Security Incident Response (C)

LogParser

Download link:

https://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=24659

 

Usage

Security Log

Mainly used to check whether administrator logins fall within the normal time period and, if a Trojan was run, whether its run time corresponds to an administrator login time.

LogParser -i:EVT -o:DATAGRID "SELECT TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,'|') as username,EXTRACT_TOKEN(Strings,8,'|') as LogonType, EXTRACT_TOKEN(Strings,17,'|') as ProcessName, EXTRACT_TOKEN(Strings,18,'|') as SourceIP FROM Security where EventID=4624 AND TO_DATE(TimeGenerated) BETWEEN TIMESTAMP('2019-05-30','yyyy-MM-dd') and TIMESTAMP('2019-05-31','yyyy-MM-dd')"
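As an added example (not part of the original post), the following Python script applies the two checks described above to the output of that LogParser query when it is run with -o:CSV instead of -o:DATAGRID: it lists logins by non-service accounts outside a working window and logins close to a given Trojan run time. The sample rows, the 08:00 to 20:00 window and the 30-minute correlation window are constructed assumptions.

```python
import csv
import io
from datetime import datetime, time, timedelta

# Constructed sample: what the LogParser query above produces with -o:CSV.
# Column names are the aliases from the query; the timestamp format is
# LogParser's default CSV rendering of a TIMESTAMP column.
SAMPLE_CSV = r"""LoginTime,username,LogonType,ProcessName,SourceIP
2019-05-30 09:12:44,alice,2,C:\Windows\System32\winlogon.exe,-
2019-05-30 14:03:10,SYSTEM,5,C:\Windows\System32\services.exe,-
2019-05-30 23:41:07,administrator,10,C:\Windows\System32\winlogon.exe,203.0.113.45
2019-05-31 02:15:30,administrator,3,-,203.0.113.45
"""

# Assumed working window for the environment under investigation.
NORMAL_START = time(8, 0)
NORMAL_END = time(20, 0)
# Built-in accounts that log on constantly (logon type 5 = service start);
# they are excluded so that only human/administrator logins are reported.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def parse_logins(csv_text):
    """Read the CSV export into dicts, converting LoginTime to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["LoginTime"] = datetime.strptime(row["LoginTime"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def outside_normal_hours(logins):
    """Logins by non-service accounts whose time of day is outside the window."""
    flagged = []
    for r in logins:
        if r["username"].upper() in SERVICE_ACCOUNTS:
            continue
        t = r["LoginTime"].time()
        if not (NORMAL_START <= t <= NORMAL_END):
            flagged.append(r)
    return flagged


def logins_near(logins, suspect_time, window=timedelta(minutes=30)):
    """Logins within `window` (either side) of the Trojan's observed run time.

    `suspect_time` may be a datetime or a 'YYYY-MM-DD HH:MM:SS' string."""
    if isinstance(suspect_time, str):
        suspect_time = datetime.strptime(suspect_time, "%Y-%m-%d %H:%M:%S")
    return [r for r in logins if abs(suspect_time - r["LoginTime"]) <= window]


def describe(r):
    # Logon type 2 = interactive console, 3 = network, 10 = RDP (RemoteInteractive).
    return "%s  %-14s type=%-2s from %s" % (
        r["LoginTime"], r["username"], r["LogonType"], r["SourceIP"])


if __name__ == "__main__":
    logins = parse_logins(SAMPLE_CSV)
    print("Logins outside %s-%s:" % (NORMAL_START, NORMAL_END))
    for r in outside_normal_hours(logins):
        print("  " + describe(r))
    # Constructed Trojan run time taken from, e.g., the Application log.
    print("Logins within 30 minutes of 2019-05-30 23:55:00:")
    for r in logins_near(logins, "2019-05-30 23:55:00"):
        print("  " + describe(r))
```

Feed it the real export with `LogParser ... -o:CSV > logins.csv` and `parse_logins(open("logins.csv").read())`; the Trojan run time normally comes from the Application log query or the file's timestamps.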

System Log

Mainly used to view service names and service paths.

LogParser -i:EVT -o:DATAGRID "SELECT TimeWritten,EventID,EventType,EventTypeName,SourceName,EXTRACT_TOKEN(Strings,0,'|') as service_name,EXTRACT_TOKEN(Strings,1,'|') as service_path,Message from system WHERE TO_DATE(TimeGenerated) BETWEEN TIMESTAMP('2019-05-30','yyyy-MM-dd') AND TIMESTAMP('2019-05-31','yyyy-MM-dd')"

Application Log

Mainly used to view program run times.

LogParser -i:EVT -o:DATAGRID "SELECT * FROM Application WHERE TO_DATE(TimeGenerated) BETWEEN TIMESTAMP('2019-05-30','yyyy-MM-dd') AND TIMESTAMP('2019-05-31','yyyy-MM-dd')"

WMIC

View process command-line parameters

WMIC Process GET Caption,CommandLine /value > tmp.txt
WMIC Service List Brief
WMIC Process List Brief
WMIC Startup List Brief
REM Check installed patches and their installation times
WMIC QFE
WMIC QFE GET Caption,Description,HotFixID,InstalledOn
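As an added example (not from the original post), a small Python parser for the `/value` output format used by the WMIC commands above. It is applied to constructed `WMIC Process GET Caption,CommandLine /value` output to list processes whose image does not live under the Windows or Program Files directories, and to constructed `WMIC QFE ... /value` output to find the most recent patch installation date. The trusted-directory list, the KB numbers (placeholders) and the `M/D/YYYY` date format are assumptions.

```python
from datetime import datetime

# Constructed sample of `WMIC Process GET Caption,CommandLine /value`.
# Assumption: wmic output redirected to a file is UTF-16 with a BOM, so read a
# real capture with open(path, encoding="utf-16") before passing the text in.
PROCESS_SAMPLE = r"""


Caption=svchost.exe
CommandLine=C:\Windows\system32\svchost.exe -k netsvcs -p


Caption=chrome.exe
CommandLine="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer


Caption=updater.exe
CommandLine="C:\Users\Public\Libraries\updater.exe" -install


Caption=System
CommandLine=
"""

# Constructed sample of `WMIC QFE GET Caption,Description,HotFixID,InstalledOn /value`
# (KB numbers are placeholders, not real updates).
QFE_SAMPLE = r"""

Caption=http://support.microsoft.com/?kbid=0000001
Description=Security Update
HotFixID=KB0000001
InstalledOn=3/13/2019


Caption=http://support.microsoft.com/?kbid=0000002
Description=Security Update
HotFixID=KB0000002
InstalledOn=5/15/2019


Caption=http://support.microsoft.com/?kbid=0000003
Description=Update
HotFixID=KB0000003
InstalledOn=4/10/2019
"""

# Assumed "expected" locations for executables; anything else is worth a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_wmic_value(text):
    """Split /value output (blank-line separated Key=Value blocks) into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key] = value
    if current:
        records.append(current)
    return records


def image_path(cmdline):
    """Extract the executable path from a command line (quoted or not)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def unusual_processes(records):
    """(Caption, path) for processes running outside the trusted directories."""
    out = []
    for rec in records:
        path = image_path(rec.get("CommandLine", ""))
        if path and not path.lower().startswith(TRUSTED_PREFIXES):
            out.append((rec.get("Caption", ""), path))
    return out


def latest_patch(records):
    """(install date, HotFixID) of the newest patch, or None if none parse."""
    best = None
    for rec in records:
        try:
            d = datetime.strptime(rec.get("InstalledOn", ""), "%m/%d/%Y")
        except ValueError:
            continue
        if best is None or d > best[0]:
            best = (d, rec.get("HotFixID", ""))
    return best


if __name__ == "__main__":
    for caption, path in unusual_processes(parse_wmic_value(PROCESS_SAMPLE)):
        print("unusual process:", caption, "->", path)
    print("latest patch:", latest_patch(parse_wmic_value(QFE_SAMPLE)))
```

A long gap between the newest InstalledOn date and the date of the incident is a quick indicator of how exposed the host was to already-patched vulnerabilities.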

DOS commands

dir

DIR [drive:][path][filename] [/A[[:]attributes]] [/B] [/C] [/D] [/L] [/N] [/O[[:]sortorder]] [/P] [/Q] [/R] [/S] [/T[[:]timefield]] [/W] [/X] [/4]
/A  Display files with the specified attributes
    attributes: D directories, R read-only files, H hidden files, A files ready for archiving,
                S system files, I not content-indexed files, L reparse points,
                - prefix meaning "not"
/S  Display files in the specified directory and all subdirectories
/W  Use wide list format
/P  Pause after each screenful of output; press any key to show the next screen
/Q  Display the file owner

copy and xcopy

copy only copies files; it cannot copy folders.
xcopy can copy both folders and files.

xcopy parameters
/S  Copy directories and subdirectories, except empty ones
/E  Copy directories and subdirectories, including empty ones
/C  Continue copying even if errors occur
/H  Copy hidden and system files as well

del, deltree, rd

del can only delete one or more files; it cannot delete folders.

deltree is an external command that can delete files and folders, including their sub-folders.

rd deletes empty folders; the absolute path of the empty folder is required.

del parameters
/S  Delete the specified files from all subdirectories (recursive)
/Q  Quiet mode; do not prompt for confirmation

move

Move one or more files

/Y   If a file with the same name exists in the destination folder, overwrite it without prompting
/-Y  Prompt before overwriting an existing file

attrib

Change file attributes

attrib parameters
+  Set an attribute
-  Clear an attribute
R  Read-only file
A  Archive
S  System file
H  Hidden file

netstat

View network connections and port information

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-t] [-v] [-x] [-y] [interval]
-a        Display all connections and listening ports
-b        Display the executable involved in creating each connection or listening port; requires sufficient permissions
-e        Display Ethernet statistics
-n        Display addresses and port numbers in numeric form
-o        Display the process ID (PID) associated with each connection
-p proto  Show connections for the specified protocol; proto may be TCP, UDP, TCPv6 or UDPv6
-r        Display the routing table
-s        Display per-protocol statistics
-t        Display the current connection offload state
-x        Display NetworkDirect connections, listeners and shared endpoints
-y        Display the TCP connection template for all connections; cannot be combined with other options
interval  Redisplay the selected statistics every `interval` seconds, pausing between each display. Press CTRL+C to stop.
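As an added example (not from the original post), a Python script that parses the output of `netstat -ano` (the -a, -n and -o options listed above) and reports two things an incident responder looks for first: which ports are listening and under which PID, and which established TCP connections go to addresses outside the internal ranges. The sample output and the list of "internal" networks (RFC 1918, loopback, link-local, IPv6 ULA) are constructed assumptions; the PIDs can be joined against the WMIC process listing to name the owning program.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output. Addresses are taken from
# documentation ranges; the connection to 203.0.113.45 is the planted finding.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     203.0.113.45:4444      ESTABLISHED     3172
  TCP    192.168.1.20:49801     192.168.1.5:445        ESTABLISHED     4
  TCP    [::]:3389              [::]:0                 LISTENING       1032
  UDP    0.0.0.0:123            *:*                                    1204
"""

# Assumed internal address space. ipaddress.is_private is deliberately not
# used: it also treats the 203.0.113.0/24 documentation range as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_internal(addr):
    """True if addr falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    # `in` returns False for mismatched IP versions, so IPv4 and IPv6 mix safely.
    return any(ip in net for net in INTERNAL_NETS)


def split_addr(token):
    """'host:port' or '[v6]:port' -> (host, port); '*:*' -> ('*', None)."""
    host, _, port = token.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse netstat -ano rows into dicts; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        # TCP rows carry a State column; UDP rows do not, so the PID is last.
        state = parts[3] if proto == "TCP" else ""
        records.append({
            "proto": proto,
            "local": split_addr(parts[1]),
            "remote": split_addr(parts[2]),
            "state": state,
            "pid": int(parts[-1]),
        })
    return records


def listening_ports(records):
    """(proto, port, pid) for TCP listeners and bound UDP sockets, by port."""
    rows = [(r["proto"], r["local"][1], r["pid"]) for r in records
            if (r["proto"] == "TCP" and r["state"] == "LISTENING")
            or r["proto"] == "UDP"]
    return sorted(rows, key=lambda x: (x[1], x[0]))


def external_connections(records):
    """(remote ip, remote port, pid) for established TCP sessions leaving the LAN."""
    return [(r["remote"][0], r["remote"][1], r["pid"]) for r in records
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and not is_internal(r["remote"][0])]


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE)
    print("Listening:")
    for proto, port, pid in listening_ports(recs):
        print("  %-3s %5d  pid %d" % (proto, port, pid))
    print("External connections:")
    for ip, port, pid in external_connections(recs):
        print("  %s:%d  pid %d" % (ip, port, pid))
```

Run it against a saved capture with `netstat -ano > net.txt` and `parse_netstat(open("net.txt").read())`; on a host under investigation the PID of any unexpected external session is the first thing to look up in the process and service listings.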

Linux netstat

usage: netstat [-vWeenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
netstat [-vWnNcaeol] [<Socket> ...]
netstat { [-vWeenNac] -i | [-cnNe] -M | -s [-6tuw] }

-r, --route display routing table
-i, --interfaces display interface table
-g, --groups display multicast group memberships
-s, --statistics display networking statistics (like SNMP)
-M, --masquerade display masqueraded connections

-v, --verbose be verbose
-W, --wide don't truncate IP addresses
-n, --numeric don't resolve names
--numeric-hosts don't resolve host names
--numeric-ports don't resolve port names
--numeric-users don't resolve user names
-N, --symbolic resolve hardware names
-e, --extend display other/more information
-p, --programs display PID/Program name for sockets
-o, --timers display timers
-c, --continuous continuous listing

-l, --listening display listening server sockets
-a, --all display all sockets (default: connected)
-F, --fib display Forwarding Information Base (default)
-C, --cache display routing cache instead of FIB
-Z, --context display SELinux security context for sockets

<Socket>={-t|--tcp} {-u|--udp} {-U|--udplite} {-S|--sctp} {-w|--raw}
{-x|--unix} --ax25 --ipx --netrom
<AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
List of possible address families (which support routing):
inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
x25 (CCITT X.25)

User operations

net user chessur password /add
net localgroup administrators chessur /add
net user chessur /active:yes
net user chessur /active:no
net user chessur /del


Origin www.cnblogs.com/FyJianc/p/11698984.html