Horizontal Logic

Two methods to query psdrives

2012-01-05T07:03:00.001-08:00

Both the methods below will query remote and local drives of all types:

Parse TCP and UDP ports from services file

2012-01-04T23:12:00.001-08:00

# Parses TCP and UDP ports from services file on Windows 7

$a=gc C:\Windows\System32\drivers\etc\services
$tcp=$a | sls tcp
$udp=$a | sls udp

[array[]]$tcp=0..(($tcp.count) -1) | % { (($tcp.GetValue($_) -split("/"))[0])}
[array[]]$udp=0..(($udp.count) -1) | % { (($udp.GetValue($_) -split("/"))[0])}

[array[]]$tcp_service_ports=0..(($tcp.count) -1) | % { (($tcp.GetValue($_) -split(" "))[-1])}
[array[]]$udp_service_ports=0..(($udp.count) -1) | % { (($udp.GetValue($_) -split(" "))[-1])}

Count the number of binaries in your path

2012-01-04T23:10:00.000-08:00

Powershell 3.0 CTP2

Count the number of binaries in your path:

([System.Environment]::GetEnvironmentVariables().Path -split(";") |% { ls $_ *.exe}).count

Compound variable assignment as [array[]] based storage

2011-09-03T14:14:00.000-07:00

Below is a function I have written to demonstrate a function which recursively checks ownership and access for files modified within a given time span. What I call to your attention is the ability to use the assignment operator ('+=') to store data recursively as highlighted in salmon. This is mentioned in 'about_assignment_operators' in the help for Powershell V2:

" When the value of the variable is an array, the += operator appends the
values on the right side of the operator to the array. Unless the array is
explicitly typed by casting, you can append any type of value to the array..."

In the second part of the script below, I pump the results of a foreach loop into an explicitly typed compound assignment variable ("$RecurseList"):

[Array[]]$RecurseList +=  foreach ($folder in $Recurse) {...

This structure almost shows some 'lambda' like functionality, enabling the Powershell programmer to operate on a series of objects, return and store values back to the pipeline which can be collected later in the same function for further operations.

function Check-RecentAccessCombined {

[CmdletBinding()]

    Param(

        [Parameter(ValueFromPipeline=$true)]

           [int]$days=1,

        [string]$ErrorActionPreference="SilentlyContinue"

    )



if ($RecurseList) {Clear-variable RecurseList}

$host.UI.RawUI.BufferSize = new-object System.Management.Automation.Host.Size(500,9999)

$Global:StartTime = (get-date) - (new-timespan -days $days)

$Global:Current=$pwd

$List=gci * | where {!$_.psiscontainer}

$Query= foreach ($i in $List) { gci $i |Select FullName,*Time, @{Label="Access";Expression={get-acl $_.PSChildName| % {$_.AccessToString}}}, @{Label="Owner";Expression={get-acl $_.PSChildName| % {$_.Owner}}}}

[Array[]]$Global:RecurseList += $Query | Select LastAccessTime,CreationTime,FullName,Owner,Access| where {$_.LastAccessTime -gt $StartTime} 



$Global:Recurse=ls -recurse * | where {$_.PSISContainer}

[Array[]]$RecurseList +=  foreach ($folder in $Recurse) {

    sl $folder.FullName;

    # $folder.FullName

    $List=gci * | where {!$_.psiscontainer};

    $Query= $List |Select FullName,*Time,@{Label="Access";Expression={get-acl $_.PSChildName| % {$_.AccessToString}}}, @{Label="Owner";Expression={get-acl $_.PSChildName| % {$_.Owner}}};

    $Query | Select LastAccessTime,CreationTime,FullName,Owner,Access| where {$_.LastAccessTime -gt $StartTime}; 

    } 



sl $Current

$RecurseList  | Sort -descending LastAccessTime

}

Storing 'Get-counter' data

2011-08-24T11:40:00.000-07:00

You can do this:

((get-counter -counter '\\rmfvpc\TCPv4\Connections Established').countersamples) | % {$_.CookedValue}

and this:

(get-counter -counter '\\rmfvpc\TCPv4\Connections Established').Readings | findstr ^[0-9]

and this:

(get-counter -counter '\\rmfvpc\TCPv4\Connections Established' -continuous -sampleinterval 2)

but you can't do this:

(get-counter -counter '\\rmfvpc\TCPv4\Connections Established' -continuous -sampleinterval 2).countersamples

or this:

(get-counter -counter '\\rmfvpc\TCPv4\Connections Established' -continuous -sampleinterval 2).Readings

or this:

[array]$a=(get-counter -counter '\\rmfvpc\TCPv4\Connections Established' -continuous -sampleinterval 2)

Therefore I ended up with this (which works):

while($true) {foreach ($i in (get-counter -counter '\\rmfvpc\TCPv4\Connections Established')) {$i.Readings | findstr ^[0-9]};sleep -seconds 2}

or this:

while($true) {foreach ($i in (get-counter -counter '\\rmfvpc\TCPv4\Connections Established')) {$i.countersamples | % {$_.CookedValue}};sleep -seconds 2}

and one these (which also works):

while($true) {[array]$b+=foreach ($i in (get-counter -counter '\\rmfvpc\TCPv4\Connections Established').countersamples) {$i | % {$_.CookedValue}};sleep -seconds 2}

while($true) {[array]$b+=foreach ($i in (get-counter -counter '\\rmfvpc\TCPv4\Connections Established')) {$i.Readings | findstr ^[0-9]};sleep -seconds 2}

$b
3
3
3
...

But it all seems just a little ungainly! Here's how I got there:

get-counter -ListSet * | findstr "CounterSetName" | Sort
CounterSetName : .NET CLR Data
...
CounterSetName : .NET Memory Cache 4.0
...
CounterSetName : ASP.NET v4.0.30319
CounterSetName : Authorization Manager Applications
...
CounterSetName : Browser
CounterSetName : Cache
CounterSetName : Database
...

(get-counter -ListSet Memory).Counter | Sort
\Memory\% Committed Bytes In Use
\Memory\Available Bytes
\Memory\Available KBytes
...
\Memory\Free & Zero Page List Bytes
\Memory\Free System Page Table Entries
\Memory\Modified Page List Bytes
...
(get-counter -ListSet 'TCPv4').Paths | Sort
\TCPv4\Connection Failures
\TCPv4\Connections Active
\TCPv4\Connections Established
\TCPv4\Connections Passive
\TCPv4\Connections Reset
\TCPv4\Segments Received/sec
\TCPv4\Segments Retransmitted/sec
\TCPv4\Segments Sent/sec
\TCPv4\Segments/sec

get-counter -counter '\\rmfvpc\TCPv4\Connections Established' -continuous -sampleinterval 10

Timestamp CounterSamples
--------- --------------
8/24/2011 10:36:24 AM \\rmfvpc\tcpv4\connections established :
3

8/24/2011 10:36:34 AM \\rmfvpc\tcpv4\connections established :
3

Update 08/30/2011:

This one liner:

while($true) {foreach ($i in (get-counter -counter '\\rmfvpc\TCPv4\Connections Established')) {write-host -backgroundcolor red "$($i.countersamples | % {$_.CookedValue}) Established Connections"};sleep -seconds 2;clear}

produces a nice flashing update of the number of TCPv4 connections. Looks like this:

Some addendum on modules

2011-08-22T01:29:00.000-07:00

If you add modules like PSUserTools from Microsoft you receive some enhanced functionality. You also receive some well conceived script. After you have imported your modules ('import-module'), you can use a function like that below to list all the exported commands:

function Global:get-module_exports {

[CmdletBinding()]

Param(

[Parameter(Mandatory=$true)]

$ModName

)

$commands=(get-module $ModName).ExportedCommands

[Array[]]$list=(($commands).Values) | %{$_.Name} | Sort

$list

}

PS C:\> get-module -list
ModuleType Name ExportedCommands
---------- ---- ----------------
...
Manifest PSUserTools {}
....
PS C:\> import-module PSUserTools
PS C:\> get-module_exports PSUserTools
Get-CurrentUser
Get-Everyone
Start-ProcessAsAdministrator
Test-IsAdministrator

'Get-CurrentUser' queries WMI to find domain and local users. Here is a simplified function derived from that script that prints out local users and their SIDs:

function net_user

{

function netusers {$query = "Win32_UserAccount";$query+= " WHERE LocalAccount='True'";Get-WmiObject $query }

netusers | % {($_.name)+" "+($_.SID)}

}

PS C:\ net_user [SIDs deleted for privacy]

Administrator S-1-*

Guest S-1-*

rferrisx S-1-*

$$ Recursion?

2011-05-06T16:35:00.000-07:00

After reading Lee Holmes $$ blog post, I realized the $$ command has some recursive properties.
You can assign a function to the $$ variable and then init that function as follows:

Function Repeat-History
{
$$='function gh {get-history}'
Invoke-History $$
gh
}

This allows us to do some interesting work. The function below will run through a class C subnet pinging port 443 with a TCP based ping. It does this by loading the "$$" variable with an nping cmd, echoing the command , and then using invoke-expression ('iex') to load the results into a file. The advantage of 'executing your label' ...

function global:nmap_subnet
{
   [CmdletBinding()]
   Param(
        [string] $subnet,
        [string] $ErrorActionPreference="silentlycontinue"
         )

0..255 |% {$$="C:\tools\nmap-5.51-win32\nmap-5.51\nping -c 1 --tcp -p 443 $subnet.$_"
$$
iex $$ | findstr RCVD | out-file -append $subnet
}
}

Displaying IP addresses with Windows Powershell

2011-02-09T21:55:00.000-08:00

How many IP Addresses on a Windows 7 system?

Here are two different Powershell commands that produce a list of IPv4 and IPv6 addresses on the same Windows 7 workstation. One parses 'ipconfig' and validates five addresses through '[System.Net.IPaddress]'. The other uses 'gwmi' and the format of the addresses it produces will not similarly validate. Aside from the formatting of the object produced, I cannot understand why they will not validate. It appears here I am extracting IPv6 anycast and broadcast addresses with 'ipconfig' that 'gwmi' is not giving me.

$IPAddress_ipconfig=(ipconfig | Select-string Address) -split ": " | Select-string -notmatch ". ."
foreach ($IP in $IPAddress_ipconfig) {([System.Net.IPaddress]::Parse("$IP")).IPAddressToString}

fe80::6172:6ecf:2d05:b0ae%12
192.168.0.11
fe80::cddc:ceef:b717:a5ac%11
2001:0:4137:9e76:30c3:129:3f57:fff4
fe80::30c3:129:3f57:fff4%17

(Get-WmiObject Win32_NetworkAdapterConfiguration | ? {$_.IPAddress} | Select IPaddress | fc -expand CoreOnly | findstr [0-9])

fe80::cddc:ceef:b717:a5ac
192.168.0.11
fe80::6172:6ecf:2d05:b0ae

ping multiple subnets

2011-01-08T02:04:00.000-08:00

# 'ping-multiple_subnets.ps1'

# All Rights Reserved Ryan M. Ferris r.10:34 PM 1/7/2011
# Powershell V2 functions to ping multiple-subnets
# Consists of three functions: (ping-subnet, ping-ip , ping-multi)
# ping-subnet : .NET $ping.send - a single (simple) eight byte ICMP packet
# ping-ip : WMI 'test-connection' - a single (wmi info) eight byte ICMP packet
# ping-multi : wrapper function 
    # first create multiple Class C ranges: e.g.:

    # $IPRange = 0..5 | %{"192.168.$_"}
    # use 'ping-multi' to discover them: e.g.:

    # $IPRange | % {ping-multi $_}
# The .NET $ping.send is much faster than WMI although 'test-connection' returns more

# information and can be configured to do authentication and impersonation
# Essentially, 'ping-subnet' does discovery that it pumps to 'ping-ip' which

# creates csv files named per subnet per pass.

function global:Ping-Subnet
{
   [CmdletBinding()]
   Param(
       [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
       [string]$Network,
       [array] $subnet=@(0..254),
       [int32] $buffersize=8,
       [Int32] $timeout=10,
       [Int32] $TTL=128,
       [bool]  $fragment=$false,
       [string]$ErrorActionPreference="silentlycontinue"
          )
$ping = new-object System.Net.NetworkInformation.Ping
$pingoptions = new-object System.Net.NetworkInformation.PingOptions
$pingoptions.ttl=$TTL
$pingoptions.dontfragment=$fragment
$Global:SNIPs=( $subnet | % -process  {$Ping.Send("$Network.$_", $timeout, $buffersize, $PingOptions)} | 
                where {$_.Status -eq "Success"})
$Global:IPs= $SNIPs | % {$_.Address.IPAddressToString}
}

function global:Ping-ip 
{
   [CmdletBinding()]
   Param(
       [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
       [string]$computername,
       [int32] $buffersize=8,
       [int32] $count=1,
       [Int32] $TimeToLive=128,
       [Int32] $Delay=1,
       [string] $ErrorActionPreference="silentlycontinue"
          )

        $global:result= Test-connection    -computername $computername `
                        -buffersize $buffersize `
                        -count $count `
                        -TimeToLive $TimeToLive `
                        -Delay $Delay
        $global:icmp_out  = New-Object PSObject -Property @{
            IPv4          = $result.IPv4Address.IPAddressToString
            IPv6          = $result.IPv6Address.IPAddressToString
            BytesSent     = $result.BufferSize
            BytesReturned = $result.ReplySize
            ResponseTime  = $result.ResponseTime
            ReplyInc      = $result.ReplyInconsistency
      } | Select-Object IPv4,IPv6,BytesSent,BytesReturned,Responsetime,ReplyInc

if ($icmp_out -ne $null)
    {$ICMP_out | ConvertTo-Csv -NoTypeInformation | out-file -width 120 -append -NoClobber (write "$3OCT.csv")}
}
function ping-multi
{
Param(
       [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
       [string] $Global:3OCT
       )
$3OCT | % {ping-subnet $_}
$IPs  | % {ping-ip $_}
}

Using Test-Connection

2011-01-04T13:03:00.000-08:00

'Test-Connection' is Powershell V2's GWMI-based icmp test cmdlet that returns considerable amounts of information in object format. 'Test-Connection' also has the ability to authenticate (at various levels) to the computer whose ICMP responses it is testing, but I do not discuss that in this post. 'Test-Connection' can return a number of errors, which I found difficult to trap, throw, or try-catch-finally. So, like some others (1,2), I punted on error-trapping with:

[string] $ErrorActionPreference="silentlycontinue" (Yea, I know...what a wimp...)

Although, 'Test-Connection' is slower than System.Net.NetworkInformation.Ping will probably ever be, it does return considerable amounts of useful information. Below is the function 'Ping-IP' with the returned object and some statistical results from 'measure-object'. I've created a hash table and renamed six of the properties. Notice how I can use 'Test-Connection' to check for IPv4 and IPv6 connections simultaneously (if you have an existing IPv6 interface).

function global:Ping-IP

{

[CmdletBinding()]

Param(

[Parameter(Mandatory=$true,ValueFromPipeline=$true)]

[string]$computername,

[int32] $buffersize=8,

[int32] $count=1,

[string] $ErrorActionPreference="silentlycontinue"

)

$global:result= Test-connection -computername $computername -buffersize $buffersize -count $count

$global:ICMP_out = New-Object PSObject -Property @{

IPv4 = $result.IPv4Address.IPAddressToString

IPv6 = $result.IPv6Address.IPAddressToString

BytesSent = $result.BufferSize

BytesReturned = $result.ReplySize

ResponseTime = $result.ResponseTime

ReplyInc = $result.ReplyInconsistency

} | Select-Object IPv4,IPv6,BytesSent,BytesReturned,Responsetime,ReplyInc

if ($result -ne $null) {$ICMP_out}

}

First I create a partial subnet range to ping, pipe the function output ("ping-ip") to a variable and then sort the output by response time:

$IPRange=0..50 | %{"74.125.127.$_"}

$result=$IPRange | % {Ping-IP $_}

$result | Sort Responsetime -Descending | ft

IPv4 IPv6 BytesSent BytesReturned ResponseTime ReplyInc

---- ---- --------- ------------- ------------ --------

74.125.127.19 8 18 115 True

74.125.127.40 8 18 80 True

74.125.127.46 8 18 80 True

74.125.127.50 8 18 74 True

74.125.127.16 8 18 68 True

74.125.127.48 8 18 67 True

74.125.127.27 8 18 66 True

74.125.127.14 8 18 61 True

74.125.127.33 8 18 43 True

74.125.127.39 8 18 40 True

74.125.127.41 8 18 34 True

74.125.127.18 8 18 31 True

.....

Next, I can easily measure the "Responsetime" of my 'Test-Connection' queries with 'measure-object' :

$result | Measure-Object -Average -Maximum -Minimum -Sum -Property Responsetime

Count : 28

Average : 40.7857142857143

Sum : 1142

Maximum : 115

Minimum : 19

Property : ResponseTime

There are considerable more statistics and graphing output that could be done with this function with log-parser, and/or a Powershell statistics package and/or csv exports to spreadsheet software. Creating a more robust function will involve more sophisticated error-trapping and or the use of the background jobs. To be continued...

Powershell log time-stamping

2010-12-21T09:40:00.000-08:00

The function 'logtime' below will work as a logging function in scripts

$FileTime=[DateTime]::Now.ToFileTime()

function logtime{
$date = [DateTime]::Now.Day
$hour = [DateTime]::Now.TimeOfDay.Hours
$minutes = [DateTime]::Now.TimeOfDay.Minutes
$seconds = [DateTime]::Now.TimeOfDay.Seconds
$ms = [DateTime]::Now.TimeOfDay.Milliseconds

[object]$logtime = New-Object PSObject -Property @{
date=$date
hour=$hour
minutes=$minutes
seconds=$seconds
ms=$ms
}
write $logtime | ft -HideTableHeaders -AutoSize -Property date,hour,minutes,seconds,ms | out-file -append -noclobber $PWD\$FileTime

}

[output]
PS C:\Users\rferrisx\Documents> gc 129374235* | more

  21 8 45 43 821
  21 8 51 12 604
  21 8 51 12 616
  21 8 51 12 656
  21 8 51 12 662

System.Net.NetworkInformation.Ping

2010-12-08T16:47:00.000-08:00

Here are some Powershell ping notes from System.Net.NetworkInformation.Ping. Powershell v 2.0 provides for the gwmi based Win32_PingStatus in the 'Test-Connection' cmdlet . 'Test-connection' provides a wealth of information. However this post simply examines how to use:

System.Net.NetworkInformation.Ping
System.Net.NetworkInformation.PingOptions

Below is the common code needed for all three examples. This code sets up $ping and $pingoptions:

#Set up the ping options
$ping = new-object System.Net.NetworkInformation.Ping
$pingoptions = new-object System.Net.NetworkInformation.PingOptions
$pingoptions.ttl=255
$pingoptions.dontfragment=$false
# Here is the overload
# From $ping.send.overloaddefinitions use: System.Net.NetworkInformation.PingReply Send(string hostNameOrAddress, int timeout, byte[] buffer, System.Net.NetworkInformation.PingOptions options)

#now ping a subnet with one line of code
(1..254 | % -process {$Ping.Send("192.168.0.$_", 10, 64, $PingOptions)})
# or (stop output) or redirect to a variable:
$a=(1..254 | % -process {$Ping.Send("192.168.0.$_", 10, 64, $PingOptions)})

This gives us something interesting like this:

PS C:\ps1> $a | where {$_.Status -eq "Success"} | ft * -auto

Status Address RoundtripTime Options Buffer
------ ------- ------------- ------- ------
Success 192.168.0.1 2 System.Net.NetworkInformation.PingOptions {64}
Success 192.168.0.6 1 System.Net.NetworkInformation.PingOptions {64}
Success 192.168.0.11 0 System.Net.NetworkInformation.PingOptions {64}
Success 192.168.0.13 0 System.Net.NetworkInformation.PingOptions {64}

If you functionalize/filterize the output :
function pingsn {1..254 | % -process {$Ping.Send("192.168.0.$_", 10, 64, $PingOptions)}}
filter success {if ($_.status -eq "Success") {($_.Address.IPAddressToString)+" "+($_.roundtriptime)}}
you get a similar output:
pingsn | success

192.168.0.1 1
192.168.0.6 1
192.168.0.9 0
192.168.0.11 1

We can also ping and array of names (as below) and retrieve similar information if we pipe the output to a variable. Or we can do something more CSV like:

#ping a multiple names
$DNS_array="google.com", "googel.com", "googley.com"
($DNS_array | % -process {$Ping.Send("$_", 10, 64, $PingOptions)})

Status : Success
Address : 72.14.213.99
RoundtripTime : 29
Options : System.Net.NetworkInformation.PingOptions
Buffer : {64, 0, 0, 0...}

Status : Success
Address : 74.125.224.17
RoundtripTime : 38
Options : System.Net.NetworkInformation.PingOptions
Buffer : {64}

Status : Success
Address : 74.117.221.11
RoundtripTime : 96
Options : System.Net.NetworkInformation.PingOptions
Buffer : {64}

($DNS_array | % -process {$Ping.Send("$_", 10, 64, $PingOptions)}) |
% {$_.Address.IPAddressToString +","+ $_.Status +","+ $_.RoundTripTime}

72.14.213.99,Success,25
74.125.224.17,Success,38
74.117.221.11,Success,98

Something more clever to ping multiple subnets is needed. The code below isn't very fast. The use of a filter might speed it up. However, you can make it faster by specifying exactly the hosts you want in $Host_array.

#ping multiple subnets
[array]$Host_array=1..20
$Subnet_array="192.168.0","192.168.1","192.168.2"
$count=$Subnet_array.count
$i=0
do
{
$global:out = $host_array | % -process {$Ping.Send($Subnet_array[$i]+"."+$_ , 1, 64, $PingOptions)}
$out | % {if ($_.Address) {$_.Address.IPAddressToString +","+ $_.Status +","+ $_.RoundTripTime}}
$i=$i+1
}
while ($i -lt $count)

Looking at Process, Threads, Modules with Powershell 2.0

2010-07-31T00:54:00.000-07:00

I have published "Looking at Processes, Modules, and Threads with Powershell 2.0 Part I". The paper concerns itself with comparing Processes, Modules, and Threads and offers some discussion for comparing their changes over time. See also:
http://www.rmfdevelopment.com/PowerShell_Scripts/diff_PMT.ps1

http://rmfdevelopment.com/PowerShell_Scripts/diff_PMT_adv.ps1

Which processes are communicating on Vista? Part II

2010-05-05T19:32:00.000-07:00

This is a faster method of telling which processes are communicating. It feeds netstat output to tasklist:

@for /f "tokens=1-5" %a in ('@netstat -nto ^| findstr /V Active ^| findstr /V Proto') do @tasklist /FO CSV /V /FI "PID eq %e" /NH

If put in a batch file that is properly escaped:

@for /f "tokens=1-5" %%a in ('@netstat -nto ^| findstr /V Active ^| findstr /V Proto') do @tasklist /FO CSV /V /FI "PID eq %%e" /NH

and then run as below, it gives you process information on Established TCP connections. Tested on Vista. :

@ntob_ts.cmd | sort /+2
"chrome.exe","3192","Console","1","77,012 K","Running","RMFVista\Admin","0:02:54","Daily Alerts - Google Analytics - Google Chrome"
"chrome.exe","3192","Console","1","77,012 K","Running","RMFVista\Admin","0:02:54","Daily Alerts - Google Analytics - Google Chrome"
"opera.exe","4092","Console","1","346,284 K","Running","RMFVista\Admin","0:09:03","http://sn114w.snt114.mail.live.com/default.aspx?wa=wsignin1.0 - Opera"
"opera.exe","4092","Console","1","346,328 K","Running","RMFVista\Admin","0:09:03","http://sn114w.snt114.mail.live.com/default.aspx?wa=wsignin1.0 - Opera"

This batch file below includes netstat endpoints but seems to randomly attach an IP address to the System Idle process ("0"):

@echo off
for /f "tokens=1-5" %%a in ('@netstat -nto ^| findstr /V Active ^| findstr /V Proto') do set EP=%%c& set PID=%%e& call :loop
goto EOF
:loop

@echo "%EP%", | findstr /V "ECHO"
@tasklist /FO CSV /V /FI "PID eq %PID%" /NH
@echo " " >NUL

:EOF

[output]
"74.125.19.17:443",
"chrome.exe","3192","Console","1","89,400 K","Running","RMFVista\Admin","0:03:34","Blogger: Horizontal Logic - Edit Post "Which Processes are communicating on Vista? Part I...
" - Google Chrome"
"74.125.19.19:443",
"chrome.exe","3192","Console","1","89,400 K","Running","RMFVista\Admin","0:03:34","Blogger: Horizontal Logic - Edit Post "Which Processes are communicating on Vista? Part I...
" - Google Chrome"
"74.125.19.19:443",
"opera.exe","4092","Console","1","346,312 K","Running","RMFVista\Admin","0:09:40","http://sn114w.snt114.mail.live.com/default.aspx?wa=wsignin1.0 - Opera"
"74.125.19.19:443",
"opera.exe","4092","Console","1","346,324 K","Running","RMFVista\Admin","0:09:40","http://sn114w.snt114.mail.live.com/default.aspx?wa=wsignin1.0 - Opera"
"74.125.19.101:80",
"chrome.exe","3192","Console","1","89,400 K","Running","RMFVista\Admin","0:03:34","Blogger: Horizontal Logic - Edit Post "Which Processes are communicating on Vista? Part I...
" - Google Chrome"
"74.125.10.23:80",
"chrome.exe","3192","Console","1","89,400 K","Running","RMFVista\Admin","0:03:34","Blogger: Horizontal Logic - Edit Post "Which Processes are communicating on Vista? Part I...
" - Google Chrome"
"76.96.30.119:110",
"System Idle Process","0","Services","0","24 K","Unknown","NT AUTHORITY\SYSTEM","24:51:17","N/A"
"85.13.200.108:110",
"WinMail.exe","4456","Console","1","179,712 K","Running","RMFVista\Admin","0:34:00","Google Alert - TCP/IP"

Which services are communicating on Vista?

2010-03-08T13:13:00.000-08:00

What I want to know is which services are engaging in network communication. How they are changing over time. Network Monitor 3.3 tracks data packets back to executables but has an "unknown" category that carries a lot of data. TCPView gives a dynamic list of Process, Protocol, Address and Port in real-time. In the batch files below I pipe uniq tcpvcon output of process IDs to tasklist /SVC and have FC detect what has changes. Tasklist /SVC is slow however.

@echo off
@for /f %%i in ('tcpvcon -a -c ^| gawk -F"," '{print $3}' ^| sort ^| uniq') do @(tasklist /NH /FO CSV /SVC /FI "PID eq %%i") >&1>> temp1
@for /f %%i in ('tcpvcon -a -c ^| gawk -F"," '{print $3}' ^| sort ^| uniq') do @(tasklist /NH /FO CSV /SVC /FI "PID eq %%i") >&1>> temp2
fc temp1 temp2 > &1>> diff

@echo off
:top
del temp1
del temp2
@for /f %%i in ('tcpvcon -a -c ^| gawk -F"," '{print $3}' ^| sort ^| uniq') do @(tasklist /NH /FO CSV /SVC /FI "PID eq %%i") >&1>> temp1
@for /f %%i in ('tcpvcon -a -c ^| gawk -F"," '{print $3}' ^| sort ^| uniq') do @(tasklist /NH /FO CSV /SVC /FI "PID eq %%i") >&1>> temp2
fc temp1 temp2
goto top

Some relatively simple Powershell also helps detect which services are communicating:

$global:svchost = get-wmiObject win32_process -filter "name='svchost.exe'"

$global:win32_handle = $svchost | foreach { gwmi -query "Select * from win32_service where processID = $($_.handle)" }

$global:Sort_handle = $win32_handle | sort processID, Name

$global:Sort_svchost = $svchost | sort processID

$Sort_handle | format-table processID,name,state, startmode,Started,AcceptStop,Description -AutoSize

$Sort_svchost | format-table ProcessID,ThreadCount,HandleCount,WS,VM,KernelModeTime,ReadOperationCount,ReadTransferCount,OtherTransferCount -Autosize

Enumerating running modules

2009-06-14T15:44:00.000-07:00

Some code worth publishing (from some work I am doing over at RMF Network Security on Conficker, worm detection, etc: ):

$Global:ps = ps

$ps_count = $ps.count

write "Process Count = $ps_count"

$Global:all_modules = 0..$ps_count |%{$ps[$_].Modules} | Select Size,ModuleName,FileName,FileVersion

$allmod_count = $all_modules.count

write "All instances of loaded modules = $allmod_count"

$Global:unique_all_modules = $all_modules | Select -property ModuleName | Sort -Unique -property ModuleName

$uniqmod_count = $unique_all_modules.count

write "All uniq module names = $uniqmod_count"

$Global:all_modules_memory = $all_modules | Select -property ModuleName,Size | Sort -property Size

