
I have 2 questions regarding the code below:

Question 1:

For some unknown reason, the following code does not retrieve information from certain processes. However, it manages to recover the SHA256. Could you please explain this behavior and how to fix it?

```
Path is Null
WmiPrvSE
- [(PID=5356) () Description=]
-- Path="None (SHA256=AD938C303F12EA8D164433CC7BA46FC7B9AE00F6F899E308D4317DAB46E25642)

-----
Get-FileHash : Impossible de lier l'argument au paramètre « Path », car il a la valeur Null.
Au caractère C:\Users\LEFBE\Desktop\Klic-20-12-2021\Process.ps1:4 : 33
+ $FileHash = (Get-FileHash -Path $_.Path -Algorithm SHA256 -ErrorActio ...
+                                 ~~~~~~~
    + CategoryInfo          : InvalidData : (:) [Get-FileHash], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Get-FileHash
```

Question 2:

I'm having trouble retrieving the command line launched by the process. Could you please help me to get this information?

The code:

```powershell
Get-Process | ForEach-Object {
    $Name = $_.Name
    $Desc = $_.Description
    $FileHash = (Get-FileHash -Path $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).hash
    $ID = $_.ID
    $Path = $_.Path
    $CP = $_.Company
    $CL = $_.Commandline

    if ($Path -eq $null)
    {
        Write-Host "Path is Null"
        $Path = "None"
        Write-Host "$Name"
        Write-Host "- [(PID=$ID) ($CP) Description=$Desc]"
        Write-Host "-- Path=""$Path (SHA256=$FileHash)"
        Write-Host $CL
        Write-Host "-----"
    }
    else
    {
        Write-Host "$Name"
        Write-Host "- [(PID=$ID) ($CP) Description=$Desc]"
        Write-Host "-- Path=""$Path (SHA256=$FileHash)"
        Write-Host $CL
        Write-Host "-----"
    }
}
```

Update 23/12/2021

The updated code works better than the first (it manages a null `$Path` value). On the other hand, no command line can be obtained yet.

```powershell
Get-Process | ForEach-Object {
    $Name = $_.Name
    $Desc = $_.Description
    $ID = $_.ID
    $Path = $_.Path
    $CP = $_.Company
    $CL = $_.Commandline

    if ([string]::IsNullOrEmpty($Path)) {
        $Path = "None"
        $FileHash = "None"
        Write-Host "$Name"
        Write-Host "- [(PID=$ID) ($CP) Description=$Desc]"
        Write-Host "-- Path=""$Path (SHA256=$FileHash)"
        Write-Host $CL
        Write-Host "-----"
    } else {
        $FileHash = (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).hash
        Write-Host "$Name"
        Write-Host "- [(PID=$ID) ($CP) Description=$Desc]"
        Write-Host "-- Path=""$Path (SHA256=$FileHash)"
        Write-Host $CL
        Write-Host "-----"
    }
}
```

Thanks for your help, LEFBE

  • [`$null` should be on the left side of the equality comparison](https://stackoverflow.com/a/60996703/1701026) – iRon Dec 22 '21 at 11:11
  • Like that: `($null -eq $Path)`? If yes, the same error as in question 1 appears – LEFBE Dec 22 '21 at 11:24
  • Yes, also use the [`-LiteralPath`](https://stackoverflow.com/a/60177977/1701026) parameter – iRon Dec 22 '21 at 11:40
  • These are two known PowerShell gotchas. From a Windows point of view, I question whether you always have access to the `.path` property/file. – iRon Dec 22 '21 at 11:56
  • @iRon: Not sure if it's here that I need to add LiteralPath; is it correct? - `(Get-FileHash -LiteralPath $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).hash` – LEFBE Dec 22 '21 at 12:34
  • @LEFBE - i suspect that you are seeing a _leftover_ value. try clearing the `$FileHash` variable before you try to set it. ///// also, why don't you test for the `$_.Path` value BEFORE you try to use it? [*grin*] ///// also also, the `$_.Path` value is hidden for a large number of processes when you grab the info _without_ admin privs. plus, there are still some that will not report the path at all. – Lee_Dailey Dec 22 '21 at 13:08
  • @Lee_Dailey I've updated the original code with your suggestion and it works as expected. I'm trying to find a way to address the second part of my question regarding command line information. Thanks to you and iRon :) – LEFBE Dec 23 '21 at 09:19
  • @LEFBE - kool! [*grin*] glad to have helped a little bit ... – Lee_Dailey Dec 23 '21 at 15:00

1 Answer


You can use a calculated property with `Select-Object` to generate your new object. As for "having trouble retrieving the command line", I'm assuming you're unable to capture the output of your script with `Out-File` or similar. This is because `Write-Host` sends the output to the Information Stream and its output can't be captured unless redirected (`6>&1`).

```powershell
Get-Process | Select-Object Name, Description, @{
    Name = 'Hash'
    Expression = { (Get-FileHash $_.Path -Algorithm SHA256).Hash }
}, ID, Path, Company, CommandLine
```

Santiago Squarzon
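
The inventory the question is after, written as an added example that is not part of the question or of the answer above: it reads `CommandLine` and `ExecutablePath` from the CIM class `Win32_Process`, tests the path before hashing, and emits objects instead of `Write-Host` text. The function name `Get-ProcessInventory` is hypothetical, and both fields can still come back empty for protected processes or when run without elevation.

```powershell
# Added example: process inventory built on Win32_Process (CIM).
# Get-ProcessInventory is a hypothetical name, not an existing cmdlet.
function Get-ProcessInventory {
    [CmdletBinding()]
    param()

    # A binary that backs many processes (svchost.exe, ...) is hashed only once.
    $hashCache = @{}

    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $path        = $_.ExecutablePath
        # Reset per iteration so no value is left over from the previous process.
        $hash        = $null
        $company     = $null
        $description = $null

        # Test the path BEFORE using it: it is null when access is denied.
        if (-not [string]::IsNullOrEmpty($path)) {
            if (-not $hashCache.ContainsKey($path)) {
                # -LiteralPath keeps [ ] and * in a path from being read as wildcards.
                $hashCache[$path] = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
            $hash = $hashCache[$path]

            $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            if ($file) {
                $company     = $file.VersionInfo.CompanyName
                $description = $file.VersionInfo.FileDescription
            }
        }

        # Objects go to the success stream, so they can be filtered or exported.
        [pscustomobject]@{
            Name        = $_.Name
            Id          = $_.ProcessId
            ParentId    = $_.ParentProcessId
            Company     = $company
            Description = $description
            Path        = $path
            SHA256      = $hash
            CommandLine = $_.CommandLine
        }
    }
}

# Show the processes whose path could not be read, then export the full inventory.
Get-ProcessInventory | Where-Object { -not $_.Path } | Format-Table Name, Id, ParentId
Get-ProcessInventory | Export-Csv -Path .\process-inventory.csv -NoTypeInformation
```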