Windows security commands
May 11, 2011
The following is a haphazard list of Windows commands useful to know for security-related tasks. Some of these do not work on all Windows platforms, or require administrator privileges to run properly.
Verify the integrity of critical Windows files by examining their digital signatures:
    sigverif

Show the recent DNS lookups:
    ipconfig /displaydns

Show the ARP cache:
    arp -a

Show TCP ports that are listening for connections:
    netstat -an | findstr LISTEN

Show the name of the process listening on each TCP port (the -b switch requires administrator privileges):
    netstat -anb -p tcp

Show the name of the process listening on each UDP port (the -b switch requires administrator privileges):
    netstat -anb -p udp

Show all open sessions:
    net session

Show all currently running processes:
    tasklist

Show all currently running services:
    net start

Show all registry subkeys and entries for HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /s

Search for all files that have "string" within their filenames:
    attrib /s *string*

List files in the current directory from oldest to newest:
    dir /od

Search for a string within the file example.txt (case insensitive, and quotes must be specified in the command):
    find /i "string" example.txt

Show the NetBIOS computer name and MAC address for a Windows computer with IP address 192.168.1.100:
    nbtstat -A 192.168.1.100

Show local user accounts:
    net user

Show the domain administrator accounts within a domain:
    net group "domain admins" /domain

Show the system uptime (in the output, look for a line saying "statistics since"). High uptime may indicate that the device hasn't been patched in a while:
    net statistics server

Show Windows Firewall configuration:
    netsh firewall show config
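
The netstat and tasklist entries above can be combined to tie each listening TCP port to a process name without the -b switch. The PowerShell below is an added example, not part of the original list; the function names and sample lines are constructed for illustration, and it assumes English-language netstat output (the "LISTENING" state string).

```powershell
# Added example: join `netstat -ano` listeners with `tasklist /fo csv /nh` by PID.
function ConvertFrom-NetstatListen {
    param([string[]]$NetstatLines)
    foreach ($line in $NetstatLines) {
        # Data rows: Proto, Local Address, Foreign Address, State, PID
        $f = $line.Trim() -split '\s+'
        # Skips the header (6 tokens), UDP rows (no State column) and non-listeners.
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'LISTENING') { continue }
        # Split on the LAST colon so IPv6 locals such as [::]:445 parse correctly.
        $i = $f[1].LastIndexOf(':')
        [pscustomobject]@{
            Address = $f[1].Substring(0, $i)
            Port    = [int]$f[1].Substring($i + 1)
            ProcId  = [int]$f[4]
        }
    }
}

function Get-ListenerReport {
    param([string[]]$NetstatLines, [string[]]$TasklistCsv)
    # tasklist /fo csv /nh columns: Image Name, PID, Session Name, Session#, Mem Usage
    $names = @{}
    $TasklistCsv | ConvertFrom-Csv -Header Image, ProcId, Session, SessionNum, Mem |
        ForEach-Object { $names[[int]$_.ProcId] = $_.Image }
    ConvertFrom-NetstatListen $NetstatLines | ForEach-Object {
        # A PID missing from tasklist (process exited, or access denied) is flagged.
        $image = if ($names.ContainsKey($_.ProcId)) { $names[$_.ProcId] } else { '<unknown>' }
        $_ | Add-Member -NotePropertyName Image -NotePropertyValue $image -PassThru
    } | Sort-Object Port, Address
}

# Constructed sample output, so the example runs without touching the live system.
$sampleNetstat = @(
    '  Proto  Local Address          Foreign Address        State           PID'
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884'
    '  TCP    192.168.1.100:49712    192.168.1.10:445       ESTABLISHED     4'
    '  TCP    [::]:445               [::]:0                 LISTENING       4'
    '  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       5120'
    '  UDP    0.0.0.0:5355           *:*                                    1204'
)
$sampleTasklist = @(
    '"System","4","Services","0","140 K"'
    '"svchost.exe","884","Services","0","9,012 K"'
)
Get-ListenerReport $sampleNetstat $sampleTasklist | Format-Table Port, Address, ProcId, Image

# Live use on the local machine:
# Get-ListenerReport (netstat -ano) (tasklist /fo csv /nh) | Format-Table -AutoSize
```

In the sample, port 8080 is reported with the image name <unknown> because PID 5120 does not appear in the tasklist data; on a live system, a listener whose PID cannot be resolved is worth a closer look.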