3 Things You Didn't Know about Windows Command Prompt
HTML-код
- Опубликовано: 1 авг 2024
- j-h.io/snyk || Special Thank You to Snyk for sponsoring this video! Get started with Snyk FOR FREE ➡ j-h.io/snyk
🔥 RUclips ALGORITHM ➡ Like, Comment, & Subscribe!
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
This 8191 limitation is not specific to the command prompt, but rather it is a limitation of the Windows API function GetCommandLineW, which is used by the command prompt to retrieve the command line. The GetCommandLineW function returns a pointer to the command line string, which is stored in a buffer. The size of the buffer is 8192 characters, and the last character is reserved for the null terminator, so that's why..
As a software engineer this has caused me problems building some opensource c++ code with very long filenames in deeply nested paths. The workaround for one project was that I had to use the subst command map a drive letter to a path to shorten it enough for the build to succeed. It was so frustrating to me that this still existed in 20XX.
@@drescherjm just use the \\?\ prefix and be done with it.
@@DutchRider Thankfully I build the two problematic libraries in a different way now using vcpkg and don't have the issue. With that said I am not sure if the build tools (CMake and QMake) would allow for UNC paths. I have never tried that.
durrp
The reason for this behavior is a long standing limitation in Windows on how the pipes work. When you start a command prompt (cmd.exe) in Windows it needs to connect to its input and output pipes with the host window (conhost.exe), so that you can see and interact with the command prompt. Unfortunately in Windows a pipe can only be connected exactly once - in this case to the conhost Window. Therefore the input & output pipes of the command line interpreter cannot be piped or redirected anymore. So when you start a command that gets piped or redirected the command line interpreter has to start this in a sub-shell (via COMSPEC) to be able to construct the pipe/redirection. Technically this would not be needed if the first command of the pipe was an executable file (and not an cmd-internal command), but the shell uses the COMSPEC sub-shell anyway (maybe for consistency reasons).
An additional execution of COMSPEC happens for each cmd-internal command along the pipe.
interesting... i wouner what happends if u do
[set COMSPEC="cmd.exe(pipesign)cmd.exe"]... an endless loop?, or maby an loop that ends when some calling stack is full? ... maby someone could try this?
or maby
[set COMSPEC="cmd.exe >(pipesign)notepad.exe(pipesign)notepad.exe"]?
sounds like the behaviour would be rly odd.... maby each cmd has its own stack?
The double firing of calc is likely because the commands you are executing are internal commands to CMD. So the Windows Subsystem likely still knows those commands can be executed and the COMSPEC is what needs to be ran to execute. However, with you having it set to Calc.exe it fires that twice...the weirdness that is windows. Great content though.
It's the | char ..... That's the "pipe" command ... There's literally two commands on that one line.
@@eidodk no not the pipe itself, it's like AckZero wrote: it's the internal commands of CMD. type, dir and echo are internal commands, whereas clip and whoami are external commands (standalone programs or scripts). You can see in the video that calc.exe isn't run twice when John piped into clip and whoami.
@@eidodk Yeah exactly when you string commands together with pipe it executes one command at a time
FYI, you can use terminal to handle both powershell and command prompt sessions. You just need to hit the little "down" arrow next to the new tab and select command prompt.
Kind of forgot, but you can also split the pane within each tab. Just right-click the tab and click split pane. Just thought I'd share that bit too. Both methods would probably help keep things smooth when you're recording 👍
In any case, really cool stuff covered here. I think I learned more than 3 things though lol I didn't know set on its own would display the environment variables
You can also switch shells on-the-fly same as in Linux:
PS currentPath> cmd
currentPath> wsl
/currentPath>exit
currentPath> exit
PS currentPath>
seeing John Hammnod executing Linux commands like (CTRL L and clear) while in Windows is kinda funny to me 😂😂..shows how much time he spends on the Linux World
yee
Windows is werid when ls doesent work
clear is a powershell cmdlet
@BrightHades5968 technically an alias for clear-host. But the alias is made to be friendly for linux users. Another example is "ls" which is one of the aliases for get-childitem
Also, he seems to needlessly reinvoke his SET command every time he runs CLS. It's just clearing the screen, not running a new instance of CMD!
Yo Bro I love your videos!!! I try and follow along sometimes and rewatch and pause and go along and it is always a super fun trip everytime!!! I have just build my first computer last year and I am having a blast learning all this stuff...Thank you!!
Gotta love Windows content! Didn't know about the comspec variable and I can see this being used in a penetration testing setting for several things..
