Skip to main content

Table Of Contents

  • Windows System Enumeration
    • Operating System Information
    • Process & Service Enumeration
    • Windows Account Enumeration
    • Network Info & Configuration
    • Registry Commands & Important Keys
    • Remote System Enumeration

WINDOWS SYSTEM ENUMERATION

  • Note: This section details important and useful system enumeration commands that can be used to query important operating system, user, and even remote system information.

OPERATING SYSTEM INFORMATION

Enumerate Windows version information

ver

Display hotfixes and service packs

wmic qfe list

Display whether 32 or 64 bit system

wmic cpu get datawidth /format:list

Enumerate OS architecture - The existence of Program Files (x86) means machine is 64bit

dir /a c:\

Display OS configuration, including service pack levels

systeminfo

Display drives

fsutil fsinfo drives

Display logical drives

wmic logicaldisk get description,name

Display environment variables

set

Date of last reboot - Created date of pagefile.sys is last startup

dir /a c:\pagefile.sys

Display shares

net share

Display local sessions

net session

List user mounted shares – MUST BE RUN IN THE CONTEXT OF THE USER

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\

PROCESS & SERVICE ENUMERATION

Display services hosted in each process

tasklist /svc

Display detailed information for running processes that are not running as SYSTEM

tasklist /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running" /V

Force all instances of a process and child processes to terminate (terminate specific PID with /PID <PID>)

taskkill /F /IM <PROCESS_NAME> /T

Terminate all instances of a process

wmic process where name="<PROCESS_NAME>" call terminate

Display the executable path and PID of all running processes

wmic process get name,executablepath,processid

Display Anti-Virus products commonly registered as AntiVirusProduct (PowerShell command)

Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct -ErrorAction Stop

Run a file as a specific user (prompts for password)

runas /user:<DOMAIN>\<USERNAME> "<FILE_PATH> [ARGS]"

Display processes that match a certain string

tasklist /v | findstr "<STRING_TO_SEARCH>"

Display processes (including command line arguments used to launch them)

wmic process get processid,commandline

Display services (space after state=)

sc query state= all

WINDOWS ACCOUNT ENUMERATION

Display current user

echo %USERNAME%

List number of times user has logged on

wmic netlogin where (name like "%<USERNAME>%") get Name,numberoflogons"

Display local Administrators

net localgroup "Administrator"

NETWORK INFO & CONFIGURATION

Network interface information

ipconfig /all

Display local DNS cache

ipconfig /displaydns

Display all connections and ports with associated process ID

netstat -ano

Write netstat output to file every 3 seconds

netstat –anop tcp 3 >> <FILE_PATH>

Display only listening ports

netstat –an | findstr LISTENING

Display routing table

route print

Display ARP table

arp -a

Attempt DNS zone transfer

nslookup
server <FQDN>
set type=ANY
ls -d <DOMAIN> > <FILEPATH>
exit

Domain SRV lookup (other options: _ldap, _kerberos, _sip)

nslookup –type=SRV _www._tcp.<URL>

Disable firewall (*Old)

netsh firewall set opmode disable

Display saved wireless profiles

netsh wlan show profiles

Export wireless profiles to include plaintext encryption keys

netsh wlan export profile folder=. key=clear

List interface IDs/MTUs

netsh interface ip show interfaces

Set IP

netsh interface ip set address name= "<INTERFACE_NAME>" static <NEW_IP> <NEW_SUBNET_MASK> <NEW_GATEWAY>

Set DNS server

netsh interface ip set dnsservers name= "<INTERFACE_NAME>" static <DNS_SERVER_IP>

Set interface to use DHCP

netsh interface ip set address name= "<INTERFACE_NAME>" source=dhcp

REGISTRY COMMANDS & IMPORTANT KEYS

Search registry for password

reg query HKLM /f password /t REG_SZ /s

Save security hive to file -- (Requires SYSTEM privileges)

reg save HKLM\Security security.hive

OS information

HKLM\Software\Microsoft\Windows NT\CurrentVersion 
/v ProductName
/v InstallDate
/v RegisteredOwner
/v SystemRoot

Time zone (offset in minutes from UTC)

HKLM\System\CurrentControlSet\Control\TimeZoneInformation /v ActiveTimeBias

Mapped network drives

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Mounted devices

HKLM\System\MountedDevices

USB devices

HKLM\System\CurrentControlSet\Enum\USB

Audit policy enumeration -- (Requires SYSTEM privileges)

HKLM\Security\Policy\PolAdTev

Kernel/user services

HKLM\SYSTEM\CurrentControlSet\Services

Installed software for all users

HKLM\Software

Installed software for current user

HKCU\Software

Recent WordPad documents

HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List

Recent typed entries in the Run dialog box

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Typed URLs

HKCU\Software\Microsoft\Internet Explorer\TypedURLs

Last registry key accessed via regedit.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit /v LastKey

Saved User SSH Connection Information

HKCU\Software\SimonTatham\Putty\Sessions

REMOTE SYSTEM ENUMERATION

Display sessions for remote system

net session \\<IP_ADDRESS>

Display logged in user on remote machine

wmic /node: <IP_ADDRESS> computersystem get username

Execute file hosted over SMB on remote system with specified credentials

wmic /node: <IP_ADDRESS> /user:<DOMAIN>\<USERNAME> /password:<PASSWORD> process call create "\\<IP_ADDRESS>\<SHARE_FOLDER>\<FILE_PATH>"

Display process listing every second for remote machine

wmic /node: <IP_ADDRESS> process list brief /every:1

Query remote registry

reg query \\<IP_ADDRESS>\<REG_HIVE>\<REG_KEY> /v <REG_VALUE>

Display process listing on remote system

tasklist /S <IP_ADDRESS> /v

Display system information for remote system

systeminfo /S <IP_ADDRESS> /U <DOMAIN>\<USERNAME> /P <PASSWORD>

Display shares of remote computer

net view \\<IP_ADDRESS> /all

Connect to remote filesystem with specified user account

net use * \\<IP_ADDRESS>\<SHARE_FOLDER> /user:<DOMAIN>\<USERNAME> <PASSWORD>

Add registry key to remote system

REG ADD "\\<IP_ADDRESS>\HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F /D "<FILE_PATH>"

Copy remote folder

xcopy /s \\<IP_ADDRESS>\<SHARE_FOLDER> <LOCAL_DIR>

Display system uptime - look for creation date of pagefile.sys. This is the last time the system started

dir \\<IP_ADDRESS>\c$

Display processes (look for AV, logged on users, programs of interest, etc.)

tasklist /v /s <IP_ADDRESS>

Display system architecture - Presence of "Program Files (x86)" means 64-bit system

dir \\<IP_ADDRESS>\c$