{"id":663,"date":"2014-09-18T00:01:00","date_gmt":"2014-09-18T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2014\/09\/18\/use-powershell-to-monitor-specific-process-creation\/"},"modified":"2022-06-21T14:25:58","modified_gmt":"2022-06-21T21:25:58","slug":"use-powershell-to-monitor-specific-process-creation","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-monitor-specific-process-creation\/","title":{"rendered":"Use PowerShell to Monitor Specific Process Creation"},"content":{"rendered":"

Summary<\/b>: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to monitor for the creation of specific processes.<\/span><\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. This morning it is beginning to look like autumn. Who knows, it may become really hot and humid over the weekend, but today I can delude myself into hearing the rustling of leaves, imagine cool breezes blowing across the yard, and think of squirrels as they quickly gather supplies for a long winter.<\/p>\n

All of these things are really quite simple, routine, and ordinary. And yet they demand a certain amount of preparation. If I don\u2019t clean the leaf troughs in the early autumn, winter rains and subsequent freezing could spell disaster for the roof. If I don\u2019t roll up hoses and bring them into the garage, pipes could freeze. If the squirrels don\u2019t gather enough supplies for a long winter, they will be out scampering in the snow and risk untoward dangers.<\/p>\n

And so it is with our computer systems\u2014they demand monitoring, planning, and preparation for contingencies.<\/p>\n

In yesterday\u2019s post, Use PowerShell to Monitor for Process Startup<\/a>, I talked about using the Register-CimIndicationEvent<\/strong> cmdlet to monitor for process startup. It worked well\u2014maybe a bit too well because it triggers an event for every new process that starts. And in a modern operating system like Windows\u00a08.1, there are all kinds of processes that start and stop all the time.<\/p>\n

Today I want to use a query to modify the behavior of Register-CimIndicationEvent<\/strong>. To do this, I will use the Windows Management Instrumentation Query Language (WQL). Don\u2019t worry. Because I am using the Win32_ProcessStartTrace WMI class, this will be really easy.<\/p>\n

\n Note<\/b>\u00a0 For more information about WMI event monitoring, see An Insider\u2019s Guide to Using WMI Events and PowerShell<\/a>. <\/i><\/b>\n<\/p>\n

Here are the steps I will take to permit me to monitor for the startup of a specific process:<\/p>\n

    \n
  1. Open the Windows PowerShell console with elevated rights.<\/li>\n
  2. Create a query that uses WQL syntax.<\/li>\n
  3. Register to receive events by using the Register-CimIndicationEvent<\/strong> cmdlet and supplying the query.<\/li>\n
  4. Use Get-Event<\/strong> to receive the events.<\/li>\n<\/ol>\n

    In addition, I will use the Get-EventSubscriber<\/strong> cmdlet to verify that the event was created properly, and I will use Remove-Event<\/strong> and Unregister-Event<\/strong> to perform cleanup.<\/p>\n

    Create the query<\/h2>\n

    I first create the query. It looks pretty much like a SQL query. I select everything from the win32_ProcessStartTrace WMI class, and I limit the results to processes that are named Notepad.exe.<\/p>\n

    \n Note\u00a0<\/b> When I use Get-Process<\/b> it tells me the ProcessName<\/b> property is equal to notepad. But WMI expects the ProcessName<\/b> property to be equal to notepad.exe. Keep in mind, no error generates if I use notepad, but I will not receive any events either.\n<\/p>\n

    I store my query string in a variable that I call $nq<\/strong> (for notepad query). Here is the query:<\/p>\n

    \n $nq = “Select * from win32_ProcessStartTrace where processname = ‘notepad.exe'”\n<\/p>\n

    Register to receive events<\/h2>\n

    Now I use the Register-CimIndicationEvent<\/strong> cmdlet to register to receive the events I defined in my query. I also specify a SourceIdentifier<\/strong> that I call nq<\/strong>. This makes it easy to receive only events generated by my specific notepad query. Here is the command:<\/p>\n

    \n Register-CimIndicationEvent -Query $nq -SourceIdentifier nq\n<\/p>\n

    Quick check<\/h2>\n

    Now I do a quick check. Did my registration work? I use Get-EventSubscriber<\/strong>. Are there any events? (There should not be at this point.) I use Get-Event<\/strong>.<\/p>\n

