Built-in system commands for Windows analysis...

Hi malware fighters,

In the case of analysis of a malware infested Windows machine, use the following commands for evaluation purposes, see the following article:
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1313370,00.html

Always keep at the back of your head that the commands may not be trusted if the machine is severely compromised.

1.) WMIC to evaluate a certain process or processes.
C:> wmic process
C:> wmic process list brief
C:> wmic process list brief /every:1
C:> wmic process list full
C:> wmic startup list full

2.) To evaluate users and groups.
“net user”
“net localgroup”
“net localgroup administrators”
“net start”

3.) Openfiles to evaluate active files.
C:> openfiles /local on
C:> openfiles /query /v
C:> openfiles /local off

4.) Netstat to evaluate network activity.
C:> netstat -nao
C:> netstat –s –p icmp
C:> netstat –na 2

5.) Find, to render a readable output.
C:> wmic process list brief /every:1 | find “cmd.exe”
C:> wmic startup list brief | find /i “hklm”
C:> openfiles /query /v | find /c /v “”
C:> netstat –nao 1 | find “2222”

6.) Tasklist to evaluate processes and DLL-files.
C:> tasklist /svc
C:> tasklist /m

7.) Reg to analyse the registry.
C:> reg query hklm\software\microsoft\windows\currentversion\run

8.) Ipconfig to evaluate DNS analysis.
C:> ipconfig /displaydns

9.) FOR /L to repeat certain commands
C:> for /L %[var] in ([start],[step],[stop]) do [command]
C:> for /L %i in (1,1,10) do @echo %i
C:> for /L %i in (1,0,2) do @tasklist
C:> for /L %i in (1,0,2) do @tasklist & ping --n 6 127.0.0.1 > nul

10.) To start admin GUIs trough the command line.
C:> lusrmgr.msc (local user manager)
C:> Secpol.msc (security policy manager)
C:> Services.msc (services control panel)
C:> Control (Configuration screen)
C:> Taskmgr.exe (task management)
C:> Explorer.exe (Windows Explorer)
C:> Eventvwr.msc (Windows Event Viewer)

enjoy,

polonus