You can use the Get-CimInstance cmdlet at a PowerShell prompt to obtain information on processes running on a Microsoft Windows system. E.g., to see a list of all the processes currently running on a system, the command gcim win32_process can be used; gcim is an alias for Get-CimInstance, so you can use the shorter alias or Get-CimInstance. The name of the process, its process identifier (PID), handle count, working set size, and virtual memory size are displayed.
PS C:\Users\Lila> gcim win32_process
ProcessId Name HandleCount WorkingSetSize VirtualSize
--------- ---- ----------- -------------- -----------
0 System Idle Process 0 8192 65536
4 System 3493 7573504 11452416
436 smss.exe 55 1056768 2199029911552
644 csrss.exe 765 5804032 2199086116864
756 csrss.exe 641 4820992 2199085301760
780 wininit.exe 141 5308416 2199078232064
828 winlogon.exe 230 9785344 2199103651840
904 services.exe 666 10571776 2199069249536
920 lsass.exe 1487 17948672 2199079809024
1020 svchost.exe 70 3522560 2199047536640
416 svchost.exe 2776 31625216 2199139074048
552 fontdrvhost.exe 45 2801664 2199085924352
448 fontdrvhost.exe 45 7663616 2199219183616
872 svchost.exe 980 16252928 2199123591168
1060 svchost.exe 332 8470528 2199070224384
1160 svchost.exe 844 66977792 2199259000832
1248 svchost.exe 174 8486912 2199068123136
1312 svchost.exe 106 5423104 2199065399296
1436 svchost.exe 134 5173248 2199057866752
1508 dwm.exe 483 62906368 2199289069568
1516 atiesrxx.exe 120 3899392 28639232
1528 svchost.exe 182 7053312 2199063388160
1536 svchost.exe 125 7835648 2199061176320
1544 svchost.exe 153 6725632 2199068176384
1576 svchost.exe 144 11022336 2199070298112
1584 svchost.exe 431 12627968 2199085236224
1732 svchost.exe 192 5545984 2199060905984
1740 svchost.exe 211 9924608 2199101943808
1748 svchost.exe 158 7593984 2199067979776
1756 svchost.exe 249 8749056 2199071862784
1816 svchost.exe 233 16547840 2199098425344
1888 WUDFHost.exe 388 7712768 2199076732928
1924 svchost.exe 162 7622656 2199070228480
1968 svchost.exe 174 7675904 2199068536832
1976 svchost.exe 144 9510912 2199108993024
1456 svchost.exe 191 7168000 2199064539136
2056 svchost.exe 387 14811136 2199111286784
2156 svchost.exe 368 12226560 2199079366656
2164 svchost.exe 455 21647360 2199131877376
2268 svchost.exe 286 12435456 2199083753472
2348 svchost.exe 1172 9154560 2199077736448
2384 svchost.exe 119 5820416 2199058989056
2392 svchost.exe 384 11493376 2199090819072
2444 svchost.exe 216 8863744 2199105306624
2640 svchost.exe 172 6283264 2199068110848
2720 svchost.exe 350 12480512 2199095590912
2732 svchost.exe 200 9015296 2199074267136
2772 svchost.exe 1240 8048640 2199064600576
2804 svchost.exe 184 10129408 2199073574912
2860 svchost.exe 232 9707520 2199105683456
3020 spoolsv.exe 536 16814080 2199143129088
3028 svchost.exe 143 10833920 2199074377728
3224 svchost.exe 152 6852608 2199065890816
3248 svchost.exe 378 15572992 2199137042432
3324 svchost.exe 441 11489280 2199081918464
3344 svchost.exe 151 8683520 2199074213888
3352 svchost.exe 273 14614528 2199179874304
3360 svchost.exe 116 5984256 2199057027072
3368 svchost.exe 623 26607616 2199162109952
3376 svchost.exe 311 24096768 2199137792000
3384 svchost.exe 237 9072640 2199071485952
3476 svchost.exe 305 9400320 2199084199936
3524 svchost.exe 209 9277440 2199082557440
3580 svchost.exe 188 7471104 2199070752768
3700 svchost.exe 202 80707584 2203420794880
3708 svchost.exe 128 5627904 2199057858560
3716 svchost.exe 361 18440192 2199115366400
3732 AppleMobileDeviceService.exe 217 10457088 127602688
3740 mDNSResponder.exe 147 5570560 36573184
3748 schedul2.exe 149 6127616 70488064
3764 PsiService_2.exe 104 4661248 30580736
3796 Fuel.Service.exe 228 11128832 102424576
3804 MsMpEng.exe 769 161230848 2199590989824
3812 snmp.exe 215 7020544 2199069216768
3836 Agent.exe 494 19099648 225927168
3852 YahooAUService.exe 222 11296768 83034112
3864 GuardAgent.exe 79 4296704 26193920
3880 SecurityHealthService.exe 324 14397440 2199095042048
3968 svchost.exe 89 4997120 2199057125376
4076 mqsvc.exe 339 10694656 2199115403264
4164 dasHost.exe 98 4325376 2199049117696
4264 svchost.exe 214 8892416 2199072043008
4484 Memory Compression 0 511483904 564133888
4556 svchost.exe 202 7282688 2199069704192
5316 svchost.exe 125 6746112 2199065485312
5328 svchost.exe 137 6262784 2199060594688
788 svchost.exe 236 16289792 2199180906496
912 vds.exe 212 9084928 2199075328000
5908 atieclxx.exe 203 12357632 103923712
5684 NisSrv.exe 291 3239936 2199096311808
5108 sihost.exe 486 28184576 2199150542848
1352 svchost.exe 240 17489920 2199122821120
6100 svchost.exe 387 27021312 2199173885952
5384 svchost.exe 282 15785984 2199096664064
6516 explorer.exe 2206 122388480 2199596027904
6720 taskhostw.exe 490 26890240 2199211319296
6900 svchost.exe 353 17469440 2199122931712
7384 ShellExperienceHost.exe 1094 63778816 2199399350272
7556 RuntimeBroker.exe 711 49692672 2199247142912
7948 svchost.exe 273 19161088 2199103320064
8096 SkypeHost.exe 293 8921088 153907200
9096 MSASCuiL.exe 144 13373440 2199116099584
9172 RAVCpl64.exe 342 15376384 134459392
1204 schedhlp.exe 153 11579392 83992576
2040 TrayMonitor.exe 183 14061568 94957568
2064 iTunesHelper.exe 269 17584128 153251840
3792 AllmyappsNotifier.exe 648 67137536 749137920
8544 iPodService.exe 142 7376896 54591488
9016 chrome.exe 1593 78913536 2199444426752
6860 chrome.exe 237 13615104 2199125897216
7200 winampa.exe 130 11243520 81076224
6352 chrome.exe 148 13516800 2199121522688
3996 chrome.exe 390 25141248 2199384817664
8516 chrome.exe 261 22810624 2199815888896
7644 chrome.exe 288 25399296 2199829921792
8512 chrome.exe 287 24301568 2199833853952
7816 chrome.exe 253 21786624 2199812218880
7656 chrome.exe 260 35004416 2199875141632
8500 chrome.exe 280 24076288 2199834116096
7636 chrome.exe 253 21598208 2199807500288
7888 chrome.exe 270 20275200 2199812710400
9504 EuWatch.exe 99 10543104 69201920
9544 TrayNotify.exe 223 17129472 102658048
9768 chrome.exe 263 22581248 2199812358144
7588 ComicLife3.exe 3234 60350464 1206206464
7696 svchost.exe 441 20226048 2199274377216
9088 PresentationFontCache.exe 216 15437824 550039552
10196 svchost.exe 177 8372224 2199070498816
6628 OneDrive.exe 551 37011456 241717248
5064 svchost.exe 684 13754368 2199161389056
5188 svchost.exe 258 10809344 2199085215744
4432 SettingSyncHost.exe 185 3227648 2199089606656
664 svchost.exe 192 8343552 2199215951872
4452 svchost.exe 178 8986624 2199069466624
1232 dllhost.exe 168 14909440 2199100493824
2980 cmd.exe 45 2793472 2199043596288
3928 conhost.exe 232 15757312 2199134736384
8820 firefox.exe 1971 1336586240 2601459712
8308 svchost.exe 94 5259264 2199056556032
9828 SearchIndexer.exe 982 39849984 2199281152000
8472 plugin-container.exe 343 31727616 295370752
5040 OSPPSVC.EXE 184 11952128 53395456
8712 splwow64.exe 190 15126528 2199110000640
10096 notepad.exe 220 16494592 2199159549952
7356 notepad.exe 220 17403904 2199160598528
6104 svchost.exe 171 5169152 2199107723264
4148 svchost.exe 739 34598912 2199296479232
8532 svchost.exe 133 5931008 2199058878464
9936 csrss.exe 158 3457024 2199069282304
5168 winlogon.exe 182 6111232 2199081562112
4852 LogonUI.exe 419 33165312 2199273877504
3596 fontdrvhost.exe 45 2785280 2199083778048
7436 atieclxx.exe 177 6778880 103718912
11212 dwm.exe 384 21913600 2199206469632
5952 rdpclip.exe 277 10940416 2199125721088
6320 taskhostw.exe 321 15900672 2199144755200
11240 putty.exe 303 18280448 157700096
8320 SoftwareUpdate.exe 1268 991232 275869696
3604 powershell.exe 845 85270528 2199713677312
10324 conhost.exe 233 15409152 2199155642368
6296 gvim.exe 205 17526784 126078976
8572 Taskmgr.exe 513 47742976 2199245176832
10032 SearchUI.exe 856 102264832 2234067509248
9696 WmiPrvSE.exe 148 9986048 2199065812992
PS C:\Users\Lila>
You can filter the output to a specific process or processes by piping the output to Where-Object with gcim win32_process | Where-Object {$_.Name -eq 'putty.exe'} as shown below:
PS C:\Users\Lila> gcim win32_process | Where-Object {$_.Name -eq 'putty.exe'}
ProcessId Name HandleCount WorkingSetSize VirtualSize
--------- ---- ----------- -------------- -----------
11240 putty.exe 303 17383424 157700096
PS C:\Users\Lila>
To use Where-Object to filter the output, you enclose a script block within curly brackets. There are three components to the script: the property on which to filter, in this case "Name", a comparison operator, which is -eq, i.e., "equals", and the value on which to filter, which in this case is putty.exe. Because it is a string, it must be enclosed in either single or double quotes.
You can use the following comparison operators:
-ne | not equal to |
-lt | less than |
-le | less than or equal to |
-gt | greater than |
-ge | greater than or equal to |
-like | like - a wildcard comparison |
-notlike | not like - a wildcard comparison |
-contains | contains the specified value |
-notcontains | doesn't contain the specified value |
The $_ represents the current object in the pipeline. The process list from gcim will be passed through the Where-Object filter as objects line by line into the $_ variable. The property to filter on is specified by putting a period after $_ and then the property, i.e., $_.Name in this example. So Where-Object is determining if the name for the object is equal to 'putty.exe' in this example.
You can also obtain other information for a process by piping the output from Where-Object to select. E.g., if I want to know the full command line for the process, I can use select commandline as shown below:
PS C:\Users\Lila> gcim win32_process | Where-Object {$_.Name -eq 'putty.exe'} | select commandline
commandline
-----------
"C:\Program Files (x86)\PuTTY\putty.exe"
PS C:\Users\Lila>
You can select multiple properties by separating them with a comma as shown below:
PS C:\Users\Lila> gcim win32_process | Where-Object {$_.Name -eq 'putty.exe'} | select processid, commandline
processid commandline
--------- -----------
11240 "C:\Program Files (x86)\PuTTY\putty.exe"
PS C:\Users\Lila>
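The following is an added example, not code from the original page: it combines the Where-Object filter and property selection shown above into a triage view that also reports each process's parent, owner, start time, and executable path. The function name Get-ProcessTriage is hypothetical; the Win32_Process properties and the GetOwner method are part of the class itself.

```powershell
# Added example (not from the original page). Get-ProcessTriage is a hypothetical helper name.
function Get-ProcessTriage {
    [CmdletBinding()]
    param(
        # Wildcard pattern matched against the process name, e.g. 'putty*'
        [string]$Name = '*'
    )

    # Take one snapshot of all processes and index it by PID for parent lookups.
    $all = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

    foreach ($p in $all | Where-Object { $_.Name -like $Name }) {
        # The parent may have exited and its PID been reused by a newer process,
        # so only accept a parent that started no later than the child.
        $parent = $byPid[[uint32]$p.ParentProcessId]
        if ($parent -and $p.CreationDate -and $parent.CreationDate -gt $p.CreationDate) {
            $parent = $null
        }

        # GetOwner returns a non-zero ReturnValue (or throws) for processes
        # the current user is not allowed to open; leave Owner empty then.
        $owner = $null
        try {
            $r = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
            if ($r.ReturnValue -eq 0) { $owner = '{0}\{1}' -f $r.Domain, $r.User }
        } catch { }

        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            ParentId    = $p.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            Owner       = $owner
            Started     = $p.CreationDate
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
        }
    }
}

Get-ProcessTriage -Name 'putty.exe' | Format-List
```

Run from a non-elevated prompt, Owner, Path, and CommandLine will be empty for processes belonging to other users or to the system.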
Another option for obtaining process information is to use the PowerShell get-process cmdlet.