ALEXANDRE BORGES - BLOG
Windows CLI and Tools – Part 2
Author: Alexandre Borges
Revision: A.1
Website: http://alexandreborges.org
This second part of the series brings additional useful commands that can be used in daily
administration (and, as it turns out, in incident triage):
Command 57: How to get a list of processes and associated network information
The tcpvcon.exe tool (from the Sysinternals suite - http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx)
is the console version of TCPView. It shows every process and its TCP/UDP endpoints on a Windows
system; by default only established TCP connections are listed, and -a shows all endpoints,
including listening ports:
C:\Sysinternals>Tcpvcon.exe -a
TCPView v3.01 - TCP/UDP endpoint viewer
Copyright (C) 1998-2010 Mark Russinovich and Bryce Cogswell
Sysinternals - www.sysinternals.com
[TCP] googledrivesync.exe
PID: 2692
State: ESTABLISHED
Local: exadata.example.com
Remote: qc-in-f125.1e100.net
[TCP] googledrivesync.exe
PID: 2692
State: ESTABLISHED
Local: exadata.example.com
Remote: qc-in-f125.1e100.net
[TCP] chrome.exe
PID: 2836
State: ESTABLISHED
Local: exadata.example.com
Remote: qc-in-f125.1e100.net
[TCP] AvastSvc.exe
PID: 1920
State: ESTABLISHED
Local: exadata.example.com
Remote: r-051-044-234-077.ff.avast.com
[TCP] vmware.exe
PID: 9508
State: ESTABLISHED
Local: EXADATA
Remote: localhost
[TCP] vmware.exe
PID: 9508
State: CLOSE_WAIT
Local: exadata.example.com
Remote: a23-199-243-51.deploy.static.akamaitechnologies.com
[TCP] vmnat.exe
PID: 4464
State: CLOSE_WAIT
Local: exadata.example.com
Remote: 69.31.75.226
[TCP] vmnat.exe
PID: 4464
State: ESTABLISHED
Local: exadata.example.com
Remote: exadata.example.com
(truncated output)
Tcpvcon.exe can also export its output as CSV (-c), which is easy to import into Excel. Add -n to
skip reverse DNS lookups: the hostnames shown above were resolved at display time, which is slow
and sends one query per endpoint to the configured DNS server, something you may not want on a
machine under investigation:
C:\Sysinternals>Tcpvcon.exe -a -c > list_conn.csv
Figure 1
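The same process-to-endpoint mapping can be built without Sysinternals at all. The following is an added example (not from the original post) that parses netstat -ano and joins it to Get-Process; it goes a step beyond the page by adding a triage filter for endpoints owned by binaries in user-writable locations. The regular expression, the function names and the "user-writable" pattern are my own assumptions; netstat -ano is used rather than Get-NetTCPConnection because the latter needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post): map every TCP/UDP endpoint to its
# owning process with built-in tools only, for boxes where Sysinternals is not
# present. Assumption: run from an elevated prompt, otherwise the image path of
# processes owned by other users is not readable and is reported as empty.

function Get-EndpointOwner {
    # Cache process name and path once instead of calling Get-Process per line.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    # netstat -ano lines look like:
    #   TCP    192.0.2.10:49731   203.0.113.5:443   ESTABLISHED   2836
    #   UDP    0.0.0.0:5355       *:*                             1096
    # Header and blank lines do not match the pattern and are skipped.
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$') {
            $ownerPid = [int]$Matches[7]
            $p = $procs[$ownerPid]
            [pscustomobject]@{
                Proto      = $Matches[1]
                LocalAddr  = $Matches[2]
                LocalPort  = [int]$Matches[3]
                RemoteAddr = $Matches[4]
                RemotePort = $Matches[5]
                State      = $Matches[6]          # empty for UDP
                PID        = $ownerPid
                Process    = if ($p) { $p.ProcessName } else { '<exited>' }
                Path       = if ($p) { $p.Path } else { $null }
            }
        }
    }
}

function Find-SuspiciousEndpoint {
    # Triage filter (assumption, tune it to your environment): endpoints owned by
    # a binary in a user-writable location, plus endpoints whose owner is already
    # gone (short-lived tools, or a PID that no longer resolves).
    $userWritable = '(?i)\\(AppData|Temp|Users\\Public|ProgramData)\\'
    Get-EndpointOwner | Where-Object {
        $_.Process -eq '<exited>' -or ($_.Path -and $_.Path -match $userWritable)
    }
}

# Full table, like tcpvcon -a:
Get-EndpointOwner | Sort-Object Process, Proto | Format-Table -AutoSize
# Leads to verify:
Find-SuspiciousEndpoint | Format-Table Proto, LocalPort, RemoteAddr, State, Process, Path -AutoSize
# Same CSV workflow as tcpvcon -a -c:
Get-EndpointOwner | Export-Csv -NoTypeInformation -Path list_conn.csv
```

The filter produces leads, not verdicts: Dropbox, for instance, legitimately runs from AppData\Roaming (as the handle.exe output in the next command shows), so each hit still needs its signature and hash checked.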
Command 58: How to determine which resources are associated with a process
Sometimes we need to know every resource (files, registry keys, sections and other kernel objects)
a process holds a handle to, and handle.exe from Sysinternals is the right tool. The -p option
accepts a process name or PID; -a dumps all handle types instead of only files, and
handle.exe <name fragment> searches every process for handles whose name matches, which answers
the common question of which process is holding a file open:
C:\Sysinternals>handle.exe -p Dropbox.exe
Handle v3.51
Copyright (C) 1997-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
Dropbox.exe pid: 1484 EXADATA\Administrator
14: File (RW-) C:\Windows
20: File (RW-) C:\Windows\SysWOW64
24: File (RW-) C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57
1C4: File (R-D) C:\Windows\SysWOW64\en-US\KernelBase.dll.mui
1C8: File (RW-) C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36
1CC: File (RW-) C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
220: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
2FC: Section \BaseNamedObjects\__ComCatalogCache__
308: Section \BaseNamedObjects\__ComCatalogCache__
3D8: File (RW-) C:\Users\Administrator\AppData\Roaming\Dropbox\notifications.dbx
408: File (R-D) C:\Windows\SysWOW64\wbem\wbemdisp.tlb
494: File (RW-) C:\Users\Administrator\AppData\Roaming\Dropbox\photo.dbx
4D8: File (RW-) C:\Users\Administrator\AppData\Roaming\DropboxMaster\instance.dbx
4DC: File (RW-) C:\Users\ADMINI~1\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpwvlmpb.lck
588: File (RW-) C:\Users\Administrator\AppData\Roaming\Dropbox\config.dbx
5BC: File (R-D) C:\Windows\SysWOW64\FirewallAPI.dll
5C4: File (R-D) C:\Windows\SysWOW64\stdole2.tlb
698: Section \Sessions\1\BaseNamedObjects\libcef_5458814812778194973
70C: File (RWD) C:\Windows\System32\drivers\etc
7D0: File (R-D) C:\Windows\Fonts\StaticCache.dat
8EC: File (RW-) C:\Users\Administrator\AppData\Roaming\Dropbox\sigstore.dbx
8F8: File (RW-) C:\Users\Administrator\AppData\Roaming\Dropbox\filecache.dbx
9E0: File (RW-) C:\Users\Administrator\AppData\Roaming\Dropbox\TO_HASH_mwg23a
BF0: File (RW-) C:\Users\Administrator\AppData\Roaming\Dropbox\deleted.dbx
C5C: File (RW-) C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
C60: File (RW-) C:\Users\Administrator\Dropbox
Command 59: How to detect a network interface card (NIC) working in promiscuous mode
To determine which NICs are in promiscuous mode (the usual sign of a packet sniffer bound to the
interface) we can use PromiscDetect (http://ntsecurity.nu/toolbox/promiscdetect/). It reports
the NDIS packet filter currently set on each adapter; a sniffing adapter shows an additional
Promiscuous entry in its filter list, while the clean adapters below show only Directed,
Multicast and Broadcast. Adapters the tool cannot open (typically wireless and USB tethering
adapters, whose drivers do not expose this mode) produce a warning instead, so for those the
result says nothing either way. The check is local: a capture on a SPAN port, a tap or the
hypervisor leaves no trace on the host's adapters.
C:\Users\Administrator\Desktop\Forensic_Study>promiscdetect.exe
PromiscDetect 1.0 - (c) 2002, Arne Vidstrom
(arne.vidstrom@ntsecurity.nu)
- http://ntsecurity.nu/toolbox/promiscdetect/
Adapter name:
- Intel(R) 82579LM Gigabit Network Connection
Active filter for the adapter:
- Directed (capture packets directed to this computer)
- Multicast (capture multicast packets for groups the computer is a member of)
- Broadcast (capture broadcast packets)
Adapter name:
- Intel(R) Centrino(R) Ultimate-N 6300 AGN
Active filter for the adapter:
- Directed (capture packets directed to this computer)
- Multicast (capture multicast packets for groups the computer is a member of)
- Broadcast (capture broadcast packets)
Adapter name:
- Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter
Warning: Cannot open the adapter
Adapter name:
- SAMSUNG Mobile USB Remote NDIS Network Device
Warning: Cannot open the adapter
Adapter name:
- VirtualBox Host-Only Ethernet Adapter
Active filter for the adapter:
- Directed (capture packets directed to this computer)
- Multicast (capture multicast packets for groups the computer is a member of)
- Broadcast (capture broadcast packets)
Command 60: How to list, disable and enable applications (programs, DLLs, services, codecs, etc.)
which will be started at the next boot
Doubtless, the best tools for this task are Autoruns (autoruns.exe, GUI) and Autorunsc
(autorunsc.exe, console) from Sysinternals. Personally, I like the options -v (verify digital
signatures) and -m (hide signed Microsoft entries), so that only third-party and unverifiable
entries remain to be reviewed. The flags below are those of the 2013 release; in Autoruns v13
and later, -s verifies signatures and -v instead queries VirusTotal, so check autorunsc -? before
putting it in a script:
c:\Sysinternals>autorunsc.exe -v -m | more
Autostart program viewer
Copyright (C) 2002-2013 Mark Russinovich and Bryce Cogswell
Sysinternals - www.sysinternals.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry last modified: 25/01/2014 22:23
[DISABLED] NVHotkey
rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
NVIDIA Hotkey Service, Version 268.83
(Verified) NVIDIA Corporation
8.17.12.6883
c:\windows\system32\nvhotkey.dll
05/06/2011 08:36
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Entry last modified: 07/03/2014 13:39
ZoneAlarm
"C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"
ZoneAlarm
(Verified) Check Point Software Technologies Ltd.
12.0.104.0
c:\program files (x86)\checkpoint\zonealarm\zatray.exe
26/10/2013 03:05
SDTray
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
Spybot - Search & Destroy tray access
(Verified) Safer Networking Ltd.
2.0.12.127
c:\program files (x86)\spybot - search & destroy 2\sdtray.exe
13/11/2012 10:08
VirtualCloneDrive
"C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
Virtual CloneDrive Daemon
(Verified) Elaborate Bytes AG
5.4.5.1
c:\program files (x86)\elaborate bytes\virtualclonedrive\vcddaemon.exe
10/03/2013 14:08
vmware-tray.exe
"C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
VMware Tray Process
(Verified) VMware
10.0.1.41495
c:\program files (x86)\vmware\vmware workstation\vmware-tray.exe
18/10/2013 15:49
(truncated output)
As a complement, the GUI version (autoruns.exe) shows the same entries grouped by category and
lets you disable or delete them in place:
Figure 2
As with Tcpvcon, the output can be saved to a CSV file (-c) and imported into Excel, which is
the easiest way to diff the autostart entries of a machine against a known-good baseline:
c:\Sysinternals>autorunsc.exe -v -m -c > autoruns_list.csv
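To show what -v -m actually does, here is an added example (not from the original post and not Autoruns code) that audits the classic Run/RunOnce keys with built-in cmdlets and hides entries that are validly signed by Microsoft. It covers only those keys, whereas Autoruns covers services, drivers, scheduled tasks, WMI, shell extensions and much more; the function names, the command-line parsing rules and the "O=Microsoft Corporation" signer test are my own assumptions.

```powershell
# Added example (not from the original post): audit HKLM/HKCU Run keys, verify the
# Authenticode signature of each target and keep what autorunsc -v -m would keep.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePathFromCommand {
    param([string]$Command)
    # Run values look like:  "C:\Program Files\X\x.exe" /s   or   rundll32.exe C:\dir\a.dll,Start
    # Take the quoted token, else the first token (an unquoted path with spaces is
    # not resolved here and is reported as FileMissing). For rundll32 the file that
    # matters is the DLL argument, so that is returned instead of rundll32.exe.
    $cmd = $Command.Trim()
    if ($cmd -match '^"([^"]+)"\s*(.*)$')   { $exe = $Matches[1]; $rest = $Matches[2] }
    elseif ($cmd -match '^(\S+)\s*(.*)$')    { $exe = $Matches[1]; $rest = $Matches[2] }
    else { return $null }
    if ($exe -match '(?i)(^|\\)rundll32(\.exe)?$' -and $rest -match '^"?([^",]+)') {
        $exe = $Matches[1]
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe)) {
        # Bare names (rundll32.exe, ctfmon.exe) resolve through PATH.
        $app = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($app) { $exe = $app.Path }
    }
    return $exe
}

function Get-RunKeyAudit {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -eq '') { continue }              # the (Default) value
            $cmd  = [string]$item.GetValue($name)
            $path = Get-ImagePathFromCommand $cmd
            $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                        Get-AuthenticodeSignature -LiteralPath $path
                    } else { $null }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Command   = $cmd
                ImagePath = $path
                Status    = if ($sig) { $sig.Status } elseif ($path) { 'FileMissing' } else { 'Unparsed' }
                Microsoft = [bool]($signer -match 'O=Microsoft Corporation')
                Signer    = $signer
            }
        }
    }
}

# Like autorunsc -v -m: hide entries that are validly signed by Microsoft, show the rest.
# Anything NotSigned, HashMismatch or FileMissing (a dangling entry an attacker could
# claim by dropping a file at that path) deserves a look.
Get-RunKeyAudit |
    Where-Object { -not ($_.Status -eq 'Valid' -and $_.Microsoft) } |
    Format-Table Name, Status, Signer, ImagePath -AutoSize
```

On PowerShell 5.1 (Windows 10) Get-AuthenticodeSignature also checks catalog signatures; on older builds, catalog-signed OS binaries are reported as NotSigned, so expect noise there that Autoruns' own verification does not produce.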
Command 61: How to dump the Event log
Managing event logs on a Windows system is critical, and there are good tools for dumping them.
One of them is psloglist.exe (from the Sysinternals suite -
http://technet.microsoft.com/en-us/sysinternals/bb842062). The System log is read by default; a
different log is selected by name (for example psloglist security, which needs administrative
rights). To dump the last day of events (-d):
C:\Sysinternals>psloglist.exe -d 1 | more
PsLoglist v2.71 - local and remote event log viewer
Copyright (C) 2000-2009 Mark Russinovich
Sysinternals - www.sysinternals.com
System log on \\EXADATA:
[209298] Service Control Manager
Type: INFORMATION
Computer: EXADATA
Time: 16/03/2014 19:20:34 ID: 7036
The Application Experience service entered the running state.
[209297] Service Control Manager
Type: INFORMATION
Computer: EXADATA
Time: 16/03/2014 19:19:35 ID: 7036
The Windows Modules Installer service entered the stopped state.
[209296] Service Control Manager
Type: INFORMATION
Computer: EXADATA
Time: 16/03/2014 19:19:33 ID: 7040
User: NT AUTHORITY\SYSTEM
The start type of the Windows Modules Installer service was changed
from auto start to demand start.
(truncated output)
Finer-grained, -m shows only the events of the last 60 minutes. Note the DNS-Client warning for
wpad.example.com in the output below: a host that keeps looking up wpad.<domain> and gets no
answer is exactly the situation LLMNR/NBT-NS poisoning tools exploit, so it is worth knowing
which hosts emit it:
C:\Sysinternals>psloglist.exe -m 60 | more
PsLoglist v2.71 - local and remote event log viewer
Copyright (C) 2000-2009 Mark Russinovich
Sysinternals - www.sysinternals.com
System log on \\EXADATA:
[209299] Microsoft-Windows-DNS-Client
Type: WARNING
Computer: EXADATA
Time: 16/03/2014 19:29:29 ID: 1014
User: NT AUTHORITY\NETWORK SERVICE
Name resolution for the name wpad.example.com timed out after none of the configured DNS servers responded.
[209298] Service Control Manager
Type: INFORMATION
Computer: EXADATA
Time: 16/03/2014 19:20:34 ID: 7036
The Application Experience service entered the running state.
[209297] Service Control Manager
Type: INFORMATION
Computer: EXADATA
Time: 16/03/2014 19:19:35 ID: 7036
The Windows Modules Installer service entered the stopped state.
(truncated output)
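The psloglist -m 60 query above, done with Get-WinEvent and narrowed to the Service Control Manager events that matter in an intrusion timeline, is shown below as an added example (not from the original post). Event IDs 7036, 7040 and 7045 are the documented SCM events (state change, start type change, new service installed); the function name, the field mapping and the remote-query splat are my own assumptions.

```powershell
# Added example (not from the original post): recent service events from the System
# log, with the structured EventData fields pulled out of the event XML.

function Get-RecentServiceEvents {
    param(
        [int]$Minutes = 60,
        [int[]]$Id = @(7045, 7040, 7036),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'System'
        Id        = $Id
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }
    # Only pass -ComputerName for a remote host (local queries do not need RPC).
    $target = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $target = @{ ComputerName = $ComputerName } }

    # Get-WinEvent raises an error (not an empty result) when nothing matches.
    Get-WinEvent @target -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Field names live in the event XML, not in the rendered message.
        # 7045 carries ServiceName, ImagePath, ServiceType, StartType, AccountName;
        # 7036/7040 use positional param1.. fields.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Level     = $_.LevelDisplayName
            Service   = if ($data.ContainsKey('ServiceName')) { $data['ServiceName'] } else { $data['param1'] }
            ImagePath = $data['ImagePath']      # 7045 only
            Account   = $data['AccountName']    # 7045 only
            Message   = ("$($_.Message)" -split '\r?\n')[0]
        }
    }
}

# The last hour, like psloglist -m 60, but only service-related events:
Get-RecentServiceEvents -Minutes 60 | Format-Table Time, Id, Service, Message -AutoSize

# New services installed in the last day. Lateral-movement tools leave 7045
# entries behind (PsExec registers PSEXESVC, for instance), so review every row.
Get-RecentServiceEvents -Minutes 1440 -Id 7045 |
    Format-Table Time, Service, ImagePath, Account -AutoSize
```

A 7040 entry that flips a security service (Windows Defender, the firewall, the event log itself) to "disabled", as the sample shows for the Modules Installer, is the other row type worth alerting on.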
Command 62: How to list DLLs
listdlls.exe (from the Sysinternals suite - http://technet.microsoft.com/en-us/sysinternals/bb842062)
reports the DLLs each process has loaded, with their base address, size and path. Usually the
first step is to run it without arguments, which covers every process:
C:\Sysinternals>Listdlls.exe | more
ListDLLs v3.1 - List loaded DLLs
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
smss.exe pid: 436
Command line: \SystemRoot\System32\smss.exe
Base Size Path
0x0000000047660000 0x20000 C:\Windows\System32\smss.exe
0x0000000077240000 0x1a9000 C:\Windows\SYSTEM32\ntdll.dll
------------------------------------------------------------------------------
csrss.exe pid: 628
Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Base Size Path
0x0000000049b70000 0x6000 C:\Windows\system32\csrss.exe
0x0000000077240000 0x1a9000 C:\Windows\SYSTEM32\ntdll.dll
0x00000000fd070000 0x13000 C:\Windows\system32\CSRSRV.dll
0x00000000fd050000 0x11000 C:\Windows\system32\basesrv.DLL
0x00000000fd010000 0x38000 C:\Windows\system32\winsrv.DLL
0x0000000077020000 0xfa000 C:\Windows\system32\USER32.dll
0x00000000fe8f0000 0x67000 C:\Windows\system32\GDI32.dll
0x0000000077120000 0x11f000 C:\Windows\SYSTEM32\kernel32.dll
0x00000000fd1b0000 0x6b000 C:\Windows\system32\KERNELBASE.dll
0x00000000fe7d0000 0xe000 C:\Windows\system32\LPK.dll
0x00000000fd970000 0xc9000 C:\Windows\system32\USP10.dll
0x00000000ff4b0000 0x9f000 C:\Windows\system32\msvcrt.dll
0x00000000fd000000 0xc000 C:\Windows\system32\sxssrv.DLL
0x00000000fcef0000 0x91000 C:\Windows\system32\sxs.dll
0x00000000fd5a0000 0x12d000 C:\Windows\system32\RPCRT4.dll
0x00000000fcee0000 0xf000 C:\Windows\system32\CRYPTBASE.dll
0x00000000fd420000 0xdb000 C:\Windows\system32\ADVAPI32.dll
0x00000000ff310000 0x1f000 C:\Windows\SYSTEM32\sechost.dll
------------------------------------------------------------------------------
wininit.exe pid: 704
Command line: wininit.exe
Base Size Path
0x00000000ff8f0000 0x23000 C:\Windows\system32\wininit.exe
0x0000000077240000 0x1a9000 C:\Windows\SYSTEM32\ntdll.dll
0x0000000077120000 0x11f000 C:\Windows\system32\kernel32.dll
(truncated output)
Other options are worth trying. A process name or PID restricts the listing to that process;
-d <dll> does the reverse and lists every process that has a given DLL loaded (handy to find all
victims of one injected DLL), and -u lists only unsigned DLLs. For example, to see the DLLs
loaded by winlogon.exe:
C:\Sysinternals>Listdlls.exe winlogon.exe
ListDLLs v3.1 - List loaded DLLs
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
winlogon.exe pid: 1016
Command line: winlogon.exe
Base Size Path
0x00000000ffae0000 0x62000 C:\Windows\system32\winlogon.exe
0x0000000077240000 0x1a9000 C:\Windows\SYSTEM32\ntdll.dll
0x0000000077120000 0x11f000 C:\Windows\system32\kernel32.dll
0x00000000fd1b0000 0x6b000 C:\Windows\system32\KERNELBASE.dll
0x0000000077020000 0xfa000 C:\Windows\system32\USER32.dll
0x00000000fe8f0000 0x67000 C:\Windows\system32\GDI32.dll
0x00000000fe7d0000 0xe000 C:\Windows\system32\LPK.dll
0x00000000fd970000 0xc9000 C:\Windows\system32\USP10.dll
0x00000000ff4b0000 0x9f000 C:\Windows\system32\msvcrt.dll
0x00000000fc250000 0x3d000 C:\Windows\system32\WINSTA.dll
0x00000000fd5a0000 0x12d000 C:\Windows\system32\RPCRT4.dll
0x00000000fd930000 0x2e000 C:\Windows\system32\IMM32.DLL
0x00000000fe7e0000 0x109000 C:\Windows\system32\MSCTF.dll
0x00000000fcfb0000 0x3c000 C:\Windows\system32\nvinitx.dll
0x00000000fd420000 0xdb000 C:\Windows\system32\ADVAPI32.dll
0x00000000ff310000 0x1f000 C:\Windows\SYSTEM32\sechost.dll
0x00000000fcff0000 0xf000 C:\Windows\system32\profapi.dll
0x00000000fcf90000 0x14000 C:\Windows\system32\RpcRtRemote.dll
0x00000000fce80000 0x57000 C:\Windows\system32\apphelp.dll
0x00000000fa170000 0xa000 C:\Windows\system32\UXINIT.dll
0x00000000fb480000 0x56000 C:\Windows\system32\UxTheme.dll
0x00000000fc880000 0x17000 C:\Windows\system32\CRYPTSP.dll
0x00000000fc580000 0x47000 C:\Windows\system32\rsaenh.dll
0x00000000fcee0000 0xf000 C:\Windows\system32\CRYPTBASE.dll
0x00000000faca0000 0x161000 C:\Windows\system32\WindowsCodecs.dll
0x00000000fed40000 0x203000 C:\Windows\system32\ole32.dll
0x00000000fc470000 0x15000 C:\Windows\system32\wkscli.dll
0x00000000fc990000 0x32000 C:\Windows\system32\netjoin.dll
0x00000000fc490000 0xc000 C:\Windows\system32\netutils.dll
0x00000000fce50000 0x25000 C:\Windows\system32\SspiCli.dll
0x00000000fab90000 0xb000 C:\Windows\system32\slc.dll
0x00000000f87e0000 0x18000 C:\Windows\system32\MPR.dll
0x00000000fca50000 0x2f000 C:\Windows\system32\AUTHZ.dll
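The security question behind listdlls is "is anything loaded that should not be?". The following is an added example (not from the original post and not Sysinternals code) that lists a process's modules in the same base/size/path layout and flags those that are unsigned or loaded from outside %SystemRoot% and Program Files, the usual signs of DLL injection or search-order hijacking. The function name and the "trusted roots" list are my assumptions; it needs an elevated prompt to read processes owned by other users, and should be run from a PowerShell of the same bitness as the target for a complete list.

```powershell
# Added example (not from the original post): loaded-module audit for one process name.

function Get-ModuleAudit {
    param([Parameter(Mandatory)][string]$ProcessName)   # e.g. winlogon, explorer

    # Locations from which Windows and installed software legitimately load code
    # (assumption; extend for your own software directories).
    $roots   = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $trusted = '(?i)^(' + (($roots | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\\'
    $sigCache = @{}   # a DLL shared by many processes is verified once

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        # Reading .Modules throws on access denied; report and move on.
        $mods = try { $proc.Modules } catch { Write-Warning "PID $($proc.Id): $_"; @() }
        foreach ($m in $mods) {
            $path = $m.FileName
            if (-not $sigCache.ContainsKey($path)) {
                $sigCache[$path] = (Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue).Status
            }
            [pscustomobject]@{
                PID       = $proc.Id
                Process   = $proc.ProcessName
                Base      = '0x{0:x16}' -f $m.BaseAddress.ToInt64()
                Size      = '0x{0:x}'   -f $m.ModuleMemorySize
                Path      = $path
                Signature = $sigCache[$path]
                InTrusted = [bool]($path -match $trusted)
            }
        }
    }
}

# Everything winlogon has loaded, in listdlls layout:
Get-ModuleAudit winlogon | Format-Table Base, Size, Path -AutoSize

# The interesting subset: unsigned, or loaded from an untrusted location.
Get-ModuleAudit winlogon |
    Where-Object { $_.Signature -ne 'Valid' -or -not $_.InTrusted } |
    Format-Table PID, Path, Signature, InTrusted -AutoSize
```

In the listing above, nvinitx.dll inside winlogon.exe is exactly the kind of third-party module this view surfaces: legitimate here (a vendor display driver component), but the same slot is what a credential-stealing DLL would occupy, so the signature, not the file name, is what to trust. As with the Run-key audit, older PowerShell builds report catalog-signed OS DLLs as NotSigned.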
Command 63: How to find local and remote logged-on users
PsLoggedon.exe (from the Sysinternals suite - http://technet.microsoft.com/en-us/sysinternals/bb842062)
lists the users logged on locally and those connected through resource shares (network logons),
on the local or a remote machine. It finds local logons by scanning HKEY_USERS for loaded
profiles, so an account whose profile was loaded by a service or scheduled task is reported
too:
C:\Sysinternals>PsLoggedon.exe
PsLoggedon v1.34 - See who's logged on
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
Users logged on locally:
14/03/2014 17:33:08 EXADATA\Administrator
No one is logged on via resource shares.
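The same question asked of CIM, as an added example (not from the original post and not Sysinternals code): Win32_LoggedOnUser is joined to Win32_LogonSession, which records the logon type, so console (2), network/SMB (3), service (5), unlock (7), RDP (10) and cached (11) sessions are told apart, which PsLoggedon does not do. The function name and the logon-type table are my assumptions; remote use assumes WinRM is enabled and you are an administrator on the target.

```powershell
# Added example (not from the original post): logon sessions with their type.

$logonType = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LogonSessions {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Local queries go through COM; -ComputerName forces WinRM, which may be off,
    # so it is only passed for a remote host.
    $target = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $target = @{ ComputerName = $ComputerName } }

    $sessions = @{}
    Get-CimInstance -ClassName Win32_LogonSession @target | ForEach-Object { $sessions[$_.LogonId] = $_ }

    Get-CimInstance -ClassName Win32_LoggedOnUser @target | ForEach-Object {
        $s = $sessions[$_.Dependent.LogonId]
        [pscustomobject]@{
            User    = '{0}\{1}' -f $_.Antecedent.Domain, $_.Antecedent.Name
            LogonId = $_.Dependent.LogonId
            Type    = $logonType[[int]$s.LogonType]
            Started = $s.StartTime
            AuthPkg = $s.AuthenticationPackage   # NTLM vs Kerberos vs Negotiate
        }
    } | Sort-Object Started
}

# Human logons only (console, RDP, SMB), roughly the view PsLoggedon gives:
Get-LogonSessions |
    Where-Object { $_.Type -in 'Interactive', 'RemoteInteractive', 'Network', 'Unlock' } |
    Format-Table User, Type, Started, AuthPkg -AutoSize
```

A NewCredentials (9) session is runas /netonly or an equivalent, and a Network session authenticated with NTLM from an account that normally uses Kerberos is worth a second look; neither is visible in PsLoggedon's output.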
Command 64: How to use Tlist.exe command
tlist.exe is not installed by default; it ships with the Debugging Tools for Windows (WinDbg),
which can be downloaded as part of the Windows SDK/WDK for Windows 7 or 8 from
http://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx.
A first use of tlist.exe is -s, which shows the services hosted by each process. It is a quick
way to check that every svchost.exe instance actually hosts something and that no service runs
in an unexpected image:
C:\Program Files\Debugging Tools for Windows (x64)> tlist -s | more
0 System Process
4 System
436 smss.exe
628 csrss.exe
704 wininit.exe
724 csrss.exe
776 services.exe
784 lsass.exe Svcs: KeyIso,ProtectedStorage,SamSs
792 lsm.exe
892 svchost.exe Svcs: DcomLaunch,PlugPlay,Power
968 nvvsvc.exe Svcs: NVSvc
992 GbpSv.exe Svcs: GbpSv
1016 winlogon.exe
592 svchost.exe Svcs: RpcEptMapper,RpcSs
728 svchost.exe Svcs: AudioSrv,Dhcp,eventlog,lmhosts,wscsvc
1060 svchost.exe Svcs: AudioEndpointBuilder,CscService,IPBusEnum,Netman,PcaSvc,SysMain,TrkWks,UxSms,Wlansvc,wudfsvc
1096 svchost.exe Svcs: EventSystem,fdPHost,FontCache,netprofm,nsi,WdiServiceHost,WinHttpAutoProxySvc
1120 svchost.exe Svcs: AeLookupSvc,Appinfo,BITS,Browser,CertPropSvc,EapHost,gpsvc,IKEEXT,iphlpsvc,LanmanServer,MSiSCSI,ProfSvc,Schedule,seclogon,SENS,ShellHWDetection,Themes,Winmgmt,wuauserv
1404 svchost.exe Svcs: CryptSvc,Dnscache,LanmanWorkstation,NlaSvc
1548 vsmon.exe Svcs: vsmon
1612 NvXDSync.exe
1628 nvvsvc.exe
1448 AvastSvc.exe Svcs: avast! Antivirus
1748 spoolsv.exe Svcs: Spooler
1904 svchost.exe Svcs: SCardSvr,SSDPSRV,upnphost
1976 svchost.exe Svcs: BFE,DPS,MpsSvc
2400 armsvc.exe Svcs: AdobeARMservice
2432 BvSshServer.exe Svcs: BvSshServer
2496 httpd.exe Svcs: EnterpriseDBApachePHP
2564 sqlservr.exe Svcs: MSSQL$SQLEXPRESS
2680 httpd.exe
(truncated output)
Another very useful option is -c, which shows the full command line of each process. This
exposes the arguments a process was really started with, which is where odd parameters and
svchost -k service groups show up:
C:\Program Files\Debugging Tools for Windows (x64)>tlist.exe -c | more
0 System Process
Command Line:
4 System
Command Line:
436 smss.exe
Command Line: \SystemRoot\System32\smss.exe
628 csrss.exe
Command Line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
704 wininit.exe
Command Line: wininit.exe
724 csrss.exe
Command Line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
776 services.exe
Command Line: C:\Windows\system32\services.exe
784 lsass.exe
Command Line: C:\Windows\system32\lsass.exe
792 lsm.exe
Command Line: C:\Windows\system32\lsm.exe
(truncated output)
Finally, tlist.exe can also display the process tree (tlist -t), which shows the parent of each
process and makes a system binary started from the wrong parent stand out.
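The checks an analyst does by eye on tlist -s / -c / -t output can be automated. Below is an added example (not from the original post and not part of the Debugging Tools) that builds the same process/service/command-line table from Win32_Service and Win32_Process and then flags processes named like core Windows binaries that run from the wrong path, have the wrong parent, or (for svchost.exe) host no service. The baseline table reflects the Windows 7 layout seen on this page and is an assumption to adjust for your own builds; the function names are mine; full command lines and paths need an elevated prompt.

```powershell
# Added example (not from the original post): process -> services -> command line map,
# plus a masquerading check for commonly impersonated system processes.

function Get-ProcessServiceMap {
    $svcByPid = @{}
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
        $k = [int]$_.ProcessId
        if (-not $svcByPid.ContainsKey($k)) { $svcByPid[$k] = @() }
        $svcByPid[$k] += $_.Name
    }
    $procs    = Get-CimInstance Win32_Process
    $nameById = @{}
    foreach ($p in $procs) { $nameById[[int]$p.ProcessId] = $p.Name }

    foreach ($p in $procs) {
        [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            Parent      = $nameById[[int]$p.ParentProcessId]   # null when the parent is gone
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Services    = ($svcByPid[[int]$p.ProcessId] -join ',')
        }
    }
}

# Expected image and parent for the commonly impersonated system processes
# (Windows 7 layout as on this page; assumption, adjust to your baseline).
# csrss and winlogon are started by a per-session smss.exe that exits, so no parent.
$sys32 = "$env:SystemRoot\System32"
$baseline = @{
    'svchost.exe'  = @{ Path = "$sys32\svchost.exe";  Parent = 'services.exe' }
    'services.exe' = @{ Path = "$sys32\services.exe"; Parent = 'wininit.exe'  }
    'lsass.exe'    = @{ Path = "$sys32\lsass.exe";    Parent = 'wininit.exe'  }
    'lsm.exe'      = @{ Path = "$sys32\lsm.exe";      Parent = 'wininit.exe'  }
    'csrss.exe'    = @{ Path = "$sys32\csrss.exe";    Parent = $null }
    'winlogon.exe' = @{ Path = "$sys32\winlogon.exe"; Parent = $null }
}

function Find-MasqueradingProcess {
    foreach ($p in Get-ProcessServiceMap) {
        $rule = $baseline[$p.Name]
        if (-not $rule) { continue }
        $why = @()
        if ($p.Path -and $p.Path -ne $rule.Path) { $why += "path $($p.Path)" }
        if ($rule.Parent -and $p.Parent -and $p.Parent -ne $rule.Parent) { $why += "parent $($p.Parent)" }
        if ($p.Name -eq 'svchost.exe' -and -not $p.Services) { $why += 'hosts no service' }
        if ($why) {
            [pscustomobject]@{
                PID         = $p.PID
                Name        = $p.Name
                Reason      = ($why -join '; ')
                CommandLine = $p.CommandLine
            }
        }
    }
}

# tlist -s and tlist -c in one table:
Get-ProcessServiceMap | Format-Table PID, Name, Services, CommandLine -AutoSize
# Processes that do not match the baseline:
Find-MasqueradingProcess | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: ParentProcessId is a number, not a handle, so once the real parent exits the PID can be reused by an unrelated process and a "wrong parent" is a lead to confirm, not proof; and an svchost.exe with no services can occur briefly while a service is starting or stopping, so re-run before escalating.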