Windows XP
Resource Kit Tools
With Wndows XP, the Resource Kit Tools (Archive) needed to be installed to provide some helpful commands, usually under %ProgramFiles%\Windows Resource Kits\Tools:
oh
NOTE:
The system global flag 'maintain object type lists' is not enabled for this system. Please use 'oh +otl' to enable it and then reboot.
Find all open handles:
WINXP# oh -p 0 | qgrep -e "Documents and Settings" [...] 000007A0 cmd.exe File 000c \Documents and Settings\Administrator 000004B8 oh.exe File 000c \Documents and Settings\Administrator 000000A8 qgrep.exe File 000c \Documents and Settings\Administrator 0000050C qgrep.exe File 000c \Documents and Settings\Administrator
pmon
A top like utility:
WINXP# pmon
Memory: 523796K Avail: 321572K PageFlts: 12 InRam Kernel: 1400K P:17292K
Commit: 215472K/ 172892K Limit: 621464K Peak: 355364K Pool N: 4604K P:17640K
Mem Mem Page Flts Commit Usage Pri Hnd Thd Image
CPU CpuTime Usage Diff Faults Diff Charge NonP Page Cnt Cnt Name
55160 8 1086984 2 File Cache
96 43:43:53 28 0 0 0 0 0 0 0 0 1 Idle Process
0 0:26:06 236 0 3238 0 28 0 0 8 239 44 System
0 0:00:00 400 0 239 0 156 0 6 11 26 2 smss.exe
qgrep
qgrep actually understands a few regular expressions:
WINXP# tasklist | qgrep -v "K$" Image Name PID Session Name Session# Mem Usage ========================= ====== ================ ======== ============ WINXP# tasklist | qgrep "^s" smss.exe 424 Console 0 400 K services.exe 556 Console 0 5,428 K svchost.exe 772 Console 0 5,600 K svchost.exe 816 Console 0 4,248 K svchost.exe 932 Console 0 3,932 K svchost.exe 948 Console 0 3,168 K svchost.exe 980 Console 0 28,656 K sched.exe 1036 Console 0 768 K
qwinsta, rwinsta
How to query (and terminate) RDP sessions:
$ qwinsta
SESSIONNAME USERNAME ID STATE TYPE DEVICE
console 0 Conn wdcon
rdp-tcp 65536 Listen rdpwd
>rdp-tcp#3 Administrator 1 Active rdpwd
bob 2 Disc rdpwd
$ rwinsta 2
tasklist
$ tasklist /fi "memusage gt 8192" Image Name PID Session Name Session# Mem Usage ========================= ====== ================ ======== ============ winlogon.exe 512 Console 0 10,140 K svchost.exe 980 Console 0 28,956 K avguard.exe 1128 Console 0 8,740 K explorer.exe 1160 RDP-Tcp#3 1 8,316 K firefox.exe 3772 RDP-Tcp#3 1 54,240 K
Sometimes we want to know which program[1] occupies a certain network port. Running tasklist in a loop with netstat can emulate something like netstat -p in Linux:
@echo off
:loop
echo %time%
for /f "tokens=1-5" %%a ^
in ('netstat -ano ^| find "10.0.0.3"') ^
do echo "REMOTE %%c PID: %%e" & ^
tasklist /FO CSV /V /FI "PID eq %%e" /NH & ^
echo.
goto loop
Windows' own netstat has an option to display not only the PIDs but the program name - but it's awfully slow and it needs Administrator privileges:
$ netstat -anob Active Connections Proto Local Address Foreign Address State PID TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 748 Can not obtain ownership information TCP 10.5.13.2:1279 10.5.1.21:22 ESTABLISHED 5336 [putty.exe] [...]
taskkill
Similar to tasklist, there's taskkill to terminate processes:
$ tasklist | find "Job" JobServer.exe 16224 Services 0 90,436 K JobServerChild.exe 21796 Services 0 127,936 K JobServerChild.exe 13768 Services 0 129,164 K
$ taskkill /PID 21796 /PID 13768 /f SUCCESS: The process with PID 21796 has been terminated. SUCCESS: The process with PID 13768 has been terminated.
Directories that are safe to delete
Windows saves a lot of things to disk, never deleting them. So %SystemRoot% grows and grows and sometimes we need to free up some space, quickly:
%SystemRoot%\$NtUninstallKB*, should be a safe thing to do%SystemRoot%\ServicePackFilesshould be safe to delete too%SystemRoot%\SoftwareDistribution\Downloadcan be deleted, if necessary%SystemRoot%\$hf_mig$should NOT be deleted! (see also KB 824994)c:\MSOCACHEcan be deleted too
Screen Lock, Hibernation, Standby
To lock the screen:
rundll32.exe user32.dll,LockWorkStation
To put the system into hibernation or standby:
rundll32.exe powrprof.dll,SetSuspendState
Use Powercfg.cpl to check if hibernation is enabled: if it is, the system will go into hibernation, otherwise the system will go into standby.
One can also click on the taskbar, hit ALT+F4 and a popup window appears to choose from standby, hibernate, restart and shutdown. If hibernate is not listed, try pressing H to force hibernation.
- How To Put the System into hibernation or Standby from Run menu
- Command-line (cmd) command to lock a windows machine
- What can go wrong when you mismatch the calling convention? (calling
LockWorkStationviarundll32is discouraged)
Suspend to RAM (STR) can be possible if the hardware supports it:
- suspend to ram (blog entry)
dumppo.exe - helper tool to find out about power capabilities.
Multiple TerminalServer Sessions
This should work immediately, w/o restarting the machine:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\fSingleSessionPerUser = 0x0 (DWORD)
- How to force a single session or allow multiple Remote Desktop sessions per user
- Windows Server 2003: fSingleSessionPerUser
- Enabling More than One Remote Desktop Session on Windows XP SP3
- Enable Multiple Concurrent Remote Desktop Connections or Sessions in Windows XP
Telnet
Server
As Windows XP still came w/o a SSH server installed. Being in a trusted environment, let's use Telnet then:
- Go to
Control Panel→Program & Features→Turn Windows Features on or off - Enable "Telnet Server"
- Enable "Telnet" via
services.msc - Start "Telnet" (e.g.
net start Telnet)
Client
In some later Windows versions, even the telnet client is disabled, for whatever reasons. Here's how to enable[2] the client again in Windows 7 or Windows 8:
- Open
Control Panel→Programs and Features→Turn Windows features on or off - Enable "
Telnet Client" in "Windows Features" - Click
OK