Windows XP

From Segfault

Resource Kit Tools

With Windows XP, the Resource Kit Tools needed to be installed to provide some helpful commands, usually under %ProgramFiles%\Windows Resource Kits\Tools:



 The system global flag 'maintain object type lists' is not enabled
 for this system. Please use 'oh +otl' to enable it and then reboot.

Find all open handles:

WINXP# oh -p 0 | qgrep -e "Documents and Settings"
000007A0 cmd.exe        File           000c \Documents and Settings\Administrator
000004B8 oh.exe         File           000c \Documents and Settings\Administrator
000000A8 qgrep.exe      File           000c \Documents and Settings\Administrator
0000050C qgrep.exe      File           000c \Documents and Settings\Administrator


A top-like utility:

WINXP# pmon
 Memory:  523796K Avail: 321572K  PageFlts:    12 InRam Kernel: 1400K P:17292K
 Commit: 215472K/ 172892K Limit: 621464K Peak: 355364K  Pool N: 4604K P:17640K

                Mem  Mem   Page   Flts Commit  Usage   Pri  Hnd Thd  Image
CPU  CpuTime  Usage Diff   Faults Diff Charge NonP Page     Cnt Cnt  Name

              55160    8  1086984    2                             File Cache
96  43:43:53     28    0        0    0      0    0    0  0    0  1 Idle Process
 0   0:26:06    236    0     3238    0     28    0    0  8  239 44 System
 0   0:00:00    400    0      239    0    156    0    6 11   26  2 smss.exe


qgrep actually understands a few regular expressions:

WINXP# tasklist | qgrep -v "K$"

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============

WINXP# tasklist | qgrep  "^s"
smss.exe                     424 Console                 0        400 K
services.exe                 556 Console                 0      5,428 K
svchost.exe                  772 Console                 0      5,600 K
svchost.exe                  816 Console                 0      4,248 K
svchost.exe                  932 Console                 0      3,932 K
svchost.exe                  948 Console                 0      3,168 K
svchost.exe                  980 Console                 0     28,656 K
sched.exe                   1036 Console                 0        768 K

qwinsta, rwinsta

How to query (and terminate) RDP sessions:

$ qwinsta
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 console                                     0  Conn    wdcon
 rdp-tcp                                 65536  Listen  rdpwd
>rdp-tcp#3         Administrator             1  Active  rdpwd
                   bob                       2  Disc    rdpwd

$ rwinsta 2


$ tasklist /fi "memusage gt 8192"

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
winlogon.exe                 512 Console                 0     10,140 K
svchost.exe                  980 Console                 0     28,956 K
avguard.exe                 1128 Console                 0      8,740 K
explorer.exe                1160 RDP-Tcp#3               1      8,316 K
firefox.exe                 3772 RDP-Tcp#3               1     54,240 K

Sometimes we want to know which program[1] occupies a certain network port. Running tasklist in a loop with netstat can emulate something like netstat -p in Linux:

@echo off

rem Put the address or port to look for between the quotes of find "".
:loop
echo %time%
for /f "tokens=1-5" %%a ^
  in ('netstat -ano ^| find ""') ^
do echo "REMOTE %%c PID: %%e" & ^
  tasklist /FO CSV /V /FI "PID eq %%e" /NH

goto loop
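
An added example (not part of the original page): the same PID join done offline in Python over saved `netstat -ano` and `tasklist /FO CSV /NH` output. It also handles UDP rows, which have no State column, so their PID is the fourth token rather than the fifth that the batch loop reads. The sample outputs, addresses and function names are constructed for illustration.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (documentation-range addresses).
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    192.0.2.10:3389        198.51.100.7:50211     ESTABLISHED     772
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /FO CSV /NH` output.
TASKLIST = '''"System","4","Console","0","236 K"
"svchost.exe","772","Console","0","5,600 K"
"svchost.exe","980","Console","0","28,656 K"
'''

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2 and r[1].isdigit()}

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) from `netstat -ano` output."""
    for line in text.splitlines():
        f = line.split()
        # Skip the banner, the column header and anything without a PID.
        if not f or f[0] not in ("TCP", "UDP") or not f[-1].isdigit():
            continue
        # UDP rows have only four tokens: there is no State column.
        state = f[3] if len(f) == 5 else ""
        yield f[0], f[1], f[2], state, int(f[-1])

def sockets_with_owner(netstat_text, tasklist_text):
    """Join every socket with the image name of the owning PID."""
    names = parse_tasklist(tasklist_text)
    return [(proto, local, remote, state, pid, names.get(pid, "<unknown>"))
            for proto, local, remote, state, pid in parse_netstat(netstat_text)]

if __name__ == "__main__":
    for row in sockets_with_owner(NETSTAT, TASKLIST):
        print("%-4s %-22s %-22s %-12s %6d %s" % row)
```

A PID that appears in the netstat output but not in the tasklist output is reported as `<unknown>`, which happens when the process exited between the two captures.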

Windows' own netstat has an option to display not only the PIDs but the program name - but it's awfully slow and it needs Administrator privileges:

$ netstat -anob

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP                LISTENING       748
  Can not obtain ownership information
  TCP           ESTABLISHED     5336


Similar to tasklist, there's taskkill to terminate processes:

$ tasklist | find "Job"
JobServer.exe                16224 Services                   0     90,436 K
JobServerChild.exe           21796 Services                   0    127,936 K
JobServerChild.exe           13768 Services                   0    129,164 K
$ taskkill /PID 21796 /PID 13768 /f
SUCCESS: The process with PID 21796 has been terminated.
SUCCESS: The process with PID 13768 has been terminated.

Directories that are safe to delete

Windows saves a lot of things to disk, never deleting them. So %SystemRoot% grows and grows and sometimes we need to free up some space, quickly:

Screen Lock, Hibernation, Standby

To lock the screen:

rundll32.exe user32.dll,LockWorkStation

To put the system into hibernation or standby:

rundll32.exe powrprof.dll,SetSuspendState

Use Powercfg.cpl to check if hibernation is enabled: if it is, the system will go into hibernation, otherwise the system will go into standby.

One can also click on the taskbar, hit ALT+F4 and a popup window appears to choose from standby, hibernate, restart and shutdown. If hibernate is not listed, try pressing H to force hibernation.

Suspend to RAM (STR) can be possible if the hardware supports it:

Multiple TerminalServer Sessions

This should work immediately, w/o restarting the machine:

 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\fSingleSessionPerUser = 0x0  (DWORD)



Windows XP still came w/o an SSH server installed. Being in a trusted environment, let's use Telnet then:

  1. Go to Control Panel > Program & Features > Turn Windows Features on or off
  2. Enable "Telnet Server"
  3. Enable "Telnet" via services.msc
  4. Start "Telnet" (e.g. net start Telnet)


In some later Windows versions, even the telnet client is disabled, for whatever reasons. Here's how to enable[2] the client again in Windows 7 or Windows 8:

  1. Open Control Panel > Programs and Features > Turn Windows features on or off
  2. Enable "Telnet Client" in "Windows Features"
  3. Click OK