Sunday, April 24, 2011

The 2011 Scripting Games Advanced Event 4: Use PowerShell to Investigate the SvcHost Process

The 2011 Scripting Games Advanced Event 4: Use PowerShell to Investigate the SvcHost Process

My personal script:
http://2011sg.poshcode.org/1268


#
#
# 2011 Scripting Games Advanced Event 4: Use PowerShell to Investigate the SvcHost Process
#
# by F.Richard 2011-04
#
#

#Requires -Version 2.0

Param(
    # Host to query over WMI; defaults to this machine. Accepts pipeline input
    # (by value or by a "computername" property) so hosts can be piped in.
    [Parameter(Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
    [ValidateNotNullOrEmpty()]
    [String] $computername = $Env:COMPUTERNAME,

    # Image name of the process to investigate, compared against Win32_Process.Name.
    [Parameter(Position = 1)]
    [ValidateNotNullOrEmpty()]
    [String] $processname = "svchost.exe",

    # Path of the text report; relative paths resolve against the current
    # location, and the main program overwrites the file at the start of each run.
    [Parameter(Position = 2)]
    [ValidateNotNullOrEmpty()]
    [String] $ReportFile = "report.txt"
)


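Function Get-ProcService {
<#
.SYNOPSIS
Get a process and the services hosted inside it
.DESCRIPTION
Queries Win32_Process for every process whose Name equals -processname
(-eq is case-insensitive) and Win32_Service for the services the Service
Control Manager reports as running inside one of those processes.
The process/service join is done on ProcessId only: the earlier
substring test on Win32_Service.PathName was case-sensitive and threw
"You cannot call a method on a null-valued expression" for services
with no PathName, and ProcessId is the key that was already required
for a match.
Each returned object carries ProcessId, PrivatePageCount (KB),
PageFaults, CommandLine and an objService array of
StartMode/State/ServiceName/ServicePathName objects.
CommandLine is the live Win32_Process.CommandLine when WMI returns it;
on XP that property is empty, so it falls back to the registered
PathName of the first hosted service. ServicePathName keeps the
SCM-registered image path on every child so it can be compared with
the command line the process is actually running with.
.PARAMETER computername
computer name ex: mycomputer default:localhost
.PARAMETER processname
process name ex: myprocess.exe default:svchost.exe
.EXAMPLE
Get-ProcService
Investigate the SvcHost.exe Process
.EXAMPLE
Get-ProcService -processname myprocess.exe
Investigate the myprocess.exe Process
.OUTPUTS
Array of PSObject, one per matching process (empty array when none match)
#>
Param(
[Parameter(Mandatory = $false, Position = 0, ValueFromPipeLine = $true, ValueFromPipelineByPropertyName = $true)]
[ValidateNotNullOrEmpty()]
[String] $computername = $Env:COMPUTERNAME,

[Parameter(Mandatory = $false, Position = 1)]
[ValidateNotNullOrEmpty()]
[String] $processname = "svchost.exe"
)
    # Processes named $processname. The @( ) wrap matters on PowerShell 2.0,
    # where "foreach ($x in $null)" runs the body once with $x = $null.
    $objProcesses = @(Get-WmiObject -ComputerName $computername -Class Win32_Process |
        Where-Object { $_.Name -eq $processname })

    # Running services only. A stopped service reports ProcessId 0, which
    # would otherwise be joined to the PID-0 "System Idle Process".
    $objServices = @(Get-WmiObject -ComputerName $computername -Class Win32_Service |
        Where-Object { $_.ProcessId -ne 0 })

    [Array] $arrObj = @( )
    Foreach ($objProcess in $objProcesses) {
        $processid = $objProcess.ProcessId

        # Services the SCM reports as hosted in this process
        [Array] $arrObjChild = @( )
        Foreach ($objService in $objServices) {
            if ($objService.ProcessId -ne $processid) { continue }
            $objChild = New-Object PSObject
            $objChild | Add-Member -MemberType NoteProperty -Name "StartMode" -Value $objService.StartMode
            $objChild | Add-Member -MemberType NoteProperty -Name "State" -Value $objService.State
            $objChild | Add-Member -MemberType NoteProperty -Name "ServiceName" -Value $objService.Name
            # Image path registered with the SCM, kept separately from the live
            # command line so the two can be compared.
            $objChild | Add-Member -MemberType NoteProperty -Name "ServicePathName" -Value $objService.PathName
            $arrObjChild += $objChild
        }

        # Win32_Process.CommandLine is only populated on W2K8, not XP; fall back
        # to the first hosted service's registered path so the column is not blank.
        $commandLine = $objProcess.CommandLine
        if ((-not $commandLine) -and ($arrObjChild.Count -gt 0)) {
            $commandLine = $arrObjChild[0].ServicePathName
        }

        $objParent = New-Object PSObject
        $objParent | Add-Member -MemberType NoteProperty -Name "ProcessId" -Value $processid
        # PageFileUsage = PrivatePageCount / 1024 only in W2K8, not in XP
        # (= Memory Commit Size in Task Manager)
        $objParent | Add-Member -MemberType NoteProperty -Name "PrivatePageCount" -Value ($objProcess.PrivatePageCount/1KB)
        $objParent | Add-Member -MemberType NoteProperty -Name "PageFaults" -Value $objProcess.PageFaults
        $objParent | Add-Member -MemberType NoteProperty -Name "CommandLine" -Value $commandLine
        $objParent | Add-Member -MemberType NoteProperty -Name "objService" -Value $arrObjChild
        $arrObj += $objParent
    }
    return $arrObj
}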


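# Main Program

# Collect every $processname instance and the services it hosts. The @( )
# wrap turns a $null result into an empty array so .Count is 0, not blank.
[Array] $arrObj = @( )
$arrObj = @(Get-ProcService -computername $computername -processname $processname)

# Out-File renders Format-Table output at 80 columns by default, which
# truncates the CommandLine column in the written report; use a wide line.
$reportWidth = 512

# Display the information on the console and write the same text to $ReportFile
# (the first Out-File has no -Append, so a previous report is overwritten).
$report = "There are " + ($arrObj.Count) + " instances of " + $processname + " running"
$report
$report | Out-File -FilePath $ReportFile -Width $reportWidth

# One row per hosted service, keyed by the hosting ProcessId
$report = $arrObj |
    Select-Object ProcessId -ExpandProperty objService |
    Select-Object ProcessId, StartMode, State, ServiceName |
    Sort-Object ProcessId |
    Format-Table -AutoSize
$report
$report | Out-File -FilePath $ReportFile -Width $reportWidth -Append

# One row per process with its memory counters and command line
$report = $arrObj |
    Select-Object ProcessId, PrivatePageCount, PageFaults, CommandLine |
    Sort-Object ProcessId |
    Format-Table -AutoSize
$report
$report | Out-File -FilePath $ReportFile -Width $reportWidth -Append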
