NeuroAgent

How to Track PowerShell Processes with High CPU Usage

Learn how to identify the source of PowerShell processes consuming 10-12% CPU. Analysis methods, tracking tools, and malware detection techniques.

#cpu-analysis#malware-detection#powershell-monitoring#process-analysis#windows-security
Question

How can I track the source of PowerShell processes consuming 10-12% CPU?

I leave my computer running overnight, but in the morning I discover several PowerShell processes, each using 10-12% of CPU time. Could you advise on how to determine which applications or users are launching these processes, and whether this might be a sign of a miner or malicious software? What tools or programs would you recommend for analyzing and tracking the source of these processes?

NeuroAgent

Tracking PowerShell Processes Consuming 10-12% CPU

PowerShell processes consuming 10-12% CPU can be tracked using built-in Windows tools like Task Manager and Process Explorer, as well as specialized PowerShell scripts for analyzing parent-child process relationships. To identify the source of these processes, you should use cmdlets like Get-Process, Get-WmiObject, and network connection tracing, in addition to scanning for malicious code with antivirus scanners and security analysis tools.

Contents

Basic Methods for Tracking PowerShell Processes

To begin analyzing PowerShell processes consuming CPU resources, you should use standard Windows tools. Task Manager provides basic information about running processes, but more detailed analysis requires specialized utilities.

In Task Manager, you can:

  • Sort processes by CPU usage
  • Find all PowerShell processes (powershell.exe)
  • See the username that started the process
  • Determine the path to the executable file

However, this data is insufficient for complete analysis. As noted in process monitoring research, it’s necessary to track not only the current state but also launch history, analyze parent processes, and examine interactions between system components.

For deeper analysis, it’s recommended to use Process Explorer from Sysinternals, which shows:

  • Process trees with parent-child relationships
  • DLL modules loaded into the process
  • Open files and network connections
  • Detailed information about launch time and resource usage

Analyzing Parent-Child Process Relationships

A key aspect of identifying the source of PowerShell processes is analyzing their origin. As noted in security research, every process, including PowerShell, leaves traces of its origin (parent process) and spawns child processes.

To analyze parent processes in PowerShell, you can use the following commands:

powershell
# Get information about all PowerShell processes with parent information
Get-Process powershell | Select-Object Id, ProcessName, CPU, Path, @{Name="ParentId";Expression={(Get-CimInstance -ClassName Win32_Process -Filter "ProcessId=$($_.Id)").ParentProcessId}}

# Get full information about the process with parent process
Get-CimInstance -ClassName Win32_Process | Where-Object {$_.Name -eq "powershell.exe"} | Select-Object Name, ProcessId, ParentProcessId, CommandLine

These commands will help determine:

  • The parent process that started PowerShell
  • The command line with startup parameters
  • Process IDs for further analysis

It’s important to note that malware often disguises itself as legitimate processes, so you need to verify:

  • Whether the parent process is a known system component
  • Whether the startup parameters match expected values
  • Whether there are suspicious arguments in the command line

Tools for Deep Process Analysis

For effective analysis of PowerShell processes consuming CPU resources, a comprehensive approach with multiple tools is recommended:

1. Process Monitor (ProcMon)

Process Monitor from Sysinternals allows real-time tracking of:

  • All file and registry operations
  • Network requests
  • Process creation
  • Memory access

To analyze PowerShell processes, filter events by:

  • Process name (powershell.exe)
  • Process Create operations
  • Network activities

2. Autoruns

This tool shows all auto-starting system components, including:

  • Scheduled tasks
  • Services
  • Registry startup items
  • Drivers

As noted in monitoring research, many miners and malicious programs use hidden scheduled tasks for automatic startup.

3. PowerShell Scripts for Monitoring

Here are useful scripts for analysis:

powershell
# Script to track high-load PowerShell processes
Get-Process | Where-Object {$_.ProcessName -eq "powershell" -and $_.CPU -gt 5} | 
    Select-Object Id, ProcessName, CPU, WorkingSet, @{Name="Parent";Expression={(Get-Process -Id $_.ParentId).ProcessName}}

# Script to analyze PowerShell process network activity
Get-NetTCPConnection | Where-Object {$_.OwningProcess -in (Get-Process powershell).Id} | 
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State

These scripts will help identify processes with abnormal resource consumption and their network activity.

Detecting Miners and Malware

CPU consumption in the 10-12% range by each PowerShell process can indicate several scenarios:

Signs of Cryptocurrency Mining Operations

As shown in security research, modern miners often:

  • Use PowerShell for hidden execution
  • Operate in memory without leaving disk traces
  • Create multiple instances to distribute the load

Typical signs of mining include:

  • Multiple PowerShell processes with similar CPU usage
  • Network activity to mining pool ports
  • Launch from unusual locations
  • No visible windows or interfaces

Detection Methods

To check for miners, it’s recommended to:

  1. Check network connections:
powershell
Get-NetTCPConnection | Where-Object {$_.OwningProcess -in (Get-Process powershell).Id} | 
    Select-Object RemoteAddress, RemotePort, State, OwningProcess
  1. Analyze processes using VirusTotal:
  • Download suspicious.ps1 files and check them via VirusTotal API
  • Pay attention to processes with unknown digital signatures
  1. Use specialized scanners:
  • Windows Defender with deep scanning
  • Malwarebytes AdwCleaner for detecting adware
  • Autoruns for checking startup items

It’s important to note that some legitimate applications also use PowerShell for their tasks, so discovered processes need to be evaluated in context.

Practical PowerShell Scripts for Monitoring

For systematic monitoring and analysis of PowerShell processes, you can use the following ready-made scripts:

1. Script for Tracking High-Load Processes

powershell
# HighCPU_PowerShell_Monitor.ps1
param([int]$Threshold = 10)

while($true) {
    $highCPUProcesses = Get-Process | Where-Object {
        $_.ProcessName -eq "powershell" -and $_.CPU -gt $Threshold
    }
    
    if ($highCPUProcesses) {
        Write-Host "Detected PowerShell processes with high CPU usage:"
        $highCPUProcesses | ForEach-Object {
            $parent = Get-Process -Id $_.ParentId -ErrorAction SilentlyContinue
            Write-Host "PID: $($_.Id), CPU: $($_.CPU)% Parent: $($parent.ProcessName), Command: $($_.CommandLine)"
        }
        Write-Host "----------------------------------------"
    }
    
    Start-Sleep -Seconds 30
}

2. Script for Analyzing Process Origins

powershell
# Process_Tracker.ps1
Get-Process powershell | ForEach-Object {
    $process = $_
    $parentProcess = Get-Process -Id $process.ParentId -ErrorAction SilentlyContinue
    $wmiProcess = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId=$($process.Id)"
    
    [PSCustomObject]@{
        ProcessId = $process.Id
        ProcessName = $process.ProcessName
        CPU = $process.CPU
        Memory = $process.WorkingSet / 1MB
        ParentProcess = if($parentProcess) {$parentProcess.ProcessName} else {"Unknown"}
        ParentId = $process.ParentId
        Path = $process.Path
        CommandLine = $wmiProcess.CommandLine
        CreationDate = $wmiProcess.CreationDate
    }
} | Sort-Object CPU -Descending | Format-Table -AutoSize

3. Script for Detecting Suspicious Activity

powershell
# Suspicious_Activity_Detector.ps1
$suspiciousPatterns = @(
    "*bitcoin*",
    "*monero*",
    "*miner*",
    "*crypto*",
    "*xmrig*",
    "*cpuminer*"
)

Get-Process powershell | ForEach-Object {
    $process = $_
    $commandLine = (Get-CimInstance -ClassName Win32_Process -Filter "ProcessId=$($process.Id)").CommandLine
    
    foreach($pattern in $suspiciousPatterns) {
        if($commandLine -like $pattern) {
            Write-Warning "Detected suspicious process: $($process.Id) with command: $commandLine"
        }
    }
}

These scripts will help automatically track abnormal PowerShell process activity and provide detailed information for analysis.

Security Recommendations and Prevention

To prevent unwanted PowerShell processes and ensure system security, it’s recommended to implement the following measures:

1. Configure PowerShell Execution Policies

Enable the following policies to restrict script execution:

powershell
# Set execution policy for current user
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

# Check current policies
Get-ExecutionPolicy -List

2. Monitor Scheduled Tasks

Regularly check scheduled tasks for suspicious entries:

powershell
# Get all PowerShell tasks
Get-ScheduledTask | Where-Object {$_.TaskPath -notlike "\Microsoft*" -and $_.Actions.Execute -like "*powershell*"}

3. Filter Network Traffic

Use Windows Firewall to block suspicious connections commonly used by miners:

powershell
# Block known mining pools
$miningPools = @("stratum+tcp://pool.example.com:3333", "stratum+tcp://another-pool.com:4444")
foreach($pool in $miningPools) {
    New-NetFirewallRule -DisplayName "Block Mining Pool" -Direction Outbound -RemoteAddress ([System.Net.Dns]::GetHostAddresses($pool.Split('/')[2])[0].IPAddressToString) -Action Block
}

4. Regular System Updates

Ensure your system and all applications are updated to the latest versions, as many vulnerabilities are exploited to inject malicious code.

5. Use Antivirus Software

Install and regularly update reliable antivirus software, such as:

  • Windows Defender with advanced protection features
  • Kaspersky Total Security
  • ESET Internet Security
  • Bitdefender Total Security

These measures will help minimize the risk of malicious PowerShell processes and ensure your system’s security.

Sources

  1. Complete a System Performance Check with PowerShell | NinjaOne
  2. PowerShell for Hackers-Survival Edition, Part 3: Know Your Enemy - Hackers Arise
  3. Start a Windows Defender Scan with PowerShell | NinjaOne
  4. TikTok Videos Weaponized to Deliver Self-Compiling PowerShell Malware - GBHackers
  5. How to Create a Scheduled Task Alert with PowerShell | NinjaOne
  6. PostMessage Vulnerabilities: Cross-Window Security Risks | InstaTunnel Blog
  7. PowerShell for Hackers, Part 6: Evading Detection - Hackers Arise

Conclusion

To effectively track PowerShell processes consuming 10-12% CPU, a comprehensive approach is needed, including analysis of parent-child relationships, network activity monitoring, and the use of specialized tools. The main steps include:

  1. Using Process Explorer and PowerShell to analyze process origins
  2. Applying scripts to automatically monitor high CPU usage
  3. Scanning the system for miners and malware using antivirus scanners
  4. Regular monitoring of scheduled tasks and startup items
  5. Implementing security policies to restrict script execution

If you detect suspicious activity after analysis, it’s recommended to immediately isolate the system, remove malicious components, and change passwords. To prevent future incidents, regularly update software and use multi-layered security protection.

What PowerShell scripts can be used for automatic monitoring of processes with high CPU usage?How to distinguish legitimate PowerShell processes from malicious ones consuming CPU resources?How to check if high CPU usage is a sign of cryptomining activity?How to configure PowerShell execution policies to prevent malicious script execution?Which network ports are most commonly used by miners and how to block them?How to analyze parent PowerShell processes to determine their source?
Ask NeuroAgent