{"id":70613,"date":"2005-01-20T16:22:00","date_gmt":"2005-01-20T16:22:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/01\/20\/how-can-i-tell-which-switches-were-used-when-starting-an-executable-file\/"},"modified":"2005-01-20T16:22:00","modified_gmt":"2005-01-20T16:22:00","slug":"how-can-i-tell-which-switches-were-used-when-starting-an-executable-file","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-tell-which-switches-were-used-when-starting-an-executable-file\/","title":{"rendered":"How Can I Tell Which Switches Were Used When Starting an Executable File?"},"content":{"rendered":"

\"Hey, \n

Hey, Scripting Guy! Is there any way to tell which command-line arguments (if any) were used when starting an executable file?

— TO<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, TO. We don\u2019t mean to cause a scandal in the scripting world – well, OK, we don\u2019t mean to cause any more<\/I> scandals in the scripting world. But – gasp! – we\u2019re going to cheat a little bit here. This is the first time we\u2019ve ever been asked this question, and yet, to answer it, we\u2019re going to recycle an answer to a different question we were asked a few months ago.<\/P>\n

So here goes: as long as you\u2019re running Windows XP or Windows Server 2003, then, yes, it\u2019s very easy to tell which command-line arguments (if any) were used when starting an executable file. That\u2019s because in these two versions of Windows (but not in previous versions), the WMI class Win32_Process includes a property named CommandLine<\/B> that provides the complete command line (including switches) used to start an executable file.<\/P>\n

For example, suppose Netstat.exe is running on a computer, and you want to know which command-line switches were used to start the program. Here\u2019s a script that can tell you that:<\/P>

strComputer = “.”<\/p>\n
Set objWMIService = GetObject(“winmgmts:\\\\” & strComputer & “\\root\\cimv2”)\nSet colItems = objWMIService.ExecQuery _\n    (“Select * From Win32_Process Where Name = ‘netstat.exe'”)<\/p>\n
For Each objItem in colItems\n    Wscript.Echo objItem.CommandLine\nNext\n<\/PRE>\n
As you can see, a pretty simple little script: we return a collection of all the processes that have the name Netstat.exe, and then we echo the CommandLine property for each one. Suppose we started Netstat using this command: netstat.exe -a 30. In that case, here\u2019s what our script would report for the CommandLine property:<\/P>
netstat.exe -a 30\n<\/PRE>\n
Just what you hoped it would report.<\/P>\n
The interesting thing about the CommandLine property is that it will often give you useful information even if you never touch the command line. For example, suppose you have a script named C:\\Scripts\\Inventory.vbs, and suppose you right-click the file in My Computer and choose Edit<\/B>. That will open the script up in Notepad (assuming Notepad is your default script editor). And here\u2019s the CommandLine property for that instance of Notepad:<\/P>
C:\\WINDOWS\\System32\\Notepad.exe C:\\scripts\\inventory.vbs\n<\/PRE>\n
In other words, not only do we know that Notepad is open, but we know which file<\/I> (inventory.vbs) is open. This same approach will work will a number of different applications although, for some reason, it doesn\u2019t<\/I> work with Microsoft Word or Excel. (Interestingly enough, though, it will<\/I> with PowerPoint.) With Word and Excel applications, you get the CommandLine for starting the program, but no indication as to what document is open. Instead, you get back a generic command-line string like this:<\/P>
“C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE” \/e\n<\/PRE>\n
A mystery we\u2019ll have to investigate some other time.<\/P>\n
By the way, if the suspense is killing you, we used this same answer (the CommandLine property of the Win32_Process class) in response to this question: How can I tell which scripts are running on a computer? To do that, you look at the CommandLine property for any Wscript.exe and CScript.exe processes; the CommandLine will include the name of the script being run under one of those script hosts. Or, to put it programmatically:<\/P>
strComputer = “.”<\/p>\n
Set objWMIService = GetObject(“winmgmts:\\\\” & strComputer & “\\root\\cimv2”)\nSet colItems = objWMIService.ExecQuery _\n    (“Select * From Win32_Process Where Name = ‘wscript.exe’ OR Name = \u2018cscript.exe\u2019”)<\/p>\n
For Each objItem in colItems\n    Wscript.Echo objItem.CommandLine\nNext\n<\/PRE><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! Is there any way to tell which command-line arguments (if any) were used when starting an executable file?— TO Hey, TO. We don\u2019t mean to cause a scandal in the scripting world – well, OK, we don\u2019t mean to cause any more scandals in the scripting world. But – gasp! – we\u2019re […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[31,87,3,5],"class_list":["post-70613","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-operating-system","tag-processes","tag-scripting-guy","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! Is there any way to tell which command-line arguments (if any) were used when starting an executable file?— TO Hey, TO. We don\u2019t mean to cause a scandal in the scripting world – well, OK, we don\u2019t mean to cause any more scandals in the scripting world. But – gasp! – we\u2019re […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/70613","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=70613"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/70613\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=70613"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=70613"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=70613"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}