Windows: Difference between revisions
(49 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
=connect to windows from windows(rdp)= | |||
mstsc /v:172.30.142.11 | |||
Login with password. | |||
# Create credentials | |||
cmdkey /generic:"<servername>" /user:"<username>" /pass:"<password>" | |||
# Connect MSTSC with servername and credentials created before | |||
mstsc /v:<servername> | |||
# Delete the credentials after MSTSC session is done | |||
cmdkey /delete:TERMSRV/<servername> | |||
=which version of powershell is installed= | =which version of powershell is installed= | ||
$PSVersionTable | $PSVersionTable | ||
Line 22: | Line 32: | ||
=restart network= | =restart network= | ||
netsh interface set interface extbond admin = disabled | |||
ping 127.0.0.1 -n 6 | |||
netsh interface set interface extbond admin = enabled | |||
=Profile= | =Profile= | ||
Line 42: | Line 47: | ||
Shutdown | Shutdown | ||
shutdown /t 0 /s /f | shutdown /t 0 /s /f | ||
logoff | logoff/logout | ||
shutdown /l /f | shutdown /l /f | ||
Line 129: | Line 134: | ||
=restart-service= | =restart-service= | ||
restart-service ipremote -force | restart-service ipremote -force | ||
restart-service check_mk_agent -force | |||
Restart-Service -Force -Name "TermService" | |||
=start-service= | =start-service= | ||
start-service ipeventwatcher | start-service ipeventwatcher | ||
Line 173: | Line 181: | ||
$Computer="127.0.0.1"; $Port=20010; $Socket = New-Object Net.Sockets.TcpClient;($Socket.BeginConnect($Computer, $Port, $Null, $Null)).AsyncWaitHandle.WaitOne(200);$Socket.Close(); | $Computer="127.0.0.1"; $Port=20010; $Socket = New-Object Net.Sockets.TcpClient;($Socket.BeginConnect($Computer, $Port, $Null, $Null)).AsyncWaitHandle.WaitOne(200);$Socket.Close(); | ||
=What is using tcp connections= | |||
Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending | |||
=grep= | =grep= | ||
gc IPremoteDebug.log | select-string "ip2date" | gc IPremoteDebug.log | select-string "ip2date" | ||
=List all processes. Grep for string= | |||
Get-Process -IncludeUserName | findstr dkarlslatt | |||
=grep recursive= | =grep recursive= | ||
dir -Recurse | Select-String -pattern "192.168.19.102" | dir -Recurse | Select-String -pattern "192.168.19.102" | ||
Line 180: | Line 194: | ||
=list processes= | =list processes= | ||
Get-Process | Get-Process | ||
=kill processes from user= | |||
Get-Process -IncludeUserName | Where UserName -match joe | Stop-Process -force | |||
=restart processes= | =restart processes= | ||
get-process -name powershellserver | stop-process | get-process -name powershellserver | stop-process | ||
Line 211: | Line 228: | ||
Value returned is in Scientific notation format. Add number of zeroes to value. 1.00E-6 is 1000000. | Value returned is in Scientific notation format. Add number of zeroes to value. 1.00E-6 is 1000000. | ||
'(gci "D:\data\db" | measure Length -s).Sum /1GB' | '(gci "D:\data\db" | measure Length -s).Sum /1GB' | ||
=remove directory= | |||
rd /s /q $DIRECTORY | |||
=dir human readable file size= | =dir human readable file size= | ||
Line 245: | Line 264: | ||
List events sins date. | List events sins date. | ||
Get-EventLog -LogName Application -after "den 5 november 2014 10:00:00" | Get-EventLog -LogName Application -after "den 5 november 2014 10:00:00" | ||
=get-winevent= | |||
# List event logs. | |||
Get-WinEvent -ListLog * | where {$_.RecordCount -gt 0} | |||
# Get latest rdp log entries. | |||
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | select * -first 1 | fl | |||
=date= | =date= | ||
Get-Date | Get-Date | ||
Line 271: | Line 296: | ||
Which architecture. | Which architecture. | ||
gwmi win32_operatingsystem | select osarchitecture | gwmi win32_operatingsystem | select osarchitecture | ||
=set windows proxy= | |||
Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyEnable -Value 1 | |||
Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyServer -Value proxy.int.redbridge.se":"3128 | |||
Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyOverride -Value "*.redbridge.se" | |||
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' | findstr Proxy | |||
=Is proxy bypassed= | =Is proxy bypassed= | ||
$url = "http://10.127.12.10";$webclient = New-Object System.Net.WebClient; $webclient.Proxy.IsBypassed($url) | $url = "http://10.127.12.10";$webclient = New-Object System.Net.WebClient; $webclient.Proxy.IsBypassed($url) | ||
