Windows Command Line (CMD) Cheat Sheet

Quick Reference

Open CMD as Admin

Win+X → Terminal (Admin)

Get help for any command

command /?

Pipe output

command1 | command2

Redirect to file

> overwrite · >> append

Suppress all output

command > nul 2>&1

Environment variable

%VARIABLE_NAME%

Clear screen

cls

Script directory path

%~dp0

Operators & Redirection

Operator	Meaning
`\|`	Pipe stdout to next command
`>`	Redirect stdout to file (overwrite)
`>>`	Redirect stdout to file (append)
`2>`	Redirect stderr to file
`2>&1`	Merge stderr into stdout

Operator	Meaning
`&`	Run second command regardless of first
`&&`	Run second only if first succeeded
`\|\|`	Run second only if first failed
`^`	Escape special characters
`( )`	Group commands into a block

Tip: Use command /? for built-in help on any command — for example robocopy /? or netsh /?.

Navigation & Filesystem

Command	What It Does
`cd C:\Windows`	Change to directory
`cd ..`	Go up one level
`cd \`	Go to root of current drive
`D:`	Switch to drive D

Command	What It Does
`cd /d D:\Folder`	Change drive and directory in one step
`pushd \\server\share`	Save current dir and navigate (supports UNC)
`popd`	Return to directory saved by pushd
`cd`	Print current directory path

Command	What It Does
`dir`	List files and folders
`dir /a`	Show hidden and system files
`dir /s *.log`	Search recursively for .log files
`dir /b`	Bare format — names only
`dir /o:s`	Sort by size

Command	What It Does
`dir /o:d`	Sort by date
`tree`	Display folder structure as tree
`tree /f`	Show tree including files
`where notepad.exe`	Find full path of an executable
`find "text" file.txt`	Search for text inside a file

Command	What It Does
`copy file.txt D:\Backup\`	Copy file to destination
`copy *.txt D:\Backup\`	Copy all .txt files
`move file.txt D:\Archive\`	Move file
`ren old.txt new.txt`	Rename file
`del file.txt`	Delete file
`del /s /q *.tmp`	Delete .tmp files recursively, no confirm

Command	What It Does
`type file.txt`	Print file contents
`more file.txt`	Display file page by page
`echo text > file.txt`	Write text to new file
`echo text >> file.txt`	Append text to file
`fc file1.txt file2.txt`	Compare two files line by line
`comp file1 file2`	Binary file comparison

Command	What It Does
`mkdir logs`	Create directory
`mkdir "My Folder"`	Create folder with spaces
`mkdir C:\A\B\C`	Create nested dirs in one step
`rmdir logs`	Remove empty directory
`rmdir /s /q logs`	Remove folder and all contents

Command	What It Does
`xcopy C:\Src D:\Dst /s /e /i`	Copy tree including empty subfolders
`robocopy C:\Src D:\Dst /e`	Robust copy with subdirectories
`robocopy C:\Src D:\Dst /mir`	Mirror — deletes files not in source
`robocopy C:\Src D:\Dst /z /log:out.log`	Resume on failure + write log
`robocopy C:\Src D:\Dst /e /xf *.tmp`	Copy tree, exclude .tmp files

Command	What It Does
`attrib file.txt`	Show file attributes (R, H, S, A)
`attrib +h file.txt`	Set hidden attribute
`attrib -r file.txt`	Remove read-only attribute
`attrib +r +h /s /d C:\Folder`	Apply attributes recursively

Command	What It Does
`mklink link.txt target.txt`	Create symbolic link to file
`mklink /d LinkDir TargetDir`	Create symbolic link to directory
`mklink /j LinkDir TargetDir`	Create junction (no admin required)
`mklink /h link.txt target.txt`	Create hard link

Processes & Services

Processes

Command	What It Does
`tasklist`	List all running processes
`tasklist /fi "imagename eq chrome.exe"`	Filter by process name
`tasklist /fi "status eq not responding"`	Find hung processes
`tasklist /svc`	Show services per svchost process
`tasklist /m kernel32.dll`	Find processes using a DLL
`start notepad.exe`	Start a program

