Category Archives: CLI Secrets

Network trace without NetMon, wireShark, etc… Part 2

MC91021636214As I told you in the previous episode, there is more than just capturing without installing any software. Much more, actually. There is a .cab file which contains many files: 33 to be accurate (at least in my case). The files contain the heck of information about the computer’s networking configuration as well as logs. Let’s take a look at those files:


1) adapterinfo.txt: contains info about your NICs’ drivers:


How can this be useful? Easily, say, you see the driver for a physical NIC which was issued 5 years ago: why not to upgrade it first? Anyway, this can give you the starting point for troubleshooting.

2) dns.txt: this one contains the output for ipconfig /displaydns command which gives us the content of the DNS client cache


3) envinfo.txt: all you want and even more about the wireless network. Drivers with supported authentication and cipher options, interfaces and their state, hosted networks, WLAN settings, profiles and more and more…


4) filesharing.txt: nbtstat –n, nbtstat –c, net config rdr, net config srv, net share


5) gpresult.txt: no comments

6) neighbors.txt: arp –a, netsh interface ipv6 show neighbors (yeah, calling netsh from netsh… inception… 😉 )

7) netiostate.txt: in my case there were Terede settings


8) osinfo.txt: at first it looks like systeminfo output, but actually it is somewhat different, yet can prove useful.


9) Report.etl: trace log file. I haven’t yet took a look into it. Probably it can be good for a deep troubleshooting

10) wcninfo.txt: wireless computer network information. Services status, files information and again interfaces info, ipconfig, and more…


11) wfpfilters.xml: I haven’t yet undertook a close investigation on the file, but seems like the file contains firewall rules in XML format

12) windowsfirewallconfig.txt: config for the firewall. Is it turned on, global settings and all that stuff

13) several other files, which contain various event logs related to networking, registry keys dumps and other info


14) Report.html: an .html file which contains links to the files above


Well, that’s it. Actually, while troubleshooting some incidents I was forced to request some info several time, just because I didn’t know what exactly I was going to need and I didn’t want to frustrate users with many commands or sending them a .bat file. Now I can give them only two commands and voila! I love it, really. IMHO this ability is just awesome even without taking network traffic capture, so I strongly advise to remember it!

Network trace without NetMon, WireShark, etc…

MC910216362[1]It is often necessary to capture and analyze some network traffic to troubleshoot a problem. Usually, it requires to install some software package similar to several stated in the subject to this article. It’s ok, when the computer in question is, say, your laptop, or its user is at least advanced user, has administrative permissions and it is permitted by a security policy to install some new software. But what if it is not the case? A user is some sales manager who don’t want to spend their time installing anything? Or this is a server, where you cannot change anything?

To cut a long story short, recently I’ve run into a totally awesome blogpost, where among other truly interesting things (the blog is in the top 5 of my most favorite, if not the most interesting, BTW) there was a solution for such a situation.

In short, you don’t have to install, say, Network Monitor onto a Windows7/2008 R2 box to get network capture. It can be done with the built-in tool, that is netsh. You still need

1) to be a local admin on the computer you are tracing

2) NetMon to analyze the package you receive after the capture is complete. But you can do it on any computer you wish.

How does it work? Just excellent 😉

1) Start the trace

netsh trace start capture=yes tracefile=<PathToFile>


2) Then reproduce the problem. I started my chrome (to much open tabs in IE 😉 ) and went to

3) Then stop the trace:

netsh trace stop


Please notice, that the trace created two files: .etl and .cab. The ETL one is where our network trace is placed. The second… It makes the method even more awesome, but I will dedicate the next blog post to it.

4) Open the trace on any computer where you have Network Monitor installed:


Oops… What’s with parsers? If we take a closer look at the interface we’ll see the following:

Process: Windows stub parser: Requires full Common parsers. See the “How Do I Change Parser Set Options(Version 3.3 or before) or Configure Parser Profile (Version 3.4)” help topic for tips on loading these parser sets.

Well, some parsers are definitely not turned on. Let’s do it now, it’s easy (I have NetMon 3.4). Go to tools->options


Look at Parser Profiles tab:


and turn on the Windows profile by right clicking it and selecting Set As Active option:


That’s what we were looking for:


5) Now do all the NetMon stuff, for example I was looking for Chrome activity and, say, I need to look at DNS requests:


Isn’t that great? No, it is simply awesome, because we haven’t yet take a look at .cab file, which contains tons of useful info. But we’ll do it in the next article.

%systemroot%System32 secrets: defrag

The next command also seems to be used the further the less. Partly, probably, because performance of modern computers allows forgetting about the problem of fragmentation unless it is too late becomes huge. Partly because some myths about it have successfully died. But mostly because it is running by default once a week. Earlier (in 9x age) we had a nice GUI-based defragmentation program, now we have only a command line tool and very reduced (without that visualized fragmentation status: it was totally useless, but absolutely awesome. Hey, I believe that the fact we don’t have this magic now is probably the main reason we don’t need defrag 😉 ) GUI to manage it. Running this command in background (with low priority, by the way) on a regular basis means that we don’t have much of fragmentation:


But we also don’t have the magic =(

Anyway, if you don’t want “this bloody computer to operate your data” or are just not satisfied with the schedule, then you can switch it off in dfrgui program:


Change the time it runs in the same place, or create some sophisticated schedule in the task scheduler:


You can even implement some advanced logic, if you wish. Say, why even bother to run defrag if you see the picture like this:


You can write a script which checks for fragmentation, does defragmentation if needed, consolidates free space once in a while and do nothing at all other times.

