ansible/windows_find-all-adminprocesses.yml
2024-07-12 12:58:40 +02:00


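---
# Audit play: on each Windows host, list services, running processes and
# scheduled tasks whose account name matches "Administrator", then print
# whatever the script returned.
#
# Scope caveat: selection is by account *name* only (a case-insensitive
# substring match). A renamed built-in Administrator, or any other privileged
# account with a different name, is not reported; an unprivileged account
# whose name merely contains "Administrator" is.
- name: run automation for windows
  gather_facts: false
  hosts: all
  # NOTE(review): become_method is set, but this play never sets `become`;
  # presumably it is enabled from inventory or the command line. Confirm.
  become_method: runas
  tasks:
    - name: Domain Administrator Inspection via PowerShell
      ansible.windows.win_powershell:
        script: |
          # Services configured to start under a matching account.
          Get-WmiObject win32_service | Where-Object {
            $_.StartName -Match "Administrator"
          } | Select-Object SystemName,Name,StartName,State

          # Processes owned by a matching account. The exclusion list is
          # anchored and the dots are escaped, so only these exact image names
          # are skipped; the unanchored form "cmd.exe|..." also hid any
          # process whose name merely contained one of them.
          Get-WmiObject win32_process | Where-Object {
            $_.GetOwner().User -Match "Administrator" -And
            $_.ProcessName -NotMatch '^(cmd|powershell|winrshost|conhost)\.exe$'
          } | Select-Object CSName,ProcessName,@{Name="User"; Expression={ $_.GetOwner().User }}

          # Scheduled tasks that run as a matching account with a stored
          # password (LogonType "Password").
          Get-ScheduledTask | Where-Object {
            $_.Principal.UserId -Match "Administrator" -And
            $_.Principal.LogonType -Eq "Password"
          } | Select-Object TaskName,State,TaskPath,@{Name="User"; Expression={ $_.Principal.UserId }}
      register: script_return
      # The script only reads state, so never report the host as changed.
      changed_when: false

    - name: Output
      ansible.builtin.debug:
        msg: "{{ script_return.output }}"
      # Explicit boolean test rather than relying on the truthiness of a list.
      when: script_return.output | length > 0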