as far as i know, the following code can get files like dll, exe etc. but files like docx, xlsx can not be obtained by the following code, what should i do.
$process=Get-Process -Name
$process.modules.filename
it seems i need import certain .net module to do that.
Hey @leo_Smith I am not aware of any specific out-of-the-box PowerShell module that will do exactly what you are looking for. I’ve seen a few open-source projects but never used them. You can also use the cmd command openfiles as well.
If you got this to work can you share you code?
hi, psjamesp @psjamesp , thanks for your reply. Yes, openfiles can check which file was opened, but can not get the process that is visiting a certain file. And i’m sorry to tell you that i haven’t gotten this to work. Maybe this feature is not A easy task which involves a lot in basic knowledge of computers LOL.
I’m not aware of anything you can do with PowerShell on its own to get this information although you might find the MainWindowTitle property returned by Get-Process gets you sufficiently close:
PS E:\Temp> Get-Process Excel | Select-Object -ExpandProperty MainWindowTitle
prize-march-2023 - Excel
Depending on how you opened the file, it may also be possible to get the filename from the CommandLine property:
PS E:\Temp> Get-Process Excel | Select-Object -ExpandProperty CommandLine
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "E:\Temp\prize-march-2023.xlsx"
For non-PowerShell solutions, then the tool to use is Handle from the Sysinternals suite
All open ‘xlsx’ files:
PS E:\Temp> .\handle.exe 'xlsx'
Nthandle v5.0 - Handle viewer
Copyright (C) 1997-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
EXCEL.EXE pid: 24092 type: File 12C8: E:\Temp\prize-march-2023.xlsx
EXCEL.EXE pid: 24092 type: File 1418: E:\Temp\~$prize-march-2023.xlsx
All handles by named process:
PS E:\Temp> .\handle.exe -p 'Excel'
1 Like
Thank you, Matt @matt-bloomfield . You saved me a lot of time!
Not PowerShell and the return is text which you can parse … but it will get you the PID and Document name via the PID column and the Window Title column.
%comspec% /c tasklist /v /fi "imagename eq excel.exe"
FWIW
Or turn it into powershell worthy objects by using powershell and a few more characters!
tasklist /v /fi "imagename eq excel.exe" /FO csv | ConvertFrom-Csv
Image Name : EXCEL.EXE
PID : 5588
Session Name : Console
Session# : 1
Mem Usage : 10,004 K
Status : Running
User Name : ComputerName\UserName
CPU Time : 0:00:00
Window Title : Microsoft Excel
Nicely done Crazy Doug 
it is so cooool @krzydoug , and it would be much better if we can get the fullname of the file excel.exe is opening. but it is not easy i guess.
You can use this to get the full path to any open excel workbooks.
$excelapp = [Runtime.Interopservices.Marshal]::GetActiveObject('Excel.Application')
foreach($workbook in $excelapp.workbooks){
$workbook.FullName
}
Please note that if excel is running as admin, powershell will need to be run as admin. Since this is unlikely, a normal powershell session would be required (not run as admin)
Same process works for word
$wordapp = [Runtime.Interopservices.Marshal]::GetActiveObject('Word.Application')
foreach($document in $wordapp.Documents){
$document.FullName
}
1 Like
ohhhhhhh, thank you, Mr @krzydoug . It works like exactly what i want. You are a Prometheus!