Windows Fundamentals

Commands and programs that all Windows users need to know (but many don't!).

Last updated 4 hours ago

Was this helpful?

Windows Fundamentals

Commands and programs that all Windows users need to know (but many don't!).

Sysinternals

If you don't know about Mark Russinovich's amazing tools then go and check them out. Many, many use cases for a lot of these tools, from enumeration, persistence, threat-hunting, to ordinary system administration.

Red-teamers and penetration testers can leverage Sysinternals tools for enumeration, privilege escalation, and lateral movement. This table includes a few of the Sysinternals tools useful for offensive security:

Tool

Description

Example Use Case

Cyber Kill Chain Phase

PsExec

Executes processes remotely on another system.

Used for lateral movement by executing commands on remote hosts.

Lateral Movement

AccessChk

Checks user permissions for files, registry keys, and objects.

Identify privilege escalation opportunities by analyzing access control settings.

Privilege Escalation

ProcMon (Process Monitor)

Captures real-time system activity, including file, registry, and network events.

Monitor security controls and detect potential weaknesses in endpoint defenses.

Exploitation

TCPView

Monitors active TCP/UDP connections in real time.

Identify open ports and active connections for reconnaissance.

Reconnaissance

Autoruns & Autorunsc

Displays all auto-start programs, services, and registry entries.

Find persistence mechanisms used by malware or adversaries.

Persistence

Handle

Lists open handles to files, registry keys, and other system objects.

Investigate (i.e. unlock) locked files that may contain sensitive data or credentials.

Credential Access

ListDLLs

Displays loaded DLLs for running processes.

Identify DLL injection opportunities for stealthy code execution (i.e. Running malware)

Defense Evasion

SigCheck

Verifies digital signatures of files.

Detect unsigned or tampered executables that may be malicious.

Execution

Strings

Extracts readable text from binary files.

Analyze malware binaries for embedded commands or indicators of compromise.

Reconnaissance

PsSuspend

Suspends processes without terminating them.

Disable security tools temporarily during red-team operations.

Defense Evasion

A full list of the current tools can be found .
Sysinternals tools can be linked to directly and run in-memory from
- This command maps the current full list of Sysinternals tools to the first available drive letter as a network share, ready for use!
```
net use * //live.sysinternals.com
```

Windows Shells

CMD.EXE

The Windows Command Prompt (cmd.exe) is an essential interface for executing text-based commands that control the operating system, automate tasks, and troubleshoot system issues. Unlike a graphical user interface (GUI), cmd.exe provides direct access to system functionalities through typed commands, making it a powerful tool for administrators, developers, and security professionals.

Use Cases for `cmd.exe`

System Administration: Modify system settings, manage processes, and configure user accounts.
Networking: Troubleshoot connectivity, scan ports, and manage network shares.
Security & Forensics: Analyze logs, check permissions, and identify suspicious activities.
Scripting & Automation: Write batch scripts for repetitive tasks and scheduled jobs.
File & Directory Management: Copy, move, delete, and modify file attributes efficiently.

Types of Commands in `cmd.exe`

There are two primary types of commands that can be executed in cmd.exe:

Built-in Commands:
- These commands are directly processed within the cmd.exe shell, meaning they do not rely on external programs to execute.
- Built-ins provide essential functionality such as file manipulation, directory navigation, and environment management.
- Examples: cd (change directory), dir (list files), echo (display text), set (manage environment variables), and exit (close command prompt).
External Executables:
- These commands call separate .exe files, typically stored in system directories like C:\Windows\System32\.
- External commands extend the shell’s capabilities by invoking system utilities and tools.
- Examples: ping.exe (network testing), ipconfig.exe (network configuration), tasklist.exe (list running processes), and robocopy.exe (advanced file copy operations).

For example:

cd, dir, echo, set, exit are all built-ins handled directly by cmd.exe.
Commands like ping, ipconfig, tasklist, and robocopy are external, i.e. they invoke separate .exe files located in system directories (e.g. C:\Windows\System32\).

Windows CMD built-in commands

Windows cmd.exe built-in commands provide essential functionality for managing files, processes, networking, and system settings directly from the command line. Built-in commands are internal functions of cmd.exe, meaning they run within the shell itself rather than calling external binaries.

Command

Description

Example Use Case

Changes the current directory.

cd C:\Users\tester\Documents – Navigate to the Documents folder for user tester.

dir

Lists files and directories in the current folder.

dir /s /b – List all files in the current directory and subdirectories.

echo

Displays text or variables in the command prompt.

echo Hello, World! – Print "Hello, World!" to the screen.

set

Sets or displays environment variables.

set PATH – Show the current PATH variable.

exit

Closes the command prompt.

exit – Close the terminal session.

cls

Clears the command prompt screen.

cls – Wipe the screen clean.

ver

Displays the Windows version.

ver – Show the OS version number.

help

Displays help information for CMD commands.

help dir – Show details on how to use the dir command.

copy

Copies files from one location to another.

copy file.txt D:\Backup\ – Copy file.txt to the Backup folder.

move

Moves files from one location to another.

move file.txt D:\Backup\ – Move file.txt to the Backup folder.

del

Deletes files.

del /F /Q file.txt – Force delete file.txt without confirmation.

ren

Renames a file or folder.

ren oldname.txt newname.txt – Rename oldname.txt to newname.txt.

mkdir

Creates a new directory.

mkdir C:\NewFolder – Create a folder named NewFolder.

rmdir

Deletes a directory.

rmdir /s /q C:\OldFolder – Remove OldFolder and its contents.

attrib

Changes file attributes (hidden, read-only, etc.).

attrib +H file.txt – Hide file.txt.

title

Changes the title of the command prompt window.

title Custom CMD Window – Set the window title to "Custom CMD Window".

prompt

Changes the command prompt display style.

prompt $P$G – Set prompt to display the current path followed by >.

The 'Net' Commands

The Windows net commands are a set of command-line tools that allow administrators and users to perform essential tasks related to system configurations, network services, and security. Here’s a brief overview of some key net commands:

Command

Description

Example Use Case

Common Options

net user

Manages user accounts on a computer. You can add, remove, and modify users.

net user tester /add – Adds a new user named tester.

/delete – Remove a user, /domain – Execute on a domain controller.

net localgroup

Manages local groups on the computer. You can add, remove, and list members.

net localgroup Administrators tester /add – Adds tester to the Administrators group.

/delete – Remove a group, /add – Create a new group.

net share

Creates, deletes, and manages shared resources on the network.

net share myshare=C:\MyFolder /grant:tester,full – Creates a share named myshare with full access for user tester.

