# encoding: ascii # api: powershell # title: Watch-Process # description: Creates an event handler for monitoring either process creation or deletion. This requires to be run as administrator. # version: 0.1 # type: function # author: Ravikanth # license: CC0 # function: Watch-Process # x-poshcode-id: 2560 # x-archived: 2016-08-11T17:17:58 # x-published: 2011-03-15T06:07:00 # # Function Watch-Process { <# .DESCRIPTION Creates an event handler for monitoring either process creation or deletion. This requires to be run as administrator. .SYNOPSIS Watches for process creation or deletion. .PARAMETER computerName Name of the remote computer. Make sure you have privileges to access remote WMI namespaces. The default value is local computer. .PARAMETER Name Name of the process to monitor. .PARAMETER Id Processs ID of the process to monitor. .PARAMETER Creation Switch Parameter. Use this to start process creation monitor. .PARAMETER Deletion Switch Parameter. Use this to start process deletion monitor. .PARAMETER Timeout By default there is no timeout. The process monitor will wait forever. You can specify the maximum timeout period in seconds. .OUTPUTS Returns a process object in case of process creation and returns process exit status in case of process deletion .EXAMPLE Watch-Process -computerName TestServer01 -Name "Notepad.exe" -Creation Description ----------- The above example demonstrates to how to start a process creation monitor for a remote process .EXAMPLE Watch-Process -computerName TestServer01 -Name "notepad.exe" -Deletion Watch-Process -computerName TestServer01 -Id 3123 -Deletion Description ----------- The above creates process deletion monitor for notepad.exe on computer TestServer01 and also creates a process deletion monitor for process ID 3123 on the remote computer. .LINK Online version: http://www.ravichaganti.com/blog #> [CmdletBinding()] param ( [Parameter(ParameterSetName="pCreation",Mandatory=$false)] [Parameter(ParameterSetName="pDeletion",Mandatory=$false)] [String]$computerName=".", [Parameter(ParameterSetName="pCreation",Mandatory=$true)] [Parameter(ParameterSetName="pDeletion",Mandatory=$false)] [String]$name, [Parameter(ParameterSetName="pDeletion",Mandatory=$false)] [int]$Id, [Parameter(ParameterSetName="pCreation",Mandatory=$false)] [Switch]$creation, [Parameter(ParameterSetName="pDeletion",Mandatory=$false)] [Switch]$deletion, [Parameter(ParameterSetName="pDeletion",Mandatory=$false)] [Parameter(ParameterSetName="pCreation",Mandatory=$false)] [int]$timeout=-1 ) if ($deletion) { if (($PSBoundParameters.Keys -contains "Name") -and ($PSBoundParameters.Keys -Contains "Id")) { Write-Error "Both Name and Id parameters are specified. Specify any of these parameters." return } elseif ($name) { $query = "SELECT * FROM Win32_ProcessStopTrace WHERE ProcessName='$($name)'" Write-Verbose $query } elseif ($id) { $query = "SELECT * FROM Win32_ProcessStopTrace WHERE ProcessID='$($Id)'" Write-Verbose $query } else { Write-Error "Neither -Name nor -Id provided. You must provide one of these parameters." return } } elseif ($creation) { $query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='$($name)'" Write-Verbose $query } else { Write-Error "You must specify an event to monitor. The valid parameters are -deletion or -creation" return } if ($query) { $srcId = [guid]::NewGuid() #Register a WMI event for process creation or deletion Write-Verbose "Registering a WMI event" Register-WmiEvent -ComputerName $computerName -Query $query -SourceIdentifier $srcID #Wait for the event to trigger Wait-Event -SourceIdentifier $srcID -Timeout $timeout #Unregister the event. We don't need it anymore Write-Verbose "Unregistering a WMI event" Unregister-Event -SourceIdentifier $srcID } }