wmi一些操作

  • A+
所属分类:安全博客

使用wmic识别安装到系统中的补丁情况

1
C:> wmic qfe get description,installedOn

外部调用获取补丁情况

1
2
select * from Win32_QuickFixEngineering
SELECT * FROM Win32_OperatingSystemQFE

识别正在运行的服务

1
2
C:>sc query type= service
C:>net start

识别开机启动的程序,包括路径

1
C:>wmic startup list full

查看系统中网卡的IP地址和MAC地址

1
D:>wmic nicconfig get ipaddress,macaddress

用户列表

1
D:>wmic useraccount list brief

查看当前系统是否有屏保保护,延迟是多少

1
D:>wmic desktop get screensaversecure,screensavertimeout

域控机器

1
D:>wmic ntdomain list brief

登录用户

1
D:>wmic logon list brief

查看系统中开放的共享

1
2
D:>wmic share get name,path
D:>net share

卸载和重新安装程序

1
2
wmic product where "name like '%Office%'" get name
wmic product where name="Office" call uninstall

来源:
查看系统中开启的日志

1
C:>wmic nteventlog get path,filename,writeable

清除相关的日志(这里是全部清除)

1
2
3
wevtutil cl "windows powershell"
wevtutil cl "security"
wevtutil cl "system"

博主注:建议使用tr 或sed 或其他方法替换关键字符
*
查看系统中安装的软件以及版本**

1
C:>wmic product get name,version

查看某个进程的详细信息 (路径,命令行参数等)

1
C:>wmic process where name="chrome.exe" list full

终止一个进程

1
2
3
D:>wmic process where name="xshell.exe" call terminate
D:>ntsd -c q -p 进程的PID
D:>taskkill -im pid

获取存储在注册表中所有包含密码的键值:

1
REG query HKCU  /v "pwd" /s  #pwd可替换为password  HKCU 可替换为HKCR

显示系统中的曾经连接过的无线密码

1
2
D:>netsh wlan show profiles 
D:>netsh wlan show profiles name="profiles的名字" key=clear

博主首发:
一键获取:

1
for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear

查看当前系统是否是VMWARE

1
C:>wmic bios list full | find /i "vmware"

获取进程服务名称 PID

1
2
tasklist /svc | findstr "TermService" 
netstat -ano | findstr "PID"

杀毒软件

1
Get-WmiObject -Namespace rootSecurityCenter2 -Class AntiVirusProduct

虚拟机检测

  1. 判断TotalPhysicalMemory和NumberOfLogicalProcessors

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    $VMDetected = $False
    $Arguments = @{
    Class = 'Win32_ComputerSystem'
    Filter = 'NumberOfLogicalProcessors < 2 AND TotalPhysicalMemory < 2147483648'
    }
    if (Get-WmiObject @Arguments) {
    $VMDetected = $True
    "In vm"
    }
    else{
    "Not in vm"
    }
  2. 判断虚拟机进程

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    $VMwareDetected = $False
    $VMAdapter = Get-WmiObject Win32_NetworkAdapter -Filter 'Manufacturer LIKE
    "%VMware%" OR Name LIKE "%VMware%"'
    $VMBios = Get-WmiObject Win32_BIOS -Filter 'SerialNumber LIKE "%VMware%"'
    $VMToolsRunning = Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
    if ($VMAdapter -or $VMBios -or $VMToolsRunning)
    { $VMwareDetected = $True
    "in vm"
    }
    else
    {
    "not in vm"
    }

来源:权限维持-WMI

获取电脑产品编号和型号信息

1
2
wmic baseboard get Product,SerialNumber
wmic bios get serialnumber

安装软件

1
2
wmic product get name,version
wmic product list brief

程序运行时间

1
wmic process get CreationDate

检查服务路径中包含空格且没有双引号的服务
*博主首发

1
wmic service where   "((state='running') and  (pathname like '% %') and not (pathname like '%"%') and not (pathname like '%system32%') and not (pathname like '%syswow64%'))"  get pathname,name,displayname,startname

Source:wolvez.club | Author:wolvez

相关推荐: 打造专属 Cobalt Strike

环境准备 VPS CentOS 8 CobaltStrike4.0 ServerChan SCKEY 配置 VPS 使用dnf安装常用软件 1dnf install vim net-tools wget –y 修改主机名 123echo 'Cathe…

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: