Useful PowerShell one-liners for IT Admins: A sysadmin’s take

Sysadmins are busy people, but there are tricks and shortcuts that we can rely on again and again to make the job a bit easier. That’s where PowerShell comes in. Here are a few short one-line PowerShell commands and scripts that always come in handy.

All of the following commands can be run from PDQ Connect's Commands view and from PDQ Inventory's Tools > Run command (Ctrl+Alt+C).

You can also create a package with a PowerShell step that you can run on multiple devices at once and see the result after clicking on the deployment status link in PDQ Connect.

What is a one-liner in programming?

A one-liner is a concise, witty, or clever remark or joke delivered in a single sentence. It is often used to make a sharp, memorable point or to deliver humor briefly and effectively.

Joking aside, in programming, a one-liner is a complete program or a functional snippet of code written in a single line that performs a specific task. Several unique commands can be chained together using operators like |, &&, and ;.

You can easily combine multiple commands into a one-liner by converting the new line into a semi-colon and by removing all of the unnecessary space/tab characters from a common script. You can use the search/replace functionality of your favorite text editor and its regular expressions part, i.e. Look for \n and replace it with ; (semicolon).

Now that we've covered the basics, let’s start with the one-liners and commands.

1) Update PowerShell

One of the things a beginner asks is: "How do I update PowerShell without the need to download and install the update manually?"

To do so, run the following command:

winget upgrade --id Microsoft.PowerShell --accept-source-agreements --accept-package-agreements

You can also automate this task using PDQ Connect and PDQ Deploy where a prebuilt package is ready to use in the Package Library provided by PDQ.

Check out the PowerShell update guide for even more ways to update PowerShell.

2) Discover who’s logged in

When troubleshooting or managing endpoints, it’s common to need information about the currently logged in user and the status of the session.

Is the user active? Is their session locked? Are they disconnected? (RDP session)

These are often questions you ask yourself when you need to perform some action on the remote device without disrupting the user who is working on the device.

To learn the user's session status, you have multiple options:

query user /server:$env:COMPUTERNAME

Here is also a very smart alternative that relies on the quser command:

(&quser) -replace '\s{2,}', ',' -replace '>', '' | ConvertFrom-Csv;

The advantage here is that it returns an object you can then pipe to other commands/actions.

This is very useful on a terminal server (Remote Desktop Services) where multiple sessions are active.

3) List local printers

Printers are the worst, but at least here’s how you can easily list all the local printers on a computer with a PowerShell one-liner.

Get-Printer | Format-Table Name, PrinterStatus, DriverName, PortName, Location, Shared, Published

To remove a printer, run:

Remove-Printer -Name "<printer name>"

Keep in mind, the printer will only be removed once its queue is clear. To clear the print spooler, run:

Stop-Service -Name spooler -Force; Remove-Item -Path "$env:SystemRoot\System32\spool\PRINTERS\*" -Recurse -Force; Start-Service -Name spooler

4) Track down specific Windows event logs

When you quickly need to check what is happening in the background on a system from a specific event log, you can run the following PowerShell command:

Get-EventLog -LogName "PDQ.com" -Newest 10 | Sort-Object Index | Format-Table -AutoSize -Wrap

This will return the last 10 events from the PDQ.com event log that is created by PDQ Connect.

It is very useful for diagnosing issues you encounter in your environment. You can change the number of listed events by changing the -Newest parameter. The events are listed from oldest to newest.

To list the last 50 system shutdown events, you can use the following command:

Get-WinEvent -FilterHashtable @{LogName='System';ID=@(1074,6013)} -MaxEvents 50 | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap

Here is a list of events you can look for:

System shutdown events

Event ID 1074: User-initiated shutdown/restart
Event ID 6006: Critical system failure leading to shutdown
Event ID 6008: Unexpected system shutdown detected
Event ID 6013: System uptime recorded
Event ID 7034: Service termination due to system shutdown

Related administrative events

Event ID 4634: Logoff event (often precedes shutdown)
Event ID 4647: User initiated logoff (can lead to shutdown)
Event ID 513: Windows Update initiated restart
Event ID 515: Windows Update completed restart

Important notes

These events are recorded in the Windows system event log

Event ID 1074 specifically indicates who initiated the shutdown
Events 6006 and 6008 indicate unexpected system failures
Events 4634 and 4647 track user logoff activities
Events 513 and 515 track Windows Update-related restarts

5) Manage Microsoft Store apps

When Windows apps are updated (or not), it often happens that the old version is still present on the system. This can lead to a compromise of the system if not removed.

To list all packages available on the system use:

Get-AppxPackage -AllUsers

To list all provisioned Windows apps run:

Get-AppxProvisionedPackage -Online

Be careful though, the lists can be pretty long.

