Prof. Powershell

What's Not To Like? PowerShell's -Like Operator

The -Like operator (and its counterpart, -Notlike) can help you find exactly the information you seek.

• By Jeffery Hicks
• 07/31/2012

Even though I'm always talking about PowerShell objects, there are times when we try to find things based on an object property. Most often the property is a string, or a piece of text. There are a few ways you can accomplish this based on your requirements.

One of the simplest ways is use the -eq operator:

PS C:\> get-service | where {$_.status -eq 'running'}

In this type of situation, PowerShell is case insensitive. It doesn't matter if the status property is 'Running', 'running' or 'RUNNING'.

But there may be times when we want to match strings based on a wildcard. For those situations, we turn to the -Like operator:

PS C:\> get-acl c:\work | Select -ExpandProperty Access | where {$_.IdentityReference -like "nt authority*"}

When using -Like we can use the * wildcard character. In the example above, I'm getting all access control entries that start with "NT Authority". I could just as easily use a domain name. Now, this only works for properties that have a single value. It won't work if the property is an array or nested object:

PS C:\work> get-service | where {$_.DependentServices -like "app*"}

This won't work because the DependentServices property is nested. But if we check the name property, it works:

PS C:\work> get-service | where {$_.DependentServices.name -like "app*"}

Note that this particular example only works in PowerShell 3.0. The point I want to drive home is that you have to be comparing single values.

If we want to find items that don't match, we can use the -notlike operator and it works the same way. Let's go back to my ACL example and list all rules for everything but system accounts:

PS C:\> get-acl c:\work | Select -ExpandProperty Access | where {$_.IdentityReference -notlike "nt authority*"}

Or maybe you would like to combine the two!

PS C:\> get-acl c:\work | Select -ExpandProperty Access | where {$_.IdentityReference -notlike "nt authority*" -AND $_.FileSystemRights -like "*full*"}

This will display all non-system access rules that have full control.

It is also possible to perform a like operation with WMI and Get-WmiObject, although it is technically a different operator. We will still use the Like keyword in our WMI query, but the wildcard character is the % symbol:

PS C:\> Get-WmiObject -Query "Select * from win32_process where commandline like 'c:\\windows\\sys%'" | Select handle,name,commandline

Or writing it using the -filter parameter:

PS C:\> Get-WmiObject win32_process -filter "commandline like 'c:\\windows\\sys%'" | Select handle,name,commandline

These expressions will return all processes that started under C:\Windows\Sys*. Note that I have to escape the \ in a WMI query. You should also be aware that not every class or WMI provider supports the Like operator. This should be a rare occurrence but you can tell because you'll get an error about the provider unwilling or unable to process the request.

Unfortunately, to find the opposite with WMI there is no NotLike operator. But we can use the NOT keyword in the query. Although the placement may strike you as odd. Here's the previous command revised to show all processes started outside of C:\Windows\Sys*:

PS C:\> Get-WmiObject win32_process -filter "NOT commandline LIKE 'c:\\windows\\sys%'" | Select handle,name,commandline

The operators aren't case sensitive. I made them uppercase here so they would stand out.

Next time, we'll look at another way to match up strings with the -Match operator.