Copia sezione

systeminfo
Displays detailed OS configuration, hardware, patches (hotfixes).

systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" (Quick OS details)
systeminfo /s  (Query remote system - requires permissions)

whoami
Displays current user context.
whoami (Current user)
whoami /groups (Group memberships)
whoami /priv (User privileges - essential for capability assessment) (Admin Required often needed to see all)
whoami /fqdn (Fully qualified domain name)
whoami /all (Combines user, groups, privileges)

ver / winver
Displays Windows version.
hostname (Displays the computer's hostname.)
ver (Command-line version)
winver (GUI window with build number)

getmac
Displays MAC address(es).
getmac /v (Verbose, shows adapter name)

bcdedit (Manages Boot Configuration Data. (Admin Required))
bcdedit /enum all (Check for unusual boot entries)

driverquery (Displays installed device drivers.)
driverquery /v (Verbose, includes signature info)
driverquery /si (Signed drivers)

msinfo32 (Opens System Information GUI)
msinfo32 /report C:\temp\sysinfo.txt (Saves report to file)

path (Displays or sets the command search path.)

wmic (Deprecated in favor of PowerShell Get-CimInstance, but still encountered)
wmic os get Caption,Version,BuildNumber,OSArchitecture
wmic product get name,version (Installed software - can be slow)
wmic qfe list brief (Installed patches)
wmic process list brief (Running processes)
wmic logicaldisk get caption,description,filesystem,size,freespace
wmic useraccount list brief
wmic netlogin get name,lastlogon (Requires permissions)

Attacker Usage Examples (Detection & Understanding):
wmic /node:"" process call create "cmd.exe /c " (Remote exec)
wmic startup create Name="evil", Command="C:\path\payload.exe" (Persistence)
wmic process where name="calc.exe" delete (Terminate process)

powercfg
powercfg /a (Shows available sleep states)
powercfg /energy (Generates energy efficiency report)
powercfg /lastwake (Shows what woke the system)

fsutil (File system utility)
fsutil fsinfo drives (List drives)
fsutil fsinfo volumeinfo C: (Detailed volume info)
fsutil dirty query C: (Check if volume is marked 'dirty') (Admin Required)
fsutil usn readjournal C: (Read USN change journal - advanced forensics) (Admin Required)

set (Environment variables)
set (Show all variables)
set PROCESSOR_ARCHITECTURE (Show specific variable)

msconfig (Opens System Configuration utility)

Copia sezione

ipconfig
ipconfig (Basic IP/Subnet/Gateway)
ipconfig /all (Detailed info including MAC, DNS, DHCP)
ipconfig /displaydns (Show DNS resolver cache contents)
ipconfig /flushdns (Clear DNS resolver cache) (Admin Required)
ipconfig /registerdns (Register DNS name and IP) (Admin Required)
ipconfig /release & ipconfig /renew (DHCP operations)

ping
ping 8.8.8.8
ping -n 20 
ping -t 

netstat
netstat -ano (Show TCP/UDP, listening ports, PIDs)
netstat -anob (Includes executable name) (Admin Required)
netstat -p tcp -ano (Filter by protocol)
netstat -r (Routing table)
netstat -e (Ethernet statistics)
netstat -s (Per-protocol statistics)

tracert
tracert 8.8.8.8
tracert -d  (No DNS — faster)

pathping
pathping 8.8.8.8
pathping -n -q 15 google.com (No hostname resolution, 15 queries per hop)

nslookup
nslookup google.com (A record)
nslookup -type=mx google.com (MX records)
nslookup google.com 8.8.8.8 (Specific DNS server)
nslookup (Interactive mode)

arp
arp -a (Show ARP cache)
arp -d * (Delete ARP cache) (Admin Required)

netsh (Admin Required for most writes)
netsh interface ip show config (Alt to ipconfig)
netsh advfirewall firewall show rule name=all (All firewall rules)
netsh advfirewall set currentprofile state off (Disable firewall — caution!)
netsh wlan show profiles (Saved Wi-Fi profiles)
netsh wlan show profile name="ProfileName" key=clear (Show saved Wi‑Fi password) (Admin Required)
netsh interface show interface (List interfaces)

route
route print
route print -4 (IPv4 only)
route add  MASK   METRIC  IF  (Admin Required)
route delete  (Admin Required)

