Technical: Microsoft – Map Processes to Command Line Parameters

We had a small problem associating high-CPU processes with their command line parameters.

Historically, Task Manager has shown only each process's executable name. It does not even reveal the process's full path.

With spawned processes such as cmd.exe or cscript.exe it is often difficult to tell one process from another, yet that distinction matters when you are trying to measure each payload's resource consumption.

Here is a command shell (batch file) script that can be used:

Command File

@echo off
rem Creating and editing formats in WMIC
rem http://technet.microsoft.com/en-us/library/cc757287(WS.10).aspx
rem Examples of WMIC commands for Windows .NET SERVER Family
rem http://support.microsoft.com/servicedesks/webcasts/wc072402/listofsampleusage.asp

rem Make sure the output folder exists
If not exist C:\Temp md C:\Temp

rem The same WMI query (Win32_Process) written out three times, once per output format
WMIC /OUTPUT:C:\Temp\ProcessList.txt  path win32_process get Caption,Processid,Commandline
WMIC /OUTPUT:C:\Temp\processList.xml  path win32_process get Caption,Processid,Commandline /format:rawxml
WMIC /OUTPUT:C:\Temp\processList.html path win32_process get Caption,Processid,Commandline /format:hform

Explanation:

  • Uses WMI to query the process table
  • Three files containing the same extracted data are placed in C:\Temp
  • The formats are txt (plain text), xml, and html

PowerShell File


###################################################################################################
# Use
#
#    A] List processes along with command line parameters
#
#   Parameters:
#
#      Name :- $ProcessName
#            Mandatory - No
#            Default - Empty
#
#   To list all processes:
#      .\listProcesses.ps1
#
#   To list all cscript processes:
#      .\listProcesses.ps1 -ProcessName cscript
#
#   To list all Google's Chrome processes:
#      .\listProcesses.ps1 -ProcessName chrome
#      -- by the way you will surely be surprised as to what
#         Chrome does with command line parameters
###################################################################################################

[CmdletBinding()]
param
(
    [Parameter(Mandatory=$False)]
    [string]$ProcessName
)

# set computer name ("." is the local machine)
[String] $computerName = ".";

[String] $namespace = "root\cimv2";

if ($ProcessName)
{
    # wildcard match, so "-ProcessName cscript" also finds cscript.exe
    $ProcessNameClause = "*" + $ProcessName + "*";

    # A command only continues on the next line after a backtick, and the pipe
    # must end a line rather than start the next one, or PowerShell will not parse it
    $objListofProcesses = Get-WmiObject `
                              -ComputerName $computerName `
                              -Namespace $namespace `
                              -Class Win32_Process |
                          Where-Object { $_.Name -like $ProcessNameClause }
}
else
{
    $objListofProcesses = Get-WmiObject `
                              -ComputerName $computerName `
                              -Namespace $namespace `
                              -Class Win32_Process
}

if (!$objListofProcesses)
{
    return;
}

$iNumberofProcesses = 0;

$strFormatProcess = "Process Name: {0}  ID:{1} CommandLine: {2}";

Foreach ($objProcess in $objListofProcesses)
{
    $iNumberofProcesses = $iNumberofProcesses + 1;

    # How to format in PowerShell: .NET String.Format with positional placeholders
    $strProcess = [String]::Format($strFormatProcess,
                                   $objProcess.Name,
                                   $objProcess.ProcessId,
                                   $objProcess.CommandLine);

    $strProcess;
}

Write-Verbose ("{0} process(es) listed" -f $iNumberofProcesses);

Explanation:

  • Uses WMI to query the process table
  • Result is displayed on the console
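The post opened with the problem of tying high-CPU processes back to their command lines; as an added example (not code from the original post), the function below goes a step beyond the script above by joining each process's command line, full path and parent process with its per-process CPU counter, so the busiest cmd.exe or cscript.exe can be told apart by what launched it. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the CIM cmdlets available; the function name and its -Top parameter are this example's own.

```powershell
function Get-TopCpuProcessCommandLine
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$false)] [string] $ProcessName,   # substring of the image name, as in the post
        [Parameter(Mandatory=$false)] [int]    $Top = 10       # hypothetical parameter: rows to show
    )
    # Win32_Process carries Name, ExecutablePath, CommandLine and ParentProcessId.
    # CommandLine is $null for other users' processes unless the shell is elevated.
    $procs = Get-CimInstance -Namespace root\cimv2 -ClassName Win32_Process |
             Where-Object { $_.ProcessId -ne 0 }      # drop the Idle pseudo-process
    # Index by ProcessId so each parent can be resolved without a second query
    $byId = @{}
    foreach ($p in $procs) { $byId[[uint32]$p.ProcessId] = $p }
    if ($ProcessName) { $procs = $procs | Where-Object { $_.Name -like "*$ProcessName*" } }
    # The formatted perf counter class gives PercentProcessorTime keyed by IDProcess
    # (summed over all logical CPUs, so a busy multi-threaded process can exceed 100).
    $cpu = @{}
    $counters = Get-CimInstance -Namespace root\cimv2 -ClassName Win32_PerfFormattedData_PerfProc_Process
    foreach ($c in $counters) { $cpu[[uint32]$c.IDProcess] = [int]$c.PercentProcessorTime }

    $rows = foreach ($p in $procs)
    {
        $id  = [uint32]$p.ProcessId
        $pct = 0
        if ($cpu.ContainsKey($id)) { $pct = $cpu[$id] }

        # Show the parent so one cmd.exe or cscript.exe can be told from another
        $parent = $byId[[uint32]$p.ParentProcessId]
        $parentLabel = "($($p.ParentProcessId))"
        if ($parent) { $parentLabel = "$($parent.Name) ($($parent.ProcessId))" }

        [pscustomobject]@{
            CpuPercent  = $pct
            ProcessId   = $id
            Name        = $p.Name
            Parent      = $parentLabel
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
        }
    }
    $rows | Sort-Object -Property CpuPercent -Descending | Select-Object -First $Top
}

# Usage: the ten busiest processes, each with its parent, full path and command line
Get-TopCpuProcessCommandLine -Top 10 | Format-List
```

Run it from an elevated prompt to see command lines of processes owned by other accounts; the counter class reports a single sample, so run it more than once when a process's load fluctuates.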
