Have you ever had a requirement to see when a process was started? I come across this requirement often. Every time, I use Process Explorer to fetch this data, but today I decided to write my own PowerShell function.
The Get-Process cmdlet will not provide you any details about process creation time. You need to rely on a WMI query against the Win32_Process class for this information. So, here is the code.
function Get-ProcessCreationTime {
    param(
        [string]$Name,
        $Processid,
        $computer = $env:COMPUTERNAME
    )
    # Look up by image name (for example notepad.exe) and convert the WMI datetime string
    if ($Name) {
        ([wmi]"").ConvertToDateTime((gwmi -Class Win32_Process -computer $computer -Filter "Name='$Name'").CreationDate)
    }
    # Look up by process ID; Win32_Process exposes the PID as the string property Handle
    if ($Processid) {
        ([wmi]"").ConvertToDateTime((gwmi -Class Win32_Process -computer $computer -Filter "handle='$Processid'").CreationDate)
    }
}
Usage:
    Get-ProcessCreationTime -Name notepad.exe
    Get-ProcessCreationTime -ProcessId 1234
Use the -Computer parameter if you want to query process creation time from a remote computer.
Note: Currently this function does not support more than one instance of a given process. For example, it might throw errors if multiple notepad processes are running on the computer and you query for the notepad.exe process creation time. In such a case I prefer using the -ProcessID parameter. Soon I will update this function to handle multiple processes as well.
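One way to handle the multiple-instance case described in the note, as an added example that is not the author's code. It uses Get-CimInstance, which returns CreationDate as a DateTime and yields one object per matching process; the function name Get-ProcessCreationTimeAll and its parameter names are hypothetical.

```powershell
function Get-ProcessCreationTimeAll {   # hypothetical name, not from the original post
    [CmdletBinding()]
    param(
        [string]$Name,
        [int[]]$ProcessId,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Build the WQL filter. Backslashes and single quotes in the name are
    # escaped so the value stays inside the string literal of the query.
    $clauses = @()
    if ($Name) {
        $safe = $Name.Replace('\', '\\').Replace("'", "\'")
        $clauses += "Name='$safe'"
    }
    if ($PSBoundParameters.ContainsKey('ProcessId')) {
        $ids = ($ProcessId | ForEach-Object { "ProcessId=$_" }) -join ' OR '
        $clauses += "($ids)"
    }

    $query = @{ ClassName = 'Win32_Process'; ErrorAction = 'Stop' }
    if ($clauses) { $query.Filter = $clauses -join ' AND ' }
    # Pass -ComputerName only for remote targets; doing so routes the query over WinRM.
    if ($ComputerName -ne $env:COMPUTERNAME) { $query.ComputerName = $ComputerName }

    # One output object per matching process, oldest first.
    Get-CimInstance @query | ForEach-Object {
        [pscustomobject]@{
            ComputerName    = $ComputerName
            Name            = $_.Name
            ProcessId       = $_.ProcessId
            ParentProcessId = $_.ParentProcessId
            CreationTime    = $_.CreationDate   # already a DateTime, no ConvertToDateTime needed
            CommandLine     = $_.CommandLine
        }
    } | Sort-Object CreationTime
}

# Every running notepad.exe instance, with its start time
Get-ProcessCreationTimeAll -Name notepad.exe
# Several PIDs in one query
Get-ProcessCreationTimeAll -ProcessId 1234, 5678
```

Including ParentProcessId and CommandLine next to the creation time makes the output usable for triage: the start order and the parent of each instance are visible in a single table.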
Hope this helps…. Happy learning…