When performing a system triage on a Windows device, follow these steps to gather key information:

• Year and Windows Version:
  • Location: Settings > About
  • Check the Windows version and system year to ensure the device is running an up-to-date OS.
• Who Logged in Last:
  • Method 1: Use Event Viewer to check Security Logs:
    • Open Event Viewer: Event Viewer > Windows Logs > Security
    • Filter by Event ID 4624 (This logs successful login attempts).
  • Method 2: Command Prompt:
    • Command: net user <username> (Replace <username> with the actual username).
  • Method 3: PowerShell:
    • Command: Get-LocalUser (lists all local users).
• Check Who Has Admin Access:
  • Location: Computer Management > Local Users and Groups > Groups > Administrators
  • Review the list of users who have administrator privileges.
• Check for Special Privileges Assigned:
  • Open Event Viewer and navigate to:
    • Event Viewer > Windows Logs > Security
    • Filter by Event ID 4672 (This logs any accounts that have been assigned special privileges, like administrator rights or security-sensitive access).
• Hosts File:
  • What it Does: The Hosts file maps IP addresses to hostnames.
  • What to Check: Look for suspicious entries or websites being redirected to localhost (127.0.0.1) that shouldn’t be. This can indicate malware or malicious activity.
  • Location: C:\\Windows\\System32\\Drivers\\etc\\hosts
• See Routing Table:
  • Command: netstat -r
  • This will display the device’s routing table, which shows how network traffic is being routed and whether there are any unusual routes.
• Look for Programs Run at Startup:
  • Location: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
  • Check this registry key for programs that are configured to start automatically when Windows boots.
• Check for Open Ports:
  • Use the Windows Firewall to check which ports are open and verify whether there are any unusual or unauthorized open ports.