Remote Shell Commands for Windows Endpoints

Use the available remote shell commands to investigate Windows endpoints.

Each entry below lists the following fields, in order: Command, Description, Syntax, Example, Supported on.

cat

Output the content of the selected file (maximum size: 1 MB)

cat <file_location_and_extension>

Note:

For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.

  • To output the content of the example.txt file located in the current directory (C:\Users\Administrator\Downloads):

    Downloads>cat example.txt

  • To output the content of the example.txt file located in the C:\temp directory:

    Downloads>cat c:\temp\example.txt

  • Trend Micro Endpoint Basecamp

  • Deep Security Agent (managed by Cloud One - Workload Security)

cd

Change the current working directory

cd <path>

Note:

For the <path>, specify the absolute or relative path.

cd C:\

  • Trend Micro Endpoint Basecamp

  • Deep Security Agent (managed by Cloud One - Workload Security)

clear

Clear screen

clear

clear

  • Trend Micro Endpoint Basecamp

  • Deep Security Agent (managed by Cloud One - Workload Security)

cp

Copy a file or directory to a specific destination

cp <source_object> <destination_object> [--force]

Note:
  • For the <source_object> and <destination_object>, specify the absolute or relative path to the directory, the file name, and the file extension (if required).

  • Use the --force parameter to overwrite existing objects.

  • To copy the Finances directory in the current directory (C:\Users\Administrator\Downloads) to C:\example and overwrite the existing directory:

    Downloads>cp Finances C:\example --force

  • To copy the example.txt file in the directory C:\Users\Administrator\Downloads to C:\temp and overwrite the existing example.txt file:

    Downloads>cp C:\Users\Administrator\Downloads\example.txt C:\temp --force

  • Trend Micro Endpoint Basecamp

env

List environment variables

env

env

  • Trend Micro Endpoint Basecamp

  • Deep Security Agent (managed by Cloud One - Workload Security)

fileinfo

List detailed file properties

fileinfo <file_location_and_extension>

Note:

For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.

  • To list the file properties of the example.txt file in the current directory (C:\Users\Administrator\Downloads):

    Downloads>fileinfo example.txt

  • To list the file properties of the example.txt file located in the C:\temp directory:

    fileinfo C:\temp\example.txt

  • Trend Micro Endpoint Basecamp

  • Deep Security Agent (managed by Cloud One - Workload Security)

get

Collect a specific file and upload it to Trend Micro Vision One

Maximum file size: 4 GB

get <file_location_and_extension>

Note:

For the <file_location_and_extension>, specify the absolute or relative path to the file, the file name, and the file extension.

Warning:

Downloading suspicious samples may potentially harm your endpoint. Ensure that you take the necessary precautions before continuing. Trend Micro Vision One automatically stores the collected samples in a password-protected ZIP archive.

  • To collect the example.txt file in the current directory (C:\Users\Administrator\Downloads):

    Downloads>get example.txt

  • To collect the example.txt file located in the C:\temp directory:

    get C:\temp\example.txt

  • Trend Micro Endpoint Basecamp

group list

List local group information

group list

group list

  • Deep Security Agent (managed by Cloud One - Workload Security)

help

Display help information

help

help

  • Trend Micro Endpoint Basecamp

  • Deep Security Agent (managed by Cloud One - Workload Security)

ipconfig

Display network configuration information

ipconfig

ipconfig

  • Trend Micro Endpoint Basecamp

  • Deep Security Agent (managed by Cloud One - Workload Security)

kill

Terminate a running process

kill <PID>

Important:

You cannot use the kill command to terminate Trend Micro processes.

kill 1234

  • Trend Micro Endpoint Basecamp

listenports

List listening ports

listenports

listenports

  • Deep Security Agent (managed by Cloud One - Workload Security)

ls

List contents of the directory

ls [path]

Note:

For the optional [path], specify the absolute or relative path.

ls

  • Trend Micro Endpoint Basecamp

  • Deep Security Agent (managed by Cloud One - Workload Security)

mkdir

Create a new directory

mkdir <path>

Note:

For the <path>, specify the absolute or relative path.

