[QueryCorner][August2022] Live Response - Five Basics for Windows

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


This post is to highlight response actions that an operator of the Sophos Central XDR tools may encounter. These response actions will be used on XDR with the full Intercept X engine or in our future launch of the XDR Sensors.

We will cover (5) key actions that you may perform daily or in an incident response activity:

  1. Windows Firewall
  2. Registry Keys
  3. Modify Processes
  4. Programs
  5. Services
  6. Bonus Commands

We are going to focus on working out of Powershell.

You can run native commands from Live Response within the Windows Command Prompt utility, you can use their reference of available commands.


You must have XDR enabled in your environment. This is entirely a Live Discover query.

This is intended for Windows only.

To call Powershell, you can perform the simple command: "powershell.exe"

Windows Firewall

View Firewall Enabled Profiles Get-NetFirewallProfile -Enabled True
Enable Domain, Private, & Public Profiles Set-NetFirewallProfile -Enabled True
View Firewall Enabled Rules Get-NetFirewallRule -Enabled True
Remove Firewall Rule by Name Remove-NetFirewallRule -Display Name
Remove Firewall Rule by Program Remove-NetFirewallRule -Program "C:\Programs FIles\Some\App.exe"
Reset Firewall Settings to Default (New-Object -ComObject HNetCfg.FwPolicy2).RestoreLocalFirewallDefaults()


Create Registry Property New-ItemProperty -Path 'HKLM:\Software\Policies\Some\Path' -Name 'SomeName' -Value "value" -PropertyType propertyType -Force
Remove Registry Property Remove-ItemProperty -Path 'HKLM:\\Software\Policies\Some\Path' -Name 'SomeName'
Remove Registry Key Remove-Item -Path 'HKLM:\\Software\Policies\Some\Path' -Name 'SomeName'


Stop Process by name Stop-Process -Name Name
Stop Process by wildcard Stop-Process -Name Name*
Stop Process by PID Stop-Process -Id PID


Get List of Programs Get-WmiObject -Class Win32_Product | Select-Object -Property Name
Get Program Name via Search $someProgram =Get-WmiObject -Class Win32_Product | Where-Object{$_.Name -eq "someProgram"}
Get Program Name via ID $someProgram = Get-WmiObject -Class Win32_Product -Filter “IdentifyingNumber = ‘{XXXXXXXX-XXXX-XXXX-XXX}'”
Stop Process by PID $someProgram.Uninstall()
Get List of Packages Get-Package -Provider Programs -IncludeWindowsInstaller
Uninstall-Package Uninstall-Package -Name Name


Show Services Get-Service
Stop Service by name Stop-Service -Name Name
Stop Services by wildcard Stop-Service -Name Name, "Name*"
Stop Service with Console Output Stop-Service -Name Name -PassThru
Stop Service by Display Name Stop-Service -DisplayName "Display Name"
Stop Service Force Stop-Service -DisplayName "Display Name" -Force
Remove Service Using Name Remove-Service -Name "Name"
Remove Service Using Display Name Remove-Service -DisplayName "Display Name"


Restart Machine Restart-Computer
Delete Files Remove-Item C:\Some\Path\to\name.file
Delete Any Document that does not have a 1 in its name Remove-Item * -Include *.docs -Exclude *1*
Delete CSV Files From Subfolders in Current Path Get-ChildItem * -Include *.csv -Recursive | Remove-Item


Happy querying!


Added Disclaimer
[edited by: GlennSen at 3:49 PM (GMT -7) on 5 Apr 2023]