Windows: Difference between revisions

From Halfface
Jump to navigation Jump to search
Line 470: Line 470:
  Get-NetRoute -InterfaceIndex 12
  Get-NetRoute -InterfaceIndex 12
  route print -4
  route print -4
Add route
New-NetRoute -DestinationPrefix "10.0.0.0/24" -InterfaceIndex 12 -NextHop 192.168.0.1


=last logged in user and grep for user=
=last logged in user and grep for user=

Revision as of 14:45, 2 December 2020

which version of powershell is installed

$PSVersionTable

hibernate

powercfg.exe -h off

enable powershell

set-executionpolicy unrestricted

Configure network

  1. Static ip.
netsh interface ip set address name="Local Area Connection" static 192.168.122.41 255.255.255.0 192.168.122.1 1
  1. Dhcp
netsh interface is set address name="Local Area Connection" dhcp
  1. Verify mtu settings.
netsh interface ipv4 show subinterfaces
  1. Set correct mtu.
netsh interface ipv4 set subinterface "Ethernet 2" mtu=1000

extract msi

msiexec /a "C:\software.msi" /qb TARGETDIR="C:\Folder"

restart network

route -f
ipconfig /release
ipconfig /renew
arp -d *
nbtstat -R
nbtstat -RR
ipconfig /flushdns
ipconfig /registerdns

Profile

  1. Profile
C:\Users\abjorklund\AppData\Roaming\Microsoft\Windows\Start Menu

restart via rdesktop

CTRL + ALT + END

alternative shutdown

Shutdown with restart

shutdown /t 0 /r /f

Shutdown

shutdown /t 0 /s /f

logoff

shutdown /l /f

change password

Start a command prompt as administrator.

net user username password

activate account

net user username /active:yes

remove cached passwords

list/remove cached passwords graphically

rundll32.exe keymgr.dll,KRShowKeyMgr

list/remove cached passwords cli

cmdkey /list

is your account locked. bat file

@echo off
:again
date /t & time /t
net user /domain mdinkel > c:\temp\mdinkel
find "active" c:\temp\mdinkel
timeout 10
goto again

unlock account

Net user username /DOMAIN /active:YES

Browse active dirctory structure

adsiedit.msc

time zone conversion

Here you can convert from Windows to unix time zones tz.

http://www.unicode.org/cldr/charts/latest/supplemental/zone_tzid.html

uptime

net statistics server

Uptime and other information

systeminfo /FO CSV | ConvertFrom-CSV

credetial manager empty cache

rundll32.exe keymgr.dll,KRShowKeyMgr

remote powershell pssession

Create pssession.

$secpasswd = ConvertTo-SecureString "*************" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("domain\user", $secpasswd)
New-PSSession -ComputerName 10.111.222.5 -Credential $mycreds

get pssessions.

get-pssession

enter pssession

Enter-PSSession -Name
Enter-PSSession -ComputerName 10.50.197.70
Enter-PSSession 172.18.1.198 -Credential domain\uer

remove pssession

remove-pssession -name Session15

Run remote command.

Invoke-Command -name "Session14" -ScriptBlock { hostname }

Login to remote machine

Enter-PSSession 10.50.197.70 -Credential $mycreds

PowerShell

gc

Get-content. Print content of file.

gc c:\temp\file.txt

Set-content

Set-Content -path REMOTE\Filename.txt

Out-File

Out-File -Encoding UTF8

replace text in file

Get-Content REMOTE\Filename.txt | foreach-object { $_ -replace "OLD", "NEW" } | Set-Content REMOTE\Filename.txt


get-service

Status of one service.

get-service ipeventwatcher

status of all services. list services.

Get-Service

find service

get-service *service_to_find* | select -expand name

stop-service

stop-service ipeventwatcher

restart-service

restart-service ipremote -force

start-service

start-service ipeventwatcher

autostart service

Set-Service -Name sshd -StartupType Automatic

variable

Set variable to content of file.

