Get Parent Process

parent-child Recently I helping out on a post in the forums at ScriptingAnswers.com. The question centered around identifying processes on a computer and their parent process. There are many ways you could slice and dice this problem using WMI and Get-WmiObject. Getting the parent process ID is pretty simple, but going backwards from there to identify the parent process takes a little PowerShell jujitsu.

Because I love objects (geeky, I know), one angle I pursued created a custom object for each parent process. The object included a few key (at least to me) properties as well as a property that held an array of all child processes.

Here’s an example.

ParentID          : 916
Children          : {@{ProcessID=4068; ProcessName=Moe.exe; Description=Moe.exe
; Created=5/19/2010 8:52:59 AM}, @{ProcessID=4716; ProcessN
ame=SkypeNames2.exe; Description=SkypeNames2.exe; Created=5
/20/2010 8:13:47 AM}, @{ProcessID=1600; ProcessName=VBoxSVC
.exe; Description=VBoxSVC.exe; Created=5/20/2010 11:59:31 A
M}, @{ProcessID=6828; ProcessName=WmiPrvSE.exe; Description
=WmiPrvSE.exe; Created=5/21/2010 7:57:22 AM}}
NumberofChildren  : 4
ParentCreated     : 5/19/2010 8:51:46 AM
ParentProcess     : svchost.exe
Computername      : SERENITY

To get here, I called a function I wrote called Get-ParentProcess.

}#Process
End {

$finish=Get-Date

This is an advanced function so it requires PowerShell 2.0. The actual function includes comment based help. I’ve omitted here.

The function takes a computername as a parameter, defaulting to the local computer. You can pipe names to the function as well. Here’s what happens when you connect to the remote computer using Get-WmiObject.  The collection of Win32_Process objects is sorted by the ParentProcessID and then piped to Group-Object. This created a GroupInfo object. The name property is the parent process ID and the corresponding group are all the child processes.

Each group is then parsed and processed pulling out process information and defining new properties. To get the parent process name I search the saved WMI results looking for a process id that matches the parent process ID I’m checking. If you look back at the Get-WmiObject expression you’ll see I’m taking advantage of the –OutVariable common parameter. The cmdlet’s result is not only passed down the pipeline but also stored in the variable. In this case, $data. When you use –OutVariable just specify the variable name you want to use. You don’t need the $.

For the child processes that are in the group I select a few key properties. $Children will be a collection of custom process objects. This value is used as a property value, among others, in New-Object.

When you run the function, you most likely will notice some parent processes with no name. More than likely this is because the parent process is no longer running.

PS C:\> $r=get-parentprocess

PS C:\Scripts> $r | where {-not $_.parentProcess} | select-object -ExpandProperty Children | Sort Created | format-table –autosize

ProcessID ProcessName               Created
——— ———–               ——-
596 csrss.exe                 5/19/2010 8:51:43 AM

676 wininit.exe               5/19/2010 8:51:44 AM

696 csrss.exe                 5/19/2010 8:51:44 AM

852 winlogon.exe              5/19/2010 8:51:45 AM

3396 explorer.exe              5/19/2010 8:52:39 AM

3988 ToshibaServiceStation.exe 5/19/2010 8:53:07 AM

3564 TWebCamera.exe            5/19/2010 8:53:12 AM

3792 TUSBSleepChargeSrv.exe    5/19/2010 8:53:12 AM

2208 VCDDaemon.exe             5/19/2010 8:53:12 AM

4112 jusched.exe               5/19/2010 8:53:13 AM

4164 vmware-tray.exe           5/19/2010 8:53:14 AM

3656 SWin.exe                  5/19/2010 9:03:57 AM

Even if you don’t have a use for the function, I hope you find some useful scripting techniques.

Update: I’ve been using the PowerShell ISE to create the script files on an x64 platform. The Unicode default can be problematic.  Here is an ANSI version of the file.  I’ll try to remember to stick to ANSI from now on.

3 thoughts on “Get Parent Process

  1. Jeff – Nice function. Good demo of how to build a full function.

    The text file is in unicode format with no line feeds. Very hard to translates on non-64 bit platforms for some reason.

    • The file is created in the PowerShell ISE which I think is Unicode by default. Let me see if I can post an ASCII version.

Comments are closed.