
PowerShell Notes [Quick Summary]

by _BlankSpace 2016. 7. 10.

1. What is PowerShell?


- A task-based command shell and scripting language designed specifically for system administration.

- Built on the .NET Framework, Windows PowerShell lets IT professionals and power users control and automate the administration of the Windows operating system and of applications that run on Windows.

- Supports far more powerful scripting than the classic cmd.

- Can access COM and WMI.

COM : Component Object Model

WMI : Windows Management Instrumentation

- Uses a command system called cmdlets.

- Simple scripts can be written directly.

- Uses objects instead of text strings for input and output.

- Everything is processed as objects.

- gci c: <-- shows the contents of C: / similar to ls (gci is the alias for Get-ChildItem; gi is Get-Item, which returns the drive itself rather than its contents)

Get-ChildItem c:  gives the same result as ls

- Results can all be converted and pulled out as text, html or csv files.

 

First, what is a cmdlet?

- Short for "Command-Let": a single-function command that manipulates objects in Windows PowerShell.

- Identified by a name of the form Verb-Noun, separated by a dash (-), e.g. Get-Process.

- "get" : retrieve data

"set" : set or change data

"format" : format data for display

"out" : send the output to a specified destination


Now, straight on to practising commands.


- help Get-Process -Online

Opens the help content online in the browser.


Get-EventLog -LogName security -ComputerName z_310_17 -Verbose

Security-related log entries

Get-EventLog <-- the cmdlet

LogName security <-- first parameter

ComputerName z_310_17 <-- additional parameter / parameters after the first are handled as additional named parameters

Verbose <-- switch parameter (takes no value)


- Get-Verb *

Lists the approved verbs.


Verb                                           Group
----                                           -----
Add                                            Common
Clear                                          Common
Close                                          Common
Copy                                           Common
Enter                                          Common
Exit                                           Common
Find                                           Common
Format                                         Common
Get                                            Common

 

.... and many more


tasklist.exe | findstr winlogo <- the old way

ps -ef | grep sshd <- Linux/Unix equivalent

Get-Process | Where-Object {$_.name -eq "winlogon"}

- Nowadays it can be pulled out like this

- Where-Object takes the objects received from the previous command and passes on only those that match the condition in {}

 

ex1)

PS C:\> Get-Process | Where-Object {$_.name -eq "svchost"}

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
    351      66     7796       5760    38     1.01    368 svchost
    579      47    26784      11576    90     2.51    500 svchost
    523      23     8832       6644    80     0.53    536 svchost
    418      40    17456      15588    83     1.45    596 svchost
   2079      77  1028852     479096  1483 7,611.01    604 svchost
    410      14     6160       4896    45     4.31    996 svchost
    508      36    19016       9244   104     2.26   1048 svchost
    325      33    15048       6176    65     0.86   1236 svchost
    108       8     2400        236    29     0.03   2540 svchost
    355      46    67416      23216   146    24.90   3544 svchost

 

ex2)

PS C:\> Get-Process | Where-Object {$_.name -eq "notepad"}

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
    100       9     3812       9956    86     0.05   9320 notepad

 

 

PS C:\> Get-Process | Where-Object {$_.name -like "sv*"}

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
    365      66     8016       4332    38     1.61    368 svchost
    583      47    30528      14516    95     4.52    500 svchost
    526      23     8784       3352    79     0.83    536 svchost
    428      52    20564      11032    98     2.45    596 svchost
   2050      77  1031140      19944  1486 ...56.31    604 svchost
    421      14     6188       3280    44     8.21    996 svchost
    497      36    19120       7828   103     3.39   1048 svchost
    324      33    15184       4824    65     1.08   1236 svchost
    114       9     2560       1236    31     0.03   2540 svchost
    355      46    70320      15608   146    42.17   3544 svchost
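A worked example of the Where-Object filtering shown above (added here; not code from the original post). It shows why filtering on object properties is stronger than matching text lines with findstr, and the comparison operators -eq, -like and -match side by side; the process names used are only illustrative.

```powershell
# Added example (not from the original post): filtering on object properties with Where-Object.
# Text tools such as findstr match a substring of each output line, so "findstr winlogo" would
# also match a process named winlogoX; -eq on the Name property matches the whole value exactly.
Get-Process | Where-Object { $_.Name -eq 'winlogon' } | Select-Object -Property Name, Id, CPU

# -like uses wildcards (* and ?); -match uses a regular expression (case-insensitive by default).
Get-Process | Where-Object { $_.Name -like 'sv*' }
Get-Process | Where-Object { $_.Name -match '^(svchost|lsass|csrss)$' }

# Conditions can combine several properties, including numeric ones, with no column parsing.
Get-Process |
    Where-Object { $_.Name -eq 'svchost' -and $_.WorkingSet64 -gt 100MB } |
    Sort-Object -Property WorkingSet64 -Descending |
    Select-Object -Property Name, Id, WorkingSet64

# The pipeline output is still a collection of objects, so it can be counted or stored.
$svchost = @(Get-Process | Where-Object { $_.Name -eq 'svchost' })
"svchost instances: $($svchost.Count)"
```

The @( ) around the last pipeline guarantees an array even when only one process matches, so .Count is always defined.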




Pipeline

- Linux / Unix pipelines pass plain text as a stream

- The PowerShell pipeline uses objects for input and output

* Data is edited / printed / sorted using the objects' properties

- PS C:\> Get-Process | Get-Member | get-member

- This returns the member information of the objects that get-member itself emits (MemberDefinition), not of the process objects.

- Running get-member on its own, with no pipeline input, prints nothing.

- PS C:\> Get-Process | gm | gm


TypeName: Microsoft.PowerShell.Commands.MemberDefinition

Name        MemberType Definition
----        ---------- ----------
Equals      Method     bool Equals(System.Object obj)
GetHashCode Method     int GetHashCode()
GetType     Method     type GetType()
ToString    Method     string ToString()
Definition  Property   System.String Definition {get;}
MemberType  Property   System.Management.Automation.PSMemberTypes MemberType {get;}
Name        Property   System.String Name {get;}
TypeName    Property   System.String TypeName {get;}
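An added example (not from the original post) of what "objects instead of text" means in practice: Get-Member on the output of an external tool versus on the output of a cmdlet, then using the discovered properties directly.

```powershell
# Added example (not from the original post): text pipeline vs object pipeline, seen through Get-Member.
# Output of an external .exe arrives as plain strings: the only property is Length.
tasklist.exe | Get-Member -MemberType Property

# A cmdlet emits typed objects (System.Diagnostics.Process) with many properties.
Get-Process | Get-Member -MemberType Property | Select-Object -Property Name, Definition

# Use the properties you just discovered; no column parsing needed.
Get-Process |
    Sort-Object -Property CPU -Descending |
    Select-Object -First 5 -Property Name, Id, CPU, Path
```

Get-Member reports the type once for the whole pipeline input rather than once per object, which is why `Get-Process | gm` prints a single block rather than one per process.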



- PS C:\> Get-Process | gm | out-gridview

Shows the result in a grid view window


- PS C:\> Get-Process | Sort-Object -Descending vm

Sort-Object lets you sort however you like (here by VM, descending)

 

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
   2067      76  1028600     478956  1481 8,192.02    604 svchost
    360      46   122684     104620   742     1.93   7572 powershell_ise
    664      42   156952     163596   733     8.28   7888 powershell
   1063     145   233224     178800   626   109.93   1284 iexplore
    324      98    35796      10724   609     0.45   3804 PhantomClassAgent
   1030     149   164952     194876   566    54.19   3944 iexplore
    199      26    35488      11492   532     0.44   3360 PresentationFontCache
    183      25    21912       8704   502     0.06   2360 PAService
    193      23    12948       2248   487     0.06   1640 CertiportUpdateService
    148      24    22460       1580   479     0.06   1760 CPExamSvc
    768     129   143988     165664   449    12.14   7576 iexplore
    804      93   133188     142580   433     4.15   8556 iexplore
    759     116   113288     118832   427     5.88   4700 iexplore
    291      33    58656       1796   425     1.15   4416 jandiapp
    798      78   108356      65476   417    24.88   4188 iexplore
    358      40    24864      15580   408     3.76   1344 taskhost
   1181     117    77916      87684   395    21.98   1512 explorer

.....

 

 

- Get-Process | Sort-Object name | ConvertTo-html | out-file c:\process.html

[screenshot: process.html]


ConvertTo-html <<<<-- this is what turns the output into html format.


- Putting -descending after Sort-Object name outputs in reverse order



- Get-Process | Sort-Object name | Out-File C:\process.txt

[screenshot: process.txt]
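An added example (not from the original post) that takes the Sort-Object / ConvertTo-Html / Out-File idea one step further: the objects are saved as CSV, re-imported later as objects, and compared against the live state. The folder C:\baseline is an assumption.

```powershell
# Added example (not from the original post): saving pipeline output as HTML/CSV and reading it
# back as objects. The folder C:\baseline is an assumption; change it to suit.
$dir = 'C:\baseline'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# HTML report: select the columns first, then ConvertTo-Html builds a <table> from the objects.
Get-Process |
    Sort-Object -Property Name |
    Select-Object -Property Name, Id, Path, Company |
    ConvertTo-Html -Title 'Process list' -PreContent "<h1>Processes on $env:COMPUTERNAME</h1>" |
    Out-File -FilePath (Join-Path $dir 'process.html')

# CSV keeps one object per row, so unlike Out-File of a formatted table it can be re-imported.
# -Descending applies to every property listed: Status first (Running sorts before Stopped because
# the enum's numeric value is compared), then Name from Z to A within each status.
Get-Service |
    Sort-Object -Property Status, Name -Descending |
    Select-Object -Property Name, Status |
    Export-Csv -Path (Join-Path $dir 'services.csv') -NoTypeInformation

# Later: compare the saved baseline with the live state. "=>" marks rows present only in the
# current state (a service that changed status or is new), "<=" rows present only in the baseline.
$baseline = Import-Csv -Path (Join-Path $dir 'services.csv')
$current  = Get-Service | Select-Object -Property Name, @{ n = 'Status'; e = { [string]$_.Status } }
Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name, Status |
    Sort-Object -Property Name |
    Format-Table -AutoSize
```

Import-Csv returns every column as a string, which is why the live Status is cast to [string] before Compare-Object; without that cast every row would look different.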


- Get-Service | Sort-Object -Property status,name -Descending


Sorting.

Which property takes priority?

Name? Status?


ex)

Status   Name               DisplayName
------   ----               -----------
Running  wudfsvc            Windows Driver Foundation - User-mo...
Running  wuauserv           Windows Update
Running  WSearch            Windows Search
Running  wscsvc             Security Center
Running  WPDBusEnum         Portable Device Enumerator Service
Running  Winmgmt            Windows Management Instrumentation
Running  WinHttpAutoProx... WinHTTP Web Proxy Auto-Discovery Se...
Running  WindowsSecuService WindowsSecuService
Running  WinDefend          Windows Defender
Running  WdiServiceHost     Diagnostic Service Host
Running  VMwareHostd        VMware Workstation Server
Running  VMware NAT Service VMware NAT Service
Running  VMUSBArbService    VMware USB Arbitration Service
Running  VMAuthdService     VMware Authorization Service
Running  V3 Service         V3 Service
Running  UxSms              Desktop Window Manager Session Manager
Running  TrkWks             Distributed Link Tracking Client
Running  Themes             Themes
Running  TabletInputService Tablet PC Input Service
Running  stisvc             Windows Image Acquisition (WIA)

.....



-PS C:\Users\Administrator> Get-Service | Sort-Object -Property name,status -Descending

 

ex)

Status   Name               DisplayName
------   ----               -----------
Stopped  WwanSvc            WWAN AutoConfig
Running  wudfsvc            Windows Driver Foundation - User-mo...
Running  wuauserv           Windows Update
Running  WSearch            Windows Search
Running  wscsvc             Security Center
Running  WPDBusEnum         Portable Device Enumerator Service
Stopped  WPCSvc             Parental Controls
Stopped  WMPNetworkSvc      Windows Media Player Network Sharin...
Stopped  wmiApSrv           WMI Performance Adapter
Stopped  Wlansvc            WLAN AutoConfig
Stopped  WinRM              Windows Remote Management (WS-Manag...
Running  Winmgmt            Windows Management Instrumentation
Running  WinHttpAutoProx... WinHTTP Web Proxy Auto-Discovery Se...
Running  WindowsSecuService WindowsSecuService

 

PS C:\Users\Administrator> Get-Service | Select-Object name

 

ex)

Name
----
AdobeFlashPlayerUpdateSvc
AdobeUpdateService
AeLookupSvc
ALG
AppIDSvc
Appinfo
AppMgmt
aspnet_state
AudioEndpointBuilder
AudioSrv
AxInstSV
BDESVC
BFE

<names only>

 

ex)

 

PS C:\Users\Administrator> Get-Service | Select-Object name, status | more

Name                           Status
----                           ------
AdobeFlashPlayerUpdateSvc      Stopped
AdobeUpdateService             Running
AeLookupSvc                    Running
ALG                            Stopped
AppIDSvc                       Stopped
Appinfo                        Running
AppMgmt                        Stopped
aspnet_state                   Stopped
AudioEndpointBuilder           Running
AudioSrv                       Running
AxInstSV                       Stopped
BDESVC                         Stopped
BFE                            Running
BITS                           Stopped
Browser                        Stopped
bthserv                        Stopped
CertiportUpdateService         Running
CertPropSvc                    Stopped
clr_optimization_v2.0.50727_32 Stopped
clr_optimization_v2.0.50727_64 Stopped
clr_optimization_v4.0.30319_32 Stopped
clr_optimization_v4.0.30319_64 Stopped
COMSysApp                      Stopped
CPExamService                  Running
cphs

.....

 

<name and status>

 

 

PS C:\> Get-Service | Select-Object name, DisplayName -first 5

Name                                           DisplayName
----                                           -----------
AdobeFlashPlayerUpdateSvc                      Adobe Flash Player Update Service
AdobeUpdateService                             AdobeUpdateService
AeLookupSvc                                    Application Experience
ALG                                            Application Layer Gateway Service
AppIDSvc                                       Application Identity







<pull name and status, then sort by name>

 

PS C:\Users\Administrator> Get-Service | Select-Object name, status | Sort-Object name

Name                           Status
----                           ------
AdobeFlashPlayerUpdateSvc      Stopped
AdobeUpdateService             Running
AeLookupSvc                    Running
ALG                            Stopped
AppIDSvc                       Stopped
Appinfo                        Running
AppMgmt                        Stopped
aspnet_state                   Stopped
AudioEndpointBuilder           Running
AudioSrv                       Running
AxInstSV                       Stopped
BDESVC                         Stopped
BFE                            Running
BITS                           Stopped
Browser                        Stopped
bthserv                        Stopped
CertiportUpdateService         Running
CertPropSvc                    Stopped
clr_optimization_v2.0.50727_32 Stopped

.....

 


Should be handy when looking through logs.

 

PS C:\Users\Administrator> Get-Service | Select-Object -First 10 name,status | Sort-Object name

Name                           Status
----                           ------
AdobeFlashPlayerUpdateSvc      Stopped
AdobeUpdateService             Running
AeLookupSvc                    Running
ALG                            Stopped
AppIDSvc                       Stopped
Appinfo                        Running
AppMgmt                        Stopped
aspnet_state                   Stopped
AudioEndpointBuilder           Running
AudioSrv

 

//////////////////////////////////////////////////////

PS C:\Users\Administrator> Get-Service | Select-Object -last 10 name,status | Sort-Object name

Name                           Status
----                           ------
Wlansvc                        Stopped
wmiApSrv                       Stopped
WMPNetworkSvc                  Stopped
WPCSvc                         Stopped
WPDBusEnum                     Running
wscsvc                         Running
WSearch                        Running
wuauserv                       Running
wudfsvc                        Running
WwanSvc



Commands with "log" in the name, restricted to runnable cmdlets.

 

PS C:\> Get-Command *log* -type cmdlet

CommandType     Name              Definition
-----------     ----              ----------
Cmdlet          Clear-EventLog    Clear-EventLog [-LogName] <String[]> [[-ComputerName] <St...
Cmdlet          Get-EventLog      Get-EventLog [-LogName] <String> [[-InstanceId] <Int64[]>...
Cmdlet          Limit-EventLog    Limit-EventLog [-LogName] <String[]> [-ComputerName <Stri...
Cmdlet          New-EventLog      New-EventLog [-LogName] <String> [-Source] <String[]> [[-...
Cmdlet          Remove-EventLog   Remove-EventLog [-LogName] <String[]> [[-ComputerName] <S...
Cmdlet          Show-EventLog     Show-EventLog [[-ComputerName] <String>] [-Verbose] [-Deb...
Cmdlet          Write-EventLog    Write-EventLog [-LogName] <String> [-Source] <String> [-E...
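An added example (not from the original post) that puts Get-EventLog from the list above to work on the Security log, the same log queried earlier with -LogName security: it summarises recent failed logons. Reading the Security log needs an elevated session; the ReplacementStrings index positions are taken from the documented field order of event 4625 and the output path under $env:TEMP is an assumption.

```powershell
# Added example (not from the original post): summarising failed logons with the event-log cmdlets.
# Reading the Security log needs an elevated (Administrator) session. Event ID 4625 is
# "An account failed to log on"; the ReplacementStrings positions below follow that event's
# field layout (index 5 = TargetUserName, 10 = LogonType, 19 = IpAddress).
$failed = Get-EventLog -LogName Security -Newest 1000 |
    Where-Object { $_.InstanceId -eq 4625 }

# Which accounts fail most often? Group-Object accepts a script block as the grouping key.
$failed |
    Group-Object -Property { $_.ReplacementStrings[5] } |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name

# The same events as a timeline with the fields an analyst wants, saved as CSV for later review.
$failed |
    Select-Object -Property TimeGenerated,
        @{ n = 'Account';   e = { $_.ReplacementStrings[5] } },
        @{ n = 'LogonType'; e = { $_.ReplacementStrings[10] } },
        @{ n = 'SourceIP';  e = { $_.ReplacementStrings[19] } } |
    Sort-Object -Property TimeGenerated |
    Export-Csv -Path "$env:TEMP\failed-logons.csv" -NoTypeInformation
```

Get-EventLog only exists in Windows PowerShell and reads the classic logs; on current systems `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 }` does the same filtering on the server side and is much faster on a large log.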



PowerShell can also read the registry / the old cmd could not.

 

PS C:\> get-childItem -Path HKCU:\Software\Microsoft\Windows\

 

cd == Set-Location c:...

 

PS HKCU:\Software\Microsoft\Windows\> ls


    Hive: HKEY_CURRENT_USER\Software\Microsoft\Windows


SKC  VC Name                           Property
---  -- ----                           --------
 28   0 CurrentVersion                 {}
  0  12 DWM                            {Composition, ColorizationOpaqueBlend, EnableAeroPeek, CompositionPolicy...}
  3   0 Shell                          {}
  2   0 TabletPC                       {}
  2  12 Windows Error Reporting        {ConfigureArchive, DisableArchive, Disabled, DisableQueue...}

 

The hive contents can be browsed from inside the shell.

 

PS HKCU:\Software\Microsoft\Windows\> Get-PSDrive

Name           Used (GB)     Free (GB) Provider      Root                        CurrentLocation
----           ---------     --------- --------      ----                        ---------------
Alias                                  Alias
C                  51.55         60.23 FileSystem    C:\
cert                                   Certificate   \
D                                      FileSystem    D:\
E                                      FileSystem    E:\
Env                                    Environment
F                                      FileSystem    F:\
Function                               Function
G                                      FileSystem    G:\
H                                      FileSystem    H:\
HKCU                                   Registry      HKEY_CURRENT_USER           Software\Microsoft\Windows\
HKLM                                   Registry      HKEY_LOCAL_MACHINE
Variable                               Variable
WSMan                                  WSMan
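An added example (not from the original post) of working with the registry through the HKCU: and HKLM: drives listed by Get-PSDrive. It shows the difference between subkeys (listed by Get-ChildItem) and values (read with Get-ItemProperty), and collects the values of the two Run keys into objects. [pscustomobject] needs PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): working with the registry through the HKCU:/HKLM:
# drives. Subkeys behave like folders (Get-ChildItem), values like properties (Get-ItemProperty).
Set-Location -Path HKCU:\Software\Microsoft\Windows\CurrentVersion
Get-ChildItem -Path . | Select-Object -First 5 -Property Name, SubKeyCount, ValueCount

# Values stored in a key do not show up in the directory listing; read them with Get-ItemProperty.
Get-ItemProperty -Path .\Run

# One object per value, for both the user and the machine Run key: a quick review of programs that
# start automatically at logon, a place defenders check for unexpected persistence entries.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $valueName; Command = $item.GetValue($valueName) }
        }
    }
}
$autoruns | Format-Table -AutoSize -Wrap
Set-Location -Path C:\
```

Because each entry is an object, the same $autoruns list can be piped to Export-Csv and compared against a later snapshot with Compare-Object, exactly as with services or processes.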





Pressing r re-runs the previous command (r is the alias for Invoke-History).

 

PS C:\> Get-History -c 100 | format-list


Id                 : 1
CommandLine        : Get-Service | Select-Object name, status | more
ExecutionStatus    : Stopped
StartExecutionTime : 2016-07-07 오전 11:26:54
EndExecutionTime   : 2016-07-07 오전 11:27:02

Id                 : 2
CommandLine        : Get-Service | Select-Object name, status | more
ExecutionStatus    : Stopped
StartExecutionTime : 2016-07-07 오전 11:27:03
EndExecutionTime   : 2016-07-07 오전 11:27:26

Id                 : 3
CommandLine        : Get-Service | Select-Object name, status | Sort-Object name
ExecutionStatus    : Completed
StartExecutionTime : 2016-07-07 오전 11:27:37
EndExecutionTime   : 2016-07-07 오전 11:27:37

 




Moving files

-Destination

-Path

 

PS C:\> move .\process.txt C:\Users\
PS C:\> move -Destination C:\Users\Administrator\Desktop\ -Path .\process.txt

 





Tab key / column alignment

 

PS C:\> Get-Process | Format-Table -Property name, id -AutoSize

Name                       Id
----                       --
AdobeUpdateService       1452
audiodg                 14156
CertiportUpdateService   1640
ConEmu64                 9552
ConEmu64                10756
ConEmuC64                6660
ConEmuC64               11024
conhost                  7588
conhost                  7848
conhost                 10308
CPExamSvc                1760
csrss                     420
csrss                     776
dwm                      1460



PS C:\> Get-Process | Select-Object -Property name, id

Name                      Id
----                      --
AdobeUpdateService      1452
audiodg                14156
CertiportUpdateService  1640
ConEmu64                9552
ConEmu64               10756
ConEmuC64               6660
ConEmuC64              11024
conhost                 7588
conhost                 7848
conhost                10308
CPExamSvc               1760
csrss                    420
csrss                    776
dwm

 

 


PS C:\> Get-Process | Select-Object -First 3 | Format-Table -Property name,id -AutoSize

Name                      Id
----                      --
AdobeUpdateService      1452
audiodg                14156
CertiportUpdateService  1640


PS C:\> Get-Process | Select-Object -First 3 | Format-Table -Property name,id

Name                                                              Id
----                                                              --
AdobeUpdateService                                              1452
audiodg                                                        14156
CertiportUpdateService                                          1640

 



Grouping

 

PS C:\> Get-Service | Sort-Object -Property status | Format-Table -GroupBy status


   Status: Stopped

Status   Name               DisplayName
------   ----               -----------
Stopped  RemoteAccess       Routing and Remote Access
Stopped  RasMan             Remote Access Connection Manager
Stopped  RpcLocator         Remote Procedure Call (RPC) Locator
Stopped  RemoteRegistry     Remote Registry
Stopped  ProtectedStorage   Protected Storage
Stopped  PolicyAgent        IPsec Policy Agent
Stopped  RasAuto            Remote Access Auto Connection Manager
Stopped  QWAVE              Quality Windows Audio Video Experience
Stopped  SessionEnv         Remote Desktop Configuration

..

 

   Status: Running                                                                
                                                                                  
Status   Name               DisplayName                                           
------   ----               -----------                                           
Running  wscsvc             Security Center                                       
Running  V3 Service         V3 Service                                            
Running  wuauserv           Windows Update                                        
Running  VMAuthdService     VMware Authorization Service                          
Running  WSearch            Windows Search                                        
Running  MpsSvc             Windows Firewall                                      
Running  TrustedInstaller   Windows Modules Installer                             
Running  TrkWks             Distributed Link Tracking Client                      
Running  UxSms              Desktop Window Manager Session Manager                
Running  wudfsvc            Windows Driver Foundation - User-mo...                
Running  AudioEndpointBu... Windows Audio Endpoint Builder                        
Running  WPDBusEnum         Portable Device Enumerator Service                    
Running  Appinfo            Application Information                              

..





Keep text from being cut off

 

PS C:\> Get-Service | Format-Table -wrap







PS C:\> Get-Process | Format-List -Property name, status

 

Name : AdobeUpdateService        
                                 
Name : audiodg                   
                                 
Name : CertiportUpdateService    
                                 
Name : ConEmu                    
                                 
Name : ConEmuC64                 
                                 
Name : ConEmuC64                 
                                 
Name : ConEmuC64                 
                                 
Name : conhost                   
                                 
Name : conhost                   
                                 
Name : conhost                   
                                 
Name : CPExamSvc                 
                                 
Name : csrss                     
                                 
Name : csrss                     
                                 
Name : dwm                       
                                

---

 

PS C:\> Get-Process | more                                                        
                                                                                  
Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName             
-------  ------    -----      ----- -----   ------     -- -----------             
     65       7     1224        212    42     0.03   1452 AdobeUpdateService      
    135      10    19544      19208    61           10048 audiodg                 
    173      23    12948       2052   487     0.06   1640 CertiportUpdateService  
    254      23    22984      31784   157     3.85  15340 ConEmu                  
     95       9     4304       7008    78     0.14  10092 ConEmuC64               
     96       9     4776       7556    78     2.89  11752 ConEmuC64               
    100       9     4308       7228    78     1.76  14912 ConEmuC64               
     89       8     4840       8476    77     0.05  13372 conhost                 
     89       8     4896       8600    77     3.51  14960 conhost                 
     89       8     4876       8572    77     2.06  15248 conhost                 
    147      24    22460       1396   479     0.08   1760 CPExamSvc               
    608      13     2988        856    61     1.90    420 csrss                   
    965      28     4176      15968   256   137.45    776 csrss                   
    152      19    36136      27420   175    57.91   1460 dwm                     
   1305     112    91188      39996   407    28.98   1512 explorer                
      0       0        0         24     0               0 Idle                    
    910     102    45028      27984   309    30.01    488 iexplore                
    893      85   175236     103780   507   129.65   1284 iexplore                
   1119     125   166508     116392   608   450.58   3944 iexplore                
    812      81   108568      22572   426    25.58   4188 iexplore                
    722      93    95512      16840   382     6.44   4700 iexplore                
    844     101   133708      41276   450    67.19   5344 iexplore                
    753     100   113004      51536   438    21.43   7576 iexplore                
    816      96   137304      35164   437     6.61   8556 iexplore                
    590      49    42548      16916   276     1.72  11808 iexplore                
    121       9     3192         96    38     0.02    876 igfxCUIService          
    173      15     8248        372   100     0.08   3560 igfxEM                  
    125      12     7076        376    88     0.05   3568 igfxHK                  
    157      11    10100        360    82     0.16   3584 igfxTray                
     68       6     2156         88    25     0.02   1868 IMEDICTUPDATE           
    705      44    29776       9980   278     7.43   1584 jandiapp                
-- More  --                                                                      





PS C:\> Get-Service | Format-Wide -Property displayname

 

Prints the display names in a wide, multi-column layout.


Adobe Flash Player Update Service                         AdobeUpdateService
Application Experience                                    Application Layer Gateway Service
Application Identity                                      Application Information
Application Management                                    ASP.NET State Service
Windows Audio Endpoint Builder                            Windows Audio
ActiveX Installer (AxInstSV)                              BitLocker Drive Encryption Service
Base Filtering Engine                                     Background Intelligent Transfer Service
Computer Browser                                          Bluetooth Support Service
Certiport Update Service                                  Certificate Propagation
Microsoft .NET Framework NGEN v2.0.50727_X86              Microsoft .NET Framework NGEN v2.0.50727_X64
Microsoft .NET Framework NGEN v4.0.30319_X86              Microsoft .NET Framework NGEN v4.0.30319_X64
COM+ System Application                                   Certiport Exam Service
Intel(R) Content Protection HECI Service                  Cryptographic Services
Offline Files                                             DCOM Server Process Launcher
Disk Defragmenter                                         DHCP Client
DNS Client                                                Wired AutoConfig
Diagnostic Policy Service                                 Extensible Authentication Protocol
Encrypting File System (EFS)                              Windows Media Center Receiver Service
Windows Media Center Scheduler Service                    Windows Event Log
COM+ Event System                                         Fax




PS C:\> Get-Service

Status   Name               DisplayName
------   ----               -----------
Stopped  AdobeFlashPlaye... Adobe Flash Player Update Service
Running  AdobeUpdateService AdobeUpdateService
Stopped  AeLookupSvc        Application Experience
Stopped  ALG                Application Layer Gateway Service
Stopped  AppIDSvc           Application Identity
Running  Appinfo            Application Information
Stopped  AppMgmt            Application Management
Stopped  aspnet_state       ASP.NET State Service
Running  AudioEndpointBu... Windows Audio Endpoint Builder
Running  AudioSrv           Windows Audio
Stopped  AxInstSV           ActiveX Installer (AxInstSV)
Stopped  BDESVC             BitLocker Drive Encryption Service
Running  BFE                Base Filtering Engine
Stopped  BITS               Background Intelligent Transfer Ser...
Stopped  Browser            Computer Browser
Stopped  bthserv            Bluetooth Support Service
Running  CertiportUpdate... Certiport Update Service
Stopped  CertPropSvc        Certificate Propagation
Stopped  clr_optimizatio... Microsoft .NET Framework NGEN v2.0....




Several entries per line:

 

PS C:\> Get-Process | Format-Wide -Column 5


AdobeUpdateService      audiodg                CertiportUpdateService ConEmu                 ConEmuC64
ConEmuC64               ConEmuC64              ConEmuC64              conhost                conhost
conhost                 conhost                CPExamSvc              csrss                  csrss
dwm                     explorer               Idle                   iexplore               iexplore
iexplore                iexplore               iexplore               iexplore               iexplore
iexplore                iexplore               igfxCUIService         igfxEM                 igfxHK
igfxTray                IMEDICTUPDATE          jandiapp               jandiapp               jandiapp
jandiapp                jandiapp               jusched                KakaoTalk              lsass
lsm                     MsSpellCheckingFaci... NHCAAgent              NHCACombackInfo        NHCAMsn
NHCAPTAgent             NHCARemote             NHCARemote             NHCASysMon             NHCAUI
PAService               PhantomClassAgent      powershell             powershell             powershell
powershell              PresentationFontCache  RAVCpl64               SearchIndexer          services
ShdServ                 ShdTray                smss                   SnippingTool           spoolsv
svchost                 svchost                svchost                svchost                svchost
svchost                 svchost                svchost                svchost                svchost
System                  taskhost               V3SP                   V3Svc                  vmnat
vmware-authd            vmware-hostd           vmware-tray            vmware-usbarbitrator64 WindowsSecuService
wininit                 winlogon               wisptis                WUDFHost

 

 


PS C:\> Get-Process | Format-Wide -Column 5 -Property vm


44433408                63819776               510193664              199163904              81973248
81977344                80924672               81973248               80318464               80318464
82415616                80318464               502202368              64303104               268812288
183140352               425209856              0                      323117056              531120128
654340096               444997632              400564224              472227840              459485184
457183232               289882112              40259584               104366080              92409856
86384640                26714112               291295232              403238912              271581184
233553920               445403136              73797632               317435904              54595584
18227200                62676992               121974784              69435392               117870592
79970304                93642752               75280384               120877056              109297664
525873152               639889408              598200320              598200320              598200320
609783808               543166464              115437568              197218304              35864576
69509120                102264832              4186112                200609792              83423232
39104512                95293440               83521536               87236608               1783017472
46231552                107614208              69451776               30711808               153051136
3526656                 423096320              175058944              66727936               49004544
84692992                170094592              74084352               58183680               13496320
56119296                65159168               59781120               41254912





Starting and stopping programs

 

 

PS C:\> Get-Process -name notepad | Stop-Process
PS C:\> Start-Process notepad

 

 

PS C:\> Get-Process -name calc |Stop-Process
PS C:\> Start-Process calc
PS C:\> Get-Process -name calc |Stop-Process -Confirm

 

PS C:\> Get-Process -name calc |Stop-Process -whatif
What if: Performing the operation "Stop-Process" on target "calc (15284)".

 

PS C:\> Get-Service | Stop-Service -WhatIf

 

What happens without -WhatIf? The pipeline really tries to stop every service: many refuse or fail because of dependencies, but some will go down. Keep -WhatIf (or -Confirm) on any bulk Stop-* / Remove-* pipeline until you have read the list it would act on.





PS C:\> Get-Process | Export-Clixml c:\test.xml

 

PS C:\> Compare-Object -ReferenceObject (Import-Clixml c:\test.xml) -DifferenceObject (Get-Process) -Property name

name                                                      SideIndicator
----                                                      -------------
notepad                                                   =>
SearchFilterHost                                          <=
SearchProtocolHost                                        <=

=> marks objects present only in the difference object (the live process list): notepad was started after the snapshot.

<= marks objects present only in the reference object (the saved XML): SearchFilterHost and SearchProtocolHost have exited since.

(Purpose: backdoor detection.)

Take a snapshot of the process list on a known-good system, save it to XML, and later compare the live process list against it; whatever shows up with => and was not in the baseline is what you investigate.

Comparing on name alone is a weak check, since a malicious binary can simply take a legitimate name; include Path in the comparison.
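Added example, not code from the original post, of the same baseline idea done a little more carefully: it saves Name, Id, Path and Company, compares on Name and Path (not on PID, which is reused), labels the two sides in plain words, and fails clearly when the baseline file is missing. The baseline path in the usage comment and the function names are this example's own assumptions.

```powershell
# Added example, not code from the original post. The baseline path used in the
# usage comment is an assumption.

function Save-ProcessBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # Path and Company are $null for processes you cannot open (System, csrss,
    # services, when run from a non-elevated prompt). Take the baseline and the
    # later comparison from the same elevation level, or all of those show up
    # as "changed".
    Get-Process | Select-Object Name, Id, Path, Company |
        Export-Clixml -LiteralPath $Path
}

function Compare-ProcessBaseline {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "No baseline at '$Path'. Run Save-ProcessBaseline on a known-clean system first."
    }
    $baseline = Import-Clixml -LiteralPath $Path
    $current  = Get-Process | Select-Object Name, Id, Path, Company

    # Compare on Name AND Path, never on Id: PIDs are reused after a reboot, so a
    # PID-based diff is pure noise, while a same-named binary started from an
    # unexpected directory is only visible when Path is part of the key.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name, Path |
        ForEach-Object {
            [pscustomobject]@{
                Change = if ($_.SideIndicator -eq '=>') { 'NEW  (only in current)' } else { 'GONE (only in baseline)' }
                Name   = $_.Name
                Path   = $_.Path
            }
        }
}

# Usage (the path is an assumption):
#   Save-ProcessBaseline    -Path C:\baseline\procs.xml   # once, on a clean machine
#   Compare-ProcessBaseline -Path C:\baseline\procs.xml | Format-Table -AutoSize
```

Store the baseline somewhere the machine under investigation cannot rewrite it (a read-only share, a hash recorded elsewhere); a baseline an attacker can refresh is no baseline.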




Get-HotFix | Select-Object Description, hotfixid | Sort-Object -Descending | ConvertTo-Html | Out-File c:\hotfix.html

In reverse order, to compare against the latest hotfixes.

Caveat: Sort-Object -Descending without -Property has nothing meaningful to sort these custom objects by, which is why the rows below are not in KB order. Sort-Object HotFixID -Descending orders by KB number as a string (so KB976902 lands after KB2888049); Sort-Object InstalledOn -Descending gives the order you actually want when checking how recently a box was patched.

Description  HotFixID
-----------  --------
Update       KB2731771
Update       KB2786081
Update       KB2685811
Update       KB2729094
Update       KB2888049
Update       KB976902
Update       KB2834140
Update       KB2882822
Update       KB2841134
Update       KB2841134
Update       KB2849697
Update       KB2849696
Hotfix       KB2534111
Hotfix       KB2639308
Update       KB2670838
Update       KB2533623

 

----------------------


PS C:\> Get-WmiObject -EnableAllPrivileges win32_userprofile | select localpath, sid, @{NAME='last used';EXPRESSION={$_.ConvertToDateTime($_.LastUseTime)}}

 

 

 

Get-WmiObject :     Gets instances of Windows Management Instrumentation (WMI) classes or information about the available classes.

 

 

EnableAllPrivileges :

Enables all the privileges of the current user before the command makes the WMI call.

 

win32_userprofile : Represents information about a user profile on a Windows system.

 

 

localpath                              sid                                    last used
---------                              ---                                    ---------
C:\Users\Administrator                 S-1-5-21-803020922-819449392-432581...
C:\Windows\ServiceProfiles\NetworkS... S-1-5-20
C:\Windows\ServiceProfiles\LocalSer... S-1-5-19
C:\Windows\system32\config\systempr... S-1-5-18

 

'last used': when the profile was last used. S-1-5-18, S-1-5-19 and S-1-5-20 are the built-in LocalSystem, LocalService and NetworkService accounts; the S-1-5-21-... SID is a local account on this machine (Administrator).

 

 

 

The 'last used' column is blank above because the expression as originally typed misspelled both the method (ConverToDateTime) and the property (lastusertime); an error inside a calculated property is swallowed and the column comes out empty. With ConvertToDateTime($_.LastUseTime) the last-use timestamp of every profile, including the service profiles, is shown.




--------------------

PS C:\> Get-WmiObject -EnableAllPrivileges win32_networkadapterconfiguration | where {$_.IPEnabled -eq $true} | select DHCPEnabled, @{name='IPAddress';Expression={$_.IPAddress -join ';'}}, @{name='DefaultIPGateway';Expression={$_.DefaultIPGateway -join ';'}}, DNSDomain

                 DHCPEnabled IPaddress                    DefaultIPGateway             DNSDomain
                 ----------- ---------                    ----------------             ---------
                       False 203.253.5.196;fe80::4c8d:...
                       False 192.168.75.1;fe80::9455:b...
                       False 192.168.66.1;fe80::1541:1...

 

Shows the IP-enabled adapters with their addresses and default gateway. The gateway column came out blank in the run above because the original expression used =join instead of -join, which errors silently inside the calculated property; with -join ';' the gateway list is printed. Two more things to know about the filter: IPEnabled is a boolean, so compare it with $true; a string on the right-hand side such as 'True' (or the original's misspelled 'Ture') only "works" because -eq casts the right operand to the type of the left one, and any non-empty string casts to $true.

--------------------

Startup programs through WMI: Win32_StartupCommand, with the interesting columns pulled out by select.

These are the entries currently registered to run at logon (Run/RunOnce keys and Startup folders), one of the first places to look for persistence.

 

 

 

PS C:\> Get-WmiObject -EnableAllPrivileges win32_startupcommand | Select command, user, caption

command                                user                                   caption
-------                                ----                                   -------
%ProgramFiles%\Windows Sidebar\Side... NT AUTHORITY\LOCAL SERVICE             Sidebar
%ProgramFiles%\Windows Sidebar\Side... NT AUTHORITY\NETWORK SERVICE           Sidebar
"C:\Program Files (x86)\Kakao\Kakao... Z_310_17\Administrator                 KakaoTalk
"C:\Users\Administrator\AppData\Loc... Z_310_17\Administrator                 jandiapp
"C:\Program Files\AhnLab\V3IS80\V3S... Public                                 V3 Session Process
"C:\Program Files\Realtek\Audio\HDA... Public                                 RTHDVCPL
C:\PROGRA~1\COMMON~1\MICROS~1\IME14... Public                                 IME14 KOR Setup
"C:\Program Files (x86)\Common File... Public                                 AdobeAAMUpdater-1.0
"C:\Program Files\PhantomClass\Phan... Public                                 Shield

--------------------

PS C:\> Get-WmiObject -EnableAllPrivileges win32_service | select name, processid, state, displayname, pathname | sort state

Sorting by state only groups the running services together. To get only the running ones, filter instead of sorting: replace "| sort state" with a where clause before the select, where {$_.State -eq 'Running'}. pathname is the column worth reading: it is the binary, with its arguments, that each service actually starts.
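Added example, not code from the original post, that turns the two listings above (Win32_StartupCommand commands and Win32_Service path names) into the check a responder actually runs: pull the executable out of each command line (quoted, unquoted, or with %ProgramFiles%-style variables), confirm it exists, see whether it lives under the Windows or Program Files directories, flag unquoted paths containing spaces, and check its Authenticode signature. The function names and the "trusted directory" heuristic are this example's own choices; Get-WmiObject exists only in Windows PowerShell (on PowerShell 7 use Get-CimInstance with the same class names).

```powershell
# Added example, not code from the original post. Function names and the
# "trusted directory" heuristic are this example's own choices.

function Get-ExecutableFromCommandLine {
    # Extract the program path from a Run-key or service command line.
    param([Parameter(Mandatory)][string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {                          # "C:\Program Files\x\y.exe" /arg
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: everything up to the first ".exe" token, which is the file an
    # unquoted path with spaces is meant to point at.
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-AutorunEntry {
    param([string]$Source, [string]$Caption, [string]$CommandLine)
    $exe    = Get-ExecutableFromCommandLine -CommandLine $CommandLine
    $exists = Test-Path -LiteralPath $exe -PathType Leaf
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $exe } else { $null }
    # Heuristic: binaries outside these roots deserve a look (user-profile paths
    # such as AppData\Local are a favourite malware location).
    $roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $inTrustedDir = @($roots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }).Count -gt 0
    # Unquoted path with spaces: CreateProcess / the service control manager may
    # try C:\Program.exe, C:\Program Files\Foo.exe ... before the intended file.
    $unquotedSpace = (-not $CommandLine.Trim().StartsWith('"')) -and $exe.Contains(' ')
    [pscustomobject]@{
        Source        = $Source
        Caption       = $Caption
        Executable    = $exe
        Exists        = $exists
        Signature     = if ($sig) { $sig.Status.ToString() } else { 'FileNotFound' }
        Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        InTrustedDir  = $inTrustedDir
        UnquotedSpace = $unquotedSpace
        Suspicious    = (-not $exists) -or (-not $inTrustedDir) -or $unquotedSpace -or
                        ($sig -and $sig.Status -ne 'Valid')
    }
}

# Collect both autostart sources and show only the entries worth a look.
$entries = @(
    Get-WmiObject -EnableAllPrivileges Win32_StartupCommand | Where-Object { $_.Command } | ForEach-Object {
        Test-AutorunEntry -Source 'Startup' -Caption $_.Caption -CommandLine $_.Command }
    Get-WmiObject -EnableAllPrivileges Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
        Test-AutorunEntry -Source 'Service' -Caption $_.Name -CommandLine $_.PathName }
)
$entries | Where-Object { $_.Suspicious } |
    Format-Table Source, Caption, Signature, InTrustedDir, UnquotedSpace, Executable -AutoSize
```

A valid signature from a well-known publisher does not make an entry benign, and an unsigned binary under Program Files is not automatically bad; the point is to shrink a list of a hundred autostarts to the handful that need a human.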

--------------------

Lists storage media (USB sticks, external disks) that have ever been plugged into this machine. The USBSTOR key keeps an entry per device even after it is removed, which is why it is a standard forensic artifact.

 

PS C:\> Get-ItemProperty -ea 0 HKLM:\SYSTEM\CurrentControlSet\Enum\usbstor\*\* | select FriendlyName, PSChildName

FriendlyName                                   PSChildName
------------                                   -----------
USB DISK 3.0 USB Device                        070D63FE8910FA47&0
General USB Flash Disk USB Device              0511030000000514&0
Generic STORAGE DEVICE USB Device              000000009744&0
Generic STORAGE DEVICE USB Device              000000009744&1
Generic STORAGE DEVICE USB Device              000000009744&2
Generic STORAGE DEVICE USB Device              000000009744&3
Samsung P3 Portable USB Device                 DE777DE507000094&0
SanDisk Cruzer Glide USB Device                200431093013FFB252A4&0

-ea is the alias of -ErrorAction, and 0 is ErrorAction SilentlyContinue: a subkey that cannot be read (no permission, or a missing value) is skipped without an error message instead of cluttering the output.

The registry path is still passed, positionally, to the -Path parameter; -ea does not replace it.

Get-ItemProperty: gets the values (properties) of the given item, here the registry values under each device instance key. PSChildName is the name of the key itself, the device serial plus the &0, &1, ... instance suffix, which is why it is selected alongside FriendlyName.
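Added example, not code from the original post, that walks the same USBSTOR hierarchy but splits the key names into the pieces an investigator records: vendor, product and revision from the device-class key (Disk&Ven_...&Prod_...&Rev_...), the serial from the instance key, and whether that serial came from the device or was generated by Windows. The function name is this example's own; ContainerID and FriendlyName are standard values under the instance keys.

```powershell
# Added example, not code from the original post. Function name is this
# example's own choice.
function Get-UsbStorageHistory {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    # Reading Enum\USBSTOR normally needs an elevated prompt.
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        # Device-class key name looks like: Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00
        $parts = @{}
        foreach ($token in ($_.PSChildName -split '&')) {
            if ($token -match '^(Ven|Prod|Rev)_(.*)$') { $parts[$Matches[1]] = $Matches[2] }
        }
        Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            # Instance key name is "<serial>&<n>": the serial is reported by the
            # device, n distinguishes multiple LUNs/instances of the same device.
            $serial, $instance = $_.PSChildName -split '&', 2
            [pscustomobject]@{
                Vendor       = $parts['Ven']
                Product      = $parts['Prod']
                Revision     = $parts['Rev']
                Serial       = $serial
                Instance     = $instance
                # Windows puts '&' in the second position of serials it had to
                # make up because the device reported none; those cannot be used
                # to tie a specific stick to a specific machine.
                SerialFromDevice = ($serial.Length -ge 2 -and $serial[1] -ne '&')
                FriendlyName = $props.FriendlyName
                # ContainerID groups the entries of one physical multi-LUN device
                ContainerID  = $props.ContainerID
            }
        }
    }
}

Get-UsbStorageHistory | Sort-Object Vendor, Product, Serial | Format-Table -AutoSize
```

For a timeline you still need the setupapi.dev.log and the per-device properties keys; this listing tells you which devices, not when.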

--------------------


PS C:\> Get-ItemProperty -ea 0 HKLM:\software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | select Displayname, DisplayVersion, Publisher, InstallDate, InstallLocation | sort InstallDate -Descending

Installed programs, most recently installed first. Wow6432Node holds the 32-bit applications on 64-bit Windows; 64-bit applications are under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, and per-user installs under the same path in HKCU, so check all three when inventorying a machine. InstallDate is a yyyyMMdd string (or absent), so the sort is textual.

DisplayName     : Microsoft Office Shared MUI (Korean) 2010       
DisplayVersion  : 14.0.4763.1000                                  
Publisher       : Microsoft Corporation                           
InstallDate     : 20151223                                        
InstallLocation : C:\Program Files (x86)\Microsoft Office\        
                                                                  
DisplayName     : Microsoft_VC90_CRT_x86                          
DisplayVersion  : 1.00.0000                                       
Publisher       : Adobe                                           
InstallDate     : 20151223                                        
InstallLocation : C:\Program Files (x86)\Adobe\My Product Name\   
                                                                  
DisplayName     : Adobe Reader 9.4.0 - Korean                     
DisplayVersion  : 9.4.0                                           
Publisher       : Adobe Systems Incorporated                      
InstallDate     : 20151222                                        
InstallLocation : C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ 
                                                                  
DisplayName     : Realtek High Definition Audio Driver            
DisplayVersion  : 6.0.1.7620                                      
Publisher       : Realtek Semiconductor Corp.                     
InstallDate     : 20151222                                        
InstallLocation : C:\Program Files\Realtek\Audio\HDA 



--------------------


GUI vs CLI (pros and cons)

GUI

- high readability
- depends heavily on APIs
- DLLs: calling those APIs touches a number of DLLs
- exposes little information

CLI

- low readability
- little dependence on APIs
- few DLLs involved
- far more information can be dug out
- much faster

--------------------



