Los sistemas de archivos permiten organizar los datos en los dispositivos de almacenamiento siguiendo una serie de normas y restricciones. Un sistema de archivos se implanta después de crear una partición en un dispositivo de almacenamiento (disco duro, USB, CD/DVD, etc.). La unidad principal de los sistemas de archivos es el archivo, en general, los…
Read more
Presence This section focuses on information gathering about the victim host and the network that it’s attached to. System
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 |
#Shows all current environmental variables $env:ALLUSERSPROFILE $env:APPDATA $env:CommonProgramFiles ${env:CommonProgramFiles(x86)} $env:CommonProgramW6432 $env:COMPUTERNAME $env:ComSpec $env:FP_NO_HOST_CHECK $env:HOMEDRIVE $env:HOMEPATH $env:LOCALAPPDATA $env:LOGONSERVER $env:NUMBER_OF_PROCESSORS $env:OS $env:Path $env:PATHEXT $env:PROCESSOR_ARCHITECTURE $env:PROCESSOR_IDENTIFIER $env:PROCESSOR_LEVEL $env:PROCESSOR_REVISION $env:ProgramData $env:ProgramFiles ${env:ProgramFiles(x86)} $env:ProgramW6432 $env:PSModulePath $env:PUBLIC $env:SESSIONNAME $env:SystemRoot $env:TEMP $env:TMP $env:USERDOMAIN $env:USERDOMAIN_ROAMINGPROFILE $env:USERNAME $env:USERPROFILE $env:SystemDrive $env:windir #Shows all current environmental variables (macOS) $env:_ $env:LOGNAME $env:SHLVL $env:TERM_SESSION_ID $env:PATHEXT $env:__CF_USER_TEXT_ENCODING $env:PATH $env:SSH_AUTH_SOCK $env:TMPDIR $env:Apple_PubSub_Socket_Render $env:PSMODULEPATH $env:TERM $env:USER $env:HOME $env:PWD $env:TERM_PROGRAM $env:XPC_FLAGS $env:LC_CTYPE $env:SHELL $env:TERM_PROGRAM_VERSION $env:XPC_SERVICE_NAME #Information about disk Get-Disk #Retrieving Process Information Get-Process | Select-Object Name,Path,Company,CPU,Product,TotalProcessorTime,StartTime #Lists running threads for a specified process (Get-Process chrome | Select-Object Threads).Threads Get-Process | select -expand Threads #Last Boot Uptime Get-CimInstance -ClassName win32_operatingsystem | select csname, lastbootuptime #Lists the current drivers on the system Get-Process -Module #Events and event logs on the local and remote Get-EventLog -LogName System -EntryType Error, Warning Get-EventLog -LogName System -EntryType Error, Warning -ComputerName $computer |
WMI
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 |
#Information about disk Get-WmiObject -Class win32_DiskDrive #Retrieving the Shared Resources on the Local Computer Get-WmiObject -Class Win32_Share #Retrieving the Shared Resources on a Remote Computer Get-WmiObject -Class Win32_Share -ComputerName COMPUTER #Remote information Get-WmiObject Win32_ComputerSystem -cn $computer Get-WmiObject Win32_Group -cn $computer Get-WmiObject Win32_LogicalDisk -cn $computer Get-WmiObject Win32_NetworkClient -cn $computer Get-WmiObject Win32_NetworkConnection -cn $computer Get-WmiObject Win32_NetworkLoginProfile -cn $computer Get-WmiObject Win32_NTLogEvent -cn $computer Get-WmiObject Win32_OperatingSystem -cn $computer Get-WmiObject Win32_Process -cn $computer Get-WmiObject Win32_Product -cn $computer Get-WmiObject Win32_QuickFixEngineering -cn $computer Get-WmiObject Win32_Service -cn $computer Get-WmiObject Win32_Share -cn $computer Get-WmiObject Win32_StartupCommand -cn $computer Get-WmiObject Win32_UserAccount -cn $computer Get-WmiObject Win32_Volume -cn $computer #Remote information (use credential) $credenciales=Get-Credential (Get-WmiObject Win32_AutochkSetting -ComputerName ('192.168.1.'+$_) -Credential $credenciales).SettingID (Get-WmiObject Win32_BaseBoard -ComputerName ('192.168.1.'+$_) -Credential $credenciales).Manufacturer (Get-WmiObject Win32_BIOS -ComputerName ('192.168.1.'