Yup gotta keep Windows and top security companies always on their toes huh lols 😆 always vulnerabilities and penetrations for them to constantly forever keep patching out or working around always. Glad this kind of stuff goes online so Windows and the like can see what's going on under the hood, cuz I bet there is alot that goes unseen/unuploaded/unshared and are kept as potential 0 Days. Tbh I think Windows needs to rework more than just this, they need a new design cuz Windows 7 was my last fave OS version and then it got all weird with the new stuff.
This bring memories. I am cursed that Batch file is my first "programming language" (if you want to call it that hahaha).
To remove quotes in notepad, for SET command, you should either 1) remove quotes and spaces between equals, as in SET comspec=notepad , because everything after the space after SET is part of the first argument. For example, typing SET comspec = notepad (note the spaces) DOESN'T assign "notepad" to %comspec%, but assign " notepad" to %comspec % (note again the spaces)!
The 2) is to put quotes in the whole first argument like SET "=" (again no space between equals). This emphasizes the first argument thingy, and this is how I do it because it looks clearer than 1).
In ECHO command, quotes will be part of the string to be displayed. I prefer writing ECHO this way: ECHO(. I put parenthesis so that even if is empty, it just displays new line. Some people use ECHO: (colon instead of parenthesis), but I just prefer parenthesis.
The comspec thing is new to me, but I am not suprised. CMD is full of bugs like this. Maybe I'll explore a bit on this.
test.bat "String"
echo DB "%1", FF>>tmp.deb
debugoutput.txt
The output of a attached string into a memory location from a batch file using debug in DOS have no quote bytes.
This was so interesting. Thanks John!!
Brings back memories. Wondering if the code written fails due to certain delimiters being inadvertently evoked. If you have two commands with different extensions “.com” vs “.exe” . “.com” wins. Also wondering if there’s an option to “call” versus run. I have very little experience in the new environments but wondered if that could be helpful.
This is pure gold
I did not know you were involved in the Cyberforce competition! I've done it on the blue and red team side!
Try using the RTL or LTR character in charmap and inputting a mirrored commandline to run an application.
The next time you need a "random" port for something, use 8191 as a callback to this. Like, 'nc -nlvp 8191'
Great work.
I have seen an old vulnerability with older versions of windows, where you could pipe and redirect procedure calls through Wordpad + the font functions to execute malicious code. It works similarly to what you are attempting to do with com spec. I find this interesting. You can find a vulnerability here. You will need a hex editor, though, not the proc monitor. I don't think cmd.exe runs in protected memory by default. I see your logic here. But Dutch Rider is correct about the 8192; it's a buffer size, not the actual pointer or memory address. I wonder if you can run a command line argument within the API call to retrieve variables outside its defined scope. That would be cool.
Never could have known that something this cool exists had you not pointed it out...Awesome
What if you made a .cmd file (or bat file, whatever) and set that as COMSPEC? You can tell the bat file to ignore those few switches up front. When you run your pipe command, it executes the bat file and ignores the crud. Might work
I think it runs the calc.exe, because the | has to be dealt with by cmd. I also tried it with the && and it works the same, but let's say I make a simple C++ program that outputs hi, then I write echo "test" && prog.exe , that would result in outputting "test", hi and also running the calculator.
C:\Users\\OneDrive\Desktop\test>echo "test" && test3.exe
"test"
hi
(the command above also runs the calc.exe as mentioned in my comment)
@user-rb5we8ms4m Hell yeah! Oh wait... it's a scam.. what a shame
the pipe takes the output of the first command and pass them as parameters to the second command executing it with the set cmd. if you replace it to a notepad, then the first part should produce the parameter you need. echo "c:\\test.txt"|rem would open the test file
You owe me one fact about the Windows command prompt, since I knew the one with the maximum length already (we were trying to abuse commands for file transfer a few weeks back). ;)
I have no clue what changing the comspec is good for. But I watched the video anyway! ;-)
Good stuff
And the notepad thing, I think that is explainable as well. Notepad can take an input. The calculator can't. That means that when terminal gives notepad the commands, notepad thinks that it is a path to a file to open. It isn't. And so notepad is saying, "I can't find this file! I don't even think this is the path to a file!"
No! COMSPEC is a path to the command to be interpreted, NOT a path plus a variable to be passed to that command. Notepad isn't saying "I can't find this file", windows is saying "I cant find a file called 'notepad test.txt'".
I think when you pipe in the command to cmd it treats each command separately and executes them individually and this is why calc pops up twice
Can you please make a video on this but using it to make a reverse shell or something like that?
