{"id":19374392,"url":"https://github.com/ucdavis/windows_system_analysis_lab","last_synced_at":"2026-05-13T01:34:03.950Z","repository":{"id":117041139,"uuid":"378520964","full_name":"ucdavis/Windows_System_Analysis_Lab","owner":"ucdavis","description":"PowerShell for Windows System Analysis Lab","archived":false,"fork":false,"pushed_at":"2023-06-16T15:05:40.000Z","size":108,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":7,"default_branch":"main","last_synced_at":"2026-01-30T22:59:54.683Z","etag":null,"topics":["beginner","powershell","windows"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ucdavis.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-06-19T23:16:39.000Z","updated_at":"2023-06-15T14:57:25.000Z","dependencies_parsed_at":null,"dependency_job_id":"150f1aac-024d-46c3-910a-a80a68a4a4df","html_url":"https://github.com/ucdavis/Windows_System_Analysis_Lab","commit_stats":null,"previous_names":["ucdavis/windows_system_analysis_lab"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ucdavis/Windows_System_Analysis_Lab","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ucdavis%2FWindows_System_Analysis_Lab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ucdavis%2FWindows_System_Analysis_Lab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ucdavis%2FWindows_System_Analysis_Lab/releases","manifests_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/ucdavis%2FWindows_System_Analysis_Lab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ucdavis","download_url":"https://codeload.github.com/ucdavis/Windows_System_Analysis_Lab/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ucdavis%2FWindows_System_Analysis_Lab/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32964050,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-12T23:30:32.555Z","status":"ssl_error","status_checked_at":"2026-05-12T23:30:18.191Z","response_time":102,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["beginner","powershell","windows"],"created_at":"2024-11-10T08:35:02.389Z","updated_at":"2026-05-13T01:34:03.927Z","avatar_url":"https://github.com/ucdavis.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"## PowerShell for Windows System Analysis Lab\n\nTen sessions offered for learning to use PowerShell to analyze Windows system configuration.\n\n**All lab exercises and descriptions are listed in the README**. \n\nThe lesson script files are designed to only be used as a downloadable reference. 
\n\nAt the beginning of each script is an \"exit\" command to prevent an accidental run\n\n\n## Lesson 1\n\n### 1.1 Transcripts \n\n\u003cdetails\u003e\n\u003csummary\u003e1.1 Exercises\u003c/summary\u003e\n\n\nStart a Transcript File\n```powershell\nStart-Transcript\n```\n```powershell\n# Default Location C:\\Users\\userID\\Documents\\PowerShell_transcript.NNNNNN.NNNNNNNNNNN.txt\n```\nStart Transcript with Custom Name\n```powershell\nStart-Transcript \"MyTranscript.txt\"\n```\nOr for the File to Be Placed in a Specific Directory\n```powershell\nStart-Transcript C:\\Script_Runs\\MyTranscript.txt\n```\nTo Stop the Transcript from Recording Commands and Output\n```powershell\nStop-Transcript\n```\n\u003c/details\u003e\n\n### 1.2 PowerShell Version\n\n\u003cdetails\u003e\n\u003csummary\u003e1.2 Exercises\u003c/summary\u003e\n\n\nView PowerShell Version\n```powershell\n$PSVersionTable\n```\n\u003c/details\u003e\n\n### 1.3 Cmdlets and Modules\n\n\n\u003cdetails\u003e\n\u003csummary\u003e1.3 Exercises\u003c/summary\u003e\n\nCmdlet Format -eq action-noun\n```powershell\nGet-Command -Noun service\n```\nGet All Commands by a Certain Action\n```powershell\nGet-Command -Verb start\n```\nGet All Currently Loaded Cmdlets\n```powershell\nGet-Command -CommandType Cmdlet\n```\nUpdate Help Before Using It\n```powershell\nUpdate-Help\n```\nBasic Help Information for Cmdlet\n```powershell\nGet-Help Get-Process\n```\nOnline Help for a Cmdlet\n```powershell\nGet-Help Get-Process -Online\n```\nHelp with Examples\n```powershell\nGet-Help Get-Process -examples\n```\nHelp Full Listing\n```powershell\nGet-Help Get-Process -Full\n```\nHelp About a Certain Subject\n```powershell\nGet-Help about_operators\n```\nList All Help About Topics\n```powershell\nGet-Help about_*\n```\nGet All PowerShell Modules Available on System\n```powershell\nGet-Module -ListAvailable\n```\nImport Module in Current PowerShell Session\n```powershell\nImport-Module DnsClient\n```\nGet All Commands in a Module (Should Only Be Used 
After Importing)\n```powershell\nGet-Command -Module DnsClient\n```\nFind the .NET Object Type Returned by a Cmdlet\n```powershell\nGet-Process | Get-Member\n```\nList All Aliases\n```powershell\nGet-Alias\n```\nLook for a Specific Alias\n```powershell\nGet-Alias -Definition Stop-Process\n```\nCreate an Alias\n```powershell\nNew-Alias -Name \"Gunrock\" Get-ChildItem\n```\n\n\u003c/details\u003e\n\n### 1.4 Pipeline\n\n\n\u003cdetails\u003e\n\u003csummary\u003e1.4 Exercises\u003c/summary\u003e\n\nCommand to Find If a Cmdlet Allows for Piping (Check the Accept Pipeline Input Property Under Parameters) \n```powershell\nGet-Help Get-Process -full | more \n```\nUsing Out-File to Get Resource Info on the Pipeline\n```powershell\nGet-Help About_pipeline | Out-File about_pipeline.txt\n```\nGet All Processes and Then Sort by Process Name (Descending)\n```powershell\nGet-Process | Sort-Object ProcessName -descending\n```\nStop All Notepad Processes and Log the Process Collection Before Stopping\n```powershell\nGet-Process notepad | Tee-Object -file Notepad_Processes.txt | Stop-Process\n```\nGet All Services That Are Running, Then Only Show the Display Name\n```powershell\nGet-Service | Where-Object { $_.Status -eq \"Running\" } | ForEach-Object { $_.DisplayName }\n```\nQuick Way to Report on File Types in a Folder\n```powershell\nGet-ChildItem | Group-Object -property extension\n```\n\n\u003c/details\u003e\n\n## Lesson 2\n\n### 2.1 Script Execution Policy\n\n\u003cdetails\u003e\n\u003csummary\u003e2.1 Exercises\u003c/summary\u003e\n\nGet Current Policy\n```powershell\nGet-ExecutionPolicy\n```\nSet the Script Execution Policy for Current User \n```powershell\nSet-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser\n```\n\n\u003c/details\u003e\n\n### 2.2 Outputs\n\n\n\u003cdetails\u003e\n\u003csummary\u003e2.2 Exercises\u003c/summary\u003e\n\nTo Get All the Format Object Commands\n```powershell\nGet-Command -verb format\n```\nGet All Processes in a GUI Gridview\n```powershell\nGet-Process | Out-GridView\n```\nOutput 
Sent to a File\n```powershell\nGet-Service | Out-File Services.txt\n```\nQuick Array Sent to a File\n```powershell\n@(\"Server1\",\"Server2\",\"Server3\",\"Server4\") | Out-File servers.txt\n```\nService List Sent to Your Default Printer\n```powershell\nGet-Service | Out-Printer \n```\nRunning Service List With Only a Few Columns Exported to CSV\n```powershell\nGet-Service | Where-Object { $_.Status -eq \"Running\" } | Select-Object Name,DisplayName,Status,CanStop | Sort-Object DisplayName | Export-Csv running_services.csv -NoTypeInformation\n```\n\n\u003c/details\u003e\n\n### 2.3 Inputs\n\n\u003cdetails\u003e\n\u003csummary\u003e2.3 Exercises\u003c/summary\u003e\n\nPrompt User for Info\n```powershell\n$requiredData = Read-Host -prompt \"Enter Required Data\"\n```\nCreate String Array From a Text File \n```powershell\n$servers = Get-Content servers.txt\n```\nImport Data from a CSV File and Use a Specific Column From It\n```powershell\nImport-Csv running_services.csv | Foreach-Object { $_.DisplayName }\n```\n\n\u003c/details\u003e\n\n### 2.4 Errors\n\n\u003cdetails\u003e\n\u003csummary\u003e2.4 Exercises\u003c/summary\u003e\n\nThe Setting for Error Handling Is Stored in the $ErrorActionPreference Variable\nError Handling Options:\n- Continue = Output Error Message; Continue to Run Next Command (Default)\n- SilentlyContinue = Suppress Error Message; Continue to Run the Next Command\n- Stop = Halt the Execution\n- Inquire = Prompt User for Action to Perform\n\n```powershell\n$ErrorActionPreference = \"Continue\";\n```\nErrors that Occur During a PowerShell Session Are Stored in $error\n```powershell\n$error\n```\nEmpty Error Messages from $error\n```powershell\n$error.clear();\n```\nSome Cmdlets Support an -ErrorAction Parameter (It Only Applies to Errors Raised While Processing the Parameter Data, Not to Parameter Binding Errors)\nThese Won't Display an Error\n```powershell\nRemove-Item nothinghere -ErrorAction \"SilentlyContinue\";\n```\n```powershell\nStop-Process -ID 8888888 -ErrorAction \"SilentlyContinue\";\n```\n```powershell\n# This Will Still Produce an Error Because 
-ID Must Be an Int\n```\n```powershell\nStop-Process -ID NothingHere -ErrorAction \"SilentlyContinue\";\n```\n\n\n\u003c/details\u003e\n\n## Lesson 3\n\n### 3.1 Environment Variables\n\n\u003cdetails\u003e\n\u003csummary\u003e3.1 Exercises\u003c/summary\u003e\n\n\nView Environment Variables\n```powershell\nGet-ChildItem Env:\n```\nView Path Environment Variable\n```powershell\n$Env:path -split \";\"\n```\n\n\u003c/details\u003e\n\n### 3.2 File System\n\n\u003cdetails\u003e\n\u003csummary\u003e3.2 Exercises\u003c/summary\u003e\n\n\nNavigate with Set-Location (alias cd)\n```powershell\nSet-Location c:\\users\\$env:username\\Desktop\n```\nList Items in Current Directory\n```powershell\nGet-ChildItem\n```\nList Only Text Files\n```powershell\nGet-ChildItem -Filter *.txt\n```\nGet List of All \"Item\" Cmdlets\n```powershell\nGet-Command -noun item | Select-Object Name | Sort-Object Name | Out-File Item_Commands.txt\n```\nGet the Path of the Current Working Directory\n```powershell\n(Get-Location).Path\n```\nCheck to See If a Directory or File Exists\n```powershell\nTest-Path -Path c:\\sacramento\\kings.txt\n```\nGet List of All \"Content\" Cmdlets\n```powershell\nGet-Command -Noun Content\n```\nSearch for All Text Files on System Drive\n```powershell\nGet-Childitem -Path c:\\ -Filter *.txt -Recurse;\n```\nCreate a Folder\n```powershell\nNew-Item My_Scripts -ItemType Directory\n```\nCreate a Text File \n```powershell\nNew-Item .\\My_Scripts\\first_script.ps1 -ItemType File;\n```\nAdd Content to a File\n```powershell\nAdd-Content -Path .\\My_Scripts\\first_script.ps1 -Value \"Get-Service\";\n```\nMove or Rename a File\n```powershell\nMove-Item .\\My_Scripts\\first_script.ps1 .\\My_Scripts\\second_script.ps1;\n```\nGet Rights on Current Directory\n```powershell\nGet-Acl -Path . 
| Format-List\n```\nGet Access on Current Directory\n```powershell\n(Get-Acl -Path .).Access\n```\nGet the Owner of a Directory or File\n```powershell\n(Get-Acl -Path c:\\Intel\\Logs).Owner \n```\nList the NTFS Permissions of a File or Folder\n```powershell\n(Get-Acl -Path $env:programfiles).Access\n```\nShow Permissions in Friendly Format on Current Directory\n```powershell\n(Get-Acl -Path .).Access | Select-Object -ExpandProperty IdentityReference FileSystemRights | Format-Table Value,FileSystemRights\n```\nView File Hash\n```powershell\nGet-FileHash .\\Scary_Executable_I_Just_Downloaded.exe\n```\n\n\u003c/details\u003e\n\n### 3.3 PSDrive and Registry\n\n\n\u003cdetails\u003e\n\u003csummary\u003e3.3 Exercises\u003c/summary\u003e\n\n\nPS Drives\n```powershell\nGet-PSDrive\n```\nList PSDrive for Registry\n```powershell\nGet-PSDrive -PSProvider Registry\n```\nChange to HKEY\\_LOCAL\\_MACHINE\n```powershell\nSet-Location HKLM:\n```\nView Windows Current Version Information\n```powershell\nGet-ItemProperty -Path 'HKLM:\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion'\n```\nView RDP Port Number (Requires Admin Console)\n```powershell\n(Get-ItemProperty \"HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\").PortNumber\n```\nSystem Environment\n```powershell\nSet-Location env:\n```\n\n\u003c/details\u003e\n\n### 3.4 Searching File Contents\n\n\u003cdetails\u003e\n\u003csummary\u003e3.4 Exercises\u003c/summary\u003e\n\n\nCreate File to Search\n```powershell\nGet-Process | Out-File processes.txt\n```\nSearch a File for a Specific Term\n```powershell\nSelect-String \"svchost\" .\\processes.txt\n```\nSearch for String in File and Show One Line Before and Three Lines After\n```powershell\nSelect-String \"explorer\" .\\processes.txt -Context 1,3\n```\nSearch Multiple Files\n```powershell\nSelect-String \"explorer\" .\\process* \n```\n\n\u003c/details\u003e\n\n## Lesson 4\n\n### 4.1 System 
Information\n\n\u003cdetails\u003e\n\u003csummary\u003e4.1 Exercises\u003c/summary\u003e\n\n\nGet BIOS Information\n```powershell\nGet-WmiObject -Class Win32_BIOS -Computer localhost\n```\nGet Basic System Info\n```powershell\nGet-WmiObject -Class Win32_ComputerSystem -Computer localhost\n```\nGet Operating System Info\n```powershell\nGet-WmiObject -Class Win32_OperatingSystem -Computer localhost\n```\nGet Consolidated Object of System and Operating System Properties\n```powershell\nGet-ComputerInfo\n```\n\n\u003c/details\u003e\n\n### 4.2 Disk Information\n\n\u003cdetails\u003e\n\u003csummary\u003e4.2 Exercises\u003c/summary\u003e\n\n\nGet Disk Information\n```powershell\nGet-Disk | Format-List\n```\nShow Physical Disk Information\n```powershell\nGet-PhysicalDisk\n```\nGet Disk Information (Model and Size)\n```powershell\nGet-WmiObject -Class Win32_DiskDrive | ForEach-Object { Write-Output ($_.Model.ToString() + \" Size:\" + ($_.Size/1GB) + \"GB\") }\n```\nGet Logical Disk Info\n```powershell\nGet-WmiObject -Class Win32_LogicalDisk -Filter \"DriveType='3'\" -Computer localhost\n```\nShow Disk Partitions\n```powershell\nGet-Partition\n```\nGet Disk Volume Information\n```powershell\nGet-Volume | Format-Table\n```\nGet Fixed Volumes\n```powershell\nGet-Volume | Where-Object DriveType -eq \"Fixed\"\n```\nGet Volume Info (Windows 7)\n```powershell\nGet-WmiObject -Class Win32_Volume -Filter \"DriveType='3'\" | Select-Object Name\n```\nGet Share Info\n```powershell\nGet-SmbShare | Format-List\n```\nGet Share Info (Version 2)\n```powershell\nGet-WmiObject -Class Win32_Share -Computer localhost\n```\n\n\u003c/details\u003e\n\n### 4.3 Processor and Memory\n\n\u003cdetails\u003e\n\u003csummary\u003e4.3 Exercises\u003c/summary\u003e\n\n\nGet Processor Information\n```powershell\nGet-WmiObject -Class Win32_Processor | Select-Object Name,Description,NumberOfCores | Sort-Object Name\n```\nGet Number of Memory Slots\n```powershell\n(Get-WmiObject -Class 
Win32_PhysicalMemoryArray).MemoryDevices\n```\nRetrieve Memory Slot Allocations\n```powershell\nGet-WMIObject -Class Win32_PhysicalMemory | ForEach-Object { Write-Output ($_.DeviceLocator.ToString() + \" \" + ($_.Capacity/1GB) + \"GB\") };\n```\n\n\u003c/details\u003e\n\n### 4.4 Printer Information\n\n\u003cdetails\u003e\n\u003csummary\u003e4.4 Exercises\u003c/summary\u003e\n\n\nShow Printers\n```powershell\nGet-Printer\n```\nShow Local Printers\n```powershell\nGet-Printer | Where-Object { $_.Type -eq \"Local\" } | Format-Table -AutoSize\n```\nShow Printer Ports\n```powershell\nGet-PrinterPort\n```\n\n\u003c/details\u003e\n\n## Lesson 5\n\n### 5.1 Local Users and Groups\n\n\u003cdetails\u003e\n\u003csummary\u003e5.1 Exercises\u003c/summary\u003e\n\n\nShow Local Users\n```powershell\nGet-LocalUser\n```\nShow Local Groups\n```powershell\nGet-LocalGroup\n```\nShow Local Group Membership\n```powershell\nGet-LocalGroupMember -Group Administrators\n```\nShow Local Group Membership using Pipe\n```powershell\nGet-LocalGroup -Name 'Remote Desktop Users' | Get-LocalGroupMember\n```\nShow Local Profiles and Their SIDs\n```powershell\nGet-WmiObject win32_userprofile | Select-Object LocalPath,SID\n```\n\n\u003c/details\u003e\n\n### 5.2 Processes and Services\n\n\u003cdetails\u003e\n\u003csummary\u003e5.2 Exercises\u003c/summary\u003e\n\n\nGet Process By Partial Name\n```powershell\nGet-Process -Name Chrom*\n```\nView Processes by Highest CPU Usage\n```powershell\nGet-Process | Sort-Object CPU -Descending | more\n```\nView Processes by Highest Memory Usage\n```powershell\nGet-Process | Sort-Object WorkingSet -Descending | more\n```\nShow File Information for One of the Zoom Processes\n```powershell\nGet-Process -ProcessName 'Zoom' -FileVersionInfo | Format-List\n```\nGet Path to Process's Executable\n```powershell\nGet-Process -FileVersionInfo -ErrorAction \"SilentlyContinue\" | Select-Object OriginalFilename,FileVersionRaw,FileName | Sort-Object 
OriginalFilename\n#Or\nGet-WmiObject -Class Win32_Process -Computer localhost | Select-Object Name,Path | Sort-Object Name\n```\nGet Owner of the Process\n```powershell\nGet-WmiObject -Class Win32_Process -Computer localhost | Select-Object Name, @{Name=\"Owner\"; Expression={$_.GetOwner().User}} | Sort-Object Name\n```\nGet Service By Partial Name\n```powershell\nGet-Service -Name Spoo*\n```\nGet Running Services\n```powershell\nGet-Service | Where-Object { $_.Status -eq \"Running\" } | Select-Object Name,DisplayName,Status,CanStop | Sort-Object DisplayName\n```\nGet All Services and the Account They Run Under\n```powershell\nGet-WmiObject -Class Win32_Service -Computer localhost | Select-Object Name,State,StartName | Sort-Object -Property @{Expression=\"StartName\";Descending=$false},@{Expression=\"Name\";Descending=$false}\n```\n\n\u003c/details\u003e\n\n### 5.3 Event Logs\n\n\u003cdetails\u003e\n\u003csummary\u003e5.3 Exercises\u003c/summary\u003e\n\n\nGet All Event Log Names\n```powershell\nGet-WinEvent -ListLog * -ErrorAction SilentlyContinue;\n```\nGet the Latest 100 Items in the System Log\n```powershell\nGet-WinEvent -LogName 'System' -MaxEvents 100;\n```\nLog Entry Levels (the Level Value Used in Filters):\n- 0 = LogAlways\n- 1 = Critical\n- 2 = Error\n- 3 = Warning\n- 4 = Informational\n- 5 = Verbose\n\nKeywords:\n- AuditFailure = 4503599627370496\n- AuditSuccess = 9007199254740992\n\nGet the Latest 5 Errors in the System Log\n```powershell\nGet-WinEvent -FilterHashtable @{ LogName='System'; Level=2; } -MaxEvents 5;\n```\nGet Application Log Entries Between Specific Times\n```powershell\nGet-WinEvent -FilterHashtable @{ LogName='Application'; StartTime=(Get-Date).AddDays(-5); EndTime=(Get-Date).AddDays(-1); };\n```\nGet Failed Logins Over the Last 24 Hours (Requires Elevated Session)\n```powershell\nGet-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=(Get-Date).AddDays(-1); Id='4625'; } | Format-List | more;\n```\nGet Successful Logins Over the Last 24 Hours 
(Requires Elevated Session)\n```powershell\nGet-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=(Get-Date).AddDays(-1); Id='4624'; };\n```\nGet All Audit Failures in the Past Week\n```powershell\nGet-WinEvent -FilterHashtable @{ LogName=@('Security'); Keywords=@(4503599627370496); StartTime=(Get-Date).AddDays(-7); } | Format-List | more\n```\nGet Provider Names for Application, System, and Security Logs (Requires Elevated Session)\n```powershell\nGet-WinEvent -ListLog @('Application','System','Security') | Select-Object LogName, @{Name=\"Providers\"; Expression={$_.ProviderNames | Sort-Object }} | Foreach-Object { Write-Output(\"`r`n---- \" + $_.LogName + \" ----`r`n\"); $_.Providers }; \n```\nGet Group Policy Related Entries in the System Log in the Last 24 Hours\n```powershell\nGet-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Microsoft-Windows-GroupPolicy'; StartTime=(Get-Date).AddDays(-1); } | Format-List | more;\n```\nGet All Sophos and Security Center Events in the Last 72 Hours (Requires Elevated Session)\n```powershell\nGet-WinEvent -FilterHashtable @{ LogName=@('Application','System','Security'); ProviderName=@('HitmanPro.Alert','SAVOnAccess','SAVOnAccessControl','SAVOnAccessFilter','SecurityCenter'); StartTime=(Get-Date).AddDays(-3); } -ErrorAction SilentlyContinue | Format-List | more\n```\nGet All Critical or Error Entries from Application, System, and Security Logs in the Last 24 Hours (Requires Elevated Session)\n```powershell\nGet-WinEvent -FilterHashtable @{ LogName=@('Application','System','Security'); Level=@(1,2); StartTime=(Get-Date).AddDays(-1); };\n```\n\n\n\u003c/details\u003e\n\n### 5.4 Scheduled Tasks\n\n\u003cdetails\u003e\n\u003csummary\u003e5.4 Exercises\u003c/summary\u003e\n\n\nShow Scheduled Tasks\n```powershell\nGet-ScheduledTask | Format-List\n```\nGet Scheduled Task By Name\n```powershell\nGet-ScheduledTask -TaskName Adobe*\n```\nShow Schedule Information for Task\n```powershell\nGet-ScheduledTask -TaskName Adobe* | 
Get-ScheduledTaskInfo\n```\nShow Execute Actions for All Scheduled Tasks\n```powershell\nGet-ScheduledTask | Sort-Object -Property TaskName | Foreach-Object { Write-Output(\"`n\" + $_.TaskName + \":\"); Foreach ($ta in $_.Actions){$ta.execute}}\n```\n\n\u003c/details\u003e\n\n## Lesson 6\n\n### 6.1 Remote Desktop Protocol (RDP)\n\n\u003cdetails\u003e\n\u003csummary\u003e6.1 Exercises\u003c/summary\u003e\n\nView RDP Configuration (If Not Set via GPO). Check the fDenyTSConnections Value: 0 = RDP Enabled, 1 = RDP Disabled\n```powershell\nGet-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server'\n```\nCheck Status of RDP Service\n```powershell\nGet-Service -Name TermService | Format-List\n```\nDisplay Information About Users Logged On to the System. Run with /? for Help\n```powershell\nquser\n```\nDisplay Information About Remote Desktop Services Sessions. Run with /? for Help\n```powershell\nqwinsta\n```\n\n\u003c/details\u003e\n\n### 6.2 Windows Updates\n\n\u003cdetails\u003e\n\u003csummary\u003e6.2 Exercises\u003c/summary\u003e\n\nShow Windows Update Log\n```powershell\nGet-WindowsUpdateLog #Export File Goes to Desktop\n```\nView Last 50 Entries in Windows Update Log\n```powershell\nGet-Content ([Environment]::GetFolderPath(\"Desktop\") + \"\\WindowsUpdate.log\") | Select-Object -Last 50\n```\nGet All Updates Installed in the Last 7 Days\n```powershell\nGet-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-7) }\n```\nGet the First 10 Items in the Windows Update Log (Windows 7 and Older)\n```powershell\nGet-Content $env:windir\\windowsupdate.log | Select-Object -first 10\n```\nDisplay the Lines of the Windows Update Log that Have \"Added Update\" in Them (Windows 7 and Older)\n```powershell\nGet-Content $env:windir\\windowsupdate.log | Select-String \"Added update\"\n```\n\n\u003c/details\u003e\n\n### 6.3 Installed Software\n\n\u003cdetails\u003e\n\u003csummary\u003e6.3 Exercises\u003c/summary\u003e\n\n\nGet List of Installed 64 bit 
Software\n```powershell\nGet-ChildItem HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall | Get-ItemProperty | Where-Object { $_.DisplayName -ne $null } | Select-Object DisplayName,DisplayVersion\n```\nGet List of Installed 32 bit Software\n```powershell\nGet-ChildItem HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall | Get-ItemProperty | Where-Object { $_.DisplayName -ne $null } | Select-Object DisplayName,DisplayVersion\n```\nInstalled Software Script Code\n```powershell\n#Create An Array for Storing Installed Applications for Reporting\n$arrInstldApps = @();\n\n#Pull 32-bit Installed Applications on System and put them into Report Array\n$arrInstldApps = Get-ChildItem HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall | Get-ItemProperty | Where-Object { $_.DisplayName -ne $null } | Select-Object DisplayName,DisplayVersion;\n\n#Pull 64-bit Installed Applications on System and Add them to Report Array\n$arrInstldApps += Get-ChildItem HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall | Get-ItemProperty | Where-Object { $_.DisplayName -ne $null } | Select-Object DisplayName,DisplayVersion;\n\n#Display Installed Applications\n$arrInstldApps;\n```\n\n\u003c/details\u003e\n\n## Lesson 7\n\n### 7.1 Network Settings and Connections\n\n\u003cdetails\u003e\n\u003csummary\u003e7.1 Exercises\u003c/summary\u003e\n\n\nShow Network Adapters\n```powershell\nGet-NetAdapter\n```\nGet Basic Network Settings\n```powershell\nGet-NetIPConfiguration\n```\nGet IP Address Information\n```powershell\nGet-NetIPAddress\n```\nGet TCP Connections\n```powershell\nGet-NetTCPConnection\n```\nShow Established TCP Connections By Local Port \n```powershell\nGet-NetTCPConnection -State Established | Sort-Object LocalPort\n```\nShow Network Neighbors\n```powershell\nGet-NetNeighbor\n```\nGet DNS Information (NSLookup)\n```powershell\nResolve-DnsName ucdavis.edu\n```\nGet Route 
Information\n```powershell\nGet-NetRoute\n```\nPing Remote System Only Once\n```powershell\nTest-Connection -TargetName ucdavis.edu -Count 1\n```\nPing Remote Hosts Only Once and Display Quick Status\n```powershell\n@(\"1.1.1.1\",\"4.2.2.2\",\"8.8.4.4\",\"8.8.8.8\") | Foreach-Object { $pingStatus = Test-Connection $_ -Count 1 -Quiet; \"$_ $pingStatus\" }\n```\nTraceroute to Remote System\n```powershell\nTest-Connection -TargetName ucdavis.edu -Traceroute\n```\nTest If Specific Port Is Open (Computer Name can be hostname or IP Address)\n```powershell\nTest-NetConnection -ComputerName 127.0.0.1 -Port 4000\n```\nTest Network Connection By Port Common Name (Only Options HTTP, RDP, SMB, WINRM)\n```powershell\nTest-NetConnection -ComputerName localhost -CommonTCPPort RDP\n```\nTest Network Connection (Ping and TraceRoute)\n```powershell\nTest-NetConnection universityofcalifornia.edu -TraceRoute\n```\nTest Network Connection with Detailed Information\n```powershell\nTest-NetConnection -ComputerName universityofcalifornia.edu -DiagnoseRouting -InformationLevel Detailed\n```\nGet MAC Addresses of All Network Adapters\n```powershell\nGet-WmiObject -Class Win32_NetworkAdapter | Where-Object { $_.MACAddress -ne $null } | Select-Object Name,MACAddress | Sort-Object Name\n```\nGet All Assigned IPs\n```powershell\nGet-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -ne $null} | Select-Object Description,IPAddress\n```\n\n\u003c/details\u003e\n\n### 7.2 Firewall Configuration\n\n\u003cdetails\u003e\n\u003csummary\u003e7.2 Exercises\u003c/summary\u003e\n\n\nShow Firewall Status\n```powershell\nGet-NetFirewallProfile | Select-Object Name,Enabled\n```\nGet Firewall Rules Under Domain Profile\n```powershell\nGet-NetFirewallProfile -Name Domain | Get-NetFirewallRule | More\n```\nGet Firewall Rules that Allow Inbound Traffic\n```powershell\nGet-NetFirewallRule -Enabled True -Direction Inbound -Action Allow\n```\n\n\u003c/details\u003e\n\n### 7.3 Windows 
Remote Management\n\n\u003cdetails\u003e\n\u003csummary\u003e7.3 Exercises\u003c/summary\u003e\n\nCheck Status of WinRM Service\n```powershell\nGet-Service -Name WinRM\n#Or\nTest-WSMan\n```\nView WinRM Config (Requires Elevated Session)\n```powershell\nGet-WSManInstance -ComputerName Localhost -ResourceURI winrm/config\n```\nDisplay WinRM Listener Information (Requires Elevated Session)\n```powershell\nGet-WSManInstance -ComputerName Localhost -ResourceURI winrm/config/Listener -Enumerate\n```\n\n\u003c/details\u003e\n\n## Lesson 8\n\n### 8.1 Windows Defender\n\n\u003cdetails\u003e\n\u003csummary\u003e8.1 Exercises\u003c/summary\u003e\n\nView Current Defender Status\n```powershell\nGet-MpComputerStatus\n```\n```powershell\n# How Would You Only Display the QuickScanStartTime, QuickScanEndTime, and QuickScanOverDue Properties?\n```\nView Active and Past Malware Threats that Windows Defender Detected\n```powershell\nGet-MpThreatDetection\n```\nView Preferences for the Windows Defender Scans and Updates\n```powershell\nGet-MpPreference\n```\nView All Defender Related Commands\n```powershell\nGet-Command | Where-Object -Property Source -eq -Value \"Defender\"\n```\n```powershell\n# Which Command Would Start a Quick Scan On the Local System? \n```\n\n\n\n\u003c/details\u003e\n\n### 8.2 Transport Layer Security (TLS)\n\n\u003cdetails\u003e\n\u003csummary\u003e8.2 Exercises\u003c/summary\u003e\n\nShow List of Enabled TLS Cipher Suites\n```powershell\nGet-TlsCipherSuite\n```\nShow Only the AES Ciphers\n```powershell\nGet-TlsCipherSuite -Name \"AES\"\n```\n```powershell\n# How Would You Just List the Names of the Ciphers?\n```\n```powershell\n# What Happens When You Run\n```\n```powershell\nGet-TlsCipherSuite | Select-Object Name;\n```\n```powershell\n# Let's Look at What the Get-TlsCipherSuite Command Returns. 
What is the TypeName Value\n```\n```powershell\nGet-TlsCipherSuite | Get-Member\n```\n```powershell\n# What Happens When You Run\n```\n```powershell\nGet-TlsCipherSuite | Foreach-Object { $_.Name  }\n```\n```powershell\n# Check Out the Help on Disabling a Cipher. Are You Able to Pipe In Get-TlsCipherSuite Object Result?\n```\n```powershell\nGet-Help Disable-TlsCipherSuite -Full\n```\n```powershell\n# Would The Below Code Disable the DES Cipher? \n```\n```powershell\nForeach($tcs in (Get-TlsCipherSuite -Name \"DES\")){ Disable-TlsCipherSuite -Name $tcs.Name }\n```\n\n\u003c/details\u003e\n\n### 8.3 BitLocker\n\n\u003cdetails\u003e\n\u003csummary\u003e8.3 Exercises\u003c/summary\u003e\n\nView BitLocker Volume (Requires Elevated Session)\n```powershell\nGet-BitLockerVolume\n```\n```powershell\n# The BitLockerVolume Class Has More than 10 Properties. How Would You View All Of Them? \n```\n```powershell\n# How Would You Only Display the \"VolumeStatus\" Property?\n```\n```powershell\n# Which Command Could You Run to Find The Other \"BitLocker\" Related Commands?\n```\n\n\n\u003c/details\u003e\n\n## Lesson 9\n\n### 9.1 Creating Custom Objects\n\n\u003cdetails\u003e\n\u003csummary\u003e9.1 Exercises\u003c/summary\u003e\n\n```powershell\n#Initializing Array to Hold Custom Objects\n$arrReporting = @();\n\n#Load Up 25 Custom Objects\nforeach($n in 1..25)\n{\n    #Creating a Custom Object \n    $cstObject = New-Object PSObject -Property (@{name=\"\"; weight=0; handed=\"\";});\n\n    #Load Dynamic Value\n    $cstObject.name = \"User\" + $n;\n    $cstObject.weight = 100 + $n;\n\n    if($n % 5 -eq 0)\n    { \n        $cstObject.handed = \"left\";\n    }\n    else \n    {\n        $cstObject.handed = \"right\";\n    }\n\n    #Adding Custom Object to Array \n    $arrReporting += $cstObject;\n}\n\n#View Reporting Array\n$arrReporting;\n\n```\n\n\u003c/details\u003e\n\n### 9.2 Ping IP Range\n\n\u003cdetails\u003e\n\u003csummary\u003e9.2 
Exercises\u003c/summary\u003e\n\n```powershell\n\u003c# \n    Write a One-Liner to Ping a Class C Network and Report the Status of Each Ping.\n    Extra Points for Pinging Each IP Only Once and Incorporating the \"Quiet\" Switch\n#\u003e\n```\n\n\u003c/details\u003e\n\n### 9.3 Plug and Play (PnP) Devices\n\n\u003cdetails\u003e\n\u003csummary\u003e9.3 Exercises\u003c/summary\u003e\n\nShow PnP Devices\n```powershell\nGet-PnpDevice\n```\nShow PnP USB Devices\n```powershell\nGet-PnpDevice -Class USB\n```\n```powershell\n\u003c# \nSome PnP Device Classes\nAudioEndpoint\nBluetooth\nCamera\nImage\nMedia\nMonitor\nMouse\nNet\nPrintQueue\nProcessor\nSecurityDevices\nSmartCard\nSoftwareDevice\nUSB\n#\u003e\n```\n```powershell\n# How Would You Display the Currently Present USB Devices?\n```\n```powershell\n# Which Command Could You Run to Display the Other PnP Device Related Commands?\n```\nShow PnP AudioEndpoint and Camera Device Properties\n```powershell\nGet-PnpDevice -Class AudioEndpoint,Camera | Get-PnpDeviceProperty | Format-Table -AutoSize\n```\nShow Current PnP AudioEndpoint and Camera Device Friendly Name and Install Date Properties\n```powershell\nGet-PnpDevice -Class AudioEndpoint,Camera -PresentOnly | Get-PnpDeviceProperty | Sort-Object InstanceId,KeyName | Where-Object -Property KeyName -in -Value \"DEVPKEY_Device_FriendlyName\", \"DEVPKEY_Device_InstallDate\" | Format-Table -AutoSize\n```\n```powershell\n\u003c# \n\nWrite a Script That Uses Custom Objects to Report the Friendly Names and Install Dates Of All Image and Media Devices Currently Present. 
\n\nOnly One Custom Object Per InstanceId\n\nHint - The Group-Object Command is Your Friend\n\nExport Custom Object Listing to CSV File (See Lesson 2)\n\n#\u003e\n```\n\n\n\u003c/details\u003e\n\n## Lesson 10\n\n### 10.1 Group Policy Results Report\n\n\u003cdetails\u003e\n\u003csummary\u003e10.1 Exercises\u003c/summary\u003e\n\nDisplays RSoP Summary Data (Requires Elevated Session)\n```powershell\nGPResult /r /scope:computer\n```\n```powershell\n\u003c#\n    Write a One-Liner Using the GPResult Command that \"Displays all available information about Group Policy\"\n\n    For Additional Points, Export Results to a Text File\n#\u003e\n```\n\n\n\u003c/details\u003e\n\n### 10.2 File Permissions and Processes Script\n\n\u003cdetails\u003e\n\u003csummary\u003e10.2 Exercises\u003c/summary\u003e\n\nWrite a Script to Report the File Permissions and Active Process Counts of all Program Files Folders and the Windows Directory \n```powershell\n\n#ProgramFiles                   C:\\Program Files\n#ProgramFiles(x86)              C:\\Program Files (x86)\n#windir                         C:\\WINDOWS\n\n#Array to Hold Current Processes\n$arrCurrntProcesses = @();\n\n#Load Array of Strings of Currently Running Process's Executable \n$arrCurrntProcesses = Get-Process -FileVersionInfo -ErrorAction \"SilentlyContinue\" | Select-Object FileName | Foreach-Object { $_.FileName.ToString().ToLower(); };\n\n#Reporting Array for Locations to Check\n$arrReportLTC = @();\n\n#Reporting Array for Locations to Check Permissions\n$arrReportLTCPerms = @();\n\n#Array of Locations to Check\n$arrLocsToCheck = @(${env:programfiles(x86)},${env:programfiles},${env:windir});\n\n#Loop Through the Locations to Check\nforeach($LocToCheck in $arrLocsToCheck)\n{\n    #Pull Directories Under the Locations to Check\n    foreach($ltcFldr in (Get-ChildItem -Path $LocToCheck -Directory -Depth 0))\n    {\n        #Create Custom Location to Check Folder Object\n        $cstLTCFlder = New-Object PSObject -Property (@{ 
Location=\"\"; Running_Process_Count=0;});\n        $cstLTCFlder.Location = $ltcFldr.FullName;\n\n        #Var of LTC Folder to Lower with Extra \"\\\"\n        [string]$ltcFldrLoc = $ltcFldr.FullName.ToString().ToLower() + \"\\\";\n\n        foreach($crntPrcs in $arrCurrntProcesses)\n        {\n            if($crntPrcs.ToString().StartsWith($ltcFldrLoc) -eq $true)\n            {\n                #####################################\n                # What Would We Want To Do Here?\n                #####################################\n            }\n\n        }\n\n        #Add Custom Object to Reporting Array\n        $arrReportLTC += $cstLTCFlder;\n        \n        #Pull File System ACLs for Folder\n        foreach($fsACL in (Get-Acl -Path $ltcFldr.FullName).Access)\n        {\n            #Create Custom Shared Folder ACL Object\n            $cstFsACL = new-object PSObject -Property (@{ Location=\"\"; IdentityReference=\"\"; FileSystemRights=\"\"; AccessControlType=\"\"; IsInherited=\"\"; });\n            \n            ############################################################\n            # Load the Custom Object with File System ACL Information\n            #\n            #\n            #\n            #\n            #\n            #\n            ############################################################\n\n            #Add Custom Object to Reporting Array\n            $arrReportLTCPerms += $cstFsACL;\n        }\n\n    }#End of Get-ChildItem Foreach\n\n}#End of $arrLocsToCheck Foreach\n\n#Var for System Name\n[string]$sysName= (hostname).ToString().ToUpper();\n\n#Var for Report Date\n[string]$rptDate = (Get-Date).ToString(\"yyyy-MM-dd\");\n\n#Var for LTC Process Counts Report Name\n[string]$rptNameProcessCount = \".\\LTC_Process_Counts_on_\" + $sysName + \"_\" + $rptDate + \".csv\";\n\n#Var for LTC ACL Report Name\n[string]$rptNameACLs = \".\\LTC_ACLs_on_\" + $sysName + \"_\" + $rptDate + \".csv\";\n\n#Export LTC Process Count Report to 
CSV\n$arrReportLTC| Sort-Object -Property Location | Select-Object -Property Location,Running_Process_Count | Export-Csv -Path $rptNameProcessCount -NoTypeInformation;\n\n#########################################################\n# Export LTC ACLs Report to CSV\n#\n# \n#\n#########################################################\n\n\n\n```\n\n\n\u003c/details\u003e","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fucdavis%2Fwindows_system_analysis_lab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fucdavis%2Fwindows_system_analysis_lab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fucdavis%2Fwindows_system_analysis_lab/lists"}
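Lesson 8.2 above asks whether the one-liner `Foreach($tcs in (Get-TlsCipherSuite -Name "DES")){ Disable-TlsCipherSuite -Name $tcs.Name }` disables the DES cipher. The check below is an added worked example, not code from the lab: `Get-TlsCipherSuite -Name` does partial matching, so `"DES"` also returns the Triple DES (`_3DES_`) suites, and the exercise's loop would disable those as well. The function name `Get-DesCipherSuiteReport` is chosen here; it assumes an elevated session on Windows 10 / Server 2016 or later, where the TLS cipher suite cmdlets exist.

```powershell
# Added example, not from the lab. Shows why the exercise's substring match on
# "DES" is too broad and how to disable only single-DES suites. Requires an
# elevated session and the TLS cmdlets (Windows 10 / Server 2016 and later).
# Get-DesCipherSuiteReport is a name chosen here, not a built-in cmdlet.

function Get-DesCipherSuiteReport {
    # -Name does partial matching, so this also returns Triple DES (3DES) suites
    $substringMatch = @(Get-TlsCipherSuite -Name 'DES')

    # Suite names carry "_DES_" for single DES and "_3DES_" for Triple DES;
    # anchoring on the leading underscore keeps only single DES
    $singleDes = @($substringMatch | Where-Object { $_.Name -match '_DES_' })

    foreach ($suite in $substringMatch) {
        [PSCustomObject]@{
            Name         = $suite.Name
            Cipher       = $suite.Cipher
            CipherLength = $suite.CipherLength
            # True only for the suites a precise "disable DES" should touch
            WouldDisable = [bool]($singleDes.Name -contains $suite.Name)
        }
    }
}

# Review what the broad match would have hit versus what the precise match keeps
Get-DesCipherSuiteReport | Format-Table -AutoSize

# Disable only the flagged suites. -WhatIf prints the change without applying it;
# remove it once the list above is what you intend.
Get-DesCipherSuiteReport |
    Where-Object { $_.WouldDisable } |
    ForEach-Object { Disable-TlsCipherSuite -Name $_.Name -WhatIf }
```

So the answer to the exercise depends on the machine: with 3DES suites enabled the original loop disables more than DES, and with no suite name containing "DES" it does nothing at all. Always review the matched list before removing `-WhatIf`, and remember that disabling a suite here only affects the local Schannel cipher suite list, not any Group Policy ordering that overrides it.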
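The 9.3 exercise asks for a script that reports one custom object per `InstanceId` for the present Image and Media devices, carrying friendly name and install date, and exports it to CSV. The script below is an added solution, not the lab's own code. `Get-PnpDeviceProperty` emits one row per (device, property) pair, which is why the hint points at `Group-Object`: the rows are regrouped by `InstanceId` and folded into one `[PSCustomObject]`. The function name, the `-IncludeAbsent` switch and the CSV file name are choices made here.

```powershell
# Added example, not from the lab. One custom object per present Image/Media
# device, with friendly name and install date, exported to CSV.
# Get-PnpDeviceInventory and the CSV name are choices made here.

function Get-PnpDeviceInventory {
    param(
        [string[]]$Class = @('Image', 'Media'),
        # Drop -PresentOnly to also list devices that were connected in the past
        [switch]$IncludeAbsent
    )

    $keys = @('DEVPKEY_Device_FriendlyName', 'DEVPKEY_Device_InstallDate', 'DEVPKEY_Device_Class')

    $devices = if ($IncludeAbsent) {
        Get-PnpDevice -Class $Class -ErrorAction SilentlyContinue
    } else {
        Get-PnpDevice -Class $Class -PresentOnly -ErrorAction SilentlyContinue
    }

    # Get-PnpDeviceProperty emits one row per (device, key); Group-Object puts
    # the rows for one device back together so we can build a single object
    $devices |
        Get-PnpDeviceProperty -KeyName $keys -ErrorAction SilentlyContinue |
        Group-Object -Property InstanceId |
        ForEach-Object {
            $props = @{}
            foreach ($row in $_.Group) { $props[$row.KeyName] = $row.Data }

            [PSCustomObject]@{
                InstanceId   = $_.Name
                Class        = $props['DEVPKEY_Device_Class']
                FriendlyName = $props['DEVPKEY_Device_FriendlyName']
                InstallDate  = $props['DEVPKEY_Device_InstallDate']
            }
        }
}

# Export to CSV as in Lesson 2, one row per InstanceId
$csvPath = '.\PnP_Image_Media_Devices_{0}_{1}.csv' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyy-MM-dd')
$inventory = Get-PnpDeviceInventory | Sort-Object InstallDate
$inventory | Export-Csv -Path $csvPath -NoTypeInformation
$inventory | Format-Table -AutoSize
```

The same function with `-Class USB -IncludeAbsent` is a quick way to see devices that were ever plugged into the machine, since `Get-PnpDevice` without `-PresentOnly` also returns device instances that are no longer connected; note that `DEVPKEY_Device_InstallDate` records when the device instance was first installed, not when it was last connected.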
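The 10.2 skeleton leaves three gaps: what to do when a running process's executable lives under a folder being checked, how to load the ACL custom object, and how to export the ACL report. The script below is an added, completed version written for this page, not the lab's answer key. It keeps the skeleton's structure and CSV names, fills the gaps, and adds one column the exercise does not ask for: `BroadWrite`, which flags Allow ACEs that give a broad principal (Everyone, Users, Authenticated Users, INTERACTIVE) write-class rights under a program or system folder, the classic precondition for planting a DLL or replacing a service binary. The principal list and the rights mask are choices made here; run it elevated so every folder's DACL is readable.

```powershell
# Added example, not from the lab: a completed version of the 10.2 skeleton.
# For each top-level folder under Program Files, Program Files (x86) and the
# Windows directory it counts running processes whose executable lives there,
# flattens the folder ACL to one row per ACE, and flags Allow ACEs that give a
# broad group write-class rights. The BroadWrite column, the principal list and
# the rights mask are choices made here. Run elevated.

# Executable paths of running processes, lower-cased for prefix comparison.
# Processes whose main module cannot be read are skipped by -ErrorAction.
$runningExePaths = @(Get-Process -FileVersionInfo -ErrorAction SilentlyContinue |
    Where-Object { $_.FileName } |
    ForEach-Object { $_.FileName.ToLower() })

# Locations to check; the (x86) folder does not exist on 32-bit Windows
$locationsToCheck = @(${env:ProgramFiles(x86)}, $env:ProgramFiles, $env:windir) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Principals that should never be able to write under program or system folders
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Write-class bits: specific rights plus GENERIC_WRITE (0x40000000) and
# GENERIC_ALL (0x10000000), which appear as raw integers in some inherited ACEs
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

$folderReport = [System.Collections.Generic.List[object]]::new()
$aclReport    = [System.Collections.Generic.List[object]]::new()

foreach ($location in $locationsToCheck) {
    foreach ($folder in (Get-ChildItem -LiteralPath $location -Directory -ErrorAction SilentlyContinue)) {
        # Trailing backslash so "C:\Program Files\Foo" does not match "...\FooBar\x.exe"
        $prefix = $folder.FullName.ToLower() + '\'
        $count  = @($runningExePaths | Where-Object { $_.StartsWith($prefix) }).Count

        $folderReport.Add([PSCustomObject]@{
            Location              = $folder.FullName
            Running_Process_Count = $count
        })

        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        foreach ($ace in $acl.Access) {
            $identity    = $ace.IdentityReference.Value
            $grantsWrite = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0
            $isBroad     = ($ace.AccessControlType -eq 'Allow') -and $grantsWrite -and ($broadPrincipals -contains $identity)

            $aclReport.Add([PSCustomObject]@{
                Location          = $folder.FullName
                IdentityReference = $identity
                FileSystemRights  = $ace.FileSystemRights
                AccessControlType = $ace.AccessControlType
                IsInherited       = $ace.IsInherited
                BroadWrite        = $isBroad
            })
        }
    }
}

$sysName = $env:COMPUTERNAME
$rptDate = Get-Date -Format 'yyyy-MM-dd'

$folderReport | Sort-Object Location |
    Export-Csv -Path ".\LTC_Process_Counts_on_${sysName}_$rptDate.csv" -NoTypeInformation

$aclReport | Sort-Object Location, IdentityReference |
    Export-Csv -Path ".\LTC_ACLs_on_${sysName}_$rptDate.csv" -NoTypeInformation

# Triage view: folders a standard user could modify
$aclReport | Where-Object { $_.BroadWrite } |
    Format-Table Location, IdentityReference, FileSystemRights -AutoSize
```

Two caveats when reading the output. A folder with `BroadWrite` set and a non-zero `Running_Process_Count` deserves a closer look (which account runs those processes, and whether the executable or a DLL beside it is writable), but the flag only tests the top-level folder's ACL; inherited and explicit ACEs deeper in the tree can differ. And `Get-Process -FileVersionInfo` only reports processes whose main module the current token can read, so an unelevated run undercounts system processes.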