Author Archives: Don Jones

About Don Jones

Don Jones is a Windows PowerShell MVP, author of several Windows PowerShell books (and other IT books), Co-founder and President/CEO of, PowerShell columnist for Microsoft TechNet Magazine, PowerShell educator, and designer/author of several Windows PowerShell courses (including Microsoft's). Power to the shell!

Our NaNoWriMo Challenge: Write a PowerShell Article

In honor of National Novel Writing Month (NaNoWriMo), I wanted to offer a smaller, and more unique, challenge.

Send me a PowerShell article.

Seriously. My name is Don Jones, and this is, so you can probably figure out how to contact me. Send me an article between 800 and 3,000 words (including code) in Microsoft Word format. Don’t attach any scripts. Please keep the formatting super-simple: paste code from the PowerShell ISE, and use Word’s default styles otherwise. If you must include screen shots, please embed them in the doc, but also include them as a a separate PNG in your e-mail.

You can write about anything, provided it’s PowerShell-related. What’s best? Some challenge that stumped you – and that you eventually solved (and please, tell us how). Something that you think folks could benefit from, or could learn to do better. Even an article that lays out both sides of a particular question, and outlines the pros and cons of each argument. Doesn’t matter. What matters is that you write. 

I will personally commit to reading every single one, and providing you with feedback on your article. When suitable, I’ll make some specific suggestions for improving the article. If you then fix it up accordingly, I’ll run it by a professional editor – and I’ll have it published. In some cases, we’ll publish it right here on In other cases, I’ll submit it to my friends at 1105 Media for their consideration in one of their IT magazines, like Redmond Magazine or Still others will go into the TechLetter, which would be a huge help to our editors, who are always hungry for content.

Being able to communicate well is important in all walks of life, but being willing to share is even more important. Think you’ve got nothing to share? Wrong. You have unique experiences that everyone can learn from. You do not need to be an expert in order to have something valuable to share. We would all benefit a lot more if more people shared their experiences and successes – so now it’s your turn.

The deadline is November 30th, of course, and I’ll work my way through them all as quickly as possible. You’re not going to be judged on your grammar or spelling (although do use Word’s tools to help those as much as it can). Don’t try to write fancy, or overly formal. In fact, just write like you’d talk. Read your piece back to yourself aloud, and if it sounds weird, fix it so it doesn’t. If it sounds good, it’ll read well.

C’mon. Take up the challenge. And tweet folks over to this article, too. Let’s make it a thing. My goal is to help at least a few folks because regular bloggers, either here or elsewhere, and my dream is to find maybe a couple of folks who can pick up a full-time column with a magazine or other publication. That’d be awesome. I know you’re out there – let’s get the party started.


How to Have the PowerShell Summit Come to You

We’re often asked if we’re planning to have a PowerShell Summit in (insert name of town/country/city). The answer is, “no,” because we’re usually not planning much in advance of whatever’s currently on the table. Keep in mind – we’re all volunteers. We don’t have a ton of free time to plan 3 years out! As you’ll see in a minute, it’s a lot of work.

That said, you can play a big role in bringing the Summit to your town. How? Simply write a proposal and submit it to us. Use the “Admin” e-mail alias at Here’s what to include:

  • When you’re proposing for. We typically need a proposal roughly 18 months out. The North America event is in April, and the Europe event in September, so you need to plan about a year and a half ahead of those dates.
  • A description of the local PowerShell audience. Helping us understand the local business environment, how many Microsoft IT pros are employes, and whether or not there’s a local user group, all helps. The more you can do to help us reach out to the locals, the more confident we’ll be in planning an event in your area.
  • A venue. This is the tough part, because we have a number of pretty strict requirements. Many commercial venues won’t talk to a smaller organization more than 6-9 months out, so in talking to a venue you’ll have to ask them to estimate pricing based on their current situation; we’ll nail down particulars closer-in if we select the venue. We don’t need you to guarantee dates; we just need an estimate of how much the venue wants to charge us.

Our venue requirements are detailed and pretty much non-negotiable.

