Sunday, February 12, 2017

Obscure Windows commands and features

My previous blog post has become quite popular crossing the 10,000 views mark in just a few days. Given such interest I decided to share a few more useful commands as well as some obscure tricks that I came across over the years.

hh.exe - HTML help

hh.exe has been part of Windows for a very long time. What makes it fun though is that it supports external URLs, so we can make calls like this:

hh http:\\    (notice the backslashes)

This made me curious - what is the user agent string for this "browser"? Running it on a Windows 7 machine:

hh http:\\

Let's just collectively exhale "Wow... IE7" ;)

But what about Windows 10 I hear you ask. There it is:

Same thing - IE7. Of course this is not the real IE7 - Trident/7.0 is a give away. This is IE 11 running in IE7 compatibility mode. But I still find it funny.

mshta.exe exhibits the same behavior except for the old style navigation bar. But I find the retro "IE6 style buttons" look way more amusing.

I mentioned another effect of HH in one of my earlier blog posts - even if you disable Adobe Flash player in your browsers, it will still be there (as demonstrated by opening a web page in HH).

"God mode"

You can create a directory with a specific GUID extension to enable the so-called God Mode. No, you won't get the BFG 9000. Instead, Windows will populate this directory with a LOT of tools and various management options - all in one spot. There will be nothing new that you haven't seen before - just an interesting way of presenting all of these tools in the same place.

To do this - just create a directory with this specific name ("GodMode" part can be anything but the GUID part is important)

md "GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

Yet another Recycling Bin?

In case one is not enough ;)

md YetAnotherRecycleBin.{645FF040-5081-101B-9F08-00AA002F954E}

Where-ever you create this directory, it will act as a Recycling Bin. It is the existing recycling bin - i.e. if you already had a few deleted files you would be able to see them in the "new" bin too.

View Reliability History

Buried deep inside, the reliability monitor allows you to have a quick look what happened to your system recently that may have a potential impact on system reliability.

To find it - just click Start -> Run -> and type "reliability"
Or you can choose a more convoluted path: go to Contol Panel -> System and Security -> Review your computer's status and resolve issues -> Maintenance

and then click on "View reliability history" (at the bottom of this picture)

This is probably something that you have never used before. And yet it certainly is a useful representation of what happened on this system recently.

Notepad Log

Did you know that notepad can append a date/time every time you open a document? In fact, this feature has been around for a long time but not that many people know about it.

Just create a new text document and put ".LOG" (without the quotation marks) at the top.

Now every time you open this file, you will see a new timestamp automatically added by the notepad.

Stored Credentials (aka Windows Vault)

Run this command:

control keymgr.dll

You will be able to see all currently stored credentials (and perhaps delete the unused or sensitive ones)

You can use a command line equivalent:

cmdkey /list

When was the computer rebooted last time?

Run this command:

net statistics server 

and check the "statistic since <date time>" line

Find which application will open files with a particular file extension

I know that usually people just search through the registry to get this information. But there is a simpler way to achieve this by using 2 commands. First, we can use the ASSOC command to find the current file association for a particular file extension. And then knowing the file association we can feed it into another command FTYPE to display which application handles this association. E.g. let's try to find out which application will open PDF files:

assoc | find "pdf"
ftype AcroExch.Document.2015

Find all CAs (certificate authorities) in your organisation (Active Directory)

certutil has rich functionality. Here I am going to show you how to find all certificate authorities in your organisation:

certutil -ADCA | find "dNSHostName"

Get a list of all domain controllers

nltest is another powerful utility with lots of useful options. E.g. this is how you can quickly find a list of all domain controllers:

nltest /DCLIST:YourOrgDomainName

How to wipe deleted data using the cipher utility?

I will quote this Microsoft KB article:

When you delete files or folders, the data is not initially removed from the hard disk. Instead, the space on the disk that was occupied by the deleted data is "deallocated." After it is deallocated, the space is available for use when new data is written to the disk. Until the space is overwritten, you can recover the deleted data by using a low-level disk editor or data-recovery software.
The built-in cipher utility can be used to wipe data from the deallocated space making it (almost) impossible to recover. Impossible in the general sense. But I said "almost" - because there are special forensic solutions that can potentially recover data that was overwritten even several times.

In order to clean C: drive, first of all quit all programs. Then run this command against any directory on the target (C:) drive - it doesn't matter which directory you choose. Note, it may take a significant amount of time to wipe large disks.

cipher /w:c:\test

Microsoft uses a multipass approach when overwriting data:

Microsoft’s cipher.exe, writes a pass of zeros, a pass of FFs, and a pass of random data, in compliance with DoD standard 5220.22-M. (US DoD, 1995)

I will stop here. Please let me know if you find posts like this one useful and/or informative. As usual, leave your feedback, comments, command examples etc at the bottom.


  1. Replies
    1. Thank you. I hope some people will find it useful. And for others it will just be some amusing things that they potentially haven't heard about before.