
Determine process svchost is running

Discussion in 'PowerShell' started by Joe Caverly, May 24, 2014.

  1. Joe Caverly

    Joined:
    Aug 28, 2009
    Messages:
    660
    Likes Received:
    8
    Further to http://jpsoft.com/forums/threads/determine-process-svchost-is-running.5751/#post-33483 here is a PowerShell Script that I have used to get the process that SVCHOST is running;
    Code:
    <#
    .Synopsis
      Provide a report on all SvcHost processes and embedded services.
    
    .Description
      Gets the details on all services running inside of SvcHost processes along with memory
      consumption, page faults and command lines.
    
    .Parameter computer
      The machine to test. Defaults to the current machine.
    
    .Parameter outHTML
      A switch. Will return a HTML formatted output of the process & service details.
    
    .Parameter outGrid
      A switch. Will return a GridView formatted output of the process & service details.
    
    .INPUTS
      None. You cannot pipe objects to Invoke-Task.
    
    .OUTPUTS
      A collection of PSObjects containing the details of each service.
    
    .Example
      Get-ServiceDetails
      Gets the details for the current machine as a PSObject collection.
    
    .Example
      Get-ServiceDetails "SERVER-001"
      Gets the details for the given machine as a PSObject collection.
    
    .Example
      Get-ServiceDetails -outHTML
      Gets the details for the current machine as a PSObject collection and also displays the details in
      the current browser as an HTML formatted file. This file is also persisted to the current folder.
    
    .Example
      Get-ServiceDetails -outGrid
      Gets the details for the current machine as a PSObject collection and also displays the details in
      a GridView.
    
    #>
    param (
      [string]$computer = ".",
      [switch]$outHTML,
      [switch]$outGrid
    )
    
    $results = (Get-WmiObject -Class Win32_Process -ComputerName $computer -Filter "Name='svchost.exe'" | % {
      $process = $_
      Get-WmiObject -Class Win32_Service -ComputerName $computer -Filter "ProcessId=$($_.ProcessId)" | % {
        New-Object PSObject -Property @{
          ProcessId=$process.ProcessId;
          CommittedMemory=$process.WS;
          PageFaults=$process.PageFaults;
          CommandLine=$_.PathName;
          ServiceName=$_.Name;
          State=$_.State;
          DisplayName=$_.DisplayName;
          StartMode=$_.StartMode
        }
      }
    })
    
    if ($outHTML)
    {
      $results | ConvertTo-Html | Out-File ".\temp.html"
      & .\temp.html
    }
    
    if ($outGrid)
    {
      $results | Out-GridView
    }
    
    $results
    I got this script from "Use PowerShell to Find Services Hiding in the SvcHost Process", and prefer to run it as;
    Code:
    .\get-servicedetails.ps1 -outGrid
    as this creates a window from which I can create a filter to restrict the display to the ServiceName that I want information on.

    Joe
     
  2. samintz

    samintz Scott Mintz

    Joined:
    May 20, 2008
    Messages:
    1,188
    Likes Received:
    11
    You can use @WMI or the WMIQUERY command to make the same WMI queries. However it's a more manual process to gather the pieces parts.
    Code:
    wmiquery /a . "select PathName,Name,State,DisplayName,StartMode from Win32_Service where PathName LIKE '%%svchost.exe%%'"
    
     
  3. Charles G

    Joined:
    Apr 2, 2011
    Messages:
    1,012
    Likes Received:
    0
    Using the /B option makes the output a lot easier to read... and also such for such a simple way to get the necessary output
     
  4. samintz

    samintz Scott Mintz

    Joined:
    May 20, 2008
    Messages:
    1,188
    Likes Received:
    11
    This will show the Pathname and group the service names under each
    Code:
    do p in /p wmiquery /a . "select processid from Win32_Process where name='svchost.exe'" (echo ^n%@wmi[.,"SELECT pathname FROM Win32_service where processid='%p'"] & wmiquery /a . "select name from Win32_Service where ProcessId='%p'")
    
     
  5. Joe Caverly

    Joined:
    Aug 28, 2009
    Messages:
    660
    Likes Received:
    8
    I agree, Scott, that this is the way to go in TCC. However, as these commands are not available in TCC/LE, the PowerShell script is a solution to achieve similar results.

    Joe
     
  6. samintz

    samintz Scott Mintz

    Joined:
    May 20, 2008
    Messages:
    1,188
    Likes Received:
    11
    You can use the Windows WMIC command instead.
    Code:
    wmic service where (pathname like "%%svchost.exe%%" and state="Running") get PathName,Name,DisplayName,StartMode /format:csv
    
     
  7. Joe Caverly

    Joined:
    Aug 28, 2009
    Messages:
    660
    Likes Received:
    8
    Thanks Scott, I totally forgot about wmic.

    Looks like the more that I use PowerShell, the more I forget about the "old ways".

    Joe
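
The per-process grouping discussed in this thread, as an added example that is not from any of the posts above: it uses `Get-CimInstance` (`Get-WmiObject` is not available in PowerShell 7), queries each WMI class once instead of once per svchost process, and records whether each `svchost.exe` image sits in the system directory. The function name `Get-SvcHostMap` and the `PathCheck` column are hypothetical names chosen for this example.

```powershell
# Added example, not code from the thread. Get-SvcHostMap is a hypothetical name.
function Get-SvcHostMap {
    param([string]$ComputerName)

    # Splat -ComputerName only when a remote target was given.
    $cim = @{}
    if ($ComputerName) { $cim.ComputerName = $ComputerName }

    # One query per class, then join on ProcessId in memory.
    $procs = Get-CimInstance @cim -ClassName Win32_Process -Filter "Name='svchost.exe'"
    $services = Get-CimInstance @cim -ClassName Win32_Service -Filter "ProcessId<>0" |
        Group-Object -Property ProcessId -AsHashTable -AsString
    if (-not $services) { $services = @{} }

    # Expected image location, taken from the target machine itself.
    $sysDir   = (Get-CimInstance @cim -ClassName Win32_OperatingSystem).SystemDirectory
    $expected = Join-Path $sysDir 'svchost.exe'

    foreach ($p in $procs) {
        $hosted = $services["$($p.ProcessId)"]
        $names  = @()
        if ($hosted) { $names = @($hosted | ForEach-Object { $_.Name }) }

        # ExecutablePath can be empty when the session is not elevated.
        if (-not $p.ExecutablePath)                { $pathCheck = 'Unknown' }
        elseif ($p.ExecutablePath -ieq $expected)  { $pathCheck = 'SystemDirectory' }
        else                                       { $pathCheck = 'Other' }

        [pscustomobject]@{
            ProcessId      = $p.ProcessId
            ParentPid      = $p.ParentProcessId
            PathCheck      = $pathCheck
            ExecutablePath = $p.ExecutablePath
            WorkingSetMB   = [math]::Round($p.WorkingSetSize / 1MB, 1)
            ServiceCount   = $names.Count
            Services       = $names -join ', '
            CommandLine    = $p.CommandLine   # the process command line, including its -k group
        }
    }
}

Get-SvcHostMap | Sort-Object ProcessId |
    Format-Table ProcessId, PathCheck, WorkingSetMB, ServiceCount, Services -AutoSize -Wrap
```

Rows with `ServiceCount` 0 or a `PathCheck` other than `SystemDirectory` are the ones to look at first; run from an elevated session so `ExecutablePath` and `CommandLine` are populated.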
     