  • The venue must be near an international airport – no more than a 30-minute drive. This must be accessible by a major air carrier, such that a flight from Seattle-Tacoma could make it to the venue’s airport with no more than one connection. We have to be considerate of the product team’s time!
  • The venue must be near a sufficient number of affordable, business-class hotels. We do not reserve room blocks or guarantee rooms, so if you’re talking to a hotel, they may not want to deal with you because of this.
  • The venue must offer parking – although we are okay if there are parking fees.
  • We must have 2 rooms capable of seating at least 50 people each. That seating can be “theater-style…”
  • …but we must also have a place for at least 100 people to eat lunch. Sometimes, that means a separate room. Other times, it may mean setting the session rooms “classroom style” so people can eat in the session rooms. Switching to “classroom style” still needs to afford seating for 50 people per room, minimum.
  • We prefer to buy “all-day” catering packages that include unlimited coffee, a continental breakfast (pastries), buffet lunch, and an afternoon snack. Pricing cannot exceed about $110 per person per day – and that must include taxes, service fees, gratuities, and so on.
  • We prefer not to guarantee a specific number of people until very close-in. However, most commercial venues require a commitment up front. In that case, we prefer to commit to no more than 50 people – even though we want the flexibility to have more than that.
  • If we’re paying top dollar for catering, we should get the venue itself for free. That’s traditional at most commercial venues. If we’re paying for the venue, then our per-person/per-day catering cost should be substantially under our limit.
  • We prefer to minimize A/V expenses, but do require an HD projector, screen, and wireless lav mic in each of the two rooms. We’d need pricing on that equipment if it isn’t included in the venue pricing.
  • The venue needs to have decent Internet. That doesn’t necessarily need to be included for free, but it needs to be available. We may purchase 2-4 connections for speakers to use when presenting, so knowing the pricing would be helpful.
  • The venue needs to be available for at least one evening event, where we’ll likely want a cash bar and some light snacks – we expect to pay extra for the evening food, but not for the venue itself.

As you can see, it’s a tough list, and it’s a lot of work for us to find venues. That’s one reason we tend to lean toward Microsoft facilities, when they’re available, because we get the venue cheaper, the food cheaper, and so on.

You’ll also see that our pricing doesn’t leave a ton of room for error. At $110/person/day, each attendee costs us $330. With 50 attendees, there’s another $130 per person in overhead to pay for speakers’ meals. We have about another $130 per person in hard costs like insurance, equipment shipping, and logistics planning. We carve off another $150 per person to help fund itself, including this website. That’s $740 per person in costs – real close to the $800 we charge, which also has to cover VERIFIED EFFECTIVE exam costs and so on. We plan our numbers around a 50-person break-even point because we’re incredibly risk-averse – we don’t want to have to make up the difference on our personal credit cards, which has almost happened in the past. As you can see, we try to keep our numbers pretty tight – which means a lot of careful planning.

So… if you want to volunteer (it’s much appreciated!) and do some local legwork, you’re more than welcome to propose your favorite town. We understand that, working 18+ months out, some of the numbers will be estimates – that’s fine. Knowing that something is roughly in the right price range is a big start.

We do have other operational criteria that can come into play, so just because you propose someplace doesn’t mean we’re guaranteeing we’ll go there – but we’ll keep it in mind, even for future years.

When Will There be a PowerShell Summit in ____?

As we move into the middle of PowerShell Summit Europe 2014, we have a lot of folks asking, “when will you hold a Summit in ____” (insert the name of your favorite country).

Right now, is committed to organizing both North American and European events, one per year, while there is audience demand for them. Both events will shift locations from year to year, and the location choice is driven by a number of criteria – mainly financial ones.

But we’re all volunteers here. Each event requires upwards of 240 man-hours to put together, and an up-front financial commitment of up to $25,000. We’re getting to the point where the organization can front that money, but it’s been on personal credit cards to this point, paid back only once the event is complete. So… it’s a big deal. Strictly from a time perspective, we just don’t have enough to organize more events elsewhere in the world.

However, we continue to encourage folks to organize their own events. We’ve even come up with a brand name to get you started: PowerShell Forum. The idea is for those to be smaller 2-3 day, regional-level events that we help promote. We’ll provide all the advice we can to help get you going, too. We’ll put you in touch with the right folks so that if product team participation is an option, you can find out. We hope that a PowerShell Forum “grows up” to one day host a PowerShell Summit – because the organizers and volunteers are in place to let us hold a full Summit without taking on the entire time commitment ourselves.

In any community, if you want something good to come your way, the best way is to do it yourself – rather than asking someone else to bring the good to you. We feel that’s particularly true with live events, because you know the local market, the venues, the audience, the customs, the laws, and so on.

So, “when will there be a PowerShell Summit in _____?” The answer is, “when you make it happen.” We’d love to help – but you’ll have to take the first step.

Join the DSC Hackathon at PowerShell Summit 2014 Europe

On Monday night (Amsterdam time, September 29th), we’ll be holding the first DSC Hackathon at PowerShell Summit Europe 2014. Attached are the scenarios we’ll be asking participants to select from. We’ll ask everyone to work in small groups, pick one scenario, and try to produce a custom DSC resource that solves the problem.

Many of these are from Microsoft’s own internal “wish list” of resources that they don’t yet have anyone assigned to.

You’re welcome to participate, even if you’re not present at the Summit. You will need to operate in Amsterdam time; we’re only accepting submissions during that time (from about 6pm local time). If you’d like to participate, you’ll need a Twitter account to begin with. When the Hackathon starts, drop a tweet that includes the hash tag #DSCHackathon, as well as the scenario you’d like to work on. We’ll respond and connect you with a group that’s working on that scenario. From there, the group will let you know how they’d like to communicate – possibly a Skype chat window, possibly an IRC chat, it’ll be up to them.

In the event that Internet connectivity sucks, we’ll simply do our best, and may direct remote users to work on their own. But, if you monitor the #DSCHackathon tag, you may be able to find other remote users to team up with.