Copia sezione

tasklist
tasklist (Basic list)
tasklist /svc (Services hosted in each process) (Admin often)
tasklist /m  (Processes using a DLL)
tasklist /v (Verbose, user context, window title)
tasklist /fi "IMAGENAME eq chrome.exe" (Filter)
tasklist /s  (Remote query - permissions)

query process / query user / query session
query process * (All users)
query user (Logged-on users)
query session (Session info) / qwinsta (alias)

taskkill (Admin often needed, esp. /F)
taskkill /IM notepad.exe
taskkill /PID 
taskkill /IM  /F
taskkill /PID  /PID  /F
taskkill /T /IM  /F (Kill tree)

schtasks (Task Scheduler)
schtasks /query /fo LIST /v (All tasks verbose)
schtasks /query /tn "MyTask" (Specific task)
schtasks /create /tn "MyTask" /tr "C:\path\script.bat" /sc ONLOGON
schtasks /delete /tn "TaskName" /f
schtasks /run /tn "TaskName"
schtasks /end /tn "TaskName"

sc (Service Control) (Admin for most)
sc query (Running services)
sc query state= all (All services)
sc qc  (Configuration: binpath, deps, start type)
sc queryex  (PID, flags)
sc getdisplayname 
sc getkeyname "Display Name"
sc start 
sc stop 
sc config  start= disabled
sc delete  (Danger — removes service)

net start / net stop
net start (List running services)
net start "Print Spooler"
net stop "Print Spooler" (Admin Required)

taskmgr (Opens Task Manager GUI)

Copia sezione

dir
dir C:\Windows
dir /a (Hidden/system)
dir /s (Recursive)
dir /b (Bare)
dir /o:d (Sort by date)
dir /tc (Show creation time)

cd / chdir
cd C:\Users
cd .. (Up one)

md / mkdir
md C:\Temp\NewFolder

rd / rmdir
rd C:\Temp\OldFolder (Only if empty)
rd /s /q C:\Temp\OldFolder (Remove dir + contents — caution)

copy / move / ren
copy C:\file.txt D:\backup\
move C:\file.txt D:\
move C:\OldFolderName C:\NewFolderName
ren oldname.txt newname.txt

del / erase (Destructive!)
del C:\Temp\file.txt
del /f /q C:\Temp\*.tmp (Force + quiet)

xcopy (legacy) / robocopy (preferred)
xcopy C:\source D:\dest /E /H /I /Y
robocopy C:\source D:\dest /E /COPYALL /R:3 /W:10
robocopy C:\source D:\dest /MIR (Mirror — deletes extras!)

type / find / findstr / sort / comp / fc / tree
type C:\Windows\System32\drivers\etc\hosts
find "error" C:\logs\app.log
findstr /i /s /c:"password" C:\Users\*.txt
ipconfig /all | findstr /i "DNS Servers"
type names.txt | sort
sort < names.txt > sorted_names.txt
comp file1.bin file2.bin
fc file1.txt file2.txt
tree C:\Windows /F

attrib
attrib C:\Windows\System32\ntdll.dll (Show attributes)
attrib +h C:\secret.txt (Hide — often Admin)
attrib -r C:\config.ini (Remove read-only)

cipher (EFS)
cipher /c  (Encryption status)
cipher /e C:\SecretFolder (Encrypt folder)
cipher /w:C: (Wipe free space — long) (Admin)

compact (NTFS compression)
compact /c /s:C:\Logs (Compress dir)
compact /u /s:C:\Logs (Uncompress)

diskpart (Admin) — destructive if misused!
list disk | select disk  | list partition | list volume | detail disk
clean (WIPES disk) | create partition primary | format fs=ntfs quick | assign letter=E

format (Destructive)
format D: /fs:ntfs /q

chkdsk
chkdsk C:
chkdsk C: /f (Fix errors — may reboot)
chkdsk C: /r (Scan bad sectors — includes /f)

takeown (Admin)
takeown /f 
takeown /f  /r /d y

icacls (Admin)
icacls  (Show perms)
icacls  /grant Administrators:F
icacls  /inheritance:d
icacls  /reset /t

openfiles (Admin)
openfiles /local on (Enable tracking — reboot needed)
openfiles /query /v

