Szerkesztés

Megosztás a következőn keresztül:

Win32_Process class

  • Cikk

The Win32_Process WMI class represents a process on an operating system.

The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties.

Note

For a general discussion on Processes and Threads within Windows, please see the topic Processes and Threads.

Syntax

[Dynamic, Provider("CIMWin32"), SupportsCreate, CreateBy("Create"), SupportsDelete, DeleteBy("DeleteInstance"), UUID("{8502C4DC-5FBB-11D2-AAC1-006008C78BC7}"), DisplayName("Processes"), AMENDMENT]
class Win32_Process : CIM_Process
{
  string   CreationClassName;
  string   Caption;
  string   CommandLine;
  datetime CreationDate;
  string   CSCreationClassName;
  string   CSName;
  string   Description;
  string   ExecutablePath;
  uint16   ExecutionState;
  string   Handle;
  uint32   HandleCount;
  datetime InstallDate;
  uint64   KernelModeTime;
  uint32   MaximumWorkingSetSize;
  uint32   MinimumWorkingSetSize;
  string   Name;
  string   OSCreationClassName;
  string   OSName;
  uint64   OtherOperationCount;
  uint64   OtherTransferCount;
  uint32   PageFaults;
  uint32   PageFileUsage;
  uint32   ParentProcessId;
  uint32   PeakPageFileUsage;
  uint64   PeakVirtualSize;
  uint32   PeakWorkingSetSize;
  uint32   Priority;
  uint64   PrivatePageCount;
  uint32   ProcessId;
  uint32   QuotaNonPagedPoolUsage;
  uint32   QuotaPagedPoolUsage;
  uint32   QuotaPeakNonPagedPoolUsage;
  uint32   QuotaPeakPagedPoolUsage;
  uint64   ReadOperationCount;
  uint64   ReadTransferCount;
  uint32   SessionId;
  string   Status;
  datetime TerminationDate;
  uint32   ThreadCount;
  uint64   UserModeTime;
  uint64   VirtualSize;
  string   WindowsVersion;
  uint64   WorkingSetSize;
  uint64   WriteOperationCount;
  uint64   WriteTransferCount;
};

Members

The Win32_Process class has these types of members:

Methods

The Win32_Process class has these methods.

Method Description
AttachDebugger Launches the currently registered debugger for a process.
Create Creates a new process.
GetAvailableVirtualSize Retrieves the current size, in bytes, of the free virtual address space available to the process.
Windows Server 2012, Windows 8, Windows 7, Windows Server 2008 and Windows Vista: This method is not supported before Windows 8.1 and Windows Server 2012 R2.
GetOwner Retrieves the user name and domain name under which the process is running.
GetOwnerSid Retrieves the security identifier (SID) for the owner of a process.
SetPriority Changes the execution priority of a process.
Terminate Terminates a process and all of its threads.

 

Properties

The Win32_Process class has these properties.

Caption

Data type: string

Access type: Read-only

Qualifiers: MaxLen (64), DisplayName ("Caption")

Short description of an object—a one-line string.

This property is inherited from CIM_ManagedSystemElement.

CommandLine

Data type: string

Access type: Read-only

Qualifiers: DisplayName ("Command Line To Start Process")

Command line used to start a specific process, if applicable.

CreationClassName

Data type: string

Access type: Read-only

Qualifiers: CIM_Key, MaxLen (256), DisplayName ("Class Name")

Name of the class or subclass used in the creation of an instance. When used with other key properties of the class, this property allows all instances of the class and its subclasses to be uniquely identified.

This property is inherited from CIM_Process.

CreationDate

Data type: datetime

Access type: Read-only

Qualifiers: Fixed, DisplayName ("CreationDate")

Date the process begins executing.

This property is inherited from CIM_Process.

CSCreationClassName

Data type: string

Access type: Read-only

Qualifiers: Propagated ("CIM_OperatingSystem.CSCreationClassName"), CIM_Key, MaxLen (256), DisplayName ("Computer System Class Name")

Creation class name of the scoping computer system.

This property is inherited from CIM_Process.

CSName

Data type: string

Access type: Read-only

Qualifiers: Propagated ("CIM_OperatingSystem.CSName"), CIM_Key, MaxLen (256), DisplayName ("Computer System Name")

Name of the scoping computer system.

This property is inherited from CIM_Process.

Description

Data type: string

Access type: Read-only

Qualifiers: DisplayName ("Description")

Description of an object.

This property is inherited from CIM_ManagedSystemElement.

