
Say what’s up to PowerShell 5 (Part 20/27) - fixedByVonnie


One of the most exciting features to ever come to PowerShell is Providers.

Providers won’t make you go “Whoa! this is amazing man wow Vonnie this is so freggin’ cool” but they will make you smile.  Why?  Because you can access almost any data source as a drive.  So you can CD into an IIS: directory or change into a Registry directory.  So instead of busting open Regedit you can CD and DIR into your Registry hives just like they were folders on your hard drive!

What are providers?

Providers are the unsung heroes of PowerShell.  I don’t know what it is but for some reason people tend to forget about them.

I’m not sure why, because they’re pretty awesome.  They basically treat any data store as a hierarchical structure.  So it doesn’t matter what the underlying data structure is, PowerShell transforms it into a common hierarchy that you access with common cmdlets.

Sound cool?

Keep reading.

Bust open PowerShell right now and type:

Get-PSProvider | Format-Table -AutoSize

I’m piping to Format-Table because I want to use the AutoSize parameter to automatically squeeze the column widths down to their tightest possible widths.


Do you see all those drives in the right column?  Just think of them as various entry points into the items listed in the Name column.  So we see {C,D} are drives into the FileSystem.

But look... we also see {HKLM, HKCU} are entry points into the Registry as well.

The middle column named Capabilities is also pretty cool.

ShouldProcess means the provider has the ability to accept the -WhatIf and -Confirm parameters.  Meaning, if you tack a -WhatIf or -Confirm on the end of a cmdlet inside one of these drives you’ll get either a hypothetical of what would have happened if you executed the command or you’ll get a confirmation window pop-up box.

And under all these drives we have items.  So for the FileSystem an item might be a file or folder.  But for the Registry an item might be a key.

This is why DIR is an alias for Get-ChildItem: as far as PowerShell is concerned the underlying data source could be anything; it doesn’t have to be a file or folder.

Listing your drives

Let’s play with these Providers now…

Type Get-PSDrive to list your drives


Alright, so let’s dive into the HKEY_CURRENT_USER drive.  How do you think we would do that?

If you said


Jump up and down twice and then spin around 10 times until you get dizzy and fall down.  You’re getting this man – you’re getting this.  PowerShell isn’t hard.

Now let’s look around a bit…

Every incident responder and cybersecurity analyst knows that one of the most common places you’ll find malware hiding is in the registry.  And one of the most popular spots is located in:


There are other keys such as AppInit_Dlls and RunOnce but I’m going to keep it simple for now.

So instead of opening regedit32.exe you can very easily view this key directly from the Registry drive.


cd HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\

Remember you can tab complete these registry keys as you type them.

Then use Get-Item to display the key named Run.

Get-Item Run | ft -AutoSize

I’m piping it to Format-Table -AutoSize so the columns are as tightly spaced as possible (which improves readability).

And look at that!

We can see there’s a file called vmtoolsd.exe that runs on startup.  This could just as easily have been evilmalware.exe, so this is a cool way to check for stuff like that.
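Here’s an added example (my own script, not code from the post) that takes the same idea a step further: it walks the Run and RunOnce keys under both the HKLM: and HKCU: drives through the Registry provider, and for each autostart value checks whether the executable is still on disk and whether it carries a valid Authenticode signature. The key paths and the Get-AutorunEntry function name are my assumptions; the script expects a standard Windows 10 box.

```powershell
# Added example: audit autostart entries via the Registry provider.
# Assumes the Run/RunOnce keys the post mentions, under HKLM: and HKCU:.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntry {
    foreach ($key in $autorunKeys) {
        # RunOnce is often absent, so skip keys that do not exist
        if (-not (Test-Path -Path $key)) { continue }

        # Get-Item returns the key; the provider adds a Property list of value names
        $item = Get-Item -Path $key
        foreach ($name in $item.Property) {
            $command = [string]$item.GetValue($name)

            # Pull the executable path out of the command line (quoted or not)
            # and expand %SystemRoot%-style variables so Test-Path can find it
            $exe = if ($command -match '^"([^"]+)"') { $Matches[1] }
                   elseif ($command -match '^(\S+)') { $Matches[1] }
                   else { $command }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $onDisk = [bool]($exe -and (Test-Path -LiteralPath $exe))
            $signer = 'n/a'
            if ($onDisk) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject }
                          else { [string]$sig.Status }
            }

            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Command   = $command
                OnDisk    = $onDisk
                Signature = $signer
            }
        }
    }
}

# Same Format-Table -AutoSize trick as above to keep the columns tight
Get-AutorunEntry | Format-Table -AutoSize
```

An entry whose executable is missing from disk, or whose Signature column shows NotSigned or HashMismatch, is the one worth a closer look.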

Registry drive