=curl= | =curl= | ||
(Invoke-WebRequest http://localhost/Requests -UseBasicParsing).content | (Invoke-WebRequest http://localhost/Requests -UseBasicParsing).content | ||
curl -TimeoutSec 1 https://halfface.se | |||
=wget= | =wget= | ||
Invoke-WebRequest -Uri "http://1.2.3.4/file.txt" -OutFile "file.txt" | Invoke-WebRequest -Uri "http://1.2.3.4/file.txt" -OutFile "file.txt" | ||
Line 400: | Line 434: | ||
=create windows boot media under linux= | =create windows boot media under linux= | ||
woeusb --device / | woeusb --target-filesystem NTFS --device /install/system/win10/Win10_1909_EnglishInternational_x64.iso /dev/sdb | ||
=rename computer= | =rename computer= | ||
$NewName="alva" | $NewName="alva" | ||
Line 417: | Line 452: | ||
=disable defender= | =disable defender= | ||
Set-MpPreference -DisableRealtimeMonitoring $true | Set-MpPreference -DisableRealtimeMonitoring $true | ||
REG ADD "hklm\software\policies\microsoft\windows defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /F | |||
=list scheduled tasks= | =list scheduled tasks= | ||
'Get-ScheduledTask | Ft -autosize | out-string -width 4096' | 'Get-ScheduledTask | Ft -autosize | out-string -width 4096' | ||
Line 444: | Line 481: | ||
=bitlocker read from linux= | =bitlocker read from linux= | ||
https://www.ceos3c.com/open-source/open-bitlocker-drive-linux/ | https://www.ceos3c.com/open-source/open-bitlocker-drive-linux/ | ||
=runas= | =runas(sudo)= | ||
Run command as other user. | Run command as other user. | ||
runas /user:%computername%\root cmd | runas /user:%computername%\root cmd | ||
=install sshd= | =install sshd= | ||
On Windows 10 version 1803 and newer | On Windows 10 version 1803 and newer | ||
Line 465: | Line 503: | ||
Set-Service -Name sshd -StartupType Automatic | Set-Service -Name sshd -StartupType Automatic | ||
=show routes= | =show routes= | ||
Get-NetRoute -InterfaceIndex 12 | |||
cmd | |||
route print -4 | route print -4 | ||
Add route | |||
New-NetRoute -DestinationPrefix "10.0.0.0/24" -InterfaceIndex 12 -NextHop 192.168.0.1 | |||
cmd | |||
route -p ADD 10.255.240.0 MASK 255.255.255.0 172.30.103.4 | |||
route -p add 0.0.0.0 mask 0.0.0.0 172.30.103.10 | |||
Get routing information. | |||
Find-NetRoute -RemoteIPAddress "10.0.0.34" | Select-Object ifIndex,DestinationPrefix,NextHop,RouteMetric -Last 1 | |||
=last login on local machine= | |||
get-localuser | Select Name,LastLogon | sort LastLogon | |||
=last logged in user and grep for user= | |||
Function Get-LoginEvents { | |||
Param ( | |||
[Parameter( | |||
ValueFromPipeline = $true, | |||
ValueFromPipelineByPropertyName = $true | |||
)] | |||
[Alias('Name')] | |||
[string]$ComputerName = $env:ComputerName | |||
, | |||
[datetime]$StartTime | |||
, | |||
[datetime]$EndTime | |||
) | |||
Begin { | |||
enum LogonTypes { | |||
Interactive = 2 | |||
Network = 3 | |||
Batch = 4 | |||
Service = 5 | |||
Unlock = 7 | |||
NetworkClearText = 8 | |||
NewCredentials = 9 | |||
RemoteInteractive = 10 | |||
CachedInteractive = 11 | |||
} | |||
$filterHt = @{ | |||
LogName = 'Security' | |||
ID = 4624 | |||
} | |||
if ($PSBoundParameters.ContainsKey('StartTime')){ | |||
$filterHt['StartTime'] = $StartTime | |||
} | |||
if ($PSBoundParameters.ContainsKey('EndTime')){ | |||
$filterHt['EndTime'] = $EndTime | |||
} | |||
} | |||
Process { | |||
Get-WinEvent -MaxEvents 100 -ComputerName $ComputerName -FilterHashtable $filterHt | foreach-Object { | |||
[pscustomobject]@{ | |||
ComputerName = $ComputerName | |||
UserAccount = $_.Properties.Value[5] | |||
UserDomain = $_.Properties.Value[6] | |||
LogonType = [LogonTypes]$_.Properties.Value[8] | |||
WorkstationName = $_.Properties.Value[11] | |||
SourceNetworkAddress = $_.Properties.Value[19] | |||
TimeStamp = $_.TimeCreated | |||
} | |||
} | |||
} | |||
End{} | |||
} | |||
Get-LoginEvents > login | |||
gc login | select-string dabuzaid -Context 5 | |||
=powersave disable= | |||
powercfg /x -hibernate-timeout-ac 0 | |||
powercfg /x -hibernate-timeout-dc 0 | |||
powercfg /x -disk-timeout-ac 0 | |||
powercfg /x -disk-timeout-dc 0 | |||
powercfg /x -monitor-timeout-ac 0 | |||
powercfg /x -monitor-timeout-dc 0 | |||
Powercfg /x -standby-timeout-ac 0 | |||
powercfg /x -standby-timeout-dc 0 | |||
=hostname= | |||
Get fqdn | |||
[System.Net.Dns]::GetHostByName($env:computerName).HostName | |||
