#################################################################################################
What is this? : file with Windows shell commands to get system/process info, and doing some manipulation.
                We cover some DOS (cmd), Powershell, wmic, and some other stuff.
                It also contains old stuff, but who knows? Maybe there is something useful here.
Version       : 0.5
Date          : 14/07/2015
By            : AvdS
Warning       : Some commands can affect your system, so test them first on a test machine.
#################################################################################################
Addition      : Section 15 added at 26/11/2020, as a "quick system info" section.
#################################################################################################

Maybe you like to read these 3 notes first:

Note 1: elevated privileges:
----------------------------

In many examples, elevated privileges are absolutely required ("Run As" with admin credentials).
Select a command window icon, using rightclick, then choose "Run As" and provide admin credentials.

Note 2: redirect and pipeline:
------------------------------

- Using "redirect" (the ">" symbol), you can redirect the output of some command, not to the standard
  output (like the screen), but for example to a file. Just use the ">" symbol, like for example:

  C:\> netstat -a > listing.txt        # "netstat -a" just dumps output to the screen. But in this case, to a file.
  C:\> tasklist > mylist.txt

- With pipelining you can make sure that the output of the first command becomes the input for the
  second command, like for example:

  C:\> netstat -a | find "1433"
  C:\> netstat -a | find "10.16.20"
  C:\> type accounts.txt | find "AlbertS" > filtered.txt
                                       # "type" shows the content of an ascii file, then we "find" the string
                                       # "AlbertS", then we redirect that output to another file.

Note 3: An extended example:
----------------------------

Suppose Z:\BACKUP contains many subdirectories, each containing ".bak" backup files (from database backups).
During the day, transaction log backups and differential backups are created (having "tran" or "diff"
in their filenames). Only in the evening, a full backup of each database is created (where part of the
filenames is "full").

--> Quickly retrieve a list of full backups, from yesterday evening, e.g., the third of june:

    Z:\backup> dir *full*.bak /s | find "06/03"

--> Quickly retrieve a list of full backups, from yesterday evening, the third of june, and put it in a text file:

    Z:\backup> dir *full*.bak /s | find "06/03" > c:\temp\fullbackuplist.txt

--> As above, but now only count the number of *full*.bak files:

    Z:\backup> dir *full*.bak /s | find "06/03" | find /c "bak"

So, the last command just shows a number, like for example 330.

Notes:
- In "dir /s", the "/s" means listing/searching subdirectories too
- find /c resembles the unix "wc -l" command
- find "string" resembles the unix "grep" command
- The "06/03" string must match the short date format your system uses (here month/day);
  with day/month settings the third of june shows up as "03/06".

=============================================================
1. A few examples of listing Services:
=============================================================

1.1 Some Powershell examples:
-----------------------------

PS C:\> Get-Service | Where-Object {$_.status -eq "stopped"}                          #show all stopped services
PS C:\> Get-Service | Where-Object {$_.status -eq "running"}                          #show all running services
PS C:\> Get-Service | Where-Object {$_.status -eq "running"} | out-file running.txt   #show all running services, place in txt file.
PS C:\> Get-Service | Where-Object {$_.name -like "*Ora*"}                            #only show *Ora* services
PS C:\> Get-Service                                                                   #show all

1.2 Some CMD prompt utility examples:
-------------------------------------

-- listing stuff:

C:\> net start                              #show all running services
C:\> net start | more                       #show all running, line by line
C:\> net start > c:\temp\services.txt       #show all running services, place in txt file.
C:\> net start | find "Ora"                 #only show *Ora* services, like Oracle
C:\> net start | find /I "ora"              #case insensitive
C:\> net start | find "SQL"                 #take a look if SQL runs
C:\> sc query                               #show all
C:\> sc query > c:\temp\services.txt        #show all running services, place in txt file.
C:\> sc interrogate MSSQLServer             #only show MSSQLServer
C:\> sc query | find "SQL"                  #only show *SQL* services
C:\> wmic service get caption,startmode                                   #show all: name+startmode
C:\> wmic service get caption, PathName                                   #show all: name+exe path
C:\> wmic service get name, ProcessID                                     #show all: name+ProcessID
C:\> wmic service get name, ProcessID | find "Ora"                        #only get info for *Ora* services
C:\> wmic service get name, ProcessID, ServiceType | find "Ora"           #only get info for *Ora* services
C:\> wmic service get name, ProcessID, ServiceType | find "Ora" > c:\temp\ora.txt
                                                                          #only get info for *Ora* services, place in txt file
C:\> tasklist /svc                          #shows processes and what is a service
C:\> tasklist /svc | find "svchost"         #shows which services run under svchost processes

-- Stop / start a service:

C:\> net stop servicename                   # if spaces in name, enclose it with ""
C:\> net start servicename

Note: the net command also provides options to view users, groups, and more, and even to add or remove
users to or from groups. See section 14.Security_Algemene_Folders_Users_R

=====================================================================================================
2. Shutdown a system, logoff, showing sessions, stopping sessions:
=====================================================================================================

-- command prompt

In all Windows versions, you can use the logoff command, to "logout" the system.
Especially in the latest Win versions, it may be hard to find the graphical equivalent.
C:\> logoff                                 # logoff your session
C:\> shutdown -r -t 0                       # reboot a system (t=0, nowait)
C:\> shutdown -r -f -t 0                    # reboot a system (t=0, nowait, -f force)
C:\> shutdown -s -t 0                       # shutdown a system
C:\> shutdown -r -f -m \\Trex -t 60         # reboot remote Server "Trex" in 60 seconds

-- Powershell

PS C:\> stop-computer
PS C:\> stop-computer -computername Server01, Server02
PS C:\> Restart-Computer
PS C:\> Restart-Computer -ComputerName Server01, Server02

-- careful with this stuff: it force-reboots every machine listed in the file, without asking.

$machines = get-content "C:\TEMP\machines.txt"
foreach($machine in $machines) {
    restart-computer -computername $machine -force
}

-- show and manipulate sessions (not all will work on all Windows versions):

C:\> quser
C:\> qwinsta
C:\> rwinsta
C:\> query session
C:\> query user
C:\> reset session {sessionname | sessionid} [/SERVER:servername] [/V]
C:\> reset session rdp-tcp#3
C:\> reset session 3
C:\> logoff 3

PS C:\> Get-TSSession -ComputerName comp1 -UserName user1 | Stop-TSSession -Force
                                            # for a Terminal Services session (cmdlets from the PSTerminalServices module, not built in)
PS C:\> logoff [sessionname | sessionid] [/SERVER:servername]
                                            # for regular logons

=====================================================================================================
3. A few examples showing Process information, mem usage, cpu, handles etc.., and altering processes:
=====================================================================================================

3.1 Some Powershell examples:
-----------------------------

PS C:\> Get-Process                         #shows all processes (with details like handles, cpu etc..)
PS C:\> Get-Process s*                      #shows all processes with an executable name starting with an "s"
PS C:\> Get-Process excel                   #shows details about the excel process
PS C:\> Get-Process excel | Select-Object name,fileversion,productversion,company
                                            #shows name, fileversion, productversion, company of excel
PS C:\> Get-Process | Select-Object name,fileversion,productversion,company
                                            #as above, but now for all processes
PS C:\> Get-Process | where { $_.Name -eq "DataSafeOnline" }
                                            #shows details on the process "DataSafeOnline"
PS C:\> Stop-Process 533                    #stops the process with process id (pid) 533
PS C:\> Stop-Process -processname winword   #stops the process named winword
PS C:\> Stop-Process -processname xyz*      #stops all processes starting with a name xyz*
PS C:\> kill -processname xyz*              #an alias to "Stop-Process" is "kill", thus performing the same action.
PS C:\> get-process | where { $_.Name -eq "abc" } | foreach { $_.Kill() }
                                            #stops all processes with the name "abc"

3.2 Some CMD prompt utility examples:
-------------------------------------

C:\> tasklist                               #shows all processes with name, memory usage, pid etc..
C:\> tasklist > c:\temp\processlist.txt     #shows all processes and puts it in a txt file
C:\> tasklist /FI "memusage gt 40000"       #shows only processes where the "filter" (FI) memusage gt 40000 (KB) is true
C:\> tasklist /FI "cputime gt uu:mm:ss"     #shows only processes with cpu > "cputime", using the filter cputime in uu:mm:ss
C:\> tasklist /svc                          #shows processes and what is a service
C:\> tasklist /svc | find "svchost"         #shows which services run under svchost processes
C:\> tasklist | find "Ora"                  #shows only the processes with details, with a name where "Ora" is part of
C:\> taskkill /pid 1480                     #kills process with pid 1480
C:\> taskkill /pid 1530 /pid 1603 /pid 1153 #kills the processes with the pids 1530, 1603, 1153
C:\> taskkill /f /im abc.exe                #if you do not know the pid, you can use the image (process) name
C:\> taskkill /f /fi "status eq not responding"
                                            #kills a process using the filter "status equals not responding"
C:\> wmic PROCESS get Caption,Kernelmodetime,Usermodetime
                                            #Shows list of processes with KernelModeTime and UserModeTime statistics
C:\> wmic PROCESS get ExecutablePath,Caption,PageFaults
                                            #Shows list of processes with path to executable, pagefaults and other "gets"
C:\> wmic PROCESS WHERE Name="calc.exe" CALL Terminate
                                            #kills the process with the name "calc.exe"
C:\> wmic PROCESS call create calc.exe      #Creates the calc.exe process
C:\> net file                               #Shows open files originating from SMB (shared)
C:\> net statistics server                  #Shows statistics of the SMB server process (file shares)
C:\> net statistics workstation             #Shows statistics of the redirector (file shares)

-- advice: get the "handle" and "procmon" utilities from the SysInternals suite.

======================================================================================
4. A few examples of retrieving system information (system, memory, drives, hardware):
======================================================================================

4.1 Some Powershell examples:
-----------------------------

PS C:\> Get-WmiObject Win32_Processor       #show detailed cpu information
PS C:\> Get-Wmiobject win32_computersystem  #show Domain, user, Computername, Manufacturer, memory

or:

PS C:\> Get-WmiObject -Class Win32_ComputerSystem |             #show Domain, user, Computername, Manufacturer, memory
>> Format-List Name, Manufacturer, Model,                       #but more nicely formatted.
>> SystemType, Description,
>> NumberOfProcessors, NumberOfLogicalProcessors,
>> @{Name="RAM"; Expression={[math]::round($($_.TotalPhysicalMemory/1GB), 2)}}

PS C:\> Get-WmiObject win32_LogicalDisk     #Listing all logical disks, with size, free space etc..
PS C:\> Get-Wmiobject win32_OperatingSystem #Get details on the Operating System

4.2 Some CMD prompt utility examples:
-------------------------------------

C:\> systeminfo                             #shows very detailed systeminfo
C:\> systeminfo > c:\temp\sysinfo.txt       #puts detailed systeminfo in a txt file
C:\> msinfo32                               # much systeminfo in graphical windows (not all win versions)
C:\> msinfo32 /report c:\temp\diag.txt      # very detailed information placed in a txt file
C:\> driverquery                            #detailed information on drivers
C:\> wmic cpu > c:\temp\cpu.txt             #get all cpu info in a txt file
C:\> wmic cpu get NumberOfCores             #get cpu Core info
C:\> wmic memphysical                       #get mem info
C:\> wmic irq                               #info on irq's
C:\> wmic bios                              #get all bios info
C:\> wmic bios get Manufacturer,ReleaseDate,SerialNumber,Version
                                            #get some bios specifics
C:\> wmic diskdrive                         #get all disk info
C:\> wmic diskdrive get SCSIBus,InterfaceType,SerialNumber,Signature,DeviceID
                                            #get selection of disk info
C:\> wmic cpu                               #get all cpu info
C:\> wmic cpu get CurrentClockSpeed,L3CacheSize,DataWidth,Status
                                            #get some selections of cpu info
C:\> wmic computersystem                    #get loads of info about your computer
C:\> wmic computersystem get AdminPasswordStatus,TotalPhysicalMemory,DomainRole
                                            #get some selection of computersystem
C:\> wmic /?                                #get help on what you can do with this powerful command

============================================================
5. A few examples of altering the state of services:
============================================================

5.1 Some Powershell examples:
-----------------------------

PS C:\> Stop-Service "print spooler"        #stops the service
PS C:\> Start-Service "print spooler"       #starts the service
PS C:\> Stop-Service -displayname "Bluetooth service"
                                            #stops the service
PS C:\> Stop-Service iisadmin -force -confirm
                                            #stops the service, which also needs a confirm
PS C:\scripts> .\stop_ora.ps1

Where the script "stop_ora.ps1" is something like (note that, as written, it starts every Oracle
service that is currently stopped; swap Start-Service for Stop-Service and "Stopped" for "Running"
to get the stopping variant):

foreach ($svc in Get-Service) {
    if (($svc.displayname.StartsWith("Oracle")) -AND ($svc.Status -eq "Stopped")) {
        echo $svc.DisplayName
        Start-Service $svc.name
    }
}

5.2 Some CMD prompt utility examples:
-------------------------------------

C:\> net stop "print spooler"               #stops the service
C:\> net start "print spooler"              #starts the service
C:\> net stop OracleServiceDBTEST11g        #stops the service
C:\> net start OracleServiceDBTEST11g       #starts the service
C:\> sc stop spooler                        #stops the service
C:\> sc start spooler                       #starts the service
C:\> sc.exe create MyService binPath= "C:\usr\bin\myhttpd.exe -k runservice" DisplayName= "My http Service"
                                            #for illustration only. This command creates a service. However,
                                            #there are some constraints on the application to let it run
                                            #correctly under Service Control.
C:\> sc.exe delete MyService                #deletes a service

5.3 winrm:
----------

A newer management implementation. It enables secure communication with local and remote computers
using web services (SOAP). As of Vista/Win2K8.
You need to enable it: Start the service "Windows Remote Management".

C:\> WinRM quickconfig                      # follow instructions

Many options are available. Here are a few examples of stopping/starting services.
You need a tutorial for using it.

C:\> winrm invoke StartService wmicimv2/Win32_Service?Name=spooler
C:\> winrm invoke stopservice wmicimv2/Win32_Service?name= -r:
C:\> winrm invoke startservice wmicimv2/Win32_Service?name= -r:

=============================================================
6. A few examples on how to get network information:
=============================================================

6.1 Some Powershell examples:
-----------------------------

PS C:\> Get-WmiObject -Class Win32_NetworkAdapterConfiguration
                                            #shows network information of all adapters: IP, DHCP etc..
PS C:\> Get-WmiObject -Class Win32_NetworkAdapter
                                            #shows network information of all adapters: speed, MAC Address etc..
PS C:\> Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName . | Select-Object -Property IPAddress
                                            #shows only IPv4 and IPv6 addresses

6.2 Some CMD prompt utility examples:
-------------------------------------

C:\> systeminfo                             #shows lots of systeminfo, including network interfaces
C:\> systeminfo > c:\temp\sysinfo.txt       #as above, but now placed in a txt file
C:\> netstat -a
C:\> netstat -ab                            #shows all the network connections of your machine (-b shows the apps)
C:\> netstat -ab > c:\temp\conn.txt         #as above, but now placed in a txt file
C:\> netstat -a -b -f                       #shows all the network connections, including fully qualified domain names (-f)
C:\> netstat -r                             #shows the routing table as used by your local machine
C:\> ipconfig                               #shows basic IP parameters
C:\> ipconfig /all                          #shows all IP parameters
C:\> ipconfig /release                      #release current IPv4 address
C:\> ipconfig /renew                        #request new IP parameters (address, dns) from dhcp Server
C:\> ipconfig /flushdns                     #remove dns resolver cache
C:\> ipconfig /registerdns                  #renew DNS entries (e.g.: if DNS was changed)
C:\> net use                                #shows all mapped network drives
C:\> net view                               #shows all netbios Server names in your subnet (LanMan browser)
C:\> net view > c:\temp\servers.txt         #as above, but placed in a txt file
C:\> net share                              #shows the fileshares on your machine
C:\> arp -a                                 #shows the arp cache: IP addresses resolved to MAC (card) addresses
C:\> getmac                                 #shows the MAC addresses of your network interfaces
C:\> nslookup Servername                    #used to see how a remote host is resolved by DNS.
C:\> tracert hostname_or_IP_address         #shows all hops to reach the destination
C:\> nbtstat -a hostname                    #shows all netbios registered entries of the remote hostname
C:\> nbtstat -A IP_address                  #shows all netbios registered entries of the remote IP address
C:\> nbtstat -n                             #shows all netbios registered entries of your local machine
C:\> wmic nic get AdapterType,DeviceID,Caption,MACAddress
                                            #wmic allows you to "get" many properties of "nic" and "nicconfig"
C:\> wmic nicconfig get Caption,DHCPServer,IPAddress,MTU

Just a few "netsh" examples:
netsh is a utility, especially meant for configuring interfaces, protocols, firewall, routes.

C:\> netsh interface ip show config         #shows all IP parameters
C:\> netsh dump > c:\temp\netinfo.txt       #writes extensive network configuration to a txt file

netsh is a very extended shell by itself. You can retrieve info from, or configure, all network objects.
For using "netsh", you deserve a dedicated tutorial.

C:\TEMP> netsh int ip reset reset.txt       # Resetting your TCPIP stack, and sockets.
C:\TEMP> netsh winsock reset

Those commands might help if network connectivity issues are present, while the system worked well
at an earlier time.

C:\> netsh interface ip set address "Local Area Connection" static 192.168.0.50 255.255.255.0 192.168.0.254
                                            # set the interface "Local Area Connection" to the IP parameters specified
                                            # (address, subnet mask, default gateway).
C:\> netsh interface ip set dns "Local Area Connection" static 192.168.0.2
                                            # set the dns of that interface

=> "Monkey" .bat or .cmd script to check IP connectivity on a number of servers
   (comment lines use REM; a "#" line is not a comment in cmd and would produce an error):

REM Begin script
@echo off
echo "Report of Servers with no connection:" > failurelog.txt
ping -n 4 Server1
if errorlevel 1 echo "No connectivity to Server1" >> failurelog.txt
ping -n 4 Server2
if errorlevel 1 echo "No connectivity to Server2" >> failurelog.txt
ping -n 4 Server3
if errorlevel 1 echo "No connectivity to Server3" >> failurelog.txt
REM (etc... Add and change servernames as needed.)
REM Note: ping sets errorlevel 0 when any reply arrives, including a "Destination host unreachable"
REM reply from a router, so read the ping output as well when a server is missing from the log.
type failurelog.txt
REM end script

============================================================================================================
7. For reference: A very basic listing of some DOS (cmd) commands, for file, directory, or task management.
============================================================================================================

TASK from commandline:                      EXAMPLE COMMAND:

- Moving around directories (or "folders"):

C:\some_path> cd ..                         # go back to parent directory (one level up)
C:\some_path> cd \                          # go to the "root" of this disk or partition
C:\some_path> cd \temp                      # go to c:\temp from any location
C:\some_path> cd \data\excel                # go to c:\data\excel from any location
C:\some_path> E:                            # go to the E: disk or partition
C:\some_path> tree                          # view a graph of all subdirectories

- Listing the contents of a directory, for example C:\DATA

C:\DATA> dir                                #simple listing
C:\DATA> dir /s /p                          #listing of all files in all subdirectories too
C:\DATA> dir *.doc /s /p                    #searching for all .doc files in all directories
C:\DATA> dir *pay* /s /p                    #searching for any file with "pay" in its name,
                                            #through all subdirectories.
C:\DATA> dir /o-d                           #listing on date/time, from new to old

- copy or move a file, or set of files.
C:\DATA> copy a.doc b.doc                   #now you have two files with the same content
C:\DATA> copy payments.doc H:\BACKUPS       #copy payments.doc to H:\backups
C:\DATA> copy *.doc H:\BACKUPS              #copy all files with extension .doc to H:\BACKUPS
C:\DATA> move *.doc G:\ARCHIVES\WORD        #move (not copy!) all .doc files
C:\DATA> copy *.* H:\BACKUPS                #copy ALL files in C:\DATA to H:\BACKUPS
                                            #(but not the files in subdirs: see xcopy)
C:\DATA> xcopy *.* H:\BACKUPS /s            # copy all files, subdirectories included,
                                            # to H:\BACKUPS
C:\DATA> rename a.doc b.doc                 #a.doc is now called b.doc

- creating a directory (folder).

C:\DATA> md excel                           #creates the folder excel within c:\data

- deleting an empty folder.

C:\DATA> rd excel                           #deletes the folder excel, if it's empty

- deleting files (no recycle bin !)

C:\TEMP> del a.txt                          #deletes the file a.txt
C:\TEMP> del *.txt                          #deletes ALL .txt files from C:\TEMP. Be careful !!
C:\TEMP> del /F /Q /S *.*                   # Be careful!! Deletes all files (including
                                            #files in subdirs) without confirmation,
                                            #from the "starting location" C:\TEMP

- xcopy: Suppose you want to copy (or backup) all files in all subdirs, existing in, for example,
  the directory C:\DATA, to, for example, F:\BACKUP (xcopy will create subdirs at the target
  location as needed):

C:\DATA> xcopy *.* F:\BACKUP /s /h

- Extended xcopy example: copying all files to, for example, a network share:

C:\data> xcopy *.* m:\data /S /C /O /H /Y

Where the switches mean:
/S: copies subdirectories also
/C: copies the files even if an error shows up (like the file is in use)
/O: includes also ownership and Access Control Lists information.
/H: includes also all hidden and system files
/Y: suppresses the confirmation if you are about to overwrite files

"robocopy" is even better. Should be available in Windows as of Win7 and Win2K8.
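The "Monkey" connectivity-check batch script at the end of section 6 can be written in PowerShell so that the result is an object per server rather than only a text log, and so that a service port can be probed as well as the ICMP reply. The following is an added example, not code from the original cheat sheet; the server names, the list file C:\TEMP\servers.txt and port 1433 are assumptions, and the port check relies on Test-NetConnection, which exists on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original cheat sheet): PowerShell version of the section 6
# connectivity check. Pings each server, optionally probes one TCP port, and writes the same
# style of failure report as the batch script. Names and paths below are assumptions.

function Test-ServerReachability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,   # hosts to check
        [int] $Port = 0,                                   # 0 = ICMP only; e.g. 1433 to also probe SQL Server
        [int] $Count = 4,                                  # echo requests per host, like "ping -n 4"
        [string] $ReportPath = "failurelog.txt"
    )

    $results = foreach ($name in $ComputerName) {
        # -Quiet returns $true when at least one echo reply arrived, $false otherwise
        $pingOk = Test-Connection -ComputerName $name -Count $Count -Quiet -ErrorAction SilentlyContinue

        $portOk = $null
        if ($Port -gt 0 -and $pingOk) {
            # TCP probe; needs the NetTCPIP module (Windows 8 / Server 2012 and later)
            $portOk = Test-NetConnection -ComputerName $name -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
        }

        [pscustomobject]@{
            Server  = $name
            Ping    = $pingOk
            Port    = if ($Port -gt 0) { $Port } else { $null }
            PortOk  = $portOk
            Checked = Get-Date
        }
    }

    # Same report layout as the batch version: a header plus one line per failing server
    $lines = @("Report of Servers with no connection: $(Get-Date -Format s)")
    foreach ($r in $results) {
        if (-not $r.Ping) {
            $lines += "No connectivity to $($r.Server)"
        } elseif ($Port -gt 0 -and -not $r.PortOk) {
            $lines += "Host $($r.Server) answers ping but not TCP port $Port"
        }
    }
    Set-Content -Path $ReportPath -Value $lines
    Get-Content -Path $ReportPath | Write-Host

    return $results
}

# Usage (assumed list file, one server name per line):
# $servers = Get-Content "C:\TEMP\servers.txt"
# Test-ServerReachability -ComputerName $servers -Port 1433 | Format-Table -AutoSize
```

Returning the objects, besides writing the log, lets the same run be piped to Export-Csv or compared against an earlier run; the port probe distinguishes "host down" from "host up, service down", which the ping-only batch version cannot.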
- Suppose you want to perform some action (like delete) on some set of files, based on some criteria,
  for example "delete of logfiles which are older than 30 days":

C:\> forfiles /P C:\webserver\logs /S /M *.log /D -30 /C "cmd /c del @FILE"

  Note that you can place the command in a .cmd batch file, and that you can schedule it.

- Viewing the contents of a flat ascii file, for example, you want to view the contents of C:\TEMP\systeminfo.txt

C:\TEMP> type systeminfo.txt                #view all content in one run
C:\TEMP> type systeminfo.txt | more         #view line by line

- Use of "for" from commandline (inside a .cmd file, write %%f instead of %f):

-> For example, register a set of .dll files in the registry.

C:\dev\lib> for %f in (*.dll) do regsvr32 %f
                                            # do not just do this: only for study!

-> Find IP addresses the hard way.

C:\> for /f "tokens=15" %f in ('ipconfig ^| findstr "Address"') do @echo %f

- View scheduled tasks:

C:\> schtasks
C:\> schtasks | find "Backup" /I            #notice that "find" is case sensitive
                                            #and with /I it is not case sensitive

=====================================================================================================
8. Some Specials
=====================================================================================================

-- Renaming files across all subdirectories:

Z:\Backups> for /r %x in (*.bak) do ren "%x" *.save

-- Show your EFI boot disk and other interesting stuff (later Win versions, not XP/Win2K3 and before):

C:\temp> bcdedit

-- Do you use EFI on your system? From an (elevated) command prompt, run:

C:\temp> bcdedit /enum

If you get back records like:

\EFI\Microsoft\Boot\bootmgfw.efi

Then your system uses EFI/GPT. Furthermore, you would also see a reference to the bootloader
"\Windows\system32\winload.efi".
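The forfiles "delete logfiles older than 30 days" command in section 7 and the "for /r ... ren" rename in section 8 both act on a whole tree at once, so a dry run before the real run is worth having. The following is an added example, not code from the original cheat sheet: PowerShell counterparts of both commands with -WhatIf support and an optional audit log. The paths C:\webserver\logs, Z:\Backups and C:\temp\cleanup.log are assumptions taken from the examples above.

```powershell
# Added example (not from the original cheat sheet): PowerShell counterparts of
#   forfiles /P C:\webserver\logs /S /M *.log /D -30 /C "cmd /c del @FILE"   (section 7)
#   for /r %x in (*.bak) do ren "%x" *.save                                   (section 8)
# Both functions honour -WhatIf, so the selection can be reviewed before anything is touched.
# Paths in the usage lines are assumptions.

function Remove-OldFiles {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Filter = '*.log',
        [int] $Days = 30,
        [string] $LogFile                     # optional: record what was removed, for auditing
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    # -File keeps directories out of the selection; -Recurse matches forfiles /S
    $targets = @(Get-ChildItem -Path $Path -Filter $Filter -Recurse -File |
                 Where-Object { $_.LastWriteTime -lt $cutoff })

    foreach ($f in $targets) {
        if ($PSCmdlet.ShouldProcess($f.FullName, "Delete (last write $($f.LastWriteTime))")) {
            Remove-Item -LiteralPath $f.FullName -Force
            if ($LogFile) {
                Add-Content -Path $LogFile -Value "$(Get-Date -Format s) deleted $($f.FullName)"
            }
        }
    }
    return $targets.Count    # number of files selected (deleted, or listed under -WhatIf)
}

function Rename-ExtensionRecursive {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $From = '.bak',
        [string] $To = '.save'
    )
    $files = Get-ChildItem -Path $Path -Filter "*$From" -Recurse -File
    foreach ($f in $files) {
        $newName = $f.BaseName + $To
        # Skip when the target name already exists, instead of failing halfway through the tree
        if (Test-Path -LiteralPath (Join-Path $f.DirectoryName $newName)) {
            Write-Warning "Skipping $($f.FullName): $newName already exists"
            continue
        }
        if ($PSCmdlet.ShouldProcess($f.FullName, "Rename to $newName")) {
            Rename-Item -LiteralPath $f.FullName -NewName $newName
        }
    }
}

# Usage: dry run first, then for real
# Remove-OldFiles -Path 'C:\webserver\logs' -Filter '*.log' -Days 30 -WhatIf
# Remove-OldFiles -Path 'C:\webserver\logs' -Filter '*.log' -Days 30 -LogFile 'C:\temp\cleanup.log'
# Rename-ExtensionRecursive -Path 'Z:\Backups' -WhatIf
# Rename-ExtensionRecursive -Path 'Z:\Backups'
```

Like the forfiles line, Remove-OldFiles can be placed in a scheduled task; the audit log gives the operator a record of which files a scheduled run actually removed, which the cmd version does not produce.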
-- Finding a certain string in files in a directory:

C:\DATA\docs> findstr "account" *.*

-- Set a Service Principal Name in AD: an example setting a SQL Server SPN:

C:\> setspn -A MSSQLSvc/goofy.antapex.nl:1433 ANTAPEX\serviceaccount_name

-- typeperf: performance counters for one object:

General syntax (short version):

C:\> typeperf "Object(Instance)\Counter" ["Object(Instance)\Counter" etc..] [other options]

C:\> typeperf "\Processor(_Total)\% Processor Time"
     # Shows a record per second (is default) of the % Processor Time spent, by all cpu instances.

C:\> typeperf "\PhysicalDisk(_Total)\Avg. Disk queue length" -o diskqueue.txt
     # Shows a record per second (is default) of the Average disk queue lengths, by all (disk) instances.

-- search and perform an action (like find plus xargs):

C:\> forfiles /P C:\webserver\logs /S /M *.log /D -30 /C "cmd /c del @FILE"
     # delete *.log files older than 30 days
     # for all files within c:\webserver\logs
     # plus all subdirs

-- disk management (be careful !):

C:\> diskpart

DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          127 GB      0 B
  Disk 1    Online           50 GB  1024 KB
  Disk 2    Online          535 GB  1024 KB
  Disk 3    Online          200 GB  1024 KB
  Disk 4    Online           50 GB  1024 KB
  Disk 5    Online          200 GB  1024 KB

DISKPART> select disk 2

Disk 2 is now the selected disk.

DISKPART> list partition

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             49 GB  1024 KB

Many commands exist to delete or create partitions and many other actions. For example:

DISKPART> create partition primary align=64
DISKPART> create partition primary size=400
DISKPART> assign letter=E
DISKPART> format fs=NTFS quick

Robocopy:
---------

You can easily study a week or so, on all options of this utility. It's one of the best tools to copy
or sync files and directories to another filesystem or share. It's **too large** to present it here.
If you are new, and must copy (or sync) files/directories (e.g. backups), then go for it.

%systemroot%\system32 "applet" shortcuts:
-----------------------------------------

C:\Windows\system32> dir *.msc

6/02/2012  04:31 PM            41,587 azman.msc
6/02/2012  04:33 PM            63,081 certlm.msc
6/02/2012  04:33 PM            63,070 certmgr.msc
6/02/2012  04:34 PM           150,924 CluAdmin.msc
6/02/2012  04:30 PM           124,118 comexp.msc
6/02/2012  04:31 PM           113,256 compmgmt.msc
6/02/2012  04:52 PM           145,640 devmgmt.msc
6/02/2012  04:55 PM            47,679 diskmgmt.msc
6/02/2012  04:33 PM           145,127 eventvwr.msc
6/02/2012  04:34 PM           151,743 FailoverClusters.SnapInHelper.
6/02/2012  04:31 PM           144,909 fsmgmt.msc
6/02/2012  04:32 PM           147,439 gpedit.msc
6/02/2012  04:31 PM           144,998 lusrmgr.msc
6/02/2012  04:32 PM            63,411 NAPCLCFG.MSC
6/02/2012  04:37 PM           145,519 perfmon.msc
6/02/2012  04:32 PM            43,566 rsop.msc
6/02/2012  04:33 PM           120,458 secpol.msc
6/02/2012  04:31 PM            92,746 services.msc
2/10/2012  07:02 PM            26,289 SQLServerManager11.msc
6/02/2012  04:38 PM            41,761 tapimgmt.msc
6/02/2012  04:33 PM           145,059 taskschd.msc
6/02/2012  04:47 PM           144,862 tpm.msc
6/02/2012  04:55 PM            64,923 wbadmin.msc
6/02/2012  04:32 PM           115,091 WF.msc
6/02/2012  04:55 PM            62,971 wlbadmin.msc
6/02/2012  04:34 PM           144,673 WmiMgmt.msc

Here, a number of .msc files are listed, which are sort of graphical applets, or "snapins", dedicated
for certain tasks. You can start such a utility from the prompt, entering the full filename, like for example:

C:\Windows\system32> certmgr.msc

which starts the utility to manage "certificates". In the same way, if you want to start "performance
monitor", just enter perfmon.msc. By the way, you do not need to "be in" the "%systemroot%\system32" directory.

============================================================================================================
9. Some cluster commands:
============================================================================================================

NEWER STUFF:
============

10.1 A few PowerShell commands Win2K8 server / Win2K12 server.
==============================================================

- Just to make sure the Cluster cmdlets are loaded:

PS C:\> import-module failoverclusters

- Get the Cluster report/logging, which is great since the graphical tools show us too little.

General syntax:

PS C:\> Get-ClusterLog [-InputObject ] [[-Node] ] [-Cluster ] [-Destination ] [-TimeSpan ] [...]

- Create the log in the current directory, over the last 400 minutes:

PS C:\> Get-ClusterLog -Destination . -TimeSpan 400

- Create the log in the current directory, over the last 10 minutes:

PS C:\> Get-ClusterLog -Destination . -TimeSpan 10

- Show cluster nodes, if you have only one cluster:

PS C:\> Get-ClusterNode

Name    State
----    -----
node1   Up
node2   Up

- Show cluster nodes:

PS C:\> Get-ClusterNode -Cluster ClusterSales

Name    State
----    -----
node1   Up
node2   Up

- Show clusters:

PS C:\> Get-Cluster cluster1

Name
----
cluster1

PS C:\> Get-Cluster | fl *

Large output of properties

PS C:\> Get-Cluster -domain antapex.nl

Name
----
SQLcluster1
SQLcluster2
SQLcluster3

- Get cluster quorum info:

PS C:\> Get-ClusterQuorum -Cluster SQLCluster1

Cluster    QuorumResource    QuorumType
-------    --------------    ----------
Cluster1   none              NodeMajority

- Move Group to another node:

PS C:\> Move-ClusterGroup -Name SQLCLUS1 -Node node2
PS C:\> Get-ClusterNode node2 | Get-ClusterGroup | Move-ClusterGroup

A ClusterGroup = {clusterresources}, that is, a Group is a collection of resources like disk, IP, service.

1: view first all Groups:

PS C:\> Get-ClusterNode -Name "NODENAME" | Get-ClusterGroup

Shows list of Groups... like "GROUPNAME"

2: view resources for a chosen Group

PS C:\> Get-ClusterGroup "GROUPNAME" | Get-ClusterResource

Shows a list of Resources in GROUPNAME

3: Now, move GROUPNAME to another node ("NODENAME")

PS C:\> Move-ClusterGroup "GROUPNAME" -Node "NODENAME"

- Start / stop group:

PS C:\> Start-ClusterGroup SQLCLUS1
PS C:\> Stop-ClusterGroup SQLCLUS1
PS C:\> Get-ClusterGroup

OLD STUFF:
==========

10.2 cluster.exe command: up to Win2K8 server.
===============================================

- Get all cluster names as registered in DNS:

C:\TEMP> cluster /list

Cluster Name
---------------
SQLCLUS1
SQLCLUS2
SQLCLUS3

- Get the properties for SQLCLUS3:

C:\TEMP> cluster SQLCLUS3 /prop

Produces a listing of properties for 'SQLCLUS3'

- Get version info of a Cluster:

C:\TEMP> cluster SQLCLUS3 /ver

Cluster Name:    SQLCLUS3
Cluster Version: 5.2 (Build 3790: Service Pack 2)
Cluster Vendor:  Microsoft(R) Cluster service

- List the nodes of a Cluster:

C:\TEMP> cluster node

- Get Quorum information of a Cluster:

C:\TEMP> cluster /quorum

- Get a list of all disks of a Cluster:

C:\TEMP> cluster SQLCLUS3 res

- You can use the "cluster restype" command to display a full list of resource types, as follows:

C:\TEMP> cluster restype

Modifying a Cluster:
--------------------

- A cluster group named "SQLServerGroup" on cluster "SQLCLUS3" needs to be brought offline and then back online.

C:\TEMP> cluster /cluster:SQLCLUS3 group "SQLServerGroup" /offline
C:\TEMP> cluster /cluster:SQLCLUS3 group "SQLServerGroup" /online

- Example on how to move a "resource group" from the current node to another node:

C:\TEMP> cluster group "print1" /moveto:prod2

Note: if you have only a two-node cluster, you can just use /move without a node name.

As another example:

C:\TEMP> cluster . group "Cluster Group" /move:prod2

Here, the period means that we're modifying the local cluster. Or, the command in general form:

C:\TEMP> cluster SVCLUS3 group "Cluster Group" /move:prod2

- Example how to move some available storage into a new resource group:

C:\TEMP> cluster res "DataDisk" /move:"file server"

- Creating a Cluster report:

C:\TEMP> cluster log /gen

Will create a report in %systemroot%\cluster\reports. Some nice switches can be used like:

/Copy:directory  (for example: /Copy:logs, where logs should be a directory below "your current path").
/Span:minutes    (for example /Span:30, so that your log will only contain entries from the last 30 minutes).
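The three-step "view groups, view resources, move group" procedure in 10.1 is what an operator runs to empty a node before maintenance, and it is easy to script with the same FailoverClusters cmdlets. The following is an added example, not code from the original cheat sheet: it checks the target node is Up, lists the resources that travel with each group, and moves the groups one by one, reporting the resulting owner. The node names node1 and node2 are assumptions.

```powershell
# Added example (not from the original cheat sheet): scripted version of the
# "view groups, view resources, move group" steps in 10.1, to drain one node.
# Needs the FailoverClusters module on a cluster node; node names below are assumptions.

Import-Module FailoverClusters

function Move-AllGroupsOffNode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SourceNode,
        [Parameter(Mandatory)] [string] $TargetNode
    )
    # Refuse to start when the target is not able to take over
    $target = Get-ClusterNode -Name $TargetNode
    if ($target.State -ne 'Up') {
        throw "Target node $TargetNode is not Up (state: $($target.State))"
    }

    # Step 1: all groups currently owned by the source node
    $groups = @(Get-ClusterNode -Name $SourceNode | Get-ClusterGroup)

    foreach ($g in $groups) {
        # Step 2: show what travels with the group, so the operator sees the impact
        $res = @(Get-ClusterGroup -Name $g.Name | Get-ClusterResource)
        Write-Verbose ("{0}: {1} resources ({2})" -f $g.Name, $res.Count, (($res | ForEach-Object Name) -join ', '))

        # Step 3: move, then record the resulting owner and state
        if ($PSCmdlet.ShouldProcess($g.Name, "Move to $TargetNode")) {
            $moved = Move-ClusterGroup -Name $g.Name -Node $TargetNode
            [pscustomobject]@{
                Group     = $moved.Name
                OwnerNode = $moved.OwnerNode.Name
                State     = $moved.State
            }
        }
    }
}

# Usage: review with -WhatIf -Verbose first, then run for real
# Move-AllGroupsOffNode -SourceNode node1 -TargetNode node2 -WhatIf -Verbose
# Move-AllGroupsOffNode -SourceNode node1 -TargetNode node2 | Format-Table -AutoSize
```

Moving groups one at a time and emitting the owner after each move, rather than piping everything into Move-ClusterGroup at once as in the one-liner above, makes it obvious which group failed over and which one did not when a move fails partway.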
Creating a basic Cluster: ------------------------- Say you use WinK8 Server. It needs the Server 2008 Failover Clustering feature, so make sure it's installed first on your nodes. You can do that using the graphical server manager, or by using "servermanagercmd -install Failover-Clustering". You can even create a cluster using cluster.exe. The following extremely simple example will only create the basic cluster, and Resources still needs to be added. Also, observe that no "account" is listed, so you will be prompted. C:\TEMP> cluster MYCLUSTER /create /ipaddress:10.10.10.1/255.255.255.0 /Nodes:"srv1","srv2" Some defaults will be taken for granted. Actually, above is the most basic of all basics! Other cluster features needs to be added later (possibly using the cluster command), like storage, applications etc.. ===================================================================================================== 10. Network drive mounts: ===================================================================================================== (1) Listings: ============= - In some cases, it's possible to view remote Server shares (if policies, security allows it): C:\> net view # list servers on your subnet C:\> net view \\STARBOSS # list shares on server STARBOSS C:\> net share # list the shares of your PC or Server where you interactively logged on to C:\> net use # list all your smb/cifs network mounts (2) Mounting drives For SMB/CIFS: (the regular traditional shares and mounts): ============================================================================== You can mount a (remote) network share (disk) to a "drive letter", using: C:\> net use M: \\starboss\docs # the share "docs" will be available as drive M: if your current credentials have permissions to it. C:\> net use M: \\starboss\docs /user:DOM1\AlbertS # connect to "\\starboss\docs" as Domain user "DOM1\AlbertS". 
                                                      # The network will ask for the password of "DOM1\AlbertS",
                                                      # unless your current identity is "DOM1\AlbertS".
C:\> net use Z: \\10.10.20.55\data                               # if you only have an IP of the Server, or name resolving does not work
C:\> net use * \\starboss\docs                                   # use the first available drive letter for the mount
C:\> net use y: "\\mycomputername\a shared folder with spaces"   # use quotes if the object has "spaces".
C:\> net use                                                     # list all your network mounts
C:\> net use K: /delete                                          # disconnect K: as a network drive
C:\> net use * /d                                                # disconnect all your network drives

Using the parameter "/persistent:yes" will store the mapping in the current user hive of the Registry.

(3) Mounting drives For WEBDAV:
===============================

C:\> net use * http://servername/share /USER:username [password]

C:\> net use * http://websrv.testdom.com/folder
Enter the user name for 'websrv.testdom.com': example\user
Enter the password for websrv.testdom.com:

=====================================================================================================
11. A few commands related to disks:
=====================================================================================================

fsutil:
-------

Use it to manage or view "volumes" or "disks" and properties.
Examples:

C:\PerfLogs> fsutil

---- Commands Supported ----

8dot3name       8dot3name management
behavior        Control file system behavior
dirty           Manage volume dirty bit
file            File specific commands
fsinfo          File system information
hardlink        Hardlink management
objectid        Object ID management
quota           Quota management
repair          Self healing management
reparsepoint    Reparse point management
resource        Transactional Resource Manager management
sparse          Sparse file control
transaction     Transaction management
usn             USN management
volume          Volume management

C:\temp> fsutil volume diskfree C:
Total # of free bytes        : 98448703488
Total # of bytes             : 135996108800
Total # of avail free bytes  : 98448703488

C:\temp> fsutil fsinfo drives
Drives: A:\ C:\ D:\ E:\ F:\ G:\ K:\ T:\

C:\temp> fsutil file queryfileid mytext.txt
File ID is 0x0024000000012c2c

C:\temp> fsutil file queryfilenamebyid c: 0x0024000000012c2c
A random link name to this file is \\?\C:\temp\connections.txt

C:\temp> fsutil file findbysid asel c:\users

C:\temp> fsutil repair query d:
Self healing is enabled for volume d: with flags 0x1.
flags: 0x01 - enable general repair
       0x08 - warn about potential data loss
       0x10 - disable general repair and bugcheck once on first corruption

C:\temp> fsutil volume dismount F:
You can dismount a volume using "fsutil", but for mounting, use "mountvol".

C:\temp> fsutil file createnew c:\temp\testfile.txt 1048576
This creates a file of 1MB.
C:\TEMP> fsutil fsinfo ntfsinfo c:
NTFS Volume Serial Number :       0xd8cc8a65cc8a3e2e
NTFS Version   :                  3.1
LFS Version    :                  2.0
Number Sectors :                  0x000000000fd4ffff
Total Clusters :                  0x0000000001fa9fff
Free Clusters  :                  0x0000000000f243aa
Total Reserved :                  0x00000000000033d0
Bytes Per Sector  :               512
Bytes Per Physical Sector :       4096
Bytes Per Cluster :               4096
Bytes Per FileRecord Segment    : 1024
Clusters Per FileRecord Segment : 0
Mft Valid Data Length :           0x000000000a740000
Mft Start Lcn  :                  0x00000000000c0000
Mft2 Start Lcn :                  0x0000000000000002
Mft Zone Start :                  0x00000000000ca740
Mft Zone End   :                  0x00000000000cca00
Resource Manager Identifier :     B27C186E-EE2E-11E2-97B1-D1FD9C71EF6B

C:\TEMP> fsutil behavior query mftzone
MftZone = 0 (translates to a zone size of 200 MB)

Mountvol:
---------

C:\temp> mountvol

Possible values for VolumeName along with current mount points are:

    \\?\Volume{c1a289c7-dadf-11e1-bb3e-806e6f6e6963}\
        *** NO MOUNT POINTS ***

    \\?\Volume{f8f7d89d-daa2-11e1-b7c3-00155d111501}\
        D:\

    \\?\Volume{f8f7d8a4-daa2-11e1-b7c3-00155d111501}\
        E:\

    \\?\Volume{f8f7d8ab-daa2-11e1-b7c3-00155d111501}\
        F:\

    \\?\Volume{f8f7d8b2-daa2-11e1-b7c3-00155d111501}\
        G:\

    \\?\Volume{f8f7d8b9-daa2-11e1-b7c3-00155d111501}\
        T:\

    \\?\Volume{c1a289c8-dadf-11e1-bb3e-806e6f6e6963}\
        C:\

    \\?\Volume{c1a289cc-dadf-11e1-bb3e-806e6f6e6963}\
        A:\

    \\?\Volume{c1a289cb-dadf-11e1-bb3e-806e6f6e6963}\
        K:\

Note the "\\?\Volume{GUID}\". The GUID is used to uniquely identify a volume, independent of drive letters.

C:\temp> mountvol K: \\?\Volume{c1a289cb-dadf-11e1-bb3e-806e6f6e6963}\

C:\> md data
C:\> mountvol data \\?\Volume{c1a289cb-dadf-11e1-bb3e-806e6f6e6963}\

C:\temp> mountvol G: /p
C:\temp> mountvol G: /D

Please note:
/p : actually dismounts the volume and sets it offline
/D : only removes the volume mount point, but keeps it online
/r : removes the volume mount point and deletes registry settings and the like.

Diskpart:
---------

See section 8.
Chkdsk:
-------

C:\temp> chkdsk E:
Checks disk/volume/partition E: and lists results.

C:\temp> chkdsk E: /F
Checks disk/volume/partition E: and fixes allocation errors.

sfc:
----

System File Checker. Windows includes the command line tool "System File Checker", which scans all basic Windows files,
and compares them against the original versions that shipped with Windows, or updates thereof.
If needed, it will replace a "bad" file with a sound one. In some cases, you need the install media.

Use it like so, to perform a system scan:

C:\windows\system32> sfc /scannow

If you need to inspect an individual file, use it like this:

C:\windows\system32> sfc /VERIFYFILE=c:\windows\system32\kernel32.dll

A log can be found in c:\windows\logs\CBS\CBS.log

Other:
------

If serious errors occur on NTFS volumes, like MFT or superblock issues, which do not seem to get "cured" with MS utilities,
you might investigate Linux options and tools like "testdisk". It might be worthwhile to investigate that further.

=====================================================================================================
13. A few older commands and concepts related to security:
=====================================================================================================

This is mainly old stuff. Sorry.

Older stuff:
============

Actually, some of this is pretty old stuff. Maybe you can't find all of them.
Many tracing and scanning tools (used to be) (or are) available, from standard sources like Microsoft (Resource Kit, Sysinternals),
as well as from a few organizations related to "forensic" activities (which tools are probably somewhat less known).
However, here the discussion is limited to just a few well-known tools from Microsoft.

rpcdump (from ResKit):
----------------------

Can be used with RPC issues.
By default, the Rpc_Svr_Binding_Order entry contains the following value data:

ncacn_ip_tcp,ncacn_spx,ncacn_vns_spp

Following is a list of protocols for endpoints:

Protocol         Description
ncacn_np         Connection-oriented named pipes
ncacn_mq         Datagram connectionless over the Message Queuing server
ncadg_ipx        Datagram connectionless IPX
ncacn_spx        Connection-oriented SPX
ncacn_http       Connection-oriented TCP/IP using Microsoft Internet Information Services as HTTP proxy.
ncacn_nb_nb      Connection-oriented NetBEUI
ncacn_nb_tcp     Connection-oriented NetBIOS over TCP
ncacn_nb_ipx     Connection-oriented NetBIOS over IPX
ncacn_ip_tcp     Connection-oriented TCP/IP
ncacn_at_dsp     AppleTalk DSP
ncadg_ip_udp     Datagram connectionless UDP/IP
ncacn_vns_spp    Connection-oriented Vines SPP transport
ncacn_dnet_nsp   Connection-oriented DECnet transport
ncacn_nb_xns     Connection-oriented XNS

Some of them are sort of "obsolete", like SPX/IPX.

=> Using rpcdump to show all endpoint mappings on your machine:

C:\TEMP> rpcdump /i
C:\TEMP> rpcdump /i /v
C:\TEMP> rpcdump /i /v > rpclisting.txt

Checking for a particular endpoint like ncacn_http:

C:\TEMP> rpcdump /p ncacn_http

epdump (from ResKit):
---------------------

Additional rpc binding information can be found using the epdump utility.

=> Finding the local machine's bindings:

C:\TEMP> epdump
C:\TEMP> epdump > dump.txt

=> Showing you \\foo's bindings, connecting over SPX:

C:\TEMP> epdump ncacn_spx foo

handle (from SysInternals):
---------------------------

This tool displays information about open handles for any process on your system.

=> Showing all processes and handles (to screen, or printed to file):

C:\TEMP> handle
C:\TEMP> handle > openhandles.txt

portqry (Win2K3 Support Tools, newer versions are not "easy" to find and download):
-----------------------------------------------------------------------------------

Good utility in your toolkit to perform network diagnostics, especially to see if TCP/UDP ports are open or not.
=> Finding out if a Server would respond to LDAP queries (port 389):

C:\TEMP> portqry -n SRVDC1 -p udp -e 389

=> Showing all endpoints listening on 135:

C:\TEMP> portqry -n SRVDC1 -p udp -e 135

Many graphical tools (as well as other prompt tools) exist as well.
Especially having a look at "procmon", as a graphical tool from the "Sysinternals suite", is highly recommended.

Some newer stuff:
=================

Careful, be sure you know what you are doing. Can be great, but can be nasty too.

Check DEP:
----------

C:\> wmic OS Get DataExecutionPrevention_Available
Output: TRUE

C:\> wmic OS Get DataExecutionPrevention_Drivers
Output: TRUE

C:\> wmic OS Get DataExecutionPrevention_SupportPolicy
Output (for example): 2

The first command actually only checks if DEP is "available", which is almost always true, so this is indeed a trivial exercise.
The third command might have some more value: it shows the current policy on your system:

0: Always off. No DEP is in effect (you can play all "games" and programs not blocked by DEP).
1: Always on. DEP is ON systemwide.
2: OptIn  - DEP is ON for Windows processes.
3: OptOut - DEP is ON for all processes. But you can create exceptions for certain programs.

C:\> bcdedit.exe /set {current} nx AlwaysOff
C:\> bcdedit.exe /set {current} nx OptIn
C:\> bcdedit.exe /set {current} nx AlwaysOn

Check DEP, ASLR:
----------------

C:\> pefinder.exe "path to executable" -v
"executable": ASLR enabled DEP enabled

Show regular (and possibly nasty) handles on files:
---------------------------------------------------

C:\> handle
C:\> handle > openhandles.txt

(handle comes from the sysinternals toolset, easy to download)

Getting a list of installed patches (kb's / MSXY-ABC) using Powershell:
-----------------------------------------------------------------------

Many folks write their own functions or CmdLets to get such results. It's easy to find such code on the Internet.
Some simple standard available code would be something like:

PS C:\> Get-WmiObject -Class "win32_quickfixengineering"

or something like this (the update history as seen by the Windows Update Agent, exported to a csv file):

PS C:\> $Session = New-Object -ComObject "Microsoft.Update.Session"
$Searcher = $Session.CreateUpdateSearcher()
$historyCount = $Searcher.GetTotalHistoryCount()
$Searcher.QueryHistory(0, $historyCount) |
    Select-Object Date,
        @{name="Operation"; expression={switch($_.operation){ 1 {"Installation"}; 2 {"Uninstallation"}; 3 {"Other"} }}},
        @{name="Status"; expression={switch($_.resultcode){ 1 {"In Progress"}; 2 {"Succeeded"}; 3 {"Succeeded With Errors"}; 4 {"Failed"}; 5 {"Aborted"} }}},
        Title |
    Export-Csv listing.csv

Getting a list of installed patches (kb's / MSXY-ABC) using DOS / CMD:
----------------------------------------------------------------------

C:\TEMP> systeminfo
C:\TEMP> systeminfo | find "kbnumber"
C:\TEMP> wmic qfe get
C:\TEMP> wmic qfe get > patchlist.txt

C:\WINDOWS> copy WindowsUpdate.log C:\TEMP
Then you can just browse around, and search for kb's or other info, in C:\TEMP\WindowsUpdate.log

=====================================================================================================
14. A few commands and concepts related to security and Active Directory:
=====================================================================================================

==============================================================================
14.1 icacls: Showing, Setting, Removing ACL's on NTFS objects (files, directories):
==============================================================================

As the latest command prompt tool, "icacls" replaces the former "cacls" and "xcacls" utilities.

Example: setting NTFS permissions on an NTFS directory.
-------------------------------------------------------

C:\> icacls "C:\test" /grant WSWIN7\albert:(OI)(CI)F /T

The command above gives the user WSWIN7\albert Full Control (F) on the directory C:\TEST.
The command further gives Full Control on any subdir, due to the "/T" switch.
Instead of a local user of a Workstation or Server, the account may also be a Domain Account, like for example "albert@antapex.org", or an AD group.
The parameters in parentheses might seem weird, but they stand for Object Inheritance (OI) and Container Inheritance (CI).

Example: Showing ACL's on a Directory.
--------------------------------------

If you want to know which users and groups have access to D:\DATA, then you may use the simple command:

c:\> icacls D:\DATA

which returns users and/or groups, including system accounts. It's all relatively easy.
Use "icacls /?" to see all possible switches and parameters.

Example: Saving ACL's of a Directory into a file.
-------------------------------------------------

C:\> icacls C:\scripts\ /save c:\backups\scripts_ACLs.txt /T

You can open the ascii file "c:\backups\scripts_ACLs.txt" with notepad, and view the contents.
The contents are not easily readable, but you may notice the SID's of users and groups.
Using the "/restore" switch, you can apply the permissions to the directory again.
I have to say that in some situations, the restore switch is somewhat troublesome if accounts in the backupfile are not "scoped" to your own account.

Larger example:
---------------

Suppose in a Domain, we have Global-Local groups:

Security_Folders_Users_RX
Security_Folders_Users_RWX

Those security groups contain users and groups.
On some member server, we have directories which might be accessed by Domain users having only List and Read rights,
and other users which must have List, Read and Write rights. Maybe you can see the correspondence with the security groups listed above.

Suppose on the member Server, we have the directories D:\DATA and D:\SOFTWARE.
Suppose further, that the domain group "Security_Folders_Users_RWX" needs NTFS Modify rights on D:\DATA and all subdirectories.
Suppose too that the domain group "Security_Folders_Users_RX" needs NTFS RX rights on D:\SOFTWARE and all subdirectories.

Then the following commands will implement that:

C:\> icacls "D:\DATA" /grant Security_Folders_Users_RWX:(OI)(CI)M /T
C:\> icacls "D:\SOFTWARE" /grant Security_Folders_Users_RX:(OI)(CI)RX /T
C:\> icacls "D:\SOFTWARE" /grant Security_Folders_Users_RX:(OI)(CI)R /T

If you need to remove the NTFS permissions:

C:\> icacls "D:\DATA" /remove Security_Folders_Users_RWX /T
C:\> icacls "D:\SOFTWARE" /remove Security_Folders_Users_RX /T

=====================================================================================================
15. A few commands to quickly check your system:
=====================================================================================================

Quite some time back, a lot of tools of the SysInternals suite, like the "handle" and "procmon" utilities, and many more, were fabulous.
And they still are. I certainly advise to try to find "handle", "autoruns", and "process monitor".

But some standard tools, which are already present on your system, are great too. Some of them we have already seen above,
and a few new ones are introduced in this section.
I will reserve this section as a "quick info" section, to check your system. It's not "forensic stuff" or something,
but still quite informative to get a feel for the state of your system.

==================
openfiles command:
==================

This one shows you all open files, and by which process, on your local system.
You need to enable the "local", or "maintain object list", enumeration first, by using "openfiles /local on".
There is some resemblance to the "handle" utility of the SysInternals suite.

(Run as Administrator):

C:\> openfiles /local on                      #enable local open files gathering. Likely to require a reboot.
C:\> openfiles /Query                         #shows all open files, and by which process.
C:\> openfiles /Query > c:\temp\of.txt        #as above, but places the output in a txt file.
C:\> openfiles /Query | find /I "mbam"        #filter on mbam (malwarebytes AV processes, as an example).

Somewhat related:

C:\> net file
C:\> net share                                #shows your local shared entities.
C:\> net use                                  #shows your connections to remote shares.

==================
tasklist command:
==================

C:\> tasklist                                 #shows all processes
C:\> tasklist /svc                            #shows processes, and shows which are a service
C:\> tasklist > c:\temp\processlist.txt       #shows all processes and puts it in a txt file
C:\> tasklist /FI "memusage gt 40000"         #shows only processes where the "filter" (FI) memusage gt 40000 is true
C:\> tasklist /FI "cputime gt uu:mm:ss"       #shows only processes with cpu > "cputime", using the filter cputime in uu:mm:ss
C:\> tasklist /svc | find "svchost"           #shows which services run under svchost processes
C:\> tasklist | find /I "Ora"                 #shows only the processes with details, with a name where "Ora" is part of
                                              #(case-insensitive due to /I)

==================
netstat command:
==================

C:\> netstat -a                               #shows all tcp/ip connections.
C:\> netstat -b                               #shows connections, and executables involved.
C:\> netstat -a > C:\temp\listing.txt         #put the listing in a txt file, for easy browsing.
C:\> netstat -a | find "1433"                 #filter the listing if port 1433 is used.
C:\> netstat -a | find "10.10"                #filter the listing if any connection to networks *10.10* exists.
C:\> netstat -a -b -f                         #shows all the network connections, including fully qualified domain names (-f)
C:\> netstat -r                               #shows the routing table as used by your local machine

Related:

C:\> netsh dump                               #extensive net info.
C:\> netsh dump > C:\temp\net.txt             #put the info in a txt file.

==================
schtasks command:
==================

C:\> schtasks                                 #shows scheduled tasks.
C:\> schtasks | find "somestring" /I          #filter on an identifier

==================
checking patches:
==================

C:\> wmic qfe list
C:\> wmic qfe get
C:\> wmic qfe get > c:\temp\patchlist.txt
C:\> wmic qfe list | find /I "text you want to filter output on"
C:\> systeminfo | find /I "kb"

==================
Disk info:
==================

C:\> fsutil fsinfo drives
C:\> mountvol
C:\> diskpart
DISKPART> list disk
DISKPART> exit

Both fsutil and mountvol have extensive switches and options.

==================
General system info:
==================

C:\> systeminfo
C:\> sc query
C:\> net start
C:\> net start | more
C:\> net start > c:\temp\services.txt

--Of course, using the GUI, you can see the services running.
--Instead of endlessly browsing through such a list, you can
--quickly search from the prompt. Say that you are
--looking for the mysql service, then:

C:\> net start | find /I "mysql"
C:\> net start | find /I "what_you_search_for"

C:\> wmic service get caption, PathName > c:\temp\services.txt
C:\> driverquery
C:\> driverquery > c:\temp\drivers.txt
C:\> cscript eventquery.vbs /FI "whatyousearchfor"    #note: eventquery.vbs not on all win systems.
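As an added example (not part of these notes): the PowerShell script below takes a snapshot of the "quick info" items of this section (listening ports, processes, services, scheduled tasks, patches, shares, drivers) plus the NTFS ACLs of a few directories saved with "icacls /save" as in section 14.1, and reports what changed since the previous snapshot, so a new listener, process, task, share or permission change stands out. It uses native cmdlets (Get-Process, Get-ScheduledTask, Get-HotFix) instead of tasklist/schtasks/wmic so that PIDs and run times stay out of the diff; it assumes an elevated prompt on Windows 8/2012 or later, and the snapshot root and the directory list are placeholders.

```powershell
# Added example (not part of the original notes): snapshot the "quick info" items of
# section 15, plus the NTFS ACLs of a few directories saved with "icacls /save" as in
# section 14.1, and report what changed since the previous snapshot.
# Assumptions: runs as Administrator, Windows 8/2012 or later (Get-ScheduledTask),
# $Root is writable, and $AclDirs is a placeholder list you replace with your own.
param(
    [string]$Root = 'C:\temp\snapshots',
    [string[]]$AclDirs = @('C:\Windows\System32\drivers\etc')
)

function Get-QuickInfoSources {
    # Label -> command producing text lines. PIDs and timestamps are deliberately left
    # out, because they change on every run and would only add noise to the diff.
    [ordered]@{
        listeners = { netstat -a -n | Where-Object { $_ -match 'LISTENING' } }
        processes = { Get-Process | ForEach-Object { if ($_.Path) { $_.Path } else { $_.ProcessName } } | Sort-Object -Unique }
        services  = { net start }
        tasks     = { Get-ScheduledTask | ForEach-Object { $_.TaskPath + $_.TaskName } | Sort-Object }
        patches   = { Get-HotFix | ForEach-Object { $_.HotFixID } | Sort-Object }
        shares    = { net share }
        drivers   = { driverquery }
    }
}

function Save-Snapshot {
    param([string]$Root, [string[]]$AclDirs)
    $dir = Join-Path $Root (Get-Date -Format 'yyyyMMdd_HHmmss')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $sources = Get-QuickInfoSources
    foreach ($name in $sources.Keys) {
        # errors (e.g. a missing cmdlet) are captured into the file instead of aborting the run
        & $sources[$name] 2>&1 | Out-File -FilePath (Join-Path $dir "$name.txt") -Encoding utf8
    }
    $n = 0
    foreach ($aclDir in $AclDirs) {
        if (-not (Test-Path $aclDir)) { continue }
        # icacls writes its own (UTF-16) file: a path line followed by that object's DACL in SDDL form
        icacls $aclDir /save (Join-Path $dir "acl$n.txt") /T /Q | Out-Null
        $n++
    }
    return $dir
}

function Compare-Snapshots {
    param([string]$OldDir, [string]$NewDir)
    $report = @()
    foreach ($file in Get-ChildItem -Path $NewDir -Filter '*.txt') {
        $oldFile = Join-Path $OldDir $file.Name
        if (-not (Test-Path $oldFile)) { continue }
        # Get-Content honours the BOM, so the UTF-8 files and the UTF-16 icacls files both read correctly
        $old = @(Get-Content $oldFile | Where-Object { $_.Trim() -ne '' })
        $new = @(Get-Content $file.FullName | Where-Object { $_.Trim() -ne '' })
        foreach ($d in (Compare-Object -ReferenceObject $old -DifferenceObject $new)) {
            $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            $report += "[$($file.BaseName)] $tag $($d.InputObject)"
        }
    }
    return $report
}

$newDir = Save-Snapshot -Root $Root -AclDirs $AclDirs
$dirs = @(Get-ChildItem -Path $Root -Directory | Sort-Object Name)
if ($dirs.Count -ge 2) {
    "Changes since snapshot $($dirs[-2].Name):"
    Compare-Snapshots -OldDir $dirs[-2].FullName -NewDir $newDir
} else {
    "First snapshot written to $newDir; run again later to see what changed."
}
```

Run it once to create a baseline and again after a suspicious event or a change window; lines tagged ADDED in the "listeners", "tasks" or "acl" files are the ones worth looking at first.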
==================
Shutdown system:
==================

C:\> shutdown -s -t 0                         #shutdown local system now (t=0)
C:\> shutdown -r -t 0                         #reboot local system now
C:\> shutdown -r -f -m \\Trex -t 60           #reboot remote Server "Trex" in 60 seconds
C:\> shutdown -r -o -t 0                      #reboot local system to "Options menu/Recovery Environment"

==================
Show accounts:
==================

C:\> wmic useraccount get name,sid

==================
Just a suggestion (1): Linux emulation: Cygwin
==================

Of course, you can implement a "Linux Virtual Machine" (VM) in your Windows Host, but a very simple but effective application
(yes, application), with a very small footprint, as a Linux emulation, is possible too. That's Cygwin.
No, I do not have shares in Cygwin, but I simply like it, because it's "so small", and "so inexpensive" on your system.
It's just as agile as a regular CMD/DOS box on your system.
Would you not love to have the vi editor, and commands like strings, sed, awk, tr and many more shell commands, fully Unix/Linux style?
I can recommend trying it. Easy to install, easy to uninstall.
It's not really a "sandbox", or shielded VM or something, but it might extend your command toolbox significantly.

EOF