Advanced Windows PowerShell Scripting Video Training

Advanced Windows PowerShell Scripting Video Training
Advanced Windows PowerShell Scripting Video Training

Friday, February 2, 2018

Overwriting a PowerShell Constant

I have always said that one of the greatest benefit to teaching PowerShell (and Windows) is that different people bring different ideas to the table.  Things get fun for me when someone looks at what we are doing from a different angle and asked an interesting question.

This week’s class in Fort Wayne produced one of those questions.  We were looking at some of the options that are available to use with creating variables with the New-Variable cmdlet.  In particular, we were looking at constants.  Let’s build one.

PS C:\> New-Variable -Name Test1 -Value ([Bool]$True) -Option Constant

Now let’s take a look at the variable object.
Name        : Test1
Description :
Value       : True
Visibility  : Public
Module      :
ModuleName  :
Options     : Constant
Attributes  : {}

We can see from the Options property that we have created a constant.  We are going to attempt to change that value of this constant to FALSE.

PS C:\> Set-Variable -Name Test1 -Value $false
Set-Variable : Cannot overwrite variable Test1 because it is read-only or constant.
At line:1 char:1
+ Set-Variable -Name Test1 -Value $false
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (Test1:String) [Set-Variable], SessionStateU
    + FullyQualifiedErrorId : VariableNotWritable,Microsoft.PowerShell.Commands.SetVar

This is what we expected.  By definition, a constant cannot be changed.  We also attempted to change it with the –Force parameter.

PS C:\> Set-Variable -Name Test1 -Value $false -Force
Set-Variable : Cannot overwrite variable Test1 because it is read-only or constant.
At line:1 char:1
+ Set-Variable -Name Test1 -Value $false -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (Test1:String) [Set-Variable], SessionStateU
    + FullyQualifiedErrorId : VariableNotWritable,Microsoft.PowerShell.Commands.SetVar

Again, the expected results.  Well, this is where that question comes into play.  What if you re-cast the variable?  OK, let’s give this a try.

PS C:\> [Bool]$Test1 = $False

PS C:\> $Test1

Wait… What?  You cannot even get rid of a constant with Remove-Variable but here we changed it.  OK, did we really change the value or did it delete the variable and then recreate it?  Here is another test.

PS C:\> Set-Variable -Name Test3 -Value ([Bool]$True) -Option Constant -Description "This is a test"

Here we included a description which you can see in the variable objects properties.

Name        : Test3
Description : This is a test
Value       : True
Visibility  : Public
Module      :
ModuleName  :
Options     : Constant
Attributes  : {}

We are going to change this variable using the same successful method from above.

PS C:\> [Bool]$Test3 = $False

PS C:\> $Test3

And now let’s look at the properties to see if the description is still there.
PS C:\> Get-Variable -Name Test3 | Select-Object -Property *

PSPath        : Microsoft.PowerShell.Core\Variable::Test3
PSDrive       : Variable
PSProvider    : Microsoft.PowerShell.Core\Variable
PSIsContainer : False
Name          : Test3
Description   : This is a test
Value         : False
Visibility    : Public
Module        :
ModuleName    :
Options       : Constant
Attributes    : {System.Management.Automation.ArgumentTypeConverterAttribute}

The description is still there.  So, I guess there is a way to change the value of a constant without restarting PowerShell

Wednesday, January 31, 2018

What are Positional Parameters?

Often while teaching PowerShell, we get into a discussion about how someone, usually me, types this:

Get-Help Get-Date

Instead of

Get-Help –Name Get-Date

PowerShell parameters utilize positioning.  Good authors of cmdlets will determine which parameter will be the most frequently used and put that parameter in the first position.  That means if the user types a cmdlet, they can immediately provide the data for that parameter without calling the parameter name.  Take a look at the –Name parameter of Get-Help
    Gets help about the specified command or concept. Enter the name of a cmdlet, function, provider,
    script, or workflow, such as `Get-Member`, a conceptual topic name, such as `about_Objects`, or an
    alias, such as `ls`. Wildcard characters are permitted in cmdlet and provider names, but you
    cannot use wildcard characters to find the names of function help and script help topics.
    To get help for a script that is not located in a path that is listed in the Path environment
    variable, type the path and file name of the script.
    If you enter the exact name of a help topic, Get-Help displays the topic contents. If you enter a
    word or word pattern that appears in several help topic titles, Get-Help displays a list of the
    matching titles. If you enter a word that does not match any help topic titles, Get-Help displays
    a list of topics that include that word in their contents.
    The names of conceptual topics, such as `about_Objects`, must be entered in English, even in
    non-English versions of Windows PowerShell.
    Required?                    false
    Position?                    0
    Default value                None
    Accept pipeline input?       True (ByPropertyName)
    Accept wildcard characters?  false

Two things to take note of.  First of all, the type of data that this parameter accepts is [String].  The second is the value of Position which is zero.  That means if the user types the cmdlet Get-Help and then a value of the type string, that value will be the argument for the –Name parameter. 

