Last edit: October 02, 2017 08:56:01 AM CDT

Active Directory

Get list of users who have not changed their passwords
    Get-ADUser -Filter * -Properties PasswordLastSet | Where { $_.PasswordLastSet -eq $null }

Files, Filesystems & Partitions

Get list of drives
    gdr -psProvider FileSystem
Get list of mapped drives
    gwmi -Class Win32_MappedLogicalDisk | select Name, ProviderName
Get list of mapped drives for a user
    net use
robocopy syntax
    robocopy source destination [options]
    e.g. robocopy C:\Directory_A C:\Directory_B
    /E = recursive, including attributes
    /W:[Value] = Wait time in seconds, e.g. /W:20
    /R:[Value] = Retry time in seconds, e.g. /R:20
    /LOG:[path] = Log file
Repair filesystem
    sfc /scannow

Hardware & Kernel

Get machine's serial number
    wmic bios get serialnumber
Get installed memory size in bytes
    wmic memorychip get Capacity
Get MAC address
    getmac
Get MAC addresses for all adapters
    getmac /v /fo list
Get make and model
    Get-WmiObject -Class Win32_ComputerSystem | select manufacturer, model
Display basic hardware information on a remote machine
    winrm enumerate wmicimv2/Win32_ComputerSystem

Installs & Updates

Get list of installed updates
    wmic qfe list
See if a particular update is installed
    systeminfo | find ": KB[update number]"
Export list of installed updates
    wmic qfe get /format:csv >C:\updates.csv
Activate Windows 8+ with a MAK or change product key
    As administrator, slui.exe 3
    Enter new key
Reset Automatic Update
    wuauclt.exe /resetauthorization /detectnow
Which server is a machine getting updates from?
    reg query HKLM\SOFTWARE\policies\Microsoft\Windows\WindowsUpdat

Monitoring

See also Notable Utilities
Get process listing
    tasklist

Network

Flush DNS
    ipconfig /flushdns

PowerShell

Allow local PowerShell scripts to run (aka chmod +x)
    Set-ExecutionPolicy remotesigned
Equivalent of X
    apropos: get-help [query]
    date: get-date
    echo: write-output
    find: dir [query] -recurse
    head: select-object -first [number of lines]
    kill: stop-process
    ls: get-childitem / gci / dir
    ls -a: ls -force
    man: get-help [command]
    ps: get-process
    ps | grep: get-process [query]
    rm: remove-item
    sleep: start-sleep
    sort: sort-object
    uniq: get-unique
    tail: gc [file to watch] | select-object -last [number of lines]
    tail -f: gc -tail [number of lines] -wait [file to watch]
    touch: set-content -Path /path/to/file -Value $null
    whoami: [Security.Principal.WindowsIdentity]::GetCurrent() | select name
Variables
    %: for each, e.g. Get-ChildItem -Name boom | % { Remove-Item $_ }
    $_: container for current pipeline object
    Array: $[name] = @("name", "name1", "name2")

Remote Management

Enable Windows Remote Management (WinRM) on a machine
    winrm quickconfig
Get WinRM configuration information
    winrm get winrm/config
Display OS properties on a remote machine
    winrm get wmicimv2/Win32_OperatingSystem
Display free memory on a remote machine
    winrm g wmicimv2/Win32_OperatingSystem -fragment:FreePhysicalMemory -r:[machinename]
Run a command on a remote machine
    winrs -r:[machine name] [insert command here]
Start a service on a remote machine
    winrm invoke startservice wmicimv2/Win32_Service?name=[servicename] -r:[machinename]
Stop a service on a remote machine
    winrm invoke stopservice wmicimv2/Win32_Service?name=[servicename] -r:[machinename]
Reboot a remote machine
    winrm invoke reboot wmicimv2/Win32_OperatingSystem -r:[machinename]

Security

Check for Service Principals in a Domain
    setspn -T [domain/forest] -F -Q */[name or IP]
View Service Principal listing for a particular host
    setspn -L [hostname]

Services

Find a service's short name
    Get-Service | Sort-Object -Property DisplayName | Format-Table DisplayName, Name -AutoSize

System

Get full licensing status
    slmgr.vbs /dlv
Get uptime
    systeminfo | find "System Boot Time:"
Get uptime v2
    net statistics workstation
    or
    net statistics server

Users & Groups

Get AD user account information
    net user /DOMAIN [user]
Output list of user accounts and settings
    wmic /output:C:\logs\useraccounts.txt useraccount list full

Windows Server

Get a list of shares on server
    gwmi -computer $remotecomputername -Class win32_share | select -ExpandProperty Name
Get list of printers from Windows 2k8 print server
    Get-WmiObject -Class Win32_Printer | Select Name,DriverName,PortName,Location > \Output\Path
Syntax for Firewall rule
    netsh advfirewall firewall add rule name=[nickname] dir=[in/out] action=[allow/block/bypass] protocol=[TCP/UDP] localport=[port #]

Config Files

Tk

Notable Utilities

Make the Toolbar balloon alert present a dialog
    wlrmdr.exe -s 60000 -f 1 -t "[Balloon header]" -m "[balloon body text]" -a o

cmd shell equivalents

    mv: move
    rm: del
    rm -r: deltree
    ls: dir
    grep: find