Remote Wipe a Computer With PowerShell

Remote Wipe a Computer With PowerShell

by | Apr 7, 2023 | Deployments, Information Technology, PowerShell

Did you know you can wipe a computer using code? I didn’t realize this was an option until I needed to do it the other day. Well, I quickly found code to wipe a computer using PowerShell. It was pretty simple as a full Microsoft documentation page is dedicated to the wipe types. You can read about it here. The only problem I ran into was this code needs to be launched as a “System User” instead of a domain admin. This presented a problem if I wanted to use PowerShell for this task. However, psexec could launch scripts as a system user. That was my solution for running a Remote Wipe on a Computer with PowerShell.

The Script

Today we start out with a rough script. This script is designed to give you a rough idea of what I am thinking about and how I was able to do it. You can do additional items to this script like split the here-string and add options. However, most of my items have been from a clean local wipe idea. 

function Invoke-RemoteWipeComputer {
    param (
        [parameter(Mandatory = $true)][string[]]$ComputerName
    )
    begin {
        if (!(Test-Path -Path "$env:SystemDrive\Temp")) { New-Item -Path c:\ -Name Temp -ItemType Directory }
        if (!(Test-Path -Path "$env:SystemDrive\Temp\PsExec.exe")) { Invoke-WebRequest -Uri "https://live.sysinternals.com/PsExec.exe" -OutFile "$env:SystemDrive\Temp\PsExec.exe" }
        $WipeScript = @'

            $session = New-CimSession
            $params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
            $param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create("param", "", "String", "In")
            $params.Add($param)
            $CimSplat = @{
                Namespace = "root\cimv2\mdm\dmmap"
                ClassName = "MDM_RemoteWipe"
                Filter    = "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'"
            }

            try {
                $instance = Get-CimInstance @CimSplat
                $session.InvokeMethod($CimSplat["Namespace"], $instance, "doWipeMethod", $params)
            }
            catch {
                Write-Error $_
                exit 1
            }
'@ 
        $WipeScript > "$env:SystemDrive\Temp\WipeScript.ps1"
    }
    process {
        foreach ($Computer in $ComputerName) {
            if (Test-Connection -ComputerName $Computer -Count 2 -Quiet) {
                Copy-Item "$env:SystemDrive\Temp\WipeScript.ps1" -Destination "\\$Computer\c$\Temp\WipeScript.ps1" -Force
                & "$env:SystemDrive\Temp\PsExec.exe" -s \\$Computer PowerShell -ExecutionPolicy Bypass -File "\\$Computer\c$\Temp\WipeScript.ps1"
            }
        }
    }
    end {}
}

The Breakdown

Let’s break down this script. The first item is always the parameters. In this case, we are making a list of strings with computer names. We will use these later. This script is broken up into a begin and process. Remember, begin, process, end, and final are all simple organization tools. This makes life easier because we are going to need to download the psexec command from sysinternals life site. We also need to build out the main script and have a folder to add it all in.

Begin

The first thing we need to do is test if the c:\temp exists as we are going to download everything into it. This one liner makes life much easier. We test if the path doesn’t exist, then we make it if that is true. The ! mark indicates do the opposite of what is inside the (). Inside the () we are testing for c:\temp or local system drive temp in this case. If that doesn’t exist, we create a new item with a path of the system drive. We create a new item with new item and call it temp making sure it’s a directory flag in the item type. 

if (!(Test-Path -Path "$env:SystemDrive\Temp")) { New-Item -Path "$env:SystemDrive\" -Name Temp -ItemType Directory }

Next, we test if the psexec exists and download it accordingly. Once again, we are using the ! test. If the file doesn’t exist, we us invoke-webrequest to reach out to the live sysinternals site and download it to our c:\temp. 

if (!(Test-Path -Path "$env:SystemDrive\Temp\PsExec.exe")) { Invoke-WebRequest -Uri "https://live.sysinternals.com/PsExec.exe" -OutFile "$env:SystemDrive\Temp\PsExec.exe" }

Now we have downloaded and made all the required folders, it’s time to write the script. In this case, we are building the script with a here-string. This way, the data is the same no matter what we do. It’s a clone each time and we know what we are getting. Let’s break down the wipe script.

