We can manager user accounts on a Windows computer using wmic commands. You can find commands for various operations below.
WMIC can collect a list of the currently running processes similar to what you’d see in “Task Manager” using the following command:#wmic process list
Note that some of the WMIC built-ins can also be used in “brief” mode to display a less verbose output. The process built-in is one of these, so you could collect more refined output using the command:
#wmic process list brief
Start an Application
#wmic process call create "calc.exe"
#wmic process call create "calc.exe"
Terminate an Application
#wmic process where name="calc.exe" call terminate
#wmic process where name="calc.exe" call terminate
Change Process Priority
#wmic process where name="explorer.exe" call setpriority 64
#wmic process where name="explorer.exe" call setpriority 64
Get List of Process Identifiers
#wmic process where (Name='svchost.exe') get name,processid
Find a specific Process
#wmic process list brief find "cmd.exe"
You can collect a listing of the environment variables (including the PATH) with this command:
#wmic environment list
#wmic process list brief find "cmd.exe"
You can collect a listing of the environment variables (including the PATH) with this command:
#wmic environment list
OS/System Report HTML Formatted
#wmic /output:c:os.html os get /format:hform
#wmic /output:c:os.html os get /format:hform
Products/Programs Installed Report HTML Formatted
#wmic /output:c:product.html product get /format:hform
#wmic /output:c:product.html product get /format:hform
Turn on Remoted Desktop Remotely
#Wmic /node:"servername" /user:"user@domain" /password: "password" RDToggle where ServerName="server name" call SetAllowTSConnections 1
#Wmic /node:"servername" /user:"user@domain" /password: "password" RDToggle where ServerName="server name" call SetAllowTSConnections 1
Get Server Drive Space Usage Remotely
#WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv MORE /E +2 >> SRVSPACE.CSV
#WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv MORE /E +2 >> SRVSPACE.CSV
Get PC Serial Number
#wmic /node:<ID Address> bios get serialnumber
#wmic /node:<ID Address> bios get serialnumber
Get PC Product Number
#wmic /node:"HOST" baseboard get product
#wmic /node:"HOST" baseboard get product
Find stuff that starts on boot
#wmic STARTUP GET Caption, Command, User
#wmic STARTUP GET Caption, Command, User
Reboot or Shutdown
#wmic os where buildnumber="2600" call reboot
#wmic os where buildnumber="2600" call reboot
Get Startup List
#wmic startup list full
#wmic startup list full
Information About Harddrives
#wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
#wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
Information about os
#wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:osinfo.htm
#wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:osinfo.htm
Information about files
#wmic path cim_datafile where "Path='\windows\system32\wbem\' and FileSize>1784088" > c:filedetails.txt
#wmic path cim_datafile where "Path='\windows\system32\wbem\' and FileSize>1784088" > c:filedetails.txt
The following global switches are available:
/NAMESPACE Path for the namespace the alias operate against.
/ROLE Path for the role containing the alias definitions.
/NODE Servers the alias will operate against.
/IMPLEVEL Client impersonation level.
/AUTHLEVEL Client authentication level.
/LOCALE Language id the client should use.
/PRIVILEGES Enable or disable all privileges.
/TRACE Outputs debugging information to stderr.
/RECORD Logs all input commands and output.
/INTERACTIVE Sets or resets the interactive mode.
/FAILFAST Sets or resets the FailFast mode.
/USER User to be used during the session.
/PASSWORD Password to be used for session login.
/OUTPUT Specifies the mode for output redirection.
/APPEND Specifies the mode for output redirection.
/AGGREGATE Sets or resets aggregate mode.
/AUTHORITY Specifies the <authority type> for the connection.
/?[:<BRIEF|FULL>] Usage information.
/NAMESPACE Path for the namespace the alias operate against.
/ROLE Path for the role containing the alias definitions.
/NODE Servers the alias will operate against.
/IMPLEVEL Client impersonation level.
/AUTHLEVEL Client authentication level.
/LOCALE Language id the client should use.
/PRIVILEGES Enable or disable all privileges.
/TRACE Outputs debugging information to stderr.
/RECORD Logs all input commands and output.
/INTERACTIVE Sets or resets the interactive mode.
/FAILFAST Sets or resets the FailFast mode.
/USER User to be used during the session.
/PASSWORD Password to be used for session login.
/OUTPUT Specifies the mode for output redirection.
/APPEND Specifies the mode for output redirection.
/AGGREGATE Sets or resets aggregate mode.
/AUTHORITY Specifies the <authority type> for the connection.
/?[:<BRIEF|FULL>] Usage information.
Use Case Examples 01:
Use of WMIC to query remote servers to get the hardware serial numbers.
In order to run against ab entire subnet and output to a text document, I used the below approach. This helps me to verify the inventory of computers.
I placed the IP list after node: node:ip1,ip2,ip3, or sometime used a text file when the list is so large with a file node:@file:
#wmic /node:@nodes.txt /user:administrator /password:mypassword /output:out.csv bios get serialnumber /format:csv
Use Case Example 02:
While investigating suspicious behaviours recorded on windows computers, I have some times seen entries shown as below which suspicious
#wmic /node:<IP ADDRESS> /user:<USERNAME> /password:<PASSWORD> process call create "cmd /c start c:\windows\system32\<processname>.exe"
#wmic /node:<IP ADDRESS> /user:<USERNAME> /password:<PASSWORD> process call create "cmd /c del c:\windows\system32\<processname>.exe"
#wmic /node:<IP ADDRESS> /user:<USERNAME> /password:<PASSWORD> process call create "cmd /c start c:\windows\system32\<processname>.exe"
#wmic /node:<IP ADDRESS> /user:<USERNAME> /password:<PASSWORD> process call create "cmd /c del c:\windows\system32\<processname>.exe"
0 comments:
Post a Comment