WindowsCodecs.dll
  0x00000000fed40000  0x203000  C:\Windows\system32\ole32.dll
  0x00000000fc470000  0x15000   C:\Windows\system32\wkscli.dll
  0x00000000fc990000  0x32000   C:\Windows\system32\netjoin.dll
  0x00000000fc490000  0xc000    C:\Windows\system32\netutils.dll
  0x00000000fce50000  0x25000   C:\Windows\system32\SspiCli.dll
  0x00000000fab90000  0xb000    C:\Windows\system32\slc.dll
  0x00000000f87e0000  0x18000   C:\Windows\system32\MPR.dll
  0x00000000fca50000  0x2f000   C:\Windows\system32\AUTHZ.dll

Command 63: How to find local and remote logged users

This command (PsLoggedon.exe, from the Sysinternals Suite - http://technet.microsoft.com/en-us/sysinternals/bb842062) lists which users are logged on locally or from a remote machine:

C:\Sysinternals>PsLoggedon.exe

PsLoggedon v1.34 - See who's logged on
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Users logged on locally:
     14/03/2014 17:33:08        EXADATA\Administrator

No one is logged on via resource shares.

Command 64: How to use the Tlist.exe command

The tlist.exe command is not installed by default on Windows, so it is necessary to download and install WinDbg (Debugging Tools for Windows) from http://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx.

A first use of tlist.exe is to show which services are active in each process:

C:\Program Files\Debugging Tools for Windows (x64)>tlist -s | more
   0 System Process
   4 System
 436 smss.exe
 628 csrss.exe
 704 wininit.exe
 724 csrss.exe
 776 services.exe
 784 lsass.exe         Svcs:  KeyIso,ProtectedStorage,SamSs
 792 lsm.exe
 892 svchost.exe       Svcs:  DcomLaunch,PlugPlay,Power
 968 nvvsvc.exe        Svcs:  NVSvc
 992 GbpSv.exe         Svcs:  GbpSv
1016 winlogon.exe
 592 svchost.exe       Svcs:  RpcEptMapper,RpcSs
 728 svchost.exe       Svcs:  AudioSrv,Dhcp,eventlog,lmhosts,wscsvc
1060 svchost.exe       Svcs:  AudioEndpointBuilder,CscService,IPBusEnum,Netman,PcaSvc,SysMain,TrkWks,UxSms,Wlansvc,wudfsvc
1096 svchost.exe       Svcs:  EventSystem,fdPHost,FontCache,netprofm,nsi,WdiServiceHost,WinHttpAutoProxySvc
1120 svchost.exe       Svcs:  AeLookupSvc,Appinfo,BITS,Browser,CertPropSvc,EapHost,gpsvc,IKEEXT,iphlpsvc,LanmanServer,MSiSCSI,ProfSvc,Schedule,seclogon,SENS,ShellHWDetection,Themes,Winmgmt,wuauserv
1404 svchost.exe       Svcs:  CryptSvc,Dnscache,LanmanWorkstation,NlaSvc
1548 vsmon.exe         Svcs:  vsmon
1612 NvXDSync.exe
1628 nvvsvc.exe
1448 AvastSvc.exe      Svcs:  avast! Antivirus
1748 spoolsv.exe       Svcs:  Spooler
1904 svchost.exe       Svcs:  SCardSvr,SSDPSRV,upnphost
1976 svchost.exe       Svcs:  BFE,DPS,MpsSvc
2400 armsvc.exe        Svcs:  AdobeARMservice
2432 BvSshServer.exe   Svcs:  BvSshServer
2496 httpd.exe         Svcs:  EnterpriseDBApachePHP
2564 sqlservr.exe      Svcs:  MSSQL$SQLEXPRESS
2680 httpd.exe
(truncated output)

Another very useful approach with tlist.exe is to show the command line associated with each process:

C:\Program Files\Debugging Tools for Windows (x64)>tlist.exe -c | more
   0 System Process
   Command Line:
   4 System
   Command Line:
 436 smss.exe
   Command Line: \SystemRoot\System32\smss.exe
 628 csrss.exe
   Command Line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
 704 wininit.exe
   Command Line: wininit.exe
 724 csrss.exe
   Command Line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
 776 services.exe
   Command Line: C:\Windows\system32\services.exe
 784 lsass.exe
   Command Line: C:\Windows\system32\lsass.exe
 792 lsm.exe
   Command Line: C:\Windows\system32\lsm.exe
(truncated output)

tlist.exe also makes it possible to list the process tree:

C:\Program Files\Debugging Tools for Windows (x64)>tlist.exe -t | more
System Process (0)
System (4)
  smss.exe (436)
csrss.exe (628)
  conhost.exe (9320)
wininit.exe (704)
  services.exe (776)
    svchost.exe (892)
      mobsync.exe (6004)
      dllhost.exe (8084)
      dllhost.exe (1304)
    nvvsvc.exe (968)
      NvXDSync.exe (1612)
      nvvsvc.exe (1628)
    GbpSv.exe (992)
    svchost.exe (592)
    svchost.exe (728)
    svchost.exe (1060)
      WUDFHost.exe (4576)
      dwm.exe (1428)
(truncated output)

Sometimes it is useful to collect detailed information about a specific process:

C:\Program Files\Debugging Tools for Windows (x64)>tlist.exe lsass.exe -v
[0] 0 64 784 lsass.exe         Svcs:  KeyIso,ProtectedStorage,SamSs
   Command Line: C:\Windows\system32\lsass.exe
   CWD:     C:\Windows\system32\
   CmdLine: C:\Windows\system32\lsass.exe
   VirtualSize:     58364 KB   PeakVirtualSize:     70140 KB
   WorkingSetSize:  12068 KB   PeakWorkingSetSize:  17288 KB
   NumberOfThreads: 9
    804 Win32StartAddr:0x00000000 LastErr:0x00000000 State:Waiting
    812 Win32StartAddr:0x00000000 LastErr:0x00000000 State:Waiting
    816 Win32StartAddr:0x00000000 LastErr:0x00000000 State:Waiting
    820 Win32StartAddr:0x00000000 LastErr:0x000003e5 State:Waiting
    824 Win32StartAddr:0x00000000 LastErr:0x00000000 State:Waiting
   3396 Win32StartAddr:0x00000000 LastErr:0x00000000 State:Waiting
   4716 Win32StartAddr:0x00000000 LastErr:0x00000000 State:Waiting
   7700 Win32StartAddr:0x00000000 LastErr:0x00000000 State:Waiting
   8028 Win32StartAddr:0x00000000 LastErr:0x00000000 State:Waiting
  6.1.7601.18270 shp  0x00000000FF4D0000  C:\Windows\system32\lsass.exe
  6.1.7601.18247 shp  0x0000000077240000  C:\Windows\SYSTEM32\ntdll.dll
  6.1.7601.18229 shp  0x0000000077120000  C:\Windows\system32\kernel32.dll
  6.1.7601.18229 shp  0x000007FEFD1B0000  C:\Windows\system32\KERNELBASE.dll
  7.0.7601.17744 shp  0x000007FEFF4B0000  C:\Windows\system32\msvcrt.dll
  6.1.7601.18205 shp  0x000007FEFD5A0000  C:\Windows\system32\RPCRT4.dll
  6.1.7601.18270 shp  0x000007FEFCE40000  C:\Windows\system32\SspiSrv.dll
  6.1.7601.18270 shp  0x000007FEFCCA0000  C:\Windows\system32\lsasrv.dll
(truncated output)
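The `tlist -s` listing above is the quickest way to answer "which process hosts service X?", and it also supports a simple consistency check: svchost.exe exists only to host services, so an svchost.exe instance that reports no services deserves a closer look (for instance with `tlist.exe -c` to see its command line, or `listdlls.exe` to see what it loaded). The Python below is an added example, not the author's or Microsoft's code; the SAMPLE is constructed in the `tlist -s` layout and the svchost.exe line with PID 4242 is a constructed entry that hosts nothing.

```python
import re

# Constructed tlist -s style listing. PID 4242 is a constructed svchost.exe
# instance that hosts no services; the other lines mirror the run above.
SAMPLE = """\
   0 System Process
   4 System
 436 smss.exe
 776 services.exe
 784 lsass.exe         Svcs:  KeyIso,ProtectedStorage,SamSs
 892 svchost.exe       Svcs:  DcomLaunch,PlugPlay,Power
 728 svchost.exe       Svcs:  AudioSrv,Dhcp,eventlog,lmhosts,wscsvc
1404 svchost.exe       Svcs:  CryptSvc,Dnscache,LanmanWorkstation,NlaSvc
1748 spoolsv.exe       Svcs:  Spooler
4242 svchost.exe
"""

# PID, image name (may contain spaces, e.g. "System Process"), optional Svcs list.
LINE = re.compile(r"^\s*(\d+)\s+(.+?)(?:\s+Svcs:\s+(.*))?\s*$")


def parse_tlist_services(text):
    """Return [(pid, image, [service, ...])] for each process line."""
    procs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        svcs = [s.strip() for s in m.group(3).split(",")] if m.group(3) else []
        procs.append((int(m.group(1)), m.group(2), svcs))
    return procs


def service_host_map(procs):
    """service name -> (pid, image) hosting it."""
    return {svc: (pid, image) for pid, image, svcs in procs for svc in svcs}


def svchost_without_services(procs):
    """PIDs of svchost.exe instances that host no service at all."""
    return [pid for pid, image, svcs in procs
            if image.lower() == "svchost.exe" and not svcs]


if __name__ == "__main__":
    procs = parse_tlist_services(SAMPLE)
    print("Dnscache runs in", service_host_map(procs)["Dnscache"])
    print("svchost.exe without services:", svchost_without_services(procs))
```

On a live system the check is only a prompt for investigation: a service may also have just stopped, leaving its host process briefly without services.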

Command 65: How to show memory information

This is a quick and very nice way to report information about memory in Windows (findstr treats each space-separated word in the quoted string as a separate search term, which is why every line containing "Memory" is matched):

C:\>systeminfo | findstr "Total Physical Memory"

Total Physical Memory:     16.341 MB
Available Physical Memory: 7.940 MB
Virtual Memory: Max Size:  32.680 MB
Virtual Memory: Available: 23.869 MB
Virtual Memory: In Use:    8.811 MB

Command 66: How to show processor information

Coreinfo.exe is another very interesting command from the Sysinternals suite (http://technet.microsoft.com/en-us/sysinternals/bb842062) that shows us all the information about the processor and its cores:

C:\Sysinternals>Coreinfo.exe

Coreinfo v3.21 - Dump information on system CPU and memory topology
Copyright (C) 2008-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

Intel(R) Core(TM) i7-2920XM CPU @ 2.50GHz
Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
HTT             *       Hyperthreading enabled
HYPERVISOR      -       Hypervisor is present
VMX             *       Supports Intel hardware-assisted virtualization
SVM             -       Supports AMD hardware-assisted virtualization
EM64T           *       Supports 64-bit mode

SMX             *       Supports Intel trusted execution
SKINIT          -       Supports AMD SKINIT

NX              *       Supports no-execute page protection
SMEP            -       Supports Supervisor Mode Execution Prevention
SMAP            -       Supports Supervisor Mode Access Prevention
PAGE1GB         -       Supports 1 GB large pages
PAE             *       Supports > 32-bit physical addresses
PAT             *       Supports Page Attribute Table
PSE             *       Supports 4 MB pages
PSE36           *       Supports > 32-bit address 4 MB pages
PGE             *       Supports global bit in page tables
SS              *       Supports bus snooping for cache operations
VME             *       Supports Virtual-8086 mode
RDWRFSGSBASE    -       Supports direct GS/FS base access

FPU             *       Implements i387 floating point instructions
MMX             *       Supports MMX instruction set
MMXEXT          -       Implements AMD MMX extensions
3DNOW           -       Supports 3DNow! instructions
3DNOWEXT        -       Supports 3DNow! extension instructions
SSE             *       Supports Streaming SIMD Extensions
SSE2            *       Supports Streaming SIMD Extensions 2
SSE3            *       Supports Streaming SIMD Extensions 3
SSSE3           *       Supports Supplemental SIMD Extensions 3
SSE4a           -       Supports Sreaming SIMDR Extensions 4a
SSE4.1          *       Supports Streaming SIMD Extensions 4.1
SSE4.2          *       Supports Streaming SIMD Extensions 4.2

AES             *       Supports AES extensions
AVX             *       Supports AVX intruction extensions
FMA             -       Supports FMA extensions using YMM state
MSR             *       Implements RDMSR/WRMSR instructions
MTRR            *       Supports Memory Type Range Registers
XSAVE           *       Supports XSAVE/XRSTOR instructions
OSXSAVE         *       Supports XSETBV/XGETBV instructions
RDRAND          -       Supports RDRAND instruction
RDSEED          -       Supports RDSEED instruction

CMOV            *       Supports CMOVcc instruction
CLFSH           *       Supports CLFLUSH instruction
CX8             *       Supports compare and exchange 8-byte instructions
CX16            *       Supports CMPXCHG16B instruction
BMI1            -       Supports bit manipulation extensions 1
BMI2            -       Supports bit manipulation extensions 2
ADX             -       Supports ADCX/ADOX instructions
DCA             -       Supports prefetch from memory-mapped device
F16C            -       Supports half-precision instruction
FXSR            *       Supports FXSAVE/FXSTOR instructions
FFXSR           -       Supports optimized FXSAVE/FSRSTOR instruction
MONITOR         *       Supports MONITOR and MWAIT instructions
MOVBE           -       Supports MOVBE instruction
ERMSB           -       Supports Enhanced REP MOVSB/STOSB
PCLULDQ         *       Supports PCLMULDQ instruction
POPCNT          *       Supports POPCNT instruction
LZCNT           -       Supports LZCNT instruction
SEP             *       Supports fast system call instructions
LAHF-SAHF       *       Supports LAHF/SAHF instructions in 64-bit mode
HLE             -       Supports Hardware Lock Elision instructions
RTM             -       Supports Restricted Transactional Memory instructions

DE              *       Supports I/O breakpoints including CR4.DE
DTES64          *       Can write history of 64-bit branch addresses
DS              *       Implements memory-resident debug buffer
DS-CPL          *       Supports Debug Store feature with CPL
PCID            *       Supports PCIDs and settable CR4.PCIDE
INVPCID         -       Supports INVPCID instruction
PDCM            *       Supports Performance Capabilities MSR
RDTSCP          *       Supports RDTSCP instruction
TSC             *       Supports RDTSC instruction
TSC-DEADLINE    *       Local APIC supports one-shot deadline timer
TSC-INVARIANT   *       TSC runs at constant rate
xTPR            *       Supports disabling task priority messages

EIST            *       Supports Enhanced Intel Speedstep
ACPI            *       Implements MSR for power management
TM              *       Implements thermal monitor circuitry
TM2             *       Implements Thermal Monitor 2 control
APIC            *       Implements software-accessible local APIC
x2APIC          *       Supports x2APIC

CNXT-ID         -       L1 data cache mode adaptive or BIOS

MCE             *       Supports Machine Check, INT18 and CR4.MCE
MCA             *       Implements Machine Check Architecture
PBE             *       Supports use of FERR#/PBE# pin

PSN             -       Implements 96-bit processor serial number

PREFETCHW       *       Supports PREFETCHW instruction

Maximum implemented CPUID leaves: 0000000D (Basic), 80000008 (Extended).

Logical to Physical Processor Map:
**------  Physical Processor 0 (Hyperthreaded)
--**----  Physical Processor 1 (Hyperthreaded)
----**--  Physical Processor 2 (Hyperthreaded)
------**  Physical Processor 3 (Hyperthreaded)

Logical Processor to Socket Map:
********  Socket 0

Logical Processor to NUMA Node Map:
********  NUMA Node 0

Logical Processor to Cache Map:
**------  Data Cache          0, Level 1,   32 KB, Assoc   8, LineSize  64
**------  Instruction Cache   0, Level 1,   32 KB, Assoc   8, LineSize  64
**------  Unified Cache       0, Level 2,  256 KB, Assoc   8, LineSize  64
--**----  Data Cache          1, Level 1,   32 KB, Assoc   8, LineSize  64
--**----  Instruction Cache   1, Level 1,   32 KB, Assoc   8, LineSize  64
--**----  Unified Cache       1, Level 2,  256 KB, Assoc   8, LineSize  64
----**--  Data Cache          2, Level 1,   32 KB, Assoc   8, LineSize  64
----**--  Instruction Cache   2, Level 1,   32 KB, Assoc   8, LineSize  64
----**--  Unified Cache       2, Level 2,  256 KB, Assoc   8, LineSize  64
------**  Data Cache          3, Level 1,   32 KB, Assoc   8, LineSize  64
------**  Instruction Cache   3, Level 1,   32 KB, Assoc   8, LineSize  64
------**  Unified Cache       3, Level 2,  256 KB, Assoc   8, LineSize  64
********  Unified Cache       4, Level 3,    8 MB, Assoc  16, LineSize  64

Logical Processor to Group Map:
********  Group 0

If this output is too long, there are good options to focus on more specific information. For example, to list the processor cache information:

C:\Sysinternals>Coreinfo.exe -l

Coreinfo v3.21 - Dump information on system CPU and memory topology
Copyright (C) 2008-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

Logical Processor to Cache Map:
**------  Data Cache          0, Level 1,   32 KB, Assoc   8, LineSize  64
**------  Instruction Cache   0, Level 1,   32 KB, Assoc   8, LineSize  64
**------  Unified Cache       0, Level 2,  256 KB, Assoc   8, LineSize  64
--**----  Data Cache          1, Level 1,   32 KB, Assoc   8, LineSize  64
--**----  Instruction Cache   1, Level 1,   32 KB, Assoc   8, LineSize  64
--**----  Unified Cache       1, Level 2,  256 KB, Assoc   8, LineSize  64
----**--  Data Cache          2, Level 1,   32 KB, Assoc   8, LineSize  64
----**--  Instruction Cache   2, Level 1,   32 KB, Assoc   8, LineSize  64
----**--  Unified Cache       2, Level 2,  256 KB, Assoc   8, LineSize  64
------**  Data Cache          3, Level 1,   32 KB, Assoc   8, LineSize  64
------**  Instruction Cache   3, Level 1,   32 KB, Assoc   8, LineSize  64
------**  Unified Cache       3, Level 2,  256 KB, Assoc   8, LineSize  64
********  Unified Cache       4, Level 3,    8 MB, Assoc  16, LineSize  64

To dump information on cores:

C:\Sysinternals>Coreinfo.exe -c

Coreinfo v3.21 - Dump information on system CPU and memory topology
Copyright (C) 2008-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

Logical to Physical Processor Map:
**------  Physical Processor 0 (Hyperthrea)ded)
--**----  Physical Processor 1 (Hyperthreaded)
----**--  Physical Processor 2 (Hyperthreaded)
------**  Physical Processor 3 (Hyperthreaded)
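Beyond topology, the feature table is the part of Coreinfo's output a hardening review cares about: it tells you whether the CPU supports the mitigations the OS can enable (NX for DEP, SMEP/SMAP for kernel protection, VMX for virtualization-based features) and whether hardware crypto support is available. The Python below is an added example, not the author's or Sysinternals' code; it parses Coreinfo's "FLAG  *|-  description" lines, and the SECURITY_FEATURES selection and its one-line reasons are this example's, not Coreinfo's.

```python
import re

# Constructed excerpt in Coreinfo's layout ('*' = supported, '-' = not),
# using the kinds of lines shown in the run above.
SAMPLE = """\
HTT             *       Hyperthreading enabled
HYPERVISOR      -       Hypervisor is present
VMX             *       Supports Intel hardware-assisted virtualization
NX              *       Supports no-execute page protection
SMEP            -       Supports Supervisor Mode Execution Prevention
SMAP            -       Supports Supervisor Mode Access Prevention
PAE             *       Supports > 32-bit physical addresses
AES             *       Supports AES extensions
RDRAND          -       Supports RDRAND instruction
RDSEED          -       Supports RDSEED instruction
PCID            *       Supports PCIDs and settable CR4.PCIDE
INVPCID         -       Supports INVPCID instruction
"""

# Flag token, a lone '*' or '-', then the description. Map/header lines
# ("Logical Processor to ...", "**------ ...") do not match this shape.
FLAG = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)\s+([*\-])\s+(.*)$")


def parse_coreinfo(text):
    """Return {flag: (supported, description)} from Coreinfo's feature table."""
    feats = {}
    for line in text.splitlines():
        m = FLAG.match(line)
        if m:
            feats[m.group(1)] = (m.group(2) == "*", m.group(3).strip())
    return feats


# Features a hardening review usually looks at, with the reason each matters.
# This selection is the example's own, not something Coreinfo reports as such.
SECURITY_FEATURES = {
    "NX": "hardware DEP (no-execute pages)",
    "SMEP": "kernel cannot execute user-mode pages",
    "SMAP": "kernel cannot implicitly access user-mode pages",
    "VMX": "hardware virtualization (needed for Hyper-V based features)",
    "AES": "AES-NI, faster disk/transport encryption",
    "RDRAND": "hardware random number source",
}


def security_report(feats):
    """Per feature: 'supported', 'missing', or 'not reported' by the tool."""
    report = {}
    for flag in SECURITY_FEATURES:
        if flag not in feats:
            report[flag] = "not reported"
        else:
            report[flag] = "supported" if feats[flag][0] else "missing"
    return report


if __name__ == "__main__":
    for flag, status in security_report(parse_coreinfo(SAMPLE)).items():
        print(f"{flag:8s} {status:13s} {SECURITY_FEATURES[flag]}")
```

A "missing" result means the CPU lacks the feature; whether the OS actually uses a "supported" one is a separate question (for DEP, for example, check the system's DEP policy).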

Command 67: How to report directory information

As on Unix, Windows has a simple utility named du.exe (from the Sysinternals suite - http://technet.microsoft.com/en-us/sysinternals/bb842062) that can be used to report directory disk usage:

C:\Sysinternals>du.exe c:\Sysinternals

Du v1.5 - report directory disk usage
Copyright (C) 2005-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

Files:        97
Directories:  1
Size:         35.545.735 bytes
Size on disk: 35.729.408 bytes


Command 68: How to report NTFS information

To report NTFS information, the Sysinternals suite (http://technet.microsoft.com/en-us/sysinternals/bb842062) offers a good tool named ntfsinfo.exe:

C:\Sysinternals>ntfsinfo.exe c:\

NTFS Information Dump V1.01
Copyright (C) 1997 Mark Russinovich
http://www.sysinternals.com

Volume Size
-----------
Volume size            : 714607 MB
Total sectors          : 1463517183
Total clusters         : 182939647
Free clusters          : 16654102
Free space             : 65055 MB (9% of drive)

Allocation Size
----------------
Bytes per sector       : 512
Bytes per cluster      : 4096
Bytes per MFT record   : 1024
Clusters per MFT record: 0

MFT Information
---------------
MFT size               : 417 MB (0% of drive)
MFT start cluster      : 786432
MFT zone clusters      : 73097120 - 73148320
MFT zone size          : 200 MB (0% of drive)
MFT mirror start       : 2

Meta-Data files
---------------

Command 69: How to get SID information

When handling certain strict operations on Windows (password cracking?!) it can be useful to translate SIDs (Security Identifiers) to user names and vice versa. The Sysinternals suite (http://technet.microsoft.com/en-us/sysinternals/bb842062) helps us accomplish this task with the PsGetSid.exe command:

C:\Sysinternals>PsGetsid.exe Administrator

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for EXADATA\Administrator:
S-1-5-21-3350660802-243114697-3461100895-500

C:\Sysinternals>PsGetsid.exe "Alexandre Borges"

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for EXADATA\Alexandre Borges:
S-1-5-21-3350660802-243114697-3461100895-1000
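The two SIDs above share everything except the last component: S-1-5-21 followed by three machine-specific sub-authorities identifies the local machine (or the domain), and the final relative identifier (RID) identifies the account. That structure is what makes SIDs useful in forensics: the built-in Administrator keeps RID 500 even after being renamed, and RIDs from 1000 upwards belong to accounts and groups created after installation. The Python below is an added example, not the author's or Sysinternals' code; it only operates on the SID strings themselves, and the well-known RID table is limited to values the author of this example is certain of.

```python
import re

# Well-known relative identifiers (RIDs) in a machine or domain SID.
# The built-in Administrator keeps RID 500 even when the account is renamed.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    519: "Enterprise Admins",
}
FIRST_USER_RID = 1000  # accounts and groups created after installation start here

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split 'S-1-5-21-...-500' into revision, identifier authority, sub-authorities."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a valid SID string: %r" % sid)
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    return {"revision": int(m.group(1)), "authority": int(m.group(2)),
            "subauthorities": subs}


def describe_sid(sid):
    """Classify a SID the way a reviewer reads PsGetSid output."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    # Only S-1-5-21-... SIDs carry a machine/domain part plus an account RID.
    if p["authority"] != 5 or not subs or subs[0] != 21:
        return {"kind": "other", "rid": subs[-1] if subs else None}
    if len(subs) != 5:  # 21 + three machine/domain values + RID
        return {"kind": "malformed", "rid": None}
    domain = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
    rid = subs[4]
    if rid in WELL_KNOWN_RIDS:
        label = WELL_KNOWN_RIDS[rid]
    elif rid >= FIRST_USER_RID:
        label = "user-created account or group"
    else:
        label = "reserved/built-in"
    return {"kind": "account", "domain_sid": domain, "rid": rid, "label": label}


def same_domain(sid_a, sid_b):
    """True when two account SIDs share the machine/domain identifier."""
    a, b = describe_sid(sid_a), describe_sid(sid_b)
    return a["kind"] == b["kind"] == "account" and a["domain_sid"] == b["domain_sid"]


if __name__ == "__main__":
    for s in ("S-1-5-21-3350660802-243114697-3461100895-500",
              "S-1-5-21-3350660802-243114697-3461100895-1000",
              "S-1-5-18"):
        print(s, describe_sid(s))
```

When reviewing account lists, sort by RID rather than by name: a renamed built-in account or an unexpected account with a low RID shows up immediately.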

Command 70: How to collect general information about the system

With the psinfo.exe command (from Sysinternals - http://technet.microsoft.com/en-us/sysinternals/bb842062) it is easy to gather basic information about Windows and to generate a simple report about disk space:

C:\Sysinternals>PsInfo.exe -d

PsInfo v1.77 - Local and remote system information viewer
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\EXADATA:
Uptime:                    Error reading uptime
Kernel version:            Windows 7 Ultimate, Multiprocessor Free
Product type:              Professional
Product version:           6.1
Service pack:              0
Kernel build number:       7601
Registered organization:
Registered owner:
IE version:                9.0000
System root:               C:\Windows
Processors:                8
Processor speed:           2.4 GHz
Processor type:            Intel(R) Core(TM) i7-2920XM CPU @
Physical memory:           3314 MB
Video driver:              Intel(R) HD Graphics 3000
Volume Type       Format  Label           Size         Free         Free
    C: Fixed      NTFS                    697.86 GB    62.97 GB      9.0%
    D: CD-ROM                                                        0.0%
    E: CD-ROM                                                        0.0%
    G: Fixed      NTFS    RECOVERY        752.00 MB    520.98 MB    69.3%
    Q: Fixed      NTFS                    120.00 GB    27.70 GB     23.1%

C:\Sysinternals>PsInfo.exe -s | more

PsInfo v1.77 - Local and remote system information viewer
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\EXADATA:
Uptime:                    Error reading uptime
Kernel version:            Windows 7 Ultimate, Multiprocessor Free
Product type:              Professional
Product version:           6.1
Service pack:              0
Kernel build number:       7601
Registered organization:
Registered owner:
IE version:                9.0000
System root:               C:\Windows
Processors:                8
Processor speed:           2.4 GHz
Processor type:            Intel(R) Core(TM) i7-2920XM CPU @
Physical memory:           3314 MB
Video driver:              Intel(R) HD Graphics 3000
Applications:
   AVS Media Player 4.2.1.103 4.2.1.103
   AVS Video Converter 8 8.4.1.540
   Adobe Flash Player 11 Plugin 11.9.900.170
   Adobe Flash Player 12 ActiveX 12.0.0.70
   Adobe Reader X (10.1.9) - Português 10.1.9
   Amazon Kindle
   AnyDVD 7.1.5.0
   Apache/PHP 2.2.22-5.3.10 2.2.22-5.3.10-1
   Bitvise SSH Client 4.60 (remove only)
   Bitvise SSH Server 6.04 (remove only)
   Cisco Packet Tracer 5.3.3
   Cisco WebEx Meetings
   Citrix Online Launcher 1.0.168
   CloneDVD2 2.9.3.0
   D3DX10 15.4.2368.0902
   DSF-KitSetup 1.1.6001.0
   Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
(truncated output)

Command 71: How to obtain RAM information

The Sysinternals suite (http://technet.microsoft.com/en-us/sysinternals/bb842062) includes a tool named RAMMap.exe that helps to understand how physical memory (RAM) is being used. It breaks physical memory down by use (process private, mapped file, shareable, page table, paged and nonpaged pool, driver locked, and so on) and by page list (active, standby, modified, free, zeroed), and can show which files and which processes own the pages:

c:\Sysinternals>RAMMap.exe

Figure 2


Figure 3

Figure 4

Command 72: How to know the load order of drivers and services

A simple utility named LoadOrd.exe from the Sysinternals suite (http://technet.microsoft.com/en-us/sysinternals/bb842062) shows the order in which drivers and services are loaded at boot, together with their start type, group, and tag. A saved listing from a known-good state is a useful baseline: a boot-start driver that was not present before deserves a closer look.

c:\Sysinternals>LoadOrd.exe


Figure 5
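LoadOrd.exe reads its data from the registry, so the listing can be approximated without the tool. The script below is an added example and not the article's or Sysinternals' code; it assumes an elevated local shell and Windows PowerShell 3.0 or later. The function name and its defaults are mine.

```powershell
# Added example (not from the original article): approximate what LoadOrd.exe
# shows by reading the same registry keys it uses. Assumes an elevated shell.
# Start values: 0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled.

function Get-DriverLoadOrder {
    param([int[]]$StartTypes = @(0, 1))   # boot-start and system-start drivers by default

    $ctl = 'HKLM:\SYSTEM\CurrentControlSet\Control'
    # ServiceGroupOrder\List is a REG_MULTI_SZ; position in the list is the load rank.
    $groupList = (Get-ItemProperty "$ctl\ServiceGroupOrder").List
    $groupRank = @{}
    for ($i = 0; $i -lt $groupList.Count; $i++) { $groupRank[$groupList[$i]] = $i }

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.Start -in $StartTypes) {
            $grp  = if ($p.Group) { $p.Group } else { '' }
            # Ungrouped entries and groups missing from the list load after all listed groups.
            $rank = if ($groupRank.ContainsKey($grp)) { $groupRank[$grp] } else { $groupList.Count }
            $tag  = if ($null -ne $p.Tag) { $p.Tag } else { [int]::MaxValue }
            [pscustomobject]@{
                Name      = $_.PSChildName
                Start     = $p.Start
                Group     = $grp
                GroupRank = $rank
                Tag       = $tag
                ImagePath = $p.ImagePath
            }
        }
    } | Sort-Object GroupRank, Tag, Name
}

Get-DriverLoadOrder | Format-Table Name, Start, Group, Tag, ImagePath -AutoSize
```

Two caveats. Inside a group the kernel orders drivers by the tag sequence stored under Control\GroupOrderList, so sorting by the raw Tag value is an approximation that LoadOrd resolves exactly. Auto-start services (Start 2) are started later by the Service Control Manager in dependency order, not by tag, so pass -StartTypes 2 only to list them, not to predict their order.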

Command 73: How to map the virtual memory of a process

The Sysinternals suite (http://technet.microsoft.com/en-us/sysinternals/bb842062) brings another tool, vmmap.exe, that maps the virtual address space of a single process rather than physical RAM. It shows each region with its size, protection, and type: heaps, thread stacks, mapped files, image (DLL and EXE) sections, private data, and so on.

c:\Sysinternals>vmmap.exe

Figure 6
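Both RAMMap (Command 71) and vmmap (Command 73) are GUI tools. For a script or a remote session, the headline numbers they show can be read from the performance counters and from Get-Process. The script below is an added example, not code from the article or from Sysinternals; it assumes English counter names (Get-Counter paths are localized) and Windows 7 / PowerShell 3.0 or later. The function names are mine.

```powershell
# Added example (not from the original article): a command-line view of the
# memory breakdown that RAMMap (system-wide) and vmmap (per process) show.
# Assumes English counter names and Windows 7 / PowerShell 3.0 or later.

function Get-SystemMemoryMap {
    $os = Get-CimInstance Win32_OperatingSystem
    $counters = '\Memory\Available Bytes',
                '\Memory\Committed Bytes',
                '\Memory\Cache Bytes',                 # system working set (mapped files)
                '\Memory\Pool Paged Bytes',
                '\Memory\Pool Nonpaged Bytes',
                '\Memory\Modified Page List Bytes',
                '\Memory\Standby Cache Normal Priority Bytes',
                '\Memory\Free & Zero Page List Bytes'
    # TotalVisibleMemorySize is reported in KB.
    [pscustomobject]@{ Item = 'Total physical (visible to OS)'
                       MB   = [math]::Round($os.TotalVisibleMemorySize / 1KB, 1) }
    foreach ($s in (Get-Counter -Counter $counters).CounterSamples) {
        [pscustomobject]@{ Item = ($s.Path -split '\\')[-1]
                           MB   = [math]::Round($s.CookedValue / 1MB, 1) }
    }
}

function Get-ProcessMemoryMap {
    param([int]$Top = 10)
    # Per-process totals that correspond to vmmap's summary row. vmmap's
    # per-region detail (heap, stack, image, mapped file) is not exposed here.
    Get-Process | Sort-Object WorkingSet64 -Descending | Select-Object -First $Top |
        Select-Object Name, Id,
            @{n='PrivateMB';      e={ [math]::Round($_.PrivateMemorySize64 / 1MB, 1) }},
            @{n='WorkingSetMB';   e={ [math]::Round($_.WorkingSet64 / 1MB, 1) }},
            @{n='VirtualMB';      e={ [math]::Round($_.VirtualMemorySize64 / 1MB, 1) }},
            @{n='PagedPoolKB';    e={ [math]::Round($_.PagedSystemMemorySize64 / 1KB) }},
            @{n='NonpagedPoolKB'; e={ [math]::Round($_.NonpagedSystemMemorySize64 / 1KB) }}
}

Get-SystemMemoryMap  | Format-Table -AutoSize
Get-ProcessMemoryMap | Format-Table -AutoSize
```

A steadily growing nonpaged pool with no matching process growth is the classic sign of a leaking driver; RAMMap's "Driver Locked" row and the per-process nonpaged column above are where to start looking.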


Command 74: How to verify the signature and version of a file

An excellent tool named sigcheck.exe (from the Sysinternals suite - http://technet.microsoft.com/en-us/sysinternals/bb842062) verifies the Authenticode signature of a file (or of every file in a directory). The check is local: sigcheck finds the signature either embedded in the file or in a Windows security catalog (.cat) and validates the certificate chain up to a root trusted by the machine; it does not consult a Microsoft site. It is a first-line check when deciding whether a system binary is the original or has been replaced. Read the result for what it proves: a valid signature from a trusted publisher means the file has not been modified since that publisher signed it, which is not the same as being harmless (stolen signing certificates have been used to sign malware), and an unsigned file is suspicious, not automatically malicious.

The example below runs sigcheck.exe with -a (show extended version information) and -h (show file hashes):

C:\Sysinternals>sigcheck.exe -a -h C:\Windows\explorer.exe

Sigcheck v2.01 - File version and signature viewer
Copyright (C) 2004-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\explorer.exe:
        Verified:       Signed
        Signing date:   16:16 28/02/2011
        Publisher:      Microsoft Windows
        Description:    Windows Explorer
        Product:        Microsoft® Windows® Operating System
        Prod version:   6.1.7600.16385
        File version:   6.1.7600.16385 (win7_rtm.090713-1255)
        MachineType:    64-bit
        Binary Version: 6.1.7601.17567
        Original Name:  EXPLORER.EXE.MUI
        Internal Name:  explorer
        Copyright:      © Microsoft Corporation. All rights reserved.
        Comments:       n/a
        MD5:    332FEAB1435662FC6C672E25BEB37BE3
        SHA1:   5A49D7390EE87519B9D69D3E4AA66CA066CC8255
        PESHA1: B52FEBED7846C884D1E2937109DF1A3D70FF7B92
        PE256:  7C21B488DF6CA3D872EC59E1D4BEB781B42BF4CA226F525FD92283B1D7D1B467
        SHA256: 6BED1A3A956A859EF4420FEB2466C040800EAF01EF53214EF9DAB53AEFF1CFF0

Adding the -i option (show the catalog file and the signer certificate chain) gives the full picture: the catalog in which the signature was found, every certificate in the signer's chain, and the timestamp counter-signer:

C:\Sysinternals>sigcheck.exe -a -h -i C:\Windows\explorer.exe

Sigcheck v2.01 - File version and signature viewer
Copyright (C) 2004-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\explorer.exe:
        Verified:       Signed
        Catalog:        C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1_for_KB2515325~31bf3856ad364e35~amd64~~6.1.1.0.cat
        Signers:
           Microsoft Windows
                Status:         A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
                Valid Usage:    Code Signing, NT5 Crypto
                Serial Number:  61 15 23 0F 00 00 00 00 00 0A
                Thumbprint:     02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4
                Algorithm:      SHA1
                Valid from:     18:57 07/12/2009
                Valid to:       18:57 07/03/2011
           Microsoft Windows Verification PCA
                Status:         Valid
                Valid Usage:    Code Signing, NT5 Crypto
                Serial Number:  61 07 02 DC 00 00 00 00 00 0B
                Thumbprint:     5DF0D7571B0780783960C68B78571FFD7EDAF021
                Algorithm:      SHA1
                Valid from:     18:55 15/09/2005
                Valid to:       19:05 15/03/2016
           Microsoft Root Certificate Authority
                Status:         Valid
                Valid Usage:    All
                Serial Number:  79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
                Thumbprint:     CDD4EEAE6000AC7F40C3802C171E30148030C072
                Algorithm:      SHA1
                Valid from:     20:19 09/05/2001
                Valid to:       20:28 09/05/2021
        Signing date:   16:16 28/02/2011
        Counter Signers:
           Microsoft Time-Stamp Service
                Status:         A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
                Valid Usage:    Timestamp Signing
                Serial Number:  61 03 DC F6 00 00 00 00 00 0C
                Thumbprint:     56E832A33DDC8CF2C916DA7CBB1175CBACABAE2C
                Algorithm:      SHA1
                Valid from:     16:12 25/07/2008
                Valid to:       16:22 25/07/2011
           Microsoft Time-Stamp PCA
                Status:         Valid
                Valid Usage:    Timestamp Signing
                Serial Number:  61 16 68 34 00 00 00 00 00 1C
                Thumbprint:     375FCB825C3DC3752A02E34EB70993B4997191EF
                Algorithm:      SHA1
                Valid from:     09:53 03/04/2007
                Valid to:       10:03 03/04/2021
           Microsoft Root Certificate Authority
                Status:         Valid
                Valid Usage:    All
                Serial Number:  79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
                Thumbprint:     CDD4EEAE6000AC7F40C3802C171E30148030C072
                Algorithm:      SHA1
                Valid from:     20:19 09/05/2001
                Valid to:       20:28 09/05/2021
        Publisher:      Microsoft Windows
        Description:    Windows Explorer
        Product:        Microsoft® Windows® Operating System
        Prod version:   6.1.7600.16385
        File version:   6.1.7600.16385 (win7_rtm.090713-1255)
        MachineType:    64-bit
        Binary Version: 6.1.7601.17567
        Original Name:  EXPLORER.EXE.MUI
        Internal Name:  explorer
        Copyright:      © Microsoft Corporation. All rights reserved.
        Comments:       n/a
        MD5:    332FEAB1435662FC6C672E25BEB37BE3
        SHA1:   5A49D7390EE87519B9D69D3E4AA66CA066CC8255
        PESHA1: B52FEBED7846C884D1E2937109DF1A3D70FF7B92
        PE256:  7C21B488DF6CA3D872EC59E1D4BEB781B42BF4CA226F525FD92283B1D7D1B467
        SHA256: 6BED1A3A956A859EF4420FEB2466C040800EAF01EF53214EF9DAB53AEFF1CFF0

Note the two "not within its validity period" lines: the leaf certificates of the signer and of the timestamp service both expired in 2011, and the per-certificate Status is evaluated against the current clock. The verdict that matters is the first line, Verified: Signed, which still holds because the signature carries a timestamp countersignature proving it was made while those certificates were valid. An expired leaf certificate on a timestamped signature is normal for an old system file; Unsigned, or a hash mismatch, is the signal to act on.
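The same report can be produced for one file or a whole directory with Get-AuthenticodeSignature and Get-FileHash. The script below is an added example, not code from the article or from Sysinternals; it assumes Windows PowerShell 5.1 on Windows 10 or later, where Get-AuthenticodeSignature also recognises catalog-signed files such as explorer.exe (on Windows 7 with PowerShell 2.0, catalog-signed system files report NotSigned even though sigcheck verifies them). The function name is mine.

```powershell
# Added example (not from the original article): a native counterpart of
# "sigcheck -a -h -i" for a file or a directory. Assumes Windows PowerShell 5.1
# on Windows 10+, where catalog signatures are recognised by Get-AuthenticodeSignature.

function Get-FileSignatureReport {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [switch]$Recurse
    )
    # "-Include" needs a wildcard in the path unless -Recurse is given, hence Join-Path '*'.
    $files = if (Test-Path -Path $Path -PathType Container) {
        Get-ChildItem -Path (Join-Path $Path '*') -File -Recurse:$Recurse -Include *.exe,*.dll,*.sys,*.ocx,*.ps1
    } else { Get-Item -Path $Path }

    foreach ($f in $files) {
        $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
        $cert = $sig.SignerCertificate
        $ts   = $sig.TimeStamperCertificate
        $ver  = $f.VersionInfo
        [pscustomobject]@{
            File        = $f.FullName
            Verified    = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer      = if ($cert) { $cert.Subject } else { '' }
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { '' }
            NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
            TimeStamper = if ($ts) { $ts.Subject } else { '' }
            Publisher   = $ver.CompanyName
            Description = $ver.FileDescription
            FileVersion = $ver.FileVersion
            SHA256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            MD5         = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash
        }
    }
}

# Single file, like the explorer.exe example above:
Get-FileSignatureReport -Path "$env:windir\explorer.exe" | Format-List

# Directory triage: anything that is not Valid deserves a closer look, and the
# hashes can be compared with a known-good inventory or a reputation service.
Get-FileSignatureReport -Path "$env:windir\System32" |
    Where-Object { $_.Verified -ne 'Valid' } |
    Format-Table File, Verified, Signer -AutoSize
```

Hashing every file in System32 twice takes a few minutes; drop the MD5 column if only SHA256 is needed. As with sigcheck, HashMismatch (the file was changed after signing) is far more interesting than NotSigned.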

Command 75: How to search for alternate NTFS data streams

Attackers often hide data (text files or binaries) on a compromised system for later use. One way is to store it in an NTFS alternate data stream (ADS): a named stream attached to an existing file that does not appear in a normal directory listing and does not change the size the file reports. The Sysinternals command streams.exe checks whether any file in a directory carries such a stream.

To test the streams.exe command, let's create a text file inside the alexandreborges.pdf file using ADS (Notepad asks whether to create the new file; type some text and save):

C:\Sysinternals> notepad alexandreborges.pdf:hidden_info.txt

Now we can test the streams.exe command:

C:\Sysinternals> streams.exe -s C:\Sysinternals

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Sysinternals\alexandreborges.pdf:
   :hidden_info.txt:$DATA	34
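The whole procedure (create, find, read and remove a stream) can also be done with native cmdlets, which is handy on a host where streams.exe is not available. The script below is an added example, not code from the article or from Sysinternals; it assumes an NTFS volume and Windows PowerShell 3.0 or later (the -Stream parameter). The file and stream names are constructed for the example and the function name is mine.

```powershell
# Added example (not from the original article): hunting alternate data streams
# with built-in cmdlets. Assumes NTFS and Windows PowerShell 3.0+. The demo file
# and stream name below are constructed for this example.

$target = Join-Path $env:TEMP 'ads_demo.txt'
Set-Content -Path $target -Value 'visible content'
# Attach a hidden payload the same way "notepad file:stream" does; the file's
# reported size in a directory listing does not change.
Set-Content -Path $target -Stream 'hidden_info.txt' -Value 'secret note stored in an ADS'

function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [switch]$IncludeZoneIdentifier
    )
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            Get-Item -Path $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object {
                    # ':$DATA' is the file's own unnamed stream. Zone.Identifier is the
                    # mark-of-the-web that browsers write on downloads: usually noise,
                    # so it is filtered out unless explicitly requested.
                    $_.Stream -ne ':$DATA' -and
                    ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
                } |
                ForEach-Object {
                    [pscustomobject]@{ File = $file; Stream = $_.Stream; Bytes = $_.Length }
                }
        }
}

Find-AlternateStreams -Path $env:TEMP | Format-Table -AutoSize

# Read the hidden content, then delete the stream (streams.exe -d does the same).
Get-Content -Path $target -Stream 'hidden_info.txt'
Remove-Item -Path $target -Stream 'hidden_info.txt'
Remove-Item -Path $target
```

In a plain command prompt, "dir /r" also lists named streams next to each file. A stream named after an executable, or one larger than the file it is attached to, is the pattern to look for; a stream can be run directly (for example through wmic or a scripting host), so treat an unexplained one as a finding, not a curiosity.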

Alexandre Borges.