The Wipe Script

As stated before, we are building out the script inside our here-string. This way, it is always the same. I prefer to know what is happening with any script I launch. So, it’s time to break it down.

We start off with a new cim session. This is a blank session, with nothing special about it. 

$session = New-CimSession

Next, we need to make some new objects. We need a cim method parameters container. So we do this with a new-object command. Then we add the parameters we need inside this new parameter container. Both of these commands use the Management > infrastructure objects as parents. Finally, we add the parameters to the parameters. yeah that sounds weird, but luckily we just change a s and it makes it much easier to understand. 

$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
$param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create("param", "", "String", "In")
$params.Add($param)

Now we have our parameter set for our invoke method, it’s time to create the splat. We need a remote wipe command. Viewing this documentation. We see our remote wipe is located inside the ./Device/Vendor/MSFT/RemoteWipe/. This is part of the MDM cim version 2 instance. So, our namespace will need to reflect that. We have a namespace of root\cimv2\mdm\dmmap. Our class name needs to be the MDM_Remotewipe. Finally, our filter needs to be show the vendor msft and the instanceId, the item we are after, is remoteWipe. 

$CimSplat = @{
    Namespace = "root\cimv2\mdm\dmmap"
    ClassName = "MDM_RemoteWipe"
    Filter    = "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'"
}

Now we start our try catch. Inside our try, we are call the get-ciminstance with the splat from before. This creates an instances on the computer that is talking directly to the wipe system. Now, we need to use the session we made at the beginning of this here-string. We invoke the method using invoke method. From there, we use the $cimsplat namespace, the instance of the cimsplat, the wipe method, in this case, a local wipe, and the parameters we made at the beginning. The system will trigger a wipe at this point. The catch just exits and sends the error it gets.

Now the here-string is built, we push that string into a PowerShell script on our freshly created temp folder. We use the single > to overwrite anything that is already there. This limits mistakes.

Process

Now it’s time for the process. Here we are going to copy the files and execute it with psexec. We are also going to loop through each computer during this process. The first step is to start a loop with a foreach loop. 

foreach ($Computer in $ComputerName) {
#            Do something
}

Up to this point, we have done everything on our computer. We have downloaded the psexec. We have created the required script. The next step starts to affect the end user’s computer. This is where the Remote comes into Remote Wipe a Computer. We are going to use the command test-connection and ping the computer twice. 

if (Test-Connection -ComputerName $Computer -Count 2 -Quiet) {
    #It was tested
}

If the computer is present, we attempt to copy the script over. We force the copy to overwrite anything with the same name. Finally, we use the local psexec to trigger powershell as the system. We use the -s for psexec to trigger the file that is on the remote computer that we copied. I want the output on my local screen of the psexec command. This is what we trigger it with the & instead of a start-process. Now, could you use the start process, yes, in fact, it would be quicker since you can set it as a job and put the PC name as the job, but you do lose the output information from psexec. So, if there is a problem, you wouldn’t know. 

Copy-Item "$env:SystemDrive\Temp\WipeScript.ps1" -Destination "\\$Computer\c$\Temp\WipeScript.ps1" -Force
& "$env:SystemDrive\Temp\PsExec.exe" -s \\$Computer PowerShell -ExecutionPolicy Bypass -File "\\$Computer\c$\Temp\WipeScript.ps1"

At this point, the computer will take a few seconds, and the reset process would start. After that, everything you will need to do will require a hand on the machine. So have fun and use wisely. Also, the script inside the script can be ran by other products like Continuum, ninja, pdq and more.

Continue Reading

As the tree grows

As the tree grows

by | Apr 4, 2023 | Blog, Mental Health

Welcome to another mental health Monday. I’m going to be talking to myself big time today. Here in South Carolina, springtime is often met with confusion and a sense of making up your mind. The older trees will stay dormant longer than the younger trees. This leaves us viewers with a unique chance to see the trees with leaves and without. We get to see a skeleton of the tree in sorts. As the tree grows, it moves in set patterns. Those patterns are amazing.

