Check for abnormal symptoms
A sluggish or hung system, crashes or unexplained reboots, high CPU and memory usage, network congestion or loss of connectivity, free disk space shrinking sharply for no apparent reason: from symptoms like these you can form a first guess at what the system is facing, then confirm it with the commands below and keep the output as evidence.
View basic system information on Windows (OS version and build, installed hotfixes, last boot time, domain membership and network adapters; the hotfix list tells you which known vulnerabilities are still open on the box)
PS C:\Users\bobac\Desktop> systeminfo
View CPU and memory consumption on Windows
In Task Manager (the screenshot that accompanied this step is not reproduced here) click the CPU or memory column header to sort in descending order; or use the command below, which dumps every process with its session, memory usage, owning user, CPU time and window title to a file you can keep and diff later:
PS C:\Users\bobac\Desktop> tasklist /V > 1.txt
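The same triage from the shell, as an added example that is not code from the original page: rank processes by CPU consumed during a short sampling window (the CPU column of Get-Process is cumulative, so a long-running idle process can outrank a miner that started an hour ago), then check fixed-disk free space and recently written large files for the "disk filling up for no reason" symptom. It assumes PowerShell 4.0 or later, an elevated session for -IncludeUserName (drop that switch if you are not admin), and an arbitrary 5-second sampling window.

```powershell
# Added example, not code from the original page. Assumptions: PowerShell 4.0+,
# elevated session (for -IncludeUserName), 5-second sampling window.

function Get-TopProcess {
    param([int]$Top = 10, [int]$SampleSeconds = 5)

    # First snapshot of cumulative CPU seconds per PID.
    # CPU is $null when access is denied (System, csrss, ...); the cast makes that 0.
    $before = @{}
    Get-Process | ForEach-Object { $before[$_.Id] = [double]$_.CPU }
    Start-Sleep -Seconds $SampleSeconds

    Get-Process -IncludeUserName | ForEach-Object {
        $start = if ($before.ContainsKey($_.Id)) { $before[$_.Id] } else { 0 }
        [pscustomobject]@{
            PID      = $_.Id
            Name     = $_.ProcessName
            User     = $_.UserName
            # Percentage of total machine CPU used during the window.
            'CPU%'   = [math]::Round(100 * ([double]$_.CPU - $start) / $SampleSeconds / $env:NUMBER_OF_PROCESSORS, 1)
            'WS(MB)' = [math]::Round($_.WorkingSet64 / 1MB, 1)
            Path     = $_.Path     # empty for protected processes; a missing path on a busy process is itself a lead
        }
    } | Sort-Object 'CPU%' -Descending | Select-Object -First $Top
}

function Get-DiskUsage {
    # Fixed disks only (DriveType 3): removable and network drives are noise here.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
        [pscustomobject]@{
            Drive      = $_.DeviceID
            'Size(GB)' = [math]::Round($_.Size / 1GB, 1)
            'Free(GB)' = [math]::Round($_.FreeSpace / 1GB, 1)
            'Free%'    = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
        }
    }
}

Get-TopProcess | Format-Table -AutoSize
Get-DiskUsage  | Format-Table -AutoSize

# Largest files written in the last day on the system drive. Newly appeared
# multi-GB archives or logs under user-writable paths are what to look for.
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } |
    Sort-Object Length -Descending |
    Select-Object -First 15 FullName, @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } }, LastWriteTime
```

Redirect the output to a file the same way the page does with tasklist /V so that a second run an hour later can be compared against it.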
View network communication on Windows
Intrusion point anomaly triage
Check connections
netstat -a lists all sockets, -o adds the owning PID and -b adds the executable name; -b requires an elevated prompt. Note that -b prints the executable on its own line in square brackets, so piping through findstr TCP as below keeps only the socket lines with their PIDs and discards the executable names; run it without the filter (or use netstat -ano and map the PID yourself) when you need them. In the output below everything is LISTENING on standard Windows ports (135 RPC, 139/445 SMB, 49152-49157 dynamic RPC); an ESTABLISHED connection to an unfamiliar remote address, or a listener owned by a process that is not a Windows service, is what to chase.
PS C:\Users\bobac\Desktop> netstat -abo | findstr TCP
TCP 0.0.0.0:135 WIN-8JQH4CQEJIR:0 LISTENING 708
TCP 0.0.0.0:445 WIN-8JQH4CQEJIR:0 LISTENING 4
TCP 0.0.0.0:49152 WIN-8JQH4CQEJIR:0 LISTENING 376
TCP 0.0.0.0:49153 WIN-8JQH4CQEJIR:0 LISTENING 760
TCP 0.0.0.0:49154 WIN-8JQH4CQEJIR:0 LISTENING 884
TCP 0.0.0.0:49155 WIN-8JQH4CQEJIR:0 LISTENING 484
TCP 0.0.0.0:49156 WIN-8JQH4CQEJIR:0 LISTENING 1716
TCP 0.0.0.0:49157 WIN-8JQH4CQEJIR:0 LISTENING 492
TCP 172.16.204.128:139 WIN-8JQH4CQEJIR:0 LISTENING 4
TCP [::]:135 WIN-8JQH4CQEJIR:0 LISTENING 708
TCP [::]:445 WIN-8JQH4CQEJIR:0 LISTENING 4
TCP [::]:49152 WIN-8JQH4CQEJIR:0 LISTENING 376
TCP [::]:49153 WIN-8JQH4CQEJIR:0 LISTENING 760
TCP [::]:49154 WIN-8JQH4CQEJIR:0 LISTENING 884
TCP [::]:49155 WIN-8JQH4CQEJIR:0 LISTENING 484
TCP [::]:49156 WIN-8JQH4CQEJIR:0 LISTENING 1716
TCP [::]:49157 WIN-8JQH4CQEJIR:0 LISTENING 492
PS C:\Users\bobac\Desktop>
Check the process
Take the PID from the netstat output (1716 here) and find the process behind it. findstr matches 1716 anywhere on the line, including inside other PIDs or memory figures, so tasklist /FI "PID eq 1716" is the exact form; the grep is fine for a quick look.
PS C:\Users\bobac\Desktop> tasklist | findstr 1716
svchost.exe 1716 Services 0 18,232 K
PS C:\Users\bobac\Desktop>
Check the service
svchost.exe on its own tells you nothing; tasklist /SVC shows which services each PID hosts. PID 1716 below is PolicyAgent, the IPsec policy agent, so this listener is legitimate. An svchost.exe that hosts no service, runs from outside System32, or hosts a service name you do not recognise is suspicious.
PS C:\Users\bobac\Desktop> tasklist /SVC
Image Name                PID      Services
========================= ======== ============================================
System Idle Process       0        N/A
System                    4        N/A
smss.exe                  244      N/A
csrss.exe                 324      N/A
wininit.exe               376      N/A
services.exe              484      N/A
lsass.exe                 492      SamSs
lsm.exe                   500      N/A
svchost.exe               600      DcomLaunch, PlugPlay, Power
vmacthlp.exe              668      VMware Physical Disk Helper Service
svchost.exe               708      RpcEptMapper, RpcSs
svchost.exe               760      AudioSrv, Dhcp, eventlog, lmhosts, wscsvc
svchost.exe               852      AudioEndpointBuilder, CscService, Netman,
                                   PcaSvc, TrkWks, UxSms
svchost.exe               884      Appinfo, Browser, gpsvc, IKEEXT, iphlpsvc,
                                   LanmanServer, ProfSvc, Schedule, SENS,
                                   ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe               272      EventSystem, netprofm, nsi, sppuinotify,
                                   WdiServiceHost
svchost.exe               496      CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc
spoolsv.exe               1144     Spooler
svchost.exe               1172     BFE, DPS, MpsSvc
VGAuthService.exe         1332     VGAuthService
vmtoolsd.exe              1392     VMTools
svchost.exe               1668     bthserv
svchost.exe               1716     PolicyAgent
TPAutoConnSvc.exe         1808     TPAutoConnSvc
dllhost.exe               1988     COMSysApp
msdtc.exe                 1212     MSDTC
WmiPrvSE.exe              1064     N/A
SearchIndexer.exe         2888     WSearch
svchost.exe               2896     FontCache
sppsvc.exe                1868     sppsvc
ManagementAgentHost.exe   2492     VMwareCAFManagementAgentHost
svchost.exe               904      WinDefend
csrss.exe                 3656     N/A
winlogon.exe              3668     N/A
taskhost.exe              2708     N/A
dwm.exe                   3844     N/A
explorer.exe              3836     N/A
TPAutoConnect.exe         3212     N/A
conhost.exe               3980     N/A
vmtoolsd.exe              2500     N/A
cmd.exe                   2744     N/A
conhost.exe               2768     N/A
PCHunter64.exe            1068     N/A
taskmgr.exe               1352     N/A
powershell.exe            3360     N/A
conhost.exe               2640     N/A
notepad.exe               2652     N/A
tasklist.exe              3356     N/A
PS C:\Users\bobac\Desktop>
Check loaded DLLs
tasklist /M lists every module loaded into every process. Compare the paths against the normal system locations and look for DLLs loaded from user-writable directories (temp, profile or web-root folders), which is how injected or side-loaded code shows up. This one was run from a cmd.exe prompt in System32:
C:\Windows\system32>tasklist /M > 2.txt
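The connection -> process -> service -> loaded modules walk above, done in one pass as an added example (not code from the original page) so you do not have to cross-read netstat, tasklist | findstr and tasklist /SVC by hand. It assumes an elevated PowerShell 5.1 or later on Windows 8 / Server 2012 or newer, where Get-NetTCPConnection exists and module listing of SYSTEM processes is allowed; on the Windows 7-era host shown on the page use netstat -abo as above instead. The PID 1716 at the bottom is taken from the page's example and nothing else.

```powershell
# Added example, not code from the original page. Assumptions: elevated
# PowerShell 5.1+ on Windows 8 / Server 2012 or later; target PID 1716 from the page.

function Get-ServiceMap {
    # PID -> list of service names, straight from the SCM (the data tasklist /SVC prints).
    $map = @{}
    Get-CimInstance Win32_Service -Filter "State='Running'" | ForEach-Object {
        $p = [int]$_.ProcessId
        if (-not $map.ContainsKey($p)) { $map[$p] = @() }
        $map[$p] += $_.Name
    }
    $map
}

function Get-SocketOwner {
    param([string[]]$State = @('Listen', 'Established'))
    $svc = Get-ServiceMap
    Get-NetTCPConnection | Where-Object { $_.State -in $State } | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local    = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
            Remote   = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            State    = $_.State
            PID      = $_.OwningProcess
            Process  = $proc.ProcessName
            Path     = $proc.Path                                  # empty for protected processes
            Services = ($svc[[int]$_.OwningProcess] -join ',')     # empty if the PID hosts no service
        }
    }
}

function Test-Svchost {
    # A real svchost.exe is started by services.exe, lives in System32 and hosts
    # at least one service. Flag any instance that fails one of those checks.
    $svc = Get-ServiceMap
    $servicesPid = (Get-Process -Name services).Id
    Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
        $flags = @()
        if ($_.ParentProcessId -ne $servicesPid) { $flags += 'parent is not services.exe' }
        if ($_.ExecutablePath -ne "$env:SystemRoot\System32\svchost.exe") { $flags += 'unexpected path' }
        if (-not $svc.ContainsKey([int]$_.ProcessId)) { $flags += 'hosts no service' }
        [pscustomobject]@{
            PID   = $_.ProcessId
            Path  = $_.ExecutablePath
            Flags = ($flags -join '; ')
        }
    }
}

# 1. Live outbound connections with their owner; an unknown remote plus an odd process is the starting point.
Get-SocketOwner -State Established | Sort-Object Remote | Format-Table -AutoSize

# 2. Every svchost that does not look like a real one (empty output is the good case).
Test-Svchost | Where-Object Flags | Format-Table -AutoSize

# 3. Modules loaded into the PID picked in step 1, keeping only those outside the
#    Windows directory. This is tasklist /M narrowed to one process.
$targetPid = 1716
(Get-Process -Id $targetPid -ErrorAction Stop).Modules |
    Where-Object { $_.FileName -notlike "$env:SystemRoot\*" } |
    Select-Object ModuleName, FileName
```

The .Modules property can only be read for processes of the same bitness as the shell, so run this from a 64-bit PowerShell on a 64-bit host; a PID that returns nothing for step 3 when it plainly has sockets open is worth inspecting with a tool such as the PCHunter seen in the process list.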
Check logs
Process and logon logs
Path: C:\Windows\System32\winevt\Logs. Each .evtx file is one log; Security.evtx holds the logon and process-creation events and System.evtx the service and log-clearing events. The files can be copied off the host and read offline.
Logon log: in the Security log, event ID 4624 (logon success) and 4625 (logon failure); the logon type field separates console (2), network (3) and RDP (10) logons, and the source address field says where a remote logon came from. Process creation is event ID 4688 and only appears if process-creation auditing is enabled.
System log: service installs (event ID 7045), service start/stop failures and event ID 104 when the log itself was cleared.
Service logs or web logs
Forward the event logs to a syslog or SIEM collector so that an attacker who clears the local logs does not erase the evidence; web logs are ordinary files and can be analysed with automated tools.
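Pulling the logon and process-creation records above out of Security.evtx with Get-WinEvent, as an added example that is not code from the original page. It assumes an elevated PowerShell 5.1 or later (the Security log is not readable otherwise), a 24-hour window, and the standard Windows event IDs: 4624 logon success, 4625 logon failure, 4688 process creation (present only if "Audit Process Creation" is enabled, with the CommandLine field only if "Include command line in process creation events" is also enabled), 1102 audit log cleared and 104 system log cleared. The list of suspect process names is my own starting point, not something the page defines.

```powershell
# Added example, not code from the original page. Assumptions: elevated
# PowerShell 5.1+, 24-hour window, standard Security/System event IDs.

function Get-EventFields {
    # Flatten <EventData><Data Name="..."> into a hashtable keyed by field name,
    # so nothing depends on positional Properties[] indexes that differ by OS build.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $x.Event.EventData.Data) {
        if ($d.Name) { $h[$d.Name] = $d.'#text' }
    }
    $h
}

$since = (Get-Date).AddHours(-24)
# To read a copied log instead of the live one, add Path='X:\case\Security.evtx'
# to the filter hashtables below (path is an assumption).

# 1. Remote logons only: type 3 = network (SMB/RPC/WinRM), 10 = RDP. Local and loopback noise removed.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        $result = if ($_.Id -eq 4624) { 'OK' } else { 'FAIL' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Result  = $result
            User    = '{0}\{1}' -f $f.TargetDomainName, $f.TargetUserName
            Type    = $f.LogonType
            Source  = $f.IpAddress
            Station = $f.WorkstationName
        }
    } | Where-Object { $_.Type -in '3', '10' -and $_.Source -notin '-', '127.0.0.1', '::1' }

# Many FAILs followed by one OK from the same source and user is the brute-force / password-spray shape.
$logons | Group-Object Source, User, Result | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 | Format-Table -AutoSize

# 2. Process creation: who started shells, script hosts and living-off-the-land binaries, from which parent.
$suspects = 'powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $f.SubjectUserName
            Process = $f.NewProcessName
            Parent  = $f.ParentProcessName   # populated on Windows 10 / Server 2016 and later only
            Cmd     = $f.CommandLine         # populated only with command-line auditing enabled
        }
    } | Where-Object { $_.Process -match $suspects } | Format-Table -Wrap

# 3. Were the logs themselves cleared? 1102 in Security, 104 in System. Either one is a finding on its own.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

-ErrorAction SilentlyContinue only hides the "no events found" error Get-WinEvent raises when a filter matches nothing; an empty result in step 1 on a server that accepts RDP means the audit policy is off or the log was rotated, not that nobody logged in, which is exactly why the page asks for syslog forwarding.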