Windows Remote Access Commands

Commands that move data and files between systems on a network and are usually executed from the context of the cmd.exe or command.exe prompt.

Miscellaneous

dir

  • Command with arguments: dir \\[computername|ip]\share
  • Description: Requires a token for the remote system; see net use below to establish such a connection. Displays the contents of the remote computer's share.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>dir \\192.168.10.34\c$
       Volume in drive \\192.168.10.34\c$ has no label.
       Volume Serial Number is 1A09-5F16

       Directory of \\192.168.10.34\c$

      09/18/2006  05:43 PM                24 autoexec.bat
      09/18/2006  05:43 PM                10 config.sys
      01/19/2008  05:40 AM                   PerfLogs
      10/08/2013  07:36 PM                   Program Files
      10/23/2013  08:20 PM                   temp
      10/10/2013  08:59 PM                   Users
      10/23/2013  08:38 PM                   Windows
                     2 File(s)             34 bytes
                     5 Dir(s)  33,316,192,256 bytes free

qprocess

  • Command with arguments: qprocess * [/SERVER:computername]
  • Description: Shows information about processes locally or remotely if you provide the computername or IP.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>qprocess * /SERVER:192.168.1.2
       USERNAME          SESSIONNAME     ID    PID  IMAGE
       (unknown)         services         0      0
       (unknown)         services         0      4  system
       (unknown)         services         0    268  smss.exe
       (unknown)         services         0    356  csrss.exe
       (unknown)         services         0    408  wininit.exe
      >(unknown)         console          1    420  csrss.exe
      >(unknown)         console          1    460  winlogon.exe
       (unknown)         services         0    516  services.exe
      >johndoe           console          1   1584  dwm.exe
      >johndoe           console          1   1600  explorer.exe
       (unknown)         services         0   1708  vmtoolsd.exe
      >johndoe           console          1   1936  vmwaretray.exe
      >johndoe           console          1   1944  vmtoolsd.exe
       (unknown)         services         0    316  tpautoconnsv...
      >johndoe           console          1   1716  tpautoconnec...
      >johndoe           console          1   1680  conhost.exe
       (unknown)         services         0   1984  searchindexe...
       (unknown)         services         0   2076  msdtc.exe
       (unknown)         services         0   2844  svchost.exe
       (unknown)         services         0   2920  sppsvc.exe
       (unknown)         services         0   2976  svchost.exe
      >johndoe           console          1   3576  cmd.exe
      >johndoe           console          1   3540  conhost.exe
      >johndoe           console          1   2340  cmd.exe
      >johndoe           console          1   1560  conhost.exe
      >johndoe           console          1   3616  qprocess.exe

qwinsta

  • Command with arguments: qwinsta [/SERVER:computername]
  • Description: Shows information about Remote Desktop Sessions locally or remotely if you provide the computername or IP.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>qwinsta
      SESSIONNAME USERNAME ID STATE TYPE DEVICE
      services 0 Disc
      >console johndoe 1 Active
      rdp-tcp 65536 Listen

Remote Assistance Enable

  • Command with arguments: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
  • Description: Must be run as an administrator. Enables Remote Assistance by adding a registry value on the local system.
  • Output:
    • **Windows 2008:**
      C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
      The operation completed successfully.

Remote Desktop Enable

  • Command with arguments: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  • Description: Must be run as an administrator. Enables Remote Desktop by adding a registry value on the local system.
  • Output:
    • **Windows 2008:**
      C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
      The operation completed successfully.
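The two reg add commands above each flip one DWORD under the Terminal Server key; the check a defender wants is the reverse, reading the current values back and comparing them with a baseline. The Python below is an added example, not code from this cheat sheet: it parses the text that reg query prints for that key and reports the state of both values the page's commands write, fDenyTSConnections (0 means Remote Desktop is allowed) and fAllowToGetHelp (1 means Remote Assistance is allowed). SAMPLE_REG_QUERY is a constructed sample in reg query's layout, and audit_terminal_server, drift and LOCKED_DOWN are names chosen here.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of what
#   reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
# prints; not captured from a real host. reg query lists each value as
# <name> <type> <data> on an indented line and shows REG_DWORD data as hex.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0
    fAllowToGetHelp    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns
"""

# Baseline for a host that should accept neither Remote Desktop nor Remote Assistance.
LOCKED_DOWN = {"remote_desktop_enabled": False, "remote_assistance_enabled": False}

# One value line: leading indent, name, 2+ spaces, REG_* type, 2+ spaces, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")


def parse_reg_query(output: str) -> Dict[str, Dict[str, str]]:
    """Map value name -> {"type": ..., "data": ...}; key and subkey lines are skipped."""
    values: Dict[str, Dict[str, str]] = {}
    for line in output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group("name")] = {"type": m.group("type"), "data": m.group("data").strip()}
    return values


def dword(values: Dict[str, Dict[str, str]], name: str) -> Optional[int]:
    """Integer value of a REG_DWORD, or None if it is absent or of another type."""
    entry = values.get(name)
    if entry is None or entry["type"] != "REG_DWORD":
        return None
    return int(entry["data"], 16)  # reg query prints DWORDs as 0x...


def audit_terminal_server(output: str) -> Dict[str, Optional[bool]]:
    """State of the two switches the cheat sheet's reg add commands set.

    A missing value is reported as None rather than guessed, because the
    default differs between Windows editions.
    """
    values = parse_reg_query(output)
    deny = dword(values, "fDenyTSConnections")
    allow_help = dword(values, "fAllowToGetHelp")
    return {
        "remote_desktop_enabled": None if deny is None else deny == 0,
        "remote_assistance_enabled": None if allow_help is None else allow_help == 1,
    }


def drift(findings: Dict[str, Optional[bool]], baseline: Dict[str, bool]) -> List[str]:
    """Names of settings whose observed state differs from the baseline."""
    return [k for k, want in baseline.items() if findings.get(k) != want]


if __name__ == "__main__":
    state = audit_terminal_server(SAMPLE_REG_QUERY)
    print(state)
    print("differs from locked-down baseline:", drift(state, LOCKED_DOWN))
```

Feed the real output of reg query on the key to audit_terminal_server and compare with your own baseline via drift. The value only reflects the Terminal Services switch these commands touch; whether a host is actually reachable over Remote Desktop also depends on the firewall rule and on the service listening.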

tasklist

  • Command with arguments: tasklist /v /s [computername|IP]
  • Description: Retrieves the currently running processes from the remote system (documented in the Microsoft manual).
  • Output:
    • **Windows 2008:**
      C:\Windows\system32>tasklist /V /S 192.168.10.34
      Type the password for WIN-V32NJ7H3AQE\johndoe:************************


      Image Name PID Session Name Session# Mem Usage User Name CPU Time
      ========================= ======== ================ =========== ============ ================================================== ============
      System Idle Process 0 0 24 K N/A 4:01:47
      System 4 0 2,244 K N/A 0:00:13
      smss.exe 388 0 696 K NT AUTHORITY\SYSTEM 0:00:00
      csrss.exe 452 0 4,992 K NT AUTHORITY\SYSTEM 0:00:01
      csrss.exe 492 1 10,800 K NT AUTHORITY\SYSTEM 0:00:17
      wininit.exe 500 0 3,740 K NT AUTHORITY\SYSTEM 0:00:00
      winlogon.exe 532 1 4,244 K NT AUTHORITY\SYSTEM 0:00:00
      services.exe 580 0 7,308 K NT AUTHORITY\SYSTEM 0:00:03
      lsass.exe 592 0 36,968 K NT AUTHORITY\SYSTEM 0:00:06
      lsm.exe 600 0 5,128 K NT AUTHORITY\SYSTEM 0:00:00
      svchost.exe 840 0 6,576 K NT AUTHORITY\SYSTEM 0:00:02
      svchost.exe 908 0 6,652 K NT AUTHORITY\NETWORK SERVICE 0:00:00
      svchost.exe 984 0 7,976 K NT AUTHORITY\LOCAL SERVICE 0:00:02
      svchost.exe 1036 0 7,992 K NT AUTHORITY\SYSTEM 0:00:00
      svchost.exe 1056 0 26,740 K NT AUTHORITY\SYSTEM 0:00:08
      SLsvc.exe 1072 0 11,280 K NT AUTHORITY\NETWORK SERVICE 0:00:12
      svchost.exe 1124 0 9,720 K NT AUTHORITY\LOCAL SERVICE 0:00:01
      svchost.exe 1184 0 8,888 K NT AUTHORITY\SYSTEM 0:00:01
      svchost.exe 1208 0 15,332 K NT AUTHORITY\NETWORK SERVICE 0:00:01
      svchost.exe 1368 0 10,140 K NT AUTHORITY\LOCAL SERVICE 0:00:00
      taskeng.exe 1572 0 7,024 K NT AUTHORITY\SYSTEM 0:00:00
      spoolsv.exe 1680 0 9,892 K NT AUTHORITY\SYSTEM 0:00:00
      dfsrs.exe 1732 0 8,608 K NT AUTHORITY\SYSTEM 0:00:00
      dns.exe 1756 0 39,456 K NT AUTHORITY\SYSTEM 0:00:00
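tasklist /v prints its table in fixed-width columns whose widths are given by the row of = signs under the header, so the reliable way to turn it into records is to take the column edges from that separator line rather than split on whitespace (user names such as NT AUTHORITY\SYSTEM contain spaces, and so can image names). The parser below is an added example, not code from this cheat sheet; SAMPLE_TASKLIST is a constructed transcript in the same layout with narrower columns than a real host prints, and parse_tasklist, processes_by_user and interactive_shells are names chosen here. It also shows how such a listing is read in triage: which accounts own which processes, and which non-service sessions have a shell open.

```python
import re
from typing import Dict, List, Tuple

# Constructed transcript of `tasklist /V /S <host>` in the layout a real host prints
# (prompt, password prompt, header, '=' separator, rows); narrower columns than the
# real command uses, and not captured output.
SAMPLE_TASKLIST = r"""C:\Windows\system32>tasklist /V /S 192.168.10.34
Type the password for WIN-V32NJ7H3AQE\johndoe:************************

Image Name       PID Session Name Session#  Mem Usage User Name                CPU Time
============== ===== ============ ======== ========== ======================== ========
System             4 Services     0           2,244 K N/A                      0:00:13
smss.exe         388 Services     0             696 K NT AUTHORITY\SYSTEM      0:00:00
lsass.exe        592 Services     0          36,968 K NT AUTHORITY\SYSTEM      0:00:06
cmd.exe         3576 Console      1           2,812 K WIN-V32NJ7H3AQE\johndoe  0:00:00
explorer.exe    1600 Console      1          31,500 K WIN-V32NJ7H3AQE\johndoe  0:00:04
"""

SHELLS = {"cmd.exe", "powershell.exe"}


def _is_separator(line: str) -> bool:
    """The separator row is made only of '=' groups and spaces."""
    s = line.strip()
    return bool(s) and set(s) <= {"=", " "}


def parse_tasklist(text: str) -> List[Dict[str, str]]:
    """One dict per process, keyed by the header names; column edges come from the '=' row."""
    lines = text.splitlines()
    sep_idx = next((i for i, line in enumerate(lines) if _is_separator(line)), None)
    if sep_idx is None or sep_idx == 0:
        raise ValueError("no tasklist header/separator found")
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[sep_idx])]
    names = [lines[sep_idx - 1][s:e].strip() for s, e in spans]
    rows = []
    for line in lines[sep_idx + 1:]:
        if not line.strip():
            continue
        rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, spans)})
    return rows


def mem_kb(mem_usage: str) -> int:
    """'36,968 K' -> 36968."""
    return int(re.sub(r"\D", "", mem_usage))


def processes_by_user(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Image names grouped by the account they run as, in listing order."""
    by_user: Dict[str, List[str]] = {}
    for r in rows:
        by_user.setdefault(r["User Name"], []).append(r["Image Name"])
    return by_user


def interactive_shells(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(user, image, pid) for shells outside session 0: someone at a console or RDP session."""
    return [
        (r["User Name"], r["Image Name"], r["PID"])
        for r in rows
        if r["Image Name"].lower() in SHELLS and r["Session#"] != "0"
    ]


if __name__ == "__main__":
    procs = parse_tasklist(SAMPLE_TASKLIST)
    for user, images in processes_by_user(procs).items():
        print(f"{user}: {', '.join(images)}")
    print("interactive shells:", interactive_shells(procs))
```

The same parser works on the wider columns a real host prints, since it never assumes widths. If you control the command line, tasklist /v /fo csv gives a quoted CSV that the csv module reads directly and avoids the fixed-width step altogether.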

net

net time

  • Command with arguments: net time \\[computername|ip]
  • Description: Display the time from the remote system.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>net time \\192.168.10.34
      Current time at \\192.168.10.34 is 10/23/2013 9:03:04 PM
      The command completed successfully.

net use

  • Command with arguments: net use \\[computername|ip] [/user:DOMAIN\USERNAME] [password]
  • Description: Creates a connection to the remote computer. This maps IPC$, which does not show up as a drive but lets you access the remote system as the current user. If the user you launch the command as is not valid on the remote system, you will need to specify a valid DOMAIN\USER and PASSWORD. This is useful when you have credentials from somewhere and wish to use them but do not have an active token on the machine you have a session on.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>net use \\192.168.10.34 /user:lab\johndoe
      The password or user name is invalid for \\192.168.10.34.
      Enter the password for 'lab\johndoe' to connect to '192.168.10.34':
      The command completed successfully.
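Both dir \\host\c$ (under Miscellaneous above) and net use \\host touch an administrative share over SMB, and on the server side each such access is recorded as Security event 5140 (A network share object was accessed) when the Audit File Share subcategory is enabled, with the share name, the account used and the client address in the event data. The script below is an added example, not code from this cheat sheet: it reads events exported as XML, keeps the 5140 events whose share is IPC$, ADMIN$ or a drive-letter share, and counts them per client address and account. SAMPLE_EVENTS is constructed and trimmed to the fields used; the Data Name values SubjectUserName, SubjectDomainName, IpAddress and ShareName are the ones event 5140 carries, and admin_share_events and summarize are names chosen here.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample of Security-log events exported as XML; not captured from a
# real host, and reduced to the System and EventData fields the detection reads.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5140</EventID><Computer>WIN-V32NJ7H3AQE</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">johndoe</Data>
    <Data Name="SubjectDomainName">LAB</Data>
    <Data Name="IpAddress">192.168.10.50</Data>
    <Data Name="ShareName">\\*\IPC$</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5140</EventID><Computer>WIN-V32NJ7H3AQE</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">johndoe</Data>
    <Data Name="SubjectDomainName">LAB</Data>
    <Data Name="IpAddress">192.168.10.50</Data>
    <Data Name="ShareName">\\*\C$</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5140</EventID><Computer>WIN-V32NJ7H3AQE</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">LAB</Data>
    <Data Name="IpAddress">192.168.10.60</Data>
    <Data Name="ShareName">\\*\Public</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>WIN-V32NJ7H3AQE</Computer></System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="IpAddress">192.168.10.60</Data>
  </EventData>
</Event>
</Events>
"""


def parse_events(xml_text: str) -> List[Dict[str, str]]:
    """Flatten each <Event> into a dict of EventID, Computer and its EventData fields."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        record = {
            "EventID": ev.findtext("e:System/e:EventID", namespaces=NS),
            "Computer": ev.findtext("e:System/e:Computer", namespaces=NS),
        }
        for d in ev.findall("e:EventData/e:Data", NS):
            record[d.get("Name")] = (d.text or "").strip()
        events.append(record)
    return events


def is_admin_share(share_name: str) -> bool:
    """IPC$, ADMIN$ and drive shares such as C$; the event writes them as \\*\IPC$."""
    base = share_name.rsplit("\\", 1)[-1].upper()
    if base in {"IPC$", "ADMIN$"}:
        return True
    return len(base) == 2 and base[0].isalpha() and base[1] == "$"


def admin_share_events(xml_text: str) -> List[Dict[str, str]]:
    """5140 events that touched an administrative share, one dict per event."""
    hits = []
    for ev in parse_events(xml_text):
        if ev.get("EventID") != "5140" or not is_admin_share(ev.get("ShareName", "")):
            continue
        hits.append({
            "computer": ev["Computer"],
            "client": ev.get("IpAddress", ""),
            "account": f'{ev.get("SubjectDomainName", "")}\\{ev.get("SubjectUserName", "")}',
            "share": ev["ShareName"],
        })
    return hits


def summarize(hits: List[Dict[str, str]]) -> Counter:
    """(client address, account) -> number of admin-share accesses."""
    return Counter((h["client"], h["account"]) for h in hits)


if __name__ == "__main__":
    for (client, account), n in summarize(admin_share_events(SAMPLE_EVENTS)).items():
        print(f"{client} as {account}: {n} admin-share access(es)")
```

Without the Audit File Share subcategory enabled no 5140 events are written, so the first check on a host is whether the policy is on. A single IPC$ access from a workstation is routine; the same client and account touching C$ or ADMIN$ on several hosts in a short window is the pattern worth a closer look.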