Windows OS Details

Administrative Binaries

| Binary | Purpose |
| --- | --- |
| lusrmgr.msc | local users and group manager |
| services.msc | services control panel |
| taskmgr.exe | task manager |
| secpol.msc | local security policy editor |
| eventvwr.msc | event viewer |
| regedit.exe | registry editor |
| gpedit.msc | group policy editor |
| control.exe | control panel |
| ncpa.cpl | network connections manager |
| devmgmt.msc | device manager editor |
| diskmgmt.msc | disk manager editor |

Environment Variables

| Path | Purpose |
| --- | --- |
| %SYSTEMROOT% | Points to Windows folder (Commonly: C:\Windows) |
| %APPDATA% | Points to user roaming directory (Commonly: C:\Users\<Username>\AppData\Roaming) |
| %COMPUTERNAME% | The computer's hostname |
| %HOMEDRIVE% | Points to default OS drive (Commonly: C:\) |
| %HOMEPATH% | Points to user directory (Commonly: C:\Users\<Username>) |
| %PATH% | When a command is run without a full path (e.g. ipconfig), the OS searches every directory listed in the PATH env variable for this file |
| %PATHEXT% | When a command is run without an extension (e.g. ipconfig), the OS searches for file matches that include extensions from the PATHEXT list |
| %SYSTEMDRIVE% | Points to default OS drive (Commonly: C:\) |
| %TMP% && %TEMP% | Points to user temp folder (Commonly: C:\Users\<Username>\AppData\Local\Temp) |
| %USERPROFILE% | Points to user directories (Commonly: C:\Users\<Username>) |
| %WINDIR% | Points to Windows directory (Commonly: C:\Windows) |
| %ALLUSERSPROFILE% | Points to the all-users profile directory (Commonly: C:\ProgramData on Windows 10+) |
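The %PATH% and %PATHEXT% rows above describe how a bare command name is resolved. The following is an added example, not part of the original page, that models that lookup so you can audit which file a name such as ipconfig resolves to and which later matches it hides. The directory listing, the PATH and PATHEXT values and the function names are constructed for illustration, and the model covers only the PATH and PATHEXT search described above (directories in PATH order, extensions in PATHEXT order within each directory).

```python
import ntpath

def parse_list(value):
    """Split a semicolon-separated PATH or PATHEXT value, dropping empty entries."""
    return [item.strip() for item in value.split(";") if item.strip()]

def candidates(command, path_value, pathext_value, files):
    """Return every file that could satisfy `command`, in search order.

    files: dict mapping directory -> list of file names (constructed listing).
    Windows file names are case-insensitive, so names are compared lowercased.
    """
    hits = []
    has_ext = bool(ntpath.splitext(command)[1])
    # A name that already carries an extension is matched as typed.
    exts = [""] if has_ext else parse_list(pathext_value)
    for directory in parse_list(path_value):
        listing = {name.lower(): name for name in files.get(directory, [])}
        for ext in exts:
            wanted = (command + ext).lower()
            if wanted in listing:
                hits.append(ntpath.join(directory, listing[wanted]))
    return hits

def audit(command, path_value, pathext_value, files):
    """Return (winner, shadowed): the file that runs and the later matches it hides."""
    hits = candidates(command, path_value, pathext_value, files)
    return (hits[0], hits[1:]) if hits else (None, [])

# Constructed sample data, not taken from a real host.
SAMPLE_PATH = r"C:\Tools;C:\Windows\System32;C:\Windows"
SAMPLE_PATHEXT = ".COM;.EXE;.BAT;.CMD"
SAMPLE_FILES = {
    r"C:\Tools": ["ipconfig.bat", "notes.txt"],
    r"C:\Windows\System32": ["ipconfig.exe", "cmd.exe"],
    r"C:\Windows": ["notepad.exe"],
}

if __name__ == "__main__":
    for cmd in ("ipconfig", "ipconfig.exe", "notepad"):
        winner, shadowed = audit(cmd, SAMPLE_PATH, SAMPLE_PATHEXT, SAMPLE_FILES)
        print(f"{cmd!r}: runs {winner}; shadowed: {shadowed}")
```

A non-empty shadowed list for a system utility means an earlier PATH directory is answering for it, which is worth checking against that directory's write permissions.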

Key Files & Locations

| Path | Purpose |
| --- | --- |
| %SYSTEMROOT%\System32\drivers\etc\hosts | DNS Entries |
| %SYSTEMROOT%\System32\drivers\etc\networks | Network Settings |
| %SYSTEMROOT%\System32\config\SAM | User & password hashes |
| %SYSTEMROOT%\repair\SAM | Backup copy of SAM (WinXP) |
| %SYSTEMROOT%\System32\config\RegBack\SAM | Backup copy of SAM |
| %WINDIR%\System32\config\AppEvent.Evt | Application Log (WinXP) |
| %WINDIR%\System32\config\SecEvent.Evt | Security Log (WinXP) |
| %WINDIR%\System32\config\SECURITY | Security Log |
| %WINDIR%\System32\config\APPLICATION | Application Log |
| %ALLUSERSPROFILE%\Start Menu\Programs\Startup | Startup Log (WinXP) |
| %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup | Startup Folder (shell:startup) |
| %WINDIR%\Panther\ | Commonly used unattended install files |
| %WINDIR%\System32\Sysprep | Commonly used unattended install files |
| %WINDIR%\kb* | Installed patches (WinXP) |

Windows Structure

| Path | Description |
| --- | --- |
| \PerfLogs | Windows performance logs, but on a default config, it is empty |
| \Program Files | 32-bit arch: 16-bit and 32-bit programs are installed in this folder. 64-bit arch: 64-bit programs are installed in this folder |
| \Program Files (x86) | Appears on 64-bit editions of Windows. 32-bit and 16-bit programs are installed in this folder by default |
| \ProgramData | Contains program data that is expected to be accessed by applications system-wide. The organization of the files is at the discretion of the developer |
| \Users | Folder contains one subfolder for each user that has logged onto the system at least once. In addition: "Public" and "Default" (hidden), "Default User" (NTFS "Default" folder) and "All Users" (NTFS symbolic link to "C:\ProgramData") |
| \Users\Public | Folder serves as a buffer for users of a computer to share files. By default, this folder is accessible to all users that can log on to the computer. By default, this folder is shared over the network with a valid user account. This folder contains user-created data (typically empty) |
| %USER%\AppData | This folder stores per-user application data and settings. The folder contains three subfolders: Roaming, Local, and LocalLow. Data saved in Roaming synchronizes with roaming profiles to other computers when the user logs in. Local and LocalLow do not sync with networked computers |
| \Windows | Windows itself is installed into this folder |
| \Windows\System, \Windows\System32, \Windows\SysWOW64 | |
| \WinSxS | |
