Andreas Schuster released an improved version of his Event Log parser:
Evtx Parser Version 1.0.1
More information: http://computer.forensikblog.de/en/2009/12/evtx_parser_1_0_1.html
Windows PowerShell is an extensible automation engine from Microsoft, consisting of a command-line shell and associated scripting language. Windows PowerShell 2.0 was released with Windows 7 and Windows Server 2008 R2.
PowerShell is built on top of, and is integrated with, the Microsoft .NET Framework. Additionally PowerShell enables easy access to COM and WMI to provide an environment in which administrators perform administrative tasks on both local and remote Windows systems.
The administrative tasks are generally performed by execution of cmdlets (pronounced commandlets), which are specialized .NET classes implementing a particular operation. You can combine these by use of scripts. Windows PowerShell also provides a hosting mechanism with which the Windows PowerShell runtime can be embedded inside other applications. With PowerShell, graphical interface-based management applications on Windows are layered on top of Windows PowerShell. In the future all Microsoft Applications running on the Windows platform are to be PowerShell aware.
Windows PowerShell includes its own extensive, console-based help, similar to man pages in Unix shells via the Get-Help cmdlet.
Interestingly there are a number of other Linux-PowerShell parallels, for instance:
• man is the same as Get-Help -Detailed
• ls is the same as Get-ChildItem
• pwd is the same as Get-Location
A Cmdlet can easily be recognized from the fact that its name consists of two elements: a verb and a noun. For example, one of the most useful Cmdlets is:
Get-Help
However, there are abbreviations for some of the Cmdlets, for example:
Get-Process
Can also be typed as:
ps
which is a command familiar to many Linux users as the way to view details about currently running processes.
The commands Windows PowerShell executes may be in the form of 'cmdlets', which are specialized .NET classes designed expressly to expose a functionality via PowerShell, PowerShell scripts (*.ps1) or regular executables. If a command is an executable file, PowerShell launches it in a separate process; if it is a cmdlet, it is executed in the PowerShell process. PowerShell also provides an interactive command line interface, wherein the commands can be entered and their output displayed. The user interface, based on the Win32 console, offers customizable tab completion but lacks syntax highlighting. PowerShell also enables the creation of aliases for cmdlets, which are textually translated by PowerShell into invocations of the original commands. Powershell also supports both named and positional parameters for commands. In executing a cmdlet, the job of binding the argument value to the parameter is done by PowerShell itself, but, for external executables, arguments are passed via the argv (or equivalent) variable array to be parsed by the executable.
Another concept used by PowerShell is that of a pipeline. Like Unix pipelines, PowerShell pipelines are used to compose complex commands, allowing the output of one command to be passed as input to another. A pipeline is set up by piping the output of one command (or pipeline) to another command, using the | operator. But, unlike its Unix counterpart, the PowerShell pipeline is an object pipeline; that is, the data passed between cmdlets are fully typed objects, rather than character streams. When data is piped as objects, the elements they encapsulate retain their structure and types across cmdlets, without the need for any serialization or explicit parsing of the stream, as would be the need if only character streams were shared. An object can also encapsulate certain functions that work on the contained data. These also become available to the recipient command for use. For the last cmdlet in a pipeline, PowerShell automatically pipes its output object to the Write-Host cmdlet, which creates a formatted text representation of its data, writing it to the screen.
In other words, Cmdlets are the native commands in the PowerShell stack. Cmdlets follow a <verb>-<noun> naming pattern, such as Get-ChildItem, helping to make them self-descriptive. Cmdlets output their results as objects, or collections thereof (including arrays), and can optionally receive input in that form, making them suitable for use as recipients in a pipeline. But, whereas PowerShell allows arrays and other collections of objects to be written to the pipeline, cmdlets always process objects individually. For collections of objects, PowerShell invokes the cmdlet on each object in the collection, in sequence.
Example: when you use the ps (or Get-Process) command, the list is sorted alphabetically according to the process name. However, it may be more useful to sort by the WS field so that the processes using the most memory appear at the top of the list. To do this the user "pipes" the output of ps to a second Cmdlet "sort-object":
ps | sort-object WS -descending
It’s also worth noting that the piped Cmdlets can be split over multiple lines:
ps |
where-object -FilterScript ~-2-~ |
sort-object WS -descending
Finally, the redirection operator (>) writes the output to a file after the objects have been converted to HTML, so the result can be viewed in a web browser:
ps |
where-object -FilterScript ~-1-~ |
sort-object WS -descending |
convertto-html -property Name,WS > ps.html
The result is an HTML file listing only the currently running processes that passed the filter, sorted by working set (WS) with the largest first, together with the amount of memory each one is using.
In Powershell V2, a more portable version of Cmdlets called Modules have been added. The Powershell V2 release notes state, "Modules allow script developers and administrators to partition and organize their Windows PowerShell code in self-contained, reusable units. Code from a module executes in its own self-contained context and does not affect the state outside of the module. Modules also enable you to define a restricted runspace environment by using a script."
Windows PowerShell includes a dynamically typed scripting language which can implement complex operations using cmdlets imperatively. The scripting language supports variables, functions, branching (if-then-else), loops (while, do, for, and foreach), structured error/exception handling and closures/lambda expressions, as well as integration with .NET. Variables in PowerShell scripts have names that start with $; they can be assigned any value, including the output of cmdlets. While the language is untyped, internally the variables are stored with their types, which can be either primitive types or objects. Strings can be enclosed either in single quotes or in double quotes: when using double quotes, variables will be expanded even if they are inside the quotation marks. According to the variable syntax, if the path to a file is enclosed in braces preceded by a dollar sign (as in ${C:\foo.txt}), it refers to the contents of the file. If it is used as an L-value, anything assigned to it will be written to the file. When used as an R-value, it will be read from the file. If an object is assigned, it is serialized before storing it.
Object members can be accessed using . notation, as in C# syntax. PowerShell provides special variables, such as $args, which is an array of all the command line arguments passed to a function from the command line.
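The three-stage pipeline from the process example above, with a concrete Where-Object filter, plus the $variable and double-quote expansion rules from the scripting-language paragraph, as an added example that is not part of the original post. It assumes Windows PowerShell 2.0 or later; the 50MB threshold and the report path are my own choices.

```powershell
# Added example (not from the original post). Assumed: Windows PowerShell 2.0+.
$threshold = 50MB                        # PowerShell numeric literal = 52428800 bytes
$report    = Join-Path $env:TEMP 'ps.html'

# 1. Get-Process (alias ps) emits System.Diagnostics.Process objects, not text.
# 2. Where-Object keeps only objects whose working set (WS) exceeds the threshold;
#    $_ is the object currently travelling down the pipeline.
# 3. Sort-Object orders the surviving objects by WS, largest first.
# 4. ConvertTo-Html renders the chosen properties as an HTML table; the >
#    redirection writes that text to a file (same effect as Out-File).
Get-Process |
    Where-Object -FilterScript { $_.WS -gt $threshold } |
    Sort-Object -Property WS -Descending |
    ConvertTo-Html -Property Name, Id, WS -Title 'Memory-hungry processes' > $report

# Because the objects stay typed until the last cmdlet, the same data can be
# reshaped in the console without re-parsing any text (WS converted to MB).
$top = Get-Process |
    Sort-Object -Property WS -Descending |
    Select-Object -First 5 -Property Name, Id,
        @{ Name = 'WS_MB'; Expression = { [math]::Round($_.WS / 1MB, 1) } }
$top | Format-Table -AutoSize

# Double quotes expand $variables (and $( ) sub-expressions); single quotes do not.
Write-Host "Report with $($top.Count) top entries written to $report"
Write-Host 'This line prints $report literally'
```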
I just stumbled upon nice free software to edit photos, maps etc. It's really a nice alternative for programs like Photoshop. At the moment, I use it to make some screenshots of the scripts that I write. The name of this free program is Paint.NET and more information is available here.
I was looking for a method to run perl scripts on my Windows 2008 server. I tried ActivePerl, which was working great on my Windows XP machine. However, ActivePerl seems not to be working with Vista and 2008.
I have found a nice alternative: Strawberry Perl. This 100% open source and up to date Perl for Windows runs every script I need (XP, 2003, 2008, Vista and Win7).
I was looking for a free Windows tool to synchronize files and folders between two locations on my network. I have tried Microsoft SyncToy 2.1. Both 32 and 64 bits versions are available.
The GUI is easy to understand. But, there's also a command line tool available (SyncToyCmd.exe) which is nice when you want to use a batch job to synchronize your files automatically on a daily basis. I think this is one of the most comfortable tools available for this job!
I recently started to work with Microsoft Windows Server 2008 (IIS7) and I have detected some really cool command line tricks:
ForFiles
Use ForFiles to delete files older than (for example) two days:
Forfiles /P C:\Downloads\ /S /M *.jpg /D -2 /C "cmd /C del /Q @path"
More information about ForFiles is available using this command:
forfiles /?
Schtasks
Use Schtasks to schedule tasks from the command line. For example, create a scheduled task that runs every hour:
schtasks /create /tn "Name of the task" /tr "run this command" /sc HOURLY
another example:
create a scheduled task that runs every day at a specific time:
schtasks /create /tn "My script" /tr C:\Users\Administrator\MyScripts\myscript.bat /sc daily /st 08:00
The scheduled task shows up in Windows Task Manager (library). More information about schtasks is available using this command:
schtasks /?
and is also available at:
http://technet.microsoft.com/en-us/library/cc725744(WS.10).aspx
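The two tricks above combined into one scheduled clean-up job, as an added example that is not part of the original post. It is PowerShell calling the same external tools; the paths C:\Logs and C:\Scripts, the 30-day retention and the task name are placeholders, and creating a task that runs as SYSTEM requires an elevated prompt.

```powershell
# Added example (not from the original post). Placeholder paths and task name.
$logDir   = 'C:\Logs'
$script   = 'C:\Scripts\Clean-OldLogs.bat'
$taskName = 'Clean old IIS logs'

# Put the forfiles command in a batch file so its quoting does not have to
# survive two shells (schtasks -> cmd -> forfiles). /D -30 = older than 30 days,
# /S recurses, /M is the file mask, /C runs the command once per match and
# @path expands to the full path of the matched file.
$batch = @"
@echo off
forfiles /P "$logDir" /S /M *.log /D -30 /C "cmd /C del /Q @path"
"@
Set-Content -Path $script -Value $batch -Encoding ASCII

# schtasks.exe is an external executable: PowerShell launches it in its own
# process and passes the arguments through as argv strings. /f overwrites an
# existing task of the same name; /ru SYSTEM runs it without a user logged on.
& schtasks.exe /create /tn $taskName /tr $script /sc DAILY /st 03:00 /ru SYSTEM /f

# Read back what was registered (the query side of the same tool).
& schtasks.exe /query /tn $taskName /v /fo LIST
```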
Please let me know if you know other, really useful command line tricks that I can use under Windows Server 2008 !
Unfortunately, some webpages can steal the text you last copied for pasting (copy & paste) in Windows. With a combination of JavaScript, ASP, PHP or CGI, those webpages may be able to write your possible sensitive data (like your credit card number) to a database on another server.
An example of this is available here.
Fortunately, the fix for this is quite simple:
1. In Internet Explorer, go to Tools -> Internet Options -> Security
2. Click on Custom Level
3. In the security settings, click to Disable the “Allow Paste Operations via Script.” That will keep your clipboard contents private !
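The same setting checked and applied from PowerShell instead of clicking through Internet Options, as an added example that is not part of the original post. Internet Explorer stores the zone settings under HKCU\...\Internet Settings\Zones; zone 3 is the Internet zone and value 1407 is the "Allow paste operations via script" URL action (0 = Enable, 1 = Prompt, 3 = Disable). The function name is my own.

```powershell
# Added example (not from the original post). Per-user setting, so no elevation
# is needed; a domain Group Policy may override what is written here.
$zoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$valueName = '1407'      # URL action: allow paste operations via script
$meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ScriptPasteSetting {
    # Returns the explicit value, or $null when the zone default applies.
    $item = Get-ItemProperty -Path $zoneKey -Name $valueName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$valueName
}

$current = Get-ScriptPasteSetting
if ($current -eq $null) {
    Write-Host "Value $valueName is not set explicitly for zone 3 (zone default applies)"
} else {
    Write-Host "Internet zone 'Allow Paste Operations via Script' = $current ($($meaning[$current]))"
}

if ($current -ne 3) {
    # 3 = Disable: script in an Internet-zone page can no longer read the clipboard.
    Set-ItemProperty -Path $zoneKey -Name $valueName -Value 3 -Type DWord
    Write-Host "Set $valueName to 3 (Disable) for the Internet zone"
}
```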
Modern Windows versions are Unicode based, meaning that two bytes are used for each character. However, certain text utilities may not understand Unicode. I did have some problems when loading a CSV file I made with FTK Imager into an SQL database. All text strings looked as if all characters were separated with spaces, for example:
h e l l o , h o w a r e y o u t o d a y . c s v
instead of
hello, how are you today.csv
This was certainly not the result I was looking for. Fortunately, this is quite easy to solve. If you want to convert a multibyte CSV file to a one-byte-per-character version, type the following command:
TYPE unicodefile.csv > plaintextfile.txt
If your file contains "extended" ASCII characters like ë or à, you first have to type
CHCP 1252
at the DOS prompt. 1252 is the most commonly used codepage for western languages in modern Windows versions.
The type command performs the conversion. It is useful if you're dumping out registry keys from regedit.exe, which writes out in Unicode format.
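The same conversion as CHCP 1252 followed by TYPE, done with cmdlets that name both encodings explicitly and then check the result, as an added example that is not part of the original post. It assumes Windows PowerShell (5.1 or earlier, where -Encoding Byte exists); the file names are placeholders.

```powershell
# Added example (not from the original post). Placeholder file names.
$source = 'C:\Cases\unicodefile.csv'     # UTF-16LE, as written by FTK Imager or regedit
$target = 'C:\Cases\plaintextfile.txt'

# Sniff the byte-order mark: FF FE marks UTF-16LE, the layout that shows up as
# "h e l l o" (every second byte is 0x00) in a tool that expects one-byte text.
$head = Get-Content -Path $source -Encoding Byte -TotalCount 2
if ($head[0] -eq 0xFF -and $head[1] -eq 0xFE) { Write-Host 'Input is UTF-16LE (BOM FF FE)' }

# Decode as Unicode (UTF-16LE) and re-encode with "Default", i.e. the active
# ANSI code page (1252 on Western systems), so ë and à survive as single bytes.
Get-Content -Path $source -Encoding Unicode |
    Set-Content -Path $target -Encoding Default

# Verify: same line count, and no 0x00 bytes left in the output.
$inLines  = @(Get-Content -Path $source -Encoding Unicode).Count
$outLines = @(Get-Content -Path $target -Encoding Default).Count
$nulCount = @(Get-Content -Path $target -Encoding Byte | Where-Object { $_ -eq 0 }).Count
Write-Host "$inLines lines in, $outLines lines out, $nulCount NUL bytes in output"
```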
At the moment I'm working on a new forensic tool for Windows, based on strings and SQL. I will write more about this tool in the near future. Last night I did a test by writing a short text and hiding the textfile somewhere in a subfolder.
My tool did find the text string and parsed 2.150.954.083 string elements (that's over two billion elements!) in 36894.77 seconds (10:14:54 hours), which is certainly not bad.
Of course, there are many tools which can find text strings, but not for Windows and not based on SQL.
If you want to convert a Microsoft Word document into a pdf file, you can use free pdf printers (for example CutePdf). But, free tools do have their limitations. If you want to make full featured pdf files, you can use the free Open Office Writer.
You can open your Word document with Open Office Writer. Then, it's very easy to export the document as pdf, including hyperlinks etc. The PDF export feature in OpenOffice.org provides a huge set of formatting and security options, so that PDF files can be customized for many different scenarios, including ISO standard PDF/A files.
You can download Open Office here.