How do you list all processes on the command line in Windows?

Is there a command equivalent to ‘ps’ on Unix that can list all processes on a Windows machine?

15 Answers 15

Working with cmd.exe:

(you can query remote machines as well with /node:ComputerOrIP , and there are a LOT more ways to customize this command: link)

You can call wmic process list to see all processes.

I wanted to mention that WMIC (pam’s entry) can do a lot more. Have a look at my WMIC snippets page, which is a cheatsheet showing many of the common ways to use WMIC (with sample output shown) here

WMIC /OUTPUT:C:\ProcessList.txt PROCESS get Caption,Commandline,Processid

I tried on Windows 7. The command is: TASKLIST /FI «IMAGENAME eq application_name»

Eg: c:\>TASKLIST /FI «IMAGENAME eq notepad.exe»

To show all process with port details:

Also to kill the process you can use c:\> pskill or tskill processname

Eg: c:\> tskill notepad

tasklist or pslist from sysinternals. Also, get-process is amazing from PowerShell.

If you use Powershell, it has the ‘ps’ command (it is aliased to Get-Process)

To kill a process use:

If you running windows XP try using the ‘tasklist’ command. I tried it out with Vista and it seems to also work.

Use this command to see all the processes in windows machine

tasklist /svc

open windows command prompt

I had following problem on Windows 2003 SP2: Tasklist didn’t return any output on stdout or stderr, when called from a process started as Windows service (even under Local Account). Tasklist returned with the (undocumented) code 128.

Called from the same program started as a normal process (not as service), it did run.

No help to change it. I couldn’t find any reason or solution but use «pslist /accepteula» of sysinternal instead of it.

Same problem with taskkill: I had to replace it whith pskill.

I have done a msproject ( c source code) , archive is available at : lsproc.zip project archive

this is a command line tool output:

Using WMI and Powershell you can do:

Then you can filter properties using Select-Object and show in GUI using Out-GridView .

Process Explorer v16.32

By Mark Russinovich

Published: April 28, 2020

Download Process Explorer (2.5 MB)
Run now from Sysinternals Live.

Introduction

Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you’ll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.

Related Links

• Windows Internals Book The official updates and errata page for the definitive book on Windows internals, by Mark Russinovich and David Solomon.
• Windows Sysinternals Administrator’s Reference The official guide to the Sysinternals utilities by Mark Russinovich and Aaron Margosis, including descriptions of all the tools, their features, how to use them for troubleshooting, and example real-world cases of their use.

Download

Download Process Explorer (2.5 MB)
Run now from Sysinternals Live.

Runs on:

• Client: Windows Vista and higher (Including IA64).
• Server: Windows Server 2008 and higher (Including IA64).

Installation

Simply run Process Explorer (procexp.exe).

The help file describes Process Explorer operation and usage. If you have problems or questions please visit the Process Explorer forum on Technet.

Note on use of symbols

When you configure the path to DBGHELP.DLL and the symbol path uses the symbol server, the location of DBGHELP.DLL also has to contain the SYMSRV.DLL supporting the server paths used. See SymSrv documentation or more information on how to use symbol servers.

Learn More

Here are some other handle and DLL viewing tools and information available at Sysinternals:

• The case of the Unexplained. In this video, Mark describes how he has solved seemingly unsolvable system and application problems on Windows.
• Handle — a command-line handle viewer
• ListDLLs — a command-line DLL viewer
• PsList — local/remote command-line process lister
• PsKill — local/remote command-line process killer
• Defrag Tools: #2 — Process Explorer In this episode of Defrag Tools, Andrew Richards and Larry Larsen show how to use Process Explorer to view the details of processes, both at a point in time and historically.
• Windows Sysinternals Primer: Process Explorer, Process Monitor and More Process Explorer gets a lot of attention in the first Sysinternals Primer delivered by Aaron Margosis and Tim Reckmeyer at TechEd 2010.

—>

tasklist

Displays a list of currently running processes on the local computer or on a remote computer. Tasklist replaces the tlist tool.

This command replaces the tlist tool.

Syntax

Parameters

Parameter	Description
/s	Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
/u \	Runs the command with the account permissions of the user who is specified by or by \ . The /u parameter can be specified only if /s is also specified. The default is the permissions of the user who is currently logged on to the computer that is issuing the command.
/p

Specifies the password of the user account that is specified in the /u parameter. /m Lists all tasks with DLL modules loaded that match the given pattern name. If the module name is not specified, this option displays all modules loaded by each task. svc Lists all the service information for each process without truncation. Valid when the /fo parameter is set to table. /v Displays verbose task information in the output. For complete verbose output without truncation, use /v and /svc together. /fo

Specifies the format to use for the output. Valid values are table, list, and csv. The default format for output is table. /nh Suppresses column headers in the output. Valid when the /fo parameter is set to table or csv. /fi Specifies the types of processes to include in or exclude from the query. You can use more than one filter or use the wildcard character ( \ ) to specify all tasks or image names. The valid filters are listed in the Filter names, operators, and values section of this article. /? Displays help at the command prompt.

