Finding a process owner using PowerShell

The get-process cmdlet can be used to view processes. It works remotely too via the -ComputerName switch and for Unix aficionados there’s a handy ps alias. So it’s very easy to do something like the below to list all “explorer.exe” process on a remote computer “mango”.

Get-Process -ComputerName mango -Name explorer

1	Get-Process -ComputerName mango -Name explorer

The problem arises when you want to find the owner of such processes. Oddly enough the process objects returned by get-process don’t have a property or method to find the owner info so we have to resort to WMI to find that. Specifically, the WMI class Process.

Reformulating the above example in terms of WMI, we have the following:

Get-WmiObject Win32_Process -ComputerName mango | ?{ $_.ProcessName -match "explorer" }

1	Get-WmiObject Win32_Process -ComputerName mango \| ?{ $_.ProcessName -match "explorer" }

The output returned via WMI looks different compared to the output returned via get-process. If you pipe this output through the get-member cmdlet you’ll see there’s a method that lets you get the process owner.

PS> Get-WmiObject Win32_Process -ComputerName mango | ?{ $_.ProcessName -match "explorer" } | get-member

   TypeName: System.Management.ManagementObject#rootcimv2Win32_Process

Name                       MemberType     Definition
----                       ----------     ----------
Handles                    AliasProperty  Handles = Handlecount
ProcessName                AliasProperty  ProcessName = Name
PSComputerName             AliasProperty  PSComputerName = __SERVER
VM                         AliasProperty  VM = VirtualSize
WS                         AliasProperty  WS = WorkingSetSize
AttachDebugger             Method         System.Management.ManagementBaseObject AttachDebugger()
GetOwner                   Method         System.Management.ManagementBaseObject GetOwner()
GetOwnerSid                Method         System.Management.ManagementBaseObject GetOwnerSid()
...

PS> Get-WmiObject Win32_Process -ComputerName mango | ?{ $_.ProcessName -match "explorer" } | get-member

TypeName: System.Management.ManagementObject#rootcimv2Win32_Process

Name MemberType Definition

---- ---------- ----------

Handles AliasProperty Handles = Handlecount

ProcessName AliasProperty ProcessName = Name

PSComputerName AliasProperty PSComputerName = __SERVER

VM AliasProperty VM = VirtualSize

WS AliasProperty WS = WorkingSetSize

AttachDebugger Method System.Management.ManagementBaseObject AttachDebugger()

GetOwner Method System.Management.ManagementBaseObject GetOwner()

GetOwnerSid Method System.Management.ManagementBaseObject GetOwnerSid()

...

The GetOwner method is what we are interested in. Invoke it thus:

PS> (Get-WmiObject Win32_Process -ComputerName mango | ?{ $_.ProcessName -match "explorer" }).GetOwner()

__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     :
__DYNASTY        : __PARAMETERS
__RELPATH        :
__PROPERTY_COUNT : 3
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
Domain           : MANGO
ReturnValue      : 0
User             : rakhesh
PSComputerName   :

PS> (Get-WmiObject Win32_Process -ComputerName mango | ?{ $_.ProcessName -match "explorer" }).GetOwner()

__GENUS : 2

__CLASS : __PARAMETERS

__SUPERCLASS :

__DYNASTY : __PARAMETERS

__RELPATH :

__PROPERTY_COUNT : 3

__DERIVATION : {}

__SERVER :

__NAMESPACE :

__PATH :

Domain : MANGO

ReturnValue : 0

User : rakhesh

PSComputerName :

The method returns a list of properties, of which the User property is what we are after. So here’s how we extract just that in a one-liner.

PS> (Get-WmiObject Win32_Process | ?{ $_.ProcessName -match "explorer" }).GetOwner().User
rakhesh

1 2	PS> (Get-WmiObject Win32_Process \| ?{ $_.ProcessName -match "explorer" }).GetOwner().User rakhesh