Get-Process, basic explanation

On a Window’s based system, there are a plethora of methods to ascertain process information – task manager, namely being the common. In my time as a system administrator, I had the agenda to try to automate everything, and become as “efficient” as possible in all tasks – not a good idea! Whilst there are a number of tools readily available, I opted for the “in-built” and actively developed tool, and as such, PowerShell became my go to.

Gathering Process Information

To ascertain process running on a Windows device, you can run the following command:

Get-Process

This will simply return an unfiltered table of all running process on an end-point. Whilst useful, on a “busy” system, it’s too hard to monitor anything.

For me, I’d like to manipulate the data to perform the following:

– Sort the CPU Utilization;
– Only select the top $x process’ on the host;
– Return the Process ID, Name and CPU usage

This is quite simple to perform in a “one-liner”, or even storing it as a variable for your PowerShell Profile:

# Storing this as a variable:
$proc = Get-Process | Sort CPU -descending | Select -first 5 -Property ID,ProcessName,CPU

# Calling the above mentioned variable, as opposed to the command:
$proc

This seems like a lot of work, just to get some process information back – but when trying to fault-find, or look at compromised systems, this can be a great starting point to finding out what went wrong on a system.

The other handy thing is that you can take this data, and pipe in additional (or supplementary) commands to make things easier. For example, to make viewing easier, you could format the output as a table:

Get-Process | Sort CPU -descending | Select -first 5 -Property ID,ProcessName,CPU | Format-Table -Wide

Terminating Process with Filters

Now the fun comes into play. Using some ‘logic’ (i.e. RAM utilization) we can automatically end process we deem as non-important. Let’s say Google Chrome Update Services or OneDrive as an alternative. Of course, I’m not going to dive into detail here on how to do this – but I will supply a GitLab repository for this later.

For now, let’s assume we simply wish to kill the top 5 CPU process’ on a device in real time. The command remains the same as before, however we pipe in a Stop-Process to terminate each item.

Get-Process | Sort CPU -descending | Select -first 5 -Property ID,ProcessName,CPU | Stop-Process -Verbose

This will, unless you add parameters, prompt you for confirmation as required (because, well, we don’t necessarily trust it otherwise).

Leave a Reply