Get Process Owner and Other Info with WMI and PowerShell
Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell and WMI to retrieve process owner and other information.
Microsoft Scripting Guy, Ed Wilson, is here. We were supposed to receive seven inches of snow the other day. They closed schools and businesses, and the roads were swamped with people rushing to various stores in preparation for the snowstorm of the century. Of course, the century is still not all that old, and the storm was not that big of a deal.
In fact, as it turned out, it really was not a big deal at all. We received less than a half-inch of snow, and even that did not stick around. So the kids were outside trying to make snow persons, but they did not have enough snow to do so. Perhaps they could have bought some via the Internet. It was all a non-event.
Something that is not a non-event is using Windows PowerShell to retrieve cool information. As I have mentioned, for basic process information, nothing beats the Get-Process cmdlet. It is fast, works remotely, and is really easy to use. But there are times I need to know more information.
First up, what file is open?
I like the detailed command information that is available in Windows PowerShell via WMI when I query the Win32_Process cmdlet. For example, I can often find out what file is open by looking at the command line. I use the Get-CimInstance cmdlet, and pipe the output to the Format-List cmdlet so I can see all of the properties. This command is shown here:
Get-CimInstance Win32_Process -Filter "name = 'notepad.exe'" | fl *
In the following output, the CommandLine property shows me that I have a specific file open in Notepad.
By using a command like the following, I can find what process has a file locked or filter the results based on the file name:
PS C:\> Get-CimInstance Win32_Process | where commandline -match 'applog'
ProcessId Name HandleCount WorkingSetSize VirtualSize
——— —- ———– ————– ———–
10076 notepad.exe 114 9093120 2199130263552
After I have this information, I can stop the process if I need to do so. This is shown here:
PS C:\> $proc = Get-CimInstance Win32_Process | where commandline -match 'applog'
PS C:\> Invoke-CimMethod -InputObject $proc -MethodName Terminate
Get the owner of the process
To get the owner of the process, I use the GetOwner method from the Win32_Process class that I retrieve when I query for instances of Notepad. The first thing I do is use Get-CimInstance to retrieve instances of Notepad:
Get-CimInstance Win32_Process -Filter "name = 'notepad.exe'"
Next, I store the returned object in a variable:
$proc = Get-CimInstance Win32_Process -Filter "name = 'notepad.exe'"
Now I call the GetOwner method from the Invoke-CimMethod cmdlet. The cool thing is that Tab completion works, so I can cycle through the available methods. The command is shown here:
Invoke-CimMethod -InputObject $proc -MethodName GetOwner
Here is the command and the output from the command:
That is all there is to using WMI methods and Windows PowerShell to retrieve information. Join me tomorrow when I will talk about more cool Windows PowerShell stuff.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at email@example.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy