{"id":4094,"date":"2013-02-28T00:01:00","date_gmt":"2013-02-28T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/02\/28\/use-powershell-to-explore-process-threads-in-windows\/"},"modified":"2013-02-28T00:01:00","modified_gmt":"2013-02-28T00:01:00","slug":"use-powershell-to-explore-process-threads-in-windows","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-explore-process-threads-in-windows\/","title":{"rendered":"Use PowerShell to Explore Process Threads in Windows"},"content":{"rendered":"

Summary<\/strong>: Microsoft Scripting Guy talks about using Windows PowerShell to explore process threads in Windows.<\/p>\n

\"Hey, Hey, Scripting Guy! I have a problem. On our system, every once in a while, we have this application where the threads go crazy. I need an easy way to check threads. Can you help?<\/p>\n

—BC<\/p>\n

\"Hey, Hello BC,<\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. Well it is official; there will be a Microsoft Scripting Guy booth at TechEd 2013 in New Orleans<\/a>. The Scripting Wife will also be at the booth. We are planning to share our booth with the Windows PowerShell community from PowerShell.org as well. It will be a lot of fun, and we are already looking forward to it. The dates for TechEd 2013 in New Orleans, by the way, are June 3 – June 6.<\/p>\n

Use WMI to find info about threads<\/h2>\n

To find information about threads, I use the Win32_Thread WMI class. I found this by using the Get-CimClass<\/strong> cmdlet as shown here.<\/p>\n

Get-CimClass *thread*<\/p>\n

The command and its associated output are shown in the following image.<\/p>\n

\"Image<\/a><\/p>\n

I can also do the same thing by using the Get-WmiObject<\/strong> cmdlet. This technique is shown here.<\/p>\n

Get-wmiobject -list *thread*<\/p>\n

So, I decide to query the WMI class. Here is the Windows PowerShell 2.0 version of the command.<\/p>\n

Get-WmiObject win32_thread<\/p>\n

I can do the same thing with the CIM cmdlets in Windows PowerShell 3.0. This command is shown here.<\/p>\n

Get-CimInstance win32_thread<\/p>\n

The command and the output from the command are shown here.<\/p>\n

 \"Image<\/a><\/p>\n

Find a specific thread<\/span><\/p>\n

The easiest way to find a specific thread is to first get the process handle, and then use that handle in a WMI filter. The following command obtains the handle for a running instance of Notepad, and then obtains the thread information.<\/p>\n

$handle = (Get-Process notepad).handle<\/p>\n

Get-WmiObject win32_thread -filter “handle = $handle”<\/p>\n

By using the Get-CimInstance<\/strong> Windows PowerShell 3.0 CIM cmdlet, I arrive at the following syntax.<\/p>\n

$handle = (Get-Process notepad).handle<\/p>\n

Get-CimInstance win32_thread -filter “handle = $handle”<\/p>\n

There is very little difference between the two commands. There is a bit of a difference between the output from the two commands. The output from the Get-CimInstance<\/strong> cmdlet is cleaner. The command and output from Get-CimInstance<\/strong> is shown here.<\/p>\n

\"Image<\/a><\/p>\n

To understand the thread state, it is necessary to look up the ThreadState<\/strong> property. I can do this in the MSDN article, Win32_Thread WMI class<\/a>. The ThreadState <\/strong>values are shown here.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n
\n

Value<\/strong><\/p>\n<\/td>\n

\n

Meaning<\/strong><\/p>\n<\/td>\n<\/tr>\n

\n

0<\/p>\n<\/td>\n

\n

  Initialized. It is recognized by the microkernel.<\/p>\n<\/td>\n<\/tr>\n

\n

1<\/p>\n<\/td>\n

\n

  Ready. It is prepared to run on the next available processor.<\/p>\n<\/td>\n<\/tr>\n

\n

2<\/p>\n<\/td>\n

\n

  Running. It is executing.<\/p>\n<\/td>\n<\/tr>\n

\n

3<\/p>\n<\/td>\n

\n

  Standby. It is about to run. Only one thread may be in this state at a time.<\/p>\n<\/td>\n<\/tr>\n

\n

4<\/p>\n<\/td>\n

\n

  Terminated. It is finished executing.<\/p>\n<\/td>\n<\/tr>\n

\n

5<\/p>\n<\/td>\n

\n

  Waiting. It is not ready for the processor. When ready, it will be rescheduled.<\/p>\n<\/td>\n<\/tr>\n

