# Windows CMD Config Commands
Commands that display information about the configuration of the victim and are usually executed from the context of the `cmd.exe` or `command.exe` prompt.
## Misc
### c:\windows\system32\gathernetworkinfo.vbs
* **Command**: `c:\windows\system32\gathernetworkinfo.vbs`
* **Command with arguments**: NA
* **Description**: **Windows 7 Only** Script included gathers data about the system and stores output in files in the `c:\windows\system32\config` directory. External link [here.](http://www.verboon.info/index.php/2011/06/the-gathernetworkinfo-vbs-script/)
* **Output**:
* NA
### echo
* **Command**: `echo`
* **Command with arguments**: `echo %COMSPEC%%`
* **Description**: Determine the location of the command line interpreter such as cmd.exe.
* **Output**:
*
### fsutil
* **Command**: `set`
* **Command with arguments**: `fsutil fsinfo drives`
* **Description**: **Must be ADMIN to run this.** Lists the current drives on the system.
* **Output**:
*
**Windows 2008:** Show/Hide
C:\Windows\system32>fsutil fsinfo drives
Drives: A:\ C:\ D:\
### gpresult
* **Command**: `gpresult`
* **Command with arguments**: `gpresult /z`
* **Description**: Extremely verbose output of GPO (Group policy) settings as applied to the current system and user.
* **Output**:
*
**Windows 2008:** Show/Hide
C:\Users\johndoe>gpresult /z
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0 Copyright (C) Microsoft Corp. 1981-2001
Created On 10/15/2013 at 7:02:05 PM
RSOP data for LAB\johndoe on WIN-0P19ULL2NB6 : Logging Mode ------------------------------------------------------------
OS Configuration: Primary Domain Controller OS Version: 6.0.6002 Site Name: N/A Roaming Profile: N/A Local Profile: C:\Users\johndoe Connected over a slow link?: No
USER SETTINGS -------------- CN=johndoe,CN=Users,DC=lab,DC=sky,DC=net Last time Group Policy was applied: 10/12/2013 at 6:20:23 PM Group Policy was applied from: WIN-0P19ULL2NB6.lab.sky.net Group Policy slow link threshold: 500 kbps Domain Name: LAB Domain Type: Windows 2000
Applied Group Policy Objects ----------------------------- N/A
The following GPOs were not applied because they were filtered out ------------------------------------------------------------------- Local Group Policy Filtering: Not Applied (Empty)
Default Domain Policy Filtering: Not Applied (Empty)
The user is a part of the following security groups --------------------------------------------------- Domain Users Everyone BUILTIN\Users BUILTIN\Administrators BUILTIN\Pre-Windows 2000 Compatible Access NT AUTHORITY\INTERACTIVE NT AUTHORITY\Authenticated Users This Organization LOCAL High Mandatory Level
The user has the following security privileges ----------------------------------------------
Resultant Set Of Policies for User -----------------------------------
### set
* **Command**: `set`
* **Command with arguments**: NA
* **Description**: Shows all current environmental variables. Specific ones to look for are USERDOMAIN, USERNAME, USERPROFILE, HOMEPATH, LOGONSERVER, COMPUTERNAME, APPDATA, and ALLUSERPROFILE.
* **Output**:
*
### whoami
* **Command**: `whoami`
* **Command with arguments**: `whoami /all`
* **Description**: Lists information about the user you are currently logged in as. Helpful for showing what groups, sid and privileges of this user. Not available in all versions of Windows but is in Windows Vista and more recent. According to [Wikipedia](http://en.wikipedia.org/wiki/Whoami), this command can be added to Windows 2000 using the resource kit and is installed in Windows XP SP2 Support Tools.
* **Output**:
*
**Windows 2008:** Show/Hide
C:\Users\johndoe>whoami lab\johndoe
C:\Users\johndoe>whoami/all
USER INFORMATION ----------------
User Name SID =========== =========================================== lab\johndoe S-1-5-21-60789211-843652525-1994898995-1001
GROUP INFORMATION -----------------
Group Name Type SID Attributes ========================================== ================ ============ ================================================== Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group Mandatory Label\Medium Mandatory Level Unknown SID type S-1-16-8192 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION ----------------------
Privilege Name Description State ============================= ==================================== ======== SeShutdownPrivilege Shut down the system Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeUndockPrivilege Remove computer from docking station Disabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled SeTimeZonePrivilege Change the time zone Disabled
### systeminfo
* **Command**: `systeminfo`
* **Command with arguments**: NA
* **Description**:In computing, systeminfo.exe, a command-line utility shipped with Microsoft Windows versions from Windows XP onwards, produces summary output of Windows hardware/software operating-environment parameters.
