Skip to content

Latest commit

 

History

History
113 lines (103 loc) · 7.65 KB

Windows Systems Hints.md

File metadata and controls

113 lines (103 loc) · 7.65 KB
Raw

WINDOWS FILES

  • %SYSTEMROOT% - Typically C:\Windows
  • %SYSTEMROOT%\System32\drivers\etc\hosts - DNS entries
  • %SYSTEMROOT%\System32\drivers\etc\networks - Network settings
  • %SYSTEMROOT%\System32\config\SAM - User & password hashes
  • %SYSTEMROOT%\repair\SAM - Backup copy of SAM
  • %SYSTEMROOT%\System32\config\RegBack\Sam\ - Backup copy of SAM
  • %WINDIR%\system32\config\AppEvent.Evt - Application Log
  • %WINDIR%\system32\config\SecEvent.Evt - Security Log
  • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\ - Startup Location
  • %USERPROFILE%\Start Menu\Programs\Startup - Startup Location
  • %SYSTEMROOT%\Prefetch - Prefetch dir (EXE logs)

WINDOWS SYSTEM INFO COMMANDS

  • ver - Get OS version
  • sc query state=all - Show services
  • tasklist /svc - Show processes & services
  • tasklist /m - Show all processes & DLLs
  • tasklist /S ip /v - Remote process listing
  • taskkill /PID pid /F - Force process to terminate
  • systeminfo /S ip /U domain\user /P Pwd - Remote system info
  • reg query\ ip \ RegDomain \ Key /v - Query remote registry,
  • Value - /s=all values
  • reg query HKLM /f password /t REG SZ /s - Search registrj for password
  • fsutil fsinfo drives – - List drives •must be admin
  • dir /a /s /b c:\’.pdf’ - Search for all PDFs
  • dir /a /b c:\windows\kb’ - Search for patches
  • findstr /si password’ .txt I •.xmll •.xls - Search files for password
  • tree /F /A c:\ - tree.txt
  • reg save HKLM\Security security.hive - Save securitj hive to file
  • echo %USERNANE% - Current user

WINDOWS NET/DOMAIN COMMANDS

  • net view /domain - Hosts in current domain
  • net view /domain: [MYDOMAIN] - Hosts in [MYDOMAIN]
  • net user /domain - All users in current domain
  • net user user pass /add - Add user
  • net localgroup “Administrators” user /add - Add user to Administrators
  • net accounts /domain - Domain password policy
  • net localgroup “Administrators” - List local Admins
  • net group /domain - List domain groups
  • net group “Domain Adrnins” /domain - List users in Domain Adrnins
  • net group /domain "Domain Admins"
  • net group “Domain Controllers 11 /domain - List DCs for current domain
  • net share - Current SMB shares
  • net session I find I “\” - Active SHB sessions
  • net user user /ACTIVE:jes /domain - Unlock domain user account
  • net user user ” newpassword ” /domain - Change domain user password
  • net share share c:\share /GRANT:Everyone,FULL - Share folder
  • net user username password /ADD /DOMAIN
  • net group "Domain Admins" username /ADD /DOMAIN

WINDOWS REMOTE COMMANDS

  • tasklist /S ip /v - Remote process listing
  • systeminfo /S ip /U domain\user /P Pwd - Remote systeminfo
  • net share \ ip - Shares of remote computer
  • net use \ ip - Remote filesystem (IPC$)
  • net use z: \ ip \share password /user: D0l1AIN\ user - Map drive, specified credentials
  • reg add \ ip \ regkej \ value - Add registry key remotely
  • sc \ ip create service - Create a remote service
  • binpath=C:\Windows\System32\x.exe start= auto - (space after start=)
  • xcopy /s \ ip \dir C:\local - Copy remote folder
  • shutdown /m \ ip /r /t 0 /f - Remotely reboot machine

WINDOWS NETWORK COMMANDS

  • ipconfig I all - IP configuration
  • ipconfig /displaydns - Local DNS cache
  • netstat -ana - Open connections
  • netstat -anop tcp 1 - Netstat loop
  • netstat -ani findstr LISTENING - LISTENING ports
  • route print - Routing table
  • arp -a - Known l1ACs (ARP table I
  • nslookup, set type=any, ls -d domain results.txt, exit - DNS Zone Xfer
  • nslookup -type=SRV _www._tcp.url.com - Domain SRV lookup (_ldap,_kerberos, _sip)
  • tftp -I ip GET remotefile - TFTP file transfer
  • netsh wlan show profiles - Saved wireless profiles
  • netsh firewall set opmode disable - Disable firewall (‘Old)
  • netsh wlan export profile folder=. key=clear - Export wifi plaintext pwd
  • netsh interface ip show interfaces - List interface IDs/MTUs
  • netsh interface ip set address local static - ip nmask gw ID
  • netsh interface ip set dns local static ip - Set DNS Server
  • netsh interface ip set address local dhcp - Set interface to use DHCP

WINDOWS UTILITY COMMANDS

  • type file - Display file contents
  • del path .’ /a /s /q /f - Force delete all files in path
  • runas /user: user ” file [args]” - Run file as user
  • restart /r /t 0 - Restart now
  • tr -d ‘\15\32’ win.txt unix.txt - Removes CR & ‘Z (‘nix)
  • makecab file - Native compression
  • Wusa.exe /uninstall /kb: ### - Uninstall patch
  • cmd.exe “wevtutil qe Application /c:40 /f:text /rd:true” - CLI Event Viewer
  • lusrrngr.rnsc - Local user manager
  • services.msc - Services control panel
  • taskmgr.exe - Task manager
  • secpool.rnsc - Security policy manager
  • eventvwr.rnsc - Event viewer

WMIC

  • wmic [alias] get /? - List all attributes
  • wmic [alias] call /? - Callable methods
  • wmic process list full - Process attributes
  • wmic startupwmic service - Starts wmic service
  • wmic ntdomain list - Domain and DC info
  • wmic qfe - List all patches
  • wmic process call create “process name” - Execute process
  • wmic process where name=”process” call terminate - Terminate process
  • wmic logicaldisk get description,name - View logical shares
  • wmic cpu get DataWidth /format:List - Display 32 I I 64 bit