Given a PID on Windows - how do I find the command line instruction that executed it?
Solution 1:
Powershell and WMI.
Get-WmiObject Win32_Process | Select ProcessId,CommandLine
Or
Get-WmiObject -Query "SELECT CommandLine FROM Win32_Process WHERE ProcessID = 3352"
Note that you have to have permissions to access this information about a process. So you might have to run the command as admin if the process you want to know about is running in a privileged context.
Solution 2:
You can use the WMI subsystem, using WMIC.EXE to get to this information. Assuming a PID of 600:
wmic.exe path Win32_Process where handle='600' get name, commandline /format:list
You can also search for name, or other characteristic of the process. Use this command to list all attributes:
wmic.exe path Win32_Process get /format:list
Solution 3:
The other answers are certainly good options that will serve you well in an automated system because of their command line nature (and I see from the tag that that's what you wanted). Of course, some folks might want to explore this kind of info with a GUI, so here's an alternative along those lines.
Process Explorer is a Sysinternals tool maintained by Microsoft. It can display the command line of the process in the process's properties dialog as well as the parent that launched it, though the name of that process may no longer be available. Here's the process properties dialog:
If you want a more detailed audit trail of when a process was launched and under what conditions, you can turn to another Sysinternals tool called Process Monitor. Here you can filter for "Process started" events, learn about the environment the process was launched in, and see what other events were occurring around that time. It's quite a powerful program. Here's the event properties dialog:
Solution 4:
To complement Ryan Ries' helpful PowerShell answer with a shorter alternative via the -Filter parameter that also uses Get-CimInstance instead of the deprecated-since-v3 Get-WmiObject cmdlet:
# Target a process by its PID (process ID) and report its command line,
# using the PowerShell session's own PID as an example ($PID).
(Get-CimInstance Win32_Process -Filter "ProcessId=$PID").CommandLine
# Alternatively, target process(es) by name (may return multiple processes),
# using Notepad.exe as an example.
# Select-Object is used to report both the PID and the command line.
Get-CimInstance Win32_Process -Filter "Name='Notepad.exe'" |
Select-Object ProcessId, CommandLine
The -Filter parameter essentially allows you to pass the WHERE clause of a WQL statement instead of passing a full query statement via -Query.
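Putting the answers above together, here is an added example (not code from any of the answers) that wraps the Get-CimInstance -Filter lookup in a reusable function, also resolves the parent process mentioned in the Process Explorer answer, and surfaces the two cases a practitioner runs into: a PID that no longer exists, and a CommandLine that comes back empty because the caller lacks rights to the target process. The function name Get-ProcessCommandLine is hypothetical.

```powershell
function Get-ProcessCommandLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [int[]]$ProcessId,
        [switch]$IncludeParent
    )
    process {
        foreach ($id in $ProcessId) {
            # -Filter is the WQL WHERE clause; ProcessId is numeric, so no quotes.
            $proc = Get-CimInstance Win32_Process -Filter "ProcessId=$id"
            if (-not $proc) {
                # Get-CimInstance returns nothing (no error) when the PID is gone.
                Write-Warning "No process with PID $id found."
                continue
            }
            $parent = $null
            if ($IncludeParent) {
                # ParentProcessId can be recycled after the parent exits, so the
                # parent found here may not be the one that actually launched it.
                $parent = Get-CimInstance Win32_Process `
                    -Filter "ProcessId=$($proc.ParentProcessId)"
            }
            [pscustomobject]@{
                ProcessId         = $proc.ProcessId
                Name              = $proc.Name
                # Empty when the caller lacks access to the process (e.g. a
                # non-elevated shell querying a SYSTEM process); rerun elevated.
                CommandLine       = $proc.CommandLine
                ParentProcessId   = $proc.ParentProcessId
                ParentName        = $parent.Name
                ParentCommandLine = $parent.CommandLine
            }
        }
    }
}

# Usage: the current PowerShell session ($PID) and the process that started it.
Get-ProcessCommandLine -ProcessId $PID -IncludeParent | Format-List
```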