Windows PowerShell is a powerful command-line shell and scripting language tool for automating tasks and simplifying configuration. It can be used to automate almost any task in the Windows ecosystem, including Active Directory and Microsoft Exchange.

PowerShell has become a popular tool among system administrators and experienced Windows users. PowerShell ISE (Integrated Scripting Environment) makes scripting with PowerShell even easier and more robust. Automation is very important for modern Windows security, so learning PowerShell is an essential skill.

In this lab, you will explore different options of using PowerShell.

Part 1: Introduction to PowerShell ISE

  1. Turn on the Windows VM.
  2. In the Start Menu, search for “Windows PowerShell ISE” and click on Run as administrator. Click Yes if prompted by User Account Control.
  3. You can see all the available commands in the Commands tab. Search for the Name “Get”. Notice the available commands for retrieving information.

    You can also use the Get-Command command to list all the available commands.

    (Screenshot: PowerShell ISE Commands tab)

Part 2: Windows Processes

  1. Use the Get-Process command to see a list of the running processes.
     Get-Process
    
  2. See all the properties of the lsass.exe process. LSASS is the Local Security Authority process.
     Get-Process -Name lsass | Format-List *
    
  3. Launch Paint. Then show its details.
     mspaint.exe
     Get-Process -Name mspaint | Format-List *
    
  4. Save the Paint process object in a new variable. This object could be used in a script.
     $PaintApp = Get-Process -Name mspaint
    
  5. Use the object variable to terminate Paint. You will notice that IntelliSense shows you the available method names for the variable in a dropdown.
     $PaintApp.Kill()
    
  6. Change directories to your user’s desktop folder.
     cd $HOME\Desktop
    
  7. Generate a comma-delimited list of the name, ID, and path properties of all running processes.
    Get-Process | Select-Object Name,Id,Path | Export-Csv -Path ProcessList.csv
    
  8. Use ISE itself to open the CSV. Notice the structure of the data.
    ise .\ProcessList.csv
    
  9. Close the ProcessList.csv tab.
  10. Display the same data in a graphical pop-up table.
    Get-Process | Select-Object Name,Id,Path | Out-GridView
    
  11. Close the pop-up.
  12. Use the Get-Service command to list all the background services.
    Get-Service
    

    Notice that the status could be Stopped, Running, or Paused.

  13. Generate an HTML file of the list of services.
    Get-Service | Select-Object DisplayName,Status | ConvertTo-Html | Out-File -FilePath ServiceList.html
    
  14. Open the new HTML file.
    .\ServiceList.html
    
  15. Close the browser.

Part 3: Windows Event Logs

  1. Use the Get-WinEvent command to see the names of all local Windows Event logs.
    Get-WinEvent -ListLog * | Select-Object LogName
    

    Notice the variety of log types.

  2. View the last 15 events from the System log.
    Get-WinEvent -LogName System -MaxEvents 15 | Select-Object TimeCreated,Id,Message
    
  3. Press the up arrow to return to the previous command, then edit it to save the output to a CSV. The ComputerName parameter can be used to query a remote computer; in this example we pretend to do so but actually query the local computer.
    Get-WinEvent -LogName System -MaxEvents 15 -ComputerName LocalHost | Select-Object TimeCreated,Id,Message | Export-Csv -Path EventLog.csv
    
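    The same Get-WinEvent, ComputerName and Export-Csv building blocks can be turned into a small defensive triage script. The following is an added example, not part of the original lab: it pulls failed-logon events (ID 4625) from the Security log, summarises them by account and source address, and writes the detail to a CSV on the desktop. It assumes an elevated session (the Security log needs administrator rights), that the name in $Computer is reachable, and that the helper variable names are of its own choosing.

```powershell
# Added example (not from the original lab). Assumes an elevated session;
# 'localhost' keeps the query local exactly as the lab step above does,
# while a remote hostname in $Computer would query that machine instead.
$Computer = 'localhost'
$Since    = (Get-Date).AddDays(-1)

# -FilterHashtable is evaluated by the event log service itself, so it is
# far faster than retrieving every event and piping it through Where-Object.
$failed = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625          # "An account failed to log on"
    StartTime = $Since
} -ErrorAction SilentlyContinue

if (-not $failed) {
    Write-Host "No failed logons in the Security log since $Since on $Computer."
    return
}

# Extract the fields of interest from each event's XML. A 4625 event always
# carries TargetUserName, IpAddress, LogonType and Status data elements.
$rows = foreach ($evt in $failed) {
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $evt.TimeCreated
        Account     = $data['TargetUserName']
        SourceIP    = $data['IpAddress']
        LogonType   = $data['LogonType']
        Status      = $data['Status']
    }
}

# Group by account and source so repeated failures from one origin, the usual
# sign of password guessing against this host, float to the top of the list.
$summary = $rows | Group-Object Account, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account';  e = { $_.Group[0].Account } },
        @{ n = 'SourceIP'; e = { $_.Group[0].SourceIP } }

$summary | Format-Table -AutoSize
$rows | Export-Csv -Path "$HOME\Desktop\FailedLogons.csv" -NoTypeInformation
```

    Replace Format-Table with Out-GridView, as in Part 2, to inspect the summary interactively.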

Part 4: Windows File System

  1. View the properties of the newly created file. Notice that one of the properties is CreationTime.
    dir .\ServiceList.html | Format-List *
    
  2. Sort the files in Desktop by the time they were created.
    dir | Sort-Object CreationTime | Select-Object CreationTime,FullName
    
  3. Close all windows. Turn off the Windows VM.
  4. Please write up a paragraph answering the following questions.
    1. What are five different ways that an administrator could use PowerShell to remotely manage and monitor their systems?

More Info