{"id":658,"date":"2010-05-21T10:04:45","date_gmt":"2010-05-21T15:04:45","guid":{"rendered":"http:\/\/jdhitsolutions.com\/blog\/2010\/05\/get-parent-process\/"},"modified":"2010-05-21T14:35:16","modified_gmt":"2010-05-21T19:35:16","slug":"get-parent-process","status":"publish","type":"post","link":"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/","title":{"rendered":"Get Parent Process"},"content":{"rendered":"

\"parent-child\"<\/a> Recently I helping out on a post in the forums at ScriptingAnswers.com<\/a>. The question centered around identifying processes on a computer and their parent process. There are many ways you could slice and dice this problem using WMI and Get-WmiObject<\/a>. Getting the parent process ID is pretty simple, but going backwards from there to identify the parent process takes a little PowerShell jujitsu.<\/p>\n

Because I love objects (geeky, I know), one angle I pursued created a custom object for each parent process. The object included a few key (at least to me) properties as well as a property that held an array of all child processes.<\/p>\n

Here\u2019s an example.<\/p>\n

ParentID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 916
\nChildren\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {@{ProcessID=4068; ProcessName=Moe.exe; Description=Moe.exe
\n; Created=5\/19\/2010 8:52:59 AM}, @{ProcessID=4716; ProcessN
\name=SkypeNames2.exe; Description=SkypeNames2.exe; Created=5
\n\/20\/2010 8:13:47 AM}, @{ProcessID=1600; ProcessName=VBoxSVC
\n.exe; Description=VBoxSVC.exe; Created=5\/20\/2010 11:59:31 A
\nM}, @{ProcessID=6828; ProcessName=WmiPrvSE.exe; Description
\n=WmiPrvSE.exe; Created=5\/21\/2010 7:57:22 AM}}
\nNumberofChildren\u00a0 : 4
\nParentCreated\u00a0\u00a0\u00a0\u00a0 : 5\/19\/2010 8:51:46 AM
\nParentProcess\u00a0\u00a0\u00a0\u00a0 : svchost.exe
\nComputername\u00a0\u00a0\u00a0\u00a0\u00a0 : SERENITY
\n<\/span><\/p>\n

To get here, I called a function I wrote called Get-ParentProcess.<\/p>\n

function<\/span> Get-ParentProcess<\/span> {<\/span>\r\n    #requires -version 2.0<\/span>                       \r\n\r\n    [<\/span>cmdletBinding<\/span>(<\/span>)<\/span>]<\/span>            \r\n\r\n    Param<\/span>(<\/span>\r\n        [<\/span>Parameter<\/span>(<\/span>Position<\/span>=<\/span>0<\/span>,<\/span>ValueFromPipeline<\/span>=<\/span>$True<\/span>,<\/span><\/pre>\n
                   <\/span>HelpMessage<\/span>=<\/span>\"Enter a computername\"<\/span>)<\/span>]<\/span>\r\n        [string[]]<\/span>$computername<\/span>=<\/span>$env:computername<\/span>)<\/span>            \r\n\r\n    Begin<\/span> {<\/span>\r\n      write-verbose<\/span> \"Starting $($myinvocation.mycommand)\"<\/span>\r\n      #capture some performance metrics<\/span>\r\n      $start<\/span>=<\/span>Get-Date<\/span>\r\n      $total<\/span>=<\/span>0<\/span>\r\n    }<\/span>\r\n    Process<\/span> {<\/span>                \r\n\r\n
foreach<\/span> (<\/span>$computer<\/span> in<\/span> $computername<\/span>)<\/span> {<\/span>\r\n        Write-Verbose<\/span> \"Testing $computer\"<\/span>\r\n        if<\/span> (<\/span>Test-Connection<\/span> -ComputerName<\/span> $computer<\/span> -quiet<\/span>)<\/span> {<\/span>\r\n            #only process if ping returns true<\/span>\r\n            Write-Verbose<\/span> \"Connecting to $computer\"<\/span>            \r\n\r\n            Get-WmiObject<\/span> -Class<\/span> win32_process<\/span> -ComputerName<\/span> $computer<\/span> `<\/pre>\n
            -outvariable<\/span> data<\/span> |<\/span>\r\n            Sort-Object<\/span> -Property<\/span> ParentProcessID<\/span> |<\/span>\r\n            Group-Object<\/span> -Property<\/span> ParentProcessID<\/span>  |<\/span> foreach<\/span> {<\/span>            \r\n\r\n             $ParentID<\/span>=<\/span>$_<\/span>.<\/span>Name<\/span>\r\n             $ParentProcess<\/span>=<\/span>$data<\/span> |<\/span> where<\/span> {<\/span>$_<\/span>.<\/span>processID<\/span> -eq<\/span> $parentID<\/span>}<\/span>\r\n             if<\/span> (<\/span>-not<\/span> $parentProcess<\/span>)<\/span> {<\/span>\r\n                write-verbose<\/span> \"nothing found for $parentID\"<\/span>\r\n             }<\/span>            \r\n\r\n             Write-Verbose<\/span> \"Parent process $($parentProcess.name)\"<\/span>            \r\n\r\n             #convert creationdate to a friendly format if found<\/span>\r\n             if<\/span> (<\/span>$parentProcess<\/span>.<\/span>CreationDate<\/span>)<\/span> {<\/span>\r\n               $ParentCreation<\/span>=`<\/span><\/pre>\n
