• ago!)
• EUC focus since 1995
• PowerShell since 2014 (C, C++, C# previously as well as vbs, cmd, kix, *nix shell)
• Mostly write PowerShell for software vendors like ControlUp, Parallels, Flexxible & more
• Microsoft MVP in PowerShell category (5 years)
• Available services: code reviews, performance improvements, training, stand-up comedy
• @guyrleech
Searching
• Set history to OneDrive or similar (in $profile)
• Leave searchable breadcrumbs, e.g. a trailing comment such as # findme
• Ctrl+R (search history), Ctrl+Space (tab completion on (legal) steroids)
• Get-Help (with -ShowWindow or -Online)
• Get-Command & Get-Module
• Start commands with (
• [Console]::Title = 'Purpose of window to help quick finding'
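The history and window-title tips above, as an added $profile example (not from the original talk). It assumes a OneDrive folder in $env:OneDrive (falling back to the user profile), that PSReadLine is loaded, and it introduces two hypothetical helper names, Find-History and Set-WindowPurpose, that are not part of the talk:

```powershell
# Added example for $profile: keep PSReadLine history in a synced folder so it
# survives rebuilds and is searchable from every machine, and title the console
# so the right window is easy to find. Assumes $env:OneDrive (or falls back to
# the user profile) and that PSReadLine is loaded.

# Constructed path; change to taste
$historyRoot = if ($env:OneDrive) { $env:OneDrive } else { $env:USERPROFILE }
$historyFile = Join-Path $historyRoot 'PowerShell\ConsoleHost_history.txt'
New-Item -ItemType Directory -Path (Split-Path $historyFile) -Force | Out-Null

Set-PSReadLineOption -HistorySavePath $historyFile `
                     -HistorySaveStyle SaveIncrementally `
                     -MaximumHistoryCount 10000 `
                     -HistorySearchCursorMovesToEnd

# Ctrl+R searches history backwards, Ctrl+Space opens the completion menu.
# Both are PSReadLine defaults in Windows edit mode; set explicitly so every
# machine behaves the same.
Set-PSReadLineKeyHandler -Chord 'Ctrl+r'        -Function ReverseSearchHistory
Set-PSReadLineKeyHandler -Chord 'Ctrl+Spacebar' -Function MenuComplete

# Hypothetical helper: grep the saved history file for a breadcrumb such as
# "# findme" (the comment is saved with the command it was attached to).
function Find-History {
    param([Parameter(Mandatory)][string] $Pattern)
    Select-String -Path (Get-PSReadLineOption).HistorySavePath -Pattern $Pattern -SimpleMatch |
        Select-Object LineNumber, Line
}

# Hypothetical helper: name the window by what it is for
function Set-WindowPurpose {
    param([Parameter(Mandatory)][string] $Purpose)
    [Console]::Title = $Purpose
}
```

Each machine that loads this profile appends to the same synced file, so a Ctrl+R or Find-History search finds commands typed anywhere.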
• Use (Get-)History (alias h)
• Measure-Command ok but swallows output
• Out-GridView (ogv) -PassThru (+ Ctrl+C), Export-Csv and Export-Clixml
• Jump box with all modules, SDKs, etc. (& use for scheduled tasks)
• Measure(-Object) (I'm too lazy/old to count things)
• Put # in front of command if realise need to do something first so return to it & uncomment
• AI but beware of the lies ("hallucinations")
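The Measure-Command caveat above, worked through as an added example (not from the original talk). Measure-Command discards whatever the script block emits; running the block under a Stopwatch keeps the output alongside the timing. The function name Measure-WithOutput is a hypothetical one introduced here:

```powershell
# Added example: time a command without losing its output. Measure-Command
# returns only a TimeSpan; this hypothetical helper returns the elapsed time,
# the object count and the objects themselves, so they can still be filtered,
# gridded or exported afterwards.
function Measure-WithOutput {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][scriptblock] $ScriptBlock
    )
    $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
    # Capture all pipeline output; errors still surface to the caller
    $output = & $ScriptBlock
    $stopwatch.Stop()
    [pscustomobject]@{
        Elapsed = $stopwatch.Elapsed
        Count   = @($output).Count
        Output  = $output
    }
}

# Usage: the result is still there to sort, grid or export
$timed = Measure-WithOutput { Get-Process | Sort-Object WorkingSet64 -Descending | Select-Object -First 5 }
'{0} objects in {1:N0} ms' -f $timed.Count, $timed.Elapsed.TotalMilliseconds
$timed.Output | Export-Csv -Path (Join-Path $env:TEMP 'top-processes.csv') -NoTypeInformation
```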
• whole word back/forward
• Ctrl+Home/End to delete to start/end of line
• Ctrl+Z/Y - undo (multiple)/redo
• Ctrl+arrow - jump words
• Number conversions: '{0:x}' -f 1234, 0x4d2, [convert]::ToString( 1234 , 2 )
• scb/gcb - pipe to/from clipboard
• (gcb).Length - how long is that string in the clipboard
• (Get-Date) - (gcim Win32_OperatingSystem).LastBootUpTime - what's the uptime?
• detail at a time from 1 log ??
• Explore event providers: Get-WinEvent -ListProvider *interesting*
• -FilterHashtable
• -ComputerName
• Script to bring all event logs together (was a one liner)
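Bringing several event logs together into one timeline, as an added example (not the talk's own script). -FilterHashtable takes arrays for LogName and Id, so one Get-WinEvent call covers all the logs, locally or via -ComputerName. Get-MergedEvents is a hypothetical function name; the default log list and one-hour window are constructed defaults:

```powershell
# Added example: pull the same time window from several logs, locally or
# remotely, and merge them into one timeline sorted by time.
function Get-MergedEvents {
    [CmdletBinding()]
    param(
        [string[]] $LogName = @('System', 'Application', 'Security'),
        [datetime] $StartTime = (Get-Date).AddHours(-1),
        [datetime] $EndTime = (Get-Date),
        [int[]] $Id,
        [int[]] $Level,                       # 1 Critical, 2 Error, 3 Warning, 4 Information
        [string] $ComputerName = $env:COMPUTERNAME,
        [int] $MaxEvents = 5000
    )
    $filter = @{ LogName = $LogName; StartTime = $StartTime; EndTime = $EndTime }
    if ($Id)    { $filter['Id']    = $Id }
    if ($Level) { $filter['Level'] = $Level }

    # The Security log needs admin rights; an unreadable or empty log is skipped
    # (-ErrorAction SilentlyContinue also hides the "No events were found" error)
    Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }   # first line keeps the grid readable
}

# Usage: critical, error and warning events across all three logs in the last hour
Get-MergedEvents -Level 1, 2, 3 |
    Out-GridView -Title "Events on $env:COMPUTERNAME (last hour)" -PassThru |
    Export-Csv -Path (Join-Path $env:TEMP 'selected-events.csv') -NoTypeInformation
```

Selecting rows in the grid and pressing OK (-PassThru) sends just those rows on to Export-Csv.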
• GPO
• Secpol.msc (Advanced Audit Policy Configuration -> Detailed Tracking)
• auditpol.exe (use GUIDs if non-English locale)
• P/Invoke AuditSetSystemPolicy
• Also cmd line auditing (potential security implications)
• Increase Security event log size/make persistent
• Event ids 4688 and 4689 in Security event log
• Can troubleshoot as far back as the Security event log goes
• Did something crash or exit prematurely (and if so what exit code)?
• What launched that cmd.exe (at logon)?
• Is something running a lot?
• Is something running from a strange location?
• Script to show processes, durations, parents, command lines or summary
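The process-auditing points above, as an added example (not the talk's own script). The first function turns on the Detailed Tracking subcategories by GUID (so it works in any locale), enables command-line capture and enlarges the Security log; the second pairs 4688 (start) and 4689 (stop) events into one row per process with parent, command line, exit code and duration. It assumes an elevated session and Windows 10 / Server 2016 or later, where 4688 carries ParentProcessName. Enable-ProcessAuditing and Get-ProcessAuditSummary are hypothetical names:

```powershell
# Added example. Subcategory GUIDs: 0CCE922B = Process Creation, 0CCE922C = Process Termination.
function Enable-ProcessAuditing {
    auditpol.exe /set '/subcategory:{0CCE922B-69AE-11D9-BED3-505054503030}' /success:enable /failure:enable
    auditpol.exe /set '/subcategory:{0CCE922C-69AE-11D9-BED3-505054503030}' /success:enable
    # Include the command line in 4688 (caveat: arguments may contain secrets, which then land in the log)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
    # 1 GB Security log, overwrite as needed, so history reaches further back
    wevtutil.exe sl Security /ms:1073741824 /rt:false
}

function Get-ProcessAuditSummary {
    [CmdletBinding()]
    param(
        [datetime] $StartTime = (Get-Date).AddHours(-24),
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # Read EventData fields by name rather than by Properties[] index, which differs between OS builds
    function Read-EventData([System.Diagnostics.Eventing.Reader.EventRecord] $Event) {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $data
    }

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4688, 4689; StartTime = $StartTime } |
        Sort-Object TimeCreated        # oldest first, so each start is seen before its stop

    $rows    = [System.Collections.Generic.List[object]]::new()
    $running = @{}                    # PID -> pending start row; PIDs are reused, so the stop must also match on image name
    foreach ($event in $events) {
        $d = Read-EventData $event
        if ($event.Id -eq 4688) {
            $procId = [int64]$d['NewProcessId']          # hex string such as 0x1a4c
            $row = [pscustomobject]@{
                Start       = $event.TimeCreated
                End         = $null
                Duration    = $null
                ExitCode    = $null
                User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                ProcessId   = $procId
                Process     = $d['NewProcessName']
                CommandLine = $d['CommandLine']          # empty unless command-line auditing is on
                ParentId    = [int64]$d['ProcessId']     # creator PID
                Parent      = $d['ParentProcessName']
            }
            $running[$procId] = $row
            $rows.Add($row)
        }
        elseif ($event.Id -eq 4689) {
            $procId = [int64]$d['ProcessId']
            $row = $running[$procId]
            if ($row -and $row.Process -eq $d['ProcessName']) {
                $row.End      = $event.TimeCreated
                $row.Duration = $event.TimeCreated - $row.Start
                $row.ExitCode = [int64]$d['Status']      # 0 = normal; e.g. 0xC000013A = terminated by Ctrl+C
                $running.Remove($procId)
            }
        }
    }
    $rows                              # rows with End = $null were still running (or stopped outside the window)
}

# Usage: the questions from the slide
$summary = Get-ProcessAuditSummary -StartTime (Get-Date).AddHours(-8)
$summary | Group-Object Process | Sort-Object Count -Descending | Select-Object Count, Name -First 20   # running a lot?
$summary | Where-Object { $_.Process -notmatch '^C:\\(Windows|Program Files)' } |
    Select-Object Start, User, Process, Parent, CommandLine | Out-GridView -Title 'Unusual locations'  # strange location?
$summary | Where-Object { $_.Process -like '*\cmd.exe' } | Select-Object Start, User, Parent, ParentId, CommandLine  # what launched it?
$summary | Where-Object { $null -ne $_.ExitCode -and $_.ExitCode -ne 0 } | Select-Object Start, Process, ExitCode, Duration  # crashed / exited early?
```

Reading fields by name from ToXml() costs a little more than indexing Properties but survives the field additions Microsoft has made to 4688 over the years.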
• security woes
• Options: -ComputerName, -CimSession, PowerShell Remoting (but accessing UNCs generally won't work)
• WinRM: winrm /quickconfig, Enable-PSRemoting, GPO, SSH
• Local admin or in "Remote Management Users" group
• Enter-PSSession (gcm *pssession)
• History is on client device - use same local script folder on all machines
• performance classes by default)
• Tab completion of classes or list with Get-CimClass (avoid WMI calls)
• Great way to get computer details and export to CSV for reference/analysis
• Some classes have methods which can be called, e.g. Win32_UserProfile
• Filter in query, not afterwards if possible (speed, memory)
• Can take array of machines via -ComputerName
• Other namespaces, e.g. SCCM, Citrix: Get-CimInstance -Namespace Root -ClassName __Namespace
• Tab/Ctrl+Space completion so easy to explore
• Script to monitor WMI activity
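Remoting plus CIM, as one added example covering the two slides above (not the talk's own script): one CIM session per machine, reused across several queries, with the filtering done in the WQL query rather than by Where-Object, and the result exported to CSV for later analysis. It assumes WinRM is enabled on the targets and the caller is a local admin or in the Remote Management Users group there; Get-MachineInventory and the server names are hypothetical:

```powershell
# Added example: inventory several machines over reused CIM sessions.
function Get-MachineInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]] $ComputerName
    )
    # One session per machine; a machine that cannot be reached is reported, not fatal
    $sessions = New-CimSession -ComputerName $ComputerName -ErrorAction SilentlyContinue -ErrorVariable sessionErrors
    foreach ($err in $sessionErrors) { Write-Warning $err.Exception.Message }
    if (-not $sessions) { return }

    try {
        $os = Get-CimInstance -CimSession $sessions -ClassName Win32_OperatingSystem
        # Filter in the query: only fixed disks (DriveType 3) cross the wire
        $disks = Get-CimInstance -CimSession $sessions -ClassName Win32_LogicalDisk -Filter 'DriveType = 3'
        # Loaded, non-system profiles, again filtered at the provider rather than afterwards
        $profiles = Get-CimInstance -CimSession $sessions -ClassName Win32_UserProfile -Filter 'Loaded = TRUE AND Special = FALSE'

        foreach ($o in $os) {
            $name = $o.PSComputerName     # added by Get-CimInstance for session/remote queries
            $sysDisk = $disks | Where-Object { $_.PSComputerName -eq $name -and $_.DeviceID -eq $o.SystemDrive }
            [pscustomobject]@{
                Computer       = $name
                OS             = $o.Caption
                Build          = $o.BuildNumber
                LastBoot       = $o.LastBootUpTime
                UptimeHours    = [math]::Round(((Get-Date) - $o.LastBootUpTime).TotalHours, 1)
                FreeSystemGB   = if ($sysDisk) { [math]::Round($sysDisk.FreeSpace / 1GB, 1) } else { $null }
                LoadedProfiles = @($profiles | Where-Object { $_.PSComputerName -eq $name }).Count
            }
        }
    }
    finally {
        $sessions | Remove-CimSession
    }
}

# Usage (constructed names): keep a CSV for reference, grid it for a quick look
$inventory = Get-MachineInventory -ComputerName 'SERVER01', 'SERVER02'
$inventory | Export-Csv -Path (Join-Path $env:TEMP 'inventory.csv') -NoTypeInformation
$inventory | Sort-Object UptimeHours -Descending | Out-GridView -Title 'Inventory'
```

Three queries per machine run over a single session here; opening a fresh connection per cmdlet (plain -ComputerName) would cost a WinRM handshake each time.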
• or WMI/CIM
• Great for bulk/complex queries and changes
• Report to csv/html and email via scheduled task, e.g. expired/expiring accounts
• Do big lookups and cache (hashtable) rather than lots of individual requests
• Be careful! Use -WhatIf/-Confirm (SupportsShouldProcess/ConfirmImpact/ShouldProcess)
• Backup/test in non-production
• GroupPolicy module, e.g. what GPOs have changed in the last 7 days?
• Graph module for Entra ID
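The Active Directory and Group Policy points above, as an added example (not the talk's own script): one filtered query for accounts expiring in the next N days, with each manager resolved once through a hashtable cache; a change function that disables already-expired accounts only through ShouldProcess, so -WhatIf and -Confirm work; and a list of GPOs modified in the last 7 days. It assumes the ActiveDirectory and GroupPolicy RSAT modules and rights to read (and, if confirmed, write) the domain. The three function names are hypothetical:

```powershell
# Added example: bulk AD query with a lookup cache, a guarded change, and a GPO change report.
function Get-ExpiringAccountReport {
    [CmdletBinding()]
    param([int] $Days = 14)
    $now    = Get-Date
    $cutoff = $now.AddDays($Days)
    $managerCache = @{}       # manager DN -> display name; one lookup per manager, not per user

    # One server-side query instead of fetching every user and filtering locally
    Get-ADUser -Filter "Enabled -eq 'True' -and AccountExpirationDate -gt '$now' -and AccountExpirationDate -lt '$cutoff'" `
               -Properties AccountExpirationDate, Manager, Department |
        ForEach-Object {
            $mgr = $_.Manager
            if ($mgr -and -not $managerCache.ContainsKey($mgr)) {
                $managerCache[$mgr] = (Get-ADUser -Identity $mgr -Properties DisplayName).DisplayName
            }
            [pscustomobject]@{
                Name       = $_.Name
                Sam        = $_.SamAccountName
                Department = $_.Department
                Expires    = $_.AccountExpirationDate
                DaysLeft   = [int]($_.AccountExpirationDate - $now).TotalDays
                Manager    = if ($mgr) { $managerCache[$mgr] } else { '' }
            }
        }
}

function Disable-ExpiredAccount {
    # ConfirmImpact High means a plain call prompts under the default $ConfirmPreference;
    # -WhatIf lists what would change without touching anything.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    foreach ($user in Search-ADAccount -AccountExpired -UsersOnly) {
        if ($user.Enabled -and $PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable expired account')) {
            Disable-ADAccount -Identity $user.DistinguishedName
        }
    }
}

function Get-RecentlyChangedGpo {
    param([int] $Days = 7)
    Get-GPO -All |
        Where-Object { $_.ModificationTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object DisplayName, ModificationTime, Owner, GpoStatus |
        Sort-Object ModificationTime -Descending
}

# Usage: report to CSV (for a scheduled task to mail), dry-run the change, review recent GPO edits
Get-ExpiringAccountReport -Days 14 | Export-Csv -Path (Join-Path $env:TEMP 'expiring-accounts.csv') -NoTypeInformation
Disable-ExpiredAccount -WhatIf
Get-RecentlyChangedGpo -Days 7
```

Run the -WhatIf line in a non-production domain first; only when its output is what you expect does a plain call (which still prompts per account) make sense.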