Query and kill a process on a remote computer using PowerShell and WMI

• Author
• Recent Posts

Sitaram Pamarthi

Sitaram Pamarthi is working as a Windows Engineer and his special fields of interest are PowerShell, Active Directory, Exchange, and virtualization.

Latest posts by Sitaram Pamarthi (see all)

• Add a domain user or group to local administrators with PowerShell - Wed, Mar 19 2014
• Create a list of local administrators with PowerShell - Wed, Mar 5 2014
• Remotely query user profile information with PowerShell - Tue, Nov 26 2013

Querying processes running on local and remote computers is one of the most common jobs of system administrators. We sometimes need to know which user is running some XYZ application. If you know the process name of the application, then you can quickly scan all your network computers to see how many hosts are running that particular process, and for how long, so that you can prepare an application usage report.

Query process information

Let's first see how we can check if a process is running or not. For example, the following command checks if Notepad is running and, if so, displays information about the process:

Get-Process -Name notepad.exe

You will get information about the process, if it is running. You can use the -ComputerName parameter with the command to check if the process is running on a given remote computer. For example:

Get-Process -ComputerName PC1 -Name notepad.exe

You can get similar information with other scripting languages like VBScript and Perl. So what is so special about PowerShell? The answer is that it helps you to get granular information about processes you are querying, such as process creation time, the owner of a given process (with which account it is started), command line information about the process, the title of the application, and much more.

Below are a few example code snippets.

Process creation time

Get-ProcessCreationTime.ps1

[cmdletbinding()]
param(
	$ComputerName=$env:COMPUTERNAME,
	[parameter(Mandatory=$true)]
	$ProcessName
)
$Processes = Get-WmiObject -Class Win32_Process -ComputerName $ComputerName -Filter "name='$ProcessName'"
if($Processes) {
	foreach ($process in $processes) {
	$processid = $process.handle
	$processcreationtime = $Process.Converttodatetime($Process.creationdate)
	write-host "`nThe $ProcessName `($processid`) process creation time is $processcreationtime"
}
} else {
	write-host "`nNo Process found with name $ProcessName"
}
write-host ""

The above script takes computer name and process name as arguments. The computer name is optional and defaults to the local computer if not provided. The process name is mandatory, and the script will throw an error if you don’t provide it. After reading the arguments, a WMI query gets the list of processes using the names in the argument and iterates through each process to get its creation date.

Process creation time

Process owner

Get-ProcessOwner.ps1

[cmdletbinding()]
param(
  $ComputerName=$env:COMPUTERNAME,
  [parameter(Mandatory=$true)]
  $ProcessName
)
$Processes = Get-WmiObject -Class Win32_Process -ComputerName $ComputerName -Filter "name='$ProcessName'"

foreach ($process in $processes) {
  $UserName = $process.getowner().user
  $DomainName = $process.getowner().domain
  $processid = $process.handle

  write-host "The owner of $ProcessName `($processid`) process is $domainname`\$username"
}

This script executes in the same way as the Process creation time script.

Process owner

Process path

Get-Processpath.ps1

[cmdletbinding()]
param(
  $ComputerName=$env:COMPUTERNAME,
  [parameter(Mandatory=$true)]
  $ProcessName
)
$Processes = Get-WmiObject -Class Win32_Process -ComputerName $ComputerName -Filter "name='$ProcessName'"

foreach ($process in $processes) {
  $Executablepath = $process.ExecutablePath
  $Commandline = $process.Commandline
  $processid = $process.handle

  Write-Host ""
  Write-Host "Process Name = $ProcessName"
  Write-Host "Process ID = $Processid"
  Write-Host "Executable Path = $Executablepath"
  Write-Host "Command Line = $Commandline"
  Write-Host ""
}

This Powershell script displays the process path.

Process path

Though PowerShell has a built-in cmdlet (Get-Process) to retrieve process information, in all of the above examples I have used a WMI query to get process information from the Win32_Process class. The reason I did so is because Get-Process will not provide the owner, process path, and other values.

Kill a process

To terminate a process using PowerShell, you can either use the WMI interface or use the Stop-Process cmdlet, which comes by default with PowerShell.

Kill-ProcessusingWMI.ps1

[cmdletbinding()]
param(
  $ComputerName=$env:COMPUTERNAME,
  [parameter(Mandatory=$true)]
  $ProcessName
)
$Processes = Get-WmiObject -Class Win32_Process -ComputerName $ComputerName -Filter "name='$ProcessName'"

foreach ($process in $processes) {
  $returnval = $process.terminate()
  $processid = $process.handle

if($returnval.returnvalue -eq 0) {
  write-host "The process $ProcessName `($processid`) terminated successfully"
}
else {
  write-host "The process $ProcessName `($processid`) termination has some problems"
}
}

Kill a process

This script first queries the computer for a list of running processes and then terminates them using the terminate () method. This method will return a value of 0 if the termination is successful. Any non-zero value indicates some issues.

The second method terminates a process using the Stop-Process cmdlet. Below are some usage examples:

Get-Process -Name notepad | stop-Process

Stop-Process -Name notepad

Conclusion

Querying process information using PowerShell is pretty easy. You can use PowerShell for a variety of purposes, such as reporting application usage, querying the age or the start time of a process, or maximizing, minimizing, or restoring an application window.