Clever uses of Windows commands (continuously updated)
netstat -ano

netstat -anvb

netstat -s -p [tcp|udp|ip|icmp]

# Disable/enable the firewall (the legacy "netsh firewall" context is deprecated on Windows Vista and later; "netsh advfirewall" replaces it)
netsh firewall set opmode disable
netsh firewall set opmode enable
# Currently running processes
tasklist /m /svc
# Status of all services, or of the specified service
sc query [ServiceName]
# List all drivers on this machine
driverquery
# AccessChk v6.12 download
https://docs.microsoft.com/zh-cn/sysinternals/downloads/accesschk
Usage:
accesschk64 "administrator" e:\1 # find all files under e:\1 to which the administrator account has access
Using AccessChk
Usage: accesschk [-s][-e][-u][-r][-w][-n][-v][-f <account>,...][[-a]|[-k]|[-p [-f] [-t]]|[-h][-o [-t <object type>]][-c]|[-d]] [[-l [-i]]|[username]] <file, directory, registry key, process, service, object>
| Parameter | Description |
|---|---|
| -a | Name is a Windows account right. Specify "*" as the name to show all rights assigned to a user. Note that when you specify a specific right, only groups and accounts directly assigned to the right are displayed. |
| -c | Name is a Windows Service, e.g. ssdpsrv. Specify "*" as the name to show all services and "scmanager" to check the security of the Service Control Manager. |
| -d | Only process directories or top-level keys |
| -e | Only show explicitly set Integrity Levels (Windows Vista and higher only) |
| -f | If following -p, shows full process token information including groups and privileges. Otherwise is a list of comma-separated accounts to filter from the output. |
| -h | Name is a file or printer share. Specify '*' as the name to show all shares. |
| -i | Ignore objects with only inherited ACEs when dumping full access control lists. |
| -k | Name is a Registry key, e.g. hklm\software |
| -l | Show full security descriptor. Add -i to ignore inherited ACEs. |
| -n | Show only objects that have no access |
| -o | Name is an object in the Object Manager namespace (default is root). To view the contents of a directory, specify the name with a trailing backslash or add -s. Add -t and an object type (e.g. section) to see only objects of a specific type. |
| -p | Name is a process name or PID, e.g. cmd.exe (specify "*" as the name to show all processes). Add -f to show full process token information, including groups and privileges. Add -t to show threads. |
| -q | Omit Banner |
| -r | Show only objects that have read access |
| -s | Recurse |
| -t | Object type filter, e.g. "section" |
| -u | Suppress errors |
| -v | Verbose (includes Windows Vista Integrity Level) |
| -w | Show only objects that have write access |
If you specify a user or group name and path, AccessChk will report the effective permissions for that account; otherwise it will show the effective access for accounts referenced in the security descriptor.
By default, the path name is interpreted as a file system path (use the "\pipe\" prefix to specify a named pipe path). For each object, AccessChk prints R if the account has read access, W for write access, and nothing if it has neither. The -v switch has AccessChk dump the specific accesses granted to an account.
Examples
The following command reports the accesses that the Power Users account has to files and directories in \Windows\System32:
accesschk "power users" c:\windows\system32
This command shows which Windows services members of the Users group have write access to:
accesschk users -cw \*
To see what Registry keys under HKLM\CurrentUser a specific account has no access to:
accesschk -kns austin\mruss hklm\software
To see the security on the HKLM\Software key:
accesschk -k hklm\software
To see all files under \Users\Mark on Vista that have an explicit integrity level:
accesschk -e -s c:\users\mark
To see all global objects that Everyone can modify:
accesschk -wuo everyone \basednamedobjects
# To view the privileges associated with the current account
whoami /priv
# A fun bit of "steganography": cmd.exe substring expansion of environment variables (%VAR:~start,len%) spells a command out of characters taken from existing variable values, with ^ used as the escape character
^"%LOCALAPPDATA:~-3%^%SYSTEMROOT:~0,1%^" # calc
^%LOCALAPPDATA:~0,1%^%Programdata:~9,1%^%SYSTEMROOT:~-4,1%^ # cmd
rundll32.exe user32.dll LockWorkStation # lock the workstation
%APPDATA:~-7,1%^%APPDATA:~3,1%^%comspec:~5,1%^%OS:~3,1%^%TEMP:~-6,1%^%TEMP:~-6,1%^32^%comspec:~-4%^ %temp:~3,4%^32^.d^%TEMP:~-6,1%^%TEMP:~-6,1%^ LockWorkStation # the same lock-workstation command, obfuscated
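To look at this trick from the defender's side, here is an added Python example (not from the original post) that reproduces cmd.exe's %VAR:~start,len% substring expansion and caret-escape removal against a constructed sample environment, so a command line captured from process-creation logs can be decoded and flagged for review; the profile paths in SAMPLE_ENV are assumptions.

```python
import re

# Constructed sample environment (assumption: default paths for a user "alice")
SAMPLE_ENV = {
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "SYSTEMROOT": r"C:\Windows",
    "PROGRAMDATA": r"C:\ProgramData",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "OS": "Windows_NT",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}
# Matches %NAME%, %NAME:~start% and %NAME:~start,len% (cmd.exe substring syntax)
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*)(?::~(-?\d+)(?:,(-?\d+))?)?%")

def cmd_substring(value, start, length=None):
    """cmd.exe rules: negative start counts from the end, negative len drops
    that many characters from the end, a missing len means 'to the end'."""
    n = len(value)
    start = max(n + start, 0) if start < 0 else min(start, n)
    if length is None:
        end = n
    elif length < 0:
        end = max(n + length, 0)
    else:
        end = min(start + length, n)
    return value[start:end] if end > start else ""

def expand_cmdline(raw, env=SAMPLE_ENV):
    """Expand %VAR% references (names are case-insensitive), then strip caret
    escapes, in the order cmd.exe applies them. Unknown variables are left as
    typed, which is what interactive cmd.exe does."""
    upper_env = {k.upper(): v for k, v in env.items()}
    def repl(m):
        name, start, length = m.group(1).upper(), m.group(2), m.group(3)
        if name not in upper_env:
            return m.group(0)
        if start is None:
            return upper_env[name]
        return cmd_substring(upper_env[name], int(start),
                             None if length is None else int(length))
    expanded = VAR_RE.sub(repl, raw)
    # '^x' becomes 'x'; a caret at the very end (line continuation) is dropped
    return re.sub(r"\^(.|$)", r"\1", expanded)

def is_obfuscated(raw, env=SAMPLE_ENV):
    """Triage heuristic for process-creation logs: substring expansions or carets
    are present and the decoded command line differs from the raw one."""
    return (":~" in raw or "^" in raw) and expand_cmdline(raw, env).lower() != raw.lower()
```

Real decoding must use the environment of the user who ran the command, since the characters picked out depend on the profile path.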
References:
http://memorycorruption.org/windows/2018/07/29/Notes-On-Windows-Privilege-Escalation.html
https://docs.microsoft.com/zh-cn/sysinternals/downloads/accesschk
http://blog.51cto.com/rangercyh/497497
https://xz.aliyun.com/t/2519