           <\/span>$ParentProcess<\/span>.<\/span>ConvertToDateTime<\/span>(<\/span>$parentProcess<\/span>.<\/span>CreationDate<\/span>)<\/span>\r\n             }<\/span>\r\n             else<\/span> {<\/span>\r\n               $ParentCreation<\/span>=<\/span>$null<\/span>\r\n             }<\/span>\r\n             #use computername from process object if it exists, <\/span>\r\n             #otherwise use the value from $computer<\/span>\r\n             if<\/span> (<\/span>$parentProcess<\/span>.<\/span>CSName<\/span>)<\/span> {<\/span>\r\n               $ParentComputerName<\/span>=<\/span>$parentProcess<\/span>.<\/span>CSName<\/span>\r\n             }<\/span>\r\n             else<\/span> {<\/span>\r\n                $ParentComputerName<\/span>=<\/span>$computer<\/span>\r\n             }<\/span>            \r\n\r\n             $NumberChildren<\/span>=<\/span>$_<\/span>.<\/span>group<\/span>.<\/span>count<\/span>\r\n             Write-Verbose<\/span> \"Found $NumberChildren child process(es)\"<\/span>\r\n             $Children<\/span>=<\/span>$_<\/span>.<\/span>group<\/span> |<\/span>\r\n              Select<\/span> -property<\/span> ProcessID<\/span>,<\/span>ProcessName<\/span>,<\/span>`\r\n<\/span>              @{<\/span>Name<\/span>=<\/span>\"Created\"<\/span>;<\/span>\r\n              Expression<\/span>=<\/span>{<\/span>$_<\/span>.<\/span>ConvertToDateTime<\/span>(<\/span>$_<\/span>.<\/span>CreationDate<\/span>)<\/span>}<\/span>}<\/span>            \r\n\r\n             Write-Verbose<\/span> \"Creating custom object\"<\/span>\r\n             New-Object<\/span> PSObject<\/span> -Property<\/span> @{<\/span>\r\n                Computername<\/span>=<\/span>$ParentComputerName<\/span>\r\n                ParentID<\/span>=<\/span>$ParentID<\/span>\r\n                ParentProcess<\/span>=<\/span>$ParentProcess<\/span>.<\/span>Name<\/span>\r\n                ParentCreated<\/span>=<\/span>$ParentCreation<\/span>\r\n                NumberofChildren<\/span>=<\/span>$NumberChildren<\/span>\r\n                Children<\/span>=<\/span>$Children<\/span>\r\n             }<\/span>\r\n           }<\/span> #end foreach<\/span>\r\n      }<\/span> #end if Test-Connection<\/span>\r\n      else<\/span> {<\/span>\r\n        Write-Warning<\/span> \"Failed to connect to $computer\"<\/span>\r\n      }<\/span>\r\n       $total<\/span>+=<\/span>$data<\/span>.<\/span>count<\/span>\r\n   }<\/span> #end foreach $computer<\/span><\/pre>\n
}<\/span>#Process<\/span>
\nEnd<\/span> {<\/span><\/p>\n
$finish<\/span>=<\/span>Get-Date<\/span><\/p>\n
\n
\r\n
     $msg<\/span>=<\/span>\"Processed {0} processes from {1} computers in {2}\"<\/span> -f<\/span> `<\/pre>\n
        $total<\/span>,<\/span>$computername<\/span>.<\/span>count<\/span>,<\/span>(<\/span>$finish<\/span>-<\/span>$start<\/span>)<\/span>\r\n     write-verbose<\/span> $msg<\/span><\/pre>\n<\/blockquote>\n
       write-verbose<\/span> \"Ending $($myinvocation.mycommand)\"<\/span>\r\n   }<\/span>\r\n}<\/span> #end Function<\/span><\/pre>\n
This is an advanced function so it requires PowerShell 2.0. The actual function includes comment based help. I\u2019ve omitted here.<\/p>\n
The function takes a computername as a parameter, defaulting to the local computer. You can pipe names to the function as well. Here\u2019s what happens when you connect to the remote computer using Get-WmiObject.\u00a0 The collection of Win32_Process objects is sorted by the ParentProcessID and then piped to Group-Object<\/a>. This created a GroupInfo object. The name property is the parent process ID and the corresponding group are all the child processes.<\/p>\n
Each group is then parsed and processed pulling out process information and defining new properties. To get the parent process name I search the saved WMI results looking for a process id that matches the parent process ID I\u2019m checking. If you look back at the Get-WmiObject expression you\u2019ll see I\u2019m taking advantage of the \u2013OutVariable common parameter. The cmdlet\u2019s result is not only passed down the pipeline but also stored in the variable. In this case, $data. When you use \u2013OutVariable just specify the variable name you want to use. You don\u2019t need the $.<\/p>\n
For the child processes that are in the group I select a few key properties. $Children will be a collection of custom process objects. This value is used as a property value, among others, in New-Object<\/a>.<\/p>\n
