Windows Reference

Windows Versions

Kernal	Version
NT 3.1	Windows NT 3.1 (All)
NT 3.5	Windows NT 3.5 (All)
NT 3.51	Windows NT 3.51 (All)
NT 4.0	Windows NT 4.0 (All)
NT 5.0	Windows 2000 (All)
NT 5.1	Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded)
NT 5.2	Windows XP (64-bit, Pro 64-bit) Windows Server 2003 & R2 (Standard, Enterprise) Windows Home Server
NT 6.0	Windows Vista (Starter, Home, Basic, Home Premium, Business, Enterprise, Ultimate) Windows Server 2008 (Foundation, Standard, Enterprise)
NT 6.1	Windows ~ (Starter, Home, Pro, Enterprise, Ultimate) Windows Server 2008 R2 (Foundation, Standard, Enterprise)
NT 6.2	Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM)) Windows Phone 8 Windows Server 2012 (Foundation, Essentials, Standard)

Kernal

Version

NT 3.1

Windows NT 3.1 (All)

NT 3.5

Windows NT 3.5 (All)

NT 3.51

Windows NT 3.51 (All)

NT 4.0

Windows NT 4.0 (All)

NT 5.0

Windows 2000 (All)

NT 5.1

Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded)

NT 5.2

Windows XP (64-bit, Pro 64-bit)
Windows Server 2003 & R2 (Standard, Enterprise)
Windows Home Server

NT 6.0

Windows Vista (Starter, Home, Basic, Home Premium, Business, Enterprise, Ultimate)
Windows Server 2008 (Foundation, Standard, Enterprise)

NT 6.1

Windows ~ (Starter, Home, Pro, Enterprise, Ultimate)
Windows Server 2008 R2 (Foundation, Standard, Enterprise)

NT 6.2

Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM))
Windows Phone 8
Windows Server 2012 (Foundation, Essentials, Standard)

Windows FIles

Command	Description
%SYSTEMROOT%	Typically C:\Windows
%SYSTEMROOT%\System32\drivers\etc\hosts	DNS entries
%SYSTEMROOT%\System32\drivers\etc\networks	Network settings
%SYSTEt~ROOT% \ system32 \ config\SAM	User & password hashes
%SYSTEMROOT%\repair\SAM	Backup copy of SAt~
%SYSTEMROOT%\System32\config\RegBack\SAM	Backup copy of SAt~
%WINDIR%\system32\config\AppEvent.Evt	Application Log
%WINDIR%\system32\config\SecEvent.Evt	Security Log
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\	Startup Location
%USERPROFILE%\Start Menu\Programs\Startup\	Startup Location
%SYSTEMROOT%\Prefetch	Prefetch dir (EXE logs)

Command

Description

%SYSTEMROOT%

Typically C:\Windows

%SYSTEMROOT%\System32\drivers\etc\hosts

DNS entries

%SYSTEMROOT%\System32\drivers\etc\networks

Network settings

%SYSTEt~ROOT% \ system32 \ config\SAM

User & password hashes

%SYSTEMROOT%\repair\SAM

Backup copy of SAt~

%SYSTEMROOT%\System32\config\RegBack\SAM

Backup copy of SAt~

%WINDIR%\system32\config\AppEvent.Evt

Application Log

%WINDIR%\system32\config\SecEvent.Evt

Security Log

%ALLUSERSPROFILE%\Start Menu\Programs\Startup\

Startup Location

%USERPROFILE%\Start Menu\Programs\Startup\

Startup Location

%SYSTEMROOT%\Prefetch

Prefetch dir (EXE logs)

Windows System Info Commands

Command	Description
ver	Get OS version
sc query state=all	Show services
tasklist /svc	Show processes & services
tasklist /m	Show all processes & DLLs
tasklist /S ip /v	Remote process listing
taskkill /PID pid /F	Force process to terminate
systeminfo /S ip /U domain\user /P Pwd	Remote system info
reg query\\ ip \ RegDomain \ Key /v	Query remote registry,
Value	/s=all values
reg query HKLM /f password /t REG SZ /s	Search registry for password
fsutil fsinfo drives -	List drives (must be admin)
dir /a /s /b c:\'.pdf'	Search for all PDFs
dir /a /b c:\windows\kb'	Search for patches
findstr /si password' .txt I •.xmll •.xls	Search files for password
tree /F /A c:\ tree.txt	Directory listing of C:
reg save HKLl~\Security security.hive	Save security hive to file
echo %USERNAl~E%	Current user

Command

Description

ver

Get OS version

sc query state=all

Show services

tasklist /svc

Show processes & services

tasklist /m

Show all processes & DLLs

tasklist /S ip /v

Remote process listing

taskkill /PID pid /F

Force process to terminate

systeminfo /S ip /U domain\user /P Pwd

Remote system info

reg query\\ ip \ RegDomain \ Key /v

Query remote registry,

Value

/s=all values

reg query HKLM /f password /t REG SZ /s

Search registry for password

fsutil fsinfo drives -

List drives (must be admin)

dir /a /s /b c:\'.pdf'

Search for all PDFs

dir /a /b c:\windows\kb'

