Hiding Properties in Return Results

By default, PowerShell shrink-fits most objects and shows only the most important properties by default:

 
PS C:> Get-WmiObject -Class Win32_BIOS


SMBIOSBIOSVersion : 1.9.0
Manufacturer      : Dell Inc.
Name              : 1.9.0
SerialNumber      : DLGQD72
Version           : DELL   - 1072009
 

To see the real information, users would need to use Select-Object and request all information explicitly:

 
PS C:> Get-WmiObject -Class Win32_BIOS | Select-Object -Property *


PSComputerName                 : DESKTOP-7AAMJLF
Status                         : OK
Name                           : 1.9.0
Caption                        : 1.9.0
SMBIOSPresent                  : True
__GENUS                        : 2
__CLASS                        : Win32_BIOS
__SUPERCLASS                   : CIM_BIOSElement
__DYNASTY                      : CIM_ManagedSystemElement
__RELPATH                      : Win32_BIOS.Name="1.9.0",SoftwareElementID="1.9.0",SoftwareElementState=3,TargetOperatingSystem=0,Version="DELL   - 1072009"
__PROPERTY_COUNT               : 31
__DERIVATION                   : {CIM_BIOSElement, CIM_SoftwareElement, CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER                       : DESKTOP-7AAMJLF
__NAMESPACE                    : rootcimv2
__PATH                         : \DESKTOP-7AAMJLFrootcimv2:Win32_BIOS.Name="1.9.0",SoftwareElementID="1.9.0",SoftwareElementState=3,TargetOperatingSystem=0,Version="D
                                 ELL   - 1072009"
BiosCharacteristics            : {7, 9, 11, 12...}
BIOSVersion                    : {DELL   - 1072009, 1.9.0, American Megatrends - 5000B}
BuildNumber                    : 
CodeSet                        : 
…
ClassPath                      : \DESKTOP-7AAMJLFrootcimv2:Win32_BIOS
Properties                     : {BiosCharacteristics, BIOSVersion, BuildNumber, Caption...}
SystemProperties               : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers                     : {dynamic, Locale, provider, UUID}
Site                           : 
Container                      : 
 

How can you achieve the same when you write your own PowerShell functions and return your own custom objects?

Simply tell PowerShell the names of the most important properties that should be visible by default. Below is an example. The function Get-Info creates a custom object with five properties. Before the function returns this object, it tags the object with some PowerShell wizardry and lists the default properties:

function Get-Info
{
  
  # prepare the object returned by the function
  $result = [PSCustomObject]@{
    Name = $env:username
    Date = Get-Date
    BIOS = Get-WmiObject -Class Win32_BIOS | Select-Object -ExpandProperty SMBIOSBIOSVersion
    Computername = $env:COMPUTERNAME
    Random = Get-Date
  }
  
  #region Define the VISIBLE properties
  # this is the list of properties visible by default
  [string[]]$visible = 'Name','BIOS','Random'
  $typ = 'DefaultDisplayPropertySet'
  [Management.Automation.PSMemberInfo[]]$info =
  New-Object System.Management.Automation.PSPropertySet($typ,$visible)
  
  # add the information about the visible properties to the return value
  Add-Member -MemberType MemberSet -Name PSStandardMembers -Value $info -InputObject $result
  #endregion


  # return the result object
  return $result
}

This is the result:

 
PS C:> Get-Info

Name  BIOS  Random             
----  ----  ------             
tobwe 1.9.0 01.04.2019 19:32:44



PS C:> Get-Info | Select-Object -Property *


Name         : tobwe
Date         : 01.04.2019 19:32:50
BIOS         : 1.9.0
Computername : DESKTOP-7AAMJLF
Random       : 01.04.2019 19:32:50
 

psconf.eu – PowerShell Conference EU 2019 – June 4-7, Hannover Germany – visit www.psconf.eu There aren’t too many trainings around for experienced PowerShell scripters where you really still learn something new. But there’s one place you don’t want to miss: PowerShell Conference EU – with 40 renown international speakers including PowerShell team members and MVPs, plus 350 professional and creative PowerShell scripters. Registration is open at www.psconf.eu, and the full 3-track 4-days agenda becomes available soon. Once a year it’s just a smart move to come together, update know-how, learn about security and mitigations, and bring home fresh ideas and authoritative guidance. We’d sure love to see and hear from you!

Twitter This Tip! ReTweet this Tip!

Locking Workstation

PowerShell can access low-level API functions by using C#-style signatures. This way, API functions are compiled in-memory and added as new types. The example below uses an API function to lock the workstation:

Function Lock-WorkStation 
{
    $signature = '[DllImport("user32.dll",SetLastError=true)]
    public static extern bool LockWorkStation();'
    $t = Add-Type -memberDefinition $signature -name api -namespace stuff -passthru
    $null = $t::LockWorkStation()
}

So the lock out the current user, run this:

 
PS C:> Lock-WorkStation 
  

psconf.eu – PowerShell Conference EU 2019 – June 4-7, Hannover Germany – visit www.psconf.eu There aren’t too many trainings around for experienced PowerShell scripters where you really still learn something new. But there’s one place you don’t want to miss: PowerShell Conference EU – with 40 renown international speakers including PowerShell team members and MVPs, plus 350 professional and creative PowerShell scripters. Registration is open at www.psconf.eu, and the full 3-track 4-days agenda becomes available soon. Once a year it’s just a smart move to come together, update know-how, learn about security and mitigations, and bring home fresh ideas and authoritative guidance. We’d sure love to see and hear from you!

