Windows Enumeration Cheat Sheet 2025


1. Introduction

Windows enumeration is a cornerstone of ethical hacking and penetration testing, providing deep insights into the configuration, vulnerabilities, and potential attack surfaces of Windows systems. As organizations increasingly rely on Windows environments, understanding how to enumerate these systems is vital for both defenders and ethical hackers. This Windows Enumeration Cheat Sheet 2025 delivers a comprehensive, up-to-date guide for security professionals, red teamers, and IT administrators seeking to master enumeration techniques, tools, and best practices.

This article covers everything from basic system information gathering to advanced domain enumeration, with actionable commands, tool recommendations, and ethical considerations. Whether you're preparing for a penetration test, seeking to harden your infrastructure, or studying for a certification, this cheat sheet will serve as your essential reference.

2. What is Windows Enumeration?

Windows enumeration is the process of systematically gathering information about a Windows system or network. This includes details about users, groups, shares, services, installed applications, network configurations, and more. Enumeration is typically performed after initial access is gained, but it can also be part of a reconnaissance phase in ethical hacking.

The goal is to identify potential vulnerabilities, misconfigurations, and escalation paths that could be exploited by attackers. Effective enumeration is critical for understanding the security posture of a Windows environment.

3. Why is Windows Enumeration Important in Ethical Hacking?

Enumeration is a key phase in the MITRE ATT&CK framework and is essential for ethical hacking engagements. By enumerating Windows systems, ethical hackers can:

  • Identify privilege escalation opportunities
  • Discover sensitive data and misconfigured shares
  • Map out network topology and trust relationships
  • Assess security controls and patch levels
  • Simulate real-world attacker behavior for risk assessment

According to CISA, improper configuration and lack of visibility are among the top causes of security breaches in Windows environments. Enumeration helps uncover these weaknesses before malicious actors do. For a deeper dive into the latest techniques, see the Password Cracking Guide 2025: 5 Latest Techniques.

4. Preparing Your Enumeration Environment

4.1 Legal and Ethical Considerations

Ethical hacking must always be conducted within the boundaries of the law and with explicit authorization. Before performing any enumeration:

  • Obtain written permission from the system owner
  • Define the scope and rules of engagement
  • Comply with relevant laws and regulations (e.g., GDPR, ISO/IEC 27001)
  • Follow ethical guidelines from organizations like OffSec and ISACA

Unauthorized enumeration is illegal and unethical. Always act responsibly to protect privacy and data integrity. For practical advice on staying compliant, review Legal Password Testing: Stay Compliant in 2025.

4.2 Tools and Resources Overview

A variety of tools are available for Windows enumeration, including both built-in utilities and third-party applications. Key resources include:

  • Command Prompt and PowerShell
  • Sysinternals Suite (Microsoft Docs)
  • Third-party tools like enum4linux, WinPEAS, and PowerView
  • Automated scripts and frameworks (e.g., PowerSploit)

Ensure your environment is isolated (e.g., using virtual machines) and that you have backups before proceeding.

5. Basic Windows System Information Gathering

5.1 Systeminfo and Hostname

Start by collecting fundamental system details. The systeminfo command provides a comprehensive overview:

systeminfo

This reveals OS version, architecture, hotfixes, and more. To retrieve the hostname:

hostname

Alternatively, use:

echo %COMPUTERNAME%

5.2 Windows Version and Build

Identifying the exact Windows version and build is crucial for vulnerability assessment. Use:

ver
wmic os get Caption,CSDVersion,Version,BuildNumber

For PowerShell:

Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OsBuildNumber

5.3 User and Group Enumeration

Enumerate local users and groups to identify potential targets and privilege escalation paths:

net user
net localgroup
net localgroup Administrators
wmic useraccount get name,sid,status

For PowerShell:

Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember -Group "Administrators"

6. Network Enumeration Techniques

6.1 IP Configuration and Routing Table

Understanding network interfaces and routing is essential for lateral movement and network mapping:

ipconfig /all
route print

PowerShell alternative:

Get-NetIPAddress
Get-NetRoute

6.2 Firewall and Network Shares

Check firewall status and rules (the netsh firewall context is deprecated and only kept for older systems; netsh advfirewall is the current interface):

netsh advfirewall show allprofiles
netsh firewall show state
netsh firewall show config

Enumerate network shares:

net share
Get-SmbShare

For more on securing and auditing network shares, see NTLM Hash Cracking: Modern Techniques 2025.

6.3 Active Connections

List active network connections and listening ports:

netstat -ano
Get-NetTCPConnection
Get-NetUDPEndpoint

This helps identify running services and potential remote access points.

7. Service and Process Enumeration

7.1 Running Services

Enumerate all running and stopped services:

sc query
sc query type= service state= all
Get-Service

To get detailed service configuration:

sc qc [ServiceName]
Get-WmiObject win32_service | Select-Object Name, State, PathName, StartMode

7.2 Installed Applications and Software

List installed programs to identify vulnerable or outdated software:

wmic product get name,version
Get-WmiObject -Class Win32_Product | Select-Object Name, Version

For a more comprehensive list, and to avoid the side effect of querying Win32_Product (it triggers a consistency check of every installed MSI package, which is slow and can repair or reconfigure installations), check the registry:

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
reg query HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall

7.3 Scheduled Tasks

Enumerate scheduled tasks, which may reveal persistence mechanisms or sensitive scripts:

schtasks /query /fo LIST /v
Get-ScheduledTask | Select-Object TaskName, TaskPath, State

8. User Accounts and Privilege Enumeration

8.1 Local Users and Groups

Revisit user and group enumeration, this time with privilege analysis in mind:

net user
net localgroup
Get-LocalUser
Get-LocalGroup

8.2 Password Policy and Account Lockout

Review password policies to assess account security:

net accounts
Get-LocalUser | Select-Object Name, PasswordNeverExpires, PasswordRequired

Check account lockout policy:

net accounts
secedit /export /cfg C:\secpol.cfg
find "Lockout" C:\secpol.cfg

For best practices on password policy and testing, see Password Policy Best Practices 2025.
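The cheat sheet greps the secedit export for "Lockout"; as an added example (not code from the original post), the functions below parse the whole [System Access] section of that export and evaluate the password and lockout settings together. The function names and the thresholds are this example's assumptions, and the sample export is constructed.

```powershell
# Added example, not code from the original cheat sheet: instead of grepping the
# secedit export for "Lockout", parse its [System Access] section and evaluate
# the password and lockout settings together.

function ConvertFrom-SecPolSystemAccess {
    param([string[]]$Lines)
    # The export is INI-style: [Section] headers followed by Name = Value lines.
    $section = $null
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }
    return $settings
}

function Test-AccountPolicy {
    param([hashtable]$Settings)
    # Thresholds are this example's assumptions (a common hardening baseline),
    # not values stated in the cheat sheet; adjust them to your own policy.
    $findings = @()
    if ([int]$Settings['MinimumPasswordLength'] -lt 14) {
        $findings += "MinimumPasswordLength = $($Settings['MinimumPasswordLength']) (expected >= 14)"
    }
    if ($Settings['PasswordComplexity'] -ne '1') { $findings += 'PasswordComplexity is not enabled' }
    if ([int]$Settings['PasswordHistorySize'] -lt 24) {
        $findings += "PasswordHistorySize = $($Settings['PasswordHistorySize']) (expected >= 24)"
    }
    if ([int]$Settings['LockoutBadCount'] -eq 0) { $findings += 'LockoutBadCount = 0: accounts never lock out' }
    return $findings
}

# Constructed sample in the secedit export format (not from a real host). On a
# live system run secedit /export /cfg C:\secpol.cfg and pass Get-Content's output.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
'@ -split "`r?`n"

$policy = ConvertFrom-SecPolSystemAccess -Lines $sample
Test-AccountPolicy -Settings $policy
```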

8.3 Privilege Escalation Opportunities

Identify potential privilege escalation vectors:

  • Unquoted service paths (MITRE ATT&CK T1574.009)
  • Weak service permissions
  • AlwaysInstallElevated registry keys
  • DLL hijacking opportunities

Automated tools like WinPEAS and Seatbelt can help identify these issues.
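As an added audit example (not code from the original cheat sheet or from WinPEAS/Seatbelt), the script below checks a host for two of the misconfigurations listed above, unquoted service paths and AlwaysInstallElevated, so they can be remediated. The function names are this example's own, and the sample ImagePath values are constructed.

```powershell
# Added audit example, not code from the original cheat sheet: check a host for
# two of the misconfigurations listed above (unquoted service paths, T1574.009,
# and AlwaysInstallElevated) so they can be remediated.

function Test-UnquotedServicePath {
    param([string]$PathName)
    # Quoted or empty paths are safe. Otherwise isolate the executable part
    # (everything up to the first ".exe") and flag it only if THAT contains a
    # space; checking the whole line would over-report "svchost.exe -k netsvcs".
    if (-not $PathName -or $PathName.StartsWith('"')) { return $false }
    if ($PathName -match '^(?<exe>.+?\.exe)') { return ($Matches.exe -match ' ') }
    return $false
}

function Test-AlwaysInstallElevated {
    # Exploitable only when the policy value is 1 in BOTH HKLM and HKCU.
    $sub = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty -Path "HKLM:\$sub" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty -Path "HKCU:\$sub" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    return ($hklm -eq 1 -and $hkcu -eq 1)
}

# Constructed sample ImagePath values (not taken from a real host): the first two
# are unquoted with a space inside the executable's directory, the third is
# quoted, and the fourth's only space sits in its arguments.
$samples = @(
    'C:\Program Files\Vendor App\vendorsvc.exe',
    'C:\Program Files\Vendor App\vendorsvc.exe -service',
    '"C:\Program Files\Vendor App\vendorsvc.exe" -service',
    'C:\Windows\system32\svchost.exe -k netsvcs'
)
$samples | ForEach-Object { [pscustomobject]@{ Finding = (Test-UnquotedServicePath $_); ImagePath = $_ } }

# Live audit of this host: services with an unquoted path, then the installer policy.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    Select-Object Name, StartMode, StartName, PathName

"AlwaysInstallElevated set in both hives: $(Test-AlwaysInstallElevated)"
```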

9. File and Directory Enumeration

9.1 Sensitive Files and Common Locations

Look for sensitive files in common directories:

  • C:\Users\Public\
  • C:\Users\<username>\Documents\
  • C:\Windows\System32\config\
  • C:\ProgramData\

Use:

dir /s /b C:\*.txt
dir /s /b C:\*.xml
dir /s /b C:\*.config

9.2 Hidden and System Files

Reveal hidden and system files:

dir /a:h /s C:\
dir /a:s /s C:\

PowerShell alternative:

Get-ChildItem -Path C:\ -Hidden -Recurse -ErrorAction SilentlyContinue

9.3 Access Control Lists (ACLs)

Review file and directory permissions to identify weak ACLs:

icacls "C:\Path\To\FileOrFolder"
Get-Acl -Path "C:\Path\To\FileOrFolder"

10. Registry Enumeration

10.1 Registry Hives of Interest

Key registry hives for enumeration:

  • HKEY_LOCAL_MACHINE (HKLM)
  • HKEY_CURRENT_USER (HKCU)
  • HKEY_USERS (HKU)

Enumerate keys:

reg query HKLM
reg query HKCU

10.2 Stored Credentials

Check for stored credentials in the registry (the SECURITY hive is readable only by SYSTEM, so the first query returns access denied from a normal or merely elevated prompt):

reg query "HKLM\SECURITY\Policy\Secrets"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

Also review credential managers and password vaults.

10.3 Auto-Start Entries

Enumerate auto-start programs for persistence mechanisms:

reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
wmic startup get caption,command
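As an added example (not code from the original cheat sheet), the script below walks the HKLM and HKCU Run keys listed above, resolves each value to its executable and reports the binary's Authenticode status, so unsigned or missing auto-start entries stand out during a persistence review. The function names are this example's own, and the sample command lines are constructed.

```powershell
# Added example, not code from the original cheat sheet: walk the HKLM and HKCU
# Run keys listed above, resolve each value to its executable and report its
# Authenticode status, so unsigned or missing auto-start binaries stand out.

function Resolve-CommandExecutable {
    param([string]$Command)
    # Run values hold a command line: a quoted path, a bare path or a %VAR% path,
    # optionally followed by arguments. Return only the executable path.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.exe)') { return $Matches[1] }
    return $cmd
}

function Get-RunKeyEntry {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }   # provider bookkeeping, not Run values
            $exe = Resolve-CommandExecutable $p.Value
            $status = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                Key = $key; Name = $p.Name; Executable = $exe; Signature = $status; Command = $p.Value
            }
        }
    }
}

# Constructed command lines (not read from a real host) covering the three shapes
# the resolver handles.
'"C:\Program Files\Vendor\tray.exe" /minimized',
'C:\Tools\agent.exe -background',
'%ProgramFiles%\Vendor\updater.exe' | ForEach-Object { Resolve-CommandExecutable $_ }

# Live review: any entry that is not a present, validly signed binary deserves a look.
Get-RunKeyEntry | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```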

11. Network Share and SMB Enumeration

11.1 Identifying Shared Folders

List all shared folders:

net share
Get-SmbShare

From a remote system, use:

net view \\target_ip
smbclient -L //target_ip -N

11.2 Accessing and Enumerating Shares

Access shares:

net use \\target_ip\sharename
smbclient //target_ip/sharename -U username

Enumerate permissions and contents to identify sensitive data.

11.3 Null Sessions

Null sessions allow unauthenticated access to certain Windows resources. To test for null sessions:

net use \\target_ip\ipc$ "" /u:""
enum4linux -a target_ip

Note: Modern Windows systems restrict null sessions, but misconfigurations may still exist.

12. Domain Enumeration (if part of a Windows Domain)

12.1 Domain Users and Groups

Enumerate domain users and groups:

net user /domain
net group /domain
Get-ADUser -Filter *
Get-ADGroup -Filter *

These commands require appropriate privileges, and the Get-AD* cmdlets need the PowerShell Active Directory module (part of RSAT). For step-by-step details, see How to Extract Hashes (eg: NTLM, Kerberos) from Windows Systems.

12.2 Group Policy Objects (GPOs)

List and review GPOs for security settings and misconfigurations:

gpresult /R /Scope:User
gpresult /R /Scope:Computer
Get-GPO -All

GPOs can reveal password policies, login scripts, and more.

12.3 Trust Relationships

Identify domain trusts for lateral movement opportunities:

nltest /domain_trusts
Get-ADTrust -Filter *

Trust relationships can expand the attack surface across multiple domains.

13. Tools for Windows Enumeration

13.1 Built-in Windows Tools

  • net (user, group, share, view, accounts)
  • systeminfo
  • wmic
  • PowerShell cmdlets
  • sc (service control)
  • reg (registry queries)
  • tasklist, taskkill
  • ipconfig, route, netstat

13.2 Popular Third-Party Tools

13.3 Automated Enumeration Scripts

  • WinPEAS (privilege escalation checks)
  • PowerSploit (PowerShell exploitation framework)
  • PowerView (domain enumeration)
  • enum4linux-ng (SMB and RPC enumeration)

Automated scripts accelerate the enumeration process and help uncover subtle misconfigurations.

14. Tips, Tricks, and Common Pitfalls

  • Document everything: Keep detailed notes and screenshots for reporting and remediation.
  • Check permissions: Always verify your access level before running enumeration commands.
  • Be stealthy: Use non-intrusive methods to avoid detection by security tools.
  • Correlate findings: Combine data from multiple sources for a comprehensive view.
  • Watch for false positives: Not all findings are exploitable; validate before reporting.
  • Respect privacy: Do not access or disclose sensitive data unless authorized.

Common pitfalls include overlooking hidden files, misinterpreting permissions, and failing to review scheduled tasks or registry auto-start entries.

15. Frequently Asked Questions

  • Is Windows enumeration legal? Only with explicit authorization and within the defined scope of an engagement.
  • Can enumeration be detected? Yes, especially if using noisy tools. Use stealthy, built-in commands where possible.
  • What is the difference between enumeration and exploitation? Enumeration is information gathering; exploitation involves taking advantage of vulnerabilities.
  • Which tools are best for beginners? Start with built-in Windows tools and gradually explore third-party utilities like WinPEAS and PowerView.
  • How often should enumeration be performed? Regularly, as part of vulnerability assessments and after significant system changes.

16. References and Further Reading

17. Conclusion

Windows enumeration is a critical skill for ethical hackers, penetration testers, and security professionals. By mastering the techniques and tools outlined in this Windows Enumeration Cheat Sheet 2025, you can effectively identify vulnerabilities, assess risk, and help organizations strengthen their security posture. Always operate within legal and ethical boundaries, document your findings, and stay updated on the latest enumeration methods and defensive strategies. For further learning, consult the authoritative resources listed above and practice in safe, controlled environments.

Posted by Ethan Carter
Ethan Carter is a seasoned cybersecurity and SEO expert with more than 15 years in the field. He loves tackling tough digital problems and turning them into practical solutions. Outside of protecting online systems and improving search visibility, Ethan writes blog posts that break down tech topics to help readers feel more confident.