---
title: Live response command examples
description: Learn to run basic or advanced live response commands for Microsoft Defender Advanced Threat Protection (ATP) and see examples on how it's used
keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---

# Live response command examples

**Applies to:**

- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)

Learn about common commands used in live response and see examples of how they are typically used.

Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on devices using live response](live-response.md).
## analyze

```
# Analyze the file malware.txt
analyze file c:\Users\user\Desktop\malware.txt
```

```
# Analyze the process by PID
analyze process 1234
```

## connections

```
# List active connections in json format using parameter name
connections -output json
```

```
# List active connections in json format without parameter name
connections json
```

## dir

```
# List files and sub-folders in the current folder
dir
```

```
# List files and sub-folders in a specific folder
dir C:\Users\user\Desktop\
```

```
# List files and sub-folders in the current folder in json format
dir -output json
```

## fileinfo

```
# Display information about a file
fileinfo C:\Windows\notepad.exe
```

## findfile

```
# Find file by name
findfile test.txt
```

## getfile

```
# Download a file from a machine
getfile c:\Users\user\Desktop\work.txt
```

```
# Download a file from a machine, automatically run prerequisite commands
getfile c:\Users\user\Desktop\work.txt -auto
```

>[!NOTE]
>
> The following file types **cannot** be downloaded using this command from within Live Response:
>
> * [Reparse point files](/windows/desktop/fileio/reparse-points/)
> * [Sparse files](/windows/desktop/fileio/sparse-files/)
> * Empty files
> * Virtual files, or files that are not fully present locally
>
> These file types **are** supported by [PowerShell](/powershell/scripting/overview?view=powershell-6/).
>
> Use PowerShell as an alternative, if you have problems using this command from within Live Response.
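The note above lists the file types `getfile` cannot collect. The following PowerShell function is an added example, not part of the Microsoft Defender ATP documentation or product: it inspects a file's attributes and size for exactly those conditions (reparse point, sparse, empty, not fully present locally), so an analyst knows before issuing `getfile` whether to fall back to a PowerShell script executed with `run`. The function name, the use of the `Offline` attribute as an approximation of "not fully present locally", and the sample path are assumptions; when `getfile` would fail, the function also records a SHA-256 hash so the file can still be pivoted on.

```powershell
# Added example (not Microsoft's code). Pre-checks a path against the getfile
# limitations: reparse point, sparse file, empty file, not fully present locally.
# Function name and sample path are assumptions.
function Test-GetFileCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # -Force so hidden/system files are still inspected; fail loudly if missing.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if ($item.PSIsContainer) {
        throw "'$Path' is a directory; getfile takes a single file path."
    }

    $attr    = $item.Attributes
    $reasons = [System.Collections.Generic.List[string]]::new()

    if ($attr.HasFlag([IO.FileAttributes]::ReparsePoint)) { $reasons.Add('reparse point') }
    if ($attr.HasFlag([IO.FileAttributes]::SparseFile))   { $reasons.Add('sparse file') }
    # Assumption: the Offline attribute marks dehydrated/placeholder content,
    # which is the closest attribute-level signal for "not fully present locally".
    if ($attr.HasFlag([IO.FileAttributes]::Offline))      { $reasons.Add('not fully present locally (Offline)') }
    if ($item.Length -eq 0)                               { $reasons.Add('empty file') }

    $result = [pscustomobject]@{
        Path       = $item.FullName
        Length     = $item.Length
        Attributes = $attr
        GetFileOk  = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join ', ')
        Sha256     = $null
    }

    # When getfile would fail, a hash collected via PowerShell still gives the
    # analyst an indicator to look up, without transferring the file itself.
    if (-not $result.GetFileOk -and $item.Length -gt 0) {
        $result.Sha256 = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    }
    $result
}

# Usage (path is a constructed example matching the getfile sample above):
Test-GetFileCandidate -Path 'C:\Users\user\Desktop\work.txt' | Format-List
```

Saved as a script in the library and invoked with `run`, this returns `GetFileOk = False` plus the reason for files `getfile` would reject; for those, reading the content with PowerShell (for example `Get-Content -LiteralPath ... -Raw`) inside a `run` script is the alternative the note recommends.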
## processes

```
# Show all processes
processes
```

```
# Get process by pid
processes 123
```

```
# Get process by pid with argument name
processes -pid 123
```

```
# Get process by name
processes -name notepad.exe
```

## putfile

```
# Upload file from library
putfile get-process-by-name.ps1
```

```
# Upload file from library, overwrite file if it exists
putfile get-process-by-name.ps1 -overwrite
```

```
# Upload file from library, keep it on the machine after a restart
putfile get-process-by-name.ps1 -keep
```

## registry

```
# Show information about the values in a registry key
registry HKEY_CURRENT_USER\Console
```

```
# Show information about a specific registry value
registry HKEY_CURRENT_USER\Console\\ScreenBufferSize
```

## remediate

```
# Remediate file in specific path
remediate file c:\Users\user\Desktop\malware.exe
```

```
# Remediate process with specific PID
remediate process 7960
```

```
# See list of all remediated entities
remediate list
```

## run

```
# Run PowerShell script from the library without arguments
run script.ps1
```

```
# Run PowerShell script from the library with arguments
run get-process-by-name.ps1 -parameters "-processName Registry"
```

## scheduledtask

```
# Get all scheduled tasks
scheduledtasks
```

```
# Get specific scheduled task by location and name
scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition
```

```
# Get specific scheduled task by location and name with spacing
scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation"
```

## undo

```
# Restore remediated registry
undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize
```

```
# Restore remediated scheduledtask
undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition
```

```
# Restore remediated file
undo file c:\Users\user\Desktop\malware.exe
```
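The `putfile` and `run` sections above upload a library script named `get-process-by-name.ps1` and invoke it with `-parameters "-processName Registry"`. The script below is an added example of what such a library script can look like; it is not the script from the page or from Microsoft. It assumes the script's only parameter is `-processName` (matching the `run` example), accepts the name with or without `.exe`, and reports PID, parent PID, image path, start time and session for each match so the analyst can compare against the `processes -name` output.

```powershell
# Added example (not Microsoft's library script): a possible get-process-by-name.ps1.
# Upload with:  putfile get-process-by-name.ps1
# Invoke with:  run get-process-by-name.ps1 -parameters "-processName Registry"
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [string]$processName
)

# Accept either "notepad" or "notepad.exe"; Get-Process matches on the bare name.
$name  = [IO.Path]::GetFileNameWithoutExtension($processName)
$procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)

if ($procs.Count -eq 0) {
    Write-Output "No running process named '$name' was found."
    return
}

$results = foreach ($p in $procs) {
    # Path and StartTime can throw for protected or system processes (for
    # example the Registry process); report them as unknown instead of failing.
    $path = $null; $start = $null
    try { $path  = $p.Path }      catch { }
    try { $start = $p.StartTime } catch { }

    # Parent PID comes from WMI/CIM, which Get-Process does not expose directly.
    $parentPid = (Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)").ParentProcessId

    [pscustomobject]@{
        Name      = $p.ProcessName
        PID       = $p.Id
        ParentPID = $parentPid
        SessionId = $p.SessionId
        StartTime = $start
        Path      = $path
    }
}

$results | Format-Table -AutoSize
```

Because live response runs the script on the device and returns its standard output, formatted table output is what the analyst sees in the console; the `-keep` switch on `putfile` is needed only if the script should survive a restart of the device.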