\n

6<\/p>\n<\/td>\n

\n

  Transition. The thread is waiting for resources other than the processor.<\/p>\n<\/td>\n<\/tr>\n

\n

7<\/p>\n<\/td>\n

\n

  Unknown. The thread state is unknown.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The ThreadWaitReason <\/strong>value codes are shown in the table that follows. <\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

Value<\/strong><\/p>\n<\/td>\n

\n

Meaning<\/strong><\/p>\n<\/td>\n<\/tr>\n

\n

0<\/p>\n<\/td>\n

\n

Executive<\/p>\n<\/td>\n<\/tr>\n

\n

1<\/p>\n<\/td>\n

\n

FreePage<\/p>\n<\/td>\n<\/tr>\n

\n

2<\/p>\n<\/td>\n

\n

PageIn<\/p>\n<\/td>\n<\/tr>\n

\n

3<\/p>\n<\/td>\n

\n

PoolAllocation<\/p>\n<\/td>\n<\/tr>\n

\n

4<\/p>\n<\/td>\n

\n

ExecutionDelay<\/p>\n<\/td>\n<\/tr>\n

\n

5<\/p>\n<\/td>\n

\n

FreePage<\/p>\n<\/td>\n<\/tr>\n

\n

6<\/p>\n<\/td>\n

\n

PageIn<\/p>\n<\/td>\n<\/tr>\n

\n

7<\/p>\n<\/td>\n

\n

Executive<\/p>\n<\/td>\n<\/tr>\n

\n

8<\/p>\n<\/td>\n

\n

FreePage<\/p>\n<\/td>\n<\/tr>\n

\n

9<\/p>\n<\/td>\n

\n

PageIn<\/p>\n<\/td>\n<\/tr>\n

\n

10<\/p>\n<\/td>\n

\n

PoolAllocation<\/p>\n<\/td>\n<\/tr>\n

\n

11<\/p>\n<\/td>\n

\n

ExecutionDelay<\/p>\n<\/td>\n<\/tr>\n

\n

12<\/p>\n<\/td>\n

\n

FreePage<\/p>\n<\/td>\n<\/tr>\n

\n

13<\/p>\n<\/td>\n

\n

PageIn<\/p>\n<\/td>\n<\/tr>\n

\n

14<\/p>\n<\/td>\n

\n

EventPairHigh<\/p>\n<\/td>\n<\/tr>\n

\n

15<\/p>\n<\/td>\n

\n

EventPairLow<\/p>\n<\/td>\n<\/tr>\n

\n

16<\/p>\n<\/td>\n

\n

LPCReceive<\/p>\n<\/td>\n<\/tr>\n

\n

17<\/p>\n<\/td>\n

\n

LPCReply<\/p>\n<\/td>\n<\/tr>\n

\n

18<\/p>\n<\/td>\n

\n

VirtualMemory<\/p>\n<\/td>\n<\/tr>\n

\n

19<\/p>\n<\/td>\n

\n

PageOut<\/p>\n<\/td>\n<\/tr>\n

\n

20<\/p>\n<\/td>\n

\n

Unknown<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

BC, that is all there is to using Windows PowerShell and WMI to find information about threads. Join me tomorrow when I will talk about more cool stuff.Therefore, the Notepad process is waiting and not ready for the processor. The reason it is waiting is EventPairLow<\/strong>.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/strong> <\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Microsoft Scripting Guy talks about using Windows PowerShell to explore process threads in Windows.  Hey, Scripting Guy! I have a problem. On our system, every once in a while, we have this application where the threads go crazy. I need an easy way to check threads. Can you help? —BC  Hello BC, Microsoft Scripting […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[31,87,3,4,45,6],"class_list":["post-4094","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-operating-system","tag-processes","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell","tag-wmi"],"acf":[],"blog_post_summary":"

Summary: Microsoft Scripting Guy talks about using Windows PowerShell to explore process threads in Windows.  Hey, Scripting Guy! I have a problem. On our system, every once in a while, we have this application where the threads go crazy. I need an easy way to check threads. Can you help? —BC  Hello BC, Microsoft Scripting […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/4094","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=4094"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/4094\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=4094"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=4094"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=4094"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}