Windows CMD Config Commands

Commands that display information about the configuration of the victim and are usually executed from the context of the cmd.exe or command.exe prompt.

Misc

c:\windows\system32\gathernetworkinfo.vbs

Command: c:\windows\system32\gathernetworkinfo.vbs
Command with arguments: NA
Description: Windows 7 Only Script included gathers data about the system and stores output in files in the c:\windows\system32\config directory. External link here.
Output:
- NA

echo

Command: echo
Command with arguments: echo %COMSPEC%%
Description: Determine the location of the command line interpreter such as cmd.exe.
Output:
- **Windows 2008:** Show/Hide
  
  C:\Users\johndoe>echo %COMSPEC% C:\Windows\system32\cmd.exe

fsutil

Command: set
Command with arguments: fsutil fsinfo drives
Description: Must be ADMIN to run this. Lists the current drives on the system.
Output:
- **Windows 2008:** Show/Hide
  
  C:\Windows\system32>fsutil fsinfo drives Drives: A:\ C:\ D:\

gpresult

Command: gpresult
Command with arguments: gpresult /z
Description: Extremely verbose output of GPO (Group policy) settings as applied to the current system and user.
Output:
- **Windows 2008:** Show/Hide
  
  C:\Users\johndoe>gpresult /z Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0 Copyright (C) Microsoft Corp. 1981-2001 Created On 10/15/2013 at 7:02:05 PM RSOP data for LAB\johndoe on WIN-0P19ULL2NB6 : Logging Mode ------------------------------------------------------------ OS Configuration: Primary Domain Controller OS Version: 6.0.6002 Site Name: N/A Roaming Profile: N/A Local Profile: C:\Users\johndoe Connected over a slow link?: No USER SETTINGS -------------- CN=johndoe,CN=Users,DC=lab,DC=sky,DC=net Last time Group Policy was applied: 10/12/2013 at 6:20:23 PM Group Policy was applied from: WIN-0P19ULL2NB6.lab.sky.net Group Policy slow link threshold: 500 kbps Domain Name: LAB Domain Type: Windows 2000 Applied Group Policy Objects ----------------------------- N/A The following GPOs were not applied because they were filtered out ------------------------------------------------------------------- Local Group Policy Filtering: Not Applied (Empty) Default Domain Policy Filtering: Not Applied (Empty) The user is a part of the following security groups --------------------------------------------------- Domain Users Everyone BUILTIN\Users BUILTIN\Administrators BUILTIN\Pre-Windows 2000 Compatible Access NT AUTHORITY\INTERACTIVE NT AUTHORITY\Authenticated Users This Organization LOCAL High Mandatory Level The user has the following security privileges ---------------------------------------------- Resultant Set Of Policies for User -----------------------------------

set

Command: set
Command with arguments: NA
Description: Shows all current environmental variables. Specific ones to look for are USERDOMAIN, USERNAME, USERPROFILE, HOMEPATH, LOGONSERVER, COMPUTERNAME, APPDATA, and ALLUSERPROFILE.
Output:
- **Windows 2008:** Show/Hide
  
  C:\Users\johndoe>set ALLUSERSPROFILE=C:\ProgramData APPDATA=C:\Users\johndoe\AppData\Roaming CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=WIN-0P19ULL2NB6 ComSpec=C:\Windows\system32\cmd.exe DFSTRACINGON=FALSE FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Users\johndoe LOCALAPPDATA=C:\Users\johndoe\AppData\Local LOGONSERVER=\\WIN-0P19ULL2NB6 OS=Windows_NT Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 42 Stepping 7, GenuineIntel PROCESSOR_LEVEL=6 PROCESSOR_REVISION=2a07 ProgramData=C:\ProgramData ProgramFiles=C:\Program Files PROMPT=$P$G PUBLIC=C:\Users\Public SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\Windows TEMP=C:\Users\johndoe\AppData\Local\Temp\1 TMP=C:\Users\johndoe\AppData\Local\Temp\1 TRACE_FORMAT_SEARCH_PATH=\\winseqfe\release\Windows6.0\lh_sp2rtm\6002.18005.090410-1830\x86fre\symbols.pri\TraceFormat USERDNSDOMAIN=LAB.SKY.NET USERDOMAIN=LAB USERNAME=johndoe USERPROFILE=C:\Users\johndoe windir=C:\Windows

whoami

Command: whoami
Command with arguments: whoami /all
Description: Lists information about the user you are currently logged in as. Helpful for showing what groups, sid and privileges of this user. Not available in all versions of Windows but is in Windows Vista and more recent. According to Wikipedia, this command can be added to Windows 2000 using the resource kit and is installed in Windows XP SP2 Support Tools.
Output:
- **Windows 2008:** Show/Hide
  
  C:\Users\johndoe>whoami lab\johndoe C:\Users\johndoe>whoami/all USER INFORMATION ---------------- User Name SID =========== =========================================== lab\johndoe S-1-5-21-60789211-843652525-1994898995-1001 GROUP INFORMATION ----------------- Group Name Type SID Attributes ========================================== ================ ============ ================================================== Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group Mandatory Label\Medium Mandatory Level Unknown SID type S-1-16-8192 Mandatory group, Enabled by default, Enabled group PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ==================================== ======== SeShutdownPrivilege Shut down the system Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeUndockPrivilege Remove computer from docking station Disabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled SeTimeZonePrivilege Change the time zone Disabled

type

Command: type
Command with arguments: type %WINDIR%\System32\drivers\etc\hosts
Description: Show the contents of a file. In this case, you can get the system’s host file which does the local translation of IP address to hostname. This file may contain important servers.
Output:
- **Windows 2008:** Show/Hide
  
