API Reference
Invoke-TestimoX
Runs the TestimoX engine once from the current PowerShell session.
Examples
Example 1: Run a focused set of typed rules and keep the interactive Spectre view
PS> $cs = [TestimoX.Definitions.CSharpRule]
PS> $ps = [TestimoX.RulesPowerShell.PowerShellRule]
PS> Invoke-TestimoX -IncludeCSharpRules @($cs::ForestSystemStateBackups) -IncludePowerShellRules @($ps::ForestRecycleBinAndLifetimes) -Verbosity Detailed -View Standard
This is a good operator workflow when validating a small subset before widening scope.
Example 2: Run a curated profile and persist reusable results in the durable store
PS> Invoke-TestimoX -Profile AdSecurityAssessment -StoreDir 'C:\Ops\TestimoX\Store' -StorePolicy ReadWrite -StoreTtl 7.00:00:00 -HtmlReportPath 'C:\Ops\TestimoX\Reports\AdSecurity.html'
The durable store enables later comparisons and lets future runs reuse matching snapshots.
Example 3: Resume a partially completed run after an interruption
PS> Invoke-TestimoX -StoreDir 'C:\Ops\TestimoX\Store' -RunId '2026-04-04T0130' -ResumeFromRun '2026-04-04T0130' -IncludeCSharpRules ([TestimoX.Definitions.CSharpRule]::ForestPkiConfiguration)
Only rules already recorded in that run are skipped, which makes recovery from interrupted maintenance windows much simpler.
Example 4: Publish HTML from the store without executing any rules
PS> Invoke-TestimoX -PublishFromStore -StoreDir 'C:\Ops\TestimoX\Store' -HtmlReportPath 'C:\Ops\TestimoX\Reports\TestimoX-FromStore.html'
This is useful when you want to regenerate a website artifact after tweaking report templates.
Example 5: Run from a checked-in configuration file and a reviewed rule-override set
PS> Invoke-TestimoX -ConfigPath 'C:\Ops\TestimoX\Configs\run.json' -RuleConfigPath 'C:\Ops\TestimoX\Configs\rules-overrides.json'
This keeps rule selection and per-rule tuning under source control instead of baking them into an interactive shell.
Example 6: Sample only a few DCs per domain during large enterprise runs
PS> Invoke-TestimoX -DomainControllerTargetingMode SamplePerDomain -DomainControllerTargetsPerDomain 3
This keeps DomainController-scoped rules representative without forcing every DC in a large domain to run every time.
Example 7: Use the interactive wizard to pick exact DC hosts for execution
PS> Invoke-TestimoX -Interactive
The interactive configuration step now offers Sample, All, and Explicit DC targeting, including a picker for reviewed DC host lists. For non-interactive exact host selection, use C# or JSON config with ExplicitDomainControllerTargets.
Common Parameters
This command supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters.
Syntax
Invoke-TestimoX [-Baseline] [-ConfigPath <string>] [-DomainControllerTargetingMode <SamplePerDomain|All|Explicit>] [-DomainControllerTargetsPerDomain <int>] [-ExcludeCategories <Configuration>] [-ExcludeCSharpRules <CSharpRule[]>] [-ExcludeHeavy] [-ExcludeRules <string[]>] [-ExcludeTags <string[]>] [-Filter <string>] [-ForestName <string>] [-HtmlReportPath <string>] [-IncludeCategories <Configuration>] [-IncludeCSharpRules <CSharpRule[]>] [-IncludePowerShellRules <PowerShellRule[]>] [-IncludeRules <string[]>] [-IncludeSuperseded] [-IncludeTags <string[]>] [-Interactive] [-MachineName <string>] [-MaxCost <Trivial|Light|Moderate|Heavy|Extreme>] [-PowerShellCacheDirectory <string>] [-PowerShellCacheMode <Persistent|Temporary|Disabled>] [-PowerShellCatalogMode <Legacy|Auto|CompiledOnly>] [-PowerShellRulesDirectory <string>] [-Preflight <Enforce|Soft|Off>] [-Profile <AdSecurityAssessment>] [-PublishFromStore] [-ReportLanguages <English|Polish|German|Spanish>] [-ResumeFromRun <string>] [-RuleConfigPath <string>] [-RunId <string>] [-StoreAcceptStale] [-StoreComputersTtl <TimeSpan>] [-StoreDir <string>] [-StoreMatch <MatchPolicy>] [-StorePolicy <StoragePolicy>] [-StoreRaw <RawPolicy>] [-StoreTtl <TimeSpan>] [-StoreUsersTtl <TimeSpan>] [-StrictParity] [-Verbosity <Quiet|Normal|Detailed|Debug>] [-View <Auto|Standard|Ansi>] [<CommonParameters>]
Parameters
- Baseline SwitchParameter
- Prefer a safe baseline selection (skips DomainController-scoped rules).
- ConfigPath string
- Run from a JSON configuration file (service.json or run.json) and exit. When provided, other selection parameters are ignored.
- DomainControllerTargetingMode DomainControllerTargetingMode
- Controls whether DomainController-scoped rules sample a subset of DCs per domain or run against every discovered DC. Use Explicit through the interactive wizard or JSON/C# configuration when you need reviewed named DC targets. Possible values: SamplePerDomain, All, Explicit
- DomainControllerTargetsPerDomain int
- Maximum number of DCs per domain targeted by DomainController-scoped rules when sampling is enabled. Ignored when targeting mode is All or Explicit.
