1

I know that I can retrieve the commands I've given in a command window up to a certain point. cmd.exe seems to have a certain cache size and once it's exhausted the commands overflow. When I close the command window everything is deleted, right? Or wrong? Does Windows still know which commands I gave and can I retrieve them?

If I run a program in a command window and the program calls cmd.exe to run a command, can I see this command somehow?

Henrik4
  • 464
  • 3
  • 13
  • 2
    cmd.exe has nothing to do with input history. When you're typing in the console window, that's under the control of the console host process, conhost.exe. Meanwhile, cmd.exe is blocked while waiting for `ReadConsoleW` to return. The console's line editor stores input history in a circular buffer, one per attached process (e.g. if you run diskpart.exe from cmd.exe, then two processes are attached to the console). There's a fixed number of buffers for a console window, which is set in the properties or defaults. They get destroyed with the console. There's no way to reload them from disk. – Eryk Sun Nov 29 '19 at 21:34
  • 1
    PowerShell supports storing history on disk across sessions. It can do this because it bypasses the console's high-level cooked read. Instead it uses the console's low-level API (e.g. `ReadConsoleInputW`) and implements its own line editor. – Eryk Sun Nov 29 '19 at 21:39
  • @ErykSun Ahh this is the info I was looking for. So you're confirming that the command history gets destroyed with the command window? It's never stored on disk? – Henrik4 Nov 29 '19 at 23:04
  • CMD simply uses only the console's cooked read, so it depends almost entirely on whatever the console provides -- as do most other simple console applications such as the REPL shell of Python's interpreter. The console has an undocumented function to read the input history of an attached executable. (Though this is limited since multiple instances of an executable can be attached, each with separate history buffers.) However, the console has no function to preload a history buffer, and it has no option to automatically persist input history. – Eryk Sun Nov 29 '19 at 23:41
  • @ErykSun In your first comment you were very clear ("They get destroyed with the console. There's no way to reload them from disk.") . Now you seem to be backtracking: " it has no option to automatically persist input history." This latter statement seems to say that there is a way to make it preserve input history after all. – Henrik4 Nov 30 '19 at 16:13
  • No, I'm not backtracking. The history buffers are stored in memory in the conhost.exe process. It has no option to persist them to the user profile on disk, so obviously they get destroyed when the conhost.exe process exits (i.e. when the console window closes). It has an undocumented API function to query the contents of a history buffer (`GetConsoleCommandHistoryW`), so an attached process could store the input history to disk on its own, but there is no practical way to preload a history buffer with commands, so input history cannot be restored from disk in a new session. – Eryk Sun Nov 30 '19 at 16:49
  • @ErykSun I'm not interested in preloading input history. My concern is security. Can windows or another process spy on me? Can it attach itself to my console and eavesdrop through the GetConsoleCommandHistoryW function? I enter secret passwords on the command line and would like to know how safe that is. – Henrik4 Dec 02 '19 at 19:12
  • A process in the same session as your process that's at the same or higher integrity level (e.g. medium integrity for a standard logon; high integrity for an administrator logon) can call `AttachConsole` to attach to your console. Then call `GetConsoleCommandHistoryW` to read the input history buffer for a given base executable name. Of course that's basically what `doskey.exe /history` does, except it can only implicitly attach to the console of its parent process. – Eryk Sun Dec 02 '19 at 19:28
  • [Keep cmd.exe command history between sessions?](https://superuser.com/q/257855/241386) – phuclv Dec 11 '19 at 01:44

1 Answers1

1

Type doskey /?.

So doskey /history.

It is not a log but a command recaller.

echo %cmdcmdline% shows Cmd's command line. Else you can read the command line in task manager. Right click the headings in Detail tab. Choose Command Line.

This lists all variables https://winsourcecode.blogspot.com/2019/05/listenvironmentexe-list-system-user.html

  • Please read my answer as I gave you three ways. 1 answer to your first question and two answers to your second question. –  Nov 29 '19 at 21:37
  • 1
    The `/history` option of doskey.exe is based on the undocumented console function `GetConsoleCommandHistoryW` which takes the target executable name as a parameter. doskey.exe defaults to "cmd.exe" as the target executable name, but it can be overridden with the `/exename=` argument. There console has no `SetConsoleCommandHistoryW` function, so there's no way to reload history buffers from a previous session. – Eryk Sun Nov 29 '19 at 21:57
  • @Mark My first question is whether command history is destroyed when the command window is closed. How do you answer that? My second question is whether I can see the command given to another instance of cmd.exe . If I do echo %cmdcmdline% it shows me the command which started MY instance of cmd.exe, not the OTHER one. Task manager won't show anything because that other instance has stopped running. – Henrik4 Nov 29 '19 at 23:18
  • 1
    @ErykSun It's not difficult to retrieve the command history BEFORE the command window is closed and from THIS command window. My question was if it's possible afterwards. You answered NO above and I think you're right. – Henrik4 Nov 29 '19 at 23:25