e.g.: if I run `notepad.exe c:\autoexec.bat`, how can I get `c:\autoexec.bat` from `Get-Process notepad` in PowerShell?

Or how can I get `c:\autoexec.bat` from `Process.GetProcessesByName("notepad");` in C#?
In PowerShell you can get the command line of a process via WMI:

```powershell
$process = "notepad.exe"
Get-WmiObject Win32_Process -Filter "name = '$process'" | Select-Object CommandLine
```
Note that you need admin privileges to be able to access that information about processes running in the context of another user. As a normal user it's only visible to you for processes running in your own context.
There is a permissions aspect to this too. The PowerShell process needs to have permissions at least equivalent to the target process. So a regular PowerShell session won't be able to get such information for a process running elevated (e.g. as Administrator). In this case, `CommandLine` (the response) will just be blank.
@CJBS To be precise you need admin privileges to be able to access that information about processes running in the context of another user. As a normal user it's only visible to you for processes running in your own context.
The value is still truncated to a certain length of characters. You can work around it by piping the result to `Out-String -Width 2000` or something similar.
@mbrownnyc Using `-Filter` does the filtering on the remote host if you run `Get-WmiObject` against remote computers (using the `-ComputerName` parameter), reducing the amount of data that is transferred over the network (thus improving performance). Using `Where-Object` filters locally, after all WMI data was fetched from the remote host(s). It doesn't make a difference when running `Get-WmiObject` locally, though, like in this case. Also note that the syntax `where property <op> value` only works in PowerShell v3 or newer. Prior to that you must use `where { $_.property <op> value }`.

This didn't take much to figure out, but to save someone a few keystrokes, if you already have the process id (like from looking at CPU usage, etc.) you can use `"processid = 1234"` - I use it for seeing which website is going rogue on our server (and there are 200 `w3wp.exe` processes).
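Pulling the answer and the comment thread together (lookup by name or by process id, the blank `CommandLine` you get for processes you lack rights to, and the truncation of long values), here is an added helper that is not from the original answer. It uses `Get-CimInstance`, the current replacement for `Get-WmiObject`, against the same `Win32_Process` class; the function name and the sample process id 1234 are my own choices.

```powershell
# Added example (not the original answer's code): return the command line of
# processes selected by image name or by process id via Win32_Process.
function Get-ProcessCommandLine {
    [CmdletBinding(DefaultParameterSetName = 'ByName')]
    param(
        [Parameter(ParameterSetName = 'ByName', Position = 0)]
        [string]$Name = 'notepad.exe',

        [Parameter(ParameterSetName = 'ById', Mandatory)]
        [int]$ProcessId
    )

    # Build the WQL filter. A single quote inside the name must be doubled,
    # otherwise it would terminate the WQL string literal early.
    if ($PSCmdlet.ParameterSetName -eq 'ById') {
        $filter = "ProcessId = $ProcessId"
    } else {
        $filter = "Name = '$($Name.Replace("'", "''"))'"
    }

    Get-CimInstance -ClassName Win32_Process -Filter $filter |
        ForEach-Object {
            # CommandLine is $null when the caller has no access to the target
            # process (another user's process, or an elevated process queried
            # from a non-elevated session), so say so instead of showing a blank.
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                Name        = $_.Name
                CommandLine = if ($null -ne $_.CommandLine) { $_.CommandLine } else { '<not accessible>' }
            }
        }
}

# Format-List prints the full value; Format-Table would cut long command lines
# to the console width, which is the truncation noted in the comments above.
Get-ProcessCommandLine -Name 'notepad.exe' | Format-List
Get-ProcessCommandLine -ProcessId 1234 | Format-List   # 1234 is a placeholder id
```

Run it from an elevated session when you need the command lines of other users' or elevated processes; otherwise those rows come back as `<not accessible>`.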