Windows CMD Config Commands
Commands that display information about the configuration of the victim and are usually executed from the context of the cmd.exe or command.exe prompt.
Misc
c:\windows\system32\gathernetworkinfo.vbs
- Command:
c:\windows\system32\gathernetworkinfo.vbs
- Command with arguments: NA
- Description: Windows 7 only. This script, included with Windows, gathers data about the system and stores its output in files in the c:\windows\system32\config directory.
- Output:
- NA
echo
- Command:
echo
- Command with arguments:
echo %COMSPEC%
- Description: Determine the location of the command line interpreter such as cmd.exe.
- Output:
-
C:\Users\johndoe>echo %COMSPEC%
C:\Windows\system32\cmd.exe
-
fsutil
- Command:
fsutil
- Command with arguments:
fsutil fsinfo drives
- Description: Must be ADMIN to run this. Lists the current drives on the system.
- Output:
-
C:\Windows\system32>fsutil fsinfo drives
Drives: A:\ C:\ D:\
-
gpresult
- Command:
gpresult
- Command with arguments:
gpresult /z
- Description: Extremely verbose output of GPO (Group policy) settings as applied to the current system and user.
- Output:
-
C:\Users\johndoe>gpresult /z
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 10/15/2013 at 7:02:05 PM
RSOP data for LAB\johndoe on WIN-0P19ULL2NB6 : Logging Mode
------------------------------------------------------------
OS Configuration: Primary Domain Controller
OS Version: 6.0.6002
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\johndoe
Connected over a slow link?: No
USER SETTINGS
--------------
CN=johndoe,CN=Users,DC=lab,DC=sky,DC=net
Last time Group Policy was applied: 10/12/2013 at 6:20:23 PM
Group Policy was applied from: WIN-0P19ULL2NB6.lab.sky.net
Group Policy slow link threshold: 500 kbps
Domain Name: LAB
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
Default Domain Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
High Mandatory Level
The user has the following security privileges
----------------------------------------------
Resultant Set Of Policies for User
-----------------------------------
-
set
- Command:
set
- Command with arguments: NA
- Description: Shows all current environment variables. Specific ones to look for are USERDOMAIN, USERNAME, USERPROFILE, HOMEPATH, LOGONSERVER, COMPUTERNAME, APPDATA, and ALLUSERSPROFILE.
- Output:
-
C:\Users\johndoe>set
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\johndoe\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WIN-0P19ULL2NB6
ComSpec=C:\Windows\system32\cmd.exe
DFSTRACINGON=FALSE
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\johndoe
LOCALAPPDATA=C:\Users\johndoe\AppData\Local
LOGONSERVER=\\WIN-0P19ULL2NB6
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 42 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=2a07
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\johndoe\AppData\Local\Temp\1
TMP=C:\Users\johndoe\AppData\Local\Temp\1
TRACE_FORMAT_SEARCH_PATH=\\winseqfe\release\Windows6.0\lh_sp2rtm\6002.18005.090410-1830\x86fre\symbols.pri\TraceFormat
USERDNSDOMAIN=LAB.SKY.NET
USERDOMAIN=LAB
USERNAME=johndoe
USERPROFILE=C:\Users\johndoe
windir=C:\Windows
-
whoami
- Command:
whoami
- Command with arguments:
whoami /all
- Description: Lists information about the user you are currently logged in as. Helpful for showing the groups, SID and privileges of this user. Not available in all versions of Windows, but it is in Windows Vista and more recent. According to Wikipedia, this command can be added to Windows 2000 using the resource kit and is installed with the Windows XP SP2 Support Tools.
- Output:
-
C:\Users\johndoe>whoami
lab\johndoe
C:\Users\johndoe>whoami/all
USER INFORMATION
----------------
User Name SID
=========== ===========================================
lab\johndoe S-1-5-21-60789211-843652525-1994898995-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Unknown SID type S-1-16-8192 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
-
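As an added example (not part of the original page), a Python parser for the whoami /all output above that pulls out the user SID, group memberships and privilege states, then summarises what the token tells a reviewer: on the page's own output, BUILTIN\Administrators carries "Group used for deny only", which is how a UAC-filtered (non-elevated) token looks. The sample text is constructed from the page's output with the separator lines dropped; S-1-5-32-544 and the S-1-16- prefix are the well-known Administrators and integrity-label SIDs.

```python
import re

# Constructed sample: the whoami /all output from above, separator lines removed.
SAMPLE = r"""USER INFORMATION
lab\johndoe S-1-5-21-60789211-843652525-1994898995-1001
GROUP INFORMATION
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
Mandatory Label\Medium Mandatory Level Unknown SID type S-1-16-8192 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
"""

SID = r"S-\d+(?:-\d+)+"
USER_RE = re.compile(rf"^(?P<user>\S+)\s+(?P<sid>{SID})$")
# Group name may contain spaces, so anchor on the type column and the SID that follows it.
GROUP_RE = re.compile(rf"^(?P<name>.+?)\s+(?:Well-known group|Alias|Group|Label|Unknown SID type)"
                      rf"\s+(?P<sid>{SID})\s*(?P<attrs>.*)$")
PRIV_RE = re.compile(r"^(?P<name>Se\w+Privilege)\s+.+?\s+(?P<state>Enabled|Disabled)$")

def parse_whoami_all(text):
    """Split whoami /all into the user SID, group memberships and privilege states."""
    info = {"user": None, "sid": None, "groups": [], "privileges": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("INFORMATION"):
            section = line.split()[0]          # USER, GROUP or PRIVILEGES
        elif section == "USER" and (m := USER_RE.match(line)):
            info["user"], info["sid"] = m.group("user"), m.group("sid")
        elif section == "GROUP" and (m := GROUP_RE.match(line)):
            info["groups"].append((m.group("name"), m.group("sid"), m.group("attrs")))
        elif section == "PRIVILEGES" and (m := PRIV_RE.match(line)):
            info["privileges"][m.group("name")] = m.group("state")
    return info

def token_findings(info):
    """What the token says about the shell: UAC elevation, integrity level, live privileges."""
    findings = []
    for name, sid, attrs in info["groups"]:
        if sid == "S-1-5-32-544":             # BUILTIN\Administrators
            elevated = "deny only" not in attrs
            findings.append("Administrators enabled: elevated token" if elevated
                            else "Administrators deny-only: UAC-filtered, non-elevated token")
        elif sid.startswith("S-1-16-"):       # mandatory integrity label
            findings.append("integrity level: " + name.split("\\", 1)[-1])
    enabled = sorted(p for p, s in info["privileges"].items() if s == "Enabled")
    findings.append("enabled privileges: " + ", ".join(enabled))
    return findings
```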
type
- Command:
type
- Command with arguments:
type %WINDIR%\System32\drivers\etc\hosts
- Description: Shows the contents of a file. In this case, you get the system's hosts file, which does the local translation of IP addresses to hostnames. This file may contain important servers.
- Output:
-
C:\Users\johndoe>type %WINDIR%\System32\drivers\etc\hosts
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
::1 localhost
-
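An added example, not from the original page: a Python parser for the hosts file format shown above (comments start at '#' anywhere on a line, one address followed by one or more names) that separates the stock localhost entries from anything a reviewer should look at. The sample is constructed from the page's output with two extra entries added for illustration; fileserver01 and updates.vendor.example are made-up names.

```python
import ipaddress

# Constructed sample: the default Windows hosts file above plus two illustrative entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
#
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
::1 localhost
10.0.0.5 fileserver01 fileserver01.corp.example   # internal file server (constructed)
127.0.0.1 updates.vendor.example
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs; '#' starts a comment anywhere on the line."""
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue                           # blank or comment-only line
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])  # validates IPv4 and IPv6
        except ValueError:
            continue                           # malformed line: first field is not an address
        for name in parts[1:]:                 # several aliases may share one address
            mappings.append((str(ip), name.lower()))
    return mappings

def review_hosts(mappings):
    """Skip the two stock loopback entries and describe every other mapping."""
    findings = []
    for ip, name in mappings:
        loopback = ipaddress.ip_address(ip).is_loopback
        if name == "localhost" and loopback:
            continue                           # present in every default Windows hosts file
        if loopback:
            findings.append(f"{name} pinned to loopback ({ip}): name blocked locally, confirm it is intended")
        else:
            findings.append(f"{name} -> {ip}: server reachable by name from this host")
    return findings
```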
Registry (reg)
For more information: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/reg.mspx?mfr=true or http://www.petri.co.il/reg_command_in_windows_xp.htm
Add
- Command with arguments:
reg add [\\TargetIPaddr\] [RegDomain\Key]
- Description: Adds a key to the target machine's registry. Replace [\\TargetIPaddr\] with your target system and [RegDomain\Key] with the registry domain and key you'd like to insert.
- Output:
- NA
Export
- Command with arguments:
reg export [RegDomain\Key] [OUTFILE]
- Description: Exports a key to a file. Replace [RegDomain\Key] with the registry domain and key you'd like to export and [OUTFILE] with the name of the file you would like to save the registry key in.
- Output:
- NA
Import
- Command with arguments:
reg import [INFILE]
- Description: Imports content into the target machine's registry. Replace [INFILE] with the file that has the content you wish to insert.
- Output:
- NA
Query (Local)
- Command with arguments:
reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """"
- Description: Searches the HKLM hive (/s recursive, /d data only) for values whose data contains a path to an .exe under C:\, keeping only lines that contain "C:\" and dropping quoted paths. This lists the executables registered within the system registry.
- Output:
-
C:\Users\johndoe>reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """"
(Default) REG_SZ C:\Program Files\VMware\VMware Tools\TPVCGateway.exe
(Default) REG_SZ C:\Program Files\VMware\VMware Tools\VMwareCplLauncher.exe
(Default) REG_SZ C:\Program Files\Internet Explorer\iexplore.exe
LocalizedString REG_SZ @C:\Program Files\VMware\VMware Tools\VMwareHostOpen.exe,-1008
(Default) REG_SZ C:\Program Files\VMware\VMware Tools\VMwareHostOpen.exe,-101
(Default) REG_SZ C:\Program Files\Internet Explorer\IEXPLORE.EXE
(Default) REG_SZ C:\Program Files\VMware\VMware Tools\VMwareTray.exe
627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\rpctool.exe
627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\VMwareCplLauncher.exe
627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe
627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\unzip.exe
627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\Common Files\VMware\Drivers\vss\comreg.exe
-
Query (Remote)
- Command with arguments:
reg query [\\TargetIPaddr\] [RegDomain\Key] /v [ValueName]
- Description: Retrieves a key and value from the target machine's registry. Replace [\\TargetIPaddr\] with your target system, [RegDomain\Key] with the registry domain and key you'd like to query, and [ValueName] with the value to retrieve.
- Output:
- NA
Save
- Command with arguments:
reg save [HIVE] [OUTFILE]
- Description: Must be run as an administrator. Saves part of the registry to a file. Replace [HIVE] with HKLM\Security, HKLM\System, or HKLM\SAM and [OUTFILE] with the name of the file you would like to save the registry in.
- Output:
-
c:\temp>reg save HKLM\Security security.hive && dir
The operation completed successfully.
Volume in drive C has no label.
Volume Serial Number is 1A09-5F16
Directory of c:\temp
10/26/2013 11:17 PM.
10/26/2013 11:17 PM..
10/26/2013 11:17 PM 32,768 security.hive
1 File(s) 32,768 bytes
2 Dir(s) 33,312,219,136 bytes free
-
sc
sc.exe retrieves and sets control information about services. You can use sc.exe for testing and debugging service programs. For more information: http://technet.microsoft.com/en-us/library/bb490995.aspx.
C:\Users\tester>sc
DESCRIPTION:
SC is a command line program used for communicating with the
Service Control Manager and services.
USAGE:
sc [command] [service name] ...
The option has the form "\\ServerName"
Further help on commands can be obtained by typing: "sc [command]"
Commands:
query-----------Queries the status for a service, or
enumerates the status for types of services.
queryex---------Queries the extended status for a service, or
enumerates the status for types of services.
start-----------Starts a service.
pause-----------Sends a PAUSE control request to a service.
interrogate-----Sends an INTERROGATE control request to a service.
continue--------Sends a CONTINUE control request to a service.
stop------------Sends a STOP request to a service.
config----------Changes the configuration of a service (persistent).
description-----Changes the description of a service.
failure---------Changes the actions taken by a service upon failure.
failureflag-----Changes the failure actions flag of a service.
sidtype---------Changes the service SID type of a service.
privs-----------Changes the required privileges of a service.
qc--------------Queries the configuration information for a service.
qdescription----Queries the description for a service.
qfailure--------Queries the actions taken by a service upon failure.
qfailureflag----Queries the failure actions flag of a service.
qsidtype--------Queries the service SID type of a service.
qprivs----------Queries the required privileges of a service.
qtriggerinfo----Queries the trigger parameters of a service.
qpreferrednode--Queries the preferred NUMA node of a service.
delete----------Deletes a service (from the registry).
create----------Creates a service. (adds it to the registry).
control---------Sends a control to a service.
sdshow----------Displays a service's security descriptor.
sdset-----------Sets a service's security descriptor.
showsid---------Displays the service SID string corresponding to an arbitrary name.
triggerinfo-----Configures the trigger parameters of a service.
preferrednode---Sets the preferred NUMA node of a service.
GetDisplayName--Gets the DisplayName for a service.
GetKeyName------Gets the ServiceKeyName for a service.
EnumDepend------Enumerates Service Dependencies.
The following commands don't require a service name:
sc