Use PowerShell to Obtain a List of Processes Where the Executable has been Modified in the Past 90 Days

Use PowerShell to obtain a list of currently running processes where the executable file has been modified in the past 90 days.

The number of days is a parameterized value so it can be specified when running the script without having to manually modify the script each time you want to change the value. The script uses a foreach loop to iterate through each individual process that is returned by the Get-Process cmdlet. The process’s path property must contain a value or it will not be listed. Each process is only returned once even if the same executable is running multiple times as a separate process. A new PSObject is created to combine the properties from both Get-Process and Get-ChildItem in the same output. This script uses PowerShell version 3 simplified syntax for Where-Object (It will only work using PowerShell version 3 unless it is modified).

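param (
    [int]$days = 90
)

# Iterate over every running process that has a path, each one only once
foreach ($process in Get-Process |
        where Path |
        select -Unique) {

    # File system details for the executable (Path binds by property name)
    $dir = $process |
        Get-ChildItem

    # Combine properties from Get-Process and Get-ChildItem in one object,
    # then keep it only if the file was modified within the last $days days
    New-Object -TypeName PSObject -Property @{'Name' = $process.Name;
                                              'Description' = $process.Description;
                                              'File Version' = $process.FileVersion;
                                              'Product' = $process.Product;
                                              'Path' = $process.Path;
                                              'Modified Date' = $dir.LastWriteTime;} |
        where 'Modified Date' -gt (Get-Date).AddDays(-$days)
}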
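
A variant of the script above, added here as an example and not part of the original post: it goes a step further by grouping on the executable path so each file is listed once with its instance count, skipping files that can no longer be read, and reporting the Authenticode signature status next to the modified date. The function name Get-RecentlyModifiedProcessImage and the Instances, ProcessIds and Signature property names are assumptions made for this example.

```powershell
# Added example: the function name and the Instances, ProcessIds and Signature
# property names are illustrative choices, not taken from the original script.
function Get-RecentlyModifiedProcessImage {
    [CmdletBinding()]
    param (
        [ValidateRange(1, 36500)]
        [int]$Days = 90
    )

    $cutoff = (Get-Date).AddDays(-$Days)

    Get-Process |
        Where-Object { $_.Path } |
        Group-Object -Property Path |
        ForEach-Object {
            $path = $_.Name   # Group-Object exposes the grouped value as Name

            # The file may have been removed or be unreadable since the process
            # started; skip it quietly instead of aborting the whole listing.
            $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

            if ($file -and $file.LastWriteTime -gt $cutoff) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue

                [pscustomobject]@{
                    Name            = $_.Group[0].Name
                    Path            = $path
                    Instances       = $_.Count
                    ProcessIds      = $_.Group.Id -join ','
                    'Modified Date' = $file.LastWriteTime
                    Signature       = if ($sig) { $sig.Status } else { 'Unknown' }
                }
            }
        } |
        Sort-Object -Property 'Modified Date' -Descending
}

Get-RecentlyModifiedProcessImage -Days 90 | Format-Table -AutoSize
```

Entries whose Signature value is anything other than Valid are the ones to review first; run the function from an elevated session so that Get-Process can return the path of processes owned by other accounts.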


Does this look interesting? Want to learn how to decrypt the PowerShell Help and PowerShell objects to determine if one cmdlet can be piped to another ByValue or ByPropertyName? Join me in Atlanta on October 27th at PowerShell Saturday 003 where I’ll be covering those concepts along with many more in my PowerShell Fundamentals for Beginners session.