{"id":17491,"date":"2010-08-08T00:01:00","date_gmt":"2010-08-08T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2010\/08\/08\/weekend-scripter-automatically-collecting-process-snapshots\/"},"modified":"2010-08-08T00:01:00","modified_gmt":"2010-08-08T00:01:00","slug":"weekend-scripter-automatically-collecting-process-snapshots","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/weekend-scripter-automatically-collecting-process-snapshots\/","title":{"rendered":"Weekend Scripter: Automatically Collecting Process Snapshots"},"content":{"rendered":"

 \nMicrosoft Scripting Guy Ed Wilson here. It may seem like a “well duh” thing for a Scripting Guy to say, but I love writing scripts. In particular, I love writing Windows PowerShell<\/a> scripts. One problem with sharing everything I write is that people always have a better idea about how to do things. But better can be relative. In my mind, shorter is not always better, especially for scripts. If I am working interactively at the Windows PowerShell console—oh wait, that is next week’s article.\nAnyway, after I wrote yesterday’s Weekend Scripter article<\/a>, I decided to write a script that would automate collecting four process snapshots on a computer after it had rebooted and logged on. I was a little carried away and spent all day on the script. It is actually a fun script to play around with, and the information that it returns is simply fascinating.\nThe first function I create is the Get-ProcessStartUp<\/b> function. After defining the parameters for the function, I create the path that will be used for saving the process information. To create the path, I use the format specifier to substitute values in a string. The $path<\/b> variable goes in the first position and is followed by a backslash and the word Process<\/i>. The $pass<\/b> variable value goes into the second position followed by an underscore. Lastly, the computer name (contained in the $computer<\/b> variable goes into the last position, followed by a period and the letters xml<\/i>. In this manner, the path to the file that will contain the process information (in xml format obviously) is created. (I could have used the Join-Path<\/b> cmdlet to create the path to the file, but because I wanted to use a combination of three different values from three different variables, I decided this approach was best). This line of code is shown here:<\/p>\n

$ppath<\/span> <\/span>=<\/span> <\/span>(<\/span>“{0}Process{1}_{2}.xml” <\/span>-f<\/span> <\/span>$path<\/span>,<\/span>$pass<\/span>,<\/span>$computer<\/span>)<\/span>\nAfter the path has been created, I check to see if there is an old file in the location. If an older file exists, I delete it and write an entry into a custom event log by calling the Add-EventLogEntry<\/b> function. This section of the Get-ProcessStartUp<\/b> function is shown here:<\/p>\n

if<\/span>(<\/span>Test-Path<\/span> <\/span>-Path<\/span> <\/span>$ppath<\/span>)<\/span> 
<\/span>{<\/span>
<\/span>Remove-Item<\/span> <\/span>-Path<\/span> <\/span>$ppath<\/span>
<\/span>Add-EventLogEntry<\/span> <\/span>-source<\/span> <\/span>gpst<\/span> <\/span>-eventType<\/span> <\/span>information<\/span> <\/span>-eventID<\/span> <\/span>4<\/span> <\/span>`<\/span>
<\/span>-message<\/span> “$ppath exists and is being removed” <\/span>-logName<\/span> <\/span>ForScripting<\/span>
<\/span>}<\/span>\nI now use the Get-Process<\/b> cmdlet to retrieve process information from the computer. The System.Diagnostics.Process<\/b> .NET Framework object is passed to the Export-CliXML<\/b> cmdlet with the path we created earlier. The XML file will be used later to “reconstitute” the Process<\/b> object. This behavior is just like saving the result of running the Get-Process<\/b> cmdlet into a variable so that it can be worked with later. The difference is we are saving the process object into an XML file for later use. After the XML file is reconstituted, I can work with it in exactly the same way as if I had stored it in a variable. In this way, they behave like “freeze-dried<\/a> objects.” I pause the script for 60 seconds between passes. If the script has completed the fourth pass, there is no need to pause the script. This portion of the Get-ProcessStartUp<\/b> function is seen here:<\/p>\n

