Hacker/rootkit via bluetooth phone to laptop


  • This topic is locked
3 replies to this topic

#1 sadlittleacer

  • Members
  • 2 posts

Posted 31 July 2012 - 02:01 AM

I am a very tired, desperate woman about to lose my job over this. Nothing I've found on the web seems to be related to the hack/rootkit that's become a private little hell for me. I stay up half the night trying to figure it out, and then go into work in the morning with my work unfinished because my only home computer (laptop) is messed up.
I want to say: If this sounds like a hack with physical access to my laptop, it isn't.
I live alone, no one has access to my phone or laptop, and they're always with me.
LAPTOP 1: I've been going through this since April. It started when my Acer Aspire netbook / Win7 Starter (I'll call this "Laptop 1") picked up a remote hacker/rootkit (?). (There were other things too; booting up was a daily adventure. My laptop screen resolution changed to one for a large desktop monitor, I lost all administrative power to a remote, nameless domain controller, on and on.) My efforts to "takeown" and disable the larger screen monitor resulted in that laptop being disabled.

LAPTOP 2: I have to have a laptop for work; I bought another one (using money that I should have paid bills with - you knew I didn't have money or I wouldn't have been using an Acer to begin with, right?). In spite of following the rule to the letter (disabled remote access, file sharing, all those initial vulnerabilities that Win7 is preloaded with) and spending my last $60 on Norton Antivirus (which was the second thing I did when I finally felt like I was locked down enough to risk an internet connection; the first was MS Updates of course), Laptop 2 was infected within the first day.
I assumed it was something in the MS Office Excel documents (that I need for work) and had to download via email.
ANDROID PHONE 1: Then my phone, which had a great battery, began to drain within an hour or so. (Android T-Mobile Comet). The settings had been changed to "roaming" and some kind of "extended Bluetooth search". (I'm sorry, I can't remember what the exact name of that original Bluetooth thing was.) Anyway, I could not shut it off (not even with a hard reset). It also had a voice recorder installed that could not be shut off, and in the logs these recordings were being streamed to a remote "Private Network". I'd had this phone for a year, knew every setting on it. The recorder, a second camera, the extended Bluetooth - none of these were ever on my phone until then.
ANDROID PHONE 2: When I tried to disable the recorder, the phone stopped recognizing my T-Mobile SIM card.
You can guess the solution they offered me at the T-Mobile store, can't you? They wanted me to buy a new phone. I had to. Galaxy Samsung II (or "Phone 2").
Took laptop 2 in to a computer repair place and they recommended removing the motherboard and doing a low reformat. I disabled the internet adapters and took it home, planning to lock all the settings down before I connected to the internet.
This was great, it was amazing to see a laptop that functioned normally. It lasted about 4 hours - and then, without ever connecting to the internet - the rootkit / hacker reinstalled.
How? I decided it had to be the repair shop; they must have reinstalled original drivers (containing script? Because I could see in the event logs when the script / tasks for the remote domain had reinstalled.) They insisted they didn't.
LAPTOP 3: Now it's July. I still haven't caught up with the unpaid June bills. I have 2 disabled laptops, 1 disabled phone and another phone that's streaming audio / video to a remote hacker. And - I'm going to lose my job because I can't do my work without a laptop. On a borrowed credit card I buy a laptop. I bring it home, I disable the adapters and begin securing the default remote access settings and ... I get an error message that the connection to the remote server is lost. My phone is sitting on the couch beside me, and I realize that the thing that made me notice it is that the backlight came back on.
I check the settings, Bluetooth (which I had disabled) is now on, and it's been reset to "Bluetooth Share".
I'm typing this on LAPTOP 3. Before I connected to the internet, I saved some logs (event logs and tasks) that show what happened.
A few of the programs that I've noticed seem to be used by this root/hacker:
Windows PowerShell / Desktop INI files / Skype / Windows Live Messenger and Mesh / Zune / Broadcom NetLink / Bing Bar / Intel Trusted Connect Service Client

I'm posting them here.
NOTE: I am "TrustedInstaller" in these logs. The logs are after a system repair / restore (laptop shut down and wouldn't boot on restart as I was trying to gather this info into txt files and onto a USB drive).
When I did the system restore from boot and had to choose a user name I tried "TrustedInstaller" and it allowed me to use the name. I thought it might be some work-around for the admin privileges I can't keep.


--------- EVENT LOG NEW ACCOUNT -------------
Source: Microsoft-Windows-Security-Auditing
Date: 7/25/2012 8:56:41 PM
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: 5898OGardensDr
Description:
An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: WIN-NRHRT7J9C9D$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x240
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4624</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2012-07-26T03:56:41.697413900Z" />
<EventRecordID>967</EventRecordID>
<Correlation />
<Execution ProcessID="600" ThreadID="3888" />
<Channel>Security</Channel>
<Computer>5898OGardensDr</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-NRHRT7J9C9D$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-18</Data>
<Data Name="TargetUserName">SYSTEM</Data>
<Data Name="TargetDomainName">NT AUTHORITY</Data>
<Data Name="TargetLogonId">0x3e7</Data>
<Data Name="LogonType">5</Data>
<Data Name="LogonProcessName">Advapi </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">
</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x240</Data>
<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
-------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 7/25/2012 8:56:41 PM
Event ID: 4672
Task Category: Special Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: 5898OGardensDr
Description:
Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4672</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12548</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2012-07-26T03:56:41.697413900Z" />
<EventRecordID>968</EventRecordID>
<Correlation />
<Execution ProcessID="600" ThreadID="3888" />
<Channel>Security</Channel>
<Computer>5898OGardensDr</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege</Data>
</EventData>
</Event>
------------------------------- TASK items related to remote server ----------------------------------
Pref Track Background Config Surveyor Task:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Author>Microsoft Corporation</Author>
<Description>Performance Tracing Idle Task: Background configuration surveyor</Description>
<URI>Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor</URI>
<SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FA;;;LS)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<IdleTrigger>
<Enabled>true</Enabled>
</IdleTrigger>
<CalendarTrigger>
<StartBoundary>2008-05-30T03:00:00</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Principals>
<Principal id="LocalService">
<UserId>S-1-5-19</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>false</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="LocalService">
<ComHandler>
<ClassId>{EA9155A3-8A39-40B4-8963-D3C761B18371}</ClassId>
</ComHandler>
</Actions>
</Task>
-------------------------------
Takes Control Task:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Author>Microsoft Corporation</Author>
<Version>1.0</Version>
<Description>This task updates the cached list of folders and the security permissions on any new files in a user's shared media library.</Description>
<URI>Microsoft\Windows\Windows Media Sharing\UpdateLibrary</URI>
<SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;AU)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<EventTrigger>
<Enabled>true</Enabled>
<Subscription>&lt;QueryList&gt;
&lt;Query
Id="0"
Path="System"
&gt;
&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-WMPNSS-Service'] and (EventID=14210)]]&lt;/Select&gt;
&lt;/Query&gt;
&lt;/QueryList&gt;</Subscription>
</EventTrigger>
</Triggers>
<Principals>
<Principal id="AuthenticatedUsers">
<GroupId>S-1-5-11</GroupId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="AuthenticatedUsers">
<Exec>
<Command>"%ProgramFiles%\Windows Media Player\wmpnscfg.exe"</Command>
</Exec>
</Actions>
</Task>
------------------
Recording Restart Task:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Source>Microsoft Corporation</Source>
<Date>1982-01-15T16:30:00-08:00</Date>
<Description>Restarts recordings after a power failure.</Description>
<URI>Microsoft\Windows\Media Center\RecordingRestart</URI>
<SecurityDescriptor>D:(A;;FRFWSDWDWO;;;BA)(A;;FRFWSDWDWO;;;SY)(A;;FRFWFXDTDCSDWD;;;NS)(A;;FXFR;;;AU)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<BootTrigger>
<Enabled>true</Enabled>
</BootTrigger>
</Triggers>
<Principals>
<Principal id="NetworkService">
<UserId>S-1-5-20</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>false</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>6</Priority>
</Settings>
<Actions Context="NetworkService">
<Exec>
<Command>%SystemRoot%\ehome\ehrec</Command>
<Arguments>/RestartRecording</Arguments>
</Exec>
</Actions>
</Task>

---------------------------EVENT LOG POWER SHELL EVENTS------------------
Level,Date and Time,Source,Event ID,Task Category
Information,7/25/2012 8:55:57 PM,PowerShell,403,Engine Lifecycle,"Engine state is changed from Available to Stopped.

Details:
NewEngineState=Stopped
PreviousEngineState=Available

SequenceNumber=10

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=2.0
RunspaceId=a3fefa91-1f9c-4aee-86da-a3cfbb1c9386
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="
Information,7/25/2012 8:55:54 PM,PowerShell,400,Engine Lifecycle,"Engine state is changed from None to Available.

Details:
NewEngineState=Available
PreviousEngineState=None

SequenceNumber=9

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=2.0
RunspaceId=a3fefa91-1f9c-4aee-86da-a3cfbb1c9386
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="
Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""Certificate"" is Started.

