PowerShell v5: Class Support

This post is based on the September 2014 preview release of WMF 5.0. This is pre-release software, so this information may change.
One of the banner new features in PowerShell v5 is support for real live .NET Framework class creation in Windows PowerShell. The WMF 5.0 download’s release notes has some good examples of what classes look  like, but I wanted to briefly set some expectations for the feature, based on my own early experiences.
The primary use case for classes, at this point, is for DSC resources. Rather than creating a special PowerShell module that has specially named functions, live in a specially named folder, and work in a special way - that’s a lot of special, which means a lot of room for error - classes provide a more declarative way of creating DSC resources.
But we’re a bit ahead of ourselves. What’s a class?
In object-oriented programming, a class is a hunk of code that provides a specific interface. Everything in the .NET Framework is a class. When you run Get-Process in PowerShell, for example, you are returning objects of the type System.Diagnostics.Process - or, in other languages, objects of the class System.Diagnostics.Process. Each process is an instance of the class. The class describes all the standardized things that a process can show you (like its name or ID), or that it can do (like terminate). Programmers build the functionality into the class itself.
Classes can have static properties and methods - these are hunks of code that don’t require an actual instance of a process. For example, you can start a process without having a process in the first place. The System.Math class in .NET has lots of static members - the static property Pi, for example, contains the numeric value of pi to a certain number of decimal places. The static Abs() method returns the absolute value of a number.
PowerShell classes are designed to provide similar functionality. The trick with PowerShell classes, at least at this stage of their development, is that they don’t add their type name to any kind of global namespace. That is, let’s say you write a class named My.Cool.Thing, and you save it into a script module named MyCoolThing.psm1. You can’t just go into the shell and run New-Object -TypeName My.Cool.Thing to create an instance of the class, because there’s nothing in PowerShell (yet) that knows to go look for your script module to find the class. That’ll likely change in a future release, but for right now it means classes are kind of limited.
The basic rule is that you can only use a class _within the same module that contains the class. _That is, the class can only be “seen” from within the module. So, your MyCoolThing.psm1 module might define a class, and then might also define several commands (functions) that use the class - that’s legal, and it will work. You still can’t use New-Object; instead, you’d instantiate your class by using something like ClassName::new(), calling the static New() method of the class to instantiate it. I expect New-Object will get “hooked up” at some point, but it might not be until some future version of PowerShell.
Anyway, back to DSC.
DSC is a bit unique, because normally you don’t load resource modules; the Local Configuration Manager loads them. When you build a DSC resource class, you’re forced to provide three methods: Get(), Set(), and Test(). The LCM loads your module, instantiates the class, and then calls the three methods as needed. DSC resources built in this fashion can live in a plain old module .PSM1 file - there’s no need to create a DSCResources subfolder, no need to have an empty “root” module, or any of that. So it’s a more elegant solution all around. Aside from some structural differences, you code them the same as you always have. v5 still supports the old-style resources, for backward compatibility, but class-based resources are the “way forward.” I expect Microsoft will eventually refactor the DSC Resource Kit to be class-based resources, as soon as they get a minute and as soon as v5 is widely adopted.
So most of the “wiring” behind classes has, to this point, been designed to support that DSC use case. In other words, of all the things a PowerShell class will need to do, the team has so far focused mainly on those things that impact DSC. The rest will come later - the release notes use the phrase, “…in this release” a lot, meaning the team understands where the current weaknesses are. “This release” in some cases may simply mean _this current preview release, _meaning they’re targeting more features for v5’s final release; in other cases, more features will have to wait for v6 (or whatever) or a later version of PowerShell.
So there’s a little rambling on classes and what’s presently in PowerShell v5. If you haven’t already downloaded the preview and started playing with it, you should; _not in production, though. _Keep it in a test VM for the time being.

DenverPSUG – Keith Hill Presenting

Hello everyone,
The Denver PowerShell User Group will be meeting again on September 4th and we will have Keith Hill presenting. Keith has published an ebook, is a repeat Microsoft MVP, and has been heavily involved in writing and maintaining the PowerShell Community Extensions.
You can find more information on the event as well as RSVP here:

  Keith Hill - Effective PowerShell





  Thursday, Sep 4, 2014, 7:00 PM

899 Logan st

Quick Tip: WMI vs. CIM Syntax

# List all classes in a namespace Get-CimClass -Namespace root\CIMv2 Get-WmiObject -Namespace root\CIMv2 -List # list all classes containing “service” in their name
Get-CimClass -Namespace root\CIMv2 | Where CimClassName -like ‘*service*’ | Sort CimClassName
(or)
Get-CimClass -Namespace root\CIMv2 -Classname *service*
Get-WmiObject -Namespace root\CIMv2 -List | Where Name -like ‘*service*’ | Sort Name
# get all class instances
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_OperatingSystem
Get-WmiObject -Namespace root\CIMv2 -Class Win32_OperatingSystem
# filter class instances
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_LogicalDisk -Filter “DriveType=3”
Get-WmiObject -Namespace root\CIMv2 -Class Win32_LogicalDisk -Filter “DriveType=3”
# show all properties
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_OperatingSystem | Get-Member
Get-WmiObject -Namespace root\CIMv2 -Class Win32_OperatingSystem | Get-Member
# show all properties and values
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_OperatingSystem | fl *
Get-WmiObject -Namespace root\CIMv2 -Class Win32_OperatingSystem | fl *
# remote computer
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_BIOS -ComputerName dc,win81
Get-WmiObject -Namespace root\CIMv2 -Class Win32_BIOS -ComputerName dc,win81
# use CIM command to talk to non-CIM computer
Get-CimInstance -Namespace root\CIMv2 -ClassName win32_BIOS -CimSession (
New-CimSession -ComputerName OLD-XP-PC -SessionOption (
New-CimSessionOption -Protocol Dcom
)
)