There are no prizes – we’re doing this for the good of the community. However, every team who hands in a working resource will get public recognition in the PowerShell team blog, on, and wherever else we can manage to mention you :).

As a reminder, you should plan to have Windows PowerShell v4 or later on your laptop in order to participate. We don’t anticipate going longer than 2-3 hours, and if you’re on-site plan to use battery power for the entire period. Ideally, you’ll want a server VM or two so that you can test the scenarios… which are attached herewith. And it’s fine to get an early start on these, if you like.

Download: DSC Hackathon Scenarios

Instructions for PowerShell Summit North America 2015 Registration

If you’re planning to attend PowerShell Summit North America 2015, to be held at the end of April 2015 in Charlotte, North Carolina, you should read the following important information:

  • The registration site will be open from 30 October 2014 to 30 March 2015. There is about a 30-day window from the end of registration to the event itself. There are no exceptions to this cutoff.
  • You should read the extremely important information about registering. It also contains links to the agenda and to the registration site.
  • The agenda will be available in mid-October 2014.
  • We will only have about 90 seats available due to the size of the venue. You will probably need to plan to register early, because we don’t have a magical way of making the building bigger to accommodate “just one more person.”
  • We will not be holding seats for later registrations. Everything becomes available on 30 October 2014. We’ve done the “phased release” before and it was a major PITA.
  • Yes, we will be recording all sessions and posting them on the YouTube channel. We will not be live-streaming because the facilities don’t exist to do so. Recordings will include slides/demos and a room microphone; this will not be Channel 9-quality, but it should get the job done. Or you could, you know, show up at the live event.

If you are planning to have someone in your organization register and pay on your behalf, it is crucial that they do so using your e-mail address, not theirs. Otherwise, we may not be able to admit you to the event. This is a big deal. Please don’t mess it up.

Please help us get the word out. This is entirely a community event, run entirely by volunteers who are paying their own way to the event also. We have zero marketing and advertising budget, because we try to keep the overall costs as low as humanly possible. Set reminders to tweet, Facebook, etc. once a month and help us let the world know about the event.

PowerShell v5: Misc Goodness (including Auditing)

Aside from classes and new DSC features, which I’ve already written about, there are a number of less-headline, but still-very-awesome, new capabilities.

This article is based on the September 2014 preview release of WMF 5.0. Information is highly subject to change.

First up is the ability to automatically create PowerShell cmdlets from an OData endpoint. Huh? OData is a kind of web service (basically); PowerShell gains the ability to look at the endpoint and construct a set of proxy cmdlets that let you interact with the endpoint more naturally. This is spiritually similar to what PowerShell can already do for a SOAP web service endpoint.

Next are some 7-years-overdue cmdlets for managing ZIP files: Compress-Archive and Expand-Archive. Finally. These use underlying .NET Framework ZIP functionality (I think), which has had some compatibility problems in the past, so we’ll see how these hold up. But they should be the missing link to letting you do everything DSC-related right in PowerShell, since you can now ZIP up your custom resources for deployment via pull server.

Auditing gets a huge win, and this is really more of a headline feature than people think. For one, the ISE now supports transcript creation. Yay! You can also “nest” transcripts, meaning you can have one running, and then start a second one to cover only a portion of time. Closing the second one lets the first remain running. You can also specify a central transcript directory, which is useful when you want to collect these things into a central folder for reporting. For example, you should now be able to set up Remoting endpoints that automatically kick off a transcript when someone connects, and saves them to that central location.

More auditing comes in the form of Group Policy settings. You’ve always been able to log the fact that certain commands were run (did you know that?), but now you can enable detailed script tracing that logs a crapload of detail to the PowerShell operational log (which can, like any other event log, be forwarded to another server). You get the complete details of every script block executed, even if it creates another script block. Again, this is set up in Group Policy – check out the WMF 5.0 release notes for the location.

Ed Snowden gets a face slap with new Cryptographic Message Syntax (CMS) cmdlets, including Get-CmsMessage, Protect-CmsMessage, and Unprotect-CmsMessage. These use PKI to encrypt data. By the way, if your organization doesn’t already have an internal PKI, WTF are you waiting for, you’re ten years behind the curve, man. PKI becomes more important to Windows environments every single day, and you need to get with the program.

There’s also a new fun feature for extracting content from strings. This system uses some Microsoft Research functionality called FlashExtract. Essentially, you give it examples of what your data looks like, and then point it to a big string (like a text file) full of data. It can extract all the data pieces based on your example. It’s early days for this technology, but it’s kind of awesome to see the PowerShell team giving us an easy way to play with it.

Because WMF 5.0 introduces PowerShellGet, it now includes commands to add PowerShellGet repositories. That means you can stand up your own repo, host your modules there, and install modules by simply running Install-Module (or find them using Find-Module). Tres awesome! We don’t yet have technical details on what the heck a PowerShellGet repository actually looks like, but I’m sure that’ll crop up.

