Get running processes via WMI activity

The Get Running Processes via WMI workflow activity retrieves the running processes of a configuration item on a Windows-based system. This activity can accelerate the investigation and remediation process.

The Get Running Processes via WMI activity can be used with any workflow to retrieve running processes on a Windows-based system.

Input variables

Input variables determine the initial behavior of the activity.

Table 1. Input variables
Variable           Description
target [string]    The fully qualified domain name (FQDN) or IP address of the target system.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 2. Output variables
Variable           Description
response [string]  A JSON string representing the current running processes on the target system.

JSON data includes:

pid
The process identifier
name
The name of the process

Also, if available:

Owner
The name of the process owner
owner_sid
The security identifier (SID) of the process owner
owner_domain
The domain of the process owner
path
The file path of the process executable
hash
The hash value of the process executable. The hash is in SHA-256 for PowerShell V4 or higher. Otherwise, the hash is in MD5.
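
The following is an added example, not code from the product or its documentation: plain JavaScript that a later script step could use to triage the response value. It assumes the JSON string decodes to an array of process objects; triageProcesses, hashAlgorithm, the denylist shape, and the sample data are hypothetical.

```javascript
// Added example: triage the activity's "response" output in a later script step.
// Assumption: the JSON string decodes to an array of process objects.
function hashAlgorithm(hash) {
  // Infer the algorithm from the hex digest length, per the field description:
  // SHA-256 (64 hex chars) with PowerShell V4 or higher, MD5 (32 hex chars) otherwise.
  if (typeof hash !== 'string') return null;
  if (/^[0-9a-f]{64}$/i.test(hash)) return 'SHA-256';
  if (/^[0-9a-f]{32}$/i.test(hash)) return 'MD5';
  return null;
}

function triageProcesses(responseJson, denylist) {
  // denylist (hypothetical input): { 'SHA-256': [...], 'MD5': [...] }, lowercase hex digests.
  var processes = JSON.parse(responseJson);
  if (!Array.isArray(processes)) throw new TypeError('expected a JSON array of processes');
  return processes.map(function (p) {
    var algo = hashAlgorithm(p.hash);
    var notes = [];
    if (!p.path) notes.push('no-path');          // optional field was not available
    if (!algo) notes.push('no-usable-hash');     // digest missing or not MD5/SHA-256 hex
    if (algo === 'MD5') notes.push('md5-only');  // usable for denylist matching, not for allowlisting
    // Compare only against digests of the same algorithm, case-insensitively.
    var bad = algo !== null &&
      (denylist[algo] || []).indexOf(p.hash.toLowerCase()) !== -1;
    if (bad) notes.push('denylisted');
    return { pid: p.pid, name: p.name, algorithm: algo, notes: notes };
  });
}

// Constructed sample response (not real output); digests are filler values.
var SAMPLE_RESPONSE = JSON.stringify([
  { pid: 4, name: 'System' },
  { pid: 1312, name: 'example.exe', path: 'C:\\Temp\\example.exe', hash: 'A'.repeat(64) },
  { pid: 2044, name: 'legacy.exe', path: 'C:\\Tools\\legacy.exe', hash: 'b'.repeat(32) }
]);
var SAMPLE_DENYLIST = { 'SHA-256': ['a'.repeat(64)], 'MD5': [] };
```

Entries noted as no-usable-hash or md5-only are the ones to review manually, because the optional fields were missing or the target could only supply an MD5 digest.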

Restrictions

The MID Server must support PowerShell.

The SHA-256 hash requires PowerShell V4 or higher.