2

I have made a PowerShell script to report hourly/daily current running processes via email excluding known processes.

I now want to make this easier to update with new processes added to a list.

Below is an example of the current script:

$Yday = (Get-Date).AddDays(-1)
$pros = Get-Process | Where {($_.StartTime -GT $Yday -and $_.ProcessName -notmatch "chrome|outlook|powershell")}

Output of $pros will contain the results of processes started in the last 24 hours minus the processes chrome, outlook and powershell.

I would like to achieve:

A file called "Known_Processes.txt" containing a list of processes like

chrome
outlook
powershell

Then using the following script to create the same string of text used to pass through as a filter in the where statement.

$Yday = (Get-Date).AddDays(-1) 
[string]$Known_Processes = (Get-Content -Path C:\PS\known_processes.txt | Out-String).Replace("`n", "|").TrimEnd("|")
$pros = Get-Process | Where {($_.StartTime -GT $Yday -and $_.ProcessName -notmatch $Known_Processes)}

The output of this will show all processes including the processes I am trying to filter out even though the variable $known_processes is the same value as "chrome|outlook|powershell".

I have tried searching and the only alternative to getting this to work is to use regex. Whilst I could do this, my fear is that other admins who do not have PowerShell knowledge could make mistakes when attempting to update the where statement, whereas it would be easier for them to insert process names into a text file as a list.

4 Answers 4

1
# Making a file called Known_Processes.txt
@'
chrome
outlook
powershell
'@ | Set-Content Known_Processes.txt

# Main action performed
$Yesterday = (Get-Date).AddDays(-1)
$Known_Processes = Get-Content Known_Processes.txt
Get-Process | Where-Object -Property ProcessName -NotIn -Value $Known_Processes | Where-Object -Property StartTime -GT -Value $Yesterday

# Removing file for cleanup
Remove-Item Known_Processes.txt

This gets me the following output:

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    145      11     6676      11004       0.13  10120   0 audiodg
    106      10     5240       7000       0.08   4680   1 conhost
    731      70   181276     213872     391.86   9472   1 Google Play Music Desktop Player
    348      37    52764      59612     322.28  10408   1 Google Play Music Desktop Player
    174      13     4944      12980       0.06  11028   1 Google Play Music Desktop Player
    966      77    62064     107048     357.63  13040   1 Google Play Music Desktop Player
    180      13     2088        764       0.19   2164   0 GoogleUpdate
    112       8     1468       6524       0.03  11452   1 LPlatSvc
    231      12     3364       9460       0.06   9872   0 MpCmdRun
   1174      44   170640     137568      19.34  13104   1 mstsc
    364      18     8612      17488       0.61   1456   0 policyHost
   1177     105   309768     367660     128.64  13920   1 powershell_ise
    994      68    72328      66172       3.69   1760   1 SearchUI
     93       7     1668       6396       0.03   2120   0 svchost
   1307     125   393556     381216   1,529.28   5172   1 Teams
   1132      63    80672      95644     175.88   7316   1 Teams
    331      25    38372      38020       0.78  13072   1 Teams
    376      25    71736      69744      24.83  13260   1 Teams
    312      24    36872      34264       0.48  14120   1 Teams
     98       7     1636       6508       0.02  13628   0 TrustedInstaller
    511      34    42220      63268       1.20  13044   1 WINWORD

7 Comments

oh yeah, my bad, get-process accepts array, this is definitely better
Hi Shawn, I think this is doing the opposite of what I would like to achieve, as it is only outputting the known processes, whereas I would like the output of get-process minus the known processes. Thanks
@CraftyB Sure. Updated
@ShawnEsterman I have tried the updated version; it's now not filtering the processes at all. Thanks
@ShawnEsterman I am using PS Version 5.1, if that would make any difference?
1

You can do this nicely as a single line:

$pros = Get-Process | ? {( $_.StartTime -GT $(Get-Date).AddDays(-1) -and $_.ProcessName -notmatch $([String]::Join("|",$(Get-Content -Path C:\PS\known_processes.txt))) )}

Or to basically mirror your original thought if it's easier to read:

$Yday = (Get-Date).AddDays(-1) 
$Excludes = [String]::Join("|",$(Get-Content C:\PS\known_processes.txt))

$pros = Get-Process | ? {( $_.StartTime -GT $Yday -and $_.ProcessName -notmatch $Excludes )}

Example Output of both:

PS C:\Admin> Get-Process | Where {( $_.StartTime -GT $Yday -and $_.ProcessName -notmatch $Excludes )}

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
     21       5     2192       3168    44     0.00   9272 cmd
     54       7   198000     202140   251     2.78   4184 conhost
     53       7     5352       9176    63     0.12   5204 conhost
    100       9     2540       7100    49     0.00  15952 msiexec
    868      35    44628      58828   210     3.39  12156 mstsc
    913      35   202060     202688   351    17.18  14464 mstsc
     90       8     2320       6616    52     0.03  15168 taskeng
    194      21    36852      28332   274     0.20   5912 Teams
    247      24    37268      56412   796     0.44   7328 Teams
    863      62    70624     109184   916     9.72   9816 Teams
    246      24    39908      56496   790     0.41  11816 Teams
    971      98   299508     316804  1759    32.82  13144 Teams


PS C:\Admin> Get-Process | Where {( $_.StartTime -GT $(Get-Date).AddDays(-1) -and $_.ProcessName -notmatch $([String]::Join("|",$(Get-Content C:\PS\known_processes.txt))) )}

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
     21       5     2192       3168    44     0.00   9272 cmd
     54       7   198000     202144   251     2.81   4184 conhost
     53       7     5352       9176    63     0.12   5204 conhost
    100       9     2512       7084    48     0.00  15952 msiexec
    868      35    44628      58828   210     3.39  12156 mstsc
    913      35   202060     202688   351    17.19  14464 mstsc
    194      21    36852      28332   274     0.20   5912 Teams
    247      24    37268      56412   796     0.44   7328 Teams
    869      63    70664     109208   917     9.80   9816 Teams
    246      24    39908      56496   790     0.41  11816 Teams
    971      98   299064     315856  1761    33.13  13144 Teams

After chatting with you in the comments below, here is your original "replace" code working, by replacing `r`n instead of `n. As in the comments below, Join is really the better option, as it is intended to join strings by replacing the EOL characters.

$Yday = (Get-Date).AddDays(-1) 
[string]$Known_Processes = (Get-Content -Path known_processes.txt | Out-String).Replace("`r`n", "|").TrimEnd("|")

$pros = Get-Process | Where {( $_.StartTime -GT $Yday  -and $_.ProcessName -NotMatch $Known_Processes )}

Hope that helps :)

Note: This version is PowerShell 2.x through 5.x compliant, as it uses "NotMatch" instead of "NotIn"; "-NotIn" was not originally a supported operand for Where.

6 Comments

Nicely done. I am still learning the basics of PowerShell. Just out of curiosity, how/why does this work, and why is it not essentially the same as replacing the new lines with pipes, the same as the join method? I ask this as I wasn't aware of the join method. I would upvote but not high enough rep yet. Thanks
"Join" is made specifically to deal with the nuances of joining strings by removing the EOL (End of Line) character(s). For most intents and purposes you could have amended your original code to use `r`n for the same result, since your source file was from Windows. If the source file was UNIX then `n, as you had, would typically work, while some systems only use `r. -Join was created specifically for handling this; it will take the guesswork out of the process of parsing the EOL and make the result consistent. (It's also much easier on the eyes to parse the join than the replace.)
Not sure why but stack exchange is treating back as a code indicator and so far I'm not figuring out how to escape it correctly ` -- ahh, figured it out, good 'ol backslash :)
Here is your original code working with the replace, but it is clearer and quicker to use the join. [string]$KP2 = (Get-Content -Path known_processes.txt | Out-String).Replace("`r`n", "|").TrimEnd("|") Then matching works: Get-Process | Where {( $_.StartTime -GT $(Get-Date).AddDays(-1) -and $_.ProcessName -match $KP2 )}
Anyway, if useful, don't be afraid to give my answer an upvote :)
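Two pitfalls run through this thread: the Out-String/Replace approach depends on the file's line endings, and `-notmatch` against a `|`-joined list is a regex, so any process whose name merely contains a known name (for example `chromedriver` against `chrome`) is silently dropped from the report. The added example below is not from the question or any answer; it loads the list defensively (either line ending, stray whitespace, blank lines and `#` comments tolerated) and compares names exactly with `-notin`, then contrasts that with the unanchored regex and shows how to build an anchored, escaped regex if one is still wanted. The file path under `$env:TEMP` and the sample process names are constructed assumptions.

```powershell
# Added example (not from the question or any answer). Assumes PowerShell 3+
# for -notin; the temp file path and sample process names are constructed.

function Get-KnownProcessList {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Content already splits on `r`n or `n, so no Out-String/Replace is
    # needed. Trim whitespace and drop blank lines and '#' comments so an admin
    # editing the file by hand cannot silently break the filter.
    Get-Content -Path $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') }
}

function Select-UnknownProcess {
    param(
        [Parameter(Mandatory)][object[]]$Process,   # objects with ProcessName/StartTime
        [Parameter(Mandatory)][string[]]$Known,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    # -notin is an exact, case-insensitive comparison: 'chromedriver' is not
    # treated as 'chrome', and regex metacharacters in names are irrelevant.
    $Process | Where-Object {
        $_.StartTime -gt $Since -and $_.ProcessName -notin $Known
    }
}

# Constructed list file: CRLF endings, a comment, padding and a blank line.
$listFile = Join-Path $env:TEMP 'known_processes_example.txt'
"chrome`r`n# outlook is intentionally excluded`r`noutlook`r`n  powershell  `r`n`r`n" |
    Set-Content -Path $listFile
$known = Get-KnownProcessList -Path $listFile

# Constructed stand-ins for Get-Process output so the contrast is deterministic.
$sample = @(
    [pscustomobject]@{ ProcessName = 'chrome';       StartTime = (Get-Date).AddHours(-2) }
    [pscustomobject]@{ ProcessName = 'chromedriver'; StartTime = (Get-Date).AddHours(-2) }
    [pscustomobject]@{ ProcessName = 'Teams';        StartTime = (Get-Date).AddHours(-2) }
    [pscustomobject]@{ ProcessName = 'mstsc';        StartTime = (Get-Date).AddDays(-3) }
)

"--- exact match (-notin): chromedriver is reported, chrome and the old mstsc are not"
Select-UnknownProcess -Process $sample -Known $known | Select-Object ProcessName

"--- unanchored regex (-notmatch '$($known -join '|')'): chromedriver disappears too"
$pattern = $known -join '|'
$sample | Where-Object { $_.ProcessName -notmatch $pattern } | Select-Object ProcessName

"--- anchored, escaped regex behaves like the exact match again"
$anchored = '^(?:' + (($known | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
$sample | Where-Object { $_.ProcessName -notmatch $anchored } | Select-Object ProcessName

# Against the live process table (run elevated so StartTime is readable for
# every process; non-elevated sessions get access-denied errors for some).
Select-UnknownProcess -Process (Get-Process) -Known $known

Remove-Item -Path $listFile
```

For the emailed report, `Select-UnknownProcess -Process (Get-Process) -Known $known` is the line to keep; the exact comparison means the list file can only ever hide the names written in it, which is what an allowlist maintained by several admins should guarantee.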
0

I think a better approach would be to iterate over the list of known processes:

$result = @()
$pcs = get-process
$known_process = Get-Content -Path C:\PS\known_processes.txt
$known_process | Foreach-Object {
    # note: inside .Where() $_ is the process object, not the name from the outer loop
    $result += $pcs.Where({ $_.ProcessName -ne $_ })
}

2 Comments

Ehhh, that's going to add all non-excluded processes multiple times
This wouldn't be useful; as the OP mentions, you end up with duplicates and then have to filter those. Where is very powerful in PowerShell. An alternate idea would be to filter it by date to a variable, and then use the where to filter that variable, but that is only a good alternative when you want to get a few views of the procs without re-running the query multiple times.
0

Try this:

$list=get-content c:\temp\known_processes.txt
$Yday = (Get-Date).AddDays(-1)
Get-Process | Where {($_.StartTime -GT $Yday -and $_.ProcessName -notin $list)}

Comments
