Skip to content
Menu
The Lonely Administrator
  • PowerShell Tips & Tricks
  • Books & Training
  • Essential PowerShell Learning Resources
  • Privacy Policy
  • About Me
The Lonely Administrator

Get Process Owner

Posted on August 25, 2011August 27, 2011

I've been working on my second training course for Train Signal on managing Windows Server 2008 with Windows PowerShell, specifically the lesson on managing processes. I thought I'd share a little tidbit I worked out. In fact, I hope you'll stay tuned for other little goodies over the next several weeks. The training video will have a large amount of demonstration and a lot of sample code and scripts. Here's one on finding the owner of a process.

Manage and Report Active Directory, Exchange and Microsoft 365 with
ManageEngine ADManager Plus - Download Free Trial

Exclusive offer on ADManager Plus for US and UK regions. Claim now!

We will need to use WMI for this task. The Win32_Process object has a GetOwner() method which returns an object with properties that reflect the identity of the process owner.

[cc lang="PowerShell"]
PS C:\> (get-wmiobject win32_process -filter "name='Notepad.exe'").GetOwner()

__GENUS : 2
__CLASS : __PARAMETERS
__SUPERCLASS :
__DYNASTY : __PARAMETERS
__RELPATH :
__PROPERTY_COUNT : 3
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
Domain : QUARK
ReturnValue : 0
User : Jeff
[/cc]

Here's how you might structure a PowerShell expression:

[cc lang="PowerShell"]
Get-WMIObject win32_Process -computername $Computername | Foreach {
$owner = $_.GetOwner()
$_ | Add-Member -MemberType "Noteproperty" -name "Owner" -value $("{0}\{1}" -f $owner.Domain, $owner.User) -passthru
} | Select Handle,Name,WorkingSetSize,Owner
[/cc]

Personally, that's a lot to keep re-typing. Although on a side note this would be a good candidate for a format and type extension. Or you could use a script block.

[cc lang="PowerShell"]
$GetOwner={
Param([system.management.managementobject]$wmi)
Process {
$owner=$_.GetOwner()
$_ | Add-Member -MemberType "Noteproperty" -name "Owner" -value $("{0}\{1}" -f $owner.Domain, $owner.User) -passthru
}
}
[/cc]

The script block takes a WMI object as a piped parameter value. Here's how you might use it:

[cc lang="PowerShell"]
get-wmiobject -class win32_process -computername $computername | &$getowner | Select Name,ProcessID,Path,Owner,
@{Name="Computername";Expression={$_.CSName}}
[/cc]

Personally, I find remembering to use the invoke operator (&) a bit cumbersome. So why not create a function?

[cc lang="PowerShell"]
Function Get-ProcessOwner {

[cmdletbinding()]

Param(
[Parameter(Position=0,ValuefromPipeline=$True)]
[ValidateScript({$_.__CLASS -eq "Win32_Process"})]
[System.Management.ManagementObject]$Inputobject
)

Begin {
Write-Verbose "Starting $($myinvocation.mycommand)"
}

Process {
Try {
Write-Verbose ("Process ID {0} {1}" -f $_.processID,$_.name)
$owner=$_.GetOwner()
if ($owner.user) {
#did we get a value back?
$ownername="{0}\{1}" -f $owner.Domain, $owner.User
Write-Verbose ("Adding owner {0}" -f $ownername)
}
else {
$ownername=$null
}
}
Catch {
write-warning "oops"
Write-Warning ("Failed to get an owner for process ID {0} {1}" -f $_.ProcessID,$_.name)
$ownername=$NULL
}
Finally {
$_ | Add-Member -MemberType "Noteproperty" -name "Computername" -value $_.CSName
$_ | Add-Member -MemberType "Noteproperty" -name "Owner" -value $ownername -passthru
}
}

End {
Write-Verbose "Ending $($myinvocation.mycommand)"
}

} #end function
[/cc]

This is essentially the same code as the script block but with some additional features such as verifying the incoming object win a Win32_Process. To use this function, pipe WMI objects to it.

[cc lang="PowerShell"]
PS C:\> get-wmiobject win32_process -comp quark | Get-ProcessOwner | Select Name,ProcessID,Path,Owner,Computername

Name : csrss.exe
ProcessID : 524
Path : C:\Windows\system32\csrss.exe
Owner : NT AUTHORITY\SYSTEM
Computername : QUARK

Name : wininit.exe
ProcessID : 580
Path : C:\Windows\system32\wininit.exe
Owner : NT AUTHORITY\SYSTEM
Computername : QUARK
...
Name : chrome.exe
ProcessID : 5512
Path : C:\Users\Jeff\AppData\Local\Google\Chrome\Application\chrome.exe
Owner : QUARK\Jeff
Computername : QUARK

Name : notepad.exe
ProcessID : 6032
Path : C:\Windows\system32\notepad.exe
Owner : QUARK\Jeff
Computername : QUARK
[/cc]

The download script has comment based help and an optional alias. One more thing, the function requires administrative credentials. Even using Get-ACL requires an elevated session locally.

Download Get-ProcessOwner and let me know what you think.

Update: I've revised this from the original post removing the Get-ACL references. I don't know what I was thinking, perhaps it was just wishful. Anyway, some of the comments might not make sense because of the edit. The bottom line is use WMI to get the process owner.


Behind the PowerShell Pipeline

Share this:

  • Click to share on X (Opens in new window) X
  • Click to share on Facebook (Opens in new window) Facebook
  • Click to share on Mastodon (Opens in new window) Mastodon
  • Click to share on LinkedIn (Opens in new window) LinkedIn
  • Click to share on Pocket (Opens in new window) Pocket
  • Click to share on Reddit (Opens in new window) Reddit
  • Click to print (Opens in new window) Print
  • Click to email a link to a friend (Opens in new window) Email

Like this:

Like Loading...

Related

3 thoughts on “Get Process Owner”

  1. Ivan says:
    August 25, 2011 at 7:50 pm

    But this code
    get-process notepad | get-acl | select owner
    returns process’s executable file owner, not a user which started the process..

    1. Jeffery Hicks says:
      August 25, 2011 at 9:01 pm

      Sure. Now that you say it that makes sense.

      1. Ivan says:
        August 27, 2011 at 12:07 am

        Yep.. read post carelessly.

Comments are closed.

reports

Powered by Buttondown.

Join me on Mastodon

The PowerShell Practice Primer
Learn PowerShell in a Month of Lunches Fourth edition


Get More PowerShell Books

Other Online Content

github



PluralSightAuthor

Active Directory ADSI Automation Backup Books CIM CLI conferences console Friday Fun FridayFun Function functions Get-WMIObject GitHub hashtable HTML Hyper-V Iron Scripter ISE Measure-Object module modules MrRoboto new-object objects Out-Gridview Pipeline PowerShell PowerShell ISE Profile prompt Registry Regular Expressions remoting SAPIEN ScriptBlock Scripting Techmentor Training VBScript WMI WPF Write-Host xml

©2025 The Lonely Administrator | Powered by SuperbThemes!
%d