Documentation & Tools →
Sign In
Free Reference

Native Windows Forensic Commands for Incident Response

When KAPE can't be deployed and EZ Tools aren't installed, the OS still ships with everything you need for the first 15 minutes.

Volatile data capture with cmd and PowerShell — running processes with command lines and parent relationships, active network connections mapped to process, logged-in users, DNS cache, scheduled tasks, services, registry Run keys, WMI persistence, and event logs. Every command below is grouped by the investigation question it answers, with what it proves and what to look for in the output.

You're on a call with a panicking sysadmin. A server is behaving strangely and they think it's compromised. You need volatile data — running processes, network connections, logged-in users — before anyone reboots. They don't have KAPE. They don't have EZ Tools. They have a command prompt and PowerShell. What do you tell them to run?

Every dedicated forensic tool is superior to native commands for its specific purpose. KAPE's two-pass collection captures locked files native commands can't touch. EZ Tools parse binary artifacts into structured timelines native commands can't produce. But tools require deployment, and every deployment step can be blocked: application whitelisting (AppLocker, WDAC) blocks unknown binaries, USB ports may be disabled by Group Policy, change management may prohibit deploying software to production without a 24–48 hour approval, and during an insider investigation, visible forensic tools alert the subject.

Native Windows commands work in all of those scenarios. They're built into the OS, they execute regardless of application whitelisting because they're signed Microsoft binaries, they require no file transfer, and they leave minimal footprint. They provide the evidence for the first 15 minutes: the triage that decides whether this is a false positive, an active incident needing immediate containment, or a historical compromise needing full preservation. The experienced responder knows both — the optimal dedicated tool AND the native fallback when that tool can't be deployed.

Process investigation: what is running and who spawned it?

Process data is the most volatile native evidence. Processes terminate constantly — the process running when you logged in may be gone five minutes later. Collect it first.

# Complete process inventory with command lines and parent relationships
# Native equivalent of Volatility PsList + CmdLine + PsTree
$processes = Get-CimInstance Win32_Process | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)" -ErrorAction SilentlyContinue
    $owner = try { $_.GetOwner() } catch { $null }
    [PSCustomObject]@{
        PID            = $_.ProcessId
        Name           = $_.Name
        PPID           = $_.ParentProcessId
        ParentName     = if ($parent) { $parent.Name } else { "N/A (exited)" }
        CommandLine    = $_.CommandLine
        ExecutablePath = $_.ExecutablePath
        Owner          = if ($owner) { "$($owner.Domain)\$($owner.User)" } else { "N/A" }
        CreationDate   = $_.CreationDate
        SessionId      = $_.SessionId
    }
}
$processes | Export-Csv "C:\IR\Evidence\processes_native.csv" -NoTypeInformation

What to look for:

Suspicious parent-child relationships. Normal patterns are well documented: services.exe spawns svchost.exe, explorer.exe spawns user applications, cmd.exe and powershell.exe spawn what the user launched. Suspicious: outlook.exe spawning powershell.exe (phishing payload execution, T1566.001), svchost.exe spawning cmd.exe (svchost rarely spawns shells), wmiprvse.exe spawning powershell.exe (WMI lateral movement, T1047), rundll32.exe with no parent or an unusual one (injection staging, T1218.011).

Processes running from unusual paths. Legitimate system processes run from C:\Windows\System32\ or C:\Program Files\. An svchost.exe running from C:\Users\Public\ or C:\ProgramData\ is almost certainly a payload named after a legitimate process to avoid casual detection (T1036.005, masquerading).

Encoded PowerShell command lines. A powershell.exe process with -enc, -encodedcommand, -nop -w hidden, or Base64 strings in the command line is a strong indicator. Legitimate administrative PowerShell rarely uses encoded commands with hidden windows.

Worked finding — adapt for your IR reports

Finding: Native process inventory identified svchost.exe (PID 7284) running from C:\ProgramData\Microsoft\Crypto\svchost.exe with parent wmiprvse.exe (PID 3012). The legitimate svchost.exe resides in C:\Windows\System32\. The executable path and the WMI parent indicate a masquerading payload launched via WMI remote execution.

Doesn't prove

What the payload does, when it was first deployed, or who initiated the WMI command.

Next step

Collect the binary for hash analysis. Check network connections for PID 7284 to identify C2. Query the WMI event log for the originating system.

# CMD fallback if PowerShell is restricted or unavailable
tasklist /v /fo csv > C:\IR\Evidence\tasklist.csv
wmic process get processid,parentprocessid,name,commandline,executablepath,creationdate /format:csv > C:\IR\Evidence\wmic_processes.csv

Network investigation: who is this system talking to?

