These are useful command lines that are all based on built-in Windows programs. They were tested on Windows 7, but most should be present on WinXP as well. Unlike the previous two blog posts, these are all about what is already present on the system. So, these are things you can do during live collection or when you don’t otherwise have forensics tools available. And, being command line, they are all easily scriptable for automated collection.
| Command | Meaning |
|---|---|
| `arp -av` | displays the ARP cache |
| `assoc` | lists file associations |
| `cipher /w:<driveletter>` | wipes unallocated space on the specified volume; does not affect live files, including those in the Recycle Bin |
| `doskey /history` | lists the command history for the current terminal window |
| `driverquery /v` | lists loaded drivers and information about them |
| `gpresult /z` | displays Group Policy information for the current computer and user |
| `gpresult /z /user <username>` | displays Group Policy information for the current computer and the specified user |
| `hostname` | displays the computer's name |
| `ipconfig /all` | displays network interface configuration information |
| `ipconfig /displaydns` | displays the DNS resolver cache |
| `nbtstat -c` | lists the cache of remote computer names and their IP addresses |
| `net accounts` | displays the current settings for passwords, logon limitations, and domain information from the local computer |
| `net accounts /domain` | displays the current domain settings for passwords, logon limitations, and domain information per domain controller |
| `net config server` | displays hostname, username, OS version, and domain information |
| `net file` | lists the open files on a server |
| `net group` | displays the groups for the domain |
| `net localgroup` | displays the groups for the local computer |
| `net session` | displays information about all client and server sessions for the local machine |
| `net share` | lists information about all resources being shared on the computer |
| `net start` | lists running services |
| `net statistics server` | lists uptime and other statistics |
| `net use` | lists the computer's connections |
| `net user` | lists the user accounts for the computer |
| `net view` | lists the computers in the current domain |
| `netsh advfirewall firewall show rule name=all verbose` | displays all the firewall rules |
| `netsh advfirewall monitor show firewall` | displays firewall properties and status |
| `netsh firewall show config` | displays the firewall configuration |
| `netsh interface ip show config` | displays network interface settings |
| `openfiles` | lists open file handles and the associated process |
| `reg query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs" /S` | lists URLs typed into the Internet Explorer address bar |
| `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU /S` | lists files opened/saved via Explorer dialog boxes |
| `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /S` | lists commands typed into the Start->Run dialog |
| `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /S` | autoruns for the user |
| `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /S` | autoruns for the user |
| `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /S` | autoruns for the system |
| `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /S` | autoruns for the system |
| `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /S` | applications listed in Add/Remove Programs |
| `route print` | displays routing table information |
| `sc queryex` | lists running services and information about them |
| `sc queryex state= all` | lists all services and information about them |
| `schtasks /query /fo list /v` | displays all scheduled tasks |
| `systeminfo` | lists useful information about the OS and hardware |
| `taskkill /f /im cmd.exe /t` | forcefully kills cmd.exe and its children |
| `taskkill /im notepad.exe` | kills the notepad.exe process |
| `taskkill /pid 1230 /pid 1241 /pid 1253 /t` | kills the three process IDs and their children |
| `tasklist /m` | lists running processes and their loaded modules |
| `tasklist /svc` | lists running processes and their associated services |
| `tasklist /v` | lists running processes with extra information |
| `whoami` | displays the current user's name |
| `wmic computersystem list full` | lists OS information |
| `wmic diskdrive list full` | lists information about physical disks |
| `wmic process list full` | lists running processes with copious information, including the full executable path |
| `wmic product list full` | lists information about installed programs |
| `wmic share` | lists shared folders |
| `wmic startup list full` | lists startup items in Run keys and the Startup folder |
| `wmic useraccount list full` | lists users and useful information such as SID, password policy, and description |
| `wmic volume` | lists drive letters and their volume information |
| `wmic volume list brief` | lists drive letters and their concise volume information |
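The post points out that these commands are easily scriptable for automated collection. As an added example (not code from the original post), the cmd.exe batch script below runs a volatility-ordered subset of the commands from the table, saves each output to its own file, and keeps a timing log plus a SHA-256 hash of every output file using the built-in certutil. The output root (argument 1, defaulting to `E:\collection`), the file names, and the `:run` helper are assumptions.

```batch
@echo off
REM live-collect.cmd -- constructed example, not code from the original post.
REM Runs a volatility-ordered subset of the built-in commands above, saves each
REM output to its own file, and logs timing and SHA-256 hashes for custody.
REM Assumptions: elevated cmd.exe; argument 1 (or E:\collection) is a removable
REM drive or share you control, so nothing is written to the suspect volume.
setlocal
set "OUTROOT=%~1"
if "%OUTROOT%"=="" set "OUTROOT=E:\collection"
REM Locale-independent timestamp (unlike %DATE%): YYYYMMDDhhmmss.ffffff+zzz
for /f "tokens=2 delims==" %%I in ('wmic os get LocalDateTime /value') do set "LDT=%%I"
set "STAMP=%LDT:~0,8%_%LDT:~8,6%"
set "OUTDIR=%OUTROOT%\%COMPUTERNAME%_%STAMP%"
set "LOG=%OUTDIR%\00_collection_log.txt"
mkdir "%OUTDIR%" || (echo Cannot create "%OUTDIR%" & exit /b 1)
>"%LOG%" echo Collector: %USERDOMAIN%\%USERNAME%  Host: %COMPUTERNAME%  Started: %STAMP%
REM Most volatile data first; persistence and inventory last.
call :run 01_arp        "arp -av"
call :run 02_dnscache   "ipconfig /displaydns"
call :run 03_nbtcache   "nbtstat -c"
call :run 04_sessions   "net session"
call :run 05_openfiles  "openfiles"
call :run 06_netuse     "net use"
call :run 07_ipconfig   "ipconfig /all"
call :run 08_routes     "route print"
call :run 09_processes  "wmic process list full"
call :run 10_tasklist   "tasklist /svc"
call :run 11_services   "sc queryex state= all"
call :run 12_drivers    "driverquery /v"
call :run 13_schtasks   "schtasks /query /fo list /v"
call :run 14_startup    "wmic startup list full"
call :run 15_hklm_run   "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /S"
call :run 16_hkcu_run   "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /S"
call :run 17_firewall   "netsh advfirewall firewall show rule name=all verbose"
call :run 18_users      "wmic useraccount list full"
call :run 19_shares     "net share"
call :run 20_systeminfo "systeminfo"
>>"%LOG%" echo Finished: %DATE% %TIME%
endlocal & exit /b 0

:run
REM %1 = output file base name, %2 = quoted command line to execute
>>"%LOG%" echo [%TIME%] %~2
cmd /c %~2 >"%OUTDIR%\%~1.txt" 2>&1
REM certutil is built in; hashing each output lets later tampering be detected.
certutil -hashfile "%OUTDIR%\%~1.txt" SHA256 >>"%OUTDIR%\00_hashes.txt"
exit /b
```

Run it as `live-collect.cmd E:\collection` from an elevated prompt; the collection log records the collector account, start and finish times, and the exact command line behind every output file.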