Identify process with powershell -Query option satisfying CommandLine like '%pattern%'

Question

Recently I discovered that one can issue sql queries to WmiObject like this:

Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE Name='java.exe'"

I would like to further limit the output containing the CommandLine arguments, something like:

Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE Name='java.exe' AND CommandLine like '%glassfish%'"

or

Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE Name='java.exe' AND CommandLine like '*glassfish*'"

However this does not return any answers back. How can I formulate approximate match queries there? Sure I can do

Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE Name='java.exe'" | Where-Object { $_.CommandLine -match "glassfish" }

But that does not look elegant.

EDIT: There's a glassfish running among my processes (if I remove "CommandLine like ...":

`CommandLine like '%glassfish%'` is the correct syntax. Did you verify that the output of the first command actually had results where the `CommandLine` value contained `glassfish`? — Mathias R. Jessen, Oct 04 '21 at 15:44
As an aside, the language is actually called WQL (WMI Query Language) and while it has a non-coincidental resemblance to SQL there are substantial differences, particularly when joins are involved. (The docs flat out lie when the language is called a "subset" of ANSI SQL, which it most assuredly is not.) — Jeroen Mostert, Oct 04 '21 at 15:47
Thanks for the comments, yes I see glassfish among my processes (when I run without like '%glassfish%'), I updated the description with a screenshot — arthur, Oct 04 '21 at 15:50
Damn, I copy-pasted your line and it shows me a process. Why didn't it work for me to begin with? — arthur, Oct 04 '21 at 15:53
well, you are right, it works. Why don't you create an answer out of it, and click to make it an answer, and close the ticket — arthur, Oct 04 '21 at 15:55
As an aside: The CIM cmdlets (e.g., `Get-CimInstance`) superseded the WMI cmdlets (e.g., `Get-WmiObject`) in PowerShell v3 (released in September 2012). Therefore, the WMI cmdlets should be avoided, not least because PowerShell (Core) (v6+), where all future effort will go, doesn't even _have_ them anymore. Note that WMI still _underlies_ the CIM cmdlets, however. For more information, see [this answer](https://stackoverflow.com/a/54508009/45375). — mklement0, Oct 04 '21 at 18:15

score 3 · Accepted Answer · answered Oct 04 '21 at 16:10

This one:

Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE Name='java.exe' AND CommandLine like '%glassfish%'"

... uses the correct syntax, the wildcard char in WQL is indeed %.

If you want to pass a variable substring to the query, make sure you escape quotation marks and backslashes with another backslash:

# define substring to looks for
$cmdLineSubstring = 'glassfish'

# escape quotes and backslashes
$cmdLineSubstring = $cmdLineSubstring -replace '[\\\p{Pi}\p{Pf}''"]','\$0'

$query = "SELECT * FROM Win32_Process WHERE Name = 'java.exe' AND CommandLine LIKE '%${cmdLineSubstring}%'"

Identify process with powershell -Query option satisfying CommandLine like '%pattern%'

1 Answers1