Launch cmd.exe as local system w/ psexec
psexec -s cmd.exeEnable rdp with CLI
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /fLaunch ARP scan
for /L %i in (1,1,255) do @start /b ping -n 1 -w 1 192.168.1.%iCapture all IPv4 traffic, TCP only, which matches the IP address on a 64 bit Windows 7/Windows 2008 or newer box, continue the capture even if the computer restarts, save capture to a nondefault location. Captures can then be analysed with Microsoft's Message Analyser http://www.microsoft.com/en-us/download/details.aspx?id=44226
netsh trace start capture=yes Ethernet.Type=IPv4 IPv4.Address=157.59.136.1 Protocol=TCP persistent=yes traceFile=C:\Users\Public\trace.etlStop the capture
netsh trace stop