Parsing Netsh output - windows

I need to parse the output given by the netsh command in powershell.
Below is the command i'm using
Netsh advfirewall show private
It's proving the below output
Private Profile Settings:
----------------------------------------------------------------------
State ON
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Enable
RemoteManagement Disable
UnicastResponseToMulticast Enable
Logging:
LogAllowedConnections Disable
LogDroppedConnections Disable
FileName %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize 4096
My requirement is to access each and every value in the above output. Something like $result.state / $result.InboundUserNotification
I'm pretty new to PowerShell and i have searched on google about this and wasn't able to find anything.

The obligatory recommendation:
It's always better to find a PowerShell cmdlet to call, so you can take advantage of objects getting output, whose properties you can robustly access - but it sounds like the candidate cmdlet, Get-NetFirewallProfile doesn't work as expected for your use case (domain-joined computers).
Text parsing is always less robust than an object-based solution, though PowerShell offers many powerful features, if needed, notably in this case the switch statement with its -Regex option:
$result = [ordered] #{} # initialize the (ordered) result hashtable.
# Process each line output by netsh, and if it is a line
# containing a property/value-pair, add an entry to the hashtable.
switch -Regex (netsh advfirewall show private) {
'^(.+?) {2,}(.+)' { $result[$Matches.1] = $Matches.2 }
}
# Now you can access $result.State, $result.'Firewall Policy', ...
Note the assumption that the property name and its value are separated by at least two spaces
( {2,}); lines that don't match the property/value pattern are simply skipped.
An alternative is to assume a fixed column width with a single space separating the columns, which does seem to be the case here:
$result = [ordered] #{} # initialize the (ordered) result hashtable.
# Process each line output by netsh, and if it is a line
# containing a property/value-pair, add an entry to the hashtable.
switch -Regex (netsh advfirewall show private) {
'^(.{37}) (.+)' { $result[($Matches.1).TrimEnd()] = $Matches.2 }
}
Note the (...) (parentheses) around $Matches.1, which is unexpectedly required in order to call .TrimEnd() on the value; the parentheses wouldn't be necessary if index syntax ([1]) rather than property syntax .1 were used (that is, $Matches[1].TrimEnd() would work). The problem seems to be specific to property / key names that are numbers. See GitHub issue #14036

If you must parse this output, you can do the following:
$netsh = (Netsh advfirewall show private |
Select-String -Pattern "\s{2,}") -replace '\s{2,}','=' -replace '\\','\\' -join [System.Environment]::NewLine
$result = [pscustomobject](ConvertFrom-StringData $netsh)
The problem with the ConvertFrom-StringData method is the hash table output is not ordered. If order matters, you can just create your hash table by splitting each line into property/value pairs:
$hash = [ordered]#{}
Netsh advfirewall show private | Select-String -Pattern "\s{2,}" |
Foreach-Object {
$key,$value = $_ -split '\s{2,}'
$hash[$key] = $value
}
$result = [pscustomobject]$hash

Here's a similar approach to AdminOfThings answer utilizing ConvertFrom-StringData as well as Foreach-Object's -Begin and -End parameters.
Netsh advfirewall show private |
ForEach-Object -Begin{$ht = [ordered]#{}} {
if($_ -match '\s{10,}')
{
$ht += $_ -replace '\\','\\' -replace '\s{10,}','=' | ConvertFrom-StringData
}
} -End{[PSCustomObject]$ht} -OutVariable result
And a slight variation
Netsh advfirewall show private | Where-Object {$_ -match '\s{10,}'} |
ForEach-Object -Begin{$ht = [ordered]#{}} {
$ht += $_ -replace '\\','\\' -replace '\s{10,}','=' | ConvertFrom-StringData
} -End{[PSCustomObject]$ht} -OutVariable result

Related

Which command to use for getting Bytes per cluster and Bytes per File record segment data for multiple servers?

I would like to generate Bytes per cluster and Bytes per File record segment data for over 50 servers into an excel sheet (for a drive D)
I know the command "Fsutil fsinfo ntfsinfo [drive letter:]" provides this info but only for local system.
i tried writing this but it did not work.
"Enter-PSSession Server1
Fsutil fsinfo ntfsinfo D:
Exit-PSSession"
I then executed each command manually and it was working.
Can anyone please help me create a script to get the above mentioned data at one go for 50 servers.
Thank you
Continuing from my comment, you can use cmdlet Invoke-Comand for that:
# you may already have admin permissions on each of the servers, but if not, get craedentials for someone that has
$adminCreds = Get-Credential -Message 'Please add your admin credentials to get server information'
# your list of server names here
$servers = 'Server01', 'Server02' # etc.
# next use 'Invoke-Command' to have each server run the code
$result = Invoke-Command -ComputerName $servers -Credential $adminCreds -ScriptBlock {
# have each server run the Fsutil command, and return that as PsCustomObject for convenience
# instead of an array of lines.
# to use ConvertFrom-StringData in PowerShell < 7.x, you need to replace the first colon with a equals sign
# PowerShell versions above 5.1 can use parameter -Delimiter '='
[PsCustomObject]((Fsutil fsinfo ntfsinfo D:) -replace '(?<!:.*):', '=' -join "`r`n" | ConvertFrom-StringData)
}
Now you can save the entire result to CSV or limit to the properties you need like
$result | Select-Object PSComputerName, 'Bytes Per Cluster', 'Bytes Per FileRecord Segment' | Export-Csv -Path 'X:\serverInfo.csv' -NoTypeInformation
If you are not sure all of the servers can be reached, do a loop:
$result = foreach ($server in $servers) {
# test if the server can be reached
if (Test-Connection -ComputerName $server -Count 1 -Quiet) {
Invoke-Command -ComputerName $server -Credential $adminCreds -ScriptBlock {
# have each server run the Fsutil command, and return that as PsCustomObject for convenience
# instead of an array of lines.
# to use ConvertFrom-StringData in PowerShell < 7.x, you need to replace the first colon with a equals sign
# PowerShell versions above 5.1 can use parameter -Delimiter '='
[PsCustomObject]((Fsutil fsinfo ntfsinfo D:) -replace '(?<!:.*):', '=' -join "`r`n" | ConvertFrom-StringData)
}
}
else {
Write-Warning "Server $server is off-line!"
}
}
Regex details:
(?<! Assert that it is impossible to match the regex below with the match ending at this position (negative lookbehind)
: Match the character “:” literally
. Match any single character
* Between zero and unlimited times, as many times as possible, giving back as needed (greedy)
)
: Match the character “:” literally

