To monitor for any process startup, I can use the WMI class Win32_ProcessStartTrace. When the event fires, the class provides information about the process ID, the parent process ID, the process name, the session ID, and even the SID for the user context that generates the event. This information becomes available after I retrieve the generated event. For more information, see MSDN: Win32_ProcessStartTrace class<\/a>.<\/p>\n Note <\/b> This procedure requires admin rights. To start an elevated Windows PowerShell console, right-click the Windows PowerShell console icon and select Run as Administrator<\/b> from the action menu.<\/p>\n The first thing I need to do is to register to receive events. To do this, I use the Register-CimIndicationEvent<\/b> cmdlet. When I do, I want to specify the WMI class to monitor and a name that I can use to track the generated event subscription. Here is the command I use:<\/p>\n Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace -SourceIdentifier "ProcessStarted"<\/p>\n When I run the command, nothing returns. But I can use the Get-EventSubscriber<\/b> cmdlet to verify that something actually happened (such as creating a new event subscription). Here is the command and its associated output:<\/p>\n PS C:\\> Get-EventSubscriber<\/p>\n SubscriptionId : 7<\/p>\n SourceObject : Microsoft.Management.Infrastructure.CimCmdlets.CimIndicationWatcher<\/p>\n EventName : CimIndicationArrived<\/p>\n SourceIdentifier : ProcessStarted<\/p>\n Action :<\/p>\n HandlerDelegate :<\/p>\n SupportEvent : False<\/p>\n ForwardEvent : False<\/p>\n I have not deliberately started any processes yet (like Calculator or Notepad), but when I use the Get-Event <\/b>cmdlet, I see that the operating system generated a bunch of processes anyway. So there are already new processes starting up. The command with no parameters is shown here:<\/p>\n Get-Event<\/p>\n Here is what the output looks like at this point:<\/p>\n There is one property that I can basically understand and that is the TimeGenerated<\/b> property. Everything else is wrapped up in other objects. One thing I can do is take advantage of the ability of Windows PowerShell to do what I call “the automatic foreach.” That is, I can select a specific property from a collection of objects, and Windows PowerShell will display that object. Here, I choose the SourceEventArgs<\/b> property:<\/p>\n PS C:\\> (Get-Event).sourceeventargs<\/p>\n NewEvent MachineId Bookmark Context<\/p>\n ——– ——— ——– ——-<\/p>\n Win32_ProcessStartT…<\/p>\n Win32_ProcessStartT…<\/p>\n Win32_ProcessStartT…<\/p>\n Win32_ProcessStartT…<\/p>\n Win32_ProcessStartT…<\/p>\n <output truncated><\/p>\n Notice that each NewEvent<\/b> says that it is an instance of Win32_ProcessStartTrace. Remember the MSDN document I mentioned earlier? This is where that comes into play. I can now cherry pick which of the properties of Win32_ProcessStartTrace I want to see. First, I look at the NewEvent<\/b> property that contains instances of Win32_ProcessStartTrace. Here is the result:<\/p>\n PS C:\\> (Get-Event).sourceeventargs.newevent<\/p>\n SECURITY_DESCRIPTOR :<\/p>\n TIME_CREATED : 130552887343479772<\/p>\n ParentProcessID : 4512<\/p>\n ProcessID : 9304<\/p>\n ProcessName : SearchProtocolHost.exe<\/p>\n SessionID : 1<\/p>\n Sid : {1, 1, 0, 0…}<\/p>\n PSComputerName :<\/p>\n SECURITY_DESCRIPTOR :<\/p>\n TIME_CREATED : 130552887343479773<\/p>\n ParentProcessID : 4512<\/p>\n ProcessID : 3540<\/p>\n ProcessName : SearchFilterHost.exe<\/p>\n SessionID : 0<\/p>\n Sid : {1, 1, 0, 0…}<\/p>\n PSComputerName :<\/p>\n <output truncated><\/p>\n Yep. That is what I thought would be there. So now let me get a list for only the ProcessName<\/b> property to see what is actually starting up:<\/p>\n Cool. But when are these events happening? If I look at the Time_Created<\/b> property, all I get is a bunch of numbers. When I look at MSDN, it simply says it is a string that represents time created—not exactly the most helpful Help in the world. Here is the output:<\/p>\n