Twitter This Tip! ReTweet this Tip!

Command Discovery Unleashed (Part 2)

When you enter a command in PowerShell, the engine triggers three events to actually discover the command you want to execute. This gives you a number of opportunities to intercept and change command discovery. Let’s teach PowerShell to send command output to Out-GridView whenever you add “>>” to a command name!

Here is the code:

$ExecutionContext.InvokeCommand.PreCommandLookupAction = {
param
(
    [string]
    $Command,

    [Management.Automation.CommandLookupEventArgs]
    $Obj
)

    # when the command ends with ">>"...
    if ($Command.EndsWith('>>'))
    {
        # ...remove the ">>" from the command...
        $RealCommand = $Command.Substring(0, $Command.Length-2)
        # ...run the original command with its original arguments,
        # and pipe the results to a grid view window
        $obj.CommandScriptBlock = {
            & $RealCommand @args | Out-GridView
            # use a new "closure" to make the $RealCommand variable available
            # inside the script block when it is later called
        }.GetNewClosure()
    }
}

Next, enter these two commands:

 
PS C:> Get-Process -Id $PID
PS C:> Get-Process>> -Id $PID 
 

The first command simply dumps the current process. The second command sends the results to Out-GridView automatically.

If you want to get rid of the behavior again, restart PowerShell (or assign an empty script block to the event). If you want to make the behavior permanent, add the code above to your $profile script.


psconf.eu – PowerShell Conference EU 2019 – June 4-7, Hannover Germany – visit www.psconf.eu There aren’t too many trainings around for experienced PowerShell scripters where you really still learn something new. But there’s one place you don’t want to miss: PowerShell Conference EU – with 40 renown international speakers including PowerShell team members and MVPs, plus 350 professional and creative PowerShell scripters. Registration is open at www.psconf.eu, and the full 3-track 4-days agenda becomes available soon. Once a year it’s just a smart move to come together, update know-how, learn about security and mitigations, and bring home fresh ideas and authoritative guidance. We’d sure love to see and hear from you!

Twitter This Tip! ReTweet this Tip!

Command Discovery Unleashed (Part 1)

Whenever you enter a command in PowerShell, a series of events takes place to figure out where the command is located. This starts with a PreCommandLookupAction which you can use to log commands. Have a look at this:

$ExecutionContext.InvokeCommand.PreCommandLookupAction = {
param
(
    [string]
    $Command,

    [Management.Automation.CommandLookupEventArgs]
    $Obj
)
$whitelist = @(
'prompt',
'out-default',
'psconsolehostreadline',
'Microsoft.PowerShell.CoreSet-StrictMode'
)

    if ($Command -notin $whitelist -and $Obj.CommandOrigin -eq 'Runspace')
    {
        $host.UI.WriteLine('Yellow','White',$Command)
    }
}

When you run this, every command you enter will be echoed to the console – except for the commands listed in $whitelist. This illustrates how the PreCommandLookupAction works: it fires whenever you enter a command, and you could write the commands to a log file as well.


psconf.eu – PowerShell Conference EU 2019 – June 4-7, Hannover Germany – visit www.psconf.eu There aren’t too many trainings around for experienced PowerShell scripters where you really still learn something new. But there’s one place you don’t want to miss: PowerShell Conference EU – with 40 renown international speakers including PowerShell team members and MVPs, plus 350 professional and creative PowerShell scripters. Registration is open at www.psconf.eu, and the full 3-track 4-days agenda becomes available soon. Once a year it’s just a smart move to come together, update know-how, learn about security and mitigations, and bring home fresh ideas and authoritative guidance. We’d sure love to see and hear from you!

Twitter This Tip! ReTweet this Tip!

Adding Numbers to a String (Part 2)

In the previous tip we illustrated a number of ways how to safely add variables to string content. Adding variables to double-quoted text can expose yet another issue with automatic variable detection. Have a look:

# this is the desired output:
# PowerShell Version is 5.1.17763.316

# this DOES NOT WORK:
"PowerShell Version is $PSVersionTable.PSVersion"

When you run this code, the output is not what most people would expect. The colorization already hints what it wrong: double-quoted strings expand variables only. They do not care about anything that follows. So since $PSVersionTable is a hash table object, PowerShell outputs the object type name, then adds “.PSVersion” to it:

 
PS> "PowerShell Version is $PSVersionTable.PSVersion"
PowerShell Version is System.Collections.Hashtable.PSVersion  
 

Here are four popular alternatives that work:

# use a subexpression
"PowerShell Version is $($PSVersionTable.PSVersion)"

# use the format (-f) operator
'PowerShell Version is {0}' -f $PSVersionTable.PSVersion


# concatenate (provided the first element is a string)
'PowerShell Version is ' + $PSVersionTable.PSVersion

# use simple variables
$PSVersion = $PSVersionTable.PSVersion
"PowerShell Version is $PSVersion"

psconf.eu – PowerShell Conference EU 2019 – June 4-7, Hannover Germany – visit www.psconf.eu There aren’t too many trainings around for experienced PowerShell scripters where you really still learn something new. But there’s one place you don’t want to miss: PowerShell Conference EU – with 40 renown international speakers including PowerShell team members and MVPs, plus 350 professional and creative PowerShell scripters. Registration is open at www.psconf.eu, and the full 3-track 4-days agenda becomes available soon. Once a year it’s just a smart move to come together, update know-how, learn about security and mitigations, and bring home fresh ideas and authoritative guidance. We’d sure love to see and hear from you!

Twitter This Tip! ReTweet this Tip!