With all previous releases of Firefox, we used to check the version of firefox.exe to find out which version it was.

With Firefox 10.0 executable, we had a version 10.0.0.4412 for the ESR and 10.0.0.4411 for the release update channel but for firefox 10.0.1, we have both 10.0.1.4421 which doesn’t allow us to differentiate between the ESR and the release channel version anymore.

I’ve asked the Enterprise Working group and got the following answer from the Ben Hearsum

The only way to distinguish between the two versions these days is through the application.ini file. The SourceRepository field in the [App] section will be “http://hg.mozilla.org/releases/mozilla-esr10″ for this line of ESR builds. (When we start the next line of ESR at Firefox 17 this will change, of course.)

The version you’re looking at isn’t used by us at all. The only thing we do is guarantee that it doesn’t go backwards.

Powershell, to the rescue…

#Requires -Version 3.0

<#
.SYNOPSIS    
    Get the channel and version of Mozilla Firefox
 
.DESCRIPTION  
    Get the channel and version of Mozilla Firefox
 
.PARAMETER ComputerName
    Non mandatory parameter, array of remote computernames
 
.PARAMETER Credential
    Non mandatory parameter, credential used to contact remote computer

.NOTES    
    Name: Get-FirefoxInfo
    Author: Emin Atac
    DateCreated: 19/02/2012
 
.LINK    
    http://p0w3rsh3ll.wordpress.com
 
.EXAMPLE    
    .\Get-FirefoxInfo.ps1

    Channel         Version
    -------         -------
    release         10.0
    
    Returns the channel and version of Mozilla Firefox found locally
.EXAMPLE    
    .\Get-FirefoxInfo.ps1 -ComputerName "PAR903","127.0.0.1"
    Returns the channel and version of Mozilla Firefox of the two remote computers

.EXAMPLE    
    .\Get-FirefoxInfo.ps1 -ComputerName "remoteComputer1","remoteComputer2" -Credential (Get-Credential) 
    Use the credentials you specified to retrieve the channel and version of Mozilla Firefox of the two remote computers
#>

[cmdletbinding(DefaultParameterSetName='',SupportsTransactions=$false)]
param(
    [Parameter(Mandatory=$false,ParameterSetName='',ValueFromPipeline=$true,Position=0)]
    [system.array]$ComputerName=$null,

    [parameter(Mandatory=$false,ParameterSetName='',ValueFromPipeline=$true,Position=1)]
    [System.Management.Automation.PSCredential]$Credential = $null
)

# Build a hashtable for splatting
$otherparams = @{}
if ($credential)
{
    $otherparams += @{Credential = $Credential}
}
# Note to myself: both test-path and get-content support PScredential inputs

if ($ComputerName -ne $null)
{
    foreach ($computer in $ComputerName)
    {
        # Variable reset
        $osprop = $programfiles = $appinipath = $content = $sourcerep = $URL = $channel = $sourcever = $version = $MFOjb = $null
        # We need to get the target OS architecture and systemdrive
        try
        {
            $osprop = @(Get-WmiObject -Query "Select * FROM Win32_operatingsystem" -ComputerName $computer -ErrorAction Stop @otherparams)
        } 
        catch
        {
            # WMI was unable to retrieve the information
            switch ($_)
            {
                {$_.Exception.ErrorCode -eq 0x800706ba} { $reason =  "Unavailable (offline, firewall)" }
                {$_.CategoryInfo.Reason -eq 'UnauthorizedAccessException' } { $reason = "Access denied" }
                default { $reason  = $_.Exception.Message }
            }
            Write-Host -ForegroundColor Yellow  -Object "Failed to connect to WMI on $Computer because: $reason"
            # break
        } # end of catch
        
        if (($osprop.Count -ne 0) -and ($osprop -ne $null))
        {
            # Based on the OS architecture, we set the target program files directory
            if ($osprop[0].OSArchitecture -eq "64-bit")
            {
                $programfiles = "Program Files (x86)"
            } else {
                $programfiles = "Program Files"
            }
            # Now we are ready to build the full target path
            $appinipath = "\\" + $computer + "\" + ($osprop[0].SystemDrive -Replace ":","$") + "\" +  $programfiles + "\Mozilla Firefox\application.ini"
            # $appinipath
            if (Test-Path -Path $appinipath @otherparams)
            {
                try
                {
                    $content = Get-Content -Path $appinipath @otherparams
                } catch {
                    $reason  = $_.Exception.Message
                    Write-Host -ForegroundColor Yellow  -Object "Failed to use get-content against $computer because: $reason"
                }
                if ($content -ne $null)
                {
                    # Look for the SourceRepository into the application.ini file
                    $sourcerep = @($content | Select-String -Pattern "^SourceRepository=http")
    
                    if ($sourcerep.Count -ne 0)
                    {
                        # Cast the URL into a System.URI object and split its segments properties
                        $URL = ([System.URI](($sourcerep[0] -split "=")[1].ToString())).Segments[2]
                        if ($URL -eq "mozilla-release")
                        {
                            $channel = "release"
                        } elseif ($URL -match "mozilla-esr") {
                            $channel = "esr"
                        } else {
                            Write-Host -ForegroundColor Red -Object ("SourceRepository not recognised in $appinipath")
                            $channel = "Unknown"
                        }
                    } else {
                        Write-Host -ForegroundColor Red -Object ("SourceRepository not found in $appinipath")
                    }
    
