Wasif_Hasan_

ScanLegitsSvchost.ps1

Sep 10th, 2020
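  Function ScanLegitsSvcHost() {
    <#
    .SYNOPSIS
    Lists running svchost.exe processes and groups them by executable path.

    .DESCRIPTION
    Queries Win32_Process through WMI and keeps the svchost.exe entries whose
    command line is readable. Those entries are split into two groups:
    "Legit" (ExecutablePath equals <SystemRoot>\System32\svchost.exe) and
    "Illegal" (any other ExecutablePath, including an empty one). Counts and
    one table per group are written to the output, then the function waits
    for Enter.

    .NOTES
    The path comparison is a triage hint, not a verdict. A matching path does
    not verify the file's signature, its parent process or its service group,
    and a non-matching path is not by itself proof of malware. Review flagged
    entries before acting on them.
    Get-WmiObject exists only in Windows PowerShell (5.1 and earlier).
    #>

    # Banner shown while the process list is collected.
    @(
      '                       ####################################################################'
      '                              Please wait, scanning for legitimate svchost processes...    '
      '                       ####################################################################'
    ) -join [Environment]::NewLine
    Start-Sleep -Milliseconds 1500

    # Build the expected image path from the running system's Windows
    # directory instead of assuming the C: drive; fall back to the original
    # literal if the variable is missing.
    $windowsDir = $env:SystemRoot
    if (-not $windowsDir) { $windowsDir = 'C:\Windows' }
    $expectedPath = Join-Path -Path $windowsDir -ChildPath 'System32\svchost.exe'

    $everySvchost = @(Get-WmiObject Win32_Process | Where-Object { $_.Name -eq 'svchost.exe' })

    # Only entries with a readable command line are classified (as before).
    # The rest are counted so the operator knows the scan had blind spots.
    $allsvchost = @($everySvchost | Where-Object { $_.CommandLine })
    $unreadableCount = $everySvchost.Count - $allsvchost.Count

    # Look the groups up by name; no Invoke-Expression needed for indirection.
    $groups = @{
      'All'     = $allsvchost
      'Legit'   = @($allsvchost | Where-Object { $_.ExecutablePath -eq $expectedPath })
      'Illegal' = @($allsvchost | Where-Object { $_.ExecutablePath -ne $expectedPath })
    }

    Clear-Host
    "Number of all running svchost.exe instances: $($groups['All'].Count)"
    "Number of running legit svchost.exe instances: $($groups['Legit'].Count)"
    "Number of running illegal/virus svchost.exe instances: $($groups['Illegal'].Count)"
    if ($unreadableCount -gt 0) {
      Write-Warning "$unreadableCount svchost.exe instance(s) had no readable command line and were not classified; this usually means the session is not elevated."
    }

    foreach ($label in 'All', 'Legit', 'Illegal') {
      "`n$label svchost instances"
      "####################################################################`n"
      $groups[$label] | Format-Table ProcessName, ProcessId, Handle, CommandLine, ExecutablePath
      "`n"
    }

    # Keep the window open until the user presses Enter.
    Read-Host
  }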
  # Script entry point: run the scan when the file is executed.
  ScanLegitsSvcHost