Get running services: wmic service where "state='running'" get displayname,state, pathname,processid
Get Users: wmic USERACCOUNT Get Domain,Name, Sid
List Users (netlogin): wmic netlogin get name,numberoflogons,badpasswordcount
Running Processes: wmic process get name,processid,parentprocessid,executablepath,sessionid
List antivirus products: wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayname, productState, pathToSignedProductExe
Show startup programs: wmic startup list brief
Get list of running services: wmic service where 'State="Running"' list brief
If this fails, swap the single and double quotes around the WHERE clause.
Nics on the system: wmic nic list full
Computer system Info: wmic computersystem list brief
List system drives: wmic volume list brief
Log files: wmic NTEVENT WHERE "LogFile='Security'" GET LogFile,SourceName,EventType,Message,TimeGenerated /FORMAT:list
Additional details of running services: wmic service where 'State="Running"' get name,processId,installDate,pathName,StartMode,Caption
Get products with version and install location (note: any Win32_Product query makes Windows Installer validate every installed package, so it is slow and writes MsiInstaller reconfiguration events to the Application log): wmic path win32_product get name, version, installlocation
More detailed products with version: wmic product get Description, InstallDate, Name, Vendor, Version, ProductID
Port Scan single IP Ports (1..1024)
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("[IP Address]",$_)) "Port $_ is open!"} 2>$null
IP Scan / Ping
foreach ($ip in 1..20) {Test-NetConnection -Port 80 -InformationLevel "Detailed" [First 3 octets].$ip}
Program Versions
Get-WmiObject Win32_Product | Select-Object Name,Version
Hash full Directories
Get-FileHash 'C:\Program Files (x86)\path\to\directory\*' -Algorithm MD5 | Format-List
Log Search
Get-EventLog "Windows PowerShell" -After (Get-Date).AddHours(-2) | where {($_.EventId -eq 400) -or ($_.EventId -eq 500) -or ($_.EventId -eq 501) -or ($_.EventId -eq 800) -or ($_.EventId -eq 4104) -or ($_.EventId -eq 4106)}
Enable SMB1
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Start Powershell version 2
powershell -version 2
Check current Powershell version
$psversiontable
Check version Windows Defender
Get-MpComputerStatus
EventLog query (change event ID number)
Get-EventLog "Security" | Where-Object {$_.EventId -eq 4624}
Logs written to since you logged in
Get-WinEvent -ListLog * | ? {$_.lastwritetime -gt 'Tuesday, May 14, 2019 3:15:42 PM'}
Logs created since you logged in
Get-WinEvent -ListLog * | ? {$_.lastwritetime -gt 'Tuesday, May 14, 2019'}
Single Port Scan
Test-NetConnection [IP address] -Port 80
Antivirus on system
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
Netstat with pid and Process name
get-nettcpconnection | sort-object -Property state | format-table local*,remote*,state,OwningProcess, @{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}
Startup Programs
Get-CimInstance Win32_StartupCommand |Select-Object Name, command, Location, User |Format-List
PowerShell Logging
wevtutil gl "Windows PowerShell"
wevtutil gl "Microsoft-Windows-PowerShell/Operational"
wevtutil qe "Windows Powershell" /rd:false /c:25 /f:text
wevtutil qe "Microsoft-Windows-PowerShell/Operational" /rd:false /c:25 /f:text
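Added example (not part of the original cheat sheet): the wevtutil and Get-EventLog one-liners above list script block logging events (ID 4104) one at a time, but PowerShell splits long script blocks across several 4104 events. This function reassembles them from the Operational log so the full text can be reviewed; the property order it relies on (MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path) is the documented layout of event 4104.

```powershell
# Added example: pull PowerShell script block logging events (ID 4104) from the
# Operational log for the last N hours and reassemble blocks split across events.
function Get-ScriptBlockEvents {
    param(
        [int]$Hours = 2,
        [int]$MaxEvents = 500
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $blocks = @{}
    foreach ($e in $events) {
        $p = $e.Properties
        # Property order for 4104: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
        $id = [string]$p[3].Value
        if (-not $blocks.ContainsKey($id)) {
            $blocks[$id] = [pscustomobject]@{
                ScriptBlockId = $id
                FirstSeen     = $e.TimeCreated
                Path          = [string]$p[4].Value   # empty for blocks not loaded from a file
                Total         = [int]$p[1].Value
                Parts         = @{}
            }
        }
        $blocks[$id].Parts[[int]$p[0].Value] = [string]$p[2].Value
    }
    foreach ($b in $blocks.Values) {
        # Join the fragments in message order; Complete is false if a part fell outside the window.
        $ordered = 1..$b.Total | ForEach-Object { $b.Parts[$_] }
        [pscustomobject]@{
            FirstSeen     = $b.FirstSeen
            ScriptBlockId = $b.ScriptBlockId
            Path          = $b.Path
            Complete      = ($b.Parts.Count -eq $b.Total)
            ScriptBlock   = ($ordered -join '')
        }
    }
}

# Usage: blocks with no Path were run from memory or the console rather than a script file.
Get-ScriptBlockEvents -Hours 2 | Where-Object { -not $_.Path } | Format-List
```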