Traverse & Enumerate

You can traverse the Registry like a filesystem thanks to PSProviders.

Get-location

Present dir

Set-location

Change dir

cd HKLM:\\

Navigate the Windows registry

set-location -Path hkcu:

Change current location to the HCKU Hive

set-location -Path software

Change to the Software Key

dir /tc /od c:\\windows\\system32

List all order by date and list creation time

dir /q

Shows file owners

dir /a:h

Shows only hidden files

dir /t:a

Last access time

dir /o:

Filter's by extension, date, etc.

dir /s > dir.txt

Recursive dir to text file

Recursively list the paths of all files in a directory and its subdirectories:

forfiles /p "C:\path\to\directory" /s /c "cmd /c echo @path"

Find applications that begin with Google:

Get-WmiObject Win32_Product -computername win7 -credential fred -filter "Name like '%Google%'"

Lists the Name and MAC times of C:\Windows:

wmic fsdir where (name="C:\\\\Windows") get lastmodified, lastaccessed, creationdate, name

Show file renames that are pending:

reg query "HKLM\System\CurrentControlSet\Control\Session Manager\FileRenameOperations"

Show shell, default domain name, default user name, legal notice, etc.:

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

Shows relevant timestamps:

gci | select name,lastwritetime,creationtime,lastaccesstime

Last updated 1 year ago