Use the available remote shell commands to investigate Windows endpoints.

Note
Note
When specifying a file location, be aware that UNC paths are not supported.
Command
Description
Syntax
Example
Supported on
cat
Output the content of the selected file (max size 1MB)
cat <file_location_and_extension>
Note
Note
For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.
  • To output the content of the example.txt file located in the current directory (C:\Users\Administrator\Downloads):
    Downloads>cat example.txt
  • To output the content of the example.txt file located in the C:\temp directory:
    Downloads>cat c:\temp\example.txt
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
cd
Change the current working directory
cd <path>
Note
Note
For the <path>, specify the absolute or relative path.
cd C:\
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
clear
Clear screen
clear
clear
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
cp
Copy a file or directory to specific destination
cp <source_object> <destination_object> [--force]
Note
Note
  • For the <source_object> and <destination_object>, specify the absolute or relative path to the directory, and the file name, and the file extension (if required).
  • Use the --force parameter to overwrite existing objects.
  • To copy the Finances directory in the current directory (C:\Users\Administrator\Downloads) to C:\example and overwrite the existing directory:
    Downloads>cp Finances C:\example --force
  • To copy the example.txt file in the directory C:\Users\Administrator\Downloads to C:\temp and overwrite the existing example.txt file:
    Downloads>cp C:\Users\Administrator\Downloads\example.txt C:\temp --force
  • XDR Endpoint Sensor
drivelist
Lists drives with details
Note
Note
User Account Control (UAC) may prevent users from accessing network drives mounted by other user accounts. To address this, the system retrieves drive information based on currently active local users. If multiple users are logged in concurrently, the system collects and displays drive information for the active local user who most recently logged in.
drivelist
drivelist
XDR Endpoint Sensor
env
List environment variables
env
env
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
fileinfo
List detailed file properties
fileinfo <file_location_and_extension>
Note
Note
For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.
  • To list the file properties of the example.txt file in the current directory (C:\Users\Administrator\Downloads):
    Downloads>fileinfo example.txt
  • To list the file properties of the example.txt file located in the C:\temp directory:
    fileinfo C:\temp\example.txt
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
get
Collect a specific file and upload to Trend Vision One
Maximum file size: 4 GB
get <file_location_and_extension>
Note
Note
For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.
This command does not support collecting protected Windows files.
WARNING
WARNING
Downloading suspicious samples may potentially harm your endpoint. Take necessary precautions before continuing. Trend Vision One automatically stores the collected samples in a password-protected .zip archive.
  • To collect the file example.txt file in the current directory (C:\Users\Administrator\Downloads):
    Downloads>get example.txt
  • To collect the file example.txt file located in the C:\temp directory:
    get C:\temp\example.txt
  • To collect a protected Windows file in a System folder with write access, try to use the cp command to copy the file outside of the System folder and then use the get command.
  • XDR Endpoint Sensor
group list
List local group information
group list
group list
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
help
Display help information
help
help
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
ipconfig
Display network configuration information
ipconfig
ipconfig
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
kill
Terminate a running process
kill <PID>
Important
Important
You cannot use the kill command to terminate Trend Micro processes.
kill 1234
  • XDR Endpoint Sensor
listenports
List listening ports
listenports
listenports
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
ls
List contents of the directory
ls [path]
Note
Note
For the <path>, specify the absolute or relative path.
ls
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
memdump
Create a process memory dump available as an encrypted archive from the Trend Vision One console
memdump [--ma] [--mm] --pid <pid>
--ma: Creates a full process memory dump.
-mm: Create a mini process memory dump.
--pid: Required parameter to specify process ID <pid>
Note
Note
memdump does not support dumping system processes or creating dump files larger than 4GB.
memdump --mm --pid 1234
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
mkdir
Create a new directory
mkdir <path>
Note
Note
For the <path>, specify the absolute or relative path.
  • To create the temporary directory in the current directory (C:\Users\Administrator\Downloads):
    Downloads>mkdir temporary
  • To create the temporary directory in the C:\temp directory:
    Downloads>mkdir C:\temp\temporary
  • XDR Endpoint Sensor
mv
Move a file or directory to specific destination
mv <source_object> <destination_object> [--force]
Note
Note
  • For the <source_object> and <destination_object>, specify the absolute or relative path to the directory, and the file name, and the file extension (if required).
  • Use the --force parameter to overwrite existing objects.
  • To move the temporary directory in the current directory (C:\Users\Administrator\Downloads) to C:\example and overwrite the existing directory:
    Downloads>mv temporary C:\example --force
  • To move the example.txt file in the directory C:\Users\Administrator\Downloads to C:\temp and overwrite the existing example.txt file:
    Downloads>mv C:\Users\Administrator\Downloads\example.txt C:\temp --force
  • XDR Endpoint Sensor
netstat
List network statistics and active connections
netstat
netstat
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
ps
List running process information
ps
ps
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
pwd
Display current directory
pwd
pwd
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
reg query
List registry information
reg query <key> [--value=<value_name>]
  • To list the content of the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion registry key:
    C:\ >reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
  • To list the only the data for the value "Details" in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion registry key:
    C:\ >reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion --value=Details
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
rm
Delete a file or directory (and all sub-directories)
rm <source_object> [--force]
Note
Note
  • For the <source_object>, specify the absolute or relative path to the directory, and the file name, and the file extension (if required).
  • Use the --force parameter to delete objects configured as read only.
  • To delete the temporary directory in the current directory (C:\Users\Administrator\Downloads) and all read-only objects:
    Downloads>rm temporary --force
  • To delete the example.txt file in the directory C:\Users\Administrator\Downloads:
    Downloads>rm C:\Users\Administrator\Downloads\example.txt
  • XDR Endpoint Sensor
run
Execute a previously uploaded script
run <script_name_and_extension> [arguments]
run demo.ps1 1 "22 33" 44
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
scheduletasks
List scheduled tasks
scheduletasks
scheduletasks
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
service list
List service information
service list
service list
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
systeminfo
List system information
systeminfo
systeminfo
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
taskstatus
List status of response tasks created in the current session
taskstatus [--id=<task_id>]
<task_id>: Optional parameter to specify the identifier of the response task.
taskstatus [--id=RM-20241207-00025]
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
user info
List account properties
user info <username>
user info john_doe
  • XDR Endpoint Sensor
user list
List local user accounts
user list
user list
  • XDR Endpoint Sensor
  • Deep Security Agent (managed by Trend Cloud One - Endpoint & Workload Security)
zip
Compress a file or directory in a zip archive and optionally encrypt the archive with a password
zip <source_object1> [<source_object2...> <source_objectn>] <destination_object> [--password <password>] [--force]
Note
Note
  • For the <source_object> and <destination_object>, specify the absolute or relative path to the directory, and the file name, and the file extension (if required).
  • Use the --force parameter to overwrite existing objects.
  • To zip the contents of the temporary directory in the current directory (C:\Users\Administrator\Downloads) to C:\example\directoryArchive.zip, set the password to P@ssw0rd and overwrite the existing file:
    Downloads>zip temporary C:\example\directoryArchive.zip --password P@ssw0rd --force
  • To zip the example.txt file in the directory C:\Users\Administrator\Downloads to C:\temp\exampleArchive.zip and overwrite the existing file:
    Downloads>zip C:\Users\Administrator\Downloads\example.txt C:\temp\exampleArchive.zip --force
  • XDR Endpoint Sensor