Windows is an [[Betriebssystem|operating system]] developed by [[Microsoft]], aimed specifically at desktop PCs, notebooks and laptops.

===== WMI =====

See [[WMI]], [[WMIC]], [[CIM]].

==== MSI packages ====

<code powershell>
# Packages installed via MSI
Get-WMIObject -Class Win32_Product
</code>

Note that querying Win32_Product is slow and makes Windows Installer run a consistency check on every registered package (which can trigger repairs); for a plain inventory the Uninstall registry keys below are cheaper. Sample output for one package:

<code>
PSComputerName : VIE-NB-GBI016
Name : Python 3.12.9 Executables (64-bit)
Version : 3.12.9150.0
InstallState : 5
__GENUS : 2
__CLASS : Win32_Product
__SUPERCLASS : CIM_Product
__DYNASTY : CIM_Product
__RELPATH : Win32_Product.IdentifyingNumber="{8F708501-AF68-42E7-8A6E-D239CA6DA1A8}",Name="Python 3.12.9 Executables (64-bit)",Version="3.12.9150.0"
__PROPERTY_COUNT : 27
__DERIVATION : {CIM_Product}
__SERVER : VIE-NB-GBI016
__NAMESPACE : root\cimv2
__PATH : \\VIE-NB-GBI016\root\cimv2:Win32_Product.IdentifyingNumber="{8F708501-AF68-42E7-8A6E-D239CA6DA1A8}",Name="Python 3.12.9 Executables (64-bit)",Version="3.12.9150.0"
AssignmentType : 0
Caption : Python 3.12.9 Executables (64-bit)
Description : Python 3.12.9 Executables (64-bit)
HelpLink :
HelpTelephone :
IdentifyingNumber : {8F708501-AF68-42E7-8A6E-D239CA6DA1A8}
InstallDate : 20250309
InstallDate2 :
InstallLocation :
InstallSource : C:\Users\admin\AppData\Local\Package Cache\{8F708501-AF68-42E7-8A6E-D239CA6DA1A8}v3.12.9150.0\
Language : 1033
LocalPackage : C:\WINDOWS\Installer\30dc9ec0.msi
PackageCache : C:\WINDOWS\Installer\30dc9ec0.msi
PackageCode : {682163C2-28D3-44AB-89CD-BD21EA3B274A}
PackageName : exe.msi
ProductID :
RegCompany :
RegOwner :
SKUNumber :
Transforms :
URLInfoAbout :
URLUpdateInfo :
Vendor : Python Software Foundation
WordCount : 0
Scope : System.Management.ManagementScope
Path : \\VIE-NB-GBI016\root\cimv2:Win32_Product.IdentifyingNumber="{8F708501-AF68-42E7-8A6E-D239CA6DA1A8}",Name="Python 3.12.9 Executables (64-bit)",Version="3.12.9150.0"
Options : System.Management.ObjectGetOptions
ClassPath : \\VIE-NB-GBI016\root\cimv2:Win32_Product
Properties : {AssignmentType, Caption, Description, HelpLink...}
SystemProperties : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers : {dynamic, Locale, provider, UUID}
Site :
Container :
</code>

==== Winget ====

<code powershell>
# Packages installed via winget? (requires the Microsoft.WinGet.Client module)
Get-WingetPackage
</code>

<code>
InstalledVersion : 10.0.60828
Name : Microsoft Visual Studio 2010 Tools for Office Runtime
Id : Microsoft.VSTOR
IsUpdateAvailable : True
Source : winget
AvailableVersions : {10.0.60917, 10.0.60912, 10.0.60828}
</code>

==== 64-bit programs ====

<code powershell>
# 64-bit uninstallers (the output below was captured without the select)
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | select DisplayName,UninstallString
</code>

<code>
DisplayName : LM Studio 0.3.9
UninstallString : "C:\Program Files\LM Studio\Uninstall LM Studio.exe" /allusers
QuietUninstallString : "C:\Program Files\LM Studio\Uninstall LM Studio.exe" /allusers /S
DisplayVersion : 0.3.9
DisplayIcon : C:\Program Files\LM Studio\LM Studio.exe,0
Publisher : LM Studio
NoModify : 1
NoRepair : 1
EstimatedSize : 1374783
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c6dbe996-22a9-5998-b542-7abe33da3b83
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
PSChildName : c6dbe996-22a9-5998-b542-7abe33da3b83
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
</code>

==== 32-bit programs ====

<code powershell>
# 32-bit uninstallers (WOW6432Node; the output below was captured without the select)
Get-ItemProperty HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | select DisplayName,UninstallString
</code>

<code>
DisplayName : Visual Studio Community 2022
InstallDate : 20240525
InstallLocation : C:\Program Files\Microsoft Visual Studio\2022\Community
DisplayVersion : 17.13.1
Publisher : Microsoft Corporation
DisplayIcon : C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe
UninstallString : "C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe" uninstall --installPath "C:\Program Files\Microsoft Visual Studio\2022\Community"
ModifyPath : "C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe" modify --installPath "C:\Program Files\Microsoft Visual Studio\2022\Community"
RepairPath : "C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe" repair --installPath "C:\Program Files\Microsoft Visual Studio\2022\Community"
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\374cbfa0
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
PSChildName : 374cbfa0
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
</code>

==== Network Adapter ====

<code powershell>
Get-WMIObject -Class Win32_NetworkAdapter
</code>

<code>
PSComputerName : VIE-NB-GBI016
Availability : 3
Name : Microsoft Kernel Debug Network Adapter
Status :
StatusInfo :
DeviceID : 0
__GENUS : 2
__CLASS : Win32_NetworkAdapter
__SUPERCLASS : CIM_NetworkAdapter
__DYNASTY : CIM_ManagedSystemElement
__RELPATH : Win32_NetworkAdapter.DeviceID="0"
__PROPERTY_COUNT : 40
__DERIVATION : {CIM_NetworkAdapter, CIM_LogicalDevice, CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER : VIE-NB-GBI016
__NAMESPACE : root\cimv2
__PATH : \\VIE-NB-GBI016\root\cimv2:Win32_NetworkAdapter.DeviceID="0"
AdapterType :
AdapterTypeId :
AutoSense :
Caption : [00000000] Microsoft Kernel Debug Network Adapter
ConfigManagerErrorCode : 0
ConfigManagerUserConfig : False
CreationClassName : Win32_NetworkAdapter
Description : Microsoft Kernel Debug Network Adapter
ErrorCleared :
ErrorDescription :
GUID :
Index : 0
InstallDate :
Installed : True
InterfaceIndex : 17
LastErrorCode :
MACAddress :
Manufacturer : Microsoft
MaxNumberControlled : 0
MaxSpeed :
NetConnectionID :
NetConnectionStatus :
NetEnabled :
NetworkAddresses :
PermanentAddress :
PhysicalAdapter : False
PNPDeviceID : ROOT\KDNIC\0000
PowerManagementCapabilities :
PowerManagementSupported : False
ProductName : Microsoft Kernel Debug Network Adapter
ServiceName : kdnic
Speed :
SystemCreationClassName : Win32_ComputerSystem
SystemName : VIE-NB-GBI016
TimeOfLastReset : 20250314082916.500000+060
Scope : System.Management.ManagementScope
Path : \\VIE-NB-GBI016\root\cimv2:Win32_NetworkAdapter.DeviceID="0"
Options : System.Management.ObjectGetOptions
ClassPath : \\VIE-NB-GBI016\root\cimv2:Win32_NetworkAdapter
Properties : {AdapterType, AdapterTypeId, AutoSense, Availability...}
SystemProperties : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers : {dynamic, Locale, provider, UUID}
Site :
Container :
</code>

==== Network Adapter Configuration ====

<code powershell>
Get-WMIObject -Class Win32_NetworkAdapterConfiguration
</code>

<code>
PSComputerName : VIE-NB-GBI016
DHCPLeaseExpires :
Index : 0
Description : Microsoft Kernel Debug Network Adapter
DHCPEnabled : True
DHCPLeaseObtained :
DHCPServer :
DNSDomain :
DNSDomainSuffixSearchOrder :
DNSEnabledForWINSResolution :
DNSHostName :
DNSServerSearchOrder :
DomainDNSRegistrationEnabled :
FullDNSRegistrationEnabled :
IPAddress :
IPConnectionMetric :
IPEnabled : False
IPFilterSecurityEnabled :
WINSEnableLMHostsLookup :
WINSHostLookupFile :
WINSPrimaryServer :
WINSScopeID :
WINSSecondaryServer :
__GENUS : 2
__CLASS : Win32_NetworkAdapterConfiguration
__SUPERCLASS : CIM_Setting
__DYNASTY : CIM_Setting
__RELPATH : Win32_NetworkAdapterConfiguration.Index=0
__PROPERTY_COUNT : 61
__DERIVATION : {CIM_Setting}
__SERVER : VIE-NB-GBI016
__NAMESPACE : root\cimv2
__PATH : \\VIE-NB-GBI016\root\cimv2:Win32_NetworkAdapterConfiguration.Index=0
ArpAlwaysSourceRoute :
ArpUseEtherSNAP :
Caption : [00000000] Microsoft Kernel Debug Network Adapter
DatabasePath :
DeadGWDetectEnabled :
DefaultIPGateway :
DefaultTOS :
DefaultTTL :
ForwardBufferMemory :
GatewayCostMetric :
IGMPLevel :
InterfaceIndex : 17
IPPortSecurityEnabled :
IPSecPermitIPProtocols :
IPSecPermitTCPPorts :
IPSecPermitUDPPorts :
IPSubnet :
IPUseZeroBroadcast :
IPXAddress :
IPXEnabled :
IPXFrameType :
IPXMediaType :
IPXNetworkNumber :
IPXVirtualNetNumber :
KeepAliveInterval :
KeepAliveTime :
MACAddress :
MTU :
NumForwardPackets :
PMTUBHDetectEnabled :
PMTUDiscoveryEnabled :
ServiceName : kdnic
SettingID : {71E995E6-3E53-4F28-A5FD-44BEF6478D8B}
TcpipNetbiosOptions :
TcpMaxConnectRetransmissions :
TcpMaxDataRetransmissions :
TcpNumConnections :
TcpUseRFC1122UrgentPointer :
TcpWindowSize :
Scope : System.Management.ManagementScope
Path : \\VIE-NB-GBI016\root\cimv2:Win32_NetworkAdapterConfiguration.Index=0
Options : System.Management.ObjectGetOptions
ClassPath : \\VIE-NB-GBI016\root\cimv2:Win32_NetworkAdapterConfiguration
Properties : {ArpAlwaysSourceRoute, ArpUseEtherSNAP, Caption, DatabasePath...}
SystemProperties : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers : {dynamic, Locale, provider, UUID}
Site :
Container :
</code>

Miscellaneous commands (cmd unless prefixed with ps>):

<code>
:: reboot into the firmware (BIOS/UEFI) setup
shutdown /r /fw /t 1
winget
net group                              :: show domain groups (on a DC)
net localgroup                         :: show local groups
net localgroup <group>                 :: list group members
net user <user>                        :: show user info
whoami
whoami /groups
whoami /priv
net user <user> <password>             :: set a new password
net user <user> *                      :: set the password interactively
dsquery user -limit 1000
dsquery user -upn max.mustermann@domain.local
dsget user "CN=Max Mustermann,DC=domain,DC=local"
dsquery user -upn manuel.zarat@akm.at | dsget user -memberof
:: show sessions
query session [/SERVER:<server>]
qwinsta [/SERVER:<server>]
:: end a session
reset session <id> [/SERVER:<server>]
rwinsta <id> [/SERVER:<server>]
shutdown -s -t 3600                    :: timer: shut down in 3600 s
shutdown -a                            :: cancel the timer
dir /s /b c:\* | findstr /i "test"     :: find files and folders containing "test"
ps> iwr -Uri http://google.com -UseBasicParsing
:: installed patches
wmic qfe get Caption,Description,HotFixID,InstalledOn
:: running services
cmd> net start
ps> Get-CimInstance -ClassName win32_service | Select Name,State,PathName,StartName,StartMode | Where-Object {$_.State -like 'Running'}
ps> Get-CimInstance -ClassName Win32_Service -Filter "Name='mysql'" | Select-Object StartMode
ps> Restart-Computer -WhatIf           # dry run
</code>

===== Event-Log =====

[[https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor|Important IDs - Microsoft Docs]], [[https://graylog.org/post/critical-windows-event-ids-to-monitor/|Important IDs to monitor - Graylog]]

<code powershell>
# Credential validation events: 4774 account mapped for logon, 4775 account could not be mapped,
# 4776 NTLM credential validation attempted, 4777 credential validation failed
Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4777 -or $_.Id -eq 4776 -or $_.Id -eq 4775 -or $_.Id -eq 4774}
</code>

===== Keyboard shortcuts =====

* Windows-E: open Explorer
* Ctrl-Windows-1: open the program pinned to the taskbar (number = position in the taskbar)
* Ctrl-Windows-D: new virtual desktop
* Windows-Arrow key: split the screen
* Ctrl-Windows-Arrow key: switch between virtual desktops
* Windows-M: minimise all windows
* Windows-Shift-S: screenshot of a selected region
* Windows-G: screen recording
* Windows-.: emojis, GIFs etc.

===== Clipboard =====

Anything copied with Ctrl-C goes to the clipboard and can be pasted with Ctrl-V; Windows-V shows the clipboard history.

===== Power Management =====

<code>
powercfg
</code>

===== Invoker =====

When an installer demands admin rights, the RunAsInvoker compatibility layer starts it with the current user's token instead (it grants no rights the user lacks; the installer may still fail later if it really needs them):

<code>
set __COMPAT_LAYER=RunAsInvoker
start steamsetup.exe
</code>

===== ContextMenu =====

Add a context-menu entry that opens the current folder in cmd:

<code>
regedit
Computer\HKEY_CLASSES_ROOT\Directory\Background\shell
  add key <MenuName>
    add key "command"
      set its (default) value to "cmd.exe ."
</code>
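The same keys that receive the entries in this section (Directory\Background\shell and the * class shell key, in both HKLM and HKCU) are also where unexpected verbs turn up, since HKCR is only a merged view and the HKCU half is writable without admin rights. The following read-only audit is an added example, not code from the original page: it lists every registered verb with a plain command, resolves the executable and flags commands that point outside the Windows and Program Files directories or to a file that no longer exists. The set of trusted roots and the HKCU paths are my assumptions.

```powershell
# Added example (not part of the original page): audit shell context-menu verbs.
# Read-only; nothing in the registry is changed.

# HKCR merges HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes (the per-user hive wins
# on conflict and needs no admin rights), so both hives are listed explicitly.
$shellKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Background\shell',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell',
    'Registry::HKEY_CURRENT_USER\SOFTWARE\Classes\Directory\Background\shell',
    'Registry::HKEY_CURRENT_USER\SOFTWARE\Classes\Directory\shell',
    'Registry::HKEY_CURRENT_USER\SOFTWARE\Classes\*\shell'
)

# Assumption: directories a context-menu command is normally expected to run from.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-CommandExecutable {
    param([string]$CommandLine)
    # First token of the command line: a quoted path or a run of non-space characters.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^\s*(?:"([^"]+)"|(\S+))') {
        $exe = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        # A bare name such as cmd.exe is resolved through PATH, as the shell would do.
        if (-not [IO.Path]::IsPathRooted($exe)) {
            $resolved = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1
            if ($resolved) { $exe = $resolved.Source }
        }
        return $exe
    }
    return $null
}

function Get-ShellVerbAudit {
    foreach ($root in $shellKeys) {
        # -LiteralPath: the '*' class key must not be expanded as a wildcard.
        $verbs = Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue
        foreach ($verb in $verbs) {
            $cmdKey = Join-Path -Path $verb.PSPath -ChildPath 'command'
            $cmd = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if (-not $cmd) { continue }   # COM/DelegateExecute handlers carry no plain command
            $exe = Get-CommandExecutable $cmd
            $trusted = $false
            foreach ($r in $trustedRoots) {
                if ($exe -and $exe.StartsWith($r, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
            }
            [pscustomobject]@{
                Hive       = if ($root -like '*HKEY_CURRENT_USER*') { 'HKCU' } else { 'HKLM' }
                Class      = ($root -split '\\Classes\\')[1]
                Verb       = $verb.PSChildName
                Command    = $cmd
                Executable = $exe
                Exists     = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
                TrustedDir = $trusted
            }
        }
    }
}

# Report only the verbs worth a second look.
Get-ShellVerbAudit | Where-Object { -not $_.TrustedDir -or -not $_.Exists } |
    Format-Table Hive, Class, Verb, Executable, Exists, TrustedDir -AutoSize
```

Run it in a normal user session first: anything reported under HKCU was added without elevation, which is the half of the merged HKCR view that a per-user installer or a user-level persistence mechanism can reach. Drop the Where-Object filter to see the full inventory.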
Add a context-menu entry that opens files with a specific program (HKEY_CLASSES_ROOT\*\shell is the merged view of HKLM\SOFTWARE\Classes\*\shell):

<code>
regedit
Computer\HKEY_CLASSES_ROOT\*\shell
  add key <MenuName>
    add key "command"
      set its (default) value to "program.exe %1"
</code>

===== Commands =====

<code>
winget [install|uninstall] --id <id>
set [var=value]
findstr [/s] [/r] "Manuel" *.txt
findstr /irc:"Hello" *.txt | findstr /irc:"World"   :: lines containing both words
more
attrib
cacls <file> /e /p <user>:<[R]ead|[W]rite|[F]ull>  :: deprecated, use icacls
subst <drive>: <path>                  :: mount a folder as a drive
subst <drive>: /d                      :: delete the mapping
fc <file1> <file2>                     :: file compare
tasklist
taskkill [/IM <image> | /PID <pid>] [/f]
query [process|user|session]           :: server only
logoff
net user
net share [<name>=<path>] [/delete]
net use x: \\<server>\<share>
wmic netuse                            :: info about shares
net localgroup <group> <user> /<add|delete>
openfiles [/local on]
robocopy c:\documents d:\backup\documents /copyall /e /r:0 /dcopy:t /mir   :: sync (mirror) directories
dir file.xxx > output.msg [2>output.err|2>&1]
mode con:cols=140 lines=70
nslookup -type=mx zarat.ml
certutil -hashfile file.txt
where <cmd>                            :: like which
(Get-Command <cmd>).Path               # like which, in PowerShell
doskey ls=dir                          :: alias
wmic qfe [get|list]                    :: show updates and patches
wusa /uninstall /kb:<number>           :: uninstall an update
wmic product get name                  :: list installed programs
wmic product where name="<name>" call uninstall   :: uninstall a program
</code>

See also: [[netsh|netsh]], [[linux|Linux]]

<code>
for /f "tokens=1-2 delims= " %a in (test.txt) DO @echo %a %b   :: like cut
cat "file.txt" | %{$_ -replace "original", "replacement"} > newfile.txt   # like sed (PowerShell)

:: cmd piping
dir 2> err.txt
dir > out.txt 2> err.txt
dir 1> out.txt 2>&1                    :: redirect stderr to stdout
</code>

Windows Explorer context menu: [[https://stackoverflow.com/questions/20449316/how-add-context-menu-item-to-windows-explorer-for-folders]]

[[https://ss64.com/nt/|CMD A-Z]]

==== Piping ====

Standard handles:

* STDIN = 0, keyboard input
* STDOUT = 1, text output
* STDERR = 2, error text output

^ Command ^ Effect ^
| command 2> filename | Redirect any error message into a file |
| command 2>> filename | Append any error message into a file |
| (command) 2> filename | Redirect any CMD.exe error into a file |
| command > file 2>&1 | Redirect errors and output to one file |
| command > fileA 2> fileB | Redirect output and errors to separate files |
| command 2>&1 > filename | This will fail: redirections are applied left to right, so stderr is duplicated onto the console before stdout is sent to the file and the errors stay on screen |

===== Firewall =====

See [[netsh|netsh]].

===== Password reset with installer disk =====

Restart the PC with the installer medium inserted (USB, image, ...). Once the setup begins, hit Shift+F10 to bring up a shell.

<code>
move c:\windows\system32\utilman.exe c:\windows\system32\utilman.exe.bak
copy c:\windows\system32\cmd.exe c:\windows\system32\utilman.exe
</code>

Reboot. Back at the login screen, click the Utility Manager, which now spawns a shell. Add a new user and add it to the local administrators group:

<code>
net user <user> <password> /add
net localgroup administrators <user> /add
</code>

After a reboot you can log in using the new user.

===== Domain join =====

In the adapter options of the interface, change the DNS server to the IP of the [[Active Directory]] DC. Then: System information -> Change settings -> Join domain.

===== Driver =====

[[https://www.youtube.com/watch?v=GTrekHE8A00]]

===== Downloads =====

{{kms_portable.zip|KMSPico}} (https://github.com/zarat/KMSpico_v10.2.0)

===== NTFS =====

See [[Dateisystem|file system]] or [[NTFS]], [[NTFSSecurity]].

===== SAM Database =====

The SAM database is located at C:\Windows\System32\config\SAM. If it is in use by another process, extract the data instead:

<code>
reg save hklm\sam C:\tmp\sam.save
reg save hklm\security C:\tmp\security.save
reg save hklm\system C:\tmp\system.save
</code>

The hashes can be extracted with [[samdump2]]:
<code>
samdump2 system.save sam.save
</code>

Or with [[creddump7]]:

<code>
cd /usr/share/creddump7
python pwdump.py system.save sam.save
</code>

See also [[Mimikatz]].

===== RDP =====

<code powershell>
$thumbprint = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*server1.dom.local*"}).Thumbprint

# set the string value
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "SSLCertSHA1Hash" -Value $thumbprint

# On older Windows versions and on client systems the binary value has to be created as well
# set the binary value
$binThumbprint = ($thumbprint -replace ' ', '') -split '(..)' | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) }
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "SSLCertificateSHA1Hash" -Value ([byte[]]$binThumbprint)

Restart-Service TermService -Force
</code>

===== Links =====

* [[https://ss64.com/nt/|ss64.com]]
* [[https://www.youtube.com/watch?v=4WBuJv1pNtQ|Server Core as a second domain controller]]
* [[https://www.youtube.com/watch?v=f8jGhLwCa28|Windows Domain Controller Pentest Tutorial]]
* [[https://woshub.com/pswindowsupdate-module/|Update Management]]
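After binding the certificate as in the RDP section above, it is worth reading back what the RDP-Tcp listener actually reports rather than trusting that Set-ItemProperty took effect. The following check is an added example, not code from the original page: it queries the Win32_TSGeneralSetting CIM class (namespace root\cimv2\TerminalServices), converts the REG_BINARY value written above back into a hex thumbprint, looks the bound certificate up in the machine stores and reports whether it matches the expected host name, is self-signed or close to expiry, and whether Network Level Authentication is enforced. The host name server1.dom.local is the one the page uses; the checks and thresholds are my assumptions.

```powershell
# Added example (not part of the original page): verify the RDP listener configuration.
# Read-only; run from an elevated session, since the TerminalServices namespace requires it.

$ExpectedHostName = 'server1.dom.local'   # same name the page's Where-Object filter uses

function Get-RdpListenerStatus {
    param([string]$ExpectedHostName)

    # What the Remote Desktop service itself reports for the RDP-Tcp listener.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
            -Filter "TerminalName='RDP-Tcp'"

    # The REG_BINARY value from the section above, converted back into a hex thumbprint.
    $regPath  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $regBytes = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).SSLCertificateSHA1Hash
    $regThumb = if ($regBytes) { ($regBytes | ForEach-Object { $_.ToString('X2') }) -join '' } else { $null }

    # Locate the bound certificate: either the one installed into My or the auto-generated
    # self-signed one in the 'Remote Desktop' store.
    $cert = Get-ChildItem Cert:\LocalMachine\My, 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash } | Select-Object -First 1

    [pscustomobject]@{
        BoundThumbprint    = $ts.SSLCertificateSHA1Hash
        RegistryMatches    = ($regThumb -eq $ts.SSLCertificateSHA1Hash)
        CertFound          = [bool]$cert
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        SelfSigned         = [bool]($cert -and $cert.Subject -eq $cert.Issuer)
        SubjectMatches     = [bool]($cert -and $cert.Subject -like "*$ExpectedHostName*")
        DaysUntilExpiry    = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays } else { $null }
        # UserAuthenticationRequired 1 = Network Level Authentication (CredSSP before a session exists)
        NlaRequired        = ($ts.UserAuthenticationRequired -eq 1)
        # SecurityLayer 0 = RDP security layer, 1 = negotiate, 2 = TLS only
        SecurityLayer      = $ts.SecurityLayer
        # MinEncryptionLevel 1 = Low, 2 = Client compatible, 3 = High, 4 = FIPS
        MinEncryptionLevel = $ts.MinEncryptionLevel
    }
}

$status = Get-RdpListenerStatus -ExpectedHostName $ExpectedHostName
$status | Format-List

# Findings that call for action: wrong or missing certificate, self-signed certificate,
# certificate about to expire, or NLA switched off.
if (-not $status.CertFound -or -not $status.SubjectMatches) {
    Write-Warning 'RDP listener is not bound to the expected certificate.'
}
if ($status.SelfSigned) { Write-Warning 'RDP listener still uses a self-signed certificate.' }
if ($null -ne $status.DaysUntilExpiry -and $status.DaysUntilExpiry -lt 30) {
    Write-Warning "Certificate expires in $($status.DaysUntilExpiry) days."
}
if (-not $status.NlaRequired) { Write-Warning 'Network Level Authentication is not enforced.' }
```

RegistryMatches being false while BoundThumbprint is correct usually means the service picked the value up from the string setting only; a false on both after Restart-Service TermService indicates the listener fell back to its self-signed certificate, which the SelfSigned field then confirms.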