Windows CheatSheet

Users and Groups

Whoami – User, Group and Privileges information

Microsoft Documentation

Displays user, group and privileges information for the user who is currently logged on to the local system. If used without parameters, whoami displays the current domain and user name.

Syntax

whoami [/upn | /fqdn | /logonid]
whoami {[/user] [/groups] [/priv]} [/fo <Format>] [/nh]
whoami /all [/fo <Format>] [/nh]
Examples:

To display the domain and user name of the person who is currently logged on to this computer, type:

whoami

To display all of the information in the current access token, type:

whoami /all

Displays the user groups to which the current user belongs.

whoami /groups

Group Policy Object (GPO)

Microsoft Documentation

Module : GroupPolicy

The Get-GPO cmdlet gets one Group Policy Object (GPO) or all the GPOs in a domain. You can specify a GPO by its display name or by its globally unique identifier (GUID) to get a single GPO, or you can get all the GPOs in the domain through the All parameter.

Syntax

Get-GPO
   [-Name] <String>
   [[-Domain] <String>]
   [[-Server] <String>]
   [<CommonParameters>]

Get-GPO
   [-Guid] <Guid>
   [[-Domain] <String>]
   [[-Server] <String>]
   [<CommonParameters>]

Get-GPO
   [[-Domain] <String>]
   [[-Server] <String>]
   [-All]
   [<CommonParameters>]
Examples:

Get a single GPO from a domain

Get-GPO -Name "Group Policy Test"

Get all GPOs from a domain

Get-GPO -All -Domain "sales.contoso.com"

PowerShell Files And Directories

Files and Directory access control entry (ACE)

Cmd.exe – ICACLS

Microsoft Documentation

An access control entry (ACE) is an individual record or permission rule that controls the permission level of a user or group on a file object. The high-level basic permissions available in an ACL are:

  • F (Full Control): This permission grants full control over the file or directory. Users with this permission can read, write, execute, and modify permissions.

  • M (Modify): This permission grants the ability to read, write, and delete files, as well as change attributes.

  • RX (Read and Execute): This permission grants the ability to read and execute files.

  • R (Read): This permission grants the ability to read files.

  • W (Write): This permission grants the ability to write to files.

  • D (Delete): This permission grants the ability to delete the file or directory.

  • WDAC (Write DAC): This permission grants the ability to modify the discretionary access control list (DACL) of the file or directory.

  • WO (Write Owner): This permission grants the ability to change the owner of the file or directory.

  • S (Synchronize): This permission grants the ability to use the file or directory for synchronization.

  • GA (Generic All): This permission grants generic read, write, execute, and delete permissions.

  • CI (Container Inherit): This permission indicates that the ACE should be inherited by subfolders.

  • OI (Object Inherit): This permission indicates that the ACE should be inherited by files.

Syntax

icacls <filename> [/grant[:r] <sid>:<perm>[...]] [/deny <sid>:<perm>[...]] [/remove[:g|:d] <sid>[...]] [/t] [/c] [/l] [/q] [/setintegritylevel <Level>:<policy>[...]]

icacls <directory> [/substitute <sidold> <sidnew> [...]] [/restore <aclfile> [/c] [/l] [/q]]
Examples:

Show the permission levels set on the file filename.txt for each user and group

icacls filename.txt
Powershell – Get-Acl

Microsoft Documentation

Module: Microsoft.PowerShell.Security

The Get-Acl cmdlet gets objects that represent the security descriptor of a file or resource. The security descriptor contains the access control lists (ACLs) of the resource. The ACL specifies the permissions that users and user groups have to access the resource.

This cmdlet is only available on the Windows platform.

Syntax
Get-Acl
   [[-Path] <String[]>]
   [-Audit]
   [-Filter <String>]
   [-Include <String[]>]
   [-Exclude <String[]>]
   [<CommonParameters>]

Examples

This example gets the security descriptor of the C:\Windows directory.

Get-Acl C:\Windows

This example uses the Get-Acl cmdlet to get the security descriptor of the Control subkey HKLM:\SYSTEM\CurrentControlSet\Control of the registry.

Get-Acl -Path HKLM:\System\CurrentControlSet\Control | Format-List
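An added example, not part of the original cheat sheet, that uses Get-Acl to audit a directory tree for the kind of weak ACEs the icacls permission list above describes: Allow entries that give broad principals write, delete, change-permissions, take-ownership or generic write/all rights. The root path, the principal list and the function name are assumptions.

```powershell
# Added example: find Allow ACEs that grant write-capable rights to broad principals.
function Find-WeakAce {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Principals treated as "everyone-ish" (assumption; adjust for your environment)
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Specific rights that let a principal change content, permissions or ownership
    # (W, D, WDAC and WO in icacls terms)
    $writeMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership)
    # Generic rights appear as raw, unnamed bits on some ACEs: GenericAll 0x10000000, GenericWrite 0x40000000
    $genericMask = 0x10000000 -bor 0x40000000

    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        # -LiteralPath so names containing [ ] or * are not treated as wildcards
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # access denied or vanished: skip this item
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            $raw  = [int]$ace.FileSystemRights
            $weak = (($raw -band $writeMask) -ne 0) -or (($raw -band $genericMask) -ne 0)
            if (-not $weak) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (path is an assumption):
Find-WeakAce -Root 'C:\ProgramData\ExampleApp' | Format-Table -AutoSize
```

Inherited entries repeat on every child, so filter with Where-Object { -not $_.Inherited } to see only the objects where the weak ACE was actually set.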
Find in Files / Objects (As Grep)

Cmd.exe – Findstr command

Findstr is the native Windows command-line tool for searching strings in files from the command prompt; it is the Windows equivalent of grep.
Syntax and Usage:

findstr "specific strings" filename.txt

PowerShell – Select-String

Syntax and Usage:

Get-Content specific_file.txt | Select-String -Pattern "regular expression"
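An added example, not from the original page, showing what Select-String gives you beyond a plain findstr match: a named regex capture group is used to pull the source address out of failed-logon lines and count repeats per source. The log format, the function name and the threshold are assumptions; the sample lines are constructed.

```powershell
# Added example: Select-String with a named capture group over constructed log lines.
function Get-FailedLogonSource {
    param(
        [string[]]$Lines,
        [int]$Threshold = 3   # assumption: report sources with at least this many failures
    )
    # -AllMatches returns MatchInfo objects; .Matches holds every regex hit on the line
    $hits = $Lines | Select-String -Pattern 'LOGON FAILED .* from (?<ip>\d{1,3}(?:\.\d{1,3}){3})' -AllMatches
    $hits |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Groups['ip'].Value } |
        Group-Object |
        Where-Object { $_.Count -ge $Threshold } |
        Select-Object -Property @{ Name = 'SourceIP'; Expression = { $_.Name } }, Count
}

# Constructed sample lines (not real log output)
$sampleLog = @(
    '2024-05-01 10:00:01 LOGON FAILED user=alice from 10.0.0.5',
    '2024-05-01 10:00:02 LOGON FAILED user=bob from 10.0.0.5',
    '2024-05-01 10:00:03 LOGON OK user=carol from 10.0.0.9',
    '2024-05-01 10:00:04 LOGON FAILED user=admin from 10.0.0.5',
    '2024-05-01 10:00:05 LOGON FAILED user=dave from 192.168.1.20'
)
Get-FailedLogonSource -Lines $sampleLog   # reports 10.0.0.5 with Count 3
# Against files instead of an array: Get-Content .\auth.log | Select-String ... or Select-String -Path *.log ...
```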

Select-Object

Microsoft Documentation

Module : Microsoft.PowerShell.Utility

The Select-Object cmdlet selects specified properties of an object or set of objects. It can also select unique objects, a specified number of objects, or objects in a specified position in an array.

To select objects from a collection, use the First, Last, Unique, Skip, and Index parameters. To select object properties, use the Property parameter. When you select properties, Select-Object returns new objects that have only the specified properties.

Syntax

Select-Object
      [-InputObject <PSObject>]
      [[-Property] <Object[]>]
      [-ExcludeProperty <String[]>]
      [-ExpandProperty <String>]
      [-Unique]
      [-CaseInsensitive]
      [-Last <Int32>]
      [-First <Int32>]
      [-Skip <Int32>]
      [-Wait]
      [<CommonParameters>]

Examples:

This example creates objects that have the Name, ID, and working set (WS) properties of process objects.

Get-Process | Select-Object -Property ProcessName, Id, WS

This example creates objects that have the DisplayName properties of Group Policy Object (GPO) objects.

Get-GPO -All | Select-Object -ExpandProperty DisplayName

This example uses the Unique parameter of Select-Object to get unique characters from an array of characters.

"a","b","c","a","A","a" | Select-Object -Unique
    a
    b
    c
    A

This example gets the first (newest) and last (oldest) events in the Windows PowerShell event log.

Get-WinEvent gets all events in the Windows PowerShell log and saves them in the $a variable. Then, $a is piped to the Select-Object cmdlet. The Select-Object command uses the Index parameter to select events from the array of events in the $a variable. The index of the first event is 0. The index of the last event is the number of items in $a minus 1.

$a = Get-WinEvent -LogName "Windows PowerShell"
$a | Select-Object -Index 0, ($a.count - 1)

New Item – Create Files, Directories and More.

Microsoft Documentation

Module: Microsoft.PowerShell.Management

Syntax

New-Item
   [-Path] <String[]>
   [-ItemType <String>]
   [-Value <Object>]
   [-Force]
   [-Credential <PSCredential>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

New-Item
   [[-Path] <String[]>]
   -Name <String>
   [-ItemType <String>]
   [-Value <Object>]
   [-Force]
   [-Credential <PSCredential>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Create a file in the current directory

This command creates a text file that is named "testfile1.txt" in the current directory. The dot (‘.’) in the value of the Path parameter indicates the current directory. The quoted text that follows the Value parameter is added to the file as content.

New-Item -Path . -Name "testfile1.txt" -ItemType "file" -Value "This is a text string."

Create a directory

This command creates a directory named "Logfiles" in the C: drive. The ItemType parameter specifies that the new item is a directory, not a file or other file system object.

New-Item -Path "c:\" -Name "logfiles" -ItemType "directory"

Cmd.exe

Files and Directories

Delete Files or Folders on CMD using DEL Command

Note: The DEL command deletes a file. Here we take a sample file "hello.txt" located on the desktop and delete it with del in CMD:

del hello.txt

Delete Files or Folders on CMD using RMDIR Command

Note: The RMDIR command deletes an entire folder or directory. Here we take a sample folder named "Tasks" placed on the desktop and delete it with RMDIR in CMD:

rmdir tasks

File compare

File compare (fc) is a command-line tool for comparing two files and reporting any differences in their text content or binary data.

Switches:

  • /b – This switch will perform a binary comparison.
  • /c – If you need to do a case insensitive comparison, use this switch.
  • /a – This switch will make FC show only the first and last lines for each group of differences.
  • /u – Use this switch to compare files as Unicode text files.
  • /l – This will compare your files as ASCII text.
  • /n – This switch can only be used with ASCII but it will show all the corresponding line numbers.

Syntax:
Simply type “fc” and then the directory path and file name of the two files you want to compare.

fc [switches] [pathname1] [pathname2]

Processes

These commands list all processes running on the computer and can also terminate them. They are useful for finding out which tasks are running on a machine, including the processes running in the background.

Wmic process

  • list of processes running
    wmic process list

We can terminate these tasks by using the command:

    wmic process where name="name_of_file" call terminate

Note: Put the name of the ‘.exe file’ in place of “name_of_file”

Example:

Let’s say, we want to terminate the calculator. So, open a calculator in the system and terminate the process by using the following steps:

    wmic process where name="Calculator.exe" call terminate

Tasklist

In Windows, we can also get the list of processes running on the system from the command prompt, using the 'tasklist' command. With this command we can selectively list processes based on criteria such as the memory space used, running time, image file name, or the services running in the process.

Parameters:

  • /s Computer : Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
  • /u Domain \ User : Runs the command with the account permissions of the user specified by User or Domain\User. The default is the permissions of the current logged on user on the computer issuing the command.
  • /p Password : Specifies the password of the user account that is specified in the /u parameter.
  • /fo { TABLE | LIST | CSV } : Specifies the format to use for the output. Valid values are TABLE, LIST, and CSV. The default format for output is TABLE.
  • /nh : Suppresses column headers in the output. Valid when the /fo parameter is set to TABLE or CSV.
  • /fi FilterName : Specifies the types of process(es) to include in or exclude from the query. The following table lists valid filter names, operators, and values.
  • /svc : Lists all the service information for each process without truncation. Valid when the /fo parameter is set to TABLE. Cannot be used with the /m or the /v parameter.
  • /v : Specifies that verbose task information be displayed in the output. Cannot be used with the /svc or the /m parameter.
  • /m [ ModuleName ] : Specifies to show module information for each process. When a module is specified, all the processes using that module are shown. When a module is not specified, all the processes for all the modules are shown. Cannot be used with the /svc or the /v parameter.

Syntax:

tasklist[.exe] [/s computer] [/u domain\user [/p password]] [/fo {TABLE|LIST|CSV}] [/nh] [/fi FilterName [/fi FilterName2 [ ... ]]] [/m [ModuleName] | /svc | /v]

Example:

tasklist /v /fi "PID gt 1000" /fo csv
tasklist /fi "USERNAME ne NT AUTHORITY\SYSTEM" /fi "STATUS eq running"
tasklist /v /fi "STATUS eq running"
tasklist /s srvmain /nh
tasklist /s srvmain /s srvny
tasklist /s srvmain /u maindom\hiropln /p p@ssW23 /nh
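An added example, not part of the original cheat sheet, that ties the tasklist /fo CSV output above to the Select-Object section earlier: the CSV is parsed into objects, filtered the way the "USERNAME ne NT AUTHORITY\SYSTEM" / "STATUS eq running" example does, and trimmed with Select-Object to the columns that matter, sorted by memory. The column names are those tasklist /v emits in an English locale (assumption); the sample rows are constructed and the function name is an assumption.

```powershell
# Added example: parse `tasklist /v /fo csv` and report running, non-SYSTEM processes by memory.
function Get-NonSystemProcess {
    param([string[]]$CsvLines)   # the lines from `tasklist /v /fo csv`, header included
    $rows = $CsvLines | ConvertFrom-Csv
    $rows |
        # tasklist shows "N/A" for users you lack rights to see, so those rows are excluded too
        Where-Object { $_.'User Name' -ne 'NT AUTHORITY\SYSTEM' -and $_.'User Name' -ne 'N/A' -and $_.Status -eq 'Running' } |
        Select-Object -Property 'Image Name', PID, 'User Name',
            # "Mem Usage" arrives as text like "18,452 K"; strip everything but digits to get KB
            @{ Name = 'MemKB'; Expression = { [int]($_.'Mem Usage' -replace '[^\d]', '') } } |
        Sort-Object -Property MemKB -Descending
}

# Constructed sample in the shape tasklist /v /fo csv produces (not real output)
$sample = @(
    '"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"',
    '"svchost.exe","912","Services","0","18,452 K","Unknown","NT AUTHORITY\SYSTEM","0:00:03","N/A"',
    '"explorer.exe","4120","Console","1","96,120 K","Running","DESKTOP\alice","0:01:12","N/A"',
    '"notepad.exe","5208","Console","1","12,004 K","Running","DESKTOP\alice","0:00:00","Untitled - Notepad"',
    '"browser.exe","6001","Console","1","210,880 K","Not Responding","DESKTOP\alice","0:03:40","N/A"'
)
Get-NonSystemProcess -CsvLines $sample | Format-Table -AutoSize   # explorer.exe, then notepad.exe

# On a live system:
# Get-NonSystemProcess -CsvLines (tasklist /v /fo csv) | Format-Table -AutoSize
```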

Taskkill

You are surely familiar with the traditional way to kill or end a process in Windows using Task Manager. That method works, but killing a process from the Command Prompt gives much more control, including the ability to end multiple processes at once.

Parameters:

  • /s Computer : Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
  • /u Domain \ User : Runs the command with the account permissions of the user specified by User or Domain\User. The default is the permissions of the current logged on user on the computer issuing the command.
  • /p Password : Specifies the password of the user account that is specified in the /u parameter.
  • /fi FilterName : Specifies the types of process(es) to include in or exclude from termination. The following are valid filter names, operators, and values.
  • /pid ProcessID : Specifies the process ID of the process to be terminated.
  • /im ImageName : Specifies the image name of the process to be terminated. Use the wildcard (*) to specify all image names.
  • /f : Specifies that process(es) be forcefully terminated. This parameter is ignored for remote processes; all remote processes are forcefully terminated.
  • /t : Specifies to terminate all child processes along with the parent process, commonly known as a tree kill.

Syntax:

taskkill [/s Computer] [/u Domain\User [/p Password]] [/fi FilterName] [/pid ProcessID | /im ImageName] [/f] [/t]

Examples:

C:\>taskkill /pid 26356 /f
C:\>taskkill /fi "USERNAME eq Pratik" /f
C:\>taskkill /s VictimsDesktop /u RemoteAccountName /p RemoteAccountPassword /im notepad.exe /f 

System Info

Partition Details

The size given here is in terms of bits. We can convert it into bytes by dividing the given size by 8: Given_Ram_Size (in bits) / 8 = New_Ram_Size (in bytes)

    wmic partition get name,size,type

list of all products/software installed

This command returns the list of all products/software installed on the computer that are registered with Windows.

    wmic product
    ::OR
    wmic product get name,version

Mac Address

The command to get the MAC address is given below; there are other ways to obtain it as well.

    wmic nic get macaddress
    ::OR
    getmac

Bios Serial Number

This command returns the computer's serial number from the BIOS. It shows our own serial number rather than an O.E.M. value.

    wmic bios get serialnumber

System Info

    systeminfo
