Windows Utilities and Tips
(saved from my Powerpoint presentation, 2007)
I. Windows's own tools
cmd: Use dark color text on light color background. Easier to read than reverse color.
control: fast way to launch Control Panel
dir /s: search recursively; dir /od: look for latest files.
fc: file compare, like UNIX diff
net use: show mapped network shares in DOS so it's easy to copy correctly
net share: show your own shares
net view [\\]remotecomputer: show remote computer's shares
net statistics {workstation|server}: show uptime
netstat -ano: map ports to process IDs
sc query state= all | grep -i somestring: if you forget the service name (for grep, see Third Party Tools)
start /b: starts a program in background, like & appended to a UNIX command
taskkill /pid 1234: e.g., wscntfy.exe can be killed without being restarted as taskmgr or tskill would
tasklist /svc 2>&1 | grep -i somestring
tasklist /fi "pid eq 1234"
taskmgr: The fastest way to launch is Shift-Ctrl-Esc.
tskill 1234
title "Windows Title"
II. Third Party Tools (tools from unxutils.sourceforge.net not shown as hypertext)
cksum
depends: very useful, like ldd on UNIX
df
diff: better than Windows fc
err: e.g., err 80010012 (Ref: support.microsoft.com/kb/186063); those 800xxxxx errors are from Windows DDK WinErr.h but can be checked with this err.exe utility; unofficial updated version
find: Windows's find can't accept input from stdin or | (but findstr can)
fmt and fold: `fmt -sw80 longlinefile.txt > shortlinefile.txt'
gawk
grep: easier to use than findstr
gzip and gunzip
handle -a > tmp.txt: like UNIX fuser and lsof
head
tail: I use `tail -f' and `dir/od|tail' a lot
pdftotext: To check for a string in all PDF files in the current folder, `for %i in (*.pdf) do pdftotext "%i" - 2>nul: | grep -l -i "searchstring"'.
periscope: `periscope %oracle_home%\bin\oracle.exe'; check for "2 Gb" and find what DLL a symbol is imported
from
psexec: `psexec -s -i -d taskmgr' to lower priority of service processes started by SYSTEM, such as those for virus scan; verify a LOCAL SYSTEM account can/cannot do something as service does
regfind: -y is case-insensitive search, much faster than search in regedt32 or regedit
sleep
sort: sort on a field, Windows's sort can only sort on a specific column, which is useless
split
strings
which and Yong's own which.bat
XNResourceEditor: check and possibly modify "resources" in the binary, such as images
clearmem, empty: trim working set (Mem Usage in Task Manager); IE or Opera does this automatically when minimized but Firefox does not
Third party tools explained in details
filemon: Add a filter to check for, e.g., where tnsnames.ora is read from
procexp: I can't imagine you can live without this extremely useful tool! too much to cover here
sigcheck: essential tool to check authenticity of a binary, also useful as a quick way to find the description of the binary
tcpview: map processes to ports even on pre-XP Windows; watch for suspicious network connections (Why does Google Desktop Search connect to their unpublished servers, etc?)
tlist: `tlist -t', `tlist 1234 | head' to quick check full path of the process executable
strace (Set registry value as instructed; no need to reboot; when done, delete the value)
C:\>strace -p 1234
For Windows XP, the registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection
must be set to 0 (type REG_DWORD) for strace to work.
Please read the included documentation to determine whether you want to disable write protection, and, if so, set the value appropriately and
reboot.
III. Yong's Tools
pstats.hta: must run from where this script resides
topio.pl: need modify path of pio in it; `perl topio.pl -n4 -s3'
IV. Malware ("rogue software") Check
Regular check:
cd /d c:\windows\system32
dir/od | tail (see if there's anything new)
sigcheck -q suspect.exe (check for signature and description)
XNResourceEditor suspect.exe
notepad suspect.exe (any readable text?)
Google search, especially add "site:microsoft.com", "site:liutilities.com" as search string, and google.com/microsoft.html
Be familiar with common processes in Task Manager
Be alert to your system load spike. Check top-CPU processes regularly and check for unknown connections in TCPView.
Malware fix:
`notepad badfile.exe' and save it as a 0-byte size same-name file
`regfind 3721' and `regfind -y cns', delete all related entries (take the infamous CNS 3721 malware as an example)
Links
sysinternals.com unxutils.sourceforge.net Debugging Tools for Windows Windows Server 2003 Resource Kit (works for XP too) Google Microsoft Search Running process environment Windows topio Windows process stats Tracing oracle.exec process UWin Cygwin MKS Software C Shell for Windows No experience: 4NT Microsoft Powershell
To my Miscellaneous Page