I'm pretty well-versed with cmd/pwsh/bash but curiosity prevailed and clicked to watch - however 3/4 of the video I started expecting John to come up with 0-day PoC the way he was pushing our mind with those limitation: 8191 🤣🤣😂😂😂😂
Last thing about the notepad thing, I think that terminal is waiting for notepad to tell it what to do and the like before it invokes the second command and that's why the second part isn't getting sent to notepad.
ECHO, TYPE, DIR are all commands, the extra firing is because you are adding extra commands, & would have the same effect as the | in your example
i think its because the pipe " | " ,its programmed to use new cmd to execute the piped syntax
my thinking too
That's 100% correct. There's nothing funny going on here. The thing does exactly what you asked of it.
8,191 characters...got it...
Scratch 8,191 characters off Bucket List...
pretty sure it is because 'type' is internal to cmd.exe, while whoami is an executable?it has been awhile, but it fits what I do recall from several decades ago.
What if you put the spaces before the “notepad.exe” or the cmd.exe? Or a combination of spaces before and after?
16:20 What about se on Linux.the shift command, could that help?
fun video to watch :)
@15:13 Is the PATHEXT Env variable potentially being show as a hint for what is allowed when setting the COMSPEC variable? i.e. it needs to be an executable and the reason why Notepad and Calc work so well is because they are in System32 and Windows knows them to be an inherent part of the system.
Those are my speculations.
Am I the only one who was surprised that in the IDLE shell you can retrieve the output of ' '*8191 from that expandable box? I would have just used the print function and copied the output! The way you did it is way easier
Yaay new video :3
John Hammond your my hero
What kind of parties do you go to?
this is similar to an old dos bug I found in HS, I believe related to 16 or 32bit charachter lengths. If you create a directory within another directory and then iterate once your directory length exceeds that length the whole directory structure wigs out and you will see the contents of your root directory at the bottom of your directory tree well; and since you can't delete your root directory you can't remove the nested directories once the glitch is enabled. I obviously used cusswords and this script to Borg a machine in the school shop and got called in the next day ; finding they had resolved the issue by renaming all my directories....didn't think to change the creation date and got caught; DOH!!!
Why does it have to be your own executable, can you have it load up another powershell or batch script instead to parse out the arguments?
2:47 It is NOT DOS. Windows does NOT come with DOS anymore. It is the Windows Command Prompt, it seems kind of like DOS because it has commands PORTED from DOS. But they are ports, the underline code is totally different because modern Windows cannot run DOS programs. Yes it can still do batch files.
the good part starts at 25:55
Way back in the 80's power users tried to squeeze as much conventional memory as possible from their DOS PC. Some Lotus 1-2-3 users would set their CONFIG.SYS SHELL to point directly to 123.exe. That would give them a few dozen more K to use.
Of course they would have to boot from a floppy to rename or edit CONFIG.SYS to restore the normal functionality.
8191 * 4 = 32764 which is 3 short of the environment variables limitation. making room for c:\ maybe? don't know why just noticed.
3:50 Who else types clear whenever they go into Command prompt. I do it way too much.
To me, CALC.exe is fired when you execute a CMD.EXE internal command, like echo, dir, type.
Internal commands fire CMD.exe as CMD.exe has to execute it as they they are internal into the CMD.exe, CMD.EXE tryes to Run these internal command into a second CMD.EXE instance. But you have CMDSPEC set to CALC.exe, so CALC fires up instead of CMD.exe. The reason that the intenal command still is execute is because your CMD that you have running contains them also offcourse :D, as CALC.exe cannot executre that command so it is reflected back tou you already running/executing CMD.exe.
In windows/DOS trhe 'pipe' command is iitterly a internal command so it fires CALC.exe.
For 1st example, Maybe it behaves differently because they are DOS INTERNAL commands?
"Netstats" in cmd the lines linked ips how would you remove them obviously someone got access to com, antivirus can't detect and a text file with webscript
The only method I found to use this is simply pass some arguments to another batch file. Like this:
Batch File:
@echo off
set arg=%~4
if defined arg echo Working! Detected arg is %arg%
Command Line:
set COMSPEC=
break|echo " "
not that much gamebreaking but kinda cool
& is a thing in command prompt. You can always just & cmd.exe which then would still run anything that was called. Cmd takes the variables. Somehow mitm permissions for cross app memory snooping. Idk
Hey John! The maximum length of the string that you can use at the command prompt is 8191 characters. 😂
The Win32 limitation for environment variables is 32,767 characters. 😂
You should change the title to "3 Things You Didn't Know about Windows Command Prompt, None of which are useful"
Enter backspace characters in your passed command text to delete the cmd switches and see what happens.
dir, type, rem etc. are not actual programs, and Windows will launch COMSPEC to let it handle it. If you type the command “where calc”, you will get the path to “calc.exe” as it is a command found in the path, but “where dir” will tell you that no such program exists. If you type in "which ls" on Linux, you will get the path to the program, as it is an actual program/script on Linux.
what if u do a null byte would it still still fire it twice?
