February 27th, 2015

Get Process Owner and Other Info with WMI and PowerShell

Doctor Scripto
Scripter

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell and WMI to retrieve process owner and other information.

Microsoft Scripting Guy, Ed Wilson, is here. We were supposed to receive seven inches of snow the other day. They closed schools and businesses, and the roads were swamped with people rushing to various stores in preparation for the snowstorm of the century. Of course, the century is still not all that old, and the storm was not that big of a deal.

In fact, as it turned out, it really was not a big deal at all. We received less than a half-inch of snow, and even that did not stick around. So the kids were outside trying to make snow persons, but they did not have enough snow to do so. Perhaps they could have bought some via the Internet. It was all a non-event.

Something that is not a non-event is using Windows PowerShell to retrieve cool information. As I have mentioned, for basic process information, nothing beats the Get-Process cmdlet. It is fast, works remotely, and is really easy to use. But there are times I need to know more information.

First up, what file is open?

I like the detailed command information that is available in Windows PowerShell via WMI when I query the Win32_Process cmdlet. For example, I can often find out what file is open by looking at the command line. I use the Get-CimInstance cmdlet, and pipe the output to the Format-List cmdlet so I can see all of the properties. This command is shown here:

Get-CimInstance Win32_Process -Filter "name = 'notepad.exe'" | fl *

In the following output, the CommandLine property shows me that I have a specific file open in Notepad.

Image of command output

By using a command like the following, I can find what process has a file locked or filter the results based on the file name:

PS C:\> Get-CimInstance Win32_Process | where commandline -match 'applog'

ProcessId            Name             HandleCount         WorkingSetSize      VirtualSize       

———            —-             ———–         ————–      ———–        

10076                notepad.exe      114                 9093120             2199130263552      

After I have this information, I can stop the process if I need to do so. This is shown here:

PS C:\> $proc = Get-CimInstance Win32_Process | where commandline -match 'applog'

PS C:\> Invoke-CimMethod -InputObject $proc -MethodName Terminate

                                   ReturnValue PSComputerName                              

                                   ———– ————–                               

                                             0                         

Get the owner of the process

To get the owner of the process, I use the GetOwner method from the Win32_Process class that I retrieve when I query for instances of Notepad. The first thing I do is use Get-CimInstance to retrieve instances of Notepad:

  Get-CimInstance Win32_Process -Filter "name = 'notepad.exe'"

Next, I store the returned object in a variable:

$proc = Get-CimInstance Win32_Process -Filter "name = 'notepad.exe'"

Now I call the GetOwner method from the Invoke-CimMethod cmdlet. The cool thing is that Tab completion works, so I can cycle through the available methods. The command is shown here:

Invoke-CimMethod -InputObject $proc -MethodName GetOwner

Here is the command and the output from the command:

Image of command output

That is all there is to using WMI methods and Windows PowerShell to retrieve information. Join me tomorrow when I will talk about more cool Windows PowerShell stuff.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

Author

The "Scripting Guys" is a historical title passed from scripter to scripter. The current revision has morphed into our good friend Doctor Scripto who has been with us since the very beginning.

0 comments

Discussion are closed.

Feedback