Win32_Process class

The Win32_Process WMI class represents a process on an operating system.

The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties.

Syntax

[Provider("CIMWin32")]
class Win32_Process : CIM_Process
{
  string   Caption;
  string   CommandLine;
  string   CreationClassName;
  datetime CreationDate;
  string   CSCreationClassName;
  string   CSName;
  string   Description;
  string   ExecutablePath;
  uint16   ExecutionState;
  string   Handle;
  uint32   HandleCount;
  datetime InstallDate;
  uint64   KernelModeTime;
  uint32   MaximumWorkingSetSize;
  uint32   MinimumWorkingSetSize;
  string   Name;
  string   OSCreationClassName;
  string   OSName;
  uint64   OtherOperationCount;
  uint64   OtherTransferCount;
  uint32   PageFaults;
  uint32   PageFileUsage;
  uint32   ParentProcessId;
  uint32   PeakPageFileUsage;
  uint64   PeakVirtualSize;
  uint32   PeakWorkingSetSize;
  uint32   Priority = NULL;
  uint64   PrivatePageCount;
  uint32   ProcessId;
  uint32   QuotaNonPagedPoolUsage;
  uint32   QuotaPagedPoolUsage;
  uint32   QuotaPeakNonPagedPoolUsage;
  uint32   QuotaPeakPagedPoolUsage;
  uint64   ReadOperationCount;
  uint64   ReadTransferCount;
  uint32   SessionId;
  string   Status;
  datetime TerminationDate;
  uint32   ThreadCount;
  uint64   UserModeTime;
  uint64   VirtualSize;
  string   WindowsVersion;
  uint64   WorkingSetSize;
  uint64   WriteOperationCount;
  uint64   WriteTransferCount;
};

Members

The Win32_Process class has these types of members:

Methods

The Win32_Process class has these methods.

Method                    Description
AttachDebugger            Launches the currently registered debugger for a process.
Create                    Creates a new process.
GetAvailableVirtualSize   Retrieves the current size, in bytes, of the free virtual address space available to the process.
GetOwner                  Retrieves the user name and domain name under which the process is running.
GetOwnerSid               Retrieves the security identifier (SID) for the owner of a process.
SetPriority               Changes the execution priority of a process.
Terminate                 Terminates a process and all of its threads.

Properties

The Win32_Process class has these properties.

Caption
Data type: string
Access type: Read-only
Qualifiers: MaxLen (64)

Short description of an object—a one-line string.

CommandLine
Data type: string
Access type: Read-only

Command line used to start a specific process, if applicable.

CreationClassName
Data type: string
Access type: Read-only
Qualifiers: Key, MaxLen (256)

Name of the first concrete class in the inheritance chain that is used to create an instance. You can use this property with other key properties of the class to uniquely identify all of the instances of the class and its subclasses. This property is inherited from CIM_System.

CreationDate
Data type: datetime
Access type: Read-only

Date the process begins executing.

CSCreationClassName
Data type: string
Access type: Read-only

Creation class name of the scoping computer system.

CSName
Data type: string
Access type: Read-only

Name of the scoping computer system.

Description
Data type: string
Access type: Read-only

Description of an object.

ExecutablePath
Data type: string
Access type: Read-only
Qualifiers: Privileges (SeDebugPrivilege)

Path to the executable file of the process.

Example: "C:\WINDOWS\EXPLORER.EXE"

ExecutionState
Data type: uint16
Access type: Read-only

Value   Meaning
0       Unknown
1       Other
2       Ready
3       Running
4       Blocked
5       Suspended Blocked
6       Suspended Ready

Handle
Data type: string
Access type: Read-only
Qualifiers: Key

Process identifier.

HandleCount
Data type: uint32
Access type: Read-only

Total number of open handles owned by the process. HandleCount is the sum of the handles currently open by each thread in this process. A handle is used to examine or modify the system resources. Each handle has an entry in a table that is maintained internally. Entries contain the addresses of the resources and data to identify the resource type.

InstallDate
Data type: datetime
Access type: Read-only

Date an object is installed. The object may be installed without a value being written to this property.

KernelModeTime
Data type: uint64
Access type: Read-only
Qualifiers: Units ("Milliseconds")

Time in kernel mode, in milliseconds. If this information is not available, use a value of 0 (zero).

For more information about using uint64 values in scripts, see Scripting in WMI.

MaximumWorkingSetSize
Data type: uint32
Access type: Read-only
Qualifiers: Privileges (SeDebugPrivilege), Units (Kilobytes)

Maximum working set size of the process. The working set of a process is the set of memory pages visible to the process in physical RAM. These pages are resident, and available for an application to use without triggering a page fault.

Example: 1413120

MinimumWorkingSetSize
Data type: uint32
Access type: Read-only
Qualifiers: Privileges (SeDebugPrivilege), Units (Kilobytes)

Minimum working set size of the process. The working set of a process is the set of memory pages visible to the process in physical RAM. These pages are resident and available for an application to use without triggering a page fault.

Example: 20480

Name
Data type: string
Access type: Read-only

Name of the executable file responsible for the process, equivalent to the Image Name property in Task Manager.

When inherited by a subclass, the property can be overridden to be a key property. The name is hard-coded into the application itself and is not affected by changing the file name. For example, even if you rename Calc.exe, the name Calc.exe will still appear in Task Manager and in any WMI scripts that retrieve the process name.

OSCreationClassName
Data type: string
Access type: Read-only

Creation class name of the scoping operating system.

OSName
Data type: string
Access type: Read-only

Name of the scoping operating system.

OtherOperationCount
Data type: uint64
Access type: Read-only

Number of I/O operations performed that are not read or write operations.

For more information about using uint64 values in scripts, see Scripting in WMI.

OtherTransferCount
Data type: uint64
Access type: Read-only
Qualifiers: Units (Bytes)

Amount of data transferred during operations that are not read or write operations.

For more information about using uint64 values in scripts, see Scripting in WMI.

PageFaults
Data type: uint32
Access type: Read-only

Number of page faults that a process generates.

Example: 10

PageFileUsage
Data type: uint32
Access type: Read-only
Qualifiers: Units (Kilobytes)

Amount of page file space that a process is using currently. This value is consistent with the VMSize value in TaskMgr.exe.

Example: 102435

ParentProcessId
Data type: uint32
Access type: Read-only

Unique identifier of the process that creates a process. Process identifier numbers are reused, so they only identify a process for the lifetime of that process. It is possible that the process identified by ParentProcessId is terminated, so ParentProcessId may not refer to a running process. It is also possible that ParentProcessId incorrectly refers to a process that reuses a process identifier. You can use the CreationDate property to determine whether the specified parent was created after the process represented by this Win32_Process instance was created.

PeakPageFileUsage
Data type: uint32
Access type: Read-only
Qualifiers: Units (Kilobytes)

Maximum amount of page file space used during the life of a process.

Example: 102367

PeakVirtualSize
Data type: uint64
Access type: Read-only
Qualifiers: Units (Bytes)

Maximum virtual address space a process uses at any one time. Using virtual address space does not necessarily imply corresponding use of either disk or main memory pages. However, virtual space is finite, and by using too much the process might not be able to load libraries.

For more information about using uint64 values in scripts, see Scripting in WMI.

PeakWorkingSetSize
Data type: uint32
Access type: Read-only
Qualifiers: Units (Kilobytes)

Peak working set size of a process.

Example: 1413120

Priority
Data type: uint32
Access type: Read-only

Scheduling priority of a process within an operating system. The higher the value, the higher the priority a process receives. Priority values can range from 0 (zero), which is the lowest priority, to 31, which is the highest priority.

Example: 7

PrivatePageCount
Data type: uint64
Access type: Read-only

Current number of pages allocated that are only accessible to the process represented by this Win32_Process instance.

For more information about using uint64 values in scripts, see Scripting in WMI.

ProcessId
Data type: uint32
Access type: Read-only

Numeric identifier used to distinguish one process from another. ProcessIDs are valid from process creation time to process termination. Upon termination, that same numeric identifier can be applied to a new process.

This means that you cannot use ProcessID alone to monitor a particular process. For example, an application could have a ProcessID of 7, and then fail. When a new process is started, the new process could be assigned ProcessID 7. A script that checked only for a specified ProcessID could thus be "fooled" into thinking that the original application was still running.

QuotaNonPagedPoolUsage
Data type: uint32
Access type: Read-only

Quota amount of nonpaged pool usage for a process.

Example: 15

QuotaPagedPoolUsage
Data type: uint32
Access type: Read-only

Quota amount of paged pool usage for a process.

Example: 22

QuotaPeakNonPagedPoolUsage
Data type: uint32
Access type: Read-only

Peak quota amount of nonpaged pool usage for a process.

Example: 31

QuotaPeakPagedPoolUsage
Data type: uint32
Access type: Read-only

Peak quota amount of paged pool usage for a process.

Example: 31

ReadOperationCount
Data type: uint64
Access type: Read-only

Number of read operations performed.

For more information about using uint64 values in scripts, see Scripting in WMI.

ReadTransferCount
Data type: uint64
Access type: Read-only
Qualifiers: Units (Bytes)

Amount of data read.

For more information about using uint64 values in scripts, see Scripting in WMI.

SessionId
Data type: uint32
Access type: Read-only

Unique identifier that an operating system generates when a session is created. A session spans a period of time from logon until logoff from a specific system.

Status
Data type: string
Access type: Read-only
Qualifiers: MaxLen (10)

This property is not implemented and does not get populated for any instance of this class. It is always NULL.

TerminationDate
Data type: datetime
Access type: Read-only

Process was stopped or terminated. To get the termination time, a handle to the process must be held open. Otherwise, this property returns NULL.

ThreadCount
Data type: uint32
Access type: Read-only

Number of active threads in a process. An instruction is the basic unit of execution in a processor, and a thread is the object that executes an instruction. Each running process has at least one thread.

UserModeTime
Data type: uint64
Access type: Read-only
Qualifiers: Units ("Milliseconds")

Time in user mode, in 100 nanosecond units. If this information is not available, use a value of 0 (zero).

For more information about using uint64 values in scripts, see Scripting in WMI.

VirtualSize
Data type: uint64
Access type: Read-only
Qualifiers: Units (Bytes)

Current size of the virtual address space that a process is using, not the physical or virtual memory actually used by the process. Using virtual address space does not necessarily imply corresponding use of either disk or main memory pages. Virtual space is finite, and by using too much, the process might not be able to load libraries. This value is consistent with what you see in Perfmon.exe.

For more information about using uint64 values in scripts, see Scripting in WMI.

WindowsVersion
Data type: string
Access type: Read-only

Version of Windows in which the process is running.

Example: 4.0

WorkingSetSize
Data type: uint64
Access type: Read-only
Qualifiers: Units ("Bytes")

Amount of memory in bytes that a process needs to execute efficiently—for an operating system that uses page-based memory management. If the system does not have enough memory (less than the working set size), thrashing occurs. If the size of the working set is not known, use NULL or 0 (zero). If working set data is provided, you can monitor the information to understand the changing memory requirements of a process.

For more information about using uint64 values in scripts, see Scripting in WMI.

WriteOperationCount
Data type: uint64
Access type: Read-only

Number of write operations performed.

For more information about using uint64 values in scripts, see Scripting in WMI.

WriteTransferCount
Data type: uint64
Access type: Read-only
Qualifiers: Units (Bytes)

Amount of data written.

For more information about using uint64 values in scripts, see Scripting in WMI.
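
The ParentProcessId and ProcessId descriptions above warn that process identifiers are reused and that CreationDate can be used to check a parent link. The following PowerShell is an added example, not part of the original topic; the function name Resolve-ProcessParent, the ParentLink labels, and the sample snapshot are constructed for illustration.

```powershell
# Added example (not from the original page): classify each ParentProcessId link
# in one process snapshot using the CreationDate comparison described above.
function Resolve-ProcessParent {
    param(
        # Win32_Process instances, or objects exposing the same four properties.
        [Parameter(Mandatory)]
        [object[]] $Process
    )

    # Within a single snapshot every running process has a distinct ProcessId.
    $byPid = @{}
    foreach ($p in $Process) { $byPid[[uint32]$p.ProcessId] = $p }

    foreach ($p in $Process) {
        $parent = $byPid[[uint32]$p.ParentProcessId]
        $link = if ($null -eq $parent) {
            'ParentExited'   # ParentProcessId no longer names a running process
        } elseif ($null -eq $p.CreationDate -or $null -eq $parent.CreationDate) {
            'Unknown'        # no timestamp to compare, so the link cannot be checked
        } elseif ($parent.CreationDate -gt $p.CreationDate) {
            'PidReused'      # the claimed parent was created after the child
        } else {
            'Verified'
        }

        # Only report a parent name when the link passed the CreationDate check.
        $parentName = $null
        if ($link -eq 'Verified') { $parentName = $parent.Name }

        [pscustomobject]@{
            Name            = $p.Name
            ProcessId       = $p.ProcessId
            ParentProcessId = $p.ParentProcessId
            ParentName      = $parentName
            ParentLink      = $link
        }
    }
}

# Constructed snapshot (illustrative values, not captured from a real host).
$t = [datetime]'2014-03-01T09:00:00'
$snapshot = @(
    [pscustomobject]@{ Name = 'services.exe'; ProcessId = 600;  ParentProcessId = 500;  CreationDate = $t }
    [pscustomobject]@{ Name = 'svchost.exe';  ProcessId = 900;  ParentProcessId = 600;  CreationDate = $t.AddSeconds(5) }
    [pscustomobject]@{ Name = 'notepad.exe';  ProcessId = 4120; ParentProcessId = 3000; CreationDate = $t.AddHours(1) }
    [pscustomobject]@{ Name = 'backup.exe';   ProcessId = 3000; ParentProcessId = 600;  CreationDate = $t.AddHours(2) }
)
Resolve-ProcessParent -Process $snapshot | Format-Table -AutoSize

# Against live data on the local computer:
# Resolve-ProcessParent -Process (Get-CimInstance -ClassName Win32_Process)
```

A child that outlives its parent keeps the stale ParentProcessId, so only links marked Verified should be used when reconstructing a process tree from Win32_Process data.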

Remarks

The Win32_Process class is derived from CIM_Process. The calling process that uses this class must have the SE_RESTORE_NAME privilege on the computer in which the registry resides. For more information, see Executing Privileged Operations.

Overview

Processes underlie almost everything that happens on a computer. In fact, the root cause of most computer problems can be traced to processes; for example, too many processes might be running on a computer (and contending for a finite set of resources), or a single process might be using more than its share of resources. These factors make it important to keep a close watch on the processes running on a computer. Process monitoring, the main activity in process management, allows you to determine what a computer actually does, what applications the computer runs, and how those applications are affected by changes in the computing environment.

Monitoring a Process

Monitoring processes on a regular basis helps you ensure that a computer runs at peak efficiency and that it carries out its appointed tasks as expected. For example, by monitoring processes you can be notified immediately of any application that has stopped responding, and then take steps to end that process. In addition, process monitoring enables you to identify problems before they occur. For example, by repeatedly checking the amount of memory used by a process, you can identify a memory leak. You can then stop the process before the errant application uses all of the available memory and brings the computer to a halt.

Process monitoring also helps minimize the disruptions caused by planned outages for upgrades and maintenance. For example, by checking the status of a database application running on client computers, you can determine the impact of taking the database offline in order to upgrade the software.

Monitoring process availability. Measures the percentage of time that a process is available. Availability is typically monitored by use of a simple probe, which reports whether the process is still running. By keeping track of the results of each probe, you can calculate the availability of the process. For example, a process that is probed 100 times and responds on 95 of those occasions has an availability of 95 percent. This type of monitoring is typically reserved for databases, mail programs, and other applications that are expected to run at all times. It is not appropriate for word processing programs, spreadsheets, or other applications that are routinely started and stopped several times a day.

You can create an instance of the Win32_ProcessStartup class to configure the process.

You can monitor process performance with the Win32_PerfFormattedData_PerfProc_Process class and a WMI refresher object, such as SWbemRefresher. For more information, see Monitoring Performance Data.

Examples

The List the Properties of WMI Classes PowerShell code sample on TechNet Gallery describes the Win32_Process class, and outputs the results in Excel format.

The Terminate running process on multiple servers sample terminates a process running on a single or multiple computers.

In the Example: Calling a Provider Method topic, the code uses C++ to call Win32_Process to create a process.

Availability is the simplest form of process monitoring: with this approach, you simply ensure that the process is running. When you monitor for process availability, you typically retrieve a list of processes running on a computer and then verify that a particular process is still active. If the process is active, it is considered available. If the process is not active, it is not available. The following VBScript sample monitors process availability by checking the list of processes running on a computer and issuing a notification if the Database.exe process is not found.


strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
 & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcesses = objWMIService.ExecQuery _
 ("SELECT * FROM Win32_Process WHERE Name = 'Database.exe'")
If colProcesses.Count = 0 Then
 Wscript.Echo "Database.exe is not running."
Else
 Wscript.Echo "Database.exe is running."
End If

The following VBScript sample monitors process creation using a temporary event consumer.


strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
 & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colMonitoredProcesses = objWMIService. _ 
 ExecNotificationQuery("SELECT * FROM __InstanceCreationEvent " _
 & "WITHIN 10 WHERE TargetInstance ISA 'Win32_Process'")
i = 0
Do While i = 0
 Set objLatestProcess = colMonitoredProcesses.NextEvent
 Wscript.Echo objLatestProcess.TargetInstance.Name, Now
Loop

The following VBScript monitors process performance information.


strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
 & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcessList = objWMIService.ExecQuery _
 ("SELECT * FROM Win32_Process")
For Each objProcess in colProcessList
 Wscript.Echo "Process: " & objProcess.Name
 Wscript.Echo "Process ID: " & objProcess.ProcessID
 Wscript.Echo "Thread Count: " & objProcess.ThreadCount
 Wscript.Echo "Page File Size: " & objProcess.PageFileUsage
 Wscript.Echo "Page Faults: " & objProcess.PageFaults
 Wscript.Echo "Working Set Size: " & objProcess.WorkingSetSize
Next

The following VBScript code example shows how to obtain the owner of each process on a local computer. To obtain data from a remote computer (for example, to determine which users have processes running terminal server), substitute the name of the remote computer for "." in the first line. You must also be an administrator on the remote machine.



strComputer = "." 
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")

Set colProcesses = objWMIService.ExecQuery( _
    "select * from win32_process" )
For Each objProcess in colProcesses
   
    ' Keep the return code so the Else branch can report it.
    Rtn = objProcess.GetOwner ( User, Domain )
    If Rtn = 0 Then
          Wscript.Echo "Process " & _
              objProcess.Caption & _
              " belongs to " & Domain & _
              "\" & User
    Else
          Wscript.Echo "Problem " & Rtn & _
              " getting the owner for process " _
              & objProcess.Caption
    End If
Next

The following VBScript code example shows how to obtain the logon session associated with a running process. A process must be running Notepad.exe before the script starts. The example locates the instances of Win32_LogonSession associated with the Win32_Process that represents Notepad.exe. Win32_SessionProcess is specified as the association class. For more information, see ASSOCIATORS OF Statement.


On error resume next
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & "." & "\root\cimv2")
Set colProcesses = objWMIService.ExecQuery( _
    "Select * from Win32_Process " _
    & "Where Name = 'Notepad.exe'")
For Each objProcess in colProcesses
    ProcessId = objProcess.ProcessId
    Set colLogonSessions = objWMIService.ExecQuery _
       ("Associators of {Win32_Process='" _
          & ProcessId & "'} Where" _
          & " Resultclass = Win32_LogonSession" _
          & " Assocclass = Win32_SessionProcess", "WQL", 48)
             If Err <> 0 Then
                WScript.Echo "Error on associators query= " _
                   & Err.number _ 
                   & " " & Err.Description
                WScript.Quit
             End If
   For Each LogonSession in colLogonSessions    
      Wscript.Echo " Logon id is " & LogonSession.LogonId
   Next 
Next

Requirements

Minimum supported client

Windows Vista

Minimum supported server

Windows Server 2003

Namespace

\root\CIMV2

MOF

CIMWin32.mof

DLL

CIMWin32.dll

See also

Operating System Classes
WMI Tasks: Processes

 

 

© 2014 Microsoft