
Who's logged on to a machine?
wmic /node:remotecomputer computersystem get username

Kill a process
wmic process where name="evilprocess.exe" delete

Remotely display machine's MAC address
wmic /node:machinename nic get macaddress,description

Remotely list running processes every second
wmic /node:machinename process list brief /every:1

Delete ARP cache
netsh int ip delete arpcache
arp -a

Get all IP addresses used in a DNS round robin for a website
nslookup -d www.google.com 8.8.8.8 2>$null | Select-String 'internet address' | Select-Object -Expand Line | Sort-Object

Tell CMD to F Off! (Turns off tab completion so you can actually tab in commands)
C:\> cmd /F:off

Tells you what executable is involved in creating each connection or listening port
netstat -bn

Like above but gives you the exact location of the related process. (Needs this PowerShell script: http://poshcode.org/560)
Get-Netstat | % { Add-Member -InputObject $_ -MemberType NoteProperty -Name Path -Value (Get-Process -Id $_.PID).Path -Force -PassThru } | % { Add-Member -InputObject $_ -MemberType NoteProperty -Name CreationTime -Value (ls $_.Path).CreationTime -Force -PassThru }

Find out who logged on to your machine and when (Win7 only)
Get-WinEvent -FilterHashtable @{LogName="Security";Id=4647,4648} | ? { $_.Message | Select-String "intrudersname" }

Change cmd window title
Example from cmd: title h@xor at work
Example from powershell: (Get-Host).UI.RawUI.WindowTitle = "Shell to Take over the World"

Display path statement in list format
From powershell: $env:path -replace ";","`n"
From cmd: for %i in ("%PATH:;=" "%") do @echo %i

Create local user
From cmd: net user timmy * /add

Gather information about 3rd party products installed on a Windows system (Useful for finding out what an ID string belongs to)
From cmd: wmic /output:c:\products.htm product list full /format:hform.xsl
Creates a beautiful HTML file you can look at in a web browser on the c: drive

Troubleshooting laptops
System might be low on power or overheating if...

From cmd: wmic cpu get currentclockspeed,maxclockspeed
If you see a big difference in these numbers, it could be due to a couple of reasons. First off, your system may be running under a low power condition, so it slows down the processor to save power, making currentclockspeed lower than maxclockspeed. That's nothing to worry about. The other condition, however, is that your system has gotten kinda hot, so it's slowing itself down. That's something to worry about.

If you suspect a temperature issue:
cmd: wmic /namespace:\\root\wmi PATH MSAcpi_ThermalZoneTemperature get CurrentTemperature
You'll get something like 3202 which is 320.2F. Google F to C conversion and you get 160C

Do you think a customer's hard drive is going bad? There's a command for that
cmd: wmic /namespace:\\root\wmi PATH MSStorageDriver_FailurePredictStatus get predictfailure

Remotely get a user's desktop resolution:
cmd: wmic /node:dcarey /user:fdeverax desktopmonitor get screenwidth, screenheight
cmd (even better): for /f "skip=1 tokens=1,2" %i in ('"wmic /node:dcarey /user:fdeverax desktopmonitor get screenheight, screenwidth"') do @echo %jX%i
powershell: gwmi win32_desktopmonitor -comp dcarey -cred (Get-Credential) | select screen*

Show what powershell snap-ins are installed
powershell: Get-PSSnapin -Registered
Additional snap-ins means additional cmdlets and additional fun, fun, fun!

Find established connections
cmd: netstat -na | find "EST"

Find systems on the same subnet the computer has talked to recently
cmd: arp -a

Check DNS cache to see which names the computer has resolved recently
cmd: ipconfig /displaydns

Find current SMB connections
cmd: net use
x-account won't return anything because you're mapped with your regular account

Get list of users and groups as well as members of the administrators group
cmd: net user
cmd: net localgroup
cmd: net localgroup administrators

Telnet Client Win7
cmd install: pkgmgr /iu:"TelnetClient"
cmd uninstall: pkgmgr /uu:"TelnetClient"
iu = install update, uu = uninstall update

Get information on all USB devices ever plugged into a system
powershell: gci -recurse HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR | ? { $_.PSPath -match ".*Disk&Ven[^\\]*$" } | select PSChildName

Registry from command line!
powershell: cd HKLM:
dos commands work here!
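
For the USB device history entry above, an added example (not part of the original sheet) that splits each USBSTOR device key name into vendor, product and revision and pairs it with its instance subkeys, which is the form a forensic timeline usually needs. The function name ConvertFrom-UsbStorKeyName and the sample key names are made up for illustration; the Disk&Ven_...&Prod_...&Rev_... layout is the one the sheet's own filter matches.

```powershell
# Added example: turn USBSTOR device key names into structured records.
# Expected key name layout: Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
function ConvertFrom-UsbStorKeyName {
    param([Parameter(Mandatory = $true)][string]$Name)
    $pattern = '^Disk&Ven_(?<Vendor>[^&]*)&Prod_(?<Product>[^&]*)&Rev_(?<Revision>[^&]*)$'
    # Anything else (for example an instance subkey) produces no output.
    if ($Name -notmatch $pattern) { return }
    New-Object psobject -Property @{
        Vendor   = $Matches.Vendor
        # Underscores stand in for spaces in these names.
        Product  = ($Matches.Product -replace '_', ' ').Trim()
        Revision = $Matches.Revision
    } | Select-Object Vendor, Product, Revision
}

# Constructed sample key names so the parser can be tried offline.
$sample = @(
    'Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26',
    'Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07',
    '0123456789ABCDEF&0'   # instance subkey name, skipped by the parser
)
$sample | ForEach-Object { ConvertFrom-UsbStorKeyName $_ } | Format-Table -AutoSize

# Live system: one row per device instance found under USBSTOR.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
if (Test-Path $root) {
    Get-ChildItem $root | ForEach-Object {
        $dev = ConvertFrom-UsbStorKeyName $_.PSChildName
        if ($dev) {
            # Each subkey of a device key is one device instance.
            foreach ($inst in Get-ChildItem -LiteralPath $_.PSPath) {
                $dev | Select-Object Vendor, Product, Revision,
                    @{ n = 'InstanceId'; e = { $inst.PSChildName } }
            }
        }
    }
}
```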

Powershell commands discovery:
powershell: Get-Command -Type cmdlet | Sort-Object noun
powershell: Get-Command -Verb Get | Group-Object noun

wmic command discovery:
cmd: wmic /?:full
cmd: wmic process get /?
cmd: wmic process call /?

net discovery
cmd: net /?
cmd: net use /?

Show domain account security settings
cmd: net accounts /domain

CMD has shell history!!!!
Hit F7
Or use doskey /history if you're from the 80s

setx /?