Anyway, I’m quite comfortable with the default behavior, but even this fact doesn’t mean I have to know nothing about my options.

%SystemRoot%System32 Secrets: compact & convert

I’ve been quite busy for some time, so there is a quick run over two utilities: compact and convert. The first one can be used sometimes while the second, I think, has almost died out. Let’s take a look on them.


Remember cipher? The same stuff: cipher deals with encryption, this one – with compression on an NTFS volume. You need to script it or find it boring to use all that GUI? It’s for you. But seriously: do many people use it? I don’t like the feature, actually. But anyway, if you need it, you get it.


This command I haven’t used for years. Really, who has a file system which can be converted to NTFS now? Probably, on some thumb drive. Yet it was very useful back then, in time when we all were moving from windows 9x to Windows 2000 or XP. I used it quite often, so when I found it still placed on my W7 system, I decided to honor it even if it is worthless now. BTW, probably, it isn’t? Then tell me =)

%SystemRoot%system32 secrets: cipher

Next command in my list is what you never remember about unless user comes in with a cry: “I’ve reset my password and now all my EFS-encrypted files are gone!!!”. Are you familiar with the situation? I am not, fortunately, but I heard some related horror stories. Backup the encryption keys is the key. And updating of keys on the files. And creating of recovery keys. And backing up the encryption keys. All that the utility in the question can do for you.

There are plenty of articles about the actions described above. But when I tried to look at the utility’s description more closely, I found one new function: cipher with arguments “/W” and a folder will remove all data from unused disk space on the volume where the folder is placed. What it is doing is:

1) Creating folder EFSTMPWP on the volume:

2) Creating there a temp file (or several, according to some sources)


3) Writing there zeros, then ones, and polishes it with some random values:


It does each step until the whole disk is filled up and then repeats:




Of course it is quite time consuming, especially on large volumes. But if I was the person to design the command, I’d rather made it to write not just zeros and ones, but just encrypt every free cluster with a random key. Luckily it wasn’t me, so it is not even more long procedure 😉

The command asks you to close all the applications to make the effort as effective as it is possible, mostly to eliminate all the temp files with data in them.

Further reading:

cipher /?

BITS Transfer PowerShell cmdlets

One friend of mine told me that I shouldn’t have spread knowledge about BITSAdmin command while there was the PowerShell cmdlets in place. Well, to some extent he is definitely right:

  • 1) PowerShell is better self-documented.

2) It is waaaay easier to script with.

3) It is more simple to use in some basic situations like “just give me that darn file”.

4) Many people just like PoSh.

So, the tasks I did in my post about BITSAdmin seems to be done in one command:

Start-BitsTransfer –source <URL> –destination <PathToFile>

but one need to do his homework better:


Seems like the module for BITS is not imported by default. Let’s correct the mistake:


and now we have our cmdlets:


So, let’s our download begin:


Excellent, isn’t it (it even show the progress very visually)? No, it isn’t. Because when I turned my network connection off the download was cancelled:


Even though it was stated that “BITS will try again” – it wouldn’t and there wasn’t any job registered with BITS. I don’t know why, actually (I hope my friend will explain it to me), but I found a “workaround”. Just add “-Asynchronous” option to the string and it will fork just fine for you although you won’t be able to see that beautiful download bar:



But even when the state changed to “Transferred”, there was only a .tmp file in my directory. Actually, when I started the command without “-Asynchronous” option, I’ve got the file immediately after the end of the transfer, but you already know that you cannot then resume the transfer if it was interrupted. Therefore, I had to complete the transfer manually:


Not very big difference from what we did with BITSAdmin, I guess. And I couldn’t tell how to do is to monitor my jobs in fasion BITSAsmin /MONITOR does.

So, let’s sum it up:

1) PoSh is best for scripting

2) You can use for interactive tasks whichever command set you are used to, but remember, that BITSAdmin can be discontinued any moment

So, my best approach is, do everything I can with PoSh and monitor with BITSAdmin, until someone tells me how to do it with PoSh 😉

%SystemRoot%system32 secrets: Choice

We won’t assess the next three commands – chglogon, chgport and chguser – because they are all replaced by change. Therefore the next candidate in the race is


While not being helpful alone it could be useful in batch scripts. Those can be actually very powerful, still I like PowerShell more because it allows me to do stupid things faster and of more quality. But just in case you want to do some *.bat files with not linear logic depending on a user’s input, you can use it. For example, you can ask something like this:


=))) Moreover, you can set default choice and auto accept it after some time:


I haven’t pressed a key here, but the command substituted “b” after 5 seconds of waiting.

Getting out the user’s choice is not perfectly straightforward. It doesn’t return the result as I’m used to. It put the result into %ERRORLEVEL% variable. It is not a big deal, but… I’d rather use PowerShell for it, really. Nevertheless, if you are still addicted to DOS shell, it is sometimes your “choice” 😉