Details:
ProviderName=Certificate
NewProviderState=Started

SequenceNumber=8

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="
Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""Variable"" is Started.

Details:
ProviderName=Variable
NewProviderState=Started

SequenceNumber=7

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="
Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""Registry"" is Started.

Details:
ProviderName=Registry
NewProviderState=Started

SequenceNumber=6

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="
Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""Function"" is Started.

Details:
ProviderName=Function
NewProviderState=Started

SequenceNumber=5

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="
Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""FileSystem"" is Started.

Details:
ProviderName=FileSystem
NewProviderState=Started

SequenceNumber=4

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="
Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""Environment"" is Started.

Details:
ProviderName=Environment
NewProviderState=Started

SequenceNumber=3

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="
Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""Alias"" is Started.

Details:
ProviderName=Alias
NewProviderState=Started

SequenceNumber=2

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="
Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""WSMan"" is Started.

Details:
ProviderName=WSMan
NewProviderState=Started

SequenceNumber=1

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="

------------------------------------- Command Prompt Info --------------------------
C:\Windows\system32>IPCONFIG

Windows IP Configuration


Wireless LAN adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Tunnel adapter isatap.{A48B0D30-C0EC-4443-BA28-EC95E44DB029}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

C:\Windows\system32>NETSTAT -A

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 5898OGardensDr:0 LISTENING
TCP 0.0.0.0:445 5898OGardensDr:0 LISTENING
TCP 0.0.0.0:49152 5898OGardensDr:0 LISTENING
TCP 0.0.0.0:49153 5898OGardensDr:0 LISTENING
TCP 0.0.0.0:49154 5898OGardensDr:0 LISTENING
TCP 0.0.0.0:49155 5898OGardensDr:0 LISTENING
TCP 0.0.0.0:49157 5898OGardensDr:0 LISTENING
TCP [::]:135 5898OGardensDr:0 LISTENING
TCP [::]:445 5898OGardensDr:0 LISTENING
TCP [::]:49152 5898OGardensDr:0 LISTENING
TCP [::]:49153 5898OGardensDr:0 LISTENING
TCP [::]:49154 5898OGardensDr:0 LISTENING
TCP [::]:49155 5898OGardensDr:0 LISTENING
TCP [::]:49157 5898OGardensDr:0 LISTENING
TCP [::1]:49156 5898OGardensDr:0 LISTENING
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:49153 *:*
UDP [::1]:1900 *:*
UDP [::1]:49152 *:*

C:\Windows\system32>TASKLIST

Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 24 K
System 4 Services 0 304 K
smss.exe 260 Services 0 816 K
csrss.exe 412 Services 0 2,836 K
csrss.exe 472 Console 1 23,088 K
wininit.exe 480 Services 0 1,216 K
winlogon.exe 528 Console 1 4,452 K
services.exe 576 Services 0 6,352 K
lsass.exe 600 Services 0 6,848 K
lsm.exe 608 Services 0 3,064 K
svchost.exe 712 Services 0 5,256 K
svchost.exe 788 Services 0 6,172 K
svchost.exe 404 Services 0 26,744 K
svchost.exe 564 Services 0 8,612 K
svchost.exe 1096 Services 0 92,960 K
svchost.exe 1144 Services 0 15,112 K
wlanext.exe 1900 Services 0 2,572 K
conhost.exe 1908 Services 0 768 K
svchost.exe 1944 Services 0 19,276 K
MsMpEng.exe 432 Services 0 35,024 K
spoolsv.exe 708 Services 0 6,008 K
svchost.exe 952 Services 0 7,392 K
armsvc.exe 700 Services 0 1,680 K
dsiwmis.exe 1360 Services 0 4,004 K
ePowerSvc.exe 1512 Services 0 3,472 K
LMutilps32.exe 1524 Console 1 4,596 K
HeciServer.exe 1576 Services 0 1,912 K
Jhi_service.exe 1584 Services 0 2,388 K
UpdaterService.exe 440 Services 0 2,100 K
rpcnetp.exe 1704 Services 0 2,300 K
Ath_WlanAgent.exe 2036 Services 0 3,388 K
SearchIndexer.exe 2284 Services 0 20,684 K
taskhost.exe 2996 Console 1 3,920 K
dwm.exe 3064 Console 1 73,108 K
explorer.exe 1708 Console 1 47,820 K
SeaPort.EXE 2960 Services 0 2,560 K
svchost.exe 1504 Services 0 4,548 K
IAStorDataMgrSvc.exe 1448 Services 0 8,756 K
LMS.exe 1816 Services 0 2,444 K
UNS.exe 2340 Services 0 4,684 K
wmpnetwk.exe 1912 Services 0 2,496 K
ZuneLauncher.exe 2504 Console 1 3,364 K
msseces.exe 1600 Console 1 6,912 K
hkcmd.exe 896 Console 1 3,108 K
igfxpers.exe 2400 Console 1 6,332 K
RAVCpl64.exe 2268 Console 1 7,216 K
igfxsrvc.exe 1672 Console 1 4,428 K
ETDCtrl.exe 3076 Console 1 6,912 K
ePowerTray.exe 3084 Console 1 5,088 K
igfxext.exe 3368 Console 1 2,788 K
ETDCtrlHelper.exe 3440 Console 1 2,668 K
unsecapp.exe 3448 Console 1 3,480 K
WmiPrvSE.exe 3492 Services 0 5,172 K
ePowerEvent.exe 3552 Console 1 1,836 K
LManager.exe 3772 Console 1 7,448 K
MMDx64Fx.exe 3844 Console 1 3,352 K
LMworker.exe 3896 Console 1 2,616 K
cmd.exe 3036 Console 1 2,964 K
conhost.exe 2720 Console 1 8,604 K
notepad.exe 3668 Console 1 20,696 K
tasklist.exe 3828 Console 1 5,492 K
WmiPrvSE.exe 3892 Services 0 6,036 K

DisplayName= <display name>
password= <password>

C:\Windows\system32>sc config lanmanworkstation start= disabled
[SC] ChangeServiceConfig SUCCESS


