Ten Essential Windows 2000 Commands

by Æleen Frisch

Windows NT and 2000 are GUI-based operating systems. That's the way they were designed, and that's the way most people interact with them. However, many system administrators have little patience for the inflexibility and unnecessary verboseness of GUI system administration tools. Thus, it was no surprise when people often complained--quite legitimately--about the dearth of command-line ways of performing many Windows NT tasks. In many cases, you had to use the GUI or not get the job done.

This is one aspect of Windows 2000 that is much improved over the earlier operating system. As a colleague at Microsoft likes to put it, "If you think you can't do much from the command line, then you don't know Windows 2000." This is a true statement now, provided that you install all of the additional tools that are available with/for it. The most important of these is the Resource Kit, which you have to buy separately, but it's worth every penny (when installed, these files live in %SystemRoot%\Program Files\Resource Kit). In addition, be sure to install all the additional tools that come on the distribution CD:

  • \Support\Tools\Setup: Installs tools into %SystemRoot%\Program Files\Support Tools.

  • \I386\AdminPak.MSI: Installs tools into standard system software tree (i.e., under %SystemRoot%).

  • \Support\Tools\Deploy.Cab: Contains system installation automation tools which are installed manually to whatever location you desire.

  • \ValueAdd\3rdParty\Mgmt\Winstel\SwiAdmLE.MSI: Installs MSI file-related tools into %SystemRoot%\Program Files\VERITAS Software.

The first two packages are of general interest, and the second two contain tools related to automating the installation and deployment of the operating system and other software.

In this brief article, I'll introduce you to ten important Windows 2000 commands useful for system administrators and programmers (almost all of which come from the Resource Kit). The commands are divided between ones useful for streamlining and automating administration tasks and ones which bring or support new functionality to Windows 2000. They are listed in the following table (in alphabetical order within each column):

Windows Folks Start Here: Commands for Automation and Streamlining

  • dnscmd: monitor or administer DNS.

  • delsrv: remove a service.

  • forfiles: run a command on each of a set of files.

  • regfind: registry search and optional replace utility.

  • subinacl: modify ACLs from the command line.

UNIX Folks Start Here: Commands for UNIX-Like Features

  • linkd: create a reparse point (quasi-symbolic link).

  • ps.vbs and pmon: list running processes (ps and top).

  • rkill: list and terminate processes on a remote system (kill and killall for remote systems).

  • runas: execute a command as a different user (su).

  • where: find executable or matching files (which + limited find).

dnscmd: Administer DNS

The domain name service (DNS) provides the foundational network name resolution services upon which the entire Active Directory superstructure rests. The dnscmd command lets you monitor and manage the DNS service (server process) on the local system or a specified remote system. The command has the following general syntax:

dnscmd [server] /action [additional options/args]

where the first option indicates what you want the command to do, and any additional options and/or arguments supply the information required to carry it out. The command has lots of options. Several of the most important are:

  • /info: Display general information about the DNS server.

  • /statistics: Display detailed statistics about the DNS server. It can optionally be followed by a mask specifying the desired statistics (use dnscmd /statistics /help to get a list), or by /clear to reset all counters. For example, the following command lists the server uptime and memory use statistics:

    C:\> dnscmd /statistics 00010001
    DNS Server . statistics:
    DNS Server Time Statistics
    Server start time    4/10/2001 3:21:18 PM
    Seconds since start       87495
    Stats last cleared   4/10/2001 3:21:18 PM
    Seconds since clear       87495
    Memory Stats:
       Total Memory    =      58332
       Alloc Count     =       5881
       Free Count      =       5636

  • /zoneinfo: Display information about the DNS zone given as the next argument.

  • /restart: Restart the DNS server process on the specified computer.

  • /clearcache: Clear the name cache on the specified server.

  • /zoneadd: One of many options used to configure the DNS server. This one adds a new zone to its control. For example, the following command causes the local system to become a secondary server for the zone, specifying the host dalton as the primary server for that zone:

    C:\> dnscmd /zoneadd /secondary dalton

See the command documentation for more information. You may also be interested in the netsh command, which performs many other networking and network service-related tasks from the command line.

delsrv: Remove a Service

Windows 2000 services are generally quite easy to administer and to install. Many applications install them automatically, and the Resource Kit's instsrv command provides a wizard for doing the same job. You can even use the srvany facility to make almost any application run as a service. The one thing that was hard to do was to remove a service. The delsrv command does just that. You specify the service to be removed as its argument. For example, the following command removes the Remote Kill service (which supports the rkill command):

C:\> net stop "remote process killer"
C:\> delsrv "remote process killer"

You can use the sclist command to get the official names for installed services:

C:\> sclist
- Service list for Local Machine
running     Alerter                  Alerter
stopped     AppMgmt                  Application Management
running     Browser                  Computer Browser  
running     Remote Process Killer    Remote Process Killer

forfiles: Process a Set of Files

The forfiles command is a new addition to the Windows NT/2000 scripting language. It executes a command on each of a set of files. It has the general syntax:

forfiles options -c"command"

where the initial options specify the desired set of files and the -c option indicates the command to run. All of the options are optional; forfiles without any arguments displays the names of all files in the current directory.

These are the most useful options:

  • -pdir: Specify the starting directory (defaults to the current directory).

  • -s: Recurse subdirectories.

  • -mstring: Filename matching specification (defaults to *.*).

  • -d±date-or-number: Select only files modified before(-)/after(+) the specified date (format: mmddyyyy) or number of days ago.

  • -c"command": Command to run on each matching file found (defaults to "cmd /c echo @FILE"). The following case-sensitive constructs can be used within the command to include various parts of the filename and other information within it: @FILE, @FNAME_WITHOUT_EXT, @EXT, @PATH, @RELPATH, @ISDIR, @FSIZE, @FDATE, and @FTIME.

Let's look at some examples. The following command prints the name of each file having an extension of .raw anywhere under the current directory:

C:\> forfiles -s -m*.raw

The following command changes the extension for all .raw files on drive E: to .dat:

C:\> forfiles -pe:\ -s -m*.raw -c"cmd /c ren @FILE @FNAME_WITHOUT_EXT.dat"

The following command removes all files under F:\Scratch but leaves subdirectories alone:

C:\> forfiles -pf:\scratch -s -m*.* -c"cmd /c if @ISDIR==FALSE del @FILE"

The following command runs the indicated Perl script on each .c file in the current directory:

C:\> forfiles -m*.c -c" @FILE"

Unix folks will see similarities between forfiles and the Unix foreach (C shell) and find commands.

linkd: Create a Link

Windows 2000 introduces a new filesystem construct known as reparse points in its new version of NTFS. These entities are somewhat similar to Unix symbolic links, although they operate only on directories (folders) and not on individual files. The linkd command may be used to create such a link to a folder or drive, taking the link name and then the target directory as its arguments. For example, the following command creates C:\RK as a link to C:\Program Files\Resource Kit:

C:\> linkd c:\rk "c:\program files\resource kit"

RK looks like this in directory listings:

 Volume in drive C is System
 Volume Serial Number is 40F8-C78D

Directory of C:\

04/09/2001  04:10p      <DIR>          Documents and Settings
04/09/2001  04:18p      <DIR>          Program Files
04/12/2001  09:48a      <JUNCTION>     RK
04/11/2001  04:10p      <DIR>          temp
04/11/2001  03:34p      <DIR>          WINNT
               0 File(s)              0 bytes
               5 Dir(s)   1,459,015,680 bytes free

(A junction is the name given to a reparse point linking to a subdirectory.)

Be aware that you must use the delrp command to remove a reparse point and not the normal del command (which is interpreted as applying to the target in most contexts).
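The recursive forfiles delete shown earlier and the caveat above meet when a scratch tree contains a junction. The following Python sketch is an added example, not part of the original article or the Resource Kit: it plans a cleanup without ever crossing a link and reports each link so it can be removed with delrp. The function names and the constructed directory tree are assumptions, and a symbolic link stands in for the junction so the demo runs on any platform.

```python
import os
import stat
import tempfile

def is_link(path):
    """True for an NTFS reparse point (junction) or, elsewhere, a symbolic link."""
    info = os.lstat(path)  # lstat inspects the link itself, never its target
    attrs = getattr(info, "st_file_attributes", 0)  # populated on Windows only
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT) or stat.S_ISLNK(info.st_mode)

def plan_cleanup(root):
    """Walk `root` without crossing links; return (files_to_delete, links_found)."""
    files, links, pending = [], [], [root]
    while pending:
        with os.scandir(pending.pop()) as entries:
            for entry in entries:
                if is_link(entry.path):
                    links.append(entry.path)  # report it; do not descend or delete
                elif entry.is_dir(follow_symlinks=False):
                    pending.append(entry.path)
                else:
                    files.append(entry.path)
    return sorted(files), sorted(links)

def demo():
    """Constructed tree: scratch/rk links to a directory that must survive."""
    with tempfile.TemporaryDirectory() as top:
        scratch = os.path.join(top, "scratch")
        keep = os.path.join(top, "resource_kit")
        os.makedirs(os.path.join(scratch, "sub"))
        os.makedirs(keep)
        for path in (os.path.join(scratch, "a.tmp"),
                     os.path.join(scratch, "sub", "b.tmp"),
                     os.path.join(keep, "keep.txt")):
            open(path, "w").close()
        # A symbolic link stands in for the junction that linkd would create.
        os.symlink(keep, os.path.join(scratch, "rk"), target_is_directory=True)
        files, links = plan_cleanup(scratch)
        rel = lambda p: os.path.relpath(p, top).replace(os.sep, "/")
        return [rel(p) for p in files], [rel(p) for p in links]

if __name__ == "__main__":
    print(demo())
```

On Windows, creating the stand-in symbolic link may require elevated rights; the detection in is_link does not.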

ps.vbs and pmon: List Running Processes

Whenever I sit down at a new system, there are two things I want to know: what's running and how much disk space is there. There are two commands that are useful for listing the processes currently running on a Windows 2000 system. The first of these is one of the 80-odd Visual Basic sample scripts included with the Resource Kit. ps.vbs provides a quick list of processes including the process ID, image name, and full path to the executable file:

C:\> cscript "c:\program files\resource kit\ps.vbs"

  0              System Idle Pr (null)
  8              System         (null)
  172            smss.exe       C:\WINNT\System32\smss.exe
  200            csrss.exe      (null)
  220            winlogon.exe   C:\WINNT\system32\winlogon.exe
  248            services.exe   C:\WINNT\system32\services.exe 

ps.vbs' display is simple, but it provides information excluded by many other process display commands and GUI utilities. (You can eliminate the need for cscript [and the path to the resource kit files] if you make cscript the default scripting engine: cscript /h:cscript /s.)
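Because ps.vbs reports the full executable path, its output can be compared against a known-good listing. The following Python sketch is an added example, not part of the original article or the Resource Kit: it parses the three-column format shown above and reports any process whose image name or path is not in the baseline. The function names and the second listing are constructed for illustration.

```python
import re

# PID, image name (ps.vbs shortens long names), then "(null)" or a full path.
ROW = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\(null\)|[A-Za-z]:\\.*?)\s*$")

def parse_ps(text):
    """Turn ps.vbs-style rows into (pid, image_name, path_or_None) tuples."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            pid, name, path = match.groups()
            rows.append((int(pid), name, None if path == "(null)" else path))
    return rows

def compare_to_baseline(baseline_text, current_text):
    """Report processes whose image name or executable path is not in the baseline."""
    known = {}
    for _, name, path in parse_ps(baseline_text):
        # Windows paths are case-insensitive (the listing mixes System32/system32).
        known.setdefault(name.lower(), set()).add(path.lower() if path else None)
    findings = []
    for pid, name, path in parse_ps(current_text):
        key = path.lower() if path else None
        if name.lower() not in known:
            findings.append((pid, name, path, "image name not in baseline"))
        elif key not in known[name.lower()]:
            findings.append((pid, name, path, "known image name, different path"))
    return findings

# Baseline: the listing shown in the article.
BASELINE = r"""
  0              System Idle Pr (null)
  8              System         (null)
  172            smss.exe       C:\WINNT\System32\smss.exe
  200            csrss.exe      (null)
  220            winlogon.exe   C:\WINNT\system32\winlogon.exe
  248            services.exe   C:\WINNT\system32\services.exe
"""

# Constructed later listing: PIDs 1044 and 1100 are invented sample rows.
CURRENT = r"""
  0              System Idle Pr (null)
  8              System         (null)
  172            smss.exe       C:\WINNT\system32\smss.exe
  200            csrss.exe      (null)
  220            winlogon.exe   C:\WINNT\system32\winlogon.exe
  248            services.exe   C:\WINNT\System32\services.exe
  1044           services.exe   C:\temp\services.exe
  1100           notepad.exe    C:\WINNT\system32\notepad.exe
"""

if __name__ == "__main__":
    for finding in compare_to_baseline(BASELINE, CURRENT):
        print(finding)
```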

In contrast, pmon provides a wealth of data about each running process, giving a continuously-updated display like the following (the output is truncated):

View display output.

This output provides a variety of useful data relating to the processes' CPU and memory usage and page faulting rates. Note that the first line displays the amount of memory currently in use as a file buffer cache.

Unix folks will see similarities between these commands and the Unix ps and top commands.

regfind: Registry Search and Replace

Registry searching was one of the weaknesses of Windows NT. This is fixed in Windows 2000 with regfind. It has the following general syntax:

regfind [/m host] [options] search-string [/r replace-string]

The /m option may be used to specify the host on which to execute the command. Other useful options are:

  • /p key: Start searching at this key.
  • /n: Search key and value names as well as data.
  • /y: Perform a case-insensitive search.

For example, the following command searches all value settings (data) for the string "dog", finding one match:

C:\> regfind dog
Scanning \Registry registry tree
Search for 'dog'
Will match values of type: REG_SZ REG_EXPAND_SZ REG_MULTI_SZ
            Description = Logical Disk Manager Watchdog Service

The following command changes all instances of "e:\scratch" to "F:\New_Scratch" regardless of case:

C:\> regfind /y e:\scratch /r F:\New_Scratch
Scanning \Registry registry tree
Case Insensitive Search for 'e:\scratch'
Will match values of type: REG_SZ REG_EXPAND_SZ REG_MULTI_SZ
Will replace each occurrence with: 'F:\New_Scratch'

Note that this utility requires care in use (a good idea any time . . .). In particular, the utility does no error checking of any kind, so you can cause quite a mess with regfind if you are reckless.

rkill: List or Kill Remote Processes

Most people know that the Windows 2000 kill command can be used to terminate a local process. The Resource Kit provides the additional Remote Kill facility which extends this ability to remote systems. In order to use the associated command, rkill, this service must be running on the remote system (i.e., the one whose processes you want to be able to kill). You can install it on a system using the command's /install option. For example, the following command installs the service on host dalton:

C:\> rkill /install \\dalton

Once installed, you can use the /view option to list current processes on the specified host, and the /kill option to terminate a process. For example, the following command kills process 2288 on remote host newton:

C:\> rkill /kill \\newton 2288

The following command kills all command shells running on the same host:

C:\> rkill /kill \\newton cmd

Unix folks will see some similarities to the Unix kill and killall commands.

runas: Run a Command as a Different User

Best system administrative practices call for running commands as Administrator only when it is absolutely necessary and using an unprivileged user account the rest of the time. Under Windows NT, this was not possible. With Windows 2000, however, it is easy to accomplish via the runas command. This command allows you to run a specified command as a different user by providing the proper password.

One of the most convenient ways to use this is to create a separate command window for Administrator while logged in as your normal user, as in this example:

C:\> runas / cmd
Enter password for **********
Attempting to start "cmd" as user 

runas prompts you for the required password and then starts another command shell in a new window. Note that you must provide the fully qualified username of the desired user account when running this command in a Windows 2000 domain.

Unix folks will see similarities to the Unix su command.

subinacl: Modify ACLs

subinacl is a powerful utility for modifying the access control lists (ACLs) on a group of files in a single operation. It has the following general syntax:

subinacl options /type items /action

where the type option indicates the sort of entity whose ACLs are being modified (/file, /share, /subdirectories [traverse directory tree], /keyreg and /subkeyreg [registry keys, with or without recursion], /service, /printer, or /kernelobject), items are the specific items to be modified, and /action specifies the operation to perform. There are many available action options, of which the following are among the most important:

  • /owner=user: Set item ownership.

  • /replace=olduser=newuser: Rewrite entries for olduser to apply to newuser.

  • /changedomain=olddomain=newdomain: Replace olddomain with newdomain in all applicable entries.

  • /grant=name=perm: Grant the specified access permissions to the specified user or group. /deny works similarly except that it denies the specified permissions. /revoke=name can be used to remove any entry applying to the specified user or group.

You can specify multiple actions on the same command. For example, the following command replaces user harvey with user chavez in the relevant entries in the ACLs for all files under D:\Data and also grants read access to user claire for the same files:

C:\> subinacl /subdirectories \\mango\D$\Data^
        /replace=harvey=chavez /grant=claire=R

Note that the local path is specified in UNC format. This is necessary so that the RPC facility can be correctly located. If you forget and enter a local pathname, you'll get an error like the following:

... The RPC server is unavailable.

Finally, the /testmode option may be specified to preview the actions that would be taken without actually changing any ACL entries.

where: Determine Executable or Locate Files

Like most other user environments, Windows 2000 uses a search path to locate the corresponding executable file whenever a user runs a command. The Windows 2000 where command now makes it easy to determine which executable is used. For example, this command indicates the path to the notepad command by searching the components of the search path for any file whose name begins with "notepad":

C:\> where notepad*

When more than one file is found, they are listed in the order in which they are encountered.
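The listing order matters because the first match is the file that actually runs, so a copy in an earlier directory hides the one in the system directory. The following Python sketch is an added example, not part of the original article or the where command itself: it resolves an exact command name (no wildcards) across an ordered list of directories and flags the case where the winning file sits outside a trusted directory while a trusted copy is shadowed. The function names, the extension order and the notion of a trusted directory list are assumptions.

```python
import os
import tempfile

PATHEXT = (".com", ".exe", ".bat", ".cmd")  # assumed extension order

def find_on_path(command, search_dirs, pathext=PATHEXT):
    """Every file that satisfies `command`, in the order the search meets them."""
    base = command.lower()
    candidates = [base] if os.path.splitext(base)[1] else [base + e for e in pathext]
    hits = []
    for directory in search_dirs:
        try:
            present = {name.lower(): name for name in os.listdir(directory)}
        except OSError:
            continue  # stale or unreadable search-path entry
        for candidate in candidates:
            full = os.path.join(directory, present.get(candidate, candidate))
            if candidate in present and os.path.isfile(full):
                hits.append(full)
    return hits

def shadow_report(command, search_dirs, trusted_dirs):
    """Which file runs, what it hides, and whether that deserves a second look."""
    hits = find_on_path(command, search_dirs)
    if not hits:
        return None
    trusted = {os.path.normcase(os.path.abspath(d)) for d in trusted_dirs}

    def in_trusted(path):
        return os.path.normcase(os.path.abspath(os.path.dirname(path))) in trusted

    flagged = not in_trusted(hits[0]) and any(in_trusted(p) for p in hits[1:])
    return {"runs": hits[0], "shadowed": hits[1:], "flagged": flagged}

def demo(tools_first=True):
    """Constructed layout: a user-writable tools directory and a system32 copy."""
    with tempfile.TemporaryDirectory() as root:
        tools = os.path.join(root, "tools")
        system32 = os.path.join(root, "winnt", "system32")
        for directory, name in ((tools, "NOTEPAD.EXE"), (system32, "notepad.exe")):
            os.makedirs(directory)
            open(os.path.join(directory, name), "w").close()
        order = [tools, system32] if tools_first else [system32, tools]
        report = shadow_report("notepad", order, trusted_dirs=[system32])
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        return {"runs": rel(report["runs"]), "flagged": report["flagged"],
                "shadowed": [rel(p) for p in report["shadowed"]]}

if __name__ == "__main__":
    print(demo())
```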

In a separate mode, where may also be used to search for files within the filesystem in general. For example, the following command lists all files with names beginning with "que" in the Windows 2000 system directories (/r), displaying the size and modification time for each one (/t):

C:\> where /r c:\winnt /t que*
  1410832  12-07-99   8:00a  c:\winnt\system32\dllcache\query.dll
    10512  12-07-99   8:00a  c:\winnt\system32\dllcache\query.exe
  1410832  12-07-99   8:00a  c:\winnt\system32\query.dll
    10512  12-07-99   8:00a  c:\winnt\system32\query.exe

In this mode, where performs a similar function to the forfiles command in its default mode.

Unix folks will see similarities to the Unix which and find commands.

Æleen Frisch has been a system administrator for over 20 years. Currently, she looks after a very heterogeneous network of Windows NT and Unix systems. Her other books include Essential System Administration, 2nd Edition, Essential Windows NT System Administration (both for O'Reilly), and Exploring Chemistry with Electronic Structure Methods (Gaussian, Inc.). She has degrees from Caltech and Pitt and is an MCSE.

O'Reilly & Associates recently released (March 2001) Windows 2000 Commands Pocket Reference.