  • To create the temporary directory in the current directory (C:\Users\Administrator\Downloads):

    Downloads>mkdir temporary

  • To create the temporary directory in the C:\temp directory:

    Downloads>mkdir C:\temp\temporary

  • Trend Micro Endpoint Basecamp

mv

Move a file or directory to a specific destination

mv <source_object> <destination_object> [--force]

Note:
  • For the <source_object> and <destination_object>, specify the absolute or relative path to the directory, the file name, and the file extension (if required).

  • Use the --force parameter to overwrite existing objects.

  • To move the temporary directory in the current directory (C:\Users\Administrator\Downloads) to C:\example and overwrite the existing directory:

    Downloads>mv temporary C:\example --force

  • To move the example.txt file in the directory C:\Users\Administrator\Downloads to C:\temp and overwrite the existing example.txt file:

    Downloads>mv C:\Users\Administrator\Downloads\example.txt C:\temp --force

  • Trend Micro Endpoint Basecamp

netstat

List network statistics and active connections

netstat

netstat

  • Trend Micro Endpoint Basecamp

  • Deep Security Agent (managed by Cloud One - Workload Security)

ps

List running process information

ps

ps

  • Trend Micro Endpoint Basecamp

  • Deep Security Agent (managed by Cloud One - Workload Security)

pwd

Display current directory

pwd

pwd

  • Trend Micro Endpoint Basecamp

  • Deep Security Agent (managed by Cloud One - Workload Security)

reg query

List registry information

reg query <key> [--value=<value_name>]

  • To list the content of the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion registry key:

    C:\ >reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion

  • To list only the data for the value "Details" in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion registry key:

    C:\ >reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion --value=Details

  • Trend Micro Endpoint Basecamp

  • Deep Security Agent (managed by Cloud One - Workload Security)

rm

Delete a file or directory (and all sub-directories)

rm <source_object> [--force]

Note:
  • For the <source_object>, specify the absolute or relative path to the directory, the file name, and the file extension (if required).

  • Use the --force parameter to delete objects configured as "read only".

  • To delete the temporary directory in the current directory (C:\Users\Administrator\Downloads) and all read-only objects:

    Downloads>rm temporary --force

  • To delete the example.txt file in the directory C:\Users\Administrator\Downloads:

    Downloads>rm C:\Users\Administrator\Downloads\example.txt

  • Trend Micro Endpoint Basecamp

scheduletasks

List scheduled tasks

scheduletasks

scheduletasks

  • Deep Security Agent (managed by Cloud One - Workload Security)

service list

List service information

service list

service list

  • Trend Micro Endpoint Basecamp

  • Deep Security Agent (managed by Cloud One - Workload Security)

systeminfo

List system information

systeminfo

systeminfo

  • Trend Micro Endpoint Basecamp

  • Deep Security Agent (managed by Cloud One - Workload Security)

user info

List account properties

user info <username>

user info john_doe

  • Trend Micro Endpoint Basecamp

user list

List local user accounts

user list

user list

  • Trend Micro Endpoint Basecamp

  • Deep Security Agent (managed by Cloud One - Workload Security)

zip

Compress a file or directory in a zip archive and optionally encrypt the archive with a password

zip <source_object1> [<source_object2...> <source_objectn>] <destination_object> [--password <password>] [--force]

Note:
  • For the <source_object> and <destination_object>, specify the absolute or relative path to the directory, the file name, and the file extension (if required).

  • Use the --force parameter to overwrite existing objects.

  • To zip the contents of the temporary directory in the current directory (C:\Users\Administrator\Downloads) to C:\example\directoryArchive.zip, set the password to "P@ssw0rd" and overwrite the existing file:

    Downloads>zip temporary C:\example\directoryArchive.zip --password P@ssw0rd --force

  • To zip the example.txt file in the directory C:\Users\Administrator\Downloads to C:\temp\exampleArchive.zip and overwrite the existing file:

    Downloads>zip C:\Users\Administrator\Downloads\example.txt C:\temp\exampleArchive.zip --force

  • Trend Micro Endpoint Basecamp