I often stress the need for full command syntax in scripts so everyone knows what parameters you are using but I am also guilty of using positional parameters for my more common cmdlets like Get-Help and Where-Object.  Here is some code to help you see the parameter in the first position and what type of data it expects.  Just be forwarded, it will load all of your modules into memory.
$Commands = Get-Command

ForEach ($CMD in $Commands) {
    $Obj = [PSCustomObject]@{
        'Cmdlet' = $CMD.Name
        'PositionOne' = (($CMD | Get-Help).parameters.parameter | where position -eq 0).Name
        'Type' = (($CMD | Get-Help).parameters.parameter| where position -eq 0).Type.Name

    Write-OutPut $Obj

Monday, January 29, 2018

How to start a PowerShell Script from a Batch File

How to start a PowerShell Script from a Batch File

In last week’s PowerShell class in Phoenix, we had a last minute question.  It involved trying to simplify the launching of a PowerShell script for users.  Having end users working with PowerShell has long been a cumbersome task.  End users like a GUI.  We can put a GUI interface on top of our code, but it is difficult to do manually or you need a third party solution.  When you build a GUI, it also takes an additional skill set that most IT Pros do not have.

We decided to go with a batch file.  Yes, I know.  Old tech but we will give it new life.  Here is our test code for this project. We saved this file as c:\ps\Test1.ps1.

Write-Host "I work!!!" -BackgroundColor DarkMagenta

Yes, I know.  Not exactly exciting.  The purpose of this is to get it to launch with a batch file.

We looked at the PowerShell.exe Command-Line Help ( to see how to launch PowerShell with a script from the command line at the same time.  We came up with:

PowerShell.exe –File C:\PS\Test1.ps1

We saved this command line into a batch file in the same directory as the script and was able to launch it from a desktop shortcut icon.  Right now, this is a viable option.

What about using parameters?  This is a bit more difficult.  The original objective was to do it from a DOS command prompt, but when we add parameters, the process is just as complex as doing it PowerShell if not more.  Here is our new code.

Param ($ComputerName)
Write-Host "I work!!!" -BackgroundColor DarkMagenta
Write-Host $ComputerName

Again, I know.  Real advanced.  This is what our batch file looks like now:

PowerShell.exe –File C:\PS\Test1.ps1 –ComputerName INDY-DC1
The original goal was to simplify this so the user did not have to type in PowerShell.  At this point, I would actually have the user use PowerShell and turn this script into a cmdlet in an auto-loading module.  To do this new process via batch file, here are the steps:
1.       Open Notepad
2.       Open the batch file in notepad
3.       Manually enter the computer name.
4.       Save the file
5.       Double click the desk shortcut to the batch file.

If this was a cmdlet in an auto-loading module, here is the process:
1.       Open PowerShell
2.       Type CmdletName –ComputerName INDY-DC1
That is it!

Monday, January 22, 2018

How to tell PowerShell which version of .NET to Use

Here is one from this week’s PowerShell class. We just finished a lesson on methods and I passed on “The first rule of Computer Science” to my class that one of my professions, Dan Matthews, passed on to me.  It simply states “Never re-invent the wheel”.  With that, we started to talk about the value of methods.  The question popped us as to which version of .Net is PowerShell using and how to select a different version?  Well, here is how to determine the current installed versions of .Net:

 PS C:\> Get-Childitem "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP"

    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP

Name                           Property                                                                                                                            
----                           --------                                                                                                                            
v2.0.50727                     CBS       : 1                                                                                                                       
                               Increment : 4927                                                                                                                     
                               Install   : 1                                                                                                                        
                               OCM       : 1                                                                                                                       
                               SP        : 2                                                                                                                        
                               Version   : 2.0.50727.4927                                                                                                           
v3.0                           CBS       : 1                                                                                                                       
                               Increment : 4926                                                                                                                     
                               Install   : 1                                                                                                                       
                               SP        : 2                                                                                                                       
                               Version   : 3.0.30729.4926                                                                                                           
v3.5                           CBS         : 1                                                                                                                     
                               Install     : 1                                                                                                                     
                               InstallPath : C:\Windows\Microsoft.NET\Framework64\v3.5\                                                                             
                               SP          : 1                                                                                                                     
                               Version     : 3.5.30729.4926                                                                                                        
v4.0                           (default) : deprecated                                                                                                              

As for how to select a different version, I am going to default over to an article on Kris Powell’s blog.  You can view it here

Remember the 1st rule of computer science.  He answered it, let’s not repeat his work and give him the proper credit.

