Enumerating Running Process using VB Script and WMI

11/18/08

Permalink 10:11:05 pm, by dave, 693 words, 546 views, English (US)
Categories: Windows Scripting, Wsh Scripts


This script uses WMI to enumerate all running processes. For each process it displays some basic information (name and owner) and then information about the executable file itself (path, timestamps, file type and file attributes).

In the initial comment block inside the code you will see a listing of all the attributes that are available when using the WMI Win32_Process class to get information about processes.


Code:

'====================================================================
'== enum_processes.vbs    -  script to enumerate all the running
'==                          processes and display information about
'==                          about the executable file
'==
'==  information available using the wmi provider
'==
'==  string Caption;
'==  string CommandLine;
'==  string CreationClassName;
'==  datetime CreationDate;
'==  string CSCreationClassName;
'==  string CSName;
'==  string Description;
'==  string ExecutablePath;
'==  uint16 ExecutionState;
'==  string Handle;
'==  uint32 HandleCount;
'==  datetime InstallDate;
'==  uint64 KernelModeTime;
'==  uint32 MaximumWorkingSetSize;
'==  uint32 MinimumWorkingSetSize;
'==  string Name;
'==  string OSCreationClassName;
'==  string OSName;
'==  uint64 OtherOperationCount;
'==  uint64 OtherTransferCount;
'==  uint32 PageFaults;
'==  uint32 PageFileUsage;
'==  uint32 ParentProcessId;
'==  uint32 PeakPageFileUsage;
'==  uint64 PeakVirtualSize;
'==  uint32 PeakWorkingSetSize;
'==  uint32 Priority;
'==  uint64 PrivatePageCount;
'==  uint32 ProcessId;
'==  uint32 QuotaNonPagedPoolUsage;
'==  uint32 QuotaPagedPoolUsage;
'==  uint32 QuotaPeakNonPagedPoolUsage;
'==  uint32 QuotaPeakPagedPoolUsage;
'==  uint64 ReadOperationCount;
'==  uint64 ReadTransferCount;
'==  uint32 SessionId;
'==  string Status;
'==  datetime TerminationDate;
'==  uint32 ThreadCount;
'==  uint64 UserModeTime;
'==  uint64 VirtualSize;
'==  string WindowsVersion;
'==  uint64 WorkingSetSize;
'==  uint64 WriteOperationCount;
'==  uint64 WriteTransferCount;
'====================================================================
option explicit
 
dim procList, objProc, outMsg1, indentStr, objWMI, fso
dim user, domain
 
indentStr = "      "
 
set fso = createobject("Scripting.FileSystemObject")
set objWMI = getobject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
 
' enumerate all processes
set procList = objWMI.execquery("Select * from Win32_Process")
 
for each objProc in procList
 
   outMsg1 = "Process:  " & objProc.Name & vbcrlf
   ' outMsg1 = outMsg1 & objProc.executablepath & " - "
   objProc.GetOwner user,domain
   outMsg1 = outMsg1 & "Owner:    " & domain & "\" & user & vbcrlf
   outMsg1 = outMsg1 & "File:     " & getfileinfo(objProc.executablepath) & vbcrlf

   wscript.echo outMsg1
 
next
 
set procList = nothing
set objWMI = nothing
set fso = nothing
 
'====================================================================
'==  function getFileInfo  -  get information about the file in
'==                           question
'==
'==  Normal      0     Normal file. No attributes are set.
'==  ReadOnly    1     Read-only file. Attribute is read/write.
'==  Hidden      2     Hidden file. Attribute is read/write.
'==  System      4     System file. Attribute is read/write.
'==  Volume      8     Disk drive volume label. Attribute is read-only.
'==  Directory   16    Folder or directory. Attribute is read-only.
'==  Archive     32    File has changed since last backup. Attribute is read/write.
'==  Alias       1024  Link or shortcut. Attribute is read-only.
'==  Compressed  2048  Compressed file. Attribute is read-only.
'==
'====================================================================
function getFileInfo(filePath)
 
   ' ExecutablePath comes back as Null (not "") for processes whose image
   ' the caller cannot query, such as many services, so test for both
   ' before trying to open the file
   if isnull(filePath) or filePath = "" then
      getFileInfo = ""
      exit function
   end if
 
   on error resume next
 
   dim fileObj, outMsg
 
   set fileObj = fso.getfile(filePath)
 
   outMsg = filePath & vbcrlf
 
   outMsg = outMsg & indentStr & "      Created: " & fileObj.DateCreated  & vbcrlf
 
   outMsg = outMsg & indentStr & "      Last Accessed: " & fileObj.DateLastAccessed & vbcrlf
 
   outMsg = outMsg & indentStr & "      Last Modified: " & fileObj.DateLastModified & vbcrlf
 
   outMsg = outMsg & indentStr & "      File Type: " & fileObj.Type & vbcrlf
 
   ' a file with no attributes set has Attributes = 0; testing
   ' "attributes and 0" would never be true, so compare for equality
   if fileObj.attributes = 0 then
 
      outMsg = outMsg & indentStr & "      File Attributes:  Normal file. No attributes are set"
 
   else
 
      outMsg = outMsg & indentStr & "      File Attributes:  "
 
      if fileObj.attributes and 1 then
         outMsg = outMsg & "Read Only "
      end if
 
      if fileObj.attributes and 2 then
         outMsg = outMsg & "Hidden "
      end if
 
      if fileObj.attributes and 4 then
         outMsg = outMsg & "System "
      end if
 
      if fileObj.attributes and 8 then
         outMsg = outMsg & "Volume "
      end if
 
      if fileObj.attributes and 16 then
         outMsg = outMsg & "Directory "
      end if
 
      if fileObj.attributes and 32 then
         outMsg = outMsg & "Archive - File has changed since last backup "
      end if
 
      if fileObj.attributes and 1024 then
         outMsg = outMsg & "Link or Shortcut "
      end if
 
      if fileObj.attributes and 2048 then
         outMsg = outMsg & "Compressed "
      end if
 
   end if
  
   set fileObj = nothing
 
   getFileInfo = outMsg
 
end function

Here is what this script will display.

Process: vmh.exe
Owner: NT AUTHORITY\SYSTEM
File: C:\Program Files\Microsoft Virtual Server\vmh.exe
Created: 5/24/2007 12:36:36 PM
Last Accessed: 11/13/2008 8:59:27 AM
Last Modified: 5/24/2007 12:36:36 PM
File Type: Application
File Attributes: Archive - File has changed since last backup

Process: vssrvc.exe
Owner: NT AUTHORITY\NETWORK SERVICE
File:
File Attributes: Normal file. No attributes are set

Process: mcrdsvc.exe
Owner: NT AUTHORITY\LOCAL SERVICE
File:
File Attributes: Normal file. No attributes are set

Process: dllhost.exe
Owner: NT AUTHORITY\SYSTEM
File: C:\WINDOWS\system32\dllhost.exe
Created: 4/13/2005 10:55:31 AM
Last Accessed: 11/13/2008 8:59:27 AM
Last Modified: 8/10/2004 1:00:00 PM
File Type: Application
File Attributes: Archive - File has changed since last backup
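The same enumeration written in PowerShell, as an added example that is not part of the original post. It uses the CIM cmdlets (Get-CimInstance, Invoke-CimMethod) against the same Win32_Process class and the same GetOwner method, and it makes explicit the two edge cases the VBScript has to cope with: a process whose ExecutablePath is Null (the vssrvc.exe and mcrdsvc.exe entries above), and the "Normal" attribute case, which must be tested with an equality check rather than a bitwise AND against 0. The function names Get-FileAttributeNames and Get-ProcessFileReport are my own; the attribute bit values are the FileSystemObject values listed in the post, and the example assumes it runs in PowerShell on Windows, where .NET reports a file with no other attributes as Normal (128) while FSO reports it as 0.

```powershell
# Added example, not the original post's code: Win32_Process enumeration with
# owner and executable-file details, in PowerShell.

function Get-FileAttributeNames {
    param([int]$Mask)
    # Bit values as listed for FileSystemObject in the post; .NET uses the
    # same bits, with 1024 named ReparsePoint and "no attributes" = 128.
    $bits = @(
        @{ Bit = 1;    Name = 'ReadOnly'   },
        @{ Bit = 2;    Name = 'Hidden'     },
        @{ Bit = 4;    Name = 'System'     },
        @{ Bit = 8;    Name = 'Volume'     },
        @{ Bit = 16;   Name = 'Directory'  },
        @{ Bit = 32;   Name = 'Archive'    },
        @{ Bit = 1024; Name = 'Alias'      },
        @{ Bit = 2048; Name = 'Compressed' }
    )
    # "Normal" is the absence of bits: ($Mask -band 0) is always 0, so this
    # has to be an equality test (0 for FSO, 128 for .NET FileAttributes).
    if ($Mask -eq 0 -or $Mask -eq 128) { return 'Normal' }
    $set = foreach ($b in $bits) { if ($Mask -band $b.Bit) { $b.Name } }
    return ($set -join ' ')
}

function Get-ProcessFileReport {
    foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        # GetOwner returns a non-zero ReturnValue (with empty Domain/User) for
        # System, the Idle process and processes the caller cannot open.
        $ownerText = if ($owner.ReturnValue -eq 0) {
            "$($owner.Domain)\$($owner.User)"
        } else {
            '<unavailable>'
        }

        $report = [ordered]@{
            Process = $proc.Name
            PID     = $proc.ProcessId
            Owner   = $ownerText
            File    = $proc.ExecutablePath
        }

        # ExecutablePath is $null for many service processes; only touch the
        # file system when there is a path and it resolves.
        if ($proc.ExecutablePath -and (Test-Path -LiteralPath $proc.ExecutablePath)) {
            $file = Get-Item -LiteralPath $proc.ExecutablePath
            $report['Created']      = $file.CreationTime
            $report['LastAccessed'] = $file.LastAccessTime
            $report['LastModified'] = $file.LastWriteTime
            $report['Attributes']   = Get-FileAttributeNames -Mask ([int]$file.Attributes)
        }
        [pscustomobject]$report
    }
}

Get-ProcessFileReport | Format-List
```

Because each process is emitted as an object rather than a pre-formatted string, the output can be filtered or exported (for example, piped to Where-Object on Owner or Attributes, or to Export-Csv for a baseline) without changing the enumeration code.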

As always, I am always looking for new scripts to add to this site, so submit a request for your question or need and I will see if I can answer it.

Dave


