From 1cac3f7df5a4a4aff2f230eb53d1d733d72d4ea9 Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Tue, 15 Apr 2025 06:59:30 -0700 Subject: [PATCH 1/2] Fix typo (#12006) --- .../Microsoft.PowerShell.Security/Set-ExecutionPolicy.md | 6 +++--- .../Microsoft.PowerShell.Security/Set-ExecutionPolicy.md | 9 +++++---- .../Microsoft.PowerShell.Security/Set-ExecutionPolicy.md | 4 ++-- .../Microsoft.PowerShell.Security/Set-ExecutionPolicy.md | 7 ++++--- 4 files changed, 14 insertions(+), 12 deletions(-) diff --git a/reference/5.1/Microsoft.PowerShell.Security/Set-ExecutionPolicy.md b/reference/5.1/Microsoft.PowerShell.Security/Set-ExecutionPolicy.md index 174d41e53691..ccdb1928542f 100644 --- a/reference/5.1/Microsoft.PowerShell.Security/Set-ExecutionPolicy.md +++ b/reference/5.1/Microsoft.PowerShell.Security/Set-ExecutionPolicy.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Security.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Security -ms.date: 03/04/2024 +ms.date: 04/15/2025 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-5.1&WT.mc_id=ps-gethelp schema: 2.0.0 title: Set-ExecutionPolicy @@ -140,7 +140,7 @@ The effective execution policy for the user becomes `AllSigned`. ### Example 5: Remove the execution policy for the current user -This example shows how use the `Undefined` execution policy to remove an execution policy for a +This example shows how to use the `Undefined` execution policy to remove an execution policy for a specified scope. ```powershell @@ -231,7 +231,7 @@ policy. The policy is set for the default scope, `LocalMachine`. The `Get-ExecutionPolicy` cmdlet shows that `RemoteSigned` is the effective execution policy for the current PowerShell session. -The `Start-ActivityTracker.ps1 script is executed from the current directory. The script is blocked +The `Start-ActivityTracker.ps1` script is executed from the current directory. The script is blocked by `RemoteSigned` because the script isn't digitally signed. For this example, the script's code was reviewed and verified as safe to run. The `Unblock-File` diff --git a/reference/7.4/Microsoft.PowerShell.Security/Set-ExecutionPolicy.md b/reference/7.4/Microsoft.PowerShell.Security/Set-ExecutionPolicy.md index 2806ab25cb68..4a9295aa98a1 100644 --- a/reference/7.4/Microsoft.PowerShell.Security/Set-ExecutionPolicy.md +++ b/reference/7.4/Microsoft.PowerShell.Security/Set-ExecutionPolicy.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Security.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Security -ms.date: 03/04/2024 +ms.date: 04/15/2025 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4&WT.mc_id=ps-gethelp schema: 2.0.0 title: Set-ExecutionPolicy @@ -25,7 +25,8 @@ Set-ExecutionPolicy [-ExecutionPolicy] [[-Scope] [[-Scope] Date: Tue, 15 Apr 2025 22:36:41 +0100 Subject: [PATCH 2/2] `Get-Process` fixes and refresh (#12007) * Fix process default display column list VM(M) was removed prior to Windows PowerShell v5.1. Handles was removed in v6.0. See: https://github.com/PowerShell/PowerShell/issues/1812 * Add module definition to Get-Process description * Add CIM alternative to Get-Process Example 8 This adds a Get-CimInstance/Invoke-CimMethod example as an alternative approach to Get-Process -IncludeUserName. It replaces the obsolete Get-WmiObject example that was present in the Windows PowerShell v5.1 doc. This also removes the incorrect assertion in the v7.x docs that -IncludeUserName requires elevation outright. That is only true for v5.1. * Improve Get-Process Ex 4 Priority grouping The Priority table view for Diagnostics.Process groups on the PriorityClass property. Format-Table expects input to already be sorted, but the original example used unsorted data, rendering it fairly unhelpful. This adds a call to Sort-Object and sorts on PriorityClass before calling Format-Table. This ensures all processes are correctly grouped by the Priority view. A script block is used in lieu of the property name directly, as the latter surfaces getter exceptions as a non-terminating error. This will occur with, e.g., PPL processes in Windows (even when elevated). Reference to PS home directory .ps1xml files is also removed from the v7.x docs. Format definitions were moved directly into source code in v6+. As a Format-* cmdlet is used, the term "display" is used to emphasize output is not intended for further processing. * Add concise alternative to Get-Process Example 3 * Refresh Get-Process style/formatting and examples This fixes incorrect markdown formatting and adds link references. This also ensures Get-Process output examples correctly reflect the PS version targeted by the doc. E.g., Windows PS v5.1 includes Handles in its default table view. This was removed in PS v6.0. See PS issue 1812. Windows PS v5.1 uses (K) in its table view; PS v6.0+ uses (M). Named parameters are added where appropriate. Minor verbiage changes and added notes have also been made. * Add warning about Get-Process in a 32-bit PS host * Remove link references * Fix links * Editorial changes and fix link issue --------- Co-authored-by: Sean Wheeler --- .../Get-Process.md | 334 ++++++++++-------- .../Get-Process.md | 295 +++++++++------- .../Get-Process.md | 294 ++++++++------- .../Get-Process.md | 294 ++++++++------- 4 files changed, 683 insertions(+), 534 deletions(-) diff --git a/reference/5.1/Microsoft.PowerShell.Management/Get-Process.md b/reference/5.1/Microsoft.PowerShell.Management/Get-Process.md index a2ec0d204405..a695cc559e54 100644 --- a/reference/5.1/Microsoft.PowerShell.Management/Get-Process.md +++ b/reference/5.1/Microsoft.PowerShell.Management/Get-Process.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Commands.Management.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Management -ms.date: 07/03/2023 +ms.date: 04/15/2025 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.management/get-process?view=powershell-5.1&WT.mc_id=ps-gethelp schema: 2.0.0 title: Get-Process @@ -58,130 +58,151 @@ Get-Process -InputObject [-ComputerName ] [-Module] [-File The `Get-Process` cmdlet gets the processes on a local or remote computer. -Without parameters, this cmdlet gets all of the processes on the local computer. You can also -specify a particular process by process name or process ID (PID) or pass a process object through -the pipeline to this cmdlet. +Without parameters, this cmdlet gets all processes on the local computer. You can also specify a +specific process by process name or process ID (PID), or by piping a **System.Diagnostics.Process** +object to this cmdlet. -By default, this cmdlet returns a process object that has detailed information about the process and -supports methods that let you start and stop the process. You can also use the parameters of the -`Get-Process` cmdlet to get file version information for the program that runs in the process and to -get the modules that the process loaded. +By default, this cmdlet returns a **Process** object that has detailed information about the process +and supports methods that let you control it. With parameters, you can change the type of +information returned by this cmdlet. + +- **Module**: Retrieve information for each module loaded into the process. +- **FileVersionInfo**: Retrieve file version information for the main module of the process. + +> [!NOTE] +> A module is an executable file or a dynamic link library (DLL) loaded into a process. A process +> has one or more modules. The main module is the module used to initially start the process. For +> more information, see [ProcessModule Class](/dotnet/api/system.diagnostics.processmodule). ## EXAMPLES -### Example 1: Get a list of all active processes on the local computer +### Example 1: Get a list of all running processes on the local computer ```powershell Get-Process ``` -This command gets a list of all active processes running on the local computer. For a definition of -each column, see the [Notes](#notes) section. +This command gets a list of all running processes on the local computer. For a definition of each +display column, see the [NOTES](#notes) section. -### Example 2: Get all available data about one or more processes +To see all properties of a **Process** object, use `Get-Process | Get-Member`. By default, +PowerShell displays certain property values using units such as kilobytes (K) and megabytes (M). The +actual values when accessed with the member-access operator (`.`) are in bytes. + +### Example 2: Display detailed information about one or more processes ```powershell Get-Process winword, explorer | Format-List * ``` -This command gets all available data about the Winword and Explorer processes on the computer. It -uses the **Name** parameter to specify the processes, but it omits the optional parameter name. The -pipeline operator (`|`) passes the data to the `Format-List` cmdlet, which displays all available -properties (`*`) of the Winword and Explorer process objects. +This pipeline displays detailed information about the `winword` and `explorer` processes on the +computer. It uses the **Name** parameter to specify the processes, but it omits the optional +parameter name. The pipeline operator (`|`) pipes **Process** objects to the `Format-List` +cmdlet, which displays all available properties (`*`) and their values for each object. You can also identify the processes by their process IDs. For instance, `Get-Process -Id 664, 2060`. ### Example 3: Get all processes with a working set greater than a specified size ```powershell -Get-Process | Where-Object {$_.WorkingSet -gt 20000000} +Get-Process | Where-Object { $_.WorkingSet -gt 20971520 } +Get-Process | Where-Object WorkingSet -GT 20MB ``` -This command gets all processes that have a working set greater than 20 MB. It uses the -`Get-Process` cmdlet to get all running processes. The pipeline operator (`|`) passes the process -objects to the `Where-Object` cmdlet, which selects only the object with a value greater than -20,000,000 bytes for the **WorkingSet** property. +The `Get-Process` cmdlet returns the running processes. The output is piped to the `Where-Object` +cmdlet, which selects the objects with a **WorkingSet** value greater than 20,971,520 bytes. -**WorkingSet** is one of many properties of process objects. To see all of the properties, type -`Get-Process | Get-Member`. By default, the values of all amount properties are in bytes, even -though the default display lists them in kilobytes and megabytes. +In the first example, `Where-Object` uses a scriptblock to compare the **WorkingSet** property of +each **Process** object. In the second example, the `Where-Object` cmdlet uses the simplified syntax +to compare the **WorkingSet** property. In this case, `-GT` is a parameter, not a comparison +operator. The second example also uses a +[numeric literal suffix](../Microsoft.PowerShell.Core/About/about_Numeric_Literals.md) as a concise +alternative to `20971520`. In PowerShell, `MB` represents a mebibyte (MiB) multiplier. `20MB` is +equal to 20,971,520 bytes. -### Example 4: List processes on the computer in groups based on priority +### Example 4: Display processes on the computer in groups based on priority ```powershell -$A = Get-Process -$A | Get-Process | Format-Table -View Priority +$processes = Get-Process +$processes | Sort-Object { $_.PriorityClass } | Format-Table -View Priority ``` -These commands list the processes on the computer in groups based on their priority class. The first -command gets all the processes on the computer and then stores them in the `$A` variable. +These commands display processes on the computer in groups based on their +[priority class](/dotnet/api/system.diagnostics.processpriorityclass). The first command gets all +processes on the computer and stores them in the `$processes` variable. -The second command pipes the **Process** object stored in the `$A` variable to the `Get-Process` -cmdlet, then to the `Format-Table` cmdlet, which formats the processes by using the **Priority** -view. +The second command pipes the **Process** objects stored in the `$processes` variable to the +`Sort-Object` cmdlet, then to the `Format-Table` cmdlet, which formats the processes using the +**Priority** view. -The **Priority** view, and other views, are defined in the PS1XML format files in the PowerShell +The **Priority** view, and other views, are defined in the `.ps1xml` format files in the PowerShell home directory (`$PSHOME`). -### Example 5: Add a property to the standard Get-Process output display +### Example 5: Add a property to the default `Get-Process` output display ```powershell -Get-Process powershell | Format-Table ` - @{Label = "NPM(K)"; Expression = {[int]($_.NPM / 1024)}}, - @{Label = "PM(K)"; Expression = {[int]($_.PM / 1024)}}, - @{Label = "WS(K)"; Expression = {[int]($_.WS / 1024)}}, - @{Label = "VM(M)"; Expression = {[int]($_.VM / 1MB)}}, - @{Label = "CPU(s)"; Expression = {if ($_.CPU) {$_.CPU.ToString("N")}}}, - Id, ProcessName, StartTime -AutoSize +Get-Process -Name powershell | Format-Table -Property @( + 'Handles' + @{ Name = 'NPM(K)'; Expression = { [int] ($_.NPM / 1KB) } } + @{ Name = 'PM(K)'; Expression = { [int] ($_.PM / 1KB) } } + @{ Name = 'WS(K)'; Expression = { [int] ($_.WS / 1KB) } } + @{ Name = 'CPU(s)'; Expression = { if ($_.CPU) { $_.CPU.ToString('N') } } } + 'Id' + @{ Name = 'SI'; Expression = 'SessionId' } + 'ProcessName' + 'StartTime' +) -AutoSize ``` ```Output -NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName StartTime ------- ----- ----- ----- ------ -- ----------- --------- - 143 239540 259384 2366162 22.73 12720 powershell 12/5/2022 3:21:51 PM - 114 61776 104588 2366127 11.45 18336 powershell 12/5/2022 7:30:53 AM - 156 77924 82060 2366185 10.47 18812 powershell 12/5/2022 7:30:52 AM - 85 48216 115192 2366074 1.14 24428 powershell 12/8/2022 9:14:15 AM +Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName StartTime +------- ------ ----- ----- ------ -- -- ----------- --------- + 655 34 69424 83424 2.20 4240 1 powershell 4/14/2025 10:40:10 AM + 572 36 68768 57260 7.41 4968 1 powershell 4/13/2025 3:33:50 PM + 405 26 38144 30340 1.80 8776 1 powershell 4/14/2025 9:54:27 AM ``` -This example retrieves processes from the local computer. The retrieved processes are piped to the -`Format-Table` command that adds the **StartTime** property to the standard `Get-Process` output -display. +This example retrieves processes from the local computer and pipes each **Process** object to the +`Format-Table` cmdlet. `Format-Table` recreates the default output display of a **Process** object +using a mixture of property names and +[calculated properties](../Microsoft.PowerShell.Core/About/about_Calculated_Properties.md). The +display includes an additional **StartTime** property not present in the default display. ### Example 6: Get version information for a process ```powershell -Get-Process powershell -FileVersionInfo +Get-Process -Name powershell -FileVersionInfo ``` ```Output ProductVersion FileVersion FileName -------------- ----------- -------- -6.1.6713.1 6.1.6713.1 (f... C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe +10.0.19041.320 10.0.19041.32... C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ``` -This command uses the **FileVersionInfo** parameter to get the version information for the -`powershell.exe` file that is the main module for the PowerShell process. +This command uses the **FileVersionInfo** parameter to get file version information for the main +module of the `powershell` process. The main module is the file used to start the process, which +in this case is `powershell.exe`. -To run this command with processes that you do not own on Windows Vista and later versions of -Windows, you must open PowerShell with the **Run as administrator** option. +To use this command with processes that you don't own on Windows Vista and later versions of +Windows, you must run PowerShell with elevated user rights (**Run as administrator**). ### Example 7: Get modules loaded with the specified process ```powershell -Get-Process SQL* -Module +Get-Process -Name SQL* -Module ``` -This command uses the **Module** parameter to get the modules that have been loaded by the process. -This command gets the modules for the processes that have names that begin with `SQL`. +This command uses the **Module** parameter to get the modules loaded by all processes with a name +beginning with `SQL`. -To run this command on Windows Vista and later versions of Windows with processes that you do not -own, you must start PowerShell with the **Run as administrator** option. +To use this command with processes that you don't own on Windows Vista and later versions of +Windows, you must run PowerShell with elevated user rights (**Run as administrator**). ### Example 8: Find the owner of a process ```powershell -Get-Process pwsh -IncludeUserName +Get-Process -Name powershell -IncludeUserName ``` ```Output @@ -191,49 +212,36 @@ Handles WS(K) CPU(s) Id UserName ProcessName ``` ```powershell -$p = Get-WmiObject Win32_Process -Filter "name='powershell.exe'" -$p.GetOwner() +Get-CimInstance -ClassName Win32_Process -Filter "name='powershell.exe'" | + Invoke-CimMethod -MethodName GetOwner ``` ```Output -__GENUS : 2 -__CLASS : __PARAMETERS -__SUPERCLASS : -__DYNASTY : __PARAMETERS -__RELPATH : -__PROPERTY_COUNT : 3 -__DERIVATION : {} -__SERVER : -__NAMESPACE : -__PATH : -Domain : DOMAIN01 -ReturnValue : 0 -User : user01 -``` - -The first command shows how to find the owner of a process. The **IncludeUserName** parameter -requires elevated user rights (**Run as Administrator**). The output reveals that the owner is -`Domain01\user01`. - -The second and third command are another way to find the owner of a process. +Domain ReturnValue User PSComputerName +------ ----------- ---- -------------- +DOMAIN01 0 user01 +``` -The second command uses `Get-WmiObject` to get the PowerShell process. -It saves it in the `$p` variable. +The first command shows how to get the owner of a process. The **IncludeUserName** parameter +requires elevated user rights (**Run as Administrator**). The output reveals that the owner is +`DOMAIN01\user01`. -The third command uses the **GetOwner** method to get the owner of the process in `$p`. The output -reveals that the owner is `Domain01\user01`. +The second pipeline shows a different way to get the owner of a process using `Get-CimInstance` and +`Invoke-CimMethod`. The **Win32_Process** class with a filter retrieves `powershell` processes and +the invoked `GetOwner()` method returns information on the process's **Domain** and **User**. This +method doesn't require elevated user rights. ### Example 9: Use an automatic variable to identify the process hosting the current session ```powershell -Get-Process powershell +Get-Process -Name powershell ``` ```Output -Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName -------- ------ ----- ----- ----- ------ -- ----------- -308 26 52308 61780 567 3.18 5632 powershell -377 26 62676 63384 575 3.88 5888 powershell +Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName +------- ------ ----- ----- ------ -- -- ----------- + 561 44 47564 40740 6.48 2604 1 powershell + 642 40 72040 24372 23.53 3576 1 powershel ``` ```powershell @@ -241,44 +249,44 @@ Get-Process -Id $PID ``` ```Output -Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName -------- ------ ----- ----- ----- ------ -- ----------- -396 26 56488 57236 575 3.90 5888 powershell +Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName +------- ------ ----- ----- ------ -- -- ----------- + 647 40 72464 30716 23.67 3576 1 powershell ``` -These commands show how to use the `$PID` automatic variable to identify the process that is hosting +These commands show how to use the `$PID` automatic variable to identify the process that's hosting the current PowerShell session. You can use this method to distinguish the host process from other -PowerShell processes that you might want to stop or close. +`powershell` processes that you might want to control. -The first command gets all of the PowerShell processes in the current session. - -The second command gets the PowerShell process that is hosting the current session. +The first command gets all `powershell` processes running. The second command gets the `powershell` +process that's hosting the current session. ### Example 10: Get all processes that have a main window title and display them in a table ```powershell -Get-Process | Where-Object {$_.MainWindowTitle} | Format-Table Id, Name, MainWindowTitle -AutoSize +Get-Process | + Where-Object -Property MainWindowTitle | + Format-Table -Property Id, Name, MainWindowTitle -AutoSize ``` -This command gets all the processes that have a main window title, and it displays them in a table -with the process ID and the process name. +This pipeline gets all processes that have a main window title, and displays them in a table with +the process ID and name. -The **MainWindowTitle** property is just one of many useful properties of the **Process** object -that `Get-Process` returns. To view all of the properties, pipe the results of a `Get-Process` -command to the `Get-Member` cmdlet `Get-Process | Get-Member`. +**MainWindowTitle** is one of many useful properties of the **Diagnostics.Process** object type that +`Get-Process` returns. To view all properties, use `Get-Process | Get-Member`. ## PARAMETERS ### -ComputerName -Specifies the computers for which this cmdlet gets active processes. The default is the local +Specifies the computers for which this cmdlet gets running processes. The default is the local computer. -Type the NetBIOS name, an IP address, or a fully qualified domain name (FQDN) of one or more -computers. To specify the local computer, type the computer name, a dot (`.`), or `localhost`. +Specify the NetBIOS name, an IP address, or a fully qualified domain name (FQDN) of one or more +computers. To specify the local computer, use the computer name, a dot (`.`), or `localhost`. -This parameter does not rely on Windows PowerShell remoting. You can use the **ComputerName** -parameter of this cmdlet even if your computer is not configured to run remote commands. +This parameter doesn't rely on Windows PowerShell remoting. You can use the **ComputerName** +parameter of this cmdlet even if your computer isn't configured to run remote commands. ```yaml Type: System.String[] @@ -297,18 +305,17 @@ Accept wildcard characters: False Indicates that this cmdlet gets the file version information for the program that runs in the process. -On Windows Vista and later versions of Windows, you must open PowerShell with the **Run as -administrator** option to use this parameter on processes that you do not own. +On Windows Vista and later versions of Windows, you must run PowerShell with elevated user rights +(**Run as administrator**) to use this parameter on processes that you don't own. -You cannot use the **FileVersionInfo** and **ComputerName** parameters of the `Get-Process` -cmdlet in the same command. +You can't use the **FileVersionInfo** and **ComputerName** parameters together. To get file version information for a process on a remote computer, use the `Invoke-Command` cmdlet. -Using this parameter is equivalent to getting the **MainModule.FileVersionInfo** property of each -process object. When you use this parameter, `Get-Process` returns a **FileVersionInfo** object -**System.Diagnostics.FileVersionInfo**, not a process object. So, you cannot pipe the output of the -command to a cmdlet that expects a process object, such as `Stop-Process`. +Using this parameter is the same as accessing the **MainModule.FileVersionInfo** property of each +**Process** object. When you use this parameter, `Get-Process` returns a **FileVersionInfo** +object, not a **Process** object. You can't pipe output produced using this parameter to a cmdlet +that expects a **Process** object, such as `Stop-Process`. ```yaml Type: System.Management.Automation.SwitchParameter @@ -324,8 +331,9 @@ Accept wildcard characters: False ### -Id -Specifies one or more processes by process ID (PID). To specify multiple IDs, use commas to separate -the IDs. To find the PID of a process, type `Get-Process`. +Specifies one or more processes by process ID (PID). You can specify multiple IDs separated by +commas. To get the PID of a process, use `Get-Process`. To get the PID of the current PowerShell +session, use `$PID`. ```yaml Type: System.Int32[] @@ -341,7 +349,10 @@ Accept wildcard characters: False ### -IncludeUserName -Indicates that the UserName value of the **Process** object is returned with results of the command. +Indicates that this command adds a **UserName** property to each returned **Process** object. + +You must run PowerShell with elevated user rights (**Run as administrator**) to use this +parameter. ```yaml Type: System.Management.Automation.SwitchParameter @@ -357,7 +368,7 @@ Accept wildcard characters: False ### -InputObject -Specifies one or more process objects. Enter a variable that contains the objects, or type a command +Specifies one or more **Process** objects. Use a variable that contains the objects, or a command or expression that gets the objects. ```yaml @@ -374,21 +385,20 @@ Accept wildcard characters: False ### -Module -Indicates that this cmdlet gets the modules that have been loaded by the processes. +Indicates that this cmdlet gets the modules that the process has loaded. -On Windows Vista and later versions of Windows, you must open PowerShell with the **Run as -administrator** option to use this parameter on processes that you do not own. +On Windows Vista and later versions of Windows, you must run PowerShell with elevated user rights +(**Run as administrator**) to use this parameter on processes that you don't own. -To get the modules that have been loaded by