Windows Reference
Windows Versions
Kernel | Version |
---|---|
NT 3.1 | Windows NT 3.1 (All) |
NT 3.5 | Windows NT 3.5 (All) |
NT 3.51 | Windows NT 3.51 (All) |
NT 4.0 | Windows NT 4.0 (All) |
NT 5.0 | Windows 2000 (All) |
NT 5.1 | Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded) |
NT 5.2 |
|
NT 6.0 |
|
NT 6.1 |
|
NT 6.2 |
|
Windows Files
Command | Description |
---|---|
%SYSTEMROOT% | Typically C:\Windows |
%SYSTEMROOT%\System32\drivers\etc\hosts | DNS entries |
%SYSTEMROOT%\System32\drivers\etc\networks | Network settings |
%SYSTEMROOT%\System32\config\SAM | User & password hashes |
%SYSTEMROOT%\repair\SAM | Backup copy of SAM |
%SYSTEMROOT%\System32\config\RegBack\SAM | Backup copy of SAM |
%WINDIR%\system32\config\AppEvent.Evt | Application Log |
%WINDIR%\system32\config\SecEvent.Evt | Security Log |
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\ | Startup Location |
%USERPROFILE%\Start Menu\Programs\Startup\ | Startup Location |
%SYSTEMROOT%\Prefetch | Prefetch dir (EXE logs) |
Windows System Info Commands
Command | Description |
---|---|
ver | Get OS version |
sc query state= all | Show services |
tasklist /svc | Show processes & services |
tasklist /m | Show all processes & DLLs |
tasklist /S ip /v | Remote process listing |
taskkill /PID pid /F | Force process to terminate |
systeminfo /S ip /U domain\user /P Pwd | Remote system info |
reg query \\ip\RegDomain\Key /v Value | Query remote registry, /s=all values |
reg query HKLM /f password /t REG_SZ /s | Search registry for password |
fsutil fsinfo drives | List drives (must be admin) |
dir /a /s /b c:\*.pdf* | Search for all PDFs |
dir /a /b c:\windows\kb* | Search for patches |
findstr /si password *.txt *.xml *.xls | Search files for password |
tree /F /A c:\ > tree.txt | Directory listing of C: |
reg save HKLM\Security security.hive | Save security hive to file |
echo %USERNAME% | Current user |
Windows System NET/Domain Commands
Command | Description |
---|---|
net view /domain | Hosts in current domain |
net view /domain:[MYDOMAIN] | Hosts in [MYDOMAIN] |
net user /domain | All users in current domain |
net user user pass /add | Add user |
net localgroup "Administrators" user /add | Add user to Administrators |
net accounts /domain | Domain password policy |
net localgroup "Administrators" | List local Admins |
net group /domain | List domain groups |
net group "Domain Admins" /domain | List users in Domain Admins |
net group "Domain Controllers" /domain | List DCs for current domain |
net share | Current SMB shares |
net session \| find /I "\\" | Active SMB sessions |
net user user /ACTIVE:yes /domain | Unlock domain user account |
net user user "newpassword" /domain | Change domain user password |
net share share=c:\share /GRANT:Everyone,FULL | Share folder |
## Windows Remote Commands
Command | Description |
---|---|
tasklist /S ip /v | Remote process listing |
systeminfo /S ip /U domain\user /P Pwd | Remote systeminfo |
net view \\ip | Shares of remote computer |
net use \\ip | Remote filesystem (IPC$) |
net use z: \\ip\share password /user:DOMAIN\user | Map drive, specified credentials |
reg add \\ip\regkey\value | Add registry key remotely |
sc \\ip create service binpath= C:\Windows\System32\x.exe start= auto | Create a remote service (space after start=) |
xcopy /s \\ip\dir C:\local | Copy remote folder |
shutdown /m \\ip /r /t 0 /f | Remotely reboot machine |
Windows Network Commands
Command | Description |
---|---|
type file | Display file contents |
del path\*.* /a /s /q /f | Forcibly delete all files in path |
find /I "str" filename | Find "str" |
command \| find /c /v "" | Line count of cmd output |
at HH:MM file [args] (i.e. at 14:45 cmd /c) | Schedule file to run |
runas /user:user "file [args]" | Run file as user |
shutdown /r /t 0 | Restart now |
tr -d '\15\32' < win.txt > unix.txt | Removes CR & ^Z (*nix) |
makecab file | Native compression |
wusa.exe /uninstall /kb:### | Uninstall patch |
cmd.exe "wevtutil qe Application /c:40 /f:text /rd:true" | CLI Event Viewer |
lusrmgr.msc | Local user manager |
services.msc | Services control panel |
taskmgr.exe | Task manager |
secpol.msc | Security policy |
eventvwr.msc | Event viewer |
Windows Utility Commands
Wireshark Display Filters
eth.dst | eth.lg | eth.trailer |
eth.ig | eth.multicast | eth.type |