* **Output**:
*
**Windows 2008:** Show/Hide
C:\Windows\system32>systeminfo
Host Name: ADMIN-PC OS Name: Microsoft Windows 2008 OS Version: 6.1.7601 Service Pack 1 Build 7601 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Workstation OS Build Type: Multiprocessor Free Registered Owner: johndoe Registered Organization: Product ID: 00426-OEM-8992662-00400 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. ...
### type
* **Command**: `type`
* **Command with arguments**: `type %WINDIR%\System32\drivers\etc\hosts`
* **Description**: Show the contents of a file. In this case, you can get the system's host file which does the local translation of IP address to hostname. This file may contain important servers.
* **Output**:
*
**Windows 2008:** Show/Hide
C:\Users\johndoe>type %WINDIR%\System32\drivers\etc\hosts # Copyright (c) 1993-2006 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost ::1 localhost
----
## Registry (reg)
For more information: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/reg.mspx?mfr=true or http://www.petri.co.il/reg_command_in_windows_xp.htm
### Add
* **Command with arguments**: `reg add [\\TargetIPaddr\] [RegDomain\Key]`
* **Description**: Adds a key to target machine's registry. Replace [\\TargetIPaddr] with your target system, [RegDomain\Key] with the registry domain and key you'd like to insert.
* **Output**:
* NA
### Export
* **Command with arguments**: `reg export [RegDomain\Key] [OUTFILE]`
* **Description**: Exports a key to a file. Replace [RegDomain\Key] with the registry domain and key you'd like to insert and [OUTFILE] with the name of the file you would like to save the registry key in.
* **Output**:
* NA
### Import
* **Command with arguments**: `reg import [INFILE]`
* **Description**: Imports content to target machine's registry. Replace [INFILE] with the file that has the content you wish to insert.
* **Output**:
* NA
### Query (Local)
* **Command with arguments**: `reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """"`
* **Description**: Securely registered executables within the system registry.
* **Output**:
*
### Query (Remote)
* **Command with arguments**: `reg query [\\TargetIPaddr\] [RegDomain\Key] /v [ValueName]`
* **Description**: Retrieves a key and value from target machine's registry. Replace [\\TargetIPaddr] with your target system, [RegDomain\Key] with the registry domain and key you'd like to query.
* **Output**:
* NA
### Save
* **Command with arguments**: `reg save [HIVE] [OUTFILE]`
* **Description**: **Must be run as an administrator.** Saves part of the registry to a file. Replace [HIVE] with HKLM\Security, HKLM\System, or HKLM\SAM and [OUTFILE] with the name of the file you would like to save the registry in.
* **Output**:
*
**Windows 2008:** Show/Hide
c:\temp>reg save HKLM\Security security.hive && dir The operation completed successfully. Volume in drive C has no label. Volume Serial Number is 1A09-5F16 Directory of c:\temp 10/26/2013 11:17 PM . 10/26/2013 11:17 PM .. 10/26/2013 11:17 PM 32,768 security.hive 1 File(s) 32,768 bytes 2 Dir(s) 33,312,219,136 bytes free
----
## sc
sc.exe retrieves and sets control information about services. You can use sc.exe for testing and debugging service programs. For more information: http://technet.microsoft.com/en-us/library/bb490995.aspx.
Help details can be found if you expand this section here: Show/Hide
C:\Users\tester>sc
DESCRIPTION:
SC is a command line program used for communicating with the
Service Control Manager and services.
USAGE:
sc [command] [service name] ...
The option has the form "\\ServerName"
Further help on commands can be obtained by typing: "sc [command]"
Commands:
query-----------Queries the status for a service, or
enumerates the status for types of services.
queryex---------Queries the extended status for a service, or
enumerates the status for types of services.
start-----------Starts a service.
pause-----------Sends a PAUSE control request to a service.
interrogate-----Sends an INTERROGATE control request to a service.
continue--------Sends a CONTINUE control request to a service.
stop------------Sends a STOP request to a service.
config----------Changes the configuration of a service (persistent).
description-----Changes the description of a service.
failure---------Changes the actions taken by a service upon failure.
failureflag-----Changes the failure actions flag of a service.
sidtype---------Changes the service SID type of a service.
privs-----------Changes the required privileges of a service.
qc--------------Queries the configuration information for a service.
qdescription----Queries the description for a service.
qfailure--------Queries the actions taken by a service upon failure.
