Modify
Processes
start <ProgramName>
Starts a program or command in a new window.
Start-Process Notepad.exe
Uses the Process.Start method of the System.Diagnostics.Process class.
Start-Process <FilePath>
Starts one or more processes on the local computer.
Start-Process <FilePath> -ArgumentList <Arguments>
Starts a process with arguments.
Start-Process <FilePath> -Verb RunAs
Starts a process with elevated permissions (as administrator).
Start-Job {Start-Process <FilePath>}
Starts a process in a background job.
(Get-Process calculator*).Kill()
Calls the Kill() method of each matching Process object directly.
Stop-Process -Name calculator*
The cmdlet calls the Process.Kill method for each matching process.
Stop-Process -Name notepad
Uses the Process.Kill method of the System.Diagnostics.Process class.
Stop-Process -Id <ProcessID>
Stops (ends) the process with the specified process ID.
taskkill /IM <ProcessName>
Kills the process by image name.
taskkill /PID <ProcessID>
Kills the process by PID.
taskkill /T /IM <ProcessName>
Kills the process and any child processes it started.
taskkill /F /IM <ProcessName>
Forcefully kills the process by image name.
taskkill /F /PID <ProcessID>
Forcefully kills the process by PID.
wmic process where name="<ProcessName>" delete
Terminates a process with the specified name.
wmic process where processid="<ProcessID>" delete
Terminates a process with the specified process ID.
wmic process call create "<Command>"
Creates (starts) a process running a specified command.
Runs as the user credentials you supply:
Quietly start your malicious installer:
Sysinternals
psexec
Executes processes on remote systems.
DLLs
Registers a DLL file with the system.
When a DLL is registered, information about its classes and interfaces is added to the Windows Registry, allowing COM clients to use the DLL.
WARNING: May execute code if the DLL has a DllRegisterServer entry point:
Unregisters a DLL file from the system, removing its class and interface information from the Windows Registry:
Executes a function exported by a specified DLL. Typically used with DLLs that expose functions matching the calling convention rundll32 expects:
Uses PowerShell to load a DLL and execute a specific method:
Registry Locations
Processes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Contains entries for programs and processes that are launched automatically at startup for all users.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Contains entries for programs and processes that are launched automatically at startup for the current user.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Contains entries for programs and processes that are run once and then removed the next time the system starts.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Contains entries for programs and processes that are run once for the current user and then removed the next time the user logs in.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Contains options and settings for debugging and customizing the execution of specific executable files, including processes.
DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Contains paths and reference counts for shared DLLs used by multiple applications.
HKEY_CLASSES_ROOT\CLSID\{CLSID}\InprocServer32
Contains registration information for COM DLLs, including the path to the DLL file and threading model for each class identified by its CLSID.
HKEY_CLASSES_ROOT\TypeLib\{TypeLibID}
Contains information about the type libraries registered on the system, which may be DLLs. Each type library is identified by a unique ID.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Contains the names of DLLs to be loaded into every process that loads User32.dll.
This mechanism is used by some software for customization or extension, but it is also abused by malware for persistence.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
Lists the names of DLLs that are known to the system and are loaded from a trusted location, typically used to improve performance and security.
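As an added example (not part of the original page), the read-only PowerShell script below enumerates the Run/RunOnce, Image File Execution Options and AppInit_DLLs locations listed above so the entries can be reviewed for unexpected persistence. The `Debugger` value under an IFEO subkey and the `LoadAppInit_DLLs` value are standard Windows value names that the page itself does not list.

```powershell
# Added example: enumerate the autostart and DLL-loading registry
# locations from this page and report their contents. Read-only.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # PSPath, PSParentPath, etc. are PowerShell note properties, not registry values
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [pscustomobject]@{ Location = $key; Name = $_.Name; Command = $_.Value }
            }
    }
}

function Get-IfeoDebuggers {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    # A Debugger value under an executable's subkey makes Windows launch the named
    # debugger instead of the program; review any that point at unexpected binaries.
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Location = $_.PSPath; Name = $_.PSChildName; Command = $dbg }
        }
    }
}

function Get-AppInitDlls {
    $win = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $p = Get-ItemProperty -Path $win -ErrorAction SilentlyContinue
    # LoadAppInit_DLLs = 1 means the AppInit_DLLs list is honoured
    [pscustomobject]@{
        Location     = $win
        AppInit_DLLs = $p.AppInit_DLLs
        LoadEnabled  = ($p.LoadAppInit_DLLs -eq 1)
    }
}

Get-AutorunEntries | Format-Table -AutoSize
Get-IfeoDebuggers  | Format-Table -AutoSize
Get-AppInitDlls    | Format-List
```

Run it from an elevated session to read the HKLM locations reliably; compare the output against a known-good baseline of the same host to spot additions.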