Powershell and registry additions
This commit is contained in:
parent
0cc87fa399
commit
781892ac64
@ -39,21 +39,34 @@ Get-ChildItem | Select-Object -Property Mode, Name
* skip - skips x objects
## Filtering Objects
```
Verb-Noun | Where-Object -Property PropertyName -operator Value
Verb-Noun | Where-Object {$_.PropertyName -operator Value}
```
The second version uses the $_ operator to iterate through every object passed to the Where-Object cmdlet.
* Where -operator is a list of the following operators:
* -Match: matches the exact value of the property
* -Contains: if any item in the property value is an exact match for the specified value
* -EQ: if the property value is the same as the specified value
* -GT: if the property value is greater than the specified value
### Out-Gridview
Pipe the output to a graphical window and Filter it through the GUI.
```
whatever | Out-GridView
```
## Sort Object
```
Verb-Noun | Sort-Object
```
```
Get-ChildItem | Sort-Object
```
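Review bot: the `-Match` bullet is incorrect: `-Match` performs a regular-expression match (`'abc' -match '^a'` is true), while the exact comparison is `-EQ` and wildcard matching is `-Like`; also, `$_` is the automatic pipeline variable (`$PSItem`), not an operator, and all of these comparison operators are case-insensitive unless prefixed with `c` (`-ceq`, `-cmatch`). Consider tagging the fences `powershell` for consistent highlighting and spelling the headings `Out-GridView` and `Sort-Object` to match the cmdlet names.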
@ -66,12 +66,38 @@
* `SYSTEM\Select\LastKnownGood`
## Autostart Programs
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
Run program on login for the current user
```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
```
Run program on login for any user
```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
```
Run program on login once for the current user
```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
```
Run program for on login once for any user
```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
```
## Recent Files
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`, e.g. xml, pdf, jpg
* Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word`
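Review bot: the code block under "Run program on login for any user" repeats the `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` path from the current-user block; the machine-wide key is `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run`, which is the `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` entry in the list above (the `SOFTWARE` hive file maps to `HKLM\Software`, `NTUSER.DAT` to `HKCU`) and matches the `HKEY_LOCAL_MACHINE\...\RunOnce` block that follows. Also fix the typo "Run program for on login once for any user".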
@ -125,3 +151,19 @@
* [Eric Zimmermann's Registry Explorer](https://ericzimmerman.github.io/#!index.md)
* hivedump
* hivex
* [AutoRuns](https://github.com/p0w3rsh3ll/AutoRuns) to check autorun paths for persistence
```sh
Get-Command -Module AutoRuns
CommandType Name Version Source
----------- ---- ------- ------
Function Compare-AutoRunsBaseLine 14.0 Aut...
Function Get-PSAutorun 14.0 Aut...
Function New-AutoRunsBaseLine 14.0 Aut...
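Review bot: the ```sh fence opened before `Get-Command -Module AutoRuns` has no closing fence within the hunk, which ends the file, so the block is left unterminated; add a closing ``` after the `Function New-AutoRunsBaseLine` line, and tag the fence `powershell` rather than `sh`, since both the command and its table output are PowerShell. Minor: the `hivedump` and `hivex` entries lack the links the other tool entries carry.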