
If you’ve just started exploring the world of cybersecurity, one of the best ways to understand how computers really work is through the Command Prompt – the old, black-and-white window that most people ignore.
The Command Prompt may look intimidating, but for anyone starting in cybersecurity it is one of the best tools for understanding what is happening under the hood of Windows. Using CMD shows you how the operating system actually works: how it talks to the network, manages files and handles system integrity. If you would like to explore the full list of built-in commands, you can find Microsoft’s official reference here: Windows Commands – official documentation.
Before we start, if you are not familiar with the keyboard shortcut to get to the command prompt quickly, this is how it works:
- Press the Windows key (WINKEY) + R; this is the shortcut for running a program.
- Type “cmd” and press Enter (press Ctrl+Shift+Enter instead to open an elevated prompt, which several of the commands below require).
This will open the CMD tool, and you should be ready to go!
Below is a practical list of cmd commands that every aspiring cybersecurity learner should know, grouped by purpose. Each one includes a short explanation, a useful real-world example, and notes on when it matters.
CMD commands for General and System Information
1. systeminfo
This cmd command gathers and displays detailed information about your system – operating system version, architecture, installed updates, network configuration, and more. It’s often the first command used during initial reconnaissance on a Windows host, whether for legitimate auditing or security assessment.
Example:
systeminfo
It’s especially useful when checking for missing updates or identifying if a target machine runs a specific OS build that might be vulnerable.

2. tasklist
If your system starts acting strangely, you’ll want to see what’s running. tasklist gives a detailed view of all active processes, similar to the Task Manager but in text form.
Example:
tasklist
Combine it with findstr to locate specific processes. In incident response this is often one of the first steps when hunting for malicious programs.
Example:
tasklist | findstr chrome
tasklist sees the same process list as Task Manager, so it does not reveal anything a rootkit hides from the GUI. Its value is that the output can be filtered, saved to a file and compared with a snapshot from a known-good machine, which is how unfamiliar or oddly named processes stand out.
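The baseline comparison described above, as an added batch script that is not part of the original article. It snapshots the image names from tasklist on a known-good machine and later reports any image that was not in that snapshot; the file names under %TEMP% and the "baseline" argument are this example's own choices.

```batch
@echo off
REM proc_baseline.cmd (added example): snapshot running image names, later report
REM any image that is absent from the snapshot.
REM   proc_baseline.cmd baseline   -> writes %TEMP%\proc_baseline.txt
REM   proc_baseline.cmd            -> lists images running now that are not in the baseline
setlocal
set "BASE=%TEMP%\proc_baseline.txt"
set "NOW=%TEMP%\proc_now.txt"

REM Field 1 of "tasklist /fo csv /nh" is the quoted image name; %%~a drops the quotes.
REM The redirect is written first so an image name ending in a digit cannot be parsed as "2>>".
if exist "%NOW%" del "%NOW%"
for /f "tokens=1 delims=," %%a in ('tasklist /fo csv /nh') do >>"%NOW%" echo %%~a

if /i "%~1"=="baseline" (
    sort "%NOW%" /o "%BASE%"
    echo Baseline written to "%BASE%"
    goto :done
)
if not exist "%BASE%" (
    echo No baseline found. Run "%~nx0 baseline" on a known-good system first.
    goto :done
)
echo Image names running now that are absent from the baseline:
REM /g: reads one search string per line from the baseline; /x exact line, /l literal,
REM /i case-insensitive, /v prints the lines that match none of them.
sort "%NOW%" | findstr /v /x /l /i /g:"%BASE%"

:done
del "%NOW%" 2>nul
endlocal
```

Take the baseline on a freshly built machine of the same role, then run the script without arguments on the host under investigation; a name is only a lead, so follow every hit with tasklist /v and the file’s path before deciding it is malicious.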
3. chkdsk
Checks a disk for file system errors and bad sectors. It belongs to recovery, not to evidence handling: /f rewrites file system structures, so it must not be run on an original disk until a forensic image has been taken. On a restored or rebuilt system it confirms that the file system is consistent.
Example:
chkdsk C: /f
Adding /f automatically fixes detected issues. Without parameters, it only reports problems.
4. sfc
SFC (System File Checker) scans and repairs corrupted or modified system files. It’s valuable not just for troubleshooting, but also for checking integrity after suspected malware infection.
Example:
sfc /scannow
Run this as Administrator. It checks all protected system files and replaces incorrect versions with copies from the Windows component store; what it found is logged in %windir%\Logs\CBS\CBS.log. From a cybersecurity perspective it verifies whether protected OS components have been tampered with, but it says nothing about files outside that protected set, so a clean sfc result does not mean a clean machine.
5. net user
This command manages user accounts. Type net user to list them all, or net user <username> to view details about one. Security professionals use it to detect unauthorized accounts created by malware or during privilege escalation. You can also reset passwords and create or delete accounts (these changes require an elevated prompt), which is useful in system administration exercises.
Examples:
net user
– lists accounts
net user Administrator
– shows details for a specific account
net user testuser /add
– add local account
net user student NewPass123!
– assigns or changes a password for a user account
net user attacker /delete
– remove a local account (requires admin)
Checking user accounts is one of the first steps when investigating potential intrusions.
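The account review described above, as an added batch script that is not part of the original article. It walks the output of net user, prints the fields an investigator checks first for each account, and then lists the members of the local Administrators group. It assumes English Windows output (the labels differ on localized builds) and account names without spaces.

```batch
@echo off
REM account_audit.cmd (added example): list each local account with the fields
REM an investigator checks first, then show who sits in local Administrators.
REM Parses English "net user" output; localized builds print other labels.
setlocal
echo === Local accounts ===
REM "net user" prints names three per line between a dashed rule and a
REM "The command completed" footer; drop those lines and keep the name tokens.
for /f "tokens=1-3" %%a in ('net user ^| findstr /v /b /c:"User accounts" /c:"The command" /c:"---"') do (
    for %%u in (%%a %%b %%c) do call :show "%%u"
)
echo === Members of Administrators ===
net localgroup Administrators | findstr /v /b /c:"Alias name" /c:"Comment" /c:"Members" /c:"The command" /c:"---"
endlocal
exit /b 0

:show
echo --- %~1
REM Enabled accounts that need no password, and recent logons on forgotten or
REM "service" users, are the usual findings during an intrusion review.
net user "%~1" | findstr /c:"Account active" /c:"Password required" /c:"Last logon" /c:"Password last set"
exit /b 0
```

Run it from an elevated prompt so that every account is readable, and compare the Administrators list with what the build documentation says it should contain; an extra member there is a stronger signal than an extra ordinary account.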
6. cleanmgr
The Disk Cleanup utility can reclaim space by removing temporary files and system caches. From a security perspective, it’s sometimes used in remediation to remove leftover temporary files after cleanup; note that it will not reliably remove forensic artifacts.
Examples:
cleanmgr
– opens the GUI for cleanup choices
cleanmgr /sageset:1
then
cleanmgr /sagerun:1
– preconfigure options and run them non-interactively.
After incident simulations this command helps tidy a lab machine, but it is not a remediation step: it frees space, it does not remove persistence or prove that an infection is gone.
7. powercfg
This command manages power and energy settings, but also logs wake timers and devices that bring your computer out of sleep. Useful not only for optimization but also for forensic checks of unexpected wake events.
Examples:
powercfg /lastwake
– shows what last woke the computer
powercfg /devicequery wake_armed
– devices authorized to wake the system
powercfg /energy
– generates a report that can point to misbehaving drivers or scheduled tasks
In cybersecurity, powercfg /lastwake shows which device or timer woke a machine, and powercfg /waketimers lists the scheduled tasks and services that have armed a wake timer. An unexpected entry there deserves a look, since scheduled tasks are a common persistence mechanism.
8. shutdown
It’s not just for turning off your PC. With shutdown /r /t 0, you can instantly reboot; with /l, log off. In cybersecurity labs, automated scripts sometimes use it to reset systems after testing or infection simulations.
Examples:
shutdown /r /t 0
– restart immediately
shutdown /s /t 0
– shut down immediately
shutdown /a
– abort a pending shutdown
In incident response it is scripted to reboot or power off hosts after updates, locally or on a remote machine with shutdown /m \\hostname (which needs administrative rights on the target). It does not isolate a host from the network; it only stops it.
CMD commands for File, Directory and Process Management
9. dir
Lists files in a directory. With /a it includes hidden and system files and with /s it recurses into subdirectories, which turns a simple listing into a powerful enumeration command, especially when looking for hidden executables or scripts.
Examples:
dir /a /s
It’s often combined with findstr to filter output. findstr reads its pattern as a regular expression, in which a bare dot matches any character, so escape the dot and anchor the extension to the end of the line:
dir /a /s | findstr /i "\.exe$"
10. tasklist /v
The verbose form of the command from #2. It adds the session name, CPU time, the account the process runs under and the window title, which matters because malware often runs with no window under an unexpected account.
Examples:
tasklist /v
Pair it with findstr to locate suspicious processes:
tasklist /v | findstr powershell
This helps spot post-exploitation tooling that is still running, for instance a long-lived powershell.exe started under a non-interactive account.
11. taskkill
Terminates a running process by name (/im) or PID (/pid); /t also ends the processes it started. Useful when shutting down malicious executables during investigation or system cleanup, but capture what you need first (a memory image, the file on disk, the netstat output), because killing the process destroys the volatile evidence it holds.
Examples:
taskkill /im malware.exe /f
The /f flag forces termination, which is often necessary if the process resists normal closure.
CMD commands for Network Configuration and Troubleshooting
12. ipconfig
This one is your window into how your computer talks to the network. Typing ipconfig shows your IP address, default gateway and subnet mask, in other words how your device is addressed on the local network. For anyone studying cybersecurity, understanding this is fundamental. You’ll often use ipconfig /all to see details like MAC addresses and DNS servers, or ipconfig /flushdns to clear cached domain data after testing websites or spoofing scenarios.
Example:
ipconfig
ipconfig /all
– shows full network details
ipconfig /flushdns
– clears DNS cache (useful after DNS changes or when testing DNS spoofing mitigations).
13. ping
Ping checks whether a device is reachable. It sends small ICMP echo requests and measures the response time. Running ping 8.8.8.8 (Google’s DNS) tells you whether your internet connection actually works. In security testing, ping is often used to confirm that a target is alive before scanning it, but many hosts and firewalls drop ICMP, so no reply only means that ICMP is not answered, not that the host is down.
Examples:
ping 8.8.8.8
ping -n 10 example.com
– send 10 pings to measure stability.
Figure: ipconfig displays local network interface parameters, essential for diagnosing connectivity or configuration problems.
14. tracert
While ping shows if something responds, tracert shows how your packets reach that target – listing each router or “hop” on the way. This helps you map network topology and locate where traffic is delayed or blocked, which is valuable in incident investigations or when tracking suspicious routing.
Examples:
tracert google.com
tracert 8.8.8.8
In security work, it’s sometimes used to identify whether network traffic is being rerouted or intercepted.
Figure: tracert reveals each intermediate node on the path to a remote host, helping diagnose latency or routing issues.
15. netstat
Netstat reveals all active network connections and listening ports. Type netstat -ano to see which processes are using which ports. This command is gold when investigating suspicious activity – if you find a strange process listening on an unexpected port, it could hint at malware or a backdoor. Analysts use netstat -b to detect suspicious outbound connections.
Examples:
netstat -ano
– to see which processes are using which ports
netstat -b
– (requires elevation) shows the executable involved in creating each connection.
netstat -r
– shows the system’s routing table – the internal “map” of how data travels between interfaces. Unusual or unknown routes may indicate rogue gateways or VPN misconfigurations.
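The netstat-to-process correlation described above, as an added batch script that is not part of the original article. It takes every listening TCP socket from netstat -ano and looks up the owning image with tasklist, so you get port and process name on one line instead of matching PIDs by hand. It assumes English netstat output and, for complete results, an elevated prompt.

```batch
@echo off
REM listeners.cmd (added example): join "netstat -ano" with "tasklist" so each
REM listening TCP port is printed next to the process that owns it.
REM Run elevated for complete results; assumes English netstat output.
setlocal enabledelayedexpansion
echo PROTO  LOCAL ADDRESS  PID  IMAGE
REM Listening rows look like: TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  912
REM so token 1 is the protocol, token 2 the local socket and token 5 the PID.
for /f "tokens=1,2,5" %%a in ('netstat -ano ^| findstr /c:"LISTENING"') do (
    set "image=unknown"
    REM tasklist /fi filters on the PID; /nh drops the header and /fo csv quotes field 1.
    REM When nothing matches tasklist prints an "INFO:" line, which is filtered out.
    for /f "tokens=1 delims=," %%p in ('tasklist /fi "PID eq %%c" /fo csv /nh ^| findstr /v /b /c:"INFO:"') do set "image=%%~p"
    echo %%a  %%b  %%c  !image!
)
endlocal
```

Read the result the way an analyst would: a listener bound to 0.0.0.0 or [::] is reachable from the network, so any such port owned by an image you cannot account for (or by a copy of a system binary living outside C:\Windows) is the first thing to pull the file path and hash for.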
Figure: netstat -b lists active connections and the executables that opened them, aiding in detecting suspicious or unauthorized network activity.
16. nslookup
Resolves domain names to IP addresses – useful for checking DNS configuration or investigating suspicious domains. Every time you visit a website, your system needs to translate the name (like example.com) into an IP address. nslookup lets you perform that translation manually. You can also use it to test DNS servers or see whether a domain points somewhere suspicious.
Examples:
nslookup
– enters interactive mode; typing server 8.8.8.8 and then example.com queries that DNS server directly
nslookup example.com
nslookup -type=mx gmail.com
– retrieves mail exchange records
DNS queries can reveal phishing infrastructure or malware command-and-control hosts. Resolve suspicious names from an analysis network rather than a production host: the query itself reaches external servers and can be observed by whoever runs them.
Figure: nslookup with the MX flag retrieves mail exchange records, confirming which servers handle a domain’s email routing.
17. netsh
A powerful network shell for viewing and modifying network configuration. One practical and commonly used forensic trick is extracting saved Wi-Fi profiles and their plaintext keys (requires admin). Use this to audit what Wi-Fi networks a machine has stored and to check for weak shared keys.
Examples:
netsh wlan show profiles
– list saved Wi-Fi profiles
netsh wlan show profile name="WiFiName" key=clear
– show the plaintext key for that profile (replace WiFiName with the actual profile name)
netsh interface ipv4 show config
– show IPv4 interface configuration.
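The Wi-Fi profile audit described above, as an added batch script that is not part of the original article. Instead of querying one profile at a time, it reads the profile names out of netsh wlan show profiles and prints the authentication type, cipher and stored key for each. It assumes an elevated prompt and English netsh output, and profile names that contain no colon.

```batch
@echo off
REM wifi_audit.cmd (added example): dump every saved Wi-Fi profile with its
REM authentication type, cipher and stored key. Requires an elevated prompt;
REM assumes English netsh output and profile names without a colon.
setlocal enabledelayedexpansion
REM Profile lines look like "    All User Profile     : HomeNet"; keep the text after the colon.
for /f "tokens=1,* delims=:" %%a in ('netsh wlan show profiles ^| findstr /c:"All User Profile"') do (
    set "name=%%b"
    REM drop the single space that follows the colon
    set "name=!name:~1!"
    echo === !name! ===
    netsh wlan show profile name="!name!" key=clear | findstr /c:"Authentication" /c:"Cipher" /c:"Key Content"
)
endlocal
```

A profile whose Authentication line reads Open or WEP, or whose Key Content is a short dictionary word, is the audit finding; treat the output as sensitive and delete it once the review is done, since it contains working credentials.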
18. arp
Displays the ARP table, the mapping between IP addresses and MAC addresses that this host has learned. It helps detect ARP spoofing or unfamiliar devices on the local network.
Example:
arp -a
Compare entries against expected devices to detect anomalies. The classic symptoms of spoofing are the gateway’s MAC changing between two runs, or one MAC address answering for several IP addresses.
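The duplicate-MAC check described above, as an added batch script that is not part of the original article. It extracts the dynamic entries from arp -a, sorts them by MAC address and warns whenever one MAC is answering for more than one IP, which is what a tool poisoning the gateway entry looks like from the victim’s cache. It assumes English arp output; the temporary file name is this example’s own choice.

```batch
@echo off
REM arp_check.cmd (added example): flag a MAC address that answers for more than
REM one IP in the local ARP cache. Assumes English "arp -a" output; static
REM entries (broadcast, multicast) are skipped.
setlocal enabledelayedexpansion
set "TMP_LIST=%TEMP%\arp_by_mac.txt"
if exist "%TMP_LIST%" del "%TMP_LIST%"

REM Dynamic rows look like "  192.168.1.1   aa-bb-cc-dd-ee-ff   dynamic"; store them as "MAC IP"
for /f "tokens=1,2" %%a in ('arp -a ^| findstr /i /c:"dynamic"') do >>"%TMP_LIST%" echo %%b %%a
if not exist "%TMP_LIST%" (
    echo No dynamic ARP entries found.
    goto :done
)

set "prev="
set "previp="
set "dupes=0"
REM After sorting, equal MACs are adjacent, so comparing each row with the previous one finds repeats.
for /f "tokens=1,2" %%m in ('sort "%TMP_LIST%"') do (
    if /i "%%m"=="!prev!" (
        echo WARNING: %%m answers for both !previp! and %%n
        set /a dupes+=1
    )
    set "prev=%%m"
    set "previp=%%n"
)
if !dupes!==0 (
    echo OK: every dynamic MAC maps to a single IP
) else (
    echo !dupes! duplicate MAC entries; compare with the gateway's real MAC before trusting this network
)

:done
del "%TMP_LIST%" 2>nul
endlocal
```

A hit is not proof on its own: a router that proxies ARP for several addresses, or a host with multiple IPs on one adapter, produces the same pattern. Confirm by checking whether the duplicated MAC matches the gateway’s known hardware address and whether it changes when you run the script again a minute later.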
Why These CMD Commands Matter for Cybersecurity
Every one of these commands teaches visibility – the foundation of system defense. GUI tools show results, but CMD shows the process, the logs, and the live data flow. Security professionals rely on this perspective to detect anomalies, verify integrity, and understand the network beyond the surface level.
For absolute beginners, mastering these commands means you stop being a passive user and start becoming an analyst. You’ll know how to ask your system questions – and how to read its answers.
If you want to explore all available Windows command-line tools in greater depth, take a look at Microsoft’s official documentation.
Ready to go further?
Join Cybersteps’ Cybersecurity course, where you’ll use these commands in real-world labs, mapping networks, monitoring connections, and analyzing Windows systems hands-on. Understanding CMD commands is not just a cool trick – it’s a crucial step toward gaining cybersecurity expertise.