System/Kernel
PS C:\Windows\system32> systeminfo ; Get-ComputerInfo
Host Name: DC1
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA656
Original Install Date: 1/8/2024, 1:09:13 PM
System Boot Time: 7/2/2024, 5:37:39 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz
BIOS Version: VMware, Inc. VMW71.00V.21805430.B64.2305221826, 5/22/2023
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume3
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-06:00) Central Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 1,712 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 2,060 MB
Virtual Memory: In Use: 2,739 MB
Page File Location(s): C:\pagefile.sys
Domain: blazorized.htb
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.11.22
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server
WindowsInstallDateFromRegistry : 1/8/2024 7:09:13 PM
WindowsProductId : 00429-00521-62775-AA656
WindowsProductName : Windows Server 2019 Standard
WindowsRegisteredOwner : Windows User
WindowsSystemRoot : C:\Windows
WindowsVersion : 1809
BiosCharacteristics : {4, 7, 9, 11...}
BiosBIOSVersion : {INTEL - 6040000, VMW71.00V.21805430.B64.2305221826,
VMware, Inc. - 10000}
BiosDescription : VMW71.00V.21805430.B64.2305221826
BiosEmbeddedControllerMajorVersion : 255
BiosEmbeddedControllerMinorVersion : 255
BiosFirmwareType : Uefi
BiosManufacturer : VMware, Inc.
BiosName : VMW71.00V.21805430.B64.2305221826
BiosPrimaryBIOS : True
BiosReleaseDate : 5/21/2023 7:00:00 PM
BiosSeralNumber : VMware-42 14 b8 1c ed 7d a1 48-f7 26 0f 92 9b c7 c3 4a
BiosSMBIOSBIOSVersion : VMW71.00V.21805430.B64.2305221826
BiosSMBIOSMajorVersion : 2
BiosSMBIOSMinorVersion : 7
BiosSMBIOSPresent : True
BiosSoftwareElementState : Running
BiosStatus : OK
BiosSystemBiosMajorVersion : 255
BiosSystemBiosMinorVersion : 255
BiosTargetOperatingSystem : 0
BiosVersion : INTEL - 6040000
CsAdminPasswordStatus : Enabled
CsAutomaticManagedPagefile : True
CsAutomaticResetBootOption : True
CsAutomaticResetCapability : True
CsBootOptionOnLimit : DoNotReboot
CsBootOptionOnWatchDog : DoNotReboot
CsBootROMSupported : True
CsBootStatus : {0, 0, 0, 33...}
CsBootupState : Normal boot
CsCaption : DC1
CsChassisBootupState : Safe
CsCurrentTimeZone : -300
CsDaylightInEffect : True
CsDescription : AT/AT COMPATIBLE
CsDNSHostName : DC1
CsDomain : blazorized.htb
CsDomainRole : PrimaryDomainController
CsEnableDaylightSavingsTime : True
CsFrontPanelResetStatus : Unknown
CsHypervisorPresent : True
CsInfraredSupported : False
CsKeyboardPasswordStatus : Unknown
CsManufacturer : VMware, Inc.
CsModel : VMware7,1
CsName : DC1
CsNetworkAdapters : {Ethernet0}
CsNetworkServerModeEnabled : True
CsNumberOfLogicalProcessors : 2
CsNumberOfProcessors : 1
CsProcessors : {AMD EPYC 7513 32-Core Processor }
CsOEMStringArray : {[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7],
Welcome to the Virtual Machine}
CsPartOfDomain : True
CsPauseAfterReset : 3932100000
CsPCSystemType : Desktop
CsPCSystemTypeEx : Desktop
CsPowerOnPasswordStatus : Disabled
CsPowerState : Unknown
CsPowerSupplyState : Safe
CsPrimaryOwnerName : Windows User
CsResetCapability : Other
CsResetCount : -1
CsResetLimit : -1
CsRoles : {LM_Workstation, LM_Server, SQLServer,
Primary_Domain_Controller...}
CsStatus : OK
CsSystemType : x64-based PC
CsThermalState : Safe
CsTotalPhysicalMemory : 4293939200
CsPhyicallyInstalledMemory : 4194304
CsWakeUpType : PowerSwitch
OsName : Microsoft Windows Server 2019 Standard
OsType : WINNT
OsOperatingSystemSKU : StandardServerEdition
OsVersion : 10.0.17763
OsBuildNumber : 17763
OsHotFixes : {}
OsBootDevice : \Device\HarddiskVolume3
OsSystemDevice : \Device\HarddiskVolume4
OsSystemDirectory : C:\Windows\system32
OsSystemDrive : C:
OsWindowsDirectory : C:\Windows
OsCountryCode : 1
OsCurrentTimeZone : -300
OsLocaleID : 0409
OsLocale : en-US
OsLocalDateTime : 7/2/2024 7:38:45 AM
OsLastBootUpTime : 7/2/2024 5:37:39 AM
OsUptime : 02:01:05.6571480
OsBuildType : Multiprocessor Free
OsCodeSet : 1252
OsDataExecutionPreventionAvailable : True
OsDataExecutionPrevention32BitApplications : True
OsDataExecutionPreventionDrivers : True
OsDataExecutionPreventionSupportPolicy : OptOut
OsDebug : False
OsDistributed : False
OsEncryptionLevel : 256