# Active connections mapped to owning process (Volatility NetScan equivalent)
Get-NetTCPConnection |
    Where-Object { $_.State -eq 'Established' -or $_.State -eq 'Listen' } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
    @{N='ProcessName'; E={(Get-Process -Id $_.OwningProcess -EA 0).ProcessName}},
    @{N='PID'; E={$_.OwningProcess}},
    @{N='ProcessPath'; E={(Get-Process -Id $_.OwningProcess -EA 0).Path}} |
    Export-Csv "C:\IR\Evidence\connections_native.csv" -NoTypeInformation
# DNS cache — recently resolved domains persist for minutes after a connection closes
Get-DnsClientCache | Select-Object Entry, RecordName, RecordType, Data, TimeToLive |
    Export-Csv "C:\IR\Evidence\dns_cache_native.csv" -NoTypeInformation
# ARP table — hosts this system has communicated with on the local network
Get-NetNeighbor | Where-Object { $_.State -ne 'Unreachable' } |
    Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias |
    Export-Csv "C:\IR\Evidence\arp_native.csv" -NoTypeInformation
# Active SMB sessions — who is connected to this system
Get-SmbSession -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName, NumOpens |
    Export-Csv "C:\IR\Evidence\smb_sessions_native.csv" -NoTypeInformation

Investigation interpretation: Cross-reference connections with the process inventory. For every Established connection to an external IP, identify the owning process by PID, check whether that process is expected to make external connections (browsers yes, svchost.exe to unknown IPs no), and check whether the remote IP resolves to a known service or an unknown VPS provider. The DNS cache adds context — domains that resolved to the remote IP reveal whether the connection is to a legitimate CDN or a suspicious host.

Worked finding

Finding: Native network inventory identified PID 7284 (svchost.exe from C:\ProgramData\) maintaining an Established TCP connection to 203.0.113.47:443. DNS cache contains an entry for update-service.northgateeng.com resolving to 203.0.113.47 — this is not a legitimate Northgate Engineering domain and uses a typosquat pattern consistent with C2 infrastructure.

Doesn't prove

What data is being exfiltrated, how long the connection has been active, or whether other endpoints talk to the same C2.

Next step

Block 203.0.113.47 at the firewall. Isolate the endpoint. Hunt for the same C2 domain across the fleet with Velociraptor or Defender XDR Advanced Hunting.

Persistence investigation: what survives a reboot?

# Scheduled tasks — the most common persistence mechanism (T1053.005)
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $info = Get-ScheduledTaskInfo -TaskName $_.TaskName -TaskPath $_.TaskPath -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        TaskName = $_.TaskName
        TaskPath = $_.TaskPath
        Actions  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join "; "
        RunAs    = $_.Principal.UserId
        LastRun  = $info.LastRunTime
    }
} | Export-Csv "C:\IR\Evidence\schtasks_native.csv" -NoTypeInformation
# Services — service persistence (T1543.003)
Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, PathName, StartName |
    Export-Csv "C:\IR\Evidence\services_native.csv" -NoTypeInformation
# Registry Run keys — autostart persistence (T1547.001)
$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($key in $runKeys) {
    if (Test-Path $key) { Get-ItemProperty $key | Out-File "C:\IR\Evidence\run_keys.txt" -Append }
}
# Local accounts and admins — attacker-created accounts / privilege escalation (T1136.001)
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, SID |
    Export-Csv "C:\IR\Evidence\local_users_native.csv" -NoTypeInformation
Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource |
    Export-Csv "C:\IR\Evidence\local_admins_native.csv" -NoTypeInformation
# WMI event subscriptions — advanced persistence (T1546.003)
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -ErrorAction SilentlyContinue |
    Select-Object Name, Query | Export-Csv "C:\IR\Evidence\wmi_filters_native.csv" -NoTypeInformation
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Select-Object Name, CommandLineTemplate | Export-Csv "C:\IR\Evidence\wmi_consumers_native.csv" -NoTypeInformation

What makes a task or service suspicious: executables running from AppData, Temp, ProgramData, Public, or user-profile directories. Names that mimic legitimate Windows tasks with slight variations ("WindowsUpdate" instead of "Windows Update"). Service binary paths containing PowerShell, CMD, mshta, wscript, cscript, or rundll32. WMI event subscriptions are particularly suspicious — legitimate applications rarely use WMI persistence, but advanced attackers frequently do (T1546.003).

Event log investigation: what happened chronologically?

