Getting a list of logical and physical drives from the command line


It’s often useful to know what logical and physical drives are available to Windows, and sometimes this needs to be done from the command line.

Logical drives

Here’s a handy command to return a list of logical drives in Windows.

The Win32_LogicalDisk WMI class represents a data source that resolves to an actual local storage device on a computer system running Windows. While Caption, Description, DriveType, ProviderName, and VolumeName are useful in most cases, more properties are available, and a complete list is available at The output will be formatted as a table, the properties will be the column headings, and they will be placed into alphabetical order.

Caption is the drive letter of the logical disk. The Name property also returns the drive letter.

Description is the type of disk. For example: Local Fixed Disk, CD-ROM Disc, or Removable Disk.

DriveType is returned as an integer that corresponds to the type of disk drive the logical disk represents (and this matches the Description, making DriveType sort of superfluous).

0 = Unknown
1 = No Root Directory
2 = Removable Disk
3 = Local Disk
4 = Network Drive
5 = Compact Disc
6 = RAM Disk

ProviderName is the network path to the logical device.

VolumeName is the volume name of the logical disk.

Physical drives

And here is a command to return a list of physical drives.

The Win32_DiskDrive WMI class represents a physical disk drive as seen by a computer running Windows. Like the Win32_LogicalDisk WMI class, it has lots of properties, as listed at

For simplicity, though, and ease of reading in command window, wmic diskdrive list brief /format:list does the trick, particularly in combination with wmic logicaldisk.

118 total views, 4 views today

Shutdown or Wake Up a PC on a LAN



Shutdown or Wake Up a PC on a LAN

In addition to serving as a host, a LAN (or local area network) also gives users a certain amount of control over the PCs that are connected to a network. Included in this is the ability to turn a computer on or off from a remote location.

This article will explain how to use the Shutdown command to turn off a computer remotely as well as how to use the WakeOnLan standard to wake or boot a PC.

This method was tested using a Windows XP Professional computer.

Remotely Shutdown a Computer on a LAN

In order to control a computer remotely, please note that you must be connected to the same local network as the target PC. You must also know the username and password required for login.

The first step is to open TCP port 445 on the target computer. To do this, open your Start menu and then go to Settings > Control Panel > Security Center.

Open Windows Firewall and click the Exceptions tab.

Select the line that reads File Sharing and printers and press OK. If this line is missing, click Add Port and choose TCP port 445 .

Next, head to Start > Settings > Control Panel > System. Select the Remote tab and check the option that reads Allow users to connect remotely to this computer.

It is now time to open the command prompt.

Head to Start/Run or use the keyboard shortcut Windows + R. Next, type cmd and then hit OK. This will open your command prompt.

To obtain the necessary rights to run a shutdown command on the target machine, you must first run the net use command. Use the Windows + R keyboard shortcut and then enter net use \\ip_address_of_target_machine. Enter an administrator username and password for the target computer to connect to the target PC.

Once connected to the target PC, we can run the shutdown command. An example of the command is given below, whereby instructions are given for the target computer to close all active applications and shutdown after 30 seconds of inactivity. Please note that you can substitute any of the variables according to your network or PC specifics:

-s: Shutdown the PC

-f: Force active applications to close without warning

-t xx: Set a countdown in seconds

-m \\ The IP address of the target computer

The GUI is available by typing shutdown -i.

For any additional information about this command, type shutdown /?.

The WakeOnLAN Command

WakeOnLAN, as the name already suggests, is a tool that can boot or wake a computer by sending a Magic Packet to the network adapter of the target computer. It is important to note that not all network cards and BIOS are compatible with, or support, the use of Magic Packet.

In order to use the WakeOnLAN command, you must be connected to the same local area network (LAN) as the target computer. Knowledge of the physical location (MAC) and IP address of the target computer is also required.

Retrieve IP and MAC Address

The first step is to retrieve the IP address and MAC address of the target computer. To do this, go to Start/Run or use the keyboard shortcutWindows + R and type cmd > OK.

The command prompt will open. Now type ipconfig /all:

Copy the IP and physical (MAC) address of the target PC.

Compatibility Checks

It’s now time to check if your network card is compatible with Magic Packets. To do this, right-click on My Computer and click Manage. Next, go to Device Manager/Network Cards and do a right-click on your Network Card. Then click Properties.

Do a search for the following words and verify that all options that relate to them are currently active: Magic Packet, Wake On Magic Packet, Wake On Lan, or Wake. If none of these words appear, you may be required to update the drivers for your Network Card.

To see if your computer is BIOS compatible, enter the BIOS when you start the computer. You can do this by pressing ESC, F2, F5, F12 or DEL (depending on your system).

