Finding Powershell ProcessID using RunspaceID and Logs


This topic contains 4 replies, has 3 voices, and was last updated by a Participant 2 months ago.

  • #111334

    Participant
    Points: 0
    Rank: Member

    I've recently started working with PowerShell and Windows Event Logs, so the answer to my problem might be something obvious to an experienced person.
    I have been looking into PowerShell logs: Windows PowerShell logs (Event IDs 800, 600, etc.) and PowerShell Operational logs (Microsoft-Windows-PowerShell%4Operational.evtx) (Event IDs 4104, 4105, 4106, etc.). I can see how to find all the Script Blocks that were executed from a particular RunspaceId using the operational logs.
    But let's say one PowerShell script (with Runspace Id 1) is calling another instance of PowerShell (with Runspace Id 2) using "PowerShell -nop -File C:\path to some script", for instance. If the process Id of the first PowerShell is known, then it might be possible to find the child PowerShell process from the Windows Security Log (%SystemRoot%\System32\Winevt\Logs\Security.evtx) using Event Id 4688.
    But if I only have the RunspaceId of a PowerShell instance, is there any way to find its ProcessId using any of the Windows logs? The end goal is to connect the RunspaceIds of the parent PowerShell instance and the child instance. Is there any way to do this? Either through the process id method or some other method that I'm missing?
    PS: I realize that you can find the process Id of a PowerShell using $PID when it's open. But I'm talking about finding it using Windows logs, when no one has used the $PID variable during execution.
    I'm using PowerShell 5.1 on Windows 10. I have advanced logging enabled.
    Any help would be appreciated.

  • #114025

    Participant
    Points: 884
    Helping Hand
    Rank: Major Contributor

    @Deep – Did you get the solution for this? If so, please share it with us, which will be helpful for others; else please update this thread with the latest update.

  • #114040

    Participant
    Points: 321
    Helping Hand
    Rank: Contributor

    No, $PID is not recorded to these logs this way. If this is the kind of thing you are trying to correlate or join, it's something you have to do directly, by creating your own event logs for your scripts and writing to them the info you are after/want, or doing the same to any existing log.

    https://blogs.technet.microsoft.com/heyscriptingguy/2013/02/01/use-powershell-to-create-and-to-use-a-new-event-log

    https://blogs.technet.microsoft.com/heyscriptingguy/2013/06/20/how-to-use-powershell-to-write-to-event-logs

    I've been a firm believer since my full-time dev days that all devs should have their own event logs that are centralized for correlation / SIEM efforts. I have carried this forward with all scripting efforts I've done, since it was made possible in the VBS days.

    All this is similar to getting the PID of remote sessions.

    • #114189

      Participant
      Points: 0
      Rank: Member

      Thank you for the very valuable input. I now understand that it is not possible to connect the Process ID with the Runspace ID using native Windows logs. The links you have provided regarding custom logs are really interesting, but here's my problem:

      If I'm the one running a script, then I can add a line to my script that'll write the required information like PID to the custom log, but what if I want to know the PID of any script that is executed on my machine?

      Is there any way to execute the piece of script (that'll log PID) in every new Runspace before any other script/command is executed there?

      I've heard about the profile script that's loaded when a PowerShell instance gets started; maybe we can include this line of code in my profile script. But will it get executed in every new Runspace? And more importantly, what if someone is executing a script using the -noprofile flag? Then the profile script won't be loaded, as far as I understand, right?

      So is there any way to force the custom log line (that'll log PID) to run in every new Runspace before any other command?

  • #114321

    Participant
    Points: 321
    Helping Hand
    Rank: Contributor

    As for ...

    "I've heard about the profile script that's loaded when a PowerShell instance gets started"

    … There are 2 of these, 3 if you install VSCode and run stuff using it.

    • Microsoft.PowerShell_profile.ps1 for the console host, which is also loaded in VSCode.
    • Microsoft.PowerShellISE_profile.ps1 for the Windows PowerShell ISE.
    • Microsoft.VSCode_profile.ps1 for the VSCode integrated console, designed as a replacement for the ISE.

    None of these exist by default. You have to create them, then configure them. You simply start the console host, the ISE and VSCode, then run this command...

    if (!(Test-Path -Path $PROFILE)) {
        New-Item -Type File -Path $PROFILE -Force
    }

    … documented here:

    https://docs.microsoft.com/en-us/powershell/scripting/core-powershell/ise/how-to-use-profiles-in-windows-powershell-ise?view=powershell-6


    Then open them in the ISE, VSCode or any other text editor to configure them as you'd like.

    See a discussion on this here:

    Persistent PowerShell: The PowerShell Profile

    You don't really need any of them, but it is a best practice to use them to set your environment up as you'd like, so that it is always the same on each startup.

    Even if you have them configured, and don't want to use them for a particular script, you simply start PS using the -NoProfile switch.

    Yet, anything in the profile(s) will always run, but remember there are several profiles to set up.
    As documented here:

    https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6
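The two replies above (write PID and RunspaceId to a custom event log; load it from the profile) put together as an added example; this is not code from the thread or the linked posts. The log name 'PSAudit', source 'PSRunspace' and event ID 1000 are assumptions, and the one-time New-EventLog registration needs an elevated session. Calling Write-RunspaceAudit from $PROFILE records every new host process, subject to the -NoProfile caveat the thread already notes.

```powershell
# Added example (not from the thread): record PID, parent PID and RunspaceId
# in a custom event log so they can later be joined with 4104/4688 events.
# Log and source names are assumptions; registration needs elevation once.
$LogName = 'PSAudit'
$Source  = 'PSRunspace'

try {
    # SourceExists may throw for non-admins; report rather than hide that.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName $LogName -Source $Source
    }
} catch {
    Write-Warning "Cannot verify/register event source '$Source': $_"
}

function Write-RunspaceAudit {
    # One entry tying this process to its runspace and parent process.
    $rs   = [System.Management.Automation.Runspaces.Runspace]::DefaultRunspace
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $PID"
    $msg  = @(
        "ProcessId=$PID",
        "ParentProcessId=$($proc.ParentProcessId)",
        "RunspaceId=$($rs.InstanceId)",
        "CommandLine=$($proc.CommandLine)"
    ) -join "`n"
    Write-EventLog -LogName $LogName -Source $Source -EventId 1000 `
        -EntryType Information -Message $msg
}

function Get-RunspaceProcessMap {
    # Parse the entries back into objects ready to join against 4688/4104.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source } `
        -ErrorAction SilentlyContinue | ForEach-Object {
        $kv = @{}
        foreach ($line in ($_.Message -split "`r?`n")) {
            if ($line -match '^(\w+)=(.*)$') { $kv[$Matches[1]] = $Matches[2] }
        }
        [pscustomobject]@{
            TimeCreated     = $_.TimeCreated
            RunspaceId      = $kv['RunspaceId']
            ProcessId       = [int]$kv['ProcessId']
            ParentProcessId = [int]$kv['ParentProcessId']
        }
    }
}

Write-RunspaceAudit
Get-RunspaceProcessMap | Sort-Object TimeCreated -Descending | Select-Object -First 5
```

The ParentProcessId column is what links a child PowerShell back to its parent's entry, and ProcessId is what you match against the New Process ID field of a Security 4688 event.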
