This document provides a cheat sheet for common Windows command line commands and tools such as reg, wmic, tasklist, netstat, and netsh. It summarizes how to use these tools to view and manage processes, services, the registry, network configuration and connections. Specific examples are given for tasks like adding registry keys, querying process and service information, searching for files, and installing packages on Windows Vista.

1. Reg Command WMIC Windows
Command Line
Adding Keys and Values: Fundamental grammar:
C:> reg add C:> wmic [alias] [where clause] [verb Cheat Sheet
[TargetIPaddr][RegDomain][Key] clause] By Ed Skoudis
POCKET REFERENCE GUIDE
Add a key to the registry on machine Useful [aliases]:
[TargetIPaddr] within the registry domain process service http://www.sans.org
[RegDomain] to location [Key]. If no remote share nicconfig
machine is specified, the current machine is startup useraccount Purpose
assumed. qfe (Quick Fix Engineering – shows patches) The purpose of this cheat sheet is to provide
tips on how to use various Windows
Export and Import: Example [where clauses]: command that are frequently referenced in
C:> reg export [RegDomain][Key] where name="nc.exe" SANS 504, 517, 531, and 560.
[FileName] where (commandline like "%stuff")
where (name="cmd.exe" and Process and Service Information
Export all subkeys and values located in the domain parentprocessid!="[pid]")
[RegDomain] under the location [Key] to the file List all processes currently running:
[FileName] Example [verb clauses]: C:> tasklist
list [full|brief]
C:> reg import [FileName] get [attrib1,attrib2…] List all processes currently running and the DLLs
call [method] each has loaded:
Import all registry entries from the file [FileName] delete C:> tasklist /m
Import and export can only be done from or to the List all attributes of [alias]: Lists all processes currently running which have the
local machine. C:> wmic [alias] get /? specified [dll] loaded:
C:> tasklist /m [dll]
Query for a specific Value of a Key: List all callable methods of [alias]:
C:> reg query C:> wmic [alias] call /? List all processes currently running and the services
[TargetIPaddr][RegDomain][Key] /v hosted in those processes:
[ValueName] Example: C:> tasklist /svc
List all attributes of all running processes:
Query a key on machine [TargetIPaddr] within C:> wmic process list full Query brief status of all services:
the registry domain [RegDomain] in location C:> sc query
[Key] and get the specific value [ValueName] Make WMIC effect remote [TargetIPaddr]:
under that key. Add /s to recurse all values. C:> wmic /node:[TargetIPaddr] Query the configuration of a specific service:
/user:[User] /password:[Passwd] process C:> sc qc [ServiceName]
list full

2. Shutdown and Restart File Search and Counting Lines Invoking Useful GUIs at the Command Line
Search directory structure for a file in a specific Local User Manager (includes group management):
Shutdown Windows immediately: C:> lusrmgr.msc
C:> shutdown /s /t 0 directory:
C:> dir /b /s [Directory][FileName]
Services Control Panel:
Note: Command may not power down the hardware. C:> services.msc
Count the number of lines on StandardOuy of
Restart Windows immediately: [Command]:
C:> [Command] | find /c /v "" Task Manager:
C:> shutdown /r /t 0 C:> taskmgr.exe
Abort shutdown/restart countdown: Finds the count (/c) of lines that do not contain (/v)
Security Policy Manager:
C:> shutdown /a nothing (""). Lines that do not have nothing are all C:> secpol.msc
lines, even blank lines, which contain CR/LF
Useful Netstat Syntax Event Viewer:
C:> eventvwr.msc
Show all TCP and UDP port usage and process ID: Command Line FOR Loops
C:> netstat –nao
Counting Loop: Control Panel:
C:> for /L %i in C:> control
Look for usage of port [port] every [N] seconds:
C:> netstat –nao [N] | find [port] ([start],[step],[stop]) do [command]
Close GUI windows by hitting Alt-F4
Dump detailed protocol statistics: Set %i to an initial value of [start] and increment Interacting with the Network Using Netsh
C:> netstat –s –p [tcp|udp|ip|icmp] it by [step] at every iteration until its value is equal
to [stop]. For each iteration, run [command]. The Turn off built-in Windows firewall:
Installing Built-in Packages on Vista iterator variable %i can be used anywhere in the C:> netsh firewall set opmode disable
command to represent its current value.
Install telnet service on Vista: Configure interface “Local Area Connection” with
C:> pkgmgr /iu:"TelnetServer" [IPaddr] [Netmask] [DefaultGW]:
Iterate over file contents:
C:> for /F %i in ([file-set]) do C:> netsh interface ip set address
Install telnet client on Vista: [command] local static [IPaddr] [Netmask]
C:> pkgmgr /iu:"TelnetClient" [DefaultGW] 1
Iterate through the contents of the file on a line-by-
Install IIS on Vista: Configure DNS server for “Local Area Connection”:
line basis. For each iteration, store the contents of
C:> pkgmgr /iu:IIS-WebServerRole;WAS- C:> netsh interface ip set dns local
the line into %i and run [command].
WindowsActivationService;WAS- static [IPaddr]
ProcessModel; WAS-NetFxEnvironment;WAS-
ConfigurationAPI Configure interface to use DHCP:
C:> netsh interface ip set address
To remove any of these packages, replace install
local dhcp
update (/iu) with uninstall update (/uu)