Finding & Filtering
Filtering Objects
The Get-Member cmdlet gets the members, the properties and methods, of objects.
# get an object along with its properties and methods
Get-LocalUser administrator | get-member
TypeName: Microsoft.PowerShell.Commands.LocalUser
Name MemberType Definition
---- ---------- ----------
Clone Method Microsoft.PowerShell.Commands.LocalUser Clone()
Equals Method bool Equals(System.Object obj)
GetHashCode Method int GetHashCode()
GetType Method type GetType()
ToString Method string ToString()
AccountExpires Property System.Nullable[datetime] AccountExpires {get;set;}
Description Property string Description {get;set;}
Enabled Property bool Enabled {get;set;}
FullName Property string FullName {get;set;}
LastLogon Property System.Nullable[datetime] LastLogon {get;set;}
Name Property string Name {get;set;}
ObjectClass Property string ObjectClass {get;set;}
PasswordChangeableDate Property System.Nullable[datetime] PasswordChangeableDate {get;set;}
PasswordExpires Property System.Nullable[datetime] PasswordExpires {get;set;}
PasswordLastSet Property System.Nullable[datetime] PasswordLastSet {get;set;}
PasswordRequired Property bool PasswordRequired {get;set;}
PrincipalSource Property System.Nullable[Microsoft.PowerShell.Commands.PrincipalSource] PrincipalSource {ge...
SID Property System.Security.Principal.SecurityIdentifier SID {get;set;}
UserMayChangePassword Property bool UserMayChangePassword {get;set;}
# get all object's properties
Get-LocalUser administrator | Select-Object -Property *
AccountExpires :
Description : Built-in account for administering the computer/domain
Enabled : False
FullName :
PasswordChangeableDate :
PasswordExpires :
UserMayChangePassword : True
PasswordRequired : True
PasswordLastSet :
LastLogon : 1/20/2021 5:39:14 PM
Name : Administrator
SID : S-1-5-21-3916821513-3027319641-390562114-500
PrincipalSource : Local
ObjectClass : User
# filtering based on specified properties (the * is redundant)
Get-LocalUser * | Select-Object -Property Name,PasswordLastSet
Name PasswordLastSet
---- ---------------
Administrator
DefaultAccount
Guest
MTanaka 1/27/2021 2:39:55 PM
WDAGUtilityAccount 1/18/2021 7:40:22 AM
# filtering, sorting, and grouping
Get-LocalUser * | Sort-Object -Property Name | Group-Object -Property Enabled
Count Name Group
----- ---- -----
4 False {Administrator, DefaultAccount, Guest, WDAGUtilityAccount}
1 True {MTanaka}
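The same building blocks (Get-LocalUser, Select-Object, Where-Object, Sort-Object, Group-Object) are enough for a small local-account audit. The following is an added example, not code from the original notes; the 90-day staleness window, the derived column names and the SID pattern for the built-in Administrator RID are assumptions for illustration.

```powershell
# Added example: audit local accounts with the filtering cmdlets shown above.
# Assumptions: a 90-day "stale" window, and that a null PasswordExpires means
# the password is set to never expire on this host.

$staleDays = 90
$cutoff    = (Get-Date).AddDays(-$staleDays)

# Calculated properties add derived columns next to the real ones.
$report = Get-LocalUser |
    Select-Object Name, Enabled, PasswordRequired, PasswordExpires, LastLogon,
        @{ Name = 'NeverExpires';   Expression = { $null -eq $_.PasswordExpires } },
        @{ Name = 'Stale';          Expression = { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) } },
        @{ Name = 'IsBuiltInAdmin'; Expression = { $_.SID.Value -like 'S-1-5-21-*-500' } }

# What a reviewer usually wants first: enabled accounts whose password never
# expires, an enabled built-in Administrator, or enabled accounts that have not
# logged on within the window.
$report |
    Where-Object { $_.Enabled -and ($_.NeverExpires -or $_.Stale -or $_.IsBuiltInAdmin) } |
    Sort-Object Name |
    Format-Table Name, Enabled, PasswordRequired, NeverExpires, Stale, IsBuiltInAdmin, LastLogon -AutoSize

# Summary counts, grouped on two properties at once
$report | Group-Object Enabled, NeverExpires | Select-Object Count, Name
```

The calculated-property hashtables (`@{ Name = ...; Expression = { ... } }`) are the idiomatic way to add a computed column in Select-Object without writing a loop; everything downstream then treats the new column like any other property.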
User objects are small, so the need for filtering is not obvious with them. Service objects are the opposite: they carry so many properties that it is hard to read through them all.
# get all object's properties
Get-Service | Select-Object -Property *
Name : AarSvc_1ca8ea
RequiredServices : {}
CanPauseAndContinue : False
CanShutdown : False
CanStop : False
DisplayName : Agent Activation Runtime_1ca8ea
DependentServices : {}
MachineName : .
ServiceName : AarSvc_1ca8ea
ServicesDependedOn : {}
ServiceHandle :
Status : Stopped
ServiceType : 224
StartType : Manual
Site :
Container :
Name : AdobeARMservice
RequiredServices : {}
CanPauseAndContinue : False
CanShutdown : False
CanStop : True
DisplayName : Adobe Acrobat Update Service
DependentServices : {}
MachineName : .
ServiceName : AdobeARMservice
ServicesDependedOn : {}
ServiceHandle :
Status : Running
ServiceType : Win32OwnProcess
StartType : Automatic
Site :
Container :
<SNIP>
# filtering based on properties, sorting alphabetically, formatting as a list
Get-Service | Select-Object -Property DisplayName,Name,Status | Sort-Object DisplayName | fl
<SNIP>
DisplayName : ActiveX Installer (AxInstSV)
Name : AxInstSV
Status : Stopped
DisplayName : Adobe Acrobat Update Service
Name : AdobeARMservice
Status : Running
<SNIP>
# filtering for any object containing 'Defender' within the specified field
Get-Service | Where-Object -Property DisplayName -like '*Defender*'
Get-Service | Where DisplayName -like '*Defender*'
Status Name DisplayName
------ ---- -----------
Running mpssvc Windows Defender Firewall
Stopped Sense Windows Defender Advanced Threat Pr...
Running WdNisSvc Microsoft Defender Antivirus Networ...
Running WinDefend Microsoft Defender Antivirus Service
# same as above, showing all properties of each matched object
Get-Service | Where DisplayName -like '*Defender*' | Select-Object -Property *
RequiredServices : {mpsdrv, bfe}
CanPauseAndContinue : False
CanShutdown : False
CanStop : False
DisplayName : Windows Defender Firewall
DependentServices :
MachineName : .
ServiceName : mpssvc
ServicesDependedOn : {mpsdrv, bfe}
ServiceHandle :
Status : Running
ServiceType : Win32ShareProcess
StartType : Automatic
Site :
Container :
<SNIP>
| Expression | Description |
|---|---|
| Like | Utilizes wildcard expressions to perform matching. |
| Contains | Gets the object if any item in the property value matches exactly as specified. |
| Equal to | Specifies an exact match (case sensitive) to the property value supplied. |
| Match | Is a regular expression match to the value supplied. |
| Not | Specifies a match if the property is blank, does not exist, or is $False. |
Searching Content
Select-String (sls) is similar to grep or findstr. It is NOT case-sensitive by default.
# listing files recursively
Get-ChildItem -Path c:\users\mtanaka\ -File -Recurse
Directory: C:\Users\MTanaka\Desktop\notedump\NoteDump
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 4/26/2022 1:47 PM 1092 demo notes.md
-a--- 4/22/2022 2:20 PM 1074 noteDump.py
-a--- 4/22/2022 2:55 PM 61440 plum.sqlite
-a--- 4/22/2022 2:20 PM 375 README.md
<SNIP>
# filtering based on extensions
GCI -Path c:\users\mtanaka\ -File -Recurse -ErrorAction SilentlyContinue | Where {($_.Name -like "*.txt")}
Directory: C:\Users\MTanaka\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 10/11/2022 3:32 PM 183 demo-notes.txt
-a--- 4/4/2022 9:37 AM 188 q2-to-do.txt
-a--- 10/12/2022 11:26 AM 14 test.txt
-a--- 1/4/2022 11:23 PM 310 Untitled-1.txt
Directory: C:\Users\MTanaka\Desktop\win-stuff
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 5/19/2021 10:12 PM 7831 wmic.txt
Directory: C:\Users\MTanaka\Desktop\Workshop\
Mode LastWriteTime Length Name
---- ------------- ------ ----
----- 1/7/2022 4:39 PM 945 info.txt
# filter for several extensions (note the parameter dash must be a plain hyphen: -Path)
GCI -Path C:\Users\MTanaka\ -File -Recurse -ErrorAction SilentlyContinue | Where {($_.Name -like "*.txt" -or $_.Name -like "*.py" -or $_.Name -like "*.ps1" -or $_.Name -like "*.md" -or $_.Name -like "*.csv")}
Directory: C:\Users\MTanaka\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 10/11/2022 3:32 PM 183 demo-notes.txt
-a--- 10/11/2022 10:22 AM 1286 github-creds.txt
-a--- 4/4/2022 9:37 AM 188 q2-to-do.txt
-a--- 9/18/2022 12:35 PM 30 notes.txt
-a--- 10/12/2022 11:26 AM 14 test.txt
-a--- 2/14/2022 3:40 PM 3824 remote-connect.ps1
-a--- 10/11/2022 8:22 PM 874 treats.ps1
-a--- 1/4/2022 11:23 PM 310 Untitled-1.txt
Directory: C:\Users\MTanaka\Desktop\notedump\NoteDump
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 4/26/2022 1:47 PM 1092 demo.md
-a--- 4/22/2022 2:20 PM 1074 noteDump.py
-a--- 4/22/2022 2:20 PM 375 README.md
# search files' content
GCI -Path C:\Users\MTanaka\ -Filter "*.txt" -Recurse -File | sls "Password","credential","key"
CFP-Notes.txt:99:Lazzaro, N. (2004). Why we play games: Four keys to more emotion without story. Retrieved from:
notes.txt:3:- Password: F@ll2022!
wmic.txt:67: wmic netlogin get name,badpasswordcount
wmic.txt:69:Are the screensavers password protected? What is the timeout? good use: see that all systems are complying with policy evil use: find systems to walk up and use (assuming physical access is an option)
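The search above already turns up a plaintext password in notes.txt. A hygiene sweep of a profile is the defensive version of the same command: report where credential-looking lines live so they can be cleaned up, without echoing the secret itself into a console log. This is an added example, not from the original notes; the root path, extension list and regular expression are assumptions and should be adjusted to the environment. It relies on Select-String being case-insensitive by default, as noted above.

```powershell
# Added example: locate likely stored credentials under a profile and report
# file, line number and a redacted copy of the line.
# Assumptions: root path, extension list and pattern are illustrative choices.

$root    = $env:USERPROFILE
$exts    = '*.txt', '*.md', '*.ps1', '*.py', '*.csv', '*.xml', '*.json', '*.config'
$pattern = 'pass(word|wd)?\s*[:=]|api[_-]?key|secret|BEGIN (RSA|OPENSSH) PRIVATE KEY'

# -Include only applies together with -Recurse (or a wildcard path), which we use here
$files = Get-ChildItem -Path $root -Recurse -File -Include $exts -ErrorAction SilentlyContinue

# Select-String returns MatchInfo objects: Path, LineNumber, Line and the regex Matches
$hits = $files | Select-String -Pattern $pattern -AllMatches |
    Select-Object Path, LineNumber,
        @{ Name = 'Matched';  Expression = { ($_.Matches | ForEach-Object Value) -join ', ' } },
        @{ Name = 'Redacted'; Expression = { $_.Line -replace '(?<=[:=]\s*)\S+', '***' } }

$hits | Sort-Object Path, LineNumber | Format-Table Path, LineNumber, Matched, Redacted -AutoSize

# Counts per file show where cleanup effort is concentrated
$hits | Group-Object Path | Sort-Object Count -Descending | Select-Object Count, Name
```

The redaction replaces whatever follows a `:` or `=` on the matched line with `***`, so the report shows that `notes.txt:3` contains a `Password:` entry without reproducing its value; for a real sweep the report itself should still be treated as sensitive, since file names and line numbers alone tell a reader where to look.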