  C:\Users\johndoe>type %WINDIR%\System32\drivers\etc\hosts # Copyright (c) 1993-2006 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host 127.0.0.1 localhost ::1 localhost

Registry (reg)

For more information: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/reg.mspx?mfr=true or http://www.petri.co.il/reg_command_in_windows_xp.htm

Add

Command with arguments: reg add [\\TargetIPaddr\] [RegDomain\Key]
Description: Adds a key to target machine’s registry. Replace [\TargetIPaddr] with your target system, [RegDomain\Key] with the registry domain and key you’d like to insert.
Output:
- NA

Export

Command with arguments: reg export [RegDomain\Key] [OUTFILE]
Description: Exports a key to a file. Replace [RegDomain\Key] with the registry domain and key you’d like to insert and [OUTFILE] with the name of the file you would like to save the registry key in.
Output:
- NA

Import

Command with arguments: reg import [INFILE]
Description: Imports content to target machine’s registry. Replace [INFILE] with the file that has the content you wish to insert.
Output:
- NA

Query (Local)

Command with arguments: reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """"
Description: Securely registered executables within the system registry.
Output:
- **Windows 2008:** Show/Hide
  
  C:\Users\johndoe>reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """" (Default) REG_SZ C:\Program Files\VMware\VMware Tools\TPVCGateway.exe (Default) REG_SZ C:\Program Files\VMware\VMware Tools\VMwareCplLauncher.exe (Default) REG_SZ C:\Program Files\Internet Explorer\iexplore.exe LocalizedString REG_SZ @C:\Program Files\VMware\VMware Tools\VMwareHostOpen.exe,-1008 (Default) REG_SZ C:\Program Files\VMware\VMware Tools\VMwareHostOpen.exe,-101 (Default) REG_SZ C:\Program Files\Internet Explorer\IEXPLORE.EXE (Default) REG_SZ C:\Program Files\VMware\VMware Tools\VMwareTray.exe 627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\rpctool.exe 627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\VMwareCplLauncher.exe 627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe 627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\unzip.exe 627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\vmtoolsd.exe 627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\Common Files\VMware\Drivers\vss\comreg.exe

Query (Remote)

Command with arguments: reg query [\\TargetIPaddr\] [RegDomain\Key] /v [ValueName]
Description: Retrieves a key and value from target machine’s registry. Replace [\TargetIPaddr] with your target system, [RegDomain\Key] with the registry domain and key you’d like to query.
Output:
- NA

Save

Command with arguments: reg save [HIVE] [OUTFILE]
Description: Must be run as an administrator. Saves part of the registry to a file. Replace [HIVE] with HKLM\Security, HKLM\System, or HKLM\SAM and [OUTFILE] with the name of the file you would like to save the registry in.
Output:
- **Windows 2008:** Show/Hide
  
  c:\temp>reg save HKLM\Security security.hive && dir The operation completed successfully. Volume in drive C has no label. Volume Serial Number is 1A09-5F16 Directory of c:\temp 10/26/2013 11:17 PM . 10/26/2013 11:17 PM .. 10/26/2013 11:17 PM 32,768 security.hive 1 File(s) 32,768 bytes 2 Dir(s) 33,312,219,136 bytes free</code></div> ----

sc

sc.exe retrieves and sets control information about services. You can use sc.exe for testing and debugging service programs. For more information: http://technet.microsoft.com/en-us/library/bb490995.aspx.

Help details can be found if you expand this section here: Show/Hide

C:\Users\tester>sc
DESCRIPTION:
        SC is a command line program used for communicating with the
        Service Control Manager and services.
USAGE:
        sc  [command] [service name]  ...

        The option  has the form "\\ServerName"
        Further help on commands can be obtained by typing: "sc [command]"
        Commands:
          query-----------Queries the status for a service, or
                          enumerates the status for types of services.
          queryex---------Queries the extended status for a service, or
                          enumerates the status for types of services.
          start-----------Starts a service.
          pause-----------Sends a PAUSE control request to a service.
          interrogate-----Sends an INTERROGATE control request to a service.
          continue--------Sends a CONTINUE control request to a service.
          stop------------Sends a STOP request to a service.
          config----------Changes the configuration of a service (persistent).
          description-----Changes the description of a service.
          failure---------Changes the actions taken by a service upon failure.
          failureflag-----Changes the failure actions flag of a service.
          sidtype---------Changes the service SID type of a service.
          privs-----------Changes the required privileges of a service.
          qc--------------Queries the configuration information for a service.
          qdescription----Queries the description for a service.
          qfailure--------Queries the actions taken by a service upon failure.
          qfailureflag----Queries the failure actions flag of a service.
          qsidtype--------Queries the service SID type of a service.
          qprivs----------Queries the required privileges of a service.
          qtriggerinfo----Queries the trigger parameters of a service.
          qpreferrednode--Queries the preferred NUMA node of a service.
          delete----------Deletes a service (from the registry).
          create----------Creates a service. (adds it to the registry).
          control---------Sends a control to a service.
          sdshow----------Displays a service's security descriptor.
          sdset-----------Sets a service's security descriptor.
          showsid---------Displays the service SID string corresponding to an arbitrary name.
          triggerinfo-----Configures the trigger parameters of a service.
          preferrednode---Sets the preferred NUMA node of a service.
          GetDisplayName--Gets the DisplayName for a service.
          GetKeyName------Gets the ServiceKeyName for a service.
          EnumDepend------Enumerates Service Dependencies.

        The following commands don't require a service name:
        sc