
Native Windows Forensic Commands for Incident Response — When You Have Nothing but the OS

20 May 2026 · Incident Response · 9 min read

[Figure: Volatile data capture with native Windows commands. Processes: tasklist, wmic (what is running now). Network: netstat, ipconfig (who it is talking to). Users: query user, net session (who is logged in). Persistence: schtasks, sc query (what survives reboot). DNS cache: ipconfig /displaydns (where it resolved to). Order matters, since volatile data disappears on reboot: capture processes and network first, then users and sessions, then persistence, then DNS, then services. All commands below run in CMD or PowerShell with no extra tools required.]

You are on a call with a sysadmin. A server is behaving strangely — unexpected outbound connections, high CPU, a user account that logged in at 3 AM. The sysadmin thinks it is compromised. You need them to capture volatile data before anyone reboots the machine or runs cleanup.

They do not have KAPE. They do not have EZTools or Velociraptor. They have a command prompt and PowerShell.

This is not the ideal scenario. Every forensic tool in the Practical IR toolkit setup is superior to native commands for its specific purpose. But the ideal scenario requires pre-deployment, and most organizations have not deployed forensic collection tools to every server. When the call comes in, you work with what is available.

Here are the native Windows commands that capture the volatile evidence you need, in the order you need to run them.

Processes — what is running right now

Running processes are the most volatile evidence on the system. A reboot destroys them. A scheduled task might terminate them. Capture these first.

The baseline command:

tasklist /V > C:\IR\processes.txt

This gives you every running process with PID, session, memory usage, and status. But it does not give you the parent process or the command line — the two fields that matter most for investigation.

For parent-child relationships and full command lines, use PowerShell:

Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate | Export-Csv C:\IR\processes_detail.csv -NoTypeInformation

What you are looking for: processes running from unusual paths (C:\Users\Public, C:\ProgramData, \AppData\Local\Temp), processes with encoded PowerShell command lines (-enc or -EncodedCommand), and processes whose parent does not match the expected chain (e.g., cmd.exe spawned by winword.exe).
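One way to apply those three checks to the exported CSV, as an added example that is not part of the original post. The path, Office-application and shell lists are assumed heuristics, and the sample rows are constructed.

```powershell
# Added triage helper, not from the original post. Reads the rows exported by
# Get-CimInstance Win32_Process (Import-Csv C:\IR\processes_detail.csv) and flags
# unusual paths, encoded PowerShell and unexpected Office -> shell parent chains.
function Get-SuspiciousProcess {
    param([Parameter(Mandatory)][object[]]$Rows)

    # Assumed heuristics; extend for the environment being triaged.
    $badPaths   = '\\Users\\Public\\', '\\ProgramData\\', '\\AppData\\Local\\Temp\\'
    $officeApps = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
    $shells     = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe'
    # -e, -ec, -enc or -EncodedCommand followed by a base64-looking argument
    $encoded    = '\s-e(c|n\w*)?\s+[A-Za-z0-9+/=]{16,}'

    # Index rows by PID so each process can be joined to its parent's name.
    $byPid = @{}
    foreach ($r in $Rows) { $byPid[[string]$r.ProcessId] = $r }

    foreach ($r in $Rows) {
        $reasons    = @()
        $cmd        = [string]$r.CommandLine        # empty for protected/system processes
        $parent     = $byPid[[string]$r.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }

        foreach ($p in $badPaths) { if ($cmd -match $p) { $reasons += 'unusual-path'; break } }
        if ($cmd -match $encoded) { $reasons += 'encoded-powershell' }
        if ($officeApps -contains $parentName -and $shells -contains $r.Name) {
            $reasons += "office-parent:$parentName"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ProcessId = $r.ProcessId; Name = $r.Name; Parent = $parentName
                Reasons = ($reasons -join ','); CommandLine = $cmd
            }
        }
    }
}

# Constructed sample in the column layout of processes_detail.csv (the base64 is a placeholder).
$sampleCsv = @'
ProcessId,ParentProcessId,Name,CommandLine,CreationDate
1204,800,explorer.exe,C:\Windows\Explorer.EXE,20260519090000.000000+000
4812,1204,WINWORD.EXE,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE /n,20260520031402.000000+000
5120,4812,cmd.exe,cmd.exe /c powershell -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB,20260520031415.000000+000
6004,900,updater.exe,C:\Users\Public\updater.exe --silent,20260520031500.000000+000
'@
Get-SuspiciousProcess -Rows ($sampleCsv | ConvertFrom-Csv) | Format-Table -AutoSize
```

Run it against the real export with `Get-SuspiciousProcess -Rows (Import-Csv C:\IR\processes_detail.csv)`; a parent shown as `<exited>` means the parent had already terminated when the capture ran, which is itself worth noting.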

Network connections — who is the machine talking to

Active network connections tell you whether the machine is communicating with attacker infrastructure right now.

netstat -anob > C:\IR\network.txt

The -b flag shows the executable associated with each connection (it requires an elevated prompt). The -o flag shows the PID. The -n flag prevents DNS resolution (which would add network traffic and slow the capture).

For a structured output you can filter:

Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, @{N='Process';E={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name}} | Export-Csv C:\IR\tcp_connections.csv -NoTypeInformation

What you are looking for: established connections to external IP addresses on unusual ports, connections from processes that should not have network access, and listening ports that do not match the server's role.
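An added example (not from the original post) that applies those three filters to the rows of tcp_connections.csv. The expected-port list for the server's role, the list of processes that should not have network access, and the sample rows are assumptions.

```powershell
# Added triage helper, not from the original post. Reads the rows exported by
# Get-NetTCPConnection (Import-Csv C:\IR\tcp_connections.csv) and flags external
# established connections, unusual remote ports and listeners outside the role's port set.
function Get-SuspiciousConnection {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [int[]]$ExpectedListenPorts = @(),       # ports this server's role should expose
        [int[]]$CommonRemotePorts   = @(80, 443),
        [string[]]$NoNetworkProcesses = @('winword', 'excel', 'powerpnt', 'notepad')
    )
    # RFC 1918, loopback, link-local and wildcard addresses count as internal here.
    $internal = '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|0\.0\.0\.0$|::1$|::$|fe80:)'

    foreach ($r in $Rows) {
        $reasons = @()
        if ($r.State -eq 'Established' -and $r.RemoteAddress -notmatch $internal) {
            $reasons += 'external-established'
            if ($CommonRemotePorts -notcontains [int]$r.RemotePort) { $reasons += 'unusual-port' }
            if ($NoNetworkProcesses -contains $r.Process) { $reasons += 'process-should-not-network' }
        }
        if ($r.State -eq 'Listen' -and $ExpectedListenPorts -notcontains [int]$r.LocalPort) {
            $reasons += 'unexpected-listener'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Process = $r.Process; Pid = $r.OwningProcess; State = $r.State
                Local   = "$($r.LocalAddress):$($r.LocalPort)"
                Remote  = "$($r.RemoteAddress):$($r.RemotePort)"
                Reasons = ($reasons -join ',')
            }
        }
    }
}

# Constructed sample in the column layout of tcp_connections.csv (documentation IP ranges).
$sampleCsv = @'
LocalAddress,LocalPort,RemoteAddress,RemotePort,State,OwningProcess,Process
10.0.5.12,49712,198.51.100.23,8088,Established,5168,powershell
10.0.5.12,49713,10.0.5.40,445,Established,4,System
10.0.5.12,49720,203.0.113.9,443,Established,4812,winword
0.0.0.0,3389,0.0.0.0,0,Listen,1100,svchost
0.0.0.0,8443,0.0.0.0,0,Listen,6004,updater
::,135,::,0,Listen,960,svchost
'@
# A file server that should only expose RPC, SMB and RDP:
Get-SuspiciousConnection -Rows ($sampleCsv | ConvertFrom-Csv) -ExpectedListenPorts 135, 445, 3389 |
    Format-Table -AutoSize
```

The Process column is empty wherever Get-Process failed during capture, so an empty name on an external connection is a row to look at, not one to skip.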

Capture the DNS cache before it ages out:

ipconfig /displaydns > C:\IR\dns_cache.txt

This records every DNS resolution the machine has made recently. If the machine resolved a command-and-control domain, the evidence is here — but only until the TTL expires or the cache flushes.

Logged-in users and sessions

query user > C:\IR\users.txt

This shows interactive sessions — who is logged on right now, whether the session is active or disconnected, and how long it has been idle. An unexpected RDP session from an unknown user or at an unusual hour is an immediate red flag.

For network sessions (who is connecting to shared resources):

net session > C:\IR\sessions.txt

Persistence — what survives reboot

If an attacker has persistence, they have already modified the system to maintain access. The evidence is less volatile than processes and network connections, but you should still capture it before remediation begins.

Scheduled tasks:

schtasks /query /fo CSV /v > C:\IR\scheduled_tasks.csv

Services:

sc query state= all > C:\IR\services.txt

Or in PowerShell with more detail:

Get-Service | Select-Object Name, DisplayName, Status, StartType | Export-Csv C:\IR\services_detail.csv -NoTypeInformation

Startup items:

Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Export-Csv C:\IR\startup.csv -NoTypeInformation

What you are looking for: scheduled tasks created in the last 30 days with unusual actions (PowerShell execution, binary paths outside Program Files), services in unusual locations, and startup entries pointing to temp directories.
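An added example (not from the original post) that runs those heuristics over the rows of scheduled_tasks.csv and startup.csv, and drops the header rows that schtasks /fo CSV /v repeats for every task folder. The script-host, temp-directory and system-directory patterns are assumptions, and the sample rows are constructed.

```powershell
# Added triage helper, not from the original post. Checks the "Task To Run" column of
# scheduled_tasks.csv and the Command column of startup.csv for script hosts or encoded
# PowerShell, user-writable directories, and binaries outside the Windows/Program Files trees.
function Get-SuspiciousPersistence {
    param([object[]]$Tasks = @(), [object[]]$Startup = @())
    $scriptHost = '\b(powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b|\s-e(c|n\w*)?\s'
    $tempDirs   = '\\(Temp|Public|ProgramData)\\|\\AppData\\'
    $systemDirs = '^"?(C:\\Windows\\|C:\\Program Files( \(x86\))?\\|%(windir|SystemRoot|ProgramFiles)%)'

    function Test-Command([string]$cmd) {
        $reasons = @()
        if ($cmd -match $scriptHost) { $reasons += 'script-host-or-encoded' }
        if ($cmd -match $tempDirs)   { $reasons += 'user-writable-path' }
        # "COM handler" tasks carry no path; everything else should start in a system tree.
        if ($cmd -and $cmd -ne 'COM handler' -and $cmd -notmatch $systemDirs) { $reasons += 'outside-system-dirs' }
        ,$reasons
    }
    # schtasks /fo CSV /v repeats its header line for every task folder; drop those rows.
    foreach ($t in ($Tasks | Where-Object { $_.TaskName -ne 'TaskName' })) {
        $reasons = Test-Command $t.'Task To Run'
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Source = 'Task'; Name = $t.TaskName; RunAs = $t.'Run As User'
                               Reasons = ($reasons -join ','); Command = $t.'Task To Run' }
        }
    }
    foreach ($s in $Startup) {
        $reasons = Test-Command $s.Command
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Source = 'Startup'; Name = $s.Name; RunAs = $s.User
                               Reasons = ($reasons -join ','); Command = $s.Command }
        }
    }
}

# Constructed samples with only the columns used (schtasks /v emits many more); the
# repeated header row in the task sample reproduces the schtasks CSV quirk.
$tasksCsv = @'
TaskName,Author,Task To Run,Run As User
\Microsoft\Windows\Defrag\ScheduledDefrag,Microsoft Corporation,%windir%\system32\defrag.exe -c -h -o -$,SYSTEM
TaskName,Author,Task To Run,Run As User
\Updater,SRV01\svc_backup,powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB,SYSTEM
'@
$startupCsv = @'
Name,Command,Location,User
SecurityHealth,%windir%\system32\SecurityHealthSystray.exe,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Public
svchost,C:\Users\Public\svchost.exe,Startup,SRV01\jdoe
'@
Get-SuspiciousPersistence -Tasks ($tasksCsv | ConvertFrom-Csv) -Startup ($startupCsv | ConvertFrom-Csv) |
    Format-Table -AutoSize
```

Hits on AppData paths still need a human decision, since legitimate per-user updaters live there; the goal is to shrink the list to review, not to issue a verdict.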

The complete capture script

Here is every command above assembled into a single script. Create C:\IR\ first, then run:

$out = "C:\IR"
New-Item -ItemType Directory -Path $out -Force | Out-Null
$ts = Get-Date -Format "yyyyMMdd_HHmmss"

# Volatile — capture first
tasklist /V > "$out\01_processes_$ts.txt"
Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate | Export-Csv "$out\02_process_detail_$ts.csv" -NoTypeInformation
netstat -anob > "$out\03_network_$ts.txt"
Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, @{N='Process';E={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name}} | Export-Csv "$out\04_tcp_connections_$ts.csv" -NoTypeInformation
ipconfig /displaydns > "$out\05_dns_cache_$ts.txt"

# Users and sessions
query user > "$out\06_users_$ts.txt"
net session > "$out\07_sessions_$ts.txt" 2>&1

# Persistence
schtasks /query /fo CSV /v > "$out\08_scheduled_tasks_$ts.csv"
Get-Service | Select-Object Name, DisplayName, Status, StartType | Export-Csv "$out\09_services_$ts.csv" -NoTypeInformation
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Export-Csv "$out\10_startup_$ts.csv" -NoTypeInformation

Write-Host "Capture complete: $out"

Numbered file prefixes enforce the capture order. The timestamp in each filename proves when the evidence was collected — chain of custody starts here.

What native commands cannot do

Native commands capture what is running and what is connected. They do not parse binary forensic artifacts (MFT, prefetch, registry hives, event logs). They do not capture memory. They do not provide the structured timeline analysis that EZTools produces from raw artifacts.

Think of native commands as the triage layer — they tell you whether the machine is compromised and what the attacker is doing right now. The forensic tools in the IR toolkit setup give you the investigation layer — the timeline, the artifacts, the evidence that answers how the attacker got in and what they accessed.

If you want to build the complete responder's toolkit — KAPE for evidence collection, EZTools for parsing, Velociraptor for enterprise-scale hunting, and native commands for the scenarios where nothing else is available — the first two modules of Practical Incident Response are free and cover all of it.

Next week: KQL queries for Entra ID sign-in log analysis — the queries SOC analysts paste into Google and what they actually mean.

Ridgeline Cyber Defence Written by security practitioners. Published weekly on Tuesdays.