    Here is what my Windows PowerShell console looks like at this point:<\/p>\n

    \"Image<\/a><\/p>\n

    Generate and receive events<\/h2>\n

    Now I generate an event by launching Notepad. When I do that, I use the Get-Event<\/strong> cmdlet to receive the event. Here is the command:<\/p>\n

    \n Get-Event -SourceIdentifier nq\n<\/p>\n

    The returned object contains a number of properties. These properties are shown in the image that follows:<\/p>\n

    \"Image<\/a><\/p>\n

    I know, from yesterday\u2019s post, that the information I am interested in obtaining is contained in the SourceEventArgs<\/strong> property and in the NewEvent<\/strong> property under that. I use dotted notation to gain access to the important properties:<\/p>\n

    \"Image<\/a><\/p>\n

    That was fun, do it again<\/h2>\n

    That worked well. I can see that with the ProcessID<\/strong> I received, I could manage the newly created process if I needed to do so. But what about monitoring for an additional process? One way is to simply create another event registration. This time I will do it for Calc.exe. Here is the command:<\/p>\n

    \n $cq = “Select * from win32_ProcessStartTrace where processname = ‘calc.exe'”\n<\/p>\n

    \n Register-CimIndicationEvent -Query $cq -SourceIdentifier cq\n<\/p>\n

    Now I launch Calculator (calc.exe) and retrieve the event. Here is the command that does that:<\/p>\n

    \n calc\n<\/p>\n

    \n (Get-Event -SourceIdentifier cq).SourceEventArgs.newevent\n<\/p>\n

    This command and the output from the command are shown in the following image:<\/p>\n

    \"Image<\/a><\/p>\n

    It still works with Notepad also. I simply use the nq<\/strong> source. I decide to clean up everything. Here are the commands I use:<\/p>\n

    \n get-event | Remove-Event\n<\/p>\n

    \n Get-EventSubscriber | Unregister-Event\n<\/p>\n

    Now there are no more events and no more event subscriptions.<\/p>\n

    A combined query<\/h2>\n

    I can, of course, combine my two event queries into a single query. To do this, I use a compound where<\/strong> clause. Here is my new query (this is a single line query that wraps due to the length. It includes no returns or line continuation marks):<\/p>\n

    \n $q = “Select * from win32_ProcessStartTrace where processname = ‘calc.exe’ OR processname = ‘notepad.exe'”\n<\/p>\n

    I register for events from this query just like I did for the other queries. Here is the command:<\/p>\n

    \n Register-CimIndicationEvent -Query $q -SourceIdentifier q\n<\/p>\n

    Now I launch both Notepad and Calculator, and I use Get-Event<\/strong> to retrieve my new events. Here is the command that does that:<\/p>\n

    \n notepad\n<\/p>\n

    \n calc\n<\/p>\n

    \n (Get-Event -SourceIdentifier q).SourceEventArgs.newevent\n<\/p>\n

    The commands and their associated output are shown here:<\/p>\n

    \"Image<\/a><\/p>\n

    That is all there is to using the Register-CimIndicationEvent<\/strong> cmdlet to monitor for a specific process. Join me tomorrow when I will talk about terminating a specific process when it starts up.<\/p>\n

    I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

    Ed Wilson, Microsoft Scripting Guy<\/strong>\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

    Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to monitor for the creation of specific processes. Microsoft Scripting Guy, Ed Wilson, is here. This morning it is beginning to look like autumn. Who knows, it may become really hot and humid over the weekend, but today I can delude myself into hearing […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[385,42,41,31,3,4,45,6],"class_list":["post-663","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-cim","tag-events-and-monitoring","tag-monitoring","tag-operating-system","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell","tag-wmi"],"acf":[],"blog_post_summary":"

    Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to monitor for the creation of specific processes. Microsoft Scripting Guy, Ed Wilson, is here. This morning it is beginning to look like autumn. Who knows, it may become really hot and humid over the weekend, but today I can delude myself into hearing […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/663","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=663"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/663\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=663"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}