Finding Hidden PowerShell Applications

The most widely known PowerShell hosts are certainly powershell.exe and powershell_ise.exe because they ship out-of-the-box. However, there can be many more (and hidden) PowerShell hosts running. Any software that instantiates the PowerShell engine is a PowerShell host. This could be Visual Studio Code (with the PowerShell extension installed), Visual Studio, or any other similar software.

To find out all currently running PowerShell hosts, run this:

Get-ChildItem -Path "\.pipe" -Filter '*pshost*' |
    ForEach-Object {
        $id = $_.Name.Split('.')[2]
        if ($id -ne $pid)
        {
            Get-Process -ID $id
        }
    }

The result may look like this:

 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName                                      
-------  ------    -----      -----     ------     --  -- -----------                                      
   1131     101   628520      42440             11216   0 SupportAssistAgent                               
   1011      82   269920     299208      85,30  17420   1 powershell_ise                                   
    520      29    68012      75880       1,23  33532   1 powershell                                       
    590      31    69508      77712       2,02  36636   1 powershell                                       
    545      27    67952      76668       1,14  37584   1 powershell                                       
   4114     654   801136     965032     129,69  28968   1 devenv    
 

“SupportAssistAgent” was opened by Visual Studio Code, and “devenv” represents the internal PowerShell host launched by Visual Studio.


Twitter This Tip! ReTweet this Tip!

GD Star Rating
loading...