/delete – Stop sharing a resource, /grant – Assign access permissions.

net start / stop

Starts or stops network services.

net start "Web Client" – Starts the Web Client service.

Specify service names to start or stop.

net session

Displays all current sessions or disconnects them.

net session \\RemotePC /delete – Disconnects the session with RemotePC.

/delete – End a session.

net use

Connects, disconnects, and displays shared network resources.

net use Z: \\Server\Share – Maps the network share at \\Server\Share to the Z: drive.

/delete – Disconnect a network drive, /persistent – Make the connection persistent across reboots.

net view

Displays a list of computers or network resources.

net view \\Server – Shows shared resources on the server named Server.

/domain – List domains or computers in a domain.

net accounts

Displays or modifies password and logon policies for user accounts.

net accounts /maxpwage:90 – Set maximum password age to 90 days.

/forcelogoff – Force logoff after inactivity, /minpwlen – Set minimum password length.

net statistics

Displays statistics for network services like Workstation or Server.

net statistics workstation – View workstation statistics.

Specify workstation or server for different stats.

net print

Displays or manages print jobs on a network printer.

net print \\Server\Printer – View print jobs on a shared printer.

/delete – Remove a print job.

net file

Displays open files on a network and allows closing them.

net file – View open files.

/close – Close an open file.

net group

Manages global groups on a domain.

net group "IT Admins" /add – Creates a new global group named "IT Admins".

/delete – Remove a group, /add – Create a new group.

net time

Synchronizes the system clock with a network time server.

net time \\Server /set /yes – Sync time with Server.

/querysntp – Query the SNTP time server.

File Manipulation

File Attributes

Windows file attributes are metadata properties assigned to files and folders that define their visibility, accessibility, and behavior. These attributes help control read/write access, security settings, and system file classifications.

File attributes can be modified using built-in commands like attrib in cmd.exe or PowerShell. Some attributes, such as Read-Only and Hidden, are commonly used for file protection and organizational purposes, while system attributes ensure that essential files are safeguarded from accidental modifications.

Here is a list of the most common Windows file attributes:

Attribute

Description

Example Use Case

Read-Only (R)

Prevents modifications to the file.

Used on important documents to avoid accidental changes.

Hidden (H)

Hides the file from standard directory views.

Hiding configuration files from casual users.

System (S)

Marks a file as a system file, restricting user modifications.

Applied to critical Windows system files.

Archive (A)

Flags the file for backup or archiving purposes.

Automatically marked when a file is edited, useful for backup software.

Compressed (C)

Indicates the file is compressed via NTFS compression.

Reduces file size on NTFS partitions.

Encrypted (E)

Encrypts the file using NTFS encryption.

Protects sensitive data by restricting unauthorized access.

Temporary (T)

Indicates the file is for temporary use.

Used by applications for cache storage.

Sparse (P)

Allocates disk space efficiently by storing only non-zero data.

Used for database and virtualization scenarios.

Offline (O)

Marks the file as offline, meaning it's stored remotely.

Useful for files managed by cloud storage systems.

Managing File Attributes

You can view and change file attributes using the following commands:

CMD: attrib +H secret.txt → Hide secret.txt attrib -R report.docx → Remove Read-Only from report.docx
PowerShell: $file = Get-Item "C:\example.txt"; $file.Attributes += 'Hidden' → Hide the file

Example: Set a file as Hidden (-h) using attrib.

This can also be used to change other file property flags such as (a) Archive and (r) ReadOnly.
Flags must be added separately (-h -a -r not -har).

# Show the file attributes
attrib <C:\path\filename>

# Add the 'hidden' attribute
attrib +h <C:\path\filename>

# Remove the 'hidden' property
attrib -h <C:\path\filename>

Example: Set a file as Hidden. (This can also be used to change other file property flags such as Archive and ReadOnly)

# Get File attributes
$file = (Get-ChildItem <file>) # Need the file as an object to get attributes directly
$file.attributes # Show the file's attributes
#Normal

# Flip the bit of the Hidden attribute using xor
$file.attributes = $file.Attributes -bxor ([System.IO.FileAttributes]::Hidden)
$file.attributes
#Hidden

# Change attribute with direct assignment (beware, using = will set ONLY that attribute)
$file.Attributes += 'Hidden'

# To remove the 'Hidden' attribute, flip the bit back using xor (or direct assignement)
$file.attributes = $file.Attributes -bxor ([System.IO.FileAttributes]::Hidden)
$file.attributes
#Normal

NTFS Permissions

NTFS (New Technology File System) permissions are a security feature in Windows that controls who can access files and folders on NTFS-formatted drives. These permissions allow administrators to restrict or grant access to users and groups, ensuring data security and integrity.

NTFS permissions are more granular than share permissions and apply at the file system level, meaning they remain in effect regardless of how the file or folder is accessed (locally or over a network). Permissions can be explicitly assigned or inherited from parent folders.

NTFS Permission Types & Applicability

Below is a table describing the different NTFS permissions:

Permission

Description

Applicable To

Example Use Case

Full Control

Grants complete access, including modifying permissions and taking ownership.

Files & Folders

Administrators managing system files.

Modify

Allows reading, writing, and deleting files/folders.

Files & Folders

Users editing documents but restricted from changing permissions.

Read & Execute

Allows viewing and executing files but prevents modifications.

Files & Folders

Running applications without modifying them.

List Folder Contents

Allows viewing folder contents but prevents file modifications.

Folders Only

Browsing directories without altering files.

Read

Grants permission to view files and folder contents.

Files & Folders

Users needing access to reference documents.

Write

Allows creating and modifying files but prevents deletion.

Files & Folders

Users adding new files to a shared directory.

Traverse Folder / Execute File

Allows navigating through folders or executing files.

Files & Folders

Running scripts or accessing nested directories.

Delete

Grants permission to remove files or folders.

Files & Folders

Users managing temporary files.

Change Permissions

Allows modifying NTFS permissions for files and folders.

Files & Folders

Administrators adjusting access control settings.

Take Ownership

Allows users to take ownership of files or folders.

Files & Folders

Recovering access to locked files.

Key Features of NTFS Permissions

Inheritance: Permissions assigned to a parent folder automatically apply to its subfolders and files unless explicitly overridden.
Explicit vs. Inherited Permissions: Explicit permissions are manually set, while inherited permissions come from parent directories.
Deny Overrides Allow: If a user has both "Allow" and "Deny" permissions, "Deny" takes precedence.
Combining Permissions: If a user belongs to multiple groups, their permissions are combined.

