Group processes by user with WMI

This snippet uses only WMI and CIM cmdlets to list all the processes and group them by the user that started said process.

Get-CimInstance -ClassName Win32_Account | ForEach-Object {
    $AccountName = $_.Name

    $AssociatedProcesses = Get-CimAssociatedInstance -InputObject $_ -Association Win32_LoggedOnUser | Get-CimAssociatedInstance -Association Win32_SessionProcess

    # don't list users that don't have associated processes
    if ($AssociatedProcesses) {
        [PSCustomObject] @{ Account = $AccountName; Processes = $AssociatedProcesses }
    }
}

References:

WMI - Windows Management Instrumentation

PreviousGet AMSI module NextHide processes from Get-Process

Last updated 1 year ago