{"id":219,"date":"2014-12-10T00:01:00","date_gmt":"2014-12-10T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2014\/12\/10\/use-powershell-and-wmi-to-explore-threads\/"},"modified":"2019-02-18T10:36:39","modified_gmt":"2019-02-18T17:36:39","slug":"use-powershell-and-wmi-to-explore-threads","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-and-wmi-to-explore-threads\/","title":{"rendered":"Use PowerShell and WMI to Explore Threads"},"content":{"rendered":"

Summary<\/b>: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell and WMI to explore processes and threads.<\/span><\/p>\n

\"Hey, Hey, Scripting Guy! I need to find information about threads that are related to a specific process. I am wondering how I can do this by using Windows PowerShell. Can you help me?<\/p>\n

—CP<\/p>\n

\"Hey, Hello CP,<\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. This morning I have a couple of meetings. I like meetings because it is a great chance to interact with other people from Microsoft—and that is always a good thing when one works from home. It is one of the things I miss most about working on campus. Of course, working remotely has a number of advantages, such as getting a whole lot more work done in a given period of time—but still, I do miss the interaction. So I have something to look forward today.<\/p>\n

Well CP, threads are sort of like meetings in that one process can spawn numerous threads and one meeting often spawns other meetings. The trick is keeping track of everything.<\/p>\n

Find the process ID<\/h2>\n

The first thing I need to do is to find a way to keep track of everything. Every process has a process ID, and I can find it by using the Win32_Process WMI class. I can also filter by the name of the process. For an example, I am going to use the facebook.exe process that starts on my laptop running Windows 8.1 when I launch the Facebook <\/i>application. I use the Get-CimInstance<\/b> cmdlet to query for the Facebook process. Here is the command I use:<\/p>\n

$name = "facebook.exe"<\/p>\n

$processHandle = (Get-CimInstance Win32_Process -Filter "Name = '$name'").ProcessId<\/p>\n

   Note<\/b>  I am assuming that there is one instance of a process named facebook.exe. <\/i>If there were multiple processes
   with the same name, I would need to cycle through them.<\/p>\n

Query for threads related to a process<\/h2>\n

To query for threads, I use the Win32_Thread WMI class. There are hundreds of threads running on a computer at any given time, and so this can be a rather expensive WMI query. To reduce the impact of the WMI query, I filter by the ProcessHandle<\/b> property. In this case, the ProcessHandle<\/b> <\/i>property has the same value as the ProcessID<\/b> <\/i>I obtained in the previous query. I can therefore filter out threads by using this process ID. As shown here, I store the results of the query in a variable I call $threads<\/b>:<\/p>\n

$Threads = Get-CimInstance -Class Win32_Thread -Filter "ProcessHandle = $processHandle" <\/p>\n

Produce the output<\/h2>\n

As far as output goes, I can do anything I want. Here, I decided to send the output to the Out-GridView<\/b> cmdlet, so that I could filter if I want to. The easy way to do this is to first use the Select-Object<\/b> cmdlet to select the properties I want to display. I decided to produce a custom title on the output from Out-GridView<\/b> by specifying a string value for the –Title<\/b> parameter. Here is that portion of the script:<\/p>\n

$threads | Select-Object priority, thread*, User*Time, kernel*Time |<\/p>\n

Out-GridView -Title "The $name process has $($threads.count) threads"<\/p>\n

I am simply displaying the output. I could cause the Out-GridView<\/b> cmdlet to pause, and then I could select specific items in the output pane and send the selected output back to the Windows PowerShell console. In this way, I could kill processes that had too many threads in a wait state (for example). Here is my complete script:<\/p>\n

$name = "facebook.exe"<\/p>\n

$processHandle = (Get-CimInstance Win32_Process -Filter "Name = '$name'").ProcessId<\/p>\n

$Threads = Get-CimInstance -Class Win32_Thread -Filter "ProcessHandle = $processHandle"<\/p>\n

$threads | Select-Object priority, thread*, User*Time, kernel*Time |<\/p>\n

Out-GridView -Title "The $name process has $($threads.count) threads"<\/p>\n

The GridView control produced by the script is shown here:<\/p>\n

\"Image<\/a><\/p>\n

CP, that is all there is to using Windows PowerShell and WMI to find thread information. Join me tomorrow when I will talk about more cool Windows PowerShell stuff.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/b> <\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell and WMI to explore processes and threads.  Hey, Scripting Guy! I need to find information about threads that are related to a specific process. I am wondering how I can do this by using Windows PowerShell. Can you help me? —CP  Hello CP, Microsoft […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[385,31,485,3,4,45],"class_list":["post-219","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-cim","tag-operating-system","tag-process","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell and WMI to explore processes and threads.  Hey, Scripting Guy! I need to find information about threads that are related to a specific process. I am wondering how I can do this by using Windows PowerShell. Can you help me? —CP  Hello CP, Microsoft […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=219"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/219\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=219"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}