75+ Vital Windows Commands


75+ Vital Windows Commands Every Cybersecurity Analyst Should Master

Open the Command Prompt by pressing Win + R, typing "cmd", and pressing Enter.

| No | Command | Explanation | Sample Usage |
|----|---------|-------------|--------------|
| 1 | ipconfig | Displays IP configuration information | `ipconfig /all` |
| | | | `ipconfig /?` |
| 2 | systeminfo | Displays system information | `systeminfo` |
| 3 | netstat | Displays network statistics | `netstat -ano` |
| 4 | whoami | Displays current user | `whoami` |
| 5 | getmac | Displays MAC address. The `/v` switch adds verbose output, providing more detailed information | `getmac /v` |
| 6 | hostname | Displays computer name | `hostname` |
| 7 | ver | Displays Windows version | `ver` |
| 8 | winver | Displays Windows version and build | `winver` |
| 9 | ping | Tests network connectivity. Replace `[number]` after `-n` with the number of pings you want to send | `ping google.com` |
| | | | `ping -n [number] google.com` |
| 10 | tracert | Traces route to a destination | `tracert microsoft.com` |
| 11 | nslookup | Queries DNS servers | `nslookup google.com` |
| 12 | tasklist | Lists running processes | `tasklist` |
| 13 | taskkill | Terminates processes. `/IM` stands for "Image Name". The `/F` flag forces termination of the process | `taskkill /IM notepad.exe /F` |
| | | | `taskkill /PID process_id /F` |
| | | | `taskkill /IM chrome* /F` |
| | | | `taskkill /PID PID1 /PID PID2 /F` |
| 14 | sfc | Scans and repairs system files | `sfc /scannow` |

