INCIDENT RESPONSE CLI TOOLS

| COMMAND | COMMAND LINE SWITCHES | DESCRIPTION | RESOURCE |
|---|---|---|---|
| dd.exe | | disk dump - create bitstream image of media or memory | http://users.erols.com/gmgarner/forensics/ |
| attrib.exe | -R | attribute - display attributes on files & folders | from a trusted system |
| strings.exe | | Strings - display text strings from binary file | http://www.sysinternals.com/ntw2k/source/misc.shtml#strings |
| mem.exe | /p | display memory information | from a trusted system |
| mem.exe | /d | display memory information | from a trusted system |
| psinfo.exe | -d -s -h | PsInfo v1.6 - Local and remote system information viewer | http://www.sysinternals.com/ntw2k/freeware/pstools.shtml |
| hostname.exe | | Get local hostname | from a trusted system |
| uname.exe | -a | Get OS Version | http://unxutils.sourceforge.net |
| uptime.exe | | Get total uptime since last reboot | https://www.microsoft.com/ntserver/nts/downloads/management/uptime/default.asp |
| uptime.exe | /all | Get total uptime historically | https://www.microsoft.com/ntserver/nts/downloads/management/uptime/default.asp |
| psuptime.exe | | PsUptime tells you how long a WinNT/2K system has been up | http://www.sysinternals.com/ntw2k/freeware/pstools.shtml |
| whoami.exe | | Displays current namespace | http://unxutils.sourceforge.net |
| net.exe | config rdr | Displays Domain Information | from a trusted system |
| net.exe | user | Displays user accounts on system | from a trusted system |
| net.exe | group | Displays group membership information (PDC only) | from a trusted system |
| net.exe | localgroup | Displays local user information | from a trusted system |
| net.exe | accounts | Display local user account policy information | from a trusted system |
| net.exe | start | Display services | from a trusted system |
| net.exe | accounts /domain | Display domain account policy information | from a trusted system |
| net.exe | share | lists information about all resources being shared on the computer | from a trusted system |
| net.exe | view | lists the computers in the current domain | from a trusted system |
| net.exe | session | NET SESSION lists or disconnects sessions between the computer and other computers on the network. When used without options, it displays information about all sessions with the computer of current focus. | from a trusted system |
| net.exe | use | lists the computer's connections | from a trusted system |
| net.exe | file | List open files | from a trusted system |
| auditpol.exe | | Displays Audit Policy Information | Windows 2000 Resource Kit |
| pclip.exe | | Grabs clipboard data and writes to STDOUT or redirect to file | http://unxutils.sourceforge.net |
| pslist.exe | | PsList 1.26 - Process Information Lister | Sysinternals - www.sysinternals.com |
| ps.exe | -ealW | Unix style process information | http://www.cygwin.com |
| listdlls.exe | | ListDLLs v2.25 - DLL lister for Win9x/NT | http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml |
| pstat.exe | | lists all running threads and displays their status | http://www.microsoft.com/whdc/ddk/debugging/installx86.mspx |
| tlist.exe | -v | list verbose information about processes | http://www.microsoft.com/whdc/ddk/debugging/installx86.mspx |
| tlist.exe | -s | list service information about processes | http://www.microsoft.com/whdc/ddk/debugging/installx86.mspx |
| tlist.exe | -c | list command line information about processes | http://www.microsoft.com/whdc/ddk/debugging/installx86.mspx |
| cmdline.exe | | DiamondCS Commandline Retrieval Tool for Windows NT4/2K/XP | http://www.diamondcs.com.au/index.php?page=console-cmdline |
| handle.exe | | list all processes and open handles | http://www.sysinternals.com/ntw2k/freeware/handle.shtml |
| psservice.exe | | PsService v2.12 - local and remote services viewer/controller | Sysinternals - www.sysinternals.com |
| sc.exe | | SC is a command line program used for communicating with the NT Service Controller and services. | Windows 2000 Resource Kit |
| servicelist.exe | | A program to list running services on a system | www.NetLatency.com |
| drivers.exe | | list information for installed drivers | http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/drivers-o.asp |
| ipconfig.exe | /all | show network interface parameters | from a trusted system |
| iplist.exe | | list all IP interfaces | http://www.diamondcs.com.au/index.php?page=console |
| arp.exe | -a | Display arp cache and static arp mappings | from a trusted system |
