
# Recursively search the text, HTML and PDF files for references to archive.org.
# Note: Select-String reads files as plain text, so it can miss matches inside compressed PDF streams.
Get-ChildItem -Path C:\Users\user\Desktop\Files\Windows -Include *.txt, *.html, *.pdf -Recurse | Select-String -Pattern "archive.org"

# List the running services by name and display name.
Get-Service | Where-Object { $_.Status -eq "Running" } | Format-List Name,DisplayName

# List the .txt files in the current directory that were modified this year.
Get-ChildItem *.txt | Where-Object { $_.LastWriteTime.Year -eq (Get-Date).Year } | Format-Table Name,Length -AutoSize

In case archive.org gets taken down because of legal issues, we need to resolve the
article links back to their original URLs; otherwise the content may be lost forever.
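The Select-String search above only finds files that mention archive.org; the note asks for the next step, turning each Wayback capture link into the original article URL so the source can be preserved elsewhere. This Python helper is an added example, not part of the original worksheet; the sample text and the function names are constructed for illustration.

```python
import re

# A Wayback Machine capture URL wraps the original URL after a timestamp:
#   https://web.archive.org/web/20170325120000/https://example.com/page
# The timestamp is 4 to 14 digits and may carry a two-letter modifier such as id_ or im_.
WAYBACK_RE = re.compile(
    r"https?://web\.archive\.org/web/(\d{4,14})([a-z]{2}_)?/(https?://\S+?)(?=[\s\"'<>)]|$)"
)

# Constructed sample text standing in for the .txt/.html files the search above hits.
SAMPLE_TEXT = """\
Ref: https://web.archive.org/web/20170325120000/https://en.wikipedia.org/wiki/Windows_NT
Raw: <a href="https://web.archive.org/web/20160101id_/http://example.com/notes.html">notes</a>
Live: https://en.wikipedia.org/wiki/Protection_ring
"""


def resolve_wayback(url):
    """Return (timestamp, original_url) for a Wayback capture URL, or None if it is not one."""
    m = WAYBACK_RE.match(url.strip())
    if not m:
        return None
    return m.group(1), m.group(3).rstrip(".,;")


def extract_archive_links(text):
    """List every Wayback link in text as (archive_url, timestamp, original_url), in order."""
    return [(m.group(0), m.group(1), m.group(3).rstrip(".,;"))
            for m in WAYBACK_RE.finditer(text)]


def unique_originals(text):
    """Deduplicated, sorted original URLs: the list to mirror if archive.org disappears."""
    return sorted({orig for _, _, orig in extract_archive_links(text)})


if __name__ == "__main__":
    for archive_url, stamp, original in extract_archive_links(SAMPLE_TEXT):
        print(stamp, original, "<-", archive_url)
```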

Windows NT Information: https://en.wikipedia.org/wiki/Windows_NT
Windows NT Architecture: https://en.wikipedia.org/wiki/Architecture_of_Windows_NT
Microsoft Windows version history: https://en.wikipedia.org/wiki/Microsoft_Windows_version_history
What are Domains and Forests: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759073(v=ws.10)
Active Directory Flexible Single Master Operation (FSMO): https://support.microsoft.com/en-in/help/197132/active-directory-fsmo-roles-in-windows
List of Operating Systems: https://en.wikipedia.org/wiki/List_of_operating_systems
Comparison of Operating Systems: https://en.wikipedia.org/wiki/Comparison_of_operating_systems
Comparison of command shells: https://en.wikipedia.org/wiki/Comparison_of_command_shells
Protection Ring: https://en.wikipedia.org/wiki/Protection_ring
Intel Management Engine: https://en.wikipedia.org/wiki/Intel_Management_Engine
Overly detailed information regarding virtualization of Operating Systems: https://www.virtualbox.org/manual/ch10.html#swvirt-details
90-day Windows 10 VMs: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
180-day Windows Server 2008R2 VM: https://www.microsoft.com/en-us/download/details.aspx?id=2227
Guide to building a Windows VM learning environment: https://social.technet.microsoft.com/wiki/contents/articles/36438.windows-server-2016-build-a-windows-domain-lab-at-home-for-free.aspx
Microsoft self-paced labs: https://www.microsoft.com/handsonlabs/SelfPacedLabs
Building an ESXI home test lab: https://www.vmwareblog.org/build-home-lab-using-pc-part-1-esxi-6-7-u1/
SecLists: https://github.com/danielmiessler/SecLists

Don't get rusty on system survey skills

echo %date%-%time%
Wed 10/25/2017-06:09 PM

Systeminfo
Host Name: Sammy_Home
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.15063 N/A Build 15063
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00330-80195-76511-AA925
Original Install Date: 07/11/2015, 4:05:11 PM
System Boot Time: 10/23/2017, 9:40:19 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 58 Stepping 9 GenuineIntel
~2301 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 7/2/2015
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 2,095 MB
Available Physical Memory: 897 MB
Virtual Memory: Max Size: 2,671 MB
Virtual Memory: Available: 1,354 MB
Virtual Memory: In Use: 1,317 MB
Page File Location(s): C:\pagefile.sys
Domain:
Logon Server:
Hotfix(s): 0 Hotfix(s) Installed.

Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 192.168.1.11
[02]: fe80::20a6:6396:f4c8:5176
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
netstat -an
Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49670 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49691 0.0.0.0:0 LISTENING
TCP 192.168.1.11:139 0.0.0.0:0 LISTENING
TCP 192.168.1.11:49779 10.10.1.1:445 ESTABLISHED
TCP 192.168.1.11:49780 10.10.1.1:445 ESTABLISHED
TCP 192.168.1.11:49781 10.10.1.1:445 ESTABLISHED
TCP 192.168.1.11:49783 100.20.11.16:80 ESTABLISHED
TCP 192.168.1.11:49784 106.57.110.9:80 ESTABLISHED
TCP 192.168.1.11:3724 57.21.21.187:2136 ESTABLISHED
TCP 192.168.1.11:1119 57.21.21.187:8670 ESTABLISHED
TCP 192.168.1.11:6012 57.21.21.187:9248 ESTABLISHED
TCP 192.168.1.11:49782 10.10.1.1:445 ESTABLISHED
TCP 192.168.1.11:11111 0.0.0.0 LISTENING
UDP 0.0.0.0:123 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:5050 *:*
UDP 0.0.0.0:5353 *:*
UDP 0.0.0.0:5355 *:*
UDP 192.168.1.11:137 *:*
UDP 192.168.1.11:138 *:*
UDP 192.168.1.11:1900 *:*
UDP 192.168.1.11:63681 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:52839 *:*
UDP 127.0.0.1:55063 *:*
UDP 127.0.0.1:55066 *:*
UDP 127.0.0.1:63682 *:*

ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Sammy_Home
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet0:

Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
Physical Address. . . . . . . . . : 00-0C-29-1E-71-E2
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::20a6:6396:f4c8:5176%2(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled

net share

Share name Resource Remark

-------------------------------------------------------------------------------
C$ C:\ Default share
IPC$ Remote IPC
ADMIN$ C:\Windows Remote Admin
Movies C:\torrentz\dankfilms
Games C:\torrentz\gamesandcracks

The command completed successfully.

net user

User accounts for \\Sammy_Home

-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
Sammy
The command completed successfully.

Reg Query HKEY_LOCAL_MACHINE\system\currentcontrolset\control\hivelist

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\hivelist
\REGISTRY\MACHINE\HARDWARE REG_SZ
\REGISTRY\MACHINE\SECURITY REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SECURITY
\REGISTRY\USER\.DEFAULT REG_SZ \Device\HarddiskVolume1\Windows\System32\config\DEFAULT
\REGISTRY\MACHINE\SAM REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SAM
\REGISTRY\MACHINE\SYSTEM REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SYSTEM
\REGISTRY\MACHINE\SOFTWARE REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SOFTWARE
\REGISTRY\MACHINE\BCD00000000 REG_SZ \Device\HarddiskVolume1\Boot\BCD
\REGISTRY\USER\S-1-5-20 REG_SZ \Device\HarddiskVolume1\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
\REGISTRY\USER\S-1-5-19 REG_SZ \Device\HarddiskVolume1\Windows\ServiceProfiles\LocalService\NTUSER.DAT
\REGISTRY\USER\S-1-5-21-16913396378-174064525-815733227-1120 REG_SZ \Device\HarddiskVolume1\Users\sammy\NTUSER.DAT
\REGISTRY\USER\S-1-5-21-16913396378-174064525-815733227-1120_Classes REG_SZ \Device\HarddiskVolume1\Users\sammy\AppData\Local\Microsoft\Windows\UsrClass.dat

Pslist

Process information for Sammy_Home:

Name Pid Pri Thd Hnd Priv CPU Time Elapsed Time
Idle 0 0 2 0 52 110:37:12.562 56:29:23.569
System 4 8 102 2098 140 0:01:24.328 56:29:23.569
smss 284 11 2 52 444 0:00:00.125 56:29:23.561
csrss 372 13 10 483 1624 0:00:02.531 56:29:21.686
wininit 464 13 1 140 1280 0:00:00.140 56:29:21.523
services 604 9 5 318 3988 0:00:04.046 56:29:21.390
lsass 612 9 8 1057 5176 0:00:12.140 56:29:21.347
svchost 704 8 22 798 11152 0:00:08.890 56:29:20.967
fontdrvhost 740 8 5 45 1592 0:00:00.609 56:29:20.942
svchost 828 8 12 760 5148 0:00:12.031 56:29:20.561
svchost 976 8 57 2603 31840 0:02:26.703 56:29:19.715
svchost 992 8 3 133 1380 0:00:00.093 56:29:19.677
svchost 268 8 18 615 11440 0:00:45.203 56:29:19.569
svchost 400 8 16 639 12516 0:00:09.875 56:29:19.418
svchost 408 8 35 1002 10848 0:00:04.609 56:29:19.416
WUDFHost 844 8 7 419 2816 0:00:00.203 56:29:19.304
svchost 1088 8 19 591 6932 0:00:07.984 56:29:19.148
vmacthlp 1164 8 1 111 1392 0:00:00.031 56:29:18.806
svchost 1248 8 18 371 3796 0:00:00.515 56:29:18.523
svchost 1328 8 23 599 17188 0:00:05.125 56:29:18.401
svchost 1440 8 9 271 2792 0:00:00.312 56:29:18.050
svchost 1580 8 8 244 2108 0:00:00.546 56:29:17.390
svchost 1588 8 4 112 1500 0:00:00.000 56:29:17.380
svchost 1708 8 9 273 5580 0:00:08.531 56:29:16.817
svchost 1848 8 4 141 1652 0:00:00.031 56:29:16.600
spoolsv 1884 8 9 490 8748 0:00:00.187 56:29:16.563
svchost 1388 8 13 431 7948 0:00:05.312 56:29:16.045
vmtoolsd 1880 13 9 371 11244 0:00:51.046 56:29:15.991
VGAuthService 1804 8 2 169 4628 0:00:00.296 56:29:15.984
ManagementAgentHost 320 8 8 154 6296 0:00:04.421 56:29:15.968
MsMpEng 2056 8 21 661 120288 0:01:46.234 56:29:15.951
Memory Compression 2232 8 22 0 316 0:00:15.390 56:29:15.602
dllhost 2708 8 10 228 3864 0:00:00.312 56:29:13.838
WmiPrvSE 2900 8 10 310 9804 0:01:17.156 56:29:12.052
NisSrv 100 8 9 287 10344 0:00:59.718 56:29:10.829
msdtc 2960 8 9 196 3052 0:00:00.171 56:29:10.752
SearchIndexer 488 8 16 766 21108 0:00:02.625 56:27:10.922
csrss 5152 13 11 425 1656 0:00:04.515 54:10:15.986
winlogon 5076 13 6 235 2704 0:00:00.437 54:10:15.962
dwm 5292 13 10 444 101604 0:00:10.531 54:10:15.795
fontdrvhost 5716 8 5 45 3408 0:00:00.500 54:10:15.780
sihost 4160 8 11 461 5528 0:00:03.593 54:09:52.491
svchost 4128 8 12 402 6456 0:00:00.765 54:09:52.486
taskhostw 5372 8 14 453 6804 0:00:01.156 54:09:52.420
explorer 5260 8 84 2475 58548 0:00:38.937 54:09:52.216
SearchUI 1680 8 63 1153 102600 0:00:11.906 54:09:51.580
ShellExperienceHost 6128 8 36 1111 29384 0:00:05.531 54:09:51.539
RuntimeBroker 3644 8 17 548 11852 0:00:13.640 54:09:51.291
dllhost 4796 8 6 173 2308 0:00:00.328 54:09:48.050
MSASCuiL 5008 8 1 145 1840 0:00:00.062 54:09:40.308
vmtoolsd 5016 8 8 491 18704 0:01:43.687 54:09:39.872
OneDrive 2100 8 12 464 6492 0:00:00.500 54:09:37.134
notepad 5456 8 2 461 11104 0:00:01.640 54:04:35.648
powershell 972 8 9 470 57796 0:00:07.906 53:51:51.183
conhost 5688 8 3 226 3676 0:00:05.796 53:51:50.948
SkypeHost 5744 8 10 279 4780 0:00:00.078 53:14:20.349
LockAppHost 5244 8 4 236 4132 0:00:00.500 52:56:06.533
Wow 4988 8 1 253 12844 0:00:00.671 56:29:22.461
SearchProtocolHost 2340 4 10 350 2916 0:00:00.109 0:00:53.524
SearchFilterHost 3608 4 6 128 2060 0:00:00.031 0:00:53.504
audiodg 2532 8 8 158 6324 0:00:00.171 0:00:48.456
wowbot 2536 8 8 262 1606 0:00:11.906 56:29:23.906
WmiPrvSE 3224 8 6 157 2120 0:00:00.031 0:00:46.262
TrustedInstaller 4948 8 6 109 1812 0:00:00.031 0:00:46.206
TiWorker 4876 8 6 144 3904 0:00:01.203 0:00:46.186
dllhost 1564 8 7 113 1500 0:00:00.015 0:00:02.286
dllhost 1688 8 7 109 1404 0:00:00.000 0:00:02.219
cmd 5468 8 3 41 4660 0:00:00.062 0:00:02.194
conhost 4444 8 5 175 6192 0:00:00.187 0:00:02.189
pslist 4276 13 3 210 2400 0:00:00.093 0:00:00.093

Auditpol /get /category:*

System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
  User / Device Claims                    No Auditing
  Group Membership                        No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Plug and Play Events                    No Auditing
  Token Right Adjusted Events             No Auditing
Policy Change
  Audit Policy Change                     No Auditing
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
  User Account Management                 No Auditing
DS Access
  Directory Service Access                No Auditing
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing

PS C:\> autorunsc

Sysinternals Autoruns v13.80 - Autostart program viewer
Copyright (C) 2002-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
rdpclip
rdpclip
RDP Clipboard Monitor
Microsoft Corporation
6.3.15063.0
c:\windows\system32\rdpclip.exe
11/12/1946 10:19 PM

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\Windows\system32\userinit.exe
C:\Windows\system32\userinit.exe
Userinit Logon Application
Microsoft Corporation
6.3.15063.0
c:\windows\system32\userinit.exe
12/2/1993 1:42 PM

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
SystemPropertiesPerformance.exe
SystemPropertiesPerformance.exe
Change Computer Performance Settings
Microsoft Corporation
6.3.15063.0
c:\windows\system32\systempropertiesperformance.exe
12/22/1968 1:15 AM

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
explorer.exe
explorer.exe
Windows Explorer
Microsoft Corporation
6.3.15063.674
c:\windows\explorer.exe
11/5/1948 6:18 PM

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell
cmd.exe
cmd.exe
Windows Command Processor
Microsoft Corporation
6.3.15063.0
c:\windows\system32\cmd.exe
5/30/2017 6:10 AM

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wow enhance
c:\wow\wowbot.exe -l 11111 cmd.exe
12/12/1996 3:34 AM
VMware User Process
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
VMware Tools Core Service
VMware, Inc.
10.1.6.4793
c:\program files\vmware\vmware tools\vmtoolsd.exe
3/17/2017 10:20 AM

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
Microsoft Windows Media Player
%SystemRoot%\system32\unregmp2.exe /ShowWMP
Microsoft Windows Media Player Setup Utility
Microsoft Corporation
12.0.15063.0
c:\windows\system32\unregmp2.exe
7/30/1925 8:08 AM
Themes Setup
themeui.dll
Windows Theme API
Microsoft Corporation
6.3.15063.447
c:\windows\system32\themeui.dll
12/4/2029 11:24 AM
Microsoft Windows
"%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
Windows Mail
Microsoft Corporation
6.3.15063.0
c:\program files\windows mail\winmail.exe
5/18/2022 6:10 PM
Microsoft Windows Media Player
%SystemRoot%\system32\unregmp2.exe /FirstLogon
Microsoft Windows Media Player Setup Utility
Microsoft Corporation
12.0.15063.0
c:\windows\system32\unregmp2.exe
7/30/1925 8:08 AM
Windows Desktop Update
shell32.dll
Windows Shell Common Dll
Microsoft Corporation
6.3.15063.674
c:\windows\system32\shell32.dll
4/21/1977 1:10 PM
Web Platform Customizations
C:\Windows\System32\ie4uinit.exe -UserConfig
IE Per-User Initialization Utility
Microsoft Corporation
11.0.15063.608
c:\windows\system32\ie4uinit.exe
6/2/2032 1:15 PM
n/a
C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install
Windows host process (Rundll32)
Microsoft Corporation
6.3.15063.0
c:\windows\system32\rundll32.exe
4/6/2011 9:10 AM

HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
Microsoft Windows Media Player
%SystemRoot%\system32\unregmp2.exe /ShowWMP
Microsoft Windows Media Player Setup Utility
Microsoft Corporation
12.0.15063.0
c:\windows\syswow64\unregmp2.exe
6/25/2005 2:20 PM
Microsoft Windows
"%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
Windows Mail
Microsoft Corporation
6.3.15063.0
c:\program files (x86)\windows mail\winmail.exe
7/16/1996 3:49 AM
Microsoft Windows Media Player
%SystemRoot%\system32\unregmp2.exe /FirstLogon
Microsoft Windows Media Player Setup Utility
Microsoft Corporation
12.0.15063.0
c:\windows\syswow64\unregmp2.exe
6/25/2005 2:20 PM
n/a
C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
Windows host process (Rundll32)
Microsoft Corporation
6.3.15063.0
c:\windows\syswow64\rundll32.exe
2/29/1956 2:46 AM

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib
IconCodecService.dll
IconCodecService.dll
Converts a PNG part of the icon to a legacy bmp icon
Microsoft Corporation
6.3.15063.0
c:\windows\system32\iconcodecservice.dll
4/25/1938 5:45 PM

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
OneDrive
"C:\Users\scooper\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
Microsoft OneDrive
Microsoft Corporation
17.3.6816.313
c:\users\scooper\appdata\local\microsoft\onedrive\onedrive.exe

echo %date% %time%
3/13/2017 6:58 PM
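A survey like the one above is read for what does not belong: an autorun entry with no publisher, an image that lives outside the Windows or Program Files trees, and a command line carrying a number that netstat shows as a listening port. The following Python is an added example, not part of the original worksheet, that applies those three checks to constructed samples modelled on the survey output; the sample lines, the AUTORUNS_SAMPLE record layout and the function names are assumptions made here.

```python
import re

# Constructed sample of netstat -an output (not a real capture), modelled on the survey above.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.11:49779     10.10.1.1:445          ESTABLISHED
  TCP    192.168.1.11:11111     0.0.0.0:0              LISTENING
  UDP    0.0.0.0:123            *:*
"""

# Constructed autorun records as (location, entry name, command line, publisher),
# carrying the same fields an autorunsc listing shows for each entry.
AUTORUNS_SAMPLE = [
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "wow enhance",
     r"c:\wow\wowbot.exe -l 11111 cmd.exe", ""),
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "VMware User Process",
     r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr', "VMware, Inc."),
    ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "explorer.exe",
     "explorer.exe", "Microsoft Corporation"),
]

# Directories an autorun image is normally expected to live in (assumption for this example).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def listening_tcp_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state from netstat -an output."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def image_path(command):
    """Extract the executable path from a command line: the quoted string or the first token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)).lower()


def flag_autoruns(entries, ports):
    """Return (entry name, [reasons]) for every autorun that deserves a second look."""
    findings = []
    for _location, name, command, publisher in entries:
        reasons = []
        path = image_path(command)
        if not publisher:
            reasons.append("no publisher")
        if "\\" in path and not path.startswith(TRUSTED_DIRS):
            reasons.append("image outside Windows/Program Files: " + path)
        # A numeric argument equal to a listening port suggests a listener bound at logon.
        for arg in re.findall(r"\b(\d{2,5})\b", command):
            if int(arg) in ports:
                reasons.append("argument %s matches a listening TCP port" % arg)
        if reasons:
            findings.append((name, reasons))
    return findings
```

Running `flag_autoruns(AUTORUNS_SAMPLE, listening_tcp_ports(NETSTAT_SAMPLE))` on the samples flags only the "wow enhance" entry, for all three reasons.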