                    # Look for the Version into the application.ini file
                    $sourcever = @($content | Select-String -Pattern "^Version=\d{2}\.\d{1}")
                    if ($sourcever.Count -ne 0)
                    {
                        $version = [system.version]($sourcever[0] -split "=")[1].ToString()
                    } else {
                        Write-Host -ForegroundColor Red -Object ("Version not found in $appinipath")
                        $version = "Unknown"
                    }
                    # Build a custom object
                    $MFobj = New-Object -TypeName PSObject -Property @{
                        Channel = $Channel
                        Version = $Version
                    }
                    # Return it
                    Write-Output -InputObject $MFobj
                } #end of if $content -ne $null
            } else {
                Write-Host -ForegroundColor Red -Object ("Cannot find a recent installed version of Firefox in $appinipath")
            } # end of test-path
        } # end of osprop is null
    } # end of foreach computer
} else {
    # No paramter has been passed, so we can use the new .Net 4 static property of system.environnemet for performance reasons compared to WMI
    if ([system.environment]::Is64BitOperatingSystem)
    {
        $programfiles = ${env:ProgramFiles(x86)}
    } else {
        $programfiles = $env:ProgramFiles
    }

    if (Test-Path -Path "$programfiles\Mozilla Firefox\application.ini")
    {
        $content = Get-Content -Path "$programfiles\Mozilla Firefox\application.ini"
    
        # Look for the SourceRepository into the application.ini file
        $sourcerep = @($content | Select-String -Pattern "^SourceRepository=http")
    
        if ($sourcerep.Count -ne 0)
        {
            # Cast the URL into a System.URI object and split its segments properties
            $URL = ([System.URI](($sourcerep[0] -split "=")[1].ToString())).Segments[2]
            if ($URL -eq "mozilla-release")
            {
                $channel = "release"
            } elseif ($URL -match "mozilla-esr") {
                $channel = "esr"
            } else {
                Write-Host -ForegroundColor Red -Object ("SourceRepository not recognised in your $programfiles\Mozilla Firefox\application.ini")
                $channel = "Unknown"
            }
        } else {
            Write-Host -ForegroundColor Red -Object ("SourceRepository not found in your $programfiles\Mozilla Firefox\application.ini")
        }
    
        # Look for the Version into the application.ini file
        $sourcever = @($content | Select-String -Pattern "^Version=\d{2}\.\d{1}")
        if ($sourcever.Count -ne 0)
        {
            $version = [system.version]($sourcever[0] -split "=")[1].ToString()
        } else {
            Write-Host -ForegroundColor Red -Object ("Version not found in your $programfiles\Mozilla Firefox\application.ini")
            $version = "Unknown"
        }
        # Build a custom object
        $MFobj = New-Object -TypeName PSObject -Property @{
            Channel = $Channel
            Version = $Version
        }
        # Return it
        Write-Output -InputObject $MFobj
    } else {
        Write-Host -ForegroundColor Red -Object ("Cannot find a recent installed version of Firefox in $programfiles")
    }
}

To help me translate those resource back into strings, I could have used Tobias Weltner’s brillant Get-ResourceString function available on this page but I wanted to dig further and learn more about timezones.

I know that there isn’t any simple way to set a timezone on a computer. Either you have a running computer and you should use the tzutil command or you have an offline image and you can use the dism command.

My goal wasn’t to set a timezone, but if you’re interested in performing this task, let me also mention that there’s a script available on the Technet script gallery that is a wrapper of the tzutil command called Set-TimeZone.ps1. Even more interesting, the DeploymentGuys posted a way to set a timezone in powershell on their blog.

To learn what’s behind the scene, I fired up a procmon and checked what the tzutil.exe /l command does. As you can see, it reads the “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones” and its subkeys. I decided that in addition to the translation of resources, the second feature of my powershell script would read this key and dump the same output as the tzutil.exe /l command. Exploring the registry subkeys also helped me brought all the pieces together, as well as link these two goals and gave me an alternative to Tobias Weltener’s Get-ResourceString function.

Along the learning path, I’ve discovered two useful links:

…and I’ve also learned 3 things:

The ‘New-Object System.DateTime 2006, 3, 21, 2, 0, 0′ that Thomas Lee uses, has an ‘unspecified’ kind whereas you’ll get a ‘Kind’ property set to ‘Local’ if you use the Get-Date cmdlet to create a datetime object. This has some importance to use the ConvertTimeToUtc method of the .net TimeZoneInfo object.

There’s a “General Date Short Time (“g”) Format Specifier” that can be used to format datetimes object.

# Method 1
(Get-Date).ToString('dd/MM/yyyy HH:mm')
# Method 2
Get-Date -Format g
# Method 3
$date = Get-Date
"{0:dd}/{1:MM}/{2:yyyy} {3:HH}:{4:mm}" -f $date, $date, $date, $date, $date
# so 'g' is actually this:
$host.CurrentCulture.DateTimeFormat.ShortDatePattern + " " + $host.CurrentCulture.DateTimeFormat.ShortTimePattern

Finally here’s my Get-TZ.ps1 script, enjoy

#Requires -Version 2.0

<#
 
.SYNOPSIS    
    Get either all timezones, the local timezone or timezone properties on remote computers
 
.DESCRIPTION  
    Get either all timezones, the local timezone or timezone properties on remote computers

.PARAMETER Local
    Shows the local timezone
 
.PARAMETER All
    Show all timezones the same way the tzutil /l command does

.PARAMETER Full
    Must be specified with the All parameter in order to show all timezones with 4 columns: CurrentTime,DisplayName,Id,TimeSpan

    CurrentTime: time at specified location formatted in dd/MM/yyyy HH:mm 
    DisplayName: (UTC +/- HH:mm) Location
    Id: the <time zone ID>, i.e., it's name
    TimeSpan: a timespan object of the timezone

