"Sysinternals": difference between revisions
From Banane Atomic
Latest revision as of 7 February 2022, 18:59
Usage
Sysinternals Utilities Index (https://docs.microsoft.com/en-us/sysinternals/downloads/)
Install into C:\Program Files\SysinternalsSuite and add it to the PATH:
choco install sysinternals
PsExec (https://docs.microsoft.com/en-us/sysinternals/downloads/psexec)
Allows executing processes on remote systems and redirecting console applications' output to the local system, so that these applications appear to be running locally.
# run an interactive command prompt on a remote system
psexec -i \\remote cmd
# copy the program test.exe to the remote system and execute it interactively
psexec -i \\remote -c test.exe
# run as the remote admin
psexec \\remote -u remote\administrator -p adminpass ipconfig
# if -p is omitted, it prompts you to enter the password
# the password is sent in clear text from the local system
# run regedit on the local system in the System account
psexec -sid c:\windows\regedit.exe
# -s run in the System account
# -i interactive: useful only when you want to run a GUI application on the local system where you can interact with it
# -d don't wait for process to terminate (non-interactive)
* PsExec Explainer by Mark Russinovich (https://www.itprotoday.com/windows-server/psexec-explainer-mark-russinovich)
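Remote execution with PsExec installs a service on the target host (named PSEXESVC by default; the -r switch can rename it), and the Service Control Manager logs every service installation as Event ID 7045 in the System log. The following PowerShell is an added defender-side example, not part of the wiki page: it parses 7045 records and flags the PsExec service; the EventData field names (ServiceName, ImagePath, AccountName) are as they appear in that event, and the sample record is constructed, not a real capture.

```powershell
# Parse one System/7045 ("A service was installed in the system") event, given as
# its XML text, and flag PsExec's default service. Assumes the 7045 EventData layout.
function ConvertFrom-ServiceInstallEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $xml  = [xml]$EventXml
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
            Account     = $data['AccountName']
            # PSEXESVC is PsExec's default name; 'psexec -r' can rename the service
            IsPsExec    = ($data['ServiceName'] -eq 'PSEXESVC') -or ($data['ImagePath'] -match 'PSEXESVC')
        }
    }
}

# Constructed sample record (not a real capture) in the shape of a 7045 event.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7045</EventID></System>
  <EventData>
    <Data Name="ServiceName">PSEXESVC</Data>
    <Data Name="ImagePath">%SystemRoot%\PSEXESVC.exe</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">demand start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>
'@
ConvertFrom-ServiceInstallEvent -EventXml $sample | Format-List   # IsPsExec : True

# Live check of the local System log for the last 7 days (needs rights to read it).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() } |
    ConvertFrom-ServiceInstallEvent |
    Where-Object IsPsExec |
    Format-Table -AutoSize
```

Run the live check on a host that should never be a PsExec target; any hit there is worth investigating, since the command and account are recorded alongside the service.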
SDelete (https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete)
sdelete64 -s -p 3 .\dossier
# -s recurse into subdirectories
# -p 3 number of passes (default 1)
# Deletes the free disk space on drive C: securely.
sdelete64 -c c:
# Zeroes the free disk space of drive c:
sdelete64 -z c:
# The -z parameter overwrites the free disk space with zeroes instead, which is faster.
A trailing \ at the end of paths causes problems.
add.reg
Windows Registry Editor Version 5.00

; backslashes inside quoted .reg values must be doubled
[HKEY_CLASSES_ROOT\*\shell\SDelete]
@="Secure delete"
"NoWorkingDirectory"=""
"Icon"="imageres.dll,-5320"

[HKEY_CLASSES_ROOT\*\shell\SDelete\Command]
@="C:\\ProgramData\\chocolatey\\bin\\sdelete64.exe -p 3 \"%1\""

[HKEY_CLASSES_ROOT\Directory\shell\SDelete]
@="Secure delete"
"AppliesTo"="NOT (System.ItemPathDisplay:=\"C:\\Users\" OR System.ItemPathDisplay:=\"C:\\ProgramData\" OR System.ItemPathDisplay:=\"C:\\Windows\" OR System.ItemPathDisplay:=\"C:\\Windows\\System32\" OR System.ItemPathDisplay:=\"C:\\Program Files\" OR System.ItemPathDisplay:=\"C:\\Program Files (x86)\")"
"NoWorkingDirectory"=""
"Icon"="imageres.dll,-5320"

[HKEY_CLASSES_ROOT\Directory\shell\SDelete\command]
@="C:\\ProgramData\\chocolatey\\bin\\sdelete64.exe -p 3 -s \"%1\""
remove.reg
Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\*\shell\SDelete]
[-HKEY_CLASSES_ROOT\Directory\shell\SDelete]
Junction - symbolic link (https://technet.microsoft.com/en-us/sysinternals/bb896768.aspx)
Preferably use mklink.
REM junction <link> <target>
junction C:\Lien-Symbolique "C:\Mon Dossier"
REM the path has to be absolute
Process Monitor
Lists every operation performed by a process: file and registry access.
Filters reduce the (very large) amount of data displayed. An "Include" filter excludes every line that does not match the test.
Monitor disk activity
After collecting data → Tools → File Summary
Handle
Lists the processes that are using a file.
handle "chemin\fichier"
REM open a terminal in administrator mode, then run handle in it
Elevate64 cmd /k handle "chemin\fichier"
This program requires administrator rights, so it has to be run from a terminal that already has them. Ticking "Compatibility → Run this program as an administrator" opens a second terminal and does not let you read the output.
ListDLLs
Lists all the DLLs loaded by a process.
Listdlls.exe [executable name or PID]