"$env:computername.$env:userdnsdomain" | |||
=resolve hostname= | |||
Resolve-DnsName -server 8.8.8.8 smtp.google.com | Format-Table Name, IPAddress -HideTableHeaders | |||
=clear screen reset= | |||
cls | |||
=top= | |||
While(1) {ps | sort -des cpu | select -f 15 | ft -a; sleep 1; cls} | |||
=get users sid= | |||
wmic useraccount where name='dkarlslatt' get sid | |||
=traceroute= | |||
Test-NetConnection "IPaddress/HOSTaname" -TraceRoute | |||
=name of ad servers= | |||
nslookup -type=srv _ldap._tcp.dc._msdcs.${AD} | |||
=iis logfiles= | |||
Read last lines from iis log. | |||
gc -Tail 10 "C:\InetPub\Logs\LogFiles\W3SVC1\u_ex$(Get-Date -F 'yyMMdd').log" | |||
=join domain= | |||
netdom join %computername% /domain:your.ADDomainToJoin.net /UserD:LoginWithJoinPermissions /PasswordD:%password% | |||
=windows update info= | |||
wmic qfe list | |||
=patch= | |||
Update release area Windows. | |||
servicepack.exe -s:z:\w2k3 | |||
=get date in iso format= | |||
Get-Date (Get-Date) -UFormat '+%Y-%m-%d %H:%M:%S' | |||
=format-list(fl)= | |||
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | select * -first 1 | fl | |||
=whoami= | |||
echo "$env:UserDomain $env:UserName $env:ComputerName" | |||
=group= | |||
(New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($env:username)))")).FindOne().GetDirectoryEntry().memberOf | |||
=unzip= | |||
Expand-Archive C:\a.zip | |||
=take ownership and remove= | |||
Remove-Item -Recurse -Force <directory> | |||
takeown /a /r /d Y /f <directory> | |||
=print info to remove directories= | |||
Prepare with two lists. One with users who are suitable to have their directories removed. And one list with the output from dir in c:\users. | |||
cat uc-remote01_login.txt | while read WIN_USER WIN_DATE ; do echo '#' $WIN_USER $WIN_DATE ; DIRECTORY=$(grep " $WIN_USER" uc-remote01_users.txt) ; if [ "${DIRECTORY}" ] ; then echo Remove-Item -Recurse -Force $WIN_USER \; takeown /a /r /d Y /f $WIN_USER \; Remove-Item -Recurse -Force $WIN_USER ; fi ; done | |||
=list environments variables= | |||
dir env: | |||
=list shares= | |||
Get-SmbShare |
Latest revision as of 09:36, 12 February 2024
connect to windows from windows(rdp)
mstsc /v:172.30.142.11
Login with password.
# Create credentials cmdkey /generic:"<servername>" /user:"<username>" /pass:"<password>" # Connect MSTSC with servername and credentials created before mstsc /v:<servername> # Delete the credentials after MSTSC session is done cmdkey /delete:TERMSRV/<servername>
which version of powershell is installed
$PSVersionTable
hibernate
powercfg.exe -h off
enable powershell
set-executionpolicy unrestricted
Configure network
- Static ip.
netsh interface ip set address name="Local Area Connection" static 192.168.122.41 255.255.255.0 192.168.122.1 1
- Dhcp
netsh interface is set address name="Local Area Connection" dhcp
- Verify mtu settings.
netsh interface ipv4 show subinterfaces
- Set correct mtu.
netsh interface ipv4 set subinterface "Ethernet 2" mtu=1000
extract msi
msiexec /a "C:\software.msi" /qb TARGETDIR="C:\Folder"
restart network
netsh interface set interface extbond admin = disabled ping 127.0.0.1 -n 6 netsh interface set interface extbond admin = enabled
Profile
- Profile
C:\Users\abjorklund\AppData\Roaming\Microsoft\Windows\Start Menu
restart via rdesktop
CTRL + ALT + END
alternative shutdown
Shutdown with restart
shutdown /t 0 /r /f
Shutdown
shutdown /t 0 /s /f
logoff/logout
shutdown /l /f
change password
Start a command prompt as administrator.
net user username password
activate account
net user username /active:yes
remove cached passwords
list/remove cached passwords graphically
rundll32.exe keymgr.dll,KRShowKeyMgr
list/remove cached passwords cli
cmdkey /list
is your account locked. bat file
@echo off :again date /t & time /t net user /domain mdinkel > c:\temp\mdinkel find "active" c:\temp\mdinkel timeout 10 goto again
unlock account
Net user username /DOMAIN /active:YES
Browse active dirctory structure
adsiedit.msc
time zone conversion
Here you can convert from Windows to unix time zones tz.
http://www.unicode.org/cldr/charts/latest/supplemental/zone_tzid.html
uptime
net statistics server
Uptime and other information
systeminfo /FO CSV | ConvertFrom-CSV
credetial manager empty cache
rundll32.exe keymgr.dll,KRShowKeyMgr
remote powershell pssession
Create pssession.
