Windows Cheat Sheet for essential Commands
Mastering a few key Windows commands can save you time, troubleshoot issues, and unlock hidden features. From speeding up tasks to fixing common problems, the Command Prompt and PowerShell are powerful tools to solve some of these issues.
In this post, I will explore interesting and useful Windows commands and update this post regularly.
- Determine if Computer is joined to an Domain (on-premise, Entra ID, Hybrid)
- Determine the Logon Server (Domain Controller) on a Windows Client
- Determine in which OU my Active Directory Domain Joined Computer is placed to
- Determine in which OU my Active Directory User Account is placed to
- Force a Restart of the Explorer.exe
- Determine local Listening Ports
- Determine local Listening Ports and its Binary
- Determine local Established Ports
- Determine local open UDP Ports and Connections
- Determine Domain Account Password Expiration
- Set WinHTTP Proxy
- Determine last Restart Date and Time
- gpupdate vs. gpupdate /force
- Terminate Windows Services they stuck Stopping/Starting
- Links
Determine if Computer is joined to an Domain (on-premise, Entra ID, Hybrid)
To quickly determine if a computer is joined to a domain (on-premise, Entra ID or hybrid) we can execute the following command in the PowerShell or CMD with elevated Administrator rights.
The dsregcmd.exe /status command is a useful diagnostic tool in Windows for checking the device’s Entra ID join status and related registration details. It provides information such as domain join type, user state, SSO (Single Sign-On) status, and other relevant Entra ID connectivity details. This command is particularly helpful for troubleshooting authentication, device registration, and hybrid join issues in enterprise environments. Running it displays a summary of the device’s Entra ID and domain registration state.
> dsregcmd.exe /status
Determine the Logon Server (Domain Controller) on a Windows Client
When a Windows computer joins a domain, it authenticates against a Domain Controller (DC), known as the logon server. There are several ways to find the Logon Server against the client authenticated.
By using the legacy CMD command set, just works when using the CMD (Command Prompt).
> set | findstr "LOGONSERVER"
The PowerShell equivalent is.
PS> Get-ChildItem Env:
PS> Get-ChildItem Env: | Where-Object { $_.Name -like "*LOGON*" -or $_.Name -like "*DOMAIN*" -or $_.Name -like "*USER*" }
By using the nltest command/utility used for testing and troubleshooting Active Directory (AD) domain relationships, trust configurations, and Domain Controller (DC) communications.
PS> nltest /dsgetdc:YOURDOMAIN.COM
Below the DC: \\MatrixDC-01.matrixpost-lab.net show the logon server which was used by the client.
PS> nltest /dsgetdc:$env:USERDOMAIN
Determine in which OU my Active Directory Domain Joined Computer is placed to
To determine directly on a Active Directory domain joined computer in which OU it is placed to, we can run the following PowerShell command.
PS> Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine" | Select-Object Distinguished-Name PS> Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine"
Determine in which OU my Active Directory User Account is placed to
We can run the following command which displays the user name in Fully Qualified
Distinguished Name (FQDN) format.
> whoami -fqdn
More you will find by display the help information for the whoami command.
> whoami /?
Force a Restart of the Explorer.exe
The explorer.exe (Windows Explorer) is a critical system process in Windows that provides the graphical user interface (GUI), including:
- The desktop (icons, wallpaper, and right-click menu)
- The taskbar (Start menu, system tray, and open apps)
- File Explorer (folders, drives, and file management)
In case the we can’t restart the explorer.exe directly on the machine by using for example the task manager, we can terminate and restart it by using the CMD or PowerShell shown below.
The following command forcefully closes Windows Explorer and then restarts it. This can be useful for refreshing the its controled components mentioned above if they frozen or misbehaving.
> taskkill /f /im explorer.exe && start explorer.exe
We can also fire up this command from remote by using for example the psexec utility from Sysinternals and shown in my following post.
Determine local Listening Ports
Below for example we will list the local TCP listening ports for RDP and SMB.
By using the Get-NetTCPConnection cmdlet we will see all states of the TCP socket.
PS> Get-NetTCPConnection | Where-Object { $_.LocalPort -eq 3389 }
PS> Get-NetTCPConnection | Where-Object { $_.LocalPort -eq 445 }
We can also list all ports by using wildcards and the -like flag like shown below.
PS> Get-NetTCPConnection | Where-Object { $_.LocalPort -like "4967*" }
Or by using the good old netstat tool.
PS> netstat.exe -nao | findstr 3389 | findstr LISTENING PS> netstat.exe -nao | findstr 445 | findstr LISTENING
-a – Displays all connections and listening ports (TCP & UDP)
-n – Show numerical addresses (no DNS resolution)
-o – Shows the Process ID (PID) associated with each connection.
Determine local Listening Ports and its Binary
To show also the corresponding binary which is listening behind the TCP socket, we can also use the Get-NetTCPConnection command and pipe it for the owning process like shown below for TCP port 22 (SSH daemon).
PS> Get-NetTCPConnection -LocalPort 22 -State Listen | Select-Object LocalAddress,LocalPort,State,OwningProcess,@{n='ProcessName';e={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}},@{n='Path';e={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path}} | Format-Table -Auto
Determine local Established Ports
Below we will see that the remote computer with the IP 10.0.0.149 is connected to the local server per RDP on TCP port 3389.
By using the Get-NetTCPConnection cmdlet we will see all states of the TCP socket including the established states.
PS> Get-NetTCPConnection | Where-Object { $_.LocalPort -eq 3389 }
PS> Get-NetTCPConnection | Where-Object { $_.LocalPort -eq 445 }By using the netstat tool.
