# Host and identity baseline. These are cmd.exe-era utilities; they take no
# input and only read local state.
systeminfo # Full system info (OS build, installed hotfixes, domain, network cards)
hostname # Computer name
whoami # Current user
whoami /priv # Privileges held by the current token and whether each is enabled
whoami /groups # Group memberships of the current token, including its integrity level label
net user # List local users
net localgroup administrators # List members of the local Administrators group
wmic os get caption # OS version (wmic is deprecated on current Windows; Get-CimInstance Win32_OperatingSystem is the PowerShell equivalent)
wmic cpu get name # CPU info
# Network state. During incident response, capture volatile data before changing it.
ipconfig /all # Full network config
ipconfig /flushdns # Flush DNS cache (discards resolver history; save `ipconfig /displaydns` output first if it may be evidence)
netstat -ano # All connections and listening ports, numeric addresses, with owning PID
netstat -anob # Same, plus the executable behind each socket (-b needs an elevated prompt)
nslookup domain.com # DNS lookup
route print # Routing table
arp -a # ARP table
net share # List shares this host exposes, including administrative shares
# File system (cmd.exe syntax; the /switches are not understood by the PowerShell aliases of the same names).
dir /a /s C:\ # List all files recursively, hidden and system files included
dir /a:h # Show only hidden files
tree /f # Directory tree with files
type file.txt # Print file contents
copy src dst # Copy file
move src dst # Move file
del file.txt # Delete file (does not go through the Recycle Bin)
mkdir folder # Create directory
attrib +h file.txt # Hide a file
attrib -h file.txt # Unhide a file
icacls file.txt # View the ACL; as written this changes nothing (modifying needs /grant, /deny, /remove or /inheritance)
# Processes and services.
# NOTE: in Windows PowerShell 5.1 `sc` is an alias for Set-Content; run the sc lines as sc.exe there.
tasklist # List running processes
tasklist /svc # Services hosted in each process
taskkill /PID 1234 /F # Force-kill process by PID
taskkill /IM notepad.exe /F # Force-kill every process with this image name
sc query # List running services only (state defaults to active)
sc query type= all # Running services and drivers; add state= all to include stopped ones (the space after = is required)
sc start ServiceName # Start service
sc stop ServiceName # Stop service
net start # List running services by display name
# PowerShell equivalents. These return objects, so output can be filtered with Where-Object / Select-Object.
Get-Process # List processes
Get-Service # List services (running and stopped)
Get-LocalUser # List local users
Get-LocalGroup # List local groups
Get-NetIPAddress # IP addresses per network interface
Get-NetTCPConnection # Active TCP connections (OwningProcess holds the PID)
Get-ChildItem -Force # List files including hidden and system items
Get-Content file.txt # Print file
Get-FileHash file.txt # File hash (SHA256 default; -Algorithm selects another)
Invoke-WebRequest -Uri URL # Fetch URL and return the response object; add -OutFile <path> to save it to disk
Set-ExecutionPolicy Bypass # Turns off execution-policy checks for the default scope (LocalMachine, needs admin); prefer -Scope Process for a single session. Execution policy is a safety feature, not a security boundary.
# Local account management (elevated prompt required). Each change is recorded
# in the Security log when account-management auditing is enabled.
net user username password /add # Create local user (the password lands in command-line logs and history; use * in place of the password to be prompted)
net user username /delete # Delete user
net localgroup administrators username /add # Add to local Administrators (audited as event 4732)
net user username /active:no # Disable account (audited as event 4725)
net accounts # Password and lockout policy for local accounts
# Registry. Writing under HKLM needs an elevated prompt; export a key before changing it.
reg query HKLM\SOFTWARE\... # Query registry key
reg add HKLM\... /v Name /t REG_SZ /d Value # Add string value Name under the key (prompts before overwriting unless /f is given)
reg delete HKLM\... /v Name /f # Delete value Name without a confirmation prompt (/f)
reg export HKLM\... backup.reg # Export the key and its subkeys to a .reg file
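# Event logs. Reading the Security log requires an elevated session.
# wevtutil reads oldest-first by default, so /c:10 alone returns the FIRST ten
# records in the log; /rd:true reverses the direction to get the latest ones.
wevtutil qe Security /c:10 /rd:true /f:text # Last 10 security events
wevtutil qe System /c:10 /rd:true /f:text # Last 10 system events
eventvwr # Open Event Viewer GUI
Get-EventLog -LogName Security -Newest 20 # Newest 20 Security events (classic logs only; cmdlet is not available in PowerShell 7)
Get-WinEvent -LogName Security -MaxEvents 20 # Newest 20 Security events (returns newest first by default)
# To narrow by event ID, pass Get-WinEvent a -FilterHashtable such as @{LogName='Security'; Id=4625}.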
| ID | Description |
|---|---|
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4648 | Logon using explicit credentials |
| 4720 | User account created |
| 4722 | User account enabled |
| 4725 | User account disabled |
| 4732 | Member added to a security-enabled local group |
| 4768 | Kerberos TGT requested |
| 4769 | Kerberos service ticket requested |
| 7045 | New service installed (recorded in the System log, not Security) |