Skip to content

Latest commit

 

History

History
499 lines (345 loc) · 14.2 KB

CommandHelp.md

File metadata and controls

499 lines (345 loc) · 14.2 KB

Command Help

Powershell and other commands and command samples are here primarily to quickly copy/paste them as needed, to recall things or to perform specific console tasks useful for Windows firewall development as opposed to running scripts.

In addition to the table below, see:

Windows PowerShell Cmdlets for Networking

Table of Contents

Store Apps

There are two categories:

  1. Apps - All other apps, installed in C:\Program Files\WindowsApps. There are two classes of apps:
    • Provisioned: Installed in user account the first time you sign in with a new user account.
    • Installed: Installed as part of the OS.
  2. System apps - Apps that are installed in the C:\Windows\* directory. These apps are integral to the OS.

List all system apps beginning with word "Microsoft"

Get-AppxPackage -PackageTypeFilter Main |
Where-Object { $_.SignatureKind -eq "System" -and $_.Name -like "Microsoft*" } |
Sort-Object Name | ForEach-Object {$_.Name}

List all provisioned Windows apps

Not directly useful, but returns a few more packages than Get-AppxPackage -PackageTypeFilter Bundle

Get-AppxProvisionedPackage -Online | Sort-Object DisplayName | Format-Table DisplayName, PackageName

Lists the app packages that are installed for specific user account on the computer

Get-AppxPackage -User User -PackageTypeFilter Bundle | Sort-Object Name | ForEach-Object {$_.Name}

Get specific package

Get-AppxPackage -User User | Where-Object {$_.PackageFamilyName -like "*skype*"} |
Select-Object -ExpandProperty Name

Reference App Management

Reference Get-AppxPackage

Get app details

(Get-AppxPackage -Name "*Yourphone*" | Get-AppxPackageManifest).Package.Capabilities

Update store apps

$NamespaceName = "root\cimv2\mdm\dmmap"
$ClassName = "MDM_EnterpriseModernAppManagement_AppManagement01"
$WmiObj = Get-WmiObject -Namespace $NamespaceName -Class $ClassName
$Result = $WmiObj.UpdateScanMethod()

OR

Get-CimInstance -Namespace "Root\cimv2\mdm\dmmap" `
-ClassName "MDM_EnterpriseModernAppManagement_AppManagement01" |
Invoke-CimMethod -MethodName UpdateScanMethod

Table of Contents

Users and computers

List all users

Get-WmiObject -Class Win32_UserAccount
[Enum]::GetValues([System.Security.Principal.WellKnownSidType])

List only users

Get-LocalGroupMember -name users
Get-LocalGroupMember -Group "Users"

Only Administrators

Get-LocalGroupMember -Group "Administrators"

Prompt user for credentials

Get-Credential

Computer information

Get-WMIObject -class Win32_ComputerSystem

Currently logged in user

user name, prefixed by its domain

[System.Security.Principal.WindowsIdentity]::GetCurrent().Name

Well known SID's

$Group = 'Administrators'
$account = New-Object -TypeName System.Security.Principal.NTAccount($Group)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

OR

[System.Security.Principal.WellKnownSidType]::NetworkSid

Computer name

[System.Net.Dns]::GetHostName()
Get-WMIObject -class Win32_ComputerSystem | Select-Object -ExpandProperty Name

Table of Contents

CIM (Common Information Model)

CIM classes

Get-CimClass -Namespace root/CIMV2 |
Where-Object CimClassName -like Win32* |
Select-Object CimClassName

CIM Cmdlets

Get-Command -Module CimCmdlets

Table of Contents

Network interfaces

All possible adapters and their relevant info

Get-NetadApter -IncludeHidden | Select-Object -Property Name, InterfaceIndex, InterfaceAlias, `
InterfaceDescription, MediaConnectionState, Status, HardwareInterface, Hidden, Virtual, `
AdminStatus, ifOperStatus, ConnectionState

Physical, virtual and loopback IP interfaces

Get-NetIPInterface -IncludeAllCompartments | Select-Object -Property InterfaceIndex, `
InterfaceAlias, AddressFamily, ConnectionState, Store

All adapters configured with an IP regardless of connection state

Loopback and probably hidden adapters are not shown

Get-NetIPConfiguration -AllCompartments -Detailed

Table of Contents

git and GitHub

Repository creation date

To figure out the date and time some repository was created run curl against following URL format:

https://api.github.com/repos/<REPO_OWNER>/<REPO_NAME>

For example to see creation date and time of this repository run:

curl https://api.github.com/repos/metablaster/WindowsFirewallRuleset |
ConvertFrom-Json | Select-Object -ExpandProperty "created_at"

Go to first commit on GitHub

Get first commit SHA with git log --reverse

Copy SHA and paste into "Search or Jump to..." on GitHub, search "In this repository"

