As humans, we normally have 10 fingers. Keeping these fingers in control is not an easy feat. That is why we invent things like aliases.
An alias shortens long functions or commands to just a few characters. For example “gin” becomes an alias of Get-ComputerInfo.
Gin is not the only alias we can use. Gal is another. Gal or Get-Alias displays all aliases in our current PowerShell session. However, I suspect there could be treasure hidden in aliases or functions that are not documented (but I could be wrong…).
Let’s do some brute-forcing
So, we don’t like typing too much. Why don’t we create a script that does the heavy lifting for us?
- Create an array of characters using [char]
- Loop through the array and try to execute every possible command (what could go wrong?)
    # Creating an array of the alphabet
    $characters = 65..90 | % { [char]$_ }

    # Loop once
    foreach ( $x in $characters ) {
        $command = $x
        # Runs whatever the one-letter name resolves to
        powershell $command
    }

    # Looping twice
    foreach ( $x in $characters ) {
        foreach ( $y in $characters ) {
            # Interpolate both characters into a string to get a two-letter name
            $command = "$x$y"
            powershell $command
        }
    }
Found some gold?
Well… not yet.
However, I did find some interesting functions and commands this way.
h -> Get-History
This is a great tool in PowerShell. Get-History displays the list of commands entered during the current session.
Rami created a blog post on a persistent history of commands a while ago. Maybe we will give this a try too.
It -> This is not an alias?
Aha! Eureka! This command is not listed among the aliases on my system.
Our trusty Get-Help command gives us more information.
    Get-Help It

    NAME
        It

    SYNOPSIS
        Validates the results of a test inside of a Describe block.

    SYNTAX
        It [-name] <String> [[-test] <ScriptBlock>] [-TestCases <IDictionary[]>] [<CommonParameters>]
        It [-name] <String> [[-test] <ScriptBlock>] [-TestCases <IDictionary[]>] [-Pending] [<CommonParameters>]
        It [-name] <String> [[-test] <ScriptBlock>] [-TestCases <IDictionary[]>] [-Skip] [<CommonParameters>]

    DESCRIPTION
        The It command is intended to be used inside of a Describe or Context Block.
        If you are familiar with the AAA pattern (Arrange-Act-Assert), the body of
        the It block is the appropriate location for an assert. The convention is to
        assert a single expectation for each It block. The code inside of the It block
        should throw a terminating error if the expectation of the test is not met and
        thus cause the test to fail. The name of the It block should expressively state
        the expectation of the test.
It seems to be well documented. The module can be found in “C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions” on Windows 10 machines.
Further investigation leads us to “What is Pester and Why Should I Care?”, an article written by The Scripting Guys.
Pester is a test framework for PowerShell. It provides a language that allows you to define test cases, and the Invoke-Pester cmdlet to execute these tests and report the results.
WF -> A sudden surprise
Suddenly. A wild WINDOWS FIREWALL appears!
Oh right… I’m still running the script above.
WF is calling wf.msc. This displays the Windows firewall console. Nice to know.
Conclusion – More brute force needed
This is only layer 2 of our conquest.

Aliases can consist of 2, 3 or even more characters. Who knows what treasure is still hidden from our fingers. Keep posted for more.
If you have suggestions for a better way of testing all possibilities, without risking a corrupt OS, please leave a comment below!
Update:
Thanks to Lee, there is a better (less risky) way of checking if a command exists. [grin]
The Get-Command cmdlet displays all information you’ll ever need.
    # Loop once
    foreach ( $x in $characters ) {
        $command = $x
        Get-Command -Name $command
    }
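The Get-Command approach above, carried through for every one- and two-letter name, as an added example that is not part of the original post. It resolves each name without launching anything and shows what the name would run; the variable names and the `Typed`/`Target` columns are choices made for this example.

```powershell
# Added example: resolve every 1- and 2-letter name WITHOUT executing it.
$characters = 65..90 | ForEach-Object { [char]$_ }

# Candidate names: A..Z, then AA..ZZ, built as strings.
$candidates = @($characters | ForEach-Object { "$_" })
foreach ($x in $characters) {
    foreach ($y in $characters) {
        $candidates += "$x$y"
    }
}

$found = foreach ($name in $candidates) {
    # Get-Command only looks the name up; the command itself is never started.
    # -All returns every match in precedence order, so a name that is both an
    # alias and an executable on the PATH shows up twice.
    # Unknown names produce an error record, which is silenced here.
    Get-Command -Name $name -All -ErrorAction SilentlyContinue |
        Select-Object @{ Name = 'Typed'; Expression = { $name } },
                      CommandType,
                      Name,
                      @{ Name = 'Target'; Expression = {
                          switch ($_.CommandType) {
                              'Alias'       { $_.Definition }   # cmdlet the alias points to
                              'Application' { $_.Path }         # file that would be launched
                              default       { $_.ModuleName }   # module owning the function/cmdlet
                          }
                      } }
}

# Summary: how many short names resolve to each kind of command.
$found | Group-Object CommandType | Select-Object Name, Count | Format-Table -AutoSize

# Everything Get-Alias would not have shown: functions such as It from Pester,
# and applications such as wf.msc found through the PATH.
$found |
    Where-Object CommandType -ne 'Alias' |
    Sort-Object CommandType, Typed |
    Format-Table Typed, CommandType, Name, Target -AutoSize
```

An exact-name lookup can auto-import the module that owns the command (which is how `It` from Pester gets resolved), so a fresh session is the cleanest place to run it.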