CMPivot Reference - A Square Dozen | A. Gross Blog

The following examples have been compiled from the CMPivot Home screen examples, and the PowerShell equivalent commands have been extracted from the CMPivot PowerShell script that is copied down locally to C:\Windows\CCM\ScriptStore. The goal is to present a way to understand what each command is actually doing when you run it.

Decoding this Reference

  • Query Type

    • WMI – The command run locally on the client is querying WMI. Any entity not listed here but available in CMPivot uses the same WMI Class that ConfigMgr Client Hardware Inventory uses.
    • PowerShell – These are special custom commands unique to CMPivot. The included PowerShell Equivalent example is taken directly from the local CMPivot script.
  • WMI (Namespace, Class)

    • The WMI Namespace and Class of the Entity where applicable. If not listed, then the entity uses custom PowerShell to query the data.
  • Local Query Name

    • This is the name that the local CMPivot script uses to query this entity.
  • Syntax

    • A Kusto Syntax of how to query the entity showing any parameter options.
  • Example

    • Shows how to query the Entity with examples of the parameter format where required.
  • PowerShell Equivalent

    • PowerShell example that can be used to validate that the data being queried is coming from a source you expect.
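
To check which local script actually implements an entity, the following added example (not code from this blog or from the CMPivot script itself) searches the script store for a Local Query Name and reports each matching file's SHA256 and Authenticode status. The function name `Find-CMPivotEntityScript` and the demo files are hypothetical; the default path is the ScriptStore location given above.

```powershell
# Added example: find the ScriptStore file(s) that mention a CMPivot local
# query name and report hash and signature status for each match.
function Find-CMPivotEntityScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$LocalQueryName,                      # e.g. 'CCMlog' from this reference
        [string]$ScriptStore = 'C:\Windows\CCM\ScriptStore'
    )

    if (-not (Test-Path -LiteralPath $ScriptStore -PathType Container)) {
        Write-Warning "Script store not found: $ScriptStore"
        return
    }

    foreach ($file in (Get-ChildItem -LiteralPath $ScriptStore -File -ErrorAction SilentlyContinue)) {
        # Literal text search; -Quiet returns $true on the first hit
        $hit = Select-String -LiteralPath $file.FullName -Pattern $LocalQueryName -SimpleMatch -Quiet
        if (-not $hit) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        [pscustomobject]@{
            Script          = $file.Name
            LastWriteTime   = $file.LastWriteTime
            SHA256          = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            SignatureStatus = $sig.Status
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Constructed demo store (not real CMPivot content) so the function can be tried anywhere.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('ScriptStoreDemo_' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'constructed_a.ps1') -Value "if (`$queryName -eq 'CCMlog') { 'sample' }"
Set-Content -LiteralPath (Join-Path $demo 'constructed_b.ps1') -Value "'unrelated sample'"

Find-CMPivotEntityScript -LocalQueryName 'CCMlog' -ScriptStore $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force

# On a ConfigMgr client (run elevated if access to the folder is denied):
# Find-CMPivotEntityScript -LocalQueryName 'CCMlog'
```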

AadStatus

Administrators

AppCrash

AutoStartSoftware

  • Query Type: Wmi

  • WMI (Namespace, Class): (ROOT/cimv2/sms, SMS_AutoStartSoftware)

  • Syntax:

  • Example:

    AutoStartSoftware | summarize dcount( Device ) by Product

  • PowerShell Equivalent:

    Get-WMIObject -Namespace ROOT/cimv2/sms -Class SMS_AutoStartSoftware
    

Bios

CcmLog

  • Query Type: Powershell

  • Local Query Name: CCMlog

  • Syntax:

    CcmLog(,[])

  • Example:

  • PowerShell Equivalent:

    $logFileName = 'Scripts'
    $secondsAgo = 86400

    # Read the client log directory from the 64-bit registry view
    $key = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)
    $subKey =  $key.OpenSubKey("SOFTWARE\Microsoft\CCM\Logging\@Global")
    $ccmlogdir = $subKey.GetValue("LogDirectory")
    $key.Close()
    $logPath = (join-path $ccmlogdir ($logFileName+".log"))

    #verify format of file name
    if(( $logFileName -match '[\w\d-_@]+' ) -and ([System.IO.File]::Exists($logPath)))
    {
        $lines = (get-content -path $logpath -ErrorAction Stop)

        [regex]$ccmLog = '<!\[LOG\[(?<logtext>.*)\]LOG\]!><time="(?<time>\d\d:\d\d:\d\d)[^"]+"\s+date\s*=\s*"(?<date>[^"]+)"\s+component\s*=\s*"(?<component>[^"]*)"\s+context\s*=\s*"(?<context>[^"]*)"\s+type\s*=\s*"(?<type>[^"]+)"\s+thread\s*=\s*"(?<thread>[^"]+)"\s+file\s*=\s*"(?<file>[^"]+)"\s*>'

        # Walk the file from newest to oldest; @() keeps the result an array
        $results = @(for( $index = $lines.Length-1; $index -ge 0; $index-- )
        {
            $line = $lines[$index]

            $m = $ccmLog.Match($line)

            if( $m.Success -eq $true )
            {
                $hash = @{
                    LogText = $m.Groups["logtext"].Value
                    DateTime = ([DateTime]($m.Groups["date"].Value +' '+ $m.Groups["time"].Value)).ToUniversalTime()
                    Component = $m.Groups["component"].Value
                    Context = $m.Groups["context"].Value
                    Type = $m.Groups["type"].Value
                    Thread = $m.Groups["thread"].Value
                    File = $m.Groups["file"].Value
                }

                # Filter out logs based on timespan
                if ( [System.DateTime]::Compare($hash.DateTime, (Get-Date).AddSeconds(-1*$secondsAgo).ToUniversalTime()) -lt 0 )
                {
                    break
                }
                else
                {
                    $hash
                }
            }
        })

        # Reverse the results list to ascending datetime
        # (arrays have no instance Reverse() method, so use the static one)
        [array]::Reverse($results)
        $results
    }
    

Connection

Device

  • Query Type: Wmi

  • WMI (Namespace, Class): (ROOT/cimv2, Win32_ComputerSystem)

  • Syntax:

  • Example:

Disk

  • Query Type: Wmi

  • WMI (Namespace, Class): (ROOT/cimv2, Win32_LogicalDisk)

  • Syntax:

  • Example:

    Disk | summarize dcount( Device ) by Description

  • PowerShell Equivalent:

    Get-WMIObject -Namespace ROOT/cimv2 -Class Win32_LogicalDisk
    

EPStatus

  • WMI (Namespace, Class): EPStatus

  • Query Type: Powershell

  • Local Query Name: EPStatus

  • Syntax:

  • Example:

  • PowerShell Equivalent:

EventLog

File

  • Query Type: Powershell

  • Local Query Name: File

  • Syntax:

  • Example:

    File('%windir%\notepad.exe')

  • PowerShell Equivalent:

    $fileSpec = [System.Environment]::ExpandEnvironmentVariables( '%windir%\notepad.exe' )

    $results = foreach( $file in (Get-Item -Force -ErrorAction SilentlyContinue -Path $filespec))
    {
        $fileSHA256 = ""
        $fileMD5 = ""

        # Hashes stay empty if the file cannot be read
        try {
            $fileSHA256 = (get-filehash -ErrorAction SilentlyContinue -Path $file).Hash
            $fileMD5 = (get-filehash -ErrorAction SilentlyContinue -Path $file -Algorithm MD5).Hash
        }
        catch {}

        @{
            FileName = $file.FullName
            Mode = $file.Mode
            LastWriteTime = $file.LastWriteTime
            Size = $file.Length
            Version = $file.VersionInfo.ProductVersion
            SHA256Hash = $fileSHA256
            MD5Hash = $fileMD5
        }
    }
    $results
    

FileContent

FileShare

  • Query Type: Wmi

  • WMI (Namespace, Class): (ROOT/cimv2, Win32_Share)

  • Syntax:

  • Example:

    FileShare | summarize dcount( Device ) by Name

  • PowerShell Equivalent:

    Get-WMIObject -Namespace ROOT/cimv2 -Class Win32_Share
    

InstalledSoftware

  • Query Type: Wmi

  • WMI (Namespace, Class): (ROOT/cimv2/sms, SMS_InstalledSoftware)

  • Syntax:

  • Example:

    InstalledSoftware | summarize dcount( Device ) by ProductName

  • PowerShell Equivalent:

    Get-WMIObject -Namespace ROOT/cimv2/sms -Class SMS_InstalledSoftware
    

IPConfig

OS

Process

  • Query Type: Wmi

  • WMI (Namespace, Class): (ROOT/cimv2, Win32_Process)

  • Syntax:

  • Example:

    Process | summarize dcount( Device ) by Name

  • PowerShell Equivalent:

    Get-WMIObject -Namespace ROOT/cimv2 -Class Win32_Process
    

ProcessModule

Registry

RegistryKey

Service

  • Query Type: Wmi

  • WMI (Namespace, Class): (ROOT/cimv2, Win32_Service)

  • Syntax:

  • Example:

    Service | summarize dcount( Device ) by Name

  • PowerShell Equivalent:

    Get-WMIObject -Namespace ROOT/cimv2 -Class Win32_Service
    

SMBConfig

SoftwareUpdate

User

  • Query Type: Powershell

  • Local Query Name: Users

  • Syntax:

  • Example:

    User | summarize dcount( Device ) by UserName

  • PowerShell Equivalent:

    $users = New-Object System.Collections.Generic.List[String]

    foreach( $user in (get-WmiObject -class Win32_LoggedOnUser -ErrorAction Stop | Select Antecedent))
    {
        # Antecedent looks like ...Domain="X",Name="Y"; splitting on the quote gives X at [1] and Y at [3]
        $parts = $user.Antecedent.Split("""")

        if(( $parts[1] -ne "Window Manager" ) -and (($parts[1] -ne $env:COMPUTERNAME) -or (($parts[3] -notlike "UMFD-*")) -and ($parts[3] -notlike "DWM-*")))
        {
            $users.Add($parts[1] + "\" + $parts[3])
        }
    }

    $users | sort-object -Unique
    

WinEvent