$Global:MO_all_mod_mem = $all_modules_memory | measure-object -property Size -sum

$Global:CountModMem = $MO_all_mod_mem.count

$Global:SumModMem = $MO_all_mod_mem.sum

$SumModMemMB = ( ( $SumModMem * 1000)/ 1GB)

write "Sum of $CountModMem modules memory size = $SumModMemMB GB"

Output:

.\AllModules.ps1

Process Count = 69

All instances of loaded modules = 2943

All uniq module names = 526

Sum of 2943 modules memory size = 1.75315514206886 GB

The error below is something I will have to look into:

:$a = ps -Module

Get-Process : cannot enumerate the modules of process 'Idle'

At line:1 char:8

+ $a = ps <<<< -Module

+ CategoryInfo : PermissionDenied: (System.Diagnostics.Process (Idle):Process) [Get-Process], ProcessCommandException

+ FullyQualifiedErrorId : CouldnotEnumerateModules,Microsoft.PowerShell.Commands.GetProcessCommand

Get-Process : cannot enumerate the modules of process 'System'

At line:1 char:8

+ $a = ps <<<< -Module

+ CategoryInfo : PermissionDenied: (System.Diagnostics.Process (System):Process) [Get-Process], ProcessCommandException

+ FullyQualifiedErrorId : CouldnotEnumerateModules,Microsoft.PowerShell.Commands.GetProcessCommand

:$a.count

2940

2009-04-14T13:18:00.000-07:00

Well, I thought this was pretty cool. Blackberry Storm, Cygwin, Powershell v2CTP3,MidpSSH 1.7:

Gathering Network Statistics

2009-04-08T20:51:00.000-07:00

# In PS CTP2v3, .NET access to IP statistics is non-existent. There are no static members

# for the interface statistics yet, although there are non static members:

[System.Net.NetworkInformation.IcmpV4Statistics].getmembers() | %{$_.name}

[System.Net.NetworkInformation.IPGlobalStatistics].getmembers() | %{$_.name}

# This means network data has to come from WMI or netsh:

$computer = "LocalHost"

$namespace = "root\CIMV2"

Get-WmiObject -class Win32_PerfFormattedData_Tcpip_TCP -computername $computer -namespace $namespace

Get-WmiObject -class Win32_PerfFormattedData_Tcpip_UDP -computername $computer -namespace $namespace

Get-WmiObject -class Win32_PerfFormattedData_Tcpip_IP -computername $computer -namespace $namespace

Get-WmiObject -class Win32_PerfFormattedData_Tcpip_NetworkInterface -computername $computer -namespace $namespace

Get-WmiObject -class Win32_PerfRawData_Tcpip_TCP -computername $computer -namespace $namespace

Get-WmiObject -class Win32_PerfRawData_Tcpip_UDP -computername $computer -namespace $namespace

Get-WmiObject -class Win32_PerfRawData_Tcpip_IP -computername $computer -namespace $namespace

Get-WmiObject -class Win32_PerfRawData_Tcpip_NetworkInterface -computername $computer -namespace $namespace

netsh interface ip show

netsh interface ip show ipstats

netsh interface ip show tcpstats

netsh interface ip show interface

$computer = "LocalHost"

$namespace = "root\CIMV2"

$Tcpip_TCP = Get-WmiObject -class Win32_PerfFormattedData_Tcpip_TCP -computername $computer -namespace $namespace

$Tcpip_TCP | Select ConnectionFailures,ConnectionsActive,ConnectionsEstablished,ConnectionsPassive,ConnectionsReset

$computer = "LocalHost"

$namespace = "root\CIMV2"

$Tcpip_NI = Get-WmiObject -class Win32_PerfRawData_Tcpip_NetworkInterface -computername $computer -namespace $namespace

$Tcpip_NI | Select BytesReceivedPersec,BytesSentPersec,BytesTotalPersec

$netsh_interface_stats = netsh interface ip show interface

$netsh_interface_stats | Select-string "In Octets"

$netsh_interface_stats | Select-string "Out Octets"

Working with netmon caps in Powershell

2009-04-01T11:18:00.000-07:00

An update to this post 8:32 PM 8/7/2009:

I have no path to loading nmcap files into powershell now that logparser does not work with Netmon 3.3 file format. I added my comment to this feature request:

https://connect.microsoft.com/feedback/ViewFeedback.aspx?FeedbackID=265564&SiteID=216

"The jump between 3.2 and 3.3 file formats/APIs broke logparser2.2 interface to netmon files which was extraordinarily useful since logparser would convert file formats, sql-lize queries, create charts and datagrids, etc. Examples are below. Granted this is probably a logparser (e.g. unsupported ware) defect, however...The real defect is here is that there is no path to convert Netmon 3.3 captures files to CSV.C:\Program Files (x86)\Log Parser 2.2>logparser -headers OFF -stats NO -i:NETMON -o:CSV "SELECT DateTime,SrcMAC,SrcPort,DstMAC,DstPort,WindowSize FROM32.cap"2009-01-13 11:37:53,00095B00F3DA,80,0013021A607B,2004,328902009-01-13 11:37:53,0013021A607B,2006,00095B00F3DA,80,163842009-01-13 11:37:54,00095B00F3DA,80,0013021A607B,2006,58402009-01-13 11:37:54,0013021A607B,2006,00095B00F3DA,80,175202009-01-13 11:37:54,0013021A607B,2006,00095B00F3DA,80,17520.....C:\Program Files (x86)\Log Parser 2.2>logparser -headers OFF -i:NETMON -o:CSV "SELECT DateTime,SrcMAC,SrcPort,DstMAC,DstPort,WindowSize FROM 33.cap"Statistics:-----------Elements processed: 0Elements output: 0Execution time: 0.01 seconds"

7:10 AM 4/2/2009: An update to this post

Once you have a capture in the form of an object, you can do interesting work with it in powershell:

$DstSrcPort_8NET = $capture where-object {($_.SrcIP -match "^8\." ) -or ($_.DstIP -match "^8\.")}
$DstSrcPort_8NET Sort DateTime -unique ft more
$DstSrcPort_8NET group-object DstPort Sort -descending Count
$DstSrcPort_8NET measure-object -average -minimum -maximum -property WindowSize
$a = $DstSrcPort_8NET Sort SrcIP -unique
$a %{[System.Net.DNS]::Resolve($_.SrcIP)}

In progress...concating collections of nmcap files and searching them for specific SrcIP and DstIp with Powershell and LogParser. This code is working now, but still "to be continued"...

function Search-IP($IP_String)

{ #start function

(ls -name *.cap)

foreach-object -begin {$file =[DateTime]::now.ToFileTime().ToString()} `

-process {

$filename = $_ ;

$temp = logparser -headers OFF -stats NO -i:NETMON -o:CSV "SELECT DateTime,SrcIP,SrcPort,DstIP,DstPort,WindowSize FROM $filename" ;

out-file -inputobject $temp -append -noclobber -filepath $file} `

-end {

$header = "DateTime","SrcIP","SrcPort","DstIP","DstPort","WindowSize" ;

$Global:capture = Import-csv $file -header $header ;

$Global:MatchIPObject = $capture where-object {$_ -match $IP_String} ;

$Global:MatchIPString = Select-String $IP_String $file -AllMatches}

} #end function

:$MatchIPObject[0..10] ft

DateTime SrcIP SrcPort DstIP DstPort WindowSize

-------- ----- ------- ----- ------- ----------

2007-07-16 13:59:52 68.26.116.175 1169 66.133.124.56 443 16384

2007-07-16 13:59:52 66.133.124.56 443 68.26.116.175 1169 4140

2007-07-16 13:59:52 68.26.116.175 1169 66.133.124.56 443 16560

2007-07-16 13:59:52 66.133.124.56 443 68.26.116.175 1169 4140

2007-07-16 13:59:52 68.26.116.175 1169 66.133.124.56 443 15753

2007-07-16 13:59:52 68.26.116.175 1170 66.133.124.56 443 16384

2007-07-16 13:59:52 66.133.124.56 443 68.26.116.175 1169 4229

2007-07-16 13:59:52 68.26.116.175 1169 66.133.124.56 443 15753

:$MatchIPString[0..10]

128830930248593750:7:2007-07-16 13:59:52,68.26.116.175,1169,66.133.124.56,443,16384

128830930248593750:9:2007-07-16 13:59:52,66.133.124.56,443,68.26.116.175,1169,4140

128830930248593750:10:2007-07-16 13:59:52,68.26.116.175,1169,66.133.124.56,443,16560

128830930248593750:11:2007-07-16 13:59:52,68.26.116.175,1169,66.133.124.56,443,16560

128830930248593750:12:2007-07-16 13:59:52,66.133.124.56,443,68.26.116.175,1169,4140

128830930248593750:13:2007-07-16 13:59:52,68.26.116.175,1169,66.133.124.56,443,15753

128830930248593750:14:2007-07-16 13:59:52,68.26.116.175,1169,66.133.124.56,443,15753

128830930248593750:15:2007-07-16 13:59:52,68.26.116.175,1170,66.133.124.56,443,16384

128830930248593750:16:2007-07-16 13:59:52,66.133.124.56,443,68.26.116.175,1169,4229

128830930248593750:17:2007-07-16 13:59:52,66.133.124.56,443,68.26.116.175,1169,4229

128830930248593750:18:2007-07-16 13:59:52,68.26.116.175,1169,66.133.124.56,443,15753

:$MatchIPObject[0..10] gm

TypeName: System.Management.Automation.PSCustomObject

Name MemberType Definition

---- ---------- ----------

Equals Method System.Boolean Equals(Object obj)

GetHashCode Method System.Int32 GetHashCode()

GetType Method System.Type GetType()

ToString Method System.String ToString()

DateTime NoteProperty System.String DateTime=2007-07-16 13:59:52

DstIP NoteProperty System.String DstIP=66.133.124.56

DstPort NoteProperty System.String DstPort=443

SrcIP NoteProperty System.String SrcIP=68.26.116.175

SrcPort NoteProperty System.String SrcPort=1169

WindowSize NoteProperty System.String WindowSize=16384

:$MatchIPString[0..10] gm

TypeName: Microsoft.PowerShell.Commands.MatchInfo

Name MemberType Definition

---- ---------- ----------

Equals Method System.Boolean Equals(Object obj)

GetHashCode Method System.Int32 GetHashCode()

GetType Method System.Type GetType()

ToString Method System.String ToString(), System.String ToString(String directory)

Context Property Microsoft.PowerShell.Commands.MatchInfoContext Context {get;set;}

Filename Property System.String Filename {get;}

IgnoreCase Property System.Boolean IgnoreCase {get;set;}

Line Property System.String Line {get;set;}

LineNumber Property System.Int32 LineNumber {get;set;}

Matches Property System.Text.RegularExpressions.Match[] Matches {get;set;}

Path Property System.String Path {get;set;}

Pattern Property System.String Pattern {get;set;}

2009-03-30T19:33:00.000-07:00

I experimented with a powershell script in the start folder. I had some issues. I am still not sure how to get consecuitive commands that share the same environment running. So I simply appended my function name after defining it in my script. I did not use the "-file" option but invoked the script like a command from a cmd.exe file. This cmd.exe file still requires me to type an Administrative password after startup. Not quite sure how to get around that...

:: Powershell startup to pump established connections to the Event Log

:: see http://www.rmfdevelopment.com/PowerShell_Scripts/List-TCPConnections_Advanced.ps1

echo Powershell -windowStyle hidden -noexit -noprofile "& D:\PS1\netstat_Established_log_startup.ps1" >TCPListen.cmd

runas /profile /env /user:Administrator TCPListen.cmd

Metadata

2009-03-24T21:37:00.000-07:00

Jason Shirk's excellent post on meta-programming inspired this function and alias I have added to my profile to help me get a handle on the use and format of paramaters in CTP2 v3 scripts.

function Create-Metadata($args0) {

$args0 = new-object System.Management.Automation.CommandMetadata (get-command $args0)

[System.Management.Automation.ProxyCommand]::Create($args0) | out-file ProxyCommand.txt

more ProxyCommand.txt

}

Set-Alias cm Create-Metadata

Run as below:

CM("trace-command")

[CmdletBinding(DefaultParameterSetName='expressionSet')]

param(

[Parameter(ValueFromPipeline=$true)]

[System.Management.Automation.PSObject]

${InputObject},

[Parameter(Mandatory=$true, Position=0)]

[System.String[]]

${Name},

[Parameter(Position=2)]

[System.Management.Automation.PSTraceSourceOptions]

${Option},

[Parameter(ParameterSetName='expressionSet', Mandatory=$true, Position=1)]

[System.Management.Automation.ScriptBlock]

${Expression},

[Parameter(ParameterSetName='commandSet', Mandatory=$true, Position=1)]

[System.String]

${Command},

[Parameter(ParameterSetName='commandSet', ValueFromRemainingArguments=$true)]

[Alias('Args')]

[System.Object[]]

${ArgumentList},

[System.Diagnostics.TraceOptions]

${ListenerOption},

[Alias('PSPath')]

[System.String]

${FilePath},

.....

2009-03-24T21:17:00.000-07:00

Some notes on FileVersionInfo, finding Modules, loaded dlls:

(get-process -id $pid).modules | %{$_} | fl * | more

Size : 152

Company : Microsoft Corporation

FileVersion : 6.1.6949.0 (fbl_srv_powershell_ctp(srvbld).081105-1651)

ProductVersion : 6.1.6949.0

Description : Windows PowerShell

Product : Microsoft? Windows? Operating System

ModuleName : PowerShell.exe

FileName : C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe

BaseAddress : 579928064

ModuleMemorySize : 155648

EntryPointAddress : 579954429

FileVersionInfo : File: C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe

InternalName: POWERSHELL

OriginalFilename: PowerShell.EXE

FileVersion: 6.1.6949.0 (fbl_srv_powershell_ctp(srvbld).081105-1651)

FileDescription: Windows PowerShell

Product: Microsoft? Windows? Operating System

ProductVersion: 6.1.6949.0

Debug: False

Patched: False

PreRelease: False

PrivateBuild: True

SpecialBuild: False

Language: English (United States)

....