Search for patches

findstr /si password' .txt I •.xmll •.xls

Search files for password

tree /F /A c:\ tree.txt

Directory listing of C:

reg save HKLl~\Security security.hive

Save security hive to file

echo %USERNAl~E%

Current user

Windows System NET/Domain Commands

Command	Description
net view /domain	Hosts in current domain
net view /domain: [t~YDOHAIN]	Hosts in [l~YDOl1AIN]
net user /domain	All users in current domain
net user user pass /add	Add user
net localgroup "Administrators" user /add	Add user to Administrators
net accounts /domain	Domain password policy
net localgroup "Administrators"	List local Admins
net group /domain	List domain groups
net group "Domain Adrnins" /domain	List users in Domain Adrnins
net group "Domain Controllers 11 /domain	List DCs for current domain
net share	Current SMB shares
net session I find I "\\"	Active SHB sessions
net user user /ACTIVE:jes /domain	Unlock domain user account
net user user '' newpassword '' /domain	Change domain user password
net share share c:\share /GRANT:Everyone,FULL	Share folder

Command

Description

net view /domain

Hosts in current domain

net view /domain: [t~YDOHAIN]

Hosts in [l~YDOl1AIN]

net user /domain

All users in current domain

net user user pass /add

Add user

net localgroup "Administrators" user /add

Add user to Administrators

net accounts /domain

Domain password policy

net localgroup "Administrators"

List local Admins

net group /domain

List domain groups

net group "Domain Adrnins" /domain

List users in Domain Adrnins

net group "Domain Controllers 11 /domain

List DCs for current domain

net share

Current SMB shares

net session I find I "\\"

Active SHB sessions

net user user /ACTIVE:jes /domain

Unlock domain user account

net user user '' newpassword '' /domain

Change domain user password

net share share c:\share /GRANT:Everyone,FULL

Share folder

## Windows Remote Commands

Command	Description
tasklist /S ip /v	Remote process listing
systeminfo /S ip /U domain\user /P Pwd	Remote systeminfo
net share \\ ip	Shares of remote computer
net use \\ ip	Remote filesystem (IPC$)
net use z: \\ ip \share password /user: D0l1AIN\ user	Map drive, specified credentials
reg add \\ ip \ regkej \ value	Add registry key remotely
sc \\ ip create service binpath=C:\Windows\System32\x.exe start=auto	Create a remote service (space after start=)
xcopy /s \\ ip \dir C:\local	Copy remote folder
shutdown /m \\ ip /r /t 0 /f	Remotely reboot machine

Command

Description

tasklist /S ip /v

Remote process listing

systeminfo /S ip /U domain\user /P Pwd

Remote systeminfo

net share \\ ip

Shares of remote computer

net use \\ ip

Remote filesystem (IPC$)

net use z: \\ ip \share password /user: D0l1AIN\ user

Map drive, specified credentials

reg add \\ ip \ regkej \ value

Add registry key remotely

sc \\ ip create service binpath=C:\Windows\System32\x.exe start=auto

Create a remote service (space after start=)

xcopy /s \\ ip \dir C:\local

Copy remote folder

shutdown /m \\ ip /r /t 0 /f

Remotely reboot machine

Windows Network Commands

command	Description
type file	Display file contents
del path\' .• /a /s /q /f	Forceably delete all files in path
file	Find "str"
find /I ''str'' filename	Line count of
command I find /c /v	Schedule file
at HH:Ml1 file [args] (i.e. at 14:45 cmd /c)	cmd output to run
runas /user: user " file [args] 11	Run file as user
restart /r /t 0	Restart now
tr -d '\15\32' win.txt unix.txt	Removes CR & 'Z ('nix)
makecab file	Native compression
Wusa.exe /uninstall /kb: ###	Uninstall patch
cmd.exe "wevtutil qe Application /c:40 /f:text /rd:true"	CLI Event Viewer
lusrrngr.rnsc	Local user manager
services.msc	Services control panel
taskmgr.exe	Task manager
secpool.rnsc	Security policy
eventvwr.rnsc	Event viewer

command

Description

type file

Display file contents

del path\' .• /a /s /q /f

Forceably delete all files in path

file

Find "str"

find /I ''str'' filename

Line count of

command I find /c /v

Schedule file

at HH:Ml1 file [args] (i.e. at 14:45 cmd /c)

cmd output to run

runas /user: user " file [args] 11

Run file as user

restart /r /t 0

Restart now

tr -d '\15\32' win.txt unix.txt

Removes CR & 'Z ('nix)

makecab file

Native compression

Wusa.exe /uninstall /kb: ###

Uninstall patch

cmd.exe "wevtutil qe Application /c:40 /f:text /rd:true"

CLI Event Viewer

lusrrngr.rnsc

Local user manager

services.msc

Services control panel

taskmgr.exe

Task manager

secpool.rnsc

Security policy

eventvwr.rnsc

Event viewer

Windows Utility Commands

Wire Shark Display Filters

eth.dst

eth.lg

eth.trailer

eth.ig

eth.multicast

eth.type

vlan.cfi	vlan.id	vlan.priority
vlan.etype	vlan.len	vlan.trailer

Previouswin Nextpowershell

Last updated 8 months ago