PS C:\\> (Get-Event).sourceeventargs.newevent.Time_Created<\/p>\n 130552887343479772<\/p>\n 130552887343479773<\/p>\n 130552887430300826<\/p>\n 130552889482027640<\/p>\n 130552889482027641<\/p>\n <output truncated><\/p>\n So, I decide to try one of my favorite tricks to translate this. I use the [System.Management.ManagementDateTimeConverter] class. But no matter what I try, I get error messages. Here are some efforts that didn’t work:<\/p>\n [System.Management.ManagementDateTimeConverter]::ToDmtfdatetime(130552788310990332)<\/p>\n [System.Management.ManagementDateTimeConverter]::Totimespan(130552788310990332)<\/p>\n [System.Management.ManagementDateTimeConverter]::Todatetime(130552788310990332)<\/p>\n No, I don’t give up—not with Windows PowerShell. There is always a way to do what I need to do when using Windows PowerShell. I decide to pull out another one of my favorite tricks: the custom property with Select-Object<\/b>. Remember that earlier when I was looking at the output from Get-Event<\/b>, I saw the TimeGenerated<\/b> property.<\/p>\n This property comes from Get-Event<\/b> and is logged when the event generates. It does not come from WMI, so it is a proper DateTime<\/b> object. I need to pick the property from this value and then get the process name from the object held in the NewEvent<\/b> property. Here is the command I decided to use (this is a one-line command that I broke into two lines for readability online):<\/p>\n Get-Event |<\/p>\n select timegenerated, @{L='e'; E = {$_.sourceeventargs.newevent.processname}}<\/p>\n The output from this command is shown here:<\/p>\n Now I need to do a little bit of cleanup. First, I remove all of the events. To do this, I use Get-Event<\/b> and pipe the output to Remove-Event<\/b>. I next confirm that this worked by using Get-Event<\/b>:<\/p>\n get-event | Remove-Event<\/p>\n get-event<\/p>\n Second, I need to unregister the event subscribers. To do this, I use Get-EventSubscriber<\/b> and pipe the output to Unregister-Event<\/b>. Once again, I call the prior command to confirm. Here are the two lines of script:<\/p>\n Get-EventSubscriber | Unregister-Event<\/p>\n Get-EventSubscriber<\/p>\n That is all there is to using Register-CimIndicationEvent<\/b> to monitor for process startup. I will continue talking about processes tomorrow when I will talk about more groovy things.<\/p>\n I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n Ed Wilson, Microsoft Scripting Guy<\/b> <\/p>\n","protected":false},"excerpt":{"rendered":" Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to monitor for process startup. Microsoft Scripting Guy, Ed Wilson, is here. This morning, I spent a decent amount of time answering an email from a former colleague. I will actually share his email and my reply this coming weekend. In the meantime, I […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[42,31,87,3,4,45,6],"class_list":["post-669","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-events-and-monitoring","tag-operating-system","tag-processes","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell","tag-wmi"],"acf":[],"blog_post_summary":" Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to monitor for process startup. Microsoft Scripting Guy, Ed Wilson, is here. This morning, I spent a decent amount of time answering an email from a former colleague. I will actually share his email and my reply this coming weekend. In the meantime, I […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=669"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/669\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Register for the event<\/h2>\n
Hey, is anything happening?<\/h2>\n
![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-9-17-14-01.png\" "\\"Image")
<\/a><\/p>\n![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-9-17-14-02.png\" "\\"Image")
<\/a><\/p>\nSo basically, I give up?<\/h2>\n
![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-9-17-14-03.png\" "\\"Image")
<\/a><\/p>\nCleanup work<\/h2>\n