wmic:root\cli>wmic.exe
wmic.exe - Alias not found.
wmic:root\cli>process get
Caption CommandLine CreationClassName CreationDate CSCreationClassName CSName Description ExecutablePath
System Idle Process Win32_Process Win32_ComputerSystem 5898OGARDENSDR System Idle Process
System Win32_Process 20120728110202.651205-420 Win32_ComputerSystem 5898OGARDENSDR System
smss.exe \SystemRoot\System32\smss.exe Win32_Process 20120728110202.760405-420 Win32_ComputerSystem 5898OGARDENSDR smss.exe
csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 Win32_Process 20120728110214.039225-420 Win32_ComputerSystem 5898OGARDENSDR csrss.exe C:\Windows\system32\csrss.exe
csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 Win32_Process 20120728110215.942428-420 Win32_ComputerSystem 5898OGARDENSDR csrss.exe C:\Windows\system32\csrss.exe
wininit.exe wininit.exe Win32_Process 20120728110215.989228-420 Win32_ComputerSystem 5898OGARDENSDR wininit.exe C:\Windows\system32\wininit.exe
winlogon.exe winlogon.exe Win32_Process 20120728110216.504029-420 Win32_ComputerSystem 5898OGARDENSDR winlogon.exe C:\Windows\system32\winlogon.exe
services.exe C:\Windows\system32\services.exe Win32_Process 20120728110217.455631-420 Win32_ComputerSystem 5898OGARDENSDR services.exe C:\Windows\system32\services.exe
lsass.exe C:\Windows\system32\lsass.exe Win32_Process 20120728110217.861232-420 Win32_ComputerSystem 5898OGARDENSDR lsass.exe C:\Windows\system32\lsass.exe
lsm.exe C:\Windows\system32\lsm.exe Win32_Process 20120728110217.923632-420 Win32_ComputerSystem 5898OGARDENSDR lsm.exe C:\Windows\system32\lsm.exe
svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch Win32_Process 20120728110220.794037-420 Win32_ComputerSystem 5898OGARDENSDR svchost.exe C:\Windows\system32\svchost.exe
svchost.exe C:\Windows\system32\svchost.exe -k RPCSS Win32_Process 20120728110221.652038-420 Win32_ComputerSystem 5898OGARDENSDR svchost.exe C:\Windows\system32\svchost.exe
MsMpEng.exe "C:\Program Files\Microsoft Security Client\MsMpEng.exe" Win32_Process 20120728110221.854839-420 Win32_ComputerSystem 5898OGARDENSDR MsMpEng.exe C:\Program Files\Microsoft Security Client\MsMpEng.exe
svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted Win32_Process 20120728110222.978041-420 Win32_ComputerSystem 5898OGARDENSDR svchost.exe C:\Windows\System32\svchost.exe
svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted Win32_Process 20120728110223.446042-420 Win32_ComputerSystem 5898OGARDENSDR svchost.exe C:\Windows\System32\svchost.exe
svchost.exe C:\Windows\system32\svchost.exe -k netsvcs Win32_Process 20120728110223.461642-420 Win32_ComputerSystem 5898OGARDENSDR svchost.exe C:\Windows\system32\svchost.exe
svchost.exe C:\Windows\system32\svchost.exe -k LocalService Win32_Process 20120728110225.255645-420 Win32_ComputerSystem 5898OGARDENSDR svchost.exe C:\Windows\system32\svchost.exe
svchost.exe C:\Windows\system32\svchost.exe -k NetworkService Win32_Process 20120728110226.753247-420 Win32_ComputerSystem 5898OGARDENSDR svchost.exe C:\Windows\system32\svchost.exe
wlanext.exe C:\Windows\system32\WLANExt.exe 4291824 Win32_Process 20120728110230.824855-420 Win32_ComputerSystem 5898OGARDENSDR wlanext.exe C:\Windows\system32\WLANExt.exe
conhost.exe \??\C:\Windows\system32\conhost.exe "-517290637-18650335591488411524-79222352-1325834754-2670131341610288941796086666 Win32_Process 20120728110230.980855-420 Win32_ComputerSystem 5898OGARDENSDR conhost.exe C:\Windows\system32\conhost.exe
spoolsv.exe C:\Windows\System32\spoolsv.exe Win32_Process 20120728110233.617259-420 Win32_ComputerSystem 5898OGARDENSDR spoolsv.exe C:\Windows\System32\spoolsv.exe
taskhost.exe "taskhost.exe" Win32_Process 20120728110234.787261-420 Win32_ComputerSystem 5898OGARDENSDR taskhost.exe C:\Windows\system32\taskhost.exe
dwm.exe "C:\Windows\system32\Dwm.exe" Win32_Process 20120728110235.036862-420 Win32_ComputerSystem 5898OGARDENSDR dwm.exe C:\Windows\system32\Dwm.exe
svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork Win32_Process 20120728110235.270862-420 Win32_ComputerSystem 5898OGARDENSDR svchost.exe C:\Windows\system32\svchost.exe
explorer.exe C:\Windows\Explorer.EXE Win32_Process 20120728110235.660863-420 Win32_ComputerSystem 5898OGARDENSDR explorer.exe C:\Windows\Explorer.EXE
ZuneLauncher.exe "C:\Program Files\Zune\ZuneLauncher.exe" Win32_Process 20120728110244.833679-420 Win32_ComputerSystem 5898OGARDENSDR ZuneLauncher.exe C:\Program Files\Zune\ZuneLauncher.exe
msseces.exe "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey Win32_Process 20120728110245.660481-420 Win32_ComputerSystem 5898OGARDENSDR msseces.exe C:\Program Files\Microsoft Security Client\msseces.exe
hkcmd.exe "C:\Windows\System32\hkcmd.exe" Win32_Process 20120728110245.785281-420 Win32_ComputerSystem 5898OGARDENSDR hkcmd.exe C:\Windows\System32\hkcmd.exe
igfxpers.exe "C:\Windows\System32\igfxpers.exe" Win32_Process 20120728110245.910081-420 Win32_ComputerSystem 5898OGARDENSDR igfxpers.exe C:\Windows\System32\igfxpers.exe
RAVCpl64.exe "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s Win32_Process 20120728110246.190882-420 Win32_ComputerSystem 5898OGARDENSDR RAVCpl64.exe C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
ETDCtrl.exe "C:\Program Files\Elantech\ETDCtrl.exe" Win32_Process 20120728110246.643282-420 Win32_ComputerSystem 5898OGARDENSDR ETDCtrl.exe C:\Program Files\Elantech\ETDCtrl.exe
ePowerTray.exe "C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe" Win32_Process 20120728110246.861683-420 Win32_ComputerSystem 5898OGARDENSDR ePowerTray.exe C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
LManager.exe "C:\Program Files (x86)\Launch Manager\LManager.exe" Win32_Process 20120728110255.816098-420 Win32_ComputerSystem 5898OGARDENSDR LManager.exe C:\Program Files (x86)\Launch Manager\LManager.exe
MMDx64Fx.exe "C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe" Win32_Process 20120728110257.719302-420 Win32_ComputerSystem 5898OGARDENSDR MMDx64Fx.exe C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
igfxext.exe C:\Windows\system32\igfxext.exe -Embedding Win32_Process 20120728110258.468103-420 Win32_ComputerSystem 5898OGARDENSDR igfxext.exe C:\Windows\system32\igfxext.exe
igfxsrvc.exe C:\Windows\system32\igfxsrvc.exe -Embedding Win32_Process 20120728110258.561703-420 Win32_ComputerSystem 5898OGARDENSDR igfxsrvc.exe C:\Windows\system32\igfxsrvc.exe
armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" Win32_Process 20120728110303.132511-420 Win32_ComputerSystem 5898OGARDENSDR armsvc.exe C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
SeaPort.EXE "C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE" Win32_Process 20120728110303.506912-420 Win32_ComputerSystem 5898OGARDENSDR SeaPort.EXE C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
dsiwmis.exe "C:\Program Files (x86)\Launch Manager\dsiwmis.exe" Win32_Process 20120728110304.952517-420 Win32_ComputerSystem 5898OGARDENSDR dsiwmis.exe C:\Program Files (x86)\Launch Manager\dsiwmis.exe
ePowerSvc.exe "C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe" Win32_Process 20120728110305.126520-420 Win32_ComputerSystem 5898OGARDENSDR ePowerSvc.exe C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
LMworker.exe "C:\Program Files (x86)\Launch Manager\LMworker.exe" Win32_Process 20120728110305.352522-420 Win32_ComputerSystem 5898OGARDENSDR LMworker.exe C:\Program Files (x86)\Launch Manager\LMworker.exe
LMutilps32.exe "C:\Program Files (x86)\Launch Manager\LMutilps32.exe" --system-level-mutex="Local\{B904A927-FE6B-48fd-8C83-6B807BED1F9C}" --enable-wmi-window Win32_Process 20120728110305.606532-420 Win32_ComputerSystem 5898OGARDENSDR LMutilps32.exe C:\Program Files (x86)\Launch Manager\LMutilps32.exe
HeciServer.exe "C:\Program Files\Intel\iCLS Client\HeciServer.exe" Win32_Process 20120728110308.012538-420 Win32_ComputerSystem 5898OGARDENSDR HeciServer.exe C:\Program Files\Intel\iCLS Client\HeciServer.exe
Jhi_service.exe "C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe" Win32_Process 20120728110308.082538-420 Win32_ComputerSystem 5898OGARDENSDR Jhi_service.exe C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
UpdaterService.exe "C:\Program Files\Acer\Acer Updater\UpdaterService.exe" Win32_Process 20120728110308.232538-420 Win32_ComputerSystem 5898OGARDENSDR UpdaterService.exe C:\Program Files\Acer\Acer Updater\UpdaterService.exe
rpcnetp.exe C:\Windows\System32\rpcnetp.exe Win32_Process 20120728110313.092547-420 Win32_ComputerSystem 5898OGARDENSDR rpcnetp.exe C:\Windows\System32\rpcnetp.exe
wmpnetwk.exe "C:\Program Files\Windows Media Player\wmpnetwk.exe" Win32_Process 20120728110327.553773-420 Win32_ComputerSystem 5898OGARDENSDR wmpnetwk.exe C:\Program Files\Windows Media Player\wmpnetwk.exe
Ath_WlanAgent.exe "C:\Program Files (x86)\Atheros\Ath_WlanAgent.exe" Win32_Process 20120728110329.098176-420 Win32_ComputerSystem 5898OGARDENSDR Ath_WlanAgent.exe C:\Program Files (x86)\Atheros\Ath_WlanAgent.exe
svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation Win32_Process 20120728110330.860979-420 Win32_ComputerSystem 5898OGARDENSDR svchost.exe C:\Windows\system32\svchost.exe
SearchIndexer.exe C:\Windows\system32\SearchIndexer.exe /Embedding Win32_Process 20120728110331.703380-420 Win32_ComputerSystem 5898OGARDENSDR SearchIndexer.exe C:\Windows\system32\SearchIndexer.exe
WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe Win32_Process 20120728110333.200983-420 Win32_ComputerSystem 5898OGARDENSDR WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe
unsecapp.exe C:\Windows\system32\wbem\unsecapp.exe -Embedding Win32_Process 20120728110336.523789-420 Win32_ComputerSystem 5898OGARDENSDR unsecapp.exe C:\Windows\system32\wbem\unsecapp.exe
ETDCtrlHelper.exe "C:\Program Files\Elantech\ETDCtrlHelper.exe" Win32_Process 20120728110337.584590-420 Win32_ComputerSystem 5898OGARDENSDR ETDCtrlHelper.exe C:\Program Files\Elantech\ETDCtrlHelper.exe
ePowerEvent.exe "C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe" Win32_Process 20120728110340.002595-420 Win32_ComputerSystem 5898OGARDENSDR ePowerEvent.exe C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
cmd.exe "C:\Windows\system32\cmd.exe" Win32_Process 20120728110404.750639-420 Win32_ComputerSystem 5898OGARDENSDR cmd.exe C:\Windows\system32\cmd.exe
conhost.exe \??\C:\Windows\system32\conhost.exe "827960521-203989571079271113-1445699191409465509-403460884580195765383553165 Win32_Process 20120728110404.828639-420 Win32_ComputerSystem 5898OGARDENSDR conhost.exe C:\Windows\system32\conhost.exe
IAStorDataMgrSvc.exe "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe" Win32_Process 20120728110533.187194-420 Win32_ComputerSystem 5898OGARDENSDR IAStorDataMgrSvc.exe C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
LMS.exe "C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe" Win32_Process 20120728110536.993601-420 Win32_ComputerSystem 5898OGARDENSDR LMS.exe C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
UNS.exe "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" Win32_Process 20120728110542.516010-420 Win32_ComputerSystem 5898OGARDENSDR UNS.exe C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
WMIC.exe wmic.exe Win32_Process 20120728111620.042330-420 Win32_ComputerSystem 5898OGARDENSDR WMIC.exe C:\Windows\System32\Wbem\WMIC.exe
WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe Win32_Process 20120728111941.594684-420 Win32_ComputerSystem 5898OGARDENSDR WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe

wmic:root\cli>bootconfig get
BootDirectory Caption ConfigurationPath Description LastDrive Name ScratchDirectory SettingID TempDirectory
C:\Windows \Device\Harddisk0\Partition2 C:\Windows \Device\Harddisk0\Partition2 C: BootConfiguration C:\Windows\system32\config\systemprofile\AppData\Local\Temp C:\Windows\system32\config\systemprofile\AppData\Local\Temp

wmic:root\cli>sysaccount get
Caption Description Domain InstallDate LocalAccount Name SID SIDType Status
5898OGARDENSDR\Everyone 5898OGARDENSDR\Everyone 5898OGARDENSDR TRUE Everyone S-1-1-0 5 OK
5898OGARDENSDR\LOCAL 5898OGARDENSDR\LOCAL 5898OGARDENSDR TRUE LOCAL S-1-2-0 5 OK
5898OGARDENSDR\CREATOR OWNER 5898OGARDENSDR\CREATOR OWNER 5898OGARDENSDR TRUE CREATOR OWNER S-1-3-0 5 OK
5898OGARDENSDR\CREATOR GROUP 5898OGARDENSDR\CREATOR GROUP 5898OGARDENSDR TRUE CREATOR GROUP S-1-3-1 5 OK
5898OGARDENSDR\CREATOR OWNER SERVER 5898OGARDENSDR\CREATOR OWNER SERVER 5898OGARDENSDR TRUE CREATOR OWNER SERVER S-1-3-2 5 OK
5898OGARDENSDR\CREATOR GROUP SERVER 5898OGARDENSDR\CREATOR GROUP SERVER 5898OGARDENSDR TRUE CREATOR GROUP SERVER S-1-3-3 5 OK
5898OGARDENSDR\OWNER RIGHTS 5898OGARDENSDR\OWNER RIGHTS 5898OGARDENSDR TRUE OWNER RIGHTS S-1-3-4 5 OK
5898OGARDENSDR\DIALUP 5898OGARDENSDR\DIALUP 5898OGARDENSDR TRUE DIALUP S-1-5-1 5 OK
5898OGARDENSDR\NETWORK 5898OGARDENSDR\NETWORK 5898OGARDENSDR TRUE NETWORK S-1-5-2 5 OK
5898OGARDENSDR\BATCH 5898OGARDENSDR\BATCH 5898OGARDENSDR TRUE BATCH S-1-5-3 5 OK
5898OGARDENSDR\INTERACTIVE 5898OGARDENSDR\INTERACTIVE 5898OGARDENSDR TRUE INTERACTIVE S-1-5-4 5 OK
5898OGARDENSDR\SERVICE 5898OGARDENSDR\SERVICE 5898OGARDENSDR TRUE SERVICE S-1-5-6 5 OK
5898OGARDENSDR\ANONYMOUS LOGON 5898OGARDENSDR\ANONYMOUS LOGON 5898OGARDENSDR TRUE ANONYMOUS LOGON S-1-5-7 5 OK
5898OGARDENSDR\PROXY 5898OGARDENSDR\PROXY 5898OGARDENSDR TRUE PROXY S-1-5-8 5 OK
5898OGARDENSDR\SYSTEM 5898OGARDENSDR\SYSTEM 5898OGARDENSDR TRUE SYSTEM S-1-5-18 5 OK
5898OGARDENSDR\ENTERPRISE DOMAIN CONTROLLERS 5898OGARDENSDR\ENTERPRISE DOMAIN CONTROLLERS 5898OGARDENSDR TRUE ENTERPRISE DOMAIN CONTROLLERS S-1-5-9 5 OK
5898OGARDENSDR\SELF 5898OGARDENSDR\SELF 5898OGARDENSDR TRUE SELF S-1-5-10 5 OK
5898OGARDENSDR\Authenticated Users 5898OGARDENSDR\Authenticated Users 5898OGARDENSDR TRUE Authenticated Users S-1-5-11 5 OK
5898OGARDENSDR\RESTRICTED 5898OGARDENSDR\RESTRICTED 5898OGARDENSDR TRUE RESTRICTED S-1-5-12 5 OK
5898OGARDENSDR\TERMINAL SERVER USER 5898OGARDENSDR\TERMINAL SERVER USER 5898OGARDENSDR TRUE TERMINAL SERVER USER S-1-5-13 5 OK
5898OGARDENSDR\REMOTE INTERACTIVE LOGON 5898OGARDENSDR\REMOTE INTERACTIVE LOGON 5898OGARDENSDR TRUE REMOTE INTERACTIVE LOGON S-1-5-14 5 OK
5898OGARDENSDR\IUSR 5898OGARDENSDR\IUSR 5898OGARDENSDR TRUE IUSR S-1-5-17 5 OK
5898OGARDENSDR\LOCAL SERVICE 5898OGARDENSDR\LOCAL SERVICE 5898OGARDENSDR TRUE LOCAL SERVICE S-1-5-19 5 OK
5898OGARDENSDR\NETWORK SERVICE 5898OGARDENSDR\NETWORK SERVICE 5898OGARDENSDR TRUE NETWORK SERVICE S-1-5-20 5 OK
5898OGARDENSDR\BUILTIN 5898OGARDENSDR\BUILTIN 5898OGARDENSDR TRUE BUILTIN S-1-5-32 3 OK

wmic:root\cli>

wmic:root\cli>useraccount get
AccountType Caption Description Disabled Domain FullName InstallDate LocalAccount Lockout Name PasswordChangeable PasswordExpires PasswordRequired SID SIDType Status
512 5898OGardensDr\Administrator Built-in account for administering the computer/domain TRUE 5898OGardensDr TRUE FALSE Administrator TRUE FALSE TRUE S-1-5-21-2988173791-368692562-383624461-500 1 Degraded
512 5898OGardensDr\Guest Built-in account for guest access to the computer/domain TRUE 5898OGardensDr TRUE FALSE Guest FALSE FALSE FALSE S-1-5-21-2988173791-368692562-383624461-501 1 Degraded
512 5898OGardensDr\TrustedInstaller FALSE 5898OGardensDr TRUE FALSE TrustedInstaller TRUE FALSE FALSE S-1-5-21-2988173791-368692562-383624461-1000 1 OK