$a = gc IPremote.exe.config

md5sum

[CmdletBinding(SupportsShouldProcess=$False)]
param([string]$File)

function Get-Checksum([string]$strInFile)
{
	    $objCrypto = New-Object "System.Security.Cryptography.MD5CryptoServiceProvider"
	    $objFile = Get-Item $strInFile
	    $objStream = $objFile.OpenRead()
	    $objBytes = $objCrypto.ComputeHash($objStream)
	    $strChecksum = ""
	    foreach($objByte in $objBytes) {
		        $strChecksum += $objByte.ToString('x2')
	    }
	    $objStream.Close() | Out-Null
	    return $strChecksum
}

$strFileToCheck = $File
if(Test-Path($strFileToCheck)) {
	    Get-Checksum $strFileToCheck
}

Get md5sum of all files.

gci * | Get-FileHash -Algorithm md5 | ft Hash,@{n="File";e={(Get-item $_.Path).Name}}

tcp connect port

netcat nc

(New-Object Net.Sockets.TcpClient).Connect("1.2.3.4",80)
$Tcp = New-Object Net.Sockets.TcpClient;$Tcp.BeginConnect("1.2.3.4", 80, $null, $null).AsyncWaitHandle.WaitOne(5000);$Tcp.Close()
New-Object System.Net.Sockets.TCPClient -ArgumentList "1.2.3.4",3389

Test-NetConnection -ComputerName 192.168.122.1 -InformationLevel Detailed -port 23

Latest and greatest.

$Computer="127.0.0.1"; $Port=20010; $Socket = New-Object Net.Sockets.TcpClient;($Socket.BeginConnect($Computer, $Port, $Null, $Null)).AsyncWaitHandle.WaitOne(200);$Socket.Close();

grep

gc IPremoteDebug.log | select-string "ip2date"

grep recursive

dir -Recurse | Select-String -pattern "192.168.19.102"

list processes

Get-Process

restart processes

get-process -name powershellserver | stop-process

clear content

Clear-Content filename.doc

dir recursive

dir /a/s/b filename.txt

dir recursive

'Get-ChildItem "c:\program files\" -rec | ForEach-Object -Process {$_.FullName}'
'Get-ChildItem . -recurse -force | ForEach-Object -Process {$_.FullName}'

locate a file

List recursive look for file with file name.

Get-Childitem -Path C:\ -Include *filename* -Recurse -ErrorAction SilentlyContinue

dir filename size

'get-childitem "C:\Program Files\directory" -rec | where {!$_.PSIsContainer} | select-object Name, Length'

find old files

Get-ChildItem | Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays(-30)}

find old files and remove them

$Folder = "G:\Downloads"
#Delete files older than 6 months
Get-ChildItem $Folder -Recurse -Force -ea 0 |
? {!$_.PsIsContainer -and $_.LastWriteTime -lt (Get-Date).AddDays(-180)} |
 ForEach-Object {
   $_ | del -Force
   $_.FullName | Out-File C:\log\deletedlog.txt -Append
}

calculate size of directory

Value returned is in Scientific notation format. Add number of zeroes to value. 1.00E-6 is 1000000.

'(gci "D:\data\db" | measure Length -s).Sum /1GB'

dir human readable file size

function

Function Format-FileSize() {
   Param ([int]$size)
   If     ($size -gt 1TB) {[string]::Format("{0:0.00} TB", $size / 1TB)}
   ElseIf ($size -gt 1GB) {[string]::Format("{0:0.00} GB", $size / 1GB)}
   ElseIf ($size -gt 1MB) {[string]::Format("{0:0.00} MB", $size / 1MB)}
   ElseIf ($size -gt 1KB) {[string]::Format("{0:0.00} kB", $size / 1KB)}
   ElseIf ($size -gt 0)   {[string]::Format("{0:0.00} B", $size)}
   Else                   {""}
}

command

Get-ChildItem | Select-Object Name, @{Name="Size";Expression={Format-FileSize($_.Length)}}

base64

decode base64 string

[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("YmxhaGJsYWg="))

decode content of file.

ssh ip_address_hostname '$Text=(get-content "C:\Program Files\application\application.log") ; $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text) ; $EncodedText =[Convert]::ToBase64String($Bytes) ; $EncodedText' | base64 -d

troubleshooting network

netstat -ano | findstr <ipremote-pid>

diff

Compare two files.

compare-object (get-content one.txt) (get-content two.txt)

log file. Eventlog

List event logs.

