Windows Cheat Sheet

winget search terraform
winget install --id Hashicorp.Terraform -e          # -e = match the exact package id
winget list                                         # installed packages
winget upgrade                                      # show available upgrades
winget upgrade --all                                # upgrade everything
winget uninstall --id Git.Git -e
 
# Reproducible machine setup - export on one box, import on the next
winget export -o packages.json
winget import -i packages.json --accept-package-agreements --accept-source-agreements

# Install Scoop
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
irm get.scoop.sh | iex
 
# Buckets and tools
scoop bucket add extras
scoop bucket add versions
scoop install git gh terraform packer kubectl helm azure-cli pwsh
scoop install vscode starship
 
scoop update *                                      # update everything
scoop search terraform

Get-ComputerInfo | Select-Object CsName, OsName, OsVersion, OsBuildNumber, WindowsVersion, CsTotalPhysicalMemory
(Get-CimInstance Win32_OperatingSystem).Caption     # edition/version, quick
[System.Environment]::OSVersion.Version             # build number
 
(Get-CimInstance Win32_OperatingSystem).LastBootUpTime          # uptime / last boot
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10   # installed updates
 
Get-CimInstance Win32_BIOS      | Select-Object Manufacturer, SerialNumber
Get-CimInstance Win32_Processor | Select-Object Name, NumberOfCores, NumberOfLogicalProcessors
 
Confirm-SecureBootUEFI                              # Secure Boot state (elevated, UEFI)
Get-Tpm                                             # TPM presence/readiness

Get-Process | Sort-Object CPU -Descending |
    Select-Object -First 15 Name, Id, CPU, @{n='WS(MB)';e={[math]::Round($_.WorkingSet/1MB)}}
Stop-Process -Name node -Force                      # kill by name
Stop-Process -Id 1234                               # kill by PID
 
# Which process is using a port?
Get-NetTCPConnection -LocalPort 8080 |
    ForEach-Object { Get-Process -Id $_.OwningProcess }
# cmd equivalent: netstat -ano | findstr :8080  ->  tasklist /FI "PID eq <pid>"

Get-Service | Where-Object Status -eq 'Running' | Sort-Object DisplayName
Restart-Service -Name W3SVC -Force
Set-Service  -Name W3SVC -StartupType Automatic      # Automatic | Manual | Disabled
 
# The binary path and the account a service runs as (a common audit question)
Get-CimInstance Win32_Service -Filter "Name='W3SVC'" | Select-Object Name, StartName, PathName, State
 
# Auto-restart a service on failure (sc.exe - the spaces after '=' are required)
sc.exe failure W3SVC reset= 86400 actions= restart/60000/restart/60000/restart/60000

Get-NetIPConfiguration                              # IP, gateway, DNS per adapter
Test-NetConnection myserver -Port 443               # telnet/nc replacement
Test-NetConnection 8.8.8.8 -InformationLevel Detailed
Get-NetTCPConnection -State Listen | Sort-Object LocalPort | Select-Object LocalPort, OwningProcess
Resolve-DnsName example.com                         # nslookup/dig
Clear-DnsClientCache                                # ipconfig /flushdns
Get-NetRoute -AddressFamily IPv4 | Sort-Object RouteMetric    # routing table
 
# Reset the network stack (last resort, needs a reboot)
netsh winsock reset
netsh int ip reset

$portNumber      = 1433
$durationSeconds = 3600
$ruleName        = "TempRuleForPort$portNumber"
 
try {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -LocalPort $portNumber -Action Allow -Protocol TCP
 
    $listener = [System.Net.Sockets.TcpListener]$portNumber
    $listener.Start()
    $endTime = (Get-Date).AddSeconds($durationSeconds)
 
    while ((Get-Date) -lt $endTime) {
        if ($listener.Pending()) {
            $client = $listener.AcceptTcpClient()
            Write-Host ("Connection from {0}" -f $client.Client.RemoteEndPoint) -ForegroundColor Green
            $client.Close()
        }
        Start-Sleep -Seconds 1
    }
} finally {
    if ($listener) { $listener.Stop() }
    Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue   # always clean up
}

Get-NetFirewallProfile | Select-Object Name, Enabled         # Domain / Private / Public
Get-NetFirewallRule | Where-Object Enabled -eq 'True' |
    Select-Object DisplayName, Direction, Action | Sort-Object Direction
 
New-NetFirewallRule -DisplayName "Allow 8080 In" -Direction Inbound -LocalPort 8080 -Protocol TCP -Action Allow
Remove-NetFirewallRule -DisplayName "Allow 8080 In"
 
# Scope a rule to a source subnet - least exposure
New-NetFirewallRule -DisplayName "Allow RDP from mgmt" -Direction Inbound -LocalPort 3389 `
    -Protocol TCP -Action Allow -RemoteAddress 10.0.0.0/24

