How to Get a List of Running Processes on Domain PCs

Author: Peter Barnett           Date: Oct 26, 2018


Getting a list of running processes on all endpoints is a very common task, typically required in virus attack investigations, performance analysis and other projects. Win32 provides several ways to list running processes. Unfortunately, no single method works on all Win32 platforms, so programmers have to combine several methods in one program for it to work on all versions of Windows. Information about running system processes should include the Windows process name, process ID, executable file location and some other data.

System utilities, text and image editors, browsers and RSS aggregators, cryptographers and mail clients: all of these, and many other types of programs, have one common function that does not depend on the purpose of the application, namely printing. For programs that in one way or another deal with content that can be displayed on analog media, the print function is considered almost non-mandatory.

But there are exceptions. Take, for example, the standard Windows Task Manager or a process explorer for a remote computer. Although the information displayed on the Processes tab could well be printed out, you will not find the usual 'Print' command there. But what if you suddenly need to print a list of current processes? Do not rewrite them one by one into a text file! In fact, writing the list of processes, services, and other system information to a file (print) is very simple. The easiest way is to use special software, for example, Action1.

This manual describes actions to create a list of running processes.




Manually:

1. Execute a WMI Query in the ROOT\CIMV2 Namespace:

   - Launch WMI Explorer or any other tool which can run WMI queries.
   - Run WMI query: SELECT * FROM Win32_Process

2. Open WMIC Command-line Interface:

   - Press WIN+R
   - Type "wmic", press Enter
   - In the wmic command-line tool, type: /node:RemoteComputerName process

3. Run This Simple Windows PowerShell Script:

   - through a WMI object: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -Computer RemoteComputerName

4. Use the Following Code to Select Specific Columns:

   - execute: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -Computer RemoteComputerName | Select-Object Name, ProcessId, PSComputerName

5. Sort the Results Using the Line Below:

   - invoke command: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -Computer RemoteComputerName | Select-Object Name, ProcessId, PSComputerName | Sort-Object Name

6. The Next Code Helps to Filter Results:

   - use it: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -Computer RemoteComputerName | Select-Object Name, ProcessId, PSComputerName | Where-Object -FilterScript {$_.Name -like "putty.exe"}

7. Save Results to CSV File:

   - run: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -Computer RemoteComputerName | Select-Object Name, ProcessId, PSComputerName | Export-CSV "c:\file.csv" -Append -NoTypeInformation

8. The Next Step Is to Query Multiple Computers:

   - computers from a text file: Get-Content -Path c:\computers.txt | ForEach-Object {Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -Computer $_}
   - computers from AD domain: Get-ADComputer -Filter {OperatingSystem -Like 'Windows 10*'} | ForEach-Object {Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process -Computer $_.Name}
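
The steps above combined into one script, as an added example that is not part of the original article. It also collects the executable path, command line and parent process ID, and records computers that could not be queried instead of stopping at the first failure. The file paths are placeholders, and Windows PowerShell 5.1 is assumed because it uses Get-WmiObject as the steps do.

```powershell
# Added example (not from the original article).
# Assumptions: Windows PowerShell 5.1, an account with remote WMI rights,
# and the placeholder paths below.
$computerList = 'c:\computers.txt'      # one computer name per line
$outputCsv    = 'c:\processes.csv'      # inventory of running processes
$failedCsv    = 'c:\unreachable.csv'    # computers that could not be queried

$failed = New-Object System.Collections.Generic.List[object]

$results = foreach ($line in Get-Content -Path $computerList) {
    $computer = $line.Trim()
    if (-not $computer) { continue }    # skip blank lines in the list

    try {
        # -ErrorAction Stop turns RPC/access errors into catchable exceptions
        Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process `
                      -ComputerName $computer -ErrorAction Stop |
            Select-Object PSComputerName, Name, ProcessId, ParentProcessId,
                          ExecutablePath, CommandLine,
                          @{ Name = 'Started'; Expression = {
                                # CreationDate is a DMTF string; some system
                                # processes report no creation date at all
                                if ($_.CreationDate) {
                                    $_.ConvertToDateTime($_.CreationDate)
                                }
                             } }
    }
    catch {
        # Keep the reason so unreachable hosts can be followed up later
        $failed.Add([pscustomobject]@{
            ComputerName = $computer
            Error        = $_.Exception.Message
        })
    }
}

$results |
    Sort-Object PSComputerName, Name |
    Export-Csv -Path $outputCsv -NoTypeInformation

if ($failed.Count -gt 0) {
    $failed | Export-Csv -Path $failedCsv -NoTypeInformation
}

Write-Host ("{0} processes collected, {1} computers unreachable" -f @($results).Count, $failed.Count)
```

In an investigation, an empty ExecutablePath or a path outside the usual program directories is a reasonable first column to sort on in the resulting CSV.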

With Action1 Endpoint Security Platform:

Step 1 - Sign Up for Free:

  

Fully functional free edition for up to 10 endpoints with no expiration date.

Step 2 - Type Your Question in Plain English:

[Screenshot: search query]

Step 3 - Set Filters, If Necessary:

[Screenshot: set filters]

Step 4 - See Results from All Endpoints in Seconds:

| Endpoint Name | Name | Command Line | Process Id |
|---|---|---|---|
| fred.widgets.local | malware.exe | c:\windows\system32\malware.exe /encrypt | 3593 |
| mac.widgets.local | dropbox.exe | c:\program files\dropbox\dropbox.exe | 1264 |
| ray.widgets.local | iis.exe | c:\program files\microsoft iis\iis.exe | 5343 |



Action1 is a cloud-based platform for patch management, software deployment, software/hardware inventory, endpoint management and endpoint configuration reporting. It is free with basic functionality.

  



