
Lab: Enumeration with PowerShell

Goals
- Determine how many processes named "svchost" are running on the system
- Learn how to quickly enumerate processes, a skill that helps during incident handling

Scenario

- We were asked to conduct a quick analysis of a Windows machine on which the svchost.exe process is present. We need to identify how many svchost.exe processes are running so we can proceed to the next step of the investigation.

Requirements
- Windows VM
- PowerShell

GUIDEM I.T. TRAINING CENTER ENUMERATION WITH POWERSHELL 1 | PAGE


Walkthrough

1. Open PowerShell

- Open a command prompt and start PowerShell.

2. Counting Processes

- For the first goal, you want to see how many processes named "svchost" are running on the host. To do this, you can use the Get-Process command to list all processes.
- If you want to see how many processes are running, you can use the pipeline and pass the output of Get-Process to the measure command (measure is the built-in alias for Measure-Object).



This will tell you how many processes are running on the host.

3. Filter Processes

- To filter the process name down, you can pipe Get-Process to Where-Object. The command might look similar to this: Get-Process | Where-Object{$_.Id -eq "380"}
- This will return any process that has a Process ID (Id) of "380".
- The $_.Id part in the above command references the column of the PowerShell object we are filtering on. These columns are displayed when you run Get-Process by itself. You can filter on any of these columns.



4. Answer the following

How would you go about identifying how many svchost processes are
running on the machine?

Solution

1. Open PowerShell

- "Powershell.exe" is located in
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", or
use the Start menu to search for PowerShell

2. List Processes

- To list the processes on the host, you can use
- Get-Process

3. Filter Processes

- To filter the process name down, you can pipe Get-Process to Where-Object. The command might look similar to this:
- Get-Process | Where-Object{$_.Id -eq "360"}
- Since we want any processes named "svchost", we want our command to be:
- Get-Process | Where-Object{$_.ProcessName -eq "svchost"}

Remember, $_ represents the current object in the PowerShell pipeline.



4. Filter and count SVCHOST Processes

- Great, so we are able to filter all the processes down to just svchost. Now we need to count them. To do this, you can pipe the previous command to the measure command. The measure command will simply return the number of objects that match our filter. The final command will look like this:
- Get-Process | Where-Object{$_.ProcessName -eq "svchost"} | measure

This tells us that there are 14 processes named 'svchost' on the Windows machine.
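The following script is an added example, not part of the original lab material, that wraps the filter-and-count procedure from steps 2 to 4 into reusable functions and generalises it to a count of every process name on the host. It assumes a Windows machine with PowerShell 5.1 or later; the function names are hypothetical and chosen for this example.

```powershell
# Added example (not the lab's own code): counting processes by name in PowerShell.
# Assumes Windows and PowerShell 5.1+. Function names below are hypothetical.

function Get-ProcessCountByName {
    param(
        [Parameter(Mandatory)]
        [string]$Name
    )
    # The lab's pipeline: Where-Object keeps only objects whose ProcessName matches
    # ($_ is the current pipeline object); Measure-Object (alias: measure) returns an
    # object whose Count property is the number of matching processes.
    $result = Get-Process | Where-Object { $_.ProcessName -eq $Name } | Measure-Object
    return $result.Count
}

function Get-ProcessCountByNameFast {
    param(
        [Parameter(Mandatory)]
        [string]$Name
    )
    # Same result using the -Name parameter of Get-Process instead of Where-Object.
    # -ErrorAction SilentlyContinue suppresses the error raised when no process of that
    # name exists; wrapping in @() guarantees a .Count of 0 in that case.
    return @(Get-Process -Name $Name -ErrorAction SilentlyContinue).Count
}

function Get-ProcessNameSummary {
    # Generalisation of the lab: count every process name at once, most frequent first.
    # Group-Object builds one group per ProcessName and exposes its size as Count.
    Get-Process |
        Group-Object -Property ProcessName |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

function Get-ProcessDetailByName {
    param(
        [Parameter(Mandatory)]
        [string]$Name
    )
    # For the "next step of investigation": list the Id and executable path of each
    # matching process, so each instance can be examined individually.
    Get-Process -Name $Name -ErrorAction SilentlyContinue |
        Select-Object -Property Id, ProcessName, Path
}

# Usage: the first two calls reproduce the lab's result (14 on the lab machine).
$count = Get-ProcessCountByName -Name 'svchost'
"svchost instances (Where-Object + Measure-Object): $count"
"svchost instances (Get-Process -Name):            $(Get-ProcessCountByNameFast -Name 'svchost')"

Get-ProcessNameSummary | Select-Object -First 10 | Format-Table -AutoSize
Get-ProcessDetailByName -Name 'svchost' | Format-Table -AutoSize
```

Note that Measure-Object returns an object, so the number itself lives in its Count property; the bare `measure` call in the lab prints that property as part of a table, while the function above returns it as a value that can be compared or logged.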