Analyzing the "Black Magic" PowerShell "Exploit" and Appropriate Actions

Trend Micro released a report on a new PowerShell-vectored exploit named Black Magic. I had a lovely Twitter conversation about what this means in terms of PowerShell’s vulnerability to attack, and what admins should do. Unfortunately Twitter sucks for carrying on that kind of conversation, so I wanted to post this to clarify a few things.
First, I’m going to write this article as if “you” were hit by this exploit. Don’t take it personally, it’s just an easier style of language for me - it’s not actually addressing you.
Second, when it comes to security, the goal is to stop attacks from happening. That means you have to consider all the ways something could nail you, and try to block as many of them as is practical. That’s called “defense in depth,” giving you multiple layers of defense. The corollary to that is that your environment must still be functional. I mean, from a secure standpoint, if I unplugged all the WiFi access points and Ethernet switches you have, you’d be pretty secure. And non-functional.
Third… and I don’t know how to be delicate about this, but a lot of admins out there aren’t very sophisticated about security. There’s sometimes a tendency to fix what they can get their hands on, whether or not that makes any impact on security or not. So let’s be very clear about what you do when it comes to security: You do as little as possible, and impinge as little functionality as possible, while achieving your security goals. That helps maintain a “functional” environment, and keeps the security aspect of it “maintainable.” Sometimes, “as little as possible” is quite a lot indeed - but you look for that balance. Finally, you almost never do anything to “improve” security if it is in fact a null improvement. That is, you don’t lock the doors if the windows can’t be closed. There’s no point.
Now, let’s look at how Black Magic operates.

Installing PowerShell v5? Be a Little Careful, OK?

I’m getting a lot of questions from folks, via Twitter and other venues, regarding Windows Management Framework 5.0 - which is where PowerShell v5 comes from. It’s awesome that people are installing v5 and kicking the tires - however, please help spread the word:

• v5 is a preview. It isn’t done, and it isn’t guaranteed bug-free. It shouldn’t be installed on production computers until it’s officially released.
• v5 doesn’t install ‘side by side’ with v3 or v4. You can’t run it with “-version 3” to “downgrade.” Now, v5 shouldn’t break anything - something that runs in v3 or v4 should still work fine - but there are no guarantees as it’s a preview and not released code at this stage.
• Server software (Exchange, SharePoint, etc) often has a hard dependency on a specific version of PowerShell. You need to look into that before you install v5.
• After installing v5, you might not be able to cleanly uninstall and revert to a prior version.

Generally speaking, v5 should be installed in a test virtual machine at the very least, not on a production computer. It’s great to play with it, and you should absolutely log bugs and suggestions to http://connect.microsoft.com.
This situation will be true for any pre-release preview of PowerShell or WMF going forward. “Preview” is the new Microsoft-speak for “beta,” and you should treat it as such. Play with it, yes - that’s the whole point, and it’s how we get a stable, clean release in the end. But play with caution, and never on production computers.

TechEd N.A. 2014 Session Recordings

There’s some great PowerShell content now online for your viewing pleasure.
Jeffrey Snover and I had a blast doing “Windows PowerShell Unplugged,” and I reviewed some best PowerShell practices (and hopefully provided a little inspiration for your career) in “Windows PowerShell Best Patterns and Practices: Time to Get Serious.” And the #2 overall session of TechEd? “DSC: A Practical Overview,” including a surprise demo (and announcement) from Snover showing DSC running on Linux.
Enjoy!

After all the DSC-related excitement this week, there have been a few online and Twitter-based discussions including Chef, Puppet, and similar solutions. Many of these discussions start off with a tone I suppose I should be used to: fanboy dissing. “Puppet already does this and is cross-platform! Why should I bother with DSC?” Those people, sadly, miss the point about as entirely as it’s possible to do.

Point 1: Coolness

First, what Microsoft has accomplished with DSC is cool. Star Wars Episode V was also cool. These facts do not prevent previous things - Puppet/Chef/etc and Episode IV - from being cool as well. Something new being cool does not make other things less cool. This shouldn’t be a discussion of, “Puppet did this first, so nothing else can possibly be interesting at the same time.” As IT professionals, we should be looking at everything with an eye toward what it does, and what new ideas it might offer than can be applied to existing approaches.

My TechEd 2014 "Patterns and Practices" Example Scripts

I’ll be using these examples in my TechEd 2014 session on PowerShell patterns and practices. They won’t make much sense, perhaps, until you see the session (live, or in the recordings - and I believe this session is one of the “Taste of TechEd” ones that will be live-streamed), but here are the scripts.
TechEd-NA-2014-Patterns-Examples

Code from this week's Oslo class

OSTools - download for my class in Oslo this week.
Here’s some more: share

We Want Your DSC Resource Wish List!

What sorts of things would you want to configure via DSC that don’t already have a resource?
NB: Focusing on the core Windows OS and its components only; Exchange, SharePoint, SQL Server, and other products are off the table for this discussion.
For example, I want a “log file rotator” resource, that lets me specify a log file folder, an archive folder, and a pair of dates. Files older than one date are moved from the log folder to the archive folder; archived files older than the second date are deleted.
I’d also like a File Permissions resource. Specify a folder or file, optional recursion, and a set of access control entries (in plain English terms), and it’ll make sure the permissions stay that way.
Maybe also a User Home Folder resource, which would (a) ensure a folder exists for a given set of user accounts, and (b) ensures a set of “template” permissions, so that each individual user has the rights to their folder, plus rights given to global users like admins.
What resources would YOU like to have to ease configuration and maintenance in YOUR environment? Drop a comment!