Useful Windows Commands

Windows CMD/DOS/Batch commands

CMD commands

appwiz.cpl -- Control Panel plug-in for adding/removing programs

certmgr.msc -- certificate manager
mmc certmgr.msc [/a | /64 | /32]

devmgmt.msc -- device manager
mmc devmgmt.msc

eventvwr.msc -- Event viewer

gpedit.msc -- Group Policy Editor

intl.cpl -- configure system region and language settings. Changes to the settings require one to log off and then back on to take effect.

secpol.msc -- Security Policy

services.msc -- Services

taskmgr.exe [/s] -- Task Manager

wuapp.exe [/s] -- Windows Update App

winver.exe -- get Windows version information.

driverquery /v /fo csv > textfile.csv -- list installed drivers

mstsc.exe [.RDP filename][/admin][/f] -- run Remote Desktop using an RDP file name; /admin runs it in admin mode, and /f forces full screen mode on startup.

msiexec.exe -- Use the following command line options to update a program using msiexec.exe. This may be executed either from the command line or through SCCM.

msiexec.exe /fvo filename.msi

Test-NetConnection -- Test network connection to another computer

wevtutil [e|p|l] -- lets you list or query Windows event logs.
In Example 1 below, we list the contents with a create time greater than April 30, 2015, from the Windows System event log. We then export that information to a file called test.evtx. The .evtx file type may be read by the eventvwr.exe program.
In Example 2 below, we just list the available Windows event log types that we may query.

Ex. 1.
wevtutil epl System /q:"*[System[TimeCreated[@SystemTime>='2015-04-30T00:00:00']]]" c:\temp\test.evtx

Ex. 2.
wevtutil el

Available event logs.
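
An added example (not part of the original page) that extends Ex. 1 to several logs and then reads an exported file back. The output folder c:\temp\evtx and the choice of logs are assumptions; @SystemTime is compared in UTC, and exporting the Security log needs an elevated prompt.

```batch
@echo off
rem Added example, not from the original page.
rem Exports events newer than a cutoff from several logs, then reads one back.
setlocal

rem Cutoff in UTC: the @SystemTime attribute is stored as UTC, not local time.
set "SINCE=2015-04-30T00:00:00"
rem Assumed output folder.
set "OUT=c:\temp\evtx"
if not exist "%OUT%" mkdir "%OUT%"

rem epl = export-log. /ow:true overwrites a file left by an earlier run.
for %%L in (System Application Security) do (
    wevtutil epl %%L "%OUT%\%%L.evtx" /q:"*[System[TimeCreated[@SystemTime>='%SINCE%']]]" /ow:true
    if errorlevel 1 echo Export of %%L failed. The Security log needs an elevated prompt.
)

rem qe = query-events. /lf:true treats the path as a log file rather than a
rem log name, /rd:true lists newest first, /c:5 stops after five events.
rem The query keeps only Critical (Level 1) and Error (Level 2) events.
wevtutil qe "%OUT%\System.evtx" /lf:true /rd:true /c:5 /f:text /q:"*[System[(Level=1 or Level=2)]]"

endlocal
```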

Systeminfo / msinfo32 -- displays the system information and can write the same to a file.
In Example 1 below we run systeminfo with the file output (/fo) option, requesting list format. We redirect the output to a text file.
In Example 2, we use the msinfo32 command to write a text-based report to a file. This is very similar to the systeminfo command executed above.
In Example 3, we run the msinfo32 command, this time requesting the native .nfo format. The resulting .NFO file may be read by the msinfo32.exe command later.

Ex 1.
Systeminfo /fo list > systeminfo.txt

Ex 2.
Msinfo32 /report systeminfo.txt

Ex 3.
Msinfo32 /nfo systeminfo.nfo

Get registry information

How to add/modify/delete registry and sub-key information
To query the registry for a key and all its values we use the reg query command. The following are the valid command line switches for the reg command:

/v = get value
/s = get all sub-keys, recursively.
/k = get key names only
/d = search in data only
/z = include the numeric equivalent for the registry type

An example of querying the registry keys is given below. This is a query of the OfficeScan tree.

C:\Users\gleng>reg query HKLM\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc. /s | more

    TmListenInitDone    REG_DWORD    0x1
    VDIController01_Status    REG_DWORD    0x0
    ClientHelpZipTimeStamp    REG_SZ    20140408090032
    ECSP    REG_DWORD    0x1
    UADuplicationOptValue    REG_DWORD    0x40
    Uninstall_Pwd    REG_SZ    !CRYPT!5231A81DDC1B6EC5B996FFA60ED115E107ED5CE33ACCEBC0373BA1DBE3B2CFF2BB429A974B37B8BB7B
    Unload_Pwd    REG_SZ    !CRYPT!5231A81DDC1B6EC5B996FFA60ED115E107ED5CE33ACCEBC0373BA1DBE3B2CFF2BB429A974B37B8BB7B013
    ConfirmUninstall    REG_DWORD    0x0
    CheckServerByHTTP    REG_DWORD    0x0
    ExcludeDCFiles    REG_DWORD    0x1
    DirectCheck    REG_DWORD    0x0
    EngineMin    REG_SZ    9.800.1009
    ExcludeExchangeStore    REG_DWORD    0x1
    ExcludeExchangeStoreFiles    REG_SZ
    ExcludeExchangeStoreFolders    REG_SZ
    BkFileKeepDay    REG_DWORD    0x7
    NonSynProxySetting    REG_DWORD    0x0
    FqdnFirstOnOff    REG_DWORD    0x0
    EngineZipVer    REG_SZ    9.850.1008
    ProgramVer    REG_SZ    11.0
    ProductName    REG_SZ    Trend Micro OfficeScan
    BuildNum    REG_DWORD    0x17a6
    NoPwdProtect    REG_DWORD    0x0
    NoProgramUpgrade    REG_DWORD    0x0
    AllowMobile    REG_DWORD    0x0
    DiskReserved    REG_DWORD    0x64
    InstallCTA    REG_DWORD    0x0
    RemoveCTA    REG_DWORD    0x0
    AllowStopScheduleScan    REG_DWORD    0x0
    AllowDelayScheduleScan    REG_DWORD    0x1
    AllowUpdateNow    REG_DWORD    0x1
    AllowUpdateFromTMAU    REG_DWORD    0x1
    Allow Uninstall    REG_DWORD    0x0
    MailScanPageOnOff    REG_DWORD    0x1
    ToolPageOnOff    REG_DWORD    0x0
    Pop3TrapOnOff    REG_DWORD    0x1
    RunPop3Trap    REG_DWORD    0x1
    OutlookScanOnOff    REG_DWORD    0x1
    ProxySettingOnOff    REG_DWORD    0x1
    Updating    REG_DWORD    0x0
    DomainType    REG_DWORD    0x1
    ReferenceHosts    REG_SZ
    RefHostsChkTimeout    REG_DWORD    0x3
    PingServerScheduleInterval    REG_DWORD    0xe10
    PingServerCheckMode    REG_DWORD    0x1
    RefHostsEnable    REG_DWORD    0x1
    RefHostsChkMode    REG_DWORD    0x1
    CookieScanner    REG_DWORD    0x0
    LogCookie    REG_DWORD    0x0
    EnableAssessment    REG_DWORD    0x0
    AssessmentUntil    REG_DWORD    0x559a2770
    EnableAutoStopScheduleScan    REG_DWORD    0x1
    ScheduleScanLimitMinutes    REG_DWORD    0xb4
    wslimit_l    REG_DWORD    0x989680
    wslimit_r    REG_DWORD    0x989680
    wslimit_m    REG_DWORD    0x4c4b40
    wsperiod_l    REG_DWORD    0x7530
    wsperiod_r    REG_DWORD    0x7530
    wsperiod_m    REG_DWORD    0x7530
    Update_Agent_Direct_Update    REG_DWORD    0x1
    EnableEventLog    REG_DWORD    0x0
    EventLogForPatternUpdate    REG_DWORD    0x0
    HeartbeatFrequency    REG_DWORD    0x0
    PollingFrequency    REG_DWORD    0x3c
    UnreachableNetworkScopeCount    REG_DWORD    0x0
    ShowMailScan    REG_DWORD    0x1
    AllowConfigNotification    REG_DWORD    0x0
    EnableScheduleScanWarning    REG_DWORD    0x0
    EnableVirEmailWarning    REG_DWORD    0x1
    AllowPromptRebootForCleanup    REG_DWORD    0x1
    GlobalHeartbeat    REG_DWORD    0x0
    LaunchBelowUsage    REG_DWORD    0x14
    LaunchMustContinueBelow    REG_DWORD    0xf
    LaunchCheckUsageFrequency    REG_DWORD    0x2
    LaunchCheckTimeout    REG_DWORD    0xb4
    DelayCheckFile    REG_DWORD    0x1
    DelayLoadAEGIS    REG_DWORD    0x1
    DelayLoadFirewall    REG_DWORD    0x1
    DelayLoadDlp    REG_DWORD    0x1
-- More  --
We may also export and import information from/to the registry. We use the export and import command line options with the reg command. We may export data registry trees to a text file and, by the same token, import that information into the registry structure as well.
reg export HKLM\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp outputfile.reg
reg import outputfile.reg
To delete a registry key with a .reg file, put a hyphen (-) in front of the RegistryPath in the .reg file. For example, to delete the Test subkey from the following registry key: HKEY_LOCAL_MACHINE\Software put a hyphen in front of the following registry key in the .reg file: HKEY_LOCAL_MACHINE\Software\Test. The following example has a .reg file that can perform this task.
To delete a registry value with a .reg file, put a hyphen (-) after the equals sign following the DataItemName in the .reg file. For example, to delete the TestValue registry value from the following registry key: HKEY_LOCAL_MACHINE\Software\Test put a hyphen after the "TestValue"= in the .reg file. The following example has a .reg file that can perform this task.

To create the .reg file, use Regedit.exe to export the registry key that you want to delete, and then use Notepad to edit the .reg file and inser
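
An added example (not part of the original page) of the value-deletion syntax described above, with a backup taken first using reg export. It uses the Test key and TestValue value named in the text; the file names under %TEMP% are assumptions, and writing to HKLM needs an elevated prompt.

```batch
@echo off
rem Added example, not from the original page.
rem Deletes the TestValue value from HKLM\Software\Test using a .reg file.
setlocal
set "KEY=HKLM\Software\Test"
rem Assumed file names.
set "BACKUP=%TEMP%\test-backup.reg"
set "REGFILE=%TEMP%\delete-testvalue.reg"

rem 1. Back up the key so the change can be undone with: reg import "%BACKUP%"
reg export "%KEY%" "%BACKUP%" /y
if errorlevel 1 (
    echo Key not found or not readable, nothing changed.
    exit /b 1
)

rem 2. Write the .reg file. The hyphen after the equals sign marks the
rem    value for deletion; the key itself is left in place.
> "%REGFILE%" (
    echo Windows Registry Editor Version 5.00
    echo.
    echo [HKEY_LOCAL_MACHINE\Software\Test]
    echo "TestValue"=-
)
rem    To delete the whole key instead, the file would contain only the header
rem    line and [-HKEY_LOCAL_MACHINE\Software\Test], with the hyphen in front.

rem 3. Apply the file, then confirm the value is gone.
reg import "%REGFILE%"
reg query "%KEY%" /v TestValue >nul 2>&1
if errorlevel 1 (
    echo TestValue removed.
) else (
    echo TestValue is still present.
)
endlocal
```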

Create Recovery

To create a Windows 7 restore point on your local hard disk drive, follow the instructions outlined here.
To create a Windows 7 repair disk on a DVD, follow the instructions outlined here.

Terminal Server Keys

From the Microsoft™ Knowledge Base article 186624... Task-switching hotkeys operate on the local computer level and are not passed through to the Terminal Server. However, some alternative hotkeys have been provided in the RDP Client:

CTRL+ALT+END starts the Windows NT Security dialog box. Similar to Windows NT/2000 CTRL+ALT+DEL.
ALT+PAGE UP switches between programs from left to right. Similar to Windows ALT+TAB.
ALT+PAGE DOWN switches between programs from right to left. Similar to Windows SHIFT+ALT+TAB.
ALT+INSERT cycles through the programs in most recently used order. Similar to Windows ALT+ESC.
ALT+HOME displays the Start menu. Similar to Windows CTRL+ESC.
CTRL+ALT+BREAK switches the Client between a window and a full screen.
ALT+DELETE Displays the Windows menu.
CTRL+ALT+MINUS (Minus as in the - symbol on the numeric keypad) Places a snapshot of the active window, within the client, on the Terminal server clipboard (provides the same functionality as pressing ALT+PrintScrn on a local computer.)
CTRL+ALT+PLUS (Plus as in the + symbol on the numeric keypad) Places a snapshot of the entire client window area on the Terminal server clipboard (provides the same functionality as pressing PrintScrn on a local computer.)

Note that the keyboard shortcuts listed above may not be supported on embedded devices.

Retrieve the registered system serial number. See Microsoft KB 558124 for more information.
C:\Users\geen>wmic bios get serialnumber

Firefox NTLM authentication trusted URIs

In the Firefox address bar type about:config. Then click the button in the middle of the screen promising to be careful. In the search box type in ntlm. Look for network.automatic-ntlm-auth.trusted-uris. Double-click on that line and you are presented with a dialogue box. In the text field of the dialogue box enter the list of URIs that you wish to trust. Separate each one with a comma.

Microsoft Configuration

Run the msconfig.exe command to review the configuration of the operating system. Look at the Startup tab to see the Terminate and Stay Resident (TSR) programs. Also review the Boot and Services tabs to make sure that you do not have extra services running that you do not need. Extra services can slow your system down considerably.


The netsh command is used to configure certain aspects of the Windows server. Among those is setting a proxy server. In the example below you will see me display and set the windows proxy server.

C:\> netsh winhttp show proxy

Current WinHTTP proxy settings:

    Proxy Server(s) :
    Bypass List     :  (none)

C:\> netsh winhttp set proxy proxy-server=""

Performance Monitor

Performance monitor counters to monitor to check the general health of a system.
  1. SQL Server Best Practices Analyzer. This is a server management tool that helps administrators reduce best practice violations by scanning one or more roles that are installed on Windows Server 2008 R2. To know more about the BPA tool, refer to the Microsoft article:
  2. Counters to monitor
    1. CPU: %Processor Time, %Privileged Time
    2. sqlserver.exe process: %Processor Time, %Privileged Time
  3. Memory: Available Mbytes
  4. SQL server: Buffer Manager
    1. Lazy writes/sec
    2. page life expectancy
    3. page reads/sec
    4. page writes/sec
  5. SQL Server Memory Manager
    1. Total Server Memory (KB)
    2. Target Server Memory (KB)
  6. Disk: Avg. Disk sec/read, Avg. Disk Bytes/Read, Avg. Disk sec/Write, Avg. Bytes/Write. Microsoft recommends for i/o latencies: <8ms = excellent, <12ms = good, <20ms = fair, >20ms = poor performance.
  7. Network
    1. Network Adapter: Bytes Received/sec, Bytes Sent/sec, Bytes Total/sec

List Processes

From a Windows command shell execute tasklist. If you are looking for a specific process in the list and you know the exact name, then use the /fi (find) switch.

Other ways of listing processes and services.

  • Execute services.msc to use the GUI interface to review the list of running services.
  • Execute net start from a CMD shell to display a simple list of running services.
  • Execute sc query type= service from a CMD shell to get a detailed list of running services. Add the 'state= all' to include services not in a running state.

      C:\>tasklist /fi "imagename eq chrome.exe"
      Image Name                     PID Session Name        Session#    Mem Usage
      ========================= ======== ================ =========== ============
      chrome.exe                    7156 Console                    1    113,040 K
      chrome.exe                    5800 Console                    1    108,992 K
      chrome.exe                    6936 Console                    1     28,956 K
      chrome.exe                    8048 Console                    1     34,732 K
      chrome.exe                    5768 Console                    1     80,632 K
      chrome.exe                    8484 Console                    1     71,152 K
      chrome.exe                    5240 Console                    1     38,008 K

      For the PowerShell you can simply add the name of the process that you are looking for. The optional "-Name" flag may be used. Note that the string is not case sensitive.

Net User

There are a couple of commands to list the accounts on a computer.
net user
This first command displays a simple list of accounts on the computer.
net localgroup
This second one may be a bit more useful. This command without any parameters displays a list of groups on the computer. By providing a local group name such as Administrators the command displays a list of accounts that are members of the group.


Wireshark is a very useful packet analysis tool that has become the industry standard. The software is available for free and is on my list of recommended software. Part of the software includes the tshark.exe command. This is a text version of Wireshark and is my preferred method for performing packet captures, as it is not encumbered by the graphical interface.

To query the list of network interfaces on your computer use the -D command line option. This returns a list of available network interfaces both physical and logical interfaces.

C:\Program Files\Wireshark>tshark -D
1. \Device\NPF_{A0F24A18-4C32-4A9E-887D-B67E2DFFD3AA} (VMware Network Adapter VMnet8) 
2. \Device\NPF_{5BFDAE3B-91A0-4187-B0A4-2C1042CBA68B} (VMware Network Adapter VMnet1)
3. \Device\NPF_{BB5EFBEB-CA22-4E9A-8A92-3DF15D344CC2} (Local Area Connection)
4. \Device\NPF_{6C25E520-B632-4254-80DB-882E0081DB50} (Wireless Network Connection)
5. \Device\NPF_{DEE651A1-41F5-4D13-B19A-E4BDA74F465A} (Local Area Connection* 214)
6. \Device\NPF_{1905F85A-8799-4FFC-8AC4-9558EDC34796} (Wireless Network Connection 2)
In a Windows environment as I show here, look for the interface described as (Local Area Connection). This is your physical copper wire connection and likely the one you want to use for your packet capture. Copy the device Hex string into your buffer as the interface name, such as \Device\NPF_{BB5EFBEB-CA22-4E9A-8A92-3DF15D344CC2}, in our example.


Next we perform a simple capture using the information that we now know. The -i command line option is for the interface name. This is the hex-encoded device name specified above. The -n tells tshark not to perform DNS lookups. This is to increase the speed of the lookups and reduce the number of packets missed. Finally, the -w option tells tshark where to write its output. In the second example we see the use of our first capture filter, host and the IP address. In this example the host filter will match both source and destination IP addresses.

C:\Program Files\Wireshark>tshark -i \Device\NPF_{BB5EFBEB-CA22-4E9A-8A92-3DF15D344CC2} -n -w test.pcap
C:\Program Files\Wireshark>tshark -i \Device\NPF_{BB5EFBEB-CA22-4E9A-8A92-3DF15D344CC2} -n host
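
An added example (not part of the original page) of a bounded capture with a host capture filter, followed by reading the file back with a display filter. The interface is the one from the tshark -D listing above; the address 192.0.2.10 is a constructed sample from the documentation range, and the output path is an assumption.

```batch
@echo off
rem Added example, not from the original page.
setlocal
rem Interface from the tshark -D listing above (Local Area Connection).
set "IFACE=\Device\NPF_{BB5EFBEB-CA22-4E9A-8A92-3DF15D344CC2}"
rem Constructed sample address; replace with the host under investigation.
set "PEER=192.0.2.10"
rem Assumed output file.
set "OUT=c:\temp\capture.pcap"

cd /d "C:\Program Files\Wireshark" || exit /b 1

rem Capture phase. -f is the capture filter: packets that do not match
rem "host PEER" (as source or destination) are never written to disk.
rem -a duration:60 stops after 60 seconds, -a filesize:10240 stops at about
rem 10 MB, whichever comes first, so the capture cannot fill the disk.
tshark -i "%IFACE%" -n -f "host %PEER%" -a duration:60 -a filesize:10240 -w "%OUT%"
if errorlevel 1 (
    echo Capture failed. Check the interface name and run from an elevated prompt.
    exit /b 1
)

rem Read phase. -r reads the saved file; -Y is a display filter, applied
rem after capture, here keeping only TCP connection attempts (SYN without ACK).
tshark -r "%OUT%" -n -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e ip.src -e ip.dst -e tcp.dstport

rem Per-conversation totals for everything in the file; -q hides the packet list.
tshark -r "%OUT%" -n -q -z conv,ip

endlocal
```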