Learn As I Learn - Technology, Product and Cybersecurity

Series 4: Ep 8: Memory Matters


Dig deep into system memory! Learn how to illustrate the memory layout of a basic program and use advanced PowerShell commands (WMI and security-focused queries) to debug, check process integrity, detect DLL injections, and identify suspicious processes on Windows Server 2022.

Commands:

  • Get-Process | Where-Object { $_.ProcessName -eq "notepad" }
  • Get-WmiObject -Class Win32_OperatingSystem | Select-Object TotalVisibleMemorySize, FreePhysicalMemory
  • Get-Process
  • Get-WmiObject -Class Win32_Process | Select-Object Name, ProcessId, ExecutablePath (Get-WmiObject exists only in Windows PowerShell 5.1; on PowerShell 7 use Get-CimInstance Win32_Process, or simply Get-Process | Select-Object Name, Id, Path)
  • Get-WmiObject -Class Win32_Process | Select-Object Name, ProcessId, ParentProcessId
  • Get-WmiObject -Class Win32_Process -Filter "Name = 'notepad.exe'" | Select-Object ProcessId, Name, @{Name='Owner';Expression={$_.GetOwner().User}}
  • Get-Process -Name notepad | Select-Object -ExpandProperty Modules | Select ModuleName, FileName
  • Get-WmiObject Win32_Process | Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -notlike "C:\Windows\*" -and $_.ExecutablePath -notlike "C:\Program Files\*") } | Select Name, ProcessId, ExecutablePath
  • Get-Process | Where-Object { $_.Modules.ModuleName -contains "ntdll.dll" }
  • Get-WmiObject Win32_Process | Select-Object Name, ProcessId, CommandLine
  • Get-Process | Sort-Object StartTime -Descending | Select-Object Name, Id, StartTime | Select-Object -First 10
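The one-liners above each answer a single question. The script below, added here as a worked example and not taken from the episode, combines the module enumeration, the "outside C:\Windows and C:\Program Files" path filter and the parent-process lookup into one report, and adds an Authenticode signature check so a DLL planted in an unexpected directory or an unsigned module mapped into a signed process stands out. The trusted-root list, the function names and the output fields are assumptions made for this example; a production baseline would be built from a known-good host.

```powershell
# Added example (not from the episode). Run from an elevated PowerShell session
# on the host under investigation; module lists of other users' processes and
# protected processes are not readable otherwise.

# Assumed baseline: images and DLLs are expected under these roots only.
$TrustedRoots = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
)

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path -like "$root*") { return $true }
    }
    return $false
}

function Get-SuspiciousModule {
    <#
      Emits one record per (process, module) pair whose module is loaded from
      outside $TrustedRoots or whose Authenticode signature is not 'Valid'.
      Each record also carries the parent process name so an odd lineage
      (for example an Office child spawning from an unusual parent) is visible
      in the same view.
    #>
    [CmdletBinding()]
    param([string[]]$ProcessName = '*')

    # Win32_Process gives ParentProcessId, which Get-Process does not expose.
    # Keys are cast to [uint32] so lookups with an [int] Id from Get-Process
    # still hit (hashtable keys compare by boxed type as well as value).
    $byPid = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $byPid[[uint32]$_.ProcessId] = $_
    }

    $sigCache = @{}   # path -> SignatureStatus, so every DLL is checked once

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            $modules = $proc.Modules   # throws for protected or cross-bitness processes
        } catch {
            Write-Warning "Cannot read modules of $($proc.ProcessName) (PID $($proc.Id)): $($_.Exception.Message)"
            continue
        }

        $parentName = $null
        $self = $byPid[[uint32]$proc.Id]
        if ($self -and $byPid.ContainsKey([uint32]$self.ParentProcessId)) {
            $parentName = $byPid[[uint32]$self.ParentProcessId].Name
        }

        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }

            if (-not $sigCache.ContainsKey($path)) {
                $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
                $sigCache[$path] = if ($sig) { $sig.Status } else { 'Unknown' }
            }

            $untrustedPath = -not (Test-TrustedPath -Path $path)
            $badSignature  = ($sigCache[$path] -ne 'Valid')

            if ($untrustedPath -or $badSignature) {
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    ProcessId   = $proc.Id
                    Parent      = $parentName
                    Module      = $m.ModuleName
                    Path        = $path
                    Signature   = $sigCache[$path]
                    Reason      = if ($untrustedPath) { 'UntrustedPath' } else { 'BadSignature' }
                }
            }
        }
    }
}

# Usage: review everything, or narrow to one process as in the notepad examples.
Get-SuspiciousModule | Sort-Object ProcessName, Module | Format-Table -AutoSize
# Get-SuspiciousModule -ProcessName notepad
```

Two caveats a practitioner will hit immediately. First, a 64-bit PowerShell cannot enumerate the modules of a 32-bit process (and vice versa), and protected processes such as csrss.exe or an AV engine refuse the handle, so the warnings printed are expected noise rather than findings; run the script from both a 64-bit and a 32-bit host to cover everything. Second, "loaded from an unexpected path" and "not Valid" are prompts for investigation, not verdicts: catalog-signed Windows binaries and legitimately unsigned in-house tools both appear here, which is why the one-liner that matches on ntdll.dll being present is not a useful injection test on its own (every user-mode process loads it) and why a per-host baseline of expected modules is the thing to diff against.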



Learn As I Learn - Technology, Product and CybersecurityBy Akanksha Pathak


