Query Windows

cnquery provides the answers you need about your Windows assets. For example, you can retrieve the Windows version, user information, or security settings.

For a list of Windows resources you can query, read Mondoo Operating Systems (OS) Resource Pack Reference and Mondoo Core Resource Pack Reference.

Requirements

To explore a Windows asset with cnquery, you must have:

Query a Windows asset

To answer any question about your environment, use cnquery's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnquery and learning MQL.

To launch a shell into your local Windows environment, enter:

cnquery shell

To launch a shell into a remote Windows environment, enter:

cnquery shell ssh Administrator@IP_ADDRESS --ask-pass

For IP_ADDRESS, substitute the IP address of the remote Windows asset.

If you prefer WinRM for remote access, enter:

cnquery shell winrm Administrator@IP_ADDRESS --ask-pass

For IP_ADDRESS, substitute the IP address of the remote Windows asset.

Discover capabilities with the help command

Once inside the shell, use the help command to learn what Windows resources you can query. This command lists all the operating system resources:

help os

From the resulting list, you can drill down further. For example, enter this command to list the OS update information you can retrieve:

help os.update

You can also learn about available Windows resources in the Mondoo Operating Systems (OS) Resource Pack Reference and Mondoo Core Resource Pack Reference.

Get simple answers in the shell

Now that you know how to discover what's possible with cnquery, let's run some actual queries in the shell.

This query asks the device name:

asset.name

cnquery returns the pretty hostname:

asset.name: "Mwezi's demo lappy"

This query asks the version of the operating system:

asset.version

Query users

To request a list of all users on a machine, enter this query in the shell:

users

Request full details in results

For a more detailed report, you can specify that you want all fields:

users { * }

For every user, cnquery provides information about their settings.

Specify fields to include in results

If you're interested in only some details, specify the fields you want in braces. For example, this query asks for each user's name, group, and whether the account is enabled:

users { name group enabled }

Filter results

You can filter results based on any field. Specify the criteria using the where function and standard boolean operators.

For example, this filters results based on group name:

users.where(group.name == "admins") { name uid }

cnquery returns all users in the admins group. It includes the name and UID for each user.

Learn more about querying Windows

Analyze your environment with query packs

Mondoo makes these core Windows query packs available in GitHub:

To run one of these purpose-built collections of Windows-specific queries:

  1. In Mondoo's cnquery-packs GitHub repo, go to the core directory and find the Windows query pack you want to run.

  2. Download the YAML file to a local directory and, in your terminal, move to that directory.

  3. Use the cnquery scan command, specifying the file and the query pack:

cnquery scan -f mondoo-windows-incident-response.mql.yaml --querypack mondoo-incident-response-windows

You can also create your own query packs to meet your specific needs. To learn more about query packs, read Run a Query Pack.
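As an added example that is not from the original page or the cnquery-packs repo, here is a small custom query pack that bundles the shell queries shown above so they can be run with cnquery scan. The file name, pack uid and query uids are placeholders chosen for this example.

```yaml
# Constructed example: a custom query pack built from the queries on this page.
# Save as example-windows-user-inventory.mql.yaml and run with:
#   cnquery scan -f example-windows-user-inventory.mql.yaml --querypack example-windows-user-inventory
packs:
  - uid: example-windows-user-inventory   # placeholder pack uid
    name: Example Windows user inventory
    version: 1.0.0
    # Only evaluate this pack against Windows assets.
    filters:
      - asset.family.contains("windows")
    queries:
      - uid: example-windows-asset-name
        title: Device name
        mql: asset.name
      - uid: example-windows-os-version
        title: Operating system version
        mql: asset.version
      - uid: example-windows-enabled-users
        title: Enabled user accounts
        mql: users.where(enabled == true) { name uid }
      - uid: example-windows-admin-users
        title: Members of the admins group
        mql: users.where(group.name == "admins") { name uid }
```

Collecting enabled accounts and admins-group members in one pack gives a repeatable inventory you can diff between scans to spot unexpected account changes.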