PowerShell Profiles

PowerShell uses profiles to help customize the shell environment. There are a few files which customize the profile:

  • %windir%\system32\WindowsPowerShell\v1.0\profile.ps1 This profile is loaded for all users.
  • %windir%\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 This profile is loaded for all users, and only for the default instance of PowerShell.
  • %UserProfile%\My Documents\WindowsPowerShell\profile.ps1 This profile is loaded per-user, and affects all versions of PowerShell which are installed.
  • %UserProfile%\My Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 This profile is loaded per-user, but only affects the default instance of PowerShell.

PowerShell Admin Scripts

To get the process owner:

# Look up explorer.exe via WMI and show the domain and user that own it
(Get-WmiObject win32_process | where {$_.Name -eq 'explorer.exe'}).GetOwner() | Select domain, user

To find the systems that are alive

# Win32_PingStatus returns StatusCode 0 when the host answers the ping
$result = Get-WmiObject -Query "select * from win32_pingstatus where address='google.com'"
if ($result.StatusCode -eq 0)
{echo "google.com is alive"}
else
{echo "google.com is not pingable"}

Vista/Win 7 Backdoor

  1. Boot with any live CD (Ubuntu/WinPE etc.) to get access to the Windows file system.
  2. Rename c:\windows\system32\magnify.exe to magnify.exe.bak.
  3. Make a copy of c:\windows\system32\cmd.exe and rename that to magnify.exe.
  4. Reboot the machine and boot normally to Windows by removing the live CD.
  5. Once you see the "press ctrl alt del to login" prompt, press "winkey + U"; this will bring up the Ease of Access window.
  6. Choose Magnify and hit OK; this will launch the cmd.exe we placed before. This cmd.exe has full access to the system; you can call any program from here, like compmgmt.msc, and actually reset the admin password or create a new admin account.
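
A defender-side check for the swap described in the steps above, as an added example that is not part of the original page: it flags magnify.exe when its SHA-256 matches cmd.exe, when its embedded OriginalFilename disagrees with the file name, or when the magnify.exe.bak left by step 2 is still present. The function name Test-AccessibilityBinary and its parameters are hypothetical; it assumes PowerShell 4.0 or later (for Get-FileHash) running as a 64-bit process on a 64-bit system.

```powershell
# Added example: audit the accessibility binary named on this page for the cmd.exe swap.
# Assumption: PowerShell 4.0+ (Get-FileHash); use a 64-bit session so System32 is not
# redirected to SysWOW64. -System32 may point at a mounted offline image instead.
function Test-AccessibilityBinary {
    [CmdletBinding()]
    param(
        # Files to audit; the default is the one binary the page discusses.
        [string[]]$Name = @('magnify.exe'),
        [string]$System32 = (Join-Path $env:windir 'System32')
    )

    # Reference hash of the shell that step 3 copies over the accessibility tool.
    $cmdPath = Join-Path $System32 'cmd.exe'
    $cmdHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $cmdPath).Hash

    foreach ($n in $Name) {
        $path = Join-Path $System32 $n
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "$path not found"
            continue
        }

        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash

        # The version resource survives a rename, so a copied cmd.exe still reports
        # Cmd.Exe here. Some Windows builds append ".MUI" to the value; strip it.
        $orig = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
        $origBase = ($orig -replace '\.mui$', '').Trim()

        $matchesCmd    = $hash -eq $cmdHash
        $nameMismatch  = [bool]$origBase -and ($origBase -ne $n)
        $backupPresent = Test-Path -LiteralPath "$path.bak"   # leftover from step 2

        [pscustomobject]@{
            Path             = $path
            Sha256           = $hash
            OriginalFilename = $orig
            MatchesCmdExe    = $matchesCmd
            NameMismatch     = $nameMismatch
            BackupPresent    = $backupPresent
            Suspicious       = $matchesCmd -or $nameMismatch -or $backupPresent
        }
    }
}

Test-AccessibilityBinary | Format-List
```

A hash match with cmd.exe is the strongest signal of the three; a name mismatch or a stray .bak alone warrants a closer look at the file's timestamps and ownership.
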

Note: the following is a list of useful MMC files

Certificates certmgr.msc
Indexing Service ciadv.msc
Computer Management compmgmt.msc
Device Manager devmgmt.msc
Disk Defragmenter dfrg.msc
Disk Management diskmgmt.msc
Event Viewer eventvwr.msc
Shared Folders fsmgmt.msc
Group Policy gpedit.msc
Local Users and Groups lusrmgr.msc
Removable Storage ntmsmgr.msc
Removable Storage Operator Requests ntmsoprq.msc
Performance perfmon.msc
Resultant Set of Policy rsop.msc
Local Security Settings secpol.msc
Services services.msc
Windows Management Infrastructure (WMI) wmimgmt.msc
Component Services comexp.msc