Overview of Windows PowerShell 5.0

  • 11/2/2015

Security issues with Windows PowerShell

As with any tool as versatile as Windows PowerShell, there are bound to be some security concerns. Security, however, was one of the design goals in the development of Windows PowerShell.

When you launch Windows PowerShell, it opens in your user profile folder. This ensures that you start in a directory where you have permission to create and change files, which is far safer than opening at the root of the drive or in the Windows system directory, where a mistyped command could affect files that other users and the operating system depend on.

Running scripts is disabled by default on Windows client operating systems (the Restricted execution policy); Windows Server 2012 R2 and later default to RemoteSigned. The execution policy is easily managed through Group Policy, and it can also be set per user or per session (the CurrentUser and Process scopes). Note that the execution policy is a guard against running scripts unintentionally, not a security boundary: it does not stop a user who can already run commands from executing the same code by other means.
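Added example, not from the original page: how the execution-policy scopes combine, and how to change the policy for one user or one session only. The function name Get-ExecutionPolicySource is the editor's own; the cmdlets, scope names and policy names are PowerShell's.

```powershell
# Added example (not from the original page). Get-ExecutionPolicy -List returns
# the five scopes in precedence order: MachinePolicy (Group Policy, computer),
# UserPolicy (Group Policy, user), Process, CurrentUser, LocalMachine.
# The first scope that is not Undefined is the one in effect.
function Get-ExecutionPolicySource {
    foreach ($entry in (Get-ExecutionPolicy -List)) {
        if ($entry.ExecutionPolicy -ne 'Undefined') { return $entry }
    }
    # Every scope Undefined: PowerShell falls back to the OS default
    # (Restricted on Windows clients, RemoteSigned on Windows Server 2012 R2 and later).
    [pscustomobject]@{ Scope = 'Default'; ExecutionPolicy = (Get-ExecutionPolicy) }
}

# Where does the current setting come from?
Get-ExecutionPolicySource

# Per-session: affects only this powershell.exe process, needs no administrator
# rights, and is gone when the window closes. -Force skips the confirmation prompt.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope Process -Force

# Per-user: persists for this account only (stored under HKCU), still no
# administrator rights required.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# If Group Policy defines MachinePolicy or UserPolicy, the calls above still write
# their value but PowerShell warns that the setting is overridden by a policy at a
# more specific scope; the Group Policy value remains effective.
Get-ExecutionPolicySource
```

Because the Process scope outranks CurrentUser and LocalMachine, a session can tighten its own policy (for example to AllSigned before running untrusted code) without touching the persistent settings; only a Group Policy scope cannot be overridden from the command line.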

Controlling execution of Windows PowerShell cmdlets

Have you ever opened a CMD interpreter prompt, entered a command, and pressed Enter just to find out what it does? What if that command happened to be Format C:\? Are you sure you want to format your C drive? This section covers parameters that can be supplied to cmdlets to control the way they execute. Not all cmdlets support these parameters, but most of those included with Windows PowerShell do. The three ways to control execution are the -WhatIf and -Confirm switch parameters and the Suspend action. Suspend is not a parameter supplied to a cmdlet, but an option you choose at a confirmation prompt; it is therefore another method of controlling execution.

Windows PowerShell cmdlets that change system state (such as Set-Service) support a prototype mode that you enter by using the -WhatIf switch parameter. Support is the cmdlet developer's decision: a cmdlet or advanced function gets -WhatIf (and -Confirm) only if it declares SupportsShouldProcess and calls ShouldProcess before each change, and the Windows PowerShell team recommends that every cmdlet that changes state do so. A cmdlet that does not implement it rejects -WhatIf with a parameter-not-found error rather than silently running, and an external executable (such as the CMD Format command) simply receives -WhatIf as an ordinary argument, so the switch only protects you with cmdlets and functions that honour it. The use of the -WhatIf switch parameter is shown in the following procedure.

Using -WhatIf to prototype a command

  1. Open Windows PowerShell by choosing Start | Run | PowerShell. The Windows PowerShell prompt opens by default at the root of your user folder.
  2. Start an instance of Notepad.exe. Do this by entering notepad and pressing the Enter key. This is shown here.

    notepad
  3. Identify the Notepad process you just started by using the Get-Process cmdlet. Type enough of the process name to identify it, and then use a wildcard asterisk (*) to avoid typing the entire name of the process, as follows.

    Get-Process note*
  4. Examine the output from the Get-Process cmdlet, and identify the process ID. The output on my machine is shown here. Note that, in all likelihood, the process ID used by your instance of Notepad.exe will be different from the one on my machine.

    Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
    -------  ------    -----      ----- -----   ------     -- -----------
    114      8         1544       8712 ...54      0.00   3756 notepad
  5. Use -WhatIf to find out what would happen if you used Stop-Process to stop the process ID you obtained in step 4. This process ID is found under the Id column in your output. Use the -Id parameter to identify the Notepad.exe process. The command is as follows.

    Stop-Process -id 3756 -whatif
  6. Examine the output from the command. It tells you that the command will stop the Notepad process with the process ID that you used in your command.

    What if: Performing the operation "Stop-Process" on target "notepad (3756)".

Confirming actions

As described in the previous section, you can use -WhatIf to prototype a cmdlet in Windows PowerShell. This is useful for finding out what a cmdlet would do; if you want to be prompted before the cmdlet actually runs, use the -Confirm parameter instead. -Confirm overrides the $ConfirmPreference variable for that one call (equivalently, -Confirm:$false suppresses a prompt the cmdlet would otherwise show), so the prompt protects against operator mistakes, not against a script that chooses to skip it.

Confirming the execution of cmdlets

  1. Open Windows PowerShell, start an instance of Notepad.exe, identify the process, and examine the output, just as in steps 1 through 4 in the previous exercise.
  2. Use the -Confirm parameter to force a prompt when using the Stop-Process cmdlet to stop the Notepad process identified by the Get-Process note* command. This is shown here.

    Stop-Process -id 3756 -confirm

    The Stop-Process cmdlet, when used with the -Confirm parameter, displays the following confirmation prompt.

    Confirm
    Are you sure you want to perform this action?
    Performing operation "Stop-Process" on Target "notepad (3756)".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
    (default is "Y"):
  3. Enter y and press Enter. The Notepad.exe process ends. The Windows PowerShell prompt returns to the default, ready for new commands, as shown here.

    PS C:\>
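Added example, not from the original page, covering both this section and the earlier -WhatIf discussion: an advanced function that opts in to -WhatIf and -Confirm the same way the built-in Stop-Process does. The function name Stop-NotepadProcess and its behaviour are the editor's illustration, not a Microsoft cmdlet; SupportsShouldProcess, ConfirmImpact and $PSCmdlet.ShouldProcess are the real PowerShell mechanism.

```powershell
# Added example (not from the original page). SupportsShouldProcess adds the
# -WhatIf and -Confirm common parameters; ShouldProcess() is what honours them.
# Stop-NotepadProcess is a hypothetical name chosen for this illustration.
function Stop-NotepadProcess {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param(
        # Process IDs to stop; binds from the Id property of Get-Process output.
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [int[]]$Id
    )
    process {
        foreach ($processId in $Id) {
            $proc   = Get-Process -Id $processId -ErrorAction Stop
            $target = "$($proc.ProcessName) ($processId)"

            # ShouldProcess(target, action):
            #   -WhatIf  : prints 'What if: Performing the operation "Stop" on
            #              target "notepad (1234)".' and returns $false, so the
            #              change below never runs.
            #   -Confirm : shows the [Y] Yes [A] Yes to All [N] No [L] No to All
            #              [S] Suspend prompt and returns the operator's choice.
            #   neither  : returns $true, unless ConfirmImpact is at or above
            #              $ConfirmPreference (default High), in which case it
            #              prompts anyway. Set ConfirmImpact = 'High' above to
            #              make the prompt appear without -Confirm.
            if ($PSCmdlet.ShouldProcess($target, 'Stop')) {
                # -Confirm:$false here: when the caller passed -Confirm,
                # $ConfirmPreference is Low inside this function and the inner
                # Stop-Process would otherwise prompt a second time.
                Stop-Process -Id $processId -Confirm:$false
            }
        }
    }
}

# Usage (constructed for this example, mirrors the page's procedure):
notepad
Get-Process note* | Stop-NotepadProcess -WhatIf     # prototype only
Get-Process note* | Stop-NotepadProcess -Confirm    # prompt, Suspend available here too
```

Under -WhatIf the inner Stop-Process is never reached because ShouldProcess returned $false; if it were reached, $WhatIfPreference (set to $true inside the function by the caller's -WhatIf) would also make it a no-op. The Suspend choice at the prompt works for this function exactly as for Stop-Process in the next section, because the prompt is produced by ShouldProcess, not by the cmdlet itself.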

Suspending confirmation of cmdlets

The ability to prompt for confirmation before a cmdlet runs is extremely useful and can be vital to maintaining a high level of system uptime. There might be times when you enter a long command and then remember that you need to check something else first. For example, you might be in the middle of stopping a number of processes and need to view details on the processes to ensure that you do not stop the wrong one. For such eventualities, you can tell the confirmation prompt that you want to suspend execution of the command and return to it later.

Suspending execution of a cmdlet

  1. Open Windows PowerShell, start an instance of Notepad.exe, identify the process, and examine the output, just as in steps 1 through 4 in the “Using -WhatIf to prototype a command” exercise. The output on my machine is shown following. Note that in all likelihood, the process ID used by your instance of Notepad.exe will be different from the one on my machine.

    Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
    -------  ------    -----      ----- -----   ------     -- -----------
         39       2      944        400    29     0.05   3576 notepad
  2. Use the -Confirm parameter to force a prompt when using the Stop-Process cmdlet to stop the Notepad process identified by the Get-Process note* command. This is illustrated here.

    Stop-Process -id 3576 -confirm

    The Stop-Process cmdlet, when used with the -Confirm parameter, displays the following confirmation prompt.

    Confirm
    Are you sure you want to perform this action?
    Performing operation "Stop-Process" on Target "notepad (3576)".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
    (default is "Y"):
  3. To suspend execution of the Stop-Process cmdlet, enter s and press Enter. A nested prompt appears, marked by a double arrow (the automatic variable $NestedPromptLevel is now 1). Commands you enter here run with the full rights of the session; the pending Stop-Process waits until you leave the nested prompt.

    PS C:\>>
  4. Use the Get-Process cmdlet to obtain a list of all the running processes that begin with the letter n. The syntax is as follows.

    Get-Process n*

    On my machine, two processes appear, the Notepad process I launched earlier and another process. This is shown here.

    Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
    -------  ------    -----      ----- -----   ------     -- -----------
        269     168     4076       2332 ...98     0.19   1632 NisSrv
        114       8     1536       8732 ...54     0.02   3576 notepad
  5. Return to the previous confirmation prompt by entering exit.

    Again, the confirmation prompt appears as follows.

    Confirm
    Are you sure you want to perform this action?
    Performing operation "Stop-Process" on Target "notepad (3576)".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
    (default is "Y"):
  6. Enter y and press Enter to stop the Notepad process. There is no further confirmation. The prompt now displays the default Windows PowerShell prompt, as shown here.

    PS C:\>