4

Is there a way to find out which process started a other process even after the parent process is terminated?

I tried to find something in the Win32_Process class via PowerShell but I did not find anything relevant.

Marcel Janus
  • 1,115
  • 2
  • 14
  • 29
  • Have you tried SysInternals? Process Explorer or Process Monitor should help you out, or at least let you know if what you want is possible. – HopelessN00b Feb 11 '14 at 12:48
  • @HopelessN00b Yes I tried Process Explorer as first thing (because it is my default tool). But there is nothing from value for my problem. – Marcel Janus Feb 12 '14 at 09:03

2 Answers2

5

The Win32_Process WMI class does tell you the ID of the process that spawned the child process. However, the ParentProcessID is not part of the default property set; you have to specifically ask for it.

PS C:\> Get-WmiObject Win32_Process | Select ProcessID, ParentProcessID | FT -Auto

ProcessID ParentProcessID
--------- ---------------
        0               0
        4               0
      364               4
      520             452
      576             452
      592             584
      632             576
      640             576
      724             632
      776             632
      840             584
      932             632
      956             632
     1020             632
      324             840
      508             632
      436             632
     1120             632
     1276             632

It's worth noting however that grandparent process IDs are not tracked.

Ryan Ries
  • 55,481
  • 10
  • 142
  • 199
2

To get details about any process, please run the following command:

C:\>wmic process list /format:list > process.txt

And then in process.txt we can locate the orphan processes by ProcessID and also get their ParentProcessID.

masegaloeh
  • 18,236
  • 10
  • 57
  • 106
Imran
  • 21
  • 2