I have the following in a text file:

```
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
abc.exe                       9152 Console                    1     14,988 K
abc.exe                       7964 Console                    1     89,188 K
```

The important thing to note is that both the processes have the same name (abc.exe). Now I need to filter the PID of only one of the processes. I am thinking of outputting the contents of tasklist onto the text file and then filtering the PID from the line I want. How do I go about doing this, preferably using PowerShell scripting? I am thinking regular expressions but can't get the exact result I want. This is the relationship between the two processes:

```
Parent.exe
 ->abc.exe
   ->abc.exe
```
ssn
  • How do you determine which one you want? By the PID? Is it different every time? The one using the most memory? What do you mean when you say you want to 'filter' the PID? Can you give us a sample expected output? – Tadgh Sep 24 '12 at 23:35
  • I have added the relationship between the processes in the description itself as it is more pictorial than just Parent.exe ->abc.exe ->abc.exe – ssn Sep 24 '12 at 23:41
  • Is it safe to assume the higher PID is the grandchild or no? Alternatively, could you not simply grab the parentProcessID as per [here](http://stackoverflow.com/questions/7486717/finding-parent-process-id-on-windows) and compare it against the other line? – Tadgh Sep 24 '12 at 23:49
  • No, the assumption that the parent has the higher PID is not valid at all times. – ssn Sep 24 '12 at 23:56
  • Or even if there is a way to find the PID of the grandchild process of Parent.exe, that would work. But I am not aware of any. – ssn Sep 25 '12 at 00:00
  • Then your input file does not provide sufficient information to determine the parent-child relationship between the processes. – Ansgar Wiechers Sep 25 '12 at 00:01
  • Indeed. Getting the child PID is not easy after the fact as a parent may fork multiple children. Did you look at the link I threw there? To get parent PID? If you can do that, then it is trivial to compare it to the other instance of abc.exe, and if it matches, then you're good to go. If it doesn't match, then the other instance is the grandchild – Tadgh Sep 25 '12 at 00:11
  • But even to do that, I need the process ID of the child to get the process ID of the parent. If I have the process ID of the child already, I don't need to find the parent process ID in the first place. – ssn Sep 25 '12 at 00:16
  • No no no, what I'm saying is you test an arbitrary PID of one of the abc.exe. For example, arbitrarily check this one: abc.exe 7964 Console 1 89,188 K. Check the parent PID of PID:7964. If the returned result is 9152, then you know that that is the grandchild. If you get some other number, then you know that PID:9152 is the grandchild. – Tadgh Sep 25 '12 at 03:32

1 Answer

What tool generates the text file? Can you modify the tool that generates the process info table?

Process parent/child hierarchy is not gathered with the Get-Process cmdlet. Consider using Get-WMIObject win32_process instead, as its output contains a field for the parent process, aptly named ParentProcessId. Be aware that Windows recycles process IDs, so the field may point to a non-existing process or to another process that has nothing to do with the process in hand. See the MS documentation at MSDN.

vonPryz
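
The approach from the answer, as an added example that is not part of the original answer: walk `ParentProcessId` upward from each `abc.exe` and reject any link where the supposed parent was created after the child, which is what a recycled PID looks like. The function name `Get-DescendantPid` and the sample rows are constructed for illustration (only PIDs 9152 and 7964 come from the question; which one is the grandchild is assumed), and `Get-CimInstance` is used as the current equivalent of `Get-WMIObject`.

```powershell
function Get-DescendantPid {
    param(
        [Parameter(Mandatory)] [object[]] $Processes,  # rows shaped like Win32_Process
        [Parameter(Mandatory)] [string]   $RootName,   # e.g. 'Parent.exe'
        [Parameter(Mandatory)] [string]   $ChildName,  # e.g. 'abc.exe'
        [int] $Depth = 2                               # 2 = grandchild of the root
    )

    # Index rows by PID so a ParentProcessId can be resolved to a process row.
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in ($Processes | Where-Object { $_.Name -eq $ChildName })) {
        $cur = $p
        $ok  = $true
        for ($i = 0; $i -lt $Depth; $i++) {
            $parent = $byPid[[int]$cur.ParentProcessId]
            # Parent already exited, or its PID was recycled by a newer process:
            # a genuine parent is always created before its child.
            if (-not $parent -or $parent.CreationDate -gt $cur.CreationDate) {
                $ok = $false
                break
            }
            $cur = $parent
        }
        # Emit the PID only when the ancestor at the requested depth is the root.
        if ($ok -and $cur.Name -eq $RootName) { $p.ProcessId }
    }
}

# Constructed sample rows (PIDs 4100 and 800 and all timestamps are made up).
$t = [datetime]'2012-09-24T23:00:00'
$sample = @(
    [pscustomobject]@{ Name = 'Parent.exe'; ProcessId = 4100; ParentProcessId = 800;  CreationDate = $t }
    [pscustomobject]@{ Name = 'abc.exe';    ProcessId = 9152; ParentProcessId = 4100; CreationDate = $t.AddSeconds(5) }
    [pscustomobject]@{ Name = 'abc.exe';    ProcessId = 7964; ParentProcessId = 9152; CreationDate = $t.AddSeconds(9) }
)
Get-DescendantPid -Processes $sample -RootName 'Parent.exe' -ChildName 'abc.exe'

# Against the live system:
# Get-DescendantPid -Processes (Get-CimInstance Win32_Process) -RootName 'Parent.exe' -ChildName 'abc.exe'
```

With `Get-WMIObject` the `CreationDate` field is a DMTF-formatted string rather than a `DateTime`, so convert it before comparing.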