Clean up repository

git clean -d -x --dry-run
git clean -d -x -f

git prune --dry-run
git prune

git repack -d -F

Table of Contents

Troubleshooting

Commands useful to troubleshoot random issues

Get rule special properties

Update PolicyStore, DisplayGroup and Direction before running

Get-NetFirewallRule -PolicyStore PersistentStore -DisplayGroup "Network Discovery" `
-Direction Outbound | Select-Object DisplayName, PolicyDecisionStrategy, ConditionListType, `
ExecutionStrategy, SequencedActions, Profiles, LocalOnlyMapping, LooseSourceMapping

Get new services

Quickly detect which services started after some system state change

$ReferenceServices = Get-Service | Where-Object -Property Status -eq "Running"
($ReferenceServices | Measure-Object).Count

$DifferenceServices = Get-Service | Where-Object -Property Status -eq "Running"
($DifferenceServices | Measure-Object).Count

$NewServices = Compare-Object -ReferenceObject $ReferenceServices -DifferenceObject $DifferenceServices
$NewServices | Select-Object -ExpandProperty InputObject

Gpg agent does not work

Problem:

gpg: can't connect to the agent

Fix:

gpgconf --kill gpg-agent
gpgconf --launch gpg-agent

If not working:

gpgconf: error running 'C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe'

Then close down all programs, open new PowerShell or CMD console instance and run the fix again but with pause of at least 5 seconds between each command.

Table of Contents

Code design and development

Most useful commands for design

Get type accelerators

[PSCustomObject].Assembly.GetType("System.Management.Automation.TypeAccelerators")::get.GetEnumerator() | Sort-Object Key

Get approved verbs

# PowerShell Core
Get-Verb | Select-Object Verb, Group, Description | Sort-Object Verb

# Windows PowerShell
Get-Verb | Select-Object Verb, Group | Sort-Object Verb

Invoke PSScriptAnalyzer

Invoke-ScriptAnalyzer -Path .\ -Recurse -Settings Config\PSScriptAnalyzerSettings.psd1 |
Format-List -Property Severity, RuleName, RuleSuppressionID, Message, Line, ScriptPath

Add or use types from .NET assembly in PowerShell

Add-Type -AssemblyName "System.Management.Automation"
using namespace System.Management.Automation

Get function definition

Quickly see definition of some function to learn it's implementation

Get-ChildItem function:

(Get-ChildItem function:Get-GitStatus).Definition

Table of Contents

Firewall and rule management

Get a list of predefined rule groups

Get-NetFirewallRule -PolicyStore SystemDefaults | Sort-Object -Unique Group |
Sort-Object DisplayGroup | Format-Table DisplayGroup, Group

Apply predefined rules to GPO

Apply "Remote Assistance" predefined rules to GPO firewall (both inbound and outbound)

Get-NetFirewallRule -PolicyStore SystemDefaults -Group "@FirewallAPI.dll,-33002" `
-PolicyStoreSourceType Local | Copy-NetFirewallRule -NewPolicyStore ([Environment]::MachineName)

Same but by referencing by DisplayGroup

Get-NetFirewallRule -PolicyStore SystemDefaults -DisplayGroup "Network Discovery" `
-PolicyStoreSourceType Local | Copy-NetFirewallRule -NewPolicyStore ([Environment]::MachineName)

Temporarily toggle all blocking rules

To quickly troubleshoot packet drop, should be used in conjunction with allowing default inbound and outbound.

$Rules = Get-NetFirewallRule -PolicyStore ([environment]::MachineName) |
Where-Object { $_.Action -eq "Block" -and $_.Enabled -eq "True" }

Disable-NetFirewallRule -InputObject $Rules
Enable-NetFirewallRule -InputObject $Rules

Table of Contents

Package provider management

List of package providers that are loaded or installed but not loaded

Get-PackageProvider
Get-PackageProvider -ListAvailable

List of package sources that are registered for a package provider

Get-PackageSource

List of Package providers available for installation

Find-PackageProvider -Name Nuget -AllVersions
Find-PackageProvider -Name PowerShellGet -AllVersions -Source "https://www.powershellgallery.com/api/v2"

Install package provider

-Scope AllUsers (Install location for all users)

"$env:ProgramFiles\PackageManagement\ProviderAssemblies"

-Scope CurrentUser (Install location for current user)

"$env:LOCALAPPDATA\PackageManagement\ProviderAssemblies"
Install-PackageProvider -Name Nuget -Verbose -Scope CurrentUser
# Install-PackageProvider -Name PowerShellGet -Verbose -Scope CurrentUser

Table of Contents

Module management

# TODO: Package and module management

Table of Contents

Windows System

Specifc system wide commands that are useful for firewall management

Clear event logs

WFP and PowerShell may generate log entries

NOTE: All credits to How to Clear All Event Logs in Event Viewer in Windows

Get-WinEvent -ListLog * | Where-Object { $_.RecordCount } | ForEach-Object {
  [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
}

Table of Contents