+$_) -Credential $credenciales).Version (Get-WmiObject Win32_Bus -ComputerName ('192.168.1.'+$_) -Credential $credenciales).DeviceID Get-WmiObject Win32_Processor -ComputerName ('192.168.1.'+$_) -Credential $credenciales Get-WmiObject Win32_SystemEnclosure -ComputerName ('192.168.1.'+$_) -Credential $credenciales Get-WmiObject Win32_Battery -ComputerName ('192.168.1.'+$_) -Credential $credenciales Get-WmiObject Win32_Printer -ComputerName ('192.168.1.'+$_) -Credential $credenciales #WMI queries $query="Select * from Msft_CliAlias"; Get-WMIObject -Query $query $query="Select * from Win32_BaseBoard"; Get-WMIObject -Query $query $query="Select * from Win32_BIOS"; Get-WMIObject -Query $query $query="Select * from Win32_BootConfiguration"; Get-WMIObject -Query $query $query="Select * from Win32_CDROMDrive"; Get-WMIObject -Query $query $query="Select * from Win32_ComputerSystem"; Get-WMIObject -Query $query $query="Select * from WIN32_PROCESSOR"; Get-WMIObject -Query $query $query="Select * from Win32_ComputerSystemProduct"; Get-WMIObject -Query $query $query="Select * from CIM_DataFile"; Get-WMIObject -Query $query $query="Select * from WIN32_DCOMApplication"; Get-WMIObject -Query $query $query="Select * from WIN32_DESKTOP"; Get-WMIObject -Query $query $query="Select * from WIN32_DESKTOPMONITOR"; Get-WMIObject -Query $query $query="Select * from Win32_DeviceMemoryAddress"; Get-WMIObject -Query $query $query="Select * from Win32_DiskDrive"; Get-WMIObject -Query $query $query="Select * from Win32_DiskQuota"; Get-WMIObject -Query $query $query="Select * from Win32_DMAChannel"; Get-WMIObject -Query $query $query="Select * from Win32_Environment"; Get-WMIObject -Query $query $query="Select * from Win32_Directory"; Get-WMIObject -Query $query $query="Select * from Win32_Group"; Get-WMIObject -Query $query $query="Select * from Win32_IDEController"; Get-WMIObject -Query $query $query="Select * from Win32_IRQResource"; Get-WMIObject -Query $query $query="Select * from Win32_ScheduledJob"; Get-WMIObject -Query $query $query="Select * from Win32_LoadOrderGroup"; Get-WMIObject -Query $query $query="Select * from Win32_LogicalDisk"; Get-WMIObject -Query $query $query="Select * from Win32_LogonSession"; Get-WMIObject -Query $query $query="Select * from WIN32_CACHEMEMORY"; Get-WMIObject -Query $query $query="Select * from Win32_PhysicalMemory"; Get-WMIObject -Query $query $query="Select * from Win32_PhysicalMemoryArray"; Get-WMIObject -Query $query $query="Select * from WIN32_NetworkClient"; Get-WMIObject -Query $query $query="Select * from Win32_NetworkLoginProfile"; Get-WMIObject -Query $query $query="Select * from Win32_NetworkProtocol"; Get-WMIObject -Query $query $query="Select * from Win32_NetworkConnection"; Get-WMIObject -Query $query $query="Select * from Win32_NetworkAdapter"; Get-WMIObject -Query $query $query="Select * from Win32_NetworkAdapterConfiguration"; Get-WMIObject -Query $query $query="Select * from Win32_NTDomain"; Get-WMIObject -Query $query $query="Select * from Win32_NTLogEvent"; Get-WMIObject -Query $query $query="Select * from Win32_NTEventlogFile"; Get-WMIObject -Query $query $query="Select * from Win32_OnBoardDevice"; Get-WMIObject -Query $query $query="Select * from Win32_OperatingSystem"; Get-WMIObject -Query $query $query="Select * from Win32_PageFileUsage"; Get-WMIObject -Query $query $query="Select * from Win32_PageFileSetting"; Get-WMIObject -Query $query $query="Select * from Win32_DiskPartition"; Get-WMIObject -Query $query $query="Select * from Win32_PortResource"; Get-WMIObject -Query $query $query="Select * from Win32_PortConnector"; Get-WMIObject -Query $query $query="Select * from Win32_Printer"; Get-WMIObject -Query $query $query="Select * from Win32_PrinterConfiguration"; Get-WMIObject -Query $query $query="Select * from Win32_PrintJob"; Get-WMIObject -Query $query $query="Select * from Win32_Process"; Get-WMIObject -Query $query $query="Select * from Win32_Product"; Get-WMIObject -Query $query $query="Select * from Win32_QuickFixEngineering"; Get-WMIObject -Query $query $query="Select * from Win32_QuotaSetting"; Get-WMIObject -Query $query $query="Select * from Win32_TSAccount"; Get-WMIObject -Query $query $query="Select * from Win32_TSNetworkAdapterSetting"; Get-WMIObject -Query $query $query="Select * from Win32_TSPermissionsSetting"; Get-WMIObject -Query $query $query="Select * from Win32_TerminalServiceSetting"; Get-WMIObject -Query $query $query="Select * from Win32_OSRecoveryConfiguration"; Get-WMIObject -Query $query $query="Select * from Win32_Registry"; Get-WMIObject -Query $query $query="Select * from Win32_SCSIController"; Get-WMIObject -Query $query $query="Select * from Win32_PerfRawData_PerfNet_Server"; Get-WMIObject -Query $query $query="Select * from Win32_Service"; Get-WMIObject -Query $query $query="Select * from Win32_ShadowCopy"; Get-WMIObject -Query $query $query="Select * from Win32_ShadowStorage"; Get-WMIObject -Query $query $query="Select * from Win32_Share"; Get-WMIObject -Query $query $query="Select * from Win32_SoftwareElement"; Get-WMIObject -Query $query $query="Select * from Win32_SoftwareFeature"; Get-WMIObject -Query $query $query="Select * from WIN32_SoundDevice"; Get-WMIObject -Query $query $query="Select * from Win32_StartupCommand"; Get-WMIObject -Query $query $query="Select * from Win32_SystemAccount"; Get-WMIObject -Query $query $query="Select * from Win32_SystemDriver"; Get-WMIObject -Query $query $query="Select * from Win32_SystemEnclosure"; Get-WMIObject -Query $query $query="Select * from Win32_SystemSlot"; Get-WMIObject -Query $query $query="Select * from Win32_TapeDrive"; Get-WMIObject -Query $query $query="Select * from Win32_TemperatureProbe"; Get-WMIObject -Query $query $query="Select * from Win32_TimeZone"; Get-WMIObject -Query $query $query="Select * from Win32_UninterruptiblePowerSupply"; Get-WMIObject -Query $query $query="Select * from Win32_UserAccount"; Get-WMIObject -Query $query $query="Select * from Win32_VoltageProbe"; Get-WMIObject -Query $query $query="Select * from Win32_Volume"; Get-WMIObject -Query $query $query="Select * from Win32_VolumeQuotaSetting"; Get-WMIObject -Query $query $query="Select * from Win32_VolumeUserQuota"; Get-WMIObject -Query $query $query="Select * from Win32_WMISetting"; Get-WMIObject -Query $query |
Networking
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 |
#Network Adaptor information contains, manufacturer, MAC ID etc Get-WmiObject -Class win32_networkadapter #Hardware information of the network adapter Get-NetAdapterHardwareInfo #Returns all physical network adapters Get-NetAdapter -Physical #Networking statistics from the network adapter. The statistics include broadcast, multicast, discards, and errors Get-NetAdapterStatistics #Get the current MAC Get-NetAdapter | Select-Object Name,MacAddress Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Select-Object Description,MACAddress #Neighbor cache entries (The neighbor cache maintains information for each on-link neighbor, including the IP address and the associated link-layer address. In IPv4, the neighbor cache is commonly known as the Address Resolution Protocol (ARP) cache) Get-NetNeighbor #Get the current IP address Get-NetIPAddress | Select-Object InterfaceAlias,IPAddress Get-NetIPAddress -AddressFamily ipv4 Get-NetIPAddress -AddressFamily ipv6 Get-NetIPConfiguration #Information about firewall Get-NetFirewallAddressFilter Get-NetFirewallApplicationFilter Get-NetFirewallInterfaceFilter Get-NetFirewallInterfaceTypeFilter Get-NetFirewallPortFilter Get-NetFirewallProfile Get-NetFirewallRule Get-NetFirewallSecurityFilter Get-NetFirewallServiceFilter Get-NetFirewallSetting #List Firewall Rules #Direction: Inbound Get-NetFirewallRule | Where {$_.Direction –eq ‘Inbound’} #TCP Get-NetTCPConnection Get-NetTCPConnection | Select-Object LocalPort,Remoteport #UDP Get-NetUDPEndpoint (Get-NetUDPEndpoint).LocalPort #Information about DNS Get-DnsClient Get-DnsClientCache Get-DnsClientGlobalSetting Get-DnsClientNrptGlobal Get-DnsClientNrptPolicy Get-DnsClientNrptRule Get-DnsClientServerAddress #Displays your currently shared SMB entries Get-SmbShare Get-WmiObject -Class Win32_Share #Access a Router $user="admin" $pass="admin123" $pair="${user}:${pass}" $bytes=[System.Text.Encoding]::ASCII.GetBytes($pair) $base64=[System.Convert]::ToBase64String($bytes) $basicAuthValue="Basic $base64" $headers=@{Authorization=$basicAuthValue} $url='http://192.168.1.1:89/rpSys.html' $result=(Invoke-WebRequest -Uri $url -Headers $headers) ($result.AllElements | Where tagName -eq “title”).outerText #Connect to Access Point $user="admin" $pass="1234" $pair="${user}:${pass}" $bytes=[System.Text.Encoding]::ASCII.GetBytes($pair) $base64=[System.Convert]::ToBase64String($bytes) $basicAuthValue="Basic $base64" $headers=@{Authorization=$basicAuthValue} $url='http://192.168.1.2/index.asp' $result=(Invoke-WebRequest -Uri $url -Headers $headers) ($result.AllElements | Where tagName -eq “title”).outerText |
Users
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
#List your current user [System.Security.Principal.WindowsIdentity]::GetCurrent() ([System.Security.Principal.WindowsIdentity]::GetCurrent()).name #Remote user Get-WmiObject win32_computersystem -property username -ComputerName RemoteComputer #List local users $adsi = [ADSI]"WinNT://$env:COMPUTERNAME" $adsi.Children | Where-Object {$_.SchemaClassName -eq 'user'} | Select-Object Name #List local groups $adsi = [ADSI]"WinNT://$env:COMPUTERNAME" $adsi.Children | Where-Object {$_.SchemaClassName -eq 'group'} | Select-Object name #Information about user accounts Get-WmiObject -Class Win32_UserAccount Get-WmiObject -Class Win32_Account #Information about group accounts Get-WmiObject -Class Win32_Group |
Configs
|
1 2 3 4 5 |
#Services Get-Service #Print the contents of the Windows hosts file Get-Content $env:windir\System32\drivers\etc\hosts |
Finding important files
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#Gets the items in one or more specified locations Get-ChildItem #Recursively searches for files with a “.txt” extension in the C:\temp directory. The contents of any files matching this criteria are then searched for the term “password” Get-ChildItem c:\temp -Filter *.txt -Recurse | Select-String password #Searching file “TeamViewer” Get-ChildItem c:\ -rec -ea SilentlyContinue | ForEach-Object { Select-String "TeamViewer" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches } #Searching IP adresses in text files Write-Host "IP addresses:`n" Get-ChildItem C:\Users\ -rec -ea SilentlyContinue | ForEach-Object { Select-String "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches | ForEach-Object {($_.matches)|Select-Object Value} } #Searching BitLocker recovery keys #Searching content “Clave de recuperación de Cifrado de unidad BitLocker” Get-ChildItem C:\Users\juan -rec -ea SilentlyContinue | ForEach-Object { Select-String "Clave de recuperación de Cifrado de unidad BitLocker" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches } |
Files to pull
