Have you ever wondered how a particular Powershell Cmdlet works under the hood? Maybe you're trying to mimic a certain behavior of a Cmdlet, and you'd like to see how Microsoft did it.
Turns out, it's surprisingly easy. The first thing you need is a .NET decompiler. There are many to choose from, but I like DotPeek.
Next, pick a Cmdlet, such as Get-ADUser . To find the DLL that the Cmdlet comes from, do this:
If you add a | clip on the end there, the output will go straight to your clipboard.
(Did you know the hexadecimal color code for the Powershell background color is 012456?)
Anyhow, now that we know in what DLL the Cmdlet resides, we need to find out what method(s) within that DLL the Cmdlet is actually calling. We can do that with Trace-Command :
There's a little more output after that, but this last line here is what we want. Microsoft.ActiveDirectory.Management.Commands.GetADUser.
Now we know the actual .NET method being called, and which DLL it's in. All that's left to do is fire up your .NET decompiler and disassemble!