86
35
I'm looking for a tool or method to find out what command line parameters have been passed to a program, for example when it was run by another program (launcher-application scenario).
73
You can do that using Process Explorer.
Just hover with your mouse over a process to see the command line arguments used to start it:
Alternatively, you can open the properties of the process and inspect the command line right there:
91
You can do it without Process Explorer, too, using Windows' WMI service. Run the following from the command prompt:
WMIC path win32_process get Caption,Processid,Commandline
If you want to dump the output to a file (makes it a bit easier to read), use the /OUTPUT switch:
WMIC /OUTPUT:C:\Process.txt path win32_process get Caption,Processid,Commandline
4Nice, how did you know this? – Pacerier – 2015-01-20T03:18:43.843
4@Pacerier: I'm not sure to be honest ;-) I think it came from digging around the WMI docs and playing around because I needed to use WMI for something at the time. – Andy E – 2015-01-20T09:06:14.167
3Which WMI docs are you referring to? – Pacerier – 2015-01-22T03:48:17.913
These ones. – Andy E – 2015-12-07T12:13:17.160
4This was a very helpful command line method for getting the command line of a running process. In my case, I was able to tweak this slightly to get output just for a specific process: WMIC path win32_process where "caption='cmd.exe'" get Commandline – chriv – 2016-03-30T17:32:28.883
2Great, and the where clause actually supports some SQL features, e.g., where "name like 'cmd.%'" – zhaorufei – 2016-08-31T06:25:10.817
can't fetch java cmd call for some reason ... – Yordan Georgiev – 2016-10-20T07:23:37.830
Running in cmd.exe the command "WMIC /OUTPUT:C:\Process.txt path win32_process get Caption,Processid,Commandline" complains "Invalid file name." So instead I use "WMIC /OUTPUT:Process.txt path win32_process get Caption,Processid,Commandline" to output to the current directory. – Yuci – 2016-11-18T12:36:52.260
1Just pointing out that if WMIC is called from the powershell quotes must be used around the get parameters: WMIC path win32_process get "Caption,Processid,Commandline" – capitano666 – 2016-12-01T13:52:27.680
Here's an example of SQL like filtering in the where clause: WMIC path win32_process where "name like '%cmd%'" get Caption,Processid,Commandline – rleelr – 2019-11-12T08:45:36.530
41
One can also achieve that by using Task Manager.
Open task manager (by CTRL-SHIFT-ESC, CTRL-ALT-DELETE or any other method).
For Windows 7 (and probably Windows XP):
For Windows 8:
A column of command lines will be added to the currently displayed columns.
This only shows what will fit in the visible window area, so it's not helpful for long commands. – Jesse Barnum – 2015-11-09T19:47:08.820
1I don't really get you @JesseBarnum, one can always resize the column to have a complete view no matter how long the command line is, right? – Jeromy Adofo – 2015-12-07T00:35:07.933
1Only if the window is wide enough for the size of the command. If the command is something like a Java process with a long classpath, that won't fit in the window width. – Jesse Barnum – 2015-12-07T16:03:09.060
1Alright thanks, noted. I haven't had that problem though and by the way my task manager is scrollable - don't know about yours :-). I think if you can send me a sample program to try, that could settle it. – Jeromy Adofo – 2015-12-18T16:57:17.723
6This is a vastly underrated answer, had no idea this was possible. – Hashim – 2017-03-13T23:34:07.193
1@JesseBarnum is right, it does not work for really long command lines, the text is truncated at some fixed length even if you resize the column. My taskmgr is scrollable too, of course. – jmiserez – 2017-07-12T13:22:42.037
1@JesseBarnum it shows the tooltip as you hover on the command line text, just like Process Explorer in the accepted answer – phuclv – 2018-01-29T10:07:52.750
4I see a couple of comments above about the Windows Task Manager. Even if you set the 'Command line' column to show, a Java process with a really long command line will get truncated. BUT, you can click on the row in the Task Manager and 'copy' (Ctrl-c) the whole row and paste this into a text editor to see the whole command line, no matter how long. – JohnD – 2018-02-21T02:43:48.633
That is an awesome find @JohnD! I thought copying was not possible because I didn't find it in the context menu after right-clicking. The only thing is that the copying is not working for a few processes, but I haven't figured out why yet. – Jeromy Adofo – 2018-02-21T11:29:23.073
1Awesome! Had no idea that option was there. Now that I know I figured there's also a 'Command line' option to select when you right-click on the top-row under 'Processes' tab. – baburao – 2018-05-01T13:11:16.997
1I like this answer best. It works with a standard windows installation (including windows 10). – Stragulus – 2018-12-08T16:04:21.957
6
PowerShell to the rescue.
Find:
Get-WmiObject Win32_Process -Filter "name = 'perl.exe'" | where {$_.CommandLine -eq '"C:\strawberry\perl\bin\perl.exe" t/Server_PreFork.t'}
And kill as bonus:
Get-WmiObject Win32_Process -Filter "name = 'perl.exe'" | where {$_.CommandLine -eq '"C:\strawberry\perl\bin\perl.exe" t/Server_PreFork.t'} | ForEach-Object { Invoke-WmiMethod -Path $_.__Path -Name Terminate }
You can run it from powershell directly or from a ps1 if you've got your system set up. I detail unrestricted script setup on i kill zombies with powershell as well as other powershell tricks...
1Whoa... the kill part is quite dangerous, given the title of the question ;) Otherwise a very neat answer ;) – Tom – 2017-08-23T14:14:03.403
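Added example (not from any of the answers above): for the launcher scenario in the question, this PowerShell function lists each matching process together with its parent's command line, taken from a single Win32_Process snapshot. Get-ProcessLaunchInfo is a hypothetical name; the function reports a null CommandLine explicitly, which is what a non-elevated session can get for processes it is not allowed to open.

```powershell
# Added example: read-only listing of processes with their launcher (parent) command line.
function Get-ProcessLaunchInfo {
    param(
        # PowerShell wildcard pattern for the process name, e.g. 'cmd*'
        [string]$Name = '*'
    )

    # One snapshot of every process, indexed by PID so parents can be looked up.
    $all   = @(Get-CimInstance -ClassName Win32_Process)
    $byPid = @{}
    foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

    $matching = $all | Where-Object { $_.Name -like $Name }
    foreach ($p in $matching) {
        $parent = $byPid[[uint32]$p.ParentProcessId]

        # PIDs are reused after a process exits: a "parent" that was created
        # after the child cannot be the process that launched it.
        if ($parent -and $parent.CreationDate -and $p.CreationDate -and
            $parent.CreationDate -gt $p.CreationDate) {
            $parent = $null
        }

        [pscustomobject]@{
            ProcessId     = $p.ProcessId
            Name          = $p.Name
            # CommandLine is null when WMI could not read it (for example, not elevated).
            CommandLine   = if ($null -ne $p.CommandLine) { $p.CommandLine } else { '<not readable>' }
            ParentId      = $p.ParentProcessId
            ParentName    = if ($parent) { $parent.Name } else { '<exited>' }
            ParentCommand = if ($parent) { $parent.CommandLine } else { $null }
        }
    }
}

# Usage: show how every cmd.exe instance was started and by which process.
Get-ProcessLaunchInfo -Name 'cmd*' | Format-List
```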
5
Previous answers are great in case the process is already running and is not going to terminate any time soon. However, if you need (as I did) to do this perhaps with processes that start up multiple times and/or quickly terminate, or perhaps log occurrences over a longer period of time, there is a way to do this using Process Monitor.
Basically it logs various events in the system, in this case we can just filter the "Process Start" event and the name of the process we want to monitor, as shown below:
Then just keep the process monitor running and do whatever you do to get the process you want to log running. You can see in either the "Detail" column or the "Command line" column (depends on how you configure those) the command line arguments. For example:
Of course this way you can extract much more related information such as what is the working directory, what environment variables have been passed on the process, etc... Also it is easy to export the results into a file.
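Added example (not part of the answer above): a scripted counterpart to the "Process Start" filter, using a WMI event subscription to log the command line of each new instance of one program. The process name is the one from the PowerShell answer on this page; the log path and the source identifier are constructed for the example.

```powershell
# Added example: log the command line of every new instance of one program.
$targetName = 'perl.exe'                                   # name used elsewhere on this page
$logFile    = Join-Path $env:TEMP 'process-starts.csv'     # constructed path

# WITHIN 1 makes WMI poll once per second, so a process that starts and exits
# between two polls is not reported.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_Process' " +
         "AND TargetInstance.Name = '$targetName'"

Register-CimIndicationEvent -Query $query -SourceIdentifier 'ProcStartWatch' `
    -MessageData $logFile -Action {
        # TargetInstance is the Win32_Process object of the process that just started.
        $proc = $Event.SourceEventArgs.NewEvent.TargetInstance
        [pscustomobject]@{
            Time            = $Event.TimeGenerated.ToString('o')
            ProcessId       = $proc.ProcessId
            ParentProcessId = $proc.ParentProcessId
            CommandLine     = $proc.CommandLine
        } | Export-Csv -Path $Event.MessageData -Append -NoTypeInformation
    } | Out-Null

# Reproduce the launch you want to observe, then stop watching and read the log:
#   Unregister-Event -SourceIdentifier 'ProcStartWatch'
#   Import-Csv $logFile | Format-List
#
# The log holds full command lines, which may include passwords or tokens passed
# as arguments; keep it readable only by the account that needs it.
```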
1
When using CygWin, if I start a Python process, this is an example of command line:
c:\CygWin\bin\python2.7.exe /usr/local/bin/sudoserver.py
But Process Explorer only sees the main exe:
(note the "path: [Error opening process message]" (see EDIT-1)).
Same results for tasklist:
C:\>tasklist | find "python" /i
python2.7.exe 5740 Console 1 15.312 KB
So, the only trick I know until now, is finding it via CygWin Bash shell pgrep:
Luis@Kenobi /cygdrive/c/
$ pgrep -f -l server.py
5740 /usr/bin/python2.7 /usr/local/bin/sudoserver.py
It is useful to know this, as long as CygWin cohabits with no problems in Windows, and you can use it to run many POSIX and Python programs.
EDIT: In Windows you don't seem to need administrator privileges for tasklist. In CygWin you will need them to be able to view an administrator's process (which seems more logical to me: the full command-line could have some parameters like passwords inside), so we must run the CygWin Bash in elevated Administrator Mode.
EDIT-1: This problem will not happen if you run Process Explorer as administrator. Thank you for pointing it out, @Pacerier.
3If you run as administrator you wouldn't be seeing [Error opening process message] – Pacerier – 2015-01-20T03:20:38.850
You were right, @Pacerier. Too obvious to remember :-). Thank you. I have edited my post to reflect it. – Sopalajo de Arrierez – 2015-01-20T03:30:18.877
-3
go to run
or goto start
and search:
tasklist -m
tasklist -svc
5That does not show the calling command line. /m shows loaded modules (DLLs, etc.) and /svc shows services hosted in each process. – Bob – 2012-11-02T05:02:40.760
@OliverSalzburg, How did this program work? Can any normal C program achieve this? – Pacerier – 2015-01-20T03:17:48.660
@Pacerier I assume so. There's probably a Windows API to do this. I don't know the implementation though. – Der Hochstapler – 2015-01-20T07:42:37.593
@OliverSalzburg, So it looks like a virus could go undetected even with this. – Pacerier – 2015-01-22T03:49:35.630
2That's really cool. – cutrightjm – 2012-04-22T15:23:38.130
2
Unfortunately, it doesn't seem to work with applications protected with WinLicense/Themida: http://www.oreans.com/winlicense.php Any other ideas? – Gepard – 2012-04-22T16:24:07.643
@Gepard: How do you know it doesn't work? Are you sure the application was, in fact, called with command line arguments? Either way, PE uses the Windows way of determining that information. Anything else would have to be custom-tailored to a specific application, I assume. – Der Hochstapler – 2012-04-22T16:37:22.917
6My bad, it didn't run PE elevated. It's working as intended. – Gepard – 2012-04-22T16:46:49.597