Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
791 views
in Technique by (71.8m points)

wmi - Querying process by CommandLine

I'm trying to do the following query in WMI:

SELECT ProcessID from Win32_Process where CommandLine='C:\Windows\system32\calc.exe'

But I got an "Invalid query" error. I also tried with:

SELECT ProcessID from Win32_Process where CommandLine='C:\\Windows\\system32\\calc.exe'

And still get the same error. I also tried changing the single quotes to double quotes, but it didn't work.

Does anybody know if it's possible to do that query?


1 Answer

0 votes
by (71.8m points)

Yes and No. It depends on how calc.exe is spawned. For instance, when I type calc into a cmd.exe window, my calc gets a command line of 'calc'. When I type calc into a powershell.exe console, it gets a full path. The Win32_Process 'CommandLine' variable is not reliable IMO. Here are some differing results to prove my point.

Name                            ProcessId CommandLine
cmd.exe                              4028 C:\Windows\system32\cmd.exe  /K set
calc.exe                             2580 "C:\Windows\system32\calc.exe"
notepad.exe                          3612 "C:\Windows\system32\notepad.exe"
cmd.exe                              2864 "C:\Windows\system32\cmd.exe"
conhost.exe                           480 \??\C:\Windows\system32\conhost.exe
WMIC.exe                             3596 wmic
WmiPrvSE.exe                         2272 C:\Windows\system32\wbem\wmiprvse.exe
cmd.exe                              2296 "C:\Windows\system32\cmd.exe"
conhost.exe                          3708 \??\C:\Windows\system32\conhost.exe
notepad.exe                          1284 "C:\Windows\system32\notepad.exe"
calc.exe                             1736 calc
powershell.exe                       3136 "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"

So to make it work you will need an OR clause in your SQL statement, matching 'calc' or "C:\Windows\system32\calc.exe".

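The OR query the answer describes, written out as an added example (this is not code from the question or the answer above). Two details decide whether the query is accepted and whether it matches: WQL uses the backslash as its escape character inside string literals, so every backslash in a Windows path has to be doubled, and the value stored in CommandLine keeps whatever quoting the launcher used, so the full-path form in the listing above is matched only with its surrounding double quotes included. The helper name ConvertTo-WqlLiteral is an assumption made for this example; Get-CimInstance, Win32_Process, CommandLine, ExecutablePath and Name are the real cmdlet, class and property names.

```powershell
# Added example: build the OR query from the answer with correctly escaped
# WQL string literals, run it, and cross-check against properties that do
# not depend on how the process was launched.

function ConvertTo-WqlLiteral {
    # Hypothetical helper (not part of PowerShell or WMI). Quotes a value as
    # a WQL string literal: WQL treats a lone backslash as an escape, so a
    # path like C:\Windows\calc.exe must be written 'C:\\Windows\\calc.exe';
    # an embedded single quote is written \'.
    param([Parameter(Mandatory)][string]$Value)
    "'" + ($Value -replace '\\', '\\' -replace "'", "\'") + "'"
}

# The two CommandLine values seen in the listing above: a bare 'calc' when
# started from cmd.exe, and a double-quoted full path when started from
# PowerShell. The quotes are part of the stored value and must be matched.
$candidates = @(
    'calc',
    '"C:\Windows\system32\calc.exe"'
)

$where = ($candidates | ForEach-Object { "CommandLine = $(ConvertTo-WqlLiteral $_)" }) -join ' OR '
$query = "SELECT ProcessId, Name, CommandLine, ExecutablePath FROM Win32_Process WHERE $where"

# Show the generated WQL so the doubled backslashes are visible, then run it.
$query
Get-CimInstance -Query $query | Select-Object ProcessId, Name, CommandLine

# A looser variant that tolerates different casing and extra arguments:
# WQL LIKE uses % as the wildcard, and the backslash still has to be doubled.
Get-CimInstance -Query "SELECT ProcessId, Name, CommandLine FROM Win32_Process WHERE CommandLine = 'calc' OR CommandLine LIKE '%\\calc.exe%'" |
    Select-Object ProcessId, Name, CommandLine

# Cross-check: Name and ExecutablePath describe the image that was actually
# mapped, whereas CommandLine is whatever the launcher (or the process itself,
# which owns the buffer it lives in) put there. For an inventory or a
# detection, filter on these and treat CommandLine as supporting context.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'calc.exe'" |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine
```

The first query returns exactly the two calc.exe processes from the answer's listing (PIDs 2580 and 1736 in that run) and nothing else; the LIKE form also picks up a calc.exe started with arguments or from a differently cased path. Keep the -Filter form for anything that has to be robust: a process can rewrite its own command line after start-up, but it cannot change which image the kernel mapped.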