Enumerate

tasklist

Displays a list of currently running processes on the local computer.

tasklist /FO [table OR list OR csv]

Format Process List

tasklist /s <servername>

Displays processes running on a remote computer.

tasklist /v

Displays detailed information about processes, including the username of the process owner.

tasklist /m

Displays all processes and the modules loaded by each process.

tasklist /FI "[FilterName] [Operator] [Value]"

Filter Process List

Get-Process

Process list (local or remote)

(GetProcess).Name

Returns only names of every process

Get-Process -Name <processname>

Gets a process with a specific name.

Get-Process -Id <processid>

Gets a process with a specific process ID.

Get-Process -ComputerName <computername>

Gets processes running on a specified remote computer.

Get-Process | where Handles -GE 1000

Process with 1000 or more handles

wmic process get /?

All available fields

wmic process list

Process list

wmic process list brief

Lists all processes with brief details.

wmic process get name,processid

Lists all processes with their names and process IDs.

wmic process where "name='processname.exe'" get *

Retrieves detailed information about a specific process.

wmic process get name,commandline

Command line for each process

wmic process get name,creationdate

Process creation time

Get-CimInstance Win32_Process

Retrieves a list of processes using CIM.

tasklist /FI "IMAGENAME eq explorer.exe" /V

Verbose process info

tasklist /V /FI "MODULES eq mswsock.dll"

Process associated with a DLL

tasklist /FI "IMAGENAME eq cmd.exe" /M

DLLs associated with a process

tasklist /svc /fi "services eq dnscache"

List Process responsible for a service

wmic process where processid="772" list brief

PID

wmic process where processid="772" list full

PID

wmic process where (processid=2000) get parentprocessid

PID get PPID

wmic process where (processid=1644) get commandline

PID get cmdline

wmic process where "name like '%.exe" call getowner

Get list of *.exe process owners

wmic process where name="explorer.exe" call getowner

Get ownder of process

wmic process where name='alg.exe' get executablepath,commandline

Process properties

wmic process where name='nc.exe' get installdate

Process properties

wmic process where name='apnmcp.exe' get executablepath

Process properties

wmic process where "caption like 'cmd.exe'" get /format:list

All process properties listed for exe

wmic datafile where name='c:\\\\pathto\\\\exe'

View file properties on a process

wmic datafile where name='c:\\pathto\\exe' get

Get info on unknown process.

tasklist /M

List the DLLs associated with each process

tasklist /FI "IMAGENAME eq cmd.exe" /M

Lists all DLLs for a process

tasklist /m /FI "modules eq mpr.dll" | more

Lists all DLLs for a process

tasklist /V /FI "MODULES eq mswsock.dll"

List all process associated with the Windows Socket DLL

listdlls -d msctf.dll -accepteula | more

Sysinternals

listdlls -accepteula | find "Command"

Lists all DLLs being used

listdlls -accepteula | find /I "Command"

listdlls -accepteula <processname

Lists DLLs of a process

pslist

Tasklist alternative, sysinternals (use -x, -t)

pslist -t

Find parent processes

autorunsc -s | find /I "nc.exe"

Checks autostart services and non-disabled drivers

autorunsc -w | find /I "nc.exe"

Checks winlogon entries

autorunsc -l | find /I "nc.exe"

Checks logon startups (default)

autorunsc -> autodump.txt

Output to txt

more autodump.txt | find /N /I "nc.exe"

Search contents

more /E autodump.txt

Press "=" to show line numbers

accesschk.exe /accepteula -uwcqv <user> <service>

Show permissions on a service/exe