Monthly Archive


Monthly Archives: November 2013

CDXML: Module Manifest

Last time we created a module using CDXML to wrap the Win32_Bios WMI class. This gave us a cmdlet – Get-Bios.  As the intention is to create a number of modules that expose the WMI classes related to hardware we need a module manifest file (.psd1) to load them so that we can take advantage of module auto-loading in PowerShell 3 & 4

Remember – one WMI class per CDXML file and each CDXML file is treated as a module

I find the easiest way to create new manifest is run New-ModuleManifest and give it the full path to the psd1 file you want to create


New-ModuleManifest -Path C:\scripts\Modules\Hardware\Hardware.psd1 –PassThru


You can then open the file in ISE and edit to give this:

# Module manifest for module 'Hardware'
# Generated by: richard
# Generated on: 30/11/2013


# Script module or binary module file associated with this manifest.
# RootModule = ''

# Version number of this module.
ModuleVersion = '1.0'

# ID used to uniquely identify this module
GUID = '55512ad7-c2aa-4678-818f-8f19b4f110dd'

# Author of this module
Author = 'Richard'

# Company or vendor of this module
CompanyName = 'Macdui'

# Copyright statement for this module
Copyright = '(c) 2013 Richard. All rights reserved.'

# Description of the functionality provided by this module
# Description = ''

# Minimum version of the Windows PowerShell engine required by this module
# PowerShellVersion = ''

# Name of the Windows PowerShell host required by this module
# PowerShellHostName = ''

# Minimum version of the Windows PowerShell host required by this module
# PowerShellHostVersion = ''

# Minimum version of Microsoft .NET Framework required by this module
# DotNetFrameworkVersion = ''

# Minimum version of the common language runtime (CLR) required by this module
# CLRVersion = ''

# Processor architecture (None, X86, Amd64) required by this module
# ProcessorArchitecture = ''

# Modules that must be imported into the global environment prior to importing this module
# RequiredModules = @()

# Assemblies that must be loaded prior to importing this module
# RequiredAssemblies = @()

# Script files (.ps1) that are run in the caller's environment prior to importing this module.
# ScriptsToProcess = @()

# Type files (.ps1xml) to be loaded when importing this module
# TypesToProcess = @()

# Format files (.ps1xml) to be loaded when importing this module
# FormatsToProcess = @()

# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
NestedModules = @('Win32_BIOS.cdxml')

# Functions to export from this module
FunctionsToExport = @('Get-Bios')

# Cmdlets to export from this module
CmdletsToExport = '*'

# Variables to export from this module
VariablesToExport = '*'

# Aliases to export from this module
AliasesToExport = '*'

# List of all modules packaged with this module
# ModuleList = @()

# List of all files packaged with this module
# FileList = @()

# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''

# HelpInfo URI of this module
# HelpInfoURI = ''

# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''



You can cut out the items you don’t need but I prefer to leave them as reminders of the commands.

Once the file is modified – save it back as Hardware.psd1

Start a new PowerShell console and your new module is available for use immediately.

This also means that you can add new CDXML files and test them independently of the module. Once you’re happy with the new functionality you add the appropriate lines to the module manifest.


Its been stated many times that over 60% of the modules in PowerShell 3 & 4 are created using CDXML – objects-over-cmdlets.

This involves taking a WMI class and wrapping it in XML to create a PowerShell module. At this time many admins are running for the door but it really isn’t that difficult.

Most admins will have used the Win32_Bios class

£> Get-CimInstance -ClassName Win32_Bios

SMBIOSBIOSVersion : 090006
Manufacturer      : American Megatrends Inc.
Name              : BIOS Date: 05/23/12 17:15:53  Ver: 09.00.06
SerialNumber      : 5518-5018-0990-2526-2313-2106-44
Version           : VRTUAL – 5001223


To create a CDXML file type this in ISE:

<?xml version="1.0" encoding="utf-8"?>
<PowerShellMetadata xmlns="">
  <Class ClassName="ROOT\cimv2\Win32_BIOS">

      <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">


Everything is boiler plate except two lines:

<Class ClassName="ROOT\cimv2\Win32_BIOS">
which shows the namespace and the class you are using



which sets the NOUN of the PowerShell cmdlet you are producing. The verb is automatically set to GET.

I keep all my scripts in a folder called c:\scripts – this has subfolders by category. I also amend my module path in my PowerShell profile

$env:PSModulePath = "C:\Scripts\Modules;" + $env:PSModulePath

to add the \scripts\modules folder. This folder has all of the module I develop to keep them separate from the Microsoft modules.


I’m creating a module called Hardware that will contain a suite of CDXML files for accessing WMI classes related to hardware.

I saved the XML above to C:\Scripts\Modules\Hardware\Win32_BIOS.cdxml

For testing I change directory the C:\Scripts\Modules\Hardware folder and I can test my new module.

£> Import-Module .\Win32_BIOS.cdxml
£> Get-Command -Module Win32_BIOS

CommandType     Name                   ModuleName
-----------     ----                   ----------
Function        Get-Bios               Win32_BIOS


Running Get-Bios produces:

£> get-bios

SMBIOSBIOSVersion : 090006
Manufacturer      : American Megatrends Inc.
Name              : BIOS Date: 05/23/12 17:15:53  Ver: 09.00.06
SerialNumber      : 5518-5018-0990-2526-2313-2106-44
Version           : VRTUAL – 5001223


Exactly the same as using Get-CimInstance.

