Windows

Cheat sheet for Windows.

Windows Basics

Clear terminal

cls

Host & Network information

Show hostname

hostname

Show IP address

ipconfig

Traceroute

tracert hostname

System information (OS, domain, etc.)

systeminfo

Host file (“/etc/hosts”)

This file is used to resolve hosts names before DNS.

C:\Windows\System32\drivers\etc\hosts

Files & Folders

List files from current directory, including hidden files (/a with no attribute filter lists everything; /a:hd would list hidden directories only)

dir /a
dir /a C:\

Show current directory

cd

Copy file

copy source-file.txt destination-file.txt

Rename a file

ren "oldname.txt" "newname.txt"

MD5 of file

certUtil -hashfile file.txt MD5

Unzip a .zip file in current directory

powershell -c "Expand-Archive <filename>.zip ."

Display file content

type filename.txt
# Interactive mode
more filename.txt

Permanently delete files

cipher /w overwrites the free space of a volume or folder, so delete the file and empty the recycle bin first or this will not work.

powershell cipher /w:C:
powershell cipher /w:C:\Users\Jim\Documents

Search for a file in all subdirectories

cd C:\somedir
dir secret.doc /s /p
dir secret.doc /s | find /i "some string in filename"
where /r c:\ *.exe
where /r c:\ flag.txt
# Filter and de-duplicate the output of any command
<some command> | findstr /i LocalPort | sort /unique

Search text in file

find /i "password" c:\somedir\myfile.txt
# Search text "flag" in files
findstr /s /i flag *.*
findstr /s /i somestring *.*

# Find all occurrences of the word "Windows" (case sensitive) in the file Proposal.txt
findstr Windows proposal.txt

# See Powershell section

Search largest files

Use the Disk Cleanup tool to save some space. Run as Administrator: C:\Windows\System32\cleanmgr.exe

Using PowerShell (best option):

powershell -c "Get-ChildItem -Path C:\somepath -Recurse | Where-Object {$_.Length -gt 1GB}"
powershell -c "Get-ChildItem -Path C:\somepath -Recurse | Where-Object {$_.Length -gt 10GB}"

Using the graphical File Explorer: for the Windows search to work, set the indexing options in the Windows settings to include "C:". Does not seem to work properly 🙁

Go to your disk (like C:). In the Search bar, enter:

size:>1GB
size:>10GB

Using the command line (@fsize is in bytes; often fails with "file path is too long"):

  • Size > 1GB (1024 * 1024 * 1024 = 1073741824)
  • Size > 10GB (1024 * 1024 * 1024 * 10 = 10737418240)

forfiles /S /C "cmd /c if @fsize GTR 1073741824 echo @path"
forfiles /S /C "cmd /c if @fsize GTR 10737418240 echo @path"
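An added example, not part of the original cheat sheet: the same search as the PowerShell one-liner above, but including hidden files, sorting the hits, and counting paths that could not be read (the access-denied and path-too-long cases) instead of stopping. The path, threshold and result count are assumptions.

```powershell
# Added example (not from the original cheat sheet): largest files under a path.
# -Force includes hidden files; unreadable or over-long paths are counted, not fatal.
function Get-LargestFiles {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [long] $MinBytes = 1GB,   # assumption: 1 GB threshold, as in the forfiles line
        [int]  $Top = 20          # assumption: show the 20 largest hits
    )
    $unreadable = @()
    $files = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue -ErrorVariable unreadable
    $hits = $files |
        Where-Object { $_.Length -gt $MinBytes } |
        Sort-Object Length -Descending |
        Select-Object -Property FullName, @{ Name = 'GB'; Expression = { [math]::Round($_.Length / 1GB, 2) } } -First $Top
    if ($unreadable.Count -gt 0) {
        Write-Warning ("{0} path(s) skipped (access denied or path too long)" -f $unreadable.Count)
    }
    $hits
}

# Files over 1 GB under C:\somepath (constructed path), largest first
Get-LargestFiles -Path 'C:\somepath' -MinBytes 1GB | Format-Table -AutoSize
```

PowerShell 7 handles paths longer than 260 characters; Windows PowerShell 5.1 reports them as errors, which this function counts rather than aborts on.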

Users & Groups

List users

See Active Directory.

dir c:\users

Groups for current user

whoami /groups

Run commands as another user

runas /user:DOMAIN\username C:\Windows\System32\cmd.exe
[password]

System

Reboot

shutdown /r

Shares

List shares

net share

Connect a share

net use S: \\<KALI-IP>\myshare /user:myprecious /persistent:no
[enter password]

Create a share, read-only

net share myshare=C:\Shared /grant:DOMAIN\myuser,READ

Delete a share

net share myshare /delete

Accessing file share

\\MachineName\c$\

When users are not local admins, they could still reach the C: drive by entering one of these paths in a web browser:

\\127.0.0.1\c$
\\localhost\c$

Environment variables

List all environment variables

set

Set an environment variable

SET ORACLE_SID=SID

Registry

Query a registry key

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

List registry (recursively)

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /s

Access rights

See Official Documentation for icacls.

  • F – Full access
  • M – Modify access
  • RX – Read and execute access
  • R – Read-only access
  • W – Write-only access

icacls "<file>"
icacls "C:\Program Files\Windows Media Player\wmplayer.exe"
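An added example, not part of the original cheat sheet: rather than reading icacls output by eye, flag ACEs that grant write-class rights (the F, M and W codes above) to broad groups on a file or directory, since such an entry lets any local user replace the program. The list of "broad" identities and the checked path are assumptions.

```powershell
# Added example (not from the original cheat sheet): report allow-ACEs that give
# write-class rights to groups every local user belongs to.
function Find-WeakAce {
    param([Parameter(Mandatory)] [string] $Path)

    # assumption: these identities are treated as "any local user"
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    # icacls F (FullControl), M (Modify), W (Write) plus ownership/permission changes
    $writeRights = [System.Security.AccessControl.FileSystemRights] 'Modify, FullControl, Write, TakeOwnership, ChangePermissions'

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Anything listed here can be modified by any local user (constructed path)
Find-WeakAce -Path 'C:\Program Files\Windows Media Player' | Format-Table -AutoSize
```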

Processes

List processes

tasklist
# Filter by image name (include the file extension)
tasklist /FI "IMAGENAME eq notepad.exe"

To get program arguments, use this (WMIC is deprecated and is no longer installed by default on the newest Windows 11 builds):

WMIC path win32_process get Caption,Processid,Commandline > processes.txt
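An added example, not part of the original cheat sheet: the same data as the WMIC line (PID, name, command line) via CIM, which also works where WMIC is absent, plus the parent process name so unusual parent/child pairs stand out during triage. The CSV path and the Office-to-shell filter are assumptions.

```powershell
# Added example (not from the original cheat sheet): process list with parent and command line.
function Get-ProcessTree {
    param([string] $OutFile)   # assumption: optional CSV path, e.g. for a scheduled collection

    $procs = Get-CimInstance -ClassName Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

    $rows = foreach ($p in $procs) {
        $parent = $byId[[int]$p.ParentProcessId]
        [pscustomobject]@{
            PID         = $p.ProcessId
            PPID        = $p.ParentProcessId
            Parent      = if ($parent) { $parent.Name } else { '<exited>' }
            Name        = $p.Name
            CommandLine = $p.CommandLine
        }
    }
    if ($OutFile) { $rows | Export-Csv -NoTypeInformation -Path $OutFile }
    $rows
}

# Triage heuristic (constructed): shells spawned by Office applications
Get-ProcessTree -OutFile 'C:\Users\Public\processes.csv' |
    Where-Object { $_.Parent -match '^(WINWORD|EXCEL|OUTLOOK)\.EXE$' -and $_.Name -match '^(cmd|powershell)\.exe$' } |
    Format-Table PID, Parent, Name, CommandLine -AutoSize
```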

Kill a process

If a process is locking a file, use File Locksmith (Microsoft) from PowerToys (Microsoft).

# Kill a process by name
taskkill /IM "notepad.exe" /F

# Kill a process by PID
taskkill /F /PID 1234

# From Task Scheduler, appending the result to a log file
taskkill /IM "process.exe" /F >> "C:\Users\<username>\Desktop\kill_process.log"

Mount Drive

List drives

wmic logicaldisk get caption
fsutil fsinfo drives

List volumes

mountvol

Mount volume

mountvol DRIVE-LETTER:\ VOLUME-NAME
mountvol e:\ \\?\Volume{...}\

Screenshot & Videos

  • PrintScreen -> copied to clipboard
  • Windows key + PrintScreen -> file created in Pictures\Screenshots
  • Windows key + Shift + S -> section of screen copied to clipboard (Snip and Sketch)

Screen recording

Record using the Game Bar (Windows 10+)

  • Press keys Windows+G

Windows Services

Managing services in Windows.

For specific services, see Ports & Protocols.

Managing services using the GUI

%windir%\system32\services.msc

Start a service

sc start <service name>
net start <service name>

Stop a service

sc stop <service name>
net stop <service name>

Service status

sc query <service name>

Network connections and listening ports

netstat -ant
netstat

Configure the service startup type

sc config <service name> start= {boot | system | auto | demand | disabled | delayed-auto}

Windows Lab

To use Linux on Windows, see Windows Subsystem for Linux (WSL)

Windows Evaluation versions

Evaluation versions of Windows will expire. The desktop background will turn black, you will see a persistent desktop notification indicating that the system is not genuine, and the PC will shut down every hour.

For Windows 10:

  • Download PsExec from Sysinternals.
  • Open a command prompt (run as Administrator).
  • Disable the Windows Licensing Monitoring Service (wlms.exe).

cd <path to PsExec>\PSTools
.\PsExec.exe -s powershell -Command "Set-Service -Name 'WLMS' -StartupType Disabled;"

Reboot the computer and the WLMS service will not start.

For Windows 11:

Open a command prompt (run as Administrator):

slmgr /ipk <KMS client key>
slmgr /skms kms.msguides.com
slmgr /ato

KMS client keys:

  • Windows Home: TX9XD-98N7V-6WMQ6-BX7FG-H8Q99
  • Windows Home N: 3KHY7-WNT83-DGQKR-F7HPR-844BM
  • Windows Pro: W269N-WFGWX-YVC9B-4J6C9-T83GX
  • Windows Pro N: MH37W-N47XK-V7XM9-C7227-GCQG9
  • Windows Education: NW6C2-QMPVW-D7KKK-3GKT6-VCFB2
  • Windows Education N: 2WH4N-8QGBV-H22JP-CT43Q-MDWWJ

Free Windows 11 VM – Evaluation version

Download virtual machine:
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines

The VM will require a minimum of 8GB of RAM and at least 70GB of disk space.

  • Username: User
  • Password: <none>

Free Windows 11

If the download gives an error, use a VPN.

Windows Sandbox

Windows Sandbox provides a lightweight, disposable virtual environment. It creates a temporary Windows installation inside a secure container. Changes are lost once closed.

Windows Sandbox uses some Hyper-V features.

Windows Sandbox is currently not supported on Windows Home edition.

Run a command prompt as administrator:

powershell -c "Enable-WindowsOptionalFeature -FeatureName \"Containers-DisposableClientVM\" -All -Online"

Reboot to apply the changes. Create a configuration file, like machine1.wsb:

<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\Public</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <ClipboardRedirection>true</ClipboardRedirection>
  <Networking>true</Networking>
  <ProtectedClient>false</ProtectedClient>
</Configuration>

Double-click on the file to start the sandbox. With ReadOnly set to false, anything run inside the sandbox can modify the mapped host folder, so set it to true unless the sandbox needs to write back to the host.
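An added example, not part of the original cheat sheet: audit a .wsb file for settings that let sandbox contents reach the host or the network, and write a hardened copy using the values the .wsb format documents (Enable/Disable for the feature elements, true/false for ReadOnly). The sample is constructed from machine1.wsb above; the output path is an assumption.

```powershell
# Added example (not from the original cheat sheet): audit and harden a .wsb configuration.
# Constructed sample, copied from machine1.wsb above.
$sampleWsb = @'
<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\Public</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <ClipboardRedirection>true</ClipboardRedirection>
  <Networking>true</Networking>
  <ProtectedClient>false</ProtectedClient>
</Configuration>
'@

function Test-WsbConfig {
    param([Parameter(Mandatory)] [string] $Xml)
    [xml]$cfg = $Xml
    $c = $cfg.Configuration
    foreach ($m in $c.MappedFolders.MappedFolder) {
        if ($m.ReadOnly -ne 'true') { "Writable mapping: sandbox can modify host folder $($m.HostFolder)" }
    }
    if ($c.Networking -ne 'Disable')           { 'Networking not disabled: a sample can reach the LAN and the internet' }
    if ($c.ClipboardRedirection -ne 'Disable') { 'Clipboard shared with the host' }
    if ($c.ProtectedClient -ne 'Enable')       { 'ProtectedClient not enabled' }
}

function ConvertTo-HardenedWsb {
    param([Parameter(Mandatory)] [string] $Xml)
    [xml]$cfg = $Xml
    foreach ($m in $cfg.Configuration.MappedFolders.MappedFolder) { $m.ReadOnly = 'true' }
    $cfg.Configuration.Networking           = 'Disable'
    $cfg.Configuration.ClipboardRedirection = 'Disable'
    $cfg.Configuration.ProtectedClient      = 'Enable'
    $cfg   # the hardened XmlDocument; call .Save() to write it
}

Test-WsbConfig -Xml $sampleWsb
(ConvertTo-HardenedWsb -Xml $sampleWsb).Save('C:\Users\Public\hardened.wsb')   # assumed path
```

Run Test-WsbConfig before detonating anything untrusted; the hardened copy keeps the mapped folder read-only and the sandbox off the network.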

Windows Recall

Only on Copilot+PC.

You can turn on or off saving snapshots at any time by going to
Settings -> Privacy & security -> Recall & snapshots.
