查看表征异常
系统卡慢、宕机、CPU和内存占用高、网络拥塞或断网、磁盘空余空间无理由大幅度缩小等,根据以上表征,可以初步猜测系统面临的问题。
windows 下查看系统基本信息
PS C:UsersobacDesktop> systeminfo
windows 下查看CPU和内存消耗:
根据下图可以进行倒序排列
或者使用命令
PS C:UsersobacDesktop> tasklist /V > 1.txt
windows 下查看网络通信情况
入侵点异常排查
看连接
PS C:UsersobacDesktop> netstat -abo | findstr TCP
TCP 0.0.0.0:135 WIN-8JQH4CQEJIR:0 LISTENING 708
TCP 0.0.0.0:445 WIN-8JQH4CQEJIR:0 LISTENING 4
TCP 0.0.0.0:49152 WIN-8JQH4CQEJIR:0 LISTENING 376
TCP 0.0.0.0:49153 WIN-8JQH4CQEJIR:0 LISTENING 760
TCP 0.0.0.0:49154 WIN-8JQH4CQEJIR:0 LISTENING 884
TCP 0.0.0.0:49155 WIN-8JQH4CQEJIR:0 LISTENING 484
TCP 0.0.0.0:49156 WIN-8JQH4CQEJIR:0 LISTENING 1716
TCP 0.0.0.0:49157 WIN-8JQH4CQEJIR:0 LISTENING 492
TCP 172.16.204.128:139 WIN-8JQH4CQEJIR:0 LISTENING 4
TCP [::]:135 WIN-8JQH4CQEJIR:0 LISTENING 708
TCP [::]:445 WIN-8JQH4CQEJIR:0 LISTENING 4
TCP [::]:49152 WIN-8JQH4CQEJIR:0 LISTENING 376
TCP [::]:49153 WIN-8JQH4CQEJIR:0 LISTENING 760
TCP [::]:49154 WIN-8JQH4CQEJIR:0 LISTENING 884
TCP [::]:49155 WIN-8JQH4CQEJIR:0 LISTENING 484
TCP [::]:49156 WIN-8JQH4CQEJIR:0 LISTENING 1716
TCP [::]:49157 WIN-8JQH4CQEJIR:0 LISTENING 492
PS C:UsersobacDesktop>
看进程
PS C:UsersobacDesktop> tasklist | findstr 1716
svchost.exe 1716 Services 0 18,232 K
PS C:UsersobacDesktop>
看服务
PS C:UsersobacDesktop> tasklist /SVC
映像名称 PID 服务
========================= ======== ============================================
System Idle Process 0 暂缺
System 4 暂缺
smss.exe 244 暂缺
csrss.exe 324 暂缺
wininit.exe 376 暂缺
services.exe 484 暂缺
lsass.exe 492 SamSs
lsm.exe 500 暂缺
svchost.exe 600 DcomLaunch, PlugPlay, Power
vmacthlp.exe 668 VMware Physical Disk Helper Service
svchost.exe 708 RpcEptMapper, RpcSs
svchost.exe 760 AudioSrv, Dhcp, eventlog, lmhosts, wscsvc
svchost.exe 852 AudioEndpointBuilder, CscService, Netman,
PcaSvc, TrkWks, UxSms
svchost.exe 884 Appinfo, Browser, gpsvc, IKEEXT, iphlpsvc,
LanmanServer, ProfSvc, Schedule, SENS,
ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe 272 EventSystem, netprofm, nsi, sppuinotify,
WdiServiceHost
svchost.exe 496 CryptSvc, Dnscache, LanmanWorkstation,
NlaSvc
spoolsv.exe 1144 Spooler
svchost.exe 1172 BFE, DPS, MpsSvc
VGAuthService.exe 1332 VGAuthService
vmtoolsd.exe 1392 VMTools
svchost.exe 1668 bthserv
svchost.exe 1716 PolicyAgent
TPAutoConnSvc.exe 1808 TPAutoConnSvc
dllhost.exe 1988 COMSysApp
msdtc.exe 1212 MSDTC
WmiPrvSE.exe 1064 暂缺
SearchIndexer.exe 2888 WSearch
svchost.exe 2896 FontCache
sppsvc.exe 1868 sppsvc
ManagementAgentHost.exe 2492 VMwareCAFManagementAgentHost
svchost.exe 904 WinDefend
csrss.exe 3656 暂缺
winlogon.exe 3668 暂缺
taskhost.exe 2708 暂缺
dwm.exe 3844 暂缺
explorer.exe 3836 暂缺
TPAutoConnect.exe 3212 暂缺
conhost.exe 3980 暂缺
vmtoolsd.exe 2500 暂缺
cmd.exe 2744 暂缺
conhost.exe 2768 暂缺
PCHunter64.exe 1068 暂缺
taskmgr.exe 1352 暂缺
powershell.exe 3360 暂缺
conhost.exe 2640 暂缺
notepad.exe 2652 暂缺
tasklist.exe 3356 暂缺
PS C:UsersobacDesktop>
看动态链接库
C:Windowssystem32>tasklist /M > 2.txt
看日志
进程日志和登录日志
路径 C:WindowsSystem32winevtLogs
登录日志
系统日志
服务日志或WEB日志
请配置syslog,WEB日志也是文件,可以使用自动化分析工具
看注册表
查看启动项和计划任务
看账户
看防火墙配置
