Basics
Core Commands
# List folders and files
dir
dir C:\Users
dir /a
dir /a C:\Users
# Change directory
E: | C:
cd C:\Users
cd ..
cd Desktop
# Create directory
mkdir test
# Remove directory
rmdir test
rmdir /s non-empty-test
# Move files or folders
move file1.txt folder1
move a.txt b.txt
move folder1 folder2
# Print text
echo "Hello World"
echo "test" > file1.txt
# View content of a file
type file1.txt
# Delete file
del file1.txt
# Copy file
copy a.txt b.txt
copy a.txt folder1
# Rename file
ren a.txt newname.txt
# Change attributes of files or folders
attrib +h a.txt
attrib -h a.txt
attrib +h folder
dir /a:h
# List running processes
tasklist
# Kill running process
taskkill /f /pid 1547
# Display network information
ipconfig
ipconfig /all
# Display active connections
netstat
netstat /ano
# Test network connectivity
ping google.com
# Show path to destination
tracert google.com
# Create links
mklink softlink originalfile
mklink /H hardlink originalfile
mklink /D link dir # Soft link only
File System
C:\ Top level point that hold all the system files.
C:\Windows\ Contains operating system files.
C:\Program Files\ Contains applications files.
C:\Program Files (x86)\ Contains 32bit applications on 64bit operating system.
C:\Users\ Contains users home directories.
C:\ProgramData\ Contains configuration files of applications (Hidden).
File Permissions
Windows has 5 main permission types:
Full Control
Modify
Read & execute
Read
Write
Each user and group on the system has its own permissions:
User1: Read
User2: Read + Write
Group1: Full Control
Inherited permissions, child inherit parent permissions (This is what happens by default in windows).
Explicit permissions, permission applied specially to a file.
Explicit Deny > Explicit Allow > Inherited Deny > Inherited Allow.

Users & Groups
# Create user
net user testuser * /add
# Delete user
net user testuser /delete
# Disable/Enable user account
net user testuser /active:no
net user testuser /active:yes
# Display password policy
net accounts
# Most used groups
Administrators: Full control over system.
Network Operators: Allow to modify network settings (IP, DNS).
Users: Allow access to needed functionality by most users.
# Display groups
net localgroup
# List group members
net localgroup administrators
# Create group
net localgroup testgroup /add
# Add user to group
net localgroup testgroup testuser /add
# Delete user from group
net localgroup testgroup testuser /del
# Delete group
net localgroup testgroup /del
UAC
UAC gives you administrator access for one command, you trigger it by clicking right click on any file then choose run as administrator.

Runas
# runas lets you run command as another user like in linux (su testuser -c whoami)
runas /user:testuser whoami
runas /user:testuser "ping google.com"
Credentials
Credentials (usernames & passwords) are stored in the SAM file.
SAM file location: C:\Windows\System32\config\SAM.
Mostly stores the users' passwords in the NTLM hash.
# Example
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test123:1008:aad3b435b51404eeaad3b435b51404ee:7a21990fcd3d759941e45c490f143d5f:::
Security Policy
Audit policy: Control logs through event viewer.
User rights: Control permissions on the OS (change time, backup, shutdown).
Security options: Rename administrator account, Account policy Password length, complexity, expiration period. Account lockout threshold, duration.
Registry
Registry stores configuration settings and there are 5 types of registry hives:
HKEY_Classes_Root (HKCR): settings for applications
HKEY_Current_User (HKCU): settings for the current user
HKEY_Local_Machine (HKLM): local machine settings
HKEY_USERS (HKU): Settings for every user
HKEY_Current_Config (HKCC): settings for hardware
# Print help
reg /?
# Print help on specific function
reg query /?
# Query specific registry hives
reg query hkcu
reg query hklm
reg query hkcu\software
# Print all startup apps recursively
reg query hklm\software\microsoft\windows\currentversion\run /s
# Add startup key called EvilTest which started the Calculator app at boot time
reg add hklm\software\microsoft\windows\currentversion\run /v "EvilTest" /d "calc.exe"
# Delete EvilTest key
reg delete hklm\software\microsoft\windows\currentversion\run /v "EvilTest"
Windows Sharing (SMB)
# Print help
net /?
# List all devices that is enable sharing on the network
net view
# list all shared resources on specific system
net view \\computer-name
# mapping resource to drive letter
net use z: \\computer-name\resource
# show mapping resources
net use
# delete mapping resource
net use z: /delete
Services
# Display active services
sc query
# Display info about spooler service
sc query spooler
# Display inactive services
sc query state=inactive
# Display all services
sc query state=all
# Start/Stop the spooler service
sc start spooler
sc stop spooler
# Enable/Disable spooler service at boot time
sc config spooler start=disabled
sc config spooler start=auto
Processes
# List all tasks
tasklist
# Find task by it’s name or id
tasklist /fi "imagename eq calc*"
tasklist /pid 4054
# Force kill process
taskkill /f /pid 4054
# List all tasks
wmic process list brief
# Create calculator process
wmic process call create calc.exe
# Search for calculator process
wmic process where (name = "calculator.exe") list brief
wmic process where (name like "calc%") list brief
# Delete calculator process
wmic process where (name = "calculator.exe") delete
Task Scheduling
# Display all scheduled tasks
schtasks
# Create new task to run every minute
schtasks /create /sc minute /mo 1 /tn eviloo /tr calc.exe
# Display information about specific scheduled task
schtasks /query /tn eviloo
# Delete scheduled task
schtasks /delete /tn eviloo
Last updated