Windows Reference
Windows Versions
NT 3.1
Windows NT 3.1 (All)
NT 3.5
Windows NT 3.5 (All)
NT 3.51
Windows NT 3.51 (All)
NT 4.0
Windows NT 4.0 (All)
NT 5.0
Windows 2000 (All)
NT 5.1
Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded)
NT 5.2
Windows XP (64-bit, Pro 64-bit)
Windows Server 2003 & R2 (Standard, Enterprise)
Windows Home Server
NT 6.0
Windows Vista (Starter, Home, Basic, Home Premium, Business, Enterprise, Ultimate)
Windows Server 2008 (Foundation, Standard, Enterprise)
NT 6.1
Windows 7 (Starter, Home, Pro, Enterprise, Ultimate)
Windows Server 2008 R2 (Foundation, Standard, Enterprise)
NT 6.2
Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM))
Windows Phone 8
Windows Server 2012 (Foundation, Essentials, Standard)
Windows Files
%SYSTEMROOT%
Typically C:\Windows
%SYSTEMROOT%\System32\drivers\etc\hosts
DNS entries
%SYSTEMROOT%\System32\drivers\etc\networks
Network settings
%SYSTEMROOT%\System32\config\SAM
User & password hashes
%SYSTEMROOT%\repair\SAM
Backup copy of SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
Backup copy of SAM
%WINDIR%\system32\config\AppEvent.Evt
Application Log
%WINDIR%\system32\config\SecEvent.Evt
Security Log
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\
Startup Location
%USERPROFILE%\Start Menu\Programs\Startup\
Startup Location
%SYSTEMROOT%\Prefetch
Prefetch dir (EXE logs)
Windows System Info Commands
ver
Get OS version
sc query state= all
Show services
tasklist /svc
Show processes & services
tasklist /m
Show all processes & DLLs
tasklist /S ip /v
Remote process listing
taskkill /PID pid /F
Force process to terminate
systeminfo /S ip /U domain\user /P Pwd
Remote system info
reg query \\ip\RegDomain\Key /v Value
Query remote registry, /s=all values
reg query HKLM /f password /t REG_SZ /s
Search registry for password
fsutil fsinfo drives
List drives (must be admin)
dir /a /s /b c:\*.pdf*
Search for all PDFs
dir /a /b c:\windows\kb*
Search for patches
findstr /si password *.txt *.xml *.xls
Search files for password
tree /F /A c:\ > tree.txt
Directory listing of C:
reg save HKLM\Security security.hive
Save security hive to file
echo %USERNAME%
Current user
Windows System NET/Domain Commands
net view /domain
Hosts in current domain
net view /domain:[MYDOMAIN]
Hosts in [MYDOMAIN]
net user /domain
All users in current domain
net user user pass /add
Add user
net localgroup "Administrators" user /add
Add user to Administrators
net accounts /domain
Domain password policy
net localgroup "Administrators"
List local Admins
net group /domain
List domain groups
net group "Domain Admins" /domain
List users in Domain Admins
net group "Domain Controllers" /domain
List DCs for current domain
net share
Current SMB shares
net session | find "\\"
Active SMB sessions
net user user /ACTIVE:yes /domain
Unlock domain user account
net user user "newpassword" /domain
Change domain user password
net share share=c:\share /GRANT:Everyone,FULL
Share folder
## Windows Remote Commands
tasklist /S ip /v
Remote process listing
systeminfo /S ip /U domain\user /P Pwd
Remote systeminfo
net view \\ip
Shares of remote computer
net use \\ip
Remote filesystem (IPC$)
net use z: \\ip\share password /user:DOMAIN\user
Map drive, specified credentials
reg add \\ip\regkey\value
Add registry key remotely
sc \\ip create service binpath=C:\Windows\System32\x.exe start= auto
Create a remote service (space after start=)
xcopy /s \\ip\dir C:\local
Copy remote folder
shutdown /m \\ip /r /t 0 /f
Remotely reboot machine
Remotely reboot machine
Windows Network Commands
type file
Display file contents
del path\*.* /a /s /q /f
Forcibly delete all files in path
find /I "str" filename
Find "str"
command | find /c /v ""
Line count of cmd output
at HH:MM file [args] (i.e. at 14:45 cmd /c)
Schedule file to run
runas /user:user "file [args]"
Run file as user
shutdown /r /t 0
Restart now
tr -d '\15\32' < win.txt > unix.txt
Removes CR & ^Z (*nix)
makecab file
Native compression
Wusa.exe /uninstall /kb:###
Uninstall patch
cmd.exe "wevtutil qe Application /c:40 /f:text /rd:true"
CLI Event Viewer
lusrmgr.msc
Local user manager
services.msc
Services control panel
taskmgr.exe
Task manager
secpol.msc
Security policy
eventvwr.msc
Event viewer
Windows Utility Commands
Wireshark Display Filters
eth.dst
eth.lg
eth.trailer
eth.ig
eth.multicast
eth.type