OsForegroundApplicationBoost : Maximum
OsTotalVisibleMemorySize : 4193300
OsFreePhysicalMemory : 1753080
OsTotalVirtualMemorySize : 4914196
OsFreeVirtualMemory : 2098528
OsInUseVirtualMemory : 2815668
OsSizeStoredInPagingFiles : 720896
OsFreeSpaceInPagingFiles : 614052
OsPagingFiles : {C:\pagefile.sys}
OsHardwareAbstractionLayer : 10.0.17763.4644
OsInstallDate : 1/8/2024 1:09:13 PM
OsManufacturer : Microsoft Corporation
OsMaxNumberOfProcesses : 4294967295
OsMaxProcessMemorySize : 137438953344
OsMuiLanguages : {en-US}
OsNumberOfProcesses : 113
OsNumberOfUsers : 23
OsArchitecture : 64-bit
OsLanguage : en-US
OsProductSuites : {TerminalServices, TerminalServicesSingleSession}
OsPortableOperatingSystem : False
OsPrimary : True
OsProductType : DomainController
OsRegisteredUser : Windows User
OsSerialNumber : 00429-00521-62775-AA656
OsServicePackMajorVersion : 0
OsServicePackMinorVersion : 0
OsStatus : OK
OsSuites : {TerminalServices, TerminalServicesSingleSession}
OsServerLevel : FullServer
KeyboardLayout : en-US
TimeZone : (UTC-06:00) Central Time (US & Canada)
PowerPlatformRole : Desktop
HyperVisorPresent : True
DeviceGuardSmartStatus : Off
PS C:\Windows\system32> cmd /c ver
Microsoft Windows [Version 10.0.17763.5936]Microsoft Windows Server 2019 Standard
10.0.17763.5936
x64-based PC
1 Processor(s)
Networks
PS C:\Windows\system32> ipconfig /all ; arp -a ; print route
Windows IP Configuration
Host Name . . . . . . . . . . . . : DC1
Primary Dns Suffix . . . . . . . : blazorized.htb
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : blazorized.htb
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-94-77-91
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.10.11.22(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.10.10.2
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Interface: 10.10.11.22 --- 0xf
Internet Address Physical Address Type
10.10.10.2 00-50-56-b9-1b-d3 dynamic
10.10.11.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
Unable to initialize device PRNPS C:\Windows\system32> netstat -ano | Select-String LIST
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 900
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 900
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 3068
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 2852
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 472
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1208
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1652
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 1872
TCP 0.0.0.0:49670 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:49671 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:49672 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:49678 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:49776 0.0.0.0:0 LISTENING 3068
TCP 0.0.0.0:49799 0.0.0.0:0 LISTENING 68
TCP 0.0.0.0:49853 0.0.0.0:0 LISTENING 5232
TCP 10.10.11.22:53 0.0.0.0:0 LISTENING 68
TCP 10.10.11.22:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 68
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:88 [::]:0 LISTENING 640
TCP [::]:135 [::]:0 LISTENING 900
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:464 [::]:0 LISTENING 640
TCP [::]:593 [::]:0 LISTENING 900
TCP [::]:1433 [::]:0 LISTENING 3068
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:9389 [::]:0 LISTENING 2852
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 472
TCP [::]:49665 [::]:0 LISTENING 1208
TCP [::]:49666 [::]:0 LISTENING 1652
TCP [::]:49667 [::]:0 LISTENING 640
TCP [::]:49669 [::]:0 LISTENING 1872
TCP [::]:49670 [::]:0 LISTENING 640
TCP [::]:49671 [::]:0 LISTENING 640
TCP [::]:49672 [::]:0 LISTENING 640
TCP [::]:49678 [::]:0 LISTENING 620
TCP [::]:49776 [::]:0 LISTENING 3068
TCP [::]:49799 [::]:0 LISTENING 68
TCP [::]:49853 [::]:0 LISTENING 5232
TCP [::1]:53 [::]:0 LISTENING 680.0.0.0:389
0.0.0.0:636
Users & Groups
PS C:\Windows\system32> net users ; ls C:\Users
User accounts for \\DC1
-------------------------------------------------------------------------------
Administrator Guest krbtgt
LSA_3211 LSA_3212 LSA_3213
NU_1055 NU_1056 NU_1057
NU_1058 RSA_4810 RSA_4811
RSA_4812 RSA_4813 RSA_4814
SSA_6010 SSA_6011 SSA_6012
SSA_6013
The command completed successfully.
