Live response command examples
Learn about common commands used in live response and see examples on how they're typically used.
Depending on the role you have, you can run basic or advanced live response commands. For more information on basic and advanced commands, see Investigate entities on devices using live response.
```console
# Analyze the file malware.txt
analyze file c:\Users\user\Desktop\malware.txt

# Analyze the process by PID
analyze process 1234
```

```console
# List active connections in json format using parameter name
connections -output json

# List active connections in json format without parameter name
connections json
```

```console
# List files and sub-folders in the current folder (by default it will show relative paths [-relative_path])
dir

# List files and sub-folders in the current folder, with their full path
dir -full_path

# List files and sub-folders in a specific folder
dir C:\Users\user\Desktop\

# List files and sub-folders in the current folder in json format
dir -output json
```

```console
# Display information about a file
fileinfo c:\windows\notepad.exe
```

```console
# Find file by name
findfile test.txt
```

```console
# Download a file from a machine
getfile c:\Users\user\Desktop\work.txt

# Download a file from a machine, automatically run prerequisite commands
getfile c:\Users\user\Desktop\work.txt -auto
```
The getfile command cannot download the following file types from within live response:
- Reparse point files
- Sparse files
- Empty files
- Virtual files, or files that are not fully present locally

PowerShell can read all of these file types. If getfile fails on one of them, retrieve the file with a PowerShell script that you upload with putfile and execute with the run command instead.
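As an added example of that PowerShell fallback (this script is not part of the Microsoft page or the product; its name `export-file-b64.ps1`, its `-Path` and `-MaxBytes` parameters, and the output format are assumptions), the following library script reports why getfile would refuse the file, reads it through the reparse point or placeholder, and emits the content as base64 with a SHA-256 so the analyst can rebuild it offline:

```powershell
# export-file-b64.ps1  (added example; not from the Microsoft documentation)
# Upload and run from the live response console, for example:
#   putfile export-file-b64.ps1
#   run export-file-b64.ps1 -parameters "-Path C:\Users\user\Desktop\work.txt"
# Parameter names and the 25 MB default cap are assumptions for this example.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [long]$MaxBytes = 25MB   # keep console output manageable; raise deliberately
)

$item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
if ($item.PSIsContainer) {
    throw "'$Path' is a directory or directory junction; point at a file."
}
$attrs = $item.Attributes

# Record the conditions that make getfile bail out, so the case notes say why
# this path was taken instead of a plain download.
$reasons = @()
if ($attrs -band [IO.FileAttributes]::ReparsePoint) { $reasons += 'reparse point' }
if ($attrs -band [IO.FileAttributes]::SparseFile)   { $reasons += 'sparse' }
if ($attrs -band [IO.FileAttributes]::Offline)      { $reasons += 'not fully present locally' }
if ($item.Length -eq 0)                             { $reasons += 'empty' }

if ($item.Length -gt $MaxBytes) {
    throw "File is $($item.Length) bytes; raise -MaxBytes or stage a copy and use getfile."
}

# ReadAllBytes follows the reparse point and triggers a recall for placeholder
# files. Note that a recall changes the file's on-disk state; log it.
$bytes  = [IO.File]::ReadAllBytes($item.FullName)
$sha256 = [BitConverter]::ToString(
              [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
          ).Replace('-', '').ToLower()

# Single JSON envelope: metadata for triage, base64 body for reconstruction.
[pscustomobject]@{
    Path            = $item.FullName
    LinkTarget      = if ($item.Target) { "$($item.Target)" } else { $null }
    Attributes      = $attrs.ToString()
    GetFileBlockers = $reasons
    Length          = $item.Length
    SHA256          = $sha256
    Base64          = [Convert]::ToBase64String($bytes)
} | ConvertTo-Json -Compress
```

On the analyst workstation, save the JSON, then rebuild the file with `[IO.File]::WriteAllBytes('work.txt', [Convert]::FromBase64String($json.Base64))` and compare the SHA-256 before relying on it. Reading a placeholder file forces a recall from the cloud provider, which alters the file's local state; note the time you did it in the case record.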
```console
# List files in the library
library

# Delete a file from the library
library delete script.ps1
```

```console
# Show all processes
processes

# Get process by pid
processes 123

# Get process by pid with argument name
processes -pid 123

# Get process by name
processes -name notepad.exe
```

```console
# Upload file from library
putfile get-process-by-name.ps1

# Upload file from library, overwrite file if it exists
putfile get-process-by-name.ps1 -overwrite

# Upload file from library, keep it on the machine after a restart
putfile get-process-by-name.ps1 -keep
```

```console
# Show information about the values in a registry key
registry HKEY_CURRENT_USER\Console

# Show information about a specific registry value (the double backslash \\ indicates a registry value versus key)
registry HKEY_CURRENT_USER\Console\\ScreenBufferSize
```

```console
# Remediate file in specific path
remediate file c:\Users\user\Desktop\malware.exe

# Remediate process with specific PID
remediate process 7960

# See list of all remediated entities
remediate list
```

```console
# Run PowerShell script from the library without arguments
run script.ps1

# Run PowerShell script from the library with arguments
run get-process-by-name.ps1 -parameters "-processName Registry"
```
For long-running commands such as run or getfile, append the & symbol to the command to execute it in the background. You can keep investigating the device and return to the background job with the fg basic command when it's done.

When passing parameters to a live response script, the parameter string must not contain any of the forbidden characters ';', '&', '|', '!', and '$'.
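The putfile and run examples above reference a library script named get-process-by-name.ps1 without showing its contents. The following is an added example of what such a script could look like; it is not Microsoft's script and its parameter handling, output fields and hashing are assumptions made here. It shows how the string given to `-parameters "-processName Registry"` is bound to the script's `param()` block, re-checks the forbidden characters before the value is used in a filter, and returns per-process data that can be pivoted to file-level triage:

```powershell
# get-process-by-name.ps1  (added example; not the script from the Microsoft page)
# Invoked from the live response console as:
#   run get-process-by-name.ps1 -parameters "-processName Registry"
# Everything after -parameters is parsed like a normal PowerShell argument
# list, so "-processName Registry" binds to the $processName parameter below.
param(
    [Parameter(Mandatory = $true)][string]$processName
)

# The console already rejects these characters; a defensive re-check costs
# nothing and keeps the script safe if it is ever run outside live response.
if ($processName -match '[;&|!$]') {
    throw 'processName contains a forbidden character (; & | ! $)'
}

# Match the image name with or without the .exe suffix ("Registry" has none).
# Escape the value so a name such as svc(1) is not interpreted as a regex.
$pattern = '^' + [regex]::Escape($processName) + '(\.exe)?$'

$procs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -match $pattern }

foreach ($p in $procs) {
    # Owner via the Win32_Process.GetOwner method; protected processes may deny it.
    $owner = $null
    try {
        $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
        if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
    } catch { }

    # SHA-256 of the on-disk image, when there is one, for further pivoting
    # (for example to findfile, fileinfo or remediate file).
    $hash = $null
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $hash = (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256).Hash.ToLower()
    }

    [pscustomobject]@{
        Name        = $p.Name
        PID         = $p.ProcessId
        ParentPID   = $p.ParentProcessId
        Owner       = $owner
        Path        = $p.ExecutablePath
        SHA256      = $hash
        CommandLine = $p.CommandLine
        Created     = $p.CreationDate
    }
}
```

The script emits one object per matching process, so the output can be read in the console or piped to `ConvertTo-Json` if a machine-readable result is wanted. The PID values it returns feed directly into `processes -pid`, `analyze process` and `remediate process`.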
```console
# Get all scheduled tasks
scheduledtasks

# Get specific scheduled task by location and name
scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition

# Get specific scheduled task by location and name with spacing
scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation"
```

```console
# Restore remediated registry
undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize

# Restore remediated scheduledtask
undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition

# Restore remediated file
undo file c:\Users\user\Desktop\malware.exe
```