PowerShell data explanation and advice
Hi everyone. Not even sure how to ask and maybe it seems dramatic but I am reaching out for a little help here. Can someone help me understand this data I copied from PowerShell? I typed the same commands for user “smell” and user “Public”. I have a node in network probably and I really hope for the worse to be honest. Reading about it got me pumped. Of course I have no idea if this could be the small window sun shines through or just another big nothing. Anyway, thanks to anyone who sets me straight about it.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Users\smell> whoami / user
ERROR: Invalid argument/option - '/'.
Type "WHOAMI /?" for usage.
PS C:\Users\smell> whoami /user
USER INFORMATION
----------------
User Name SID
=================== ============================================
thinkpadt16g2\smell S-1-5-21-2399413288-642862217-314349489-1001
PS C:\Users\smell> wmic useraccount where name='%username%' get domain,name,sid
Node - THINKPADT16G2
ERROR:
Description = Invalid query
PS C:\Users\smell> wmic useraccount where name='%username%' get domain,name,sid
Node - THINKPADT16G2
ERROR:
Description = Invalid query
PS C:\Users\smell> [Security.Principal.WindowsIdentity]::GetCurrent() | Select-Object -Property @('Name', 'User')
Name User
---- ----
THINKPADT16G2\smell S-1-5-21-2399413288-642862217-314349489-1001
PS C:\Users\smell> [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
S-1-5-21-2399413288-642862217-314349489-1001
PS C:\Users\smell> wmic useraccount where name='smell' get sid
Node - THINKPADT16G2
ERROR:
Description = Invalid query
PS C:\Users\smell> wmic useraccount where sid='<sid>' get domain,name
Node - THINKPADT16G2
ERROR:
Description = Invalid query
PS C:\Users\smell> wmic useraccount where sid='S-1-5-21-2399413288-642862217-314349489-1001' get domain,name
Unexpected switch at this level.
PS C:\Users\smell> wmic useraccount get domain,name,sid
Domain Name SID
ThinkPadT16G2 Administrator S-1-5-21-2399413288-642862217-314349489-500
ThinkPadT16G2 DefaultAccount S-1-5-21-2399413288-642862217-314349489-503
ThinkPadT16G2 Guest S-1-5-21-2399413288-642862217-314349489-501
ThinkPadT16G2 smell S-1-5-21-2399413288-642862217-314349489-1001
ThinkPadT16G2 WDAGUtilityAccount S-1-5-21-2399413288-642862217-314349489-504
PS C:\Users\smell> Get-WmiObject win32_useraccount | Select domain,name,sid
domain name sid
------ ---- ---
ThinkPadT16G2 Administrator S-1-5-21-2399413288-642862217-314349489-500
ThinkPadT16G2 DefaultAccount S-1-5-21-2399413288-642862217-314349489-503
ThinkPadT16G2 Guest S-1-5-21-2399413288-642862217-314349489-501
ThinkPadT16G2 smell S-1-5-21-2399413288-642862217-314349489-1001
ThinkPadT16G2 WDAGUtilityAccount S-1-5-21-2399413288-642862217-314349489-504
PS C:\Users\smell>
PS C:\Users\smell> Get-LocalUser | Select-Object -Property @('Name', 'SID')
Name SID
---- ---
Administrator S-1-5-21-2399413288-642862217-314349489-500
DefaultAccount S-1-5-21-2399413288-642862217-314349489-503
Guest S-1-5-21-2399413288-642862217-314349489-501
smell S-1-5-21-2399413288-642862217-314349489-1001
WDAGUtilityAccount S-1-5-21-2399413288-642862217-314349489-504
PS C:\Users\smell> Get-CimInstance -query 'Select * from win32_useraccount' | ft name, SID
name SID
---- ---
Administrator S-1-5-21-2399413288-642862217-314349489-500
DefaultAccount S-1-5-21-2399413288-642862217-314349489-503
Guest S-1-5-21-2399413288-642862217-314349489-501
smell S-1-5-21-2399413288-642862217-314349489-1001
WDAGUtilityAccount S-1-5-21-2399413288-642862217-314349489-504
PS C:\Users\smell> [Security.Principal.WindowsIdentity]::GetCurrent() | Select-Object -Property @('Name', 'User')
Name User
---- ----
THINKPADT16G2\smell S-1-5-21-2399413288-642862217-314349489-1001
PS C:\Users\smell> C:\Users\Public
C:\Users\Public : The term 'C:\Users\Public' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:1
+ C:\Users\Public
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\Public:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\smell> C:\Users\Public>
C:\Users\Public> : The term 'C:\Users\Public>' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:2
+ C:\Users\Public>
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\Public>:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\smell> C:\Users\
C:\Users\ : The term 'C:\Users\' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:2
+ C:\Users\
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\smell> C:\Users
C:\Users : The term 'C:\Users' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:2
+ C:\Users
+ ~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\smell> PS C:\> Set-Location -PathC:\Users\Public
Get-Process : A positional parameter cannot be found that accepts argument 'Set-Location'.
