Sunday, March 15, 2009

Windows Commandline KungFu Part 1

When I first attended training by Ed on commandline KungFu, I was just amazed.

Well, basically, commandline KungFu is more about the Windows command line, since Linux already has an extremely powerful command line, so there is no need to go to that side.

Lots of people don't know about, or ignore, the power of wmic commands, so we will start with wmic, which lets us do some of the things we always do on Linux.

C:\> wmic process [pid] delete

That's the rough equivalent (for you UNIX/Linux minded folks) of "kill -9 [pid]".

Or, better yet, try this one on for size:

C:\> wmic process where name='cmd.exe' delete

I love that one! It functions something like "killall -9 cmd.exe" would on a Linux box, where killall lets you kill processes by name.

And, check this out:

C:\> wmic process list brief /every:1

Sort of like (but not exactly) the Linux/UNIX top command.

But, wait! There's more...

C:\> wmic useraccount

This one gives a lot more detail than the old "net user" command. With "wmic useraccount" you get user names, SIDs, and various security settings.

Fun, fun, fun! Here's another:

C:\> wmic qfe

This one shows all hotfixes and service packs. qfe doesn't stand for Quad Fast Ethernet... It stands for Quick Fix Engineering in this context.

C:\> wmic startup list full

It shows a whole bunch of stuff useful in malware analysis, including all files loaded at startup and the registry keys associated with autostart.

C:\> wmic process list brief | find "cmd.exe"

That works a little like a Linux "ps -aux | grep cmd.exe".

So, I run it as I show above, piping its output through sort, find, findstr, etc.

C:\> wmic /output:[file] [stuff you want it to do] /format:[format]

Numerous formats are supported, including HTML format (hform), CSV, XSL, and so on. So, check this out:

C:\> wmic /output:c:\os.html os get /format:hform

Then, open c:\os.html in a browser, and soak in that beautiful output. Ooooohhhh. Ahhhhhhh.

For a list of format types supported by WMIC, you could type:

C:\> wmic [stuff to do] /format /?

As in:

C:\> wmic process list /format /?

Going further, there is the ability to pull a list of attributes and output them nicely, as follows:

C:\> wmic /output:c:\temp.html os get name,version /format:htable.xsl
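Pulling the commands above together, here is an added example (my own script, not something from the original post or its training material) that uses them as a quick triage collector: each data set is written to its own CSV file with /output and /format:csv, the OS summary goes to HTML with hform, and one process name is listed for review before anyone decides to delete it. The output folder and the default process name are constructed assumptions; change them to suit your box.

```batch
@echo off
rem Added example, not from the original post: a small triage-collection
rem script built from the wmic commands discussed above. Paths and the
rem default process name are constructed assumptions.
setlocal

rem Folder for the exported files (assumed path).
set "OUT=C:\wmic_triage"
if not exist "%OUT%" mkdir "%OUT%"

rem Process name to inspect; defaults to cmd.exe as in the post.
set "TARGET=%~1"
if "%TARGET%"=="" set "TARGET=cmd.exe"

rem /output has to come before the alias and /format goes at the end.
rem Naming the columns explicitly keeps the files readable and stable.
wmic /output:"%OUT%\process.csv" process get processid,parentprocessid,name,executablepath,commandline /format:csv
wmic /output:"%OUT%\useraccount.csv" useraccount get name,sid,disabled,lockout,passwordrequired,localaccount /format:csv
wmic /output:"%OUT%\qfe.csv" qfe get hotfixid,description,installedon /format:csv
wmic /output:"%OUT%\startup.csv" startup get caption,command,location,user /format:csv
wmic /output:"%OUT%\os.html" os get name,version,lastbootuptime /format:hform

rem Look at the target process before deciding whether to terminate it:
rem parent PID, image path and command line are what you want to review.
echo Processes named %TARGET%:
wmic process where "name='%TARGET%'" get processid,parentprocessid,executablepath,commandline

rem Same idea as piping through find, but findstr /i ignores case and
rem /l /c: treats the name as a literal string rather than a pattern.
echo Brief listing filtered with findstr:
wmic process list brief | findstr /i /l /c:"%TARGET%"

echo Exported files are in %OUT%
endlocal
```

Two things to know before opening the files: wmic writes /output files as UTF-16, and its CSV starts with a blank line and a leading Node column holding the computer name, so a parser or spreadsheet import has to allow for both. Also, wmic has been deprecated in recent Windows releases, so on a current machine the same Win32_ classes (Win32_Process, Win32_UserAccount, Win32_QuickFixEngineering, Win32_StartupCommand) are reached through PowerShell's CIM cmdlets instead.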