Windows uses two types of permissions to control access to files and folders: Share Permissions and NTFS Permissions. While they serve similar purposes, they function differently and apply in different scenarios.

Apply only to shared folders accessed over a network (not local access).
Three levels of access:
- Read - Users can view files and folders but cannot modify them.
- Change - Users can read, modify, and delete files.
- Full Control - Users can read, modify, delete, and change permissions.
Set at the folder level (not individual files).
Cannot be inherited - each shared folder has its own permissions.

NTFS Permissions

Apply to both local and network access.
More granular control: permissions can be set for individual files and folders.
Can be inherited: permissions assigned to a parent folder apply to subfolders and files.
Includes advanced permissions like Modify, Read & Execute, Write, and Full Control.

When a user accesses a shared folder over the network, both Share and NTFS permissions apply. The most restrictive permission takes precedence.

Permission Type

Explicit vs. Inherited

Allow vs. Deny

Precedence Level

Explicit Deny (NTFS)

Directly assigned to a file or folder

Deny

Highest Precedence

Explicit Deny (Share)

Directly assigned to a shared folder

Deny

High Precedence

Explicit Allow (NTFS)

Directly assigned to a file or folder

Allow

Medium Precedence

Explicit Allow (Share)

Directly assigned to a shared folder

Allow

Medium Precedence

Inherited Deny (NTFS)

Inherited from a parent folder

Deny

Lower Precedence

Inherited Allow (NTFS)

Inherited from a parent folder

Allow

Lowest Precedence

Key Takeaways

Deny always overrides Allow: if a user is explicitly denied access via NTFS or Share permissions, they cannot access the resource.
NTFS permissions apply to both local and network access, while Share permissions apply only to network access.
File permissions override folder permissions, unless Full Control is granted at the folder level.
The most restrictive permission applies: if NTFS allows access but Share denies it, the user is denied.

Access Control Lists (ACLs)

In Windows, Access Control Lists (ACLs) are security structures that define who can access files and folders and what actions they can perform. ACLs consist of Access Control Entries (ACEs), which specify users, groups, or processes and their corresponding permissions.

Every file and folder has an ACL that determines its accessibility:

ACLs contain a list of permissions assigned to different users or groups.
Permissions can be explicitly assigned or inherited from a parent directory.
ACLs help enforce security policies and protect sensitive data.

To view an ACL for a file or folder: right-click on the item in Explorer and select 'Properties'. Click on the 'Security' tab, the view the section marked 'Permissions for '.

Windows ACL Components

Discretionary Access Control List (DACL) - Defines who has allow or deny permissions.
System Access Control List (SACL) - Used for auditing access attempts.
Owner - The user who controls the resource and can change permissions.
Inheritance - Determines if child files/folders receive permissions from a parent directory.

Common ACL Permissions

Permission

Description

Example Use Case

Full Control

Grants complete access, including modifying ACLs and taking ownership.

Used by administrators to manage security settings.

Modify

Allows reading, writing, and deleting files/folders.

Editors and contributors modifying shared project files.

Read & Execute

Allows viewing and running files but prevents modifications.

Running applications without altering them.

List Folder Contents

Allows browsing directories without modifying files.

Users needing access to a directory’s structure without altering data.

Read

Grants permission to view files and folder contents.

Viewing reference documents without editing.

Write

Allows creating and modifying files but prevents deletion.

Users adding new content to shared folders without deletion rights.

Change Permissions

Allows modifying ACL settings for files and folders.

Administrators adjusting access control settings.

Take Ownership

Allows users to take ownership of files or folders.

Recovering access to locked files.

Key Takeaways

ACLs control file/folder access by assigning permissions to users and groups.
Explicit Deny overrides Allow when conflicting permissions exist.
Inheritance determines whether child objects receive parent permissions.

Managing ACLs in Windows

Using File Explorer

Right-click a file or folder → Properties → Security tab.
Click Edit to modify permissions.
Add, remove, or adjust permissions for users and groups.

Using the shell

Using icacls

View ACLs:

icacls C:\SensitiveData

Grant Full Control:

icacls C:\SensitiveData /grant tester:F

Remove Permissions:

icacls C:\SensitiveData /remove tester

Copy permissions from one file or directory to another

Get-ACL C:\File1 | Set-Acl C:\File2

Remove permissions from a folder or file

$path = "C:\temp" #Replace with whatever file you want to do this to.
$acl = Get-Acl $path
$rules = $acl.Access | where IsInherited -eq $false #Gets all non inherited rules.
#Filter your $rules however you want to remove permissions.

#For example, to target a specific user or group:
$targetrule = $rules | where IdentityReference -eq "$Domain\$User" #Leave domain off for local accounts.

$acl.RemoveAccessRule($targetrule)
$acl | Set-Acl -Path $path

Advanced: Add a specific list of permissions to a Folder (or file)

function Edit-Perms {
Param
(   
    $Path = "C:\temp", #Replace with whatever file you want to do this to.
    $User = "$env:username", #Format: "$domain\$useraccount" User account to grant permisions too.
    $Rights = "Read, ReadAndExecute, ListDirectory", #Comma seperated list.
    $InheritSettings = "Containerinherit, ObjectInherit", #Controls how permissions are inherited by children
    $PropogationSettings = "None", #Usually set to none but can setup rules that only apply to children.
    $RuleType = "Allow" #Allow or Deny.
)
$acl = Get-Acl $path
$perm = $user, $Rights, $InheritSettings, $PropogationSettings, $RuleType
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path $path
}

Windows Rights (TODO: finish this)

Valid settings for Rights are as follows:

Setting

Description

AppendData

Specifies the right to append data to the end of a file.

ChangePermissions

Specifies the right to change the security and audit rules associated with a file or folder.

CreateDirectories

Specifies the right to create a folder.

CreateFiles

Specifies the right to create a file.

Delete

Specifies the right to delete a folder or file.

DeleteSubdirectoriesAndFiles

Specifies the right to delete a folder and any files contained within that folder.

ExecuteFile

Specifies the right to run an application file.

FullControl

Specifies the right to exert full control over a folder or file, and to modify access control and audit rules. This value represents the right to do anything with a file and is the combination of all rights in this enumeration.

ListDirectory

Specifies the right to read the contents of a directory.

Modify

Specifies the right to read, write, list folder contents, delete folders and files, and run application files. This right includes the ReadAndExecute right, the Write right, and the Delete right.

Read

Specifies the right to open and copy folders or files as read-only. This right includes the ReadData right, ReadExtendedAttributes right, ReadAttributes right, and ReadPermissions right.

ReadAndExecute

Specifies the right to open and copy folders or files as read-only, and to run application files. This right includes the Read right and the ExecuteFile right.