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
#Large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size Get-ChildItem $env:SystemDrive\pagefile.sys #Prefetch files Get-ChildItem $env:SystemRoot\Prefetch #Portion of accessed file list within prefetch file for PowerShell.exe Get-Content $env:SystemRoot\Prefetch\POWERSHELL_ISE.EXE-85BC6AB4.pf #File contains the registry settings Get-ChildItem $env:windir\System32\config -Force #File contains the registry settings for their individual account Get-ChildItem $env:USERPROFILE\NTUSER.DAT #This file contains the mappings of IP addresses to host names Get-ChildItem $env:windir\System32\drivers\etc\hosts Get-Content $env:windir\System32\drivers\etc\hosts |
Remote system access
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
#Determines whether all elements of the path exist Test-Path \\192.168.1.56\datos #Gets the items in one or more specified locations Get-ChildItem \\192.168.1.56\datos #Creates a new Server Message Block (SMB) share New-SmbShare -Name fso -Path F:\power #Creates a new Server Message Block share and add permissions New-SmbShare -Name fso -Path F:\power –FullAccess administrador -ReadAccess Everyone #Enable remote desktop powershell Start-Process powershell_ise -Verb runAs Set-Location HKLM:\ $RegKey ='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\' Set-ItemProperty -Path $RegKey -Name fDenyTSConnections -Value 0 #View installed programs on remote machine $credencial=Get-Credential 1..254 | %{ ('192.168.1.'+$_) if(Test-Connection ('192.168.1.'+$_) -Quiet) { Get-WmiObject -Class Win32_Product -ComputerName ('192.168.1.'+$_) -Credential $credencial } } |
Software
|
1 2 3 4 5 |
#Gets a list of the app packages that are installed in a user profile Get-AppxPackage #Returns a list of all software packages that have been installed by using Package Management Get-Package |
AutoStart directories
|
1 |
Get-ChildItem $env:SystemDrive\'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\' -Force |
Persistance This section focuses on gaining a foothold to regain,…
Read more
|
1 |
Get-ChildItem D:\prueba | %{if(Get-Content $_.FullName | Select-String "borrar"){Remove-Item $_.FullName -WhatIf}} |
|
1 |
Get-ChildItem | Where-Object {$_.LastWriteTime -ge (Get-Date).AddDays(-1)} | Remove-Item |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 |
Alias % -> ForEach-Object Alias ? -> Where-Object Alias ac -> Add-Content Alias asnp -> Add-PSSnapIn Alias cat -> Get-Content Alias cd -> Set-Location Alias chdir -> Set-Location Alias clc -> Clear-Content Alias clear -> Clear-Host Alias clhy -> Clear-History Alias cli -> Clear-Item Alias clp -> Clear-ItemProperty Alias cls -> Clear-Host Alias clv -> Clear-Variable Alias cnsn -> Connect-PSSession Alias compare -> Compare-Object Alias copy -> Copy-Item Alias cp -> Copy-Item Alias cpi -> Copy-Item Alias cpp -> Copy-ItemProperty Alias curl -> Invoke-WebRequest Alias cvpa -> Convert-Path Alias dbp -> Disable-PSBreakpoint Alias del -> Remove-Item Alias diff -> Compare-Object Alias dir -> Get-ChildItem Alias dnsn -> Disconnect-PSSession Alias ebp -> Enable-PSBreakpoint Alias echo -> Write-Output Alias epal -> Export-Alias Alias epcsv -> Export-Csv Alias epsn -> Export-PSSession Alias erase -> Remove-Item Alias etsn -> Enter-PSSession Alias exsn -> Exit-PSSession Alias fc -> Format-Custom Alias fl -> Format-List Alias foreach -> ForEach-Object Alias ft -> Format-Table Alias fw -> Format-Wide Alias gal -> Get-Alias Alias gbp -> Get-PSBreakpoint Alias gc -> Get-Content Alias gci -> Get-ChildItem Alias gcm -> Get-Command Alias gcs -> Get-PSCallStack Alias gdr -> Get-PSDrive Alias ghy -> Get-History Alias gi -> Get-Item