2

I am looking for a way to find processes that do not have a parent process running (orphaned processes). Im attempting to do this using win32_process. I have the query that returns the attributes needed, its the comparison im struggling with:

gwmi win32_process -ComputerName $hostname | select ProcessID,ParentProcessID,@{l="Username";e={$_.getowner().user}} | where{$_.Username -like $username}

I have tried compare-object -includeequal against the two arrays and get an overwhelming number of results- so much so i doubt truth of the operator given the arrays i'm feeding it. I think there is value added in the diff command, but am not familiar with the usage other than feeding it arrays as well. Does anyone have experience with the diff command and/or another solution?

The end goal is to compare or diff the two arrays from the above wmi call: 

$proc_all = gwmi win32_process -ComputerName $hostname | select ProcessID,ParentProcessID,@{l="Username";e={$_.getowner().user}} | where{$_.Username -like $username} $sub_procs = $proc_all.Processid #ARRAY1 $par_proces = $proc_all.ParentProcessId #ARRAY2

And then return only the ones that do not appear in both (orphaned). Thanks in advance!

Improve this question

2 Answers 2

Reset to default
1

I know this is an oldie, but following solution performs quite well:

function Get-OrphanedProcesses { $procsWithParent = Get-WmiObject -ClassName "win32_process" | Select-Object ProcessId,ParentProcessId $orphaned = $procsWithParent | Where-Object -Property ParentProcessId -NotIn $procsWithParent.ProcessId Get-Process | Where-Object -Property Id -In $orphaned.ProcessId }
Improve this answer
1
  • NOTE: you might want to use Get-CimInstance instead of Get-WmiObject Commented Oct 31, 2019 at 9:40
0

Probably not very efficient, but it seems to work:

$all_Processes = gwmi win32_process -ComputerName . | select ProcessID,ParentProcessID,Description,@{l="Username";e={$_.getowner().user}} | where{$_.Username -like $env:username} $all_processIDs = $all_Processes.Processid #ARRAY1 $parent_processIDs = $all_Processes.ParentProcessId #ARRAY2 # create a new Array for parents that are gone $gone = New-Object System.Collections.ArrayList # loop through all processes $parent_processIDs | Sort-Object -Unique | ForEach-Object { # find the ones where the current parent ID is not running if ($all_processIDs -notcontains $_) { $gone.Add($_) | Out-Null } } # now we have all parentIDs no longer running # loop through all processes and find those in that list $all_Processes | Where-Object {$gone -contains $_.ParentProcessId} | ForEach-Object {$_}
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.