ReadAttributes

Specifies the right to open and copy file system attributes from a folder or file. For example, this value specifies the right to view the file creation or modified date. This does not include the right to read data, extended file system attributes, or access and audit rules.

ReadData

Specifies the right to open and copy a file or folder. This does not include the right to read file system attributes, extended file system attributes, or access and audit rules.

ReadExtendedAttributes

Specifies the right to open and copy extended file system attributes from a folder or file. For example, this value specifies the right to view author and content information. This does not include the right to read data, file system attributes, or access and audit rules.

ReadPermissions

Specifies the right to open and copy access and audit rules from a folder or file. This does not include the right to read data, file system attributes, and extended file system attributes.

Synchronize

Specifies whether the application can wait for a file handle to synchronize with the completion of an I/O operation.

TakeOwnership

Specifies the right to change the owner of a folder or file. Note that owners of a resource have full access to that resource.

Traverse

Specifies the right to list the contents of a folder and to run applications contained within that folder.

Write

Specifies the right to create folders and files, and to add or remove data from files. This right includes the WriteData right, AppendData right, WriteExtendedAttributes right, and WriteAttributes right.

WriteAttributes

Specifies the right to open and write file system attributes to a folder or file. This does not include the ability to write data, extended attributes, or access and audit rules.

WriteData

Specifies the right to open and write to a file or folder. This does not include the right to open and write file system attributes, extended file system attributes, or access and audit rules.

WriteExtendedAttributes

Specifies the right to open and write extended file system attributes to a folder or file. This does not include the ability to write data, attributes, or access and audit rules.

Valid Inherit settings:

Setting

Description

ContainerInherit

The ACE is inherited by child container objects.

None

The ACE is not inherited by child objects.

ObjectInherit

The ACE is inherited by child leaf objects.

Set the $InheritSettings to None if targeting a file instead of a folder.

Valid Propagation Settings:

Setting

Description

InheritOnly

Specifies that the ACE is propagated only to child objects. This includes both container and leaf child objects.

None

Specifies that no inheritance flags are set.

NoPropagateInherit

Specifies that the ACE is not propagated to child objects.

Shared Folders/SMB

net use z: \\$ip\$sharename
#Adding /persistent:yes will make this survive reboots.

A great example is to mount the Sysinternals Live drive to use the tools directly from Microsoft:

net use z: \live.sysinternals.com\tools\ /persistent:yes

You can thank me later.

net use z: /delete

Environment Variables

The command set will display all current environment variables and their values in cmd.exe. In PowerShell use Get-ChildItem env: (or one of its aliases!) to list environment variables.

Many of the environment variables in the cmd.exe column can be used in other places inside Windows as well, such as the Address Bar of a browser or Explorer window.

Below is a comparison between the environment variables used in PowerShell versus those used in the classic cmd.exe environment (which are also used in many other places throughout Windows, such as Task Scheduler, Event logs, and more).

Meaning

PowerShell

cmd.exe

C:\ProgramData

$env:ALLUSERSPROFILE

%ALLUSERSPROFILE%

Current User's AppData\Roaming Folder

$env:APPDATA

%APPDATA%

C:\Program Files\Common Files

$env:CommonProgramFiles

%CommonProgramFiles%

C:\Program Files (x86)\Common Files

$env:CommonProgramFiles(x86)

%CommonProgramFiles(x86)%

C:\Program Files\Common Files

$env:CommonProgramW6432

%CommonProgramW6432%

Computer Name

$env:COMPUTERNAME

%COMPUTERNAME%

C:\WINDOWS\system32\cmd.exe

$env:ComSpec

%ComSpec%

C:\Windows\System32\Drivers\DriverData

$env:DriverData

%DriverData%

$env:HOMEDRIVE

%HOMEDRIVE%

Current User's home folder

$env:HOMEPATH

%HOMEPATH%

Current User's AppData\Local folder

$env:LOCALAPPDATA

%LOCALAPPDATA%

UNC Path of Logon Server

$env:LOGONSERVER

%LOGONSERVER%

Number of Processor (cores)

$env:NUMBER_OF_PROCESSORS

%NUMBER_OF_PROCESSORS%

Current User's Onedrive folder

$env:OneDrive

%OneDrive%

Current User's Onedrive folder

$env:OneDriveConsumer

%OneDriveConsumer%

Operating System Family

$env:OS

%OS%

PATH to search when unspecified

$env:Path

%Path%

File Extensions that Windows will search PATH for

$env:PATHEXT

%PATHEXT%

Processor Architecture

$env:PROCESSOR_ARCHITECTURE

%PROCESSOR_ARCHITECTURE%

Processor ID

$env:PROCESSOR_IDENTIFIER

%PROCESSOR_IDENTIFIER%

Processor Level

$env:PROCESSOR_LEVEL

%PROCESSOR_LEVEL%

Processor Revision

$env:PROCESSOR_REVISION

%PROCESSOR_REVISION%

C:\ProgramData

$env:ProgramData

%ProgramData%

C:\Program Files

$env:ProgramFiles

%ProgramFiles%

C:\Program Files (x86)

$env:ProgramFiles(x86)

%ProgramFiles(x86)%

C:\Program Files

$env:ProgramW6432

%ProgramW6432%

PATH for PowerShell Modules

$env:PSModulePath

%PSModulePath%

C:\Users\Public

$env:PUBLIC

%PUBLIC%

Console

$env:SESSIONNAME

%SESSIONNAME%

$env:SystemDrive

%SystemDrive%

C:\WINDOWS

$env:SystemRoot

%SystemRoot%

Current User's AppData\Local\Temp Folder

$env:TEMP

%TEMP%

Current User's AppData\Local\Temp Folder

$env:TMP

%TMP%

Domain Name

$env:USERDOMAIN

%USERDOMAIN%

Roaming Profile Domain

$env:USERDOMAIN_ROAMINGPROFILE

%USERDOMAIN_ROAMINGPROFILE%

User Name

$env:USERNAME

%USERNAME%

User Home Folder

$env:USERPROFILE

%USERPROFILE%

C:\WINDOWS

$env:windir

%windir%

Shortcuts

(TODO: Make tables)

CTRL+N (open new session), CTRL+R (Execute Commands), CTRL+SHIFT+ESC (Task Manager), Windows+E (open explorer), CTRL-B, CTRL-I (Favourites), CTRL-H (History), CTRL-L, CTRL-O (File/Open Dialog), CTRL-P (Print Dialog), CTRL-S (Save As)

Hidden Administrative menu: CTRL-ALT-F8, CTRL-ESC-F9

Shell URIs

shell:Administrative Tools
shell:DocumentsLibrary
shell:Libraries
shell:UserProfiles
shell:Personal
shell:SearchHomeFolder
shell:NetworkPlacesFolder
shell:SendTo
shell:UserProfiles
shell:Common Administrative Tools
shell:MyComputerFolder
shell:InternetFolder
Shell:Profile
Shell:ProgramFiles
Shell:System
Shell:ControlPanelFolder
Shell:Windows
shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D} --> Control Panel
shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D} --> This PC/My Computer
shell:::{208D2C60-3AEA-1069-A2D7-08002B30309D} --> Network Places

Powershell

Thanks

PreviousVim NextPowerShell

Last updated 4 hours ago

Was this helpful?

