Skip to main content

PowerShell Get running processes and its command line path

How to get running processes with PowerShell using WMI and display its path.

PowerShell below will display the path and also the command line of the process on how the process was executed.

The code below will also display the process-id, the process-id or PID can also be supplied to an application called handle64 from SysInternal tools. This tool is quite cool since it will display more info about the PID supplied to handle application.

Download link for handle64: https://docs.microsoft.com/en-us/sysinternals/downloads/handle


Example output of handle64:

Skype.exe pid: 42360 DESKTOP-Name\iuser-xname

   40: File          C:\Windows

   84: File          C:\Program Files (x86)\Microsoft\Skype for Desktop

  24C: File          C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b23cb64144ccf1df_6.0.19041.1_none_fd031af4F787f5b0106f2

  380: File          C:\Windows\System32\en-US\mswsock.dll.mui

  3A0: File          C:\Users\iuser-~1\AppData\Local\Temp\skype-preview Crashes\operation_log.txt

  3C4: File          C:\Users\iuser-~1\AppData\Local\Temp\skype-preview Crashes\CrashpadMetrics-active.pma

  3D0: Section       \Windows\Theme2059671484

  3D4: Section       \Sessions\1\Windows\Theme3966775245c43435

PowerShell code to display processes:

Get-WmiObject -Query “SELECT * FROM Win32_Process” | Ft  ExecutablePath, ProcessId, CommandLine -wrap 

Sample output:

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe  

697072 "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"     

--type=renderer --field-trial-handle=10572,1079634

77934539454521501883579,116308618535245426994419,131530072      

--lang=en-US --enable-auto-reload               

--device-scale-factor=1.25                      

--num-raster-threads=4                          

--enable-main-frame-before-activation           

--renderer-client-id=204                        

--no-v8-untrusted-code-mitigations              

--mojo-platform-channel-handle=697072 /prefetch:1  


That's it if need to troubleshoot or just need to peek around the running processes or application, above code will be able to do such task. Or if there is a need to check how the command line was launched, the PowerShell command line output displays on how the application was launch via command line.


To stop or terminate running processes via command line check out this link: https://quickbytesstuff.blogspot.com/2016/01/windows-get-running-processes.html


Cheers...till next time. Stay safe and keep praying that this pandemic will end.

================================

Free Android Apps:

Click  links below to find out more:

Excel Keyboard guide:

Heaven's Dew Fall  Prayer app for Android :



Catholic Rosary Guide  for Android:
Pray the Rosary every day, countless blessings will be showered upon your life if you recite the Rosary faithfully. 
https://play.google.com/store/apps/details?id=com.myrosaryapp

Labels

Labels:

Comments

Post a Comment

Popular posts from this blog

WMIC get computer name

WMIC get computer model, manufacturer, computer name and  username. WMIC is a command-line tool and that can generate information about computer model, its manufacturer, its username and other informations depending on the parameters provided. Why would you need a command line tool if there’s a GUI to check? If you have 20 or 100 computers, or even more. It’s quite a big task just checking the GUI to check the computer model and username. If you have remote computers, you need to delegate someone in the remote office or location to check. Or you can just write a batch file or script to automate the task. Here’s the code below on how get computer model, manufacturer and the username. Open an elevated command prompt and type:     wmic computersystem get "Model","Manufacturer", "Name", "UserName" Just copy and paste the code above, the word “computersystem” does not need to be change to a computer name. A...
Post a Comment
Read more

Print error 016-799 - Fuji Film Xerox

016-799 Fuji Xerox or Fuji Film print error code. That shows a description error as “Print instruction Fail detected in decomposer.” The error code and error description are alien languages for users and even system administrators who are not familiar with Fuji Xerox error code. The error code is quite simple and easy to fix, if the job print goes to the printer but print out doesn’t come out. So, basically the print job was received by the printer, but the printer just doesn’t know what type of paper or what size to use or which tray to utilize for the print out. In some instances, this is just a paper mismatch but the error description; if using Windows 10 to print does not exactly points to what is the issue. First thing to check, is the paper size selected by the user to print. Example, if the printer configuration is A3 and A4 sizes only. But then the person printing the file accidentally chooses “A4 Cover” then this error 016-799 will occur. ...
6 comments
Read more

How to check office version from command line

The are quite a few ways to check office version it can be done via registry, PowerShell or VBScript and of course, good old command line can also do it. Checking Windows office version whether it is Office 2010, Office, 2013, Office 2016 or other version is quite important to check compatibility of documents; or just a part of software inventory. For PowerShell this simple snippet can check the office version: $ol = New-Object -ComObject Excel.Application $ol . Version The command line option will tell you where’s the path located; the result will also tell whether office is 32-bit, 64-bit and of course the version of the office as well. Here’s the command that will check the office version and which program directory the file is located which will tell whether it’s 32-bit or 64-bit. Command to search for Excel.exe: DIR C:\ /s excel.exe | find   /i "Directory of"  Above command assumes that program files is on  C: drive. Sample O...
Post a Comment
Read more