To check if a specific app is present use:

Get-AppxPackage -AllUsers | Where-Object { $_.PackageFullName -like "*Teams*" }

To remove a specific Windows app, you can use:

Get-AppxPackage -AllUsers | Where-Object { $_.PackageFullName -like "*Teams*" } | Remove-AppxPackage -AllUsers

Get-AppxPackage -AllUsers | Where-Object { $_.PackageFullName -like "MicrosoftTeams_24060.3102.2733.5911_x64__8wekyb3d8bbwe" } | Remove-AppxPackage -AllUsers

To make sure that a provisioned app is not installed when a new user logs in, run:

Get-AppxProvisionedPackage -Online | Where-Object {$_.DisplayName -eq "AdobeAcrobatReaderCoreApp"} | Remove-AppxProvisionedPackage -Online

Get-AppXProvisionedPackage -online | % {if ($_.DisplayName -eq "Microsoft.WebpImageExtension") {$_}} | Remove-AppxProvisionedPackage -online

Oh, you want to know how to install them? Alright then, let’s go over it. 😉

Note: Packages must be installed from a local computer. You cannot install them from a network path.

To provision a package**, run a command like:

$localPackage = "C:\Temp\ToDo.appxbundle"; DISM.EXE /Online /Add-ProvisionedAppxPackage /PackagePath:$localPackage /SkipLicense

On a user level, in PDQ Connect or PDQ Deploy, you can use the following commands within a PowerShell step, that is run as the logged in user:

add-appxpackage -path ./somepackage.msix

add-appxpackage -path ./somepackage.appxbundle

depending on the package type you have. These packages are not provisioned.

** Provisioning a package refers to the process of adding an app package (such as an .appx or .appxbundle) to a Windows image or operating system in a way that it becomes available for every new user profile created on that system.

6) WOL from PowerShell

Sometimes there is this $user who was told not to turn the computer off or put it to sleep, and you need to wake it up. If WOL (Wake-on-LAN) is enabled on the device and you have a computer on the same network that is online, you can run the following command if you know the MAC address of the network adapter.

$mac='12-34-56-78-9A-BC';[System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() | Where-Object { $_.NetworkInterfaceType -ne [System.Net.NetworkInformation.NetworkInterfaceType]::Loopback -and $_.OperationalStatus -eq [System.Net.NetworkInformation.OperationalStatus]::Up } | ForEach-Object { $targetPhysicalAddressBytes = [System.Net.NetworkInformation.PhysicalAddress]::Parse(($mac.ToUpper() -replace '[^0-9A-F]','')).GetAddressBytes(); $packet = [byte[]](,0xFF * 102); 6..101 | Foreach-Object { $packet[$_] = $targetPhysicalAddressBytes[($_ % 6)] }; $client = [System.Net.Sockets.UdpClient]::new([System.Net.IPEndPoint]::new(($_.GetIPProperties().UnicastAddresses | Where-Object { $_.Address.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork })[0].Address, 0)); try { $client.Send($packet, $packet.Length,[System.Net.IPEndPoint]::new([System.Net.IPAddress]::Broadcast, 9)) | Out-Null } finally { $client.Dispose() } }

I know, it's a bit hard to read, but it is also a one-liner. Just replace the $mac variable with the MAC address from the system you want to wake up.

As always with WOL, this might or might not work, but is worth the try.

And if you want more information, check out these Wake-on-LAN and magic packet resources.

7) Check connectivity to the PDQ Connect server

If you need to verify that the PDQ Connect Agent is able to reach the PDQ Connect infrastructure (firewall or antivirus blocks), run:

Invoke-WebRequest -UseBasicParsing -Uri "https://app.pdq.com/v1/devices/release-channels/emergency/manifest.json"

If a result is returned, your connection is fine. If not, something in your environment is blocking the connection.

8) Return TPM info

As Windows 10 reached its end, many of us are still in the process of upgrading the systems to Windows 11.

One of the Windows 11 requirements is to have a TPM 2.0 module available. To check the module presence, use:

Get-CimInstance -Namespace ROOT/CIMV2/Security/MicrosoftTpm -ClassName Win32_Tpm

9) Check file version info

At times, you may need to verify an executable file’s version. There are several ways to do this, for example:

[System.Diagnostics.FileVersionInfo]::GetVersionInfo("C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe").FileVersion

(Get-Command "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe").FileVersionInfo.FileVersion

(Get-Command "C:\Program Files\Common Files\Adobe\Creative Cloud Libraries\libs\node.exe").FileVersionInfo | Format-List

(Get-Item "C:\Program Files\Common Files\Adobe\Creative Cloud Libraries\libs\node.exe").VersionInfo | Format-List

10) Create a shortcut on the public desktop

This is not a one liner but certainly a very useful script when you need to create desktop shortcut for all users for a specific desktop app.

# Define the target file/folder path
$targetPath = "C:\Program Files\YourApp\YourApp.exe"

# Get the public desktop path
$publicDesktop = [Environment]::GetFolderPath("PublicDesktop")

# Create the shortcut
$shell = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut("$publicDesktop\YourApp.lnk")

# Set shortcut properties
$shortcut.TargetPath = $targetPath
$shortcut.IconLocation = "$targetPath"
$shortcut.Description = "Your App Description"

# Save the shortcut
$shortcut.Save()

# Set access rights to read for all users
$acl = Get-Acl $shortcutPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "ReadAndExecute", "Allow")
$acl.SetAccessRuleProtection($true, $false) # Disable inheritance
$acl.SetAccessRule($rule)
Set-Acl $shortcutPath $acl

Check out the full desktop shortcut guide for more information.

Let us know if any of these were helpful to you. And for even more tips, join the PDQ Discord server.