Abstract: WMIC has completed more than a decade of existence without having the limelight in terms of its features, though windows command line geeks have always had a soft spot for this embedded interface to WMI or Windows Management Instrumentation exposed in cmd.exe. Here we plan to take a look at the various commands provided and their switches. In normal cmd.exe commands we use find or findstr as a counterpart to grep to find the relevant string item often using wildcards as well. WMIC uses a SQL like language forming WQL – WMIC Query Language as an alternative declarative syntax to get and format data from the default listings. We will look into some of the differences from regular cmd.exe commands usage and of course wmic in relevant detail.
We don’t really have any built-in malware detection or remediation capabilities in either the Windows Command Prompt or the PowerShell Prompt, since these apps essentially just provide an alternative interface for controlling and configuring applications that are built into Windows, or that are installed by a user. Malwarebytes Breach Remediation command line functionality is discussed in detail beginning on page 10. License Key Status Malwarebytes Breach Remediation uses a license key, which was provided to you upon your purchase of the client. Are There Command Line/Command Prompt Options for running the Malwarebytes Toolset? Yes, command line options are available to utilize some components of the Malwarebytes Toolset quickly for automation and/or scripting purposes. These options can be passed to MBTSLauncher.exe or MBTS.exe. Below is a list of those options and their applicable. Use the Windows key + I keyboard shortcut to open the Power User menu and select Command Prompt (Admin), then: To trigger a signature update, type the following command and press Enter.
WMIC – à la carte.
Nov 04, 2016 Command Line How to use Windows Defender with Command Prompt on Windows 10 You can use Windows Defender with command lines to run the antivirus manually or to automate certain tasks, and in this.
WMIC comes loaded from Windows XP and upwards.
To set the mode to wmic in cmd type wmic.
The prompt changes to wmic:rootcli> instead of the regular C:> prompt (default drivedefault path).
Type exit/quit at the wmi prompt to exit from the wmic mode within cmd.exe without exiting cmd.exe.
The advantage of not getting into the wmic console would mean that simple commands like type, fc, sort and find can be used along with the WMIC commands.
Lets enumerate the commands contained in the wmic extension in cmd.exe, just type /?
You get a long list, the screen pauses for user continuity as there is no need for more in this case.
You see a very well listed command and description listings.
A quick count of the wmic /? Help listings of commands (here it’s the default terminal mode as wmic has no facility for counting its own lines)–
C: wmic /? | find /c /v “”
The display results in 118. Ignoring the additional lines here and there as, there are about 110 + commands in WMIC that generate information from the system after working with the WMI API interface. WMI works to build better security through authorization features built in and would certainly come in handy for remote administration as its one of the primary uses that it was engineered for.
Most of wmic commands have a common tenor in terms of the syntax :
WMIC [alias or the command keywords displayed on /?] where (filter= “filter string” AND|OR| filter = “filter string”) get|call|list|every
Get/Call/List/Every are the most common verbs supported by wmic and typing a further /? reveals a lot more options that can be plugged into the verbs for additional functions.
Get is used to extract values from the filter headers of the wmic self formatted output. E.g. get processed
Call is used to invoke subfunctions specific to the command.
The default tabular view can be formatted for vertical (up/down) scrolling by the use of the list verb. The list verb takes brief and full as two arguments that you will find useful to format the data as per the requirements.
Every is used to denote a timer interval switch “every:” <insert number> seconds.
Lets look at the /output switch (or alias according to the wmic jargon),
/OUTPUT:STDOUT|CLIPBOARD|<filename>
/OUTPUT:CLIPBOARD – redirects the output of the stream to the clipboard, good for quick copy and paste instead of selecting the stdout display from cmd.exe.
/OUTPUT:”C:TESTdummy.txt” – This saves the output to the filename written. It creates a new one if there is none with the same name. No appending is done.
/OUTPUT:STDOUT – resets the output stream to the stdout in cmd.exe, good for restoring display after the above commands.
Nonetheless, the file is overwritten on each command run. To alleviate this concern the /APPEND switch can be used instead.
/APPEND: C:TESTdummy.txt – this would append the future command outputs to the end of the file. Note quotations are needed if spaces are present in the filename.
