Windows CMD line cheat sheet (hunter-gatherer)

Another quick note this time for Windows CMDline, this is pretty much a shortlist of things I found interesting from Rob Fuller's google doc..

Generic Commands
whoami /all Lists current user, sid, groups current user is a member of and their sids as well as current privilege level.
systeminfo Outputs a large amount of data about the sytem, including hostname, domain, logon server, time zone, network interface config, and hotfixes installed
qwinsta Displaying information about RDP sessions. /CONNECT can be added
qprocess * Much like tasklist, but a bit easier to read. It has username, login mqappsrvethod, session id, pid, and binary name.
schtasks /query /fo csv /v > %TEMP% Outputs the list of services in verbose csv format. Good for throwing in temp and pulling down for a more closer look.
net start
sc query
Lists services
sc getkeyname “XXXXX” You can use the name you got from ‘net start’ to get the ‘key name’ of the service you want more information on.
sc queryex “XXXXX” Using the keyname you achieved from ‘getkeyname’, you can query the status, pid and other information about the service.
tasklist /m  or tasklist /m blah.dll Lists all of the ‘modules’ (binary (exe, dll, com or any other PE based code that was executed) for each process, or if a module is specified then tasklist will only list the processes with that specific module running. Great for finding processes running crypto or other specific function dlls
taskkill [/f] /pid <pid>
taskkill [/f] /im <image_name>
Kill processes by name or pid (with force option)
fsutil fsinfo drives Must be an administrator to run this, but it lists the current drives on the system.
reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """" Locates insecurely registered executables within the system registry on Windows 7.
netstat -nabo netstat with process exe
netstat -na | findstr :445 just like grep :)
net user %USERNAME% /domain Pulls information on the current user, if they are a domain user. If you are a local user then you just drop the /domain. Important things to note are login times, last time changed password, logon scripts, and group membership
net user /domain Lists all of the domain users
net localgroup administrators Prints the members of the Administrators local group
net localgroup administrators /domain as this was supposed to use localgroup & domain, this actually another way of getting *current* domain admins
gpresult /z Extremely verbose output of GPO (Group policy) settings as applied to the current system and user
sc query display services /state type and other info
rundll32.exe user32.dll, LockWorkStation lock the screen (that WOULD piss people off!!)
wscript.exe <script js/vbs> run things...
cscript.exe <script js/vbs/c#> run more things..

Remote access
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f Enable remote desktop.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f Enable remote assistance

Reg Commands
reg save HKLM\Security security.hive   Save security hive to a file
reg save HKLM\System system.hive Save system hive to a file
reg save HKLM\SAM sam.hive Save sam to a file
reg add [\\TargetIPaddr\] [RegDomain][ \Key ] What it says on the tin
reg export [RegDomain]\[Key] [FileName] What it says on the tin
reg import [FileName ] What it says on the tin
reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] ( ) You can to add /s for recurse all values

Deleting Logs
wevtutil el List logs
wevtutil cl <LogName> Clear specific log
del %WINDIR%\*.log /a /s /q /f What it says on the tin

Non interactive pkg management
wmic product get name /value Get the name
wmic product where name="XXX" call uninstall /nointeractive Uninstall
pkgmgr usefull  /iu :”Package”
pkgmgr usefull  /iu :”TelnetServer” Install Telnet Service
pkgmgr /iu:”TelnetClient” Install the client

Stay tuned for more :)

Popular Posts