info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Parent Process ID
598 views
Skip to first unread message
David
Feb 24, 2009, 5:56:01 PM2/24/09
to
I am attempting to determine if a process running locally is orphaned? It
looks like I need to access the th32ParentProcessID member of the
PROCESSENTRY32 structure. Is there a way to read the PROCESSENTRY32 structure
with PowerShell or another method to determine the process parent id?
looks like I need to access the th32ParentProcessID member of the
PROCESSENTRY32 structure. Is there a way to read the PROCESSENTRY32 structure
with PowerShell or another method to determine the process parent id?
Kiron
Feb 24, 2009, 10:49:37 PM2/24/09
to
Through WMI's Win32_Process' ParentProcessID property:
gwmi win32_process |ft Name, ProcessID, ParentProcessID -a
gwmi win32_process |? {$_.ParentProcessID} |ft Name,ParentProcessID -a
gwmi win32_process |? {!$_.ParentProcessID} |ft Name,ParentProcessID -a
# aliases used:
# gwmi = Get-WmiObject
# ? = Where-Object
# ! = -not (operator)
# ft = Format-Table
--
Kiron
gwmi win32_process |ft Name, ProcessID, ParentProcessID -a
gwmi win32_process |? {$_.ParentProcessID} |ft Name,ParentProcessID -a
gwmi win32_process |? {!$_.ParentProcessID} |ft Name,ParentProcessID -a
# aliases used:
# gwmi = Get-WmiObject
# ? = Where-Object
# ! = -not (operator)
# ft = Format-Table
--
Kiron
Kiron
Feb 25, 2009, 3:34:57 AM2/25/09
to
Ignore my previous post, I misunderstood your question and thought you just wanted to retrieve the ParentProcessID.
This will filter each process whose parent process is terminated or if its ParentProcessID inaccurately points to a 'parent' process created after it.
$wmi = [wmi]''
$col = gwmi win32_process | ? {
$parent = gwmi win32_process -f "ProcessID='$($_.parentProcessID)'"
$parentCreationDate, $creationDate = $(
if ($parent -and $_.parentProcessID) {
$wmi.ConvertToDateTime($parent.CreationDate),
$wmi.ConvertToDateTime($_.CreationDate)
} else {$null,$null})
!$parent -or $parentCreationDate -gt $creationDate
}
Remove-Variable wmi
$col | ps -ID {$_.processID}
--
Kiron
This will filter each process whose parent process is terminated or if its ParentProcessID inaccurately points to a 'parent' process created after it.
$wmi = [wmi]''
$col = gwmi win32_process | ? {
$parent = gwmi win32_process -f "ProcessID='$($_.parentProcessID)'"
$parentCreationDate, $creationDate = $(
if ($parent -and $_.parentProcessID) {
$wmi.ConvertToDateTime($parent.CreationDate),
$wmi.ConvertToDateTime($_.CreationDate)
} else {$null,$null})
!$parent -or $parentCreationDate -gt $creationDate
}
Remove-Variable wmi
$col | ps -ID {$_.processID}
--
Kiron
David
Feb 25, 2009, 6:47:03 PM2/25/09
to
Thank you Kiron! Checking the creation dates was an added feature I had not
thought of. I seem to alway overlook wmi when attempting to solve these types
of problems.
thought of. I seem to alway overlook wmi when attempting to solve these types
of problems.
forgiv...@gmail.com
Jul 6, 2012, 10:28:10 AM7/6/12
to
OP's question is over but this is for future reference. This is "another method to determine the process parent id":
(gwmi win32_process -filter "ProcessID=$pid").ParentProcessID
(gwmi win32_process -filter "ProcessID=$pid").ParentProcessID
0 new messages