You can follow the tree from the base, up the branches, and through the smaller branches. Each break-off shows a different adaptation to the world around it and itself. The tree reaches up for the sunlight. Its figures stretch out and grow leaves to catch as much sunlight as possible. This is important because the tree lives off the sunlight and the soil it is in. Much like us. During the fall time the trees’ leaves change color to catch the remaining sunlight, then it goes dormant during the winter months. Sunlight is the positive influence in the tree’s life that helps it grow.

You as a tree

Now, think about yourself. See yourself as a tree. In what ways are you growing? Are your branches facing downwards away from the sun or are they growing upwards towards the sun? What areas of your life are you dormant? What voices are you listening to? Are you stuck in the darkness of your own mind or are you listening to uplifting voices?

When you take the sunlight away from a tree, the branches start to droop. This is the same way in our lives, when we stop focusing on the positive things and only focus on the must, our branches start drooping. Depression starts to come in, and over time, we can barely move forward. We become trapped thinking. “This is all we can do.” We say this because all we can see is the ground. We can’t see the sun. It’s not until we start looking up do we see that sun. That positive influence in our lives.

However, always looking at the positive isn’t healthy either. A younger tree will quickly sprout leaves, but then the cold snap happens and it loses those leaves. It loses all that energy. Thankfully, the older trees are there helping them along the path. See the old trees have learned something too.

It’s ok to be dormant for a while. That’s the same way in our lives. It’s ok to go with the flow for a while, especially when the sun isn’t around. We all go through that time in our lives, sadness. There is only so much energy in a single day. So instead of using it all at the first sight of light, the older trees wait until the light is consent and then start growing. At the end of the day, it still is looking up and not down. It’s still waiting for that positivity to come back, that light. This is how we should be. A hope of good times. As the tree grows, so do we.

Applying to IT

Sometimes in the IT world all we see is problems. It’s part of our jobs to see and fix problems. Most of us enjoys doing this. I know I love the puzzlingness of the human behavior. So, how do you look up when there is only problems in your face? Well, the best way I can describe this is like having a bee in your car while you are driving down the road. You can swat at the bee and put your focus on the bee, or you can drive your car. Rolling down the window makes the bee stay where it should be because of the wind. Instead of focusing on the problems in front of you that will always be there, look forward. Look past them. Look past the person yelling. They are yelling for a reason. Lets that big brain of ours see the world instead of the problems of the world.

The same can be said for a fence. A fence is in front of you, a boundary, or you can look past the fence and see the ladder waiting on the other side that you can pull through. The illusion of boundaries keeps us standing still. We stare at what we have been trained to stare at instead of whats past it. Keeping your mind on positive things will help grow you.

Final thoughts

It’s ok not to have leaves right now. It’s your winter time. There is nothing wrong with you. It’s ok to be bare right now. On the same note, it’s ok to be full of leaves. Everyone goes through seasons. Embrace that season, and keep your hope up for spring. Be patient and enjoy the world around you. Don’t let that negative voice kill you. This is what I have to remind myself daily.

Useful Links

Clear Google Cache with Powershell

Clear Google Cache with Powershell

by | Mar 31, 2023 | Help Desk, Information Technology, PowerShell

Yesterday I had to clear out a few users’ google chrome cache. It was a little aggravating going computer by computer. We were doing this because recently a core web app was updated. The application left traces of itself in the Google Chrome Cache and it caused all kinds of problems. So the last few I looked for a way to do it with PowerShell. Long and behold you can Clear Google Cache with Powershell.

The Script

We are starting with the script, to begin with. We are doing this because the core of this script is wrapped around a remote template I use. I will cover the template later down the road. 

