Get Process Owner

I've been working on my second training course for Train Signal on managing Windows Server 2008 with Windows PowerShell, specifically the lesson on managing processes. I thought I'd share a little tidbit I worked out. In fact, I hope you'll stay tuned for other little goodies over the next several weeks. The training video will have a large amount of demonstration and a lot of sample code and scripts. Here's one on finding the owner of a process.

We will need to use WMI for this task. The Win32_Process object has a GetOwner() method which returns an object with properties that reflect the identity of the process owner.

[cc lang="PowerShell"]
PS C:\> (get-wmiobject win32_process -filter "name='Notepad.exe'").GetOwner()

__GENUS : 2
__CLASS : __PARAMETERS
__SUPERCLASS :
__DYNASTY : __PARAMETERS
__RELPATH :
__PROPERTY_COUNT : 3
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
Domain : QUARK
ReturnValue : 0
User : Jeff
[/cc]

Here's how you might structure a PowerShell expression:

[cc lang="PowerShell"]
Get-WMIObject win32_Process -computername $Computername | Foreach {
$owner = $_.GetOwner()
$_ | Add-Member -MemberType "Noteproperty" -name "Owner" -value $("{0}\{1}" -f $owner.Domain, $owner.User) -passthru
} | Select Handle,Name,WorkingSetSize,Owner
[/cc]

Personally, that's a lot to keep re-typing. Although on a side note this would be a good candidate for a format and type extension. Or you could use a script block.

[cc lang="PowerShell"]
$GetOwner={
Param([system.management.managementobject]$wmi)
Process {
$owner=$_.GetOwner()
$_ | Add-Member -MemberType "Noteproperty" -name "Owner" -value $("{0}\{1}" -f $owner.Domain, $owner.User) -passthru
}
}
[/cc]

The script block takes a WMI object as a piped parameter value. Here's how you might use it:

[cc lang="PowerShell"]
get-wmiobject -class win32_process -computername $computername | &$getowner | Select Name,ProcessID,Path,Owner,
@{Name="Computername";Expression={$_.CSName}}
[/cc]

Personally, I find remembering to use the invoke operator (&) a bit cumbersome. So why not create a function?

[cc lang="PowerShell"]
Function Get-ProcessOwner {

[cmdletbinding()]

Param(
[Parameter(Position=0,ValuefromPipeline=$True)]
[ValidateScript({$_.__CLASS -eq "Win32_Process"})]
[System.Management.ManagementObject]$Inputobject
)

Begin {
Write-Verbose "Starting $($myinvocation.mycommand)"
}

Process {
Try {
Write-Verbose ("Process ID {0} {1}" -f $_.processID,$_.name)
$owner=$_.GetOwner()
if ($owner.user) {
#did we get a value back?
$ownername="{0}\{1}" -f $owner.Domain, $owner.User
Write-Verbose ("Adding owner {0}" -f $ownername)
}
else {
$ownername=$null
}
}
Catch {
write-warning "oops"
Write-Warning ("Failed to get an owner for process ID {0} {1}" -f $_.ProcessID,$_.name)
$ownername=$NULL
}
Finally {
$_ | Add-Member -MemberType "Noteproperty" -name "Computername" -value $_.CSName
$_ | Add-Member -MemberType "Noteproperty" -name "Owner" -value $ownername -passthru
}
}

End {
Write-Verbose "Ending $($myinvocation.mycommand)"
}

} #end function
[/cc]

This is essentially the same code as the script block but with some additional features such as verifying the incoming object win a Win32_Process. To use this function, pipe WMI objects to it.

[cc lang="PowerShell"]
PS C:\> get-wmiobject win32_process -comp quark | Get-ProcessOwner | Select Name,ProcessID,Path,Owner,Computername

Name : csrss.exe
ProcessID : 524
Path : C:\Windows\system32\csrss.exe
Owner : NT AUTHORITY\SYSTEM
Computername : QUARK

Name : wininit.exe
ProcessID : 580
Path : C:\Windows\system32\wininit.exe
Owner : NT AUTHORITY\SYSTEM
Computername : QUARK
...
Name : chrome.exe
ProcessID : 5512
Path : C:\Users\Jeff\AppData\Local\Google\Chrome\Application\chrome.exe
Owner : QUARK\Jeff
Computername : QUARK

Name : notepad.exe
ProcessID : 6032
Path : C:\Windows\system32\notepad.exe
Owner : QUARK\Jeff
Computername : QUARK
[/cc]

The download script has comment based help and an optional alias. One more thing, the function requires administrative credentials. Even using Get-ACL requires an elevated session locally.

Download Get-ProcessOwner and let me know what you think.

Update: I've revised this from the original post removing the Get-ACL references. I don't know what I was thinking, perhaps it was just wishful. Anyway, some of the comments might not make sense because of the edit. The bottom line is use WMI to get the process owner.

---

---