in/harunseker/ 1
| No | Command | Explanation | Sample Usage |
|----|---------|-------------|--------------|
| 15 | chkdsk | Checks disk for errors | `chkdsk C: /f` |
| 16 | diskpart | Manages disks and partitions | `diskpart` then `list disk` |
| 17 | format | Formats a disk | `format C: /fs:ntfs` |
| 18 | xcopy | Copies files and directories | `xcopy C:\source D:\dest /E` |
| 19 | robocopy | Advanced file copy utility | `robocopy C:\source D:\dest /E` |
| 20 | dir | Lists files and directories | `dir C:\` |
| 21 | cd | Changes directory | `cd C:\Users` |
| 22 | md | Creates a new directory | `md NewFolder` |
| 23 | rd | Removes a directory | `rd OldFolder` |
| 24 | del | Deletes files | `del C:\file.txt` |
| 25 | copy | Copies files | `copy C:\file.txt D:\` |
| 26 | move | Moves files | `move C:\file.txt D:\` |
| 27 | ren | Renames files or directories | `ren oldname.txt newname.txt` |
| 28 | type | Displays contents of a text file | `type C:\file.txt` |
| 29 | find | Searches for a text string in files | `find "error" C:\log.txt` |
| 30 | findstr | Searches for strings in files | `ipconfig /all \| findstr DNS` |
| 31 | sort | Sort the contents of a file named "names.txt" alphabetically. | `sort < names.txt` |
| 32 | comp | Compares contents of two files | `comp file1.txt file2.txt` |
| 33 | fc | Compares files and displays differences | `fc file1.txt file2.txt` |
| 34 | tree | Displays directory structure graphically | `tree C:\` |
| 35 | attrib | Changes file attributes | `attrib +r C:\file.txt` |
| 36 | cipher | Displays or alters file encryption | `cipher /e C:\SecretFolder` |
| 37 | compact | Displays or alters file compression | `compact /c C:\folder` |
| 38 | powercfg | Manages power settings | `powercfg /energy` |
| 39 | shutdown | Shuts down or restarts computer | `shutdown /r /t 0` |
| 40 | gpupdate | Updates Group Policy settings | `gpupdate /force` |
| 41 | gpresult | Displays Group Policy results | `gpresult /r` |
| 42 | net user | Manages user accounts | `net user JohnDoe newpassword` |
| 43 | net localgroup | Manages local groups | `net localgroup Administrators` |
| 44 | net start | Starts a network service | `net start "Print Spooler"` |
| 45 | net stop | Stops a network service | `net stop "Print Spooler"` |
| 46 | netsh | Network configuration tool | `netsh wlan show profiles` |
| 47 | sc | Manages Windows services | `sc query` |
| 48 | reg | Manages registry | `reg query HKLM\Software` |
| 49 | runas | Runs a program as a different user | `runas /user:Admin cmd` |
| 50 | schtasks | Schedules commands and programs | `schtasks /create /tn "MyTask" /tr notepad.exe /sc daily` |
| 51 | wmic | Windows Management Instrumentation Command-line. It is a powerful Windows utility that can be used for both legitimate system administration tasks and potentially abused by attackers. | `wmic os get name,version,buildnumber` (This retrieves basic OS information.) |
| | | | Software inventory: `wmic product get name,version` (This lists installed software.) |
| | | | Remote code execution: `wmic /node:"victim_ip" process call create "powershell.exe -enc base64_encoded_payload"` (This executes a malicious PowerShell script on a remote system.) |
| | | | Malware persistence: `wmic startup create name="malware",command="C:\malware.exe"` (This adds malware to the startup folder.) |
| | | | Evasion technique: `wmic process where name="antivirus.exe" delete` (Attackers may try to terminate security software.) |
| 52 | assoc | Displays or modifies file extension associations | `assoc .txt` |
| 53 | ftype | Displays or modifies file types | `ftype txtfile` |
| 54 | driverquery | Displays installed device drivers | `driverquery` |
| 55 | msinfo32 | Displays system information | `msinfo32` |
| 56 | mmc | Opens Microsoft Management Console | `mmc` |
| 57 | eventvwr | Opens Event Viewer | `eventvwr` |
| 58 | services.msc | Opens Services management console | `services.msc` |
| 59 | devmgmt.msc | Opens Device Manager | `devmgmt.msc` |
| 60 | diskmgmt.msc | Opens Disk Management | `diskmgmt.msc` |
| 61 | taskmgr | Opens Task Manager | `taskmgr` |
| 62 | perfmon | Opens Performance Monitor | `perfmon` |
| 63 | resmon | Opens Resource Monitor | `resmon` |
| 64 | msconfig | Opens System Configuration | `msconfig` |
| 65 | control | Opens Control Panel | `control` |
| 66 | mstsc | Opens Remote Desktop Connection | `mstsc` |
| 67 | cleanmgr | Opens Disk Cleanup | `cleanmgr` |
| 68 | defrag C: | Defragments a drive | `defrag C:` |
| 69 | fsutil fsinfo drives | File system utility | `fsutil fsinfo drives` |
| 70 | path | Displays or sets PATH environment variable | `path` |
| 71 | set | Displays, sets, or removes environment variables | `set` |
| 72 | echo | Displays messages or turns command echoing on/off | `echo Hello World` |
| 73 | cls | Clears the screen | `cls` |
| 74 | query | Displays information about processes that are running on a Remote Desktop Session Host (RD Session Host) server. | `query process *` (To show all processes) |
| 75 | winget | Winget is Microsoft's official package manager for Windows 10 and Windows 11. It allows users to easily discover, install, upgrade, remove and configure applications from the command line. | List installed applications: `winget list` |
| | | | Search for an application: `winget search <app name>` |
| | | | Install an application: `winget install <app id>` |
| | | | Upgrade an application: `winget upgrade <app id>` |
| 76 | pathping | Pathping is a command-line utility that combines functionality of the ping and tracert commands. It traces the route between a source and destination while providing detailed information about network latency and packet loss at each hop along the path | `pathping -q 10 -n -p 100 example.com` (This sets 10 queries per hop, disables hostname resolution, and sets 100ms between pings) |

Resources:
Windows Commands Most Used by Attackers:
https://www.cybrary.it/blog/windows-commands-used-attackers

Top Windows Command Line Cheat Sheet (2024):
https://www.stationx.net/windows-command-line-cheat-sheet/
