Windows command-line tools are critical for navigating, enumerating, and gaining persistence on Windows-based systems.
Most global infrastructure still runs on Windows. During real-world engagements or red teaming, a hacker will inevitably encounter a compromised Windows host — and must know how to operate within it. Understanding native Windows commands provides direct access to system behavior, user activity, networking, and privilege structures. Whether working through CMD, PowerShell, or remote shells (e.g., C2 frameworks), this knowledge is essential.
Command Prompt (cmd.exe) is available on virtually every Windows machine, while PowerShell provides a more advanced scripting interface and object-oriented output. Mastering both enhances control, stealth, and capability during post-exploitation.
Navigation & File Management

| Command | Description | Usage |
|---|---|---|
| dir | List directory contents | dir C:\Users |
| cd | Change directory | cd C:\Windows\System32 |
| mkdir | Create a folder | mkdir backdoor |
| del | Delete file(s) | del secret.txt |
| copy | Copy files | copy payload.exe D:\payload.exe |
| move | Move or rename files | move key.txt ..\keys.txt |
| robocopy | Robust file copy with options | robocopy C:\data D:\backup /MIR |
| type | View file content | type C:\Windows\win.ini |
System Information & Monitoring

| Command | Description | Usage |
|---|---|---|
| whoami | Show current user | whoami |
| hostname | Show computer name | hostname |
| systeminfo | Detailed OS & hardware info | systeminfo |
| tasklist | List running processes | tasklist |
| taskkill | Kill a process by PID | taskkill /PID 1234 /F |
| ver | Display OS version | ver |
| driverquery | List installed drivers | driverquery /V |
User & Privilege Enumeration

| Command | Description | Usage |
|---|---|---|
| net user | List or modify user accounts | net user |
| net localgroup | List or modify groups | net localgroup administrators |
| wmic useraccount | Detailed user data | wmic useraccount get name,sid,status |
| Command | Description | Usage |
|---|---|---|
| ipconfig | Show IP/network config | ipconfig /all |
| ping | Test network reachability | ping 8.8.8.8 |
| tracert | Show packet path | tracert example.com |
| netstat | Show active network connections | netstat -ano |
| arp | View ARP cache | arp -a |
| nslookup | Resolve domain to IP | nslookup google.com |
| Command | Description | Usage |
|---|---|---|
| schtasks | Schedule tasks (persistence) | schtasks /Create /SC minute /TN backdoor /TR C:\payload.exe |
| sc | Service control manager | sc qc wuauserv |
| runas | Run as another user | runas /user:Administrator cmd |
Registry & System Internals

| Command | Description | Usage |
|---|---|---|
| reg | Query/edit Windows registry | reg query HKCU\Software |

| Command | Description | Usage |
|---|---|---|
| help | Show available commands | help |
| command /? | Help for any command | netstat /? |
net localgroup administrators
Create Persistent Backdoor Task
schtasks /create /tn "backdoor" /tr "C:\payload.exe" /sc onlogon /ru "SYSTEM"
wmic useraccount get name,sid
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
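As an added example (not from the original page), the following PowerShell audit turns the two persistence locations shown above, scheduled tasks that run as SYSTEM at logon or boot and the Run/RunOnce registry keys, into a defender's check that lists review candidates. It assumes an elevated PowerShell session on the host being examined and the built-in ScheduledTasks module; the path filter against $env:SystemRoot is a heuristic, so entries it returns need manual review rather than being treated as confirmed malicious.

```powershell
# Added example: audit scheduled-task and Run-key persistence on a Windows host.
# Assumes an elevated session and the built-in ScheduledTasks module.

# 1. Scheduled tasks that (a) run as SYSTEM, (b) fire at logon or boot, and
#    (c) execute something outside the Windows directory. This mirrors the
#    "/sc onlogon /ru SYSTEM" task shown above from the detection side.
$suspiciousTasks = Get-ScheduledTask | Where-Object {
    ($_.Principal.UserId -in @('SYSTEM', 'S-1-5-18')) -and
    ($_.Triggers | Where-Object {
        $_.CimClass.CimClassName -in @('MSFT_TaskLogonTrigger', 'MSFT_TaskBootTrigger')
    }) -and
    ($_.Actions | Where-Object {
        $_.Execute -and ($_.Execute -notlike "$env:SystemRoot\*")
    })
} | Select-Object TaskName, TaskPath,
    @{ n = 'RunAs';  e = { $_.Principal.UserId } },
    @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; ' } }

"== Logon/boot tasks running as SYSTEM with non-Windows actions =="
$suspiciousTasks | Format-Table -AutoSize

# 2. Autostart entries in the Run and RunOnce keys of both hives (the
#    "reg query ...\CurrentVersion\Run" check above, for all four locations).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
"== Run / RunOnce autostart entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Get-ItemProperty returns the values as properties; drop the PS* metadata.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
}
```

Compare the output against a known-good baseline from a clean build of the same image; new SYSTEM logon tasks or Run entries pointing at user-writable paths are the ones worth escalating.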