JumpCloud Community

ncarmichael · ‎03-09-2023

I have had an issue recently where I can see a PowerShell being run by JC is being a bit of a resource hog.

How can I see what commands are being currently run (and ideally the processid of the powershell they are running in)? When I use processexplorer all I can see is they are powershell sessions, not what they are doing/running.

Neil

JuergenKlaassen · ‎03-10-2023

Hi

For plain debugging purposes, you could enable Powershell Transcription on a machine level via Registry.
(I'm having this as a Custom Advanced Policy and make use of it once in a while).

If you have an EDR in place, this could also be a good angle to investigate.

View solution in original post

JuergenKlaassen · ‎03-10-2023

Hi

For plain debugging purposes, you could enable Powershell Transcription on a machine level via Registry.
(I'm having this as a Custom Advanced Policy and make use of it once in a while).

If you have an EDR in place, this could also be a good angle to investigate.

ncarmichael · ‎03-10-2023

That's pretty cool, I'll definatly be trying it out, I am also adding the following lines as a an experiment to see if changing the title of the windows (though invisible on the machine) might be able to be seen in process explorer, and too be able to see in the commands log afterward what process ID and powershell version something was running under.

$question="Daily housekeeping"
write-host "Running $question under process $pid" 
write-host $host.version.major
$host.ui.RawUI.WindowTitle=$question

JumpCloud Community

Understanding from information on the local machine what is the powershell command JC is running