10 Windows Commands every Sysadmin should know

An oldie-but-a-goodie, these command-line basics topped the list of popular troubleshooter posts last year that every Sysadmin should know.

1. Pathping

Ping does a good job of telling you whether two machines can communicate with one another over TCP/IP, but if a ping does fail, you won’t receive any information regarding the nature of the failure. This is where the pathping utility comes in.

Pathping is designed for environments in which one or more routers exist between hosts. It sends a series of packets to each router that’s in the path to the destination host in an effort to determine whether the router is performing slowly or dropping packets. At its simplest, the syntax for pathping is identical to that of the ping command (although there are some optional switches you can use). The command looks like this:


2. Nslookup

The nslookup tool can help you to verify that DNS name resolution is working correctly. When you run nslookup against a host name, the tool will show you how the name was resolved, as well as which DNS server was used during the lookup. This tool can be extremely helpful when troubleshooting problems related to legacy DNS records that still exist but that are no longer correct.

To use this tool, just enter the nslookup command, followed by the name of the host you want to resolve. For example:


3. System File Checker

Malicious software will often attempt to replace core system files with modified versions in an effort to take control of the system. The System File Checker can be used to verify the integrity of the Windows system files. If any of the files are found to be missing or corrupt, they will be replaced. You can run the System File Checker by using this command:

sfc /scannow

4. File Signature Verification

One way to verify the integrity of a system is to make sure that all the system files are digitally signed. You can accomplish this with the File Signature Verification tool. This tool is launched from the command line but uses a GUI interface. It will tell you which system files are signed and which aren’t. As a rule, all the system files should be digitally signed, although some hardware vendors don’t sign driver files. The command used to launch the File Signature Verification tool is:


5. Netstat

Netstat is great command to run when you think you have malware on your computer.  If there’s a Trojan or Bot sitting on your computer then it must open a port in a TCP/IP state called LISTENING so it can await remote commands from the attacker.  To view all ports on your system enter this command:

netstat -ano

or if you want to see everything add the b switch to show each executable involved in creating the connection.

netstat -bano

Now you can see all connections and listening ports along with the process ID and .EXE file associated with the connection.  If you suspect your computer has been compromised research the executable or process name in Google to see what other people have said about it.  The other thing you can do is compare the netstat output with a known working system and research the differences.

As an aside, since bano is bathroom in Spanish I never forget that netstat -bano shows me all the digital dirt on my system.  It’s a helpful mnemonic.

netstat -bano

6. driverquery

When you need to see a list of all your system drivers use driverquery.  This command completes in seconds.



You can also output the list to a pretty spreadsheet by using this little trick:

driverquery /fo csv > my-drivers.xlsx

7. cipher

cipher is actually one of the best kept secrets of the command line.  In addition to letting administrators encrypt and decrypt drive data, it actually lets you overwrite deleted data rendering it virtually irrevocable.  Whenever you delete a file on a traditional hard drive the data isn’t really zapped from the disk; vestiges of it still remain.  The only thing that really happens is that the deleted data is deallocated and therefore made available for use when new data is written to the hard drive.

But I digress, cipher is a quick and easy fix to make unauthorized recovery of your data very hard (not impossible but extremely arduous).

When you’re ready to nuke your drive here’s the metaphorical big red button:

Use with caution:

cipher /w:d:

cipher wipe

8. tasklist & taskkill

Sure you could press Ctrl + Alt + Del to conjure up the Windows Task Manager but the command line has much too alluring.

To see a list of all running tasks on your PC enter this command:

tasklist/fi "STATUS eq running"

This says, “show me a list of tasks that currently have a status of running”.

You can also see all your frozen applications too:

tasklist/fi "STATUS eq not responding"

tasklist view running and not responding

When you find the obdurate process that’s locking up your computer use taskkill to kill it.

The PID switch kills a task by Process ID (PID) and taskkill /im kills a task by image name which is the file name of the application.

taskkill pid

In the graphic above I highlighted the image name iexplorer.exe so you could see how I knew to kill PID 3880.

9. Repair-bde

If a drive that is encrypted with BitLocker has problems, you can sometimes recover the data using a utility called repair-bde. To use this command, you will need a destination drive to which the recovered data can be written, as well as your BitLocker recovery key or recovery password. The basic syntax for this command is:

repair-bde <source> <destination> -rk | rp <source>

You must specify the source drive, the destination drive, and either the rk (recovery key) or the rp (recovery password) switch, along with the path to the recovery key or the recovery password. Here are two examples of how to use this utility:

repair-bde c: d: -rk e:\recovery.bek
repair-bde c: d: -rp 111111-111111-111111-111111-111111-111111

10. Netsh

The Netsh command is a powerful command-line tool for Windows Server 2003, Windows XP, and Windows 2000. Netsh is available in the Microsoft Windows 2000 Server Resource Kit and is standard in Windows 2003 and XP. Netsh lets you change almost any network configuration setting as well as document network configurations.

You can use the command in a batch file or from its own command shell. Netsh has a useful Help system that you can access by adding /? to almost any of its subcommands. Here are few cool commands which netsh is capable of.

Show TCP/IP settings—The command

netsh interface ip show config

Change network configuration—Netsh can change the current network configuration. The command

netsh interface ip set
  address "Local Area 
  Connection" static

Use a dynamic DHCP assigned address—The command

netsh interface ip set
  address "Local Area 
  Connection" dhcp

Change a DNS server address—When you change the system’s IP address type, you almost always have to change the DNS server’s address as well. The command

netsh interface ip set dns
  "Local Area Connection" 

Restore network configuration—The Netsh Exec command runs a Netsh script file. The command

netsh exec mycfg.dat

Work with remote systems—One of Netsh’s best hidden features is its ability to work with remote systems. The command

netsh set machine remotecomputer


Leave a Reply

Your email address will not be published. Required fields are marked *