- AccessChk: View effective permissions on files and folders - Thu, Apr 13 2023
- Read NTFS permissions: View read, write, and deny access information with AccessEnum - Wed, Mar 29 2023
- Kill Windows a process with Tskill and Taskkill - Mon, Mar 13 2023
PsList has several options for showing different types of characteristics. To display the options, run pslist /?.
PsList is available in both 32-bit (pslist.exe) and 64-bit versions (pslist64.exe). Both versions provide the same results. Obviously, you can run pslist.exe on both architectures, but you cannot run pslist64.exe on a 32-bit system.
List local Windows processes
By default, PsList lists information from a local computer and does not require administrative rights to do so. To get information from remote systems, administrative rights are required, which will be covered later in the post. To list Windows processes from a local computer, simply run pslist from a command line.
The default output of PsList shows the following information: process ID (PID), priority (PRI), number of threads (THD), number of handles (HND), total amount of CPU time charged to the process, and elapsed time since the process started.
Note: Unlike Task Manager and other tools, PsList does not show pseudo-processes named System Idle Process and System Interrupts but combines these two values into one value named Idle.
To list Windows processes in a tree view, use the -t option. With this option, the child processes will be listed below their parent process. Also notice that the process CPU information is replaced by memory information: reserved virtual memory (VM), working set (WS), and private virtual memory (Priv).
Memory-related information is displayed with the use of the -m option. This will show the three memory indicators already mentioned in the -t option, plus peak private virtual memory (Priv Pk), page faults (Faults), nonpaged (NonP), and paged (Page) pool sizes. All sizes are shown in kilobytes.
Another possibility is to display information about each thread in the system. This is done using the -d option. The output is quite excessive and shows, for example, the number of context switches (Cswtch), its current state (State), and much more.
To combine all the information in one view, use the -x option. This will show the CPU, memory, and thread information for each process. However, it is not possible to use -t (process tree) together with -x. Again, the output is very excessive and not very user-friendly on the command line.
Filtering and refreshing the output
As previously mentioned, the PsList output can be very large and unreadable. Therefore, you can limit the command to list only information about one or more specific Windows processes. Filtering can be done using process ID (PID) and partial or exact names. Add the -e option to match the name exactly. See the screenshot below for examples.
The last option to mention is PsList's ability to refresh the results periodically. This is done using the -s option. The default refresh rate is 1 second, and the results are refreshed until canceled by the Escape key. You can change the refresh rate by adding the -r option, and you can limit the duration of the data collection by adding a number of seconds after the -s option. For example, pslist -s 600 -r 5 will run for 10 minutes with a refresh rate of five seconds. You can combine the -s option with -m (memory information) or -t (process tree).
List remote Windows processes
All the PsTools utilities support remote operations using a syntax that is consistent across the entire suite. Not all the utilities perform the operation the same way; there might be different requirements. PsList has the following system requirements for remote systems:
- Requires an Admin$ share to be accessible
- Requires the Remote Registry service
PsList does not support querying multiple computer names in one command. To query information from a remote system:
pslist \\ws2022 or pslist \\192.168.1.10
To filter the results, use the same syntax as locally. The command below will show all information related to process svchost.exe, matching the name exactly.
pslist \\ws2022 -e svchost
Another common feature across PsTools is the use of alternate credentials on the remote system. As you may imagine, this is handy when you run the query from an account that does not have administrative permissions on the remote systems. The syntax is as follows:
pslist \\ws2022 -u LAB\Administrator -p Passw0rd
If you have a space in the username, simply use the "LAB\User Name" syntax. If you omit the -p, the tool will prompt for the password. All the utilities use the WNetAddConnection2 API, so the passwords are not sent in clear text over the network.
Create TXT output
Unlike some other tools, PsList has no built-in export options available. The only option is to use the standard console redirection syntax.
pslist \\ws2022 -e svchost >> result.txt
Copying the results to an Excel sheet requires a bit more effort, as each line is inserted into one cell with multiple spaces between each value.
PsList is a useful tool from the Sysinternals suite to list Windows processes. It allows you to retrieve all information about the running processes that you need for your daily work as a Windows admin.
Want to write for 4sysops? We are looking for new authors.