ARE YOU PLAYING WITH WMF 5.0 ON A NON-PRODUCTION VM YET? YOU SHOULD BE. Times are changing and you gotta keep up!

PowerShell v5: What’s New in DSC

When Desired State Configuration (DSC) came out – gosh, just about a year ago – I kept telling people that there was more to come. And a lot of it is now just around the corner in PowerShell v5.

This article is written to the September 2014 preview release – things may change for the final release.

A major set of changes in DSC is a much more detailed and granular configuration of the Local Configuration Manager (LCM), the local “agent” that makes DSC work on the target node. This new level of configuration really shows you where Microsoft’s thinking is.

For example, a single target node can be configured to pull configurations from multiple pull servers. That doesn’t necessarily mean separate machines, as a single IIS instance can host multiple websites, but it means you’re no longer limited to one MOF per computer.

Yes, I said that. The LCM can now pull (but not have pushed to it) partial configurations. Each partial configuration is a MOF, but the understanding is that there can be more than one. There’s still no dynamic evaluation of which MOFs will be pulled; you have to specify them all in the LCM configuration, but now you can break a machine’s total configuration into multiple bits. Each partial configuration is given a source, which is a pull server.

Each partial configuration can be given exclusivity over certain resources. This helps avoid overlap. For example, you might decided that Partial Config A has exclusive control over all xIPAddress settings, meaning those settings from any other partial config wouldn’t work. Partial configurations can also depend on each other, so that (for example), Partial Config B won’t even run until Partial Config A is complete.

The LCM can also have a separate server configured for web- or file-based resource repositories, meaning those can be separated from the pull server endpoint.

What used to be called the “compliance server” is now simply the reporting server – we mentioned in “The DSC Book” that the name of this would likely change. It’s now a distinct configuration item, meaning even a node in Push mode can report its status to the reporting server!

New global synchronization capabilities also exist. A node’s configuration can be made dependent on a configuration item from another node. Meaning, Node “A” won’t try to configure until Node “B” completes certain items first. Communications is all via WS-MAN and CIM.

A new Get-DscConfigurationStatus returns a high-level status for a node – similar to what the reporting server would collect – and an amazing new Compare-DscConfiguration can now accept a configuration and tell you where a given node differs. This is a big deal, and something a lot of folks wanted in PowerShell v4. There’s also an Update-DscConfiguration, which forces a node to evaluate its DSC stuff right away.

DSC is quickly coming of age. In less than a year, we’ve seen (so far) 6 releases of additional resources, and now with PowerShell v5 we’re seeing a number of important enhancements and evolutions in the core technology. Many of the things that frustrated folks initially are now taken care of.

PowerShell v5: Class Support

This post is based on the September 2014 preview release of WMF 5.0. This is pre-release software, so this information may change.

One of the banner new features in PowerShell v5 is support for real live .NET Framework class creation in Windows PowerShell. The WMF 5.0 download’s release notes has some good examples of what classes look  like, but I wanted to briefly set some expectations for the feature, based on my own early experiences.

The primary use case for classes, at this point, is for DSC resources. Rather than creating a special PowerShell module that has specially named functions, live in a specially named folder, and work in a special way – that’s a lot of special, which means a lot of room for error – classes provide a more declarative way of creating DSC resources.

But we’re a bit ahead of ourselves. What’s a class?

In object-oriented programming, a class is a hunk of code that provides a specific interface. Everything in the .NET Framework is a class. When you run Get-Process in PowerShell, for example, you are returning objects of the type System.Diagnostics.Process – or, in other languages, objects of the class System.Diagnostics.Process. Each process is an instance of the class. The class describes all the standardized things that a process can show you (like its name or ID), or that it can do (like terminate). Programmers build the functionality into the class itself.

Classes can have static properties and methods – these are hunks of code that don’t require an actual instance of a process. For example, you can start a process without having a process in the first place. The System.Math class in .NET has lots of static members – the static property Pi, for example, contains the numeric value of pi to a certain number of decimal places. The static Abs() method returns the absolute value of a number.

PowerShell classes are designed to provide similar functionality. The trick with PowerShell classes, at least at this stage of their development, is that they don’t add their type name to any kind of global namespace. That is, let’s say you write a class named My.Cool.Thing, and you save it into a script module named MyCoolThing.psm1. You can’t just go into the shell and run New-Object -TypeName My.Cool.Thing to create an instance of the class, because there’s nothing in PowerShell (yet) that knows to go look for your script module to find the class. That’ll likely change in a future release, but for right now it means classes are kind of limited.

The basic rule is that you can only use a class within the same module that contains the class. That is, the class can only be “seen” from within the module. So, your MyCoolThing.psm1 module might define a class, and then might also define several commands (functions) that use the class – that’s legal, and it will work. You still can’t use New-Object; instead, you’d instantiate your class by using something like ClassName::new(), calling the static New() method of the class to instantiate it. I expect New-Object will get “hooked up” at some point, but it might not be until some future version of PowerShell.

Anyway, back to DSC.

