SANS Command Line Cheat Sheet
By Ed Skoudis

Adding Keys and Values:
C:\> reg add [\\TargetIPaddr\][RegDomain]\[Key]
Import and export can only be done from or to the local machine.

Query for a specific Value of a Key:
C:\> reg query [\\TargetIPaddr\][RegDomain]\[Key] /v [ValueName]
Query a key on machine [TargetIPaddr] within the registry domain [RegDomain] in location [Key] and get the specific value [ValueName] under that key. Add /s to recurse all values.

Fundamental grammar:
C:\> wmic [alias] [where clause] [verb clause]

List all attributes of [alias]:
C:\> wmic [alias] get /?

List all callable methods of [alias]:
C:\> wmic [alias] call /?

Example:
List all attributes of all running processes:
C:\> wmic process list full

Make WMIC affect remote [TargetIPaddr]:
C:\> wmic /node:[TargetIPaddr] /user:[User] /password:[Passwd] process list full

List all processes currently running which have the specified [dll] loaded:
C:\> tasklist /m [dll]

List all processes currently running and the services hosted in those processes:
C:\> tasklist /svc

Query brief status of all services:
C:\> sc query

Query the configuration of a specific service:
C:\> sc qc [ServiceName]

Shutdown and Restart

Shutdown Windows immediately:
C:\> shutdown /s /t 0
Note: Command may not power down the hardware.

Restart Windows immediately:
C:\> shutdown /r /t 0

Abort shutdown/restart countdown:
C:\> shutdown /a

Useful Netstat Syntax

Show all TCP and UDP port usage and process ID:
C:\> netstat -nao

Look for usage of port [port] every [N] seconds:
C:\> netstat -nao [N] | find [port]

Dump detailed protocol statistics:
C:\> netstat -s -p [tcp|udp|ip|icmp]

Installing Built-in Packages on Vista

Install telnet service on Vista:
C:\> pkgmgr /iu:"TelnetServer"

Install telnet client on Vista:
C:\> pkgmgr /iu:"TelnetClient"

Install IIS on Vista:
C:\> pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI

To remove any of these packages, replace install update (/iu) with uninstall update (/uu).

File Search and Counting Lines

Search directory structure for a file in a specific directory:
C:\> dir /b /s [Directory]\[FileName]

Count the number of lines on StandardOut of [Command]:
C:\> [Command] | find /c /v ""
Finds the count (/c) of lines that do not contain (/v) nothing (""). Lines that do not have nothing are all lines, even blank lines, which contain CR/LF.

Command Line FOR Loops

Counting Loop:
C:\> for /L %i in ([start],[step],[stop]) do [command]
Set %i to an initial value of [start] and increment it by [step] at every iteration until its value is equal to [stop]. For each iteration, run [command]. The iterator variable %i can be used anywhere in the command to represent its current value.

Iterate over file contents:
C:\> for /F %i in ([file-set]) do [command]
Iterate through the contents of the file on a line-by-line basis. For each iteration, store the contents of the line into %i and run [command].

Invoking Useful GUIs at the Command Line

Local User Manager (includes group management):
C:\> lusrmgr.msc

Services Control Panel:
C:\> services.msc

Task Manager:
C:\> taskmgr.exe

Security Policy Manager:
C:\> secpol.msc

Event Viewer:
C:\> eventvwr.msc

Control Panel:
C:\> control

Close GUI windows by hitting Alt-F4

Interacting with the Network Using Netsh

Turn off built-in Windows firewall:
C:\> netsh firewall set opmode disable

Configure interface “Local Area Connection” with [IPaddr] [Netmask] [DefaultGW]:
C:\> netsh interface ip set address local static [IPaddr] [Netmask] [DefaultGW] 1

Configure DNS server for “Local Area Connection”:
C:\> netsh interface ip set dns local static [IPaddr]

Configure interface to use DHCP:
C:\> netsh interface ip set address local dhcp
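
An added example (not part of the original cheat sheet) that combines the two loop forms from "Command Line FOR Loops" with tasklist /m, netstat -nao and find /c from this sheet, written as a batch file, where the loop variable is %%i rather than the %i used at the prompt. The DLL names, the file name dll-watch.txt and port 3389 are constructed sample values; the usebackq option and the ping delay are standard cmd.exe idioms that the sheet does not list.

```bat
@echo off
rem Added example, not from the original cheat sheet.
rem Inside a .bat file the loop variable is %%i; at the prompt it is %i.
setlocal

rem Constructed sample input: one DLL name per line.
set "LIST=%TEMP%\dll-watch.txt"
> "%LIST%" echo ws2_32.dll
>> "%LIST%" echo wininet.dll

rem for /F runs one iteration per line of the file.
rem usebackq lets the file name be quoted, so a path with spaces still works.
for /F "usebackq" %%i in ("%LIST%") do (
    echo === processes with %%i loaded ===
    tasklist /m %%i
)

rem for /L with (start,step,stop) = (1,1,3) runs exactly three times.
rem "netstat -nao [N]" alone repeats until Ctrl-C; the counting loop bounds it.
for /L %%n in (1,1,3) do (
    echo --- sample %%n: netstat lines containing :3389 ---
    rem find /c prints only the count of matching lines.
    rem The match is a plain substring, so :33890 would also be counted.
    netstat -nao | find /c ":3389"
    rem Wait roughly five seconds between samples.
    ping -n 6 127.0.0.1 > nul
)

del "%LIST%"
endlocal
```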