Bytes Suspeitos

Notes on digital forensics

Windows Variables

Standard (built-in) Variables

| Variable | Dynamic (update every time used) | Volatile (Set at Logon) | Shell Variable | User Environment Variable (SETX) | System Environment Variable (SETX /M) | Default value assuming the system drive is C: |
|---|---|---|---|---|---|---|
| ALLUSERSPROFILE | | | Y | | | C:\ProgramData. Predefined machine-wide system variable. |
| APPDATA | | Y | Y | | | C:\Users\{username}\AppData\Roaming |
| CD | Y | | Y | | | The current directory (string). |
| ClientName | | Y | Y | | | Terminal servers only - the ComputerName of a remote host. |
| CMDEXTVERSION | Y | | Y | | | The current Command Processor Extensions version number. (NT = "1", Win2000+ = "2".) |
| CMDCMDLINE | Y | | Y | | | The original command line that invoked the Command Processor. |
| CommonProgramFiles | | | Y | | | C:\Program Files\Common Files |
| COMMONPROGRAMFILES(x86) | | | Y | | | C:\Program Files (x86)\Common Files |
| COMPUTERNAME | | | Y | | | {computername} |
| COMSPEC | | | | | Y | C:\Windows\System32\cmd.exe or, if running a 32 bit WOW, C:\Windows\SysWOW64\cmd.exe. Comspec is used whenever the command shell spawns a new process, e.g. the FOR command; if comspec is not defined those processes will fail to launch. |
| DATE | Y | | Y | | | The current date using same region specific format as DATE. |
| ERRORLEVEL | Y | | Y | | | The current ERRORLEVEL value, automatically set when a program exits. |
| FPS_BROWSER_APP_PROFILE_STRING, FPS_BROWSER_USER_PROFILE_STRING | | | Y | | | Internet Explorer, Default. These are undocumented variables for the Edge browser in Windows 10. |
| HighestNumaNodeNumber | Y (hidden) | | Y | | | The highest NUMA node number on this computer. |
| HOMEDRIVE | | Y | Y | | | C: |
| HOMEPATH | | Y | Y | | | \Users\{username} |
| HOMESHARE | | Y | | | | Network home folder. |
| LOCALAPPDATA | | Y | Y | | | C:\Users\{username}\AppData\Local |
| LOGONSERVER | | Y | Y | | | \\{domain_logon_server} |
| NUMBER_OF_PROCESSORS | | | | | Y | The number of processors running on the machine. |
| OneDrive | | | | Y | | OneDrive synchronisation folder. |
| OS | | | | | Y | Operating system on the user's workstation. |
| PATH | | | | Y | Y | C:\Windows\System32\;C:\Windows\;C:\Windows\System32\Wbem;{plus program paths} |
| PATHEXT | | | | | Y | .COM; .EXE; .BAT; .CMD; .VBS; .VBE; .JS; .WSF; .WSH; .MSC. Determines the default executable file extensions to search for and use, and in which order, left to right. The syntax is like the PATH variable - semicolon separators. |
| PROCESSOR_ARCHITECTURE | | | | | Y | AMD64/IA64/x86. This doesn't tell you the architecture of the processor but only of the current process, so it returns "x86" for a 32 bit WOW process running on 64 bit Windows. |
| PROCESSOR_ARCHITEW6432 | | | | | | =%PROCESSOR_ARCHITECTURE% (but only available to 64 bit processes) |
| PROCESSOR_IDENTIFIER | | | | | Y | Processor ID of the user's workstation. |
| PROCESSOR_LEVEL | | | | | Y | Processor level of the user's workstation. |
| PROCESSOR_REVISION | | | | | Y | Processor version of the user's workstation. |
| ProgramW6432 | | | | | | =%ProgramFiles% (but only available when running under a 64 bit OS) |
| ProgramData | | | Y | | | C:\ProgramData |
| ProgramFiles | | | Y | | | C:\Program Files or C:\Program Files (x86) |
| ProgramFiles(x86) | | | Y | | | C:\Program Files (x86) (but only available when running under a 64 bit OS) |
| PROMPT | | | Y | | | Code for current command prompt format, usually $P$G (C:>) |
| PSModulePath | | | | | Y | %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\ |
| Public | | | Y | | | C:\Users\Public |
| RANDOM | Y | | | | | A random integer number, anything from 0 to 32,767 (inclusive). |
| %SessionName% | | | | | | Terminal servers only - for a terminal server session, SessionName is a combination of the connection name, followed by #SessionNumber. For a console session, SessionName returns "Console". |
| SYSTEMDRIVE | | | Y | | | C: |
| SYSTEMROOT | | | Y | | | By default, Windows is installed to C:\Windows but there's no guarantee of that; Windows can be installed to a different folder, or a different drive letter. systemroot is a predefined machine-wide read-only system variable that will resolve to the correct location. Defaults in early Windows versions are C:\WINNT, C:\WINNT35 and C:\WTSRV. |
| TEMP and TMP | | | | Y | Y | C:\Users\{Username}\AppData\Local\Temp. Under XP this was \{username}\Local Settings\Temp |
| TIME | Y | | | | | The current time using same format as TIME. |
| UserDnsDomain | | Y | | Y | | Set if a user is logged on to a domain and returns the fully qualified DNS domain that the currently logged on user's account belongs to. |
| USERDOMAIN | | Y | Y | | | {userdomain} |
| USERDOMAIN_roamingprofile | | Y | | | | The user domain for RDS or standard roaming profile paths. Windows 8/10/2012. |
| USERNAME | | Y | | | Y | Defined as "SYSTEM", resolves as {username} |
| USERPROFILE | | Y | Y | | | %SystemDrive%\Users\{username}. This is equivalent to the $HOME environment variable in Unix/Linux. |
| WINDIR | | | | | Y | Set by default as windir=%SystemRoot%. %WinDir% pre-dates Windows NT; its use in many places has been replaced by the system variable %SystemRoot%. |
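
The PATH and PATHEXT entries above together decide which file runs when a command is typed without a directory or extension. The following is an added example, not part of the original notes: a simplified model of that search order for checking a collected file inventory for shadowed executables. All function names, the `C:\Tools` folder and the listings are constructed assumptions.

```python
import ntpath

def split_list(value):
    """Split a semicolon-separated variable (PATH, PATHEXT), dropping blanks."""
    return [item.strip() for item in value.split(";") if item.strip()]

def norm(directory):
    """Case-insensitive directory key without the trailing backslash."""
    return directory.rstrip("\\").lower()

def candidates(command, path, pathext, listing, cwd=None):
    """Return every file that could satisfy `command`, in search order.

    `listing` maps norm(directory) to the file names collected from it.
    CMD looks in the current directory first, then in each PATH entry, and
    inside each directory tries the PATHEXT extensions left to right.
    """
    dirs = ([cwd] if cwd else []) + split_list(path)
    exts = split_list(pathext)
    # A name typed with a PATHEXT extension is matched exactly as typed.
    if ntpath.splitext(command)[1].upper() in [e.upper() for e in exts]:
        exts = [""]
    hits = []
    for directory in dirs:
        names = {n.lower(): n for n in listing.get(norm(directory), [])}
        for ext in exts:
            found = names.get((command + ext).lower())
            if found:
                hits.append(ntpath.join(directory.rstrip("\\"), found))
    return hits

def resolve(command, path, pathext, listing, cwd=None):
    """Return (file that runs, files it shadows); (None, []) if not found."""
    hits = candidates(command, path, pathext, listing, cwd)
    return (hits[0], hits[1:]) if hits else (None, [])

# Constructed sample data: C:\Tools is a hypothetical folder placed ahead of
# System32 in PATH; the listings stand in for a triage file inventory.
SAMPLE_PATH = r"C:\Tools;C:\Windows\System32\;C:\Windows\;C:\Windows\System32\Wbem"
SAMPLE_PATHEXT = ".COM; .EXE; .BAT; .CMD; .VBS; .VBE; .JS ; .WSF; .WSH; .MSC"
SAMPLE_LISTING = {
    norm(r"C:\Tools"): ["ping.bat", "diag.exe", "diag.com"],
    norm(r"C:\Windows\System32"): ["PING.EXE", "cmd.exe"],
}

if __name__ == "__main__":
    for name in ("ping", "ping.exe", "diag", "cmd"):
        print(name, "->", resolve(name, SAMPLE_PATH, SAMPLE_PATHEXT, SAMPLE_LISTING))
```

A non-empty second element in the result means a file earlier in the search order hides a same-named file later in it, which is worth reviewing when the earlier directory is user-writable.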

Undocumented Dynamic variables (read only)

%__APPDIR__%
The directory path to the current application .exe, terminated with a trailing backslash.
%__CD__%
The current directory, terminated with a trailing backslash.
%=C:%
The current directory of the C: drive.
%=D:%
The current directory of the D: drive if drive D: has been accessed in the current CMD session.
%DPATH%
Related to the (deprecated) DPATH command.
%=ExitCode%
The most recent exit code returned by an external command, such as CMD /C EXIT n, converted to hex.
%=ExitCodeAscii%
The most recent exit code returned by an external command, as ASCII.
%FIRMWARE_TYPE%
The boot type of the system: Legacy, UEFI, Not implemented, Unknown (Windows 8/2012).
%KEYS%
Related to the (deprecated) KEYS command.

External references


History

| Date | Version | Base/Change | Author |
|---|---|---|---|
| 06-Apr-2021 | 1.0 | Mobaxterm | CH4172 |

Note: 1096, last modified: 30-Jul-2021, topic: Windows