a process on a remote computer, use the `Invoke-Command` -cmdlet. +To get the modules loaded by a process on a remote computer, use the `Invoke-Command` cmdlet. -This parameter is equivalent to getting the **Modules** property of each process object. When you -use this parameter, this cmdlet returns a **ProcessModule** object -**System.Diagnostics.ProcessModule**, not a process object. So, you cannot pipe the output of the -command to a cmdlet that expects a process object, such as `Stop-Process`. +Using this parameter is the same as accessing the **Modules** property of each **Process** object. +When you use this parameter, `Get-Process` returns a **ProcessModule** object, not a **Process** +object. You can't pipe output produced using this parameter to a cmdlet that expects a **Process** +object, such as `Stop-Process`. -When you use both the *Module* and **FileVersionInfo** parameters in the same command, this cmdlet -returns a **FileVersionInfo** object with information about the file version of all modules. +When you use both the **Module** and **FileVersionInfo** parameters together, this cmdlet returns a +**FileVersionInfo** object with information about the file version of all modules. ```yaml Type: System.Management.Automation.SwitchParameter @@ -404,8 +414,8 @@ Accept wildcard characters: False ### -Name -Specifies one or more processes by process name. You can type multiple process names (separated by -commas) and use wildcard characters. The parameter name (`Name`) is optional. +Specifies one or more processes by process name. You can specify multiple process names separated by +commas and use wildcard characters. Using the `-Name` parameter is optional. ```yaml Type: System.String[] @@ -430,7 +440,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ### System.Diagnostics.Process -You can pipe a process object to this cmdlet. +You can pipe **Process** objects to this cmdlet. ## OUTPUTS @@ -440,12 +450,13 @@ By default, this cmdlet returns a **System.Diagnostics.Process** object. ### System.Diagnostics.FileVersionInfo -If you use the **FileVersionInfo** parameter, this cmdlet returns a **FileVersionInfo** object. +If you use the **FileVersionInfo** parameter, this cmdlet returns a +**System.Diagnostics.FileVersionInfo** object. ### System.Diagnostics.ProcessModule - If you use the **Module** parameter, without the **FileVersionInfo** parameter, this cmdlet returns -a **ProcessModule** object. +If you use the **Module** parameter, without the **FileVersionInfo** parameter, this cmdlet returns +a **System.Diagnostics.ProcessModule** object. ## NOTES @@ -454,34 +465,43 @@ Windows PowerShell includes the following aliases for `Get-Process`: - `gps` - `ps` -On computers that are running a 64-bit version of Windows, the 64-bit version of PowerShell gets -only 64-bit process modules and the 32-bit version of PowerShell gets only 32-bit process modules. +On computers running 64-bit Windows, the 64-bit version of PowerShell gets the main module and +64-bit process modules. The 32-bit version of PowerShell gets only 32-bit process modules. + +> [!WARNING] +> When you use `Get-Process` to get a 64-bit process in the 32-bit version of PowerShell, properties +> such as `Path` and `MainModule` of the returned **Process** object are `$null`. You must use +> either the 64-bit version of PowerShell or the +> [Win32_Process](/windows/desktop/CIMWin32Prov/win32-process) class. To get process information from a remote computer, use the `Invoke-Command` cmdlet. For more -information, see [Invoke-Command](xref:Microsoft.PowerShell.Core.Invoke-Command). +information, see [Invoke-Command](../Microsoft.PowerShell.Core/Invoke-Command.md). -You can use the properties and methods of the Windows Management Instrumentation (WMI) -**Win32_Process** object in PowerShell. For information, see -[Win32_Process](/windows/win32/cimwin32prov/win32-process). +You can use the Windows Management Instrumentation (WMI) +[Win32_Process](/windows/desktop/CIMWin32Prov/win32-process) class in PowerShell as an alternative +to `Get-Process`. For more information, see: -The default display of a process is a table that includes the following columns. For a description -of all of the properties of process objects, see -[Process Properties](/dotnet/api/system.diagnostics.process). +- [Example 8: Find the owner of a process](#example-8-find-the-owner-of-a-process) +- [Get-CimInstance](../CimCmdlets/Get-CimInstance.md) + +The default display of a **Process** object is a table view that includes the following columns. - **Handles**: The number of handles that the process has opened. - **NPM(K)**: The amount of non-paged memory that the process is using, in kilobytes. - **PM(K)**: The amount of pageable memory that the process is using, in kilobytes. - **WS(K)**: The size of the working set of the process, in kilobytes. The working set consists of the pages of memory that were recently referenced by the process. -- **VM(M)**: The amount of virtual memory that the process is using, in megabytes. Virtual memory - includes storage in the paging files on disk. - **CPU(s)**: The amount of processor time that the process has used on all processors, in seconds. - **Id**: The process ID (PID) of the process. -- **ProcessName**: The name of the process. For explanations of the concepts related to processes, - see the Glossary in Help and Support Center and the Help for Task Manager. +- **SI**: The session ID of the process. +- **ProcessName**: The name of the process. + +You can use the built-in alternate views for **Process** objects available with `Format-Table`, such +as **StartTime** and **Priority**. You can also design your own views. -You can also use the built-in alternate views of the processes available with `Format-Table`, such -as **StartTime** and **Priority**, and you can design your own views. +For a description of all available **Process** object members, see +[Process Properties](xref:System.Diagnostics.Process#properties) and +[Process Methods](xref:System.Diagnostics.Process#methods). ## RELATED LINKS @@ -494,3 +514,5 @@ as **StartTime** and **Priority**, and you can design your own views. [Stop-Process](Stop-Process.md) [Wait-Process](Wait-Process.md) + +[Where-Object](../Microsoft.PowerShell.Core/Where-Object.md) diff --git a/reference/7.4/Microsoft.PowerShell.Management/Get-Process.md b/reference/7.4/Microsoft.PowerShell.Management/Get-Process.md index 228077bea8f2..40e0eaddbc60 100644 --- a/reference/7.4/Microsoft.PowerShell.Management/Get-Process.md +++ b/reference/7.4/Microsoft.PowerShell.Management/Get-Process.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Commands.Management.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Management -ms.date: 07/03/2023 +ms.date: 04/15/2025 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4&WT.mc_id=ps-gethelp schema: 2.0.0 title: Get-Process @@ -55,147 +55,178 @@ Get-Process -InputObject -IncludeUserName [] The `Get-Process` cmdlet gets the processes on a local computer. -Without parameters, this cmdlet gets all of the processes on the local computer. You can also -specify a particular process by process name or process ID (PID) or pass a process object through -the pipeline to this cmdlet. +Without parameters, this cmdlet gets all processes on the local computer. You can also specify a +specific process by process name or process ID (PID), or by piping a **System.Diagnostics.Process** +object to this cmdlet. -By default, this cmdlet returns a process object that has detailed information about the process and -supports methods that let you start and stop the process. You can also use the parameters of the -`Get-Process` cmdlet to get file version information for the program that runs in the process and to -get the modules that the process loaded. +By default, this cmdlet returns a **Process** object that has detailed information about the process +and supports methods that let you control it. With parameters, you can change the type of +information returned by this cmdlet. + +- **Module**: Retrieve information for each module loaded into the process. +- **FileVersionInfo**: Retrieve file version information for the main module of the process. + +> [!NOTE] +> A module is an executable file or a dynamic link library (DLL) loaded into a process. A process +> has one or more modules. The main module is the module used to initially start the process. For +> more information, see [ProcessModule Class](/dotnet/api/system.diagnostics.processmodule). ## EXAMPLES -### Example 1: Get a list of all active processes on the local computer +### Example 1: Get a list of all running processes on the local computer ```powershell Get-Process ``` -This command gets a list of all active processes running on the local computer. For a definition of -each column, see the [Notes](#notes) section. +This command gets a list of all running processes on the local computer. For a definition of each +display column, see the [NOTES](#notes) section. -### Example 2: Get all available data about one or more processes +To see all properties of a **Process** object, use `Get-Process | Get-Member`. By default, +PowerShell displays certain property values using units such as kilobytes (K) and megabytes (M). The +actual values when accessed with the member-access operator (`.`) are in bytes. + +### Example 2: Display detailed information about one or more processes ```powershell Get-Process winword, explorer | Format-List * ``` -This command gets all available data about the Winword and Explorer processes on the computer. It -uses the **Name** parameter to specify the processes, but it omits the optional parameter name. The -pipeline operator (`|`) passes the data to the `Format-List` cmdlet, which displays all available -properties (`*`) of the Winword and Explorer process objects. +This pipeline displays detailed information about the `winword` and `explorer` processes on the +computer. It uses the **Name** parameter to specify the processes, but it omits the optional +parameter name. The pipeline operator (`|`) pipes **Process** objects to the `Format-List` +cmdlet, which displays all available properties (`*`) and their values for each object. You can also identify the processes by their process IDs. For instance, `Get-Process -Id 664, 2060`. ### Example 3: Get all processes with a working set greater than a specified size ```powershell -Get-Process | Where-Object {$_.WorkingSet -gt 20000000} +Get-Process | Where-Object { $_.WorkingSet -gt 20971520 } +Get-Process | Where-Object WorkingSet -GT 20MB ``` -This command gets all processes that have a working set greater than 20 MB. It uses the -`Get-Process` cmdlet to get all running processes. The pipeline operator (`|`) passes the process -objects to the `Where-Object` cmdlet, which selects only the object with a value greater than -20,000,000 bytes for the **WorkingSet** property. +The `Get-Process` cmdlet returns the running processes. The output is piped to the `Where-Object` +cmdlet, which selects the objects with a **WorkingSet** value greater than 20,971,520 bytes. -**WorkingSet** is one of many properties of process objects. To see all of the properties, type -`Get-Process | Get-Member`. By default, the values of all amount properties are in bytes, even -though the default display lists them in kilobytes and megabytes. +In the first example, `Where-Object` uses a scriptblock to compare the **WorkingSet** property of +each **Process** object. In the second example, the `Where-Object` cmdlet uses the simplified syntax +to compare the **WorkingSet** property. In this case, `-GT` is a parameter, not a comparison +operator. The second example also uses a +[numeric literal suffix](../Microsoft.PowerShell.Core/About/about_Numeric_Literals.md) as a concise +alternative to `20971520`. In PowerShell, `MB` represents a mebibyte (MiB) multiplier. `20MB` is +equal to 20,971,520 bytes. -### Example 4: List processes on the computer in groups based on priority +### Example 4: Display processes on the computer in groups based on priority ```powershell -$A = Get-Process -$A | Get-Process | Format-Table -View Priority +$processes = Get-Process +$processes | Sort-Object { $_.PriorityClass } | Format-Table -View Priority ``` -These commands list the processes on the computer in groups based on their priority class. The first -command gets all the processes on the computer and then stores them in the `$A` variable. - -The second command pipes the **Process** object stored in the `$A` variable to the `Get-Process` -cmdlet, then to the `Format-Table` cmdlet, which formats the processes by using the **Priority** -view. +These commands display processes on the computer in groups based on their +[priority class](/dotnet/api/system.diagnostics.processpriorityclass). The first command gets all +processes on the computer and stores them in the `$processes` variable. -The **Priority** view, and other views, are defined in the PS1XML format files in the PowerShell -home directory (`$PSHOME`). +The second command pipes the **Process** objects stored in the `$processes` variable to the +`Sort-Object` cmdlet, then to the `Format-Table` cmdlet, which formats the processes using the +**Priority** view. -### Example 5: Add a property to the standard Get-Process output display +### Example 5: Add a property to the default `Get-Process` output display ```powershell -Get-Process pwsh | Format-Table ` - @{Label = "NPM(K)"; Expression = {[int]($_.NPM / 1024)}}, - @{Label = "PM(K)"; Expression = {[int]($_.PM / 1024)}}, - @{Label = "WS(K)"; Expression = {[int]($_.WS / 1024)}}, - @{Label = "VM(M)"; Expression = {[int]($_.VM / 1MB)}}, - @{Label = "CPU(s)"; Expression = {if ($_.CPU) {$_.CPU.ToString("N")}}}, - Id, ProcessName, StartTime -AutoSize +Get-Process -Name pwsh | Format-Table -Property @( + @{ Name = 'NPM(K)'; Expression = { [int] ($_.NPM / 1KB) } } + @{ Name = 'PM(M)'; Expression = { [int] ($_.PM / 1MB) } } + @{ Name = 'WS(M)'; Expression = { [int] ($_.WS / 1MB) } } + @{ Name = 'CPU(s)'; Expression = { if ($_.CPU) { $_.CPU.ToString('N') } } } + 'Id' + @{ Name = 'SI'; Expression = 'SessionId' } + 'ProcessName' + 'StartTime' +) -AutoSize ``` ```Output -NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName StartTime ------- ----- ----- ----- ------ -- ----------- --------- - 143 239540 259384 2366162 22.73 12720 pwsh 12/5/2022 3:21:51 PM - 114 61776 104588 2366127 11.45 18336 pwsh 12/5/2022 7:30:53 AM - 156 77924 82060 2366185 10.47 18812 pwsh 12/5/2022 7:30:52 AM - 85 48216 115192 2366074 1.14 24428 pwsh 12/8/2022 9:14:15 AM +NPM(K) PM(M) WS(M) CPU(s) Id SI ProcessName StartTime +------ ----- ----- ------ -- -- ----------- --------- + 84 46 79 18.297 3188 1 pwsh 4/14/2025 10:40:10 AM + 66 30 90 4.328 4640 1 pwsh 4/13/2025 3:33:50 PM + 66 30 90 4.516 9204 1 pwsh 4/14/2025 9:54:27 AM ``` -This example retrieves processes from the local computer. The retrieved processes are piped to the -`Format-Table` command that adds the **StartTime** property to the standard `Get-Process` output -display. +This example retrieves processes from the local computer and pipes each **Process** object to the +`Format-Table` cmdlet. `Format-Table` recreates the default output display of a **Process** object +using a mixture of property names and +[calculated properties](../Microsoft.PowerShell.Core/About/about_Calculated_Properties.md). The +display includes an additional **StartTime** property not present in the default display. ### Example 6: Get version information for a process ```powershell -Get-Process pwsh -FileVersionInfo +Get-Process -Name pwsh -FileVersionInfo ``` ```Output ProductVersion FileVersion FileName -------------- ----------- -------- -6.1.2 6.1.2 C:\Program Files\PowerShell\6\pwsh.exe +7.5.0 SHA: 99da… 7.5.0.500 C:\Program Files\PowerShell\7\pwsh.exe ``` -This command uses the **FileVersionInfo** parameter to get the version information for the -`pwsh.exe` file that is the main module for the PowerShell process. +This command uses the **FileVersionInfo** parameter to get file version information for the main +module of the `pwsh` process. The main module is the file used to start the process, which +in this case is `pwsh.exe`. -To run this command with processes that you do not own on Windows Vista and later versions of -Windows, you must open PowerShell with the **Run as administrator** option. +To use this command with processes that you don't own on Windows Vista and later versions of +Windows, you must run PowerShell with elevated user rights (**Run as administrator**). ### Example 7: Get modules loaded with the specified process ```powershell -Get-Process SQL* -Module +Get-Process -Name SQL* -Module ``` -This command uses the **Module** parameter to get the modules that have been loaded by the process. -This command gets the modules for the processes that have names that begin with `SQL`. +This command uses the **Module** parameter to get the modules loaded by all processes with a name +beginning with `SQL`. -To run this command on Windows Vista and later versions of Windows with processes that you do not -own, you must start PowerShell with the **Run as administrator** option. +To use this command with processes that you don't own on Windows Vista and later versions of +Windows, you must run PowerShell with elevated user rights (**Run as administrator**). ### Example 8: Find the owner of a process ```powershell -Get-Process pwsh -IncludeUserName +Get-Process -Name pwsh -IncludeUserName +``` + +```Output +WS(M) CPU(s) Id UserName ProcessName +----- ------ -- -------- ----------- +46.53 21.70 3188 DOMAIN01\user01 pwsh +``` + +```powershell +Get-CimInstance -ClassName Win32_Process -Filter "name='pwsh.exe'" | + Invoke-CimMethod -MethodName GetOwner ``` ```Output -Handles WS(K) CPU(s) Id UserName ProcessName -------- ----- ------ -- -------- ----------- - 782 132080 2.08 2188 DOMAIN01\user01 pwsh +Domain ReturnValue User PSComputerName +------ ----------- ---- -------------- +DOMAIN01 0 user01 ``` -This command shows how to find the owner of a process. -On Windows, the **IncludeUserName** parameter requires elevated user rights -(**Run as Administrator**). -The output reveals that the owner is `Domain01\user01`. +The first command shows how to get the owner of a process. The output reveals that the owner is +`DOMAIN01\user01`. + +The second pipeline shows a different way to get the owner of a process using `Get-CimInstance` and +`Invoke-CimMethod`. The **Win32_Process** class with a filter retrieves `pwsh` processes and the +invoked `GetOwner()` method returns information on the process's **Domain** and **User**. This +method is only available on Windows and doesn't require elevated user rights. ### Example 9: Use an automatic variable to identify the process hosting the current session ```powershell -Get-Process pwsh +Get-Process -Name pwsh ``` ```Output @@ -215,26 +246,26 @@ NPM(K) PM(M) WS(M) CPU(s) Id SI ProcessName 83 96.21 77.53 4.39 1192 10 pwsh ``` -These commands show how to use the `$PID` automatic variable to identify the process that is hosting +These commands show how to use the `$PID` automatic variable to identify the process that's hosting the current PowerShell session. You can use this method to distinguish the host process from other -PowerShell processes that you might want to stop or close. - -The first command gets all of the PowerShell processes in the current session. +`pwsh` processes that you might want to control. -The second command gets the PowerShell process that is hosting the current session. +The first command gets all `pwsh` processes running. The second command gets the `pwsh` process +that's hosting the current session. ### Example 10: Get all processes that have a main window title and display them in a table ```powershell -Get-Process | Where-Object {$_.MainWindowTitle} | Format-Table Id, Name, MainWindowTitle -AutoSize +Get-Process | + Where-Object -Property MainWindowTitle | + Format-Table -Property Id, Name, MainWindowTitle -AutoSize ``` -This command gets all the processes that have a main window title, and it displays them in a table -with the process ID and the process name. +This pipeline gets all processes that have a main window title, and displays them in a table with +the process ID and name. -The **MainWindowTitle** property is just one of many useful properties of the **Process** object -that `Get-Process` returns. To view all of the properties, pipe the results of a `Get-Process` -command to the `Get-Member` cmdlet `Get-Process | Get-Member`. +**MainWindowTitle** is one of many useful properties of the **Diagnostics.Process** object type that +`Get-Process` returns. To view all properties, use `Get-Process | Get-Member`. ## PARAMETERS @@ -243,13 +274,13 @@ command to the `Get-Member` cmdlet `Get-Process | Get-Member`. Indicates that this cmdlet gets the file version information for the program that runs in the process. -On Windows Vista and later versions of Windows, you must open PowerShell with the **Run as -administrator** option to use this parameter on processes that you do not own. +On Windows Vista and later versions of Windows, you must run PowerShell with elevated user rights +(**Run as administrator**) to use this parameter on processes that you don't own. -Using this parameter is equivalent to getting the **MainModule.FileVersionInfo** property of each -process object. When you use this parameter, `Get-Process` returns a **FileVersionInfo** object -**System.Diagnostics.FileVersionInfo**, not a process object. So, you cannot pipe the output of the -command to a cmdlet that expects a process object, such as `Stop-Process`. +Using this parameter is the same as accessing the **MainModule.FileVersionInfo** property of each +**Process** object. When you use this parameter, `Get-Process` returns a **FileVersionInfo** +object, not a **Process** object. You can't pipe output produced using this parameter to a cmdlet +that expects a **Process** object, such as `Stop-Process`. ```yaml Type: System.Management.Automation.SwitchParameter @@ -265,8 +296,9 @@ Accept wildcard characters: False ### -Id -Specifies one or more processes by process ID (PID). To specify multiple IDs, use commas to separate -the IDs. To find the PID of a process, type `Get-Process`. +Specifies one or more processes by process ID (PID). You can specify multiple IDs separated by +commas. To get the PID of a process, use `Get-Process`. To get the PID of the current PowerShell +session, use `$PID`. ```yaml Type: System.Int32[] @@ -282,7 +314,7 @@ Accept wildcard characters: False ### -IncludeUserName -Indicates that the UserName value of the **Process** object is returned with results of the command. +Indicates that this command adds a **UserName** property to each returned **Process** object. ```yaml Type: System.Management.Automation.SwitchParameter @@ -298,7 +330,7 @@ Accept wildcard characters: False ### -InputObject -Specifies one or more process objects. Enter a variable that contains the objects, or type a command +Specifies one or more **Process** objects. Use a variable that contains the objects, or a command or expression that gets the objects. ```yaml @@ -315,18 +347,18 @@ Accept wildcard characters: False ### -Module -Indicates that this cmdlet gets the modules that have been loaded by the processes. +Indicates that this cmdlet gets the modules that the process has loaded. -On Windows Vista and later versions of Windows, you must open PowerShell with the **Run as -administrator** option to use this parameter on processes that you do not own. +On Windows Vista and later versions of Windows, you must run PowerShell with elevated user rights +(**Run as administrator**) to use this parameter on processes that you don't own. -This parameter is equivalent to getting the **Modules** property of each process object. When you -use this parameter, this cmdlet returns a **ProcessModule** object -**System.Diagnostics.ProcessModule**, not a process object. So, you cannot pipe the output of the -command to a cmdlet that expects a process object, such as `Stop-Process`. +Using this parameter is the same as accessing the **Modules** property of each **Process** object. +When you use this parameter, `Get-Process` returns a **ProcessModule** object, not a **Process** +object. You can't pipe output produced using this parameter to a cmdlet that expects a **Process** +object, such as `Stop-Process`. -When you use both the **Module** and **FileVersionInfo** parameters in the same command, this cmdlet -returns a **FileVersionInfo** object with information about the file version of all modules. +When you use both the **Module** and **FileVersionInfo** parameters together, this cmdlet returns a +**FileVersionInfo** object with information about the file version of all modules. ```yaml Type: System.Management.Automation.SwitchParameter @@ -342,8 +374,8 @@ Accept wildcard characters: False ### -Name -Specifies one or more processes by process name. You can type multiple process names (separated by -commas) and use wildcard characters. The parameter name (`Name`) is optional. +Specifies one or more processes by process name. You can specify multiple process names separated by +commas and use wildcard characters. Using the `-Name` parameter is optional. ```yaml Type: System.String[] @@ -368,7 +400,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ### System.Diagnostics.Process -You can pipe a process object to this cmdlet. +You can pipe **Process** objects to this cmdlet. ## OUTPUTS @@ -378,12 +410,13 @@ By default, this cmdlet returns a **System.Diagnostics.Process** object. ### System.Diagnostics.FileVersionInfo -If you use the **FileVersionInfo** parameter, this cmdlet returns a **FileVersionInfo** object. +If you use the **FileVersionInfo** parameter, this