$secpasswd = ConvertTo-SecureString "*************" -AsPlainText -Force $mycreds = New-Object System.Management.Automation.PSCredential ("domain\user", $secpasswd) New-PSSession -ComputerName 10.111.222.5 -Credential $mycreds
get pssessions.
get-pssession
enter pssession
Enter-PSSession -Name Enter-PSSession -ComputerName 10.50.197.70 Enter-PSSession 172.18.1.198 -Credential domain\uer
remove pssession
remove-pssession -name Session15
Run remote command.
Invoke-Command -name "Session14" -ScriptBlock { hostname }
Login to remote machine
Enter-PSSession 10.50.197.70 -Credential $mycreds
PowerShell
gc
Get-content. Print content of file.
gc c:\temp\file.txt
Set-content
Set-Content -path REMOTE\Filename.txt
Out-File
Out-File -Encoding UTF8
replace text in file
Get-Content REMOTE\Filename.txt | foreach-object { $_ -replace "OLD", "NEW" } | Set-Content REMOTE\Filename.txt
get-service
Status of one service.
get-service ipeventwatcher
status of all services. list services.
Get-Service
find service
get-service *service_to_find* | select -expand name
stop-service
stop-service ipeventwatcher
restart-service
restart-service ipremote -force restart-service check_mk_agent -force Restart-Service -Force -Name "TermService"
start-service
start-service ipeventwatcher
autostart service
Set-Service -Name sshd -StartupType Automatic
variable
Set variable to content of file.
$a = gc IPremote.exe.config
md5sum
[CmdletBinding(SupportsShouldProcess=$False)] param([string]$File) function Get-Checksum([string]$strInFile) { $objCrypto = New-Object "System.Security.Cryptography.MD5CryptoServiceProvider" $objFile = Get-Item $strInFile $objStream = $objFile.OpenRead() $objBytes = $objCrypto.ComputeHash($objStream) $strChecksum = "" foreach($objByte in $objBytes) { $strChecksum += $objByte.ToString('x2') } $objStream.Close() | Out-Null return $strChecksum } $strFileToCheck = $File if(Test-Path($strFileToCheck)) { Get-Checksum $strFileToCheck }
Get md5sum of all files.
gci * | Get-FileHash -Algorithm md5 | ft Hash,@{n="File";e={(Get-item $_.Path).Name}}
tcp connect port
netcat nc
(New-Object Net.Sockets.TcpClient).Connect("1.2.3.4",80) $Tcp = New-Object Net.Sockets.TcpClient;$Tcp.BeginConnect("1.2.3.4", 80, $null, $null).AsyncWaitHandle.WaitOne(5000);$Tcp.Close() New-Object System.Net.Sockets.TCPClient -ArgumentList "1.2.3.4",3389 Test-NetConnection -ComputerName 192.168.122.1 -InformationLevel Detailed -port 23
Latest and greatest.
$Computer="127.0.0.1"; $Port=20010; $Socket = New-Object Net.Sockets.TcpClient;($Socket.BeginConnect($Computer, $Port, $Null, $Null)).AsyncWaitHandle.WaitOne(200);$Socket.Close();
What is using tcp connections
Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending
grep
gc IPremoteDebug.log | select-string "ip2date"
List all processes. Grep for string
Get-Process -IncludeUserName | findstr dkarlslatt
grep recursive
dir -Recurse | Select-String -pattern "192.168.19.102"
list processes
Get-Process
kill processes from user
Get-Process -IncludeUserName | Where UserName -match joe | Stop-Process -force
restart processes
get-process -name powershellserver | stop-process
clear content
Clear-Content filename.doc
dir recursive
dir /a/s/b filename.txt
dir recursive
'Get-ChildItem "c:\program files\" -rec | ForEach-Object -Process {$_.FullName}' 'Get-ChildItem . -recurse -force | ForEach-Object -Process {$_.FullName}'
locate a file
List recursive look for file with file name.
