Trouble with WMI filter

Question

I've got a notepad.exe started in my session :

gwmi -Query "Select CommandLine from Win32_Process where CommandLine='C:\Windows\system32\notepad.exe'"

gives

Get-WmiObject : Demande non valide
Au niveau de ligne : 1 Caractère : 5
+ gwmi <<<<  -Query "Select CommandLine from Win32_Process where CommandLine='C:\Windows\system32\notepad.exe'"
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

I test :

gwmi -Query "Select CommandLine from Win32_Process where CommandLine='C:\\Windows\\system32\\notepad.exe'"

It gives nothing

gwmi -Query "Select CommandLine from Win32_Process where CommandLine LIKE '%C:\\Windows\\system32\\notepad.exe%'"

Works perfectly

__GENUS          : 2
__CLASS          : Win32_Process
__SUPERCLASS     :
__DYNASTY        :
__RELPATH        :
__PROPERTY_COUNT : 1
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
CommandLine      : "C:\Windows\system32\notepad.exe"

Perhaps it's a trouble with wildcards caracters between PowerShell and WMI, but anyone can help me make filter CommandLine='C:\Windows\system32\notepad.exe' working

Answer 1

Get-Process | ? {$_.Path -eq 'C:\Windows\system32\notepad.exe'}

Get-Process | ? {$_.processname -eq 'notepad'}

Answer 2

You need to include the quotes, but as I can't recall how to escape them in WQL, I would do it in PSH:

gwmi -class Win32_Process -filter "CommandLine like '`"C:\\Windows\\system32\\notepad.exe`"'"

Filter expression is in double quotes, with the string argument to LIKE in single quotes. The double quotes that are part of that argument need to be quoted from PowerShell.

Answer 3

The value of the CommandLine property contains quotes, so they need to be escaped as well.

A working, but horrible string is:

gwmi -Query "Select * from Win32_Process where CommandLine = '`"c:\\windows\\system32\\notepad.exe`"'"