cmdlet returns a +**System.Diagnostics.FileVersionInfo** object. ### System.Diagnostics.ProcessModule - If you use the **Module** parameter, without the **FileVersionInfo** parameter, this cmdlet returns -a **ProcessModule** object. +If you use the **Module** parameter, without the **FileVersionInfo** parameter, this cmdlet returns +a **System.Diagnostics.ProcessModule** object. ## NOTES @@ -394,34 +427,42 @@ PowerShell includes the following aliases for `Get-Process`: - Windows: - `ps` -On computers that are running a 64-bit version of Windows, the 64-bit version of PowerShell gets -only 64-bit process modules and the 32-bit version of PowerShell gets only 32-bit process modules. +On computers running 64-bit Windows, the 64-bit version of PowerShell gets the main module and +64-bit process modules. The 32-bit version of PowerShell gets only 32-bit process modules. + +> [!WARNING] +> When you use `Get-Process` to get a 64-bit process in the 32-bit version of PowerShell, properties +> such as `Path` and `MainModule` of the returned **Process** object are `$null`. You must use +> either the 64-bit version of PowerShell or the +> [Win32_Process](/windows/desktop/CIMWin32Prov/win32-process) class. To get process information from a remote computer, use the `Invoke-Command` cmdlet. For more -information, see [Invoke-Command](xref:Microsoft.PowerShell.Core.Invoke-Command). +information, see [Invoke-Command](../Microsoft.PowerShell.Core/Invoke-Command.md). + +On Windows, you can use the Windows Management Instrumentation (WMI) +[Win32_Process](/windows/desktop/CIMWin32Prov/win32-process) class in PowerShell as an alternative +to `Get-Process`. For more information, see: -You can use the properties and methods of the Windows Management Instrumentation (WMI) -**Win32_Process** object in PowerShell. For information, see -[Win32_Process](/windows/win32/cimwin32prov/win32-process). +- [Example 8: Find the owner of a process](#example-8-find-the-owner-of-a-process) +- [Get-CimInstance](../CimCmdlets/Get-CimInstance.md) -The default display of a process is a table that includes the following columns. For a description -of all of the properties of process objects, see -[Process Properties](/dotnet/api/system.diagnostics.process). +The default display of a **Process** object is a table view that includes the following columns. -- **Handles**: The number of handles that the process has opened. - **NPM(K)**: The amount of non-paged memory that the process is using, in kilobytes. -- **PM(K)**: The amount of pageable memory that the process is using, in kilobytes. -- **WS(K)**: The size of the working set of the process, in kilobytes. The working set consists of +- **PM(M)**: The amount of pageable memory that the process is using, in megabytes. +- **WS(M)**: The size of the working set of the process, in megabytes. The working set consists of the pages of memory that were recently referenced by the process. -- **VM(M)**: The amount of virtual memory that the process is using, in megabytes. Virtual memory - includes storage in the paging files on disk. - **CPU(s)**: The amount of processor time that the process has used on all processors, in seconds. - **Id**: The process ID (PID) of the process. -- **ProcessName**: The name of the process. For explanations of the concepts related to processes, - see the Glossary in Help and Support Center and the Help for Task Manager. +- **SI**: The session ID of the process. +- **ProcessName**: The name of the process. -You can also use the built-in alternate views of the processes available with `Format-Table`, such -as **StartTime** and **Priority**, and you can design your own views. +You can use the built-in alternate views for **Process** objects available with `Format-Table`, such +as **StartTime** and **Priority**. You can also design your own views. + +For a description of all available **Process** object members, see +[Process Properties](xref:System.Diagnostics.Process#properties) and +[Process Methods](xref:System.Diagnostics.Process#methods). ## RELATED LINKS @@ -434,3 +475,5 @@ as **StartTime** and **Priority**, and you can design your own views. [Stop-Process](Stop-Process.md) [Wait-Process](Wait-Process.md) + +[Where-Object](../Microsoft.PowerShell.Core/Where-Object.md) diff --git a/reference/7.5/Microsoft.PowerShell.Management/Get-Process.md b/reference/7.5/Microsoft.PowerShell.Management/Get-Process.md index f53457e369c6..b74d0ef4ddfb 100644 --- a/reference/7.5/Microsoft.PowerShell.Management/Get-Process.md +++ b/reference/7.5/Microsoft.PowerShell.Management/Get-Process.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Commands.Management.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Management -ms.date: 07/03/2023 +ms.date: 04/15/2025 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.5&WT.mc_id=ps-gethelp schema: 2.0.0 title: Get-Process @@ -55,148 +55,178 @@ Get-Process -InputObject -IncludeUserName [] The `Get-Process` cmdlet gets the processes on a local computer. -Without parameters, this cmdlet gets all the processes on the local computer. You can also specify a -particular process by process name or process ID (PID) or pass a process object through the pipeline -to this cmdlet. +Without parameters, this cmdlet gets all processes on the local computer. You can also specify a +specific process by process name or process ID (PID), or by piping a **System.Diagnostics.Process** +object to this cmdlet. -By default, this cmdlet returns a process object that has detailed information about the process and -supports methods that let you start and stop the process. You can also use the parameters of the -`Get-Process` cmdlet to get file version information for the program that runs in the process and to -get the modules that the process loaded. +By default, this cmdlet returns a **Process** object that has detailed information about the process +and supports methods that let you control it. With parameters, you can change the type of +information returned by this cmdlet. + +- **Module**: Retrieve information for each module loaded into the process. +- **FileVersionInfo**: Retrieve file version information for the main module of the process. + +> [!NOTE] +> A module is an executable file or a dynamic link library (DLL) loaded into a process. A process +> has one or more modules. The main module is the module used to initially start the process. For +> more information, see [ProcessModule Class](/dotnet/api/system.diagnostics.processmodule). ## EXAMPLES -### Example 1: Get a list of all active processes on the local computer +### Example 1: Get a list of all running processes on the local computer ```powershell Get-Process ``` -This command gets a list of all active processes running on the local computer. For a definition of -each column, see the [Notes](#notes) section. +This command gets a list of all running processes on the local computer. For a definition of each +display column, see the [NOTES](#notes) section. -### Example 2: Get all available data about one or more processes +To see all properties of a **Process** object, use `Get-Process | Get-Member`. By default, +PowerShell displays certain property values using units such as kilobytes (K) and megabytes (M). The +actual values when accessed with the member-access operator (`.`) are in bytes. + +### Example 2: Display detailed information about one or more processes ```powershell Get-Process winword, explorer | Format-List * ``` -This command gets all available data about the Winword and Explorer processes on the computer. It -uses the **Name** parameter to specify the processes, but it omits the optional parameter name. The -pipeline operator (`|`) passes the data to the `Format-List` cmdlet, which displays all available -properties (`*`) of the Winword and Explorer process objects. +This pipeline displays detailed information about the `winword` and `explorer` processes on the +computer. It uses the **Name** parameter to specify the processes, but it omits the optional +parameter name. The pipeline operator (`|`) pipes **Process** objects to the `Format-List` +cmdlet, which displays all available properties (`*`) and their values for each object. You can also identify the processes by their process IDs. For instance, `Get-Process -Id 664, 2060`. ### Example 3: Get all processes with a working set greater than a specified size ```powershell -Get-Process | Where-Object {$_.WorkingSet -gt 20000000} +Get-Process | Where-Object { $_.WorkingSet -gt 20971520 } +Get-Process | Where-Object WorkingSet -GT 20MB ``` -This command gets all processes that have a working set greater than 20 MB. It uses the -`Get-Process` cmdlet to get all running processes. The pipeline operator (`|`) passes the process -objects to the `Where-Object` cmdlet, which selects only the object with a value greater than -20,000,000 bytes for the **WorkingSet** property. +The `Get-Process` cmdlet returns the running processes. The output is piped to the `Where-Object` +cmdlet, which selects the objects with a **WorkingSet** value greater than 20,971,520 bytes. -**WorkingSet** is one of many properties of process objects. To see all the properties, type -`Get-Process | Get-Member`. By default, the values of all amount properties are in bytes, even -though the default display lists them in kilobytes and megabytes. +In the first example, `Where-Object` uses a scriptblock to compare the **WorkingSet** property of +each **Process** object. In the second example, the `Where-Object` cmdlet uses the simplified syntax +to compare the **WorkingSet** property. In this case, `-GT` is a parameter, not a comparison +operator. The second example also uses a +[numeric literal suffix](../Microsoft.PowerShell.Core/About/about_Numeric_Literals.md) as a concise +alternative to `20971520`. In PowerShell, `MB` represents a mebibyte (MiB) multiplier. `20MB` is +equal to 20,971,520 bytes. -### Example 4: List processes on the computer in groups based on priority +### Example 4: Display processes on the computer in groups based on priority ```powershell -$A = Get-Process -$A | Get-Process | Format-Table -View Priority +$processes = Get-Process +$processes | Sort-Object { $_.PriorityClass } | Format-Table -View Priority ``` -These commands list the processes on the computer in groups based on their priority class. The first -command gets all the processes on the computer and then stores them in the `$A` variable. - -The second command pipes the **Process** object stored in the `$A` variable to the `Get-Process` -cmdlet, then to the `Format-Table` cmdlet, which formats the processes by using the **Priority** -view. +These commands display processes on the computer in groups based on their +[priority class](/dotnet/api/system.diagnostics.processpriorityclass). The first command gets all +processes on the computer and stores them in the `$processes` variable. -The **Priority** view, and other views, are defined in the PS1XML format files in the PowerShell -home directory (`$PSHOME`). +The second command pipes the **Process** objects stored in the `$processes` variable to the +`Sort-Object` cmdlet, then to the `Format-Table` cmdlet, which formats the processes using the +**Priority** view. -### Example 5: Add a property to the standard Get-Process output display +### Example 5: Add a property to the default `Get-Process` output display ```powershell -Get-Process pwsh | Format-Table ` - @{Label = "NPM(K)"; Expression = {[int]($_.NPM / 1024)}}, - @{Label = "PM(K)"; Expression = {[int]($_.PM / 1024)}}, - @{Label = "WS(K)"; Expression = {[int]($_.WS / 1024)}}, - @{Label = "VM(M)"; Expression = {[int]($_.VM / 1MB)}}, - @{Label = "CPU(s)"; Expression = {if ($_.CPU) {$_.CPU.ToString("N")}}}, - Id, ProcessName, StartTime -AutoSize +Get-Process -Name pwsh | Format-Table -Property @( + @{ Name = 'NPM(K)'; Expression = { [int] ($_.NPM / 1KB) } } + @{ Name = 'PM(M)'; Expression = { [int] ($_.PM / 1MB) } } + @{ Name = 'WS(M)'; Expression = { [int] ($_.WS / 1MB) } } + @{ Name = 'CPU(s)'; Expression = { if ($_.CPU) { $_.CPU.ToString('N') } } } + 'Id' + @{ Name = 'SI'; Expression = 'SessionId' } + 'ProcessName' + 'StartTime' +) -AutoSize ``` ```Output -NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName StartTime ------- ----- ----- ----- ------ -- ----------- --------- - 143 239540 259384 2366162 22.73 12720 pwsh 12/5/2022 3:21:51 PM - 114 61776 104588 2366127 11.45 18336 pwsh 12/5/2022 7:30:53 AM - 156 77924 82060 2366185 10.47 18812 pwsh 12/5/2022 7:30:52 AM - 85 48216 115192 2366074 1.14 24428 pwsh 12/8/2022 9:14:15 AM +NPM(K) PM(M) WS(M) CPU(s) Id SI ProcessName StartTime +------ ----- ----- ------ -- -- ----------- --------- + 84 46 79 18.297 3188 1 pwsh 4/14/2025 10:40:10 AM + 66 30 90 4.328 4640 1 pwsh 4/13/2025 3:33:50 PM + 66 30 90 4.516 9204 1 pwsh 4/14/2025 9:54:27 AM ``` -This example retrieves processes from the local computer. The retrieved