DSC is a bit unique, because normally you don’t load resource modules; the Local Configuration Manager loads them. When you build a DSC resource class, you’re forced to provide three methods: Get(), Set(), and Test(). The LCM loads your module, instantiates the class, and then calls the three methods as needed. DSC resources built in this fashion can live in a plain old module .PSM1 file – there’s no need to create a DSCResources subfolder, no need to have an empty “root” module, or any of that. So it’s a more elegant solution all around. Aside from some structural differences, you code them the same as you always have. v5 still supports the old-style resources, for backward compatibility, but class-based resources are the “way forward.” I expect Microsoft will eventually refactor the DSC Resource Kit to be class-based resources, as soon as they get a minute and as soon as v5 is widely adopted.

So most of the “wiring” behind classes has, to this point, been designed to support that DSC use case. In other words, of all the things a PowerShell class will need to do, the team has so far focused mainly on those things that impact DSC. The rest will come later – the release notes use the phrase, “…in this release” a lot, meaning the team understands where the current weaknesses are. “This release” in some cases may simply mean this current preview release, meaning they’re targeting more features for v5’s final release; in other cases, more features will have to wait for v6 (or whatever) or a later version of PowerShell.

So there’s a little rambling on classes and what’s presently in PowerShell v5. If you haven’t already downloaded the preview and started playing with it, you should; not in production, though. Keep it in a test VM for the time being.

PowerShell Summit Europe 2014: Prepare for the DSC Hackathon

We’re hoping that everyone attending the PowerShell Summit Europe 2014 will join our Monday evening DSC Hackathon, where we’ll become “product team members for a night” and try to code up some DSC Resources from the team’s own internal wish list!

We’ll provide a cash bar as well as finger food for our on-site attendees… but you’re welcome to participate remotely, too! Sometime on September 29th, watch for a posting that includes the challenges. Choose your challenge, and follow the blog post instructions to submit them. We’ll also include details for participating live via IRC and other chat mechanisms, and we may be able to do a live room-cast via Lync or something.

There are no winners and no losers – only the entire community wins, because completed entries will be added to the GitHub repo and made available to the world, for free. But, coders who complete a resource will receive public recognition, both here on and in some other very visible venues!

Here’s what you’ll need to participate:

  • A laptop with a charged battery and PowerShell 4.0 installed. We won’t be able to provide power, so make sure you can run 1-2 hours unplugged.
  • Ideally, a virtual machine running Win2012R2 that is configured as a domain controller. If your laptop has limited resources, install the full server GUI on that and code right on it – it’s the domain controller functionality you’ll want.
  • Whatever editing tools you like apart from the ISE.
  • Beforehand, familiarize yourself with “The DSC Book.”
  • Have the full DSC Resource Kit installed. In many cases, you’ll want to refer to existing resources to see how they do things. At a minimum, the xActiveDirectory module is a good one to have.

Apart from that – stay tuned!

Free Online Access to TechLetter Back Issues

Did you know that has, for more than a year now, offered a mostly-monthly TechLetter e-mail newsletter? It’s stuffed with community news, announcements (like our free webinar schedule), feature articles on PowerShell, and much more. It’s a great way to learn a little bit at a time, and it’s truly awesome content.

And we keep back issues for your perusal!

You can find the back issues online. We post all but the most recent 2-3 issues, but of course you can subscribe and have them delivered right to your inbox around the middle of most months.

We’re always on the lookout for new content, too – and if you’re thinking, “oh, I have nothing really to share,” you’re wrong! It can be as simple as an article about something you figured out. With more than 5,000 subscribers, someone’s sure to appreciate your perspective! Contact our Editors at via e-mail to submit your article, or to suggest an article idea.

And please – tell a friend!

Wish List: Better Code Formatting in the Forums (Can You Help?)

I know it’s been a “wish” of many folks for our forums to have better code formatting. Well, if you know some PHP and a little about WordPress, you can make it happen.

What we need is a WordPress plugin that hooks the action for post displays. The plugin needs to take the post body, and look for anything contained within HTML “code” tags or “pre” tags.

Within that content, the plugin needs to strip any further code/pre tags (WordPress has a bit of a glitch where it’ll sometimes nest them). It should then HTML-encode the remaining content to turn any backticks into an HTML entity. Finally, it should color-code the content, or whatever, and hand it back to WordPress for display.

If you think you might be interested, let me know.

There ARE existing code formatters. But they have some weaknesses:

  • Many require you to use a custom shortcode, which our forums users won’t pick up on. Getting folks to use the standard CODE tag, which is even on the toolbar, is hard enough.
  • Most require additional directives to specify the language and whatnot that will be formatted – that’s a hurdle people, in the past, weren’t able to grasp.
  • Some use extensive client-side JavaScript, which is heavy, performs poorly, and doesn’t interact well with some of the other JavaScript on the site.
  • Many don’t accommodate WordPress’ treatment of backticks. WP wants them to be code delimiters, but obviously in PowerShell the backtick is important for other reasons.

