Showing posts with label Powershell. Show all posts

Monday, January 19, 2009

Some notes on command line editing for Powershell in v2 CTP 3. It is often nice to be able to use a command line editor like Vim or Edlin when writing simple scripts, because it lets the administrator stay in one shell and one environment. Edlin shows the command history above and the editing space below. Bruce Payette's work led me to create this function, which replaces the venerable 'copy con' in DOS:
function copy_con { [console]::In.ReadToEnd() }

My 'copy_con' function can be used to write to a file or a variable:
copy_con > a.txt 
or
$a = copy_con

The same functionality is achieved in v2 CTP3 with read-host.

The 'out-gridview' cmdlet in CTP3 allows you to combine multiple outputs in one grid, which gives a more readable and searchable window for several help files at once: $a | %{help $_ -detailed} | out-gridview

Using the 'history' to create simple scripts is easy (the Ids are piped to Get-History):
$test_out = 25..30 | history | %{$_.CommandLine}

To execute the collection of commands from a variable:
$test_out | %{Invoke-Expression $_}
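As an added example (not code from the original post), the following helper combines the two one-liners above into one step: it pulls a range of history entries, saves them as a script that can be read before it runs, and only then executes it. The function name `Save-HistoryScript` and its parameters are my own choices.

```powershell
# Added example: turn a range of command-history entries into a reviewable script.
# Function and parameter names are my own, not from the original post.
function Save-HistoryScript {
    param(
        [Parameter(Mandatory = $true)] [int]    $First,   # first history Id to include
        [Parameter(Mandatory = $true)] [int]    $Last,    # last history Id to include
        [Parameter(Mandatory = $true)] [string] $Path,    # where to write the .ps1 file
        [switch] $Run                                     # run the script after saving it
    )

    # Get-History -Id accepts the Ids from the pipeline, exactly as the post's one-liner does.
    $lines = $First..$Last | Get-History | ForEach-Object { $_.CommandLine }

    if (-not $lines) {
        Write-Warning "No history entries found in range $First..$Last"
        return
    }

    # Record where the commands came from so a later reader can trace them.
    $header = @(
        "# Generated from command history $First..$Last on $(Get-Date -Format g)",
        "# Review before running: history replays exactly what was typed, typos included."
    )
    $header + $lines | Set-Content -Path $Path

    # Echo the saved script so the operator sees what will execute.
    Get-Content -Path $Path

    if ($Run) {
        # Running the file as one script is preferable to Invoke-Expression on each
        # line: the commands are parsed together and the execution policy applies.
        & $Path
    }
}

# Usage (commented so this file can be dot-sourced without side effects):
# Save-HistoryScript -First 25 -Last 30 -Path .\test_out.ps1
# Save-HistoryScript -First 25 -Last 30 -Path .\test_out.ps1 -Run
```

The `-Run` switch is deliberately separate from saving, so the default behaviour is to produce a file you can inspect and edit before anything from the history is replayed.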


Friday, January 2, 2009

Searching for malware with Powershell


Running the ws_diff.ps1 script listed below gives me output like:
1/3/2009 11:09 AM,19:9:16:859,100,csrss,1124,16388096,40923136,104357888,15458304,39809024,87851008
which covers WorkingSet, PrivateMemorySize and VirtualMemorySize, followed by the deltas of those three values over the measurement interval.
## Use ps to measure Application Memory Deltas
## Run '.\ws_diff.ps1 [Interval in Seconds] [Process Name]' or,
## to log all processes continually every 10 seconds, 'while (1) {.\ws_diff.ps1 10 >> ps_out.txt}'
## (append a process name, e.g. '.\ws_diff.ps1 10 cmd', to log only that process)

# Create args as Variables or Objects
$sleep_time = $args[0]
$proc_name  = $args[1]
$fields = 'Name','ID','WorkingSet','PrivateMemorySize','VirtualMemorySize'

# Take measurements $then and $now. Default is ps called without args.
# ps is called again for the second measurement: Process objects cache their
# memory counters, so re-reading the objects from the first call (e.g. via
# -inputobject) would give deltas of zero.
# @() forces an array so that indexing and .count also work for a single process.
if ($proc_name -eq $NULL)
    {
    $then = @(ps | Select $fields)
    sleep -seconds $sleep_time
    $now  = @(ps | Select $fields)
    }
else
    {
    $then = @(ps -name $proc_name -erroraction silentlycontinue | Select $fields)
    sleep -seconds $sleep_time
    $now  = @(ps -name $proc_name -erroraction silentlycontinue | Select $fields)
    }
$count = $now.count
if ($count -eq 0) { write "No process matched '$proc_name'"; return }

# Declare Time Measurements (the date is local time, the time of day is UTC,
# as in the sample output above)
$date = (get-date -format g)
$hour = [DateTime]::UtcNow.TimeOfDay.Hours
$minutes = [DateTime]::UtcNow.TimeOfDay.Minutes
$seconds = [DateTime]::UtcNow.TimeOfDay.Seconds
$ms = [DateTime]::UtcNow.TimeOfDay.Milliseconds

# Write output and find diffs, one line per process instance.
# Indexes run 0..($count - 1); 0..$count would read one element past the end.
# Instances are matched by position, so the deltas are only meaningful if the
# same processes exist, in the same order, at both measurements.
$array_out = 0..($count - 1) |
    %{
    $date + "," +
    $hour + ":" + $minutes + ":" + $seconds + ":" + $ms + "," +
    $sleep_time + "," + $now[$_].Name + "," + $now[$_].ID + "," +
    $now[$_].WorkingSet + "," +
    $now[$_].PrivateMemorySize + "," +
    $now[$_].VirtualMemorySize + "," +
    ( ($now[$_].WorkingSet) - ($then[$_].WorkingSet) ) + "," +
    ( ($now[$_].PrivateMemorySize) - ($then[$_].PrivateMemorySize) ) + "," +
    ( ($now[$_].VirtualMemorySize) - ($then[$_].VirtualMemorySize) )
    }

write $array_out
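The script above pairs the two measurements by array position, which breaks quietly when a process starts or exits between them. As an added example (my own code, not the blog's ws_diff.ps1), the function below takes the same two snapshots but keys them by process Id, reports processes that appeared or vanished during the interval instead of mis-pairing them, and returns objects rather than comma-joined strings so the result can be filtered or exported. The name `Measure-ProcessMemoryDelta`, its parameters and the `Status`/`Flagged` fields are my own; `[ordered]` assumes PowerShell 3.0 or later.

```powershell
# Added example (not the blog's ws_diff.ps1): snapshot process memory twice,
# join the snapshots by process Id, and emit one object per process.
# Function, parameter and field names are my own.
function Measure-ProcessMemoryDelta {
    param(
        [int]    $IntervalSeconds = 10,
        [string] $Name,                      # optional process name filter, e.g. 'cmd'
        [long]   $FlagWorkingSetGrowth = 0   # flag a process whose working set grew by at least this many bytes
    )

    # One fresh Get-Process call per snapshot: Process objects cache their
    # counters, so re-reading the same objects would report zero deltas.
    function Get-Snapshot {
        $procs = if ($Name) { Get-Process -Name $Name -ErrorAction SilentlyContinue } else { Get-Process }
        $table = @{}
        foreach ($p in $procs) {
            $table[$p.Id] = [pscustomobject][ordered]@{
                Name              = $p.Name
                WorkingSet        = $p.WorkingSet64
                PrivateMemorySize = $p.PrivateMemorySize64
                VirtualMemorySize = $p.VirtualMemorySize64
            }
        }
        return $table
    }

    $then  = Get-Snapshot
    Start-Sleep -Seconds $IntervalSeconds
    $now   = Get-Snapshot
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff'   # one clock, local time

    # Emit a record for every Id seen in either snapshot; Status explains missing deltas.
    $ids = @($then.Keys) + @($now.Keys) | Sort-Object -Unique
    foreach ($id in $ids) {
        $t = $then[$id]
        $n = $now[$id]
        $status = if ($t -and $n) { 'running' } elseif ($n) { 'started' } else { 'exited' }
        $cur = if ($n) { $n } else { $t }

        $wsDelta = $pmDelta = $vmDelta = $null
        if ($status -eq 'running') {
            $wsDelta = $n.WorkingSet        - $t.WorkingSet
            $pmDelta = $n.PrivateMemorySize - $t.PrivateMemorySize
            $vmDelta = $n.VirtualMemorySize - $t.VirtualMemorySize
        }

        [pscustomobject][ordered]@{
            Time               = $stamp
            Interval           = $IntervalSeconds
            Name               = $cur.Name
            Id                 = $id
            Status             = $status
            WorkingSet         = $cur.WorkingSet
            PrivateMemorySize  = $cur.PrivateMemorySize
            VirtualMemorySize  = $cur.VirtualMemorySize
            WorkingSetDelta    = $wsDelta
            PrivateMemoryDelta = $pmDelta
            VirtualMemoryDelta = $vmDelta
            Flagged            = ($FlagWorkingSetGrowth -gt 0 -and $wsDelta -ge $FlagWorkingSetGrowth)
        }
    }
}

# Usage (commented so this file can be dot-sourced):
# Measure-ProcessMemoryDelta -IntervalSeconds 10 -Name cmd | Format-Table Name,Id,Status,WorkingSetDelta
# while ($true) { Measure-ProcessMemoryDelta 10 -FlagWorkingSetGrowth 50MB |
#     Where-Object { $_.Flagged -or $_.Status -ne 'running' } | Out-File -Append ps_out.txt }
```

Because each record carries a `Status`, a process that exits mid-interval shows up as `exited` with its last known counters instead of silently shifting every later process's delta onto the wrong neighbour; the `Flagged` field gives a single place to put a growth threshold when the function is run in a loop.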