# PowerShell Quick Reference

## Essentials

| Command | Action |
|---|---|
| `[Environment]::Is64BitOperatingSystem` | Check whether the OS is 64-bit |
| `[Environment]::Is64BitProcess` | Check whether the current PowerShell process is 64-bit |
| `"$($PSVersionTable.PSEdition) $($PSVersionTable.PSVersion)"` | Show PowerShell edition and version |
| `$ExecutionContext.SessionState.LanguageMode` | Check the language mode (e.g., ConstrainedLanguage) |
| `$PSHOME` | Show the PowerShell installation directory |
| `Get-ChildItem Env:` | List environment variables |
| `Get-Date` | Display the local date and time |
| `Get-Command` | List available commands/cmdlets |
| `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | Path to 64-bit PowerShell (when called from a 64-bit process) |
| `C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe` | Launch 64-bit PowerShell from a 32-bit process (SysNative bypasses WOW64 file redirection) |
## Host Quick-Triage

| Command | Action |
|---|---|
| `driverquery /v /fo csv \| ConvertFrom-Csv \| Select-Object 'Display Name','Start Mode','Path'` | Enumerate installed drivers with start mode and path |
| `Get-CimInstance Win32_PnPSignedDriver \| Select-Object DeviceName,DriverVersion,Manufacturer` | Enumerate signed drivers and their versions |
| `Get-Item "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"` | Locate PSReadLine history (Windows PowerShell 5.1) |
| `Get-Item "$env:APPDATA\Microsoft\PowerShell\PSReadLine\ConsoleHost_history.txt"` | Locate PSReadLine history (PowerShell 7+) |
| `Get-ChildItem -Path <dir> -Filter *.lnk -Recurse -ErrorAction SilentlyContinue \| ForEach-Object { (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath }` | List target paths of `.lnk` shortcuts |
## Files & ACLs

| Command | Action |
|---|---|
| `Get-Content <path>` | Read file content (text) |
| `Get-Content <path> -Wait -Tail <N>` | Show the last N lines of a file and follow new lines |
| `Select-String -Path <path> -Pattern "<pattern>"` | Search for text in a file |
| `Get-ChildItem -Path <root> -Filter <name> -Recurse -Force -ErrorAction SilentlyContinue` | Search for a file by name |
| `Get-ChildItem -Recurse -File \| Select-Object -Expand FullName` | List files recursively (full paths) |
| `Get-ChildItem \| Sort-Object LastWriteTime` | Sort items by last write time |
| `Get-Acl <path> \| Format-List *` | Show file/folder ACLs (detailed) |
## Networking

| Command | Action |
|---|---|
| `Get-NetTCPConnection -State Listen \| ForEach-Object { $_ \| Add-Member ProcessName (Get-Process -Id $_.OwningProcess).Name -PassThru } \| Format-Table ProcessName,LocalAddress,LocalPort -AutoSize` | List listening TCP ports with the owning process name |
| `Test-NetConnection <host> -Port <port>` | Test TCP connectivity to host:port |
## Credentials & Permissions (Admin tasks)

| Command | Action |
|---|---|
| `$pass = ConvertTo-SecureString '<password>' -AsPlainText -Force` | Create a SecureString from plaintext (for testing) |
| `$cred = New-Object System.Management.Automation.PSCredential('<domain>\<username>', $pass)` | Create a PSCredential object |
| `(Import-CliXml -Path <file>).GetNetworkCredential().Password` | Recover the password from an exported credential (same user and machine only, since DPAPI protects it) |
| `[System.Net.NetworkCredential]::new("", $SecurePassword).Password` | Convert a SecureString to plaintext (handle with care) |
| `($acl = Get-Acl HKLM:\System\CurrentControlSet\Services).Sddl \| ConvertFrom-SddlString -Type RegistryRights \| ForEach-Object { $_.DiscretionaryAcl }` | View service registry ACLs (SDDL to readable DACL) |
## RDP

| Command | Action |
|---|---|
| `Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 0` | Enable RDP connections |
| `Enable-NetFirewallRule -DisplayGroup "Remote Desktop"` | Allow RDP through Windows Firewall |
| `New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name 'DisableRestrictedAdmin' -Value 0 -PropertyType DWORD` | Enable RDP Restricted Admin mode (value 0 enables it) |
## Script Execution

| Command | Action |
|---|---|
| `powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File <file.ps1>` | Run a script with the execution policy bypassed (non-interactive, no profile loaded) |