You also get a set of free functionality (meaning you don’t have to do anything)

£> Get-Command Get-Bios -Syntax

Get-Bios [-CimSession <CimSession[]>] [-ThrottleLimit <int>] [-AsJob] [<CommonParameters>]

£> $sess = New-CimSession -ComputerName server02
£> Get-Bios -CimSession $sess

SMBIOSBIOSVersion : 6NET61WW (1.24 )
Manufacturer      : LENOVO
Name              : Ver 1.00PARTTBLX
SerialNumber      : R81BG3K
Version           : LENOVO - 1240
PSComputerName    : server02


The properties displayed are controlled by the PowerShell formatting system as with most WMI classes. You can display all data:

Get-Bios | Format-List *


Next time we’ll create a module manifest file to enable module auto-loading

Defender Module: Threat Catalog

You can see the threats that defender is testing against

Get-MpThreatCatalog | select SeverityID, ThreatName

You get a long list like this

5 TrojanDownloader:Win32/Agent.A
4 TrojanDownloader:Win32/Holistyc
2 Dialer:Win32/EPlugin
5 Backdoor:Win32/Fxsvc
2 Adware:Win32/Networkone

This is the important one:


You want this to return nothing i.e. no threats found

You can start a scan like this:

Start-MpScan -ScanType QuickScan

A progress bar will show how things are going -  again if your machine is clean you won’t get a return

Mac Address

No not where you go for a burger!

I saw a post on the forum about getting the MAC address fro remote machines. The original post was using a fixed filter on NetConnectionID which assumes that all of your machines are configured equally. I think a better approach is to gather all the data

function get-macaddress {
[string]$computername = $env:COMPUTERNAME
Get-WmiObject -Class Win32_NetworkAdapter -ComputerName $computername -Filter "NetConnectionID LIKE '%'" |
select  PSComputerName, Description, NetConnectionID, MACAddress


The WMI filter ensures that only adapters with a NetConnectionID are returned.

Once you have the data you can ensure your machines are configured the same

Clearing the Trusted Hosts list

This post rounds out the remoting series and shows you how to clear the trusted hosts list

Windows 8.1 Defender module

Windows 8.1 includes a module – Defender for working with the anti-malware engine on the machine.  I’m presuming this means Windows Defender only

The starting point is Get-MpComputerStatus

£> Get-MpComputerStatus

AMEngineVersion                 : 1.1.10100.0
AMProductVersion                : 4.3.9600.16384
AMServiceEnabled                : True
AMServiceVersion                : 4.3.9600.16384
AntispywareEnabled              : True
AntispywareSignatureAge         : 2
AntispywareSignatureLastUpdated : 27/11/2013 11:14:50
AntispywareSignatureVersion     : 1.163.737.0
AntivirusEnabled                : True
AntivirusSignatureAge           : 2
AntivirusSignatureLastUpdated   : 27/11/2013 11:14:50
AntivirusSignatureVersion       : 1.163.737.0
BehaviorMonitorEnabled          : True
ComputerID                      : 10EEA25B-DB88-4238-BA5C-C500519F9C56
ComputerState                   : 0
FullScanAge                     : 4294967295
FullScanEndTime                 :
FullScanStartTime               :
IoavProtectionEnabled           : True
LastFullScanSource              : 0
LastQuickScanSource             : 2
NISEnabled                      : False
NISEngineVersion                : 2.1.10003.0
NISSignatureAge                 : 4294967295
NISSignatureLastUpdated         :
NISSignatureVersion             :
OnAccessProtectionEnabled       : True
QuickScanAge                    : 1
QuickScanEndTime                : 27/11/2013 21:48:57
QuickScanStartTime              : 27/11/2013 21:47:16
RealTimeProtectionEnabled       : True
RealTimeScanDirection           : 0
PSComputerName                  :


which shows a lot of useful data.

The cmdlet has a CimSession parameter so you can work with remote Windows 8.1 machines.  This module isn’t available on Windows 2012 R2.


Other cmdlets include:


If you think the output is reminiscent of a WMI class you’re right. The cmdlet is CDXML built from the ROOT\Microsoft\Windows\Defender\MSFT_MpComputerStatus CIM class

Remoting series

My remoting series on the Scripting Guy blog has finished.  The full set of posts is:

PowerShell on Windows RT

PowerShell v4 contains a help file

get-help about_Windows_RT –showwindow

That explains the differences between PowerShell on a full Windows device and on a Windows RT device such as a Surface 2

Get-Process in PowerShell 4

If you use Get-Process in PowerShell v3

£> Get-Process powershell

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
    516      17    49436      59220   233     8.86   7100 powershell


PowerShell v4 enables you to see the user account associated with the process

£> Get-Process powershell -IncludeUserName

Handles      WS(K) VM(M)   CPU(s)     Id UserName          ProcessName
-------      ----- -----   ------     -- --------          -----------
    593     214888   823    17.27   2148 MANTICORE\richard powershell


Now we have an easy way to discover who started a process

Capacity planning series finished

My capacity planning series on the Scripting Guy blog finished last week. Didn’t get chance to post about it as I was at Microsoft in Seattle.

Full series and associated powertip postings: