How to find strange Windows executables running via WMIC

C:\wmic PROCESS GET ExecutablePath, Commandline, ProcessID, ParentProcessID

If you leave off everything after Process you can see all your searchable options.  > wmic Process |more  or

C:\wmic PROCESS GET /?    this will show all your options

C:\wmic PROCESS  or

wmic:root\cli>PROCESS     also gives the location of where the executable is running from as well.  Very Helpful.
wmic:root\cli>PROCESS LIST

To checkout whats running at startup do the following


For more info you can always use the windows help commands by issuing /? after the command.

wmic:root\cli>STARTUP /?

For really in depth knowledge of wmic I suggest checking out Ed Skoudis at or