ExecutablePath

Data type: string

Access type: Read-only

Qualifiers: Privileges ("SeDebugPrivilege"), MappingStrings ("Win32API|Tool Help Structures|MODULEENTRY32|szExePath"), DisplayName ("Executable Path")

Path to the executable file of the process.

Example: "C:\Windows\System\Explorer.Exe"

ExecutionState

Data type: uint16

Access type: Read-only

Qualifiers: DisplayName ("Execution State")

Current operating condition of the process.

This property is inherited from CIM_Process.

Unknown (0)

Unknown

Other (1)

Other

Ready (2)

Running (3)

Blocked (4)

Blocked

Suspended Blocked (5)

Suspended Ready (6)

Terminated (7)

Stopped (8)

Growing (9)

Handle

Data type: string

Access type: Read-only

Qualifiers: Key, MaxLen (256), DisplayName ("Handle")

Process identifier.

This property is inherited from CIM_Process.

HandleCount

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|HandleCount"), DisplayName ("Handle Count")

Total number of open handles owned by the process. HandleCount is the sum of the handles currently open by each thread in this process. A handle is used to examine or modify the system resources. Each handle has an entry in a table that is maintained internally. Entries contain the addresses of the resources and data to identify the resource type.

InstallDate

Data type: datetime

Access type: Read-only

Qualifiers: MappingStrings ("MIF.DMTF|ComponentID|001.5"), DisplayName ("Install Date")

Date an object is installed. The object may be installed without a value being written to this property.

This property is inherited from CIM_ManagedSystemElement.

KernelModeTime

Data type: uint64

Access type: Read-only

Qualifiers: Override ("KernelModeTime"), Units ("100 nanoseconds")

Time in kernel mode, in milliseconds. If this information is not available, use a value of 0 (zero).

For more information about using uint64 values in scripts, see Scripting in WMI.

MaximumWorkingSetSize

Data type: uint32

Access type: Read-only

Qualifiers: Privileges ("SeDebugPrivilege"), MappingStrings ("Win32|WINNT.H|QUOTA_LIMITS|MaximumWorkingSetSize"), DisplayName ("Maximum Working Set Size"), Units ("kilobytes")

Maximum working set size of the process. The working set of a process is the set of memory pages visible to the process in physical RAM. These pages are resident, and available for an application to use without triggering a page fault.

Example: 1413120

MinimumWorkingSetSize

Data type: uint32

Access type: Read-only

Qualifiers: Privileges ("SeDebugPrivilege"), MappingStrings ("Win32|WINNT.H|QUOTA_LIMITS|MinimumWorkingSetSize"), DisplayName ("Minimum Working Set Size"), Units ("kilobytes")

Minimum working set size of the process. The working set of a process is the set of memory pages visible to the process in physical RAM. These pages are resident and available for an application to use without triggering a page fault.

Example: 20480

Name

Data type: string

Access type: Read-only

Qualifiers: DisplayName ("Name")

Name of the executable file responsible for the process, equivalent to the Image Name property in Task Manager.

When inherited by a subclass, the property can be overridden to be a key property. The name is hard-coded into the application itself and is not affected by changing the file name. For example, even if you rename Calc.exe, the name Calc.exe will still appear in Task Manager and in any WMI scripts that retrieve the process name.

This property is inherited from CIM_ManagedSystemElement.

OSCreationClassName

Data type: string

Access type: Read-only

Qualifiers: Propagated ("CIM_OperatingSystem.CreationClassName"), CIM_Key, MaxLen (256), DisplayName ("Operating System Class Name")

Creation class name of the scoping operating system.

This property is inherited from CIM_Process.

OSName

Data type: string

Access type: Read-only

Qualifiers: Propagated ("CIM_OperatingSystem.Name"), CIM_Key, MaxLen (256), DisplayName ("Operating System Name")

Name of the scoping operating system.

This property is inherited from CIM_Process.

OtherOperationCount

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process and Thread Structures|SYSTEM_PROCESS_INFORMATION|OtherOperationCount"), DisplayName ("Other Operation Count")

Number of I/O operations performed that are not read or write operations.

For more information about using uint64 values in scripts, see Scripting in WMI.

OtherTransferCount

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process and Thread Structures|SYSTEM_PROCESS_INFORMATION|OtherTransferCount"), DisplayName ("Other Transfer Count"), Units ("bytes")

Amount of data transferred during operations that are not read or write operations.

For more information about using uint64 values in scripts, see Scripting in WMI.

