Fast ping

There are sometimes hidden gems on twitter in a single picture.

This guy shared a one liner that Lee Holmes showed at the PowerShell Summit 2015.

It’s still relevant. An IP subnet of 255 IP addresses can be pinged in about 458ms 🙂

Here’s how I’ve been taking advantage of this super fast way of pinging computers

Enjoy 😎


About KB4093118

The KB4093118 page has just been updated and states:


  • This update replaces update 4100480, Windows kernel update for CVE-2018-1038.
  • Resync is required to get newer revision of this KB for WSUS environment

What changed?

  • Before a WSUS sync:
  • (Get-WsusServer).SearchUpdates('2018-04 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4093118)') | 
    Select PublicationState,@{l='UpdateId';e={$_.Id.UpdateId}},
    @{l='RevisionNumber';e={$_.Id.RevisionNumber}},CreationDate,isApproved,isSuperseded | 
    ft -AutoSize

  • What’s the content of the patch
  • (Get-WsusServer).SearchUpdates('2018-04 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4093118)') |
    ForEach-Object {
     Select Name,Modified,Type,@{l='Size';e={'{0:N2} MB'-f($_.TotalBytes/1MB)}},
     @{l='SHA1Hash';e={-join ($_.Hash | ForEach-Object { '{0:X2}' -f $_ })}},

  • What was synchronized?
  • Using the code from this post,

    $SyncUpdates | Select Title,
    CreationDate,PublicationState,isApproved,isDeclined,isSuperseded,has* | 

  • After a WSUS sync:
  • What’s the content of the new patch
  • Notice that a file PCIClearStaleCache.exe has been added and the other files didn’t change (same hashes).

  • What has the new patch superseded?
  • Using this MSDN page to find out the UpdateRelationship value

    [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesSupersededByThisUpdate.value__ -eq 6

    It’s possible to list what this new patch has susperseded:

    (Get-WsusServer).SearchUpdates('2018-04 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4093118)') |
    Where-Object { -not($_.isSuperseded)} |
    ForEach-Object {
     $_ | Add-Member -MemberType ScriptProperty -Name UpdatesSupersededByThisUpdate -Value {
     } -Force -PassThru 
    } | Select -Expand UpdatesSupersededByThisUpdate

It seems for sure that Microsoft has added another binary in the new patch to address the NIC card issue:

Fingers crossed 🙄

Get-WinEvent cmdlet tip to filter noise

I’ve been using Windows 10 and Applocker in ‘Allow mode’ for some time and I need to filter the noise left by the Constrained Mode from the event log.

Windows 10 and PowerShell 5.x introduce a way to protect the interactive shell from copy/paste. If you configure Applocker in ‘Allow mode’ (don’t use default rules when proposed by the GUI), your interactive shell starts in a different LanguageMode named ‘Constrained mode’. Want to read more, start with PowerShell ♥ the Blue Team and about_Language_Modes.

Here’s a quick demo in a picture is worth a thousand words:

Although I’m running an interactive shell with administrative privileges, I cannot use the ToXML() method. I get the symptomatic error message Cannot invoke method. Method invocation is supported only on core types in this language mode.

What’s the challenge here?
It should work in constrained mode and I should figure out the correct XML query 🙄

In other words, I need to find 8007 events from the ‘Microsoft-Windows-AppLocker/MSI and Script’ event log but not those that have the filehash (SHA256) set to: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
This hash is well known, it’s a file with only 1 as content.

Here’s the tip:

If you use the GUI, you can copy/paste the above XML query in the eventvwr