You can run this command against one server with /node:"server01", or against a list of nodes read from a control file with /node:@nodes.txt (one host name per line):
wmic /node:"server01" path win32_process get ExecutablePath,Caption,CommandLine,CreationDate,WorkingSetSize,ProcessId
To filter the list, you could also add a where clause:
wmic /node:"server01" path win32_process Where "Caption Like '%cscript%'" get ExecutablePath,Caption,CommandLine,CreationDate,WorkingSetSize,ProcessId
This information can be useful for diagnosing processes:
For example, Operations Manager 2007 uses cscript quite heavily, and at times I've seen many cscript processes running, but had no clear idea what they were doing.
cscript.exe "C:\WINDOWS\system32\cscript.exe" /nologo "CPUUtilization.vbs" 95 15 opsmgr01.test.local 100. 20080713130117.079481+600 9876 5820416
cscript.exe "C:\WINDOWS\system32\cscript.exe" /nologo "MemoryUtilization.vbs" 2.5 opsmgr01.test.local 114.66666666666667 20080713130301.876356+600 6832 2473984
cscript.exe "C:\WINDOWS\system32\cscript.exe" /nologo "DiscoverHealthServiceCommunicationRelationships.js" 20080713130337.876356+600 8484 2457600
Processes that normally show up as just 'cmd.exe' with tools like pslist.exe can easily be further identified:
cmd.exe CMD /D /S /Q /C""C:\Program Files (x86)\VERITAS\VxPBX\bin\pbxservice.cmd" "C:\Program Files (x86)\VERITAS\VxPBX\bin\pbx_exchange.exe""
It's easy to see the command-line parameters used to launch some applications, eg, the 'manage your server' wizard is started with:
C:\WINDOWS\system32\oobechk.exe /LaunchMYS
And screensavers are started with a /s parameter:
logon.scr logon.scr /s
It is easy to see which service groups (the -k parameter) are being run by which instance of svchost (tasklist /svc also shows this information, along with the individual services in each instance):
svchost.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch 20080323192353.500000+600 C:\WINDOWS\system32\svchost.exe 676 5496832
svchost.exe C:\WINDOWS\system32\svchost.exe -k rpcss 20080323192354.187500+600 C:\WINDOWS\system32\svchost.exe 780 9392128
svchost.exe C:\WINDOWS\system32\svchost.exe -k NetworkService 20080323192402.828125+600 C:\WINDOWS\system32\svchost.exe 1016 7897088
svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalService 20080323192402.828125+600 C:\WINDOWS\system32\svchost.exe 1036 5959680
svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs
Inconsistencies show up, such as instances of a cluster resource monitor on an x64 server, some running native, some WOW64:
resrcmon.exe "C:\WINDOWS\SysWOW64\resrcmon.exe" -e 1464 -m 1468 -p 2744 20080323192505.936883+600 C:\WINDOWS\SysWOW64\resrcmon.exe 3652 5472256
ResrcMon.exe "C:\WINDOWS\cluster\resrcmon.exe" -e 1592 -m 1596 -p 2744 20080323192506.686004+600 C:\WINDOWS\cluster\resrcmon.exe 3716 8388608
Instances of rundll32 and similar launch methods often show up interesting things, because the command line names the DLL and the exported function being called, eg a notification balloon launched through rundll32:
rundll32.exe RunDll32.exe wlnotify.dll,ShowNotificationBalloon Global\00000000f0357177_WlballoonKerberosNotificationEventName
Executing this command
Add as a doskey macro
Put the following line into a text file called macros.txt:
PSL=if "$1" EQU "" (wmic path win32_process get ExecutablePath,Caption,CommandLine,CreationDate,WorkingSetSize,ProcessId) else (wmic /node:"$1" path win32_process get ExecutablePath,Caption,CommandLine,CreationDate,WorkingSetSize,ProcessId)
Then run the following command, which registers a doskey command so the macro is installed each time a command prompt is started. Substitute the folder where you saved macros.txt for D:\Tools below (don't use %path% here: cmd would expand it to the contents of the PATH variable before the value is written):
reg add "hklm\software\microsoft\command processor" /v AutoRun /t reg_sz /d "doskey /macrofile=D:\Tools\macros.txt"
Note that an HKLM AutoRun value runs for every cmd.exe on the machine, for all users, including non-interactive cmd /c invocations from scripts and services (cmd /d is the only way to skip it), and it is a well-known persistence location. Keep the registry value and the macro file writable only by administrators, and use the same value under HKCU instead if you only want the macro for your own account.
The command works either locally or with a parameter, so you can either run:
psl
psl server01
Call through Scripting
Instead of using wmic, you could also use scripting - either PowerShell or VBScript - to query the WMI instances.
eg, in PowerShell:
Get-WmiObject win32_process | Format-Table ExecutablePath,Caption,CommandLine,CreationDate,WorkingSetSize,ProcessId
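As an added example that is not part of the original post, the script below is a PowerShell equivalent of the wmic listing and the Where filter shown above, using the CIM cmdlets rather than Get-WmiObject. It also annotates the svchost service groups and rundll32 DLL/entry points discussed earlier, and flags any svchost.exe whose image is not under System32 or SysWOW64. The node names, the -Filter parameter and the "suspicious" rule are the editor's assumptions, and remote nodes are assumed to be reachable over WinRM.

```powershell
# Added example (not from the original post): CIM equivalent of the wmic listing,
# with svchost group / rundll32 annotations. Node names are placeholders.
param(
    [string[]]$ComputerName = @('.'),   # '.' = local machine, or a list of servers
    [string]$Filter = ''                # substring matched against CommandLine, eg 'cscript'
)

# Same properties as the wmic command; ParentProcessId is added so cmd.exe and
# cscript.exe children can be traced back to whatever launched them.
$query = 'SELECT ProcessId,ParentProcessId,Caption,CommandLine,ExecutablePath,CreationDate,WorkingSetSize FROM Win32_Process'
if ($Filter) {
    # WQL uses % as the wildcard; double any single quote so the filter cannot break the query
    $query += " WHERE CommandLine LIKE '%{0}%'" -f ($Filter -replace "'", "''")
}

# A genuine svchost.exe lives only under System32 (and SysWOW64 on x64).
# Assumption: the remote SystemRoot matches the local one (normally C:\WINDOWS).
$svchostDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

foreach ($node in $ComputerName) {
    $params = @{ Query = $query }
    if ($node -ne '.' -and $node -ne $env:COMPUTERNAME) {
        $params.ComputerName = $node     # remote query goes over WinRM, not DCOM as wmic does
    }

    Get-CimInstance @params | ForEach-Object {
        $note = ''
        $cmd  = $_.CommandLine
        if ($_.Caption -ieq 'svchost.exe') {
            # "-k <group>" names the service host group, as in the listing above
            if ($cmd -match '-k\s+(\S+)') { $note = "group=$($Matches[1])" }
            # ExecutablePath is $null when access is denied (eg protected processes)
            $dir = if ($_.ExecutablePath) { Split-Path $_.ExecutablePath -Parent } else { $null }
            if ($dir -and ($svchostDirs -notcontains $dir)) {
                $note += ' SUSPICIOUS: svchost outside System32/SysWOW64'
            }
        }
        elseif ($_.Caption -ieq 'rundll32.exe' -and $cmd -match '([^\s"]+\.dll),(\S+)') {
            $note = "dll=$($Matches[1]) entry=$($Matches[2])"
        }
        [pscustomobject]@{
            Node         = $node
            PID          = $_.ProcessId
            PPID         = $_.ParentProcessId
            Caption      = $_.Caption
            CommandLine  = $cmd
            Path         = $_.ExecutablePath
            Created      = $_.CreationDate   # CIM returns a DateTime, not the wmic DMTF string
            WorkingSetKB = [int]($_.WorkingSetSize / 1KB)
            Note         = $note.Trim()
        }
    }
}
```

Save it as psl.ps1 and run, for example, .\psl.ps1 -ComputerName server01,server02 -Filter cscript | Format-Table -AutoSize. If a server only accepts DCOM (no WinRM), pass a session instead: New-CimSession -ComputerName server01 -SessionOption (New-CimSessionOption -Protocol Dcom) and give it to Get-CimInstance -CimSession. Unlike Get-WmiObject, Get-CimInstance returns CreationDate as a DateTime, so no ConvertToDateTime call is needed.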
Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.
1 comment:
Your site rocks! Thank You.