Reputation: 746
I have made a PowerShell script to report hourly/daily current running processes via email excluding known processes.
I now want to make this easier to update with new processes added to a list.
Below is an example of the current script:
$Yday = (Get-Date).AddDays(-1)
$pros = Get-Process | Where {($_.StartTime -GT $Yday -and $_.ProcessName -notmatch "chrome|outlook|powershell")}
Output of $pros will contain the results of processes started in the last 24 hours minus the processes chrome, outlook and powershell.
I would like to achieve:
A file called "Known_Processes.txt" containing a list of processes like
chrome
outlook
powershell
Then using the following script to create the same string of text used to pass through as a filter in the where statement.
$Yday = (Get-Date).AddDays(-1)
[string]$Known_Processes = (Get-Content -Path C:\PS\known_processes.txt | Out-String).Replace("`n", "|").TrimEnd("|")
$pros = Get-Process | Where {($_.StartTime -GT $Yday -and $_.ProcessName -notmatch $Known_Processes)}
The output of this will show all processes, including the processes I am trying to filter out, even though the variable $known_processes is the same value as "chrome|outlook|powershell".
I have tried searching and the only alternative to getting this to work is to use regex. Whilst I could do this, my fear is that other admins who do not have PowerShell knowledge could make mistakes when attempting to update the where statement, whereas it would be easier for them to insert process names into a text file in a list.
Upvotes: 2
Views: 3427
Reputation: 3264
You can do this nicely as a single line:
$pros = Get-Process | ? {( $_.StartTime -GT $(Get-Date).AddDays(-1) -and $_.ProcessName -notmatch $([String]::Join("|",$(Get-Content -Path C:\PS\known_processes.txt))) )}
Or to basically mirror your original thought if it's easier to read:
$Yday = (Get-Date).AddDays(-1)
$Excludes = [String]::Join("|",$(Get-Content C:\PS\known_processes.txt))
$pros = Get-Process | ? {( $_.StartTime -GT $Yday -and $_.ProcessName -notmatch $Excludes )}
Example Output of both:
PS C:\Admin> Get-Process | Where {( $_.StartTime -GT $Yday -and $_.ProcessName -notmatch $Excludes )}
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
21 5 2192 3168 44 0.00 9272 cmd
54 7 198000 202140 251 2.78 4184 conhost
53 7 5352 9176 63 0.12 5204 conhost
100 9 2540 7100 49 0.00 15952 msiexec
868 35 44628 58828 210 3.39 12156 mstsc
913 35 202060 202688 351 17.18 14464 mstsc
90 8 2320 6616 52 0.03 15168 taskeng
194 21 36852 28332 274 0.20 5912 Teams
247 24 37268 56412 796 0.44 7328 Teams
863 62 70624 109184 916 9.72 9816 Teams
246 24 39908 56496 790 0.41 11816 Teams
971 98 299508 316804 1759 32.82 13144 Teams
PS C:\Admin> Get-Process | Where {( $_.StartTime -GT $(Get-Date).AddDays(-1) -and $_.ProcessName -notmatch $([String]::Join("|",$(Get-Content C:\PS\known_processes.txt))) )}
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
21 5 2192 3168 44 0.00 9272 cmd
54 7 198000 202144 251 2.81 4184 conhost
53 7 5352 9176 63 0.12 5204 conhost
100 9 2512 7084 48 0.00 15952 msiexec
868 35 44628 58828 210 3.39 12156 mstsc
913 35 202060 202688 351 17.19 14464 mstsc
194 21 36852 28332 274 0.20 5912 Teams
247 24 37268 56412 796 0.44 7328 Teams
869 63 70664 109208 917 9.80 9816 Teams
246 24 39908 56496 790 0.41 11816 Teams
971 98 299064 315856 1761 33.13 13144 Teams
After chatting with you in the comments below, here is your original "replace" code working by replacing the `r`n instead of `n. As in the comments below, Join is really the better option, as it is intended to join strings by replacing the EOL characters.
$Yday = (Get-Date).AddDays(-1)
[string]$Known_Processes = (Get-Content -Path known_processes.txt | Out-String).Replace("`r`n", "|").TrimEnd("|")
$pros = Get-Process | Where {( $_.StartTime -GT $Yday -and $_.ProcessName -NotMatch $Known_Processes )}
Hope that helps :)
Note: This version is PowerShell 2.x through 5.x compliant, as it uses "NotMatch" instead of "NotIn"; "-NotIn" was not originally a supported operand for where.
Upvotes: 1
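An added example, not part of the answer above or of any post on this page: -notmatch is an unanchored regex test, so a list entry such as powershell also hides powershell_ise from the report, and a blank line in the file produces an empty alternative that matches every name and empties the report. The sketch below builds an anchored, escaped pattern instead; the function name ConvertTo-ExcludePattern and the sample names are constructed for illustration.

```powershell
# Added example: build a safe exclusion pattern from a list of process names.
# ConvertTo-ExcludePattern is a hypothetical helper, not a built-in cmdlet.
function ConvertTo-ExcludePattern {
    param([string[]]$Names)

    # Drop blank lines and stray whitespace/CR characters. An empty alternative
    # ("a||b") matches every process name and would hide everything.
    $clean = @($Names | ForEach-Object { "$_".Trim() } | Where-Object { $_ })
    if ($clean.Count -eq 0) {
        # Empty list: return a pattern that matches nothing, so nothing is excluded.
        return '(?!)'
    }
    # Escape regex metacharacters and anchor both ends so that "powershell"
    # does not also exclude "powershell_ise".
    $escaped = $clean | ForEach-Object { [regex]::Escape($_) }
    return '^(?:' + ($escaped -join '|') + ')$'
}

# Constructed sample list, as Get-Content would return it (note the blank line
# and the trailing space an editor might leave behind).
$known = @('chrome', 'outlook ', '', 'powershell')
# Constructed process names standing in for Get-Process output.
$running = @('chrome', 'powershell', 'powershell_ise', 'mstsc')

$naive  = $known -join '|'
$strict = ConvertTo-ExcludePattern -Names $known

"Naive pattern : $naive"
"  reported    : " + (($running | Where-Object { $_ -notmatch $naive }) -join ', ')
"Strict pattern: $strict"
"  reported    : " + (($running | Where-Object { $_ -notmatch $strict }) -join ', ')

# In the real report:
# $Yday = (Get-Date).AddDays(-1)
# $pattern = ConvertTo-ExcludePattern -Names (Get-Content C:\PS\known_processes.txt)
# Get-Process | Where-Object { $_.StartTime -gt $Yday -and $_.ProcessName -notmatch $pattern }
```

With the naive pattern the report comes back empty; with the strict pattern only the exact names in the list are excluded, so powershell_ise and mstsc are still reported.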
Reputation: 17462
Try this:
$list=get-content c:\temp\known_processes.txt
$Yday = (Get-Date).AddDays(-1)
Get-Process | Where {($_.StartTime -GT $Yday -and $_.ProcessName -notin $list)}
Upvotes: 0
Reputation: 2342
# Making a file called Known_Processes.txt
@'
chrome
outlook
powershell
'@ | Set-Content Known_Processes.txt
# Main action performed
$Yesterday = (Get-Date).AddDays(-1)
$Known_Processes = Get-Content Known_Processes.txt
Get-Process | Where-Object -Property ProcessName -NotIn -Value $Known_Processes | Where-Object -Property StartTime -GT -Value $Yesterday
# Removing file for cleanup
Remove-Item Known_Processes.txt
This gets me the following output:
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
145 11 6676 11004 0.13 10120 0 audiodg
106 10 5240 7000 0.08 4680 1 conhost
731 70 181276 213872 391.86 9472 1 Google Play Music Desktop Player
348 37 52764 59612 322.28 10408 1 Google Play Music Desktop Player
174 13 4944 12980 0.06 11028 1 Google Play Music Desktop Player
966 77 62064 107048 357.63 13040 1 Google Play Music Desktop Player
180 13 2088 764 0.19 2164 0 GoogleUpdate
112 8 1468 6524 0.03 11452 1 LPlatSvc
231 12 3364 9460 0.06 9872 0 MpCmdRun
1174 44 170640 137568 19.34 13104 1 mstsc
364 18 8612 17488 0.61 1456 0 policyHost
1177 105 309768 367660 128.64 13920 1 powershell_ise
994 68 72328 66172 3.69 1760 1 SearchUI
93 7 1668 6396 0.03 2120 0 svchost
1307 125 393556 381216 1,529.28 5172 1 Teams
1132 63 80672 95644 175.88 7316 1 Teams
331 25 38372 38020 0.78 13072 1 Teams
376 25 71736 69744 24.83 13260 1 Teams
312 24 36872 34264 0.48 14120 1 Teams
98 7 1636 6508 0.02 13628 0 TrustedInstaller
511 34 42220 63268 1.20 13044 1 WINWORD
Upvotes: 1
Reputation: 72171
I think a better approach would be to iterate over list of known processes:
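$pcs = Get-Process
$known_process = Get-Content -Path C:\PS\known_processes.txt
# Start from every process and narrow the set once per known name
$result = $pcs
$known_process | ForEach-Object {
    # Inside .Where(), $_ is the process object, so capture the known name first
    $name = $_
    $result = $result.Where({ $_.ProcessName -ne $name })
}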
Upvotes: 0