1. What is PowerShell?
- A task-based command shell and scripting language designed for system administration.
- Built on the .NET Framework, Windows PowerShell lets IT professionals and power users control and automate the administration of the Windows operating system and of the applications that run on it.
- Supports far more powerful scripting than the old cmd.
- Gives access to COM and WMI.
COM : Component Object Model
WMI : Windows Management Instrumentation
- Commands follow the cmdlet naming scheme.
- Simple scripts are easy to write.
- Input and output are objects, not text strings.
- Everything is processed object by object.
- gci c: <-- lists the contents of C: / similar to ls (gci is the alias of Get-ChildItem; gi is Get-Item, which returns the C: item itself rather than its contents)
Get-ChildItem c: gives the same result as ls
- Results can be converted and exported as text, HTML or CSV.
First, what is a cmdlet?
- Short for "command-let": a single-function command that operates on objects in Windows PowerShell.
- Identified by a verb-noun name joined with a dash (ex: Get-Process).
- "Get" : retrieves data
"Set" : sets or changes data
"Format" : formats data for display
"Out" : sends output to a specified destination
Now, straight to command practice.
- help Get-Process -Online
Opens the online help page for the cmdlet in the browser.
- Get-EventLog -LogName security -ComputerName z_310_17 -Verbose
Reads the Security event log (here from the host z_310_17).
Get-EventLog <-- the cmdlet
-LogName security <-- first parameter, passed by name (it is also positional, so Get-EventLog security works too)
-ComputerName z_310_17 <-- a second named parameter; every parameter after the first is passed the same way
-Verbose <-- a switch parameter: it takes no value, its presence turns the behaviour on
- Get-Verb *
Lists the approved verbs that cmdlet names are built from.
Verb Group
---- -----
Add Common
Clear Common
Close Common
Copy Common
Enter Common
Exit Common
Find Common
Format Common
Get Common
.... and so on, many more
tasklist.exe | findstr winlogon <- the old cmd way
ps -ef | grep sshd <- Linux/Unix equivalent
Get-Process | Where-Object {$_.name -eq "winlogon"}
- This is how you filter today
- Where-Object passes on only those objects coming down the pipeline that satisfy the condition in {}; $_ is the current object
ex1)
PS C:\> Get-Process | Where-Object {$_.name -eq "svchost"}
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
351 66 7796 5760 38 1.01 368 svchost
579 47 26784 11576 90 2.51 500 svchost
523 23 8832 6644 80 0.53 536 svchost
418 40 17456 15588 83 1.45 596 svchost
2079 77 1028852 479096 1483 7,611.01 604 svchost
410 14 6160 4896 45 4.31 996 svchost
508 36 19016 9244 104 2.26 1048 svchost
325 33 15048 6176 65 0.86 1236 svchost
108 8 2400 236 29 0.03 2540 svchost
355 46 67416 23216 146 24.90 3544 svchost
ex2)
PS C:\> Get-Process | Where-Object {$_.name -eq "notepad"}
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
100 9 3812 9956 86 0.05 9320 notepad
PS C:\> Get-Process | Where-Object {$_.name -like "sv*"}
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
365 66 8016 4332 38 1.61 368 svchost
583 47 30528 14516 95 4.52 500 svchost
526 23 8784 3352 79 0.83 536 svchost
428 52 20564 11032 98 2.45 596 svchost
2050 77 1031140 19944 1486 ...56.31 604 svchost
421 14 6188 3280 44 8.21 996 svchost
497 36 19120 7828 103 3.39 1048 svchost
324 33 15184 4824 65 1.08 1236 svchost
114 9 2560 1236 31 0.03 2540 svchost
355 46 70320 15608 146 42.17 3544 svchost
Pipeline
- The Linux/Unix pipeline passes plain text as a stream
- The PowerShell pipeline passes objects between commands
* The properties of those objects are what you filter, format and sort on
-PS C:\> Get-Process | Get-Member | Get-Member
-This shows the members of Get-Member's own output objects (MemberDefinition), not those of Process.
-Get-Member on its own, with nothing piped in, prints nothing useful: it needs input objects.
-PS C:\> Get-Process | gm | gm
TypeName: Microsoft.PowerShell.Commands.MemberDefinition
Name MemberType Definition
---- ---------- ----------
Equals Method bool Equals(System.Object obj)
GetHashCode Method int GetHashCode()
GetType Method type GetType()
ToString Method string ToString()
Definition Property System.String Definition {get;}
MemberType Property System.Management.Automation.PSMemberTypes MemberType {get;}
Name Property System.String Name {get;}
TypeName Property System.String TypeName {get;}
- PS C:\> Get-Process | gm | Out-GridView
Shows the result in a sortable, filterable grid window.
- PS C:\> Get-Process | Sort-Object -Descending vm
Sort-Object orders by whatever property you name; here by virtual memory, largest first.
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
2067 76 1028600 478956 1481 8,192.02 604 svchost
360 46 122684 104620 742 1.93 7572 powershell_ise
664 42 156952 163596 733 8.28 7888 powershell
1063 145 233224 178800 626 109.93 1284 iexplore
324 98 35796 10724 609 0.45 3804 PhantomClassAgent
1030 149 164952 194876 566 54.19 3944 iexplore
199 26 35488 11492 532 0.44 3360 PresentationFontCache
183 25 21912 8704 502 0.06 2360 PAService
193 23 12948 2248 487 0.06 1640 CertiportUpdateService
148 24 22460 1580 479 0.06 1760 CPExamSvc
768 129 143988 165664 449 12.14 7576 iexplore
804 93 133188 142580 433 4.15 8556 iexplore
759 116 113288 118832 427 5.88 4700 iexplore
291 33 58656 1796 425 1.15 4416 jandiapp
798 78 108356 65476 417 24.88 4188 iexplore
358 40 24864 15580 408 3.76 1344 taskhost
1181 117 77916 87684 395 21.98 1512 explorer
.....
- Get-Process | Sort-Object name | ConvertTo-Html | Out-File c:\process.html
ConvertTo-Html <<<<-- this is what turns the objects into an HTML table; without it Out-File just writes the plain text view.
- Add -Descending after Sort-Object name to reverse the order.
- Get-Process | Sort-Object name | Out-File C:\process.txt
- Get-Service | Sort-Object -Property status,name -Descending
Sorting by several properties.
The order of the property names decides the priority:
by name first, or by status first?
ex)
Status Name DisplayName
------ ---- -----------
Running wudfsvc Windows Driver Foundation - User-mo...
Running wuauserv Windows Update
Running WSearch Windows Search
Running wscsvc Security Center
Running WPDBusEnum Portable Device Enumerator Service
Running Winmgmt Windows Management Instrumentation
Running WinHttpAutoProx... WinHTTP Web Proxy Auto-Discovery Se...
Running WindowsSecuService WindowsSecuService
Running WinDefend Windows Defender
Running WdiServiceHost Diagnostic Service Host
Running VMwareHostd VMware Workstation Server
Running VMware NAT Service VMware NAT Service
Running VMUSBArbService VMware USB Arbitration Service
Running VMAuthdService VMware Authorization Service
Running V3 Service V3 Service
Running UxSms Desktop Window Manager Session Manager
Running TrkWks Distributed Link Tracking Client
Running Themes Themes
Running TabletInputService Tablet PC Input Service
Running stisvc Windows Image Acquisition (WIA)
.....
-PS C:\Users\Administrator> Get-Service | Sort-Object -Property name,status -Descending
ex)
Status Name DisplayName
------ ---- -----------
Stopped WwanSvc WWAN AutoConfig
Running wudfsvc Windows Driver Foundation - User-mo...
Running wuauserv Windows Update
Running WSearch Windows Search
Running wscsvc Security Center
Running WPDBusEnum Portable Device Enumerator Service
Stopped WPCSvc Parental Controls
Stopped WMPNetworkSvc Windows Media Player Network Sharin...
Stopped wmiApSrv WMI Performance Adapter
Stopped Wlansvc WLAN AutoConfig
Stopped WinRM Windows Remote Management (WS-Manag...
Running Winmgmt Windows Management Instrumentation
Running WinHttpAutoProx... WinHTTP Web Proxy Auto-Discovery Se...
Running WindowsSecuService WindowsSecuService
PS C:\Users\Administrator> Get-Service | Select-Object name
ex)
Name
----
AdobeFlashPlayerUpdateSvc
AdobeUpdateService
AeLookupSvc
ALG
AppIDSvc
Appinfo
AppMgmt
aspnet_state
AudioEndpointBuilder
AudioSrv
AxInstSV
BDESVC
BFE
<names only>
ex)
PS C:\Users\Administrator> Get-Service | Select-Object name, status | more
Name Status
---- ------
AdobeFlashPlayerUpdateSvc Stopped
AdobeUpdateService Running
AeLookupSvc Running
ALG Stopped
AppIDSvc Stopped
Appinfo Running
AppMgmt Stopped
aspnet_state Stopped
AudioEndpointBuilder Running
AudioSrv Running
AxInstSV Stopped
BDESVC Stopped
BFE Running
BITS Stopped
Browser Stopped
bthserv Stopped
CertiportUpdateService Running
CertPropSvc Stopped
clr_optimization_v2.0.50727_32 Stopped
clr_optimization_v2.0.50727_64 Stopped
clr_optimization_v4.0.30319_32 Stopped
clr_optimization_v4.0.30319_64 Stopped
COMSysApp Stopped
CPExamService Running
cphs
<name and status; | more pages the output>
PS C:\> Get-Service | Select-Object name, DisplayName -first 5
Name DisplayName
---- -----------
AdobeFlashPlayerUpdateSvc Adobe Flash Player Update Service
AdobeUpdateService AdobeUpdateService
AeLookupSvc Application Experience
ALG Application Layer Gateway Service
AppIDSvc Application Identity
<select name and status, then sort by name>
PS C:\Users\Administrator> Get-Service | Select-Object name, status | Sort-Object name
Name Status
---- ------
AdobeFlashPlayerUpdateSvc Stopped
AdobeUpdateService Running
AeLookupSvc Running
ALG Stopped
AppIDSvc Stopped
Appinfo Running
AppMgmt Stopped
aspnet_state Stopped
AudioEndpointBuilder Running
AudioSrv Running
AxInstSV Stopped
BDESVC Stopped
BFE Running
BITS Stopped
Browser Stopped
bthserv Stopped
CertiportUpdateService Running
CertPropSvc Stopped
clr_optimization_v2.0.50727_32 Stopped
Handy when going through logs.
PS C:\Users\Administrator> Get-Service | Select-Object -First 10 name,status | Sort-Object name
Name Status
---- ------
AdobeFlashPlayerUpdateSvc Stopped
AdobeUpdateService Running
AeLookupSvc Running
ALG Stopped
AppIDSvc Stopped
Appinfo Running
AppMgmt Stopped
aspnet_state Stopped
AudioEndpointBuilder Running
AudioSrv
PS C:\Users\Administrator> Get-Service | Select-Object -last 10 name,status | Sort-Object name
Name Status
---- ------
Wlansvc Stopped
wmiApSrv Stopped
WMPNetworkSvc Stopped
WPCSvc Stopped
WPDBusEnum Running
wscsvc Running
WSearch Running
wuauserv Running
wudfsvc Running
WwanSvc
Of all commands, the cmdlets with "log" in their name (-Type is short for -CommandType).
PS C:\> Get-Command *log* -Type cmdlet
CommandType Name Definition
----------- ---- ----------
Cmdlet Clear-EventLog Clear-EventLog [-LogName] <String[]> [[-ComputerName] <St...
Cmdlet Get-EventLog Get-EventLog [-LogName] <String> [[-InstanceId] <Int64[]>...
Cmdlet Limit-EventLog Limit-EventLog [-LogName] <String[]> [-ComputerName <Stri...
Cmdlet New-EventLog New-EventLog [-LogName] <String> [-Source] <String[]> [[-...
Cmdlet Remove-EventLog Remove-EventLog [-LogName] <String[]> [[-ComputerName] <S...
Cmdlet Show-EventLog Show-EventLog [[-ComputerName] <String>] [-Verbose] [-Deb...
Cmdlet Write-EventLog Write-EventLog [-LogName] <String> [-Source] <String> [-E...
PowerShell can read the registry directly as well, through the Registry provider; cmd had to call out to reg.exe for that.
PS C:\> Get-ChildItem -Path HKCU:\Software\Microsoft\Windows\
cd is an alias of Set-Location, so you can cd into a registry key just like a directory: Set-Location HKCU:\Software\Microsoft\Windows\
PS HKCU:\Software\Microsoft\Windows\> ls
Hive: HKEY_CURRENT_USER\Software\Microsoft\Windows
SKC VC Name Property
--- -- ---- --------
28 0 CurrentVersion {}
0 12 DWM {Composition, ColorizationOpaqueBlend, EnableAeroPeek, CompositionPolicy...}
3 0 Shell {}
2 0 TabletPC {}
2 12 Windows Error Reporting {ConfigureArchive, DisableArchive, Disabled, DisableQueue...}
The subkeys and values are listed like a directory (SKC = subkey count, VC = value count).
PS HKCU:\Software\Microsoft\Windows\> Get-PSDrive
Name Used (GB) Free (GB) Provider Root CurrentLocation
---- --------- --------- -------- ---- ---------------
Alias Alias
C 51.55 60.23 FileSystem C:\
cert Certificate \
D FileSystem D:\
E FileSystem E:\
Env Environment
F FileSystem F:\
Function Function
G FileSystem G:\
H FileSystem H:\
HKCU Registry HKEY_CURRENT_USER Software\Microsoft\Windows\
HKLM Registry HKEY_LOCAL_MACHINE
Variable Variable
WSMan WSMan
r (alias of Invoke-History) re-runs the previous command; r <Id> re-runs the history entry with that Id.
PS C:\> Get-History -c 100 | Format-List
(-c is short for -Count)
Id : 1
CommandLine : Get-Service | Select-Object name, status | more
ExecutionStatus : Stopped
StartExecutionTime : 2016-07-07 11:26:54 AM
EndExecutionTime : 2016-07-07 11:27:02 AM
Id : 2
CommandLine : Get-Service | Select-Object name, status | more
ExecutionStatus : Stopped
StartExecutionTime : 2016-07-07 11:27:03 AM
EndExecutionTime : 2016-07-07 11:27:26 AM
Id : 3
CommandLine : Get-Service | Select-Object name, status | Sort-Object name
ExecutionStatus : Completed
StartExecutionTime : 2016-07-07 11:27:37 AM
EndExecutionTime : 2016-07-07 11:27:37 AM
Moving files
-Destination
-Path
PS C:\> move .\process.txt C:\Users\
PS C:\> move -Destination C:\Users\Administrator\Desktop\ -Path .\process.txt
(move is an alias of Move-Item; with named parameters the order does not matter)
Tab key completes cmdlet, parameter and path names / column alignment
PS C:\> Get-Process | Format-Table -Property name, id -AutoSize
Name Id
---- --
AdobeUpdateService 1452
audiodg 14156
CertiportUpdateService 1640
ConEmu64 9552
ConEmu64 10756
ConEmuC64 6660
ConEmuC64 11024
conhost 7588
conhost 7848
conhost 10308
CPExamSvc 1760
csrss 420
csrss 776
dwm 1460
PS C:\> Get-Process | Select-Object -Property name, id
Name Id
---- --
AdobeUpdateService 1452
audiodg 14156
CertiportUpdateService 1640
ConEmu64 9552
ConEmu64 10756
ConEmuC64 6660
ConEmuC64 11024
conhost 7588
conhost 7848
conhost 10308
CPExamSvc 1760
csrss 420
csrss 776
dwm
PS C:\> Get-Process | Select-Object -First 3 | Format-Table -Property name,id -AutoSize
Name Id
---- --
AdobeUpdateService 1452
audiodg 14156
CertiportUpdateService 1640
PS C:\> Get-Process | Select-Object -First 3 | Format-Table -Property name,id
Name Id
---- --
AdobeUpdateService 1452
audiodg 14156
CertiportUpdateService 1640
Grouping
PS C:\> Get-Service | Sort-Object -Property status | Format-Table -GroupBy status
Status: Stopped
Status Name DisplayName
------ ---- -----------
Stopped RemoteAccess Routing and Remote Access
Stopped RasMan Remote Access Connection Manager
Stopped RpcLocator Remote Procedure Call (RPC) Locator
Stopped RemoteRegistry Remote Registry
Stopped ProtectedStorage Protected Storage
Stopped PolicyAgent IPsec Policy Agent
Stopped RasAuto Remote Access Auto Connection Manager
Stopped QWAVE Quality Windows Audio Video Experience
Stopped SessionEnv Remote Desktop Configuration
..
Status: Running
Status Name DisplayName
------ ---- -----------
Running wscsvc Security Center
Running V3 Service V3 Service
Running wuauserv Windows Update
Running VMAuthdService VMware Authorization Service
Running WSearch Windows Search
Running MpsSvc Windows Firewall
Running TrustedInstaller Windows Modules Installer
Running TrkWks Distributed Link Tracking Client
Running UxSms Desktop Window Manager Session Manager
Running wudfsvc Windows Driver Foundation - User-mo...
Running AudioEndpointBu... Windows Audio Endpoint Builder
Running WPDBusEnum Portable Device Enumerator Service
Running Appinfo Application Information
..
Keep long values from being cut off
PS C:\> Get-Service | Format-Table -Wrap
PS C:\> Get-Process | Format-List -Property name, status
(Process objects have no Status property, which is why only Name appears below; Status belongs to Service objects.)
Name : AdobeUpdateService
Name : audiodg
Name : CertiportUpdateService
Name : ConEmu
Name : ConEmuC64
Name : ConEmuC64
Name : ConEmuC64
Name : conhost
Name : conhost
Name : conhost
Name : CPExamSvc
Name : csrss
Name : csrss
Name : dwm
---
PS C:\> Get-Process | more
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
65 7 1224 212 42 0.03 1452 AdobeUpdateService
135 10 19544 19208 61 10048 audiodg
173 23 12948 2052 487 0.06 1640 CertiportUpdateService
254 23 22984 31784 157 3.85 15340 ConEmu
95 9 4304 7008 78 0.14 10092 ConEmuC64
96 9 4776 7556 78 2.89 11752 ConEmuC64
100 9 4308 7228 78 1.76 14912 ConEmuC64
89 8 4840 8476 77 0.05 13372 conhost
89 8 4896 8600 77 3.51 14960 conhost
89 8 4876 8572 77 2.06 15248 conhost
147 24 22460 1396 479 0.08 1760 CPExamSvc
608 13 2988 856 61 1.90 420 csrss
965 28 4176 15968 256 137.45 776 csrss
152 19 36136 27420 175 57.91 1460 dwm
1305 112 91188 39996 407 28.98 1512 explorer
0 0 0 24 0 0 Idle
910 102 45028 27984 309 30.01 488 iexplore
893 85 175236 103780 507 129.65 1284 iexplore
1119 125 166508 116392 608 450.58 3944 iexplore
812 81 108568 22572 426 25.58 4188 iexplore
722 93 95512 16840 382 6.44 4700 iexplore
844 101 133708 41276 450 67.19 5344 iexplore
753 100 113004 51536 438 21.43 7576 iexplore
816 96 137304 35164 437 6.61 8556 iexplore
590 49 42548 16916 276 1.72 11808 iexplore
121 9 3192 96 38 0.02 876 igfxCUIService
173 15 8248 372 100 0.08 3560 igfxEM
125 12 7076 376 88 0.05 3568 igfxHK
157 11 10100 360 82 0.16 3584 igfxTray
68 6 2156 88 25 0.02 1868 IMEDICTUPDATE
705 44 29776 9980 278 7.43 1584 jandiapp
-- More --
PS C:\> Get-Service | Format-Wide -Property displayname
Prints displayname in wide, multi-column form.
Adobe Flash Player Update Service AdobeUpdateService
Application Experience Application Layer Gateway Service
Application Identity Application Information
Application Management ASP.NET State Service
Windows Audio Endpoint Builder Windows Audio
ActiveX Installer (AxInstSV) BitLocker Drive Encryption Service
Base Filtering Engine Background Intelligent Transfer Service
Computer Browser Bluetooth Support Service
Certiport Update Service Certificate Propagation
Microsoft .NET Framework NGEN v2.0.50727_X86 Microsoft .NET Framework NGEN v2.0.50727_X64
Microsoft .NET Framework NGEN v4.0.30319_X86 Microsoft .NET Framework NGEN v4.0.30319_X64
COM+ System Application Certiport Exam Service
Intel(R) Content Protection HECI Service Cryptographic Services
Offline Files DCOM Server Process Launcher
Disk Defragmenter DHCP Client
DNS Client Wired AutoConfig
Diagnostic Policy Service Extensible Authentication Protocol
Encrypting File System (EFS) Windows Media Center Receiver Service
Windows Media Center Scheduler Service Windows Event Log
COM+ Event System Fax
PS C:\> Get-Service
Status Name DisplayName
------ ---- -----------
Stopped AdobeFlashPlaye... Adobe Flash Player Update Service
Running AdobeUpdateService AdobeUpdateService
Stopped AeLookupSvc Application Experience
Stopped ALG Application Layer Gateway Service
Stopped AppIDSvc Application Identity
Running Appinfo Application Information
Stopped AppMgmt Application Management
Stopped aspnet_state ASP.NET State Service
Running AudioEndpointBu... Windows Audio Endpoint Builder
Running AudioSrv Windows Audio
Stopped AxInstSV ActiveX Installer (AxInstSV)
Stopped BDESVC BitLocker Drive Encryption Service
Running BFE Base Filtering Engine
Stopped BITS Background Intelligent Transfer Ser...
Stopped Browser Computer Browser
Stopped bthserv Bluetooth Support Service
Running CertiportUpdate... Certiport Update Service
Stopped CertPropSvc Certificate Propagation
Stopped clr_optimizatio... Microsoft .NET Framework NGEN v2.0....
Number of columns per line
PS C:\> Get-Process | Format-Wide -Column 5
AdobeUpdateService audiodg CertiportUpdateService ConEmu ConEmuC64
ConEmuC64 ConEmuC64 ConEmuC64 conhost conhost
conhost conhost CPExamSvc csrss csrss
dwm explorer Idle iexplore iexplore
iexplore iexplore iexplore iexplore iexplore
iexplore iexplore igfxCUIService igfxEM igfxHK
igfxTray IMEDICTUPDATE jandiapp jandiapp jandiapp
jandiapp jandiapp jusched KakaoTalk lsass
lsm MsSpellCheckingFaci... NHCAAgent NHCACombackInfo NHCAMsn
NHCAPTAgent NHCARemote NHCARemote NHCASysMon NHCAUI
PAService PhantomClassAgent powershell powershell powershell
powershell PresentationFontCache RAVCpl64 SearchIndexer services
ShdServ ShdTray smss SnippingTool spoolsv
svchost svchost svchost svchost svchost
svchost svchost svchost svchost svchost
System taskhost V3SP V3Svc vmnat
vmware-authd vmware-hostd vmware-tray vmware-usbarbitrator64 WindowsSecuService
wininit winlogon wisptis WUDFHost
PS C:\> Get-Process | Format-Wide -Column 5 -Property vm
44433408 63819776 510193664 199163904 81973248
81977344 80924672 81973248 80318464 80318464
82415616 80318464 502202368 64303104 268812288
183140352 425209856 0 323117056 531120128
654340096 444997632 400564224 472227840 459485184
457183232 289882112 40259584 104366080 92409856
86384640 26714112 291295232 403238912 271581184
233553920 445403136 73797632 317435904 54595584
18227200 62676992 121974784 69435392 117870592
79970304 93642752 75280384 120877056 109297664
525873152 639889408 598200320 598200320 598200320
609783808 543166464 115437568 197218304 35864576
69509120 102264832 4186112 200609792 83423232
39104512 95293440 83521536 87236608 1783017472
46231552 107614208 69451776 30711808 153051136
3526656 423096320 175058944 66727936 49004544
84692992 170094592 74084352 58183680 13496320
56119296 65159168 59781120 41254912
Starting and stopping programs
PS C:\> Get-Process -Name notepad | Stop-Process
PS C:\> Start-Process notepad
PS C:\> Get-Process -Name calc | Stop-Process
PS C:\> Start-Process calc
PS C:\> Get-Process -Name calc | Stop-Process -Confirm
PS C:\> Get-Process -Name calc | Stop-Process -WhatIf
What if: Performing the operation "Stop-Process" on target "calc (15284)".
PS C:\> Get-Service | Stop-Service -WhatIf
What happens without -WhatIf? Stop-Service would really try to stop every service on the machine, including the ones your own session depends on. Always dry-run bulk stop/remove commands with -WhatIf first.
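The -WhatIf and -Confirm safety net shown above is not limited to built-in cmdlets. As an added example (not part of the original notes), this function wraps Stop-Process so that the same switches work on your own bulk operations; the function name and the list of protected processes are assumptions chosen for the demo.

```powershell
# Added example: a cmdlet-style function that honours -WhatIf and -Confirm
# itself. Name and the protected list are assumptions for the demo.
function Stop-ProcessByName {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Name,

        # Processes that must never be stopped, even if asked for.
        [string[]]$Protected = @('winlogon', 'lsass', 'csrss', 'services', 'wininit', 'smss')
    )
    process {
        foreach ($n in $Name) {
            if ($Protected -contains $n) {
                Write-Warning "Refusing to stop protected process '$n'"
                continue
            }
            $targets = Get-Process -Name $n -ErrorAction SilentlyContinue
            if (-not $targets) {
                Write-Verbose "No process named '$n' is running"
                continue
            }
            foreach ($p in $targets) {
                # ShouldProcess prints the "What if:" line under -WhatIf, or prompts
                # under -Confirm; the kill only happens when it returns $true.
                if ($PSCmdlet.ShouldProcess("$($p.ProcessName) ($($p.Id))", 'Stop-Process')) {
                    Stop-Process -Id $p.Id -Force
                }
            }
        }
    }
}

# Dry run: every matching process gets a "What if:" line instead of being stopped,
# and lsass is refused before ShouldProcess is even reached.
'notepad', 'calc', 'lsass' | Stop-ProcessByName -WhatIf -Verbose

# Real run. ConfirmImpact = 'High' means PowerShell prompts even without -Confirm
# (unless $ConfirmPreference has been lowered in the session).
# 'notepad' | Stop-ProcessByName
```

Because the function declares SupportsShouldProcess, PowerShell adds the -WhatIf and -Confirm parameters for you; the only thing the body has to do is gate the destructive call on $PSCmdlet.ShouldProcess().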
PS C:\> Get-Process | Export-Clixml c:\test.xml
PS C:\> Compare-Object -ReferenceObject (Import-Clixml c:\test.xml) -DifferenceObject (Get-Process) -Property name
name SideIndicator
---- -------------
notepad =>
SearchFilterHost <=
SearchProtocolHost <=
=> : only in the difference set (running now, not in the snapshot): notepad appeared
<= : only in the reference set (in the snapshot, gone now): the two Search* processes exited
(Useful for spotting backdoors)
Take a snapshot of the process list, then compare the current processes against it and look at what sticks out.
Export-Clixml serialises the objects to XML, so the snapshot can be compared later, or on another machine.
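Comparing on name alone, as above, misses the classic trick of naming a backdoor svchost.exe and running it from a user-writable directory. As an added example (not from the original notes), the snapshot below also records the image path and compares on both; the file location, the function names and the list of "system" process names are assumptions for the demo.

```powershell
# Added example: snapshot-and-diff of running processes, extending the
# Export-Clixml / Compare-Object idea. Paths and names are assumptions.
$BaselinePath = Join-Path $env:TEMP 'process-baseline.xml'

function Save-ProcessBaseline {
    param([string]$Path = $BaselinePath)
    # Record the image path and company, not just the name. Path is null for
    # protected processes the current user cannot inspect; that is expected.
    Get-Process -ErrorAction SilentlyContinue |
        Select-Object Name, Id, Path, Company |
        Export-Clixml -Path $Path
}

function Compare-ProcessBaseline {
    param([string]$Path = $BaselinePath)
    $baseline = Import-Clixml -Path $Path
    $current  = Get-Process -ErrorAction SilentlyContinue |
        Select-Object Name, Id, Path, Company

    # Compare on Name AND Path, so a same-named binary from another directory
    # still shows up. -PassThru keeps the whole object, so Id is available.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
        -Property Name, Path -PassThru |
        Select-Object @{n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'NEW' } else { 'GONE' } }},
                      Name, Id, Path
}

# Independent of any baseline: a well-known system process name whose image
# does not live under %SystemRoot% is worth a look on its own.
function Find-MisplacedSystemProcess {
    $systemNames = 'svchost', 'lsass', 'csrss', 'winlogon', 'services', 'explorer'
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object {
            $systemNames -contains $_.Name -and
            $_.Path -and
            $_.Path -notlike "$env:SystemRoot\*"
        } |
        Select-Object Name, Id, Path
}

Save-ProcessBaseline
# ... later, after the system has been running or something was launched ...
Compare-ProcessBaseline | Format-Table -AutoSize
Find-MisplacedSystemProcess | Format-Table -AutoSize
```

Take the baseline on a freshly built, known-good machine and keep the XML off the host; a snapshot stored on a compromised box can be edited along with everything else.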
Get-HotFix | Select-Object Description, HotFixID | Sort-Object -Descending | ConvertTo-Html | Out-File c:\hotfix.html
Reverse order,
to compare against the latest hotfixes.
(Sort-Object with no -Property has nothing meaningful to sort these objects on, which is why the table below is not actually ordered; use Sort-Object -Property InstalledOn -Descending to get the newest first.)
| Description | HotFixID |
|---|---|
| Update | KB2731771 |
| Update | KB2786081 |
| Update | KB2685811 |
| Update | KB2729094 |
| Update | KB2888049 |
| Update | KB976902 |
| Update | KB2834140 |
| Update | KB2882822 |
| Update | KB2841134 |
| Update | KB2841134 |
| Update | KB2849697 |
| Update | KB2849696 |
| Hotfix | KB2534111 |
| Hotfix | KB2639308 |
| Update | KB2670838 |
| Update | KB2533623 |
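To actually "compare against the latest hotfixes" you need a meaningful sort and a list to compare with. As an added example (not from the original notes), the block below sorts by install date and checks a required set; the three KB numbers in $required are copied from the table above purely as sample input, not as a recommendation of what must be installed.

```powershell
# Added example: order the hotfix list by date and check a required set.
# The sample KB numbers are taken from the table above as constructed input.
function Get-RecentHotFix {
    param([int]$Count = 10)
    # Sort on InstalledOn (a [datetime]); a bare Sort-Object -Descending on
    # Select-Object output gives no useful order.
    Get-HotFix |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First $Count HotFixID, Description, InstalledOn, InstalledBy
}

function Test-RequiredHotFix {
    param([Parameter(Mandatory)][string[]]$RequiredKB)
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    foreach ($kb in $RequiredKB) {
        [pscustomobject]@{
            HotFixID  = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

Get-RecentHotFix | Format-Table -AutoSize

# Constructed sample list: report only what is missing.
$required = 'KB2731771', 'KB2786081', 'KB976902'
Test-RequiredHotFix -RequiredKB $required |
    Where-Object { -not $_.Installed } |
    Format-Table -AutoSize

# Same report as HTML, as in the one-liner above, now with a title.
Get-RecentHotFix -Count 50 | ConvertTo-Html -Title 'Installed hotfixes' | Out-File c:\hotfix.html
```

Get-HotFix only lists updates recorded through the Windows Update / QFE path; on newer systems pair it with the Windows Update history if you need completeness.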
----------------------
PS C:\> Get-WmiObject -EnableAllPrivileges Win32_UserProfile | Select-Object LocalPath, SID, @{Name='last used'; Expression={$_.ConvertToDateTime($_.LastUseTime)}}
Get-WmiObject : gets instances of Windows Management Instrumentation (WMI) classes, or information about the available classes.
-EnableAllPrivileges : enables all the privileges of the current user before the command makes the WMI call.
Win32_UserProfile : represents a user profile on a Windows system.
localpath sid last used
--------- --- ---------
C:\Users\Administrator S-1-5-21-803020922-819449392-432581...
C:\Windows\ServiceProfiles\NetworkS... S-1-5-20
C:\Windows\ServiceProfiles\LocalSer... S-1-5-19
C:\Windows\system32\config\systempr... S-1-5-18
'last used' : when the profile was last loaded (LastUseTime).
The column came out empty here because the command as typed misspelled both the method and the property (ConverToDateTime, lastusertime); an error inside a calculated property is swallowed silently and leaves the cell blank. With the names corrected as above the time appears. The S-1-5-18/19/20 service profiles are loaded at boot, so their times are not interactive logons.
--------------------
PS C:\> Get-WmiObject -EnableAllPrivileges Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -eq $true } | Select-Object DHCPEnabled, @{Name='IPAddress'; Expression={ $_.IPAddress -join ';' }}, @{Name='DefaultIPGateway'; Expression={ $_.DefaultIPGateway -join ';' }}, DNSDomain
DHCPEnabled IPaddress DefaultIPGateway DNSDomain
----------- --------- ---------------- ---------
False 203.253.5.196;fe80::4c8d:...
False 192.168.75.1;fe80::9455:b...
False 192.168.66.1;fe80::1541:1...
Finds the adapters that carry IP, their addresses and the default gateway the system currently uses. IPAddress and DefaultIPGateway are string arrays, hence -join to flatten them into one cell. (As typed on the page the filter used 'Ture' instead of $true, which only worked because any non-empty string converts to $true, and the gateway column used =join instead of -join, which is why that column came out empty.)
--------------------
Get-WmiObject for Windows startup programs
Win32_StartupCommand, trimmed with a Select clause
These are the entries currently registered to run at startup / logon
PS C:\> Get-WmiObject -EnableAllPrivileges Win32_StartupCommand | Select-Object Command, User, Caption
command user caption
------- ---- -------
%ProgramFiles%\Windows Sidebar\Side... NT AUTHORITY\LOCAL SERVICE Sidebar
%ProgramFiles%\Windows Sidebar\Side... NT AUTHORITY\NETWORK SERVICE Sidebar
"C:\Program Files (x86)\Kakao\Kakao... Z_310_17\Administrator KakaoTalk
"C:\Users\Administrator\AppData\Loc... Z_310_17\Administrator jandiapp
"C:\Program Files\AhnLab\V3IS80\V3S... Public V3 Session Process
"C:\Program Files\Realtek\Audio\HDA... Public RTHDVCPL
C:\PROGRA~1\COMMON~1\MICROS~1\IME14... Public IME14 KOR Setup
"C:\Program Files (x86)\Common File... Public AdobeAAMUpdater-1.0
"C:\Program Files\PhantomClass\Phan... Public Shield
--------------------
PS C:\> Get-WmiObject -EnableAllPrivileges Win32_Service | Select-Object Name, ProcessId, State, DisplayName, PathName | Sort-Object State
Lists every service sorted by state (Running/Stopped). To get only the running ones, filter instead of sorting: Where-Object { $_.State -eq 'Running' }. PathName is the binary each service runs; that is what you check for services pointing outside the usual system directories.
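The four WMI queries in this part (user profiles, network configuration, startup commands, services) are what you run first on a suspect host. As an added example (not from the original notes), the block below folds them into one local triage collector with the spelling fixed, exports each list to CSV, and returns the running services whose binary sits outside the usual program directories. The output directory, the function names and the list of trusted roots are assumptions for the demo; Get-WmiObject is kept to match the notes (on PowerShell 3+ the same classes are available through Get-CimInstance).

```powershell
# Added example: local triage collector built from the WMI queries in the
# notes. Output directory and trusted roots are assumptions for the demo.

# Image path from a service PathName: the quoted part if quoted, otherwise
# the first whitespace-delimited token.
function Get-ServiceImagePath {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+', 2)[0]
}

function Get-LocalTriage {
    param([string]$OutDir = (Join-Path $env:TEMP 'triage'))
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # 1. Profiles: who has used this machine and when. LastUseTime is a DMTF
    #    timestamp string; ConvertToDateTime turns it into [datetime].
    Get-WmiObject -EnableAllPrivileges Win32_UserProfile |
        Select-Object LocalPath, SID, Special,
            @{Name = 'LastUsed'; Expression = { $_.ConvertToDateTime($_.LastUseTime) }} |
        Sort-Object LastUsed -Descending |
        Export-Csv -Path (Join-Path $OutDir 'profiles.csv') -NoTypeInformation

    # 2. Adapters that carry IP; array-valued properties are joined into one cell.
    Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled } |
        Select-Object Description, DHCPEnabled, MACAddress,
            @{Name = 'IPAddress';        Expression = { $_.IPAddress -join ';' }},
            @{Name = 'DefaultIPGateway'; Expression = { $_.DefaultIPGateway -join ';' }},
            @{Name = 'DNSServers';       Expression = { $_.DNSServerSearchOrder -join ';' }},
            DNSDomain |
        Export-Csv -Path (Join-Path $OutDir 'network.csv') -NoTypeInformation

    # 3. Autostart entries (Run keys, Startup folders) and the account they run under.
    Get-WmiObject Win32_StartupCommand |
        Select-Object Caption, User, Location, Command |
        Export-Csv -Path (Join-Path $OutDir 'startup.csv') -NoTypeInformation

    # 4. Services: dump everything, then return the ones worth a second look.
    $services = Get-WmiObject Win32_Service |
        Select-Object Name, ProcessId, State, StartMode, StartName, DisplayName, PathName
    $services | Export-Csv -Path (Join-Path $OutDir 'services.csv') -NoTypeInformation

    # Assumed trusted roots; ProgramFiles(x86) is absent on 32-bit Windows.
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ }

    foreach ($svc in $services) {
        if ($svc.State -ne 'Running' -or -not $svc.PathName) { continue }
        $image   = Get-ServiceImagePath $svc.PathName
        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($image -like "$root\*") { $trusted = $true; break }
        }
        # An unquoted path with spaces ends up here too: its first token is not
        # a complete path, so it can never match a trusted root.
        if (-not $trusted) {
            [pscustomobject]@{
                Name      = $svc.Name
                StartName = $svc.StartName
                Image     = $image
                PathName  = $svc.PathName
            }
        }
    }
}

Get-LocalTriage | Format-Table -Wrap -AutoSize
```

Run it elevated: without administrative rights WMI hides some service and profile details, and the CSVs silently come out incomplete. Third-party software legitimately installs services under other directories, so treat the returned list as a reading list, not a verdict.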
--------------------
Storage media such as USB sticks that have been plugged into the machine show up here.
PS C:\> Get-ItemProperty -ea 0 HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\* | Select-Object FriendlyName, PSChildName
FriendlyName PSChildName
------------ -----------
USB DISK 3.0 USB Device 070D63FE8910FA47&0
General USB Flash Disk USB Device 0511030000000514&0
Generic STORAGE DEVICE USB Device 000000009744&0
Generic STORAGE DEVICE USB Device 000000009744&1
Generic STORAGE DEVICE USB Device 000000009744&2
Generic STORAGE DEVICE USB Device 000000009744&3
Samsung P3 Portable USB Device DE777DE507000094&0
SanDisk Cruzer Glide USB Device 200431093013FFB252A4&0
-ea 0 <- short for -ErrorAction SilentlyContinue (0 is the enum value). Keys the current user cannot read would otherwise produce an error each; this suppresses them. It has nothing to do with the path: the path is still passed positionally right after it (the long form would be -Path "HKLM:\SYSTEM\...").
PSChildName is the name of the key itself, which under USBSTOR is the device serial number (the &0 suffix is the instance number).
Get-ItemProperty :: reads the values (properties) of a registry key; Get-Item would return the key object itself.
--------------------
PS C:\> Get-ItemProperty -ea 0 HKLM:\software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | select Displayname, DisplayVersion, Publisher, InstallDate, InstallLocation | sort InstallDate -Descending
DisplayName : Microsoft Office Shared MUI (Korean) 2010
DisplayVersion : 14.0.4763.1000
Publisher : Microsoft Corporation
InstallDate : 20151223
InstallLocation : C:\Program Files (x86)\Microsoft Office\
DisplayName : Microsoft_VC90_CRT_x86
DisplayVersion : 1.00.0000
Publisher : Adobe
InstallDate : 20151223
InstallLocation : C:\Program Files (x86)\Adobe\My Product Name\
DisplayName : Adobe Reader 9.4.0 - Korean
DisplayVersion : 9.4.0
Publisher : Adobe Systems Incorporated
InstallDate : 20151222
InstallLocation : C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
DisplayName : Realtek High Definition Audio Driver
DisplayVersion : 6.0.1.7620
Publisher : Realtek Semiconductor Corp.
InstallDate : 20151222
InstallLocation : C:\Program Files\Realtek\Audio\HDA
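The Wow6432Node key above only lists 32-bit applications; 64-bit software registers under the non-Wow6432Node path, and per-user installs under HKCU. As an added example (not from the original notes), the block below queries all three, resolves the USBSTOR entries to device and serial, and spells out the -ea 0 shorthand; output paths and function names are assumptions for the demo. This also illustrates the registry-as-drive provider introduced earlier on the page.

```powershell
# Added example: the two registry queries from the notes made robust.
# Output path and function names are assumptions for the demo.
function Get-InstalledSoftware {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',             # 64-bit apps
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*', # 32-bit apps
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation,
            # Strip the provider prefix so the key path stays readable in the report.
            @{Name = 'Key'; Expression = { $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', '' }} |
        Sort-Object InstallDate -Descending   # InstallDate is a yyyyMMdd string; string sort is fine
}

function Get-UsbStorageHistory {
    # Enum\USBSTOR\<Disk&Ven_x&Prod_y&Rev_z>\<serial&instance>: one key per device instance.
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*' -ErrorAction SilentlyContinue |
        Select-Object FriendlyName,
            @{Name = 'Serial'; Expression = { $_.PSChildName }},
            @{Name = 'Device'; Expression = { Split-Path $_.PSParentPath -Leaf }},
            Mfg, Service
}

Get-InstalledSoftware | Export-Csv -Path (Join-Path $env:TEMP 'software.csv') -NoTypeInformation
Get-InstalledSoftware | Select-Object -First 10 DisplayName, DisplayVersion, InstallDate | Format-Table -AutoSize
Get-UsbStorageHistory | Format-Table -AutoSize
```

Reading HKLM\SYSTEM\...\Enum normally needs elevation; without it some device keys are skipped silently because of -ErrorAction SilentlyContinue, so run the collection from an elevated prompt when the USB history matters.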
--------------------
GUI vs. CLI
GUI
- high readability
- depends heavily on APIs
- DLLs: each API call touches a number of DLLs
- low information yield
CLI
- lower readability
- little API dependence
- few DLLs involved
- much more information can be dug out
- far faster
--------------------