@mattmcnabb
Last active September 15, 2015 17:30
Find Services Running in Service Host Processes
function Get-SvcHost
{
    <#
    .SYNOPSIS
        Returns information about the services running under each instance of the service host process.
    .DESCRIPTION
        Returns information about the services running under each instance of the service host process (svchost.exe) on local or remote computers.
        Uses WMI as the source of this information.
    .PARAMETER ComputerName
        Specifies a remote computer to gather information about. Can be a fully-qualified domain name, NetBIOS name, or an IP address.
    .PARAMETER Credential
        Specifies a user account that has permission to gather WMI information from the remote computer. The default is the current user.
        Type a user name, such as "User01", "Domain01\User01", or User@Contoso.com. Or, enter a PSCredential object, such as an object that
        is returned by the Get-Credential cmdlet. When you type a user name, you are prompted for a password.
    .EXAMPLE
        Get-SvcHost
        Return services running under the service host process on the local computer.
    .EXAMPLE
        Get-SvcHost -ComputerName Server1
        Return services running under the service host process on a remote computer using the current user's authorization.
    .EXAMPLE
        Get-SvcHost -ComputerName Server1 -Credential Domain01\User01
        Return services running under the service host process on a remote computer with an alternate user account.
    .NOTES
        Initial idea taken from Powershell.com's PowerTip for 9/15/2015:
        http://powershell.com/cs/blogs/tips/archive/2015/09/15/analyzing-svchost-processes.aspx
        DISCLAIMER: This script is provided 'AS IS'. It has been tested for personal use, please
        test in a lab environment before using in a production environment.
    #>
    #requires -version 3.0
    [CmdletBinding(DefaultParameterSetName = 'Local')]
    param
    (
        # Use a single Parameter attribute per parameter. A second attribute without
        # a set name would also place the parameter in every parameter set, so the
        # 'Remote' set could not be selected unambiguously.
        [Parameter(ParameterSetName = 'Remote', Mandatory = $true)]
        [string]
        $ComputerName,

        [Parameter(ParameterSetName = 'Remote')]
        [System.Management.Automation.CredentialAttribute()]
        $Credential
    )

    # Common parameters for every WMI query; 'Stop' turns WMI failures into catchable errors.
    $WmiSplat = @{ ErrorAction = 'Stop' }
    if ($PSCmdlet.ParameterSetName -eq 'Remote')
    {
        Write-Verbose -Message "Running against [$ComputerName]"
        $WmiSplat.Add('ComputerName', $ComputerName)
        if ($Credential)
        {
            Write-Verbose -Message "Using credential [$($Credential.Username)]"
            $WmiSplat.Add('Credential', $Credential)
        }
    }
    else { Write-Verbose -Message 'Running against [localhost]' }

    # Calculated properties: each one looks up the current svchost PID in a
    # hashtable keyed by process ID (as a string).
    $Service = @{
        Name       = 'Service'
        Expression = { $ServiceList.$($_.ProcessID).Name -join ', ' }
    }
    $CpuTime = @{
        Name       = 'CPU'
        Expression = { [string] ($PerfData.$($_.ProcessID).PercentProcessorTime) }
    }
    $WS = @{
        Name       = 'WS'
        Expression = { '{0:N2}' -f ($PerfData.$($_.ProcessID).WorkingSet / 1MB) }
    }

    try
    {
        Write-Verbose -Message 'Gathering service information...'
        # Services grouped by the PID of the process that hosts them.
        $ServiceList = Get-WmiObject -Class Win32_Service @WmiSplat |
            Group-Object -Property ProcessID -AsString -AsHashTable

        Write-Verbose -Message 'Gathering performance information...'
        # Performance counters for svchost instances, keyed by PID.
        $PerfData = Get-WmiObject -Class Win32_PerfFormattedData_PerfProc_Process -Filter "Name LIKE 'svchost%'" @WmiSplat |
            Group-Object -Property IDProcess -AsString -AsHashTable

        # One output row per svchost.exe process: PID, CPU, working set (MB), hosted services.
        Get-WmiObject -Class Win32_Process -Filter "Name = 'svchost.exe'" @WmiSplat |
            Select-Object -Property ProcessID, $CpuTime, $WS, $Service
    }
    catch
    {
        # Report the failure on the error stream instead of emitting the
        # error record as ordinary pipeline output.
        Write-Error -ErrorRecord $_
    }
}