Sysinternals

Tool

Description

Example Use Case

Cyber Kill Chain Phase

PsExec

Executes processes remotely on another system.

Used for lateral movement by executing commands on remote hosts.

Lateral Movement

AccessChk

Checks user permissions for files, registry keys, and objects.

Identify privilege escalation opportunities by analyzing access control settings.

Privilege Escalation

ProcMon (Process Monitor)

Captures real-time system activity, including file, registry, and network events.

Monitor security controls and detect potential weaknesses in endpoint defenses.

Exploitation

TCPView

Monitors active TCP/UDP connections in real time.

Identify open ports and active connections for reconnaissance.

Reconnaissance

Autoruns & Autorunsc

Displays all auto-start programs, services, and registry entries.

Find persistence mechanisms used by malware or adversaries.

Persistence

Handle

Lists open handles to files, registry keys, and other system objects.

Investigate (i.e. unlock) locked files that may contain sensitive data or credentials.

Credential Access

ListDLLs

Displays loaded DLLs for running processes.

Identify DLL injection opportunities for stealthy code execution (i.e. Running malware)

Defense Evasion

SigCheck

Verifies digital signatures of files.

Detect unsigned or tampered executables that may be malicious.

Execution

Strings

Extracts readable text from binary files.

Analyze malware binaries for embedded commands or indicators of compromise.

Reconnaissance

PsSuspend

Suspends processes without terminating them.

Disable security tools temporarily during red-team operations.

Defense Evasion

A full list of the current tools can be found .
Sysinternals tools can be linked to directly and run in-memory from
- This command maps the current full list of Sysinternals tools to the first available drive letter as a network share, ready for use!
```
net use * //live.sysinternals.com
```

Windows Shells

CMD.EXE

Use Cases for `cmd.exe`

System Administration: Modify system settings, manage processes, and configure user accounts.
Networking: Troubleshoot connectivity, scan ports, and manage network shares.
Security & Forensics: Analyze logs, check permissions, and identify suspicious activities.
Scripting & Automation: Write batch scripts for repetitive tasks and scheduled jobs.
File & Directory Management: Copy, move, delete, and modify file attributes efficiently.

Types of Commands in `cmd.exe`

There are two primary types of commands that can be executed in cmd.exe:

Built-in Commands:
- These commands are directly processed within the cmd.exe shell, meaning they do not rely on external programs to execute.
- Built-ins provide essential functionality such as file manipulation, directory navigation, and environment management.
- Examples: cd (change directory), dir (list files), echo (display text), set (manage environment variables), and exit (close command prompt).
External Executables:
- These commands call separate .exe files, typically stored in system directories like C:\Windows\System32\.
- External commands extend the shell’s capabilities by invoking system utilities and tools.
- Examples: ping.exe (network testing), ipconfig.exe (network configuration), tasklist.exe (list running processes), and robocopy.exe (advanced file copy operations).

For example:

cd, dir, echo, set, exit are all built-ins handled directly by cmd.exe.
Commands like ping, ipconfig, tasklist, and robocopy are external, i.e. they invoke separate .exe files located in system directories (e.g. C:\Windows\System32\).

Windows CMD built-in commands

Command

Description

Example Use Case

Changes the current directory.

cd C:\Users\tester\Documents – Navigate to the Documents folder for user tester.

dir

Lists files and directories in the current folder.

dir /s /b – List all files in the current directory and subdirectories.

echo

Displays text or variables in the command prompt.

echo Hello, World! – Print "Hello, World!" to the screen.

set

Sets or displays environment variables.

set PATH – Show the current PATH variable.

exit

Closes the command prompt.

exit – Close the terminal session.

cls

Clears the command prompt screen.

cls – Wipe the screen clean.

ver

Displays the Windows version.

ver – Show the OS version number.

help

Displays help information for CMD commands.

help dir – Show details on how to use the dir command.

copy

Copies files from one location to another.

copy file.txt D:\Backup\ – Copy file.txt to the Backup folder.

move

Moves files from one location to another.

move file.txt D:\Backup\ – Move file.txt to the Backup folder.

del

Deletes files.

del /F /Q file.txt – Force delete file.txt without confirmation.

ren

Renames a file or folder.

ren oldname.txt newname.txt – Rename oldname.txt to newname.txt.

mkdir

Creates a new directory.

mkdir C:\NewFolder – Create a folder named NewFolder.

rmdir

Deletes a directory.

rmdir /s /q C:\OldFolder – Remove OldFolder and its contents.

attrib

Changes file attributes (hidden, read-only, etc.).

attrib +H file.txt – Hide file.txt.

title

Changes the title of the command prompt window.

title Custom CMD Window – Set the window title to "Custom CMD Window".

prompt

Changes the command prompt display style.

prompt $P$G – Set prompt to display the current path followed by >.

The 'Net' Commands

Command

Description

Example Use Case

Common Options

net user

Manages user accounts on a computer. You can add, remove, and modify users.

net user tester /add – Adds a new user named tester.

/delete – Remove a user, /domain – Execute on a domain controller.

net localgroup

Manages local groups on the computer. You can add, remove, and list members.

net localgroup Administrators tester /add – Adds tester to the Administrators group.

/delete – Remove a group, /add – Create a new group.

net share

Creates, deletes, and manages shared resources on the network.

net share myshare=C:\MyFolder /grant:tester,full – Creates a share named myshare with full access for user tester.

/delete – Stop sharing a resource, /grant – Assign access permissions.

net start / stop

Starts or stops network services.

net start "Web Client" – Starts the Web Client service.

Specify service names to start or stop.

net session

Displays all current sessions or disconnects them.

net session \\RemotePC /delete – Disconnects the session with RemotePC.

/delete – End a session.

net use

Connects, disconnects, and displays shared network resources.

net use Z: \\Server\Share – Maps the network share at \\Server\Share to the Z: drive.

