Home / server / Questions / 696460
Accepted
Hawkeye
Asked: 2015-06-04 14:55:25 +0800 CST

Given a PID on Windows - how do I find the command line instruction that executed it?

  • 772

On a database, I can get a list of all the currently running processes, and the sql command that kicked them off.

I'd like to do a similar thing on a windows box.

I can get the list of processes, but not the command line that kicked them off.

My question is: Given a PID on Windows - how do I find the command line instruction that executed it?

Assumptions:

  • Windows 7 and equivalent servers
windows

4 Answers

  1. Best Answer

    Powershell and WMI.

    Get-WmiObject Win32_Process | Select ProcessId,CommandLine

    Or

    Get-WmiObject -Query "SELECT CommandLine FROM Win32_Process WHERE ProcessID = 3352"

    Note that you have to have permissions to access this information about a process. So you might have to run the command as admin if the process you want to know about is running in a privileged context.

    • 44

  2. You can use the WMI subsystem, using WMIC.EXE to get to this information. Assuming a PID of 600:

    wmic.exe path Win32_Process where handle='600' get name, commandline  /format:list

    You can also search for name, or other characteristic of the process. Use this command to list all attributes:

    wmic.exe path Win32_Process get  /format:list
    • 22

  3. The other answers are certainly good options that will serve you well in an automated system because of their command line nature (and I see from the tag that that's what you wanted). Of course, some folks might want to explore this kind of info with a GUI, so here's an alternative along those lines.

    Process Explorer is a Sysinternals tool maintained by Microsoft. It can display the command line of the process in the process's properties dialog as well as the parent that launched it, though the name of that process may no longer be available. Here's the process properties dialog:

    process properties dialog

    If you want a more detailed audit trail of when a process was launched and under what conditions, you can turn to another Sysinternals tool called Process Monitor. Here you can filter for "Process started" events, learn about the environment the process was launched in, and see what other events were occurring around that time. It's quite a powerful program. Here's the event properties dialog:

    event properties dialog

    • 16

  4. To complement Ryan Ries' helpful PowerShell answer with a shorter alternative via the -Filter parameter that also uses Get-CimInstance instead of the deprecated-since-v3 Get-WmiObject cmdlet.

    # Target a process by its PID (process ID) and report its command line, 
# using the PowerShell session's own PID as an example ($PID).
(Get-CimInstance Win32_Process -Filter "ProcessId=$PID").CommandLine

# Alternatively, target process(es) by name (may return multiple processes), 
# using Notepad.exe as an example.
# Select-Object is used to report both the PID and the command line.
Get-CimInstance Win32_Process -Filter "Name='Notepad.exe'" |
  Select-Object ProcessId, CommandLine

    The -Filter parameter essentially allows you to pass the WHERE clause of a WQL statement instead of passing a full query statement via -Query.

    • 4