What we need isn’t giant, and it isn’t complicated, it’ll just require some time.

UPDATE: I’m working on it.

UPDATE: I think I got it. I’m using the GeSHi parser Joel uses on, although I’ve applied different CSS style to it. If anyone would like to tackle improving that parser, or the CSS, you can hit me up and I’ll give you the code as it stands. But as-is, we get line-numbered, colorized syntax in a scrollable window when you use

 to enclose your code blocks. WordPress backticks aren’t allowed for code, and inline code isn’t supported. Older HTML-style CODE and PRE tags will be converted automatically. I think.

Quick Tip: WMI vs. CIM Syntax

# List all classes in a namespace
Get-CimClass -Namespace root\CIMv2
Get-WmiObject -Namespace root\CIMv2 -List

# list all classes containing “service” in their name
Get-CimClass -Namespace root\CIMv2 | Where CimClassName -like ‘*service*’ | Sort CimClassName


Get-CimClass -Namespace root\CIMv2 -Classname *service*
Get-WmiObject -Namespace root\CIMv2 -List | Where Name -like ‘*service*’ | Sort Name

# get all class instances
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_OperatingSystem
Get-WmiObject -Namespace root\CIMv2 -Class Win32_OperatingSystem

# filter class instances
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_LogicalDisk -Filter “DriveType=3″
Get-WmiObject -Namespace root\CIMv2 -Class Win32_LogicalDisk -Filter “DriveType=3″

# show all properties
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_OperatingSystem | Get-Member
Get-WmiObject -Namespace root\CIMv2 -Class Win32_OperatingSystem | Get-Member

# show all properties and values
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_OperatingSystem | fl *
Get-WmiObject -Namespace root\CIMv2 -Class Win32_OperatingSystem | fl *

# remote computer
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_BIOS -ComputerName dc,win81
Get-WmiObject -Namespace root\CIMv2 -Class Win32_BIOS -ComputerName dc,win81

# use CIM command to talk to non-CIM computer
Get-CimInstance -Namespace root\CIMv2 -ClassName win32_BIOS -CimSession (
New-CimSession -ComputerName OLD-XP-PC -SessionOption (
New-CimSessionOption -Protocol Dcom
) Annual Operating Budget

As we approach our annual shareholder meeting for, Inc., I wanted to take a moment and share some details about our 2014-2015 operating budget.

First, you can always review the budget spreadsheet in our OneDrive account. This is updated as our plans change, prices rise, and so on; you’re welcome to check back whenever you like.

Now, let’s talk about some of our organizational goals, and what some of the items in the spreadsheet mean. As you know, we’ve been fortunate to have the support of several corporate sponsors since our invention. MVP Systems, Interface Technical Training, CBT Nuggets, and SAPIEN Technologies have been amongst those helping us out; Interface and SAPIEN both signed on for a generous three-year commitment right when we launched, and we couldn’t have gotten to this point without them. However, we know that companies’ goals and positions change over time, so we’ve been trying to drive to a point where we didn’t need to rely on corporate sponsorship. We now believe that the PowerShell Summit is stable enough that, with a conservative budget, we can meet our operational needs out of the profits from the North America and Europe events.

As a note, isn’t classified as a nonprofit; we’re a not-for-profit. We’re legally allowed to make a profit; it just isn’t a goal. The corporation pays Federal income tax on any profits, although most of our income is spent on expenses, which end up being deductions.

As you’ll notice in the spreadsheet, we believe we can meet our annual operating budget by applying a $175 overhead charge to each attendee of the Summit, assuming we get 100 attendees between the two events annually. That’s conservative; the N.A. show has done 100 and 150, in its two years. So in reality the number can probably be much smaller.

Our $750 annual AWPP fee includes Summit admission, VERIFIED EFFECTIVE exams, and other benefits; our operating budget reflects the costs for these items (including virtual machine hosting for the examination program). So $175 of that $750 is earmarked for; that leaves $575 to cover actual Summit expenses. Due to the exchange rate, Europe is our worst-case show for expenses, with a $330/person overhead for food and beverage. The remaining $245 goes to cover speaker overhead: speaker food and beverage (we admit them to the event for free, but they still eat), and some speaker travel reimbursement. With 50 paid attendees, that’s $12,250 in overhead income. Subtract $3300 for 10 speakers’ F&B, and we have about $9000 left to cover other expenses, including some speaker travel reimbursement. The US shows do somewhat better; in reality; we probably will take less than the $175 per person from the Europe show, to allow for more speaker travel expenses, and take a bit more from the US show where our expenses are lower and attendance is known to be higher.

Most of the budget line items should be fairly self-explanatory. In some cases, we’re receiving some of the services for free at present; we’ve budgeted to pays for them should our free ride ever end. You’re welcome to ask about anything that seems unclear, too. But you’ll notice that there’s no budget for salaries: nobody associated with, Inc. is paid for their efforts. We’re run by volunteers.

