Enumerate
Process List
tasklist
Displays a list of currently running processes on the local computer.
tasklist /FO [table OR list OR csv]
Format Process List
tasklist /s <servername>
Displays processes running on a remote computer.
tasklist /v
Displays detailed information about processes, including the username of the process owner.
tasklist /m
Displays all processes and the modules loaded by each process.
tasklist /FI "[FilterName] [Operator] [Value]"
Filter Process List
Get-Process
Process list (local or remote)
(Get-Process).Name
Returns only the name of every process
Get-Process -Name <processname>
Gets a process with a specific name.
Get-Process -Id <processid>
Gets a process with a specific process ID.
Get-Process -ComputerName <computername>
Gets processes running on a specified remote computer.
Get-Process | where Handles -GE 1000
Process with 1000 or more handles
wmic process get /?
All available fields
wmic process list
Process list
wmic process list brief
Lists all processes with brief details.
wmic process get name,processid
Lists all processes with their names and process IDs.
wmic process where "name='processname.exe'" get *
Retrieves detailed information about a specific process.
wmic process get name,commandline
Command line for each process
wmic process get name,creationdate
Process creation time
Get-CimInstance Win32_Process
Retrieves a list of processes using CIM.
Shows pertinent process info:
Retrieves detailed information about a specific process using CIM:
Processes that have > 1000 Handles:
Retrieves the specific properties for every process in list format:
Show Process Path:
Remote:
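Added example, not part of the original cheat sheet: one Get-CimInstance sweep that gathers in a single object the fields the tasklist and wmic one-liners above pull out separately (PID, parent PID, owner, handle count, creation time, path, command line). The function name, its parameters, and the assumption that CIM access is available when a remote computer name is supplied are mine.

```powershell
# Added example (not from the original page). Collects Win32_Process fields
# locally, or remotely when -ComputerName is given (assumes CIM/WinRM access).
function Get-ProcessInventory {
    param(
        [string]$ComputerName,   # hypothetical parameter name, optional
        [int]$MinHandles = 0     # e.g. 1000 to mirror "Handles -GE 1000"
    )
    $cimArgs = @{ ClassName = 'Win32_Process' }
    if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }

    Get-CimInstance @cimArgs |
        Where-Object { $_.HandleCount -ge $MinHandles } |
        ForEach-Object {
            # GetOwner is a WMI method on Win32_Process; it fails for protected
            # and system processes, so record that instead of aborting the sweep.
            $owner = '<unavailable>'
            try {
                $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction Stop
                if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
            } catch { }

            [pscustomobject]@{
                PID         = $_.ProcessId
                PPID        = $_.ParentProcessId
                Name        = $_.Name
                Owner       = $owner
                Handles     = $_.HandleCount
                Created     = $_.CreationDate
                Path        = $_.ExecutablePath
                CommandLine = $_.CommandLine
            }
        }
}

# Usage: every process with 1000 or more handles, then path/owner/command line
# of each cmd.exe image (the same questions the wmic lines below answer one at a time).
Get-ProcessInventory -MinHandles 1000 | Format-Table PID, PPID, Name, Owner, Handles -AutoSize
Get-ProcessInventory | Where-Object Name -eq 'cmd.exe' | Format-List Path, CommandLine, Owner
```

A blank Path or CommandLine for a non-system process usually means the caller lacks rights to that process rather than that the fields are empty, so compare against an elevated run before drawing conclusions.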
Specific Processes
tasklist /FI "IMAGENAME eq explorer.exe" /V
Verbose process info
tasklist /V /FI "MODULES eq mswsock.dll"
Process associated with a DLL
tasklist /FI "IMAGENAME eq cmd.exe" /M
DLLs associated with a process
tasklist /svc /fi "services eq dnscache"
List Process responsible for a service
wmic process where processid="772" list brief
Brief details for the process with PID 772
wmic process where processid="772" list full
All properties for the process with PID 772
wmic process where (processid=2000) get parentprocessid
Parent process ID (PPID) for PID 2000
wmic process where (processid=1644) get commandline
Command line for PID 1644
wmic process where "name like '%.exe'" call getowner
Get list of *.exe process owners
wmic process where name="explorer.exe" call getowner
Get owner of process
wmic process where name='alg.exe' get executablepath,commandline
Process properties
wmic process where name='nc.exe' get installdate
Process properties
wmic process where name='apnmcp.exe' get executablepath
Process properties
wmic process where "caption like 'cmd.exe'" get /format:list
All process properties listed for exe
wmic datafile where name='c:\\pathto\\exe'
View file properties of a process image (WQL needs backslashes doubled in the path)
wmic datafile where name='c:\\pathto\\exe' get
Get all file properties of an unknown process image
Show process properties:
Show Process Paths:
DLLs
tasklist /M
List the DLLs associated with each process
tasklist /FI "IMAGENAME eq cmd.exe" /M
Lists all DLLs for a process
tasklist /m /FI "modules eq mpr.dll" | more
Lists the processes that have mpr.dll loaded, with each one's modules
tasklist /V /FI "MODULES eq mswsock.dll"
List all processes associated with the Windows Socket DLL
listdlls -d msctf.dll -accepteula | more
Lists the processes that have msctf.dll loaded (Sysinternals ListDLLs)
Check for AppInit_DLL's (possible rootkit):
SysInternals
listdlls -accepteula | find "Command"
Shows the command line of every process (ListDLLs prints a "Command line:" entry per process)
listdlls -accepteula | find /I "Command"
Same, with a case-insensitive match
listdlls -accepteula <processname>
Lists DLLs of a process
pslist
Tasklist alternative, sysinternals (use -x, -t)
pslist -t
Find parent processes
autorunsc -s | find /I "nc.exe"
Checks autostart services and non-disabled drivers
autorunsc -w | find /I "nc.exe"
Checks winlogon entries
autorunsc -l | find /I "nc.exe"
Checks logon startups (default)
autorunsc > autodump.txt
Write output to a text file
more autodump.txt | find /N /I "nc.exe"
Search contents
more /E autodump.txt
Press "=" to show line numbers
accesschk.exe /accepteula -uwcqv <user> <service>
Show permissions on a service/exe