In my March 2008 tip, I covered some of the most useful command-line tools in Windows, including the WMIC, net, openfiles, netstat and find commands. This month, I'll round out that top ten list by addressing five more useful commands and analyzing how security professionals can use each one to help them do their jobs better.
Interacting with processes using tasklist
In my previous tip, I looked at how the WMIC command offers interesting insights into running processes. The tasklist command also has some nice features worthy of inclusion, pulling some process attributes that are difficult or impossible to discern using WMIC.
When run by itself with no options, the tasklist command shows a list of all running processes, displaying their names, PID numbers and other statistics. To get even more out of tasklist, consider running it like this:
C:\> tasklist /svc
This command tells tasklist to show which services are running inside of each process. Many Windows users don't understand the relationship between services and processes, having at best a murky idea that they are different but related entities. In reality, each service on a Windows box must run inside of a process, and some processes have multiple services living inside of them. Thus, there is a one-to-many relationship between processes and services, which the tasklist command can reveal.
Another helpful invocation of the tasklist command is:
C:\> tasklist /m
The "m" stands for "modules", or the way that tasklist refers to DLLs, libraries of code loaded by processes as they run to do their bidding on machines. When invoked this way, tasklist shows every DLL currently loaded into all running processes. This provides users with a wealth of information about what is happening on their machines at a given time. While analysis of this output is a daunting task, the information included is helpful for malware researchers trying to determine the nature of the processes running on their boxes. Google searches for specific processes and DLLs may return descriptions of malware from antivirus vendor sites, which provides useful insight into attackers' motives with a given specimen.
The reg command for fine-grained registry analysis
The reg command lets users interact with the registry of their machines at the command line. Instead of using the cumbersome regedit GUI to navigate the registry, security pros can simply pop open a Windows command shell and run the reg command to read or update the registry. However, the reg command doesn't allow for interactive browsing of the registry; users need to know the full path to the registry keys they want to view or alter. But given that path, the reg command is an easy way to make changes.
To view the settings of a given registry key, use the "query" option of the reg command as follows:
C:\> reg query hklm\software\microsoft\windows\currentversion\run
This key controls various auto-start programs on Windows that run when a machine is booted up and subsequently when users log on to the system. Many malware specimens alter this key to ensure that they run when the system is rebooted.
To export individual keys or complete sections of the registry to a file for analysis or installation on a separate system, the reg command supports the "reg export" function. In addition to reading and exporting registry settings, the reg command can update them as well. The "reg add" command will update the value of an existing key, or create a key if it doesn't exist. The "reg import" command can import multiple registry keys.
Using ipconfig for DNS analysis
Most serious Windows users are familiar with the ipconfig command, which is useful for showing the network settings of a Windows box. But there's a particularly useful feature of ipconfig that a lot of folks aren't aware of -- a function that is quite beneficial to security pros given the capabilities of today's botnets. The ipconfig command can display the local Windows machine's DNS cache as follows:
C:\> ipconfig /displaydns
The output of the command shows the various cached domain names, their associated IP addresses and the time to live (in seconds) for the DNS record. If users run the command repeatedly, they can see the time to live decreasing until records expire and are discarded, or get renewed. Watching the DNS cache and time to live (TTL) values is particularly important when investigating fast-flux botnets, which utilize DNS records with small TTLs to force constant updates and confuse investigators regarding the location of the hacker's critical back-end servers. Admittedly, ipconfig doesn't have as many fancy options as the other commands covered in this series, like tasklist and reg. But this one use of the command is immensely helpful.
Running repeatedly with FOR /L loops
Sometimes administrators or security professionals want to run a command repeatedly, perhaps at five-second intervals to look for changes in its output. To accomplish this goal, they can rely on Windows FOR loops. Windows supports five different kinds of FOR loops, which can iterate over file integers, file names, directory names, file contents and strings. The focus here will be on the simplest of these loops, specifically the FOR /L variety, which iterates over integers since they can be used to make commands run continuously. The syntax of a FOR /L loop is:
C:\> for /L %[var] in ([start],[step],[stop]) do [command]
The [var] is our iterator variable, a single alphabetic letter that will take on different integer values at each step through the loop. The user then specifys the starting value of the variable, the amount it should be incremented at each step through the loop, and its maximum value that will stop the loop. A command to run at each step through the loop should also be specified. To illustrate, consider the following:
C:\> for /L %i in (1,1,10) do @echo %i
This loop will use %i as a variable, starting at a value of 1. At each iteration through the loop, %i will be incremented by 1, going up to 10. Then, in the loop, the user can simply print the value of the iterator variable on the screen using the echo command. The @ tells the system not to print out the command itself, making the output a little prettier. The user just told the system to count from 1 to 10.
Now, let's see how to use this command to make the tasklist command run continuously:
C:\> for /L %i in (1,0,2) do @tasklist
With this command, a user is telling the machine to start a loop with a variable at 1, counting by zero, all the way up to 2. That'll count forever, until the user hits CTRL-C to stop it. A user can simply run the tasklist command at each iteration.
To add a delay of a few seconds between iterations, simply ping the localhost (127.0.0.1) multiple times at each iteration through the loop, by adding "& ping --n 6 127.0.0.1 > nul" as follows:
C:\> for /L %i in (1,0,2) do @tasklist & ping --n 6 127.0.0.1 > nul
Since the Windows command line has no built-in sleep function to wait for a given delay, users can make a delay happen with ping. The command above will ping the localhost address six times (-n 6), introducing a delay of five seconds (the first ping happens immediately, followed by one ping per second for five seconds). We're dumping the ugly output of ping into nul, making it disappear. The result is a command that runs tasklist every five seconds. This technique can be used to run each of the commands covered in this series repeatedly, letting users more carefully scrutinize the output. More complex syntax can even parse the output of the command to allow generation of custom scripts for detailed system analysis, but such syntax goes beyond the scope of these monthly tips.
Launching admin GUIs via the command line
While the Windows command line has many powerful tools, believe it or not, sometimes a GUI tool can do the job better than the command line. However, memorizing the obscure locations where Microsoft has buried various controls in its GUI is a bewildering task.
Fortunately, users don't have to dig through the GUI to find what they want; instead they can rely on command-line shortcuts. For example, instead of going to the start menu to find and run local user manager GUI, users can go to the nearest command prompt and type:
There are numerous other GUI controls that can be launched from the command line in this way, which saves a lot of time. Here are some of my favorites:
- Secpol.msc: This is the local security policy manager, used to configure hundreds of security settings on the box.
- Services.msc: This command launches the services control panel GUI.
- Control: This command brings up the overall control panel set of tools.
- Taskmgr.exe: This command launches the Task Manager.
- Explorer.exe: To invoke the Windows file explorer in a handy fashion, run this command.
- Eventvwr.msc: This command runs the Windows Event Viewer, useful for log analysis.
At first, it may seem that the various Windows commands covered in these tips are obscure or hard to memorize. But, with diligent practice, these Windows command-line tools can help administrators and security pros wield far more power over their Windows machines, configuring them more securely and analyzing them in greater detail when they get attacked.
About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.
This was first published in May 2008