PowerShell

ABOUT

PowerShell is a powerful task automation and configuration management framework developed by Microsoft, built on the .NET framework. It includes a command-line shell and a scripting language designed to automate tasks across Windows systems, such as managing processes, services, files, and configurations. PowerShell is more powerful and flexible than the traditional Command Prompt (cmd) and integrates deeply with system administration tools.

We can also run classic cmd.exe commands from PowerShell with cmd /c {command}.

ALIASES

Many cmdlets in PowerShell also have aliases. For example, the aliases for the cmdlet Set-Location, which changes directories, are cd and sl. We can view all available aliases by typing Get-Alias.

PS C:\> get-alias

CommandType     Name                               Version    Source
-----------     ----                               -------    ------
Alias           % -> ForEach-Object
Alias           ? -> Where-Object
Alias           ac -> Add-Content
Alias           asnp -> Add-PSSnapin
Alias           cat -> Get-Content
Alias           cd -> Set-Location

We can also set up our own aliases with New-Alias and get the alias for any cmdlet with Get-Alias -Name.

PS C:\> New-Alias -Name "Show-Files" Get-ChildItem
PS C:\> Get-Alias -Name "Show-Files"

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Alias           Show-Files
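As an added example (not part of the original page), the snippet below creates an alias, then uses Get-Command to show what a given name actually resolves to. Aliases win over functions, cmdlets and external programs during name resolution, so a profile that redefines a familiar name such as cat or ls silently changes what runs; the helper Resolve-CommandName and the alias name Show-Files are illustrative and assumed.

```powershell
# Added example: how a command name resolves, and why that matters for aliases.
# Resolution order is alias > function > cmdlet > external program, so an alias
# always shadows a cmdlet or binary of the same name.
function Resolve-CommandName {
    param([Parameter(Mandatory)][string]$Name)
    $cmd = Get-Command -Name $Name -ErrorAction SilentlyContinue
    if (-not $cmd) { return "$Name : not found" }
    if ($cmd.CommandType -eq 'Alias') {
        # Definition holds the command the alias points to.
        return "$Name : alias -> $($cmd.Definition)"
    }
    return "$Name : $($cmd.CommandType) ($($cmd.Source))"
}

# Session-only alias; it disappears when this PowerShell process exits
# unless the same New-Alias line is placed in $PROFILE.
New-Alias -Name Show-Files -Value Get-ChildItem

Resolve-CommandName Show-Files     # alias -> Get-ChildItem
Resolve-CommandName cat            # alias -> Get-Content (not the Unix cat binary)
Resolve-CommandName Get-ChildItem  # Cmdlet (Microsoft.PowerShell.Management)

# Review aliases that are not marked ReadOnly: most built-in aliases carry that
# option, so the remaining ones are the user- or profile-defined additions.
Get-Alias | Where-Object { $_.Options -notmatch 'ReadOnly' } |
    Select-Object Name, Definition | Format-Table -AutoSize
```

Run it in a fresh session to see the alias appear in the final listing; open a second session and it is gone, which is the behaviour to expect whenever a New-Alias line is not persisted in a profile.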

RUNNING SCRIPTS

PowerShell ISE (Integrated Scripting Environment) allows users to write PowerShell scripts on the fly. It also has an autocomplete/lookup function for PowerShell commands. The PowerShell ISE allows us to write and run scripts in the same console, which allows for quick debugging.

Examples:

PS C:\> .\PowerView.ps1; Get-LocalGroup | fl

Import a script as a module so that all of its functions remain available in the current PowerShell session (running .\script.ps1 on its own executes it in a child scope, so functions it defines are not kept afterwards).

PS C:\> Import-Module .\PowerView.ps1

EXECUTION POLICY

The execution policy is a safety feature that controls whether scripts are allowed to run; it is meant to stop users from unintentionally executing malicious or untrusted scripts.

The execution policy is not a security boundary; it can be bypassed by

  • Typing the script's contents directly into the console.

  • Using encoded commands or changing the policy temporarily.

Change the execution policy for the current process (session) only. The Process scope is held in the environment variable PSExecutionPolicyPreference rather than in the registry, so it needs no administrative rights and is discarded when the session ends.

PS C:\> Set-ExecutionPolicy Bypass -Scope Process

View the execution policy for every scope. Scopes are listed in precedence order (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine) and the effective policy is the first one whose value is not Undefined.

PS C:\> Get-ExecutionPolicy -List

Policy          Description
------          -----------
AllSigned       Scripts need a trusted publisher's signature. Prompts for untrusted publishers.
Bypass          No restrictions; no warnings or prompts.
Default         Restricted for desktops, RemoteSigned for servers.
RemoteSigned    Local scripts can run; downloaded scripts require a digital signature.
Restricted      Blocks script execution; allows individual commands.
Undefined       No policy set; defaults to Restricted.
Unrestricted    Allows unsigned scripts; warns before running scripts from outside the local intranet.
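The following is an added example, not taken from the original page: it shows how the per-scope values combine into one effective policy, changes only the Process scope, and then restores it. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the helper name Show-ExecutionPolicyState is an invented name for this demonstration.

```powershell
# Added example: execution policy scopes, Process-scope change, and the
# Group Policy caveat. Nothing here requires administrative rights.
function Show-ExecutionPolicyState {
    # Get-ExecutionPolicy -List prints scopes in precedence order; the
    # effective value is the first scope that is not 'Undefined'.
    Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-String | Write-Host
    Write-Host "Effective policy: $(Get-ExecutionPolicy)"
}

Write-Host '--- before ---'
Show-ExecutionPolicyState

# Remember the current Process-scope value so it can be restored later.
$previous = Get-ExecutionPolicy -Scope Process

# Process scope is stored in $env:PSExecutionPolicyPreference, not the
# registry: it applies to this session only and vanishes when it exits.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

Write-Host '--- during ---'
Show-ExecutionPolicyState

# MachinePolicy and UserPolicy come from Group Policy and sit above Process
# in precedence, so when either is set the Process-scope change has no effect.
$gpo = Get-ExecutionPolicy -List |
    Where-Object { $_.Scope -in 'MachinePolicy', 'UserPolicy' -and $_.ExecutionPolicy -ne 'Undefined' }
if ($gpo) {
    Write-Warning "Group Policy enforces the execution policy at scope: $($gpo.Scope -join ', ')"
}

# Put the Process scope back the way it was ('Undefined' is a valid value
# and simply removes the per-process override).
Set-ExecutionPolicy -ExecutionPolicy $previous -Scope Process -Force

Write-Host '--- after ---'
Show-ExecutionPolicyState
```

When MachinePolicy or UserPolicy is set, the Set-ExecutionPolicy call still succeeds but PowerShell reports that the new setting is overridden by a more specific policy; that message, not an error, is the sign that a Group Policy value is in charge.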

CMDLETS

Cmdlets are specialized commands in PowerShell. They follow a consistent verb-noun naming (Get-Process) to indicate their action and the object they operate on.

Get details about a file, including its owner

PS C:\> Get-ChildItem -Path 'C:\Share\file.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}

List running services (first two shown)

PS C:\> Get-Service | ? {$_.Status -eq "Running"} | select -First 2 | fl

Examine Service permissions

PS C:\> Get-ACL -Path HKLM:\System\CurrentControlSet\Services\wuauserv | Format-List

List all loaded modules and the commands they export

PS C:\> Get-Module | select Name,ExportedCommands | fl

Check Windows Defender status (prints only the settings that are enabled)

PS C:\> Get-MpComputerStatus | findstr "True"

List named pipes

PS C:\> gci \\.\pipe\
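The Get-ACL line above examines a single service's registry key. As an added example (not part of the original page), the function below applies the same check across many services and flags any principal outside an expected set that holds write-type rights on a service key, which is what an auditor wants from that data. The function name Get-ServiceKeyAccess and the default trusted list are assumptions for this example; it needs only read access to HKLM:\System\CurrentControlSet\Services.

```powershell
# Added example: audit who may change service configuration via the registry.
function Get-ServiceKeyAccess {
    param(
        # Services to check; defaults to every running service.
        [string[]]$Name = (Get-Service | Where-Object Status -eq 'Running').Name,
        # Principals expected to hold write rights; anything else is flagged.
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    )
    # Rights that allow altering ImagePath, start type, or the key's own ACL.
    $writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

    foreach ($svc in $Name) {
        $key = "HKLM:\System\CurrentControlSet\Services\$svc"
        if (-not (Test-Path -Path $key)) { continue }
        $acl = Get-Acl -Path $key
        foreach ($ace in $acl.Access) {
            # Only Allow entries that include at least one write-type right matter.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.RegistryRights -band $writeMask) -eq 0) { continue }
            $who = $ace.IdentityReference.Value
            [pscustomobject]@{
                Service   = $svc
                Owner     = $acl.Owner
                Identity  = $who
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                Flagged   = ($who -notin $Trusted)
            }
        }
    }
}

# Usage: list only the unexpected grants. Empty output is the healthy result;
# anything listed is a candidate for tightening the key's ACL.
Get-ServiceKeyAccess | Where-Object Flagged | Format-Table -AutoSize
```

Inherited entries usually come from the parent Services key, so a flagged entry with Inherited set to True points at the parent ACL rather than at the individual service.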

WMI

Get the Windows version

PS C:\> Get-WmiObject -Class win32_OperatingSystem | select Version,BuildNumber

List system information

PS C:\> Get-WmiObject -Class Win32_OperatingSystem | select SystemDirectory,BuildNumber,SerialNumber,Version | ft

Get the SIDs of local users

PS C:\> get-localuser | Select name,sid

Get all service paths

PS C:\> wmic service get name, pathname
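The Get-WmiObject and wmic commands above still work on Windows PowerShell 5.1, but Get-WmiObject is not available in PowerShell 7 and wmic is deprecated. As an added example (not from the original page), the function below produces the same inventory with Get-CimInstance, the supported replacement. The function name Get-HostInventory is assumed for this example; it runs as a standard user.

```powershell
# Added example: the WMI queries above rewritten for Get-CimInstance.
function Get-HostInventory {
    # Win32_OperatingSystem carries version, build and install details.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $osInfo = [pscustomobject]@{
        Caption         = $os.Caption
        Version         = $os.Version
        BuildNumber     = $os.BuildNumber
        SystemDirectory = $os.SystemDirectory
        SerialNumber    = $os.SerialNumber
        # CIM returns a DateTime here; WMI returned a DMTF string that needed converting.
        LastBootUpTime  = $os.LastBootUpTime
    }

    # Win32_Service replaces 'wmic service get name, pathname' and also
    # exposes the account each service runs as.
    $services = Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, State, StartMode, StartName, PathName

    [pscustomobject]@{ OS = $osInfo; Services = $services }
}

$inv = Get-HostInventory
$inv.OS | Format-List
$inv.Services | Sort-Object Name | Format-Table -AutoSize

# Local users and SIDs: Get-LocalUser is not WMI-based, so on hosts without the
# LocalAccounts module the CIM class Win32_UserAccount gives the same data.
Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE" |
    Select-Object Name, SID, Disabled | Format-Table -AutoSize
```

Get-CimInstance uses WinRM rather than DCOM for remote queries, so the same function works against remote hosts by adding -ComputerName to each Get-CimInstance call where WinRM is enabled.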
