## Add UserName to Processes

`Get-Process` lists all or individual processes. Add the parameter `-IncludeUserName` to see the user who owns each process. Since reading the owner of a process that belongs to someone else is a privileged operation, you need to run the command with elevated rights.

This lists all PowerShell processes and their users:

```powershell
Get-Process -Name powershell,pwsh,powershell_ise -IncludeUserName
```
## Identifying Remoting Visitors

When someone connects to your computer via PowerShell remoting, the remoting session surfaces as a process named wsmprovhost.exe. You can check for such processes like this:

```powershell
function Test-RemotingVisitor
{
    (Get-Process -Name wsmprovhost -ErrorAction Ignore).Count -gt 0
}
```

`Test-RemotingVisitor` returns `$true` when there is at least one wsmprovhost process.
To see who has connected to your machine, you need Administrator privileges. Run this:

```powershell
Get-Process -Name wsmprovhost -IncludeUserName -ErrorAction Ignore | Select-Object -Property Id, UserName
```

Note that you get back no results if there is no active remoting session. Replace wsmprovhost with any other process name to get a list of running instances of that process and their user names.
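The presence check and the owner listing above can be combined into one function. This is an added example, not code from the original page; the function name Get-RemotingVisitor is hypothetical. It refuses to run unelevated (owner lookup needs Administrator rights, as noted above), returns nothing when no session is active, and emits one object per wsmprovhost instance with its owner and how long the session has been running.

```powershell
function Get-RemotingVisitor
{
    # wsmprovhost.exe hosts the server side of a PowerShell remoting session,
    # so each running instance corresponds to one connected remote session.
    [CmdletBinding()]
    param()

    # Reading the owner of a process that belongs to another account requires
    # elevation, so fail with a clear message instead of returning blank owners.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole))
    {
        throw 'Get-RemotingVisitor must run in an elevated session to resolve process owners.'
    }

    # -ErrorAction Ignore suppresses the "not found" error when no session exists;
    # wrapping in @() guarantees an array so .Count works for 0, 1 or many hits.
    $sessions = @(Get-Process -Name wsmprovhost -IncludeUserName -ErrorAction Ignore)
    if ($sessions.Count -eq 0)
    {
        Write-Verbose 'No active PowerShell remoting session on this machine.'
        return
    }

    $now = Get-Date
    foreach ($proc in $sessions)
    {
        [PSCustomObject]@{
            ProcessId = $proc.Id
            UserName  = $proc.UserName
            StartTime = $proc.StartTime
            Duration  = $now - $proc.StartTime
        }
    }
}

# Usage: list connected visitors, longest-running session first
Get-RemotingVisitor -Verbose | Sort-Object -Property StartTime | Format-Table -AutoSize
```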
## Discovering PowerShell Commands
`Get-Command` is the mother of all PowerShell commands. Use the parameters `-Verb` and `-Noun` to narrow your command search. For example, this finds all commands that, by the verb naming convention, only retrieve information (and thus are safe to execute even on production systems):

```powershell
Get-Command -Verb Get
```

Likewise, to find all commands that return information related to printing, add `-Noun`:

```powershell
Get-Command -Verb Get -Noun *Print*
```
```
CommandType     Name                          Version    Source
-----------     ----                          -------    ------
Function        Get-PrintConfiguration        1.1        PrintManagement
Function        Get-Printer                   1.1        PrintManagement
Function        Get-PrinterDriver             1.1        PrintManagement
Function        Get-PrinterPort               1.1        PrintManagement
Function        Get-PrinterProperty           1.1        PrintManagement
Function        Get-PrintJob                  1.1        PrintManagement
```
The property CommandType reveals the command type (a cmdlet is compiled binary code, a function is written in PowerShell), and the property Source returns the name of the PowerShell module that implements the command.

To widen your view, you can dump all commands from a given module, e.g. PrintManagement:

```powershell
Get-Command -Module PrintManagement
```
```
CommandType     Name                          Version    Source
-----------     ----                          -------    ------
Function        Add-Printer                   1.1        PrintManagement
Function        Add-PrinterDriver             1.1        PrintManagement
Function        Add-PrinterPort               1.1        PrintManagement
Function        Get-PrintConfiguration        1.1        PrintManagement
Function        Get-Printer                   1.1        PrintManagement
Function        Get-PrinterDriver             1.1        PrintManagement
Function        Get-PrinterPort               1.1        PrintManagement
Function        Get-PrinterProperty           1.1        PrintManagement
Function        Get-PrintJob                  1.1        PrintManagement
Function        Read-PrinterNfcTag            1.1        PrintManagement
Function        Remove-Printer                1.1        PrintManagement
Function        Remove-PrinterDriver          1.1        PrintManagement
Function        Remove-PrinterPort            1.1        PrintManagement
Function        Remove-PrintJob               1.1        PrintManagement
Function        Rename-Printer                1.1        PrintManagement
Function        Restart-PrintJob              1.1        PrintManagement
Function        Resume-PrintJob               1.1        PrintManagement
Function        Set-PrintConfiguration        1.1        PrintManagement
Function        Set-Printer                   1.1        PrintManagement
Function        Set-PrinterProperty           1.1        PrintManagement
Function        Suspend-PrintJob              1.1        PrintManagement
Function        Write-PrinterNfcTag           1.1        PrintManagement
```
## Saving Command History

If you forgot to call `Start-Transcript` in time, and after working with PowerShell commands for a while you would like to keep them, copy them to the clipboard:

```powershell
Get-History | Set-Clipboard
```

Or write them directly to a file:

```powershell
Get-History | Out-File -FilePath $home\desktop\myCommands.txt
```
## Executables

Any PowerShell automation solution can be broken down into individual command calls. Commands can be:

- Application
- Cmdlet/Function
- Operators
- Variables