PS> netstat.exe -nao | findstr 3389 | findstr ESTABLISHED
-a – Displays all connections and listening ports (TCP & UDP)
-n – Show numerical addresses (no DNS resolution)
-o – Shows the Process ID (PID) associated with each connection.
Determine local open UDP Ports and Connections
To show all open UDP ports or as specific on a system we can use the Get-NetUDPEndpoint cmdlet.
Get-NetUDPEndpoint | Where-Object { $_.LocalPort -eq 111 }
# or by using the -like flag to use wildcards
Get-NetUDPEndpoint | Where-Object { $_.LocalPort -like "11*" }
The following command will show all open UPD ports and connections.
PS> netstat -anp UDP
-a – Show all connections and listening ports
-n – Show numerical addresses (no DNS resolution)
-p UDP – Filter for UDP only
Determine Domain Account Password Expiration
To check when a domain users password expires, you can use the following command.
PS> net user <username> /domain
Set WinHTTP Proxy
WinHTTP is more suited for non-interactive usage, such as windows services or background tasks that need to communicate over HTTP where no user-interaction is required. It is a lot faster than the WinINET library. WinHTTP is also easily accessed from .NET based applications making it a popular library for .NET Applications. WinHTTP by default does not use the proxy settings from WinINET.
Typical examples for applications and services using WinHTTP are:
- Adding/Removing features and roles in Windows 8.
- Windows Update
- Certificate validation of code
- Signed binaries / .NET applications that validate the certificate during application launch.
- Exchange Server
To show WinHTTP proxy settings on the client.
> netsh winhttp show proxy
To set new WinHTTP proxy settings on the client.
> netsh winhttp set proxy proxy-server="proxyserver:port" bypass-list="localhost; 127.0.0.1; ::1"
To reset WinHTTP proxy settings on the client.
> netsh winhttp reset proxy
Import the IE proxy settings of the current user.
> netsh winhttp import proxy source=ie
Determine last Restart Date and Time
To determine the last restart date and time on a Windows system, you have several easy options.
By using PowerShell or CMD. This shows when the system last booted, which effectively tells you the last restart time.
PS> systeminfo | find "System Boot Time"
By using PowerShell. This returns the exact date and time when Windows was last started.
PS> (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
By using PowerShell. This tells you how long the system has been running (uptime).
PS> (get-date) - (gcim Win32_OperatingSystem).LastBootUpTime
gpupdate vs. gpupdate /force
The /force flag forces a reapplication of all Group Policy settings, even if they haven’t changed.
This means that any assigned GPOs will be reapplied.
When just running gpupdate without the /force flag, it only applies policies that have changed since the last update.
If no changes were made to the GPOs, nothing will be reapplied to the hosts or users.
Terminate Windows Services they stuck Stopping/Starting
By using the taskkill command (CMD)
Run the following command (just works by using the CMD) to determine the PID of the stucking service. Below for example the Windows Update Service (wuauserv).
> sc queryex wuauserv
To finally terminate the stuck process run the taskkill command below .
> taskkill /PID 9132 /F
By using the Stop-Process cmdlet (PowerShell)
We can also use the PowerShell to force the service stop. We can first determine all services they are in state ‘stop pending’ by running the following command.
PS> Get-WmiObject -Class win32_service | Where-Object {$_.state -eq 'stop pending'}
To list all services in state ‘start pending’ run.
PS> Get-WmiObject -Class win32_service | Where-Object {$_.state -eq 'start pending'}
We can use the Stop-Process cmdlet to terminate all processes found by pending state.
$Services = Get-WmiObject -Class win32_service -Filter "state = 'stop pending'"
if ($Services) {
foreach ($service in $Services) {
try {
Stop-Process -Id $service.processid -Force -PassThru -ErrorAction Stop
}
catch {
Write-Warning -Message "Error. Error details: $_.Exception.Message"
}
}
}
else {
Write-Output "No services with 'Stopping'.status"
}Using the Resource Monitor to analyze Services they stuck (Analyze Wait Chain)
In Windows Resource Monitor, analyzing the wait chain of a process helps identify which other process or thread is blocking it, which is especially useful when troubleshooting performance issues or hung applications.
Launch the Resource Monitor.
Right-click on the process you suspect is not responding or is stuck. Select “Analyze Wait Chain”.
A wait chain tree will pop up.
If the process is not waiting, you’ll see something like below “….. is running normally.“
If it is waiting, you’ll see a chain like:
process.exe (PID) ↳ anotherprocess.exe (PID)
This means process.exe is waiting on anotherprocess.exe, and so on.
A wait chain shows the chain of threads/processes that are waiting on a resource, like:
- A mutex (lock) that another thread holds
- A disk or network operation
- A hung child process
If the last process in the chain is stuck, the entire chain is stuck.
If the bottom process is clearly hung and you don’t need it → you can kill it. If you find circular dependencies (processes waiting on each other), that can signal a deadlock.
Use tools like Process Explorer or Procmon for deeper inspection.
In Process Explorer, the Threads tab is a powerful diagnostic tool that allows you to inspect the individual threads running within a process.
A thread is the smallest unit of execution within a process. Each process has at least one thread, but can have many, each handling different tasks concurrently (e.g., UI, networking, file I/O).
You can click “Stack” to view the call stack, showing what code the thread is executing.
Links
Windows Start button or the taskbar is not working – ideapad, ideacentre
https://support.lenovo.com/mn/en/solutions/ht503047-taskbarstart-button-does-not-respond-windows-10-ideapad-ideacentre
