Windows Command Shell Quick Reference

In this article I have collected together some of my most commonly used Windows Command Prompt oneliners and commands for penetration testing and CTF challenges. It’s primarily here for my own convenience, but is shared here for the benefit of fellow infosec propellerheads.

Process Information

The following commands can be used to gather information about processes running on the system.

  • sc query - Lists status overview of all system services.
  • sc qc [srv] - Lists configuration details for service srv.
  • tasklist - Lists all running processes.
  • wmic process list full - Alternative list of all running processes.
  • tasklist /src - List all running processes including system services contained within processes.
  • tasklist /m - List all running processes showing DLLs in use by each process.
  • tasklist /m [dll] - Lists running processes which have loaded dll.

Useful GUIs

Here are some handy GUI commands which can also be used from the Run start menu dialog.

  • taskmgr.exe - Windows Task Manager.
  • taskschd.msc - Windows Task Scheduler.
  • services.msc - Service Control.
  • secpol.msc - Security Policy Settings.
  • lusrmgr.msc - User/group Management.
  • eventvwr.msc - Event Viewer (logs).
  • control - Windows Control Panel.

Windows Networking

  • netstat -nao - List active TCP/UDP connections including associated processes.
  • netstat -s -p [ip|icmp|tcp|udp] - List detailed TCP/IP statistics.
  • netstat -nao [n] | find [port] - Check for use of port every n seconds.
  • netsh firewall set opmode disable - Disable the Windows firewall.
  • netsh interface ip set address local dhcp - Change the default network interface to use a DHCP address.
  • netsh interface ip set address local static [ip] [netmask] [gw] 1 - Change the IP address of the default network interface.
  • `netsh interface ip set dns local static [ipaddr] - Change the DNS resolver of the default network interface.
  • netsh interface show interface | findstr /C:"Wireless" /C:"Name" - Check for active WiFi connection(s).

Registry Manipulation

  • reg add HKLM\Software\MyCo - Add an empty registry key to local host.
  • reg add HKLM\Software\MyCo /v ValueName /t REG_DWORD /d 123 - Add a registry key to local host with a value key pair within it.
  • reg add [\\host]\[rootkey\][subkey] - Add a registry key to remote [host].
  • reg export [rootkey\][subkey] file.reg - Backs up specified registry structure to file.reg.
  • reg import file.reg - Restores registry structure contained within file.reg.
  • reg query [\\host\][rootkey\][key] /s /v [valuename] - Query registry to find value of specified key value pair.

User Management

  • wmic useraccount where name='username' set passwordExpires=false - Disable expiry of a given account’s password.
  • wmic useraccount where name='currentname' rename newname - Rename a user account.
  • net user [/domain] [username] /active:yes - Unlock/enable a user account.
  • net user /add [username] [password] - Create a new local user account.
  • net localgroup administrators [username] /add - Add local user account to local administrators group.

To create a domain administrator account use the above two commands but add the /domain option to both, and put the new user in the Domain Admins group.

Log Management

Clear all event logs with the following three commands:

WEVTUTIL EL > .\LOGLIST.TXT
for /f %%a in ( .\LOGLIST.TXT ) do WEVTUTIL CL "%%a"
del .\LOGLIST.TXT

Installing Windows Features

On older versions of Windows up to Vista, use pkgmgr:

  • pkgmgr /iu:"TelnetServer" - Installs the Telnet server service.
  • pkgmgr /iu:"TelnetClient" - Installs the Telnet client package.
  • pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI - Installs IIS and it’s dependencies.

Packages can be uninstalled by replacing /iu with /uu.

pkgmgr will work on Windows 10 but there will be a GUI warning dialog advising to use DISM instead:

  • dism /online /Enable-Feature /FeatureName:TelnetClient - Installs the Telnet server service.
  • dism /online /Enable-Feature /FeatureName:TelnetServer - Installs the Telnet client package.
  • dism /online /Get-Features /Format:Table - Shows a listing of available Windows components.
  • dism /online /Enable-Feature /FeatureName:IIS-DefaultDocument /All - Installs IIS and it’s dependencies.
  • dism /online /Enable-Feature /FeatureName:IIS-ASPNET45 /All - Adds support for ASP to IIS.

Power Management

  • shutdown /r /t 0 - Reboot immediately.
  • shutdown /s /t 300 - Shutdown in five minutes.
  • shutdown /a - Cancel pending shutdown/reboot.
  • powercfg.exe -change -standby-timeout-ac 0 - Prevent computer going to sleep.

Additional Reference Materials

Did you like this article? Please consider supporting this site.

Page last updated: