- Whenever a user runs a command in PowerShell, it is saved to a history file that keeps a record of past commands.
- If a user runs a command that includes a password directly on the PowerShell command line, it can later be retrieved by running the following command from a `cmd.exe` prompt.
- This command only works from `cmd.exe`, as PowerShell won't recognize `%userprofile%` as an environment variable.
- To read the file from PowerShell, you'd have to replace `%userprofile%` with `$Env:userprofile`.

```powershell
# cmd.exe
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

# PowerShell
type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```
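
To check a profile for this exposure, the following added example (not code from the original page) scans a history file and reports which lines look like they carry a credential, without printing the value. The function name `Find-HistorySecret`, the regex patterns and the sample history lines are assumptions constructed for illustration.

```powershell
# Added example: audit a PSReadLine history file for likely plaintext secrets.
function Find-HistorySecret {
    param(
        # Default is the history path shown above.
        [string]$Path = (Join-Path $Env:userprofile 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt')
    )
    # Illustrative patterns (assumptions, not an exhaustive list).
    $patterns = @(
        '-(password|passwd|pwd|secret|token|apikey)\b',   # secret-bearing parameter names
        'ConvertTo-SecureString\b.*-AsPlainText',          # plaintext converted inline
        '\bnet(\.exe)?\s+user\s+\S+\s+[^/\s]\S*'           # net user <name> <password>
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }

    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        foreach ($p in $patterns) {
            if ($line -match $p) {
                # Report the location and the leading token only, never the full line.
                [pscustomobject]@{
                    Line       = $lineNo
                    FirstToken = ($line.Trim() -split '\s+')[0]
                    Pattern    = $p
                }
                break   # one finding per history line is enough
            }
        }
    }
}

# Constructed sample history (not real data) so the example runs offline.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'ConsoleHost_history_sample.txt'
@(
    'Get-ChildItem C:\Temp'
    'net user svc_backup EXAMPLE-ONLY /add'
    '$c = ConvertTo-SecureString "EXAMPLE-ONLY" -AsPlainText -Force'
    'Get-Process'
) | Set-Content -LiteralPath $sample

Find-HistorySecret -Path $sample | Format-Table -AutoSize
Remove-Item -LiteralPath $sample
```

Lines it flags should be removed from the history file and the credentials rotated. `Set-PSReadLineOption -HistorySaveStyle SaveNothing` stops PSReadLine from writing history to disk for the session.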