| route.exe | | Display route information and static routes | from a trusted system |
| netstat.exe | -an (2K) or -ano (XP) | Display network status and socket information | from a trusted system |
| fport.exe | | Display network Socket information | http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm |
| openports.exe | -path -fport | identify unknown open ports and their associated applications | http://www.diamondcs.com.au/openports/ |
| ipxroute.exe | config | show the IPX routing tables | from a trusted system |
| nbtstat.exe | -n | displays the NetBIOS name table of the local computer | from a trusted system |
| nbtstat.exe | -c | displays the contents of the NetBIOS name cache | from a trusted system |
| nbtstat.exe | -s | displays NetBIOS client and server sessions | from a trusted system |
| hunt.exe | \\127.0.0.1 | SMB share enumerator and admin finder | http://www.ntobjectives.com (no longer available) |
| promiscdetect.exe | | checks to see if local adapter is in promiscuous mode | http://ntsecurity.nu/toolbox/promiscdetect/ |
| psloggedon.exe | | see who's logged on locally and via resource sharing | http://www.sysinternals.com/ntw2k/freeware/pstools.shtml |
| netusers.exe | /local /history | see who's logged on locally and via resource sharing | http://www.systemtools.com/free_frame.htm |
| netusers.exe | /local | see who's logged on locally and via resource sharing | http://www.systemtools.com/free_frame.htm |
| ntlast.exe | -v -s | show last successful logons | http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm |
| ntlast.exe | -v -f | show last failed logons | http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm |
| ntlast.exe | -v -i | show last interactive logons | http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm |
| ntlast.exe | -v -r | show last remote logons | http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm |
| dumpel.exe | -t -l system | dumps an Event Log to a tab-separated text file | http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp |
| dumpel.exe | -t -l security | dumps an Event Log to a tab-separated text file | http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp |
| dumpel.exe | -t -l application | dumps an Event Log to a tab-separated text file | http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp |
| psloglist.exe | | dump event log records | http://www.sysinternals.com/ntw2k/freeware/pstools.shtml |
| psloglist.exe | -s system | dump system event log records | http://www.sysinternals.com/ntw2k/freeware/pstools.shtml |
| psloglist.exe | -s application | dump application event log records | http://www.sysinternals.com/ntw2k/freeware/pstools.shtml |
| psloglist.exe | -s security | dump security event log records | http://www.sysinternals.com/ntw2k/freeware/pstools.shtml |
| ntfsinfo.exe | c:\ (or drive letter) | shows you information about NTFS volumes | http://www.sysinternals.com/ntw2k/source/ntfsinfo.shtml |
| psfile.exe | | shows files opened remotely | http://www.sysinternals.com/ntw2k/freeware/pstools.shtml |
| hfind.exe | | hidden file finder with last access times | http://www.foundstone.com |
| streams.exe | -s [drive] | view NTFS file stream information | http://www.sysinternals.com/ntw2k/source/misc.shtml |
| sfind.exe | [drive] | view NTFS file stream information | http://www.foundstone.com |
| efsinfo.exe | [drive] /S /AH /TA | shows information about EFS-encrypted files | http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/efsinfo-o.asp |
| reg.exe | query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /S | REG: HKLM_R | from a trusted system |
| reg.exe | query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /S | REG: HKLM_RO | from a trusted system |
| reg.exe | query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx" /S | REG: HKLM_ROX | from a trusted system |
| reg.exe | query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices" /S | REG: HKLM_RS | from a trusted system |
| reg.exe | query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /S | REG: HKLM_RSO | from a trusted system |
| reg.exe | query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\" /S | REG: HKLM_SHELL | from a trusted system |
| reg.exe | query "HKLM\Software\Policies\Microsoft\Windows\System\Scripts" /S | REG: HKLM_SCRIPTS | from a trusted system |
| reg.exe | query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\" /S | REG: HKLM_EXPL_RUN | from a trusted system |
| reg.exe | query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /S | REG: HKCU_R | from a trusted system |
