Posting again with a new focus

It’s been a while since I’ve had the energy or drive to update the blog. There’s been a lot going on between work, home and personal projects.

I’ve decided that I want to try and shift the focus of my blog posts. Instead of mostly reposting interesting news with my own commentary added, I’d like to produce more original content. I’ll start by updating one of my few posts with original content, my baselining code.

In that post I pointed out:

There are probably much more efficient ways of doing this

I’ve been learning PowerShell more thoroughly through a study group (#psstudy) led by @mwjcomputing (aka PowerShell Yoda), and yes, there is a far more efficient way to get system baselines and run regular comparisons.

To get the baselines:
Get-Service | Where-Object {$_.Status -eq 'Running'}`
| Export-Clixml C:\svcs.xml

Get-Process | Export-Clixml C:\procs.xml

The first line retrieves all running services and exports them with Export-Clixml, which writes PowerShell's own CLIXML object serialization format so the objects (not just text) can be read back later with Import-Clixml.
The second line does the same for processes; Get-Process needs no status filter, since every process it returns is by definition running.

Once the baseline xml files are established, a scheduled task can be created to run a line of PowerShell that compares the current state to the baseline. Run the task under the same account (and the same elevation) that took the baseline, so both sides see the same set of services and processes.

Compare-Object -ReferenceObject `
(Import-Clixml C:\svcs.xml) -DifferenceObject `
(Get-Service | Where-Object {$_.Status -eq 'Running'} ) `
-property name

Compare-Object -ReferenceObject (Import-Clixml C:\procs.xml)`
-DifferenceObject (Get-Process) -property name

The Compare-Object cmdlet (which can also be accessed with the alias diff for anyone coming from the Linux world) takes the baseline in through the Import-Clixml cmdlet. Then it gets the current list of services or processes and, because of -Property name, reports any name that is present on one side but not the other. Note that this compares names only: a process with an expected name but a different binary or path (say, a second svchost.exe launched from a user-writable folder) will not be flagged. The output looks something like this:

name SideIndicator
---- -------------
taskeng <=

The SideIndicator will be '<=' if something from the baseline (the reference object) is missing on the current system, and '=>' if the system is running a new service or process (a difference object) that is not in the baseline. We can take that output and format it to be more readable.

Compare-Object -ReferenceObject (Import-Clixml C:\procs.xml) `
    -DifferenceObject (Get-Process) -Property name | Format-List `
    @{n='Change'; e={ `
        if ($_.SideIndicator -eq '=>') { $_.name + ' is not in baseline' }; `
        if ($_.SideIndicator -eq '<=') { $_.name + ' is not running' } }}

Now we have a concise list showing what is different from the baseline which can be output to a text file, emailed, or even put up on a webpage. Two practical caveats: the baseline xml files should be writable only by administrators, since anyone who can edit them can make a new service or process look expected, and the baseline needs to be retaken after patches or software installs or the report fills up with legitimate noise.
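The whole procedure from above (take the baseline, then compare on a schedule and print a readable report) gathered into one script, as an added example that is not code from the original post. It goes one step beyond the post's name-only comparison: processes are compared on Name and Path together, so a same-named binary running from an unexpected folder is reported. The folder C:\baseline and the -Mode switch are assumptions for this example.

```powershell
# Added example (not the original post's code). Assumptions: baseline files live
# under C:\baseline, and the script is invoked with -Mode Baseline once, then
# -Mode Compare from a scheduled task running as the same account.
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Compare',
    [string]$BaselineDir = 'C:\baseline'   # assumed location; restrict its ACL to admins
)

function Get-RunningServiceSnapshot {
    # Services are compared by name only: Get-Service does not expose the binary path.
    Get-Service | Where-Object { $_.Status -eq 'Running' } |
        Select-Object Name, DisplayName
}

function Get-ProcessSnapshot {
    # Path is $null for processes the caller cannot open (e.g. System); those are
    # still compared, just on Name alone, because null matches null.
    Get-Process | Select-Object Name, Path
}

function New-Baseline {
    param([string]$Dir)
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    Get-RunningServiceSnapshot | Export-Clixml (Join-Path $Dir 'svcs.xml')
    Get-ProcessSnapshot        | Export-Clixml (Join-Path $Dir 'procs.xml')
}

function Compare-Baseline {
    param([string]$Dir)
    $svcRef  = Import-Clixml (Join-Path $Dir 'svcs.xml')
    $procRef = Import-Clixml (Join-Path $Dir 'procs.xml')

    # '<=' : only in the baseline (reference); '=>' : only on the live system (difference)
    $svcDiff  = Compare-Object -ReferenceObject $svcRef  -DifferenceObject (Get-RunningServiceSnapshot) -Property Name
    $procDiff = Compare-Object -ReferenceObject $procRef -DifferenceObject (Get-ProcessSnapshot) -Property Name, Path

    foreach ($d in $svcDiff) {
        switch ($d.SideIndicator) {
            '=>' { "Service $($d.Name) is running but not in baseline" }
            '<=' { "Service $($d.Name) is in baseline but not running" }
        }
    }
    foreach ($d in $procDiff) {
        # Include the path so a renamed or relocated binary is visible in the report
        $label = if ($d.Path) { "$($d.Name) [$($d.Path)]" } else { $d.Name }
        switch ($d.SideIndicator) {
            '=>' { "Process $label is running but not in baseline" }
            '<=' { "Process $label is in baseline but not running" }
        }
    }
}

if ($Mode -eq 'Baseline') { New-Baseline -Dir $BaselineDir }
else                      { Compare-Baseline -Dir $BaselineDir }
```

Run it once as `.\Baseline.ps1 -Mode Baseline` from an elevated prompt, then schedule `powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\Baseline.ps1` (path assumed) under the same account and redirect or email the output. Because Path is part of the comparison, a known-good process name running from a new location shows up as one '=>' line and one '<=' line, which is exactly the pair a name-only comparison would miss.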

*Apologies for the code readability. The width constraints required backticks, I tried to place them as logically as I could.

