Locking Workstation

PowerShell can access low-level API functions by using C#-style signatures. This way, API functions are compiled in-memory and added as new types. The example below uses an API function to lock the workstation:

Function Lock-WorkStation 
{
    $signature = '[DllImport("user32.dll",SetLastError=true)]
    public static extern bool LockWorkStation();'
    $t = Add-Type -memberDefinition $signature -name api -namespace stuff -passthru
    $null = $t::LockWorkStation()
}

So the lock out the current user, run this:

 
PS C:> Lock-WorkStation 
  

psconf.eu – PowerShell Conference EU 2019 – June 4-7, Hannover Germany – visit www.psconf.eu There aren’t too many trainings around for experienced PowerShell scripters where you really still learn something new. But there’s one place you don’t want to miss: PowerShell Conference EU – with 40 renown international speakers including PowerShell team members and MVPs, plus 350 professional and creative PowerShell scripters. Registration is open at www.psconf.eu, and the full 3-track 4-days agenda becomes available soon. Once a year it’s just a smart move to come together, update know-how, learn about security and mitigations, and bring home fresh ideas and authoritative guidance. We’d sure love to see and hear from you!

Twitter This Tip! ReTweet this Tip!

Command Discovery Unleashed (Part 2)

When you enter a command in PowerShell, the engine triggers three events to actually discover the command you want to execute. This gives you a number of opportunities to intercept and change command discovery. Let’s teach PowerShell to send command output to Out-GridView whenever you add “>>” to a command name!

Here is the code:

$ExecutionContext.InvokeCommand.PreCommandLookupAction = {
param
(
    [string]
    $Command,

    [Management.Automation.CommandLookupEventArgs]
    $Obj
)

    # when the command ends with ">>"...
    if ($Command.EndsWith('>>'))
    {
        # ...remove the ">>" from the command...
        $RealCommand = $Command.Substring(0, $Command.Length-2)
        # ...run the original command with its original arguments,
        # and pipe the results to a grid view window
        $obj.CommandScriptBlock = {
            & $RealCommand @args | Out-GridView
            # use a new "closure" to make the $RealCommand variable available
            # inside the script block when it is later called
        }.GetNewClosure()
    }
}

Next, enter these two commands:

 
PS C:> Get-Process -Id $PID
PS C:> Get-Process>> -Id $PID 
 

The first command simply dumps the current process. The second command sends the results to Out-GridView automatically.

If you want to get rid of the behavior again, restart PowerShell (or assign an empty script block to the event). If you want to make the behavior permanent, add the code above to your $profile script.


psconf.eu – PowerShell Conference EU 2019 – June 4-7, Hannover Germany – visit www.psconf.eu There aren’t too many trainings around for experienced PowerShell scripters where you really still learn something new. But there’s one place you don’t want to miss: PowerShell Conference EU – with 40 renown international speakers including PowerShell team members and MVPs, plus 350 professional and creative PowerShell scripters. Registration is open at www.psconf.eu, and the full 3-track 4-days agenda becomes available soon. Once a year it’s just a smart move to come together, update know-how, learn about security and mitigations, and bring home fresh ideas and authoritative guidance. We’d sure love to see and hear from you!

Twitter This Tip! ReTweet this Tip!

Command Discovery Unleashed (Part 1)

Whenever you enter a command in PowerShell, a series of events takes place to figure out where the command is located. This starts with a PreCommandLookupAction which you can use to log commands. Have a look at this:

$ExecutionContext.InvokeCommand.PreCommandLookupAction = {
param
(
    [string]
    $Command,

    [Management.Automation.CommandLookupEventArgs]
    $Obj
)
$whitelist = @(
'prompt',
'out-default',
'psconsolehostreadline',
'Microsoft.PowerShell.CoreSet-StrictMode'
)

    if ($Command -notin $whitelist -and $Obj.CommandOrigin -eq 'Runspace')
    {
        $host.UI.WriteLine('Yellow','White',$Command)
    }
}

When you run this, every command you enter will be echoed to the console – except for the commands listed in $whitelist. This illustrates how the PreCommandLookupAction works: it fires whenever you enter a command, and you could write the commands to a log file as well.


psconf.eu – PowerShell Conference EU 2019 – June 4-7, Hannover Germany – visit www.psconf.eu There aren’t too many trainings around for experienced PowerShell scripters where you really still learn something new. But there’s one place you don’t want to miss: PowerShell Conference EU – with 40 renown international speakers including PowerShell team members and MVPs, plus 350 professional and creative PowerShell scripters. Registration is open at www.psconf.eu, and the full 3-track 4-days agenda becomes available soon. Once a year it’s just a smart move to come together, update know-how, learn about security and mitigations, and bring home fresh ideas and authoritative guidance. We’d sure love to see and hear from you!

