WMI 工作：進程

發行項
03/11/2025

進程的 WMI 工作會取得資訊，例如進程執行所在的帳戶。您可以執行像是建立進程的動作。如需其他範例，請參閱techNet ScriptCenter at https://www.microsoft.com/technet。

本主題中顯示的腳本範例只會從本機計算機取得數據。如需如何使用文稿從遠端電腦取得資料的詳細資訊，請參閱遠端電腦上連線到 WMI。

下列程式描述如何執行腳本。

執行腳本

複製程序代碼，並將它儲存在擴展名為 .vbs 的檔案中，例如 filename.vbs。請確定文字編輯器不會將 .txt 擴展名新增至檔案。
開啟命令提示字元視窗，並流覽至您儲存盤案的目錄。
在命令提示字元中輸入 cscript filename.vbs。
如果您無法存取事件記錄檔，請檢查您是否正在從提高許可權的命令提示字元執行。某些事件記錄檔，例如安全性事件記錄檔，可能會受到使用者訪問控制（UAC）的保護。

注意

根據預設，cscript 會在命令提示字元視窗中顯示文稿的輸出。由於 WMI 命令稿可能會產生大量的輸出，因此您可能會想要將輸出重新導向至檔案。在命令提示字元中輸入 cscript filename.vbs > outfile.txt，將 filename.v bs 的輸出重新導向至 outfile.txt。

下表列出可用來從本機計算機取得各種數據類型的腳本範例。

如何... WMI 類別或方法

...在隱藏的視窗中執行應用程式？

從使用 Win32_Process 和 Win32_ProcessStartup 類別的腳本呼叫應用程式。

Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create( "Notepad.exe", null, objConfig, intProcessID)

PowerShell
`$startup=[wmiclass]"Win32_ProcessStartup" $startup.Properties['ShowWindow'].value=$False ([wmiclass]"win32_Process").create('notepad.exe','C:\',$Startup)`

...判斷哪些腳本正在本機計算機上執行？

使用 Win32_Process 類別，並傳回名稱為 Cscript.exe 或 Wscript.exe的所有進程。若要判斷在這些進程中執行的個別腳本，請檢查 commandLine 屬性的值。

strComputer = "." 
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2") 
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_Process" & _
           " WHERE Name = 'cscript.exe'" & " OR Name = 'wscript.exe'",,48) 
For Each objItem in colItems 
    Wscript.Echo "-------------------------------------------"
    Wscript.Echo "CommandLine: " & objItem.CommandLine
    Wscript.Echo "Name: " & objItem.Name
Next

PowerShell
$strComputer = "." Get-WmiObject -Class "Win32_Process" -ComputerName "." \| ` where {($_.name -eq 'cscript.exe') -or ($_.name -eq 'wscript.exe') } \| ` Format-List -Property CommandLine, Name

...找出進程執行所在的帳戶名稱？

使用 Win32_Process 類別和 GetOwner 方法。

strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcessList = objWMIService.ExecQuery ("Select * from Win32_Process")
For Each objProcess in colProcessList
    colProperties = objProcess.GetOwner( strNameOfUser,strUserDomain)
    Wscript.Echo "Process " & objProcess.Name & " is owned by " & strUserDomain & "\" & strNameOfUser & "."
Next

PowerShell
`Get-WmiObject -class win32_process -ComputerName "." \| ForEach-Object { $_.GetOwner() \| Select -Property domain, user }`

...變更執行中進程的優先順序？

使用 Win32_Process 類別和 SetPriority 方法。

Const ABOVE_NORMAL = 32768
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcesses = objWMIService.ExecQuery ("Select * from Win32_Process Where Name = 'Notepad.exe'")
For Each objProcess in colProcesses
    objProcess.SetPriority(ABOVE_NORMAL) 
Next

PowerShell

$ABOVE_NORMAL = 32768
$strComputer = "."
$colProcesses = Get-WmiObject -Class Win32_Process -ComputerName $strComputer | Where-Object { $_.name -eq 'Notepad.exe' }
foreach ($objProcess in $colProcesses) { $objProcess.SetPriority($ABOVE_NORMAL) }

...使用文稿終止進程？

使用 Win32_Process 類別和 Terminate 方法。

strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcessList = objWMIService.ExecQuery ("Select * from Win32_Process Where Name = 'Notepad.exe'")
For Each objProcess in colProcessList
    objProcess.Terminate()
Next

PowerShell

$strComputer = "."
$colProcesses = Get-WmiObject -Class Win32_Process -ComputerName $strComputer | Where-Object { $_.name -eq 'Notepad.exe' }
foreach ($objProcess in $colProcesses) { $objProcess.Terminate() }

...判斷每個進程使用多少處理器時間和記憶體？

使用 Win32_Process 類別和屬性，例如 KernelModeTime、WorkingSetSize、PageFileUsage和 PageFaults。

strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcesses = objWMIService.ExecQuery("Select * from Win32_Process")
For Each objProcess in colProcesses
    Wscript.Echo "Process: " & objProcess.Name
    sngProcessTime = (CSng(objProcess.KernelModeTime) + CSng(objProcess.UserModeTime)) / 10000000
    Wscript.Echo "Processor Time: " & sngProcessTime
    Wscript.Echo "Process ID: " & objProcess.ProcessID
    Wscript.Echo "Working Set Size: " & objProcess.WorkingSetSize
    Wscript.Echo "Page File Size: " & objProcess.PageFileUsage
    Wscript.Echo "Page Faults: " & objProcess.PageFaults
Next

PowerShell
$strComputer = "." Get-WmiObject -Class "Win32s_Process" -ComputerName $strComputer \| ` Format-List -Property Name, KernelModeTime, UserModeTime, ProcessID, WorkingSetSize, PageFileUsage, PageFaults

...告知哪些應用程式正在遠端電腦上執行？

使用 Win32_Process 類別。

strComputer = "atl-dc-01"
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcessList = objWMIService.ExecQuery ("Select * from Win32_Process")
For Each objProcess in colProcessList
    Wscript.Echo "Process: " & objProcess.Name 
    Wscript.Echo "Process ID: " & objProcess.ProcessID 
    Wscript.Echo "Thread Count: " & objProcess.ThreadCount 
    Wscript.Echo "Page File Size: " & objProcess.PageFileUsage 
    Wscript.Echo "Page Faults: " & objProcess.PageFaults 
    Wscript.Echo "Working Set Size: " & objProcess.WorkingSetSize 
Next

PowerShell
strComputer = "atl-dc-01" get-wmiObject -class Win32_Process -Namespace "root\cimv2" -ComputerName $strComputer \| ` Format-list Name, ProcessID, ThreadCount, PageFileUsage, PageFaults, WorkingSetSize

文稿和應用程式的 WMI 工作
WMI C++應用程式範例
TechNet ScriptCenter

共用方式為

WMI 工作：進程

意見反應

其他資源

共用方式為

WMI 工作：進程

相關主題

意見反應

其他資源