When you run the function, you most likely will notice some parent processes with no name. More than likely this is because the parent process is no longer running.<\/p>\n
PS C:\\> $r=get-parentprocess<\/span><\/p>\n
PS C:\\Scripts> $r | where {-not $_.parentProcess} | select-object -ExpandProperty Children | Sort Created | format-table \u2013autosize<\/span><\/p>\n
ProcessID ProcessName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Created
\n--------- -----------\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -------
\n596 csrss.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5\/19\/2010 8:51:43 AM <\/span><\/p>\n
 676 wininit.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5\/19\/2010 8:51:44 AM <\/span><\/p>\n
 696 csrss.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5\/19\/2010 8:51:44 AM <\/span><\/p>\n
 852 winlogon.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5\/19\/2010 8:51:45 AM <\/span><\/p>\n
 3396 explorer.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5\/19\/2010 8:52:39 AM <\/span><\/p>\n
 3988 ToshibaServiceStation.exe 5\/19\/2010 8:53:07 AM <\/span><\/p>\n
 3564 TWebCamera.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5\/19\/2010 8:53:12 AM <\/span><\/p>\n
 3792 TUSBSleepChargeSrv.exe\u00a0\u00a0\u00a0 5\/19\/2010 8:53:12 AM <\/span><\/p>\n
 2208 VCDDaemon.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5\/19\/2010 8:53:12 AM <\/span><\/p>\n
 4112 jusched.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5\/19\/2010 8:53:13 AM <\/span><\/p>\n
 4164 vmware-tray.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5\/19\/2010 8:53:14 AM <\/span><\/p>\n
 3656 SWin.exe\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5\/19\/2010 9:03:57 AM<\/span><\/p>\n
Even if you don\u2019t have a use for the function, I hope you find some useful scripting techniques.<\/p>\n
\n
Download Get-ParentProcess.ps1<\/a><\/div>\n
<\/div>\n
Update<\/strong><\/span>: I've been using the PowerShell ISE to create the script files on an x64 platform. The Unicode default can be problematic.\u00a0 Here is an ANSI version of the file<\/a>.\u00a0 I'll try to remember to stick to ANSI from now on.<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
Recently I helping out on a post in the forums at ScriptingAnswers.com. The question centered around identifying processes on a computer and their parent process. There are many ways you could slice and dice this problem using WMI and Get-WmiObject. Getting the parent process ID is pretty simple, but going backwards from there to identify…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[75,8,19],"tags":[32,103,190,192,534,191,547],"class_list":["post-658","post","type-post","status-publish","format-standard","hentry","category-powershell-v2-0","category-scripting","category-wmi","tag-functions","tag-get-wmiobject","tag-new-object","tag-outvariable","tag-powershell","tag-win32_process","tag-wmi"],"yoast_head":"\nGet Parent Process • The Lonely Administrator<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Get Parent Process • The Lonely Administrator\" \/>\n<meta property=\"og:description\" content=\"Recently I helping out on a post in the forums at ScriptingAnswers.com. The question centered around identifying processes on a computer and their parent process. There are many ways you could slice and dice this problem using WMI and Get-WmiObject. Getting the parent process ID is pretty simple, but going backwards from there to identify...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/\" \/>\n<meta property=\"og:site_name\" content=\"The Lonely Administrator\" \/>\n<meta property=\"article:published_time\" content=\"2010-05-21T15:04:45+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2010-05-21T19:35:16+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2010\/05\/parentchild_thumb.png\" \/>\n<meta name=\"author\" content=\"Jeffery Hicks\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@JeffHicks\" \/>\n<meta name=\"twitter:site\" content=\"@JeffHicks\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jeffery Hicks\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/scripting\\\/658\\\/get-parent-process\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/scripting\\\/658\\\/get-parent-process\\\/\"},\"author\":{\"name\":\"Jeffery Hicks\",\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/#\\\/schema\\\/person\\\/d0258030b41f07fd745f4078bdf5b6c9\"},\"headline\":\"Get