Get-Process<\/span> <\/span>-ComputerName<\/span> <\/span>$computer<\/span>|<\/span> 
<\/span>Export-Clixml<\/span> <\/span>-Path<\/span> <\/span>$ppath<\/span>
<\/span>if<\/span>(<\/span>$pass<\/span> <\/span>-ne<\/span> <\/span>4<\/span>)<\/span>
<\/span>{<\/span>Start-Sleep<\/span> <\/span>-Seconds<\/span> <\/span>60<\/span>}<\/span>
<\/span>}<\/span> <\/span>#<\/span>end<\/span> <\/span>function<\/span> <\/span>Get-ProcessStartUp<\/span>\nThe Add-EventLogEntry<\/b> function is used to create a new EventLog and define a new EventLog source. In reality, I guess I should check to see if the EventLog exists. I should also check to see if the EventLog source exists. If these things exist, I should go ahead and use the EventLog and the EventLog source instead of trying to create new ones. If you are interested in this technique, I have an entire chapter in the Microsoft Press Windows PowerShell Scripting Guide<\/a>.\nBecause it is the weekend, I decided to use a little structured error handling<\/a>, specify the error action preference<\/a> on the New-EventLog<\/b> cmdlet to silentlycontinue<\/b>, and catch the errors that arise. After the new EventLog and EventLog source has been created, the finally<\/b> block writes the entry to the new EventLog. The Add-EventLogEntry<\/b> function is seen here:<\/p>\n

Function<\/span> <\/span>Add-EventLogEntry<\/span>
<\/span>{<\/span>
<\/span>param(<\/span>$source<\/span>,<\/span> <\/span>$eventType<\/span>,<\/span> <\/span>$eventID<\/span>,<\/span> <\/span>$message<\/span>,<\/span> <\/span>$logName<\/span>)<\/span>
<\/span>try<\/span>
<\/span>{<\/span>
<\/span>New-EventLog<\/span> <\/span>-source<\/span> <\/span>$source<\/span> <\/span>-logname<\/span> <\/span>$logName<\/span> <\/span>-EA<\/span> <\/span>silentlyContinue<\/span>
<\/span>}<\/span>
<\/span>Catch{<\/span> <\/span>[System.Exception]<\/span> <\/span>}<\/span>
<\/span>Finally<\/span>
<\/span>{<\/span> 
<\/span>Write-EventLog<\/span> <\/span>-LogName<\/span> <\/span>$logName<\/span> <\/span>-Source<\/span> <\/span>$source<\/span> <\/span>`<\/span>
<\/span>-EntryType<\/span> <\/span>$eventType<\/span> <\/span>`<\/span>
<\/span>-EventId<\/span> <\/span>$eventID<\/span> <\/span>`<\/span>
<\/span>-Message<\/span> <\/span>$message<\/span>
<\/span>}<\/span> <\/span>#<\/span>end<\/span> <\/span>catch<\/span>
<\/span>}<\/span> <\/span>#<\/span>end<\/span> <\/span>function<\/span> <\/span>add-eventlogEntry<\/span>\nThe ForScripting<\/b> event log that is created is shown in the following image.\n\"Image\nTo create a new EventLog or to retrieve process information from certain protected system processes requires that the script runs with administrator rights. This is one of the things I kept forgetting to do when I was writing the Get-ProcessStartUpTimes.ps1 script. I decided to copy the Test-IsAdministrator<\/strong> function from my MonitorDiskFormatDrive.ps1<\/a> script that I wrote about in Hey, Scripting Guy! Can I Format a Portable Drive When It Is Inserted Into a Computer?<\/a> (a way cool article by the way). Anyway, the whole idea of the Test-IsAdministrator<\/strong> function is to tell you if you are running with admin rights. If you are, it returns True; otherwise, it returns false. The complete function is shown here. If you want to know more about it, refer to the previously mentioned Hey, Scripting Guy! Blog post. <\/p>\n

