Identify Common Survey Commands¶
Survey commands are commonly used by system administrators, incident responders, and forensic investigators to gather important system information during an investigation or while troubleshooting a system. These commands help to quickly assess the state of the system, identify running processes, network activity, disk usage, system information, and other critical data. Below are some of the most frequently used survey commands in Command Prompt (CMD) and PowerShell.
Instructor Tip: Instructors should demonstrate the use of both CMD and PowerShell commands in tandem to provide students with a comprehensive toolkit for data collection during incident response.
1. Command Prompt (CMD) Survey Commands¶
The Command Prompt (CMD) is one of the primary tools used in Windows environments for gathering system information.
1.1 System Information:¶
systeminfo
- Displays detailed information about the computer, including the OS version, architecture, memory configuration, and installed updates.
-
Example:
-
hostname
- Displays the computer's hostname (name of the machine on the network).
- Example:
1.2 Process Information:¶
tasklist
- Lists all currently running processes along with their Process ID (PID), memory usage, and other details. This is useful for identifying active applications and background services.
-
Example:
-
taskkill
- Used to terminate a running process by PID or name.
- Example:
1.3 Network Information:¶
netstat
- Displays the current active network connections, open ports, and network protocol statistics. This is useful for checking open ports and network activity.
-
Example:
-
ipconfig
- Displays the network configuration, including IP addresses, subnet masks, and gateway details. It is useful for diagnosing network issues.
- Example:
1.4 Service Information:¶
sc
- Used to query and control Windows services. The
sc
command can start, stop, and query the status of services, among other functions. - Examples:
sc query
– Lists the status of all services.- Example:
sc start <service_name>
– Starts a specific service.- Example:
1.5 Registry Information:¶
reg
- The
reg
command can be used to read, set, and export Windows registry keys, which is helpful for gathering configuration settings or investigating potential issues in the registry. -
Examples:
reg query
– Queries registry keys.- Example:
-
dir
- Lists the contents of a directory. This is useful for checking files and folders in specific locations.
- Example:
2. PowerShell Survey Commands¶
PowerShell provides more advanced functionality compared to Command Prompt, allowing you to gather detailed system information, manage services, network activity, and more, using cmdlets.
2.1 System Information:¶
Get-ComputerInfo
- Retrieves comprehensive information about the computer's configuration, including hardware and OS details.
-
Example:
-
Get-ItemProperty
- Allows you to retrieve specific properties of a registry key or file system object.
- Example:
2.2 Process Information:¶
Get-Process
- Lists all running processes, their CPU and memory usage, and other relevant details. It is useful for identifying resource-hogging processes or malicious activity.
-
Example:
-
Stop-Process
- Used to stop a running process, similar to
taskkill
in CMD. - Example:
2.3 Service Information:¶
Get-Service
- Retrieves the status (running, stopped, etc.) of all services installed on the system.
-
Example:
-
Start-Service
/Stop-Service
- Used to start or stop specific services.
- Example:
2.4 Network Information:¶
Get-NetTCPConnection
- Displays active TCP/IP network connections, including local and remote IP addresses and ports, and connection states (established, listening, etc.).
-
Example:
-
Test-NetConnection
- Tests network connectivity to a remote host or service, similar to
ping
. - Example:
2.5 File and Directory Information:¶
Get-ChildItem
- Lists files and directories within a specified path. This is similar to the
dir
command in CMD. -
Example:
-
Get-Content
- Retrieves the content of a file, useful for reviewing log files or configuration files.
- Example:
Summary of Common Survey Commands:¶
Category | Command | Purpose | Example Usage |
---|---|---|---|
System Information | systeminfo |
Displays detailed system information | systeminfo |
hostname |
Shows the computer's hostname | hostname |
|
Process Information | tasklist |
Lists all running processes | tasklist |
Get-Process |
Retrieves all running processes in PowerShell | Get-Process |
|
Network Information | netstat |
Shows active network connections and ports | netstat -ano |
ipconfig |
Displays network configuration information | ipconfig |
|
Get-NetTCPConnection |
Lists active TCP/IP connections | Get-NetTCPConnection |
|
Service Information | sc query |
Queries the status of services | sc query |
Get-Service |
Lists all installed services in PowerShell | Get-Service |
|
File System | dir |
Lists files and directories | dir C:\Windows |
Get-ChildItem |
Lists files and directories in PowerShell | Get-ChildItem -Path C:\Windows |
Summary¶
Common survey commands in Command Prompt (CMD) and PowerShell provide administrators and forensic investigators with the ability to quickly gather important system information. Whether you need to check running processes, view network connections, query system services, or inspect the file system, these commands are vital for diagnosing issues, conducting incident response, or performing forensic investigations. Understanding and effectively using these commands can help streamline troubleshooting and improve the efficiency of security operations.