The rights of the .exe of a windows service powershell

I am blocked with my code
I will try to explain what I would like to do with it,
my code is to scan the different windows services, to keep in memory only what uses an .exe and then to search among them the ones that the users have full control of.
I would like it to display the service and its rights at the end.
$services = Get-WmiObject win32_service | ?{$_.PathName -like '*.exe*'} | select Name, State, Pathname, StartName | Out-Null
foreach ($service in $services) {
$var = "{0}.exe" -f ($Service.PathName -Split ".exe")[0]
foreach ($right in $var ){
if ( (Get-Acl $var).Access -ccontains "BUILTIN\Utilisateurs FullControl "{
Write-Warning " Exploit detected "
}
}
}
thank you in advance for your feedback
Get-CimInstance Win32_Service |
Where-Object { $_.PathName -like '*.exe*'} |
Select-Object Name, State, Pathname, StartName |
ForEach-Object {
$_.PathName = ($_.PathName -split '(?<=\.exe\b)')[0].Trim('"')
Add-Member -PassThru -InputObject $_ Acl (Get-Acl -LiteralPath $_.PathName)
} |
Where-Object {
$_.Acl.Access.Where({
$_.IdentityReference -ceq 'BUILTIN\Utilisateurs' -and
$_.FileSystemRights -eq 'FullControl'
}, 'First').Count -gt 0
}
Note that I've replaced Get-WmiObject with Get-CimInstance, because the CIM cmdlets superseded the WMI cmdlets in PowerShell v3 (released in September 2012). Therefore, the WMI cmdlets should be avoided, not least because PowerShell (Core) (v6+), where all future effort will go, doesn't even have them anymore. Note that WMI still underlies the CIM cmdlets, however. For more information, see this answer.
The above uses the ForEach-Object call to:
update the .PathName property of each object to contain only the - unquoted - path of the executable with each service.
add an .Acl property to each object via Add-Member, containing the service executable's ACL, obtained via Get-Acl.
The resulting list of objects is then filtered by those whose service-executable ACL contains an entry for identity BUILTIN\Utilisateurs[1] with full control over the executable.
That is, the resulting objects are effectively those for which you meant to issue Write-Warning " Exploit detected "
As for what you tried:
$services = ... | Out-Null by definition captures nothing[2] in variable $services, given that Out-Null's purpose is to suppress output.
While $var = "{0}.exe" -f ($Service.PathName -Split ".exe")[0] does extract the executable path (although .exe should be \.exe\b, for robustness), it may include enclosing double quotes, which should be stripped.
It's unclear where $rights comes from.
You cannot use -ccontains to match across multiple properties of an object, and note that the purpose of the -contains operator and its variants is to test presence of a value in full, in a collection, not to look for a substring in a single string.
[1] It's interesting to see that these identity references are localized; the equivalent on a US-English system would be BUILTIN\Users. Generally, it would be better to obtain a culture-independent representation of this identity, namely its SID, and use that for comparison: $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-32-545'
[2] Loosely speaking, $null; technically, it is the singleton value that PowerShell uses to signal "no output received", [System.Management.Automation.Internal.AutomationNull]::Value.
If I begin by the begining you terminate your first line by | out-null so $services contains nothing.
Then you forgot a ")" in your if.
You should present your code with indentations.
Be carefull :
"{0}.exe" -f ("C:\WINDOWS\system32\msiexec.exe /V"-Split ".exe")[0]
Gives :
C:\WINDOWS\system32\ms.exe
So use a '\' before the '.' :
"{0}.exe" -f ("C:\WINDOWS\system32\msiexec.exe /V"-Split "\.exe")[0]
which gives (regular expression story ?):
C:\WINDOWS\system32\msiexec.exe
So it will give something like that.
$services = Get-WmiObject win32_service | ?{$_.PathName -like '*.exe*'} | select Name, State, Pathname, StartName
foreach ($service in $services) {
$var = "{0}.exe" -f ($Service.PathName -Split "\.exe")[0]
if ((Get-Acl $var.Trim('"') -ErrorAction Stop) -ccontains "BUILTIN\Utilisateurs FullControl "){
Write-Warning " Exploit detected "
}
}

