System/Kernel


PS C:\Users\edavies\Documents> systeminfo ; Get-ComputerInfo
 
systeminfo : ERROR: Access denied
    + CategoryInfo          : NotSpecified: (ERROR: Access denied:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
 
WindowsBuildLabEx                                       : 19041.1.amd64fre.vb_release.191206-1406
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : Education
WindowsInstallationType                                 : Client
WindowsInstallDateFromRegistry                          : 18/11/2021 22:57:05
WindowsProductId                                        : 00328-10000-00001-AA030
WindowsProductName                                      : Windows 10 Education
WindowsRegisteredOwner                                  : Natasha
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 2009
TimeZone                                                : (UTC+00:00) Dublin, Edinburgh, Lisbon, London
LogonServer                                             : \\ATSSERVER
PowerPlatformRole                                       : Desktop
DeviceGuardSmartStatus                                  : Off

Windows 10 Education 6.3 19041.1.amd64fre.vb_release.191206-1406 Natasha

Networks


PS C:\Users\edavies\Documents> cmd /c "ipconfig /all && arp -a"
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : Acute-PC01
   Primary Dns Suffix  . . . . . . . : acute.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : acute.local
 
Ethernet adapter Ethernet 2:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #2
   Physical Address. . . . . . . . . : 00-15-5D-E8-0A-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9513:4361:23ec:64fd%14(Preferred) 
   IPv4 Address. . . . . . . . . . . : 172.16.22.2(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.22.1
   DHCPv6 IAID . . . . . . . . . . . : 251663709
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-29-1F-44-00-15-5D-E8-02-00
   DNS Servers . . . . . . . . . . . : 172.16.22.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Interface: 172.16.22.2 --- 0xe
  Internet Address      Physical Address      Type
  172.16.22.1           00-15-5d-e8-0a-00     dynamic   
  172.16.22.255         ff-ff-ff-ff-ff-ff     static    
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  239.255.255.250       01-00-5e-7f-ff-fa     static    
 

acute.local 172.16.22.1

PS C:\Users\edavies\Documents> netstat -ano | Select-String LIST
 
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       732
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       2468
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       668
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       564
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       752
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       408
  TCP    0.0.0.0:49670          0.0.0.0:0              LISTENING       668
  TCP    0.0.0.0:49707          0.0.0.0:0              LISTENING       660
  TCP    172.16.22.2:139        0.0.0.0:0              LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       888
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:7680              [::]:0                 LISTENING       2468
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       668
  TCP    [::]:49665             [::]:0                 LISTENING       564
  TCP    [::]:49666             [::]:0                 LISTENING       752
  TCP    [::]:49667             [::]:0                 LISTENING       408
  TCP    [::]:49670             [::]:0                 LISTENING       668
  TCP    [::]:49707             [::]:0                 LISTENING       660

0.0.0.0:135 (RPC endpoint mapper) 0.0.0.0:445 (SMB) 0.0.0.0:5040 (CDPSvc, svchost 732) 0.0.0.0:5985 (WinRM, PID 4) 0.0.0.0:7680 (Delivery Optimization, svchost 2468)

Users & Groups


PS C:\Users\edavies\Documents> net user ; net user /DOMAIN
 
User accounts for \\
 
-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest                    
Natasha                  WDAGUtilityAccount       
The command completed with one or more errors.
 
The request will be processed at a domain controller for domain acute.local.
 
net : System error 1722 has occurred.
    + CategoryInfo          : NotSpecified: (System error 1722 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
 
The RPC server is unavailable.
 
The request will be processed at a domain controller for domain acute.local.
 
PS C:\Users\edavies\Documents> ls C:\Users
 
 
    Directory: C:\Users
 
 
Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----        12/21/2021   1:01 PM                administrator.ACUTE                                                  
d-----        12/22/2021   1:26 AM                edavies                                                              
d-----        12/21/2021  10:50 PM                jmorgan                                                              
d-----        11/19/2021   9:29 AM                Natasha                                                              
d-r---        11/18/2020  11:43 PM                Public          

Other profiles on the host: Natasha (local account), jmorgan, administrator.ACUTE (the .ACUTE suffix means a domain ACUTE account named administrator has logged on interactively here)

PS C:\Users\edavies\Documents> net localgroup
 
Aliases for \\ACUTE-PC01
 
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Remote Management Users
*Replicator
*System Managed Accounts Group
*Users
The command completed successfully.
 
PS C:\Users\edavies\Documents> net group /DOMAIN
The request will be processed at a domain controller for domain acute.local.
 
net : System error 1722 has occurred.
    + CategoryInfo          : NotSpecified: (System error 1722 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
 
The RPC server is unavailable.
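net.exe needs the RPC endpoint mapper (135) and SAMR on the DC, so "System error 1722" says nothing about whether LDAP is reachable. The block below is an added example (not part of the original notes) that probes the DC ports directly with a TcpClient and, if 389 answers, enumerates users and groups over LDAP through the ADSI searcher. It assumes the DC name ATSSERVER from the LogonServer field resolves; the DNS server 172.16.22.1 is used as a fallback target and is an assumption about where the DC sits.

```powershell
# Added example: LDAP fallback for domain enumeration when net.exe fails with 1722.
# Assumption: ATSSERVER (LogonServer) is the DC; 172.16.22.1 is tried only because it is the DNS server.
function Test-Port {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        [bool]($ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch { $false } finally { $client.Close() }
}

function Get-DomainObjects {
    param(
        [string]$Server,
        [string]$Filter = '(objectCategory=user)',
        [string[]]$Properties = @('samaccountname', 'description', 'memberof', 'useraccountcontrol')
    )
    $prefix = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse = [ADSI]($prefix + 'RootDSE')
    $base = [ADSI]($prefix + "$($rootDse.defaultNamingContext)")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $Filter)
    $searcher.PageSize = 500                      # paged results so large domains do not truncate at 1000
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{}
        foreach ($p in $Properties) { $o[$p] = @($r.Properties[$p]) -join '; ' }
        [pscustomobject]$o
    }
}

# 1. Which DC ports are actually reachable from this host?
foreach ($target in 'ATSSERVER', '172.16.22.1') {
    foreach ($port in 135, 389, 445, 636) {
        [pscustomobject]@{ Target = $target; Port = $port; Open = (Test-Port $target $port) }
    }
}

# 2. If LDAP is open, enumerate without SAMR/RPC.
if (Test-Port 'ATSSERVER' 389) {
    try {
        Get-DomainObjects -Server 'ATSSERVER' -Filter '(objectCategory=user)' | Format-Table -AutoSize
        Get-DomainObjects -Server 'ATSSERVER' -Filter '(objectCategory=group)' -Properties samaccountname, member |
            Format-Table -Wrap -AutoSize
    } catch {
        Write-Warning "LDAP bind failed: $($_.Exception.Message)"
    }
}
```

If 135 is closed but 389 is open, the failure is a firewall or RPC filter between this host and the DC rather than the DC being down; if every port is closed, the workstation may only reach the DC through a path (VPN, VLAN) that this session does not have, and further domain enumeration has to wait for a pivot.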

Processes


PS C:\Users\edavies\Documents> ps
 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName                                                  
-------  ------    -----      -----     ------     --  -- -----------                                                  
    331      14     1576       4264               496   0 csrss                                                        
    317      14     1724       4432               572   1 csrss                                                        
    196      13     2364      10608       0.08   3052   1 dllhost                                                      
    766      32    25800      46456               968   1 dwm                                                          
   1877      66    27684      86648      53.08   3428   1 explorer                                                     
     37       6     1696       3412               788   1 fontdrvhost                                                  
     37       6     1444       2632               796   0 fontdrvhost                                                  
      0       0       60          8                 0   0 Idle                                                         
   1131      31     5760      17020               668   0 lsass                                                        
      0       0      340     104232              1792   0 Memory Compression                                           
    210      12     1892        380              3156   0 MicrosoftEdgeUpdate                                          
    383      18    16076      16540              5944   0 MoUsoCoreWorker                                              
    205      14     6784      16416       0.28    276   1 msedge                                                       
    899      42    22144      63592       6.03    440   1 msedge                                                       
    309      18    97708      23844       0.36   4100   1 msedge                                                       
    244      15     8420      24888       0.77   4108   1 msedge                                                       
    135       9     1928       6532       0.05   4864   1 msedge                                                       
    713      82   199300      85068              2136   0 MsMpEng                                                      
    211      11     4260       9896              3872   0 NisSrv                                                       
    558      35    12940      55380       1.56   3048   1 OneDrive                                                     
      0      12     3092      12756                72   0 Registry                                                     
    208      11     2472      16020       0.06   2116   1 RuntimeBroker                                                
    261      14     3108      15568       0.73   3328   1 RuntimeBroker                                                
    196      11     2728      16404       0.16   4664   1 RuntimeBroker                                                
    318      17     6892      22792       1.05   4968   1 RuntimeBroker                                                
   1094      68    49268      72220       3.61   4772   1 SearchApp                                                    
    286      13     2828      11612              2660   0 SecurityHealthService                                        
    408      13     3936       9828               660   0 services                                                     
    105       7     3136       6204              5748   0 SgrmBroker                                                   
    555      25     9660      38524       0.33   4688   1 ShellExperienceHost                                          
    478      17     4928      22528       1.66   3076   1 sihost                                                       
    360      22     8056      22284       0.92   1148   1 smartscreen                                                  
     53       3     1072        948               384   0 smss                                                         
    612      28    17492      49684       2.91   4524   1 StartMenuExperienceHost                                      
   1951     110    35392      59040               408   0 svchost                                                      
    393      16     3584       9620               448   0 svchost                                                      
    207      12     1808       6720               656   0 svchost                                                      
    730      37     9024      20248               732   0 svchost                                                      
    761      20    16380      21648               752   0 svchost                                                      
   1430      25     9092      25260               804   0 svchost                                                      
    837      19     5580      11528               888   0 svchost                                                      
    569      25    35080      47800               900   0 svchost                                                      
    364      19    17272      18064              1028   0 svchost                                                      
    829      50     8828      21332              1132   0 svchost                                                      
    469      25     3896      12240              1444   0 svchost                                                      
    409      31    11360      11984              1484   0 svchost                                                      
    321      17     3636      10860              1548   0 svchost                                                      
    126       8     1488       5560              1924   0 svchost                                                      
    362      12     2196       7504              1952   0 svchost                                                      
    298      17     4004      14972              2468   0 svchost                                                      
    183      10     5588      13440              2912   0 svchost                                                      
    197      11     1848       7256              3036   0 svchost                                                      
    609      26    10732      34820       3.47   3084   1 svchost                                                      
    141       9     2560       8976              3264   0 svchost                                                      
    231      12     2940      15732       1.69   3628   1 svchost                                                      
    220      14     1904       6684              4544   0 svchost                                                      
    240      14     7096      14732              5332   0 svchost                                                      
    214      12     2504       9196              6044   0 svchost                                                      
   1864       0      196        144                 4   0 System                                                       
    509      36     7792      18696       2.23   3192   1 taskhostw                                                    
    111       7     1348       6120              5820   0 uhssvc                                                       
    162      11     1340       5928               564   0 wininit                                                      
    242      11     2272       8260               620   1 winlogon                                                     
    175      11     3260       9532              4396   0 WmiPrvSE                                                     
    480      26    48240      43292       0.34   5024   0 wsmprovhost                                                  
    802      29    63160      81628       1.27   5520   0 wsmprovhost 

Notable: explorer and OneDrive in session 1 (an interactive user is logged on); MsMpEng and NisSrv are Windows Defender (with smartscreen and SecurityHealthService also running); two wsmprovhost instances are WinRM provider hosts, i.e. remote PowerShell sessions, one of which is presumably this one
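The netstat and process listings above only line up by hand. The block below is an added example (not from the original notes) that joins the two: it parses `netstat -ano` text rather than calling Get-NetTCPConnection, because that cmdlet goes through CIM, which was access-denied on this host, and it resolves svchost PIDs to the services they host with `tasklist /svc`. No names beyond those two built-in tools are assumed.

```powershell
# Added example: map every LISTENING TCP port to its owning process and hosted services,
# using only netstat.exe, tasklist.exe and Get-Process (no CIM/WMI required).
function Get-ListeningPortOwner {
    $procName = @{}
    Get-Process | ForEach-Object { $procName[$_.Id] = $_.ProcessName }

    # tasklist /svc shows which services live inside each svchost instance
    $hosted = @{}
    tasklist /svc /fo csv | ConvertFrom-Csv | ForEach-Object { $hosted[[int]$_.PID] = $_.Services }

    # Matches both "0.0.0.0:5985" and "[::]:5985"; $ownerPid is used because $PID is read-only
    $pattern = '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$'
    netstat -ano | Select-String -Pattern $pattern | ForEach-Object {
        $m = $_.Matches[0]
        $ownerPid = [int]$m.Groups[3].Value
        [pscustomobject]@{
            Local    = $m.Groups[1].Value
            Port     = [int]$m.Groups[2].Value
            PID      = $ownerPid
            Process  = $procName[$ownerPid]
            Services = $hosted[$ownerPid]
        }
    }
}

# Ports bound to a non-system process, or to a process we cannot name, deserve a second look
Get-ListeningPortOwner | Sort-Object Port, Local | Format-Table -AutoSize
```

On this host the interesting rows are 5985 and 47001 owned by PID 4 (the kernel's HTTP.sys listener that WinRM sits behind) and 445 on PID 4 (SMB); anything listening under explorer, a user-session process, or an unnamed PID would be worth chasing.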

Tasks


PS C:\Users\edavies\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Get-ScheduledTask : Cannot connect to CIM server. Access denied 
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft  ...
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
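Get-ScheduledTask fails here because it queries the Task Scheduler through CIM, and CIM is access-denied in this session. schtasks.exe talks to the Task Scheduler service directly and usually still works. The block below is an added example (not from the original notes) that uses it to list non-Microsoft tasks with who they run as and what they execute, and flags those whose executable sits outside C:\Windows and C:\Program Files, since a task running as SYSTEM from a user-writable path is the classic local privilege escalation. The set of "trusted" prefixes is this example's assumption.

```powershell
# Added example: scheduled task enumeration without CIM, via schtasks /v CSV output.
function Get-NonMicrosoftTasks {
    # /v repeats the header row per task folder; drop those rows by matching the header text
    schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' -and $_.TaskName -notlike '\Microsoft\*' } |
        Select-Object TaskName, Status, 'Run As User', 'Task To Run', 'Schedule Type', 'Next Run Time'
}

function Test-UntrustedTaskBinary {
    param([string]$TaskToRun)
    # Assumption: anything under these roots is treated as trusted for this triage
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    $exe = ($TaskToRun -replace '^"([^"]+)".*$', '$1') -replace '^(\S+).*$', '$1'
    $full = [Environment]::ExpandEnvironmentVariables($exe)
    -not ($trusted | Where-Object { $full.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
}

Get-NonMicrosoftTasks | ForEach-Object {
    [pscustomobject]@{
        TaskName  = $_.TaskName
        RunAs     = $_.'Run As User'
        Command   = $_.'Task To Run'
        Schedule  = $_.'Schedule Type'
        Suspicious = (Test-UntrustedTaskBinary $_.'Task To Run')
    }
} | Sort-Object -Property Suspicious -Descending | Format-Table -Wrap -AutoSize
```

A task marked Suspicious that runs as SYSTEM or a domain admin is the one to check with `icacls` on the binary and its directory; the flag only says the path is unusual, not that it is writable.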
 
 

Firewall & AV


PS C:\Users\edavies\Documents> cmd /c netsh firewall show config
 
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
 
Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
 
Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
 
Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          Network Discovery
 
Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
 
Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable
 
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
PS C:\Users\edavies\Documents> Get-MpComputerStatus
PS C:\Users\edavies\Documents> Get-MpPreference | Select-Object -Property ExclusionPath
 
PS C:\Users\edavies\Documents> cmd /c reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\IpAddresses
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
    C:\Utils    REG_DWORD    0x0
    C:\Windows\System32    REG_DWORD    0x0
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths

Defender is running (MsMpEng and NisSrv are in the process list; Get-MpComputerStatus and Get-MpPreference returned nothing in this session, so the registry is the source here). Two path exclusions are configured: C:\Utils and C:\Windows\System32. Files dropped under C:\Utils will not be scanned by real-time protection, which makes it the natural staging directory for tooling on this host.
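Knowing an exclusion exists is only half the finding; the other half is whether the current user can actually write there. The block below is an added example (not from the original notes) that reads every exclusion type from both the local Defender key and the GPO-managed Policies key, then probes each excluded directory by creating and deleting an empty file, so the result reflects the real filesystem ACL rather than a guess from `icacls`. The probe file name is an assumption of this example and the write does touch disk.

```powershell
# Added example: enumerate Defender exclusions from the registry and test which excluded
# directories the current user can write to. Assumes both registry roots below may exist.
function Get-DefenderExclusions {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',            # locally configured
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'    # set by Group Policy
    )
    foreach ($root in $roots) {
        foreach ($kind in 'Paths', 'Extensions', 'Processes', 'IpAddresses') {
            $key = Get-Item -LiteralPath (Join-Path $root $kind) -ErrorAction SilentlyContinue
            if (-not $key) { continue }
            foreach ($name in $key.GetValueNames()) {          # the value NAME is the excluded item
                [pscustomobject]@{ Source = $root; Kind = $kind; Value = $name }
            }
        }
    }
}

function Test-WritableDirectory {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    # Assumption: a hidden-looking random file name is acceptable noise for this engagement
    $probe = Join-Path $Path ('.' + [guid]::NewGuid().ToString('N'))
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        $true
    } catch { $false }
}

Get-DefenderExclusions | ForEach-Object {
    $writable = if ($_.Kind -eq 'Paths') { Test-WritableDirectory $_.Value } else { $null }
    [pscustomobject]@{
        Kind                = $_.Kind
        Value               = $_.Value
        CurrentUserCanWrite = $writable
        Source              = ($_.Source -replace '^HKLM:\\SOFTWARE\\', '')
    }
} | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: a path exclusion stops on-access scanning of files in that directory, but AMSI still inspects PowerShell and other script content at execution time, so the exclusion helps a dropped binary far more than an in-memory script; and C:\Windows\System32 appearing as an exclusion is unusual enough on a workstation that it is worth noting in the report regardless of whether it is writable.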

Session Architecture


PS C:\Users\edavies\Documents> [Environment]::Is64BitProcess
True

Installed .NET Frameworks


PS C:\Users\edavies\Documents> cmd /c dir /s C:\Windows\Microsoft.NET\Framework\msbuild ; cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
    HttpNamespaceReservationInstalled    REG_DWORD    0x1
    NetTcpPortSharingInstalled    REG_DWORD    0x1
    NonHttpActivationInstalled    REG_DWORD    0x1
    SMSvcHostPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    WMIInstalled    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x80ff4
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04084
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x80ff4
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04084
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x80ff4
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04084
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x80ff4
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04084
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
    (Default)    REG_SZ    deprecated
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
    Install    REG_DWORD    0x1
    Version    REG_SZ    4.0.0.0

.NET 4.8.04084