How do I find out command line arguments of a running program?
Solution 1
You can do that using Process Explorer.
Just hover with your mouse over a process to see the command line arguments used to start it:
Alternatively, you can open the properties of the process and inspect the command line right there:
Solution 2
You can do it without Process Explorer, too, using Windows' WMI service. Run the following from the command prompt:
WMIC path win32_process get Caption,Processid,Commandline
If you want to dump the output to a file (makes it a bit easier to read), use the /OUTPUT switch:
WMIC /OUTPUT:C:\Process.txt path win32_process get Caption,Processid,Commandline
Solution 3
One can also achieve that by using Task Manager.
Open task manager (by CTRL-SHIFT-ESC, CTRL-ALT-DELETE or any other method).
For Windows 7 (and probably Windows XP):
- Go to "Processes" tab. Then on the "View" menu, select "Select Columns...".
- Check the checkbox of "Command Line" and click OK. (You may have to scroll down to find it)
For Windows 8:
- Go to "Details" tab. Right-click on any of the columns (eg. Names, PID etc.) and select "Select columns".
- Check the checkbox of "Command Line" and click OK. (You may have to scroll down to find it)
A column of command lines will be added to the currently displayed columns.
Solution 4
PowerShell to the rescue.
Find:
Get-WmiObject Win32_Process -Filter "name = 'perl.exe'" | where {$_.CommandLine -eq '"C:\strawberry\perl\bin\perl.exe" t/Server_PreFork.t'}
And kill as bonus:
Get-WmiObject Win32_Process -Filter "name = 'perl.exe'" | where {$_.CommandLine -eq '"C:\strawberry\perl\bin\perl.exe" t/Server_PreFork.t'} | ForEach-Object { Invoke-WmiMethod -Path $_.__Path -Name Terminate }
You can run it from powershell directly or from a ps1 if you've got your system set up. I detail unrestricted script setup on i kill zombies with powershell as well as other powershell tricks...
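A scripted version of Solutions 2 and 4, added here as an example and not taken from any of the answers: it uses Get-CimInstance (the successor to Get-WmiObject and WMIC) to write full, untruncated command lines to a CSV and warns about processes whose command line came back empty, which commonly happens in a non-elevated shell. The function name, the name pattern and the output path are assumptions.

```powershell
# Added example: snapshot of process command lines via CIM.
# Get-ProcessCommandLine, 'perl%' and the CSV path are illustrative names.
function Get-ProcessCommandLine {
    param(
        # WQL LIKE pattern for the image name, e.g. 'perl%' ('%' alone matches all).
        # Quotes and backslashes are rejected so the pattern cannot alter the WQL filter.
        [ValidatePattern('^[\w.%\- ]+$')]
        [string]$NamePattern = '%',

        # Optional CSV path; a file avoids the truncation of console and GUI columns.
        [string]$OutFile
    )

    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name LIKE '$NamePattern'" |
        Select-Object ProcessId, ParentProcessId, Name, CreationDate, CommandLine |
        Sort-Object Name, ProcessId

    # CommandLine is empty when the caller is not allowed to open the process
    # (for example a non-elevated shell looking at a system process).
    $unreadable = @($procs | Where-Object { -not $_.CommandLine })
    if ($unreadable.Count -gt 0) {
        $names = ($unreadable.Name | Sort-Object -Unique) -join ', '
        Write-Warning "$($unreadable.Count) process(es) returned no command line: $names"
    }

    if ($OutFile) {
        $procs | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    }
    $procs
}

# All perl processes, with full command lines also saved in the current directory.
Get-ProcessCommandLine -NamePattern 'perl%' -OutFile .\perl-processes.csv |
    Format-List ProcessId, ParentProcessId, CommandLine
```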
Solution 5
Previous answers are great in case the process is already running and is not going to terminate any time soon. However, if you need (as I did) to do this perhaps with processes that start up multiple times and/or quickly terminate, or perhaps log occurrences over a longer period of time, there is a way to do this using Process Monitor.
Basically, it logs various events in the system; in this case we can just filter on the "Process Start" event and the name of the process we want to monitor, as shown below:
Then just keep the process monitor running and do whatever you do to get the process you want to log running. You can see in either the "Detail" column or the "Command line" column (depends on how you configure those) the command line arguments. For example:
Of course, this way you can extract much more related information, such as what the working directory is, what environment variables have been passed on to the process, etc. Also, it is easy to export the results into a file.
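A scripted alternative to the Process Monitor filter, added as an example and not part of the original answer: a WMI event subscription that appends the command line of every newly started process with a given name to a log file. The process name, log path and source identifier are assumptions; `WITHIN 1` polls once per second, so a process that exits faster than that can be missed, unlike with Process Monitor's driver-based capture.

```powershell
# Added example: log the command line of each new process with a given name.
# 'perl.exe', the log path and 'CmdLineWatch' are illustrative values.
$processName = 'perl.exe'
$logFile     = Join-Path $env:TEMP 'process-starts.log'

# WQL event query: fires when a Win32_Process instance with this name appears.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_Process' " +
         "AND TargetInstance.Name = '$processName'"

# The action block runs in the background of this session for every match.
Register-CimIndicationEvent -Query $query -SourceIdentifier 'CmdLineWatch' `
    -MessageData $logFile -Action {
        $p = $Event.SourceEventArgs.NewEvent.TargetInstance
        $line = '{0:o} pid={1} ppid={2} cmd={3}' -f (Get-Date),
            $p.ProcessId, $p.ParentProcessId, $p.CommandLine
        Add-Content -Path $Event.MessageData -Value $line
    } | Out-Null

# Keep this PowerShell session open, reproduce the launch you want to observe,
# then read the log:
#   Get-Content $logFile
# Remove the subscription when done:
#   Unregister-Event -SourceIdentifier 'CmdLineWatch'
```

Run the session elevated if the watched process belongs to another user, otherwise the logged command line can be empty.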
Gepard
Updated on September 18, 2022
Comments
-
Gepard almost 2 years
I'm looking for a tool or method to find out what command line parameters have been passed to a program, for example when it was run by another program (launcher-application scenario).
-
Admin almost 3 years
How can the question "Get the complete command line of a process", from Mar 21 '12, be a duplicate of this question here from Apr 22 '12?
-
-
cutrightjm about 12 years
That's really cool.
-
Gepard about 12 years
Unfortunately, it doesn't seem to work with applications protected with WinLicense/Themida: oreans.com/winlicense.php Any other ideas?
-
Oliver Salzburg about 12 years
@Gepard: How do you know it doesn't work? Are you sure the application was, in fact, called with command line arguments? Either way, PE uses the Windows way of determining that information. Anything else would have to be custom-tailored to a specific application, I assume.
-
Gepard about 12 years
My bad, it didn't run PE elevated. It's working as intended.
-
tvdo over 11 years
That does not show the calling command line. /m shows loaded modules (DLLs, etc.) and /svc shows services hosted in each process.
-
Pacerier over 9 years
@OliverSalzburg, How did this program work? Can any normal C program achieve this?
-
Pacerier over 9 years
If you run as administrator you wouldn't be seeing [Error opening process message]
-
Sopalajo de Arrierez over 9 years
You were right, @Pacerier . Too obvious to remember :-) . Thank you. I have edited my post to reflect it.
-
Oliver Salzburg over 9 years
@Pacerier I assume so. There's probably a Windows API to do this. I don't know the implementation though.
-
Manoj Sheth over 9 years
@Pacerier: I'm not sure to be honest ;-) I think it came from digging around the WMI docs and playing around because I needed to use WMI for something at the time.
-
Pacerier over 9 years
Which WMI docs are you referring to?
-
Pacerier over 9 years
@OliverSalzburg, So it looks like a virus could go undetected even with this.
-
Jesse Barnum over 8 years
This only shows what will fit in the visible window area, so it's not helpful for long commands.
-
Jeromy Adofo over 8 years
I don't really get you @JesseBarnum, one can always resize the column to have a complete view no matter how long the command line is, right?
-
Manoj Sheth over 8 years
-
Jesse Barnum over 8 years
Only if the window is wide enough for the size of the command. If the command is something like a Java process with a long classpath, that won't fit in the window width.
-
Jeromy Adofo over 8 years
Alright thanks, noted. I haven't had that problem though and by the way my task manager is scrollable - don't know about yours :-). I think if you can send me a sample program to try, that could settle it.
-
chriv about 8 years
This was a very helpful command line method for getting the command line of a running process. In my case, I was able to tweak this slightly to get output just for a specific process: WMIC path win32_process where "caption='cmd.exe'" get Commandline
-
zhaorufei almost 8 years
Great, and the where clause actually supports some SQL features, e.g., where "name like 'cmd.%'"
-
Yordan Georgiev over 7 years
can't fetch java cmd call for some reason ...
-
Yuci over 7 years
Running in cmd.exe the command "WMIC /OUTPUT:C:\Process.txt path win32_process get Caption,Processid,Commandline" complains "Invalid file name." So instead I use "WMIC /OUTPUT:Process.txt path win32_process get Caption,Processid,Commandline" to output to the current directory.
-
capitano666 over 7 years
Just pointing out that if WMIC is called from the powershell quotes must be used around the get parameters: WMIC path win32_process get "Caption,Processid,Commandline"
-
Hashim Aziz over 7 years
This is a vastly underrated answer, had no idea this was possible.
-
jmiserez almost 7 years
@JesseBarnum is right, it does not work for really long command lines, the text is truncated at some fixed length even if you resize the column. My taskmgr is scrollable too, of course.
-
Tom almost 7 years
Whoa... the kill part is quite dangerous, given the title of the question ;) Otherwise a very neat answer ;)
-
phuclv over 6 years
@JesseBarnum it shows the tooltip as you hover on the command line text, just like Process Explorer in the accepted answer
-
JohnD over 6 years
I see a couple of comments above about the Windows Task Manager. Even if you set the 'Command line' column to show a Java process with a really long command line will get truncated. BUT, you can click on the row in the Task Manager and 'copy' (Ctrl-c) the whole row and paste this into a text editor to see the whole command line, no matter how long.
-
Jeromy Adofo over 6 years
That is an awesome find @JohnD! I thought copying was not possible because I didn't find it in the context menu after right-clicking. The only thing is that the copying is not working for a few processes, but I haven't figured out why yet.
-
Neeraj about 6 years
Awesome! Had no idea that option was there. Now that I know I figured there's also a 'Command line' option to select when you right-click on the top-row under 'Processes' tab.
-
Stragulus over 5 years
I like this answer best. It works with a standard windows installation (including windows 10).
-
rleelr over 4 years
Here's an example of SQL like filtering in the where clause:
WMIC path win32_process where "name like '%cmd%'" get Caption,Processid,Commandline
-
Mark Jeronimus over 3 years
Does this still work? Process Explorer is/was my favorite Windows tool, but I can't get it working at all on two W10 machines. It's as if all rows are there but all columns have disappeared, and sometimes all rows disappear too.
-
Noman_1 over 2 years
@MarkJeronimus On my current computer with W10 professional I get the exe file properties, not the process, but I'm on an office computer and some functionalities may be restricted by the company directives on active directory. Andy's answer worked out for me using the WMIC command with /OUTPUT switch
-
Noman_1 over 2 years
You still can highlight an entry and do Ctrl + C to get the content into the clipboard