Once in the BIOS, go Power Options and enable Wake-On-LAN, or any similar option:

Open Port 8900

You can open Port 8900 in the same way as you would Port 445.

Wake On LAN (WOL)

Start by downloading the Symantec WOL tool on the source computer. Launch the tool and then fill in the empty fields using the information gathered above.

Mac Address: MAC address (the target machine)

Internet Address: Local IP address (target machine)

Subnet Mask:

Send Options: Local Subnet

Remote Port Number: 8900

Click the button: Wake Me Up

Once the packet has been received, the target computer will boot:

161 total views, 5 views today

Restore corrupt files. DISM for SFC replacement.


Thought I would share this little gem I just found out about. I have always used the System File Checker in Windows to detect and (sometimes) repair corrupted system files. Although, at times, it finds files that it cannot repair. This is when things get aggravating and I would have to skim over the CBS.log file in order to find what file was corrupt and try to manually replace it.

Today, I came across this issue and decided to do some searching. I found a command that I had never before been introduced to:
DISM /Online /Cleanup-Image /RestoreHealth

The Development Image Servicing and Management tool ! With the specified /online switch, it recovers corrupted files for the OS that is currently running. No more, inserting installation disks and searching for the file or searching through backups.

As you can see in the attached screen shot, my SFC found a corrupt file and was unable to restore it. I ran the DISM and it recovered the corrupted file. Another SFC afterwards confirmed, no more corrupted system files.

I hope that this helps and excites some of you like it did me. For those of you who already knew about it… don’t rub it in!

Have a wonderful Weekend!

585 total views, no views today

Exploiting Wildcards On Linux/Unix



DefenseCode released an advisory in which researcher Leon Juranic details security issues related to using wildcards in Unix commands. The topic has been talked about in the past on the Full Disclosure mailing list, where some people saw this more as a feature than as a bug.

There are clearly a number of potential security issues surrounding this, so Mr. Juranic provided five actual exploitation examples that stress out the risks accompanying practice of using the * wildcard with Linux/Unix commands.

The issue can be manifested by using specific options in chown, tar, rsync etc. By using specially crafted filenames, an attacker can inject arbitrary arguments to shell commands run by other users – root as well.

One of the examples provided is the tar arbitrary command execution. The binary has two options that can be used for poisoning:

display progress messages every NUMBERth record (default 10)

execute ACTION on each checkpoint

By using tar with these options, a specified action can be used after a checkpoint. This action could be a malicious shell script that could be used for executing arbitrary commands under the user who starts tar. “Tricking” root to use the specific options is quite easy, and that’s where the wildcard comes in handy.

Running tar cf archive.tar * on a folder with these files seems pretty straightforward and benign.

[root@defensecode public]# ls -al
drwxrwxrwx. 2 user user 4096 Oct 28 19:34 .
drwx——. 24 user user 4096 Oct 28 18:32 ..
-rw-rw-r–. 1 user user 20480 Oct 28 19:13 admin.php
-rw-rw-r–. 1 user user 34 Oct 28 17:47 ado.php
-rw-rw-r–. 1 user user 187 Oct 28 17:44 db.php
-rw-rw-r–. 1 user user 201 Oct 28 17:43 download.php

The problem arises if the user created a couple of fake files and a shell script that contains any arbitrary command.

[root@defensecode public]# ls -al
drwxrwxrwx. 2 user user 4096 Oct 28 19:34 .
drwx——. 24 user user 4096 Oct 28 18:32 ..
-rw-rw-r–. 1 user user 20480 Oct 28 19:13 admin.php
-rw-rw-r–. 1 user user 34 Oct 28 17:47 ado.php
-rw-r–r–. 1 leon leon 0 Oct 28 19:19 –checkpoint=1
-rw-r–r–. 1 leon leon 0 Oct 28 19:17 –checkpoint-action=exec=sh
-rw-rw-r–. 1 user user 187 Oct 28 17:44 db.php
-rw-rw-r–. 1 user user 201 Oct 28 17:43 download.php
-rwxr-xr-x. 1 leon leon 12 Oct 28 19:17

By using the * wildcard in the tar command, these files will be understood as passed options to the tar binary and will be executed as root.

The advisory in question details other similar exploitation methods. Also, around the same time when Mr. Juranic informed us about his work, another researcher posted to the Full Disclosure mailing list a similarly themed research focused on exploiting wildcards.

Is there a workaround? To quote the most upvoted post on a recent Reddit thread regarding wildcard exploitation: “./* Done”.

438 total views, no views today