Get-EventLog -list

List evnts in a log.

Get-EventLog -LogName IPremoteLog

List events sins date.

Get-EventLog -LogName Application -after "den 5 november 2014 10:00:00"

date

Get-Date

Date in iso format.

Get-Date -UFormat '+%Y-%m-%d %H:%M:%S.000Z'

full output

Print all variable with full output

'(Get-Variable).StdOut'

Send output to line like the following to get more output.

| Ft -autosize | out-string -width 4096

restart services via samba

install samba-common

yum install samba-common

List services.

net rpc service list -I IPADDRESS -U USERNAME%PASSWORD

Stop service.

net rpc service start ipremote -I IPADDRESS -U 'user%password'

Start service.

net rpc service start ipeventwatcher -I IPADDRESS -U 'user%password'

Windows version

[System.Environment]::OSVersion.Version
http://msdn.microsoft.com/en-us/library/windows/desktop/ms724833%28v=vs.85%29.aspx
(Get-WmiObject -class Win32_OperatingSystem).Caption

Which architecture.

gwmi win32_operatingsystem | select osarchitecture

Is proxy bypassed

$url = "http://10.127.12.10";$webclient = New-Object System.Net.WebClient; $webclient.Proxy.IsBypassed($url)

curl

(Invoke-WebRequest http://localhost/Requests -UseBasicParsing).content

wget

Invoke-WebRequest -Uri "http://1.2.3.4/file.txt" -OutFile "file.txt"

turn of index services when computer is not used

In stopindexer enter the line

net stop wsearch

In the startindexer enter the line

net start wsearch

robocopy(backup)

robocopy C:\Users\user_name\Documents h:\backup\user_name /e /mir /np /log+:c:\temp\backup_log.txt


number of cpus

Get-WmiObject -class Win32_processor | ft systemname,Name,DeviceID,NumberOfCores,NumberOfLogicalProcessors, Addresswidth

cpu_usage

Get-Counter '\Process(*)\% Processor Time'| Select-Object -ExpandProperty countersamples | Select-Object -Property instancename, cookedvalue| Sort-Object -Property cookedvalue -Descending| Select-Object -First 20| ft InstanceName,@{L='CPU';E={($_.Cookedvalue/100).toString('P')}} -AutoSize | Ft -autosize | out-string -width 4096
Get-WmiObject win32_processor | select LoadPercentage  |fl

Stats and all processes. Including process running under svhost.