PageFaults

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|PageFaultCount"), DisplayName ("Number Of Page Faults")

Number of page faults that a process generates.

Example: 10

PageFileUsage

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|PagefileUsage"), DisplayName ("Page File Usage"), Units ("kilobytes")

Amount of page file space that a process is using currently. This value is consistent with the VMSize value in TaskMgr.exe.

Example: 102435

ParentProcessId

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|InheritedFromUniqueProcessId"), DisplayName ("Parent Process Id")

Unique identifier of the process that creates a process. Process identifier numbers are reused, so they only identify a process for the lifetime of that process. It is possible that the process identified by ParentProcessId is terminated, so ParentProcessId may not refer to a running process. It is also possible that ParentProcessId incorrectly refers to a process that reuses a process identifier. You can use the CreationDate property to determine whether the specified parent was created after the process represented by this Win32_Process instance was created.

PeakPageFileUsage

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|PeakPagefileUsage"), DisplayName ("Peak Page File Usage"), Units ("kilobytes")

Maximum amount of page file space used during the life of a process.

Example: 102367

PeakVirtualSize

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|PeakVirtualSize"), DisplayName ("Peak Virual Address Space Usage"), Units ("bytes")

Maximum virtual address space a process uses at any one time. Using virtual address space does not necessarily imply corresponding use of either disk or main memory pages. However, virtual space is finite, and by using too much the process might not be able to load libraries.

For more information about using uint64 values in scripts, see Scripting in WMI.

PeakWorkingSetSize

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|PeakWorkingSetSize"), DisplayName ("Peak Working Set Size"), Units ("kilobytes")

Peak working set size of a process.

Example: 1413120

Priority

Data type: uint32

Access type: Read-only

Qualifiers: Override ("Priority"), MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|BasePriority"), DisplayName ("Priority")

Scheduling priority of a process within an operating system. The higher the value, the higher priority a process receives. Priority values can range from 0 (zero), which is the lowest priority to 31, which is highest priority.

Example: 7

PrivatePageCount

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|PrivatePageCount"), DisplayName ("Private Page Count")

Current number of pages allocated that are only accessible to the process represented by this Win32_Process instance.

For more information about using uint64 values in scripts, see Scripting in WMI.

ProcessId

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process and Thread Structures|PROCESS_INFORMATION|dwProcessId "), DisplayName ("Process Id")

Numeric identifier used to distinguish one process from another. ProcessIDs are valid from process creation time to process termination. Upon termination, that same numeric identifier can be applied to a new process.

This means that you cannot use ProcessID alone to monitor a particular process. For example, an application could have a ProcessID of 7, and then fail. When a new process is started, the new process could be assigned ProcessID 7. A script that checked only for a specified ProcessID could thus be "fooled" into thinking that the original application was still running.

QuotaNonPagedPoolUsage

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|QuotaNonPagedPoolUsage"), DisplayName ("Non-Paged Pool Usage Quota")

Quota amount of nonpaged pool usage for a process.

Example: 15

QuotaPagedPoolUsage

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|QuotaPagedPoolUsage"), DisplayName ("Paged Pool Usage Quota")

Quota amount of paged pool usage for a process.

Example: 22

QuotaPeakNonPagedPoolUsage

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|QuotaPeakNonPagedPoolUsage"), DisplayName ("Peak Non-Paged Pool Usage Quota")

Peak quota amount of nonpaged pool usage for a process.

Example: 31

QuotaPeakPagedPoolUsage

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|QuotaPeakPagedPoolUsage"), DisplayName ("Peak Paged Pool Usage Quota")

Peak quota amount of paged pool usage for a process.

Example: 31

ReadOperationCount

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process and Thread Structures|SYSTEM_PROCESS_INFORMATION|ReadOperationCount"), DisplayName ("Read Operation Count")

Number of read operations performed.

For more information about using uint64 values in scripts, see Scripting in WMI.

ReadTransferCount

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process and Thread Structures|SYSTEM_PROCESS_INFORMATION|ReadTransferCount"), DisplayName ("Read Transfer Count"), Units ("bytes")

Amount of data read.

For more information about using uint64 values in scripts, see Scripting in WMI.

SessionId

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|SessionId"), DisplayName ("Session Id")

Unique identifier that an operating system generates when a session is created. A session spans a period of time from logon until logoff from a specific system.

Status

Data type: string

Access type: Read-only

Qualifiers: MaxLen (10), DisplayName ("Status")

This property is not implemented and does not get populated for any instance of this class. It is always NULL.

