CyberCheatsheets

Windows Commands Cheat Sheet

Windows CMD command reference — files, users, networking, services, and enumeration commands for admins and pentesters.

Category: Utilities & Shells | Tags: cmd, command-line, enumeration, sysadmin, windows | Updated 2026-06-17

Overview

The classic Windows cmd.exe commands for files, users, services, and networking—still the fastest way to enumerate a Windows host on a foothold where PowerShell may be restricted. Includes the net, wmic, and tasklist commands you'll use during post-exploitation.

Authorized use only. Run commands only on systems you own or have permission to access.

Files & directories

List all files including hidden/system

dir /a

Recursive search for matching paths

dir /s /b C:\ | findstr /i password

Print a file (like cat)

type file.txt

Copy / move / delete files

copy / move / del

Find files by name recursively

where /r C:\ *.kdbx

Grep file contents for a string

findstr /si password *.xml *.ini *.txt

Users & groups

Current user, groups, and privileges

whoami /all

List local users

net user

Details of a specific account

net user administrator

Members of the local admins group

net localgroup administrators

Add a local admin (authorized testing/persistence)

net user hacker P@ss123 /add && net localgroup administrators hacker /add
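
The commands above answer "who am I and what can I do" one at a time. The batch script below is an added example (not part of the original cheat sheet) that parses whoami /priv and whoami /groups in one pass and flags the token privileges and well-known group SIDs that most often turn a foothold into SYSTEM. The script name privcheck.bat and the privilege list are the author's choices here; the list is the commonly abused set (SeImpersonate, SeAssignPrimaryToken, SeDebug, SeBackup, SeRestore, SeTakeOwnership, SeLoadDriver, SeManageVolume). It assumes an English locale, because it reads the Enabled/Disabled text of the State column; the SID checks are locale independent.

```batch
@echo off
setlocal EnableDelayedExpansion
:: privcheck.bat - added example, not part of the original cheat sheet.
:: Parses "whoami /priv" and "whoami /groups" to flag the token privileges and
:: group SIDs that most often lead from a foothold to SYSTEM. Assumes an
:: English locale (the State column reads Enabled/Disabled).

:: Privileges commonly abused for local privilege escalation (well-known list).
set "INTERESTING=SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege SeDebugPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeManageVolumePrivilege"

echo [*] Running as:
whoami
echo.
echo [*] Interesting privileges on this token:
set "FOUND=0"
:: Each privilege line is "<Name> <Description...> <State>". Header lines never
:: match a name in INTERESTING, so they fall through harmlessly.
for /f "tokens=1,*" %%A in ('whoami /priv') do (
    for %%P in (%INTERESTING%) do (
        if /i "%%A"=="%%P" (
            rem The state is the last word of the remainder of the line.
            for %%S in (%%B) do set "STATE=%%S"
            echo     %%A : !STATE!
            set "FOUND=1"
        )
    )
)
if "%FOUND%"=="0" echo     none of the usual escalation privileges

echo.
echo [*] Group and integrity checks by well-known SID:
whoami /groups | findstr /c:"S-1-5-32-544" >nul && (echo     BUILTIN\Administrators is in the token) || (echo     not in BUILTIN\Administrators)
whoami /groups | findstr /c:"S-1-16-12288" /c:"S-1-16-16384" >nul && (echo     High or System integrity: admin rights are usable) || (echo     Medium or lower integrity: admin rights, if any, are UAC-filtered)
endlocal
```

Run it from the cmd prompt as privcheck.bat. A Disabled privilege is still interesting: it can be enabled programmatically by a process that holds it, so the script prints the state rather than hiding disabled entries. The integrity check matters because a member of Administrators running at Medium integrity is UAC-filtered and cannot use admin rights until elevated.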

System & processes

OS version, patches, and hardware

systeminfo

Running processes and their services

tasklist /svc

Force-kill a process

taskkill /F /PID 1234

Installed patches (for missing-KB exploits)

wmic qfe get HotFixID,InstalledOn

Show environment variables

set

Networking

Full network configuration

ipconfig /all

Connections and listening ports with PIDs

netstat -ano

ARP cache — nearby hosts

arp -a

Routing table (find other subnets)

route print

Browse / mount remote shares

net view \\TARGET   /   net use \\TARGET\C$ Passw0rd /user:DOM\user

Locate domain controllers

nslookup -type=srv _ldap._tcp.dc._msdcs.corp.local
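
netstat -ano shows listening ports with only a PID, so you normally cross-reference tasklist by hand. The script below is an added example (not part of the original cheat sheet) that builds a PID-to-image map from tasklist /fo csv once and then joins it to every LISTENING line of netstat -ano. The script name listeners.bat and the PID_ variable prefix are the author's choices here; nothing else is assumed beyond the standard output layout of the two tools.

```batch
@echo off
setlocal EnableDelayedExpansion
:: listeners.bat - added example, not part of the original cheat sheet.
:: Joins "netstat -ano" with "tasklist" so every listening TCP port is shown
:: next to the image name of the process that owns it; netstat alone gives
:: only the PID.

:: Build a PID -> image map once from tasklist in csv form without a header:
::   "svchost.exe","1032","Services","0","12,345 K"
:: %%~J and %%~I strip the surrounding quotes from the csv fields.
for /f "tokens=1,2 delims=," %%I in ('tasklist /fo csv /nh') do set "PID_%%~J=%%~I"

echo Proto   LocalAddress              PID     Image
echo ----------------------------------------------------------
:: netstat -ano TCP rows: Proto  Local Address  Foreign Address  State  PID
:: Only TCP rows carry a State column, so filtering on LISTENING keeps TCP
:: listeners (IPv4 and IPv6) and drops UDP sockets.
for /f "tokens=1,2,5" %%A in ('netstat -ano ^| findstr LISTENING') do (
    set "IMAGE=not-in-tasklist"
    if defined PID_%%C set "IMAGE=!PID_%%C!"
    echo %%A     %%B     %%C     !IMAGE!
)
endlocal
```

A port owned by a non-Microsoft image bound to 0.0.0.0 or [::] is the line to look at first; a port whose PID is no longer in tasklist simply closed between the two snapshots.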

Services & scheduled tasks

List services / inspect one's config

sc query   /   sc qc <service>

Start / stop a service

sc start <service>   /   sc stop <service>

List scheduled tasks (verbose)

schtasks /query /fo LIST /v

Create a task (authorized persistence)

schtasks /create /tn t /tr C:\Windows\Temp\p.exe /sc onlogon
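
sc query and sc qc give you one service at a time. The script below is an added example (not part of the original cheat sheet) that walks every Win32 service with sc.exe only and reports those whose executable path contains a space but is not quoted, the classic unquoted service path misconfiguration. The script name unquoted.bat and the variable names are the author's choices; it assumes sc qc prints the path as "BINARY_PATH_NAME   : <path>" with a single space after the colon, which is the layout on current Windows builds.

```batch
@echo off
setlocal EnableDelayedExpansion
:: unquoted.bat - added example, not part of the original cheat sheet.
:: Finds services whose executable path contains a space but is not quoted,
:: using only sc.exe (so it still works where wmic has been removed).
:: Assumes sc qc prints "BINARY_PATH_NAME   : <path>" with one space after
:: the colon, as it does on current Windows builds.

echo [*] Services with an unquoted, space-containing executable path:
:: "sc query" starts each entry with "SERVICE_NAME: <name>". Service names
:: may themselves contain spaces, so %%O takes the whole remainder.
for /f "tokens=1,* delims=: " %%N in ('sc query type^= service state^= all ^| findstr /b "SERVICE_NAME:"') do (
    for /f "tokens=1,* delims=:" %%K in ('sc qc "%%O" ^| findstr /c:"BINARY_PATH_NAME"') do (
        rem %%L is everything after the first colon; the drive colon survives.
        set "BIN=%%L"
        set "BIN=!BIN:~1!"
        rem NOQ drops every quote, MARK swaps quotes for #. They are equal only
        rem when the original path contained no quotes at all.
        set NOQ=!BIN:"=!
        set MARK=!BIN:"=#!
        if "!NOQ!"=="!MARK!" (
            rem First space-delimited word: if it does not already end in .exe,
            rem the executable path itself contains a space. That is exploitable
            rem only if one of the intermediate directories is writable.
            for /f "tokens=1" %%X in ("!NOQ!") do set "FIRST=%%X"
            if not "!FIRST!"=="!NOQ!" if /i not "!FIRST:~-4!"==".exe" (
                echo [+] %%O
                echo     !BIN!
            )
        )
    )
)
endlocal
```

For each hit, check the service's start type and account with sc qc and whether you can write to any directory along the path (icacls), otherwise the finding is cosmetic.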

Enumeration one-liners

Search the registry for passwords

reg query HKLM /f password /t REG_SZ /s

List saved credentials

cmdkey /list

Dump wireless passwords

netsh wlan show profile name="SSID" key=clear

Show firewall state

netsh advfirewall show allprofiles

List domain admins

net group "Domain Admins" /domain
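
The netsh wlan command above needs the SSID in advance. The script below is an added example (not part of the original cheat sheet) that enumerates every saved WLAN profile and prints its cleartext key in one run. The script name wifikeys.bat is the author's choice; it assumes an English locale because it keys on the "User Profile" and "Key Content" labels in netsh output, and it assumes netsh prints one space after the colon on those lines.

```batch
@echo off
setlocal EnableDelayedExpansion
:: wifikeys.bat - added example, not part of the original cheat sheet.
:: Loops over every saved WLAN profile and prints its cleartext key, instead
:: of querying one SSID at a time. Assumes an English locale (it keys on the
:: "User Profile" and "Key Content" labels) and one space after each colon.

:: "netsh wlan show profiles" lists saved networks as
::     All User Profile     : HomeNet
:: (or "Current User Profile" for per-user profiles), so match on "User Profile".
for /f "tokens=1,* delims=:" %%A in ('netsh wlan show profiles ^| findstr /c:"User Profile"') do (
    set "SSID=%%B"
    set "SSID=!SSID:~1!"
    set "KEY=no key stored or open network"
    rem With key=clear the security section contains "Key Content  : <psk>".
    rem tokens=1,* keeps a passphrase that itself contains a colon intact.
    for /f "tokens=1,* delims=:" %%K in ('netsh wlan show profile name^="!SSID!" key^=clear ^| findstr /c:"Key Content"') do (
        set "KEY=%%L"
        set "KEY=!KEY:~1!"
    )
    echo !SSID! : !KEY!
)
endlocal
```

Keys for all-user profiles are readable by any local user with key=clear on most builds; if the output shows the profile but no key, the network is open or uses 802.1X rather than a PSK.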

Tips

  • whoami /all is the best first command: SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege on the token is the usual route to SYSTEM, and SeBackupPrivilege, SeRestorePrivilege and SeDebugPrivilege are nearly as useful. Check the integrity level too, since an Administrators member at Medium integrity is UAC-filtered.
  • Use findstr /si to grep files and reg query /s to grep the registry for credentials.
  • net.exe, sc.exe and the other commands here are separate executables, so PowerShell Constrained Language Mode does not affect them; only an application-control policy (AppLocker or WDAC) that blocks cmd.exe or those binaries will.
  • wmic is deprecated and removed from recent Windows 11 builds. If it is missing, systeminfo still lists installed hotfixes from cmd, or fall back to PowerShell Get-CimInstance.
