Published 2023-12-03 (author not listed)
[Incident Response] Windows Incident Response Operations Handbook

Observe the symptoms

Abnormal symptoms include the system becoming slow or laggy, crashes or hangs, high CPU and memory usage, network congestion or loss of connectivity, and free disk space shrinking sharply for no apparent reason. From these symptoms you can form an initial hypothesis about the problem the system is facing.

Viewing basic system information on Windows

```
PS C:\Users\bobac\Desktop> systeminfo
```

Viewing CPU and memory consumption on Windows

Sort the columns in descending order as in the figure below, or use the command (`/V` adds the status, user name, CPU time and window title columns), redirecting the output to a file:

```
PS C:\Users\bobac\Desktop> tasklist /V >
```

Viewing network communications on Windows

Looking for anomalies at the intrusion point

Check connections

`netstat -abo | findstr TCP` lists every TCP socket with its state and the PID that owns it (`-a` all sockets, `-b` the executable that opened each one, `-o` the PID; `-b` needs an elevated prompt):

```
PS C:\Users\bobac\Desktop> netstat -abo | findstr TCP
  TCP    0.0.0.0:135            WIN-8JQH4CQEJIR:0      LISTENING       708
  TCP    0.0.0.0:445            WIN-8JQH4CQEJIR:0      LISTENING       4
  TCP    0.0.0.0:49152          WIN-8JQH4CQEJIR:0      LISTENING       376
  TCP    0.0.0.0:49153          WIN-8JQH4CQEJIR:0      LISTENING       760
  TCP    0.0.0.0:49154          WIN-8JQH4CQEJIR:0      LISTENING       884
  TCP    0.0.0.0:49155          WIN-8JQH4CQEJIR:0      LISTENING       484
  TCP    0.0.0.0:49156          WIN-8JQH4CQEJIR:0      LISTENING       1716
  TCP    0.0.0.0:49157          WIN-8JQH4CQEJIR:0      LISTENING       492
  TCP    172.16.204.128:139     WIN-8JQH4CQEJIR:0      LISTENING       4
  TCP    [::]:135               WIN-8JQH4CQEJIR:0      LISTENING       708
  TCP    [::]:445               WIN-8JQH4CQEJIR:0      LISTENING       4
  TCP    [::]:49152             WIN-8JQH4CQEJIR:0      LISTENING       376
  TCP    [::]:49153             WIN-8JQH4CQEJIR:0      LISTENING       760
  TCP    [::]:49154             WIN-8JQH4CQEJIR:0      LISTENING       884
  TCP    [::]:49155             WIN-8JQH4CQEJIR:0      LISTENING       484
  TCP    [::]:49156             WIN-8JQH4CQEJIR:0      LISTENING       1716
  TCP    [::]:49157             WIN-8JQH4CQEJIR:0      LISTENING       492
```

Check the process

Take a PID from the connection list (here 1716, the listener on port 49156) and look it up (the image-name column of this line is missing from this copy):

```
PS C:\Users\bobac\Desktop> tasklist | findstr 1716
                               1716 Services                   0     18,232 K
```

Check services

`tasklist /SVC` shows which services are hosted in each process, which is how a listening PID is tied back to a service (most image names in this output are missing from this copy):

```
PS C:\Users\bobac\Desktop> tasklist /SVC

映像名称                       PID 服务
========================= ======== ============================================
System Idle Process              0 暂缺
System                           4 暂缺
                               244 暂缺
                               324 暂缺
                               376 暂缺
                               484 暂缺
                               492
                               500 暂缺
                               600 DcomLaunch, PlugPlay,
                               668 VMware Physical Disk Helper
                               708 RpcEptMapper,
                               760 AudioSrv, Dhcp, eventlog, lmhosts,
                               852 AudioEndpointBuilder, CscService, Netman,
                                   PcaSvc, TrkWks,
                               884 Appinfo, Browser, gpsvc, IKEEXT, iphlpsvc,
                                   LanmanServer, ProfSvc, Schedule, SENS,
                                   ShellHWDetection, Themes, Winmgmt,
                               272 EventSystem, netprofm, nsi, sppuinotify,
                               496 CryptSvc, Dnscache, LanmanWorkstation,
                              1144
                              1172 BFE, DPS,
                              1332
                              1392
                              1668
                              1716
                              1808
                              1988
                              1212
                              1064 暂缺
                              2888
                              2896
                              1868
                              2492
                               904
                              3656 暂缺
                              3668 暂缺
                              2708 暂缺
                              3844 暂缺
                              3836 暂缺
                              3212 暂缺
                              3980 暂缺
                              2500 暂缺
                              2744 暂缺
                              2768 暂缺
                              1068 暂缺
                              1352 暂缺
                              3360 暂缺
                              2640 暂缺
                              2652 暂缺
                              3356 暂缺
```

Check loaded DLLs

`tasklist /M` lists the DLL modules loaded by each process; redirect it to a file so it can be compared later:

```
C:\Windows\system32>tasklist /M >
```

Check logs

Process logs and logon logs are stored under C:\Windows\System32\winevt\Logs.

Logon logs

System logs

For service logs or web logs, configure syslog. Web logs are plain files as well and can be processed with automated analysis tools.

Check the registry

Check startup items and scheduled tasks

Check accounts

Check firewall configuration
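The "check connections, check the process, check services" steps above are done by hand with `netstat -abo`, `tasklist | findstr PID` and `tasklist /SVC`. The script below is an added example, not part of the original handbook, that performs the same correlation in one pass: every TCP socket is listed with its owning process, image path, command line and the services hosted in that PID, and two triage views are printed before the full table is saved. It assumes Windows PowerShell 5.1 on Windows 8 / Server 2012 or later (the NetTCPIP module supplies `Get-NetTCPConnection`) and an elevated prompt; the output file name under `$env:TEMP` is my choice.

```powershell
# Added example (not from the original handbook): netstat -abo -> tasklist -> tasklist /SVC
# correlation in one pass. Assumes PowerShell 5.1+ on Windows 8 / Server 2012+, run elevated.

# PID -> service names, built once from Win32_Service (what tasklist /SVC shows).
$svcByPid = @{}
foreach ($s in Get-CimInstance Win32_Service) {
    if ($s.ProcessId -gt 0) {
        $key = [int]$s.ProcessId
        if (-not $svcByPid.ContainsKey($key)) { $svcByPid[$key] = @() }
        $svcByPid[$key] += $s.Name
    }
}

# PID -> process metadata (what tasklist shows, plus image path and command line).
$procByPid = @{}
foreach ($p in Get-CimInstance Win32_Process) { $procByPid[[int]$p.ProcessId] = $p }

# One row per listening or established TCP socket (what netstat -abo shows).
$rows = foreach ($c in Get-NetTCPConnection -State Listen, Established) {
    $id    = [int]$c.OwningProcess
    $proc  = $procByPid[$id]
    $name  = if ($proc) { $proc.Name } else { '<not found>' }
    $image = if ($proc) { $proc.ExecutablePath } else { $null }
    $cmd   = if ($proc) { $proc.CommandLine } else { $null }
    $svcs  = if ($svcByPid.ContainsKey($id)) { $svcByPid[$id] -join ', ' } else { '' }
    [pscustomobject]@{
        Local       = '{0}:{1}' -f $c.LocalAddress, $c.LocalPort
        Remote      = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
        State       = [string]$c.State
        PID         = $id
        Process     = $name
        Image       = $image
        Services    = $svcs
        CommandLine = $cmd
    }
}

# Private, loopback and unspecified addresses; established connections to anything
# else are the ones a responder reviews first.
$privateRe = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|0\.0\.0\.0|::|fe80:)'

"`n== Established connections to non-private addresses =="
$rows | Where-Object { $_.State -eq 'Established' -and $_.Remote -notmatch $privateRe } |
    Format-Table Local, Remote, PID, Process, Services -AutoSize

# Listeners whose image lives outside the Windows directory, or that host no
# registered service, get a second look. PID 4 (System) is skipped: it owns the
# SMB listeners on 139/445 and never hosts a service entry.
"`n== Listeners outside $env:SystemRoot or without a hosted service =="
$rows | Where-Object {
    $_.State -eq 'Listen' -and $_.PID -gt 4 -and
    ( ($_.Image -and $_.Image -notlike "$env:SystemRoot\*") -or $_.Services -eq '' )
} | Format-Table Local, PID, Process, Image, Services -AutoSize

# Full socket/process/service table for the case file.
$csv = Join-Path $env:TEMP 'tcp_triage.csv'
$rows | Sort-Object State, PID | Export-Csv -NoTypeInformation -Path $csv
"Full table written to $csv"
```

The second view is a review list, not an alert: a process such as `lsass.exe` legitimately listens on an RPC port without hosting a service, which is why the output keeps the image path beside each row so the reviewer can judge it.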
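The "check logs" step points at C:\Windows\System32\winevt\Logs and names logon logs as one source to read. As an added example that is not part of the original handbook, the script below reads logon events from the Security log with `Get-WinEvent`, flattens the EventData fields, and produces three summaries: failed logons by source address, successful network and RDP logons by user and source, and sources whose failures were followed by a success. Event IDs 4624 (successful logon) and 4625 (failed logon) and logon types 3 (network) and 10 (RemoteInteractive) are the standard Windows values; the 7-day window and the 10-minute pairing window are my assumptions, and the prompt must be elevated because standard users cannot read the Security log.

```powershell
# Added example (not from the original handbook): logon summary from the Security log.
# 4624 = successful logon, 4625 = failed logon; logon type 3 = network, 10 = RDP.
# Assumes an elevated prompt and a 7-day window (both adjustable below).
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

# The interesting fields live in the event's XML EventData block; flatten each event.
$logons = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $data['LogonType']
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
        Status      = $data['Status']      # only present on 4625
    }
}

"`n== Failed logons by source address (top 10) =="
$logons | Where-Object Id -eq 4625 | Group-Object SourceIp |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name | Format-Table -AutoSize

"`n== Successful network / RDP logons by user and source =="
$logons | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in '3', '10' } |
    Group-Object User, SourceIp | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

"`n== Sources with 3+ failures followed by a success within 10 minutes =="
# Password guessing that eventually works shows up as a burst of 4625 and then a
# 4624 from the same address; report the first such success per source.
$bySource = $logons |
    Where-Object { $_.SourceIp -and $_.SourceIp -notin '-', '127.0.0.1', '::1' } |
    Group-Object SourceIp
foreach ($g in $bySource) {
    $fails = @($g.Group | Where-Object Id -eq 4625 | Sort-Object Time)
    $oks   = @($g.Group | Where-Object Id -eq 4624 | Sort-Object Time)
    foreach ($ok in $oks) {
        $prior = @($fails | Where-Object { $_.Time -lt $ok.Time -and $_.Time -gt $ok.Time.AddMinutes(-10) })
        if ($prior.Count -ge 3) {
            [pscustomobject]@{ SourceIp = $g.Name; User = $ok.User; Success = $ok.Time; FailuresBefore = $prior.Count }
            break
        }
    }
}
```

For a host whose Security log has already been cleared or rotated, point `Get-WinEvent` at a copied .evtx file with `-Path` instead of `-LogName`; the parsing and summaries are unchanged.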
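The last four steps of the handbook (check the registry, check startup items and scheduled tasks, check accounts, check firewall configuration) are listed without commands. The script below is an added example, not part of the original handbook, that takes one snapshot of those locations and writes each to a CSV under a timestamped folder so the findings can be diffed against a known-good host or a later snapshot. It assumes Windows PowerShell 5.1 (the `Microsoft.PowerShell.LocalAccounts`, `ScheduledTasks` and `NetSecurity` modules) on Windows 8 / Server 2012 or later and an elevated prompt; the set of Run keys is the common one, not an exhaustive list of autostart locations, and the output folder under `$env:TEMP` is my choice.

```powershell
# Added example (not from the original handbook): snapshot of autostart keys,
# scheduled tasks, local accounts and firewall rules. Assumes PowerShell 5.1 on
# Windows 8 / Server 2012+, run elevated.
$out = Join-Path $env:TEMP ('ir_snapshot_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Run / RunOnce keys for the machine and the current user (common set, not exhaustive).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            # Skip the PS* bookkeeping properties Get-ItemProperty adds.
            if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}
$autoruns | Export-Csv -NoTypeInformation (Join-Path $out 'run_keys.csv')

# 2. Enabled scheduled tasks with the action each one runs. Microsoft's own tasks
#    live under \Microsoft\; anything outside that path is reviewed first.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        [pscustomobject]@{
            Path      = $t.TaskPath
            Name      = $t.TaskName
            Author    = $t.Author
            RunAs     = $t.Principal.UserId
            Execute   = $a.Execute
            Arguments = $a.Arguments
        }
    }
} | Export-Csv -NoTypeInformation (Join-Path $out 'scheduled_tasks.csv')

# 3. Local accounts and local Administrators membership.
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description |
    Export-Csv -NoTypeInformation (Join-Path $out 'local_users.csv')
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass |
    Export-Csv -NoTypeInformation (Join-Path $out 'local_admins.csv')

# 4. Firewall profile state, then every enabled inbound allow rule with its port and program.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Export-Csv -NoTypeInformation (Join-Path $out 'firewall_profiles.csv')
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Name      = $_.DisplayName
        Profile   = [string]$_.Profile
        Protocol  = $pf.Protocol
        LocalPort = ($pf.LocalPort -join ',')
        Program   = $af.Program
    }
} | Export-Csv -NoTypeInformation (Join-Path $out 'firewall_inbound_allow.csv')

"Snapshot written to $out"
```

Run it once when the host is built and again during the response, then compare the two folders with `Compare-Object` on each CSV; a new Run value, a task outside \Microsoft\, an extra local administrator, or an inbound allow rule for an unexpected program each shows up as a single differing row.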