Alias gjb -> Get-Job Alias gl -> Get-Location Alias gm -> Get-Member Alias gmo -> Get-Module Alias gp -> Get-ItemProperty Alias gps -> Get-Process Alias gpv -> Get-ItemPropertyValue Alias group -> Group-Object Alias gsn -> Get-PSSession Alias gsnp -> Get-PSSnapIn Alias gsv -> Get-Service Alias gu -> Get-Unique Alias gv -> Get-Variable Alias gwmi -> Get-WmiObject Alias h -> Get-History Alias history -> Get-History Alias icm -> Invoke-Command Alias iex -> Invoke-Expression Alias ihy -> Invoke-History Alias ii -> Invoke-Item Alias ipal -> Import-Alias Alias ipcsv -> Import-Csv Alias ipmo -> Import-Module Alias ipsn -> Import-PSSession Alias irm -> Invoke-RestMethod Alias ise -> powershell_ise.exe Alias iwmi -> Invoke-WMIMethod Alias iwr -> Invoke-WebRequest Alias kill -> Stop-Process Alias lp -> Out-Printer Alias ls -> Get-ChildItem Alias man -> help Alias md -> mkdir Alias measure -> Measure-Object Alias mi -> Move-Item Alias mount -> New-PSDrive Alias move -> Move-Item Alias mp -> Move-ItemProperty Alias mv -> Move-Item Alias nal -> New-Alias Alias ndr -> New-PSDrive Alias ni -> New-Item Alias nmo -> New-Module Alias npssc -> New-PSSessionConfigurationFile Alias nsn -> New-PSSession Alias nv -> New-Variable Alias ogv -> Out-GridView Alias oh -> Out-Host Alias popd -> Pop-Location Alias ps -> Get-Process Alias pushd -> Push-Location Alias pwd -> Get-Location Alias r -> Invoke-History Alias rbp -> Remove-PSBreakpoint Alias rcjb -> Receive-Job Alias rcsn -> Receive-PSSession Alias rd -> Remove-Item Alias rdr -> Remove-PSDrive Alias ren -> Rename-Item Alias ri -> Remove-Item Alias rjb -> Remove-Job Alias rm -> Remove-Item Alias rmdir -> Remove-Item Alias rmo -> Remove-Module Alias rni -> Rename-Item Alias rnp -> Rename-ItemProperty Alias rp -> Remove-ItemProperty Alias rsn -> Remove-PSSession Alias rsnp -> Remove-PSSnapin Alias rujb -> Resume-Job Alias rv -> Remove-Variable Alias rvpa -> Resolve-Path Alias rwmi -> Remove-WMIObject Alias sajb -> Start-Job Alias sal -> Set-Alias Alias saps -> Start-Process Alias sasv -> Start-Service Alias sbp -> Set-PSBreakpoint Alias sc -> Set-Content Alias select -> Select-Object Alias set -> Set-Variable Alias shcm -> Show-Command Alias si -> Set-Item Alias sl -> Set-Location Alias sleep -> Start-Sleep Alias sls -> Select-String Alias sort -> Sort-Object Alias sp -> Set-ItemProperty Alias spjb -> Stop-Job Alias spps -> Stop-Process Alias spsv -> Stop-Service Alias start -> Start-Process Alias sujb -> Suspend-Job Alias sv -> Set-Variable Alias swmi -> Set-WMIInstance Alias tee -> Tee-Object Alias trcm -> Trace-Command Alias type -> Get-Content Alias wget -> Invoke-WebRequest Alias where -> Where-Object Alias wjb -> Wait-Job Alias write -> Write-Output |
Gestión del hardware Gestión de archivos Agregar/Eliminar software Actualizar Gestión de procesos Programación de tareas Gestión de usuarios Gestión del almacenamiento Gestión de la red Copias de seguridad Reparación del sistema Rendimiento del sistema Gestión del hardware
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 |
#Computer System Hardware Classes #Cooling Device Classes Get-WmiObject Win32_Fan Get-WmiObject Win32_HeatPipe Get-WmiObject Win32_Refrigeration Get-WmiObject Win32_TemperatureProbe #Input Device Classes Get-WmiObject Win32_Keyboard Get-WmiObject Win32_PointingDevice #Mass Storage Classes Get-WmiObject Win32_AutochkSetting Get-WmiObject Win32_CDROMDrive Get-WmiObject Win32_DiskDrive Get-WmiObject Win32_FloppyDrive Get-WmiObject Win32_PhysicalMedia Get-WmiObject Win32_TapeDrive #Motherboard, Controller, and Port Classes Get-WmiObject Win32_1394Controller Get-WmiObject Win32_1394ControllerDevice Get-WmiObject