windows_cmd_config.md

Windows CMD Config Commands

Commands that display information about the configuration of the target host. They are usually run from a cmd.exe prompt (command.com on 16-bit Windows); unless a section says otherwise they need no special privileges, and the ones that do are marked.

Misc

c:\windows\system32\gathernetworkinfo.vbs

  • Command: cscript c:\windows\system32\gathernetworkinfo.vbs
  • Command with arguments: NA
  • Description: Script shipped with Windows 7 and later. It collects network and system configuration data and writes the results as files under c:\windows\system32\config, so it has to be run from an elevated prompt. Start it with cscript; running the .vbs directly hands it to the default script host (wscript).
  • Output:
    • NA

echo

  • Command: echo
  • Command with arguments: echo %COMSPEC%
  • Description: Determine the location of the command line interpreter such as cmd.exe. COMSPEC is also what many programs use to spawn a shell, so a value that does not point into %SystemRoot%\system32 is worth a closer look.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>echo %COMSPEC%
      C:\Windows\system32\cmd.exe

fsutil

  • Command: fsutil
  • Command with arguments: fsutil fsinfo drives
  • Description: Must be run from an elevated (administrator) prompt. Lists the current drive letters on the system.
  • Output:
    • **Windows 2008:**
      C:\Windows\system32>fsutil fsinfo drives

      Drives: A:\ C:\ D:\

gpresult

  • Command: gpresult
  • Command with arguments: gpresult /z
  • Description: Extremely verbose output of GPO (Group Policy) settings as applied to the current system and user: which GPOs applied or were filtered out, the user's group memberships and privileges, and the resultant settings. Only the user side is shown to a non-elevated user (as in the example below); computer settings need local admin rights.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>gpresult /z

      Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
      Copyright (C) Microsoft Corp. 1981-2001

      Created On 10/15/2013 at 7:02:05 PM


      RSOP data for LAB\johndoe on WIN-0P19ULL2NB6 : Logging Mode
      ------------------------------------------------------------

      OS Configuration: Primary Domain Controller
      OS Version: 6.0.6002
      Site Name: N/A
      Roaming Profile: N/A
      Local Profile: C:\Users\johndoe
      Connected over a slow link?: No


      USER SETTINGS
      --------------
      CN=johndoe,CN=Users,DC=lab,DC=sky,DC=net
      Last time Group Policy was applied: 10/12/2013 at 6:20:23 PM
      Group Policy was applied from: WIN-0P19ULL2NB6.lab.sky.net
      Group Policy slow link threshold: 500 kbps
      Domain Name: LAB
      Domain Type: Windows 2000

      Applied Group Policy Objects
      -----------------------------
      N/A

      The following GPOs were not applied because they were filtered out
      -------------------------------------------------------------------
      Local Group Policy
      Filtering: Not Applied (Empty)

      Default Domain Policy
      Filtering: Not Applied (Empty)

      The user is a part of the following security groups
      ---------------------------------------------------
      Domain Users
      Everyone
      BUILTIN\Users
      BUILTIN\Administrators
      BUILTIN\Pre-Windows 2000 Compatible Access
      NT AUTHORITY\INTERACTIVE
      NT AUTHORITY\Authenticated Users
      This Organization
      LOCAL
      High Mandatory Level

      The user has the following security privileges
      ----------------------------------------------


      Resultant Set Of Policies for User
      -----------------------------------

set

  • Command: set
  • Command with arguments: NA
  • Description: Shows all current environment variables. Specific ones to look for are USERDOMAIN, USERNAME, USERPROFILE, HOMEPATH, LOGONSERVER, COMPUTERNAME, APPDATA and ALLUSERSPROFILE; LOGONSERVER names the domain controller that authenticated this logon, and Path shows which directories will be searched for unqualified program names.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>set
      ALLUSERSPROFILE=C:\ProgramData
      APPDATA=C:\Users\johndoe\AppData\Roaming
      CommonProgramFiles=C:\Program Files\Common Files
      COMPUTERNAME=WIN-0P19ULL2NB6
      ComSpec=C:\Windows\system32\cmd.exe
      DFSTRACINGON=FALSE
      FP_NO_HOST_CHECK=NO
      HOMEDRIVE=C:
      HOMEPATH=\Users\johndoe
      LOCALAPPDATA=C:\Users\johndoe\AppData\Local
      LOGONSERVER=\\WIN-0P19ULL2NB6
      OS=Windows_NT
      Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem
      PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
      PROCESSOR_ARCHITECTURE=x86
      PROCESSOR_IDENTIFIER=x86 Family 6 Model 42 Stepping 7, GenuineIntel
      PROCESSOR_LEVEL=6
      PROCESSOR_REVISION=2a07
      ProgramData=C:\ProgramData
      ProgramFiles=C:\Program Files
      PROMPT=$P$G
      PUBLIC=C:\Users\Public
      SESSIONNAME=Console
      SystemDrive=C:
      SystemRoot=C:\Windows
      TEMP=C:\Users\johndoe\AppData\Local\Temp\1
      TMP=C:\Users\johndoe\AppData\Local\Temp\1
      TRACE_FORMAT_SEARCH_PATH=\\winseqfe\release\Windows6.0\lh_sp2rtm\6002.18005.090410-1830\x86fre\symbols.pri\TraceFormat
      USERDNSDOMAIN=LAB.SKY.NET
      USERDOMAIN=LAB
      USERNAME=johndoe
      USERPROFILE=C:\Users\johndoe
      windir=C:\Windows

whoami

  • Command: whoami
  • Command with arguments: whoami /all
  • Description: Lists information about the user you are currently logged in as: SID, group memberships, integrity level and privileges. Built in from Windows Vista/2008 onward; according to Wikipedia it can be added to Windows 2000 from the Resource Kit and is installed with the Windows XP SP2 Support Tools. Read the output with UAC in mind: in the example below BUILTIN\Administrators is marked "Group used for deny only" and the integrity level is Medium, which means the account is an administrator but this prompt holds the filtered token; the gpresult output above, taken from an elevated prompt, shows the same user at High Mandatory Level. Privileges listed as Disabled are still held by the token and can be enabled by any process that asks for them.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>whoami
      lab\johndoe

      C:\Users\johndoe>whoami/all

      USER INFORMATION
      ----------------

      User Name SID
      =========== ===========================================
      lab\johndoe S-1-5-21-60789211-843652525-1994898995-1001


      GROUP INFORMATION
      -----------------

      Group Name Type SID Attributes
      ========================================== ================ ============ ==================================================
      Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
      BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
      BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
      BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only
      NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
      NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
      NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
      LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
      Mandatory Label\Medium Mandatory Level Unknown SID type S-1-16-8192 Mandatory group, Enabled by default, Enabled group


      PRIVILEGES INFORMATION
      ----------------------

      Privilege Name Description State
      ============================= ==================================== ========
      SeShutdownPrivilege Shut down the system Disabled
      SeChangeNotifyPrivilege Bypass traverse checking Enabled
      SeUndockPrivilege Remove computer from docking station Disabled
      SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
      SeTimeZonePrivilege Change the time zone Disabled

systeminfo

  • Command: systeminfo
  • Command with arguments: NA
  • Description: Command-line utility shipped with Windows since XP. Prints a summary of the OS (name, version and build, service pack, original install date), the hardware, the domain and logon server, installed hotfixes and network adapters. The build number and hotfix list are what you compare against known privilege-escalation candidates; the domain and logon-server fields tell you whether the host is domain-joined and which DC it uses.
  • Output:
    • **Windows 2008:**
      C:\Windows\system32>systeminfo

      Host Name: ADMIN-PC
      OS Name: Microsoft Windows 2008
      OS Version: 6.1.7601 Service Pack 1 Build 7601
      OS Manufacturer: Microsoft Corporation
      OS Configuration: Standalone Workstation
      OS Build Type: Multiprocessor Free
      Registered Owner: johndoe
      Registered Organization:
      Product ID: 00426-OEM-8992662-00400
      System Type: x64-based PC
      Processor(s): 1 Processor(s) Installed.
      ...

type

  • Command: type
  • Command with arguments: type %WINDIR%\System32\drivers\etc\hosts
  • Description: Shows the contents of a file. Here it dumps the hosts file, which maps host names to IP addresses and is consulted before DNS. Any entry beyond the localhost defaults was added deliberately: it may name important internal servers, or be a redirection planted by malware (for example pointing update or security-vendor hosts at 127.0.0.1).
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>type %WINDIR%\System32\drivers\etc\hosts
      # Copyright (c) 1993-2006 Microsoft Corp.
      #
      # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
      #
      # This file contains the mappings of IP addresses to host names. Each
      # entry should be kept on an individual line. The IP address should
      # be placed in the first column followed by the corresponding host name.
      # The IP address and the host name should be separated by at least one
      # space.
      #
      # Additionally, comments (such as these) may be inserted on individual
      # lines or following the machine name denoted by a '#' symbol.
      #
      # For example:
      #
      # 102.54.94.97 rhino.acme.com # source server
      # 38.25.63.10 x.acme.com # x client host

      127.0.0.1 localhost
      ::1 localhost
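
The commands in this section are usually run one at a time; the batch script below, an added example that is not part of the original page, runs them in one pass and keeps each output as a file so the collection is repeatable and can be diffed later. OUTDIR is a name chosen for this example. It uses `net session` as the elevation test (it fails with "Access is denied" unless the process holds an unfiltered administrator token) and only then runs the admin-only commands, fsutil and the reg save of the three credential hives described further down; when the token is filtered it says so, using the "deny only" marker that whoami prints.

```batch
@echo off
setlocal
rem Added example, not part of the original page: run the enumeration commands
rem from this section once and keep every output as evidence. OUTDIR is an
rem assumed name under %TEMP%, which the current user can always write to.
rem "2>&1" keeps "Access is denied" messages: those are findings too.
set "OUTDIR=%TEMP%\triage-%COMPUTERNAME%-%RANDOM%"
mkdir "%OUTDIR%" || exit /b 1
echo [*] collecting into %OUTDIR%

echo %COMSPEC% >"%OUTDIR%\comspec.txt"
set >"%OUTDIR%\env.txt" 2>&1
whoami /all >"%OUTDIR%\whoami.txt" 2>&1
systeminfo >"%OUTDIR%\systeminfo.txt" 2>&1
type "%WINDIR%\System32\drivers\etc\hosts" >"%OUTDIR%\hosts.txt" 2>&1
gpresult /z >"%OUTDIR%\gpresult.txt" 2>&1

rem Elevated? "net session" needs an unfiltered administrator token and
rem fails with "Access is denied" (errorlevel 2) otherwise.
net session >nul 2>&1
if errorlevel 1 goto :unprivileged

echo [*] elevated token: collecting admin-only data
fsutil fsinfo drives >"%OUTDIR%\drives.txt" 2>&1
rem SAM and SECURITY are only useful together with SYSTEM (see "reg save").
reg save HKLM\SAM "%OUTDIR%\sam.hive" /y >nul 2>&1
reg save HKLM\SYSTEM "%OUTDIR%\system.hive" /y >nul 2>&1
reg save HKLM\SECURITY "%OUTDIR%\security.hive" /y >nul 2>&1
goto :done

:unprivileged
echo [-] token is not elevated: skipping fsutil and reg save
rem An account that is in Administrators but running under a UAC-filtered
rem token shows the group as "Group used for deny only" in whoami /groups.
whoami /groups | findstr /i /c:"BUILTIN\Administrators" | findstr /i /c:"deny only" >nul
if not errorlevel 1 echo [-] account is in Administrators but UAC-filtered: re-run from an elevated prompt

:done
echo [*] done
endlocal
```

Save it as a .cmd file and run it from the prompt you want to assess; the directory name it prints is the only thing to copy off the host.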

Registry (reg)

For more information: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/reg.mspx?mfr=true or http://www.petri.co.il/reg_command_in_windows_xp.htm

Add

  • Command with arguments: reg add [\\TargetIPaddr\] [RegDomain\Key]
  • Description: Adds a key to the target machine's registry (add /v [ValueName] /t [Type] /d [Data] to create or overwrite a value under it). Replace [\\TargetIPaddr\] with your target system (omit it for the local machine) and [RegDomain\Key] with the hive and key you'd like to insert. Remote use needs the Remote Registry service running on the target and admin rights there.
  • Output:
    • NA

Export

  • Command with arguments: reg export [RegDomain\Key] [OUTFILE]
  • Description: Exports a key and everything below it to a text .reg file. Replace [RegDomain\Key] with the hive and key you'd like to export and [OUTFILE] with the name of the file you would like to save it in.
  • Output:
    • NA

Import

  • Command with arguments: reg import [INFILE]
  • Description: Imports a .reg file into the local registry (reg import has no remote-machine option). Replace [INFILE] with the file that has the content you wish to insert.
  • Output:
    • NA

Query (Local)

  • Command with arguments: reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """"
  • Description: Finds registry values under HKLM whose data is an executable path on C: that contains a space and is not wrapped in quotes. /s recurses, /d searches value data only, /f supplies the pattern, and the final find /V """" drops every line that contains a double quote, leaving only the unquoted paths. Such paths are candidates for unquoted-path hijacking: Windows tries C:\Program.exe, then C:\Program Files\VMware\VMware.exe, and so on, before the real binary, so a writable ancestor directory lets a low-privilege user plant a file that runs instead. Check the hits with icacls on each directory along the path.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """"
      (Default) REG_SZ C:\Program Files\VMware\VMware Tools\TPVCGateway.exe
      (Default) REG_SZ C:\Program Files\VMware\VMware Tools\VMwareCplLauncher.exe
      (Default) REG_SZ C:\Program Files\Internet Explorer\iexplore.exe
      LocalizedString REG_SZ @C:\Program Files\VMware\VMware Tools\VMwareHostOpen.exe,-1008
      (Default) REG_SZ C:\Program Files\VMware\VMware Tools\VMwareHostOpen.exe,-101
      (Default) REG_SZ C:\Program Files\Internet Explorer\IEXPLORE.EXE
      (Default) REG_SZ C:\Program Files\VMware\VMware Tools\VMwareTray.exe
      627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\rpctool.exe
      627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\VMwareCplLauncher.exe
      627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe
      627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\unzip.exe
      627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
      627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\Common Files\VMware\Drivers\vss\comreg.exe

Query (Remote)

  • Command with arguments: reg query [\\TargetIPaddr\] [RegDomain\Key] /v [ValueName]
  • Description: Retrieves a key and value from target machine's registry. Replace [\TargetIPaddr] with your target system, [RegDomain\Key] with the registry domain and key you'd like to query.
  • Output:
    • NA

Save

  • Command with arguments: reg save [HIVE] [OUTFILE]
  • Description: Must be run as an administrator. Saves a hive to a file in the registry's own binary format. Replace [HIVE] with HKLM\Security, HKLM\System, or HKLM\SAM and [OUTFILE] with the name of the file you would like to save the registry in. The SAM and SECURITY hives are encrypted with a key derived from SYSTEM, so the three are normally saved together: offline, SAM plus SYSTEM yield the local account password hashes, and SECURITY plus SYSTEM the LSA secrets and cached domain credentials. Because of that, reg.exe writing a file from these hives is itself worth alerting on.
  • Output:
    • **Windows 2008:**
      c:\temp>reg save HKLM\Security security.hive && dir
      The operation completed successfully.
       Volume in drive C has no label.
       Volume Serial Number is 1A09-5F16

       Directory of c:\temp

      10/26/2013  11:17 PM    <DIR>          .
      10/26/2013  11:17 PM    <DIR>          ..
      10/26/2013  11:17 PM            32,768 security.hive
                     1 File(s)         32,768 bytes
                     2 Dir(s)  33,312,219,136 bytes free

sc

sc.exe retrieves and sets control information about services. You can use sc.exe for testing and debugging service programs. For more information: http://technet.microsoft.com/en-us/library/bb490995.aspx.

Help details (the output of sc.exe run without arguments):

    C:\Users\tester>sc
    DESCRIPTION:
        SC is a command line program used for communicating with the
        Service Control Manager and services.
    USAGE:
        sc [command] [service name] ...
    The option <server> has the form "\\ServerName"
    Further help on commands can be obtained by typing: "sc [command]"
    Commands:
      query-----------Queries the status for a service, or
                      enumerates the status for types of services.
      queryex---------Queries the extended status for a service, or
                      enumerates the status for types of services.
      start-----------Starts a service.
      pause-----------Sends a PAUSE control request to a service.
      interrogate-----Sends an INTERROGATE control request to a service.
      continue--------Sends a CONTINUE control request to a service.
      stop------------Sends a STOP request to a service.
      config----------Changes the configuration of a service (persistent).
      description-----Changes the description of a service.
      failure---------Changes the actions taken by a service upon failure.
      failureflag-----Changes the failure actions flag of a service.
      sidtype---------Changes the service SID type of a service.
      privs-----------Changes the required privileges of a service.
      qc--------------Queries the configuration information for a service.
      qdescription----Queries the description for a service.
      qfailure--------Queries the actions taken by a service upon failure.
      qfailureflag----Queries the failure actions flag of a service.
      qsidtype--------Queries the service SID type of a service.
      qprivs----------Queries the required privileges of a service.
      qtriggerinfo----Queries the trigger parameters of a service.
      qpreferrednode--Queries the preferred NUMA node of a service.
      delete----------Deletes a service (from the registry).
      create----------Creates a service. (adds it to the registry).
      control---------Sends a control to a service.
      sdshow----------Displays a service's security descriptor.
      sdset-----------Sets a service's security descriptor.
      showsid---------Displays the service SID string corresponding to an arbitrary name.
      triggerinfo-----Configures the trigger parameters of a service.
      preferrednode---Sets the preferred NUMA node of a service.
      GetDisplayName--Gets the DisplayName for a service.
      GetKeyName------Gets the ServiceKeyName for a service.
      EnumDepend------Enumerates Service Dependencies.

    The following commands don't require a service name:
    sc <server> <command> <option>
      boot------------(ok | bad) Indicates whether the last boot should
                      be saved as the last-known-good boot configuration
      Lock------------Locks the Service Database
      QueryLock-------Queries the LockStatus for the SCManager Database

EXAMPLE: sc start MyService

Query Configuration

  • Command with arguments: sc qc [servicename]
  • Description: Queries the configuration information for a service. Things to look at here are the path to the executable, the start type (does it start at boot or on demand?), and service names.
  • Output:
    • **Windows 2008:**
      c:\Users\johndoe>sc qc browser
      [SC] QueryServiceConfig SUCCESS

      SERVICE_NAME: browser
              TYPE               : 20  WIN32_SHARE_PROCESS
              START_TYPE         : 4   DISABLED
              ERROR_CONTROL      : 1   NORMAL
              BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k netsvcs
              LOAD_ORDER_GROUP   : NetworkProvider
              TAG                : 0
              DISPLAY_NAME       : Computer Browser
              DEPENDENCIES       : LanmanWorkstation
                                 : LanmanServer
              SERVICE_START_NAME : LocalSystem

Query Status

  • Command with arguments: sc query [servicename]
  • Description: Queries the status for a service, or enumerates the status for types of services.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>sc query browser

      SERVICE_NAME: browser
      TYPE : 20 WIN32_SHARE_PROCESS
      STATE : 1 STOPPED
      WIN32_EXIT_CODE : 1077 (0x435)
      SERVICE_EXIT_CODE : 0 (0x0)
      CHECKPOINT : 0x0
      WAIT_HINT : 0x0

Query Status Extended

  • Command with arguments: sc queryex [servicename]
  • Description: Like sc query, but also reports the PID of the process hosting the service and the service flags. A PID of 0 with STATE 1 STOPPED means nothing is running; for a running service the PID lets you match it against the process list (several shared-process services map to the same svchost.exe PID).
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>sc queryex browser

      SERVICE_NAME: browser
              TYPE               : 20  WIN32_SHARE_PROCESS
              STATE              : 1  STOPPED
              WIN32_EXIT_CODE    : 1077  (0x435)
              SERVICE_EXIT_CODE  : 0  (0x0)
              CHECKPOINT         : 0x0
              WAIT_HINT          : 0x0
              PID                : 0
              FLAGS              :
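
The unquoted-path check shown with reg query in the Registry section can be applied to the services themselves with nothing but sc.exe and findstr. The script below is an added example, not part of the original page: it walks every installed Win32 service from `sc query`, pulls BINARY_PATH_NAME, START_TYPE and SERVICE_START_NAME out of `sc qc` (the three fields the Query Configuration entry says to look at), and prints the services whose path is unquoted and contains a space together with the account they run as. The regex is a heuristic and every hit should be confirmed by hand with sc qc and icacls.

```batch
@echo off
setlocal enabledelayedexpansion
rem Added example, not part of the original page: flag services whose binary
rem path is stored without quotes and contains a space. Such a path is tried by
rem the Service Control Manager in pieces (C:\Program.exe, "C:\Program
rem Files\Vendor.exe", ...) before the real binary, so a writable ancestor
rem directory lets a local user plant a binary that starts as the service
rem account. Heuristic: it also fires on an unquoted path whose *arguments*
rem contain a second ".exe"; confirm hits with "sc qc <name>" and icacls.
set /a hits=0

rem SERVICE_NAME: lines from sc query; tokens=1,* keeps names with spaces.
for /f "tokens=1,* delims=:" %%A in ('sc query type^= service state^= all ^| findstr /b /c:"SERVICE_NAME:"') do (
    set "svc=%%B"
    set "svc=!svc:~1!"
    set "bin="
    set "acct="
    set "start="
    rem sc qc prints "   KEY   : value"; split on the first colon only so the
    rem drive letter in the path survives. 4096 is the output buffer size.
    for /f "tokens=1,* delims=:" %%K in ('sc qc "!svc!" 4096') do (
        set "key=%%K"
        set "key=!key: =!"
        set "val=%%L"
        if "!key!"=="BINARY_PATH_NAME"   set "bin=!val:~1!"
        if "!key!"=="START_TYPE"         set "start=!val:~1!"
        if "!key!"=="SERVICE_START_NAME" set "acct=!val:~1!"
    )
    if defined bin (
        rem Strip every double quote; if nothing changed, the path is unquoted.
        set "noq=!bin:"=!"
        if "!noq!"=="!bin!" (
            rem Unquoted AND a space somewhere before ".exe" => candidate.
            echo(!bin!| findstr /r /i /c:"[^ ] [^ ].*\.exe" >nul && (
                set /a hits+=1
                echo [+] !svc!  ^(start type: !start!, runs as: !acct!^)
                echo     !bin!
            )
        )
    )
)
echo [*] %hits% unquoted service path^(s^) with a space
endlocal
```

Delayed expansion (`!var!`) is used on purpose: the binary paths are fed back into `if` and `echo` after parsing, so quotes, ampersands or pipes inside a path cannot break the script or be interpreted as operators. No admin rights are needed for sc query/qc on default service ACLs; a service that denies SERVICE_QUERY_CONFIG to users simply yields no BINARY_PATH_NAME and is skipped.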

wmi

According to Microsoft (http://msdn.microsoft.com/en-us/library/aa394531(v=vs.85).aspx), "the WMI command-line (WMIC) utility provides a command-line interface for WMI. WMIC is compatible with existing shells and utility commands." Additional information can also be found at https://isc.sans.edu/diary/Windows+Command-Line+Kung+Fu+with+WMIC/1229. WMIC is deprecated: on current Windows 10 and 11 builds it ships as an optional Feature on Demand and may be absent, in which case the same queries are available through PowerShell's Get-CimInstance (the underlying WMI classes, Win32_Service, Win32_Process and so on, are unchanged).

For the wmic commands that pull information (as opposed to performing an action) you can append list full to get the data as key=value lines instead of a table, which is often easier to read; list brief shows fewer fields. The examples below show several output formats. Keep in mind that wmic activity, and wmic process call create or remote /node use in particular, is widely covered by detection rules, so on a monitored host it is not a quiet choice.

BIOS Information

  • Command with arguments: wmic bios [list full]
  • Description: Retrieves BIOS information including system serial number.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>wmic bios list full


      BiosCharacteristics={4,7,8,9,10,11,12,14,15,16,19,26,27,28,29,30,32,39,40,41,42,50,57,58}
      BuildNumber=
      CodeSet=
      CurrentLanguage=
      Description=PhoenixBIOS 4.0 Release 6.0
      IdentificationCode=
      InstallableLanguages=
      InstallDate=
      LanguageEdition=
      ListOfLanguages=
      Manufacturer=Phoenix Technologies LTD
      Name=PhoenixBIOS 4.0 Release 6.0
      OtherTargetOS=
      PrimaryBIOS=TRUE
      ReleaseDate=20120920000000.000000+000
      SerialNumber=VMware-56 4d 8b 9d 3b a9 3a b4-a7 09 2d ff 09 9a e2 26
      SMBIOSBIOSVersion=6.00
      SMBIOSMajorVersion=2
      SMBIOSMinorVersion=4
      SMBIOSPresent=TRUE
      SoftwareElementID=PhoenixBIOS 4.0 Release 6.0
      SoftwareElementState=3
      Status=OK
      TargetOperatingSystem=0
      Version=INTEL - 6040000

Disk Information

  • Command with arguments: wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
  • Description: Retrieve information about the harddrive.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
      FileSystem FreeSpace Name Size SystemName VolumeSerialNumber
      NTFS 33311481856 C: 42947571712 WIN-0P19ULL2NB6 1A095F16

Patch IDs

  • Command with arguments: wmic qfe get hotfixid
  • Description: Retrieves information about the patches installed on the system.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>wmic qfe get hotfixid
      HotFixID
      KB955430

Process Create

  • Command with arguments: wmic process call create [EXECUTABLE]
  • Description: Launches an executable. Replace [EXECUTABLE] with the name of the executable you'd like to launch (for example: calc.exe). Do not include quotes around the value (for example: DO use calc.exe; do NOT use "calc.exe"). The new process is started by the WMI provider host, so it is not a child of your shell. Another option for this command comes from Rob Fuller's talk, running a command on a remote host with explicit credentials: wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c vssadmin list shadows 2>&1 > c:\temp\output.txt". Credentials given with /user and /password are visible in the process command line of the host you run it from (and in process-creation logging such as event 4688 with command-line auditing, or Sysmon), so prefer running from a session that already holds the right token.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>wmic process call create calc.exe
      Executing (Win32_Process)->Create()
      Method execution successful.
      Out Parameters:
      instance of __PARAMETERS
      {
      ProcessId = 1936;
      ReturnValue = 0;
      };

Process Information

  • Command with arguments: wmic process get caption,executablepath,commandline
  • Description: Retrieves process names, captions, executable paths and command line flags.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>wmic process get caption,executablepath,commandline
      Caption CommandLine ExecutablePath
      System Idle Process
      System
      smss.exe
      csrss.exe
      [...SNIP...]
      dllhost.exe
      dwm.exe "C:\Windows\system32\Dwm.exe" C:\Windows\system32\Dwm.exe
      taskeng.exe taskeng.exe {72464C44-C181-4387-A20A-569E0267D2AF} C:\Windows\system32\taskeng.exe
      TPAutoConnect.exe TPAutoConnect.exe -q -i vmware -a COM1 -F 30 C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
      explorer.exe C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
      VMwareTray.exe "C:\Program Files\VMware\VMware Tools\VMwareTray.exe" C:\Program Files\VMware\VMware Tools\VMwareTray.exe
      vmtoolsd.exe "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
      cmd.exe "C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe
      cmd.exe
      TrustedInstaller.exe
      WMIC.exe wmic process get caption,executablepath,commandline C:\Windows\System32\Wbem\WMIC.exe
      WmiPrvSE.exe

Process Terminate

  • Command with arguments: wmic process where name="[PROCESS]" call terminate
  • Description: Terminates a process. Replace [PROCESS] with the name of the process you'd like to terminate and you DO need the quotes around it (for example: calc.exe).
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>wmic process where name="calc.exe" call terminate
      Executing (\\WIN-0P19ULL2NB6\ROOT\CIMV2:Win32_Process.Handle="1936")->terminate()
      Method execution successful.
      Out Parameters:
      instance of __PARAMETERS
      {
      ReturnValue = 0;
      };

Service Information

  • Command with arguments: wmic service [list full]
  • Description: Retrieves a large amount of information about every service installed on the system: name, binary path (PathName), start mode, the account it runs as (StartName), state and PID. The same fields sc qc shows one service at a time, here for all of them in one call.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>wmic service list full


      AcceptPause=FALSE
      AcceptStop=TRUE
      Caption=Application Experience
      CheckPoint=0
      CreationClassName=Win32_Service
      Description=Processes application compatibility cache requests for applications as they are launched
      DesktopInteract=FALSE
      DisplayName=Application Experience
      ErrorControl=Normal
      ExitCode=0
      InstallDate=
      Name=AeLookupSvc
      PathName=C:\Windows\system32\svchost.exe -k netsvcs
      ProcessId=1056
      ServiceSpecificExitCode=0
      ServiceType=Share Process
      Started=TRUE
      StartMode=Auto
      StartName=localSystem
      State=Running
      Status=OK
      SystemCreationClassName=Win32_ComputerSystem
      SystemName=WIN-0P19ULL2NB6
      TagId=0
      WaitHint=0


      AcceptPause=FALSE
      AcceptStop=FALSE
      Caption=Application Layer Gateway Service
      CheckPoint=0
      CreationClassName=Win32_Service
      Description=Provides support for 3rd party protocol plug-ins for Internet Connection Sharing
      DesktopInteract=FALSE
      DisplayName=Application Layer Gateway Service
      ErrorControl=Normal
      ExitCode=1077
      InstallDate=
      Name=ALG
      PathName=C:\Windows\System32\alg.exe
      ProcessId=0
      ServiceSpecificExitCode=0
      ServiceType=Own Process
      Started=FALSE
      StartMode=Manual
      StartName=NT AUTHORITY\LocalService
      State=Stopped
      Status=OK
      SystemCreationClassName=Win32_ComputerSystem
      SystemName=WIN-0P19ULL2NB6
      TagId=0
      WaitHint=0
      [...Truncated for brevity...]

Share Information

  • Command with arguments: wmic share [list brief]
  • Description: Retrieve information about local shares.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>wmic share list brief

      Description         Name      Path
      Remote Admin        ADMIN$    C:\Windows
      Default share       C$        C:
      Remote IPC          IPC$
      Logon server share  NETLOGON  C:\Windows\SYSVOL\sysvol\lab.sky.net\SCRIPTS
      Logon server share  SYSVOL    C:\Windows\SYSVOL\sysvol

Startup Items

  • Command with arguments: wmic startup [list brief]
  • Description: Shows startup items, which user runs them and full paths to the executables.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>wmic startup list brief
      Caption Command User
      VMware Tools "C:\Program Files\VMware\VMware Tools\VMwareTray.exe" Public
      VMware User Process "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr Public

User Information

  • Command with arguments: wmic useraccount [list full]
  • Description: Retrieve information about the user accounts on the system: name, SID, whether the account is disabled or locked out, and the password flags. On a domain-joined host (and on the domain controller in this example, hence LocalAccount=FALSE) the query also walks the domain's accounts, which can be very slow and noisy in a large domain; restrict it with wmic useraccount where localaccount=true list full when only local accounts are of interest.
  • Output:
    • **Windows 2008:**
      C:\Users\johndoe>wmic useraccount list full


      AccountType=512
      Description=Built-in account for administering the computer/domain
      Disabled=FALSE
      Domain=LAB
      FullName=
      InstallDate=
      LocalAccount=FALSE
      Lockout=FALSE
      Name=Administrator
      PasswordChangeable=TRUE
      PasswordExpires=TRUE
      PasswordRequired=TRUE
      SID=S-1-5-21-60789211-843652525-1994898995-500
      SIDType=1
      Status=OK


      AccountType=512
      Description=Key Distribution Center Service Account
      Disabled=TRUE
      Domain=LAB
      FullName=
      InstallDate=
      LocalAccount=FALSE
      Lockout=FALSE
      Name=krbtgt
      PasswordChangeable=TRUE
      PasswordExpires=TRUE
      PasswordRequired=TRUE
      SID=S-1-5-21-60789211-843652525-1994898995-502
      SIDType=1
      Status=Degraded


      AccountType=512
      Description=
      Disabled=FALSE
      Domain=LAB
      FullName=John Doe
      InstallDate=
      LocalAccount=FALSE
      Lockout=FALSE
      Name=johndoe
      PasswordChangeable=TRUE
      PasswordExpires=TRUE
      PasswordRequired=TRUE
      SID=S-1-5-21-60789211-843652525-1994898995-1001
      SIDType=1
      Status=OK
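
The wmic queries in this section can be run against many hosts at once with /node:@file. The script below is an added example, not part of the original page: it runs the information-gathering queries above against every host listed in hosts.txt and writes each result as CSV (hosts.txt and wmic-out are names chosen for this example, with hosts.txt assumed to hold one hostname or IP per line in the script's directory). The caller needs local admin on each target; the WQL filters on service and useraccount keep the output to what is usually wanted.

```batch
@echo off
setlocal
rem Added example, not part of the original page: the wmic queries from this
rem section fanned out to every host in hosts.txt and saved as CSV.
rem  - /node:@file runs each query against every listed host; /failfast:on
rem    skips hosts that do not answer instead of waiting for the RPC timeout.
rem  - Needs local admin on each target (WMI over DCOM: TCP 135 plus a dynamic
rem    port). Credentials given with /user and /password land in process-
rem    creation logs, so run from a session that already holds the right token.
rem  - useraccount is limited to local accounts: unfiltered, it enumerates the
rem    whole domain on a domain-joined host.
rem  - /format:csv prefixes every row with a Node column, so rows from
rem    different hosts can be told apart. wmic writes UTF-16 when redirected;
rem    "| more" converts it to the console code page for plain-text tools.
rem  - WMIC is deprecated and may be absent on recent Windows 10/11 builds
rem    unless installed as a Feature on Demand; Get-CimInstance replaces it.
cd /d "%~dp0"
if not exist hosts.txt (echo [-] hosts.txt not found & exit /b 1)
if not exist wmic-out mkdir wmic-out

set "W=wmic /node:@hosts.txt /failfast:on"
%W% os get csname,caption,version,osarchitecture,lastbootuptime /format:csv | more > wmic-out\os.csv
%W% bios get manufacturer,serialnumber,smbiosbiosversion /format:csv | more > wmic-out\bios.csv
%W% qfe get hotfixid,installedon /format:csv | more > wmic-out\qfe.csv
%W% startup get caption,command,user /format:csv | more > wmic-out\startup.csv
%W% share get name,path,description /format:csv | more > wmic-out\share.csv
%W% service where "startmode='Auto'" get name,pathname,startname,state /format:csv | more > wmic-out\service.csv
%W% useraccount where "localaccount=true" get name,sid,disabled,lockout,passwordrequired /format:csv | more > wmic-out\useraccount.csv
echo [*] done: results in %cd%\wmic-out
endlocal
```

The service.csv output is the multi-host version of the unquoted-path check: rows whose pathname contains a space and no double quote are the ones to follow up on each host.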