Get-Childitem -Path C:\ -Include *filename* -Recurse -ErrorAction SilentlyContinue
dir filename size
'get-childitem "C:\Program Files\directory" -rec | where {!$_.PSIsContainer} | select-object Name, Length'
find old files
Get-ChildItem | Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays(-30)}
find old files and remove them
$Folder = "G:\Downloads" #Delete files older than 6 months Get-ChildItem $Folder -Recurse -Force -ea 0 | ? {!$_.PsIsContainer -and $_.LastWriteTime -lt (Get-Date).AddDays(-180)} | ForEach-Object { $_ | del -Force $_.FullName | Out-File C:\log\deletedlog.txt -Append }
calculate size of directory
Value returned is in Scientific notation format. Add number of zeroes to value. 1.00E-6 is 1000000.
'(gci "D:\data\db" | measure Length -s).Sum /1GB'
remove directory
rd /s /q $DIRECTORY
dir human readable file size
function
Function Format-FileSize() { Param ([int]$size) If ($size -gt 1TB) {[string]::Format("{0:0.00} TB", $size / 1TB)} ElseIf ($size -gt 1GB) {[string]::Format("{0:0.00} GB", $size / 1GB)} ElseIf ($size -gt 1MB) {[string]::Format("{0:0.00} MB", $size / 1MB)} ElseIf ($size -gt 1KB) {[string]::Format("{0:0.00} kB", $size / 1KB)} ElseIf ($size -gt 0) {[string]::Format("{0:0.00} B", $size)} Else {""} }
command
Get-ChildItem | Select-Object Name, @{Name="Size";Expression={Format-FileSize($_.Length)}}
base64
decode base64 string
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("YmxhaGJsYWg="))
decode content of file.
ssh ip_address_hostname '$Text=(get-content "C:\Program Files\application\application.log") ; $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text) ; $EncodedText =[Convert]::ToBase64String($Bytes) ; $EncodedText' | base64 -d
troubleshooting network
netstat -ano | findstr <ipremote-pid>
diff
Compare two files.
compare-object (get-content one.txt) (get-content two.txt)
log file. Eventlog
List event logs.
Get-EventLog -list
List evnts in a log.
Get-EventLog -LogName IPremoteLog
List events sins date.
Get-EventLog -LogName Application -after "den 5 november 2014 10:00:00"
get-winevent
# List event logs. Get-WinEvent -ListLog * | where {$_.RecordCount -gt 0} # Get latest rdp log entries. Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | select * -first 1 | fl
date
Get-Date
Date in iso format.
Get-Date -UFormat '+%Y-%m-%d %H:%M:%S.000Z'
full output
Print all variable with full output
'(Get-Variable).StdOut'
Send output to line like the following to get more output.
| Ft -autosize | out-string -width 4096
restart services via samba
install samba-common
yum install samba-common
List services.
net rpc service list -I IPADDRESS -U USERNAME%PASSWORD
Stop service.
net rpc service start ipremote -I IPADDRESS -U 'user%password'
Start service.
net rpc service start ipeventwatcher -I IPADDRESS -U 'user%password'
Windows version
[System.Environment]::OSVersion.Version http://msdn.microsoft.com/en-us/library/windows/desktop/ms724833%28v=vs.85%29.aspx (Get-WmiObject -class Win32_OperatingSystem).Caption
Which architecture.
gwmi win32_operatingsystem | select osarchitecture
set windows proxy
Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyEnable -Value 1 Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyServer -Value proxy.int.redbridge.se":"3128 Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyOverride -Value "*.redbridge.se" Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' | findstr Proxy
Is proxy bypassed
$url = "http://10.127.12.10";$webclient = New-Object System.Net.WebClient; $webclient.Proxy.IsBypassed($url)
curl
(Invoke-WebRequest http://localhost/Requests -UseBasicParsing).content curl -TimeoutSec 1 https://halfface.se
wget
Invoke-WebRequest -Uri "http://1.2.3.4/file.txt" -OutFile "file.txt"
turn of index services when computer is not used
In stopindexer enter the line
net stop wsearch
In the startindexer enter the line
net start wsearch
robocopy(backup)
robocopy C:\Users\user_name\Documents h:\backup\user_name /e /mir /np /log+:c:\temp\backup_log.txt
number of cpus
Get-WmiObject -class Win32_processor | ft systemname,Name,DeviceID,NumberOfCores,NumberOfLogicalProcessors, Addresswidth
cpu_usage
Get-Counter '\Process(*)\% Processor Time'| Select-Object -ExpandProperty countersamples | Select-Object -Property instancename, cookedvalue| Sort-Object -Property cookedvalue -Descending| Select-Object -First 20| ft InstanceName,@{L='CPU';E={($_.Cookedvalue/100).toString('P')}} -AutoSize | Ft -autosize | out-string -width 4096 Get-WmiObject win32_processor | select LoadPercentage |fl
Stats and all processes. Including process running under svhost.