In reference to 18:48 into this video, you typed "notepad.exe" (which is 11 characters), then you pasted 8191 space characters. You showed that it won't let you type anything more. I'm guessing only 8180 of those space characters actually pasted while 11 of them were truncated. Since you already had 11 characters there (from "notepad.exe"), it only let you paste 8180 of the space characters; you had hit your limit and can't type any more. But did you try to backspace a few characters and then type an argument?
Windows 11 replaced notepad with a store app version and maybe that difference is affecting it?
Good olé windows double backslash
What about putting the spaces before notepad.exe. (Maybe you said you tried that and I just misunderstood)
Very inserting.
I suspect that calc fired twice near the start of the video because you were using internal commands for cmd.exe in those cases. I could be wrong though.
0:20 very cool sponsor and service for tech products!
although I hate the part where they can look at the code of my product I find the service very appealing
Back in the days we set COMSPEC to 4DOS
what I don't understand is why echo even executes when COMSPEC isn't cmd.exe. Echo is a command that needs cmd.exe
I guess this is "4 Things You Didn't Know about Windows Command Prompt"
I was hoping you would try to replace the first command 'break' with a path to the notepad
Then you would just be invoking the desired executable just as you regularly would, wouldn't you?
@@_JohnHammond Indeed, just wanted to ensure my thoughts
Ok, this should take about 2 mins… wait what? 35 mins… no way.
Spooky!
The worst thing at all is, that nor windows neither sysmon log the change of environment variables. And thus, in your SIEM it is very hard to tell, if sone env was modified to proceed the attack. Microsoft will fix it in 2030 for sure.
microsoft? fix it?? ummmm there track record isnt good lol
Sometimes, when searching for vulns in my environment, I see they're systems having CVE created when I was a little child getting my first PC. This is not a big deal really ;)
Did he not mention you inherit environment variables from the parent? Ie, Process inherits theirs from the Userprofile, which inherits it from the System environment variables.
Any changes are in their own container and gets passed on, if you in cmd.exe 'set PITA=Yes', then 'cmd.exe' (you start new subprocess cmd.exe) and type 'echo %PITA%', it outputs 'Yes' because it inherits it from the parent (process in this case). Type 'exit' and you are back in the parent cmd.exe process.
Userprofile < inherits from System
|------CreateProcess (Explorer, or whatever) < inherits from userprofile
+----cmd.exe set %PITA%=Yes < inherits from Explorer, or whatever
| `---cmd.exe = echo %PITA% = Yes < inherits from cmd.exe
+----cmd.exe echo %PITA = %PITA% < inherits from Explorer, or whatever
But start a new cmd.exe (new Terminal tab or start from start menu) and 'echo %PITA%' does not exist, it just prints '%PITA%'.
If you have access to change System envvars, you are already admin., if you have access to change User envvars, you are not a limited process. At some point you need to be a parent to manipulate a childs envvars through child process or other ways, but you would then likely have access.
@@TilKenneth Just to clarify. Variables are generally stored in the registry keys. Of course, You can track the changes in user/system registry but formatting of the output in sysmon logs is not that simple - there is no log like "variable changed". In case of processess ofc, precisely theyre stored in PEB structure in process memory and they are inherited by child. The starting values are taken from registry too. Im not sure if there is special process privilege for editing systemwide envvars. My point is, if you were able to produce events for vars in registry, security monitoring would be much easier.
BTW, who cares about security monitoring in microsoft, they need you rather to pay for they're edr to do this, but to my taste it is much to pricey. I prefer to save on software and invest in people, against the market unfortunately.
@@TilKenneth is that a technical way of saying..its running as admin and looking for the file in user admin not user john.... i think if he moves test.exe to c:\ from c:\users\john\ it shouldnt kick the file not found
what is easiest wat to take screenshot from another program.. from keyboard only? win 10 64-- I'm trying to make a game that uses a users desktop objects as charachters and objects in the game. Besy i can imagione is to take screenshot and then slice the image like a spritesheet..