A workable tlist substitute:

$a =foreach ($id in (get-process)) {write $id.Name,$id.Size,$id.modules}

$a | more

alg

Size(K) ModuleName FileName

------- ---------- --------

52 alg.exe C:\WINDOWS\System32\alg.exe

700 ntdll.dll C:\WINDOWS\system32\ntdll.dll

984 kernel32.dll C:\WINDOWS\system32\kernel32.dll

352 msvcrt.dll C:\WINDOWS\system32\msvcrt.dll

68 ATL.DLL C:\WINDOWS\System32\ATL.DLL

580 USER32.dll C:\WINDOWS\system32\USER32.dll

292 GDI32.dll C:\WINDOWS\system32\GDI32.dll

620 ADVAPI32.dll C:\WINDOWS\system32\ADVAPI32.dll

584 RPCRT4.dll C:\WINDOWS\system32\RPCRT4.dll

68 Secur32.dll C:\WINDOWS\system32\Secur32.dll

1268 ole32.dll C:\WINDOWS\system32\ole32.dll

556 OLEAUT32.dll C:\WINDOWS\system32\OLEAUT32.dll

36 WSOCK32.dll C:\WINDOWS\System32\WSOCK32.dll

.....

2009-03-16T21:40:00.000-07:00

This will be worth some more investigation. I can send a Powershell array of cmd.exe strings to the cmd.exe interpreter and pass cmd.exe a Powershell "here string" that will passthru a Powershell variable to the cmd.exe interpreter. Be interesting to next see if I can reverse the process.

# writes out time and date from cmd.exe

write "Time and Date from CMD.EXE:"

$Global:command =

"time /t",

"date /t"

out-file -inputobject $command -encoding ASCII -filepath $pwd\cmd.txt

Start-Process cmd.exe -argument /Q -nonewwindow -wait -redirectstandardinput $pwd\cmd.txt

#set date in cmd.exe with UNIX style 'get-date'

write "Set cmd.exe date with (get-date -uformat)"

$DNT= get-date -uformat %m/%d/%Y

$Global:command =

date $DNT

out-file -inputobject $command -encoding ASCII -filepath $pwd\cmd.txt

Start-Process cmd.exe -argument /Q -nonewwindow -wait -redirectstandardinput $pwd\cmd.txt

This also works well to enter multiple lines to be interpreted by cmd.exe:

function copy_con {[console]::In.ReadToEnd()}

write "Enter lines into copy_con to be interpreted by cmd.exe. End the list with CTRL-C:"

$Global:command = copy_con

out-file -inputobject $command -encoding ASCII -filepath $pwd\cmd.txt

Start-Process cmd.exe -argument /Q -nonewwindow -wait -redirectstandardinput $pwd\cmd.txt

prompt

This doesn't work yet, but probably could with some work:

function Start-Cmd($parameter1) {Start-Process cmd.exe -argument /Q -nonewwindow -wait -redirectstandardinput $parameter1}

Start-cmd dir

Start-Process : This command cannot be executed because either the parameter 'RedirectStandardInput 'D:\PS1\dir'' has an invalid value or cannot be u

sed with this command. Give a valid input and Run your command again.

At line:1 char:47

+ function Start-Cmd($parameter1) {Start-Process <<<< cmd.exe -argument /Q -nonewwindow -wait -redirectstandardinput $parameter1}

+ CategoryInfo : InvalidOperation: (:) [Start-Process], FileNotFoundException

+ FullyQualifiedErrorId : FileNotFoundException,Microsoft.PowerShell.Commands.StartProcessCommand

Finding Time

2009-03-13T15:33:00.000-07:00

FindingTimes in Powershell (and cmd.exe). I have put the script FindingTimes.ps1 in my repository. I am returning various results. This script demonstrates different methods of finding System Time and Uptime on Windows with cmd.exe or Powershell. There is a discrepancy in the method results between .NET and GWMI. I do not know what is causing this, I suspect the hibernate process or uptime.exe heartbeat function (from MS Reskit) is causing the descrepancy.

PS D:\PS1> .\FindingTime_001.ps1

Finding Current and Boot Times from Powershell: A Medley of Methods

System Times:

Time now using Get-Date:

03/16/2009 19:41:35

DisplayHint : DateTime

DateTime : Monday, March 16, 2009 7:41:35 PM

Date : 3/16/2009 12:00:00 AM

Day : 16

DayOfWeek : Monday

DayOfYear : 75

Hour : 19

Kind : Local

Millisecond : 343

Minute : 41

Month : 3

Second : 35

Ticks : 633728292953437500

TimeOfDay : 19:41:35.3437500

Year : 2009

Time From .NET:

.NET Date Time Now is 03/16/2009 19:41:35

.NET UTC Date Time Now is 03/17/2009 02:41:35

.NET Time is Date Hours Minutes Seconds MS : 16 19 41 35 359

.NET UTC Time is Date Hours Minutes Seconds MS : 17 2 41 35 359

Time from WMI Win32_OperatingSystem LocalDateTime:

03/16/2009 19:41:35

Time and Date from CMD.EXE:

Microsoft Windows XP [Version 5.1.2600]

D:\PS1>07:41 PM

D:\PS1>Mon 03/16/2009

D:\PS1>.

System UpTimes:

Uptime for cmd.exe

Microsoft Windows XP [Version 5.1.2600]

D:\PS1>Running cmd.exe

D:\PS1>Current TimeStamp is 03.16.2009_19.41.35.59

Statistics since 3/14/2009 9:45 AM

Uptime From Microsoft Resource Kit: 'D:\uptime.exe:'

\\RMFMEDIA has been up for: 2 day(s), 9 hour(s), 57 minute(s), 26 second(s)

Uptimes from the System Event 6009 Log Query and (get-date): Elapsed from Last Boot Times

Last boot Date/Time -- LBTs from Current Time in Days.Hours.Minutes.Seconds

03/14/2009 09:44:52 -- 2.9.56.44

03/04/2009 14:25:00 -- 12.5.16.36

02/20/2009 01:24:35 -- 24.18.17.1

02/19/2009 20:47:39 -- 24.22.53.57

02/18/2009 11:10:45 -- 26.8.30.51

02/16/2009 10:24:21 -- 28.9.17.15

02/16/2009 10:10:47 -- 28.9.30.49

02/03/2009 11:33:24 -- 41.8.8.12

01/15/2009 22:40:17 -- 59.21.1.19

01/09/2009 09:52:51 -- 66.9.48.45

01/07/2009 17:39:39 -- 68.2.1.57

01/05/2009 18:30:06 -- 70.1.11.30

01/05/2009 11:01:59 -- 70.8.39.37

12/24/2008 11:20:21 -- 82.8.21.15

Uptime from Get-WmiObject -class Win32_PerfFormattedData_PerfOS_System

Number of Days = 2.41489583333333

Number of Hours = 57.9575

Number of Minutes = 3477.45

Number of Seconds 208647

Uptme from GWMI Win32_OperatingSystem -Namespace root\CIMV2 LastBootUpTime and (get-date)

Last Boot Time: 03/16/2009 03:33:43 Current Time: 03/16/2009 19:41:36

Uptimes from Last Boot in Days.Hours.Minutes.Seconds = 0.16.7.52

Uptime from Get-WmiObject -class Win32_OperatingSystem LastBootUpTime and LocalDateTime

Uptime is 0.16.7.52

Uptime from D:\cygwin\bin\uptime.exe (procps version 3.2.6)

19:41:36 up 16:07, 1 user, load average: 0.00, 0.00, 0.00

2009-03-06T18:49:00.000-08:00

The last few days have been horrible for me. There is a level of knowledge I am missing about .NET and Powershell that is preventing me from doing great new creative things. Fortunately, there are brilliant coders like Josh Einstein and others stumbling across similar issues. For example:http://groups.google.com/group/microsoft.public.windows.powershell/browse_thread/thread/40356985a4e3e015/9112f551260968f0?hl=en#9112f551260968f0

It's amazing how useful ad-hoc discussions about new features in CTPv3 are to many us. "Jaykul"Bennett posted one I am sure is being mined from all over the world:

http://huddledmasses.org/a-guide-to-advanced-functions/#more-1116

Oh well, back to Holmes, Payette, Deshev, and others and see if I can figure out what I am doing. Perhaps some time spent just reading .NET and C# books would be useful....hmmmm...

I've posted this:

"In learning Powershell, once you are over the humps of the pipeline,
automatic variables, conditional loops, .NET, network admin tricks
etc. (e.g. a "better cmd line"), you are faced with absorbing the
intent of the architects in creating and using functionality like:

params for Functions
scriptlets
[cmdletbinding]
Cmdlet architecture

etc. and a subset of other dev skillsets like error handling,
debugging that would make the difference for between someone who is
rewriting his 10 line cmd scripts or someone who is creating
significant functionality in Powershell scripts. I think what I would
like is book with a title like "Design Patterns for Powershell" that
provides examples and discussion on how to best implement Powershell
for performance, for re-usable design, when something more "lambda"
than "imperative" makes sense and the converse. Currently, there is a
lot of research leg work to go through to come up with this "all by
your lonesome". Other pieces of this might be a Visio or VisStudio
design template(s), advice on writing testable and easily debugged
functions, PSIE extensions that provide for intellisense or design
templates. It's true folks like Bennet, Lee, Snover, Payette, Holmes,
and the Powershell team have some discussion and some examples about
this...but I find myself with many questions...and feeling a little
confused. Do I need to master "Design Patterns for C#" or understand
Functional Language style vs. Imperative Language issues before I
write elegant, correct, re-usable functions, and scriplets for
Powershell?"

2009-02-23T13:51:00.000-08:00

Teaching myself debugging...some random notes:

There are no locals or watch windows in the CTP2 v3 ISE. They are sorely needed. However, there is a plethora of debugging facilities in Powershell. Today's post is about my morning exploration of such facilities. I have a function List-TCPConnections that works fine with one argument but doesn't work with multiple pipeline values. This param: [ValueFromPipeline] gives me a "load assembly" error message and I am not ready to debug that right now ;-) . I have a cmd.exe test script to give myself connection states: for /l %i in (1000,100,10000) do wget %i.com. I run through TCP Connection States like this: '0..11 | %{List-TCPConnections $_}'

Under such test, the function below works as expected, pumping out connection states, IP addresses to console and (classic) EventLog:

function global:List-TCPEstablished {do {List-TCPConnections 5} while (1)}

This (pipeline function) does not work :

function global:List-TCPAllStates {do {0..11 | %{List-TCPConnections $_}} while (1)}

Originally, I tried some simple 'print debug' type strategies with "get-variable" (gv) and "out-gridview". But the compound variables do not Invoke() (for me) in "out-gridview" so these strategies weren't helping.

(gv -s 0)| out-gridview ## scope for everything

(gv -s 1)| out-gridview ## one scope up

## Just what the script gives subtracted from everything

compare-object (gv -s script) (gv -s 0) | out-gridview

Along the same lines, I thought I would be more tricky and pump out variable arrays I wanted to watch as needed:

$local_out=

"last_netblock",

"netblock",

"State"

$dbg = $local_out | %{gv ($_)}; $dbg | out-gridview

That still wasn't helpful for the above reasons. Below, the trace command dumps lots of information, but still doesn't help me with logic errors:

trace-command -name metadata,parameterbinding,cmdlet -option ExecutionFlow,data,errors {do {0..11 | %{List-TCPConnections $_};sleep -s 5} while (1)}-pshost

Using a script block at the start of my Begin{} function and calling it as needed was most useful at this point.

## Debug Print Script Block

$Global:locals_out=

{

$State

$last_netblock

write .

$netblock

}

## Debug

write $Locals_out.Invoke()

to be continued...

2009-02-18T09:34:00.001-08:00

Three of the four last posts have resulted in a considerable speed up of my Powershell learning curve. In my February 6th post , I created a (not so) simple script to log all new Established TCP Connections. 'Compare-Object' was very useful in finding the diff between one netblock and the last. In my February 12th post, I worked through how to send those Established TCP Connections to the (classic) Event Viewer. I then spent quite a bit of time trying to build a script that iterated all TCPStates past the current TCP Connection diff in an attempt to send all TCP State Connections to the Event Log. I spent a lot of time failing to create such an iteration. (Update February 25): Eventually, I did create a function(s) which will log select TCP Connection States. It is posted here: http://www.rmfdevelopment.com/PowerShell_Scripts/List-TCPConnections_Advanced.ps1

There are a ton of issues for me to work out with Powershell involving .NET overloads, Functions Types, Iteration, Parameters....But the foreach-object can be used in a block to process an array line by line. Very simple and straightforward:

$global:c = compare-object -referenceobject $State_netblock -differenceobject $State_last_netblock

if ($c -eq $null){}

elseif($c.SideIndicator -eq "<=" )

{$C |

foreach-object -process{

$LocalAddress = $_.InputObject.LocalEndPoint.Address

$RemoteAddress = $_.InputObject.RemoteEndPoint.Address

$LocalPort = $_.InputObject.LocalEndPoint.Port

$RemotePort = $_.InputObject.RemoteEndPoint.Port

$TCP_State = $TCPState[$State]

$name = [System.Net.DNS]::Resolve("$RemoteAddress")

$name_canon = $name.hostname

write "$TimeNow $RemoteAddress $name_canon : $RemotePort $TCP_State"

$EventLog.Source = "$name_canon"

$EventLog.WriteEntry("$LocalAddress $TCP_State connection to $RemoteAddress($name_canon) from Local Port: $LocalPort to Remote Port: $RemotePort",$infoevent,$RemotePort,$State)

}

Update on event log queries for the event log generated by the above script:

Source

$Source_8NetUnique = get-eventlog -log EstablishedTCPConnections | ?{$_.Source -match "^8\."} | sort-object -property Source -unique

$SourceNetUnique = get-eventlog -log EstablishedTCPConnections | ?{$_.Source -match "^*"} | sort-object -property Source -unique

$SourceNetUniqueGroupBy = get-eventlog -log EstablishedTCPConnections | ?{$_.Source -match "^*"} | group-object -property Source | Sort-object -property count -descending

Function Get-NetName ($CountNetName) { get-eventlog -log EstablishedTCPConnections | ?{$_.Source -match "^$CountNetName"} | group-object -property Source | Sort-object -property count -descending}

foreach($i in (gc alpha.txt)){get-netname $i}

Port

$Port80 = get-eventlog -log EstablishedTCPConnections | ?{$_.EventID -match "^80"}| sort-object -property TimeGenerated -descending

$EventIDNetUnique = get-eventlog -log EstablishedTCPConnections | ?{$_.EventID -match "^*"} | sort-object -property EventID -unique

$EventIDNetUniqueGroupBy = get-eventlog -log EstablishedTCPConnections | ?{$_.EventID -match "^*"} | group-object -property EventID | Sort-object -property count -descending

Function Get-PortType ($CountPortType) { get-eventlog -log EstablishedTCPConnections | ?{$_.EventID -match "^$CountPortType"} | group-object -property EventID | Sort-object -property count -descending}