processes are piped to the -`Format-Table` command that adds the **StartTime** property to the standard `Get-Process` output -display. +This example retrieves processes from the local computer and pipes each **Process** object to the +`Format-Table` cmdlet. `Format-Table` recreates the default output display of a **Process** object +using a mixture of property names and +[calculated properties](../Microsoft.PowerShell.Core/About/about_Calculated_Properties.md). The +display includes an additional **StartTime** property not present in the default display. ### Example 6: Get version information for a process ```powershell -Get-Process pwsh -FileVersionInfo +Get-Process -Name pwsh -FileVersionInfo ``` ```Output ProductVersion FileVersion FileName -------------- ----------- -------- -6.1.2 6.1.2 C:\Program Files\PowerShell\6\pwsh.exe +7.5.0 SHA: 99da… 7.5.0.500 C:\Program Files\PowerShell\7\pwsh.exe ``` -This command uses the **FileVersionInfo** parameter to get the version information for the -`pwsh.exe` file that's the main module for the PowerShell process. +This command uses the **FileVersionInfo** parameter to get file version information for the main +module of the `pwsh` process. The main module is the file used to start the process, which +in this case is `pwsh.exe`. -To run this command with processes that you don't own on Windows Vista and later versions of -Windows, you must open PowerShell with the **Run as administrator** option. +To use this command with processes that you don't own on Windows Vista and later versions of +Windows, you must run PowerShell with elevated user rights (**Run as administrator**). ### Example 7: Get modules loaded with the specified process ```powershell -Get-Process SQL* -Module +Get-Process -Name SQL* -Module ``` -This command uses the **Module** parameter to get the modules that have been loaded by the process. -This command gets the modules for the processes that have names that begin with `SQL`. +This command uses the **Module** parameter to get the modules loaded by all processes with a name +beginning with `SQL`. -To run this command on Windows Vista and later versions of Windows with processes that you don't -own, you must start PowerShell with the **Run as administrator** option. +To use this command with processes that you don't own on Windows Vista and later versions of +Windows, you must run PowerShell with elevated user rights (**Run as administrator**). ### Example 8: Find the owner of a process ```powershell -Get-Process pwsh -IncludeUserName +Get-Process -Name pwsh -IncludeUserName +``` + +```Output +WS(M) CPU(s) Id UserName ProcessName +----- ------ -- -------- ----------- +46.53 21.70 3188 DOMAIN01\user01 pwsh +``` + +```powershell +Get-CimInstance -ClassName Win32_Process -Filter "name='pwsh.exe'" | + Invoke-CimMethod -MethodName GetOwner ``` ```Output -Handles WS(K) CPU(s) Id UserName ProcessName -------- ----- ------ -- -------- ----------- - 782 132080 2.08 2188 DOMAIN01\user01 pwsh +Domain ReturnValue User PSComputerName +------ ----------- ---- -------------- +DOMAIN01 0 user01 ``` -This command shows how to find the owner of a process. -On Windows, the **IncludeUserName** parameter requires elevated user rights -(**Run as Administrator**) to view the users of processes that aren't running -as the current user. -The output reveals that the owner is `Domain01\user01`. +The first command shows how to get the owner of a process. The output reveals that the owner is +`DOMAIN01\user01`. + +The second pipeline shows a different way to get the owner of a process using `Get-CimInstance` and +`Invoke-CimMethod`. The **Win32_Process** class with a filter retrieves `pwsh` processes and the +invoked `GetOwner()` method returns information on the process's **Domain** and **User**. This +method is only available on Windows and doesn't require elevated user rights. ### Example 9: Use an automatic variable to identify the process hosting the current session ```powershell -Get-Process pwsh +Get-Process -Name pwsh ``` ```Output @@ -218,24 +248,24 @@ NPM(K) PM(M) WS(M) CPU(s) Id SI ProcessName These commands show how to use the `$PID` automatic variable to identify the process that's hosting the current PowerShell session. You can use this method to distinguish the host process from other -PowerShell processes that you might want to stop or close. - -The first command gets all the PowerShell processes in the current session. +`pwsh` processes that you might want to control. -The second command gets the PowerShell process that's hosting the current session. +The first command gets all `pwsh` processes running. The second command gets the `pwsh` process +that's hosting the current session. ### Example 10: Get all processes that have a main window title and display them in a table ```powershell -Get-Process | Where-Object {$_.MainWindowTitle} | Format-Table Id, Name, MainWindowTitle -AutoSize +Get-Process | + Where-Object -Property MainWindowTitle | + Format-Table -Property Id, Name, MainWindowTitle -AutoSize ``` -This command gets all the processes that have a main window title, and it displays them in a table -with the process ID and the process name. +This pipeline gets all processes that have a main window title, and displays them in a table with +the process ID and name. -The **MainWindowTitle** property is just one of many useful properties of the **Process** object -that `Get-Process` returns. To view all the properties, pipe the results of a `Get-Process` -command to the `Get-Member` cmdlet `Get-Process | Get-Member`. +**MainWindowTitle** is one of many useful properties of the **Diagnostics.Process** object type that +`Get-Process` returns. To view all properties, use `Get-Process | Get-Member`. ## PARAMETERS @@ -244,13 +274,13 @@ command to the `Get-Member` cmdlet `Get-Process | Get-Member`. Indicates that this cmdlet gets the file version information for the program that runs in the process. -On Windows, you must open PowerShell with the **Run as administrator** option to use this parameter -on processes that you don't own. +On Windows Vista and later versions of Windows, you must run PowerShell with elevated user rights +(**Run as administrator**) to use this parameter on processes that you don't own. -Using this parameter is equivalent to getting the **MainModule.FileVersionInfo** property of each -process object. When you use this parameter, `Get-Process` returns a **FileVersionInfo** object -**System.Diagnostics.FileVersionInfo**, not a process object. Therefore, you can't pipe the output -of the command to a cmdlet that expects a process object, such as `Stop-Process`. +Using this parameter is the same as accessing the **MainModule.FileVersionInfo** property of each +**Process** object. When you use this parameter, `Get-Process` returns a **FileVersionInfo** +object, not a **Process** object. You can't pipe output produced using this parameter to a cmdlet +that expects a **Process** object, such as `Stop-Process`. ```yaml Type: System.Management.Automation.SwitchParameter @@ -266,8 +296,9 @@ Accept wildcard characters: False ### -Id -Specifies one or more processes by process ID (PID). To specify multiple IDs, use commas to separate -the IDs. To find the PID of a process, type `Get-Process`. +Specifies one or more processes by process ID (PID). You can specify multiple IDs separated by +commas. To get the PID of a process, use `Get-Process`. To get the PID of the current PowerShell +session, use `$PID`. ```yaml Type: System.Int32[] @@ -283,7 +314,7 @@ Accept wildcard characters: False ### -IncludeUserName -Indicates that the UserName value of the **Process** object is returned with results of the command. +Indicates that this command adds a **UserName** property to each returned **Process** object. ```yaml Type: System.Management.Automation.SwitchParameter @@ -299,7 +330,7 @@ Accept wildcard characters: False ### -InputObject -Specifies one or more process objects. Enter a variable that contains the objects, or type a command +Specifies one or more **Process** objects. Use a variable that contains the objects, or a command or expression that gets the objects. ```yaml @@ -316,18 +347,18 @@ Accept wildcard characters: False ### -Module -Indicates that this cmdlet gets the modules that have been loaded by the processes. +Indicates that this cmdlet gets the modules that the process has loaded. -On Windows Vista and later versions of Windows, you must open PowerShell with the **Run as -administrator** option to use this parameter on processes that you don't own. +On Windows Vista and later versions of Windows, you must run PowerShell with elevated user rights +(**Run as administrator**) to use this parameter on processes that you don't own. -This parameter is equivalent to getting the **Modules** property of each process object. When you -use this parameter, this cmdlet returns a **System.Diagnostics.ProcessModule** object , not a -process object. Therefore, you can't pipe the output of the command to a cmdlet that expects a -process object, such as `Stop-Process`. +Using this parameter is the same as accessing the **Modules** property of each **Process** object. +When you use this parameter, `Get-Process` returns a **ProcessModule** object, not a **Process** +object. You can't pipe output produced using this parameter to a cmdlet that expects a **Process** +object, such as `Stop-Process`. -When you use both the **Module** and **FileVersionInfo** parameters in the same command, this cmdlet -returns a **FileVersionInfo** object with information about the file version of all modules. +When you use both the **Module** and **FileVersionInfo** parameters together, this cmdlet returns a +**FileVersionInfo** object with information about the file version of all modules. ```yaml Type: System.Management.Automation.SwitchParameter @@ -343,8 +374,8 @@ Accept wildcard characters: False ### -Name -Specifies one or more processes by process name. You can type multiple process names (separated by -commas) and use wildcard characters. The parameter name (`Name`) is optional. +Specifies one or more processes by process name. You can specify multiple process names separated by +commas and use wildcard characters. Using the `-Name` parameter is optional. ```yaml Type: System.String[] @@ -369,7 +400,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ### System.Diagnostics.Process -You can pipe a process object to this cmdlet. +You can pipe **Process** objects to this cmdlet. ## OUTPUTS @@ -379,12 +410,13 @@ By default, this cmdlet returns a **System.Diagnostics.Process** object. ### System.Diagnostics.FileVersionInfo -If you use the **FileVersionInfo** parameter, this cmdlet returns a **FileVersionInfo** object. +If you use the **FileVersionInfo** parameter, this cmdlet returns a +**System.Diagnostics.FileVersionInfo** object. ### System.Diagnostics.ProcessModule - If you use the **Module** parameter, without the **FileVersionInfo** parameter, this cmdlet returns -a **ProcessModule** object. +If you use the **Module** parameter, without the **FileVersionInfo** parameter, this cmdlet returns +a **System.Diagnostics.ProcessModule** object. ## NOTES @@ -395,34 +427,42 @@ PowerShell includes the following aliases for `Get-Process`: - Windows: - `ps` -On computers that are running a 64-bit version of Windows, the 64-bit version of PowerShell gets -only 64-bit process modules and the 32-bit version of PowerShell gets only 32-bit process modules. +On computers running 64-bit Windows, the 64-bit version of PowerShell gets the main module and +64-bit process modules. The 32-bit version of PowerShell gets only 32-bit process modules. + +> [!WARNING] +> When you use `Get-Process` to get a 64-bit process in the 32-bit version of PowerShell, properties +> such as `Path` and `MainModule` of the returned **Process** object are `$null`. You must use +> either the 64-bit version of PowerShell or the +> [Win32_Process](/windows/desktop/CIMWin32Prov/win32-process) class. To get process information from a remote computer, use the `Invoke-Command` cmdlet. For more -information, see [Invoke-Command](xref:Microsoft.PowerShell.Core.Invoke-Command). +information, see [Invoke-Command](../Microsoft.PowerShell.Core/Invoke-Command.md). + +On Windows, you can use the Windows Management Instrumentation (WMI) +[Win32_Process](/windows/desktop/CIMWin32Prov/win32-process) class in PowerShell as an alternative +to `Get-Process`. For more information, see: -You can use the properties and methods of the Windows Management Instrumentation (WMI) -**Win32_Process** object in PowerShell. For information, see -[Win32_Process](/windows/win32/cimwin32prov/win32-process). +- [Example 8: Find the owner of a process](#example-8-find-the-owner-of-a-process) +- [Get-CimInstance](../CimCmdlets/Get-CimInstance.md) -The default display of a process is a table that includes the following columns. For a