Command	What It Does
`taskkill /im notepad.exe`	Kill process by name
`taskkill /pid 1234`	Kill process by PID
`taskkill /im chrome.exe /f`	Force kill process
`taskkill /im chrome.exe /f /t`	Force kill process tree
`start "" "C:\Program Files\app.exe"`	Start app with space in path
`start /wait setup.exe`	Start and wait for it to finish

Services

Command	What It Does
`sc query`	List all services and state
`sc query Spooler`	Query specific service status
`sc start Spooler`	Start a service
`sc stop Spooler`	Stop a service
`sc config Spooler start= auto`	Set service to auto-start

Command	What It Does
`sc config Spooler start= disabled`	Disable a service
`net start`	List running services
`net start "Print Spooler"`	Start service by display name
`net stop "Print Spooler"`	Stop service by display name
`sc query type= all`	List all services including drivers

sc vs net: sc uses the internal service name (e.g. Spooler). net start/stop uses the display name (e.g. "Print Spooler"). Note the space after start= in sc config — it is required.

Networking

Command	What It Does
`ipconfig`	Show IP addresses for all adapters
`ipconfig /all`	Full details: MAC, DNS, DHCP lease
`ipconfig /flushdns`	Flush DNS resolver cache
`ipconfig /release`	Release DHCP lease
`ipconfig /renew`	Renew DHCP lease
`ping google.com`	Test connectivity (4 packets)
`ping -t 8.8.8.8`	Continuous ping (Ctrl+C to stop)
`ping -n 10 8.8.8.8`	Ping with specific packet count
`ping -a 192.168.1.1`	Resolve IP to hostname while pinging
`tracert google.com`	Trace route to destination
`tracert -d google.com`	Traceroute without DNS (faster)
`pathping google.com`	Ping + traceroute + packet loss stats

Command	What It Does
`nslookup google.com`	DNS lookup for hostname
`nslookup -type=MX google.com`	Look up MX records
`nslookup google.com 8.8.8.8`	Query a specific DNS server
`netstat -an`	All connections and listening ports
`netstat -b`	Show process name per connection (admin)
`netstat -rn`	Show routing table
`netstat -ano \| find ":80"`	Find what is using port 80
`arp -a`	Show ARP cache (IP to MAC)
`arp -d`	Clear ARP cache
`route print`	Show full routing table
`netsh wlan show profiles`	List saved Wi-Fi networks
`netsh wlan show profile "WiFi" key=clear`	Show saved Wi-Fi password

netstat -b requires admin: Without elevation it returns “The operation requires elevation”. Run CMD as Administrator to see process names per connection.

System Information

Command	What It Does
`systeminfo`	Full system info: OS, RAM, hotfixes
`systeminfo \| find "OS Name"`	Windows version only
`systeminfo \| find "Total Physical Memory"`	Total RAM
`systeminfo \| find "System Boot Time"`	Last boot time
`hostname`	Display computer name
`ver`	Display Windows version string
`winver`	Open Windows version info dialog
`set`	List all environment variables
`echo %COMPUTERNAME%`	Computer name
`echo %USERNAME%`	Current user name
`echo %USERPROFILE%`	Current user’s home directory
`echo %APPDATA%`	AppData\Roaming path

Command	What It Does
`wmic os get caption,version,buildnumber`	OS name, version, build
`wmic cpu get name,numberofcores`	CPU name and core count
`wmic memorychip get capacity`	RAM per DIMM slot in bytes
`wmic bios get manufacturer,smbiosbiosversion`	BIOS info
`wmic diskdrive get model,size`	Physical disk model and size
`wmic logicaldisk get caption,freespace,size`	Drive free space and total size
`wmic product get name,version`	List installed software
`wmic qfe list brief`	List installed Windows updates (hotfixes)
`date /t`	Display current date
`time /t`	Display current time
`echo %DATE% %TIME%`	Date and time in one line
`net statistics workstation`	Uptime and network stats