Function Clear-SHDGoogleCache {
    param (
        [parameter(
            ValueFromPipeline = $True,
            ValueFromPipelineByPropertyName = $True,    
            HelpMessage = "Hostname of target computer", 
            Mandatory = $true)][alias('ComputerName')][String[]]$Computer,
        [Parameter(
            HelpMessage = "Allows for custom Credential.")][string[]]$username,
        [Parameter(
            HelpMessage = "Allows for custom Credential.")][System.Management.Automation.PSCredential]$Credential
    )
    begin {
        if ($null -eq $username) { $username = "*" }
    }
    process {
        foreach ($PC in $Computer) {
            foreach ($user in $username) {
                $Parameters = @{
                    Computername = $PC
                    ScriptBlock  = {
                        if ($username -ne "*") {
                            if (Test-Path C:\Users\$user) {
                                Remove-Item "c:\users\$user\appdata\local\google\chrome\user data\default\cache\*" -Recurse -Force -ErrorAction SilentlyContinue 
                                Remove-Item "c:\users\$user\appdata\local\google\chrome\user data\default\code cache\js\*" -Recurse -Force -ErrorAction SilentlyContinue 
                                Remove-Item "c:\users\$user\appdata\local\google\chrome\user data\default\media cache\*" -Recurse -Force -ErrorAction SilentlyContinue 
                                Remove-Item "c:\users\$user\appdata\local\google\chrome\user data\Default\Service Worker\CacheStorage\*" -Recurse -Force -ErrorAction SilentlyContinue 
                                Remove-Item "c:\users\$user\appdata\local\google\chrome\user data\Default\Service Worker\ScriptCache\*" -Recurse -Force -ErrorAction SilentlyContinue 
                            }
                            else {
                                Write-Error "$user is not present."
                            }
                        }
                        else {
                            Remove-Item "c:\users\*\appdata\local\google\chrome\user data\default\cache\*" -Recurse -Force -ErrorAction SilentlyContinue 
                            Remove-Item "c:\users\*\appdata\local\google\chrome\user data\default\code cache\js\*" -Recurse -Force -ErrorAction SilentlyContinue 
                            Remove-Item "c:\users\*\appdata\local\google\chrome\user data\default\media cache\*" -Recurse -Force -ErrorAction SilentlyContinue 
                            Remove-Item "c:\users\*\appdata\local\google\chrome\user data\Default\Service Worker\CacheStorage\*" -Recurse -Force -ErrorAction SilentlyContinue 
                            Remove-Item "c:\users\*\appdata\local\google\chrome\user data\Default\Service Worker\ScriptCache\*" -Recurse -Force -ErrorAction SilentlyContinue   
                        }
                    }
                    Asjob        = $true
                    JobName      = $PC
                }
                if ($PSBoundParameters.ContainsKey('Credential')) {
                    $Parameters | Add-Member -MemberType NoteProperty -Name Credential -Value $Credential
                }
                if (Test-Connection -ComputerName $PC -Count 1 -Quiet) {
                    try {
                        Invoke-Command @Parameters
                    }
                    catch {
                        Write-Warning "$PC Invoke Command Failed"
                    }
                }
                else {
                    Write-Warning -Message "$PC is offline"
                }
            }
        }
    }
    end {}
}

The Breakdown

Let’s break down the script and see what is needed and how it is needed. The first thing you will notice is the computer and the user are both lists of strings. [String[]]. This means I will have to loop through each one. This is important because this means you can target a single user on multiple machines or multiple users on a single machine or both. The second thing I want to point out is the credentials. So, if you are not in admin mode, you can deploy the script with your admin creds, or with the local admin creds.

The Username is not a required item. Why did I do this? The simple answer is, if you don’t put a username, then it will clear every user’s google chrome cache. Notice in the “begin” area, we have if null is equal to username, then we want the username to be *. Later we ask, if the username is not equal to *, then we use the user. If not, we use the * which will go through all the users at once. Also notice in the do the user, we test if the user exists. If it doesn’t we deploy an error, if it does, we do our work. 

if ($null -eq $username) { $username = "*" }
if ($user-ne "*") { do the user
    if (Test-Path C:\Users\$user) { Its there, lets go for it.} else { Error will robison.}
} else {do everyone}

The Core

At the core of this script is the remove-item blurp. We are going through each user data area and clearing out the different types of cache. There is the default cache, code, media, storage, and script caches. Each of these folders will have folders inside of them. So we need to recurse. We want to force it and we don’t care about the errors as some cache will not delete while chrome is active. Could I have added a kill chrome, yes, but why? if the end-user is working in chrome, this is going to be disruptive and force them to restart chrome. Lets look at the code. 