description -of all the properties of process objects, see -[Process Properties](/dotnet/api/system.diagnostics.process). +The default display of a **Process** object is a table view that includes the following columns. -- **Handles**: The number of handles that the process has opened. - **NPM(K)**: The amount of non-paged memory that the process is using, in kilobytes. -- **PM(K)**: The amount of pageable memory that the process is using, in kilobytes. -- **WS(K)**: The size of the working set of the process, in kilobytes. The working set consists of +- **PM(M)**: The amount of pageable memory that the process is using, in megabytes. +- **WS(M)**: The size of the working set of the process, in megabytes. The working set consists of the pages of memory that were recently referenced by the process. -- **VM(M)**: The amount of virtual memory that the process is using, in megabytes. Virtual memory - includes storage in the paging files on disk. - **CPU(s)**: The amount of processor time that the process has used on all processors, in seconds. - **Id**: The process ID (PID) of the process. -- **ProcessName**: The name of the process. For explanations of the concepts related to processes, - see the Glossary in Help and Support Center and the Help for Task Manager. +- **SI**: The session ID of the process. +- **ProcessName**: The name of the process. -You can also use the built-in alternate views of the processes available with `Format-Table`, such -as **StartTime** and **Priority**, and you can design your own views. +You can use the built-in alternate views for **Process** objects available with `Format-Table`, such +as **StartTime** and **Priority**. You can also design your own views. + +For a description of all available **Process** object members, see +[Process Properties](xref:System.Diagnostics.Process#properties) and +[Process Methods](xref:System.Diagnostics.Process#methods). ## RELATED LINKS @@ -435,3 +475,5 @@ as **StartTime** and **Priority**, and you can design your own views. [Stop-Process](Stop-Process.md) [Wait-Process](Wait-Process.md) + +[Where-Object](../Microsoft.PowerShell.Core/Where-Object.md) diff --git a/reference/7.6/Microsoft.PowerShell.Management/Get-Process.md b/reference/7.6/Microsoft.PowerShell.Management/Get-Process.md index dc37a98e7fe9..e7064a8f748d 100644 --- a/reference/7.6/Microsoft.PowerShell.Management/Get-Process.md +++ b/reference/7.6/Microsoft.PowerShell.Management/Get-Process.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Commands.Management.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Management -ms.date: 07/03/2023 +ms.date: 04/15/2025 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.6&WT.mc_id=ps-gethelp schema: 2.0.0 title: Get-Process @@ -55,148 +55,178 @@ Get-Process -InputObject -IncludeUserName [] The `Get-Process` cmdlet gets the processes on a local computer. -Without parameters, this cmdlet gets all the processes on the local computer. You can also specify a -particular process by process name or process ID (PID) or pass a process object through the pipeline -to this cmdlet. +Without parameters, this cmdlet gets all processes on the local computer. You can also specify a +specific process by process name or process ID (PID), or by piping a **System.Diagnostics.Process** +object to this cmdlet. -By default, this cmdlet returns a process object that has detailed information about the process and -supports methods that let you start and stop the process. You can also use the parameters of the -`Get-Process` cmdlet to get file version information for the program that runs in the process and to -get the modules that the process loaded. +By default, this cmdlet returns a **Process** object that has detailed information about the process +and supports methods that let you control it. With parameters, you can change the type of +information returned by this cmdlet. + +- **Module**: Retrieve information for each module loaded into the process. +- **FileVersionInfo**: Retrieve file version information for the main module of the process. + +> [!NOTE] +> A module is an executable file or a dynamic link library (DLL) loaded into a process. A process +> has one or more modules. The main module is the module used to initially start the process. For +> more information, see [ProcessModule Class](/dotnet/api/system.diagnostics.processmodule). ## EXAMPLES -### Example 1: Get a list of all active processes on the local computer +### Example 1: Get a list of all running processes on the local computer ```powershell Get-Process ``` -This command gets a list of all active processes running on the local computer. For a definition of -each column, see the [Notes](#notes) section. +This command gets a list of all running processes on the local computer. For a definition of each +display column, see the [NOTES](#notes) section. -### Example 2: Get all available data about one or more processes +To see all properties of a **Process** object, use `Get-Process | Get-Member`. By default, +PowerShell displays certain property values using units such as kilobytes (K) and megabytes (M). The +actual values when accessed with the member-access operator (`.`) are in bytes. + +### Example 2: Display detailed information about one or more processes ```powershell Get-Process winword, explorer | Format-List * ``` -This command gets all available data about the Winword and Explorer processes on the computer. It -uses the **Name** parameter to specify the processes, but it omits the optional parameter name. The -pipeline operator (`|`) passes the data to the `Format-List` cmdlet, which displays all available -properties (`*`) of the Winword and Explorer process objects. +This pipeline displays detailed information about the `winword` and `explorer` processes on the +computer. It uses the **Name** parameter to specify the processes, but it omits the optional +parameter name. The pipeline operator (`|`) pipes **Process** objects to the `Format-List` +cmdlet, which displays all available properties (`*`) and their values for each object. You can also identify the processes by their process IDs. For instance, `Get-Process -Id 664, 2060`. ### Example 3: Get all processes with a working set greater than a specified size ```powershell -Get-Process | Where-Object {$_.WorkingSet -gt 20000000} +Get-Process | Where-Object { $_.WorkingSet -gt 20971520 } +Get-Process | Where-Object WorkingSet -GT 20MB ``` -This command gets all processes that have a working set greater than 20 MB. It uses the -`Get-Process` cmdlet to get all running processes. The pipeline operator (`|`) passes the process -objects to the `Where-Object` cmdlet, which selects only the object with a value greater than -20,000,000 bytes for the **WorkingSet** property. +The `Get-Process` cmdlet returns the running processes. The output is piped to the `Where-Object` +cmdlet, which selects the objects with a **WorkingSet** value greater than 20,971,520 bytes. -**WorkingSet** is one of many properties of process objects. To see all the properties, type -`Get-Process | Get-Member`. By default, the values of all amount properties are in bytes, even -though the default display lists them in kilobytes and megabytes. +In the first example, `Where-Object` uses a scriptblock to compare the **WorkingSet** property of +each **Process** object. In the second example, the `Where-Object` cmdlet uses the simplified syntax +to compare the **WorkingSet** property. In this case, `-GT` is a parameter, not a comparison +operator. The second example also uses a +[numeric literal suffix](../Microsoft.PowerShell.Core/About/about_Numeric_Literals.md) as a concise +alternative to `20971520`. In PowerShell, `MB` represents a mebibyte (MiB) multiplier. `20MB` is +equal to 20,971,520 bytes. -### Example 4: List processes on the computer in groups based on priority +### Example 4: Display processes on the computer in groups based on priority ```powershell -$A = Get-Process -$A | Get-Process | Format-Table -View Priority +$processes = Get-Process +$processes | Sort-Object { $_.PriorityClass } | Format-Table -View Priority ``` -These commands list the processes on the computer in groups based on their priority class. The first -command gets all the processes on the computer and then stores them in the `$A` variable. - -The second command pipes the **Process** object stored in the `$A` variable to the `Get-Process` -cmdlet, then to the `Format-Table` cmdlet, which formats the processes by using the **Priority** -view. +These commands display processes on the computer in groups based on their +[priority class](/dotnet/api/system.diagnostics.processpriorityclass). The first command gets all +processes on the computer and stores them in the `$processes` variable. -The **Priority** view, and other views, are defined in the PS1XML format files in the PowerShell -home directory (`$PSHOME`). +The second command pipes the **Process** objects stored in the `$processes` variable to the +`Sort-Object` cmdlet, then to the `Format-Table` cmdlet, which formats the processes using the +**Priority** view. -### Example 5: Add a property to the standard Get-Process output display +### Example 5: Add a property to the default `Get-Process` output display ```powershell -Get-Process pwsh | Format-Table ` - @{Label = "NPM(K)"; Expression = {[int]($_.NPM / 1024)}}, - @{Label = "PM(K)"; Expression = {[int]($_.PM / 1024)}}, - @{Label = "WS(K)"; Expression = {[int]($_.WS / 1024)}}, - @{Label = "VM(M)"; Expression = {[int]($_.VM / 1MB)}}, - @{Label = "CPU(s)"; Expression = {if ($_.CPU) {$_.CPU.ToString("N")}}}, - Id, ProcessName, StartTime -AutoSize +Get-Process -Name pwsh | Format-Table -Property @( + @{ Name = 'NPM(K)'; Expression = { [int] ($_.NPM / 1KB) } } + @{ Name = 'PM(M)'; Expression = { [int] ($_.PM / 1MB) } } + @{ Name = 'WS(M)'; Expression = { [int] ($_.WS / 1MB) } } + @{ Name = 'CPU(s)'; Expression = { if ($_.CPU) { $_.CPU.ToString('N') } } } + 'Id' + @{ Name = 'SI'; Expression = 'SessionId' } + 'ProcessName' + 'StartTime' +) -AutoSize ``` ```Output -NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName StartTime ------- ----- ----- ----- ------ -- ----------- --------- - 143 239540 259384 2366162 22.73 12720 pwsh 12/5/2022 3:21:51 PM - 114 61776 104588 2366127 11.45 18336 pwsh 12/5/2022 7:30:53 AM - 156 77924 82060 2366185 10.47 18812 pwsh 12/5/2022 7:30:52 AM - 85 48216 115192 2366074 1.14 24428 pwsh 12/8/2022 9:14:15 AM +NPM(K) PM(M) WS(M) CPU(s) Id SI ProcessName StartTime +------ ----- ----- ------ -- -- ----------- --------- + 84 46 79 18.297 3188 1 pwsh 4/14/2025 10:40:10 AM + 66 30 90 4.328 4640 1 pwsh 4/13/2025 3:33:50 PM + 66 30 90 4.516 9204 1 pwsh 4/14/2025 9:54:27 AM ``` -This example retrieves processes from the local computer. The retrieved processes are piped to the -`Format-Table` command that adds the **StartTime** property to the standard `Get-Process` output -display. +This example retrieves processes from the local computer and pipes each **Process** object to the +`Format-Table` cmdlet. `Format-Table` recreates the default output display of a **Process** object +using a mixture of property names and +[calculated properties](../Microsoft.PowerShell.Core/About/about_Calculated_Properties.md). The +display includes an additional **StartTime** property not present in the default display. ### Example 6: Get version information for a process ```powershell -Get-Process pwsh -FileVersionInfo +Get-Process -Name pwsh -FileVersionInfo ``` ```Output ProductVersion FileVersion FileName -------------- ----------- -------- -6.1.2 6.1.2 C:\Program Files\PowerShell\6\pwsh.exe +7.5.0 SHA: 99da… 7.5.0.500 C:\Program Files\PowerShell\7\pwsh.exe ``` -This command uses the **FileVersionInfo** parameter to get the version information for the -`pwsh.exe` file that's the main module for the PowerShell process. +This command uses the **FileVersionInfo** parameter to get file version information for the main +module of the `pwsh` process. The main module is the file used to start the process, which +in this case is `pwsh.exe`. -To run this command with processes that you don't own on Windows Vista and later versions of -Windows, you must open PowerShell with the **Run as administrator** option. +To use this command with processes that you don't own on Windows Vista and later versions of +Windows, you must run PowerShell with elevated user rights (**Run as administrator**). ### Example 7: Get modules loaded with the specified process ```powershell -Get-Process SQL* -Module +Get-Process -Name SQL* -Module ``` -This command uses the **Module** parameter to get the modules that have been loaded by the process. -This command gets the modules for the processes that have names that begin with `SQL`. +This command uses the **Module** parameter to get the modules loaded by all processes with a name +beginning with `SQL`. -To run this command on Windows Vista and later