Category Archives: Windows

Windows tips, howtos, scripts

Windows: List all users who are currently logged on


If you want to list all users who are currently logged on to the box, use the query command. It shows interactive sessions (console and RDP), not network logons such as SMB or WinRM.

List all sessions

c:\> query session
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
>rdp-tcp#0         user1                     2  Active  rdpwd
 rdp-tcp                                 65536  Listen

Or list only the users (query user is equivalent to quser). Note that a session in state "Disc" is still logged on; only the RDP connection was dropped.

c:\> query user
>user1                 rdp-tcp#0           2  Active          .  21.02.2015 19:42

You can also list the processes of each user session

c:\> query process
 USERNAME              SESSIONNAME         ID    PID  IMAGE
>user1                 rdp-tcp#0            2   6076  taskhost.exe
>user1                 rdp-tcp#0            2   6592  rdpclip.exe
>user1                 rdp-tcp#0            2   4840  dwm.exe
>user1                 rdp-tcp#0            2   4680  explorer.exe
>user1                 rdp-tcp#0            2   7092  vmtoolsd.exe
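The same listing as objects, as an added example that is not part of the original post: it parses the `query user` output shown above into PowerShell objects so that disconnected sessions, whose SESSIONNAME column is blank, are not mis-split. It assumes the English column layout; other locales change the header and state words. The function name and parameters are the example's own.

```powershell
# Added example, not part of the original post: turn `query user` output into
# objects so disconnected sessions (blank SESSIONNAME) are handled correctly.
# Assumes the English column layout shown above; other locales differ.
function Get-LoggedOnUser {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # quser writes "No User exists for *" to stderr and exits 1 when nobody is logged on.
    $lines = query user "/server:$ComputerName" 2>$null
    if (-not $lines) { return }

    foreach ($line in ($lines | Select-Object -Skip 1)) {
        # '>' marks your own session; replace it so the USERNAME column stays aligned.
        $clean = $line -replace '^>', ' '
        # SESSIONNAME is empty for disconnected sessions, so use a regex whose
        # session group is optional instead of splitting on whitespace.
        if ($clean -match '^\s*(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(Active|Disc)\s+(\S+)\s+(.+?)\s*$') {
            [pscustomobject]@{
                ComputerName = $ComputerName
                UserName     = $Matches[1]
                SessionName  = if ($Matches[2]) { $Matches[2] } else { '<disconnected>' }
                Id           = [int]$Matches[3]
                State        = $Matches[4]
                IdleTime     = $Matches[5]
                LogonTime    = $Matches[6]
            }
        }
    }
}

# Disconnected sessions are still logged on: the logon session, and any
# credentials cached for it, stay in LSASS until the session is logged off.
Get-LoggedOnUser | Where-Object State -eq 'Disc' | Format-Table -AutoSize
```

Run it as an administrator to see other users' sessions; a standard user only sees their own. Pass `-ComputerName` to query a remote host over RPC, which needs the Remote Desktop Services firewall rules open on the target.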


Windows: Initiate a kernel memory dump


For deeper inspection of Windows it is sometimes necessary to get a memory dump of the machine and analyse it with tools like Volatility. Note that a kernel memory dump contains only kernel-mode pages; if you also need user-mode process memory, configure a complete memory dump.

There are several ways to provoke Windows into writing a dump.
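Before provoking a dump it is worth checking what kind of dump the machine will actually write and where. The following is an added example, not code from the original post: it reads the CrashControl settings and the documented CrashOnCtrlScroll keyboard-driver value (Right Ctrl + Scroll Lock twice forces a bugcheck when it is set). The function name and the output field names are the example's own.

```powershell
# Added example (not from the original post): report how this machine is
# configured to write a crash dump before you trigger one.
function Get-CrashDumpConfig {
    $cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

    # CrashDumpEnabled values as documented by Microsoft.
    $kinds = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
    $mode  = [int]$cc.CrashDumpEnabled

    # CrashOnCtrlScroll=1 under the keyboard driver's Parameters key lets
    # Right Ctrl + Scroll Lock (twice) force a MANUALLY_INITIATED_CRASH bugcheck.
    # i8042prt covers PS/2 keyboards, kbdhid covers USB keyboards.
    $kbd = foreach ($drv in 'i8042prt', 'kbdhid') {
        $v = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv\Parameters" `
                              -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue
        if ($v) { "$drv=$($v.CrashOnCtrlScroll)" }
    }

    [pscustomobject]@{
        DumpType            = if ($kinds.ContainsKey($mode)) { $kinds[$mode] } else { "Unknown ($mode)" }
        DumpFile            = $cc.DumpFile          # REG_EXPAND_SZ, expanded by Get-ItemProperty
        Overwrite           = [bool]$cc.Overwrite
        CrashOnCtrlScroll   = if ($kbd) { $kbd -join ', ' } else { 'not set' }
        # Only Complete/Kernel/Automatic produce something Volatility can load;
        # a Small dump is useless for memory analysis and None writes nothing.
        WillWriteUsableDump = ($mode -in 1, 2, 7)
    }
}

Get-CrashDumpConfig
```

If DumpType reports Small or None, change CrashDumpEnabled first (a reboot is required for the keyboard-driver value to take effect), otherwise the forced crash only costs you uptime.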
Continue reading Windows: Initiate a kernel memory dump

Windows: Read BitLocker encrypted drive in Windows PE


In WinPE it is possible to read BitLocker-encrypted drives, provided you have a key protector that does not depend on the original TPM (a password, the 48-digit recovery password or a .BEK recovery key file).

Check state
manage-bde -status c:

If the drive is protected by a password, use the following; you are prompted for the password (-pw is short for -Password):
manage-bde -unlock c: -pw
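The two steps wrapped so that the unlock is only attempted when the volume is actually locked, as an added example that is not part of the original post. It runs in WinPE only if the WinPE-PowerShell optional component was added to the boot image; the function name, parameters and the parsing of the "Lock Status" line are the example's own, the manage-bde switches are the documented ones.

```powershell
# Added example, not from the original post: check the lock state, then unlock
# with whichever protector is available. Needs WinPE-PowerShell in the boot image.
function Unlock-BitLockerVolumeInPE {
    param(
        [Parameter(Mandatory)][string]$Drive,   # e.g. 'C:'
        [string]$RecoveryPassword,              # 48-digit numerical recovery password, dashes included
        [string]$RecoveryKeyFile                # path to a .BEK external key file
    )

    $status = manage-bde -status $Drive
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -status $Drive failed: $($status -join ' ')" }

    # manage-bde prints "Lock Status:          Locked|Unlocked" for the volume.
    $m = $status | Select-String 'Lock Status:\s+(\S+)' | Select-Object -First 1
    if (-not $m) { throw "Could not find 'Lock Status' in manage-bde output for $Drive" }
    $lock = $m.Matches[0].Groups[1].Value
    if ($lock -ne 'Locked') { Write-Host "$Drive is $lock, nothing to do"; return }

    if ($RecoveryKeyFile)      { manage-bde -unlock $Drive -RecoveryKey $RecoveryKeyFile }
    elseif ($RecoveryPassword) { manage-bde -unlock $Drive -RecoveryPassword $RecoveryPassword }
    else                       { manage-bde -unlock $Drive -Password }   # interactive prompt, same as -pw
    if ($LASTEXITCODE -ne 0) { throw "Unlock of $Drive failed (manage-bde exit code $LASTEXITCODE)" }

    # Re-read the state rather than trusting the exit code alone.
    manage-bde -status $Drive | Select-String 'Lock Status'
}

# Usage: Unlock-BitLockerVolumeInPE -Drive C: -RecoveryPassword 123456-123456-...
```

A volume protected only by TPM cannot be unlocked this way from WinPE; you need the recovery password or key that was backed up when BitLocker was enabled.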
Continue reading Windows: Read BitLocker encrypted drive in Windows PE

Windows: Recover lost passwords from memory


If a user is logged on and has forgotten their password, you can dump the LSASS process and recover the password from the dump file.

Two tools are needed:

  • Microsoft Sysinternals ProcDump
  • mimikatz, a tool to play with Windows security. Take care when downloading precompiled binaries, and expect antivirus to flag them. Better to get the source code from GitHub and compile it yourself; it's very easy.

Let's start. Log in as a user with administrator permissions and dump the lsass process.
Continue reading Windows: Recover lost passwords from memory

Windows: Extract all files from a msi file


first post in 2015 🙂

msiexec offers the ability to extract all files included in an .msi file to a specified folder by performing an administrative install (/a) and altering the TARGETDIR property of the package. Nothing is installed or registered on the running system, but the package's administrative sequence does run, so treat an untrusted .msi with the same caution as any other executable.

Syntax is (TARGETDIR must be an absolute path; quote it if it contains spaces)
msiexec /a msifile.msi /qb TARGETDIR=D:\target
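The same extraction as a script, as an added example that is not part of the original post: it verifies the package's Authenticode signature first, runs the administrative install silently with a verbose log, checks the exit code, and lists what was laid down. The function name, its parameters and the log file name are the example's own.

```powershell
# Added example, not from the original post: extract an .msi via an
# administrative install and check the result.
function Expand-MsiPackage {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$TargetDir,
        [switch]$SkipSignatureCheck
    )
    $msi = (Resolve-Path -LiteralPath $MsiPath).Path

    # /a still runs the package's AdminExecuteSequence, which may carry custom
    # actions, so refuse unsigned or tampered packages unless told otherwise.
    $sig = Get-AuthenticodeSignature -FilePath $msi
    if ($sig.Status -ne 'Valid' -and -not $SkipSignatureCheck) {
        throw "Signature status for '$msi' is $($sig.Status); pass -SkipSignatureCheck to extract anyway."
    }

    # TARGETDIR must be absolute; create it so the path resolves cleanly.
    $target  = (New-Item -ItemType Directory -Force -Path $TargetDir).FullName
    $log     = Join-Path $target 'msiexec-extract.log'
    # /qn instead of the post's /qb: no UI at all, which suits scripts; /L*v logs every action.
    $msiArgs = @('/a', "`"$msi`"", '/qn', "TARGETDIR=`"$target`"", '/L*v', "`"$log`"")

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "msiexec exited with $($proc.ExitCode); see $log"
    }

    # An administrative install also writes a copy of the .msi next to the extracted files.
    Get-ChildItem -LiteralPath $target -Recurse -File |
        Where-Object FullName -ne $log |
        Select-Object FullName, Length
}

# Usage: Expand-MsiPackage -MsiPath .\msifile.msi -TargetDir 'D:\target dir'
```

Exit code 1619 means msiexec could not open the package (bad path or a file that is not a valid .msi); 1603 usually points to a failing action that the verbose log will name.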
Continue reading Windows: Extract all files from a msi file