This property is inherited from CIM_ManagedSystemElement.

Values include the following:

OK ("OK")

Error ("Error")

Degraded ("Degraded")

Unknown ("Unknown")

Pred Fail ("Pred Fail")

Starting ("Starting")

Stopping ("Stopping")

Service ("Service")

Stressed ("Stressed")

NonRecover ("NonRecover")

No Contact ("No Contact")

Lost Comm ("Lost Comm")

TerminationDate

Data type: datetime

Access type: Read-only

Qualifiers: DisplayName ("Termination Date")

Process was stopped or terminated. To get the termination time, a handle to the process must be held open. Otherwise, this property returns NULL.

This property is inherited from CIM_Process.

ThreadCount

Data type: uint32

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|NumberOfThreads"), DisplayName ("Thread Count")

Number of active threads in a process. An instruction is the basic unit of execution in a processor, and a thread is the object that executes an instruction. Each running process has at least one thread.

UserModeTime

Data type: uint64

Access type: Read-only

Qualifiers: Override ("UserModeTime"), Units ("100 nanoseconds")

Time in user mode, in 100 nanosecond units. If this information is not available, use a value of 0 (zero).

For more information about using uint64 values in scripts, see Scripting in WMI.

VirtualSize

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process Status|SYSTEM_PROCESS_INFORMATION|VirtualSize"), DisplayName ("Virtual Address Space Usage"), Units ("bytes")

Current size of the virtual address space that a process is using, not the physical or virtual memory actually used by the process. Using virtual address space does not necessarily imply corresponding use of either disk or main memory pages. Virtual space is finite, and by using too much, the process might not be able to load libraries. This value is consistent with what you see in Perfmon.exe.

For more information about using uint64 values in scripts, see Scripting in WMI.

WindowsVersion

Data type: string

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process and Thread Functions|GetProcessVersion"), DisplayName ("Windows Version")

Version of Windows in which the process is running.

Example: 4.0

WorkingSetSize

Data type: uint64

Access type: Read-only

Qualifiers: DisplayName ("Working Set Size"), Units ("bytes")

Amount of memory in bytes that a process needs to execute efficiently—for an operating system that uses page-based memory management. If the system does not have enough memory (less than the working set size), thrashing occurs. If the size of the working set is not known, use NULL or 0 (zero). If working set data is provided, you can monitor the information to understand the changing memory requirements of a process.

For more information about using uint64 values in scripts, see Scripting in WMI.

This property is inherited from CIM_Process.

WriteOperationCount

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process and Thread Structures|SYSTEM_PROCESS_INFORMATION|WriteOperationCount"), DisplayName ("Write Operation Count")

Number of write operations performed.

For more information about using uint64 values in scripts, see Scripting in WMI.

WriteTransferCount

Data type: uint64

Access type: Read-only

Qualifiers: MappingStrings ("Win32API|Process and Thread Structures|SYSTEM_PROCESS_INFORMATION|WriteTransferCount"), DisplayName ("Write Transfer Count"), Units ("bytes")

Amount of data written.

For more information about using uint64 values in scripts, see Scripting in WMI.

Remarks

The Win32_Process class is derived from CIM_Process. The calling process that uses this class must have the SE_RESTORE_NAME privilege on the computer in which the registry resides. For more information, see Executing Privileged Operations.

Overview

Processes underlie almost everything that happens on a computer. In fact, the root cause of most computer problems can be traced to processes; for example, too many processes might be running on a computer (and contending for a finite set of resources), or a single process might be using more than its share of resources. These factors make it important to keep a close watch on the processes running on a computer. Process monitoring, the main activity in process management, allows you to determine what a computer actually does, what applications the computer runs, and how those applications are affected by changes in the computing environment.

Monitoring a Process

Monitoring processes on a regular basis helps you ensure that a computer runs at peak efficiency and that it carries out its appointed tasks as expected. For example, by monitoring processes you can be notified immediately of any application that has stopped responding, and then take steps to end that process. In addition, process monitoring enables you to identify problems before they occur. For example, by repeatedly checking the amount of memory used by a process, you can identify a memory leak. You can then stop the process before the errant application uses all of the available memory and brings the computer to a halt.

Process monitoring also helps minimize the disruptions caused by planned outages for upgrades and maintenance. For example, by checking the status of a database application running on client computers, you can determine the impact of taking the database offline in order to upgrade the software.

