If you are running as an administrator, it is easy to get the owner associated with a process using PowerShell: Get-Process -IncludeUserName. Get-Process gets information from System.Diagnostics.Process, not WMI. But you can get similar information from WMI, even if you aren’t an administrator. We had a little debate about this in our last Charlotte PowerShell Meetup. Here is my solution to the issue:
<#
.Synopsis
   Add the process owner information to WMI Win32_Process object
.DESCRIPTION
   This advanced function adds the process owner's User Domain and User Name to a Win32_Process object.
   It does not change the default display for the object, so you have to use Select-Object to see it in the output.
   You must "dot source" this prior to use
.PARAMETER ProcessObject
   A WMI Process object, ex: Get-CimInstance -classname Win32_Process
.EXAMPLE
   Get-CimInstance -classname Win32_Process -Filter "ProcessID = $pid" | Get-ProcessOwner | select-object ProcessId, Name, UserDomain, UserName

   Find the PID, Process name, and owner information for this instance of PowerShell
.EXAMPLE
   Get-CimInstance -classname Win32_Process | Get-ProcessOwner | select-object ProcessId, Name, UserDomain, UserName | Out-GridView

   Find the PID, Process name, and owner information for all running processes, display in out-gridview
.NOTES
   Alan Kaplan 2/8/2019 for the Charlotte PowerShell User Group MeetUp.
   This does not work with Get-Process which comes from System.Diagnostics.Process, not WMI
   Get-Process supports return of Username when running as an administrator with Get-Process -IncludeUserName
   See https://powershelladministrator.com/tag/get-session-id/
   Based on former member Ed Wilson's post:
   https://blogs.technet.microsoft.com/heyscriptingguy/2015/02/27/~
   get-process-owner-and-other-info-with-wmi-and-powershell/
#>
function Get-ProcessOwner {
    [CmdletBinding()]
    Param
    (
        # Microsoft.Management.Infrastructure.CimInstance#root/cimv2/Win32_Process
        [Parameter(Mandatory = $true,
            ValueFromPipeline = $true)]
        $ProcessObject
    )

    Begin {
    }
    Process {
        # Reset for every pipeline object so a failed lookup never reuses the previous process's owner
        $DomUser = $null
        $NameUser = $null
        Try {
            $o = Invoke-CimMethod -InputObject $ProcessObject -MethodName GetOwner -ErrorAction Stop
            $DomUser = $o.Domain
            $NameUser = $o.User
        }
        Catch {
            # Owner could not be read; the added properties stay empty
            $o = $null
        }

        # Attach the owner as note properties and pass the process object down the pipeline
        $ProcessObject |
            Add-Member -NotePropertyName 'UserName' -NotePropertyValue $NameUser -PassThru |
            Add-Member -NotePropertyName 'UserDomain' -NotePropertyValue $DomUser -PassThru
    }
    End {
    }
}
This function uses the GetOwner method of Win32_Process, and adds the user domain and user SamAccountName to the object in the pipeline.
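As an added example (not part of the original function or post), the same GetOwner call can feed a per-account inventory that also keeps the method's ReturnValue, so processes whose owner could not be read stay visible instead of showing up as blank. The function name Get-ProcessOwnerSummary and the '<unresolved>' label are assumptions made for this example; 0 is the documented success value for GetOwner.

```powershell
# Added example: group running processes by owner using Win32_Process.GetOwner.
# Get-ProcessOwnerSummary and '<unresolved>' are hypothetical names chosen for this example.
function Get-ProcessOwnerSummary {
    [CmdletBinding()]
    Param ()

    $rows = foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $owner = $null
        $rc = $null
        Try {
            $r = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
            $rc = $r.ReturnValue
            # ReturnValue 0 means success; anything else leaves Domain and User empty
            if ($rc -eq 0) { $owner = '{0}\{1}' -f $r.Domain, $r.User }
        }
        Catch {
            # For example, the process exited between enumeration and the method call
            Write-Verbose "GetOwner failed for PID $($p.ProcessId): $($_.Exception.Message)"
        }

        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            Owner       = if ($owner) { $owner } else { '<unresolved>' }
            ReturnValue = $rc
        }
    }

    # One row per account: process count plus the distinct image names running under it
    $rows | Group-Object -Property Owner | Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Owner     = $_.Name
                Count     = $_.Count
                Processes = ($_.Group.Name | Sort-Object -Unique) -join ', '
            }
        }
}

Get-ProcessOwnerSummary | Format-Table -AutoSize -Wrap
```

Running it once from a standard session and once elevated shows how many processes move out of the '<unresolved>' row when more owners become readable.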