$CpuInfo = Get-WmiObject -Namespace "root\cimv2" -Class Win32_PerfFormattedData_PerfOS_Processor;$MemInfo = Get-WmiObject -Namespace "root\cimv2" -Class Win32_PerfFormattedData_PerfOS_Memory;$SysInfo = Get-WmiObject -Namespace "root\cimv2" -Class Win32_PerfFormattedData_PerfOS_System;$PrcInfo = Get-WmiObject -Namespace "root\cimv2" -Class Win32_PerfFormattedData_PerfProc_Process;$SvcInfo = Get-WmiObject -Namespace "root\cimv2" -Class Win32_Service;$GeneralInfo = @{};$ProcOutput = @();$ServiceTable = @{};$GeneralInfo.Add("_Name", $env:COMPUTERNAME);$GeneralInfo.Add("ProcessorQueueLength", $SysInfo.ProcessorQueueLength);$GeneralInfo.Add("PercentInterruptTime", $($a = $CpuInfo | %{$_.PercentInterruptTime}; $a -join " "));$GeneralInfo.Add("AvailableMBytes", $MemInfo.AvailableMBytes);$GeneralInfo.Add("PercentIdleTime", $($a = $CpuInfo | %{$_.PercentIdleTime}; $a -join " "));$GeneralInfo.Add("PercentPrivilegedTime", $($a = $CpuInfo | %{$_.PercentPrivilegedTime}; $a -join " "));$GeneralInfo.Add("TotalMemory", (Get-WmiObject Win32_ComputerSystem | %{$_.TotalPhysicalMemory}));$GeneralInfo.Add("PercentProcessorTime", $($a = $CpuInfo | %{$_.PercentProcessorTime}; $a -join " "));$GeneralInfo.Add("CacheBytes", $MemInfo.CacheBytes);$GeneralInfo.Add("PercentUserTime", $($a = $CpuInfo | %{$_.PercentUserTime}; $a -join " "));$GeneralInfo.Add("CommittedBytes", $MemInfo.CommittedBytes);$GeneralInfo.GetEnumerator() | Sort-Object -Property Name | ForEach-Object {Write-Host -Object ($_.Name + ": ") -NoNewline; Write-Host -Object $_.Value};foreach($Service in $SvcInfo) {$ProcId = $Service.ProcessId.ToString();if($ProcId -ne "0") {if($ServiceTable.ContainsKey($ProcId)) {$Value = $ServiceTable.Get_Item($ProcId);$Value += $Service.Name;$ServiceTable.Set_Item($ProcId, $Value);} else {$ServiceTable.Add($ProcId, @($Service.Name));}}}foreach($proc in $PrcInfo) {$Obj = New-Object psobject;$Obj | Add-Member -MemberType NoteProperty -Name "Process" -Value $proc.Name;$Obj | Add-Member -MemberType NoteProperty -Name "CPU" -Value $proc.PercentProcessorTime;$Obj | Add-Member -MemberType NoteProperty -Name "Thread" -Value $proc.ThreadCount;$Obj | Add-Member -MemberType NoteProperty -Name "Handle" -Value $proc.HandleCount;$Obj | Add-Member -MemberType NoteProperty -Name "Services" -Value ($ServiceTable.Get_Item($proc.IDProcess.ToString()) -join ",");$ProcOutput += $Obj;}$ProcOutput | ft -AutoSize
Sort processes by mem usage.
get-wmiobject WIN32_PROCESS | Sort-Object -Property ws -Descending|select -first 20|Select processname, @{Name="Mem Usage(MB)";Expression={[math]::round($_.ws / 1mb)}},@{Name="ProcessID";Expression={[String]$_.ProcessID}},@{Name="UserID";Expression={$_.getowner().user}} | Ft -autosize | out-string -width 4096
total memory in machine
Get-WMIObject -class win32_physicalmemory | Format-Table devicelocator, capacity -a
how much memory is free in GB
$freemem = Get-WmiObject -Class Win32_OperatingSystem; echo ([math]::round(($freemem.FreePhysicalMemory / 1024 / 1024), 2))
disk usage
Get-PSDrive
tail
Get last 10 lines
Get-Content [filename] | Select-Object -Last 10
tail -f
Get-Content filename.log -Wait
Since PowerShell 3.
gc -Tail 10 log.txt
head
get first 10 lines of file.
gc log.txt | select -first 10
get first 10 lines of file.
gc -TotalCount 10 log.txt
wc count lines
Get-Content C:\temp\ERRORLOG.5 | Measure-Object -line
disable firewall
From the command line
netsh advfirewall set allprofiles state off
Using Powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
which firewall profiles are available
get-netfirewallprofile | select name,DefaultInboundAction,DefaultOutBoundAction | ft -a
which firewall profile is being used
get-NetConnectionProfile
which ports are open
Get-NetFirewallRule | Where { $_.Enabled -eq "True" -and $_.Direction -eq "Inbound" }
which rules exist
Get-NetFirewallRule
open port in firewall
netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
firewall get more info about opening
get-netfirewallrule -DisplayName "Remote Desktop - User Mode (TCP-In)"
add administrative user
Create user
net user /add root [password]
Add user to local group.