/APPEND: STDOUT and CLIPBOARD don’t work as expected as in the clipboard or the stdout the display does not really append.
/RECORD:C:TESTwmi.xml –saves the current command into the xml file in the path provided. This appends the subsequent outputs to the end of the file xml-tagged. This would ostensibly be the best choice for command recollection if you find xml parsing comfortable. To stop recording to the current file you need to redirect or choose a new file name.
The immediate command to be executed can also be written just after the /OUTPUT /APPEND /RECORD switches with their parameters to skip writing two commands after another.
C:wmic /OUTPUT:C:TESTwmi.xml process get name
/INTERACTIVE:ON sets warnings for delete operations, which are recommended while learning wmic or just as a precaution.
Type CONTEXT to see the compact list of settings in the current context such as the interactive mode, node, locale, record filename path, output mode, append mode, authority, role, namespace, and impersonation level.
C:wmic context
Note that WMIC takes its time to display the output as processing ostensibly is more involved than cmd.exe direct commands and executables. This additional overhead is sometimes quite annoying, nonetheless better digging into available data than forego the benefit, Also, the familiar CTRL +C does not seem to work, as the process cancellation does not happen at any moment till some time has passed. This second reason merits the real purpose of working in the regular cmd.exe environment as CTRL+C stops wmic in its tracks.
Enumerating Hardware Info :
Baseboard – Gives motherboard information
A quick thing to remember as we work on the WQL syntax is that the column headers are the very fields that are queried in the WQL queries. To get the baseboard name only:
C:wmic baseboard get manufacturer
The get verb takes header fields to begin the data extraction. This is unlike traditional filtering wherein the use of regular expression is used, this is a 4th generation declarative language syntax to extract the data, Much like LINQ(Language Integrated Query) in C#, where the data mining logic is supported in the language itself.
Bios – Gives the details of the bios vendor
C:wmic bios
Bootconfig – displays the bootpartition and related data
C:wmic bootconfig
Cdrom – displays the details of any optical disc hardware or virtual optical drives (daemon tools, gamedrive) as well.
C:wmic cdrom
CPU – lists the properties of the microprocessor(s) installed.
C:wmic cpu list full
Gives a view of the column headers line by line
Csproduct list full – Gives the serial number and vendor name of the laptop/desktop system as well as the UUID and version number. Very useful for viewing this information without opening your laptop.
C:wmic csproduct
Desktop – Gives a very detailed view of the all available desktop settings. A trivial, though useful thing among the list is the path of the wallpaper in case you need to take a backup of the picture or need to replace it with another one. The one displaying the path is the current desktop.
C:wmic desktop
Environment –Gives a comprehensive tabular listings of the environment variables. Adding list full rearranges the tabular list to a more per variable specific view. Both are useful.
C:wmic environment
Loadorder – gives a list of system services that define execution dependencies.
C:wmic loadorder
Memorychip – gives a comprehensive detail about the RAM slots and their chip types – Size, Part Number, Manufacturer (this value seems interesting), serial number and speed among others. No need to boot to the BIOS to check for such data.
C:wmic memorychip
Logical – gives the selective data of the disks serial numbers and their dive names.
C:wmic logical get volumeserialnumber, caption
Notice that WMIC does not relate the output in accordance with the order of the get parameters. If you wanted the caption to display after the serial number it does not happen by default. Some workaround would be needed I suppose.
NIC – lists a very detailed table of every virtual or hardware device that relates to connectivity of some kind. Bluetooth, Infrared, Wireless b/g/n adapters, virtual machines network drivers and installed 3rd party modem adapters.
NICCONFIG – gives a tabular view of the list of adapters with runtime data and protocol parameters as part of the view. The mac address is commonly queried and can be found out as:
C:wmic nicconfig get macaddress,caption
Logon – gives a much consolidated listing of every logon session recorded as long as the machine is running. This could give a timeline of the number of logins and their timestamps.
C:wmic logon
OS – gives a good listing of various OS related information including startup and running duration, partition, DEP status, debug status, version, service pack, country code, current time zone code, encryption level, install date, maximum supported memory, among others.
