Understanding from information on the local machine what is the PowerShell command JC is running

ncarmichael
Rising Star II

I have had an issue recently where I can see that a PowerShell being run by JC is being a bit of a resource hog.

How can I see what commands are currently being run (and ideally the process ID of the PowerShell they are running in)? When I use Process Explorer, all I can see is that they are PowerShell sessions, not what they are doing/running.

 

Neil

1 ACCEPTED SOLUTION

JuergenKlaassen
Rising Star III

Hi

For plain debugging purposes, you could enable PowerShell Transcription on a machine level via the Registry.
(I have this as a Custom Advanced Policy and make use of it once in a while.)

[Attached image: image (2).png]

If you have an EDR in place, this could also be a good angle to investigate. 


2 REPLIES

ncarmichael
Rising Star II

That's pretty cool, I'll definitely be trying it out. I am also adding the following lines as an experiment to see if changing the title of the windows (though invisible on the machine) might be able to be seen in Process Explorer, and to be able to see in the commands log afterward what process ID and PowerShell version something was running under.

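# Label for this job, reused in the log line and the window title
$question = "Daily housekeeping"
# Write the process ID of this PowerShell session to the output
Write-Host "Running $question under process $PID"
# Write the major PowerShell version to the output
Write-Host $Host.Version.Major
# Set the window title of this session to the label
$Host.UI.RawUI.WindowTitle = $question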
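
The machine-level transcription setting from the accepted solution, as an added example that is not part of the original posts and not JumpCloud's own policy: it writes the standard "Turn on PowerShell Transcription" policy values, then reads the header of each transcript to list the process ID, PowerShell version and host command line the reply above wants to log. The output folder `C:\PSTranscripts` and both function names are assumptions.

```powershell
# Added example. Run from an elevated PowerShell session.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
$outputDir = 'C:\PSTranscripts'   # assumption: any local folder you choose

function Enable-MachineTranscription {
    param([string]$Key = $policyKey, [string]$Directory = $outputDir)
    New-Item -Path $Directory -ItemType Directory -Force | Out-Null
    # Create the policy key only if it is missing, so existing values survive
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name EnableTranscripting -Value 1 `
        -PropertyType DWord -Force | Out-Null
    # Invocation headers add a timestamp before each command in the transcript
    New-ItemProperty -Path $Key -Name EnableInvocationHeader -Value 1 `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Key -Name OutputDirectory -Value $Directory `
        -PropertyType String -Force | Out-Null
}

function Get-TranscriptSummary {
    param([string]$Directory = $outputDir)
    # Each transcript starts with a header block of "Name: value" lines
    $wanted = '^(Start time|Username|Host Application|Process ID|PSVersion):\s*(.*)$'
    Get-ChildItem -Path $Directory -Recurse -Filter 'PowerShell_transcript.*.txt' |
        ForEach-Object {
            $field = @{}
            foreach ($line in (Get-Content -Path $_.FullName -TotalCount 25)) {
                if ($line -match $wanted -and -not $field.ContainsKey($Matches[1])) {
                    $field[$Matches[1]] = $Matches[2]
                }
            }
            [pscustomobject]@{
                ProcessId       = $field['Process ID']
                PSVersion       = $field['PSVersion']
                StartTime       = $field['Start time']
                User            = $field['Username']
                HostApplication = $field['Host Application']
                Transcript      = $_.FullName
            }
        }
}

Enable-MachineTranscription
# Later, after the scheduled commands have run in new PowerShell sessions:
Get-TranscriptSummary | Sort-Object StartTime | Format-List
# When debugging is finished, remove the policy values again:
# Remove-Item -Path $policyKey -Recurse
```

Transcripts record everything a session prints, including any secrets that scripts echo, so restrict access to the output folder and switch the policy off once the debugging is done.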