Windows Command Line & PowerShell Foundations

Introduction

Working effectively with Windows systems from a security or administration perspective requires a solid understanding of the available command-line interfaces. Unlike graphical tools, command-line environments expose the operating system in a direct and scriptable way, allowing fine‑grained control over system behavior, configuration, and automation.

Windows ships with two primary command-line interfaces: Command Prompt (cmd.exe) and PowerShell. While both provide access to the underlying operating system, they differ significantly in design philosophy, capabilities, and use cases. Understanding when and how to use each one is a foundational skill for system administrators, blue team operators, and penetration testers alike.

This article consolidates practical knowledge, commands, and concepts learned during structured training and hands‑on labs. It is designed as a long‑form reference rather than a quick cheatsheet, emphasizing why things work in addition to how to execute them.

Command Prompt vs PowerShell

At a high level, Command Prompt is a legacy shell designed around simple command execution and text-based output. PowerShell, on the other hand, was introduced to solve many of CMD’s limitations by providing an object‑oriented shell built on top of the .NET framework.

One important operational detail is interoperability: commands from CMD can be executed inside PowerShell, but PowerShell cmdlets cannot be executed directly from CMD unless explicitly invoking the PowerShell interpreter.

This distinction becomes relevant in constrained environments, legacy systems, or when interacting with remote shells that only expose cmd.exe.

Command Prompt (CMD)

Accessing CMD

Command Prompt can be accessed locally or remotely depending on the environment and the attacker or administrator’s level of access.

Local access is straightforward and often the first interaction point when enumerating a Windows system. Remote access is more common in enterprise environments and post‑exploitation scenarios.

Local access methods include:

Using Win + R followed by cmd
Direct execution of C:\Windows\System32\cmd.exe

Remote access can be achieved through multiple protocols such as:

SSH (modern and preferred when available)
WinRM (PowerShell‑oriented but can spawn CMD)
PsExec
RDP (graphical, but often abused to reach a shell)

From a security standpoint, the method of access often determines logging visibility and privilege context.

Built‑in Help System

CMD includes a basic help mechanism that lists available commands and their usage. While limited compared to Unix man pages, it remains useful in restricted environments without internet access.

help
help dir

Understanding how to retrieve help locally is valuable during exams, CTFs, or isolated lab systems where external documentation is unavailable.

Basic Usability Tips

Unlike Bash, CMD does not persist command history across sessions. Once the window is closed, the command history is lost. This limitation impacts forensic analysis and user auditing, but also reduces traces during short‑lived interactions.

Useful commands include:

cls
doskey /history

Keyboard shortcuts such as F7 (interactive history) or arrow keys significantly speed up command reuse during enumeration phases.

Navigation is typically the first step when exploring an unfamiliar system. Knowing how to move efficiently through directories allows faster identification of misconfigurations, sensitive files, or writable locations.

cd
cd ..\..\
dir
tree /F

From a security perspective, directory traversal is often combined with permission analysis to identify paths suitable for file drops or privilege escalation attempts.

Interesting Directories from a Security Perspective

Certain directories are consistently relevant during enumeration because of their permissions or operational role:

C:\Windows\Temp
C:\Users\Public
User‑specific %TEMP% directories
Program installation paths

These locations are commonly writable and less monitored, making them ideal targets for temporary file storage or payload staging.

Gathering Information on a Windows Host

Host enumeration aims to build a complete picture of the system: its users, configuration, network exposure, and running services. This information is essential for both defensive monitoring and offensive privilege escalation.

Typical enumeration questions include:

Which user am I?
What groups does this user belong to?
What services and scheduled tasks are running?
What network resources are accessible?

Answering these questions reduces uncertainty and guides further actions.

Environment Variables

Environment variables act as a shared configuration layer between the operating system and applications. They influence execution paths, application behavior, and script logic.

In Windows, environment variables are not case‑sensitive and can exist at multiple scopes: system, user, or process level. Understanding scope is critical when troubleshooting scripts or attempting persistence.

