Windows PowerShell is designed especially for system administration. In this section we will discuss some important PowerShell commands every system administrator must know to make their life easier.
One of the most powerful features of Windows PowerShell is that it lets you navigate through many different data stores by using the same familiar techniques that you use to navigate in the Windows file system.
PowerShell Drives (PSDrives)
In addition to the normal file system drives such as C: and D:, Windows PowerShell includes drives that represent the:
- Environment Variables (Env:)
- PowerShell Aliases (Alias:)
- HKEY_LOCAL_MACHINE (HKLM:)
- HKEY_CURRENT_USER (HKCU:)
- Digital signature certificate store (Cert:)
- Functions in the current session (Function:)
PS C:\Users\admin> cd env:
PS Env:\> cd alias:
PS Alias:\> cd HKLM:
PS HKLM:\> cd HKCU:
PS HKCU:\> cd cert:
PS Cert:\> cd function:
PS Function:\>
These are known as Windows PowerShell drives. To see a list of Windows PowerShell drives, use the following command:
PS C:\Users\admin> Get-PSDrive
Name      Used (GB)  Free (GB)  Provider     Root                       CurrentLocation
----      ---------  ---------  --------     ----                       ---------------
Alias                           Alias
C         420.47     42.98      FileSystem   C:\                        Users\admin
Cert                            Certificate  \
D         872.08     59.43      FileSystem   D:\
Env                             Environment
F         837.81     93.70      FileSystem   F:\
Function                        Function
HKCU                            Registry     HKEY_CURRENT_USER
HKLM                            Registry     HKEY_LOCAL_MACHINE
J                               FileSystem   J:\
K                               FileSystem   K:\
P         704.52     1343.48    FileSystem   P:\
Variable                        Variable
W         0.00       10240.00   FileSystem   \\ExpanDrive\vdn6tyrg-1
WSMan                           WSMan
Windows PowerShell drives can be created in any data store that is available in Windows PowerShell, and they can have any valid name, such as "D" or "MyDrive", followed by a colon (:). You can navigate in them by using the same methods that you would use in a file system drive.
However, the Windows PowerShell drives are visible only in Windows PowerShell. You cannot see them or gain access to them in File Explorer or cmd.exe.
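You can even create your own Windows PowerShell drives by using the New-PSDrive cmdlet. For example, to create a new drive called MyDrive: with the root in your D:\Scripts directory, use the following commands. The session first removes any existing drive named MyDrive with Remove-PSDrive, then creates the new one: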
PS C:\> Remove-PSDrive -Name MyDrive
PS C:\> New-PSDrive -Name MyDrive -PSProvider FileSystem -Root "D:\Scripts"
Name Used (GB) Free (GB) Provider Root CurrentLocation
---- --------- --------- -------- ---- ---------------
MyDrive 0.00 59.43 FileSystem D:\Scripts
PS C:\> Set-Location MyDrive:
PS MyDrive:\> Get-ChildItem
Directory: D:\Scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/9/2023 2:38 PM 48 myscript.ps1
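New-PSDrive works with the Registry provider as well as FileSystem. The following added example (not part of the original tutorial) mounts HKEY_USERS, which has no default drive, and lists the user hives currently loaded; the drive name HKU and the function name Get-LoadedUserHive are assumptions chosen for illustration.

```powershell
# Added example: temporary Registry-provider drive for HKEY_USERS.
# The drive name HKU and the function name are hypothetical.
function Get-LoadedUserHive {
    [CmdletBinding()]
    param(
        [string]$DriveName = 'HKU'
    )

    # Create the drive only if this session does not already have one.
    $created = $false
    if (-not (Get-PSDrive -Name $DriveName -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name $DriveName -PSProvider Registry -Root HKEY_USERS | Out-Null
        $created = $true
    }

    try {
        # Keep only per-user hives (S-1-5-21-...), skipping the *_Classes keys.
        Get-ChildItem -Path "${DriveName}:\" -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
            ForEach-Object {
                $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                                  -ArgumentList $_.PSChildName
                try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $account = '<unresolved>' }   # deleted or unreachable account

                [pscustomobject]@{
                    Sid     = $sid.Value
                    Account = $account
                    Hive    = $_.Name
                }
            }
    }
    finally {
        # Remove the drive again if this function created it.
        if ($created) { Remove-PSDrive -Name $DriveName }
    }
}

Get-LoadedUserHive | Format-Table -AutoSize
```

Only hives that are loaded at the time of the call appear; profiles of users who are not logged on are not mounted under HKEY_USERS.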
Navigating the File System
If you are already familiar with other command-line shells such as cmd.exe and Linux command-line, you might be tempted to type the familiar commands such as cd, dir, ls, and cat after opening Windows PowerShell.
Well, you can use these commands, since Windows PowerShell has built-in aliases created for the most popular commands:
- The cd is an alias for the Set-Location cmdlet, the cmdlet that changes the current location to the specified path.
- The dir and ls are aliases for the Get-ChildItem cmdlet, the cmdlet that lists the contents of a directory.
- The cat is an alias for the Get-Content cmdlet, the cmdlet that prints the contents of a file.
To navigate within the file system drive, use the Set-Location (cd) and Get-ChildItem (dir, ls) cmdlets. In Windows PowerShell, drives are indicated by the drive name followed by a colon (:), such as D:, and parent items are separated from child items by backslashes (\) or forward slashes (/), such as D:\Scripts.
As in other command-line shells, you can change locations, create, delete, move, and copy directories and files, and change their properties. You can even use the tab-completion feature for path names and cmdlet names. The built-in variables, such as $home for your home directory and $pshome for the Windows PowerShell installation directory, come in handy while using PowerShell. Windows PowerShell uses the following cmdlets to work with files and folders.
PS MyDrive:\> Get-Command -Noun Item
CommandType Name Version Source
----------- ---- ------- ------
Cmdlet Clear-Item 3.1.0.0 Microsoft.PowerShell.Management
Cmdlet Copy-Item 3.1.0.0 Microsoft.PowerShell.Management
Cmdlet Get-Item 3.1.0.0 Microsoft.PowerShell.Management
Cmdlet Invoke-Item 3.1.0.0 Microsoft.PowerShell.Management
Cmdlet Move-Item 3.1.0.0 Microsoft.PowerShell.Management
Cmdlet New-Item 3.1.0.0 Microsoft.PowerShell.Management
Cmdlet Remove-Item 3.1.0.0 Microsoft.PowerShell.Management
Cmdlet Rename-Item 3.1.0.0 Microsoft.PowerShell.Management
Cmdlet Set-Item 3.1.0.0 Microsoft.PowerShell.Management
The following commands change the current working directory to D:\Scripts, list the contents of the current working directory, and then use the New-Item cmdlet to create a new file named TestFile.txt.
PS C:\Users\admin> Set-Location D:\scripts\
PS D:\scripts> Get-ChildItem
Directory: D:\scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/9/2023 2:38 PM 48 myscript.ps1
PS D:\scripts> New-Item TestFile.txt -ItemType File
Directory: D:\scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/10/2023 8:37 AM 0 TestFile.txt
To create a directory, use the New-Item cmdlet with the -ItemType Directory parameter.
PS D:\scripts> New-Item TestFolder -ItemType Directory
Directory: D:\scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/10/2023 8:39 AM TestFolder
PS D:\scripts> Get-ChildItem
Directory: D:\scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/10/2023 8:39 AM TestFolder
-a---- 8/9/2023 2:38 PM 48 myscript.ps1
-a---- 8/10/2023 8:37 AM 0 TestFile.txt
To delete a file or directory, use the Remove-Item cmdlet as shown below:
PS D:\scripts> Remove-Item TestFile.txt -Force
PS D:\scripts> Remove-Item TestFolder -Force
PS D:\scripts> Get-ChildItem
Directory: D:\scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/9/2023 2:38 PM 48 myscript.ps1
Navigating the Windows Registry
You can navigate through the Windows Registry by using the same techniques that you use to navigate in the file system drive. In Windows PowerShell, the HKEY_LOCAL_MACHINE hive maps to the Windows PowerShell HKLM: drive and the HKEY_CURRENT_USER hive maps to HKCU: drive.
PS D:\scripts> sl HKCU:
PS HKCU:\> cd .\Software\Microsoft\Windows\CurrentVersion\
PS HKCU:\Software\Microsoft\Windows\CurrentVersion\> gci
Hive: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Name Property
---- --------
AAD
AccountsService State : {...
...
Notice that I have used sl (alias for Set-Location) to change the working directory to the HKEY_CURRENT_USER registry hive, and gci (alias for Get-ChildItem) to list the contents of the current working directory.
The entries in a registry key are considered to be properties of the key in which they are located. You can use the Get-ItemProperty cmdlet to retrieve the properties of a Registry Key.
For example, if you want to see the value of the Windows PowerShell execution policy, you can use the Get-ExecutionPolicy cmdlet or navigate to the ExecutionPolicy registry entry that stores the value in HKLM:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell.
PS C:\> Get-ExecutionPolicy
Unrestricted
PS C:\>
PS C:\> Set-Location hklm:
PS HKLM:\> cd .\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
PS HKLM:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell> Get-ItemProperty -Path . -name executionpolicy
ExecutionPolicy : Unrestricted
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\ShellIds\Micro
soft.PowerShell
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\ShellIds
PSChildName : Microsoft.PowerShell
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
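The value shown above is only the LocalMachine scope; Get-ExecutionPolicy -List reports several scopes, each backed by a different store. The following added example (not part of the original tutorial) reads each scope through the Registry and Env: drives. The function name is hypothetical, and the three registry paths other than the LocalMachine path shown above are assumptions that apply to Windows PowerShell 5.1.

```powershell
# Added example: where each execution-policy scope is stored.
# Function name is hypothetical; paths assume Windows PowerShell 5.1.
function Get-ExecutionPolicySource {
    # Registry-backed scopes, listed in order of precedence.
    $registryScopes = [ordered]@{
        MachinePolicy = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'
        UserPolicy    = 'HKCU:\Software\Policies\Microsoft\Windows\PowerShell'
        CurrentUser   = 'HKCU:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
        LocalMachine  = 'HKLM:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    }

    # What PowerShell itself reports for every scope.
    $reported = @{}
    Get-ExecutionPolicy -List | ForEach-Object {
        $reported["$($_.Scope)"] = $_.ExecutionPolicy
    }

    foreach ($scope in $registryScopes.Keys) {
        $path = $registryScopes[$scope]
        $stored = $null
        # The key or the value may be absent; both mean "not set at this scope".
        if (Test-Path -Path $path) {
            $stored = (Get-ItemProperty -Path $path -Name ExecutionPolicy `
                           -ErrorAction SilentlyContinue).ExecutionPolicy
        }
        [pscustomobject]@{
            Scope       = $scope
            Reported    = $reported[$scope]
            StoredValue = $stored
            Location    = $path
        }
    }

    # The Process scope lives in the Env: drive, not in the registry.
    [pscustomobject]@{
        Scope       = 'Process'
        Reported    = $reported['Process']
        StoredValue = $env:PSExecutionPolicyPreference
        Location    = 'Env:\PSExecutionPolicyPreference'
    }
}

Get-ExecutionPolicySource | Format-Table -AutoSize
```

A value under either Policies key comes from Group Policy and takes precedence over the LocalMachine value the tutorial reads.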
The New-Item cmdlet is versatile and particularly good for creating files and folders. If you want to create the actual values or leaf items in the Windows registry, then use the cmdlet New-ItemProperty.
Let’s first navigate to HKEY_CURRENT_USER\SOFTWARE subkey and then create a new subkey with the name TestSoftware. Then we will create a new registry item with the name TestKey and then we will set the value of new registry item.
PS HKLM:\Software\Microsoft\PowerShell\> Set-Location HKCU:\Software\
PS HKCU:\Software\> New-Item TestSoftware -ItemType Directory
Hive: HKEY_CURRENT_USER\Software
Name Property
---- --------
TestSoftware
PS HKCU:\Software\> New-ItemProperty -Path .\TestSoftware -Name TestKey -PropertyType String -Value "1"
TestKey : 1
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\TestSoftware
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software
PSChildName : TestSoftware
PSDrive : HKCU
PSProvider : Microsoft.PowerShell.Core\Registry
After running the above commands, you can verify that the key and values are created in Windows Registry.
You can change the registry key values using Set-ItemProperty cmdlet as shown below.
PS HKCU:\Software\> Set-ItemProperty -Path .\TestSoftware -Name TestKey -Value "0"
PS HKCU:\Software\> Get-ItemProperty .\TestSoftware
TestKey : 0
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\TestSoftware
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software
PSChildName : TestSoftware
PSDrive : HKCU
PSProvider : Microsoft.PowerShell.Core\Registry
To remove a registry item, use the Remove-Item cmdlet. Exercise caution when removing any registry item; you may crash your system if you delete a critical key or value. Fortunately, Windows PowerShell gives a -WhatIf parameter with every cmdlet, which tells you what would happen if you ran the command, without actually running it.
PS HKCU:\Software\> Remove-Item -Path .\TestSoftware -WhatIf -Force
What if: Performing the operation "Remove Key" on target "Item: HKEY_CURRENT_USER\Software\TestSoftware".
PS HKCU:\Software\> Remove-Item -Path .\TestSoftware -Force
PS HKCU:\Software\> Get-ChildItem .\TestSoftware
Get-ChildItem : Cannot find path 'HKEY_CURRENT_USER\Software\TestSoftware' because it does not exist.
At line:1 char:1
+ Get-ChildItem .\TestSoftware
This is how you can work with the Windows Registry. The process is pretty much the same as working with the file system, files, and folders.
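Your own functions can offer the same -WhatIf dry run by declaring SupportsShouldProcess. The following added example (not part of the original tutorial) wraps Set-ItemProperty so that the previous value is captured before any change; the function name is hypothetical, and the key and value names reuse the tutorial's HKCU:\Software\TestSoftware and TestKey.

```powershell
# Added example: registry change with a dry run and a record of the old value.
# Set-RegistryValueWithBackup is a hypothetical name.
function Set-RegistryValueWithBackup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Value
    )

    if (-not (Test-Path -Path $Path)) {
        throw "Registry key '$Path' does not exist."
    }

    # Read the current value first so the change can be reverted later.
    $previous = (Get-ItemProperty -Path $Path -Name $Name `
                     -ErrorAction SilentlyContinue).$Name

    $applied = $false
    # ShouldProcess returns $false under -WhatIf, so nothing is written.
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set value to '$Value'")) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value
        $applied = $true
    }

    [pscustomobject]@{
        Path      = $Path
        Name      = $Name
        Previous  = $previous
        Requested = $Value
        Applied   = $applied
    }
}

# Constructed walk-through on a scratch key under HKCU.
$key = 'HKCU:\Software\TestSoftware'
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name TestKey -PropertyType String -Value '1' | Out-Null

Set-RegistryValueWithBackup -Path $key -Name TestKey -Value '0' -WhatIf   # dry run
Set-RegistryValueWithBackup -Path $key -Name TestKey -Value '0'           # real change

Remove-Item -Path $key -Recurse -Force   # clean up the scratch key
```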
Navigating the Certificate Store
You can navigate the digital certificate store on your computer. The certificate store maps to the Windows PowerShell Cert: drive. The following example shows how to use Set-Location (cd) and Get-ChildItem (dir, ls) to navigate the Cert: drive.
PS C:\> Set-Location cert:
PS Cert:\> Get-ChildItem
Location : CurrentUser
StoreNames : {TrustedPublisher, ClientAuthIssuer, Root, UserDS...}
Location : LocalMachine
StoreNames : {LocalMachine, AAD Token Issuer, AuthRoot, My...}
PS Cert:\> Set-Location .\\CurrentUser\
PS Cert:\CurrentUser\> Get-ChildItem
Name : TrustedPublisher
Name : ClientAuthIssuer
Name : CA
Name : REQUEST
Name : AuthRoot
Name : AdobeCertStore
Name : CurrentUser
...
PS Cert:\CurrentUser\> cd .\AuthRoot
PS Cert:\CurrentUser\AuthRoot> Get-ChildItem
PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\AuthRoot
Thumbprint Subject
---------- -------
F9B5B632455F9CBEEC575F80DCE96E2CC7B278B7 CN=AffirmTrust Commercial, O=AffirmTrust, C=US
F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 CN=Microsoft Identity Verification Root Certificate Authority 2020, O=Micr...
F373B387065A28848AF2F34ACE192BDDC78E9CAC CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, ...
8782C6C304353BCFD29692D2593E7D44D934FF11 CN=SecureTrust CA, O=SecureTrust Corporation, C=US
8094640EB5A7A1CA119C1FDDD59F810263A7FBD1 CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6
7E04DE896A3E666D00E687D33FFAD93BE83D349E CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
...
PS Cert:\CurrentUser\AuthRoot> Get-ChildItem A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | Format-List -Property *
PSPath : Microsoft.PowerShell.Security\Certificate::CurrentUser\AuthRoot\A8985D3A65E5E5C4B2D7D66D40C6
DD2FB19C5436
PSParentPath : Microsoft.PowerShell.Security\Certificate::CurrentUser\AuthRoot
PSChildName : A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
PSDrive : Cert
PSProvider : Microsoft.PowerShell.Security\Certificate
PSIsContainer : False
EnhancedKeyUsageList : {Client Authentication (1.3.6.1.5.5.7.3.2), Code Signing (1.3.6.1.5.5.7.3.3), Secure Email
(1.3.6.1.5.5.7.3.4), Server Authentication (1.3.6.1.5.5.7.3.1)...}
...
You can use the same techniques to navigate in other PowerShell drives, such as the alias (Alias:), environment (Env:), function (Function:), and variable (Variable:) drives.
PowerShell Providers
Windows PowerShell providers are Microsoft .NET Framework-based programs that make the data in a specialized data store available in Windows PowerShell so that you can view and manage it.
The data that a provider exposes appears in a drive, and you access the data in a path like you would on a hard disk drive. You can use any of the built-in cmdlets that the provider supports to manage the data in the provider drive. And, you can use custom cmdlets that are designed especially for the data.
The providers can also add dynamic parameters to the built-in cmdlets. These are parameters that are available only when you use the cmdlet with the provider data.
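The Certificate provider is a good illustration of dynamic parameters, and of the Cert: drive navigation shown earlier. The following added example (not part of the original tutorial) checks whether Get-ChildItem exposes a parameter for a given path and then uses -CodeSigningCert and -ExpiringInDays to review a store; the function names, the default store path and the 30-day window are assumptions, and the code targets Windows PowerShell 5.1.

```powershell
# Added example: dynamic parameters contributed by the Certificate provider.
# Function names, default store and 30-day window are hypothetical choices.

# Returns $true when Get-ChildItem accepts -$Parameter for the given path.
function Test-ProviderParameter {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Parameter
    )
    $syntax = Get-Command -Name Get-ChildItem -ArgumentList $Path -Syntax | Out-String
    $syntax -match "-$Parameter\b"
}

# Lists certificates that are expired or expire within $Days days.
function Get-CertificateReview {
    param(
        [string]$Store = 'Cert:\CurrentUser',
        [int]$Days = 30
    )

    # -CodeSigningCert is available only on the Cert: drive.
    $codeSigning = @(Get-ChildItem -Path $Store -Recurse -CodeSigningCert |
                     ForEach-Object { $_.PSPath })

    # -ExpiringInDays is also added by the Certificate provider.
    Get-ChildItem -Path $Store -Recurse -ExpiringInDays $Days |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            [pscustomobject]@{
                Store       = ($_.PSParentPath -split '::')[-1]
                Subject     = $_.Subject
                Thumbprint  = $_.Thumbprint
                NotAfter    = $_.NotAfter
                DaysLeft    = [int]($_.NotAfter - (Get-Date)).TotalDays
                CodeSigning = $codeSigning -contains $_.PSPath
            }
        } |
        Sort-Object NotAfter
}

# The parameter exists on the Cert: drive but not on a file system drive.
Test-ProviderParameter -Path 'Cert:\' -Parameter CodeSigningCert
Test-ProviderParameter -Path "$env:SystemDrive\" -Parameter CodeSigningCert

Get-CertificateReview -Days 30 | Format-Table -AutoSize
```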
Windows PowerShell includes a set of built-in providers that you can use to access the different types of data stores. You can also create your own Windows PowerShell providers, and you can install providers developed by others. To list the providers that are available in your session, use Get-PSProvider cmdlet:
PS MyDrive:\> Get-PSProvider
Name         Capabilities                        Drives
----         ------------                        ------
Registry     ShouldProcess, Transactions         {HKLM, HKCU}
Alias        ShouldProcess                       {Alias}
Environment  ShouldProcess                       {Env}
FileSystem   Filter, ShouldProcess, Credentials  {C, D, F, MyDrive...}
Function     ShouldProcess                       {Function}
Variable     ShouldProcess                       {Variable}
Certificate  ShouldProcess                       {Cert}
WSMan        Credentials                         {WSMan}
To get help about a particular provider, type the Get-Help cmdlet followed by the name of the provider, as shown below:
Get-Help FileSystem