Under Review

Live Response - Investigating other devices

Given the scenario where you have a number of computers at a site and in the same subnet, it may be possible to perform some remote diagnostics. Some example PowerShell commands are included below that could be used as-is or modified as needed.

Finding all other hosts that are replying to ping, for example:

workflow Sweep { foreach -parallel -throttlelimit 4 ($i in 1..255) {ping -n 1 -w 100 192.168.0.$i}}; Sweep | Select-String ttl

Adjust the IP as required, in the above case it will ping -, showing a list of devices that reply. E.g.

Reply from bytes=32 time=8ms TTL=64
Reply from bytes=32 time=13ms TTL=64
Reply from bytes=32 time=23ms TTL=64
Reply from bytes=32 time<1ms TTL=128
Reply from bytes=32 time=74ms TTL=64
Reply from bytes=32 time=69ms TTL=64
Reply from bytes=32 time=80ms TTL=64

To check open TCP ports for a particular device ( on say the above list:

138,139,445,902,3389,4444 | % {$tcp= new-object system.net.sockets.tcpclient; $w = $tcp.beginConnect("",$_,$null,$null); ($w.asyncwaithandle.waitone(100,$false)); if ($tcp.Connected){echo "$_ is open"}} | select-string " "

Might print for example:

139 is open
445 is open
3389 is open

For all ports, which would take a while:

1..65536 | % {$tcp= new-object system.net.sockets.tcpclient; $w = $tcp.beginConnect("",$_,$null,$null); ($w.asyncwaithandle.waitone(100,$false)); if ($tcp.Connected){echo "$_ is open"}} | select-string " "

To see if someone is logged on to the computer you are Live Response connected to, there are a number of ways but using query.exe is pretty good:

query user

Example output might read:

user1    console     2  Active none      08/05/2020 17:41

If you need to message all the logged on users:

msg * "call me on xxxxxx"

Or just for a specific user on a multi-user system see msg /?

To consider wireless networks.  NetSh.exe can be used, for example, the following commands might be helpful:

netsh wlan show networks

netsh wlan show all


wmic printer get name,printerstate

Output example:
Name                                    PrinterState
Send To OneNote                         0
HP OfficeJet 200 Mobile Series [FDA582] 128
Microsoft XPS Document Writer           0
Microsoft Print to PDF                  0
Fax                                     0
EPSON WF-3620 Series                    0

Where: 0 = online, 128 = offline

To find the approximate location of the device from the public IP, using the web service ipinfo.io which returns a number of JSON fileds:

$(invoke-webrequest ipinfo.io).Content

Note: If the computer is using a VPN, the information will be related to the location of the VPN server the end-user is connected to. This information could be used I suppose to hint if they are using a VPN.


I will probably update this post over time with additional commands, that have proved helpful.