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/2/2024 4:13 PM Administrator
d----- 2/25/2024 2:41 PM NU_1055
d-r--- 10/6/2021 3:46 PM Public
d----- 2/1/2024 8:36 AM RSA_4810
d----- 6/19/2024 8:39 AM SSA_6010RSA_4810
SSA_6010
PS C:\Windows\system32> net localgroup ; net group /DOMAIN
Aliases for \\DC1
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*SQLServer2005SQLBrowserUser$DC1
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
Group Accounts for \\DC1
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Local_Support_Administrators
*Normal_Users
*Protected Users
*Read-only Domain Controllers
*Remote_Support_Administrators
*Schema Admins
*Super_Support_Administrators
The command completed successfully.SQLServer2005SQLBrowserUser$DC1
Normal_Users
Remote_Support_Administrators
Super_Support_Administrators
Processes
PS C:\Windows\system32> cmd /c tasklist /svc ; ps
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
Registry 88 N/A
smss.exe 288 N/A
csrss.exe 368 N/A
wininit.exe 472 N/A
csrss.exe 480 N/A
winlogon.exe 540 N/A
services.exe 620 N/A
lsass.exe 640 N/A
svchost.exe 840 N/A
svchost.exe 860 N/A
svchost.exe 900 N/A
svchost.exe 944 N/A
svchost.exe 340 N/A
svchost.exe 716 N/A
svchost.exe 656 N/A
dwm.exe 1032 N/A
svchost.exe 1068 N/A
svchost.exe 1076 N/A
svchost.exe 1132 N/A
svchost.exe 1168 N/A
svchost.exe 1208 N/A
svchost.exe 1360 N/A
svchost.exe 1400 N/A
svchost.exe 1448 N/A
svchost.exe 1488 N/A
svchost.exe 1500 N/A
svchost.exe 1508 N/A
svchost.exe 1592 N/A
svchost.exe 1652 N/A
svchost.exe 1720 N/A
svchost.exe 1796 N/A
svchost.exe 1864 N/A
svchost.exe 1872 N/A
svchost.exe 1880 N/A
svchost.exe 1888 N/A
svchost.exe 1980 N/A
svchost.exe 1440 N/A
svchost.exe 2104 N/A
svchost.exe 2112 N/A
svchost.exe 2248 N/A
svchost.exe 2696 N/A
fontdrvhost.exe 2780 N/A
fontdrvhost.exe 2788 N/A
svchost.exe 2816 N/A
svchost.exe 2824 N/A
svchost.exe 2836 N/A
svchost.exe 2844 N/A
Microsoft.ActiveDirectory 2852 N/A
svchost.exe 2928 N/A
svchost.exe 3040 N/A
sqlservr.exe 3068 N/A
svchost.exe 2320 N/A
sqlwriter.exe 2292 N/A
sqlbrowser.exe 2488 N/A
vm3dservice.exe 2212 N/A
svchost.exe 2188 N/A
svchost.exe 2576 N/A
VGAuthService.exe 2232 N/A
vmtoolsd.exe 2076 N/A
svchost.exe 1372 N/A
dfssvc.exe 916 N/A
svchost.exe 3028 N/A
vm3dservice.exe 3336 N/A
svchost.exe 3384 N/A
svchost.exe 3808 N/A
WmiPrvSE.exe 3964 N/A
dllhost.exe 4064 N/A
msdtc.exe 4376 N/A
LogonUI.exe 5004 N/A
svchost.exe 2968 N/A
vm3dservice.exe 5224 N/A
svchost.exe 1948 N/A
svchost.exe 5668 N/A
sqlceip.exe 2512 N/A
svchost.exe 2464 N/A
svchost.exe 5844 N/A
ismserv.exe 744 N/A
dns.exe 68 N/A
dfsrs.exe 5232 N/A
vds.exe 1224 N/A
cmd.exe 5368 N/A
conhost.exe 2072 N/A
powershell.exe 4716 N/A
svchost.exe 5084 N/A
wsmprovhost.exe 2304 N/A
wsmprovhost.exe 4816 N/A
svchost.exe 5904 N/A
w3wp.exe 3744 N/A
w3wp.exe 2588 N/A
w3wp.exe 4592 N/A
conhost.exe 6228 N/A
conhost.exe 6280 N/A
cmd.exe 1564 N/A
conhost.exe 6672 N/A
powershell.exe 2572 N/A
mimikatz.exe 5576 N/A
w3wp.exe 552 N/A
cmd.exe 5484 N/A
conhost.exe 6600 N/A
powershell.exe 4320 N/A
cmd.exe 4708 N/A
conhost.exe 4952 N/A
powershell.exe 6508 N/A
nc64.exe 2636 N/A
powershell.exe 6888 N/A
cmd.exe 1756 N/A
conhost.exe 4532 N/A
powershell.exe 1576 N/A
nc64.exe 5136 N/A
powershell.exe 6852 N/A
svchost.exe 6684 N/A
cmd.exe 6876 N/A
tasklist.exe 4356 N/A
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
87 5 2608 4252 1564 0 cmd
80 5 4344 3968 0.00 1756 0 cmd
80 5 2276 3944 0.00 4708 0 cmd
80 5 2128 3844 0.02 5368 0 cmd
80 5 2260 3844 0.02 5484 0 cmd
80 5 4312 3944 0.02 6800 0 cmd
141 8 6492 11176 0.02 2072 0 conhost
143 8 6516 11316 0.05 4532 0 conhost
143 8 6472 11160 0.02 4952 0 conhost
158 10 6656 12636 6228 0 conhost
158 10 6656 12644 6280 0 conhost
141 8 6484 11240 0.14 6600 0 conhost
142 8 6480 4184 6672 0 conhost
141 9 6528 11184 0.02 7132 0 conhost