net localgroup administrators root /add
list local groups
Get-LocalGroup
Which process is using port
# Which process is using port. netstat -nao | findstr :22 TCP 0.0.0.0:22 0.0.0.0:0 LISTENING 1916 # Which process has pid. get-process | findstr 1916 355 40 48752 56056 621 6,45 1916 PowerShellServer # which process has pid. tasklist | findstr 1916 PowerShellServer.exe 1916 Services 0 56.072 K
which version is installed
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize
list drives
get-psdrive wmic logicaldisk get caption
svchost.exe what is happening
tasklist /svc /fi "IMAGENAME eq svchost.exe"
computer management
Start computer management
compmgmt.msc
msinfo32
Generate report.
msinfo32
licensing
Get-wmiobject SoftwareLicensingProduct -ComputerName localhost | Where-Object {$_.ApplicationID -eq '55c92734-d682-4d71-983e-d6ec3f16059f' -and $_.licensestatus -eq '1'} | Select name, description, @{Label='computer'; Expression = {$_.PscomputerName}} | Format-List name, description, computer
add line inbetween lines
$filePath=".\path_to_file" $textToAdd="`nText to put in file" $fileContent = Get-Content $filePath $fileContent[$lineNumber+2] += $textToAdd $fileContent | Set-Content $filePath
add line to end of file
Add-Content c:\scripts\test.txt "The End"
get network settings
Get among other things mtu
Get-NetIPInterface
start time of process
List start time from processes found with Get-Process.
get-process openvpn |select starttime
list local users
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'"
list logged in users
query user /server:$SERVER
list permissions for users
Accesschk "NKS01579\ipwinpsr" -accepteula -a *
create windows boot media under linux
woeusb --target-filesystem NTFS --device /install/system/win10/Win10_1909_EnglishInternational_x64.iso /dev/sdb
rename computer
$NewName="alva" $ComputerInfo = Get-WmiObject -Class Win32_ComputerSystem $ComputerInfo.Rename($NewName) Restart-Computer
startup dir
The All Users Startup Folder is located at the following path:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
The Current User Startup Folder is located here:
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
cmd scroll mode
Alt+Space -> E -> L
rdp allow many sessions
https://github.com/stascorp/rdpwrap/releases/download/v1.6.2/RDPWrap-v1.6.2.zip
disable defender
Set-MpPreference -DisableRealtimeMonitoring $true REG ADD "hklm\software\policies\microsoft\windows defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /F
list scheduled tasks
'Get-ScheduledTask | Ft -autosize | out-string -width 4096'
scheduled tasks enable disable
Get-ScheduledTask -taskname Hive* TaskPath TaskName State -------- -------- ----- \Microsoft\Windows\User Profile Service\ HiveUploadTask Disabled
Enable scheduled task
Get-ScheduledTask -taskname Hive* | Enable-ScheduledTask
Disable scheduled task
Get-ScheduledTask -taskname Hive* | Disable-ScheduledTask
Start scheduled task
Get-ScheduledTask -taskname Hive* | Start-ScheduledTask
Get output from last scheduled command execution
Get-ScheduledTask -taskname Hive* | Get-ScheduledTaskInfo
scheduled task add
$action = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument '-NoProfile -WindowStyle Hidden -command "net user /add special_user PassW0rd ; net localgroup administrators special_user /add"' $trigger = New-ScheduledTaskTrigger -Daily -At 12am $task = Register-ScheduledTask -RunLevel "Highest" -TaskName "Add special_user" -Trigger $trigger -Action $action $task.Triggers.Repetition.Duration = "P1D" # Repeat for a duration of one day $task.Triggers.Repetition.Interval = "PT1H" # Repeat every 30 minutes, use PT1H for every hour $task.Principal = New-ScheduledTaskPrincipal -UserID "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest $task | Set-ScheduledTask
touch
echo $null >> filename
bitlocker read from linux
https://www.ceos3c.com/open-source/open-bitlocker-drive-linux/
runas(sudo)
Run command as other user.
runas /user:%computername%\root cmd
install sshd
On Windows 10 version 1803 and newer In Settings app, go to Apps > Apps & features > Manage optional features. Locate "OpenSSH server" feature, expand it, and select Install. Binaries are installed to %WINDIR%\System32\OpenSSH. Configuration file (sshd_config) and host keys are installed to %ProgramData%\ssh (only after the server is started for the first time).
