Windows CMD line cheat sheet (hunter-gatherer)
Another quick note, this time for the Windows command line. This is pretty much a shortlist of things I found interesting from Rob Fuller's Google doc.
| Generic Commands | |
|---|---|
| whoami /all | Lists the current user, its SID, the groups the user belongs to with their SIDs, and the user's privileges together with whether each is enabled or disabled. |
| systeminfo | Dumps a large amount of data about the system, including hostname, domain, logon server, time zone, network interface configuration and installed hotfixes. |
| qwinsta | Displays the console and RDP sessions on the host. /CONNECT adds connection details. |
| qprocess * | Much like tasklist but easier to read: username, session name (console or RDP), session id, PID and image name. |
| schtasks /query /fo csv /v > %TEMP%\tasks.csv | Outputs the list of scheduled tasks (not services) in verbose CSV. Redirect to a file rather than to %TEMP% itself, which is a directory and will fail; the file can then be pulled down for a closer look. |
| net start OR sc query | Lists services. net start shows only running services by display name; sc query shows state, type and other information. |
| sc getkeyname "XXXXX" | Takes the display name shown by net start and returns the key name of the service you want more information on. |
| sc queryex "XXXXX" | Using the key name from getkeyname, shows the state, PID and other information about the service. |
| tasklist /m or tasklist /m blah.dll | Lists every module (exe, dll, com or any other PE image loaded) for each process, or, when a module is given, only the processes that have that module loaded. Great for finding processes that load crypto or other specific DLLs. |
| taskkill [/f] /pid <pid> or taskkill [/f] /im <image_name> | Kills processes by PID or by image name; /f forces termination. |
| fsutil fsinfo drives | Lists the drives on the system; must be run as administrator. |
| reg query HKLM /s /d /f "C:\* *.exe" \| find /I "C:\" \| find /V """" | Finds registry data under HKLM that is a path with a space before .exe and no double quotes, i.e. unquoted executable paths (typically service ImagePath values) that a local user may be able to hijack. Originally written against Windows 7. |
| netstat -nabo | netstat with the owning PID and executable for each connection (-b needs administrator). |
| netstat -na \| findstr :445 | Just like grep :) |
| net user %USERNAME% /domain | Pulls information on the current user if it is a domain user; drop /domain for a local user. Important things to note are logon times, last password change, logon script and group membership. |
| net user /domain | Lists all domain users. |
| net localgroup administrators | Prints the members of the local Administrators group. |
| net localgroup administrators /domain | Queries the domain's built-in Administrators group on the domain controller instead of the local one, which is another way of seeing who *currently* has administrative rights over the domain. |
| gpresult /z | Extremely verbose output of the GPO (Group Policy) settings applied to the current system and user. |
| rundll32.exe user32.dll,LockWorkStation | Locks the screen (that WOULD annoy people!!). |
| wscript.exe <script js/vbs> | Runs a JScript or VBScript file with the windowed script host. |
| cscript.exe <script js/vbs> | Runs the same scripts with the console script host, so output goes to the console. |
| Remote access | |
|---|---|
| reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f | Enables Remote Desktop. Needs administrator, and the firewall must still allow inbound TCP 3389. |
| reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f | Enables Remote Assistance. |
| Reg Commands | |
|---|---|
| reg save HKLM\Security security.hive | Saves the SECURITY hive (LSA secrets, cached domain credentials) to a file. Needs administrator. |
| reg save HKLM\System system.hive | Saves the SYSTEM hive (holds the boot key needed to decrypt SAM and SECURITY) to a file. |
| reg save HKLM\SAM sam.hive | Saves the SAM (local account hashes) to a file. The three hives together are enough to extract local credentials offline, so treat the files as sensitive. |
| reg add [\\TargetIPaddr\]RegDomain\Key | Adds a key, or with /v and /d a value. RegDomain is the root key (HKLM, HKCU, ...); the \\TargetIPaddr prefix works against a remote machine if the Remote Registry service is running there. |
| reg export RegDomain\Key FileName | Exports a key and everything under it to a .reg file. |
| reg import FileName | Imports a .reg file. |
| reg query [\\TargetIPaddr\]RegDomain\Key [/v ValueName] | Queries a key, or a single value with /v. Add /s to recurse through all subkeys and values. |
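The commands in the Generic Commands and Reg Commands tables are usually run one at a time, but on a host you want to triage quickly it is easier to collect everything into one folder and pull that down. The batch script below is an added example, not from the original post or from Rob Fuller's doc: it runs the enumeration commands from the Generic Commands table and, only when the shell is elevated, the hive saves from the Reg Commands table, writing each result to its own file under %TEMP%. The folder and file names, the elevation check via net session, and scoping the unquoted-path search to the Services key are this script's own choices.

```batch
@echo off
setlocal
REM gather.cmd - added example; collects the cheat sheet's enumeration output
REM into one folder so it can be pulled off the host and reviewed offline.
REM Folder name, file names and the elevation check are assumptions of this script.

set "OUT=%TEMP%\gather_%COMPUTERNAME%_%RANDOM%"
mkdir "%OUT%" 2>nul || (echo Cannot create "%OUT%" & exit /b 1)
echo Collecting into "%OUT%"

REM stderr is merged into each file so a blocked or failed command is visible later.
whoami /all                    > "%OUT%\whoami.txt"        2>&1
systeminfo                     > "%OUT%\systeminfo.txt"    2>&1
qwinsta                        > "%OUT%\sessions.txt"      2>&1
qprocess *                     > "%OUT%\processes.txt"     2>&1
tasklist /m                    > "%OUT%\modules.txt"       2>&1
sc query                       > "%OUT%\services.txt"      2>&1
netstat -nabo                  > "%OUT%\netstat.txt"       2>&1
net localgroup administrators  > "%OUT%\localadmins.txt"   2>&1
net user %USERNAME% /domain    > "%OUT%\domainuser.txt"    2>&1
gpresult /z                    > "%OUT%\gpresult.txt"      2>&1

REM schtasks must go to a file, not to %TEMP% itself (a directory), or it fails.
schtasks /query /fo csv /v     > "%OUT%\schtasks.csv"      2>&1

REM Unquoted service paths: ImagePath data with a space before .exe and no quotes.
REM Searching only the Services key is faster than all of HKLM and avoids false hits.
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """" > "%OUT%\unquoted_paths.txt" 2>&1

REM net session only succeeds in an elevated shell; use that as the admin check.
net session >nul 2>&1
if %errorlevel% equ 0 (
    fsutil fsinfo drives                                > "%OUT%\drives.txt" 2>&1
    reg save HKLM\SAM      "%OUT%\sam.hive"      /y     >nul 2>&1
    reg save HKLM\SYSTEM   "%OUT%\system.hive"   /y     >nul 2>&1
    reg save HKLM\SECURITY "%OUT%\security.hive" /y     >nul 2>&1
) else (
    echo Not elevated: skipped fsutil and the SAM/SYSTEM/SECURITY hive saves > "%OUT%\notes.txt"
)

echo Done. Review "%OUT%" and delete it (the hives hold credential material) when finished.
endlocal
exit /b 0
```

Run it from an elevated cmd to get netstat -b, fsutil and the hives; otherwise those files simply record the access-denied error. The C:\ pattern misses ImagePath values that start with an environment variable such as %SystemRoot%, exactly as the original one-liner does, so review services.txt as well when hunting for hijackable paths.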
| Deleting Logs | |
|---|---|
| wevtutil el | Lists the event logs on the system. |
| wevtutil cl <LogName> | Clears the named log. Needs administrator, and clearing the Security log writes event ID 1102 into it, so the clearing itself is recorded. |
| del %WINDIR%\*.log /a /s /q /f | Recursively force-deletes every .log file under the Windows directory, hidden and system files included, without prompting. |
| Non interactive pkg management | |
|---|---|
| wmic product get name /value | Lists installed MSI products by name. Slow, and any wmic product query makes Windows Installer run a consistency check of every installed product, which writes a burst of Windows Installer events to the Application log. |
| wmic product where name="XXX" call uninstall /nointeractive | Uninstalls the named product without prompting. |
| pkgmgr /iu:"Package" | Installs an optional Windows component by package name. pkgmgr is deprecated from Windows 7 onward in favour of DISM. |
| pkgmgr /iu:"TelnetServer" | Installs the Telnet server. |
| pkgmgr /iu:"TelnetClient" | Installs the Telnet client. |
Stay tuned for more :)