Wednesday, February 27, 2013

Microsoft DOS find command

Command Description

The Microsoft reference, with additional examples, collected on one page for my own reference.

Find

Searches for a specific string of text in a file or files. After searching the specified file or files, find displays any lines of text that contain the specified string.


Syntax

find [/v] [/c] [/n] [/i] "string" [[Drive:][Path]FileName[...]]

Parameters


/v Displays all lines that do not contain the specified string.
/c Counts the lines that contain the specified string and displays the total.
/n Precedes each line with the file's line number.
/i Specifies that the search is not case-sensitive.
"string" Required. Specifies the group of characters that you want to search for. You must enclose string in quotation marks (that is, "string").
[Drive:][Path]FileName Specifies the location and name of the file in which to search for the specified string.
/? Displays help at the command prompt.

Remarks

Specifying a string
If you do not use /i, find searches for exactly what you specify for string. For example, the find command treats the characters "a" and "A" differently. If you use /i, however, find is not case-sensitive and treats "a" and "A" as the same character.
If the string you want to search for contains quotation marks, you must use two quotation marks for each quotation mark contained within the string (that is, "StringContaining""QuotationMarks").
Using find as a filter
If you omit a file name, find acts as a filter, taking input from the standard input source (usually the keyboard, a pipe, or a redirected file) and then displaying any lines that contain string.
Ordering command syntax
You can type parameters and command-line options for the find command in any order.
Using wildcards
You cannot use wildcards (that is, * and ?) in file names or extensions that you specify with the find command. To search for a string in a set of files that you specify with wildcards, you can use the find command in a for command.
Using /v or /n with /c
If you use /c and /v in the same command line, find displays a count of the lines that do not contain the specified string. If you specify /c and /n in the same command line, find ignores /n.
Using find with carriage returns
The find command does not recognize carriage returns. When you use find to search for text in a file that includes carriage returns, you must limit the search string to text that can be found between carriage returns (that is, a string that is not likely to be interrupted by a carriage return). For example, find does not report a match for the string "tax file" wherever a carriage return occurs between the word "tax" and the word "file."

Examples
To display all lines from Pencil.ad that contain the string "Pencil Sharpener", type:
find "Pencil Sharpener" pencil.ad
To find a string that contains text within quotation marks, you must first enclose the entire string in quotation marks. Second, you must use two quotation marks for each quotation mark contained within the string. To find "The scientists labeled their paper "for discussion only." It is not a final report." in Report.doc, type:
find "The scientists labeled their paper ""for discussion only."" It is not a final report." report.doc
If you want to search for a set of files, you can use the find command with the for command. To search the current directory for files that have the extension .bat and that contain the string "PROMPT," type:
for %f in (*.bat) do find "PROMPT" %f
To search your hard disk to find and display the file names on drive C that contain the string "CPU," use the pipe (|) to direct the results of a dir command to find as follows:
dir c:\ /s /b | find "CPU"
Because find searches are case-sensitive and dir produces uppercase output, you must either type the string "CPU" in uppercase letters or use the /i command-line option with find.

Additional Examples

To show only established connections in the netstat output (the trailing 1 is an interval, so netstat redisplays every second until you press CTRL+C):

netstat -ano 1 | find /i "Established"

To show all netstat connection results, excluding lines that contain the string 127.0.0.1:

netstat -ano | find /v "127.0.0.1"

This counts the lines in autoexec.bat that contain the string "REM" (because of /c, only the total is displayed, not the lines themselves):

find /c "REM" c:\autoexec.bat
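As an added example (my own script, not part of the Microsoft reference or of this post), the following batch file combines several of the points above: a for loop standing in for the wildcard that find cannot take, /i versus a case-sensitive search, the ERRORLEVEL that find sets (0 when a line matched, 1 when none did, 2 on an error such as a missing file), and /c with and without /v. It creates three constructed sample .bat files in a scratch folder under %TEMP% and removes them at the end, so it can be run as-is.

```batch
@echo off
setlocal

:: Scratch folder holding constructed sample files (not files from the original post).
set "WORK=%TEMP%\find_demo"
mkdir "%WORK%" 2>nul
pushd "%WORK%"

:: one.bat: contains PROMPT in upper case and one REM line
(
  echo PROMPT $p$g
  echo REM set the path
  echo echo hello
) > one.bat
:: two.bat: no "prompt" at all, two REM lines
(
  echo echo nothing to see
  echo REM comment
  echo REM another comment
) > two.bat
:: three.bat: "prompt" in lower case only, no REM lines
(
  echo prompt $t
) > three.bat

echo === Files containing PROMPT, case-sensitive ===
:: find does not expand wildcards itself, so for feeds it one file per call.
:: find sets ERRORLEVEL 0 when a line matched and 1 when none did,
:: so the match list can be built without showing the matching lines.
for %%F in (*.bat) do (
    find "PROMPT" %%F >nul
    if not errorlevel 1 echo match: %%F
)

echo === Files containing PROMPT, with /i ===
:: With /i, three.bat (lower-case "prompt") is reported as well.
for %%F in (*.bat) do (
    find /i "PROMPT" %%F >nul
    if not errorlevel 1 echo match: %%F
)

echo === REM lines per file ===
:: Given a file name, find /c prefixes the count with "---------- FILENAME:".
:: Piping the file through find instead yields the bare number, which for /f can capture.
for %%F in (*.bat) do (
    for /f %%C in ('type %%F ^| find /c "REM"') do echo %%F: %%C
)

echo === Lines in two.bat that do NOT contain REM ^(/v with /c^) ===
type two.bat | find /v /c "REM"

popd
rd /s /q "%WORK%"
endlocal
```

Expected output: the case-sensitive pass lists only one.bat, the /i pass lists one.bat and three.bat, the per-file REM counts are 1, 2 and 0, and the final /v /c count for two.bat is 1.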

Thursday, February 21, 2013

Enabling debug logging for the Net Logon service

Currently I am using this tool from Microsoft, Account Lockout and Management Tools, to trace and track which systems or users are having account lockout problems, whether caused by the user or by worm_Conficker.

After downloading the executable file, extract it to any folder. Before using the tool, you need to activate debug logging on your Domain Controller.

To activate it, you need to set a registry value on your Domain Controller. Here is the link to the Microsoft web page.

In short -> set the DBFlag value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters to the hexadecimal value 2080FFFF to enable logging, or 0 to disable it.

Or you can use the nltest command to enable and disable Net Logon debug logging. Remember to restart the Netlogon service after enabling or disabling the debug logging.


Enable debug logging -> nltest /dbflag:0x2080ffff
Disable debug logging -> nltest /dbflag:0x0

Stop Net Logon Service -> net stop netlogon
Start Net Logon Service -> net start netlogon


Nltest is included as part of Windows Server 2008 and is also available as part of the Support Tools packages on the installation media for Windows Server 2003, Windows XP, and Windows 2000. 

The netlogon.log file is normally in the debug folder of the Windows directory (%windir%\debug\netlogon.log) on the Domain Controller where you enabled debug logging.

To delete the netlogon.log file after debugging, stop the Netlogon service first, delete the file, and then start the service again. The commands to do so, run from the debug folder, are as follows.

net stop netlogon
del netlogon.log
net start netlogon
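As an added example (my own script, not from Microsoft or from the tool's documentation), the following batch file wraps the enable, disable and clean-up steps above and adds a report step that uses the find command from the earlier post to pull lockout-related lines out of netlogon.log. It assumes the default log path %windir%\debug\netlogon.log and relies on Netlogon writing the NTSTATUS code of each failed logon into the log; 0xC000006A (STATUS_WRONG_PASSWORD) and 0xC0000234 (STATUS_ACCOUNT_LOCKED_OUT) are the standard Windows status codes, not values taken from this post. Run it from an elevated prompt on the Domain Controller.

```batch
@echo off
setlocal
:: Assumed default location of the Netlogon debug log.
set "LOG=%windir%\debug\netlogon.log"

if /i "%~1"=="on" (
    :: Same flag value as the DBFlag registry setting, then restart so it takes effect.
    nltest /dbflag:0x2080ffff
    net stop netlogon
    net start netlogon
    goto :eof
)

if /i "%~1"=="off" (
    :: Turn logging off, remove the log while the service is stopped, start it again.
    nltest /dbflag:0x0
    net stop netlogon
    if exist "%LOG%" del "%LOG%"
    net start netlogon
    goto :eof
)

if /i "%~1"=="report" (
    if not exist "%LOG%" (
        echo %LOG% not found - enable logging with "%~nx0 on" first
        exit /b 1
    )
    :: Optional second argument narrows the report to one account or machine name.
    echo === Logons rejected for a wrong password ^(0xC000006A^) ===
    if "%~2"=="" (
        find /i "0xC000006A" "%LOG%"
    ) else (
        type "%LOG%" | find /i "0xC000006A" | find /i "%~2"
    )
    echo === Logons refused because the account is locked out ^(0xC0000234^) ===
    if "%~2"=="" (
        find /i "0xC0000234" "%LOG%"
    ) else (
        type "%LOG%" | find /i "0xC0000234" | find /i "%~2"
    )
    :: Totals: piping through find /c prints only the count.
    echo === Total wrong-password entries ===
    type "%LOG%" | find /i /c "0xC000006A"
    echo === Total locked-out entries ===
    type "%LOG%" | find /i /c "0xC0000234"
    goto :eof
)

echo usage: %~nx0 on ^| off ^| report [user-or-computer-name]
exit /b 1
```

Use "report" without a second argument to see every failed logon the log has recorded, or with an account name to see only that account, which is usually enough to spot the workstation that keeps presenting a stale password.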