Monday, September 15, 2008

Retrieving Remote Processes with PowerShell

Keeping in line with my current theme of retrieving useful information from a compromised PC, below is a simple one-liner that will grab the running processes from a remote host.

Get-WmiObject win32_process -ComputerName . | Select-Object CSName,Description,Processid,WS,Path | Sort-Object WS -Descending | Format-Table * -AutoSize

This uses the full cmdlet and parameter names rather than the aliases or shortened versions, but for anyone reading this who might be wondering, the abbreviated form of that command would be:

gwmi win32_process -Comp . | Select CSName,Description,Processid,WS,Path | Sort WS -Desc | Ft * -Au

And the output would be something like this.

Again, this can be run against a remote host by replacing the . after -ComputerName with the remote computer's name. The output can be exported straight to CSV by removing the Format-Table command and piping to the Export-Csv cmdlet instead.
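As an added example (not from the original post), here is the same Win32_Process query wrapped in a function that handles several hosts, records the owning account and command line for each process, and writes a timestamped CSV per host; the host names and output directory are placeholders.

```powershell
# Added example, not from the original post. Queries Win32_Process on each host
# over WMI and writes one CSV per host. Host names in the usage line are placeholders.
function Get-RemoteProcessInventory {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential,
        [string]$OutputDirectory = '.'
    )
    foreach ($computer in $ComputerName) {
        $params = @{ Class = 'Win32_Process'; ComputerName = $computer; ErrorAction = 'Stop' }
        if ($Credential) { $params.Credential = $Credential }
        try {
            $processes = Get-WmiObject @params
        } catch {
            # Unreachable host, RPC blocked or access denied: report and keep going.
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
            continue
        }
        $rows = $processes | Select-Object CSName, ProcessId, ParentProcessId, Name,
            @{ Name = 'Owner'; Expression = {
                # GetOwner() fails (non-zero ReturnValue) for Idle/System, so fall back to ''
                $o = $_.GetOwner()
                if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '' } } },
            @{ Name = 'WorkingSetBytes'; Expression = { $_.WorkingSetSize } },
            ExecutablePath, CommandLine,
            @{ Name = 'Created'; Expression = {
                # CreationDate is a DMTF string and can be null for PID 0
                if ($_.CreationDate) { $_.ConvertToDateTime($_.CreationDate) } } }
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        $file  = Join-Path $OutputDirectory "$computer-processes-$stamp.csv"
        $rows | Sort-Object WorkingSetBytes -Descending |
            Export-Csv -Path $file -NoTypeInformation
        Write-Verbose "Wrote $(@($rows).Count) processes from $computer to $file"
    }
}

# Usage (placeholder host names and path):
# Get-RemoteProcessInventory -ComputerName 'HOST01','HOST02' -OutputDirectory 'C:\IR\collect' -Verbose
```

The extra Owner, ParentProcessId and CommandLine columns are what you will want when reviewing the CSV later, since name and path alone rarely tell a suspicious process from a legitimate one.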