Win32_AllocatedResource Get-WmiObject Win32_AssociatedProcessorMemory Get-WmiObject Win32_BaseBoard Get-WmiObject Win32_BIOS Get-WmiObject Win32_Bus Get-WmiObject Win32_CacheMemory Get-WmiObject Win32_ControllerHasHub Get-WmiObject Win32_DeviceBus Get-WmiObject Win32_DeviceMemoryAddress Get-WmiObject Win32_DeviceSettings Get-WmiObject Win32_DMAChannel Get-WmiObject Win32_FloppyController Get-WmiObject Win32_IDEController Get-WmiObject Win32_IDEControllerDevice Get-WmiObject Win32_InfraredDevice Get-WmiObject Win32_IRQResource Get-WmiObject Win32_MemoryArray Get-WmiObject Win32_MemoryArrayLocation Get-WmiObject Win32_MemoryDevice Get-WmiObject Win32_MemoryDeviceArray Get-WmiObject Win32_MemoryDeviceLocation Get-WmiObject Win32_MotherboardDevice Get-WmiObject Win32_OnBoardDevice Get-WmiObject Win32_ParallelPort Get-WmiObject Win32_PCMCIAController Get-WmiObject Win32_PhysicalMemory Get-WmiObject Win32_PhysicalMemoryArray Get-WmiObject Win32_PhysicalMemoryLocation Get-WmiObject Win32_PNPAllocatedResource Get-WmiObject Win32_PNPDevice Get-WmiObject Win32_PNPEntity Get-WmiObject Win32_PortConnector Get-WmiObject Win32_PortResource Get-WmiObject Win32_Processor Get-WmiObject Win32_SCSIController Get-WmiObject Win32_SCSIControllerDevice Get-WmiObject Win32_SerialPort Get-WmiObject Win32_SerialPortConfiguration Get-WmiObject Win32_SerialPortSetting Get-WmiObject Win32_SMBIOSMemory Get-WmiObject Win32_SoundDevice Get-WmiObject Win32_SystemBIOS Get-WmiObject Win32_SystemDriverPNPEntity Get-WmiObject Win32_SystemEnclosure Get-WmiObject Win32_SystemMemoryResource Get-WmiObject Win32_SystemSlot Get-WmiObject Win32_USBController Get-WmiObject Win32_USBControllerDevice Get-WmiObject Win32_USBHub #Networking Device Classes Get-WmiObject Win32_NetworkAdapter Get-WmiObject Win32_NetworkAdapterConfiguration Get-WmiObject Win32_NetworkAdapterSetting #Power Classes Get-WmiObject Win32_Battery Get-WmiObject Win32_CurrentProbe Get-WmiObject Win32_PortableBattery Get-WmiObject Win32_PowerManagementEvent Get-WmiObject Win32_VoltageProbe #Printing Classes Get-WmiObject Win32_DriverForDevice Get-WmiObject Win32_Printer Get-WmiObject Win32_PrinterConfiguration Get-WmiObject Win32_PrinterController Get-WmiObject Win32_PrinterDriver Get-WmiObject Win32_PrinterDriverDll Get-WmiObject Win32_PrinterSetting Get-WmiObject Win32_PrintJob Get-WmiObject Win32_TCPIPPrinterPort #Telephony Classes Get-WmiObject Win32_POTSModem Get-WmiObject Win32_POTSModemToSerialPort #Video and Monitor Classes Get-WmiObject Win32_DesktopMonitor Get-WmiObject Win32_DisplayControllerConfiguration Get-WmiObject Win32_VideoController Get-WmiObject Win32_VideoSettings Get-WmiObject Win32_Processor Get-WmiObject -Class Win32_Processor Get-WmiObject -query "select * from Win32_Processor" Get-WmiObject Win32_PnPEntity Get-WmiObject -Class Win32_PnPEntity Get-WmiObject -query “select * from Win32_PnPEntity” Get-WmiObject Win32_battery Get-WmiObject -Class Win32_battery Get-WmiObject -query “select * from Win32_battery” |
Ejemplos
|
1 2 3 4 5 6 7 8 9 |
Get-WmiObject win32_processor | Select-Object LoadPercentage Get-WmiObject -query "select NumberOfCores from Win32_Processor" Get-WmiObject -Class Win32_Processor | Select-Object NumberOfCores Get-WmiObject -query “select Name,Status from Win32_PnPEntity” Get-WmiObject -query “select * from Win32_PnPEntity” | Select-Object Name, Status Get-WmiObject -query "select * from Win32_PnPEntity where caption like '%cam%'" Get-WmiObject Win32_PnPEntity | where {$_.caption -match 'webcam'} gwmi Win32_USBControllerDevice |%{[wmi]($_.Dependent)} | Sort Manufacturer,Description,DeviceID | Ft -GroupBy Manufacturer Description,Service,DeviceID Get-WmiObject -Class win32_battery |
