{"id":7591,"date":"2015-02-27T00:01:00","date_gmt":"2015-02-27T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2015\/02\/27\/get-process-owner-and-other-info-with-wmi-and-powershell\/"},"modified":"2019-02-18T10:30:28","modified_gmt":"2019-02-18T17:30:28","slug":"get-process-owner-and-other-info-with-wmi-and-powershell","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/get-process-owner-and-other-info-with-wmi-and-powershell\/","title":{"rendered":"Get Process Owner and Other Info with WMI and PowerShell"},"content":{"rendered":"

Summary<\/b>: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell and WMI to retrieve process owner and other information.<\/span><\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. We were supposed to receive seven inches of snow the other day. They closed schools and businesses, and the roads were swamped with people rushing to various stores in preparation for the snowstorm of the century. Of course, the century is still not all that old, and the storm was not that big of a deal.<\/p>\n

In fact, as it turned out, it really was not a big deal at all. We received less than a half-inch of snow, and even that did not stick around. So the kids were outside trying to make snow persons, but they did not have enough snow to do so. Perhaps they could have bought some via the Internet. It was all a non-event.<\/p>\n

Something that is not a non-event is using Windows PowerShell to retrieve cool information. As I have mentioned, for basic process information, nothing beats the Get-Process<\/b> cmdlet. It is fast, works remotely, and is really easy to use. But there are times I need to know more information.<\/p>\n

First up, what file is open?<\/h2>\n

I like the detailed command information that is available in Windows PowerShell via WMI when I query the Win32_Process cmdlet. For example, I can often find out what file is open by looking at the command line. I use the Get-CimInstance<\/b> cmdlet, and pipe the output to the Format-List<\/b> cmdlet so I can see all of the properties. This command is shown here:<\/p>\n

Get-CimInstance Win32_Process -Filter "name = 'notepad.exe'" | fl *<\/p>\n

In the following output, the CommandLine<\/b> property shows me that I have a specific file open in Notepad.<\/p>\n

\"Image<\/a><\/p>\n

By using a command like the following, I can find what process has a file locked or filter the results based on the file name:<\/p>\n

PS C:\\> Get-CimInstance Win32_Process | where commandline -match 'applog'<\/p>\n

ProcessId            Name             HandleCount         WorkingSetSize      VirtualSize       <\/p>\n

———            —-             ———–         ————–      ———–        <\/p>\n

10076                notepad.exe      114                 9093120             2199130263552      <\/p>\n

After I have this information, I can stop the process if I need to do so. This is shown here:<\/p>\n

PS C:\\> $proc = Get-CimInstance Win32_Process | where commandline -match 'applog'<\/p>\n

PS C:\\> Invoke-CimMethod -InputObject $proc -MethodName Terminate<\/p>\n

                                   ReturnValue PSComputerName                              <\/p>\n

                                   ———– ————–                               <\/p>\n

                                             0                         <\/p>\n

Get the owner of the process<\/h2>\n

To get the owner of the process, I use the GetOwner<\/b> method from the Win32_Process class that I retrieve when I query for instances of Notepad. The first thing I do is use Get-CimInstance<\/b> to retrieve instances of Notepad:<\/p>\n

  Get-CimInstance Win32_Process -Filter "name = 'notepad.exe'"<\/p>\n

Next, I store the returned object in a variable:<\/p>\n

$proc = Get-CimInstance Win32_Process -Filter "name = 'notepad.exe'"<\/p>\n

Now I call the GetOwner<\/b> method from the Invoke-CimMethod<\/b> cmdlet. The cool thing is that Tab completion works, so I can cycle through the available methods. The command is shown here:<\/p>\n

Invoke-CimMethod -InputObject $proc -MethodName GetOwner<\/p>\n

Here is the command and the output from the command:<\/p>\n

\"Image<\/a><\/p>\n

That is all there is to using WMI methods and Windows PowerShell to retrieve information. Join me tomorrow when I will talk about more cool Windows PowerShell stuff.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/b> <\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell and WMI to retrieve process owner and other information. Microsoft Scripting Guy, Ed Wilson, is here. We were supposed to receive seven inches of snow the other day. They closed schools and businesses, and the roads were swamped with people rushing to various stores […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[3,4,45,6],"class_list":["post-7591","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell","tag-wmi"],"acf":[],"blog_post_summary":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell and WMI to retrieve process owner and other information. Microsoft Scripting Guy, Ed Wilson, is here. We were supposed to receive seven inches of snow the other day. They closed schools and businesses, and the roads were swamped with people rushing to various stores […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/7591","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=7591"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/7591\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=7591"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=7591"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=7591"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}