Wednesday, January 17, 2018

Disabling the Copy Functionality in a Windows Form

I’m currently in the middle of writing version 2 of my Security+ learning engine.  Some of you from last weeks Security+ class know that I have been developing a tool using SAPIEN PowerShell Studio to help you with the massive amount of terminology that you need to know for the Sec+ exam.  You also remember that I was putting in some safe guards to help protect the application from piracy.  I’m going to share one of those safeguards.  Here is a current view of version 2 of the product.

What I want to do is to disable the ability to copy the questions and answers to the clipboard.  Here is how you do it.  In the Designer view, click on the object that you want to protect.  In this case, I am clicking the text box that contains the questions.  In the Properties dialog, set the value for ShortcutsEnabled to False.  This turns off the right clicking capability of the object.

While talking about Active Directory Rights Management in the past, I’ve been hit hard that I cannot stop someone for taking out their cell phone and taking a picture.  Yes, you are right, I cannot stop a determined attacker, but I can make it more difficult.

Wednesday, January 10, 2018

Getting Hacked in Security+

This week we had a little surprise when we were working on the auditing component of our Security+ class here in North Carolina.  The labs this week are built in Azure and I gave each one a public IP address.  On Wednesday afternoon with the VMs online since Monday, we took a look at the failure login attempts.  We got a big surprise with over 11,000 bad logon attempts. 

We then started the second set of VMs fresh.  It took about 10 minutes until we started to see the attempts to access those VMs.  If this does not tell you we operate in a hostile environment, nothing will.  Here is the PowerShell code that we used and the results on the systems online for 10 minutes.

Get-EventLog -LogName Security -InstanceId 4625 |
    Select-Object -Property TimeGenerated,
    @{N="AccountName";E={$_.Message.Split("`n")[12].Replace("Account Name:",$Null).Trim()}},
    @{N="Domain";E={$_.Message.Split("`n")[13].Replace("Account Domain:",$Null).Trim()}},
    @{N="Source";E={$_.Message.Split("`n")[26].Replace("Source Network Address:   ",$Null).Trim()}} 

TimeGenerated        AccountName   Domain Source       
-------------        -----------   ------ ------       
1/10/2018 6:23:36 PM administrator adatum
1/10/2018 6:20:09 PM Administrator Adatum -            
1/10/2018 6:20:09 PM Administrator Adatum -            
1/10/2018 6:13:07 PM ADMINISTRATOR
1/10/2018 6:12:52 PM ADMINISTRATOR
1/10/2018 6:08:53 PM -             -      -            
1/10/2018 6:08:53 PM -             -      -            
1/10/2018 6:05:54 PM Administrator Adatum -            
1/10/2018 6:05:54 PM Administrator Adatum -            
1/10/2018 2:37:23 PM Administrator Adatum -            
1/10/2018 2:37:23 PM Administrator Adatum -  

Let’s find out how many bad logon attempts there were.

Get-EventLog -LogName Security -InstanceId 4625 |
    Select-Object -Property TimeGenerated,
    @{N="AccountName";E={$_.Message.Split("`n")[12].Replace("Account Name:",$Null).Trim()}},
    @{N="Domain";E={$_.Message.Split("`n")[13].Replace("Account Domain:",$Null).Trim()}},
    @{N="Source";E={$_.Message.Split("`n")[26].Replace("Source Network Address:   ",$Null).Trim()}} |

Count    : 13486
Average  :
Sum      :
Maximum  :
Minimum  :
Property : 

Here is the code to provide a list of all attempted user names.

Get-EventLog -LogName Security -InstanceId 4625 |
    Select-Object -Property TimeGenerated,
    @{N="AccountName";E={$_.Message.Split("`n")[12].Replace("Account Name:",$Null).Trim()}},
    @{N="Domain";E={$_.Message.Split("`n")[13].Replace("Account Domain:",$Null).Trim()}},
    @{N="Source";E={$_.Message.Split("`n")[26].Replace("Source Network Address:   ",$Null).Trim()}} |
    Select-object -Property AccountName -Unique |
    Sort-Object -Property AccountName

There was 2137 as of the writing of this article.