Commit 70d9b1a

bryfry <bryon.fryer@gmail.com>
2016-12-12 15:49:13
12-12
1 parent ceba49b
windows/commands/auditpol.md
@@ -0,0 +1,32 @@
+---
+date: "2016-12-12"
+draft: false
+title: "auditpol"
+
+---
+
+* [TechNet Manual](https://technet.microsoft.com/en-us/library/cc731451.aspx)
+* Available in: Vista+
+
+### Alternatives
+
+  * SysInt: none known
+  * WMIC: [audit_policy_functions](https://msdn.microsoft.com/en-us/library/aa375742.aspx#audit_policy_functions)
+  * PS: none known
+
+## Usage
+
+Displays information about and performs functions to manipulate audit policies. The audit policy command-line tool can be used to:
+
+  * Set and query a system audit policy.
+  * Set and query a per-user audit policy.
+  * Set and query auditing options.
+  * Set and query the security descriptor used to delegate access to an audit policy.
+  * Report or back up an audit policy to a comma-separated value (CSV) text file.
+  * Load an audit policy from a CSV text file.
+  * Configure global resource SACLs.
+
+## Examples
+| command         | description                        |
+|-----------------|------------------------------------|
+| `auditpol /get` | Displays the current audit policy. |
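Review bot: the only example row (last line of the hunk) shows `auditpol /get` with no selector, but `/get` needs a category or subcategory; the form that dumps the whole policy is `auditpol /get /category:*`, so the row should use that. Separately, this new page lacks the `tag`/`category` front matter keys that `ipconfig.md` and `template.md` add in this same commit, so the front matter is already inconsistent across the new pages.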
windows/commands/driverquery.md
@@ -9,8 +9,8 @@ title: "driverquery"
 
 ### Alternatives
   * SysInt: [sigcheck]({{ <relref "windows/commands/sigcheck.md" > }})
-  * WMIC: [sysdriver]({{ <relref "windows/commands/sysdriver.md" > }})
-  * PS: [PnPSignedDriver](({{ <relref "windows/commands/pnpsigneddriver.md" > }})
+  * WMIC: [sysdriver]({{ <relref "windows/wmic/sysdriver.md" > }})
+  * PS: [PnPSignedDriver](({{ <relref "windows/powershell/pnpsigneddriver.md" > }})
 
 ## Examples
 
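Review bot: the two updated Alternatives lines still use `{{ <relref ... > }}`, which is not the Hugo shortcode delimiter (`{{<` with no space, closed by `>}}`, as `index.md` in this commit uses), so these links will not be resolved. The PS line also keeps the doubled `((` from the old line, `[PnPSignedDriver](({{`, which breaks the markdown link even once the shortcode is fixed; suggested: `* PS: [PnPSignedDriver]({{< relref "windows/powershell/pnpsigneddriver.md" >}})`.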
windows/commands/index.md
@@ -5,21 +5,49 @@ title: "Windows CLI Commands"
 
 ---
 
-| Command                                                         | Description                              |
-|-----------------------------------------------------------------|------------------------------------------|
-| [arp]({{< relref "windows/commands/arp.md" >}})                 | TODO 10 word description of this command |
-| [cmd]({{< relref "windows/commands/cmd.md" >}})                 | TODO 10 word description of this command |
-| [driverquery]({{< relref "windows/commands/driverquery.md" >}}) | TODO 10 word description of this command |
-| [ds]({{< relref "windows/commands/ds.md" >}})                   | TODO 10 word description of this command |
-| [icacls]({{< relref "windows/commands/icacls.md" >}})           | TODO 10 word description of this command |
-| [nbtstat]({{< relref "windows/commands/nbtstat.md" >}})         | TODO 10 word description of this command |
-| [netsh]({{< relref "windows/commands/netsh.md" >}})             | TODO 10 word description of this command |
-| [netstat]({{< relref "windows/commands/netstat.md" >}})         | TODO 10 word description of this command |
-| [pathping]({{< relref "windows/commands/pathping.md" >}})       | TODO 10 word description of this command |
-| [ping]({{< relref "windows/commands/ping.md" >}})               | TODO 10 word description of this command |
-| [sc]({{< relref "windows/commands/sc.md" >}})                   | TODO 10 word description of this command |
-| [taskkill]({{< relref "windows/commands/taskkill.md" >}})       | TODO 10 word description of this command |
-| [tasklist]({{< relref "windows/commands/tasklist.md" >}})       | TODO 10 word description of this command |
-| [template]({{< relref "windows/commands/template.md" >}})       | TODO 10 word description of this command |
-| [tracert]({{< relref "windows/commands/tracert.md" >}})         | TODO 10 word description of this command |
+Not here? Check: [ss64](http://ss64.com/nt/)
+
+
+| Command                                                         | Description                                                                    |
+|-----------------------------------------------------------------|--------------------------------------------------------------------------------|
+| [cmd]({{< relref "windows/commands/cmd.md" >}})                 |                                                                                |
+| [auditpol]( {{< relref "windows/commands/auditpol.md" >}})      | Displays information about and performs functions to manipulate audit policies |
+| [driverquery]({{< relref "windows/commands/driverquery.md" >}}) |                                                                                |
+| [ds]({{< relref "windows/commands/ds.md" >}})                   |                                                                                |
+| [icacls]({{< relref "windows/commands/icacls.md" >}})           |                                                                                |
+| [sc]({{< relref "windows/commands/sc.md" >}})                   | Service Control                                                                |
+| [systeminfo]({{< relref "windows/commands/systeminfo.md" >}})   |                                                                                |
+| [taskkill]({{< relref "windows/commands/taskkill.md" >}})       |                                                                                |
+| [tasklist]({{< relref "windows/commands/tasklist.md" >}})       |                                                                                |
+| [template]({{< relref "windows/commands/template.md" >}})       |                                                                                |
+
+## Networking
+| Command                                                   | Description |
+|-----------------------------------------------------------|-------------|
+| [ipconfig]({{< relref "windows/commands/ipconfig.md" >}})           |             |
+| [arp]({{< relref "windows/commands/arp.md" >}})           |             |
+| [tracert]({{< relref "windows/commands/tracert.md" >}})   |             |
+| [ping]({{< relref "windows/commands/ping.md" >}})         |             |
+| [pathping]({{< relref "windows/commands/pathping.md" >}}) |             |
+| [netsh]({{< relref "windows/commands/netsh.md" >}})       |             |
+| [nbtstat]({{< relref "windows/commands/nbtstat.md" >}})   |             |
+| [netstat]({{< relref "windows/commands/netstat.md" >}})   |             |
+
+
+#### TODO
+| Command                                                     | Description                                      |
+|-------------------------------------------------------------|--------------------------------------------------|
+| [doskey]({{< relref "windows/commands/doskey.md" >}})       |                                                  |
+| [set]({{< relref "windows/commands/set.md" >}})             |                                                  |
+| [setx]({{< relref "windows/commands/setx.md" >}})           |                                                  |
+| [type]({{< relref "windows/commands/type.md" >}})           |                                                  |
+| [telnet]({{< relref "windows/commands/telnet.md" >}})       |                                                  |
+| [openfiles]({{< relref "windows/commands/openfiles.md" >}}) |                                                  |
+| [find]({{< relref "windows/commands/find.md" >}})           |                                                  |
+| [findstr]({{< relref "windows/commands/findstr.md" >}})     |                                                  |
+| [runas]({{< relref "windows/commands/runas.md" >}})         | Execute a program under a different user account |
+| [attrib]({{< relref "windows/commands/attrib.md" >}})       | Change file attributes                           |
+| [bootcfg]({{< relref "windows/commands/bootcfg.md" >}})     | Edit Windows boot settings                       |
+| [bcdedit]({{< relref "windows/commands/bcdedit.md" >}})     |                                                  |
+| [bootrec]({{< relref "windows/commands/bootrec.md" >}})     |                                                  |
 
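Review bot: the auditpol row has a stray space inside the link target, `[auditpol]( {{< relref`, which some markdown renderers treat as a broken link; drop the space to match the other rows. The rewrite also removes the "TODO 10 word description" placeholders but fills in only the `auditpol` and `sc` descriptions, leaving most Description cells blank; the pages' own Usage lines (e.g. ipconfig's "Displays the current configuration of the installed IP stack") could be reused. Minor: the `ipconfig` row in the Networking table is padded wider than its header, and the heading levels jump from `##` to `#### TODO`.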
windows/commands/ipconfig.md
@@ -0,0 +1,27 @@
+---
+date: "2016-12-12"
+draft: false
+title: "ipconfig"
+tag: ["cli", "commands", "networkng"]
+category: "windows"
+
+---
+* [TechNet Manual](https://technet.microsoft.com/en-us/library/), [ss64 Manual](http://ss64.com/nt/)
+* Available In: All Windows
+
+### Alternatives
+  * SysInt: none known
+  * WMIC: none known
+  * PS: none known
+
+
+## Usage
+
+Displays the current configuration of the installed IP stack on a networked computer.
+
+## Examples
+| command                | description                                       |
+|------------------------|---------------------------------------------------|
+| `ipconfig /all`        | Display full configuration information            |
+| `/release < adapter >` | Releases the IP address for a specified interface |
+| `/renew < adapter >`   | Renews the IP address for a specified interface   |
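Review bot: the `/release` and `/renew` rows omit the `ipconfig` prefix and put spaces inside the angle brackets, so a reader copying them gets `/release < adapter >`, which is not the syntax; suggested `ipconfig /release <adapter>` and `ipconfig /renew <adapter>`. Also `"networkng"` in the `tag` list is a typo for `"networking"`, and the TechNet Manual link points at the library root rather than the ipconfig page.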
windows/commands/netsh.md
@@ -9,20 +9,19 @@ Advanced networking command-line utility.
 
 ## Resources
 
-| Description                                                  | Link                                                                     |
-|--------------------------------------------------------------|--------------------------------------------------------------------------|
-| Shows: Enabling ports, services, programs, logging, and more | <https://support.microsoft.com/en-us/kb/947709>                          |
-| Logging Specific information                                 | <https://technet.microsoft.com/en-us/library/cc787462%28v=ws.10%29.aspx> |
-| Disabling specific firewall profiles                         | [MSDN](https://msdn.microsoft.com/en-us/library/dd772588)                |
-| `netsh advfirewall firewall` docs                            | [TechNet](https://technet.microsoft.com/en-us/library/dd734783)          |
-| Some additional examples (old and new firewall cmds)         | [support.microsoft](https://support.microsoft.com/en-us/kb/947709)       |
+| Description                                                  | Link                                                                                        |
+|--------------------------------------------------------------|---------------------------------------------------------------------------------------------|
+| `netsh advfirewall firewall` docs                            | [TechNet](https://technet.microsoft.com/en-us/library/dd734783)                             |
+| Logging Specific information                                 | [TechNet - Logging](https://technet.microsoft.com/en-us/library/cc787462%28v=ws.10%29.aspx) |
+| Disabling specific firewall profiles                         | [MSDN](https://msdn.microsoft.com/en-us/library/dd772588)                                   |
+| Shows: Enabling ports, services, programs, logging, and more | [MS Support](https://support.microsoft.com/en-us/kb/947709)                                 |
 
 
 ## Firewall
 
 On older systems `netsh firewall` works. For newer systems use `netsh advfirewall firewall`.
 
-Get into the Firewall Configuration mode
+To enter into the Firewall Configuration mode
 
 ```bash
 netsh advfirewall
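Review bot: "To enter into the Firewall Configuration mode" reads awkwardly and is not a complete sentence; suggested "To enter the firewall configuration context:" (netsh calls these contexts). The consolidated Resources table is fine; the duplicate KB 947709 row was correctly dropped.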
@@ -35,170 +34,102 @@ Platform (WPF) has functionality in both User Mode and Kernel Mode.
 
 Check and change the status of the firewall
 
-|                     Command                      |          Description           |
-|--------------------------------------------------|--------------------------------|
-| `netsh advfirewall show allprofiles`             | Display status of all profiles |
-| `netsh advfirewall set allprofiles state off`    | Turn off all profiles          |
-| `netsh advfirewall set allprofiles state on`     | Turn on all profiles           |
-| `netsh advfirewall show currentprofile`          | Show the current profile       |
-| `netsh advfirewall set currentprofile state off` | Turn the current profile off   |
-| `netsh advfirewall set currentprofile state on`  | Turn the current profile on    |
-|                                                  |                                |
-
-Example:
-
-```bash
-# Turn off public firewall
-netsh advfirewall set public state off
-# Another way to turn off/on existing firewall network profiles
-# enable
-netsh firewall set opmode profile=all mode=enable
-# disable
-netsh firewall set opmode profile=all mode=disable
-```
+| Command                                              | Description                                                   |
+|------------------------------------------------------|---------------------------------------------------------------|
+| `netsh advfirewall show allprofiles    `             | Display properties for all profiles.                          |
+| `netsh advfirewall show currentprofile `             | Display properties for the active profile.                    |
+| `netsh advfirewall show domainprofile  `             | Display properties for the domain properties.                 |
+| `netsh advfirewall show global         `             | Display the global properties.                                |
+| `netsh advfirewall show privateprofile `             | Display properties for the private profile.                   |
+| `netsh advfirewall show publicprofile  `             | Display properties for the public profile.                    |
+| `netsh advfirewall show store          `             | Display the policy store for the current interactive session. |
+| `netsh advfirewall set allprofiles state off`        | Turn off all profiles                                         |
+| `netsh advfirewall set allprofiles state on`         | Turn on all profiles                                          |
+| `netsh advfirewall set currentprofile state off`     | Turn the current profile off                                  |
+| `netsh advfirewall set currentprofile state on`      | Turn the current profile on                                   |
+| `netsh advfirewall set public state off`             | Turn off public profile  firewall                             |
+| `netsh firewall set opmode profile=all mode=enable`  | Alternative syntax to enable a profile                        |
+| `netsh firewall set opmode profile=all mode=disable` | Alternative syntax to disable a profile                       |
 
 ### Review Firewall Rules
 
-|                                    Command                                    |                Description                 |
+| Command                                                                       | Description                                |
 |-------------------------------------------------------------------------------|--------------------------------------------|
 | `netsh advfirewall show currentprofile`                                       | Display status of current profile          |
 | `netsh advfirewall firewall show rule profile=private name=all`               | Replace "profile" for the current profile. |
 | `netsh advfirewall firewall show rule profile=private name=all > fwrules.txt` | Get output as a text file for review       |
-|                                                                               |                                            |
-
-Example:
-
-```bash
-# Show all the rules on the system
-netsh advfirewall firewall show rule name=all
-# Show all the rules on the private profile
-netsh advfirewall firewall show rule profile=private name=all
-# Filter for a rule name, 
-```
-
-### Enable/Disable
-
-For individual rules:
-
-```bash
-# Enable a rule
-netsh advfirewall firewall set rule name="NameOfFirewallRule" new enable=yes
-# Disable a rule
-netsh advfirewall firewall set rule name="NameOfFirewallRule" new enable=no
-```
-
-For a rule group:
-
-```bash
-# This enables file and printer sharing
-# Disable
-netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no
-# Enable
-netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
-```
-
-### Add a rule
-
-```bash
-# Add SSH 
-netsh advfirewall firewall add rule
-  name="Secure Shell"
-  dir=in
-  action=allow
-  protocol=TCP
-  localport=22
-  remoteport=49155
-  profile=any
-# Verify
-netsh advfirewall firewall show rule name="Secure Shell"
-```
-
-Create a rule that will allow inbound TCP traffic from a specific IP address and
-source port to a specific destination port:
-
-```bash
-netsh advfirewall firewall add rule
-  name="Rule Name"
-  dir=in
-  protocol=tcp
-  localport=31337
-  remoteport=6666
-  remoteip=192.168.11.14
-  profile=private
-  action=allow
-```
-
-#### Add a Program
-
-```bash
-netsh advfirewall firewall add rule
-  name="FOX"
-  dir=in
-  action=allow
-  program="C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
-  enable=yes
-```
-
-### Delete
-
-```bash
-netsh advfirewall firewall delete rule name="<Rule Name>"
-```
-
-### Backup/Import
-
-Export current settings:
-
-```bash
-netsh advfirewall export PATH
-# Example
-netsh advfirewall export "C:\FW-Before-Changes.wfw"
-```
-
-Import settings:
-
-```bash
-netsh advfirewall import "C:\FW-Before-Changes.wfw"
-```
-
-
-### Enable/Disable Windows Firewall log 
-
-To enable or disable the Windows Firewall log:  
-
-```bash
- netsh firewall set logging droppedpackets=enable connections=enable
-```
-
-### Respond to Pings
-
-```bash
-netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
-```
-
-### Turn on RDP
-
-```bash
-# newer netsh
-systems advfirewall firewall set rule group="remote desktop" new enable=Yes
-
-# older systems
-netsh firewall set service type = remotedesktop mode = enable 
-```
-
-### Turn on File Sharing
-
-```bash
-# xp, enable
-netsh firewall set service type = fileandprint mode = enable
-# xp, disable
-netsh firewall set service type = fileandprint mode = disable
-
-# Newer
-netsh advfirewall firewall set rule group="Network Discovery" new enable=no
-netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no
-# Enable
-netsh advfirewall firewall set rule group="Network Discovery" new enable=yes
-netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
-```
-
+| `netsh advfirewall firewall show rule name=all`                               | Show all the rules on the system           |
+| `netsh advfirewall firewall show rule profile=private name=all`               | Show all the rules on the private profile  |
+
+### Enable/Disable Rules
+
+| Command                                                                               | Description                 |
+|---------------------------------------------------------------------------------------|-----------------------------|
+| `netsh advfirewall firewall set rule name="NameOfFirewallRule" new enable=yes `       | Enable an individal rule    |
+| `netsh advfirewall firewall set rule name="NameOfFirewallRule" new enable=no`         | Disable an individual  rule |
+| `netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes` | Enable a group rule         |
+| `netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no`  | Disable a group rule        |
+
+### Add a Port based rule
+
+  ```bash
+  # Add SSH 
+  netsh advfirewall firewall add rule
+    name="Secure Shell"
+    dir=in
+    action=allow
+    protocol=TCP
+    localport=22
+    remoteport=49155
+    profile=any
+  # Verify
+  netsh advfirewall firewall show rule name="Secure Shell"
+  ```
+
+
+  ```bash
+  # Create a rule that will allow inbound TCP traffic
+  # from a specific IP address and source port 
+  # to a specific destination port:
+  netsh advfirewall firewall add rule
+    name="Rule Name"
+    dir=in
+    protocol=tcp
+    localport=31337
+    remoteport=6666
+    remoteip=192.168.11.14
+    profile=private
+    action=allow
+  # Verify
+  netsh advfirewall firewall show rule name="Rule Name"
+  ```
+
+#### Add a Program based rule
+
+  ```bash
+  netsh advfirewall firewall add rule
+    name="FOX"
+    dir=in
+    action=allow
+    program="C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
+    enable=yes
+  ```
+
+### Delete, Backup, Import
+| Command                                                                       | Description                                |
+|-------------------------------------------------------------------------------|--------------------------------------------|
+| `netsh advfirewall firewall delete rule name="<Rule Name>"` | Delete Rule by Name | 
+| Example Needed | Delete Rule by Port | 
+| `netsh advfirewall export "C:\FW-Before-Changes.wfw"` | Export firewall rules| 
+| `netsh advfirewall import "C:\FW-Before-Changes.wfw"` | Import a firewall backup file |
+
+### Common and Useful rules
+| Command                                                                                                                    | Description                   |
+|----------------------------------------------------------------------------------------------------------------------------|-------------------------------|
+| `netsh firewall set logging droppedpackets=enable connections=<enable/disable>`                                            | Enable / Disable Firewall Log |
+| `netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow` | Respond to Pings              |
+| `netsh firewall set service type = remotedesktop mode = enable`                                                            | Turn on RDP (xp)              |
+| `netsh advfirewall firewall set rule group="remote desktop" new enable=Yes`                                                | Turn on RDP                   |
+| `netsh firewall set service type = fileandprint mode = <enable/disable>`                                                   | File share (xp)               |
+| `netsh advfirewall firewall set rule group="Network Discovery" new enable=<yes/no>`                                        | File Share                    |
+| `netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=<yes/no>`                                 | File Share                    |
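Review bot: the three `add rule` blocks split one command across lines (`netsh advfirewall firewall add rule` followed by `name=...`, `dir=in`, ... on their own lines); cmd.exe has no implicit continuation, so each line runs as a separate command and the rule is never created. Either join each command onto one line or end the continued lines with `^`. Also in this hunk: the log row only parameterises `connections=<enable/disable>` while `droppedpackets=enable` stays fixed; the "Example Needed" row is a placeholder committed as content; "Display properties for the domain properties." should read "domain profile"; "individal" is a typo; the `show` commands carry trailing spaces inside the backticks; and the Network Discovery rows are described as "File Share".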
windows/commands/template.md
@@ -2,11 +2,15 @@
 date: "2016-12-01"
 draft: false
 title: "template"
+tag: ["cli", "commands"]
+category: "windows"
+
 
 ---
 
 ```
-* [TechNet Manual]({{< relref "windows/commands/template.md" >}})
+* [TechNet Manual](https://technet.microsoft.com/en-us/library/), [ss64 Manual](http://ss64.com/nt/)
+* Available In: Vista+
 
 ### Alternatives
   * SysInt: [pstemplate]({{< relref "windows/sysinternals/pstemplate.md" >}})
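Review bot: the new front matter keys `tag` and `category` are not Hugo's default taxonomies (`tags` and `categories`, plural), so unless the site config defines `tag`/`category` taxonomies these values are never indexed; the same keys are used in the new `ipconfig.md`. Since this is the template other pages are copied from, it also carries the stray ``` line into every new page, and the added blank line before `---` leaves two consecutive blanks in the front matter.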
windows/meta/win_env.md → windows/meta/env.md
File renamed without changes
windows/meta/index.md
@@ -1,6 +1,15 @@
 ---
 date: "2016-12-01"
 draft: false
-title: "Windows"
+title: "Windows Meta"
 
 ---
+
+
+* [auditing]({{< relref "windows/meta/auditing.md" >}})
+* [env]({{< relref "windows/meta/env.md" >}})
+* [kernel]({{< relref "windows/meta/kernel.md" >}})
+* [passive]({{< relref "windows/meta/passive.md" >}})
+* [registry]({{< relref "windows/meta/registry.md" >}})
+* [sid]({{< relref "windows/meta/sid.md" >}})
+
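Review bot: the new list links `auditing.md`, `registry.md` and `sid.md` via relref, but this commit neither adds nor renames those files; Hugo's relref fails the build when the target page does not exist, so confirm they are present. The `ntfs.txt` and `randy-meta.txt` notes added in this commit are not linked here, and with a `.txt` extension Hugo will not render them as pages anyway. Minor: two blank lines at the end of the file.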
windows/meta/win_kernel.md → windows/meta/kernel.md
File renamed without changes
windows/meta/ntfs.txt
@@ -0,0 +1,63 @@
+NTFS
+
+## NTFS - Advanced Features [WISEp2-426]
+
+* Multiple data streams
+* Unicode-based names (max len=255)
+* General indexing facility
+* Dynamic bad-cluster remapping
+* Hard links
+* Symbolic (soft) links and junctions
+* Compression and sparse files
+* Change logging
+* Per-user volume quotas
+* Link tracking
+* Encryption
+* POSIX support
+* Defragmentation
+* Read-only support and dynamic partitioning
+
+## MFT
+
+All records are 1KB, one for each file on the volume
+
+| System File           | File Name | MFT Record | Purpose of the File                                                                                                                                                                                                                                                                                  |
+|-----------------------|-----------|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Master file table     | $Mft      | 0          | Contains one base file record for each file and directory on an NTFS volume. If the allocation information for a file or directory is too large to fit within a single record, other file records are allocated as well.                                                                             |
+| Master file table 2   | $MftMirr  | 1          | A duplicate image of the first four records of the MFT. This file guarantees access to the MFT in case of a single-sector failure.                                                                                                                                                                   |
+| Log file              | $LogFile  | 2          | Contains a list of transaction steps used for NTFS recoverability. Log file size depends upon the volume size. It is used by Windows 2000 to restore consistency to NTFS in the event of a system failure. For more information about the log file, see "NTFS Recoverability" later in this chapter. |
+| Volume                | $Volume   | 3          | Contains information about the volume, such as the volume label and the volume version.                                                                                                                                                                                                              |
+| Attribute definitions | $AttrDef  | 4          | A table of attribute names, numbers, and descriptions.                                                                                                                                                                                                                                               |
+| Root file name index  | $         | 5          | The root directory.                                                                                                                                                                                                                                                                                  |
+| Cluster bitmap        | $Bitmap   | 6          | A representation of the volume showing which clusters are in use.                                                                                                                                                                                                                                    |
+| Boot sector           | $Boot     | 7          | Includes the bootstrap for the volume if it is a bootable volume.                                                                                                                                                                                                                                    |
+| Bad cluster file      | $BadClus  | 8          | Contains bad clusters for the volume.                                                                                                                                                                                                                                                                |
+| Security file         | $Secure   | 9          | Contains unique security descriptors for all files within a volume.                                                                                                                                                                                                                                  |
+| Upcase table          | $Upcase   | 10         | Converts lowercase characters to matching Unicode uppercase characters.                                                                                                                                                                                                                              |
+| NTFS extension file   | $Extend   | 11         | Used for various optional extensions such as quotas, reparse point data, and object identifiers.                                                                                                                                                                                                     |
+|                       |           | 12–15      | Reserved for future use.                                                                                                                                                                                                                                                                             |
+|                       |           | 17-23      | Sometimes uses as overflow when reserved entries are not enough [FSFA-285]
+
+## Standard Attributes (MFT File) [WISEp2-448]
+
+| Attribute               | Type ID | Size (bytes) | Notes                                                  |
+|-------------------------|---------|--------------|--------------------------------------------------------|
+| `$STANDARD_INFORMATION` | 16      | 72           | ownership, security, quota, and time stamp information |
+| `$FILE_NAME`            | 48      | 66           | same info as STD_INFO but not updated                  |
+| `$DATA`                 | 128     | Variable     | file content, less than 700 bytes = resident           |
+
+Timestamsps (in `STANDARD_INFORMATION`)
+• Creation time
+• Modified time
+• MFT Modified time
+• Accessed time
+
+## Other
+
+Opertunisitic Lock - oplock
+Metadata files - TODO?
+
+
+[FSFA-285]: File System Forensic Analysis - Page 285
+[WISEp2-426]: Windows Internals, Sixth Edition, Part 2 - page 426
+[WISEp2-448]: Windows Internals, Sixth Edition, Part 2 - page 448
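Review bot: this file is markdown (headings, tables, reference-style links) but is added as `ntfs.txt`, so Hugo will not render it and it is not reachable from `windows/meta/index.md`; rename to `ntfs.md` and add it to the index. Within the content: the last MFT table row (`17-23`) is missing its closing `|`, and uses a hyphen where the previous row uses an en dash (`12–15`); "Timestamsps" and "Opertunisitic" are typos; the timestamp list uses `•` bullets, which will not render as a list, where the rest of the file uses `*`; and the `$LogFile` description keeps "later in this chapter" from the source text it was copied from.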
windows/meta/win_passive.md → windows/meta/passive.md
File renamed without changes
windows/meta/randy-meta.txt
@@ -0,0 +1,246 @@
+Case Study examples - Several ways of doing the same function
+# PROCESSES
+List All running processes
+    pslist
+    wmic process list /format:list
+    wmic process list brief
+        wmic process get description - gets just the name
+    wmic process get description,commandline 
+    handle -a  (add hku for user processes? )
+    handle -u shows process owner
+    'handle c:\users - shows all the processes starting from c:\users
+    
+    
+Get a single process:
+    wmic process where "description=vstoolsd.exe" will list everything but hard to read
+    'wmic process where "description=vstoolsd.exe" get name,descrption,commandline /format:list eaiser to read
+    handle -p svchost 
+    
+Get the executable path for all running processes:
+    wmic process get name.executablepath
+    listdlls will show the path plus all the dlls, may be alot to look through
+    
+    
+Identify the number of logical processors on the target system:
+    wmic cpu get numberoflogicalprocessors
+    pslist # of threads in the IDLE process equals processors, SMSS 
+    systeminfo (add /find /I "processor")
+    
+Determine which port(s) W32Time.dll is listening on:
+    1st step is to get the process ID.   in this case since w32time is started by svchost it will not show useing pslist
+
+    sc queryex w32time
+    tasklist /FI "services eq w32time" 
+
+    listdlls -d w32time.dll
+    Once you have the PID run netstat -ano to match process ID to port
+    
+List the DLLs associated with processes:
+    tasklist /m
+    autorunsc -k  (shows all the DLLs and their path, )
+    
+List services that are running with procesess:
+    tasklist /svc
+    
+List all the processes running on a host:
+    tasklist 
+    pslist \\computername -u user -p password on a remote system
+    
+Which of the following binaries was used to generate the process listening on port 135:
+
+    1st Run netstat -ano to find listening on 135
+        Run tasklist /fi "pid eq <proces id>" 
+    
+"System" process is currently listening on the following port(s)? :
+    tasklist /fi "imagename eq system"
+    netstat -ano 
+   
+Kill a proccess on a remote computer by PID:
+    taskkill /s xp.ops.local /u xp\administrator /p L33tHax0r /PID 1187
+    
+# REGISTRY
+Find current or last known good settings in Registry:
+    reg query hklm\system\select - shows all 4 options Last Good Known,if 0x1 points to ControlSet001, 0x2 points to ControlSet002
+Find a registry Key for SAM:
+    reg query HKLM\sam\sam\domains\account (shows all /v looks for a value i.e. /v v shows machine SID)
+Create a registry entry on a remote host:
+    reg add \\xp.ops.local\HKLM\Software\hawkeye
+    reg query \\xp.ops.local\HKLM\Software\hawkeye
+Check for all subkeys and values in a registry location:
+    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons /s
+Find a specific value:
+    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel /v {450D8FBA-AD25-11D0-98A8-0800361B1103}
+Change a registry value 0 in this example chaning the GUID value:
+    1st step - query the value to see what the value type is, then add using /t for type and /d for data
+    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel /v {450D8FBA-AD25-11D0-98A8-0800361B1103} /t REG_DWORD /d 0x0
+Find registy entries:
+    regfind -y sets case insensitive
+    regfind "192.168.11.12" - searches just the path
+    regfind -n "registeredOwner" -  registry keys, and values
+    handle -?
+Find a hotfix install date:
+    regfind "KB905474" to get the path (in this example, KB is for WGA)
+    regquery "hklm\software\microsoft\winodws\currentversion\uninstall\wganotify"
+    
+PowerShell Registry:
+    'Get-Item -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - item will only show the last entry setting i.e version
+    'get-childitem registry::hklm\software - gets all registry keys in software hive - (hard to read all)
+    'get-childitem registry::hklm\SAM\SAM\Domains\Account - will show all entries in Account and below
+    
+# Services
+Show all running services:
+    net start
+    sc query
+    gwmi win32_service | where {$_.state -eq 'running'}
+    Get-WmiObject Win32_Service -filter "State like 'Running'" | select name - will just show name
+    Get-CimInstance -ClassName Win32_Service | where state -match 'running
+    'wmic service get name,pathname /format:list
+    'wmic service where state='running' get name,pathname,status,state /format:list
+    psserivce
+    
+Show all running services on a remote host:
+    sc \\xp.ops.local
+    gwmi win32_service -computername win7 -credential fred | where {$_.state -eq 'running'}
+    psservice \\computer -u user -p password
+    'wmic /node:XP service get name,pathname /format:list
+    psservice \\xp.ops.local -u xp\administrator -p L33tHax0r query -s all
+Query the status of Windows "Security Center" serivce (on XP):
+    psservice \\xp.ops.local -u administrator -p L33thax0r query "Security Center" or you can use service name wscsvc
+    psservice \\xp.ops.local -u xp\administrator -p L33tHax0r query wscsvc
+    psservice querry "Display Name or Service Name"
+    
+Start/Stop/pause a service:
+    net start <"service display name"> i.e. "print spooler" not spoolsv.exe or spooler
+    sc start spooler
+    psservice stop w32time  or  psservice stop "Windows Time"
+    psservice start w32time
+    
+Find a service name associated with the services display name:
+    sc getkeyname "Display_Name"  i.e sc getkeyname "Print Spooler"
+    
+Change a service:
+    sc config <service name> option i.e.  sc config netlogon start= "disabled"  (space after = is required)
+    sc config <service name> by itself will give you the options/format you can change
+    psservice config "Windows Event Collector" or psservice config wecsvc
+    psservice config wecsvc /? Shows you options
+    
+Look at services that are set to start automatically:
+    wmic SERVICE WHERE StartMode="Auto" GET Name, State
+Get service dependcies:
+    psservice depend <service>
+Get configuration of a service:
+    psservice config wecsvc
+Config the Windows "Parental Controls" service to start automatically:
+    psservice setconfig "parental Controls" auto
+    
+# SIDS
+    
+Get a users SID:psgetsid <username>
+    wmic useraccount where name='<username>' get sid
+    wmic useraccount where name='%username%' get sid  - gets SID of current logged on user
+    wmic useraccount where (name='administrator' and domain='%computername%' - gets SID of local administrator
+    wmic useraccount get name,sid - gets all SIDs 
+    req query hku - this will give you all user SIDs
+    psgetsid <username>
+    'gci registry::hku
+Get a user name from a SID:
+    wmic useraccount where sid='S-1-3-12-1234525106-3567804255-30012867-1437' get name
+    psgetsid <sid>
+    
+Decode a machine SID:
+    reg query HKLM\SAM\SAM\Domains\Account /v V
+    Copy the last 12 bytes from the entry 75B97554D805B44DF09C85F
+    Divide into 3 sections 75B97554 D805B44D F094C85F
+    Reverse the order of of each group  54 75 B9 75  4D B4 05 D8  5F C8 94 F0
+    Convert each section into decimal 1417001333  1303643608 1606980848 That is the machine SID
+    
+Find the next available RID:
+    reg query HKLM\SAM\SAM\Domains\Account /v F
+    Count to offset 0x48 (72 in decimal) next 4 bytes i.e. EF 03
+    reverse bytes 03EF, convert to decimal 1007
+    
+    
+#EVENT LOGS
+
+Read or get data from an event log:
+    :WMIC NTEVENT WHERE SourceName="security" GET Message,EvenTtype /FORMAT:HTABLE > c:\winmgmtevents.htm  (htable formats for htlm)
+    :powershell get-winevent -path C:\Windows\System32\winevt\Logs\Security.evtx
+    sc 
+    wevtutil eq <log>
+    
+Get last 10 entries from a log file:
+    powershell get-eventlog security -newest 10 | format-list
+    psloglist security -n 10
+    :wevtutil query-events security /count:10 /rd:true /format:xml
+    WMIC NTEVENT WHERE "LogFile='application'"
+    :powershell get-winevent -newest 10 -path C:\Windows\System32\winevt\Logs\Security.evtx
+
+ Search an event log for an event type:
+    auditpol security -f "success audit"
+    psloglist -s -t "\t" -n 20 Security | findstr /n /i "Success Audit"
+ Find all events with creating a new user:
+    To find all of the appropriate new user events, you will need to first get the user SID 
+        wmic useraccount where name='username' get sid where 'username' would be 'icarus'
+    use the psloglist and findstr commands to find the relevant entries in the event logs. 
+        psloglist -s -t "\t" -n 20 Security | findstr /n /i .*SID.* 
+# USERS
+ Enable a user account:
+    wmic useraccount where name="vhalen" set disabled="False"
+ Get information on a specific user:
+    :wmic useraccount where name="username" get /all /format:list
+ Get all group and user information:
+    :wmic path w32_account get /format:list
+Find currently logged on user:
+    reg query "HKCU\Volatile Environment" /v homepath
+    Reg query  "hklm\software\microsoft\windows nt\currentversion\profilelist"  Gets you SID
+List everything about a user:
+    wmic useraccount where name='rblum' get /format:list    
+Find who was the last user to log onto a system:    
+    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v defaultusername
+Disabling a user account:
+    wmic useraccount where name='john' set disabled=true
+For re-enabling user account:
+    wmic useraccount where name='john' set disabled=false
+Set password to never expire:
+    wmic useraccount where name='tstark' set PasswordExpiores=false
+ 
+# DOCUMENTS AND TIMESTAMPS
+Get version of a file
+    wmic datafile where name="path_filename" get version 
+Get timestamps
+    dir /t C A W - Create, LastAccess, Last Write
+    gci | select * will show all the options you can select
+    gci | select name, LastWriteTime, LastWriteTimeUTC
+    
+#FIREWALLS
+Get Firewall information for an XP box:
+    From the XP OS
+        netsh firewall show config
+    Remotely (if enabled)
+        netsh -r "xp.ops.local" -u Administrator -p <pswd> advfirewall show currentprofile
+
+Get Firewall information for Vista + :
+    netsh advfirewall show allprofiles
+    netsh advfirewall show currentprofile
+Turn off/on fireall - local/remote:  
+        netsh advfirewall set allprofiles state off
+        netsh -r computername advfirewall set publicprofile state on
+        netsh -r computername advfirewall set privateprofile state off
+Display Firewall Rules:
+    netsh advfirewall firewall show rule profile=private name=all > fwrules.txt
+
+Change firewail Logging Settings: 
+    XP locally
+    netsh firewall set logging %systemroot%\system32\LogFiles\Firewall\pfirewall.log 4096 ENABLE ENABLE (enables dropped pkts and connections)
+    
+Change a firewall rule GROUP for Everyone:
+    f
+    Change a firewall rule GROUP for specific profiles (Group rules cannot be changed by profile):
+    1st get the all the rules in the group
+    netsh advfirewall firewall show rule name=all | find /i "File and Print"
+    change each rule individually
+    netsh advfirewall firewall set rule name="File and Printer Sharing (NB-Session-In)" new enable=yes profile=domain,public
+    
+#MISC    
+    List the system directory
+    wmic os get systemdirectory /value
\ No newline at end of file
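Review bot: this file commits a real-looking credential in several commands: `taskkill /s xp.ops.local /u xp\administrator /p L33tHax0r /PID 1187` and the `psservice \\xp.ops.local -u xp\administrator -p L33tHax0r ...` lines (plus `-p L33thax0r` in the Security Center query); replace it with a placeholder such as `<password>`, as randy-remoteing.txt in this commit already does, and rotate it if it was ever used outside the lab. Several commands also will not run as written: `wmic process get name.executablepath` (properties are comma-separated, `name,executablepath`), `req query hku`, `regquery "hklm\software\microsoft\winodws\..."` (`reg query`, `windows`), `psserivce`, `psservice querry`, `set PasswordExpiores=false` (`PasswordExpires`), and `wevtutil eq <log>` (the query-events short form is `qe`, as the long form `wevtutil query-events` a few lines later shows). Under `#EVENT LOGS`, `auditpol security -f "success audit"` is not auditpol syntax; auditpol manages audit policy (`/get`, `/set`, `/list`, ...) and does not search logs, so this line probably belongs to a different tool. The `Change a firewall rule GROUP for Everyone:` entry contains only a stray `f`.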
windows/meta/randy-reg.txt
@@ -0,0 +1,179 @@
+FIND A SERIVCE Pack DATE
+
+	regfind "Service Pack 3" - results show entry is in CSDVersion  Hex value show SP 9x0300 SP3, 0x0100 SP!
+	reg query HKLM\System\CurrentControlSet\Control\Windows
+	PS [timezone]::CurrentTimeZone.ToLocalTime(([datetime]'1/1/1970').AddSeconds($(get-itemproperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion').InstallDate)) 
+
+FIND USERS BY SID
+	Reg query  "hklm\software\microsoft\windows nt\currentversion\profilelist" 
+	wmic useraccount list brief
+
+FIND USERS CURRENTLY LOGGED ON SYSTEM
+	reg query HKLM\System\CurrentControlSet\Control\Hivelist
+		look for name pairs SID and classes - convert SID to name
+			psgetsid <SID> 
+			wmic useraccount list brief - gives all user inlcuding not logged in
+			wmic useraccount where sid='S-1-3-12-1234525106-3567804255-30012867-1437' get name
+
+FIND ALL USERS ON A HOST
+	reg query HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\users\names 
+	reg query HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\users  - shows that RID of users (note this is not the next available RID)
+	
+FIND THE LAST PERSON TO LOGIN (UNDER THE DEFAULTUSERNAME)	
+	reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
+			
+FIND STARTUP PROGRAMS IN REGISTRY
+
+RunServiceOnce subkey: designed to start service programs before user logs on and before other registry subkeys start. 
+
+	reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (key may not exist) 
+	reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (key may not exist) 
+
+RunServices subkey: loads immediately after RunServicesOnce and before user logon. 
+
+	Reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices (key may not exist) 
+	reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices (key may not exist) 
+
+Run subkey: The Run subkey in HKLM runs immediately before the Run subkey in HKCU. 
+	reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 
+	reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  
+
+RunOnce subkey: primarily used by Setup programs. The HKLM subkey version of RunOnce runs programs immediately after logon and before other registry Run entries. The HKCU subkey version of RunOnce runs programs after Run subkeys and after the Startup folder. 
+
+	reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce 
+	reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
+	reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (XP only) 
+reg
+RunOnce\Setup subkey: specifies programs to run after the user logs on Explorer\Run subkey: 
+
+	reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 
+	reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 
+
+Userinit subkey: there is an entry for userinit.exe but subkey can accept multiple comma-separated values. Can't find where program starting? Look here. 
+
+	reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" 
+	
+Programs that start from Appinit_DLL registry setting (Can indicate Virus)
+	
+	reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\windows" /v AppInit_DLLs
+
+Other locations for specific startup 
+
+	reg query "HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /v StartupPrograms			
+	reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
+	reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
+	reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"	
+		This only provides GUIDs 
+	
+Find the Current Control Set and Last Good Known
+	reg query HKLM\system\Select - Hex value shows the control set 
+	
+Find the Computer name
+	reg query "HKLM\System\ControlSet001\Control\computername\activecomputername"
+	
+
+reg query "HKLM\System\CurrentControlSet\Control\Session Manager\FileRenameOperations" 
+
+reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" 
+
+Find the Default User Name
+	reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" 
+
+
+
+
+
+___________________________________________________________
+FROM EXERCISE
+Manually search the registry for the Wireshark subkey 
+HKU\S-1-5-21-1891946569-2026382101-2396600481-500\Software\Wireshark
+or
+regfind -n UpdateInterval.
+
+What are some of the registry values stored within the Drive subkey under HKEY_CLASSES_ROOT? (Select all that apply.)
+To answer this question, in the Windows command shell, you will need to perform a reg query on the Drive subkey under the HKCR root key. The correct syntax for this query is reg query HKCR\Drive.
+
+Question 3 
+Examine the registry key: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account. What value is stored in the last 12 bytes of the V value?
+
+local computer's SID as it is stored in the registry. 
+HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account 
+
+reg query HKU
+
+Question 5 
+Examine the registry key: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System. What is the data value for the SystemBiosDate?
+
+reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System
+reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership
+-1305.
+
+This question is directing you to identify the data stored in the value Group6 under the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership on the local computer. 
+reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership within the registry. Locate the Group6 value and read the data it stores.
+
+What is the string value stored within the Run subkey under the HKLM hive?
+\Software. 
+-p RegistryPathKey, where RegistryPathKey is the point in the registry where your search will start.
+
+Examine the WinStations subkey within the HKLM hive. What port is RDP configured to use?
+regfind -n WinStation. 
+You will notice under the System hive, it provides the paths through ControlSet001 and ControlSet002. 
+You can navigate down either of these paths or substitute the CurrentControlSet subkey in their place. Once you have navigated to the 
+HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations subkey, 
+you will notice two additional subkeys. The RDP configuration settings are stored in the RDP-TCP subkey. Within this subkey you will find the value: PortNumber. The data stored within this value (0x22B8) is a hexidecimal value. You will need to convert this value to find the correct answer of 8888.
+
+What executables are being launched from the Run subkey under the HKCU hive? 
+In order to answer this question, you will need to determine the registry path to the Run under the HKCU root key. There are a couple of methods you can use to accomplish this.
+regfind -n  -h HKCU Run
+The first method would be to run the regfind -n Run command. This command will search the entire registry for instances of subkeys and values named Run. If you choose this method, you will need to search through a lengthy return to locate the Run under HKCU. You could also run this command with the -h HKCU switch. This directs reg query to begin its search at the HKCU root key. This query will enable you to discover the registry path to the Run key. Then simply perform the following registry query: 
+reg query hkcu\software\microsoft\windows\currentversion\run 
+ Another method is to execute the command:
+reg query hkcu\software /s and pipe its output into the find command searching for all instances of Run. Your syntax will look like 
+reg query hkcu /s | find "Run" 
+The /s switch tells the command to query all subkeys and values. This will provide you with the complete path to the Run key: hkcu\software\microsoft\windows\currentversion\run. 
+The final method to use would be to use the Registry Keys reference under the Help tab to identify the path to the Run subkey and directly query its contents.
+ 
+SharedAccess is the registry key under HKLM that stores Windows firewall settings. Using this information, which ports are explicitly disabled by the Windows firewall? 
+locate where in the registry the SharedAccess subkey 
+regfind -n SharedAccess.
+query for the contents of the subkey using the following command syntax: 
+reg query hklm\system\currentcontrolset\services\sharedaccess.
+The settings you are looking for are stored under the parameters subkey. Query for the contents of this subkey using the following command syntax: 
+reg query hklm\system\currentcontrolset\services\sharedaccess\parameters.
+Under this subkey, you will find another subkey called FirewallPolicy. Query for the contents of this subkey using the following command syntax: 
+reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy.
+Under this subkey, you will find the subkeys named DomainProfile and StandardProfile. The information you are seeking is stored under the StandardProfile subkey. Query for the contents of this subkey using the following command syntax: reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile.
+Under this subkey, you will find two additional subkeys named AuthorizedApplications and GloballyOpenPorts. The information you are seeking is stored under the GloballyOpenPorts subkey. Query for the contents of this subkey using the following command syntax: reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports.
+Under this subkey, you will find the subkey titled List. Query for the contents of this subkey using the following command syntax: reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list.
+This query returned a listing of the ports that are configured as either Enabled or Disabled. Compare the values listed in the registry key with the possible answers, selecting those answers that match the ports that are configured as Disabled.
+Question 5 
+SharedAccess is the registry key under HKLM that stores Windows firewall settings. Using this information, which applications are enabled under the StandardProfile subkey? (Select all that apply.)
+
+Missed 2 out of 3 correct answers
+
+Your answer(s):
+ tlntsvr.exe
+
+Feedback:
+To correctly answer this question, you will need to perform the following:
+
+Using the path to the StandardProfile you discovered in the previous question, query for the contents of this key using the following command: reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile.
+Under this subkey, you will find two subkeys named AuthorizedApplications and GloballyOpenPorts. The information you are seeking is stored under the AuthorizedApplications subkey. Query for the contents of this subkey using the following command syntax: reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications.
+Under this subkey, you will find the subkey titled List. Query for the contents of this subkey using the following command syntax: reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list.
+Demonstrate the use of the Command-Line Registry Editor to View Analyze, Modify, and Create Registry Entries
+Question 1 
+Within the registry of the remote machine, create a new binary value and Modify/Delete the binary data values in the RunOnce subkey under the HKLM hive, according to the following instructions.
+Create a new binary value with the following information:
+Value Name = Test3
+Value Data = aaaaaaaaaa
+MODIFY the BINARY data stored in Test1 to have Value Data = bbbbbbbbbb
+DELETE the BINARY VALUE for Test2
+
+
+Create the value Test3 in the RunOnce subkey of HKLM using the following command:
+ reg add hklm\software\microsoft\windows\currentversion\runonce /v Test3 /t REG_BINARY /d aaaaaaaaaa.
+NOTE: Use the Registry Keys reference under the Help tab to identify the path to the RunOnce subkey.
+Modify the binary value of Test1 using the following command: 
+reg add hklm\software\microsoft\windows\currentversion\runonce /v Test1 /t REG_BINARY /d bbbbbbbbbb
+Delete the binary value for Test2 using the following command: 
+reg delete hklm\software\microsoft\windows\currentversion\runonce /v Test2
\ No newline at end of file
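Review bot: the two `reg query` commands on the GroupMembership key are unquoted although the path contains a space (`reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership` and the `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership` line in the explanation that follows); cmd.exe splits the argument at the space and `reg` rejects the key, so wrap the path in quotes as the Winlogon and Terminal Server queries in this file already do. A few lines look like paste residue rather than notes: the bare `reg` line before `RunOnce\Setup subkey:`, the lone `-1305.` after the GroupMembership query, and `\Software.` under the Run-subkey question. The service pack line also has typos in its hex values: `9x0300 SP3, 0x0100 SP!` should read `0x0300 SP3, 0x0100 SP1`.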
windows/meta/randy-remoteing.txt
@@ -0,0 +1,35 @@
+REMOTING
+
+TASKLIST
+	tasklist /s remote host /u domain\user /p password cmd
+SYSTEMINFO
+	systeminfo  /s system /u domain\user /p password 
+PSEXEC
+	psexec \\computername -u user -p password -s (run command as system) cmd (opens a cmd window)
+POWERSHELL -WMI
+note:  using credentials in a cmd only works with WMI
+	cmd -ComputerName win7  (this only works without user/pwd because local credentials are the same on both systems)
+	cmd -computername win10 -credential barney (prompts for pwd)
+	$c = get-credential -credential barney - Stores the username and pwd for future cmds 
+Create Multi cmd Sessions 
+	$session7 = new-PSSession -computername win7 
+	$session10 = new-PSSession -computername win10 -credential $c
+POWERSHELL CIM
+note:  CIM you must first open a session with the remote system and then reference that session in your CIM cmdlet
+	$c = New-CimSession -computername win10 -credential fred
+	$c | Get-CimInstance -ClassName Win32_Service | where state -match 'running'
+	
+WMIC
+	wmic /node:computer /user:username /password:pwd
+	you can enable all privleges using /privileges:enable
+PSLOGLIST 
+	psloglist \\computername -u username -p password
+wevtutil
+	wevtutil /r:computer /u:user /p:pwd
+REG FIND
+	-m \\machiname
+
+ds commnads
+
+-s Server | -d Domain}]
+   [-u UserName] [-p {Password 
\ No newline at end of file
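Review bot: the `ds commnads` entry at the end is truncated mid-syntax (`-s Server | -d Domain}]` / `[-u UserName] [-p {Password`), so it should be completed or dropped before merge; `REG FIND` / `-m \\machiname` is also missing a letter (`machinename`). In the `POWERSHELL -WMI` section, `cmd -ComputerName win7` and `cmd -computername win10 -credential barney` use `cmd` as a stand-in for a cmdlet name, which reads as cmd.exe; write it as `<cmdlet>` (for example `Get-WmiObject`, as randy-meta.txt in this commit uses) so the note `using credentials in a cmd only works with WMI` is unambiguous. Likewise `tasklist /s remote host /u domain\user /p password cmd` needs a single token for the host (`<remotehost>`) and the trailing `cmd` looks stray.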
windows/meta/win_registry.md → windows/meta/registry.md
File renamed without changes
windows/meta/win_sid.md → windows/meta/sid.md
File renamed without changes
windows/meta/winfiles.txt
@@ -0,0 +1,13 @@
+| File Location                 | Contents / Info                                                                                               |
+|-------------------------------|---------------------------------------------------------------------------------------------------------------|
+| Program Files                 | contains installed programs                                                                                   |
+| Users                         | contains user Profiles (Windows Vista +)                                                                      |
+| Documents and Settings        | contains user Profiles (user hives) (Windows XP)                                                              |
+| Program Files (x86)           | contains installed 32-bit programs on 64-bit architectures                                                    |
+| Windows\Prefetch              | on XP and up; stores pathname and mapping of last time application was run..                                  |
+| Windows\SoftwareDistribution  | contains the Windows downloaded updates                                                                       |
+| Windows\$NT*                  | contains replaced files after a system update or service pack so a user can roll back to previous versions |
+| Windows\system32\config       | contains registry files                                                                                       |
+| Windows\system32\dllcache     | contains backed up critical system files                                                                      |
+| Windows\system32\drivers\etc  | contains system (tcp/ip) network files                                                                        |
+| Windows\system32\Repair       | contains the backup, or off-line copy, of registry files                                                      |
\ No newline at end of file
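Review bot: the `Windows\$NT*` row is wider than the column the header defines, which breaks the alignment the rest of the table keeps, and the `Windows\Prefetch` row ends with a doubled period (`run..`). Since this file is `.txt` rather than `.md`, it will not be rendered as a content page alongside the other meta files; if it is meant to be browsable, rename it to `winfiles.md` and give it the same front matter as the other pages in this commit.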
windows/sysinternals/handle.md
@@ -1,15 +1,12 @@
 ---
 date: "2016-12-01"
 draft: false
-title: ""
+title: "handle"
 
 ---
+* [TechNet Manual](https://technet.microsoft.com/en-us/sysinternals/handle)
 
 
-# handle
-
-https://technet.microsoft.com/en-us/sysinternals/handle
-
 ## Examples
 | command            | description                                 |
 |--------------------|---------------------------------------------|
windows/sysinternals/index.md
@@ -5,9 +5,17 @@ title: "SysInternals"
 
 ---
 
-* [handle]({{ < relref "windows/sysinternals/handle.md" > }})
-* [listdlls]({{ < relref "windows/sysinternals/listdlls.md" > }})
-* [pskill]({{ < relref "windows/sysinternals/pskill.md" > }})
-* [pslist]({{ < relref "windows/sysinternals/pslist.md" > }})
-* [psservice]({{ < relref "windows/sysinternals/psservice.md" > }})
+* [handle]({{< relref "windows/sysinternals/handle.md" >}})
+* [listdlls]({{< relref "windows/sysinternals/listdlls.md" >}})
+* [psexec]({{< relref "windows/sysinternals/psexec.md" >}})
+* [pskill]({{< relref "windows/sysinternals/pskill.md" >}})
+* [pslist]({{< relref "windows/sysinternals/pslist.md" >}})
+* [psservice]({{< relref "windows/sysinternals/psservice.md" >}})
+* [sigcheck]({{< relref   "windows/sysinternals/sigcheck.md" >}})
+* [psloggedon]({{< relref "windows/sysinternals/psloggedon.md" >}})
 
+
+### TODO
+* [psloglist]({{< relref "windows/sysinternals/psloglist.md" >}}) - TODO
+* [autorunc]({{< relref "windows/sysinternals/autorunc.md" >}}) - TODO
+* [pssuspend]({{< relref "windows/sysinternals/pssuspend.md" >}}) - TODO
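Review bot: the `### TODO` entries use `relref` to `psloglist.md`, `autorunc.md` and `pssuspend.md`, none of which this commit adds; `relref` resolves at build time and errors on a page it cannot find, so either add stub pages or keep the TODO entries as plain text until the pages exist. `autorunc` also looks like a misspelling of the Sysinternals tool `autorunsc` (randy-meta.txt in this commit uses `autorunsc -k`). Minor: the `sigcheck` line has extra spaces inside the shortcode (`{{< relref   "windows/sysinternals/sigcheck.md" >}}`), and `psloggedon` is appended after `sigcheck` while the rest of the list is alphabetical.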
windows/sysinternals/listdlls.md
@@ -1,13 +1,11 @@
 ---
 date: "2016-12-01"
 draft: false
-title: ""
+title: "listdlls"
 
 ---
 
-# listdlls
-
-https://technet.microsoft.com/en-us/sysinternals/bb896656
+* [TechNet Manual](https://technet.microsoft.com/en-us/sysinternals/bb896656)
 
 ## Examples
 | command                    | description                                |
windows/sysinternals/pskill.md
@@ -1,12 +1,10 @@
 ---
 date: "2016-12-01"
 draft: false
-title: ""
+title: "pskill"
 
 ---
-# pskill 
-
-https://technet.microsoft.com/en-us/sysinternals/pskill
+* [TechNet Manual](https://technet.microsoft.com/en-us/sysinternals/pskill)
 
 # Examples
 | command                                        | description                             |
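Review bot: `# Examples` is left as a top-level heading while the sibling pages touched in this commit (handle.md, listdlls.md, pslist.md) use `## Examples`; change it to `## Examples` so the rendered pages nest consistently under the front-matter title.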
windows/sysinternals/pslist.md
@@ -1,12 +1,10 @@
 ---
 date: "2016-12-01"
 draft: false
-title: ""
+title: "pslist"
 
 ---
-# pslist 
-
-https://technet.microsoft.com/en-us/sysinternals/pslist.aspx
+* [TechNet Manual](https://technet.microsoft.com/en-us/sysinternals/pslist.aspx)
 
 ## Examples
 | command                                 | description                                                      |
windows/sysinternals/psloggedon.md
@@ -0,0 +1,23 @@
+---
+date: "2016-12-12"
+draft: false
+title: "psloggedon"
+tag: ["cli", "commands"]
+category: "sysinternals"
+
+---
+
+* [TechNet Manual](https://technet.microsoft.com/en-us/sysinternals/psloggedon.aspx)
+
+### Alternatives
+  * CMD: [query]({{< relref "windows/command/query.md" >}}) user 
+  * WMIC: [computersystem]({{< relref "windows/wmic/computersystem.md" >}})
+  * PS: [WMI Win32_ComputerSystem](https://msdn.microsoft.com/en-us/library/aa394102.aspx)
+
+## Usage
+
+Summary of usage to include a table of flags if appropriate
+
+## Examples
+| command | description |
+|---------|-------------|
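Review bot: the CMD alternative links to `windows/command/query.md` while every other page in this commit uses the `windows/commands/` directory (see driverquery.md and sigcheck.md), so this `relref` points at a path that does not exist and will fail at build time; it should read `windows/commands/query.md`. The `## Usage` body is still the template text (`Summary of usage to include a table of flags if appropriate`) and the `## Examples` table has a header but no rows; either fill them in or mark the page `draft: true` until they are.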
windows/sysinternals/psservice.md
@@ -1,11 +1,10 @@
 ---
 date: "2016-12-01"
 draft: false
-title: ""
+title: "psservice"
 
 ---
-# psservice
-https://technet.microsoft.com/en-us/sysinternals/psservice
+* [TechNet Manual](https://technet.microsoft.com/en-us/sysinternals/psservice)
 
 ## Usage
 
windows/sysinternals/sigcheck.md
@@ -0,0 +1,15 @@
+---
+date: "2016-12-01"
+draft: false
+title: "sigcheck"
+
+---
+
+* [TechNet Manual](TODO) 
+
+### Alternatives
+  * Command: [driverquery]({{ <relref "windows/commands/driverquery.md"> }})
+  * WMIC: [sysdriver]({{ <relref "windows/wmic/sysdriver.md"> }})
+  * PS: [PnPSignedDriver](({{ <relref "windows/powershell/pnpsigneddriver.md"> }})
+
+## Examples
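Review bot: the three `relref` links are written as `{{ <relref "..."> }}` with a space between `{{` and `<`; Hugo only recognises `{{<` and `>}}` as shortcode delimiters, so these render as literal text instead of links (compare the corrected form `{{< relref "..." >}}` used in sysinternals/index.md in this same commit). The `PnPSignedDriver` line also has a doubled opening parenthesis (`[PnPSignedDriver]((`), and `[TechNet Manual](TODO)` ships a non-link; fill in the URL or drop the bullet until it is known. The `## Examples` heading at the end has no table under it, unlike the other tool pages.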