.PARAMETER FindResource
    Specifies the array of strings to look for

.PARAMETER ComputerName
    Specifies the array of computername to use to read their timezone using WMI

.PARAMETER Credential
    Specifies the credential to use to query remote computers

.EXAMPLE    
    Get-TZ.ps1 -Local

    Id          : Romance Standard Time
    CurrentTime : 11/02/2012 16:27
    DisplayName : (UTC+01:00) Brussels, Copenhagen, Madrid, Paris
    MUI_Std     : @tzres.dll,-302
    MUI_Display : @tzres.dll,-300
    MUI_Dlt     : @tzres.dll,-301
    TimeSpan    : 01:00:00
    Dlt         : Romance Daylight Time
    Std         : Romance Standard Time

    Returns the local timezone as a PSCustomObject

.EXAMPLE    
    Get-TZ.ps1 -All
    Retrieve all the timezones from the registry and display them the same way tzutil /l does.
 
.EXAMPLE    
    Get-TZ.ps1 -All -Full
    Retrieve all the timezones from the registry and display them the same way tzutil /l does, with two addtional columns: CurrentTime and TimeSpan
 
.EXAMPLE
    Get-TZ.ps1 "."
    Get the timezone of the local computer with WMI (the computername is the default parameter and it can be omitted)
 
.EXAMPLE    
    .\Get-Tz.ps1 -Computername remotecomputer1,remotecomputer2
    Get the timezone of two remote computers with WMI
  
.EXAMPLE    
    .\Get-Tz.ps1 -Computername remotecomputer1,remotecomputer2 -Credential (Get-Credential)
    Get the timezone of two remote computers with WMI using the specified prompter credential

.EXAMPLE
    .\Get-Tz.ps1 -FindResource "@tzres.dll,-300"

    Id          : Romance Standard Time
    CurrentTime : 11/02/2012 16:33
    DisplayName : (UTC+01:00) Brussels, Copenhagen, Madrid, Paris
    MUI_Std     : @tzres.dll,-302
    MUI_Display : @tzres.dll,-300
    MUI_Dlt     : @tzres.dll,-301
    TimeSpan    : 01:00:00
    Dlt         : Romance Daylight Time
    Std         : Romance Standard Time
    
    Show all the timezones that have this specific resource.

.NOTES    
    Name: Get-TZ
    Author: Emin Atac
    DateCreated: 11/02/2012
 
.LINK    
    http://p0w3rsh3ll.wordpress.com
 
#>

[CmdletBinding(DefaultParameterSetName='GetRemoteTZ', SupportsTransactions=$false)]
param(
   [Parameter(ParameterSetName='LocalTZ', Mandatory=$false, Position=0)]
    [System.Management.Automation.SwitchParameter]${Local},

    [Parameter(ParameterSetName='Tzutil', Mandatory=$false, Position=0)]
    [System.Management.Automation.SwitchParameter]${All},

    [Parameter(ParameterSetName='Tzutil', Mandatory=$false, Position=1)]
    [switch]${Full},

    [Parameter(ParameterSetName='Find', Mandatory=$true, Position=0)]
    [string[]]${FindResource},

    [Parameter(ParameterSetName='GetRemoteTZ', Mandatory=$true, Position=0)]
    [string[]]${Computername},

    [Parameter(ParameterSetName='GetRemoteTZ', Mandatory=$false, Position=1)]
    [System.Management.Automation.PSCredential]${Credential}
)

# Build a hashtable for splatting
$otherparams = @{}
if ($credential)
{
    $otherparams += @{Credential = $Credential}
}

# Read the main key where all time zones are stored
$root = Get-Childitem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones"

# Get the current local date time
$mydatetime = [datetime]::Now

# Initialize an empty array
$allTZobj = @()

# Loop into each subkey representing a timezone
foreach ($i in $root)
{
    # Write-Verbose -Message "Dealing with $($i.Name)" -Verbose:$true

    # Build the subkey path    
    $subkey = Join-Path -Path $i.PSParentPath -ChildPath $i.PSChildName

    # Get its properties
    $subkeyproperties = Get-ItemProperty -Path $subkey

    # There isn't any IsObsolete value, ie, it's null, then it's what we are looking for
    if ($subkeyproperties.IsObsolete -eq $null)
    {
        $Object = $null
        # Build an object to store all the properties we are interested in
        $Object = New-Object -TypeName PSObject -Property @{
            Id = $i.PSChildName
            Std = $subkeyproperties.Std
            TimeSpan = [System.TimeZoneInfo]::FindSystemTimeZoneById($i.PSChildName).BaseUtcOffset
            CurrentTime = ([System.TimeZoneinfo]::ConvertTime($mydatetime,([System.TimeZoneInfo]::FindSystemTimeZoneById($i.PSChildName)))).tostring('g')
            DisplayName = $subkeyproperties.Display
            Dlt = $subkeyproperties.Dlt
            MUI_Display = $subkeyproperties.MUI_Display
            MUI_Std = $subkeyproperties.MUI_Std
            MUI_Dlt = $subkeyproperties.MUI_Dlt
            }
    # Add this new object to our main array
    $allTZobj += $Object
    }
}

switch ($PsCmdlet.ParameterSetName)
{ 
    Tzutil {
        # If the additional Full switch was specified, display two additional columns
        if($PSBoundParameters['Full'])
        {
            $allTZObj | Select-Object -Property CurrentTime,DisplayName,Id,TimeSpan | Sort-Object -Descending:$false -Property TimeSpan
        } else {
            # Display the same output as tzutil /l
            # Use timespan to sort like tzutil /l but only display the same 2 properties as tzutil /l
        $allTZObj | Sort-Object -Descending:$false -Property TimeSpan | Select-Object -Property DisplayName,Id
        }
    } # end of Tzutil

