
Make the system tick. Gather information.

List of installed software

CMD:

wmic product get name,version
wmic /output:D:\InstalledSoftwareList.txt product get name,version

PowerShell:

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize > D:\InstalledSoftwareList.txt

Wow6432Node only lists 32-bit programs on 64-bit Windows; 64-bit programs live under HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* and per-user installs under HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*.
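An inventory that reads all three Uninstall hives, added here as an example and not part of the original page; the CSV path is a placeholder.

```powershell
# Added example: inventory installed software from the 64-bit, 32-bit (Wow6432Node)
# and per-user Uninstall keys so nothing is missed. Run elevated; output path is a placeholder.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',              # 64-bit apps
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
)

$software = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |      # skip nameless entries (patches, components)
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation,
        @{ n = 'Arch'; e = {
            if ($_.PSPath -like '*Wow6432Node*') { '32-bit' }
            elseif ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'per-user' }
            else { '64-bit' } } } |
    Sort-Object DisplayName

# Entries with no publisher are a good starting point when reviewing an unfamiliar host.
$software | Where-Object { -not $_.Publisher } | Format-Table DisplayName, DisplayVersion, Arch -AutoSize
$software | Export-Csv -Path D:\InstalledSoftwareList.csv -NoTypeInformation -Encoding UTF8
```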

Windows Optional Features

Programs.

List

PowerShell:

Get-WindowsOptionalFeature -Online | Format-Table -Autosize
Get-WindowsOptionalFeature -Online | Where-Object State -eq 'Enabled' | Format-Table
(Get-WindowsOptionalFeature -Online -FeatureName '*') | Format-Table -Autosize

CMD:

dism /Online /Get-Features
dism /Online /Get-FeatureInfo /FeatureName:BITS

Install

Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature   # Windows Server (ServerManager module)
Enable-WindowsOptionalFeature -Online -FeatureName "Hearts" -All

Remove

Disable-WindowsOptionalFeature -Online -FeatureName "RSAT-AD-PowerShell"   # -Online is required; feature names come from Get-WindowsOptionalFeature

Windows Capabilities

The Windows Update service (wuauserv) must be running, and the machine must be able to reach Windows Update instead of a WSUS server. Setting UseWUServer to 0 disables the WSUS policy; set it back to 1 afterwards on WSUS-managed machines.

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer" -Value 0
Restart-Service "Windows Update"

List

Get-WindowsCapability -online | Format-Table
dism /Online /Get-Capabilities

Install

Add-WindowsCapability -Online -Name "OpenSSH.Server~~~~0.0.1.0"

Windows Packages

MSIX or AppX packages.

List

Get-AppPackage | Format-Table
Get-AppxPackage -AllUsers | ft
Get-AppxProvisionedPackage -online | ft

Where are they installed? C:\Program Files\WindowsApps

Get-AppxVolume

Install

Add-AppxPackage -Path "C:\Users\user1\Desktop\MyApp.msix" -DependencyPath "C:\Users\user1\Desktop\winjs.msix"

Remove

Remove-AppxPackage -Package "package1_1.0.0.0_neutral__8wekyb3d8bbwe"
Get-AppxPackage -AllUsers |  where -Property Name -like "*yourphone*" | Remove-AppxPackage

Windows Tasks

List

schtasks.exe /query /V /FO CSV > tasks.csv
schtasks.exe /query /V /FO CSV | ConvertFrom-Csv | Where { $_.TaskName -ne "TaskName" }
schtasks.exe /query /V /FO CSV | ConvertFrom-Csv | Where { $_.TaskName -ne "TaskName" } | Select-Object @{ label='Name'; expression={split-path $_.taskname -Leaf} },Author,'run as user','task to run' | Format-Table -AutoSize

List Windows Services

get-wmiobject win32_service | select Name,DisplayName,State,StartMode | Export-Csv -Path .\Services.csv -NoTypeInformation
get-wmiobject win32_service -Filter "State = 'Stopped' AND StartMode = 'Auto'" | select Name,DisplayName,State,StartMode
get-wmiobject win32_service -Filter "NOT StartMode = 'Disabled' AND State = 'Running'" | select Name,DisplayName,State,StartMode
Get-Service | Export-Csv -Path .\Services.csv -NoTypeInformation

App Background tasks

Does the "Let apps run in the background" setting in the Settings app apply to these?

List

Get-AppBackgroundTask
Get-AppBackgroundTask -IncludeResourceUsage
Get-AppBackgroundTask -PackageFamilyName "*YourPhone*"
Get-AppBackgroundTask | Where-Object -Property EntryPoint -Like '*Xbox*'
Get-AppBackgroundTask | Where { $_.EntryPoint -Like "*Game*" }
Get-AppBackgroundTask | Format-Table -Property *

Disable

Unregister-AppBackgroundTask -TaskID "6D99C4A8-839E-5440-BEFD-2A8DB30A6461"

Unregister all from a package

Get-AppBackgroundTask | Where { $_.PackageFullName -Like "*YourPhone*" } | Select TaskID | Unregister-AppBackgroundTask

Clean the filesystem

Windows Update cache.

BranchCache


Clear-BCCache

Defender

Clear printer spool

Stop-Service Spooler -Force -NoWait
Get-ChildItem -Path C:\Windows\System32\spool\PRINTERS\ -Include * -File -Recurse | foreach { $_.Delete()}
Start-Service Spooler

The -File switch of Get-ChildItem requires PowerShell 3.0 or later.


RDP

shadow sessions

The policy is located in the GPO editor section Computer Configuration -> Policies -> Administrative Templates -> Windows components -> Remote Desktop Services -> Remote Session Host -> Connections and is called "Set rules for remote control of Remote Desktop Services user sessions". Enable it and select an option. Reboot....

mstsc /v:1.1.1.1 /shadow:<sessionID> /noConsentPrompt /control /prompt

query session

psexec -u Administrator \\1.1.1.1 query session

qwinsta /server:1.1.1.1

Kill RDP sessions

https://techtalk.gfi.com/57-tips-admin/

regsvr32 query.dll # You only have to do this the first time.
query session /server:1.1.1.1
reset session <#> /server:1.1.1.1

psexec

Remote CMD

psexec \\server cmd

Remote command

psexec \\server cmd /c "systeminfo"

Robocopy

Copy a file

robocopy file.ext \\server\folder\

Copy all the content in a directory recursively

robocopy project \\server\backups\project /S /E

All the contents from project will be inside a new folder called project in \\server\backups.

Make an exact copy of the source

robocopy project \\server\backups\project /MIR /LOG+:projectbackup.log

This will delete files in the destination.

*EXTRA File     0   \\server\backups\project\New Text Document.txt

If you want to do the same without deleting data

robocopy project \\server\backups\project /E /LOG+:projectbackup.log

Make a backup

Some tweaks may be needed.

set day=%date:~7,2%
set month=%date:~4,2%
set year=%date:~10,4%

robocopy "C:\project" "D:\backups\project\%year%.%month%.%day%\\" /LOG+:backup.log /MIR /W:5 /R:3 /MT /Z /ETA /BYTES /SEC /B
  • LOG+: - Append to log.
  • MIR - Mirror a directory. Equivalent to /E /PURGE.
  • W:5 - Wait for 5 seconds to retry.
  • R:3 - Retry 3 times.
  • MT - Multi-threaded.
  • Z - Copy in restartable mode, for when the connection is lost. Slows the file transfer by a lot.
  • ETA - Show Estimated Time of Arrival.
  • BYTES - Print sizes in bytes.
  • SEC - Copy files with security (equivalent to /COPY:DATS). Data, attributes, timestamps and security (ACLs).
  • B - Backup mode is a way to read and write files ignoring any permissions problems. It uses the SeBackupPrivilege (reading) and SeRestorePrivilege (writing) in order to read/write any and all files, disregarding any ACEs that would prevent you from reading or writing a file.
  • ZB - Use restartable mode; if access denied use Backup mode.
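The same dated mirror backup driven from PowerShell, added here as an example (not the page's own script): the date no longer depends on the locale layout of %date%, and the robocopy exit code is checked instead of ignored. Source, destination and log paths are placeholders.

```powershell
# Added example: dated mirror backup with robocopy, with the exit code interpreted.
# Paths are placeholders. /B needs SeBackupPrivilege, so run elevated.
$source = 'C:\project'
$stamp  = Get-Date -Format 'yyyy.MM.dd'          # locale-independent, unlike %date:~7,2%
$dest   = Join-Path 'D:\backups\project' $stamp
$log    = 'D:\backups\project\backup.log'

# /MIR deletes anything in $dest that no longer exists in $source.
robocopy $source $dest /MIR "/LOG+:$log" /W:5 /R:3 /MT /Z /BYTES /SEC /B /NP
$rc = $LASTEXITCODE

# robocopy's exit code is a bit mask: 1 = files copied, 2 = extra files/dirs found in the
# destination, 4 = mismatched files/dirs, 8 = some files could not be copied, 16 = fatal error.
# Anything below 8 is a successful run, so a plain "-ne 0" check would report false failures.
if ($rc -ge 8) {
    Write-Error "robocopy failed (exit code $rc); see $log"
    exit $rc
}
if ($rc -band 4) { Write-Warning "mismatched entries were found (exit code $rc); check $log" }
Write-Output "backup finished (exit code $rc)"
```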

Constant sync

robocopy "C:\project" "\\server\files\project\" /LOG+:sync.log /E /W:5 /R:3 /MT /Z /ETA /BYTES /SEC /MON:5 /MOT:5
  • MON - Monitor source; run again when more than n changes seen.
  • MOT - Monitor source; run again in m minutes time, if changed.

GUI

Tips from the internet

  • Use a share path for destination and source e.g. \\server.domain.com\share or \\10.1.2.3\d$ instead of D:. It removes the file depth limit (250ish characters) and lets you copy/manage things nearly no other program can.
  • Use backup mode (/B) if your account is an administrator or backup operator. This enables robocopy to copy the file even if it does not have NTFS permissions for it.
  • Copying between OS older than Win 7 or 2008 R2? If so you are stuck with a single thread. It can be substantially quicker to have a 3rd machine running Win 7 / 2008 R2 or newer doing the robocopy process, e.g. the 3rd machine has source \\comp1\share and destination \\comp2\share.
  • Job files. Save your parameters for future use with /save:filename.rcj. All your parameters are put in a job file you can use again with robocopy /job:filename.rcj. Even better, you can then modify that job file for all future jobs and have a clearer and more logical working method.
  • Be careful of "c:\documents and settings" in older OSes. I have seen robocopy get in a loop of following symbolic links and keep copying the same 20GB or so until the destination volume is full (terabytes).
  • Using /XJ fixes the issue with docs and settings; it will ignore junction points. Can sometimes cause other issues but will not loop.

Checks

Network

  • ipconfig /displaydns Display DNS information
  • ipconfig /flushdns Flush DNS cache
  • ipconfig /release & ipconfig /renew Ask for another IP address

Ping

A ping reply, or the lack of one, does not by itself prove that the network or the system is working or broken (ICMP may be filtered while services still answer, and vice versa).

@echo off
rem Save as a .bat file. Loops forever; Ctrl+C to stop.
:loop
rem "TTL=" only appears in a real echo reply; "Reply from" also matches the
rem "Destination host unreachable" answers a router sends back.
ping 1.1.1.1 -n 1 | findstr "TTL="
rem Wait about 4 seconds between probes (ping to localhost used as a sleep).
ping -n 5 127.0.0.1 > nul
goto loop

ARP ping

Delete the ARP tables, do a ping, check the ARP tables.

arp -d
ping 0x0A000101 # 10.0.1.1
arp -a

Port

Test-NetConnection documentation

Test-NetConnection -ComputerName www.contoso.com -Port 80 -InformationLevel Detailed
Test-NetConnection -ComputerName www.contoso.com -DiagnoseRouting -InformationLevel Detailed
Test-NetConnection -ComputerName "www.contoso.com" -ConstrainInterface 5 -DiagnoseRouting -InformationLevel "Detailed"

Check an open port every 5 seconds and display the time if it goes down.

While ( $true ) {
    # -WarningAction hides the "TCP connect failed" warning; the boolean result is what matters
    $up = Test-NetConnection 1.1.1.1 -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    If ( -Not $up ) { Get-Date -UFormat %H:%M:%S }   # print the time whenever the port stops answering
    Start-Sleep -Seconds 5
}

Listening ports

TCP

Get-Process -Id (Get-NetTCPConnection -LocalPort YourPortNumberHere).OwningProcess

UDP

Get-Process -Id (Get-NetUDPEndpoint -LocalPort YourPortNumberHere).OwningProcess

CMD

netstat -a -b
  • -a - Displays all connections and listening ports.
  • -b - Displays the executable involved in creating each connection or listening port.
  • -n - Displays addresses and port numbers in numerical form.
  • -o - Displays the owning process ID associated with each connection
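A baseline of every listening port with its owning process and executable path, added here as an example (not from the original page). It assumes the NetTCPIP module (Windows 8 / Server 2012 and later) and an elevated session so that paths of system processes are visible.

```powershell
# Added example: inventory listening TCP ports and UDP endpoints with owning process and path.
function Get-ListeningInventory {
    # Index processes by PID once instead of calling Get-Process per endpoint
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess

    @($tcp) + @($udp) | ForEach-Object {
        # OwningProcess is UInt32; the hashtable keys are Int32, so cast before the lookup
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            Proto   = $_.Proto
            Address = $_.LocalAddress
            Port    = $_.LocalPort
            PID     = $_.OwningProcess
            Process = if ($p) { $p.ProcessName } else { '<exited>' }
            Path    = if ($p) { $p.Path } else { $null }   # $null for protected processes when not elevated
        }
    } | Sort-Object Proto, Port
}

$inventory = Get-ListeningInventory
# Ports bound on all interfaces by a binary outside the Windows directory deserve a closer look.
$inventory |
    Where-Object { ($_.Address -in @('0.0.0.0', '::')) -and $_.Path -and ($_.Path -notlike 'C:\Windows\*') } |
    Format-Table -AutoSize
$inventory | Export-Csv -Path .\ListeningPorts.csv -NoTypeInformation
```

Keep the exported CSV as a baseline and diff later runs against it to spot new listeners.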

Wifi status

netsh wlan show wlanreport

It is saved to C:\ProgramData\Microsoft\Windows\WlanReport\wlan-report-latest.html

Hash

certutil -hashfile <file> <hash>
certutil -hashfile file.ext md5

<hash> can be MD2, MD4, MD5, SHA1, SHA256, SHA384 or SHA512.

Hardware

  • powercfg /batteryreport Battery status
  • powercfg /sleepstudy /duration 7 Battery drain during standby
  • systeminfo Basic report of system information

Recreate a domain profile

Open "System properties".

rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl

Or open Run and type sysdm.cpl, or run control sysdm.cpl,,3.

Or go to "Control Panel" -> "System" -> "Change settings".

Linux is inconsistent because you have 20 different ways of doing the same fucking thing....

Go to the tab "Advanced", subsection "User profiles" and click in "Settings...".

Select the profile.

Go to C:\Users\ and move the user directory, for example by appending .old to its name.

Go back to "System properties" and delete the user profile.

If Windows does not decide to shit itself it will not delete the user data.

You may be able to delete from mmc...

Manually


  1. Reboot the computer to release any locks on the profile.
  2. Log on with an administrative account.
  3. Navigate to the C:\Users\ folder.
  4. Rename the user profile with the word “.old” at the end of it. Example: “username” becomes “username.old”
  5. Delete these two registry keys for that user. Open regedit.exe and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Find the subkey whose ProfileImagePath value lists the user name. Note the last four digits of the value, then delete the subkey. Then navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileGuid and find and delete the key with the four digits from the last step.
  6. Reboot the computer again.
  7. Login with the users credentials.
  8. Transfer data from the user's old profile (username.old) into the user's new profile (username) one folder at a time. Do not transfer the AppData contents unless you specifically know what you are looking for. This folder is most likely housing the garbage that jacked up the user profile in the first place.
    1. If the user was fond of Sticky Notes, they can be found here: C:\Users\username\AppData\Roaming\Microsoft\Sticky Notes
    2. Web Browsers such as Chrome, Firefox, etc. often time store the user data in the AppData folder as well. For example you may need to reach back and restore the users Google Chrome folder here: C:\Users\username\AppData\Local\Google\Chrome\User Data
  9. After you are sure that you have moved all the users data from the old profile on to the new profile, you may delete the old profile.
  10. Another reboot may be required.
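A lookup that finds the ProfileList and ProfileGuid keys for a user before step 5 is done by hand, added here as an example (not from the page or its source). It links the two keys through the SidString value under ProfileGuid rather than by eyeballing the last four digits; the user name is a placeholder and the deletion is left as a dry run.

```powershell
# Added example: locate a user's ProfileList and ProfileGuid registry keys. Run elevated.
function Find-ProfileKeys {
    param([Parameter(Mandatory)][string]$UserName)
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $profileGuid = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileGuid'

    Get-ChildItem $profileList | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        # ProfileList is keyed by SID; match on the profile folder name, not the account display name
        if ($p.ProfileImagePath -and ((Split-Path $p.ProfileImagePath -Leaf) -ieq $UserName)) {
            $sid = $_.PSChildName
            # ProfileGuid has one subkey per profile GUID whose SidString value points back to the SID
            $guidKey = Get-ChildItem $profileGuid -ErrorAction SilentlyContinue |
                Where-Object { (Get-ItemProperty $_.PSPath).SidString -eq $sid }
            [pscustomobject]@{
                SID       = $sid
                ImagePath = $p.ProfileImagePath
                Key       = $_.PSPath
                GuidKey   = if ($guidKey) { $guidKey.PSPath } else { $null }
            }
        }
    }
}

$keys = Find-ProfileKeys -UserName 'username'   # placeholder account
$keys | Format-List

# Dry run; remove -WhatIf only once the listing shows exactly the keys you expect to delete.
$keys | ForEach-Object {
    Remove-Item -Path $_.Key -Recurse -WhatIf
    if ($_.GuidKey) { Remove-Item -Path $_.GuidKey -Recurse -WhatIf }
}
```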

Gather information

Drivers

driverquery

driverquery /fo csv > driver.txt
Options:

  • /s <system> - Specifies the name or IP address of a remote computer. Do not use backslashes. The default is the local computer.
  • /u [<domain>\]<user> - Runs the command with the credentials of the user account as specified by user or domain\user. By default, /s uses the credentials of the user who is currently logged on to the computer that is issuing the command. /u can't be used unless /s is specified.
  • /p <password> - Specifies the password of the user account that is specified in the /u parameter. /p cannot be used unless /u is specified.
  • /fo table - Formats the output as a table. This is the default.
  • /fo list - Formats the output as a list.
  • /fo csv - Formats the output with comma-separated values.
  • /nh - Omits the header row from the displayed driver information. Not valid if the /fo parameter is set to list.
  • /v - Displays verbose output. /v is not valid for signed drivers.
  • /si - Provides information about signed drivers.
  • /? - Displays help at the command prompt.

Temperature

CMD

wmic /namespace:\\root\wmi PATH MSAcpi_ThermalZoneTemperature get CriticalTripPoint,CurrentTemperature

PowerShell

$temp = Get-WMIObject MSAcpi_ThermalZoneTemperature -Namespace "root/wmi"
$temp | Select-Object -Property InstanceName,@{n="Temps F";e={(($_.currenttemperature /10 -273.15) *1.8 +32)}}

CurrentTemperature is reported in tenths of a kelvin: divide by 10 and subtract 273.15 to get degrees Celsius (the expression above then converts to Fahrenheit).


Useful commands

Hashes

Get-FileHash file.ext
Get-FileHash -Path file.ext -Algorithm SHA256
certutil -hashfile c:\Users\YourUserName\Desktop\wire.exe SHA256

Export all drivers

PowerShell:

Export-WindowsDriver -Online -Destination C:\temp

Execute as Administrator without the user knowing the password

I do not know the repercussions of this.

  1. Create a shortcut to C:\Windows\System32\runas.exe on the desktop.
  2. Edit its target, appending /user:computername\username /savecred "C:\path\to\executable.exe".
  3. Change name, icon, ....

The first time it will ask for the password and save it in Credential Manager. From then on anyone logged in to that Windows account can run any program as the saved user through runas /savecred without knowing the password, so list stored credentials with cmdkey /list and remove unwanted ones with cmdkey /delete:<target>.


Securely Wipe a drive

How to securely wipe a drive from Windows. First delete all files and format the drive, then run cipher to overwrite all deallocated space on the drive. Note that cipher /w only overwrites free space on the volume, and on SSDs wear levelling means overwriting does not guarantee the old data is gone; use the drive's own secure-erase (sanitize) command for those.

cipher /w:E:

Where E: is the letter of the drive.

ss64's cipher documentation