versions of Windows with processes that you don't -own, you must start PowerShell with the **Run as administrator** option. +To use this command with processes that you don't own on Windows Vista and later versions of +Windows, you must run PowerShell with elevated user rights (**Run as administrator**). ### Example 8: Find the owner of a process ```powershell -Get-Process pwsh -IncludeUserName +Get-Process -Name pwsh -IncludeUserName +``` + +```Output +WS(M) CPU(s) Id UserName ProcessName +----- ------ -- -------- ----------- +46.53 21.70 3188 DOMAIN01\user01 pwsh +``` + +```powershell +Get-CimInstance -ClassName Win32_Process -Filter "name='pwsh.exe'" | + Invoke-CimMethod -MethodName GetOwner ``` ```Output -Handles WS(K) CPU(s) Id UserName ProcessName -------- ----- ------ -- -------- ----------- - 782 132080 2.08 2188 DOMAIN01\user01 pwsh +Domain ReturnValue User PSComputerName +------ ----------- ---- -------------- +DOMAIN01 0 user01 ``` -This command shows how to find the owner of a process. -On Windows, the **IncludeUserName** parameter requires elevated user rights -(**Run as Administrator**) to view the users of processes that aren't running -as the current user. -The output reveals that the owner is `Domain01\user01`. +The first command shows how to get the owner of a process. The output reveals that the owner is +`DOMAIN01\user01`. + +The second pipeline shows a different way to get the owner of a process using `Get-CimInstance` and +`Invoke-CimMethod`. The **Win32_Process** class with a filter retrieves `pwsh` processes and the +invoked `GetOwner()` method returns information on the process's **Domain** and **User**. This +method is only available on Windows and doesn't require elevated user rights. ### Example 9: Use an automatic variable to identify the process hosting the current session ```powershell -Get-Process pwsh +Get-Process -Name pwsh ``` ```Output @@ -218,24 +248,24 @@ NPM(K) PM(M) WS(M) CPU(s) Id SI ProcessName These commands show how to use the `$PID` automatic variable to identify the process that's hosting the current PowerShell session. You can use this method to distinguish the host process from other -PowerShell processes that you might want to stop or close. - -The first command gets all the PowerShell processes in the current session. +`pwsh` processes that you might want to control. -The second command gets the PowerShell process that's hosting the current session. +The first command gets all `pwsh` processes running. The second command gets the `pwsh` process +that's hosting the current session. ### Example 10: Get all processes that have a main window title and display them in a table ```powershell -Get-Process | Where-Object {$_.MainWindowTitle} | Format-Table Id, Name, MainWindowTitle -AutoSize +Get-Process | + Where-Object -Property MainWindowTitle | + Format-Table -Property Id, Name, MainWindowTitle -AutoSize ``` -This command gets all the processes that have a main window title, and it displays them in a table -with the process ID and the process name. +This pipeline gets all processes that have a main window title, and displays them in a table with +the process ID and name. -The **MainWindowTitle** property is just one of many useful properties of the **Process** object -that `Get-Process` returns. To view all the properties, pipe the results of a `Get-Process` -command to the `Get-Member` cmdlet `Get-Process | Get-Member`. +**MainWindowTitle** is one of many useful properties of the **Diagnostics.Process** object type that +`Get-Process` returns. To view all properties, use `Get-Process | Get-Member`. ## PARAMETERS @@ -244,13 +274,13 @@ command to the `Get-Member` cmdlet `Get-Process | Get-Member`. Indicates that this cmdlet gets the file version information for the program that runs in the process. -On Windows, you must open PowerShell with the **Run as administrator** option to use this parameter -on processes that you don't own. +On Windows Vista and later versions of Windows, you must run PowerShell with elevated user rights +(**Run as administrator**) to use this parameter on processes that you don't own. -Using this parameter is equivalent to getting the **MainModule.FileVersionInfo** property of each -process object. When you use this parameter, `Get-Process` returns a **FileVersionInfo** object -**System.Diagnostics.FileVersionInfo**, not a process object. Therefore, you can't pipe the output -of the command to a cmdlet that expects a process object, such as `Stop-Process`. +Using this parameter is the same as accessing the **MainModule.FileVersionInfo** property of each +**Process** object. When you use this parameter, `Get-Process` returns a **FileVersionInfo** +object, not a **Process** object. You can't pipe output produced using this parameter to a cmdlet +that expects a **Process** object, such as `Stop-Process`. ```yaml Type: System.Management.Automation.SwitchParameter @@ -266,8 +296,9 @@ Accept wildcard characters: False ### -Id -Specifies one or more processes by process ID (PID). To specify multiple IDs, use commas to separate -the IDs. To find the PID of a process, type `Get-Process`. +Specifies one or more processes by process ID (PID). You can specify multiple IDs separated by +commas. To get the PID of a process, use `Get-Process`. To get the PID of the current PowerShell +session, use `$PID`. ```yaml Type: System.Int32[] @@ -283,7 +314,7 @@ Accept wildcard characters: False ### -IncludeUserName -Indicates that the UserName value of the **Process** object is returned with results of the command. +Indicates that this command adds a **UserName** property to each returned **Process** object. ```yaml Type: System.Management.Automation.SwitchParameter @@ -299,7 +330,7 @@ Accept wildcard characters: False ### -InputObject -Specifies one or more process objects. Enter a variable that contains the objects, or type a command +Specifies one or more **Process** objects. Use a variable that contains the objects, or a command or expression that gets the objects. ```yaml @@ -316,18 +347,18 @@ Accept wildcard characters: False ### -Module -Indicates that this cmdlet gets the modules that have been loaded by the processes. +Indicates that this cmdlet gets the modules that the process has loaded. -On Windows Vista and later versions of Windows, you must open PowerShell with the **Run as -administrator** option to use this parameter on processes that you don't own. +On Windows Vista and later versions of Windows, you must run PowerShell with elevated user rights +(**Run as administrator**) to use this parameter on processes that you don't own. -This parameter is equivalent to getting the **Modules** property of each process object. When you -use this parameter, this cmdlet returns a **System.Diagnostics.ProcessModule** object , not a -process object. Therefore, you can't pipe the output of the command to a cmdlet that expects a -process object, such as `Stop-Process`. +Using this parameter is the same as accessing the **Modules** property of each **Process** object. +When you use this parameter, `Get-Process` returns a **ProcessModule** object, not a **Process** +object. You can't pipe output produced using this parameter to a cmdlet that expects a **Process** +object, such as `Stop-Process`. -When you use both the **Module** and **FileVersionInfo** parameters in the same command, this cmdlet -returns a **FileVersionInfo** object with information about the file version of all modules. +When you use both the **Module** and **FileVersionInfo** parameters together, this cmdlet returns a +**FileVersionInfo** object with information about the file version of all modules. ```yaml Type: System.Management.Automation.SwitchParameter @@ -343,8 +374,8 @@ Accept wildcard characters: False ### -Name -Specifies one or more processes by process name. You can type multiple process names (separated by -commas) and use wildcard characters. The parameter name (`Name`) is optional. +Specifies one or more processes by process name. You can specify multiple process names separated by +commas and use wildcard characters. Using the `-Name` parameter is optional. ```yaml Type: System.String[] @@ -369,7 +400,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ### System.Diagnostics.Process -You can pipe a process object to this cmdlet. +You can pipe **Process** objects to this cmdlet. ## OUTPUTS @@ -379,12 +410,13 @@ By default, this cmdlet returns a **System.Diagnostics.Process** object. ### System.Diagnostics.FileVersionInfo -If you use the **FileVersionInfo** parameter, this cmdlet returns a **FileVersionInfo** object. +If you use the **FileVersionInfo** parameter, this cmdlet returns a +**System.Diagnostics.FileVersionInfo** object. ### System.Diagnostics.ProcessModule - If you use the **Module** parameter, without the **FileVersionInfo** parameter, this cmdlet returns -a **ProcessModule** object. +If you use the **Module** parameter, without the **FileVersionInfo** parameter, this cmdlet returns +a **System.Diagnostics.ProcessModule** object. ## NOTES @@ -395,34 +427,42 @@ PowerShell includes the following aliases for `Get-Process`: - Windows: - `ps` -On computers that are running a 64-bit version of Windows, the 64-bit version of PowerShell gets -only 64-bit process modules and the 32-bit version of PowerShell gets only 32-bit process modules. +On computers running 64-bit Windows, the 64-bit version of PowerShell gets the main module and +64-bit process modules. The 32-bit version of PowerShell gets only 32-bit process modules. + +> [!WARNING] +> When you use `Get-Process` to get a 64-bit process in the 32-bit version of PowerShell, properties +> such as `Path` and `MainModule` of the returned **Process** object are `$null`. You must use +> either the 64-bit version of PowerShell or the +> [Win32_Process](/windows/desktop/CIMWin32Prov/win32-process) class. To get process information from a remote computer, use the `Invoke-Command` cmdlet. For more -information, see [Invoke-Command](xref:Microsoft.PowerShell.Core.Invoke-Command). +information, see [Invoke-Command](../Microsoft.PowerShell.Core/Invoke-Command.md). + +On Windows, you can use the Windows Management Instrumentation (WMI) +[Win32_Process](/windows/desktop/CIMWin32Prov/win32-process) class in PowerShell as an alternative +to `Get-Process`. For more information, see: -You can use the properties and methods of the Windows Management Instrumentation (WMI) -**Win32_Process** object in PowerShell. For information, see -[Win32_Process](/windows/win32/cimwin32prov/win32-process). +- [Example 8: Find the owner of a process](#example-8-find-the-owner-of-a-process) +- [Get-CimInstance](../CimCmdlets/Get-CimInstance.md) -The default display of a process is a table that includes the following columns. For a description -of all the properties of process objects, see -[Process Properties](/dotnet/api/system.diagnostics.process). +The default display of a **Process** object is a table view that includes the following columns. -- **Handles**: The number of handles that the process has opened. - **NPM(K)**: The amount of non-paged memory that the process is using, in kilobytes. -- **PM(K)**: The amount of pageable memory that the process is using, in kilobytes. -- **WS(K)**: The size of the working set of the process, in kilobytes. The working set consists of +- **PM(M)**: The amount of pageable memory that the process is using, in megabytes. +- **WS(M)**: The size of the working set of the process, in megabytes. The working set consists of the pages of memory that were recently referenced by the process. -- **VM(M)**: The amount of virtual memory that the process is using, in megabytes. Virtual memory - includes storage in the paging files on disk. - **CPU(s)**: The amount of processor time that the process has used on all processors, in seconds. - **Id**: The process ID (PID) of the process. -- **ProcessName**: The name of the process. For explanations of the concepts related to processes, - see the Glossary in Help and Support Center and the Help for Task Manager. +- **SI**: The session ID of the process. +- **ProcessName**: The name of the process. -You can also use the built-in alternate views of the processes available with `Format-Table`, such -as **StartTime** and **Priority**, and you can design your own views. +You can use the built-in alternate views for **Process** objects available with `Format-Table`, such +as **StartTime** and **Priority**. You can also design your own views. + +For a description of all available **Process** object members, see +[Process Properties](xref:System.Diagnostics.Process#properties) and +[Process Methods](xref:System.Diagnostics.Process#methods). ## RELATED LINKS @@ -435,3 +475,5 @@ as **StartTime** and **Priority**, and you can design your own views. [Stop-Process](Stop-Process.md) [Wait-Process](Wait-Process.md) + +[Where-Object](../Microsoft.PowerShell.Core/Where-Object.md)