643 24 2356 5804 368 0 csrss
172 13 1768 4944 480 1 csrss
487 33 20544 29328 5232 0 dfsrs
162 9 2028 6168 916 0 dfssvc
265 14 3988 13948 4064 0 dllhost
5377 3700 68684 69284 68 0 dns
531 21 22396 41600 1032 1 dwm
64 7 1804 5000 2780 1 fontdrvhost
64 7 1732 4824 2788 0 fontdrvhost
0 0 56 8 0 0 Idle
145 12 2072 5932 744 0 ismserv
469 25 10240 46560 5004 1 LogonUI
2219 184 51812 68248 640 0 lsass
464 35 51408 64676 2852 0 Microsoft.ActiveDirectory.WebServices
218 12 2208 4184 5576 0 mimikatz
234 13 2936 10740 4376 0 msdtc
102 7 888 3828 0.02 2636 0 nc64
102 7 916 3844 0.00 5136 0 nc64
442 23 45804 47776 0.19 1576 0 powershell
490 30 118864 4180 2572 0 powershell
461 26 119932 128912 2.98 4320 0 powershell
639 46 133420 153076 4.28 4716 0 powershell
474 25 46572 49012 0.33 6496 0 powershell
442 22 45736 47944 0.22 6508 0 powershell
922 30 107520 120308 1.09 6852 0 powershell
528 25 80196 88024 0.48 6888 0 powershell
0 8 548 70840 88 0 Registry
616 14 5756 13856 620 0 services
53 3 492 1216 288 0 smss
167 12 1624 6000 2488 0 sqlbrowser
955 31 98756 102464 2512 0 sqlceip
1021 222 497616 356824 3068 0 sqlservr
153 10 1888 8272 2292 0 sqlwriter
277 13 4716 12040 340 0 svchost
219 12 1848 7996 656 0 svchost
141 16 3352 7660 716 0 svchost
96 5 964 4304 840 0 svchost
801 16 5308 14964 860 0 svchost
687 20 4204 10948 900 0 svchost
251 11 1800 7368 944 0 svchost
194 11 1828 8572 1068 0 svchost
165 7 1372 6276 1076 0 svchost
215 9 1848 7260 1132 0 svchost
253 13 3380 9260 1168 0 svchost
358 14 11288 16000 1208 0 svchost
404 32 8444 17600 1360 0 svchost
285 17 5356 15820 1372 0 svchost
369 18 4056 12328 1400 0 svchost
150 9 1556 6876 1440 0 svchost
256 15 2884 12200 1448 0 svchost
271 13 3180 12328 1488 0 svchost
436 9 2740 9240 1500 0 svchost
128 7 1244 6032 1508 0 svchost
332 10 2528 8784 1592 0 svchost
370 18 5504 15204 1652 0 svchost
141 10 1380 6208 1720 0 svchost
324 13 2076 9244 1796 0 svchost
268 13 2544 8264 1864 0 svchost
168 12 1704 7556 1872 0 svchost
175 9 1928 7588 1880 0 svchost
182 11 1956 8500 1888 0 svchost
231 12 2624 12452 1948 0 svchost
432 16 12452 21788 1980 0 svchost
223 12 2248 9560 2104 0 svchost
460 16 3104 11716 2112 0 svchost
176 10 2116 13288 2188 0 svchost
178 9 1756 8668 2248 0 svchost
145 8 1556 6700 2320 0 svchost
282 20 8000 13936 2464 0 svchost
275 16 5316 13372 2576 0 svchost
256 13 2960 11584 2696 0 svchost
116 7 1160 5784 2816 0 svchost
174 12 3904 11500 2824 0 svchost
136 7 1284 6056 2836 0 svchost
189 22 2588 10540 2844 0 svchost
429 20 18712 32092 2928 0 svchost
177 11 2412 13420 2968 0 svchost
145 9 1524 6792 3028 0 svchost
223 12 2092 7888 3040 0 svchost
420 26 3460 13396 3384 0 svchost
158 10 1924 7044 3808 0 svchost
177 10 3236 8112 5084 0 svchost
313 16 16212 17928 5668 0 svchost
333 18 6172 22484 5844 0 svchost
135 8 1420 6176 5904 0 svchost
128 7 1588 6436 6684 0 svchost
1901 0 196 152 4 0 System
213 16 2436 10888 1224 0 vds
174 11 3268 11928 2232 0 VGAuthService
155 8 1716 7244 2212 0 vm3dservice
148 10 1820 7708 3336 1 vm3dservice
144 9 1704 7456 5224 1 vm3dservice
400 23 10600 23376 2076 0 vmtoolsd
248 20 6068 16116 552 0 w3wp
243 21 7004 15980 2588 0 w3wp
1074 108 40744 114460 3744 0 w3wp
731 140 188760 263888 4592 0 w3wp
172 11 1392 7108 472 0 wininit
250 13 3516 17536 540 1 winlogon
487 23 15044 26540 3964 0 WmiPrvSE
1393 36 114240 140128 2304 0 wsmprovhost
793 25 62964 79932 4816 0 wsmprovhostsqlservr.exe
sqlwriter.exe
sqlbrowser.exe
sqlceip.exe
Tasks
PS C:\Windows\system32> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
PS C:\Windows\system32> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
Folder: \
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
Server Initial Configuration Task N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
.NET Framework NGEN v4.0.30319 N/A Ready
.NET Framework NGEN v4.0.30319 64 N/A Ready
