information collection in windows environment

Posted by tzul at 2020-04-01

In the process of penetration testing, we usually encounter the most windows environments. However, after we get the permission of a Windows system, we need to carry out horizontal or vertical penetration, which is particularly important for information collection of windows. Let's talk about what information we need to know under windows, which information is important for us in the subsequent penetration testing How can I help you.

Essential information

The basic information of the system generally includes: host name, domain, environment variable, etc. the commands involved are as follows:

Get host name:

Hostname or echo% computername%

Get domain information:


From this command, you can not only see the information about the domain name, but also many useful information, such as: startup time, installation time, patch repair, system version and so on.

Get environment variable:


From the environment variable, we can see some common software, directory of temporary files and some information related to users.

Obtain software information of system installation

By obtaining the software installation information, we can find out the software that we can use, or the software that can obtain further permission information, such as: SecureCRT, FileZilla and other software. You can also get a general idea of the security software of the system. You can use the registry to obtain these information. The command is as follows:

Registry information everywhere:

reg export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall reg.txt

Match the software in the registry information:

find "DisplayName" reg.txt |find /V "ParentDisplayName" > tmplist.txt

Get the final result:

for /f "tokens=2,3 delims==" %%a in (tmplist.txt) do (echo %%a >> software.txt)

The screenshot of the final result is shown in the figure below:

Get system patches

Obtaining the patch information can play a guiding role in the operation of lifting the right. We can use exp overflow to lift the right according to the patch situation. Although the previous systeminfo command can obtain the patch, the content it obtains is not very complete, only the patch number can be seen. The following command can obtain the complete patch information.

wmic qfe list

Wmic is a very powerful tool that can do a lot of things and has many opportunities to use it in penetration testing. Some screenshots are as follows:

Get service information of system registration

From the service information, we can see which services the system provides, and there are different ways to use them for different servers. The command is as follows:

sc query state= all

Some screenshots are as follows;

Get online host information

Generally, the way to obtain online hosts is to scan the IP segment. In the intranet of the domain, we can obtain the list of hosts in the same network segment or associated hosts through one command. The command is as follows:

Net view

Because of the problem of my host's environment, there is no list of hosts. You can test this command in the domain.

Collect local user and group information

This is very important in the intranet penetration test, which is a command to be executed on any windows host. The functions of this command include: determining whether the host is in the domain, what is the host administrator group, what are the local administrator users, etc.

Get local user group:

net localgroup

Get local user:

Net user

Get local administrator information:

net localgroup administrators

Get local share information

The local shared directory is also the directory we need to pay attention to. There may be many important files that are helpful for us to upgrade our permissions. The command is as follows:

net view /a \%COMPUTERNAME%

Get IP information

In fact, this command should be executed at the beginning. From the result of this command, you can roughly see the network environment of the intranet, DNS server IP, domain name information, etc. the command is as follows:

ipconfig /all

Some results are as follows:

Get local port opening and connection information

Here you can see which ports are open in the local system, which services are provided, and which intranet hosts communicate with the local computer. Here you can also see the list of surviving hosts in the intranet. The command is as follows:

Netstat -ano

Some results are as follows:

View local scheduled tasks

From the planned tasks, we can know what tasks this host does every day, or what operations the current user often does. Even through the planned task information, we can get the user's other account password information. The command is as follows:

At or schtask

These two commands can only be executed under the system permission, otherwise, you will be prompted to deny access.

List sites for IIS

On the system with IIS service installed, we can execute the following command to obtain the site information:

%windir%\system32\inetsrv\AppCmd.exe list site

Save all registry information on the system

These commands are quite violent. Sometimes we need to query the registry information several times, so we need to execute many commands. We can dump all the registry information of the system, analyze it locally, and try to reduce the number of commands executed, the amount of logs, and the probability of being found

reg export HKLM hklm.reg
reg export HKCU hkcu.reg
reg export HKCU hkcr.reg
reg export HKCU hku.reg
reg export HKCU hkcc.reg

Get system log information

Log information is very important in any system, so in the aspect of windows information collection, collecting log information is an essential operation. There are two ways to get the log: one is to copy the log of the system back to the local for analysis, the other is to use the official windows tool to export and save the log to the local.

Copy log file:

copy C:\Windows\System32\winevt\Logs\System.evtx copy C:\Windows\System32\winevt\Logs\security.evtx copy C:\Windows\System32\winevt\Logs\application.evtx

Export using tools:

..\psloglist -x system > system.log
..\psloglist -x security > security.log
..\psloglist -x application > application.log


The information collected on the windows system is almost the same here. There are some user related information not mentioned here. Next time, I have the opportunity to list the important information generated by the user's use on the system. Finally, I'd like to share a bat script written by God. Click the original link to download the script and psloglist.exe, a software mentioned above. Attached is a result chart of script execution:

If there is anything incomplete or wrong, please don't hesitate to comment.