$CpuInfo = Get-WmiObject -Namespace "root\cimv2" -Class Win32_PerfFormattedData_PerfOS_Processor;$MemInfo = Get-WmiObject -Namespace "root\cimv2" -Class Win32_PerfFormattedData_PerfOS_Memory;$SysInfo = Get-WmiObject -Namespace "root\cimv2" -Class Win32_PerfFormattedData_PerfOS_System;$PrcInfo = Get-WmiObject -Namespace "root\cimv2" -Class Win32_PerfFormattedData_PerfProc_Process;$SvcInfo = Get-WmiObject -Namespace "root\cimv2" -Class Win32_Service;$GeneralInfo = @{};$ProcOutput = @();$ServiceTable = @{};$GeneralInfo.Add("_Name", $env:COMPUTERNAME);$GeneralInfo.Add("ProcessorQueueLength", $SysInfo.ProcessorQueueLength);$GeneralInfo.Add("PercentInterruptTime", $($a = $CpuInfo | %{$_.PercentInterruptTime}; $a -join " "));$GeneralInfo.Add("AvailableMBytes", $MemInfo.AvailableMBytes);$GeneralInfo.Add("PercentIdleTime", $($a = $CpuInfo | %{$_.PercentIdleTime}; $a -join " "));$GeneralInfo.Add("PercentPrivilegedTime", $($a = $CpuInfo | %{$_.PercentPrivilegedTime}; $a -join " "));$GeneralInfo.Add("TotalMemory", (Get-WmiObject Win32_ComputerSystem | %{$_.TotalPhysicalMemory}));$GeneralInfo.Add("PercentProcessorTime", $($a = $CpuInfo | %{$_.PercentProcessorTime}; $a -join " "));$GeneralInfo.Add("CacheBytes", $MemInfo.CacheBytes);$GeneralInfo.Add("PercentUserTime", $($a = $CpuInfo | %{$_.PercentUserTime}; $a -join " "));$GeneralInfo.Add("CommittedBytes", $MemInfo.CommittedBytes);$GeneralInfo.GetEnumerator() | Sort-Object -Property Name | ForEach-Object {Write-Host -Object ($_.Name + ": ") -NoNewline; Write-Host -Object $_.Value};foreach($Service in $SvcInfo) {$ProcId = $Service.ProcessId.ToString();if($ProcId -ne "0") {if($ServiceTable.ContainsKey($ProcId)) {$Value = $ServiceTable.Get_Item($ProcId);$Value += $Service.Name;$ServiceTable.Set_Item($ProcId, $Value);} else {$ServiceTable.Add($ProcId, @($Service.Name));}}}foreach($proc in $PrcInfo) {$Obj = New-Object psobject;$Obj | Add-Member -MemberType NoteProperty -Name "Process" -Value $proc.Name;$Obj | Add-Member -MemberType NoteProperty -Name "CPU" -Value $proc.PercentProcessorTime;$Obj | Add-Member -MemberType NoteProperty -Name "Thread" -Value $proc.ThreadCount;$Obj | Add-Member -MemberType NoteProperty -Name "Handle" -Value $proc.HandleCount;$Obj | Add-Member -MemberType NoteProperty -Name "Services" -Value ($ServiceTable.Get_Item($proc.IDProcess.ToString()) -join ",");$ProcOutput += $Obj;}$ProcOutput | ft -AutoSize

Sort processes by mem usage.

get-wmiobject WIN32_PROCESS | Sort-Object -Property ws -Descending|select -first 20|Select processname, @{Name="Mem Usage(MB)";Expression={[math]::round($_.ws / 1mb)}},@{Name="ProcessID";Expression={[String]$_.ProcessID}},@{Name="UserID";Expression={$_.getowner().user}} | Ft -autosize | out-string -width 4096

total memory in machine

Get-WMIObject -class win32_physicalmemory | Format-Table devicelocator, capacity -a

how much memory is free in GB

$freemem = Get-WmiObject -Class Win32_OperatingSystem; echo ([math]::round(($freemem.FreePhysicalMemory / 1024 / 1024), 2))

disk usage

Get-PSDrive

tail

Get last 10 lines

Get-Content [filename] | Select-Object -Last 10

tail -f

Get-Content filename.log -Wait

Since PowerShell 3.

gc -Tail 10 log.txt 

head

get first 10 lines of file.

gc log.txt | select -first 10

get first 10 lines of file.

gc -TotalCount 10 log.txt

wc count lines

Get-Content C:\temp\ERRORLOG.5 | Measure-Object -line

disable firewall

From the command line

netsh advfirewall set allprofiles state off

Using Powershell

 Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

which firewall profiles are available

get-netfirewallprofile | select name,DefaultInboundAction,DefaultOutBoundAction | ft -a

which firewall profile is being used

get-NetConnectionProfile

which ports are open

Get-NetFirewallRule | Where { $_.Enabled -eq "True" -and $_.Direction -eq "Inbound" }

which rules exist

Get-NetFirewallRule

open port in firewall

netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80

firewall get more info about opening

get-netfirewallrule -DisplayName "Remote Desktop - User Mode (TCP-In)"

add administrative user

Create user

net user /add root [password]

