Microsoft Command Line Tools

This is a guide on Microsoft command line tools.


Navigating the File System

And I've launched File Explorer here, and over on the left navigation pane, if I open up This PC, I can see there's a C drive, a D drive, an E drive, and a G drive. It's easy to navigate when there's a GUI. But what happens if there's no GUI?

So here on the taskbar I've pinned the Command Prompt, cmd.exe.

And here in the command line we want to take a look at a couple of simple commands that let me move around. One thing to be aware of when I'm working in the command line is that the commands I've previously run are kept in memory for this session, and I can recall them. So rather than have me do a lot of typing here, right, I've already done this, and I can scroll through all the commands I've previously run in this session with the up and down arrow keys (F7 pops up the whole list, and doskey /history prints it). Let's start with the dir command, right, the directory command.

If I just ask for the directory, I get the contents of the current directory. And I know that I'm looking at the root of the C drive, because I see the prompt, C:\>. So these are the folders available at the top of the local drive. If I wanted to drill down in this list, for example, there's the Program Files folder. And if I wanted to change the directory to the Program Files folder, I could do cd, change directory. And because there's a space in the name, Program Files, I'm going to use quotes and enclose the entire path: cd "c:\program files".

And now I'm in the Program Files directory. If I wanted to go back to the root directory, I can cd \ to bring me straight back to the top of the C drive. (cd .. moves up one level at a time, which here comes to the same thing, since Program Files sits directly under the root.)

And it's worth knowing that I don't actually need those quotes. chdir is simply another name for cd, and in cmd.exe both take everything after the command as the path, so chdir c:\program files works even though there's a space in there. The quotes do matter when the path is an argument to another command, such as dir "c:\program files", where the space would otherwise split it into two arguments.

And I can see there I'm back in the Program Files directory. Now here, if I want to change to any of the root directories, right, any of the principal drives attached to this machine, I can just type the drive letter with a colon.

So if I want to switch from c:\Program Files to the D drive, I can jump right over to D, I can jump right over to E.

I can ask for the directory of E.

There's a directory of E. And this is the way that we can get around here. And of course, here I can come back to C.

And you'll note that that takes me back to the working directory I was in the last time I was at the C prompt: cmd.exe remembers a current directory for each drive separately, and typing a drive letter only switches drives. (If you want to change drive and directory in one step, cd /d d:\some\folder does both.) I can go back up to the root.

And then if I've got a full screen and I've got a lot of stuff on the screen, I can clear screen, cls, clear screen.

That'll clear the screen, but it remembers the commands that I've run, and I can still call those back here, just like this. And there you can see the whole list of commands we've just run. So this is the way that we can navigate when no GUI is available to us. This is a look at navigation in the command line using cd, change directory, and the dir command.


Networking Diagnostics

In this demonstration, we want to take a look at the command line tools that are commonly used for networking diagnostics. And one of the most common and useful tools that we have at our disposal is the ipconfig command.

And if I do an ipconfig, what I get, for every adapter, is the local IPv4 address, the subnet mask, and the default gateway if one is assigned.

I can see I get IPv6 addresses as well.

Connection-specific DNS suffixes. This is the name of my Internet service provider, I see that there.

And then whether or not the media is disconnected, right, and I can see that in these cases some of the software interfaces are in fact disconnected, because they're not in use. Now, this is the basic ipconfig command that gives me basic addressing information. And I can see my IPv4 local addressing scheme here.

As well as any link-local IPv6 addresses. And I know that's a self-assigned, link-local address because it starts with fe80.

In the same way that I know an IPv4 address is self-assigned if it's in the 169.254.0.0/16 range, right? Those are what we call the APIPA addresses, and seeing one on a client means the DHCP server never answered. Now, we can get a lot more information if we do an ipconfig /all.

And this really gives me all of the information. It shows me where my DNS servers are, what my DNS server addresses are.

Here I see the DNS server addresses for my domain. And if we look up here, again I see whether or not DHCP is enabled.

Is Autoconfiguration enabled? Yes, it is, right?

So this IP address comes from a DHCP server, and I can see that right there.

I see the machine name, I see the domain that it's in.

The NetBIOS node type is set to hybrid, which is less of a concern these days, we don't think about NetBIOS node types anymore the way that we used to.

And if I want to get the current IP address information, ipconfig is going to do it for me every time. Now, the ping command is used for testing connections. And I can do things with ping like 127.0.0.1, which is the loopback address, right? That's the address that all machines use to refer to themselves.

And by getting replies from that ping, I know that the IPv4 stack is installed and working on this machine. So if I were having communication difficulties with this machine, I could start by checking: is IPv4 there? This tells me that it is, okay? Now, I could ping the machine's actual IP address to determine: is that IP assigned and bound to the local NIC?

Can it talk to itself? Yep, it can. Now, I can ping the gateway to see if we can get off this machine. Can we get to the router? There we can get to the router.

And then, maybe I want to try something on the other side of the router. And just off the top of my head, I know that this address is for the Google DNS servers. And so, we could try to ping them out on the public Internet.

So I've got full communication with this machine, dig it? You can ping by name as well. And so, I could ping Google.com, for example.

And then I'll get back the IP addresses associated with that. Now, you can also trace the route. On Windows the command is tracert (traceroute is the Unix name), and it shows the path, hop by hop, to another machine. So for example, on my network here, I have a machine called k9dc. Yes, and one millisecond round trip.

There's the IP address for k9dc. I know it's up and running. You could do this out on the public Internet, but a lot of times those requests time out, because the routers between me and thee are configured not to respond to these requests, right? The folks that own those routers don't necessarily want this information shared with just anybody. netstat will tell me what open connections this machine has to other hosts (netstat -ano adds the listening ports and the owning process ID, which is what you want when you're chasing a connection you don't recognize).

So I can see that it's talking to k9dc, which is good, right? I want to know that my domain controllers are talking to each other. It's talking to a client machine. And then, we see that ::1. That's the IPv6 loopback, and so it's talking to itself as well.

Finally, for testing DNS, there's nslookup. And I can enter nslookup and I see that I'm using my local server as my DNS server.

I could look for particular types of records. For example, I could set type=soa, the start of authority record. Then specify the domain.

And then I get back the details on the start of authority record for that domain. And I can quit nslookup and return to the command prompt with the exit command.

This is a look at the command line tools used for networking.
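The ping ladder walked through above (loopback, own address, gateway, something past the router, then a name), scripted so the same triage runs the same way every time. This is an added example, not part of the course: ping and tracert are the classic tools from the demo, and Get-NetIPConfiguration is the PowerShell counterpart of ipconfig, used here to avoid parsing ipconfig's text. It assumes an English-language Windows (ping's "TTL=" text is matched), that outbound ICMP is allowed, and it uses 8.8.8.8 and google.com as placeholder targets, since the course never names the addresses it pinged.

```powershell
# Added example (not from the course): the ping ladder, one rung per layer.
# Assumptions: English Windows, outbound ICMP allowed, placeholder public targets.
param(
    [string]$PublicIp   = '8.8.8.8',     # placeholder: any address you are allowed to reach
    [string]$PublicName = 'google.com'   # placeholder: any name your DNS should resolve
)

# Prefer the adapter that has a default gateway; fall back to any adapter with an IPv4 address.
$nic = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
if (-not $nic) { $nic = Get-NetIPConfiguration | Where-Object { $_.IPv4Address } | Select-Object -First 1 }
if (-not $nic) { Write-Warning 'No adapter has an IPv4 address: disabled, or media disconnected.'; return }

$ipv4    = @($nic.IPv4Address.IPAddress)[0]
$gateway = $nic.IPv4DefaultGateway.NextHop      # $null when there is no gateway

Write-Host ("Adapter: {0}  IPv4: {1}  Gateway: {2}  DNS: {3}" -f $nic.InterfaceAlias, $ipv4, $gateway,
    ($nic.DNSServer.ServerAddresses -join ', '))
if ($ipv4 -like '169.254.*') {
    # APIPA: DHCP never answered. Nothing beyond the local link will work until that is fixed.
    Write-Warning "$ipv4 is an APIPA address. Run 'ipconfig /release' then 'ipconfig /renew' before going further."
}

function Test-Hop {
    param([string]$Label, [string]$Target)
    # -n 2: two echo requests; -w 1000: wait one second for each reply.
    # A real reply carries "TTL="; "Destination host unreachable" and "Request timed out" do not.
    $reply = (ping -n 2 -w 1000 $Target 2>&1) -join "`n"
    $ok    = $reply -match 'TTL='
    Write-Host ('{0,-28} {1,-20} {2}' -f $Label, $Target, $(if ($ok) { 'OK' } else { 'FAIL' }))
    return $ok
}

# Each rung tests one more layer than the rung before it; the Hint says what a failure there means.
$ladder = @(
    @{ Label = 'IPv4 stack (loopback)';    Target = '127.0.0.1'
       Hint  = 'TCP/IP is not working on this machine at all.' }
    @{ Label = 'Own address bound to NIC'; Target = $ipv4
       Hint  = 'The address is not bound to the adapter; check ipconfig /all.' }
    @{ Label = 'Default gateway';          Target = $gateway
       Hint  = 'Cannot reach the router: cable, switch port, VLAN, or a wrong gateway address.' }
    @{ Label = 'Beyond the router (IP)';   Target = $PublicIp
       Hint  = 'The LAN works but nothing routes out: gateway or upstream problem.' }
    @{ Label = 'Name resolution';          Target = $PublicName
       Hint  = "IP works but names do not: run 'nslookup $PublicName' and check the DNS servers above." }
)

foreach ($rung in $ladder) {
    if (-not $rung.Target) { continue }          # no gateway configured: skip that rung
    if (-not (Test-Hop -Label $rung.Label -Target $rung.Target)) {
        Write-Host "Stopped at '$($rung.Label)': $($rung.Hint)"
        # Show how far packets get towards the failing target; -d skips reverse lookups.
        tracert -d $rung.Target
        break
    }
}
```

Stopping at the first failed rung is the point of the ladder: every rung above it depends on the one below, so testing further only produces failures that say nothing new.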


System Maintenance

In this demonstration, we want to take a look at some of the command line tools that are available for managing the system processes and the disk. Now, the tricky bit with this demo, guys, is if I execute any of these commands the demo is going to be over. So let's take a look at a couple of things here.

The first thing is the diskpart utility.

Now, diskpart is the disk partition command line tool, and if I ask for some help on that, I see that there's really only one switch, and that's /s, the script switch. Interactively, diskpart takes its commands one at a time at its own prompt; with /s it reads them from a script file.

And here's an example of what a diskpart script might look like. This is a script that I use to create a Windows recovery environment partition, into which I load a custom set of tools used in the event that I have to do a system recovery or restore. The first line of the script specifies which disk. Now, physical disks are numbered from 0, so the first installed disk is always disk 0, while the partitions on a disk are numbered from 1: partition 1, then 2, 3, and so on. So I select disk 0, and I tell it to clean. Now, can you guess what clean means? Clean means wipe all data from the drive, with no confirmation and no undo, so be very sure of the disk number before you run it. Then convert it to a GUID partition table disk. Create a primary partition, and I specify the size at 800 megs, because that's how much room I need for my custom tool set. I do a quick format, the file system is NTFS.

I see that I call the format command, quick, file system NTFS, and I give it a label, Windows RE, and I assign a letter to it, the letter R for recovery, right?

So a simple script that I can use with the diskpart utility.

Now, The format command, which you saw included in the diskpart utility, will format the drive.

Now, I can format either the full physical drive or I can format a partition on that drive, a logical partition on that drive. And I can call things like the q switch for a quick format.

If I'm doing NTFS as the file system, I call /FS and then specify the file system type: FAT, FAT32, exFAT, NTFS, UDF, or ReFS, Microsoft's Resilient File System.

And I can assign a label to it, etc., etc., etc.

Again, I don't want to format this drive, or we're going to be in trouble. From format, there's the shutdown command.

And I can, from the command line, if I needed to shut down this machine, go ahead and shut it down. Again, that'll bring the demo to a halt, right? From shutdown, here's one: the System File Checker, sfc.

And sfc /scannow will scan the integrity of all protected system files and replace incorrect versions with the correct Microsoft versions, right? (sfc /verifyonly does the same scan without changing anything.)

TASKKILL. Now, commonly, if I want to kill a process, I would call taskkill /PID and give the process ID (or taskkill /IM with the image name, such as notepad.exe). Process IDs can be determined in a number of ways: tasklist prints them at the command line, and today Task Manager reports them as well.

And so if I can't kill a task in Task Manager, or if it's not responsive in Task Manager, I might come into a command prompt with administrative credentials and try to kill it here, adding /F to force it. chkdsk is the one that I can actually run here, and that's the last of the ones in this demo that I have to cover.

And so I'll go ahead and run chkdsk. chkdsk checks the file system: it verifies the file system's structures, checks file name linkage looking for broken files, and reports on bad sectors (a read-only run reports the sectors already marked bad; scanning the disk for new ones takes the /r switch, which implies /f). The first thing it tells us is the file system, NTFS. Then it works in stages. Stage one examines the basic file system structure. Stage two examines file name linkage, looking for broken links and for files that are missing some of the data associated with them, the sort of thing chkdsk may be able to repair. Stage three examines the security descriptors.

Now, in our example here, I did not call the /f parameter, so chkdsk is running in read-only mode. It won't make any changes; it's just going to take a look and report back what it finds. (On the system drive, chkdsk /f can't lock the volume while Windows is running, so it offers to schedule the check for the next restart instead.) Stage two completes, and we see 0 unindexed files, so everything has been indexed, and 0 unindexed files recovered to lost and found, so there were no files that needed to be recovered. Then stage three runs, examining the security descriptors and validating the integrity of the files on the disk, and we get the final report. This is the line I'm really interested in: 0 KB in bad sectors.

So the disk is in good shape, and this is a look at some of the command line utilities for disk management in Windows.
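The diskpart script described above written out in full, wrapped so that it runs only after an explicit confirmation, followed by the inspect-only checks (chkdsk without /f, sfc /verifyonly, tasklist) that are safe to run on a live machine without ending the session. This is an added example, not the course's own script. It assumes an elevated PowerShell prompt, that disk 0 really is the disk you intend to wipe (confirm with list disk inside diskpart first), and that R: is free; the 800 MB size and the "Windows RE" label are the course's values.

```powershell
# Added example (not from the course). Run from an elevated PowerShell prompt.

function New-RecoveryPartition {
    # SupportsShouldProcess gives -WhatIf and -Confirm for free; ConfirmImpact 'High'
    # means the prompt appears unless you pass -Confirm:$false explicitly.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([int]$DiskNumber = 0, [int]$SizeMB = 800, [char]$Letter = 'R')

    # One diskpart command per line, as in the course. 'clean' wipes the partition table: no undo.
    $script = @"
select disk $DiskNumber
clean
convert gpt
create partition primary size=$SizeMB
format fs=ntfs label="Windows RE" quick
assign letter=$Letter
"@
    $path = Join-Path $env:TEMP 'winre.dpt'
    Set-Content -Path $path -Value $script -Encoding ASCII
    Write-Host "diskpart script written to $path`n$script"

    if ($PSCmdlet.ShouldProcess("disk $DiskNumber", 'ERASE all data and create the recovery partition')) {
        diskpart /s $path                      # /s: the only switch diskpart has; run the script file
        if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
    }
}

function Test-SystemHealth {
    # Every command here runs in inspect-only mode, so nothing changes and the session survives.
    Write-Host '== chkdsk C: (no /f, so read-only) =='
    chkdsk C:                                  # /f repairs; /r also scans for new bad sectors (needs a reboot on C:)

    Write-Host '== sfc /verifyonly =='
    sfc /verifyonly                            # reports corrupted protected files; /scannow would repair them

    Write-Host '== five largest processes (PID is what taskkill /PID <n> /F wants) =='
    tasklist /FO CSV /NH | ConvertFrom-Csv -Header Image, PID, Session, SessionNum, Mem |
        Sort-Object { [int]($_.Mem -replace '[^\d]', '') } -Descending |
        Select-Object -First 5 Image, PID, Mem
}

# Usage:
#   Test-SystemHealth                       # safe at any time
#   New-RecoveryPartition -WhatIf           # shows the script, touches nothing
#   New-RecoveryPartition -DiskNumber 0     # prompts, then really erases disk 0
```

The ShouldProcess wrapper is the habit worth taking away: a diskpart script that starts with clean should never be one typo away from running.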


GPO Tools

In this demonstration, we want to take a look at using the command line tools for group policy management and application. Now, if you're not familiar with group policy, to put it in a nutshell, group policy is a collection of user settings and computer settings. So there's two pieces to this. The computer settings are applied when the machine starts up: it contacts a domain controller and processes its group policy. Then when you log in, your authentication triggers the application of the user settings. These are commonly set by the administrator, and then they're applied to everybody, right, or to a subset of users.

Now, I can do a gpresult with the question mark, right, to get some help on this.

And what I see is that I can do things like model this for a particular user with /user, so I see the policy that applies to someone else's account.

I can specify a remote system to connect to with /s, if there's a particular machine I need to look at.

And if I'm connecting to a remote system, /u and /p give the credentials to connect with (that's what the password switch is for: connecting to the remote system, not the target user's own password). I can limit the scope to the computer side or the user side with /scope. I can generate a file, either XML with /x or HTML with /h.

I can overwrite existing files if they exist with /f.

And I can display summary data with /r, which is what I'm going to do in just a second here.

And then there's verbose (/v) and super-verbose (/z) output, and we tend not to use these; they just generate so much information. If you were doing real deep troubleshooting for a policy application, you might use these.

But otherwise, I would avoid them, frankly. And so I'm going to go ahead and call gpresult with the /r switch, so that I get a nice little summary report that's easy to see and easy to understand.

And what I see here is the machine that I'm on, SRV01, its configuration, right, whether or not it's detected a slow link.

Which matters, because you can edit group policy so that it doesn't apply all of its settings if a slow link is detected. Right, it can be big, it can be a lot of data to come down. Now, under Applied Group Policy Objects there's only one, Test GPResults. I wanted this to be as simple and clear as we could get it.

The local group policy is not applied at all, because at the domain level I have enabled the setting that turns off Local Group Policy Objects processing.

I don't want that interfering with my domain based group policy objects. And then down here are all the groups that I'm a member of.

Now, this Test GPResults policy. It's only got one setting, and it's a very simple setting.

If I launch Internet Explorer, I will see, and I do that just by hitting the Internet Explorer icon down there on the taskbar. I will see that I come up on my homepage here on Bing.

Now, maybe I'd like to change that. Well, if I look in the Internet options from the Settings icon in the right hand bar there, I see Internet Options.

And I look and this option is grayed out, and it's grayed out because the administrator has said, you can't change that, we've agreed that this will be our homepage for all company machines, and that's what it's going to be.

Now, as you can imagine, you might get a lot of push back on that.

So what happens, if I've received push back on this, and I'm going to change the group policy setting. I'm switching consoles now to the domain controller.

And on the domain controller, I have opened the Group Policy Management Console.

And if I look, the Test GPResults group policy object is associated with the IT USERS OU, so the account, my account, is a member of IT USERS, that's where my account lives.

 So these settings should apply to me.

And I can see on the Settings tab of this group policy object, under User Configuration > Administrative Templates > Windows Components > Internet Explorer.

Disable changing home page settings. That setting is enabled. Well, I'm going to edit this policy.

And again, that's a user setting: User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer.

And I can easily sort these alphabetically by clicking the Setting column header at the top.

And there's a choice right here to disable changing home page settings.

I'm going to disable this policy setting, which should mean that the user can now change their homepage.

To test this, we'll return to the machine where I was logged in.

And I'm going to call gpupdate, and I'm going to call the /force switch. Now, I don't actually have to, but I need to introduce that to you. You gotta spell it right when you're in the command line; there really are points off for spelling. gpupdate. Now, without /force, gpupdate applies only the settings that have changed since the last refresh; the /force switch reprocesses all of group policy, changed or not. This is great to know if you deal with remote clients who sometimes don't connect regularly to the domain and have been running on stale policy. When you reconnect those clients to the domain, you want to force them to reprocess all of group policy. Now, you'll notice here I'm told that the computer policy update has completed successfully, and the user policy update has completed successfully.

That looks good to me. If we do that gpresult again, with the R switch, again, Test GPResults was applied.

I can see that here under Applied Group Policy Objects.

Now, let's go ahead and launch Internet Explorer and see if the change has taken effect.

And now, wait a minute, I didn't open Bing, I opened my old home page, Google. That's what I want to see, that's exactly what I want to see. So this is a look at GPResults and GPUpdate.
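Checking from the client side whether a GPO actually applied, using gpupdate and gpresult as in the demo but with gpresult's XML report, so the result can be tested in a script rather than eyeballed in a summary. This is an added example, not from the course. "Test GPResults" is the course's GPO name; the registry check at the end is the author's assumption about where the "Disable changing home page settings" policy lands (HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel, DWORD HomePage = 1) and should be verified against the ADMX in your environment before you rely on it.

```powershell
# Added example (not from the course): did a named GPO apply to the current user?

function Test-GpoApplied {
    param(
        [string]$GpoName = 'Test GPResults',   # the course's GPO name
        [switch]$Force                          # reapply every setting, not only changed ones
    )
    $gpArgs = @('/target:user')
    if ($Force) { $gpArgs += '/force' }
    gpupdate @gpArgs | Out-Null

    # /x writes the RSoP data as XML; /f overwrites the file if it already exists.
    $xmlPath = Join-Path $env:TEMP 'rsop.xml'
    gpresult /x $xmlPath /f | Out-Null
    [xml]$rsop = Get-Content -Path $xmlPath -Raw
    Remove-Item -Path $xmlPath

    # Applied GPOs sit under UserResults (and ComputerResults for the machine side).
    # PowerShell's dot navigation ignores the document's default XML namespace.
    $gpo = $rsop.Rsop.UserResults.GPO | Where-Object { $_.Name -eq $GpoName }
    if (-not $gpo) {
        Write-Warning "'$GpoName' was not applied to this user. Compare with: gpresult /r /scope:user"
        return $false
    }
    Write-Host ('{0}: enabled={1} valid={2} accessDenied={3} filterAllowed={4}' -f `
        $gpo.Name, $gpo.Enabled, $gpo.IsValid, $gpo.AccessDenied, $gpo.FilterAllowed)
    return $true
}

function Test-HomePageLocked {
    # Assumption (author's, not stated in the course): this is the value the
    # "Disable changing home page settings" policy writes when it is Enabled.
    $key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    $v = Get-ItemProperty -Path $key -Name HomePage -ErrorAction SilentlyContinue
    return [bool]($v -and $v.HomePage -eq 1)
}

# Usage: after flipping the policy on the DC, run this on the client.
if (Test-GpoApplied -Force) {
    "Home page locked by policy: $(Test-HomePageLocked)"
}
```

Seeing the GPO under Applied Group Policy Objects only proves the object was processed; the registry value is what Internet Explorer actually reads, which is why the second check exists.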


Imaging Tool

And in here I have some custom Windows image files that I've created for deploying Windows Server 2016, Windows 10, etc. And if I look, I can see that there's a boot.wim in here and an install.wim. These are the default Windows image files found in the sources directory of any Windows installation media since Windows Vista. Now, those .wim files are the way we deploy Windows today, right? We take a Windows image from the sources directory, load it onto a machine, customize it, and then capture that image for deployment, commonly. And the tool we can use to service these images while they're offline like this, say, to keep an image updated with the latest updates from Microsoft Update, is Deployment Image Servicing and Management, DISM.

So here in the command prompt (an elevated one, since DISM needs administrator rights), I've set the directory to where the .wim files are found, E:\wims. Now, if I run just the dism command, you can see what we get here.

We get all the switches that are available to me. And in the time that we have available for this demonstration, I want to take a look at mounting an image. And so that I can service that image, right? I can add files to it, remove files from it, etc. You can see there are lots of commands in here if I wanted to delete an existing image.

If I wanted to get a list of the files and folders in the specific image.

For our purposes, let's go ahead and start by mounting an image. And so I'll begin by getting image info. I'll run dism /Get-ImageInfo /ImageFile:install.wim. And I need only specify the file name, because I've set the working directory to the directory where the file is found.

And I get all this information about that. What I'm particularly interested in is the index number. I'm going to need the index number to call the specific installation image, because of course I can do a Server Core install from these image files, or a Server with a GUI install, which is index 2, etc. So I'm going to call dism /Mount-Wim, /WimFile: with the full path to the image, /Index: with the index number, and /MountDir: to specify a mount directory. If I use the /ReadOnly switch, that will prevent any changes being made to this image while it's mounted. And I'm doing that because for the purposes of this demonstration I just want to mount the image, show you what we get when it's mounted, and then unmount it, ensuring that no changes have been made to my image. The great thing about this tool and this very simple process of mounting these image files is that once the image is mounted, we can actually come out of the command line, go into File Explorer, and browse the file system as if this image were installed, right? We'll see all the directories in there: the Program Files directory, the Windows directory, the Users directory, everything that you would expect from an installed image. And that process goes pretty quickly.

Operation completed successfully. Now, let's take a look in File Explorer at what we get out of that.

And here, if I open the mount directory, there it all is, right. I can browse this tree.

I can add file, delete files. Not in this example, because I called the read-only switch. But if I hadn't, I'd be able to edit these and save those changes, so that my installation image is up to date.

For our purposes, I'm going to come back into the wims directory. Minimize that and jump back over to the command line.

And now what we'll do is unmount that image. There's two switches I want to be aware of, /Discard and /Commit. /Commit would commit any changes I had made. /Discard ensures that no changes are kept. And so I call dism /Unmount-Wim /MountDir: and then specify the path to that mount directory. That mount directory is just a folder called mount that I keep on the drive, so anytime I want to mount an image, I just call E:\mount. And then of course the /Discard switch, to ensure that any changes that were made are discarded. And we're closing that all down. And now that'll go very quickly to the end.

Bang, and if we return to File Explorer for just a moment and we were to open that mount directory, we can see that that directory is now empty.

This is an introduction to Deployment Image Servicing and Management, the DISM command line tool for working with Windows images.
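The mount, inspect, unmount round trip from the demo with the paths written out (E:\wims\install.wim, index 2, E:\mount), with two additions a practitioner would want: a try/finally so the image is unmounted even if the inspection fails, and a SHA-256 of the .wim taken before and after, so that "/Discard left the image untouched" is checked rather than assumed. This is an added example, not the course's own commands. It assumes an elevated prompt and an existing, empty E:\mount; the /Get-Packages step is the author's addition, showing how to read the update level of an offline image.

```powershell
# Added example (not from the course). Requires an elevated prompt.

function Mount-ImageReadOnly {
    param(
        [string]$WimFile  = 'E:\wims\install.wim',  # path from the course
        [int]   $Index    = 2,                       # 2 = "Server with a GUI" in the course's image
        [string]$MountDir = 'E:\mount'               # must exist and be empty
    )
    if (-not (Test-Path -Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
    if (Get-ChildItem -Path $MountDir -Force) {
        throw "$MountDir is not empty; if a previous mount was left behind, run 'dism /Cleanup-Wim'"
    }

    $before = (Get-FileHash -Algorithm SHA256 -Path $WimFile).Hash
    dism /Get-ImageInfo /ImageFile:$WimFile          # every index, with its name and description

    dism /Mount-Wim /WimFile:$WimFile /Index:$Index /MountDir:$MountDir /ReadOnly
    if ($LASTEXITCODE -ne 0) { throw "mount failed with exit code $LASTEXITCODE" }
    try {
        # Anything you would do to the offline image goes here. Two read-only examples:
        Get-ChildItem -Path $MountDir | Select-Object -ExpandProperty Name     # what File Explorer showed
        dism /Image:$MountDir /Get-Packages |                                   # updates already in the image
            Select-String -Pattern 'Package Identity' | Select-Object -First 10
    }
    finally {
        # finally runs even if the inspection throws, so the mount is never left dangling.
        dism /Unmount-Wim /MountDir:$MountDir /Discard   # /Commit writes changes back (not with /ReadOnly)
    }

    $after = (Get-FileHash -Algorithm SHA256 -Path $WimFile).Hash
    if ($before -ne $after) { throw "$WimFile changed during a read-only mount; investigate before deploying it" }
    "SHA256 of $WimFile unchanged: $after"
}

Mount-ImageReadOnly
```

Keeping that hash alongside the image is cheap provenance: an install.wim is exactly the kind of artifact an attacker with access to a deployment share would love to alter, and a recorded hash is the only way to notice.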


Copy, Xcopy, and Robocopy

You can copy files just fine in the graphical user interface, right, I have File Explorer open here. I can grab a bunch of files and copy them fine. The thing is, for repetitive tasks, if you have a bunch of, say, performance logs that you want to copy off this machine to a network location where they can be collated and that happens every week.

Well, you're going to want to script that solution, right? And when Windows first premiered, we used the copy command for that, but the copy command was very limited. xcopy was the first answer to that: it has shipped with MS-DOS since version 3.2 and with every version of Windows since, and it copies whole directory trees, hidden and system files included. But xcopy had its own limitations, and so Microsoft developed Robocopy. Robocopy first appeared in the Windows NT Resource Kit and has been built into Windows since Vista; it's not one of the Sysinternals tools.

And so for anybody that's actually working in the business today, Robocopy is where it's at, right? Either that or some of the options that are available to you in PowerShell for this sort of thing. Now, for those of us taking the A plus certification exam, my best advice to you guys is to actually go in and use the old copy command, get familiar with it. Use the old xcopy command, get familiar with it, enough at least to pass the test. Right, have some idea what the switches do, and how they work. But where you want to spend your time in real life, for all your real scripting needs today, is with Robocopy. So, real quick, let's start with the old copy command. And so down here on the taskbar, I'm going to go ahead and launch a command prompt.

And if I ask for help on the copy command, to give you some sense of how old this thing is, look at it: the help switch is a forward slash, not a dash. You've gotta do copy /? to get the help.

And I see that there's a couple basic switches there and a couple of parameters that I have to specify the source, the destination. And but this works best and easiest, I have found, if I do this. I'm going to change the directory to a folder that contains the files I want to copy. That's what you want to do. And so I'm going to change the directory to this folder that I've called to copy, right, and there's a bunch of files in there that I can, for example purposes.

Now, if I want to copy from this folder to a folder I called tocopy, or I'm sorry, that I called copied, right, I can call the copy command and then specify the destination. And let's say I want to copy all the text files that are in there. So I can use a wildcard, and wildcards work with all of these tools: copy *.txt copied, so copy all text files from the current directory to the folder called copied.

Now, there are existing files there, do I want to overwrite them all? Yes, I'll say this for all.

There's only one file, it was copied, it overwrote the old one. Now, if I didn't want it to overwrite it, I could say no and I could specify parameters to give it new names, etc. If I wanted to copy all of the files in there rather than specify the txt, I could again use a wild card here. Copy all, right?

Do I want to overwrite them all? A for all. Yes there all 14 files are copied over.

And that gives you a sense of the copy command. And really, everything else builds on that understanding. And so if we were to look at, let's say, xcopy, right, which, again, is not going to be preferred in daily use today. Instead, I'm going to prefer to go right to Robocopy, and the reason for that is because of the switches.

Now, you look here and you can see there's a wildly larger number of options than I had with copy, which is why we acquired the xcopy command in the first place, right? Prompts you before creating each destination file.

If the destination does not exist, then it assumes the destination must be a directory.

Do you want to create it? Do you want to overwrite read-only files?

/H copies hidden and system files, which the copy command could not do.

And so that gives you some idea of how xcopy was built on top of copy, and then Robocopy is just an extension of all that. And right, and look at how the help goes on and on and on.

And, I mean, not only does it go on and on and on, but it gives me examples, which I don't have with the others, right? Just take a look here. So all of these are intended to let you script repetitive file copying tasks. And today, the one you want to spend your time on is Robocopy. Now, if you're taking the A+ certification exam, one of the things they always hammered you on was the distinction between xcopy and copy.

That distinction is about capability, not installation: xcopy has been part of DOS and Windows all along. If you needed to copy hidden or system files, or whole folder trees, you would need xcopy, because copy did not do that. So those are some test suggestions and test nuggets for those of you getting ready for the A+ certification exam.
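The weekly "copy the performance logs to a network location" job from the start of this section, done three ways so the difference in capability is visible, and finished with Robocopy's exit-code handling, which is where scheduled copy scripts usually go wrong. This is an added example, not from the course; C:\PerfLogs, \\fileserver\PerfLogs and the *.blg filter are placeholders. Note that inside PowerShell, copy is an alias for Copy-Item, so the cmd.exe copy has to be invoked through cmd /c.

```powershell
# Added example (not from the course). Placeholders: source folder, share, file pattern.
$src  = 'C:\PerfLogs'
$dest = "\\fileserver\PerfLogs\$env:COMPUTERNAME"
$log  = 'C:\PerfLogs\robocopy.log'

# 1) copy: one directory, no subfolders, no hidden/system files; prompts on overwrite
#    unless /Y is given. Fine interactively, fragile in a scheduled task.
cmd /c copy /Y "$src\*.blg" "$dest"

# 2) xcopy: walks the tree (/S), includes hidden and system files (/H), keeps the
#    read-only attribute (/K), treats the destination as a directory (/I), never prompts (/Y).
xcopy "$src\*.blg" "$dest" /S /H /K /I /Y

# 3) robocopy: what you would actually schedule.
#    /E     copy subdirectories, including empty ones
#    /Z     restartable mode, so a dropped WAN link resumes instead of starting over
#    /R:3   three retries per file instead of the default one million
#    /W:10  ten seconds between retries instead of the default thirty
#    /XO    do not overwrite a destination file that is newer than the source
#    /NP    no per-file percentage noise in the log
#    /LOG+: append to a log file rather than overwrite it
robocopy $src $dest *.blg /E /Z /R:3 /W:10 /XO /NP /LOG+:$log

# Robocopy's exit code is a bitmask, not a pass/fail flag:
#   0 = nothing to do, 1 = files copied, 2 = extra files at the destination,
#   4 = mismatched files/dirs, 8 = some files could not be copied, 16 = fatal error.
# Anything 8 or above is a failure; 1, 2 and 4 are normal.
$rc = $LASTEXITCODE
if ($rc -ge 8) {
    Write-Error "robocopy failed (exit code $rc); see $log"
    exit $rc
}
if ($rc -band 1) { Write-Host 'new logs copied' }
if ($rc -band 2) { Write-Host 'destination holds files the source no longer has (left alone; /PURGE or /MIR would delete them)' }
exit 0
```

The exit-code block is the part people skip: a scheduler that treats any non-zero code as failure will page you every week for exit code 1, and one that ignores the code will never tell you about exit code 8.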


Net Use

And I can see that This PC has a C drive, that's the hard drive where the operating system is installed. And then there's a DVD drive, the D drive. Now, everybody knows the A drive was the floppy drive, right? Well, what about B? What was the B drive? Well, there was a time before we had hard drives that you'd load your operating system with a floppy disk in A. And then if you wanted to run Lotus 1-2-3 or WordStar, you'd put that disk in A, and you'd put a blank disk in B, and you'd save your work to B, right?

You'd run your applications from A, save your work to B. So A, B, and C are verboten for mapping network drives, we do not use those letters. So that leaves another 23 letters of the alphabet to use, and then mount points if you run out of letters. And probably most of the folks listening to this demonstration know that you can right-click on the PC, and there's a choice to map a network drive.

I want to point to some share out on the network and make that data repository available on this machine. And in the GUI, we're prompted for the drive letter that we want to assign to this mapped drive, and the UNC path, which always looks like this, right: \\computername\sharename, which in our example is Share.

Do I reconnect at login? Well, that's what we call a persistent connection. And do I connect using the current credentials, or do I connect using different credentials? And I could specify those credentials here. If I choose to connect using different connection credentials, when I finish, it will prompt me for that credential set.

Now, in our example here, we don't actually want to create the mapped drive using the GUI. Although I think looking at it here is valuable because we see all the options that we're going to call from the command line.

So I'm going to minimize the File Explorer window and come into the command prompt.

And in the command prompt, I'll go ahead and call the command. This is just like right-clicking on the PC and saying, map a network drive. I'm going to say net use. Now, the GUI suggested that we use Z, and that's a good practice, to start at the far end of the alphabet so you don't run into conflicts with the letters Windows hands out to local and removable drives. And again, the path, the UNC name, the Universal Naming Convention name, is the computer name with the share name, which in our example is simply Share. Now, if I want to reconnect at login, then what I want is a persistent connection. And that's got a binary value, either yes or no.

And so I do a /persistent:yes for that. And then, if I'm going to reconnect every time, am I using the current credentials, or am I using another set of credentials? If I were using another set of credentials, I would specify /user: with the account name (and let it prompt me for the password, rather than typing the password on the command line where it lands in the session history), and I could add /savecred to store that credential in Windows Credential Manager so the reconnect at logon doesn't prompt. With my own logged-on credentials, as we have here, there's nothing to save; the persistent mapping simply reconnects with the token I log on with. And so what we have here, then, is net use, the drive letter specification, the path to the share, and /persistent:yes, so the connection reconnects at login. And if I go ahead and hit Enter, it tells me the command completed successfully.

And so down here on the taskbar, we can validate that if we jump back to File Explorer, and we refresh this view.

There is the Share, and I see that I have access to everything that's in there. Now, it's worth pointing out that in addition to using net use to create a mapped network drive, you can use it to delete a mapped network drive, just so: net use z: /delete. Deleted successfully. If we jump back over to the File Explorer window and take a look at This PC, we can see that that drive mapping has been removed. This is a look at net use for mapping network drives from the command line.
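The same mapping as the demo, done with the current logon and again with a different account, followed by the verification and the cleanup that /savecred makes necessary. This is an added example, not the course's own commands; \\fileserver\Share and CORP\svc_logs are placeholders (the course only says \\computername\Share), and it assumes the stored credential appears in cmdkey /list under the server name, which is what to check before deleting it.

```powershell
# Added example (not from the course). Placeholders: share path and account.
$share = '\\fileserver\Share'
$user  = 'CORP\svc_logs'

# Map with the current logon. Nothing to save: the persistent mapping reconnects with
# whatever token you log on with next time.
net use Z: $share /persistent:yes

# Map with a different account. /user: makes net use prompt for the password (keeping it
# off the command line); /savecred stores that credential in Credential Manager so the
# reconnect at logon does not prompt again.
net use Y: $share /user:$user /persistent:yes /savecred

# Verify: net use with no arguments lists every mapping and its status
# (OK / Disconnected / Unavailable).
net use

# What /savecred left behind. Anything running in this user's session can reuse it,
# so know that it is there and where it lives.
cmdkey /list | Select-String -Pattern 'fileserver' -Context 0, 2

# Cleanup: drop both mappings and the stored credential (target name as shown by cmdkey /list).
net use Y: /delete
net use Z: /delete
cmdkey /delete:fileserver
```

If you find yourself needing /savecred for a mapping that a service or scheduled task uses, that is usually a sign the task should run under its own account with its own access to the share instead.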


Net User

And I want to preface this with a couple of comments. First of all, most of the net commands have been overtaken by newer tools. Net use and net user are two of the few still in everyday use out of a slew. I mean, I can't tell you how many times in my career the net time command came in handy, and today that job belongs to w32tm.

Anyway, there's a slew of these net commands that have been superseded, and this one is on its way out too. If it weren't for the fact that they still test on it on the A+ certification exam, I would tell you not to waste any time on it at all, and instead learn some PowerShell with the New-ADUser cmdlet. That's where you ought to be spending your time, in my opinion. But this is on the A+ test, so we're looking at it here as part of the A+ certification prep.

Now, if I just do a net user /?, I get the syntax of the command, the basic switches that are available with it. And I can see right away that its function is to create and delete user accounts, right? That's what it's for. It's the command line interface for managing, defining, creating, and deleting local user accounts, primarily local user accounts. Now, I say that because you'll note that there is a /domain switch. And so if I specify the /domain switch, I'm saying, no, no, no, don't create it in the local SAM database. Create it out on the network, at a domain controller, in the Active Directory database, dig it?

And so there's always this, whenever we're talking about user accounts, we want to make sure that we understand, are we talking about a user account that is restricted to the local machine? Or does it live in a central repository like an Active Directory database? And I can use that account anywhere on the network. And this command line can be used for either of those, but again, not where you want to spend your energy. It's really not, guys, you want to be learning PowerShell today. PowerShell will keep you employed in the 21st century. The net use and net user commands are likely to be gone in the near term.

Now right off the bat, when I say I can use this to create a domain account, well, I've got to have administrative rights in the domain to do that, right? I might be an administrator on the local machine, but if I'm not an Active Directory administrator with a user account management right, then that's going to fail for me. And so who can use this command and whether or not the switches that you invoke will work for you is absolutely a function of who you are. Now if I look up here, I can see that it says username and password. Okay, well, that absolutely makes sense. I'm creating a new user, the user's going to have to have a password, and so I'm going to have to input a username and a password for that user object. But then there's this option, and this is all that there is of help.

So how do I get some more help to tell me what those options are?

Well, if we do a net help user, and this works with the other net commands too.

Now, look at all the action here, right? Now, I've got all of the kinds of object properties that I would expect I'd be able to specify in a command line creation of the user object. Is the account, here they use the old language, is it active? Today, we would say, enabled, disabled.

Today, we will say description.

They used to call it a comment on the account.

Country code. Does the account expire?

A great setting when you're hiring temp employees, you're hiring contractors. They might have administrative rights on your network. I can't tell you how many places I've done consulting in, and I go back 6 months, a year, in one case, 12 years later. I walk back in the place, my account is still on the network, still active, and in point of fact was still using the same password. And I could have logged onto that thing anytime I wanted and been a full admin on that network over 12 years. Or the account could have been exploited against them by somebody else. So for those accounts, you want to set an expiration date, make sure they get disabled.

Right, then you've got the full name, and the home directory, which matters particularly if you've got roaming user profiles, right, the path to the user's home directory.

Can the user change their password?

Specifies whether a user account must have a password, what?

You've got to be kidding me, how long has, okay, so that gives you an idea of just how out of date this thing is, right? And if you didn't have to understand this for the A+ test, you would never waste a second of your life looking at it. But they're still testing on it. So you want to know what it is, you want to know what it does.

And more importantly, you want to know that you're not ever going to count on this in your job, not unless you're working for somebody that's still running XP. And if you're working for somebody that's still running XP, you ought to get your resume ready, in my opinion. This is a look at the net user command.
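The contractor-account lifecycle the narrator describes, as an added PowerShell example that is not part of the original transcript: it creates a local account with net user using the expiry, comment and full-name options listed by net help user, then audits the local SAM with Get-LocalUser for enabled accounts that never expire. The account name contractor01, the 90-day window and the US short-date format are assumptions; the asterisk makes net user prompt for the password so it never sits in the script or the command history.

```powershell
# Added example (not from the transcript). Run from an elevated PowerShell
# prompt on the machine whose local SAM you are managing.

# --- Create a time-limited contractor account with net user -----------------
$Name    = 'contractor01'                                   # assumed account name
$Expires = (Get-Date).AddDays(90).ToString('MM/dd/yyyy')    # assumed 90-day engagement, US date format

# '*' makes net user prompt for the password interactively; the remaining
# switches are the ones "net help user" documents.
net user $Name * /add `
    /fullname:"Contractor (temp)" `
    /comment:"Temp account, expires $Expires" `
    /expires:$Expires `
    /passwordreq:yes `
    /passwordchg:yes
if ($LASTEXITCODE -ne 0) { throw "net user /add failed with exit code $LASTEXITCODE" }

# Confirm the expiry the way the narrator would, from the account detail output
net user $Name | Select-String 'Account expires'

# --- Audit: enabled local accounts that never expire -------------------------
# The narrator's 12-year-old consulting account is exactly what this catches.
function Get-NeverExpiringLocalUser {
    Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.AccountExpires } |   # AccountExpires is $null for "never"
        Select-Object Name, Enabled, PasswordLastSet, LastLogon,
            @{ n = 'PasswordAgeDays'; e = {
                if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } else { $null } } }
}
Get-NeverExpiringLocalUser | Format-Table -AutoSize

# When the engagement ends, disable first so the SID and its audit trail remain:
#   net user $Name /active:no
# and delete only once nothing references the account any more:
#   net user $Name /delete
```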


Services.msc

And this is a simple interface. When I look over at the left-hand navigation pane, there's just services there.

There's nowhere else to go. And then over here on the right are all the services running on this machine.

And when I look at these services, I can see that at the very top here there's the service name. There's a description of that service, why I'm interested in that service, and its current status. And then the startup type, whether that startup type is manual, automatic, if the service is disabled, etc. And then finally here, the last column is the Log On As.

And now here's the gig with this. All of these services, when they launch and they interact with the operating system, have to run under some set of credentials, right? Those credentials give them access to the restricted, the privileged, the protected, the kernel mode components of the operating system, so that they can interact with that operating system. And each of these accounts, the local system, the local service account, the network service account, they have sets of rights that let them perform the job, right?

And there's an important distinction to make there. Rights define the way that a user or a service interacts with the operating system. As opposed to a permission set, which gives me a subset of permissions over objects in the directory. And the two words are commonly interchanged, right, people say rights when they mean permissions, they say permissions when they mean rights. And I don't want to make this a discussion of the semantics of that, but it's worth pointing out that there is a distinction. Rights define the ways in which I can interact with the operating system. Right. Can I shut the operating system down?

That's a right, as opposed to can I read this file or execute this application, which is a permission, right, the read and execute permissions, to be precise. And so, I do think that it's important to make that distinction. Now, one of the things that this machine does for me here on the network is it acts as a DNS server.

And if I launch the DNS service properties just by finding it in the list and double-clicking it, I can see in here what the official service name is, right? Because there's a distinction between the display name and the service name. And if I were calling this service in a script, I would want to refer to the service name, commonly. Then there's the description of the service, where the executable that's associated with this service lives.

So if I'm having trouble with the service, maybe I take a look, are the files in that folder corrupt? Has some invasive application corrupted the files in that folder? What is its startup type, and do I want to change that startup type? And I can set it to automatic, delayed start. Automatic, it automatically starts. Manual, I have to go in here and turn it on. Or disabled, it should not start under normal circumstances. Delayed start is handy if this service depends on another service to start first.

And we can see that on the Dependencies tab. If I go over here and I look at dependencies, I can see that this service depends on the following system components.

Now, right off the bat, if I'm experiencing trouble with the DNS service, well, one of the questions that I want to ask is am I really having a problem with this service? Or is one of the services that it depends on not starting? If I first notice the problem is with DNS, but then I look at dependencies and I see, okay, well this is dependent on this and this and this, and then I go and I see that Active Directory Domain Services have not started.

Maybe the problem is not with DNS. Maybe the problem is with an underlying service. And so I can get the dependencies list there.

On the Recovery tab, we can specify what do we do in the event that this service fails? And I can restart it there, or tell it how to restart, or where to restart, or run another program.

And on the Log On tab, I see the service that this, or the local account, rather, that this service uses as its credentials. And it gets the associated rights with the local system account, so it can do all the things that it needs to do. In the Windows world today, it's worth mentioning, I think, that a lot of the times what we do is we create a service account.

And a service account is a particular type of Active Directory object that's designed just for services.

And then finally, returning to the General tab here, you can see, I could stop the service, pause the service. If you've stopped it, you need to restart it. If you pause it, you need to resume it, right?

These two go together, and these two go together.

And that's a quick look at the services.msc and how I can use it to start, stop, restart, and pause services, as well as determine service file locations and service dependencies.
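The troubleshooting reasoning above (service name versus display name, executable path, startup type, Log On As, and checking whether an underlying dependency is the real problem), as an added PowerShell example that is not part of the original transcript. It assumes the DNS Server service name DNS, as on the narrator's machine; any other service name works.

```powershell
# Added example (not from the transcript). Reports what the services.msc
# property sheet shows for one service and walks its Dependencies tab,
# listing every underlying service that is not running.

function Get-ServiceReport {
    param([Parameter(Mandatory)][string]$Name)

    # Get-Service takes the short service name from the General tab, which is
    # why scripts refer to that rather than the display name.
    $svc = Get-Service -Name $Name -ErrorAction Stop
    # Win32_Service carries what Get-Service does not: binary path, start mode, log-on account
    $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name = '$Name'"

    [pscustomobject]@{
        ServiceName  = $svc.Name
        DisplayName  = $svc.DisplayName
        Status       = $svc.Status
        StartupType  = $wmi.StartMode          # Auto / Manual / Disabled
        DelayedStart = $wmi.DelayedAutoStart
        LogOnAs      = $wmi.StartName          # e.g. LocalSystem, NT AUTHORITY\NetworkService
        Executable   = $wmi.PathName
    }
}

function Get-StoppedDependency {
    # Recursively walk ServicesDependedOn (the Dependencies tab). $Visited
    # keeps a shared dependency from being reported more than once.
    param(
        [Parameter(Mandatory)][string]$Name,
        [System.Collections.Generic.HashSet[string]]$Visited =
            [System.Collections.Generic.HashSet[string]]::new()
    )

    foreach ($dep in (Get-Service -Name $Name).ServicesDependedOn) {
        if (-not $Visited.Add($dep.Name)) { continue }
        if ($dep.Status -ne 'Running') {
            [pscustomobject]@{ DependencyOf = $Name; Service = $dep.Name; Status = $dep.Status }
        }
        Get-StoppedDependency -Name $dep.Name -Visited $Visited
    }
}

$target = 'DNS'    # assumed: the DNS Server service, as on the narrator's machine
Get-ServiceReport -Name $target | Format-List

$stopped = @(Get-StoppedDependency -Name $target)
if ($stopped.Count) {
    "Check these first; the problem may not be with $target itself:"
    $stopped | Format-Table -AutoSize
} else {
    "Every service that $target depends on is running."
}
```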


GUI Tools

In this demonstration, we want to take a look at some of the graphical tools for systems management that you might not think of, necessarily, as tools for systems management. And I'll start with Notepad. And this is so important to me. Notepad is such a part of my daily existence that I have it pinned to the Start, or to the task bar here. I have it pinned to the Start menu, too, but it's right here on the task bar, it's always available to me, and you may ask yourself, well, why?

And the reason for that is because this is a simple text editor that supports no formatting options, really. And you know the kind of thing I'm talking about. If you've ever copied a webpage, or data off a webpage, and you try to paste it into Word. And you get funny symbols, and you get @ signs, and you get other garbage in there that you don't want. Well, that's because something happened in the formatting translation. So I can take anything from anywhere pretty much. Drop it in here, text, that is, right, text. Drop it in here, and all the formatting is stripped away. Further, if I'm in PowerShell, let's say, and I'm doing something new in PowerShell. I haven't done this before. And let's say I'm, no, let's say I'm going to create a New-ADUser object.

And I think to myself, I work through the command line switches for this thing. I write the whole thing out. I don't want to just hit Enter and get it done. I want to grab it and save it. So the next time that I have to call this cmdlet, it's a simple matter of editing the text file, and there you go. I'm good to go, right? I just copy and paste, run it again, or I can even save this Notepad document as a PowerShell script. Edit the script anytime I want and run the script. Notepad is your best friend. It's my best friend, and I literally use it every day. It comes in so handy.

Down here on the task bar, I also have a File Explorer.

And File Explorer, everybody knows it, I would assume, right. We know that it's how we get around here in the GUI, right. There are my disks, I can move from disk to disk and see what's on each disk, and access the files that are on there. And I can see, actually, if I select the C disk, I can see that this machine is a SQL Server, it's an Exchange server, right, it does a lot of things for me.

And when I think about this from the perspective of systems management, well, here's my log files.

What's happened on this machine that I need to know about? Well, it's probably right there in the log files. The Windows installation directory is here.

I use this as a distribution point for software installations.

Right, all the setup files that are required for the software that I'm going to push out are in the distribution point. It's a DFS root, for distributed file system, right, for file replication services.

And so, I can replicate data from here.

And then the last thing that we want to touch on is Windows Updates, which I've opened Windows Update Settings already.

But you could get to this from the start menu, type Windows Update, you'll get Windows Update Settings. Now, this should be on for everybody, you want automated updates all the time.

And there's better ways to do it than in here, but this is local on the machine, and it'll be local on every Windows machine everywhere. And the beauty of this tool now, if I choose update history, there's a choice right there to uninstall the update. So at the time of this recording, it just so happens this week was a Super Patch Tuesday.

And so right, the second Tuesday of every month, Microsoft releases its updates. And some geeks call that Super Patch Tuesday. And these updates were just installed for me.

And it happened all quite automatically, well, why? Well, because updates are on, and if I look here, here's active hours.

Active hours tells the machine that I'm working here from 8 to 5. If my schedule were to change, I can change those hours in here. And then it won't forcibly restart to finish updates during that time.

Here's restart options, well restart options to finish installing updates when you tell us to. Okay, that's a good idea. And in this example, I don't have the option to do that, because there's a group policy setting that comes down from the domain level that impacts this here.

But on a standalone machine, you'd certainly be able to make that choice.

And then in Advanced Options, because this machine is also an Exchange server, and a SQL server, and other things, I can choose to give me updates for other Microsoft products when I update Windows.

So I get those critical security updates for Exchange and SQL, as well as for the Windows interface here. This is a look at some of the GUI tools for systems management, and why I'm interested in them.


Systems Management

Now, I've accessed regedit just by launching the Start menu, typing regedit, and there it is, and I can go ahead and launch it. And it opens up to the last place I was, where I had drilled down in there.

And so, if I collapse that from the navigation bar on the left, you can see what's here. We start at the top with HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, and HKEY_CURRENT_CONFIG.

Now, these HKEYs are what we call hives, registry hives. And where you spend most of your time in here, is in HKEY_LOCAL_MACHINE. It's machine registry settings that we tend to have go in and tweak. Tend to, right? Now, it's true there are other keys in here that you might have to go in and edit, you might have to go in and change. But not commonly, and there's a good reason for that, right, things like the current config.

Well, the current config is exactly that, the current config. And that registry hive is rebuilt dynamically, as is HKEY_LOCAL_MACHINE. Every time I reboot this machine, because I could shut the machine down, I could add a piece of hardware, I could install new memory. I could install new hard disks, whatever it happens to be, and when the machine reboots, it's going to detect those and it's going to build its current config. And so, that's a volatile hive. That is to say, it changes regularly and in a quite automated fashion. I don't know in 30 years in this business if I ever changed the CURRENT_CONFIG, honestly, or the HKEY_CLASSES_ROOT for that matter.

Now, HKEY_USERS, if we open this up, I see these in here and they don't tell me very much, they don't give me very much information. Because this is where hidden, you can't even see it here, is the SAM file database. That's the Security Accounts Manager database, the database of local users and groups on this machine, and I don't even have access to that.

Then, you've got HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, and this, my friends, is where all the action is at.

For anybody that's spent any time with group policy, HKEY_CURRENT_USER maps to the user portion of group policy. While HKEY_LOCAL_MACHINE maps to the machine portion of group policy. So when I change a group policy setting that affects the local machine, well, this is where it's going to make its change.

Now I come in here and I see a couple things, right? Now, you might be saying to yourself, well Murph, wait a minute, there's the Sam folder, right? You just told me this thing was hidden and it's not even in this hive, well, it is and it isn't.

Now, first of all, you'll notice there's nothing I can do here,

but in point of fact, these are pointers to what's actually stored securely, safely, in a hashed fashion over here in HKEY_USERS.

Now, coming back in here, we see that there are some other registry keys in the tree, SECURITY, SOFTWARE, SYSTEM.

And under SYSTEM there is a CurrentControlSet, and the CurrentControlSet is exactly that.

Right, these are the current settings configurations for things like services running on this machine.

And if you scroll down through the list, look at all the services on this one single machine, and this is very common, right.

We don't tend to come in here unless we've got a good reason.

And so for example, if I come down here to DNS parameters, here's a look at particular settings for the DNS service, this machine happens to be a DNS server. And there are keys in here that control certain settings. Now some of these keys, if you're following along on your own DNS server, you don't see. And you don't see them because you've added these keys, or you have not yet added these keys.

So for example, I can right-click anywhere in here, say New > Key, and then I can specify the data type. Is it a string, just a text string, is it a binary value, yes, no? Is it a DWORD, right, 32-bit or 64-bit, a multi-string value, etc.

Now, if you take a look with me, there's something called the SocketPoolSize.

And I can display that value as either hexadecimal or decimal value, and I have the SocketPoolSize set to 2,500, and that's a setting that I enforced for my own reasons.

It makes my machine more secure, I followed the Microsoft best practice guidance for this, and I configured this in this way following that guidance.

The SocketPoolExcludedPortRange, what ports do I not use for DNS?

Right, I can specify that there again, added the key following the Microsoft best practice recommendations. Now, ladies and gentlemen, with all due respect, it is not advisable to come in here and muck around too much. What you want to do is when there's guidance, good guidance, particularly security guidance like to enable cache locking, and set a percentage for it, for your DNS server.

You follow the tree, you follow the guidance, you add the key, you give it the value they tell you, and you save your changes and you walk away. And for most of us, that's what we want to understand about this. I don't go in here writing my own registry keys commonly, like some folks do. The folks that know what they are doing are few and far between, in my experience, because you do this wrong and you are going to have problems. You follow the guidance, you'll be more secure, things will work. This is a look at regedit.
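The "follow the guidance, add the key, give it the value, walk away" approach above, as an added PowerShell example that is not part of the original transcript: it audits the DNS service parameters the narrator set by hand in regedit and only changes them when -Apply is given. The key path is the one shown in regedit, SocketPoolSize = 2500 is the narrator's value, CacheLockingPercent is the DWORD behind the cache-locking guidance he mentions, and 100 for it is an assumed target.

```powershell
# Added example (not from the transcript). Run elevated on the DNS server;
# the DNS service must be restarted before it reads changed values.

function Test-DnsHardeningValues {
    param([switch]$Apply)

    $keyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $expected = @{
        SocketPoolSize      = 2500   # narrator's value; 0x9C4 in regedit's hexadecimal view
        CacheLockingPercent = 100    # assumed target for the cache-locking guidance
    }
    if (-not (Test-Path $keyPath)) {
        throw "$keyPath not found; is the DNS Server role installed on this machine?"
    }
    $current = Get-ItemProperty -Path $keyPath

    foreach ($name in $expected.Keys) {
        $want  = $expected[$name]
        $have  = $current.$name            # $null when the value has not been added yet
        $state = if ($null -eq $have)   { 'missing' }
                 elseif ($have -ne $want) { 'drift' }
                 else                     { 'ok' }

        # One report row per value, in both the decimal and hex forms regedit can display
        [pscustomobject]@{
            Value    = $name
            Current  = $have
            Expected = $want
            Hex      = ('0x{0:X}' -f $want)
            State    = $state
        }

        if ($Apply -and $state -ne 'ok') {
            if ($state -eq 'missing') {
                # Equivalent of right-click > New > DWORD (32-bit) Value in regedit
                New-ItemProperty -Path $keyPath -Name $name -Value $want -PropertyType DWord | Out-Null
            } else {
                Set-ItemProperty -Path $keyPath -Name $name -Value $want
            }
        }
    }
}

# Report only; nothing is written:
Test-DnsHardeningValues | Format-Table -AutoSize

# Apply the values, then bounce the service so it picks them up:
#   Test-DnsHardeningValues -Apply | Format-Table -AutoSize
#   Restart-Service -Name DNS
```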