Guy Leech
@guyrleech.bsky.social
PowerShell nut. Dog owner. Grandfather
Here's a typical use case for me using -Outvariable in an interactive PowerShell command line where I'm searching for a file so I want visual output as it searches but I also want the results in a variable so I can access more properties later if I need them without searching again
October 29, 2025 at 11:58 AM
Note that the default in secpol.msc says "Not Configured" but it's on by default so enable auditing but don't enable Success. I don't believe that these events are useful - they cause log overwrite of ones that are like process creation & termination
October 1, 2025 at 9:44 AM
Just dug this 2018 tweet out as seeing the issue at a customer:

#Windows Security event log being swamped by 4703 "A token right was adjusted" events? Disable "Audit Authorization Policy Change" by local or group policy. Common with #SCCM
learn.microsoft.com/en-us/previo...
October 1, 2025 at 9:44 AM
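The check behind the two posts above, as an added example that is not from the original posts: it shows which event IDs dominate the Security log, how far back the log reaches, and the current setting of the subcategory. The 20000-event sample size and the English subcategory name passed to auditpol.exe are assumptions.

```powershell
# Added example (not from the original posts). Run from an elevated prompt.
# Assumption: the newest 20000 events are enough to show what dominates the log.
$sample = Get-WinEvent -LogName Security -MaxEvents 20000 -ErrorAction Stop

# Rank event IDs by their share of the sample; a log swamped by 4703 shows it first
$sample | Group-Object -Property Id -NoElement |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property @{ n = 'EventId'; e = { $_.Name } }, Count,
        @{ n = 'Percent'; e = { [math]::Round(100 * $_.Count / $sample.Count, 1) } }

# How far back the log reaches. A short span means process creation (4688)
# and termination (4689) events are being overwritten quickly.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
[pscustomobject]@{
    MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB)
    RecordCount = $log.RecordCount
    OldestEvent = $oldest.TimeCreated
    SpanHours   = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalHours, 1)
}

# Effective setting of the subcategory named in the post
# (assumption: English-language Windows, where the name is not localised)
auditpol.exe /get /subcategory:"Authorization Policy Change"

# Local equivalent of the policy change: stop Success auditing for the subcategory.
# A group policy that configures it will override this at the next refresh.
# auditpol.exe /set /subcategory:"Authorization Policy Change" /success:disable
```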
If you want to quickly figure out if & where a process is writing a logfile, create a filter (ctrl l) in @SysInternals procmon for your process(es) and also Category = Write & turn off registry & network capture in the toolbar
September 26, 2025 at 1:11 PM
Need to turn %USERDNSDOMAIN% into canonical form, eg for ADSI ?

"DC=$(($env:USERDNSDOMAIN -split '\.') -join ',DC=')"
September 25, 2025 at 3:43 PM
"We're going to need a bigger bed" ! 😂
I had 4 with me last night although they are smaller & my bed is bigger
September 23, 2025 at 11:43 AM
It seems that the long-standing PowerShell 7.5.* bug where Out-Gridview doesn't function properly is fixed in 7.5.3! Hurrah!
github.com/PowerShell/P...
September 10, 2025 at 6:05 PM
It may be fixed - I'll give it a go
September 10, 2025 at 5:32 PM
Did you know that Entra ID SIDs start S-1-12-1 whereas (legacy?) AD domain and local normal accounts start S-1-5-21 ?
September 4, 2025 at 5:49 AM
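Sorting SIDs by the prefixes in the post above, as an added example that is not from the original post. It goes beyond the post by also recovering the Entra ID object ID: the four 32-bit values after S-1-12-1 are the 16 bytes of the object's GUID. The function name Get-SidOrigin and the sample SIDs are constructed for illustration.

```powershell
# Added example (not from the original post). Get-SidOrigin is a hypothetical name.
function Get-SidOrigin {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Sid)
    process {
        $result = [ordered]@{ Sid = $Sid; Origin = 'Other'; EntraObjectId = $null }

        if ($Sid -match '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') {
            $result.Origin = 'Entra ID'
            # The four sub-authorities are the GUID's bytes read as little-endian UInt32s
            $parts = [uint32[]]@($Matches[1], $Matches[2], $Matches[3], $Matches[4])
            $bytes = [byte[]]::new(16)
            [Buffer]::BlockCopy($parts, 0, $bytes, 0, 16)
            $result.EntraObjectId = [guid]$bytes
        }
        elseif ($Sid -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
            # Domain/machine identifier (three values) followed by the RID
            $result.Origin = 'AD domain or local account'
        }

        [pscustomobject]$result
    }
}

# Constructed sample SIDs, e.g. as they might appear in event log fields
$samples = @(
    'S-1-12-1-1111111111-2222222222-3333333333-4000000000'   # Entra ID form
    'S-1-5-21-1004336348-1177238915-682003330-1001'          # domain or local account form
    'S-1-5-18'                                               # well-known SID (Local System)
)
$samples | Get-SidOrigin | Format-Table -AutoSize
```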
PowerShell 1 liner to clear all event logs

Get-WinEvent -ListLog * -EA 0 -PipelineVariable log | %{ $log.LogName ; wevtutil.exe clear-log "$($log.LogName)" }
August 22, 2025 at 12:28 PM
and the furthest from me is in some place called New Zealand 🤔
August 20, 2025 at 4:08 PM
New PowerShell script to find your geographically closest Azure location. Uses geo location so may not be accurate!
Guess which of these I ran from a Windows 365/Cloud PC instance? 😂
Will prompt for login if not connected which may need tenant or subscription parameters
github.com/guyrleech/Az...
August 20, 2025 at 3:59 PM
New script, because Get-Hotfix is unhelpful, that uses Windows Update COM interface to show installed updates with various filtering options and raw/object or text output. Excludes Defender pattern updates by default

github.com/guyrleech/Mi...
August 18, 2025 at 3:13 PM
TIL that Get-Help (alias help) does not work in a remote PS session
August 18, 2025 at 2:34 PM
Need the path to the user profile for the system account?

(Get-CimInstance -ClassName win32_userprofile -filter "sid = 'S-1-5-18'").LocalPath

Profiles for other special accounts also available that way
August 7, 2025 at 2:10 PM
Came up with this 1 liner in my PowerShell workshop at @steelcon.info last week which finds any not validly signed modules (dlls) in running processes (excluding JIT'd ones). There are some 3rd parties (& LinkedIn app) but some Microsoft components too ☹️
July 14, 2025 at 9:34 AM
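One way to run the kind of check this post describes, as an added example: it is not the one-liner from the workshop, which is not reproduced on this page. It does not attempt the post's exclusion of JIT'd modules, since the method is not shown; it only skips modules that have no file path.

```powershell
# Added example (not the author's one-liner). Run elevated to read more processes' modules.
$loaded = foreach ($proc in Get-Process) {
    # Modules cannot be read for protected processes; treat those as having none
    $mods = try { $proc.Modules } catch { $null }
    foreach ($m in $mods) {
        if ($m.FileName) {
            [pscustomobject]@{ Path = $m.FileName; Process = "$($proc.Name) ($($proc.Id))" }
        }
    }
}

# Check each distinct file once, then report which processes have it loaded
$loaded | Group-Object -Property Path | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.Name -ErrorAction SilentlyContinue
    if ($sig -and $sig.Status -ne 'Valid') {
        [pscustomobject]@{
            Status    = $sig.Status            # e.g. NotSigned, HashMismatch, NotTrusted
            Path      = $_.Name
            Signer    = $sig.SignerCertificate.Subject
            Processes = ($_.Group.Process | Sort-Object -Unique) -join ', '
        }
    }
} | Sort-Object -Property Status, Path | Format-Table -AutoSize -Wrap
```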
My trip to @steelcon.info in Sheffield to give a workshop on PowerShell has commenced. T shirt selected because I will be covering a little #regex😄
July 11, 2025 at 5:54 AM
I don't think so - I don't scribble on anything, not that I use legacy paper or pen
July 10, 2025 at 8:45 PM
Half a job😂
But I'm young yet so will probably grow out of it.
It adds a story to an otherwise boring and dull device
July 10, 2025 at 8:44 PM
3 similar PowerShell 1 liners to search the registry for a value by name or content or for a key by name. Value search can be string (via regex which doesn't have to be scary😊) or numerical
July 10, 2025 at 2:24 PM
Not all providers support -Filter. Here the registry provider shows that it doesn't but you can use -include
July 10, 2025 at 2:19 PM
When using Get-ChildItem (alias dir & ls) to get specific files/folders recursively, use -Filter instead of -Include because it filters at the provider level rather than returning all data & then filtering
-Filter only takes 1 argument but -Include can be an array *.jpg,*.jpeg
July 10, 2025 at 1:02 PM
For completeness, here's the #regex with named matching groups which makes the regex (even more?) hideous but saves you having to remember what $matches[1], 2, etc actually match so code is more readable at the expense of the regex (always put an example of the regex in a comment by its use)
July 10, 2025 at 12:41 PM
TIL PowerShell 7.x Get-Process (alias ps) returns the Parent process object which 5.x doesn't and you had to use WMI/CIM instead. It's a pity that 7.x isn't going to be standard/OOB for a while yet
July 10, 2025 at 10:18 AM
PowerShell 1 liner to show what, if any, #FSlogix disks are mounted

(get-disk|where Bustype -ieq 'File Backed Virtual').location
July 4, 2025 at 11:15 AM