/delete – Disconnect a network drive, /persistent – Make the connection persistent across reboots.

net view

Displays a list of computers or network resources.

net view \\Server – Shows shared resources on the server named Server.

/domain – List domains or computers in a domain.

net accounts

Displays or modifies password and logon policies for user accounts.

net accounts /maxpwage:90 – Set maximum password age to 90 days.

/forcelogoff – Force logoff after inactivity, /minpwlen – Set minimum password length.

net statistics

Displays statistics for network services like Workstation or Server.

net statistics workstation – View workstation statistics.

Specify workstation or server for different stats.

net print

Displays or manages print jobs on a network printer.

net print \\Server\Printer – View print jobs on a shared printer.

/delete – Remove a print job.

net file

Displays open files on a network and allows closing them.

net file – View open files.

/close – Close an open file.

net group

Manages global groups on a domain.

net group "IT Admins" /add – Creates a new global group named "IT Admins".

/delete – Remove a group, /add – Create a new group.

net time

Synchronizes the system clock with a network time server.

net time \\Server /set /yes – Sync time with Server.

/querysntp – Query the SNTP time server.

File Manipulation

File Attributes

Here is a list of the most common Windows file attributes:

Attribute

Description

Example Use Case

Read-Only (R)

Prevents modifications to the file.

Used on important documents to avoid accidental changes.

Hidden (H)

Hides the file from standard directory views.

Hiding configuration files from casual users.

System (S)

Marks a file as a system file, restricting user modifications.

Applied to critical Windows system files.

Archive (A)

Flags the file for backup or archiving purposes.

Automatically marked when a file is edited, useful for backup software.

Compressed (C)

Indicates the file is compressed via NTFS compression.

Reduces file size on NTFS partitions.

Encrypted (E)

Encrypts the file using NTFS encryption.

Protects sensitive data by restricting unauthorized access.

Temporary (T)

Indicates the file is for temporary use.

Used by applications for cache storage.

Sparse (P)

Allocates disk space efficiently by storing only non-zero data.

Used for database and virtualization scenarios.

Offline (O)

Marks the file as offline, meaning it's stored remotely.

Useful for files managed by cloud storage systems.

Managing File Attributes

You can view and change file attributes using the following commands:

CMD: attrib +H secret.txt → Hide secret.txt attrib -R report.docx → Remove Read-Only from report.docx
PowerShell: $file = Get-Item "C:\example.txt"; $file.Attributes += 'Hidden' → Hide the file

Example: Set a file as Hidden (-h) using attrib.

This can also be used to change other file property flags such as (a) Archive and (r) ReadOnly.
Flags must be added separately (-h -a -r not -har).

# Show the file attributes
attrib <C:\path\filename>

# Add the 'hidden' attribute
attrib +h <C:\path\filename>

# Remove the 'hidden' property
attrib -h <C:\path\filename>

Example: Set a file as Hidden. (This can also be used to change other file property flags such as Archive and ReadOnly)

# Get File attributes
$file = (Get-ChildItem <file>) # Need the file as an object to get attributes directly
$file.attributes # Show the file's attributes
#Normal

# Flip the bit of the Hidden attribute using xor
$file.attributes = $file.Attributes -bxor ([System.IO.FileAttributes]::Hidden)
$file.attributes
#Hidden

# Change attribute with direct assignment (beware, using = will set ONLY that attribute)
$file.Attributes += 'Hidden'

# To remove the 'Hidden' attribute, flip the bit back using xor (or direct assignement)
$file.attributes = $file.Attributes -bxor ([System.IO.FileAttributes]::Hidden)
$file.attributes
#Normal

NTFS Permissions

NTFS Permission Types & Applicability

Below is a table describing the different NTFS permissions:

Permission

Description

Applicable To

Example Use Case

Full Control

Grants complete access, including modifying permissions and taking ownership.

Files & Folders

Administrators managing system files.

Modify

Allows reading, writing, and deleting files/folders.

Files & Folders

Users editing documents but restricted from changing permissions.

Read & Execute

Allows viewing and executing files but prevents modifications.

Files & Folders

Running applications without modifying them.

List Folder Contents

Allows viewing folder contents but prevents file modifications.

Folders Only

Browsing directories without altering files.

Read

Grants permission to view files and folder contents.

Files & Folders

Users needing access to reference documents.

Write

Allows creating and modifying files but prevents deletion.

Files & Folders

Users adding new files to a shared directory.

Traverse Folder / Execute File

Allows navigating through folders or executing files.

Files & Folders

Running scripts or accessing nested directories.

Delete

Grants permission to remove files or folders.

Files & Folders

Users managing temporary files.

Change Permissions

Allows modifying NTFS permissions for files and folders.

Files & Folders

Administrators adjusting access control settings.

Take Ownership

Allows users to take ownership of files or folders.

Files & Folders

Recovering access to locked files.

Key Features of NTFS Permissions

Inheritance: Permissions assigned to a parent folder automatically apply to its subfolders and files unless explicitly overridden.
Explicit vs. Inherited Permissions: Explicit permissions are manually set, while inherited permissions come from parent directories.
Deny Overrides Allow: If a user has both "Allow" and "Deny" permissions, "Deny" takes precedence.
Combining Permissions: If a user belongs to multiple groups, their permissions are combined.

Apply only to shared folders accessed over a network (not local access).
Three levels of access:
- Read - Users can view files and folders but cannot modify them.
- Change - Users can read, modify, and delete files.
- Full Control - Users can read, modify, delete, and change permissions.
Set at the folder level (not individual files).
Cannot be inherited - each shared folder has its own permissions.

NTFS Permissions

Apply to both local and network access.
More granular control: permissions can be set for individual files and folders.
Can be inherited: permissions assigned to a parent folder apply to subfolders and files.
Includes advanced permissions like Modify, Read & Execute, Write, and Full Control.

When a user accesses a shared folder over the network, both Share and NTFS permissions apply. The most restrictive permission takes precedence.

Permission Type

Explicit vs. Inherited

Allow vs. Deny

Precedence Level

Explicit Deny (NTFS)

Directly assigned to a file or folder

Deny

Highest Precedence

Explicit Deny (Share)

Directly assigned to a shared folder

Deny

High Precedence

Explicit Allow (NTFS)

Directly assigned to a file or folder

Allow

Medium Precedence

Explicit Allow (Share)

Directly assigned to a shared folder

Allow

Medium Precedence

Inherited Deny (NTFS)

Inherited from a parent folder

Deny

Lower Precedence

Inherited Allow (NTFS)

Inherited from a parent folder

Allow

Lowest Precedence

Key Takeaways

Deny always overrides Allow: if a user is explicitly denied access via NTFS or Share permissions, they cannot access the resource.
NTFS permissions apply to both local and network access, while Share permissions apply only to network access.
File permissions override folder permissions, unless Full Control is granted at the folder level.
The most restrictive permission applies: if NTFS allows access but Share denies it, the user is denied.

Access Control Lists (ACLs)

Every file and folder has an ACL that determines its accessibility:

ACLs contain a list of permissions assigned to different users or groups.
Permissions can be explicitly assigned or inherited from a parent directory.
ACLs help enforce security policies and protect sensitive data.

To view an ACL for a file or folder: right-click on the item in Explorer and select 'Properties'. Click on the 'Security' tab, the view the section marked 'Permissions for '.

Windows ACL Components

Discretionary Access Control List (DACL) - Defines who has allow or deny permissions.
System Access Control List (SACL) - Used for auditing access attempts.
Owner - The user who controls the resource and can change permissions.
Inheritance - Determines if child files/folders receive permissions from a parent directory.

Common ACL Permissions

Permission

Description

Example Use Case

Full Control

Grants complete access, including modifying ACLs and taking ownership.

Used by administrators to manage security settings.

Modify

Allows reading, writing, and deleting files/folders.

Editors and contributors modifying shared project files.

Read & Execute

Allows viewing and running files but prevents modifications.

Running applications without altering them.

List Folder Contents

Allows browsing directories without modifying files.

Users needing access to a directory’s structure without altering data.

Read

Grants permission to view files and folder contents.

Viewing reference documents without editing.

Write

Allows creating and modifying files but prevents deletion.

Users adding new content to shared folders without deletion rights.

Change Permissions

Allows modifying ACL settings for files and folders.

Administrators adjusting access control settings.

Take Ownership

Allows users to take ownership of files or folders.

Recovering access to locked files.

Key Takeaways

ACLs control file/folder access by assigning permissions to users and groups.
Explicit Deny overrides Allow when conflicting permissions exist.
Inheritance determines whether child objects receive parent permissions.

Managing ACLs in Windows

Using File Explorer

Right-click a file or folder → Properties → Security tab.
Click Edit to modify permissions.
Add, remove, or adjust permissions for users and groups.

Using the shell

Using icacls

View ACLs:

icacls C:\SensitiveData

Grant Full Control:

icacls C:\SensitiveData /grant tester:F

Remove Permissions:

icacls C:\SensitiveData /remove tester

Copy permissions from one file or directory to another

Get-ACL C:\File1 | Set-Acl C:\File2

Remove permissions from a folder or file

$path = "C:\temp" #Replace with whatever file you want to do this to.
$acl = Get-Acl $path
$rules = $acl.Access | where IsInherited -eq $false #Gets all non inherited rules.
#Filter your $rules however you want to remove permissions.

#For example, to target a specific user or group:
$targetrule = $rules | where IdentityReference -eq "$Domain\$User" #Leave domain off for local accounts.

$acl.RemoveAccessRule($targetrule)
$acl | Set-Acl -Path $path

Advanced: Add a specific list of permissions to a Folder (or file)

function Edit-Perms {
Param
(   
    $Path = "C:\temp", #Replace with whatever file you want to do this to.
    $User = "$env:username", #Format: "$domain\$useraccount" User account to grant permisions too.
    $Rights = "Read, ReadAndExecute, ListDirectory", #Comma seperated list.
    $InheritSettings = "Containerinherit, ObjectInherit", #Controls how permissions are inherited by children
    $PropogationSettings = "None", #Usually set to none but can setup rules that only apply to children.
    $RuleType = "Allow" #Allow or Deny.
)
$acl = Get-Acl $path
$perm = $user, $Rights, $InheritSettings, $PropogationSettings, $RuleType
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path $path
}

Windows Rights (TODO: finish this)

Valid settings for Rights are as follows:

Setting

Description

AppendData

Specifies the right to append data to the end of a file.

ChangePermissions

Specifies the right to change the security and audit rules associated with a file or folder.

CreateDirectories

Specifies the right to create a folder.

CreateFiles

Specifies the right to create a file.

Delete

Specifies the right to delete a folder or file.

DeleteSubdirectoriesAndFiles

Specifies the right to delete a folder and any files contained within that folder.

ExecuteFile

Specifies the right to run an application file.

FullControl

ListDirectory

Specifies the right to read the contents of a directory.

Modify

Specifies the right to read, write, list folder contents, delete folders and files, and run application files. This right includes the ReadAndExecute right, the Write right, and the Delete right.

Read

Specifies the right to open and copy folders or files as read-only. This right includes the ReadData right, ReadExtendedAttributes right, ReadAttributes right, and ReadPermissions right.

ReadAndExecute

Specifies the right to open and copy folders or files as read-only, and to run application files. This right includes the Read right and the ExecuteFile right.

ReadAttributes

ReadData

Specifies the right to open and copy a file or folder. This does not include the right to read file system attributes, extended file system attributes, or access and audit rules.

ReadExtendedAttributes

ReadPermissions

Specifies the right to open and copy access and audit rules from a folder or file. This does not include the right to read data, file system attributes, and extended file system attributes.

Synchronize

Specifies whether the application can wait for a file handle to synchronize with the completion of an I/O operation.

TakeOwnership

Specifies the right to change the owner of a folder or file. Note that owners of a resource have full access to that resource.

Traverse

Specifies the right to list the contents of a folder and to run applications contained within that folder.

Write

WriteAttributes

Specifies the right to open and write file system attributes to a folder or file. This does not include the ability to write data, extended attributes, or access and audit rules.

WriteData

Specifies the right to open and write to a file or folder. This does not include the right to open and write file system attributes, extended file system attributes, or access and audit rules.

WriteExtendedAttributes

Specifies the right to open and write extended file system attributes to a folder or file. This does not include the ability to write data, attributes, or access and audit rules.

Valid Inherit settings:

Setting

Description

ContainerInherit

The ACE is inherited by child container objects.

None

The ACE is not inherited by child objects.

ObjectInherit

The ACE is inherited by child leaf objects.

Set the $InheritSettings to None if targeting a file instead of a folder.

Valid Propagation Settings:

Setting

Description

InheritOnly

Specifies that the ACE is propagated only to child objects. This includes both container and leaf child objects.

None

Specifies that no inheritance flags are set.

NoPropagateInherit

Specifies that the ACE is not propagated to child objects.

Shared Folders/SMB

net use z: \\$ip\$sharename
#Adding /persistent:yes will make this survive reboots.

