Updated on 2026-02-25 GMT+08:00

Method 2: Using DOS System Commands to Check Processes

This section describes how to use Windows command-line (cmd.exe, commonly called DOS) commands to check the processes, network connections, user accounts, files and logon records of a server that may have been compromised.

Common Commands

  Command                  Description
  -----------------------  ------------------------------------------------------------
  cd                       Switch the working directory. "." is the current directory
                           (it can be omitted), ".." is one level up and "..\.." is two
                           levels up.
  dir /a <drive>           List all files, including hidden and system files, which a
                           plain "dir" omits. <drive> is a placeholder such as C:\.
  more                     Display output one screen at a time, for example
                           "dir /s C:\ | more".
  tasklist                 List running processes with their PIDs. "tasklist /svc" also
                           shows the services hosted by each process; "tasklist /v"
                           shows the account each process runs as.
  netstat -ano             List all TCP/UDP connections and listening ports in numeric
                           form (-a, -n) with the PID of the owning process (-o).
  wmic startup list full   List programs configured to start automatically. wmic is
                           deprecated on current Windows releases and may be absent;
                           in that case run "Get-CimInstance Win32_StartupCommand"
                           in PowerShell.
  net user                 List local user accounts.

Examples:

  • List the files (directories excluded) under D:\Apps\IDE whose listing line contains DR: dir /a-d /s "D:\Apps\IDE" | findstr "DR"
  • List all .exe files, with their directories, on drive C: dir /s C:\ | findstr /i "\.exe$"

    Use C:\ with the trailing backslash: "dir /s C:" lists from the current directory of drive C, not from its root. The /i option makes findstr case-insensitive and "\.exe$" matches only names that end in .exe, whereas findstr "exe" would also match any line that merely contains those three letters.

Procedure

  1. Check whether abnormal processes exist.

    Command: tasklist (add /svc to see which services each process hosts, or /v to see the account each process runs as)

    Based on the query result, locate processes that are neither Windows system processes nor processes of the applications deployed on the server. Pay particular attention to names that imitate a system process but are spelled differently (for example, vchost.exe instead of svchost.exe), a common way for malware to hide in a process list.

  2. Check the network connections for abnormal IP addresses connected to the server.

    Query command: netstat -ano

    1. Based on the query result, locate suspicious connections: remote addresses and ports that are neither the service's own listening ports nor external addresses the service legitimately communicates with. ESTABLISHED connections to unfamiliar public addresses deserve the closest attention.
    2. Check whether the suspicious address is known to be malicious or is otherwise abnormal for this server, for example by looking it up in threat intelligence or WHOIS and comparing its location with the regions the service is expected to exchange traffic with.
    3. Use the PID of the abnormal connection (for example, 2240) to find the owning process in the tasklist output (for example, vchost.exe). The filter tasklist /fi "PID eq 2240" shows only that process.

  3. Check for abnormal users.

    1. Run the following command to list local accounts: net user

      Look for accounts that administrators did not create, including names that imitate legitimate accounts. Run net localgroup administrators to see which accounts hold administrative rights.

    2. Run the following command to see when an account's password was last set and when it last logged on: net user username (for example, net user administrator)

      The output includes the "Password last set" and "Last logon" fields.

    3. Run the following command to check whether the system has been restarted: systeminfo

      The "System Boot Time" line shows the last restart. A restart clears volatile evidence: the processes, network connections and other in-memory data from before the restart are gone. If the server was restarted after the suspected intrusion, rely on the file checks in Step 4.

  4. Check for abnormal files.

    Run the following command: dir /s file_directory | findstr /i "\.exe$" (for example, dir /s C:\ | findstr /i "\.exe$")

    The command lists the .exe files on the disk (for example, C:\) together with their directories. Based on the query result, locate abnormal files that are neither Windows system files nor files created by the applications on the server, and isolate them for analysis rather than deleting them. Add /a to dir so that hidden and system files are included; dir /a /s /o-d orders each directory's entries newest first, which makes recently dropped files easier to spot.

    You are advised to check the following directories: C:\Windows, C:\Windows\System32, C:\Windows\System32\drivers, C:\Program Files\Internet Explorer\, C:\Program Files\Internet Explorer\plugin, C:\Program Files\Common Files\Microsoft Shared, and the temporary folders (C:\Windows\Temp and each user's %TEMP%).

  5. View the Windows server logon log (logon success event ID: 4624) to check for abnormal logons to the server.

    1. Open Control Panel, choose Administrative Tools > Computer Management > System Tools > Event Viewer > Windows Logs > Security, and click Filter Current Log on the right.
    2. Enter 4624 in the Includes/Excludes Event IDs box.
      Figure 1 Filtering current logs
    3. The query results are displayed. See Figure 2.
      Figure 2 Viewing results

    In each event, check the Logon Type (10 is a Remote Desktop logon, 3 is a network logon such as SMB or WinRM, 2 is a local console logon), the Account Name and the Source Network Address. Remote logons from unfamiliar addresses or at unusual hours are the ones to investigate. Failed logons are recorded as event 4625; a burst of 4625 events from one address followed by a 4624 from the same address indicates password guessing that succeeded. From the command line, the same events can be exported with wevtutil, for example: wevtutil qe Security /q:"*[System[(EventID=4624)]]" /rd:true /c:200 /f:text

  6. If the problem persists, you can submit a service ticket.
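The following Python script is an added example and is not part of the original page. It carries out Steps 1 and 2 offline on saved command output (tasklist /fo csv /nh > tasklist.csv and netstat -ano > netstat.txt): it parses both outputs, joins each ESTABLISHED connection to an external host with the process that owns it, and flags process names that imitate Windows system processes. The sample outputs inside it are constructed, the SYSTEM_PROCESSES and INTERNAL_NETS lists are assumptions to adapt to your environment, and 203.0.113.77 is a documentation address standing in for an unknown external host.

```python
"""Offline triage of saved `tasklist` and `netstat -ano` output.

Added example, not code from the original page. Joins the two outputs the way
Steps 1 and 2 do by hand. All sample data below is constructed; 203.0.113.77 is
a documentation address standing in for an unknown external host.
"""
import csv
import ipaddress

# Constructed `tasklist /fo csv /nh` output: Image Name, PID, Session Name, Session#, Mem Usage.
TASKLIST_CSV = (
    '"svchost.exe","912","Services","0","12,456 K"\n'
    '"vchost.exe","2240","Console","1","8,120 K"\n'
    '"sqlservr.exe","1480","Services","0","310,200 K"\n'
    '"explorer.exe","3300","Console","1","90,100 K"\n'
)

# Constructed `netstat -ano` output (same column layout as the real command).
NETSTAT_TXT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:1433          10.0.0.20:51022        ESTABLISHED     1480
  TCP    10.0.0.5:49812         203.0.113.77:4444      ESTABLISHED     2240
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     3300
  UDP    0.0.0.0:123            *:*                                    912
"""

# Names attackers commonly imitate; an assumed list, extend it for your environment.
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                    "services.exe", "winlogon.exe", "wininit.exe", "explorer.exe"}

# Address ranges treated as internal (assumption); anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10")]

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    pids = {}
    for row in csv.reader(text.splitlines()):
        if len(row) >= 2 and row[1].isdigit():
            pids[int(row[1])] = row[0]
    return pids

def split_endpoint(addr):
    """'203.0.113.77:4444' -> ('203.0.113.77', '4444'); '[::1]:80' -> ('::1', '80')."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port

def parse_netstat(text):
    """Parse `netstat -ano` rows; UDP rows have no State column, so PID is last."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP"):
            state = parts[3] if parts[0] == "TCP" else ""
            rows.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                         "state": state, "pid": int(parts[-1])})
    return rows

def is_external(host):
    """True for addresses outside INTERNAL_NETS; False for '*', 0.0.0.0 or hostnames."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not ip.is_unspecified and not any(ip in net for net in INTERNAL_NETS)

def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name, known=SYSTEM_PROCESSES):
    """Return the system process `name` imitates (edit distance 1 or 2), else None."""
    name = name.lower()
    if name in known:
        return None
    dist, best = min((levenshtein(name, k), k) for k in known)
    return best if dist <= 2 else None

def find_suspicious(netstat_text, tasklist_text, allowlist=()):
    """ESTABLISHED connections to external hosts not in `allowlist`, joined to their process."""
    pids = parse_tasklist(tasklist_text)
    findings = []
    for row in parse_netstat(netstat_text):
        host, _ = split_endpoint(row["foreign"])
        if row["state"] == "ESTABLISHED" and is_external(host) and host not in allowlist:
            proc = pids.get(row["pid"], "<unknown pid>")
            findings.append({"pid": row["pid"], "process": proc,
                             "foreign": row["foreign"], "lookalike_of": lookalike(proc)})
    return findings
```

On a real case, call find_suspicious with the contents of the two saved files and pass the addresses your service is known to talk to as allowlist, so that only unexplained external connections remain. The sample data yields one finding: PID 2240, process vchost.exe, connected to 203.0.113.77:4444, with lookalike_of set to svchost.exe.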
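As a command-line counterpart to Step 5, the following Python script is an added example, not code from the original page. It reads the XML that wevtutil qe Security /q:"*[System[(EventID=4624)]]" /rd:true /c:200 /f:xml > logons.xml writes (a sequence of Event elements with no enclosing root, which the script wraps before parsing), lists remote logons (types 3 and 10) that did not come from an internal address, and counts logons per account, logon type and source. The events inside it are constructed with the same element names that real 4624 records use; the INTERNAL_NETS list and the known_sources argument are assumptions to adapt.

```python
"""Summarize Windows 4624 logon events exported with `wevtutil ... /f:xml`.

Added example, not code from the original page. The sample events are
constructed; 203.0.113.77 is a documentation address standing in for an
unknown external host.
"""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
REMOTE_TYPES = {3, 10}   # logons that arrive over the network

# Address ranges treated as internal (assumption); adapt to your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

def _event(time, user, logon_type, ip, auth="NTLM"):
    """Build one constructed 4624 record in the shape wevtutil /f:xml emits."""
    return f"""<Event xmlns="{NS['e']}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>
<EventID>4624</EventID><TimeCreated SystemTime="{time}"/><Computer>WEB01</Computer></System>
<EventData><Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName">WEB01</Data>
<Data Name="LogonType">{logon_type}</Data><Data Name="IpAddress">{ip}</Data>
<Data Name="AuthenticationPackageName">{auth}</Data></EventData></Event>
"""

# Constructed export: a service logon, an RDP logon from the office network, two
# logons from an unknown external host in the early morning, and a console logon.
SAMPLE_XML = (
    _event("2026-02-20T01:02:03.000Z", "SYSTEM", 5, "-", "Negotiate")
    + _event("2026-02-20T09:15:00.000Z", "webadmin", 10, "10.0.0.20")
    + _event("2026-02-20T03:41:10.000Z", "administrator", 10, "203.0.113.77")
    + _event("2026-02-20T03:42:55.000Z", "administrator", 3, "203.0.113.77")
    + _event("2026-02-20T10:00:00.000Z", "webadmin", 2, "127.0.0.1")
)

def parse_4624(xml_text):
    """Return one dict per 4624 event from concatenated <Event> XML (no root element)."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "user": data.get("TargetUserName", ""),
            "logon_type": int(data.get("LogonType", "0")),
            "ip": data.get("IpAddress", "-"),
            "auth": data.get("AuthenticationPackageName", ""),
        })
    return events

def is_internal(ip):
    """'-' means the logon carried no network address (local or service logon)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)

def suspicious_logons(events, known_sources=()):
    """Remote logons (type 3 or 10) from addresses that are neither internal nor known."""
    return [e for e in events
            if e["logon_type"] in REMOTE_TYPES
            and not is_internal(e["ip"]) and e["ip"] not in known_sources]

def summarize(events):
    """Count logons per (account, logon type name, source address) for a quick overview."""
    counts = {}
    for e in events:
        key = (e["user"], LOGON_TYPES.get(e["logon_type"], str(e["logon_type"])), e["ip"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Feed parse_4624 the text of logons.xml and pass the addresses that legitimately administer the server as known_sources; the two administrator logons from 203.0.113.77 in the sample are the only ones suspicious_logons returns. The same parser works for 4625 (failed logon) exports if the EventID comparison is changed, which lets you pair password-guessing bursts with the successful logon that followed them.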