Hello again, digital detectives. Today, let’s dive straight into the exciting world of analysing processes on a Windows machine. Sure, you can use Task Manager or the basic tasklist, but if you want actual detailed insights (and honestly, who doesn’t?), it’s time to master wmic process.
Step 1: Checking Running Processes (Briefly, Because You’re Busy)
Quickly survey what’s running using this command:
C:\WINDOWS\system32> wmic process list brief
You’ll see these key columns:
- HandleCount: Number of handles or open resources.
- Name: Process name, typically the executable file.
- Priority: CPU scheduling priority (0 is lowest, 31 highest).
- ProcessId (PID): Unique identifier for each process.
- ThreadCount: Number of threads actively working.
- WorkingSetSize: Memory usage in bytes.
Handy tip: if something looks weird, it probably is.
Step 2: Digging Deeper into Specific Processes (Full Detail Mode)
For suspicious or curious-looking processes, use the detailed view:
C:\WINDOWS\system32> wmic process list full
But wait! That’s way too much information for humans (but not for me). Narrow down the output to a specific process like so:
C:\Users\Investigator> wmic process where name="weird.exe" list full
Look closely at these useful fields:
- ExecutablePath: Where the executable file lives.
- ParentProcessId: Tells you who started this process (its parent).
- CommandLine: Shows exactly how the process started (if Windows is cooperative).
Step 3: Investigating Parent and Child Processes
Great, you’ve found a process called weird.exe—now you need its background. Identify the parent process:
C:\Users\Investigator> wmic process where processid=1234 list brief
(Replace 1234 with your actual parent PID.)
Or simplify things by choosing specific columns:
C:\Users\Investigator> wmic process where processid=1234 get name,commandline,processid,parentprocessid
You’ll notice WMIC doesn’t always perfectly respect column ordering or fill all fields. Consider it a quirk, not a bug.
Step 4: Tracking Down Child Processes
Identify what processes were launched by your suspicious process:
C:\Users\Investigator> wmic process where parentprocessid=5678 get name,commandline,processid,parentprocessid
(Replace 5678 with the suspicious PID.)
Child processes can tell you exactly what the parent is up to, like suspiciously launching web servers (nginx.exe) or something equally fun.
Quick Reference Workflow
- Quickly scan running processes (
list brief). - Narrow in on suspicious processes (
list full). - Trace parents and children using
processidandparentprocessid. - Gather selective information (
getclause) for readability.
Conclusion
Processes tell fascinating stories if you know how to listen. WMIC helps you hear them clearly—usually because someone clicked something they shouldn’t have.
Stay curious, and keep investigating!
