使用Register-WmiEvent通知脚本何时开始执行

Question

I'm totally new to PS and I've been trying to come up with a way to detected when a script, say Foo.(ps1 | pl | py | bar) begins execution so that I may run a powershell script upon that event. I've started with using the following example from MSDN and I've added an if statement to filter everything except PS executions.

$Query = 'SELECT * FROM Win32_ProcessStartTrace'            
$action = {            
    $e = $Event.SourceEventArgs.NewEvent 
    if($e.ProcessName -eq "powershell.exe") {           
        $fmt = 'ProcessStarted: (ID={0,5}, Parent={1,5}, Time={2,20}, Name="{3}")'            
        $msg = $fmt -f $e.ProcessId, $e.ParentProcessId, $event.TimeGenerated, $e.ProcessName            
        Write-host -ForegroundColor Red $msg            
    }
}            
Register-WmiEvent -Query $Query -SourceIdentifier ProcessStart -Action $Action  

The code now detects when powershell instance is started, but I haven't found a way to access and filter the arguments passed to the instance. I would like to ensure that I only take action for the Foo script not any other PS script. Is there a way to access the arguments for the started powershell process?

Answer 1

Give this a try, you can try to match your script against the CommandLine property of the new process:

Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance isa 'Win32_Process'" -SourceIdentifier NewPSProcess -Action {
    $e = $EventArgs.NewEvent.TargetInstance
    if($e.Name -eq 'powershell.exe')
    {
        #if($e.CommandLine -match 'yourScript') { ... }
        Write-host $e.CommandLine
    }
}

sleep 5
powershell -file c:\test.ps1

UPDATE
Here's an update code that captures only powershell.exe process creation (on the query level) and writes the commandLine value to a text file. I was able to view all powershell process creations (made from cmd) written to the file.

$query = 'Select * From __InstanceCreationEvent Within 2 Where TargetInstance Isa "Win32_Process" And TargetInstance.Name = "powershell.exe"'
Register-WMIEvent -Query $query -SourceIdentifier NewPSProcess -Action {
   $EventArgs.NewEvent.TargetInstance.CommandLine | Out-File D:\scripts\temp\psevent.txt -Append
}