C:\>cmd /c "date /t && time /t"
Wed 10/04/2008
02:12 PM

C:\>AuditPol
Running ...

(X) Audit Enabled

AuditCategorySystem = Success
AuditCategoryLogon = Success
AuditCategoryObjectAccess = No
AuditCategoryPrivilegeUse = No
AuditCategoryDetailedTracking = No
AuditCategoryPolicyChange = Success
AuditCategoryAccountManagement = Success
Unknown = Success
Unknown = Success

C:\>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : MISKA
        Primary Dns Suffix  . . . . . . . : STARBAND.net
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : STARBAND.net

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
        Physical Address. . . . . . . . . : 00-50-56-BD-69-A1
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 148.78.247.25
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 148.78.247.10
        DNS Servers . . . . . . . . . . . : 127.0.0.1
                                            148.78.247.22

C:\>psloggedon

PsLoggedOn v1.32 - Logon Session Displayer
Copyright (C) 1999-2006 Mark Russinovich
SysInternals - www.sysinternals.com

Users logged on locally:
     Error: could not retrieve logon time
                             NT AUTHORITY\LOCAL SERVICE
     Error: could not retrieve logon time
                             NT AUTHORITY\NETWORK SERVICE
     10/3/2008 12:44:19 PM   STARBAND\Administrator
     Error: could not retrieve logon time
                             NT AUTHORITY\SYSTEM

No one is logged on via resource shares.

C:\>pslist

PsList 1.26 - Process Information Lister
Copyright (C) 1999-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Process information for MISKA:

Name            Pid Pri Thd  Hnd   Priv     CPU Time  Elapsed Time
Idle              0   0   1    0      0 45:28:19.625   0:00:00.000
System            4   8  52  821      0  0:02:00.593   0:00:00.000
smss            264  11   3   18    140  0:00:00.421  46:49:32.859
csrss           428  13  11  438   1688  0:00:26.796  46:49:31.500
winlogon        464  13  21  615   7600  0:00:32.796  46:49:30.937
services        548   9  17  322   3856  0:00:21.687  46:49:28.609
lsass           564   9  52  960  25100  0:03:08.484  46:49:28.296
svchost         760   8   5   76    712  0:00:00.250  46:49:27.359
svchost        1024   8  10  207   1168  0:00:08.687  46:49:20.859
svchost        1088   8  11  147   3640  0:00:04.125  46:49:20.453
svchost        1108   8  13  161   1020  0:00:00.656  46:49:20.359
svchost        1132   8  45  861  11936  0:00:29.609  46:49:20.328
spoolsv        1948   8  12  147   3616  0:00:01.328  46:48:51.828
msdtc          1972   8  13  145   1424  0:00:00.250  46:48:51.750
dfssvc          196   8  11  120   1692  0:00:03.015  46:48:51.281
dns             300   8  13  180   7340  0:00:18.875  46:48:51.125
svchost         348   8   2   54    448  0:00:00.015  46:48:50.968
ismserv         372   8   9  118   1612  0:00:00.781  46:48:50.906
ntfrs           396   8  20  295   9072  0:00:20.921  46:48:50.828
svchost         492   8   2   55    420  0:00:00.078  46:48:50.359
VMwareService   812  13   3   47    532  0:25:09.781  46:48:50.031
svchost        1420   8  16  131   1328  0:00:00.281  46:48:42.906
wmiprvse       1208   8   4  150   2388  0:00:02.468  46:47:43.531
explorer       2392   8  13  380   9236  0:00:15.125  25:27:51.734
VMwareTray     2548   8   2   27    636  0:00:08.156  25:27:44.296
VMwareUser     3232   8   1   26    644  0:00:09.437  25:27:44.031
wuauclt        1152   8   3  107   5256  0:00:00.187  25:27:43.359
mmc            3988   8   3  236   6976  0:00:17.203  24:37:13.062
cmd            2216   8   1   25   1428  0:00:00.296   0:05:03.343
pslist         3212  13   1   80    628  0:00:00.031   0:00:00.078

C:\>listdlls | find "Command"
Command line:
Command line: \SystemRoot\System32\smss.exe
Command line: C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
Command line: winlogon.exe
Command line: C:\WINDOWS\system32\services.exe
Command line: C:\WINDOWS\system32\lsass.exe
Command line: C:\WINDOWS\system32\svchost.exe -k DcomLaunch
Command line: C:\WINDOWS\system32\svchost.exe -k rpcss
Command line: C:\WINDOWS\system32\svchost.exe -k NetworkService
Command line: C:\WINDOWS\system32\svchost.exe -k LocalService
Command line: C:\WINDOWS\System32\svchost.exe -k netsvcs
Command line: C:\WINDOWS\system32\spoolsv.exe
Command line: C:\WINDOWS\system32\msdtc.exe
Command line: C:\WINDOWS\system32\Dfssvc.exe
Command line: C:\WINDOWS\System32\dns.exe
Command line: C:\WINDOWS\System32\svchost.exe -k WinErr
Command line: C:\WINDOWS\System32\ismserv.exe
Command line: C:\WINDOWS\system32\ntfrs.exe
Command line: C:\WINDOWS\system32\svchost.exe -k regsvc
Command line: "C:\Program Files\VMware\VMware Tools\VMwareService.exe"
Command line: C:\WINDOWS\System32\svchost.exe -k termsvcs
Command line: C:\WINDOWS\system32\wbem\wmiprvse.exe
Command line: C:\WINDOWS\Explorer.EXE
Command line: "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
Command line: "C:\Program Files\VMware\VMware Tools\VMwareUser.exe"
Command line: "C:\WINDOWS\system32\wuauclt.exe"
Command line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\dnsmgmt.msc" /s
Command line: "C:\WINDOWS\system32\cmd.exe"
Command line: Z:\Private\TrustedTools\listdlls

C:\>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1037           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1049           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:389          127.0.0.1:1032         ESTABLISHED
  TCP    127.0.0.1:389          127.0.0.1:1033         ESTABLISHED
  TCP    127.0.0.1:389          127.0.0.1:1034         ESTABLISHED
  TCP    127.0.0.1:389          127.0.0.1:1045         ESTABLISHED
  TCP    127.0.0.1:1026         127.0.0.1:1059         ESTABLISHED
  TCP    127.0.0.1:1032         127.0.0.1:389          ESTABLISHED
  TCP    127.0.0.1:1033         127.0.0.1:389          ESTABLISHED
  TCP    127.0.0.1:1034         127.0.0.1:389          ESTABLISHED
  TCP    127.0.0.1:1045         127.0.0.1:389          ESTABLISHED
  TCP    127.0.0.1:1059         127.0.0.1:1026         ESTABLISHED
  TCP    148.78.247.25:139      0.0.0.0:0              LISTENING
  TCP    148.78.247.25:139      148.78.247.202:1392    ESTABLISHED
  TCP    148.78.247.25:389      148.78.247.25:3906     ESTABLISHED
  TCP    148.78.247.25:389      148.78.247.25:4609     TIME_WAIT
  TCP    148.78.247.25:389      148.78.247.25:4610     TIME_WAIT
  TCP    148.78.247.25:1026     148.78.247.25:1217     ESTABLISHED
  TCP    148.78.247.25:1026     148.78.247.25:1460     ESTABLISHED
  TCP    148.78.247.25:1026     148.78.247.25:4608     ESTABLISHED
  TCP    148.78.247.25:1217     148.78.247.25:1026     ESTABLISHED
  TCP    148.78.247.25:1460     148.78.247.25:1026     ESTABLISHED
  TCP    148.78.247.25:3906     148.78.247.25:389      ESTABLISHED
  TCP    148.78.247.25:4607     148.78.247.25:135      TIME_WAIT
  TCP    148.78.247.25:4608     148.78.247.25:1026     ESTABLISHED
  TCP    148.78.247.25:4611     148.78.247.25:445      TIME_WAIT
  TCP    148.78.247.25:4615     148.78.247.22:445      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1029           *:*
  UDP    0.0.0.0:1036           *:*
  UDP    0.0.0.0:1043           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:53           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1031         *:*
  UDP    127.0.0.1:1035         *:*
  UDP    127.0.0.1:1038         *:*
  UDP    127.0.0.1:1044         *:*
  UDP    127.0.0.1:1221         *:*
  UDP    127.0.0.1:1233         *:*
  UDP    127.0.0.1:1415         *:*
  UDP    127.0.0.1:1799         *:*
  UDP    127.0.0.1:2730         *:*
  UDP    148.78.247.25:53       *:*
  UDP    148.78.247.25:88       *:*
  UDP    148.78.247.25:123      *:*
  UDP    148.78.247.25:137      *:*
  UDP    148.78.247.25:138      *:*
  UDP    148.78.247.25:389      *:*
  UDP    148.78.247.25:464      *:*

C:\>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
300   dns            ->  53    TCP   C:\WINDOWS\System32\dns.exe
564   lsass          ->  88    TCP   C:\WINDOWS\system32\lsass.exe
1024                 ->  135   TCP
4     System         ->  139   TCP
0     System         ->  389   TCP
564   lsass          ->  389   TCP   C:\WINDOWS\system32\lsass.exe
4     System         ->  445   TCP
564   lsass          ->  464   TCP   C:\WINDOWS\system32\lsass.exe
1024                 ->  593   TCP
564   lsass          ->  636   TCP   C:\WINDOWS\system32\lsass.exe
564   lsass          ->  1026  TCP   C:\WINDOWS\system32\lsass.exe
564   lsass          ->  1027  TCP   C:\WINDOWS\system32\lsass.exe
372   ismserv        ->  1032  TCP   C:\WINDOWS\System32\ismserv.exe
372   ismserv        ->  1033  TCP   C:\WINDOWS\System32\ismserv.exe
372   ismserv        ->  1034  TCP   C:\WINDOWS\System32\ismserv.exe
396   ntfrs          ->  1037  TCP   C:\WINDOWS\system32\ntfrs.exe
300   dns            ->  1045  TCP   C:\WINDOWS\System32\dns.exe
300   dns            ->  1049  TCP   C:\WINDOWS\System32\dns.exe
564   lsass          ->  1059  TCP   C:\WINDOWS\system32\lsass.exe
396   ntfrs          ->  1217  TCP   C:\WINDOWS\system32\ntfrs.exe
564   lsass          ->  1460  TCP   C:\WINDOWS\system32\lsass.exe
564   lsass          ->  3268  TCP   C:\WINDOWS\system32\lsass.exe
564   lsass          ->  3269  TCP   C:\WINDOWS\system32\lsass.exe
396   ntfrs          ->  3906  TCP   C:\WINDOWS\system32\ntfrs.exe
4     System         ->  4615  TCP
0     System         ->  4622  TCP
196   Dfssvc         ->  4623  TCP   C:\WINDOWS\system32\Dfssvc.exe
196   Dfssvc         ->  4624  TCP   C:\WINDOWS\system32\Dfssvc.exe

1024                 ->  53    UDP
564   lsass          ->  53    UDP   C:\WINDOWS\system32\lsass.exe
564   lsass          ->  88    UDP   C:\WINDOWS\system32\lsass.exe
372   ismserv        ->  123   UDP   C:\WINDOWS\System32\ismserv.exe
564   lsass          ->  123   UDP   C:\WINDOWS\system32\lsass.exe
372   ismserv        ->  137   UDP   C:\WINDOWS\System32\ismserv.exe
372   ismserv        ->  138   UDP   C:\WINDOWS\System32\ismserv.exe
300   dns            ->  389   UDP   C:\WINDOWS\System32\dns.exe
300   dns            ->  445   UDP   C:\WINDOWS\System32\dns.exe
564   lsass          ->  464   UDP   C:\WINDOWS\system32\lsass.exe
564   lsass          ->  500   UDP   C:\WINDOWS\system32\lsass.exe
1024                 ->  1029  UDP
564   lsass          ->  1031  UDP   C:\WINDOWS\system32\lsass.exe
564   lsass          ->  1035  UDP   C:\WINDOWS\system32\lsass.exe
564   lsass          ->  1036  UDP   C:\WINDOWS\system32\lsass.exe
396   ntfrs          ->  1038  UDP   C:\WINDOWS\system32\ntfrs.exe
4     System         ->  1043  UDP
300   dns            ->  1044  UDP   C:\WINDOWS\System32\dns.exe
564   lsass          ->  1221  UDP   C:\WINDOWS\system32\lsass.exe
564   lsass          ->  1233  UDP   C:\WINDOWS\system32\lsass.exe
564   lsass          ->  1415  UDP   C:\WINDOWS\system32\lsass.exe
564   lsass          ->  1799  UDP   C:\WINDOWS\system32\lsass.exe
564   lsass          ->  2730  UDP   C:\WINDOWS\system32\lsass.exe
564   lsass          ->  4500  UDP   C:\WINDOWS\system32\lsass.exe

C:\>netstat -rn

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 50 56 bd 69 a1 ...... AMD PCNET Family PCI Ethernet Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    148.78.247.10  148.78.247.25      30
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
     148.78.247.0    255.255.255.0    148.78.247.25  148.78.247.25      30
    148.78.247.25  255.255.255.255        127.0.0.1      127.0.0.1      30
   148.78.247.255  255.255.255.255    148.78.247.25  148.78.247.25      30
        224.0.0.0        240.0.0.0    148.78.247.25  148.78.247.25      30
  255.255.255.255  255.255.255.255    148.78.247.25  148.78.247.25       1
Default Gateway:     148.78.247.10
===========================================================================
Persistent Routes:
  None

Route Table

C:\>nbtstat -rn

Local Area Connection:
Node IpAddress: [148.78.247.25] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    MISKA          <00>  UNIQUE      Registered
    STARBAND       <00>  GROUP       Registered
    STARBAND       <1C>  GROUP       Registered
    MISKA          <20>  UNIQUE      Registered
    STARBAND       <1B>  UNIQUE      Registered
    STARBAND       <1E>  GROUP       Registered
    STARBAND       <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

C:\>autorunsc

HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
   rdpclip
      RDP Clip Monitor
      Microsoft Corporation
      c:\windows\system32\rdpclip.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
   C:\WINDOWS\system32\userinit.exe
      Userinit Logon Application
      Microsoft Corporation
      c:\windows\system32\userinit.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
   Explorer.exe
      Windows Explorer
      Microsoft Corporation
      c:\windows\explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   VMware Tools
      VMwareTray
      VMware, Inc.
      c:\program files\vmware\vmware tools\vmwaretray.exe
   VMware User Process
      VMwareUser
      VMware, Inc.
      c:\program files\vmware\vmware tools\vmwareuser.exe

C:\>reg query HKLM\System\CurrentControlSet\Control\Hivelist

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Hivelist
    \REGISTRY\MACHINE\HARDWARE    REG_SZ
    \REGISTRY\MACHINE\SECURITY    REG_SZ    \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
    \REGISTRY\MACHINE\SOFTWARE    REG_SZ    \Device\HarddiskVolume1\WINDOWS\system32\config\software
    \REGISTRY\MACHINE\SYSTEM      REG_SZ    \Device\HarddiskVolume1\WINDOWS\system32\config\system
    \REGISTRY\USER\.DEFAULT       REG_SZ    \Device\HarddiskVolume1\WINDOWS\system32\config\default
    \REGISTRY\MACHINE\SAM         REG_SZ    \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
    \REGISTRY\USER\S-1-5-20       REG_SZ    \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
    \REGISTRY\USER\S-1-5-20_Classes    REG_SZ    \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    \REGISTRY\USER\S-1-5-19       REG_SZ    \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
    \REGISTRY\USER\S-1-5-19_Classes    REG_SZ    \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    \REGISTRY\USER\S-1-5-21-4190164925-2839916710-2620655279-500    REG_SZ    \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
    \REGISTRY\USER\S-1-5-21-4190164925-2839916710-2620655279-500_Classes    REG_SZ    \Device\HarddiskVolume1\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

C:\>reg query HKLM\System\CurrentControlSet\Control\Windows

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows
    CSDVersion              REG_DWORD       0x100
    CSDReleaseType          REG_DWORD       0x0
    Directory               REG_EXPAND_SZ   %SystemRoot%
    ErrorMode               REG_DWORD       0x0
    NoInteractiveServices   REG_DWORD       0x0
    SystemDirectory         REG_EXPAND_SZ   %SystemRoot%\system32
    ShellErrorMode          REG_DWORD       0x1
    ShutdownTime            REG_BINARY      45C9930D58E6C601

C:\>reg query "HKLM\System\CurrentControlSet\Control\Session Manager\FileRenameOperations"

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\FileRenameOperations

C:\>reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs                REG_SZ
    DeviceNotSelectedTimeout    REG_SZ      15
    GDIProcessHandleQuota       REG_DWORD   0x2710
    Spooler                     REG_SZ      yes
    swapdisk                    REG_SZ
    TransmissionRetryTimeout    REG_SZ      90
    USERProcessHandleQuota      REG_DWORD   0x2710
    DesktopHeapLogging          REG_DWORD   0x1

C:\>reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell        REG_DWORD       0x1
    DefaultDomainName       REG_SZ          STARBAND
    DefaultUserName         REG_SZ          Administrator
    LegalNoticeCaption      REG_SZ
    LegalNoticeText         REG_SZ
    PowerdownAfterShutdown  REG_SZ          0
    ReportBootOk            REG_SZ          1
    Shell                   REG_SZ          Explorer.exe
    ShutdownWithoutLogon    REG_SZ          0
    System                  REG_SZ
    Userinit                REG_SZ          C:\WINDOWS\system32\userinit.exe,
    VmApplet                REG_SZ          rundll32 shell32,Control_RunDLL "sysdm.cpl"
    SfcQuota                REG_DWORD       0xffffffff
    allocatecdroms          REG_SZ          0
    allocatedasd            REG_SZ          0
    allocatefloppies        REG_SZ          0
    cachedlogonscount       REG_SZ          10
    forceunlocklogon        REG_DWORD       0x0
    passwordexpirywarning   REG_DWORD       0xe
    scremoveoption          REG_SZ          0
    AllowMultipleTSSessions REG_DWORD       0x1
    AppSetup                REG_SZ
    UIHost                  REG_EXPAND_SZ   %SystemRoot%\system32\logonui.exe
    DebugServerCommand      REG_SZ          no
    SFCDisable              REG_DWORD       0x0
    WinStationsDisabled     REG_SZ          0
    ShowLogonOptions        REG_DWORD       0x1
    AltDefaultUserName      REG_SZ          Administrator
    AltDefaultDomainName    REG_SZ          STARBAND
    DisableLockWorkstation  REG_DWORD       0x0
    DCacheUpdate            REG_BINARY      545616DCDFE7C601
    CachePrimaryDomain      REG_SZ          STARBAND

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DomainCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials

C:\>winclip -p
http://www.msexchange.org/tutorials/Configuring-Exchange2003-HTTP-Remote-Access.html

C:\>doskey /h

C:\>cmd /c "date /t && time /t"
Wed 10/04/2008
02:12 PM
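The fport listing above leaves two listening ports (TCP 135 and 593) with a PID of 1024 but no process name or image path, and attributes TCP 389 and 4622 to "System" with PID 0, which is the Idle process and cannot own a socket; pslist, captured moments earlier, shows PID 1024 is an svchost instance. The following Python script is an added example and is not part of the captured session. It parses the pslist, netstat -an and fport output (the three embedded samples are excerpts copied from the transcript above), attributes every listening socket to an owner, fills in the names fport could not resolve from pslist's PID table, and reports listeners that no tool claimed. The regular expressions, function names and report keys are this example's own choices.

```python
"""Cross-check fport's port-to-process map against netstat -an and pslist.
Added example for the live-response transcript; the *_SAMPLE strings are
excerpts copied from the pslist, netstat -an and fport output shown above."""
import re
from collections import defaultdict

PSLIST_SAMPLE = """
Name           Pid Pri Thd  Hnd   Priv    CPU Time   Elapsed Time
System           4   8  52  821      0  0:02:00.593   0:00:00.000
lsass          564   9  52  960  25100  0:03:08.484  46:49:28.296
svchost       1024   8  10  207   1168  0:00:08.687  46:49:20.859
dns            300   8  13  180   7340  0:00:18.875  46:48:51.125
ismserv        372   8   9  118   1612  0:00:00.781  46:48:50.906
"""

NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    148.78.247.25:139      0.0.0.0:0              LISTENING
  TCP    148.78.247.25:139      148.78.247.202:1392    ESTABLISHED
  UDP    148.78.247.25:137      *:*
"""

FPORT_SAMPLE = r"""
Pid   Process            Port  Proto Path
300   dns            ->  53    TCP   C:\WINDOWS\System32\dns.exe
1024                 ->  135   TCP
4     System         ->  139   TCP
0     System         ->  389   TCP
564   lsass          ->  389   TCP   C:\WINDOWS\system32\lsass.exe
1024                 ->  593   TCP
564   lsass          ->  1026  TCP   C:\WINDOWS\system32\lsass.exe
372   ismserv        ->  137   UDP   C:\WINDOWS\System32\ismserv.exe
"""

# Column layouts of the three tools; the header rows fail to match and are skipped.
PSLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s*$")
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
FPORT_RE = re.compile(r"^\s*(\d+)\s+(?:(\S+)\s+)?->\s+(\d+)\s+(TCP|UDP)(.*)$")


def parse_pslist(text):
    """PID -> image name from pslist's table."""
    return {int(m.group(2)): m.group(1)
            for m in map(PSLIST_RE.match, text.splitlines()) if m}


def listening_sockets(text):
    """(proto, port) pairs that accept traffic: TCP in LISTENING plus every UDP socket."""
    socks = set()
    for m in map(NETSTAT_RE.match, text.splitlines()):
        if m and (m.group(1) == "UDP" or m.group(5) == "LISTENING"):
            socks.add((m.group(1), int(m.group(3))))
    return socks


def parse_fport(text):
    """(proto, port) -> [(pid, name or None, path or None)]; fport may list several owners."""
    owners = defaultdict(list)
    for m in map(FPORT_RE.match, text.splitlines()):
        if m:
            pid, name, port, proto, path = m.groups()
            owners[(proto, int(port))].append((int(pid), name, path.strip() or None))
    return owners


def correlate(pslist_text, netstat_text, fport_text):
    """Attribute each listener to an owner and report what fport left unresolved."""
    pids = parse_pslist(pslist_text)
    listeners = listening_sockets(netstat_text)
    owners = parse_fport(fport_text)
    report = {"mapped": {}, "unresolved": {}, "no_path": [],
              "unmapped_listeners": sorted(listeners - set(owners))}
    for sock in sorted(listeners):
        for pid, name, path in owners.get(sock, []):
            if name is None or pid == 0:
                # fport printed a bare PID, or blamed PID 0 (the Idle process, which
                # owns no sockets).  Fall back to pslist's PID table and confirm on the
                # host with `netstat -ano`, which prints the owning PID per socket.
                report["unresolved"][sock] = (pid, pids.get(pid))
                name = name or pids.get(pid)
            elif path is None and pid != 4:
                # PID 4 is the kernel (SMB on 139/445 has no image path); any other
                # owner without a path deserves a second look.
                report["no_path"].append((sock, pid, name))
            report["mapped"].setdefault(sock, []).append((pid, name, path))
    return report


if __name__ == "__main__":
    rep = correlate(PSLIST_SAMPLE, NETSTAT_SAMPLE, FPORT_SAMPLE)
    for sock, who in sorted(rep["mapped"].items()):
        print(sock, who)
    print("unresolved by fport:", rep["unresolved"])
    print("listeners with no owner:", rep["unmapped_listeners"])
```

Run against the full capture, the same script feeds in the complete pslist, netstat and fport output rather than the excerpts; the check worth keeping is `unmapped_listeners`, since a listening port that neither fport nor pslist can account for is exactly what a hidden process or a hooked enumeration API would produce.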