Users & Permissions

Command	What It Does
`net user`	List all local user accounts
`net user username`	Show details for a specific user
`net user username pass /add`	Create a new local user
`net user username newpass`	Change user password
`net user username /active:no`	Disable a user account
`net user username /delete`	Delete a user account
`whoami`	Show current user name
`whoami /groups`	List current user’s group memberships

Command	What It Does
`net localgroup`	List all local groups
`net localgroup Administrators`	Show Administrators group members
`net localgroup Administrators user /add`	Add user to Administrators
`net localgroup Administrators user /delete`	Remove user from Administrators
`whoami /priv`	List current user’s privileges
`runas /user:DOMAIN\admin cmd.exe`	Run CMD as another user
`net accounts`	Show password and lockout policy
`net session`	List active network sessions (admin)

Command	What It Does
`icacls C:\Folder`	Show NTFS permissions
`icacls file.txt /grant "User:(R)"`	Grant read permission
`icacls file.txt /grant "Users:(F)"`	Grant full control
`icacls file.txt /deny "User:(W)"`	Explicitly deny write access

Command	What It Does
`icacls C:\Folder /grant "User:(OI)(CI)(M)"`	Modify on folder + subfolders + files
`icacls file.txt /remove "User"`	Remove all permissions for a user
`icacls C:\Folder /reset /t`	Reset to inherited defaults (recursive)
`icacls C:\Folder /save perms.txt /t`	Export permissions to file

Flag	Permission Level
`F`	Full control
`M`	Modify (read, write, execute, delete)
`RX`	Read and execute
`R`	Read only
`W`	Write only

Flag	Inheritance
`(OI)`	Object inherit — applies to files in folder
`(CI)`	Container inherit — applies to subfolders
`(IO)`	Inherit only — not applied to the folder itself
`(NP)`	No propagate — do not inherit further down
`(I)`	Inherited from parent container

Disk & Storage

Command	What It Does
`chkdsk C:`	Check disk for errors (read-only)
`chkdsk C: /f`	Fix file system errors
`chkdsk C: /r`	Find bad sectors + recover data
`fsutil volume diskfree C:`	Show free space for a volume
`fsutil file createnew test.bin 1073741824`	Create a 1 GB test file
`vol C:`	Show volume label and serial number

Command	What It Does
`label C: NewLabel`	Change volume label
`subst Z: "C:\Long\Path"`	Map folder to virtual drive letter
`subst Z: /d`	Remove virtual drive mapping
`subst`	List all active virtual drive mappings
`defrag C: /u /v`	Defragment drive with progress output
`diskpart`	Open diskpart interactive shell (admin)

Diskpart commands (run inside diskpart shell)

Command	What It Does
`list disk`	List all physical disks
`select disk 1`	Select disk 1
`list partition`	List partitions on selected disk
`list volume`	List all volumes
`select volume 3`	Select volume 3

Command	What It Does
`assign letter=Z`	Assign drive letter to selected volume
`remove letter=Z`	Remove drive letter
`online disk`	Bring an offline disk online
`attributes disk clear readonly`	Remove read-only flag from disk
`exit`	Exit diskpart

Diskpart is destructive: No undo. Always double-check select disk before any operation. Selecting the wrong disk and cleaning it permanently destroys all data.

