Investigation Windows Command Line Kungfu

I thought I would end 2009 by posting a couple of Windows command lines that I came up with a couple of months ago in the spirit of www.commandlinekungfu.com . I wanted a way, from the command line, to search all the Windows machines on a subnet and dump the output to a log file for review. The command line below allowed me to identify machines on a network that may need closer review for inappropriate content, based on their OpenSaveMRU registry values.


The final command line that I created was:-


for /L %i in (1,1,254) do @ping -n 1 -w 1 10.1.1.%i | (find "TTL=12" >nul && echo 10.1.1.%i) > live.txt & for /F %s in (live.txt) do @echo %s & for /F "skip=2 tokens=2 delims=\" %t in ('reg query \\%s\hku') do @reg query \\%s\hku\%t\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU /s



If we break this down into sections, we first have:-


for /L %i in (1,1,254) do @ping -n 1 -w 1 10.1.1.%i | (find "TTL=12" >nul && echo 10.1.1.%i) > live.txt


This loops from 1 to 254, counting by 1, and stores the current count in the variable %i. For each iteration I ping the corresponding IP in the 10.1.1.x subnet. The output of the ping is piped to a find command as a basic Windows fingerprint based on the time-to-live value. If the find succeeds and the echo succeeds (which should always be the case), the && evaluates to TRUE and the echo is redirected into the working file “live.txt”. Note I am not appending to the text file, so each pass through the loop overwrites the previous IP.


The next nested “for” loop, which the “&” causes to run each time the main loop runs (so once for each IP value), is:-


for /F %s in (live.txt) do @echo %s


The for loop here reads the current entries in “live.txt”, which should be only the current IP, and echoes this value out again for the third nested “for” loop. I can't remember why I had to write and read the IP through a file to get this working, but it may just be how I evolved the kungfu. It has been a couple of months and a 3-week holiday since I created it.


The final “for” loop (which again gets run for each IP value) is:-


for /F "skip=2 tokens=2 delims=\" %t in ('reg query \\%s\hku') do @reg query \\%s\hku\%t\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU /s


Here we use the IP read from “live.txt” in the previous loop to perform a “reg query \\%s\hku”. This grabs all the root keys in the Users registry hive. I grab each of the key names (which I believe are the user SID values) and store them in the variable %t, which then finally lets me query all of the OpenSaveMRU key values (/s outputs all subkeys too) for that machine.
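As an added example (not the post's own command, and not from commandlinekungfu.com), here is the same sweep written as a batch file so each of the three loops can be read and commented. The subnet prefix and log file name are assumed optional arguments; it appends each live IP instead of overwriting the working file, and the comments note where it differs from the one-liner:

```batch
@echo off
rem Added example (not the post's one-liner): the three nested loops from the
rem post rewritten as a batch file so each step can be read and commented.
rem Assumed: the subnet prefix and log file name are optional arguments; the
rem scanning account has admin rights on the targets and the Remote Registry
rem service is running there, as a remote "reg query" requires.
setlocal

set "PREFIX=%~1"
if "%PREFIX%"=="" set "PREFIX=10.1.1"
set "LOG=%~2"
if "%LOG%"=="" set "LOG=mru-audit.txt"

rem Step 1: ping sweep. TTL=128 is the Windows default on the local segment
rem (the post's looser "TTL=12" also matches 12x, i.e. Windows hosts a few
rem hops away). find's output goes to nul, not to a file named "null". The
rem redirection is written before echo so that an IP ending in a digit is not
rem read as a handle number. Appending keeps the full host list for later.
if exist live.txt del live.txt
for /L %%i in (1,1,254) do (
    ping -n 1 -w 200 %PREFIX%.%%i | find "TTL=128" >nul && >>live.txt echo %PREFIX%.%%i
)

rem Steps 2 and 3: for every live host, list the root keys of HKEY_USERS and
rem query OpenSaveMRU under each one. Filtering on "HKEY_USERS" instead of
rem using "skip=2" avoids depending on how many header lines reg.exe prints;
rem "tokens=2 delims=\" keeps only the SID part of each HKEY_USERS\S-1-5-... line.
>"%LOG%" echo OpenSaveMRU audit of %PREFIX%.0/24 started %date% %time%
for /F %%s in (live.txt) do (
    >>"%LOG%" echo.
    >>"%LOG%" echo ===== %%s =====
    for /F "tokens=2 delims=\" %%t in ('reg query \\%%s\hku ^| find "HKEY_USERS"') do (
        >>"%LOG%" echo --- user hive %%t ---
        >>"%LOG%" reg query \\%%s\hku\%%t\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU /s 2>nul
    )
)
echo Done - review %LOG%
endlocal
```

Run it as "mru-sweep.bat 10.1.1 mru-audit.txt" (the script name is also an assumption). Hives such as .DEFAULT and the service SIDs have no OpenSaveMRU key, so their "key not found" errors are sent to nul rather than cluttering the log.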

There are probably better ways to do this, but it works well. From this I have created a couple of other handy kungfu command lines based on registry settings.


This one I gave to the server/desktop team for double-checking that all PCs had the correct WSUS settings (yes, even though GPOs are used):-


for /L %i in (1,1,255) do @ping -n 1 -w 1 10.1.1.%i | (find "TTL=12" >nul && echo 10.1.1.%i) > live.txt & for /F %s in (live.txt) do @echo %s >> wsus-audit.txt & reg query \\%s\hklm\Software\policies\Microsoft\Windows\WindowsUpdate /v WUServer >> wsus-audit.txt


If you want to check what runs at end-user login, you can modify my OpenSaveMRU command to look instead at the Run and RunOnce values, which can be found at:-


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
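As an added example that is not part of the post, the batch file below runs the WSUS check from the audit command above and the four autorun locations just listed against every host in live.txt, the one-IP-per-line list written by the ping sweep; the file names live.txt and run-audit.txt are assumptions. It also shows the one adjustment a remote query needs: HKCU does not exist on a remote machine, so the HKCU entry has to be addressed as HKU\<SID>\... for each loaded user hive.

```batch
@echo off
rem Added example (not the post's code): audits the WSUS server value and the
rem four autorun locations listed above on every host in live.txt, the
rem one-IP-per-line list written by the ping sweep. Assumed: live.txt exists
rem in the current directory, the output file name run-audit.txt, and the same
rem admin rights and Remote Registry service the post's commands need.
setlocal

set "LOG=run-audit.txt"
if not exist live.txt (
    echo live.txt not found - run the ping sweep first
    exit /b 1
)
>"%LOG%" echo Autorun and WSUS audit started %date% %time%

for /F %%s in (live.txt) do (
    >>"%LOG%" echo.
    >>"%LOG%" echo ===== %%s =====
    rem WSUS target, queried as a single value as in the post's audit command.
    >>"%LOG%" reg query \\%%s\hklm\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer 2>&1
    rem Machine-wide autorun keys. /s also walks the numbered subkeys that
    rem RunOnceEx uses, which a plain query would miss.
    for %%k in (Run RunOnce RunOnceEx) do (
        >>"%LOG%" reg query \\%%s\hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\%%k /s 2>&1
    )
    rem A remote host has no HKCU: the HKCU path in the list is reached as
    rem HKU\SID\... for each user hive loaded under HKEY_USERS. The trailing
    rem "Run" of that path is a value under the ...\Windows key, hence /v.
    for /F "tokens=2 delims=\" %%t in ('reg query \\%%s\hku ^| find "HKEY_USERS"') do (
        >>"%LOG%" echo --- user hive %%t ---
        >>"%LOG%" reg query "\\%%s\hku\%%t\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Run 2>nul
    )
)
echo Done - review %LOG%
endlocal
```

Only hives that are loaded at the time of the query appear under HKEY_USERS, so users who are not logged on (or whose profile is not loaded) will not be covered by the per-user part; the machine-wide keys are always available.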



And that’s all for 2009.
