
Windows Administration with PowerShell #2: Useful Cmdlets

For those new to PowerShell, figuring out where to begin can be daunting. Everyone learns differently: some prefer to read, others prefer a hands-on approach. Whichever you choose, very few people memorize every detail, and immediate retention shouldn't be the expectation. When it comes to learning PowerShell, the key to efficiency and success is repetition. As you begin to work with PowerShell, you will most likely find yourself reusing the same code in different scenarios, depending on your job function: an O365 administrator will be more familiar with the O365 cmdlets, while an Active Directory administrator will know the Active Directory cmdlets better. For the cases where you have to work with code you do not know, PowerShell ships with tools for finding commands, reading their documentation and inspecting what they return. These tools are a great place to start when first picking up PowerShell.

See my introduction to PowerShell, here.

Development Cmdlets

While this is not an official designation, I like to refer to the tools I will mention as development cmdlets because I tend to use them whenever I am working on developing a new script.

Get-Help

You will find Get-Help to be one of the most useful cmdlets when working with unfamiliar code. It documents PowerShell cmdlets, functions, CIM commands, workflows, providers, aliases and the conceptual about_* topics. Using it is as simple as typing Get-Help followed by the target; add -Examples to see only the worked examples, -Parameter followed by a parameter name for a single parameter, or -Full for everything. A few examples include:

  • Get-Help Get-Process
  • Get-Help Get-Content
  • Get-Help Stop-Process

Note that a freshly installed system often carries only an auto-generated syntax stub for each cmdlet, with no description or examples. Run Update-Help once from an elevated session with internet access to download the full help content, or use -Online to open the documentation for a cmdlet in a browser.

Get-Command

This cmdlet can be used to retrieve a list of all commands currently installed on the computer. This is useful when you are working on a new task and are unsure if there are any commands that could help you. In this situation, you can use Get-Command as shown below:

  • Get-Command -Type Cmdlet | Sort-Object -Property Noun | Format-Table -GroupBy Noun

This will provide you with a list of alphabetically sorted commands grouped by noun.

Get-Member

When working with cmdlets, you will often see data returned in the form of objects. Because these objects will not always carry the same properties and methods, it can be hard to know how best to manipulate them. Luckily, the Get-Member cmdlet lists the properties and methods of whatever object is piped to it. It is almost always used with the pipeline operator, as demonstrated below (Get-ADUser comes from the ActiveDirectory module, which is installed with RSAT; it is not part of PowerShell itself):

  • Get-ADUser -Filter 'Name -eq "ServiceAccount1"' | Get-Member

This returns the methods and properties of the object type Get-ADUser produced for ServiceAccount1 (Microsoft.ActiveDirectory.Management.ADUser), which are the names you can then use with Where-Object, Select-Object and the other cmdlets below. If the filter matches nothing, Get-Member receives no input and reports an error rather than an empty list.
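The three development cmdlets above are most useful together. The following is an added example, not code from the original post: it wraps Get-Command, Get-Help and Get-Member into a quick-reference routine for a cmdlet you have not used before. Get-CmdletQuickRef is this example's own name (not a built-in), and it assumes only the built-in Get-Service cmdlet; the Get-ADUser call at the end is guarded so the script still runs on a machine without RSAT.

```powershell
# Added example (not from the original post): using Get-Help, Get-Command and
# Get-Member together to learn an unfamiliar cmdlet before touching a system.
# Get-CmdletQuickRef is this example's own helper and not part of PowerShell.

function Get-CmdletQuickRef {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Name
    )

    # Get-Command tells us whether the command exists, what kind it is and
    # which module provides it; it also catches names that do not exist.
    $cmd = Get-Command -Name $Name -ErrorAction SilentlyContinue
    if (-not $cmd) {
        Write-Warning "No command named '$Name'. Try: Get-Command -Noun $($Name.Split('-')[-1])"
        return
    }

    # Get-Help returns the help object. A fresh machine often has only the
    # auto-generated syntax stub, which carries no examples section; run
    # Update-Help (elevated, with internet access) once to get the full files.
    $help = Get-Help -Name $Name
    $hasFullHelp = $null -ne $help.examples

    [PSCustomObject]@{
        Name          = $cmd.Name
        CommandType   = $cmd.CommandType
        Module        = $cmd.ModuleName
        Synopsis      = $help.Synopsis
        FullHelp      = $hasFullHelp
        ParameterSets = $cmd.ParameterSets.Name
        # Parameters that accept pipeline input are the ones you can feed with '|'
        PipelineInput = ($cmd.Parameters.Values |
            Where-Object {
                $_.Attributes | Where-Object { $_.ValueFromPipeline -or $_.ValueFromPipelineByPropertyName }
            } |
            Select-Object -ExpandProperty Name)
        OutputType    = $cmd.OutputType.Name
    }
}

# 1. Quick reference for a cmdlet you have not used before
Get-CmdletQuickRef -Name Get-Service | Format-List

# 2. Targeted help: one parameter, or only the worked examples
Get-Help Get-Service -Parameter Name
Get-Help Get-Service -Examples

# 3. Find commands by what they work on rather than by name
Get-Command -Noun Service                 # every *-Service command
Get-Command -ParameterName ComputerName   # anything that can target a remote host

# 4. Inspect what a cmdlet actually returns, using a built-in cmdlet
Get-Service | Select-Object -First 1 | Get-Member -MemberType Property, AliasProperty

# A module-provided cmdlet such as Get-ADUser may simply not be installed here
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    Get-ADUser -Filter 'Name -eq "ServiceAccount1"' | Get-Member
} else {
    Write-Warning "ActiveDirectory module not installed; install RSAT to get Get-ADUser."
}
```

The PipelineInput field is the one worth reading first: it tells you which parameters a cmdlet will bind from piped objects, which is what decides whether `Get-Service | Stop-Service` works or whether you need a foreach loop.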

Other Useful Cmdlets

There are also many other useful cmdlets that span many different areas of PowerShell functionality. These can be found in almost every script.

Where-Object

The Where-Object cmdlet is used to filter objects in a collection based on the given conditions:

  • Get-Service | Where-Object {$_.Status -eq "Stopped"}

In this example, instead of returning all services on the machine, only the services which are currently stopped will be returned.

Select-Object

The Select-Object cmdlet allows you to select specific object properties in the instances where you do not want an overabundance of information:

  • Get-ChildItem C:\Users\nalmi\Desktop -File | Select-Object Name, LastWriteTime

In this example, only the Name and the LastWriteTime of the returned files will be displayed.
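To show Where-Object and Select-Object doing more than the one-liners above, here is an added example that is not part of the original post. It creates a handful of sample files in a temporary folder (the names, sizes and ages are constructed for the demo) so that it runs anywhere, then answers a common question: which executables or installers landed in a folder in the last week, and how big are they?

```powershell
# Added example (not from the original post): filtering and shaping objects with
# Where-Object and Select-Object. The folder and files below are constructed for
# the demo and removed at the end.

$root = Join-Path ([IO.Path]::GetTempPath()) ("ps-filter-demo-" + [guid]::NewGuid().ToString('N').Substring(0, 8))
New-Item -ItemType Directory -Path $root | Out-Null

# Constructed sample data: file name, size in bytes and age in days
$samples = @(
    @{ Name = 'report.docx';   Bytes = 40960; AgeDays = 2  }
    @{ Name = 'invoice.pdf';   Bytes = 2048;  AgeDays = 15 }
    @{ Name = 'setup.exe';     Bytes = 8192;  AgeDays = 1  }
    @{ Name = 'notes.txt';     Bytes = 512;   AgeDays = 40 }
    @{ Name = 'installer.msi'; Bytes = 16384; AgeDays = 3  }
)
foreach ($s in $samples) {
    $path = Join-Path $root $s.Name
    [IO.File]::WriteAllBytes($path, (New-Object byte[] $s.Bytes))
    (Get-Item $path).LastWriteTime = (Get-Date).AddDays(-$s.AgeDays)
}

# Where-Object: the script-block form lets you combine several conditions.
# Here: executables or installers written in the last 7 days.
$recentExecutables = Get-ChildItem -Path $root -File |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) -and $_.Extension -in @('.exe', '.msi') }

# The simplified form works for a single condition (no $_ needed)
$small = Get-ChildItem -Path $root -File | Where-Object Length -lt 4096

# Select-Object: pick properties and compute new ones. A calculated property
# is a hashtable with Name and Expression keys.
$recentExecutables |
    Select-Object Name,
                  @{ Name = 'SizeKB';  Expression = { [math]::Round($_.Length / 1KB, 1) } },
                  @{ Name = 'AgeDays'; Expression = { ((Get-Date) - $_.LastWriteTime).Days } } |
    Sort-Object AgeDays |
    Format-Table -AutoSize

# -ExpandProperty returns the raw values instead of objects with one property,
# which is what you want when feeding names into another command or a report.
$smallNames = $small | Select-Object -ExpandProperty Name
Write-Host "Small files: $($smallNames -join ', ')"

# -First limits the output and stops the upstream command early, so it is cheap
# on large directories.
Get-ChildItem -Path $root -File | Sort-Object Length -Descending | Select-Object -First 2 Name, Length

Remove-Item -Path $root -Recurse -Force
```

Two habits worth keeping from this: filter as early in the pipeline as you can (or with the cmdlet's own -Filter parameter where one exists) so later stages see fewer objects, and use Select-Object to shape output only at the end, because once you have selected a few properties the rest of the object is gone.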

Set-ExecutionPolicy

Windows clients default to the Restricted execution policy (Windows Server ships with RemoteSigned), so it is common to hit an error saying that running scripts is disabled on this system. To run scripts you will have to configure a less strict policy, and Set-ExecutionPolicy does exactly that, setting the policy to the provided input as seen below:

  • Set-ExecutionPolicy Unrestricted

Unrestricted is what many guides show, but RemoteSigned is the better everyday choice: scripts you write locally run, while anything downloaded from the internet must be signed or explicitly unblocked with Unblock-File after you have reviewed it. Two further points are worth noting. First, Set-ExecutionPolicy writes to the LocalMachine scope by default, which requires an elevated PowerShell session; the CurrentUser and Process scopes do not, and a policy pushed by Group Policy cannot be changed this way at all. Second, the execution policy is a safety feature against accidentally running scripts, not a security boundary: anyone who can start powershell.exe can pass -ExecutionPolicy Bypass, so do not rely on Restricted to keep untrusted code off a machine.
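The following is an added example, not part of the original post, showing how to inspect the policy at every scope and how to relax it at the narrowest scope that solves the problem instead of setting Unrestricted machine-wide. Nothing in it is specific to a particular environment; the script path in the Unblock-File comment is a placeholder.

```powershell
# Added example (not from the original post): inspecting and setting the
# execution policy without reaching for Unrestricted.

# Every scope, most specific first; the first entry that is not Undefined wins.
# MachinePolicy and UserPolicy come from Group Policy and cannot be changed
# with Set-ExecutionPolicy, which only writes to the registry.
Get-ExecutionPolicy -List

# The effective policy for this session
Get-ExecutionPolicy

# Preferred: local scripts run, anything downloaded must be Authenticode-signed.
# CurrentUser scope needs no elevation and does not affect other accounts.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# LocalMachine is the default scope and the one that needs an elevated session.
# Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine

# One-off: relax only the current process; nothing is written to the registry.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# RemoteSigned blocks a downloaded script because of the Zone.Identifier
# stream the browser attached, not because of where the file sits now. Review
# the script, then remove the mark-of-the-web instead of lowering the policy.
# Unblock-File -Path .\Downloaded-Script.ps1   # placeholder path

# Execution policy is a safety rail, not a security boundary: any user can run
#   powershell.exe -ExecutionPolicy Bypass -File .\script.ps1
# so it should never be the control that keeps untrusted code off a host.
```

On a managed fleet, the Get-ExecutionPolicy -List output is the thing to check before troubleshooting further: if MachinePolicy or UserPolicy is set, the local Set-ExecutionPolicy call will appear to succeed but the Group Policy value still wins.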

Real World Scenario #1: Working With Services

As this series progresses, I will be covering a variety of different real world scenarios designed to show you some of the ways PowerShell can be used to automate common Windows Administration tasks. For this scenario, let’s imagine a case where you need to check to see if there are any Xbox related services currently running on your machine that need to be stopped.

The first step is finding cmdlets that will let you do this. As you know from the beginning of this post, Get-Command does just that. If you have used Get-Command before, you know it returns a giant list of commands that is daunting to filter through; this is where Where-Object is useful. In this example, we want a list of cmdlets that work with services:

  • Get-Command -Type Cmdlet | Where-Object { $_.Noun -eq "Service" }

Notice the ‘$_’: it refers to the current object coming down the pipeline. Where-Object runs the script block once for each object Get-Command emits and keeps the ones for which the block returns true. Now that you have a list of cmdlets that interact with services, you can start working on retrieving the status of the services you want. Before you can do that, however, you need to identify the properties of the objects returned by Get-Service. To do so, you will use the Get-Member cmdlet described earlier in this post:

  • $(Get-Service)[0] | Get-Member | ? { $_.MemberType -eq "Property" -or $_.MemberType -eq "AliasProperty" }

I want to specifically call out the question mark in the above line of code. Remember those aliases I referenced in the last post? Well, the question mark is the alias for Where-Object. In other words, the above line of code essentially says “give me all the members of the first object returned by Get-Service where the MemberType is Property or AliasProperty.”

Now that you have a list of properties, you will see that you have the ability to filter on the ‘Name’ of the services returned. Let’s use the Where-Object cmdlet one more time to find any services that could be related to Xbox.

  • Get-Service | ? { $_.Name -like '*xbox*' }

In this scenario, two of the matching services are currently running and need to be stopped. If you revisit the results of the Get-Command code, you will see that there was a cmdlet called Stop-Service. To stop the returned services, simply pass the results to this cmdlet as follows:

  • Get-Service | ? { $_.Name -like '*xbox*' } | Stop-Service

If you run the Get-Service command again, you will see that the services are now stopped. Two caveats: Stop-Service needs an elevated session for almost every service, and a stopped service whose startup type is Automatic will simply start again at the next boot, so use Set-Service to set the startup type to Disabled if the change is meant to last.

  • Get-Service | ? { $_.Name -like '*xbox*' }
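The scenario above as a reusable function, added here as an example and not code from the original post. Stop-MatchingService is this example's own name; it keeps the page's '*xbox*' pattern but accepts any wildcard, checks for elevation up front, supports -WhatIf so the change can be previewed, optionally disables the service so it stays down after a reboot, and returns the post-change state so the result can be verified rather than assumed.

```powershell
# Added example (not from the original post): the Xbox-service scenario as a
# reviewable function. Stop-MatchingService is this example's own name.

function Stop-MatchingService {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Pattern,      # wildcard matched against Name and DisplayName

        [switch]$Disable       # also set the startup type to Disabled so it stays down
    )

    # Stop-Service and Set-Service need an elevated session for almost every service.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated PowerShell session."
    }

    $found = Get-Service | Where-Object { $_.Name -like $Pattern -or $_.DisplayName -like $Pattern }
    if (-not $found) {
        Write-Verbose "No services match '$Pattern'."
        return
    }

    foreach ($svc in $found) {
        # ShouldProcess wires up -WhatIf and -Confirm, so the change can be previewed.
        if ($svc.Status -ne 'Stopped' -and $PSCmdlet.ShouldProcess($svc.Name, 'Stop-Service')) {
            try {
                # -Force also stops services that depend on this one instead of failing.
                Stop-Service -Name $svc.Name -Force -ErrorAction Stop
            } catch {
                Write-Error "Could not stop $($svc.Name): $($_.Exception.Message)"
                continue
            }
        }
        # StartType is available on Windows PowerShell 5.x and PowerShell 7.
        if ($Disable -and $svc.StartType -ne 'Disabled' -and
            $PSCmdlet.ShouldProcess($svc.Name, 'Set-Service -StartupType Disabled')) {
            Set-Service -Name $svc.Name -StartupType Disabled
        }
    }

    # Re-read from the Service Control Manager rather than trusting the cached
    # objects, and return the result so the caller can log or check it.
    Get-Service | Where-Object { $_.Name -like $Pattern } | Select-Object Name, Status, StartType
}

# Preview first: prints what would be stopped or disabled without touching anything
Stop-MatchingService -Pattern '*xbox*' -Disable -WhatIf

# Then apply it, keeping before/after evidence of the change
$before = Get-Service | Where-Object Name -like '*xbox*' | Select-Object Name, Status, StartType
$after  = Stop-MatchingService -Pattern '*xbox*' -Disable
Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Name, Status, StartType
```

The -WhatIf run is the important habit: a wildcard like '*xbox*' is harmless, but the same function with a broader pattern could stop services that other software depends on, and -Force will take the dependents down with them. Preview, then apply.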

Next Week

In this post, a lot more information was covered and we have started to dig deeper into some useful code. In the next installment, we will work on organizing some of this code into actual cmdlets which will make administration of your environment much easier.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.