So what happens when we get 200 global Summit attendees instead of the 100 we budget for? That’ll give us an operational pad. In most cases, it means we’ll be able to be a bit more elaborate with the Summit itself, buying some food for an evening event, for example. As I mentioned, it’ll also allow us to better reimburse speakers for their out-of-pocket travel expenses, which is definitely a goal. In fact, one reason we’ve tried to pay the operational budget from just half our expected attendance is specifically so we’ll have extra funds so that speakers don’t have to be entirely out-of-pocket to present at the Summits.

I hope this is helpful. As always, feel free to post your questions.

Analyzing the “Black Magic” PowerShell “Exploit” and Appropriate Actions

Trend Micro released a report on a new PowerShell-vectored exploit named Black Magic. I had a lovely Twitter conversation about what this means in terms of PowerShell’s vulnerability to attack, and what admins should do. Unfortunately Twitter sucks for carrying on that kind of conversation, so I wanted to post this to clarify a few things.

First, I’m going to write this article as if “you” were hit by this exploit. Don’t take it personally, it’s just an easier style of language for me – it’s not actually addressing you.

Second, when it comes to security, the goal is to stop attacks from happening. That means you have to consider all the ways something could nail you, and try to block as many of them as is practical. That’s called “defense in depth,” giving you multiple layers of defense. The corollary to that is that your environment must still be functional. I mean, from a secure standpoint, if I unplugged all the WiFi access points and Ethernet switches you have, you’d be pretty secure. And non-functional.

Third… and I don’t know how to be delicate about this, but a lot of admins out there aren’t very sophisticated about security. There’s sometimes a tendency to fix what they can get their hands on, whether or not that makes any impact on security or not. So let’s be very clear about what you do when it comes to security: You do as little as possible, and impinge as little functionality as possible, while achieving your security goals. That helps maintain a “functional” environment, and keeps the security aspect of it “maintainable.” Sometimes, “as little as possible” is quite a lot indeed – but you look for that balance. Finally, you almost never do anything to “improve” security if it is in fact a null improvement. That is, you don’t lock the doors if the windows can’t be closed. There’s no point.

Now, let’s look at how Black Magic operates.


Step 1: Social Engineering

The exploit comes in the form of an .LNK e-mail attachment. That’s a Windows shortcut file. Users are meant to double-click it, and the shortcut launches a PowerShell session with the execution policy essentially turned off.

Problem 1: You let users get .LNK e-mail attachments from external users. This is stupid. Users shouldn’t be able to receive executable file types. Note that a .PS1 file isn’t an executable file type, which is why the exploit had to take this action. If you’d blocked .LNK attachments at the firewall, the exploit would be useless.

Problem 2: Your users are opening file attachments from people they don’t know. There is no technical way to protect an environment where users aren’t doing the right thing. No way. Just give up. This is why I keep going on about building a “culture of security.” If your users’ job descriptions, or your company employee manual, doesn’t say something to the effect of, “employees must be able to safely operate company computers in accordance with company policies and standards,” then you’re just doomed. If it does say that, and a user does open an attachment like this, you write them up and eventually fire them. If you think you can stop stupid users from bypassing every security measure you put in place, you are dumber than they are. You have to fix the social engineering element. There is almost no point in trying anything else, because users will get around it.

I know. A lot of you are shrugging and saying, “well, you can’t fix users, so I’ll just lock down PowerShell.” It won’t work.

I once, and rather famously, refused to help a law firm client get their NTFS file permissions under control, because they let users print sensitive documents and leave them lying around the office. Don’t bother locking the door if the windows are open.


Step 2: The Download

One of the elements of the Twitter discussion was, “maybe standard users shouldn’t have PowerShell able to run, because it’s so powerful and can be exploited so easily.”

Um, no.

First: PowerShell’s execution policy is not a measure against malware. It was never designed to be, so don’t be disappointed when it isn’t. If you thought it was, you were wrong, and that’s your fault for not educating yourself, not Microsoft’s fault for failing to do something they never set out to do in the first place.

Second: PowerShell only lets you do what you have permission to do. The Black Magic exploit used PowerShell simply to download a file from the Internet. That’s it. It didn’t wipe out Active Directory, it didn’t erase a file server, and it didn’t start grabbing messages out of Exchange, because normal users can’t do those things.

Would locking down PowerShell, so that normal users couldn’t run it, have stopped this exploit? No, because normal users have an abundance of ways to download files, and the exploit would simply have used a different one. PowerShell was convenient here, not necessary. If you’re going to posit locking down PowerShell, you must also lock down every other possible means of downloading a file from the Internet, or you’ve done nothing to impact security. Nothing.

PowerShell is not powerful. Erase that from your mind. Everything PowerShell is and does comes from the .NET Framework installed on every one of your computers, which your users have full access to. PowerShell is nothing more than a human-friendly way of getting to the Framework without needing Visual Studio on-hand. You could erase PowerShell and 100% of its functionality would still be present and absolutely usable by an exploit. Get your brain wrapped around that, because it’s an important concept.

