Windows PowerShell is a powerful command-line shell and scripting language tool for automating tasks and simplifying configuration. It can be used to automate almost any task in the Windows ecosystem, including Active Directory and Microsoft Exchange.

PowerShell has become a popular tool among system administrators and experienced Windows users. PowerShell ISE (Integrated Scripting Environment) makes scripting with PowerShell even easier and more robust. Automation is very important for modern Windows security, so learning PowerShell is an essential skill.

In this lab, you will explore different options of using PowerShell.

Part 1: Introduction to PowerShell ISE

1. Turn on the Windows VM.
2. In the Start Menu, search for “Windows PowerShell ISE” and click on Run as administrator. Click Yes if prompted by User Account Control.

3. You can see all the available commands in the Commands tab. Search for the Name “Get”. Notice the available commands for retrieving information.

   You can also use the Get-Command command to list all the available commands.

Part 2: Windows Processes

4. Use the Get-Process command to see a list of the running processes.

    Get-Process
   

5. See all the properties of the lsass.exe process. LSASS is the Local Security Authority process.

    Get-Process -Name lsass | Format-List *
   

6. Launch Paint. Then show its details.

    mspaint.exe
    Get-Process -Name mspaint | Format-List *
   

7. Save the Paint process object in a new variable. This object could be used in a script.

    $PaintApp = Get-Process -Name mspaint
   

8. Use the object variable to terminate Paint. You will notice that IntelliSense shows you the available method names for the variable in a dropdown.

    $PaintApp.Kill()
   

9. Change directories to your user’s desktop folder.

    cd $HOME\Desktop
   

10. Generate a comma-delimited list of the name, ID, and path properties of all running processes.

    Get-Process | Select-Object Name,Id,Path | Export-Csv -Path ProcessList.csv
    

11. Use ISE itself to open the CSV. Notice the structure of the data.

    ise .\ProcessList.csv
    

12. Close the ProcessList.csv tab.
13. Display the same data in a graphical pop-up table.

    Get-Process | Select-Object Name,Id,Path | Out-GridView
    

14. Close the pop-up.
15. Use the Get-Service command to list all the background services.

    Get-Service
    

    Notice that the status could be Stopped, Running, or Paused.

16. Generate an HTML file of the list of services.

    Get-Service | Select-Object DisplayName,Status | ConvertTo-Html | Out-File -FilePath ServiceList.html
    

17. Open the new HTML file.

    .\ServiceList.html
    

18. Close the browser.

Part 3: Windows Event Logs

18. Use the Get-WinEvent command to see the names of all local Windows Event logs.

    Get-WinEvent -ListLog * | Select-Object LogName
    

    Notice the variety of log types.

19. View the last 15 events from the System log.

    Get-WinEvent -LogName System -MaxEvents 15 | Select-Object TimeCreated,Id,Message
    

20. Press the up arrow to return to the previous command, but edit it to save the output to a CSV. The ComputerName option could be used to query a remote computer. In this example, we wll pretend to do so but, instead we query the local computer.

    Get-WinEvent -LogName System -MaxEvents 15 -ComputerName LocalHost | Select-Object TimeCreated,Id,Message | Export-Csv -Path EventLog.csv
    

Part 4: Windows File System

21. View the properties of the newly-created file. Notice one property is the CreationTime.

    dir .\ServiceList.html | Format-List *
    

22. Sort the files in Desktop by the time they were created.

    dir | Sort-Object CreationTime | Select-Object CreationTime,FullName
    

23. Close all windows. Turn off the Windows VM.
24. Please write up a paragraph answering the following questions.
    1. What are five different ways that an administrator could use PowerShell to remotely manage and monitor their systems?

More Info