Monitoring process availability. Measures the percentage of time that a process is available. Availability is typically monitored by use of a simple probe, which reports whether the process is still running. By keeping track of the results of each probe, you can calculate the availability of the process. For example, a process that is probed 100 times and responds on 95 of those occasions has an availability of 95 percent. This type of monitoring is typically reserved for databases, mail programs, and other applications that are expected to run at all times. It is not appropriate for word processing programs, spreadsheets, or other applications that are routinely started and stopped several times a day.

You can create an instance of the Win32_ProcessStartup class to configure the process.

You can monitor process performance with the Win32_PerfFormattedData_PerfProc_Process class and a WMI refresher object, such as SWbemRefresher. For more information, see Monitoring Performance Data.

Examples

In the Example: Calling a Provider Method topic, the code uses C++ to call Win32_Process to create a process.

Availability is the simplest form of process monitoring: with this approach, you simply ensure that the process is running. When you monitor for process availability, you typically retrieve a list of processes running on a computer and then verify that a particular process is still active. If the process is active, it is considered available. If the process is not active, it is not available. The following VBScript sample monitors process availability by checking the list of processes running on a computer and issuing a notification if the Database.exe process is not found.

strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcesses = objWMIService.ExecQuery("SELECT * FROM Win32_Process WHERE Name = 'Database.exe'")
If colProcesses.Count = 0 Then
 Wscript.Echo "Database.exe is not running."
Else
 Wscript.Echo "Database.exe is running."
End If

The following VBScript sample monitors process creation using a temporary event consumer.

strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colMonitoredProcesses = objWMIService.ExecNotificationQuery("SELECT * FROM __InstanceCreationEvent " _
                                                     & "WITHIN 10 WHERE TargetInstance ISA 'Win32_Process'")
i = 0
Do While i = 0
 Set objLatestProcess = colMonitoredProcesses.NextEvent
 Wscript.Echo objLatestProcess.TargetInstance.Name, Now
Loop

The following VBScript monitors process performance information.

strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcessList = objWMIService.ExecQuery("SELECT * FROM Win32_Process")
For Each objProcess in colProcessList
 Wscript.Echo "Process: " & objProcess.Name
 Wscript.Echo "Process ID: " & objProcess.ProcessID
 Wscript.Echo "Thread Count: " & objProcess.ThreadCount
 Wscript.Echo "Page File Size: " & objProcess.PageFileUsage
 Wscript.Echo "Page Faults: " & objProcess.PageFaults
 Wscript.Echo "Working Set Size: " & objProcess.WorkingSetSize
Next

The following VBScript code example shows how to obtain the owner of each process on a local computer. You can use this script to obtain data from a remote computer, for example, to determine which users have processes running terminal server, substitute the name of the remote computer for "." in the first line. You must also be an administrator on the remote machine.

strComputer = "." 
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colProcesses = objWMIService.ExecQuery("select * from win32_process" )
For Each objProcess in colProcesses

  If objProcess.GetOwner ( User, Domain ) = 0 Then
    Wscript.Echo "Process " & objProcess.Caption & " belongs to " & Domain & "\" & User
  Else
    Wscript.Echo "Problem " & Rtn & " getting the owner for process " & objProcess.Caption
  End If
Next

The following VBScript code example shows how to obtain the logon session associated with a running process. A process must be running Notepad.exe before the script starts. The example locates the instances of Win32_LogonSession associated with the Win32_Process that represents Notepad.exe. Win32_SessionProcess is specified as the association class. For more information, see ASSOCIATORS OF Statement..

On error resume next
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colProcesses = objWMIService.ExecQuery("Select * from Win32_Process Where Name = 'Notepad.exe'")
For Each objProcess in colProcesses
  ProcessId = objProcess.ProcessId
  Set colLogonSessions = objWMIService.ExecQuery("Associators of {Win32_Process='" & ProcessId & "'} " _
                                               & "Where Resultclass = Win32_LogonSession Assocclass = Win32_SessionProcess", "WQL", 48)
  If Err <> 0 Then
    WScript.Echo "Error on associators query= " & Err.number & " " & Err.Description
    WScript.Quit
  End If
  For Each LogonSession in colLogonSessions
    Wscript.Echo " Logon id is " & LogonSession.LogonId
  Next
Next

Requirements

Requirement Value
Minimum supported client
 Windows Vista
Minimum supported server
 Windows Server 2008
Namespace
 Root\CIMV2
MOF
CIMWin32.mof
DLL
CIMWin32.dll

See also

CIM_Process

Operating System Classes

WMI Tasks: Processes