How to use CMD and PowerShell Windows commands

Applies to: ✔️ Windows VMs

This article provides example commands to perform common tasks in scenarios in which you have to use the Special Administration Console (SAC) to access your Windows virtual machine (VM). For example, you might have to use SAC to troubleshoot RDP connection failures.

SAC is included in all versions of Windows since Windows Server 2003. By default, however, it's disabled. SAC relies on the sacdrv.sys kernel driver, the Special Administration Console Helper service (sacsvr), and the sacsess.exe process. For more information, see Emergency Management Services Tools and Settings.

SAC enables you to connect through a serial port to the running OS. When you open a Command Prompt window in SAC, sacsess.exe starts cmd.exe within your running OS. If you also connect through RDP to your VM at the same time, you can see in Task Manager that you're connected to SAC through the serial console feature. The CMD window that you access through SAC is the same as the cmd.exe window that you use when you connect through RDP. All the same commands and tools are available, including the ability to start PowerShell from that CMD instance. The major difference between SAC and the Windows Recovery Environment (WinRE) is that SAC lets you manage your running OS, whereas WinRE boots into a different, minimal OS. Although Azure VMs don't support access to WinRE, they can be managed through SAC.

Because SAC is limited to an 80x24 character screen buffer with no scroll-back capability, add | more to commands to display the output one page at a time. Use <spacebar> to see the next page, or <enter> to see the next line.

The paste shortcut for the serial console window is SHIFT+INSERT.

Because of SAC's limited screen buffer, it might be easier to manage longer commands by copying them from a local text editor to SAC.

Use CMD for Windows registry settings

To view and edit Windows registry settings by using CMD, follow these steps:

  1. Verify that RDP is enabled. Run the following commands:

    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

    reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections

    Note: The second key (under \Policies) exists only if the relevant Group Policy setting is configured.

  2. Enable RDP by running the following commands:

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 0

    Note: The second key (under \Policies) is necessary only if the relevant Group Policy setting is configured. The value is rewritten at next Group Policy refresh if it's configured in Group Policy.

Use CMD to manage Windows services

To manage Windows services by using CMD, follow these steps:

  1. View the service state:

    sc query termservice

  2. View the service logon account:

    sc qc termservice

  3. Set the service logon account:

    sc config termservice obj= "NT Authority\NetworkService"

    Note: A space is required after the equal sign.

  4. Set service start type:

    sc config termservice start= demand

    Note: A space is required after the equal sign. Possible start values include: boot, system, auto, demand, disabled, and delayed-auto.

  5. Set service dependencies:

    sc config termservice depend= RPCSS

    Note: A space is required after the equal sign.

  6. Start service by running either of the following commands:

    net start termservice

    sc start termservice

  7. Stop the service by running either of the following commands:

    net stop termservice

    sc stop termservice

Use CMD to manage networking features

To manage networking features using CMD, follow these steps:

  1. Show the network shell (netsh) properties:

    netsh interface show interface

  2. Show IP properties:

    netsh interface ip show config

  3. Show IPSec configuration:

    netsh nap client show configuration

  4. Enable the network shell interface:

    netsh interface set interface name="<interface name>" admin=enabled

  5. Set the netsh interface to use DHCP:

    netsh interface ip set address name="<interface name>" source=dhcp

For more information about netsh, see Network shell (netsh).

Azure VMs should always be configured in the guest OS to use DHCP to get an IP address. The Azure static IP setting still uses DHCP to give the static IP to the VM.

Ping

ping 8.8.8.8

Port ping

Install the telnet client

dism /online /Enable-Feature /FeatureName:TelnetClient

Test connectivity

telnet bing.com 80

To remove the telnet client

dism /online /Disable-Feature /FeatureName:TelnetClient

When limited to methods available in Windows by default, PowerShell can be a better approach for testing port connectivity. See the following PowerShell section for examples.

Test DNS name resolution

nslookup bing.com

Show Windows Firewall rule

netsh advfirewall firewall show rule name="Remote Desktop - User Mode (TCP-In)"

Disable Windows Firewall

netsh advfirewall set allprofiles state off

You can use this command when you troubleshoot to temporarily rule out Windows Firewall. The firewall is enabled again at the next restart or when you enable it by using the command in the next section. Don't stop the Windows Firewall service (MPSSVC) or the Base Filtering Engine (BFE) service as a method to rule out Windows Firewall. Stopping MPSSVC or BFE causes all connectivity to be blocked.

Enable Windows Firewall

netsh advfirewall set allprofiles state on

Manage Users and Groups using CMD

Create local user account

net user /add <username> <password>

Add local user to local group

net localgroup Administrators <username> /add

Verify that the user account is enabled

net user <username> | find /i "active"

Azure VMs that are created from a generalized image have the local administrator account renamed to the name that's specified during VM provisioning. Usually, the name isn't Administrator.

Enable user account

net user <username> /active:yes

View user account properties

net user <username>

Example lines of interest from a local admin account:

Account active          Yes

Account expires         Never

Password expires        Never

Workstations allowed    All

Logon hours allowed     All

Local Group Memberships *Administrators

View local groups

net localgroup

Manage the Windows Event Log using CMD

Query event log errors

wevtutil qe system /c:10 /f:text /q:"Event[System[Level=2]]" | more

Change /c:10 to the desired number of events to return, or remove it to return all events matching the filter.

Query event log by Event ID

wevtutil qe system /c:1 /f:text /q:"Event[System[EventID=11]]" | more

Query event log by Event ID and Provider

wevtutil qe system /c:1 /f:text /q:"Event[System[Provider[@Name='Microsoft-Windows-Hyper-V-Netvsc'] and EventID=11]]" | more

Query event log by Event ID and Provider for the last 24 hours

wevtutil qe system /c:1 /f:text /q:"Event[System[Provider[@Name='Microsoft-Windows-Hyper-V-Netvsc'] and EventID=11 and TimeCreated[timediff(@SystemTime) <= 86400000]]]"

Use 604800000 to look back seven days instead of 24 hours.

Query event log by Event ID, Provider, and EventData in the last seven days

wevtutil qe security /c:1 /f:text /q:"Event[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4624 and TimeCreated[timediff(@SystemTime) <= 604800000]] and EventData[Data[@Name='TargetUserName']='<username>']]" | more

View or remove installed applications by using CMD

List installed applications

wmic product get Name,InstallDate | sort /r | more

The sort /r command sorts results in descending order by install date, making it easier to identify recently installed applications. Use <spacebar> to advance to the next page of output, or <enter> to advance one line.

Uninstall an application

wmic path win32_product where name="<name>" call uninstall

Replace <name> with the name that's returned in the previous command for the application that you want to remove.

File System Management using CMD

Get file version

wmic datafile where "drive='C:' and path='\\windows\\system32\\drivers\\' and filename like 'netvsc%'" get version /format:list

This example returns the file version of the virtual network adapter driver, which is netvsc.sys, netvsc63.sys, or netvsc60.sys depending on the Windows version.

Scan for system file corruption

sfc /scannow

See also Repair a Windows Image.

Scan for system file corruption

dism /online /cleanup-image /scanhealth

See also Repair a Windows Image.

Export file permissions to text file

icacls %programdata%\Microsoft\Crypto\RSA\MachineKeys /t /c > %temp%\MachineKeys_permissions_before.txt

Save file permissions to ACL file

icacls %programdata%\Microsoft\Crypto\RSA\MachineKeys /save %temp%\MachineKeys_permissions_before.aclfile /t

Restore file permissions from ACL file

icacls %programdata%\Microsoft\Crypto\RSA /restore %temp%\MachineKeys_permissions_before.aclfile /t

When using /restore, specify the parent folder of the one used in /save. For example, use \RSA if you previously saved permissions for \MachineKeys.

Take NTFS ownership of a folder

takeown /f %programdata%\Microsoft\Crypto\RSA\MachineKeys /a /r

Grant NTFS permissions to a folder recursively

icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c /grant "BUILTIN\Administrators:(F)"

Manage Devices

Remove entries for nonexistent PNP devices

This command cleans up device entries for hardware that no longer exists on the system:

%windir%\System32\RUNDLL32.exe %windir%\System32\pnpclean.dll,RunDLL_PnpClean /Devices /Maxclean

Manage Group Policy

Force a Group Policy update

gpupdate /force /wait:-1

Miscellaneous Tasks using CMD

Show OS version

ver

or

wmic os get caption,version,buildnumber /format:list

or

systeminfo | find /i "os name"

systeminfo | findstr /i /r "os.*version.*build"

View OS install date

systeminfo | find /i "original"

or

wmic os get installdate

View last boot time

systeminfo | find /i "system boot time"

View time zone

systeminfo | find /i "time zone"

or

wmic timezone get caption,standardname /format:list

Restart Windows

shutdown /r /t 0

Adding /f forces running applications to close without warning users.

Detect Safe Mode boot

bcdedit /enum | find /i "safeboot"

Windows Commands - PowerShell

To run PowerShell in SAC, after you reach a CMD prompt, type:

powershell <enter>

Caution

Remove the PSReadLine module from the PowerShell session before running any other PowerShell commands. There's a known issue where extra characters may be introduced in text pasted from the clipboard if PSReadLine is running in a PowerShell session in SAC.

First check whether PSReadLine is loaded. It's loaded by default on Windows Server 2016, Windows 10, and later versions of Windows. On earlier Windows versions, it's present only if it was installed manually.

get-module psreadline

If this command returns to a prompt with no output, the module isn't loaded and you can continue using the PowerShell session in SAC as normal.

If the command returns the PSReadLine module version, run the following command to unload it. This command doesn't delete or uninstall the module. It only unloads it from the current PowerShell session.

remove-module psreadline

View and Edit Windows Registry Settings by using PowerShell

Verify RDP is enabled

get-itemproperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -name 'fDenyTSConnections'

get-itemproperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name 'fDenyTSConnections'

The second key under \Policies exists only if the relevant Group Policy setting is configured.

Enable RDP

set-itemproperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -name 'fDenyTSConnections' -value 0 -type dword

set-itemproperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name 'fDenyTSConnections' -value 0 -type dword

The second key (under \Policies) is necessary only if the relevant Group Policy setting is configured. The value is rewritten at the next Group Policy refresh if it's configured in Group Policy.
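The two locations above are easiest to read together. The following is an added example, not code from the original article: it reads both values without throwing when the \Policies key is absent and reports which one is in effect. It assumes the standard Group Policy behaviour that a value under \Policies overrides the local setting (the reason the article warns that a policy refresh rewrites it).

```powershell
# Added example, not from the original article: report the effective RDP setting
# from both registry locations the article queries, without throwing when the
# Policies key is absent (it exists only if Group Policy configured the setting).

# Read a DWORD value; return $null if the key or the value doesn't exist.
function Read-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-RdpState {
    $name = 'fDenyTSConnections'
    $localValue  = Read-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' $name
    $policyValue = Read-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' $name

    # Assumption (standard Group Policy behaviour): a value under \Policies overrides the
    # local setting and is rewritten at the next policy refresh, so it decides the outcome.
    if ($null -ne $policyValue) {
        $effective = $policyValue; $source = 'Group Policy'
    } elseif ($null -ne $localValue) {
        $effective = $localValue; $source = 'Local setting'
    } else {
        $effective = $null; $source = 'Not configured'
    }

    New-Object PSObject -Property @{
        LocalValue       = $localValue
        PolicyValue      = $policyValue
        PolicyConfigured = ($null -ne $policyValue)
        Source           = $source
        RdpAllowed       = ($effective -eq 0)   # 0 = connections allowed, 1 = denied
    }
}

Get-RdpState | Format-List RdpAllowed, Source, LocalValue, PolicyValue, PolicyConfigured
```

If PolicyConfigured is True, changing only the SYSTEM key has no lasting effect; the policy value is what the next refresh restores.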

Manage Windows Services using PowerShell

View service details

get-wmiobject win32_service -filter "name='termservice'" | format-list Name,DisplayName,State,StartMode,StartName,PathName,ServiceType,Status,ExitCode,ServiceSpecificExitCode,ProcessId

Get-Service can be used but doesn't include the service logon account. Get-WmiObject Win32_Service does.

Set service logon account

(get-wmiobject win32_service -filter "name='termservice'").Change($null,$null,$null,$null,$null,$false,'NT Authority\NetworkService')

When using a service account other than NT AUTHORITY\LocalService, NT AUTHORITY\NetworkService, or LocalSystem, specify the account password as the last (eighth) argument after the account name.

Set service startup type

set-service termservice -startuptype Manual

Set-service accepts Automatic, Manual, or Disabled for startup type.

Set service dependencies

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService' -Name DependOnService -Value @('RPCSS','TermDD')

Start service

start-service termservice

Stop service

stop-service termservice

Manage Networking Features using PowerShell

Show network adapter properties

get-netadapter | where {$_.ifdesc.startswith('Microsoft Hyper-V Network Adapter')} | format-list status,name,ifdesc,macaddress,driverversion,MediaConnectState,MediaDuplexState

or

get-wmiobject win32_networkadapter -filter "servicename='netvsc'" | format-list netenabled,name,macaddress

Get-NetAdapter is available in 2012 and later versions. For 2008 R2, use Get-WmiObject.

Show IP properties

get-wmiobject Win32_NetworkAdapterConfiguration -filter "ServiceName='netvsc'" | format-list DNSHostName,IPAddress,DHCPEnabled,IPSubnet,DefaultIPGateway,MACAddress,DHCPServer,DNSServerSearchOrder

Enable network adapter

get-netadapter | where {$_.ifdesc.startswith('Microsoft Hyper-V Network Adapter')} | enable-netadapter

or

(get-wmiobject win32_networkadapter -filter "servicename='netvsc'").enable()

Get-NetAdapter is available in 2012 and later versions. For 2008 R2, use Get-WmiObject.

Set network adapter to use DHCP

get-netadapter | where {$_.ifdesc.startswith('Microsoft Hyper-V Network Adapter')} | Set-NetIPInterface -DHCP Enabled

(get-wmiobject Win32_NetworkAdapterConfiguration -filter "ServiceName='netvsc'").EnableDHCP()

Get-NetAdapter is available in 2012 and later versions. For 2008 R2, use Get-WmiObject. Azure VMs should always be configured in the guest OS to use DHCP to obtain an IP address. The Azure static IP setting still uses DHCP to give the IP to the VM.

Ping

test-netconnection

Note

The Write-Progress cmdlet might not work by using this command. As a mitigation, you can run $ProgressPreference = "SilentlyContinue" in PowerShell to disable the progress bar.

Or

get-wmiobject Win32_PingStatus -Filter 'Address="8.8.8.8"' | format-table -autosize IPV4Address,ReplySize,ResponseTime

Test-NetConnection without any parameters tries to ping internetbeacon.msedge.net. It's available in 2012 and later versions. For 2008 R2, use Get-WmiObject, as in the second example.

Port ping

test-netconnection -ComputerName bing.com -Port 80

Or

(new-object Net.Sockets.TcpClient).BeginConnect('bing.com','80',$null,$null).AsyncWaitHandle.WaitOne(300)

Test-NetConnection is available in 2012 and later versions. For 2008 R2, use Net.Sockets.TcpClient.
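The one-line TcpClient call above returns only True or False and leaves the socket open. As an added example, not code from the original article, here is the same technique wrapped in a function that enforces a timeout, distinguishes a timeout from a refused connection or a name that doesn't resolve, and always closes the socket. It uses only .NET types present on 2008 R2.

```powershell
# Added example, not from the original article: the Net.Sockets.TcpClient approach
# wrapped in a function that enforces a timeout, distinguishes "timed out" from
# "refused" and "name not resolved", and always closes the socket.
function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $result = New-Object PSObject -Property @{
        ComputerName = $ComputerName; Port = $Port; Open = $false; Detail = ''
    }
    try {
        # BeginConnect throws synchronously if the name can't be resolved.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # No answer (neither accept nor reset) within the timeout: filtered or unreachable.
            $result.Detail = "timed out after $TimeoutMs ms"
            return $result
        }
        # EndConnect surfaces a refused or reset connection as a SocketException.
        $client.EndConnect($async)
        $result.Open = $true
        $result.Detail = 'connected'
        return $result
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        $result.Detail = $ex.Message
        return $result
    } finally {
        $client.Close()
    }
}

# The article's example target, plus a second port to exercise the failure path.
Test-TcpPort -ComputerName bing.com -Port 80 | Format-List ComputerName, Port, Open, Detail
Test-TcpPort -ComputerName bing.com -Port 81 -TimeoutMs 1000 | Format-List ComputerName, Port, Open, Detail
```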

Test DNS name resolution

resolve-dnsname bing.com

Or

[System.Net.Dns]::GetHostAddresses('bing.com')

Resolve-DnsName is available in 2012 and later versions. For 2008 R2, use System.Net.DNS.

Show Windows Firewall rule by name

get-netfirewallrule -name RemoteDesktop-UserMode-In-TCP

Show Windows Firewall rule by port

get-netfirewallportfilter | where {$_.localport -eq 3389} | foreach {Get-NetFirewallRule -Name $_.InstanceId} | format-list Name,Enabled,Profile,Direction,Action

Or

(new-object -ComObject hnetcfg.fwpolicy2).rules | where {$_.localports -eq 3389 -and $_.direction -eq 1} | format-table Name,Enabled

Get-NetFirewallPortFilter is available in 2012 and later versions. For 2008 R2, use the hnetcfg.fwpolicy2 COM object.

Disable Windows Firewall

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

Set-NetFirewallProfile is available in 2012 and later versions. For 2008 R2, use netsh advfirewall as referenced in the CMD section earlier in this article.

Manage Users and Groups using PowerShell

Create local user account

new-localuser <name>

Verify user account is enabled

(get-localuser | where {$_.SID -like "S-1-5-21-*-500"}).Enabled

Or

(get-wmiobject Win32_UserAccount -Namespace "root\cimv2" -Filter "SID like 'S-1-5-%-500'").Disabled

Get-LocalUser is available in 2012 and later versions. For 2008 R2, use Get-WmiObject. This example shows the built-in local administrator account. This account always has SID S-1-5-21-*-500. Azure VMs that are created from a generalized image have the local administrator account renamed to the name that's specified during VM provisioning. Usually, the name isn't Administrator.

Add local user to local group

add-localgroupmember -group Administrators -member <username>

Enable local user account

get-localuser | where {$_.SID -like "S-1-5-21-*-500"} | enable-localuser

This example enables the built-in local administrator account. This account always has SID S-1-5-21-*-500. Azure VMs that are created from a generalized image have the local administrator account renamed to the name specified during VM provisioning. Usually, the name isn't Administrator.

View user account properties

get-localuser | where {$_.SID -like "S-1-5-21-*-500"} | format-list *

Or

get-wmiobject Win32_UserAccount -Namespace "root\cimv2" -Filter "SID like 'S-1-5-%-500'" | format-list Name,Disabled,Status,Lockout,Description,SID

Get-LocalUser is available in 2012 and later versions. For 2008 R2, use Get-WmiObject. This example shows the built-in local administrator account. This account always has SID S-1-5-21-*-500.

View local groups

(get-localgroup).name | sort

Or

(get-wmiobject win32_group).Name | sort

Get-LocalGroup is available in 2012 and later versions. For 2008 R2, use Get-WmiObject.

Manage the Windows Event Log using PowerShell

Query event log errors

get-winevent -logname system -maxevents 1 -filterxpath "*[System[Level=2]]" | more

Change -maxevents 1 to the desired number of events to return, or remove it to return all matching events.

Query event log by Event ID

get-winevent -logname system -maxevents 1 -filterxpath "*[System[EventID=11]]" | more

Query event log by Event ID and Provider

get-winevent -logname system -maxevents 1 -filterxpath "*[System[Provider[@Name='Microsoft-Windows-Hyper-V-Netvsc'] and EventID=11]]" | more

Query event log by Event ID and Provider for the last 24 hours

get-winevent -logname system -maxevents 1 -filterxpath "*[System[Provider[@Name='Microsoft-Windows-Hyper-V-Netvsc'] and EventID=11 and TimeCreated[timediff(@SystemTime) <= 86400000]]]"

Use 604800000 to look back seven days instead of 24 hours.

Query event log by Event ID, Provider, and EventData in the last seven days

get-winevent -logname security -maxevents 1 -filterxpath "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4624 and TimeCreated[timediff(@SystemTime) <= 604800000]] and EventData[Data[@Name='TargetUserName']='<username>']]" | more
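The five queries above differ only in their XPath terms. As an added example, not part of the original article, this function builds the same filter from parameters, converts the look-back window from hours to the milliseconds that timediff() expects, and treats the "No events were found" error from Get-WinEvent as an empty result rather than a failure. Parameter names are this example's own.

```powershell
# Added example, not from the original article: build the XPath filters used above
# from parameters, so one function covers Level, Provider, EventID, a look-back
# window and an EventData field. Values are embedded as XPath string literals,
# so they must not contain an apostrophe.
function Get-FilteredEvents {
    param(
        [string]$LogName = 'System',
        [string]$ProviderName,
        [int[]]$EventId,
        [int]$Level,                 # 1 = Critical, 2 = Error, 3 = Warning, 4 = Information
        [int]$LookBackHours,
        [string]$DataName,           # e.g. TargetUserName
        [string]$DataValue,
        [int]$MaxEvents = 10         # 0 = return all matching events
    )
    $systemTerms = @()
    if ($ProviderName) { $systemTerms += "Provider[@Name='$ProviderName']" }
    if ($EventId) {
        $systemTerms += '(' + (($EventId | ForEach-Object { "EventID=$_" }) -join ' or ') + ')'
    }
    if ($Level) { $systemTerms += "Level=$Level" }
    if ($LookBackHours) {
        # timediff() compares against the current time in milliseconds: 24 h = 86400000.
        $ms = [int64]$LookBackHours * 3600000
        $systemTerms += "TimeCreated[timediff(@SystemTime) <= $ms]"
    }

    $clauses = @()
    if ($systemTerms.Count -gt 0) { $clauses += 'System[' + ($systemTerms -join ' and ') + ']' }
    if ($DataName) { $clauses += "EventData[Data[@Name='$DataName']='$DataValue']" }
    $xpath = if ($clauses.Count -gt 0) { '*[' + ($clauses -join ' and ') + ']' } else { '*' }

    $params = @{ LogName = $LogName; FilterXPath = $xpath; ErrorAction = 'Stop' }
    if ($MaxEvents -gt 0) { $params.MaxEvents = $MaxEvents }
    try {
        Get-WinEvent @params
    } catch {
        # Get-WinEvent reports "No events were found ..." as an error; return nothing instead.
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
    }
}

# Errors in the System log from the last 24 hours, paged for the SAC screen buffer.
Get-FilteredEvents -LogName System -Level 2 -LookBackHours 24 |
    Format-List TimeCreated, Id, ProviderName, Message | more

# The last query above: logon events (4624) for one account in the past seven days.
Get-FilteredEvents -LogName Security -ProviderName 'Microsoft-Windows-Security-Auditing' `
    -EventId 4624 -LookBackHours 168 -DataName TargetUserName -DataValue '<username>' -MaxEvents 1
```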

View or remove installed applications by using PowerShell

List installed software

get-wmiobject win32_product | select installdate,name | sort installdate -descending | more

Uninstall software

(get-wmiobject win32_product -filter "Name='<name>'").Uninstall()

File System Management by using PowerShell

Get file version

(get-childitem $env:windir\system32\drivers\netvsc*.sys).VersionInfo.FileVersion

This example returns the file version of the virtual NIC driver, which is named netvsc.sys, netvsc63.sys, or netvsc60.sys depending on the Windows version.

Download and extract file

$path='c:\bin'
md $path
cd $path
(new-object net.webclient).downloadfile('http://download.sysinternals.com/files/SysinternalsSuite.zip',"$path\SysinternalsSuite.zip")
(new-object -com shell.application).namespace($path).CopyHere((new-object -com shell.application).namespace("$path\SysinternalsSuite.zip").Items(),16)

This example creates a c:\bin folder, then downloads and extracts the Sysinternals suite of tools into c:\bin.

Miscellaneous tasks that use PowerShell

Show OS version

get-wmiobject win32_operatingsystem | format-list caption,version,buildnumber

View OS install date

(get-wmiobject win32_operatingsystem).converttodatetime((get-wmiobject win32_operatingsystem).installdate)

View last boot time

(get-wmiobject win32_operatingsystem).lastbootuptime

View Windows uptime

"{0:dd}:{0:hh}:{0:mm}:{0:ss}.{0:ff}" -f ((get-date)-(get-wmiobject win32_operatingsystem).converttodatetime((get-wmiobject win32_operatingsystem).lastbootuptime))

Returns uptime as <days>:<hours>:<minutes>:<seconds>.<fraction of a second>, for example 49:16:48:00.00.

Restart Windows

restart-computer

Adding -force forces running applications to close without warning users.

Instance metadata

You can query Azure instance metadata from within your Azure VM to view details such as osType, Location, vmSize, vmId, name, resourceGroupName, subscriptionId, privateIpAddress, and publicIpAddress.

Querying instance metadata requires healthy guest network connectivity because it makes a REST call through the Azure host to the instance metadata service. If you can query instance metadata, then the guest can communicate over the network to an Azure-hosted service.

For more information, see Azure Instance Metadata service.

Instance metadata

$im = invoke-restmethod -headers @{"metadata"="true"} -uri http://169.254.169.254/metadata/instance?api-version=2017-08-01 -method get

$im | convertto-json

OS Type (Instance Metadata)

$im.Compute.osType

Location (Instance Metadata)

$im.Compute.Location

Size (Instance Metadata)

$im.Compute.vmSize

VM ID (Instance Metadata)

$im.Compute.vmId

VM Name (Instance Metadata)

$im.Compute.name

Resource Group Name (Instance Metadata)

$im.Compute.resourceGroupName

Subscription ID (Instance Metadata)

$im.Compute.subscriptionId

Tags (Instance Metadata)

$im.Compute.tags

Placement Group ID (Instance Metadata)

$im.Compute.placementGroupId

Platform Fault Domain (Instance Metadata)

$im.Compute.platformFaultDomain

Platform Update Domain (Instance Metadata)

$im.Compute.platformUpdateDomain

IPv4 Private IP Address (Instance Metadata)

$im.network.interface.ipv4.ipAddress.privateIpAddress

IPv4 Public IP Address (Instance Metadata)

$im.network.interface.ipv4.ipAddress.publicIpAddress

IPv4 Subnet Address / Prefix (Instance Metadata)

$im.network.interface.ipv4.subnet.address

$im.network.interface.ipv4.subnet.prefix

IPv6 IP Address (Instance Metadata)

$im.network.interface.ipv6.ipAddress

MAC Address (Instance Metadata)

$im.network.interface.macAddress
