This post shows how to use WMI to list processes with more detail than the usual tools give you, including the full path to the executable and any parameters passed on the command line. That may not sound like much, but it helps a great deal when troubleshooting, or just when working out what an application is actually doing.
You can run the command against one server, or against several by giving /node: a list of names or a file of names (one per line) with /node:@"servers.txt":
wmic /node:"server01" path win32_process get ExecutablePath,Caption,CommandLine,CreationDate,WorkingSetSize,ProcessId
To filter the list, you could also add a where clause:
wmic /node:"server01" path win32_process Where "Caption Like '%cscript%'" get ExecutablePath,Caption,CommandLine,CreationDate,WorkingSetSize,ProcessId
This information can be useful for diagnosing processes. Note that wmic prints the columns in alphabetical order (Caption, CommandLine, CreationDate, ExecutablePath, ProcessId, WorkingSetSize) regardless of the order given to get, which is how the listings below should be read; CreationDate is in the DMTF format yyyymmddHHMMSS.ffffff+offset, where the offset is minutes from UTC.
For example, Operations Manager 2007 uses cscript quite heavily, and at times I've seen many cscript processes running, but had no clear idea what they were doing.
cscript.exe "C:\WINDOWS\system32\cscript.exe" /nologo "CPUUtilization.vbs" 95 15 opsmgr01.test.local 100. 20080713130117.079481+600 9876 5820416
cscript.exe "C:\WINDOWS\system32\cscript.exe" /nologo "MemoryUtilization.vbs" 2.5 opsmgr01.test.local 114.66666666666667 20080713130301.876356+600 6832 2473984
cscript.exe "C:\WINDOWS\system32\cscript.exe" /nologo "DiscoverHealthServiceCommunicationRelationships.js" 20080713130337.876356+600 8484 2457600
Processes that normally show up as just 'cmd.exe' with tools like pslist.exe can easily be further identified:
cmd.exe CMD /D /S /Q /C""C:\Program Files (x86)\VERITAS\VxPBX\bin\pbxservice.cmd" "C:\Program Files (x86)\VERITAS\VxPBX\bin\pbx_exchange.exe""
It's easy to see the command-line parameters used to launch some applications, eg the 'Manage Your Server' wizard is started with:
C:\WINDOWS\system32\oobechk.exe /LaunchMYS
And screensavers are started with a /s parameter:
logon.scr logon.scr /s
It is easy to see which service group (the -k argument) each instance of svchost is hosting (tasklist /svc shows the individual services hosted by each instance):
svchost.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch 20080323192353.500000+600 C:\WINDOWS\system32\svchost.exe 676 5496832
svchost.exe C:\WINDOWS\system32\svchost.exe -k rpcss 20080323192354.187500+600 C:\WINDOWS\system32\svchost.exe 780 9392128
svchost.exe C:\WINDOWS\system32\svchost.exe -k NetworkService 20080323192402.828125+600 C:\WINDOWS\system32\svchost.exe 1016 7897088
svchost.exe C:\WINDOWS\system32\svchost.exe -k LocalService 20080323192402.828125+600 C:\WINDOWS\system32\svchost.exe 1036 5959680
svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs
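The same view from PowerShell, as an added example that is not code from the original post: it joins Win32_Process with Win32_Service on ProcessId, so for each svchost.exe instance you get both the -k group from the command line and the services actually running in it (the tasklist /svc information), plus a simple flag for an instance whose image is not one of the two expected svchost.exe copies or which hosts no service at all. The function name is an assumption; it queries the local machine, and adding -ComputerName to both Get-CimInstance calls extends it to a remote host.

```powershell
# Added example (not code from the original post): join Win32_Process and Win32_Service
# on ProcessId to show, for every svchost.exe instance, the -k group it was started with
# and the services it really hosts (what tasklist /svc shows), with a simple sanity flag.
# Assumes the local machine; pass -ComputerName to both Get-CimInstance calls for a remote host.
function Get-SvchostGroups {
    # Services that have a live process, keyed by PID
    $svcByPid = @{}
    foreach ($s in Get-CimInstance -ClassName Win32_Service -Filter "ProcessId != 0") {
        $id = [uint32]$s.ProcessId
        if (-not $svcByPid.ContainsKey($id)) { $svcByPid[$id] = @() }
        $svcByPid[$id] += $s.Name
    }

    # Legitimate image paths: the native copy, plus the 32-bit copy used by WOW64 services on x64
    $expected = @(
        (Join-Path $env:SystemRoot 'System32\svchost.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
    )

    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        # The service group is the argument following -k on the command line
        $group = if ($_.CommandLine -match '-k\s+"?([^\s"]+)') { $Matches[1] } else { '' }
        $services = $svcByPid[[uint32]$_.ProcessId]
        $note = if ($_.ExecutablePath -and ($expected -notcontains $_.ExecutablePath)) { 'unexpected path' }
                elseif (-not $services) { 'no services' }
                else { '' }
        [pscustomobject]@{
            PID      = $_.ProcessId
            Group    = $group
            Services = ($services -join ',')
            Path     = $_.ExecutablePath
            Note     = $note
        }
    }
}

# Usage: one row per svchost instance, grouped like the wmic listing above
Get-SvchostGroups | Sort-Object Group, PID | Format-Table -AutoSize -Wrap
```

A 'no services' row is not automatically a problem: an instance that has just started, or whose only service is stopping, will show that way for a moment, so re-run before drawing conclusions. ExecutablePath is blank for processes the caller cannot open, in which case the path check is simply skipped.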
Inconsistencies show up, such as instances of a cluster resource monitor on an x64 server, some running native, some under WOW64:
resrcmon.exe "C:\WINDOWS\SysWOW64\resrcmon.exe" -e 1464 -m 1468 -p 2744 20080323192505.936883+600 C:\WINDOWS\SysWOW64\resrcmon.exe 3652 5472256
ResrcMon.exe "C:\WINDOWS\cluster\resrcmon.exe" -e 1592 -m 1596 -p 2744 20080323192506.686004+600 C:\WINDOWS\cluster\resrcmon.exe 3716 8388608
Instances of rundll32 and similar launch methods often reveal interesting things, eg a notification balloon launched through rundll32:
rundll32.exe RunDll32.exe wlnotify.dll,ShowNotificationBalloon Global\00000000f0357177_WlballoonKerberosNotificationEventName
Executing this command
Add as a doskey macro
Put the following line into a text file called macros.txt:
PSL=if "$1" EQU "" (wmic path win32_process get ExecutablePath,Caption,CommandLine,CreationDate,WorkingSetSize,ProcessId) else (wmic /node:"$1" path win32_process get ExecutablePath,Caption,CommandLine,CreationDate,WorkingSetSize,ProcessId)
Then run the following command, which sets the AutoRun value so that doskey installs the macro each time a command prompt starts (replace <folder> with the directory that holds macros.txt; do not write the literal %path%, which cmd would expand to your PATH variable):
reg add "hklm\software\microsoft\command processor" /v AutoRun /t reg_sz /d "doskey /macrofile=<folder>\macros.txt"
Two caveats: AutoRun runs for every cmd.exe that starts without /d, including cmd /c calls made by scripts and scheduled tasks, so keep macros.txt somewhere only administrators can write; and cmd also honours HKCU\Software\Microsoft\Command Processor\AutoRun, which is user-writable, so it is worth checking both values when you find an unexpected command running at every prompt. Doskey macros only work in interactive sessions, not from batch files.
The command works either locally or with a parameter, so you can either run:
psl
psl server01
Call through Scripting
Instead of using wmic, you could also use scripting, either PowerShell or VBScript, to query the WMI instances.
eg, in PowerShell:
Get-WmiObject win32_process | Format-Table ExecutablePath,Caption,CommandLine,CreationDate,WorkingSetSize,ProcessId
(Get-WmiObject returns CreationDate as a DMTF string; on PowerShell 3.0 and later, Get-CimInstance Win32_Process returns it as a DateTime, and Get-WmiObject is no longer available at all in PowerShell 7.)
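The wmic query at the top of the post and this PowerShell one-liner, combined into a reusable function, as an added example that is not code from the original post. It uses the CIM cmdlets, runs locally or against a remote host, filters on caption, and also resolves each process's parent via ParentProcessId, which is usually the fastest way to find out what started a particular cscript or cmd instance. The function name Get-ProcessCommandLine and the host name server01 are assumptions; a remote query needs WinRM access to the target.

```powershell
# Added example (not code from the original post): the wmic query done with the CIM
# cmdlets, locally or against a remote host, with a caption filter and the parent process
# resolved so you can see what launched each instance. Function name and server01 are
# assumptions; remote queries need WinRM (WS-Man) access to the target.
function Get-ProcessCommandLine {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$CaptionLike  = '*'          # PowerShell wildcard, e.g. '*cscript*'
    )
    $query = @{ ClassName = 'Win32_Process' }
    if ($ComputerName -ne $env:COMPUTERNAME) { $query.ComputerName = $ComputerName }

    # Fetch everything once: the parent lookup needs the unfiltered list
    $all = Get-CimInstance @query
    $byPid = @{}
    foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p.Caption }

    $all | Where-Object { $_.Caption -like $CaptionLike } | ForEach-Object {
        [pscustomobject]@{
            Computer       = $ComputerName
            PID            = $_.ProcessId
            Caption        = $_.Caption
            ParentPID      = $_.ParentProcessId
            Parent         = $byPid[[uint32]$_.ParentProcessId]   # $null if the parent has exited (the PID may even have been reused)
            Created        = $_.CreationDate                       # a DateTime here; a DMTF string with Get-WmiObject
            WorkingSetMB   = [math]::Round($_.WorkingSetSize / 1MB, 1)
            ExecutablePath = $_.ExecutablePath                     # empty for processes the caller cannot open
            CommandLine    = $_.CommandLine
        }
    }
}

# Usage: every cscript instance on server01, with what started it and when
Get-ProcessCommandLine -ComputerName server01 -CaptionLike '*cscript*' |
    Sort-Object Created |
    Format-Table PID, Parent, Created, CommandLine -AutoSize -Wrap
```

Get-CimInstance talks WS-Man by default; for an older host that only has DCOM enabled (the transport wmic /node and Get-WmiObject use), create the session with New-CimSession -ComputerName server01 -SessionOption (New-CimSessionOption -Protocol Dcom) and pass it with -CimSession instead of -ComputerName.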
Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.
1 comment:
Your site rocks! Thank You.