PowerShell commands

PowerShell Help

PowerShell Commandlets

List Processes

get-process [-Name string] 

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
   1504      69   113124     190068   496   725.77    696 chrome
    202      21    31500      29828   205     5.63   2096 chrome
    326      33    59024      80384   334    42.78   2396 chrome
    147       9     1412       4728    67     0.02   3740 chrome
    285      32    33040      57192   236     3.84   4192 chrome
    262      27    38300      54908   226     3.92   4340 chrome
    255      27    38636      51776   231     1.88   4440 chrome
    932      43    78888     122212   353   455.20   4924 chrome
    118       9     1372       4612    67     0.05   4932 chrome
    340      31    56320      77620   324    84.39   5328 chrome
    212      24    76552      75492   254     7.47   5480 chrome
    184      19    35456      12896   180     0.08   6564 chrome
     29       4     1516       2416    16     0.00   5980 cmd
     66       7     1120       6072    57     0.05    312 conhost
     64       7     1884       7632    59     0.00   2776 conhost
    221      11     1728       3588    45     0.25    548 csrss
    272      16     1976      34740    74    41.19    600 csrss
    198      14     2020      26964    72     2.16   3820 csrss
    112       7     1228       4948    54     0.02   3832 dllhost
   5285    9600   182316     176228   224     2.13   1328 dns
    192      27    61500     100852   193   212.72    908 dwm
    207      23    26132      65752   160     9.25   3748 dwm
   1343      70    50880     109020   584    65.73    536 explorer
   1281      83    39888      93832   505     9.11   3596 explorer
      0       0        0          4     0               0 Idle
    216      15     6996      10104   104     0.06   1360 IpOverUsbSvc
   1084      22     7640      14748    48     2.44    656 lsass
    663      47    63736      34980   781 5,100.67   3376 mmc
    164      12     2120       6672    41     0.00   3992 msdtc
    486      23    79640      82436   629     0.31   4104 powershell
    269      12     2448       9912    91     0.48   3256 rdpclip
    212       9     2788       5760    20     0.75    648 services
     55       2      276        992     4     0.02    420 smss
    381      20     3516       9508    72     0.06   1280 spoolsv
    106       9     1424       5600    38     0.00   1580 sqlwriter
    387      23     7196      12712    89     0.47     92 svchost
    434      14     4756      11392    42     0.69    772 svchost
    676      34     9608      18520  1375    28.50    784 svchost
    388      15     5032       8588    35    61.77    800 svchost
    638      19    21752      24268    73     2.48    916 svchost
   1855     159    32088      48860   190 3,718.88    944 svchost
    360      33     9216      10796    53     0.16   1148 svchost
    111      10     1140       4440    21     0.02   1256 svchost
    352      17     6012      13200    89     0.11   1308 svchost
    372      24    11604      13836  1110     1.08   1624 svchost
    563      27    11396      17708   140    29.97   1952 svchost
    857       0      116       2420     7   659.94      4 System
    210      19     4360      10288   473     0.34    448 taskhostex
    165      11     1748       7012    87     0.02   4172 taskhostex
    693      46    37596      55260   781   376.05   3616 vmconnect
    943      49   172112     170920   887    37.36   5676 vmconnect
    968      48   164424     165472   867    21.00   6180 vmconnect
    797      31    49808      40660   157   852.97   1692 vmms
    649      60    33416      45708   209 ...84.42    460 vmwp
    645      60    28136      41352   191 1,147.11   4052 vmwp
     85       8      920       3644    40     0.02    608 wininit
    158       8     1456       6356    52     0.13    724 winlogon
    152       7     1292       5292    49     0.05   3824 winlogon
    233      14     5320      11268    73     0.19    868 WmiPrvSE
    146      11     2456       7392    34     0.06   1164 WmiPrvSE

get-process -name chrome
 
Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
   1500      69   113044     190028   494   725.78    696 chrome
    202      21    31500      29828   205     5.63   2096 chrome
    326      31    58676      80264   328    42.78   2396 chrome
    147       9     1412       4728    67     0.02   3740 chrome
    285      32    33040      57224   236     3.88   4192 chrome
    262      27    38300      54908   226     3.92   4340 chrome
    255      27    38636      51776   231     1.88   4440 chrome
    932      43    78888     122212   353   455.20   4924 chrome
    118       9     1372       4612    67     0.05   4932 chrome
    340      31    56320      77616   324    84.39   5328 chrome
    212      24    76552      75492   254     7.47   5480 chrome
    184      19    35456      12896   180     0.08   6564 chrome
    

List Services

PS1> get-service [-Name string]

Search Directory

The get-childitem commandlet lists or searches the directory structure. The -recurse option tells get-childitem to search all subdirectories as well. In the following example we search the entire C:\ drive for files larger than 500MB and write that information to a file called "bigfilelist.txt".
get-childitem c:\ -recurse | where-object {$_.length -gt 500MB} > bigfilelist.txt 

Unix like tail command

The get-content commandlet with the -wait option can act as a sort of Unix tail command: it reads the contents of the file but keeps it open, waiting for new data to be written. This is useful when monitoring log files. In the first example below, we list the entire contents of myfile.log and wait for any new entries to be written. In the second example, we list the contents of myfile.log looking for the word "WARNING" and then keep the log file open for new content. The third example is much the same as the second, but rather than using the where/-match statement we use the select-string commandlet instead.

In example 4, the command returns the last twenty lines of the log file. When the select-string command is appended at the end, select-string only parses the content of those last 20 lines. The -Head option is like -Tail but acts at the beginning of the file rather than the end.

ex1. PS1> Get-content myfile.log -Wait
ex2. PS1> get-content myfile.log -Wait |where {$_ -match "WARNING"}
ex3. PS1> get-content myfile.log -wait |select-string "fail"
ex4. PS1> get-content -path myfile.log -Tail 20

Unix like grep command

In the Unix like tail command section above we used the where/-match command to look for specific words. This is similar to the Unix grep command. In the first example we look for all lines that have an open bracket "[" at the beginning of the line; any line that does not begin with an open bracket is ignored. In the second example, we read the contents of a file and look for every line that does not include the word LISTENING.
ex1.
PS1> get-content .\tmuninst.ptn |where {$_ -match "^\[" }

ex2.
PS1> get-content .\netstat-na.txt |where {$_ -notmatch "LISTENING"}
 
Active Connections
 
  Proto  Local Address          Foreign Address        State
  TCP    10.38.72.22:445        10.53.37.205:51658     ESTABLISHED
  TCP    10.38.72.22:3389       10.53.37.205:51666     ESTABLISHED
  TCP    10.38.72.22:8080       10.1.41.94:53569       ESTABLISHED
  TCP    10.38.72.22:8080       10.1.41.94:53570       ESTABLISHED
  TCP    10.38.72.22:8080       10.1.44.114:58696      ESTABLISHED
  TCP    10.38.72.22:8080       10.1.53.37:53577       ESTABLISHED
  TCP    10.38.72.22:8080       10.1.58.219:60948      TIME_WAIT
  TCP    10.38.72.22:8080       10.1.70.159:65018      TIME_WAIT

Unix like wordcount

In Unix we have a couple of ways to get a line count, or a count of the lines that contain a word: the wc -l and grep -c commands. In PowerShell we have a commandlet that does very much the same thing, measure-object.
PS1> get-content .\netstat-connections.txt | measure-object

Count    : 1299
Average  :
Sum      :
Maximum  :
Minimum  :
Property :
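The grep and wordcount sections above both work on raw netstat text. The following is an added example, not part of the original notes, that parses that same "netstat -na" output into objects so the counting can be done per state and per remote host; the sample lines are constructed inline (taken from the output above plus one UDP row) so it runs without a live capture.

```powershell
# Added example (not from the original notes): parse "netstat -na" output into
# objects, then count connections per state and per remote host.
# Constructed sample input; a real run would use: netstat -na | ConvertFrom-NetstatLine
$netstatText = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.38.72.22:445        10.53.37.205:51658     ESTABLISHED
  TCP    10.38.72.22:3389       10.53.37.205:51666     ESTABLISHED
  TCP    10.38.72.22:8080       10.1.41.94:53569       ESTABLISHED
  TCP    10.38.72.22:8080       10.1.41.94:53570       ESTABLISHED
  TCP    10.38.72.22:8080       10.1.58.219:60948      TIME_WAIT
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:123            *:*
'@

function ConvertFrom-NetstatLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # Only TCP/UDP rows matter; the header and blank lines are dropped.
        $fields = $Line.Trim() -split '\s+'
        if ($fields[0] -notin @('TCP', 'UDP')) { return }
        $local  = $fields[1]
        $remote = $fields[2]
        # Split "host:port" at the last colon so IPv6 literals like [::]:135 survive.
        $li = $local.LastIndexOf(':')
        $ri = $remote.LastIndexOf(':')
        [pscustomobject]@{
            Proto      = $fields[0]
            LocalAddr  = $local.Substring(0, $li)
            LocalPort  = [int]$local.Substring($li + 1)
            RemoteAddr = $remote.Substring(0, $ri)
            RemotePort = $remote.Substring($ri + 1)   # "*" for UDP rows
            State      = if ($fields.Count -ge 4) { $fields[3] } else { '' }
        }
    }
}

$conns = $netstatText -split "`r?`n" | ConvertFrom-NetstatLine

# PowerShell equivalent of "grep -v LISTENING | wc -l" from the notes above.
($conns | Where-Object { $_.State -ne 'LISTENING' } | Measure-Object).Count

# Count by state, then rank remote hosts with established sessions, which is
# the question you actually ask when reviewing who talks to 445, 3389 or 8080.
$conns | Group-Object State | Select-Object Name, Count
$conns | Where-Object { $_.State -eq 'ESTABLISHED' } |
    Group-Object RemoteAddr | Sort-Object Count -Descending |
    Select-Object Name, Count
```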

Unix like find command

This Unix like find command is more like a recursive directory listing with a grep command at the end. Either way you look at it, the same function is performed. In this case we use get-childitem to recursively list all the files and directories from the current location and then use the where/-match command to keep only what we are looking for.
get-childitem . -recurse | where {$_ -match "\.docx"}
It is sometimes necessary to compare the contents of two different files. In the example below, I am comparing the output of a Windows registry dump taken before and after encryption was enabled on one of our registry keys.
compare-object $(get-content Encrypted.reg) $(get-content Decrypted.reg)

Import-CSV

Up until this point I was using PowerShell to mimic what I already knew how to do in Unix/Linux. From this point forward, these are PowerShell commands that go beyond just emulating what I already know how to do elsewhere. I include them here because I find them useful in my daily administration activities.

The Import-Csv commandlet assumes a comma separated values file that contains a header row. This header row is used to create an attribute for each column. I find this very useful. In the example given, the CSV contains three rows: host1, host2, and host3; and two columns: Host and IP Addr. When you import the CSV file into the variable $csv, it has two attributes, Host and IP Addr. You may access those attributes directly as seen in the example below. I copied and modified this example from somewhere on the web but I don't remember where I got it from.

# Assuming a CSV as such:
# Host, IP Addr
# host1, IP1
# host2, IP2
# host3, IP3

$csv = Import-Csv C:\users\Administrator\Desktop\test.csv

# This retrieves all data from the datafile

# If we want to evaluate one cell at a time (line by line), we just pass it to a ForEach-Object.
# We identify our search with the $csv.Host which means only the column 'Host' evaluated.

$csv.Host | ForEach-Object {
    # This will print out what is in the current buffer ($_).
    # You may use this to act on the contents of the buffer for further processing.
    $_
}

# So if this works, we should have the following
# host1
# host2
# host3
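As an added example that is not part of the original notes, the same host/IP CSV is built inline with ConvertFrom-Csv so it runs without a file, and both columns are used: the "IP Addr" header contains a space, so that column is reached as $_.'IP Addr'. The function name and the validation rules are my own; the sample rows are constructed.

```powershell
# Added example (not from the original notes): validate a host inventory CSV.
# Constructed sample; with a real file this would be:
#   $csv = Import-Csv C:\path\to\hosts.csv
# Note that Import-Csv does not trim header names, so "Host, IP Addr" with a
# space after the comma would give a property named " IP Addr".
$csvText = @'
Host,IP Addr
host1,10.38.72.22
host2,10.53.37.205
host3,10.1.41.999
host4,10.53.37.205
'@
$csv = $csvText | ConvertFrom-Csv

function Test-HostInventory {
    param([Parameter(Mandatory)][object[]]$Rows)
    $seen = @{}
    foreach ($row in $Rows) {
        # Column name with a space: quote it after the dot.
        $ip = $row.'IP Addr'.Trim()
        $parsed = $null
        # TryParse alone accepts short forms such as "10.1", so also require
        # four dotted groups; TryParse then rejects octets above 255.
        $valid = ($ip -match '^(\d{1,3}\.){3}\d{1,3}$') -and
                 [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)
        $dup = $seen.ContainsKey($ip)
        if (-not $dup) { $seen[$ip] = $row.Host }
        [pscustomobject]@{
            Host        = $row.Host
            IPAddr      = $ip
            ValidIP     = $valid
            DuplicateOf = if ($dup) { $seen[$ip] } else { $null }
        }
    }
}

# Full report, then only the rows that need attention
# (host3 has an invalid address, host4 repeats host2's address).
Test-HostInventory -Rows $csv | Format-Table -AutoSize
Test-HostInventory -Rows $csv | Where-Object { -not $_.ValidIP -or $_.DuplicateOf }
```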

Get-EventLog

There are times when we want to evaluate a Windows event log. For this we use the get-eventlog commandlet. In the examples given below, we list the available Windows event logs and then search the application event log for error messages. In the first example we just list the available event logs that we may query. Note that in the second example, where we search for errors, we are only grabbing the newest 100 log entries before checking those 100 entries for an error message.
Ex1.
PS1> get-eventlog -list
 
  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
 102,400      0 OverwriteAsNeeded     127,754 Application
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
  10,240      0 OverwriteAsNeeded         113 Lenovo-Customer Feedback
     512      7 OverwriteOlder              0 Lenovo-Lenovo Patch Utility/Admin
     512      7 OverwriteOlder          1,715 Lenovo-Message Center Plus/Admin
   8,192      0 OverwriteAsNeeded           0 Media Center
     128      0 OverwriteAsNeeded       2,187 OAlerts
 102,400      0 OverwriteAsNeeded      66,821 Security
 102,400      0 OverwriteAsNeeded     308,133 System
  15,360      0 OverwriteAsNeeded       1,652 Windows PowerShell

Ex2.
PS1> get-eventlog application -newest 100 |where {$_.EntryType -match "Error"} |format-list


Index              : 133505
EntryType          : Error
InstanceId         : 3011
Message            : Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD
                     in the Data section contains the error code.
Category           : (0)
CategoryNumber     : 0
ReplacementStrings : {WmiApRpl, WmiApRpl, 8, F20300004D070000}
Source             : Microsoft-Windows-LoadPerf
TimeGenerated      : 12/4/2017 1:01:08 PM
TimeWritten        : 12/4/2017 1:01:08 PM
UserName           : NT AUTHORITY\SYSTEM

Index              : 133504
EntryType          : Error
InstanceId         : 3012
Message            : The performance strings in the Performance registry value is corrupted when process Performance ex
                     tension counter provider. The BaseIndex value from the Performance registry is the first DWORD in
                     the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is
                      the third DWORD in the Data section.
Category           : (0)
CategoryNumber     : 0
ReplacementStrings : {Performance, 16, 37070000000000000000000009030000}
Source             : Microsoft-Windows-LoadPerf
TimeGenerated      : 12/4/2017 1:01:08 PM
TimeWritten        : 12/4/2017 1:01:08 PM
UserName           : NT AUTHORITY\SYSTEM

Index              : 133500
EntryType          : Error
InstanceId         : 3011
Message            : Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD
                     in the Data section contains the error code.
Category           : (0)
CategoryNumber     : 0
ReplacementStrings : {WmiApRpl, WmiApRpl, 8, F20300004D070000}
Source             : Microsoft-Windows-LoadPerf
TimeGenerated      : 12/4/2017 12:05:00 PM
TimeWritten        : 12/4/2017 12:05:00 PM
UserName           : NT AUTHORITY\SYSTEM

Index              : 133499
EntryType          : Error
InstanceId         : 3012
Message            : The performance strings in the Performance registry value is corrupted when process Performance ex
                     tension counter provider. The BaseIndex value from the Performance registry is the first DWORD in
                     the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is
                      the third DWORD in the Data section.
Category           : (0)
CategoryNumber     : 0
ReplacementStrings : {Performance, 16, 37070000000000000000000009030000}
Source             : Microsoft-Windows-LoadPerf
TimeGenerated      : 12/4/2017 12:05:00 PM
TimeWritten        : 12/4/2017 12:05:00 PM
UserName           : NT AUTHORITY\SYSTEM
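Building on Ex2, here is an added example (not from the original notes) that takes the newest N entries of a log, counts errors and warnings per Source, and lists the error messages matching a pattern on one line each. -Newest is applied before the filter, exactly as in Ex2, so the filter only ever sees those N entries. The function name, the default pattern and the 80-character truncation are my choices; Get-EventLog itself exists in Windows PowerShell 5.1 but not in PowerShell 7, where Get-WinEvent replaces it.

```powershell
# Added example (not from the original notes): summarise recent event log
# errors/warnings by source and extract the error messages matching a pattern.
function Get-RecentErrorSummary {
    param(
        [string]$LogName = 'Application',
        [int]$Newest     = 100,
        [string]$Pattern = 'performance counter'   # assumed default; change as needed
    )
    # Newest N entries first; everything below works on this fixed set.
    $entries = Get-EventLog -LogName $LogName -Newest $Newest

    # The "grep -c" per source: how many Error/Warning entries each source wrote.
    $summary = $entries |
        Where-Object { $_.EntryType -in @('Error', 'Warning') } |
        Group-Object Source, EntryType |
        Sort-Object Count -Descending |
        Select-Object Count, Name

    # Errors whose Message matches the pattern, collapsed to one line and
    # truncated so the table stays readable. ($Matches is an automatic
    # variable in PowerShell, so the result is deliberately not named that.)
    $hits = $entries |
        Where-Object { $_.EntryType -eq 'Error' -and $_.Message -match $Pattern } |
        Select-Object TimeGenerated, Source, InstanceId,
            @{ Name = 'Message'; Expression = {
                $m = $_.Message -replace '\s+', ' '
                if ($m.Length -gt 80) { $m.Substring(0, 80) + '...' } else { $m }
            } }

    [pscustomobject]@{ Summary = $summary; Hits = $hits }
}

$result = Get-RecentErrorSummary -LogName Application -Newest 100
$result.Summary | Format-Table -AutoSize
$result.Hits    | Format-Table -AutoSize
```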

Get registry information

There are two basic ways to read the registry: Get-ChildItem, which is not very efficient, or the more useful Get-ItemProperty. The second command gives you more useful information.

PS C:\Users\Administrator> Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.'



ClientConsoleZipTimeStamp                 : 20190330014434
CCSFTimeStamp                             : 20190330014056
CCSFPTNTimeStamp                          : 20190603144405
DoSynchronize                             : 0
UpdateOngoing                             : 0
TmListenInitDone                          : 1
AVRegisteredWithWsc                       : 0
ASRegisteredWithWsc                       : 0
FWRegisteredWithWsc                       : 0
DelayLoadTMCCSF                           : 0
DelayLoadAEGIS                            : 0
ReloadingTime                             : 0
PostUninstDone                            : 1
VDIController01_Status                    : 0
ECSP                                      : 1
WSCLastReportStatus                       : 0
Uldrv                                     : 0
Running                                   : 1
NTRtScanInitDone                          : 1
UADuplicationOptValue                     : 64
ConfirmUninstall                          : 0
CanGetIssuerFromBlob                      : 1
TMEBC-Ver                                 : 1.5.1037
CheckServerByHTTP                         : 0
ExcludeDCFiles                            : 1
DirectCheck                               : 0
EngineMin                                 : 11.000.1006
BkFileKeepDay                             : 7
NonSynProxySetting                        : 0
FqdnFirstOnOff                            : 0
EngineZipVer                              : 11.000.1006
ProgramVer                                : 14.0
ProductName                               : Trend Micro OfficeScan
BuildNum                                  : 1101
NoPwdProtect                              : 0
NoProgramUpgrade                          : 0
NoEngineUpgrade                           : 0
AllowMobile                               : 0
DiskReserved                              : 60
RemoveCTA                                 : 0
AllowStopScheduleScan                     : 0
AllowDelayScheduleScan                    : 0
AllowUpdateNow                            : 1
AllowUpdateFromTMAU                       : 1
Allow Uninstall                           : 0
MailScanPageOnOff                         : 0
ToolPageOnOff                             : 1
Pop3TrapOnOff                             : 1
RunPop3Trap                               : 0
OutlookScanOnOff                          : 1
ProxySettingOnOff                         : 1
FlowDiagnosis                             : 0
Updating                                  : 0
DomainType                                : 0
ReferenceHosts                            :
RefHostsChkTimeout                        : 3
PingServerScheduleInterval                : 3600
PingServerCheckMode                       : 0
RefHostsEnable                            : 0
RefHostsChkMode                           : 1
CookieScanner                             : 0
LogCookie                                 : 0
EnableAssessment                          : 0
AssessmentUntil                           : 1561957200
EnableAutoStopScheduleScan                : 0
ScheduleScanLimitMinutes                  : 60
wslimit_l                                 : 10000000
wslimit_r                                 : 10000000
wslimit_m                                 : 5000000
wsperiod_l                                : 30000
wsperiod_r                                : 30000
wsperiod_m                                : 30000
Update_Agent_Direct_Update                : 1
EnableEventLog                            : 0
EnableOPPMutexLog                         : 0
EventLogForPatternUpdate                  : 0
Critical2                                 : !CRYPTEX!377D8DE0B3B921CAD9AC1D9F55CCE4A2B7D6C202FA980BBD9B115AA52A65699387
                                            03B19E73588CEEA5474EEF67ECFCEE
Critical1                                 : !CRYPTEX!9D118E0B7F4955651CE69E27AFB9DAB2A7CA36E9686E43364679EEC138E01DD3A3
                                            383B7632D18A91DC32DF24ECC33DAF
HeartbeatFrequency                        : 10
PollingFrequency                          : 60
UnreachableNetworkScopeCount              : 0
ShowMailScan                              : 1
AllowConfigNotification                   : 0
EnableScheduleScanWarning                 : 0
EnableVirEmailWarning                     : 1
AllowPromptRebootForCleanup               : 1
GlobalHeartbeat                           : 0
LaunchBelowUsage                          : 20
LaunchMustContinueBelow                   : 15
LaunchCheckUsageFrequency                 : 2
LaunchCheckTimeout                        : 180
DelaySelfProtect                          : 1
DelayCheckFile                            : 1
DelayLoadFirewall                         : 1
DelayLoadDlp                              : 1
GCLCacheEnable                            : 1
GCLCacheRebuildDays                       : 28
OdscEnable                                : 1
OdscCriteriaDays                          : 60
OdscMaxExpiredDays                        : 30
DelayLoadGCLCacheEnable                   : 0
HotfixProgramFailLogTry                   : 3
DisplayPFWTab                             : 1
Security                                  : 1
RCS                                       : 101
IsLocked                                  : 1
AllowEditLogMaintenanceSetting            : 1
EnforceAUupdateURL                        : 0
DisableSIDName                            : 0
MinDuplicateVirusAlertInterval            : 0
AegisBMDriverVer                          : 2.98.1162
AegisBMServiceVer                         : 2.98.1165
AegisPEPtnVer                             : 1.249.00
AegisWLPtnVer                             : 1.725.00
AegisBMPtnVer                             : 1.235.00
AegisTDPtnVer                             : 1.945.64
AegisTTPtnVer                             : 1.307.64
AegisTMMSTPtnVer                          : 0.013.64
VsapiSMVPtnVer                            : 152300
AllowClnUpdNonPatternFromTMAU             : 1
UseVirusAlertSeverity                     : 0
HighRiskVirusType                         : Worm,Trojan
EnableCentralWhitelist                    : 1
CentralWhitelistExpCheckPeriod            : 240
EnableRTSHealthCheck                      : 0
RTSHealthCheckFrequencyInMin              : 15
IntensiveScanThreshold                    : 0
EnableTMEBC                               : 1
AddTmListenServiceDependencies            : 0
WSCReportChanged                          : 0
NoSleepInScheduleScan                     : 0
NoSleepInManualScan                       : 0
NoSleepInRemoteScan                       : 0
ForceEnumerateIPV4                        : 0
EnableMeerkatWLCheckRCL                   : 0
CensusQueryServerName                     : osce14-en-census.trendmicro.com
CensusQueryBackupServerName               : osce14bak-en-census.trendmicro.com
CensusQueryToken                          : !CRYPT!313C7CD8367CB5AEA2847E9847411C1C998D713AEE4FEB220741B67667F
NFCServer                                 : osce14-en.gfrbridge.trendmicro.com
NFCPort                                   : 80
NFCSSLPort                                : 443
AcCodeTmufe                               : TREOSCE14\0TRE\0
EnableELAM                                : 1
CCCASendLogPeriod                         : 0
EnableSampleSubmission                    : 0
SampleSubmissionDirectUploadFileExtension :
FAPopupAlert                              : 0
TrendxAlert                               : 1
EnableAegisActivityMonitor                : 1
ResetScanExceptionFrequency               : 300
PretouchControl                           : 0
UseAzureStorage                           : 0
ClientUIDisplayMode                       : 0
Wait_7Z_In_Update                         : 0
EnableDeviceControlUSBBlockingLog         : 0
DumpEnableExceptionHelper                 : 1
DumpMinimumFreeSpaceInMB                  : 1024
DumpMaximumFiles                          : 4
DumpEnableFullDump                        : 1
ReportDebugInfo                           : 0
GetConnectableIPMethod                    : 0
RealTimeScanSkippingFilePopupNotification : 0
MsiSignCheckExclusionList                 : VS80sp1-KB949009-X86-INTL.msp|
EnableProcessDeferScan                    : 0
EnableMoveNATClient                       : 0
MoveNATClientDomainPrefix                 : #moveto_
ShellExtensionOnOff                       : 0
HideNonThreatAlertsBehindFullScreen       : 1
CheckSuspectSize                          : 0
MaxSuspectSize                            : 500
SuspectExpiredDays                        : 7
SkipFWLevelLog                            : 0
EnableRealTimeScanPass                    : 0
TmlistenCheckLogInterval                  : 60
EnableUWFComponentRollback                : 0
USBScanExclusionOnInsertionList           :
RmvTmTDIForWinServer                      : 4294967295
RefEnableLocalConnected                   : 0
SendLogRetryTimes                         : 6
ProtectionReportFrequency                 : 0
EnableSPSRelay                            : 0
UmhPattern                                : 283028
DrePattern                                : 17002
BepPtnVer                                 : 751555
SalPtnVer                                 : 16841300
ElamPtnVer                                : 25
FalconPtnVer                              : 102600
ATSEPtnVer                                : 117000
ATSETrxLocalModelWLVer                    : 111900
ATSETrxLocalModelVer                      : 8
RoleSvc                                   : !CRYPTEX!67D7FF5BCCFA76D66DB884C70F7ABC07
UA_Use_HTTP                               : 1
ASICA                                     : 1
PollingModuleUpdateInterval               : 600
OverwriteDLPPtnByHotfix                   : 0
SpywareSendLogPeriod                      : 0
DLPDDSendLogPeriod                        : 0
TmListen_Ver                              : 14.0.1037
DreEngineVer                              : 1.9.1044
UMHEngineVer                              : 2.7.1013
XHLDREngVer                               : 1.100.1060
FalconEngVer                              : 1.7.1023
ATSEEngVer                                : 11.000.1006
ClientUpgradeStatus                       : 0
ExcludeExchangeStore                      : 1
PatternTooOld                             : 0
EnabledIPProtocols                        : 3
UpdateAgent                               : 0
ServerID                                  : 973419b6-54ea-488d-91a5-e8c2e3e13c21
IsServerInTheSameMachine                  : 0
TSCPatternVer                             : 1604
TSCVAPatternVer                           : 0
TSCRegDCTVer                              : 0
TSCCustDCTVer                             : 0
TSC-Ver                                   : 7.5.1126
CCSFInitDone                              : 1
TMFBE-Ver                                 : 2.58.1004
SystemModel                               : 3
IntelliTrapFolders                        : C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache|
Synchronize                               : 0
InternalBloomFilterPatternVer             : 1949201800
NonCrcPatternDate                         : 20191011
InternalNonCrcPatternVer                  : 1542100
DefaultExt                                : "",ACCDB,ACE,AMG,ARJ,BAT,BIN,BOO,BOX,BZ2,CAB,CDR,CDT,CHM,CLA,CLASS,COM,CPT,
                                            CSC,DLL,DOC,DOCM,DOCX,DOT,DOTM,DOTX,DRV,DVB,DWG,DWT,EML,EPOC,EXE,GMS,GZ,HLP
                                            ,HTA,HTM,HTML,HTT,INI,JAR,JPEG,JPG,JS,JSE,JTD,JTT,LNK,LZH,MDB,MPD,MPP,MPT,M
                                            SG,MSI,MSO,MST,NWS,OBD,OCX,OFT,OVL,PDF,PHP,PIF,PL,PM,POT,POTM,POTX,PPAM,PPS
                                            ,PPSM,PPSX,PPT,PPTM,PPTX,PRC,QPW,RAR,REG,RTF,SCR,SHS,SHW,SIS,SIT,SWF,SYS,TA
                                            R,VBE,VBS,VSD,VSS,VST,VXD,WMF,WML,WPD,WPT,WSF,XLA,XLAM,XLS,XLSB,XLSM,XLSX,X
                                            LT,XLTM,XLTX,XML,Z,ZIP,{*,
WhitelistPatternCache                     : 29a4fa1f72fff2d9fd8693e859e90d2450902c5af95c402315401b32f9852596f883236e72d
                                            a2698
ROOTKIT-Ver                               : 8.20.1020
PatternDate                               : 20190829
VsApiNT-Ver                               : 11.000.1006
TmFilter-Ver                              : 11.0.1006
TmPreFlt-Ver                              : 11.000.1006
PatternVer                                : 0
PatternVer1                               : 0
InternalPatternVer                        : 0
NonCrcPatternVer                          : 421
IntelliTrapBlackList                      : 251
IntelliTrapWhiteList                      : 651
InternalIntelliTrapWhiteList              : 165100
InternalIntelliTrapBlackList              : 25100
SSAPITMASSAPatternVer                     : 0
SSAPIPatternVer                           : 2223
SSAPIPatternDate                          : 20191009
VSAPIRegCPRVer                            : 0
SSAPI-Ver                                 : 6.2.4015
StartUpApplyOpp                           : 0
DelayLoadThreadStart                      : 2019-09-24-15:06:31
TMUFE-Ver                                 : 3.91.1018
NCIE_CNP_ptnVer                           : 11020100
NCIE_RR_ptnVer                            : 11051300
NCIEDriverVer                             :
TDI-Ver                                   : 0.0.0
OUSTimeStamp                              : 20190913054221
DelayLoadThreadHitCriteria                : 39
LastScannedFileName                       : C:\Windows\SoftwareDistribution\Download\c3ec3a71e304ffc44da00e3a1d8d354e\p
                                            ackage_851_for_kb4519998~31bf3856ad364e35~amd64~~10.0.1.9.cat
TotalScanned                              : 178597401
LastScanTime                              : 1570817891

PS C:\Users\Administrator> (Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.').ProductName
Trend Micro OfficeScan
PS C:\Users\Administrator> (Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.').ProgramVer
14.0
PS C:\Users\Administrator>

Get file version information

There are times when you may want to know what version of a file you are running, for example to decide whether you need to run an update. We can do this with get-item and its .versioninfo attribute.
(get-item "C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe").versioninfo
(get-item "C:\Program Files (x86)\Trend Micro\OfficeScan Client\Tmlistenshare_64x.dll").versioninfo

ProductVersion   FileVersion      FileName
--------------   -----------      --------
12.0             12.0.0.6034      C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe
12.0             12.0.0.6034      C:\Program Files (x86)\Trend Micro\OfficeScan Client\Tmlistenshare_64x.dll
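The registry and file-version lookups above answer "what version is this" but not "is it current". The following added example (not from the original notes) combines the two into a compliance check against a minimum version, using the registry key and TmListen.exe path shown above. The function name and the minimum versions are placeholders; Get-ItemProperty, Get-Item and [version] are standard.

```powershell
# Added example (not from the original notes): compare the agent version found
# in the registry and in the executable against a minimum acceptable version.
function Test-AgentVersion {
    param(
        [string]$RegPath = 'HKLM:\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.',
        [string]$ExePath = 'C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe',
        [version]$MinProgramVer = '14.0',       # placeholder minimum
        [version]$MinFileVer    = '14.0.0.0'    # placeholder minimum
    )
    $result = [ordered]@{
        RegistryFound = $false; ProgramVer  = $null; ProgramOk = $false
        FileFound     = $false; FileVersion = $null; FileOk    = $false
        Error         = $null
    }

    # Registry side. -ErrorAction Stop turns a missing key into a catchable
    # error instead of a red message and a $null that would pass silently.
    try {
        $props = Get-ItemProperty -Path $RegPath -ErrorAction Stop
        $result.RegistryFound = $true
        # [version] compares numerically: 14.0 -ge 9.10 is true, whereas a string
        # comparison would put "14.0" before "9.10".
        $result.ProgramVer = [version]$props.ProgramVer
        $result.ProgramOk  = $result.ProgramVer -ge $MinProgramVer
    } catch {
        $result.Error = $_.Exception.Message
    }

    # File side. VersionInfo.FileVersion is a string and may carry a build tag
    # after the digits, so strip anything from the first non-digit, non-dot on.
    if (Test-Path -LiteralPath $ExePath) {
        $result.FileFound = $true
        $fv = (Get-Item -LiteralPath $ExePath).VersionInfo.FileVersion
        $result.FileVersion = [version]($fv -replace '[^\d.].*$', '')
        $result.FileOk = $result.FileVersion -ge $MinFileVer
    }

    [pscustomobject]$result
}

# Both flags must be true for the host to count as compliant.
$check = Test-AgentVersion
$check | Format-List
if (-not ($check.ProgramOk -and $check.FileOk)) { Write-Warning 'Agent below minimum version or not found.' }
```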
You may also use Windows WMI to test whether an application is installed and what version of the application is installed. In Ex1, I use get-wmiobject and search for "VMware Tools" to see if it is installed and what version is installed.
Ex1.
PS1 > get-wmiobject -class win32_product | where {$_ -match "VMware Tools"}

IdentifyingNumber : {203A1A10-9CC9-4253-8975-44C76A0C9C7B}
Name              : VMware Tools
Vendor            : VMware, Inc.
Version           : 9.10.0.2476743
Caption           : VMware Tools

Windows feature command

In Ex1, I select which attributes I want displayed. One command writes the output to standard out, the other writes it to a comma separated values file. In Ex2, I list the Windows features, but only the ones that are already installed. Finally, in Ex3, I query the Windows features by name and by Installed state, then export that information to a CSV file with export-csv filename. Using the get-content command we see the comma separated file contents.
Ex1. 
PS1 > get-windowsfeature | select displayname, name
PS1 > get-windowsfeature | select name | export-csv {filename.csv} -verbose

Ex2.
PS1 >  Get-WindowsFeature |where installed

Display Name                                            Name                       Install State
------------                                            ----                       -------------
[X] File and Storage Services                           FileAndStorage-Services        Installed
    [X] Storage Services                                Storage-Services               Installed
[X] Web Server (IIS)                                    Web-Server                     Installed
    [X] Web Server                                      Web-WebServer                  Installed
        [X] Common HTTP Features                        Web-Common-Http                Installed
            [X] Default Document                        Web-Default-Doc                Installed
            [X] Directory Browsing                      Web-Dir-Browsing               Installed
            [X] HTTP Errors                             Web-Http-Errors                Installed
            [X] Static Content                          Web-Static-Content             Installed
            [X] HTTP Redirection                        Web-Http-Redirect              Installed
            [X] WebDAV Publishing                       Web-DAV-Publishing             Installed
        [X] Health and Diagnostics                      Web-Health                     Installed
            [X] HTTP Logging                            Web-Http-Logging               Installed
            [X] Custom Logging                          Web-Custom-Logging             Installed
            [X] Logging Tools                           Web-Log-Libraries              Installed
        [X] Performance                                 Web-Performance                Installed
            [X] Static Content Compression              Web-Stat-Compression           Installed
        [X] Security                                    Web-Security                   Installed
            [X] Request Filtering                       Web-Filtering                  Installed
            [X] Basic Authentication                    Web-Basic-Auth                 Installed
            [X] Windows Authentication                  Web-Windows-Auth               Installed
        [X] Application Development                     Web-App-Dev                    Installed
            [X] .NET Extensibility 3.5                  Web-Net-Ext                    Installed
            [X] .NET Extensibility 4.6                  Web-Net-Ext45                  Installed
            [X] ASP                                     Web-ASP                        Installed
            [X] ASP.NET 3.5                             Web-Asp-Net                    Installed
            [X] ASP.NET 4.6                             Web-Asp-Net45                  Installed
            [X] CGI                                     Web-CGI                        Installed
            [X] ISAPI Extensions                        Web-ISAPI-Ext                  Installed
            [X] ISAPI Filters                           Web-ISAPI-Filter               Installed
            [X] Server Side Includes                    Web-Includes                   Installed
    [X] Management Tools                                Web-Mgmt-Tools                 Installed
        [X] IIS Management Console                      Web-Mgmt-Console               Installed
        [X] IIS 6 Management Compatibility              Web-Mgmt-Compat                Installed
            [X] IIS 6 Metabase Compatibility            Web-Metabase                   Installed
            [X] IIS 6 Management Console                Web-Lgcy-Mgmt-Console          Installed
            [X] IIS 6 Scripting Tools                   Web-Lgcy-Scripting             Installed
            [X] IIS 6 WMI Compatibility                 Web-WMI                        Installed
        [X] IIS Management Scripts and Tools            Web-Scripting-Tools            Installed
[X] .NET Framework 3.5 Features                         NET-Framework-Features         Installed
    [X] .NET Framework 3.5 (includes .NET 2.0 and 3.0)  NET-Framework-Core             Installed
[X] .NET Framework 4.6 Features                         NET-Framework-45-Fea...        Installed
    [X] .NET Framework 4.6                              NET-Framework-45-Core          Installed
    [X] ASP.NET 4.6                                     NET-Framework-45-ASPNET        Installed
    [X] WCF Services                                    NET-WCF-Services45             Installed
        [X] HTTP Activation                             NET-WCF-HTTP-Activat...        Installed
        [X] Message Queuing (MSMQ) Activation           NET-WCF-MSMQ-Activat...        Installed
        [X] Named Pipe Activation                       NET-WCF-Pipe-Activat...        Installed
        [X] TCP Activation                              NET-WCF-TCP-Activati...        Installed
        [X] TCP Port Sharing                            NET-WCF-TCP-PortShar...        Installed
[X] Message Queuing                                     MSMQ                           Installed
    [X] Message Queuing Services                        MSMQ-Services                  Installed
        [X] Message Queuing Server                      MSMQ-Server                    Installed
[X] SMB 1.0/CIFS File Sharing Support                   FS-SMB1                        Installed
[X] Windows Defender Features                           Windows-Defender-Fea...        Installed
    [X] Windows Defender                                Windows-Defender               Installed
    [X] GUI for Windows Defender                        Windows-Defender-Gui           Installed
[X] Windows PowerShell                                  PowerShellRoot                 Installed
    [X] Windows PowerShell 5.1                          PowerShell                     Installed
    [X] Windows PowerShell 2.0 Engine                   PowerShell-V2                  Installed
    [X] Windows PowerShell ISE                          PowerShell-ISE                 Installed
[X] Windows Process Activation Service                  WAS                            Installed
    [X] Process Model                                   WAS-Process-Model              Installed
    [X] Configuration APIs                              WAS-Config-APIs                Installed
[X] WoW64 Support                                       WoW64-Support                  Installed

Ex3. 
PS1 > Get-WindowsFeature |select Name, Installed |Export-Csv test.csv -verbose
VERBOSE: Performing the operation "Export-Csv" on target "test.csv".
PS1 > Get-Content test.csv
#TYPE Selected.Microsoft.Windows.ServerManager.Commands.Feature
"Name","Installed"
"AD-Certificate","False"
"ADCS-Cert-Authority","False"
"ADCS-Enroll-Web-Pol","False"
"ADCS-Enroll-Web-Svc","False"
"ADCS-Web-Enrollment","False"
"ADCS-Device-Enrollment","False"
"ADCS-Online-Cert","False"
"AD-Domain-Services","False"
"ADFS-Federation","False"
"ADLDS","False"
"ADRMS","False"
"ADRMS-Server","False"
"ADRMS-Identity","False"
"DeviceHealthAttestationService","False"
"DHCP","False"
"DNS","False"
"Fax","False"
"FileAndStorage-Services","True"
"File-Services","False"
"FS-FileServer","False"
"FS-BranchCache","False"
"FS-Data-Deduplication","False"
"FS-DFS-Namespace","False"
"FS-DFS-Replication","False"
"FS-Resource-Manager","False"
"FS-VSS-Agent","False"
"FS-iSCSITarget-Server","False"
"iSCSITarget-VSS-VDS","False"
"FS-NFS-Service","False"
"FS-SyncShareService","False"
"Storage-Services","True"
"HostGuardianServiceRole","False"
"Hyper-V","False"
"MultiPointServerRole","False"
"NPAS","False"
"Print-Services","False"
"Print-Server","False"
"Print-Scan-Server","False"
"Print-Internet","False"
"Print-LPD-Service","False"
"RemoteAccess","False"
"DirectAccess-VPN","False"
"Routing","False"
"Web-Application-Proxy","False"
"Remote-Desktop-Services","False"
"RDS-Connection-Broker","False"
"RDS-Gateway","False"
"RDS-Licensing","False"
"RDS-RD-Server","False"
"RDS-Virtualization","False"
"RDS-Web-Access","False"
"VolumeActivation","False"
"Web-Server","True"
"Web-WebServer","True"
"Web-Common-Http","True"
"Web-Default-Doc","True"
"Web-Dir-Browsing","True"
"Web-Http-Errors","True"
"Web-Static-Content","True"
"Web-Http-Redirect","True"
"Web-DAV-Publishing","True"
"Web-Health","True"
"Web-Http-Logging","True"
"Web-Custom-Logging","True"
"Web-Log-Libraries","True"
"Web-ODBC-Logging","False"
"Web-Request-Monitor","False"
"Web-Http-Tracing","False"
"Web-Performance","True"
"Web-Stat-Compression","True"
"Web-Dyn-Compression","False"
"Web-Security","True"
"Web-Filtering","True"
"Web-Basic-Auth","True"
"Web-CertProvider","False"
"Web-Client-Auth","False"
"Web-Digest-Auth","False"
"Web-Cert-Auth","False"
"Web-IP-Security","False"
"Web-Url-Auth","False"
"Web-Windows-Auth","True"
"Web-App-Dev","True"
"Web-Net-Ext","True"
"Web-Net-Ext45","True"
"Web-AppInit","False"
"Web-ASP","True"
"Web-Asp-Net","True"
"Web-Asp-Net45","True"
"Web-CGI","True"
"Web-ISAPI-Ext","True"
"Web-ISAPI-Filter","True"
"Web-Includes","True"
"Web-WebSockets","False"
"Web-Ftp-Server","False"
"Web-Ftp-Service","False"
"Web-Ftp-Ext","False"
"Web-Mgmt-Tools","True"
"Web-Mgmt-Console","True"
"Web-Mgmt-Compat","True"
"Web-Metabase","True"
"Web-Lgcy-Mgmt-Console","True"
"Web-Lgcy-Scripting","True"
"Web-WMI","True"
"Web-Scripting-Tools","True"
"Web-Mgmt-Service","False"
"WDS","False"
"WDS-Deployment","False"
"WDS-Transport","False"
"ServerEssentialsRole","False"
"UpdateServices","False"
"UpdateServices-WidDB","False"
"UpdateServices-Services","False"
"UpdateServices-DB","False"
"NET-Framework-Features","True"
"NET-Framework-Core","True"
"NET-HTTP-Activation","False"
"NET-Non-HTTP-Activ","False"
"NET-Framework-45-Features","True"
"NET-Framework-45-Core","True"
"NET-Framework-45-ASPNET","True"
"NET-WCF-Services45","True"
"NET-WCF-HTTP-Activation45","True"
"NET-WCF-MSMQ-Activation45","True"
"NET-WCF-Pipe-Activation45","True"
"NET-WCF-TCP-Activation45","True"
"NET-WCF-TCP-PortSharing45","True"
"BITS","False"
"BITS-IIS-Ext","False"
"BITS-Compact-Server","False"
"BitLocker","False"
"BitLocker-NetworkUnlock","False"
"BranchCache","False"
"NFS-Client","False"
"Containers","False"
"Data-Center-Bridging","False"
"Direct-Play","False"
"EnhancedStorage","False"
"Failover-Clustering","False"
"GPMC","False"
"DiskIo-QoS","False"
"Web-WHC","False"
"Internet-Print-Client","False"
"IPAM","False"
"ISNS","False"
"LPR-Port-Monitor","False"
"ManagementOdata","False"
"Server-Media-Foundation","False"
"MSMQ","True"
"MSMQ-Services","True"
"MSMQ-Server","True"
"MSMQ-Directory","False"
"MSMQ-HTTP-Support","False"
"MSMQ-Triggers","False"
"MSMQ-Multicasting","False"
"MSMQ-Routing","False"
"MSMQ-DCOM","False"
"Multipath-IO","False"
"MultiPoint-Connector","False"
"MultiPoint-Connector-Services","False"
"MultiPoint-Tools","False"
"NLB","False"
"PNRP","False"
"qWave","False"
"CMAK","False"
"Remote-Assistance","False"
"RDC","False"
"RSAT","False"
"RSAT-Feature-Tools","False"
"RSAT-SMTP","False"
"RSAT-Feature-Tools-BitLocker","False"
"RSAT-Feature-Tools-BitLocker-RemoteAdminTool","False"
"RSAT-Feature-Tools-BitLocker-BdeAducExt","False"
"RSAT-Bits-Server","False"
"RSAT-DataCenterBridging-LLDP-Tools","False"
"RSAT-Clustering","False"
"RSAT-Clustering-Mgmt","False"
"RSAT-Clustering-PowerShell","False"
"RSAT-Clustering-AutomationServer","False"
"RSAT-Clustering-CmdInterface","False"
"IPAM-Client-Feature","False"
"RSAT-NLB","False"
"RSAT-Shielded-VM-Tools","False"
"RSAT-SNMP","False"
"RSAT-Storage-Replica","False"
"RSAT-WINS","False"
"RSAT-Role-Tools","False"
"RSAT-AD-Tools","False"
"RSAT-AD-PowerShell","False"
"RSAT-ADDS","False"
"RSAT-AD-AdminCenter","False"
"RSAT-ADDS-Tools","False"
"RSAT-ADLDS","False"
"RSAT-Hyper-V-Tools","False"
"Hyper-V-Tools","False"
"Hyper-V-PowerShell","False"
"RSAT-RDS-Tools","False"
"RSAT-RDS-Gateway","False"

Add Windows feature

Why did I go through all the trouble of showing you how to export Windows features as a CSV file? Because you can then use that file to enable additional features in the Windows operating system with the add-windowsfeature command. Simply edit the CSV file down to just the features you want to enable and then run the following example.
PS1 > Import-Csv {filename.csv} | foreach {add-windowsfeature $_.Name}
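A fuller version of that step, as an added example that is not the page's own script: it reads the CSV produced in Ex3 above, keeps only the rows marked Installed = True (so one server's feature set can be reproduced on another host), skips features that are already present, and only previews with -WhatIf unless -Apply is given. The file name test.csv and the -Apply switch are assumptions.

```powershell
# Added example (not from the original page): enable the features recorded by
# "Get-WindowsFeature | select Name, Installed | Export-Csv test.csv".
# Assumes test.csv is in the current directory.
param(
    [string]$CsvPath = ".\test.csv",
    [switch]$Apply      # without -Apply the script only reports what it would add
)

# Keep only rows whose Installed column is "True" (Export-Csv writes booleans as strings)
$wanted = Import-Csv $CsvPath |
          Where-Object { $_.Installed -eq 'True' } |
          Select-Object -ExpandProperty Name

# Compare against what this host already has so only the missing ones are added
$present = Get-WindowsFeature | Where-Object Installed | Select-Object -ExpandProperty Name
$missing = @($wanted | Where-Object { $present -notcontains $_ })

if ($missing.Count -eq 0) { Write-Host "Nothing to add."; return }

Write-Host "Features to add:`n  $($missing -join "`n  ")"

# Add-WindowsFeature accepts an array of names; -WhatIf previews, -Apply installs
if ($Apply) {
    $result = Add-WindowsFeature -Name $missing
    $result | Select-Object Success, RestartNeeded, ExitCode, FeatureResult
} else {
    Add-WindowsFeature -Name $missing -WhatIf
}
```

Review the edited CSV before applying it: the export above marks FS-SMB1 and Web-DAV-Publishing as installed, and those are legacy features you would not normally want to re-enable on a freshly built server.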

Start-process

The start-process command is used to start or execute a program. Sometimes this may be done simply by entering the command at the PowerShell prompt, such as taskmgr, but you may also use start-process to open a file in Word from the command line, or even to start a new file manager window at the current location. Some of my most used shortcuts are listed below.

Configure system region/locale

To read the operating system's current region or culture, use the get-winsystemlocale PowerShell commandlet. For the United States that is generally en-us. To set the culture/locale, use set-winsystemlocale. The graphic below illustrates setting and viewing the current system locale.

Configure keyboard

Likewise, we can review the system keyboard with the get-winsystemlanguagelist commandlet and set it with set-winsystemlanguagelist -languagelist en-us for a standard US 101 keyboard. Before Windows 8.x the PowerShell commandlet does not appear to work. The fallback method then becomes the control panel plug-in: execute intl.cpl from the command line to get the Region and Language control panel plug-in. After setting the language (the region should be changed too), log off and log on again.

IIS web server

The IIS service may need to be stopped, started, or restarted at various times. Fortunately there is a command just for that purpose, iisreset, which can be run from the PowerShell prompt. It has three options: /stop, /start, and /restart.
PS C:\Users\Administrator> iisreset /stop

Attempting stop...
Internet services successfully stopped

PS C:\Users\Administrator> iisreset /start

Attempting start...
Internet services successfully started

PS C:\Users\Administrator> iisreset /restart

Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted
PS C:\Users\Administrator>

Cleanup IIS logs

IIS does not prune its own logs, so you will need to create a scheduled task to remove old log files from the IIS logs directory. By default, the IIS logs directory is on the root partition of the system disk; if that disk fills up with log files you may have an OS failure. Below is a sample script that I created to remove all files older than 30 days from the IIS log directory. It may be modified for other purposes, such as the virus quarantine directory.

The script looks for the location of the Apex One (OfficeScan) web server logfile directory; this is performed in the function fngetOSCE_IISLogs. Next we set the FileAge; I chose 30 days. We set our AnchorDate to today minus FileAge, so everything older than 30 days. Finally we remove the files. Note that the first remove-item command uses the -whatif option: this does not delete anything but tells you which files would be deleted if run without -whatif. I include it for testing purposes. Remove the "#" comment marker from the last line to execute the actual remove operation.
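Since the script itself is not reproduced on this page, the following is an added example written to the description above; it is not the author's script. It does not include the fngetOSCE_IISLogs lookup; instead the log directory is a -LogDir parameter whose default is the standard IIS location C:\inetpub\logs\LogFiles, and it deletes nothing unless -Delete is given, so the -whatif dry run described above is the default behaviour.

```powershell
# Added example (not the author's script): remove IIS log files older than
# $FileAge days. The Apex One (OfficeScan) path lookup from the page is not
# reproduced; pass the directory with -LogDir. The default is the IIS default.
param(
    [string]$LogDir  = 'C:\inetpub\logs\LogFiles',
    [int]   $FileAge = 30,
    [switch]$Delete          # default is a dry run (-WhatIf)
)

if (-not (Test-Path -LiteralPath $LogDir -PathType Container)) {
    throw "Log directory not found: $LogDir"
}

# Everything last written before this date is considered old
$AnchorDate = (Get-Date).AddDays(-$FileAge)

# IIS writes one .log per site per day under W3SVC<n> subfolders; restrict to *.log
# so nothing else that happens to live under the directory is touched
$old = @(Get-ChildItem -LiteralPath $LogDir -Recurse -File -Filter '*.log' |
         Where-Object { $_.LastWriteTime -lt $AnchorDate })

$sizeMB = 0
if ($old.Count -gt 0) { $sizeMB = ($old | Measure-Object Length -Sum).Sum / 1MB }
"{0} file(s) older than {1} days ({2:N1} MB)" -f $old.Count, $FileAge, $sizeMB

if ($Delete) {
    $old | Remove-Item -Force
} else {
    # Dry run: lists what would be removed and deletes nothing
    $old | Remove-Item -WhatIf
}
```

Keep in mind that the IIS logs are often the only record of who requested what from a server. If you rely on them for incident response, copy them to an archive location before the scheduled task removes them, or set FileAge to match your retention policy rather than disk space alone.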

Make a simple web request

Sometimes you just need to test your web server to make sure it is running and serving data. There is a command for that as well: invoke-webrequest.

PS C:\inetpub\wwwroot\Commands> invoke-webrequest -usebasicparsing "https://www.geen.co/index.html"


StatusCode        : 200
StatusDescription : OK
Content           : Glen Geen
                    ; tagName=IMG; src=/images/LogoMakr-light.png}}
InputFields       : {}
Links             : {@{outerHTML=Home; tagName=A; href=/index.html}, @{outerHTML=Programming; tagName=A; href=/program.html}, @{outerHTML=JavaScript; tagName=A; href=/Commands/javascript.html},
                    @{outerHTML=Networking; tagName=A;
                    href=/Commands/networking.html}...}
ParsedHtml        :
RawContentLength  : 5830


# return just the status code.
PS C:\inetpub\wwwroot\Commands> (invoke-webrequest -usebasicparsing "https://www.geen.co/index.html").StatusCode
200

# return just the links in a web file
PS C:\inetpub\wwwroot\Commands> (invoke-webrequest -usebasicparsing "https://www.geen.co/index.html").Links

outerHTML                         tagName href
---------                         ------- ----
Home                              A       /index.html
Programming                       A       /program.html
JavaScript                        A       /Commands/javascri...
Networking                        A       /Commands/networki...
Perl                              A       /Commands/perl.html
PowerShell                        A       /Commands/powershe...
Python                            A       /Commands/python.html
SQL                               A       /Commands/sql.html
UNIX/Linux                        A       /Commands/unix.html
Reading Room                      A       /resource.html
Recipe cards                      A       /Recipes
Morning News                      A       /resource.html#se_...
Forums and blogs                  A       /resource.html#se_...
Church                            A       /resource.html#se_...
Government Related sites          A       /resource.html#se_fed
Blog Shorts                       A       /BlogShorts
2A related discussion             A       /BlogShorts/2a.html
Changing the course of business   A       ./BlogShorts/#Chan...
Read full story here.             A       ./BlogShorts/#Chan...
My To Do Lists                    A       ./todolist.html
Menu Planner                      A       ./MenuPlanner.html
LinkedIn                          A       http://www.linkedi...
My YouTube channel                A       https://www.youtub...
Rubmle.com                        A       https://rumble.com...
My MeWe world                     A       https://mewe.com/i...
Pinterest.com                     A       https://www.pinter...
Ultimate Guitar                   A       https://www.ultima...
Glen Geen                         A       mailto:gptwins@icl...
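The one-liners above answer "is it up?" interactively. As an added example that is not from the original page, here is the same check wrapped in a function suitable for a scheduled task: it treats anything other than a 200 as unhealthy, optionally requires a known string in the body (a 200 from a default placeholder page is not proof that your site is serving), and records the failure reason instead of stopping on an error. The URLs are the page's own site, used as sample input; the function name Test-WebEndpoint and the -ExpectText parameter are assumptions.

```powershell
# Added example (not from the original page): availability check built on Invoke-WebRequest
function Test-WebEndpoint {
    param(
        [Parameter(Mandatory)] [string]$Url,
        [string]$ExpectText = '',      # optional string the response body must contain
        [int]   $TimeoutSec = 10
    )
    try {
        $r  = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec
        $ok = ($r.StatusCode -eq 200) -and
              ($ExpectText -eq '' -or $r.Content -like "*$ExpectText*")
        [pscustomobject]@{ Url = $Url; Status = $r.StatusCode; Healthy = $ok; Error = $null }
    } catch {
        # A 4xx/5xx reply and a connection failure both land here; keep the reason
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        [pscustomobject]@{ Url = $Url; Status = $status; Healthy = $false; Error = $_.Exception.Message }
    }
}

# Check several pages and show the result as a table (sample URLs from this page)
'https://www.geen.co/index.html', 'https://www.geen.co/Commands/networking.html' |
    ForEach-Object { Test-WebEndpoint -Url $_ -ExpectText 'Glen Geen' } |
    Format-Table -AutoSize
```

Pipe the objects to Export-Csv instead of Format-Table to keep a history, and alert on any row where Healthy is False.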

Prompt for user input

Read-Host ["Text for prompt: "] [-AsSecureString]
A quick example of prompting for a value is given below. Note that Read-Host appends its own ": " to the prompt, which is why the colon appears twice here; leave the colon out of the prompt string to avoid that.
PS C:\> Read-Host "Enter First Name: "
Enter First Name: : Glen
Glen
PS C:\>

When prompting for a password, add -AsSecureString. The result is a System.Security.SecureString object rather than plain text, so it has to be converted before it can be used; you may then use ConvertTo-SecureString or ConvertFrom-SecureString on the resulting output. The example looks like:
PS C:\> Read-Host "Enter First Name: " -AsSecureString
Enter First Name: : ****
System.Security.SecureString
PS C:\>
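As an added example, not from the original page, here is how the SecureString returned by -AsSecureString is normally consumed: wrapped in a PSCredential for cmdlets that take -Credential, saved and restored with ConvertFrom-SecureString and ConvertTo-SecureString, and only as a last resort decrypted to plain text. The file name pw.txt and the commented-out Get-WmiObject call are assumptions.

```powershell
# Added example (not from the original page): working with a Read-Host -AsSecureString result
$user = Read-Host 'User name'                     # Read-Host appends ": " itself
$pass = Read-Host 'Password' -AsSecureString      # returns System.Security.SecureString

# Most cmdlets that take credentials want a PSCredential, which wraps the SecureString
$cred = New-Object System.Management.Automation.PSCredential ($user, $pass)
# e.g. Get-WmiObject -Class Win32_Product -ComputerName server01 -Credential $cred   (assumed host name)

# Persist for later reuse: ConvertFrom-SecureString encrypts with DPAPI, bound to the
# current user and machine, so the file is useless on another host or under another account
$pass | ConvertFrom-SecureString | Set-Content -Path "$env:USERPROFILE\pw.txt"

# Load it back: ConvertTo-SecureString reverses the step above
$restored = Get-Content "$env:USERPROFILE\pw.txt" | ConvertTo-SecureString
$cred2    = New-Object System.Management.Automation.PSCredential ($user, $restored)

# Only if an API truly needs plain text: decrypt, use, then free the unmanaged copy
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pass)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    "Password length: $($plain.Length)"           # use $plain here; never write it to a log
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
```

Once $plain exists it is an ordinary .NET string that stays in memory until garbage collected, so keep that last block as small as possible and prefer passing $cred to cmdlets that accept it.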