Get-PSDrive -PSProvider FileSystem |
    Select-Object Name, @{n='Used(GB)';e={[math]::Round($_.Used/1GB,1)}}, @{n='Free(GB)';e={[math]::Round($_.Free/1GB,1)}}
Get-Volume | Sort-Object DriveLetter
Get-Disk | Select-Object Number, FriendlyName, @{n='Size(GB)';e={[math]::Round($_.Size/1GB)}}, PartitionStyle, HealthStatus
 
Repair-Volume -DriveLetter C -Scan                   # online scan (chkdsk /scan)
chkdsk C: /f                                         # offline fix (schedules at next reboot for C:)
 
Remove-Item "$env:TEMP\*" -Recurse -Force -ErrorAction SilentlyContinue   # free space fast

Get-LocalUser
New-LocalUser -Name "svc-deploy" -Password (Read-Host -AsSecureString)
Add-LocalGroupMember -Group "Administrators" -Member "svc-deploy"
Get-LocalGroupMember -Group "Administrators"         # audit who is a local admin
Disable-LocalUser -Name "Guest"

Get-ScheduledTask | Where-Object State -ne 'Disabled' | Select-Object TaskName, State
Get-ScheduledTaskInfo -TaskName "Nightly"            # last/next run + last result
 
$action  = New-ScheduledTaskAction -Execute "pwsh.exe" -Argument "-File C:\scripts\job.ps1"
$trigger = New-ScheduledTaskTrigger -Daily -At 2am
Register-ScheduledTask -TaskName "Nightly" -Action $action -Trigger $trigger `
    -User "SYSTEM" -RunLevel Highest
 
Start-ScheduledTask -TaskName "Nightly"              # run now
Unregister-ScheduledTask -TaskName "Nightly" -Confirm:$false
schtasks /query /fo LIST /v /tn "Nightly"           # classic equivalent, works everywhere

Get-WinEvent -LogName System -MaxEvents 50
# Errors in the last day (Level 2 = Error)
Get-WinEvent -FilterHashtable @{ LogName='System'; Level=2; StartTime=(Get-Date).AddDays(-1) }
# Common diagnostics
Get-WinEvent -FilterHashtable @{ LogName='System';      Id=41 }   # kernel-power: dirty/unexpected shutdown
Get-WinEvent -FilterHashtable @{ LogName='Application'; Id=1000 } # application crash
Get-WinEvent -FilterHashtable @{ LogName='Security';    Id=4625 } -MaxEvents 20  # failed logons (elevated)
 
wevtutil el                                          # list every log name

Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
    Select-Object ProductName, CurrentBuild
New-ItemProperty -Path 'HKCU:\Software\MyApp' -Name 'LogLevel' -Value 'Info' -PropertyType String -Force
Set-ItemProperty -Path 'HKCU:\Software\MyApp' -Name 'LogLevel' -Value 'Debug'
Remove-ItemProperty -Path 'HKCU:\Software\MyApp' -Name 'LogLevel'
 
reg export "HKCU\Software\MyApp" backup.reg          # back up a key before editing
reg add  "HKCU\Software\MyApp" /v LogLevel /t REG_SZ /d Info /f

DISM /Online /Cleanup-Image /RestoreHealth           # repair the component store (run first if sfc fails)
sfc /scannow                                         # verify/repair protected system files
 
Get-WindowsOptionalFeature -Online | Where-Object State -eq 'Enabled'
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -NoRestart
Install-WindowsFeature -Name Web-Server -IncludeManagementTools    # Windows Server roles

Enable-PSRemoting -Force                             # enable WinRM (run on the target)
Invoke-Command -ComputerName web01 -ScriptBlock { Get-Service W3SVC } -Credential (Get-Credential)
Enter-PSSession  -ComputerName web01 -Credential (Get-Credential)
 
# Enable RDP (registry + firewall group)
Set-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
winget upgrade --all                                 # application updates (not the OS)
 
# OS updates via the PSWindowsUpdate module
Install-Module PSWindowsUpdate -Scope CurrentUser
Get-WindowsUpdate                                    # list pending
Install-WindowsUpdate -AcceptAll -AutoReboot         # install (mind -AutoReboot on servers)

Get-ChildItem Env:                                   # list all
$env:MY_VAR = "value"                                # current session only
[System.Environment]::SetEnvironmentVariable("MY_VAR", "value", "User")     # persist for the user
[System.Environment]::SetEnvironmentVariable("MY_VAR", "value", "Machine")  # persist machine-wide (admin)

wsl --list --verbose              # installed distros and status
wsl --install -d Ubuntu-22.04     # install a specific distro
wsl --set-default Ubuntu-22.04
wsl --shutdown                    # stop all running distros (apply .wslconfig changes)
wsl --export Ubuntu-22.04 ubuntu-backup.tar          # back up before destructive ops
wsl --unregister Ubuntu-22.04     # 🚨 permanently destroys the distro's filesystem

@"
[wsl2]
memory=8GB
processors=2
swap=4GB
localhostForwarding=true
"@ | Set-Content -Path "$Env:USERPROFILE\.wslconfig"

winget install --id Microsoft.Sysinternals -e
# or run a tool directly, no install:
\\live.sysinternals.com\tools\procexp64.exe