qfailureflag----Queries the failure actions flag of a service.
qsidtype--------Queries the service SID type of a service.
qprivs----------Queries the required privileges of a service.
qtriggerinfo----Queries the trigger parameters of a service.
qpreferrednode--Queries the preferred NUMA node of a service.
delete----------Deletes a service (from the registry).
create----------Creates a service. (adds it to the registry).
control---------Sends a control to a service.
sdshow----------Displays a service's security descriptor.
sdset-----------Sets a service's security descriptor.
showsid---------Displays the service SID string corresponding to an arbitrary name.
triggerinfo-----Configures the trigger parameters of a service.
preferrednode---Sets the preferred NUMA node of a service.
GetDisplayName--Gets the DisplayName for a service.
GetKeyName------Gets the ServiceKeyName for a service.
EnumDepend------Enumerates Service Dependencies.
The following commands don't require a service name:
sc
### Query Configuration
* **Command with arguments**: `sc qc [servicename]`
* **Description**: Queries the configuration information for a service. Things to look at here are the path to the executable, the start type (does it start at boot or on demand?), and service names.
* **Output**:
*
### Query Status
* **Command with arguments**: `sc query [servicename]`
* **Description**: Queries the status for a service, or enumerates the status for types of services.
* **Output**:
*
### Query Status Extended
* **Command with arguments**: `sc queryex [servicename]`
* **Description**: Queries the status for a service, or enumerates the status for types of services.
* **Output**:
*
----
## wmi
According to Microsoft (http://msdn.microsoft.com/en-us/library/aa394531(v=vs.85).aspx), "the WMI command-line (WMIC) utility provides a command-line interface for WMI. WMIC is compatible with existing shells and utility commands." Additional information can also be found here https://isc.sans.edu/diary/Windows+Command-Line+Kung+Fu+with+WMIC/1229.
For some of these `wmic` commands that pull information (versus perform an action) you can add `list full` to the end and retrieve the data in a non-table format. Sometimes this view is easier to read. Using `list brief` shows less data. The examples below show several output formats.
### BIOS Information
* **Command with arguments**: `wmic bios [list full]`
* **Description**: Retrieves BIOS information including system serial number.
* **Output**:
*
### Disk Information
* **Command with arguments**: `wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber`
* **Description**: Retrieve information about the harddrive.
* **Output**:
*
**Windows 2008:** Show/Hide
C:\Users\johndoe>wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber FileSystem FreeSpace Name Size SystemName VolumeSerialNumber NTFS 33311481856 C: 42947571712 WIN-0P19ULL2NB6 1A095F16
### Patch IDs
* **Command with arguments**: `wmic qfe get hotfixid`
* **Description**: Retrieves BIOS information including system serial number.
* **Output**:
*
**Windows 2008:** Show/Hide
C:\Users\johndoe>wmic qfe get hotfixid HotFixID KB955430
### Process Create
* **Command with arguments**: `wmic process call create [EXECUTABLE]`
* **Description**: Launches an executable. Replace [EXECUTABLE] with the name of the executable you'd like to launch (for example: calc.exe). Do not include quotes around the value (for example: *DO* use calc.exe; do *NOT* use "calc.exe").
* **Output**:
*
**Windows 2008:** Show/Hide
C:\Users\johndoe>wmic process call create calc.exe Executing (Win32_Process)->Create() Method execution successful. Out Parameters: instance of __PARAMETERS { ProcessId = 1936; ReturnValue = 0; };
### Process Information
* **Command with arguments**: `wmic process get caption,executablepath,commandline`
* **Description**: Retrieves process names, captions, executable paths and command line flags.
* **Output**:
*
**Windows 2008:** Show/Hide
C:\Users\johndoe>wmic process get caption,executablepath,commandline Caption CommandLine ExecutablePath System Idle Process System smss.exe csrss.exe [...SNIP...] dllhost.exe dwm.exe "C:\Windows\system32\Dwm.exe" C:\Windows\system32\Dwm.exe taskeng.exe taskeng.exe {72464C44-C181-4387-A20A-569E0267D2AF} C:\Windows\system32\taskeng.exe TPAutoConnect.exe TPAutoConnect.exe -q -i vmware -a COM1 -F 30 C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe explorer.exe C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE VMwareTray.exe "C:\Program Files\VMware\VMware Tools\VMwareTray.exe" C:\Program Files\VMware\VMware Tools\VMwareTray.exe vmtoolsd.exe "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr C:\Program Files\VMware\VMware Tools\vmtoolsd.exe cmd.exe "C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe cmd.exe TrustedInstaller.exe WMIC.exe wmic process get caption,executablepath,commandline C:\Windows\System32\Wbem\WMIC.exe WmiPrvSE.exe
### Process Terminate
* **Command with arguments**: `wmic process where name="[PROCESS]" call terminate`
* **Description**: Terminates a process. Replace [PROCESS] with the name of the process you'd like to terminate and you *DO* need the quotes around it (for example: calc.exe).
