Windows – How to determine if a process on Windows “has no parent”


I am trying to figure out a way through the Windows command line to determine if a process has no parent.

I know all processes technically have a parent that is controlled by the OS or whatever, but for the sake of simplicity it "has no parent". For instance, if you open an explorer window, it will show up in Process Explorer at the top of its process tree.

When I do a wmic query on the process, however, I get a PID for 'parentProcessPID'. When I try and look up that PID using tasklist, it says that PID is not recognized. I have looked at a couple of processes like this and they seem to have different parent processes that are all inaccessible through tasklist. If a process has a parent process that is inaccessible through tasklist, does that mean it is at the "top" of its process tree?

I am asking because I am trying to differentiate between a program running by itself and the same program running as a child process of another program.

For example:

Let's say I go into the Windows start menu and open up an explorer window. Then, I open up a cmd window and type: explorer.exe. I now have two explorer.exe processes. One is a child process of cmd.exe and one is a stand-alone process. I want to be able, through a wmic or tasklist query, to single out all explorer.exe processes that are stand-alone processes. So, the process I started through the Windows start menu should be returned and not the process started by cmd.exe.

I am running into the issue that every process has a parent process ID, and I do not know how to differentiate between a parent process coming from a program or the parent process coming from a process related to the OS. If I can do the following, that would be great:

Pseudocode:

    wmic process where "name='explorer.exe'" get ParentProcessId,ProcessId
    tasklist /fi "PID eq <parentProcessID>" > log.txt 2>&1
    if (log.txt contains "INFO: No tasks are running which match the specified criteria.") {
        // Parent PID is not recognized by tasklist
        // Do something
    }

But I am unsure if my logic is correct.

Best Answer

I am not sure how to do it from the command line, but I wrote this to do some filtering of OS-related processes from PowerShell. Maybe it will give you an idea. It skips items owned by service, system and null.

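    # List processes with their parent PID and owner, skipping those owned by
    # SYSTEM, LOCAL SERVICE, NETWORK SERVICE, or with no resolvable owner.
    gwmi win32_process |
        select ProcessID, ParentProcessID, Name, @{l="Username"; e={$_.GetOwner().User}} |
        where {$_.Username -ne "SYSTEM"} |
        where {$_.Username -ne "LOCAL SERVICE"} |
        where {$_.Username -ne "NETWORK SERVICE"} |
        where {$_.Username -ne $null} |
        Sort-Object ProcessID |
        ft -AutoSize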

Output

    ProcessID ParentProcessID Name            Username
    --------- --------------- ----            --------
     2136     3460            notepad.exe     KNUCKLE-DRAGGER
     2504     3460            firefox.exe     KNUCKLE-DRAGGER
     2792      700            dllhost.exe     KNUCKLE-DRAGGER
     2816     4232            conhost.exe     KNUCKLE-DRAGGER
     2916     3460            powershell.exe  KNUCKLE-DRAGGER
     3128     3460            notepad.exe     KNUCKLE-DRAGGER
     3180      576            taskhost.exe    KNUCKLE-DRAGGER
     3196     4308            vmware-tray.exe KNUCKLE-DRAGGER
     3460     4392            explorer.exe    KNUCKLE-DRAGGER
     3644     4636            vmware-vmx.exe  KNUCKLE-DRAGGER
     3696     3460            mplayerc.exe    KNUCKLE-DRAGGER
     4636     3196            vmware.exe      KNUCKLE-DRAGGER
     4828     3460            notepad.exe     KNUCKLE-DRAGGER
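
The parent-PID check from the question, as an added PowerShell example that is not part of the original question or answer: it reports processes whose ParentProcessId matches no running process, and also those whose apparent parent was created after the child, which means the PID has been reused. The function name Get-ParentlessProcess and the sample rows are constructed for illustration; without -Processes it queries Win32_Process live.

```powershell
# Added example, not from the original post; names and sample rows are constructed.
function Get-ParentlessProcess {
    param(
        [Parameter(Mandatory)] [string] $Name,
        # Rows with Name, ProcessId, ParentProcessId, CreationDate (live query by default).
        [object[]] $Processes = (Get-CimInstance Win32_Process)
    )
    # Index every running process by PID so each parent lookup is a hash lookup.
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $Processes | Where-Object Name -eq $Name) {
        $parent = $byPid[[int]$p.ParentProcessId]
        $reason = if (-not $parent) {
            'parent not running'            # same condition the tasklist lookup tests
        } elseif ($parent.CreationDate -gt $p.CreationDate) {
            'parent PID reused'             # the "parent" is younger than the child
        } else {
            $null                           # genuine parent that is still running
        }
        if ($reason) {
            [pscustomobject]@{
                ProcessId       = $p.ProcessId
                ParentProcessId = $p.ParentProcessId
                Name            = $p.Name
                Reason          = $reason
            }
        }
    }
}

# Constructed sample rows standing in for Get-CimInstance output.
$t = Get-Date '2024-01-01T09:00:00'
$sample = @(
    # cmd.exe started from the first explorer.exe
    [pscustomobject]@{ Name = 'cmd.exe';      ProcessId = 4232; ParentProcessId = 3460; CreationDate = $t.AddMinutes(10) }
    # explorer.exe whose parent PID 4392 is absent from the list
    [pscustomobject]@{ Name = 'explorer.exe'; ProcessId = 3460; ParentProcessId = 4392; CreationDate = $t }
    # explorer.exe started from the cmd.exe above
    [pscustomobject]@{ Name = 'explorer.exe'; ProcessId = 5000; ParentProcessId = 4232; CreationDate = $t.AddMinutes(11) }
    # explorer.exe whose parent PID 700 now belongs to a process created later
    [pscustomobject]@{ Name = 'explorer.exe'; ProcessId = 5100; ParentProcessId = 700;  CreationDate = $t.AddMinutes(1) }
    [pscustomobject]@{ Name = 'dllhost.exe';  ProcessId = 700;  ParentProcessId = 576;  CreationDate = $t.AddMinutes(30) }
)
Get-ParentlessProcess -Name explorer.exe -Processes $sample | Format-Table -AutoSize
```

A process whose launcher has since exited is reported the same way as one whose parent was an OS component, so the result says only that the parent is gone, not what the parent was.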