Skip to content

Identify Common Survey Commands

Survey commands are commonly used by system administrators, incident responders, and forensic investigators to gather important system information during an investigation or while troubleshooting a system. These commands help to quickly assess the state of the system, identify running processes, network activity, disk usage, system information, and other critical data. Below are some of the most frequently used survey commands in Command Prompt (CMD) and PowerShell.

Instructor Tip: Instructors should demonstrate the use of both CMD and PowerShell commands in tandem to provide students with a comprehensive toolkit for data collection during incident response.

1. Command Prompt (CMD) Survey Commands

The Command Prompt (CMD) is one of the primary tools used in Windows environments for gathering system information.

1.1 System Information:

  • systeminfo
  • Displays detailed information about the computer, including the OS version, architecture, memory configuration, and installed updates.
  • Example:

    systeminfo
    

  • hostname

  • Displays the computer's hostname (name of the machine on the network).
  • Example:
    hostname
    

1.2 Process Information:

  • tasklist
  • Lists all currently running processes along with their Process ID (PID), memory usage, and other details. This is useful for identifying active applications and background services.
  • Example:

    tasklist
    

  • taskkill

  • Used to terminate a running process by PID or name.
  • Example:
    taskkill /PID <ProcessID>
    

1.3 Network Information:

  • netstat
  • Displays the current active network connections, open ports, and network protocol statistics. This is useful for checking open ports and network activity.
  • Example:

    netstat -ano
    

  • ipconfig

  • Displays the network configuration, including IP addresses, subnet masks, and gateway details. It is useful for diagnosing network issues.
  • Example:
    ipconfig
    

1.4 Service Information:

  • sc
  • Used to query and control Windows services. The sc command can start, stop, and query the status of services, among other functions.
  • Examples:
    • sc query – Lists the status of all services.
    • Example:
      sc query
      
    • sc start <service_name> – Starts a specific service.
    • Example:
      sc start wuauserv
      

1.5 Registry Information:

  • reg
  • The reg command can be used to read, set, and export Windows registry keys, which is helpful for gathering configuration settings or investigating potential issues in the registry.
  • Examples:

    • reg query – Queries registry keys.
    • Example:
      reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      
  • dir

  • Lists the contents of a directory. This is useful for checking files and folders in specific locations.
  • Example:
    dir C:\Windows
    

2. PowerShell Survey Commands

PowerShell provides more advanced functionality compared to Command Prompt, allowing you to gather detailed system information, manage services, network activity, and more, using cmdlets.

2.1 System Information:

  • Get-ComputerInfo
  • Retrieves comprehensive information about the computer's configuration, including hardware and OS details.
  • Example:

    Get-ComputerInfo
    

  • Get-ItemProperty

  • Allows you to retrieve specific properties of a registry key or file system object.
  • Example:
    Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
    

2.2 Process Information:

  • Get-Process
  • Lists all running processes, their CPU and memory usage, and other relevant details. It is useful for identifying resource-hogging processes or malicious activity.
  • Example:

    Get-Process
    

  • Stop-Process

  • Used to stop a running process, similar to taskkill in CMD.
  • Example:
    Stop-Process -Name "notepad"
    

2.3 Service Information:

  • Get-Service
  • Retrieves the status (running, stopped, etc.) of all services installed on the system.
  • Example:

    Get-Service
    

  • Start-Service / Stop-Service

  • Used to start or stop specific services.
  • Example:
    Start-Service -Name "wuauserv"
    Stop-Service -Name "wuauserv"
    

2.4 Network Information:

  • Get-NetTCPConnection
  • Displays active TCP/IP network connections, including local and remote IP addresses and ports, and connection states (established, listening, etc.).
  • Example:

    Get-NetTCPConnection
    

  • Test-NetConnection

  • Tests network connectivity to a remote host or service, similar to ping.
  • Example:
    Test-NetConnection -ComputerName "google.com" -Port 80
    

2.5 File and Directory Information:

  • Get-ChildItem
  • Lists files and directories within a specified path. This is similar to the dir command in CMD.
  • Example:

    Get-ChildItem -Path C:\Windows
    

  • Get-Content

  • Retrieves the content of a file, useful for reviewing log files or configuration files.
  • Example:
    Get-Content C:\Windows\System32\drivers\etc\hosts
    

Summary of Common Survey Commands:

Category Command Purpose Example Usage
System Information systeminfo Displays detailed system information systeminfo
hostname Shows the computer's hostname hostname
Process Information tasklist Lists all running processes tasklist
Get-Process Retrieves all running processes in PowerShell Get-Process
Network Information netstat Shows active network connections and ports netstat -ano
ipconfig Displays network configuration information ipconfig
Get-NetTCPConnection Lists active TCP/IP connections Get-NetTCPConnection
Service Information sc query Queries the status of services sc query
Get-Service Lists all installed services in PowerShell Get-Service
File System dir Lists files and directories dir C:\Windows
Get-ChildItem Lists files and directories in PowerShell Get-ChildItem -Path C:\Windows

Summary

Common survey commands in Command Prompt (CMD) and PowerShell provide administrators and forensic investigators with the ability to quickly gather important system information. Whether you need to check running processes, view network connections, query system services, or inspect the file system, these commands are vital for diagnosing issues, conducting incident response, or performing forensic investigations. Understanding and effectively using these commands can help streamline troubleshooting and improve the efficiency of security operations.