I'm trying to monitor the functioning of an older app. There might be many instances of this app, but the only one I care about runs in a specific user context - all of the others will be running in the localsystem context, and do not reliably indicate whether the app is healthy. If there are no instances of the app running in this specific user context, we must be alerted so that we can correct the problem.
I've been able to run a manual WMIC query (wmic /node:computer1 /user:"kurt-server@example.com" process where name="foo.exe" call getowner) to list the process with that name and their respective owners, but am not seeing how to narrow down the output to determine if the particular foo.exe is being run by user baz.
We've got PRTG 14.4.12.3510+ running on Win 2008 R2. I've upgraded PowerShell on it to v4, if that's any help.
Any help in configuring this would be much appreciated.
Kurt
Article Comments
Thanks. I will investigate writing this up in PowerShell, and will post back a sample once I get it working.
Kurt
Jan, 2015 - Permalink
Gave up on PowerShell. Instead, I'm using a very simple batch file, and still can't get it to work.
I've put together a batch file, and it works just fine when run manually (that is, it does return 0 when at least one instance of the executable is in memory running in the context of the stated user), but fails with the following message:
"\Windows\system32>wmic /node:computer process where name="example.exe" call getowner | findstr username
ERROR: Description = Access is denied.
1 was unexpected at this time.
C:\Windows\system32>if 1 1 goto SendMessage"
The batch file looks like this (send-message.cmd uses blat to send an email to several people):
----------
wmic /node:computer process where name="example.exe" call getowner | findstr username
if %errorlevel% 1 goto SendMessage
if %errorlevel% 0 goto ExitClean

:SendMessage
"c:\program files (x86)\prtg network monitor\custom sensors\exe\send-message.cmd"
echo 2:example.exe Not Running
Exit 2

:ExitClean
echo 0:ok
Exit 0
----------
Jan, 2015 - Permalink
Please check if you set the proper security context for the script. This can be done in the sensor configuration tab.
Jan, 2015 - Permalink
I have tried both settings: "Use security context of probe service" (the service runs under localsystem) and "Use Windows credentials of parent device" (which inherits all the way from the device group of which the monitored server is a member, and that account has local admin rights on the monitored machines.)
Neither works.
Kurt
Jan, 2015 - Permalink
Dear Kurt
Please try PowerShell for this kind of query. When you set the correct execution policy, the script should run.
Jan, 2015 - Permalink
Did you ever get a PowerShell script to accomplish this? I'm looking for the same result and my PowerShell abilities are not getting me to the right solution.
Apr, 2017 - Permalink
Here is an (extremely simple) example, using local WMI, which just lists the owner name of each process:
$processes = Get-WmiObject win32_process
foreach ($process in $processes) {
    $owner = $process.GetOwner()
    write-host $process.Name "is owned by" $owner.User
}
Apr, 2017 - Permalink
Dear kurtbuff
This can only be done if you write a complete script, not with a single WMI query. Please have a look at the getowner() method of the Get-WmiObject win32_process query.
Jan, 2015 - Permalink
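Added example, not posted by anyone in this thread: a complete script built on the GetOwner() approach suggested above, which checks whether at least one instance of the process runs as the given user and mirrors the output lines and exit codes of the batch file (0:ok with exit 0, 2:message with exit 2). The parameter names and defaults are assumptions; it reports a failed WMI query or an unreadable owner separately from "not running", so an access-denied condition is not mistaken for a missing process.

```powershell
# Added example, not from the thread. Parameter names and defaults are assumptions;
# computer1, foo.exe and baz are the sample names used in the question.
param(
    [string]$ComputerName = 'computer1',
    [string]$ProcessName  = 'foo.exe',
    [string]$UserName     = 'baz'
)

# Allow-list the name before it is placed inside the WQL filter string.
if ($ProcessName -notmatch '^[\w.\-]+$') {
    Write-Output "2:invalid process name"
    exit 2
}

try {
    # Runs in whatever security context the sensor is configured to use.
    $procs = @(Get-WmiObject -Class Win32_Process -ComputerName $ComputerName `
        -Filter "Name='$ProcessName'" -ErrorAction Stop)
} catch {
    # Access denied or host unreachable: a query failure, not "process missing".
    Write-Output "2:WMI query failed: $($_.Exception.Message)"
    exit 2
}

$owned = 0       # instances owned by $UserName
$unreadable = 0  # instances whose owner could not be read
foreach ($p in $procs) {
    # GetOwner() can throw if the process exited after it was enumerated.
    try { $owner = $p.GetOwner() } catch { $unreadable++; continue }
    # A non-zero ReturnValue means the owner was not returned (e.g. no access).
    if ($owner.ReturnValue -ne 0) { $unreadable++; continue }
    # Compares the user name only; the Domain property is not checked here.
    if ($owner.User -ieq $UserName) { $owned++ }
}

if ($owned -gt 0) {
    Write-Output "0:ok"
    exit 0
}
if ($unreadable -gt 0) {
    Write-Output "2:owner unreadable for $unreadable instance(s) of $ProcessName"
    exit 2
}
Write-Output "2:$ProcessName Not Running as $UserName"
exit 2
```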