Reputation: 8105
Given a process ID & command-line access on a remote Windows host, how can you find its parent's PID?
Given Marc B's answer, we can use WMIC (Command samples here) and do something like this:
wmic process where (processid=PROCID_HERE) get parentprocessid
Upvotes: 60
Views: 110539
Reputation: 336
Or you can do something like this in PowerShell:
Get-CimInstance -className win32_process | where-object {$_.ProcessId -eq processId_goes_here } | select ParentProcessId, Name
as well you can filter by name just substitute $_.ProcessId
with $_.Name
property
Upvotes: 4
Reputation: 187
In powershell:
PS> wmic process where '(processid=4632)' get 'processid,parentprocessid,executablepath'
ExecutablePath ParentProcessId ProcessId
C:\Program Files\Docker\Docker\Resources\com.docker.db.exe 4488 4632
Upvotes: 13
Reputation: 31407
Based on joslinm's solution in the question, here's a snippet of how to use this in a batch script:
set PID=<this is the child process ID>
for /f "usebackq tokens=2 delims==" %%a in (`wmic process where ^(processid^=%PID%^) get parentprocessid /value`) do (
set PARENT_PID=%%a
)
Upvotes: 8
Reputation: 360562
C:\> wmic process get processid,parentprocessid,executablepath|find "process id goes here"
Upvotes: 76