function<\/span> <\/span>Test-IsAdministrator<\/span>
<\/span>{<\/span>
<\/span><<\/span>#<\/span>
<\/span>.Synopsis<\/span>
<\/span>Tests<\/span> <\/span>if<\/span> <\/span>the<\/span> <\/span>user<\/span> <\/span>is<\/span> <\/span>an<\/span> <\/span>administrator<\/span>
<\/span>.Description<\/span>
<\/span>Returns<\/span> <\/span>true<\/span> <\/span>if<\/span> <\/span>a<\/span> <\/span>user<\/span> <\/span>is<\/span> <\/span>an<\/span> <\/span>administrator,<\/span> <\/span>false<\/span> <\/span>if<\/span> <\/span>the<\/span> <\/span>user<\/span> 
<\/span>is<\/span> <\/span>not<\/span> <\/span>an<\/span> <\/span>administrator<\/span>
<\/span>.Example<\/span>
<\/span>Test-IsAdministrator<\/span>
<\/span>.Notes<\/span>
<\/span>NAME:<\/span> <\/span>Test-IsAdministrator<\/span>
<\/span>AUTHOR:<\/span> <\/span>Ed<\/span> <\/span>Wilson<\/span>
<\/span>LASTEDIT:<\/span> <\/span>5<\/span>\/<\/span>20<\/span>\/<\/span>2009<\/span>
<\/span>KEYWORDS:<\/span>
<\/span>.Link<\/span>
<\/span>Http:\/\/www.ScriptingGuys.com<\/span>
<\/span>#<\/span>Requires<\/span> <\/span>-Version<\/span> <\/span>2<\/span>.<\/span>0<\/span>
<\/span>#<\/span>><\/span>
<\/span>param()<\/span> 
<\/span>$currentUser<\/span> <\/span>=<\/span> <\/span>[Security.Principal.WindowsIdentity]::GetCurrent()<\/span>
<\/span>(<\/span>New-Object<\/span> <\/span>Security.Principal.WindowsPrincipal<\/span> <\/span>$currentUser<\/span>).IsInRole(`<\/span>
<\/span>[Security.Principal.WindowsBuiltinRole]::Administrator)<\/span>
<\/span>}<\/span> <\/span>#<\/span>end<\/span> <\/span>function<\/span> <\/span>Test-IsAdministrator<\/span>\nThe entry point to the script first calls the Test-IsAdministrator<\/b> function. If the function returns true, the script calls the Add-EventLogEntry<\/b> function and writes an event that the script is starting. This is shown here:<\/p>\n

If<\/span>(<\/span>-not<\/span> <\/span>(Test-IsAdministrator))<\/span> 
<\/span>{<\/span> “Admin rights are required for this script” <\/span>;<\/span> <\/span>exit<\/span> <\/span>}<\/span>
<\/span>Add-EventLogEntry<\/span> <\/span>-source<\/span> <\/span>gpst<\/span> <\/span>-eventType<\/span> <\/span>information<\/span> <\/span>-eventID<\/span> <\/span>1<\/span> <\/span>`<\/span>
<\/span>-message<\/span> “beginning $($MyInvocation.InvocationName) at $(get-date)” <\/span>`<\/span>
<\/span>-logName<\/span> <\/span>ForScripting<\/span>\nThe script then makes four passes. On each pass, it writes a new EventLog entry with the pass number and current time. Next, it calls the Get-ProcessStartup<\/b> function and passes the path, pass number, and computer name. The pass number comes from the pipeline<\/a>. The path is a hard-coded UNC path on my network. You should modify it to fit your needs. Because the script is running locally, I pick up the computer name from the environment variables. When the pass is completed, another EventLog entry is added that states the script completed and adds the date to the entry. By the way, eventID 1 is starting the script. EventID 2 is starting the pass, and eventID 3 is completing the script. You can make up your own event ID numbers if you do not like mine. Here is this portion of the script:<\/p>\n