| reg.exe | query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /S | REG: HKCU_RO | from a trusted system |
| reg.exe | query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx" /S | REG: HKCU_ROX | from a trusted system |
| reg.exe | query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices" /S | REG: HKCU_RS | from a trusted system |
| reg.exe | query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /S | REG: HKCU_RSO | from a trusted system |
| reg.exe | query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell" /S | REG: HKCU_SHELL | from a trusted system |
| reg.exe | query "HKCU\Software\Policies\Microsoft\Windows\System\Scripts" /S | REG: HKCU_SCRIPTS | from a trusted system |
| reg.exe | query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\" /S | REG: HKCU_EXPL_RUN | from a trusted system |
| reg.exe | query "HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83 | SEARCH HISTORY | from a trusted system |
| reg.exe | query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs" /S | TYPED URLS | from a trusted system |
| reg.exe | query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /S | LAST COMMANDS | from a trusted system |
| reg.exe | query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /S | LAST FILES SAVED | from a trusted system |
| reg.exe | query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" /S | INSTALL HISTORY | from a trusted system |
| reg.exe | query "HKLM\Software\Microsoft\Updates" /S | Patches & Hotfix Information | from a trusted system |
| autorunsc.exe | -a -d -e -s -w | shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them | http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml |
| regdmp.exe | | dumps all or part of the registry to stdout | from Windows Resource Kit |
| RootkitRevealer.exe | | root kit detection utility | http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml |
| md5sum.exe | | print or check MD5 checksums | http://unxutils.sourceforge.net |
| now.exe | | displays the current date and time to stdout | http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/now-o.asp |
| seccheck.exe | | SecCheck is a Windows forensic tool which aids in the detection and removal of malicious applications, backdoors, trojans, worms, and viruses that may be unknowingly installed on your computer | http://www.mynetwatchman.com/tools/sc/ |
| tasklist.exe | /V | Windows XP built-in tasklist display | from a trusted system |
| cmd.exe | /C ver | ver - show the operating system version number | cmd.exe from trusted source |
| cmd.exe | /C set | environm - displays, sets, or removes environment variables | cmd.exe from trusted source |
| cmd.exe | /C type %SystemDrive%\autoexec.bat | autoexec - starts every time system boots at DOS level | cmd.exe from trusted source |
| cmd.exe | /C type %SystemRoot%\win.ini | win_ini - starts every time Windows starts (look for... load= and run=) | cmd.exe from trusted source |
| cmd.exe | /C type %SystemRoot%\system.ini | sys_ini - starts every time Windows starts (look for... Shell=) | cmd.exe from trusted source |
| cmd.exe | /C type %SystemRoot%\winstart.bat | winstart - starts every time Windows starts (operates as normal .bat file) | cmd.exe from trusted source |
| cmd.exe | /C type %SystemRoot%\wininit.ini | init_ini - Used by setup programs; if file exists, it is run once and deleted by Windows | cmd.exe from trusted source |
| cmd.exe | /C dir "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup" | startup - show applications called from "All Users" Startup folder | cmd.exe from trusted source |
| cmd.exe | /C dir "%UserProfile%\Start Menu\Programs\Startup" | user_startup - show applications called from current user's Startup folder | cmd.exe from trusted source |
| cmd.exe | /C dir %SystemRoot%\Tasks | tasks - show scheduled tasks | cmd.exe from trusted source |
| cmd.exe | /C dir <%drive%>:\ /S /OD /TA | <%drive%>_atime - show last access time based file listing | cmd.exe from trusted source |
| cmd.exe | /C dir <%drive%>:\ /S /OD /TC | <%drive%>_ctime - show last created time based file listing | cmd.exe from trusted source |
| cmd.exe | /C dir <%drive%>:\ /S /OD /TW | <%drive%>_mtime - show last modified (written) time based file listing | cmd.exe from trusted source |
| cmd.exe | /C tree <%drive%>:\ /F /A | <%drive%>filestg - show the location of every file on the system | cmd.exe from trusted source |
| cmd.exe | /C dir <%drive%>:\ /S /AH /TA | <%drive%>_hidden - show the hidden files on a system | cmd.exe from trusted source |