
September 10, 2018 at 1:39 pm

I've recently started working with PowerShell and Windows Event Logs, so the answer to my problem might be something obvious to an experienced person.
I have been looking into PowerShell logs – Windows PowerShell logs (Event IDs 800, 600, etc.) and PowerShell Operational logs (Microsoft-Windows-PowerShell%4Operational.evtx) (Event IDs 4104, 4105, 4106, etc.). I can see how to find all the script blocks that were executed from a particular RunspaceId using the operational logs.
But let's say one PowerShell script (with Runspace ID 1) is calling another instance of PowerShell (with Runspace ID 2) using "PowerShell -nop -File C:\path to some script", for instance. If the process ID of the first PowerShell is known, then it might be possible to find the child PowerShell process from the Windows Security Log (%SystemRoot%\System32\Winevt\Logs\Security.evtx) using Event ID 4688.
But if I only have the RunspaceId of a PowerShell instance, is there any way to find its ProcessId using any of the Windows logs? The end goal is to connect the RunspaceIds of the parent PowerShell instance and the child instance. Is there any way to do this, either through the process ID method or some other method that I'm missing?
PS: I realize that you can find the process ID of a PowerShell instance using $PID when it's open. But I'm talking about finding it using Windows logs, when no one has used the $PID variable during execution.
I'm using PowerShell 5.1 on Windows 10. I have advanced logging enabled.
Any help would be appreciated.
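The correlation the post is asking about can be done from the logs alone, because every event record carries the logging process's PID in its System element (Execution/ProcessID, exposed by Get-WinEvent as the record's ProcessId property), and the 4103/4105/4106 messages in the Operational log name the runspace. The script below is an added example, not code from the original post or from any project: it maps each RunspaceId to the PID that hosted it, parses 4688 for parent/child PIDs, and joins the two with a time check so a reused PID is not matched to the wrong process. It assumes script block and module logging are enabled, that process-creation auditing with command-line logging is on, that it is run elevated (the Security log needs it), and that the message text contains "Runspace ID" followed by a GUID; that text pattern is an assumption about the event message format, so adjust the regex if your build renders it differently.

```powershell
# Added example (not from the original post): correlate PowerShell RunspaceIds with
# host ProcessIds and parent/child process creation using only Windows event logs.
# Assumption: 4103/4105/4106 messages contain "Runspace ID" followed by a GUID.
$runspaceRegex = 'Runspace ID\s*[:=]\s*([0-9a-fA-F-]{36})'

function Get-RunspaceHosts {
    # RunspaceId -> @{ ProcessId -> earliest TimeCreated }, using the Execution/ProcessID
    # that every event carries in its System element (.ProcessId on the record).
    $map = @{}
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4105, 4106 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match $runspaceRegex) {
                $rs = $Matches[1].ToLower()
                $p  = [int]$_.ProcessId
                if (-not $map.ContainsKey($rs)) { $map[$rs] = @{} }
                if (-not $map[$rs].ContainsKey($p) -or $_.TimeCreated -lt $map[$rs][$p]) {
                    $map[$rs][$p] = $_.TimeCreated
                }
            }
        }
    return $map
}

function Get-ProcessCreations {
    # ProcessId -> list of 4688 creation records (PIDs are reused, so keep every one).
    $tree = @{}
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $childPid = [Convert]::ToInt32($data['NewProcessId'], 16)   # 4688 stores PIDs as hex
            if (-not $tree.ContainsKey($childPid)) { $tree[$childPid] = @() }
            $tree[$childPid] += [pscustomobject]@{
                ChildPid    = $childPid
                ParentPid   = [Convert]::ToInt32($data['ProcessId'], 16)  # "Creator Process ID" field
                Image       = $data['NewProcessName']
                CommandLine = $data['CommandLine']                          # empty unless cmdline auditing is on
                Created     = $_.TimeCreated
            }
        }
    return $tree
}

function Get-RunspaceLineage {
    $hosts = Get-RunspaceHosts
    $tree  = Get-ProcessCreations

    # Invert the first map: ProcessId -> runspaces that process hosted.
    $pidToRunspace = @{}
    foreach ($rs in $hosts.Keys) {
        foreach ($p in $hosts[$rs].Keys) {
            if (-not $pidToRunspace.ContainsKey($p)) { $pidToRunspace[$p] = @() }
            $pidToRunspace[$p] += $rs
        }
    }

    foreach ($rs in $hosts.Keys) {
        foreach ($p in $hosts[$rs].Keys) {
            $firstSeen = $hosts[$rs][$p]
            # Take the most recent 4688 for this PID that precedes the runspace's first event,
            # so a reused PID is not joined to a later, unrelated process.
            $creation = $tree[$p] | Where-Object { $_.Created -le $firstSeen } |
                        Sort-Object Created -Descending | Select-Object -First 1
            if ($null -eq $creation) { continue }   # no usable 4688: log rolled over or auditing off
            $parentRs = $pidToRunspace[$creation.ParentPid]
            $parentLabel = if ($parentRs) { $parentRs -join ', ' } else { '(no runspace events)' }
            [pscustomobject]@{
                ChildRunspaceId   = $rs
                ChildPid          = $p
                ChildCommandLine  = $creation.CommandLine
                ParentPid         = $creation.ParentPid
                ParentRunspaceIds = $parentLabel
                Created           = $creation.Created
            }
        }
    }
}

Get-RunspaceLineage | Format-Table -AutoSize
```

Rows whose ParentRunspaceIds is populated are exactly the parent/child pairs the post describes: a runspace in one process spawned a second PowerShell process that hosted another runspace. Rows with "(no runspace events)" mean the parent was not a logged PowerShell host (explorer, a scheduled task, a service), which is itself a useful triage signal. Nothing here depends on $PID having been used; it relies only on the per-record ProcessId and on 4688.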