user66001

Reputation: 935

Obtaining process that launched (for instance) iexplore with VBScript/JScript

Is there a way (ideally with a scripting language like VBScript / JScript) to get details of the process that spawned a different program, i.e., in the case when Computrace LoJack launches iexplore to handle communications with the internet?

Upvotes: 1

Views: 2572

Answers (1)

Nilpo

Reputation: 4816

You can use WMI to check the ParentProcessId for the process you are interested in. In the case of "normal" user mode applications, the parent process should be explorer.exe.

' Process whose parent we want to identify
strProcess = "iexplore.exe"
' "." targets the local computer
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colProcesses = objWMIService.ExecQuery("Select * from Win32_Process " _
    & " Where name = '" & strProcess & "'")

' Print the parent process ID of every running instance
For Each objProcess in colProcesses
    WScript.Echo objProcess.ParentProcessId
Next

In the case of Internet Explorer, make sure you check for the ID of IE as well since it will spawn multiple instances of itself. Try something like this:

strProcess = "iexplore.exe"
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

' Collect the process IDs of the expected parents: explorer.exe and IE itself
Set colProcesses = objWMIService.ExecQuery("Select * from Win32_Process " _
    & " Where name = 'explorer.exe' OR name = 'iexplore.exe'")

i = 0
arrIds = Array()
For Each objProcess in colProcesses
    ReDim Preserve arrIds(i)
    arrIds(i) = objProcess.ProcessId
    i = i + 1
Next

' Enumerate every instance of the target process
Set colProcesses = objWMIService.ExecQuery("Select * from Win32_Process " _
    & " Where name = '" & strProcess & "'")

For Each objProcess in colProcesses
    intParentID = objProcess.ParentProcessId

    ' Check whether the parent is one of the expected processes
    blnIsFound = False
    For Each intID in arrIds
        If intID = intParentID Then
            blnIsFound = True
            Exit For
        End If
    Next

    ' Report only instances launched by something else
    If blnIsFound = False Then
        WScript.Echo "Process " & objProcess.ProcessId & " spawned by process " & objProcess.ParentProcessId
    End If
Next

Upvotes: 2
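The following is an added example, not part of the answer above. It goes one step further than printing the parent ID: it resolves each ParentProcessId to the parent's name, path and command line, and compares CreationDate values, because ParentProcessId can point at a process that has exited or at an unrelated process that later reused the same ID. The helper names DescribeParent, IsReusedPid and NullToText are hypothetical.

```vbscript
Option Explicit
Dim strComputer, strProcess, objWMIService, colChildren, objChild

strProcess = "iexplore.exe"
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set colChildren = objWMIService.ExecQuery( _
    "Select * from Win32_Process Where Name = '" & strProcess & "'")

For Each objChild In colChildren
    WScript.Echo "PID " & objChild.ProcessId & " <- " & DescribeParent(objChild)
Next

' Look up the process that currently owns the child's ParentProcessId.
Function DescribeParent(objChild)
    Dim colParents, objParent
    DescribeParent = "parent PID " & objChild.ParentProcessId & " is no longer running"
    Set colParents = objWMIService.ExecQuery( _
        "Select * from Win32_Process Where ProcessId = " & objChild.ParentProcessId)
    For Each objParent In colParents
        If IsReusedPid(objParent, objChild) Then
            DescribeParent = "PID " & objParent.ProcessId & " now belongs to " & _
                objParent.Name & ", which started after the child (ID reused)"
        Else
            DescribeParent = objParent.Name & " (PID " & objParent.ProcessId & ")" & _
                ", path: " & NullToText(objParent.ExecutablePath) & _
                ", command line: " & NullToText(objParent.CommandLine)
        End If
    Next
End Function

' A real parent must have been created before its child.
Function IsReusedPid(objParent, objChild)
    IsReusedPid = False
    If IsNull(objParent.CreationDate) Or IsNull(objChild.CreationDate) Then Exit Function
    ' CIM datetime is yyyymmddHHMMSS.mmmmmm+UUU; the first 21 characters sort
    ' chronologically (assumption: both stamps carry the same UTC offset).
    IsReusedPid = (StrComp(Left(objParent.CreationDate, 21), _
        Left(objChild.CreationDate, 21), vbBinaryCompare) > 0)
End Function

' ExecutablePath and CommandLine are Null when the caller lacks access.
Function NullToText(varValue)
    If IsNull(varValue) Then NullToText = "<not available>" Else NullToText = varValue
End Function
```

Run it with cscript.exe so each result prints to the console instead of a message box; running elevated fills in more of the path and command-line fields.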
