SSITAProcessInfo.ps1
# SSITAProcessInfo.ps1
# Collects, for a fixed list of Windows services / drivers / processes, their
# status, start mode, host process(es), start times (absolute, relative to now
# and relative to the last boot) and any threads whose wait reason is
# "Suspended", then shows the table in Out-GridView.

# Suppress non-terminating errors script-wide (e.g. access denied when reading
# the StartTime of a protected process). Side effect: a query that failed is
# indistinguishable from one that returned nothing, so affected fields simply
# stay at their "//" placeholder.
$ErrorActionPreference = "SilentlyContinue";

# Last OS boot time; reference point for every "boot relative" interval.
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime;
function TimeRelToStartString {
    <#
    .SYNOPSIS
    Describes how much time has elapsed between $time and the current clock.
    .PARAMETER time
    The earlier point in time.
    .OUTPUTS
    [string] as produced by TimeConfrontString for the interval $time .. now.
    #>
    param ([DateTime]$time)
    $now = Get-Date
    return (TimeConfrontString $time $now)
}
function TimeRelToBootString {
    <#
    .SYNOPSIS
    Describes how much time passed between the last OS boot and $time.
    .PARAMETER time
    The later point in time (typically a process StartTime).
    .OUTPUTS
    [string] as produced by TimeConfrontString for the interval boot .. $time.
    .NOTES
    Reads the script-level $boot (Win32_OperatingSystem.LastBootUpTime).
    #>
    param ([DateTime]$time)
    $bootTime = $boot
    return (TimeConfrontString $bootTime $time)
}
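function TimeConfrontString {
    <#
    .SYNOPSIS
    Formats the interval between two points in time as readable text.
    .PARAMETER time
    Start of the interval.
    .PARAMETER time2
    End of the interval; the result describes $time2 - $time.
    .OUTPUTS
    [string] such as "1 days, 2 hours, 3 minutes, 4.050 seconds". The days,
    hours and minutes parts appear only when non-zero; the seconds part is
    always present.
    .NOTES
    No sign handling: if $time2 precedes $time the components are negative
    (the callers always pass the earlier time first).
    #>
    param(
        [DateTime]$time,
        [DateTime]$time2
    )
    $span = $time2 - $time
    $parts = @()
    if ($span.Days)    { $parts += "$($span.Days) days" }
    if ($span.Hours)   { $parts += "$($span.Hours) hours" }
    if ($span.Minutes) { $parts += "$($span.Minutes) minutes" }
    # Zero-pad the milliseconds: 3 s + 5 ms must read "3.005", not "3.5".
    $parts += ('{0}.{1:D3} seconds' -f $span.Seconds, $span.Milliseconds)
    return ($parts -join ', ')
}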
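# Wall-clock start of the scan; reported as "Elapsed Time" in the grid title.
$starttime = (Get-Date);
$result = [System.Collections.ArrayList]@();

# CDPUserSvc carries a per-session suffix (CDPUserSvc_xxxxx), so its real
# name is resolved by wildcard rather than hard-coded.
$cdpu = Get-Service | Where-Object { $_.Name -like "CDPUserSvc_*" };
#processes to add maybe AggregatorHost WmiPrvSE taskhostw nvcontainer SearchHost StartMenuExperienceHost CHXSmartScreen SmartScreen OpenWith (maybe conhost consent)
# Names of the services, kernel drivers and plain processes to inspect.
# The pipeline flattens $cdpu.Name (which may be $null, one name or several)
# and drops empty entries, so Get-Service / Get-Process are never called
# with an empty or nested name.
$servicenames = @(
    @("AHCache","Appinfo","AUEPLauncher","BAM","BFE",$cdpu.Name,"CryptSvc","CTFMon","DiagTrack","Dnscache","DPS","DusmSvc","EventLog","Explorer","InventorySvc","MDCoreSvc","mpsdrv","mpssvc","Ndu","PcaSvc","PlugPlay","Schedule","SIHost","StorSvc","SysMain","volsnap","WdFilter","WdNisDrv","WinDefend","WSearch") |
        ForEach-Object { $_ } |
        Where-Object { $_ }
);
#other services too $servicenames="AHCache","Appinfo","AUEPLauncher","BAM","BFE","CryptSvc","CTFMon","DiagTrack","Dnscache","DPS","DusmSvc","EventLog","Explorer","InventorySvc","MDCoreSvc","mpsdrv","mpssvc","Ndu","PcaSvc","PlugPlay","Schedule","SgrmAgent","SgrmBroker","SIHost","StorSvc","swprv","SysMain","vmicvss","volsnap","VSS","VSStandardCollectorService150","W32Time","WdBoot","WdFilter","WdNisDrv","WinDefend","WSearch"

Write-Host -ForegroundColor DarkRed "STARTING THE WMI REQUEST...`nIt should take less than 1 second; if the request takes too long, one or more services are likely suspended, or their main thread is suspended."
# Win32_Service lists user-mode services only; kernel drivers in $servicenames
# are absent from this result and are classified as "Driver" below.
$services = Get-WmiObject win32_service | Where-Object { $_.Name -in $servicenames };
if ($services) {
    Write-Host -ForegroundColor Green "WMI Request completed successfully!!"
} else {
    Write-Host -ForegroundColor Red "The WMI Request returned no results. Information related to the services process will not be provided."
}

foreach ($name in $servicenames) {
    # One output row per entry; "//" marks "not available / not applicable".
    $ogg = [PSCustomObject]@{
        Name = $name;
        Status = $null;
        Type = $null;
        "Start Mode" = $null;
        "Process Name" = "//";
        PID = "//";
        "Start Time" = "//";
        "Relative Start Time" = "//";
        "Boot Relative Start Time" = "//";
        "Suspended Threads" = "//";
    }
    $processi = $null; $service = $null; $wmisv = $null;
    Write-Host -ForegroundColor Blue "Checking $name"
    $service = Get-Service $name;
    if ($service) {
        $ogg."Start Mode" = $service.StartType;
        $ogg.Status = $service.Status;
        $wmisv = $services | Where-Object { $_.Name -eq $name }
        if ($wmisv) {
            $ogg.Type = "Service";
            # ProcessId is 0 while the service is not hosted by a process
            # (e.g. StartPending); Get-Process -Id 0 would return "Idle"
            # and misattribute it to the service.
            if ($ogg.Status -ne "Stopped" -and $wmisv.ProcessId -gt 0) {
                $processi = Get-Process -Id $wmisv.ProcessId;
            }
        } else {
            # Known to the SCM but not a Win32_Service: treated as a kernel
            # driver; no process information is collected for it.
            # NOTE: if the WMI query above returned nothing at all, every
            # service ends up here and is labelled "Driver".
            $ogg.Type = "Driver";
        }
    } else {
        # Not a service: look for a plain process of that name.
        $processi = Get-Process $name;
        if ($processi) {
            $ogg.Type = "Process";
            $ogg.Status = "Running";
            $ogg."Start Mode" = "??"
        } else {
            Write-Host -ForegroundColor DarkRed "PROCESS $name NOT FOUND --> STOPPED OR UNEXISTING"
            $ogg.Type = "Process";
            $ogg.Status = "Stopped";
        }
    }
    if ($processi) {
        # Several processes may share a name; one line per process, oldest first.
        $processi = $processi | Sort-Object StartTime
        $ogg.PID = $processi.Id -join "`n";
        $ogg."Process Name" = $processi.Name -join "`n";
        $ogg."Start Time" = $processi.StartTime -join "`n";
        $ogg."Relative Start Time" = ($processi | ForEach-Object { "Process has been running for " + (TimeRelToStartString $_.StartTime) }) -join "`n"
        $ogg."Boot Relative Start Time" = ($processi | ForEach-Object { TimeRelToBootString $_.StartTime }) -join "`n"
        $threads = $processi.Threads;
        # ProcessThread.WaitReason throws unless the thread is in the Wait
        # state; check ThreadState first instead of relying on error
        # suppression to hide the exception.
        $susthreads = $threads | Where-Object { $_.ThreadState -eq "Wait" -and $_.WaitReason -eq "Suspended" }
        <#$processi|ForEach-Object{
        $m=$_.MainModule
        if($m){
        # description fileversionifo ecc.. also size in fileversion info original name ecc..
        $fl=$_.Path.tolower()
        $ofl=$m.Filename.tolower()
        Write-Host "$fl $ofl"
        if($fl -ne $ofl){
        Write-Host -ForegroundColor Red "Filepath mismatch found:`nOriginal filepath --> $ofl`nCurrent filepath --> $fl"
        }
        }else{
        Write-Host -ForegroundColor Red "I'm not able to find the main module for $($_.Name)"
        }
        }#>
        if ($susthreads) {
            $ids = $susthreads.Id -join ', '
            Write-Host -ForegroundColor Red "Found suspended threads for $name - $($ogg."Process Name") $($susthreads.Count)/$($threads.Count):", $ids;
            $ogg."Suspended Threads" = $ids
        }
    }
    $result.Add($ogg) | Out-Null
}

$result = $result | Sort-Object "Start Time", Status, Type
#$result|ft -a
$result | Out-GridView -Title "SSITA Service Informer | Developed by KernelCore (https://discord.gg/ssita) | Elapsed Time: $(TimeRelToStartString $starttime) - Boot RelTime: $(TimeRelToStartString $boot)";
# Keep the console open until the operator presses Enter.
Read-Host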