parse the contents of a variable powershell

I would like to parse the contents of a variable to display only the path of the .exe without the startup options
$services = Get-WmiObject win32_service | ?{$_.PathName -like '*.exe*'} | select Name, DisplayName, State, Pathname, StartName
foreach ($service in $services) {
$Service.Pathname
}
Result
C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Thank you in advance for your feedback
To offer a concise alternative, which also trims enclosing " chars. from command lines with executables containing spaces and recognizes argument-less unquoted executable paths containing spaces without enclosing "...":
((Get-CimInstance win32_service).PathName -match '\.exe\b').ForEach({
if (Test-Path -LiteralPath $_) { # Check if the entire string is an unquoted executable path alone.
$_
} else {
$_ -replace '^(?:"(.+?)"|([^ ]+)).*', '$1$2'
}
})
The above uses:
member-access enumeration to get all .PathName values simply by using property access at the collection level.
the regex-based -match operator to limit the values to those containing the verbatim substring .exe (regex metachar. . must be escaped as \.) at a word boundary (\b).
the .ForEach() array method, for faster processing (than with the ForEach-Object cmdlet) of values already in memory.
The Test-Path is used to check if the entire command line refers to a single executable, possibly with spaces in its path; if so, the entire string ($_) is passed out.
Otherwise, the command line is assumed to include arguments and/or an executable path enclosed in embedded "...".
the regex-based -replace operator with a regex that matches the entire input string and replaces it only with the substring of interest, the executable file path, via capture groups ((...)).
Note: The regex works whether or not the executable path ends in .exe, but given that the command line by definition does contain .exe, simpler solutions are possible, as shown in Santiago's helpful answer and elkenyo's helpful answer, though the latter should be made more robust:
('"C:\Program Files\bar2.exe" -baz' -split '(?<=\.exe\b)')[0].Trim('"')
For an explanation of how the -replace regex and substitution work, see this regex101.com snippet.
A simple demonstration:
$commandLines = 'c:\tools\foo1.exe',
'c:\tools\foo2.exe -bar',
'"C:\Program Files\bar1.exe"',
'"C:\Program Files\bar2.exe" -baz'
$commandLines -replace '^(?:"(.+?)"|([^ ]+)).*', '$1$2'
The above yields:
c:\tools\foo1.exe
c:\tools\foo2.exe
C:\Program Files\bar1.exe
C:\Program Files\bar2.exe
This should work for you;
$services = Get-WmiObject win32_service | ?{$_.PathName -like '*.exe*'} | select Name, DisplayName, State, Pathname, StartName
foreach ($service in $services) {
($Service.PathName -Split ".exe")[0]
# to include .exe:
# "$(($Service.PathName -Split ".exe")[0]).exe"
}
You could use a Select-Object calculated property like so:
$services = Get-WmiObject win32_service | ?{$_.PathName -like '*.exe*'} |
Select-Object Name, DisplayName, State,
#{n='PathName';e={[regex]::Match($_.PathName,'.*\.exe"?').Value}}
I'm using "? at the end of the regex because some Paths are enclosed with ", this will include it.
If you want to exclude the enclosing " you could use (though there is probably a better way):
[regex]::Match($_.PathName,'.*\.exe').Value.TrimStart('"')
Link to test it and explanation: https://regex101.com/r/BFlhVv/1
Then if you do $services.PathName it would show you all the paths without arguments.

Powershell: find/replace string using wildcard - syntax difficulty

I have the following text in a file named ".connectionInfo":
device name = "WTG001" {
address = "172.28.16.1";
port = 80;
timeout = 3;
rfs = true;
operatingSystem = "vxworks";
}
I have one file as the master (shown above) and wish to create multiple copies in multiple directories with this IP address incrementing by one. In directory "WTG001", I would have .connectionInfo with "172.28.16.1", in directory "WTG002", I would have .connectionInfo with "172.28.16.2", etc.
I have the following Powerscript file and would like to use a counter (IP_Counter) to increment the last digits of the IP address:
$folder="C:\work\Scripting";
$txtFile="C:\work\Scripting\TurbineConfig.txt";
$pattern="\d+.+";
get-content $txtFile | %
{
$IP_Counter = 1
if($_ -match $pattern)
{
Copy-Item -Path C:\work\Scripting\.connectionInfo -Destination "$folder\$_.vxworks";
(Get-Content C:\work\Scripting\.connectionInfo) |
Foreach-Object {$_ -replace '172.28.16.*','172.28.16.$IP_Counter'} |
Out-File "$folder\.connectionInfo";
$IP_Counter++;
...
}
}
I'm having problems with the proper syntax for the "-replace" attribute. I want to replace just the last 3 digits of the IP address with the value $IP_Counter. I think using '172.28.16.*' wildcard finds the last number in the IP but I cannot figure out the precise syntax for the replace string. Please help me identify what '172.28.16.$IP_Counter' should look like.
I can use that same knowledge to replace the "WTG001" text also.
You can use the following -replace expression:
Foreach-Object {$_ -replace '172\.28\.16\.\d+',"172.28.16.$IP_Counter"}
\d+ represents digits only so the semicolon at the end of the line and the quotes won't be replaced. You also need to use double quotes " around the replacement string to interpolate $IP_Counter
I hope there is also some bounds checking for $IP_Counter - in your example it looks like it would loop forever.

