Adding Keys and Values:
C:\> reg add [\\TargetIPaddr\][RegDomain]\[Key]

Add a key to the registry on machine [TargetIPaddr] within the registry domain [RegDomain] to location [Key]. If no remote machine is specified, the current machine is assumed.

Export and Import:
C:\> reg export [RegDomain]\[Key] [FileName]

Export all subkeys and values located in the domain [RegDomain] under the location [Key] to the file [FileName].

C:\> reg import [FileName]

Import all registry entries from the file [FileName].

Import and export can only be done from or to the local machine.

Query for a specific Value of a Key:
C:\> reg query [\\TargetIPaddr\][RegDomain]\[Key] /v [ValueName]

Query a key on machine [TargetIPaddr] within the registry domain [RegDomain] in location [Key] and get the specific value [ValueName] under that key. Add /s to recurse all values.

WMIC

Fundamental grammar:
C:\> wmic [alias] [where clause] [verb clause]

Useful [aliases]:
    process
    service
    share
    nicconfig
    startup
    useraccount
    qfe (Quick Fix Engineering – shows patches)

Example [where clauses]:
    where name="nc.exe"
    where (commandline like "%stuff")
    where (name="cmd.exe" and parentprocessid!="[pid]")

Example [verb clauses]:
    list [full|brief]
    get [attrib1,attrib2…]
    call [method]
    delete

List all attributes of [alias]:
C:\> wmic [alias] get /?

List all callable methods of [alias]:
C:\> wmic [alias] call /?

Example:
List all attributes of all running processes:
C:\> wmic process list full

Make WMIC affect remote [TargetIPaddr]:
C:\> wmic /node:[TargetIPaddr] /user:[User] /password:[Passwd] process list full
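
Added example (not part of the original cheat sheet): a batch file that combines the wmic grammar and the reg commands above into a read-only snapshot of the local machine. The output folder, the output file names, the "downloads" search term and the choice of the HKLM Run key are assumptions made for illustration.

```bat
@echo off
rem Added example, not from the original sheet: read-only local snapshot.
rem OUT, the output file names and the Run key are illustrative assumptions.
setlocal
set "OUT=%~dp0triage-%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"

rem wmic is deprecated and missing on some recent Windows builds.
where wmic >nul 2>&1
if errorlevel 1 (
    echo wmic not found on this host, skipping the WMI queries.
    goto registry
)

rem [alias] [verb clause]: every attribute of every running process.
wmic process list full > "%OUT%\process-full.txt"

rem [alias] [where clause] [verb clause]: each cmd.exe with its parent PID,
rem so a shell started by an unexpected parent stands out.
wmic process where (name="cmd.exe") get processid,parentprocessid,commandline > "%OUT%\cmd-shells.txt"

rem LIKE wildcard: in a batch file write %% for each %, because cmd.exe
rem reads a single % as the start of a variable. At the prompt use one %.
wmic process where (commandline like "%%downloads%%") get name,processid,commandline > "%OUT%\from-downloads.txt"

rem Other aliases from the sheet, narrowed with get to the useful columns.
wmic service where (state="running") get name,pathname,startmode > "%OUT%\services.txt"
wmic startup list full > "%OUT%\startup.txt"
wmic useraccount list brief > "%OUT%\users.txt"
wmic qfe get hotfixid,installedon > "%OUT%\patches.txt"

:registry
rem reg query /s recurses the key; reg export keeps a copy that reg import
rem can restore. Export only works against the local machine.
set "RUNKEY=HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "%RUNKEY%" /s > "%OUT%\run-key.txt"
reg export "%RUNKEY%" "%OUT%\run-key.reg" /y

echo Snapshot written to "%OUT%"
endlocal
```
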
Windows Command Line Cheat Sheet
By Ed Skoudis
POCKET REFERENCE GUIDE
http://www.sans.org

Purpose
The purpose of this cheat sheet is to provide tips on how to use various Windows commands that are frequently referenced in SANS 504, 517, 531, and 560.

Process and Service Information
List all