C:wmic os get encryptionlevel, debug,install date
Startup – gives a good list of the various registry locations having “run” as one of the key strings, as well as the executable path and related data of the startup list.
C:wmic startup
Useraccount – gives a list of related parameters to the user accounts in the system like account type, SID, enabled/disabled status, lockout status and description.
C:wmic useraccount
Sysdriver – gives a detailed list of the loaded drivers and their paths, short names, description among other fields.
C:wmic sysdriver
QFE (Quick Fix Engineering)– a sort of patch management command. It gives a good list of the available updates installed as well as their KB numbers, type (security update/hotfix/update), installation date and installation url.
C:wmic qfe
Product – gives a list of all the installed software much like the control panel Add/Remove programs list but with a lot more detail.
C:wmic product
Pagefile – immediate pagefile location and information like size.
C:wmic pagefile
RecoverOS – memory dump information like path for all types of crash dumps (full/kernel/mini)
C:wmic recoveros
Group – gives a list of the groups as well as their descriptions.
C:wmic group
Share- enumerates the local shares including hidden shares having suffix $.
C:wmic share
Services – Comprehensive listing of the services and their descriptions among other info.
C:wmic services
Process – very detailed listing of process parameters. Use list full verb to give a per process scrolling view for ease of parsing.
C:wmic process list full
Nteventlog – gives a per event view as recorded in the event log.
C:wmic nteventlog list full
Combo power
The use of wmic and regular cmd.exe commands enable greater leverage of features provided in cmd.exe especially when using the WQL keywords like where in association with find or findstr. Further, the use of logical statements +WQL wildcards+cmd.exe commands means full leverage of the terminal environment.
Lets get back to the cmd.exe terminal mode – type quit at the wmic prompt if still there.
Using logical conditions and specifying the field to focus on requires the use of the following:
Where clause to specify the column header as seen in the default outputs in wmic commands. These header fields are passed as parameters to filter out the data line within the lists.
The = verb is used to assign the filter string to the field string after the where clause as in:
C:wmic process where processid=”536″
The use of quotations is mandatory or the command will fail.
Conditions like AND/OR is used in parenthesis encapsulating the fields and their filter strings as in:
C:wmic process where (processid=”536″ and name=”malware.exe”)
Further filtering for searching for a particular numeric sequence or a substring can use the find/findstr commands.
C:wmic process where (processid=”536″ and name=”malware.exe”) | find “32”
The use of the delete clausewill cause the selected process to terminate as in:
C:wmic process where name=”malware.exe” delete
Finding command line arguments passed to a particular executable are done using filters:
C:wmic process where name = “mal.exe” list full
displays the full block where the process listing has been made for the particular executable.
C:wmic process where name= “mal.exe” get commandline
ParentProcessID is a valid parameter for many malware that launch child processes to stay resident in memory or keep launching new processes. Thus as a filter it would be very useful indeed.
C:wmic process where (name=”mal.exe” or parentprocessid=”246″) delete
Call verb in certain commands in WMIC enable some special use of functions that are called by that command.
To debug a certain executable process, the process command can be used as:
C:wmic process where name = “mal.exe” call attachdebugger
At this the default debugger set in the AEDebug registry key will be activated. You could set any debugger to this registry key and it will launch to debug the process. Cool eh?!
Other functions supported by the call method in process command are:
GetOwner, GetOwnerSid, SetPriority, Terminate.
Termination as:
C:wmic process where name=”mal.exe” call terminate
The /format /? switch displays the list of formats the command can output. It seems that a few of the formats are not supported anymore even thought the options are present.
/format:table also works.
C:wmic /output:C:ownzplist.txt process list full /format:table
Use the line above to get a tabular format.
/format:htable for html table and hform for html form do not work with this settings. It seems xml is made to be used to issue a standard data exchange format, especially with all Microsoft development platforms going xml with everything.
The patches list can be very quickly queried for a particular KB number, using find
C:wmic qfe list full | find “<number>”
Using a timer within WMIC. The every switch takes in a numeric as a time to repeat the command preceding the switch.
