Gathering Forensic Process Info

by Aug 10, 2022

In order to better understand the processes that run on a server, and possibly identify traces of unwanted processes, PowerShell can dump forensic process information to CSV file in a way that Excel (if installed) can open the file. This way it is easy to review the processes and their command lines and start parameters.

Here is the code:

$Path = "$env:temp\processList.csv"

# get all processes...
Get-CimInstance -ClassName Win32_Process | 
    # select forensic properties...
    Select-Object -Property Name, HandleCount, ProcessId, ParentProcessId, Path, CommandLine  | 
    # write to a CSV file
    Export-Csv -Path $Path -Encoding UTF8 -UseCulture -NoTypeInformation

# load CSV into Excel (needs to be installed of course)
Start-Process -FilePath excel -ArgumentList $Path

Note that you won’t get some process details for processes launched by someone else unless you run this with Administrator privileges.

Twitter This Tip! ReTweet this Tip!