Windows Auditing


This post is a comprehensive list of the things you would want to check while conducting a Windows audit.

Step 1:

Explanation: List all installed programs (after you cd to C:\Program Files)
  1. Command: dir /p /n > Path\<output-file>
  2. Command: tree /A /F > Path\<output-file>
Step 2:

Explanation: List security policies
  1. Command: auditpol /get /category:*  (as Administrator)
  2. Command: auditpol /backup /file:c:\<output>.csv (as Administrator)
Step 3a:

Explanation: List Windows running/stopped services
  1. Command: sc query type= service > Path\<output-file>
  2. Command: sc query type= service state= inactive > Path\<output-file>
  3. Command: sc query type= service state= all > Path\<output-file> (running and not running)
  4. Command: net start > Path\<output-file>
Step 3b:

Explanation: List the privileges a Windows service runs with
  1. Command: sc qprivs <service name> > Path\<output-file>
Step 4:

Explanation: Identify the installed Windows security patches using WMIC
  1. Command: wmic qfe get description,installedOn > Path\<output-file>
Step 5:

Explanation: List Windows processes with relevant information
  1. Command: wmic process > Path\<output-file>
  2. Command: wmic process list brief > Path\<output-file>
  3. Command: wmic process list full > Path\<output-file>
  4. Command: wmic process list system > Path\<output-file>
Step 6:

Explanation: List Windows startup programs
  1. Command: wmic startup > Path\<output-file>
  2. Command: wmic startup list full > Path\<output-file>
  3. Command: wmic startup list brief > Path\<output-file>
  4. Command: wmic startup list system > Path\<output-file>
Step 7:

Explanation: List Windows current connections with ownership
  1. Command: netstat -nab > Path\<output-file>
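The seven steps above collected in one pass, as an added PowerShell example that is not part of the original post. It assumes an elevated prompt and a hypothetical output root of C:\Audit; it omits dir's /p paging switch and, for Step 3b, enumerates every service because sc qprivs takes one service name at a time.

```powershell
# Added example (not from the original post): run the checks from Steps 1-7
# in one pass, writing each result into a timestamped evidence folder and
# recording a SHA-256 manifest so the collected files can be verified later.
# Assumptions: elevated PowerShell prompt (auditpol needs it); $OutRoot is a
# hypothetical location, change it to suit. The dir /p paging switch is omitted.
param([string]$OutRoot = "C:\Audit")

$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$outDir = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Output file -> command. Each line is run through cmd.exe so the post's
# syntax (e.g. "type= service") and wmic's own file redirection are kept.
# wmic is deprecated on current Windows builds; Get-CimInstance replaces it.
$cmds = [ordered]@{
    "01-programs-dir.txt"  = 'dir /n "C:\Program Files"'
    "01-programs-tree.txt" = 'tree /A /F "C:\Program Files"'
    "02-auditpol.txt"      = 'auditpol /get /category:*'
    "03a-services-all.txt" = 'sc query type= service state= all'
    "03a-net-start.txt"    = 'net start'
    "04-patches.txt"       = 'wmic qfe get description,installedOn'
    "05-processes.txt"     = 'wmic process list full'
    "06-startup.txt"       = 'wmic startup list full'
    "07-netstat.txt"       = 'netstat -nab'
}
foreach ($name in $cmds.Keys) {
    $target = Join-Path $outDir $name
    cmd.exe /c "$($cmds[$name]) > `"$target`" 2>&1"
}

# Step 2, second command: auditpol writes this CSV itself.
auditpol /backup "/file:$(Join-Path $outDir '02-auditpol-backup.csv')"

# Step 3b: sc qprivs takes a single service name, so enumerate every service.
# sc.exe is spelled out because "sc" is a PowerShell alias for Set-Content.
Get-Service | ForEach-Object {
    "=== $($_.Name) ==="
    sc.exe qprivs $_.Name
} | Out-File -FilePath (Join-Path $outDir "03b-service-privileges.txt") -Encoding utf8

# Integrity manifest: hash every collected file so later review can detect
# tampering or accidental edits of the evidence set.
$hashes = Get-ChildItem -Path $outDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash
$hashes | Export-Csv -Path (Join-Path $outDir "manifest.csv") -NoTypeInformation
Write-Host "Collected $($hashes.Count) files into $outDir"
```

Keep manifest.csv with the evidence folder; re-running Get-FileHash over the folder later and comparing against it shows whether any collected output was altered.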