All Windows tools are updated to run on Windows 10.
Skip straight to tools for Windows and FreeDOS (for forensic purposes).
BrowseList retrieves the browse list on a Windows network.
CPUID shows various properties of your CPU.
Pass CrashProcess a PID, and it crashes the process if you have sufficient permissions. It can be useful for testing stuff.
DBProbe checks the directed broadcast ping amplification factor for a network.
DumpUsers can dump account names and information even though RestrictAnonymous has been set to 1.
EFSView lists the users who have ordinary decryption keys or recovery keys for an EFS encrypted file.
EtherChange can change the Ethernet address of the network adapters in Windows.
ExploreLibs is a tool for viewing the contents of LIB files.
FindIDT searches for and prints the IDTs in a physical memory dump.
GPList lists information about the applied Group Policies.
GSD (Get Service DACL) gives you the DACL (Discretionary Access Control List) of any service you specify as a command line option.
Inzider shows which processes listen at which ports. Inzider was the first tool that could do that in Windows, back in the 1990s. This updated version shows more information than before, including IPv6 information, svchost.exe service information, and the date and time each port was opened.
IPSecScan is a tool that can scan either a single IP address or a range of IP addresses looking for systems that are IPSec enabled. It was the first IPSec scanner out there.
ListDrivers lists the loaded kernel drivers.
ListModules lists the modules (EXE's and DLL's) that are loaded into a process.
ListObj prints the entire Windows object space.
LNS is a tool that searches for NTFS streams (aka alternate data streams or multiple data streams).
MACMatch lets you search for files by their last write, last access or creation time without changing any of these times.
NSCopy works as a copy command with one big difference from others. If you have the "Back up files and directories" user right, you can copy files even if you don't have any explicit permission to read them. It doesn't take ownership of the file to do it.
PEriscope is a PE file inspection tool. It works on ordinary 32-bit files as well as 64-bit and .NET ones.
PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process.
PromiscDetect checks locally if your network adapter(s) is running in promiscuous mode, which may be a sign that you have a sniffer running on your computer. It was the first tool that could do that in Windows.
Allows you to set file ownership to any account, as long as you have the "Restore files and directories" user right.
A tool that retrieves the ICCID and IMSI from a GSM SIM card.
UndeleteSMS can recover deleted SMS messages from a GSM SIM card.
Uses null sessions to remotely try to retrieve lists of and information about user accounts, workstation/interdomain/server trust accounts, shares (also hidden), sessions, logged in users, and password/lockout policy. It also identifies the built-in Administrator and Guest accounts, even if their names have been changed.
WKML (Windows Kernel Module Loader) is a tool for loading and unloading kernel modules in Windows. It can also display a list of the currently loaded modules.
WPSweep is a simple ping sweeper, that is, it pings a range of IP addresses and lists the ones that reply.
TAFT is an ATA (IDE) forensics tool that communicates directly with the ATA controller. It can retrieve various information about a hard disk, as well as look at and change the HPA and DCO settings.
Copyright © 2021 Arne Vidstrom. All Rights Reserved.