Windows Command Line Cheat Sheet
POCKET REFERENCE GUIDE
By Ed Skoudis
http://www.sans.org

Purpose

The purpose of this cheat sheet is to provide tips on how to use various Windows commands that are frequently referenced in SANS 504, 517, 531, and 560.

Process and Service Information

List all processes currently running:
    C:\> tasklist

List all processes currently running and the DLLs each has loaded:
    C:\> tasklist /m

List all processes currently running which have the specified [dll] loaded:
    C:\> tasklist /m [dll]

List all processes currently running and the services hosted in those processes:
    C:\> tasklist /svc

Query brief status of all services:
    C:\> sc query

Query the configuration of a specific service:
    C:\> sc qc [ServiceName]

Shutdown and Restart

Shutdown Windows immediately:
    C:\> shutdown /s /t 0
Note: Command may not power down the hardware.

Restart Windows immediately:
    C:\> shutdown /r /t 0

Abort shutdown/restart countdown:
    C:\> shutdown /a

Useful Netstat Syntax

Show all TCP and UDP port usage and process ID:
    C:\> netstat -nao

Look for usage of port [port] every [N] seconds:
    C:\> netstat -nao [N] | find [port]

Dump detailed protocol statistics:
    C:\> netstat -s -p [tcp|udp|ip|icmp]

Interacting with the Network Using Netsh

Turn off built-in Windows firewall:
    C:\> netsh firewall set opmode disable

Configure interface "Local Area Connection" with [IPaddr] [Netmask] [DefaultGW]:
    C:\> netsh interface ip set address local static [IPaddr] [Netmask] [DefaultGW] 1

Configure DNS server for "Local Area Connection":
    C:\> netsh interface ip set dns local static [IPaddr]

Configure interface to use DHCP:
    C:\> netsh interface ip set address local dhcp

Reg Command

Adding Keys and Values:
    C:\> reg add [\\TargetIPaddr\][RegDomain]\[Key]
Add a key to the registry on machine [TargetIPaddr] within the registry domain [RegDomain] to location [Key]. If no remote machine is specified, the current machine is assumed.

Export and Import:
    C:\> reg export [RegDomain]\[Key] [FileName]
Export all subkeys and values located in the domain [RegDomain] under the location [Key] to the file [FileName].
    C:\> reg import [FileName]
Import all registry entries from the file [FileName].
Import and export can only be done from or to the local machine.

Query for a specific Value of a Key:
    C:\> reg query [\\TargetIPaddr\][RegDomain]\[Key] /v [ValueName]
Query a key on machine [TargetIPaddr] within the registry domain [RegDomain] in location [Key] and get the specific value [ValueName] under that key. Add /s to recurse all values.

File Search and Counting Lines

Search directory structure for a file in a specific directory:
    C:\> dir /b /s [Directory]\[FileName]

Count the number of lines on Standard Out of [Command]:
    C:\> [Command] | find /c /v ""
Finds the count (/c) of lines that do not contain (/v) nothing (""). Lines that do not contain nothing are all lines, even blank lines, which contain CR/LF.

Command Line FOR Loops

Counting Loop:
    C:\> for /L %i in ([start],[step],[stop]) do [command]
Set %i to an initial value of [start] and increment it by [step] at every iteration until its value is equal to [stop]. For each iteration, run [command]. The iterator variable %i can be used anywhere in the command to represent its current value.

Iterate over file contents:
    C:\> for /F %i in ([file-set]) do [command]
Iterate through the contents of the file on a line-by-line basis. For each iteration, store the contents of the line into %i and run [command].

WMIC Windows Command Line

Fundamental grammar:
    C:\> wmic [alias] [where clause] [verb clause]

Useful [aliases]:
    process
    service
    share
    nicconfig
    startup
    useraccount
    qfe (Quick Fix Engineering - shows patches)

Example [where clauses]:
    where name="nc.exe"
    where (commandline like "%stuff")
    where (name="cmd.exe" and parentprocessid!="[pid]")

Example [verb clauses]:
    list [full|brief]
    get [attrib1,attrib2…]
    call [method]
    delete

List all attributes of [alias]:
    C:\> wmic [alias] get /?

List all callable methods of [alias]:
    C:\> wmic [alias] call /?

Example: List all attributes of all running processes:
    C:\> wmic process list full

Make WMIC affect the remote machine [TargetIPaddr]:
    C:\> wmic /node:[TargetIPaddr] /user:[User] /password:[Passwd] process list full

Invoking Useful GUIs at the Command Line

Local User Manager (includes group management):
    C:\> lusrmgr.msc

Services Control Panel:
    C:\> services.msc

Task Manager:
    C:\> taskmgr.exe

Security Policy Manager:
    C:\> secpol.msc

Event Viewer:
    C:\> eventvwr.msc

Control Panel:
    C:\> control

Close GUI windows by hitting Alt-F4.

Installing Built-in Packages on Vista

Install telnet service on Vista:
    C:\> pkgmgr /iu:"TelnetServer"

Install telnet client on Vista:
    C:\> pkgmgr /iu:"TelnetClient"

Install IIS on Vista:
    C:\> pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI

To remove any of these packages, replace install update (/iu) with uninstall update (/uu).
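The FOR /L counting loop, the FOR /F line iteration and the `find /c /v ""` line-count idiom above combine naturally with `netstat -nao` and `tasklist /svc` into a small port-monitoring script. The batch file below is an added example, not part of the SANS cheat sheet; the port, interval and pass count are assumed placeholders chosen for illustration.

```batch
@echo off
rem Added example (not from the cheat sheet): poll a local port a fixed number
rem of times and report which PIDs and image names hold sockets on it.
rem Usage: watchport.cmd [port] [interval-seconds]   (defaults assumed below)
setlocal enabledelayedexpansion
set PORT=%1
set INTERVAL=%2
if "%PORT%"=="" set PORT=3389
if "%INTERVAL%"=="" set INTERVAL=5
set COUNT=0

rem FOR /L counting loop: %%i runs 1..12 in steps of 1, one netstat pass each time.
for /L %%i in (1,1,12) do (
    rem Filter netstat to lines mentioning ":PORT " and count them with find /c /v "".
    rem Pipes inside a FOR /F command string must be escaped as ^|.
    for /F %%n in ('netstat -nao ^| find ":%PORT% " ^| find /c /v ""') do set COUNT=%%n
    rem !time! (delayed expansion) is re-read every pass; %time% would be fixed at parse time.
    echo [!time!] pass %%i: !COUNT! sockets on port %PORT%

    rem FOR /F over the filtered TCP rows: tokens are Proto, Local Address, ... PID (5th).
    rem UDP rows have no State column, so they are excluded to keep token 5 meaningful.
    for /F "tokens=1,2,5" %%a in ('netstat -nao ^| find ":%PORT% " ^| find "TCP"') do (
        rem Resolve the PID to its image name via tasklist /svc in CSV form, header suppressed.
        for /F "tokens=1 delims=," %%p in ('tasklist /svc /fi "PID eq %%c" /fo csv /nh') do (
            echo     %%a %%b  PID %%c  %%p
        )
    )
    timeout /t %INTERVAL% /nobreak >nul
)
endlocal
```

A PID that cannot be matched by `tasklist` prints its INFO line in place of an image name, which is itself worth noticing when a socket is held by a process that has since exited or is hidden from the caller.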