1<\/span>..<\/span>4<\/span> <\/span>|<\/span> <\/span>ForEach-Object<\/span> <\/span>{<\/span>
<\/span>Add-EventLogEntry<\/span> <\/span>-source<\/span> <\/span>gpst<\/span> <\/span>-eventType<\/span> <\/span>information<\/span> <\/span>-eventID<\/span> <\/span>2<\/span> <\/span>`<\/span>
<\/span>-message<\/span> “Starting pass $_ at $(get-date)” <\/span>-logName<\/span> <\/span>ForScripting<\/span>
<\/span>Get-ProcessStartup<\/span> <\/span>-path<\/span> “\\hyperv-boxshared” <\/span>-pass<\/span> <\/span>$_<\/span> <\/span>-computer<\/span> <\/span>(<\/span>$env<\/span>:COMPUTERNAME)<\/span> 
<\/span>}<\/span> <\/span>#<\/span>end<\/span> <\/span>foreach-object<\/span>
<\/span>Add-EventLogEntry<\/span> <\/span>-source<\/span> <\/span>gpst<\/span> <\/span>-eventType<\/span> <\/span>information<\/span> <\/span>-eventID<\/span> <\/span>3<\/span> <\/span>`<\/span>
<\/span>-message<\/span> “Completed $($MyInvocation.InvocationName) at $(get-date)” <\/span>`<\/span>
<\/span>-logName<\/span> <\/span>ForScripting<\/span>\nThe complete Get-ProcessStartUpTimes.ps1 script is shown here. <\/p>\n

Get-ProcessStartUpTimes.ps1<\/strong><\/p>\n

Function<\/span> <\/span>Get-ProcessStartUp<\/span> 
<\/span>{<\/span>
<\/span>Param(<\/span> 
<\/span>$path<\/span>,<\/span>
<\/span>$pass<\/span>,<\/span>
<\/span>$computer<\/span>
<\/span>)<\/span>
<\/span>$ppath<\/span> <\/span>=<\/span> <\/span>(<\/span>“{0}Process{1}_{2}.xml” <\/span>-f<\/span> <\/span>$path<\/span>,<\/span>$pass<\/span>,<\/span>$computer<\/span>)<\/span>
<\/span>if<\/span>(<\/span>Test-Path<\/span> <\/span>-Path<\/span> <\/span>$ppath<\/span>)<\/span> 
<\/span>{<\/span>
<\/span>Remove-Item<\/span> <\/span>-Path<\/span> <\/span>$ppath<\/span>
<\/span>Add-EventLogEntry<\/span> <\/span>-source<\/span> <\/span>gpst<\/span> <\/span>-eventType<\/span> <\/span>information<\/span> <\/span>-eventID<\/span> <\/span>4<\/span> <\/span>`<\/span>
<\/span>-message<\/span> “$ppath exists and is being removed” <\/span>-logName<\/span> <\/span>ForScripting<\/span>
<\/span>}<\/span>
<\/span>Get-Process<\/span> <\/span>-ComputerName<\/span> <\/span>$computer<\/span>|<\/span> 
<\/span>Export-Clixml<\/span> <\/span>-Path<\/span> <\/span>$ppath<\/span>
<\/span>if<\/span>(<\/span>$pass<\/span> <\/span>-ne<\/span> <\/span>4<\/span>)<\/span>
<\/span>{<\/span>Start-Sleep<\/span> <\/span>-Seconds<\/span> <\/span>60<\/span>}<\/span>
<\/span>}<\/span> <\/span>#<\/span>end<\/span> <\/span>function<\/span> <\/span>Get-ProcessStartUp<\/span>
<\/span>Function<\/span> <\/span>Add-EventLogEntry<\/span>
<\/span>{<\/span>
<\/span>param(<\/span>$source<\/span>,<\/span> <\/span>$eventType<\/span>,<\/span> <\/span>$eventID<\/span>,<\/span> <\/span>$message<\/span>,<\/span> <\/span>$logName<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

  Microsoft Scripting Guy Ed Wilson here. It may seem like a “well duh” thing for a Scripting Guy to say, but I love writing scripts. In particular, I love writing Windows PowerShell scripts. One problem with sharing everything I write is that people always have a better idea about how to do things. But […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[31,87,3,61,45],"class_list":["post-17491","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-operating-system","tag-processes","tag-scripting-guy","tag-weekend-scripter","tag-windows-powershell"],"acf":[],"blog_post_summary":"

  Microsoft Scripting Guy Ed Wilson here. It may seem like a “well duh” thing for a Scripting Guy to say, but I love writing scripts. In particular, I love writing Windows PowerShell scripts. One problem with sharing everything I write is that people always have a better idea about how to do things. But […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/17491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=17491"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/17491\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=17491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=17491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=17491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}