Win Shell

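# Windows host enumeration checklist (PowerShell).
# Read-only queries of the local host: identity and group membership, file system,
# persistence locations (Run keys, scheduled tasks, services, startup items),
# network configuration, and a handful of well-known privilege-escalation
# misconfigurations. Nothing below modifies the host; the same output is what an
# auditor or incident responder wants when baselining a machine.
#
# Assumptions (verify on the target):
#   - Windows PowerShell 5.1. Get-EventLog does not exist in PowerShell 6+, and
#     wmic.exe is deprecated and missing on recent Windows builds; Get-WinEvent
#     and Get-CimInstance are the replacements there.
#   - Some queries (the Security event log in particular) need administrative
#     rights and print an access-denied error otherwise. Errors are not fatal:
#     each section runs independently.

# --- Tunables -------------------------------------------------------------------
# File-name pattern for the "specific name" search (placeholder: edit before use).
$FileNamePattern = '*WHATEVER*'
# Account shown in the "Last logon info" section. The original line used a literal
# <username> placeholder, which is a parse error in PowerShell ('<' is reserved)
# and prevented the whole script from loading; default to the current account so
# the script runs unmodified, and override this variable to inspect another user.
$TargetUser = $env:USERNAME

# --- Identity and privileges ----------------------------------------------------
Write-Output "Current user:"
whoami
whoami /all   # also lists SID, group memberships and token privileges

Write-Output "Contents of current directory:"
Get-ChildItem -Force   # -Force includes hidden and system entries

# Get-History covers only the current session; the PSReadLine save file persists
# command history across sessions, so read it too (silently skip if absent).
Write-Output "Command history:"
Get-History
(Get-PSReadLineOption).HistorySavePath | Get-Content -ErrorAction SilentlyContinue

# Both commands print an OS/hardware summary; their output overlaps.
Write-Output "System information:"
systeminfo
Get-ComputerInfo

# Installed updates (what is patched and when) via the deprecated wmic client.
Write-Output "Checking installed hotfixes (priv-esc relevance):"
wmic qfe get Caption,Description,HotFixID,InstalledOn

# S-1-5-32-544 is the well-known SID of the BUILTIN\Administrators group.
Write-Output "Checking local admin privileges:"
net localgroup administrators
whoami /groups | findstr /i "S-1-5-32-544"

# --- File system ----------------------------------------------------------------
# Full-disk recursive walks; access-denied errors are suppressed.
Write-Output "Searching for files with specific name:"
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue -Include $FileNamePattern

Write-Output "Searching for files with 'flag' in name:"
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue -Include *flag*

# --- Persistence and execution surface -------------------------------------------
Write-Output "Scheduled Tasks:"
schtasks /query /fo LIST /v

Write-Output "Environment PATH:"
$env:PATH

Write-Output "Shares (local):"
net share

Write-Output "Network drives:"
net use

Write-Output "Services (all):"
Get-Service

# NOTE: this filter only drops services whose binary lives under C:\Windows; it does
# not inspect quoting. Review the pathname column by hand for paths that contain
# spaces and are not wrapped in double quotes.
Write-Output "Services with unquoted paths:"
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows\\"

Write-Output "Running processes:"
tasklist
Get-Process

# Includes parent PID and full command line for each process.
Write-Output "Detailed process info:"
wmic process get name,processid,parentprocessid,commandline

Write-Output "Startup items:"
Get-CimInstance Win32_StartupCommand

# --- Accounts and sessions ------------------------------------------------------
Write-Output "Local users:"
net user
Get-LocalUser

Write-Output "Logged in users:"
query user
Get-CimInstance Win32_LoggedOnUser

Write-Output "Last logon info:"
net user $TargetUser

# --- Network --------------------------------------------------------------------
Write-Output "ARP table:"
arp -a

Write-Output "Routing table:"
route print

# -o adds the owning PID so connections can be matched against the process lists.
Write-Output "Network connections:"
netstat -ano

Write-Output "Firewall configuration:"
netsh advfirewall show allprofiles

Write-Output "Hosts file:"
Get-Content C:\Windows\System32\drivers\etc\hosts

Write-Output "DNS cache:"
ipconfig /displaydns

# --- User activity and logs -----------------------------------------------------
Write-Output "Recent files (current user):"
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Recent" -Force

# Reading the Security log requires administrative rights.
Write-Output "Event Logs (Security – last 50):"
Get-EventLog -LogName Security -Newest 50

# --- Common privilege-escalation misconfigurations --------------------------------
Write-Output "Registry Run keys:"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

# The keys are dumped as-is; the policy is only effective when AlwaysInstallElevated
# is set to 1 under both HKLM and HKCU.
Write-Output "AlwaysInstallElevated check:"
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer

# Leftover deployment answer files may contain stored credentials.
Write-Output "Unattended install files:"
dir C:\Unattend.xml -Recurse -ErrorAction SilentlyContinue
dir C:\Windows\Panther\Unattend.xml -Recurse -ErrorAction SilentlyContinue

# Presence/metadata only; the hives themselves are locked while Windows runs.
Write-Output "SAM & SYSTEM file presence:"
dir C:\Windows\System32\config\SAM
dir C:\Windows\System32\config\SYSTEM

# Lists ACLs of the top-level entries under Program Files only (icacls is not
# recursive without /T); stderr is discarded.
Write-Output "Check for writable service binaries:"
icacls "C:\Program Files\*" 2>$null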
