Assessment


Because the two different exploitation methods established an initial foothold as both the sqlsvc and miscsvc accounts, I will be conducting the basic enumeration as the sqlsvc account, since it has higher privileges.

System/Kernel


PS C:\Windows\system32> systeminfo ; Get-ComputerInfo
 
Host Name:                 DC1
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00429-00521-62775-AA258
Original Install Date:     26/01/2020, 17:53:40
System Boot Time:          20/11/2023, 08:39:38
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
                           [02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-gb;English (United Kingdom)
Input Locale:              en-gb;English (United Kingdom)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,460 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 3,056 MB
Virtual Memory: In Use:    1,743 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    scrm.local
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.11.168
                                 [02]: fe80::489:296d:9719:61ba
                                 [03]: dead:beef::489:296d:9719:61ba
                                 [04]: dead:beef::248
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
 
 
WindowsBuildLabEx                                       : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : ServerStandard
WindowsInstallationType                                 : Server
WindowsInstallDateFromRegistry                          : 26/01/2020 17:53:40
WindowsProductId                                        : 00429-00521-62775-AA258
WindowsProductName                                      : Windows Server 2019 Standard
WindowsRegisteredOrganization                           : 
WindowsRegisteredOwner                                  : Windows User
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 1809
OsServerLevel                                           : FullServer
TimeZone                                                : (UTC+00:00) Dublin, Edinburgh, Lisbon, London
PowerPlatformRole                                       : Desktop
DeviceGuardSmartStatus                                  : Off

Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763 1809 FullServer x64 2 Processor(s)

Networks


ps c:\Windows\system32> ipconfig /all ; arp -a
 
Windows IP Configuration
 
   host name . . . . . . . . . . . . : DC1
   primary dns suffix  . . . . . . . : scrm.local
   node type . . . . . . . . . . . . : Hybrid
   ip routing enabled. . . . . . . . : No
   wins proxy enabled. . . . . . . . : No
   dns suffix search list. . . . . . : scrm.local
                                       htb
 
ethernet adapter ethernet0 2:
 
   connection-specific dns suffix  . : htb
   description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   physical address. . . . . . . . . : 00-50-56-B9-E9-B9
   dhcp enabled. . . . . . . . . . . : No
   autoconfiguration enabled . . . . : Yes
   ipv6 address. . . . . . . . . . . : dead:beef::248(Preferred) 
   lease obtained. . . . . . . . . . : 20 November 2023 08:39:59
   lease expires . . . . . . . . . . : 20 November 2023 16:09:58
   ipv6 address. . . . . . . . . . . : dead:beef::489:296d:9719:61ba(Preferred) 
   link-local ipv6 address . . . . . : fe80::489:296d:9719:61ba%14(Preferred) 
   ipv4 address. . . . . . . . . . . : 10.10.11.168(Preferred) 
   subnet mask . . . . . . . . . . . : 255.255.254.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%14
                                       10.10.10.2
   dhcpv6 iaid . . . . . . . . . . . : 369119318
   dhcpv6 client duid. . . . . . . . : 00-01-00-01-2C-EC-D3-B6-00-50-56-B9-E9-B9
   dns servers . . . . . . . . . . . : 8.8.8.8
                                       127.0.0.1
   netbios over tcpip. . . . . . . . : Enabled
   connection-specific dns suffix search list :
                                       htb
 
interface: 10.10.11.168 --- 0xe
  Internet Address      Physical Address      Type
  10.10.10.2            00-50-56-b9-d7-84     dynamic   
  10.10.11.255          ff-ff-ff-ff-ff-ff     static    
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
ps c:\Windows\system32> netstat -ano | Select-String LIST
 
  tcp    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  tcp    0.0.0.0:88             0.0.0.0:0              LISTENING       636
  tcp    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  tcp    0.0.0.0:389            0.0.0.0:0              LISTENING       636
  tcp    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  tcp    0.0.0.0:464            0.0.0.0:0              LISTENING       636
  tcp    0.0.0.0:593            0.0.0.0:0              LISTENING       896
  tcp    0.0.0.0:636            0.0.0.0:0              LISTENING       636
  tcp    0.0.0.0:1433           0.0.0.0:0              LISTENING       5992
  tcp    0.0.0.0:3268           0.0.0.0:0              LISTENING       636
  tcp    0.0.0.0:3269           0.0.0.0:0              LISTENING       636
  tcp    0.0.0.0:4411           0.0.0.0:0              LISTENING       2260
  tcp    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  tcp    0.0.0.0:9389           0.0.0.0:0              LISTENING       2880
  tcp    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  tcp    0.0.0.0:49664          0.0.0.0:0              LISTENING       484
  tcp    0.0.0.0:49665          0.0.0.0:0              LISTENING       1152
  tcp    0.0.0.0:49666          0.0.0.0:0              LISTENING       1612
  tcp    0.0.0.0:49667          0.0.0.0:0              LISTENING       636
  tcp    0.0.0.0:49673          0.0.0.0:0              LISTENING       636
  tcp    0.0.0.0:49674          0.0.0.0:0              LISTENING       636
  tcp    0.0.0.0:49697          0.0.0.0:0              LISTENING       2976
  tcp    0.0.0.0:49698          0.0.0.0:0              LISTENING       616
  tcp    0.0.0.0:49700          0.0.0.0:0              LISTENING       2844
  tcp    0.0.0.0:49709          0.0.0.0:0              LISTENING       2916
  tcp    10.10.11.168:53        0.0.0.0:0              LISTENING       2976
  tcp    10.10.11.168:139       0.0.0.0:0              LISTENING       4
  tcp    127.0.0.1:53           0.0.0.0:0              LISTENING       2976
  tcp    [::]:80                [::]:0                 LISTENING       4
  tcp    [::]:88                [::]:0                 LISTENING       636
  tcp    [::]:135               [::]:0                 LISTENING       896
  tcp    [::]:389               [::]:0                 LISTENING       636
  tcp    [::]:445               [::]:0                 LISTENING       4
  tcp    [::]:464               [::]:0                 LISTENING       636
  tcp    [::]:593               [::]:0                 LISTENING       896
  tcp    [::]:636               [::]:0                 LISTENING       636
  tcp    [::]:1433              [::]:0                 LISTENING       5992
  tcp    [::]:3268              [::]:0                 LISTENING       636
  tcp    [::]:3269              [::]:0                 LISTENING       636
  tcp    [::]:5985              [::]:0                 LISTENING       4
  tcp    [::]:9389              [::]:0                 LISTENING       2880
  tcp    [::]:47001             [::]:0                 LISTENING       4
  tcp    [::]:49664             [::]:0                 LISTENING       484
  tcp    [::]:49665             [::]:0                 LISTENING       1152
  tcp    [::]:49666             [::]:0                 LISTENING       1612
  tcp    [::]:49667             [::]:0                 LISTENING       636
  tcp    [::]:49673             [::]:0                 LISTENING       636
  tcp    [::]:49674             [::]:0                 LISTENING       636
  tcp    [::]:49697             [::]:0                 LISTENING       2976
  tcp    [::]:49698             [::]:0                 LISTENING       616
  tcp    [::]:49700             [::]:0                 LISTENING       2844
  tcp    [::]:49709             [::]:0                 LISTENING       2916
  tcp    [::1]:53               [::]:0                 LISTENING       2976
  tcp    [dead:beef::248]:53    [::]:0                 LISTENING       2976
  tcp    [dead:beef::489:296d:9719:61ba]:53  [::]:0                 LISTENING       2976
  tcp    [fe80::489:296d:9719:61ba%14]:53  [::]:0                 LISTENING       2976

0.0.0.0:4411

Users & Groups


PS C:\Windows\system32> NET user ; NET users /DOMAIN ; ls C:\Users
 
User accounts for \\DC1
 
-------------------------------------------------------------------------------
administrator            asmith                   backupsvc                
ehooker                  Guest                    jhall                    
khicks                   krbtgt                   ksimpson                 
miscsvc                  rsmith                   sdonington               
sjenkins                 sqlsvc                   tstar                    
The command completed successfully.
 
 
User accounts for \\DC1
 
-------------------------------------------------------------------------------
administrator            asmith                   backupsvc                
ehooker                  Guest                    jhall                    
khicks                   krbtgt                   ksimpson                 
miscsvc                  rsmith                   sdonington               
sjenkins                 sqlsvc                   tstar                    
The command completed successfully.
 
 
 
    Directory: C:\Users
 
 
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       05/11/2021     21:28                administrator                                                         
d-----       03/11/2021     19:31                miscsvc                                                               
d-r---       26/01/2020     17:54                Public                                                                
d-----       01/06/2022     14:58                sqlsvc                                                                
PS C:\Windows\system32> NET localgroup ; NET groups /DOMAIN
 
Aliases for \\DC1
 
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*SQLServer2005SQLBrowserUser$DC1
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
 
 
Group Accounts for \\DC1
 
-------------------------------------------------------------------------------
*AllUsers
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*HRShare
*ITShare
*ITUsers
*Key Admins
*NoAccess
*ProductionFloor1
*ProductionShare
*Protected Users
*Read-only Domain Controllers
*SalesShare
*SalesUsers
*Schema Admins
The command completed successfully.

SQLServer2005SQLBrowserUser$DC1 HRShare ITShare SalesShare ITUsers SalesUsers NoAccess ProductionFloor1 ProductionShare

Processes


ps c:\Windows\system32> ps
 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName                                                  
-------  ------    -----      -----     ------     --  -- -----------                                                  
    377      31    12372      20248              2844   0 certsrv                                                      
     74       5     2164       3736       0.00   5892   0 cmd                                                          
    152       9     6584      12680              1464   0 conhost                                                      
    137       8     6484      11452       0.06   2224   0 conhost                                                      
    559      20     2304       5472               376   0 csrss                                                        
    174      13     1696       4748               492   1 csrss                                                        
    391      33    16372      23252              2916   0 dfsrs                                                        
    158       8     2092       6328              3388   0 dfssvc                                                       
    256      14     4024      13648              3984   0 dllhost                                                      
  10381    7410   130012     128152              2976   0 dns                                                          
    540      22    23280      48460                64   1 dwm                                                          
     53       6     1660       4388              5044   1 fontdrvhost                                                  
     53       6     1500       4116              5052   0 fontdrvhost                                                  
      0       0       56          8                 0   0 Idle                                                         
    134      12     2028       5740              3044   0 ismserv                                                      
    476      26    10784      47124              5152   1 LogonUI                                                      
   2193     244    79588      72016               636   0 lsass                                                        
    592      31    38632      51176              2880   0 Microsoft.ActiveDirectory.WebServices                        
    225      13     3044      10312              4472   0 msdtc                                                        
    102       7     1032       4088       0.02   6016   0 nc64                                                         
    718      30    74140      88784       1.27   3840   0 powershell                                                   
    366      23    44940      47516       0.20   4724   0 powershell                                                   
      0      16      524     114800                88   0 Registry                                                     
    277      15    17212      18696              2260   0 ScrambleServer                                               
    634      14     6160      13460               616   0 services                                                     
     53       3      532       1208               292   0 smss                                                         
    756      31    71444      77964              4728   0 sqlceip                                                      
    847      58   395172     292144       4.45   5992   0 sqlservr                                                     
    139       9     1860       7936              2516   0 sqlwriter                                                    
    168       9     3164       7952               144   0 svchost                                                      
    261      13     3540      11128               340   0 svchost                                                      
    322      18     6712      23616               648   0 svchost                                                      
    132      16     3924       7992               656   0 svchost                                                      
    321      16    16688      18340               728   0 svchost                                                      
     89       5      904       3952               836   0 svchost                                                      
    741      16     5532      14980               856   0 svchost                                                      
    209      12     1692       7388               892   0 svchost                                                      
    745      19     5068      10756               896   0 svchost                                                      
    236      10     1720       6952               944   0 svchost                                                      
    190      11     1804       8368              1064   0 svchost                                                      
    138       7     1304       5972              1076   0 svchost                                                      
    221       9     2352       7876              1136   0 svchost                                                      
    363      13    10584      15068              1152   0 svchost                                                      
    260      15     3740       9760              1196   0 svchost                                                      
    368      18     4752      13140              1312   0 svchost                                                      
    412      32    11244      19368              1396   0 svchost                                                      
    261      16     3380      12872              1416   0 svchost                                                      
    219      12     2300       9444              1476   0 svchost                                                      
    328      10     2536       8644              1500   0 svchost                                                      
    236      12     2596      11892              1548   0 svchost                                                      
    433       9     2748       9108              1560   0 svchost                                                      
    121       7     1188       5708              1580   0 svchost                                                      
    360      17     4868      14496              1612   0 svchost                                                      
    134       9     1372       5912              1740   0 svchost                                                      
    317      13     2044       9076              1792   0 svchost                                                      
    138       9     1664       6772              1828   0 svchost                                                      
    189      12     2188       8484              1896   0 svchost                                                      
    165       8     2176       7556              1928   0 svchost                                                      
    133       8     2992       9724              1944   0 svchost                                                      
    178       9     1772       8476              1968   0 svchost                                                      
    143       9     1644       6848              2012   0 svchost                                                      
    421      16    13504      23096              2044   0 svchost                                                      
    468      19     3456      12516              2136   0 svchost                                                      
    238      25     3744      12888              2204   0 svchost                                                      
    191      15     6028      10396              2268   0 svchost                                                      
    133       7     1676       6408              2424   0 svchost                                                      
    138       8     1488       6292              2464   0 svchost                                                      
    164      10     1920       7596              2552   0 svchost                                                      
    207      11     2316       8588              2604   0 svchost                                                      
    297      20     9316      15744              2804   0 svchost                                                      
    115       7     1144       5568              2852   0 svchost                                                      
    167      12     3876      11008              2860   0 svchost                                                      
    129       7     1240       5808              2872   0 svchost                                                      
    497      21    18860      32608              2944   0 svchost                                                      
    265      13     2588       8044              3004   0 svchost                                                      
    224      14     4704      11980              3336   0 svchost                                                      
    269      15     3748      13424              3360   0 svchost                                                      
    168      10     2112      13220              3372   0 svchost                                                      
    236      13     2320       8344              3532   0 svchost                                                      
    407      26     3660      13328              3864   0 svchost                                                      
    170      11     2360      13040              4868   0 svchost                                                      
    229      12     2636      12456              5204   0 svchost                                                      
    152       9     1752       6908              5312   0 svchost                                                      
    253      14     3300      12844              5668   0 svchost                                                      
   1740       0      192        156                 4   0 System                                                       
    213      16     2416      10712              3880   0 vds                                                          
    174      11     2924      11168              2460   0 VGAuthService                                                
    148       8     1700       7240              2336   0 vm3dservice                                                  
    141      10     1800       7684              3640   1 vm3dservice                                                  
    137       9     1716       7468              5688   1 vm3dservice                                                  
    401      23    10932      22896              2588   0 vmtoolsd                                                     
    173      11     1520       6892               484   0 wininit                                                      
    244      12     2668      18244               544   1 winlogon                                                     
    399      20    19496      30508              3900   0 WmiPrvSE                                                     
    451      25    45392      62792               992   0 wsmprovhost                                                  
    924      29    49092      72244              3436   0 wsmprovhost                                                  

certsrv ScrambleServer

Services


PS C:\Windows\system32> Get-Service | Where-Object {$_.Status -eq "Running"}
 
Status   Name               DisplayName                           
------   ----               -----------                           
Running  ADWS               Active Directory Web Services         
Running  AppHostSvc         Application Host Helper Service       
Running  AzureAttestService AzureAttestService                    
Running  BFE                Base Filtering Engine                 
Running  BrokerInfrastru... Background Tasks Infrastructure Ser...
Running  CDPSvc             Connected Devices Platform Service    
Running  CertSvc            Active Directory Certificate Services 
Running  ClipSVC            Client License Service (ClipSVC)      
Running  COMSysApp          COM+ System Application               
Running  CoreMessagingRe... CoreMessaging                         
Running  CryptSvc           Cryptographic Services                
Running  DcomLaunch         DCOM Server Process Launcher          
Running  Dfs                DFS Namespace                         
Running  DFSR               DFS Replication                       
Running  Dhcp               DHCP Client                           
Running  DiagTrack          Connected User Experiences and Tele...
Running  DNS                DNS Server                            
Running  Dnscache           DNS Client                            
Running  DPS                Diagnostic Policy Service             
Running  DsmSvc             Device Setup Manager                  
Running  DsSvc              Data Sharing Service                  
Running  EventLog           Windows Event Log                     
Running  EventSystem        COM+ Event System                     
Running  FontCache          Windows Font Cache Service            
Running  gpsvc              Group Policy Client                   
Running  IKEEXT             IKE and AuthIP IPsec Keying Modules   
Running  iphlpsvc           IP Helper                             
Running  IsmServ            Intersite Messaging                   
Running  Kdc                Kerberos Key Distribution Center      
Running  KeyIso             CNG Key Isolation                     
Running  LanmanServer       Server                                
Running  LanmanWorkstation  Workstation                           
Running  LicenseManager     Windows License Manager Service       
Running  lmhosts            TCP/IP NetBIOS Helper                 
Running  LSM                Local Session Manager                 
Running  mpssvc             Windows Defender Firewall             
Running  MSDTC              Distributed Transaction Coordinator   
Running  MSSQLSERVER        SQL Server (MSSQLSERVER)              
Running  NcbService         Network Connection Broker             
Running  Netlogon           Netlogon                              
Running  netprofm           Network List Service                  
Running  NlaSvc             Network Location Awareness            
Running  nsi                Network Store Interface Service       
Running  PcaSvc             Program Compatibility Assistant Ser...
Running  PlugPlay           Plug and Play                         
Running  PolicyAgent        IPsec Policy Agent                    
Running  Power              Power                                 
Running  ProfSvc            User Profile Service                  
Running  RasMan             Remote Access Connection Manager      
Running  RpcEptMapper       RPC Endpoint Mapper                   
Running  RpcSs              Remote Procedure Call (RPC)           
Running  SamSs              Security Accounts Manager             
Running  Schedule           Task Scheduler                        
Running  ScrmOrders         Scramble Sales Orders Server          
Running  SENS               System Event Notification Service     
Running  ShellHWDetection   Shell Hardware Detection              
Running  SQLTELEMETRY       SQL Server CEIP service (MSSQLSERVER) 
Running  SQLWriter          SQL Server VSS Writer                 
Running  SstpSvc            Secure Socket Tunneling Protocol Se...
Running  StateRepository    State Repository Service              
Running  SysMain            SysMain                               
Running  SystemEventsBroker System Events Broker                  
Running  tapisrv            Telephony                             
Running  Themes             Themes                                
Running  TimeBrokerSvc      Time Broker                           
Running  UALSVC             User Access Logging Service           
Running  UserManager        User Manager                          
Running  UsoSvc             Update Orchestrator Service           
Running  vds                Virtual Disk                          
Running  VGAuthService      VMware Alias Manager and Ticket Ser...
Running  vm3dservice        VMware SVGA Helper Service            
Running  VMTools            VMware Tools                          
Running  W32Time            Windows Time                          
Running  W3SVC              World Wide Web Publishing Service     
Running  WAS                Windows Process Activation Service    
Running  Wcmsvc             Windows Connection Manager            
Running  WinHttpAutoProx... WinHTTP Web Proxy Auto-Discovery Se...
Running  Winmgmt            Windows Management Instrumentation    
Running  WinRM              Windows Remote Management (WS-Manag...
Running  wlidsvc            Microsoft Account Sign-in Assistant   
Running  WpnService         Windows Push Notifications System S...

CertSvc ScrmOrders
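The Networks, Processes and Services sections above were correlated by hand: listening port 4411 maps to PID 2260, which is ScrambleServer.exe, which is the ScrmOrders service. The following PowerShell does that join in one pass, so that every non-standard listener is reported with its owning process, service name and service binary path. This is an added example and not a command from the original writeup; it assumes a PowerShell 5.1 session on the host with rights to read process and service information, and the list of "already accounted for" ports is taken from the netstat output above.

```powershell
# Added example (not part of the original enumeration): correlate every TCP
# listener with its owning process and, where one exists, the Windows service
# that started it and the service binary path. Assumes PowerShell 5.1 on the host.

# Get-NetTCPConnection returns the owning PID for each listening socket.
$listeners = Get-NetTCPConnection -State Listen

# Build a PID -> service lookup. Win32_Service exposes ProcessId, Name and
# PathName (the full command line of the service binary). Keys are cast to [int]
# so that UInt32 values from CIM match the PIDs returned by Get-NetTCPConnection.
$svcByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object {
        $key = [int]$_.ProcessId
        if (-not $svcByPid.ContainsKey($key)) { $svcByPid[$key] = @() }
        $svcByPid[$key] += $_
    }

$report = foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $svcs = $svcByPid[[int]$l.OwningProcess]
    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        LocalPort    = $l.LocalPort
        PID          = $l.OwningProcess
        Process      = if ($proc) { $proc.ProcessName } else { '<exited>' }
        Service      = if ($svcs) { ($svcs.Name -join ',') } else { '' }
        BinaryPath   = if ($svcs) { (($svcs.PathName | Select-Object -Unique) -join ' | ') } else { '' }
    }
}

# Ports already explained by the netstat output above (AD, DNS, SMB, RPC, LDAP,
# Kerberos, SQL Server, WinRM, ADWS, HTTP). Anything else below the dynamic
# range (49152+) is a listener that still needs to be attributed.
$expected = 53,80,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,47001
$report |
    Where-Object { $_.LocalPort -notin $expected -and $_.LocalPort -lt 49152 } |
    Sort-Object LocalPort -Unique |
    Format-Table LocalPort, PID, Process, Service, BinaryPath -AutoSize
```

On the host enumerated above this should reduce to a single row for port 4411, showing the ScrambleServer process and the ScrmOrders service with its binary path, which is exactly the chain that had to be pieced together from three separate outputs. The same script is useful from the defensive side as a baseline check: run it on a known-good build and diff the output against production to spot listeners that no service account for.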

as miscsvc


*evil-winrm* ps c:\Users\miscsvc\Documents> services
 
Path                                                                                               Privileges Service          
----                                                                                               ---------- -------          
c:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe                                               False ADWS             
"c:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER       False MSSQLSERVER      
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe                                            True NetTcpPortSharing
c:\Windows\SysWow64\perfhost.exe                                                                        False PerfHost         
c:\Program Files\ScrambleCorp\SalesOrdersService\ScrambleServer.exe 4411                                False ScrmOrders       
"c:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"                              False Sense            
"c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe"                                  False SQLBrowser       
"c:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE" -i MSSQLSERVER      False SQLSERVERAGENT   
"c:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlceip.exe" -Service             False SQLTELEMETRY     
"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"                                         False SQLWriter        
c:\Windows\servicing\TrustedInstaller.exe                                                               False TrustedInstaller 
"c:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"                                  False VGAuthService    
"c:\Program Files\VMware\VMware Tools\vmtoolsd.exe"                                                     False VMTools          
"c:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2203.5-0\NisSrv.exe"                            True WdNisSvc         
"c:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2203.5-0\MsMpEng.exe"                           True WinDefend        
"c:\Program Files\Windows Media Player\wmpnetwk.exe"                                                    False WMPNetworkSvc    

Tasks


PS C:\Windows\system32> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
 
PS C:\Windows\system32> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
 
Folder: \
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Server Initial Configuration Task        N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
.NET Framework NGEN v4.0.30319           N/A                    Ready          
.NET Framework NGEN v4.0.30319 64        N/A                    Ready          
.NET Framework NGEN v4.0.30319 64 Critic N/A                    Disabled       
.NET Framework NGEN v4.0.30319 Critical  N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
AD RMS Rights Policy Template Management N/A                    Disabled       
AD RMS Rights Policy Template Management N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
PolicyConverter                          N/A                    Ready          
VerifiedPublisherCertStoreCheck          N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Microsoft Compatibility Appraiser        21/11/2023 03:54:24    Ready          
ProgramDataUpdater                       N/A                    Ready          
StartupAppTask                           N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
appuriverifierdaily                      N/A                    Ready          
appuriverifierinstall                    N/A                    Ready          
CleanupTemporaryState                    N/A                    Ready          
DsSvcCleanup                             N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Pre-staged app cleanup                   N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Proxy                                    N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
BitLocker Encrypt All Drives             N/A                    Ready          
BitLocker MDM policy Refresh             N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
UninstallDeviceTask                      N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
BgTaskRegistrationMaintenanceTask        N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
ProactiveScan                            N/A                    Ready          
SyspartRepair                            N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
License Validation                       N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
CreateObjectTask                         N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Consolidator                             20/11/2023 18:00:00    Ready          
UsbCeip                                  N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Data Integrity Scan                      18/12/2023 18:17:56    Ready          
Data Integrity Scan for Crash Recovery   N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
ScheduledDefrag                          N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Device                                   21/11/2023 04:10:42    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Scheduled                                N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
DXGIAdapterCache                         N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
SilentCleanup                            N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Microsoft-Windows-DiskDiagnosticDataColl N/A                    Disabled       
Microsoft-Windows-DiskDiagnosticResolver N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Diagnostics                              N/A                    Ready          
StorageSense                             N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
EDP App Launch Task                      N/A                    Ready          
EDP Auth Task                            N/A                    Ready          
StorageCardEncryption Task               N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
ExploitGuard MDM policy Refresh          N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Property Definition Sync                 N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
ReconcileFeatures                        N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
RefreshCache                             21/11/2023 13:31:24    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
ScanForUpdates                           N/A                    Disabled       
ScanForUpdatesAsUser                     N/A                    Disabled       
SmartRetry                               N/A                    Disabled       
WakeUpAndContinueUpdates                 N/A                    Disabled       
WakeUpAndScanForUpdates                  N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
TempSignedLicenseExchange                N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Notifications                            N/A                    Ready          
WindowsActionDialog                      N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
WinSAT                                   N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
MapsToastTask                            N/A                    Disabled       
MapsUpdateTask                           N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
ProcessMemoryDiagnosticEvents            N/A                    Disabled       
RunFullMemoryDiagnostic                  N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
MNO Metadata Parser                      N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
LPRemove                                 N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
SystemSoundsService                      N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
GatherNetworkInfo                        N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Background Synchronization               N/A                    Disabled       
Logon Synchronization                    N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Server Manager Performance Monitor       N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Device Install Group Policy              N/A                    Ready          
Device Install Reboot Required           N/A                    Ready          
Sysprep Generalize Drivers               N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
AnalyzeSystem                            N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
LoginCheck                               N/A                    Disabled       
Registration                             N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
VerifyWinRE                              N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
CleanupOldPerfLogs                       N/A                    Ready          
ServerManager                            N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
StartComponentCleanup                    N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Account Cleanup                          N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
CreateObjectTask                         N/A                    Ready          
IndexerAutomaticMaintenance              N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Collection                               N/A                    Disabled       
Configuration                            N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
SpaceAgentTask                           N/A                    Ready          
SpaceManagerTask                         N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
HeadsetButtonPress                       N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Storage Tiers Management Initialization  N/A                    Ready          
Storage Tiers Optimization               N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
MsCtfMonitor                             N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
ForceSynchronizeTime                     N/A                    Ready          
SynchronizeTime                          N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
SynchronizeTimeZone                      N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
UPnPHostConfig                           N/A                    Disabled       
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
QueueReporting                           20/11/2023 16:08:47    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
BfeOnServiceStartTypeChange              N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
UpdateLibrary                            N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Calibration Loader                       N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Scheduled Start                          21/11/2023 08:38:51    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
CacheTask                                N/A                    Ready          
 
TaskName                                 Next Run Time          Status         
======================================== ====================== ===============
Automatic-Device-Join                    N/A                    Ready          
Recovery-Check                           N/A                    Disabled       

Firewall & AV


PS C:\Windows\system32> netsh firewall show config
 
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
 
Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
4411   TCP       Enable  Inbound               Scramble Sales Orders
1433   TCP       Enable  Inbound               SQL Server
 
Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
Enable   Yes         Network Discovery
 
Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
4411   TCP       Enable  Inbound               Scramble Sales Orders
1433   TCP       Enable  Inbound               SQL Server
 
Log configuration:
-------------------------------------------------------------------
File location   = c:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable
 
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .

The firewall is partially enabled (both profiles report Operational mode = Enable) yet not effective: the only explicit rules are inbound allows for 4411/TCP (Scramble Sales Orders) and 1433/TCP (SQL Server), and logging of dropped packets and connections is disabled, so nothing it does would be recorded in pfirewall.log.

PS C:\Windows\system32> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
 
 
AMEngineVersion                  : 0.0.0.0
AMProductVersion                 : 4.18.2203.5
AMRunningMode                    : Not running
AMServiceEnabled                 : False
AMServiceVersion                 : 0.0.0.0
AntispywareEnabled               : False
AntispywareSignatureAge          : 4294967295
AntispywareSignatureLastUpdated  : 
AntispywareSignatureVersion      : 0.0.0.0
AntivirusEnabled                 : False
AntivirusSignatureAge            : 4294967295
AntivirusSignatureLastUpdated    : 
AntivirusSignatureVersion        : 0.0.0.0
BehaviorMonitorEnabled           : False
ComputerID                       : 69402027-314F-FB7F-C5F3-C397EBC6EA91
ComputerState                    : 0
DefenderSignaturesOutOfDate      : False
DeviceControlDefaultEnforcement  : N/A
DeviceControlPoliciesLastUpdated : 01/01/1601 00:00:00
DeviceControlState               : N/A
FullScanAge                      : 4294967295
FullScanEndTime                  : 
FullScanOverdue                  : False
FullScanRequired                 : False
FullScanSignatureVersion         : 
FullScanStartTime                : 
IoavProtectionEnabled            : False
IsTamperProtected                : False
IsVirtualMachine                 : True
LastFullScanSource               : 0
LastQuickScanSource              : 0
NISEnabled                       : False
NISEngineVersion                 : 0.0.0.0
NISSignatureAge                  : 4294967295
NISSignatureLastUpdated          : 
NISSignatureVersion              : 0.0.0.0
OnAccessProtectionEnabled        : False
ProductStatus                    : 1
QuickScanAge                     : 4294967295
QuickScanEndTime                 : 
QuickScanOverdue                 : False
QuickScanSignatureVersion        : 
QuickScanStartTime               : 
RealTimeProtectionEnabled        : False
RealTimeScanDirection            : 0
RebootRequired                   : False
TamperProtectionSource           : N/A
TDTMode                          : N/A
TDTStatus                        : N/A
TDTTelemetry                     : N/A
PSComputerName                   : 
 
ExclusionPath : {N/A: Must be and administrator to view exclusions}

AV is disabled: the Defender engine is not running, real-time, on-access, IOAV and behaviour monitoring are all False, tamper protection is off, and a signature age of 4294967295 (uint32 max) means signatures were never updated on this host.
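A small triage helper for the firewall and Defender output above, added here as an example and not part of the original writeup. It parses the two text formats the page shows (the legacy netsh port/log tables and the Get-MpComputerStatus list) and returns the findings a reviewer would record; the samples are constructed excerpts of the page's own output, and the property names are taken from it.

```python
import re

# Constructed excerpt of the `netsh firewall show config` output shown above.
NETSH_SAMPLE = """\
Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
4411   TCP       Enable  Inbound               Scramble Sales Orders
1433   TCP       Enable  Inbound               SQL Server

Log configuration:
-------------------------------------------------------------------
File location   = c:\\Windows\\system32\\LogFiles\\Firewall\\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable
"""

# Constructed excerpt of the `Get-MpComputerStatus` output shown above.
DEFENDER_SAMPLE = """\
AMRunningMode                    : Not running
AMServiceEnabled                 : False
AntivirusEnabled                 : False
AntivirusSignatureAge            : 4294967295
BehaviorMonitorEnabled           : False
IoavProtectionEnabled            : False
IsTamperProtected                : False
OnAccessProtectionEnabled        : False
RealTimeProtectionEnabled        : False
"""

# One legacy netsh port rule: "4411   TCP   Enable  Inbound   Scramble Sales Orders"
PORT_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(\w+)\s+(Inbound|Outbound)\s+(.+?)\s*$")
# "Key = Value" (netsh) and "Key : Value" (PowerShell list format) lines
KV_RE = re.compile(r"^([^=:]+?)\s*[=:]\s*(.*?)\s*$")

# Defender switches that are all True on a protected host (names as printed above).
PROTECTION_FLAGS = (
    "amserviceenabled", "antivirusenabled", "antispywareenabled",
    "realtimeprotectionenabled", "behaviormonitorenabled",
    "onaccessprotectionenabled", "ioavprotectionenabled", "istamperprotected",
)
NEVER_UPDATED = "4294967295"  # uint32 max: the signature age when no update ever ran


def parse_netsh_ports(text):
    """Return port rules as (port, proto, mode, direction, name) tuples.
    The same rule is printed once per profile, so duplicates are dropped."""
    rules = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            rule = (int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5))
            if rule not in rules:
                rules.append(rule)
    return rules


def parse_kv(text):
    """Parse key/value lines into a dict with lower-cased keys; other lines are skipped."""
    out = {}
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if m:
            out[m.group(1).lower()] = m.group(2)
    return out


def triage(netsh_text, defender_text):
    """Return the findings a reviewer would record for this host, as strings."""
    findings = []
    fw = parse_kv(netsh_text)
    for key in ("dropped packets", "connections"):  # pfirewall.log coverage
        if fw.get(key, "").lower() == "disable":
            findings.append(f"firewall logging off: {key}")
    for port, proto, mode, direction, name in parse_netsh_ports(netsh_text):
        if mode.lower() == "enable" and direction == "Inbound":
            findings.append(f"inbound allow {port}/{proto}: {name}")
    av = parse_kv(defender_text)
    if av.get("amrunningmode", "").lower() == "not running":
        findings.append("defender engine not running")
    for flag in PROTECTION_FLAGS:
        if flag in av and av[flag] != "True":
            findings.append(f"defender {flag} = {av[flag]}")
    for key in ("antivirussignatureage", "antispywaresignatureage", "nissignatureage"):
        if av.get(key) == NEVER_UPDATED:
            findings.append(f"{key}: signatures never updated")
    return findings
```

Feed the full captured output of both commands to triage() and each weak setting comes back as one line; on this host that is the disabled firewall logging, the two inbound allows, and every Defender protection reported off.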

Session Architecture


PS C:\Windows\system32> [Environment]::Is64BitProcess
True

Installed .NET Frameworks


PS C:\Windows\system32> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework ; cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
 Volume in drive C has no label.
 Volume Serial Number is 5805-B4B6
 
 Directory of C:\Windows\Microsoft.NET\Framework
 
15/09/2018  07:19    <DIR>          .
15/09/2018  07:19    <DIR>          ..
15/09/2018  07:19    <DIR>          v1.0.3705
15/09/2018  07:19    <DIR>          v1.1.4322
15/09/2018  07:19    <DIR>          v2.0.50727
20/11/2023  08:52    <DIR>          v4.0.30319
               0 File(s)              0 bytes
               6 Dir(s)  15,979,393,024 bytes free
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
    HttpNamespaceReservationInstalled    REG_DWORD    0x1
    NetTcpPortSharingInstalled    REG_DWORD    0x1
    NonHttpActivationInstalled    REG_DWORD    0x1
    SMSvcHostPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    WMIInstalled    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
    (Default)    REG_SZ    deprecated
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
    Install    REG_DWORD    0x1
    Version    REG_SZ    4.0.0.0

Installed .NET Framework: 4.7.03190 (Release 0x70bf6 under NDP\v4\Full); the v1.0, v1.1 and v2.0 directories exist on disk but have no NDP registry entries.