wmic:root\cli>

wmic:root\cli>port get
Alias Caption CreationClassName CSCreationClassName CSName Description EndingAddress InstallDate Name StartingAddress Status
FALSE 0x00000040-0x00000043 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000040-0x00000043 67 0x00000040-0x00000043 64 OK
FALSE 0x00000050-0x00000053 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000050-0x00000053 83 0x00000050-0x00000053 80 OK
FALSE 0x00002088-0x0000208F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00002088-0x0000208F 8335 0x00002088-0x0000208F 8328 OK
FALSE 0x00002094-0x00002097 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00002094-0x00002097 8343 0x00002094-0x00002097 8340 OK
FALSE 0x00002080-0x00002087 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00002080-0x00002087 8327 0x00002080-0x00002087 8320 OK
FALSE 0x00002090-0x00002093 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00002090-0x00002093 8339 0x00002090-0x00002093 8336 OK
FALSE 0x00002060-0x0000207F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00002060-0x0000207F 8319 0x00002060-0x0000207F 8288 OK
FALSE 0x00000000-0x0000001F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000000-0x0000001F 31 0x00000000-0x0000001F 0 OK
FALSE 0x00000081-0x00000091 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000081-0x00000091 145 0x00000081-0x00000091 129 OK
FALSE 0x00000093-0x0000009F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000093-0x0000009F 159 0x00000093-0x0000009F 147 OK
FALSE 0x000000C0-0x000000DF Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000C0-0x000000DF 223 0x000000C0-0x000000DF 192 OK
FALSE 0x00000060-0x00000060 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000060-0x00000060 96 0x00000060-0x00000060 96 OK
FALSE 0x00000064-0x00000064 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000064-0x00000064 100 0x00000064-0x00000064 100 OK
FALSE 0x00000D00-0x0000FFFF Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000D00-0x0000FFFF 65535 0x00000D00-0x0000FFFF 3328 OK
FALSE 0x00000070-0x00000077 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000070-0x00000077 119 0x00000070-0x00000077 112 OK
FALSE 0x0000002E-0x0000002F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000002E-0x0000002F 47 0x0000002E-0x0000002F 46 OK
FALSE 0x0000004E-0x0000004F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000004E-0x0000004F 79 0x0000004E-0x0000004F 78 OK
FALSE 0x00000061-0x00000061 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000061-0x00000061 97 0x00000061-0x00000061 97 OK
FALSE 0x00000063-0x00000063 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000063-0x00000063 99 0x00000063-0x00000063 99 OK
FALSE 0x00000065-0x00000065 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000065-0x00000065 101 0x00000065-0x00000065 101 OK
FALSE 0x00000067-0x00000067 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000067-0x00000067 103 0x00000067-0x00000067 103 OK
FALSE 0x00000068-0x00000068 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000068-0x00000068 104 0x00000068-0x00000068 104 OK
FALSE 0x0000006C-0x0000006C Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000006C-0x0000006C 108 0x0000006C-0x0000006C 108 OK
FALSE 0x00000080-0x00000080 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000080-0x00000080 128 0x00000080-0x00000080 128 OK
FALSE 0x00000092-0x00000092 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000092-0x00000092 146 0x00000092-0x00000092 146 OK
FALSE 0x000000B2-0x000000B3 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000B2-0x000000B3 179 0x000000B2-0x000000B3 178 OK
FALSE 0x00000680-0x0000069F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000680-0x0000069F 1695 0x00000680-0x0000069F 1664 OK
FALSE 0x0000FD60-0x0000FD63 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000FD60-0x0000FD63 64867 0x0000FD60-0x0000FD63 64864 OK
FALSE 0x00001000-0x0000100F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00001000-0x0000100F 4111 0x00001000-0x0000100F 4096 OK
FALSE 0x0000FFFF-0x0000FFFF Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000FFFF-0x0000FFFF 65535 0x0000FFFF-0x0000FFFF 65535 OK
FALSE 0x00000400-0x00000453 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000400-0x00000453 1107 0x00000400-0x00000453 1024 OK
FALSE 0x00000458-0x0000047F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000458-0x0000047F 1151 0x00000458-0x0000047F 1112 OK
FALSE 0x00000500-0x0000057F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000500-0x0000057F 1407 0x00000500-0x0000057F 1280 OK
FALSE 0x0000164E-0x0000164F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000164E-0x0000164F 5711 0x0000164E-0x0000164F 5710 OK
FALSE 0x000000F0-0x000000F0 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000F0-0x000000F0 240 0x000000F0-0x000000F0 240 OK
FALSE 0x00000062-0x00000062 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000062-0x00000062 98 0x00000062-0x00000062 98 OK
FALSE 0x00000066-0x00000066 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000066-0x00000066 102 0x00000066-0x00000066 102 OK
FALSE 0x00002040-0x0000205F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00002040-0x0000205F 8287 0x00002040-0x0000205F 8256 OK
FALSE 0x00000454-0x00000457 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000454-0x00000457 1111 0x00000454-0x00000457 1108 OK
FALSE 0x00002000-0x0000203F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00002000-0x0000203F 8255 0x00002000-0x0000203F 8192 OK
FALSE 0x000003B0-0x000003BB Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000003B0-0x000003BB 955 0x000003B0-0x000003BB 944 OK
FALSE 0x000003C0-0x000003DF Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000003C0-0x000003DF 991 0x000003C0-0x000003DF 960 OK
FALSE 0x00000020-0x00000021 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000020-0x00000021 33 0x00000020-0x00000021 32 OK
FALSE 0x00000024-0x00000025 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000024-0x00000025 37 0x00000024-0x00000025 36 OK
FALSE 0x00000028-0x00000029 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000028-0x00000029 41 0x00000028-0x00000029 40 OK
FALSE 0x0000002C-0x0000002D Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000002C-0x0000002D 45 0x0000002C-0x0000002D 44 OK
FALSE 0x00000030-0x00000031 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000030-0x00000031 49 0x00000030-0x00000031 48 OK
FALSE 0x00000034-0x00000035 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000034-0x00000035 53 0x00000034-0x00000035 52 OK
FALSE 0x00000038-0x00000039 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000038-0x00000039 57 0x00000038-0x00000039 56 OK
FALSE 0x0000003C-0x0000003D Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000003C-0x0000003D 61 0x0000003C-0x0000003D 60 OK
FALSE 0x000000A0-0x000000A1 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000A0-0x000000A1 161 0x000000A0-0x000000A1 160 OK
FALSE 0x000000A4-0x000000A5 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000A4-0x000000A5 165 0x000000A4-0x000000A5 164 OK
FALSE 0x000000A8-0x000000A9 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000A8-0x000000A9 169 0x000000A8-0x000000A9 168 OK
FALSE 0x000000AC-0x000000AD Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000AC-0x000000AD 173 0x000000AC-0x000000AD 172 OK
FALSE 0x000000B0-0x000000B1 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000B0-0x000000B1 177 0x000000B0-0x000000B1 176 OK
FALSE 0x000000B4-0x000000B5 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000B4-0x000000B5 181 0x000000B4-0x000000B5 180 OK
FALSE 0x000000B8-0x000000B9 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000B8-0x000000B9 185 0x000000B8-0x000000B9 184 OK
FALSE 0x000000BC-0x000000BD Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000BC-0x000000BD 189 0x000000BC-0x000000BD 188 OK
FALSE 0x000004D0-0x000004D1 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000004D0-0x000004D1 1233 0x000004D0-0x000004D1 1232 OK

wmic:root\cli>

----------------------------------------------------------------------------------------------------------------------------------------------------------------------

CommandPath=
CommandLine="} Windows PowerShell Provider "Certificate" is Started. Details: ProviderName=Certificate NewProviderState=Started SequenceNumber=8 HostName=ConsoleHost HostVersion=2.0 HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=
78 PowerShell 20120726035553.000000-000 20120726035553.000000-000 Information
6 Provider Lifecycle 5898OGardensDr 600 600 3 {"Variable", "Started", "ProviderName=Variable
NewProviderState=Started

SequenceNumber=7

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="} Windows PowerShell Provider "Variable" is Started. Details: ProviderName=Variable NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=2.0 HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=
77 PowerShell 20120726035553.000000-000 20120726035553.000000-000 Information
6 Provider Lifecycle 5898OGardensDr 600 600 3 {"Registry", "Started", "ProviderName=Registry
NewProviderState=Started

SequenceNumber=6

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="} Windows PowerShell Provider "Registry" is Started. Details: ProviderName=Registry NewProviderState=Started SequenceNumber=6 HostName=ConsoleHost HostVersion=2.0 HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=
76 PowerShell 20120726035553.000000-000 20120726035553.000000-000 Information
6 Provider Lifecycle 5898OGardensDr 600 600 3 {"Function", "Started", "ProviderName=Function
NewProviderState=Started

SequenceNumber=5

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="} Windows PowerShell Provider "Function" is Started. Details: ProviderName=Function NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=2.0 HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=
75 PowerShell 20120726035553.000000-000 20120726035553.000000-000 Information
6 Provider Lifecycle 5898OGardensDr 600 600 3 {"FileSystem", "Started", "ProviderName=FileSystem
NewProviderState=Started

SequenceNumber=4

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="} Windows PowerShell Provider "FileSystem" is Started. Details: ProviderName=FileSystem NewProviderState=Started SequenceNumber=4 HostName=ConsoleHost HostVersion=2.0 HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=
74 PowerShell 20120726035553.000000-000 20120726035553.000000-000 Information
6 Provider Lifecycle 5898OGardensDr 600 600 3 {"Environment", "Started", "ProviderName=Environment
NewProviderState=Started

SequenceNumber=3

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="} Windows PowerShell Provider "Environment" is Started. Details: ProviderName=Environment NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=2.0 HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=
73 PowerShell 20120726035553.000000-000 20120726035553.000000-000 Information
6 Provider Lifecycle 5898OGardensDr 600 600 3 {"Alias", "Started", "ProviderName=Alias
NewProviderState=Started

SequenceNumber=2

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="} Windows PowerShell Provider "Alias" is Started. Details: ProviderName=Alias NewProviderState=Started SequenceNumber=2 HostName=ConsoleHost HostVersion=2.0 HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=
72 PowerShell 20120726035553.000000-000 20120726035553.000000-000 Information
6 Provider Lifecycle 5898OGardensDr 600 600 3 {"WSMan", "Started", "ProviderName=WSMan
NewProviderState=Started

