Wed May 28 21:50:20 UTC 2008
Examining the internal state of Windows
--
Very few people know how to get Microsoft Windows systems to tell you about their internal state in the same way that we are commonly used to in the Unix and Linux worlds. Here, via Bruce Schneier's blog, is a nice set of articles from Ed Skoudis.
- http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1303709,00.html
- http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1313370,00.html
- http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1267982,00.html
These discuss things such as the Windows Management Instrumentation Command-line (WMIC), which provides a great level of detail about running processes; tasklist, which fills in some of the information missing from WMIC, such as the DLLs loaded into each process; and the openfiles command, which is almost as useful as lsof, but not quite.
Of course, this is still Windows. There's a large performance hit to using some of these, so don't get carried away …
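As an added example (mine, not from the post or the linked articles), here is a PowerShell script that snapshots what the three tools expose into CSV files so two snapshots taken some time apart can be diffed for new processes. It assumes an elevated prompt; the output directory and the Compare-Snapshot function are my own names.

```powershell
# Added example, not from the post or the linked articles: snapshot the state the
# three tools expose (processes via WMIC, loaded modules via tasklist, open handles
# via openfiles) into CSV files so two snapshots taken minutes apart can be diffed.
# Assumes an elevated PowerShell prompt; $OutDir and Compare-Snapshot are my names.
param([string]$OutDir = (Join-Path $env:TEMP ("winstate-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))))
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# WMIC: parent PID, image path and full command line per process.
# /format:csv prepends a blank line and a Node column; drop the blank line before parsing.
# (wmic is deprecated on current Windows; Get-CimInstance Win32_Process is the replacement.)
$procs = wmic process get ProcessId,ParentProcessId,Name,ExecutablePath,CommandLine /format:csv |
    Where-Object { $_ -match '\S' } | ConvertFrom-Csv
$procs | Export-Csv (Join-Path $OutDir 'processes.csv') -NoTypeInformation

# tasklist /m: the DLLs loaded in each process, which WMIC does not report.
tasklist /m /fo csv | ConvertFrom-Csv |
    Export-Csv (Join-Path $OutDir 'modules.csv') -NoTypeInformation

# openfiles: open handles, but only once 'openfiles /local on' has been set and the
# box rebooted (it enables the object-list tracking flag, which is the performance
# hit the post warns about). Record the failure rather than silently skipping it.
$files = & openfiles /query /fo csv /v 2>&1
if ($LASTEXITCODE -eq 0) {
    $files | ConvertFrom-Csv | Export-Csv (Join-Path $OutDir 'openfiles.csv') -NoTypeInformation
} else {
    "openfiles /query failed: $files" | Out-File (Join-Path $OutDir 'openfiles.txt')
}

# Triage view: processes whose image does not live under the Windows directory,
# sorted by parent so an unexpected parent/child pair stands out.
$procs | Where-Object { $_.ExecutablePath -and $_.ExecutablePath -notlike "$env:windir\*" } |
    Sort-Object ParentProcessId | Format-Table ProcessId,ParentProcessId,Name,ExecutablePath -AutoSize

# Diff two snapshot directories: processes that appeared or vanished (by PID, name, path).
function Compare-Snapshot([string]$Before, [string]$After) {
    $a = Import-Csv (Join-Path $Before 'processes.csv')
    $b = Import-Csv (Join-Path $After  'processes.csv')
    Compare-Object $a $b -Property ProcessId,Name,ExecutablePath |
        Select-Object @{n='Change';e={ if ($_.SideIndicator -eq '=>') {'new'} else {'gone'} }},
                      ProcessId,Name,ExecutablePath
}
"Snapshot written to $OutDir"
```

Run it once to baseline a host, again later, then call Compare-Snapshot with the two directories; the openfiles step only yields data if object tracking was enabled before the last reboot.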
