Each PowerShell host running PowerShell 5 or better opens a “named pipe” that you can detect. The code below identifies these named pipes and returns the processes exposing the pipes:
Get-ChildItem -Path "\\.\pipe\" -Filter '*pshost*' | ForEach-Object { Get-Process -Id $_.Name.Split('.')[2] }
The result may look similar to this:
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
1204 98 306220 66620 63,30 28644 1 powershell_ise
525 29 72604 12708 5,64 12188 1 powershell
741 41 125728 142656 11,52 27144 1 powershell
835 61 40836 82624 1,44 22412 1 pwsh
820 49 199680 230632 2,86 26500 1 powershell_ise
Any process listed here is hosting a PowerShell runspace, and you can use Enter-PSHostProcess -Id XXX to connect to the PowerShell process (provided you have local Administrator privileges).
psconf.eu – PowerShell Conference EU 2019 – June 4-7, Hannover Germany – visit www.psconf.eu There aren’t too many trainings around for experienced PowerShell scripters where you really still learn something new. But there’s one place you don’t want to miss: PowerShell Conference EU – with 40 renown international speakers including PowerShell team members and MVPs, plus 350 professional and creative PowerShell scripters. Registration is open at www.psconf.eu, and the full 3-track 4-days agenda becomes available soon. Once a year it’s just a smart move to come together, update know-how, learn about security and mitigations, and bring home fresh ideas and authoritative guidance. We’d sure love to see and hear from you!
