Finding PowerShell Named Pipes

by May 6, 2019

Each PowerShell host running PowerShell 5 or later opens a “named pipe” that you can detect. The code below finds these named pipes and returns the processes that expose them:

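# List the named pipes that PowerShell hosts create (their names contain "pshost")
Get-ChildItem -Path "\\.\pipe\" -Filter '*pshost*' |
ForEach-Object {
    # The third dot-separated field of the pipe name is the ID of the hosting process
    Get-Process -Id $_.Name.Split('.')[2]
}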

The result may look similar to this:

 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   1204      98   306220      66620      63,30  28644   1 powershell_ise
    525      29    72604      12708       5,64  12188   1 powershell
    741      41   125728     142656      11,52  27144   1 powershell
    835      61    40836      82624       1,44  22412   1 pwsh
    820      49   199680     230632       2,86  26500   1 powershell_ise
 

Any process listed here is hosting a PowerShell runspace, and you can use Enter-PSHostProcess -Id XXX to connect to the PowerShell process (provided you have local Administrator privileges).
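The same enumeration can double as an inventory check: a process that is not one of the usual shells but still exposes a PSHost pipe is hosting a PowerShell runspace and is worth reviewing. The following is an added example, not code from the original tip; the function names, the expected-host list and the assumed pipe name layout beyond the PID field are assumptions, and the sample names are constructed.

```powershell
# Assumed pipe name layout: PSHost.<start time>.<PID>.<AppDomain>.<process name>
# (the tip's own code relies only on field index 2 being the PID).
function ConvertFrom-PSHostPipeName {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Name)
    process {
        # Split into at most 5 parts: a process name may itself contain dots.
        $parts = $Name.Split([char[]]'.', 5)
        $hostPid = 0   # $PID is an automatic variable, so use another name
        if ($parts.Count -lt 5 -or $parts[0] -ne 'PSHost' -or
            -not [int]::TryParse($parts[2], [ref]$hostPid)) {
            Write-Warning "Unrecognized pipe name: $Name"
            return
        }
        [pscustomobject]@{
            ProcessId   = $hostPid
            AppDomain   = $parts[3]
            ProcessName = $parts[4]
            PipeName    = $Name
        }
    }
}

function Find-UnexpectedPSHost {
    param(
        [Parameter(Mandatory)][string[]]$PipeName,
        # Hosts considered normal; adjust this list for your environment.
        [string[]]$ExpectedHost = @('powershell', 'powershell_ise', 'pwsh')
    )
    $PipeName | ConvertFrom-PSHostPipeName |
        Where-Object { $ExpectedHost -notcontains $_.ProcessName }
}

# Constructed sample names (not captured from a real system); the third one
# stands in for an application that embeds a PowerShell runspace.
$sample = @(
    'PSHost.132015000000000000.12188.DefaultAppDomain.powershell'
    'PSHost.132015000000000001.22412.DefaultAppDomain.pwsh'
    'PSHost.132015000000000002.4321.DefaultAppDomain.reporting.service'
)
Find-UnexpectedPSHost -PipeName $sample

# On Windows, run the same check against the live pipes, enumerated as in the tip.
if ($env:OS -eq 'Windows_NT') {
    $live = (Get-ChildItem -Path '\\.\pipe\' -Filter '*pshost*').Name
    Find-UnexpectedPSHost -PipeName $live
}
```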

