56

Problem

Given a process ID & command-line access on a remote Windows host, how can you find its parent's PID?

Solution

Given Marc B's answer, we can use WMIC (Command samples here) and do something like this:

wmic process where (processid=PROCID_HERE) get parentprocessid

golimar
joslinm
  • 1
    If your paths are messed up (like me), then you will enjoy knowing that the wmic.exe is in "C:\Windows\System32\wbem" – Vaccano Jan 25 '13 at 17:24
  • It should be noted that process IDs are reused, so if the parent of a process has exited, you might incorrectly identify an unrelated process as being the parent. (I guess you could detect this by comparing the run times for the two processes.) – Harry Johnston Oct 11 '20 at 00:44
  • Are there plans to add this as a column in Windows Task Manager? – Dominique Nov 17 '22 at 14:17

4 Answers

72
C:\> wmic process get processid,parentprocessid,executablepath|find "process id goes here"
Marc B
  • 1
    You're awesome, thank you. Correct me if I'm wrong, but this returns its parent on first line on LHS & itself on RHS. Then if it is a parent itself, it will show more processes with itself on LHS & children on RHS. – joslinm Sep 20 '11 at 14:39
  • It should return things in columnar format, in the order you specified them on the command line. You can strip off the executablepath bit to reduce it to just the pid/ppid numbers, which does make it a lot more compact. – Marc B Sep 20 '11 at 14:42
  • Hey Marc, played around with it a bit; it doesn't adhere to the manner in which you specified them on the cmd line. get parentprocessid, processid & get processid, parentprocessid both spit out ParentProcessId on the lhs and processid on rhs – joslinm Sep 20 '11 at 15:05
  • 2
    Wouldn't surprise me. Consistency isn't exactly a signature characteristic of BillCo. – Marc B Sep 20 '11 at 15:08
  • Since `find` will match a substring, this will often generate extraneous data. Use a `where` clause instead as shown in the other two answers. – Harry Johnston Oct 11 '20 at 00:46
  • 1
    I got this error: FIND: Parameter format not correct Tried with both "18640" and 18640 (without "s) – Ismail Yavuz Sep 19 '22 at 12:11
11

In PowerShell:

PS> wmic process  where '(processid=4632)' get 'processid,parentprocessid,executablepath'
ExecutablePath                                              ParentProcessId  ProcessId
C:\Program Files\Docker\Docker\Resources\com.docker.db.exe  4488             4632
uffe hellum
8

Based on joslinm's solution in the question, here's a snippet of how to use this in a batch script:

set PID=<this is the child process ID>
for /f "usebackq tokens=2 delims==" %%a in (`wmic process where ^(processid^=%PID%^) get parentprocessid /value`) do (
    set PARENT_PID=%%a
)
Community
robinst
4

Or you can do something like this in PowerShell:

Get-CimInstance -className win32_process | where-object {$_.ProcessId -eq processId_goes_here } | select ParentProcessId, Name

You can also filter by name: just substitute $_.ProcessId with the $_.Name property.

knile
  • All the other answers are deprecated in Windows 11 Insider Preview 22494.1000 (WMIC is deleted), so thx for this answer – H3r3zy Nov 10 '21 at 16:22
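
The PID-reuse caveat raised in the comments on the question can be checked with the same Win32_Process data: a genuine parent must have been created before its child. The following is an added example, not code from any of the answers above; the function name Get-ParentProcess and the output property names are assumptions made for illustration.

```powershell
# Added example (not from the original answers): resolve a process's parent
# and flag the result when the parent PID has exited or been reused.
function Get-ParentProcess {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][uint32]$ProcessId,
        [string]$ComputerName    # optional remote host; omit for the local machine
    )

    $cim = @{ ClassName = 'Win32_Process'; ErrorAction = 'Stop' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }

    # Server-side WQL filter: exact PID match, unlike piping the list through find
    $child = Get-CimInstance @cim -Filter "ProcessId = $ProcessId"
    if (-not $child) { throw "No process with PID $ProcessId" }

    $parent = Get-CimInstance @cim -Filter "ProcessId = $($child.ParentProcessId)"

    # If the process now holding the parent PID started after the child,
    # the original parent has exited and its PID was handed to someone else.
    $status = if (-not $parent) {
        'ParentExited'
    } elseif ($parent.CreationDate -gt $child.CreationDate) {
        'PidReused'
    } else {
        'Ok'
    }

    [pscustomobject]@{
        ProcessId       = $child.ProcessId
        Name            = $child.Name
        ParentProcessId = $child.ParentProcessId
        ParentName      = if ($status -eq 'Ok') { $parent.Name } else { $null }
        ParentStarted   = if ($status -eq 'Ok') { $parent.CreationDate } else { $null }
        ParentStatus    = $status
    }
}

# Usage: inspect the current PowerShell session ($PID is its own process ID)
Get-ParentProcess -ProcessId $PID
```

When triaging a suspicious process, treat a ParentStatus other than Ok as "parent unknown" rather than trusting the name of whatever currently owns that PID.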