Remove-Item "c:\users\$user\appdata\local\google\chrome\user data\default\cache\*" -Recurse -Force -ErrorAction SilentlyContinue 
                                Remove-Item "c:\users\$user\appdata\local\google\chrome\user data\default\code cache\js\*" -Recurse -Force -ErrorAction SilentlyContinue 
                                Remove-Item "c:\users\$user\appdata\local\google\chrome\user data\default\media cache\*" -Recurse -Force -ErrorAction SilentlyContinue 
                                Remove-Item "c:\users\$user\appdata\local\google\chrome\user data\Default\Service Worker\CacheStorage\*" -Recurse -Force -ErrorAction SilentlyContinue 
                                Remove-Item "c:\users\$user\appdata\local\google\chrome\user data\Default\Service Worker\ScriptCache\*" -Recurse -Force -ErrorAction SilentlyContinue

That’s all the code you will need. If you selected not to use username the $user will turn into * which will do every user, including default. if you have something like sccm, pdq, intune, ninja, pulse, etc, then just user this part of the code with * instead of user. This will clear the cache as needed.

We close it all up and send it as a job to the machine in question. This way we are not stuck on each computer. It speeds things up. With Powershell 7, you can loop with a number of objects that you want which would speed this up even more.

Additional Reading

SSH with Powershell

SSH with Powershell

by | Mar 24, 2023 | Information Technology, PowerShell

Recently I went over how to get information from the Unifi Controller. Now I want to show you how to grab information from the unifi device itself. In this example, we are going to use SSH with Powershell to pull some basic information from an unifi AP.

SSH with Powershell

The first thing you will need is to make an ssh connection. Most computers have open ssh installed and you can type in ssh username@ipaddress and access it after inputting passwords and such. However, I want to work with powershell and not whatever shell the unifi will present me. Thus, we will run through a module called POSH-SSH by darkoperator.

Install Posh-ssh

The first thing you will need to do, if you haven’t already, is installing the module. This module lives in the standard repos, which makes life so much easier. Here is the command:

Install-Module -Name Posh-SSH

Once you have the command installed, that’s when we import with the import module command.

Making a connection

The next step is to make the connection. The feel of this command is just the same as that of enter-pssession. We call the computer name, normally an IP address, and we add the credentials. The biggest difference is we add an acceptkey flag. You can also give your session an ID number, this is good if you are doing more than one at a time. Today we are only focusing on one connection. So it’s not needed, but it becomes very useful with loops. Like always, these sessions start at 0. 

New-SSHSession -ComputerName 10.0.0.8 -AcceptKey -Credential (Get-Credential)

This creates a session of 0 which we can send commands to later. Remember, each session connection adds another session number. So the next one will be 1 and so on so forth. if you need more information or become lost with which sessions you are using, get-sshsession will help resolve this question.

Invoking SSH commands with Powershell

The next thing we need to do is invoke commands. What is the point of just connecting when we have the power of ssh and powershell? The command we can use is called invoke-sshcommand. When working with any system, you need to be mindful of that system’s shell. Ssh gives you the connection, and that system determines what you can use. This took me a while to figure out. One of the commands inside the unifi devices is info. This gives you useful information. So when you are connected, typing info will telling you IP addresses, mac address, inform statuses, and more. However, with the SSHcommand, it produces nothing useful. As the image below shows.

So, what is needed to do from here is adding a flag to let it know you are coming from somewhere else. This flag is “mca-cli-op” followed by the command you want. However, as the image below suggests, it parses the output as a single object. We need to go deeper by selecting the output. 

$Output = (Invoke-SSHCommand -Command "mca-cli-op info" -SessionId 0).output

This is nice to know, however… It’s a string. You will need to parse this data out accordingly. I do this by using select-string then from there working each item. When I select the string, for example, model. I take the output and select-string model. Then i convert that to a string as select string make it into an match info object. Which isn’t as helpful as you would think. Then from there, I replace any spaces and split from the : to get the information I need. Below is the code. 