    Find {
        # Parse our array and find any timezone that matches the string we specified
        foreach ($Resource in $FindResource)
        {
            $allTZObj | Where-Object { ($_.MUI_Std -eq $Resource) -or ($_.MUI_Display -eq $Resource) -or ($_.MUI_Dlt -eq $Resource)}
        }
    } # end of Find
    
    LocalTZ {
        # Parse our array and find the current time on the local computer
        $allTZObj | Where-Object { $_.Displayname -eq ([System.TimeZoneInfo]::Local).ToString()}
    } # end of LocalTZ
    
    GetRemoteTZ {
        # Read the timezone of remote computers using WMI and parse our array to display their timezone properties
        foreach ($Computer in $ComputerName)
        {
            # Define the  HKLM Constant and the Key we are looking for
            $HKLM = 2147483650
            $Key = "SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
            try
            {
                $result = Invoke-WmiMethod -Path "ROOT\DEFAULT:StdRegProv" -ComputerName $Computer -Name GetStringValue -ArgumentList $HKLM,$Key,"StandardName"  -ErrorAction Stop @otherparams
            }
            catch
            {
                # WMI was unable to retrieve the information
                switch ($_)
                {
                    {$_.Exception.ErrorCode -eq 0x800706ba} { $reason =  "Unavailable (offline, firewall)" }
                    {$_.CategoryInfo.Reason -eq 'UnauthorizedAccessException' } { $reason = "Access denied" }
                    default { $reason  = $_.Exception.Message }
                }
                Write-Host -ForegroundColor Yellow  -Object "Failed to connect to WMI on $Computer because: $reason"
            }
            if ($result.sValue -ne $null)
            {
                $allTZObj | Where-Object { ($_.MUI_Std -eq $result.sValue) -or ($_.MUI_Display -eq $result.sValue) -or ($_.MUI_Dlt -eq $result.sValue)}
            }
        }
    } # end of GetRemoteTZ
} # end of switch

    

Import-Module -Name "GroupPolicy"
Import-Module -Name "Applocker"

# Read the GPO and store it as an XML object
$GPO = [xml](Get-AppLockerPolicy -Ldap ("LDAP://" + (Get-GPO -Name "Computers Parameters").path) -Domain -XML)

(($GPO.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq "Exe"}).FilePathRule) | ForEach-Object {

        $string = $_.Conditions.FilePathCondition.Path

        # Use a regular expression that represents 
        # \\servername\share\* or \\servername\share$\* or
        # \\server.fqdn.domain.suffix\share\* or \\server.fqdn.domain.suffix\share$\*
        $pattern = '^\\\\\b([A-Za-z0-9_\.\-]+)\\\b([A-Za-z0-9_\.\-]+(\$)?)\\\*$'
        if ($string -match $pattern)
        {
                if (Test-Path -Path ($string -replace "\*","") -ErrorAction SilentlyContinue)
                {
                    Write-Host -ForegroundColor Green -Object ($string + " -> ok")
                } else {
                    Write-Host -ForegroundColor Red -Object ($string + " -> not resolved !")
                }
        } else {
            Write-Host -ForegroundColor Yellow -Object ($string + " -> ignored / not verified")
        }
    }    

and got the following result displayed

My original idea was actually to be able to replace our brave old (and still working) rmtshare.exe from the NT4.0 resource kit. In other words I wanted to be able to provide the same functionnalities as the ‘net share’ command and the ‘rmtshare’ commmand.

Here are some examples of what I wanted to achieve:

WMI is very resourceful in this case but it’s unfortunately unable to get the caching mode of each share. The only way to do it that I found on the web is by using the code provided on this page. (NB: I’ve not tested it). Of course, using the WMI approach will be much slower than using API calls, but it’s not the main goal.

To be able to display the users currently accessing the share I’ve used the Win32_ConnectionShare class and the [WMI] type accelerator. The power of WMI is that the Dependent key contains a full path including the computername and the WMI accelerator is able to work accross the network. The only drawback of the WMI accelerator is that you can’t specify a credential to access a remote computer.

For share permissions, I took a different approach than Richard’s one. I query the Win32_LogicalShareAccess class, its AccessMask and Trustee properties. I don’t test the binary to translate it into all the subatomic permissions granted. I’ve simplified it to display only the 3 “Read”,”Change” and “Full control” available both in the UI and the output of the ‘net share’ command.

The script below can run on a local computer and target remote computers as well (specified as an array, see help)
You can use credentials to access remote computers if required.
The script will work both on Windows 7 or Windows XP.

Enjoy

    

#Requires -Version 2.0

<#
 
.SYNOPSIS    
    Get share related info from WMI
 
.DESCRIPTION  
    Get share related info from WMI
 
.PARAMETER ComputerName
    Non mandatory parameter, array of computernames, the default value is "." which means localhost in WMI.
 
