Help Center/ Security Technologies and Applications/ Best Practices/ Host Security Checks/ Host Security Check (Windows)/ Troubleshooting Process/ Method 2: Using DOS System Commands to Check Processes
Updated on 2024-10-08 GMT+08:00
View PDF
Share

Method 2: Using DOS System Commands to Check Processes

This section describes how to use DOS commands to check processes.

Common Commands

Command

Description

cd

Switch to the following directory:

  • Current directory: [./] It can be omitted.
  • One level up: [../]
  • Two levels up: [../../]

dir /a: (disk)

Display all files (including system files and hidden files) by default.

more

Display file contents in the split-screen mode.

tasklist

Check process status.

netstat -ano

View links.

wmic startup list full

View automatic startup programs.

net user

View users.

Example commands are as follows:

  • Search for the files that contain DR under the D:\Apps\ directory: dir /a-d /s "D:\Apps\IDE" | findstr "DR"
  • Search for the files and directories that contain exe in drive C: dir /s C: | findstr "exe"

Procedure

  1. Check whether abnormal processes exist.

    Command: tasklist

    Based on the query result, locate abnormal processes that are neither system processes nor service application processes.

  2. View the network analysis result to check whether abnormal IP addresses are connected to the host.

    Query command: netstat –ano

    1. Based on the query result, locate the suspicious addresses that are neither service connection ports nor external addresses used for service connections.
    2. Check whether the suspicious address is an international address of malicious or abnormal services.
    3. Locate the target process (for example, vchost.exe) from the query result based on the PID value of the abnormal connection (for example, 2240).

  3. Check for abnormal users.

    1. Run the following command: net user

    2. Run the following command to query the time when the user changed the host password: net user username (for example, administrator)

    3. Run the following command to check whether the system has been restarted: systeminfo

      After a host is restarted, data is automatically deleted. To query file directories, perform Step 4.

  4. Check for abnormal files.

    Run the following command: dir /s file_directory (for example, C:) | findstr "exe"

    Query the .exe files and directories in a disk (for example, C:). Based on the query result, locate abnormal files that are not system files or application-created files. Lock abnormal files.

    You are advised to check the following directories: windows, windows\system32, windows/system32 \drivers, c:\program files\internet explorer/, c:\program files\internet explorer\plugin, and c:\program files\common files\microsoft shared.

  5. View the Windows host login log (login success event ID: 4624) to check for abnormal logins to the host.

    1. Open Control Panel, choose Administrative Tools > Computer Management > System Tools > Event Viewer > Windows Logs > Security, and click Filter Current Log on the right.
    2. Enter 4624 in the Includes/Excludes Event IDs box.
      Figure 1 Filtering current logs
    3. The query results are displayed. See Figure 2.
      Figure 2 Viewing results

  6. If the problem persists, you can submit a service ticket.
Parent topic: Troubleshooting Process