Lab review: chapters 1-6

  • Output the newest 100 Security log entries as HTML, sorted by date
Get-EventLog -LogName Security -Newest 100 | Sort-Object -Descending -Property TimeGenerated | ConvertTo-Html | Out-File sec.html
  • Display the five processes that consume the most virtual memory
Get-Process | Sort-Object -Descending -Property VM | Select-Object -First 5

  • Create a CSV file containing all services, listing only the service name and status. All running services should appear before the stopped ones
Get-Service | Select-Object -Property Name,Status | Sort-Object -Descending -Property Status | Export-Csv services.csv
  • Change the startup type of the BITS service to Manual
Set-Service -Name "BITS" -StartupType Manual
  • Display every file on the computer whose name matches Win*.*, starting from C:\
Get-ChildItem -LiteralPath "C:\" -Include "Win*.*" -Recurse

  • Get a directory listing of C:\Program Files, including all subfolders, and put the listing in a text file at C:\Dir.txt
Get-ChildItem -Path "C:\Program Files" -Recurse > C:\Dir.txt
  • Get a list of the 20 most recent Security event log entries and convert them to XML. Do not create a file on disk; display the XML directly in the console window
# Format-Custom only shows the object structure; it is not XML
Get-EventLog -LogName Security -Newest 20 | Format-Custom
# ConvertTo-Xml is the answer; add -As String to see the XML text instead of an XmlDocument object
Get-EventLog -LogName Security -Newest 20 | ConvertTo-Xml
  • Get a list of services, keeping only the name, display name and status, and send that information to an HTML file. Display "Installed Services" before the table of services in the HTML file
Get-Service | Select-Object -Property Name,DisplayName,Status | ConvertTo-Html -PreContent "Installed Services" | Out-File services.html
  • Create a new alias D for Get-ChildItem. Export only that alias to a file. Close the shell, then open a new console window. Import the alias into the new shell. Confirm that running D produces a directory listing
New-Alias -Name "D" -Value "Get-ChildItem"
Export-Alias -Path "c:\d.txt" -Name "D"
Import-Alias -Path "c:\d.txt"

The exported alias file contains:

# 别名文件
# 导出者 : Administrator
# 日期/时间 : 2018年5月18日 20:15:28
# 计算机: iZubw3nsaoh3v6Z
"D","Get-ChildItem","","None"

Test in the new window:

  • Display a list of the event logs that exist on the system

A supplementary note: Get-EventLog only works with classic event logs. To get events from logs that use the event log technology introduced in Windows Vista and later, use Get-WinEvent.

Get-EventLog -List
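As an added example (my code, not the book's answer or the original post's), here is the first task of this chapter group, exporting the newest 100 Security entries as HTML, redone with Get-WinEvent. It uses -FilterHashtable so the filtering happens in the log service rather than after pulling every record into the shell, and it fails with a clear message when the log is not readable, which is what happens for the Security log from a non-elevated shell. The function name, the default output path and the column choice are my assumptions.

```powershell
# Added example, not from the book or the post: newest N entries of a log as an HTML report,
# using Get-WinEvent so it works for both classic and modern (Vista+) logs.
function Export-RecentLogHtml {
    param(
        [string]$LogName = 'Security',
        [int]$Newest = 100,
        [string]$Path = "$env:TEMP\$LogName-recent.html"   # assumed default location
    )

    # Reading the Security log needs an elevated shell; stop early with a clear error
    # instead of silently writing an empty report.
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName } -MaxEvents $Newest -ErrorAction Stop
    } catch {
        throw "Cannot read log '$LogName' (use an elevated shell for Security): $($_.Exception.Message)"
    }

    # Keep only the first line of each message so the HTML table stays readable
    $firstLine = @{ l = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }

    $events |
        Sort-Object -Property TimeCreated -Descending |
        Select-Object -Property TimeCreated, Id, LevelDisplayName, ProviderName, $firstLine |
        ConvertTo-Html -Title "$LogName - newest $Newest events" -PreContent "<h1>$LogName</h1>" |
        Out-File -FilePath $Path -Encoding UTF8

    # Return the file object so the caller can open or inspect it
    Get-Item -Path $Path
}

# Application needs no elevation; run with -LogName Security from an elevated shell
Export-RecentLogHtml -LogName Application -Newest 20
```

ConvertTo-Html escapes angle brackets and ampersands in property values, so event messages that contain markup-like text do not break the report.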

  • Display the shell's current directory
Get-Location
  • Run a command that shows the commands you recently ran in the shell. Find the one you ran for "Display a list of the event logs that exist on the system" and re-run it through the pipeline
Get-History -Id 9 | Invoke-History   # 9 is the Id that Get-History showed for the Get-EventLog -List entry in this session
  • Run a command that configures the Security event log to overwrite old entries as needed
Limit-EventLog -LogName "Security" -OverflowAction "OverwriteAsNeeded"
  • Create a new directory with New-Item
New-Item -ItemType "Directory" -Path "C:\Review"
  • Display the contents of HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
  • Find the commands that restart the computer, shut it down, remove it from a workgroup or domain, restore the computer's system, and create a restore checkpoint
Stop-Computer
Restart-Computer
Remove-Computer
Restore-Computer
Checkpoint-Computer

Note: all of these commands can be found with Get-Command *Computer*.

  • Which command modifies a registry value?
Set-ItemProperty
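The two registry tasks above (reading a key with Get-ItemProperty, changing a value with Set-ItemProperty) fit in one round trip. This is an added example of mine, not from the book or the post; it works under a scratch key in HKCU so nothing real is modified, and the key path HKCU:\Software\PSLabReview and the function names are my assumptions.

```powershell
# Added example, not from the book or the post: read, create, change and remove a
# registry value under a throwaway key (assumed path) in the current user's hive.
$key = 'HKCU:\Software\PSLabReview'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Get-ItemProperty returns one object whose properties are the key's values;
    # return $null rather than an error when the key or value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'String')
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    if ($null -eq (Get-RegValue -Path $Path -Name $Name)) {
        # Set-ItemProperty would also create a missing value, but only
        # New-ItemProperty lets us choose the registry type (String, DWord, ...)
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type | Out-Null
    } else {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value
    }
    # Read back what was actually stored
    return Get-RegValue -Path $Path -Name $Name
}

Set-RegValue -Path $key -Name 'Demo' -Value 'first'
Get-RegValue -Path $key -Name 'Demo'
Set-RegValue -Path $key -Name 'Demo' -Value 'second'
Get-RegValue -Path $key -Name 'Demo'
Set-RegValue -Path $key -Name 'Count' -Value 5 -Type DWord
Get-ItemProperty -Path $key
# Clean up the scratch key
Remove-Item -Path $key -Recurse
```

Reading a real key such as User Shell Folders is the Get-RegValue call with that path; the -WhatIf switch on Set-ItemProperty and Remove-Item previews a change before it is made.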

Lab review: chapters 1-14

  • 1

Display a list of running processes in a table that includes only the process names and ID numbers. Don’t let the table have a large blank area between the two columns.

Get-Process |
Format-Table -Property processname,id -AutoSize
  • 2

Run this:

Get-WmiObject -class Win32_UserAccount

Now run that same command again, but format the output into a table that has Domain and UserName columns. The UserName column should show the users’ Name property, like this:

Domain   UserName
=======  ========
COMPANY  DonJ

Make sure the second column header says UserName, and not Name.

Get-WmiObject -class Win32_UserAccount |
Format-Table -Property Domain,@{l='UserName';e={$_.Name}} -AutoSize

  • 3

Have two computers (it’s OK to use localhost twice) run this command:

Get-PSProvider

Use Remoting to do this. Ensure that the output includes the computer names.

Invoke-Command -ComputerName localhost,localhost -command {Get-PSProvider}
  • 4

Use Notepad to create a file named C:\Computers.txt. In that file, put the following:

Localhost
localhost

You should have those two names on their own lines in the file—two lines total. Save the file and close Notepad. Then write a command that will list the running services on the computer names in C:\Computers.txt.

Invoke-Command -ComputerName (Get-Content .\computers.txt) -command {Get-Service | Where-Object -FilterScript {$_.Status -like "runn*"}}
  • 5

Query all instances of Win32_LogicalDisk. Display only those instances that have a DriveType property containing 3 and that have 50 percent or more free disk space.

Hint: to calculate free space percentage, it’s freespace/size * 100.

Note that the –Filter parameter of Get-WmiObject cannot contain mathematical expressions.

Get-WmiObject Win32_LogicalDisk |
Where-Object -FilterScript {$_.drivetype -eq 3 -and ($_.freespace / $_.size) -ge 0.5}
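The task's hint splits naturally into two stages: the DriveType test is a plain comparison and can go into the WMI -Filter (WQL), where it runs inside the provider, while the percentage needs arithmetic and has to stay in Where-Object. The following is an added example of mine, not the book's answer, that generalises the task into a reusable report; the function name, the threshold and computer name parameters, and the rounded GB columns are my additions.

```powershell
# Added example, not from the book: fixed disks with at least N percent free space.
# DriveType = 3 (local fixed disk) goes into the WQL -Filter; the percentage is
# computed in Where-Object because -Filter cannot contain expressions.
function Get-FixedDiskFreeReport {
    param(
        [int]$MinFreePercent = 50,
        [string]$ComputerName = 'localhost'
    )
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' -ComputerName $ComputerName |
        # Size is null on an unformatted volume; the guard avoids a divide-by-zero error
        Where-Object { $_.Size -gt 0 -and ($_.FreeSpace / $_.Size * 100) -ge $MinFreePercent } |
        Select-Object -Property @{ l = 'Computer'; e = { $_.PSComputerName } },
            DeviceID,
            @{ l = 'Size(GB)'; e = { [math]::Round($_.Size / 1GB, 1) } },
            @{ l = 'Free(GB)'; e = { [math]::Round($_.FreeSpace / 1GB, 1) } },
            @{ l = 'Free%';    e = { [math]::Round($_.FreeSpace / $_.Size * 100, 1) } }
}

Get-FixedDiskFreeReport -MinFreePercent 50 | Format-Table -AutoSize
```

Lowering -MinFreePercent to 10 turns the same function into a low-disk-space check, which is the more common monitoring use.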

  • 6

Display a list of all WMI classes in the root\CIMv2 namespace.

Get-CimClass -Namespace root\CIMv2
  • 7

Display a list of all Win32_Service instances where the StartMode is Auto and the State is not Running.

Get-WmiObject win32_service |
Where-Object -FilterScript {$_.startmode -eq "auto" -and $_.state -ne "running"} |
Format-List
  • 8

Find a command that can send email messages. What are the mandatory parameters of this command?

Send-MailMessage   # mandatory parameters (Get-Help Send-MailMessage -Full): -From, -To, -Subject
  • 9

Run a command that will display the folder permissions on C:.

Get-Acl -Path c:\
  • 10

Run a command that will display the permissions on every subfolder of C:\Users. Just the direct subfolders; you don’t need to recurse all files and folders. You’ll need to pipe one command to another command to achieve this.

Get-ChildItem C:\Users | Get-Acl
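Listing the ACLs of every profile folder is most useful when something reads them for you. As an added example (my code, not the book's or the post's), the Get-ChildItem | Get-Acl pipeline is extended into a check that reports any direct subfolder where a broad group is allowed write-class rights, which is how a world-writable folder shows up in a review. The root, the list of broad identities and the rights mask are my assumptions; the function name is made up for the example.

```powershell
# Added example, not from the book: flag ACEs on direct subfolders of a root that grant
# broad groups write-class access. Folders we cannot read are reported, not skipped.
function Find-BroadWriteAccess {
    param(
        [string]$Root = 'C:\Users',
        [string[]]$BroadIdentities = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )
    # Modify and FullControl both contain the Write bits, so testing Write with -band
    # catches all three; generic-right ACEs (GENERIC_WRITE) are outside this simple mask.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write

    Get-ChildItem -Path $Root -Directory | ForEach-Object {
        $folder = $_.FullName
        try {
            $acl = Get-Acl -Path $folder -ErrorAction Stop
        } catch {
            # Other users' profile folders are normally unreadable by a standard user
            [pscustomobject]@{ Folder = $folder; Identity = '(access denied)'; Rights = $null; Inherited = $null }
            return
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadIdentities -contains $ace.IdentityReference.Value -and
                ($ace.FileSystemRights -band $writeMask) -ne 0) {
                [pscustomobject]@{
                    Folder    = $folder
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Find-BroadWriteAccess -Root 'C:\Users' | Format-Table -AutoSize
```

Running it from an elevated shell removes the access-denied rows, since the administrator can read every profile's ACL; the Inherited column tells you whether a finding comes from the parent folder or was set on the subfolder itself.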

  • 11

Find a command that will start Notepad under a credential other than the one you’ve used to log into the shell.

Start-Process -FilePath notepad -Credential (Get-Credential)
  • 12

Run a command that makes the shell pause, or idle, for 10 seconds.

Start-Sleep 10
  • 13

Can you find a help file (or files) that explains the shell’s various operators?

help *operators*

  • 14

Write an informational message to the Application event log. Use a category of 1 and raw data of 100,100.

Write-EventLog -LogName Application -EntryType Information -RawData 100,100 -Category 1 -EventId 1 -Message "hello" -Source msiinstaller
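Write-EventLog only accepts a source that is already registered for the target log, which is why the answer above borrows MsiInstaller. As an added example of mine, not from the book or the post, here is the cleaner route: register a source of your own once (this needs an elevated shell) and write under it, then read the entry back to confirm it landed. The source name PSLabReview and the function name are my assumptions.

```powershell
# Added example, not from the book: write to the Application log under a source we own.
function Write-AppEvent {
    param(
        [string]$Source = 'PSLabReview',    # assumed source name
        [string]$Message,
        [int]$EventId = 1000,
        [ValidateSet('Information', 'Warning', 'Error')][string]$EntryType = 'Information'
    )
    # SourceExists and New-EventLog both need an elevated shell the first time round
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    Write-EventLog -LogName Application -Source $Source -EntryType $EntryType `
        -EventId $EventId -Category 1 -RawData 100,100 -Message $Message
    # Read back the newest entry from our source to confirm the write
    Get-EventLog -LogName Application -Source $Source -Newest 1
}

Write-AppEvent -Message 'hello from the lab review'
```

Once a source of your own exists, entries written under it are easy to filter with -Source in Get-EventLog or ProviderName in Get-WinEvent -FilterHashtable, rather than being mixed in with the installer's events.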
  • 15

Run this command:

Get-WmiObject -Class Win32_Processor

Study the default output of this command. Now, modify the command so that it displays in a table. The table should include each processor’s number of cores, manufacturer, and name. Also include a column called “MaxSpeed” that contains the processor’s maximum clock speed.

Get-WmiObject -Class Win32_Processor |
Format-Table -Property NumberofCores,Manufacturer,Name,@{l='MaxSpeed';e={$_.MaxClockSpeed}} -AutoSize

  • 16

Run this command:

Get-WmiObject -Class Win32_Process

Study the default output of this command, and pipe it to Get-Member if you want. Now, modify the command so that only processes with a peak working set size greater than 5,000 are displayed.

Get-WmiObject -Class Win32_Process |
Where-Object -FilterScript {$_.PeakWorkingSetSize -gt 5000}

Lab review: chapters 1-19

  • 1

Create a list of running processes. The list should include only process name, ID, VM, and PM columns. Put the list into an HTML-formatted file named C:\Procs.html. Make sure that the HTML file has an embedded title of “Current Processes”. Display the file in a web browser and make sure that title appears in the browser window’s titlebar.

Get-Process |
Select-Object -Property Name,Id,VM,PM |
ConvertTo-Html -Title "Current Processes" |
Out-File C:\Procs.html

  • 2

Create a tab-delimited file named C:\Services.tdf that contains all services on your computer. “`t” (backtick t inside double quotes) is PowerShell’s escape sequence for a horizontal tab. Include only the services’ names, display names, and statuses.

The method I came up with is not very elegant and relies on append redirection:

Get-Service |
Select-Object -Property Name,DisplayName,Status |
ForEach-Object -Process {$line = $_.Name + "`t" + $_.DisplayName + "`t" + $_.Status; $line >> Services.tdf}

But it does get the job done:

The reference answer is elegant:

Get-Service |
Select-Object -Property Name,DisplayName,Status | Export-CSV c:\services.tdf -Delimiter "`t"

It simply swaps out the comma that the CSV format uses by default.....

Its result also looks more professional than mine:

Still, it is hard to say which is more useful in the end. I think the file I generated is more concise and easier for programs to consume.

  • 3

Repeat task 1, modifying your command so that the VM and PM columns of the HTML file display values in megabytes (MB), instead of bytes. The formula to calculate megabytes, displaying the value as a whole number, goes something like $_.VM / 1MB -as [int] for the VM property.

Get-Process |
Select-Object -Property Name,Id,@{l="VM(MB)";e={$_.VM / 1MB -as [int]}},@{l="PM(MB)";e={$_.PM / 1MB -as [int]}} |
ConvertTo-Html -Title "Current Processes" |
Out-File C:\Procs.html

Summary

My study of this book ends here. Thanks to the authors Don Jones and Jeffery Hicks. Thanks to the Tongji University Library. The translator also worked hard, although the translation is not good.