.PARAMETER ShareName
    Non mandatory parameter, array of share names, when not specified, all shares are returned like the net share command
    When a share name is specified, it will return the output of the 'net share sharename' command

.PARAMETER Credential
    Non mandatory parameter, credential used to contact remote computer

.NOTES    
    Name: Get-Share
    Author: Emin Atac
    DateCreated: 05/02/2012
 
.LINK    
    http://p0w3rsh3ll.wordpress.com
 
.EXAMPLE    
    .\Get-Share.ps1 
    Returns all the shares on the local computer with the same output as the 'net share' command
 
.EXAMPLE    
    .\Get-Share.ps1 -ShareName ADMIN$
    Get the properties of the ADMIN$ share with the same output as the 'net share ADMIN$' command
 
.EXAMPLE
    .\Get-Share.ps1 -ShareName test-share$ | Select-Object -ExpandProperty Permissions
    Get the permissions on the 'test-share$' in a more readable format by piping it into the select-object cmdlet
    The same can be achieved with:
    (.\Get-Share -sharename "test-share$").Permissions
 
.EXAMPLE    
    .\Get-Share.ps1 -ShareName test-share$ -ComputerName remotecomputer1,remotecomputer2
    Get the share properties of test-share$ on remote computers
 
.EXAMPLE
    $cred = (Get-Credential)
    .\Get-Share.ps1 -ShareName "test-share1","test-share2" -ComputerName remotecomputer1,remotecomputer2 -Credential $cred
    Get the share properties of 2 shares specified as an array on 2 remote computers specified as an array by using another credential
    NB: Users and Caching mode will be returned as "unknown".
 
#>
 
[CmdletBinding(SupportsShouldProcess=$True)]
param (
[parameter(Mandatory=$false,Position=0)][system.array]$ShareName=$null,
[parameter(Mandatory=$false,Position=1)][system.array]$ComputerName=".",
[parameter(Mandatory=$false,Position=2)][System.Management.Automation.PSCredential]$Credential = $null
)


function ConvertTo-NtAccount
{
<#
 
.SYNOPSIS    
    Translate a SID to its displayname
 
.DESCRIPTION  
    Translate a SID to its displayname
 
.PARAMETER Sid
    Provide a SID
 
.NOTES    
    Name: ConvertTo-NtAccount
    Author: thepowershellguy
 
.LINK    
    http://thepowershellguy.com/blogs/posh/archive/2007/01/23/powershell-converting-accountname-to-sid-and-vice-versa.aspx
 
.EXAMPLE
    ConvertTo-NtAccount S-1-1-0
    Convert a well-known SID to its displayname
 
#>
 
param(
[parameter(Mandatory=$true,Position=0)][system.string]$Sid = $null
)
 begin
 {
    $obj = new-object system.security.principal.securityidentifier($sid)
 }
 process
 {
    try
    {
        $obj.translate([system.security.principal.ntaccount])
    }
    catch
    {
        # To remove the silent fail, uncomment next line
        # $_
    }
 }
 end {}
}

# Handle the sharename parameter and build a unique WMI with all share names in the array
if (-not($sharename))
{
    $Query = "Select * FROM Win32_Share" 
} else {

    for ( $i=0 ; $i -lt $sharename.Count ; $i++)
    {
        if ($i -eq 0)
        {
            $Query = "Select * FROM Win32_Share WHERE " + "Name = '" + $sharename[$i] + "'"
        } else {
            $Query = $Query + " OR Name = '" + $sharename[$i] + "'"
        }
    } # end of for loop
}

# Build a hashtable for splatting
$otherparams = @{}
if ($credential)
{
    $otherparams += @{Credential = $Credential}
}

# Prepare global script variable
$consoleoutput = @()

foreach ($computer in $computername)
{
    try
    {
        $shares = @(Get-WmiObject -ComputerName $computer -Query $Query -ErrorAction Stop @otherparams)
    }
    catch
    {
        # WMI was unable to retrieve the information
        switch ($_)
        {
            {$_.Exception.ErrorCode -eq 0x800706ba} { $reason =  "Unavailable (offline, firewall)" }
            {$_.CategoryInfo.Reason -eq 'UnauthorizedAccessException' } { $reason = "Access denied" }
            default { $reason  = $_.Exception.Message }
        }
        Write-Host -ForegroundColor Yellow  -Object "Failed to connect to WMI on $Computer because: $reason"
        # break
    }

    # If we have shares returned by the above WMI query
    if ($shares.Count -ne 0)
    {
        # Loop
        foreach ($shareitem in $shares)
        {
            # Get the Maximum users properties
            if ($shareitem.AllowMaximum -eq $true)
            {
                $Max = "No limit"
            } else {
                $Max = $shareitem.MaximumAllowed
            }

            # Replace some special characters in the share name to use it as a regular expression pattern with the match operator
            $pattern = $shareitem.Name -replace "\$","\$"
            $pattern = $pattern -replace "\-","\-"
            $pattern = $pattern -replace "\.","\."

            # Get connected users to the share
            $Users = @()
            $shareconnections = @(Get-WmiObject -Class Win32_ConnectionShare -ComputerName  $computer -ErrorAction SilentlyContinue @otherparams)
            if ($shareconnections.Count -ne 0)
            {
                if (-not($credential))
                {
                    ForEach ($share in $shareconnections)
                    {
                        $allconnectedusers = @([wmi]$share.Dependent | Where-Object {$_.ShareName -match $pattern})
                        foreach ($user in $allconnectedusers)
                        {
                            $Users += (New-Object -TypeName PSObject -Property @{Username = $User.Username})
                        }
                    } # end of foreach
                } else {
                    ForEach ($share in $shareconnections)
                    {
                        if ($share.Dependent -match $pattern)
                        {
                            $Users += (New-Object -TypeName PSObject -Property @{Username = $(($share.Dependent  -split "=")[-1] -replace "`"","")})
                        }
                    } # end of foreach
                }
            }

            # Get the caching mode of the share

            # Define the  HKLM Constant and the Key we are looking for
            $HKLM = 2147483650
            $Key = "SYSTEM\CurrentControlSet\services\LanmanServer\Shares"

