Windows Fundamentals
Commands and programs that all Windows users need to know (but many don't!).
Sysinternals
If you don't know about Mark Russinovich's amazing tools then go and check them out. Many, many use cases for a lot of these tools, from enumeration, persistence, threat-hunting, to ordinary system administration. https://docs.microsoft.com/en-us/sysinternals/
Red-teamers and penetration testers can leverage Sysinternals tools for enumeration, privilege escalation, and lateral movement. This table includes a few of the Sysinternals tools useful for offensive security:
| Tool | What it does | Offensive use | Tactic |
|---|---|---|---|
| PsExec | Executes processes on a remote system over SMB: it copies a service binary to the target's ADMIN$ share and starts it as the PSEXESVC service. | Lateral movement by running commands on remote hosts with valid administrative credentials. The service installation it leaves behind (service creation event, PSEXESVC binary) is a well-known detection opportunity. | Lateral Movement |
| AccessChk | Reports the effective permissions a user or group has on files, directories, registry keys, services and other securable objects. | Find privilege-escalation opportunities: writable service configurations, service binaries, or directories on PATH. | Privilege Escalation |
| ProcMon (Process Monitor) | Captures real-time file system, registry, process/thread and network activity. | Watch how a privileged process behaves: which files and DLLs it tries to load (NAME NOT FOUND results for a .dll point at DLL search-order hijacks), what it writes, and which security products hook it. | Exploitation |
| TCPView | Shows active TCP/UDP endpoints and the processes that own them, in real time. | Reconnaissance of listening ports and live connections on a host you control. | Reconnaissance |
| Autoruns & Autorunsc | Lists everything configured to start automatically: Run keys, services, drivers, scheduled tasks, WMI subscriptions and more. Autorunsc is the command-line version. | Find (or audit your own) persistence mechanisms; hide Microsoft-signed entries to focus on the rest. | Persistence |
| Handle | Lists open handles to files, registry keys and other objects, per process. | Find which process holds a file open and, with -c, close that handle; useful for locked files that may contain sensitive data or credentials. | Credential Access |
| ListDLLs | Shows the DLLs loaded by running processes, and can restrict the listing to unsigned modules. | Identify injection and hijacking targets, and spot injected or unsigned modules inside legitimate processes. | Defense Evasion |
| SigCheck | Verifies Authenticode signatures and shows version and hash information for files. | Find unsigned or tampered executables; -e -u walks a directory tree for unsigned executables. | Discovery |
| Strings | Extracts printable ASCII and Unicode strings from binary files. | Triage binaries for embedded commands, URLs and other indicators of compromise. | Reconnaissance |
| PsSuspend | Suspends and resumes processes without terminating them. | Temporarily freeze a monitoring tool during an operation. Note that PPL-protected processes (most current AV/EDR agents) refuse the suspend, and the attempt itself is visible to them. | Defense Evasion |
A full list of the current tools can be found here.
Sysinternals tools can also be run directly, without installing anything, from the Sysinternals Live share: https://live.sysinternals.com/ in a browser, or \\live.sysinternals.com\tools from a command line. The share is served over WebDAV, so the WebClient service must be running on the client.
Mapping that share to the first free drive letter with net use (see Shared Folders/SMB below) puts the full, current tool set on a drive letter, ready for use.
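As an added example (not code from the original page or from Sysinternals), the following runs AccessChk straight from the live share to check two classic local privilege-escalation conditions: services whose configuration "Authenticated Users" can change, and service binary directories outside the Windows directory that "Authenticated Users" can write to. It assumes outbound WebDAV to live.sysinternals.com is allowed and the WebClient service is running; if not, copy accesschk.exe locally and point $tools at that directory.

```powershell
# Added example (not from the original page): run AccessChk from the Sysinternals
# Live share (nothing installed) to look for
#   1. services whose configuration "Authenticated Users" can change  (accesschk -c)
#   2. service binary directories outside %SystemRoot% that "Authenticated Users" can write to
# Assumptions: outbound WebDAV to live.sysinternals.com is allowed and the WebClient
# service is running. Otherwise copy accesschk.exe locally and change $tools.
$tools = '\\live.sysinternals.com\tools'
$acc   = Join-Path $tools 'accesschk.exe'
$who   = 'Authenticated Users'

# -accepteula: no EULA dialog; -nobanner: parseable output; -u: suppress errors;
# -w: only objects the account can write to; -q: quiet; -v: show the granted access masks
'--- services writable by {0} ---' -f $who
& $acc -accepteula -nobanner -uwcqv $who * 2>$null

'--- service binary directories outside {0} writable by {1} ---' -f $env:SystemRoot, $who
# Pull the executable out of each service's command line ("C:\path\x.exe" -args or C:\path\x.exe -args)
$dirs = Get-CimInstance Win32_Service |
    ForEach-Object { if ($_.PathName -match '^"?([^"]+?\.exe)') { Split-Path $matches[1] -Parent } } |
    Where-Object { $_ -and ($_ -notlike "$env:SystemRoot\*") } |
    Sort-Object -Unique
foreach ($d in $dirs) {
    # -d: test the directory object itself rather than its contents
    & $acc -accepteula -nobanner -uwqd $who $d 2>$null
}
```

AccessChk only prints objects that match, so an empty result for either check is the good outcome. The directory check deliberately skips %SystemRoot%, where everything is owned by TrustedInstaller; the interesting findings are third-party services installed under their own directories.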
Windows Shells
CMD.EXE
The Windows Command Prompt (cmd.exe) is an essential interface for executing text-based commands that control the operating system, automate tasks, and troubleshoot system issues. Unlike a graphical user interface (GUI), cmd.exe provides direct access to system functionality through typed commands, making it a powerful tool for administrators, developers, and security professionals.
Use Cases for cmd.exe
System Administration: Modify system settings, manage processes, and configure user accounts.
Networking: Troubleshoot connectivity, scan ports, and manage network shares.
Security & Forensics: Analyze logs, check permissions, and identify suspicious activities.
Scripting & Automation: Write batch scripts for repetitive tasks and scheduled jobs.
File & Directory Management: Copy, move, delete, and modify file attributes efficiently.
Types of Commands in cmd.exe
There are two primary types of commands that can be executed in cmd.exe:
Built-in Commands: processed inside the cmd.exe shell itself, with no external program involved. Built-ins provide the basics of file manipulation, directory navigation and environment management. Examples: cd (change directory), dir (list files), echo (display text), set (manage environment variables) and exit (close the command prompt).
External Executables: separate .exe files, typically stored in system directories such as C:\Windows\System32\, that cmd.exe locates through the PATH and PATHEXT environment variables. They extend the shell by invoking system utilities and tools. Examples: ping.exe (network testing), ipconfig.exe (network configuration), tasklist.exe (list running processes) and robocopy.exe (advanced file copy operations).
The distinction matters for security. A built-in cannot be replaced by a same-named file, whereas an external command is resolved by searching the current directory first and then each PATH entry in order, trying each PATHEXT extension, so a writable directory early in PATH (or a writable working directory) lets an attacker shadow a real tool. Use where followed by a name to see what it resolves to; for a built-in, where finds nothing.
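The following added example (not code from the original page) makes the built-in versus external distinction concrete: it classifies a handful of names with where, then plants decoy batch files named after one external command (tasklist) and one built-in (cd) in a directory placed first on PATH. It assumes the default PATHEXT, which includes .BAT. The scratch directory is created under %TEMP% and removed at the end.

```powershell
# Added example (not from the original page): why the built-in / external split
# matters. External commands are found by searching the current directory and
# then each PATH entry, trying every PATHEXT extension, so a writable directory
# early in PATH lets an attacker shadow a real tool. Built-ins never touch the
# disk and cannot be shadowed this way. Assumes the default PATHEXT (.BAT included).
$demo = Join-Path $env:TEMP ("cmddemo_" + [guid]::NewGuid().ToString('N'))
$null = New-Item -ItemType Directory -Path $demo
# Decoy batch files named after one external and one built-in command
Set-Content -Path (Join-Path $demo 'tasklist.bat') -Value '@echo [decoy tasklist.bat ran from %~dp0]'
Set-Content -Path (Join-Path $demo 'cd.bat')       -Value '@echo [decoy cd.bat ran]'

# 1. Classify: `where` locates external commands on disk and fails for built-ins
foreach ($name in 'cd', 'dir', 'set', 'tasklist', 'ipconfig', 'attrib') {
    $found = & cmd.exe /d /c "where $name 2>nul"
    if ($LASTEXITCODE -ne 0) { '{0,-9} built-in (nothing on disk)' -f $name }
    else                     { '{0,-9} external -> {1}' -f $name, ($found -join '; ') }
}

# 2. Shadowing: a child cmd.exe inherits our PATH, now starting with the decoy directory
$savedPath = $env:PATH
$env:PATH  = "$demo;$savedPath"
'--- tasklist (external) with the decoy directory first in PATH ---'
& cmd.exe /d /c tasklist      # resolved through PATH, so the decoy batch file runs instead of tasklist.exe
'--- cd (built-in) with the decoy directory first in PATH ---'
& cmd.exe /d /c cd            # handled inside cmd.exe; cd.bat is never consulted
$env:PATH = $savedPath
Remove-Item -LiteralPath $demo -Recurse -Force
```

The same mechanism is why attrib and help, which look like built-ins, can be shadowed: they are attrib.exe and help.exe in System32. Defensively, check that no directory on the system PATH is writable by ordinary users; the icacls and Get-Acl material later on this page shows how.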
Windows CMD built-in commands
Windows cmd.exe built-in commands provide essential functionality for managing files, processes and session settings directly from the command line. Built-in commands are internal functions of cmd.exe, meaning they run within the shell itself rather than calling external binaries. Two entries below (help and attrib) are included because they are used alongside the built-ins, but they are external programs in System32.
| Command | Description | Example |
|---|---|---|
| cd | Changes the current directory; with no argument, prints it. | cd C:\Users\tester\Documents – navigate to the Documents folder of user tester. |
| dir | Lists files and directories in the current folder. | dir /s /b – list all files in the current directory and its subdirectories in bare format. Add /a to include hidden and system files, which dir skips by default. |
| echo | Displays text or variable values. | echo Hello, World! – print "Hello, World!" to the screen. |
| set | Sets or displays environment variables for the current cmd.exe session (setx is needed to persist them). | set PATH – show every variable whose name starts with PATH, i.e. PATH and PATHEXT. |
| exit | Closes the command prompt; exit /b leaves a batch script without closing the window. | exit – close the terminal session. |
| cls | Clears the command prompt screen. | cls – wipe the screen clean. |
| ver | Displays the Windows version. | ver – show the OS version number. |
| help | Lists commands with a one-line summary, or shows help for one command. Not a built-in: it is help.exe in System32. A command's own /? switch gives the same information. | help dir – show details on how to use the dir command. |
| copy | Copies files from one location to another. | copy file.txt D:\Backup\ – copy file.txt to the Backup folder. |
| move | Moves files from one location to another (and renames directories). | move file.txt D:\Backup\ – move file.txt to the Backup folder. |
| del | Deletes files. | del /F /Q file.txt – delete file.txt even if it is read-only (/F), without confirmation (/Q). |
| ren | Renames a file or folder. | ren oldname.txt newname.txt – rename oldname.txt to newname.txt. |
| mkdir | Creates a new directory, including any missing parent directories. | mkdir C:\NewFolder – create a folder named NewFolder. |
| rmdir | Deletes a directory. | rmdir /s /q C:\OldFolder – remove OldFolder and everything in it (/s), without prompting (/q). |
| attrib | Changes file attributes (hidden, read-only, system, archive). Not a built-in: it is attrib.exe in System32. | attrib +H file.txt – hide file.txt. |
| title | Changes the title of the command prompt window. | title Custom CMD Window – set the window title to "Custom CMD Window". |
| prompt | Changes the command prompt display string. | prompt $P$G – show the current path followed by >. |
The 'Net' Commands
The Windows net commands are a family of command-line tools for local account, group, share, session and service administration. Most of the operations that change something need an elevated prompt, and all of them are favourites of attackers for host and domain enumeration, so their command lines are worth logging (process creation auditing with command line, or Sysmon event 1). Here is a brief overview of the key net commands:
| Command | Purpose | Example | Switches and notes |
|---|---|---|---|
| net user | Lists, adds, removes and modifies user accounts. | net user tester /add – add a local user named tester. net user tester – show group memberships, last logon and password dates for tester. | /delete removes the account. /domain performs the operation on the primary domain controller of the computer's domain instead of the local SAM. |
| net localgroup | Lists local groups and manages their members. | net localgroup Administrators tester /add – add tester to the local Administrators group. net localgroup Administrators – list its members. | With only a group name, /add creates the group and /delete removes it; with a member named as well, /add and /delete add or remove that member. |
| net share | Creates, deletes and lists folders shared from this computer. | net share myshare=C:\MyFolder /grant:tester,full – share C:\MyFolder as myshare with Full share permission for tester. net share alone lists existing shares, including the administrative shares (C$, ADMIN$, IPC$). | /delete stops sharing a resource. /grant:user,permission sets the share permission to read, change or full; NTFS permissions still apply underneath (see Share vs. NTFS below). |
| net start / net stop | Starts or stops a Windows service, by service name or display name. net start with no argument lists the running services. | net start WebClient – start the WebClient (WebDAV) service, which is needed to reach \\live.sysinternals.com. | Stopping or starting most services requires administrative rights. |
| net session | Lists the sessions that remote computers have opened against this computer's shares, or disconnects them. | net session \\RemotePC /delete – disconnect the session from RemotePC. | Shows inbound sessions only and requires administrative rights. |
| net use | Connects to, disconnects from and lists network shares. | net use Z: \\Server\Share – map \\Server\Share to the Z: drive. net use alone lists current connections and their status. | /delete disconnects a mapping. /persistent:yes or /persistent:no controls whether the mapping is restored at the next logon. /user:DOMAIN\name connects with different credentials; the password can be given as a separate argument, or as * to be prompted. |
| net view | Lists computers, or the shares offered by one computer. | net view \\Server – show the shares on the server named Server. | /domain lists domains; /domain:name lists the computers in that domain. The no-argument form depends on the Computer Browser service, which is gone from modern Windows, so it often fails with error 6118 even though net view \\host still works. |
| net accounts | Displays or modifies the password and lockout policy, for the local machine or (with /domain) the domain. | net accounts /maxpwage:90 – set the maximum password age to 90 days. net accounts /domain – read the domain policy; check the lockout threshold here before any password spraying. | /forcelogoff:minutes (or no) sets how long after a user's logon hours expire they are forced off; it is not an inactivity timeout. /minpwlen:n sets the minimum password length. /lockoutthreshold:n, /lockoutduration:m and /lockoutwindow:m set the account lockout policy. |
| net statistics | Displays statistics for the Workstation or Server service, including the time it started. | net statistics workstation – view workstation statistics. | Specify workstation or server. |
| net print | Displays or manages print jobs on a network printer. | net print \\Server\Printer – view print jobs on a shared printer. | /delete removes a print job. |
| net file | Lists files that remote users have open on this computer's shares, and closes them. | net file – view open files. | net file followed by an ID and /close closes that file; requires administrative rights. |
| net group | Manages global (domain) groups; the command must run on, or be directed at, a domain controller. | net group "IT Admins" /add /domain – create a global group named IT Admins. net group "Domain Admins" /domain – list that group's members. | /delete removes the group or, with a member named, that member. |
| net time | Displays or sets the system clock from another computer. | net time \\Server /set /yes – set the clock from Server without prompting. | /querysntp and /setsntp are deprecated; use w32tm /query /source and w32tm /resync on current systems. |
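The lockout policy is the one piece of net accounts output that an offensive or audit script has to read programmatically. The following added example (not code from the original page) parses that output into an object and works out how many attempts per observation window stay under the threshold; the sample text it runs on is constructed for the demonstration, not captured from a real host, and the two-attempt safety margin is an assumption of this example.

```powershell
# Added example (not from the original page): read the password and lockout
# policy with `net accounts` and turn the text into an object, so an audit script
# (or a password-spraying run that must stay under the lockout threshold) can
# reason about it. `/domain` asks the domain controller instead of the local SAM.
function ConvertFrom-NetAccounts {
    param([string[]]$Lines)
    $policy = @{}
    foreach ($line in $Lines) {
        # Each policy line is "<label>:<padding><value>"; keep label and value only
        if ($line -match '^\s*(?<key>[^:]+?):\s+(?<val>\S.*?)\s*$') {
            $policy[$matches.key] = $matches.val
        }
    }
    $threshold = if ($policy['Lockout threshold'] -eq 'Never') { 0 } else { [int]$policy['Lockout threshold'] }
    [pscustomobject]@{
        MinPasswordLength      = [int]$policy['Minimum password length']
        MaxPasswordAgeDays     = $policy['Maximum password age (days)']
        PasswordHistory        = [int]$policy['Length of password history maintained']
        LockoutThreshold       = $threshold                       # 0 = lockout disabled
        LockoutWindowMinutes   = $policy['Lockout observation window (minutes)']
        LockoutDurationMinutes = $policy['Lockout duration (minutes)']
        Role                   = $policy['Computer role']
        # Assumption of this example: keep two attempts of headroom per observation window
        SafeAttemptsPerWindow  = if ($threshold -eq 0) { 'unlimited' } else { [math]::Max($threshold - 2, 0) }
    }
}

function Get-LockoutPolicy {
    param([switch]$Domain)
    $netArgs = @('accounts')
    if ($Domain) { $netArgs += '/domain' }
    ConvertFrom-NetAccounts -Lines (& net.exe @netArgs 2>&1 | ForEach-Object { "$_" })
}

# Constructed sample of `net accounts` output (not captured from a real host),
# so the parser can be exercised offline:
$sample = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          90
Minimum password length:                              12
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
'@ -split "`r?`n"
ConvertFrom-NetAccounts -Lines $sample | Format-List

# Live use: Get-LockoutPolicy           (local policy)
#           Get-LockoutPolicy -Domain   (domain policy, the one that matters for spraying)
```

The parser keys on the English labels, so on a localized Windows the labels differ and the properties come back empty; that is worth a sanity check before trusting LockoutThreshold = 0.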
File Manipulation
File Attributes
Windows file attributes are metadata properties assigned to files and folders that define their visibility, accessibility, and behavior. These attributes help control read/write access, security settings, and system file classifications.
File attributes can be modified using built-in commands like attrib in cmd.exe or PowerShell. Some attributes, such as Read-Only and Hidden, are commonly used for file protection and organizational purposes, while system attributes ensure that essential files are safeguarded from accidental modifications.
Here is a list of the most common Windows file attributes:
| Attribute | Description | Example Use Case |
|---|---|---|
| Read-Only (R) | Prevents casual modification: tools that honour the flag refuse to write, and del fails with "Access is denied" unless /F is given. It is not access control; anyone who can write the file can clear the flag. | Important documents, to avoid accidental changes. |
| Hidden (H) | Hides the file from dir and from Explorer's default view. | Keeping configuration files out of sight of casual users. Also a favourite of malware, which is why dir /a and Get-ChildItem -Force exist. |
| System (S) | Marks an operating-system file. Explorer hides Hidden+System files even when "show hidden files" is on, and some tools warn before touching them, but the flag grants no protection by itself; NTFS permissions do that. | Critical Windows files such as desktop.ini and pagefile.sys. |
| Archive (A) | Set automatically whenever the file is modified; backup software clears it after a backup. | Incremental backups. |
| Compressed (C) | The file is compressed transparently by NTFS. | Reducing space used on NTFS volumes. |
| Encrypted (E) | The file is encrypted with EFS under a key tied to the user's certificate; other accounts cannot read the contents even with Full Control on the file. | Protecting sensitive data from other local users. |
| Temporary (T) | Tells the cache manager the file is short-lived, so it need not be flushed to disk eagerly. | Application caches and scratch files. |
| Sparse (P) | NTFS allocates space only for the non-zero regions. | Databases and virtual disk images. |
| Offline (O) | The content is stored remotely (hierarchical storage or cloud files) and is fetched on access. | Files managed by cloud storage clients. |
Managing File Attributes
You can view and change file attributes using the following commands:
CMD:
attrib +H secret.txt → hide secret.txt
attrib -R report.docx → remove Read-Only from report.docx
attrib with a file name and no flags shows the attributes currently set.
PowerShell:
$file = Get-Item "C:\example.txt"; $file.Attributes += 'Hidden' → hide the file
Get-Item needs -Force to return a file that is already hidden. Note that += adds the value arithmetically, so applying it to a file that is already hidden corrupts the flags; a bitwise OR (-bor) is the safe form.
With attrib, + sets a flag and - clears it, so attrib +h hides a file and attrib -h unhides it. The same syntax changes the other flags, such as (a) Archive, (r) Read-Only and (s) System. Flags must be given separately (-h -a -r, not -har).
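Attributes are not access control, and the Hidden+System pair is exactly what malware uses to stay out of a plain dir listing. The following added example (not code from the original page) sets that pair on a scratch file, shows what dir with and without /a reports, reads the file anyway, and provides a small hunter for Hidden+System files that is worth running over user-writable trees. The file and directory are created for the demonstration and removed afterwards.

```powershell
# Added example (not from the original page): attributes are bookkeeping, not
# access control. A file flagged Hidden+System disappears from a plain `dir`
# and from Explorer's default view, which is exactly why malware uses the
# combination, but anyone with NTFS Read access can still open it. The file and
# directory below are created for the demonstration and removed afterwards.
$dir  = Join-Path $env:TEMP ("attrdemo_" + [guid]::NewGuid().ToString('N'))
$file = Join-Path $dir 'creds.txt'
$null = New-Item -ItemType Directory -Path $dir
Set-Content -LiteralPath $file -Value 'constructed sample content'

# cmd.exe style: flags are separate arguments (+S +H, not +SH)
& attrib.exe +S +H $file
# PowerShell equivalent, OR-ing the flags into whatever is already set:
# $item = Get-Item -LiteralPath $file -Force
# $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

$visible = @(& cmd.exe /d /c dir /b $dir 2>$null)      # no /a: hidden and system entries are skipped
$all     = @(& cmd.exe /d /c dir /b /a $dir 2>$null)   # /a: every entry regardless of attributes
'dir /b sees {0} file(s); dir /b /a sees: {1}' -f $visible.Count, ($all -join ', ')
'content is still readable: {0}' -f (Get-Content -LiteralPath $file)

# Hunt for Hidden+System files. Windows uses the pair itself (desktop.ini,
# pagefile.sys, volume roots), so run this over user-writable trees and triage.
function Find-SuperHidden {
    param([string]$Root)
    $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $mask) -eq $mask } |
        Select-Object FullName, Attributes, Length, LastWriteTime
}
Find-SuperHidden -Root $dir
# e.g. Find-SuperHidden -Root $env:USERPROFILE | Where-Object FullName -notlike '*\desktop.ini'

& attrib.exe -S -H $file
Remove-Item -LiteralPath $dir -Recurse -Force
```

The -bor form is preferred over += because it is idempotent: OR-ing Hidden into a set that already contains Hidden changes nothing, whereas adding the numeric value twice flips a different bit.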
NTFS Permissions
NTFS (New Technology File System) permissions are a security feature in Windows that controls who can access files and folders on NTFS-formatted drives. These permissions allow administrators to restrict or grant access to users and groups, ensuring data security and integrity.
NTFS permissions are more granular than share permissions and apply at the file system level, meaning they remain in effect regardless of how the file or folder is accessed (locally or over a network). Permissions can be explicitly assigned or inherited from parent folders.
NTFS Permission Types & Applicability
Below is a table describing the different NTFS permissions:
| Permission | Description | Applicable To | Example Use Case |
|---|---|---|---|
| Full Control | Grants complete access, including modifying permissions and taking ownership. | Files & Folders | Administrators managing system files. |
| Modify | Allows reading, writing, and deleting files/folders. | Files & Folders | Users editing documents but restricted from changing permissions. |
| Read & Execute | Allows viewing and executing files but prevents modifications. | Files & Folders | Running applications without modifying them. |
| List Folder Contents | Allows viewing folder contents but prevents file modifications. | Folders Only | Browsing directories without altering files. |
| Read | Grants permission to view files and folder contents. | Files & Folders | Users needing access to reference documents. |
| Write | Allows creating and modifying files but prevents deletion. | Files & Folders | Users adding new files to a shared directory. |
| Traverse Folder / Execute File | Allows navigating through folders or executing files. | Files & Folders | Running scripts or accessing nested directories. |
| Delete | Grants permission to remove files or folders. | Files & Folders | Users managing temporary files. |
| Change Permissions | Allows modifying NTFS permissions for files and folders. | Files & Folders | Administrators adjusting access control settings. |
| Take Ownership | Allows users to take ownership of files or folders. | Files & Folders | Recovering access to locked files. |
Key Features of NTFS Permissions
Inheritance: permissions assigned to a parent folder automatically apply to its subfolders and files unless inheritance is disabled on the child or overridden by explicit entries there.
Explicit vs. Inherited Permissions: explicit permissions are set directly on the object; inherited permissions come from parent directories. Explicit entries are evaluated first, so they win over inherited ones.
Deny Overrides Allow at the same level: an explicit Deny beats an explicit Allow, and an inherited Deny beats an inherited Allow. The full evaluation order is explicit Deny, explicit Allow, inherited Deny, inherited Allow, which means an explicit Allow on a file overrides a Deny inherited from its folder.
Combining Permissions: a user's effective permissions are the union of the Allow entries for the user and every group the user belongs to, minus any Deny entries. Ownership is separate: the owner of an object can always read and change its permissions, even without a matching Allow entry.
Windows Share Permissions
Windows uses two types of permissions to control access to files and folders: Share Permissions and NTFS Permissions. While they serve similar purposes, they function differently and apply in different scenarios.
Share Permissions
Apply only to shared folders accessed over a network (not local access).
Three levels of access:
Read - Users can view files and folders but cannot modify them.
Change - Users can read, modify, and delete files.
Full Control - Users can read, modify, delete, and change permissions.
Set at the folder level (not individual files).
Cannot be inherited - each shared folder has its own permissions.
NTFS Permissions
Apply to both local and network access.
More granular control: permissions can be set for individual files and folders.
Can be inherited: permissions assigned to a parent folder apply to subfolders and files.
Includes advanced permissions like Modify, Read & Execute, Write, and Full Control.
Precedence of Share vs. NTFS Permissions
When a user accesses a shared folder over the network, both Share and NTFS permissions apply. The most restrictive permission takes precedence.
| Permission Type | Explicit vs. Inherited | Allow vs. Deny | Precedence Level |
|---|---|---|---|
| Explicit Deny (NTFS) | Directly assigned to a file or folder | Deny | Highest Precedence |
| Explicit Deny (Share) | Directly assigned to a shared folder | Deny | High Precedence |
| Explicit Allow (NTFS) | Directly assigned to a file or folder | Allow | Medium Precedence |
| Explicit Allow (Share) | Directly assigned to a shared folder | Allow | Medium Precedence |
| Inherited Deny (NTFS) | Inherited from a parent folder | Deny | Lower Precedence |
| Inherited Allow (NTFS) | Inherited from a parent folder | Allow | Lowest Precedence |
Key Takeaways
Deny beats Allow at the same level: an explicit Deny beats an explicit Allow and an inherited Deny beats an inherited Allow. Across levels, explicit beats inherited, so an explicit Allow on a file does override a Deny inherited from its folder.
NTFS permissions apply to both local and network access, while Share permissions apply only to network access.
Permissions set directly on a file override those inherited from its folder, because explicit entries are evaluated before inherited ones.
The most restrictive combination applies over the network: if NTFS grants Modify but the share grants only Read, the user gets Read; if either side denies access, the user is denied.
Access Control Lists (ACLs)
In Windows, Access Control Lists (ACLs) are security structures that define who can access files and folders and what actions they can perform. ACLs consist of Access Control Entries (ACEs), which specify users, groups, or processes and their corresponding permissions.
Every file and folder has an ACL that determines its accessibility:
ACLs contain a list of permissions assigned to different users or groups.
Permissions can be explicitly assigned or inherited from a parent directory.
ACLs help enforce security policies and protect sensitive data.
To view the ACL of a file or folder: right-click the item in Explorer and select Properties, open the Security tab, then select a user or group in the upper list to see the section marked 'Permissions for' followed by that name. The Advanced button shows the full entries, including whether each is explicit or inherited.
Windows ACL Components
Discretionary Access Control List (DACL) - Defines who has allow or deny permissions.
System Access Control List (SACL) - Used for auditing access attempts.
Owner - The user who controls the resource and can change permissions.
Inheritance - Determines if child files/folders receive permissions from a parent directory.
Common ACL Permissions
| Permission | Description | Example Use Case |
|---|---|---|
| Full Control | Grants complete access, including modifying ACLs and taking ownership. | Used by administrators to manage security settings. |
| Modify | Allows reading, writing, and deleting files/folders. | Editors and contributors modifying shared project files. |
| Read & Execute | Allows viewing and running files but prevents modifications. | Running applications without altering them. |
| List Folder Contents | Allows browsing directories without modifying files. | Users needing access to a directory's structure without altering data. |
| Read | Grants permission to view files and folder contents. | Viewing reference documents without editing. |
| Write | Allows creating and modifying files but prevents deletion. | Users adding new content to shared folders without deletion rights. |
| Change Permissions | Allows modifying ACL settings for files and folders. | Administrators adjusting access control settings. |
| Take Ownership | Allows users to take ownership of files or folders. |Recovering access to locked files. |
Key Takeaways
ACLs control file/folder access by assigning permissions to users and groups.
Explicit Deny overrides Allow when conflicting permissions exist.
Inheritance determines whether child objects receive parent permissions.
Managing ACLs in Windows
Using File Explorer
Right-click a file or folder → Properties → Security tab.
Click Edit to modify permissions.
Add, remove, or adjust permissions for users and groups.
Using the shell
Using icacls
View ACLs:
Grant Full Control:
Remove Permissions:
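The three operations listed above, as an added example (not code from the original page): icacls views, grants and removes an entry on a scratch folder, and a Get-Acl scan finds ACEs that give broad groups write access. The scan is the reusable part: writable directories on PATH, service binary folders and anything under Program Files that Users or Everyone can write to are classic local privilege-escalation findings. The SID list and the rights mask are this example's choices.

```powershell
# Added example (not from the original page): icacls to view, grant and remove
# permissions on a scratch folder, plus a Get-Acl scan for ACEs that give broad
# groups write access.
$root = Join-Path $env:TEMP ("aclscan_" + [guid]::NewGuid().ToString('N'))
$null = New-Item -ItemType Directory -Path $root

# View: one line per ACE as principal:(inheritance flags)(rights); (I) marks inherited entries
icacls.exe $root

# Grant BUILTIN\Users Modify, inherited by sub-folders (CI) and files (OI).
# The *SID form avoids localized group names; S-1-5-32-545 is BUILTIN\Users.
$null = icacls.exe $root /grant '*S-1-5-32-545:(OI)(CI)M'

# Principals whose write access counts as a finding:
# Everyone, Authenticated Users, Users, Anonymous
$broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-7'
$fsr = [System.Security.AccessControl.FileSystemRights]
# Specific rights that let someone change content or control, plus the generic bits
# (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000) that show up on some inherited ACEs.
$writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership -bor
                   $fsr::DeleteSubdirectoriesAndFiles) -bor 0x40000000 -bor 0x10000000

function Find-WeakAce {
    param([string[]]$Path)
    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        # Ask for identities as SIDs so the comparison is locale-independent
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($broad -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $p
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

'--- after the grant ---'
Find-WeakAce -Path $root
# Remove every granted ACE for Users again (/remove:d would target deny ACEs instead)
$null = icacls.exe $root /remove:g '*S-1-5-32-545'
'--- after the removal ---'
Find-WeakAce -Path $root
Remove-Item -LiteralPath $root -Recurse -Force
```

To turn this into an actual check, feed Find-WeakAce the directories from $env:Path split on ';', or the service binary directories collected in the AccessChk example earlier on this page; Find-WeakAce reads the DACL directly and so needs no Sysinternals download.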
Windows Rights (TODO: finish this)
The names below are the members of the .NET enumerations System.Security.AccessControl.FileSystemRights, InheritanceFlags and PropagationFlags, which PowerShell's Get-Acl and Set-Acl and the FileSystemAccessRule class use. icacls exposes the same rights and flags under its own letter codes: F, M, RX, R and W for the common rights, and (OI), (CI), (IO) and (NP) for the inheritance and propagation flags.
Valid settings for Rights are as follows:
| Right | Description |
|---|---|
| AppendData | The right to append data to the end of a file. |
| ChangePermissions | The right to change the security and audit rules associated with a file or folder. |
| CreateDirectories | The right to create a folder. |
| CreateFiles | The right to create a file. |
| Delete | The right to delete a folder or file. |
| DeleteSubdirectoriesAndFiles | The right to delete a folder and any files contained within that folder. |
| ExecuteFile | The right to run an application file. |
| FullControl | The right to exert full control over a folder or file, and to modify access control and audit rules. This is the combination of all rights in this enumeration. |
| ListDirectory | The right to read the contents of a directory. |
| Modify | The right to read, write, list folder contents, delete folders and files, and run application files. Includes ReadAndExecute, Write and Delete. |
| Read | The right to open and copy folders or files as read-only. Includes ReadData, ReadExtendedAttributes, ReadAttributes and ReadPermissions. |
| ReadAndExecute | The right to open and copy folders or files as read-only, and to run application files. Includes Read and ExecuteFile. |
| ReadAttributes | The right to read file system attributes from a folder or file, for example the creation or modified date. Does not include the right to read data, extended attributes, or access and audit rules. |
| ReadData | The right to open and copy a file or folder. Does not include the right to read file system attributes, extended attributes, or access and audit rules. |
| ReadExtendedAttributes | The right to read extended file system attributes from a folder or file, for example author and content information. Does not include the right to read data, file system attributes, or access and audit rules. |
| ReadPermissions | The right to read the access and audit rules of a folder or file. Does not include the right to read data, file system attributes, or extended attributes. |
| Synchronize | Whether the application can wait for a file handle to synchronize with the completion of an I/O operation. Windows adds this right to every Allow entry it stores, which is why rights display as "ReadAndExecute, Synchronize". |
| TakeOwnership | The right to change the owner of a folder or file. Note that the owner of a resource can always read and change its permissions. |
| Traverse | The right to list the contents of a folder and to run applications contained within that folder. |
| Write | The right to create folders and files, and to add or remove data from files. Includes WriteData, AppendData, WriteExtendedAttributes and WriteAttributes. |
| WriteAttributes | The right to write file system attributes to a folder or file. Does not include the ability to write data, extended attributes, or access and audit rules. |
| WriteData | The right to open and write to a file or folder. Does not include the right to write file system attributes, extended attributes, or access and audit rules. |
| WriteExtendedAttributes | The right to write extended file system attributes to a folder or file. Does not include the ability to write data, attributes, or access and audit rules. |
Valid Inherit settings (InheritanceFlags):
| Flag | Description |
|---|---|
| ContainerInherit | The ACE is inherited by child container objects (sub-folders). |
| None | The ACE is not inherited by child objects. |
| ObjectInherit | The ACE is inherited by child leaf objects (files). |
Valid Propagation settings (PropagationFlags):
| Flag | Description |
|---|---|
| InheritOnly | The ACE applies only to child objects (containers and leaves, as selected by the inherit flags), not to the object it is set on. |
| None | No propagation flags are set: the ACE applies to the object itself and is inherited as the inherit flags specify. |
| NoPropagateInherit | Direct children receive the ACE, but it is not propagated any further down: grandchildren do not inherit it. |
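The following added example (not code from the original page) builds one ACE from the three enumerations above with FileSystemAccessRule, applies it to a scratch folder, creates a sub-folder and a file beneath it, and reads the Users entry back from each object so the effect of ContainerInherit, ObjectInherit and InheritOnly is visible. The SID S-1-5-32-545 (BUILTIN\Users) and the ReadAndExecute right are this example's choices; everything it creates is removed at the end.

```powershell
# Added example (not from the original page): construct an ACE from
# FileSystemRights + InheritanceFlags + PropagationFlags, apply it, and watch
# which child objects inherit it and with which flags.
$root = Join-Path $env:TEMP ("inherit_" + [guid]::NewGuid().ToString('N'))
$null = New-Item -ItemType Directory -Path $root
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'   # BUILTIN\Users

# Rights: ReadAndExecute. Inherit: both sub-folders and files. Propagation: InheritOnly,
# so the entry is stored on $root but does not apply to $root itself.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -LiteralPath $root
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $root -AclObject $acl

# Children created after the ACE exists pick it up through inheritance
$sub  = New-Item -ItemType Directory -Path (Join-Path $root 'sub')
$leaf = New-Item -ItemType File -Path (Join-Path $sub 'leaf.txt')

function Show-UsersAce {
    param([string]$Path, [string]$Label)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -ne 'S-1-5-32-545') { continue }
        [pscustomobject]@{
            Object      = $Label
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            Inheritance = $ace.InheritanceFlags
            Propagation = $ace.PropagationFlags
        }
    }
}
Show-UsersAce $root         'root (ACE set here)'
Show-UsersAce $sub.FullName  'root\sub'
Show-UsersAce $leaf.FullName 'root\sub\leaf.txt'

Remove-Item -LiteralPath $root -Recurse -Force
```

On the root the entry is reported as not inherited with InheritOnly set; on sub it is reported as inherited with both inherit flags retained (so it keeps flowing down) and no propagation flags; on leaf.txt it is inherited with no flags at all, since a file has no children. Switching the propagation argument to NoPropagateInherit makes sub keep the entry but drop the inherit flags, so a folder created inside sub would not receive it.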
Shared Folders/SMB
Mount a remote CIFS/SMB share
A great example is to mount the Sysinternals Live drive to use the tools directly from Microsoft:
You can thank me later.
To remove a previously mounted share:
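Both the mount described in this section and the "first available drive letter" mapping mentioned under Sysinternals above come down to net use with * as the drive. The following added example (not code from the original page) wraps that: it maps the share to the first free letter, parses the assigned letter out of net use's output, uses the drive, and disconnects it. It assumes the WebClient service is running and outbound HTTP to live.sysinternals.com is allowed; for an ordinary SMB share substitute \\server\share and add /user:DOMAIN\name when different credentials are needed.

```powershell
# Added example (not from the original page): map a share to the first free
# drive letter, discover which letter was assigned, use it, and disconnect.
# The Sysinternals Live share is served over WebDAV, so this needs the WebClient
# service (net start WebClient) and outbound HTTP to live.sysinternals.com.
function Mount-FirstFreeDrive {
    param([Parameter(Mandatory)][string]$Unc)
    # `net use *` chooses the letter and announces it on stdout, e.g.
    #   Drive Z: is now connected to \\live.sysinternals.com\tools.
    # /persistent:no keeps the mapping out of the profile, so it is gone at the next logon.
    $out = & net.exe use * $Unc /persistent:no 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "net use failed: $($out -join ' ')" }
    foreach ($line in $out) {
        if ($line -match '^Drive ([A-Za-z]): is now connected') { return "$($matches[1]):" }
    }
    throw "could not find the drive letter in: $($out -join ' ')"
}

$drive = Mount-FirstFreeDrive -Unc '\\live.sysinternals.com\tools'
"mapped as $drive"
Get-ChildItem -LiteralPath "$drive\" -Filter 'Ps*.exe' | Select-Object -ExpandProperty Name
& net.exe use                               # list every current connection and its status
& "$drive\PsInfo.exe" -accepteula           # run a tool straight off the mapped drive
& net.exe use $drive /delete /y | Out-Null  # disconnect; /y answers the confirmation prompt
```

Parsing the "Drive X:" line is what makes the function usable from scripts; hard-coding a letter fails the first time the letter is already taken. /delete with /y is the non-interactive form of the removal step, and net use * /delete /y drops every mapping at once.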
Environment Variables
The command set displays all current environment variables and their values in cmd.exe. In PowerShell use Get-ChildItem env: (or one of its aliases, such as dir env:) to list them.
You can find more about Windows environment variables on the PowerShell page.
Below is a comparison between the environment variables used in PowerShell and those used in the classic cmd.exe environment. The cmd.exe %NAME% form is also understood in many other places throughout Windows, such as the Run dialog, the address bar of an Explorer or browser window, Task Scheduler actions, service and Run-key paths (REG_EXPAND_SZ values) and event logs. Variable names containing parentheses, such as ProgramFiles(x86), must be written as ${env:ProgramFiles(x86)} in PowerShell.
| Typical value or meaning | PowerShell | cmd.exe (and most other places in Windows) |
|---|---|---|
| C:\ProgramData | $env:ALLUSERSPROFILE | %ALLUSERSPROFILE% |
| Current user's AppData\Roaming folder | $env:APPDATA | %APPDATA% |
| C:\Program Files\Common Files | $env:CommonProgramFiles | %CommonProgramFiles% |
| C:\Program Files (x86)\Common Files | ${env:CommonProgramFiles(x86)} | %CommonProgramFiles(x86)% |
| C:\Program Files\Common Files (64-bit location, even from a 32-bit process) | $env:CommonProgramW6432 | %CommonProgramW6432% |
| Computer name | $env:COMPUTERNAME | %COMPUTERNAME% |
| C:\WINDOWS\system32\cmd.exe (the command interpreter) | $env:ComSpec | %ComSpec% |
| C:\Windows\System32\Drivers\DriverData | $env:DriverData | %DriverData% |
| C: (drive holding the user's home folder) | $env:HOMEDRIVE | %HOMEDRIVE% |
| Current user's home folder, relative to HOMEDRIVE (\Users\name) | $env:HOMEPATH | %HOMEPATH% |
| Current user's AppData\Local folder | $env:LOCALAPPDATA | %LOCALAPPDATA% |
| Domain controller that authenticated the logon, as a UNC name (\\ followed by its NetBIOS name) | $env:LOGONSERVER | %LOGONSERVER% |
| Number of logical processors | $env:NUMBER_OF_PROCESSORS | %NUMBER_OF_PROCESSORS% |
| Current user's OneDrive folder | $env:OneDrive | %OneDrive% |
| Current user's personal (consumer) OneDrive folder | $env:OneDriveConsumer | %OneDriveConsumer% |
| Operating system family (Windows_NT) | $env:OS | %OS% |
| Directories searched, in order, for a command given without a path | $env:Path | %Path% |
| Extensions tried, in order, when a command name has none (.COM;.EXE;.BAT;.CMD;...) | $env:PATHEXT | %PATHEXT% |
| Processor architecture (AMD64, x86, ARM64) | $env:PROCESSOR_ARCHITECTURE | %PROCESSOR_ARCHITECTURE% |
| Processor identification string | $env:PROCESSOR_IDENTIFIER | %PROCESSOR_IDENTIFIER% |
| Processor level | $env:PROCESSOR_LEVEL | %PROCESSOR_LEVEL% |
| Processor revision | $env:PROCESSOR_REVISION | %PROCESSOR_REVISION% |
| C:\ProgramData | $env:ProgramData | %ProgramData% |
| C:\Program Files | $env:ProgramFiles | %ProgramFiles% |
| C:\Program Files (x86) | ${env:ProgramFiles(x86)} | %ProgramFiles(x86)% |
| C:\Program Files (64-bit location, even from a 32-bit process) | $env:ProgramW6432 | %ProgramW6432% |
| Directories searched for PowerShell modules | $env:PSModulePath | %PSModulePath% |
| C:\Users\Public | $env:PUBLIC | %PUBLIC% |
| Session name: Console for a local interactive logon, RDP-Tcp#n for a Remote Desktop session | $env:SESSIONNAME | %SESSIONNAME% |
| C: (drive holding the Windows installation) | $env:SystemDrive | %SystemDrive% |
| C:\WINDOWS | $env:SystemRoot | %SystemRoot% |
| Current user's AppData\Local\Temp folder | $env:TEMP | %TEMP% |
| Current user's AppData\Local\Temp folder (same as TEMP by default) | $env:TMP | %TMP% |
| NetBIOS name of the domain (or of the computer, for local accounts) of the logged-on user | $env:USERDOMAIN | %USERDOMAIN% |
| Domain that holds the user's roaming profile | $env:USERDOMAIN_ROAMINGPROFILE | %USERDOMAIN_ROAMINGPROFILE% |
| User name | $env:USERNAME | %USERNAME% |
| Current user's profile folder (C:\Users\name) | $env:USERPROFILE | %USERPROFILE% |
| C:\WINDOWS | $env:windir | %windir% |
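Persistence entries (Run keys, scheduled tasks, services) routinely store paths in the cmd.exe %VAR% form from the table above, so a check that compares raw strings misses them. The following added example (not code from the original page) expands such a string the way Windows does, pulls out the executable, and reports whether it exists and whether it lives under the user's profile, which is where a dropped binary usually ends up. The four sample values are constructed for the demonstration; the Run-key part reads live data from HKCU.

```powershell
# Added example (not from the original page): expand cmd.exe-style %VAR% paths
# as found in persistence entries, resolve the executable, and flag the ones
# that live in user-writable profile locations. Sample values are constructed.
function Resolve-ExpandedCommand {
    param([string]$Command)
    # Same expansion cmd.exe, Task Scheduler and REG_EXPAND_SZ use
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    # First token is the executable: a quoted path, or everything up to the first space
    $exe = if ($expanded -match '^\s*"([^"]+)"') { $matches[1] } else { ($expanded -split '\s+', 2)[0] }
    [pscustomobject]@{
        Raw        = $Command
        Expanded   = $expanded
        Executable = $exe
        Exists     = Test-Path -LiteralPath $exe
        InProfile  = $exe -like "$env:USERPROFILE\*"   # user-writable: anyone running as this user could replace it
    }
}

# Constructed samples in the shapes seen in Run keys and task actions
$samples = @(
    '%SystemRoot%\system32\notepad.exe',
    '"%ProgramFiles%\Common Files\example\agent.exe" /background',
    '%APPDATA%\Updater\update.exe /silent',
    '%LOCALAPPDATA%\Temp\svchost.exe'
)
$samples | ForEach-Object { Resolve-ExpandedCommand $_ } | Format-Table -AutoSize

# Live data: the per-user Run key. Get-ItemProperty would hand back REG_EXPAND_SZ values
# already expanded, so read them raw through the registry API and expand them ourselves.
$key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows\CurrentVersion\Run')
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $raw = $key.GetValue($name, '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        Resolve-ExpandedCommand $raw | Add-Member -NotePropertyName Entry -NotePropertyValue $name -PassThru
    }
    $key.Close()
}
```

Keeping the Raw and Expanded forms side by side matters for reporting: the raw string is what to search for in other hosts' registries, while the expanded one is what actually runs on this host, and the two differ per user because %APPDATA% and %LOCALAPPDATA% do.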
Explorer Navigation
Shortcuts
| Shortcut | Action |
|---|---|
| CTRL+N | Open new session |
| CTRL+R | Execute commands |
| CTRL+SHIFT+ESC | Task Manager |
| Windows+E | Open Explorer |
| CTRL+B | |
| CTRL+I | Favourites |
| CTRL+H | History |
| CTRL+L | |
| CTRL+O | File/Open dialog |
| CTRL+P | Print dialog |
| CTRL+S | Save As |
Hidden Administrative menu: CTRL-ALT-F8, CTRL-ESC-F9
Shell URIs
shell:Administrative Tools
shell:DocumentsLibrary
shell:Libraries
shell:UserProfiles
shell:Personal
shell:SearchHomeFolder
shell:NetworkPlacesFolder
shell:SendTo
shell:Common Administrative Tools
shell:MyComputerFolder
shell:InternetFolder
shell:Profile
shell:ProgramFiles
shell:System
shell:ControlPanelFolder
shell:Windows
shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D} --> Control Panel
shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D} --> This PC/My Computer
shell:::{208D2C60-3AEA-1069-A2D7-08002B30309D} --> Network Places
Powershell
PowerShell is a large and important enough topic that it has its own page.
Thanks
If you like this content and would like to see more, please consider buying me a coffee!