artsec

PowerShell Script Running Processes with MD5 Hash

How can I get the list of running processes with their MD5 hash by PowerShell?
aikimark

What MD5 hash?
artsec

ASKER

MD5 hash of the file which initiated the process, like notepad.exe....
ASKER CERTIFIED SOLUTION
aikimark
This solution is only available to members.
artsec

ASKER

Thanks! This shows only the PowerShell process and its MD5. How can we expand the script to all running processes?
Oh. I thought you only wanted running applications. You can remove some of the filter conditions until you get the list you want.
artsec

ASKER

Thanks! I got it to work!
Function Get-FileHash1 {
<#
    .SYNOPSIS
    Outputs the MD5 or SHA1 hash for one or more files.

    .DESCRIPTION
    Outputs the MD5 or SHA1 hash for one or more files.

    .PARAMETER Path
    Specifies the path to one or more files. Wildcards are permitted.

    .PARAMETER LiteralPath
    Specifies a path to the file. Unlike Path, the value of LiteralPath is used exactly as it is typed. No characters are interpreted as wildcards. If the path includes escape characters, enclose it in single quotation marks.

    .PARAMETER HashType
    The hash type to compute; either MD5 or SHA1. The default is MD5.

    .INPUTS
    System.String, System.IO.FileInfo

    .OUTPUTS
    PSObjects containing the file paths and hash values

    .EXAMPLE
    PS C:\> Get-FileHash1 C:\Windows\Notepad.exe
    Outputs the MD5 hash for the specified file.

    .EXAMPLE
    PS C:\> Get-FileHash1 C:\Windows\Explorer.exe,C:\Windows\Notepad.exe -HashType SHA1
    Outputs the SHA1 hash for the specified files.

    .EXAMPLE
    PS C:\> Get-ChildItem C:\Scripts\*.ps1 | Get-FileHash1
    Outputs the MD5 hash for the specified files.

    .EXAMPLE
    PS C:\> Get-FileHash1 Download1.exe,Download2.exe -HashType SHA1
    Outputs the SHA1 hash for two files. You can compare the hash values to determine if the files are identical.
#>  

  [CmdletBinding(DefaultParameterSetName="Path")]
  param(
    [Parameter(ParameterSetName="Path",Position=0,Mandatory=$TRUE,ValueFromPipeline=$TRUE)]
    [String[]] $Path,
    [Parameter(ParameterSetName="LiteralPath",Position=0,Mandatory=$TRUE)]
    [String[]] $LiteralPath,
    [Parameter(Position=1)]
    [String] $HashType="MD5"
  )

  begin {
    switch ($HashType) {
      "MD5" {
        $Provider = new-object System.Security.Cryptography.MD5CryptoServiceProvider
        break
      }
      "SHA1" {
        $Provider = new-object System.Security.Cryptography.SHA1CryptoServiceProvider
        break
      }
      default {
        throw "HashType must be one of the following: MD5 SHA1"
      }
    }

    # If the Path parameter is not bound, assume input comes from the pipeline.
    if ($PSCMDLET.ParameterSetName -eq "Path") {
      $PIPELINEINPUT = -not $PSBOUNDPARAMETERS.ContainsKey("Path")
    }

    # Returns an object containing the file's path and its hash as a hexadecimal string.
    # The Provider object must have a ComputeHash method that returns an array of bytes.
    function get-filehash2($file) {
      if ($file -isnot [System.IO.FileInfo]) {
        write-error "'$($file)' is not a file."
        return
      }
      $hashstring = new-object System.Text.StringBuilder
      $stream = $file.OpenRead()
      if ($stream) {
        foreach ($byte in $Provider.ComputeHash($stream)) {
          [Void] $hashstring.Append($byte.ToString("X2"))
        }
        $stream.Close()
      }
      "" | select-object @{Name="Path"; Expression={$file.FullName}},
      @{Name="$($Provider.GetType().BaseType.Name) Hash"; Expression={$hashstring.ToString()}}
    }
  }

  process {
    if ($PSCMDLET.ParameterSetName -eq "Path") {
      if ($PIPELINEINPUT) {
        get-filehash2 $_
      }
      else {
        get-item $Path -force | foreach-object {
          get-filehash2 $_
        }
      }
    }
    else {
      $file = get-item -literalpath $LiteralPath
      if ($file) {
        get-filehash2 $file
      }
    }
  }
}

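# List every running process that exposes an executable path, with that file's MD5.
$processes = get-process
foreach ($process in $processes){
  if($null -ne $process.Path){
    if ($PSVersionTable.PSVersion.Major -ge 4)
    {
      # Get-FileHash is built in from PowerShell 4; -LiteralPath avoids wildcard expansion of the path.
      $hash = (get-filehash -LiteralPath $process.Path -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
    }
    else
    {
      # Older versions fall back to the Get-FileHash1 function defined above.
      $hash = ((get-filehash1 -LiteralPath $process.Path -HashType MD5).'MD5 Hash')
    }
    write-output  -InputObject ("{1}      {0}" -f $process.Name,$hash)
  }
}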


Hash function source: http://windowsitpro.com/scripting/calculate-md5-and-sha1-file-hashes-using-powershell
I think Get-FileHash was incorporated into PS v4.
Yes, it was incorporated in version 4.
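
On PowerShell 4 and later, where Get-FileHash is built in, the per-process listing from the script above can return objects instead of formatted strings, read each executable only once, and record processes whose file could not be hashed. This is an added example, not code from the thread; the function name Get-ProcessFileHash, the extra SHA256 column and the Status values are assumptions of this example.

```powershell
# Added example: hash the executable behind every running process (PowerShell 4+).
function Get-ProcessFileHash {
    [CmdletBinding()]
    param(
        # Algorithms passed to Get-FileHash; MD5 matches the thread, SHA256 is added here.
        [ValidateSet('MD5', 'SHA1', 'SHA256')]
        [string[]] $Algorithm = @('MD5', 'SHA256')
    )

    $cache = @{}   # path -> (algorithm -> hash), so a file shared by many processes is read once

    foreach ($proc in Get-Process) {
        $path = $proc.Path   # empty for System/Idle and for processes this session cannot open
        $row = [ordered]@{
            Name = $proc.Name
            Id   = $proc.Id
            Path = $path
        }
        foreach ($alg in $Algorithm) { $row[$alg] = $null }
        $row['Status'] = 'OK'

        if ([string]::IsNullOrEmpty($path)) {
            $row['Status'] = 'NoPath'
        }
        else {
            if (-not $cache.ContainsKey($path)) {
                $hashes = @{}
                try {
                    foreach ($alg in $Algorithm) {
                        # -LiteralPath: the path is data, never a wildcard pattern.
                        $hashes[$alg] = (Get-FileHash -LiteralPath $path -Algorithm $alg -ErrorAction Stop).Hash
                    }
                }
                catch {
                    # Keep the failure visible instead of printing an empty hash.
                    $hashes['Error'] = $_.Exception.Message
                }
                $cache[$path] = $hashes
            }
            $hashes = $cache[$path]
            if ($hashes.ContainsKey('Error')) { $row['Status'] = "HashFailed: $($hashes['Error'])" }
            foreach ($alg in $Algorithm) { $row[$alg] = $hashes[$alg] }
        }
        [pscustomobject]$row
    }
}

Get-ProcessFileHash | Sort-Object Path, Id | Format-Table Name, Id, MD5, SHA256, Path, Status -AutoSize
```

Running it from an elevated session reduces the number of NoPath rows, since processes the current user cannot open report no path.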