In Windows XP and Windows 2003 this was done via the command proxycfg.exe. You would simply set and unset the “Local Machine” proxy with the commands:

The old way to set the "Local Machine" proxy:

Proxycfg –p {proxy address:port} {bypass list}

Proxycfg -p "proxy.bohack.com:8180" "<local>;*.bohack.com"

The old way to unset it:

Proxycfg –d

It basically sets the registry value below, to the values you specify in with the proxycfg command.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings

So what happened to the “proxycfg.exe” command? Starting in Vista, Windows Server 2008 and Windows 7 you will no longer find the proxycfg command. It has now been replaced with the “netsh” command. This command can be used either interactively by tying “netsh” and navigating the tree of commands or used in a one line command sequence, like shown below.

The new way to set the "Local Machine" Proxy:

netsh winhttp set proxy {proxy address:port} {bypass list}

netsh winhttp set proxy "proxy.bohack.com:8180" "<local>;*.bohack.com"

The new way to unset it:

netsh winhttp reset proxy

Check the settings with:

netsh winhttp show proxy

The new commands change the same registry value above, the only thing that changed it the command to set and unset the Local Machine proxy. Theoretically you could export out the registry setting and import it onto another machine.

The icacls.exe command was introduced in Windows 2003 Service Pack 2. It now comes installed by default in Windows Vista, Windows Server 2008 (R2) and Windows 7. So administrators will need to learn this command sooner or later. Recently I found the tool to be very flexible and I extensively documented the options. I mapped the different command line options to the GUI, for the network admins that need the GUI to understand how to use the command line.

The first point that should be made about icacls.exe is that it defaults to edit mode. The original cacls command defaults to replace mode. Next are the commands:

/grant will grant user permissions or the add option in the GUI.
/remove will remove the user from the DACL and is equivalent to
 the remove option in the GUI.

Note: /remove:g will remove only grants for the user
      and /remove:d will remove only denys for the user.

/deny is equivalent to the deny column in the GUI
 and should always be used cautiously.
/setowner is a handy little command which allows you to change
 the ownership of a file or folder to another user;
 this is similar to the linux chown command.
/findsid which finds entries in a DACL for a specified SID or user.
/setintegritylevel is a bit out of the scope of this article
 and may be in a future article.

The icacls command also has an /inheritance command which performs the same function as un-checking the “Include inheritable permission from this object’s parent” in the GUI. This of course presents you with the question of how to proceed; copy the permissions or remove all existing permissions. So the command line you can specify:

/inheritance:e to enable same as a check box in the GUI.
/inheritance:d to disable and copy the permissions
 from the parent same as the GUI.
/inheritance:r to disable and remove the
 current permissions again same as the GUI.

The next thing to learn is how inheritance is propagated for permissions. When using either the /grant or /deny statement you will build the permissions as /grant {user}:{inheritance}{permissions} everything is encapsulated by parenthesis. The default in Windows when applying permissions in the GUI is “This folder, subfolders and files”, but to achieve the default at the command line you need to use /grant {user}: (OI)(CI){permissions} and the permissions should be encapsulated in parenthesis. The table below is to help you formulate your inheritance for permissions:

This folder only
This folder, subfolders and files (OI)(CI)
This folder and subfolders (CI)
This folder and files (OI)
Subfolders and files only (OI)(CI)(NP)(IO)
Subfolders only (CI)(IO)
Files only (OI)(IO)

The last thing to learn is the permissions. You can use macro permissions, which are also called simple permissions or you can use advanced permissions. The simple permissions are the permissions found in the first properties tab under security. The advanced permissions are when you select advanced and you get the full permissions list. So building on the permissions line from above; if we wanted to grant testuser on the folder test and apply modify permissions so all subfolders and files inherited the permissions. The line would be ‘icacls test /grant testuser:(OI)(CI)(M)’

Simple Permissions

Full Control (F)
Modify (M)
Read & Execute (RX)
List Folder Contents (X,RD,RA,REA,RC)
Read (R)
Write (W)

Advanced Permissions

Full Control (F)
Traverse folder / execute file (X)
List folder / read data (RD)
Read attributes (RA)
Read extended attributes (REA)
Create file / write data (WD)
Create folders / append data (AD)
Write attributes (WA)
Write extended attributes (WEA)
Delete subfolders and files (DC)
Delete (D)
Read permissions (RC)
Change permissions (WDAC)
Take ownership (WO)

When you master this command you will be able to do anything with permissions from the command line. Including understanding the SDDL or Security Descriptor Definition Language; which Microsoft uses to create group policy permissions.

Some things the GUI is great for like exploring a file structure. Many times you are browsing the GUI and realize you need to drop to a command prompt to start a task. Rather than clicking ‘Start’, then ‘Run’, typing ‘CMD enter’ and then changing directory, it would be nice to right click and drop to a CMD prompt from the Windows context menu.

I have been using this little crafted registry hack for years now. There are two needs for a command prompt one is right clicking on a file or other object and the other is right clicking on a folder. The ‘Command Prompt Anywhere.reg’ below takes care of both instances. The first part edits the default context menu so that the ‘CommandPrompt’ shows up for files and objects not defined as a folder. The second part edits the folder context menu so that ‘CommandPrompt’ shows for folders.

There is one limitation It will not work for network locations, this is a limitation of using the ‘cd’ command and can be changed using the ‘pushd’ command. The ‘pushd’ command will temporarily map the network location to the first drive letter available starting from ‘Z’ and working backwards in the alphabet. However if the ‘cd’ command in the scripts is replaced with ‘pushd’ you will need to keep the network mappings tidy, by using either a ‘net use z: /d’ or ‘popd’ before you exit the prompt.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell]

[HKEY_CLASSES_ROOT\*\shell\CommandPrompt]

[HKEY_CLASSES_ROOT\*\shell\CommandPrompt\Command]
@="cmd.exe /k cd \"%1/..\""

[HKEY_CLASSES_ROOT\Directory\shell]

[HKEY_CLASSES_ROOT\Directory\shell\CommandPrompt]

[HKEY_CLASSES_ROOT\Directory\shell\CommandPrompt\Command]
@="cmd.exe /k cd \"%1\""

To install just copy and paste it to a file called ‘Command Prompt Anywhere.reg’,  then double click it and answer ‘yes’ to the warning.