Useful Windows Commands

Image: Microsoft Windows logo. Image credit: Unsplash by BoliviaInteligente

Useful Windows Commands: Important Windows Security Commands for a Network Administrator

The Windows Command Line Interface has a lot of predefined commands that allow users to modify, configure, and perform various security operations on their files to protect the computer from being attacked. You can access these commands through Command Prompt or PowerShell, giving administrators powerful control over accounts, files, networks, and firewalls.

Net User

The Windows net user command is a core utility used by administrators to manage user accounts on a computer directly through the Command Prompt or PowerShell interface. It allows for creating, modifying, and removing accounts efficiently.

To use most features of net user, you must open the Command Prompt or PowerShell as an administrator by searching for "cmd" or "powershell", right-clicking the result, and selecting "Run as administrator".

Viewing User Information

List All Users: Simply type net user. This command lists all the user accounts present on the local machine or domain.

View A Specific User's Details: To see extensive information about a single user, type net user JohnDoe, replacing JohnDoe with the actual username. This shows details like account status, last login time, password expiration, and group memberships.

Managing User Accounts

Add A New User: To create an account, use the /add switch. A basic command looks like this: net user JohnDoe password123 /add. This creates the user "JohnDoe" with the initial password "password123".

Delete A User: To remove an account, use the /delete switch: net user JohnDoe /delete. This action is immediate and permanent, so use it with caution.

Change A Password: You can reset a user's password in two main ways.

To type the new password in a hidden, secure prompt, use an asterisk: net user JohnDoe * . After pressing Enter, you will be prompted to type and confirm the new password without it appearing on the screen.

To set the password directly in the command (less secure, as it is visible in command history), you can type net user JohnDoe NewPassword.

Modifying User Properties with Switches

You can add specific options, called "switches" (which start with a forward slash /), after the username to control account settings.

Enable or Disable an Account: Use /active:no to temporarily stop a user from logging in without deleting their account. Use /active:yes to re-enable it.

Example: net user JohnDoe /active:no

Set The Full Name: The username is for logging in; the full name is for display purposes. Use the /fullname switch.

Example: net user JohnDoe /fullname:"John Doe Smith"

Set Account Expiration: You can set an account to expire on a specific date using /expire:date (format varies by region) or /expire:never.

Example: net user JohnDoe /expire:12/31/2025

Limit Login Times: Restrict when a user can log in using /times. You can specify days and hours.

Example: net user JohnDoe /times:M-F,08:00-17:00 (Monday to Friday, 8 AM to 5 PM)

Domain Management: If you are working in a large corporate network environment, you must add the /domain switch to the end of your commands to manage users on the network domain controller rather than your local PC.

Example: net user JohnDoe /domain

For a complete list of all possible switches and their exact usage, you can always type net help user in the Command Prompt.

Net Accounts 

The net accounts command is a classic Windows command-line tool used to view and adjust the local security policies for user accounts on a computer. It primarily focuses on password and account lockout settings. This command is specifically for stand-alone or workgroup computers and cannot be used to change policies on a domain controller, as domain-level policies override local ones. 

Function and Usage

When you run the simple command net accounts, it displays the current settings for the local password and account lockout policies, such as the minimum password length, maximum password age, and the lockout threshold. 

The command can also be used with several options to modify these settings. You must have administrator privileges to use these options and actually change the policies. The changes you make take effect the next time a user changes their password. 

Key Options Explained

Here are the main options for the net accounts command and what they do:

/FORCELOGOFF:{minutes | NO}: This option sets the number of minutes a user has before they are automatically forced to log off the system when their allowed logon time expires or their password is about to expire. You can set a specific number of minutes or use NO to disable forced logoffs.

/MINPWLEN:length: This is used to define the minimum number of characters required for a user's password. You can set a length from 0 to 127 characters. A higher number makes passwords harder to guess.

/MAXPWAGE:{days | UNLIMITED}: This sets the maximum number of days a password can be used before the user is forced to change it. This value can be any number from 1 to 49,710 days, or you can use UNLIMITED to make passwords never expire. The default is typically 90 days.

/MINPWAGE:days: This option sets the minimum number of days a user must keep their new password before they are allowed to change it again. This stops users from immediately switching back to an old, familiar password. The value can be 0 or any number up to the maximum password age.

/UNIQUEPW:number: This specifies how many previous passwords the system remembers and prevents the user from reusing. The number can be from 0 to 24.

/DOMAIN: Adding this option to the end of a net accounts command tells the computer to perform the operation on the primary domain controller of the current domain (if the computer is a member of a domain). Without this option, the command works only on the local computer's settings. 
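An added example, not from the original page: a PowerShell audit that parses net accounts output and reports which of the four password settings described above miss a baseline, along with the net accounts command that would correct each one. The baseline numbers and the function names are assumptions for illustration, and the sample output is constructed in English-language form.

```powershell
# Constructed sample of English `net accounts` output (not from a real host).
$sampleAccounts = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Computer role:                                        WORKSTATION
The command completed successfully.
'@ -split "`r?`n"

# Assumed baseline for illustration; substitute your organisation's values.
# WordMeans is the number a word such as "None" or "Unlimited" stands for.
$baseline = @(
    @{ Label = 'Minimum password length';               Switch = '/MINPWLEN'; Want = 12; Test = 'ge'; WordMeans = 0 }
    @{ Label = 'Maximum password age (days)';           Switch = '/MAXPWAGE'; Want = 90; Test = 'le'; WordMeans = [int]::MaxValue }
    @{ Label = 'Minimum password age (days)';           Switch = '/MINPWAGE'; Want = 1;  Test = 'ge'; WordMeans = 0 }
    @{ Label = 'Length of password history maintained'; Switch = '/UNIQUEPW'; Want = 24; Test = 'ge'; WordMeans = 0 }
)

function ConvertFrom-NetAccounts {
    param([string[]]$Lines)
    $policy = @{}
    foreach ($line in $Lines) {
        # "Label:   value". The label may contain '?' or '(days)', so match up
        # to the first colon that is followed by whitespace and a value.
        if ($line -match '^(?<label>.+?):\s+(?<value>\S.*)$') {
            $policy[$Matches.label.Trim()] = $Matches.value.Trim()
        }
    }
    $policy
}

function ConvertTo-PolicyNumber {
    param([string]$Value, [int]$WordMeans)
    $n = 0
    if ([int]::TryParse($Value, [ref]$n)) { return $n }
    return $WordMeans
}

function Test-NetAccountsPolicy {
    param([string[]]$Lines)
    $policy = ConvertFrom-NetAccounts $Lines
    foreach ($rule in $baseline) {
        $raw = $policy[$rule.Label]
        if ($null -eq $raw) {
            # Label not present (localized Windows or changed output): report it, do not guess.
            [pscustomobject]@{ Setting = $rule.Label; Current = '<not found>'; Ok = $false; Fix = '' }
            continue
        }
        $n = ConvertTo-PolicyNumber $raw $rule.WordMeans
        $ok = if ($rule.Test -eq 'ge') { $n -ge $rule.Want } else { $n -le $rule.Want }
        $fix = ''
        if (-not $ok) { $fix = "net accounts $($rule.Switch):$($rule.Want)" }
        [pscustomobject]@{ Setting = $rule.Label; Current = $raw; Ok = $ok; Fix = $fix }
    }
}

Test-NetAccountsPolicy $sampleAccounts | Format-Table -AutoSize

# Live use on a stand-alone or workgroup machine:
# Test-NetAccountsPolicy (net accounts) | Format-Table -AutoSize
```

The script only prints the suggested commands; applying them still requires an elevated prompt.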

Modern Alternatives and Relevance

The net accounts command is an older tool that has been available since early versions of Windows. While it still works for managing local machine policies, it is generally considered a legacy command in modern Windows administration. For managing security policies in a modern enterprise network with Active Directory, administrators typically use the Group Policy Management Console (GPMC). PowerShell commands are also a more powerful and recommended alternative for modern automation and management tasks. 

Netstat

The Windows netstat command (short for network statistics) is a vital, built-in tool used from the command line to check on your computer's network activity and troubleshoot connectivity problems. It gives you a clear picture of all current network connections, which ports on your computer are open and waiting for connections, and provides various network performance statistics. 

Core Functionality

When you run the basic netstat command without any extra options, it shows a list of all current, active TCP (Transmission Control Protocol) connections. For each connection, it displays: 

Protocol: The type of connection, either TCP or UDP (User Datagram Protocol).

Local Address: Your computer's IP address and the specific port number it is using.

Foreign Address: The IP address and port number of the remote computer you are connected to.

State: The current condition of the connection, such as ESTABLISHED (active and working), LISTENING (waiting for an incoming connection), TIME_WAIT (finishing up a connection), or CLOSED. This information is very useful for monitoring your system and spotting unusual connections, which might indicate issues like malware. 

Useful Options (Parameters)

You can add simple options (also called switches or parameters, starting with a hyphen -) to the netstat command to see more specific information. 

netstat -a: This is a very common command. It shows all active connections and all the ports that are open and listening for incoming traffic, not just the currently active ones. This provides a complete picture of your computer's network availability.

netstat -n: This option makes the output faster by showing addresses and port numbers as pure numbers, without trying to find their names (like website names). This avoids delays if the network has problems with name lookups.

netstat -o: This command is extremely helpful for security and troubleshooting. It shows the Process ID (PID) for each connection. The PID is a unique number that you can use in the Windows Task Manager to find exactly which application or program is using that specific network connection.

netstat -b: Similar to -o, this option takes it a step further by trying to display the actual program's executable name (like chrome.exe or spotify.exe) that opened the connection. You generally need to run the command prompt as an administrator for this to work properly.

netstat -s: This displays detailed overall statistics for each network protocol (like TCP, UDP, IP, and ICMP). It shows counts of packets sent and received, and any errors, which helps diagnose performance bottlenecks or hardware problems.

netstat -r: This command shows your computer's routing table. The routing table is like a set of directions your computer uses to decide the best path for sending network traffic to different destinations.

netstat -e: This displays simple statistics for your network adapter, showing the number of bytes and packets sent and received.

netstat <interval>: You can add a number, like netstat 5, to make the command repeat and update the information every 5 seconds until you press Ctrl+C to stop it. 

You can combine many of these options, for example, netstat -ano will show all connections, in numeric form, with their process IDs. This combination is very popular for in-depth monitoring and troubleshooting. 
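An added example, not from the original page: a PowerShell script that parses netstat -ano output, keeps the TCP listeners bound to a non-loopback address, and resolves each PID to an image name from tasklist /fo csv /nh output (tasklist is covered in the next section). The function names are hypothetical, both sample texts are constructed, and English-language output is assumed.

```powershell
# Constructed sample text, not captured from a real host.
$sampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       3320
  TCP    192.168.1.5:49712      203.0.113.10:443       ESTABLISHED     7804
  TCP    [::]:8080              [::]:0                 LISTENING       9156
  UDP    0.0.0.0:5353           *:*                                    2208
'@ -split "`r?`n"

# Constructed `tasklist /fo csv /nh` rows. PID 9156 is missing on purpose.
$sampleTasklist = @'
"System","4","Services","0","144 K"
"svchost.exe","1012","Services","0","11,208 K"
"svchost.exe","2208","Services","0","9,876 K"
"helper.exe","3320","Console","1","20,480 K"
"chrome.exe","7804","Console","1","150,112 K"
'@ -split "`r?`n"

function ConvertFrom-NetstatAno {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = @(-split $line)                      # split on runs of whitespace
        if ($f.Count -lt 4 -or $f[0] -notmatch '^(TCP|UDP)$') { continue }
        # UDP rows have no State column, so they carry 4 fields instead of 5.
        $state = ''
        if ($f.Count -ge 5) { $state = $f[3] }
        $local = $f[1]
        $i = $local.LastIndexOf(':')              # also correct for [::]:8080
        [pscustomobject]@{
            Proto     = $f[0]
            Address   = $local.Substring(0, $i)
            Port      = [int]($local.Substring($i + 1))
            Remote    = $f[2]
            State     = $state
            OwningPid = [int]($f[-1])
        }
    }
}

function Get-ProcessNameMap {
    param([string[]]$TasklistCsv)
    $map = @{}
    $TasklistCsv | Where-Object { $_ } |
        ConvertFrom-Csv -Header Image, ProcId, Session, SessionNum, Mem |
        ForEach-Object { $map[[int]$_.ProcId] = $_.Image }
    $map
}

function Get-ExposedListener {
    param([string[]]$NetstatLines, [string[]]$TasklistCsv)
    $names = Get-ProcessNameMap $TasklistCsv
    ConvertFrom-NetstatAno $NetstatLines |
        Where-Object { $_.State -eq 'LISTENING' -and $_.Address -notmatch '^(127\.|\[::1\])' } |
        ForEach-Object {
            # A PID with no tasklist row means the process exited between the
            # two snapshots or was not visible to the caller.
            $name = $names[$_.OwningPid]
            if (-not $name) { $name = '<no matching process>' }
            [pscustomobject]@{
                Port = $_.Port; Address = $_.Address
                OwningPid = $_.OwningPid; Image = $name
            }
        } | Sort-Object Port
}

Get-ExposedListener $sampleNetstat $sampleTasklist | Format-Table -AutoSize

# Live use:
# Get-ExposedListener (netstat -ano) (tasklist /fo csv /nh) | Format-Table -AutoSize
```

Comparing this list against the services a machine is expected to offer is a quick way to spot a listener that needs explaining.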




TASKLIST and TASKKILL

Windows' TASKLIST and TASKKILL are powerful command-line tools used for managing running programs and processes. TASKLIST shows you what is running, and TASKKILL stops processes. They provide more control than the standard Task Manager graphical interface, especially for automation or troubleshooting unresponsive applications. 

TASKLIST: Viewing Running Processes

The TASKLIST command displays a detailed list of all processes currently running on the computer. Running the simple command tasklist in the Command Prompt gives basic information, including the Image Name (the program's executable file name) and the unique Process ID (PID). The PID is a number Windows uses to identify each running program. 

You can add options (called "switches") to the basic command to get more specific information: 

/v: This switch provides verbose (very detailed) output, showing extra information like the session, CPU time, and window title for each process.

/svc: This shows any associated services running within a process.

/fi <filter>: This allows you to filter the list to find specific processes. For example, you can filter by memory usage, status (like "NOT RESPONDING"), or user name.

/s <system>: This allows you to check processes on a remote computer on the network.

TASKKILL: Stopping Processes 

The TASKKILL command is used to stop one or more running processes. This is useful for closing programs that are frozen or not responding, which the Task Manager might struggle with. You must tell TASKKILL which process to stop, either by its Process ID (PID) or its Image Name. 

Here are the key options for the TASKKILL command:

/PID <processID>: Terminates the process with the specified process ID. You would typically use the TASKLIST command first to find this number.

/IM <imagename>: Terminates processes by their image name (e.g., notepad.exe).

/F: This is a very important switch that forces the process to terminate immediately, ignoring any requests to save data or shut down normally. It is often necessary for unresponsive programs.

/T: This option performs a "tree kill," which means it terminates the specified process and any child processes that were started by it. 

Common Usage Example

A common scenario is a program that freezes. You could use these commands to close it: 

First, find the process's PID: tasklist /fi "IMAGENAME eq frozenapp.exe"

Then, force-kill it using the PID: taskkill /F /PID 1234 (where 1234 is the PID you found).

Alternatively, to close all instances of a program by name, you could use taskkill /F /IM frozenapp.exe. 

Ipconfig and Ping

ipconfig and ping are two of the most basic and vital tools used on Windows computers to understand and troubleshoot network problems. They are simple command-line tools that help you see your computer's network settings and test connectivity to other devices.

Ipconfig (IP Configuration)

ipconfig is like asking your computer, "What are my network settings?" It tells you how your computer is connected to a network and what address it is using. 

What It Shows You

When you type ipconfig into the command prompt, the main things you will see are:

IP Address: This is your computer's unique address on the local network, like a house number. For example, 192.168.1.5.

Default Gateway: This is the address of your router, the device that lets your computer connect to the internet. It acts as the "doorway" to the outside world.

Subnet Mask: This helps your computer figure out which other addresses are in the same local network.

Key Commands

ipconfig /all: This gives you much more detailed information, including your computer's physical (MAC) address and the addresses of the DNS servers it is using.

ipconfig /release and ipconfig /renew: These commands are used to "give back" your current IP address to the network and then "ask for a new one." This can fix problems where your computer isn't getting a valid network address. 

Ping (Packet Internet Groper) 

ping is used to test if your computer can communicate with another device on the network or the internet. It is like sending a small "hello" message and waiting for a "hello back". 

Whoami

The Windows whoami command is a simple but powerful tool used to display information about the account you are currently using on your computer. It essentially answers the question "Who am I?" within the computer's system. This is very helpful when you need to quickly confirm which user account you are operating under, especially in multi-user environments, or when running commands that require special permissions. 

Basic Usage

To use the command, you simply open the Command Prompt (CMD) or PowerShell and type whoami, then press Enter. 

Command: whoami

Output:

The command will typically return the current domain or computer name, followed by your user name. For example, the output might look like SALES\JOHN or COMPUTERNAME\Admin. 

Advanced Usage (Command Switches)

The real strength of whoami comes from using special options, or "switches," which allow you to see much more detailed information than just your username. These switches are added to the main command, like this: whoami /option. 

/user: This switch shows your current user name along with your Security Identifier (SID). A SID is a unique code that the computer uses internally to identify your account.

/groups: This is very useful. It lists all the security groups that your user account belongs to. This helps you understand what permissions you have on the system, as access is often given to groups rather than individual users.

/priv: This switch lists all the specific security privileges your account has. Privileges are like special rights, such as the ability to shut down the system or back up files.

/all: This single command gives you a full report, combining the information from the /user, /groups, and /priv switches. It displays all the user, group, and privilege details in one go.

/fqdn: This shows your user name using its full internet address format (Fully Qualified Domain Name), which is mainly used in large network environments.

/upn: This displays your username in the User Principal Name format, which looks like an email address (e.g., john@example.com). 

Why Is It Useful?

System administrators often use the whoami command for troubleshooting access issues or in scripts to automate tasks and ensure they run with the correct user permissions. It is a quick and effective way to manage and verify user identities on a Windows system. 
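An added example, not from the original page: a script guard that reads whoami /groups /fo csv /nh and decides from the integrity-level SID whether the shell is elevated, because Administrators membership alone does not show that. The function name and both sample texts are constructed; the SIDs are well-known values, and the "deny only" attribute text is assumed to be English.

```powershell
# Constructed sample: administrator account in a NON-elevated shell. The
# Administrators group is present in the token but marked deny-only.
$sampleFiltered = @'
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""
'@ -split "`r?`n"

# Constructed sample: the same account after "Run as administrator".
$sampleElevated = @'
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\High Mandatory Level","Label","S-1-16-12288",""
'@ -split "`r?`n"

function Get-TokenSummary {
    param([string[]]$GroupsCsv)
    # /nh drops the header row, so the column names are supplied here and the
    # parse does not depend on the display language of the headers.
    $groups = $GroupsCsv | Where-Object { $_ } |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes

    $admin = $groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' }
    $label = $groups | Where-Object { $_.Sid -like 'S-1-16-*' } | Select-Object -First 1

    # The last component of the label SID is the integrity level:
    # 8192 = Medium, 12288 = High, 16384 = System.
    $rid = 0
    if ($label) { $rid = [int](($label.Sid -split '-')[-1]) }

    [pscustomobject]@{
        InAdministrators = [bool]$admin
        AdminDenyOnly    = [bool]($admin -and $admin.Attributes -match 'deny only')
        IntegrityRid     = $rid
        Elevated         = ($rid -ge 12288)
    }
}

Get-TokenSummary $sampleFiltered | Format-List
Get-TokenSummary $sampleElevated | Format-List

# Guard at the top of an administrative script (live use):
# $token = Get-TokenSummary (whoami /groups /fo csv /nh)
# if (-not $token.Elevated) { throw 'Run this script from an elevated prompt.' }
```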

Cipher

The Windows Cipher tool (cipher.exe) is a powerful, built-in command-line utility used by administrators to manage data encryption on drives that use the NTFS file system, primarily through the Encrypting File System (EFS). It also has a well-known function to securely erase deleted data from a disk, preventing its recovery. 

Core Functionality: Encryption Management

The primary purpose of the Cipher tool, as part of EFS, is to control which files and folders are encrypted. When used without any extra commands, it simply shows the encryption status of the current folder and any files inside it. 

Encrypting Data: The cipher /e command is used to encrypt specified files or directories. When a directory is marked for encryption, any new files added to that folder are automatically encrypted as well. This process converts the data into an unreadable format, making it inaccessible to anyone without the proper decryption key, even if they have physical access to the computer's hard drive. The operating system manages the automatic decryption when the authorized user accesses the file.

Decrypting Data: Conversely, the cipher /d command removes the encryption from specified files or directories, returning them to their normal, readable state.

Managing Encryption Keys: Cipher also helps manage the user's encryption certificates and keys. For example, the cipher /k command creates a new file encryption key for the current user, while cipher /x allows users to back up their EFS certificate and keys to a file for safety. 

Securely Erasing Deleted Data 

One of the most important and common uses for the Cipher tool is to permanently remove data that was previously deleted using normal methods. 

When a user deletes a file in Windows, the data is not immediately wiped from the disk. Instead, the space it occupied is simply marked as available for new data, and the pointer to the file is removed. Until that space is written over, the old data can often be recovered using special software. 

The cipher /w command is designed to prevent this recovery by overwriting the unused (deallocated) space on the drive. It works by performing multiple passes, typically overwriting the free space with a series of zeros, then ones, and finally random numbers. This process makes the previously deleted information unrecoverable. 

To use this feature:

Close all running programs.

Open the Command Prompt.

Type cipher /w:<directory>, where <directory> is any folder on the volume you want to clean (e.g., cipher /w:C: for the C: drive). 

Limitations and Considerations

NTFS Requirement: The Cipher tool's encryption and secure-wipe features only work on drives formatted with the NTFS file system.

Running Programs: All programs should be closed before running the /w command, as the process needs exclusive access to the free space.

SSD Limitations: The secure wiping of free space might be less effective on Solid State Drives (SSDs) due to how they manage memory internally (wear leveling).

System Files: The command primarily targets unallocated space and generally does not affect data stored in system structures like the Master File Table (MFT) or Volume Shadow Copies, which may require different tools for secure deletion.

EFS Availability: File encryption using EFS is generally not available in the Home editions of Windows. 

Attrib

The Windows attrib command is a powerful tool used in the Command Prompt to view or change the special properties, known as attributes, assigned to files and folders. These attributes are simple markers that tell the operating system how to handle the file. 

How to Use The Attrib Command

The basic way to use the command is to type attrib followed by specific letters (switches) to add or remove attributes, and then the name of the file or folder. 

To add an attribute, you use a plus sign (+) before the attribute letter.

To remove an attribute, you use a minus sign (-) before the attribute letter.

If you type attrib by itself, it displays the attributes of all items in your current location. 

Key Attributes

The four main attributes you will use most often are:

R (Read-only): When this is set, a file cannot be easily changed or deleted by accident. Programs might not be able to save changes to it.

A (Archive): This flag is a signal for backup programs. When a file is created or changed, Windows sets this "archive bit" on. Backup software looks for files with this mark and clears the mark after backing them up, ensuring only new or modified files are included in the next backup.

H (Hidden): This makes a file or folder invisible in standard views like File Explorer, unless you change your folder settings to "show hidden files". Some viruses use this to hide themselves.

S (System): This marks a file as a critical system file needed for the operating system to work. These files are hidden by default, and you must clear the system attribute before you can change other attributes. 

Extra Options (Switches)

You can also use extra options to control how the command works: 

/S: This means the command will work on files in the current folder and all subfolders inside it.

/D: This lets you include folders in the command's action, not just files. 

Common Examples in Simple English

Here are a few ways you might use the attrib command:

View attributes:

attrib important_doc.txt (Shows the current attributes of the file named "important_doc.txt")

Make a file hidden:

attrib +h secret_file.txt (Adds the Hidden attribute to "secret_file.txt")

Make a file visible again:

attrib -h secret_file.txt (Removes the Hidden attribute from "secret_file.txt")

Make a file read-only:

attrib +r configuration.sys (Adds the Read-only attribute)

Remove read-only from many files:

attrib -r b:\public\*.* /s (Removes the Read-only attribute from all files in the b:\public folder and all its subfolders)

Hide a folder that is hard to unhide:

attrib +s +h "My Private Folder" (This combination makes the folder very hidden, often not appearing even when "show hidden files" is enabled in Explorer) 

The attrib command is a flexible and essential tool for managing file visibility and protection at a basic level using the command line. 
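An added example, not from the original page: a PowerShell check that lists every file or folder carrying both the Hidden and System attributes, the attrib +s +h combination described above, even when File Explorer does not show them. The function name, the allow-list and the demo file names are assumptions; the demo data is created in a throwaway folder under %TEMP% and removed afterwards.

```powershell
function Find-HiddenSystemItem {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Names that Windows itself commonly marks +s +h (assumed allow-list).
        [string[]]$Allow = @('desktop.ini', 'Thumbs.db')
    )
    $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    # -Force makes Get-ChildItem return hidden and system items as well.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $mask) -eq $mask -and $Allow -notcontains $_.Name } |
        Select-Object FullName, Attributes, LastWriteTime
}

# Constructed demo data (Windows only).
$demo = Join-Path $env:TEMP ('attrib-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
'normal'  | Set-Content (Join-Path $demo 'report.txt')
'flagged' | Set-Content (Join-Path $demo 'updater.dat')
New-Item -ItemType Directory -Path (Join-Path $demo 'My Private Folder') | Out-Null

attrib +h (Join-Path $demo 'report.txt')              # hidden only: not reported
attrib +s +h (Join-Path $demo 'updater.dat')          # hidden + system: reported
attrib +s +h (Join-Path $demo 'My Private Folder')    # folders can carry both flags too

Find-HiddenSystemItem -Path $demo | Format-Table -AutoSize

# Clean up the demo folder; -Force is needed because of the attributes just set.
Remove-Item -LiteralPath $demo -Recurse -Force
```

Pointing the function at user-writable locations such as a profile or download folder gives a short list to review, since few legitimate user files need both flags.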

System File Checker (SFC)

The Windows System File Checker, commonly known as SFC or sfc /scannow, is a powerful command-line utility built into Microsoft Windows. Its primary purpose is to protect the integrity of essential system files and replace corrupted, damaged, or deleted versions with correct, original copies. 

What Is SFC?

Think of SFC as a guardian for your core Windows files. These files are crucial for the operating system to run properly. If one becomes corrupted (perhaps due to a power outage, a software crash, or a malware infection), Windows might become unstable, crash, or fail to start.

How Does It Work?

When you run the SFC command, it performs two main tasks:

Scanning: It deeply examines protected system files to check for any inconsistencies or signs of damage.

Repairing (Restoring): It compares the files on your hard drive with original, trusted copies stored in a special, hidden location on your computer. If it finds a problem, it automatically replaces the bad file with a good one. This process is silent and automatic once the scan begins. 

Why Use SFC?

You would typically use SFC if you notice unusual behavior in your Windows system. This could include:

Frequent application crashes.

System instability or random reboots.

"Blue Screen of Death" errors.

Missing dynamic link library (DLL) files errors.

General slow performance that cannot be explained otherwise. 

It acts as a first line of defense for system-level troubleshooting before more drastic measures like reinstalling Windows are considered. 

How to Run SFC

The most common way to run the tool is through the Command Prompt or PowerShell, which must be opened with administrator privileges. 

Open the Start Menu.

Type "CMD" or "Command Prompt".

Right-click the result and select "Run as administrator".

In the black window that appears, type the command sfc /scannow and press Enter. 

The process will take some time, from a few minutes to over an hour, depending on the speed of your computer and the state of your system. You must not close the window until it is complete. 

Possible Results

Once finished, SFC will provide a final message. The results are usually one of the following:

"Windows Resource Protection did not find any integrity violations." This is good news; your system files are all in order.

"Windows Resource Protection found corrupt files and successfully repaired them." This means problems were found and fixed automatically. You may need to restart your computer for the changes to fully take effect.

"Windows Resource Protection found corrupt files but was unable to fix some of them." This indicates a more serious problem. The specific details can be found in a log file, but you might need to use other advanced tools like DISM (Deployment Image Servicing and Management) to fix the underlying issue that SFC couldn't resolve alone. 

Limitations

While SFC is very helpful, it has limitations. It only checks core Windows files, not third-party application files, drivers, or your personal documents. It's one tool in a larger set of troubleshooting utilities. 

Deployment Image Servicing and Management (DISM)

Windows Deployment Image Servicing and Management (DISM) is a powerful, built-in command-line tool used by system administrators and everyday users to manage and repair Windows system images. Think of it as an all-in-one toolkit for maintaining the core foundation of your Windows operating system, ensuring its health and stability. 

Core Purpose

The primary function of DISM is to prepare, modify, and fix Windows images, which are essentially snapshot files of the entire operating system. These images are used for installing Windows on new computers or for recovery purposes. A key benefit of DISM is that it can work on an offline image (one that is not currently running) or a live system, offering great flexibility. 

Key Capabilities

DISM provides extensive control over Windows installations through various functions: 

System Repair: This is a major use for everyday users. When Windows files become corrupted or go missing (often after system crashes or malware issues), DISM can scan the current operating system image for problems and automatically download and restore healthy, official replacement files from Microsoft's servers via Windows Update. It is often used as a follow-up to the System File Checker (sfc /scannow) tool when that tool cannot fix an issue.

Image Management: For IT professionals, DISM can "mount" an image file (like a .wim or virtual hard disk .vhd file), making its contents accessible like a regular folder. This allows for detailed inspection and modification. Users can also capture a current system setup into a new image file, split images, or add/remove different versions of Windows within one file.

Customization and Configuration: DISM allows for deep customization of a Windows image before it is installed on a computer. This includes:

Adding/Removing Drivers: Ensuring compatibility with specific hardware by injecting necessary drivers into the image.

Managing Features: Turning Windows features (like the .NET Framework or specific tools) on or off.

Applying Updates: Integrating the latest security patches and software updates into the image offline, so the final installation is up-to-date from day one.

Changing Settings: Modifying international language settings and other configurations. 

Common Usage Scenarios

Users interact with DISM primarily through the Command Prompt (running as an administrator) or PowerShell.

The most common repair commands include: 

DISM /Online /Cleanup-Image /CheckHealth: This command quickly checks if the Windows image has been marked as corrupted by a previous process, without performing a full scan.

DISM /Online /Cleanup-Image /ScanHealth: This performs a thorough scan of the entire system file store to detect any corruption, which can take several minutes.

DISM /Online /Cleanup-Image /RestoreHealth: This is the repair command. It scans for corruption and automatically attempts to fix any issues found by getting files from a specified source, often Windows Update. 

In essence, DISM is an essential, versatile tool for maintaining the integrity and flexibility of the Windows operating system at its foundation, allowing for powerful repairs and custom setups. 

Chkdsk

Chkdsk is a built-in Windows tool that stands for "Check Disk." Its main job is to scan your computer's hard drive for problems and fix them. Think of it as a doctor for your disk. 

When you run Chkdsk, it looks for two main types of issues:

Logical Errors: This means the file system is messed up. The file system is like the library's catalog; it tells Windows where everything is stored. If the catalog is wrong, files get lost or corrupted. Chkdsk fixes these errors, making sure your files can be found and opened correctly.

Physical Errors (bad sectors): The hard drive itself can have damaged spots, called bad sectors. It's like having a scratched CD. Chkdsk can find these damaged areas and tell Windows not to store any data there in the future. This prevents data loss. 

You can run Chkdsk through the Command Prompt or by right-clicking a drive in File Explorer and going to Properties >

Final Verdict

Windows security commands empower users to identify threats, safeguard files, manage accounts, and keep an eye on networks, without relying on third-party tools. Whether you're using net user for account management or netsh advfirewall for network security, knowing these commands can really enhance your security game.




