deanbunn/Windows_System_Analysis_Lab

PowerShell for Windows System Analysis Lab

Ten sessions offered for learning to use PowerShell to analyze Windows system configuration.

All lab exercises and descriptions are listed in the README.

The lesson script files are designed to only be used as a downloadable reference.

At the beginning of each script is an "exit" command to prevent an accidental run.

Lesson 1

1.1 Transcripts

1.1 Exercises

Start a Transcript File

Start-Transcript
# Default Location C:\Users\userID\Documents\PowerShell_transcript.NNNNNN.NNNNNNNNNNN.txt

Start Transcript with Custom Name

Start-Transcript "MyTranscript.txt"

Or for the File to be Placed in the Specific Directory

Start-Transcript C:\Script_Runs\MyTranscript.txt

To Stop the Transcript from Recording Commands and Output

Stop-Transcript

1.2 PowerShell Version

1.2 Exercises

View PowerShell Version

$PSVersionTable

1.3 Cmdlets and Modules

1.3 Exercises

Cmdlet Format Is action-noun (Verb-Noun); Get All Commands by a Certain Noun

Get-Command -Noun service

Get All Commands by a Certain Action

Get-Command -Verb start

Get All Currently Loaded Cmdlets

Get-Command -CommandType Cmdlet

Update Help Before Using It

Update-Help

Basic Help Information for Cmdlet

Get-Help Get-Process

Online Help for a Cmdlet

Get-Help Get-Process -Online

Help with Examples

Get-Help Get-Process -examples

Help Full Listing

Get-Help Get-Process -Full

Help About a Certain Subject

Get-Help about_operators

Help About

Get-Help about_*

Get All PowerShell Modules Available on System

Get-Module -ListAvailable

Import Module in Current PowerShell Session

Import-Module DnsClient

Get All Commands in a Module (Should Only Be Used After Importing)

Get-Command -Module DnsClient

Find .NET Object Used in Cmdlet

Get-Process | Get-Member

List All Aliases

Get-Alias

Look for Specific Alias

Get-Alias -Definition Stop-Process

Create Alias

New-Alias -Name "Gunrock" Get-ChildItem

1.4 Pipeline

1.4 Exercises

Command to Find If CmdLet Allows for Piping (Check Accept Pipeline Property Under Parameters)

Get-Help Get-Process -full | more 

Using Out-File to Get Resource Info on the Pipeline

Get-Help About_pipeline | Out-File about_pipeline.txt

Get All Processes and Then Sort by Name (Descending)

Get-Process | Sort-Object ProcessName -descending

Stop All Notepad Processes and Log the Process Collection Before Stopping

Get-Process notepad | Tee-Object -file Notepad_Processes.txt | Stop-Process

Get All Services That Are Running Then Only Show the Display Name

Get-Service | Where-Object { $_.Status -eq "Running" } | ForEach-Object { $_.DisplayName }

Quick Way to Report on File Types in a Folder

Get-ChildItem | Group-Object -property extension

Lesson 2

2.1 Script Execution Policy

2.1 Exercises

Get Current Policy

Get-ExecutionPolicy

Set the Script Execution Policy for Current User

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

2.2 Outputs

2.2 Exercises

To Get All the Format Object Commands

Get-Command -verb format

Get All Processes in a GUI Gridview

Get-Process | Out-GridView

Output Sent to a File

Get-Service | Out-File Services.txt

Quick Array Sent to a File

@("Server1","Server2","Server3","Server4") | Out-File servers.txt

Service List Sent to Your Default Printer

Get-Service | Out-Printer 

Running Service List With Only a Few Columns Exported to CSV

Get-Service | Where-Object { $_.Status -eq "Running" } | Select-Object Name,DisplayName,Status,CanStop | Sort-Object DisplayName | Export-Csv running_services.csv -NoTypeInformation

2.3 Inputs

2.3 Exercises

Prompt User for Info

$requiredData = Read-Host -prompt "Enter Required Data"

Create String Array From a Text File

$servers = Get-Content servers.txt

Import Data from a CSV File and Use a Specific Column From It

Import-Csv running_services.csv | Foreach-Object { $_.DisplayName }

2.4 Errors

2.4 Exercises

The Setting for Error Handling Is Stored in the $ErrorActionPreference Variable. Error Handling Options:

  • Continue = Output Error Message; Continue to Run Next Command (Default)
  • SilentlyContinue = Suppress Error Message; Continue to Run the Next Command
  • Stop = Halt the Execution
  • Inquire = Prompt User for Action to Perform

$ErrorActionPreference = "Continue";

Errors that Occur During a PowerShell Session are Stored in $error

$error

Empty Error Messages from $error

$error.clear();

Some Cmdlets Support an -ErrorAction Parameter (It Only Covers Errors Raised While the Cmdlet Runs, Not Parameter Binding Errors). These Won't Display an Error

Remove-Item nothinghere -ErrorAction "SilentlyContinue";
Stop-Process -ID 8888888 -ErrorAction "SilentlyContinue";
# This Will Still Error Because -ID Must Be an Int (Binding Fails Before -ErrorAction Applies)
Stop-Process -ID NothingHere -ErrorAction "SilentlyContinue";
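The distinction above (what -ErrorAction suppresses, what it records in $error, and what it cannot catch) worked through as an added example that is not part of the lab scripts; the path .\nothinghere is assumed not to exist:

```powershell
# Added example: shows which errors -ErrorAction governs and which need try/catch.
# Returns one object with the observed results so it can be read at a glance.
function Test-ErrorActionBehaviour {
    $error.Clear()
    $result = [ordered]@{}

    # Non-terminating error: suppressed on screen, but still recorded in $error
    Remove-Item -Path '.\nothinghere' -ErrorAction SilentlyContinue
    $result.SilentlyContinueRecordedInError = ($error.Count -eq 1)

    # Ignore suppresses AND does not add to $error (count stays at 1)
    Remove-Item -Path '.\nothinghere' -ErrorAction Ignore
    $result.IgnoreRecordedInError = ($error.Count -ne 1)

    # Stop turns the non-terminating error into a terminating one
    try {
        Remove-Item -Path '.\nothinghere' -ErrorAction Stop
        $result.StopMadeTerminating = $false
    } catch {
        $result.StopMadeTerminating = $true
    }

    # Parameter binding failure: 'NothingHere' cannot convert to [int] for -ID,
    # so the cmdlet never runs and -ErrorAction never applies; only try/catch helps
    try {
        Stop-Process -ID NothingHere -ErrorAction SilentlyContinue
        $result.BindingErrorCaught = $false
    } catch {
        $result.BindingErrorCaught = $true
        $result.BindingErrorType   = $_.Exception.GetType().Name
    }

    [PSCustomObject]$result
}

Test-ErrorActionBehaviour | Format-List
```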

Lesson 3

3.1 Environment Variables

3.1 Exercises

View Environment Variables

Get-ChildItem Env:

View Path Environment Variable

$Env:path -split ";"

3.2 File System

3.2 Exercises

Navigate with Set-Location (alias cd)

Set-Location c:\users\$env:username\Desktop

List Items in Current Directory

Get-ChildItem

List Only the Text Files

Get-ChildItem -Filter *.txt

Get List of All "Item" Cmdlets

Get-Command -noun item | Select-Object Name | Sort-Object Name | Out-File Item_Commands.txt

Get the Path of Current Operating Directory

(Get-Location).Path

Check to See If a Directory or File Exists

Test-Path -Path c:\sacramento\kings.txt

Get List of All "Content" Cmdlets

Get-Command -Noun Content

Search for All Text Files on System Drive

Get-Childitem -Path c:\ -Filter *.txt -Recurse;

Create a Folder

New-Item My_Scripts -ItemType Directory

Create a Text File

New-Item .\My_Scripts\first_script.ps1 -ItemType File;

Add Content to a File

Add-Content -Path .\My_Scripts\first_script.ps1 -Value "Get-Service";

Move or Rename a File

Move-Item .\My_Scripts\first_script.ps1 .\My_Scripts\second_script.ps1;

Get Rights on Current Directory

Get-Acl -Path . | Format-List

Get Access on Current Directory

(Get-Acl -Path .).Access

Get the Owner of a Directory or File

(Get-Acl -Path c:\Intel\Logs).Owner 

List the NTFS Permissions of a File or Folder

(Get-Acl -Path $env:programfiles).Access

Show Permissions in Friendly Format on Current Directory

(Get-Acl -Path .).Access | Select-Object -ExpandProperty IdentityReference FileSystemRights | Format-Table Value,FileSystemRights

View File Hash

Get-FileHash .\Scary_Executable_I_Just_Downloaded.exe

3.3 PSDrive and Registry

3.3 Exercises

PS Drives

Get-PSDrive

List PSDrive for Registry

Get-PSDrive -PSProvider Registry

Change to HKEY_LOCAL_MACHINE

Set-Location HKLM:

View Windows Current Version Information

Get-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion'

View RDP Port Number (Requires Admin Console)

(Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp").PortNumber

System Environment

Set-Location env:

3.4 Searching File Contents

3.4 Exercises

Create File to Search

Get-Process | Out-File processes.txt

Search a File for a Specific Term

Select-String "svchost" .\processes.txt

Search for String in File and Show One Line Before and Three Lines After

Select-String "explorer" .\processes.txt -Context 1,3

Search Multiple Files

Select-String "explorer" .\process* 

Lesson 4

4.1 System Information

4.1 Exercises

Get BIOS Information

Get-WmiObject -Class Win32_BIOS -Computer localhost

Get Basic System Info

Get-WmiObject -Class Win32_ComputerSystem -Computer localhost

Get Operating System Info

Get-WmiObject -Class Win32_OperatingSystem -Computer localhost

Get Consolidated Object of System and Operating System Properties

Get-ComputerInfo

4.2 Disk Information

4.2 Exercises

Get Disk Information

Get-Disk | Format-List

Show Physical Disk Information

Get-PhysicalDisk

Get Disk Information (Model and Size)

Get-WmiObject -Class Win32_DiskDrive | ForEach-Object { Write-Output ($_.Model.ToString() + " Size:" + ($_.Size/1GB) + "GB") }

Get Logical Disk Info

Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType='3'" -Computer localhost

Show Disk Partitions

Get-Partition

Get Disk Volume Information

Get-Volume | Format-Table

Get Fixed Volumes

Get-Volume | Where-Object DriveType -eq "Fixed"

Get Volume Info (Windows 7)

Get-WmiObject -Class Win32_Volume -Filter "DriveType='3'" | Select-Object Name

Get Share Info

Get-SmbShare | Format-List

Get Share Info (Version 2)

Get-WmiObject -Class Win32_Share -Computer localhost

4.3 Processor and Memory

4.3 Exercises

Get Processor Information

Get-WmiObject -Class Win32_Processor | Select-Object Name,Description,NumberOfCores | Sort-Object Name

Get Number of Memory Slots

(Get-WmiObject -Class Win32_PhysicalMemoryArray).MemoryDevices

Retrieve Memory Slot Allocations

Get-WMIObject -Class Win32_PhysicalMemory | ForEach-Object { Write-Output ($_.DeviceLocator.ToString() + " " + ($_.Capacity/1GB) + "GB") };

4.4 Printer Information

4.4 Exercises

Show Printers

Get-Printer

Show Local Printers

Get-Printer | Where-Object { $_.Type -eq "Local" } | Format-Table -AutoSize

Show Printer Ports

Get-PrinterPort

Lesson 5

5.1 Local Users and Groups

5.1 Exercises

Show Local Users

Get-LocalUser

Show Local Groups

Get-LocalGroup

Show Local Group Membership

Get-LocalGroupMember -Group Administrators

Show Local Group Membership using Pipe

Get-LocalGroup -Name 'Remote Desktop Users' | Get-LocalGroupMember

Show Local Profiles and Their SIDs

Get-WmiObject win32_userprofile | Select-Object LocalPath,SID

5.2 Processes and Services

5.2 Exercises

Get Process By Partial Name

Get-Process -Name Chrom*

View Processes by Highest CPU Usage

Get-Process | Sort-Object CPU -Descending | more

View Processes by Highest Memory Usage

Get-Process | Sort-Object WorkingSet -Descending | more

Show File Information for One of the Zoom Processes

Get-Process -ProcessName 'Zoom' -FileVersionInfo | Format-List

Get Path to Process's Executable

Get-Process -FileVersionInfo -ErrorAction "SilentlyContinue" | Select-Object OriginalFilename,FileVersionRaw,FileName | Sort-Object OriginalFilename
#Or
Get-WmiObject -Class Win32_Process -Computer localhost | Select-Object Name,Path | Sort-Object Name

Get Owner of the Process

Get-WmiObject -Class Win32_Process -Computer localhost | Select-Object Name, @{Name="Owner"; Expression={$_.GetOwner().User}} | Sort-Object Name
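Building on the two process-to-executable listings above and the Get-FileHash exercise in 3.2, an added example (not part of the lab scripts) that reports each running image once with its hash and Authenticode signature status; it assumes an elevated session so Path is populated for system processes:

```powershell
# Added example: one row per executable behind the running processes, with the
# file hash and signature verdict, so unsigned or unexpected images stand out.
function Get-ProcessImageReport {
    [CmdletBinding()]
    param(
        [ValidateSet('SHA256','SHA1','MD5')]
        [string]$Algorithm = 'SHA256'
    )

    # Group running processes by executable path: one row per image on disk
    $byPath = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Group-Object -Property Path

    foreach ($group in $byPath) {
        $path = $group.Name
        $hash = Get-FileHash -Path $path -Algorithm $Algorithm -ErrorAction SilentlyContinue
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue

        [PSCustomObject]@{
            Path            = $path
            ProcessNames    = ($group.Group.ProcessName | Sort-Object -Unique) -join ','
            InstanceCount   = $group.Count
            Hash            = if ($hash) { $hash.Hash } else { $null }
            # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
            SignatureStatus = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
            Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Show anything that is not validly signed, then export the full report
$report = Get-ProcessImageReport
$report | Where-Object { $_.SignatureStatus -ne 'Valid' } |
    Format-Table Path,ProcessNames,SignatureStatus -AutoSize
$report | Sort-Object Path |
    Export-Csv -Path ".\Process_Images_$($env:COMPUTERNAME).csv" -NoTypeInformation
```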

Get Service By Partial Name

Get-Service -Name Spoo*

Get Running Services

Get-Service | Where-Object { $_.Status -eq "Running" } | Select-Object Name,DisplayName,Status,CanStop | Sort-Object DisplayName

Get All Services and the Account They Run Under

Get-WmiObject -Class Win32_Service -Computer localhost | Select-Object Name,State,StartName | Sort-Object -Property @{Expression="StartName";Descending=$false},@{Expression="Name";Descending=$false}

5.3 Event Logs

5.3 Exercises

Get All Event Log Names

Get-WinEvent -ListLog * -ErrorAction SilentlyContinue;

Get the Latest 100 Items in the System Log

Get-WinEvent -LogName 'System' -MaxEvents 100;

Log Entry Types:

  • 0 = LogAlways
  • 1 = Critical
  • 2 = Error
  • 3 = Warning
  • 4 = Informational
  • 5 = Verbose

Keywords:

  • AuditFailure = 4503599627370496
  • AuditSuccess = 9007199254740992

Get the Latest 5 Errors in the System Log

Get-WinEvent -FilterHashtable @{ LogName='System'; Level=2; } -MaxEvents 5;

Get Application Log Entries Between Specific Times

Get-WinEvent -FilterHashtable @{ LogName='Application'; StartTime=(Get-Date).AddDays(-5); EndTime=(Get-Date).AddDays(-1); };

Get Failed Logins Over the Last 24 Hours (Requires Elevated Session)

Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=(Get-Date).AddDays(-1); Id='4625'; } | Format-List | more;
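The 4625 query above returns one record per failure; an added example (not part of the lab scripts) that pulls the account, source address and status fields out of the event XML and counts failures per combination, so a burst against one account or from one address is visible. It assumes an elevated session and a Threshold value chosen for the environment:

```powershell
# Added example: summarise failed logons (Event ID 4625) by target account,
# source address and NTSTATUS sub-status over the last N hours.
function Get-FailedLogonSummary {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [int]$Threshold = 10   # assumed cut-off; flag groups with this many failures or more
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($evt in $events) {
        # The named EventData fields are reliably reachable only through the XML
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [PSCustomObject]@{
            TimeCreated   = $evt.TimeCreated
            TargetUser    = $data['TargetUserName']
            TargetDomain  = $data['TargetDomainName']
            LogonType     = $data['LogonType']        # 3 = network, 10 = RDP, ...
            SourceAddress = $data['IpAddress']
            Workstation   = $data['WorkstationName']
            Status        = $data['Status']           # e.g. 0xC000006D logon failure
            SubStatus     = $data['SubStatus']        # e.g. 0xC000006A wrong password, 0xC0000064 no such user
        }
    }

    $rows | Group-Object -Property TargetUser, SourceAddress, SubStatus | ForEach-Object {
        $first = $_.Group | Select-Object -First 1
        [PSCustomObject]@{
            TargetUser    = $first.TargetUser
            SourceAddress = $first.SourceAddress
            SubStatus     = $first.SubStatus
            Failures      = $_.Count
            FirstSeen     = ($_.Group.TimeCreated | Measure-Object -Minimum).Minimum
            LastSeen      = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
            OverThreshold = ($_.Count -ge $Threshold)
        }
    } | Sort-Object -Property Failures -Descending
}

Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
```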

Get Successful Logins Over the Last 24 Hours (Requires Elevated Session)

Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=(Get-Date).AddDays(-1); Id='4624'; };

Get All Audit Failures in the Past Week

Get-WinEvent -FilterHashtable @{ LogName=@('Security'); Keywords=@(4503599627370496); StartTime=(Get-Date).AddDays(-7); } | Format-List | more

Get Provider Names for Application, System, and Security Logs (Requires Elevated Session)

Get-WinEvent -ListLog @('Application','System','Security') | Select-Object LogName, @{Name="Providers"; Expression={$_.ProviderNames | Sort-Object }} | Foreach-Object { Write-Output("`r`n---- " + $_.LogName + " ----`r`n"); $_.Providers }; 

Get Group Policy Related Entries in System Log in the Last 24 Hours

Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Microsoft-Windows-GroupPolicy'; StartTime=(Get-Date).AddDays(-1); } | Format-List | more;

Get All Sophos and Security Center Events in the Last 72 Hours (Requires Elevated Session)

Get-WinEvent -FilterHashtable @{ LogName=@('Application','System','Security'); ProviderName=@('HitmanPro.Alert','SAVOnAccess','SAVOnAccessControl','SAVOnAccessFilter','SecurityCenter'); StartTime=(Get-Date).AddDays(-3); } -ErrorAction SilentlyContinue | Format-List | more

Get All Critical or Error Entries from Application, System, and Security Logs in Last 24 Hours (Requires Elevated Session)

Get-WinEvent -FilterHashtable @{ LogName=@('Application','System','Security'); Level=@(1,2); StartTime=(Get-Date).AddDays(-1); };

5.4 Scheduled Tasks

5.4 Exercises

Show Scheduled Tasks

Get-ScheduledTask | Format-List

Get Scheduled Task By Name

Get-ScheduledTask -TaskName Adobe*

Show Schedule Information for Task

Get-ScheduledTask -TaskName Adobe* | Get-ScheduledTaskInfo

Show Execute Actions for All Scheduled Tasks

Get-ScheduledTask | Sort-Object -Property TaskName | Foreach-Object { Write-Output("`n" + $_.TaskName + ":"); Foreach ($ta in $_.Actions){$ta.execute}}
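The one-liner above prints only the Execute value; an added example (not part of the lab scripts) that gives one row per exec action with its arguments, the account and run level it runs under, and the run-time information from Get-ScheduledTaskInfo, exported to CSV in the style of Lesson 2:

```powershell
# Added example: flatten scheduled tasks to one row per exec action so the
# whole set can be reviewed in a spreadsheet (who runs what, from where, as whom).
function Get-ScheduledTaskActionReport {
    [CmdletBinding()]
    param(
        [switch]$IncludeDisabled
    )

    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        if (-not $IncludeDisabled -and $task.State -eq 'Disabled') { continue }

        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue

        foreach ($action in $task.Actions) {
            # COM-handler actions carry a ClassId and no Execute; skip those here
            if (-not $action.Execute) { continue }

            [PSCustomObject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                State       = $task.State
                RunAs       = $task.Principal.UserId
                RunLevel    = $task.Principal.RunLevel    # Limited or Highest
                Execute     = $action.Execute
                Arguments   = $action.Arguments
                WorkingDir  = $action.WorkingDirectory
                LastRunTime = if ($info) { $info.LastRunTime } else { $null }
                NextRunTime = if ($info) { $info.NextRunTime } else { $null }
                LastResult  = if ($info) { $info.LastTaskResult } else { $null }
            }
        }
    }
}

Get-ScheduledTaskActionReport |
    Sort-Object RunAs, TaskPath, TaskName |
    Export-Csv -Path ".\Scheduled_Task_Actions_$($env:COMPUTERNAME).csv" -NoTypeInformation
```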

Lesson 6

6.1 Remote Desktop Protocol (RDP)

6.1 Exercises

View RDP Configuration (If Not Set via GPO). Check the fDenyTSConnections Key: 0 = RDP Enabled, 1 = Disabled

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

Check Status of RDP Service

Get-Service -Name TermService | Format-List

Display information about users logged on to the system. Run with /? for Help

quser

Display information about Remote Desktop Services sessions. Run with /? for Help

qwinsta

6.2 Windows Updates

6.2 Exercises

Show Windows Update Log

Get-WindowsUpdateLog #Export File Goes to Desktop

View Last 50 Entries in Windows Update Log

Get-Content ([Environment]::GetFolderPath("Desktop") + "\WindowsUpdate.log") | Select-Object -Last 50

Get All Updates Installed in the Last 7 Days

Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-7) }

Get the First 10 Items in the Windows Update Log (Windows 7 and Older)

Get-Content $env:windir\windowsupdate.log | Select-Object -first 10

Display the Lines of the Windows Update Log that Have "Added Update" in Them (Windows 7 and Older)

Get-Content $env:windir\windowsupdate.log | Select-String "Added update"

6.3 Installed Software

6.3 Exercises

Get List of Installed 32-bit Software (Wow6432Node Hive on 64-bit Windows)

Get-ChildItem HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | Get-ItemProperty | Where-Object { $_.DisplayName -ne $null } | Select-Object DisplayName,DisplayVersion

Get List of Installed 64-bit Software

Get-ChildItem HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall | Get-ItemProperty | Where-Object { $_.DisplayName -ne $null } | Select-Object DisplayName,DisplayVersion

Installed Software Script Code

#Create An Array for Storing Installed Applications for Reporting
$arrInstldApps = @();

#Pull 32-bit Installed Applications on System and put them into Report Array
$arrInstldApps += Get-ChildItem HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | Get-ItemProperty | Where-Object { $_.DisplayName -ne $null } | Select-Object DisplayName,DisplayVersion;

#Pull 64-bit Installed Applications on System and Add them to Report Array
$arrInstldApps += Get-ChildItem HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall | Get-ItemProperty | Where-Object { $_.DisplayName -ne $null } | Select-Object DisplayName,DisplayVersion;

#Display Installed Applications
$arrInstldApps;

Lesson 7

7.1 Network Settings and Connections

7.1 Exercises

Show Network Adapters

Get-NetAdapter

Get Basic Network Settings

Get-NetIPConfiguration

Get IP Address Information

Get-NetIPAddress

Get TCP Connections

Get-NetTCPConnection

Show Established TCP Connections By Local Port

Get-NetTCPConnection -State Established | Sort-Object LocalPort
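Get-NetTCPConnection reports only the OwningProcess id; an added example (not part of the lab scripts) that joins each connection to the owning process name and executable path from Get-Process, so a listener or outbound connection can be tied to an image on disk:

```powershell
# Added example: TCP connections joined to their owning process via OwningProcess.
function Get-TcpConnectionOwner {
    [CmdletBinding()]
    param(
        [ValidateSet('Established','Listen')]
        [string]$State = 'Established'
    )

    # Index processes by id once instead of calling Get-Process per connection
    $procById = @{}
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object { $procById[$_.Id] = $_ }

    Get-NetTCPConnection -State $State -ErrorAction SilentlyContinue | ForEach-Object {
        # OwningProcess is UInt32; cast to Int32 so the hashtable key matches Get-Process Id
        $proc = $procById[[int]$_.OwningProcess]
        [PSCustomObject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            ProcessId     = $_.OwningProcess
            ProcessName   = if ($proc) { $proc.ProcessName } else { 'n/a' }
            Path          = if ($proc) { $proc.Path } else { $null }   # null when access is denied
        }
    }
}

# Outbound connections grouped by process, loopback excluded
Get-TcpConnectionOwner -State Established |
    Where-Object { $_.RemoteAddress -notin @('127.0.0.1','::1') } |
    Sort-Object ProcessName, RemoteAddress |
    Format-Table -AutoSize
```

Run it elevated to get Path for system-owned processes; otherwise those rows show the name only.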

Show Network Neighbors

Get-NetNeighbor

Get DNS Information (NSLookup)

Resolve-DnsName ucdavis.edu

Get Route Information

Get-NetRoute

Ping Remote System Only Once

Test-Connection -TargetName ucdavis.edu -Count 1

Ping Remote Hosts Only Once and Display Quick Status

@("1.1.1.1","4.2.2.2","8.8.4.4","8.8.8.8") | Foreach-Object { $pingStatus = Test-Connection $_ -Count 1 -Quiet; "$_ $pingStatus" }

Traceroute to Remote System

Test-Connection -TargetName ucdavis.edu -Traceroute

Test If Specific Port Is Open (Computer Name can be hostname or IP Address)

Test-NetConnection -ComputerName 127.0.0.1 -Port 4000

Test Network Connection By Port Common Name (Only Options HTTP, RDP, SMB, WINRM)

Test-NetConnection -ComputerName localhost -CommonTCPPort RDP

Test Network Connection (Ping and TraceRoute)

Test-NetConnection universityofcalifornia.edu -TraceRoute

Test Network Connection with Detailed Information

Test-NetConnection -ComputerName universityofcalifornia.edu -DiagnoseRouting -InformationLevel Detailed

Get MAC Addresses of All Network Adapters

Get-WmiObject -Class Win32_NetworkAdapter | Where-Object { $_.MACAddress -ne $null } | Select-Object Name,MACAddress | Sort-Object Name

Get All Assigned IPs

Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -ne $null} | Select-Object Description,IPAddress

7.2 Firewall Configuration

7.2 Exercises

Show Firewall Status

Get-NetFirewallProfile | Select-Object Name,Enabled

Get Firewall Rules Under Domain Profile

Get-NetFirewallProfile -Name Domain | Get-NetFirewallRule | More

Get Firewall Rules that Allow Inbound Traffic

Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow

7.3 Windows Remote Management

7.3 Exercises

Check Status of WinRM Service

Get-Service -Name WinRM
#Or
Test-WSMan

View WinRM Config (Requires Elevated Session)

Get-WSManInstance -ComputerName Localhost -ResourceURI winrm/config

Display WinRM Listener Information (Requires Elevated Session)

Get-WSManInstance -ComputerName Localhost -ResourceURI winrm/config/Listener -Enumerate

Lesson 8

8.1 Windows Defender

8.1 Exercises

View Current Defender Status

Get-MpComputerStatus
# How Would You Only Display the QuickScanStartTime, QuickScanEndTime, and QuickScanOverDue Properties?

View Active and Past Malware Threats that Windows Defender Detected

Get-MpThreatDetection

View Preferences for the Windows Defender Scans and Updates

Get-MpPreference

View All Defender Related Commands

Get-Command | Where-Object -Property Source -eq -Value "Defender"
# Which Command Would Start a Quick Scan On the Local System? 

8.2 Transport Layer Security (TLS)

8.2 Exercises

Show List of Enabled TLS Cipher Suites

Get-TlsCipherSuite

Show Only the AES Ciphers

Get-TlsCipherSuite -Name "AES"
# How Would You Just List the Names of the Ciphers?
# What Happens When You Run
Get-TlsCipherSuite | Select-Object Name;
# Let's Look at What the Get-TlsCipherSuite Command Returns. What is the TypeName Value
Get-TlsCipherSuite | Get-Member
# What Happens When You Run
Get-TlsCipherSuite | Foreach-Object { $_.Name  }
# Check Out the Help on Disabling a Cipher. Are You Able to Pipe In Get-TlsCipherSuite Object Result?
Get-Help Disable-TlsCipherSuite -Full
# Would The Below Code Disable the DES Cipher? 
Foreach($tcs in (Get-TlsCipherSuite -Name "DES")){ Disable-TlsCipherSuite -Name $tcs.Name }

8.3 BitLocker

8.3 Exercises

View BitLocker Volume (Requires Elevated Session)

Get-BitLockerVolume
# The BitLockerVolume Class Has More than 10 Properties. How Would You View All Of Them? 
# How Would You Only Display the "VolumeStatus" Property?
# Which Command Could You Run to Find The Other "BitLocker" Related Commands?

Lesson 9

9.1 Creating Custom Objects

9.1 Exercises

#Initializing Array to Hold Custom Objects
$arrReporting = @();

#Load Up 25 Custom Objects
foreach($n in 1..25)
{
    #Creating a Custom Object 
    $cstObject = New-Object PSObject -Property (@{name=""; weight=0; handed="";});

    #Load Dynamic Value
    $cstObject.name = "User" + $n;
    $cstObject.weight = 100 + $n;

    if($n % 5 -eq 0)
    { 
        $cstObject.handed = "left";
    }
    else 
    {
        $cstObject.handed = "right";
    }

    #Adding Custom Object to Array 
    $arrReporting += $cstObject;
}

#View Reporting Array
$arrReporting;

9.2 Ping IP Range

9.2 Exercises

<#
    Write a One-Liner to Ping a Class C Network and Report the Status of Each Ping.
    Extra Points for Pinging Each IP Only Once and Incorporating the "Quiet" Switch
#>

9.3 Plug and Play (PnP) Devices

9.3 Exercises

Show PnP Devices

Get-PnpDevice

Show PnP USB Devices

Get-PnpDevice -Class USB
<# 
Some PnP Device Classes
AudioEndpoint
Bluetooth
Camera
Image
Media
Monitor
Mouse
Net
PrintQueue
Processor
SecurityDevices
SmartCard
SoftwareDevice
USB
#>
# How Would You Display the Currently Present USB Devices?
# Which Command Could You Run to Display the Other PnP Device Related Commands?

Show PnP AudioEndpoint and Camera Device Properties

Get-PnpDevice -Class AudioEndpoint,Camera | Get-PnpDeviceProperty | Format-Table -AutoSize

Show Current PnP AudioEndpoint and Camera Device Friendly Name and Install Date Properties

Get-PnpDevice -Class AudioEndpoint,Camera -PresentOnly | Get-PnpDeviceProperty | Sort-Object InstanceId,KeyName | Where-Object -Property KeyName -in -Value "DEVPKEY_Device_FriendlyName", "DEVPKEY_Device_InstallDate" | Format-Table -AutoSize
<# 

Write a Script That Uses Custom Objects to Report the Friendly Names and Install Dates Of All Image and Media Devices Currently Present. 

Only One Custom Object Per InstanceId

Hint - The Group-Object Command is Your Friend

Export Custom Object Listing to CSV File (See Lesson 2)

#>

Lesson 10

10.1 Group Policy Results Report

10.1 Exercises

Display RSoP Summary Data (Requires Elevated Session)

GPResult /r /scope:computer
<#
    Write a One-Liner Using the GPResult Command that "Displays all available information about Group Policy"

    For Additional Points, Export Results to a Text File
#>

10.2 File Permissions and Processes Script

10.2 Exercises

Write a Script to Report the File Permissions and Active Process Counts of all Program Files Folders and the Windows Directory

#ProgramFiles                   C:\Program Files
#ProgramFiles(x86)              C:\Program Files (x86)
#windir                         C:\WINDOWS

#Array to Hold Current Processes
$arrCurrntProcesses = @();

#Load Array of Strings of Currently Running Process's Executable 
$arrCurrntProcesses = Get-Process -FileVersionInfo -ErrorAction "SilentlyContinue" | Select-Object FileName | Foreach-Object { $_.FileName.ToString().ToLower(); };

#Reporting Array for Locations to Check
$arrReportLTC = @();

#Reporting Array for Locations to Check Permissions
$arrReportLTCPerms = @();

#Array of Locations to Check
$arrLocsToCheck = @(${env:programfiles(x86)},${env:programfiles},${env:windir});

#Loop Through the Locations to Check
foreach($LocToCheck in $arrLocsToCheck)
{
    #Pull Directories Under the Locations to Check
    foreach($ltcFldr in (Get-ChildItem -Path $LocToCheck -Directory -Depth 0))
    {
        #Create Custom Location to Check Folder Object
        $cstLTCFlder = New-Object PSObject -Property (@{ Location=""; Running_Process_Count=0;});
        $cstLTCFlder.Location = $ltcFldr.FullName;

        #Var of LTC Folder to Lower with Extra "\"
        [string]$ltcFldrLoc = $ltcFldr.FullName.ToString().ToLower() + "\";

        foreach($crntPrcs in $arrCurrntProcesses)
        {
            if($crntPrcs.ToString().StartsWith($ltcFldrLoc) -eq $true)
            {
                #####################################
                # What Would We Want To Do Here?
                #####################################
            }

        }

        #Add Custom Object to Reporting Array
        $arrReportLTC += $cstLTCFlder;
        
        #Pull File System ACLs for Folder
        foreach($fsACL in (Get-Acl -Path $ltcFldr.FullName).Access)
        {
            #Create Custom Shared Folder ACL Object
            $cstFsACL = new-object PSObject -Property (@{ Location=""; IdentityReference=""; FileSystemRights=""; AccessControlType=""; IsInherited=""; });
            
            ############################################################
            # Load the Custom Object with File System ACL Information
            #
            #
            #
            #
            #
            #
            ############################################################

            #Add Custom Object to Reporting Array
            $arrReportLTCPerms += $cstFsACL;
        }

    }#End of Get-ChildItem Foreach

}#End of $arrLocsToCheck Foreach

#Var for System Name
[string]$sysName = (hostname).ToString().ToUpper();

#Var for Report Date
[string]$rptDate = (Get-Date).ToString("yyyy-MM-dd");

#Var for LTC Process Counts Report Name
[string]$rptNameProcessCount = ".\LTC_Process_Counts_on_" + $sysName + "_" + $rptDate + ".csv";

#Var for LTC ACL Report Name
[string]$rptNameACLs = ".\LTC_ACLs_on_" + $sysName + "_" + $rptDate + ".csv";

#Export LTC Process Count Report to CSV
$arrReportLTC| Sort-Object -Property Location | Select-Object -Property Location,Running_Process_Count | Export-Csv -Path $rptNameProcessCount -NoTypeInformation;

#########################################################
# Export LTC ACLs Report to CSV
#
# 
#
#########################################################

