Command Line Tips

Useful CMD.exe commands related to drivers, debugger configuration, memory dump generation, etc.

© CodeMachine Inc. | codemachine.com | @codemachineinc

Create a service entry for a kernel mode driver

sc create NAME type= kernel start= demand error= normal binPath= System32\Drivers\DRIVER.sys DisplayName= DESCRIPTION

Command line to connect WinDBG to COM1 of a virtual machine guest OS for kernel debugging

"windbg.exe" -Q -k "com:port=\\.\pipe\COM1,baud=115200,pipe,resets=0,reconnect"

Configure the system to generate complete kernel memory dump

wmic recoveros set DebugInfoType = 1

Enable the Administrator account and set up a password for that account

net user administrator password /active:YES

Command Line INF File Installation on Vista and later versions of Windows

%WINDIR%\system32\InfDefaultInstall.exe MyInfFile.inf

Backup the current boot loader entry to an entry named "Microsoft Windows [debugger disabled]"

bcdedit /copy {current} /d "Microsoft Windows [debugger disabled]"

Enable debugging in the current boot loader entry

bcdedit /debug {current} ON

Enable debugging over COM1 at 115200 baud in the current boot loader entry

bcdedit /dbgsettings serial debugport:1 baudrate:115200

Enable the registry entry for DbgPrint() output to appear in WinDBG

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter" /v DEFAULT /t REG_DWORD /d 0xffffffff
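The bcdedit and DbgPrint tips above are the steps of one procedure. The batch script below, which is an added example and not part of the original CodeMachine tip sheet, runs them as a single repeatable step: it copies the current boot entry to a "debugger disabled" fallback, captures the GUID of that new entry from bcdedit's output, switches debugging off on the fallback and on for the current entry, sets the COM1 transport, opens the DbgPrint filter, and then prints the resulting configuration so it can be checked before rebooting. It assumes an elevated CMD prompt; the fallback entry name is the one the tips use.

```batch
@echo off
REM Added example (not from the original CodeMachine tip sheet): configure the
REM current boot entry for kernel debugging over COM1 and keep a fallback entry
REM with debugging disabled. Must run from an elevated (Administrator) CMD.
setlocal EnableExtensions

REM 1. Copy the current entry. bcdedit prints
REM    "The entry was successfully copied to {GUID}." - capture the GUID
REM    between the braces so the fallback entry can be referenced later.
set "FALLBACK="
for /f "tokens=2 delims={}" %%G in ('bcdedit /copy {current} /d "Microsoft Windows [debugger disabled]"') do set "FALLBACK={%%G}"
if not defined FALLBACK (
    echo Failed to copy the current boot entry. Is this an elevated prompt?
    endlocal
    exit /b 1
)
echo Fallback entry created: %FALLBACK%

REM 2. Make sure the fallback entry really boots with the debugger off.
bcdedit /debug %FALLBACK% OFF >nul || goto :fail

REM 3. Enable kernel debugging on the current entry, serial over COM1 at 115200.
bcdedit /debug {current} ON >nul || goto :fail
bcdedit /dbgsettings serial debugport:1 baudrate:115200 >nul || goto :fail

REM 4. Let DbgPrint() output reach the debugger (all components, all levels).
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter" /v DEFAULT /t REG_DWORD /d 0xffffffff /f >nul || goto :fail

REM 5. Show the result so the change can be verified before rebooting.
echo.
bcdedit /enum {current}
bcdedit /dbgsettings
echo.
echo To revert: bcdedit /debug {current} OFF  (or boot the %FALLBACK% entry)
endlocal
exit /b 0

:fail
echo A configuration step failed; review the output above.
endlocal
exit /b 1
```

The GUID capture relies only on the braces around the identifier, so it still works when bcdedit's success message is localized. The fallback entry is what lets you get back into a system where the debugger never attaches (a boot with `debug ON` and no debugger on COM1 will still start, but the `[debugger disabled]` entry avoids the boot-time wait entirely).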

Configure the system to generate a user mode mini-dump with full memory information

The user-mode minidump file is written to %LOCALAPPDATA%\CrashDumps when an application crashes.

reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpType /t REG_DWORD /d 0x2

Configure the system to force a system crash from a PS/2 keyboard

The crash is triggered when the key combination "Ctrl + Scroll Lock + Scroll Lock" is detected from a PS/2 keyboard

reg add "HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters" /v CrashOnCtrlScroll /t REG_DWORD /d 0x1

Configure the system to force a system crash from a USB keyboard

The crash is triggered when the key combination "Ctrl + Scroll Lock + Scroll Lock" is detected from a USB keyboard

reg add "HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters" /v CrashOnCtrlScroll /t REG_DWORD /d 0x1

Allow Remote Desktop connections (RDP) to the local system

Also enables the firewall exception for RDP

wmic rdtoggle where ServerName="%COMPUTERNAME%" CALL SetAllowTSConnections 1, 1

Delete all existing system restore points across all drives

wmic shadowcopy delete

Disable System Restore (Volume Shadow Copy) on the system drive (typically C:)

wmic /namespace:\\root\default path SystemRestore call Disable %SystemDrive%

Allow loading drivers that are signed with a self-signed (test) certificate

bcdedit /set {current} testsigning on

Disable paging of kernel and device driver code pages

Required by Windows Performance Toolkit's stack-walk feature on X64 systems

reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v DisablePagingExecutive /t REG_DWORD /d 1 /f

Prevent windows from being automatically arranged when moved to the edge of the screen

reg add "HKCU\Control Panel\Desktop" /v WindowArrangementActive /t REG_SZ /d "0" /f

Retain kernel mode memory dumps unconditionally

reg add "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v AlwaysKeepMemoryDump /t REG_DWORD /d 0x1

Configure the system to bug-check (crash) upon receiving a non-maskable interrupt (NMI)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v NMICrashDump /t REG_DWORD /d 0x1

Share the directory "c:\shared" as "shared" and give all users on the system full access to it

net share Shared=c:\Shared /GRANT:Everyone,FULL

Enable RDP access for the current user

wmic rdpermissions where TerminalName="RDP-Tcp" CALL AddAccount "%USERNAME%",1
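Most tips on this page change machine-wide debugging, crash-dump, test-signing or remote-access settings that an engineer will want to confirm (and later undo) rather than take on trust. The batch script below is an added example, not part of the original CodeMachine tip sheet: it only reads the settings the tips above write (the bcdedit debug/testsigning flags, the wmic crash-dump type, each registry value, the RDP toggle and the share list) and prints their current state, so a test machine can be audited before it is reconfigured or before it goes back to normal duty. It assumes an elevated CMD prompt because bcdedit needs one; the `:show` helper and the "(not set)" wording are this example's own.

```batch
@echo off
REM Added example (not from the original CodeMachine tip sheet): read-only audit
REM of the debugging, crash-dump and remote-access settings covered on this page.
REM bcdedit needs an elevated prompt; the registry reads do not.
setlocal EnableExtensions

echo === Boot configuration (bcdedit) ===
bcdedit /enum {current} | findstr /i /c:"debug " /c:"testsigning"
if errorlevel 1 echo   debug: not set, testsigning: not set
bcdedit /dbgsettings

echo.
echo === Crash dump type (DebugInfoType: 0=none, 1=complete, 2=kernel, 3=small) ===
wmic recoveros get DebugInfoType /value | findstr "="

echo.
echo === Registry values written by the tips on this page ===
call :show "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter" DEFAULT
call :show "HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps" DumpType
call :show "HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters" CrashOnCtrlScroll
call :show "HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters" CrashOnCtrlScroll
call :show "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" DisablePagingExecutive
call :show "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" AlwaysKeepMemoryDump
call :show "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" NMICrashDump
call :show "HKCU\Control Panel\Desktop" WindowArrangementActive

echo.
echo === Remote access ===
wmic rdtoggle get AllowTSConnections /value | findstr "="
net share

endlocal
exit /b 0

REM :show "KEY" VALUENAME  - print "VALUENAME = data" or "(not set)".
REM reg query prints the value on a line of the form
REM     NAME    TYPE    DATA
REM so the third token of the line containing the value name is the data.
:show
set "DATA="
for /f "tokens=3" %%D in ('reg query %1 /v %2 2^>nul ^| findstr /i /c:"%~2"') do set "DATA=%%D"
if defined DATA (echo   %~2 = %DATA%) else (echo   %~2 = ^(not set^))
exit /b 0
```

Run it once on a freshly configured debug target and keep the output with the machine's notes; a second run before the machine is returned to normal use shows which of the weakened settings (test signing, kernel debugging, the Everyone/FULL share, RDP) are still in effect and need reverting.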