HOWTO: Get a List of Running Processes on a Remote Computer


Getting a list of running processes on all endpoints is a very common task, typically required in virus attack investigations, performance analysis and other projects. Information about running processes should include the process name, process ID, executable file location and some other data. This HOWTO describes the basics of the process.



Manually:

1. Run a WMI query in the ROOT\CIMV2 namespace:

   - Start WMI Explorer or any other tool which can run WMI queries.
   - Run WMI query: SELECT * FROM Win32_Process

2. Use the wmic command-line interface:

   - Press WIN+R
   - Type "wmic", press Enter
   - In wmic command prompt type: /node:RemoteComputerName process

3. Run a PowerShell script:

   - through a WMI object: Get-WmiObject -Class Win32_Process -Computer RemoteComputerName

4. Select specific columns:

   - run: Get-WmiObject -Class Win32_Process -Computer RemoteComputerName | Select-Object Name, ProcessId

5. Sort results:

   - run: Get-WmiObject -Class Win32_Process -Computer RemoteComputerName | Select-Object Name, ProcessId | Sort-Object Name

6. Filter results:

   - run: Get-WmiObject -Class Win32_Process -Computer RemoteComputerName | Select-Object Name, ProcessId | Where-Object -FilterScript {$_.Name -like "putty.exe"}

7. Save to CSV file:

   - run: Get-WmiObject -Class Win32_Process -Computer RemoteComputerName | Select-Object Name, ProcessId | Export-CSV "c:\file.csv" -Append -NoTypeInformation

8. Query multiple computers:

   - computers from a text file: Get-Content -Path c:\computers.txt | ForEach-Object {Get-WmiObject -Class Win32_Process -Computer $_}
   - computers from AD domain: Get-ADComputer -Filter {OperatingSystem -Like "Windows 10*"} | ForEach-Object {Get-WmiObject -Class Win32_Process -Computer $_.Name}
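The one-liners in steps 4 to 8 above, combined into a single function as an added example (not part of the original HOWTO). It adds what the multi-computer loop in step 8 lacks: each row is tagged with the endpoint it came from, and a host that cannot be reached produces an error row instead of being silently skipped. It uses Get-WmiObject as the HOWTO does (Windows PowerShell 5.1); the computer list file, output path and process filter are assumed values for illustration.

```powershell
# Added example: inventory running processes on several remote computers,
# keeping the source endpoint on every row and recording unreachable hosts.
# Requires Windows PowerShell 5.1 (on PowerShell 7 use Get-CimInstance instead).
function Get-RemoteProcessInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName,
        [string]$NameFilter = '*',                    # e.g. 'putty.exe'
        [string]$OutputCsv  = 'c:\temp\processes.csv' # assumed output path
    )
    begin { $rows = New-Object System.Collections.Generic.List[object] }
    process {
        foreach ($computer in $ComputerName) {
            try {
                # -ErrorAction Stop turns RPC/DCOM and access-denied failures into catchable errors
                $procs = Get-WmiObject -Class Win32_Process -ComputerName $computer -ErrorAction Stop |
                    Where-Object { $_.Name -like $NameFilter }
                foreach ($p in $procs) {
                    $rows.Add([pscustomobject]@{
                        EndpointName   = $computer
                        Name           = $p.Name
                        ProcessId      = $p.ProcessId
                        ExecutablePath = $p.ExecutablePath  # $null for some system/protected processes
                        CommandLine    = $p.CommandLine
                        Status         = 'OK'
                    })
                }
            }
            catch {
                # One row per failed host so the gap is visible in the report, not lost
                $rows.Add([pscustomobject]@{
                    EndpointName   = $computer
                    Name           = $null
                    ProcessId      = $null
                    ExecutablePath = $null
                    CommandLine    = $null
                    Status         = "ERROR: $($_.Exception.Message)"
                })
            }
        }
    }
    end {
        $rows | Sort-Object EndpointName, Name |
            Export-Csv -Path $OutputCsv -NoTypeInformation -Encoding UTF8
        return $rows
    }
}

# Usage: computer names from a text file (assumed path), as in step 8; show hosts that failed
Get-Content -Path c:\computers.txt | Get-RemoteProcessInventory -NameFilter 'putty.exe' |
    Where-Object Status -ne 'OK' | Format-Table EndpointName, Status
```

Review the ERROR rows before trusting the CSV: an endpoint that could not be queried is not an endpoint with no matching process.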

With Action1 Endpoint Security Platform:

Step 1 - Sign-up for free:

Step 2 - Type your question in plain English:

Step 3 - Set filters, if necessary:

Step 4 - See results from all endpoints in seconds:

   Endpoint Name        Name          CommandLine                                   ProcessId
   fred.widgets.local   malware.exe   c:\windows\system32\malware.exe /encrypt      3593
   mac.widgets.local    dropbox.exe   c:\program files\dropbox\dropbox.exe          1264
   ray.widgets.local    iis.exe       c:\program files\microsoft iis\iis.exe        5343

Do not have time to write scripts? Check out Action1 Endpoint Security Platform.
Ask questions in plain English such as "list of installed software" or "all running processes". Get answers instantly from live systems:

