
Unit 4 Lab Assignment 1

1. Software installed on Windows systems is recorded in the registry, in the
HKEY_LOCAL_MACHINE hive under the
Software\Microsoft\Windows\CurrentVersion\Uninstall
registry key.
1. Determine the number of software applications installed
(number of subkeys in this key)
The number of subkeys in this key is 57.
2. Output the name of each of the applications to the
applications.txt file.
$keys | select-object PSChildname | out-file c:\applications.txt
PSChildName
-----------
AddressBook
Connection Manager
DirectDrawEx
EA12B1FB53CE4E387C31A85236C41EF559B5E392
EPSON NX230 Series
Fontcore
IE40
IE4Data
IE5BAKEX
IEData
KB968369
Lenovo EE Boot Optimizer
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Help Viewer 1.0
Microsoft SQL Server 10
Microsoft SQL Server 10 Release
MobileOptionPack
SchedulingAgent
Sevinst
SynTPDeinstKey
WIC

2. Installed software can also be determined through WMI.
1. Use the Win32_Programs WMI object to determine how
many applications are installed on the local system.
There are 65 applications installed on the local system.
2. Explain why the number of installed applications determined
by the Win32_product WMI object is less than the number
of installed applications determined by reading the registry.
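An added example (not part of the original lab answers) that puts the two inventories from sections 1 and 2 side by side: it reads both registry views of the Uninstall key, records which entries carry the Windows Installer marker, and counts what Win32_Product returns. It assumes Windows PowerShell, where Get-WmiObject is available; all variable names are illustrative.

```powershell
# Added example: compare the registry inventory with Win32_Product.
# Variable names are illustrative; run in Windows PowerShell on the local system.
$paths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    # 32-bit applications on 64-bit Windows register under this view instead
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
) | Where-Object { Test-Path $_ }

$inventory = foreach ($path in $paths) {
    foreach ($key in Get-ChildItem -Path $path) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            KeyName     = $key.PSChildName     # the value the lab writes to applications.txt
            DisplayName = $props.DisplayName   # may be empty; such keys are not shown in Add/Remove Programs
            Version     = $props.DisplayVersion
            IsMsi       = ($props.WindowsInstaller -eq 1)
        }
    }
}

# Win32_Product enumerates only Windows Installer (MSI) products. The query is slow
# because the provider validates every installed package while enumerating.
$wmiProducts = @(Get-WmiObject -Class Win32_Product)

New-Object PSObject -Property @{
    RegistrySubkeys   = @($inventory).Count
    WithDisplayName   = @($inventory | Where-Object { $_.DisplayName }).Count
    RegistryMsiMarked = @($inventory | Where-Object { $_.IsMsi }).Count
    Win32Product      = $wmiProducts.Count
} | Format-List

# Readable inventory: display names and versions instead of raw subkey names
$inventory | Where-Object { $_.DisplayName } |
    Sort-Object DisplayName |
    Format-Table DisplayName, Version, IsMsi, KeyName -AutoSize
```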
3. The Win32_NetworkProtocol, Win32_NetworkAdapter,
Win32_NetworkAdapterConfiguration, and
Win32_NetworkAdapterSetting WMI objects are used to extract
information from a computer system concerning network
protocols and adapters.
1. Use a WMI object to determine the number of network
adapters installed in your system. Record the command and
output.
PS C:\> $netadapter = gwmi win32_networkadapter
PS C:\> $netadapter.length
17

2. Use a WMI object to output to the screen IP addresses
assigned to the adapters. Record the command and the
output of the command.
PS C:\> foreach ($ip in $netadapterconf) {$ip.ipaddress}
PS C:\>
3. Use a WMI object to list the names of installed network
protocols. Record the command.
PS C:\> foreach($protocol in $proto) {$protocol.name}
4. Windows Security event logs can record successful and
unsuccessful logon events. For Windows Vista, Windows 7, and
Server 2003, Event ID 4624 is a successful logon and Event ID
4625 is a failed logon.
1. Issue a command that will show the most recent entry in the
Windows security event log. Pipe this command to Get-Member
to view the properties and methods. Record this
command.
Get-eventlog -logname security -newest 1 | Get-member

2. Issue a command that will show the 100 most recent entries
in the Windows security event log showing only those
entries that were a successful logon event. Assign the
output of this command to $LogonEvent. Record the
command.
PS C:\> $LogonEvent=get-eventlog -logname "security" -newest 100 -instanceid 4624
3. Issue a command that will show the Message of the first
event recorded in $LogonEvent. Record the command.
PS C:\> $LogonEvent[0].message
4. Note the Logon Type: line. Note that there are three
unspecified characters between Logon Type: and its code
number.
The Logon Type is code 7, which is Unlock (i.e. unattended
workstation with password protected screen saver)
5. Issue a command that will show the 100 recent entries in the
Windows security event log showing only those entries that
were a successful logon event by interactive logon. Assign the
output of this command to $InteractiveLogon. Record the
command (Hint: use regular expressions and string
comparison)
PS C:\> $interactivelogon=get-eventlog -logname "security" -newest 100 -instanceid 4624 -message "*Logon Type:???2*"
6. Using $InteractiveLogon, determine how many interactive logons
occurred during the newest 100 Security log entries. Record
the command used.
PS C:\> $interactivelogon.length
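An added example (not part of the original lab answers) of the regular-expression approach hinted at in step 5: it extracts the Logon Type code from each 4624 message and tallies every type in one pass. The function name, the lookup table variable and the sample messages are constructed for illustration.

```powershell
# Added example. Names and sample data below are constructed, not taken from a real log.
$LogonTypeName = @{
    2  = 'Interactive';       3  = 'Network';            4  = 'Batch'
    5  = 'Service';           7  = 'Unlock';             8  = 'NetworkCleartext'
    9  = 'NewCredentials';    10 = 'RemoteInteractive';  11 = 'CachedInteractive'
}

function Get-LogonType {
    param([string]$Message)
    # \s+ absorbs the tab characters between the label and the code,
    # and capturing all digits keeps type 2 distinct from type 10 or 11.
    if ($Message -match 'Logon Type:\s+(\d+)') { [int]$Matches[1] }
}

# Constructed, abbreviated 4624 message bodies (tabs after the label, as in the real text)
$samples = @(
    "An account was successfully logged on.`r`nLogon Type:`t`t`t2`r`nNew Logon:",
    "An account was successfully logged on.`r`nLogon Type:`t`t`t7`r`nNew Logon:",
    "An account was successfully logged on.`r`nLogon Type:`t`t`t2`r`nNew Logon:",
    "An account was successfully logged on.`r`nLogon Type:`t`t`t10`r`nNew Logon:",
    "An account was successfully logged on.`r`nLogon Type:`t`t`t5`r`nNew Logon:"
)

# On a live system, use the recorded events instead of the samples:
#   $messages = $LogonEvent | ForEach-Object { $_.Message }
$messages = $samples

$summary = $messages |
    ForEach-Object { Get-LogonType $_ } |
    Group-Object |
    ForEach-Object {
        New-Object PSObject -Property @{
            LogonType = [int]$_.Name
            Name      = $LogonTypeName[[int]$_.Name]
            Count     = $_.Count
        }
    } | Sort-Object LogonType

$summary | Format-Table LogonType, Name, Count -AutoSize

# Interactive logons only (the figure step 6 asks for)
@($messages | Where-Object { (Get-LogonType $_) -eq 2 }).Count
```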