Twitter This Tip! ReTweet this Tip!

Adding Numbers to a String (Part 2)

In the previous tip we illustrated a number of ways how to safely add variables to string content. Adding variables to double-quoted text can expose yet another issue with automatic variable detection. Have a look:

# this is the desired output:
# PowerShell Version is 5.1.17763.316

# this DOES NOT WORK:
"PowerShell Version is $PSVersionTable.PSVersion"

When you run this code, the output is not what most people would expect. The colorization already hints what it wrong: double-quoted strings expand variables only. They do not care about anything that follows. So since $PSVersionTable is a hash table object, PowerShell outputs the object type name, then adds “.PSVersion” to it:

 
PS> "PowerShell Version is $PSVersionTable.PSVersion"
PowerShell Version is System.Collections.Hashtable.PSVersion  
 

Here are four popular alternatives that work:

# use a subexpression
"PowerShell Version is $($PSVersionTable.PSVersion)"

# use the format (-f) operator
'PowerShell Version is {0}' -f $PSVersionTable.PSVersion


# concatenate (provided the first element is a string)
'PowerShell Version is ' + $PSVersionTable.PSVersion

# use simple variables
$PSVersion = $PSVersionTable.PSVersion
"PowerShell Version is $PSVersion"

psconf.eu – PowerShell Conference EU 2019 – June 4-7, Hannover Germany – visit www.psconf.eu There aren’t too many trainings around for experienced PowerShell scripters where you really still learn something new. But there’s one place you don’t want to miss: PowerShell Conference EU – with 40 renown international speakers including PowerShell team members and MVPs, plus 350 professional and creative PowerShell scripters. Registration is open at www.psconf.eu, and the full 3-track 4-days agenda becomes available soon. Once a year it’s just a smart move to come together, update know-how, learn about security and mitigations, and bring home fresh ideas and authoritative guidance. We’d sure love to see and hear from you!

Twitter This Tip! ReTweet this Tip!

Adding Numbers to a String (Part 1)

Double-quoted strings can easily expand variables, however this concept is not foolproof:

$id = 123

# this is the desired output:
# Number is 123:
# this DOES NOT WORK:
"Number is $id:"

As you see in the sample above, when you place variables inside double-quoted text, PowerShell determines automatically where a variable starts and ends. A *** is considered part of the variable. To correct the issue, you need a way to clearly mark the start and end of a variable. Here are some approaches you can use to correct issues like this:

$id = 123

# PowerShell escape character ends the variable
"Number is $id`:"
# braces "embrace" the variable name
"Number is ${id}:"
# subexpressions execute the code in the parenthesis
"Number is $($id):"
# the format operator inserts the array on the right into the 
# placeholders in the template on the left
'Number is {0}:' -f $id
# which is essentially this:
'Number is ' + @($id)[0] + ':'

# careful with "addition": this requires the first 
# element to be a string. So this works:
'Number is ' + $id + ':'
# this won't:
$id + " is the number"
# whereas this will again:
'' + $id + " is the number"

psconf.eu – PowerShell Conference EU 2019 – June 4-7, Hannover Germany – visit www.psconf.eu There aren’t too many trainings around for experienced PowerShell scripters where you really still learn something new. But there’s one place you don’t want to miss: PowerShell Conference EU – with 40 renown international speakers including PowerShell team members and MVPs, plus 350 professional and creative PowerShell scripters. Registration is open at www.psconf.eu, and the full 3-track 4-days agenda becomes available soon. Once a year it’s just a smart move to come together, update know-how, learn about security and mitigations, and bring home fresh ideas and authoritative guidance. We’d sure love to see and hear from you!

Twitter This Tip! ReTweet this Tip!