Win32_Process class

The Win32_Process WMI class represents a process on an operating system.

The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties.

Syntax

[Provider("CIMWin32")]
class Win32_Process : CIM_Process
{
  string   Caption;
  string   CommandLine;
  string   CreationClassName;
  datetime CreationDate;
  string   CSCreationClassName;
  string   CSName;
  string   Description;
  string   ExecutablePath;
  uint16   ExecutionState;
  string   Handle;
  uint32   HandleCount;
  datetime InstallDate;
  uint64   KernelModeTime;
  uint32   MaximumWorkingSetSize;
  uint32   MinimumWorkingSetSize;
  string   Name;
  string   OSCreationClassName;
  string   OSName;
  uint64   OtherOperationCount;
  uint64   OtherTransferCount;
  uint32   PageFaults;
  uint32   PageFileUsage;
  uint32   ParentProcessId;
  uint32   PeakPageFileUsage;
  uint64   PeakVirtualSize;
  uint32   PeakWorkingSetSize;
  uint32   Priority = NULL;
  uint64   PrivatePageCount;
  uint32   ProcessId;
  uint32   QuotaNonPagedPoolUsage;
  uint32   QuotaPagedPoolUsage;
  uint32   QuotaPeakNonPagedPoolUsage;
  uint32   QuotaPeakPagedPoolUsage;
  uint64   ReadOperationCount;
  uint64   ReadTransferCount;
  uint32   SessionId;
  string   Status;
  datetime TerminationDate;
  uint32   ThreadCount;
  uint64   UserModeTime;
  uint64   VirtualSize;
  string   WindowsVersion;
  uint64   WorkingSetSize;
  uint64   WriteOperationCount;
  uint64   WriteTransferCount;
};

Members

The Win32_Process class has these types of members:

Methods

The Win32_Process class has these methods.

Method                    Description
AttachDebugger            Launches the currently registered debugger for a process.
Create                    Creates a new process.
GetAvailableVirtualSize   Retrieves the current size, in bytes, of the free virtual address space available to the process.
GetOwner                  Retrieves the user name and domain name under which the process is running.
GetOwnerSid               Retrieves the security identifier (SID) for the owner of a process.
SetPriority               Changes the execution priority of a process.
Terminate                 Terminates a process and all of its threads.

Properties

The Win32_Process class has these properties.

Caption
Data type: string
Access type: Read-only
Qualifiers: MaxLen (64)

Short description of an object—a one-line string.

CommandLine
Data type: string
Access type: Read-only

Command line used to start a specific process, if applicable.

CreationClassName
Data type: string
Access type: Read-only
Qualifiers: Key, MaxLen (256)

Name of the first concrete class in the inheritance chain that is used to create an instance. You can use this property with other key properties of the class to uniquely identify all of the instances of the class and its subclasses. This property is inherited from CIM_System.

CreationDate
Data type: datetime
Access type: Read-only

Date the process begins executing.

CSCreationClassName
Data type: string
Access type: Read-only

Creation class name of the scoping computer system.

CSName
Data type: string
Access type: Read-only

Name of the scoping computer system.

Description
Data type: string
Access type: Read-only

Description of an object.

ExecutablePath
Data type: string
Access type: Read-only
Qualifiers: Privileges (SeDebugPrivilege)

Path to the executable file of the process.

Example: "C:\WINDOWS\EXPLORER.EXE"

ExecutionState
Data type: uint16
Access type: Read-only

This property is not implemented and does not get populated for any instance of this class. This property is always NULL.

Handle
Data type: string
Access type: Read-only
Qualifiers: Key

Process identifier.

HandleCount
Data type: uint32
Access type: Read-only

Total number of open handles owned by the process. HandleCount is the sum of the handles currently open by each thread in this process. A handle is used to examine or modify the system resources. Each handle has an entry in a table that is maintained internally. Entries contain the addresses of the resources and data to identify the resource type.

InstallDate
Data type: datetime
Access type: Read-only

Date an object is installed. The object may be installed without a value being written to this property.

KernelModeTime
Data type: uint64
Access type: Read-only
Qualifiers: Units ("Milliseconds")

Time in kernel mode, in 100 nanosecond units. If this information is not available, use a value of 0 (zero).

For more information about using uint64 values in scripts, see Scripting in WMI.

MaximumWorkingSetSize
Data type: uint32
Access type: Read-only
Qualifiers: Privileges (SeDebugPrivilege), Units (Kilobytes)

Maximum working set size of the process. The working set of a process is the set of memory pages visible to the process in physical RAM. These pages are resident, and available for an application to use without triggering a page fault.

Example: 1413120

MinimumWorkingSetSize
Data type: uint32
Access type: Read-only
Qualifiers: Privileges (SeDebugPrivilege), Units (Kilobytes)

Minimum working set size of the process. The working set of a process is the set of memory pages visible to the process in physical RAM. These pages are resident and available for an application to use without triggering a page fault.

Example: 20480

Name
Data type: string
Access type: Read-only

Label for an object. When inherited by a subclass, the property can be overridden to be a key property.

OSCreationClassName
Data type: string
Access type: Read-only

Creation class name of the scoping operating system.

OSName
Data type: string
Access type: Read-only

Name of the scoping operating system.

OtherOperationCount
Data type: uint64
Access type: Read-only

Number of I/O operations performed that are not read or write operations.

For more information about using uint64 values in scripts, see Scripting in WMI.

OtherTransferCount
Data type: uint64
Access type: Read-only
Qualifiers: Units (Bytes)

Amount of data transferred during operations that are not read or write operations.

For more information about using uint64 values in scripts, see Scripting in WMI.

PageFaults
Data type: uint32
Access type: Read-only

Number of page faults that a process generates.

Example: 10

PageFileUsage
Data type: uint32
Access type: Read-only
Qualifiers: Units (Kilobytes)

Amount of page file space that a process is using currently. This value is consistent with the VMSize value in TaskMgr.exe.

Example: 102435

ParentProcessId
Data type: uint32
Access type: Read-only

Unique identifier of the process that creates a process. Process identifier numbers are reused, so they only identify a process for the lifetime of that process. It is possible that the process identified by ParentProcessId is terminated, so ParentProcessId may not refer to a running process. It is also possible that ParentProcessId incorrectly refers to a process that reuses a process identifier. You can use the CreationDate property to determine whether the specified parent was created after the process represented by this Win32_Process instance was created.

PeakPageFileUsage
Data type: uint32
Access type: Read-only
Qualifiers: Units (Kilobytes)

Maximum amount of page file space used during the life of a process.

Example: 102367

PeakVirtualSize
Data type: uint64
Access type: Read-only
Qualifiers: Units (Bytes)

Maximum virtual address space a process uses at any one time. Using virtual address space does not necessarily imply corresponding use of either disk or main memory pages. However, virtual space is finite, and by using too much the process might not be able to load libraries.

For more information about using uint64 values in scripts, see Scripting in WMI.

PeakWorkingSetSize
Data type: uint32
Access type: Read-only
Qualifiers: Units (Kilobytes)

Peak working set size of a process.

Example: 1413120

Priority
Data type: uint32
Access type: Read-only

Scheduling priority of a process within an operating system. The higher the value, the higher the priority a process receives. Priority values can range from 0 (zero), which is the lowest priority, to 31, which is the highest priority.

Example: 7

PrivatePageCount
Data type: uint64
Access type: Read-only

Current number of pages allocated that are only accessible to the process represented by this Win32_Process instance.

For more information about using uint64 values in scripts, see Scripting in WMI.

ProcessId
Data type: uint32
Access type: Read-only

Global process identifier that is used to identify a process. The value is valid from the time a process is created until it is terminated.

QuotaNonPagedPoolUsage
Data type: uint32
Access type: Read-only

Quota amount of nonpaged pool usage for a process.

Example: 15

QuotaPagedPoolUsage
Data type: uint32
Access type: Read-only

Quota amount of paged pool usage for a process.

Example: 22

QuotaPeakNonPagedPoolUsage
Data type: uint32
Access type: Read-only

Peak quota amount of nonpaged pool usage for a process.

Example: 31

QuotaPeakPagedPoolUsage
Data type: uint32
Access type: Read-only

Peak quota amount of paged pool usage for a process.

Example: 31

ReadOperationCount
Data type: uint64
Access type: Read-only

Number of read operations performed.

For more information about using uint64 values in scripts, see Scripting in WMI.

ReadTransferCount
Data type: uint64
Access type: Read-only
Qualifiers: Units (Bytes)

Amount of data read.

For more information about using uint64 values in scripts, see Scripting in WMI.

SessionId
Data type: uint32
Access type: Read-only

Unique identifier that an operating system generates when a session is created. A session spans a period of time from logon until logoff from a specific system.

Status
Data type: string
Access type: Read-only
Qualifiers: MaxLen (10)

This property is not implemented and does not get populated for any instance of this class. It is always NULL.

TerminationDate
Data type: datetime
Access type: Read-only

Date that the process was stopped or terminated. To get the termination time, a handle to the process must be held open. Otherwise, this property returns NULL.

ThreadCount
Data type: uint32
Access type: Read-only

Number of active threads in a process. An instruction is the basic unit of execution in a processor, and a thread is the object that executes an instruction. Each running process has at least one thread.

UserModeTime
Data type: uint64
Access type: Read-only
Qualifiers: Units ("Milliseconds")

Time in user mode, in 100 nanosecond units. If this information is not available, use a value of 0 (zero).

For more information about using uint64 values in scripts, see Scripting in WMI.

VirtualSize
Data type: uint64
Access type: Read-only
Qualifiers: Units (Bytes)

Current size of the virtual address space that a process is using, not the physical or virtual memory actually used by the process. Using virtual address space does not necessarily imply corresponding use of either disk or main memory pages. Virtual space is finite, and by using too much, the process might not be able to load libraries. This value is consistent with what you see in Perfmon.exe.

For more information about using uint64 values in scripts, see Scripting in WMI.

WindowsVersion
Data type: string
Access type: Read-only

Version of Windows in which the process is running.

Example: 4.0

WorkingSetSize
Data type: uint64
Access type: Read-only
Qualifiers: Units ("Bytes")

Amount of memory in bytes that a process needs to execute efficiently—for an operating system that uses page-based memory management. If the system does not have enough memory (less than the working set size), thrashing occurs. If the size of the working set is not known, use NULL or 0 (zero). If working set data is provided, you can monitor the information to understand the changing memory requirements of a process.

For more information about using uint64 values in scripts, see Scripting in WMI.

WriteOperationCount
Data type: uint64
Access type: Read-only

Number of write operations performed.

For more information about using uint64 values in scripts, see Scripting in WMI.

WriteTransferCount
Data type: uint64
Access type: Read-only
Qualifiers: Units (Bytes)

Amount of data written.

For more information about using uint64 values in scripts, see Scripting in WMI.

Remarks

The Win32_Process class is derived from CIM_Process. The calling process that uses this class must have the SE_RESTORE_NAME privilege on the computer in which the registry resides. For more information, see Executing Privileged Operations.

You can create an instance of the Win32_ProcessStartup class to configure the process.

You can monitor process performance with the Win32_PerfFormattedData_PerfProc_Process class and a WMI refresher object, such as SWbemRefresher. For more information, see Monitoring Performance Data.

Examples

For script code examples, see WMI Tasks for Scripts and Applications and the TechNet ScriptCenter Script Repository.

For C++ code examples, see WMI C++ Application Examples.

The following VBScript code example shows how to obtain the owner of each process on a local computer. To obtain data from a remote computer instead (for example, to determine which users have processes running on a terminal server), substitute the name of the remote computer for "." in the first line. You must also be an administrator on the remote machine.


strComputer = "."
' Connect to the root\cimv2 namespace, impersonating the caller
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")

Set colProcesses = objWMIService.ExecQuery( _
    "select * from win32_process" )
For Each objProcess in colProcesses
    ' Keep the return code so the failure branch can report it
    Rtn = objProcess.GetOwner( User, Domain )
    If Rtn = 0 Then
          Wscript.Echo "Process " & _
              objProcess.Caption & _
              " belongs to " & Domain & _
              "\" & User
    Else
          Wscript.Echo "Problem " & Rtn & _
              " getting the owner for process " _
              & objProcess.Caption
    End If
Next

The following VBScript code example shows how to obtain the logon session associated with a running process. A process must be running Notepad.exe before the script starts. The example locates the instances of Win32_LogonSession associated with the Win32_Process that represents Notepad.exe. Win32_SessionProcess is specified as the association class. For more information, see ASSOCIATORS OF Statement.

On Error Resume Next
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & "." & "\root\cimv2")
' Find every running instance of Notepad.exe
Set colProcesses = objWMIService.ExecQuery( _
    "Select * from Win32_Process " _
    & "Where Name = 'Notepad.exe'")
For Each objProcess in colProcesses
    ProcessId = objProcess.ProcessId
    ' Follow the Win32_SessionProcess association to the logon session.
    ' 48 = wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32)
    Set colLogonSessions = objWMIService.ExecQuery _
        ("Associators of {Win32_Process='" _
        & ProcessId & "'} Where" _
        & " Resultclass = Win32_LogonSession" _
        & " Assocclass = Win32_SessionProcess", "WQL", 48)
    If Err <> 0 Then
        WScript.Echo "Error on associators query= " _
            & Err.number _
            & " " & Err.Description
        WScript.Quit
    End If
    For Each LogonSession in colLogonSessions
        Wscript.Echo " Logon id is " & LogonSession.LogonId
    Next
Next
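
The ParentProcessId description above warns that process identifiers are reused, so the recorded parent may have exited or may be an unrelated process, and that CreationDate can be compared to tell. The following Python code is an added example, not part of the original documentation: it assumes Win32_Process records exported as dictionaries with CreationDate in raw CIM datetime string form, and the snapshot, function names and verdict labels are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def parse_cim_datetime(value):
    """Parse a CIM datetime string, yyyymmddHHMMSS.mmmmmmsUUU (s = sign, UUU = UTC offset in minutes)."""
    local = datetime.strptime(value[:21], "%Y%m%d%H%M%S.%f")
    minutes = int(value[22:25]) * (-1 if value[21] == "-" else 1)
    return local.replace(tzinfo=timezone(timedelta(minutes=minutes)))

def classify_parents(processes):
    """Map each ProcessId to a verdict on whether ParentProcessId can name its real creator."""
    by_pid = {p["ProcessId"]: p for p in processes}
    verdicts = {}
    for proc in processes:
        parent = by_pid.get(proc["ParentProcessId"])
        if parent is None:
            verdict = "parent_exited"   # PPID does not refer to a running process
        elif parent is proc or not (parent["CreationDate"] and proc["CreationDate"]):
            verdict = "unknown"         # self-reference, or no timestamp to compare
        elif (parse_cim_datetime(parent["CreationDate"])
              > parse_cim_datetime(proc["CreationDate"])):
            verdict = "pid_reused"      # the "parent" was created after the child
        else:
            verdict = "consistent"      # parent predates child; necessary, not proof
        verdicts[proc["ProcessId"]] = verdict
    return verdicts

# Constructed snapshot (not real data), limited to the properties the check needs.
SNAPSHOT = [
    {"ProcessId": 0, "ParentProcessId": 0, "Name": "System Idle Process",
     "CreationDate": None},
    {"ProcessId": 4, "ParentProcessId": 0, "Name": "System",
     "CreationDate": "20140312080000.000000+060"},
    {"ProcessId": 612, "ParentProcessId": 500, "Name": "services.exe",
     "CreationDate": "20140312080005.250000+060"},
    {"ProcessId": 2040, "ParentProcessId": 612, "Name": "svchost.exe",
     "CreationDate": "20140312080020.000000+060"},
    {"ProcessId": 5120, "ParentProcessId": 612, "Name": "cmd.exe",
     "CreationDate": "20140312103000.000000+060"},
    {"ProcessId": 3100, "ParentProcessId": 5120, "Name": "notepad.exe",
     "CreationDate": "20140312091500.000000+060"},
]

if __name__ == "__main__":
    names = {p["ProcessId"]: p["Name"] for p in SNAPSHOT}
    for pid, verdict in classify_parents(SNAPSHOT).items():
        print(f"{pid:>5} {names[pid]:<20} {verdict}")
```

Process trees built for triage should only draw a parent edge for the "consistent" verdict; the timestamps are parsed rather than compared as strings so that differing UTC offsets do not invert the ordering.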

Requirements

Minimum supported client   Windows XP
Minimum supported server   Windows Server 2003
Namespace                  \root\CIMV2
MOF                        CIMWin32.mof
DLL                        CIMWin32.dll

See also

Operating System Classes

© 2014 Microsoft. All rights reserved.