SequenceNumber=1

HostName=ConsoleHost
HostVersion=2.0
HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine="} Windows PowerShell Provider "WSMan" is Started. Details: ProviderName=WSMan NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=2.0 HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=
71 PowerShell 20120726035553.000000-000 20120726035553.000000-000 Information

wmic:root\cli>ntdomain get
Caption ClientSiteName CreationClassName DcSiteName Description DnsForestName DomainControllerAddress DomainControllerAddressType DomainControllerName DomainGuid DomainName DSDirectoryServiceFlag DSDnsControllerFlag DSDnsDomainFlag DSDnsForestFlag DSGlobalCatalogFlag DSKerberosDistributionCenterFlag DSPrimaryDomainControllerFlag DSTimeServiceFlag DSWritableFlag InstallDate Name NameFormat PrimaryOwnerContact PrimaryOwnerName Roles Status
5898OGardensDr Win32_NTDomain 5898OGardensDr Domain: 5898OGardensDr Unknown

wmic:root\cli>port get
Alias Caption CreationClassName CSCreationClassName CSName Description EndingAddress InstallDate Name StartingAddress Status
FALSE 0x00000040-0x00000043 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000040-0x00000043 67 0x00000040-0x00000043 64 OK
FALSE 0x00000050-0x00000053 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000050-0x00000053 83 0x00000050-0x00000053 80 OK
FALSE 0x00002088-0x0000208F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00002088-0x0000208F 8335 0x00002088-0x0000208F 8328 OK
FALSE 0x00002094-0x00002097 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00002094-0x00002097 8343 0x00002094-0x00002097 8340 OK
FALSE 0x00002080-0x00002087 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00002080-0x00002087 8327 0x00002080-0x00002087 8320 OK
FALSE 0x00002090-0x00002093 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00002090-0x00002093 8339 0x00002090-0x00002093 8336 OK
FALSE 0x00002060-0x0000207F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00002060-0x0000207F 8319 0x00002060-0x0000207F 8288 OK
FALSE 0x00000000-0x0000001F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000000-0x0000001F 31 0x00000000-0x0000001F 0 OK
FALSE 0x00000081-0x00000091 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000081-0x00000091 145 0x00000081-0x00000091 129 OK
FALSE 0x00000093-0x0000009F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000093-0x0000009F 159 0x00000093-0x0000009F 147 OK
FALSE 0x000000C0-0x000000DF Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000C0-0x000000DF 223 0x000000C0-0x000000DF 192 OK
FALSE 0x00000060-0x00000060 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000060-0x00000060 96 0x00000060-0x00000060 96 OK
FALSE 0x00000064-0x00000064 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000064-0x00000064 100 0x00000064-0x00000064 100 OK
FALSE 0x00000D00-0x0000FFFF Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000D00-0x0000FFFF 65535 0x00000D00-0x0000FFFF 3328 OK
FALSE 0x00000070-0x00000077 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000070-0x00000077 119 0x00000070-0x00000077 112 OK
FALSE 0x0000002E-0x0000002F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000002E-0x0000002F 47 0x0000002E-0x0000002F 46 OK
FALSE 0x0000004E-0x0000004F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000004E-0x0000004F 79 0x0000004E-0x0000004F 78 OK
FALSE 0x00000061-0x00000061 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000061-0x00000061 97 0x00000061-0x00000061 97 OK
FALSE 0x00000063-0x00000063 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000063-0x00000063 99 0x00000063-0x00000063 99 OK
FALSE 0x00000065-0x00000065 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000065-0x00000065 101 0x00000065-0x00000065 101 OK
FALSE 0x00000067-0x00000067 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000067-0x00000067 103 0x00000067-0x00000067 103 OK
FALSE 0x00000068-0x00000068 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000068-0x00000068 104 0x00000068-0x00000068 104 OK
FALSE 0x0000006C-0x0000006C Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000006C-0x0000006C 108 0x0000006C-0x0000006C 108 OK
FALSE 0x00000080-0x00000080 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000080-0x00000080 128 0x00000080-0x00000080 128 OK
FALSE 0x00000092-0x00000092 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000092-0x00000092 146 0x00000092-0x00000092 146 OK
FALSE 0x000000B2-0x000000B3 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000B2-0x000000B3 179 0x000000B2-0x000000B3 178 OK
FALSE 0x00000680-0x0000069F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000680-0x0000069F 1695 0x00000680-0x0000069F 1664 OK
FALSE 0x0000FD60-0x0000FD63 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000FD60-0x0000FD63 64867 0x0000FD60-0x0000FD63 64864 OK
FALSE 0x00001000-0x0000100F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00001000-0x0000100F 4111 0x00001000-0x0000100F 4096 OK
FALSE 0x0000FFFF-0x0000FFFF Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000FFFF-0x0000FFFF 65535 0x0000FFFF-0x0000FFFF 65535 OK
FALSE 0x00000400-0x00000453 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000400-0x00000453 1107 0x00000400-0x00000453 1024 OK
FALSE 0x00000458-0x0000047F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000458-0x0000047F 1151 0x00000458-0x0000047F 1112 OK
FALSE 0x00000500-0x0000057F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000500-0x0000057F 1407 0x00000500-0x0000057F 1280 OK
FALSE 0x0000164E-0x0000164F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000164E-0x0000164F 5711 0x0000164E-0x0000164F 5710 OK
FALSE 0x000000F0-0x000000F0 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000F0-0x000000F0 240 0x000000F0-0x000000F0 240 OK
FALSE 0x00000062-0x00000062 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000062-0x00000062 98 0x00000062-0x00000062 98 OK
FALSE 0x00000066-0x00000066 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000066-0x00000066 102 0x00000066-0x00000066 102 OK
FALSE 0x00002040-0x0000205F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00002040-0x0000205F 8287 0x00002040-0x0000205F 8256 OK
FALSE 0x00000454-0x00000457 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000454-0x00000457 1111 0x00000454-0x00000457 1108 OK
FALSE 0x00002000-0x0000203F Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00002000-0x0000203F 8255 0x00002000-0x0000203F 8192 OK
FALSE 0x000003B0-0x000003BB Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000003B0-0x000003BB 955 0x000003B0-0x000003BB 944 OK
FALSE 0x000003C0-0x000003DF Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000003C0-0x000003DF 991 0x000003C0-0x000003DF 960 OK
FALSE 0x00000020-0x00000021 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000020-0x00000021 33 0x00000020-0x00000021 32 OK
FALSE 0x00000024-0x00000025 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000024-0x00000025 37 0x00000024-0x00000025 36 OK
FALSE 0x00000028-0x00000029 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000028-0x00000029 41 0x00000028-0x00000029 40 OK
FALSE 0x0000002C-0x0000002D Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000002C-0x0000002D 45 0x0000002C-0x0000002D 44 OK
FALSE 0x00000030-0x00000031 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000030-0x00000031 49 0x00000030-0x00000031 48 OK
FALSE 0x00000034-0x00000035 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000034-0x00000035 53 0x00000034-0x00000035 52 OK
FALSE 0x00000038-0x00000039 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x00000038-0x00000039 57 0x00000038-0x00000039 56 OK
FALSE 0x0000003C-0x0000003D Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x0000003C-0x0000003D 61 0x0000003C-0x0000003D 60 OK
FALSE 0x000000A0-0x000000A1 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000A0-0x000000A1 161 0x000000A0-0x000000A1 160 OK
FALSE 0x000000A4-0x000000A5 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000A4-0x000000A5 165 0x000000A4-0x000000A5 164 OK
FALSE 0x000000A8-0x000000A9 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000A8-0x000000A9 169 0x000000A8-0x000000A9 168 OK
FALSE 0x000000AC-0x000000AD Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000AC-0x000000AD 173 0x000000AC-0x000000AD 172 OK
FALSE 0x000000B0-0x000000B1 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000B0-0x000000B1 177 0x000000B0-0x000000B1 176 OK
FALSE 0x000000B4-0x000000B5 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000B4-0x000000B5 181 0x000000B4-0x000000B5 180 OK
FALSE 0x000000B8-0x000000B9 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000B8-0x000000B9 185 0x000000B8-0x000000B9 184 OK
FALSE 0x000000BC-0x000000BD Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000000BC-0x000000BD 189 0x000000BC-0x000000BD 188 OK
FALSE 0x000004D0-0x000004D1 Win32_PortResource Win32_ComputerSystem 5898OGARDENSDR 0x000004D0-0x000004D1 1233 0x000004D0-0x000004D1 1232 OK



-----------------------------------------/

wmic:root\cli>ipconfig get
ipconfig - Alias not found.
wmic:root\cli>rdaccount get
Node - 5898OGARDENSDR
ERROR:
Description = Invalid namespace


wmic:root\cli>RDACCOUNT GET
Node - 5898OGARDENSDR
ERROR:
Description = Invalid namespace


wmic:root\cli>RDNIC get
Node - 5898OGARDENSDR
ERROR:
Description = Invalid namespace


wmic:root\cli>rdpermissions get
Node - 5898OGARDENSDR
ERROR:
Description = Invalid namespace


wmic:root\cli>netuse get
No Instance(s) Available.


wmic:root\cli>nteventlog get
AccessMask Archive Caption Compressed CompressionMethod CreationClassName CreationDate CSCreationClassName CSName Description Drive EightDotThreeFileName Encrypted EncryptionMethod Extension FileName FileSize FileType FSCreationClassName FSName Hidden InstallDate InUseCount LastAccessed LastModified LogfileName Manufacturer MaxFileSize Name NumberOfRecords OverwriteOutDated OverWritePolicy Path Readable Sources