Problem 3: You let your users download files from trashy websites. Your firewall should have been blocking access, and if it had integrated malware tools and realtime block lists, it probably would have caught this access.

Problem 4: You’re not using a local to block outgoing access by applications. For standard users, there’s little reason to access the Internet by means other than a web browser or known applications. This is a well-known technology and approach that’s been around for a decade.

Step 3: Run a File

Black Magic’s last step is to run the downloaded payload, which it does under normal user permissions.

Problem 5: You’re allowing users to run arbitrary applications. AppLocker has been around since Windows Vista, and provides a way of “whitelisting” applications that may run. This payload would never have been allowed to execute if you’d been using a built-in tool that’s been around since 2008. AppLocker even offers the ability to build that whitelist for you.

Problem 6: You’re not running updated anti-malware software that would have detected the payload and blocked it – and alerted someone. Most would have blocked access to the URL where the payload came from, too.


So you’ve had six opportunities to stop this exploit, all of which involve well-known, years-old technologies and techniques. You probably haven’t done most of them, and so you want to blame PowerShell.

OK… I’ll step out of the “you” attack-y mode :).

The point is that, once you have arbitrary code running on users’ systems, you’re owned. Nothing you can do to PowerShell will stop that. This attack could easily have been a .LNK file that ran Cmd.exe and the Telnet or FTP client – it could have achieved the same thing. It could easily have been an .EXE (“no, we block EXE file attachments;” “why the hell don’t you also block .LNK then, dummy?”).

I don’t want to come across as defending PowerShell per se; I’m trying to help folks understand where the real security problems lie. PowerShell is a red herring in all this; it was a convenient way of getting innocuous code to execute. There were six other places where this attack would have been stopped in its tracks, and any six of those would also have stopped every other similar kind of attack that didn’t rely specifically on PowerShell. That’s what makes those six effective – they’re global, not targeted at one specific piece of code. All of those six act to stop malware.

Before you take actions in security, you need to make sure you’re doing so from a holistic, professional security perspective. The first time a fire broke out in a crowded theater, officials didn’t say, “well, we should put sprinklers and alarms in that theater.” They put them in every theater, and started demanding flame-retardant fabrics and other measures. You address security across the board, not on a piecemeal basis.


A Tangent Argument

“Ah,” the argument goes, “but we should reduce moving parts. Users don’t have a legit need to run PowerShell, so we should lock them out of it.”

Valid. Except that PowerShell.exe isn’t PowerShell. PowerShell is a .NET Framework-based engine; PowerShell.exe is just a console application that lets you feed typed commands to that engine. You can’t remove PowerShell, and you can’t “block” users’ access to it, because it’s part of the Framework. It’s an integral part of the operating system. Things you don’t even realize are using it, are using it.

But yes, you could block users’ access to the console application, PowerShell.exe. I might even buy that argument, especially in a highly secure environment where you simply don’t want users having access to anything they don’t explicitly need to do their jobs. In fact, I would buy that argument, if and only if you block users’ access to everything they don’t explicitly need. Notepad. Windows Paint. Solitaire. Etc. Because based on the theory you’re working from, all code is bad code (a valid security perspective) and you block everything not explicitly needed. Remember, PowerShell doesn’t give users any special capabilities. Anything a normal user can do in PowerShell can be done in at least 2 other ways using other native tools. This is why AppLocker is a better approach: the list of apps a user needs is smaller than the list of apps they don’t, and so a whitelist is more maintainable, no matter how huge it is.



There you go. Now, you’re welcome to make comments on this, and offer your perspective. However, I have a couple of guidelines.

  1. Keep the conversation civil and professional. I’ll delete anything obnoxious.
  2. Keep the conversation focused on security. And remember that security isn’t about locking down the doors when the windows are open; it’s about holistically achieving specific goals. You don’t take security measures that simply move the target elsewhere. “Defense in depth” doesn’t mean 80 security restrictions and 20 ways around them. If something is super-easy to bypass, you don’t bother.



[UPDATED] Verified Effective Exams will Begin Soon

Check it out…


Wave 1

We’ll be going live with the PowerShell Toolmaker program very soon. Wave 1 will permit our PowerShell Summit N.A. 2014 alumni who registered early and were given a free exam. If you’re one of those folks, and if you would like to be an early registrant, please contact exams at You will need to have your Summit confirmation code (it was e-mailed to you when you registered, and was printed on your badge; we cannot provide it to you if you’ve lost it). We’re looking for a small handful of early registrants to take the exam and help us test the grading systems. If you pass, it’s “real,” and you’ll get an e-certificate like the one shown here!

How do you know if you got a free exam? There was a slip included with your badge at the Summit. If you weren’t paying attention, we’ll allow you to try entering your Summit confirmation code as an exam voucher to see if it works. If you can’t find your confirmation code, you’re out of luck.

Wave 1 is designed to let us test the system and make sure everything is working well, in a small enough scale to manage any problems that arise.


Next Steps

If you’d like to know more about the program, and understand when it may be open to you, please review the VERIFIED EFFECTIVE information page.