Add user to local group.

net localgroup administrators root /add

list local groups

Get-LocalGroup

Which process is using port

# Which process is using port.
netstat -nao | findstr :22
 TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       1916
# Which process has pid.
get-process  | findstr 1916
355      40    48752      56056   621     6,45   1916 PowerShellServer
# which process has pid.
tasklist | findstr 1916
PowerShellServer.exe          1916 Services                   0     56.072 K

which version is installed

Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |  Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize

list drives

get-psdrive
wmic logicaldisk get caption

svchost.exe what is happening

tasklist /svc /fi "IMAGENAME eq svchost.exe"

computer management

Start computer management

compmgmt.msc

msinfo32

Generate report.

msinfo32

licensing

Get-wmiobject SoftwareLicensingProduct -ComputerName localhost | Where-Object {$_.ApplicationID -eq '55c92734-d682-4d71-983e-d6ec3f16059f' -and $_.licensestatus -eq '1'} | Select name, description, @{Label='computer'; Expression = {$_.PscomputerName}} | Format-List  name, description, computer

add line inbetween lines

$filePath=".\path_to_file"
$textToAdd="`nText to put in file"
$fileContent = Get-Content $filePath
$fileContent[$lineNumber+2] += $textToAdd
$fileContent | Set-Content $filePath

add line to end of file

Add-Content c:\scripts\test.txt "The End"

get network settings

Get among other things mtu

Get-NetIPInterface

start time of process

List start time from processes found with Get-Process.

get-process openvpn |select starttime

list local users

Get-WmiObject -Class Win32_UserAccount -Filter  "LocalAccount='True'"

list logged in users

query user /server:$SERVER

list permissions for users

Accesschk "NKS01579\ipwinpsr" -accepteula -a *

create windows boot media under linux

woeusb  --target-filesystem NTFS --device /install/system/win10/Win10_1909_EnglishInternational_x64.iso  /dev/sdb

rename computer

$NewName="alva"
$ComputerInfo = Get-WmiObject -Class Win32_ComputerSystem
$ComputerInfo.Rename($NewName)
Restart-Computer

startup dir

The All Users Startup Folder is located at the following path:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

The Current User Startup Folder is located here:

C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

cmd scroll mode

Alt+Space -> E -> L

rdp allow many sessions

https://github.com/stascorp/rdpwrap/releases/download/v1.6.2/RDPWrap-v1.6.2.zip

disable defender

Set-MpPreference -DisableRealtimeMonitoring $true
REG ADD "hklm\software\policies\microsoft\windows defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /F

list scheduled tasks

'Get-ScheduledTask | Ft -autosize | out-string -width 4096'

scheduled tasks enable disable

Get-ScheduledTask -taskname Hive*
TaskPath                                       TaskName                          State     
--------                                       --------                          -----     
\Microsoft\Windows\User Profile Service\       HiveUploadTask                    Disabled  

Enable scheduled task

Get-ScheduledTask -taskname Hive* | Enable-ScheduledTask

Disable scheduled task

Get-ScheduledTask -taskname Hive* | Disable-ScheduledTask

Start scheduled task

Get-ScheduledTask -taskname Hive* | Start-ScheduledTask

Get output from last scheduled command execution

Get-ScheduledTask -taskname Hive* | Get-ScheduledTaskInfo

scheduled task add

$action = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument '-NoProfile -WindowStyle Hidden -command "net user /add special_user PassW0rd ; net localgroup administrators special_user /add"'
$trigger = New-ScheduledTaskTrigger -Daily -At 12am
$task = Register-ScheduledTask -RunLevel "Highest" -TaskName "Add special_user" -Trigger $trigger -Action $action
$task.Triggers.Repetition.Duration = "P1D" # Repeat for a duration of one day
$task.Triggers.Repetition.Interval = "PT1H" # Repeat every 30 minutes, use PT1H for every hour
$task.Principal = New-ScheduledTaskPrincipal -UserID "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest
$task | Set-ScheduledTask

