This post is more of a question and ongoing research. Thought I would share my findings so far. If you know the answer, please do share. 🙂 I’ve been trying to understand why the three properties (Path, CommandLine, Executable) are not exposed to non-Administrators. Here is information on the Win32_Process class. I suspect it’s a security-related design, which makes sense. I’ve not been able to find the root explanation. To reproduce the error, follow the steps below:
1. Log into your machine as a local administrator.
2. Launch a Calculator instance.
3. Run gwmi -query 'select * from win32_process where name="calc.exe"'. The results are listed below.
4. Then use the Runas command to launch another PowerShell window as a normal user (aka a non-administrator) and follow the same procedure. Notice the Path, CommandLine and Executable values are NULL.
I’ve run Process Monitor and looked at security, and I found a few posts on SeDebugPrivilege and adjusting access. I’m still searching for a clear explanation. If / when I have this, I’ll update my post. Stay tuned!
Results as an Administrator
ProcessName : calc.exe
Handles : 51
VM : 65687552
WS : 5050368
Path : C:\Windows\system32\calc.exe
__GENUS : 2
__CLASS : Win32_Process
__SUPERCLASS : CIM_Process
__DYNASTY : CIM_ManagedSystemElement
__RELPATH : Win32_Process.Handle="25048"
__PROPERTY_COUNT : 45
__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER : PC1
__NAMESPACE : root\cimv2
__PATH : \\PC1\root\cimv2:Win32_Process.Handle="25048"
Caption : calc.exe
CommandLine : "C:\Windows\system32\calc.exe"
CreationClassName : Win32_Process
CreationDate : 20081109222814.158575-300
CSCreationClassName : Win32_ComputerSystem
CSName : PC1
Description : calc.exe
ExecutablePath : C:\Windows\system32\calc.exe
ExecutionState :
Handle : 25048
HandleCount : 51
InstallDate :
KernelModeTime : 312500
MaximumWorkingSetSize : 1380
MinimumWorkingSetSize : 200
Name : calc.exe
OSCreationClassName : Win32_OperatingSystem
OSName : Microsoft® Windows Server® 2008 Enterprise |C:\Windows|\Device\Harddisk0\Partition1
OtherOperationCount : 70
OtherTransferCount : 204
PageFaults : 1245
PageFileUsage : 1884
ParentProcessId : 19884
PeakPageFileUsage : 1884
PeakVirtualSize : 65789952
PeakWorkingSetSize : 4932
Priority : 8
PrivatePageCount : 1929216
ProcessId : 25048
QuotaNonPagedPoolUsage : 5
QuotaPagedPoolUsage : 124
QuotaPeakNonPagedPoolUsage : 5
QuotaPeakPagedPoolUsage : 124
ReadOperationCount : 2
ReadTransferCount : 438
SessionId : 1
Status :
TerminationDate :
ThreadCount : 1
UserModeTime : 312500
VirtualSize : 65687552
WindowsVersion : 6.0.6001
WorkingSetSize : 5050368
WriteOperationCount : 0
WriteTransferCount : 0
Results as Non-Administrator
ProcessName : calc.exe
Handles : 51
VM : 65687552
WS : 5050368
Path :
__GENUS : 2
__CLASS : Win32_Process
__SUPERCLASS : CIM_Process
__DYNASTY : CIM_ManagedSystemElement
__RELPATH : Win32_Process.Handle="25048"
__PROPERTY_COUNT : 45
__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER : PC1
__NAMESPACE : root\cimv2
__PATH : \\PC1\root\cimv2:Win32_Process.Handle="25048"
Caption : calc.exe
CommandLine :
CreationClassName : Win32_Process
CreationDate : 20081109222814.158575-300
CSCreationClassName : Win32_ComputerSystem
CSName : PC1
Description : calc.exe
ExecutablePath :
ExecutionState :
Handle : 25048
HandleCount : 51
InstallDate :
KernelModeTime : 312500
MaximumWorkingSetSize : 1380
MinimumWorkingSetSize : 200
Name : calc.exe
OSCreationClassName : Win32_OperatingSystem
OSName : Microsoft® Windows Server® 2008 Enterprise |C:\Windows|\Device\Harddisk0\Partition1
OtherOperationCount : 70
OtherTransferCount : 204
PageFaults : 1245
PageFileUsage : 1884
ParentProcessId : 19884
PeakPageFileUsage : 1884
PeakVirtualSize : 65789952
PeakWorkingSetSize : 4932
Priority : 8
PrivatePageCount : 1929216
ProcessId : 25048
QuotaNonPagedPoolUsage : 5
QuotaPagedPoolUsage : 124
QuotaPeakNonPagedPoolUsage : 5
QuotaPeakPagedPoolUsage : 124
ReadOperationCount : 2
ReadTransferCount : 438
SessionId : 1
Status :
TerminationDate :
ThreadCount : 1
UserModeTime : 312500
VirtualSize : 65687552
WindowsVersion : 6.0.6001
WorkingSetSize : 5050368
WriteOperationCount : 0
WriteTransferCount : 0
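
To repeat the comparison above across every process instead of a single calc.exe, the following PowerShell script can be run once in the administrator window and once in the RunAs window. It is an added example, not part of the original post; it assumes Windows PowerShell with Get-WmiObject available, and the variable names are illustrative.

```powershell
# Added example: run unchanged in both the administrator and the RunAs window,
# then compare the two outputs.

# Record who is asking and whether the token carries the Administrators role.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# The three properties the post reports as empty for a non-administrator.
$props = 'Path', 'CommandLine', 'ExecutablePath'

# PID 0 (Idle) and PID 4 (System) have no image path for any caller, so skip them.
$report = Get-WmiObject -Query 'select * from Win32_Process where ProcessId > 4' |
    ForEach-Object {
        $proc  = $_
        $owner = $null
        try {
            # GetOwner() is a Win32_Process method; it can fail for processes
            # the caller is not allowed to open, so a failure is left as $null.
            $o = $proc.GetOwner()
            if ($o.ReturnValue -eq 0) { $owner = '{0}\{1}' -f $o.Domain, $o.User }
        } catch { }

        # Which of the three properties came back null or empty for this process?
        $empty = @($props | Where-Object { [string]::IsNullOrEmpty($proc.$_) })

        New-Object PSObject -Property @{
            Name      = $proc.Name
            ProcessId = $proc.ProcessId
            SessionId = $proc.SessionId
            Owner     = $owner
            Empty     = ($empty -join ',')
        }
    }

"User: $($identity.Name)  Administrators role: $isAdmin"

# Summary: how many processes returned all three values, how many did not.
$report | Group-Object { if ($_.Empty) { 'empty' } else { 'populated' } } |
    Select-Object Name, Count

# Detail: the processes with at least one empty property, grouped by owner.
$report | Where-Object { $_.Empty } | Sort-Object Owner, Name |
    Format-Table Name, ProcessId, SessionId, Owner, Empty -AutoSize
```

Comparing the Owner column of the "empty" rows between the two runs shows whether the missing values follow process ownership, session, or only the Administrators role.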