Windows security commands

May 11, 2011

The following is a haphazard list of Windows commands useful to know for security-related tasks. Some of these do not work on all Windows platforms, or require administrator privileges to run properly.

Verify the integrity of critical Windows files by examining their digital signatures:


Show the recent DNS lookups:

ipconfig /displaydns

Show the ARP cache:

arp -a

Show TCP ports that are listening for connections:

netstat -an | findstr LISTEN

Show the process name that is listening on a given TCP port:

netstat -anpb tcp

Show the process name that is listening on a given UDP port:

netstat -anpb udp

Show all open sessions:

net session

Show all currently running processes:


Show all currently running services:

net start

Show all registry subkeys and entries for HKLM\Software\Microsoft\Windows\CurrentVersion\Run:

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /s

Search for all files that have "string" within their filenames:

attrib /s *string*

Lists files in current directory from oldest to newest:

dir /od

Search for a string within the file example.txt (case insensitive, and quotes must be specified in the command):

find /i "string" example.txt

Show the NetBIOS computer name and MAC address for a Windows computer with IP address

nbtstat -A

Show local user accounts:

net user

Show the domain administrator accounts within a domain:

net group "domain admins" /domain

Show the system uptime (in the output look for a line saying "statistics since"). High uptime may indicate that the device hasn't been patched in a while:

net statistics server

Show windows firewall configuration:

netsh firewall show config

Originally posted September 11, 2009