Global Knowledge PowerShell Training

* [http://www.makeuseof.com/tag/boost-productivity-windows-powershell-scripts/ Boost Productivity with Windows PowerShell Scripts]
= Notes =
== Books ==
* Windows PowerShell Pocket Reference (O'Reilly)
* Windows PowerShell 2.0 Administrator's Pocket Consultant
* Windows PowerShell Programming for the Absolute Beginner
* http://www.powershell.com (3rd Party)
* [https://technet.microsoft.com/en-us/scriptcenter/bb410849.aspx Microsoft ScriptCenter PowerShell]
* [http://technet.microsoft.com/scriptcenter PowerShell ScriptCenter]
= Day One Notes =
Different versions of PowerShell are available for different operating systems.  Microsoft is using PowerShell as a way to drive people to upgrade to the latest version of Windows.  Newer versions of PowerShell work better with newer versions of Microsoft Windows.
== Objects ==
get-process | get-member
Get-Member will output the member properties for an Object
get-service | Format-Table *
get-service spooler | Format-list
dir | get-member
get-service | format-table status,name | get-member
Here Get-Member describes the formatting objects emitted by Format-Table, not the Get-Service objects.
Format-Table/Format-List should usually be the LAST command in a pipeline.
get-service | sort-object -property name
get-process | sort Name,ID
get-process | sort VM -Descending  (or -desc; parameter names can be abbreviated as long as the abbreviation is unique)
Will open three instances of NotePad.exe
get-process | sort Name,ID | format-list
get-process | measure -property VM
get-process | measure -property VM -Sum -Average -Maximum -Minimum
get-process | ft Name,VM,PM
get-process | format-table Name,VM,PM
Can't sort this by VM now because it's been destroyed by the Format-Table command.
You have to change how you sort.
Get-Process | Select-Object Name,VM,PM | Sort VM -desc
The Select-Object command extracts the Name, VM and PM properties and preserves them as objects for later pipeline stages.
get-process | sort vm -desc | select-object name,vm,pm -First 10
Top 10 memory consumers.
Get-Process | Select-Object Name,@{l="VM(MB)";e={$_.vm / 1mb}}
= Day Two Notes =
Remember that the Get-Member cmdlet will display the properties for a given object.
Get-Date | Get-Member
Display the Help for an object in a separate window.
Help <object> -ShowWindow
The SELECT-OBJECT component will allow you to filter the results returned.
Get-DHCPServerv4Scope -ComputerName LON-DC1 | Select-Object -Property ScopeID,SubnetMask,Name
== Filtering Objects ==
Comparison operators are not the usual symbols (=, >, <, etc.). Each has a case-sensitive form prefixed with "c":
* Equal: -eq, -ceq
* Inequality: -ne, -cne
* Greater than: -gt, -cgt
* Less than: -lt, -clt
* Like: -like (allows the wildcards * and ?)
HELP About_*
HELP about_Comparison_Operators
== Where-Object ==
There are version compatibility issues with Where-Object/Where commands.
WHERE-OBJECT is aliased by WHERE and by ?
PowerShell 3/4 - Cannot handle the complex queries shown below
Get-Service | Where Status -eq Running
PowerShell 3/4 - AKA Advanced Formatted Filter
Get-Service | Where-Object -Filter {$PSItem.Status -eq 'Running'}
PowerShell 2/3/4 - AKA Advanced Formatted Filter Command, works everywhere.
Get-Service | Where-Object -Filter {$_.Status -eq 'Running' -and $_.Name -like "*win*"}
== Object Enumeration in the Pipeline ==
=== For Each Enumeration ===
$MyServices = Get-Service
$MyServices | ForEach-Object Name
Outputs just the Service Names (% and ForEach are Aliases for ForEach-Object)
$MyServices.Name (works in versions greater than v2.0)
These two versions present different output. Try them.
$MyServices | ForEach-Object {Write "The service name is:" $_.Name}
$MyServices | ForEach-Object {Write "The service name is: $($_.Name)"}
$MyServices | where {$_.Name -eq "Spooler"}
$MyServices | where {$_.name -eq "Spooler"} | forEach {$_.stop()}
Simplest version of this ...
$MyServices | ? Name -eq Spooler | % -MemberName Stop
Get-ChildItem -Path C:\Example -File | ForEach-Object -MemberName Encrypt
Get-ChildItem C:\Test -File | ForEach-Object {$_.Encrypt()}
get-aduser -Filter *
get-aduser -filter * -SearchBase "cn=Users,dc=Adatum,dc=com"
get-EventLog -LogName Security | where EventID -eq 4624
get-EventLog -LogName Security | where EventID -eq 4624 | Select TimeWritten,EventID,Message
get-EventLog -LogName Security | where EventID -eq 4624 | Select TimeWritten,EventID,Message | ConvertTo-HTML | Out-File EventReport.html
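An added example, not part of the course notes: Get-EventLog returns the 4624 details only as one Message string, so this sketch reads the named fields from the event XML instead, which makes logon type and source address filterable. The function name Get-LogonSummary and the two sample events are constructed for illustration; it assumes PowerShell 3 or later.

```powershell
# Added example. Get-LogonSummary and the sample events below are constructed for illustration.
function Get-LogonSummary {
    [CmdletBinding()]
    param(
        # Event XML strings, e.g. from:
        #   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 50 |
        #       ForEach-Object { $_.ToXml() }
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$EventXml
    )
    process {
        foreach ($text in $EventXml) {
            $doc = [xml]$text
            # Skip anything that is not a successful-logon event
            if ($doc.GetElementsByTagName('EventID')[0].InnerText -ne '4624') { continue }
            # Index the <Data Name="..."> fields by name rather than by position
            $data = @{}
            foreach ($d in $doc.GetElementsByTagName('Data')) {
                $data[$d.GetAttribute('Name')] = $d.InnerText
            }
            $time = $doc.GetElementsByTagName('TimeCreated')[0].GetAttribute('SystemTime')
            [pscustomobject]@{
                TimeCreated = [datetime]$time
                Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType   = [int]$data['LogonType']
                SourceIP    = $data['IpAddress']
            }
        }
    }
}

# Constructed sample events (trimmed to the fields used above)
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><EventID>4624</EventID><TimeCreated SystemTime="{0}"/></System>' +
    '<EventData><Data Name="TargetUserName">{1}</Data>' +
    '<Data Name="TargetDomainName">ADATUM</Data><Data Name="LogonType">{2}</Data>' +
    '<Data Name="IpAddress">{3}</Data></EventData></Event>'
$sample = @(
    $template -f '2024-01-15T08:30:00Z', 'alice', 10, '192.0.2.10'
    $template -f '2024-01-15T08:31:00Z', 'svc-backup', 5, '-'
    $template -f '2024-01-15T08:32:00Z', 'bob', 3, '192.0.2.44'
)

# Keep network (3) and RemoteInteractive/RDP (10) logons; the service logon (5) is dropped
$sample | Get-LogonSummary |
    Where-Object { $_.LogonType -in 3, 10 } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize      # formatting stays last in the pipeline
```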
Get-ChildItem -Path CERT: -recurse
Get-ChildItem -Path CERT: -recurse | Get-Member
Get-ChildItem -Path CERT: -recurse | where HasPrivateKey -eq $False
Get-ChildItem -Path CERT: -Recurse | Where {$_.HasPrivateKey -eq $False -and $_.NotAfter -gt (Get-Date) -and $_.NotBefore -lt (Get-Date)}
Get-ChildItem -Path CERT: -Recurse | Where {$_.HasPrivateKey -eq $False -and $_.NotAfter -gt (Get-Date) -and $_.NotBefore -lt (Get-Date)} | Select Issuer,NotBefore,NotAfter
Get-Volume | Where-Object {$_.SizeRemaining -gt 0}
Get-Volume | Where-Object {$_.SizeRemaining -gt 0 -and $_.SizeRemaining/$_.Size -lt .99 }
Get-Volume | Where-Object {$_.SizeRemaining -gt 0 -and $_.SizeRemaining/$_.Size -lt .1 }
Get-ControlPanelItem -Category 'System and Security'
Did not need to include the Where-Object item
Get-ChildItem -Path CERT: -Recurse
Get-ChildItem -Path CERT: -Recurse | Get-Member
Get-ChildItem -Path CERT: -Recurse | ForEach GetKeyAlgorithm
Get-WmiObject -Class Win32_OperatingSystem -EnableAllPrivileges
Get-WmiObject -Class Win32_OperatingSystem -EnableAllPrivileges | Get-Member
Get-WmiObject -Class Win32_OperatingSystem -EnableAllPrivileges | ForEach Reboot
1..100 | ForEach { Get-Random -SetSeed $_ }
=== Module 3 ===
GM is an Alias for Get-Member!
=== Module 4 ===
get-adcomputer -Filter * | select @{l="Computername";e={$_.Name}}
CD Alias:
New-PSDrive -Name AlphaTest -PSProvider FileSystem -Root \\Alpha\Test
New-PSDrive -Name T -PSProvider FileSystem -Root \\Alpha\Test -Persist
The second New-PSDrive command (with -Persist) will actually map a Windows drive T:.  With -Persist, the name MUST be a single letter.
=== Module 5 ===
dir c:\windows\system32 | format-wide -auto
dir c:\windows\system32 | format-wide -column 4
get-service spooler | format-list -Property *
get-service spooler | format-table -Property Name,DisplayName,status -auto
get-service | format-table -Property Name,status,canstop,canshutdown,canpause,DisplayName -auto -wrap
get-process | Format-Table -Property Name,ID,@{n='VM(MB)';e={$_.VM / 1MB};formatString='N2';align='right'} -AutoSize
get-service | sort-object status,name | format-table -groupby status
get-service spooler,winrm,bits -computerName TEM-RELAY-001 | ft MachineName,Status,Name,DisplayName
get-service spooler,winrm,bits -computerName TEM-RELAY-001,TEM-RELAY-047 | Sort MachineName,Status,Name | ft -GroupBy MachineName
get-service | out-gridview -OutputMode Multiple
get-process | out-gridview -Outputmode multiple | Stop-Process -Force
Get-ChildItem -Path C:\Windows\*.exe | Sort-Object -Property Length -Descending | Format-Table -Property Name,@{n='Size(KB)';e={$PSItem.Length / 1KB};formatString='N2'} -AutoSize
Get-ChildItem -Path C:\Windows\*.exe | Sort -Property Length -Descending | FT -Property Name,@{n='Size(KB)';e={$_.Length / 1KB};formatString='N2'} -AutoSize
Get-EventLog -LogName Security -Newest 20 | Select-Object -Property *,@{n='TimeDifference';e={$PSItem.TimeWritten - $PSItem.TimeGenerated}} | Sort-Object -Property TimeDifference -Descending | Format-Table -Property EventID,TimeDifference -AutoSize
Get-EventLog -LogName Security -Newest 20 | Select -Property *,@{n='TimeDifference';e={$_.TimeWritten - $_.TimeGenerated}} | Sort -Property TimeDifference -Descending | FT -Property EventID,TimeDifference -AutoSize
= Comment Based Help =
help about_comment*
Allows comments in the code to become part of the integrated Help system in PowerShell!!
= Functions =
function AddMe ($Num1, $Num2) {
# Only the value passed to Return ends up in the function's output
$Answer = $Num1 + $Num2
Write-Host "This is not part of the answer"
Write-Verbose "This is not part of the answer"
Write-Debug "This is not part of the answer"
Return $Answer
}
# Same function with the parameters declared in a Param block
function AddMe {
Param (
  $Num1, $Num2
)
$Answer = $Num1 + $Num2
Write-Host "This is not part of the answer"
Write-Verbose "This is not part of the answer"
Write-Debug "This is not part of the answer"
Return $Answer
}
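An added example, not part of the course notes, that combines the two topics above: a function carrying comment-based help, with [CmdletBinding()] so that the Verbose and Debug messages can be switched on per call. The name Add-Number is hypothetical; it assumes PowerShell 3 or later.

```powershell
# Added example; Add-Number is a hypothetical name, not from the course notes.
function Add-Number {
    <#
    .SYNOPSIS
        Adds two numbers and returns the sum.
    .DESCRIPTION
        Shows which Write-* cmdlets feed the output stream and which do not.
    .PARAMETER Num1
        First addend.
    .PARAMETER Num2
        Second addend.
    .EXAMPLE
        Add-Number -Num1 2 -Num2 3 -Verbose
    #>
    [CmdletBinding()]          # enables -Verbose and -Debug on this function
    param(
        [Parameter(Mandatory)][double]$Num1,
        [Parameter(Mandatory)][double]$Num2
    )
    $answer = $Num1 + $Num2
    Write-Host    "Host message: displayed, but not part of the return value"
    Write-Verbose "Verbose message: displayed only with -Verbose"
    Write-Debug   "Debug message: displayed only with -Debug"
    return $answer             # the only value placed on the output stream
}

# The variable receives only the sum; the messages go to their own streams
$sum = Add-Number -Num1 2 -Num2 3 -Verbose
$sum

# The comment block above is what the help system displays
Get-Help Add-Number -Full
```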
= EOF =

General Information about PowerShell


Two versions of the PowerShell interface.

  • Console
    • Basic Command-Line
    • Maximum support for PowerShell
    • Minimal editing capabilities
  • ISE
    • Script Editor and Console Combination
    • Some PowerShell features not supported
    • Rich editing cap
  • Third Party hosting apps/Editors

help dir -Online

help dir -ShowWindow

The "-WhatIf" option will allow you to "Dry Run" a command that might modify something on the system.

The "-Confirm" option allows for a Y/N query per item for any command that MODIFIES the system.
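An added example, not part of the course notes, showing how a function of your own honors -WhatIf and -Confirm through SupportsShouldProcess. The function name Remove-OldLog and the scratch folder are constructed for illustration; it assumes PowerShell 3 or later.

```powershell
# Added example; Remove-OldLog and the scratch folder are constructed for illustration.
function Remove-OldLog {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$OlderThanDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-ChildItem -Path $Path -Filter *.log |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            # ShouldProcess returns $false under -WhatIf, or when the user
            # answers No to the -Confirm prompt, so the delete is skipped
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete log file')) {
                Remove-Item -LiteralPath $_.FullName
            }
        }
}

# Constructed test data: one old and one fresh log in a scratch folder
$dir = Join-Path ([IO.Path]::GetTempPath()) 'whatif-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$old = New-Item -ItemType File -Path (Join-Path $dir 'old.log') -Force
$old.LastWriteTime = (Get-Date).AddDays(-90)
New-Item -ItemType File -Path (Join-Path $dir 'new.log') -Force | Out-Null

Remove-OldLog -Path $dir -WhatIf        # dry run: reports the target, deletes nothing
Test-Path (Join-Path $dir 'old.log')    # the old log is still present after the dry run
Remove-OldLog -Path $dir                # real run: removes old.log, keeps new.log
Get-ChildItem -Path $dir
```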


get-command | measure-object

get-command | out-gridview

Show-Command Get-ChildItem

The backtick character (on the key above TAB) is the line-continuation character.

help dir `
-ShowWindow

is the same as

help dir -ShowWindow

get-service | sort-object -Property Status | Out-File Service.txt

same as ...

get-service | sort-object -Property Status > C:\Service.txt

get-service | sort-object -Property Status | Out-File Service.txt -Append

same as ...

get-service | sort-object -Property Status >> C:\Service.txt

