
I have a Windows 2016 Domain Controller and every time the server is patched and restarted, a powershell process starts and consumes 100% of memory (CPU is OK).

The only thing I can do is to kill the process (if I can RDP) or reboot the server and jump onto the server quickly before the process starts.

How do I find out what kicked off the powershell process and what it is doing?

Thanks.

rka257
  • Possible dupe of https://stackoverflow.com/questions/7486717/finding-parent-process-id-on-windows – veefu Aug 18 '18 at 06:58

1 Answer


You can query wmi to figure out process details:

# Ask for the target host (use '.' or the local name for the local machine)
$ServerName = Read-Host -Prompt ComputerName

# Query Win32_Process for every running powershell.exe on that host
$gwmiArgs = @{
    Class        = 'Win32_Process'
    ComputerName = $ServerName
    Filter       = 'Name = "powershell.exe"'
}
$details = Get-WmiObject @gwmiArgs

foreach ($process in $details)
{
    # GetOwner() returns the account the process runs as (Domain and User properties)
    $owner = $process.GetOwner()
    $owner = if ($owner.Domain)
    {
        '{0}\{1}' -f $owner.Domain, $owner.User
    }
    else
    {
        $owner.User
    }

    # CommandLine shows the script or -Command/-EncodedCommand the process was started with
    @"
Process:     powershell.exe
Owner:       $owner
PID:         $($process.ProcessId)
CommandLine: $($process.CommandLine)
"@
}
Maximilian Burszley
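As an added example (not part of the original answer), a script that goes a step further than the WMI query above: for each PowerShell process it resolves the parent-process chain, owner, start time and working set, then lists scheduled tasks and process-creation audit events that could have launched it. It assumes a local Windows host with the CIM and ScheduledTasks cmdlets and, for the last step, an elevated session with process-creation auditing (event 4688) enabled.

```powershell
# Added example, not from the original answer. Assumes Windows PowerShell 5.1+
# on the local host; the 4688 query needs an elevated session and auditing on.

function Get-ParentChain {
    # Walk ParentProcessId upwards; stops when a parent has already exited.
    param([uint32]$ProcessId, [int]$MaxDepth = 5)
    $chain = @()
    $next = $ProcessId
    for ($i = 0; $i -lt $MaxDepth -and $next; $i++) {
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $next"
        if (-not $p) { $chain += "<exited pid $next>"; break }   # PID may be reused
        $chain += '{0} ({1})' -f $p.Name, $p.ProcessId
        $next = $p.ParentProcessId
    }
    $chain -join ' <- '
}

$procs = Get-CimInstance Win32_Process -Filter 'Name = "powershell.exe" OR Name = "pwsh.exe"'
foreach ($proc in $procs) {
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    [pscustomobject]@{
        PID          = $proc.ProcessId
        Owner        = if ($owner.Domain) { '{0}\{1}' -f $owner.Domain, $owner.User } else { $owner.User }
        Started      = $proc.CreationDate              # CIM converts DMTF dates to DateTime
        WorkingSetMB = [math]::Round($proc.WorkingSetSize / 1MB)
        CommandLine  = $proc.CommandLine
        ParentChain  = Get-ParentChain -ProcessId $proc.ParentProcessId
    }
}

# Scheduled tasks ('At startup' triggers) are the usual launcher of a PowerShell
# process right after a reboot; list any task whose action runs powershell/pwsh.
Get-ScheduledTask | Where-Object { $_.Actions.Execute -match 'powershell|pwsh' } | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task    = $_.TaskPath + $_.TaskName
        State   = $_.State
        LastRun = $info.LastRunTime
        Command = ($_.Actions | ForEach-Object { '{0} {1}' -f $_.Execute, $_.Arguments }) -join '; '
    }
}

# With process-creation auditing enabled, event 4688 records the creator process
# even after it has exited, which the live parent chain cannot show.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'New Process Name:\s+\S*(powershell|pwsh)\.exe' } |
    Select-Object TimeCreated, @{ n = 'Creator'; e = { ($_.Message -split "`r?`n" | Select-String 'Creator Process Name').Line.Trim() } }
```

Run it right after the next reboot, before the process is killed, so the parent chain is still intact; the scheduled-task and 4688 sections still work afterwards.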