Commonly abused variables include:

%PATH%
%SYSTEMROOT%
%USERPROFILE%
%LOGONSERVER%

From an offensive perspective, environment variables may reveal domain membership, execution context, or misconfigurations.

Scheduled Tasks

Scheduled tasks provide automated execution of commands based on time or system events. Administrators rely on them for maintenance, but attackers often abuse them for persistence or privilege escalation.

Tasks can be triggered by:

System startup
User logon
Time‑based schedules
Specific system events

Querying tasks is often one of the first post‑exploitation steps:

schtasks /query /fo LIST /v

Writable or misconfigured scheduled tasks represent a high‑value target.

PowerShell Fundamentals

Why PowerShell Matters

PowerShell was designed to be more than a shell; it is a full automation and configuration framework. Unlike CMD, PowerShell works with objects instead of plain text, enabling complex data manipulation with minimal code.

This object‑based approach dramatically reduces the need for fragile string parsing and enables powerful one‑liners.

Cmdlets and Modules

PowerShell commands follow a strict Verb‑Noun naming convention, making them predictable and discoverable.

Examples:

Get-Process
Set-Service
Test-NetConnection

Modules bundle cmdlets and scripts into reusable components. Understanding module structure is essential when developing or importing custom tooling.

Execution Policies

Execution policies are often misunderstood. They are not security controls, but safety mechanisms designed to prevent accidental script execution.

Common policies include:

Restricted
RemoteSigned
Unrestricted

Attackers frequently check and bypass execution policies when executing payloads.

Users, Groups, and Permissions

Windows security is built around users and groups. Permissions are almost always assigned at the group level, making group membership a key enumeration target.

Built‑in accounts such as Administrator or Guest behave differently from domain users, especially in enterprise environments.

Understanding permission inheritance and access control entries (ACEs) is critical for both system hardening and privilege escalation analysis.

Registry Fundamentals

The Windows Registry is a hierarchical database storing configuration for the OS and installed applications. Many persistence mechanisms and configuration weaknesses reside here.

Registry keys and values control:

Startup behavior
Installed software
User preferences
Security policies

Knowing where to look in the registry often reveals persistence hooks or insecure configurations.

Event Logging

Windows Event Logs record system, application, and security events. From a defensive perspective, they are invaluable for detection. From an offensive perspective, they reveal what actions are logged and how visible certain techniques are.

Logs are stored as .evtx files and categorized by severity levels such as Information, Warning, Error, and Critical.

Networking and Web Interaction

Windows networking closely mirrors Unix concepts, but is exposed through different tooling. PowerShell provides native cmdlets for inspecting interfaces, routes, and connectivity.

Get-NetIPAddress
Test-NetConnection

PowerShell can also interact directly with web services using Invoke-WebRequest, enabling scripted downloads, API interaction, and data exfiltration.

Automation and Scripting

Automation is where PowerShell truly shines. Scripts and modules allow administrators and attackers alike to scale actions across systems.

Understanding scope (global, local, script) prevents variable leakage and unexpected behavior. Well‑structured scripts are predictable, maintainable, and harder to detect when properly written.

Reference Repository

This article is derived from and expanded upon notes maintained in the following repository:

https://github.com/lameiro0x/security-foundations-htb-notes

That repository contains the full learning material, diagrams, and extended references used as the foundation for this post.

Closing Notes

These fundamentals form the baseline for more advanced topics such as Active Directory attacks, lateral movement, and persistence. Mastery of Windows command‑line environments significantly lowers the barrier to advanced security work and should be considered mandatory knowledge for any aspiring security professional.

Introduction#

Command Prompt vs PowerShell#

Command Prompt (CMD)#

Accessing CMD#

Built‑in Help System#

Basic Usability Tips#

Navigation and File System Interaction#

Interesting Directories from a Security Perspective#

Gathering Information on a Windows Host#

Environment Variables#

Scheduled Tasks#

PowerShell Fundamentals#

Why PowerShell Matters#

Cmdlets and Modules#

Execution Policies#

Users, Groups, and Permissions#

Registry Fundamentals#

Event Logging#

Networking and Web Interaction#

Automation and Scripting#

Reference Repository#

Closing Notes#