{"id":10195,"date":"2025-10-19T01:12:56","date_gmt":"2025-10-19T01:12:56","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=10195"},"modified":"2025-10-19T01:12:56","modified_gmt":"2025-10-19T01:12:56","slug":"1-little-known-secret-of-help-exe","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2025\/10\/19\/1-little-known-secret-of-help-exe\/","title":{"rendered":"1 little known secret of help.exe"},"content":{"rendered":"\n<p>When you run <em>help.exe<\/em> it prints out a lot of commands that it supports. Below is a snapshot from Windows 11:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">For more information on a specific command, type HELP command-name\nASSOC          Displays or modifies file extension associations.\nATTRIB         Displays or changes file attributes.\nBREAK          Sets or clears extended CTRL+C checking.\nBCDEDIT        Sets properties in boot database to control boot loading.\nCACLS          Displays or modifies access control lists (ACLs) of files.\nCALL           Calls one batch program from another.\nCD             Displays the name of or changes the current directory.\nCHCP           Displays or sets the active code page number.\nCHDIR          Displays the name of or changes the current directory.\nCHKDSK         Checks a disk and displays a status report.\nCHKNTFS        Displays or modifies the checking of disk at boot time.\nCLS            Clears the screen.\nCMD            Starts a new instance of the Windows command interpreter.\nCOLOR          Sets the default console foreground and background colors.\nCOMP           Compares the contents of two files or sets of files.\nCOMPACT        Displays or alters the compression of files on NTFS partitions.\nCONVERT        Converts FAT volumes to NTFS.  
You cannot convert the\n               current drive.\nCOPY           Copies one or more files to another location.\nDATE           Displays or sets the date.\nDEL            Deletes one or more files.\nDIR            Displays a list of files and subdirectories in a directory.\nDISKPART       Displays or configures Disk Partition properties.\nDOSKEY         Edits command lines, recalls Windows commands, and \n               creates macros.\nDRIVERQUERY    Displays current device driver status and properties.\nECHO           Displays messages, or turns command echoing on or off.\nENDLOCAL       Ends localization of environment changes in a batch file.\nERASE          Deletes one or more files.\nEXIT           Quits the CMD.EXE program (command interpreter).\nFC             Compares two files or sets of files, and displays the \n               differences between them.\nFIND           Searches for a text string in a file or files.\nFINDSTR        Searches for strings in files.\nFOR            Runs a specified command for each file in a set of files.\nFORMAT         Formats a disk for use with Windows.\nFSUTIL         Displays or configures the file system properties.\nFTYPE          Displays or modifies file types used in file extension \n               associations.\nGOTO           Directs the Windows command interpreter to a labeled line in \n               a batch program.\nGPRESULT       Displays Group Policy information for machine or user.\nHELP           Provides Help information for Windows commands.\nICACLS         Display, modify, backup, or restore ACLs for files and \n               directories.\nIF             Performs conditional processing in batch programs.\nLABEL          Creates, changes, or deletes the volume label of a disk.\nMD             Creates a directory.\nMKDIR          Creates a directory.\nMKLINK         Creates Symbolic Links and Hard Links\nMODE           Configures a system device.\nMORE           Displays output one screen at a 
time.\nMOVE           Moves one or more files from one directory to another \n               directory.\nOPENFILES      Displays files opened by remote users for a file share.\nPATH           Displays or sets a search path for executable files.\nPAUSE          Suspends processing of a batch file and displays a message.\nPOPD           Restores the previous value of the current directory saved by \n               PUSHD.\nPRINT          Prints a text file.\nPROMPT         Changes the Windows command prompt.\nPUSHD          Saves the current directory then changes it.\nRD             Removes a directory.\nRECOVER        Recovers readable information from a bad or defective disk.\nREM            Records comments (remarks) in batch files or CONFIG.SYS.\nREN            Renames a file or files.\nRENAME         Renames a file or files.\nREPLACE        Replaces files.\nRMDIR          Removes a directory.\nROBOCOPY       Advanced utility to copy files and directory trees\nSET            Displays, sets, or removes Windows environment variables.\nSETLOCAL       Begins localization of environment changes in a batch file.\nSC             Displays or configures services (background processes).\nSCHTASKS       Schedules commands and programs to run on a computer.\nSHIFT          Shifts the position of replaceable parameters in batch files.\nSHUTDOWN       Allows proper local or remote shutdown of machine.\nSORT           Sorts input.\nSTART          Starts a separate window to run a specified program or command.\nSUBST          Associates a path with a drive letter.\nSYSTEMINFO     Displays machine specific properties and configuration.\nTASKLIST       Displays all currently running tasks including services.\nTASKKILL       Kill or stop a running process or application.\nTIME           Displays or sets the system time.\nTITLE          Sets the window title for a CMD.EXE session.\nTREE           Graphically displays the directory structure of a drive or \n               path.\nTYPE 
          Displays the contents of a text file.\nVER            Displays the Windows version.\nVERIFY         Tells Windows whether to verify that your files are written\n               correctly to a disk.\nVOL            Displays a disk volume label and serial number.\nXCOPY          Copies files and directory trees.\nWMIC           Displays WMI information inside interactive command shell.\n\nFor more information on tools see the command-line reference in the online help.\n<\/pre>\n\n\n\n<p>When you run a <code>help &lt;command&gt;<\/code> command tho, the <em>help.exe<\/em> just executes the program associated with the command and appends <code>\/?<\/code> to it.<\/p>\n\n\n\n<p>As a result, you can save your payload into f.ex. <em>recover.exe<\/em> or <em>shutdown.exe<\/em> (or many others that are NOT interpreted commands) and run:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">help recover\nhelp shutdown<\/pre>\n\n\n\n<p>that will make the <em>help.exe<\/em> program execute these payloads via proxy.<\/p>\n\n\n\n<p>I have an impression I am not the first to point it out, but I couldn&#8217;t find references to previous research on this subject. If you know, please let me know so I can add kudos\/credits. Thank you!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When you run help.exe it prints out a lot of commands that it supports. Below is a snapshot from Windows 11: For more information on a specific command, type HELP command-name ASSOC Displays or modifies file extension associations. 
ATTRIB Displays &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2025\/10\/19\/1-little-known-secret-of-help-exe\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[126,56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10195"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=10195"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10195\/revisions"}],"predecessor-version":[{"id":10196,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10195\/revisions\/10196"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=10195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=10195"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=10195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}