.NET Framework NGEN v4.0.30319 64 Critic N/A Disabled
.NET Framework NGEN v4.0.30319 Critical N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management N/A Disabled
AD RMS Rights Policy Template Management N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
PolicyConverter N/A Disabled
VerifiedPublisherCertStoreCheck N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Microsoft Compatibility Appraiser 7/3/2024 3:53:20 AM Ready
ProgramDataUpdater N/A Ready
StartupAppTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
appuriverifierdaily N/A Ready
appuriverifierinstall N/A Ready
CleanupTemporaryState N/A Ready
DsSvcCleanup N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Pre-staged app cleanup N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Proxy N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
BitLocker Encrypt All Drives N/A Ready
BitLocker MDM policy Refresh N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
UninstallDeviceTask N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
BgTaskRegistrationMaintenanceTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ProactiveScan N/A Ready
SyspartRepair N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
CreateObjectTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Consolidator 7/2/2024 12:00:00 PM Ready
UsbCeip N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Data Integrity Scan 7/30/2024 8:27:05 AM Ready
Data Integrity Scan for Crash Recovery N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ScheduledDefrag N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Device 7/3/2024 4:43:04 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Scheduled N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
DXGIAdapterCache N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SilentCleanup N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Microsoft-Windows-DiskDiagnosticDataColl N/A Disabled
Microsoft-Windows-DiskDiagnosticResolver N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Diagnostics N/A Ready
StorageSense N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
EDP App Launch Task N/A Ready
EDP Auth Task N/A Ready
StorageCardEncryption Task N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ExploitGuard MDM policy Refresh N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Property Definition Sync N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
ReconcileFeatures N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
RefreshCache 7/3/2024 6:15:20 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ScanForUpdates N/A Disabled
ScanForUpdatesAsUser N/A Disabled
WakeUpAndContinueUpdates N/A Disabled
WakeUpAndScanForUpdates N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Notifications N/A Ready
WindowsActionDialog N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
WinSAT N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
MapsToastTask N/A Disabled
MapsUpdateTask N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
ProcessMemoryDiagnosticEvents N/A Disabled
RunFullMemoryDiagnostic N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
MNO Metadata Parser N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
LPRemove N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SystemSoundsService N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
GatherNetworkInfo N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Background Synchronization N/A Disabled
Logon Synchronization N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
SecureBootEncodeUEFI 1/1/2026 12:00:00 PM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Server Manager Performance Monitor N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Device Install Group Policy N/A Ready
Device Install Reboot Required N/A Ready
Sysprep Generalize Drivers N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