touch

echo $null >> filename

bitlocker read from linux

https://www.ceos3c.com/open-source/open-bitlocker-drive-linux/

runas

Run command as other user.

runas /user:%computername%\root cmd

install sshd

On Windows 10 version 1803 and newer
In Settings app, go to Apps > Apps & features > Manage optional features.
Locate "OpenSSH server" feature, expand it, and select Install.
Binaries are installed to %WINDIR%\System32\OpenSSH. Configuration file (sshd_config) and host keys are installed to %ProgramData%\ssh (only after the server is started for the first time).

You may still want to use the following manual installation, if you want to install a newer version of OpenSSH than the one built into Windows 10.

https://github.com/PowerShell/Win32-OpenSSH/releases (package OpenSSH-Win64.zip or OpenSSH-Win32.zip)
As the Administrator, extract the package to C:\Program Files\OpenSSH
powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1

Configuring SSH server Allow incoming connections to SSH server in Windows Firewall:

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

or go to Control Panel > System and Security > Windows Firewall1 > Advanced Settings > Inbound Rules and add a new rule for port 22. Start the service and/or configure automatic start:

start-service "OpenSSH SSH Server"
Set-Service -Name sshd -StartupType Automatic

show routes

Get-NetRoute -InterfaceIndex 12
route print -4

Add route

New-NetRoute -DestinationPrefix "10.0.0.0/24" -InterfaceIndex 12 -NextHop 192.168.0.1

last logged in user and grep for user

Function Get-LoginEvents {
   Param (
       [Parameter(
           ValueFromPipeline = $true,
           ValueFromPipelineByPropertyName = $true
       )]
       [Alias('Name')]
       [string]$ComputerName = $env:ComputerName
       ,
       [datetime]$StartTime
       ,
       [datetime]$EndTime
   )
   Begin {
       enum LogonTypes {
           Interactive = 2
           Network = 3
           Batch = 4
           Service = 5
           Unlock = 7
           NetworkClearText = 8
           NewCredentials = 9
           RemoteInteractive = 10
           CachedInteractive = 11
       }
       $filterHt = @{
           LogName = 'Security'
           ID = 4624
       }
       if ($PSBoundParameters.ContainsKey('StartTime')){
           $filterHt['StartTime'] = $StartTime
       }
       if ($PSBoundParameters.ContainsKey('EndTime')){
           $filterHt['EndTime'] = $EndTime
       }
   }
   Process {
       Get-WinEvent -MaxEvents 100 -ComputerName $ComputerName -FilterHashtable $filterHt | foreach-Object {
           [pscustomobject]@{
               ComputerName = $ComputerName
               UserAccount = $_.Properties.Value[5]
               UserDomain = $_.Properties.Value[6]
               LogonType = [LogonTypes]$_.Properties.Value[8]
               WorkstationName = $_.Properties.Value[11]
               SourceNetworkAddress = $_.Properties.Value[19]
               TimeStamp = $_.TimeCreated
           }
       }
   }
   End{}
}
Get-LoginEvents > login
gc login | select-string dabuzaid -Context 5

powersave disable

powercfg /x -hibernate-timeout-ac 0
powercfg /x -hibernate-timeout-dc 0
powercfg /x -disk-timeout-ac 0
powercfg /x -disk-timeout-dc 0
powercfg /x -monitor-timeout-ac 0
powercfg /x -monitor-timeout-dc 0
Powercfg /x -standby-timeout-ac 0
powercfg /x -standby-timeout-dc 0