Say what’s up to PowerShell 5 (Part 20/27)

One of the most exciting features ever to come to PowerShell is Providers

Providers won’t make you go “Whoa! This is amazing, man, wow Vonnie this is so freggin’ cool” but they will make you smile.  Why?  Because you can access almost any data source as a drive.  So you can CD into an IIS: drive (once the WebAdministration module is loaded) or change into a Registry drive.  So instead of busting open Regedit you can CD and DIR through your Registry hives just like they were folders on your hard drive!

What are providers?

Providers are the unsung heroes of PowerShell.  I don’t know what it is but for some reason people tend to forget about them.

I’m not sure why because they’re pretty awesome.  They basically treat any data store as a hierarchical structure.  So it doesn’t matter what the underlying data structure is, PowerShell transforms it into a common hierarchy that you access with common cmdlets.

Sound cool?

Keep reading.

Bust open PowerShell right now and type:

Get-PSProvider | Format-Table -AutoSize

I’m piping to Format-Table because I want to use the AutoSize parameter to squeeze each column down to the narrowest width that still fits its contents.

Get-PSProvider

Do you see all those drives in the right column?  Just think of them as various entry points into the data stores listed in the Name column.  So we see {C, D} are drives into the FileSystem.

But look.. we also see {HKLM, HKCU} are entry points into the Registry as well.

The middle column named Capabilities is also pretty cool.

ShouldProcess means the provider supports the -WhatIf and -Confirm parameters.  So if you tack -WhatIf onto a cmdlet that changes something inside one of these drives you get a description of what would have happened without it actually happening, and -Confirm makes PowerShell prompt you before each change goes through.

And under all these drives we have items.  So for the FileSystem an item might be a file or folder.  But for the Registry an item is a key, and the key’s values show up as that item’s properties.

This is why DIR is only an alias for Get-ChildItem: as far as PowerShell is concerned the underlying data source could be anything, it doesn’t have to be a file or folder.
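Here is an added example (not from the original post) that drives the point home by running the same item cmdlets against the FileSystem and Registry providers, mounting a new drive onto a hive that has no drive by default, and exercising the ShouldProcess capability with -WhatIf. It assumes a stock Windows PowerShell 5 session; the HKCU:\Software\PSDemo key is a hypothetical scratch key that the script creates and removes.

```powershell
# Added example: one set of cmdlets, two different providers.
# Assumes Windows PowerShell 5. HKCU:\Software\PSDemo is a hypothetical
# scratch key created and removed below.

# Which providers are loaded, and which drives point into each one
Get-PSProvider | Select-Object Name, Capabilities, @{n='Drives'; e={ $_.Drives.Name -join ',' }}

# FileSystem provider: items are files and folders
$fsItems = Get-ChildItem -Path $env:windir -Directory | Select-Object -First 3

# Registry provider: items are keys (values hang off a key as properties)
$regItems = Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion | Select-Object -First 3

# Same cmdlet, same shape: every item carries PSChildName, PSIsContainer and PSProvider
@($fsItems) + @($regItems) | Select-Object PSChildName, PSIsContainer, @{n='Provider'; e={ $_.PSProvider.Name }}

# HKEY_USERS has no drive out of the box; the Registry provider lets you mount one
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem -Path HKU:\ | Select-Object PSChildName

# ShouldProcess in action: the Registry provider advertises it, so -WhatIf
# describes the change without making it
$scratch = 'HKCU:\Software\PSDemo'
New-Item -Path $scratch -Force | Out-Null
New-ItemProperty -Path $scratch -Name Marker -Value 'demo' -PropertyType String -Force | Out-Null
Remove-ItemProperty -Path $scratch -Name Marker -WhatIf      # prints a "What if:" line, changes nothing
Get-ItemProperty -Path $scratch -Name Marker                  # Marker is still there
Remove-Item -Path $scratch -Recurse -Confirm:$false           # clean up for real
```

Notice that nothing in the middle of the script cares which provider it is talking to; only the path changes.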

Listing your drives

Let’s play with these Providers now…

Type Get-PSDrive to list your drives

Get-PSDrive

Alright, so let’s dive into the HKEY_LOCAL_MACHINE drive.  How do you think we would do that?

If you said

CD HKLM:

Jump up and down twice and then spin around 10 times until you get dizzy and fall down.  You’re getting this man – you’re getting this.  PowerShell isn’t hard.

Now let’s look around a bit…

Every incident responder and cybersecurity analyst knows that one of the most common places you’ll find malware hiding (or at least making sure it gets launched again after a reboot) is the registry.  And one of the most popular spots is:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

There are other locations such as the RunOnce key, the HKCU copies of Run and RunOnce, and the AppInit_DLLs value, but I’m going to keep it simple for now.

So instead of opening regedit.exe you can easily, very easily, view this key’s values directly from the Registry drive.

Type:

cd HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\

Remember you can tab complete these registry keys as you type them.

Then use Get-Item to display the key named Run.  The key’s values show up in the Property column.

Get-Item Run | ft -AutoSize

I’m piping it to Format-Table -AutoSize so the columns are as tightly spaced as possible (which improves readability).

And look at that!

We can see there’s a value pointing at vmtoolsd.exe (the VMware Tools service) that runs on startup.  This could just as easily have been evilmalware.exe, so this is a cool way to check for stuff like that.  One caveat: a familiar-looking name proves nothing on its own, since malware loves to borrow legitimate file names, so also look at where the file actually lives and whether it carries a valid signature.
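Here is an added example (not from the original post) that turns the manual check above into a quick autorun audit: it walks the common Run/RunOnce keys from the Registry drive, resolves each value’s command line to the executable it launches, and reports the Authenticode status, signer and SHA-256 of every image, then reads the AppInit_DLLs value as well. It assumes Windows PowerShell 5 on a 64-bit host run from an elevated prompt; the Resolve-AutorunImage helper and the path heuristics in the final filter are this example’s own, not part of PowerShell.

```powershell
# Added example: audit the common autostart keys via the Registry provider.
# Assumes Windows PowerShell 5 on 64-bit Windows, run as an administrator.
# Resolve-AutorunImage is a helper written for this example.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a registry command line. Handles quoted paths,
# bare paths followed by arguments, and %ENV% expansion; returns $null when
# the image cannot be found so it is reported rather than silently dropped.
function Resolve-AutorunImage {
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if     ($expanded -match '^"([^"]+)"')   { $candidate = $Matches[1] }
    elseif ($expanded -match '^(\S+\.exe)')  { $candidate = $Matches[1] }
    else                                     { $candidate = ($expanded -split '\s+')[0] }
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        return (Resolve-Path -LiteralPath $candidate).Path
    }
    $found = Get-Command -Name $candidate -ErrorAction SilentlyContinue
    if ($found -and $found.Path) { return $found.Path }
    return $null
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }     # e.g. no WOW6432Node on 32-bit hosts
    $item = Get-Item -LiteralPath $key                       # a Microsoft.Win32.RegistryKey
    foreach ($name in $item.GetValueNames()) {
        $cmd   = $item.GetValue($name)
        $image = Resolve-AutorunImage -CommandLine $cmd
        $sig   = if ($image) { Get-AuthenticodeSignature -FilePath $image } else { $null }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Command   = $cmd
            Image     = $image
            Signature = if ($sig) { [string]$sig.Status } else { 'IMAGE NOT FOUND' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256    = if ($image) { (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash } else { $null }
        }
    }
}

# AppInit_DLLs is a value, not a key: anything listed here is loaded into every
# process that links user32.dll, so it deserves a line of its own
$appInit = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' `
                            -Name AppInit_DLLs, LoadAppInit_DLLs -ErrorAction SilentlyContinue

$report | Sort-Object Signature | Format-Table Key, Name, Image, Signature, Signer -AutoSize
"AppInit_DLLs = '$($appInit.AppInit_DLLs)' (LoadAppInit_DLLs = $($appInit.LoadAppInit_DLLs))"

# Triage: unsigned, unresolvable, or launched from a user-writable location
$report | Where-Object {
    $_.Signature -ne 'Valid' -or
    $_.Image -like "$env:USERPROFILE*" -or
    $_.Image -like '*\Temp\*'
}
```

The triage filter at the end is only a starting point; a valid signature from an unexpected signer, or a legitimately signed binary sitting in a user profile folder, is still worth a second look.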

Registry drive

 
