Retrieving Windows Process Information using PowerShell Command and WMI Class
Windows PowerShell is a powerful tool for retrieving Windows process information. PowerShell provides simple command-line parameters for retrieving the data and arranging the output in the desired format.
Below are the benefits of PowerShell over VBScript.
VBScript has no built-in method for sorting data; to sort, another scripting technology such as ActiveX Data Objects (ADO) has to be employed.
Another advantage of PowerShell is that PowerShell does not need to be installed on the host whose WMI information you want to retrieve. You can use another host (a remote host) with PowerShell installed and have it make the WMI call to the target host.
In this article we show the usage of the Get-WmiObject cmdlet (a PowerShell command) for retrieving process objects.
Command:
(Retrieving information from local system)
C:\> get-wmiobject -class "Win32_Process" | sort -descending "WorkingSetSize" | select-object -last 5 | Select-Object Name, WorkingSetSize, Handle, HandleCount, MaximumWorkingSetSize, MinimumWorkingSetSize, PageFaults, PageFileUsage, ParentProcessId, PeakPageFileUsage, OSCreationClassName, OSName, OtherOperationCount, PrivatePageCount, QuotaNonPagedPoolUsage, QuotaPeakNonPagedPoolUsage, ReadTransferCount, SessionId
(Retrieving information from remote system)
C:\> get-wmiobject -class "Win32_Process" -credential Domain\administrator -computer HOSTNAME/IP | sort -descending "WorkingSetSize" | select-object -last 5 | Select-Object Name, WorkingSetSize, Handle, HandleCount, MaximumWorkingSetSize, MinimumWorkingSetSize, PageFaults, PageFileUsage, ParentProcessId, PeakPageFileUsage, OSCreationClassName, OSName, OtherOperationCount, PrivatePageCount, QuotaNonPagedPoolUsage, QuotaPeakNonPagedPoolUsage, ReadTransferCount, SessionId
In this example Get-WmiObject is using -class "Win32_Process".
We can sort the result by any property of the process object. In this example we are sorting by "WorkingSetSize" descending.
There are a number of processes running on a machine, and we can specify how many of them to list. In this example we list the last 5 by specifying Select-Object -last 5.
We can also specify which properties of the process object we need in the result. In this example we specified the properties Name, WorkingSetSize, Handle, HandleCount, etc.
The WMI Win32_Process class has many properties, a few of which are listed below.
We can reference these properties in our command.
1) Name: Label for an object.
2) ProcessId: Global process identifier that is used to identify a process.
3) ExecutablePath: Path to the executable file of the process (Example: C:\WINDOWS\EXPLORER.EXE).
4) WorkingSetSize: Amount of memory in bytes that a process needs to execute efficiently, for an operating system that uses page-based memory management. If the system does not have enough memory (less than the working set size), thrashing occurs.
5) MaximumWorkingSetSize: Maximum working set size of the process. The working set of a process is the set of memory pages visible to the process in physical RAM.
6) MinimumWorkingSetSize: Minimum working set size of the process.
7) PeakWorkingSetSize: Peak working set size of a process.
8) Handle: Process identifier.
9) HandleCount: Total number of open handles owned by the process.
10) ThreadCount: Number of active threads in a process. An instruction is the basic unit of execution in a processor, and a thread is the object that executes an instruction. Each running process has at least one thread.
11) ReadOperationCount: Number of read operations performed.
12) ReadTransferCount: Amount of data read.
13) WriteOperationCount: Number of write operations performed.
14) WriteTransferCount: Amount of data written.
15) OtherTransferCount: Amount of data transferred during operations that are not read or write operations.
16) OtherOperationCount: Number of I/O operations performed that are not read or write operations.
17) PageFaults: Number of page faults that a process generates.
18) PageFileUsage: Amount of page file space that a process is using currently.
19) PeakPageFileUsage: Maximum amount of page file space used during the life of a process.
20) PrivatePageCount: Current number of pages allocated that are only accessible to the process represented by this Win32_Process instance.
21) VirtualSize: Current size of the virtual address space that a process is using, not the physical or virtual memory actually used by the process. Using virtual address space does not necessarily imply corresponding use of either disk or main memory pages. Virtual space is finite, and by using too much, the process might not be able to load libraries.
22) PeakVirtualSize: Maximum virtual address space a process uses at any one time. Using virtual address space does not necessarily imply corresponding use of either disk or main memory pages. However, virtual space is finite, and by using too much the process might not be able to load libraries.
23) QuotaNonPagedPoolUsage: Quota amount of nonpaged pool usage for a process.
24) QuotaPagedPoolUsage: Quota amount of paged pool usage for a process.
25) QuotaPeakNonPagedPoolUsage: Peak quota amount of nonpaged pool usage for a process.
26) QuotaPeakPagedPoolUsage: Peak quota amount of paged pool usage for a process.
27) ParentProcessId: Unique identifier of the process that creates a process.
28) SessionId: Unique identifier that an operating system generates when a session is created. A session spans a period of time from logon until logoff from a specific system.
29) Priority: Scheduling priority of a process within an operating system. The higher the value, the higher priority a process receives. Priority values can range from 0 (zero), which is the lowest priority, to 31, which is the highest priority.
30) CreationDate: Date the process begins executing.
31) InstallDate: Date an object is installed.
32) Caption: Short description of an object.
33) CommandLine: Command line used to start a specific process.
34) CSName: Name of the scoping computer system.
35) OSName: Name of the scoping operating system.
36) WindowsVersion: Version of Windows in which the process is running.
37) Description: Description of an object.
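The following script is an added example, not code from the original article: it wraps the Get-WmiObject query shown above in a function, resolves each process's parent name by joining on ParentProcessId, converts the WMI CreationDate string to a [datetime], and returns the largest working sets with the properties from the list above. The function name Get-ProcessReport and its parameters are assumptions; -ComputerName and -Credential are passed straight through to Get-WmiObject, so omitting them queries the local system.

```powershell
# Added example (not from the original article). Assumed function name and
# parameters; the WMI calls and property names are those the article describes.
function Get-ProcessReport {
    [CmdletBinding()]
    param(
        [string]$ComputerName,                                  # omit for local system
        [System.Management.Automation.PSCredential]$Credential, # only valid for remote hosts
        [int]$Top = 5
    )

    # Build the Get-WmiObject arguments; -Credential cannot be used for local queries.
    $wmiArgs = @{ Class = 'Win32_Process' }
    if ($ComputerName) { $wmiArgs['ComputerName'] = $ComputerName }
    if ($Credential)   { $wmiArgs['Credential']   = $Credential }

    $procs = @(Get-WmiObject @wmiArgs)

    # ProcessId -> Name lookup so ParentProcessId can be shown as a name.
    $byId = @{}
    foreach ($p in $procs) { $byId[[uint32]$p.ProcessId] = $p.Name }

    $procs |
        Sort-Object -Property WorkingSetSize -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            # A parent that has already exited is not in the snapshot.
            $ppid = [uint32]$_.ParentProcessId
            $parentName = if ($byId.ContainsKey($ppid)) { $byId[$ppid] } else { '<exited>' }

            # CreationDate is a DMTF datetime string (null for the Idle process);
            # ConvertToDateTime() is the method PowerShell attaches to WMI objects.
            $created = if ($_.CreationDate) { $_.ConvertToDateTime($_.CreationDate) } else { $null }

            [pscustomobject]@{
                Name            = $_.Name
                ProcessId       = $_.ProcessId
                ParentProcessId = $_.ParentProcessId
                ParentName      = $parentName
                WorkingSetMB    = [math]::Round($_.WorkingSetSize / 1MB, 1)
                HandleCount     = $_.HandleCount
                SessionId       = $_.SessionId
                CreationDate    = $created
                ExecutablePath  = $_.ExecutablePath
                CommandLine     = $_.CommandLine
            }
        }
}

# Local report of the five largest working sets.
Get-ProcessReport -Top 5 | Format-Table -AutoSize
```

Note that after a descending sort, Select-Object -Last 5 (as in the article's command) returns the five smallest working sets, whereas -First 5 as used here returns the five largest. ExecutablePath and CommandLine can be null for protected or system processes, so scripts that filter on them should handle an empty value.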