C:wmic process list brief /every:1 | find “mal.exe”
Conclusion: We have taken a second round at the possibilities of the cmd.exe and the now 11+ years running wmic extension that is not used as often as one would like. WMIC has a lot to offer in terms of its depth of information, especially on the system overview front and bios/hardware related data. It pretty much beating the programs masqueraded as commands in cmd,exe in terms of reporting depth, though the cmd.exe commands have great use of their own, especially with the fast search and sort commands. Much of its commands negate the use to log into the BIOS unless we need to change the device boot order or something of that nature and not just to check the RAM Chip data. Furthermore, the efficacy in reporting through xml means that data exchange will be standard issue. The use of a declarative syntax means that data mining is intuitive and accurate. The next part will continue on the features of WMIC/CMD and get into other commands that merit explanation. Thereafter we will delve into PowerShell and finally conclude with a round up of the most essential list of commands that can be used for pretty much most of the triage and corroborative activities as security professionals.
Viruses may attack files/folders, storage devices, or Windows operating systems. To remove a virus from an infected USB drive, SD card, pen drive and more on a Windows 10 computer, you can use CMD to get things done. If the virus delete or hide your files, don't hesitate to use EaseUS Data Recovery Wizard to recover them with ease.
On this page, we include four practical methods to help you remove viruses and help you restore virus removed or deleted files with powerful EaseUS file recovery software. If you are in this dilemma, follow fixes here to clean up virus and bring your files back:
Workable Solutions | Step-by-step Troubleshooting |
---|---|
Fix 1. Remove Virus with CMD | Run Command Prompt as Administrator or EaseUS M Tool > Clear virus with attrib -s -h -r /s /d *.* command...Full steps |
Fix 2. Run Antivirus | Run installed antivirus software, execute clean operation if virus is detected...Full steps |
Fix 3. Run Windows Defender | Go to Settings > 'Update & Security' > 'Windows Security' > 'Virus & threat protection' ...Full steps |
Fix 4. Format Infected Device | If the hard drive partition or external storage device was infected by virus, formatting it can help...Full steps |
Bonus Tip. Recover Files | If files get hidden or deleted by the virus, run EaseUS Data Recovery Wizard > Scan device and recover...Full steps |
What Damage Could Viruses Do
We loathe computer viruses, undoubtedly. But do you know exactly how viruses can damage your computer? There are many types of viruses, and they behave in different ways. To sum it up, a computer virus is simply a type of program that causes your computer to act in an undesirable way. It can be a dangerous infiltration designed to drag your computer down, erase important files, track your habits, or gives hackers access to your personal information... A virus is a great nuisance. Some viruses like the Locky virus and CryptoLocker, also known as ransomware, delete computer files, encrypt them, even change the file extension to .locky or .encypt. Other viruses hide files and leave users with nowhere to unhide them.
It's certainly true that a virus is something you will want to remove once you find it. Among the multiple choices, many users attempt to remove viruses using CMD.
Why Can You Remove a Virus Using CMD
In fact, using command lines doesn't directly check and remove viruses from your computer or external storage device. CMD helps to achieve your goal of removing viruses by showing the hidden viruses on a partition or drive. Afterward, you can delete the suspicious files. Since viruses always conceal themselves, you need to make them appear and then delete the virus files. Then how can you show the potentially hidden virus files using CMD? All you need is the attrib command.
The attrib command is a Command Prompt command used to display, set, or remove the attributes of the files or folders in the selected location. By canceling the 'hidden' attribute of the virus, you can see it appearing in the folder. And then you will know where to find and remove it.
How to Remove Virus Using CMD
Now, follow the steps below to delete viruses from your computer or storage device using CMD.
Step 1. Type cmd in the search bar, right-click 'Command Prompt' and choose 'Run as an administrator'.
Step 2. Type F: and press 'Enter'. (Replace 'F' with the drive letter of the infected partition or device.)
Step 3. Type attrib -s -h -r /s /d *.* and hit 'Enter'.
Step 4. Type dir and hit 'Enter'. Now you will see all the files under the assigned drive. (The dir command displays a list of a directory's files and subdirectories.)
Step 5. For your information, a virus name may contain words like 'autorun' and with '.inf' as the extension. Thus, if you find such suspicious files, type del autorun.inf to remove the virus.
Here are the basic attributes of the 'attrib' command:
R – represents the 'Read-only' attribute of a file or folder. Read-only means the file cannot be written on or executed.
