Disassemble PowerShell Cmdlets

Hey community,

I am Helmut Wagensonner, a Customer Engineer at Microsoft, and in today’s blog I show you how to look behind the implementation of PowerShell cmdlets.

Ever wondered how the Microsoft guys code their PowerShell commands? Ever wanted to take a peek at the implementation of a PowerShell command? “You take the red pill – you stay in Wonderland, and I show you how deep the rabbit hole goes. Remember: all I’m offering is the truth. Nothing more.” (The Matrix)

Everything starts with the Get-Command cmdlet.

Using Get-Command you can find out a lot about the command you want to look behind. The most important property is its CommandType, because the way to get at the source code differs per command type. There are quite a few command types (https://docs.microsoft.com/en-us/dotnet/api/system.management.automation.commandtypes?view=powershellsdk-1.1.0), but most PowerShell commands are of type Cmdlet or Function. Another common type is Alias, which is just a reference to a cmdlet or a function (or to yet another alias), so it always leads back to one of those two. Let’s focus on these two for now.

For this walkthrough I picked the GC (Get-Content) command as an example of a cmdlet in a .NET binary and Get-WindowsUpdateLog as an example of a function in a PowerShell module.

The cmdlet inside a .NET binary

Let’s start to x-ray Get-Content by opening a PowerShell window in administrative mode and typing the following command:

Get-Command gc | fl *

GC as Get-Content alias

If you don’t elevate the PowerShell window, only a subset of the properties is shown.

In the Get-Command example above I’m using the short form GC instead of Get-Content. The output shows Alias as the CommandType. To find the command behind the alias, look at the ResolvedCommand property and repeat Get-Command with its value. Using the full name shows the real command type, in this case Cmdlet.

Get-Command Get-Content | fl *

Get-Command output

The DLL property shows where this cmdlet is implemented. Since this is a binary (.DLL), you need a decompiler (or disassembler) to continue. There are a lot of tools to decompile .NET binaries. I use ILSpy (https://github.com/icsharpcode/ILSpy/releases). It’s fast and is available as a portable app (no installation necessary).

So let’s open the file from the DLL property (Microsoft.PowerShell.Commands.Management.dll) in ILSpy. Most of the time the command implementation is found in the Microsoft.PowerShell.Commands namespace.

The Microsoft.Powershell.Commands Namespace

Typically the command classes are named after the PowerShell command, with verb and noun joined and a Command suffix. In our case you find the implementation in the GetContentCommand class. If the name is not obvious, the ImplementingType property in the Get-Command output gives you the exact class name, so you never have to guess. Sometimes you need to dig a bit deeper, but I’m quite sure you will find what you’re looking for.

From here on a little knowledge of .NET programming is necessary, but as a starting point search for the BeginProcessing, ProcessRecord and EndProcessing methods: these are the overrides the PowerShell engine calls when the cmdlet runs, with ProcessRecord executed once per pipeline input object. The cmdlet’s parameters appear as public properties decorated with the [Parameter] attribute.
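As an added example (not code from the original post), here is a small PowerShell function that automates the steps so far: it follows the alias chain via ResolvedCommand and, for a cmdlet, returns the ImplementingType and DLL you need to open in ILSpy. The function and its name Resolve-CommandSource are mine; for script functions it falls back to the script block’s File property, and for everything else to the Source property of the command.

```powershell
# Added example, not part of the original post: resolve a command name to
# the place its implementation lives, following aliases on the way.
function Resolve-CommandSource {
    param(
        [Parameter(Mandatory)]
        [string]$Name
    )

    # Several modules may export the same name; take the one the shell
    # would actually run (the first result).
    $cmd = Get-Command -Name $Name -ErrorAction Stop | Select-Object -First 1

    # An alias is only a pointer; follow the chain until we reach a real
    # command. ResolvedCommand is $null if the target is not available.
    while ($cmd.CommandType -eq 'Alias') {
        if (-not $cmd.ResolvedCommand) {
            throw "Alias '$($cmd.Name)' points to a command that is not available"
        }
        $cmd = $cmd.ResolvedCommand
    }

    $result = [ordered]@{
        Name        = $cmd.Name
        CommandType = $cmd.CommandType
        Module      = $cmd.ModuleName
        Class       = $null
        Source      = $null
    }

    switch ($cmd.CommandType.ToString()) {
        'Cmdlet' {
            # A cmdlet is a compiled .NET class: ImplementingType names the
            # class, DLL the assembly to open in a decompiler such as ILSpy.
            $result.Class  = $cmd.ImplementingType.FullName
            $result.Source = $cmd.DLL
        }
        { $_ -in 'Function', 'Filter' } {
            # A function is script; its script block remembers the file it
            # was parsed from ($null for functions typed at the prompt).
            $result.Source = $cmd.ScriptBlock.File
        }
        default {
            # ExternalScript, Application, ...: Source is the path on disk.
            $result.Source = $cmd.Source
        }
    }

    [pscustomobject]$result
}

# gc is an alias for Get-Content; both resolve to the same class inside
# Microsoft.PowerShell.Commands.Management.dll.
Resolve-CommandSource -Name gc | Format-List
Resolve-CommandSource -Name Get-WindowsUpdateLog | Format-List
```

Resolve-CommandSource gc and Resolve-CommandSource Get-Content report the same class, Microsoft.PowerShell.Commands.GetContentCommand, and the same DLL. If you have the ilspycmd dotnet tool installed (an assumption on my part, the post only mentions the ILSpy GUI), `ilspycmd -t Microsoft.PowerShell.Commands.GetContentCommand <path from Source>` dumps just that class as C# without opening the GUI.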

The Function way

It’s different when a command is implemented as a function. As mentioned at the beginning, I chose the Get-WindowsUpdateLog command as an example here. So let’s have a look at its members.

Get-Command Get-WindowsUpdateLog | fl *

Get-WindowsUpdateLog command properties

I shortened the output. In your case the ScriptBlock and Definition properties should be much larger. The source code of the function itself is in the Definition property, so it can easily be displayed with the command:

Get-Command Get-WindowsUpdateLog | select -ExpandProperty Definition

However, in many cases the function uses helper code or other functions from its parent module. To view the complete source code, you need to open the whole module in a text editor.

First, let’s find the parent module:

Get-Command Get-WindowsUpdateLog | select ModuleName

Find the module name

It’s part of the WindowsUpdate module. But where to find it? Well, that’s easy:

Get-Module -Name WindowsUpdate | select Path

Find the module path

This displays the path to the module manifest (*.psd1) or, for a module without a manifest, to the module file itself (a *.psm1 script module or a compiled *.dll). Note that Get-Module on its own only lists modules already imported into the session; the Get-Command call above auto-loaded WindowsUpdate, so it shows up here, but for a module that is not loaded yet add -ListAvailable. A compiled module can be opened with your favorite decompiler as shown earlier in this post. In this example we have a module manifest, so let’s open the PSD1 in a text editor.

The content of the PSD1 file

Look for the RootModule (called ModuleToProcess in older manifests), NestedModules and ModuleList entries. RootModule and NestedModules name the files PowerShell actually loads for the module; ModuleList is only an inventory, but it usually lists the same files. In all of them you find the paths to the module files (*.psm1).

The module files are normally located in the same directory as the manifest; if not, the entries in the PSD1 carry a full path. One of these files contains the implementation of the function you saw in the Definition property of the Get-Command output. In our case it’s easy because this PSD1 only references one module file. Most of the time there are several. So let’s open the PSM1 file in your favorite text editor.

Content of the module file

Here we have the complete implementation of our function.
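To automate the manifest walk described in this section, here is an added PowerShell function of mine (not from the original post; Find-FunctionDefinition is a made-up name). It reads the manifest with Import-PowerShellDataFile, collects the RootModule, ModuleToProcess, NestedModules and ModuleList entries, resolves relative entries against the manifest’s directory, then greps each .psm1/.ps1 for the function declaration and separates out any .dll entries that need a decompiler instead of a text editor:

```powershell
# Added example, not part of the original post: starting from a function
# name, walk its module manifest and locate the file and line defining it.
function Find-FunctionDefinition {
    param(
        [Parameter(Mandatory)]
        [string]$Name
    )

    # Get-Command auto-imports the module, so $cmd.Module is populated even
    # when Get-Module on its own would have listed nothing before this call.
    $cmd = Get-Command -Name $Name -CommandType Function -ErrorAction Stop |
           Select-Object -First 1
    $module = $cmd.Module
    if (-not $module) { throw "'$Name' is not exported by a module" }

    $moduleDir  = Split-Path -Path $module.Path -Parent
    $candidates = @()

    if ([IO.Path]::GetExtension($module.Path) -eq '.psd1') {
        # Parse the manifest as data; nothing in it gets executed.
        $manifest = Import-PowerShellDataFile -Path $module.Path

        # RootModule (ModuleToProcess in older manifests) and NestedModules
        # are what PowerShell actually loads; ModuleList is informational,
        # but it often names the same files, so search it too.
        $candidates = @($manifest.RootModule) + @($manifest.ModuleToProcess) +
                      @($manifest.NestedModules) + @($manifest.ModuleList)
    }
    else {
        # No manifest: Path is the .psm1 itself, or a .dll for a binary module.
        $candidates = @($module.Path)
    }

    $files = foreach ($entry in $candidates) {
        # NestedModules entries may be module specs: @{ ModuleName = ...; ... }
        $path = if ($entry -is [hashtable]) { $entry.ModuleName } else { $entry }
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        # Relative entries are relative to the manifest's directory.
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path -Path $moduleDir -ChildPath $path
        }
        if (Test-Path -LiteralPath $path -PathType Leaf) { $path }
    }
    $files = @($files | Sort-Object -Unique)

    $scriptFiles = @($files | Where-Object { $_ -match '\.(psm1|ps1)$' })
    $binaryFiles = @($files | Where-Object { $_ -match '\.dll$' })

    # Find the "function <Name>" (or "filter <Name>") declaration itself.
    $pattern = "^\s*(function|filter)\s+$([regex]::Escape($cmd.Name))\b"
    $hits = if ($scriptFiles) {
        Select-String -LiteralPath $scriptFiles -Pattern $pattern |
            ForEach-Object { "$($_.Path):$($_.LineNumber)" }
    }

    [pscustomobject]@{
        Function    = $cmd.Name
        ModulePath  = $module.Path
        ScriptFiles = $scriptFiles
        BinaryFiles = $binaryFiles   # open these in ILSpy, as for a cmdlet
        DefinedIn   = @($hits)
    }
}

Find-FunctionDefinition -Name Get-WindowsUpdateLog | Format-List
```

Run against Get-WindowsUpdateLog it returns the file:line pair to open in your editor. For a module whose manifest references several nested .psm1 files you get all of them at once, instead of opening each one by hand to find the right declaration.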

You may have noticed that I used the terms “normally” and “most times” a few times in this blog post. This is because there are different ways to implement cmdlets, and disassembling other commands may vary slightly from the steps mentioned above.

Anyway, this gives you a starting point, and it works for most cmdlet implementations coming from Microsoft.