If it ain't broke don't fix it!
I think the reason that, when you set COMSPEC to calc.exe, the calculator fires up when you do commands, is because COMSPEC is the command interpreter. It is the executable (Or rather, the location of it) that runs the commands. It gets fed the commands and it is expected to spit out the correct actions. Calc.exe doesn't do that, so when terminal tells it to run these commands, it just opens up the calculator.
that is funny that you type clear command in windows😂
1:31 is where the action start (n__n)
2^13 - 1
Nifty
Hello!
set comspec="shutdown /s /f"
The quotes on the command line for that notepad file you were trying to run?
Unnecessary. No spaces on files or folders
EDIT: I just ran a similar command with a notepad file to open a filename with spaces: quotes still threw an error. Filename with spaces ran without quotes. Go figure.
In cmd.. "|" this does not pipe like you think. Its like "|" = "&&" like do this and do that. playing with arguments, and flag's is nothing knew. Documentation has always been limited and for you to figure it out. microsoft(ms) is so old school you will notice that basic commands are not polished off. For instance no error correction fully implemented. You had to program your own error correction.. It was left up to the user to know what there doing. Back then Imagination was the limit. Customization was always allowed. because at the time users where encouraged to program there own. so long as they left the OS alone. But once windows(gui came in with win3.11) the propretary actions started becoming a thing more and more. Yet seems that microsoft(ms) as of late are removing old code, user choices and software's they once had. Calling it legacy and archiving to not use no more. Its a big reason users are migrating away from windows more and more.
its probably built like this by design for the alphabet crew 😅👊
Hmmmm can’t test right now… comspec=“notepad %% | rem”
"how to hack newdez with command prompt 2023"
Wine does not do it in wineconsole elf
Jesus christ since when does john have 500k subs
Me: 8192 characters
John: But...
🤣🤣
You broke mobile comment display lol
With powershell, Microsoft has made a really hard, very inconsistent, under powered mess. Why can't they just copy Linux shell and be done with it?😒
Give DavesGarage a shout, he might know a little more and be able to help,
I would also recommend his channel to any other nerds wanting to know more about comps :)
I don't know what you did but the comment counts are all off by +1. Does RUclips read the comspec env varr? 😂
This has been known since the mid 80's when DOS 2.0 came out. It's funny but absolutely not new. The comspec variable was central to the function of the entire operating system - hackers and viruscreators have used this function since it was created. It has changed since Windows Me came out in 2000, because DOS no longer was the base for the system.
If you want to know why the command line switches are there, try opening a command prompt, then type "cmd /?" and then read and understand why these command line switches are hardcoded.
COMSPEC was one of the first things i learned about dos.
The length of command prompt has never been interesting.
Environment variable size isn't actually interesting, since 32k is quite a lot of text, and it allows for quite a lot of variables.
He's just saying this is something new for most people, Mr. Dunning Krueger
Linux be like, #!/bin/bash . BTW I use Arch.
Damm. Then it means that cmd is dangerous 😁😆
Who would have thought? 🫢
Woooow grape! Cmd is very dangerous chutiya
So you tell me that you were using legacy microsoft code? What could have gone wrong ;)?
@@ukaszgeras6600 i can guess that own microsoft cmd can use in bad things like reverse shell etc... Not just in good😅. Our microsoft frends made it too wrong🫢🫨😅🤷♂️
@@gamergaminghx1625 only thing you need to set the reverse shell is the process or thread in victim process. No matter how you spawn this, the more legacy features you got, the more vector attacks youll find.
worst command shell in computer history. it had many chances to improve and didnt. now we have powershell, which is rubbish as well, together with astonishingly silly commands and parameters, that never makes sense.
But i guess it's in step with an operating system that is mostly useless, until you download or buy programs for. Which is original business model for a bad operating system that everyone got to have/use.
Sir I can't login my gmail because of the backup code can you give me the backup code of my gmail.
Why are we supposed to tell you what's going on? I thought the whole point of the video was that YOU were going to tell US something new, not the other way around. Actually all you've told us that you don't know what you are talking about.
You didn't
Total non scientific approach of trial and error instead of getting into how it was designed for the commands to be parsed.
"3 things you didn't know about cmd"
Other channel's: so, you can change the color of the terminal so you look like a hacker
John Hammond: Hold my beer!
U seriously think your average follower is this rookie :) ?
Unsubscribed, I never want to feel the video is burning my time, also the grunts, groans popular with other streamer so overused I must say goodbye