Cheat sheet for Windows.
- Windows commands (Microsoft)
- For Users & Groups, see Users & Groups & Active Directory (AD)
- For PowerShell commands, see PowerShell Cheat Sheet.
- Connect to databases with OLE DB
Windows Basics
List files from current directory, including hidden files
dir /a
dir /a C:\
Show current directory
cd
# Display file content
type filename.txt
# Display file content, interactive mode
more filename.txt
Show hostname
hostname
Show IP address
ipconfig
Traceroute
tracert hostname
System information (OS, domain, etc.)
systeminfo
Reboot
shutdown /r
List users
See Active Directory.
dir c:\users
Groups for current user
whoami /groups
Clear terminal
cls
Copy file
copy source-file.txt destination-file.txt
Rename a file
ren "oldname.txt" "newname.txt"
MD5 of file
certUtil -hashfile file.txt MD5
List shares
net share
Accessing file share
\\MachineName\c$\
Users who are not local admins could bypass restrictions on access to the C: drive by entering one of these paths in a web browser:
\\127.0.0.1\c$
\\localhost\c$
Unzip a .zip file in current directory
powershell -c "Expand-Archive <filename>.zip ."
Environment variables
List all environment variables
set
Set an environment variable
SET ORACLE_SID=SID
Registry
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
List registry (recursively)
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /s
Access rights
See Official Documentation for icacls.
- F – Full access
- M – Modify access
- RX – Read and execute access
- R – Read-only access
- W – Write-only access
icacls "<file>"
icacls "C:\Program Files\Windows Media Player\wmplayer.exe"
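Added example (not part of the original cheat sheet): a Python parser for icacls output that separates the inheritance flags, such as (I), (OI) and (CI), from the rights letters listed above and reports allow entries that let a broad group change the file. The sample output, the path C:\Tools\agent\agent.exe and the list of broad groups are constructed assumptions.

```python
import re

WRITE_RIGHTS = {"F", "M", "W"}                  # letters above that permit changes
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}   # icacls inheritance markers
# Assumption: groups that should not be able to modify program files.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}

ACE_RE = re.compile(r"(?P<who>[^:()]+):(?P<groups>(?:\([^()]*\))+)\s*$")

def parse_icacls(output, path):
    """Parse `icacls <path>` output into a list of ACE dicts."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):        # the first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                        # blank line or "Successfully processed ..."
            continue
        ace = {"who": m.group("who").strip(), "deny": False,
               "flags": [], "rights": set()}
        for group in re.findall(r"\(([^()]*)\)", m.group("groups")):
            if group == "DENY":
                ace["deny"] = True
            elif group in INHERIT_FLAGS:
                ace["flags"].append(group)
            else:                        # e.g. "F" or a list such as "RX,W"
                ace["rights"].update(r.strip() for r in group.split(","))
        aces.append(ace)
    return aces

def risky_aces(aces):
    """Allow-ACEs that give a broad group F, M or W on the object itself."""
    return [a for a in aces
            if not a["deny"] and "IO" not in a["flags"]   # IO = inherit only
            and a["who"].lower() in BROAD and a["rights"] & WRITE_RIGHTS]

# Constructed sample output for a hypothetical file.
SAMPLE_PATH = r"C:\Tools\agent\agent.exe"
SAMPLE = r"""C:\Tools\agent\agent.exe BUILTIN\Administrators:(I)(F)
                         NT AUTHORITY\SYSTEM:(I)(F)
                         BUILTIN\Users:(I)(RX)
                         NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for ace in risky_aces(parse_icacls(SAMPLE, SAMPLE_PATH)):
        print(ace["who"], sorted(ace["rights"]))
```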
Processes
tasklist
tasklist /FI "IMAGENAME eq <process name>.exe"
To get program arguments, use this:
WMIC path win32_process get Caption,Processid,Commandline > processes.txt
Kill a process
# Kill a process by name
taskkill /IM "notepad.exe" /F
# Kill a process by PID
taskkill /F /PID 1234
# In the job scheduler
taskkill /IM "process.exe" /F >> "C:\Users\<username>\Desktop\kill_process.log"
File Search
- Official Documentation (Microsoft) – findstr
where /r c:\ *.exe
where /r c:\ flag.txt
Search for a file in all subdirectories
cd C:\somedir
dir secret.doc /s /p
dir secret.doc /s /p | find /i "some string in filename"
<some command> | findstr /i LocalPort | sort /unique
Search text in file
find /i "password" c:\somedir\myfile.txt
# Search text "flag" in files
findstr /s /i flag *.*
findstr /s /i somestring *.*
# Find all occurrences of the word "Windows" (case sensitive) in the file Proposal.txt
findstr Windows proposal.txt
# See PowerShell section
Hosts file (“/etc/hosts”)
This file is used to resolve host names before DNS.
C:\Windows\System32\drivers\etc\hosts
Mount Drive
wmic logicaldisk get caption || fsutil fsinfo drives
List volumes
mountvol
Mount volume
mountvol DRIVE-LETTER:\ VOLUME-NAME
mountvol e:\ \\?\Volume{...}\
Permanently delete files
Delete the file from the Recycle Bin first or this will not work, because cipher /w only overwrites free (deallocated) disk space.
powershell cipher /w:C:
powershell cipher /w:C:\Users\Jim\Documents
Screenshot & Videos
- PrintScreen -> copied to clipboard
- Windows key + PrintScreen -> file created in Pictures\Screenshots
- Windows key + Shift + S -> section of screen copied to clipboard (Snip and Sketch)
Screen recording
Record using the Game Bar (Windows 10+)
- Press keys Windows+G
Windows Services
Managing services in Windows.
For specific services, see Ports & Protocols.
Managing services using the GUI
%windir%\system32\services.msc
Start a service
net start <service name>
Stop a service
net stop <service name>
Network service status (listening ports and connections)
netstat -ant
netstat