This repository has been archived by the owner on May 31, 2020. It is now read-only.
ProcessLogger.ps1
#Sunny Chakraborty (@sunnyc7)([email protected])
#License: MIT-3 > Use as you please + Don't Sue Me.
#FileMon tricks
Function Get-ProcessLaunches([string[]]$computer) {
    BEGIN {
        Function Write-Log([string]$info){
            # $loginitialized starts out $null, and ($null -eq $false) is False,
            # so the header was never written; test for "not yet initialized" instead.
            if(-not $script:loginitialized){
                $FileHeader > $logfile
                $script:loginitialized = $True
            }
            $info >> $logfile
        } # End of Function Write-Log
        #Logfile Path, header line (referenced above but previously undefined) and init flag
        $script:logfile = "c:\scripts\procmonlog.txt"
        $script:FileHeader = "Time, Process, Computer, PID, ParentPID"
        $script:loginitialized = $false
    }
    PROCESS {
        #WQL on InstanceCreationEvent
        $query = "Select * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Process'"
        #Delete Previously Loaded Subscription and Jobs
        #(Get-Job throws if no job of that name exists, hence -ErrorAction SilentlyContinue)
        Unregister-Event -SourceIdentifier RemoteProcMon -ErrorAction SilentlyContinue
        Get-Job -Name RemoteProcMon -ErrorAction SilentlyContinue | Remove-Job -Force | Out-Null
        #WMI Event Monitor
        Register-WmiEvent <#-ComputerName $computer#> -Query $query -SourceIdentifier RemoteProcMon -Action{
            $Global:RemoteProcMon=$event
            $p = $Event.SourceEventArgs.NewEvent.TargetInstance
            Write-Host "$((Get-Date).ToLongTimeString()), $($p.Name) started on $($p.PSComputerName) with PID=$($p.ProcessID) and ParentPID=$($p.ParentProcessId)"
            # You can change Write-Host to Write-Log, and edit the log-path above to have the events logged to a file.
            # Note: the -Action block runs in its own scope, so Write-Log and $logfile defined in BEGIN
            # are not visible here; pass the log path in via -MessageData (read as $Event.MessageData).
        }
    } # End Process
} # End of Function.
<# COMMENTS / Annotations.
02.11.2013 -Sunny:
I was going with logging to a file, instead of building up Objects in memory to be processed by something in the pipeline.
IMHO File / Database Logging is more appropriate in this situation.
I kept it at Write-Host so that you can see the magic. You can use the -ComputerName parameter in Register-WmiEvent to run this against multiple computers
and have all of them log to one common path like c:\log\something
** Logging and other functions can be vastly improved.
This is a really, really rough draft.
** Running this program in production won't harm your computer with Write-Host intact.
If you use the logging functionality, it will log stuff. **
#>
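A file-logging variant of the monitor above, added here as an example and not part of the original script. It uses Register-CimIndicationEvent (the CIM counterpart of Register-WmiEvent) and hands the log path to the -Action block through -MessageData, because the action runs in its own scope and cannot reach Write-Log or $logfile from the enclosing function; the log path and source identifier are assumptions.

```powershell
# Added example (not part of the original script). Log path and source
# identifier are assumed values; change them to suit.
Function Start-ProcessLaunchLog {
    param(
        [string]$LogFile = "C:\scripts\procmonlog.csv",
        [string]$SourceIdentifier = "ProcLaunchLog"
    )
    # Same WQL as the original monitor, polled every second.
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"

    # Remove a stale subscription from a previous run; ignore it if none exists.
    Unregister-Event -SourceIdentifier $SourceIdentifier -ErrorAction SilentlyContinue
    Get-Job -Name $SourceIdentifier -ErrorAction SilentlyContinue | Remove-Job -Force

    # Write the header once so the file loads directly with Import-Csv.
    if (-not (Test-Path $LogFile)) {
        New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
        '"Time","Computer","Name","ProcessId","ParentProcessId","CommandLine"' | Set-Content -Path $LogFile
    }

    # -MessageData is the supported way to get data into the action's scope;
    # inside the block it is available as $Event.MessageData.
    Register-CimIndicationEvent -Query $query -SourceIdentifier $SourceIdentifier -MessageData $LogFile -Action {
        $p = $Event.SourceEventArgs.NewEvent.TargetInstance
        $row = [PSCustomObject]@{
            Time            = (Get-Date).ToString('o')
            Computer        = $env:COMPUTERNAME
            Name            = $p.Name
            ProcessId       = $p.ProcessId
            ParentProcessId = $p.ParentProcessId
            CommandLine     = $p.CommandLine
        }
        # ConvertTo-Csv quotes every field, so command lines containing commas
        # stay on one row; skip its header line since the file already has one.
        $row | ConvertTo-Csv -NoTypeInformation | Select-Object -Skip 1 |
            Add-Content -Path $Event.MessageData
    } | Out-Null
}

# Usage (run in an elevated session, then stop with Unregister-Event):
# Start-ProcessLaunchLog
# Import-Csv C:\scripts\procmonlog.csv | Format-Table -AutoSize
# Unregister-Event -SourceIdentifier ProcLaunchLog
```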