Status System Version Writeable
TRUE c:\windows\system32\winevt\logs\application.evtx FALSE Win32_NTEventlogFile 20120502033342.941281-420 Win32_ComputerSystem 5898OGARDENSDR c:\windows\system32\winevt\logs\application.evtx c: c:\windows\system32\winevt\logs\applic~1.evt FALSE evtx Application 1118208 evtx File Win32_FileSystem NTFS FALSE 20120502033342.941281-420 20120502033342.941281-420 20120728110327.179372-420 Application 20971520 C:\Windows\System32\Winevt\Logs\Application.evtx 152 0 WhenNeeded \windows\system32\winevt\logs\ TRUE {"Application", ".NET Runtime", ".NET Runtime Optimization Service", "Application Error", "Application Hang", "Application-Addon-Event-Provider", "ASP.NET 2.0.50727.0", "AutoEnrollment", "BBSvc", "CardSpace 3.0.0.0", "CardSpace 4.0.0.0", "CertCli", "CertEnroll", "Chkdsk", "COM", "COM+", "Customer Experience Improvement Program", "Desktop Window Manager", "DiskQuota", "Dvd Maker", "ESENT", "EventSystem", "Folder Redirection", "Group Policy", "Handwriting Recognition", "IAStorDataMgrSvc", "Intel Control Center", "Intel® Capability Licensing Service Interface", "Intel® ME Application", "IntelDalJhi", "Interactive Services detection", "LMS", "LoadPerf", "LocationNotifications", "Microsoft Fax", "Microsoft Security Client", "Microsoft Security Client Setu
p", "Microsoft-Windows-Application-Experience", "Microsoft-Windows-ApplicationExperienceInfrastructure", "Microsoft-Windows-Audio", "Microsoft-Windows-AxInstallService", "Microsoft-Windows-Backup", "Microsoft-Windows-CAPI2", "Microsoft-Windows-CertificateServicesClient", "Microsoft-Windows-CertificateServicesClient-AutoEnrollment", "Microsoft-Windows-CertificateServicesClient-CertEnroll", "Microsoft-Windows-CertificateServicesClient-CredentialRoaming", "Microsoft-Windows-CertificationAuthorityClient-CertCli", "Microsoft-Windows-Crypto-RNG", "Microsoft-Windows-Defrag", "Microsoft-Windows-DirectShow-Core", "Microsoft-Windows-DirectShow-KernelSupport", "Microsoft-Windows-EapHost", "Microsoft-Windows-EFS", "Microsoft-Windows-EventCollector", "Microsoft-Windows-Folder Redirection", "Microsoft-Windows-LoadPerf", "Microsoft-Windows-PerfCtrs", "Microsoft-Windows-PerfNet", "Microsoft-Windows-PerfOS", "Microsoft-Windows-PerfProc", "Microsoft-Windows-propsys", "Microsoft-Windows-RemoteApp and Desktop Connections", "Microsoft-Windows-RemoteAssistance", "Microsoft-Windows-RestartManager", "Microsoft-Windows-RPC-Events", "Microsoft-Windows-SoftwareRestrictionPolicies", "Microsoft-Windows-TerminalServices-ClientActiveXCore", "Microsoft-Windows-User Profiles General", "Microsoft-Windows-User Profiles Service", "Microsoft-Windows-Video-For-Windows", "Microsoft-Windows-WBioSrvc", "Microsoft-Windows-WindowsSystemAssessmentTool", "Microsoft-Windows-Winsrv", "Microsoft-Windows-XWizards", "Microso
ft.Transactions.Bridge 3.0.0.0", "Microsoft.Transactions.Bridge 4.0.0.0", "MPSampleSubmission", "MSDTC", "MSDTC 2", "MSDTC Client", "MSDTC Client 2", "MsiInstaller", "PDH", "PerfCtrs", "PerfDisk", "Perflib", "PerfNet", "PerfOs", "PerfProc", "Process Exit Monitor", "Profsvc", "RasClient", "SceCli", "SceSrv", "SeaPort", "SecurityCenter", "ServiceModel Audit 3.0.0.0", "ServiceModel Audit 4.0.0.0", "SideBySide", "SkypeUpdate", "Software Protection Platform Service", "SPP", "Standard TCP/IP Port", "System Restore", "System.IdentityModel 3.0.0.0", "System.IdentityModel 4.0.0.0", "System.IO.Log 3.0.0.0", "System.IO.Log 4.0.0.0", "System.Runtime.Serialization 3.0.0.0", "System.Runtime.Serialization 4.0.0.0", "System.ServiceModel 3.0.0.0", "System.ServiceModel 4.0.0.0", "UNS", "usbperf", "Userenv", "VBRuntime", "VSS", "VSSetup", "WerSvc", "Windows Activation Technologies", "Windows Backup", "Windows Error Reporting", "Windows Search Service", "Windows Search Service Profile Notification", "Wininit", "Winlogon", "WinMgmt", "Wlclntfy", "WMI.NET Provider Extension", "Wow64 Emulation Layer", "WSH", "Zune"}
OK FALSE TRUE
TRUE c:\windows\system32\winevt\logs\hardwareevents.evtx FALSE Win32_NTEventlogFile 20120502033343.487282-420 Win32_ComputerSystem 5898OGARDENSDR c:\windows\system32\winevt\logs\hardwareevents.evtx c: c:\windows\system32\winevt\logs\hardwa~1.evt FALSE evtx HardwareEvents 69632 evtx File Win32_FileSystem NTFS FALSE 20120502033343.487282-420 20120502033343.487282-420 20120728101538.908051-420 HardwareEvents 20971520 C:\Windows\System32\Winevt\Logs\HardwareEvents.evtx 0 0 WhenNeeded \windows\system32\winevt\logs\ TRUE {"HardwareEvents"}


OK FALSE TRUE
TRUE c:\windows\system32\winevt\logs\internet explorer.evtx FALSE Win32_NTEventlogFile 20120502033343.409282-420 Win32_ComputerSystem 5898OGARDENSDR c:\windows\system32\winevt\logs\internet explorer.evtx c: c:\windows\system32\winevt\logs\intern~1.evt FALSE evtx Internet Explorer 69632 evtx File Win32_FileSystem NTFS FALSE 20120502033343.409282-420 20120502033343.409282-420 20120728101538.908051-420 Internet Explorer 1052672 C:\Windows\System32\Winevt\Logs\Internet Explorer.evtx 0 0 WhenNeeded \windows\system32\winevt\logs\ TRUE {"Internet Explorer"}


OK FALSE TRUE
TRUE c:\windows\system32\winevt\logs\key management service.evtx FALSE Win32_NTEventlogFile 20120502033343.284482-420 Win32_ComputerSystem 5898OGARDENSDR c:\windows\system32\winevt\logs\key management service.evtx c: c:\windows\system32\winevt\logs\keyman~1.evt FALSE evtx Key Management Service 69632 evtx File Win32_FileSystem NTFS FALSE 20120502033343.284482-420 20120502033343.284482-420 20120728101538.908051-420 Key Management Service 20971520 C:\Windows\System32\Winevt\Logs\Key Management Service.evtx 0 0 WhenNeeded \windows\system32\winevt\logs\ TRUE {"Key Management Service", "KmsRequests"}


OK FALSE TRUE
TRUE c:\windows\system32\winevt\logs\media center.evtx FALSE Win32_NTEventlogFile 20120502033343.190882-420 Win32_ComputerSystem 5898OGARDENSDR c:\windows\system32\winevt\logs\media center.evtx c: c:\windows\system32\winevt\logs\mediac~1.evt FALSE evtx Media Center 69632 evtx File Win32_FileSystem NTFS FALSE 20120502033343.190882-420 20120502033343.190882-420 20120728101538.908051-420 Media Center 8388608 C:\Windows\System32\Winevt\Logs\Media Center.evtx 0 0 WhenNeeded \windows\system32\winevt\logs\ TRUE {"Media Center", "ehExtHost", "ehRecvr", "ehSched", "ehshell", "mcstore", "MCUpdate", "Recording"}


OK FALSE TRUE
TRUE c:\windows\system32\winevt\logs\security.evtx FALSE Win32_NTEventlogFile 20120502033342.972481-420 Win32_ComputerSystem 5898OGARDENSDR c:\windows\system32\winevt\logs\security.evtx c: c:\windows\system32\winevt\logs\securi~1.evt FALSE evtx Security 69632 evtx File Win32_FileSystem NTFS FALSE 20120502033342.972481-420 20120502033342.972481-420 20120728110224.335243-420 Security 20971520 C:\Windows\System32\Winevt\Logs\Security.evtx 54 0 WhenNeeded \windows\system32\winevt\logs\ TRUE {"Security", "DS", "LSA", "Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing", "SC Manager", "Security Account Manager", "ServiceModel 3.0.0.0", "ServiceModel 4.0.0.0", "Spooler", "TCP/IP", "VSSAudit"}