- ExcludeCategories Category[]
- Categories to exclude during rule selection. Possible values: Configuration, Health, Security, Cleanup, Performance, Maintenance, Vulnerability, Compliance, Monitoring, Backup, Network, Storage, Identity, Authentication, Authorization, Audit, Availability, Replication, DNS
- ExcludeCSharpRules CSharpRule[]
- Typed C# rules to exclude.
- ExcludeHeavy SwitchParameter
- Exclude Heavy/Extreme rules regardless of MaxCost.
- ExcludeRules string[]
- Rule names to exclude. Values may be supplied individually or as comma-separated lists.
- ExcludeTags string[]
- Tags to exclude (match any).
- Filter string
- Case-insensitive substring filter applied to rule names during selection.
- ForestName string
- Forest name to target for rules that support explicit forest scoping.
- HtmlReportPath string
- Optional path for the HTML report. When omitted, TestimoX generates a report file name in the default reports folder.
- IncludeCategories Category[]
- Categories to include during rule selection. Possible values: Configuration, Health, Security, Cleanup, Performance, Maintenance, Vulnerability, Compliance, Monitoring, Backup, Network, Storage, Identity, Authentication, Authorization, Audit, Availability, Replication, DNS
- IncludeCSharpRules CSharpRule[]
- Typed C# rules to include.
- IncludePowerShellRules PowerShellRule[]
- Typed embedded PowerShell rules to include. This can be combined with -IncludeRules; duplicates are ignored.
- IncludeRules string[]
- Rule names to include. Values may be supplied individually or as comma-separated lists.
- IncludeSuperseded SwitchParameter
- Include rules that are marked as superseded (run legacy/alternate implementations).
- IncludeTags string[]
- Tags to include (match any).
- Interactive SwitchParameter
- Runs the interactive selection and execution wizard instead of relying entirely on command-line parameters.
- MachineName string
- Reserved machine selector retained for compatibility with older automation.
- MaxCost RuleCost
- Maximum rule cost to include. When omitted, includes all costs. Possible values: Trivial, Light, Moderate, Heavy, Extreme
- PowerShellCacheDirectory string
- Overrides the root directory used for extracted PowerShell scripts.
- PowerShellCacheMode PowerShellCacheMode
- Controls how legacy PowerShell scripts are cached on disk when used. Possible values: Persistent, Temporary, Disabled
- PowerShellCatalogMode PowerShellCatalogMode
- Controls how compiled PowerShell catalogs are used (Legacy, Auto, or CompiledOnly). Possible values: Legacy, Auto, CompiledOnly
- PowerShellRulesDirectory string
- Path to a directory containing user PowerShell rules (.ps1). Overrides TESTIMOX_PS_RULES_DIR.
- Preflight PreflightMode
- LDAP preflight behavior: Enforce, Soft, or Off. Possible values: Enforce, Soft, Off
- Profile RuleSelectionProfile
- Optional curated rule-selection profile to apply before explicit filters. Possible values: None, AdSecurityAssessment, DnsSecurityAudit, NistDnsAudit, GeneralDnsConfigurationAudit, AdDnsCleanupAudit
- PublishFromStore SwitchParameter
- Generate HTML from an existing store without executing rules. Requires -StoreDir.
- ReportLanguages ReportLanguage[]
- Report output languages to generate. When omitted, TestimoX generates English output only. Possible values: English, Polish, German, Spanish
- ResumeFromRun string
- Resume from a previously started run identified by this ID. Rules already recorded in that run are skipped.
- RuleConfigPath string
- Optional path to a rules configuration file (overrides RuleConfigPath in the JSON config).
- RunId string
- Optional explicit run identifier. When set, results are grouped under this ID and can be resumed later.
- StoreAcceptStale SwitchParameter
- Allows reuse of entries that are older than the configured TTL.
- StoreComputersTtl TimeSpan
- Overrides the TTL for Computers snapshots. When omitted, TestimoX uses -StoreTtl.
- StoreDir string
- Enables the durable store and points TestimoX at the directory that should hold reusable results.
- StoreMatch MatchPolicy
- Match policy for reuse, typically Config or Strict.
- StorePolicy StoragePolicy
- Durable store policy: Off, Read, Write, or ReadWrite.
- StoreRaw RawPolicy
- Raw payload policy for persisted data: Smart, All, or None.
- StoreTtl TimeSpan
- Default reuse TTL for cached results, for example 7.00:00:00 for seven days.
- StoreUsersTtl TimeSpan
- Overrides the TTL for Users snapshots. When omitted, TestimoX uses -StoreTtl.
- StrictParity SwitchParameter
- When set, selects all rules after filtering, skipping interactive selection.
- Verbosity VerbosityLevel
- Verbosity level for engine output: Quiet, Normal, Detailed, or Debug. Possible values: Quiet, Normal, Detailed, Debug
- View ConsoleView
- Console rendering view: Auto, Standard, or Ansi. Possible values: Auto, Standard, Ansi
Outputs
TestimoX.Definitions.RuleComplete, TestimoX.PowerShell.StoreReportResult