Gestión de archivos
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 |
#Crear o modificar un archivo New-Item #Crear un directorio New-Item #Ver el contenido de un archivo Get-Content #Acceder al contenido de un directorio Set-Location #Listar el contenido de un directorio Get-ChildItem #Eliminar un archivo Remove-Item #Eliminar un directorio Remove-Item #Copiar un archivo o un directorio Copy-Item #Mover un archivo o un directorio Move-Item #Renombrar un archivo o un directorio Rename-Item #Comprimir y descomprimir un archivo o un directorio Compress-Archive Expand-Archive #Imprimir Out-Printer #Ver carpetas compartidas Get-SmbShare Get-WmiObject -Class Win32_Share #Compartir carpeta New-SmbShare #Ver y asignar permisos Get-Acl Set-Acl New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule |
Ejemplos
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
#Comprimir Compress-Archive -LiteralPath C:\powershell\example.txt –CompressionLevel Optimal -DestinationPath C:\powershell\comprimido.zip #Actualizar un archivo comprimido Compress-Archive -LiteralPath C:\powershell\example2.txt -Update -DestinationPath C:\powershell\comprimido.zip #Descomprimir Expand-Archive -LiteralPath C:\powershell\comprimido.zip -DestinationPath C:\powershell\descomprimir #Crear y recurso compartido New-SmbShare -Name fso -Path F:\power #Crear y asignar permisos a un recurso compartido New-SmbShare -Name fso -Path F:\power –FullAccess administrador -ReadAccess Everyone #Ver permisos Get-Acl D:\power #Añadir permisos mediante reglas de acceso $permisos = Get-Acl -Path D:\power #Crear regla de acceso #System.Security.AccessControl.FileSystemAccessRule: Representa una abstracción de una entrada de control de acceso (ACE) que define una regla de acceso para un archivo o directorio $permisoadd = 'Todos', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $regla = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permisoadd $permisos.SetAccessRule($regla) #Añadir permisos a la carpeta $permisos | Set-Acl -Path $ruta |
Agregar/Eliminar software
|
1 2 3 4 |
Get-Package Get-WmiObject -Class Win32_Product Install-Package |
Ejemplos
|
1 2 3 4 5 6 7 8 9 10 11 12 |
#Ver el nombre de programas instalados (Get-Package).name (Get-WmiObject -Class Win32_Product).name #Número de programas instalados (Get-WmiObject -Class Win32_Product).count #Instalar un programa Install-Package filezilla #Ver en el Registro información sobre el software instalado Get-ChildItem hklm:\software\microsoft\windows\currentversion\uninstall | ForEach-Object {(Get-ItemProperty $_.pspath).DisplayName} |
Actualizar
|
1 |
Get-HotFix |
New features in Windows PowerShell Starting in Windows PowerShell 5.0, you can develop by using classes, by using formal syntax and semantics that are similar to other object-oriented programming languages. Class, Enum, and other keywords have been added to the Windows PowerShell language to support the new feature. For more information about working with classes,…
Read more
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
#Creating or deleting files for each user Set-Location F:\power\ #User and operation list in a file #Example: #Juan,create #Lucas,delete ForEach($user in Get-Content .\namesandoperation.txt) { if($user.Split(',')[1] -match 'create') { Write-Host 'Create file' $user=$user.Split(',')[0] #Creating file for each user #If the item you are trying to create already exists #Override the default behavior New-Item $user'.txt' -ItemType file -Force } if($user.Split(',')[1] -match 'delete') { Write-Host 'Delete file' $user=$user.Split(',')[0] #Deleting file for each user Remove-Item $user'.txt' } } |