Parent Process\",\"datePublished\":\"2010-05-21T15:04:45+00:00\",\"dateModified\":\"2010-05-21T19:35:16+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/scripting\\\/658\\\/get-parent-process\\\/\"},\"wordCount\":562,\"commentCount\":3,\"publisher\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/#\\\/schema\\\/person\\\/d0258030b41f07fd745f4078bdf5b6c9\"},\"image\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/scripting\\\/658\\\/get-parent-process\\\/#primaryimage\"},\"thumbnailUrl\":\"http:\\\/\\\/jdhitsolutions.com\\\/blog\\\/wp-content\\\/uploads\\\/2010\\\/05\\\/parentchild_thumb.png\",\"keywords\":[\"functions\",\"Get-WMIObject\",\"new-object\",\"outvariable\",\"PowerShell\",\"Win32_process\",\"WMI\"],\"articleSection\":[\"PowerShell v2.0\",\"Scripting\",\"WMI\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/scripting\\\/658\\\/get-parent-process\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/scripting\\\/658\\\/get-parent-process\\\/\",\"url\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/scripting\\\/658\\\/get-parent-process\\\/\",\"name\":\"Get Parent Process • The Lonely Administrator\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/scripting\\\/658\\\/get-parent-process\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/scripting\\\/658\\\/get-parent-process\\\/#primaryimage\"},\"thumbnailUrl\":\"http:\\\/\\\/jdhitsolutions.com\\\/blog\\\/wp-content\\\/uploads\\\/2010\\\/05\\\/parentchild_thumb.png\",\"datePublished\":\"2010-05-21T15:04:45+00:00\",\"dateModified\":\"2010-05-21T19:35:16+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/scripting\\\/658\\\/get-parent-process\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/scripting\\\/658\\\/get-parent-process\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/scripting\\\/658\\\/get-parent-process\\\/#primaryimage\",\"url\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/wp-content\\\/uploads\\\/2010\\\/05\\\/parentchild_thumb.png\",\"contentUrl\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/wp-content\\\/uploads\\\/2010\\\/05\\\/parentchild_thumb.png\",\"width\":\"111\",\"height\":\"109\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/scripting\\\/658\\\/get-parent-process\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"PowerShell v2.0\",\"item\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/category\\\/powershell-v2-0\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Get Parent Process\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/\",\"name\":\"The Lonely Administrator\",\"description\":\"Practical Advice for the Automating IT Pro\",\"publisher\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/#\\\/schema\\\/person\\\/d0258030b41f07fd745f4078bdf5b6c9\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/#\\\/schema\\\/person\\\/d0258030b41f07fd745f4078bdf5b6c9\",\"name\":\"Jeffery Hicks\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/832ae5d438fdcfc1420d720cd1991307927de8a0b12f2342e81c30f773e21098?s=96&d=wavatar&r=pg\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/832ae5d438fdcfc1420d720cd1991307927de8a0b12f2342e81c30f773e21098?s=96&d=wavatar&r=pg\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/832ae5d438fdcfc1420d720cd1991307927de8a0b12f2342e81c30f773e21098?s=96&d=wavatar&r=pg\",\"caption\":\"Jeffery Hicks\"},\"logo\":{\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/832ae5d438fdcfc1420d720cd1991307927de8a0b12f2342e81c30f773e21098?s=96&d=wavatar&r=pg\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Get Parent Process • The Lonely Administrator","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/","og_locale":"en_US","og_type":"article","og_title":"Get Parent Process • The Lonely Administrator","og_description":"Recently I helping out on a post in the forums at ScriptingAnswers.com. The question centered around identifying processes on a computer and their parent process. There are many ways you could slice and dice this problem using WMI and Get-WmiObject. Getting the parent process ID is pretty simple, but going backwards from there to identify...","og_url":"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/","og_site_name":"The Lonely Administrator","article_published_time":"2010-05-21T15:04:45+00:00","article_modified_time":"2010-05-21T19:35:16+00:00","og_image":[{"url":"http:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2010\/05\/parentchild_thumb.png","type":"","width":"","height":""}],"author":"Jeffery