Windows Administration for Pentesters
Outline
- Why Pentesters Must Learn Windows
- Understanding CMD vs PowerShell
- CMD (Command Prompt)
- PowerShell
- Key Differences at a Glance
- Which One to Use?
- Common Windows Administration Commands for Pentesters
- User and Group Management
- File and Folder Operations
- Process and Task Management
- Service Enumeration and Control
- Network Configuration and Discovery
- Firewall Rules and Port Status
- Scheduled Tasks
- Finding Hidden Files and Sensitive Data
- Installed Software and Services
- Environment Variables
Why Pentesters Must Learn Windows
Most enterprise environments run on Windows. That means the majority of real-world engagements will involve Windows machines — workstations, servers, and domain controllers. As a pentester, understanding Windows isn’t optional; it’s essential. You’ll encounter Active Directory, Windows-based user management, PowerShell scripts, Group Policy, and a range of native tools you can abuse for privilege escalation, persistence, and lateral movement.
Unlike Linux, which is often open-source and community-driven, Windows is proprietary and structured differently. It has unique file paths, services, permission models, and built-in tools. A strong grasp of Windows internals and command-line tools will give you a massive edge during engagements — especially in post-exploitation and red teaming scenarios.
Understanding CMD vs PowerShell
Windows provides two primary command-line interfaces: Command Prompt (CMD) and PowerShell. Both are used to interact with the system, but they serve different purposes and have different capabilities. As a pentester (and system administrator), it’s important to understand both — when to use them, and what each can do.
CMD (Command Prompt)
- CMD is the original shell introduced in early versions of Windows (like MS-DOS).
- It’s simple, lightweight, and mostly used for basic file operations, scripting .bat files, and running legacy commands (ipconfig, net, tasklist, etc.).
- Many tools and utilities used during pentesting (like net, sc, wmic, and reg) are run from CMD or are compatible with it.
Why it matters: Most built-in system commands and services (especially legacy ones) are still accessed through CMD. It’s fast and predictable, especially when interacting with older or more stripped-down Windows systems.
PowerShell
- PowerShell is a modern, powerful, and extensible shell designed for automating system administration.
- Unlike CMD, it supports full .NET integration, object-oriented scripting, and complex logic.
- It can do everything CMD can — and much more. PowerShell enables remote administration, advanced enumeration, event log interaction, and in-memory script execution.
- It uses cmdlets (like Get-Process, Get-Service, Set-ExecutionPolicy) and pipelines for chaining commands and working with objects.
Why it matters: PowerShell is a weapon in the hands of both sysadmins and attackers. Many exploitation frameworks and red-team scripts (like PowerView, PowerSploit, Nishang) are written in PowerShell. It’s also commonly whitelisted in environments where other tools are blocked.
Key Differences at a Glance
| Feature | CMD | PowerShell |
|---|---|---|
| Syntax Style | Text-based | Object-oriented |
| Scripting Format | .bat, .cmd | .ps1 |
| Functionality | Basic command-line utility | Full scripting language |
| Access to System Internals | Limited | Deep access (WMI, Registry, etc.) |
| Output Handling | Text strings | Structured .NET objects |
| Automation Capabilities | Minimal | Advanced automation |
Which One to Use?
- CMD is great for simple tasks: copying files, checking IPs, listing users.
- PowerShell shines when you need detailed enumeration, scripting, and exploitation.
As a pentester, you’ll switch between both depending on your foothold, available tools, and privilege level.
Pro Tip: In post-exploitation, stealth matters. PowerShell is powerful, but often heavily monitored. Knowing both shells gives you flexibility when facing different detection controls.
Common Windows Administration Commands for Pentesters
Once you’ve got a foothold on a Windows machine, here are the essential administration commands for enumeration, privilege escalation, and lateral movement.
1. User and Group Management
CMD:
whoami # Shows current user
whoami /groups # Lists all group memberships
net user # Lists all users
net user <username> # Detailed info on a specific user
net localgroup # Lists local groups
net localgroup administrators # Lists users in the Administrators group
Try adding yourself to privileged groups if possible:
net localgroup administrators <username> /add
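The net commands above return group membership as text that you read by eye. As an added example that is not part of the original page, the PowerShell function below performs the same check on the Administrators group and returns only members that are not on an expected baseline, which is how an auditor or incident responder would look for an unexpected addition. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later); the baseline list is a hypothetical placeholder.

```powershell
# Added example, not from the original page: audit the local Administrators group.
# Assumes Get-LocalGroupMember (Microsoft.PowerShell.LocalAccounts module).
function Get-UnexpectedLocalAdmins {
    param(
        # Hypothetical baseline of account names that are allowed to be members.
        [string[]]$Expected = @('Administrator', 'Domain Admins')
    )
    foreach ($m in (Get-LocalGroupMember -Group 'Administrators')) {
        # Name is 'COMPUTER\Account' or 'DOMAIN\Account'; compare on the account part only
        $account = ($m.Name -split '\\')[-1]
        if ($Expected -notcontains $account) {
            [pscustomobject]@{
                Name            = $m.Name
                ObjectClass     = $m.ObjectClass      # User or Group
                PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
                SID             = $m.SID.Value
            }
        }
    }
}

Get-UnexpectedLocalAdmins | Format-Table -AutoSize
```

Nested groups are not expanded: a domain group that is a member shows up as one entry with ObjectClass Group, so anything unexpected of that class needs a second look at its own membership.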
2. File and Folder Operations
CMD:
dir # List files in directory
dir /a # Include hidden/system files
cd .. # Go up a directory
cd C:\Users\Public # Navigate to a directory
copy file.txt C:\temp\ # Copy file
move file.txt C:\temp\ # Move file
del file.txt # Delete file
mkdir testfolder # Create new folder
rmdir testfolder # Delete folder
PowerShell equivalents:
Get-ChildItem
Get-Content .\file.txt
Copy-Item file.txt C:\Temp\
Remove-Item file.txt
3. Process and Task Management
CMD:
tasklist # Show all running processes
taskkill /PID 1234 /F # Force kill a process by PID
PowerShell version:
Get-Process
Stop-Process -Id 1234 -Force
4. Service Enumeration and Control
CMD:
sc query # List services
sc query type= service # List actual services (not drivers)
sc qc <service name> # Show config details of a service
sc stop <service name> # Stop a service
sc start <service name> # Start a service
PowerShell:
Get-Service
Start-Service -Name Spooler
Stop-Service -Name Spooler
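Get-Service does not expose the binary path or the account a service runs as; with sc you have to run sc qc once per service to see them. As an added example that is not part of the original page, the function below pulls those fields for every service in one pass through the Win32_Service CIM class and then filters for a pattern worth reviewing on any host: services running as LocalSystem from a binary outside the Windows directory.

```powershell
# Added example, not from the original page: one-pass service inventory via CIM.
function Get-ServiceInventory {
    param([switch]$RunningOnly)
    $services = Get-CimInstance -ClassName Win32_Service
    if ($RunningOnly) { $services = $services | Where-Object { $_.State -eq 'Running' } }
    foreach ($s in $services) {
        [pscustomobject]@{
            Name      = $s.Name
            State     = $s.State
            StartMode = $s.StartMode    # Auto, Manual, Disabled
            RunAs     = $s.StartName    # LocalSystem, NT AUTHORITY\..., or a named account
            Path      = $s.PathName     # full command line, possibly quoted
        }
    }
}

# Review list: LocalSystem services whose binary lives outside %SystemRoot%.
# PathName may start with a quote, so strip it before matching; guard against a null path.
Get-ServiceInventory -RunningOnly |
    Where-Object {
        $_.RunAs -eq 'LocalSystem' -and
        $_.Path -and
        $_.Path.TrimStart('"') -notlike "$env:SystemRoot\*"
    } |
    Format-Table -AutoSize
```

Third-party agents legitimately match this filter, so the output is a review list rather than a list of findings; the point is that the path and account come back as object properties you can filter on instead of text you have to parse.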
5. Network Configuration and Discovery
CMD:
ipconfig /all # Interface and IP details
netstat -ano # All connections with PID
route print # Routing table
arp -a # ARP table (connected IPs)
nslookup example.com # DNS resolution
ping 192.168.1.1 # Check connectivity
PowerShell:
Get-NetIPAddress
Test-Connection google.com
Resolve-DnsName example.com
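The usual workflow with netstat -ano is to note a listening port's PID and then look it up in tasklist. As an added example that is not part of the original page, the function below does that join in PowerShell: it indexes running processes by PID once, then attaches the process name and image path to every listening TCP socket. It assumes the NetTCPIP module (Windows 8 / Server 2012 and later).

```powershell
# Added example, not from the original page: listening TCP ports joined to their owning process.
function Get-ListeningPortOwners {
    # Index processes by PID once instead of calling Get-Process per socket.
    $byPid = @{}
    foreach ($p in Get-Process) { $byPid[[int]$p.Id] = $p }

    Get-NetTCPConnection -State Listen | Sort-Object LocalPort | ForEach-Object {
        # OwningProcess is a UInt32; cast to int so the hashtable lookup matches the Int32 key
        $proc = $byPid[[int]$_.OwningProcess]
        $path = $null
        if ($proc) {
            # Path is null or throws for protected/system processes when not running elevated
            try { $path = $proc.Path } catch { $path = '<access denied>' }
        }
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Path         = $path
        }
    }
}

Get-ListeningPortOwners | Format-Table -AutoSize
```

A listener shown as `<unknown>` is normally a process that exited between the two queries, or PID 4 (System) for kernel-owned sockets such as SMB; run elevated to fill in the Path column for services.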
6. Firewall Rules and Port Status
CMD:
netsh advfirewall show allprofiles # Show firewall profiles
netsh firewall show state # Legacy command
PowerShell:
Get-NetFirewallProfile
Get-NetFirewallRule | Where-Object {$_.Enabled -eq "True"}
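Get-NetFirewallRule returns the rule itself but not its ports or program; those live in separate filter objects. As an added example that is not part of the original page, the function below resolves them for every enabled inbound Allow rule, which is the set of rules that actually expose a listener. It assumes the NetSecurity module (Windows 8 / Server 2012 and later).

```powershell
# Added example, not from the original page: enabled inbound Allow rules with ports and programs.
function Get-InboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        # Each rule has associated port and application filter objects
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Profile   = $_.Profile                 # Domain, Private, Public, or Any
            Protocol  = $port.Protocol             # TCP, UDP, ICMPv4, Any, ...
            LocalPort = ($port.LocalPort -join ',')  # 'Any' or one or more ports/ranges
            Program   = $app.Program               # 'Any' or an executable path
        }
    }
}

# Rules that open specific ports, ordered for review; 'Any'-port rules are usually program-scoped
Get-InboundAllowRules |
    Where-Object { $_.LocalPort -ne 'Any' } |
    Sort-Object Protocol, LocalPort |
    Format-Table -AutoSize
```

Whether a rule is effective also depends on the profile currently active on each interface, which Get-NetFirewallProfile (already listed above) shows; a Public-profile rule does nothing on an interface classified as Domain.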
7. Scheduled Tasks
CMD:
schtasks /query /fo LIST /v # View all tasks with details
schtasks /create /tn name /tr cmd.exe /sc minute /mo 5
PowerShell:
Get-ScheduledTask
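schtasks /query /fo LIST /v prints every field of every task as verbose text, so the two fields that matter when reviewing tasks (what runs and as whom) are easy to miss. As an added example that is not part of the original page, the function below emits one object per task action with the executable, arguments, run-as principal and last run time, then filters for actions that launch a shell or script interpreter, the pattern a defender checks first when hunting for persistence via scheduled tasks. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later).

```powershell
# Added example, not from the original page: one row per scheduled task action.
function Get-TaskActionReport {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo   # LastRunTime, NextRunTime, LastTaskResult
        foreach ($a in $task.Actions) {
            # Only exec actions carry Execute/Arguments; other action types leave them null
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                RunAs     = $task.Principal.UserId
                RunLevel  = $task.Principal.RunLevel   # Limited or Highest
                Execute   = $a.Execute
                Arguments = $a.Arguments
                LastRun   = $info.LastRunTime
            }
        }
    }
}

# Review list: tasks whose action is a shell or script host rather than a dedicated binary
Get-TaskActionReport |
    Where-Object { $_.Execute -match 'cmd\.exe|powershell|pwsh|wscript|cscript|mshta|rundll32' } |
    Sort-Object Task |
    Format-Table -AutoSize
```

Plenty of Microsoft-shipped tasks under \Microsoft\Windows\ match this filter, so compare against a known-good host or a baseline export rather than treating every hit as malicious; the useful signals are a task outside the Microsoft folders, a RunAs of SYSTEM with RunLevel Highest, and arguments that reference user-writable paths.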
8. Finding Hidden Files and Sensitive Data
CMD:
dir /s /b C:\ | findstr /i password # Search for filenames with “password”
findstr /si password *.txt *.xml *.ini # Search file contents for “password”
PowerShell:
Get-ChildItem -Recurse -File | Select-String -Pattern "password"
9. Installed Software and Services
PowerShell:
Get-WmiObject -Class Win32_Product
Get-Service | Where-Object {$_.Status -eq "Running"}
Use this to identify potentially vulnerable software or services running on the machine.
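One caveat a practitioner will want here: querying Win32_Product makes Windows Installer run a consistency check (and where needed a repair) of every installed MSI package, so it is slow and writes a stream of MsiInstaller events to the Application log, which is conspicuous on a monitored host. As an added example that is not part of the original page, the function below reads the same inventory from the Uninstall registry keys instead, which is the quiet, read-only route and also catches non-MSI installers that Win32_Product never lists.

```powershell
# Added example, not from the original page: installed software from the Uninstall keys.
function Get-InstalledSoftware {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |   # skip patch/component entries with no display name
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate   # yyyyMMdd string when present
                Uninstall   = $_.UninstallString
            }
        } |
        Sort-Object Name
}

Get-InstalledSoftware | Format-Table -AutoSize
```

Version strings here are what the installer recorded, so when you compare them against an advisory also check the file version of the binary on disk.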
10. Environment Variables
CMD:
set # List all environment variables
PowerShell:
Get-ChildItem Env:
Pay close attention to the PATH variable — if you can hijack a directory in the search path, you might be able to escalate privileges with a malicious binary.
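The corresponding hardening check is to find out whether any directory on the machine-wide PATH is writable by ordinary users, since that is the misconfiguration the paragraph above relies on. As an added example that is not part of the original page, the function below reads the Machine-scope PATH (the one services and other users inherit, rather than the current process copy that set prints), walks each directory's ACL, and reports Allow entries that grant write rights to Everyone, Users or Authenticated Users. The principal list and the choice of write bits are assumptions made for this example.

```powershell
# Added example, not from the original page: PATH directories writable by low-privilege principals.
function Get-WritablePathDirs {
    # Assumed set of low-privilege principals to report on
    $lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    # Rights that let a principal drop a new file into the directory
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

    $dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        Where-Object { $_ } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) }

    foreach ($d in $dirs) {
        if (-not (Test-Path -LiteralPath $d -PathType Container)) {
            # A PATH entry that does not exist is itself a finding: check who may create it in the parent
            [pscustomobject]@{ Directory = $d; Principal = '<missing>'; Rights = $null }
            continue
        }
        $acl = Get-Acl -LiteralPath $d
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
            # FullControl and Modify include the write bits, so a bitwise test covers them too
            if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $d
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Get-WritablePathDirs | Format-Table -AutoSize
```

The check ignores Deny entries and does not expand group membership, so treat a hit as something to verify with icacls or a test write rather than a confirmed weakness; the fix is to tighten the directory's ACL or remove the entry from the system PATH.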
