HOWTO: Get a List of Running Processes on Domain Computers


Getting a list of running processes on all endpoints is a very common task, typically required in malware incident investigations, performance analysis and other projects. Information about running processes should include the process name, process ID, executable file location and some other data. This HOWTO describes the basics of the process.



Manually:

1. Run WMI query in ROOT\CIMV2 namespace:

   - Start WMI Explorer or any other tool which can run WMI queries.
   - Run WMI query: SELECT * FROM Win32_Process

2. Run wmic command-line interface:

   - Press WIN+R
   - Type "wmic", press Enter
   - In wmic command prompt type: /node:RemoteComputerName process

3. Run PowerShell script:

   - through WMI object: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -Computer RemoteComputerName

4. Select specific columns:

   - run: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -Computer RemoteComputerName | Select-Object Name, ProcessId, PSComputerName

5. Sort results:

   - run: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -Computer RemoteComputerName | Select-Object Name, ProcessId, PSComputerName | Sort-Object Name

6. Filter results:

   - run: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -Computer RemoteComputerName | Select-Object Name, ProcessId, PSComputerName | Where-Object -FilterScript {$_.Name -like "putty.exe"}

7. Save to CSV file:

   - run: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -Computer RemoteComputerName | Select-Object Name, ProcessId, PSComputerName | Export-CSV "c:\file.csv" -Append -NoTypeInformation

8. Query multiple computers:

   - computers from a text file: Get-Content -Path c:\computers.txt | ForEach-Object {Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -Computer $_}
   - computers from AD domain: Get-ADComputer -Filter {OperatingSystem -Like "Windows 10*"} | ForEach-Object {Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -Computer $_.Name}
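An added example (not from the original HOWTO) that wraps steps 1 to 8 into one script: it reads targets from a text file or from AD, records a per-host failure row instead of silently dropping unreachable computers, captures the executable path, command line and process owner that an investigation needs, and writes one CSV. It uses Get-CimInstance, the WinRM-based successor to Get-WmiObject; the file paths and the OS filter are assumptions.

```powershell
# Added example, not from the original HOWTO. Paths and the OS filter are assumptions.
param(
    [string]$ComputerListPath = 'C:\computers.txt',   # assumed path, one hostname per line
    [string]$OutCsv           = 'C:\processes.csv',   # assumed output path
    [switch]$FromAD                                    # take targets from Get-ADComputer instead of the file
)

function Get-RemoteProcessInventory {
    param([string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        try {
            # Query Win32_Process remotely; the timeout keeps one offline host from stalling the whole run.
            $procs = Get-CimInstance -Namespace ROOT\CIMV2 -ClassName Win32_Process `
                        -ComputerName $computer -OperationTimeoutSec 30 -ErrorAction Stop
            foreach ($p in $procs) {
                # GetOwner is a WMI method, so on a CIM instance it is called through Invoke-CimMethod.
                $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Collected      = (Get-Date).ToString('s')
                    ComputerName   = $computer
                    Name           = $p.Name
                    ProcessId      = $p.ProcessId
                    ParentPid      = $p.ParentProcessId
                    ExecutablePath = $p.ExecutablePath
                    CommandLine    = $p.CommandLine
                    Owner          = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { $null }
                }
            }
        }
        catch {
            # A host that cannot be queried is itself a finding; keep it in the output.
            Write-Warning "$computer : $($_.Exception.Message)"
            [pscustomobject]@{ Collected = (Get-Date).ToString('s'); ComputerName = $computer; Name = '<query failed>';
                               ProcessId = $null; ParentPid = $null; ExecutablePath = $null; CommandLine = $null; Owner = $null }
        }
    }
}

$targets = if ($FromAD) {
    (Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*"').Name
} else {
    Get-Content -Path $ComputerListPath | Where-Object { $_.Trim() }
}

Get-RemoteProcessInventory -ComputerName $targets |
    Sort-Object ComputerName, Name |
    Export-Csv -Path $OutCsv -NoTypeInformation
```

Get-CimInstance needs WinRM (port 5985/5986) reachable on the targets, whereas Get-WmiObject uses DCOM; add -Protocol Dcom on a New-CimSession if only DCOM is allowed.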

With Action1 Endpoint Security Platform:

Step 1 - Sign up for free:


Step 2 - Type your question in plain English:

(Screenshot: search query "How to get a list of running processes on all domain computers")

Step 3 - Set filters, if necessary:

(Screenshot: setting filters on the running processes query)

Step 4 - See results from all endpoints in seconds:

Endpoint Name       Name         Command Line                                  Process Id
fred.widgets.local  malware.exe  c:\windows\system32\malware.exe /encrypt      3593
mac.widgets.local   dropbox.exe  c:\program files\dropbox\dropbox.exe          1264
ray.widgets.local   iis.exe      c:\program files\microsoft iis\iis.exe        5343

Do not have time to write scripts? Check out Action1 Endpoint Security Platform. Ask questions in plain English such as "list of installed software" or "all running processes".
Get answers instantly from live systems or subscribe to real-time alerts.

