Search for malware on Windows computers with the command line
Hopefully the title of this article does not scare you off. We say this because many people prefer to stay away from the Windows command line and are more comfortable with graphical user interfaces. However, when it comes to investigating a malware infection, command-line tools have many benefits that GUI-based tools do not always offer.
First, launch the command prompt. Go to Start -> Run and type 'cmd.exe'. It is important to type the '.exe' at the end: this is the safer way of calling the command prompt. To deceive users, some malicious programs name themselves 'cmd.com', and in that case typing just 'cmd' can launch the malware instead of the real command prompt. Keep in mind that on a badly compromised system even this is no guarantee: malware that has replaced system binaries or hooked the APIs they rely on can also taint what netstat and the other commands below report, so for a serious investigation run known-good copies of the tools from trusted media.
'netstat'
Next, when the command prompt appears, run the netstat command. 'netstat -na' lists the TCP and UDP ports in use on the computer. Adding 'o' ('netstat -nao') also shows the process ID of the process using each port. Starting with XP SP2, adding 'b' ('netstat -naob') shows the EXE file name behind each port, along with the dynamic link libraries (DLLs) it loaded to communicate with the network. Note, however, that '-b' consumes a lot of CPU time and takes noticeably longer to run, and on Windows Vista and later it also requires an elevated (administrator) prompt.
The command can also be made persistent. Suppose you want to watch how the use of a certain port changes over time. Add a space and an integer to the end of the command, for example 'netstat -nao 1': netstat then re-runs at that interval, in this case every 1 second, and keeps writing to the screen until you press Ctrl+C, as shown in the figure below.

Obviously, to determine whether malware is using a TCP or UDP port, you need to know what normal use of that port looks like. To learn which ports are used by what, search for them on Google. Microsoft also publishes a list of ports commonly used by both Windows clients and servers that you can refer to. In addition, you can look up further ports associated with Microsoft and third-party applications.
If something abnormal shows up on a TCP or UDP port, search Google for it. Use the 'site:' operator followed by the domain of an antivirus company such as Symantec, Sophos or McAfee; these sites may have a write-up of malware that uses that port. Here is an example of such a query:
site:symantec.com tcp port 4444
'reg'
A write-up from an antivirus vendor can also tell you which registry keys the malware may have modified. To query a registry key from the command line, use the reg command. Even if an antivirus site does not give you registry keys to look for, you can check the keys most commonly modified by malware: those tied to system startup and user logon, known as the 'Run' keys. The reg command displays their values at the command line. Note, however, that plenty of legitimate software also starts itself from these keys. After running the commands below, you will see the entries under these keys; then search Google for what is listed to separate the valid entries from malware.
C:\> reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
C:\> reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
We recommend that you run the same commands a second time, replacing HKLM with HKCU. That variant shows the auto-start registry keys associated with the currently logged-on user, rather than just the system-wide settings under HKLM.
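As an added example (not part of the original article), the following Python script compares the output of the reg query commands above against the same query saved earlier from a known-clean machine, which is the practical way to separate long-standing, legitimate Run entries from new ones. It also flags entries whose data points into user-writable locations such as C:\Users\Public or a Temp folder, a common sign of something dropped by malware rather than installed by a setup program. Both reg query samples, the value names and the WindowsUpdate/msupdate.exe entry are constructed for this example, not captured from a real system; the output layout assumes the four-space column separator modern reg query uses (tab-separated output from older versions is handled as well).

```python
import re

# Constructed sample: `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
# saved earlier from a known-clean build (not a real capture).
BASELINE_SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
"""

# Constructed sample: the same query run on the suspect machine (not a real capture).
SUSPECT_SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    WindowsUpdate    REG_SZ    C:\Users\Public\msupdate.exe
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Lower-cased path fragments that legitimate autostart entries rarely point into.
SUSPICIOUS_LOCATIONS = (r"\users\public", r"\appdata\local\temp", r"\windows\temp", "%temp%")

# reg query separates the name, type and data columns with four spaces
# (older versions used tabs); the data column may itself contain spaces.
COLUMN_SEP = re.compile(r"\t+|\s{4,}")


def parse_reg_query(text):
    """Return {key path: {value name: (type, data)}} from `reg query` output."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # key paths start in column 0
            current = line.strip()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue                       # value line before any key: ignore
        parts = COLUMN_SEP.split(line.strip(), maxsplit=2)
        if len(parts) < 2:
            continue                       # not a "name  type  data" row
        name, vtype = parts[0], parts[1]
        data = parts[2] if len(parts) == 3 else ""
        keys[current][name] = (vtype, data)
    return keys


def compare_autostart(baseline_text, suspect_text):
    """Report Run-key values that are new or changed relative to the clean
    baseline, noting when the data points into a user-writable location."""
    baseline = parse_reg_query(baseline_text)
    suspect = parse_reg_query(suspect_text)
    findings = []
    for key, values in suspect.items():
        for name, (vtype, data) in values.items():
            known = baseline.get(key, {}).get(name)
            if known == (vtype, data):
                continue                   # identical to the clean machine
            reason = "not in baseline" if known is None else "changed since baseline"
            if any(loc in data.lower() for loc in SUSPICIOUS_LOCATIONS):
                reason += ", runs from a user-writable location"
            findings.append((key, name, data, reason))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in compare_autostart(BASELINE_SAMPLE, SUSPECT_SAMPLE):
        print(f"{key}\n  {name} = {data}\n  -> {reason}")
```

On a real system, redirect each reg query to a file on the clean machine (for example, reg query ... > run-baseline.txt) and again on the suspect one, then pass the two files' contents to compare_autostart(); run it once per key you queried, including the HKCU variants. The user-writable location list is a heuristic, not a verdict: it raises the priority of an entry for the Google search the text describes, it does not replace it.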
'dir'
You should also check the Startup folder for unwanted programs that are started from there. Run the dir command with /A: with no attribute letters after it, /A lists files regardless of their attributes, so hidden and system files appear alongside everything else. Repeat the check for each user's own Startup folder under their profile, not only the All Users folder shown here.
C:\> dir /A "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
'net users' and 'net localgroup administrators'
Some malware creates accounts on the local computer. To check for this, run 'net users', which lists the accounts defined on the system. In addition, because some bot software adds an account to the local Administrators group, run 'net localgroup administrators' to check the membership of that group. Do you recognize everyone in the Administrators group? The following figure shows an example.

'tasklist /svc'
There is another vital area to analyze: running processes. On Windows XP Professional, the tasklist command provides a lot of useful information. By itself, it displays the running processes, their process IDs and their memory usage. If you run 'tasklist /svc', you will also see the services hosted by each process, as shown below. That gives you a lot to work with when checking whether a system is running bad programs. The PID column is also the link back to 'netstat -nao': a PID that was listening on an unexpected port can be matched here to its image name and services. In particular, svchost.exe processes are often busy, each hosting many services, and spyware sometimes inserts its own service into these processes to monitor or control your computer.
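As an added example (not from the original article), here is a Python script that does the cross-referencing described in the netstat section and in this tasklist /svc section: it parses the output of 'netstat -nao' and 'tasklist /svc', flags listening ports that are not on a documented baseline, lists every other socket the same process holds (an outbound connection from a process that also owns an unknown listener is worth a close look), and diffs two netstat snapshots the way you would by eye when watching 'netstat -nao 1'. The two text samples, the baseline set KNOWN_LISTENERS, the process name msupdate.exe and the addresses are all constructed for this example, not captured from a real machine.

```python
import re

# Constructed sample of `netstat -nao` output (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     203.0.113.9:6667       ESTABLISHED     1532
  UDP    0.0.0.0:123            *:*                                    1040
  UDP    0.0.0.0:1900           *:*                                    1288
"""

# Constructed sample of `tasklist /svc` output (not a real capture).
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    884 RpcEptMapper, RpcSs
svchost.exe                   1040 W32Time, Dhcp
svchost.exe                   1288 SSDPSRV, upnphost
msupdate.exe                  1532 N/A
"""

# Assumed baseline: (protocol, port) pairs you have documented as normal for this host.
KNOWN_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 123), ("UDP", 1900)}

# Proto, local addr:port, foreign addr, optional state (UDP rows have none), PID.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# Image name, PID, then the comma-separated service list or N/A.
TASKLIST_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(.*?)\s*$")


def parse_netstat(text):
    """Return one dict per socket row of `netstat -nao`; header rows are skipped."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, port, foreign, state, pid = m.groups()
        sockets.append({"proto": proto, "local": local, "port": int(port),
                        "foreign": foreign, "state": state or "", "pid": int(pid)})
    return sockets


def parse_tasklist(text):
    """Map PID -> (image name, [service names]) from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = TASKLIST_LINE.match(line)
        if not m:
            continue
        image, pid, services = m.groups()
        names = [] if services == "N/A" else [s.strip() for s in services.split(",")]
        procs[int(pid)] = (image, names)
    return procs


def _is_listener(sock):
    # UDP rows carry no state column, so treat every UDP binding as a listener.
    return sock["state"] == "LISTENING" or sock["proto"] == "UDP"


def triage(netstat_text, tasklist_text, known_listeners):
    """Flag listeners outside the baseline, resolved to image and services, and
    every other socket (e.g. an outbound connection) owned by those same PIDs."""
    sockets = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    unknown, flagged = [], set()
    for s in sockets:
        if _is_listener(s) and (s["proto"], s["port"]) not in known_listeners:
            image, services = procs.get(s["pid"], ("<no such PID in tasklist>", []))
            unknown.append((s["proto"], s["port"], s["pid"], image, services))
            flagged.add(s["pid"])
    related = [(s["proto"], f'{s["local"]}:{s["port"]}', s["foreign"], s["state"], s["pid"])
               for s in sockets if s["pid"] in flagged and not _is_listener(s)]
    return {"unknown_listeners": unknown, "related_sockets": related}


def new_sockets(before_text, after_text):
    """Sockets present in a later snapshot but not in an earlier one: the same
    thing you look for while `netstat -nao 1` scrolls, but computed for you."""
    def key(s):
        return (s["proto"], s["local"], s["port"], s["foreign"], s["pid"])
    seen = {key(s) for s in parse_netstat(before_text)}
    return [s for s in parse_netstat(after_text) if key(s) not in seen]


if __name__ == "__main__":
    result = triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE, KNOWN_LISTENERS)
    for proto, port, pid, image, services in result["unknown_listeners"]:
        print(f"unknown listener {proto}/{port} pid {pid} {image} services={services}")
    for row in result["related_sockets"]:
        print("same process also has:", row)
```

On a live system, save the two commands' output first (netstat -nao > net.txt and tasklist /svc > tasks.txt) and pass the file contents to triage(); the baseline set is the part you build by studying clean machines, as the article recommends. Note that parse_tasklist() keys on PID, so a PID reused after a process exits between the two commands will be misattributed; run them back to back.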

The commands shown in this article give you a deeper understanding of a Windows computer's configuration, but practice makes perfect. Take the time to analyze 'clean' systems, so that you learn what appears on a normal Windows computer; only then can you reliably tell when a computer is infected. With some preparation and practice, command-line skills will significantly improve your understanding of Windows computers and prepare you for the battle with malware that is happening every day.