System Date and Time
C:\WINDOWS\system32>date /t
Sun 07/31/2011
C:\WINDOWS\system32>time /t
03:06 AM
http://support.microsoft.com/kb/927229
C:\Tools>now
Sun Jul 31 03:07:22 2011
C:\Tools>
System Identifiers
C:\Tools>hostname
Bala-PC
C:\Tools>whoami
bala-pc\bala
C:\Tools>ver
Microsoft Windows [Version 6.0.6001]
C:\Tools>
If we want to know whether a particular interface is in promiscuous mode, download promiscdetect.exe from the following link and run it.
http://www.ntsecurity.nu/toolbox/promiscdetect/
System Uptime
We can see how long the system has been running by using the uptime command, available from the URL below.
http://support.microsoft.com/kb/232243
C:\Tools>uptime
\\BALA-PC has been up for: 0 day(s), 0 hour(s), 16 minute(s), 26 second(s)
http://technet.microsoft.com/en-us/sysinternals/bb897550.aspx
C:\Tools>PsInfo.exe
PsInfo v1.77 - Local and remote system information viewer
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com
System information for \\BALA-PC:
Uptime: 0 days 0 hours 18 minutes 52 seconds
Kernel version: Windows Vista
Product type: Professional
Product version: 6.0
Service pack: 1
Kernel build number: 6001
Registered organization:
Registered owner: Bala
IE version: 7.0000
System root: C:\Windows
Processors: 1
Processor speed: 1 GHz
Processor type: Intel(R) Core(TM) CPU T6600
Physical memory: 256 MB
Video driver: VirtualBox Graphics Adapter
C:\Tools>
http://www.niiconsulting.com/innovation/tools.html
C:\Tools>DumpWin.exe
DumpWin v2.00 (Windows NT/2K)
Network Intelligence India Pvt. Ltd.
http://www.nii.co.in
Arjun Pednekar (arjunp@nii.co.in)
Parameters :
-i : List installed Programs. -d : Drive Information.
-s : System Information. -m : Check for Modem Drivers.
-h : List shares present. -t : List Startup Programs.
-p : List active Processes. -v : List of Services.
-g : List Local Group Accounts -u : List User Accounts.
-l : dumpACL -n : Account Lockout Policy -a : All of above.
Dont forget to check the new releases of DumpWin.
C:\Tools>DumpWin.exe -d
DumpWin v2.00 (Windows NT/2K)
Network Intelligence India Pvt. Ltd.
http://www.nii.co.in
Arjun Pednekar (arjunp@nii.co.in)
=====================
Drive Information
=====================
Drive C:\ : Fixed
Drive D:\ : CD-ROM
Drive E:\ : Network drive
Drive Z:\ : Network drive
C:\Tools>
Identifying Users Logged into the System
We can find which users are currently logged on to the system with psloggedon.exe, which is part of the Sysinternals tool suite.
C:\Tools>PsLoggedon.exe
PsLoggedon v1.34 - See who's logged on
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
Users logged on locally:
31-07-2011 16:17:40 Bala-PC\Bala
No one is logged on via resource shares.
C:\Tools>
We can also use NetUsers to find out the last logon date of each user.
http://www.systemtools.com/free.htm
We can also use the logonsessions.exe -p tool to see all the processes running in each logged-on session.
http://technet.microsoft.com/en-us/sysinternals/bb896769.aspx
c:\Tools>logonsessions.exe -p
Logonsesions v1.21
Copyright (C) 2004-2010 Bryce Cogswell and Mark Russinovich
Sysinternals - wwww.sysinternals.com
[0] Logon session 00000000:000003e7:
User name: WORKGROUP\BALA-PC$
Auth package: NTLM
Logon type: (none)
Session: 0
Sid: S-1-5-18
Logon time: 31-07-2011 16:17:14
Logon server:
DNS Domain:
UPN:
380: smss.exe
456: csrss.exe
500: wininit.exe
508: csrss.exe
536: winlogon.exe
576: services.exe
588: lsass.exe
596: lsm.exe
764: svchost.exe
812: VBoxService.exe
896: svchost.exe
1052: svchost.exe
1068: svchost.exe
1160: svchost.exe
1492: spoolsv.exe
1724: eEyeUpdateSvc.exe
1896: RetinaEngine.exe
2016: svchost.exe
256: SearchIndexer.exe
3676: eeyeevnt.exe
3196: WmiPrvSE.exe
[1] Logon session 00000000:000090ea:
User name:
Auth package: NTLM
Logon type: (none)
Session: 0
Sid: (none)
Logon time: 31-07-2011 16:17:15
Logon server:
DNS Domain:
UPN:
[2] Logon session 00000000:000003e4:
User name: WORKGROUP\BALA-PC$
Auth package: Negotiate
Logon type: Service
Session: 0
Sid: S-1-5-20
Logon time: 31-07-2011 16:17:16
Logon server:
DNS Domain:
UPN:
860: svchost.exe
1176: SLsvc.exe
1364: svchost.exe
1872: svchost.exe
[3] Logon session 00000000:000003e5:
User name: NT AUTHORITY\LOCAL SERVICE
Auth package: Negotiate
Logon type: Service
Session: 0
Sid: S-1-5-19
Logon time: 31-07-2011 16:17:18
Logon server:
DNS Domain:
UPN:
1024: svchost.exe
1208: svchost.exe
1516: svchost.exe
1984: svchost.exe
[4] Logon session 00000000:00015279:
User name: NT AUTHORITY\ANONYMOUS LOGON
Auth package: NTLM
Logon type: Network
Session: 0
Sid: S-1-5-7
Logon time: 31-07-2011 16:17:25
Logon server:
DNS Domain:
UPN:
[5] Logon session 00000000:0001cbb7:
User name: Bala-PC\Bala
Auth package: NTLM
Logon type: Interactive
Session: 1
Sid: S-1-5-21-2753564925-3547717165-4264054735-1000
Logon time: 31-07-2011 16:17:38
Logon server: BALA-PC
DNS Domain:
UPN:
3488: cmd.exe
1868: logonsessions.exe
[6] Logon session 00000000:0001cbcc:
User name: Bala-PC\Bala
Auth package: NTLM
Logon type: Interactive
Session: 0
Sid: S-1-5-21-2753564925-3547717165-4264054735-1000
Logon time: 31-07-2011 16:17:38
Logon server: BALA-PC
DNS Domain:
UPN:
2336: taskeng.exe
2480: dwm.exe
2516: explorer.exe
2592: MSASCui.exe
2600: VBoxTray.exe
2620: sidebar.exe
2820: cmd.exe
2704: wuauclt.exe
1572: wsqmcons.exe
[7] Logon session 00000000:00038117:
User name: Bala-PC\IUSER_RETINA
Auth package: NTLM
Logon type: Interactive
Session: 0
Sid: S-1-5-21-2753564925-3547717165-4264054735-1001
Logon time: 31-07-2011 16:19:02
Logon server: BALA-PC
DNS Domain:
UPN:
c:\Tools>
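As an added example (not code from the original post or from Sysinternals), a small Python parser for the logonsessions -p output format shown above. It turns each session into a record and gives the two views a responder usually wants from this output: the users holding an Interactive logon, to cross-check against the PsLoggedon listing, and the processes running under each user. The sample text is constructed, abridged from the output above.

```python
import re

# Constructed sample, abridged, in the logonsessions -p output format shown above
SAMPLE = """\
[0] Logon session 00000000:000003e7:
    User name:    WORKGROUP\\BALA-PC$
    Logon type:   (none)
    Sid:          S-1-5-18
    Logon time:   31-07-2011 16:17:14
      588: lsass.exe
[4] Logon session 00000000:00015279:
    User name:    NT AUTHORITY\\ANONYMOUS LOGON
    Logon type:   Network
    Logon time:   31-07-2011 16:17:25
[5] Logon session 00000000:0001cbb7:
    User name:    Bala-PC\\Bala
    Logon type:   Interactive
    Sid:          S-1-5-21-2753564925-3547717165-4264054735-1000
    Logon time:   31-07-2011 16:17:38
     3488: cmd.exe
     1868: logonsessions.exe
"""

HEADER = re.compile(r"^\[(\d+)\] Logon session ([0-9a-fA-F]+:[0-9a-fA-F]+):$")
PROC = re.compile(r"^\s+(\d+):\s+(\S+)$")          # "  pid: image.exe" lines
FIELD = re.compile(r"^\s+([A-Za-z ]+?):\s*(.*)$")  # "  Label:  value" lines

def parse_logonsessions(text):
    """One dict per session: fields keyed by lowercased label, plus 'processes' as (pid, image)."""
    sessions = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            sessions.append({"index": int(m[1]), "luid": m[2], "processes": []})
        elif not sessions or not line.strip():
            continue  # banner or blank lines before/between sessions
        elif m := PROC.match(line):
            sessions[-1]["processes"].append((int(m[1]), m[2]))
        elif m := FIELD.match(line):
            sessions[-1][m[1].strip().lower()] = m[2].strip()
    return sessions

def interactive_users(sessions):
    """Users holding an Interactive logon: the list to cross-check against PsLoggedon."""
    return sorted({s.get("user name", "") for s in sessions if s.get("logon type") == "Interactive"})

def processes_by_user(sessions):
    """Map each user name to the (pid, image) pairs running in that user's sessions."""
    out = {}
    for s in sessions:
        out.setdefault(s.get("user name", ""), []).extend(s["processes"])
    return out
```

Feed it the saved output of `logonsessions.exe -p` (the same format as above) to get the records; a user that appears in interactive_users but not in the PsLoggedon listing is worth a second look.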