
Scripting with Windows PowerShell Part 1

May 18th, 2011

Working with processes, services, and event logs
Part 1 of a 5 part series.

Windows 7 is the only operating system that has Windows PowerShell and PowerShell ISE (developer environment) fully installed. The rest of the operating systems either have nothing installed or just have the DOS box style command prompt which is blue instead of black - woo-who! The best way to install it or the missing components is via Windows Update.

Ed Wilson, the person who did the webcast (of which this is a transcript), has his own blog where he evangelises PowerShell. It’s updated every day and contains some useful stuff like Use PowerShell to Copy a Table Between Two SQL Server Instances.

There is a section of his blog called Scripting Wife that is basically instructions on how to do things but with screen shots where he has tried to make it really simple. I think the title is a little condescending but at least there is something. One of the articles talks you through how to set up PowerShell in case you don’t have Windows 7 installed.

The shell can be loaded via Start -> All programs -> Accessories -> Windows PowerShell.

Load the blue Windows PowerShell console. Microsoft have added Unix equivalents of some of the usual DOS commands to the shell:

Windows    Unix
dir        ls
type       cat
cls        clear

For the most part PowerShell is just like using the normal (black) command shell. The TAB key acts as a better file name completion, so get half way through a directory path, hit TAB and the shell will cycle through possible files which match that sequence. There is also up/down arrow history.

Try it out now. Open a PowerShell command prompt and type “get-c” (without the quotes) then hit the TAB key. The “get-c” will complete first to Get-ChildItem and pressing TAB again will move you on to Get-Command. If you were to carry on you would get Get-ComputerRestorePoint, Get-Content, Get-Counter, Get-Credential, Get-Culture before cycling back to Get-ChildItem. If you go past the command you were looking for then you can press SHIFT+TAB to go backwards through the list. Play with it by typing another “get-” and hitting TAB and see how the different commands are completed.

If we want to find out about a particular command then we can use the Get-Command command. For example we would like to see what commands are related to processes. Type get-co TAB which will complete to Get-Command. Press the space bar to move to the first argument on the command line. Type “-” and then hit TAB to cycle through the available options that this command supports. The first one is -Name, then hit TAB again to get -Verb and again to get -Noun. Add another space so that we can add an option parameter, enter “*proc*” so the command line reads:

Get-Command -Noun *proc*

then press return to issue the command and you will get the commands along with their options.

CommandType     Name            Definition
-----------     ----            ----------
Cmdlet          Debug-Process   Debug-Process [-Name] <String[]> [-Verbose] [-De...
Cmdlet          Get-Process     Get-Process [[-Name] <String[]>] [-ComputerName ...
Cmdlet          Start-Process   Start-Process [-FilePath] <String> [[-ArgumentLi...
Cmdlet          Stop-Process    Stop-Process [-Id] <Int32[]> [-PassThru] [-Force...
Cmdlet          Wait-Process    Wait-Process [-Name] <String[]> [[-Timeout] <Int...

There are 5 process related Cmdlets (which are command line add-ons).

Enter the Get-Process command. It will display information about each process.

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
    148     119     3292      13356    85     0.05   1416 albd_server
    157       9     1972       6188    63     0.09   1108 atieclxx
     68       8     2060       7580    74     0.06   1256 Notepad
     92       8     2612       9712    77    12.20   2324 Notepad
    149      11    17116      16816    48            3668 audiodg

The table displays the number of handles, private memory (in kilobytes), working set, virtual memory, CPU time in seconds, process identifier and process name. Some values are blank because retrieving them requires elevated privileges. If you want all the information you must Run As Administrator.

The opposite of Get-Process is Stop-Process, so let’s load a process we can kill. Launch notepad by typing notepad on the command prompt. Check it is running with Get-Process notep*. There are 2 ways we can kill the notepad process: one at a time or all of the running notepad processes together.

Stop-Process 1234
Stop-Process -id 1234

where 1234 is the id of the process. We can also use Get-Process notep* to pre-filter the processes we would like to stop. What do you think would happen if we ran the following command?

Get-process notep* | Stop-Process

We can find out by asking “What if":

Get-process notep* | Stop-Process -WhatIf

What if: Performing operation "Stop-Process" on Target "Notepad2 (1256)".
What if: Performing operation "Stop-Process" on Target "Notepad2 (2324)".
What if: Performing operation "Stop-Process" on Target "Notepad2 (4648)".

This is the biggest difference between the Unix shell and Windows PowerShell. Under Unix the output of one program may be the input of any other program, but the pipe only delivers flat text out of one side and flat text into the other. Under Windows PowerShell the meaning behind each line is carried through the pipe. In the Get-Process/Stop-Process example, Stop-Process knew that the Id column of the Get-Process output was the key to use when it came to stopping processes.
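An added example (mine, not from the webcast or Ed Wilson’s material) that makes the object pipeline visible before anything gets stopped. It assumes at least one Notepad instance is running (type notepad first); the last step prompts interactively.

```powershell
# Added example, not from the webcast: show that Stop-Process receives
# objects, not text, and rehearse a destructive command before running it.
# Assumes Notepad is running (start one with: notepad).

# 1. Why the pipe "knows" about Id: the -Id parameter of Stop-Process is
#    declared ValueFromPipelineByPropertyName, so any incoming object with
#    an Id property binds to it.
$idParam = (Get-Command Stop-Process).Parameters['Id']
$idParam.Attributes |
    Where-Object { $_ -is [System.Management.Automation.ParameterAttribute] } |
    Select-Object ParameterSetName, ValueFromPipeline, ValueFromPipelineByPropertyName

# 2. Get-Process emits System.Diagnostics.Process objects; pick the
#    properties worth seeing before deciding what to stop.
Get-Process notepad -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, StartTime, Path |
    Format-Table -AutoSize

# 3. Dry run: -WhatIf names each target and stops nothing.
Get-Process notepad -ErrorAction SilentlyContinue | Stop-Process -WhatIf

# 4. Per-object prompt: -Confirm asks Y/N for every process that arrives
#    on the pipeline, so a wildcard that matched too much can be declined.
Get-Process notepad -ErrorAction SilentlyContinue | Stop-Process -Confirm
```

-WhatIf and -Confirm are available on any cmdlet that declares SupportsShouldProcess, which is why the same rehearsal works for Stop-Service, Remove-Item and friends.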

Now that we can launch processes and kill them we probably want to learn a bit about going over our past command history. We can use the Get-Command command to find out about history in the same way we did above:

Get-Command -Noun *history*

CommandType     Name             Definition
-----------     ----             ----------
Cmdlet          Add-History      Add-History [[-InputObject] <psobject []>] [-Pass...
Cmdlet          Clear-History    Clear-History [[-Id] <int32 []>] [[-Count] <int32 ...
Cmdlet          Get-History      Get-History [[-Id] <Int64[]>] [[-Count] <int32>]...
Cmdlet          Invoke-History   Invoke-History [[-Id] <string>] [-Verbose] [-Deb...

Run the Get-History cmdlet which will give you a list of all the commands you have issued. History is something that is used all the time and so there are several aliases for Get-History. These may be found by issuing the alias command:

alias h*

to give us:

CommandType     Name     Definition
-----------     ----     ----------
Alias           h        Get-History
Alias           history  Get-History

Running the Get-History command will list all the commands you have issued in the current shell:

  Id CommandLine
  -- -----------
   1 dir
   2 cls
   3 clear
   4 Get-Process
   5 notepad
   6 notepad

Now we can use the

Invoke-History -id 4
Invoke-History 4

which will run Get-Process. Fiddling around with the history commands to invoke previously issued commands can be a little time consuming; you might find it easier to get the history and highlight the command you would like to run again with the mouse and right click twice to copy the highlighted text to the clipboard and paste into the command window.

Let’s look at a couple of useful PowerShell system commands.

Get-Service
Lists all the services and has an output similar to below:

Get-Service

Status   Name               DisplayName
------   ----               -----------
Stopped  AeLookupSvc        Application Experience
Running  Albd               Atria Location Broker
Stopped  ALG                Application Layer Gateway Service

The list of services is kind of long so let’s filter it to only show services that have a Status of Running. Let’s take a look at the command:

Get-Service | where { $_.status -eq "Running" }

Where is PowerShell’s version of grep with line object knowledge. Ed Wilson says the $_ refers to each service but that can’t be right, it actually refers to each line (or as we discovered earlier each object line). If you do a TAB command completion after the dot after the $_, then you get commands like $_.Length, $_.CompareTo(, $_.Contains( and a whole host of other test conditions and attributes. So I think that if it recognises the “.status” as a column name it uses that, otherwise it sees if there are any predefined functions. The code between the curly braces is known as a script block or a code block or “like a wavy curvy fried thingy, dude” - Thanks Ed. The block between the braces “{}” is the filter applied to each object (line).

Status   Name               DisplayName
------   ----               -----------
Running  Albd               Atria Location Broker
Running  AMD External Ev... AMD External Events Utility
Running  AppMgmt            Application Management
Running  AudioEndpointBu... Windows Audio Endpoint Builder

A bit of testing around and we can use the .Contains() string method. Strangely, the search text (Installer) is case-sensitive, unlike all the other commands!

Get-Service | where { $_.displayname.contains("Installer") }

Status   Name               DisplayName
------   ----               -----------
Stopped  AxInstSV           ActiveX Installer (AxInstSV)
Stopped  msiserver          Windows Installer
Stopped  TrustedInstaller   Windows Modules Installer
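An added example (not from the webcast) showing what $_ holds inside the Where-Object script block and the case-insensitive operators PowerShell offers in place of the .Contains() string method. It assumes a stock Windows 7 service list; the "remote" filter at the end is my own first-look triage habit, not something from the talk.

```powershell
# Added example, not from the webcast: $_ is the current pipeline object.
# For Get-Service that is a System.ServiceProcess.ServiceController, which
# is why $_.Status and $_.DisplayName work and why Get-Member lists them.
Get-Service | Select-Object -First 1 | Get-Member -MemberType Property

# .Contains() is a .NET String method and compares ordinally, so the case
# must match exactly; this normally returns nothing.
Get-Service | Where-Object { $_.DisplayName.Contains("installer") }

# PowerShell's own comparison operators are case-insensitive by default.
Get-Service | Where-Object { $_.DisplayName -like "*installer*" }
Get-Service | Where-Object { $_.DisplayName -match "installer" }

# The c-prefixed operators are the explicitly case-sensitive versions,
# for when that really is what you want.
Get-Service | Where-Object { $_.DisplayName -cmatch "Installer" }

# Tests combine inside the block. Running services whose display name
# mentions "remote" is a reasonable first question when looking over a host.
Get-Service |
    Where-Object { $_.Status -eq "Running" -and $_.DisplayName -match "remote" } |
    Sort-Object DisplayName |
    Format-Table Status, Name, DisplayName -AutoSize
```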

Get-EventLog
A faster way to look at system events.

Get-EventLog -LogName application -Newest 3

Ed Wilson spent over a minute talking about how running this command was faster than going into the control panel, loading the Event Viewer and finding the application event log. Well no shit Sherlock! “application” can be replaced by “system” for system logs.
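An added example (not from the webcast) that goes past the three-entry peek: it uses Get-EventLog’s filtering parameters to pull recent errors from the System log, then looks at failed logons in the Security log, which the talk did not cover. Reading the Security log needs an elevated console; the 24-hour window, the "Application Error" source and the ReplacementStrings index are my choices, not the talk’s.

```powershell
# Added example, not from the webcast: Get-EventLog as a triage tool.
# Assumes PowerShell v2+ on Windows Vista/7 or later; the Security log
# section needs a console started with Run as administrator.

$since = (Get-Date).AddHours(-24)   # constructed window: last 24 hours

# Errors and warnings from the System log, grouped by source, noisiest first.
Get-EventLog -LogName System -After $since -EntryType Error, Warning |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Newest application crashes, with the multi-line message flattened.
Get-EventLog -LogName Application -Newest 20 -Source "Application Error" -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EntryType, EventID,
        @{ n = "Message"; e = { $_.Message -replace "\s+", " " } } |
    Format-List

# Failed logons (event 4625) in the window, counted per target account.
# Assumption: ReplacementStrings[5] is TargetUserName for 4625 on Vista+.
Get-EventLog -LogName Security -InstanceId 4625 -After $since -ErrorAction SilentlyContinue |
    Group-Object { $_.ReplacementStrings[5] } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Which logs exist here, how full they are and what happens when they fill up.
Get-EventLog -List |
    Select-Object Log, @{ n = "Entries"; e = { $_.Entries.Count } }, OverflowAction, MaximumKilobytes
```

-After, -EntryType, -Source and -InstanceId are all filtered by the cmdlet itself, so they are far cheaper than pulling the whole log and piping it through Where-Object.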

Get-Help
This is basically the Unix manual (man). The layout is the same too, with the same headings: NAME, SYNOPSIS, SYNTAX, DESCRIPTION, RELATED LINKS and REMARKS.

Get-Help Get-Process

If you look at the help for Get-Process you will see -ComputerName <string[]> in the SYNTAX section which means that you can run this command against other machines in the domain. There is nowhere on the command line for me to add my credentials so the program is going to impersonate me. The command will run on local machines or remote machines but not against an untrusted network.
In the Unix manual there is usually an EXAMPLES section at the end, but PowerShell’s Get-Help has split it out behind a separate switch.

Get-Help -Examples Get-Process

There are 9 examples of Get-Process showing how to filter the information, store it, format it, get file versions, modules that are loaded with the process.

Get-Help -Full Get-Process | more

Same as -Examples but more detailed. There is so much scrolling off the screen that I have piped it into the more command which handles the text in a pager fashion.

Help -Full Get-Process

Help is short for Get-Help except that it adds the more pager on the end automatically.

End of session questions and answers
Q: What do I need to make calls using Windows PowerShell?
A: Windows PowerShell v2+ to do remote calls
A: PowerShell supports WMI so you can run remote commands by using that instead.

Q: Can you change the privileges of a command that is running?
A: No, but you can use the RunAs(.exe) to emulate the Unix sudo command.

Q: Group Policy for administration files do not come installed on Windows 7 by default?
A: True

Q: What version of PowerShell am I running?
A: There is an environment variable to tell you.

$PSVersionTable

Name                           Value
----                           -----
CLRVersion                     2.0.50727.4959
BuildVersion                   6.1.7600.16385
PSVersion                      2.0
WSManStackVersion              2.0
PSCompatibleVersions           {1.0, 2.0}
SerializationVersion           1.1.0.1
PSRemotingProtocolVersion      2.1

The variable is a set of objects whose properties can be interrogated and teased apart. For example

$PSVersionTable.BuildVersion

Major  Minor  Build  Revision
-----  -----  -----  --------
6      1      7600   16385

$PSVersionTable.BuildVersion.Major

6

Q: PowerShell vs Command line
A: It’s better (but surrounded by 2 minutes of waffle!)

Q: Can you list all the PowerShell variables?
A:

dir variable:

Name                           Value
----                           -----
$                              ^
?                              False
^                              ^
_
args                           {}
ConfirmPreference              High
ConsoleFileName
DebugPreference                SilentlyContinue

Some of these can be set up in your PowerShell profile. A useful one is MaximumHistoryCount for the number of commands your history will store.

Condensed: Scripting with Windows PowerShell

May 17th, 2011

I was really tired of using the Windows DOS command prompt and had heard of “Windows PowerShell” (cue thunder and lightning in the background). Had a hunt around and found the “Scripting with Windows PowerShell” 5 part video tutorial done by Ed Wilson who has written a couple of books on the subject. Hurray I thought.

I’m not new to Windows DOS command prompt but I am a newbie to Windows PowerShell so I thought I’d start at the beginning. Jesus! How to make a potentially-dull subject *really dull*. This guy is really, really boring… “and hey like ya’know". I got about 9 minutes through the first hour-long episode, before I had to switch it off. He had spoken for 10 minutes and had said pretty much nothing. I couldn’t bear it any longer. I needed a break before I threw something at my monitor! And to think this is only part one of five hour long episodes.

I spun forward a bit and there were “…like some really amazing and cool features…” which were copies of normal Unix functions but done slightly differently and frankly slightly worse but you have to work with what you have, so stop complaining!

I thought that I would take one for the team and watch the presentations, strip out all the incessant babble so that you wouldn’t have to waste 5 hours of your life.

Update: Wrote this article a year or 2 ago and I’m not doing as much Powershell these days. I thought about going back and transcribing the final chapter but the thought of it fills me with dread so I will leave it as an exercise for the reader!

Running Python in debug mode under Eclipse

April 21st, 2011

Download and install Eclipse

Even though you will be developing Python you will still need Eclipse with the Java SDK. I think this is for 2 reasons. Firstly Python support for Eclipse is in the form of an Eclipse plug-in as opposed to a fully integrated Eclipse application and there aren’t any Eclipse distributions with no (computer) language support. The other reason (I think) is that many of the development tools for Java are used for Python.

  1. Go to the Eclipse download page:
    http://download.eclipse.org/eclipse/downloads/
  2. From the Latest Release section download the latest version 3.6.1 (eclipse-SDK-3.6-win32.zip)

There is no installer so we will have to do it ourselves, but don’t worry it’s dead easy.

  1. Create a folder for your python development installation. You will save yourself a lot of trouble if you install the application under a directory without a space in the directory path name:

    mkdir c:\python

  2. Unzip the downloaded zip in this folder, so you have a folder called c:\python\eclipse

Download and install Python

There are 2 versions of Python: 2.7 and 3.1, both are considered stable but there are more compatible 3rd party libraries for 2.7 than there are for 3.1 so download that instead.

  1. Go to the Python download site:
    http://www.python.org/download/releases/2.7/
  2. Download the Windows MSI installer
  3. Install it in the default location: c:\python27.

Download and install PyDev

Still with me? Now we’re going to download the PyDev (Python plug-in for Eclipse).

  1. Launch Eclipse by double clicking on the eclipse executable located at: c:\python\eclipse\eclipse.exe
  2. When it launches for the first time, it will ask you to provide the location of the workspace, so pick a location without spaces in the path and not under the eclipse root (c:\python\eclipse). I’m going to keep everything together and set my workspace to c:\python\workspace.

Next we are going to install the PyDev plug-in.

  1. From the Eclipse menu bar Help -> Install New Software…
  2. Click the Add button and enter the details of the PyDev repository.

    1. Set Name to Pydev and Pydev Extensions
    2. Set Location to http://pydev.org/updates
    3. Then click OK
  3. After a few seconds PyDev and PyDev Mylyn Integration (optional) will appear. Click the Select All button and then click Next.
  4. Eclipse will work out the dependencies (which in this case is none) and allow you to click Next again.
  5. Accept the licence agreements, click Finish and go and get yourself a coffee.
  6. There were a couple of warnings about unsigned content, so just click through these.

Configuring Eclipse and Python

Now that everything is installed we must tell Eclipse about Python.

  1. Go to: Window -> Preferences -> Pydev -> Interpreter - Python
  2. Click New…
  3. Enter Python 2.7 in the Interpreter Name and use the browse button and navigate to the python.exe executable to fill in the Interpreter Executable field.
  4. When you’re done click Ok.
  5. Clicking Ok will make the Pydev perform a search for python bits.

Test Eclipse / Python installation

Now to test our installation we are going to write a little program.

  1. From the Eclipse menubar File -> New -> Project….
  2. Select PyDev -> Pydev Project, and click Next.
  3. Enter a Project name of HelloWorld.
  4. Then click Finish.
  5. You’ll be asked about switching to the Pydev perspective, so click Yes because this will make it easier to develop under.

Before we can write real code we need a Python module to put it in.

  1. Highlight the HelloWorld project and from the Eclipse menu bar select File -> New -> PyDev Package.
  2. Set the Source Folder to /HelloWorld/src.
  3. Set the Name to uk.co.bigsoft.python.
  4. Then click Finish.

I have just come from developing under Java which encourages reversed-domain-name packages, so I have done the same here. Most Python projects are only one or two packages deep.

Next up we are going to create a module in our package.

  1. Highlight the Python package and select File -> New -> Pydev module.
  2. For the Name field enter helloworld.
  3. For the Template highlight Module: Main.
  4. Then click Finish

Next we are going to write a simple python program:

Code

'''
Created on 6 Sep 2010
 
@author: MrN
'''
 
if __name__ == '__main__':
    c = 0        # we will watch this change in the debugger
    a = 5
    b = 2        # the breakpoint goes on this line
    c = a + b
    print c      # Python 2 print statement; Python 3 would need print(c)

Note: Python cares about indentation so make sure your cut and paste produces the same indentation as above.

Now that we have a program we are going to set up the debugger.

  1. Hover in the margin next to line b = 2, right click and select Add Breakpoint. This will put a green spot in the margin.
  2. From the menu bar select Run -> Debug.
  3. If the Debug As window pops up asking you to Select a way to debug ‘helloworld.py’, then select Python Run, and then click Ok.
  4. This will ask us if we want to open a Debug perspective, so click Yes and Remember my decision otherwise it will keep pestering you.

The program will launch in the debug perspective and stop at the breakpointed line (indicated with the green spot). On the right hand side make sure the Variables tab is showing and it will have our 2 variables defined: a and c valued at 5 and 0 respectively. Repeating Run -> Step over will progress the run line by one line of code.

Well done.

Mohamed Hassan, Samsung and StarLogger debacle

April 1st, 2011

The current hot topic in the news at the moment is Mohamed Hassan writing an article for Network World claiming that Samsung laptops arrive pre-installed with StarLogger. StarLogger records every keystroke made on your computer in every window (including passwords), it captures screenshots and can email those results to third parties.

A couple of days after the publication of the article, it was debunked as a false positive from GFI Labs’ anti-virus application VIPRE. False positives are expected whenever one uses heuristic algorithms to monitor behaviour, so you can’t really blame the anti-virus company for that.

The aspect of all this that concerns me is the author of the original article Mohamed Hassan. The top of the original article lists a pretty impressive set of qualifications that Mohamed Hassan has.

MSIA, CISSP, CISA graduated from the Master of Science in Information Assurance (MSIA) program from Norwich University in 2009

Let’s take a look at the qualifications:

Source: Master of Science in Information Assurance program information from Norwich University website:

The Master of Science in Information Assurance (MSIA) program provides students with a comprehensive exploration of the information security life cycle and its growing importance to an organization in achieving its strategic and tactical objectives. Knowledge and skills students gain from the program will enhance their capability as information security practitioners; will support their growth toward upper management and executive positions such as chief information security officer (CISOs) and chief risk managers; and will enable them to promote best practices through effective communication with C-level executives.

Source: International Information Systems Security Certification Consortium, Inc

Certified Information Systems Security Professional

If you plan to build a career in information security, one of today’s most visible professions, and if you have at least five full years of experience in information security, then the CISSP® credential should be your next career goal. It’s the credential for professionals who develop policies and procedures in information security.

The CISSP was the first credential in the field of information security, accredited by the ANSI (American National Standards Institute) to ISO (International Organization for Standardization) Standard 17024:2003. CISSP certification is not only an objective measure of excellence, but a globally recognized standard of achievement.

Source: Wikipedia

Certified Information Systems Auditor (CISA) is a professional certification for information technology audit professionals sponsored by ISACA, formerly the Information Systems Audit and Control Association. Candidates for the certification must meet requirements set by ISACA

Norwich University (Northfield, Vermont, U.S.A) looks like [from their website] a standard military university established in 1819.

Quite impressive! And yet with all these qualifications, he writes an article on what a £29.95 piece of software tells him and nothing else. If he had opened the now infamous c:\windows\SL directory he would have seen that it didn’t contain the StarLogger application, because any security consultant worth his salt could have identified what that looks like. It’s nice to see that his $50,000 education didn’t go to waste.

Samsung have been very quick to tackle this libel, but mud sticks and they will probably unduly suffer because of this.

B2Evolution Bad Request Illegal value received for parameter

March 20th, 2011

I suddenly started getting a very strange error message in my B2Evolution installation after restarting the web server. The error message read:

Bad Request!

The parameters of your request are invalid.

If you have obtained this error by clicking on a link INSIDE of this site, please report the bad link to the administrator.

Go back to home page
Additional information about this error:
Illegal value received for parameter «p»!

The site seemed to display normally but when I clicked on any of the links the message came up.

I did a bit of hunting for the Illegal value received for parameter string and found it in the inc/_core/_param.funcs.php file. Had a look in the file and thought that the following bit of code was causing the problem so I added a line of debug:

PHP

elseif( !empty( $regexp ) && ( !is_scalar($GLOBALS[$var]) || !preg_match( $regexp, $GLOBALS[$var] ) ) )
{       // Value does not match!
  // Debug line I added to see which variable/regexp pair was failing:
  echo "var=".$var."|regexp=".$regexp."|GLOBALS=".$GLOBALS[$var]."|";
  bad_request_die( sprintf( T_('Illegal value received for parameter &laquo;%s&raquo;!'), $var ) );
}

Sure enough refreshing the page produced a line of debug:

var=p|regexp=/^(\+|-)?[0-9]+$/|GLOBALS=/path/to/host/web|

I recognised the variable p as an environment variable I had set during the work I was doing prior to the web server restart. So to correct the problem I stopped the web server, unset the environment variable and restarted the web server.

# /etc/init.d/httpd stop
Stopping httpd: [ OK ]
# unset p
# /etc/init.d/httpd start

This bizarre behaviour had come about with a combination of two php.ini configuration options being set. Firstly variables_order included the “E” option to include environment variables and register_globals was switched on to put those variables into the global address space. There is a note about this behaviour in the PHP documentation where it talks about variables_order.

It was just a bit of a surprise that it broke my installation. These days register_globals is switched off by default for security reasons, so it wasn’t a problem to turn it off.