Get Process Owner and Other Info with WMI and PowerShell


Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell and WMI to retrieve process owner and other information.

Microsoft Scripting Guy, Ed Wilson, is here. We were supposed to receive seven inches of snow the other day. They closed schools and businesses, and the roads were swamped with people rushing to various stores in preparation for the snowstorm of the century. Of course, the century is still not all that old, and the storm was not that big of a deal.

In fact, as it turned out, it really was not a big deal at all. We received less than a half-inch of snow, and even that did not stick around. So the kids were outside trying to make snow persons, but they did not have enough snow to do so. Perhaps they could have bought some via the Internet. It was all a non-event.

Something that is not a non-event is using Windows PowerShell to retrieve cool information. As I have mentioned, for basic process information, nothing beats the Get-Process cmdlet. It is fast, works remotely, and is really easy to use. But there are times I need to know more information.

First up, what file is open?

I like the detailed command information that is available in Windows PowerShell via WMI when I query the Win32_Process class. For example, I can often find out what file is open by looking at the command line. I use the Get-CimInstance cmdlet, and pipe the output to the Format-List cmdlet so I can see all of the properties. This command is shown here:

Get-CimInstance Win32_Process -Filter "name = 'notepad.exe'" | fl *

In the following output, the CommandLine property shows me that I have a specific file open in Notepad.

Image of command output

By using a command like the following, I can find what process has a file locked or filter the results based on the file name:

PS C:\> Get-CimInstance Win32_Process | where commandline -match 'applog'

ProcessId Name        HandleCount WorkingSetSize VirtualSize
--------- ----        ----------- -------------- -----------
10076     notepad.exe 114         9093120        2199130263552

After I have this information, I can stop the process if I need to do so. This is shown here:

PS C:\> $proc = Get-CimInstance Win32_Process | where commandline -match 'applog'
PS C:\> Invoke-CimMethod -InputObject $proc -MethodName Terminate

ReturnValue PSComputerName
----------- --------------
          0

Get the owner of the process

To get the owner of the process, I use the GetOwner method from the Win32_Process class that I retrieve when I query for instances of Notepad. The first thing I do is use Get-CimInstance to retrieve instances of Notepad:

Get-CimInstance Win32_Process -Filter "name = 'notepad.exe'"

Next, I store the returned object in a variable:

$proc = Get-CimInstance Win32_Process -Filter "name = 'notepad.exe'"

Now I call the GetOwner method from the Invoke-CimMethod cmdlet. The cool thing is that Tab completion works, so I can cycle through the available methods. The command is shown here:

Invoke-CimMethod -InputObject $proc -MethodName GetOwner

Here is the command and the output from the command:

Image of command output
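The two techniques above (matching on CommandLine and calling GetOwner) can be combined into one report. This is an added example, not code from the original post; Get-ProcessOwnerInfo is a hypothetical helper name, and the example goes beyond the post by falling back to Get-WmiObject on PowerShell 2.0, where the CIM cmdlets do not exist.

```powershell
# Added example. Get-ProcessOwnerInfo is a hypothetical name, not a built-in cmdlet.
function Get-ProcessOwnerInfo {
    param(
        # Regex matched (case-insensitively) against CommandLine; '' matches every process.
        [string]$CommandLinePattern = ''
    )

    # The CIM cmdlets arrived in PowerShell 3.0; use Get-WmiObject where they are missing.
    $useCim = [bool](Get-Command Get-CimInstance -ErrorAction SilentlyContinue)

    if ($useCim) { $procs = Get-CimInstance -ClassName Win32_Process }
    else         { $procs = Get-WmiObject -Class Win32_Process }

    foreach ($p in $procs) {
        if ($p.CommandLine -notmatch $CommandLinePattern) { continue }

        # Call GetOwner one instance at a time so several matches are handled.
        try {
            if ($useCim) {
                $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
            } else {
                $o = $p.GetOwner()
            }
        } catch {
            $o = $null   # for example, the process exited after the query
        }

        # ReturnValue 0 is success; other values (such as 2, access denied) give no owner.
        if ($o -and $o.ReturnValue -eq 0) { $owner = '{0}\{1}' -f $o.Domain, $o.User }
        else                              { $owner = $null }

        New-Object PSObject -Property @{
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            Owner       = $owner
            CommandLine = $p.CommandLine
        }
    }
}

# Same filter as the post's example: processes with 'applog' on the command line.
Get-ProcessOwnerInfo -CommandLinePattern 'applog' |
    Select-Object ProcessId, Name, Owner, CommandLine |
    Format-List
```

Run from a non-elevated session, Owner is empty for processes that belong to other accounts, because GetOwner returns a non-zero ReturnValue for them.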

That is all there is to using WMI methods and Windows PowerShell to retrieve information. Join me tomorrow when I will talk about more cool Windows PowerShell stuff.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

Comments (3)

  1. John says:

    As a long time Unix shell user, for something as simple as getting the owner of a process having to go through all that really tells me that PowerShell has a long way to go in terms of achieving the elegance that bash, ksh, zsh, or even sh has.

    Get-process should include the owner as a property specifically so you DON’T have to go through all this to get such a basic piece of information. I hope the cmdlet is improved in the future.

  2. Boe Prox says:

    Starting with PowerShell V4, Get-Process has the -IncludeUserName parameter to list the owner of a process.

  3. John says:

    Thanks Bob, I appreciate the feedback.

    Unfortunately I can’t control the versions of PS on production servers at clients’ sites. Most of them would be lucky to be past V2 which means I am looking at using a variety of checks for capabilities or designing a layer (jquery style) of code that deals with those issues, instead of being able to focus on what I need to do.

    More than likely I’ll just use strategy and some browser style check techniques, still getting my feet wet at this stage.
