ProcessList - need full name of running program


I've searched the help file and the forums and haven't found anything that gives the name of the running program. I know ProcessList will give you the name and processID of each running program, but I need the full program name and path of each process, and as a bonus, any parameters passed to the process when launched.

Example from an AdAware report:

#:8 [svchost.exe] - I can get this from ProcessList

ModuleName : C:\WINDOWS\System32\svchost.exe - want this

Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService - would be nice

ProcessID : 1132 - I can get this from ProcessList

ThreadCreationTime : 08-08-2005 3:56:16 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

#:9 [svchost.exe] - I can get this from ProcessList

ModuleName : C:\WINDOWS\System32\svchost.exe - want this

Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService - would be nice

ProcessID : 1204 - I can get this from ProcessList

ThreadCreationTime : 08-08-2005 3:56:17 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

Obviously it can be done. I've seen the code here in the forums to extract the file and product version, etc from the file name once it has been identified and have used that in other code, but the identification is the bit I'm looking for.

I've been stumped where there are a number of processes running with different version names and file locations but the same process name - production and beta versions - and need to differentiate between them, hence just searching for the file from the process name is not going to solve my problem.

Any pointers and hints would be appreciated.


Well... me and my "hard-headed" ways of getting there. After hours I got this for ya from services.exe

C:\WINDOWS\$NtServicePackUninstall$\services.exe

C:\WINDOWS\ServicePackFiles\i386\services.exe

C:\WINDOWS\system32\services.exe

File Name: services.exe

File ID: 748

Version: 5.1.2600.2180

Link info found**

C:\WINDOWS\system32\services.msc

%HOMEDRIVE%%HOMEPATH%

/s

Starts and stop services.

%SystemRoot%\system32\filemgmt.dll

0

1

this is how

#include <Array.au3>
Dim $hFile3A, $hFile3B, $prog[10], $details[10]


; List all processes: $list[$i][0] is the process name, $list[$i][1] its PID
$list = ProcessList()
For $i = 1 To $list[0][0]

#Region --- CodeWizard generated code Start ---
;MsgBox features: Title=Yes, Text=Yes, Buttons=Yes, No, and Cancel, Icon=Question
    If Not IsDeclared("iMsgBoxAnswer") Then Dim $iMsgBoxAnswer
    $iMsgBoxAnswer = MsgBox(35, "Process Information", "Press  *Yes*  to get Process information for   " & @CRLF & @CRLF & $list[$i][0] & @CRLF & @CRLF & "Press  *No*   to see the next Process " & @CRLF)
    Select
        Case $iMsgBoxAnswer = 6 ;Yes
            SplashTextOn("Searching", @CRLF & "... Please Wait ...", 240, 60)
            Call("Get_info")

        Case $iMsgBoxAnswer = 7 ;No

        Case $iMsgBoxAnswer = 2 ;Cancel
            Exit

    EndSelect
#EndRegion --- CodeWizard generated code End ---

Next


Func Get_info()

    ; Search the whole home drive for files named like the process and write
    ; every match (one full path per line) to a temp file
    RunWait(@ComSpec & ' /c ' & 'dir "' & @HomeDrive & "\" & $list[$i][0] & '" /a :h /b /s' & ' > "' & @TempDir & "\dir_" & $i & ".txt", '', @SW_HIDE)
    Sleep(2000)

    $hFile = FileOpen(@TempDir & "\dir_" & $i & ".txt", 1)

    ; Check if file opened for writing OK
    If $hFile = -1 Then
        MsgBox(0, "Write Error 1", "Unable to open file.")
        SplashOff()
        Return
    EndIf

    FileWriteLine($hFile, " ")
    FileWriteLine($hFile, "File Name: " & $list[$i][0])
    FileWriteLine($hFile, "File ID: " & $list[$i][1])

    ; Note: only the bare process name is passed here, so the version is read
    ; from whichever copy the search path resolves, not necessarily the running one
    $ver = FileGetVersion($list[$i][0])
    FileWriteLine($hFile, "Version: " & $ver)

    FileWriteLine($hFile, " ")

    FileClose($hFile)


    ; Look for a shortcut (.lnk) with the same base name as the process
    $result = StringReplace($list[$i][0], "exe", "lnk")

    RunWait(@ComSpec & ' /c ' & 'dir "' & @HomeDrive & "\" & $result & '" /a :h /b /s' & ' > "' & @TempDir & "\Link_" & $i & ".txt", '', @SW_HIDE)
    Sleep(2000)

    $hFile2 = FileOpen(@TempDir & "\Link_" & $i & ".txt", 0)

    ; Check if file opened for reading OK
    If $hFile2 = -1 Then
        MsgBox(0, "Read Error 2", "Unable to open file.")
        SplashOff()
        Return
    EndIf

    ; First matching shortcut path, if any
    $sLine = FileReadLine($hFile2)
    FileClose($hFile2)

    If FileExists($sLine) Then

        $hFile3A = FileOpen(@TempDir & "\dir_" & $i & ".txt", 1)

        ; Check if file opened for writing OK
        If $hFile3A = -1 Then
            MsgBox(0, "Write Error 3A", "Unable to open file.")
            SplashOff()
            Return
        EndIf

        FileWriteLine($hFile3A, "Link info found**")

        ; FileGetShortcut returns a 7-element array: target path, working
        ; directory, arguments, description, icon file, icon index, state
        $prog = FileGetShortcut($sLine)

        For $t = 0 To 6
            Sleep(200)
            FileWriteLine($hFile3A, $prog[$t])
        Next

        ; Close the handle opened in this branch (the original closed $hFile3B here)
        FileClose($hFile3A)

    Else
        $hFile3B = FileOpen(@TempDir & "\dir_" & $i & ".txt", 1)

        ; Check if file opened for writing OK
        If $hFile3B = -1 Then
            MsgBox(0, "Write Error 3B", "Unable to open file.")
            SplashOff()
            Return
        EndIf

        FileWriteLine($hFile3B, "No link info found")
        FileClose($hFile3B)
    EndIf

    SplashOff()

    RunWait('Notepad "' & @TempDir & "\dir_" & $i & '.txt"') ; for testing

EndFunc

I never claim to be the sharpest here.... but maybe it could help

(I'm sure there are easier ways)... but it worked

8)


Well... me and my "hard-headed" ways of getting there. After hours I got this for ya from services.exe

this is how

Extract all process names
Search drive for all filenames that match

I never claim to be the sharpest here.... but maybe it could help

(I'm sure there are easier ways)... but it worked

8)

Thanks,

I tried that and it seems to get a semblance of what I want, but it doesn't allow for other drives, etc, as it makes the assumption that the program names and the process names are the same, and they are resident on the homedrive. The other issue is doing a search of all files on the drive takes a while on my system.

Still looking...


  • 3 weeks later...

Seems the solution was right under my nose: :whistle:

I ran AutoIt Scriptomatic and selected the root\CIMV2 WMI NameSpace and Win32_Process WMI Class and voila, instant code!

Results (indentation lost during cut-and-paste):

; Generated by AutoIt Scriptomatic

$wbemFlagReturnImmediately = 0x10
$wbemFlagForwardOnly = 0x20
$colItems = ""
$strComputer = "localhost"

$Output = ""
$Output = $Output & "Computer: " & $strComputer & @CRLF
$Output = $Output & "==========================================" & @CRLF
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")
$colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_Process", "WQL", _
        $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

If IsObj($colItems) Then
    For $objItem In $colItems
        $Output = $Output & "Caption: " & $objItem.Caption & @CRLF
        $Output = $Output & "CommandLine: " & $objItem.CommandLine & @CRLF
        $Output = $Output & "CreationClassName: " & $objItem.CreationClassName & @CRLF
        $Output = $Output & "CreationDate: " & WMIDateStringToDate($objItem.CreationDate) & @CRLF
        $Output = $Output & "CSCreationClassName: " & $objItem.CSCreationClassName & @CRLF
        $Output = $Output & "CSName: " & $objItem.CSName & @CRLF
        $Output = $Output & "Description: " & $objItem.Description & @CRLF
        $Output = $Output & "ExecutablePath: " & $objItem.ExecutablePath & @CRLF
        $Output = $Output & "ExecutionState: " & $objItem.ExecutionState & @CRLF
        $Output = $Output & "Handle: " & $objItem.Handle & @CRLF
        $Output = $Output & "HandleCount: " & $objItem.HandleCount & @CRLF
        $Output = $Output & "InstallDate: " & WMIDateStringToDate($objItem.InstallDate) & @CRLF
        $Output = $Output & "KernelModeTime: " & $objItem.KernelModeTime & @CRLF
        $Output = $Output & "MaximumWorkingSetSize: " & $objItem.MaximumWorkingSetSize & @CRLF
        $Output = $Output & "MinimumWorkingSetSize: " & $objItem.MinimumWorkingSetSize & @CRLF
        $Output = $Output & "Name: " & $objItem.Name & @CRLF
        $Output = $Output & "OSCreationClassName: " & $objItem.OSCreationClassName & @CRLF
        $Output = $Output & "OSName: " & $objItem.OSName & @CRLF
        $Output = $Output & "OtherOperationCount: " & $objItem.OtherOperationCount & @CRLF
        $Output = $Output & "OtherTransferCount: " & $objItem.OtherTransferCount & @CRLF
        $Output = $Output & "PageFaults: " & $objItem.PageFaults & @CRLF
        $Output = $Output & "PageFileUsage: " & $objItem.PageFileUsage & @CRLF
        $Output = $Output & "ParentProcessId: " & $objItem.ParentProcessId & @CRLF
        $Output = $Output & "PeakPageFileUsage: " & $objItem.PeakPageFileUsage & @CRLF
        $Output = $Output & "PeakVirtualSize: " & $objItem.PeakVirtualSize & @CRLF
        $Output = $Output & "PeakWorkingSetSize: " & $objItem.PeakWorkingSetSize & @CRLF
        $Output = $Output & "Priority: " & $objItem.Priority & @CRLF
        $Output = $Output & "PrivatePageCount: " & $objItem.PrivatePageCount & @CRLF
        $Output = $Output & "ProcessId: " & $objItem.ProcessId & @CRLF
        $Output = $Output & "QuotaNonPagedPoolUsage: " & $objItem.QuotaNonPagedPoolUsage & @CRLF
        $Output = $Output & "QuotaPagedPoolUsage: " & $objItem.QuotaPagedPoolUsage & @CRLF
        $Output = $Output & "QuotaPeakNonPagedPoolUsage: " & $objItem.QuotaPeakNonPagedPoolUsage & @CRLF
        $Output = $Output & "QuotaPeakPagedPoolUsage: " & $objItem.QuotaPeakPagedPoolUsage & @CRLF
        $Output = $Output & "ReadOperationCount: " & $objItem.ReadOperationCount & @CRLF
        $Output = $Output & "ReadTransferCount: " & $objItem.ReadTransferCount & @CRLF
        $Output = $Output & "SessionId: " & $objItem.SessionId & @CRLF
        $Output = $Output & "Status: " & $objItem.Status & @CRLF
        $Output = $Output & "TerminationDate: " & WMIDateStringToDate($objItem.TerminationDate) & @CRLF
        $Output = $Output & "ThreadCount: " & $objItem.ThreadCount & @CRLF
        $Output = $Output & "UserModeTime: " & $objItem.UserModeTime & @CRLF
        $Output = $Output & "VirtualSize: " & $objItem.VirtualSize & @CRLF
        $Output = $Output & "WindowsVersion: " & $objItem.WindowsVersion & @CRLF
        $Output = $Output & "WorkingSetSize: " & $objItem.WorkingSetSize & @CRLF
        $Output = $Output & "WriteOperationCount: " & $objItem.WriteOperationCount & @CRLF
        $Output = $Output & "WriteTransferCount: " & $objItem.WriteTransferCount & @CRLF
        If MsgBox(1, "WMI Output", $Output) = 2 Then ExitLoop
        $Output = ""
    Next
Else
    MsgBox(0, "WMI Output", "No WMI Objects Found for class: " & "Win32_Process")
EndIf

Func WMIDateStringToDate($dtmDate)
    Return (StringMid($dtmDate, 5, 2) & "/" & _
            StringMid($dtmDate, 7, 2) & "/" & StringLeft($dtmDate, 4) _
            & " " & StringMid($dtmDate, 9, 2) & ":" & StringMid($dtmDate, 11, 2) & ":" & StringMid($dtmDate, 13, 2))
EndFunc

This is the solution I was looking for. :dance:

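An added example, not code from this thread or from AutoIt, showing what you can do once you have ExecutablePath and CommandLine from Win32_Process rather than only the name and PID from ProcessList: group same-name processes by the path they actually run from (the production-vs-beta problem from the first post), pull the arguments off the command line, and convert the DMTF CreationDate string the same way WMIDateStringToDate does, keeping the UTC offset that the AutoIt version drops. It goes one step further than the thread and flags instances of a system image name running from outside their expected directory. The records are constructed to mirror the properties the Scriptomatic script prints; on a real host they would come from the WQL query above. SAMPLE_PROCESSES, the function names, the PID 3456 outlier and the expected_dir default are all assumptions of this example.

```python
"""Make sense of Win32_Process records: group same-name processes by the
path they run from, split the command line, and convert DMTF CreationDate
values (the same field slicing as the thread's WMIDateStringToDate)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real WMI output). Keys mirror the
# Win32_Process property names used in the Scriptomatic script.
SAMPLE_PROCESSES = [
    {"Name": "svchost.exe", "ProcessId": 1132,
     "ExecutablePath": r"C:\WINDOWS\System32\svchost.exe",
     "CommandLine": r"C:\WINDOWS\System32\svchost.exe -k NetworkService",
     "CreationDate": "20050808035616.000000-420"},
    {"Name": "svchost.exe", "ProcessId": 1204,
     "ExecutablePath": r"C:\WINDOWS\System32\svchost.exe",
     "CommandLine": r"C:\WINDOWS\System32\svchost.exe -k LocalService",
     "CreationDate": "20050808035617.000000-420"},
    # Same image name, two install locations: the production/beta case.
    {"Name": "myapp.exe", "ProcessId": 2000,
     "ExecutablePath": r"C:\Program Files\MyApp\myapp.exe",
     "CommandLine": r'"C:\Program Files\MyApp\myapp.exe" /prod',
     "CreationDate": "20050808040000.000000-420"},
    {"Name": "myapp.exe", "ProcessId": 2010,
     "ExecutablePath": r"C:\Program Files\MyApp Beta\myapp.exe",
     "CommandLine": r'"C:\Program Files\MyApp Beta\myapp.exe" /beta',
     "CreationDate": "20050808040005.000000-420"},
    # Constructed outlier: a system image name not running from System32.
    {"Name": "svchost.exe", "ProcessId": 3456,
     "ExecutablePath": r"C:\Temp\svchost.exe",
     "CommandLine": r"C:\Temp\svchost.exe",
     "CreationDate": "20050808041000.000000-420"},
    # Kernel pseudo-process: WMI returns no path or command line for it.
    {"Name": "System", "ProcessId": 4, "ExecutablePath": None,
     "CommandLine": None, "CreationDate": "20050808035500.000000-420"},
]


def wmi_date_to_datetime(dtm):
    """Convert a DMTF datetime (yyyymmddHHMMSS.ffffff+UUU) to an aware
    datetime. UUU is the UTC offset in minutes; None stays None."""
    if not dtm:
        return None
    base = datetime.strptime(dtm[:14], "%Y%m%d%H%M%S")
    micro = int(dtm[15:21]) if len(dtm) >= 21 and dtm[14] == "." else 0
    offset_minutes = int(dtm[21:]) if len(dtm) > 21 else 0
    tz = timezone(timedelta(minutes=offset_minutes))
    return base.replace(microsecond=micro, tzinfo=tz)


def command_line_args(cmdline):
    """Return the arguments after the image path, honouring a quoted path
    (e.g. '-k NetworkService' from an svchost command line)."""
    if not cmdline:
        return []
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.split()


def group_by_name(processes):
    """Map lower-cased image name -> list of (pid, path, cmdline)."""
    groups = defaultdict(list)
    for p in processes:
        groups[p["Name"].lower()].append(
            (p["ProcessId"], p["ExecutablePath"], p["CommandLine"]))
    return dict(groups)


def names_with_multiple_paths(processes):
    """Names that run from more than one distinct path: exactly the case
    where matching on the bare ProcessList name cannot tell them apart."""
    paths = defaultdict(set)
    for p in processes:
        if p["ExecutablePath"]:
            paths[p["Name"].lower()].add(p["ExecutablePath"].lower())
    return sorted(n for n, s in paths.items() if len(s) > 1)


def suspicious_image_paths(processes, name="svchost.exe",
                           expected_dir=r"C:\WINDOWS\System32"):
    """PIDs of processes called `name` whose ExecutablePath is not under
    expected_dir (assumed default: the path from the AdAware report)."""
    prefix = expected_dir.lower().rstrip("\\") + "\\"
    return [p["ProcessId"] for p in processes
            if p["Name"].lower() == name.lower()
            and not (p["ExecutablePath"] or "").lower().startswith(prefix)]


if __name__ == "__main__":
    for name, instances in sorted(group_by_name(SAMPLE_PROCESSES).items()):
        print(name)
        for pid, path, cmd in instances:
            print(f"  pid {pid:<5} {path}  args={command_line_args(cmd)}")
    print("names running from more than one path:",
          names_with_multiple_paths(SAMPLE_PROCESSES))
    print("svchost.exe outside System32:",
          suspicious_image_paths(SAMPLE_PROCESSES))
    print("first svchost started:",
          wmi_date_to_datetime(SAMPLE_PROCESSES[0]["CreationDate"]))
```

The comparisons are case-folded because NTFS paths and image names are case-insensitive, and a missing ExecutablePath (as for the System process, or a process the caller lacks rights to query) is treated as "not in the expected directory" rather than silently skipped.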

  • 3 weeks later...

$colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_Process", "WQL", _

$wbemFlagReturnImmediately + $wbemFlagForwardOnly)

I get an error at this point in the script. My error reads:

Unable to parse line.:

$colProcess = $objWMIService.ExecQuery("Select * from Win32_Process")

$colProcess = $objWMIService.E^ ERROR

Does anybody have any insight into this error? Thanks.

Endgame
