The Processes tab of the Windows Task Manager shows several columns with information, one of which being User Name of the user that owns the process.
Using the command WMIC process (from an administrator-started cmd.exe) gives me the same sort of information, but I can not find any column for the user name. How can I find out which user started the process with WMIC?
Owner can be retrieved using GetOwner method on win32_process class instances. I would suggest using PowerShell for that, where it's pretty simple:
Get-WmiObject -Class Win32_Process |
Select-Object Name, @{
Name = 'Owner'
Expression = {
$_.GetOwner().User
}
}
If you have to use wmic, than you can hack your way through by mixing results of:
wmic process get Name
...with call GetOwner e.g:
@echo off
echo Domain\User,Machine,ProcessName,ProcessID,WorkingSetSize
(for /f "skip=2 tokens=2 delims=, eol= " %%P in ('wmic process get ProcessId /format:csv') do @call :AddOwner %%P) 2> nul
goto :EOF
:AddOwner
SET Process=%1
(for /f "skip=5 tokens=1,2 delims==; " %%O in ('wmic process WHERE ProcessID^=%Process% Call GetOwner') do @call :BuildOwner %%O %%P) > nul
for /f "skip=1 tokens=* eol= " %%L in ('wmic process WHERE ProcessID^=%Process% GET Name^, ProcessID^, WorkingSetSize /format:csv') do @SET INFO=%%L
echo %DOMAIN%\%USER%,%INFO%
goto :EOF
:BuildOwner
SET PARAM=%1
SET VALUE=%~2
IF [%PARAM%]==[Domain] SET DOMAIN=%VALUE%
IF [%PARAM%]==[User] SET USER=%VALUE%
goto :EOF