Query and kill a process on a remote computer using PowerShell and WMI

This tutorial discusses a few PowerShell scripts that allow you to query and kill a process on a remote computer using WMI (Windows Management Instrumentation).

By Sitaram Pamarthi - Fri, December 9, 2011 - 1 comment

Sitaram Pamarthi is working as a Windows Engineer and his special fields of interest are PowerShell, Active Directory, Exchange, and virtualization.

Querying the processes running on local and remote computers is one of the most common jobs of a system administrator. We sometimes need to know which user is running some application. If you know the process name of the application, you can quickly scan all the computers on your network to see how many hosts are running that particular process, and for how long, so that you can prepare an application usage report.

Query process information

Let’s first see how we can check if a process is running or not. For example, the following command checks if Notepad is running and, if so, displays information about the process:

Get-Process -Name notepad

If the process is running, you will get information about it. Note that Get-Process expects the process name without the .exe extension. You can add the -ComputerName parameter to check whether the process is running on a given remote computer. For example:

Get-Process -ComputerName PC1 -Name notepad

You can get similar information with other scripting languages such as VBScript and Perl. So what is special about PowerShell? The answer is that it helps you get granular information about the processes you are querying, such as the process creation time, the owner of a given process (the account it was started with), its command line, the title of the application window, and much more.

Below are a few example code snippets.

Process creation time

Get-ProcessCreationTime.ps1
[cmdletbinding()]
param(
    $ComputerName = $env:COMPUTERNAME,
    [parameter(Mandatory=$true)]
    $ProcessName
)
# Win32_Process stores the image name with its extension, e.g. notepad.exe
$Processes = Get-WmiObject -Class Win32_Process -ComputerName $ComputerName -Filter "name='$ProcessName'"
if ($Processes) {
    foreach ($process in $Processes) {
        $processid = $process.handle   # Handle holds the process ID as a string
        # CreationDate is a WMI datetime string; convert it to a .NET DateTime
        $processcreationtime = $process.ConvertToDateTime($process.creationdate)
        Write-Host "`nThe $ProcessName `($processid`) process creation time is $processcreationtime"
    }
} else {
    Write-Host "`nNo process found with name $ProcessName"
}
Write-Host ""

The above script takes a computer name and a process name as arguments. The computer name is optional and defaults to the local computer if not provided. The process name is mandatory, and the script will throw an error if you don't provide it. After reading the arguments, a WMI query gets the list of processes with the given name, and the script iterates through each process to get its creation date.

Process owner

Get-ProcessOwner.ps1
[cmdletbinding()]
param(
    $ComputerName = $env:COMPUTERNAME,
    [parameter(Mandatory=$true)]
    $ProcessName
)
$Processes = Get-WmiObject -Class Win32_Process -ComputerName $ComputerName -Filter "name='$ProcessName'"
if ($Processes) {
    foreach ($process in $Processes) {
        # GetOwner() returns the domain and user account the process runs as;
        # call it once and read both fields from the result
        $owner = $process.GetOwner()
        $UserName = $owner.user
        $DomainName = $owner.domain
        $processid = $process.handle
        Write-Host "`nThe owner of $ProcessName `($processid`) process is $DomainName`\$UserName"
    }
} else {
    Write-Host "`nNo process found with the name $ProcessName"
}
Write-Host ""

This script works the same way as the process creation time script, but it calls the GetOwner() method of each Win32_Process instance to return the domain and user account the process was started with.

Process path

Get-Processpath.ps1
[cmdletbinding()]
param(
    $ComputerName = $env:COMPUTERNAME,
    [parameter(Mandatory=$true)]
    $ProcessName
)
$Processes = Get-WmiObject -Class Win32_Process -ComputerName $ComputerName -Filter "name='$ProcessName'"
if ($Processes) {
    foreach ($process in $Processes) {
        # ExecutablePath is the full path of the image; CommandLine includes its arguments
        $Executablepath = $process.ExecutablePath
        $Commandline = $process.CommandLine
        $processid = $process.handle
        Write-Host ""
        Write-Host "Process Name = $ProcessName"
        Write-Host "Process ID = $processid"
        Write-Host "Executable Path = $Executablepath"
        Write-Host "Command Line = $Commandline"
        Write-Host ""
    }
} else {
    Write-Host "`nNo process found with the name $ProcessName"
}

This PowerShell script displays the executable path and the command line of each matching process.

Though PowerShell has a built-in cmdlet, Get-Process, to retrieve process information, in all of the above examples I have used a WMI query against the Win32_Process class instead. I did so because Get-Process will not provide the owner, the process path, and other values.
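The three scripts above each report one attribute of a process on one computer. The following function, an added example that is not part of the original article, combines them into the application usage report mentioned at the start: it queries the same Win32_Process class on a list of computers, collects owner, creation time, running time, executable path and command line for every matching process, and emits objects you can pipe to Export-Csv. The function name, the computer names PC1 to PC3, and the CSV file name are assumptions for illustration; it assumes the caller has local administrator rights on the remote hosts and that WMI (DCOM) is reachable. It also escapes the process name before building the WQL filter, so a name containing a quote cannot change what the filter matches.

```powershell
# Added example (not from the original article): build a process usage report
# across several computers with the same Win32_Process class the scripts above use.
# Assumptions: the computers are reachable over WMI/DCOM and the caller has
# local administrator rights on them.
function Get-ProcessReport {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [Parameter(Mandatory=$true)]
        [string]$ProcessName
    )

    # WQL uses a backslash as its escape character. Escape backslashes and single
    # quotes in the name so user-supplied input cannot alter the filter's meaning.
    $safeName = $ProcessName -replace '\\', '\\' -replace "'", "\'"
    $filter = "Name='$safeName'"

    foreach ($computer in $ComputerName) {
        try {
            $processes = Get-WmiObject -Class Win32_Process -ComputerName $computer `
                -Filter $filter -ErrorAction Stop
        } catch {
            # Unreachable host, DCOM blocked, or access denied: report it and move on
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }
        if (-not $processes) {
            Write-Verbose "$computer : no process named $ProcessName"
            continue
        }

        foreach ($process in $processes) {
            # GetOwner() returns a non-zero ReturnValue (and empty fields) for
            # system processes the caller is not allowed to inspect
            $owner = $process.GetOwner()
            if ($owner.ReturnValue -eq 0) {
                $ownerName = "$($owner.Domain)\$($owner.User)"
            } else {
                $ownerName = '<unavailable>'
            }
            # CreationDate is a WMI datetime string; ConvertToDateTime gives a DateTime
            $started = $process.ConvertToDateTime($process.CreationDate)

            [PSCustomObject]@{
                ComputerName   = $computer
                ProcessName    = $process.Name
                ProcessId      = $process.ProcessId
                ParentPid      = $process.ParentProcessId
                Owner          = $ownerName
                CreationTime   = $started
                RunningFor     = (Get-Date) - $started
                ExecutablePath = $process.ExecutablePath
                CommandLine    = $process.CommandLine
            }
        }
    }
}

# Usage (assumed host and file names): report every notepad.exe on three hosts
# and save the result as a CSV file for the usage report
Get-ProcessReport -ComputerName 'PC1','PC2','PC3' -ProcessName 'notepad.exe' |
    Export-Csv -Path .\notepad-usage.csv -NoTypeInformation
```

Emitting objects instead of Write-Host text is what makes the report reusable: the same output can be sorted by RunningFor, grouped by Owner, or exported, and a host that cannot be reached produces a warning rather than stopping the scan of the remaining computers.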

Kill a process

To terminate a process using PowerShell, you can either use the WMI interface or use the Stop-Process cmdlet, which comes by default with PowerShell.

Kill-ProcessusingWMI.ps1
[cmdletbinding()]
param(
    $ComputerName = $env:COMPUTERNAME,
    [parameter(Mandatory=$true)]
    $ProcessName
)
$Processes = Get-WmiObject -Class Win32_Process -ComputerName $ComputerName -Filter "name='$ProcessName'"
if ($Processes) {
    foreach ($process in $Processes) {
        # Terminate() returns an object whose ReturnValue is 0 on success
        $returnval = $process.Terminate()
        $processid = $process.handle
        if ($returnval.returnvalue -eq 0) {
            Write-Host "`nThe process $ProcessName `($processid`) terminated successfully"
        }
        else {
            Write-Host "`nThe process $ProcessName `($processid`) termination has some problems"
        }
    }
} else {
    Write-Host "`nNo processes found with the name $ProcessName"
}
Write-Host ""

This script first queries the computer for the list of running processes with the given name and then terminates each of them using the Terminate() method. This method returns a value of 0 if the termination is successful. Any non-zero value indicates a problem.

The second method terminates a process using the Stop-Process cmdlet. Below are some usage examples:

Get-Process -Name notepad | Stop-Process

Stop-Process -Name notepad
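The WMI kill script above terminates every process that matches a name, and reports only "success" or "some problems". The function below is an added example, not code from the original article, that makes the same Terminate() call safer to operate: it targets one process by ID so that other instances with the same image name are left alone, records the owner and command line before the process disappears, translates the documented Win32_Process.Terminate return codes (0, 2, 3, 8, 9, 21), and supports -WhatIf and -Confirm through ShouldProcess. The function name, the host name PC1, the process ID 4242 and the log file name are assumptions for illustration; it assumes local administrator rights on the target and WMI (DCOM) connectivity.

```powershell
# Added example (not from the original article): terminate one process on a
# remote computer by process ID through Win32_Process.Terminate, keep a record of
# what was running before it was killed, and translate the method's return code.
# Assumptions: the target is reachable over WMI/DCOM and the caller is a local
# administrator there.
function Stop-RemoteProcessById {
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='High')]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [Parameter(Mandatory=$true)]
        [uint32]$ProcessId
    )

    # Documented return values of the Win32_Process.Terminate method
    $terminateCodes = @{
        0  = 'Successful completion'
        2  = 'Access denied'
        3  = 'Insufficient privilege'
        8  = 'Unknown failure'
        9  = 'Path not found'
        21 = 'Invalid parameter'
    }

    # Filter on the numeric ProcessId rather than on Name, so only the intended
    # instance is touched when several processes share the same image name
    $process = Get-WmiObject -Class Win32_Process -ComputerName $ComputerName `
        -Filter "ProcessId=$ProcessId" -ErrorAction Stop
    if (-not $process) {
        Write-Warning "No process with ID $ProcessId found on $ComputerName"
        return
    }

    # Capture owner, command line and start time first: once the process is
    # gone this evidence is no longer available for an incident record
    $owner = $process.GetOwner()
    $record = [PSCustomObject]@{
        ComputerName = $ComputerName
        ProcessId    = $process.ProcessId
        Name         = $process.Name
        Owner        = "$($owner.Domain)\$($owner.User)"
        CommandLine  = $process.CommandLine
        Started      = $process.ConvertToDateTime($process.CreationDate)
        Result       = $null
    }

    # -WhatIf reports the action without terminating; -Confirm prompts first
    if ($PSCmdlet.ShouldProcess("$($process.Name) ($ProcessId) on $ComputerName", 'Terminate')) {
        # ReturnValue is a UInt32; cast to Int32 so it matches the hashtable keys
        $code = [int]$process.Terminate().ReturnValue
        if ($terminateCodes.ContainsKey($code)) {
            $record.Result = "$code : $($terminateCodes[$code])"
        } else {
            $record.Result = "$code : Undocumented return code"
        }
    } else {
        $record.Result = 'Skipped'
    }
    $record
}

# Usage (assumed host, PID and file name): preview the action first, then
# terminate the process and append the record to a CSV log
Stop-RemoteProcessById -ComputerName PC1 -ProcessId 4242 -WhatIf
Stop-RemoteProcessById -ComputerName PC1 -ProcessId 4242 -Confirm:$false |
    Export-Csv -Path .\terminated-processes.csv -Append -NoTypeInformation
```

Because ConfirmImpact is High, calling the function without -Confirm:$false prompts before each termination, which is the behaviour you want when the same command may be run against many hosts; the saved record gives you the owner and command line of what was stopped even after the process is gone.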

Conclusion

Querying process information using PowerShell is pretty easy. You can use PowerShell for a variety of purposes, such as reporting application usage, querying the age or the start time of a process, or maximizing, minimizing, or restoring an application window.

One Comment

  1. Anon says:

    Thanks for the script!!!!!
