56 🟢 Beginner
29 🟡 Intermediate
7 🔴 Advanced
All commands require authorised access · Windows 10/11 / Server 2019+
📁 WORKSPACE 2 COMMANDS · ASSESSMENT SETUP AND ORGANISATION
Create Assessment Workspace 🟢 Beginner
Description
Creates an organized folder structure for the assessment with Evidence, Screenshots, Network, SystemInfo, Passwords, and Reports folders. Includes a timestamped log file.
Purpose
Start every assessment with proper organization
🪟 Command Prompt (CMD)
mkdir ClientAssessment_2026
cd ClientAssessment_2026
mkdir Evidence Screenshots Network SystemInfo Passwords Reports
echo Assessment started: %date% %time% > _assessment_log.txt
💻 PowerShell
New-Item -ItemType Directory -Path "ClientAssessment_2026"
Set-Location "ClientAssessment_2026"
"Evidence","Screenshots","Network","SystemInfo","Passwords","Reports" | ForEach-Object {New-Item -ItemType Directory -Name $_}
"Assessment started: $(Get-Date)" | Out-File "_assessment_log.txt"
Create Evidence Folder with Timestamp 🟢 Beginner
Description
Creates an evidence folder with current date and time in the name for unique identification.
Purpose
Organize evidence by date/time for multiple assessments
🪟 Command Prompt (CMD)
set "ts=%time: =0%"
mkdir Evidence_%date:~-4,4%%date:~-10,2%%date:~-7,2%_%ts:~0,2%%ts:~3,2%
💻 PowerShell
New-Item -ItemType Directory -Name "Evidence_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
👤 USERS 9 COMMANDS · USER AND GROUP ENUMERATION
List All Local Users 🟢 Beginner
Description
Displays all user accounts on the local system with their properties.
Purpose
Identify all user accounts that exist on the system
🪟 Command Prompt (CMD)
net user
💻 PowerShell
Get-LocalUser | Format-Table Name, Enabled, LastLogon, PasswordRequired, PasswordLastSet
Show User Details 🟢 Beginner
Description
Shows detailed information about a specific user account including groups, last logon, password age.
Purpose
Get comprehensive information about a specific user
🪟 Command Prompt (CMD)
net user Administrator
💻 PowerShell
Get-LocalUser -Name Administrator | Format-List *
List Administrator Group Members 🟢 Beginner
Description
Shows all users who have administrator privileges on the system.
Purpose
Identify privileged accounts for security assessment
🪟 Command Prompt (CMD)
net localgroup administrators
💻 PowerShell
Get-LocalGroupMember -Group "Administrators" | Format-Table Name, ObjectClass, PrincipalSource
Show Current User Info 🟢 Beginner
Description
Displays detailed information about the currently logged-in user including groups and privileges.
Purpose
Understand your current security context and permissions
🪟 Command Prompt (CMD)
whoami /all
💻 PowerShell
whoami /all
List All Local Groups 🟢 Beginner
Description
Enumerates all local security groups on the system.
Purpose
Map out group structure for privilege analysis
🪟 Command Prompt (CMD)
net localgroup
💻 PowerShell
Get-LocalGroup | Format-Table Name, Description, SID
Show Remote Desktop Users 🟡 Intermediate
Description
Lists users allowed to connect via Remote Desktop.
Purpose
Identify remote access capabilities
🪟 Command Prompt (CMD)
net localgroup "Remote Desktop Users"
💻 PowerShell
Get-LocalGroupMember -Group "Remote Desktop Users" | Format-Table
Show Currently Logged In Users 🟢 Beginner
Description
Displays all users currently logged into the system (local and remote sessions).
Purpose
See who else is on the system right now
🪟 Command Prompt (CMD)
query user
💻 PowerShell
quser
Show Active User Sessions 🟢 Beginner
Description
Shows detailed information about all active user sessions.
Purpose
Monitor active logins and session details
🪟 Command Prompt (CMD)
query session
💻 PowerShell
query session
Show Password Policy 🟡 Intermediate
Description
Displays the local password policy settings including min length, complexity, lockout.
Purpose
Assess password security requirements
🪟 Command Prompt (CMD)
net accounts
💻 PowerShell
Get-LocalUser | Select-Object Name, PasswordRequired, PasswordExpires, @{N='PasswordAge(Days)';E={(New-TimeSpan -Start $_.PasswordLastSet).Days}}
🌐 NETWORK 15 COMMANDS · NETWORK DISCOVERY AND ANALYSIS
Show IP Configuration 🟢 Beginner
Description
Displays all network adapter configurations including IP addresses, subnet masks, gateways, and DNS servers.
Purpose
Understand network configuration and connectivity
🪟 Command Prompt (CMD)
ipconfig /all
💻 PowerShell
Get-NetIPConfiguration -Detailed
Show Network Interfaces 🟢 Beginner
Description
Lists all network interfaces with their status and configuration.
Purpose
Identify all network adapters and their properties
🪟 Command Prompt (CMD)
netsh interface show interface
💻 PowerShell
Get-NetAdapter | Format-Table Name, InterfaceDescription, Status, LinkSpeed, MacAddress
Show ARP Cache 🟢 Beginner
Description
Displays the ARP cache showing IP-to-MAC address mappings of recently contacted devices.
Purpose
See other devices on the local network
🪟 Command Prompt (CMD)
arp -a
💻 PowerShell
Get-NetNeighbor | Format-Table IPAddress, LinkLayerAddress, State
Show Routing Table 🟡 Intermediate
Description
Displays the routing table showing how network traffic is directed.
Purpose
Understand network routing and gateway configuration
🪟 Command Prompt (CMD)
route print
💻 PowerShell
Get-NetRoute | Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
Show All Network Connections 🟢 Beginner
Description
Lists all active network connections with local/remote addresses, ports, and process IDs.
Purpose
See all active network communication
🪟 Command Prompt (CMD)
netstat -ano
💻 PowerShell
Get-NetTCPConnection | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
Show Listening Ports 🟢 Beginner
Description
Shows only ports that are actively listening for incoming connections.
Purpose
Identify services accepting network connections
🪟 Command Prompt (CMD)
netstat -ano | findstr LISTENING
💻 PowerShell
Get-NetTCPConnection | Where-Object {$_.State -eq "Listen"} | Format-Table LocalAddress, LocalPort, OwningProcess, @{N='Process';E={(Get-Process -Id $_.OwningProcess).ProcessName}}
Show Established Connections 🟢 Beginner
Description
Displays only currently established (active) network connections.
Purpose
See active communications happening right now
🪟 Command Prompt (CMD)
netstat -ano | findstr ESTABLISHED
💻 PowerShell
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, @{N='Process';E={(Get-Process -Id $_.OwningProcess).ProcessName}}
Show DNS Cache 🟢 Beginner
Description
Displays cached DNS resolution entries showing recently resolved domain names.
Purpose
See what domains have been recently accessed
🪟 Command Prompt (CMD)
ipconfig /displaydns
💻 PowerShell
Get-DnsClientCache | Format-Table Entry, Name, Type, TimeToLive
Clear DNS Cache 🟢 Beginner
Description
Flushes the DNS resolver cache. Useful for troubleshooting DNS issues.
Purpose
Reset DNS cache to force fresh lookups
🪟 Command Prompt (CMD)
ipconfig /flushdns
💻 PowerShell
Clear-DnsClientCache
Show Network Shares 🟢 Beginner
Description
Lists all shared folders/resources on the local system.
Purpose
Identify file shares that may be accessible over network
🪟 Command Prompt (CMD)
net share
💻 PowerShell
Get-SmbShare | Format-Table Name, Path, Description, CurrentUsers
Show Active SMB Sessions 🟡 Intermediate
Description
Displays active SMB (file sharing) sessions from remote computers.
Purpose
See who is accessing shared files
🪟 Command Prompt (CMD)
net session
💻 PowerShell
Get-SmbSession | Format-Table ClientComputerName, ClientUserName, NumOpens, SecondsIdle
Test Network Connectivity 🟢 Beginner
Description
Tests connectivity to a remote host (example: google.com). Shows if host is reachable.
Purpose
Verify internet/network connectivity
🪟 Command Prompt (CMD)
ping google.com
💻 PowerShell
Test-Connection google.com -Count 4
Trace Network Route 🟢 Beginner
Description
Traces the network path to a destination showing all hops along the way.
Purpose
Troubleshoot network routing and identify path to destination
🪟 Command Prompt (CMD)
tracert google.com
💻 PowerShell
Test-NetConnection google.com -TraceRoute
DNS Lookup 🟢 Beginner
Description
Resolves a domain name to its IP address(es).
Purpose
Find IP address of a domain
🪟 Command Prompt (CMD)
nslookup google.com
💻 PowerShell
Resolve-DnsName google.com
Show Network Statistics 🟡 Intermediate
Description
Displays detailed network protocol statistics (TCP, UDP, ICMP, IP).
Purpose
Analyze network usage and protocol statistics
🪟 Command Prompt (CMD)
netstat -s
💻 PowerShell
Get-NetTCPConnection | Group-Object State | Select-Object Count, Name
🛡️ FIREWALL 5 COMMANDS · FIREWALL CONFIGURATION AND RULES
Show Firewall Status 🟢 Beginner
Description
Displays Windows Firewall status for all profiles (Domain, Private, Public).
Purpose
Check if firewall is enabled and its configuration
🪟 Command Prompt (CMD)
netsh advfirewall show allprofiles
💻 PowerShell
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Show All Firewall Rules 🟡 Intermediate
Description
Lists all Windows Firewall rules (can be very long).
Purpose
See all firewall rules configured on system
🪟 Command Prompt (CMD)
netsh advfirewall firewall show rule name=all
💻 PowerShell
Get-NetFirewallRule | Format-Table DisplayName, Direction, Action, Enabled
Show Enabled Firewall Rules 🟡 Intermediate
Description
Lists only currently enabled firewall rules.
Purpose
See active firewall rules affecting traffic
🪟 Command Prompt (CMD)
netsh advfirewall firewall show rule name=all | findstr /C:"Rule Name" /C:"Enabled:"
💻 PowerShell
Get-NetFirewallRule | Where-Object {$_.Enabled -eq "True"} | Format-Table DisplayName, Direction, Action
Show Inbound Firewall Rules 🟡 Intermediate
Description
Lists firewall rules that apply to incoming traffic.
Purpose
Understand what inbound traffic is allowed/blocked
🪟 Command Prompt (CMD)
netsh advfirewall firewall show rule name=all dir=in
💻 PowerShell
Get-NetFirewallRule | Where-Object {$_.Direction -eq "Inbound" -and $_.Enabled -eq "True"} | Format-Table DisplayName, Action
Show Outbound Firewall Rules 🟡 Intermediate
Description
Lists firewall rules that apply to outgoing traffic.
Purpose
Understand what outbound traffic is allowed/blocked
🪟 Command Prompt (CMD)
netsh advfirewall firewall show rule name=all dir=out
💻 PowerShell
Get-NetFirewallRule | Where-Object {$_.Direction -eq "Outbound" -and $_.Enabled -eq "True"} | Format-Table DisplayName, Action
⚙️ PROCESSES 9 COMMANDS · PROCESS INSPECTION AND MANAGEMENT
List All Running Processes 🟢 Beginner
Description
Shows all currently running processes with PID, memory usage, and session info.
Purpose
See what programs are currently executing
🪟 Command Prompt (CMD)
tasklist
💻 PowerShell
Get-Process | Format-Table ProcessName, Id, CPU, @{N='Memory(MB)';E={[math]::Round($_.WS/1MB,2)}}
Show Process Tree 🟡 Intermediate
Description
Displays processes in a tree structure showing parent-child relationships.
Purpose
Understand process hierarchy and spawning
🪟 Command Prompt (CMD)
wmic process get name,processid,parentprocessid
💻 PowerShell
Get-CimInstance Win32_Process | Select-Object ProcessName, ProcessId, ParentProcessId | Format-Table
Show Processes with Full Path 🟢 Beginner
Description
Lists processes including their full executable path.
Purpose
Identify where process executables are located
🪟 Command Prompt (CMD)
wmic process get name,processid,executablepath
💻 PowerShell
Get-Process | Select-Object ProcessName, Id, Path | Format-Table
Show Processes with Command Line 🟡 Intermediate
Description
Displays processes with their full command line arguments.
Purpose
See how processes were started and with what parameters
🪟 Command Prompt (CMD)
wmic process get name,processid,commandline
💻 PowerShell
Get-CimInstance Win32_Process | Select-Object Name, ProcessId, CommandLine | Format-Table -Wrap
Show Top CPU Processes 🟢 Beginner
Description
Lists processes sorted by CPU usage (highest first).
Purpose
Identify processes consuming most CPU
🪟 Command Prompt (CMD)
powershell -Command "Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 -Property ProcessName, Id, CPU"
💻 PowerShell
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 | Format-Table ProcessName, Id, CPU, @{N='Memory(MB)';E={[math]::Round($_.WS/1MB,2)}}
Show Top Memory Processes 🟢 Beginner
Description
Lists processes sorted by memory usage (highest first).
Purpose
Identify memory-hungry processes
🪟 Command Prompt (CMD)
tasklist /fi "memusage gt 100000"
💻 PowerShell
Get-Process | Sort-Object WS -Descending | Select-Object -First 10 | Format-Table ProcessName, Id, @{N='Memory(MB)';E={[math]::Round($_.WS/1MB,2)}}
Show Process Services 🟡 Intermediate
Description
Lists processes that are hosting Windows services.
Purpose
See which processes are running services
🪟 Command Prompt (CMD)
tasklist /svc
💻 PowerShell
Get-Process | Where-Object {$_.Name -match 'svchost'} | Format-Table ProcessName, Id
Kill Process by Name ⚠ ADMIN 🟢 Beginner
⚠️ Forces termination - unsaved data will be lost
Description
Terminates a process by its name (example: notepad.exe). Forces immediate termination.
Purpose
Stop a running program
🪟 Command Prompt (CMD)
taskkill /F /IM notepad.exe
💻 PowerShell
Stop-Process -Name notepad -Force
Kill Process by PID ⚠ ADMIN 🟢 Beginner
⚠️ Forces termination - unsaved data will be lost
Description
Terminates a process by its Process ID (example: PID 1234).
Purpose
Stop a specific process instance
🪟 Command Prompt (CMD)
taskkill /F /PID 1234
💻 PowerShell
Stop-Process -Id 1234 -Force
🔧 SERVICES 5 COMMANDS · WINDOWS SERVICE ENUMERATION
List All Services 🟢 Beginner
Description
Shows all Windows services with their status (Running, Stopped) and startup type.
Purpose
See all services configured on the system
🪟 Command Prompt (CMD)
sc query type= service state= all
💻 PowerShell
Get-Service | Format-Table Name, DisplayName, Status, StartType
Show Running Services 🟢 Beginner
Description
Lists only services that are currently running.
Purpose
See active services
🪟 Command Prompt (CMD)
sc query type= service state= running
💻 PowerShell
Get-Service | Where-Object {$_.Status -eq "Running"} | Format-Table Name, DisplayName
Show Stopped Services 🟢 Beginner
Description
Lists services that are stopped/not running.
Purpose
Identify disabled or stopped services
🪟 Command Prompt (CMD)
sc query type= service state= inactive
💻 PowerShell
Get-Service | Where-Object {$_.Status -eq "Stopped"} | Format-Table Name, DisplayName
Show Service Details 🟡 Intermediate
Description
Displays detailed information about a specific service (example: Spooler).
Purpose
Get comprehensive service configuration
🪟 Command Prompt (CMD)
sc qc Spooler
💻 PowerShell
Get-Service Spooler | Format-List *
Show Automatic Services 🟡 Intermediate
Description
Lists services set to start automatically at boot.
Purpose
See what starts when Windows boots
🪟 Command Prompt (CMD)
wmic service where StartMode="Auto" get Name,State
💻 PowerShell
Get-Service | Where-Object {$_.StartType -eq "Automatic"} | Format-Table Name, Status
🔐 SECURITY 8 COMMANDS · SECURITY CONFIGURATION ASSESSMENT
Extract WiFi Passwords ⚠ ADMIN 🔴 Advanced
⚠️ Requires Administrator privileges. For authorized assessments only.
Description
Extracts passwords for all saved WiFi networks. Requires administrator privileges.
Purpose
Recover saved WiFi credentials for documentation
🪟 Command Prompt (CMD)
for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear | findstr "Key Content"
💻 PowerShell
(netsh wlan show profiles) | Select-String "\:(.+)$" | ForEach-Object {
    $name=$_.Matches.Groups[1].Value.Trim()
    $wifi = (netsh wlan show profile name=$name key=clear)
    $pass = $wifi | Select-String "Key Content\W+\:(.+)$"
    if($pass){
        [PSCustomObject]@{
            SSID=$name
            Password=$pass.Matches.Groups[1].Value.Trim()
        }
    }
} | Format-Table -AutoSize
Show Windows Defender Status 🟢 Beginner
Description
Displays Windows Defender antivirus status and protection levels.
Purpose
Check antivirus protection state
🪟 Command Prompt (CMD)
powershell -Command "Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled"
💻 PowerShell
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IoavProtectionEnabled, BehaviorMonitorEnabled, AntivirusSignatureLastUpdated
Show Defender Exclusions 🟡 Intermediate
Description
Lists files, folders, and processes excluded from Windows Defender scanning.
Purpose
Identify security exclusions that may be exploited
🪟 Command Prompt (CMD)
powershell -Command "Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess"
💻 PowerShell
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension
Show Security Event Log 🟡 Intermediate
Description
Displays recent security events from Windows Event Log (last 20 entries).
Purpose
Review security-related events and alerts
🪟 Command Prompt (CMD)
wevtutil qe Security /c:20 /f:text /rd:true
💻 PowerShell
Get-EventLog -LogName Security -Newest 20 | Format-Table TimeGenerated, EventID, Message -Wrap
Show Failed Login Attempts 🔴 Advanced
Description
Lists failed login attempts from Security event log (Event ID 4625).
Purpose
Identify potential brute force attempts
🪟 Command Prompt (CMD)
wevtutil qe Security "/q:*[System[(EventID=4625)]]" /c:20 /f:text /rd:true
💻 PowerShell
Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4625} | Select-Object -First 20 | Format-Table TimeGenerated, Message -Wrap
Show Successful Logins 🔴 Advanced
Description
Lists successful login events (Event ID 4624).
Purpose
Track user authentication history
🪟 Command Prompt (CMD)
wevtutil qe Security "/q:*[System[(EventID=4624)]]" /c:20 /f:text /rd:true
💻 PowerShell
Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4624} | Select-Object -First 20 | Format-Table TimeGenerated, Message -Wrap
Show UAC Settings 🟡 Intermediate
Description
Displays User Account Control (UAC) configuration settings.
Purpose
Check privilege escalation protections
🪟 Command Prompt (CMD)
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
💻 PowerShell
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" | Select-Object EnableLUA, ConsentPromptBehaviorAdmin
Check if Admin 🟢 Beginner
Description
Checks if current PowerShell session has administrator privileges.
Purpose
Verify privilege level before running admin commands
🪟 Command Prompt (CMD)
net session >nul 2>&1 && echo Administrator || echo Not Administrator
💻 PowerShell
([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
📄 FILES 7 COMMANDS · FILE SYSTEM SEARCH AND INSPECTION
Search for Files by Name 🟢 Beginner
Description
Recursively searches for files matching pattern (example: *.txt) from C:\ drive.
Purpose
Find files by name or extension
🪟 Command Prompt (CMD)
dir /s /b C:\*.txt
💻 PowerShell
Get-ChildItem -Path C:\ -Recurse -Filter *.txt -ErrorAction SilentlyContinue | Select-Object FullName
Find Large Files 🟡 Intermediate
Description
Finds files larger than 100MB in C:\ drive.
Purpose
Identify large files consuming disk space
🪟 Command Prompt (CMD)
forfiles /P C:\ /S /M * /C "cmd /c if @fsize GTR 104857600 echo @path @fsize"
💻 PowerShell
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | Where-Object {$_.Length -gt 100MB} | Select-Object FullName, @{N='Size(MB)';E={[math]::Round($_.Length/1MB,2)}} | Sort-Object 'Size(MB)' -Descending
Find Recent Files 🟢 Beginner
Description
Finds files modified in the last 7 days.
Purpose
Identify recently changed files
🪟 Command Prompt (CMD)
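rem /D -7 matches files last modified 7 or more days ago; use /D +date (example date, MM/DD/YYYY) set to seven days back
forfiles /P C:\ /S /D +01/01/2026 /C "cmd /c echo @path @fdate"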
💻 PowerShell
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)} | Select-Object FullName, LastWriteTime
Find Hidden Files 🟡 Intermediate
Description
Searches for files with Hidden attribute set.
Purpose
Discover hidden files that may contain sensitive data
🪟 Command Prompt (CMD)
dir /s /a:h C:\
💻 PowerShell
Get-ChildItem -Path C:\ -Recurse -Force -ErrorAction SilentlyContinue | Where-Object {$_.Attributes -match "Hidden"} | Select-Object FullName
Search File Contents 🟡 Intermediate
Description
Searches for text string inside files (example: 'password' in .txt files).
Purpose
Find files containing specific text/keywords
🪟 Command Prompt (CMD)
findstr /S /I /M "password" C:\*.txt
💻 PowerShell
Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Select-String -Pattern "password" | Select-Object Path, LineNumber, Line
List Files in Directory 🟢 Beginner
Description
Lists all files and folders in current directory with details.
Purpose
View directory contents
🪟 Command Prompt (CMD)
dir
💻 PowerShell
Get-ChildItem | Format-Table Name, Length, LastWriteTime
Show File Permissions 🟡 Intermediate
Description
Displays NTFS permissions for a specific file or folder.
Purpose
Check access control lists (ACLs)
🪟 Command Prompt (CMD)
icacls C:\
💻 PowerShell
Get-Acl C:\ | Format-List
💻 SYSTEM 13 COMMANDS · SYSTEM INFORMATION AND CONFIGURATION
Show Full System Information 🟢 Beginner
Description
Displays comprehensive system information including OS, hardware, and configuration.
Purpose
Get complete system overview
🪟 Command Prompt (CMD)
systeminfo
💻 PowerShell
Get-ComputerInfo | Format-List
Show Computer Name and Domain 🟢 Beginner
Description
Displays computer name and domain/workgroup membership.
Purpose
Identify system identity and network membership
🪟 Command Prompt (CMD)
systeminfo | findstr /C:"Host Name" /C:"Domain"
💻 PowerShell
Get-ComputerInfo | Select-Object CsName, CsDomain, CsWorkgroup
Show OS Version 🟢 Beginner
Description
Displays Windows operating system version and build number.
Purpose
Verify Windows version for compatibility
🪟 Command Prompt (CMD)
ver
💻 PowerShell
Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OsHardwareAbstractionLayer
Show Installed Updates 🟢 Beginner
Description
Lists all installed Windows updates and hotfixes.
Purpose
Verify patch level and update history
🪟 Command Prompt (CMD)
wmic qfe list
💻 PowerShell
Get-HotFix | Format-Table Description, HotFixID, InstalledOn
Show CPU Information 🟢 Beginner
Description
Displays processor details including model, cores, and speed.
Purpose
Get CPU specifications
🪟 Command Prompt (CMD)
wmic cpu get name,numberofcores,maxclockspeed
💻 PowerShell
Get-CimInstance Win32_Processor | Select-Object Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed
Show Memory Information 🟢 Beginner
Description
Displays RAM configuration including capacity and speed.
Purpose
Get memory specifications
🪟 Command Prompt (CMD)
wmic memorychip get capacity,speed
💻 PowerShell
Get-CimInstance Win32_PhysicalMemory | Select-Object @{N='Capacity(GB)';E={[math]::Round($_.Capacity/1GB,2)}}, Speed, Manufacturer
Show Disk Information 🟢 Beginner
Description
Lists all disk drives with model, size, and interface type.
Purpose
Get storage device details
🪟 Command Prompt (CMD)
wmic diskdrive get model,size,interfacetype
💻 PowerShell
Get-CimInstance Win32_DiskDrive | Select-Object Model, @{N='Size(GB)';E={[math]::Round($_.Size/1GB,2)}}, InterfaceType
Show Drive Space 🟢 Beginner
Description
Displays used and free space for all drives.
Purpose
Check disk space availability
🪟 Command Prompt (CMD)
wmic logicaldisk get caption,size,freespace
💻 PowerShell
Get-PSDrive -PSProvider FileSystem | Select-Object Name, @{N='Used(GB)';E={[math]::Round($_.Used/1GB,2)}}, @{N='Free(GB)';E={[math]::Round($_.Free/1GB,2)}}
Show BIOS Information 🟢 Beginner
Description
Displays BIOS version and serial number.
Purpose
Get firmware details
🪟 Command Prompt (CMD)
wmic bios get serialnumber,version
💻 PowerShell
Get-CimInstance Win32_BIOS | Select-Object SerialNumber, Version, Manufacturer
Show Motherboard Information 🟢 Beginner
Description
Displays motherboard manufacturer and model.
Purpose
Identify system board
🪟 Command Prompt (CMD)
wmic baseboard get product,manufacturer,version,serialnumber
💻 PowerShell
Get-CimInstance Win32_BaseBoard | Select-Object Manufacturer, Product, Version, SerialNumber
Show Uptime 🟢 Beginner
Description
Shows how long the system has been running since last boot.
Purpose
Check system uptime
🪟 Command Prompt (CMD)
systeminfo | findstr /C:"System Boot Time"
💻 PowerShell
Get-CimInstance Win32_OperatingSystem | Select-Object @{N='Uptime';E={(Get-Date) - $_.LastBootUpTime}}, LastBootUpTime
Show Environment Variables 🟢 Beginner
Description
Lists all system and user environment variables.
Purpose
View environment configuration
🪟 Command Prompt (CMD)
set
💻 PowerShell
Get-ChildItem Env: | Format-Table Name, Value
Show Timezone 🟢 Beginner
Description
Displays current timezone setting.
Purpose
Verify system timezone configuration
🪟 Command Prompt (CMD)
tzutil /g
💻 PowerShell
Get-TimeZone
📦 SOFTWARE 4 COMMANDS · INSTALLED APPLICATIONS AND STARTUPS
List Installed Programs 🟢 Beginner
Description
Lists all installed applications from Windows Registry.
Purpose
Inventory installed software
🪟 Command Prompt (CMD)
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s /v DisplayName
💻 PowerShell
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher | Format-Table
List Installed Programs (32-bit) 🟡 Intermediate
Description
Lists 32-bit applications installed on 64-bit system.
Purpose
Find 32-bit software on 64-bit Windows
🪟 Command Prompt (CMD)
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall /s /v DisplayName
💻 PowerShell
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher | Format-Table
Show Startup Programs 🟡 Intermediate
Description
Lists programs configured to run at startup.
Purpose
Identify auto-start applications
🪟 Command Prompt (CMD)
wmic startup list full
💻 PowerShell
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Format-Table
Show Scheduled Tasks 🟡 Intermediate
Description
Lists all scheduled tasks configured on the system.
Purpose
Identify automated tasks and jobs
🪟 Command Prompt (CMD)
schtasks /query /fo LIST
💻 PowerShell
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} | Select-Object TaskName, State, TaskPath | Format-Table
📋 EVENT LOGS 4 COMMANDS · WINDOWS EVENT LOG ANALYSIS
Show System Event Log 🟢 Beginner
Description
Displays recent system events (errors, warnings, info).
Purpose
Review system health and errors
🪟 Command Prompt (CMD)
wevtutil qe System /c:20 /f:text /rd:true
💻 PowerShell
Get-EventLog -LogName System -Newest 20 | Format-Table TimeGenerated, EntryType, Source, Message -Wrap
Show Application Event Log 🟢 Beginner
Description
Displays recent application events.
Purpose
Review application errors and warnings
🪟 Command Prompt (CMD)
wevtutil qe Application /c:20 /f:text /rd:true
💻 PowerShell
Get-EventLog -LogName Application -Newest 20 | Format-Table TimeGenerated, EntryType, Source, Message -Wrap
Show Error Events Only 🟡 Intermediate
Description
Filters event log to show only error-level events.
Purpose
Focus on critical issues
🪟 Command Prompt (CMD)
wevtutil qe System "/q:*[System[(Level=2)]]" /c:20 /f:text /rd:true
💻 PowerShell
Get-EventLog -LogName System -EntryType Error -Newest 20 | Format-Table TimeGenerated, Source, Message -Wrap
Show Warning Events Only 🟡 Intermediate
Description
Filters event log to show only warning-level events.
Purpose
Identify potential issues
🪟 Command Prompt (CMD)
wevtutil qe System "/q:*[System[(Level=3)]]" /c:20 /f:text /rd:true
💻 PowerShell
Get-EventLog -LogName System -EntryType Warning -Newest 20 | Format-Table TimeGenerated, Source, Message -Wrap
📷 EVIDENCE 4 COMMANDS · EVIDENCE COLLECTION AND HASHING
Take Screenshot 🟢 Beginner
Description
Captures current screen and saves as PNG file with timestamp.
Purpose
Document visual evidence
🪟 Command Prompt (CMD)
powershell Add-Type -AssemblyName System.Windows.Forms; $screen = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds; $bitmap = New-Object System.Drawing.Bitmap($screen.Width, $screen.Height); $graphics = [System.Drawing.Graphics]::FromImage($bitmap); $graphics.CopyFromScreen($screen.Location, [System.Drawing.Point]::Empty, $screen.Size); $bitmap.Save('screenshot.png'); $graphics.Dispose(); $bitmap.Dispose()
💻 PowerShell
Add-Type -AssemblyName System.Windows.Forms
$screen = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds
$bitmap = New-Object System.Drawing.Bitmap($screen.Width, $screen.Height)
$graphics = [System.Drawing.Graphics]::FromImage($bitmap)
$graphics.CopyFromScreen($screen.Location, [System.Drawing.Point]::Empty, $screen.Size)
$bitmap.Save("screenshot_$(Get-Date -Format 'yyyyMMdd_HHmmss').png")
$graphics.Dispose()
$bitmap.Dispose()
Create Evidence Archive 🟢 Beginner
Description
Compresses a folder into a ZIP archive with timestamp.
Purpose
Package evidence for delivery
🪟 Command Prompt (CMD)
powershell Compress-Archive -Path "Evidence" -DestinationPath "Evidence_Archive_%date:~-4,4%%date:~-10,2%%date:~-7,2%.zip"
💻 PowerShell
Compress-Archive -Path "Evidence" -DestinationPath "Evidence_Archive_$(Get-Date -Format 'yyyyMMdd_HHmmss').zip"
Calculate File Hash (MD5) 🟡 Intermediate
Description
Computes MD5 hash of a file for integrity verification.
Purpose
Generate file hash for evidence chain of custody
🪟 Command Prompt (CMD)
certutil -hashfile filename.txt MD5
💻 PowerShell
Get-FileHash -Path filename.txt -Algorithm MD5
Calculate File Hash (SHA256) 🟡 Intermediate
Description
Computes SHA256 hash of a file (more secure than MD5).
Purpose
Generate cryptographic file hash
🪟 Command Prompt (CMD)
certutil -hashfile filename.txt SHA256
💻 PowerShell
Get-FileHash -Path filename.txt -Algorithm SHA256
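Hashing one file at a time does not scale to a whole evidence folder. The PowerShell below is an added example, not part of the original command list: it records a SHA-256 manifest for the Evidence folder and later reports files that were added, modified or removed. The function names and the manifest location under Reports are assumptions.

```powershell
# Added example: SHA-256 manifest for an evidence folder.
# Function names and file locations are assumptions, not part of the original list.
# Keep the manifest OUTSIDE the evidence folder, otherwise it is reported as "Added".

function Get-RelativeEvidencePath {
    param([string]$Root, [string]$FullName)
    # Strip the root prefix so the manifest stays valid if the folder is moved
    $FullName.Substring($Root.Length).TrimStart('\', '/')
}

function New-EvidenceManifest {
    param(
        [Parameter(Mandatory)][string]$EvidencePath,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root = (Get-Item -LiteralPath $EvidencePath).FullName
    Get-ChildItem -LiteralPath $root -Recurse -File |
        Sort-Object FullName |
        ForEach-Object {
            [PSCustomObject]@{
                RelativePath = Get-RelativeEvidencePath -Root $root -FullName $_.FullName
                Length       = $_.Length
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8

    # Hash of the manifest itself: record this value in the assessment log or report
    Get-FileHash -LiteralPath $ManifestPath -Algorithm SHA256
}

function Test-EvidenceManifest {
    param(
        [Parameter(Mandatory)][string]$EvidencePath,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root = (Get-Item -LiteralPath $EvidencePath).FullName

    # Load the recorded hashes (PowerShell hashtable keys are case-insensitive, like NTFS paths)
    $expected = @{}
    Import-Csv -LiteralPath $ManifestPath | ForEach-Object {
        $expected[$_.RelativePath] = $_.SHA256
    }

    $results = [System.Collections.Generic.List[object]]::new()
    foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File) {
        $rel    = Get-RelativeEvidencePath -Root $root -FullName $file.FullName
        $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

        if (-not $expected.ContainsKey($rel)) {
            $status = 'Added'       # on disk but never recorded
        } elseif ($expected[$rel] -ne $actual) {
            $status = 'Modified'    # content changed since the manifest was written
        } else {
            $status = 'OK'
        }
        $expected.Remove($rel)      # whatever remains afterwards is missing from disk
        $results.Add([PSCustomObject]@{ RelativePath = $rel; Status = $status })
    }

    foreach ($rel in $expected.Keys) {
        $results.Add([PSCustomObject]@{ RelativePath = $rel; Status = 'Missing' })
    }
    $results
}

# Usage, run from the assessment workspace created earlier:
#   New-EvidenceManifest  -EvidencePath .\Evidence -ManifestPath .\Reports\evidence_manifest.csv
#   Test-EvidenceManifest -EvidencePath .\Evidence -ManifestPath .\Reports\evidence_manifest.csv |
#       Where-Object Status -ne 'OK'
```

An empty result from the filtered Test-EvidenceManifest call means every file still matches its recorded hash.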
📊 REPORTING 2 COMMANDS · ASSESSMENT REPORT GENERATION
Generate Quick Report 🟢 Beginner
Description
Creates a text file with basic system information for quick assessment.
Purpose
Generate rapid assessment report
🪟 Command Prompt (CMD)
echo ===== QUICK ASSESSMENT REPORT ===== > quick_report.txt
echo Date: %date% >> quick_report.txt
echo Time: %time% >> quick_report.txt
echo. >> quick_report.txt
systeminfo | findstr /C:"Host Name" /C:"OS Name" /C:"OS Version" >> quick_report.txt
ipconfig | findstr /C:"IPv4" >> quick_report.txt
net user >> quick_report.txt
💻 PowerShell
@"
===== QUICK ASSESSMENT REPORT =====
Date: $(Get-Date)
Assessor: [Your Name]

$((Get-ComputerInfo | Select-Object CsName, WindowsVersion | Format-List | Out-String))
$((Get-NetIPConfiguration | Select-Object IPv4Address | Format-List | Out-String))
$((Get-LocalUser | Format-Table | Out-String))
"@ | Out-File "quick_report_$(Get-Date -Format 'yyyyMMdd').txt"
Generate Full Assessment Report 🟢 Beginner
Description
Creates comprehensive assessment report with system, network, and security information.
Purpose
Generate complete documentation
🪟 Command Prompt (CMD)
echo ===== FULL SECURITY ASSESSMENT REPORT ===== > full_report.txt
echo Generated: %date% %time% >> full_report.txt
echo. >> full_report.txt
echo [SYSTEM INFORMATION] >> full_report.txt
systeminfo >> full_report.txt
echo. >> full_report.txt
echo [NETWORK CONFIGURATION] >> full_report.txt
ipconfig /all >> full_report.txt
echo. >> full_report.txt
echo [USER ACCOUNTS] >> full_report.txt
net user >> full_report.txt
echo. >> full_report.txt
echo [RUNNING PROCESSES] >> full_report.txt
tasklist >> full_report.txt
💻 PowerShell
$report = @"
===== FULL SECURITY ASSESSMENT REPORT =====
Generated: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
Assessor: [Your Name]

[SYSTEM INFORMATION]
$((Get-ComputerInfo | Format-List | Out-String))

[NETWORK CONFIGURATION]
$((Get-NetIPConfiguration -Detailed | Format-List | Out-String))

[USER ACCOUNTS]
$((Get-LocalUser | Format-Table | Out-String))

[LOCAL GROUPS]
$((Get-LocalGroup | Format-Table | Out-String))

[RUNNING PROCESSES]
$((Get-Process | Format-Table | Out-String))

[SERVICES]
$((Get-Service | Format-Table | Out-String))

[NETWORK CONNECTIONS]
$((Get-NetTCPConnection | Format-Table | Out-String))
"@
$report | Out-File "full_report_$(Get-Date -Format 'yyyyMMdd').txt"
🔴 ADVANCED 5 COMMANDS · ADVANCED TECHNIQUES — AUTHORISED USE ONLY
Dump Cached Credentials ⚠ ADMIN 🔴 Advanced
⚠️ Requires Administrator privileges
Description
Lists cached domain credentials stored on the system. Requires admin.
Purpose
Identify cached authentication tokens
🪟 Command Prompt (CMD)
reg query "HKLM\SECURITY\Cache"
💻 PowerShell
reg query "HKLM\SECURITY\Cache"
Show PowerShell History 🟡 Intermediate
Description
Displays PowerShell command history for current user.
Purpose
Review previous PowerShell commands
🪟 Command Prompt (CMD)
type "%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
💻 PowerShell
Get-Content (Get-PSReadLineOption).HistorySavePath
Show Browser History (Chrome) 🔴 Advanced
Description
Displays Chrome browser history from SQLite database.
Purpose
Review web browsing history
🪟 Command Prompt (CMD)
type "%LOCALAPPDATA%\Google\Chrome\User Data\Default\History"
💻 PowerShell
# Chrome stores history in SQLite - use external tool to read
Write-Host "Chrome history located at: $env:LOCALAPPDATA\Google\Chrome\User Data\Default\History"
Export Registry Key 🔴 Advanced
Description
Exports a registry key to a .reg file for backup or analysis.
Purpose
Backup or extract registry configuration
🪟 Command Prompt (CMD)
reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion backup.reg
💻 PowerShell
reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion backup.reg
Show Shadow Copies 🔴 Advanced
Description
Lists Volume Shadow Copy snapshots available on the system.
Purpose
Identify backup/restore points
🪟 Command Prompt (CMD)
vssadmin list shadows
💻 PowerShell
Get-CimInstance Win32_ShadowCopy | Select-Object InstallDate, VolumeName, DeviceObject