HOWTO: Get a List of Running Processes on Domain Computers


Getting a list of running processes on all endpoints is a common task in virus attack investigations, performance analysis and other projects. Win32 provides several ways to list running processes. Unfortunately, no single method works on all Win32 platforms, so programmers have to combine several methods in one program for it to work on all versions of Windows. Information about running system processes should include the Windows process name, process ID, executable file location and some other data.

System utilities, text and image editors, browsers and RSS aggregators, cryptographers and mail clients: all of these, and many other types of programs, have one common function that does not depend on the purpose of the application, namely printing. For programs that, one way or another, deal with content that can be displayed on analog media, the print function is considered almost non-mandatory.

But there are exceptions. Take, for example, the standard Windows Task Manager or a process explorer for a remote computer. Although the information displayed on the Processes tab could well be printed out, you will not find the usual “Print” command there. But what if you suddenly need to print a list of current processes? Do not copy them one by one into a text file! In fact, saving the list of processes, services, and other system information to a file (for printing) is very simple. The easiest way is to use special software, for example, Action1.

This manual describes how to create a list of running processes.



Manually:

1. Execute a WMI Query in the ROOT\CIMV2 Namespace:

   - Launch WMI Explorer or any other tool that can run WMI queries.
   - Run WMI query: SELECT * FROM Win32_Process

2. Open the WMIC Command-line Interface:

   - Press WIN+R
   - Type "wmic", press Enter
   - In the wmic command-line tool, type: /node:RemoteComputerName process

3. Run This Simple Windows PowerShell Script:

   - through WMI object: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -ComputerName RemoteComputerName

4. Use the Following Code to Select Specific Columns:

   - execute: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -ComputerName RemoteComputerName | Select-Object Name, ProcessId, PSComputerName

5. Sort the Results Using the Line Below:

   - invoke command: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -ComputerName RemoteComputerName | Select-Object Name, ProcessId, PSComputerName | Sort-Object Name

6. The Next Code Helps to Filter Results:

   - use it: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -ComputerName RemoteComputerName | Select-Object Name, ProcessId, PSComputerName | Where-Object -FilterScript {$_.Name -like "putty.exe"}

7. Save Results to a CSV File:

   - run: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -ComputerName RemoteComputerName | Select-Object Name, ProcessId, PSComputerName | Export-Csv "c:\file.csv" -Append -NoTypeInformation

8. The Next Step Is to Query Multiple Computers:

   - computers from a text file: Get-Content -Path c:\computers.txt | ForEach-Object {Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -ComputerName $_}
   - computers from AD domain: Get-ADComputer -Filter {OperatingSystem -Like "Windows 10*"} | ForEach-Object {Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -ComputerName $_.Name}
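
Steps 3 to 8 combined into one script, as an added example that is not part of the original HOWTO: it queries every computer in a list, keeps the executable location and command line an investigation usually needs, and records hosts that could not be queried instead of stopping. The file paths are assumptions, and it targets Windows PowerShell 5.1, where Get-WmiObject is available.

```powershell
# Added example (not from the original page).
# Assumed paths; adjust to your environment.
$ComputerList = 'c:\computers.txt'     # one computer name per line
$OutputCsv    = 'c:\processes.csv'     # hypothetical output file
$FailedCsv    = 'c:\unreachable.csv'   # hypothetical output file

$results = @()
$failed  = @()
$queried = 0

# Skip blank lines in the input list
$computers = Get-Content -Path $ComputerList | Where-Object { $_.Trim() }

foreach ($computer in $computers) {
    $computer = $computer.Trim()
    try {
        # -ErrorAction Stop turns RPC and access-denied errors into exceptions,
        # so one offline host does not abort or silently thin out the inventory.
        $procs = Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process `
                     -ComputerName $computer -ErrorAction Stop
        # ExecutablePath and CommandLine can be empty for protected processes
        # or when the querying account lacks sufficient rights.
        $results += $procs | Select-Object PSComputerName, Name, ProcessId,
                                           ParentProcessId, ExecutablePath, CommandLine
        $queried++
    }
    catch {
        # Keep a record of every host that was not covered, with the reason
        $failed += [pscustomobject]@{
            Computer = $computer
            Error    = $_.Exception.Message
        }
    }
}

$results | Sort-Object PSComputerName, Name |
    Export-Csv -Path $OutputCsv -NoTypeInformation
$failed | Export-Csv -Path $FailedCsv -NoTypeInformation

'{0} processes from {1} computers; {2} computers not queried' -f $results.Count, $queried, $failed.Count
```

On PowerShell 7, Get-WmiObject is not available; Get-CimInstance with the same class name is the replacement and connects over WinRM rather than DCOM.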

With Action1 Endpoint Security Platform:

Step 1 - Sign-up for Free:

 

Step 2 - Type Your Question in Plain English:

[Screenshot: search query]

Step 3 - Set Filters, If Necessary:

[Screenshot: set filters]

Step 4 - See Results from All Endpoints in Seconds:

Endpoint Name        Name          Command Line                               Process Id
fred.widgets.local   malware.exe   c:\windows\system32\malware.exe /encrypt   3593
mac.widgets.local    dropbox.exe   c:\program files\dropbox\dropbox.exe       1264
ray.widgets.local    iis.exe       c:\program files\microsoft iis\iis.exe     5343

Don't have time to write scripts? Check out Action1 Endpoint Security Platform. Ask questions in plain English such as "list of installed software" or "all running processes".
Get answers instantly from live systems or subscribe to real-time alerts.

