Get running processes via WMI activity

The Get Running Processes via WMI workflow activity retrieves the running processes of a configuration item on a Windows-based system. This activity can accelerate the investigation and remediation process.

The Get Running Processes via WMI activity can be used with any workflow to retrieve running processes on a Windows-based system.

Input variables

Input variables determine the initial behavior of the activity.

Table 1. Input variables

| Variable | Description |
|---|---|
| target [string] | The fully qualified domain name (FQDN) or IP address of the target system. |

Output variables

The output variables contain data that can be used in subsequent activities.

Table 2. Output variables

| Variable | Description |
|---|---|
| response [string] | A JSON string representing the current running processes on the target system. |

JSON data includes:

- pid: The process identifier
- name: The name of the process

Also, if available:

- Owner: The name of the process owner
- owner_sid: The system identifier of the process owner
- owner_domain: The domain of the process owner
- path: The file path of the process executable
- hash: The hash value of the process executable. The hash is in SHA-256 for PowerShell V4 or higher. Otherwise, the hash is in MD5.

Restrictions

- The MID Server must support PowerShell.
- SHA-256 hash requires PowerShell V4.
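A later workflow step can triage the `response` output by checking which optional fields came back and which hash type each process carries. The following is an added example, not part of the original documentation or the vendor's code. It assumes `response` is a JSON array of objects using the keys listed above; `hashAlgorithm`, `triageProcesses`, the watchlist and the sample data are hypothetical and constructed for illustration.

```javascript
// Added example, not vendor code. Assumption: `response` is a JSON array of
// objects that use the keys documented above.

// Infer the digest type from its hex length: SHA-256 = 64 chars, MD5 = 32.
function hashAlgorithm(hash) {
  if (typeof hash !== 'string') return null;
  if (/^[0-9a-f]{64}$/i.test(hash)) return 'SHA-256';
  if (/^[0-9a-f]{32}$/i.test(hash)) return 'MD5';
  return 'unknown';
}

// Return one finding per process that needs analyst attention.
// `watchlist` is a hypothetical array of SHA-256 hex digests.
function triageProcesses(response, watchlist) {
  let processes = JSON.parse(response); // throws on malformed JSON
  if (!Array.isArray(processes)) processes = [processes];
  const wanted = new Set(watchlist.map((h) => h.toLowerCase()));
  const findings = [];
  for (const p of processes) {
    if (!p || typeof p !== 'object') continue;
    const algorithm = hashAlgorithm(p.hash);
    let reason = null;
    if (algorithm === null) reason = 'no hash returned';
    else if (algorithm === 'MD5') reason = 'MD5 only, cannot match SHA-256 watchlist';
    else if (algorithm === 'unknown') reason = 'unrecognised hash format';
    else if (wanted.has(p.hash.toLowerCase())) reason = 'hash on watchlist';
    if (reason) {
      findings.push({ pid: p.pid, name: p.name, owner: p.Owner || null,
                      path: p.path || null, algorithm, reason });
    }
  }
  return findings;
}

// Constructed sample response (not real output from the activity).
const SAMPLE_RESPONSE = JSON.stringify([
  { pid: 4, name: 'System' },
  { pid: 812, name: 'svchost.exe', Owner: 'SYSTEM', owner_sid: 'S-1-5-18',
    owner_domain: 'NT AUTHORITY', path: 'C:\\Windows\\System32\\svchost.exe',
    hash: 'a'.repeat(64) },
  { pid: 3120, name: 'updater.exe', Owner: 'jdoe', owner_domain: 'CORP',
    path: 'C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe',
    hash: 'B'.repeat(64) },
  { pid: 4488, name: 'legacy.exe', path: 'C:\\Tools\\legacy.exe',
    hash: 'c'.repeat(32) },
]);
const SAMPLE_WATCHLIST = ['b'.repeat(64)]; // constructed digest

console.log(triageProcesses(SAMPLE_RESPONSE, SAMPLE_WATCHLIST));
```

Processes reported with an MD5 hash indicate a target running PowerShell older than V4, so their hashes need a separate MD5 lookup or a re-hash before they can be compared against SHA-256 indicators.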