Windows Reference
Windows Versions
NT 3.1
Windows NT 3.1 (All)
NT 3.5
Windows NT 3.5 (All)
NT 3.51
Windows NT 3.51 (All)
NT 4.0
Windows NT 4.0 (All)
NT 5.0
Windows 2000 (All)
NT 5.1
Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded)
NT 5.2
Windows XP (64-bit, Pro 64-bit)
Windows Server 2003 & R2 (Standard, Enterprise)
Windows Home Server
NT 6.0
Windows Vista (Starter, Home, Basic, Home Premium, Business, Enterprise, Ultimate)
Windows Server 2008 (Foundation, Standard, Enterprise)
NT 6.1
Windows 7 (Starter, Home, Pro, Enterprise, Ultimate)
Windows Server 2008 R2 (Foundation, Standard, Enterprise)
NT 6.2
Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM))
Windows Phone 8
Windows Server 2012 (Foundation, Essentials, Standard)
Windows Files
%SYSTEMROOT%
Typically C:\Windows
%SYSTEMROOT%\System32\drivers\etc\hosts
DNS entries
%SYSTEMROOT%\System32\drivers\etc\networks
Network settings
%SYSTEMROOT%\system32\config\SAM
User & password hashes
%SYSTEMROOT%\repair\SAM
Backup copy of SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
Backup copy of SAM
%WINDIR%\system32\config\AppEvent.Evt
Application Log
%WINDIR%\system32\config\SecEvent.Evt
Security Log
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\
Startup Location
%USERPROFILE%\Start Menu\Programs\Startup\
Startup Location
%SYSTEMROOT%\Prefetch
Prefetch dir (EXE logs)
Windows System Info Commands
ver
Get OS version
sc query state= all
Show services
tasklist /svc
Show processes & services
tasklist /m
Show all processes & DLLs
tasklist /S ip /v
Remote process listing
taskkill /PID pid /F
Force process to terminate
systeminfo /S ip /U domain\user /P Pwd
Remote system info
reg query \\ip\RegDomain\Key /v Value
Query remote registry, /s=all values
reg query HKLM /f password /t REG_SZ /s
Search registry for password
fsutil fsinfo drives
List drives (must be admin)
dir /a /s /b c:\*.pdf*
Search for all PDFs
dir /a /b c:\windows\kb*
Search for patches
findstr /si password *.txt *.xml *.xls
Search files for password
tree /F /A c:\ > tree.txt
Directory listing of C:
reg save HKLM\Security security.hive
Save security hive to file
echo %USERNAME%
Current user
Windows System NET/Domain Commands
net view /domain
Hosts in current domain
net view /domain:[MYDOMAIN]
Hosts in [MYDOMAIN]
net user /domain
All users in current domain
net user user pass /add
Add user
net localgroup "Administrators" user /add
Add user to Administrators
net accounts /domain
Domain password policy
net localgroup "Administrators"
List local Admins
net group /domain
List domain groups
net group "Domain Admins" /domain
List users in Domain Admins
net group "Domain Controllers" /domain
List DCs for current domain
net share
Current SMB shares
net session | find "\\"
Active SMB sessions
net user user /ACTIVE:yes /domain
Unlock domain user account
net user user "newpassword" /domain
Change domain user password
net share share c:\share /GRANT:Everyone,FULL
Share folder
## Windows Remote Commands
tasklist /S ip /v
Remote process listing
systeminfo /S ip /U domain\user /P Pwd
Remote systeminfo
net share \\ip
Shares of remote computer
net use \\ip
Remote filesystem (IPC$)
net use z: \\ip\share password /user:DOMAIN\user
Map drive, specified credentials
reg add \\ip\regkey\value
Add registry key remotely
sc \\ip create service binpath= C:\Windows\System32\x.exe start= auto
Create a remote service (space after start=)
xcopy /s \\ip\dir C:\local
Copy remote folder
shutdown /m \\ip /r /t 0 /f
Remotely reboot machine
Windows Network Commands
type file
Display file contents
del path\*.* /a /s /q /f
Forcibly delete all files in path
find /I "str" filename
Find "str" in file
command | find /c /v ""
Line count of cmd output
at HH:MM file [args] (i.e. at 14:45 cmd /c)
Schedule file to run
runas /user:user "file [args]"
Run file as user
shutdown /r /t 0
Restart now
tr -d '\15\32' < win.txt > unix.txt
Removes CR & ^Z (*nix)
makecab file
Native compression
Wusa.exe /uninstall /kb:###
Uninstall patch
cmd.exe "wevtutil qe Application /c:40 /f:text /rd:true"
CLI Event Viewer
lusrmgr.msc
Local user manager
services.msc
Services control panel
taskmgr.exe
Task manager
secpol.msc
Security policy
eventvwr.msc
Event viewer
Windows Utility Commands
Wireshark Display Filters
eth.dst
eth.lg
eth.trailer
eth.ig
eth.multicast
eth.type
ip.checksum
ip.fragment.toolongfragment
ip.checksum_bad
ip.fragments
ip.checksum_good
ip.hdr_len
ip.dsfield
ip.host
ip.dsfield.ce
ip.id
ip.dsfield.dscp
ip.len
ip.dsfield.ect
ip.proto
ip.dst
ip.reassembled_in
ip.dst_host
ip.src
ip.flags
ip.src_host
ip.flags.df
ip.tos
ip.flags.mf
ip.tos.cost
ip.flags.rb
ip.tos.delay
ip.frag_offset
ip.tos.precedence
ip.fragment
ip.tos.reliability
ip.fragment.error
ip.tos.throughput
ip.fragment.multipletails
ip.ttl
ip.fragment.overlap
ip.version
ipv6.class
ipv6.host
ipv6.dst
ipv6.mipv6_home_address
ipv6.dst_host
ipv6.mipv6_length
ipv6.dst_opt
ipv6.mipv6_type
ipv6.flow
ipv6.nxt
ipv6.fragment
ipv6.opt.pad1
ipv6.fragment.error
ipv6.opt.padn
ipv6.fragment.more
ipv6.plen
ipv6.fragment.multipletails
ipv6.reassembled_in
ipv6.fragment.offset
ipv6.routing_hdr
ipv6.fragment.overlap
ipv6.routing_hdr.addr
ipv6.fragment.overlap.conflict
ipv6.routing_hdr.left
ipv6.fragment.toolongfragment
ipv6.routing_hdr.type
ipv6.fragments
ipv6.src
ipv6.fragment.id
ipv6.src_host
ipv6.hlim
ipv6.version
vlan.etype
vlan.len
vlan.trailer