Copia sezione

net user
net user (List local users)
net user  (Details)
net user   (Change password) (Admin)
net user  /active:no (Disable) (Admin)
net user  /add  (Add user) (Admin)
net user  /delete (Delete user) (Admin)

net localgroup (Admin)
net localgroup (List local groups)
net localgroup Administrators (List members)
net localgroup Administrators  /add
net localgroup Administrators  /delete
net localgroup NewGroup /add

gpupdate
gpupdate (Update policies)
gpupdate /force (Re-apply all) (Sometimes Admin)

gpresult
gpresult /r (Summary for current user/computer)
gpresult /Scope Computer /v (Verbose computer policy) (Admin)
gpresult /Scope User /v (Verbose user policy)
gpresult /h C:\temp\gp_report.html (HTML report) (Admin)

runas
runas /user:DOMAIN\Administrator cmd.exe
runas /user:LocalAdmin /savecred "notepad.exe C:\windows\system32\drivers\etc\hosts" (Use with caution)

assoc / ftype
assoc .txt (Show association)
ftype txtfile (Command used for 'txtfile' type)

control (Control Panel)
control | control printers | control userpasswords2

Copia sezione

wevtutil (Admin for Security/System)
wevtutil el (List logs)
wevtutil qe Security /c:10 /rd:true /f:text (10 newest Security events)
wevtutil qe System /q:"*[System[Level=2]]" /c:5 /f:text (5 newest System Errors)
wevtutil epl Security C:\Backup\SecurityLog.evtx (Export Security log)
wevtutil cl Security (CLEAR Security log — erases evidence!)

eventvwr
eventvwr (Open GUI)
eventvwr Security (Open specific log)

Copia sezione

sfc (System File Checker — Admin)
sfc /scannow (Scan + repair)
sfc /verifyonly (Scan only)

bitsadmin (BITS)
bitsadmin /list /allusers (List jobs)
bitsadmin /info  /verbose (Details)
bitsadmin /reset (Cancel all)

auditpol (Admin)
auditpol /get /category:* (Show audit policy)
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable (Enable detailed process auditing)

certutil
certutil -hashfile  SHA256 (Calculate hash)
certutil -hashfile  MD5
Attacker usage:
certutil -urlcache -split -f  
certutil -encode  
certutil -decode  

fltmc
fltmc instances (Active filter drivers)
fltmc filters (Installed filters)

Copia sezione

Start powershell.exe or pwsh.exe (Admin often needed)

Process:
Get-Process
Stop-Process -Id  -Force

Service:
Get-Service
Start-Service 
Stop-Service 
Get-Service  | Select-Object *

Network:
Get-NetIPConfiguration
Test-NetConnection  -Port 
Get-NetTCPConnection
Resolve-DnsName 

Event Log:
Get-WinEvent -LogName Security -MaxEvents 10
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 50

Files/Registry:
Get-ChildItem (ls, dir)
Get-Content (cat, type)
Get-FileHash  -Algorithm SHA256
Select-String -Path  -Pattern "error"
Get-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion

System Info:
Get-ComputerInfo
Get-HotFix

WMI/CIM (modern):
Get-CimInstance -ClassName Win32_OperatingSystem

Users/Groups:
Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember Administrators

Security:
Get-MpComputerStatus (Defender status)

Remote:
Invoke-Command -ComputerName  -ScriptBlock { Get-Process }

Copia sezione

cls (Clear screen)

echo
echo Investigation Started: %DATE% %TIME%

clip (Copy to clipboard)
ipconfig /all | clip

shutdown (Admin)
shutdown /r /t 0 (Restart now)
shutdown /s /t 0 (Shutdown now)
shutdown /a (Abort scheduled shutdown)

mmc (Microsoft Management Console)

Common MMC/GUI tools:
diskmgmt.msc (Disk Management)
services.msc (Services)
devmgmt.msc (Device Manager)
perfmon (Performance Monitor)
resmon (Resource Monitor)
cleanmgr (Disk Cleanup)
defrag (Defragment — SSDs less relevant)
mstsc (Remote Desktop)

winget (Package Manager)
winget list
winget install 
winget search 

Copia sezione

Download from Microsoft Sysinternals.

Autoruns / autorunsc:
View/manage startup locations (Registry, Services, Tasks…).
autorunsc.exe -a * -ct -h

Process Explorer (procexp.exe):
Advanced Task Manager (DLLs, handles, tree, signature verification).

Process Monitor (procmon.exe):
Real-time file/registry/process/network tracing — extremely powerful.

PsExec (psexec.exe):
Execute processes remotely. (Admin)

Sigcheck (sigcheck.exe):
Check signatures & hashes, VirusTotal integration.
sigcheck.exe -i -vt 

TCPView (tcpview.exe):
Real-time GUI of network endpoints (like netstat live).