{"id":69353,"date":"2005-07-20T07:18:00","date_gmt":"2005-07-20T07:18:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/07\/20\/how-can-i-determine-the-date-and-time-that-a-process-started\/"},"modified":"2005-07-20T07:18:00","modified_gmt":"2005-07-20T07:18:00","slug":"how-can-i-determine-the-date-and-time-that-a-process-started","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-determine-the-date-and-time-that-a-process-started\/","title":{"rendered":"How Can I Determine the Date and Time that a Process Started?"},"content":{"rendered":"

\"Hey, \n

Hey, Scripting Guy! How can I determine the date and time that a process started?

— BM<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, BM. We\u2019ve got good news for you: not only do we have an answer to your question, but we\u2019re not going to bore everyone with any more stories<\/B><\/A> regarding our Colt League All-Star team. Nope, we\u2019re no longer haunted by the fact that, in a tie game, we had the bases loaded, one out, and were unable to score a run, even though we have our three and four hitters up. We are no longer wondering what might have happened had we been able to get that bunt down early in the game. What if our third baseman hadn\u2019t lost that popup in the sun? Hey, it doesn\u2019t matter; it\u2019s just a game, right?<\/P>\n

OK, we don\u2019t believe that for a second. Therefore, maybe we better try to forget about baseball and answer your question for you. Here\u2019s a script that can tell you the date and time that Notepad.exe started:<\/P>

strComputer = “.”\nSet objWMIService = GetObject(“winmgmts:\\\\” & strComputer & “\\root\\cimv2”)<\/p>\n
Set colProcessList = objWMIService.ExecQuery _\n    (“Select * from Win32_Process Where Name = ‘notepad.exe'”)<\/p>\n
For Each objProcess in colProcessList\n    Wscript.Echo objProcess.CreationDate\nNext\n<\/PRE>\n
Yes, very easy. We start off by binding to the WMI service, then use this query to return a collection of all the processes named notepad.exe:<\/P>
Set colProcessList = objWMIService.ExecQuery _\n    (“Select * from Win32_Process Where Name = ‘notepad.exe'”)\n<\/PRE>\n
We then set up a For Each loop to cycle through the collection, echoing the value of the CreationDate<\/B> property for each item in the collection. How complicated could something like that be?<\/P>\n
Well, OK, maybe a little more complicated than what we showed you. The preceding script works, but there is<\/I> a problem. The CreationDate property, like most WMI date-time values, is stored using the Universal Time Coordinate (UTC) format. That means that the process start time is going to be returned looking something like this:<\/P>
20050718095318.019149-420\n<\/PRE>\n
How\u2026nice\u2026.<\/P>\n
We won\u2019t go into all the gory details regarding the UTC time format; you can find a reasonably good discussion of that in the Microsoft Windows 2000 Scripting Guide<\/B><\/A>. Although it might not look like it, our return value actually has all the information we need; for example, the 2005<\/B> at the beginning of the string indicates the year (2005), the subsequent 07<\/B> indicates the month (July), and so on. All we have to do is parse the string and put the pieces back together in a more-recognizable format. <\/P>\n
One way to do that is to use the VBScript string manipulation functions to grab the individual date parts out of the return value and then rearrange them in a standard date-time format. (There\u2019s actually an easier way to do this on Windows XP and Windows Server 2003, but we\u2019ll show you a more generic approach for now.) For example, we know that characters 1 through 4 in our return value represent the year that the process started; therefore, we can use code like this to return just those four characters (assuming that we\u2019ve stored the return value in a variable named dtmStart):<\/P>
Left(dtmStart, 4)\n<\/PRE>\n
As you can see, we use the Left<\/B> function to grab the four leftmost characters (that is, the first four characters in the string). We also know that the month is represented by characters 5 and 6. Therefore we can use the Mid<\/B> functions to grab the two characters that begin at position 5 in the string:<\/P>
Mid(dtmStart, 5, 2)\n<\/PRE>\n
Carried all the way out, we end up with a function similar to this:<\/P>
Function WMIDateStringToDate(dtmStart)\n    WMIDateStringToDate = CDate(Mid(dtmStart, 5, 2) & “\/” & _\n        Mid(dtmStart, 7, 2) & “\/” & Left(dtmStart, 4) _\n            & ” ” & Mid (dtmStart, 9, 2) & “:” & _\n                Mid(dtmStart, 11, 2) & “:” & Mid(dtmStart, _\n                    13, 2))\nEnd Function\n<\/PRE>\n
All we have to do now is incorporate this function into our script. To do that we don\u2019t echo the value of the CreationDate property; instead, we store that value in a variable named dtmStartTime. We pass that value to our function, then echo the revised value returned by that function. Here\u2019s what our modified For Each loop looks like:<\/P>
For Each objProcess in colProcessList\n    dtmStartTime = objProcess.CreationDate\n    strReturn = WMIDateStringToDate(dtmStartTime)\n    Wscript.Echo strReturn \nNext\n<\/PRE>\n
And here\u2019s what the new and improved script looks like:<\/P>
strComputer = “.”\nSet objWMIService = GetObject(“winmgmts:\\\\” & strComputer & “\\root\\cimv2”)<\/p>\n
Set colProcessList = objWMIService.ExecQuery _\n    (“Select * from Win32_Process Where Name = ‘notepad.exe'”)<\/p>\n
For Each objProcess in colProcessList\n    dtmStartTime = objProcess.CreationDate\n    strReturn = WMIDateStringToDate(dtmStartTime)\n    Wscript.Echo strReturn \nNext<\/p>\n
Function WMIDateStringToDate(dtmStart)\n    WMIDateStringToDate = CDate(Mid(dtmStart, 5, 2) & “\/” & _\n        Mid(dtmStart, 7, 2) & “\/” & Left(dtmStart, 4) _\n            & ” ” & Mid (dtmStart, 9, 2) & “:” & _\n                Mid(dtmStart, 11, 2) & “:” & Mid(dtmStart, _\n                    13, 2))\nEnd Function\n<\/PRE>\n
When we run this script we get back output that looks like this:<\/P>
7\/18\/2005 9:53:18 AM\n<\/PRE>\n
That\u2019s a little nicer, almost nice enough to make you wonder what would have happened had we changed pitchers one batter earlier, right before we gave up that bases-loaded triple\u2026.<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I determine the date and time that a process started?— BM Hey, BM. We\u2019ve got good news for you: not only do we have an answer to your question, but we\u2019re not going to bore everyone with any more stories regarding our Colt League All-Star team. Nope, we\u2019re no longer […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[13,31,87,3,4,5,6],"class_list":["post-69353","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-dates-and-times","tag-operating-system","tag-processes","tag-scripting-guy","tag-scripting-techniques","tag-vbscript","tag-wmi"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I determine the date and time that a process started?— BM Hey, BM. We\u2019ve got good news for you: not only do we have an answer to your question, but we\u2019re not going to bore everyone with any more stories regarding our Colt League All-Star team. Nope, we\u2019re no longer […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=69353"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69353\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=69353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=69353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=69353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}