Saturday, January 23, 2016

wmi python module - part 002.

According to MSDN, the Win32_Process WMI class represents a process on an operating system.
Its class definition, including the properties inherited from CIM_Process, is:

class Win32_Process : CIM_Process
{
  string   Caption;
  string   CommandLine;
  string   CreationClassName;
  datetime CreationDate;
  string   CSCreationClassName;
  string   CSName;
  string   Description;
  string   ExecutablePath;
  uint16   ExecutionState;
  string   Handle;
  uint32   HandleCount;
  datetime InstallDate;
  uint64   KernelModeTime;
  uint32   MaximumWorkingSetSize;
  uint32   MinimumWorkingSetSize;
  string   Name;
  string   OSCreationClassName;
  string   OSName;
  uint64   OtherOperationCount;
  uint64   OtherTransferCount;
  uint32   PageFaults;
  uint32   PageFileUsage;
  uint32   ParentProcessId;
  uint32   PeakPageFileUsage;
  uint64   PeakVirtualSize;
  uint32   PeakWorkingSetSize;
  uint32   Priority = NULL;
  uint64   PrivatePageCount;
  uint32   ProcessId;
  uint32   QuotaNonPagedPoolUsage;
  uint32   QuotaPagedPoolUsage;
  uint32   QuotaPeakNonPagedPoolUsage;
  uint32   QuotaPeakPagedPoolUsage;
  uint64   ReadOperationCount;
  uint64   ReadTransferCount;
  uint32   SessionId;
  string   Status;
  datetime TerminationDate;
  uint32   ThreadCount;
  uint64   UserModeTime;
  uint64   VirtualSize;
  string   WindowsVersion;
  uint64   WorkingSetSize;
  uint64   WriteOperationCount;
  uint64   WriteTransferCount;
};
Let's make a simple example with the wmi Python module.
import wmi

c = wmi.WMI()
for process in c.Win32_Process():
    # Properties_() returns the property object; read .Value for the plain data
    name = process.Properties_("Name").Value
    pid = process.Properties_("ProcessId").Value
    parent = process.Properties_("ParentProcessId").Value
    termination = process.Properties_("TerminationDate").Value
    print(name, ' = pid -', pid, '+', parent, '|termination_date-', termination)
And the output of this script is:
firefox.exe  = pid - 13788 + 2564 |termination_date- None
explorer.exe  = pid - 1048 + 772 |termination_date- None
sublime_text.exe  = pid - 11404 + 2564 |termination_date- None
plugin_host.exe  = pid - 7432 + 11404 |termination_date- None
cmd.exe  = pid - 9568 + 2564 |termination_date- None
conhost.exe  = pid - 14124 + 9568 |termination_date- None
conhost.exe  = pid - 9700 + 11208 |termination_date- None
Taskmgr.exe  = pid - 9424 + 13404 |termination_date- None
WmiPrvSE.exe  = pid - 9764 + 772 |termination_date- None
SpfService64.exe  = pid - 11908 + 684 |termination_date- None
python.exe  = pid - 1308 + 9568 |termination_date- None
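As an added example (not code from the original post), the snippet below takes the snapshot the script above produces one step further: it keys the processes by ProcessId and checks each ParentProcessId against the parent's CreationDate, because ParentProcessId is only a number recorded at creation time; the parent may have exited (explorer.exe normally shows the pid of a userinit.exe that is long gone) or Windows may have reused that pid for an unrelated process. The Proc helper and the SAMPLE records are constructed for the demonstration; with the wmi module installed you can pass wmi.WMI().Win32_Process() to check_parents() directly.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Win32_Process.CreationDate is a CIM_DATETIME string: yyyymmddHHMMSS.mmmmmmsUUU
_CIM_RE = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")

def parse_cim_datetime(value):
    """Turn a CIM_DATETIME string into a timezone-aware datetime (None if unset)."""
    if not value:
        return None
    m = _CIM_RE.match(value)
    if not m:
        raise ValueError("not a CIM_DATETIME: %r" % (value,))
    stamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    minutes = int(m.group(4)) * (1 if m.group(3) == "+" else -1)
    return stamp.replace(microsecond=int(m.group(2)),
                         tzinfo=timezone(timedelta(minutes=minutes)))

def check_parents(processes):
    """Classify each process's ParentProcessId against the rest of the snapshot.

    processes: objects exposing Name, ProcessId, ParentProcessId and CreationDate,
    e.g. the instances returned by wmi.WMI().Win32_Process().
    Returns {pid: 'ok' | 'parent_exited' | 'pid_reused' | 'unknown'}.
    """
    by_pid = {int(p.ProcessId): p for p in processes}
    verdict = {}
    for pid, proc in by_pid.items():
        parent = by_pid.get(int(proc.ParentProcessId))
        if parent is None:
            verdict[pid] = "parent_exited"   # nothing live owns that pid now
            continue
        child_t = parse_cim_datetime(proc.CreationDate)
        parent_t = parse_cim_datetime(parent.CreationDate)
        if child_t is None or parent_t is None:
            verdict[pid] = "unknown"         # CreationDate not readable
            continue
        # A "parent" started after its child cannot be the real parent: the
        # original parent exited and Windows handed its pid to a new process.
        verdict[pid] = "pid_reused" if parent_t > child_t else "ok"
    return verdict

# Constructed sample snapshot (not real WMI output); pids echo the post above.
Proc = namedtuple("Proc", "Name ProcessId ParentProcessId CreationDate")
SAMPLE = [
    Proc("explorer.exe", 1048, 772, "20160123090000.000000+120"),   # userinit gone
    Proc("cmd.exe", 9568, 1048, "20160123090500.000000+120"),
    Proc("conhost.exe", 14124, 9568, "20160123090500.500000+120"),
    Proc("python.exe", 1308, 9568, "20160123091000.000000+120"),
    Proc("Taskmgr.exe", 9424, 13404, "20160123083000.000000+120"),
    Proc("notepad.exe", 13404, 1048, "20160123092000.000000+120"),  # reused pid
]

if __name__ == "__main__":
    for pid, status in sorted(check_parents(SAMPLE).items()):
        print(pid, status)
```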