Commit 2ab0ea4
Changed files (20)
windows
windows/commands/arp.md
@@ -15,13 +15,36 @@ title: "arp"
### See Also
* [getmac]({{< relref "windows/commands/getmac.md" >}})
-## Syntax
+## Examples
+| command | description |
+|-------------------------------------------------------|---------------------------------------|
+
+## Man
```
arp [-a [InetAddr] [-N IfaceAddr]] [-g [InetAddr] [-N IfaceAddr]]
[-d InetAddr [IfaceAddr]] [-s InetAddr EtherAddr [IfaceAddr]]
- ```
-## Examples
-| command | description |
-|-------------------------------------------------------|---------------------------------------|
+ Syntax
+ View the contents of the local ARP cache table
+ ARP -a [ip_addr] [-N if_addr]
+ Add a static Arp entry for frequent accessed hosts
+ ARP -s ip_addr eth_addr [if_addr]
+ Delete an entry
+ ARP -d ip_addr [if_addr]
+
+ Key
+ -a Display current ARP entries. Can include more than one network interface.
+ If ip_addr is specified, the addresses for only the specified computer are displayed.
+ -g Same as -a.
+ -N if_addr Display the ARP entries for the network interface specified by if_addr.
+ -d ip_addr Delete the host specified by ip_addr. -d * will delete all hosts.
+ -s Add the host and associates the Internet address ip_addr
+ with the Physical address eth_addr. The Physical address is
+ given as 6 hexadecimal bytes separated by hyphens. The entry
+ is permanent.
+ eth_addr Specifies a physical address.
+ if_addr If present, this specifies the Internet address of the
+ interface whose address translation table should be modified.
+ If not present, the first applicable interface will be used.
+ ```
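Review bot: the new `## Examples` table is a header row and separator with no entries, so it renders as a stray line; either add at least one row (the Man text already supplies the obvious candidate, `arp -a`, to view the cache) or leave the table out until there is content. The Man fence here is an untagged ``` while auditpol.md and cacls.md in the same commit open theirs with a `none` info string; use one form across the new Man blocks. If the Syntax/Key text is copied from an external reference, link the source the way wevtutil.md links its TechNet and ss64 manuals.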
windows/commands/auditpol.md
@@ -30,3 +30,21 @@ Displays information about and performs functions to manipulate audit policies.
| command | description |
|-----------------|------------------------------------|
| `auditpol /get` | Displays the current audit policy. |
+
+
+## Man
+
+
+ ``` none
+ Syntax Auditpol command [<sub-command><options>]
+
+ Parameters
+ /get - Displays the current audit policy.
+ /set - Sets the audit policy.
+ /list - Displays selectable policy elements.
+ /backup - Saves the audit policy to a file.
+ /restore - Restores the audit policy from a file that was previously created by using auditpol
+ /backup - See Auditpol restore for syntax and options
+ /clear - Clears the audit policy
+ /remove
+ ```
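Review bot: `/remove` at the end of the Parameters list has no description, and the second `/backup - See Auditpol restore for syntax and options` line reads like the continuation of the `/restore` sentence above it rather than a separate parameter; fold it into the `/restore` entry and either describe `/remove` or drop it. The first line, `Syntax Auditpol command [<sub-command><options>]`, runs the word `Syntax` into the command; put `Syntax` on its own line as the cacls.md and icacls.md Man blocks in this commit do.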
windows/commands/cacls.md
@@ -0,0 +1,44 @@
+---
+date: "2016-12-13"
+draft: false
+title: "cacls"
+
+---
+
+
+
+## Man
+
+ ``` none
+ Syntax
+ CACLS pathname [options]
+
+ Options
+ /T Search the pathname including all subfolders. (/TREE)
+ /E Edit ACL, leave existing rights unchanged (/EDIT)
+ /C Continue on access denied errors. (/CONTINUE)
+ /L Work on the Symbolic Link itself versus the target (/LINK)
+ /M Change ACLs of volumes mounted to a directory (/MOUNT)
+ /G user:permission
+ Grant access rights (/GRANT), permision can be:
+ R Read
+ W Write
+ C Change (read/write)
+ F Full control
+ /R user
+ Revoke specified user's access rights, only valid with /E. (/REVOKE)
+ /P user:permission
+ Replace access rights (/REPLACE), permission can be:
+ R Read
+ W Write
+ C Change (read/write)
+ F Full control
+ N None
+ /D user
+ Deny access to user. (/DENY)
+ /S
+ Display the SDDL string for the DACL. (/SSDL)
+ /S:sddl
+ Replace the ACL(s) with those specified in the SDDL string
+ (not valid with /E, /G, /R, /P, or /D).
+ ```
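Review bot: `/S Display the SDDL string for the DACL. (/SSDL)` gives the long form as `/SSDL`, which matches neither the SDDL term in the same line nor the `/S:sddl` option that follows; verify the alias against the command's own help before publishing. `permision` in the `/G` description is a typo. Since index.md labels cacls as the pre-Vista tool, a `### See Also` entry pointing at icacls.md (the convention arp.md uses for getmac) would steer readers to the current tool, and the front matter lacks the `tag` and `category` keys that wevtutil.md sets.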
windows/commands/icacls.md
@@ -179,4 +179,173 @@ icacls "C:\Folder Name"
BUILTIN\Administrators:(I)(OI)(CI)(F)
```
+## Man
+
+ ``` none
+ Syntax
+ ICACLS Name [/grant[:r] User:Permission[...]]
+ [/deny User:Permission[...]]
+ [/remove[:g|:d]] User[...]]
+ [/inheritance:e|d|r ]
+ [/t] [/c] [/l] [/q]
+ [/setintegritylevel Level[...]]
+
+ Store ACLs for one or more directories matching name into aclfile for later use with /restore
+ ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
+
+ Restore ACLs to all files in directory :
+ ICACLS directory [/substitute SidOld SidNew [...]]
+ /restore aclfile [/C] [/L] [/Q]
+
+ Change Owner:
+ ICACLS name /setowner user [/T] [/C] [/L] [/Q]
+
+ Find items with an ACL that mentions a specific SID:
+ ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
+
+ Find files whose ACL is not in canonical form or with a length inconsistent with the ACE count:
+ ICACLS name /verify [/T] [/C] [/L] [/Q]
+
+ Replace ACL with default inherited acls for all matching files:
+ ICACLS name /reset [/T] [/C] [/L] [/Q]
+
+ Key
+ name The File(s) or folder(s) the permissions will apply to.
+
+ /T Traverse all subfolders to match files/directories.
+
+ /C Continue on file errors (access denied) Error messages are still displayed.
+
+ /L Perform the operation on a symbolic link itself, not its target.
+
+ /Q Quiet - supress success messages.
+
+ /grant :r user:permission
+ Grant access rights, with :r, the permissions
+ will replace any previouly granted explicit permissions.
+ Otherwise the permissions are added.
+
+ /deny user:permission
+ Explicitly deny the specified user access rights.
+ This will also remove any explicit grant of the
+ same permissions to the same user.
+
+ /remove[:[g|d]] User
+ Remove all occurrences of User from the acl.
+ :g remove all granted rights to that User/Sid.
+ :d remove all denied rights to that User/Sid.
+
+ /setintegritylevel [(CI)(OI)]Level
+ Add an integrity ACE to all matching files.
+ level is one of L,M,H (Low Medium or High)
+
+ A Directory Inheritance option for the integrity ACE can precede the level
+ and is applied only to directories:
+
+ /inheritance:e|d|r
+ e - enable inheritance
+ d - disable inheritance and copy the ACEs
+ r - remove all inherited ACEs
+
+ user A user account, Group or a SID
+
+ /restore Apply the acls stored in ACLfile to the files in directory
+ permission is a permission mask and can be specified in one of two forms:
+ a sequence of simple rights:
+ D - Delete access
+ F - Full access
+ N - No access
+ M - Modify access
+ RX - Read and eXecute access
+ R - Read-only access
+ W - Write-only access
+ a comma-separated list in parenthesis of specific rights:
+ DE - Delete
+ RC - read control
+ WDAC - write DAC
+ WO - write owner
+ S - synchronize
+ AS - access system security
+ MA - maximum allowed
+ GR - generic read
+ GW - generic write
+ GE - generic execute
+ GA - generic all
+ RD - read data/list directory
+ WD - write data/add file
+ AD - append data/add subdirectory
+ REA - read extended attributes
+ WEA - write extended attributes
+ X - execute/traverse
+ DC - delete child
+ RA - read attributes
+ WA - write attributes
+ inheritance rights can precede either form and are applied
+ only to directories:
+ (OI) - object inherit
+ (CI) - container inherit
+ (IO) - inherit only
+ (NP) - donโt propagate inherit
+ (I) - Permission inherited from parent container
+ Unlike earlier command-line tools, iCACLS correctly preserves the canonical ordering of ACE entries:
+ Order of Override
+ Explicit Deny
+ Explicit Grant
+ Inherited Deny
+ Inherited Grant
+
+ Access Control Lists apply only to files stored on an NTFS formatted drive, each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits ACL's from the folder where it was created.
+
+ An access control list (ACL) is a list of access control entries (ACE). When backing up or restoring an ACL with iCACLS, you must do so for an entire directory (using /save and /restore) even if you are only interested in the ACEs for a few individual files. In practice most permissions are set at the per-directory level.
+
+ Using iCACLS
+ To edit a file you must already have the "Change" ACL (or be the file's owner)
+ To use the iCACLS command to change the permissions of a file requires "FULL Control" (or be the file's owner)
+ File "Ownership" will always override all ACL's - you always have Full Control over files that you create.
+ Inheritance
+ Inherited folder permissions are displayed as
+ OI - Object inherit - This folder and files. (no inheritance to subfolders)
+ CI - Container inherit - This folder and subfolders.
+ IO - Inherit only - The ACE does not apply to the current file/directory
+
+ These can also be combined as folllows
+ (OI)(CI) This folder, subfolders, and files.
+ (OI)(CI)(IO) Subfolders and files only.
+ (CI)(IO) Subfolders only.
+ (OI) (IO) Files only.
+ So BUILTIN\Administrators:(OI)(CI)F means that both files and Subdirectories will inherit 'F' (Full control)
+ similarly (CI)R means Directories will inherit 'R' (Read folders only = List permission)
+
+ When icacls is applied to the current folder only there is no inheritance and so no output.
+
+ Built-In Groups
+ A command which addresses a built-in group by name like ICACLS foldername /GRANT Everyone:F /T
+ For example, to grant full control to Everyone on a folder ICACLS foldername /GRANT *S-1-1-0:F /T
+
+ Examples:
+
+ icacls "c:\Test" /remove "Authenticated Users"
+
+ icacls "c:\Test" /grant "Ducks":(OI)(CI)F
+ Give each user has Full Control of his own directory and remove the local Users group from having access to each subdirectory.
+ icacls "c:\Test\user" /grant user:(OI)(CI)F
+ icacls "c:\Test\*" /inheritance:d
+ icacls "c:\Test\*" /remove Users
+
+ To backup the ACLs of every file in a directory
+ icacls * /save Myacl_backup.txt
+ Restore ACLS using a previously saved acl file
+ icacls /restore Myacl_backup.txt
+ Change the Integrity Level (IL) of a file to High
+ icacls MyReport.doc /setintegritylevel H
+ Remove all inheritance on the 'Demo' folder and grant access to the domain user 'Volta', in this command the /t will traverse existing subfolders and files, and the (CI) will ensure that new folders/files added in future will inherit these permissions
+ icacls C:\Demo /inheritance:r /grant SS64dom\Volta:(CI)F /t
+ Grant the group FileAdmins 'Delete' and 'Write DAC' permissions to Sales_Folder
+ icacls Sales_Folder /grant FileAdmins(D,WDAC)
+ Propagate a new permission to all files and subfolders, without using inheritance
+ (so if any of the subfolders contain specific permissions, those won't be overwritten)
+
+ icacls * /grant accountName:(NP)(RX) /T
+ /remove:g removes all occurances of grant permissions
+```
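Review bot: the example `icacls Sales_Folder /grant FileAdmins(D,WDAC)` is missing the colon that the `User:Permission` syntax at the top of the block requires (`FileAdmins:(D,WDAC)`), so it fails as written. In the Syntax block, `[/remove[:g|:d]] User[...]]` has one more closing bracket than opening ones. `(NP) - donโt propagate inherit` carries a mis-encoded apostrophe, and `supress`, `previouly`, `folllows`, `occurances` and `Give each user has Full Control of his own directory` need fixing. The block is opened with an indented fence tagged `none` and closed with an unindented bare fence; make the pair match, and note that the `Built-In Groups` sentence `A command which addresses a built-in group by name like ICACLS foldername /GRANT Everyone:F /T` has no main clause.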
windows/commands/index.md
@@ -10,16 +10,17 @@ Not here? Check: [ss64](http://ss64.com/nt/)
| Command | Description |
|-----------------------------------------------------------------|--------------------------------------------------------------------------------|
-| [cmd]({{< relref "windows/commands/cmd.md" >}}) | |
+| [cmd]({{< relref "windows/commands/cmd.md" >}}) | Windows' default command shell |
| [auditpol]( {{< relref "windows/commands/auditpol.md" >}}) | Displays information about and performs functions to manipulate audit policies |
-| [driverquery]({{< relref "windows/commands/driverquery.md" >}}) | |
-| [ds]({{< relref "windows/commands/ds.md" >}}) | |
-| [icacls]({{< relref "windows/commands/icacls.md" >}}) | |
-| [sc]({{< relref "windows/commands/sc.md" >}}) | Service Control |
-| [systeminfo]({{< relref "windows/commands/systeminfo.md" >}}) | |
-| [taskkill]({{< relref "windows/commands/taskkill.md" >}}) | |
-| [tasklist]({{< relref "windows/commands/tasklist.md" >}}) | |
-| [template]({{< relref "windows/commands/template.md" >}}) | |
+| [driverquery]({{< relref "windows/commands/driverquery.md" >}}) | Display a list of all installed device drivers and their properties. |
+| [ds]({{< relref "windows/commands/ds.md" >}}) | Domain services commands which start with the `ds` prefix |
+| [cacls]({{< relref "windows/commands/cacls.md" >}}) | Display or modify Access Controle Lists (Pre-Vista) |
+| [icacls]({{< relref "windows/commands/icacls.md" >}}) | Display or modify Access Controle Lists (Vista+) |
+| [sc]({{< relref "windows/commands/sc.md" >}}) | Create, stop, start, query or delete any windows service |
+| [systeminfo]({{< relref "windows/commands/systeminfo.md" >}}) | Detailed config info about a computer |
+| [taskkill]({{< relref "windows/commands/taskkill.md" >}}) | End one or more processes (by id or name) |
+| [tasklist]({{< relref "windows/commands/tasklist.md" >}}) | List of applications and services with their Process ID |
+| [wevtutil]({{< relref "windows/commands/wevtutil.md" >}}) | Retrieve information about event logs and publishers |
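Review bot: `Access Controle Lists` is misspelled in both the cacls and icacls rows (`Access Control Lists`). The rows are in no particular order (cmd, auditpol, driverquery, ds, cacls, icacls, sc, systeminfo, ...), so sorting alphabetically would make the new cacls and wevtutil entries easier to find. The unchanged auditpol row has a stray space in `]( {{< relref` that no other row has; worth fixing while in the file.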
## Networking
| Command | Description |
windows/commands/wevtutil.md
@@ -0,0 +1,29 @@
+---
+date: "2016-12-13"
+draft: false
+title: "wevtutil"
+tag: ["cli", "commands", "logs"]
+category: "windows"
+
+
+---
+* [TechNet Manual](https://technet.microsoft.com/en-us/library/cc732848.aspx), [ss64 Manual](http://ss64.com/nt/wevtutil.html)
+* Available In: Vista+
+
+### Alternatives
+ * SysInt: none known
+ * WMIC: none known
+ * PS: none known
+
+Enables you to retrieve information about event logs and publishers.
+You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.
+
+## Usage
+
+
+## Examples
+
+| command | description |
+|---------------|----------------------------------------|
+| `wevtutil el` | "enum-logs" List the names of all logs |
+| `wevtutil qe System /rd:true /c:5 /f:text` | "query-events" from the System log, display 5 as text in reverse order |
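Review bot: the `## Usage` section is empty; either fill in the syntax (the TechNet and ss64 links at the top of the file give it) or remove the heading so the page does not render a blank section. In the examples table the descriptions quote the long subcommand name as if it were output (`"enum-logs" List the names of all logs`); a consistent form such as `enum-logs: list the names of all logs` and `query-events: last 5 System events as text, newest first` reads more clearly, and the separator row is narrower than the second data row.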
windows/meta/index.md
@@ -5,7 +5,7 @@ title: "Windows Meta"
---
-
+* [survey]({{< relref "windows/meta/survey.md" >}})
* [auditing]({{< relref "windows/meta/auditing.md" >}})
* [env]({{< relref "windows/meta/env.md" >}})
* [kernel]({{< relref "windows/meta/kernel.md" >}})
windows/meta/passive.md
@@ -1,32 +0,0 @@
----
-date: "2016-12-01"
-draft: false
-title: "Process List"
-
----
-
-## process list
-
-| System PID | Win OS Version |
-|------------|----------------|
-| 2 | Windows NT |
-| 8 | Windows 2000 |
-| 4 | Windows XP+ |
-
-## other processes
-| process | system info |
-|---------|---------------------------------|
-| MsMpEng | Windows Defender |
-| NlsSrv | Security Essentials |
-| msseces | Security Essentials |
-| wininit | Vista+ |
-| csrss | n>=2,Vista+; n=1,XP/2K3 or less |
-| dwm | Vista+ |
-
-## uptime & logon time
-
-* smss's Elapsed Time
-* smss ET / Idle CPU Time ~= # CPU's
-* Logon time = explorer.exe ET
-
-
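Review bot: the deleted Process List page carried facts that no added hunk in this commit picks up: the System PID per OS version table (`| 2 | Windows NT |`, `| 8 | Windows 2000 |`, `| 4 | Windows XP+ |`), the csrss count rule (`n>=2,Vista+; n=1,XP/2K3 or less`) and the uptime and logon-time heuristics based on smss and explorer.exe elapsed time. If the intent is to fold these into processes.md or survey.md, include them there; if the intent is to drop them, say so in the commit message, since these are baseline facts a triage checklist relies on to spot an impostor "System" or extra csrss.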
windows/meta/processes.md
@@ -0,0 +1,11 @@
+
+# Processes
+0. List All running processes
+ * `pslist`
+ * `wmic process list /format:list`
+ * `wmic process get description,commandline`
+ * `handle -u`
+ * `wmic process where "description=<process>.exe" get name,descrption,commandline /format:list`
+ * `handle -p <process>`
+ * `wmic process get name.executablepath`
+ * `listdlls <processname|pid>`
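Review bot: two of the wmic commands will not run as written: `wmic process where "description=<process>.exe" get name,descrption,commandline /format:list` misspells the `description` property, and `wmic process get name.executablepath` joins the two properties with a dot instead of the comma the `get` list uses (`name,executablepath`). The file also has no front matter (date, title) unlike cacls.md, wevtutil.md and survey.md in this commit, so the site generator has no title for the page.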
windows/meta/randy-meta.txt
@@ -1,246 +0,0 @@
-Case Study examples - Several ways of doing the same function
-# PROCESSES
-List All running processes
- pslist
- wmic process list /format:list
- wmic process list brief
- wmic process get description - gets just the name
- wmic process get description,commandline
- handle -a (add hku for user processes? )
- handle -u shows process owner
- 'handle c:\users - shows all the processes starting from c:\users
-
-
-Get a single process:
- wmic process where "description=vstoolsd.exe" will list everything but hard to read
- 'wmic process where "description=vstoolsd.exe" get name,descrption,commandline /format:list eaiser to read
- handle -p svchost
-
-Get the executable path for all running processes:
- wmic process get name.executablepath
- listdlls will show the path plus all the dlls, may be alot to look through
-
-
-Identify the number of logical processors on the target system:
- wmic cpu get numberoflogicalprocessors
- pslist # of threads in the IDLE process equals processors, SMSS
- systeminfo (add /find /I "processor")
-
-Determine which port(s) W32Time.dll is listening on:
- 1st step is to get the process ID. in this case since w32time is started by svchost it will not show useing pslist
-
- sc queryex w32time
- tasklist /FI "services eq w32time"
-
- listdlls -d w32time.dll
- Once you have the PID run netstat -ano to match process ID to port
-
-List the DLLs associated with processes:
- tasklist /m
- autorunsc -k (shows all the DLLs and their path, )
-
-List services that are running with procesess:
- tasklist /svc
-
-List all the processes running on a host:
- tasklist
- pslist \\computername -u user -p password on a remote system
-
-Which of the following binaries was used to generate the process listening on port 135:
-
- 1st Run netstat -ano to find listening on 135
- Run tasklist /fi "pid eq <proces id>"
-
-"System" process is currently listening on the following port(s)? :
- tasklist /fi "imagename eq system"
- netstat -ano
-
-Kill a proccess on a remote computer by PID:
- taskkill /s xp.ops.local /u xp\administrator /p L33tHax0r /PID 1187
-
-# REGISTRY
-Find current or last known good settings in Registry:
- reg query hklm\system\select - shows all 4 options Last Good Known,if 0x1 points to ControlSet001, 0x2 points to ControlSet002
-Find a registry Key for SAM:
- reg query HKLM\sam\sam\domains\account (shows all /v looks for a value i.e. /v v shows machine SID)
-Create a registry entry on a remote host:
- reg add \\xp.ops.local\HKLM\Software\hawkeye
- reg query \\xp.ops.local\HKLM\Software\hawkeye
-Check for all subkeys and values in a registry location:
- reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons /s
-Find a specific value:
- reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel /v {450D8FBA-AD25-11D0-98A8-0800361B1103}
-Change a registry value 0 in this example chaning the GUID value:
- 1st step - query the value to see what the value type is, then add using /t for type and /d for data
- reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel /v {450D8FBA-AD25-11D0-98A8-0800361B1103} /t REG_DWORD /d 0x0
-Find registy entries:
- regfind -y sets case insensitive
- regfind "192.168.11.12" - searches just the path
- regfind -n "registeredOwner" - registry keys, and values
- handle -?
-Find a hotfix install date:
- regfind "KB905474" to get the path (in this example, KB is for WGA)
- regquery "hklm\software\microsoft\winodws\currentversion\uninstall\wganotify"
-
-PowerShell Registry:
- 'Get-Item -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - item will only show the last entry setting i.e version
- 'get-childitem registry::hklm\software - gets all registry keys in software hive - (hard to read all)
- 'get-childitem registry::hklm\SAM\SAM\Domains\Account - will show all entries in Account and below
-
-# Services
-Show all running services:
- net start
- sc query
- gwmi win32_service | where {$_.state -eq 'running'}
- Get-WmiObject Win32_Service -filter "State like 'Running'" | select name - will just show name
- Get-CimInstance -ClassName Win32_Service | where state -match 'running
- 'wmic service get name,pathname /format:list
- 'wmic service where state='running' get name,pathname,status,state /format:list
- psserivce
-
-Show all running services on a remote host:
- sc \\xp.ops.local
- gwmi win32_service -computername win7 -credential fred | where {$_.state -eq 'running'}
- psservice \\computer -u user -p password
- 'wmic /node:XP service get name,pathname /format:list
- psservice \\xp.ops.local -u xp\administrator -p L33tHax0r query -s all
-Query the status of Windows "Security Center" serivce (on XP):
- psservice \\xp.ops.local -u administrator -p L33thax0r query "Security Center" or you can use service name wscsvc
- psservice \\xp.ops.local -u xp\administrator -p L33tHax0r query wscsvc
- psservice querry "Display Name or Service Name"
-
-Start/Stop/pause a service:
- net start <"service display name"> i.e. "print spooler" not spoolsv.exe or spooler
- sc start spooler
- psservice stop w32time or psservice stop "Windows Time"
- psservice start w32time
-
-Find a service name associated with the services display name:
- sc getkeyname "Display_Name" i.e sc getkeyname "Print Spooler"
-
-Change a service:
- sc config <service name> option i.e. sc config netlogon start= "disabled" (space after = is required)
- sc config <service name> by itself will give you the options/format you can change
- psservice config "Windows Event Collector" or psservice config wecsvc
- psservice config wecsvc /? Shows you options
-
-Look at services that are set to start automatically:
- wmic SERVICE WHERE StartMode="Auto" GET Name, State
-Get service dependcies:
- psservice depend <service>
-Get configuration of a service:
- psservice config wecsvc
-Config the Windows "Parental Controls" service to start automatically:
- psservice setconfig "parental Controls" auto
-
-# SIDS
-
-Get a users SID:psgetsid <username>
- wmic useraccount where name='<username>' get sid
- wmic useraccount where name='%username%' get sid - gets SID of current logged on user
- wmic useraccount where (name='administrator' and domain='%computername%' - gets SID of local administrator
- wmic useraccount get name,sid - gets all SIDs
- req query hku - this will give you all user SIDs
- psgetsid <username>
- 'gci registry::hku
-Get a user name from a SID:
- wmic useraccount where sid='S-1-3-12-1234525106-3567804255-30012867-1437' get name
- psgetsid <sid>
-
-Decode a machine SID:
- reg query HKLM\SAM\SAM\Domains\Account /v V
- Copy the last 12 bytes from the entry 75B97554D805B44DF09C85F
- Divide into 3 sections 75B97554 D805B44D F094C85F
- Reverse the order of of each group 54 75 B9 75 4D B4 05 D8 5F C8 94 F0
- Convert each section into decimal 1417001333 1303643608 1606980848 That is the machine SID
-
-Find the next available RID:
- reg query HKLM\SAM\SAM\Domains\Account /v F
- Count to offset 0x48 (72 in decimal) next 4 bytes i.e. EF 03
- reverse bytes 03EF, convert to decimal 1007
-
-
-#EVENT LOGS
-
-Read or get data from an event log:
- :WMIC NTEVENT WHERE SourceName="security" GET Message,EvenTtype /FORMAT:HTABLE > c:\winmgmtevents.htm (htable formats for htlm)
- :powershell get-winevent -path C:\Windows\System32\winevt\Logs\Security.evtx
- sc
- wevtutil eq <log>
-
-Get last 10 entries from a log file:
- powershell get-eventlog security -newest 10 | format-list
- psloglist security -n 10
- :wevtutil query-events security /count:10 /rd:true /format:xml
- WMIC NTEVENT WHERE "LogFile='application'"
- :powershell get-winevent -newest 10 -path C:\Windows\System32\winevt\Logs\Security.evtx
-
- Search an event log for an event type:
- auditpol security -f "success audit"
- psloglist -s -t "\t" -n 20 Security | findstr /n /i "Success Audit"
- Find all events with creating a new user:
- To find all of the appropriate new user events, you will need to first get the user SID
- wmic useraccount where name='username' get sid where 'username' would be 'icarus'
- use the psloglist and findstr commands to find the relevant entries in the event logs.
- psloglist -s -t "\t" -n 20 Security | findstr /n /i .*SID.*
-# USERS
- Enable a user account:
- wmic useraccount where name="vhalen" set disabled="False"
- Get information on a specific user:
- :wmic useraccount where name="username" get /all /format:list
- Get all group and user information:
- :wmic path w32_account get /format:list
-Find currently logged on user:
- reg query "HKCU\Volatile Environment" /v homepath
- Reg query "hklm\software\microsoft\windows nt\currentversion\profilelist" Gets you SID
-List everything about a user:
- wmic useraccount where name='rblum' get /format:list
-Find who was the last user to log onto a system:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v defaultusername
-Disabling a user account:
- wmic useraccount where name='john' set disabled=true
-For re-enabling user account:
- wmic useraccount where name='john' set disabled=false
-Set password to never expire:
- wmic useraccount where name='tstark' set PasswordExpiores=false
-
-# DOCUMENTS AND TIMESTAMPS
-Get version of a file
- wmic datafile where name="path_filename" get version
-Get timestamps
- dir /t C A W - Create, LastAccess, Last Write
- gci | select * will show all the options you can select
- gci | select name, LastWriteTime, LastWriteTimeUTC
-
-#FIREWALLS
-Get Firewall information for an XP box:
- From the XP OS
- netsh firewall show config
- Remotely (if enabled)
- netsh -r "xp.ops.local" -u Administrator -p <pswd> advfirewall show currentprofile
-
-Get Firewall information for Vista + :
- netsh advfirewall show allprofiles
- netsh advfirewall show currentprofile
-Turn off/on fireall - local/remote:
- netsh advfirewall set allprofiles state off
- netsh -r computername advfirewall set publicprofile state on
- netsh -r computername advfirewall set privateprofile state off
-Display Firewall Rules:
- netsh advfirewall firewall show rule profile=private name=all > fwrules.txt
-
-Change firewail Logging Settings:
- XP locally
- netsh firewall set logging %systemroot%\system32\LogFiles\Firewall\pfirewall.log 4096 ENABLE ENABLE (enables dropped pkts and connections)
-
-Change a firewall rule GROUP for Everyone:
- f
- Change a firewall rule GROUP for specific profiles (Group rules cannot be changed by profile):
- 1st get the all the rules in the group
- netsh advfirewall firewall show rule name=all | find /i "File and Print"
- change each rule individually
- netsh advfirewall firewall set rule name="File and Printer Sharing (NB-Session-In)" new enable=yes profile=domain,public
-
-#MISC
- List the system directory
- wmic os get systemdirectory /value
\ No newline at end of file
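Review bot: before this file goes, check that every section has a new home: PROCESSES, REGISTRY, Services, SIDS and parts of FIREWALLS are visible in the added processes.md, registry.md, services.md, sid.md and survey.md hunks, but the EVENT LOGS, USERS, DOCUMENTS AND TIMESTAMPS and MISC sections, and the remote-firewall commands, do not appear in any added hunk shown here. Also, the `L33tHax0r` password and `xp.ops.local` host in the psservice and taskkill examples (`taskkill /s xp.ops.local /u xp\administrator /p L33tHax0r /PID 1187`) are carried verbatim into services.md; replace them with `<user>`, `<password>` and `<host>` placeholders in the migrated text rather than publishing lab credentials.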
windows/meta/registry.md
@@ -5,9 +5,34 @@ title: "Windows Registry"
---
-# Windows Registry
-
-## Registry Structure
+## Common tasks
+
+* Find current or last known good settings in Registry:
+ * reg query hklm\system\select - shows all 4 options Last Good Known,if 0x1 points to ControlSet001, 0x2 points to ControlSet002
+* Find a registry Key for SAM:
+ * reg query HKLM\sam\sam\domains\account (shows all /v looks for a value i.e. /v v shows machine SID)
+* Create a registry entry on a remote host:
+ * reg add \\xp.ops.local\HKLM\Software\hawkeye
+ * reg query \\xp.ops.local\HKLM\Software\hawkeye
+* Check for all subkeys and values in a registry location:
+ * reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons /s
+* Find a specific value:
+ * reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel /v {450D8FBA-AD25-11D0-98A8-0800361B1103}
+* Change a registry value 0 in this example chaning the GUID value:
+ * 1st step - query the value to see what the value type is, then add using /t for type and /d for data
+ * reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel /v {450D8FBA-AD25-11D0-98A8-0800361B1103} /t REG_DWORD /d 0x0
+* Find registy entries:
+ * regfind -y sets case insensitive
+ * regfind "192.168.11.12" - searches just the path
+ * regfind -n "registeredOwner" - registry keys, and values
+ * handle -?
+* Find a hotfix install date:
+ * regfind "KB905474" to get the path (in this example, KB is for WGA)
+ * regquery "hklm\software\microsoft\winodws\currentversion\uninstall\wganotify"
+* PowerShell Registry:
+ * 'Get-Item -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - item will only show the last entry setting i.e version
+ * 'get-childitem registry::hklm\software - gets all registry keys in software hive - (hard to read all)
+ * 'get-childitem registry::hklm\SAM\SAM\Domains\Account - will show all entries in Account and below
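Review bot: removing `# Windows Registry` and `## Registry Structure` while leaving `### Registry Root Keys [3]` unchanged demotes the root-keys material to a subsection of `## Common tasks`; keep a `## Registry Structure` heading above it or promote Root Keys to `##`. In the hotfix item, `regquery "hklm\software\microsoft\winodws\currentversion\uninstall\wganotify"` both runs `reg query` together and misspells `windows` in the path, so the command fails; the three PowerShell lines start with a stray `'` left over from the source file; and `chaning` and `registy` are typos. Put the commands in backticks as processes.md does so markdown does not interpret the backslashes in `\\xp.ops.local` and the braces in the GUID.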
### Registry Root Keys [3]
windows/meta/services.md
@@ -0,0 +1,48 @@
+
+## Services
+0. Show all running services:
+ * `net start`
+ * `sc query`
+ * `gwmi win32_service | where {$_.state -eq 'running'}`j
+ * `Get-WmiObject Win32_Service -filter "State like 'Running'" | select name` will just show name
+ * `Get-CimInstance -ClassName Win32_Service | where state -match 'running`
+ * `'wmic service get name,pathname /format:list`
+ * `'wmic service where state='running' get name,pathname,status,state /format:list`
+ * `psserivce`
+
+0. Show all running services on a remote host:
+ sc \\xp.ops.local
+ gwmi win32_service -computername win7 -credential fred | where {$_.state -eq 'running'}
+ psservice \\computer -u user -p password
+ 'wmic /node:XP service get name,pathname /format:list
+ psservice \\xp.ops.local -u xp\administrator -p L33tHax0r query -s all
+
+ Query the status of Windows "Security Center" serivce (on XP):
+ psservice \\xp.ops.local -u administrator -p L33thax0r query "Security Center" or you can use service name wscsvc
+ psservice \\xp.ops.local -u xp\administrator -p L33tHax0r query wscsvc
+ psservice querry "Display Name or Service Name"
+
+Start/Stop/pause a service:
+ net start <"service display name"> i.e. "print spooler" not spoolsv.exe or spooler
+ sc start spooler
+ psservice stop w32time or psservice stop "Windows Time"
+ psservice start w32time
+
+Find a service name associated with the services display name:
+ sc getkeyname "Display_Name" i.e sc getkeyname "Print Spooler"
+
+Change a service:
+ sc config <service name> option i.e. sc config netlogon start= "disabled" (space after = is required)
+ sc config <service name> by itself will give you the options/format you can change
+ psservice config "Windows Event Collector" or psservice config wecsvc
+ psservice config wecsvc /? Shows you options
+
+Look at services that are set to start automatically:
+ wmic SERVICE WHERE StartMode="Auto" GET Name, State
+Get service dependcies:
+ psservice depend <service>
+Get configuration of a service:
+ psservice config wecsvc
+Config the Windows "Parental Controls" service to start automatically:
+ psservice setconfig "parental Controls" auto
+
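Review bot: the remote examples embed what look like real lab credentials (`psservice \\xp.ops.local -u xp\administrator -p L33tHax0r query -s all` and the two Security Center lines); replace user, password and host with `<user>`, `<password>` and `<host>` placeholders, and prefer the `-u`-only form, since PsTools prompt for a password when `-p` is omitted and a password on the command line ends up in process listings and shell history. Smaller items: a stray `j` after the closing backtick on the `gwmi win32_service | where {$_.state -eq 'running'}` line; `Get-CimInstance -ClassName Win32_Service | where state -match 'running` is missing its closing quote; `psserivce`, `serivce`, `querry` and `dependcies` are typos; the two wmic lines start with a stray `'`; and from `Show all running services on a remote host` onward the commands are plain indented text rather than the backtick list items used in the first block.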
windows/meta/sid.md
@@ -79,3 +79,27 @@ title: "SID & RID"
If the SAM file is missing at startup, a backup is retrieved in hexadecimal form here:
* regedit.exe: \HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS\@ (last 12 bytes)
* explorer.exe: \%windir%\system32\config\SECURITY
+
+Get a users SID:psgetsid <username>
+ wmic useraccount where name='<username>' get sid
+ wmic useraccount where name='%username%' get sid - gets SID of current logged on user
+ wmic useraccount where (name='administrator' and domain='%computername%' - gets SID of local administrator
+ wmic useraccount get name,sid - gets all SIDs
+ req query hku - this will give you all user SIDs
+ psgetsid <username>
+ 'gci registry::hku
+Get a user name from a SID:
+ wmic useraccount where sid='S-1-3-12-1234525106-3567804255-30012867-1437' get name
+ psgetsid <sid>
+
+Decode a machine SID:
+ reg query HKLM\SAM\SAM\Domains\Account /v V
+ Copy the last 12 bytes from the entry 75B97554D805B44DF09C85F
+ Divide into 3 sections 75B97554 D805B44D F094C85F
+ Reverse the order of of each group 54 75 B9 75 4D B4 05 D8 5F C8 94 F0
+ Convert each section into decimal 1417001333 1303643608 1606980848 That is the machine SID
+
+Find the next available RID:
+ reg query HKLM\SAM\SAM\Domains\Account /v F
+ Count to offset 0x48 (72 in decimal) next 4 bytes i.e. EF 03
+ reverse bytes 03EF, convert to decimal 1007
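Review bot: the machine-SID walkthrough is internally inconsistent: `Copy the last 12 bytes from the entry 75B97554D805B44DF09C85F` is 23 hex digits (12 bytes need 24), and the next line splits it as `F094C85F` where the copied string has `F09C85F`; the three decimals `1417001333 1303643608 1606980848` do match the grouped hex, so the fix is to correct the copied string to `75B97554D805B44DF094C85F`. `req query hku` should be `reg query hku`; `Get a users SID:psgetsid <username>` has the first command fused to the heading and then repeated two lines later; `Reverse the order of of` doubles a word; and the sample `S-1-3-12-1234525106-3567804255-30012867-1437` is not the shape of an account SID (those are `S-1-5-21-<three subauthorities>-<RID>`, while authority 3 is Creator Authority), so on the SID page an `<sid>` placeholder or an `S-1-5-21-` example would avoid teaching the wrong form.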
windows/meta/survey.md
@@ -0,0 +1,216 @@
+---
+date: "2016-12-13"
+draft: false
+title: "Windows Survey"
+
+---
+
+# Init
+0. **Situational Awareness**
+
+ * `ipconfig /all` *`# Host Name, IP Address`*
+ * `wmic process get executablepath, processid, parentprocessid | more` *`# Unusual processes`*
+ * `wmic process get commandline` *`# Process args and location`*
+ * `net service` *`# current running services`*
+ * `date /t` `time /t` *`# Get system date and time`*
+ * `ver` *`# system version`*
+ * `net stats server` *`# uptime and stats`*
+ * `systeminfo`
+
+ PowerShell alternative
+
+ * `gwmi win32_networkadapterconfiguration | ft description, ipaddress, defaultipgateway`
+ * `gwmi win32_process | select processid, parentprocessid, <executablepath | commandline> | ft -autosize`
+ * `gwmi win32_service | select processid, <displayname|name>, state, pathname | sort processid | ft -autosize`
+ * `get-date`
+
+# Networking - LIVE EDIT
+
+0. **Listening Ports**
+
+ * Map service to listening port:
+ * `sc query <service>` *`# find dll`*
+ * `tasklist /FI "services eq <service>"` *`# Find dll`*
+ * `listdlls -d <service>.dll` *`# find PID`*
+ * `netstat -ano` *`# match PID to PORT`*
+ * Map listening port to process:
+ * `netstat -ano | findstr EST` *`# find Established connections and PID`*
+ * `netstat -ano` *`# find listening connection port's PID`*
+ * `tasklist /fi "pid eq <pid>"`
+
+0. **NetBIOS**
+ * `nbtstat -n`
+
+0. **Routes**
+ * `route print`
+
+0. **Share Usage**
+
+ * `net use` *`# Current outbound connections`*
+ * `net share` *`# Current shared resources`*
+
+0. **Firewall**
+
+ * XP
+ * `netsh firewall show config`
+ * Vista+
+ * `netsh advfirewall show allprofiles`
+ * `netsh advfirewall show currentprofile`
+ * `netsh advfirewall firewall show rule profile=<PROFILE> name=all`
+ * Allowed programs
+ * `netsh firewall show allowedprogram`
+
+# Users and Domains
+
+0. **Users**
+ * `net users` *`# Enumerate users`*
+ * `net session` *`# Enumerate users`*
+ * `reg querey hklm\system\currentcontrolset\control\hivelist` *`# Look for other users logged on SIDs`*
+ * `psloggedon` *`# Look for other users logged on`*
+ * `psloglist "Security" -i 528 -s | find /i "Logon Type: 10"`
+
+0. **Local Policies**
+
+ * `secedit /export /cfg c:\seccfg.ini`
+ * `type c:\seccfg.ini` *`# show policies`*
+
+0. **Auditing**
+ * `auditpol` *`# Look for actions which will be logged`*
+
+0. **Domain Membership**
+
+ * `reg query hklm\system\currentcontrolset\services\tcpip\parameters` *`# NV Domain `*
+ * `systeminfo` *`# Domain`*
+
+ | Values | Inference |
+ |--------------------------------|-----------|
+ | NV Domain absent or empty | WORKGROUP |
+ | NV Domain == systemifo Domain | DOMAIN |
+ | NV Domain != systeminfo Domain | WORKGROUP |
+
+0. **SIDs**
+ * `wmic useraccount where name='<username>' get sid`
+ * `wmic useraccount where sid='S-1-3-12-1234525106-3567804255-30012867-1437' get name`
+ * `psgetsid <sid>`
+
+# Hardware
+
+ * Identify the number of logical processors on the target system:
+ * `wmic cpu get numberoflogicalprocessors`
+ * `pslist` processor count:
+ * Number of threads in the `system` IDLE process equals processors
+ * `smss` Elapsed Time / Idle CPU Time aproximately equals
+ * `systeminfo /find /I "processor"`
+
+
+# Software
+
+0. **System info via process lists**
+ * `pslist`
+
+ | Interogated Values | Inferred Information |
+ |-------------------------|-------------------------|
+ | System PID = 2 | Windows NT |
+ | System PID = 4 | Windows XP+ |
+ | System PID = 8 | Windows 2000 |
+ | `winint` and `lsm` | Windows Vista+ |
+ | one `csrss` | Windows XP/2003 or less |
+ | more than 2 `csrss` | Windows Vista+ |
+ | `dwm` | Windows Vista+ |
+ | `MsMpEng` | Windows Defender |
+ | `NlsSrv` | Security Essentials |
+ | `msseces` | Security Essentials |
+ | `explorer` Elapsed Time | Logon time |
+ | `smss` Elapsed Time | System Uptime |
+
+0. **System software integrity**
+ * `dir /tc /od c:\windows\system32` *`# look for most recent changes in system32 (likely suspect)`*
+
+0. **System PATH integrity**
+ * `reg query "hklm\system\currentcontrolset\control\session manager\environment" /v path`
+ * `reg query "hkcu\environment" /v path`
+
+0. **AppInit (dll) integrity**
+
+ * `reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v appinit_dlls`
+
+ All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current log on session. (TODO: move to registry.md, link to there)
+
+0. **Enumerate Persistance**
+ * `autorunsc <-b|-l>` *`# show boot and logon auto startups `*
+ * `reg query hklm\software\microsoft\windows\currentversion\run`
+ * `reg query hkcu\software\microsoft\windows\currentversion\run`
+ * `reg query hklm\software\microsoft\windows\currentversion\runonce`
+ * `reg query hkcu\software\microsoft\windows\currentversion\runonce`
+ * `reg query hklm\software\microsoft\windows\currentversion\winlogon /v shell`
+
+0. **Evaluate Files (exe, dll, sys, etc)**
+ * `dir /O:D /T:[A|C|W]`
+
+0. **Evaluate Anti-Virus Protection**
+
+ * `wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayname /format:list`
+
+ or
+
+ * make a copy of [killav.rb](https://github.com/Rendered79/metasploit/blob/master/scripts/meterpreter/killav.rb) with only the file names, one per line (avlis.txt)
+ * `$av = gc avlist.txt`
+ * `$p = gwmi win32_process | sort name -unique | select name`
+ * `$p | ?{$av -contains $_.Name}` *`# display the intersection of processes names and anti-virus names`*
+
+#EVENT LOGS
+
+Read or get data from an event log:
+ :WMIC NTEVENT WHERE SourceName="security" GET Message,EvenTtype /FORMAT:HTABLE > c:\winmgmtevents.htm (htable formats for htlm)
+ :powershell get-winevent -path C:\Windows\System32\winevt\Logs\Security.evtx
+ sc
+ wevtutil eq <log>
+
+Get last 10 entries from a log file:
+ powershell get-eventlog security -newest 10 | format-list
+ psloglist security -n 10
+ :wevtutil query-events security /count:10 /rd:true /format:xml
+ WMIC NTEVENT WHERE "LogFile='application'"
+ :powershell get-winevent -newest 10 -path C:\Windows\System32\winevt\Logs\Security.evtx
+
+ Search an event log for an event type:
+ auditpol security -f "success audit"
+ psloglist -s -t "\t" -n 20 Security | findstr /n /i "Success Audit"
+ Find all events with creating a new user:
+ To find all of the appropriate new user events, you will need to first get the user SID
+ wmic useraccount where name='username' get sid where 'username' would be 'icarus'
+ use the psloglist and findstr commands to find the relevant entries in the event logs.
+ psloglist -s -t "\t" -n 20 Security | findstr /n /i .*SID.*
+0. USERS
+ Enable a user account:
+ wmic useraccount where name="vhalen" set disabled="False"
+ Get information on a specific user:
+ :wmic useraccount where name="username" get /all /format:list
+ Get all group and user information:
+ :wmic path w32_account get /format:list
+Find currently logged on user:
+ reg query "HKCU\Volatile Environment" /v homepath
+ Reg query "hklm\software\microsoft\windows nt\currentversion\profilelist" Gets you SID
+List everything about a user:
+ wmic useraccount where name='rblum' get /format:list
+Find who was the last user to log onto a system:
+ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v defaultusername
+Disabling a user account:
+ wmic useraccount where name='john' set disabled=true
+For re-enabling user account:
+ wmic useraccount where name='john' set disabled=false
+Set password to never expire:
+ wmic useraccount where name='tstark' set PasswordExpiores=false
+
+0. DOCUMENTS AND TIMESTAMPS
+Get version of a file
+ wmic datafile where name="path_filename" get version
+Get timestamps
+ dir /t C A W - Create, LastAccess, Last Write
+ gci | select * will show all the options you can select
+ gci | select name, LastWriteTime, LastWriteTimeUTC
+
+
+#MISC
+ List the system directory
+ wmic os get systemdirectory /value
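Review bot: several commands in this file will not run as written and should be fixed before the page is published: `net service` under Situational Awareness is not a `net` subcommand (use `net start` for running services, or `sc query`); `systeminfo /find /I "processor"` under Hardware needs a pipe, `systeminfo | find /I "processor"`; `reg querey hklm\system\currentcontrolset\control\hivelist` misspells `query`; the persistence check `reg query hklm\software\microsoft\windows\currentversion\winlogon /v shell` points at the wrong key, the Shell value lives under `"hklm\software\microsoft\windows nt\currentversion\winlogon"` (quoted because of the space); `wevtutil eq <log>` should be `wevtutil qe <log>`; `get-winevent -newest 10 -path ...` should use `-MaxEvents 10` (`-Newest` belongs to Get-EventLog, not Get-WinEvent); `wmic path w32_account` should be `win32_account`; `set PasswordExpiores=false` should be `PasswordExpires`; `dir /t C A W` should read `dir /t:C`, `/t:A` or `/t:W`; and `auditpol security -f "success audit"` is not auditpol syntax (auditpol takes `/get`, `/set` and similar subcommands), so either drop it or replace it with the psloglist line that follows. Formatting: `#EVENT LOGS` and `#MISC` lack the space after `#` that the other headings use; the EVENT LOGS, USERS and DOCUMENTS sections switch to a different list style with stray leading `:` characters (e.g. `:wmic useraccount where name="username" get /all /format:list`); the lone `sc` line under "Read or get data" is a fragment; `avlis.txt` and `avlist.txt` disagree; and the `- LIVE EDIT` marker in the Networking heading plus the inline `(TODO: move to registry.md ...)` note read like working notes. Typos: `systemifo`, `aproximately` (that bullet is also unfinished: approximately equals what?), `Interogated`, `winint` (wininit), `Persistance`, `EvenTtype`, `htlm`. Two content caveats worth a sentence each: event ID 528 in the `psloglist ... "Logon Type: 10"` filter is the pre-Vista logon event (4624 on Vista and later), and the `csrss` table rows ("one" vs "more than 2") leave exactly two instances unclassified, which is the normal Vista+ count.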
windows/sysinternals/handle.md
@@ -14,3 +14,34 @@ title: "handle"
| `handle -p <PID>` | show for specific pid |
| `handle -a <NAME>` | show all |
| `handle -s <NAME>` | show statistics of handles |
+
+
+## Man
+
+ ``` none
+ handle [[-a] [-u] | [-c <handle> [-l] [-y]] | [-s]] [-p <processname>|<pid>> [name]
+ -a Dump information about all types of handles, not just those that refer to files. Other types include ports,
+ Registry keys, synchronization primitives, threads, and processes. Need to use this with any searches beyond files
+ -c Closes the specified handle (interpreted as a hexadecimal number). You must specify the process by its PID.
+ WARNING Closing handles can cause application or system instability.
+ -l Dump the sizes of pagefile-backed sections.
+ -y Don't prompt for close handle confirmation.
+ -s Print count of each type of handle open.
+ -u Show the owning user name when searching for handles.
+ -p Dump all the handles belonging to process (you can use partial names i.e. exp for explorer).
+ name Search for handles to objects with a particular name. for example, if you wanted to know which process (if any)
+ has "c:\windows\system32" open type handle windows\system The name match is case-insensitive and the fragment specified
+ can be anywhere in the paths you are interested in.
+
+ EXAMPLES
+ Disply the open handles with an instance of notepad
+
+
+ handle -a -p notepad.exe (-a is for all -p indicates process, can use fragments i.e. note or lsass )
+ Display to handle information using command shell PID
+ handle -a -p 2944 (PID of cmd.exe)
+ Find process that have a specific handle open
+ handle -a hklm\system (-a allows search of all handle types, without it will only search for files)
+ handle -a hku shows process
+
+ ```
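Review bot: the synopsis has unbalanced brackets, `handle [[-a] [-u] | [-c <handle> [-l] [-y]] | [-s]] [-p <processname>|<pid>> [name]` should end `[-p <processname>|<pid>] [name]`. The fence is indented four spaces (`    ``` none`), which Markdown treats as an indented code block with the literal backticks inside it rather than a fenced block, so the `none` hint is ignored; dedent the fence and its contents. In the examples, "Disply" is a typo, "Find process that have" should be "Find processes that have", `handle -a hku shows process` is an unfinished sentence, and the `name` entry's "type handle windows\system" would be clearer as a command on its own line, `handle windows\system`, like the other examples.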
windows/sysinternals/index.md
@@ -7,15 +7,16 @@ title: "SysInternals"
* [handle]({{< relref "windows/sysinternals/handle.md" >}})
* [listdlls]({{< relref "windows/sysinternals/listdlls.md" >}})
-* [psexec]({{< relref "windows/sysinternals/psexec.md" >}})
* [pskill]({{< relref "windows/sysinternals/pskill.md" >}})
* [pslist]({{< relref "windows/sysinternals/pslist.md" >}})
* [psservice]({{< relref "windows/sysinternals/psservice.md" >}})
* [sigcheck]({{< relref "windows/sysinternals/sigcheck.md" >}})
* [psloggedon]({{< relref "windows/sysinternals/psloggedon.md" >}})
+* [psloglist]({{< relref "windows/sysinternals/psloglist.md" >}})
-### TODO
-* [psloglist]({{< relref "windows/sysinternals/psloglist.md" >}}) - TODO
-* [autorunc]({{< relref "windows/sysinternals/autorunc.md" >}}) - TODO
-* [pssuspend]({{< relref "windows/sysinternals/pssuspend.md" >}}) - TODO
+# TODO
+* [psexec]({{< relref "windows/sysinternals/psexec.md" >}})
+* [psloglist]({{< relref "windows/sysinternals/psloglist.md" >}})
+* [autorunc]({{< relref "windows/sysinternals/autorunc.md" >}})
+* [pssuspend]({{< relref "windows/sysinternals/pssuspend.md" >}})
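Review bot: `psloglist` is now listed twice, once in the main list and again under `# TODO`; since this commit adds windows/sysinternals/psloglist.md with content, keep only the main-list entry. Moving `psexec` from the main list into TODO is unexplained and its page is not touched in this commit; say why in the commit message or leave it where it was. The heading also changed from `### TODO` to `# TODO`, while the other pages in this commit use `##` for sections (`## Examples`, `## Man`); match that. `autorunc` appears to be a typo for `autorunsc`, the name survey.md uses for the same tool.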
windows/sysinternals/listdlls.md
@@ -7,10 +7,43 @@ title: "listdlls"
* [TechNet Manual](https://technet.microsoft.com/en-us/sysinternals/bb896656)
+Reports the DLLs loaded into processes, without any filters or flags
+the results are likely to be in the order in which the dlls were loaded.
+
## Examples
-| command | description |
-|----------------------------|--------------------------------------------|
-| `listdlls <NAME/PID>` | list loaded dlls of process by name or pid |
-| `listdlls -d <MODULE>.dll` | list process with MOUDLE dll loaded |
-| `listdlls -u` | show only unsigned dlls |
-| `listdlls -v` | show dll version numbers |
+| command | description |
+|---------------------------------------------|--------------------------------------------|
+| `listdlls <NAME/PID>` | list loaded dlls of process by name or pid |
+| `listdlls -d <MODULE>.dll` | list process with MOUDLE dll loaded |
+| `listdlls -u` | show only unsigned dlls |
+| `listdlls -v` | show dll version numbers |
+| <code>listdlls | find "Command"</code> | show only the `Command line:` output |
+
+## Man
+
+ ``` none
+ listdlls [-r] [-v | -u] [processname|pid]
+ listdlls [-r] [-v] [-d dllname]
+ processname Dump DLLs loaded by process (partial name accepted).
+ pid Dump DLLs associated with the specified process id.
+ dllname Show only processes that have loaded the specified DLL.
+ -r Flag DLLs that relocated because they are not loaded at their base address.
+ -u Only list unsigned DLLs.
+ -v Show DLL version information
+ -d dllname
+
+ EXAMPLES
+ view all the Dlls that have been loaded by the command shell process
+ listdlls cmd.exe
+ display the DLLs that are loaded by notepad.exe using the process ID
+ tasklist /FI "imagename eq notepad.exe" will give you the PID
+ listdlls notepad.exe will also give you PID
+ pslist notepad (will match any Fragment i.e. note
+ listdlls 2552
+ display all the processes that have loaded the WOW64.dll loaded
+ listdlls -d wow64.dll
+ List process that is using a dll (must have pid from dll)
+ listdlls <pid> i.e. listdlls 780
+
+
+ ```
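Review bot: the `<code>listdlls | find "Command"</code>` row breaks the table: the unescaped `|` is read as a column separator regardless of the `<code>` wrapper, so write it as `\|`. The `-d dllname` entry in the man block has no description and duplicates the `dllname` line above it; drop it or put the description there. The new intro runs two sentences together; suggest "Reports the DLLs loaded into processes. Without any filters or flags the results are likely to be in the order in which the DLLs were loaded." Loose ends: `MOUDLE` (carried over from the old row, now editable), `pslist notepad (will match any Fragment i.e. note` has no closing parenthesis, "have loaded the WOW64.dll loaded" doubles "loaded", and the last example ("List process that is using a dll (must have pid from dll) listdlls <pid>") describes what `-d dllname` does, whereas `listdlls <pid>` lists the DLLs of one process; reword or drop it.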
windows/sysinternals/pslist.md
@@ -14,4 +14,44 @@ title: "pslist"
| `pslist -t` | show tree view |
| `pslist -s <S> -r <R>` | taskman mode for S seconds with periodic updates every R seconds |
| `pslist \\<SYSTEM> /u <USER> /p <PASS>` | remote plist |
-| | show/sort on priority |
+
+## Man
+
+ ``` none
+ pslist
+ -d Show thread detail.
+ -m Show memory detail.
+ -x Show processes, memory information and threads.
+ -t Show process tree.
+ -s [n] Run in task-manager mode, for optional seconds specified. Press Escape to abort.
+ -r n Task-manager mode refresh rate in seconds (default is 1).
+ \\computer Specifies remote system
+ -u username on a remote system and the account you are executing in does not have administrative privilege
+ -p password for remote user. If you specify an account name and omit the -p option PsList prompts you interactively for a password.
+ name Show information about processes that begin with the name specified.
+ -e Exact match the process name.
+ pid shows information about specified PID i.e. pslist 53 would dump statistics for the process with the PID 53.
+
+ Memory Abbreviation Key
+ All memory values are displayed in KB.
+ Pri Priority
+ Thd Number of Threads
+ Hnd Number of Handles
+ VM Virtual Memory
+ WS Working Set
+ Priv Private Virtual Memory
+ Priv Pk Private Virtual Memory Peak
+ Faults Page Faults
+ NonP Non-Paged Pool
+ Page Paged Pool
+ Cswtch Context Switches
+
+ EXAMPLES
+ view a process' memory and thread details
+ pslist -dm or pslist -x
+ view the parent-child process relationships
+ pslist -t
+ View a list of running processes on a remote computer
+ pslist \\computer -u domain\administrator -p password
+
+ ```
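Review bot: the `-u` description is a fragment, `-u username on a remote system and the account you are executing in does not have administrative privilege`; say something like "-u username  Optional user name for login to the remote system, for when the account you are running as lacks administrative rights there". The remote example `pslist \\computer -u domain\administrator -p password` puts the password on the command line even though the `-p` entry says PsList prompts when `-p` is omitted; show the example without `-p` so readers do not leave credentials in shell history. The option indentation is also uneven (`-s [n]` and `-r n` versus the rest), which matters because this is a verbatim block.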
windows/sysinternals/psloggedon.md
@@ -21,3 +21,5 @@ Summary of usage to include a table of flags if appropriate
## Examples
| command | description |
|---------|-------------|
+
+
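Review bot: this hunk only appends two blank lines to the end of the file, adding trailing-whitespace noise without changing the page; drop it from the commit. While the file is open, the examples table still has only its header row and the line above it is a placeholder ("Summary of usage to include a table of flags if appropriate"), so either fill in at least the basic `psloggedon` and `psloggedon \\computer` rows or list the page under TODO in index.md with the other unfinished tools.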
windows/sysinternals/psloglist.md
@@ -0,0 +1,53 @@
+---
+date: "2016-12-13"
+draft: false
+title: "psloglist"
+tag: ["cli", "commands"]
+category: "sysinternals"
+
+---
+
+
+## Man
+
+ ``` none
+ psloglist [- ] [\\computer[,computer[,...] | @file
+ [-u user [-p passwd]]] [-s [-t delim]]
+ [-m #|-n #|-h #|-d #|-w]
+ [-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy]
+ [-f filter] [-i ID[,ID[,...] | -e ID[,ID[,...]]]
+ [-o event source[,event source][,..]]]
+ [-q event source[,event source][,..]]]
+ [-l event_log_file] <eventlog>
+ Options
+ \\computer The computer on which the log resides. Default=local system
+ -p passwd Specify a password for user (optional). Passed as clear text. If omitted, you will be prompted to enter a hidden password.
+ -u user Specify a user name for login to remote computer(optional).
+ @file Execute the command on each of the computers listed in the file.
+ -a Dump records timestamped after specified date.
+ -b Dump records timestamped before specified date.
+ -c Clear the event log after displaying.
+ -d # Only display records from previous # days.
+ -e ID Exclude events with the specified ID or IDs (up to 10).
+ -f filter Filter event types with filter string (e.g. "-f w" to filter warnings).
+ -h # Only display records from previous # hours.
+ -i ID Show only events with the specified ID or IDs (up to 10).
+ -l event_log_file Dump records from the specified event log file.
+ -m # Only display records from previous # minutes.
+ -n # Only display # number of most recent entries.
+ -o event source Show only records from the specified event source (e.g. \"-o cdrom\").
+ -q event source Omit records from the specified event source or sources (e.g. \"-q cdrom\").
+ -r Dump log from least recent to most recent.
+ -s Print Event Log records one-per-line, with comma delimited fields. This format is convenient for text searches,
+ e.g. psloglist | findstr /i text
+ -t delim The default delimeter is a comma, but can be overriden with the specified character.
+ -w Wait for new events, dumping them as they generate (local system only).
+ -x Dump extended data.
+ eventlog application, system or security, only the first few letters need be used.
+ default=system log.
+ -accepteula Suppress the display of the license dialog.
+ Examples
+ List everyting in the application event log on computer from the last 24 hours
+ psloglist \\computer -h 24 application
+
+ ```
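Review bot: the man block carries copy artifacts: the `-o` and `-q` examples have escaped quotes (`\"-o cdrom\"`, `\"-q cdrom\"`) that should be plain `"-o cdrom"`, and the synopsis `psloglist [- ] [\\computer[,computer[,...] | @file` has unbalanced brackets. Typos: `delimeter`, `overriden`, `everyting`. Unlike the other sysinternals pages in this commit, this one has no `## Examples` table; at minimum the `-s` plus `findstr` pattern and the `-i 528` logon search that survey.md already relies on belong there. The `-p passwd` entry (documented as passed in clear text) is listed before the `-u user` it depends on; swap them so the clear-text caveat reads in context.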