$Source = get-eventlog -log EstablishedTCPConnections | group-object -property Source | sort-object -property Count -descending

$Port = get-eventlog -log EstablishedTCPConnections | group-object -property EventID | sort-object -property Count -descending

$UniqSource = get-eventlog -log EstablishedTCPConnections | sort-object -property Source -descending -unique

$UniqPort = get-eventlog -log EstablishedTCPConnections | sort-object -property EventID -descending -unique

$UniqSource = get-eventlog -log EstablishedTCPConnections | group-object -property Source | sort-object -property Count -descending

$UniqSource | Select Count,Name | cvhtml > UniqSource.html

$a | %{[System.Net.DNS]::Resolve($_.Source)}

$a | %{whois ($_.Source)}

2009-02-12T14:41:00.000-08:00

This function pushes off the stack every new Established TCP connection as so:

PS >List-EstablishedTCP

209.62.20.43 ev1s-209-62-20-43.theplanet.com : 80

72.30.190.105 rc10.ysm.vip.ac2.yahoo.com : 80

165.160.9.37 165.160.9.37 : 80

66.235.133.3 dc2-3.112.2o7.net : 80

75.101.151.37 ec2-75-101-151-37.compute-1.amazonaws.com : 80

8.12.226.77 8.12.226.77 : 80

96.17.232.242 a96-17-232-242.deploy.akamaitechnologies.com : 80

It also send a message to the (classic) Event Log named "EstablishedTCPConnections" as shown here. One PoSh blog was very helpful with this: http://winpowershell.blogspot.com/2006/07/writing-windows-events-using.html

function Global:EstablishedTCP

{ ## start function

$a = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()

$b = $a.GetActiveTcpConnections() | where{$_.State -eq "Established" }

if ($b -ne $null -and $last_b -ne $null)

{

$c = compare-object $b $last_b;

}

if ($c.SideIndicator -eq "<=" )

{

$LocalAddress = $c.InputObject.LocalEndPoint.Address

$RemoteAddress = $c.InputObject.RemoteEndPoint.Address

$LocalPort = $c.InputObject.LocalEndPoint.Port

$RemotePort = $c.InputObject.RemoteEndPoint.Port

$name = [System.Net.DNS]::Resolve("$RemoteAddress")

$name_canon = $name.hostname

write "$RemoteAddress $name_canon : $RemotePort"

$EventLog = new-object System.Diagnostics.EventLog("EstablishedTCPConnections")

$EventLog.Source = "$name_canon"

$infoevent = [System.Diagnostics.EventLogEntryType]::Information

$EventLog.WriteEntry("$LocalAddress established connection to $RemoteAddress ($name_canon) from Local Port: $LocalPort to Remote Port: $RemotePort",$infoevent,$RemotePort,01)

}

start-sleep -m 100

$global:last_b = $b

} ## end function Established

function global:List-EstablishedTCP {do {EstablishedTCP} while (1)}

2009-02-08T19:44:00.000-08:00

This is a weird peice of code inspired by some syntax I found in Hristo Deshev's interesting book: "Pro Windows Powershell". Hristo talks about converting IDictionary objects to Hash Tables. 'PS' or 'get-process' uses the PID as the hash code for the process object. This allows a construct that produces a hash table with explict PIDs as hash keys. It is too late to figure out if this side-effect would have any value to anyone.

$script_block_ID = {ps | %{$_.ID} | Sort-object }

$dict = new-object Collections.Specialized.OrderedDictionary

$script_block_ID.Invoke() | %{$dict[(ps -id $_ | Select Name)] = $_.GetHashCode()}

write `r`n `$dict:

$dict

$hash = [hashtable]$dict

write `r`n `$hash:

$hash

[$hash:]

@{Name=cmd} 1364

@{Name=alg} 864

@{Name=explorer} 3212

@{Name=gvim} 1852

@{Name=wmiprvse} 1332

@{Name=VCSExpress} 3980

@{Name=wscntfy} 352

@{Name=chrome} 2724

@{Name=svchost} 1536

....

Enumerating TCP Connections

2009-02-06T10:18:00.000-08:00

What I was looking for is a simple script to capture all new ("Established") connections. This could use some improve since my code has some side-effects. 'Compare-object' subtracts the diff between two arrays: the reference set and the difference set. To run this I type this at a PS prompt:

function Est_do {do {Established} while (1)}
Est_do | out-file $pwd\Established.txt

function global:Established

{

Begin

{

$a = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()

}

Process

{

if ($b -ne $null) {$last_b = $b}

$b = $a.GetActiveTcpConnections() | where{$_.State -eq "Established" }

if ($last_b -ne $null)

{$c = compare-object $last_b $b;

if ($c.SideIndicator -eq "=>" ) {write $c.InputObject | ft -HideTableHeaders}

}

$global:last_b = $b

}

End

{

start-sleep -m 250

}

[Established.txt] :

Established 192.168.0.8:3419 209.85.147.83:80

Established 192.168.0.8:3420 74.125.19.191:80

Established 192.168.0.8:3422 74.125.19.191:80

...

2009-02-05T15:41:00.000-08:00

I spent some time seeing if Powershell could deliver some 'lsof' functionality easily with little luck. Few windows utilities do this now. Some exceptions are 'netstat -bno' (XPSP3) or tcpview.exe. Powershell (or at least me with Powershell) can't do much with the TCPState interface despite the presence of static members:

PS > [System.Net.NetworkInformation.TcpState].GetMembers() | % {$_.Name}

...

Unknown

Closed

Listen

SynSent

SynReceived

Established

FinWait1

FinWait2

CloseWait

Closing

LastAck

TimeWait

DeleteTcb

This interface: [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()

was more useful:

[netstat.ps1]

$a = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()

$b = $a.GetActiveTcpListeners() | Select Address,Port | Sort Port

$c = $a.GetActiveUDPListeners() | Select Address,Port | Sort Port

$d = $a.GetActiveTcpConnections() | Select LocalEndPoint,RemoteEndPoint,State | Sort State,RemoteEndPoint

write "TCP Listeners" $b | ft -auto

write "UDP Listeners" $c | ft -auto

write "TCP Active Connections" $d | ft -auto

PS >.\netstat.ps1

TCP Listeners

Address Port

------- ----

0.0.0.0 135

192.168.0.5 139

192.168.0.8 139

0.0.0.0 445

127.0.0.1 1027

0.0.0.0 3389

UDP Listeners

Address Port

------- ----

127.0.0.1 123

192.168.0.8 123

192.168.0.5 123

192.168.0.5 137

192.168.0.8 137

192.168.0.5 138

192.168.0.8 138

0.0.0.0 445

0.0.0.0 500

192.168.0.5 1900

127.0.0.1 1900

192.168.0.8 1900

127.0.0.1 2139

127.0.0.1 2683

127.0.0.1 2704

0.0.0.0 4500

TCP Active Connections

LocalEndPoint RemoteEndPoint State

------------- -------------- -----

127.0.0.1:1266 127.0.0.1:1265 Established

127.0.0.1:1265 127.0.0.1:1266 Established

127.0.0.1:1268 127.0.0.1:1267 Established

127.0.0.1:1267 127.0.0.1:1268 Established

192.168.0.8:2877 65.55.11.254:80 Established

192.168.0.8:2876 72.14.207.191:80 Established

192.168.0.8:1062 209.85.173.102:80 CloseWait

2009-01-27T10:58:00.000-08:00

This is my third update to this script. I think this script will finally push me into "programming like a real man" (e.g. with functions, params, hash arrays, throws, traps other optimizations) e.g. http://rmfdevelopment.com/PowerShell_Scripts/QueryEventFunction.ps1

Interestingly, I found System Event ID 36 breaks my script. It is a failure of the Windows Time Service and I think I have found a defect in Time/Date formatting:

## Takes Event Log queries...and finds elapsed time from event

# Default queries localhost system shutdown (EventID 6009)

# E.G. .\EventLogQueries.ps1 System 4072

# E.G . 6005..6009 | %{.\EventLogQueries.ps1 System $_ }

if ($args[0] -eq $Null) {$Log_Type = "System"} else {$Log_Type = $args[0]}

if ($args[1] -eq $Null) {$Event_ID = 6009} else {$Event_ID = $args[1]}

write $args[1]

## TODO for remote and other properties:

## if ($args[3] = $Null) {$Computer = localhost} else {$args[3] = $Computer}

# query Event Log

$EventLog = get-eventlog -log $Log_Type | Select Message,EventID,TimeGenerated

$Event = $EventLog | ?{$_.eventID -eq $Event_ID}

$EventID = $Event | %{$_.eventID}

$Message = $Event | %{$_.Message}

$TimeGenerated = $Event | %{$_.TimeGenerated}

## TODO: Needs Trap or Throw for bad date or time format from Microsoft like for Event ID 36

## EventID 36 will break this script because....(??)

## if EventID is null, discard query

if ($LogType = "System" -and $EventID -eq 36) {$EventID = $NULL;write "Skip System EventID 36 because it breaks this script"}

if ($EventID -ne $NULL)

{

# Find elapsed time, total restarts, restarts/days and generate some arrays

## DBG::$test_EventID = $EventID[0]

## DBG::$test_Args_1 = $Args[1]

## DBG::write "Args[1]:$test_Args_1 -- Date/Time -- Elapsed Time (D.H.M.S)"

write "EventID -- Message -- Date/Time -- Elapsed Time (D.H.M.S)"

$array_count = ($Event).count - 1

$total_events = ($Event).count

$curr_date = get-date

$first_event_date = $TimeGenerated[$array_count]

$last_event_date = $TimeGenerated[0]

$event_time_span =($curr_date - $first_event_date)

$elapsed = $TimeGenerated[0..$array_count] | %{($curr_date - $_)}

$AverageDaysBetweenEvents = $event_time_span.Days%$total_events

## Report Data

## What happens if data field is null?

0..$array_count | %{

$days = $elapsed[$_].days;

$hours = $elapsed[$_].hours;

$minutes = $elapsed[$_].minutes;

$seconds = $elapsed[$_].seconds;

$EventIDPrint = $EventID[$_];

$MessagePrint = $Message[$_];

$TimeGeneratedPrint = $TimeGenerated[$_];

write "$EventIDPrint,$MessagePrint,$TimeGeneratedPrint,$days.$hours.$minutes.$seconds" }

}

if ($EventID -ne $NULL)

{

write "Number of Events:$total_events First Occurrence:$first_event_date Last Occurrence:$last_event_date Average Days Between Events:$AverageDaysBetweenEvents"

}

2009-01-23T13:40:00.000-08:00

# Takes Event Log queries...and finds elapsed time from event

# E.G . 6005..6009 | %{.\EventLogQueries.ps1 System $_ }

if ($args[0] -eq $Null) {$Log_Type = "System"} else {$Log_Type = $args[0]}

if ($args[1] -eq $Null) {$Event_ID = 6009} else {$Event_ID = $args[1]}

# query Event Log

$EventLog = get-eventlog -log $Log_Type

$EventID = $EventLog | ?{$_.eventID -eq $Event_ID}

# If EventID is null, discard query

if ($EventID -ne $NULL)

{

# Find Elapsed Time and Generate Array

write "Event ID -- Date/Time -- Elapsed Time (D.H.M.S)"

$LogType_EventID_MsgProperty = $EventID | %{$_.TimeGenerated}

$count = ($LogType_EventID_MsgProperty).count - 1

$curr_date = get-date

$array = $LogType_EventID_MsgProperty[0..$count] | %{($curr_date - $_)}

# Report Data

0..$count | %{

$days = $array[$_].days;

$hours = $array[$_].hours;

$minutes = $array[$_].minutes;

$seconds = $array[$_].seconds;

$date = $LogType_EventID_MsgProperty[$_];

write "$Event_ID -- $date -- $days.$hours.$minutes.$seconds";}

}

Output:

PS >6005..6009 | %{.\EventLogQueries.ps1 System $_ }

Event ID -- Date/Time -- Elapsed Time (D.H.M.S)

6005 -- 01/15/2009 22:40:17 -- 7.15.0.2

6005 -- 01/09/2009 09:52:51 -- 14.3.47.28

6005 -- 01/07/2009 17:39:39 -- 15.20.0.40

6005 -- 01/05/2009 18:30:06 -- 17.19.10.13

6005 -- 01/05/2009 11:01:59 -- 18.2.38.20

6005 -- 12/24/2008 11:20:21 -- 30.2.19.58

6005 -- 12/21/2008 10:01:15 -- 33.3.39.4

6005 -- 12/19/2008 09:23:52 -- 35.4.16.27

6005 -- 12/11/2008 08:04:59 -- 43.5.35.20

6005 -- 12/03/2008 08:10:23 -- 51.5.29.56

Event ID -- Date/Time -- Elapsed Time (D.H.M.S)

6006 -- 01/15/2009 09:28:14 -- 8.4.12.6

6006 -- 01/09/2009 09:52:04 -- 14.3.48.16

6006 -- 01/07/2009 17:38:05 -- 15.20.2.15

6006 -- 01/05/2009 11:00:36 -- 18.2.39.44

6006 -- 12/19/2008 09:22:42 -- 35.4.17.38

6006 -- 12/11/2008 08:03:46 -- 43.5.36.34

Event ID -- Date/Time -- Elapsed Time (D.H.M.S)

6009 -- 01/15/2009 22:40:17 -- 7.15.0.5

6009 -- 01/09/2009 09:52:51 -- 14.3.47.31

6009 -- 01/07/2009 17:39:39 -- 15.20.0.43

6009 -- 01/05/2009 18:30:06 -- 17.19.10.16

6009 -- 01/05/2009 11:01:59 -- 18.2.38.23

6009 -- 12/24/2008 11:20:21 -- 30.2.20.1

6009 -- 12/21/2008 10:01:15 -- 33.3.39.7

6009 -- 12/19/2008 09:23:52 -- 35.4.16.30

6009 -- 12/11/2008 08:04:59 -- 43.5.35.23

6009 -- 12/03/2008 08:10:23 -- 51.5.29.59

2009-01-22T19:42:00.001-08:00

Last Boot Times. A Microsoft.public.windows.powershell forum question made me think about how important historical knowledge of last boot times are to most administrators. Microsoft has an excellent utility (uptime.exe at http://support.microsoft.com/kb/232243) that records significant system events and estimates system availability. I wanted to see how difficult such a utility would be to recreate in Powershell. I was surprised to find some reporting differeneces for last uptime between the different approaches. To be continued...