AnalyzeSystem N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
VerifyWinRE N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
CleanupOldPerfLogs N/A Ready
ServerManager N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
StartComponentCleanup N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Account Cleanup N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
CreateObjectTask N/A Ready
IndexerAutomaticMaintenance N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Collection N/A Disabled
Configuration N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SpaceAgentTask N/A Ready
SpaceManagerTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
HeadsetButtonPress N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Storage Tiers Management Initialization N/A Ready
Storage Tiers Optimization N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
MsCtfMonitor N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ForceSynchronizeTime N/A Ready
SynchronizeTime N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SynchronizeTimeZone N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
UPnPHostConfig N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
QueueReporting 7/2/2024 8:12:44 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Calibration Loader N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Scheduled Start 7/2/2024 7:55:32 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
CacheTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Automatic-Device-Join N/A Ready
Recovery-Check N/A DisabledFirewall & AV
PS C:\Windows\system32> netsh firewall show config
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Enable Yes Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .PS C:\Windows\system32> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
AMEngineVersion : 0.0.0.0
AMProductVersion : 4.18.23110.3
AMRunningMode : Not running
AMServiceEnabled : False
AMServiceVersion : 0.0.0.0
AntispywareEnabled : False
AntispywareSignatureAge : 0
AntivirusEnabled : False
AntivirusSignatureAge : 65535
BehaviorMonitorEnabled : False
ComputerID : CB4C438E-AC60-40E8-8515-493E04FFE6EF
ComputerState : 0
DefenderSignaturesOutOfDate : False
DeviceControlDefaultEnforcement : Unknown
DeviceControlPoliciesLastUpdated : 12/31/1600 6:00:00 PM
DeviceControlState : Unknown
FullScanAge : 4294967295
FullScanOverdue : False
FullScanRequired : False
InitializationProgress : ServiceStartedSuccessfully
IoavProtectionEnabled : False
IsTamperProtected : False
IsVirtualMachine : True
LastFullScanSource : 0
LastQuickScanSource : 0
NISEnabled : False
NISEngineVersion : 0.0.0.0
NISSignatureAge : 65535
OnAccessProtectionEnabled : False
ProductStatus : 1
QuickScanAge : 4294967295
QuickScanOverdue : False
RealTimeProtectionEnabled : False
RealTimeScanDirection : 0
RebootRequired : False
TamperProtectionSource : N/A
TDTMode : N/A
TDTSiloType : N/A
TDTStatus : N/A
TDTTelemetry : N/A
ExclusionPath : {N/A: Must be an administrator to view exclusions}AV is disabled
Session Architecture
PS C:\Windows\system32> [Environment]::Is64BitProcess
TrueInstalled .NET Frameworks
PS C:\Windows\system32> cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framew ork Setup\NDP" ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
ERROR: The system was unable to find the specified registry key or value.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
HttpNamespaceReservationInstalled REG_DWORD 0x1
NetTcpPortSharingInstalled REG_DWORD 0x1
NonHttpActivationInstalled REG_DWORD 0x1
SMSvcHostPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
WMIInstalled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
(Default) REG_SZ deprecated
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
Install REG_DWORD 0x1
Version REG_SZ 4.0.0.0.NET 4.7.03190