Useful Windows Built-in Cmd Commands And Programs

  1. Command line commands:
    1. “ver” – displays windows version
    2. “win” – allows shutting down and rebooting computer as explained here:
    3. “mem /p”, “mem /c” – display information about windows memory
    4. “vol c:” – display volume information
    5. “prompt” – has some cool flags to display information and manipulate the prompt:
      $t states the time
      $d states the date
      $p lists your current directory and drive letter
      $v adds your DOS version (Or Windoze 95 version)
      $n lists just your current drive
      $g the > character
      $l the < character
      $b the | character
      $q the = character
      $h a backspace, it deletes the last letter of your prompt
      $e the escape character, can be A LOT of fun
      $_ does a carriage return after listing your prompt
  2. “hh c:\” – allows to browse the harddisk using html help without using explorer
  3. “runas /trustlevel:0x020000 cmd” – trustlevel flag used to choose priveleges under which the cmd will run
  4. “eudcedit” – private character editor
  5. “attrib /s *.exe” – ATTRIB with the /S option will search all subdirectories for the designated files. This is much faster than the method of using FIND on the output of DIR /S /B. In fact, it runs about twice as fast as the Windows 95 “Find Files or Folders” function.
  6. “psr” – Part of the in-built diagnostic tools that we use internally to send feedback on the product, the Problem Steps Recorder provides a simple screen capture tool that enables you to record a series of actions. Once you hit “record”, it tracks your mouse and keyboard and captures screenshots with any comments you choose to associate alongside them. Once you stop recording, it saves the whole thing to a ZIP file, containing an HTML-based “slide show” of the steps. . psr = built in keylogging \screen capture 😉
  7. “isoburn” – built in windows iso files burner
  8. calc -> view -> Unit Convesion/ Date calculation/ Worksheets
  9. “tzutil /g” – returns time zone which can be used for forensics
  10. “Rundll32 User32.dll,LockWorkStation”
    Lock Windows Desktop – similar to “Lock This Computer”
    “Rundll32 Printui.dll,PrintUIEntry /?”
    To bring up command line version of Windows printer user interface to manage printer devices in batch file or Windows shell scripts.
    “Rundll32 User32.dll,SwapMouseButton”
    Swap the left mouse-button to function as right-mouse button and right-mouse button to function as left-mouse button – convenient to left-handed users! However, to reverse back, you have to do it in the Mouse Properties dialog box (see next example)!
    “Rundll32 Shell32.dll,Control_RunDLL main.cpl @0,0”
    Bring up Mouse Properties dialog box that used to configure the behavior of computer mouse!
    “Rundll32 Shell32.dll,Control_RunDLL HotPlug.dll”
    This command is nice to know if the “Safely Remove Hardware” icon doesn’t appears in or is missing from the System-Tray (bottom-right, near to time display area), when you want to safely unplug an USB Mass Storage device.
  11. “rundll32.exe url.dll, FileProtocolHandler” – Open Microsoft Internet Explorer (IE) to a specific Web site.
    “rundll32.exe printui.dll, PrintUIEntry /il /c \\teca4” – Add a printer to a remote computer. Rundll32 can launch the Add Printer Wizard for a local or remote computer.
  12. “rundll32.exe advpack.dll,LaunchINFSection myinf.inf,DefaultInstall,1” runs rundll32 in quiet mode
  13. Internet Explorer Specific Commands which can be used to conver the tracks of the attack:
    Delete Temporary Internet Files:
    “RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8”
    Delete Cookies:
    “RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2”
    Delete History:
    “RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1”
    Delete Form Data:
    “RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16”
    Delete Passwords:
    “RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32”
    Delete All:
    “RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255”
    Delete All + files and settings stored by Add-ons:
    “RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351”
  14. “vssadmin list shadowstorage” – Show used storage and other Shadow Copy information.
  15. “bcdedit.exe /set nocheckintegritys ON” – Disable Windows driver signing (integrity checks).
  16. “Regedit /m” – Use this command to open multiple instances of Regedit.
  17. “slmgr” – windows lisencing
  18. many nice ones here:
  19. Win+X – keyboard shortcut to open windows mobility center on laptops running windows 7
  20. “chcp” – language code, can be used for forensics
  21. “wusa” – windows update standalone installer can be used to extract cab file to system32 bypassing UAC because wusa is signed
  22. “makecab” – creates cab files
  23. “bitsadmin” – manages the BIT service (Background Intelligent Transfer service) – allows to create a download file task for the BITS which is a good way to download file without being detected by the antivirus
  24. “w32tm” – NTP commands
  25. Run javascript from cmd using rundll32 type confusion:

    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script>"+(new%20ActiveXObject("WScript.Shell")).Run("calc"))

    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo')


  26. “set HTTP_PROXY=” – Configure http websites proxy by setting the environment variable HTTP_PROXY
  27. “set HTTPS_PROXY=” – Configure http websites proxy by setting the environment variable HTTPS_PROXY
  28. “set NO_PROXY=localhost,,” – Configure some websites to be accessed without proxy (can be used by malware) by setting the environment variable NO_PROXY

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s