

FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly.

You want to determine the version of PowerShell installed on a machine, but don't have a means by which to run the $PSVersionTable PowerShell command (e.g. you are working off of a forensic image - not a live machine).

I was chatting with Jared Atkinson and James Habben about PowerShell today and a question emerged from the discussion: is there a way to determine the version of PowerShell installed on a given machine without using the $PSVersionTable PowerShell command? We all agreed that it would be nice to have an offline source for finding this information.

Right off the bat, Jared suggested that there had to be something in the registry related to this information and subsequently pointed us to the following registry key: HKLM\SOFTWARE\Microsoft\PowerShell. James noted that he found a subkey named "1" inside. Within the "1" subkey is yet another subkey named PowerShellEngine. As we can see in the screenshot below, there is a value named PowerShellVersion that will tell us the version of PowerShell installed on the machine.

A second subkey named "3" shows a different, more recent version of PowerShell.
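One way to read the PowerShellVersion values described above from an offline hive, as an added example that is not part of the original post. It assumes a working copy of the SOFTWARE hive has been exported from the image (Windows\System32\config\SOFTWARE); the function name, the mount name `OfflineSW` and the sample path are hypothetical.

```powershell
# Added example: list PowerShellVersion for every engine subkey ("1", "3", ...)
# found under Microsoft\PowerShell in an offline SOFTWARE hive.
# Assumptions: elevated prompt on an analysis workstation; $HivePath is a COPY of the
# hive, because loading a hive can modify the file. Never load original evidence.
function Get-OfflinePowerShellVersion {
    param(
        [Parameter(Mandatory)] [string] $HivePath,
        [string] $MountName = 'OfflineSW'   # hypothetical temporary mount name
    )

    # Mount the hive file under HKLM so the registry provider can read it
    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

    try {
        # HKLM\SOFTWARE\Microsoft\PowerShell on the live system maps to
        # <mount>\Microsoft\PowerShell in the loaded hive
        $root = "HKLM:\$MountName\Microsoft\PowerShell"

        # -Name returns subkey names as strings, so no key handles stay open
        foreach ($name in Get-ChildItem -Path $root -Name -ErrorAction Stop) {
            $engine = "$root\$name\PowerShellEngine"
            if (-not (Test-Path -Path $engine)) { continue }

            $props = Get-ItemProperty -Path $engine
            [pscustomobject]@{
                Subkey            = $name
                PowerShellVersion = $props.PowerShellVersion
            }
        }
    }
    finally {
        # Release any provider handles, then unmount the hive
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed for HKLM\$MountName" }
    }
}

# Constructed sample path to an exported hive copy
Get-OfflinePowerShellVersion -HivePath 'E:\case\export\SOFTWARE'
```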
