Use PowerShell to Explore Process Threads in Windows
Summary: Microsoft Scripting Guy talks about using Windows PowerShell to explore process threads in Windows.
Hey, Scripting Guy! I have a problem. On our system, every once in a while, we have this application where the threads go crazy. I need an easy way to check threads. Can you help?
—BC
Hello BC,
Microsoft Scripting Guy, Ed Wilson, is here. Well it is official; there will be a Microsoft Scripting Guy booth at TechEd 2013 in New Orleans. The Scripting Wife will also be at the booth. We are planning to share our booth with the Windows PowerShell community from PowerShell.org as well. It will be a lot of fun, and we are already looking forward to it. The dates for TechEd 2013 in New Orleans, by the way, are June 3 – June 6.
Use WMI to find info about threads
To find information about threads, I use the Win32_Thread WMI class. I found this by using the Get-CimClass cmdlet as shown here.
Get-CimClass *thread*
The command and its associated output are shown in the following image.
I can also do the same thing by using the Get-WmiObject cmdlet. This technique is shown here.
Get-wmiobject -list *thread*
So, I decide to query the WMI class. Here is the Windows PowerShell 2.0 version of the command.
Get-WmiObject win32_thread
I can do the same thing with the CIM cmdlets in Windows PowerShell 3.0. This command is shown here.
Get-CimInstance win32_thread
The command and the output from the command are shown here.
Find a specific thread
The easiest way to find a specific thread is to first get the process handle, and then use that handle in a WMI filter. The following command obtains the handle for a running instance of Notepad, and then obtains the thread information.
$handle = (Get-Process notepad).handle
Get-WmiObject win32_thread -filter “handle = $handle”
By using the Get-CimInstance Windows PowerShell 3.0 CIM cmdlet, I arrive at the following syntax.
$handle = (Get-Process notepad).handle
Get-CimInstance win32_thread -filter “handle = $handle”
There is very little difference between the two commands. There is a bit of a difference between the output from the two commands. The output from the Get-CimInstance cmdlet is cleaner. The command and output from Get-CimInstance is shown here.
To understand the thread state, it is necessary to look up the ThreadState property. I can do this in the MSDN article, Win32_Thread WMI class. The ThreadState values are shown here.
|
Value |
Meaning |
|
0 |
Initialized. It is recognized by the microkernel. |
|
1 |
Ready. It is prepared to run on the next available processor. |
|
2 |
Running. It is executing. |
|
3 |
Standby. It is about to run. Only one thread may be in this state at a time. |
|
4 |
Terminated. It is finished executing. |
|
5 |
Waiting. It is not ready for the processor. When ready, it will be rescheduled. |
|
6 |
Transition. The thread is waiting for resources other than the processor. |
|
7 |
Unknown. The thread state is unknown. |
The ThreadWaitReason value codes are shown in the table that follows.
|
Value |
Meaning |
|
0 |
Executive |
|
1 |
FreePage |
|
2 |
PageIn |
|
3 |
PoolAllocation |
|
4 |
ExecutionDelay |
|
5 |
FreePage |
|
6 |
PageIn |
|
7 |
Executive |
|
8 |
FreePage |
|
9 |
PageIn |
|
10 |
PoolAllocation |
|
11 |
ExecutionDelay |
|
12 |
FreePage |
|
13 |
PageIn |
|
14 |
EventPairHigh |
|
15 |
EventPairLow |
|
16 |
LPCReceive |
|
17 |
LPCReply |
|
18 |
VirtualMemory |
|
19 |
PageOut |
|
20 |
Unknown |
BC, that is all there is to using Windows PowerShell and WMI to find information about threads. Join me tomorrow when I will talk about more cool stuff.Therefore, the Notepad process is waiting and not ready for the processor. The reason it is waiting is EventPairLow.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy
Light
Dark
0 comments