Welcome!

By registering with us, you'll be able to discuss, share and private message with other members of our community.

SignUp Now!

Determine process svchost is running

Aug
1,917
68
Further to http://jpsoft.com/forums/threads/determine-process-svchost-is-running.5751/#post-33483 here is a PowerShell Script that I have used to get the process that SVCHOST is running;
Code:
<#
.Synopsis
  Provide a report on all SvcHost processes and embedded services.

.Description
  Gets the details on all services running inside of SvcHost processes along with memory
  consumption, page faults and command lines.

.Parameter computer
  The machine to test. Defaults to the current machine.

.Parameter outHTML
  A switch. Will return a HTML formatted output of the process & service details.

.Parameter outGrid
  A switch. Will return a GridView formatted output of the process & service details.

.INPUTS
  None. You cannot pipe objects to Invoke-Task.

.OUTPUTS
  A collection of PSObjects containing the details of each service.

.Example
  Get-ServiceDetails
  Gets the details for the current machine as a PSObject collection.

.Example
  Get-ServiceDetails "SERVER-001"
  Gets the details for the given machine as a PSObject collection.

.Example
  Get-ServiceDetails -outHTML
  Gets the details for the current machine as a PSObject collection and also displays the details in
  the current browser as an HTML formatted file. This file is also persisted to the current folder.

.Example
  Get-ServiceDetails -outGrid
  Gets the details for the current machine as a PSObject collection and also displays the details in
  a GridView.

#>
param (
  [string]$computer = ".",
  [switch]$outHTML,
  [switch]$outGrid
)

$results = (Get-WmiObject -Class Win32_Process -ComputerName $computer -Filter "Name='svchost.exe'" | % {
  $process = $_
  Get-WmiObject -Class Win32_Service -ComputerName $computer -Filter "ProcessId=$($_.ProcessId)" | % {
  New-Object PSObject -Property @{ProcessId=$process.ProcessId;
  CommittedMemory=$process.WS;
  PageFaults=$process.PageFaults;
  CommandLine=$_.PathName;
  ServiceName=$_.Name;
  State=$_.State;
  DisplayName=$_.DisplayName;
  StartMode=$_.StartMode}
  }
})

if ($outHTML)
{
  $results | ConvertTo-Html | Out-File ".\temp.html"
  & .\temp.html
}

if ($outGrid)
{
  $results | Out-GridView
}

$results

I got this script from Use PowerShell to Find Services Hiding in the SvcHost Process, and prefer to run it as;
Code:
.\get-servicedetails.ps1 -outGrid
as this creates a window from which I can create a filter to restrict the display to the ServiceName that I want information on.

Joe
 
You can use @WMI or the WMIQUERY command to make the same WMI queries. However it's a more manual process to gather the pieces parts.
Code:
wmiquery /a . "select PathName,Name,State,DisplayName,StartMode from Win32_Service where PathName LIKE '%%svchost.exe%%'"
 
Using the /B option makes the output a lot easier to read... and also such for such a simple way to get the necessary output
 
This will show the Pathname and group the service names under each
Code:
do p in /p wmiquery /a . "select processid from Win32_Process where name='svchost.exe'" (echo ^n%@wmi[.,"SELECT pathname FROM Win32_service where processid='%p'"] & wmiquery /a . "select name from Win32_Service where ProcessId='%p'")
 
You can use @WMI or the WMIQUERY command to make the same WMI queries. However it's a more manual process to gather the pieces parts.
Code:
wmiquery /a . "select PathName,Name,State,DisplayName,StartMode from Win32_Service where PathName LIKE '%%svchost.exe%%'"

I agree, Scott, that this is the way to go in TCC. However, as these commands are not available in TCC/LE, the PowerShell script is a solution to achieve similar results.

Joe
 
You can use the Windows WMIC command instead.
Code:
wmic service where (pathname like "%%svchost.exe%%" and state="Running") get PathName,Name,DisplayName,StartMode /format:csv
 
Thanks Scott, I totally forgot about wmic.

Looks like the more that I use PowerShell, the more I forgot about the "old ways".

Joe
 
Back
Top