Find Services Running in Service Host Processes
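function Get-SvcHost
{
    <#
    .SYNOPSIS
    Lists every svchost.exe process together with the services it hosts and its CPU / working-set figures.
    .DESCRIPTION
    Queries Win32_Process (the svchost.exe instances), Win32_Service (which service lives in which PID) and
    Win32_PerfFormattedData_PerfProc_Process (CPU percentage and working set) over WMI on the local or a
    remote computer, and joins them on the process ID. One object per svchost.exe is emitted with the
    properties ProcessID, CPU, WS (working set in MB) and Service (comma-separated service names).

    Remote queries use Get-WmiObject, i.e. DCOM/RPC, not WinRM; the remote host must allow that and the
    caller needs WMI read access (typically local Administrators, or an account granted WMI namespace rights).
    .PARAMETER ComputerName
    A remote computer to query. Can be a fully-qualified domain name, NetBIOS name, or an IP address.
    When omitted the local computer is queried.
    .PARAMETER Credential
    A user account with permission to read WMI on the remote computer. Defaults to the current user.
    Type a user name, such as "User01", "Domain01\User01", or User@Contoso.com, or pass a PSCredential
    object such as one returned by Get-Credential. A bare user name prompts for the password.
    Only meaningful together with -ComputerName: WMI refuses explicit credentials for local connections,
    so the function rejects that combination up front instead of silently ignoring the credential.
    .EXAMPLE
    Get-SvcHost
    Return the svchost.exe processes on the local computer.
    .EXAMPLE
    Get-SvcHost -ComputerName Server1
    Return the svchost.exe processes on a remote computer using the current user's authorization.
    .EXAMPLE
    Get-SvcHost -ComputerName Server1 -Credential Domain01\User01
    Return the svchost.exe processes on a remote computer with an alternate user account.
    .OUTPUTS
    Selected.System.Management.ManagementObject with ProcessID, CPU, WS and Service properties.
    .NOTES
    Initial idea taken from Powershell.com's PowerTip for 9/15/2015:
    http://powershell.com/cs/blogs/tips/archive/2015/09/15/analyzing-svchost-processes.aspx

    Review notes:
    - The original tested $PSCmdlet.ParameterSetName -eq 'Remote', but both parameters carried a second
      [Parameter()] attribute with no set name, which also places them in every parameter set. That can make
      binding fall back to the default 'Local' set even when -ComputerName is supplied, so the remote query
      would silently run against localhost. The remote branch now keys off the bound arguments instead.
    - Errors are surfaced with Write-Error rather than written to the output stream as plain objects, so
      -ErrorAction and $Error behave as callers expect and a failure cannot be mistaken for a result row.
    - An svchost.exe with an empty Service column is not necessarily malicious (the process may have
      started or exited between the queries, or services may have no WMI entry), but it is worth a closer
      look since svchost.exe is a common name for process masquerading.
    - Get-WmiObject is the legacy WMI cmdlet; Get-CimInstance (WinRM) is the modern equivalent, but
      switching would change the transport and the credential semantics, so it is deliberately kept.

    DISCLAIMER: This script is provided 'AS IS'. It has been tested for personal use, please
    test in a lab environment before using in a production environment.
    #>
    # NOTE: '#requires' is only honoured at the top of a script file; inside a function body it is a
    # comment. Kept to document the intended minimum (PSCredential attribute, $PSBoundParameters use).
    #requires -version 3.0
    [CmdletBinding(DefaultParameterSetName = 'Local')]
    param
    (
        # Single [Parameter] attribute per parameter so membership is the 'Remote' set only.
        [Parameter(ParameterSetName = 'Remote')]
        [string]
        $ComputerName,

        [Parameter(ParameterSetName = 'Remote')]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.CredentialAttribute()]
        $Credential
    )

    # Decide local vs. remote from what was actually bound, not from the resolved parameter set.
    $IsRemote = -not [string]::IsNullOrWhiteSpace($ComputerName)

    if ($PSBoundParameters.ContainsKey('Credential') -and -not $IsRemote)
    {
        # Get-WmiObject rejects -Credential without -ComputerName; fail loudly instead of dropping it.
        throw 'The -Credential parameter requires -ComputerName; WMI does not accept explicit credentials for local queries.'
    }

    # Common arguments for every WMI query. ErrorAction Stop turns WMI failures (access denied,
    # RPC server unavailable, bad credentials) into terminating errors caught by the try/catch below.
    $WmiSplat = @{ ErrorAction = 'Stop' }

    if ($IsRemote)
    {
        Write-Verbose -Message "Running against [$ComputerName]"
        $WmiSplat['ComputerName'] = $ComputerName

        if ($Credential)
        {
            # Only the user name is logged; the password stays inside the PSCredential.
            Write-Verbose -Message "Using credential [$($Credential.UserName)]"
            $WmiSplat['Credential'] = $Credential
        }
    }
    else
    {
        Write-Verbose -Message 'Running against [localhost]'
    }

    # Calculated properties. The script blocks run later inside Select-Object, so they see the
    # $ServiceList / $PerfData hashtables populated below. Both tables are keyed by PID as a string
    # (Group-Object -AsString), which is what the dynamic member access $table.$($_.ProcessID) uses.
    $Service = @{
        Name       = 'Service'
        Expression = { $ServiceList.$($_.ProcessID).Name -join ', ' }
    }
    $CpuTime = @{
        Name       = 'CPU'
        Expression = { [string] ($PerfData.$($_.ProcessID).PercentProcessorTime) }
    }
    $WS = @{
        Name       = 'WS'
        # Working set in MB, two decimals. A PID missing from $PerfData (process gone between
        # queries) yields 0.00 rather than an error.
        Expression = { '{0:N2}' -f ($PerfData.$($_.ProcessID).WorkingSet / 1MB) }
    }

    try
    {
        Write-Verbose -Message 'Gathering service information...'
        $ServiceList = Get-WmiObject -Class Win32_Service @WmiSplat |
            Group-Object -Property ProcessID -AsString -AsHashTable

        Write-Verbose -Message 'Gathering performance information...'
        # Perf counter instances are named 'svchost', 'svchost#1', ... hence the LIKE prefix match;
        # IDProcess carries the PID for the join.
        $PerfData = Get-WmiObject -Class Win32_PerfFormattedData_PerfProc_Process -Filter "Name LIKE 'svchost%'" @WmiSplat |
            Group-Object -Property IDProcess -AsString -AsHashTable

        Get-WmiObject -Class Win32_Process -Filter "Name = 'svchost.exe'" @WmiSplat |
            Select-Object -Property ProcessID, $CpuTime, $WS, $Service
    }
    catch
    {
        # Report on the error stream (non-terminating by default) so the caller's -ErrorAction applies
        # and the error record is never confused with a result object.
        Write-Error -ErrorRecord $_
    }
}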