            $result = Invoke-WmiMethod -Path "ROOT\DEFAULT:StdRegProv" -ComputerName $computer -Name GetMultiStringValue -ArgumentList $HKLM,$Key,$($shareitem.Name)  -ErrorAction SilentlyContinue @otherparams
            
            if ($result.sValue -ne $null)
            {
                # We split the multiline string and just look for the CSCFlags string
                $CSCFlag = $null
                $CSCFlag = ((($result.svalue -split "`n") | Where-Object {$_ -match "^CSCFlags"}) -split "=")[1]
                
                switch($CSCFlag)
                {
                    0  {$Caching = "Manual caching of documents"}
                    16 {$Caching = "Automatic caching of documents"}
                    32 {$Caching = "Automatic caching of programs and documents"}
                    48 {$Caching = "Caching disabled"}
                    default {$Caching = "Unknown"}
                }
            } else {
                    # If we don't find it in the registry, it means it's the default value
                    $Caching = "Manual caching of documents"
            }
           
            # Get Permissions of the share

            # Change a little bit our pattern
            $pattern = $pattern + "`"$"

            # Reset array
            $Permissions = @()
                    
            # Now get the permissions for our share
            $shareperms = @(Get-WmiObject -Class Win32_LogicalShareAccess -ComputerName  $computer -ErrorAction SilentlyContinue @otherparams| Where-Object {$_.SecuritySetting -match $pattern})
                    
            # If we don't find it in the class, it means it's the default "everyone, full control"
            if ($shareperms.Count -eq 0)
            {
                    $Permissions = New-Object -TypeName PSObject -Property @{            
                            Username = "Everyone" 
                            AccessMask = "Full Control"
                    }
            } else {
                # Loop foreach permission returned by the WMI query of the Win32_LogicalShareAccess class
                ForEach ($perm in $shareperms)
                {
                    # Convert the SID property to a username
                    $Username = $Permission = $null
                    $Username = ConvertTo-NtAccount -SID (($perm.Trustee -split "=")[1] -replace "`"","")

                    # Change the binary to a human readable string
                    switch($perm.AccessMask)
                    {
                        1179817 { $Mask = "Read"}
                        1245631 { $Mask = "Change"}
                        2032127 { $Mask = "Full Control"}
                        default { $Mask = "Unknown"}
                    }

                    # Add to a custom object
                    $Permission = New-Object -TypeName PSObject -Property @{            
                            Username = $Username
                            AccessMask = $Mask
                    }

                    # Add the permission to our permissions array
                    $Permissions += $Permission

                } # end of foreach shareperms
            } # end of if shareperms.count

            # Display diffently the share name on a remote computer
            $formattedshare = $null
            if ($computer -ne ".")
            {
                $formattedshare = "\\$Computer\" + $shareitem.Name
            } else {
                $formattedshare = $shareitem.Name
            }

            # Build a final share object with all its properties
            $ShareObject = $null
            $ShareObject = New-Object -TypeName PSObject -Property @{
                "Share name" = $formattedshare
                Path = $shareitem.Path
                Remark = $shareitem.Description
                "Maximum Users" = $Max
                Users = $Users
                Caching = $Caching
                Permissions = $Permissions
                }

            # We can return it now, if we aren't listing all shares
            if (-not($sharename))
            {
                # Format the console output to display the same properties as the 'net share' command
                $consoleoutput += $ShareObject 
            } else {
                # Output the object with all its properties
                Write-Output -InputObject $ShareObject                
            }
        } # end of foreach shares

        # Console output that lists all shares
        if (-not($sharename))
        {
            Write-Output -InputObject $consoleoutput | Select-Object -Property "Share Name",Path,Remark
        }
    } else {
        Write-Host -ForegroundColor Yellow "$sharename share name not found on computer $computer"
    } # end of if shares
} # end of foreach $computername

But, how do we get only users who logged on interactively ?

(get-wmiobject -class Win32_ComputerSystem).Username

Name of a user that is logged on currently. This property must have a value. In a terminal services session, UserName returns the name of the user that is logged on to the console—not the user logged on during the terminal service session.

It is also not as reliable as it seems. It may return an empty value if the user is connected using remote desktop.

We could also query the Win32_LoggedOnUser which seems to be promising.

# To obtain Domain\Username format, we can do:
Get-WmiObject -Class Win32_LoggedOnUser | ForEach-Object { 
    Write-Host -Object (($_.Antecedent.ToString() -split '[\=\"]')[2] + "\" +  ($_.Antecedent.ToString() -split '[\=\"]')[5])
}

# Or more simply if we don't care too much about the format being displayed
Get-WmiObject -Class Win32_LoggedOnUser | ForEach-Object { Write-Host -NoNewline -Object (($_.Antecedent.ToString() -split '[\=\"]')[2,5] + "`n")}

Well, in this case, what I prefer to do is the following. If someone opened an interactive session on a computer, I can assume that the explorer was loaded. So the idea is to get the owner of each explorer.exe process and voilà.

$explorerprocesses = @(Get-WmiObject -Query "Select * FROM Win32_Process WHERE Name='explorer.exe'" -ErrorAction SilentlyContinue)
if ($explorerprocesses.Count -eq 0)
{
    "No explorer process found / Nobody interactively logged on"
} else {
    foreach ($i in $explorerprocesses)
    {
        $Username = $i.GetOwner().User
        $Domain = $i.GetOwner().Domain
        $Domain + "\" + $Username + " logged on since: " + ($i.ConvertToDateTime($i.CreationDate))
    }
}

The problem is that it’s a false positive that Microsoft reintroduced in Windows 7 SP1
Microsoft still only gives us a workaround based on an old fashioned vbscript.

