The 185 commands below are a random list of PowerShell one-liners I've taken note of over the years. Some of these commands are approaching 10 years old, so while all of them probably still work there are most likely better ways of achieving the same outcome with current versions of PowerShell and the underlying Operating System.
Each command-line can be copied and pasted at a PowerShell command prompt, or you can use the commands as part of a PS1 script file if you prefer.
Split a string on spaces, removing empty entries
$line.Split(" ", [System.StringSplitOptions]::RemoveEmptyEntries)
Measure how long a command takes to execute
measure-command -expression {}
List the processes running on a remote machine
$process = [System.Diagnostics.Process]; $process::GetProcesses($server)
Get a process by ID running on a remote machine
$process = [System.Diagnostics.Process]; $proc = $process::GetProcessById(5716,$server)
Set the priority of a process to above normal
$proc.set_PriorityClass([System.Diagnostics.ProcessPriorityClass]::AboveNormal)
Create a new profile with the default profile variable
new-item -type file -force $profile
Create an empty object with the specified properties
$test = "" | Select-Object Name,Speed
Convert a SID to NT account name
$trustee = new-object System.Security.Principal.SecurityIdentifier("S-1-5-21-1234530602-3734247491-3823728601-63426"); $trustee.Translate([System.Security.Principal.NTAccount])
Delete the master account SID attribute from an AD object
$user = [ADSI]$ADsPath ; $user.putex(1,"msExchMasterAccountSid",$null)
Set the execution policy to allow local scripts to run unsigned
Set-ExecutionPolicy RemoteSigned
Set process affinity
$calcSet = Get-Process -ProcessName "calc" ; foreach ($calc in $calcSet) {$calc.ProcessorAffinity=0x1}
List the values of an enumeration
[enum]::GetValues([VMware.VimAutomation.Types.NamingScheme])
Use the WinNT provider to check administrative membership for a remote computer
$adminGroup = [ADSI]("WinNT://" + $computerName + "/Administrators,group"); $members = $adminGroup.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)} | sort-object
Export the key/value pairs of a hash table to csv
$test.GetEnumerator() | export-csv -path c:\temp\hashtable.csv
Return the date format using the get-date cmdlet
Get-Date -format "dd/MM/yyyy HH:mm:ss"
Create an associative array / hash table
$test = @{a=1; b=2}
Sort a hashtable associative array by name or value
$results = @{a=1; b=2;c=0}; $results.GetEnumerator() | sort-object -property Name
Sleep or pause for 10 seconds
Start-Sleep -seconds 10
Find the last win32 exit code (errorlevel)
$lastexitcode
Find the name of the currently running script
$MyInvocation.MyCommand.path
Convert a string into datetime type using the current culture
$test = "17/03/2010 10:00:00 AM"; [datetime]::Parse($test, [System.Threading.Thread]::CurrentThread.CurrentCulture)
Run an infinite loop
for (;;) {write-output "loop"}
Process a list of files, extracting the first group of a repeating set of data
$files = get-item -path .\*; foreach ($file in $files) {$sandata = get-content -path $file; $count=0; foreach ($line in $sandata) {$csv = $line.split(","); if ($csv[0] -like '*textfilter*') {$count+=1}; if ($count -le 1) {if ($csv[0] -notlike '*Object*') {$line | out-file -file c:\temp\DailySANExport.csv -encoding ascii -append}}}}
Query Citrix XenApp server session information
Get-Wmiobject -namespace root\Citrix -class MetaFrame_Session -computer server01 | format-table -wrap -autosize
Query Citrix XenApp server load information
Get-Wmiobject -namespace root\Citrix -class MetaFrame_Server_LoadLevel -computer server01,server02,server03| format-table -wrap -autosize -prop ServerName,LoadLevel
Find the size of a folder and contents (including subdirectories)
Get-ChildItem $dirPath -recurse | Measure-Object -property length -sum
Round a number down
[math]::floor(100.9)
Find the last bootup time of a Windows OS
$lastBootTime = Get-WmiObject win32_operatingsystem -computer server01 -prop LastBootUpTime
Find the uptime of a machine from WMI, converted from CIM datetime to timespan
$computer = 'server01'; $lastBootTime = Get-WmiObject win32_operatingsystem -computer $computer -prop LastBootUpTime; $wbemDateTime = New-Object -ComObject WbemScripting.SWbemDateTime; $wbemDateTime.value = $lastboottime.LastBootUpTime; $lastBoot = $wbemDateTime.GetVarDate(); $now = Get-Date; $uptime = $now - $lastBoot; $uptime
Select a calculated property using a friendly name
Get-WmiObject -class win32_process | Select-Object -prop Name, @{Name="Owner";Expression ={($_.getowner().domain + "\" + $_.getowner().user)}} | format-table -wrap -autosize
List Processes and their owner
Get-WmiObject -class win32_process | Select-Object -prop Name, @{Name="Owner";Expression ={($_.getowner().domain + "\" + $_.getowner().user)}} | format-table -wrap -autosize
Create a PSObject to store name/value note pairs
$output = new-object PSObject; add-member -membertype NoteProperty -inputObject $output -name "Test" -value "value"
Start a command shell with elevated (UAC) privileges
$psi = new-object System.Diagnostics.ProcessStartInfo "cmd.exe"; $psi.Verb = "runas"; [System.Diagnostics.Process]::Start($psi)
Mail-enable an AD contact in an Exchange 2007 environment
get-mailcontact "CN=user1,DC=domain,DC=local" | set-mailcontact
Query the amount of free space available for 2008 R2 disk shrinking
diskpart shrink querymax
Find the local PowerShell version
$PSVersionTable
Read a file, sort it and then return only unique entries
gc $filename | sort | get-unique > $newfileName
Find unique strings filtered from an input file
find /i '"driverName"' PrinterDrivers_20110708.txt | sort | get-unique > c:\temp\PrinterDrivers.txt
Create a security identifier for a well-known security principal
$self = new-object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::SelfSid, $null)
Convert the Exchange 2007 string into readable format (EXCHANGE12ROCKS)
$out = ""; foreach ($char in ([char[]]"FYDIBOHF23SPDLT")) {$out += ([char]([int]$char-1))}; $out
WMI query filtering on whether a property is or is not NULL
Get-Wmiobject -namespace root\MicrosoftExchangeV2 -computer "server01" -Query "SELECT MailboxDisplayName,TotalItems,Size from Exchange_Mailbox WHERE MailboxDisplayName='Cartelier, Robbie' AND DateDiscoveredAbsentInDS is null"
Query disk information from a remote server using WMI
$disks = Get-WmiObject -Namespace root\cimv2 -ComputerName server01 -Query "SELECT * from Win32_LogicalDisk WHERE FileSystem='NTFS'"
Find services filtered by string that are running and stop them
get-service | where {$_.displayName -like '*time*' -and $_.status -eq 'Running'} | stop-service -force
Find and delete a local profile from a remote computer
$user = "domain\account"; $computer = "server01"; $trustee = new-object System.Security.Principal.NTAccount($user); $sid = $trustee.Translate([System.Security.Principal.SecurityIdentifier]).value; $userProfile = get-wmiobject -computer $computer -Query "SELECT * from Win32_UserProfile Where SID = '$sid'"; $userProfile.delete() # $userProfile, not $profile, so the automatic $profile variable is left alone
Create an array with a single member
$SingleArray = ,1
Store the results of an expression in an array
$test = @(get-service )
Find disk drive statistics from a number of remote computers
$servers = get-content -path servers.txt; $diskStats = $null; foreach ($server in $servers) { $diskStats += Get-Wmiobject -namespace root\cimv2 -computer $server -Query "SELECT SystemName,Name,Size,FreeSpace,VolumeName FROM Win32_LogicalDisk WHERE Size > 0 AND FileSystem='NTFS'" -ErrorAction SilentlyContinue}; $diskstats | select-object SystemName,Name,Size,FreeSpace,@{N="Used";E={$_.Size-$_.FreeSpace}},VolumeName,@{N="SizeGB";E={[math]::round($_.Size/1024/1024/1024)}},@{N="FreeGB";E={[math]::round($_.FreeSpace/1024/1024/1024)}},@{N="UsedGB";E={[math]::round(($_.Size-$_.FreeSpace)/1024/1024/1024)}} | sort -prop SystemName,Name | export-csv -path servers_diskstats.csv
Find USB devices attached to a number of remote computers
$servers = get-content -path servers.txt; foreach ($server in $servers) {[System.Object[]]$USBDevices += Get-Wmiobject -namespace root\cimv2 -computer $server -Query "SELECT * FROM Win32_DiskDrive WHERE InterfaceType = 'USB'" -ErrorAction SilentlyContinue}; $USBDevices| select __server, Caption, @{N="Size (GB)";E={[math]::round($_.Size/1000/1000/1000)}} | ft -wrap -autosize
Use the split operator to split on multiple characters
$user.proxyAddresses -split ";;"
Find the CA eTrust signature version from the agent.xml file
$ver = select-xml -path c:\temp\agent.xml -xpath '//thisProduct[@Name="eTrust Integrated Threat Manager"]/*/*[@Name="Anti-Malware Signatures"]'; $ver.node.version
Test a host connection with ping
if (test-connection -computer "server01" -count 1 -quiet) {write-host "test"}
Read and process an XML file on a list of servers, returning some attributes
$servers = get-content -path servers.txt; foreach ($server in $servers) { if (test-connection -computer $server -count 1 -quiet) { $path = '\\' + $server + '\c$\Program Files\CA\SharedComponents\Agent\Agent.xml'; if (test-path -path $path) { $ver = select-xml -path $path -xpath '//thisProduct[@Name="eTrust Integrated Threat Manager"]/*/*[@Name="Anti-Malware Signatures"]'; if ($ver) {write-output ($server + "," + $ver.node.version.major + '.' + $ver.node.version.minor + '.' + $ver.node.version.build + '.' + $ver.node.version.revision + "," + $ver.node.LastUpdateTime)} } else { Write-Output ($server + "," + "agent.xml not found") } }}
Find the uptime from one or more remote machines
$servers = get-content -path servers.txt; foreach ($computer in $servers) { if (test-connection -computer $computer -count 1 -quiet) { $lastBootTime = Get-WmiObject win32_operatingsystem -computer $computer -prop LastBootUpTime; $wbemDateTime = New-Object -ComObject WbemScripting.SWbemDateTime; $wbemDateTime.value = $lastboottime.LastBootUpTime; $lastBoot = $wbemDateTime.GetVarDate(); $now = Get-Date; $uptime = $now - $lastBoot; Write-Host ($computer + "," + $uptime.days + "," + $lastBoot.ToString("dd/MM/yyyy")); } }
Set the window title of a PowerShell window
$host.UI.rawui.windowtitle = "test"
Kill a remote process with WMI
([WMI]"\\server01\root\cimv2:Win32_Process.Handle='2564'").Terminate()
Convert a SWBEM datetime yyyymmhhdd time to standard datetime
$datetime = [System.Management.ManagementDateTimeConverter]::ToDateTime($installDate)
Find DNS scavenging events from a 2008 R2 server
$DNS = Get-Wmiobject -namespace root\cimv2 -computer "server01" -Query "SELECT * FROM Win32_NTLogEvent WHERE SourceName='Microsoft-Windows-DNS-Server-Service' AND LogFile='DNS Server' AND EventCode=2501" -ErrorAction SilentlyContinue; Write-Host "Time Generated,Visited Zones,Visited Nodes,Scavenged Nodes,Scavenged Records,Elapsed Seconds,Run again in hours" ; foreach ($scavenge in $dns) {write-output ([System.Management.ManagementDateTimeConverter]::ToDateTime($scavenge.timeGenerated).tostring() + "," + [string]::join(",",$scavenge.insertionstrings))}
Check whether the windows Search Service file services role is installed
wmic /node:server01 path Win32_ServerFeature where "ID=107"
Query remote event logs for DFS initial sync replication log entries
get-eventlog -logname 'DFS Replication' -computer server01 -after "15/01/2012 8:00:00" | where {$_.eventID -eq 4104}
Query local network connections (netstat)
[net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections()
Find when a number of machines had their NIC disconnected
$vms = get-content -path servers.txt; $events = foreach ($server in $vms) {get-eventlog -logname 'System' -computer $server -after "31/01/2012 17:00:00" | where {$_.eventID -eq 4201 -or $_.eventID -eq 4202}}; $events | select MachineName,EventID,TimeGenerated,Source,{$_.ReplacementStrings} | export-csv -path c:\temp\VM_NetworkDisconnectedEvents.csv
Enumerate arrays and output their contents to CSV
$events | select MachineName,EventID,TimeGenerated,Source,{$_.ReplacementStrings} | export-csv -path c:\temp\VM_NetworkDisconnectedEvents.csv
Search through text logs looking for a string
select-string -pattern a.user@test.com -path .\ExchangeLogs\*.* -SimpleMatch
Compare two sets of objects to identify differences
compare-object -referenceobject $processes_before -differenceobject $processes_after
Find the default domain password policy
Get-ADDefaultDomainPasswordPolicy
Find the available PowerShell modules
get-module -listAvailable
Find the PowerShell modules that are installed in the current session
get-module
Find the commands available in a specific PowerShell module
get-command -module GroupPolicy
Find IPMI WMI recent SEL event information from a number of servers
$servers = get-content -path servers.txt; $IPMIStats = $null ;foreach ($server in $servers) { $IPMIStats += Get-Wmiobject -namespace root\hardware -computer $server -Query "SELECT __server,MessageTimestamp,Description FROM LogRecord WHERE MessageTimestamp > '20120201000000.000000+600'" -ErrorAction SilentlyContinue}; $IPMIstats | select-object __server,MessageTimestamp,Description | sort -prop __server | export-csv -path c:\temp\SEL_20120225.csv
Read and decode the DACL stored in a REG_BINARY object in the registry
$reg = get-itemproperty "HKLM:\System\CurrentControlSet\Services\LanmanServer\DefaultSecurity"; $acl = New-Object Security.AccessControl.RawSecurityDescriptor($($reg.SrvsvcSharePrintInfo), 0); $acl.DiscretionaryAcl; # see http://msdn.microsoft.com/en-us/library/cc244650(PROT.10).aspx for access mask
Convert REG_BINARY filetime stored in reversed byte/word format to date/time
[datetime]::FromFileTime([Convert]::ToInt64("01CD098EBB74AE65", 16))
List the PowerShell profile script path properties
$profile | select *
Read from remote event logs with PowerShell 2.0 or later
Get-WinEvent
Get the event log provider names for the specified log
$log = get-winevent -listlog Security | select providernames; $log.providernames
Find the EventID and descriptions from the specified event log provider
(get-winevent -listprovider 'Microsoft-Windows-Security-Auditing').events | ft ID,Description -autosize
Reverse an array
[array]::Reverse($array)
Join an array and output as a string with the specified delimiter
("test1", "test2") -join ";"
Add a UPN suffix to the local forest
get-adforest -current localcomputer | set-adforest -upnsuffixes @{Add="newsuffix.com"}
Modify the UPN for a user
get-aduser -id user01 | set-aduser -UserPrincipalName user01@newsuffix.com
Extract error information
$error[0].Exception | select * ; $error[0].Exception.InnerException | select *
Export a single property from multiple objects to file
$objects | select -prop prop01 | export-csv -notype -path c:\temp\output.txt -encoding ascii
Export server shares to a csv file
$outputfile = "c:\temp\server01_shares_" + [DateTime]::Now.ToString("yyyyMMddhhmmss") + ".csv"; Get-WmiObject win32_share -computer server01 | select Name,Path,Description,Caption | export-csv -path $outputFile; $outputFile
Check each line of one file for a match in a second file
$inputLines = get-content -path c:\temp\File01.txt; foreach ($line in $inputLines) {$match = select-string -pattern $line -path File02.txt -SimpleMatch; if (!($match)) {$line}} # outputs the lines of File01.txt with no match in File02.txt
Join a file in blocks of two lines
$text = get-content -path File.txt; $results = for($i=0; $i -lt $text.length; $i = $i+2){Write-Output ($text[$i] + "; " + $text[$i+1])}
Convert a unicode hex-string to human readable string
$converted = for ($i=0; $i -le $string.length-1; $i = $i+4) {write-output ([CHAR][BYTE]([CONVERT]::toint16($string.substring($i, 2),16)))}; [string]::join("",$converted)
Find the snap-ins currently registered
get-PSsnapin -registered
Run FIM 2010 R2 Microsoft Best-practices Configuration Analyser
Import-module "C:\Program Files\Microsoft Baseline Configuration Analyzer 2\Modules\BaselineConfigurationAnalyzer\BaselineConfigurationAnalyzer"; Invoke-MBCAModel -ModelId FIMBPA -SubModel FIMService -computer fimservice
Binary OR of useraccountcontrol to see if an account is enabled/disabled
(514 -bor 2) -eq 514
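The test above works because 2 is the ACCOUNTDISABLE bit of userAccountControl. As an added example (not from the original list), the function below decodes a value into its named flags and marks the settings an account audit usually reviews. Get-UacFlags, the review list and the sample values are constructed for illustration; the flag values are the documented ADS_USER_FLAG constants.

```powershell
# Added example: decode userAccountControl into named flags.
# Get-UacFlags is a hypothetical helper name; flag values are the documented
# ADS_USER_FLAG constants.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
}

# Assumed review list: settings that weaken authentication or widen delegation.
$ReviewFlags = 'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'DONT_EXPIRE_PASSWORD',
               'TRUSTED_FOR_DELEGATION', 'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH'

function Get-UacFlags {
    param([Parameter(Mandatory=$true)][int]$Value)

    # A flag is set when the bitwise AND with its mask is non-zero.
    $names = @($UacFlags.Keys | Where-Object { ($Value -band $UacFlags[$_]) -ne 0 })

    [pscustomobject]@{
        Value   = $Value
        Enabled = ($Value -band $UacFlags.ACCOUNTDISABLE) -eq 0
        Flags   = $names -join ', '
        Review  = @($names | Where-Object { $ReviewFlags -contains $_ }) -join ', '
    }
}

# Constructed sample values:
#   512     normal account, enabled
#   514     normal account, disabled
#   544     normal account, password not required
#   66048   normal account, password never expires
#   4194816 normal account, Kerberos pre-authentication not required
512, 514, 544, 66048, 4194816 |
    ForEach-Object { Get-UacFlags -Value $_ } |
    Format-Table -Wrap -AutoSize
```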
Convert a date to filetime (64-bit 100-nanosecond since midnight, 01/01/1601)
$date = [datetime]"24 December 2012"; $date.tofiletime()
Regular expression for numbers with spaces or brackets
'^[\d() -]+$'
Remove brackets and spaces from a string
$test -replace('\(|\)|\s','')
Use the Modulus operator as a way of reporting status in a loop every x
$progress = $count % 1000; if ($progress -eq 0) { Write-Output $count} # Report every 1000
Find the current running username in domain\user format
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Find the current running username
$env:username
Break a loop if keyboard input is detected
if($host.UI.RawUI.KeyAvailable) {break;}
Loop infinitely until the 'Q' key is pressed
$Qkey = 81; for (;;) { start-sleep 5; if($host.UI.RawUI.KeyAvailable) { $key = $host.ui.RawUI.ReadKey("NoEcho,IncludeKeyUp") ; if ($key.VirtualKeyCode -eq $Qkey) { break; } } Write-Output "$(get-date)" }
Install IIS on 2008 onwards
Install-WindowsFeature -Name Web-Server -IncludeAllSubFeature
Find installed hotfixes and installation date
$hotfixes = Get-WmiObject -Namespace root\cimv2 -computer Computer -Query "Select HotfixID,ServicePackInEffect,InstallDate,InstalledBy,InstalledOn from win32_quickfixengineering"
Write a System.Byte[] array to a binary file
set-content -value $byteArray -encoding byte -path c:\temp\image.bmp
Convert decimal to hex
'{0:x}' -f 15
Rename an Active Directory object (caters for naming attribute renames)
rename-adobject -id "CN=User1,OU=Users,DC=domain,DC=local" -newname user2 -server 192.168.10.10
Convert yyyymmdd to [datetime]
[datetime]::ParseExact("20130913", "yyyyMMdd", [Globalization.CultureInfo]::InvariantCulture) # MM is month; lowercase mm would be parsed as minutes
Match an array of objects against a string using regular expressions
$mailbox = $mailboxes -match "MARTIN Wayne"
Create a generic log file name based on the script name and today's date
$logFile = ".\" + ($MyInvocation.MyCommand.Name.split("."))[0] + "_" + [DateTime]::Now.ToString("yyyyMMdd") + ".log"
Split a string (eg distinguishedName) containing escaped commas
$dn -split "(?<![\\]),"
List the event log providers on a remote computer
get-winevent -computer server01 -listprovider *
Append to the System path environment variable
$path = [environment]::GetEnvironmentVariable("Path","Machine"); [Environment]::SetEnvironmentVariable("Path", "$path;c:\util", "Machine")
Use AD cmdlets to change the samaccountname of a security group
get-group -id oldsamid | set-group -name newsamid -displayName "newdisplayName" -whatif
Connect with remote powershell to a Lync server
$lync = "lync01"; $session = New-PSSession -ConnectionUri "https://$lync/OcsPowershell" -Authentication Negotiate; Import-PsSession $session
Update the SIP address of a Lync user
Set-CsUser -Identity "user01" -SipAddress "sip:user01@domain.local" -whatif; get-csuser -id user01 | select SipAddress
Find Server 2012 firewall profiles
Get-NetFirewallProfile
Set Server 2012 firewall profiles to log dropped traffic
Get-NetFirewallProfile | Set-NetFirewallProfile -logBlocked "True"
Find the last known SCM message for the specified service starting
get-winevent -computername fim01 -FilterHashTable @{ logname = "System"; providername="Service Control Manager"; ID = 7036; data = "Forefront Identity Manager Synchronization Service","Running"} -MaxEvents 1
Find the process creation date of a remote process
(Get-WmiObject -ComputerName fim01 -Query "Select * from win32_process where name ='miiserver.exe'") | select Name,@{N='Date';E={$_.ConvertToDateTime($_.creationdate)}} | ft -wrap -auto
Find if an AD account is locked out or not
get-aduser -id user01 -server dc01 -prop LockedOut
Start and then stop a network capture trace on server 2012
netsh trace start capture=yes; pause; netsh trace stop
List the classes in a WMI namespace
Get-WmiObject -list -Namespace root\rsop\computer
Query the highest precedence logon as a service right GPO
Get-WmiObject -computer server01 -namespace root\rsop\computer -class RSOP_UserPrivilegeRight | where {$_.UserRight -eq 'SeServiceLogonRight' -and $_.Precedence -eq 1} | select-object -expand AccountList
Show the last 15 errors in the application event log
get-winevent -computername server01 -FilterHashTable @{logname = "Application"; level=2} -MaxEvents 15
Query Server 2012 for scheduled task information
Get-WMIObject -computer server01 -Namespace "root\Microsoft\Windows\TaskScheduler" -Query "SELECT * from MSFT_ScheduledTask"
Query the security descriptor of shares on a server
$shares = Get-WMIObject -Computer "server01" -Namespace root\cimv2 -Query "SELECT * from Win32_LogicalShareSecuritySetting"
Generate a new GUID
[System.Guid]::NewGuid().ToString()
Generate a new GUID and return with braces
[System.Guid]::NewGuid().ToString("B")
Get an empty GUID (all zeroes)
[System.Guid]::Empty
List browser URLs and document titles for IE browser (not edge)
$urls = (New-Object -ComObject Shell.Application).Windows() | Where-Object {$_.LocationUrl -match "(^https?://.+)|(^ftp://)"}; $urls | select locationName,locationUrl | ft -wrap -auto
View ADFS tracing from the debug event log
get-winevent -computername adfs01 -FilterHashTable @{ logname = "AD FS Tracing/Debug"} -oldest
View ADFS auditing for claim information
get-winevent -computername adfs01 -FilterHashTable @{ logname = "Security"; providername="AD FS Auditing"; ID = 500,501} -MaxEvents 10 | select id,machineName,TimeCreated,Message | ft -wrap -auto
View the AD site name associated with the specified computer
dfsutil /sitename:server01
Find the .Net framework version the current PowerShell instance is using
[Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()
Store an encrypted password reversible only by the encrypting user
ConvertTo-SecureString -string "password" -asplaintext -force | ConvertFrom-SecureString | out-file -file c:\temp\password.txt
Encode a string to base64
[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("Testing"))
Decode a base64 string to text string
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("VGVzdGluZw=="))
Install the ActiveDirectory module for PowerShell
Install-WindowsFeature -Name RSAT-AD-PowerShell
Export a certificate to binary format
Export-Certificate -FilePath c:\windows\temp\cert.crt -cert cert:localmachine\ca\9A26AAB090E0CD1F39B96731A4B49AAC65E7BEEA -type cert
Convert an octet stored byte array (eg. GUID) to hex string
[System.String]::Join('',( (get-adobject -id "uid=user01,OU=Users,DC=domain,DC=local" -server dc01 -prop objectguid).objectguid | ForEach-Object { $_.ToString('x2') }))
Check if a string is null or empty
if ([string]::IsNullOrEmpty($string) -eq $true){"True"}
List the UPN suffixes from a remote forest
(get-adforest -identity domain.local).upnsuffixes
List the PowerShell remoting endpoints
Get-PSSessionConfiguration
Read a certificate from file
Get-PfxCertificate -FilePath c:\temp\test.cer | fl *
Prevent PowerShell progress bars from displaying
$ProgressPreference = "SilentlyContinue"
Convert the number of seconds to a timespan to show hours/minutes etc
[timespan]::fromseconds(15*60*60)
Find a remote PowerShell session using WinRM
Get-WSManInstance -ConnectionURI http://server01:5985/wsman shell -Enumerate
Remove a remote PowerShell session using WinRM
Remove-WSManInstance -ConnectionURI http://localhost:5985/wsman shell @{ShellID="6CF3C5C6-1954-430F-98B7-2D99E8AADCE3"}
Start an elevated process with PowerShell
start-process -verb RunAs cmd
Find the verbs available for a particular file
$startExe = New-Object System.Diagnostics.ProcessStartInfo -Args PowerShell.exe; $startExe.verbs
Check if a specified time of day has passed
((get-date) -lt ([datetime]::ParseExact("23:00:00", "HH:mm:ss", [System.Globalization.CultureInfo]"en-AU")))
Start an elevated runas process as alternate credentials
Start-Process powershell -Credential $cred -ArgumentList '-noprofile -command &{Start-Process cmd -verb runas}'
Find service terminated unexpectedly (multiple event IDs)
get-winevent -computername server01 -FilterHashTable @{ logname = "System"; startTime = $date; id=7031,7034}
Decrypt a securestring password to text
(New-object System.Net.NetworkCredential("",$Password)).Password
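The store command earlier in this list ("Store an encrypted password reversible only by the encrypting user") and the decrypt command above are two halves of one round trip. As an added example (not from the original list), the script below writes a DPAPI-protected password file, reads it back and builds a credential from it; the file name, account name and password are constructed for illustration.

```powershell
# Added example: DPAPI-protected password file, written and read back by the
# same user on the same machine. File name, account and password are constructed.
$file  = Join-Path $env:TEMP 'svc-example-password.txt'
$plain = 'Constructed-Example-1!'

# In real use, collect the secret with Read-Host -AsSecureString so the
# plaintext never appears on the command line or in the history file.
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Without -Key or -SecureKey, ConvertFrom-SecureString protects the value with
# Windows DPAPI under the current user's profile on this machine.
$secure | ConvertFrom-SecureString | Set-Content -Path $file -Encoding ascii

# The file holds a hex-encoded protected blob, not the password itself.
$blob = Get-Content -Path $file
"Stored blob length : $($blob.Length) characters"
"Contains plaintext : $($blob.Contains($plain))"

# Read it back and build a credential object for cmdlets that take -Credential.
$restored = Get-Content -Path $file | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PSCredential('DOMAIN\svc-example', $restored)

# GetNetworkCredential() performs the same conversion as the decrypt one-liner.
"Round trip matches : $($cred.GetNetworkCredential().Password -eq $plain)"

# Clean up the constructed sample file.
Remove-Item -Path $file
```

The file protects the password from other accounts and from being copied to another machine; any code running as the same user on the same machine can recover the plaintext exactly as the script does.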
Convert to a nicely formatted JSON message
ConvertFrom-Json $message | ConvertTo-Json
Find hotfixes installed
get-hotfix
URL encode a string
Add-Type -AssemblyName System.Web; [System.Web.HttpUtility]::UrlEncode($clientID)
Check remote Hyper-V VM migration status
Get-WmiObject -computer server01 -Namespace root\virtualization\v2 -Class Msvm_MigrationJob | ft Name, JobStatus, PercentComplete, VirtualSystemName
Make it so doskey macros and shortcuts work in PS5+
Remove-Module PSReadLine
Find the digital signature of a file
(get-AuthenticodeSignature c:\util\procexp.exe).SignerCertificate | fl *
Convert Unix epoch time in milliseconds to datetime
(Get-Date "1970-01-01 00:00:00.000Z") + ([TimeSpan]::FromMilliSeconds(1539045767455))
Convert a number to binary
[convert]::ToString(512,2)
Convert from win32 filetime
"{0:hh:mm:ss.fff tt dd/MM/yyyy}" -f [datetime]::FromFileTime(131864751713547989)
Find the effective applocker policy
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path "C:\Windows\System32\cscript.EXE"
Determine whether the AD recycle bin is enabled or not (EnabledScopes)
Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
Find the Active Directory schema version
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
Query SCCM for a computer resource
$server = "sccm01";$site = "s01"; $resourceName = "server01"; $resource = Get-WmiObject -ComputerName $server -Namespace "root\sms\site_$site" -Class "SMS_R_System" -Filter "Name = '$resourceName'"
Query SCCM for the collection membership of a computer resource
$ids = (Get-WmiObject -ComputerName $server -Namespace "root\sms\site_$site" -Class SMS_FullCollectionMembership -filter "ResourceID=`"$($Resource.ResourceId)`"").collectionID
Export DNS zone information from a 2016 DC
Get-DnsServerZone | export-csv -path c:\windows\temp\DNSZones_20190304.csv -encoding ascii -notype
Find Active Directory replication conflict objects
$conflicts = Get-ADObject -LDAPFilter "(|(cn=*\0ACNF:*)(ou=*CNF:*))"
Install RSAT on Windows 10 1809
Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
Find Office 365 Group mailbox folder information
get-mailboxfolderstatistics -id user01@domain.local | select FolderPath
Find events containing the specified string
$filter = @{logname='Security'; starttime=[datetime]::today; data='/adfs/services/trust/2005/windowstransport' }; $events = get-winevent -computername adfs01 -FilterHashTable $filter
Decode a dnsrecord entry in an AD DNSRecord object
$dnsrecord = (get-adobject -id "DC=10.10,DC=168.192.in-addr.arpa,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=local" -prop *).dnsrecord; [System.Text.Encoding]::ASCII.GetString($dnsrecord[0])
Report when a TCP connection was created
Get-NetTCPConnection | Sort-Object LocalPort | Format-Table Local*, Remote*, State, CreationTime
Find any alternate data streams in a file
get-item c:\temp\test.txt -Stream *
View the content of an alternate data stream
get-content c:\temp\test.txt -Stream Stream1
Remove an alternate data stream
Remove-Item -path c:\temp\test.txt -Stream Zone.Identifier
Find the direct reports from the AD manager backlink
(get-aduser -id user01 -prop directreports).directreports
Find the day of week
(get-date).DayOfWeek
Find the number of the current day of the week
[int](get-date).DayOfWeek # or: (get-date).DayOfWeek.value__
Find the number of the specified day
[int][DayofWeek]"Sunday"
Format a string as hex
"05bb80f4-5d0b-4358-b173-7a206a924734" | format-hex
Export DNS SRV records
Get-DNSServerResourceRecord -ZoneName domain.local -ComputerName dc01 -RRType SRV | Export-CSV -path c:\temp\srv-export.csv -notypeinformation
Query Domain Controllers in one or more sites
Get-ADDomainController -filter "site -eq 'site1' -or site -eq 'site2' -or site -eq 'site3'" |select name
Show datetime on command prompt
function prompt { "PS $((Get-Date).ToString("hh:mm:ss")) $(get-location)>"}
Find DCs running 2016 OS
Get-ADDomainController -filter "OperatingSystem -eq 'Windows Server 2016 Standard'" | select name
Unblock a file downloaded from the Internet
Unblock-File C:\temp\downloaded.ps1
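Unblock-File works by deleting the Zone.Identifier alternate data stream, the same stream the alternate data stream commands earlier in this list find, read and remove. As an added example (not from the original list), the helper below reports which zone a file is marked with before it is unblocked; Get-FileZone is a hypothetical name and the test file and its stream are constructed. It needs an NTFS volume.

```powershell
# Added example: read the Mark-of-the-Web zone from a file's Zone.Identifier
# stream. Get-FileZone is a hypothetical helper; the sample file is constructed.
function Get-FileZone {
    param([Parameter(Mandatory=$true)][string]$Path)

    # URL security zone numbers as used in the ZoneId= line of the stream.
    $zones = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';      4 = 'Restricted sites' }

    $stream = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ Path = $Path; ZoneId = $null; Zone = 'No mark' }
    }

    # The stream is a small INI-style text: [ZoneTransfer] then ZoneId=<n>.
    $id = $null
    foreach ($line in (Get-Content -Path $Path -Stream Zone.Identifier)) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $id = [int]$Matches[1] }
    }

    $name = if ($null -ne $id -and $zones.ContainsKey($id)) { $zones[$id] } else { 'Unknown' }
    [pscustomobject]@{ Path = $Path; ZoneId = $id; Zone = $name }
}

# Constructed sample: a script file marked as if it came from the Internet zone.
$sample = Join-Path $env:TEMP 'downloaded-example.ps1'
Set-Content -Path $sample -Value 'Write-Output "example"'
Set-Content -Path $sample -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'

# List every stream other than the file's main data stream.
Get-Item -Path $sample -Stream * | Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object Stream, Length

Get-FileZone -Path $sample      # ZoneId 3, Internet

# Unblock-File removes the Zone.Identifier stream; the mark is gone afterwards.
Unblock-File -Path $sample
Get-FileZone -Path $sample      # No mark

# Clean up the constructed sample file.
Remove-Item -Path $sample
```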
Find the 5 most recent files from the specific path
Get-ChildItem -Recurse -path c:\admin\scripts\powershell\*.ps1 | sort -prop LastWriteTime -desc | select -first 5 FullName,LastWriteTime
Find the registered event log sources for the specified log
Get-WMIObject -Computer "server01" -Authentication PacketPrivacy -Query "SELECT FileName, Sources from Win32_NTEventLogFile where FileName = 'CustomEventLog'" | select -expand sources
Wayne's World of IT (WWoIT).