PowerShell Cmdlets are very powerful because of the way in which they use .NET objects. Using a script makes them versatile and efficient.
The Microsoft Windows PowerShell is incredibly useful command line application. It uses the Windows .NET framework to access objects and can be very useful for system administration. For example it is possible to see which processes are running with just a single Cmdlet (or Command-let), or by combining Cmdlets the user can quickly see which processes are hogging the processor or using up all of the memory.
There is, of course, one issue with combining Cmdlets: it is time consuming to type all of the commands line by line. Fortunately there is an easy solution. The solution is to create a script.
Creating a PowerShell Script File
A PowerShell Script file is simply a text file containing the Cmdlets that would have been typed into the PowerShell console. Instead of typing in the Cmdlets individually the user simply calls the script, and it’s this that does all of the hard work. Obviously this is not of much use for one off investigations (apart from when the user types Cmdlets incorrectly), however it can be of great benefit if the task is to be repeated.
There are no restrictions as to where the scripts are placed on the computer, but they must always have the same file name extension - .ps1.
An Example PowerShell Script
The best way to learn about scripting is to examine a real example, in this case a script that will:
- list all running processes that are using more that 1M of memory
- ignore the PowerShell process
- sort the result
- place the result in a file formatted for viewing on a web site
The script is quite simple, although it is worth noting the use of pipes (represented by |). Pipes allow the output of one Cmdlet to be used as the input to another:
get-process |
where-object {$.WS -ge 1048576} |
where-object {$.processname -ne "powershell"} |
sort-object WS –descending |
convertto-html -property Name,WS > c:\Inetpub\wwwroot\ps.html
If this script is saved to "c:\powershell\check_memory.ps1" then it can be run from the command
prompt by typing:
powershell c:\powershell\check_memory
However, life is never quite that simple.
Enabling PowerShell Scripts
Anyone running a PowerShell at this point will probably receive an error something like:
File c:\powershell\check_memory.ps1 cannot be loaded because the
execution of scripts is disabled on this system.
Please see "get-help about_signing" for more details.
At line:1 char:26
+ c:\powershell\check_memory <<<< That’s because PowerShell does not automatically allow scripts. It actually has four levels of security (known as execution policies):
- Restricted: This is the default execution policy, and stops all scripts from running
- AllSigned: Allows scripts to run, but only if they have an associated digital signature from a trusted publisher.
- RemoteSigned: Allows all scripts on the computer to run and any other scripts that have an associated digital signature from a trusted publisher
- Unrestricted: Allows all scripts to run (but this should be avoided)
The current execution policy can be examined from the command prompted:
powershell get-executionpolicy
It will, in all likelihood, return “Restricted”. It’s then just a matter of setting the execution policy to be less restrictive:
powershell set-executionpolicy RemoteSigned
The script can now be run and the results examined in the HTML file that it produces.
Summary
A PowerShell script is simply a text file containing PowerShell Cmdlets connected by pipes. It must have a “.ps1” file name extension. The file can be called directly from the command prompt, but only if the appropriate execution policy has been set. Once that is done then any complex sets of instruction can type once and the script can be run as often as required with not extra work needed by the developer.