Registry

Command	What It Does
`reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion`	Read a registry key
`reg query HKCU\Software /f "chrome" /s`	Search for pattern recursively
`reg add HKCU\Software\MyApp /v Setting /t REG_SZ /d "value"`	Add or update a string value
`reg add HKCU\Software\MyApp /v Count /t REG_DWORD /d 1`	Add a DWORD value
`reg delete HKCU\Software\MyApp /v Setting /f`	Delete a value (no confirm)

Command	What It Does
`reg delete HKCU\Software\MyApp /f`	Delete entire key and subkeys
`reg export HKCU\Software\MyApp backup.reg`	Export key to .reg file
`reg import backup.reg`	Import a .reg file
`reg copy HKCU\Software\Src HKCU\Software\Dst /s`	Copy key including subkeys
`regedit`	Open Registry Editor GUI

Registry Hives

Abbreviation	Full Name & Purpose
`HKLM`	HKEY_LOCAL_MACHINE — system-wide settings
`HKCU`	HKEY_CURRENT_USER — current user settings
`HKCR`	HKEY_CLASSES_ROOT — file associations, COM

Abbreviation	Full Name & Purpose
`HKU`	HKEY_USERS — all user profiles loaded
`HKCC`	HKEY_CURRENT_CONFIG — hardware profile
`REG_SZ / REG_DWORD / REG_BINARY`	Common value types: string / int / raw

Always export before editing: reg export HKCU\Software\MyApp backup.reg — there is no undo for deleted keys.

Event Logs & Diagnostics

wevtutil — Event Logs

Command	What It Does
`wevtutil el`	List all available event logs
`wevtutil gl System`	Get configuration of a log
`wevtutil qe System /c:20 /f:text /rd:true`	Last 20 System events as text
`wevtutil cl Application`	Clear Application event log (admin)

Command	What It Does
`wevtutil qe Security /q:"*[System[EventID=4625]]" /c:10 /f:text /rd:true`	Last 10 failed logons (ID 4625)
`wevtutil epl System C:\backup\system.evtx`	Export log to file
`eventvwr`	Open Event Viewer GUI
`eventvwr /l:C:\backup\system.evtx`	Open a saved .evtx file

System Diagnostics

Command	What It Does
`sfc /scannow`	Scan and repair system files (admin)
`sfc /verifyonly`	Scan only, no repair
`DISM /Online /Cleanup-Image /CheckHealth`	Quick check for component store issues
`DISM /Online /Cleanup-Image /ScanHealth`	Full component store scan
`DISM /Online /Cleanup-Image /RestoreHealth`	Repair using Windows Update

Command	What It Does
`gpresult /r`	Show applied Group Policy (user + computer)
`gpresult /h gpreport.html`	Generate full GPO report as HTML
`gpupdate /force`	Force immediate Group Policy refresh
`msconfig`	System Config: startup, services, boot
`perfmon /report`	Generate performance diagnostic report

Batch Scripting Essentials

Syntax	Meaning
`set name=value`	Define a variable (no spaces around =)
`echo %name%`	Print variable value
`set /p name=Enter value:`	Prompt user for input
`set /a result=5+3`	Arithmetic expression
`setlocal enabledelayedexpansion`	Enable !var! inside blocks
`echo !name!`	Delayed expansion (inside for/if blocks)

Syntax	Meaning
`@echo off`	Suppress command echoing
`echo.`	Print a blank line
`pause`	Wait for keypress
`rem This is a comment`	Comment line
`:: This is a comment`	Alternative comment (faster)
`title My Script`	Set CMD window title

Syntax	Meaning
`if "%1"=="" goto usage`	Check if argument is empty
`if exist file.txt echo found`	Check if file exists
`if not exist file.txt goto end`	Jump if file does not exist
`if /i "%var%"=="yes"`	Case-insensitive string compare
`if %ERRORLEVEL% neq 0 goto fail`	Check last exit code

Syntax	Meaning
`goto label`	Jump to a label
`:label`	Define a jump target
`call :subroutine`	Call sub-routine and return
`call other.bat arg1`	Call another script
`exit /b 0`	Exit with code (0=success, 1=error)

ERRORLEVEL: Use if %ERRORLEVEL% neq 0 rather than if errorlevel 1 — the latter is true for any value ≥ 1 and can cause unexpected behavior.

