I am trying to figure out a way through the Windows command line to determine if a process has no parent.
I know all processes technically have a parent that is controlled by the OS or whatever, but for the sake of simplicity it "has no parent". For instance, if you open an explorer window, it will show up in Process Explorer at the top of its process tree.
When I do a wmic query on the process, however, I get a PID for 'parentProcessPID'. When I try and look up that PID using tasklist, it says that PID is not recognized. I have looked at a couple of processes like this and they seem to have different parent processes that are all inaccessible through tasklist. If a process has a parent process that is inaccessible through tasklist, does that mean it is at the "top" of its process tree?
I am asking because I am trying to differentiate between a program running by itself and the same program running as a child process of another program.
For example:
Let's say I go into the Windows start menu and open up an explorer window. Then, I open up a cmd window and type: explorer.exe. I now have two explorer.exe processes. One is a child process of cmd.exe and one is a stand-alone process. I want to be able, through a wmic or tasklist query, to single out all explorer.exe processes that are a stand-alone process. So, the process I started through the Windows start menu should be returned and not the process started by cmd.exe.
I am running into the issue that every process has a parent process ID, and I do not know how to differentiate between a parent process coming from a program or the parent process coming from a process related to the OS. If I can do the following, that would be great:
Pseudocode:
wmic process where "name='explorer.exe'" get ParentProcessId,ProcessId
tasklist /fi "PID eq <parentProcessID>" > log.txt 2>&1
if(log.txt contains "INFO: No tasks are running which match the specified criteria."){
    // Parent PID is not recognized by tasklist
    // Do something
}
But I am unsure if my logic is correct.
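The check described in the question (a recorded parent PID that no longer resolves to a running process), as an added PowerShell example that is not part of the original post. It also compares creation times, because Windows can hand a PID to a new process after the original parent exits. `Get-ParentStatus`, `$Name` and the status labels are names chosen for this example.

```powershell
# Added example: classify processes by whether their recorded parent still exists.
$Name = 'explorer.exe'   # image name to inspect (assumed value, change as needed)

# Take one snapshot so every parent lookup sees the same set of processes.
$all = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

function Get-ParentStatus {
    param($Process, [hashtable]$Index)

    $parent = $Index[[uint32]$Process.ParentProcessId]

    # The recorded parent PID is not in the snapshot: the creator has exited.
    if (-not $parent) { return 'ParentExited' }

    # System Idle Process (PID 0) lists itself as its parent.
    if ($parent.ProcessId -eq $Process.ProcessId) { return 'NoParent' }

    # PIDs are recycled. A "parent" that started after the child cannot have
    # created it, so it is an unrelated process that reused the PID.
    if ($parent.CreationDate -and $Process.CreationDate -and
        $parent.CreationDate -gt $Process.CreationDate) {
        return 'ParentPidReused'
    }

    return 'ParentRunning'
}

$all | Where-Object Name -eq $Name | ForEach-Object {
    $status = Get-ParentStatus -Process $_ -Index $byPid
    [pscustomobject]@{
        ProcessId       = $_.ProcessId
        ParentProcessId = $_.ParentProcessId
        ParentName      = if ($status -eq 'ParentRunning') {
                              $byPid[[uint32]$_.ParentProcessId].Name
                          } else { $null }
        Status          = $status
    }
} | Format-Table -AutoSize
```

Rows with `ParentExited` or `ParentPidReused` are processes whose creator is gone; `ParentRunning` rows show which live process started them.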