Windows Command‐Line‐Interface Guide
What follows are some useful PowerShell and CMD commands for review and investigation of Windows OS settings, configuration, and artifacts, broken down categorically, with roughly equivalent commands for both PowerShell and CMD:
Get help with PowerShell commands in general:
NOTE: "Ctrl + L" = Clear the Screen!
get-help
Get help with a specific command:
get-help get-childitem
Get help with a specific command, showing example commands:
get-help get-childitem -examples
Get commands by specifying a complete or partial verb or noun:
get-command -verb get
get-command -noun *tcp*
Count (measure) the output of a command:
get-command | measure
Show PowerShell version information:
$psversiontable
Get help with cmd:
NOTE: "cls" = Clear the Screen!
help
Get help, searching the output ("|" = pipe output from first command to the next command) for a case-insensitive ("/i") string, eg "task":
help | findstr /i task
Get help for a specific cmd command:
help tasklist
Show running processes:
tasklist
Show running processes, paginate output:
tasklist | more
Show running processes with greater detail ("/v" = verbose):
tasklist /v | more
Show running processes and search ("/fi" = filter) output looking for processes associated with the user named "security":
tasklist /v /fi "username eq security"
Check the hostname and then write output of "tasklist" to a text file (">>" = append output to file):
NOTE: I like to name my output files as descriptively as possible, including the "host," the date/timestamp, and a description of the contents!
hostname
tasklist /v >> tasklist-host123-06052024.txt
Alternatively, output to a csv file:
tasklist /v /fo csv >> tasklist-host123-06052024.csv
Search for commands that include the word "process":
get-command *process
Get help on the "get-process" cmdlet:
get-help get-process
Get help, with examples, and note "aliases" (eg "ps"):
get-help get-process -examples
Run the "get-process" cmdlet:
get-process
Use the "ps" alias to run "get-process":
ps | more
View the members (properties and methods) of the objects returned by "get-process" by piping the output of the "ps" alias to the "get-member" cmdlet:
ps | get-member
View the available "properties" for the "get-process" cmdlet:
ps | get-member | where membertype -eq "Property"
View specific "properties" for processes:
ps | select-object processname,sessionid,id
Create a "hostname" variable to use in the name of our output file, then write select properties of the ps command to a CSV file, omitting the "#TYPE" header line that export-csv would otherwise write ("-NoTypeInformation"):
$hostname=hostname
NOTE: Change the output file path as desired!
ps | select-object processname,sessionid,id | export-csv c:\users\security\desktop\ps-$hostname-06052024.csv -NoTypeInformation
View "ip configuration" command help:
ipconfig /?
View "all" (detailed info) ip configuration:
ipconfig /all
View cached DNS records on this "host":
ipconfig /displaydns
Get help using the "netstat" command, then view network socket information (tcp/ip connection info):
netstat /?
View "all" sockets (-a), show associated "executable" (-b), show the "owning" process for the connection (-o):
netstat -abo
Repeat the above command but just show "tcp" protocol connections:
netstat -abo -p tcp
Search netstat output (-q = all connections, listening ports, and bound non-listening TCP ports) for the case-insensitive string ("/i") "listen," to show listening ports:
netstat -q | findstr /i LISTEN
Use "ping" to test connectivity to "cisco.com," using IPv4:
ping cisco.com -4
Use "ping" to test connectivity to "cisco.com" continuously (-t), using IPv6 [hit "Ctrl+C" to cancel the "ping" command]:
ping cisco.com -6 -t
Use the "tracert" command to "trace" the route from your host to "cisco.com" (max 30 hops by default):
tracert cisco.com
Find all PowerShell commands with a "noun" containing "tcp" or "netip":
get-command -noun *tcp*
get-command -noun *netip*
Show tcp connection info using the "get-nettcpconnection" command:
get-nettcpconnection
Show all available properties:
get-nettcpconnection | select *
Show tcp settings:
get-nettcpsetting
Show IP addresses on this host:
get-netipaddress
Use "test-netconnection" to test connectivity to "cisco.com" using "ICMP/Ping" (default):
test-netconnection cisco.com
Test connectivity to "cisco.com" on TCP port "443":
test-netconnection cisco.com -port 443
Trace the route from your host to "cisco.com":
test-netconnection -traceroute cisco.com
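The process and network sections above each give one side of the picture; an investigator usually wants them joined. This added example (not part of the original guide) matches each TCP connection from "get-nettcpconnection" to its owning process from "get-process" by PID and saves the result using the guide's contents-host-date file naming. The output folder is an assumed default.

```powershell
# Added example, not from the original guide: join the output of get-process
# and get-nettcpconnection on the PID so each TCP connection shows its owning
# process, then save it with the guide's contents-host-date naming.
function Get-ProcessConnectionReport {
    param(
        # Assumed default output folder; change as desired
        [string]$OutDir = "$env:USERPROFILE\Desktop"
    )
    # Index processes by PID once so the join below is a hashtable lookup
    $procByPid = @{}
    foreach ($p in Get-Process) { $procByPid[$p.Id] = $p }

    $rows = foreach ($c in Get-NetTCPConnection) {
        # OwningProcess is uint32; cast so it matches the int keys above
        $proc = $procByPid[[int]$c.OwningProcess]
        # A PID can vanish between the two calls; Path is $null for processes
        # the current (non-elevated) user is not allowed to inspect
        $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
        $path = if ($proc) { $proc.Path } else { $null }
        [pscustomobject]@{
            ProcessName   = $name
            PID           = $c.OwningProcess
            Path          = $path
            LocalAddress  = $c.LocalAddress
            LocalPort     = $c.LocalPort
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            State         = $c.State
            Created       = $c.CreationTime
        }
    }

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $OutDir "netconn-$env:COMPUTERNAME-$stamp.csv"
    $rows | Export-Csv -Path $file -NoTypeInformation
    $rows
}

# Collect everything, then display only established connections, grouped by process
$report = Get-ProcessConnectionReport
$report | Where-Object State -eq 'Established' |
    Sort-Object ProcessName |
    Format-Table ProcessName, PID, RemoteAddress, RemotePort -AutoSize
```

Run it from an elevated prompt to get the "Path" column for services and other users' processes; an unelevated run still lists every connection and PID.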
Search "cmd" help for commands containing "file":
help | findstr /i file
Clear the screen!:
cls
Get help on the "dir" command:
help dir
Run the "dir" command to view contents of the current directory:
dir
Move "up" one directory (to the "parent" of the current path), then view your current "working" directory (where you are in the file system):
NOTE: "." = the current directory, ".." = the parent directory!
cd..
cd
Change to a specific directory using a "path" or a system "variable":
cd c:\users\administrator
cd %userprofile%
View details for a "hidden" (/ah) file named "ntuser.dat" in your current directory or a subdirectory (/s):
dir /ah /s ntuser.dat
View the file attributes (h=hidden, a=archive, s=system, r=read-only, etc.):
attrib c:\users\administrator\ntuser.dat
Check the cmdlet associated with the "dir" alias:
get-alias dir
Use the "dir" alias to invoke "get-childitem" and view the contents of the current directory:
NOTE: Are you running "dir" (cmd command) or "dir" (PowerShell alias)? It depends on your current shell, so pay attention!
dir
Get help with the "get-childitem" cmdlet (note other aliases: gci, ls):
get-help get-childitem
Use the "dir" alias to view the "ntuser.dat" details:
dir c:\users\security\ntuser.dat -force
View all properties for a specific file:
dir c:\users\security\ntuser.dat -force | select *
View all "hidden" files in the current directory:
get-childitem -attributes h
View "access" permissions for a folder:
(get-acl c:\programdata).access
View "access" permissions for "users":
(get-acl c:\programdata).access | where identityreference -like *users*
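The two "get-acl" commands above show the raw access entries; what a reviewer actually wants to know is which broad groups can change a folder's contents. This added example (not from the original guide) turns that into a reusable check: it decodes the FileSystemRights flags, including the raw generic bits that appear on some inherited entries, and reports only "Allow" entries for broad principals that carry write-like rights. The principal list is an assumption to be extended as needed.

```powershell
# Added example, not from the original guide: list ACEs on a folder that grant
# write-like rights to broad groups (the check behind "permissions for users").
function Find-BroadWriteAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed list of "anyone on this box" principals; extend as needed
        [string[]]$BroadPrincipals = @(
            'Everyone', 'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    )
    # Rights that let a principal change content, permissions or ownership
    $writeNames = 'WriteData', 'AppendData', 'Delete', 'DeleteSubdirectoriesAndFiles',
                  'ChangePermissions', 'TakeOwnership'
    $writeMask = 0
    foreach ($n in $writeNames) {
        $writeMask = $writeMask -bor [int][System.Security.AccessControl.FileSystemRights]$n
    }
    # Generic rights (GENERIC_ALL, GENERIC_WRITE) are not named in the enum and
    # show up as raw numbers on some ACEs, so test their bits explicitly
    $writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $bits = [int]$ace.FileSystemRights
        if (($bits -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            AppliesTo = $ace.InheritanceFlags
        }
    }
}

# Check the folder used above plus its immediate subfolders
Get-Item -Path C:\ProgramData |
    ForEach-Object { Find-BroadWriteAccess -Path $_.FullName }
Get-ChildItem -Path C:\ProgramData -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Find-BroadWriteAccess -Path $_.FullName } |
    Format-Table -AutoSize
```

By default BUILTIN\Users holds a special "Write" right on C:\ProgramData itself, so expect at least that one row; rows on subfolders that hold executables or service data are the ones worth a closer look.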
Search cmd "help" for commands containing the case-insensitive string "service":
help | findstr /i service
Get help with the "service controller" (sc) command:
help sc
Query all services:
sc query
Search PowerShell cmdlets that have a "noun" containing "service":
get-command -noun *service*
Get help:
get-help get-service
Get services that start with "win":
get-service win*
Get all info about the "winrm" service:
get-service winrm | select *
Search cmd help for "task":
help | findstr /i task
Get help on the "schtasks" command:
help schtasks
Get context-specific help for the schtasks command:
schtasks /query /?
Query all scheduled tasks, with verbose output:
schtasks /query /v
Get info about a specific task (change "taskname" to an actual task on your host):
schtasks /query /tn "taskname"
Get verbose output in CSV format for all tasks ("Ctrl+C" to cancel/interrupt output):
schtasks /query /v /fo csv | more
Search PowerShell cmdlets for "nouns" containing the string "task":
get-command -noun *task*
Get help:
get-help get-scheduledtask
Get info on all scheduled tasks:
get-scheduledtask
Get info about tasks with taskname including "defend":
get-scheduledtask -taskname *defend*
Get detailed info about any task with taskname including "defender sched":
get-scheduledtask -taskname "*defender sched*" | select *
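"get-scheduledtask | select *" buries the interesting fields (what runs, as whom, and when it last ran) inside nested Actions, Principal and task-info objects. This added example (not from the original guide) flattens every task into one row per action and writes it out with the guide's naming scheme, so the whole task list can be reviewed in a spreadsheet or diffed against a known-good host. The output path is an assumed default.

```powershell
# Added example, not from the original guide: one row per scheduled-task action,
# with the executable, arguments, run-as account and last/next run times.
function Get-ScheduledTaskActionReport {
    param(
        # Microsoft's own tasks are hidden by default so third-party and
        # user-created tasks stand out; pass -IncludeMicrosoft to see them all
        [switch]$IncludeMicrosoft
    )
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        if (-not $IncludeMicrosoft -and $task.TaskPath -like '\Microsoft\*') { return }
        # Get-ScheduledTaskInfo supplies LastRunTime / NextRunTime / LastTaskResult
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                TaskPath       = $task.TaskPath
                TaskName       = $task.TaskName
                State          = $task.State
                Author         = $task.Author
                RunAs          = $task.Principal.UserId
                RunLevel       = $task.Principal.RunLevel
                # Execute/Arguments are $null for COM-handler actions,
                # which expose a ClassId instead of a command line
                Execute        = $action.Execute
                Arguments      = $action.Arguments
                LastRunTime    = $info.LastRunTime
                NextRunTime    = $info.NextRunTime
                LastTaskResult = $info.LastTaskResult
            }
        }
    }
}

$stamp  = Get-Date -Format 'yyyyMMdd'
$report = Get-ScheduledTaskActionReport
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\schtasks-$env:COMPUTERNAME-$stamp.csv" -NoTypeInformation
$report | Format-Table TaskName, RunAs, RunLevel, Execute, Arguments -AutoSize
```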
Get help on using "cmdkey":
cmdkey /?
View information about cached (stored) credentials:
cmdkey /list
Remove a "stored" credential:
cmdkey /delete:targetname
Get help using the "net user" command:
net user /?
Run "net user":
net user
Add a user named "bsmith":
net user bsmith P@ssw0rd! /ADD
Get help on the "net localgroup" command:
net localgroup /?
Get info on the local "administrators" group:
net localgroup administrators
View account settings/requirements:
net accounts
Search PowerShell for cmdlets with nouns ending in "user" or beginning with "local":
get-command -noun *user
get-command -noun local*
Get all properties for the local user account "Administrator":
get-localuser -name Administrator | select *
Show all local groups:
get-localgroup
Get the security identifier (sid) for the local group "Administrators":
get-localgroup -name Administrators | select sid
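Reviewing local accounts usually means answering the same few questions for each one: is it enabled, is it an administrator, when did it last log on, and how old is its password. This added example (not from the original guide) combines "get-localuser" and "get-localgroupmember" into one table, matching Administrators membership by SID rather than by name so renamed accounts compare correctly.

```powershell
# Added example, not from the original guide: one row per local account with
# the fields a reviewer checks first, built from Get-LocalUser and
# Get-LocalGroupMember.
function Get-LocalAccountReport {
    # Resolve Administrators members by SID; -ErrorAction keeps an orphaned
    # (deleted-domain) SID in the group from aborting the whole listing
    $adminSids = (Get-LocalGroupMember -Name 'Administrators' -ErrorAction SilentlyContinue).SID.Value
    Get-LocalUser | ForEach-Object {
        $u = $_
        # PasswordLastSet is $null for accounts that have never had one set
        $pwdAge = if ($u.PasswordLastSet) {
            (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days
        } else { $null }
        [pscustomobject]@{
            Name             = $u.Name
            SID              = $u.SID.Value
            Enabled          = $u.Enabled
            IsAdmin          = $adminSids -contains $u.SID.Value
            LastLogon        = $u.LastLogon
            PasswordLastSet  = $u.PasswordLastSet
            PasswordAgeDays  = $pwdAge
            PasswordRequired = $u.PasswordRequired
            # $null here means the password is set to never expire
            PasswordExpires  = $u.PasswordExpires
            PrincipalSource  = $u.PrincipalSource
        }
    }
}

# Enabled administrator accounts first, then everything else
Get-LocalAccountReport |
    Sort-Object IsAdmin, Enabled -Descending |
    Format-Table Name, Enabled, IsAdmin, LastLogon, PasswordAgeDays, PasswordExpires -AutoSize
```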
NOTE: The Active Directory PowerShell module must be installed and imported into your session for these to work!
Get info on all AD users:
get-aduser -filter *
Show all members of the "domain admins" AD group:
get-adgroupmember "domain admins"
Show the name of all "computers" in AD:
get-adcomputer -filter * | select name
...TO BE CONTINUED...