Syntax	Meaning
`for %%f in (*.txt) do echo %%f`	Loop over files matching pattern
`for /r C:\Folder %%f in (*.log) do del "%%f"`	Recursive loop over files
`for /l %%i in (1,1,10) do echo %%i`	Numeric loop 1 to 10, step 1

Syntax	Meaning
`for /f "tokens=1,2" %%a in (file.txt) do ...`	Parse lines, split into tokens
`for /f "delims=," %%a in (data.csv) do ...`	Parse CSV with comma delimiter
`for /d %%d in (C:\*) do echo %%d`	Loop over directories only

%% vs %: Use %%f inside .bat files, use %f when typing directly in CMD interactively.

Syntax	Meaning
`%1 %2 %3`	Script arguments by position
`%0`	The script name itself
`%*`	All arguments as a single string
`shift`	Shift arguments: %2 becomes %1, etc.

Syntax	Meaning
`%~f1`	Argument 1 expanded to full path
`%~d1`	Drive letter only (e.g. C:)
`%~p1`	Path only (without filename)
`%~dp0`	Directory of the script itself

CMD vs PowerShell: When to Use Which

Task	Use CMD	Use PowerShell
Quick one-liner	✓ Often shorter syntax	More verbose but precise
Robust file copy	✓ `robocopy` is native	Possible but more complex
Simple batch scripts	✓ .bat files run everywhere	Execution policy can block .ps1
Managing services	`sc` / `net` work fine	✓ Richer output, pipeline support
Filtering & sorting output	Text parsing with `find`, `findstr`	✓ Real objects, native filtering
Remoting to other machines	Limited (psexec, WMI)	✓ Built-in PSRemoting
Active Directory	Basic (`net user` only)	✓ Full AD module
Error handling	ERRORLEVEL only	✓ try/catch, exceptions
Registry editing	✓ `reg` command is quick	Also possible via PSDrive
Compatibility (old systems)	✓ Works back to Windows XP	Requires PS version check

General rule: Use CMD for quick tasks and scripts that need to run everywhere without configuration. Use PowerShell for anything involving filtering, automation, or Windows APIs. For new scripts, PowerShell 7 is the modern standard.

FAQ

How do I run CMD as Administrator?

Three ways: (1) Press Win+X and choose Terminal (Admin). (2) Search for cmd in Start, right-click → Run as administrator. (3) From any CMD: runas /user:Administrator cmd.exe. Many commands silently fail or return “Access is denied” without elevation — when in doubt, run as admin.

How do I find which process is using a specific port?

Run as Administrator: netstat -ano | find ":80" — the PID is in the last column. Then: tasklist /fi "pid eq 1234" to get the process name. One-liner: for /f "tokens=5" %a in ('netstat -ano ^| find ":80" ^| find "LISTENING"') do tasklist /fi "pid eq %a"

What is the difference between xcopy and robocopy?

xcopy is older and simpler. robocopy supports resume on failure, bandwidth throttling (/ipg), mirroring (/mir), detailed logging, and preserving all NTFS attributes. For anything beyond a simple one-time copy, use robocopy. xcopy is considered legacy.

Why does my variable show as empty inside a for loop?

CMD expands %variables% when a line is parsed, not when it executes. Inside code blocks the entire block is parsed at once. The fix: add setlocal enabledelayedexpansion at the top of your script, then use !var! instead of %var% inside for and if blocks.

How do I suppress all output from a command?

To suppress stdout and stderr: command > nul 2>&1. Stderr only: command 2> nul. Stdout only: command > nul. To capture everything to a log instead: command >> script.log 2>&1

What is the difference between & and && when chaining commands?

& runs both commands regardless of result. && runs the second only if the first succeeded (ERRORLEVEL 0). || runs the second only if the first failed. Example: mkdir logs && cd logs changes into the directory only if mkdir succeeded.

How do I schedule a command to run automatically?

Use schtasks: schtasks /create /tn "MyTask" /tr "C:\Scripts\backup.bat" /sc daily /st 02:00 creates a task that runs daily at 2am. View existing tasks: schtasks /query /fo list. For a GUI: run taskschd.msc.