Windows
Package Managers
Chocolatey
After reading and understanding the Community Packages Disclaimer, install Chocolatey from an elevated PowerShell prompt like this:[1]
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
If desired, enable allowGlobalConfirmation[2]:
choco feature enable --name allowGlobalConfirmation
Install packages like this:
choco install putty
Ninite
Ninite TBD
Scoop
Scoop TBD
Winget
TBD
Npackd
Npackd TBD
3rd party programs
Cygwin
TBD
Netcat
Someone was kind enough to upload Netcat for Windows!
$ nc -h
[v1.11 NT www.vulnwatch.org/netcat/]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [options] [hostname] [port]
options:
        -d              detach from console, background mode
        -e prog         inbound program to exec [dangerous!!]
        -g gateway      source-routing hop point[s], up to 8
        -G num          source-routing pointer: 4, 8, 12, ...
        -h              this cruft
        -i secs         delay interval for lines sent, ports scanned
        -l              listen mode, for inbound connects
        -L              listen harder, re-listen on socket close
        -n              numeric-only IP addresses, no DNS
        -o file         hex dump of traffic
        -p port         local port number
        -r              randomize local and remote ports
        -s addr         local source address
        -t              answer TELNET negotiation
        -u              UDP mode
        -v              verbose [use twice to be more verbose]
        -w secs         timeout for connects and final net reads
        -z              zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]
PortQry
PortQry[3] can be used as a Netcat substitute.
Scan a single port:
PortQry.exe -n alice -p tcp -e 80
Scan several ports:
PortQry.exe -n alice -p tcp -o 80,443
Scan a range:
PortQry.exe -n alice -p tcp -r 512:1024
rinetd
Together with Disable445Feature.zip[4], which frees the local SMB port, rinetd lets us redirect port 445 to another host:
$ type Disable445Feature.ps1
Function Disable445Feature {
    $netBTParametersPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
    IF(Test-Path -Path $netBTParametersPath) {
        Set-ItemProperty -Path $netBTParametersPath -Name "SMBDeviceEnabled" -Value 0
    }
    Set-Service lanmanserver -StartupType Disabled
    Stop-Service lanmanserver -Force
}
Disable445Feature
Once disabled, our local port 445 should be free to be used with rinetd:
$ type config.txt
127.0.0.1 445 10.0.0.1 445
$ rinetd.exe -c config.txt
$ netstat -an | find "445"
  TCP    127.0.0.1:445          0.0.0.0:0              LISTENING
Now shares can be mounted from localhost!
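As an added example (not part of the page or of the Disable445Feature.zip script), the following PowerShell checks which process still owns TCP 445 before rinetd is started, and provides the reverse of Disable445Feature so the local Server service can be restored afterwards. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated prompt for the service and registry changes.

```powershell
# Added example: verify TCP 445 is free before starting rinetd, and undo
# the Disable445Feature changes when the redirection is no longer needed.
$netBTParametersPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"

Function Get-Port445Listener {
    # Returns one object per listener bound to TCP 445, or nothing if the port is free.
    # On a stock Windows box this is the System process (PID 4) on behalf of srvnet.
    Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name = '<unknown>'
            if ($proc) { $name = $proc.ProcessName }
            [PSCustomObject]@{
                LocalAddress = $_.LocalAddress
                Pid          = $_.OwningProcess
                Process      = $name
            }
        }
}

Function Enable445Feature {
    # Reverse of Disable445Feature: re-enable the SMB device and the Server service.
    # Stop rinetd first, otherwise lanmanserver cannot bind 445 again.
    if (Test-Path -Path $netBTParametersPath) {
        Set-ItemProperty -Path $netBTParametersPath -Name "SMBDeviceEnabled" -Value 1
    }
    Set-Service lanmanserver -StartupType Automatic
    Start-Service lanmanserver
}

# Usage: run after Disable445Feature and before "rinetd.exe -c config.txt".
$listeners = Get-Port445Listener
if ($listeners) {
    Write-Warning "TCP 445 is still in use; rinetd will fail to bind it:"
    $listeners | Format-Table -AutoSize
} else {
    Write-Host "TCP 445 is free; rinetd can bind it now."
}
```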
Sysinternals Suite
The Sysinternals Suite comes with another set of useful tools:
$ pslist -m explorer

Process memory detail for WINXP:

Name                Pid      VM      WS    Priv Priv Pk   Faults   NonP Page
explorer           1312  103744   22772   13416   14872    40934     14  107
Without any additional tools, all we have is dir, but that's not really useful, as we cannot print directory names and sizes on the same line:
$ dir /o:s /s "c:\Program Files" | find "bytes" | sort
              75 File(s)     70,783,134 bytes
              81 File(s)      6,992,256 bytes
              88 File(s)        899,425 bytes
              89 File(s)        907,053 bytes
             127 File(s)    119,764,510 bytes
            3291 Dir(s)  77,508,915,200 bytes free
            3647 File(s)  2,336,559,490 bytes
With du this looks a bit better:
$ du -nobanner -v c:\ | sort
Processing...
[...]
     3,676,260  c:\Windows\WinSxS
     3,916,391  c:\Users\dummy
     3,919,139  c:\Users
     5,263,591  c:\Windows\System32
    17,144,086  c:\Windows
Directories:   96243
Files:         340178
Size on disk:  26,900,548,576 bytes
Size:          29,744,207,359 bytes
But PowerShell of course is here to help:[5]
> $totalsize = [long]0
> Get-ChildItem -File -Recurse -Force -ErrorAction SilentlyContinue | % {$totalsize += $_.Length}
> $totalsize / 1024 / 1024 / 1024
55.0684367781505
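The snippet above gives one total; as an added example (not from the page), the function below extends it to the per-directory listing that dir could not produce: every subdirectory of a path on its own line with its size, largest first. The function name, parameters and the 'C:\Program Files' sample path are assumptions.

```powershell
# Added example: directory names and sizes on the same line, sorted by size.
Function Get-DirectorySize {
    param(
        [string]$Path = '.',
        [int]$Top = 20
    )
    Get-ChildItem -Path $Path -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Sum the lengths of all files below this subdirectory. Entries we
            # cannot read are skipped silently, so without an elevated prompt the
            # numbers are a lower bound, exactly as with $totalsize above.
            $bytes = [long](Get-ChildItem -Path $_.FullName -File -Recurse -Force `
                            -ErrorAction SilentlyContinue |
                            Measure-Object -Property Length -Sum).Sum
            [PSCustomObject]@{
                Directory = $_.FullName
                SizeGB    = [math]::Round($bytes / 1GB, 3)
                Bytes     = $bytes
            }
        } |
        Sort-Object -Property Bytes -Descending |
        Select-Object -First $Top
}

# Usage: the 20 largest subdirectories of the Program Files tree.
Get-DirectorySize -Path 'C:\Program Files' | Format-Table -AutoSize
```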
UnxUtils
UnxUtils provides GNU utilities for Win32 systems, but it was last updated in 2014, so Cygwin is the better choice if such tools are really necessary.
Wipe
SDelete can do many things. Overwriting free disk space with zeros for example:
sdelete -z c:
cipher.exe can do something similar ("overwrite deleted data on a volume"):
cipher /w:c:
Miscellaneous
Checksums
With fciv only available[6] up to Windows XP and Windows Server 2003, we can use certutil[7] to do the job:
$ certutil -hashfile -? | find "algo"
Hash algorithms: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512
$ certutil -hashfile foo.txt SHA256
SHA256 hash of foo.txt:
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
CertUtil: -hashfile command completed successfully.
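Computing the hash is only half the job; as an added example (not from the page), the function below runs certutil and compares the result with an expected digest, handling the older certutil builds that print the bytes space-separated. The function name and the foo.txt/expected-hash usage (taken from the output above) are assumptions.

```powershell
# Added example: verify a file against a published digest using certutil.
Function Test-FileHashCertutil {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Expected,
        [ValidateSet('MD2','MD4','MD5','SHA1','SHA256','SHA384','SHA512')]
        [string]$Algorithm = 'SHA256'
    )
    $output = & certutil.exe -hashfile $Path $Algorithm 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed for '$Path': $($output -join ' ')"
    }
    # Line 1 is the "<algo> hash of <file>:" header, line 2 the digest. Older
    # certutil versions print it as "4b 9d 68 ...", so strip all whitespace
    # before comparing; hex case does not matter either.
    $actual = (($output | Select-Object -Index 1) -replace '\s', '').ToLower()
    $wanted = ($Expected -replace '\s', '').ToLower()
    [PSCustomObject]@{
        Path      = $Path
        Algorithm = $Algorithm
        Expected  = $wanted
        Actual    = $actual
        Match     = ($actual -eq $wanted)
    }
}

# Usage with the foo.txt digest shown above; Match is $true only if the
# file on disk still produces that SHA256.
Test-FileHashCertutil -Path .\foo.txt `
    -Expected '4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026'
```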
Control Panels
runas /user:Administrator cmd.exe
sysdm.cpl        # System Properties
firewall.cpl     # Windows Firewall
Disk Management
Trying to shrink a volume only allows us to shrink it by a certain amount, although more (free) disk space would be available. The Application log in the system event viewer shows:
A volume shrink analysis was initiated on volume Windows (C:). This event log entry details information about the last unmovable file that could limit the maximum number of reclaimable bytes.

Diagnostic details:
 - The last unmovable file appears to be: \System Volume Information\[...]
 - The last cluster of the file is: 0x788ecaf
 - Shrink potential target (LCN address): 0x1a8842b
 - The NTFS file flags are: ---AD
 - Shrink phase: <analysis>

To find more details about this file please use the "fsutil volume querycluster \\?\Volume{d66eabaf-6574-4b9d-ac48-309125edfbc8} 0x788ecaf" command.
To free these unmovable objects we need to:
- (temporarily) disable the paging file[8]
- disable system protection (which will in effect delete the system's shadow copies[9])
EFI boot loader
Booting into Windows to apply some firmware updates altered the boot order: Windows would still boot, but the GRUB menu was gone and there was no way to boot into Linux again. Use bcdedit[10] to point the boot manager at the correct path again:
bcdedit /set {bootmgr} path \EFI\fedora\grubx64.efi
With that, the GRUB menu was restored.
Environment Variables
PATH=%PATH%;%ProgramFiles%\UnxUtils\usr\local\wbin;%ProgramFiles%\Windows Resource Kits\Tools;%ProgramFiles%\SysinternalsSuite
PROMPT=%COMPUTERNAME%#
DIRCMD=/a/ogn/p
Filesystem Links
Hardlinks can be created with fsutil:
fsutil hardlink create %systemroot%\foo.exe "%programfiles%\application\this-app.exe"
Symbolic links for directories can be created via junction:
junction %systemroot%\target "%programfiles%\source"
Windows Vista introduced support for symbolic links to files and directories via mklink:
runas /user:administrator mklink %systemroot%\target.exe "%programfiles%\source.exe"
Note:
- Be careful with junctions - when deleting the target directory, the (content of the) source directory is also deleted! That's what you get when hardlinking directories.
- mklink needs explicit permissions to create symbolic links! Sometimes a dedicated administrator shell is necessary:
$ runas /user:administrator cmd
Enter the password for administrator:
Attempting to start cmd as user "LOCALHOST\administrator" ...
Hibernation
From an administrator shell:
powercfg.exe /hibernate off
This will also remove the (large) hiberfil.sys file.
Minimized Applications
start /min %systemroot%\system32\taskmgr.exe
- Windows 7: take "real" ownership of files:
takeown /f directory_name /r /d y
icacls directory_name /grant administrators:F /t
Runas
The basic usage of runas is:
runas /noprofile /user:admin "some\program.exe"
In some Windows versions, the Run as... right-click option is disabled for .bat and .cmd files. To enable it, use the following registry snippet:[11]
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\batfile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\cmdfile\shell\runas\command]
@="\"%1\" %*"
Note: runas will still ask for a password, namely that of the user given with /user: above. We could create an auxiliary admin user with a different name (a member of the "Administrators" group), but that is still no substitute for SUID or sudo approaches.
UTC System Time
To configure Windows to use UTC instead of local time for the hardware clock[12], a registry value must be set:
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation" /v RealTimeIsUniversal /d 1 /t REG_QWORD /f
Windows Build
From within Windows:
$ systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19043 N/A Build 19043
Or, via wmic:
$ wmic os get BuildNumber,Version /value
BuildNumber=19043
Version=10.0.19043
Even ver still works:
$ ver
Microsoft Windows [Version 10.0.19043.1348]
Display the Windows version and build without running Windows, i.e. from a Linux machine with the Windows disk mounted:[13][14]
$ iconv -f UTF-16 -t UTF-8 < some.log | grep -Po 'Data.OsBuild.{40}'
Data.OsBuild": 18362, "Data.OsBuildRevision": 476, "
$ hivexget /mnt/disk/Windows/System32/config/SOFTWARE 'Microsoft\Windows NT\CurrentVersion' | grep -Ew 'ProductName|CurrentBuild'
"CurrentBuild"="18362"
"ProductName"="Windows 10 Pro"
$ cat /mnt/disk/ProgramData/Microsoft/Diagnosis/osver.txt
10.0.18362
See also
- Backup
- Eventlog
- Scripting
- Live CD
- WSUS - Windows Server Update Services
- WSL - Windows Subsystem for Linux
Links
- Windows lifecycle fact sheet
- Sysinternals
- fix-windows-privacy (Windows 10, x64)
- NoSleep.exe - Prevents Screensaver and PC Locking (Archive) (local copy)
- simplewall (Windows Filtering Platform, WFP)
- Windows installer images
References
- [1] Install Chocolatey for Individual Use
- [2] Chocolatey: Configuration
- [3] PortQry Command Line Port Scanner Version 2.0
- [4] How to disable feature of opened port 445 on Windows by PowerShell
- [5] How can I check the size of a folder from the Windows command line?
- [6] How to compute the MD5 or SHA-1 cryptographic hash values for a file
- [7] Certutil
- [8] Optimize Windows for better performance
- [9] Vssadmin delete shadows
- [10] BCD System Store Settings for UEFI
- [11] "Run as" for a .bat file
- [12] System time: UTC in Windows
- [13] How do I tell what version and edition of Windows is on the filesystem?
- [14] How to find Windows Product Key using Command Prompt or PowerShell