So you are sitting at a command prompt on a Windows 7 PC and you need to enumerate live systems on your subnet. You don’t have your normal toolbox. What’s a poor ol’ Sysadmin to do? Try this:
C:\>for /L %V in (1 1 254) do PING -n 1 your.network.%V | FIND /I "Reply"
Example:
C:\Users\me>for /L %V in (1 1 254) do PING -n 1 10.10.10.%V | FIND /I "Reply"
The output is:
C:\Users\me>PING -n 1 10.10.10.1 | FIND /I "Reply"
Reply from 10.10.10.1: bytes=32 time=1ms TTL=255
C:\Users\me>PING -n 1 10.10.10.2 | FIND /I "Reply"
Reply from 10.10.10.2: bytes=32 time=1ms TTL=128
C:\Users\me>PING -n 1 10.10.10.3 | FIND /I "Reply"
Reply from 10.10.10.3: bytes=32 time<1ms TTL=128
C:\Users\me>PING -n 1 10.10.10.4 | FIND /I "Reply"
Reply from 10.10.10.4: Destination host unreachable.
So what does this command mean? Can I break it down for you? Sure.
1) FOR /L %variable IN (start,step,end) DO command [command-parameters]
The set (in parentheses) is a sequence of numbers from start to end, by step amount.
So (1 1 254) generates the sequence 1 2 3 4 5 through 254, one for each host address in a /24, and a negative step counts down, so (254,-1,1) runs that sequence in reverse (for example, (5,-1,1) gives 5 4 3 2 1).
2) PING -n 1
The count (“Number”) of echo requests to send. In this case it's 1.
3) 10.10.10.%V
This is the network (/24) I am pinging. The %V variable takes each value of the for /L count, 1, 2, 3, 4, 5, 6 ... 254, as described in #1 above, so the command pings 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, etc., all the way to 10.10.10.254.
4) | FIND /I “Reply”
This pipes (“|”) the output of the ping command to FIND; the /I tells find.exe to ignore case, and “Reply” is the string you are searching for. This leaves you with just the “Reply from” lines, which tell you whether the IP is in use or unreachable.
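The same sweep as a batch file, added here as an illustration and not part of the original post: inside a .cmd file the loop variable is written %%V, -w caps the wait on silent addresses, and the filter matches "TTL=" instead of "Reply" because, as the sample output above shows, "Destination host unreachable" lines also begin with "Reply from". The prefix 10.10.10, the script name and the output file name are constructed for the example.

```batch
@echo off
REM pingsweep.cmd - sweep a /24 from cmd.exe and record only hosts that answered.
REM Usage: pingsweep.cmd 10.10.10   (first three octets; 10.10.10 is a constructed example)
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 first.three.octets
    exit /b 1
)
set "NET=%~1"
REM Output file name is derived from the prefix, e.g. alive-10_10_10.txt
set "OUT=alive-%NET:.=_%.txt"
set /a COUNT=0

REM Redirecting the whole block means every echo inside it lands in %OUT%
REM (this also avoids "echo ...1>>file" being parsed as a handle-1 redirect).
REM -n 1 sends one echo request; -w 200 waits at most 200 ms per address.
REM find "TTL=" keeps real replies only; "Destination host unreachable" has no TTL.
> "%OUT%" (
    for /L %%V in (1 1 254) do (
        ping -n 1 -w 200 %NET%.%%V | find "TTL=" >nul && (
            echo %NET%.%%V
            set /a COUNT+=1
        )
    )
)

echo %COUNT% live host(s) written to %OUT%
endlocal
```

Hosts that drop ICMP echo requests will not appear in the file, so treat the list as a lower bound on what is on the subnet, not a complete inventory.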