OK FALSE TRUE
TRUE c:\windows\system32\winevt\logs\system.evtx FALSE Win32_NTEventlogFile 20120502033342.847681-420 Win32_ComputerSystem 5898OGARDENSDR c:\windows\system32\winevt\logs\system.evtx c: c:\windows\system32\winevt\logs\system~1.evt FALSE evtx System 1118208 evtx File Win32_FileSystem NTFS FALSE 20120502033342.847681-420 20120502033342.847681-420 20120728110225.006044-420 System 20971520 C:\Windows\System32\Winevt\Logs\System.evtx 271 0 WhenNeeded \windows\system32\winevt\logs\ TRUE {"System", "ACPI", "adp94xx", "adpahci", "adpu320", "AeLookupSvc", "AmdK8", "AmdPPM", "amdsata", "amdsbs", "amdxata", "Application Popup", "arc", "arcsas", "AsyncMac", "atapi", "athr", "b06bdrv", "b57nd60a", "BCM43XX", "beep", "Bowser", "Browser", "bScsiSDa", "BugCheck", "cdrom", "DCOM", "DfsSvc", "Dhcp", "Dhcpv6", "Dhcp_QEC", "disk", "Display", "Dnsapi", "Dnscache", "ebdrv", "elxstor", "eventlog", "exFAT", "FltMgr", "fvevol", "HidBth", "HpSAMD", "Http", "i8042prt", "iaStor", "iaStorV", "iirsp", "intelppm", "IPMGM", "IPMIDRV", "IPNATHLP", "IPRouterManager", "isapnp", "iScsiPrt", "k57nd60a", "kbdclass", "kbdhid", "Kerberos", "lltdio", "LmHosts", "LsaSrv", "LSI_FC", "LSI_SAS", "LSI_SAS2", "LSI_SCSI", "LSM", "megasas", "MegaSR", "MEIx64", "Microsoft Antimal
ware", "Microsoft-Windows-Application-Experience", "Microsoft-Windows-BitLocker-API", "Microsoft-Windows-BitLocker-Driver", "Microsoft-Windows-Bits-Client", "Microsoft-Windows-CorruptedFileRecovery-Client", "Microsoft-Windows-CorruptedFileRecovery-Server", "Microsoft-Windows-DfsSvc", "Microsoft-Windows-Dhcp-Client", "Microsoft-Windows-Dhcp-Nap-Enforcement-Client", "Microsoft-Windows-DHCPv6-Client", "Microsoft-Windows-Diagnostics-Networking", "Microsoft-Windows-Directory-Services-SAM", "Microsoft-Windows-DiskDiagnostic", "Microsoft-Windows-DNS-Client", "Microsoft-Windows-DriverFrameworks-UserMode", "Microsoft-Windows-EnhancedStorage-EhStorCertDrv", "Microsoft-Windows-EventCollector", "Microsoft-Windows-Eventlog", "Microsoft-Windows-Fault-Tolerant-Heap", "Microsoft-Windows-FilterManager", "Microsoft-Windows-Firewall", "Microsoft-Windows-FMS", "Microsoft-Windows-FunctionDiscoveryHost", "Microsoft-Windows-GroupPolicy", "Microsoft-Windows-HAL", "Microsoft-Windows-HttpEvent", "Microsoft-Windows-IPBusEnum", "Microsoft-Windows-Iphlpsvc", "Microsoft-Windows-Kernel-Boot", "Microsoft-Windows-Kernel-General", "Microsoft-Windows-Kernel-PnP", "Microsoft-Windows-Kernel-Power", "Microsoft-Windows-Kernel-Processor-Power", "Microsoft-Windows-Kernel-Tm", "Microsoft-Windows-Kernel-WHEA", "Microsoft-Windows-LanguagePackSetup", "Microsoft-Windows-MemoryDiagnostics-Results", "Microsoft-Windows-MemoryDiagnostics-Schedule", "Microsoft-Windows-Power-Troubleshooter", "Microsoft-Windows-RasSstp", "Micro
soft-Windows-Recovery", "Microsoft-Windows-Resource-Exhaustion-Detector", "Microsoft-Windows-ResourcePublication", "Microsoft-Windows-SCPNP", "Microsoft-Windows-Servicing", "Microsoft-Windows-Setup", "Microsoft-Windows-StartupRepair", "Microsoft-Windows-Subsys-SMSS", "Microsoft-Windows-TaskScheduler", "Microsoft-Windows-TBS", "Microsoft-Windows-TerminalServices-LocalSessionManager", "Microsoft-Windows-TerminalServices-RemoteConnectionManager", "Microsoft-Windows-Time-Service", "Microsoft-Windows-TPM-WMI", "Microsoft-Windows-UserPnp", "Microsoft-Windows-WHEA-Logger", "Microsoft-Windows-WindowsUpdateClient", "Microsoft-Windows-Wininit", "Microsoft-Windows-Winlogon", "Microsoft-Windows-WLAN-AutoConfig", "mouclass", "mouhid", "mpio", "mrxsmb", "MSDTC Gateway", "MSDTC WS-AT Protocol", "MSiSCSI", "MTConfig", "Mup", "NAPIPSecEnf", "NdisWan", "NetBIOS", "NetBT", "Netlogon", "nfrd960", "Ntfs", "nvraid", "nvstor", "P2PIMSvc", "Parport", "partmgr", "pcmcia", "PlugPlayManager", "PNRPSvc", "Power", "PptpMiniport", "Print", "PrintFilterPipelineSvc", "Processor", "ql2300", "ql40xx", "RasAuto", "Rasman", "RasSstp", "rdbss", "RemoteAccess", "rspndr", "SAM", "sbp2port", "SCardSvr", "Schannel", "Serial", "sermouse", "Server", "Service Control Manager", "SiSRaid2", "SiSRaid4", "Smb", "SMSvcHost 3.0.0.0", "SMSvcHost 4.0.0.0", "SNMPTRAP", "Srv", "stexstor", "StillImage", "Tcpip", "Tcpip6", "TCPMon", "TermDD", "TermService", "TsUsbFlt", "tunnel", "USER32", "VDS Basic Provider", "VDS Dynamic Provide
r", "VDS Virtual Disk Provider", "vga", "Virtual Disk Service", "volmgr", "Volsnap", "vsmraid", "W32Time", "WacomPen", "Wd", "wdf01000", "wecsvc", "Win32k", "WinDefend", "Windows Disk Diagnostic", "Windows Script Host", "WinHttpAutoProxySvc", "WinRM", "WMIxWDM", "WMPNetworkSvc", "Workstation", "WPC", "WPDClassInstaller", "ZuneNetworkSvc"} OK FALSE TRUE
TRUE c:\windows\system32\winevt\logs\windows powershell.evtx FALSE Win32_NTEventlogFile 20120502033343.081681-420 Win32_ComputerSystem 5898OGARDENSDR c:\windows\system32\winevt\logs\windows powershell.evtx c: c:\windows\system32\winevt\logs\window~1.evt FALSE evtx Windows PowerShell 69632 evtx File Win32_FileSystem NTFS FALSE 20120502033343.081681-420 20120502033343.081681-420 20120728101538.377650-420 Windows PowerShell 15728640 C:\Windows\System32\Winevt\Logs\Windows PowerShell.evtx 10 0 WhenNeeded \windows\system32\winevt\logs\ TRUE {"Windows PowerShell", "PowerShell"}
---------------------------------XML FROM SYSTEM32 FILE "Mobility Manager for VPN Client" -----------
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Author>Microsoft Corporation</Author>
<Description>Provides support for the switching of mobility enabled VPN connections if their underlying interface goes down.</Description>
<URI>Microsoft\Windows\Ras\MobilityManager</URI>
<SecurityDescriptor>D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;FR;;;LS)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<EventTrigger>
<Enabled>true</Enabled>
<Subscription>&lt;QueryList&gt;
&lt;Query
Id="0"
Path="Application"
&gt;
&lt;Select Path="Application"&gt;*[System[Provider[@Name='RasClient'] and (Level=4 or Level=0) and (EventID=20281)]]&lt;/Select&gt;
&lt;/Query&gt;
&lt;/QueryList&gt;</Subscription>
</EventTrigger>
</Triggers>
<Principals>
<Principal id="LocalService">
<UserId>S-1-5-19</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="LocalService">
<ComHandler>
<ClassId>{C463A0FC-794F-4FDF-9201-01938CEACAFA}</ClassId>
</ComHandler>
</Actions>
</Task>
-------------------------

#2 sadlittleacer

  • Topic Starter
  • Members
  • 2 posts

Posted 31 July 2012 - 11:25 PM

Update on my little nightmare:
I updated the Windows security downloads, knowing that anything I do like this can be the beginning of the end of another laptop.

I checked the Windows updates and the "location" column shows them installed on other drives.
Drives with names like:
\\?\C:\Windows\SoftwareDistribution
and
\\?\E:\OfflineUpdateHotfixToWOS\scratchdir

I should say - I have no drives or anything else hooked to this sad little laptop.

#3 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 9,849 posts
  • Gender:Male

Posted 05 August 2012 - 02:05 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/463210 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 9,849 posts
  • Gender:Male

Posted 10 August 2012 - 02:10 AM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!
