In PowerShell, I would like to kill all processes for all users, except explorer and processes used by the system.

This is where I am including the errors that are given:

```powershell
$Cred = Get-Credential;
Invoke-Command -ComputerName localhost -Credential $Cred -ScriptBlock { Get-Process $env:ALLUSERSPROFILE | Where-Object -FilterScript {$_.Name -ne "SYSTEM, NETWORK SERVICE, LOCAL SERVICE"} | Where-Object -filterscript {$_.Name -ne "explorer"} | Stop-Process -WhatIf }
```

```
Cannot find a process with the name "C:\ProgramData". Verify the process name and call the cmdlet again.
    + CategoryInfo          : ObjectNotFound: (C:\ProgramData:String) [Get-Process], ProcessCommandException
    + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell.Commands.GetProcessCommand
    + PSComputerName        : localhost
```
AbcAeffchen
Remyngton

1 Answer

Here, this should work for you.

```powershell
Function Stop-UserProcesses{
    Param([string]$Computer = "localhost")
    $Cred = Get-Credential
    Invoke-Command -ComputerName $Computer -Credential $Cred -ScriptBlock { 
        Get-Process -IncludeUserName | Where{!($_.UserName -match "NT AUTHORITY\\(?:SYSTEM|(?:LOCAL|NETWORK) SERVICE)") -and !($_.ProcessName -eq "explorer")}|Stop-Process -WhatIf
    }
}
```

Once you are convinced that it is functional, remove the `-WhatIf`. Then just call it as `Stop-UserProcesses` to end everything locally, or `Stop-UserProcesses SomeComputer01` to end everything on a remote system (assuming you have remote sessions enabled in your environment).

Edit: Well then, evidently the `-IncludeUserName` switch is new in v4. So, in order to do what you want we have to jump through hoops and use `Get-WMIObject` on the `win32_process` class, then execute the `GetOwner()` method for each process. Probably want to filter it so we don't end up with things like Idle throwing errors when they don't have an owner, so we'll make sure that the `CommandLine` property exists.

```powershell
Function Stop-UserProcesses{
    Param([string]$Computer = "localhost")
    $Cred = Get-Credential
    Invoke-Command -ComputerName $Computer -Credential $Cred -ScriptBlock { 
        #Get all processes
        $Processes = get-wmiobject win32_process|Where{![string]::IsNullOrEmpty($_.commandline)}|Select *,@{l='Owner';e={$_.getowner().user}}
        #Filter out System and service processes
        $Processes = $Processes | Where { !($_.Owner -match "(?:SYSTEM|(?:LOCAL|NETWORK) SERVICE)") }
        #Get processes and filter on the Process ID and name = explorer, then pipe to stop-process
        Get-Process | Where { $Processes.ProcessID -contains $_.id -and $_.name -ne "explorer" } | Stop-Process -WhatIf
    }
}
```
TheMadTechnician
  • Ok, I just copied that to my ISE, ran it, then typed `Stop-UserProcesses` and it first prompted me for credentials (which I entered my domain creds), and it told me a list of about 40 processes that it would have stopped. How are you running it? – TheMadTechnician Sep 10 '14 at 17:05
  • Thank you for the response! Now I get the error that IncludeUserName parameter cannot be found. – Remyngton Sep 10 '14 at 17:09
  • Sorry about that, I didn't realize that -IncludeUserName is a PowerShell v4 thing. Updated answer, and tested on my laptop with PS v3, and it is slower, but it works just fine. – TheMadTechnician Sep 10 '14 at 17:54
  • To be honest I just modified Example 8 in `Get-Help Get-Process -detailed` and added some filtering and piped it to stop-process. Then turned it into a function for easy usage. Glad it works for you though. – TheMadTechnician Sep 10 '14 at 18:14
  • Wow, I looked through the help and didn't see that. Thank you though! – Remyngton Sep 10 '14 at 18:53
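
The owner filter from the answer above, redone as an added example (not code from the question or the answer) that compares owner SIDs instead of account names, so it does not depend on the display language or on a user name that happens to contain "SYSTEM". The function and parameter names are hypothetical; skipping the service, Window Manager and font-driver virtual accounts (SID prefixes `S-1-5-80`, `S-1-5-90`, `S-1-5-96`) and the calling process goes beyond the three accounts the answer filters.

```powershell
# Added example; Get-UserOwnedProcess and -ExcludeName are hypothetical names.
function Get-UserOwnedProcess {
    [CmdletBinding()]
    param(
        # Image names to leave alone. Win32_Process.Name includes the ".exe" suffix.
        [string[]]$ExcludeName = @('explorer.exe')
    )

    # LocalSystem (18), LocalService (19), NetworkService (20), plus the
    # NT SERVICE (80), Window Manager (90) and Font Driver Host (96) virtual accounts.
    $systemSidPattern = '^S-1-5-(18|19|20|80-.+|90-.+|96-.+)$'

    foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
        # Never list the process that is running this script (e.g. the remoting host).
        if ($proc.ProcessId -eq $PID) { continue }
        if ($ExcludeName -contains $proc.Name) { continue }

        # GetOwnerSid fails for entries such as Idle and System, and for processes
        # the caller may not query. Fail safe: an unattributed process is skipped.
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwnerSid -ErrorAction SilentlyContinue
        if (-not $owner -or $owner.ReturnValue -ne 0 -or -not $owner.Sid) { continue }

        if ($owner.Sid -match $systemSidPattern) { continue }

        [pscustomobject]@{
            ProcessId = $proc.ProcessId
            Name      = $proc.Name
            OwnerSid  = $owner.Sid
        }
    }
}

# Dry run: report what would be stopped. Remove -WhatIf only after reviewing the list.
Get-UserOwnedProcess | ForEach-Object { Stop-Process -Id $_.ProcessId -WhatIf }
```

Run it from an elevated session so `GetOwnerSid` can read other users' processes; to target another machine, place the function and the final line inside the `Invoke-Command` script block the answer uses.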