Learning PowerShell Failures & Ramblings: Part 2, Anti-Virus Enabled? WMI, CIM, Hex?

The rambling continues. Quick recap: I have my script-alike-function, created long ago and called get-hitech, that does multiple info-gathering things. This post is about figuring out whether Windows has anti-virus enabled and updated, kind of. Please take notice: everything I do in this series of posts is mostly for learning and is actually, for reals, based on my script-alike-function. The steps may not be the best way to do something. I likely won't even finish fixing my wonderful code. It sure is fun looking at this unfinished creation of my past. It's OK to fail, share, learn, and make fun of what you didn't know (and still don't). PowerShell is more than meets the eye.

Not sure about you, but I personally go out of my way to not use WMI filters in Group Policy. Before PowerShell I knew what WMI was. I had even read way more than I cared to know. PowerShell has made WMI interesting. Tip: don't ask anyone too smart about the difference between WMI and CIM. Here's all you need to know: the CIM cmdlets (Get-CimInstance) reach remote machines over PowerShell Remoting, AKA WinRM (HTTP 5985, HTTPS 5986), while the old WMI cmdlets (Get-WmiObject) use DCOM/RPC (TCP 135 plus dynamic ports) instead. They both access the same goodies.

Let's see what I've got to work with in my script-alike-function. Looks like Get-CimInstance is getting some info about the anti-virus and anti-spyware. Like there's a difference to me. Is there really anti-virus that doesn't include anti-spyware? There's something about converting to hexadecimal. Great, I did use hex for configuring my Sound Blaster ISA card 20 years ago and for connecting Palm Pilots for people who could code in Fortran but somehow could not figure out how to set baud rates and COM ports. For you old techs: 2F8, 3E8 anyone? Did your Sound Blaster have RAM sockets?

Well, what happens when I run this code? Nothing but errors. Time to just check the two variables, $AntiSpyware and $AntiVirus.

Hey, the CIM stuff is getting something useful. My machine has Windows Defender. There is something about a product state. Now I remember I had found some site that talked about the product state being in hex and what the numbers mean. Wish I had put a link to that site as a comment in my script-alike-function.

The Internet is amazing if you type in the right search. I found an MSDN forum thread talking about productState, and then I found a finished function, all by searching for "windows antivirus productstate". Who knows, would I have used the term "productState" without PowerShell?

Here's something on an MSDN forum:

Here's someone who already finished a function:

I'm not going to pretend I'm not going to use the function from Mr. Jirka Domin, AKA Soyka (common jay?), and just call it a day. The only thing I will likely do is change it to CIM, and put in a little more Write-Verbose, especially around the hex stuff, just for my own personal reference on how to convert hex. Also not sure why Mr. Jay's comments are mostly just the code without aliases. Please don't use aliases; that's why the PowerShell gods gave us tab completion.

Mr. Jay's code works!

Not sure I care about the path stuff. I can't stand it when programs are installed outside Program Files. Not to name names, Medisoft! But it's easy to select what you want. Remember, IT is highly opinionated. Let the users of your function decide what they need from your functions. You never know, you may change your own mind about what you need.

Take a look at the param block in Mr. Jay's code. That's the top part marked Param, super newbie. Notice there is only one parameter, $ComputerName. But it was given a default value, $ComputerName = $env:COMPUTERNAME, so if someone does not provide a value for the parameter it defaults to the PowerShell environment variable holding the local computer name. I'm going to come clean: not too long ago I would put an if statement to see if I needed to provide the current system name. But you know what, it worked, and I put a nice Write-Verbose telling everyone what I was doing so they could laugh at me.
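Here is what the CIM conversion with the extra Write-Verbose, the productState hex decoding, and the $env:COMPUTERNAME default look like together. This is an added example written for this post; it is not Mr. Jay's function and not the code from the get-hitech script-alike-function. The byte meanings of productState are the ones passed around in the forum thread (Microsoft does not document the field), and the remote host name WKS01 in the usage line is made up.

```powershell
function Get-AntiVirusStatus {
    [CmdletBinding()]
    param(
        # Same trick as Mr. Jay's param block: no value given means "this machine"
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # root/SecurityCenter2 exists on client Windows (7 and later) only. Windows Server has no
    # Security Center, so Get-CimInstance fails there with "Invalid namespace"; catch that instead
    # of letting the function spray red text.
    $cimParams = @{
        Namespace   = 'root/SecurityCenter2'
        ClassName   = 'AntiVirusProduct'
        ErrorAction = 'Stop'
    }
    if ($ComputerName -ne $env:COMPUTERNAME) {
        # Remote queries go over WinRM (TCP 5985/5986), not DCOM like Get-WmiObject
        $cimParams['ComputerName'] = $ComputerName
    }

    try {
        $products = Get-CimInstance @cimParams
    }
    catch {
        Write-Warning "Could not read AntiVirusProduct on $($ComputerName): $($_.Exception.Message)"
        return
    }

    foreach ($product in $products) {
        # productState is a 32-bit number. Written as six hex digits, the middle pair tracks
        # whether the product is running and the last pair whether signatures are current.
        # This layout is not documented by Microsoft; it is the forum decoding, so treat it
        # as an assumption and verify against a machine you know is disabled/out of date.
        $hex = [Convert]::ToString([int64]$product.productState, 16).PadLeft(6, '0')
        Write-Verbose "$($product.displayName): productState $($product.productState) = 0x$hex"

        $stateCode     = $hex.Substring(2, 2)   # '10'/'11' seen with a running product, '00'/'01' when off
        $signatureCode = $hex.Substring(4, 2)   # '00' = up to date, '10' = out of date
        Write-Verbose "  product byte: $stateCode, signature byte: $signatureCode"

        [PSCustomObject]@{
            ComputerName = $ComputerName
            Product      = $product.displayName
            Enabled      = $stateCode -in '10', '11'
            UpToDate     = $signatureCode -eq '00'
            ProductState = "0x$hex"
            LastUpdated  = $product.timestamp
        }
    }
}

# Local machine with the hex shown, then a remote machine (assumed host name) over WinRM
Get-AntiVirusStatus -Verbose
Get-AntiVirusStatus -ComputerName 'WKS01' | Format-Table -AutoSize
```

On a server, or when you only care about Defender, Get-MpComputerStatus from the Defender module reports AntivirusEnabled and signature age directly and does not depend on the undocumented productState layout.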


One last rambling: there are more $env: variables in PowerShell than there are in the Windows GUI. What a pain to get to the real stuff in Windows now. I know the smartphone generation likes clean, "modern"-looking GUI settings. I miss you, Windows 2000! As promised, this post was mostly just ramblings. Hope you have fun rambling your way through PowerShell.


Learning PowerShell Failures & Ramblings: Part 1, Windows Updates, the Registry, and Compare-Object.

Warning: this post is just rambling on, sharing the fun of learning PowerShell. The tide is finally starting to turn. On one side, my procrastination and limited skills vs. a growing desire and ever-growing knowledge. Time to open a PowerShell script-alike-function I created some time ago. Basically, a function is a script that can be used like a cmdlet. Instead of running a script by file name, you load a script containing a function or group of functions. So, what's that make a script-alike-function? It is what you create when you don't know what you are doing. I now know plenty to get myself in trouble. My script-alike-function is named get-hitech. I have dreams of using PowerShell to help with HIPAA/HITECH in small networks. HITECH has some administrative requirements about tracking user accounts, and firewalls/anti-virus/updates must be enabled. My script-alike-function has multiple half-finished information-gathering functions and scripts. I plan to cover each info-gathering function with a post. My ramblings in this post cover the few lines of code for gathering information on the settings for Windows Update, kind of.

Here's the little code that was dealing with Windows updates. I think the comment section is the most useful part. The code uses the PowerShell drive HKLM: to access HKEY_LOCAL_MACHINE in the Windows registry as if it were a storage drive. Get-ChildItem is retrieving (getting) the settings for Windows Update and storing this info in a variable named $UpdateAU (strictly, Get-ChildItem lists the subkeys under a key; the values stored inside a key come from Get-ItemProperty). For those who don't know, PowerShell can open the registry; just type "cd hklm:" into PowerShell.

Here's the output of this coding gem. At least thanks to my comment section I know what 0 equals.

My first thought is to apply what I learned from Mr. Jones and Mr. Hicks' book, "Learn PowerShell ToolMaking…". That is, I'll use a hash table to store the data, use the table to create a PSObject, and then output the object. I wasn't sure what data I had to store in the hash table. OK, so by piping to Format-List I could see what little my $UpdateAU variable had to work with. For those super newbies, this is a pipe: |. And PowerShell has aliases for commands, so Format-List is fl.

You've got to start somewhere, right? So I created the hash table named $props. Then I used something called a "switch statement", which is just a single statement that replaces multiple if statements.

Here's the output. Well, the switch is working. I'm shocked. It doesn't look like I got the "UpdatesEnable" output right. I'm not even sure the 0 is what I think; better test that later by changing my update settings in Windows and running the code again.
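The hash table, switch and PSObject pattern from the book, applied to the Windows Update settings, as an added example for this post (not the get-hitech code). It reads the two registry keys that hold the Automatic Updates setting (Group Policy under Policies\, otherwise the local key under CurrentVersion\) with Get-ItemProperty rather than Get-ChildItem, because the setting is a value, not a subkey, and it turns AUOptions into the true/false "updates enabled" answer. The AUOptions meanings are the documented ones for the Configure Automatic Updates policy; the meaning of 1 comes from the older non-policy key and is the assumption to verify on your own Windows 10 box.

```powershell
function Get-WindowsUpdateSetting {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $reader = {
        # A Group Policy setting lands under Policies\ and overrides the local key under CurrentVersion\
        $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
        $localPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

        # Get-ChildItem would only list subkeys; the settings are values, so use Get-ItemProperty.
        # A missing key just yields $null instead of a red error.
        $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
        $local  = Get-ItemProperty -Path $localPath  -ErrorAction SilentlyContinue

        # Work out which value actually governs this machine
        if ($policy -and $policy.NoAutoUpdate -eq 1) {
            $source = 'Policy'; $auOptions = 1
        }
        elseif ($policy -and $null -ne $policy.AUOptions) {
            $source = 'Policy'; $auOptions = $policy.AUOptions
        }
        elseif ($local -and $null -ne $local.AUOptions) {
            $source = 'Local'; $auOptions = $local.AUOptions
        }
        else {
            $source = 'None'; $auOptions = $null
        }

        # One switch instead of a pile of if statements
        if ($null -eq $auOptions) {
            $description = 'Not set (Windows default behaviour applies)'
        }
        else {
            $description = switch ($auOptions) {
                1       { 'Automatic updates disabled' }        # assumption: legacy value on the local key
                2       { 'Notify before download' }
                3       { 'Auto download, notify before install' }
                4       { 'Auto download and schedule install' }
                5       { 'Local admin chooses the setting' }
                default { "Unknown AUOptions value $auOptions" }
            }
        }

        # true/false the way the original code wanted; $null when nothing is configured
        $updatesEnabled = if ($null -eq $auOptions) { $null } else { $auOptions -ne 1 }

        # WSUS server, if policy points updates somewhere other than Microsoft
        $wsus = $null
        if ($policy) {
            $wsus = (Get-ItemProperty -Path (Split-Path $policyPath) -ErrorAction SilentlyContinue).WUServer
        }

        $props = [ordered]@{
            ComputerName   = $env:COMPUTERNAME
            Source         = $source
            AUOptions      = $auOptions
            Description    = $description
            UpdatesEnabled = $updatesEnabled
            WSUSServer     = $wsus
        }
        New-Object -TypeName PSObject -Property $props
    }

    if ($ComputerName -eq $env:COMPUTERNAME) { & $reader }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $reader }
}

Get-WindowsUpdateSetting | Format-List
```

Change the setting in the GUI or with gpupdate and run it again; Source flips between Local and Policy, which is the quickest way to confirm which key your edition of Windows actually writes to.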

Now for my real ramblings… Are there not more settings in Windows 10? Will this code work in Win7 and Win10? Does anyone even care about 8 and 8.1? And how do I get the updates-enabled value to show true or false? The Settings screen on my Windows 10 Developer Edition for sure has more options than I have in PowerShell. Where are these options stored in the registry? Well, I could search the web, but that's not as fun as PowerShell.

So how about that whole Compare-Object thing PowerShell supports? Could I save the registry as a file, make the changes in the GUI, then save the registry again, and finally compare the two files? Right off the bat, I made a few mistakes. First, I did not read Help Compare-Object -Detailed! Second, I failed to use the -Recurse parameter with Get-ChildItem. Third possible mistake: I used JSON files, only because I have been playing with the JSON file Chrome stores its bookmarks in. Would CliXML files be better? Notice I also forgot to provide a required parameter, so PowerShell prompted me.

I have never used Compare-Object. Why would I need files to compare? Maybe I just need two variables to compare, as shown by the help system in PowerShell. Seems like a variable is more object-like, right?

Off to a great start: huge error message. Why is access not allowed? Doesn't look like a PowerShell problem. Looks like a permission, access control list, file-in-use??? Mr. Don Jones is right: PowerShell is a great way to learn or reinforce your knowledge on all types of stuff. You just have fun trying and learning.

I now turn to the Internet and search for "user access to HKLM". I find something about assigning permissions with the Windows Registry Editor (Regedit).

Wait a minute, why don't I just try to export the registry as a file from Regedit? Because I do have some rules about manually modifying the registry: only on a test VM and/or only on someone else's machine.

Here we go, let's get some content from a file and save it as a variable… and PowerShell is now using 6GB of RAM! Better save this post just in case Windows goes crazy. Thinking maybe exporting the whole registry was a little much. Ctrl-C, Ctrl-C, Ctrl-C, please PowerShell stop. Well, I'm just going to close PowerShell now.


OK, this time I'll just export Policies and not the whole registry. Umm, 28K vs. 477MB. Get-Content did seem to work, or at least there were no errors.

Either I did something wrong (not me) or there is nothing different about my two objects. Not sure I'm going to find what I'm looking for with just a small amount of the registry. But HKLM\SOFTWARE is 358MB.


Now what? I'm not sure whether Compare-Object would work for finding new registry keys or not. You know the best thing about your own rules: you can break them. I exported the registry settings for Paint.NET. I manually added a test entry and exported another file. Bam, there's the difference. I'm going to have to play with the registry and Compare-Object on my much faster workstation. Maybe I should just compare the two saved exported registry files, and go back to using JSON? Again, that's the fun of PowerShell.
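The before/after comparison done in memory, as an added example for this post (not the get-hitech code). Three things explain the failures above: Get-ChildItem lists keys, so the values that actually change are never in the variables unless you read them per key; Compare-Object compares objects by their string form unless you pass -Property, so two arrays of RegistryKey objects that print the same look identical; and recursing all of HKLM hits keys like HKLM\SECURITY and HKLM\SAM that only SYSTEM can read, which is the access-denied error (skipped here with -ErrorAction SilentlyContinue). Reading a 477MB .reg file with Get-Content builds one string object per line, hence the 6GB; snapshotting one subtree as objects avoids the file entirely. The test key HKCU:\Software\GetHitechTest is a made-up throwaway key in the user hive, created and removed by the example.

```powershell
function Get-RegistrySnapshot {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )
    # Start key plus every subkey. SilentlyContinue skips keys the current user cannot open
    # (HKLM\SECURITY, HKLM\SAM) instead of stopping on "access denied".
    $keys = @(Get-Item -Path $Path -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        # The values live inside each key; Get-ChildItem alone never shows them
        foreach ($name in $key.GetValueNames()) {
            $displayName = if ($name -eq '') { '(Default)' } else { $name }
            [PSCustomObject]@{
                Key   = $key.Name
                Name  = $displayName
                Value = ($key.GetValue($name) -join ',')   # flatten MultiString/Binary to one string
            }
        }
    }
}

function Compare-RegistrySnapshot {
    param(
        [Parameter(Mandatory)][object[]]$Reference,
        [Parameter(Mandatory)][object[]]$Difference
    )
    # -Property is the part the help page insists on: without it Compare-Object compares
    # the objects' ToString() output and reports "no differences".
    Compare-Object -ReferenceObject $Reference -DifferenceObject $Difference -Property Key, Name, Value |
        Select-Object Key, Name, Value,
            @{ Name = 'Change'; Expression = { if ($_.SideIndicator -eq '=>') { 'New/changed' } else { 'Old/removed' } } }
}

# Demo on a throwaway key in HKCU (assumption: nothing else uses this key)
$testKey = 'HKCU:\Software\GetHitechTest'
New-Item -Path $testKey -Force | Out-Null
New-ItemProperty -Path $testKey -Name 'AUOptions' -Value 4 -PropertyType DWord -Force | Out-Null

$before = @(Get-RegistrySnapshot -Path $testKey)

# "Make the change in the GUI": here done with cmdlets so the demo runs unattended
Set-ItemProperty -Path $testKey -Name 'AUOptions' -Value 2
New-ItemProperty -Path $testKey -Name 'NoAutoUpdate' -Value 1 -PropertyType DWord -Force | Out-Null

$after = @(Get-RegistrySnapshot -Path $testKey)

# Expected: AUOptions 4 as Old/removed, AUOptions 2 and NoAutoUpdate 1 as New/changed
Compare-RegistrySnapshot -Reference $before -Difference $after | Format-Table -AutoSize

Remove-Item -Path $testKey -Recurse -Force
```

To find where the Windows 10 Settings screen stores an option, point $Path at HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate and HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, snapshot, flip the option in the GUI, snapshot again and compare; the subtrees are small enough that it finishes in seconds.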


Took about 10 seconds to manually find these settings in Regedit. There are most of the other Windows Update settings. Better add those to my get-hitech script-alike-function so I have them.

That will do for my first IT post ever.

My goals for these failures and ramblings posts are to help people realize you don't have to be a genius to learn PowerShell. Most importantly, it's not just about PowerShell: learning and failing with PowerShell will reinforce your knowledge of other subjects. I guess there will have to be a Part 1A just to finish my function for gathering information on Windows Updates. As a side note, Mr. Don Jones is right about PowerShell. It is just one of many tools out there. There are likely much better tools for dealing with HITECH in small offices: Microsoft Operations Management, Group Policy reports, Intune, Pulseway, Kaseya, Server Essentials features, just to name a few. Anyways, I better stop rambling.