Windows

Cheat sheet for Windows.

Windows Basics

List files from current directory, including hidden files (/a shows entries with any attribute; /a:hd shows only hidden directories)

dir /a
dir /a C:\
dir /a:hd C:\

Show current directory

cd

Display file content

type filename.txt

Display file content, interactive mode (one screen at a time)

more filename.txt

Show hostname

hostname

Show IP address

ipconfig

Traceroute

tracert hostname

System information (OS, domain, etc.)

systeminfo

Reboot

shutdown /r

List users

See Active Directory.

dir c:\users

Groups for current user

whoami /groups

Run commands as another user

runas /user:DOMAIN\username C:\Windows\System32\cmd.exe
[password]

Clear terminal

cls

Copy file

copy source-file.txt destination-file.txt

Rename a file

ren "oldname.txt" "newname.txt"

MD5 of file

certUtil -hashfile file.txt MD5

List shares

net share

Accessing file share

\\MachineName\c$\

When users are not local admins and direct access to the C: drive is restricted, they may still be able to reach it by entering one of these UNC paths in a web browser:

\\127.0.0.1\c$
\\localhost\c$

Unzip a .zip file in current directory

powershell -c "Expand-Archive <filename>.zip ."

Environment variables

List all environment variables

set

Set an environment variable

SET ORACLE_SID=SID

Registry

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

List registry (recursively)

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /s

Access rights

See Official Documentation for icacls.

  • F – Full access
  • M – Modify access
  • RX – Read and execute access
  • R – Read-only access
  • W – Write-only access

icacls "<file>"
icacls "C:\Program Files\Windows Media Player\wmplayer.exe"
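Reading icacls output by eye is error-prone when the question is "can a standard user modify this binary?". The following PowerShell function is an added example, not part of the original cheat sheet: it uses Get-Acl to report Allow entries that grant W, M or F (in icacls terms) to broad principals such as Everyone or BUILTIN\Users, the kind of entry that lets a non-admin replace an executable that runs with higher privileges. The principal list and the Program Files sweep at the end are assumptions chosen for illustration; the example assumes PowerShell 5.1 or later on Windows.

```powershell
# Added example (not from the original cheat sheet). Assumes PowerShell 5.1+ on Windows.
function Test-WeakFilePermission {
    param([Parameter(Mandatory)][string]$Path)

    # Principals that effectively mean "any interactive user" (assumed list, extend as needed).
    $broadPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )

    # Rights that allow changing the file: W (Write), M (Modify) or F (FullControl).
    # Generic rights bits (e.g. GENERIC_WRITE) are not covered by this mask.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::FullControl)

    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $writeMask) -ne 0
        } |
        Select-Object @{ Name = 'Path'; Expression = { $Path } },
                      IdentityReference, FileSystemRights, IsInherited
}

# Review the binary from the icacls example above ...
Test-WeakFilePermission -Path 'C:\Program Files\Windows Media Player\wmplayer.exe'

# ... then every executable and DLL under Program Files (slow, but worth doing once)
Get-ChildItem 'C:\Program Files' -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Test-WeakFilePermission -Path $_.FullName }
```

No output means no broad principal has write-class rights on that file. Check the containing folder as well: a folder where Users can create files allows DLL planting even when the binary itself is locked down.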

Processes

tasklist
tasklist <process name without file extension>

To get program arguments, use this:

WMIC path win32_process get Caption,Processid,Commandline > processes.txt
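WMIC is deprecated in recent Windows builds, and the same data is available through CIM. The function below is an added example, not part of the original cheat sheet: it returns each process with its command line and, unlike the WMIC one-liner, the name of its parent process, which is usually the first thing an incident responder wants next to the arguments. The output paths and the filter on powershell.exe are assumptions for illustration; it assumes PowerShell 5.1 or later.

```powershell
# Added example (not from the original cheat sheet). Assumes PowerShell 5.1+ on Windows.
function Get-ProcessCommandLine {
    param([string]$Name = '*')   # wildcard on the image name, e.g. 'powershell.exe'

    $all  = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

    $all | Where-Object { $_.Name -like $Name } | ForEach-Object {
        $parent     = $byId[[int]$_.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }   # parent may be gone (PID reuse is possible)
        [pscustomobject]@{
            PID         = $_.ProcessId
            Name        = $_.Name
            ParentPID   = $_.ParentProcessId
            ParentName  = $parentName
            CommandLine = $_.CommandLine
        }
    }
}

# Equivalent of the WMIC export above, as CSV on the desktop (assumed path)
Get-ProcessCommandLine | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\processes.csv"

# Only PowerShell instances, with full command lines (long arguments are not truncated in list view)
Get-ProcessCommandLine -Name 'powershell.exe' | Format-List
```

Running this elevated returns command lines for processes of all users; as a standard user, CommandLine is empty for processes you cannot open.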

Kill a process

# Kill a process by name
taskkill /IM "notepad.exe" /F

# Kill a process by PID
taskkill /F /PID 1234

# From the job scheduler, appending the result to a log file
taskkill /IM "process.exe" /F >> "C:\Users\<username>\Desktop\kill_process.log"

Search for a file in all subdirectories

where /r c:\ *.exe
where /r c:\ flag.txt

cd C:\somedir
dir secret.doc /s /p
dir secret.doc /s /p | find /i "some string in filename"

# Filter the output of any command (case-insensitive) and drop duplicate lines
<some command> | findstr /i LocalPort | sort /unique

Search text in file

find /i "password" c:\somedir\myfile.txt
# Search text "flag" in files
findstr /s /i flag *.*
findstr /s /i somestring *.*

# Find all occurrences of the word "Windows" (case sensitive) in the file Proposal.txt
findstr Windows proposal.txt

# See Powershell section

Search largest files

Size > 1GB (1024 * 1024 * 1024 = 1073741824). @fsize is the file size in bytes.

forfiles /S /C "cmd /c if @fsize GTR 1073741824 echo @path"

Size > 10GB (1024 * 1024 * 1024 * 10 = 10737418240)

forfiles /S /C "cmd /c if @fsize GTR 10737418240 echo @path"

Alternative (DOES NOT SEEM TO WORK…): Using the graphical File Explorer, go to your disk (like C:). Search:

Size > 10 GB
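The forfiles commands above hard-code the byte count for each threshold. The following function is an added example, not part of the original cheat sheet: it does the same search in PowerShell, which understands size suffixes such as 1GB and 10GB directly, and returns the largest matches sorted with their size and last write time, so the output can be piped to Export-Csv or Out-GridView. The parameter names and defaults are assumptions; it assumes PowerShell 5.1 or later.

```powershell
# Added example (not from the original cheat sheet). Assumes PowerShell 5.1+ on Windows.
function Find-LargeFile {
    param(
        [string]$Path     = 'C:\',
        [long]  $MinBytes = 1GB,   # PowerShell expands 1GB to 1073741824 (same value as the forfiles example)
        [int]   $Top      = 20
    )
    # -Force includes hidden and system files; access-denied folders are skipped rather than aborting
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt $MinBytes } |
        Sort-Object Length -Descending |
        Select-Object -First $Top FullName,
            @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Length / 1GB, 2) } },
            LastWriteTime
}

# Same thresholds as the two forfiles commands above
Find-LargeFile -Path 'C:\' -MinBytes 1GB  | Format-Table -AutoSize
Find-LargeFile -Path 'C:\' -MinBytes 10GB | Format-Table -AutoSize
```

Run it elevated to see files under other users' profiles; otherwise those folders are silently skipped.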

Host file (“/etc/hosts”)

This file is used to resolve hosts names before DNS.

C:\Windows\System32\drivers\etc\hosts
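Because the hosts file is consulted before DNS, an entry added there silently redirects a name for every program on the machine, which is why it is a standard place to check during triage. The function below is an added example, not part of the original cheat sheet: it parses the file into address/hostname records, ignoring comments and blank lines, and the final pipeline lists every entry that does not point at loopback. The function name and the default path expression are assumptions; it assumes PowerShell 5.1 or later.

```powershell
# Added example (not from the original cheat sheet). Assumes PowerShell 5.1+ on Windows.
function Get-HostsEntry {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")   # same file as above

    Get-Content -LiteralPath $Path -ErrorAction Stop |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |     # skip blank lines and comments
        ForEach-Object {
            # Strip a trailing comment, then split on whitespace: first token is the address
            $line  = ($_ -split '#')[0].Trim()
            $parts = $line -split '\s+'
            [pscustomobject]@{
                Address   = $parts[0]
                Hostnames = ($parts | Select-Object -Skip 1) -join ' '
            }
        }
}

# Default Windows hosts files contain only comments; anything that is not a loopback
# entry was added by someone or something and deserves a look.
Get-HostsEntry | Where-Object { $_.Address -notin @('127.0.0.1', '::1') }
```

The file is normally writable only by administrators, so unexpected entries also indicate that something ran with admin rights; note the file's LastWriteTime (Get-Item on the same path) to narrow the time window.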

List drives

wmic logicaldisk get caption || fsutil fsinfo drives

List volumes

mountvol

Mount volume

mountvol DRIVE-LETTER:\ VOLUME-NAME
mountvol e:\ \\?\Volume{...}\

Permanently delete files

Delete the file from the recycle bin first or this will not work.

powershell cipher /w:C:
powershell cipher /w:C:\Users\Jim\Documents

Screenshot & Videos

  • PrintScreen -> copied to clipboard
  • Windows key + PrintScreen -> file created in Pictures\Screenshots
  • Windows key + Shift + S -> section of screen copied to clipboard (Snip and Sketch)

Screen recording

Record using the Game Bar (Windows 10+)

  • Press keys Windows+G

Windows Services

Managing services in Windows.

For specific services, see Ports & Protocols.

Managing services using the GUI

%windir%\system32\services.msc

Start a service

net start <service name>

Stop a service

net stop <service name>

Service status (listening ports and network connections)

netstat -ant
netstat

Windows Lab

Free Windows 10 VM

Download virtual machine:
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines

The VM will require a minimum of 8GB of RAM and at least 70GB of disk space.

  • Username: User
  • Password: <none>

Windows Sandbox

Windows Sandbox is currently not supported on Windows Home edition.

Run a command prompt as administrator:

powershell
Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online

Reboot to apply the changes. Create a configuration file, like machine1.wsb:

<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\somefolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Shared</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <ClipboardRedirection>true</ClipboardRedirection>
  <Networking>true</Networking>
  <ProtectedClient>false</ProtectedClient>
</Configuration>

Double-click on the file to start the sandbox.
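Editing the XML by hand is fine for one sandbox, but it is easy to leave networking or clipboard access on when examining something untrusted. The function below is an added example, not part of the original cheat sheet: it generates a .wsb file from parameters, defaulting to the restrictive settings (read-only share, no network, no clipboard redirection, ProtectedClient on) so that opening a channel back to the host is a deliberate choice. It writes the values Microsoft documents for these elements, Enable/Disable for Networking, ClipboardRedirection and ProtectedClient and true/false for ReadOnly. The parameter names are assumptions; it assumes PowerShell 5.1 or later and the same default sandbox folder as the file above.

```powershell
# Added example (not from the original cheat sheet). Assumes PowerShell 5.1+ on Windows.
function New-SandboxConfig {
    param(
        [Parameter(Mandatory)][string]$HostFolder,
        [string]$SandboxFolder = 'C:\Users\WDAGUtilityAccount\Desktop\Shared',
        [switch]$Writable,                 # share is read-only unless this is given
        [switch]$EnableNetworking,
        [switch]$EnableClipboard,
        [switch]$DisableProtectedClient,
        [Parameter(Mandatory)][string]$OutFile
    )
    if (-not (Test-Path -LiteralPath $HostFolder -PathType Container)) {
        throw "Host folder does not exist: $HostFolder"
    }

    # Build the document with the XML DOM so characters such as & in paths are escaped correctly
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('Configuration'))

    function Add-TextElement([System.Xml.XmlElement]$Parent, [string]$Name, [string]$Value) {
        $el = $Parent.OwnerDocument.CreateElement($Name)
        $el.InnerText = $Value
        [void]$Parent.AppendChild($el)
    }

    $folders = $root.AppendChild($doc.CreateElement('MappedFolders'))
    $folder  = $folders.AppendChild($doc.CreateElement('MappedFolder'))
    Add-TextElement $folder 'HostFolder'    $HostFolder
    Add-TextElement $folder 'SandboxFolder' $SandboxFolder
    Add-TextElement $folder 'ReadOnly'      $(if ($Writable) { 'false' } else { 'true' })

    Add-TextElement $root 'ClipboardRedirection' $(if ($EnableClipboard)        { 'Enable' }  else { 'Disable' })
    Add-TextElement $root 'Networking'           $(if ($EnableNetworking)       { 'Enable' }  else { 'Disable' })
    Add-TextElement $root 'ProtectedClient'      $(if ($DisableProtectedClient) { 'Disable' } else { 'Enable' })

    # XmlDocument.Save needs a real filesystem path, not a path relative to the PowerShell location
    $fullPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutFile)
    $doc.Save($fullPath)
    Get-Item -LiteralPath $fullPath
}

# Read-only share of C:\Users\somefolder, everything else locked down
New-SandboxConfig -HostFolder 'C:\Users\somefolder' -OutFile 'machine1.wsb'

# Same share, but writable and with networking, when the task actually needs it
New-SandboxConfig -HostFolder 'C:\Users\somefolder' -Writable -EnableNetworking -OutFile 'machine2.wsb'
```

Start the result with Start-Process .\machine1.wsb (the same as double-clicking it). Anything the sandbox writes into a writable mapped folder lands on the host, so keep the share read-only when the point of the sandbox is to contain what runs inside it.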

Windows Recall

Only on Copilot+ PCs.

You can turn on or off saving snapshots at any time by going to
Settings -> Privacy & security -> Recall & snapshots.