wmic命令收集整理

时间:2023-01-02 17:57:41

内网渗透中有诸多的渗透利器,wmic绝对排的上号,这里记录一下,备忘

★★连接远程的电脑,不过好象对要开RPC服务

wmic /node:"192.168.203.131" /password:"password" /user:"administrator"

★★查看bios版本型号

wmic bios get Manufacturer,Name

★★查看工作组/域

wmic computersystem get domain

★★更改计算机名abc为123

wmic computersystem where "name='abc'" call rename 123

★★查看cpu型号

wmic cpu get name

DATAFILE - DataFile 管理
★★查找e盘下test目录(不包括子目录)下的cc.cmd文件

wmic datafile where "drive='e:' and path='\\test\\' and FileName='cc' and Extension='cmd'" list

★★查找e盘下所有目录和子目录下的cc.cmd文件,且文件大小大于1K

wmic datafile where "drive='e:' and FileName='cc' and Extension='cmd' and FileSize>'1000'" list

★★删除e盘下文件大小大于10M的.cmd文件

wmic datafile where "drive='e:' and Extension='cmd' and FileSize>'10000000'" call delete

★★删除e盘下test目录(不包括子目录)下的非.cmd文件

wmic datafile where "drive='e:' and Extension<>'cmd' and path='test'" call delete

★★复制e盘下test目录(不包括子目录)下的cc.cmd文件到e:,并改名为aa.bat

wmic datafile where "drive='e:' and path='\\test\\' and FileName='cc' and Extension='cmd'" call copy "e:\aa.bat"

★★改名c:\hello.txt为c:\test.txt

wmic datafile "c:\\hello.txt" call rename c:\test.txt

★★查找h盘下目录含有test,文件名含有perl,后缀为txt的文件

wmic datafile where "drive='h:' and extension='txt' and path like '%\\test\\%' and filename like '%perl%'" get name

★★获取temp环境变量

wmic ENVIRONMENT where "name='temp'" get UserName,VariableValue

★★更改path环境变量值,新增e:\tools

wmic ENVIRONMENT where "name='path' and username='<system>'" set VariableValue="%path%;e:\tools"

★★新增系统环境变量home,值为%HOMEDRIVE%%HOMEPATH%

wmic ENVIRONMENT create name="home",username="<system>",VariableValue="%HOMEDRIVE%%HOMEPATH%"

★★删除home环境变量

wmic ENVIRONMENT where "name='home'" delete

FSDIR - 文件目录系统项目管理
★★查找e盘下名为test的目录

wmic FSDIR where "drive='e:' and filename='test'" list

★★删除e:\test目录下除过目录abc的所有目录

wmic FSDIR where "drive='e:' and path='\\test\\' and filename<>'abc'" call delete

★★删除c:\good文件夹

wmic fsdir "c:\\good" call delete

★★重命名c:\good文件夹为abb

wmic fsdir "c:\\good" rename "c:\abb"

LOGICALDISK - 本地储存设备管理
★★获取硬盘系统格式、总大小、可用空间等

wmic LOGICALDISK get name,Description,filesystem,size,freespace

PROCESS - 进程管理
★★列出进程的核心信息,类似任务管理器

wmic process list brief
(wmic startup list brief插播一条)

★★结束svchost.exe进程,路径为非C:\WINDOWS\system32\svchost.exe的

wmic process where "name='svchost.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\svchost.exe'" call Terminate

★★新建notepad进程

wmic process call create notepad

★★wmic 获取进程名称以及可执行路径:

wmic process get name,executablepath

★★wmic 删除指定进程(根据进程名称):

wmic process where name="qq.exe" call terminate  或者用  wmic process where name="qq.exe" delete

★★wmic 删除指定进程(根据进程PID):

wmic process where pid="123" delete

SERVICE - 服务程序管理
★★查看服务列表

wmic service list brief 

★★运行spooler服务

wmic SERVICE where name="Spooler" call startservice

★★停止spooler服务

wmic SERVICE where name="Spooler" call stopservice

★★暂停spooler服务

wmic SERVICE where name="Spooler" call PauseService

★★更改spooler服务启动类型[auto|Disabled|Manual] 释[自动|禁用|手动]

wmic SERVICE where name="Spooler" set StartMode="auto"

★★删除服务

wmic SERVICE where name="test123" call delete

SHARE - 共享资源管理
★★删除共享

wmic SHARE where name="e$" call delete

★★添加共享

WMIC SHARE CALL Create "","test","3","TestShareName","","c:\test",0

STARTUP - 用户登录到计算机系统时自动运行命令的管理
★★查看msconfig中的启动选项

wmic STARTUP list

SYSDRIVER - 基本服务的系统驱动程序管理

wmic SYSDRIVER list

★★关闭本地计算机

wmic process call create shutdown.exe

★★重启远程计算机

wmic /node:192.168.1.10/user:administrator /password:123456 process call create "shutdown.exe -r -f -m"

★★查看系统中开启的日志

wmic nteventlog get path,filename,writeable

★★清除相关的日志(这里是全部清除)

wevtutil cl "windows powershell"
wevtutil cl "security"
wevtutil cl "system"

★★查看系统中安装的软件以及版本

wmic product get name,version
wmic product list brief

★★查看某个进程的详细信息

wmic process where name="chrome.exe" list full

★★获取存储在注册表中所有包含密码的键值:

REG query HKCU  /v "pwd" /s  #pwd可替换为password \ HKCU 可替换为HKCR

★★显示系统中的曾经连接过的无线密码

netsh wlan show profiles 
netsh wlan show profiles name="profiles的名字" key=clear

★★查看当前系统是否是VMWARE

wmic bios list full | find /i "vmware"

参考 http://www.jb51.net/article/49987.htm