Cheat sheet for Windows.
- Windows commands (Microsoft)
- For Users & Groups, see Users & Groups & Active Directory (AD)
- For PowerShell commands, see PowerShell Cheat Sheet.
- Connect to databases with OLE DB
Windows Basics
List files from current directory, including hidden files
dir /a
dir /a C:\
# Hidden directories only
dir /a:hd
Show current directory
cd
# Display file content
type filename.txt
# Display file content, interactive mode
more filename.txt
Show hostname
hostname
Show IP address
ipconfig
Traceroute
tracert hostname
System information (OS, domain, etc.)
systeminfo
Reboot
shutdown /r
List users
See Active Directory.
dir c:\users
Groups for current user
whoami /groups
Run commands as another user
runas /user:DOMAIN\username C:\Windows\System32\cmd.exe
[password]
Clear terminal
cls
Copy file
copy source-file.txt destination-file.txt
Rename a file
ren "oldname.txt" "newname.txt"
MD5 of file
certUtil -hashfile file.txt MD5
List shares
net share
Accessing file share
\\MachineName\c$\
Users who are not local admins may be able to bypass restricted access to the C drive by entering one of these paths in a web browser:
\\127.0.0.1\c$
\\localhost\c$
Unzip a .zip file in current directory
powershell -c "Expand-Archive <filename>.zip ."
Environment variables
List all environment variables
set
Set an environment variable
SET ORACLE_SID=SID
Registry
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
List registry (recursively)
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /s
Access rights
See Official Documentation for icacls.
- F – Full access
- M – Modify access
- RX – Read and execute access
- R – Read-only access
- W – Write-only access
icacls "<file>"
icacls "C:\Program Files\Windows Media Player\wmplayer.exe"
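To read icacls output as an audit check, the following added example (not part of the original cheat sheet) parses it and reports allow entries that give a broad group F, M or W on a file. The function names, the list of "broad" groups and the sample output are assumptions made for illustration; advanced rights such as WD are not interpreted.

```python
import re

# Rights letters from the list above that allow changing a file.
WRITE_RIGHTS = {"F", "M", "W"}
# icacls inheritance markers; these are not access rights.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Assumption: groups this audit treats as "broad".
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}

def parse_icacls(output, path):
    """Return (principal, rights, is_deny) tuples from icacls output for one path."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):  # the first ACE shares a line with the path
            line = line[len(path):].strip()
        if ":(" not in line:  # blank lines and the "Successfully processed" footer
            continue
        principal, _, spec = line.partition(":(")
        tokens = re.findall(r"\(([^)]+)\)", "(" + spec)
        rights = set()
        for tok in tokens:
            if tok not in INHERIT_FLAGS and tok != "DENY":
                rights.update(r.strip() for r in tok.split(","))
        entries.append((principal, rights, "DENY" in tokens))
    return entries

def risky_entries(output, path):
    """Allow entries that give a broad group F, M or W on the file."""
    return [
        (principal, sorted(rights & WRITE_RIGHTS))
        for principal, rights, deny in parse_icacls(output, path)
        if not deny and principal.lower() in BROAD and rights & WRITE_RIGHTS
    ]

# Constructed sample output, not captured from a real host.
SAMPLE_PATH = r"C:\Apps\Tool\tool.exe"
SAMPLE = r"""C:\Apps\Tool\tool.exe BUILTIN\Administrators:(I)(F)
                      NT AUTHORITY\SYSTEM:(I)(F)
                      BUILTIN\Users:(I)(RX)
                      NT AUTHORITY\Authenticated Users:(I)(M)
                      Everyone:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for principal, rights in risky_entries(SAMPLE, SAMPLE_PATH):
        print(f"{principal} can modify {SAMPLE_PATH}: {','.join(rights)}")
```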
Processes
tasklist
tasklist /FI "IMAGENAME eq <process name>.exe"
To get program arguments, use this:
WMIC path win32_process get Caption,Processid,Commandline > processes.txt
Kill a process
# Kill a process by name
taskkill /IM "notepad.exe" /F
# Kill a process by PID
taskkill /F /PID 1234
# In the job scheduler
taskkill /IM "process.exe" /F >> "C:\Users\<username>\Desktop\kill_process.log"
File Search
- Official Documentation (Microsoft) – findstr
where /r c:\ *.exe
where /r c:\ flag.txt
Search for a file in all subdirectories
cd C:\somedir
dir secret.doc /s /p
dir secret.doc /s /p | find /i "some string in filename"
<some command> | findstr /i LocalPort | sort /unique
Search text in file
find /i "password" c:\somedir\myfile.txt
# Search text "flag" in files
findstr /s /i flag *.*
findstr /s /i somestring *.*
# Find all occurrences of the word "Windows" (case sensitive) in the file Proposal.txt
findstr Windows proposal.txt
# See PowerShell section
Search largest files
Size > 1GB (1024 * 1024 * 1024 = 1073741824). @fsize is in bytes.
forfiles /S /C "cmd /c if @fsize GTR 1073741824 echo @path"
Size > 10GB (1024 * 1024 * 1024 * 10 = 10737418240)
forfiles /S /C "cmd /c if @fsize GTR 10737418240 echo @path"
Alternative (DOES NOT SEEM TO WORK…): Using the graphical File Explorer, go to your disk (like C:). Search:
Size > 10 GB
Hosts file (“/etc/hosts”)
This file is used to resolve host names before DNS.
C:\Windows\System32\drivers\etc\hosts
Mount Drive
wmic logicaldisk get caption || fsutil fsinfo drives
List volumes
mountvol
Mount volume
mountvol DRIVE-LETTER:\ VOLUME-NAME
mountvol e:\ \\?\Volume{...}\
Permanently delete files
cipher /w overwrites the unused (deallocated) space on the volume, so delete the file and remove it from the Recycle Bin first or this will not work.
powershell cipher /w:C:
powershell cipher /w:C:\Users\Jim\Documents
Screenshot & Videos
- PrintScreen -> copied to clipboard
- Windows key + PrintScreen -> file created in Pictures\Screenshots
- Windows key + Shift + S -> section of screen copied to clipboard (Snip and Sketch)
Screen recording
Record using the Game Bar (Windows 10+)
- Press keys Windows+G
Windows Services
Managing services in Windows.
For specific services, see Ports & Protocols.
Managing services using the GUI
%windir%\system32\services.msc
Start a service
net start <service name>
Stop a service
net stop <service name>
Service status (listening ports and active connections)
netstat -ant
netstat
Windows Lab
Free Windows 10 VM
Download virtual machine:
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines
The VM will require a minimum of 8GB of RAM and at least 70GB of disk space.
- Username: User
- Password: <none>
Windows Sandbox
Windows Sandbox is currently not supported on Windows Home edition.
- Windows Sandbox (Microsoft)
- Windows Sandbox configuration (Microsoft)
Run a command prompt as administrator:
powershell
Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
Reboot to apply the changes. Create a configuration file, like machine1.wsb:
<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\somefolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Shared</SandboxFolder>
      <!-- false: the sandbox can write to the host folder -->
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <!-- These settings take Enable, Disable or Default, not true/false -->
  <ClipboardRedirection>Enable</ClipboardRedirection>
  <Networking>Enable</Networking>
  <ProtectedClient>Disable</ProtectedClient>
</Configuration>
Double-click on the file to start the sandbox.
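For opening untrusted files, a tighter variant of the configuration above maps the host folder read-only and turns off networking, clipboard sharing and the virtual GPU. This is an added example, not part of the original cheat sheet; the host folder path is a placeholder and the file name (for example machine1-isolated.wsb) is an assumption.

```xml
<Configuration>
  <MappedFolders>
    <MappedFolder>
      <!-- Placeholder host path; the sandbox cannot write back to it -->
      <HostFolder>C:\Users\somefolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Shared</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <!-- No network access from inside the sandbox -->
  <Networking>Disable</Networking>
  <!-- No copy/paste between host and sandbox -->
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <!-- Extra restrictions on the sandbox's remote desktop client -->
  <ProtectedClient>Enable</ProtectedClient>
  <!-- Software rendering instead of sharing the host GPU -->
  <vGPU>Disable</vGPU>
</Configuration>
```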
Windows Recall
Only on Copilot+ PCs.
- Privacy and control over your Recall experience (Microsoft)
You can turn saving snapshots on or off at any time by going to
Settings -> Privacy & security -> Recall & snapshots.