Windows Command Line

System Information and Configuration:
- systeminfo: Provides detailed information about the system, including OS version, patches, and system uptime.
- netstat -ano: Lists all ports that are currently open and the corresponding process IDs. Useful for identifying unexpected network connections.
- ipconfig /all: Displays all network configuration details, including IP addresses, DNS servers, and MAC addresses.
- tasklist: Shows all currently running processes, which is vital for identifying suspicious activity.
- sc query: Lists the status of all services. This can help identify unauthorized or rogue services.
- driverquery: Lists all installed drivers, useful for finding hidden or malicious drivers.
User Account and Login Information:
- net users: Lists all user accounts on the system.
- quser: Displays information about logged on users.
- net user [username]: Provides detailed information about a specific user account.
- wevtutil qe Security /f:text /rd:true /c:10: Queries the Security event log for the last 10 entries, which can include logon events.
File and Directory Analysis:
- dir /a /s /b: Lists all files and directories, including hidden ones. Useful for a quick directory traversal.
- fc /b [file1] [file2]: Compares two files byte-by-byte, which can be useful for checking file integrity.
- findstr /s /i [string] *.*: Searches for a string in all files, helpful for finding specific content.
Network Configuration and Analysis:
- route print: Displays the current routing table, which can reveal unexpected routes.
- arp -a: Shows the ARP table, useful for identifying local network devices.
- nslookup: A tool for querying DNS to resolve hostnames to IP addresses and vice versa.
Forensic Tools:
- powershell "Get-WinEvent -ListLog *": Lists all event logs, useful for identifying available logs for deeper analysis.
- wmic process list full: Provides comprehensive information about running processes, including their execution path, which can reveal malicious processes.
- vssadmin list shadows: Lists Volume Shadow Copies, which can contain backups of critical files or evidence of tampering.
Miscellaneous:
- sfc /scannow: Scans and verifies the integrity of all protected system files.
- chkdsk: Checks the file system and file system metadata for logical and physical errors.
- gpresult /H gpresult.html: Generates a report of group policy settings, which can help identify unauthorized changes.

PreviousWindows Quick Tips NextWorkstation File/Folder Locations

Last updated 1 year ago

Was this helpful?

Windows Command Line

System Information and Configuration:
- systeminfo: Provides detailed information about the system, including OS version, patches, and system uptime.
- netstat -ano: Lists all ports that are currently open and the corresponding process IDs. Useful for identifying unexpected network connections.
- ipconfig /all: Displays all network configuration details, including IP addresses, DNS servers, and MAC addresses.
- tasklist: Shows all currently running processes, which is vital for identifying suspicious activity.
- sc query: Lists the status of all services. This can help identify unauthorized or rogue services.
- driverquery: Lists all installed drivers, useful for finding hidden or malicious drivers.
User Account and Login Information:
- net users: Lists all user accounts on the system.
- quser: Displays information about logged on users.
- net user [username]: Provides detailed information about a specific user account.
- wevtutil qe Security /f:text /rd:true /c:10: Queries the Security event log for the last 10 entries, which can include logon events.
File and Directory Analysis:
- dir /a /s /b: Lists all files and directories, including hidden ones. Useful for a quick directory traversal.
- fc /b [file1] [file2]: Compares two files byte-by-byte, which can be useful for checking file integrity.
- findstr /s /i [string] *.*: Searches for a string in all files, helpful for finding specific content.
Network Configuration and Analysis:
- route print: Displays the current routing table, which can reveal unexpected routes.
- arp -a: Shows the ARP table, useful for identifying local network devices.
- nslookup: A tool for querying DNS to resolve hostnames to IP addresses and vice versa.
Forensic Tools:
- powershell "Get-WinEvent -ListLog *": Lists all event logs, useful for identifying available logs for deeper analysis.
- wmic process list full: Provides comprehensive information about running processes, including their execution path, which can reveal malicious processes.
- vssadmin list shadows: Lists Volume Shadow Copies, which can contain backups of critical files or evidence of tampering.
Miscellaneous:
- sfc /scannow: Scans and verifies the integrity of all protected system files.
- chkdsk: Checks the file system and file system metadata for logical and physical errors.
- gpresult /H gpresult.html: Generates a report of group policy settings, which can help identify unauthorized changes.

PreviousWindows Quick Tips NextWorkstation File/Folder Locations

Last updated 1 year ago

Was this helpful?