2

I have a situation with processes a bit like below. We have 2 executables, foo.exe and bar.exe. bar.exe is always launched by foo.exe. I want to know how to find out which bar.exe has been spawned by which foo.exe. It's probably very simple but cannot work it out. 

Name      Pid

foo.exe   1
foo.exe   2
foo.exe   3

bar.exe   4
bar.exe   5
bar.exe   6

Happy for dos or powershell solutions.

eckes
  • 845
  • 9
  • 21
gnuchu
  • 131
  • 1
  • 4
  • 2
    What about showing only a bit of [research effort](http://www.google.com/search?q=powershell+find+parent+process)? – LotPings Jul 11 '17 at 12:18

2 Answers2

7

You can use wmic process get Caption,ParentProcessId,ProcessId for a list in command line. Or use Process Explorer from the SysInternals Suite for a GUI option.

Lenniey
  • 5,220
  • 2
  • 18
  • 29
0

Just to follow up on the answer from @Lenniey, the following is a nicely formatted process list with the parent ID and a filter condition:

$IsSee = {$_.CommandLine -match 'd:\\' -or $_.Path -match 'd:\\'};
Get-WmiObject win32_process | where -FilterScript $IsSee | 
    select @{l='PID';e={$_.ProcessId}},@{l='PPID';e={$_.ParentProcessId}},
      @{l='#Thrd';e={$_.ThreadCount}},
      @{l='vmGB';e={[math]::round($_.VM/1gb,2)}},CommandLine | 
    Format-Table -wrap -auto

(in this case commands related to drive D:)

eckes
  • 845
  • 9
  • 21