In a previous tip, you learned that there is a hidden host process named wsmprovhost.exe whenever someone else visits your computer using PowerShell remoting. Provided you have local admin rights, this piece of code creates a new function called Get-PSRemotingVisitor which lists who is actually running PowerShell remoting sessions on your machine and since when:
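function Get-PSRemotingVisitor($computername='localhost')
{
    # wsmprovhost.exe hosts incoming PowerShell remoting sessions
    Get-WmiObject Win32_Process -Filter 'Name="wsmprovhost.exe"' -ComputerName $computername |
    ForEach-Object {
        # Resolve the account that owns the host process as DOMAIN\User
        $o = $_.GetOwner()
        $o = $o.Domain + "\" + $o.User

        # Add an empty Owner column, then fill in owner and a readable start time
        $obj = $_ | Select-Object Name, CreationDate, Owner
        $obj.Owner = $o
        $obj.CreationDate = $_.ConvertToDateTime($_.CreationDate)
        $obj
    }
}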
You can even run this command against remote systems (provided you have sufficient access rights).
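A CIM-based variant of the function above, as an added example that is not part of the original tip: it uses Get-CimInstance (Get-WmiObject is not available in PowerShell 6 and later) and marks sessions whose owner is not on an allow-list or that have been open longer than a threshold. The function name, its parameters, and the sample account name are assumptions made for illustration.

```powershell
# Added example, not from the original tip. Names and sample values are hypothetical.
function Get-PSRemotingVisitorReport {
    [CmdletBinding()]
    param(
        [string]   $ComputerName = 'localhost',
        [string[]] $AllowedOwner = @(),                    # e.g. 'CONTOSO\svc-deploy' (constructed)
        [timespan] $MaxAge       = (New-TimeSpan -Hours 8) # sessions older than this get flagged
    )

    # Pass -ComputerName only for remote targets; a local query then needs no WS-Man connection.
    $target = @{}
    if ($ComputerName -notin 'localhost', '.', $env:COMPUTERNAME) {
        $target.ComputerName = $ComputerName
    }

    $now = Get-Date
    Get-CimInstance -ClassName Win32_Process -Filter "Name='wsmprovhost.exe'" @target |
        ForEach-Object {
            # GetOwner returns a non-zero ReturnValue without sufficient rights,
            # and can fail outright if the session ended between the two calls.
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
            $name  = if ($owner -and $owner.ReturnValue -eq 0) {
                         '{0}\{1}' -f $owner.Domain, $owner.User
                     } else { '<unknown>' }

            # CIM already returns CreationDate as a DateTime, so no ConvertToDateTime is needed.
            $age = $now - $_.CreationDate

            # Collect the reasons this session deserves a closer look.
            $reasons = @()
            if ($name -eq '<unknown>') { $reasons += 'owner not resolved' }
            elseif ($AllowedOwner.Count -gt 0 -and $AllowedOwner -notcontains $name) {
                $reasons += 'owner not on allow-list'
            }
            if ($age -gt $MaxAge) { $reasons += 'session older than MaxAge' }

            [pscustomobject]@{
                ComputerName = $ComputerName
                ProcessId    = $_.ProcessId
                Owner        = $name
                CreationDate = $_.CreationDate
                Age          = $age
                Review       = $reasons -join '; '
            }
        }
}
```

An empty Review column means the session matched the allow-list (if one was supplied) and is younger than MaxAge.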