Day 2 Flashcards
PowerShell
an object-oriented, interactive command environment with scripting language features
uses some *nix commands and has a Linux version.
Windows PowerShell Integrated Scripting Environment (ISE)
where the scripting language aspect of Windows PS generally takes place
Versions
use the Get-Host cmdlet or the $PSVersionTable variable to show the current PS version
aliases
use the Get-Alias cmdlet to show a list of alias commands.
aliases are Windows CLI and Unix commands that work the same as a PS command
ex. dir is an alias for the Get-ChildItem cmdlet
help
Get-Command lists all available cmdlets.
use Get-Help to show help information for those cmdlets
(help is an alias for Get-Help)
you can use -Examples to show examples of the cmdlet you are getting help for in use.
use wildcards with Get-Help (ex. Get-Help user)
cmdlets
small commands used within PS; they are not stand alone executables
cmdlets breakdown
ex. PS C:\> Get-ChildItem -Path C:\Windows
Get-ChildItem = cmdlet (verb-noun)
-Path = parameter (attribute)
C:\Windows = argument (additional info; the object the cmdlet acts on)
more on Get
get is not the only verb available. use Get-Verb to display a list of verbs
cmdlet parameters (switches)
used to identify additional object attributes ex. -name -computername -path -examples
cmdlet arguments
arguments define additional information associated with a parameter name.
arguments are not required.
pipeline
piping refers to the process of passing the results of one cmdlet as input into a second cmdlet
modules
packages of PS commands, consisting of cmdlets, functions, variables, and aliases
logging
a way for the OS and its services and applications to record important actions, post status messages, and track security events
auditpol
the command line tool that enables auditing
auditing
auditing is the tracking of changes
security audits (appear in security logs)
event: description:
POLICY CHANGE–changes to policies
OBJECT ACCESS–when an object is accessed that has a *SACL
PRIVILEGE USE–when a user exercises a user right or privilege
PROCESS TRACKING–tracks all processes (program activation, process exit, indirect object access)
SYSTEM–computer security events such as restart, shutdown or clearing the event log
ACCOUNT MANAGEMENT–creation, deletion, or change of user account
LOGON–logon attempts
ACCOUNT LOGON–authentication events authenticated through the SAM or AD
DIRECTORY SERVICE ACCESS–when a user accesses a directory service object with a *SACL
logs
application log-contains events logged by programs
system log-contains events logged by system components
security log-provides security event information
logs location
Windows 5.x: %SystemRoot%\system32\config
Windows 6.x and later: %SystemRoot%\system32\winevt\logs
additional domain logs
directory service log– contains events logged by Active directory
file replication service log– contains information about replication events
DNS server log– available when machine is configured as a DNS server
configuration of logs
log size can be set in increments of 64 KB, from 64 KB up to 4 GB
default is 512 KB
the NSA group policy object changed the Event Viewer defaults from 512 KB in size to over 4 GB and from 7 days retention to never overwriting itself; events must be cleared manually
log interpretation
the bottom of the log contains a summary
the top part of the log contains the description.
log event summary info
logged, user, computer, event ID, source, level (error, warning, info, critical), keywords (success audit, failed audit), task category, op code
levels and keywords chart
log | keywords | levels
application | classic | error, critical, warning, info
system | classic |
security | success/failure | info
windows registry
the Windows registry is a vast hierarchical repository of operating system (OS), hardware, application, and user settings that is referred to as the heart and soul of the OS
The registry is read during the following times:
boot process, application startup, user login
regedit
primary tool for viewing and editing the registry
registry format
the registry is structured in a directory-type format containing hives, keys, sub-keys, and values containing data.
root keys
the Windows registry consists of five root key hives: two master keys and three derived keys
master keys
HKEY_USERS (HKU)
HKEY_LOCAL_MACHINE (HKLM)
derived keys
HKEY_CLASSES_ROOT (HKCR)
HKEY_CURRENT_USER (HKCU)
HKEY_CURRENT_CONFIG (HKCC)