H – the 'Hidden' attribute.
A – stands for 'Archiving' which prepares a file for archiving.
S – the 'System' attribute changes the selected files or folders from user files into system files.
I - 'not content indexed file' attribute.
The 'attrib' Syntax:
ATTRIB [+ attribute | – attribute] [pathname] [/S [/D]]
In the above command, let's see what the different parameters and switches are:
'+ / –': To enact or to cancel the specified attribute.
'attribute': As explained above.
'/S': Searching throughout the entire path including subfolders.
'/D': Include any process folder.
'pathname': Path where the target file or folder is located.
Here is the proper syntax order for attrib command:
ATTRIB [+R | -R] [+A | -A ] [+S | -S] [+H | -H] [+I | -I] [drive:][path][filename] [/S [/D] [/L]]
- Warning
- Be careful while using the Command Prompt. Improper use of cmd can result in system damage.
If you receive the message 'Access denied', you should:
- Make sure you have run Command Prompt as an administrator
- Make sure the file/folder is not in use
- Check the permission of the current account and make sure you have full control over the file/folder (right-click the file/folder/partition and go to 'Security')
- Use CHKDSK command to check for file system errors (run Command prompt and enter chkdsk /f [drive letter]:)
Manual input of the command line is suitable for computer professionals since wrong commands can cause more severe problems. Therefore, for security and usability, we strongly recommend you try an automatic command line alternative. EaseUS Tools M is a practical tool that enables you to check and fix files system error, enable/disable write protection and system update with one-click instead of typing intricate command lines.
Follow the simple steps below to show hidden files with this 1-click-fix software.
Step 1. DOWNLOAD EaseUS Tools M for Free.
Step 2. Start EaseUS Tools M, choose 'File Showing' on the left pane. Next, choose the target drive for scanning.
Step 3. After the operation completes, click the View button to check the hidden files.
3 Other Ways to Remove Virus
In addition to using CMD, there are other methods available to remove a virus from your computer or storage device, like using antivirus software, Windows Defender, and formatting the storage device.
Run Malwarebytes From Command Prompt
Method 1. Run Antivirus
Almost every computer has antivirus software installed. Whenever you find your computer is infected by a virus, running the antivirus software may help.
Method 2. Run Windows Defender Antivirus
Windows Defender Antivirus is the built-in antivirus protection in Windows 10. It provides protection against viruses, malware, and spyware for your computer and connected devices. If you don't have third-party antivirus software, using the built-in utility is advisable.
Step 1. Go to 'Settings' > 'Update & Security' > 'Windows Security'.
Step 2. Click 'Virus & threat protection'.
Step 3. In the 'Threat history' section, click 'Scan now' to scan for viruses on your computer.
Method 3. Format the Infected Device
The format is the process of erasing the existing files on the selected partition or drive. It will certainly remove the virus, too. Since formatting a partition/drive will cause data loss, make sure you don't have any important files stored on the device.
How to Recover Files Deleted/Hidden by Viruses
Don't forget to use a data recovery tool in case the virus deleted or hid your important files on USB and other drives. Using commands can only help remove the virus but can do nothing to restore damaged and lost files. EaseUS file recovery software is able to complete virus file recovery in just three steps.
Learn the 3-step file recovery in this video guide.
How to Prevent Virus or Malware Infections
Except for knowing how to cope with a virus attack, you should also know how to prevent virus infection on your computer or external storage device. For you to protect your computer or USB drives better, here are some feasible tips on virus prevention for you:
Install professional antivirus software on your computer and keep it updated
Be cautious with the origins of the programs you want to install
Avoid suspicious websites and think before you make a click
Make sure the network connection is safe
Besides, regularly making backups of your files with free backup software is also recommended to avoid complete data loss that may be caused by a virus infection.
The Bottom Line
Run Malwarebytes Free Scan
Removing a virus using CMD is a roundabout solution. Yet it works in some cases. If the attrib command fails, try the three more tips provided to get rid of the malicious file. Besides, virus attacks are always accompanied by data loss. In that case, use the hard drive recovery software - EaseUS Data Recovery Software to rescue the lost files as soon as possible.