Useful commands for Windows administrators

 

Most commands are “one-liners”, but for some I had to make an exception and go to the right directory first.

These commands could all be used in batch files, though some may need some “parsing” with FOR /F to retrieve only the required substrings from the displayed information.

Notes:    (1) Commands that use external, or third party, or non-native utilities contain hyperlinks to these utilities’ download sites.
   (2) Replace command arguments displayed in italics with your own values.
   (3) Commands or utilities that require Windows Server 2003 are marked bright blue.
Warning: Most commands on this page are very powerful tools.
Like most powerful tools they could cause a lot of damage in the hands of insufficiently skilled users.
Treat these commands like you would (or should) treat a chainsaw: with utmost care. Do not use them if you do not fully understand what they do or how they do it.
Any damage caused using these commands is completely your own responsibility.

 

If you want to execute a command repeatedly, use the -n switch; e.g. to let it run every 3 seconds, add -n 3.

 

 

Change computer name:

 

netdom renamecomputer %computername% /newname:dc1 /userd:frank /passwordD:P@ssw0rd

Join domain:
netdom join %computername% /domain:Mydomain /userd:Mydomain\Mylogin /passwordd:*
Assign IP address and gateway to NIC:
First of all use ipconfig /all to show the name of the NIC.
Then
netsh interface ipv4 set address name="Ethernet0" source=static address=192.168.0.12 gateway=192.168.0.1
Set source to static or dhcp; with source=dhcp, leave out the address and gateway arguments.
Note that the keywords “ipv4” “name” “source” “address” “gateway” can be omitted.
Add the DNS server address:
netsh interface ipv4 add dnsserver ethernet0 192.168.0.10 index=1
index can not be omitted.
Show the remote machine’s network configuration:
winrs -r:computername ipconfig /all
Disk speed test

To test the C drive’s reading and writing speed:

winsat disk -drive c
 Change the c into the drive letter you want to test.
Find a string with findstr (similar to grep)
findstr searches for lines that match a regular expression. By default, it is case sensitive.
findstr (find) – find string.
 Options:
  • /B Matches pattern if at the beginning of a line.
  • /E Matches pattern if at the end of a line.
  • /L Uses search strings literally.
  • /R Uses search strings as regular expressions.
  • /S Searches for matching files in the current directory and all subdirectories.
  • /I Specifies that the search is not to be case-sensitive.
  • /X Prints lines that match exactly.
  • /V Prints only lines that do not contain a match.
  • /N Prints the line number before each line that matches.
  • /M Prints only the filename if a file contains a match.
  • /O Prints character offset before each matching line.
  • /P Skip files with non-printable characters.
  • /OFF[LINE] Do not skip files with offline attribute set.
  • /A:attr Specifies color attribute with two hex digits. See “color /?”
  • /F:file Reads file list from the specified file(/ stands for console).
  • /C: count the specified string
  • /G: file Gets search strings from the specified file(/ stands for console).
  • /D:dir Search a semicolon delimited list of directories.
  • strings Text to be searched for.
  • [drive:][path]filename Specifies a file or files to search.
How many users are logged on/connected to a server?

 

Sometimes we may need to know how many users are logged on to a (file) server, like maybe when there is a performance degradation.
At the server’s console itself, with native commands only:

	NET SESSION | FIND /C "\\"

Remotely,

winrs -r:servername net session | find /C "\\"

or with the help of SysInternals’ PSTools:

	PSEXEC \\servername NET SESSION | FIND /C "\\"

By replacing FIND /C "\\" by FIND "\\" (removing the /C switch, which means count the total number) you’ll get a list of logged on users instead of just the number of users.

By default findstr (find) is case sensitive; you can add /I to make it case insensitive if you are not sure of the string's case.

Which computer is a user logged on to?
(NET SESSION) | Select-String mr.trouble

This will return the IP address; you can use nslookup to find the computer name.

Who is logged on to a computer?

We often need to know who is currently logged on to a remote computer.
With native Windows (up to and including XP) commands only:

	NBTSTAT -a remotecomputer | FIND "<03>" | FIND /I /V "remotecomputer"

The first name in the list usually is the logged on user (try playing with the NET NAME command to learn more about the names displayed by NBTSTAT).
This is the fastest way to find the logged on user name, and the results that you do get are correct, but NBTSTAT won’t always return a user name, even when a user is logged on.

Using WMIC (Windows XP Professional and later):

	WMIC /Node:remotecomputer ComputerSystem Get UserName

This is arguably the most reliable (native) command to find out who is logged on.

remotecomputer: the IP address of the remote computer.

With the help of SysInternals’ PSTools:

	PSLOGGEDON -L \\remotecomputer

or:

	PSEXEC \\remotecomputer NET CONFIG WORKSTATION | FIND /I " name "

or:

	PSEXEC \\remotecomputer NET NAME

or for Windows XP only:

	PSEXEC \\remotecomputer NETSH DIAG SHOW COMPUTER /V | FIND /i "username"

Using REG.EXE (Windows 2000 and later):

	FOR /F %%A IN ('REG Query \\remotecomputer\HKU ^| FINDSTR /R /B /C:"HKEY_USERS\\S-1-5-[0-9][0-9]-[0-9-]*$"') DO (
		FOR /F "tokens=3 delims=\" %%B IN ('REG Query "\\remotecomputer\%%A\Volatile Environment"') DO (
			SET LoggedinUser=%%B
		)
	)

or for Windows 7:

	FOR /F %%A IN ('REG Query \\remotecomputer\HKU /K /F "S-1-5-21-" ^| FINDSTR /R /B /C:"HKEY_USERS\\S-1-5-[0-9][0-9]-[0-9-]*$"') DO (
		FOR /F "tokens=2*" %%B IN ('REG Query "\\remotecomputer\%%~A\Volatile Environment" /V "UserName" ^| FIND /V ":"') DO (
			SET LoggedinUser=%%C
		)
	)

NETSH and WMIC are for XP or later, and are the most reliable of all commands shown here.
WMIC requires WMI enabled remote computers and Windows XP on the administrator’s computer; NETSH requires Windows XP on the local and remote computers.

PSLOGGEDON is a more accurate solution than NBTSTAT, but it will return the last logged on user if no one is currently logged on.

The NET and NBTSTAT commands show more or less identical results, but the NBTSTAT command is much faster.

The REG command is accurate, but may need to be modified depending on the version used.
More information on REG versions can be found on my REG Query page.

For Windows NT 4 and 2000: use NBTSTAT (fast, but it won’t always return the user name!), and only switch to REG if NBTSTAT doesn’t return a user name (modify the REG command for Windows NT 4).
For Windows XP and later: if you want to search lots of computers for logged on users, I recommend you try NBTSTAT first (fast, but it won’t always return the user name!), and only switch to NETSH, REG or WMIC (accurate) if NBTSTAT doesn’t return a user name.

Credits: Jiří Janyška (WMIC command) and Matthew W. Helton (NETSH command).

 

 

What is this colleague’s login name?

My colleagues often forget to mention their logon account name when calling the helpdesk, and the helpdesk doesn’t always ask either. I suppose they expect me to know all 1500+ accounts by heart.
With (native) Windows Server 2003 commands only:

	DSQUERY USER -name *lastname* | DSGET USER -samid -display
Note: Windows Server 2003’s “DSTools” will work fine in Windows 2000 and XP too, when copied.
Keep in mind, however, that some Windows Server 2003 Active Directory functionality is not available in Windows 2000 Active Directories.

 

 

What is the full name for this login name?

With the native NET command:

	NET USER loginname /DOMAIN | FIND /I " name "

With (native) Windows Server 2003 commands:

	DSQUERY USER -samid *loginname* | DSGET USER -samid -display
Note: The NET command may seem more universal, because it requires neither Active Directory nor Windows Server 2003 commands, but it is language dependent!
For non-English Windows you may need to modify FIND’s search string.

 

 

What groups is this user a member of?

In Windows NT 4 and later, users usually are members of global groups. These global groups in turn are members of (domain) local groups. Access permissions are given to (domain) local groups.
To check if a user has access to a resource, we need to check group membership recursively.
With (native) Windows Server 2003 commands:

	DSQUERY USER -samid loginname | DSGET USER -memberof -expand

 

 

What permissions does a user have on this directory?

One could use the previous command to check what permissions a user has on a certain directory.
However, sometimes SHOWACLS from the Windows Server 2003 Resource Kit Tools is a better alternative:

	CD /D d:\directory2check
	SHOWACLS /U:domain\userid

 

 

When did someone last change his password?

With the native NET command:

	NET USER loginname /DOMAIN | FIND /I "Password last set"

 

 

How do I reset someone’s password?

With the native NET command:

	NET USER loginname newpassword /DOMAIN

With (native) Windows Server 2003 commands:

	DSQUERY USER -samid loginname | DSMOD USER -pwd newpassword
Note: To prevent the new password from being displayed on screen replace it with an asterisk (*); you will then be prompted (twice) to type the new password “blindly”.

 

 

Is someone’s account locked?

With the native NET command:

	NET USER loginname /DOMAIN | FIND /I "Account active"

The account is either locked (“Locked”) or active (“Yes”).
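
The NET USER checks above (password last set, account active) can be done in one pass by parsing the whole output instead of running one FIND per field. This is an added example, not code from the original page: the function names ConvertFrom-NetUserOutput and Get-AccountFinding are hypothetical, the sample output and the account jdoe are constructed, and the labels assume English-language Windows.

```powershell
# Added example, not from the original page.

function ConvertFrom-NetUserOutput {
    # Turns the lines printed by NET USER <name> /DOMAIN into label -> value pairs.
    param([string[]]$Lines)
    $fields = [ordered]@{}
    foreach ($line in $Lines) {
        # A label and its value are separated by a run of two or more spaces.
        # Labels without a value and indented continuation lines do not match.
        if ($line -match '^(\S.*?)\s{2,}(\S.*)$') {
            $fields[$Matches[1]] = $Matches[2].TrimEnd()
        }
    }
    return $fields
}

function Get-AccountFinding {
    # Returns a list of account settings worth a second look.
    param($Fields)
    foreach ($label in 'Account active', 'Password last set', 'Password expires') {
        if (-not $Fields.Contains($label)) {
            throw "Label '$label' not found; is this English NET USER output?"
        }
    }
    $findings = @()
    if ($Fields['Account active'] -ne 'Yes') {
        $findings += "Account active: $($Fields['Account active'])"
    }
    if ($Fields['Password expires'] -eq 'Never') {
        $findings += 'Password never expires'
    }
    if ($Fields['Password required'] -eq 'No') {
        $findings += 'Password not required'
    }
    return $findings
}

# Constructed sample of NET USER output (not captured from a real system).
$sample = @'
The request will be processed at a domain controller for domain example.local.

User name                    jdoe
Full Name                    John Doe
Comment
Account active               Locked
Account expires              Never

Password last set            3/14/2024 9:12:45 AM
Password expires             Never
Password changeable          3/15/2024 9:12:45 AM
Password required            Yes
User may change password     Yes

Global Group memberships     *Domain Users         *Helpdesk
The command completed successfully.
'@ -split '\r?\n'

$fields = ConvertFrom-NetUserOutput -Lines $sample
"Password last set: $($fields['Password last set'])"
Get-AccountFinding -Fields $fields

# Live use: ConvertFrom-NetUserOutput -Lines (net user loginname /domain)
```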

 

 

How to unlock a locked account

With the native NET command:

	NET USER loginname /DOMAIN /ACTIVE:YES

or, if the password needs to be reset as well:

	NET USER loginname newpassword /DOMAIN /ACTIVE:YES

 

 

Make sure a local user’s password never expires / will expire

To make the password never expire, with WMIC (Windows XP Professional or later):

	WMIC.EXE /Node:remotecomputer Path Win32_UserAccount Where Name="user" Set PasswordExpires="FALSE"

 

To let the password expire, with WMIC (Windows XP Professional or later):

	WMIC.EXE /Node:remotecomputer Path Win32_UserAccount Where Name="user" Set PasswordExpires="TRUE"

 

 

List all domains and workgroups in the network

With the native NET command:

	NET VIEW /DOMAIN

 

 

List all computers in the network

With the native NET command:

	NET VIEW

or, to list the names only:

	FOR /F "skip=3 delims=\	 " %%A IN ('NET VIEW') DO ECHO.%%A

delims is a backslash, followed by a tab and a space.

 

 

List all domain controllers

 

With native Windows 2000 commands (Without read only Domain controller) :

	NETDOM QUERY /D:MyDomain DC

NETDOM is part of the support tools found in the \SUPPORT directory of the Windows 2000 installation CDROM.

Including Read only DC:

  • Distinguished name: With (native) Windows Server 2003 commands (Active Directory only):
	DSQUERY Server
  • Name only:
	DSQUERY Server -o rdn

 

 

Find the primary domain controller

With native Windows 2000 commands:

	NETDOM QUERY /D:MyDomain PDC

or, to find the FSMO with (native) Windows Server 2003 commands (Active Directory only):

	NETDOM QUERY /D:mydomain.com FSMO

NETDOM is part of the support tools found in the \SUPPORT directory of the Windows 2000 installation CDROM.

 

 

List all member servers

With native Windows 2000 commands:

	NETDOM QUERY /D:MyDomain SERVER

NETDOM is part of the support tools found in the \SUPPORT directory of the Windows 2000 installation CDROM.

 

 

List all workstations

With native Windows 2000 commands:

	NETDOM QUERY /D:MyDomain WORKSTATION

NETDOM is part of the support tools found in the \SUPPORT directory of the Windows 2000 installation CDROM.

 

 

Delete a computer account

With native Windows 2000 commands:

	NETDOM /DOMAIN:MyDomain MEMBER \\computer2Bdeleted /DELETE

NETDOM is part of the support tools found in the \SUPPORT directory of the Windows 2000 installation CDROM.

 

 

“I need an up-to-date list of disk space usage for all servers, on my desk in 5 minutes”

Sounds familiar?

With (native) Windows XP Professional or Windows Server 2003 commands:

	FOR /F %%A IN (servers.txt) DO (
		WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv | MORE /E +2 >> SRVSPACE.CSV
	)

The only prerequisites are:

  1. SRVSPACE.CSV should not exist or be empty,
  2. a list of server names in a file named SERVERS.TXT, one server name on each line,
  3. and WMIC.EXE, which is native in Windows XP Professional and later.

The CSV file format is ServerName,DeviceID,FileSystem,FreeSpace,Size (one line for each harddisk partition on each server).

If you have a strict server naming convention, SERVERS.TXT itself can be generated with the NET command:

	FOR /F "delims=\	 " %%A IN ('NET VIEW ^| FINDSTR /R /B /C:"\\\\SRV\-"') DO (>>SERVERS.TXT ECHO.%%A)
Notes: (1) assuming server names start with “SRV-”; modify to match your own naming convention.
(2) delims is a backslash, followed by a tab and a space.

 

 

List all drivers on any PC

With (native) Windows XP Professional or Windows Server 2003 commands:

	DRIVERQUERY /V /FO CSV > %ComputerName%.csv

Or, for remote computers:

	DRIVERQUERY /S remote_PC /V /FO CSV > remote_PC.csv

 

 

List all printers on any PC

With (native) Windows XP+ commands:

	WMIC /Node:remote_PC Path Win32_Printer Get DeviceID

 

 

List all local administrators

With (native) Windows NT 4+ commands:

	NET LOCALGROUP Administrators

Or, to remove header and footer lines:

	FOR /F "delims=[]" %%A IN ('NET LOCALGROUP Administrators ^| FIND /N "----"') DO SET HeaderLines=%%A
	FOR /F "tokens=*"  %%A IN ('NET LOCALGROUP Administrators') DO SET FooterLine=%%A
	NET LOCALGROUP Administrators | MORE /E +%HeaderLines% | FIND /V "%FooterLine%"
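
Once header and footer are stripped, the member list can be compared against the accounts that are supposed to be local administrators. The following is an added example, not code from the original page: the function names Get-NetLocalGroupMember and Compare-AdminMembership are hypothetical, and the sample output and the EXAMPLE\... accounts are constructed.

```powershell
# Added example, not from the original page.

function Get-NetLocalGroupMember {
    # Takes the raw lines printed by NET LOCALGROUP <group> and returns the
    # member names: everything after the dashed separator, minus the footer.
    param([string[]]$Lines)

    $kept = @($Lines | Where-Object { $_ -and $_.Trim() -ne '' })
    $sep = -1
    for ($i = 0; $i -lt $kept.Count; $i++) {
        if ($kept[$i] -match '^-{4,}\s*$') { $sep = $i; break }
    }
    if ($sep -lt 0) {
        throw 'No separator line found; NET LOCALGROUP probably failed.'
    }
    # Like the FooterLine variable in the batch version, treat the last
    # non-blank line as the status footer, whatever the UI language.
    $first = $sep + 1
    $last  = $kept.Count - 2
    if ($last -lt $first) { return @() }
    return @($kept[$first..$last] | ForEach-Object { $_.Trim() })
}

function Compare-AdminMembership {
    # Reports members that are not approved, and approved accounts that are absent.
    param([string[]]$Members, [string[]]$Approved)
    $m = @($Members  | Where-Object { $_ })
    $a = @($Approved | Where-Object { $_ })
    # -notcontains compares strings case-insensitively, matching account names.
    [pscustomobject]@{
        Unexpected = @($m | Where-Object { $a -notcontains $_ })
        Missing    = @($a | Where-Object { $m -notcontains $_ })
    }
}

# Constructed sample of NET LOCALGROUP Administrators output.
$sample = @'
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\Domain Admins
EXAMPLE\svc-backup
localfix
The command completed successfully.

'@ -split '\r?\n'

# Constructed allowlist; replace with the accounts approved for your servers.
$approved = 'Administrator', 'EXAMPLE\Domain Admins'

$members = Get-NetLocalGroupMember -Lines $sample
$report  = Compare-AdminMembership -Members $members -Approved $approved
$report.Unexpected | ForEach-Object { "UNEXPECTED local admin: $_" }
$report.Missing    | ForEach-Object { "MISSING approved admin: $_" }

# Live use: Get-NetLocalGroupMember -Lines (net localgroup Administrators)
```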

 

 

Locate rogue DHCP servers

Never had an “illegal” router wreaking havoc on your network yet…?

With a (native) Windows Server 2003 command:

	DHCPLOC -p local_IP_address [ valid_DHCP_server1 [ valid_DHCP_server2 [ .. ] ] ]

DHCPLOC.EXE is native in Windows Server 2003, and will run in Windows XP if copied/installed.
I didn’t test this in Windows Server 2003 yet, but in Windows XP you need to press “d” to start the discovery, or “q” to quit.

 

 

Disable Windows Firewall for domain only

Disable the firewall only when the computer (e.g. a laptop) is connected to the domain:

	NETSH Firewall Set OpMode Mode = DISABLE Profile = DOMAIN

 

 

Completely disable Windows Firewall (not recommended)

Disable the firewall completely (not recommended unless an alternative enterprise firewall is used that requires you to do so):

	SC [ \\Remote_computer ] Stop SharedAccess
	SC [ \\Remote_computer ] Config SharedAccess start= disabled

 

 

Is IP v4 supported on this computer?

Check if IP v4 is supported on the local computer:

	PING 127.0.0.1 | FIND "TTL=" >NUL 2>&1
	IF ERRORLEVEL 1 (ECHO IP v4 NOT supported) ELSE (ECHO IP v4 supported)

or:

	WMIC Path Win32_PingStatus WHERE "Address='127.0.0.1'" Get StatusCode /Format:Value | FINDSTR /X "StatusCode=0" >NUL 2>&1
	IF ERRORLEVEL 1 (ECHO IP v4 NOT supported) ELSE (ECHO IP v4 supported)

The WMIC command is faster, but requires Windows XP Professional or later.

 

 

Is IP v6 supported on this computer?

Check if IP v6 is supported on the local computer:

	PING ::1 | FINDSTR /R /C:"::1:[^$]" >NUL 2>&1
	IF ERRORLEVEL 1 (ECHO IP v6 NOT supported) ELSE (ECHO IP v6 supported)

or:

	WMIC Path Win32_PingStatus WHERE "Address='::1'" Get StatusCode >NUL 2>&1
	IF ERRORLEVEL 1 (ECHO IP v6 NOT supported) ELSE (ECHO IP v6 supported)

The WMIC command is faster, but requires Windows XP Professional or later.

 

 

Which updates were installed on this computer?

Windows 7 / 8 / 10:

	DISM /Online /Get-Packages

or:

	WMIC QFE List

This will also show who installed each update, or that it was installed by the system.

DISM will return far more details than WMIC.

 

Windows 2000 and XP:

	QFECHECK /V

 

Revert the update if you cannot boot the computer after installing an update

If you are unable to boot the machine, try the following steps to revert the Windows Update changes and check if you can boot.

a) Try to revert the update installation by running the DISM command from Windows Recovery Environment (WinRE) and check if you are able to boot to the desktop normally.

Follow the steps below to boot into Windows Recovery Environment:

Windows Vista / Windows 7
Press and hold the F8 key early in the system boot process. Then select the Repair your computer option from the boot menu that appears.

Note:
If your computer uses the F8 key for the BIOS Boot Menu (ASUS boards, for example), make sure to start pressing the F8 key after the BIOS screen has passed and before Windows has started to boot. In some cases, it may be easier to press F8 early to open the BIOS Boot Menu and then select the Windows drive to boot and immediately press F8 again.

Windows 8.x
Press WinKey+I and click the Power icon. Hold down Shift and click Restart. Click Troubleshooting and then Advanced options to bring up the repair options.

Windows 8.1/10
Press WinKey+X to open the Quick Link menu. Click Shut down or sign out, then hold down Shift and click Restart. (In Windows 10 you can also open the Start menu, click on Power and then Shift-click Restart.) Click Troubleshooting and then Advanced options to bring up the repair options.

Note: If you would like to enable using F8 to access the Windows 8.1/10 legacy Safe Mode menu (as with Windows 7) please refer to the instructions at the end of this article.

b) You will need to know the date and time that the update was installed for this procedure.

c) From the command prompt run the following command: DISM /Image:C:\ /Cleanup-Image /RevertPendingActions

d) Then reboot your PC.

Net use

 

Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections.

Syntax

 

net use [{DeviceName | *}] [\\ComputerName\ShareName[\volume]] [{Password | *}]] [/user:[DomainName\]UserName] [/user:[DottedDomainName\]UserName] 
[/user: [UserName@DottedDomainName] [/savecred] [/smartcard] [{/delete | /persistent:{yes | no}}]
net use [DeviceName [/home[{Password | *}] [/delete:{yes | no}]]
net use [/persistent:{yes | no}]
Parameters
  • DeviceName  : Assigns a name to connect to the resource or specifies the device to be disconnected. There are two kinds of device names: disk drives (that is, D: through Z:) and printers (that is, LPT1: through LPT3:). Type an asterisk (*) instead of a specific device name to assign the next available device name.
  • \\ ComputerName \ ShareName  : Specifies the name of the server and the shared resource. If ComputerName contains spaces, use quotation marks around the entire computer name from the double backslash (\\) to the end of the computer name (for example, "\\Computer Name\Share Name"). The computer name can be from 1 to 15 characters long.
  • \ volume  : Specifies a NetWare volume on the server. You must have Client Service for NetWare installed and running to connect to NetWare servers.
  • Password  : Specifies the password needed to access the shared resource. Type an asterisk (*) to produce a prompt for the password. The password is not displayed when you type it at the password prompt.
  • /user : Specifies a different user name with which the connection is made.
  • DomainName  : Specifies another domain. If you omit DomainName, net use uses the current logged on domain.
  • UserName  : Specifies the user name with which to log on.
  • DottedDomainName  : Specifies the fully-qualified domain name for the domain where the user account exists.
  • /savecred : Stores the provided credentials for reuse.
  • /smartcard : Specifies the network connection is to use the credentials on a smart card. If multiple smart cards are available, you are asked to specify the credential.
  • /delete : Cancels the specified network connection. If you specify the connection with an asterisk (*), all network connections are canceled.
  • /persistent:{yes | no} : Controls the use of persistent network connections. The default is the setting used last. Deviceless connections are not persistent. Yes saves all connections as they are made, and restores them at next logon. No does not save the connection being made or subsequent connections. Existing connections are restored at the next logon. Use /delete to remove persistent connections.
  • /home : Connects a user to the home directory.
  • net help  command  : Displays help for the specified net command.
Remarks
  • Connecting and disconnecting from a network resource: Use net use to connect to and disconnect from a network resource, and to view your current connections to network resources. You cannot disconnect from a shared directory if you use it as your current drive or an active process is using it.
  • Viewing connection information: To view information about a connection, you can do either of the following:
    • Type net use DeviceName to get information about a specific connection.
    • Type net use to get a list of all the computer’s connections.
  • Using deviceless connections: Deviceless connections are not persistent.
  • Connecting to NetWare servers: After you install and run Client Service for NetWare, you can connect to a NetWare server on a Novell network. Use the same syntax that you use to connect to a Windows Networking server, except you must include the volume to which you want to connect.
  • Using quotation marks: If the ServerName that you supply contains spaces, use quotation marks around the text (that is, "Server Name"). If you omit quotation marks, an error message appears.
Examples

To assign the disk-drive device name E: to the Letters shared directory on the \\Financial server, type:

net use e: \\financial\letters

To assign (map) the disk-drive device name M: to the directory Mike within the Letters volume on the \\Financial NetWare server, type:

net use m: \\financial\letters\mike

To connect the user identifier Dan as if the connection were made from the Accounts domain, type:

net use d:  \\server\share /user:Accounts\Dan

To disconnect from the \\Financial\Public directory, type:

net use f: \\financial\public /delete

To connect to the resource memos shared on the \\Financial 2 server, type:

net use k: "\\financial 2"\memos

To restore the current connections at each logon, regardless of future changes, type:

net use /persistent:yes

memory counters

Obtain a listing of memory counters related to the available bytes by using the typeperf command. This command is shown here:

typeperf "\memory\available bytes"