Filter names, operators, and values

Filter Name	Valid Operators	Valid Value(s)
STATUS	eq, ne	RUNNING | NOT RESPONDING | UNKNOWN . This filter isn’t supported if you specify a remote system.
IMAGENAME	eq, ne	Image name
PID	eq, ne, gt, lt, ge, le	PID value
SESSION	eq, ne, gt, lt, ge, le	Session number
SESSIONNAME	eq, ne	Session name
CPUtime	eq, ne, gt, lt, ge, le	CPU time in the format HH:MM:SS, where MM and SS are between 0 and 59 and HH is any unsigned number
MEMUSAGE	eq, ne, gt, lt, ge, le	Memory usage in KB
USERNAME	eq, ne	Any valid user name ( or )
SERVICES	eq, ne	Service name
WINDOWTITLE	eq, ne	Window title. This filter isn’t supported if you specify a remote system.
MODULES	eq, ne	DLL name

Examples

To list all tasks with a process ID greater than 1000, and display them in csv format, type:

To list the system processes that are currently running, type:

To list detailed information for all processes that are currently running, type:

To list all the service information for processes on the remote computer srvmain, which has a DLL name beginning with ntdll, type:

To list the processes on the remote computer srvmain, using the credentials of your currently logged-on user account, type:

To list the processes on the remote computer srvmain, using the credentials of the user account Hiropln, type:

AccessChk v6.13

By Mark Russinovich

Published: October 15, 2020

Download AccessChk (957 KB)
Run now from Sysinternals Live.

Introduction

As a part of ensuring that they’ve created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.

Installation

AccessChk is a console program. Copy AccessChk onto your executable path. Typing «accesschk» displays its usage syntax.

Using AccessChk

Parameter	Description
-a	Name is a Windows account right. Specify «*» as the name to show all rights assigned to a user. Note that when you specify a specific right, only groups and accounts directly assigned to the right are displayed.
-c	Name is a Windows Service, e.g. ssdpsrv. Specify «*» as the name to show all services and «scmanager» to check the security of the Service Control Manager.
-d	Only process directories or top-level keys
-e	Only show explicitly set-Integrity Levels (Windows Vista and higher only)
-f	If following -p, shows full process token information including groups and privileges. Otherwise is a list of comma-separated accounts to filter from the output.
-h	Name is a file or printer share. Specify ‘*’ as the name to show all shares.
-i	Ignore objects with only inherited ACEs when dumping full access control lists.
-k	Name is a Registry key, e.g. hklm\software
-l	Show full security descriptor. Add -i to ignore inherited ACEs.
-n	Show only objects that have no access
-o	Name is an object in the Object Manager namespace (default is root). To view the contents of a directory, specify the name with a trailing backslash or add -s. Add -t and an object type (e.g. section) to see only objects of a specific type.
-p	Name is a process name or PID, e.g. cmd.exe (specify «*» as the name to show all processes). Add -f to show full process token information, including groups and privileges. Add -t to show threads.
-q	Omit Banner
-r	Show only objects that have read access
-s	Recurse
-t	Object type filter, e.g. «section»
-u	Suppress errors
-v	Verbose (includes Windows Vista Integrity Level)
-w	Show only objects that have write access

If you specify a user or group name and path, AccessChk will report the effective permissions for that account; otherwise it will show the effective access for accounts referenced in the security descriptor.

By default, the path name is interpreted as a file system path (use the «\pipe\» prefix to specify a named pipe path). For each object, AccessChk prints R if the account has read access, W for write access, and nothing if it has neither. The -v switch has AccessChk dump the specific accesses granted to an account.

Examples

The following command reports the accesses that the Power Users account has to files and directories in \Windows\System32:

accesschk «power users» c:\windows\system32

This command shows which Windows services members of the Users group have write access to:

accesschk users -cw *

To see what Registry keys under HKLM\CurrentUser a specific account has no access to:

accesschk -kns austin\mruss hklm\software

To see the security on the HKLM\Software key:

accesschk -k hklm\software

To see all files under \Users\Mark on Vista that have an explicit integrity level:

accesschk -e -s c:\users\mark

To see all global objects that Everyone can modify:

accesschk -wuo everyone \basednamedobjects

Download AccessChk (957 KB)
Run now from Sysinternals Live.