Windows Fundamentals · beginner · ~11 min
Use PowerShell's object pipeline for enumeration and understand its security controls.
PowerShell is the object-oriented Windows shell. Cmdlets (Verb-Noun) pipe objects, so you filter on properties rather than text, which makes it ideal for native enumeration (services, users, ACLs, logs). Execution Policy is a safety feature, not a security boundary; AMSI and script-block logging are the real controls.
PowerShell is the standard way to enumerate and operate on Windows without dropping external tools. Knowing its logging/AMSI controls tells you what defenders see, and recognising that Execution Policy isn't a security boundary is a common report correction.
Cmdlets. Verb-Noun (Get-Service, Get-LocalUser, Get-Acl).
Object pipeline. Filter on properties, not text.
Execution Policy. Safety feature, not a boundary.
AMSI / script-block logging. What defenders use to detect PowerShell abuse.
PowerShell is the Windows automation shell and the primary tool for both administering and assessing Windows — the rough equivalent of bash on Linux, but object-oriented.
Commands are cmdlets in Verb-Noun form: Get-Process, Get-Service, Get-LocalUser, Get-ChildItem. Unlike bash (which pipes text), PowerShell pipes objects, so you filter on properties:
Get-Service | Where-Object {$_.Status -eq 'Running'} | Select-Object Name, StartType
Native, present on every modern Windows host, and great for enumeration without dropping tools: list services, users, ACLs (Get-Acl), scheduled tasks, and network config. Get-WinEvent reads logs.
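The enumeration described above, worked through as one script. This is an added example, not code from the original page: it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 10 / Server 2016 or later in a FullLanguage session (Get-LocalUser, Get-ScheduledTask and Get-NetTCPConnection ship with those builds), and it reads the Security log only when run elevated. The function name Get-HostEnumeration and the "broad principal" list are this example's own choices.

```powershell
# Added example (not from the original page): host enumeration through the object pipeline.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows 10 or Server 2016+, FullLanguage
# session. Reading the Security log needs an elevated prompt; it is skipped quietly otherwise.

function Get-HostEnumeration {
    # Services: the run-as account and binary path are not on the Get-Service object, so
    # query Win32_Service. Filter on properties: enabled services whose binary is outside SystemRoot.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -ne 'Disabled' -and $_.PathName -notmatch [regex]::Escape("$env:SystemRoot\") } |
        Select-Object Name, State, StartMode, StartName, PathName

    # Enabled local accounts with password and logon timestamps.
    $users = Get-LocalUser |
        Where-Object { $_.Enabled } |
        Select-Object Name, PasswordRequired, PasswordLastSet, LastLogon

    # ACLs: for each service binary directory, ACEs that grant write rights to broad principals.
    # A writable service binary directory is a standard privilege-escalation finding.
    $broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    $writable = foreach ($svc in $services) {
        # PathName may be quoted and may carry arguments; reduce it to the executable path.
        $exe = $svc.PathName -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
        if (-not $exe) { continue }
        $dir = Split-Path -Path $exe -Parent -ErrorAction SilentlyContinue
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        (Get-Acl -LiteralPath $dir).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broad -contains $_.IdentityReference.Value -and
                $_.FileSystemRights -match '\bWrite\b|WriteData|CreateFiles|Modify|FullControl'
            } |
            Select-Object @{ n = 'Service'; e = { $svc.Name } },
                          @{ n = 'Directory'; e = { $dir } },
                          IdentityReference, FileSystemRights
    }

    # Scheduled tasks outside Microsoft's own tree, with the principal and the command they run.
    $tasks = Get-ScheduledTask |
        Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
        Select-Object TaskName, TaskPath,
                      @{ n = 'RunAs'; e = { $_.Principal.UserId } },
                      @{ n = 'Command'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

    # Listening TCP sockets joined to their owning process.
    $listeners = Get-NetTCPConnection -State Listen |
        Select-Object LocalAddress, LocalPort, OwningProcess,
                      @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
        Sort-Object LocalPort

    # Logs: the last 20 successful logons (Security event 4624), parsed from the event XML
    # rather than the message text so the field names are stable across locales.
    $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
                LogonType = $data.LogonType
                Source    = $data.IpAddress
            }
        }

    [pscustomobject]@{
        Services            = $services
        Users               = $users
        WritableServiceDirs = $writable
        ScheduledTasks      = $tasks
        Listeners           = $listeners
        RecentLogons        = $logons
    }
}

$enum = Get-HostEnumeration
$enum.WritableServiceDirs | Format-Table -AutoSize
$enum.ScheduledTasks      | Format-Table -AutoSize
$enum.Listeners           | Format-Table -AutoSize
```

Every stage filters on typed properties (StartMode, Enabled, AccessControlType, State) rather than grepping text, so the same filters work regardless of display language or column layout. The ACL regex deliberately uses a word boundary so that WriteAttributes does not count as a write right.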
Execution Policy is a safety feature, not a security boundary: it is trivially overridden (for example with -ExecutionPolicy Bypass); don't treat it as protection in a report. Constrained Language Mode, AMSI, and logging are the recommended hardening; flag their absence.
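A check for the controls that actually matter, as an added example rather than code from the original page. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, reads the logging settings from the HKLM policy keys that Group Policy writes (ScriptBlockLogging, ModuleLogging, Transcription under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell), and assumes the PowerShell Operational log is readable by the current user, which is the default. The function names Get-PowerShellControls and Test-ScriptBlockLogging and the marker string are this example's own.

```powershell
# Added example (not from the original page): report the controls that decide how visible
# PowerShell activity is on this host, then prove what script-block logging records.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows; policy values are read from the
# HKLM keys Group Policy writes.

function Get-PowerShellControls {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    function Get-PolicyValue([string]$Key, [string]$Name) {
        # Missing key or value means the policy is not configured: treat as off.
        (Get-ItemProperty -Path "$policy\$Key" -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    # amsi.dll loaded into this process means the registered provider (Defender or a
    # third-party engine) is scanning script content before it runs.
    $amsiLoaded = [bool]((Get-Process -Id $PID).Modules | Where-Object ModuleName -eq 'amsi.dll')

    [pscustomobject]@{
        # Recorded for the report, but not a security boundary (see text above).
        ExecutionPolicy    = "$(Get-ExecutionPolicy)"
        # 'ConstrainedLanguage' only when enforced (WDAC/AppLocker policy); 'FullLanguage'
        # means unrestricted .NET access from scripts.
        LanguageMode       = "$($ExecutionContext.SessionState.LanguageMode)"
        AmsiLoaded         = $amsiLoaded
        ScriptBlockLogging = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging      = (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
        Transcription      = (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
        TranscriptDir      = Get-PolicyValue 'Transcription' 'OutputDirectory'
    }
}

# Run a harmless, uniquely marked script block and look for it as event 4104 in the
# PowerShell Operational log. With the policy on, every block is logged; with it off the
# engine logs only blocks it considers suspicious, so this benign marker should surface
# only when ScriptBlockLogging above is true.
function Test-ScriptBlockLogging {
    $marker = 'sbl-marker-' + (Get-Random)
    Invoke-Expression "Write-Output '$marker'" | Out-Null
    Start-Sleep -Seconds 2
    $hits = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$marker*" }
    [bool]$hits
}

$controls = Get-PowerShellControls
$controls | Format-List
"Marker script block logged as 4104: $(Test-ScriptBlockLogging)"
# Each $false above is a gap to flag. FullLanguage with no script-block, module or
# transcription logging means the content of an operator's commands is never recorded;
# only engine start/stop and process-creation events remain.
```

The marker test is the part worth keeping in a report: it shows, on the host itself, whether arbitrary script content reaches the event log, rather than inferring it from a registry value that may be set but not applied.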
PowerShell's object pipeline makes it the go-to for native Windows enumeration; its real security controls are AMSI and logging (not Execution Policy), and their presence determines how visible activity is.