GCIH · Question #751
Which PowerShell cmdlet will display the command line parameters used to launch a Windows process?
The correct answer is B. Get-CimInstance. Get-CimInstance queries the Win32_Process WMI class, which exposes a CommandLine property containing the exact parameters used to launch each running process.
Question
Which PowerShell cmdlet will display the command line parameters used to launch a Windows process?
Options
- AGet-Service
- BGet-CimInstance
- CGet-Process
- DGet ChildItem
How the community answered
(40 responses)- A3% (1)
- B90% (36)
- C5% (2)
- D3% (1)
Why each option
Get-CimInstance queries the Win32_Process WMI class, which exposes a CommandLine property containing the exact parameters used to launch each running process.
Get-Service retrieves information about Windows services such as status and display name, and does not provide details about process launch command line parameters.
The Get-CimInstance cmdlet queries WMI/CIM objects including Win32_Process, which has a CommandLine property containing the full command string used to start each process. Running 'Get-CimInstance Win32_Process | Select-Object Name, CommandLine' is the standard forensic method to retrieve process launch parameters and identify malicious executions.
Get-Process retrieves running process objects with properties like CPU and memory usage, but does not natively expose the CommandLine argument string used at process launch.
Get-ChildItem lists items in a file system path or registry location and has no capability to query or display process launch parameters.
Concept tested: PowerShell WMI - process command line forensic investigation
Source: https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/get-ciminstance
Topics
Community Discussion
No community discussion yet for this question.