# 4624 Successful logons — who logged in, when, from where, how
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-7)} -MaxEvents 2000 -EA 0 |
    Select-Object TimeCreated,
    @{N='User'; E={$_.Properties[5].Value}},
    @{N='LogonType'; E={$_.Properties[8].Value}},
    @{N='SourceIP'; E={$_.Properties[18].Value}} |
    Export-Csv "C:\IR\Evidence\logons_native.csv" -NoTypeInformation
# LogonType 2=Interactive, 3=Network, 5=Service, 10=RemoteInteractive(RDP)
# 4688 Process creation (requires audit policy) — what executed
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-1)} -MaxEvents 5000 -EA 0 |
    Select-Object TimeCreated,
    @{N='NewProcess'; E={$_.Properties[5].Value}},
    @{N='CommandLine'; E={$_.Properties[8].Value}},
    @{N='ParentProcess'; E={$_.Properties[13].Value}} |
    Export-Csv "C:\IR\Evidence\process_creation_native.csv" -NoTypeInformation
# 7045 Service installed — persistence detection
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} -MaxEvents 200 -EA 0 |
    Select-Object TimeCreated,
    @{N='ServiceName'; E={$_.Properties[0].Value}},
    @{N='ImagePath'; E={$_.Properties[1].Value}} |
    Export-Csv "C:\IR\Evidence\service_installs_native.csv" -NoTypeInformation
# 4104 PowerShell ScriptBlock logging — attacker commands in full
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents 1000 -EA 0 |
    Select-Object TimeCreated, @{N='ScriptBlock'; E={$_.Properties[2].Value}} |
    Export-Csv "C:\IR\Evidence\powershell_scripts_native.csv" -NoTypeInformation
# 1102 Audit log cleared — anti-forensics indicator
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} -MaxEvents 50 -EA 0 |
    Select-Object TimeCreated, @{N='ClearedBy'; E={$_.Properties[1].Value}} |
    Export-Csv "C:\IR\Evidence\log_cleared_native.csv" -NoTypeInformation

The bridge command: export raw .evtx for full-tool analysis

This is the single most important native IR technique. wevtutil epl exports the binary .evtx files that EvtxECmd parses with 700+ enrichment maps and Hayabusa scans with 4,000+ Sigma rules on the forensic workstation. Native collection on the restricted target feeds directly into the dedicated tool pipeline.

# Export the high-value logs as .evtx for EvtxECmd / Hayabusa analysis
$logsToExport = @(
    'Security', 'System', 'Application',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-Sysmon/Operational',
    'Microsoft-Windows-TaskScheduler/Operational'
)
foreach ($log in $logsToExport) {
    $safeName = $log -replace '[/\\ ]', '_'
    wevtutil epl $log "C:\IR\Evidence\${safeName}.evtx" 2>$null
    if ($?) { Write-Host "  Exported: $log" -ForegroundColor Green }
}

Native commands versus dedicated tools

What native commands give you that tools don't: immediate availability on any Windows system, no deployment approval, no file transfer, no whitelisting bypass. The fastest path from "alert received" to "evidence collected" — 30 seconds to run a collection script versus 5–10 minutes to deploy and run KAPE.

What dedicated tools give you that native commands don't: raw disk access for locked files (native commands can't copy the $MFT or active registry hives while the OS runs — wevtutil epl exports a copy, not the locked original), binary artifact parsing (Prefetch, Amcache, ShimCache need PECmd and AmcacheParser), structured timeline output, and enterprise-scale collection across the fleet.

The production workflow when tools can't be deployed: run native collection on the restricted target (30 seconds), transfer the output to the forensic workstation, parse the exported .evtx with EvtxECmd and Hayabusa (2–5 minutes), then analyze the native CSVs alongside the parsed logs in Timeline Explorer. This hybrid gives 80–90% of a full KAPE + EZ Tools pipeline: native collection on the target, dedicated analysis on the workstation.

Anti-Pattern

"Native Windows commands aren't forensically useful — you need proper forensic tools." Native commands can't access locked files, can't parse binary artifacts, and can't produce structured timeline output. But they CAN collect running processes with command lines and parents, active connections with process attribution, scheduled tasks, services, Run keys, local accounts, WMI subscriptions, DNS cache, firewall rules, and event logs — 60–70% of what initial triage and containment decisions require. When the choice is native collection now versus dedicated collection in two hours (after approval, transfer, and setup), native wins. Start native for immediate triage. Follow with KAPE when available for the rest.

From collecting evidence to proving what happened

These commands collect the volatile state. Turning that into a defensible account of an intrusion — correlating execution, filesystem, registry, and event-log artifacts into a timeline you can stand behind — is the method taught in Cloud Incident Response (execution and persistence, filesystem and registry, event log analysis) and Windows Endpoint Investigation (the full artifact-by-artifact reconstruction). Start the free IR modules →