##. \LastBootWMI.ps1

$colItems = Gwmi Win32_OperatingSystem -Namespace "root\CIMV2" -ComputerName localhost

$LB = $ColItems.ConvertToDateTime($ColItems.LastBootUpTime)

$array = (get-date).subtract($LB)

$Curr_date = (get-date)

$days = $array.days

$hours = $array.hours

$minutes = $array.minutes

$seconds = $array.seconds

write "Last Boot Time: $LB Current Time: $Curr_date"

write "Time from Last Boot in Days.Hours.Minutes.Seconds = $days.$hours.$minutes.$seconds"

PS >.\LastBootWMI.ps1

Last Boot Time: 01/20/2009 03:42:31 Current Time: 01/22/2009 19:00:25

Time from Last Boot in Days.Hours.Minutes.Seconds = 2.15.17.53

## .\LastBootTimes.ps1

$SysEvtLog = get-eventlog -log System

$Evt_ID_6009 = $SysEvtLog | ?{$_.eventID -eq 6009}

$Evt_ID_6009TG = $Evt_ID_6009 | %{$_.TimeGenerated}

$count = ($Evt_ID_6009TG.count) -1

$curr_date = get-date

$array = $Evt_ID_6009TG[0..$count] | %{($curr_date - $_)}

write "Last boot Date/Time -- LBTs from Current Time in Days.Hours.Minutes.Seconds"

0..$count | %{

$days = $array[$_].days;

$hours = $array[$_].hours;

$minutes = $array[$_].minutes;

$seconds = $array[$_].seconds;

$date = $Evt_ID_6009TG[$_];

write "$date -- $days.$hours.$minutes.$seconds";}

PS >.\LastBootTimes.ps1

Last boot Date/Time -- LBTs from Current Time in Days.Hours.Minutes.Seconds

01/15/2009 22:40:17 -- 6.20.20.5

01/09/2009 09:52:51 -- 13.9.7.31

01/07/2009 17:39:39 -- 15.1.20.43

01/05/2009 18:30:06 -- 17.0.30.16

01/05/2009 11:01:59 -- 17.7.58.23

12/24/2008 11:20:21 -- 29.7.40.1

12/21/2008 10:01:15 -- 32.8.59.7

12/19/2008 09:23:52 -- 34.9.36.30

12/11/2008 08:04:59 -- 42.10.55.23

12/03/2008 08:10:23 -- 50.10.49.59

D:\>uptime.exe /s

Uptime Report for: \\RMFMEDIA

Current OS: Microsoft Windows XP, Service Pack 3, Multiprocessor Free.

Time Zone: Pacific Standard Time

System Events as of 1/22/2009 7:13:12 PM:

Date: Time: Event: Comment:

---------- ----------- ------------------- -----------------------------------

12/3/2008 8:10:23 AM Boot

12/11/2008 8:03:46 AM Shutdown Prior uptime:7d 23h:53m:23s

12/11/2008 8:04:59 AM Boot Prior downtime:0d 0h:1m:13s

12/19/2008 9:22:42 AM Shutdown Prior uptime:8d 1h:17m:43s

12/19/2008 9:23:52 AM Boot Prior downtime:0d 0h:1m:10s

12/21/2008 10:01:15 AM Boot

12/24/2008 11:20:21 AM Boot

1/5/2009 11:00:36 AM Shutdown Prior uptime:11d 23h:40m:15s

1/5/2009 11:01:59 AM Boot Prior downtime:0d 0h:1m:23s

1/5/2009 6:30:06 PM Boot

1/5/2009 6:30:12 PM Bluescreen STOP 0x0000008e

1/7/2009 5:38:05 PM Shutdown

1/7/2009 5:39:39 PM Boot Prior downtime:0d 0h:1m:34s

1/9/2009 9:52:04 AM Shutdown Prior uptime:1d 16h:12m:25s

1/9/2009 9:52:51 AM Boot Prior downtime:0d 0h:0m:47s

1/15/2009 9:28:14 AM Shutdown Prior uptime:5d 23h:35m:23s

1/15/2009 10:40:17 PM Boot Prior downtime:0d 13h:12m:3s

Current System Uptime: 6 day(s), 20 hour(s), 33 minute(s), 32 second(s)

2009-01-19T22:59:00.000-08:00

Some notes on cmd line editing for Powershell in v2 CTP 3. It is often nice to be able to use a command line editor like Vim or Edlin when writing simple scripts. This allows the administrator to stay in one shell and one environment. Edlin allows the user to see the command history above and the editing space below. Bruce Payette's work lead me to create this function that replaces the venerable 'copy con' in DOS:

function copy_con {[console]::In.ReadToEnd()}

My 'copy_con' function can be used to write to file or variable:

copy_con > a.txt

$a = copy_con

The same functionality is achieved in v2 CTP3 with read-host.

The 'out-gridview' cmdlet in CTP3 allows you to combine multiple output in one grid; a more readable and searchable window for multiple help files: $a | %{help $_ -detailed} | out-gridview

Using the 'history' to create simple scripts is easy:

$test_out = 25..30 | history| %{$_.CommandLine}

To execute the collection of commands from a variable:

$test_out | %{Invoke-expression $_}

2009-01-12T11:46:00.000-08:00

Parsing Logs again....Following up from a few posts ago. I would like to figure out how to get multiple log types working together with the simplest syntax in Powershell. I think the goal would be to take events that happen from whatever handlers (Event Logs, Application Verifier, Windbg, NetMonitor, Syslogd, Firewall, IDS) and parse them into "congruent datetime stamped events" as objects (??). To get today's dump from Windows Firewall Audit (set this up in auditing...) messaging out of my Security Event Log, I do something like this:

$now = [System.DateTime]::get_now()

$NowSDS = $now.ToShortDateString()

$SEL = get-eventlog -logname Security | where-object {($_.timegenerated -match "$NowSDS") -and ($_.message -match "Windows Firewall")} | fl *

$SEL | out-file $pwd\SEL.txt

Select-string SEL.txt -pattern "Process Identifier","Path","Port number" -allmatches

## or

Select-string SEL.txt -pattern "Process Identifier","Path","Port number" -allmatches | out-file SEL_SR.txt

$sr = [System.IO.StreamReader]("$pwd\SEL_SR.txt")

$sr.readToEnd()

Results are like:

...

SEL.txt:11669: Path: C:\WINDOWS\system32\svchost.exe

SEL.txt:11671: Process identifier: 1588

SEL.txt:11685: Port number: 50386

SEL.txt:11712: Path: C:\WINDOWS\system32\svchost.exe

SEL.txt:11714: Process identifier: 1588

SEL.txt:11728: Port number: 59453

...

Ungainly. Not parsing an object in the end but eventually text! So here we are parsing the Message descriptions from the Security Event log MSG field (which is text!) into an object:

$now = [System.DateTime]::get_now()

$NowSDS = $now.ToShortDateString()

$SEL = get-eventlog -logname Security | where-object {($_.timegenerated -match "$NowSDS") -and ($_.message -match "Windows Firewall")}

$SEL_MSG = $SEL | %{$_.message}

Select-string -inputobject $SEL_MSG -pattern "Process Identifier","Path","Port number" -allmatches

Okay, an object but not what I want yet....And Select-String isn't helping any here:

Name: -

Path: C:\WINDOWS\system32\svchost.exe

Process identifier: 1588

User account: NETWORK SERVICE

User domain: NT AUTHORITY

Service: Yes

RPC server: No

IP version: IPv4

IP protocol: UDP

Port number: 55033

Allowed: No

User notified: No The Windows Firewall has detected an application listening for incoming traffic.

## This doesn't work

## $SR = [System.IO.StreamReader]($SEL)

## $sr.readToEnd()

to be continued....

2009-01-05T09:34:00.001-08:00

I am happy to see that the new ISE can open multiple buffers like GVIM7.2:

http://picasaweb.google.com/rferrisx/Powershell?authkey=Q5B4cx4qTOg#5287862514382137954

Searching for malware with Powershell

2009-01-02T00:08:00.000-08:00

hmmm.....

This gives me output like:

1/3/2009 11:09 AM,19:9:16:859,100,csrss,1124,16388096,40923136,104357888,15458304,39809024,87851008

which covers WorkingSet, PrivateMemorySize, VirtualMemorySize, and their deltas between measurement interval.

## Use ps to measure Application Memory Deltas

## Run '.\ws_diff [Interval in Seconds] [Process Name] or

## to log all processes continually every 10 seconds -- 'while (1) {.\WS_diff.ps1 10 cmd >> ps_out.txt }'

# Create args as Variables or Objects

$sleep_time = $args[0]

# Create or define PS_Array. Default is ps is called without args.

# Then take measurements $now, $then, $count

if ($args[1] -eq $NULL )

{

$then = ps | %{$_ | Select Name,ID,WorkingSet,PrivateMemorySize,VirtualMemorySize}

sleep -seconds $sleep_time

$now = ps | %{$_ | Select Name,ID,WorkingSet,PrivateMemorySize,VirtualMemorySize}

$count = ($now | Select Name).count

}

else

{

$ps_array = ( ps $args[1] )

$then = ps -inputobject $ps_array | %{$_ | Select Name,ID,WorkingSet,PrivateMemorySize,VirtualMemorySize}

sleep -seconds $sleep_time

$now = ps -inputobject $ps_array | %{$_ | Select Name,ID,WorkingSet,PrivateMemorySize,VirtualMemorySize}

$count = ($now | Select Name).count

}

# Declare Time Measurements

$date = (get-date -format g)

$hour = [DateTime]::UtcNow.TimeOfDay.Hours

$minutes = [DateTime]::UtcNow.TimeOfDay.Minutes

$seconds = [DateTime]::UtcNow.TimeOfDay.Seconds

$ms = [DateTime]::UtcNow.TimeOfDay.Milliseconds

# Write output and find diffs. Check if process has multiple instances first

if ( $count -gt 1 )

{

$array_out = 0..$count |

$date + "," +

$hour + ":" + $minutes + ":" + $seconds + ":" + $ms + "," +

$sleep_time + "," + $now[$_].Name + "," + $now[$_].ID + "," +

$now[$_].WorkingSet + "," +

$now[$_].PrivateMemorySize + "," +

$now[$_].VirtualMemorySize + "," +

( ($now[$_].WorkingSet) - ($then[$_].WorkingSet) ) + "," +

( ($now[$_].PrivateMemorySize) - ($then[$_].PrivateMemorySize) ) + "," +

( ($now[$_].VirtualMemorySize) - ($then[$_].VirtualMemorySize) )

}

else

{

$array_out =

$date + "," +

$hour + ":" + $minutes + ":" + $seconds + ":" + $ms + "," +

$sleep_time + "," + $now.Name + "," + $now.ID + "," +

$now.WorkingSet + "," +

$now.PrivateMemorySize + "," +

$now.VirtualMemorySize + "," +

( ($now.WorkingSet) - ($then.WorkingSet) ) + "," +

( ($now.PrivateMemorySize) - ($then.PrivateMemorySize) ) + "," +

( ($now.VirtualMemorySize) - ($then.VirtualMemorySize) )

}

write $array_out

Measuring Working Set difference over time

2008-12-30T12:38:00.000-08:00

Something performance oriented that I spent way too much time with...

## Use ps to measure WS difference

## Run '.\ws_diff [Measure Interval in Seconds]' or

## to log to text continually every 10 seconds --

## 'while (1) {.\WS_diff.ps1 10 >> ps_out.txt }'

# Take Measurements $Now and $Then and $Count

$then = ps | %{$_ | Select Name,ID, WorkingSet}

sleep -seconds $args[0]

$now = ps | %{$_ | Select Name,ID, WorkingSet}

$count = ($now | Select Name).count

# Declare Time Measurement and Interval

$date = (get-date -format g)

$hour = [DateTime]::UtcNow.TimeOfDay.Hours

$Minutes = [DateTime]::UtcNow.TimeOfDay.Minutes

$seconds = [DateTime]::UtcNow.TimeOfDay.Seconds

$ms = [DateTime]::UtcNow.TimeOfDay.Milliseconds

$interval = $args[0]

## write output and find difference

$text_out = 0..$count |

$date + "," + $hour + ":" + $Minutes + ":" + $seconds + ":" + $ms + "," +

$interval + "," + $Now[$_].Name + "," + $Now[$_].ID + "," +

( ($then[$_].WorkingSet) - ($Now[$_].WorkingSet) )

}

write $text_out

Produces csv output like:

12/30/2008 12:53 PM,20:53:58:953,10,AcroRd32,2204,0

12/30/2008 12:53 PM,20:53:58:953,10,alg,1648,0

12/30/2008 12:53 PM,20:53:58:953,10,CepstralLicSrv,476,0

12/30/2008 12:53 PM,20:53:58:953,10,chrome,336,-4096

12/30/2008 12:53 PM,20:53:58:953,10,chrome,2416,0

12/30/2008 12:53 PM,20:53:58:953,10,chrome,2580,0

12/30/2008 12:53 PM,20:53:58:953,10,chrome,2660,-77824

...

2008-10-04T21:32:00.000-07:00

More cmd.exe vs Powershell

This ditz below gets me a columnar listing of IP Address, DNS Name from cmd.exe . In the next post, we will whip that up in Powershell.

:: Produces columnar listing of IP and DNS name for range of IPs

:: Takes one argument with the first three octets of an IP

:: 'CheckNames 209.85.171 | findstr IP_Name' or

:: 'CheckNames 209.85.171 | findstr IP_Name >> Out.txt'

:: requires Cygwin in path or GNU grep, gawk, tr for Win32

@echo off

set args=%1

(for /l %%i in (1,1,255) do ( set OCT=%%i && set args && call :loop ))

goto end

:loop

set OCT

for /f %%i in ('ping -n 1 -l 1 -w 750 %args%.%OCT% ^| grep Reply ^| gawk '{ print $3 }' ^| tr -d : ' ) do set IP=%%i

for /f %%i in ('nslookup %args%.%OCT% ^| grep Name: ^| gawk '{ print $2 }' ') do set Name=%%i

echo IP_Name %IP% %Name%

set IP=

set Name=

:end

Some sample output shows some of the problems in constructing complicated cmd.exe logic:

IP_Name cg-in-f107.google.com

IP_Name 209.85.171.108 cg-in-f108.google.com

IP_Name

IP_Name 209.85.171.112 cg-in-f112.google.com

IP_Name 209.85.171.113 cg-in-f113.google.com

IP_Name

IP_Name 209.85.171.115 cg-in-f115.google.com

IP_Name 209.85.171.116

We know some ICMP fails, we know some name resolution fails, but we can't easily uncover the reasons for the failures or run additional code to check on the status of the failed ICMP and DNS requests.

