PowerShell for Windows Admins


November 30, 2013  5:39 AM

Defender Module: Threat Catalog

Richard Siddaway

You can see the threats that defender is testing against

Get-MpThreatCatalog | select SeverityID, ThreatName

You get a long list like this

5 TrojanDownloader:Win32/Agent.A
4 TrojanDownloader:Win32/Holistyc
2 Dialer:Win32/EPlugin
5 Backdoor:Win32/Fxsvc
2 Adware:Win32/Networkone

This is the important one:

Get-MpThreatDetection

You want this to return nothing, i.e. no threats found.

You can start a scan like this:

Start-MpScan -ScanType QuickScan

A progress bar will show how things are going – again if your machine is clean you won’t get a return
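As an added example (not code from the original post), the two cmdlets above can be combined into a small report: run a scan, then label each detection with the name and severity the engine holds for it. Instead of walking the whole threat catalog (which is very long, as the output above shows), the example joins Get-MpThreatDetection to Get-MpThreat on ThreatID; the property names used (ThreatID, Resources, InitialDetectionTime, ActionSuccess, SeverityID) are those of the MSFT_MpThreatDetection and MSFT_MpThreat classes.

```powershell
# Added example: scan, then report any detections with their catalog severity.
function Get-DefenderScanReport {
    [CmdletBinding()]
    param(
        [ValidateSet('QuickScan', 'FullScan')]
        [string]$ScanType = 'QuickScan'
    )

    # Start the scan; on a clean machine this returns nothing
    Start-MpScan -ScanType $ScanType

    $detections = Get-MpThreatDetection
    if (-not $detections) {
        Write-Verbose "No threats detected by $ScanType on $env:COMPUTERNAME"
        return
    }

    # Get-MpThreat lists only threats that have actually been seen on this
    # machine, so it is a much smaller lookup than the full threat catalog.
    $known = @{}
    Get-MpThreat | ForEach-Object { $known[$_.ThreatID] = $_ }

    foreach ($d in $detections) {
        $entry = $known[$d.ThreatID]
        [PSCustomObject]@{
            ThreatID    = $d.ThreatID
            ThreatName  = if ($entry) { $entry.ThreatName } else { 'Unknown' }
            SeverityID  = if ($entry) { $entry.SeverityID } else { $null }
            Resources   = ($d.Resources -join '; ')   # files/registry keys involved
            Detected    = $d.InitialDetectionTime
            Remediated  = $d.ActionSuccess
        }
    }
}

# Example usage: show only the serious ones (SeverityID 4 and 5 in the catalog)
Get-DefenderScanReport -ScanType QuickScan -Verbose |
    Where-Object { $_.SeverityID -ge 4 } |
    Sort-Object Detected -Descending |
    Format-Table -AutoSize
```

The SeverityID values 4 and 5 are taken from the catalog output in the post; a detection with Remediated set to False is the one worth looking at first, because the engine saw it but did not manage to clean it.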

November 29, 2013  4:56 PM

Mac Address

Richard Siddaway

No not where you go for a burger!

I saw a post on the forum about getting the MAC address from remote machines. The original post was using a fixed filter on NetConnectionID, which assumes that all of your machines are configured identically. I think a better approach is to gather all the data:

function get-macaddress {
    [CmdletBinding()]
    param(
        [string]$computername = $env:COMPUTERNAME
    )
    # Only adapters that have a NetConnectionID (i.e. a named connection) match the filter
    Get-WmiObject -Class Win32_NetworkAdapter -ComputerName $computername -Filter "NetConnectionID LIKE '%'" |
        select PSComputerName, Description, NetConnectionID, MACAddress
}

The WMI filter ensures that only adapters with a NetConnectionID are returned.

Once you have the data you can ensure your machines are configured the same
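To make the "check they are configured the same" step concrete, here is an added example (not from the original post) that extends get-macaddress to a list of computers and then compares what came back. Two checks are done on the gathered data: whether each machine has the same set of NetConnectionIDs as the most common set, and whether any MAC address appears on more than one machine (a cloned VM or a misconfigured template will show up this way). Function names and the "baseline is the most common set" rule are the example's own assumptions.

```powershell
# Added example: gather adapters from many machines, then compare them.
function Get-MacAddressReport {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    process {
        foreach ($computer in $ComputerName) {
            try {
                Get-WmiObject -Class Win32_NetworkAdapter -ComputerName $computer `
                    -Filter "NetConnectionID LIKE '%'" -ErrorAction Stop |
                    Select-Object PSComputerName, Description, NetConnectionID, MACAddress
            }
            catch {
                # An unreachable machine should not stop the whole run
                Write-Warning "$computer : $($_.Exception.Message)"
            }
        }
    }
}

function Compare-AdapterConfiguration {
    param([Parameter(Mandatory)][object[]]$Adapters)

    # One "signature" per machine: its sorted, comma-joined NetConnectionIDs
    $signatures = foreach ($m in ($Adapters | Group-Object PSComputerName)) {
        [PSCustomObject]@{
            ComputerName = $m.Name
            Signature    = (@($m.Group.NetConnectionID) | Sort-Object) -join ','
        }
    }

    # Assumption: the configuration seen on the most machines is the baseline
    $baseline = ($signatures | Group-Object Signature |
        Sort-Object Count -Descending | Select-Object -First 1).Name

    foreach ($s in $signatures) {
        [PSCustomObject]@{
            ComputerName    = $s.ComputerName
            Adapters        = $s.Signature
            MatchesBaseline = ($s.Signature -eq $baseline)
        }
    }
}

function Find-DuplicateMacAddress {
    param([Parameter(Mandatory)][object[]]$Adapters)
    # A MAC that is present on two different machines is always worth a look
    $Adapters | Where-Object { $_.MACAddress } |
        Group-Object MACAddress |
        Where-Object { @($_.Group.PSComputerName | Select-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [PSCustomObject]@{
                MACAddress = $_.Name
                Computers  = (($_.Group.PSComputerName | Select-Object -Unique) -join ', ')
            }
        }
}

# Example usage (computer names are placeholders)
$adapters = 'server1', 'server2', 'server3' | Get-MacAddressReport
Compare-AdapterConfiguration -Adapters $adapters | Format-Table -AutoSize
Find-DuplicateMacAddress -Adapters $adapters
```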


November 29, 2013  4:44 PM

Clear the Trusted Hosts list

Richard Siddaway

This post rounds out the remoting series and shows you how to clear the trusted hosts list

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/29/powertip-use-powershell-to-clear-the-trusted-hosts-file.aspx


November 29, 2013  12:43 PM

Windows 8.1 Defender module

Richard Siddaway

Windows 8.1 includes a module – Defender for working with the anti-malware engine on the machine. I’m presuming this means Windows Defender only

The starting point is Get-MpComputerStatus

£> Get-MpComputerStatus

AMEngineVersion : 1.1.10100.0
AMProductVersion : 4.3.9600.16384
AMServiceEnabled : True
AMServiceVersion : 4.3.9600.16384
AntispywareEnabled : True
AntispywareSignatureAge : 2
AntispywareSignatureLastUpdated : 27/11/2013 11:14:50
AntispywareSignatureVersion : 1.163.737.0
AntivirusEnabled : True
AntivirusSignatureAge : 2
AntivirusSignatureLastUpdated : 27/11/2013 11:14:50
AntivirusSignatureVersion : 1.163.737.0
BehaviorMonitorEnabled : True
ComputerID : 10EEA25B-DB88-4238-BA5C-C500519F9C56
ComputerState : 0
FullScanAge : 4294967295
FullScanEndTime :
FullScanStartTime :
IoavProtectionEnabled : True
LastFullScanSource : 0
LastQuickScanSource : 2
NISEnabled : False
NISEngineVersion : 2.1.10003.0
NISSignatureAge : 4294967295
NISSignatureLastUpdated :
NISSignatureVersion : 109.17.0.0
OnAccessProtectionEnabled : True
QuickScanAge : 1
QuickScanEndTime : 27/11/2013 21:48:57
QuickScanStartTime : 27/11/2013 21:47:16
RealTimeProtectionEnabled : True
RealTimeScanDirection : 0
PSComputerName :

which shows a lot of useful data.

The cmdlet has a CimSession parameter so you can work with remote Windows 8.1 machines. This module isn’t available on Windows 2012 R2.

Other cmdlets include:

Add-MpPreference
Get-MpComputerStatus
Get-MpPreference
Get-MpThreat
Get-MpThreatCatalog
Get-MpThreatDetection
Remove-MpPreference
Remove-MpThreat
Set-MpPreference
Start-MpScan
Update-MpSignature

If you think the output is reminiscent of a WMI class you’re right. The cmdlet is CDXML built from the ROOT\Microsoft\Windows\Defender\MSFT_MpComputerStatus CIM class
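Since Get-MpComputerStatus takes a CimSession, the natural use is a health check across a set of machines. The following is an added example (not code from the post or the Defender module) that queries each computer and flags the settings a defender would want to know about: the anti-malware service, antivirus and real-time protection being disabled, signatures older than a threshold, and no full scan ever having completed. The "never scanned" test assumes that a FullScanAge of 4294967295 (the uint32 maximum, paired with an empty FullScanEndTime in the output above) means no full scan has run; the threshold of three days and the function name are the example's own choices.

```powershell
# Added example: Defender health check over CimSession for one or more computers.
function Test-DefenderHealth {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxSignatureAgeDays = 3
    )

    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $computer -ErrorAction Stop
            $status  = Get-MpComputerStatus -CimSession $session -ErrorAction Stop

            $issues = @()
            if (-not $status.AMServiceEnabled)          { $issues += 'anti-malware service disabled' }
            if (-not $status.AntivirusEnabled)          { $issues += 'antivirus disabled' }
            if (-not $status.RealTimeProtectionEnabled) { $issues += 'real-time protection off' }
            if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
                $issues += "AV signatures $($status.AntivirusSignatureAge) days old"
            }
            # Assumption: uint32 max age with no end time means no full scan has ever run
            if ($status.FullScanAge -eq [uint32]::MaxValue) { $issues += 'no full scan has ever run' }

            [PSCustomObject]@{
                ComputerName     = $computer
                Healthy          = ($issues.Count -eq 0)
                Issues           = ($issues -join '; ')
                SignatureVersion = $status.AntivirusSignatureVersion
                LastQuickScan    = $status.QuickScanEndTime
            }
        }
        catch {
            # Treat "could not ask" as unhealthy rather than silently skipping the machine
            [PSCustomObject]@{
                ComputerName     = $computer
                Healthy          = $false
                Issues           = "query failed: $($_.Exception.Message)"
                SignatureVersion = $null
                LastQuickScan    = $null
            }
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Example usage (computer names are placeholders)
Test-DefenderHealth -ComputerName 'ws01', 'ws02' |
    Where-Object { -not $_.Healthy } |
    Format-Table -AutoSize
```

Remember the limitation stated above: the targets have to be Windows 8.1 machines, since the module is not present on Windows Server 2012 R2.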


November 29, 2013  4:33 AM

Remoting series

Richard Siddaway

My remoting series on the Scripting Guy blog has finished. The full set of posts is:

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/29/remoting-week-non-domain-remoting.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/28/powertip-remove-powershell-web-access-authorization-rules.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/28/remoting-week-remoting-security.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/27/powertip-use-powershell-to-discover-certificate-thumbprints.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/27/remoting-week-configuring-remoting.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/26/powertip-determine-version-of-wsman-on-remote-computer.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/26/remoting-week-remoting-sessions-in-powershell.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/25/powertip-use-powershell-to-find-key-of-wmi-class.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/25/remoting-week-remoting-recap.aspx


November 28, 2013  3:36 PM

PowerShell on Windows RT

Richard Siddaway

PowerShell v4 contains a help file

get-help about_Windows_RT -ShowWindow

that explains the differences between PowerShell on a full Windows device and on a Windows RT device such as a Surface 2.


November 28, 2013  3:28 PM

Get-Process in PowerShell 4

Richard Siddaway

If you use Get-Process in PowerShell v3

£> Get-Process powershell

Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
516 17 49436 59220 233 8.86 7100 powershell

PowerShell v4 enables you to see the user account associated with the process

£> Get-Process powershell -IncludeUserName

Handles WS(K) VM(M) CPU(s) Id UserName ProcessName
------- ----- ----- ------ -- -------- -----------
593 214888 823 17.27 2148 MANTICORE\richard powershell

Now we have an easy way to discover who started a process
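As an added example (not from the original post), here is a function that answers "who started this process" on both versions: it uses -IncludeUserName on PowerShell v4, and falls back to the GetOwner() method of Win32_Process on v3. Two practical points are built in: -IncludeUserName needs an elevated session, and Win32_Process names carry the .exe suffix while Get-Process names do not. The function names are the example's own.

```powershell
# Added example: process owner on PowerShell v4 (-IncludeUserName) with a v3 WMI fallback.
function Get-ProcessOwner {
    [CmdletBinding()]
    param([string]$Name = '*')

    if ($PSVersionTable.PSVersion.Major -ge 4) {
        # -IncludeUserName requires an elevated session; fail clearly rather than silently
        Get-Process -Name $Name -IncludeUserName -ErrorAction Stop |
            Select-Object Id, ProcessName, UserName
    }
    else {
        # Win32_Process names include ".exe", so turn the wildcard into a WQL LIKE pattern
        $pattern = ($Name -replace '\*', '%') + '%'
        Get-WmiObject -Class Win32_Process -Filter "Name LIKE '$pattern'" | ForEach-Object {
            $owner = $_.GetOwner()
            $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { $null }
            [PSCustomObject]@{
                Id          = $_.ProcessId
                ProcessName = ($_.Name -replace '\.exe$', '')
                UserName    = $user
            }
        }
    }
}

# How many processes each account owns; "<unknown>" covers processes whose
# owner could not be read (typically protected or system processes when not elevated)
function Get-ProcessOwnerSummary {
    Get-ProcessOwner | Group-Object UserName | Sort-Object Count -Descending |
        Select-Object @{ n = 'UserName'; e = { if ($_.Name) { $_.Name } else { '<unknown>' } } }, Count
}

# Example usage: every powershell process and who started it, then the per-account totals
Get-ProcessOwner -Name powershell | Format-Table -AutoSize
Get-ProcessOwnerSummary
```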


November 27, 2013  2:35 PM

Capacity planning series finished

Richard Siddaway

My capacity planning series on the Scripting Guy blog finished last week. I didn’t get a chance to post about it as I was at Microsoft in Seattle.

Full series and associated powertip postings:

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/18/powertip-compare-the-contents-of-files-with-powershell.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/18/the-admin-s-first-steps-capacity-planning-part-3.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/11/powertip-use-powershell-to-format-dates.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/11/the-admin-s-first-steps-capacity-planning-part-2.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/04/powertip-view-network-statistics-with-powershell.aspx

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/04/the-admin-s-first-steps-capacity-planning.aspx

Enjoy


November 27, 2013  3:48 AM

PowerShell team topics for 2014 Summit

Richard Siddaway

The detailed agenda for the PowerShell Summit can be linked from here.

http://msmvps.com/blogs/richardsiddaway/archive/2013/11/11/powershell-summit-2014-agenda.aspx

Members of the PowerShell team will be speaking at the Summit. They are looking for input on the topics you want them to cover. Please view the list of possible topics and leave your comments at

http://blogs.msdn.com/b/powershell/archive/2013/11/05/seeking-input-on-powershell-summit-sessions.aspx


November 11, 2013  12:17 PM

Capacity Planning part 2

Richard Siddaway

My capacity planning mini series on the Scripting Guy blog continues with the second part – dealing with storing data in SQL Server – available today

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/11/the-admin-s-first-steps-capacity-planning-part-2.aspx

I’ll repeat the URL for the first part for reference

http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/04/the-admin-s-first-steps-capacity-planning.aspx