Hicks","twitter_card":"summary_large_image","twitter_creator":"@JeffHicks","twitter_site":"@JeffHicks","twitter_misc":{"Written by":"Jeffery Hicks","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/#article","isPartOf":{"@id":"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/"},"author":{"name":"Jeffery Hicks","@id":"https:\/\/jdhitsolutions.com\/blog\/#\/schema\/person\/d0258030b41f07fd745f4078bdf5b6c9"},"headline":"Get Parent Process","datePublished":"2010-05-21T15:04:45+00:00","dateModified":"2010-05-21T19:35:16+00:00","mainEntityOfPage":{"@id":"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/"},"wordCount":562,"commentCount":3,"publisher":{"@id":"https:\/\/jdhitsolutions.com\/blog\/#\/schema\/person\/d0258030b41f07fd745f4078bdf5b6c9"},"image":{"@id":"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/#primaryimage"},"thumbnailUrl":"http:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2010\/05\/parentchild_thumb.png","keywords":["functions","Get-WMIObject","new-object","outvariable","PowerShell","Win32_process","WMI"],"articleSection":["PowerShell v2.0","Scripting","WMI"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/","url":"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/","name":"Get Parent Process • The Lonely Administrator","isPartOf":{"@id":"https:\/\/jdhitsolutions.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/#primaryimage"},"image":{"@id":"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/#primaryimage"},"thumbnailUrl":"http:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2010\/05\/parentchild_thumb.png","datePublished":"2010-05-21T15:04:45+00:00","dateModified":"2010-05-21T19:35:16+00:00","breadcrumb":{"@id":"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/#primaryimage","url":"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2010\/05\/parentchild_thumb.png","contentUrl":"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2010\/05\/parentchild_thumb.png","width":"111","height":"109"},{"@type":"BreadcrumbList","@id":"https:\/\/jdhitsolutions.com\/blog\/scripting\/658\/get-parent-process\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"PowerShell v2.0","item":"https:\/\/jdhitsolutions.com\/blog\/category\/powershell-v2-0\/"},{"@type":"ListItem","position":2,"name":"Get Parent Process"}]},{"@type":"WebSite","@id":"https:\/\/jdhitsolutions.com\/blog\/#website","url":"https:\/\/jdhitsolutions.com\/blog\/","name":"The Lonely Administrator","description":"Practical Advice for the Automating IT Pro","publisher":{"@id":"https:\/\/jdhitsolutions.com\/blog\/#\/schema\/person\/d0258030b41f07fd745f4078bdf5b6c9"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jdhitsolutions.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/jdhitsolutions.com\/blog\/#\/schema\/person\/d0258030b41f07fd745f4078bdf5b6c9","name":"Jeffery Hicks","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/832ae5d438fdcfc1420d720cd1991307927de8a0b12f2342e81c30f773e21098?s=96&d=wavatar&r=pg","url":"https:\/\/secure.gravatar.com\/avatar\/832ae5d438fdcfc1420d720cd1991307927de8a0b12f2342e81c30f773e21098?s=96&d=wavatar&r=pg","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/832ae5d438fdcfc1420d720cd1991307927de8a0b12f2342e81c30f773e21098?s=96&d=wavatar&r=pg","caption":"Jeffery Hicks"},"logo":{"@id":"https:\/\/secure.gravatar.com\/avatar\/832ae5d438fdcfc1420d720cd1991307927de8a0b12f2342e81c30f773e21098?s=96&d=wavatar&r=pg"}}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":636,"url":"https:\/\/jdhitsolutions.com\/blog\/scripting\/636\/select-wmi\/","url_meta":{"origin":658,"position":0},"title":"Select WMI","author":"Jeffery Hicks","date":"May 13, 2010","format":false,"excerpt":"I\u2019ve been helping out on some WMI and PowerShell issues in the forums at ScriptingAnswers.com. As I was working on a problem I ended up taking a slight detour to address an issue that has always bugged me. When I run a command like this: get-wmiobject -query \"Select Name,Description,Disabled from\u2026","rel":"","context":"In "PowerShell v2.0"","block_context":{"text":"PowerShell v2.0","link":"https:\/\/jdhitsolutions.com\/blog\/category\/powershell-v2-0\/"},"img":{"alt_text":"selectwmi","src":"https:\/\/i0.wp.com\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2010\/05\/selectwmi-300x89.png?