2008-09-14T10:48:00.000-07:00

More Parsing Event Logs. Another way to do this , referencing part of Brandon Shell and Shay Levi's discussion. This doesn't parse the unformatted message text into object as I did in the post before. In any event, it would be useful to get away from using findstr.exe.

$now = [System.DateTime]::get_now()

$now.ToShortDateString()

$Now_ToString = $now.ToShortDateString()

get-eventlog -logname Security | where-object {($_.timegenerated -match "$Now_ToString") -and ($_.message -match "Windows Firewall")} | fl * | findstr "Port number"

# or

get-eventlog -logname Security | where-object {($_.timegenerated -match "$Now_ToString") -and ($_.message -match "Port number")} | fl * | findstr "Port number"

2008-09-10T17:47:00.000-07:00

Creates a columnar listing of Ports to which the Windows Firewall has denied access. No doubt there is a simpler way....This uses Lee Holmes 'Convert-TextObject.ps1' from the "The Windows Powershell Cookbook". To get around parsing the message fields in the Event Log which aren't objects, I used findstr.exe with "MessageFilters.txt" as far below.

$now = [System.DateTime]::get_now()

$nowshort = ($now.ToShortDateString()).ToString()

$TodaysFA = ( ( get-eventlog -logname security | where {$_.EntryType -eq "FailureAudit" -and $_.TimeGenerated -match "$nowshort" } )| Select TimeGenerated,Message )

$TodaysFA_Delimited = ($TodaysFA | fl * | findstr /g:MessageFilters.txt) | .\Convert-TextObject.ps1 -Delimiter ":"

$TodaysFA_Ports = $TodaysFA_Delimited | where-object {$_.Property1 -match "Port"} | sort-object {$_.Property2}

$TodaysFA_PortNumber = $TodaysFA_Ports | Select {$_.Property2}

MessageFilters.txt

TimeGenerated :

Message:

Process identifier:

User account:

User domain:

Service:

RPC server:

IP version:

IP protocol:

Port number:

Allowed:

User notified:

2008-09-02T20:14:00.000-07:00

Parsing Event Logs. So what I am trying to do is fish out all the Windows Firewall Entries that tell me what internal ports communicate with the outside world. This is a useful way to use pfirewall.log (Windows Firewall to check for Trojans). I have eventviewer entries like below that give me more information than the pfirewall.log

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 9/3/2008
Time: 6:58:53 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: RMFMEDIA
Description:
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1432
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 61248
Allowed: No
User notified: No

D:\>tail pfirewall.log
2008-09-03 07:27:37 OPEN UDP 192.168.1.114 69.7.46.8 56319 53 - - - - - - - - -
2008-09-03 07:27:37 OPEN TCP 192.168.1.114 72.14.207.191 1551 80 - - - - - - - - -
2008-09-03 07:27:38 OPEN UDP 192.168.1.114 192.168.0.2 1025 514 - - - - - - - - -
2008-09-03 07:27:44 CLOSE TCP 192.168.1.114 72.14.223.191 1550 80 - - - - - - - - -
2008-09-03 07:27:44 DROP TCP 72.14.223.191 192.168.1.114 80 1550 288 AP 2880782099

This is the basic idea:

( ( get-eventlog -logname security | where {$_.EntryType -eq "FailureAudit"} )| Select ReplacementStrings,TimeGenerated,Message )

The spew below also works now. What I wanted to do is limit the event log entries to today's date, but I couldn't find any easy way to embed a 'get-date' command without parsing it.

$date = (get-date -format g).Split(" ")
$now = $date[0].ToString()
$TodaysFA = ( ( get-eventlog -logname security | where {$_.EntryType -eq "FailureAudit" -and $_.TimeGenerated -match "$now" } )| Select ReplacementStrings,TimeGenerated,Message )

$date = (get-date -format g).Split(" ")
$now = $date[0].ToString()
$Todays_861 = ( ( get-eventlog -logname security | where {$_.EventID -eq "861" -and $_.TimeGenerated -match "$now" } )| Select ReplacementStrings,TimeGenerated,Message )

Next up: to dump just the Message field and extract out the port number and other various info into a csv. What I really want is just this information in a csv:

Process identifier: 1432
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 61248
Allowed: No

2008-07-15T15:59:00.000-07:00

With the help of Kuma:

http://groups.google.com/group/microsoft.public.windows.powershell
/browse_thread/thread/9b10ea1270dfd0ad/eb78a0bc226837d6#eb78a0bc226837d6

I have picked up this gem, which gives all the physical IPs on a system:

0..1 | %{([System.Net.DNS]::GetHostEntry(""))
.AddressList[$_].IPAddressToString}

2008-07-07T10:43:00.000-07:00

/\/\o\/\/ came up with the following brilliance:
http://thepowershellguy.com/blogs/posh/archive/2008/06/30/powershell-get-ipconfig-function.aspx?
CommentPosted=true#commentmessage

[System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()
|% {$_.getIPProperties().UnicastAddresses[0]}

Address : 192.168.0.5
IPv4Mask : 255.255.255.0
IsTransient : False
IsDnsEligible : True
PrefixOrigin : Dhcp
SuffixOrigin : OriginDhcp
DuplicateAddressDetectionState : Preferred
AddressValidLifetime : 349435
AddressPreferredLifetime : 349435
DhcpLeaseLifetime : 349435

Address : 127.0.0.1
IPv4Mask :
IsTransient : False
IsDnsEligible : True
PrefixOrigin : Manual
SuffixOrigin : Manual
DuplicateAddressDetectionState : Preferred
AddressValidLifetime : 3079514780
AddressPreferredLifetime : 3079514780
DhcpLeaseLifetime : 3079514780

[System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()
|% {$_.getIPProperties}

MemberType : Method
OverloadDefinitions : {System.Net.NetworkInformation.IPInterfaceProperties GetIPProperties()}
TypeNameOfValue : System.Management.Automation.PSMethod
Value : System.Net.NetworkInformation.IPInterfaceProperties GetIPProperties()
Name : GetIPProperties
IsInstance : True

MemberType : Method
OverloadDefinitions : {System.Net.NetworkInformation.IPInterfaceProperties GetIPProperties()}
TypeNameOfValue : System.Management.Automation.PSMethod
Value : System.Net.NetworkInformation.IPInterfaceProperties GetIPProperties()
Name : GetIPProperties
IsInstance : True

MemberType : Method
OverloadDefinitions : {System.Net.NetworkInformation.IPInterfaceProperties GetIPProperties()}
TypeNameOfValue : System.Management.Automation.PSMethod
Value : System.Net.NetworkInformation.IPInterfaceProperties GetIPProperties()
Name : GetIPProperties
IsInstance : True

2008-07-06T21:36:00.001-07:00

I find it simply amazing that Powershell can use the .NET to find the Broadcast and Loopback with little complication, but not the host IP Address:
[System.Net.IPAddress]::Broadcast.IPAddressToString
or
[System.Net.IPAddress]::Loopback.IPAddressToString

I can find all NetworkInterface information BUT the IP easily enough:
[System.Net.NetworkInformation.NetworkInterface]::
GetAllNetworkInterfaces()

But if I want my local host IP address through .NET I need some kludge like:
$host_name = [System.Net.Dns]::GetHostName() ; [System.Net.Dns]::Resolve("$host_name")

Or I can dredge up some other not quite satisfactory kludge from gwmi:

$NetworkInfo =gwmi -query "SELECT * FROM Win32_NetworkAdapterConfiguration"
function NetworkInfoSort {$NetworkInfo | Select-Object IPAddress,Description,Index,DefaultIPGateway | sort-object Index}
NetworkInfoSort

gwmi -class win32_NetworkAdapterConfiguration | %{ $_.IPAddress }

gwmi -query "SELECT IPAddress FROM Win32_NetworkAdapterConfiguration" | Select IPAddress

I wish I could just do something like:

[System.Net.IPAddress]::LocalHost.IPAddressToString
or
[System.Net.NetworkInformation.NetworkInterface]::
GetAllNetworkInterfaces.IPAddress
or
Get-ipconfig

2008-07-02T18:38:00.000-07:00

Still relatively confused on how to use the .NET through Powershell. Here are some simple examples that were easy to find because they have accessible overloaded interfaces (??):

$Ping = new-object System.Net.NetworkInformation.ping
$Ping.Send("192.168.0.1")
Status : Success
Address : 192.168.0.1
RoundtripTime : 1 ms
BufferSize : 32
Options : TTL=127, DontFragment=False

[System.Net.Dns]::Resolve("google.com") | fl *
HostName : google.com
Aliases : {}
AddressList : {64.233.167.99, 72.14.207.99, 64.233.187.99}

[System.Net.Dns]::GetHostName()
rmfmedia

[System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()

Id : {0348D5D7-6D83-44C8-B556-B29466698340}
Name : Wireless Network Connection
Description : Intel(R) PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
NetworkInterfaceType : Ethernet
OperationalStatus : Up
Speed : 54000000
IsReceiveOnly : False
SupportsMulticast : True
....

[System.Net.NetworkInformation.NetworkInterface]::GetIsNetworkAvailable()
True

2008-06-17T15:30:00.000-07:00

Exploration of .NET through 'Powertab' interrogation continues. I still don't know how to benefit from 'Powertab' just yet...I would like to know is Powershell can call these Properties below.

[System.Net.NetworkInformation.TcpState]
.GetMembers() | %{$_.Name}

...
Unknown
Closed
Listen
SynSent
SynReceived
Established
FinWait1
FinWait2
CloseWait
Closing
LastAck
TimeWait

2008-06-17T14:08:00.001-07:00

Querying .NET in Powershell. The ability to use the vast repertoire of .NET in Powershell is impressive. More difficult of late has been how to find .NET functions and call arguments. I was stuck reading the 3.5 Framework docs doing clunky stuff like this:

$webclient = New-Object System.Net.WebClient
$a = ($webclient | gm) | % {$_.Name}
$b = ( $a | % {$WebClient.$_} )
$c = ( $b | Select Name , OverloadDefinitions )
write $c

But then I installed 'PowerTab' and can tab my way to knowledge with the '.findmember' property. (This works without 'PowerTab' but is nowhere near as easy and complete.)

[System.Net.*
[System.Net.WebClient].
[System.Net.WebClient].FindMembers

PS [RMFMEDIA] >[System.Net.WebClient].FindMembers | ft -auto -wrap

WARNING: 4 columns do not fit into the display and were removed.

MemberType OverloadDefinitions
---------- -------------------
Method {System.Reflection.MemberInfo[] FindMembers(MemberTypes memberType, BindingFlags bindingAttr, MemberFilter filter, Object filterCriteria)}

2008-06-11T16:03:00.000-07:00

Selected 'Exif' statistics script is below. There are a number of ways I can improve it: Stream output, skip csv file creation (as an interim step) read list with arrays and parameters, using regex expressions to best effect. Still, quite a few lessons learned with this and the output can help check for errors. The issue is that 'exif' (Cygwin, GNU output) will sometimes skip fields. I am not checking for that or other error conditions in general but the 'Counts' need to sync up at least. That being said, 'measure-object' cmdlet gives me some easy 'meta-file' (exif) stats about my JPGs. Output looks as below. I am still not solving the problem that I do not know how to obtain select "meta-file" information from Powershell.

Count : 214
Average :
Sum :
Maximum :
Minimum :
Property : Exif_Tag

Count : 214
Average : 7.07102803738318
Sum :
Maximum : 13
Minimum : 3.5
Property : FNumber

Count : 214
Average : 58.0140186915888
Sum :
Maximum : 82
Minimum : 27
Property : Focal_Length

## Get-exif-stats.ps1
$exif_index = gci *.jpg | %{exif ($_.Name)}
$c = $exif_index | Select-String -pattern "EXIF tag" , FNumber , "Focal Length In 35mm"
$c1 = ("$c").Split( ) | Select-String -pattern JPG , f/ , mm
$c2 = (("$c1").Replace( "'" , "")).Split()
$c3 = (("$c2").Replace( " |f/" , ",")).Split()
$c4 = (("$c3").Replace( " 35mm|" , ",")).Split()

if ((gci PhotoData.csv).Exists -eq "True") {mv PhotoData.csv PhotoData.csv.old -force}

"Exif_Tag,FNumber,Focal_Length" | out-file PhotoData.csv
$c4 | out-file -append PhotoData.csv
$PhotoData = import-csv -path PhotoData.csv

$FileName = ( $PhotoData | Measure-Object -Property Exif_Tag )
$FNumber = ( $PhotoData | Measure-Object -Property FNumber -average -maximum -minimum )
$Focal_Length = ( $PhotoData | Measure-Object -Property Focal_Length -average -maximum -minimum )

echo $FileName
echo $FNumber
echo $Focal_Length

2008-06-09T21:57:00.000-07:00

Some progress tonight parsing 'exif' output with .Split and .Replace operators. Lee Holmes book is excellent on the use of comparison operators and text parsing. The script below takes text like this:

EXIF tags in 'P1050027.JPG' ('Intel' byte order):
FNumber |f/3.7
Focal Length In 35mm|71

and turns it into CSV delimited fields like this:

P1050027.JPG,f/3.7,71

## ParseExif.ps1
$exif_index = gci *.jpg | %{exif ($_.Name)}
$c = $exif_index | Select-String -pattern "EXIF tag" , FNumber , "Focal Length In 35mm"
$c1 = ("$c").Split( ) | Select-String -pattern JPG , f/ , mm
$c2 = (("$c1").Replace( "'" , "")).Split()
$c3 = (("$c2").Replace( " |" , ",")).Split()
$c4 = (("$c3").Replace( " 35mm|" , ",")).Split()

2008-06-08T16:27:00.000-07:00

The 'exif' program spits out an array of tags which I thought were consistently 56 lines (see below). (They are not of course.) So I attempted to query the 0 (filename) and the 20 (FNumber) per every group of 56 as if the output was an artificial array always 56 lines in length.

e.g. I am attempting to index an array of data by line number. This wasn't useful, but as an exercise in use of PS range operators and while construct. I am looking for some method to use PS to create objects from foreign data constructs. I think this may be approached more effectively else wise.

