Windows cheat sheet

This cheat sheet provides new and experienced users with a number of miscellaneous references and commands for the Windows operating system.

Windows Versions

Version  Product Name
NT 3.1   Windows NT 3.1
NT 3.5   Windows NT 3.5
NT 3.51  Windows NT 3.51
NT 4.0   Windows NT 4.0
NT 5.0   Windows 2000
NT 5.1   Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded)
NT 5.2   Windows XP (64-bit, Pro 64-bit), Windows Server 2003 & R2 (Standard, Enterprise), Windows Home Server
NT 6.0   Windows Vista (Starter, Home, Basic, Home Premium, Business, Enterprise, Ultimate)
NT 6.1   Windows 7 (Starter, Home, Pro, Enterprise, Ultimate), Windows Server 2008 (Foundation, Standard, Enterprise), Windows Server 2008 R2 (Foundation, Standard, Enterprise)
NT 6.2   Windows 8 (x86/64, Pro, Enterprise), Windows RT (ARM), Windows Phone 8, Windows Server 2012 (Foundation, Essentials, Standard)

Windows Files

Command / Location                              Description
%SYSTEMROOT%                                    Typically C:\Windows
%SYSTEMROOT%\System32\drivers\etc\hosts         DNS entries
%SYSTEMROOT%\System32\drivers\etc\networks      Network settings
%SYSTEMROOT%\System32\config\SAM                User & password hashes
%SYSTEMROOT%\repair\SAM                         Backup copy of SAM
%SYSTEMROOT%\System32\config\RegBack\SAM        Backup copy of SAM
%WINDIR%\system32\config\AppEvent.Evt           Application log
%WINDIR%\system32\config\SecEvent.Evt           Security log
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\  Startup location
%USERPROFILE%\Start Menu\Programs\Startup\      Startup location
%SYSTEMROOT%\Prefetch                           Prefetch dir (EXE, logs)

Startup Directories

Version                          Location
NT 3.50, NT 3.51, NT 4.0         %SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\Startup
Win 9x                           %SystemDrive%\WINDOWS\Start Menu\Programs\Startup
NT 5.0, NT 5.1, NT 5.2           %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup
NT 6.0, NT 6.1 (All Users)       %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
NT 6.0, NT 6.1 (Specific Users)  %SystemDrive%\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

System Info Commands

Command                                      Description
ver                                          Show OS version
sc query state= all                          Show services (space after state=)
tasklist /svc                                Show processes & services
tasklist /m                                  Show all processes & DLLs
tasklist /S <ip> /v                          Remote process listing
taskkill /PID <pid> /F                       Force process to terminate
systeminfo /S <ip> /U domain\user /P passwd  Remote system info
reg query \\<ip>\<RegDomain>\<Key> /v        Query remote registry, /s = all values
reg query HKLM /f password /t REG_SZ /s      Search registry for password
fsutil fsinfo drives                         List drives
dir /a /s /b c:\*.pdf                        Search drive C: for all PDFs
dir /a /b c:\windows\kb*                     Search for patches
findstr /si password *.txt                   Search files for password
tree /F /A c:\                               Directory listing of C:
reg save HKLM\Security security.hive         Save security hive to file
echo %USERNAME%                              Current user

NET/Domain Commands

Command                                          Description
net view /domain                                 Hosts in current domain
net view /domain:[MYDOMAIN]                      Hosts in [MYDOMAIN]
net user /domain                                 All users in current domain
net user <user> <passwd> /add                    Add user
net localgroup "Administrators" <user> /add      Add user to Administrators
net accounts /domain                             Domain password policy
net localgroup "Administrators"                  List local Admins
net group /domain                                List domain groups
net group "Domain Admins" /domain                List users in Domain Admins
net group "Domain Controllers" /domain           List DCs for current domain
net share                                        Current SMB shares
net session | find "\\"                          Active SMB sessions
net user <user> /ACTIVE:yes /domain              Unlock domain user account
net user <user> <passwd> /domain                 Change domain user passwd
net share <share>=c:\share /GRANT:Everyone,FULL  Share folder

Remote Commands

Command                                               Description
tasklist /S <ip> /v                                   Remote process listing
systeminfo /S <ip> /U domain\user /P passwd           Remote systeminfo
net view \\<ip>                                       Shares of remote computer
net use \\<ip>                                        Remote filesystem (IPC$)
net use z: \\<ip>\share <passwd> /user:DOMAIN\<user>  Map drive with specified credentials
reg add \\<ip>\<regkey>\<value>                       Add registry key remotely
sc \\<ip> create <service> binpath= C:\Windows\System32\x.exe start= auto  Create a remote service (space after binpath= and start=)
xcopy /s \\<ip>\dir C:\local                          Copy remote folder
shutdown /m \\<ip> /r /t 0 /f                         Remotely reboot machine

Network Commands

Command                                        Description
ipconfig /all                                  IP configuration
ipconfig /displaydns                           Local DNS cache
netstat -ano                                   Open connections
netstat -anop tcp 1                            Netstat loop (1-second interval)
netstat -an | findstr LISTENING                LISTENING ports
route print                                    Routing table
arp -a                                         Known MACs (ARP table)
nslookup                                       DNS zone transfer (the next three lines are typed at the nslookup prompt)
  set type=any
  ls -d domain > results.txt
  exit
nslookup -type=SRV _www._tcp.url.com           Domain SRV lookup (_ldap, _kerberos, _sip)
tftp -I <ip> GET <remote-file>                 TFTP file transfer
netsh wlan show profiles                       Saved wireless profiles
netsh firewall set opmode disable              Disable firewall
netsh wlan export profile folder=. key=clear   Export wifi plaintext passwd
netsh interface ip show interfaces             List interface IDs/MTUs
netsh interface ip set address local static <ip> <nmask> <gway> <ID>  Set IP
netsh interface ip set dns local static <ip>   Set DNS server
netsh interface ip set address local dhcp      Set interface to use DHCP

Utility Commands

Command                             Description
type <file>                         Display file contents
del <path>\. /a /s /q /f            Forcibly delete all files in <path>
find /I "str" <filename>            Find "str"
<command> | find /c /v ""           Line count of <command> output
at HH:MM <file> [args]              Schedule <file> to run
runas /user:<user> "<file> [args]"  Run <file> as <user>
shutdown /r /t 0                    Restart now
makecab <file>                      Native compression
wusa.exe /uninstall /kb:###         Uninstall patch
cmd.exe /c "wevtutil qe Application /c:40 /f:text /rd:true"  CLI Event viewer
lusrmgr.msc                         Local user manager
services.msc                        Services control panel
taskmgr.exe                         Task manager
secpol.msc                          Security policy manager
eventvwr.msc                        Event viewer