A great example is to mount the Sysinternals Live drive to use the tools directly from Microsoft:

net use z: \live.sysinternals.com\tools\ /persistent:yes

You can thank me later.

net use z: /delete

Environment Variables

The command set will display all current environment variables and their values in cmd.exe. In PowerShell use Get-ChildItem env: (or one of its aliases!) to list environment variables.

Many of the environment variables in the cmd.exe column can be used in other places inside Windows as well, such as the Address Bar of a browser or Explorer window.

You can find more about Windows environment variables on the .

Meaning

PowerShell

cmd.exe

C:\ProgramData

$env:ALLUSERSPROFILE

%ALLUSERSPROFILE%

Current User's AppData\Roaming Folder

$env:APPDATA

%APPDATA%

C:\Program Files\Common Files

$env:CommonProgramFiles

%CommonProgramFiles%

C:\Program Files (x86)\Common Files

$env:CommonProgramFiles(x86)

%CommonProgramFiles(x86)%

C:\Program Files\Common Files

$env:CommonProgramW6432

%CommonProgramW6432%

Computer Name

$env:COMPUTERNAME

%COMPUTERNAME%

C:\WINDOWS\system32\cmd.exe

$env:ComSpec

%ComSpec%

C:\Windows\System32\Drivers\DriverData

$env:DriverData

%DriverData%

$env:HOMEDRIVE

%HOMEDRIVE%

Current User's home folder

$env:HOMEPATH

%HOMEPATH%

Current User's AppData\Local folder

$env:LOCALAPPDATA

%LOCALAPPDATA%

UNC Path of Logon Server

$env:LOGONSERVER

%LOGONSERVER%

Number of Processor (cores)

$env:NUMBER_OF_PROCESSORS

%NUMBER_OF_PROCESSORS%

Current User's Onedrive folder

$env:OneDrive

%OneDrive%

Current User's Onedrive folder

$env:OneDriveConsumer

%OneDriveConsumer%

Operating System Family

$env:OS

%OS%

PATH to search when unspecified

$env:Path

%Path%

File Extensions that Windows will search PATH for

$env:PATHEXT

%PATHEXT%

Processor Architecture

$env:PROCESSOR_ARCHITECTURE

%PROCESSOR_ARCHITECTURE%

Processor ID

$env:PROCESSOR_IDENTIFIER

%PROCESSOR_IDENTIFIER%

Processor Level

$env:PROCESSOR_LEVEL

%PROCESSOR_LEVEL%

Processor Revision

$env:PROCESSOR_REVISION

%PROCESSOR_REVISION%

C:\ProgramData

$env:ProgramData

%ProgramData%

C:\Program Files

$env:ProgramFiles

%ProgramFiles%

C:\Program Files (x86)

$env:ProgramFiles(x86)

%ProgramFiles(x86)%

C:\Program Files

$env:ProgramW6432

%ProgramW6432%

PATH for PowerShell Modules

$env:PSModulePath

%PSModulePath%

C:\Users\Public

$env:PUBLIC

%PUBLIC%

Console

$env:SESSIONNAME

%SESSIONNAME%

$env:SystemDrive

%SystemDrive%

C:\WINDOWS

$env:SystemRoot

%SystemRoot%

Current User's AppData\Local\Temp Folder

$env:TEMP

%TEMP%

Current User's AppData\Local\Temp Folder

$env:TMP

%TMP%

Domain Name

$env:USERDOMAIN

%USERDOMAIN%

Roaming Profile Domain

$env:USERDOMAIN_ROAMINGPROFILE

%USERDOMAIN_ROAMINGPROFILE%

User Name

$env:USERNAME

%USERNAME%

User Home Folder

$env:USERPROFILE

%USERPROFILE%

C:\WINDOWS

$env:windir

%windir%

Shortcuts

(TODO: Make tables)

Hidden Administrative menu: CTRL-ALT-F8, CTRL-ESC-F9

Shell URIs

shell:Administrative Tools
shell:DocumentsLibrary
shell:Libraries
shell:UserProfiles
shell:Personal
shell:SearchHomeFolder
shell:NetworkPlacesFolder
shell:SendTo
shell:UserProfiles
shell:Common Administrative Tools
shell:MyComputerFolder
shell:InternetFolder
Shell:Profile
Shell:ProgramFiles
Shell:System
Shell:ControlPanelFolder
Shell:Windows
shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D} --> Control Panel
shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D} --> This PC/My Computer
shell:::{208D2C60-3AEA-1069-A2D7-08002B30309D} --> Network Places

Powershell

PowerShell is a large and important enough topic that it has its .

Thanks

If you like this content and would like to see more, please consider !

Sysinternals

Windows Shells

CMD.EXE

Use Cases for cmd.exe

Types of Commands in cmd.exe

Windows CMD built-in commands

The 'Net' Commands

File Manipulation

File Attributes

Managing File Attributes

NTFS Permissions

NTFS Permission Types & Applicability

Key Features of NTFS Permissions

Windows Share Permissions

Share Permissions

NTFS Permissions

Precedence of Share vs. NTFS Permissions

Access Control Lists (ACLs)

Windows ACL Components

Common ACL Permissions

Key Takeaways

Managing ACLs in Windows

Using File Explorer

Using the shell

Windows Rights (TODO: finish this)

Valid Inherit settings:

Valid Propagation Settings:

Shared Folders/SMB

Mount a remote CIFS/SMB share

To remove a previously mounted share:

Environment Variables

Explorer Navigation

Shortcuts

Shell URIs

Powershell

Thanks

Sysinternals

Windows Shells

CMD.EXE

Use Cases for cmd.exe

Types of Commands in cmd.exe

Windows CMD built-in commands

The 'Net' Commands

File Manipulation

File Attributes

Managing File Attributes

NTFS Permissions

NTFS Permission Types & Applicability

Key Features of NTFS Permissions

Windows Share Permissions

Share Permissions

NTFS Permissions

Precedence of Share vs. NTFS Permissions

Access Control Lists (ACLs)

Windows ACL Components

Common ACL Permissions

Key Takeaways

Managing ACLs in Windows

Using File Explorer

Using the shell

Windows Rights (TODO: finish this)

Valid Inherit settings:

Valid Propagation Settings:

Shared Folders/SMB

Mount a remote CIFS/SMB share

To remove a previously mounted share:

Environment Variables

Explorer Navigation

Shortcuts

Shell URIs

Powershell

Thanks

Use Cases for `cmd.exe`

Types of Commands in `cmd.exe`

Use Cases for `cmd.exe`

Types of Commands in `cmd.exe`