$Return = [PSCustomObject]@{
        model = ($output | select-string model).tostring().replace(' ','').split(":")[1]
        version = ($output | select-string version).tostring().replace(' ','').split(":")[1]
        MacAddress = ($output | select-string mac).tostring().split(' ')[-1]
        IPaddress = ($output | select-string ip).tostring().replace(' ','').split(":")[1]
        Hostname = ($output | select-string hostname).tostring().replace(' ','').split(":")[1]
        UptimeSeconds = ($output | select-string uptime).tostring().replace(' ','').split(":")[1] -replace("\D",'')
        Status = ($output | select-string status).tostring().split(':').split('(').replace(' ','')[1]
        Inform = ($output | select-string status).tostring().split(' ')[-1] -replace('[()]','')
    }

From here you can change the inform, or other items using the flag and the command accordingly. Once you are finished with your session, make sure to remove it with the Remove-SSHSession command.

The Script

Here is the script. This script allows you to do more than one IP address. 

function Get-UnifiSSHDeviceInformation {
    param (
        [parameter(
            ValueFromPipeline = $True,
            ValueFromPipelineByPropertyName = $True,    
            HelpMessage = "Unifi Username and Password", 
            Mandatory = $true)][alias('IP')][ipaddress[]]$IPaddress,
        [parameter( 
            HelpMessage = "Unifi Username and Password", 
            Mandatory = $true)][alias('UserNamePassword')][System.Management.Automation.PSCredential]$Credential
    )
    $return = @()
    foreach ($IP in $IPaddress) {
        New-SSHSession -ComputerName $IP -AcceptKey -Credential $Credential
        $Output = (Invoke-SSHCommand -Command "mca-cli-op info" -SessionId 0).output
        Remove-SSHSession -SessionId 0
        $Return += [PSCustomObject]@{
            model = ($output | select-string model).tostring().replace(' ','').split(":")[1]
            version = ($output | select-string version).tostring().replace(' ','').split(":")[1]
            MacAddress = ($output | select-string mac).tostring().split(' ')[-1]
            IPaddress = ($output | select-string ip).tostring().replace(' ','').split(":")[1]
            Hostname = ($output | select-string hostname).tostring().replace(' ','').split(":")[1]
            UptimeSeconds = ($output | select-string uptime).tostring().replace(' ','').split(":")[1] -replace("\D",'')
            Status = ($output | select-string status).tostring().split(':').split('(').replace(' ','')[1]
            Inform = ($output | select-string status).tostring().split(' ')[-1] -replace('[()]','')
        }
    }
    $Return
}

Additional Reading

Auto 365 Licensing with Groups

Auto 365 Licensing with Groups

by | Mar 17, 2023 | Azure, Information Technology

I was working with a client a few months ago, and they needed me to set up auto licensing. The idea is that the helpdesk right-clicks on a user and clicks copy. That user will get all the groups inside the template user. This also includes licensing for O365. Believe it or not, this is super easy to do.

The client’s structure was as such, They had a local active directory that uses ad connect to sync all the user information. The ad sync occurred every 30 minutes.

Local AD

The first step is to create the licensing groups in local AD. In this case, I named them “Microsoft Office 365 E3” and “Microsoft Office 365 F3”. This way it’s super clear. These will be security groups. I have them in an OU that is synced with AD Connect.

Only users that will get E3 will be in the E3 group and the ones getting F3 will be in the F3 group. Once again, very clear.

Now I have created the groups, I complete an AD sync or I wait for the ADSync to be completed. To force an ad sync, you will need to log into the AD sync server. Normally this is a DC, it doesn’t have to be, but normally from my experience, it is. 

Start-ADSyncSyncCycle -PolicyType Initial

You can view your sync by loading the Synchronization Service Manager and watching the sync. Once the sync is complete, move to the next step, Azure AD.

Azure AD Licensing Assignments.

Log into azure ad at https://entra.microsoft.com. On the left side, You will see Groups. Expand Groups and Click all Groups. Then search for the group you are looking for. In this case we want the Microsoft Office 365 E3 Group.

Now its time to add the license for anyone who joins this group.

  • Click on the Group
  • Under Manage click Licenses
  • In The middle Click Assignment
  • Add the desired licenses and applications associated with the licenses, See the image below.
  • Click Save.

The final step is to add users accordingly. After they sync, they will receive the licensing accordingly. Now you have a fully automated method of assigning licenses.

Additional Reading