PowerShell: Process Wrangling with Get-Process
This post was originally published on jcutrer.com (WordPress) and has been migrated to the archive.
The PowerShell command Get-Process returns all running processes, similar to the tasklist command. In this article, we will explore the powerful ways to use the Get-Process command.
The Basics
Get-Process
List all running processes.
PS C:\dev\playground> Get-Process
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
479 45 72088 95316 5.05 16984 9 Adobe CEF Helper
901 56 84624 122208 38.19 11072 9 Adobe Desktop Service
244 18 5232 11524 7.73 9776 9 AdobeIPCBroker
267 17 3732 10908 0.66 3452 0 AdobeUpdateService
115 9 1828 2264 0.08 13584 0 svchost
134 9 1844 7640 0.06 14116 0 svchost
235 16 2856 10928 3.23 15936 0 svchost
4848 0 184 18136 3,883.41 4 0 System
483 37 9264 23040 1.78 10000 9 taskhostw
115 7 1696 7088 0.05 1536 9 unsecapp
668 22 10268 21888 21.17 5968 0 WmiPrvSE
378 17 26128 10260 2.16 1348 0 WUDFHost
328 19 6272 14144 5.94 4052 0 ZeroConfigService
### output truncated
Get-Process explorer
Get process(es) by name.
Note: This command may return more than one result if multiple instances of an application are running.
Get-Process a*
Wildcard query: search for processes by name.
PS C:\dev\playground> Get-Process a*
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
479 45 72208 95800 6.20 16984 9 Adobe CEF Helper
912 56 84628 122356 54.34 11072 9 Adobe Desktop Service
244 18 5584 11776 13.14 9776 9 AdobeIPCBroker
267 17 3732 10908 0.72 3452 0 AdobeUpdateService
205 13 4732 11212 24.34 3520 0 AGSService
219 20 3888 13388 6.70 16040 0 AppleMobileDeviceService
632 38 13168 37336 1.89 9912 9 ApplePhotoStreams
364 25 4984 17416 0.42 9764 9 APSDaemon
516 23 30828 35288 3,189.81 14576 0 audiodg
Get-Process -Id 3916
Get a process by ID (PID).
Get-Process -iD 3916 | Select-Object *
Get all available information about a single process.
PS C:\dev\playground> Get-Process -iD 3916 | Select-Object *
Name : WavesSysSvc64
Id : 3916
PriorityClass : Normal
FileVersion : 1.1.6.0
HandleCount : 97
WorkingSet : 3276800
PagedMemorySize : 2433024
PrivateMemorySize : 2433024
VirtualMemorySize : 36986880
TotalProcessorTime : 00:00:00.0312500
SI : 0
Handles : 97
VM : 36986880
WS : 3276800
PM : 2433024
NPM : 8624
Path : C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
Company : Waves Audio Ltd.
CPU : 0.03125
ProductVersion : 1.1.6.0
Description : WavesSysSvc Service Application
Product : Waves MaxxAudio
__NounName : Process
BasePriority : 8
ExitCode :
HasExited : False
ExitTime :
Handle : 1896
SafeHandle : Microsoft.Win32.SafeHandles.SafeProcessHandle
MachineName : .
MainWindowHandle : 0
MainWindowTitle :
MainModule : System.Diagnostics.ProcessModule (WavesSysSvc64.exe)
MaxWorkingSet : 1413120
MinWorkingSet : 204800
Modules : {System.Diagnostics.ProcessModule (WavesSysSvc64.exe), System.Diagnostics.ProcessModule (ntdll.dll),
System.Diagnostics.ProcessModule (KERNEL32.DLL), System.Diagnostics.ProcessModule (KERNELBASE.dll)...}
NonpagedSystemMemorySize : 8624
NonpagedSystemMemorySize64 : 8624
PagedMemorySize64 : 2433024
PagedSystemMemorySize : 62752
PagedSystemMemorySize64 : 62752
PeakPagedMemorySize : 5505024
PeakPagedMemorySize64 : 5505024
PeakWorkingSet : 8888320
PeakWorkingSet64 : 8888320
PeakVirtualMemorySize : 40390656
PeakVirtualMemorySize64 : 40390656
PriorityBoostEnabled : True
PrivateMemorySize64 : 2433024
PrivilegedProcessorTime : 00:00:00.0312500
ProcessName : WavesSysSvc64
ProcessorAffinity : 255
Responding : True
SessionId : 0
StartInfo : System.Diagnostics.ProcessStartInfo
StartTime : 9/30/2017 4:33:01 PM
SynchronizingObject :
Threads : {3920, 5108}
UserProcessorTime : 00:00:00
VirtualMemorySize64 : 36986880
EnableRaisingEvents : False
StandardInput :
StandardOutput :
StandardError :
WorkingSet64 : 3276800
Site :
Container :
Get-Process explorer -IncludeUsername
Information about the process owner is not included in the output by default, but it can be added by supplying the -IncludeUserName argument.
PS C:\dev\playground> Get-Process explorer -IncludeUsername | Select-Object Id,Name,UserName
Id Name UserName
-- ---- --------
7628 explorer MYCOMPUTER\me
Get-Process -FileVersionInfo explorer | Select-Object *
Use the -FileVersionInfo argument to get detailed information about the executable file for a given process.
Note: Omitting | Select-Object * only returns ProductVersion,FileVersion,FileName.
PS C:\dev\playground> Get-Process -FileVersionInfo explorer | Select-Object *
FileVersionRaw : 10.0.15063.608
ProductVersionRaw : 10.0.15063.608
Comments :
CompanyName : Microsoft Corporation
FileBuildPart : 15063
FileDescription : Windows Explorer
FileMajorPart : 10
FileMinorPart : 0
FileName : C:\WINDOWS\Explorer.EXE
FilePrivatePart : 608
FileVersion : 10.0.15063.0 (WinBuild.160101.0800)
InternalName : explorer
IsDebug : False
IsPatched : False
IsPrivateBuild : False
IsPreRelease : False
IsSpecialBuild : False
Language : English (United States)
LegalCopyright : © Microsoft Corporation. All rights reserved.
LegalTrademarks :
OriginalFilename : EXPLORER.EXE.MUI
PrivateBuild :
ProductBuildPart : 15063
ProductMajorPart : 10
ProductMinorPart : 0
ProductName : Microsoft® Windows® Operating System
ProductPrivatePart : 608
ProductVersion : 10.0.15063.0
SpecialBuild :
Working with multiple instances of an application
Get-Process notepad | Sort-Object StartTime | Select-Object Id,Name,StartTime
List all instances of an application sorted by StartTime.
PS C:\dev\playground> Get-Process notepad | Sort-Object StartTime | Select-Object Id,Name,StartTime
Id Name StartTime
-- ---- ---------
12524 notepad 10/7/2017 1:35:24 PM
7708 notepad 10/7/2017 1:35:31 PM
5380 notepad 10/7/2017 1:35:37 PM
17424 notepad 10/7/2017 1:35:46 PM
11336 notepad 10/7/2017 1:35:53 PM
Get-Process notepad | Sort-Object StartTime | Select-Object Id,Name,StartTime | Select -First 1
Get the longest-running instance of an application.
PS C:\dev\playground> Get-Process notepad | Sort-Object StartTime | Select-Object Id,Name,StartTime | Select -First 1
Id Name StartTime
-- ---- ---------
12524 notepad 10/7/2017 1:35:24 PM
Get-Process notepad | Sort-Object StartTime -Descending | Select-Object Id,Name,StartTime | Select -First 1
Get the most recently started instance of an application.
PS C:\dev\playground> Get-Process notepad | Sort-Object StartTime -Descending | Select-Object Id,Name,StartTime | Select -First 1
Id Name StartTime
-- ---- ---------
11336 notepad 10/7/2017 1:35:53 PM
User Processes
Get Processes by Username
# Get Logged In User
$myuser = $(Get-WMIObject -class Win32_ComputerSystem | select username).username
# Query for User Processes
Get-Process -IncludeUserName | Where-Object {$_.UserName -eq $myuser}
Process CPU and Memory Utilization
Get-Process | Sort-Object CPU -desc | Select-Object -first 5 | Format-Table Id,ProcessName,CPU
Get the top 5 processes by CPU utilization.
PS C:\dev\playground> Get-Process | Sort-Object CPU -desc | Select-Object -first 5 | Format-Table Id,ProcessName,CPU
Id ProcessName CPU
-- ----------- ---
4 System 4038.09375
14576 audiodg 3016.0625
3608 KillerService 2674.9375
5632 WmiPrvSE 2331.890625
12156 chrome 1474.921875
gwmi Win32_PerfFormattedData_PerfProc_Process | sort PercentProcessorTime -desc | select IDProcess,Name,PercentProcessorTime | Select -First 7 | ft -auto
This alternative command does not use Get-Process, but it shows the top 5 processes with their percentage of CPU utilization (the first two of the seven rows are the _Total and Idle counters).
PS C:\dev\playground> gwmi Win32_PerfFormattedData_PerfProc_Process| sort PercentProcessorTime -desc | select IDProcess,Name,PercentProcessorTime | Select -First 7 | ft -auto
IDProcess Name PercentProcessorTime
--------- ---- --------------------
0 _Total 100
0 Idle 100
12156 chrome#20 17
17760 chrome#23 11
9880 chrome#24 11
14576 audiodg 11
1168 chrome#21 5
get-process | Where-Object {$_.Responding -ne "True"}
List all processes that are hung or not responding.
PS C:\dev\playground> get-process | Where-Object {$_.Responding -ne "True"}
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
1233 44 37768 92448 6.86 10804 9 ShellExperienceHost
667 35 15172 44736 0.88 6688 9 SystemSettings
Get-Process | Where-Object {$_.WorkingSet -gt 100000000}
Get all processes using more than 100MB of memory.
PS C:\dev\playground> Get-Process | Where-Object {$_.WorkingSet -gt 100000000}
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
909 56 84628 122312 48.98 11072 9 Adobe Desktop Service
448 65 234176 256376 244.64 1168 9 chrome
3253 123 289692 375732 970.67 3060 9 chrome
420 54 156236 187296 194.78 5056 9 chrome
279 55 174848 176724 48.19 5624 9 chrome
460 56 164316 182924 104.59 6224 9 chrome
319 36 95716 99716 26.48 8692 9 chrome
563 41 252896 251396 445.02 12104 9 chrome
444 56 193576 222024 1,357.28 12156 9 chrome
438 55 154580 177040 19.86 17760 9 chrome
2223 73 45192 113804 48.63 7628 9 explorer
834 85 232872 188256 1,123.73 3952 0 MsMpEng
1401 97 151420 198412 138.58 9768 9 PaintDotNet
1328 88 234760 279732 293.44 11016 9 powershell_ise
994 62 45524 98704 0.86 18308 9 SearchUI
Executing & Terminating Processes
`Start-Process`
Let's first learn how to launch a process from PowerShell. If we want to do anything interesting with the launched process, we need to use the -passthru argument so that the process ID is passed back to our script.
# Execute notepad and print the process id (PID)
$app = Start-Process notepad -passthru
echo $app.Id
# Launch 5 instances of notepad and keep track of the PIDs
$procs = @{}
1..5 | % { Start-Process notepad -passthru | ForEach-Object { $procs[$_.Id] = $_ }}
echo $procs
`Stop-Process`
Next, let's review how Stop-Process works.
#Kill process by id
Stop-Process 19320
#Kill process by name
Stop-Process -processname notepad
#Kill process using wildcard search
Stop-Process -processname note*
#Force termination of a process that is not responding
Stop-Process -processname notepad -Force
Combining Get-Process and Stop-Process
# Passing a Get-Process returned object to Stop-Process
$p = Get-Process notepad
Stop-Process $p
# Same as above but combined into one line
Get-Process notepad | Stop-Process
Terminate the most recent instance of an application
Get-Process notepad | Sort-Object StartTime -Descending | Select-Object Id,Name,StartTime | Select -First 1 | Stop-Process
#Same command expanded for readability
Get-Process notepad `
| Sort-Object StartTime -Descending `
| Select-Object Id,Name,StartTime `
| Select -First 1 `
| Stop-Process
Terminate the oldest instance of an application
Get-Process notepad | Sort-Object StartTime | Select-Object Id,Name,StartTime | Select -First 1 | Stop-Process
#Same command expanded for readability
Get-Process notepad `
| Sort-Object StartTime `
| Select-Object Id,Name,StartTime `
| Select -First 1 `
| Stop-Process
Terminate application instances in order, oldest to newest
In this example we also introduce a 2 second delay between each call to Stop-Process.
# Terminate all instances of an application oldest to newest
# Introducing a delay of 2 seconds between each termination
Foreach( $p in Get-Process notepad | Sort-Object StartTime )
{
echo "Terminating $($p.Id)"
Stop-Process $p
echo "2 Second Delay"
Start-Sleep -s 2
}
# Script Output
Terminating 4824
2 Second Delay
Terminating 8416
2 Second Delay
Terminating 16460
2 Second Delay
Terminating 10300
2 Second Delay
Terminating 10040
2 Second Delay
Start and Stop an Application
# Launch Notepad, wait 5 seconds and close it
$app = Start-Process notepad -passthru
echo $app.Id
Start-Sleep -s 5
Stop-Process $app.Id
Start a process and wait for it to terminate
# Launch notepad and pause script until user closes it
$app = Start-Process notepad -passthru
echo "Notepad Launched"
Wait-Process $app.Id
echo "Notepad Closed"
Launch an application and count how long it was running for
$StartTime = Get-Date
# Launch Notepad
$app = Start-Process notepad -passthru
echo "Notepad Launched"
# Wait for user to close application
Wait-Process $app.Id
echo "Notepad Closed"
$EndTime = Get-Date
# TotalSeconds is the whole elapsed time; .Seconds is only the 0-59 seconds component
echo "Notepad was running for $([int]($EndTime - $StartTime).TotalSeconds) seconds"
# Script Output
Notepad Launched
Notepad Closed
Notepad was running for 17 seconds
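Stopping by name or wildcard (Stop-Process -processname note*) and stopping by a saved PID after a delay both act on whatever matches at that moment, and a PID can be reassigned once the original process exits. The following added example, which is not from the original article, stops only instances whose image path matches and that are still running; the function name Stop-ProcessByImage, its parameters and the Notepad path are assumptions made for illustration.

```powershell
# Added example (not from the original article). Stop-ProcessByImage and its
# parameters are hypothetical names chosen for illustration.
function Stop-ProcessByImage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,          # may contain wildcards, e.g. note*
        [Parameter(Mandatory)][string]$ExpectedPath,  # full path of the image we mean
        [switch]$CurrentSessionOnly
    )

    $mySession = (Get-Process -Id $PID).SessionId

    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        # Path is unreadable for processes we lack access to; treat that as no match.
        $path = try { $p.Path } catch { $null }
        if ($path -ne $ExpectedPath) {                # string -ne is case-insensitive
            Write-Verbose "Skipping PID $($p.Id): image is '$path'"
            continue
        }
        if ($CurrentSessionOnly -and $p.SessionId -ne $mySession) { continue }

        # Act on the Process object rather than on a remembered PID.
        $p.Refresh()
        if ($p.HasExited) { continue }

        if ($PSCmdlet.ShouldProcess("$($p.ProcessName) (PID $($p.Id))", 'Stop-Process')) {
            Stop-Process -InputObject $p
        }
    }
}

# Assumed location of the classic Notepad image; adjust for your system.
$notepad = Join-Path $env:windir 'System32\notepad.exe'

# Preview what the wildcard would terminate, then do it for this session only.
Stop-ProcessByImage -Name 'note*' -ExpectedPath $notepad -WhatIf
Stop-ProcessByImage -Name 'note*' -ExpectedPath $notepad -CurrentSessionOnly

# Launch, wait, and stop only if the process we started is still alive.
$app = Start-Process notepad -PassThru
Start-Sleep -Seconds 5
if (-not $app.HasExited) { Stop-Process -InputObject $app }
```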
Executing & Terminating Multiple Processes
# Start 10 instances of notepad, wait 5 seconds, and then terminate each instance
$procs = New-Object System.Collections.ArrayList
1..10 | % { Start-Process notepad -passthru | ForEach-Object { $procs.Add($_) | Out-Null }}
Start-Sleep -s 5
Foreach($p in $procs)
{
echo $p.Id
Stop-Process $p
}
I hope you have enjoyed this deep dive into the Get-Process command. If you have any suggestions or additions to this article, please leave a comment down below.
Get-Process Properties Reference
PS C:\> Get-Process | Get-Member -MemberType Properties
TypeName: System.Diagnostics.Process
Name MemberType Definition
---- ---------- ----------
Handles AliasProperty Handles = Handlecount
Name AliasProperty Name = ProcessName
NPM AliasProperty NPM = NonpagedSystemMemorySize64
PM AliasProperty PM = PagedMemorySize64
SI AliasProperty SI = SessionId
VM AliasProperty VM = VirtualMemorySize64
WS AliasProperty WS = WorkingSet64
__NounName NoteProperty string __NounName=Process
BasePriority Property int BasePriority {get;}
Container Property System.ComponentModel.IContainer Container {get;}
EnableRaisingEvents Property bool EnableRaisingEvents {get;set;}
ExitCode Property int ExitCode {get;}
ExitTime Property datetime ExitTime {get;}
Handle Property System.IntPtr Handle {get;}
HandleCount Property int HandleCount {get;}
HasExited Property bool HasExited {get;}
Id Property int Id {get;}
MachineName Property string MachineName {get;}
MainModule Property System.Diagnostics.ProcessModule MainModule {get;}
MainWindowHandle Property System.IntPtr MainWindowHandle {get;}
MainWindowTitle Property string MainWindowTitle {get;}
MaxWorkingSet Property System.IntPtr MaxWorkingSet {get;set;}
MinWorkingSet Property System.IntPtr MinWorkingSet {get;set;}
Modules Property System.Diagnostics.ProcessModuleCollection Modules {get;}
NonpagedSystemMemorySize Property int NonpagedSystemMemorySize {get;}
NonpagedSystemMemorySize64 Property long NonpagedSystemMemorySize64 {get;}
PagedMemorySize Property int PagedMemorySize {get;}
PagedMemorySize64 Property long PagedMemorySize64 {get;}
PagedSystemMemorySize Property int PagedSystemMemorySize {get;}
PagedSystemMemorySize64 Property long PagedSystemMemorySize64 {get;}
PeakPagedMemorySize Property int PeakPagedMemorySize {get;}
PeakPagedMemorySize64 Property long PeakPagedMemorySize64 {get;}
PeakVirtualMemorySize Property int PeakVirtualMemorySize {get;}
PeakVirtualMemorySize64 Property long PeakVirtualMemorySize64 {get;}
PeakWorkingSet Property int PeakWorkingSet {get;}
PeakWorkingSet64 Property long PeakWorkingSet64 {get;}
PriorityBoostEnabled Property bool PriorityBoostEnabled {get;set;}
PriorityClass Property System.Diagnostics.ProcessPriorityClass PriorityClass {get;set;}
PrivateMemorySize Property int PrivateMemorySize {get;}
PrivateMemorySize64 Property long PrivateMemorySize64 {get;}
PrivilegedProcessorTime Property timespan PrivilegedProcessorTime {get;}
ProcessName Property string ProcessName {get;}
ProcessorAffinity Property System.IntPtr ProcessorAffinity {get;set;}
Responding Property bool Responding {get;}
SafeHandle Property Microsoft.Win32.SafeHandles.SafeProcessHandle SafeHandle {get;}
SessionId Property int SessionId {get;}
Site Property System.ComponentModel.ISite Site {get;set;}
StandardError Property System.IO.StreamReader StandardError {get;}
StandardInput Property System.IO.StreamWriter StandardInput {get;}
StandardOutput Property System.IO.StreamReader StandardOutput {get;}
StartInfo Property System.Diagnostics.ProcessStartInfo StartInfo {get;set;}
StartTime Property datetime StartTime {get;}
SynchronizingObject Property System.ComponentModel.ISynchronizeInvoke SynchronizingObject {get;set;}
Threads Property System.Diagnostics.ProcessThreadCollection Threads {get;}
TotalProcessorTime Property timespan TotalProcessorTime {get;}
UserProcessorTime Property timespan UserProcessorTime {get;}
VirtualMemorySize Property int VirtualMemorySize {get;}
VirtualMemorySize64 Property long VirtualMemorySize64 {get;}
WorkingSet Property int WorkingSet {get;}
WorkingSet64 Property long WorkingSet64 {get;}
Company ScriptProperty System.Object Company {get=$this.Mainmodule.FileVersionInfo.CompanyName;}
CPU ScriptProperty System.Object CPU {get=$this.TotalProcessorTime.TotalSeconds;}
Description ScriptProperty System.Object Description {get=$this.Mainmodule.FileVersionInfo.FileDescription;}
FileVersion ScriptProperty System.Object FileVersion {get=$this.Mainmodule.FileVersionInfo.FileVersion;}
Path ScriptProperty System.Object Path {get=$this.Mainmodule.FileName;}
Product ScriptProperty System.Object Product {get=$this.Mainmodule.FileVersionInfo.ProductName;}
ProductVersion ScriptProperty System.Object ProductVersion {get=$this.Mainmodule.FileVersionInfo.ProductVersion;}
Reference
- (https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-5.1)
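The Path and StartTime properties listed in the properties reference, combined with -IncludeUserName, are enough for a quick triage of what is running on a host. The following is an added example, not code from the original article; the function name Get-ProcessTriage and the list of expected install roots are assumptions to adjust for your environment, and the signature check uses the built-in Get-AuthenticodeSignature cmdlet.

```powershell
# Added example (not from the original article): flag running processes whose
# image is not validly signed or lives outside the usual install locations.
# Assumption: these three roots are "expected"; adjust them for your environment.
$ExpectedRoots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ProcessTriage {
    [CmdletBinding()]
    param([string]$Name = '*')

    # -IncludeUserName needs an elevated session on Windows PowerShell 5.1;
    # fall back to a plain query (UserName stays empty) when it is refused.
    try   { $procs = Get-Process -Name $Name -IncludeUserName -ErrorAction Stop }
    catch { $procs = Get-Process -Name $Name -ErrorAction SilentlyContinue }

    foreach ($p in $procs) {
        # Path and StartTime can be unreadable for protected/system processes.
        $path  = try { $p.Path } catch { $null }
        $start = try { $p.StartTime } catch { $null }

        $flags = @()
        $sigStatus = 'PathUnavailable'
        if ($path) {
            $sigStatus = (Get-AuthenticodeSignature -LiteralPath $path).Status
            if ($sigStatus -ne 'Valid') { $flags += "Signature:$sigStatus" }

            $underExpectedRoot = $false
            foreach ($root in $ExpectedRoots) {
                if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $underExpectedRoot = $true
                }
            }
            if (-not $underExpectedRoot) { $flags += 'UnexpectedPath' }
        }

        [pscustomobject]@{
            Id        = $p.Id
            Name      = $p.ProcessName
            UserName  = $p.UserName
            StartTime = $start
            Signature = $sigStatus
            Flags     = $flags -join ','
            Path      = $path
        }
    }
}

# Show only flagged processes, newest first.
Get-ProcessTriage |
    Where-Object Flags |
    Sort-Object StartTime -Descending |
    Format-Table Id, Name, UserName, Signature, Flags, Path -AutoSize
```

A flag is a prompt to look closer, not a verdict: per-user installs under a profile directory will show UnexpectedPath, and rows with PathUnavailable usually mean the session lacks the rights to read that process.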