$exif_index = gci *.jpg | %{exif ($_.Name)}
$eil = $exif_index.length
$i = $eil

while ($i -gt 56)
{

$file_name = ($eil - ($i - 0))
$FNumber = ($eil - ($i - 20))
$exif_index[$file_name]
$exif_index[$FNumber]
## 56 is size of array
$i = ($i - 56)
}

Something like this results:
D:\images\06.04.08a
EXIF tags in 'P1050027.JPG' ('Intel' byte order):
FNumber |f/3.7
EXIF tags in 'P1050028.JPG' ('Intel' byte order):
FNumber |f/3.7
EXIF tags in 'P1050029.JPG' ('Intel' byte order):
FNumber |f/4.1
EXIF tags in 'P1050030.JPG' ('Intel' byte order):
FNumber |f/4.1

[full exif dump]

26# $exif_index | more
EXIF tags in 'P1050027.JPG' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag |Value
--------------------+----------------------------------------------------------
Manufacturer |Panasonic
Model |DMC-TZ1
Orientation |top - left
x-Resolution |72.00
y-Resolution |72.00
Resolution Unit |Inch
Software |Ver.1.0
Date and Time |2008:06:04 09:54:14
YCbCr Positioning |co-sited
Compression |JPEG compression
Orientation |top - left
x-Resolution |72.00
y-Resolution |72.00
Resolution Unit |Inch
YCbCr Positioning |co-sited
Exposure Time |1/800 sec.
FNumber |f/3.7

2008-06-07T10:42:00.000-07:00

All I really want is a 'Get-exif' cmdlet in Powershell so I can compare specs in 'list' below for photos I have taken. I don't want to query .NET or load an assembly or set up an array. !!! Read four or five blogs on the matter. Read Lee Holmes Cookbook. Cygwin's exif with CMD.exe trumps anything Powershell I could come up with. A stupid wasted afternoon and morning.

more list
Exposure Time
FNumber
ISO
Focal Length
Exposure Mode

(one line in cmd.exe)
for /f %i in ('dir /b *.jpg') do exif %i | Findstr -g:list && pause

(I need PS to do more than this..)

$exif_index = gci *.jpg | %{exif ($_.Name)}

2008-06-01T22:18:00.000-07:00

Okay...This uses 'Ping-Host' from PSCX PSSnapin. My function still doesn't do what I want it to do but..more promising. Give function first three octets (and hard code range - 1..254) , Bytes, Wait, Count (which only works as below with count of one right now...) Then Prints (only) Hosts UP, IP Address, AverageTime, MinimumTime, MaximumTime, Loss as so....Stats are misleading since I think (?) it is the ave, min, max for each separate run? )....Will fix this...and TTL...Man, Powergui is helpful. So are the NetCmdlets. Anyway, 'ping-host' is faster..than accessing the .NET ping(send) functionality from the post before this. My programming logic is still not standard. I should be using params and arrays as Holmes and Payette specify

.\CheckClassC_NC_function.ps1 209.85.173. 8000 1 20

Host UP,209.85.173.4,228,228,228,0
Host UP,209.85.173.5,42,42,42,0
Host UP,mh-in-f17.google.com,38,38,38,0
Host UP,mh-in-f18.google.com,41,41,41,0
Host UP,mh-in-f19.google.com,37,37,37,0
Host UP,mh-in-f32.google.com,42,42,42,0
...

function CheckHostClassC_function
## ($Subnet,$BufferSize,$Count,$Timeout,$TTL)
{
begin {$ping =(Ping-Host -Quiet -HostName $Subnet$_
-BufferSize $BufferSize -Count $Count -Timeout $Timeout );
$pingtrue =($ping.Received)
$host_ = ($ping.Host) ;
$AverageTime_ = ($ping.AverageTime) ;
$MinimumTime_ = ($ping.MinimumTime) ;
$MaximumTime_ = ($ping.MaximumTime) ;
$Loss_ = ($ping.Loss) ;
}

process {if ($pingtrue -eq "1")
{"Host UP"+","+"$host_"+","+"$AverageTime_"+","+
"$MinimumTime_"+","+"$MaximumTime_"+","+"$Loss_"}
}
}

sv Subnet $Args[0]
sv BufferSize $Args[1]
sv Count $Args[2]
sv Timeout $Args[3]
## sv TTL $Args[4]

1..254 | %{CheckHostClassC_function}

2008-05-25T20:24:00.000-07:00

So in thinking about what I have learned doing the work below...Please see my next post...To make matters worse, the pipe command does not appear in this blog.

Pinging IP subnet ranges in Powershell. This will be more difficult than...(you know the rest)..I am attempting to duplicate the functionality of my previous post.

PS D:\> $var = '192.168.0.1','192.168.0.2'
PS D:\> $var

192.168.0.1
192.168.0.2

PS D:\> $ping = new-object System.Net.NetworkInformation.Ping

PS D:\> $var foreach-object -process {$ping.Send($_)} ft -auto

Status Address RoundtripTime Options Buffer
------ ------- ------------- ------- ------
Success 192.168.0.1 1 System.Net.NetworkInformation.PingOptions {97, 98, 99, 100...}
TimedOut 0 {}

Closer yet...

PS D:\> $ping = new-object System.Net.NetworkInformation.Ping
PS D:\> $3OCT='71.0.0.'
PS D:\> 1..254 [pipe command here] foreach-object -process { if($ping.Send("$3OCT$_").status -eq "Success") {"$3OCT$_"} }

71.0.0.1
71.0.0.3
71.0.0.7
71.0.0.8
71.0.0.9
71.0.0.11

Putting this together a little bit more...

PS D:\> $3OCT = '190.10.10.'
PS D:\> function Ping-Host { begin{ $ping = new-object System.Net.NetworkInformation.Ping; } process{ if($ping.Send("$3OCT$_").status -eq "Success") {"$3OCT$_";} } }

PS D:\> 1..254 [pipe command here] Ping-Host
190.10.10.1
190.10.10.10
190.10.10.17

Looking Much Better this morning:

PS D:\> function Ping-Host { begin{ $ping = new-object System.Net.NetworkInformation.Ping; } process{ if($ping.Send("$3OCT$_","8").status -eq "Success") {"$3OCT$_"+","+($ping.Send("$3OCT$_","8").roundtriptime)+","+(date-time);} } }
PS D:\> 1..20 Ping-Host

71.0.0.1,80,05/26/2008 07:09:31
71.0.0.3,107,05/26/2008 07:09:32
71.0.0.7,97,05/26/2008 07:09:33
71.0.0.8,118,05/26/2008 07:09:33
71.0.0.11,104,05/26/2008 07:09:34

Below this 'works', but I had all kinds of issues with it and suspect that
(a) I don't understand argument and text passing in Powershell very well
(b) such skill are more idiosyncratic than they appear.

There were all kinds of issues here....lots of idiosyncratic behaviour to think about in Powershell. Actually, a whole host of Powershell topological and semantic rules exist that are not well described anywhere....

# CheckHostClassC.ps1 5:55 PM 5/26/2008 Down, dirty attempt to ping subnet. Takes two args: first three octets and wait time. Prints out IP address date, roundtriptime. No error checking.

function date-time {get-date -displayhint datetime}

function CheckHostClassC {begin {$ping = new-object System.Net.NetworkInformation.Ping; } process { if($ping.Send("$3OCT$_","$WaitTime").status -eq "Success") {"$3OCT$_"+","+($ping.Send("$3OCT$_","$WaitTime").roundtriptime)+","+(date-time);} }}

sv 3OCT $Args[0]
sv WaitTime $Args[1]

1..254 [pipe command here] CheckHostClassC

PS D:\> .\CheckHostClassC.ps1 193.172.1. 100

193.172.1.1,211,05/26/2008 18:24:37

193.172.1.3,212,05/26/2008 18:24:38

193.172.1.5,215,05/26/2008 18:24:39

2008-05-24T19:52:00.000-07:00

Okay, so let's try to start rewriting some CMD.EXE skillsets in Powershell. Here's something common: ping a range of subnets to see if the hosts are up and what their latency is. In CMD exe we first need some to code to produce an accurate timestamp because there is no native way to do this. Thus this complicated and idiosyncratic use of the set command to parse out time/date stamps:

:: realtd.cmd
@echo off
set realdate=%date:/=.%
set realdate=%realdate:* =%
set realtime=%time::=.%
set timestamp=%realdate%_%realtime%

Now we need some nearly unreadable spew, some help fron gawk, some hard coded ping options, a hard coded subnet range...:

:: TestSubnet.cmd
@echo off
set ThreeOctets=%1
for /l %%i in (1,1,255) do set #=%%i && call :label
goto EOF
:label @(call realtd)
@(ping -l 1 -n 1 -w 2 %ThreeOctets%.%#% | findstr Reply | gawk '{print "%timestamp%" ":" $1 ":" $3$5}' )

:EOF

and last we can put a collection of the first three octects into text file and call them like this:

for /f %i in (subnets) do call Testsubnet %i

This gives us some reasonably parseable output:

D:\>call Testsubnet 193.0.0
....
05.24.2008_19.43.04.01:Reply:193.0.0.232:time=173ms 05.24.2008_19.43.05.51:Reply:193.0.0.236:time=169ms 05.24.2008_19.43.06.01:Reply:193.0.0.238:time=171ms 05.24.2008_19.43.07.01:Reply:193.0.0.241:time=171ms

D:\>call Testsubnet 194.0.0 05.24.2008_19.43.40.01:Reply:194.0.0.53:time=100ms

Okay, so you can see quite a bit of inelegance here to start with. Let's list some issues:

(1) a separate cmd file needs to run each time to log the timestamp
(2) the ping options are hardcoded...that probably could be fixed...but more inelegance
(3) we don't really need the field 'Reply' or 'time='. but they are hard to parse out. Once again more awk or perl code would probably do this but at what cost of complexity
(4) I don't really want to have to call the file that calls THE file...I just want to point to an XML file with all the correct options....
(5) requires Cygwin or GNU-Win32 gawk in your path....

I could go on, but you get the picture. Let's assemble this tool with less complexity, more readability and more functionality in Powershell in the next post...

2008-05-18T16:31:00.000-07:00

The world of Windows traditional cmd line is full of cumbersome crap. Just extracting the (NBT bound) IP Address takes two lines of idiosyncratic backquotes, escaped pipes, two temp files, Finally a call to snort with BPF options:

@echo off
:: find the NBT tied IP Address
for /f "usebackq delims=:" %%i in (`ping -n 1 -l 8 %computername% ^| findstr Reply`) do @echo %%i > IPReplyString.txt

for /f "tokens=1-3" %%i in (IPReplyString.txt) do echo %%k > IP.txt

:: set the IP address to %localIP%
for /f %%i in (IP.txt) do set localIP=%%i

:: start Snort with BPF filters...
snort -l D:\SnortLogs -vdeX dst host %localIP% and !(port 53 or 80 or 110)

....

2008-05-14T11:02:00.000-07:00

I will confess to being nearly a complete loser when it comes to successfully implementing sed, awk and regex. to search logs. I usually end up parsing my Authlogs with something really clueless like:

(IP Address and Port of invalid users with failed passwords)

$ grep "Failed password for invalid user" Sampleauthlog.txt | cut -b 75-110| uniq
from 202.163.221.227 port 43985 ssh
from 202.163.221.227 port 44553 ssh2
...

or (the IP Address of valid users with failed passwords )

$ grep Failed Sampleauthlog | grep -v invalid | awk '{print $11}'| uniq -c
5 202.163.221.227

I have some idea that I can break down each time, user, IP address, port, ssh type into a typical Powershell objects and do more informative and complex queries, but this needed some work:

$var=Select-string Failed SampleAuthlog.txt | Where-object {$_ -match "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"}

PS D:\Microsoft\Powershell> $var
SampleAuthlog.txt:3:Apr 26 01:20:29 rmfbsd sshd[30534]: Failed password for invalid user test5 from 202.163.221.227 port 43985 ssh2
SampleAuthlog.txt:5:Apr 26 01:20:32 rmfbsd sshd[11478]: Failed password for root from 202.163.221.227 port 44267 ssh2
....

Select-object $var
Select-Object : Cannot convert System.Management.Automation.PSObject to one of the following types {System.String, System.Management.Automation.ScriptBlock}.
At line:1 char:14.

One way around this is to massage a log file into a CSV format which AWK does easily, then use Powershell import-csv routine and manually add headers to the first line:

$ grep Failed authlog | grep -v invalid | awk '{print $1","$2","$3","$9","$11","$13,$15}'
Apr,26,01:20:32,root,202.163.221.227,44267
Apr,26,01:20:36,root,202.163.221.227,44411
...

$ grep Failed authlog | grep -v invalid | awk '{print $1","$2","$3","$9","$11","$13,$15}' >> /cygdrive/D/Microsoft/Powershell/Powershell.out

$PWSH = import-csv Powershell.csv
$PWSH | ft -auto
PS D:\Microsoft\Powershell> $PWSH | ft -auto

Month Day Time User IP Port
----- --- ---- ---- -- ----
Apr 26 01:20:32 root 202.163.221.227 44267
Apr 26 01:20:36 root 202.163.221.227 44411
Apr 26 01:20:47 root 202.163.221.227 44725
Apr 26 01:21:02 root 202.163.221.227 45354
...

Now we have part of an OPENBSD Authlog stored as a Powershell object. Thanks AWK!

Sequential file and Directory Creation

2008-05-09T23:57:00.001-07:00

Sequential file and Directory Creation. Useful for Test Engineers.

creates directories

1..100 | %{ni ( "NewDirectory-{0:0}" -f $_ ) -type directory }

creates files with sequential content

1..100 | %{ni ( "NewFile-{0:0}" -f $_ ) -type "file" -value "Number $_ of 100 files."}

2008-05-09T23:49:00.000-07:00

Use these two functions to query the supported assemblies [GAC] and .NET Collections (from Windows Powershell in Action, Bruce Payette)

function Get-Assemblies {[AppDomain]::CurrentDomain.GetAssemblies()}

function Get-Types ($Pattern=".") { Get-Assemblies | %{ $_.GetExportedTypes() } | where {$_ -match $Pattern} }

Get-Types System
Get-Types System.Collections
Get-Types System.Collections | more
Get-Types System.Collections.Specialized | more
Get-Types System.Collections.Specialized.StringDictionary
Get-Types System.Collections.Specialized.StringDictionary | gm
Get-Types System.Collections.Specialized.StringDictionary | gm | more

2008-05-09T23:40:00.000-07:00

The "Get-WmiObject" query below retrieves information from all network adapters. Piping to a Select-Object query produced a table sorted by Adapter Index. The Win32_NetworkAdapterConfiguration provides lots of configuration data so additional Network Adapter Query functions could be derived from it.

$NetworkInfo =gwmi -query "SELECT * FROM Win32_NetworkAdapterConfiguration"

function NetworkInfoSort {$NetworkInfo | Select-Object IPAddress,Description,Index,DefaultIPGateway | sort-object Index}

PS C:\> NetworkInfoSort | ft -auto

Also useful:

gwmi -class win32_NetworkAdapterConfiguration | %{ $_.IPAddress }