* **Output**:
*
**Windows 2008:** Show/Hide
C:\Users\johndoe>wmic process where name="calc.exe" call terminate Executing (\\WIN-0P19ULL2NB6\ROOT\CIMV2:Win32_Process.Handle="1936")->terminate() Method execution successful. Out Parameters: instance of __PARAMETERS { ReturnValue = 0; };
### Service Information
* **Command with arguments**: `wmic service [list full]`
* **Description**: Retrieves ton of information about all the services installed on the system.
* **Output**:
*
**Windows 2008:** Show/Hide
C:\Users\johndoe>wmic service list full
AcceptPause=FALSE AcceptStop=TRUE Caption=Application Experience CheckPoint=0 CreationClassName=Win32_Service Description=Processes application compatibility cache requests for applications as they are launched DesktopInteract=FALSE DisplayName=Application Experience ErrorControl=Normal ExitCode=0 InstallDate= Name=AeLookupSvc PathName=C:\Windows\system32\svchost.exe -k netsvcs ProcessId=1056 ServiceSpecificExitCode=0 ServiceType=Share Process Started=TRUE StartMode=Auto StartName=localSystem State=Running Status=OK SystemCreationClassName=Win32_ComputerSystem SystemName=WIN-0P19ULL2NB6 TagId=0 WaitHint=0
AcceptPause=FALSE AcceptStop=FALSE Caption=Application Layer Gateway Service CheckPoint=0 CreationClassName=Win32_Service Description=Provides support for 3rd party protocol plug-ins for Internet Connection Sharing DesktopInteract=FALSE DisplayName=Application Layer Gateway Service ErrorControl=Normal ExitCode=1077 InstallDate= Name=ALG PathName=C:\Windows\System32\alg.exe ProcessId=0 ServiceSpecificExitCode=0 ServiceType=Own Process Started=FALSE StartMode=Manual StartName=NT AUTHORITY\LocalService State=Stopped Status=OK SystemCreationClassName=Win32_ComputerSystem SystemName=WIN-0P19ULL2NB6 TagId=0 WaitHint=0 [...Truncated for brevity...]
### Share Information
* **Command with arguments**: `wmic share [list brief]`
* **Description**: Retrieve information about local shares.
* **Output**:
*
**Windows 2008:** Show/Hide
C:\Users\johndoe>wmic share list brief
Description Name Path
Remote Admin ADMIN$ C:\Windows
Default share C$ C:\
Remote IPC IPC$
Logon server share NETLOGON C:\Windows\SYSVOL\sysvol\lab.sky.net\SCRIPTS
Logon server share SYSVOL C:\Windows\SYSVOL\sysvol
### Startup Items
* **Command with arguments**: `wmic startup [list brief]`
* **Description**: Shows startup items, which user runs them and full paths to the executables.
* **Output**:
*
**Windows 2008:** Show/Hide
C:\Users\johndoe>wmic startup list brief Caption Command User VMware Tools "C:\Program Files\VMware\VMware Tools\VMwareTray.exe" Public VMware User Process "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr Public
### User Information
* **Command with arguments**: `wmic useraccount [list full]`
* **Description**: Retrieve information about the user accounts on the system.
* **Output**:
*
**Windows 2008:** Show/Hide
C:\Users\johndoe>wmic useraccount list full
AccountType=512 Description=Built-in account for administering the computer/domain Disabled=FALSE Domain=LAB FullName= InstallDate= LocalAccount=FALSE Lockout=FALSE Name=Administrator PasswordChangeable=TRUE PasswordExpires=TRUE PasswordRequired=TRUE SID=S-1-5-21-60789211-843652525-1994898995-500 SIDType=1 Status=OK
AccountType=512 Description=Key Distribution Center Service Account Disabled=TRUE Domain=LAB FullName= InstallDate= LocalAccount=FALSE Lockout=FALSE Name=krbtgt PasswordChangeable=TRUE PasswordExpires=TRUE PasswordRequired=TRUE SID=S-1-5-21-60789211-843652525-1994898995-502 SIDType=1 Status=Degraded