So, here’s how to achieve the same thing as the vbscript by using powershell:

# 
# Delete the eventID 10
#
# http://support.microsoft.com/kb/950375

$obj1  = @(Get-WmiObject -Namespace "root\subscription"  -Query "Select * FROM __EventFilter WHERE Name='BVTFilter'" -ErrorAction SilentlyContinue)
$obj2 = @(Get-WmiObject -Namespace "root\subscription"  -Query "Associators Of {__EventFilter.Name='BVTFilter'} WHERE AssocClass=__FilterToConsumerBinding" -ErrorAction SilentlyContinue)
if ($obj2.Count -eq 0)
{
    Write-Warning -Message "obj2 not found"
} else {

    foreach ($obj in $obj2)
    {
        try 
        {
            $obj.delete()
        }
        catch
        {
            Write-Warning -Message "Failed to delete $obj"
            $_.Exception.ErrorCode 
            $_.CategoryInfo.Reason
            $_.Exception.Message
        }
    }
}

$obj3 = @(Get-WmiObject -Namespace "root\subscription"  -Query "References Of {__EventFilter.Name='BVTFilter'} WHERE ResultClass=__FilterToConsumerBinding" -ErrorAction SilentlyContinue)
if ($obj3.Count -eq 0)
{
    Write-Warning -Message "obj3 not found"
} else {
    foreach ($obj in $obj3)
    {
        try 
        {
            $obj.delete()
        }
        catch
        {
            Write-Warning -Message "Failed to delete $obj"
            $_.Exception.ErrorCode 
            $_.CategoryInfo.Reason
            $_.Exception.Message
        }
    }
}

if ($obj1.Count -eq 0)
{
    Write-Warning -Message "obj1 not found"
} else {
    $obj1[0].delete()    
}

Precisely, I have to create a list of computers and their random 10 characters long passwords that mixes upper and lower case letters compatible with a qwerty and azerty keyboard layout and that doesn’t match a word in a dictionary. The computer names and passwords should be tab separated so that it could be appended to our global passwords file a.xls in order to be readable in Excel (if necessary). Using a tab separated file also allows us to use this file in a scripted manner. It’s being parsed by a central custom script that checks if the password didn’t change on a daily basis.

So here’s the result of my quick and dirty approach for computer names from PTV800 to PTV899.

# Get a list of characters
$list = [Char[]]'bcdefhijklnoprstuvxBCDEFHIJKLNOPRSTUVX'

# Loop 
0..99 | % {
 # Get a 10 characters long random password where each characters is picked up from our list of characters
 $pw = (-join (1..10 | Foreach-Object { Get-Random $list -count 1 }))
 # Build our computername matching our naming convention
 $pcname = "PTV8" + ("{0:00}" -f $_)
 Write-Host -Object ($pcname + "`t" + $pw)
 # Append to our global tab separated file
 Write-Output -InputObject ($pcname + "`t" + $pw)  | Out-File -filepath .\a.xls -Append -NoClobber -Encoding ASCII
}

So I started digging into this subject and found that there are many ways to get the user locale.
You can query the $host variable in your powrshell session:

$host.CurrentCulture

$PSCulture
get-item variable:\PSCulture

[System.Threading.Thread]::CurrentThread.CurrentCulture

(Get-ItemProperty 'HKCU:\Control Panel\International').Locale
(Get-ItemProperty 'HKCU:\Control Panel\International').LocaleName

But, the user locale isn’t what I was looking for. The only way I found to query the System locale is by using WMI:

(Get-WmiObject Win32_OperatingSystem).locale

The WMI query returns a system string that is actually the hexadecimal number of the system locale. I was close to the result and finally used the System.Globalization.CultureInfo .Net object preloaded in the session.

The tip of the week page about Formatting Numbers and Dates Using the CultureInfo Object has a link to the .net object system.globalization.cultureinfo.

Here is how to use it

[System.Globalization.CultureInfo]("en-US")
# The object accepts also a decimal number or a decimal number written in hexadecimal:
[System.Globalization.CultureInfo](1033)
[System.Globalization.CultureInfo](0x409)

Now, I’ve just got to convert the system.string to either a decimal number or a decimal number written in hexadecimal like this:

# Using decimal number written in hexadecimal
[System.Globalization.CultureInfo]([int]("0x" + (Get-WmiObject Win32_OperatingSystem).locale))
# Using a decimal number, i.e, a system.int32
[System.Globalization.CultureInfo]([Convert]::ToInt32((Get-WmiObject Win32_OperatingSystem).locale,16))

Here are additional pages that could be as well useful resources:

This great page speaks also about the system.globalization.cultureinfo and much more:
http://powershell.com/cs/blogs/ebook/archive/2009/03/08/chapter-6-using-objects.aspx

This one shows how to Convert decimal to binary to hexadecimal and vice versa

This page explains precisely what Locale Names are.

