My personal Windows system administration reference
- Table of Contents
- Resources
- Misc
- Graphical System Utilities
- PowerShell
- System32 / Command Prompt
- External Utilities
- Other
- Windows documentation: https://learn.microsoft.com/en-us/windows
- Common types of unmovable files are the paging file, hibernation file, and system restore points
Note: The `.msc` extension is only required if launching via the Run menu
- Computer Management (`compmgmt.msc`)
- Event Viewer (`eventvwr`)
- Registry Editor (`regedit`)
- Disk Management (`diskmgmt.msc`)
- Windows Defender Firewall with Advanced Security (`wf.msc`)
- Control Panel (`control`)
  - Programs (`appwiz.cpl`)
- System Configuration (`msconfig`) (Provides some limited configuration options, including boot options)
- System Information (`msinfo32`)
- Windows Installer (`msiexec`)
PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. PowerShell runs on Windows, Linux, and macOS.
- Windows PowerShell Reference: https://learn.microsoft.com/en-us/powershell/
- Module Browser: https://learn.microsoft.com/en-us/powershell/module
- `Select-String` (`sls`) (Finds text in strings and files)
- Help
  - `Get-Help` (`help`) (Displays help about Windows PowerShell cmdlets and concepts)
    - `Get-Help <command>` to show the name, syntax, aliases, and remarks for the command
    - `<command> -?` to get help with the command (same output as `Get-Help`)
- Commands
  - `Get-Command` (`gcm`) (Gets all commands)
    - Default command information: CommandType, Name, Version, Source
    - `Get-Command` to list all available PowerShell commands and their information
    - `Get-Command -CommandType Application` to list all available applications (external executables) in the path and their information
    - `Get-Command -Module <module>` to show all commands available from the module and their information
    - `Get-Command <command>` to show the command's information
- Modules
  - `Get-Module` (`gmo`) (Lists the modules imported in the current session or that can be imported from the PSModulePath)
    - Default module information: ModuleType, Version, Name, ExportedCommands
    - `Get-Module` to list PowerShell modules loaded in the current session (modules are loaded on first use)
    - `Get-Module -ListAvailable` to list all available PowerShell modules
    - `Get-Module <module>` to list information for the module
- Formatting output
  - `Select-Object` (`select`) (Selects objects or object properties)
    - `<command> | Select-Object *` to show all properties of the objects output by the command instead of the default view
  - `Format-List` (`fl`) (Displays formatted text of the output as a list of properties)
    - `<command> | Format-List *` to show all properties of the objects output by the command instead of the default view, in text format (loses object orientation)
    - Eg: `Get-Module <module> | Format-List *` to view all information provided by the output of `Get-Module <module>` instead of the default set of information
- `Get-Process` (`ps`) (Gets the processes that are running on the local computer)
  - `Get-Process` to see all processes
  - `Get-Process <name>` to view the process
- `Get-NetFirewallRule` (Retrieves firewall rules from the target computer)
  - `Get-NetFirewallRule` to get all firewall rules
  - Filters
    - `-Direction <Inbound|Outbound>`
    - `-Action <NotConfigured|Allow|Block>`
    - `-DisplayName <name>`
- `Set-NetFirewallRule` (Modifies existing firewall rules)
  - `Set-NetFirewallRule -Name "FPS-ICMP4-ERQ-In" -Enabled <True|False>` to enable/disable ICMPv4 pings
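The filters above only narrow the rule list; the port and program a rule opens live in separate filter objects. The following is an added example (not from the original notes) that joins them to audit every enabled inbound Allow rule and flag the ones that restrict neither port nor program. It assumes the NetSecurity module and an elevated shell.

```powershell
# Added example: audit enabled inbound Allow rules with the ports and programs they open.
# Assumes the NetSecurity module (Windows 8 / Server 2012 and later) and an elevated shell.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule = $_
        # The port and program constraints are separate filter objects, not rule properties
        $portFilter = $rule | Get-NetFirewallPortFilter
        $appFilter  = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name        = $rule.Name
            DisplayName = $rule.DisplayName
            Profile     = $rule.Profile
            Protocol    = $portFilter.Protocol
            LocalPort   = ($portFilter.LocalPort -join ',')
            Program     = $appFilter.Program
        }
    }

# Rules that constrain neither the port nor the program are the ones to review first
$broad = @($rules | Where-Object { $_.LocalPort -eq 'Any' -and $_.Program -eq 'Any' })

$rules | Sort-Object Profile, DisplayName | Format-Table -AutoSize
"{0} enabled inbound Allow rules, {1} with no port or program restriction" -f @($rules).Count, $broad.Count
$broad | Format-Table Name, DisplayName, Profile -AutoSize
```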
- Command Prompt reference: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands
- `wmic` (Windows Management Instrumentation Command-line; deprecated since 10.0.19043)
- `help <command>` (Provides help information for Windows commands)
- `findstr` (Searches for patterns of text in files)
  - `/i` for case insensitive
  - `/v` to invert matches
  - `/m` to only list files with matches
- `tar` (Manipulates archive files; since 10.0.17063)
  - `tar --help`
- `curl` (since 10.0.17063)
  - `curl --help`
- `start` (Starts a separate Command Prompt window to run a specified program or command)
  - `start "<title>" <program>`
    - `"<title>"` (required) to set the new Command Prompt window title
    - `/wait` to block the parent batch program until finished
- `call` (Calls one batch program from another without stopping the parent batch program)
  - `call <program>`
- `cmd` (Starts a new instance of the command interpreter, cmd.exe)
  - `cmd <program>` (or just `<program>`) to pass on control to `<program>` and not return to the script
  - `cmd /c <program>` (Carries out the command specified by `<program>` and then exits the command processor)
  - `cmd /k <program>` (Carries out the command specified by `<program>` and keeps the command processor running)
- `doskey` (Edits command lines, recalls Windows commands, and creates macros)
  - `doskey /history` to see command history
- `<command> >nul 2>&1` to redirect stdout and stderr to `nul`
- `echo %ERRORLEVEL%` to print the exit code of the last command
  - `if errorlevel 1 echo ERROR` to print `ERROR` if the last `%ERRORLEVEL%` >= 1
- `sc` (Interface to Service Control Manager and services)
- `fltmc` (Manage MiniFilter drivers)
  - See minifilter documentation: https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/about-file-system-filter-drivers
  - `fltmc [filters]` to list loaded minifilters
- `ver` (Displays the Windows version)
- `systeminfo` (Displays operating system configuration information for a local or remote machine, including service pack levels)
- `diskpart` (Manages disks, partitions, volumes, and virtual hard disks; interactive)
- `fsutil` (Performs tasks related to FAT and NTFS file systems, such as managing reparse points, handling sparse files, or dismounting a volume)
- `sfc` (Scans the integrity of all protected system files and replaces incorrect versions with correct Microsoft versions)
  - `/scannow` to perform the scan on all files and repair
    - `/scanfile <file>` to perform only on the file
  - `/verifyonly` to perform the scan on all files but not repair
    - `/verifyfile <file>` to perform only on the file
  - Offline
    - `/offwindir <offline-windows-dir>` to perform the scan and repairs on an offline Windows directory
    - `/offbootdir <offline-boot-dir>` to perform the scan and repairs on an offline boot directory
    - `/offlogfile=<file>` to specify the log file for offline scan and repairs
- `defrag`
  - NOTE! Do not use the traditional defragmentation option with SSDs, which is the default. Use `/o` (see below) instead.
  - `defrag c: /a /u /v` to perform a fragmentation analysis only (`/a`) on C:, print progress (`/u`), and use verbose output (`/v`)
  - `/o` (Perform the proper optimization for each media type)
- `reg` (Performs operations on registry subkey information and values in registry entries; NOTE! Use with caution: this can break your system)
  - Query
    - `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize"` to query personalization registry subkeys
    - `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v AppsUseLightTheme` to query the `AppsUseLightTheme` registry entry
  - Add/modify
    - `reg add <keyname> /v <valuename> /t <data-type> /d <data> /f` to add/modify registry entry values (`/f` to overwrite an existing entry)
- `setx` (Creates or modifies environment variables in the user or system environment. Can set variables based on arguments, regkeys or file input.)
- `set` (Displays, sets, or removes cmd.exe environment variables)
- Update system path:
  - `set "NEW_PATH=%PATH%;C:\new\dir"`
  - `setx /M PATH "%NEW_PATH%"`
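Two things to know about the `setx /M PATH "%PATH%;..."` pattern: `%PATH%` inside cmd.exe is the merged user+machine value, so the user entries get copied into the machine PATH, and `setx` truncates any value longer than 1024 characters. The following is an added example (not from the original notes) that appends to the machine-scoped value directly, with neither problem; `C:\new\dir` is a placeholder and the shell must be elevated.

```powershell
# Added example: append a directory to the system PATH without going through setx.
# Requires an elevated shell; 'C:\new\dir' is a constructed placeholder.
function Add-MachinePathEntry {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Directory)

    # Read the machine-scoped value itself, not the process's merged %PATH%
    $current = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $entries = @($current -split ';' | Where-Object { $_ -ne '' })

    # -contains is case-insensitive in PowerShell, matching how Windows treats paths
    if ($entries -contains $Directory) {
        Write-Verbose "$Directory is already on the machine PATH"
        return $false
    }
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        throw "Refusing to add non-existent directory $Directory"
    }

    $updated = ($entries + $Directory) -join ';'
    # Writes the full value; no 1024-character ceiling as with setx
    [Environment]::SetEnvironmentVariable('Path', $updated, 'Machine')
    return $true
}

Add-MachinePathEntry -Directory 'C:\new\dir' -Verbose
```

New processes pick up the change; the current shell keeps its old `$env:Path` until restarted.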
- `winget` comes pre-installed as the default package manager since 10.0.17763
  - Winget documentation: https://learn.microsoft.com/en-us/windows/package-manager/winget
  - `winget list` to list installed packages
  - `winget search <command>` to search for package candidates
  - `winget show <package>` to show details of a package candidate
  - `winget install <package>` to install a package
    - `--accept-package-agreements` to accept any license agreements, and avoid the prompt
    - `--accept-source-agreements` to accept any source license agreements, and avoid the prompt
- `tasklist` (Displays a list of currently running processes on the local computer or on a remote computer)
  - `tasklist` to see the tasklist
    - Default task information: Image Name, PID, Session Name, Session#, Mem Usage
  - `tasklist /v` to see the verbose tasklist
    - Verbose task information: Image Name, PID, Session Name, Session#, Mem Usage, Status, User Name, CPU Time, Window Title
  - `tasklist /fi "imagename eq procexp*"` to filter processes for Process Explorer
- `taskkill` (Ends one or more tasks or processes)
  - Examples
    - `taskkill /im procexp*` to filter for and kill Process Explorer
    - `taskkill /pid <pid>` to filter for and kill the process by PID
  - Parameters
    - `/im <imagename>`
    - `/pid <pid>` to kill by PID
    - `/fi <filter>`
    - `/f` to kill forcefully
    - `/t` to kill child processes along with the parent
- `whoami` (Shows information about the user, groups, and privileges for the account currently logged on to the local system)
  - `whoami` to show `domain\username`
  - `whoami /all` to show information on the user, their groups, privileges, security IDs, and more
  - `whoami /priv` to show the security privileges of the current user
  - `whoami /groups` to show the group memberships of the current user
- `net` to perform operations on groups, users, account policies, shares, and more
  - `net session` to determine who's using resources on the local computer
  - `net user` (Details, adds, modifies, or deletes user accounts)
    - `net user <username>` to see details of the user
- `tracert` (Traces the route to a destination)
- `pathping` (Traces the route to a destination and calculates latency and loss between hops)
- `netstat` (Displays active network connections and statistics)
  - `netstat 1` to run and refresh every 1 second
  - `netstat -bao` to display all active/listening TCP and UDP connections/ports (`-a`), display executable names (`-b`), and display PIDs (`-o`)
  - `netstat -r` to display the routing table
  - `netstat -e` to display Ethernet statistics
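The `netstat -bao` listing is text; when reviewing a box it helps to have the same data as objects, joined to each owning process and its Authenticode signature status so an unsigned or oddly located listener stands out. The following is an added example (not from the original notes) built on `Get-NetTCPConnection` and `Get-AuthenticodeSignature`; run it elevated so every process's path is visible.

```powershell
# Added example: listening TCP endpoints with owning process, image path and signature status.
# Assumes the NetTCPIP module (Windows 8 / Server 2012 and later); run elevated for full paths.
function Get-ListeningEndpoint {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        # System, Idle and protected processes expose no path; report that instead of failing
        $sig = if ($proc -and $proc.Path) {
            (Get-AuthenticodeSignature -FilePath $proc.Path).Status
        } else {
            'NoPath'
        }
        [pscustomobject]@{
            LocalAddress = $conn.LocalAddress
            LocalPort    = $conn.LocalPort
            PID          = $conn.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path         = if ($proc) { $proc.Path } else { $null }
            Signature    = $sig
        }
    }
}

$endpoints = @(Get-ListeningEndpoint)
$endpoints | Sort-Object LocalPort | Format-Table -AutoSize

# Anything whose signature is not Valid deserves a closer look (sigcheck from Sysinternals can dig deeper)
$endpoints |
    Where-Object { $_.Signature -ne 'Valid' -and $_.Signature -ne 'NoPath' } |
    Format-Table LocalPort, PID, Process, Path, Signature -AutoSize
```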
- `ipconfig` (Displays network configuration and refreshes DHCP and DNS settings)
  - `/release` (Releases the IPv4 address for the specified adapter)
  - `/renew` (Renews the IPv4 address for the specified adapter)
  - `/flushdns` (Purges the DNS resolver cache)
  - `/registerdns` (Refreshes all DHCP leases and re-registers DNS names)
  - `/displaydns`
- `netsh` (Network shell; Displays and modifies network settings, automates tasks, and troubleshoots network issues locally or remotely)
  - Note: The netsh docs are very helpful: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/netsh
  - `netsh` to start an interactive netsh session
  - Wireless network information
    - `netsh wlan show all` to show all wireless device and networks information
    - Profiles
      - `netsh wlan show profile` to list stored profiles
      - `netsh wlan show profile *` to show details for all profiles
      - `netsh wlan show profile "<profile-name>"` to show details for the profile
        - `key=clear` to display the security key in plaintext
  - Firewall
    - `netsh advfirewall show allprofiles` to show all firewall profiles
    - `netsh advfirewall firewall show rule name=all` to show all firewall rules
    - Add
      - Parameters: `remoteip=<ip>`, `program=<path>`, `name=<firewall-rule-name>`
      - Example: `netsh advfirewall firewall add rule name="<firewall-rule-name>" action=allow localport=8080 protocol=TCP dir=in` to add a firewall rule to allow inbound TCP traffic to port 8080 on the local host
    - `netsh advfirewall firewall show rule name="<firewall-rule-name>"` to show the firewall rule details
    - `netsh advfirewall firewall delete rule name="<firewall-rule-name>"` to delete the firewall rule
  - Interfaces
    - `netsh interface ip show config` to list interfaces' configurations
    - `netsh interface show interface [interface]` to list interfaces and their states
    - `netsh interface set interface <interface> [admin=]<enabled|disabled>` to enable/disable an interface
    - `netsh interface ip set address <interface> <static [address] | dhcp | source=<dhcp|static> [static-address]>` to set the address source and address
  - Port forwarding
    - `netsh interface portproxy add v4tov4 listenaddress=<src-address> listenport=<src-port> connectaddress=<dst-address> connectport=<dst-port>` to add a persistent TCP IPv4-to-IPv4 `portproxy` rule to forward traffic received on local `<src-address>:<src-port>` to `<dst-address>:<dst-port>`
- Switch system to dark mode (`reg`, `taskkill`)
  - `reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v SystemUsesLightTheme /t REG_DWORD /d 0 /f` to switch the system theme to dark mode
  - `reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v AppsUseLightTheme /t REG_DWORD /d 0 /f` to switch apps to dark mode
  - `taskkill /f /im explorer.exe && start explorer.exe` to restart Explorer, which refreshes the desktop and applies the dark theme
- See the Sysinternals page: https://learn.microsoft.com/en-us/sysinternals
- See the list of tools: https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
- Process Explorer
- Process Monitor
- TCPView (Shows detailed listings of all TCP and UDP endpoints)
- Autoruns (Shows the configured auto-start applications)
- DiskView (Shows a graphical map of the disk)
- `autorunsc` (Command-line version of Autoruns)
- `sigcheck` (Shows file information including signature details and performs an optional VirusTotal scan)
- `listdlls` (Reports DLLs loaded into processes)
- `contig` (Performs single-file defragmentation)
- `strings`
- `psloglist` (Dumps the contents of an Event Log on the local or a remote computer)
- `tcpvcon` (Command-line version of TCPView)
  - `-a` to show all endpoints
  - `-n` to not resolve addresses
- `dumpbin` (Microsoft COFF/PE Dumper)
  - `/summary`
  - `/all`
  - `/disasm`
  - `/rawdata` (hex dump)
  - `/headers`
  - `/symbols`
  - `/exports`