Using PowerShell to obtain process information

You can use the Get-CimInstance cmdlet at a PowerShell prompt to obtain information on processes running on a Microsoft Windows system. E.g., to see a list of all the processes currently running on a system, the command gcim win32_process can be used; gcim is an alias for Get-CimInstance, so you can use the shorter alias or Get-CimInstance. The name of the process, its process identifier (PID), handle count, working set size, and virtual memory size are displayed.

PS C:\Users\Lila> gcim win32_process

ProcessId Name                         HandleCount WorkingSetSize VirtualSize
--------- ----                         ----------- -------------- -----------
0         System Idle Process          0           8192           65536
4         System                       3493        7573504        11452416
436       smss.exe                     55          1056768        2199029911552
644       csrss.exe                    765         5804032        2199086116864
756       csrss.exe                    641         4820992        2199085301760
780       wininit.exe                  141         5308416        2199078232064
828       winlogon.exe                 230         9785344        2199103651840
904       services.exe                 666         10571776       2199069249536
920       lsass.exe                    1487        17948672       2199079809024
1020      svchost.exe                  70          3522560        2199047536640
416       svchost.exe                  2776        31625216       2199139074048
552       fontdrvhost.exe              45          2801664        2199085924352
448       fontdrvhost.exe              45          7663616        2199219183616
872       svchost.exe                  980         16252928       2199123591168
1060      svchost.exe                  332         8470528        2199070224384
1160      svchost.exe                  844         66977792       2199259000832
1248      svchost.exe                  174         8486912        2199068123136
1312      svchost.exe                  106         5423104        2199065399296
1436      svchost.exe                  134         5173248        2199057866752
1508      dwm.exe                      483         62906368       2199289069568
1516      atiesrxx.exe                 120         3899392        28639232
1528      svchost.exe                  182         7053312        2199063388160
1536      svchost.exe                  125         7835648        2199061176320
1544      svchost.exe                  153         6725632        2199068176384
1576      svchost.exe                  144         11022336       2199070298112
1584      svchost.exe                  431         12627968       2199085236224
1732      svchost.exe                  192         5545984        2199060905984
1740      svchost.exe                  211         9924608        2199101943808
1748      svchost.exe                  158         7593984        2199067979776
1756      svchost.exe                  249         8749056        2199071862784
1816      svchost.exe                  233         16547840       2199098425344
1888      WUDFHost.exe                 388         7712768        2199076732928
1924      svchost.exe                  162         7622656        2199070228480
1968      svchost.exe                  174         7675904        2199068536832
1976      svchost.exe                  144         9510912        2199108993024
1456      svchost.exe                  191         7168000        2199064539136
2056      svchost.exe                  387         14811136       2199111286784
2156      svchost.exe                  368         12226560       2199079366656
2164      svchost.exe                  455         21647360       2199131877376
2268      svchost.exe                  286         12435456       2199083753472
2348      svchost.exe                  1172        9154560        2199077736448
2384      svchost.exe                  119         5820416        2199058989056
2392      svchost.exe                  384         11493376       2199090819072
2444      svchost.exe                  216         8863744        2199105306624
2640      svchost.exe                  172         6283264        2199068110848
2720      svchost.exe                  350         12480512       2199095590912
2732      svchost.exe                  200         9015296        2199074267136
2772      svchost.exe                  1240        8048640        2199064600576
2804      svchost.exe                  184         10129408       2199073574912
2860      svchost.exe                  232         9707520        2199105683456
3020      spoolsv.exe                  536         16814080       2199143129088
3028      svchost.exe                  143         10833920       2199074377728
3224      svchost.exe                  152         6852608        2199065890816
3248      svchost.exe                  378         15572992       2199137042432
3324      svchost.exe                  441         11489280       2199081918464
3344      svchost.exe                  151         8683520        2199074213888
3352      svchost.exe                  273         14614528       2199179874304
3360      svchost.exe                  116         5984256        2199057027072
3368      svchost.exe                  623         26607616       2199162109952
3376      svchost.exe                  311         24096768       2199137792000
3384      svchost.exe                  237         9072640        2199071485952
3476      svchost.exe                  305         9400320        2199084199936
3524      svchost.exe                  209         9277440        2199082557440
3580      svchost.exe                  188         7471104        2199070752768
3700      svchost.exe                  202         80707584       2203420794880
3708      svchost.exe                  128         5627904        2199057858560
3716      svchost.exe                  361         18440192       2199115366400
3732      AppleMobileDeviceService.exe 217         10457088       127602688
3740      mDNSResponder.exe            147         5570560        36573184
3748      schedul2.exe                 149         6127616        70488064
3764      PsiService_2.exe             104         4661248        30580736
3796      Fuel.Service.exe             228         11128832       102424576
3804      MsMpEng.exe                  769         161230848      2199590989824
3812      snmp.exe                     215         7020544        2199069216768
3836      Agent.exe                    494         19099648       225927168
3852      YahooAUService.exe           222         11296768       83034112
3864      GuardAgent.exe               79          4296704        26193920
3880      SecurityHealthService.exe    324         14397440       2199095042048
3968      svchost.exe                  89          4997120        2199057125376
4076      mqsvc.exe                    339         10694656       2199115403264
4164      dasHost.exe                  98          4325376        2199049117696
4264      svchost.exe                  214         8892416        2199072043008
4484      Memory Compression           0           511483904      564133888
4556      svchost.exe                  202         7282688        2199069704192
5316      svchost.exe                  125         6746112        2199065485312
5328      svchost.exe                  137         6262784        2199060594688
788       svchost.exe                  236         16289792       2199180906496
912       vds.exe                      212         9084928        2199075328000
5908      atieclxx.exe                 203         12357632       103923712
5684      NisSrv.exe                   291         3239936        2199096311808
5108      sihost.exe                   486         28184576       2199150542848
1352      svchost.exe                  240         17489920       2199122821120
6100      svchost.exe                  387         27021312       2199173885952
5384      svchost.exe                  282         15785984       2199096664064
6516      explorer.exe                 2206        122388480      2199596027904
6720      taskhostw.exe                490         26890240       2199211319296
6900      svchost.exe                  353         17469440       2199122931712
7384      ShellExperienceHost.exe      1094        63778816       2199399350272
7556      RuntimeBroker.exe            711         49692672       2199247142912
7948      svchost.exe                  273         19161088       2199103320064
8096      SkypeHost.exe                293         8921088        153907200
9096      MSASCuiL.exe                 144         13373440       2199116099584
9172      RAVCpl64.exe                 342         15376384       134459392
1204      schedhlp.exe                 153         11579392       83992576
2040      TrayMonitor.exe              183         14061568       94957568
2064      iTunesHelper.exe             269         17584128       153251840
3792      AllmyappsNotifier.exe        648         67137536       749137920
8544      iPodService.exe              142         7376896        54591488
9016      chrome.exe                   1593        78913536       2199444426752
6860      chrome.exe                   237         13615104       2199125897216
7200      winampa.exe                  130         11243520       81076224
6352      chrome.exe                   148         13516800       2199121522688
3996      chrome.exe                   390         25141248       2199384817664
8516      chrome.exe                   261         22810624       2199815888896
7644      chrome.exe                   288         25399296       2199829921792
8512      chrome.exe                   287         24301568       2199833853952
7816      chrome.exe                   253         21786624       2199812218880
7656      chrome.exe                   260         35004416       2199875141632
8500      chrome.exe                   280         24076288       2199834116096
7636      chrome.exe                   253         21598208       2199807500288
7888      chrome.exe                   270         20275200       2199812710400
9504      EuWatch.exe                  99          10543104       69201920
9544      TrayNotify.exe               223         17129472       102658048
9768      chrome.exe                   263         22581248       2199812358144
7588      ComicLife3.exe               3234        60350464       1206206464
7696      svchost.exe                  441         20226048       2199274377216
9088      PresentationFontCache.exe    216         15437824       550039552
10196     svchost.exe                  177         8372224        2199070498816
6628      OneDrive.exe                 551         37011456       241717248
5064      svchost.exe                  684         13754368       2199161389056
5188      svchost.exe                  258         10809344       2199085215744
4432      SettingSyncHost.exe          185         3227648        2199089606656
664       svchost.exe                  192         8343552        2199215951872
4452      svchost.exe                  178         8986624        2199069466624
1232      dllhost.exe                  168         14909440       2199100493824
2980      cmd.exe                      45          2793472        2199043596288
3928      conhost.exe                  232         15757312       2199134736384
8820      firefox.exe                  1971        1336586240     2601459712
8308      svchost.exe                  94          5259264        2199056556032
9828      SearchIndexer.exe            982         39849984       2199281152000
8472      plugin-container.exe         343         31727616       295370752
5040      OSPPSVC.EXE                  184         11952128       53395456
8712      splwow64.exe                 190         15126528       2199110000640
10096     notepad.exe                  220         16494592       2199159549952
7356      notepad.exe                  220         17403904       2199160598528
6104      svchost.exe                  171         5169152        2199107723264
4148      svchost.exe                  739         34598912       2199296479232
8532      svchost.exe                  133         5931008        2199058878464
9936      csrss.exe                    158         3457024        2199069282304
5168      winlogon.exe                 182         6111232        2199081562112
4852      LogonUI.exe                  419         33165312       2199273877504
3596      fontdrvhost.exe              45          2785280        2199083778048
7436      atieclxx.exe                 177         6778880        103718912
11212     dwm.exe                      384         21913600       2199206469632
5952      rdpclip.exe                  277         10940416       2199125721088
6320      taskhostw.exe                321         15900672       2199144755200
11240     putty.exe                    303         18280448       157700096
8320      SoftwareUpdate.exe           1268        991232         275869696
3604      powershell.exe               845         85270528       2199713677312
10324     conhost.exe                  233         15409152       2199155642368
6296      gvim.exe                     205         17526784       126078976
8572      Taskmgr.exe                  513         47742976       2199245176832
10032     SearchUI.exe                 856         102264832      2234067509248
9696      WmiPrvSE.exe                 148         9986048        2199065812992


PS C:\Users\Lila>

You can filter the output to a specific process or processes by piping the output to Where-Object with gcim win32_process | Where-Object {$_.Name -eq 'putty.exe'} as shown below:

PS C:\Users\Lila> gcim win32_process | Where-Object {$_.Name -eq 'putty.exe'}

ProcessId Name      HandleCount WorkingSetSize VirtualSize
--------- ----      ----------- -------------- -----------
11240     putty.exe 303         17383424       157700096


PS C:\Users\Lila>

To use Where-Object to filter the output, you enclose a script block within curly braces. There are three components to the script block: the property on which to filter, in this case Name; a comparison operator, here -eq, i.e., "equals"; and the value to compare against, which in this case is putty.exe. Because the value is a string, it must be enclosed in either single or double quotes.

You can use the following comparison operators:

-ne           not equal to
-lt           less than
-le           less than or equal to
-gt           greater than
-ge           greater than or equal to
-like         like - a wildcard comparison
-notlike      not like - a wildcard comparison
-contains     contains the specified value
-notcontains  doesn't contain the specified value

The $_ represents the current object in the pipeline. Each object in the process list from gcim is passed through the Where-Object filter one at a time in the $_ variable. The property to filter on is specified by putting a period after $_ and then the property name, i.e., $_.Name in this example. So Where-Object is determining, for each object, whether its Name is equal to 'putty.exe'.

You can also obtain other information for a process by piping the output from Where-Object to select (an alias for Select-Object). E.g., if I want to know the full command line for the process, I can use select commandline as shown below:

PS C:\Users\Lila> gcim win32_process | Where-Object {$_.Name -eq 'putty.exe'} | select commandline

commandline
-----------
"C:\Program Files (x86)\PuTTY\putty.exe"


PS C:\Users\Lila>

You can select multiple properties by separating them with a comma as shown below:

PS C:\Users\Lila> gcim win32_process | Where-Object {$_.Name -eq 'putty.exe'} | select processid, commandline

processid commandline
--------- -----------
    11240 "C:\Program Files (x86)\PuTTY\putty.exe"


PS C:\Users\Lila>

Another option for obtaining process information is to use the PowerShell Get-Process cmdlet.
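To tie the pieces above together (the Win32_Process class, matching on a name, and selecting properties), here is an added example script that is not from the original post: it uses the -Filter parameter of Get-CimInstance to do the name match in WQL instead of Where-Object, then reports the command line, parent process and owning account for each match, which is the information you usually want when deciding whether a running process is expected. $ProcessName is an assumed script parameter, defaulting to putty.exe as in the post.

```powershell
# Added example, not from the original post: triage processes by name with
# Get-CimInstance / Win32_Process and report the details a reviewer wants.
param(
    [string]$ProcessName = 'putty.exe'   # assumed parameter; any image name works
)

# WQL string literals escape backslashes and single quotes with a backslash,
# so escape the name before embedding it in the filter.
$escaped = $ProcessName -replace '\\', '\\' -replace "'", "\'"

# -Filter pushes the comparison into WQL, so only matching instances are
# returned instead of every process being piped through Where-Object.
$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$escaped'"

if (-not $procs) {
    Write-Output "No process named $ProcessName is running."
    return
}

foreach ($p in $procs) {
    # Look up the parent by its ProcessId; it may already have exited (null).
    $parent = Get-CimInstance -ClassName Win32_Process `
        -Filter "ProcessId = $($p.ParentProcessId)"

    # GetOwner is a method of Win32_Process; ReturnValue 0 means success.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $ownerName = if ($owner.ReturnValue -eq 0) {
        "$($owner.Domain)\$($owner.User)"
    } else {
        '<unknown>'
    }

    # Emit one object per match so the result can be piped to Format-Table,
    # Export-Csv, or further Where-Object filtering.
    [pscustomobject]@{
        ProcessId      = $p.ProcessId
        Name           = $p.Name
        ParentId       = $p.ParentProcessId
        ParentName     = if ($parent) { $parent.Name } else { '<exited>' }
        Owner          = $ownerName
        ExecutablePath = $p.ExecutablePath
        CommandLine    = $p.CommandLine
        WorkingSetMB   = [math]::Round($p.WorkingSetSize / 1MB, 1)
    }
}
```

Run it as .\Get-ProcInfo.ps1 -ProcessName svchost.exe to see every svchost.exe instance with its parent and owner, which makes a copy started by an unexpected parent or account stand out.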
