I have a PowerShell script that can be started either by

  • running a shortcut on the desktop, OR
  • as a scheduled job from the Windows Task Scheduler.

Is there any way within the script itself of identifying how it was started? In practice each method produces a slowly scrolling command window on screen, and once it's running I have no way of knowing how it was initiated. The script already logs some data about itself (name, date, time and $PID) but so far I've not found how to test the launch method i.e. task scheduler or manual run.

  • I would simply add a switch parameter like -scheduled, that I would pass when launching from Task Scheduler. Commented Jan 25, 2021 at 23:07
  • You can set a function within the script that tells you who runs it. In regards to who/how runs it, I would use event filtering. Commented Jan 25, 2021 at 23:34
  • Do you have PS auditing fully enabled and configured? Commented Jan 26, 2021 at 4:58

1 Answer

A script that is run by Task Scheduler has a parent process whose name is svchost, so you can use the following code in your script to detect this:

'svchost' -eq (Get-Process -Id (Get-CimInstance Win32_Process -Filter "ProcessID = $pid").ParentProcessId).Name
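
A more defensive form of the parent-process check, as an added example that is not part of the original answer: it confirms the parent is the svchost instance hosting the Task Scheduler service (service name `Schedule`) rather than any svchost, and handles a parent that has already exited. `Get-LaunchOrigin` and the origin labels are hypothetical names, and the check assumes the task action starts PowerShell directly rather than through a wrapper such as a batch file.

```powershell
# Added example; Get-LaunchOrigin and the Origin labels are hypothetical names.
function Get-LaunchOrigin {
    [CmdletBinding()]
    param([int]$ProcessId = $PID)

    $self = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $self) { throw "No process with id $ProcessId" }

    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($self.ParentProcessId)"

    # The real parent may have exited and its PID been reused by an unrelated
    # process. A genuine parent cannot have been created after its child.
    if (-not $parent -or $parent.CreationDate -gt $self.CreationDate) {
        return [pscustomobject]@{
            Origin     = 'Unknown'
            ParentName = $null
            ParentId   = $self.ParentProcessId
        }
    }

    # PID of the svchost instance that hosts the Task Scheduler service.
    $scheduler = Get-CimInstance Win32_Service -Filter "Name = 'Schedule'"

    # Win32_Process.Name includes the extension, unlike Get-Process.
    $origin = if ($parent.Name -ne 'svchost.exe') {
        'Other'              # e.g. explorer.exe for a desktop shortcut
    } elseif ($scheduler -and $parent.ProcessId -eq $scheduler.ProcessId) {
        'TaskScheduler'
    } else {
        'OtherSvchost'       # started by a different service host
    }

    [pscustomobject]@{
        Origin     = $origin
        ParentName = $parent.Name
        ParentId   = $parent.ProcessId
    }
}

# Add the result to the data the script already logs about itself.
$launch = Get-LaunchOrigin
'{0:s} PID={1} Origin={2} Parent={3} ({4})' -f (Get-Date), $PID,
    $launch.Origin, $launch.ParentName, $launch.ParentId
```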