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":654,"url":"https:\/\/jdhitsolutions.com\/blog\/powershell\/654\/new-wmi-object\/","url_meta":{"origin":658,"position":1},"title":"New WMI Object","author":"Jeffery Hicks","date":"May 17, 2010","format":false,"excerpt":"I have one more variation on my recent theme of working with WMI objects. I wanted to come up with something flexible and re-usable where you could specify a WMI class and some properties and get a custom object with all the classes combined. My solution is a function called\u2026","rel":"","context":"In "PowerShell"","block_context":{"text":"PowerShell","link":"https:\/\/jdhitsolutions.com\/blog\/category\/powershell\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1625,"url":"https:\/\/jdhitsolutions.com\/blog\/powershell\/1625\/get-process-owner\/","url_meta":{"origin":658,"position":2},"title":"Get Process Owner","author":"Jeffery Hicks","date":"August 25, 2011","format":false,"excerpt":"I've been working on my second training course for Train Signal on managing Windows Server 2008 with Windows PowerShell, specifically the lesson on managing processes. I thought I'd share a little tidbit I worked out. In fact, I hope you'll stay tuned for other little goodies over the next several\u2026","rel":"","context":"In "PowerShell"","block_context":{"text":"PowerShell","link":"https:\/\/jdhitsolutions.com\/blog\/category\/powershell\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8541,"url":"https:\/\/jdhitsolutions.com\/blog\/powershell\/8541\/getting-ciminstance-by-path\/","url_meta":{"origin":658,"position":3},"title":"Getting CIMInstance by Path","author":"Jeffery Hicks","date":"August 20, 2021","format":false,"excerpt":"I am a member of the PowerShell Cmdlet Working Group. We've been looking into this issue and it is an intriguing one. Enough so that I spent some time looking into it and writing up some test code. If you work with WMI\/CIM this might be of interest to you.\u2026","rel":"","context":"In "PowerShell"","block_context":{"text":"PowerShell","link":"https:\/\/jdhitsolutions.com\/blog\/category\/powershell\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/08\/add-ciminstancepath2.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/08\/add-ciminstancepath2.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/08\/add-ciminstancepath2.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/08\/add-ciminstancepath2.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":2241,"url":"https:\/\/jdhitsolutions.com\/blog\/powershell\/2241\/skipping-wmi-system-properties-in-powershell\/","url_meta":{"origin":658,"position":4},"title":"Skipping WMI System Properties in PowerShell","author":"Jeffery Hicks","date":"April 25, 2012","format":false,"excerpt":"One of my favorite techniques when using WMI in PowerShell is to pipe an object to Select-Object and select all properties. Try this: get-wmiobject win32_bios | select * It works, but it also gets all of the system properties like __PATH which I rarely care about. I also get other\u2026","rel":"","context":"In "PowerShell"","block_context":{"text":"PowerShell","link":"https:\/\/jdhitsolutions.com\/blog\/category\/powershell\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1687,"url":"https:\/\/jdhitsolutions.com\/blog\/powershell\/1687\/filter-left\/","url_meta":{"origin":658,"position":5},"title":"Filter Left","author":"Jeffery Hicks","date":"October 14, 2011","format":false,"excerpt":"When writing WMI queries expressions in Windows PowerShell, it is recommended to use WMI filtering, as opposed to getting objects and then filtering with Where-Object. I see expressions like this quite often: [cc lang=\"PowerShell\"] get-wmiobject win32_process -computer $c | where {$_.name -eq \"notepad.exe\"} [\/cc] In this situation, ALL process objects\u2026","rel":"","context":"In "Best Practices"","block_context":{"text":"Best Practices","link":"https:\/\/jdhitsolutions.com\/blog\/category\/best-practices\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2011\/10\/talkbubble.png?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/posts\/658","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/comments?post=658"}],"version-history":[{"count":0,"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/posts\/658\/revisions"}],"wp:attachment":[{"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/media?parent=658"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/categories?post=658"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/tags?post=658"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}