At line:1 char:1
+ PS C:\> Set-Location -PathC:\Users\Public
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-Process], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.GetProcessCommand
PS C:\Users\smell> Set-Location -Path C:\Users\Public
PS C:\Users\Public> whoami /user
USER INFORMATION
----------------
User Name SID
=================== ============================================
thinkpadt16g2\smell S-1-5-21-2399413288-642862217-314349489-1001
PS C:\Users\Public> wmic useraccount where name='%username%' get domain,name,sid
Node - THINKPADT16G2
ERROR:
Description = Invalid query
PS C:\Users\Public> [Security.Principal.WindowsIdentity]::GetCurrent() | Select-Object -Property @('Name', 'User')
Name User
---- ----
THINKPADT16G2\smell S-1-5-21-2399413288-642862217-314349489-1001
PS C:\Users\Public> [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
S-1-5-21-2399413288-642862217-314349489-1001
PS C:\Users\Public> wmic useraccount where name='username' get sid
Node - THINKPADT16G2
ERROR:
Description = Invalid query
PS C:\Users\Public> wmic useraccount where name='smell' get sid
Node - THINKPADT16G2
ERROR:
Description = Invalid query
PS C:\Users\Public> wmic useraccount where sid='<sid>' get domain,name
Node - THINKPADT16G2
ERROR:
Description = Invalid query
PS C:\Users\Public> wmic useraccount where sid='S-1-5-21-2399413288-642862217-314349489-1001' get domain,name
Unexpected switch at this level.
PS C:\Users\Public> wmic useraccount get domain,name,sid
Domain Name SID
ThinkPadT16G2 Administrator S-1-5-21-2399413288-642862217-314349489-500
ThinkPadT16G2 DefaultAccount S-1-5-21-2399413288-642862217-314349489-503
ThinkPadT16G2 Guest S-1-5-21-2399413288-642862217-314349489-501
ThinkPadT16G2 smell S-1-5-21-2399413288-642862217-314349489-1001
ThinkPadT16G2 WDAGUtilityAccount S-1-5-21-2399413288-642862217-314349489-504
PS C:\Users\Public> Get-WmiObject win32_useraccount | Select domain,name,sid
domain name sid
------ ---- ---
ThinkPadT16G2 Administrator S-1-5-21-2399413288-642862217-314349489-500
ThinkPadT16G2 DefaultAccount S-1-5-21-2399413288-642862217-314349489-503
ThinkPadT16G2 Guest S-1-5-21-2399413288-642862217-314349489-501
ThinkPadT16G2 smell S-1-5-21-2399413288-642862217-314349489-1001
ThinkPadT16G2 WDAGUtilityAccount S-1-5-21-2399413288-642862217-314349489-504
PS C:\Users\Public> Get-LocalUser | Select-Object -Property @('Name', 'SID')
Name SID
---- ---
Administrator S-1-5-21-2399413288-642862217-314349489-500
DefaultAccount S-1-5-21-2399413288-642862217-314349489-503
Guest S-1-5-21-2399413288-642862217-314349489-501
smell S-1-5-21-2399413288-642862217-314349489-1001
WDAGUtilityAccount S-1-5-21-2399413288-642862217-314349489-504
PS C:\Users\Public> Get-CimInstance -query 'Select * from win32_useraccount' | ft name, SID
name SID
---- ---
Administrator S-1-5-21-2399413288-642862217-314349489-500
DefaultAccount S-1-5-21-2399413288-642862217-314349489-503
Guest S-1-5-21-2399413288-642862217-314349489-501
smell S-1-5-21-2399413288-642862217-314349489-1001
WDAGUtilityAccount S-1-5-21-2399413288-642862217-314349489-504
PS C:\Users\Public>