#############################################################################
# Windows Forensic Toolchest(TM) (WFT) (2008_07_03)
# Copyright (C) 2003-2008 Monty McDougal. All rights reserved.
# URL: http://www.foolmoon.net/security/
# EMAIL: wft(at)foolmoon(dot)net
#############################################################################
#############################################################################
# Windows Forensic Toolchest(TM) (WFT) V3.0.03 CONFIG FILE
# Verified 06/16/2007 by Monty McDougal
#############################################################################
# If you make any improvements to this config file, please make sure to send
# them to me so I can make them available to the security community -- Monty
#
# Hint: You can edit this file in Excel as a tab-delimited file
#############################################################################
#############################################################################
# Changes in config file; iX, Sebastian Krause, Ernst & Young AG
#
# -- set the ACTION "W" for all tools that are not necessary for live response
#    or that write to disk
#
#############################################################################
#############################################################################
# This is the config file used to generate this report. It is formatted as follows:
#
# ACTION  EXECUTABLE  WFTCHECKSUM  COMMAND  OUTPUT  MENU  DESCRIPTION
# Note: Each of these items is separated by a TAB (white space will not work).
# Note: Lines beginning with # are treated as comments.
#
# ACTION tells Windows Forensic Toolchest(TM) (WFT) how to process each line.
# Valid ACTIONs are:
#   V  Perform MD5/SHA1 verification of EXECUTABLE.
#   E  Build a COMMAND to execute.
#   N  COMMAND produces NO output to checksum.
#   H  Build a HTML report.
#   M  Add a menu heading.
#   S  Skip COMMAND if -noslow option is used.
#   W  Skip COMMAND if -nowrite option is used.
#
# WFT 3.0 adds new valid ACTIONs:
#   I  Output the "NOTE:" information from DESCRIPTION before execution
#   O  Only execute if the part of EXECUTABLE prior to '\' matches the OS
#      (also required for OS file hash lookups, i.e. an entry whose WFTCHECKSUM
#      is NA and whose EXECUTABLE starts with <%os%> is checked against the
#      OS-specific entry for the same file)
#   P  Prompt before running the command if the -prompt option is used
#   T  Add a tool list report entry
#   R  Hacks for tools with known issues such as the new sysinternals /accepteula
# Note: Multiple ACTIONs can be combined on a line.
#
# EXECUTABLE tells Windows Forensic Toolchest(TM) (WFT) what executable this line will be using.
#
# WFTCHECKSUM is the checksum of EXECUTABLE in the form MD5:SHA1 (upper-case hex),
# or NA if none is supplied.
#
# COMMAND tells Windows Forensic Toolchest(TM) (WFT) how to build the command line to be invoked.
#
# For most executables, COMMAND should be: "<%toolpath%><%executable%> > <%dst%><%output%>".
# This expands to the command line: "[-toolpath argument]EXECUTABLE > [-dst argument]OUTPUT.txt".
# See the explanation of WFT macros for how this works.
#
# OUTPUT is the filename (no extension) to be used for the raw report.
#
# MENU sets the text to be used in the Report link or Menu header.
#
# DESCRIPTION describes the EXECUTABLE and its purpose.
#
#############################################################################
#
# Windows Forensic Toolchest(TM) (WFT) MACRO Substitutions
#
# WFT 2.0 adds macro expansions for COMMANDs. The values come from the command line,
# from the WFT config file, or from the system properties. This overcomes the previous
# limitation of not being able to perform actions on output that was written to the
# dynamically supplied -dst path (i.e. you could not chain commands). It also adds a
# lot of new power to WFT's config file and command line options.
#
#   <%executable%>  -- the EXECUTABLE specified in the config file
#   <%output%>      -- the value OUTPUT + '.txt' as specified in the config file
#   <%toolpath%>    -- the -toolpath directory specified at run time (defaults to '.\')
#   <%dst%>         -- the -dst directory specified at run time (defaults to '.\')
#   <%cfg%>         -- the -cfg config file specified at run time (defaults to '.\wft.cfg')
#   <%shell%>       -- the -shell specified at run time (defaults to 'cmd.exe')
#   <%drive%>       -- an expanding macro that requires further explanation below
#
# WFT 3.0 adds a macro expansion for OS specific COMMANDs. The OS is auto detected or can
# be overridden by the -os command line parameter.
#
#   <%os%>          -- the run time OS provided to WFT (defaults to the system OS)
#
# In addition to COMMANDs, these macros also work on the -dst argument using '$' notation
# in place of '<%' and '%>', such as $magic$, $systemname$, $date$, or $time$.
#
#   <%magic%>       -- expands to '<%systemname%>\<%date%>\<%time%>' and is always done first
#   <%systemname%>  -- system name of the computer for the current run
#   <%date%>        -- date of the current run in the format 'YYYY_MM_DD'
#   <%time%>        -- time of the current run in the format 'HH_MM_SS'
#
# WFT 2.0 adds a new "macro expansion" option when the <%drive%> tag is used on a line.
# The -drives argument should be a list of drive letters to iterate through on commands.
# Note that -drives defaults to 'C' unless specified at run time.
# Each line that has a <%drive%> tag will iterate once for each drive in the -drives argument.
# Note that COMMAND, OUTPUT, and MENU must all have this tag if it is being used,
# or else output may be overwritten (this is enforced by WFT for safety).
#
# WFT 3.0 adds an 'auto' option which automatically populates the -drives argument with
# all of the fixed disk drive letters; it can also be set manually as indicated below.
#
# For example, if the -drives argument was 'CEF' and the COMMAND, OUTPUT, and MENU were:
#
#   <%toolpath%><%executable%> /C dir <%drive%>:\*.*    <%drive%>_dir    DIR <%drive%>
#
# then this would expand to three normal entries:
#
#   <%toolpath%><%executable%> /C dir C:\*.*    C_dir    DIR C
#   <%toolpath%><%executable%> /C dir E:\*.*    E_dir    DIR E
#   <%toolpath%><%executable%> /C dir F:\*.*    F_dir    DIR F
#
#############################################################################
# Acknowledgements: Please see the readme.txt or WFT -about for a list of
# people to whom I owe thanks for helping improve the usefulness of WFT
#############################################################################
#############################################################################
#ACTION  EXECUTABLE  WFTCHECKSUM  COMMAND  OUTPUT  MENU  DESCRIPTION
#
#############################################################################
########################
# PERFORM A SELF-CHECK #
#############################################################################
# All commands specified in this file are invoked via the wft.exe in the
# current directory or in the -toolpath if specified. It is vital to ensure
# the integrity of the wft.exe executable before proceeding.
#
# WFT will not allow execution of commands until this step is performed.
#
#############################################################################
VT wft.exe BE25AB6FDC862ACDDF97B9E930087B8E:7A17FB139535E48148B6CD7B0F4787BDAF0A4021 NA NA NA wft   (http://www.foolmoon.net/security/)

wft -- trusted Windows Forensic Toolchest™ binary
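The header above describes the entry format, the ACTION letters, the <%macro%> expansion (including the rule that <%drive%> must appear in COMMAND, OUTPUT and MENU, the <%os%> selection and the $magic$ notation for -dst) and the MD5:SHA1 self-check only in prose. The Python below is an added example written for this page, not WFT's own code, that implements those rules so a config file can be parsed, expanded and checked offline before a response. Assumptions: the run-time OS defaults to 'xp' here (WFT auto-detects it), the sample config and its checksums (the MD5:SHA1 of a zero-byte file) are constructed placeholders, and the `blobs` dict stands in for reading the executables from -toolpath.

```python
import hashlib
import re

FIELDS = ("action", "executable", "checksum", "command", "output", "menu", "description")
DRIVE_FIELDS = ("command", "output", "menu")
MACRO = re.compile(r"<%(\w+)%>")
# Run-time defaults from the header; 'os' is an assumption here (WFT auto-detects it).
DEFAULTS = {"toolpath": ".\\", "dst": ".\\", "cfg": ".\\wft.cfg", "shell": "cmd.exe", "os": "xp"}

def parse_config(text):
    """Yield one dict per entry: fields are TAB separated, blank and '#' lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        parts = raw.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} TAB-separated fields, got {len(parts)}")
        yield dict(zip(FIELDS, parts), lineno=lineno)

def wft_checksum(blob):
    """WFTCHECKSUM of an executable's bytes: upper-case hex 'MD5:SHA1', as in the entries above."""
    return (hashlib.md5(blob).hexdigest() + ":" + hashlib.sha1(blob).hexdigest()).upper()

def check_entry(checksum, blob):
    """True/False after comparing; None when nothing was compared (checksum 'NA', or the
    file's bytes were not supplied). None must never be treated as a pass."""
    if checksum == "NA" or blob is None:
        return None
    return wft_checksum(blob) == checksum.upper()

def os_selected(entry, os_name):
    """Action 'O': run only if the path component before the first '\\' is <%os%> or the
    run-time OS. This is what pins '2k\\..\\microsoft\\uptime.exe' to a Win2k run."""
    return "O" not in entry["action"] or entry["executable"].split("\\", 1)[0] in ("<%os%>", os_name)

def expand(entry, runtime, drives="C"):
    """Expand <%macro%> tags in COMMAND, OUTPUT and MENU. An entry carrying <%drive%> is
    replicated once per letter in `drives`; the tag must appear in all three fields."""
    tagged = [f for f in DRIVE_FIELDS if "<%drive%>" in entry[f]]
    if tagged and len(tagged) != len(DRIVE_FIELDS):
        raise ValueError(f"line {entry['lineno']}: <%drive%> must be in COMMAND, OUTPUT and MENU; found in {tagged}")
    results = []
    for letter in (list(drives) if tagged else [None]):
        env = dict(DEFAULTS, **runtime)
        if letter:
            env["drive"] = letter

        def sub(text):  # raises KeyError on a macro the header does not define
            return MACRO.sub(lambda m: env[m.group(1)], text)

        env["executable"] = sub(entry["executable"])  # may itself be <%os%>\... or <%shell%>
        env["output"] = sub(entry["output"]) + ".txt"  # <%output%> is OUTPUT + '.txt'
        results.append({"command": sub(entry["command"]), "output": env["output"], "menu": sub(entry["menu"])})
    return results

def expand_dst(dst, systemname, date, time):
    """-dst uses $name$ notation; $magic$ is replaced first, then the other three."""
    dst = dst.replace("$magic$", "$systemname$\\$date$\\$time$")
    for name, value in (("systemname", systemname), ("date", date), ("time", time)):
        dst = dst.replace(f"${name}$", value)
    return dst

def plan(cfg_text, runtime, drives="C", blobs=None):
    """One run: ({executable: check result}, [expanded command dicts]). `blobs` maps an
    executable path (with <%os%> resolved) to its bytes, standing in for reads from -toolpath."""
    runtime, blobs = dict(DEFAULTS, **runtime), blobs or {}
    entries = list(parse_config(cfg_text))
    table = {e["executable"]: e["checksum"] for e in entries if e["checksum"] != "NA"}
    checks, commands = {}, []
    for e in entries:
        if "V" in e["action"]:
            path = e["executable"].replace("<%os%>", runtime["os"])
            # 'NA' on an <%os%> entry: take the hash from the OS-specific 'OT' line (the header's "OS file hash lookups")
            checksum = e["checksum"] if e["checksum"] != "NA" else table.get(path, "NA")
            checks[path] = check_entry(checksum, blobs.get(path))
        if "E" in e["action"] and os_selected(e, runtime["os"]):
            commands.extend(expand(e, runtime, drives))
    return checks, commands

# Constructed sample in the real file's layout (TAB separated). Both checksums are the
# MD5:SHA1 of a zero-byte file, placeholders for the example rather than real WFT values.
EMPTY = "D41D8CD98F00B204E9800998ECF8427E:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"
SAMPLE_CFG = "\n".join([
    "#ACTION\tEXECUTABLE\tWFTCHECKSUM\tCOMMAND\tOUTPUT\tMENU\tDESCRIPTION",
    f"VT\twft.exe\t{EMPTY}\tNA\tNA\tNA\twft",
    f"OT\txp\\hostname.exe\t{EMPTY}\tNA\tNA\tNA\thostname",
    "OEVH\t<%os%>\\hostname.exe\tNA\t<%toolpath%><%executable%> > <%dst%><%output%>\thostname\tHOSTNAME\thostname",
    "OEVHSTI\t2k\\..\\microsoft\\uptime.exe\tNA\t<%toolpath%><%executable%> > <%dst%><%output%>\tuptime\tUPTIME\tuptime",
    "EVHSW\t<%shell%>\tNA\t<%shell%> /C dir <%drive%>:\\ /S /OD /TA > <%dst%><%output%>\t<%drive%>_atime\tLAST ACCESSED <%drive%>\tdir",
])

if __name__ == "__main__":
    run = {"toolpath": "D:\\wft\\", "shell": "D:\\wft\\xp\\cmd.exe", "os": "xp",
           "dst": expand_dst("E:\\out\\$magic$\\", "HOST1", "2008_07_03", "10_22_05")}
    checks, commands = plan(SAMPLE_CFG, run, "CE", {"wft.exe": b"", "xp\\hostname.exe": b"tampered"})
    print(checks)  # xp\hostname.exe -> False: this toolkit copy must not be trusted
    print(*(c["command"] for c in commands), sep="\n")
```

A None from the self-check means nothing was compared (no checksum on the line, or no file), which is the same stance the file takes in refusing to run anything until wft.exe is verified: treat it as unverified, never as a pass. The sample run also shows why the OS-specific entries matter: the generic `<%os%>\hostname.exe` line carries NA, and its hash is only found by resolving <%os%> to the OT line for that OS.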

##################
# VERIFY CMD.EXE #
#############################################################################
# All commands specified in this file should be invoked via a trusted shell
# found in the <%toolpath%><%os%> directory. It is vital to ensure the
# integrity of the shell executable before proceeding.
#
# Note: The default shell is <%toolpath%><%os%>\cmd.exe if the -shell flag
# is not set. If you want to use a different shell, use the "-shell" or
# "-os" options to override the default.
#
# If the -shell option is used, all <%shell%> references in this file will
# automatically be replaced. You can also use a full path to a shell on the
# system such as c:\winnt\system32\cmd.exe, but note that such a shell is not
# covered by the checksums in this file.
#
# Note: As of WFT 2.0, it will no longer halt execution of commands until this
# verification is performed. This was changed because so many people are using
# WFT for auditing. It is HIGHLY recommended that the shell be verified.
#
# Note: It is also important that the proper version of cmd.exe is used for each
# OS or else some utilities produce erroneous output (some even crash).
#
#############################################################################
#########################
# OS SPECIFIC FILES: 2k #
#############################################################################
OT 2k\cmd.exe 6E6B078275E583496EDE4512DF3036ED:FC1AD635FD83A20E7964CE62D6A5C08B8C287D27 NA NA NA cmd   (from a trusted Win2k system)

cmd -- shell from a trusted system

OT 2k\mem.exe 86CBCF547AA3B128DB6DED40BC5EBDE0:6A16461F61B03BF15FD8B70C37704CB5C77E2C2E NA NA NA mem   (from a trusted Win2k system)

mem -- displays status of programs currently loaded in memory

OT 2k\hostname.exe 164E71AE02761F892E70F9639ADF5964:698E53A4F113DC94DFC8644875837E131BE653F8 NA NA NA hostname   (from a trusted Win2k system)

hostname -- set or print name of current host system

OT 2k\net.exe 8F9F01A95318FC4D5A40D4A6534FA76B:E13013CA1ABF68ABD62B1B479C6E9BD1D6C22F76 NA NA NA net   (from a trusted Win2k system)

net -- lists domain info for the computer

OT 2k\ipconfig.exe 2CAA7C99890F90414E50A031B3874B8A:EC7CB4FAAA23B1BD0BF2FCAE1EDF964A0AE3656A NA NA NA ipconfig   (from a trusted Win2k system)

ipconfig -- show network interface configuration information

OT 2k\arp.exe 6BF868C93D144A37F323C39C8C5DC4DE:83A2CF1E88E1F59CF650F6A08398922E7C92C429 NA NA NA arp   (from a trusted Win2k system)

arp -- displays entries in the Address Resolution Protocol (ARP) cache

OT 2k\route.exe 5DC6252304BDBA6298E46262264A2033:4712F547488EE4D1421733F7B4B9905E8DC7C820 NA NA NA route   (from a trusted Win2k system)

route -- displays routing table information

OT 2k\netstat.exe 325BD4A595C85BE163B5559DB8C78D8A:ECDE51BE4549422C5CF6C3B5AD1701698869F41F NA NA NA netstat   (from a trusted Win2k system)

netstat -- displays all connections and listening ports

OT 2k\ipxroute.exe 44FFA874C4DFCA0061C6FA5DDEC8D5B5:AD16C3EC44826DF53D17ED013DD5C25CECC92C41 NA NA NA ipxroute   (from a trusted Win2k system)

ipxroute -- show the IPX routing tables

NOTE: ipxroute.exe makes a socket connection to TCP port 135 of the machine it is run on

OT 2k\nbtstat.exe FEBDF2C81A3A569D8EE17C16F368CFB2:798819F2A15B13E0652E8C8F26D1ECCDA48658EB NA NA NA nbtstat   (from a trusted Win2k system)

nbtstat -- displays the NetBIOS name table of the local computer

OT 2k\at.exe 5EB81501805C037F0DBE7B00B89D6BE5:68BFDCF21788CD216252D29AD7EF2FA3A0213F2C NA NA NA at   (from a trusted Win2k system)

at -- shows user scheduled tasks to be performed at a later date and time

OT 2k\doskey.exe 5E9AE7E199D0F30DC04EAF4EF3078FD1:733FDDBC0E081E2998AD84940E6CCCA725E19B6B NA NA NA doskey   (from a trusted Win2k system)

doskey -- displays MS-DOS command history for a system

#OT 2k\tasklist.exe 00000000000000000000000000000000:0000000000000000000000000000000000000000 NA NA NA tasklist   (from a trusted Win2k system)

tasklist -- displays a list of application(s) and associated task(s)/process(es)

#OT 2k\schtasks.exe 00000000000000000000000000000000:0000000000000000000000000000000000000000 NA NA NA schtasks   (from a trusted Win2k system)

schtasks -- displays all scheduled tasks

OT 2k\gpresult.exe 1C7A83279E5F8E2AEDF50348E567432E:47C990BC257AEF3046C9232A2CA62E820E71822F NA NA NA gpresult   (from a trusted Win2k system)

gpresult -- displays information about how Group Policy has affected the current computer and any users who are logged on to the current computer

##########################
# OS SPECIFIC FILES: 2k3 #
#############################################################################
OT 2k3\cmd.exe 3C77C39347A6FA560A74587B0498FE84:8B0E5CDC3D2D8E8A11F052F0D31E974774BCE176 NA NA NA cmd   (from a trusted Win2k3 system)

cmd -- shell from a trusted system

OT 2k3\mem.exe 390762963E6B4C861E5E0CA5A3E56E40:E15DCC14576EFAC976E94FC0B65496007D541C75 NA NA NA mem   (from a trusted Win2k3 system)

mem -- displays status of programs currently loaded in memory

OT 2k3\hostname.exe C8002839D3E0F599DB85E5517B4FBA0D:3337B857CC2172BC64A9809A0818A6EF37D5BF25 NA NA NA hostname   (from a trusted Win2k3 system)

hostname -- set or print name of current host system

OT 2k3\net.exe 97372F24FA9D70CC6A36C2C4F294385F:45FC084E6ACAE2F6E510D1BC6DCF57CA895D3B4E NA NA NA net   (from a trusted Win2k3 system)

net -- lists domain info for the computer

OT 2k3\ipconfig.exe B80B3CC5B8C93476CDEF4FB701AF03AF:DD367FB536445E0755FDBFB786F6355FDF58BA8D NA NA NA ipconfig   (from a trusted Win2k3 system)

ipconfig -- show network interface configuration information

OT 2k3\arp.exe 7EA3799A9B277911C3F4D5D80035205A:8187D1461092EAB0590131561C23F512D208C53D NA NA NA arp   (from a trusted Win2k3 system)

arp -- displays entries in the Address Resolution Protocol (ARP) cache

OT 2k3\route.exe E564463104C90897530CBD6D080BEDB9:509C6340B3769A516DEC37A1CC473CF52D1E78DC NA NA NA route   (from a trusted Win2k3 system)

route -- displays routing table information

OT 2k3\netstat.exe 1DFFDF70A518FC93A1F2EAA7023695FE:E7C861D8E92BBECFBB15EABAC6AC730B2CD9CAB9 NA NA NA netstat   (from a trusted Win2k3 system)

netstat -- displays all connections and listening ports

OT 2k3\ipxroute.exe 305661856BF8F703CCE08F7C19568007:6EB165B849E7EFA817C4AD99A6E9293700D6A3CA NA NA NA ipxroute   (from a trusted Win2k3 system)

ipxroute -- show the IPX routing tables

NOTE: ipxroute.exe makes a socket connection to TCP port 135 of the machine it is run on

OT 2k3\nbtstat.exe 11271082BE62CDFA1AB6C6C9E24A5EC4:B0D96DB86072DD32E964E3DF69880C55BC06E895 NA NA NA nbtstat   (from a trusted Win2k3 system)

nbtstat -- displays the NetBIOS name table of the local computer

OT 2k3\at.exe 420942C21EB2EAB46B320EB569202756:503D13566FF241CD55BA840E2D8EF4D5FC67933B NA NA NA at   (from a trusted Win2k3 system)

at -- shows user scheduled tasks to be performed at a later date and time

OT 2k3\doskey.exe E24256B937FC47B19D798E234E1A6E7D:68DEA96354E07A041ACE3166EBBB9DF879CB9FA3 NA NA NA doskey   (from a trusted Win2k3 system)

doskey -- displays MS-DOS command history for a system

OT 2k3\tasklist.exe 3D565F8F2B6090D6D9B107707BDCE8A7:A54A3810432743AA7CFFF5619B2B0F9EFCAC3F28 NA NA NA tasklist   (from a trusted Win2k3 system)

tasklist -- displays a list of application(s) and associated task(s)/process(es)

OT 2k3\schtasks.exe BACBF4AEF04FA93509B9E966D08280C3:80C78FA9378F81D799E09BDD35FA5F4951DA980C NA NA NA schtasks   (from a trusted Win2k3 system)

schtasks -- displays all scheduled tasks

OT 2k3\gpresult.exe 21A77297D26E7E959FF8766447A6F5E4:E2DF0769B9E9959E71E2038F1AA7A2D8C71630B1 NA NA NA gpresult   (from a trusted Win2k3 system)

gpresult -- displays information about how Group Policy has affected the current computer and any users who are logged on to the current computer

#########################
# OS SPECIFIC FILES: XP #
#############################################################################
OT xp\cmd.exe EEB024F2C81F0D55936FB825D21A91D6:DD47FF16176412EC2E170CDA441B4A220FF52F46 NA NA NA cmd   (from a trusted WinXP system)

cmd -- shell from a trusted system

OT xp\mem.exe 390762963E6B4C861E5E0CA5A3E56E40:E15DCC14576EFAC976E94FC0B65496007D541C75 NA NA NA mem   (from a trusted WinXP system)

mem -- displays status of programs currently loaded in memory

OT xp\hostname.exe 13253731D13168EF06DCA97F70AD57CC:12FBF1B9D28D4340471AE68CBA0CBA93DB9C9F86 NA NA NA hostname   (from a trusted WinXP system)

hostname -- set or print name of current host system

OT xp\net.exe 29ED429A12DEEAEE5E40307C5215E8D8:4069BA1D5314124D6FAA4DC84227F424CC3CE0DB NA NA NA net   (from a trusted WinXP system)

net -- lists domain info for the computer

OT xp\ipconfig.exe 7F7C195E9E5E81EB7F39A32CD7D637CF:2B804D6E9263952DABB47F951B7AA7CB753583FE NA NA NA ipconfig   (from a trusted WinXP system)

ipconfig -- show network interface configuration information

OT xp\arp.exe 33F9B0E02D9D93F920605D02FB53F3FD:4A22E401AD5ADB7B3DE8F819E86D8461D764D195 NA NA NA arp   (from a trusted WinXP system)

arp -- displays entries in the Address Resolution Protocol (ARP) cache

OT xp\route.exe 67D442F0DBEE60CFB43F821B554F44F6:31282AD39FD1A06A4A4DE7462EC48B0366308832 NA NA NA route   (from a trusted WinXP system)

route -- displays routing table information

OT xp\netstat.exe 368314E76FC8C0C05E4BA52A91807C31:1519393638939F583A5EAF9921D1CD9B930A0453 NA NA NA netstat   (from a trusted WinXP system)

netstat -- displays all connections and listening ports

OT xp\ipxroute.exe A57F40DC553A2D63438668AABC99344F:A81EF0146D563F97150BCED20C2D0B8271641087 NA NA NA ipxroute   (from a trusted WinXP system)

ipxroute -- show the IPX routing tables

NOTE: ipxroute.exe makes a socket connection to TCP port 135 of the machine it is run on

OT xp\nbtstat.exe 4827686E0DAE2C302B02578DF7941B15:CB20A0AE926C2558FDE46853345C310E7943B075 NA NA NA nbtstat   (from a trusted WinXP system)

nbtstat -- displays the NetBIOS name table of the local computer

OT xp\at.exe 9BDF13167FBEF8DA3A4E9A558B169E5E:9093ADAC07776A7C71B8B795B46A5D9F13F41E95 NA NA NA at   (from a trusted WinXP system)

at -- shows user scheduled tasks to be performed at a later date and time

OT xp\doskey.exe D7325A9F12013345434E1CC58B58D98C:3B3F03F8BE8E341A3E655A3CAE837DFA34C7D35F NA NA NA doskey   (from a trusted WinXP system)

doskey -- displays MS-DOS command history for a system

OT xp\tasklist.exe 70363A3228DF8FC8CFF4E78F36B31C45:67A3482B629B1EE013DA449112D3D24AAD6FA957 NA NA NA tasklist   (from a trusted WinXP system)

tasklist -- displays a list of application(s) and associated task(s)/process(es)

OT xp\schtasks.exe 86E33A8D9174DB2DB5001D0FD5DCFB8D:154C1F0D675518A44B415D274E62FB28F7BDF439 NA NA NA schtasks   (from a trusted WinXP system)

schtasks -- displays all scheduled tasks

OT xp\gpresult.exe AB25F5F8899CC9E37B0E436D1B4E0149:BB68201597B1107CB8A6A26575C676B6318042C9 NA NA NA gpresult   (from a trusted WinXP system)

gpresult -- displays information about how Group Policy has affected the current computer and any users who are logged on to the current computer

############################
# OS SPECIFIC FILES: VISTA #
#############################################################################
OT vista\cmd.exe 349CD4318E6E351C9BB72EE13B7CA807:ABC46ECB05534D731519A9D03C310FC92A76D92E NA NA NA cmd   (from a trusted Vista system)

cmd -- shell from a trusted system

OT vista\mem.exe 390762963E6B4C861E5E0CA5A3E56E40:E15DCC14576EFAC976E94FC0B65496007D541C75 NA NA NA mem   (from a trusted Vista system)

mem -- displays status of programs currently loaded in memory

OT vista\hostname.exe 5C76F26D8DDB400A59150CA3F1F73C79:9584B81479A755FDFC3684B1B4C50A7F35F95EBD NA NA NA hostname   (from a trusted Vista system)

hostname -- set or print name of current host system

OT vista\net.exe 429C8DE2605EA988063DA9C72DB63766:A63E449DD644381D588EBC289E615981B4DF2270 NA NA NA net   (from a trusted Vista system)

net -- lists domain info for the computer

OT vista\ipconfig.exe 1FA8C5689C2227010178F88B70307887:666003CE19C1018D77C076ECC413404742ED80C8 NA NA NA ipconfig   (from a trusted Vista system)

ipconfig -- show network interface configuration information

OT vista\arp.exe 804B01B317D4B7DB3CCC569506082C4A:DBE26E080C89C3E59D81B6CC3B58839ED914B83D NA NA NA arp   (from a trusted Vista system)

arp -- displays entries in the Address Resolution Protocol (ARP) cache

OT vista\route.exe 6DF657C4333AEB324DC2DE373E6456F6:9016D62590880E8C0F3D72B4D0AD269B826CA9BD NA NA NA route   (from a trusted Vista system)

route -- displays routing table information

OT vista\netstat.exe 47B3C7471C0E5C0518EC1E1159CDB4FD:70248C175669BE12767523355DB6D891F2D3B06C NA NA NA netstat   (from a trusted Vista system)

netstat -- displays all connections and listening ports

#OT vista\ipxroute.exe 00000000000000000000000000000000:0000000000000000000000000000000000000000 NA NA NA ipxroute   (from a trusted Vista system)

ipxroute -- show the IPX routing tables

NOTE: ipxroute.exe makes a socket connection to TCP port 135 of the machine it is run on

OT vista\nbtstat.exe 1D2C64D5F935837B79B4781FF5B20B6D:7FFACEDB6088AE913F42B88B01AD07D9984B9676 NA NA NA nbtstat   (from a trusted Vista system)

nbtstat -- displays the NetBIOS name table of the local computer

OT vista\at.exe 7A50F0FA2B7F29F2301AF3F4BC494FA9:DE1B205E60F231869F30CBCDF7A5CF780DB51A0F NA NA NA at   (from a trusted Vista system)

at -- shows user scheduled tasks to be performed at a later date and time

OT vista\doskey.exe 3D29C06DC4A59E7CC0175E9BAA603795:29CA62418F46BDB18EDBF1F874DA4A67E802042D NA NA NA doskey   (from a trusted Vista system)

doskey -- displays MS-DOS command history for a system

OT vista\tasklist.exe 92CA46487CA87C7883682E1620F26A24:42D3CEEECC82BA05F88BAD932A463541D4EE38DC NA NA NA tasklist   (from a trusted Vista system)

tasklist -- displays a list of application(s) and associated task(s)/process(es)

OT vista\schtasks.exe AADEF985C9ABDC7F9A459BAAFB561BE8:A6440AB4124530BE53F0A00C1F9644DC60FC0B30 NA NA NA schtasks   (from a trusted Vista system)

schtasks -- displays all scheduled tasks

OT vista\gpresult.exe A4B84B0D5E73657FF24C19C12E6ED29B:5D5690AE0761C151B6DCA60AB635C74D0A528AA4 NA NA NA gpresult   (from a trusted Vista system)

gpresult -- displays information about how Group Policy has affected the current computer and any users who are logged on to the current computer

#########
# START #
#############################################################################
M NA NA NA NA START NA
EVHT 2k\res_kit\now.exe 1CD2DF306E25FBDDF653A9D9B5DC8A41:78C906DF8D6E1EC450708C8A0AF2E51EA8751333 <%toolpath%><%executable%> "Starting WFT Run..." > <%dst%><%output%> start START TIME now   (http://support.microsoft.com/kb/927229)

now -- displays the current date and time to stdout with optional message

#EVHT foolmoon\fmnow.exe 620C36C07933DBFBCFAF1FE6080492EC:848C491299BBD24CFB07EDF959C00EA98E297C73 <%toolpath%><%executable%> "Starting WFT Run..." > <%dst%><%output%> start_fm START TIME fmnow   (http://www.foolmoon.net/security/fmtools/)

fmnow -- displays the current date and time to stdout with optional message

##########
# MEMORY #
#############################################################################
M NA NA NA NA MEMORY NA
# this is a hack to make dd not run in 2k3 - mdm
#OV 2k\..\fau\getopt.dll 0D6F71B9B44C6DA0D71707BF9548C30C:749208934E4011F94667A46645EB75385B47CB4D NA NA NA Required by dd.exe
#OV 2k\..\fau\msvcr70.dll 9972A6ED4F2388DBFA8E0A96F6F3FDF1:61B8F573DB448AE6351AE3475C2E7C482D81533C NA NA NA Required by dd.exe
#OEVHSTIP 2k\..\fau\dd.exe DB5753A1672DF50746807C1870BE1009:B76DD919335B1FE0AA56BB22A75119846CF3D8A3 <%toolpath%><%executable%> conv=noerror if=\\.\PhysicalMemory of=<%dst%><%output%> dd_img DD MEMORY DUMP dd   (http://users.erols.com/gmgarner/forensics/)

dd -- copies physical memory (or partitions) to a file

NOTE: dd is known to hang on some systems

NOTE: dd will not run properly on Win2k3 with current service pack load

#OV xp\..\fau\getopt.dll 0D6F71B9B44C6DA0D71707BF9548C30C:749208934E4011F94667A46645EB75385B47CB4D NA NA NA Required by dd.exe
#OV xp\..\fau\msvcr70.dll 9972A6ED4F2388DBFA8E0A96F6F3FDF1:61B8F573DB448AE6351AE3475C2E7C482D81533C NA NA NA Required by dd.exe
#OEVHSTIP xp\..\fau\dd.exe DB5753A1672DF50746807C1870BE1009:B76DD919335B1FE0AA56BB22A75119846CF3D8A3 <%toolpath%><%executable%> conv=noerror if=\\.\PhysicalMemory of=<%dst%><%output%> dd_img DD MEMORY DUMP dd   (http://users.erols.com/gmgarner/forensics/)

dd -- copies physical memory (or partitions) to a file

NOTE: dd is known to hang on some systems

NOTE: dd will not run properly on Win2k3 with current service pack load

#OEVHSTWR 2k\..\sysinternals\strings.exe 8FF243BDF3C47559ADABE8E3521B97E1:66A72D34CC7A1B3162A90CA46A959A30ACE65444 <%toolpath%><%executable%> <%dst%>dd_img.txt > <%dst%><%output%> dd_string DD STRINGS strings   (http://www.microsoft.com/technet/sysinternals/utilities/Strings.mspx)

strings -- finds UNICODE or ASCII strings of 3 or more characters (the default minimum length) in the memory image written by dd

#OEVHSTWR xp\..\sysinternals\strings.exe 8FF243BDF3C47559ADABE8E3521B97E1:66A72D34CC7A1B3162A90CA46A959A30ACE65444 <%toolpath%><%executable%> <%dst%>dd_img.txt > <%dst%><%output%> dd_string DD STRINGS strings   (http://www.microsoft.com/technet/sysinternals/utilities/Strings.mspx)

strings -- finds UNICODE or ASCII strings of 3 or more characters (the default minimum length) in the memory image written by dd

EVHTI unxutils\pclip.exe 1C35D256AC672A8738D5A172C06CC125:8E88AA790A7A23C27D41A6A0B4D74F36D75EAD93 <%toolpath%><%executable%> > <%dst%><%output%> pclip PCCLIP pclip   (http://unxutils.sourceforge.net)

pclip -- displays the content of the Windows clipboard

NOTE: pclip will return an error if there is no text on the clipboard

#EVHT foolmoon\fmclip.exe A767322F225C970E4C021F933149C0B2:1C4A560EB14ACD1EA3A43CC2741690DF5E3EB8A3 <%toolpath%><%executable%> > <%dst%><%output%> fmclip FMCLIP fmclip   (http://www.foolmoon.net/security/fmtools/)

fmclip -- displays the content of the Windows clipboard

OEVH <%os%>\mem.exe NA <%toolpath%><%executable%> /p > <%dst%><%output%> MEM_P MEM_P mem   (from a trusted system)

mem -- displays status of programs currently loaded in memory

OEVH <%os%>\mem.exe NA <%toolpath%><%executable%> /d > <%dst%><%output%> MEM_D MEM_D mem   (from a trusted system)

mem -- displays status of programs, internal drivers, and other information

############
# MAC TIME #
#############################################################################
M NA NA NA NA MAC TIME NA
EVHSW <%shell%> NA <%shell%> /C dir <%drive%>:\ /S /OD /TA > <%dst%><%output%> <%drive%>_atime LAST ACCESSED <%drive%> dir   (from a trusted system)

dir -- show last access time based file listing

EVHSW <%shell%> NA <%shell%> /C dir <%drive%>:\ /S /OD /TC > <%dst%><%output%> <%drive%>_ctime LAST CREATED <%drive%> dir   (from a trusted system)

dir -- show last created time based file listing

EVHSW <%shell%> NA <%shell%> /C dir <%drive%>:\ /S /OD /TW > <%dst%><%output%> <%drive%>_mtime LAST MODIFIED <%drive%> dir   (from a trusted system)

dir -- show last modified (written) time based file listing

V perl\p2x561.dll AB773B261948B8D1DED5454DB66CBB41:9DCA9E52AE0E12701F0D7494440214FDABF963A1 NA NA NA Required by mac.exe
EVHSWT perl\mac.exe 388631FC7DD59959A26F246FC37034FA:10BCCCFE735A8018B3F2E5E0EE28700C05782879 <%toolpath%><%executable%> -d <%drive%>:\ -s > <%dst%><%output%> <%drive%>_mac MAC <%drive%> mac   (Graciously provided by Harlan Carvey)

mac -- retrieves file MAC times from Windows systems
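The MAC TIME entries above write three separate `dir /S /OD` listings per drive (last accessed, created, written) that are awkward to read side by side. The Python below is an added example written for this page, not part of WFT or of Harlan Carvey's mac.exe: it parses those listings into one chronological timeline and flags files whose created time is newer than their modified time, the pattern a file copied onto the system leaves on NTFS. It assumes the en-US `dir` layout (MM/DD/YYYY hh:mm AM/PM; other locales print different formats), and the listings it reads are constructed for the example.

```python
import re
from datetime import datetime

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
DIR_ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")

def parse_dir_listing(text):
    """Map full path -> (timestamp, size) from one 'dir /S' listing; size is None for directories."""
    entries, cwd = {}, None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            cwd = header.group(1).rstrip("\\")
            continue
        m = DIR_ENTRY.match(line)
        if not m or cwd is None or m.group(4) in (".", ".."):
            continue
        when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M %p")
        size = None if m.group(3) == "<DIR>" else int(m.group(3).replace(",", ""))
        entries[f"{cwd}\\{m.group(4)}"] = (when, size)
    return entries

def build_timeline(atime_txt, ctime_txt, mtime_txt):
    """Merge the three listings into [(timestamp, 'A'|'C'|'M', path, size)], oldest first."""
    events = []
    for flag, text in (("A", atime_txt), ("C", ctime_txt), ("M", mtime_txt)):
        for path, (when, size) in parse_dir_listing(text).items():
            events.append((when, flag, path, size))
    events.sort()
    return events

def created_after_modified(events):
    """Paths whose created time is newer than their modified time. NTFS keeps the modified
    time of a copied file but stamps a fresh created time, so this pattern points at files
    dropped onto the box after the fact (a lead to examine, not proof on its own)."""
    times = {}
    for when, flag, path, _ in events:
        times.setdefault(path, {})[flag] = when
    return sorted(p for p, t in times.items() if "C" in t and "M" in t and t["C"] > t["M"])

def fake_listing(rows):
    """Constructed 'dir /S' output in en-US layout; rows = [(directory, [(date, time, size, name), ...])]."""
    lines = [" Volume in drive C has no label.", ""]
    for directory, files in rows:
        lines += [f" Directory of {directory}", ""]
        for date, time, size, name in files:
            col = "<DIR>" if size is None else f"{size:,}"
            lines.append(f"{date}  {time}    {col:>14} {name}")
        lines.append("")
    return "\n".join(lines)

# Constructed sample of what C_atime.txt, C_ctime.txt and C_mtime.txt might hold after a run.
ROOT, WIN = "C:\\", "C:\\WINDOWS"
ATIME = fake_listing([(ROOT, [("03/12/2008", "09:15 AM", None, "WINDOWS"), ("06/30/2008", "11:40 PM", 45056, "boot.ini")]),
                      (WIN, [("03/12/2008", "09:15 AM", None, "."), ("07/01/2008", "02:10 AM", 69120, "notepad.exe"),
                             ("07/01/2008", "02:11 AM", 12288, "svch0st.exe")])])
CTIME = fake_listing([(ROOT, [("03/12/2008", "09:15 AM", None, "WINDOWS"), ("03/12/2008", "09:20 AM", 45056, "boot.ini")]),
                      (WIN, [("03/12/2008", "09:15 AM", None, "."), ("03/12/2008", "09:15 AM", 69120, "notepad.exe"),
                             ("07/01/2008", "02:09 AM", 12288, "svch0st.exe")])])
MTIME = fake_listing([(ROOT, [("07/01/2008", "02:09 AM", None, "WINDOWS"), ("03/12/2008", "09:20 AM", 45056, "boot.ini")]),
                      (WIN, [("07/01/2008", "02:09 AM", None, "."), ("04/14/2008", "12:00 PM", 69120, "notepad.exe"),
                             ("08/04/2004", "12:00 PM", 12288, "svch0st.exe")])])

if __name__ == "__main__":
    timeline = build_timeline(ATIME, CTIME, MTIME)
    for when, flag, path, size in timeline:
        print(when.strftime("%Y-%m-%d %H:%M"), flag, path, "" if size is None else size)
    print("created after modified:", created_after_modified(timeline))
```

Point the three arguments of build_timeline at the <%drive%>_atime, _ctime and _mtime files from a run to get one timeline for the drive. Remember that the atime listing is the least reliable of the three: WFT's own collection touches files, and the listing is taken after the tools above it have already run.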

###############
# SYSTEM INFO #
#############################################################################
M NA NA NA NA SYSTEM INFO NA
EVHTWR sysinternals\psinfo.exe 797D6659261D6E6D31AA6086A90B971A:E9DED0617C1F02EE28DD041AEE788531D762D475 <%toolpath%><%executable%> -d -s -h > <%dst%><%output%> psinfo PSINFO psinfo   (http://www.microsoft.com/technet/sysinternals/utilities/PsTools.mspx)

psinfo -- list information about a system including disks, hotfixes, and installed software

OEVH <%os%>\hostname.exe NA <%toolpath%><%executable%> > <%dst%><%output%> hostname HOSTNAME hostname   (from a trusted system)

hostname -- set or print name of current host system

EVHT unxutils\uname.exe 463CFAC34C9BD65C77BD98C529DF845A:2E2EA8D304A348993AA08749608DD2A7AC860600 <%toolpath%><%executable%> -a > <%dst%><%output%> uname UNAME uname   (http://unxutils.sourceforge.net)

uname -- identify the current system

EVH <%shell%> NA <%shell%> /C ver > <%dst%><%output%> ver OS VERSION ver   (from a trusted system)

ver -- show the operating system version number

EVH <%shell%> NA <%shell%> /C set > <%dst%><%output%> environm ENVIRONMENT set   (from a trusted system)

set -- displays environment variables

#EVHT foolmoon\fmuptime.exe BFEA567C73B87ACDB41F7576FE1BA2D6:6E6A4151196A4246CA484C1B3DDF151234F8F080 <%toolpath%><%executable%> > <%dst%><%output%> fmuptime UPTIME fmuptime   (http://www.foolmoon.net/security/fmtools/)

fmuptime -- show how long system has been up

# this is a hack to make uptime not run in Vista - mdm
OEVHSTI 2k\..\microsoft\uptime.exe 415EDA8D64E4B487A78218212F5DB282:B565A5B717497950B2B96B8A1EF809F2509F754E <%toolpath%><%executable%> > <%dst%><%output%> uptime UPTIME uptime   (http://support.microsoft.com/kb/q232243/)

uptime -- show how long system has been up

NOTE: uptime.exe makes a socket connection to TCP port 135 of the machine it is run on

OEVHSTI 2k3\..\microsoft\uptime.exe 415EDA8D64E4B487A78218212F5DB282:B565A5B717497950B2B96B8A1EF809F2509F754E <%toolpath%><%executable%> > <%dst%><%output%> uptime UPTIME uptime   (http://support.microsoft.com/kb/q232243/)

uptime -- show how long system has been up

NOTE: uptime.exe makes a socket connection to TCP port 135 of the machine it is run on

OEVHSTI xp\..\microsoft\uptime.exe 415EDA8D64E4B487A78218212F5DB282:B565A5B717497950B2B96B8A1EF809F2509F754E <%toolpath%><%executable%> > <%dst%><%output%> uptime UPTIME uptime   (http://support.microsoft.com/kb/q232243/)

uptime -- show how long system has been up

NOTE: uptime.exe makes a socket connection to TCP port 135 of the machine it is run on

OEVHSI 2k\..\microsoft\uptime.exe 415EDA8D64E4B487A78218212F5DB282:B565A5B717497950B2B96B8A1EF809F2509F754E <%toolpath%><%executable%> /a > <%dst%><%output%> uptime_h UPTIME HISTORICAL uptime   (http://support.microsoft.com/kb/q232243/)

uptime -- show how long system has been up historically

NOTE: uptime.exe makes a socket connection to TCP port 135 of the machine it is run on

OEVHSI 2k3\..\microsoft\uptime.exe 415EDA8D64E4B487A78218212F5DB282:B565A5B717497950B2B96B8A1EF809F2509F754E <%toolpath%><%executable%> /a > <%dst%><%output%> uptime_h UPTIME HISTORICAL uptime   (http://support.microsoft.com/kb/q232243/)

uptime -- show how long system has been up historically

NOTE: uptime.exe makes a socket connection to TCP port 135 of the machine it is run on

OEVHSI xp\..\microsoft\uptime.exe 415EDA8D64E4B487A78218212F5DB282:B565A5B717497950B2B96B8A1EF809F2509F754E <%toolpath%><%executable%> /a > <%dst%><%output%> uptime_h UPTIME HISTORICAL uptime   (http://support.microsoft.com/kb/q232243/)

uptime -- show how long system has been up historically

NOTE: uptime.exe makes a socket connection to TCP port 135 of the machine it is run on

# retired psuptime in favor of psinfo - mdm
#EVHSTI sysinternals\psuptime.exe D431832DE90CB994B41FE30B0543910F:1D72BB6243BDF514CE118798A19273B92B4FF857 <%toolpath%><%executable%> > <%dst%><%output%> psuptime PSUPTIME psuptime   (http://www.microsoft.com/technet/sysinternals/utilities/PsTools.mspx) [No Longer Available]

psuptime -- shows you how long a system has been running since its last reboot (psuptime's functionality has been included in psinfo.exe)

NOTE: psuptime.exe makes a socket connection to TCP port 135 of the machine it is run on

EVHT unxutils\whoami.exe D166374D267A2B4CF8F5E00ABE8BEDF1:11D1CB7B822AD4829ED9E781F309544CFF2B87C4 <%toolpath%><%executable%> > <%dst%><%output%> whoami WHOAMI whoami   (http://unxutils.sourceforge.net)

whoami -- display the effective current username

OEVHW <%os%>\net.exe NA <%toolpath%><%executable%> config rdr > <%dst%><%output%> netdom NET DOMAIN net   (from a trusted system)

net -- lists domain info for the computer

OEVHW <%os%>\net.exe NA <%toolpath%><%executable%> user > <%dst%><%output%> netuser NET USER net   (from a trusted system)

net -- lists the user accounts for the computer

OEVHW <%os%>\net.exe NA <%toolpath%><%executable%> group > <%dst%><%output%> netgroup NET GROUP net   (from a trusted system)

net -- displays the groups for the domain

OEVHW <%os%>\net.exe NA <%toolpath%><%executable%> localgroup > <%dst%><%output%> netlgrp NET LOCALGROUP net   (from a trusted system)

net -- displays the groups for the local computer

OEVHW <%os%>\net.exe NA <%toolpath%><%executable%> accounts > <%dst%><%output%> netacct NET ACCOUNTS net   (from a trusted system)

net -- displays the current settings for password, logon limitations, and domain information

OEVHW <%os%>\net.exe NA <%toolpath%><%executable%> accounts /domain > <%dst%><%output%> netacctdom NET DOMAIN ACCOUNTS net   (from a trusted system)

net -- displays the current domain settings for password, logon limitations, and domain information

EVHTW 2k\res_kit\auditpol.exe 2F0050F870B2D49E0880334E4938D528:095915E8067493DABE5031331E78B56374024229 <%toolpath%><%executable%> > <%dst%><%output%> auditpol AUDIT POLICY auditpol   (from Windows 2000 Resource Kit)

auditpol -- enables the user to modify the audit policy of the local computer or of any remote computer

#############
# PROCESSES #
#############################################################################
M NA NA NA NA PROCESSES NA
EVHTWR sysinternals\pslist.exe 61FD7759F215F9F88AE88525FD30AF21:4EAA84860FB53692856F01190C8A63C9C6D856B2 <%toolpath%><%executable%> > <%dst%><%output%> pslist PSLIST pslist   (http://www.microsoft.com/technet/sysinternals/utilities/PsTools.mspx)

pslist -- list detailed information about processes

OEVHTIP 2k\res_kit\pulist.exe DD0F6344D230C12DF30A32E430F6B1B3:E78F68B7C1AD04252238A448EF6E2A923D139258 <%toolpath%><%executable%> > <%dst%><%output%> pulist PULIST pulist   (http://support.microsoft.com/kb/927229)

pulist -- displays processes running on local or remote computers

NOTE: pulist is incompatible with WinXP but runs in Win2k and Win2k3

NOTE: pslist and tlist report similar information (just not as pretty)

# this is a hack to make pulist also run in 2k3 - mdm
OEVHTIP 2k3\..\2k\res_kit\pulist.exe DD0F6344D230C12DF30A32E430F6B1B3:E78F68B7C1AD04252238A448EF6E2A923D139258 <%toolpath%><%executable%> > <%dst%><%output%> pulist PULIST pulist   (http://support.microsoft.com/kb/927229)

pulist -- displays processes running on local or remote computers

NOTE: pulist is incompatible with WinXP but runs in Win2k and Win2k3

NOTE: pslist and tlist report similar information (just not as pretty)

EVHSTIPWR sysinternals\listdlls.exe 6DB9565378D0268DCD88288C5E961611:BC1FA1A7769481156B18841C4829B90FC233323E <%toolpath%><%executable%> > <%dst%><%output%> listdlls LISTDLLS listdlls   (http://www.microsoft.com/technet/sysinternals/utilities/ListDlls.mspx)

listdlls -- list all the DLLs that are currently loaded, their location, and version numbers

NOTE: listdlls is known to hang when cygrunsrv.exe and sshd.exe (i.e. the Cygwin OpenSSH port) are running, but continues if these are killed via Task Manager

V cygwin\cygwin1.dll E8CD5A2BA5D93ACCE6C28C26BF5717FB:F65E58D61777E459F5B6C783C3A940469216815C NA NA NA Required by ps.exe
EVHT cygwin\ps.exe 52C2ABBC6ACB9C8A48BF200617214A9D:88FCF4BB0F8F447665D5867AC19DC5CF620EC1D6 <%toolpath%><%executable%> -ealW > <%dst%><%output%> ps PS ps   (http://www.cygwin.com)

ps -- report process status

EVHT 2k\res_kit\pstat.exe 83C409F2459F565EC259E021BD23B0F2:3CAE936B6C6B420D4686FD24B3936FD92CEB6298 <%toolpath%><%executable%> > <%dst%><%output%> pstat PSTAT pstat   (http://support.microsoft.com/kb/927229)

pstat -- lists all running threads and displays their status

EVHT microsoft\tlist.exe 48115E59978975D7E6B7109EAA1678CA:73F48A04C123AD367C1C1E40C2F5FA016D866150 <%toolpath%><%executable%> -v > <%dst%><%output%> tlist_v TLIST tlist   (http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx)

tlist -- list verbose information about processes

NOTE: this is the tlist from the Windows Debug tools

EVH microsoft\tlist.exe 48115E59978975D7E6B7109EAA1678CA:73F48A04C123AD367C1C1E40C2F5FA016D866150 <%toolpath%><%executable%> -s > <%dst%><%output%> tlist_s TLIST tlist   (http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx)

tlist -- list service information about processes

NOTE: this is the tlist from the Windows Debug tools

EVH microsoft\tlist.exe 48115E59978975D7E6B7109EAA1678CA:73F48A04C123AD367C1C1E40C2F5FA016D866150 <%toolpath%><%executable%> -c > <%dst%><%output%> tlist_c TLIST tlist   (http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx)

tlist -- list command line information about processes

NOTE: this is the tlist from the Windows Debug tools

EVHT diamondcs\cmdline.exe 2D75635F4FAB479E3385DC0A1EE51F36:FAB9488FCF1CA875C6B33499A572A3A58F9A4825 <%toolpath%><%executable%> > <%dst%><%output%> cmdline CMDLINE cmdline   (http://www.diamondcs.com.au/index.php?page=console-cmdline)

cmdline -- list running processes, the full path to the executable, and any command line parameters

EVHTWR sysinternals\handle.exe 8D4150A8B6DD5B25577D4E39EE0DD6D8:FE92B96817918739AA6DF62C8D27634EF6741197 <%toolpath%><%executable%> -a > <%dst%><%output%> handle PROCESS HANDLES handle   (http://www.microsoft.com/technet/sysinternals/utilities/Handle.mspx)

handle -- list all processes and open handles

EVHT winfingerprint\procinterrogate.exe 59F4952531F1E90F566E0ACE739D8E8A:DA8504B62E6CD9AD89B8B79BAF315FAA9F13462E <%toolpath%><%executable%> -list > <%dst%><%output%> procinterrogate PROCINTERROGATE procinterrogate   (http://winfingerprint.com)

procinterrogate -- lists all processes, process ids, and their associated dlls

############
# SERVICES #
#############################################################################
M NA NA NA NA SERVICES NA
EVHTWR sysinternals\psservice.exe 5115187A2CC3AD6F983BF8DD6EFA3969:18FEB43076F69230ADA1D2BA593B82EFABC3FA0A <%toolpath%><%executable%> > <%dst%><%output%> psservice PSSERVICE psservice   (http://www.microsoft.com/technet/sysinternals/utilities/PsTools.mspx)

psservice -- view and control services

EVHT 2k\res_kit\sc.exe 0C264A329931469DD50EDB6AE446C45A:7689649C32075B50030CF132486872D230B21BDE <%toolpath%><%executable%> queryex > <%dst%><%output%> sc_query_ex SC sc   (http://www.microsoft.com/downloads/details.aspx?familyid=3E972E9A-E08A-49A2-9D3A-C0519479E85A&displaylang=en)

sc -- list extended information for installed services

NOTE: psservice.exe and sc.exe query obtain nearly identical information, but sc only queries active (running) services

OEVH <%os%>\net.exe NA <%toolpath%><%executable%> start > <%dst%><%output%> netstart NET START net   (from a trusted system)

net -- lists running services

EVHT netlatency\servicelist.exe EF97AA16ADE0A9F531F0EA8AA88F001D:13BE390FFD8064AAA1497EC165C71736B1121B06 <%toolpath%><%executable%> \\127.0.0.1 > <%dst%><%output%> srvc SERVICELIST servicelist   (http://www.pathsolutions.com/support/tools.asp)

servicelist -- list running services on a system

# this is a hack to make tasklist not run in 2k - mdm
OEVH 2k3\tasklist.exe NA <%toolpath%><%executable%> /v > <%dst%><%output%> TaskList_v TASKLIST V tasklist   (from a trusted system)

tasklist -- displays a list of application(s) and associated task(s)/process(es) verbosely

OEVH 2k3\tasklist.exe NA <%toolpath%><%executable%> /svc > <%dst%><%output%> TaskList_svc TASKLIST SVC tasklist   (from a trusted system)

tasklist -- displays a list of application(s) and associated task(s)/process(es)

OEVH xp\tasklist.exe NA <%toolpath%><%executable%> /v > <%dst%><%output%> TaskList_v TASKLIST V tasklist   (from a trusted system)

tasklist -- displays a list of application(s) and associated task(s)/process(es) verbosely

OEVH xp\tasklist.exe NA <%toolpath%><%executable%> /svc > <%dst%><%output%> TaskList_svc TASKLIST SVC tasklist   (from a trusted system)

tasklist -- displays a list of application(s) and associated task(s)/process(es)

OEVH vista\tasklist.exe NA <%toolpath%><%executable%> /v > <%dst%><%output%> TaskList_v TASKLIST V tasklist   (from a trusted system)

tasklist -- displays a list of application(s) and associated task(s)/process(es) verbosely

OEVH vista\tasklist.exe NA <%toolpath%><%executable%> /svc > <%dst%><%output%> TaskList_svc TASKLIST SVC tasklist   (from a trusted system)

tasklist -- displays a list of application(s) and associated task(s)/process(es)

###########
# DRIVERS #
#############################################################################
M NA NA NA NA DRIVERS NA
EVHT 2k\res_kit\drivers.exe 43E2B940767D4F671A7D27A7B29D8A22:3C399FAADF8E97A95443869C4C7A1830BAD197A5 <%toolpath%><%executable%> > <%dst%><%output%> drivers DRIVERS drivers   (http://support.microsoft.com/kb/927229)

drivers -- list information for installed drivers

################
# NETWORK INFO #
#############################################################################
M NA NA NA NA NETWORK INFO NA
OEVH <%os%>\ipconfig.exe NA <%toolpath%><%executable%> /all > <%dst%><%output%> ipconfig IPCONFIG ipconfig   (from a trusted system)

ipconfig -- show network interface configuration information

EVHT diamondcs\iplist.exe 501008D70AEF2B7E4E010DB29E561598:F7ED4CD4F8C8DFF84AB24E793CFAE946799AB446 <%toolpath%><%executable%> > <%dst%><%output%> iplist IPLIST iplist   (http://www.diamondcs.com.au/index.php?page=console)

iplist -- list all IP interfaces

OEVH <%os%>\arp.exe NA <%toolpath%><%executable%> -a > <%dst%><%output%> arp ARP arp   (from a trusted system)

arp -- displays entries in the Address Resolution Protocol (ARP) cache

OEVH <%os%>\route.exe NA <%toolpath%><%executable%> print > <%dst%><%output%> rtable ROUTE route   (from a trusted system)

route -- displays routing table information

OEVH <%os%>\netstat.exe NA <%toolpath%><%executable%> -a > <%dst%><%output%> netstat NETSTAT -A netstat   (from a trusted system)

netstat -- displays all connections and listening ports

OEVH <%os%>\netstat.exe NA <%toolpath%><%executable%> -an > <%dst%><%output%> netstatn NETSTAT -AN netstat   (from a trusted system)

netstat -- displays all connection addresses and listening ports in numeric form

EVHT foundstone\fport.exe DBB75488AA2FA22BA6950AEAD1EF30D5:29D2E3C3A9C81274539F7DEE65C337CE37F90202 <%toolpath%><%executable%> > <%dst%><%output%> fport_p FPORT PORT fport   (http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm)

fport -- displays open ports and maps them to the associated application (sorted by port)

EVH foundstone\fport.exe DBB75488AA2FA22BA6950AEAD1EF30D5:29D2E3C3A9C81274539F7DEE65C337CE37F90202 <%toolpath%><%executable%> > <%dst%><%output%> fport_a FPORT APPS fport   (http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm)

fport -- displays open ports and maps them to the associated application (sorted by application)

# this is a hack to make openports not run in Vista - mdm
OEVHT 2k\..\diamondcs\openports.exe A9373778D62495E1C537AD12AB2EFA3D:F9129C3AEEC51D60F84AB4158ADC53F3E5DBD44A <%toolpath%><%executable%> -path -fport > <%dst%><%output%> openports OPENPORTS openports   (http://www.diamondcs.com.au/openports/)

OpenPorts -- identify unknown open ports and their associated applications

NOTE: DiamondCS OpenPorts is free only for personal use, and use in educational institutions

OEVHT 2k3\..\diamondcs\openports.exe A9373778D62495E1C537AD12AB2EFA3D:F9129C3AEEC51D60F84AB4158ADC53F3E5DBD44A <%toolpath%><%executable%> -path -fport > <%dst%><%output%> openports OPENPORTS openports   (http://www.diamondcs.com.au/openports/)

OpenPorts -- identify unknown open ports and their associated applications

NOTE: DiamondCS OpenPorts is free only for personal use, and use in educational institutions

OEVHT xp\..\diamondcs\openports.exe A9373778D62495E1C537AD12AB2EFA3D:F9129C3AEEC51D60F84AB4158ADC53F3E5DBD44A <%toolpath%><%executable%> -path -fport > <%dst%><%output%> openports OPENPORTS openports   (http://www.diamondcs.com.au/openports/)

OpenPorts -- identify unknown open ports and their associated applications

NOTE: DiamondCS OpenPorts is free only for personal use, and use in educational institutions

# this is a hack to make ipxroute not run in Vista - mdm
OEVHSI 2k\ipxroute.exe NA <%toolpath%><%executable%> config > <%dst%><%output%> ipxroute IPXROUTE ipxroute   (from a trusted system)

ipxroute -- show the IPX routing tables

NOTE: ipxroute.exe makes a socket connection to TCP port 135 of the machine it is run on

OEVHSI 2k3\ipxroute.exe NA <%toolpath%><%executable%> config > <%dst%><%output%> ipxroute IPXROUTE ipxroute   (from a trusted system)

ipxroute -- show the IPX routing tables

NOTE: ipxroute.exe makes a socket connection to TCP port 135 of the machine it is run on

OEVHSI xp\ipxroute.exe NA <%toolpath%><%executable%> config > <%dst%><%output%> ipxroute IPXROUTE ipxroute   (from a trusted system)

ipxroute -- show the IPX routing tables

NOTE: ipxroute.exe makes a socket connection to TCP port 135 of the machine it is run on

OEVH <%os%>\nbtstat.exe NA <%toolpath%><%executable%> -n > <%dst%><%output%> nbtstatn NETBIOS NAMES nbtstat   (from a trusted system)

nbtstat -- displays the NetBIOS name table of the local computer

OEVH <%os%>\nbtstat.exe NA <%toolpath%><%executable%> -c > <%dst%><%output%> nbtstatc NETBIOS CACHE nbtstat   (from a trusted system)

nbtstat -- displays the contents of the NetBIOS name cache for remote machines

OEVH <%os%>\nbtstat.exe NA <%toolpath%><%executable%> -s > <%dst%><%output%> nbtstats NETBIOS SESSIONS nbtstat   (from a trusted system)

nbtstat -- displays NetBIOS client and server sessions

EVHTI foundstone\hunt.exe 356C4848D606D55BBAA7C7075F5A6E1C:F356C98E3819E3F1B28EE56D30C5FB7CAE03F059 <%toolpath%><%executable%> \\127.0.0.1 > <%dst%><%output%> hunt SHARE ENUM hunt   (http://www.foundstone.com/resources/freetools.htm)

hunt -- SMB share enumerator and admin finder

NOTE: Hunt sometimes fails given an IP address

OEVH <%os%>\net.exe NA <%toolpath%><%executable%> share > <%dst%><%output%> netshare NET SHARE net   (from a trusted system)

net -- lists information about all resources being shared on the computer

OEVH <%os%>\net.exe NA <%toolpath%><%executable%> use > <%dst%><%output%> netuse NET USE net   (from a trusted system)

net -- lists the computer's connections

OEVH <%os%>\net.exe NA <%toolpath%><%executable%> view > <%dst%><%output%> netview NET VIEW net   (from a trusted system)

net -- lists the computers in the current domain

OEVH <%os%>\net.exe NA <%toolpath%><%executable%> session > <%dst%><%output%> netsessi NET SESSION net   (from a trusted system)

net -- displays information about all client and server sessions for the local machine

V perl\p2x588.dll A236999C6D5CF814CD562CFAB4BAB8FA:86D7061CA92EABB642E7637C3B558AEB2EA7718A NA NA NA Required by ndis.exe
V perl\re.dll 6239608ECF09DE1BA88D21635C9C1C6A:D2C10C285A7298E782A2051747E705209BDF6AD3 NA NA NA Required by ndis.exe
V perl\util.dll 6DBEA3D86C51BF65ECBDAF0A91EE5FEA:D23538D686A7C2B40C7F037E818FBB029DB1FBB3 NA NA NA Required by ndis.exe
V perl\ole.dll 08FF61A0FC0509D11D3DD4DDE750311A:83E234A8F1F2940CFB60949612FE16A8FA7469E7 NA NA NA Required by ndis.exe
V perl\cwd.dll 4051A8FF7E38F23C037BCE5378B714AD:FCE71E39D1E7718788D78826D6878BA2CAB87B70 NA NA NA Required by ndis.exe
EVHT perl\ndis.exe BD49690B71C750EA8D9B3B7E784FD897:E1673E29286DCA17089D066886D47DBD6A9FCB1D <%toolpath%><%executable%> > <%dst%><%output%> ndis NDIS ndis   (Graciously provided by Harlan Carvey)

ndis -- used to detect the presence of the WinPcap packet capture device driver

EVHT ntsecurity\promiscdetect.exe 117EC27602980AE13307A7C2021A5D90:00A1D70DA6EF869B5377C56DAC8FF7D4C89F6D2E <%toolpath%><%executable%> > <%dst%><%output%> promiscdetect PROMISCDETECT promiscdetect   (http://www.ntsecurity.nu/toolbox/promiscdetect/)

promiscdetect -- checks whether any local network adapter is running in promiscuous mode (may indicate a sniffer)

##########
# LOGINS #
#############################################################################
M NA NA NA NA LOGINS NA
EVHTWR sysinternals\psloggedon.exe 6500C15F856BBFD0B28BD4EBF6E1662A:A259AE733C29C0780B6842D8072E9D5A609C4D43 <%toolpath%><%executable%> > <%dst%><%output%> psloggedon CURRENT psloggedon   (http://www.microsoft.com/technet/sysinternals/utilities/PsTools.mspx)

psloggedon -- see who's logged on locally and via resource sharing

EVHT systemtools\netusers.exe B01A4D9FBB85B387DD890FCA73C212D3:1CAF5E72ABFC852707DA2CBDAA93FE98CF977EA0 <%toolpath%><%executable%> /local > <%dst%><%output%> netusers_local CURRENT netusers   (http://www.systemtools.com/free.htm)

netusers -- see who's logged on locally and via resource sharing

EVH systemtools\netusers.exe B01A4D9FBB85B387DD890FCA73C212D3:1CAF5E72ABFC852707DA2CBDAA93FE98CF977EA0 <%toolpath%><%executable%> /local /history > <%dst%><%output%> netusers_local_history ALL netusers   (http://www.systemtools.com/free.htm)

netusers -- see all users who have logged on locally and via resource sharing

EVHT foundstone\ntlast.exe 1128A558328023F6006327570C4D201F:1F526DB7B4627DD76FCAF1BAE12D1C2627CFD40D <%toolpath%><%executable%> -v -s > <%dst%><%output%> success SUCCESSFUL ntlast   (http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm)

ntlast -- show last SUCCESSFUL logons

EVH foundstone\ntlast.exe 1128A558328023F6006327570C4D201F:1F526DB7B4627DD76FCAF1BAE12D1C2627CFD40D <%toolpath%><%executable%> -v -f > <%dst%><%output%> failed FAILED ntlast   (http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm)

ntlast -- show last FAILED logons

EVH foundstone\ntlast.exe 1128A558328023F6006327570C4D201F:1F526DB7B4627DD76FCAF1BAE12D1C2627CFD40D <%toolpath%><%executable%> -v -i > <%dst%><%output%> interact INTERACTIVE ntlast   (http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm)

ntlast -- show last INTERACTIVE logons

EVH foundstone\ntlast.exe 1128A558328023F6006327570C4D201F:1F526DB7B4627DD76FCAF1BAE12D1C2627CFD40D <%toolpath%><%executable%> -v -r > <%dst%><%output%> remote REMOTE ntlast   (http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm)

ntlast -- show last REMOTE logons

##############
# EVENT LOGS #
#############################################################################
M NA NA NA NA EVENT LOGS NA
EVHTW 2k\res_kit\dumpel.exe 3C2447E278318C4E6B50D5095E7028E5:594849B0CD325CE8B5B7D77228DA196CDA95574C <%toolpath%><%executable%> -t -l system -f <%dst%><%output%> syslog SYSTEM LOG dumpel   (http://support.microsoft.com/kb/927229)

dumpel -- dumps the SYSTEM Event Log to a tab-separated text file

EVHW 2k\res_kit\dumpel.exe 3C2447E278318C4E6B50D5095E7028E5:594849B0CD325CE8B5B7D77228DA196CDA95574C <%toolpath%><%executable%> -t -l application -f <%dst%><%output%> applog APPLICATION LOG dumpel   (http://support.microsoft.com/kb/927229)

dumpel -- dumps the APPLICATION Event Log to a tab-separated text file

EVHW 2k\res_kit\dumpel.exe 3C2447E278318C4E6B50D5095E7028E5:594849B0CD325CE8B5B7D77228DA196CDA95574C <%toolpath%><%executable%> -t -l security -f <%dst%><%output%> seclog SECURITY LOG dumpel   (http://support.microsoft.com/kb/927229)

dumpel -- dumps the SECURITY Event Log to a tab-separated text file

EVHTWR sysinternals\psloglist.exe BC4F65879BE48DE9A7C2AA075248D846:0168A9AD28F9B73BC50B7D27076D6D11DD8CD49D <%toolpath%><%executable%> > <%dst%><%output%> evtlog EVENT LOG psloglist   (http://www.microsoft.com/technet/sysinternals/utilities/PsTools.mspx)

psloglist -- dump event log records

EVHWR sysinternals\psloglist.exe BC4F65879BE48DE9A7C2AA075248D846:0168A9AD28F9B73BC50B7D27076D6D11DD8CD49D <%toolpath%><%executable%> -s system > <%dst%><%output%> log_sys SYSTEM LOG psloglist   (http://www.microsoft.com/technet/sysinternals/utilities/PsTools.mspx)

psloglist -- dump system event log records

EVHWR sysinternals\psloglist.exe BC4F65879BE48DE9A7C2AA075248D846:0168A9AD28F9B73BC50B7D27076D6D11DD8CD49D <%toolpath%><%executable%> -s application > <%dst%><%output%> log_app APPLICATION LOG psloglist   (http://www.microsoft.com/technet/sysinternals/utilities/PsTools.mspx)

psloglist -- dump application event log records

EVHWR sysinternals\psloglist.exe BC4F65879BE48DE9A7C2AA075248D846:0168A9AD28F9B73BC50B7D27076D6D11DD8CD49D <%toolpath%><%executable%> -s security > <%dst%><%output%> log_Sec SECURITY LOG psloglist   (http://www.microsoft.com/technet/sysinternals/utilities/PsTools.mspx)

psloglist -- dump security event log records

###############
# FILE SYSTEM #
#############################################################################
M NA NA NA NA FILE SYSTEM NA
EVHTWR sysinternals\ntfsinfo.exe C8F3A485E66CBCD3731B22991C85002E:9E01EE6E739B117B7526D27767CDF93CF13C05F5 <%toolpath%><%executable%> <%drive%> > <%dst%><%output%> <%drive%>_ntfsinfo NTFSINFO <%drive%> ntfsinfo   (http://www.microsoft.com/technet/sysinternals/utilities/NtfsInfo.mspx)

ntfsinfo -- shows you information about NTFS volumes

EVHTWR sysinternals\psfile.exe CB623488009F084EC53CB62E45CBCF72:2DCE99C39C59AAD43D24CD6DD4F20D29D8326E55 <%toolpath%><%executable%> > <%dst%><%output%> psfile REMOTE FILES psfile   (http://www.microsoft.com/technet/sysinternals/utilities/PsTools.mspx)

psfile -- shows files opened remotely

OEVH <%os%>\net.exe NA <%toolpath%><%executable%> file > <%dst%><%output%> netfile NET FILE net   (from a trusted system)

net -- lists the open files on a server

EVHSW <%shell%> NA <%shell%> /C tree <%drive%>:\ /F /A > <%dst%><%output%> <%drive%>_filestg FILE TREE <%drive%> tree   (from a trusted system)

tree -- show the location of every file on the system

EVHSTW foundstone\hfind.exe E490103DC92D1F0F840848691A99AD96:441458B214DFE3293562EA70B35B2E7DCB0748B5 <%toolpath%><%executable%> <%drive%>:\ > <%dst%><%output%> <%drive%>_hfind HFIND <%drive%> hfind   (http://www.foundstone.com/resources/freetools.htm)

hfind -- hidden file finder with last access times

EVHSW <%shell%> NA <%shell%> /C dir <%drive%>:\ /S /A:H /T:A > <%dst%><%output%> <%drive%>_hidden HIDDEN FILE <%drive%> dir   (from a trusted system)

dir -- show the hidden files on a system

EVHSTIWR sysinternals\streams.exe 9C2318174AFD1535B1F33AFE3D34A255:7F3A45E1AD1C4785824E1A6F3C566FC5BBF7DD6D <%toolpath%><%executable%> -s <%drive%>:\ > <%dst%><%output%> <%drive%>_streams STREAMS <%drive%> streams   (http://www.microsoft.com/technet/sysinternals/utilities/Streams.mspx)

streams -- view NTFS file stream information

NOTE: streams.exe will error if you use the wrong cmd.exe for the system you are on

EVHSTW foundstone\sfind.exe C16EA9CADC953125B86FFF45505DBAA6:81BA48992D791C2368236B1F718EDF42B870EF55 <%toolpath%><%executable%> <%drive%>:\ > <%dst%><%output%> <%drive%>_sfind SFIND <%drive%> sfind   (http://www.foundstone.com/resources/freetools.htm)

sfind -- view NTFS file stream information

EVHSTW 2k\res_kit\efsinfo.exe 238EB692A776AE1DC038BC6A0CC2E87E:7373FC0DFA71B2476457FCD1012A65161C6D476E <%toolpath%><%executable%> /S:<%drive%>:\ /U /R /C > <%dst%><%output%> <%drive%>_efsinfo EFSINFO <%drive%> efsinfo   (http://support.microsoft.com/kb/927229)

efsinfo -- shows information about EFS-encrypted files

EVHW <%shell%> NA <%shell%> /C dir "%UserProfile%\Recent" > <%dst%><%output%> recent RECENT dir   (from a trusted system)

dir -- lists recently opened files

EVHW <%shell%> NA <%shell%> /C dir <%drive%>:\recycler /S /OD /TA > <%dst%><%output%> <%drive%>_recycle RECYCLER <%drive%> dir   (from a trusted system)

dir -- lists files in the recycle bin

EVHW <%shell%> NA <%shell%> /C dir "%SystemRoot%\prefetch" > <%dst%><%output%> prefetch PREFETCH dir   (from a trusted system)

dir -- lists the Prefetch folder, used for boot and application launch prefetching on XP / 2003

EVHTW netlatency\freespace.exe 136BE49B6BD168E07E8078ED1A0F2611:4AFBCE1CEA9B7218335317D9EA3A70198FA8D7A5 <%toolpath%><%executable%> <%drive%>: > <%dst%><%output%> <%drive%>_freesp FREESPACE <%drive%> freespace   (http://www.pathsolutions.com/support/tools.asp)

freespace -- list how much free space exists on a drive or network share

##############
# AUTO START #
#############################################################################
M NA NA NA NA AUTO START NA
EVHTWR sysinternals\autorunsc.exe F0AAB3D6FCA0C5883BD198224CF6D646:5E2B84CB299F627061282C823CEDDBFF7AC4A8B1 <%toolpath%><%executable%> -a -d -e -s -w > <%dst%><%output%> autoruns AUTORUNSC autorunsc   (http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx)

autorunsc -- shows you what programs are configured to run during system boot up or login, and shows you the entries in the order Windows processes them

EVHW <%shell%> NA <%shell%> /C type "%SystemDrive%\autoexec.bat" > <%dst%><%output%> autoexec AUTOEXEC.BAT autoexec.bat   (system startup file)

autoexec.bat -- starts every time system boots at DOS level

EVHW <%shell%> NA <%shell%> /C type "%SystemRoot%\win.ini" > <%dst%><%output%> win_ini WIN.INI win.ini   (system startup file)

win.ini -- starts every time Windows starts (look for... load= and run=)

EVHW <%shell%> NA <%shell%> /C type "%SystemRoot%\system.ini" > <%dst%><%output%> sys_ini SYSTEM.INI system.ini   (system startup file)

system.ini -- starts every time Windows starts (look for... Shell=)

EVHW <%shell%> NA <%shell%> /C type "%SystemRoot%\winstart.bat" > <%dst%><%output%> winstart WINSTART.BAT winstart.bat   (system startup file)

winstart.bat -- starts every time Windows starts (operates as normal .bat file)

EVHW <%shell%> NA <%shell%> /C type "%SystemRoot%\wininit.ini" > <%dst%><%output%> init_ini WININIT.INI wininit.ini   (system startup file)

wininit.ini -- Used by setup programs; if file exists, it is run once and deleted by Windows

EVHW <%shell%> NA <%shell%> /C dir "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup" > <%dst%><%output%> startup STARTUP FOLDER dir   (from a trusted system)

dir -- show applications called from "All Users" Startup folder

EVHW <%shell%> NA <%shell%> /C dir "%UserProfile%\Start Menu\Programs\Startup" > <%dst%><%output%> user_startup USER STARTUP FOLDER dir   (from a trusted system)

dir -- show applications called from current user's Startup folder

EVHW <%shell%> NA <%shell%> /C dir "%SystemRoot%\Tasks" > <%dst%><%output%> tasks SCHEDULED TASKS dir   (from a trusted system)

dir -- show scheduled tasks submitted via at.exe or the Scheduled Tasks Wizard

NOTE: Hidden files do not appear in the Scheduled Tasks via the Control Panel.

OEVHW <%os%>\at.exe NA <%toolpath%><%executable%> > <%dst%><%output%> at AT SCHEDULED at   (from a trusted system)

at -- shows user scheduled tasks to be performed at a later date and time

# this is a hack to make schtasks not run in 2k - mdm
OEVHW 2k3\schtasks.exe NA <%toolpath%><%executable%> /Query /FO LIST /V > <%dst%><%output%> schtasks SCHTASKS schtasks   (from a trusted system)

schtasks -- displays all scheduled tasks

OEVHW xp\schtasks.exe NA <%toolpath%><%executable%> /Query /FO LIST /V > <%dst%><%output%> schtasks SCHTASKS schtasks   (from a trusted system)

schtasks -- displays all scheduled tasks

OEVHW vista\schtasks.exe NA <%toolpath%><%executable%> /Query /FO LIST /V > <%dst%><%output%> schtasks SCHTASKS schtasks   (from a trusted system)

schtasks -- displays all scheduled tasks

EVHTW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /S > <%dst%><%output%> hklm_r REG: HKLM_R reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- programs to be run when system starts

NOTE: On 2K and XP, these entries are ignored in Safe Mode unless preceded by "*"

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /S > <%dst%><%output%> hklm_ro REG: HKLM_RO reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- programs to be run once when the system starts and then the entry is removed

NOTE: Commands are deleted before they are run unless preceded by "!", which forces deletion only after the command has run

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /S > <%dst%><%output%> hklm_rox REG: HKLM_ROX reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- programs to be run once when the system starts and then the entry is removed

NOTE: Commands are deleted before they are run unless preceded by "!", which forces deletion only after the command has run

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices /S > <%dst%><%output%> hklm_rs REG: HKLM_RS reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- services to be run when system starts

NOTE: On 2K and XP, these entries are ignored in Safe Mode unless preceded by "*"

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /S > <%dst%><%output%> hklm_rso REG: HKLM_RSO reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- services to be run once when the system starts and then the entry is removed

NOTE: Services are deleted before they are run unless preceded by "!", which forces deletion only after the service has run

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKLM\Software\Policies\Microsoft\Windows\System\Scripts /S > <%dst%><%output%> hklm_scripts REG: HKLM_SCRIPTS reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- scripts to be run for various events (i.e., logon, logoff, shutdown, etc.)

NOTE: This is usually implemented via Group Policy, but can be used in Local Security Policies

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ /S > <%dst%><%output%> hklm_expl_run REG: HKLM_EXPL_RUN reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- programs to be run when system starts

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /S > <%dst%><%output%> hkcu_r REG: HKCU_R reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- programs to be run when system starts

NOTE: On 2K and XP, these entries are ignored in Safe Mode unless preceded by "*"

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /S > <%dst%><%output%> hkcu_ro REG: HKCU_RO reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- programs to be run once when the system starts and then the entry is removed

NOTE: Commands are deleted before they are run unless preceded by "!", which forces deletion only after the command has run

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /S > <%dst%><%output%> hkcu_rox REG: HKCU_ROX reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- programs to be run once when the system starts and then the entry is removed

NOTE: Commands are deleted before they are run unless preceded by "!", which forces deletion only after the command has run

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices /S > <%dst%><%output%> hkcu_rs REG: HKCU_RS reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- services to be run when system starts

NOTE: On 2K and XP, these entries are ignored in Safe Mode unless preceded by "*"

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /S > <%dst%><%output%> hkcu_rso REG: HKCU_RSO reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- services to be run once when the system starts; the entry is then removed

NOTE: Each entry is deleted before its service is run, unless the value name is preceded by "!", which defers the deletion until after the service has run

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKCU\Software\Policies\Microsoft\Windows\System\Scripts /S > <%dst%><%output%> hkcu_scripts REG: HKCU_SCRIPTS reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- scripts to be run for various events (i.e., logon, logoff, shutdown, etc.)

NOTE: These are usually set via Group Policy, but can also be set through local policy

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ /S > <%dst%><%output%> hkcu_expl_run REG: HKCU_EXPL_RUN reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- programs to be run when the user logs on (set by policy)

############
# REGISTRY #
#############################################################################
M NA NA NA NA REGISTRY NA
EVHT ntsecurity\gplist.exe 5185F31A90703BC7379725690FA82DB7:CFD93063C9EDCB4ED8FBC15E9403FD313A4D37F9 <%toolpath%><%executable%> > <%dst%><%output%> gplist GROUP POLICY gplist   (http://www.ntsecurity.nu/toolbox/gplist/)

gplist -- lists information about the applied Group Policies

OEVH <%os%>\gpresult.exe NA <%toolpath%><%executable%> /v /scope user > <%dst%><%output%> gpuser GROUP POLICY (USER) gpresult   (from a trusted system)

gpresult -- displays information about how Group Policy has affected the current computer and any users who are logged on to the current computer

OEVH <%os%>\gpresult.exe NA <%toolpath%><%executable%> /v /scope system > <%dst%><%output%> gpsys GROUP POLICY (SYSTEM) gpresult   (from a trusted system)

gpresult -- displays information about how Group Policy has affected the current computer and any users who are logged on to the current computer

#EVHT foolmoon\fmrunlist.exe 36286295583858A4F5AA1DA6C44A73D3:A1587F914B19425677D99DC9E8D933EA6E25C8CD <%toolpath%><%executable%> > <%dst%><%output%> fmrunlist RUN HISTORY fmrunlist   (http://www.foolmoon.net/security/fmtools/)

fmrunlist -- lists commands typed into the Start|Run dialog

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /S > <%dst%><%output%> run_hist RUN HISTORY reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- lists commands typed into the Start|Run dialog

#EVHT foolmoon\fmrecentdocs.exe 3477D6D00DCF07EADDBC4C8B4FAA9094:7D8570E99E13951A9BC852951D595E4D8C81FB20 <%toolpath%><%executable%> > <%dst%><%output%> fmrecentdocs RECENT DOCS fmrecentdocs   (http://www.foolmoon.net/security/fmtools/)

fmrecentdocs -- lists Recent Docs

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs /S > <%dst%><%output%> rcnt_doc RECENT DOCS reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- lists Recent Docs (each value is REG_BINARY, shown as hex: a NUL-terminated UTF-16LE file name followed by shell link data, so it must be decoded)
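The reg.exe lines above write the raw `reg query` text to the report directory; the RecentDocs values in particular arrive as hex that still has to be decoded, and the "*" and "!" prefixes on Run and RunOnce value names (see the NOTEs above) change when, or whether, an entry runs. The following Python is an added example for offline triage of those output files; it is not part of WFT or of any tool listed on this page. The reg.exe output, the registry values and the paths in the sample are constructed for the example; the key names are the ones this section queries.

```python
"""Offline triage of the 'reg query ... /S' text the reg.exe lines above write.
Added example, not part of WFT or any tool it lists.  It parses reg.exe output
(key path at column 0, indented "name  type  data" lines), flags Run/RunOnce
value names with the "*" (also runs in Safe Mode) and "!" (RunOnce entry is
deleted after, not before, the command runs) prefixes from the NOTEs above, and
decodes RecentDocs REG_BINARY values (NUL-terminated UTF-16LE file name, then
shell-link data) in MRUListEx order (little-endian DWORD indices, most recent
first, 0xFFFFFFFF terminator).  The sample at the bottom is constructed."""
import re
import struct

# XP-era reg.exe separates value fields with tabs, later versions with four
# spaces; matching runs of whitespace handles both.  Value names with embedded
# whitespace do not occur in the keys handled here.
_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")

def parse_reg_query(text):
    """Return {key_path: [(value_name, reg_type, data), ...]} in file order."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):  # blank or "! REG.EXE VERSION" banner
            continue
        if not line[0].isspace():                     # key paths start at column 0
            current = line.rstrip()
            keys[current] = []
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group(1), m.group(2), m.group(3).strip()))
    return keys

def flag_autostart_prefixes(keys):
    """Return (key, value_name, command, note) for prefixed Run-style entries."""
    findings = []
    for key, values in keys.items():
        leaf = key.rsplit("\\", 1)[-1]
        for name, _rtype, data in values:
            if name.startswith("*") and leaf in ("Run", "RunServices"):
                findings.append((key, name, data, "also runs in Safe Mode"))
            elif name.startswith("!") and leaf in ("RunOnce", "RunServicesOnce"):
                findings.append((key, name, data, "deleted after the command runs"))
    return findings

def decode_recentdoc(hexdata):
    """File name at the start of a RecentDocs value: UTF-16LE code units up to
    the first aligned 0x0000 pair; the shell-link data after it is ignored."""
    raw, end = bytes.fromhex(hexdata), 0
    while end + 1 < len(raw) and raw[end:end + 2] != b"\x00\x00":
        end += 2
    return raw[:end].decode("utf-16-le", errors="replace")

def mru_order(hexdata):
    """Indices from an MRUListEx value, most recent first."""
    raw, order = bytes.fromhex(hexdata), []
    for off in range(0, len(raw) - 3, 4):
        idx = struct.unpack_from("<I", raw, off)[0]
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def recent_docs(keys):
    """{key_path: [file names, most recent first]} for RecentDocs and its
    per-extension subkeys; falls back to index order if MRUListEx is absent."""
    report = {}
    for key, values in keys.items():
        if "\\RecentDocs" not in key:
            continue
        names, order = {}, None
        for name, rtype, data in values:
            if rtype != "REG_BINARY":
                continue
            if name == "MRUListEx":
                order = mru_order(data)
            elif name.isdigit():
                names[int(name)] = decode_recentdoc(data)
        report[key] = [names[i] for i in (sorted(names) if order is None else order) if i in names]
    return report

# Constructed reg.exe output in the layout of the hkcu_r, hkcu_ro and rcnt_doc
# reports; the paths and hex values are made up for this example.
SAMPLE = r"""! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    *Updater    REG_SZ    C:\Temp\upd.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    !Cleanup    REG_SZ    C:\Temp\c.bat

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    MRUListEx    REG_BINARY    0100000000000000FFFFFFFF
    0    REG_BINARY    70006C0061006E002E0074007800740000001400320000
    1    REG_BINARY    6200750064006700650074002E0078006C00730000001400320000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt
    MRUListEx    REG_BINARY    00000000FFFFFFFF
    0    REG_BINARY    70006C0061006E002E0074007800740000001400320000
"""

if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE)
    for key, name, cmd, note in flag_autostart_prefixes(parsed):
        print("%s\\%s = %s  [%s]" % (key, name, cmd, note))
    for key, docs in recent_docs(parsed).items():
        print("%s -> %s" % (key, docs))
```

Point it at the hkcu_r, hkcu_ro and rcnt_doc files WFT wrote instead of SAMPLE. Only the leading UTF-16LE string of each RecentDocs value is decoded; the shell link data that follows it is left untouched, and the per-extension subkeys (RecentDocs\.txt and so on) are reported separately because each keeps its own MRUListEx.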

#EVHT foolmoon\fmopensave.exe ECF6587912ABFEDC3817EBFE18BFC7B6:314B66A96CEA094940B0FE0F2D285F36128CAD5F <%toolpath%><%executable%> > <%dst%><%output%> fmopensave LAST FILES SAVED fmopensave   (http://www.foolmoon.net/security/fmtools/)

fmopensave -- lists files opened/saved via explorer-style dialog boxes

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU /S > <%dst%><%output%> lastsave LAST FILES SAVED reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- lists files opened/saved via explorer-style dialog boxes

#EVHT foolmoon\fminstallhistory.exe FDFDB898DBEACEECE7E2ACB3F4476E08:0255DB1E3822C280A23D86856F3AA86C5C59C5BF <%toolpath%><%executable%> > <%dst%><%output%> fminstallhistory INSTALL HISTORY fminstallhistory   (http://www.foolmoon.net/security/fmtools/)

fminstallhistory -- lists applications that have been installed (if they have a registered uninstaller)

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /S > <%dst%><%output%> installh INSTALL HISTORY reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- lists applications that have been installed (if they have a registered uninstaller)

EVHSTW microsoft\regdmp.exe A92E8BA3A7B8B7FA80D4AC189DBF45FD:30C9B412D0A35BE896691AF73506236C5255628A <%toolpath%><%executable%> > <%dst%><%output%> regdmp REGDMP regdmp   (from Windows 2K Resource Kit)

regdmp -- dumps all or part of the registry to stdout

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ /S > <%dst%><%output%> hklm_safemin REG: HKLM_SafeMin reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- lists the services and drivers allowed to load in Safe Mode (Minimal)

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ /S > <%dst%><%output%> hklm_safenet REG: HKLM_SafeNet reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- lists the services and drivers allowed to load in Safe Mode with Networking

###############
# IE ACTIVITY #
###############
M NA NA NA NA IE ACTIVITY NA
V nirsoft\iehv.chm A8BC3A09B799D516CEF7EDF1C39CF869:5D2B982A6518BD5A78456872D9C1E5F451D092B3 NA NA NA iehv's help file
EVHTW nirsoft\iehv.exe 7A6230D01BE0CF93AEB5CBA1C52ADC86:F258F20CFB153A0A1A1A78262549219C0023EDF0 <%toolpath%><%executable%> /stext <%dst%><%output%> iehv IE HISTORY iehv   (http://www.nirsoft.net/utils/iehv.html)

iehv -- displays the list of all URLs that you have visited in IE over the last few days

#EVHT foolmoon\fmtypedurls.exe 7313E61C368C92DE0920EC907880A2DB:39A7D1B9C13EC77B6A721E09800FAA4A0BBE6A7A <%toolpath%><%executable%> > <%dst%><%output%> fmtypedurls TYPED URLS fmtypedurls   (http://www.foolmoon.net/security/fmtools/)

fmtypedurls -- lists URLs typed at the Internet Explorer address bar

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs" /S > <%dst%><%output%> type_url TYPED URLS reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- lists URLs typed at the Internet Explorer address bar

EVHW microsoft\reg.exe C193E1D68A7921A6AEC298BA50A1AABA:911DBEBC159056857A23A9E441F349042E7416FD <%toolpath%><%executable%> query "HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}" /S > <%dst%><%output%> search_h SEARCH HISTORY reg   (http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTKit.asp)

reg -- lists Explorer search history

EVHTW ntsecurity\pstoreview.exe 3C4D5AF892DB1BB984D81CE12874CC71:561E44101395C88E4B714ABED56C99105FEECF4F <%toolpath%><%executable%> > <%dst%><%output%> pstoreview PSTOREVIEW pstoreview   (http://www.ntsecurity.nu/toolbox/pstoreview/)

PStoreview -- lists the contents of the Protected Storage. It usually contains things like Internet Explorer username and password autocomplete, and Outlook account names and passwords.

########
# MISC #
#############################################################################
M NA NA NA NA MISC NA
OEVH <%os%>\doskey.exe NA <%toolpath%><%executable%> /history > <%dst%><%output%> doskey DOSKEY doskey   (from a trusted system)

doskey -- displays the command history of the current console session only (the cmd.exe window WFT was launched from; commands typed in other consoles are not shown)

V perl\p2x588.dll A236999C6D5CF814CD562CFAB4BAB8FA:86D7061CA92EABB642E7637C3B558AEB2EA7718A NA NA NA Required by mdm.exe
V perl\re.dll 6239608ECF09DE1BA88D21635C9C1C6A:D2C10C285A7298E782A2051747E705209BDF6AD3 NA NA NA Required by mdm.exe
V perl\util.dll 6DBEA3D86C51BF65ECBDAF0A91EE5FEA:D23538D686A7C2B40C7F037E818FBB029DB1FBB3 NA NA NA Required by mdm.exe
V perl\ole.dll 08FF61A0FC0509D11D3DD4DDE750311A:83E234A8F1F2940CFB60949612FE16A8FA7469E7 NA NA NA Required by mdm.exe
V perl\cwd.dll 4051A8FF7E38F23C037BCE5378B714AD:FCE71E39D1E7718788D78826D6878BA2CAB87B70 NA NA NA Required by mdm.exe
EVHT perl\mdm.exe E4B41C5B54F11DE96AE509894861E5E6:46C92A5D252D957367627B47A2E18FC6C20D6212 <%toolpath%><%executable%> > <%dst%><%output%> mdm MDM mdm   (Graciously provided by Harlan Carvey)

mdm -- checks for the existence of a modem driver

# this is a hack to make rootkitrevealer not run in Vista - mdm
OV 2k\..\sysinternals\rootkitrevealer.chm F0F3E20B031C0C87586B8DA9020195E8:CC570F58C79EE1C54E8879FFC890033D74A748BA NA NA NA rootkitrevealer's help file
OEVHSTIWR 2k\..\sysinternals\rootkitrevealer.exe EE738FE9BCDD605821002CEC8C7206DB:D39E8A3FE92ADC7D7FBC5293EDF8A7B965484A59 <%toolpath%><%executable%> -a <%dst%><%output%> rootkit ROOTKIT REVEALER rootkitrevealer   (http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx)

rootkitrevealer -- rootkit detection utility

NOTE: rootkitrevealer is a GUI application, but will close when complete (it may run for over an hour)

OV 2k3\..\sysinternals\rootkitrevealer.chm F0F3E20B031C0C87586B8DA9020195E8:CC570F58C79EE1C54E8879FFC890033D74A748BA NA NA NA rootkitrevealer's help file
OEVHSTIWR 2k3\..\sysinternals\rootkitrevealer.exe EE738FE9BCDD605821002CEC8C7206DB:D39E8A3FE92ADC7D7FBC5293EDF8A7B965484A59 <%toolpath%><%executable%> -a <%dst%><%output%> rootkit ROOTKIT REVEALER rootkitrevealer   (http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx)

rootkitrevealer -- rootkit detection utility

NOTE: rootkitrevealer is a GUI application, but will close when complete (it may run for over an hour)

OV xp\..\sysinternals\rootkitrevealer.chm F0F3E20B031C0C87586B8DA9020195E8:CC570F58C79EE1C54E8879FFC890033D74A748BA NA NA NA rootkitrevealer's help file
OEVHSTIWR xp\..\sysinternals\rootkitrevealer.exe EE738FE9BCDD605821002CEC8C7206DB:D39E8A3FE92ADC7D7FBC5293EDF8A7B965484A59 <%toolpath%><%executable%> -a <%dst%><%output%> rootkit ROOTKIT REVEALER rootkitrevealer   (http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx)

rootkitrevealer -- rootkit detection utility

NOTE: rootkitrevealer is a GUI application, but will close when complete (it may run for over an hour)

########
# DONE #
#############################################################################
M NA NA NA NA DONE NA
EVH 2k\res_kit\now.exe 1CD2DF306E25FBDDF653A9D9B5DC8A41:78C906DF8D6E1EC450708C8A0AF2E51EA8751333 <%toolpath%><%executable%> "WFT Run Complete" > <%dst%><%output%> end END TIME now   (http://support.microsoft.com/kb/927229)

now -- displays the current date and time to stdout with optional message

#EVH foolmoon\fmnow.exe 620C36C07933DBFBCFAF1FE6080492EC:848C491299BBD24CFB07EDF959C00EA98E297C73 <%toolpath%><%executable%> "WFT Run Complete" > <%dst%><%output%> end_fm END TIME fmnow   (http://www.foolmoon.net/security/fmtools/)

fmnow -- displays the current date and time to stdout with optional message
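Every line in this file carries the same seven TAB-separated fields, and the V action means the tool image is hashed and compared with the MD5:SHA1 pair in WFTCHECKSUM before the command is built. The Python below is an added example of that check and of the macro expansion the header describes; it is not WFT's own code. The tool path and destination, the constructed config lines and the tool image contents are assumptions of the example (as is treating `<%os%>` as expanding to the short OS name used in the EXECUTABLE field); the hashes of "abc" and of the empty string are the standard MD5 and SHA-1 test vectors.

```python
"""Parse WFT config lines and perform the 'V' action's checksum test.
Added example, not WFT's own code.  A config line is seven TAB-separated
fields: ACTION EXECUTABLE WFTCHECKSUM COMMAND OUTPUT MENU DESCRIPTION.
WFTCHECKSUM is "MD5:SHA1" in hex, or NA for OS-supplied tools.  <%output%>
expands to OUTPUT.txt as the config header states; toolpath and dst are
assumed to carry a trailing backslash, and <%os%> is assumed to expand to
the short OS name.  Config lines, tool images and paths below are
constructed; the hashes of b"abc" are the standard MD5/SHA-1 test vectors."""
import hashlib

FIELDS = ("action", "executable", "checksum", "command", "output", "menu", "description")

def parse_config_line(line):
    """Split a non-comment line into its fields; DESCRIPTION keeps any further tabs."""
    if line.startswith("#") or not line.strip():
        raise ValueError("comment or blank line")
    parts = line.rstrip("\r\n").split("\t", 6)
    if len(parts) != 7:
        raise ValueError("expected 7 TAB-separated fields, got %d" % len(parts))
    entry = dict(zip(FIELDS, parts))
    entry["actions"] = set(entry["action"])        # "EVHW" -> {"E", "V", "H", "W"}
    return entry

def expand_command(entry, toolpath, dst, os_name):
    """Apply the macro substitutions WFT performs on COMMAND."""
    executable = entry["executable"].replace("<%os%>", os_name)
    return (entry["command"]
            .replace("<%toolpath%>", toolpath)
            .replace("<%executable%>", executable)
            .replace("<%dst%>", dst)
            .replace("<%output%>", entry["output"] + ".txt"))

def verify_checksum(image, wftchecksum):
    """True/False against a recorded MD5:SHA1 pair; None when the line says NA."""
    if wftchecksum.upper() == "NA":
        return None
    md5_hex, sha1_hex = wftchecksum.lower().split(":", 1)
    return (hashlib.md5(image).hexdigest() == md5_hex
            and hashlib.sha1(image).hexdigest() == sha1_hex)

def check_line(line, images, toolpath="D:\\wft\\tools\\", dst="E:\\case01\\", os_name="xp"):
    """Return (checksum result, expanded command line) for one config line.
    `images` maps the EXECUTABLE field (after <%os%> expansion) to file bytes;
    a tool that is missing from `images` hashes as empty and therefore fails."""
    entry = parse_config_line(line)
    executable = entry["executable"].replace("<%os%>", os_name)
    verified = None
    if "V" in entry["actions"]:
        verified = verify_checksum(images.get(executable, b""), entry["checksum"])
    return verified, expand_command(entry, toolpath, dst, os_name)

ABC_CHECKSUM = "900150983CD24FB0D6963F7D28E17F72:A9993E364706816ABA3E25717850C26C9CD0D89D"

# Constructed lines in the page's format, TAB-joined here so the separator is visible.
SAMPLE_LINES = [
    "\t".join(["EVHW", "microsoft\\reg.exe", ABC_CHECKSUM,
               "<%toolpath%><%executable%> query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /S > <%dst%><%output%>",
               "hkcu_r", "REG: HKCU_R", "reg -- programs to be run when the user logs on"]),
    "\t".join(["OEVH", "<%os%>\\doskey.exe", "NA",
               "<%toolpath%><%executable%> /history > <%dst%><%output%>",
               "doskey", "DOSKEY", "doskey -- command history of the current console"]),
]
# Constructed tool images: the reg.exe stand-in is b"abc"; doskey.exe has no recorded hash.
TOOL_IMAGES = {"microsoft\\reg.exe": b"abc", "xp\\doskey.exe": b"MZ"}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ok, cmd = check_line(line, TOOL_IMAGES)
        print({True: "OK ", False: "BAD", None: "N/A"}[ok], cmd)
```

A False result means the image on the response media is not the binary the config was written against (replaced, patched, or absent) and the line should not run; None marks OS-supplied tools that WFT hashes against a trusted system instead, which the "(from a trusted system)" entries above rely on.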