And finally this page shows the full list of hexadecimal values and their Locale ID displayname: http://msdn.microsoft.com/en-us/library/cc233968.aspx

#Requires -Version 3.0

<#
    
.SYNOPSIS    
    Download sysinternals tools
   
.DESCRIPTION  
    Download all sysinternal tools to .\live.sysinternals.com directory and update previous files located in current path

.PARAMETER Proxy
    Set the proxy address to use to download
     
.NOTES    
    Name: Get-SysinternalsTools
    Author: Emin Atac
    DateCreated: 14/01/2012
     
.LINK    
    http://p0w3rsh3ll.wordpress.com
     
.EXAMPLE
    .\Get-SysinternalsTools
    Download all the sysinternals tools without a proxy

.EXAMPLE
    .\Get-SysinternalsTools -proxy "http://my.internal.proxy.address"
    Download all the sysinternals tools with a proxy

#>

param
(
[parameter(Mandatory=$false)][System.URI]$Proxy=$null,
[parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$ProxyCredential=$null
)
$otherparams = @{}
if ($proxy)
{
    $otherparams += @{Proxy = $Proxy}
    if ($ProxyCredential)
    {
       $otherparams += @{ProxyCredentials = $ProxyCredential}
    }
}

# Define the download URL
$URL = "http://live.sysinternals.com"

# Make sure we can download into the current path + the "live.sysinternals.com" directory 
$targetdir = Join-path -Path (Get-item $pwd) -ChildPath "live.sysinternals.com"
if (-not(Test-path -path $targetdir))
{
    # Create directory
    try
    {
        New-Item -Path $targetdir -itemtype directory -force -ErrorAction SilentlyContinue | Out-Null
    } 
    catch
    {
        Write-Host -ForegroundColor Red -Object ("Error cannot create destination directory live.sysinternals.com into current path $pwd")
        exit 1
    }
}

# Make sure it is a directory
if ((Get-item -Path $targetdir) -isnot [System.IO.DirectoryInfo])
{
    Write-Host -ForegroundColor Red -Object ("Oops, $targetdir exits but it is not a directory")
    exit 1
}

# Here we go: get all the links from the main page
try
{
    $wr = (Invoke-WebRequest -Uri $URL -ErrorAction SilentlyContinue @otherparams)
}
catch
{
    $_
    exit 1
}

$links = $wr.Links

# Cycle through all these links
foreach ($link in $links)
{
    # Show some progress activity as it can be quiet long...
    $i++
    Write-Progress -activity "Dealing with link: $($link.href)" -status "Percent added: " -PercentComplete (($i/$links.Count)*100)

    # Make sure we avoid directories and download a file
    if ($link.href -notmatch "^/.*/$")
    {
        $content = $wrq = $null
        # Write-Host -ForegroundColor DarkCyan -Object ("Downloading $($link.InnerText)")
        
        try
        {
            $wrq = (Invoke-WebRequest -Uri ($URL+$link.href) -Method GET -ErrorAction SilentlyContinue @otherparams)
        } 
        catch
        {
            # Write-Host -ForegroundColor Red -Object ("Failed to download $($link.InnerText)")
        }
        
        if ($wrq.StatusCode -eq 200)
        {
            $content = $wrq.Content
            $encoding = $null
            # http://en.wikipedia.org/wiki/Mime_type
            # http://technet.microsoft.com/en-us/library/dd347719.aspx
            switch ($wrq.Headers['Content-Type'])
            {
                "text/plain"               { $encoding = [Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding]::string  ; break }
                "application/octet-stream" { $encoding = [Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding]::byte    ; break }
                default                    { $encoding = [Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding]::unknown ; break }
            } # end of switch

            # Save the content that is a system.byte array to a file
            Set-content -value $content -encoding $encoding -path ($targetdir + $link.href)
        }
    }
}

# Now loop and let us know what file is being updated and those remaining identical
Get-ChildItem $targetdir | ForEach-Object {
    if (Test-path (Join-path -path (Get-item $targetdir).PSParentPath -ChildPath $_.Name))
    {
        $newfileversion = $_.VersionInfo.Fileversion
        $oldfileversion = (Get-item (Join-path -path (Get-item $targetdir).PSParentPath -ChildPath $_.Name)).VersionInfo.Fileversion

        if ($newfileversion -ne $oldfileversion)
        {
            Copy-Item -Path $_.Fullname -Destination (Get-item $targetdir).PSParentPath -Force # -Confirm:$true
            Write-Host -ForegroundColor Green -Object ($_.Name + " updated from " + $oldfileversion + " -> " + $newfileversion)
        } else {
            Write-Host -ForegroundColor Green -Object ($_.Name + " identical")
        }
    }
} # end of foreach

The interesting thing with this script is that we can see “nested” (let’s say more than 1) write-progress bars in the console output while it downloads files. Among other interesting things, you have the splatting technique to handle script arguments and the ‘[system.URI]‘ .net object being preserved that nicely handles the port specified in the URL.

The following image shows the final output we get:

I’ve also left inside the script a link to the get-content cmdlet help page where Joel -Jaykul- Bennett and Thomas Lee updated the documentation about the -encoding parameter of the set-content cmdlet. Jason Fossen also shows on this page how to use the set-content cmdlet with the -encoding parameter:
http://www.sans.org/windows-security/2010/02/11/powershell-byte-array-hex-convert.
So let me say, Thank you guys .

I’ve been able to figure out the above by counting the total number of GPO in the domain:

Import-Module -Name "GroupPolicy"
Import-Module -Name "Applocker"

# Running as user who is not domain admin
(Get-GPO -All -Domain "FQDN.of.my.domain" ).Count
32

# Running as domain admin
(Get-GPO -All -Domain "FQDN.of.my.domain" ).Count
33

So, now that I know that I need to run powershell with domain admin credentials, I was able to export the settings of the GPO I was looking for. Here’s how I did it:

# Read the GPO and store it as an XML object
$GPO = [xml](Get-AppLockerPolicy -Ldap ("LDAP://" + (Get-GPO -Name "Computers Parameters").path) -Domain -XML

# Now, I can display only Publisher based rules for executables
($GPO.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq "Exe"}).FilePublisherRule | ft -HideTableHeaders -AutoSize -Property Name,Action