You may still want to use the following manual installation, if you want to install a newer version of OpenSSH than the one built into Windows 10.
https://github.com/PowerShell/Win32-OpenSSH/releases (package OpenSSH-Win64.zip or OpenSSH-Win32.zip) As the Administrator, extract the package to C:\Program Files\OpenSSH powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1
Configuring SSH server Allow incoming connections to SSH server in Windows Firewall:
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
or go to Control Panel > System and Security > Windows Firewall1 > Advanced Settings > Inbound Rules and add a new rule for port 22. Start the service and/or configure automatic start:
start-service "OpenSSH SSH Server" Set-Service -Name sshd -StartupType Automatic
show routes
Get-NetRoute -InterfaceIndex 12
cmd
route print -4
Add route
New-NetRoute -DestinationPrefix "10.0.0.0/24" -InterfaceIndex 12 -NextHop 192.168.0.1
cmd
route -p ADD 10.255.240.0 MASK 255.255.255.0 172.30.103.4 route -p add 0.0.0.0 mask 0.0.0.0 172.30.103.10
Get routing information.
Find-NetRoute -RemoteIPAddress "10.0.0.34" | Select-Object ifIndex,DestinationPrefix,NextHop,RouteMetric -Last 1
last login on local machine
get-localuser | Select Name,LastLogon | sort LastLogon
last logged in user and grep for user
Function Get-LoginEvents { Param ( [Parameter( ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true )] [Alias('Name')] [string]$ComputerName = $env:ComputerName , [datetime]$StartTime , [datetime]$EndTime ) Begin { enum LogonTypes { Interactive = 2 Network = 3 Batch = 4 Service = 5 Unlock = 7 NetworkClearText = 8 NewCredentials = 9 RemoteInteractive = 10 CachedInteractive = 11 } $filterHt = @{ LogName = 'Security' ID = 4624 } if ($PSBoundParameters.ContainsKey('StartTime')){ $filterHt['StartTime'] = $StartTime } if ($PSBoundParameters.ContainsKey('EndTime')){ $filterHt['EndTime'] = $EndTime } } Process { Get-WinEvent -MaxEvents 100 -ComputerName $ComputerName -FilterHashtable $filterHt | foreach-Object { [pscustomobject]@{ ComputerName = $ComputerName UserAccount = $_.Properties.Value[5] UserDomain = $_.Properties.Value[6] LogonType = [LogonTypes]$_.Properties.Value[8] WorkstationName = $_.Properties.Value[11] SourceNetworkAddress = $_.Properties.Value[19] TimeStamp = $_.TimeCreated } } } End{} } Get-LoginEvents > login gc login | select-string dabuzaid -Context 5
powersave disable
powercfg /x -hibernate-timeout-ac 0 powercfg /x -hibernate-timeout-dc 0 powercfg /x -disk-timeout-ac 0 powercfg /x -disk-timeout-dc 0 powercfg /x -monitor-timeout-ac 0 powercfg /x -monitor-timeout-dc 0 Powercfg /x -standby-timeout-ac 0 powercfg /x -standby-timeout-dc 0
hostname
Get fqdn
[System.Net.Dns]::GetHostByName($env:computerName).HostName "$env:computername.$env:userdnsdomain"
resolve hostname
Resolve-DnsName -server 8.8.8.8 smtp.google.com | Format-Table Name, IPAddress -HideTableHeaders
clear screen reset
cls
top
While(1) {ps | sort -des cpu | select -f 15 | ft -a; sleep 1; cls}
get users sid
wmic useraccount where name='dkarlslatt' get sid
traceroute
Test-NetConnection "IPaddress/HOSTaname" -TraceRoute
name of ad servers
nslookup -type=srv _ldap._tcp.dc._msdcs.${AD}
iis logfiles
Read last lines from iis log.
gc -Tail 10 "C:\InetPub\Logs\LogFiles\W3SVC1\u_ex$(Get-Date -F 'yyMMdd').log"
join domain
netdom join %computername% /domain:your.ADDomainToJoin.net /UserD:LoginWithJoinPermissions /PasswordD:%password%
windows update info
wmic qfe list
patch
Update release area Windows.
servicepack.exe -s:z:\w2k3
get date in iso format
Get-Date (Get-Date) -UFormat '+%Y-%m-%d %H:%M:%S'
format-list(fl)
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | select * -first 1 | fl
whoami
echo "$env:UserDomain $env:UserName $env:ComputerName"
group
(New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($env:username)))")).FindOne().GetDirectoryEntry().memberOf
unzip
Expand-Archive C:\a.zip
take ownership and remove
Remove-Item -Recurse -Force <directory> takeown /a /r /d Y /f <directory>
print info to remove directories
Prepare with two lists. One with users who are suitable to have their directories removed. And one list with the output from dir in c:\users.
cat uc-remote01_login.txt | while read WIN_USER WIN_DATE ; do echo '#' $WIN_USER $WIN_DATE ; DIRECTORY=$(grep " $WIN_USER" uc-remote01_users.txt) ; if [ "${DIRECTORY}" ] ; then echo Remove-Item -Recurse -Force $WIN_USER \; takeown /a /r /d Y /f $WIN_USER \; Remove-Item -Recurse -Force $WIN_USER ; fi ; done
list environments variables
dir env:
Get-SmbShare