List processes with optional name or PID filter. Returns handles, threads, working set, path, parent PID, start time.

Deep process details: modules, handle count, threads, command line, memory breakdown. May warn on protected processes.

Point-in-time snapshot of matching processes: processes, modules, network connections.

Repeated snapshots over a duration with optional shell trigger command launched at start.

Start a kernel ETW trace via logman (requires elevation). providers are Microsoft-Windows-Kernel-* names or GUID strings.

Stop ETW trace, run tracerpt to CSV and summary, return parsed preview (requires elevation).

Parse logman query providers with optional keyword filter.

TCP and/or UDP endpoints with owning process. protocol: tcp, udp, both, all.

Enumerate services via Win32_Service (name, state, start mode, display name, path).

Enumerate kernel drivers via Win32_SystemDriver.

Run fltmc filters and instances and return raw parsed lines.

Parse a PE file with pefile: imports, exports, category summary.

Recursively discover PE files under a directory.

Query a Windows event log via Get-WinEvent FilterHashtable.

Security log convenience: IDs 4688, 4624, 4672, 4648 (requires elevation).

OS build, architecture, hostname, SecurityCenter2 AV products, PowerShell version.

Whether the server is elevated plus a capability matrix for all tools.

Launch a cmd script via UAC (Start-Process -Verb RunAs) to run the given command.