Breaking foreach loop in PowerShell v2

I'm having trouble terminating a foreach-object loop in PowerShell v2. For a rough idea of the task I'm trying to accomplish, here's the pseudo-code:
Read lists of host machines from a text file
For each host in the text file get Win32_Product (filtered against an exclusion list),
convert output to html and save.
The reason for the script is that I've amassed a text file listing all applications included on standard client images, and would like to periodically scan hosts from another text file to see if there are any unauthorized, sketchy or otherwise unnecessary applications on the host machines.
The code does work in a rough sense, but the main issue I'm having is that the script will not terminate without manual intervention. I guess the component I'm missing here is to run the loop until some condition exists (ie. first line in the host file is encountered for the second time), then terminates the script. Although this is the method I've envisioned, I am always open to other logic, especially if its more efficient.
Here's the actual code:
Get-Content c:\path\to\testhostlist.txt | Foreach-Object {
Get-WmiObject Win32_Product |
Where-Object { $_.Name -f "'C:\path\to\testauthapplist.txt'" |
ConvertTo-Html name,vendor,version -title $name -body "<H2>Unauthorized Applications.</H2>"}} |
Set-Content c:\path\to\unauthapplisttest.html
I don't see how the first line of the host file (I infer you mean testhostlist.tx) would ever be encountered a second time, since you're only listing it once. This doesn't even seem to be an infinite loop that would need an exit condition. Foreach-Object doesn't repeat indefinitely.
It seems to me that the problem is not that the loop doesn't exit without a condition, it's that the syntax is invalid.
Where-Object filters the pipeline by passing only objects that meet a certain condition, but the scriptblock that follows doesn't perform a boolean test.
In fact, the content of the scriptblock doesn't appear valid in and of itself. -f is the format operator, and takes a format string as the left operand, but $_.Name is not a format string.
I'm going to take a guess here, based on your description, that the idea is to filter the results of Get-WmiObject Win32_Product for objects whose Name property isn't listed in testauthapplist.txt (I take it that's the "exclusion list" you're referring to). If so, this is the correct syntax:
Get-Content c:\path\to\testhostlist.txt | %{
Get-WmiObject Win32_Product | ?{
(Get-Content 'C:\path\to\testauthapplist.txt') -notcontains $_.Name
} | ConvertTo-Html name,vendor,version -title $name -body "<H2>Unauthorized Applications.</H2>"
} | Set-Content c:\path\to\unauthapplisttest.html
(Note that %{} and ?{} are just abbreviations for Foreach-Object and Where-Object, respectively.)
If i understood you correctly you are trying to stop your Script completely? If so did you try Break?
If you only want to skip a loop use continue
$hostlist = Get-Content c:\path\to\testhostlist.txt
$a = #()
Foreach($item in $hostlist)
{
$a += "<style>"
$a += "BODY{background-color:gray;}"
$a += "TABLE{margin: auto;border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
$a += "TH{border-width: 1px;padding: 4px;border-style: solid;border-color: black;background-color:yellow}"
$a += "TD{border-width: 1px;padding: 4px;border-style: solid;border-color: black;background-color:white}"
$a += "h2{color:#fff;}"
$a += "</style>"
Get-WmiObject Win32_Product | select name,vendor,version | sort name | ConvertTo-Html -head $a -body "<Center><H2>Unauthorized Applications.</H2></Center>" | Out-File c:\path\to\$item"-applist.html"
}

Resources