WEBVTT

00:00.000 --> 00:01.575
>> - Hello everyone.

00:01.575 --> 00:03.300
I'm instructor Gerri Roberts,

00:03.300 --> 00:05.565
and this is
PowerShell scripting.

00:05.565 --> 00:07.590
In this video we're
going to learn about

00:07.590 --> 00:10.440
managing processes
using Get-Process.

00:10.440 --> 00:12.570
We're going to learn
about Stop-Process

00:12.570 --> 00:15.190
and Start-Process.

00:15.320 --> 00:19.305
Get-Process is a cmdlet

00:19.305 --> 00:20.745
that allows you to manage

00:20.745 --> 00:23.415
local and remote
processes in PowerShell.

00:23.415 --> 00:25.755
If you don't specify
a computer name,

00:25.755 --> 00:27.810
it automatically assumes
that you're looking at

00:27.810 --> 00:29.760
your local process so

00:29.760 --> 00:32.950
it'll find everything that's
on your local machine.

00:32.950 --> 00:36.600
Stop-Process is another
command you can use to

00:36.600 --> 00:40.934
manage processes and it
allows you to kill a process.

00:40.934 --> 00:44.390
Start-Process is similar only it

00:44.390 --> 00:48.030
allows you to start
a stopped process.

00:48.620 --> 00:52.760
Let's actually take
a look at what that

00:52.760 --> 00:57.180
will look like when we
run it in PowerShell.

00:58.130 --> 01:00.745
In PowerShell,

01:00.745 --> 01:04.670
we can do a couple of different
things with processes.

01:04.670 --> 01:08.120
The first one we talked
about was Get-Process.

01:08.120 --> 01:13.160
We can do just Get-Process.

01:13.160 --> 01:15.530
It shows us a huge list

01:15.530 --> 01:17.870
and you'd be able
to scroll through,

01:17.870 --> 01:20.760
see the different processes.

01:20.760 --> 01:23.720
It'll tell you if it's running,

01:23.720 --> 01:25.790
what kind of CPU, memory,

01:25.790 --> 01:28.230
all that good stuff
that it's using.

01:29.540 --> 01:32.550
That's obviously a lot.

01:32.550 --> 01:39.020
If you wanted to try to
find a process by say ID,

01:39.020 --> 01:45.090
which is this column right here,

01:45.090 --> 01:49.960
you would find the process
that you're looking for.

01:49.960 --> 01:53.735
Let's say for example,

01:53.735 --> 01:56.960
we wanted to bring up
one of the Firefoxes.

01:56.960 --> 02:01.165
We have 2028 as a
Firefox process.

02:01.165 --> 02:03.270
We could go back down.

02:03.270 --> 02:04.550
Let's go ahead and clear

02:04.550 --> 02:06.830
our screen so it's a
little bit easier to read.

02:06.830 --> 02:10.030
We could [NOISE] do
get that process.

02:10.030 --> 02:12.240
Look up by ID.

02:12.240 --> 02:15.480
We have 2028 is our ID.

02:15.480 --> 02:17.570
There. That's much
better looking.

02:17.570 --> 02:19.640
You can see there's
our process and you

02:19.640 --> 02:22.280
can see the information
about the process.

02:22.280 --> 02:26.090
You can also look up
a process by name.

02:26.090 --> 02:30.500
You can do Get-Process
and then name.

02:30.500 --> 02:33.205
Then you just type in Firefox.

02:33.205 --> 02:35.160
There you go, you've
got your list.

02:35.160 --> 02:37.130
This one gives you

02:37.130 --> 02:41.195
a little more results
because it's by name.

02:41.195 --> 02:46.520
There's going to be usually
more than one of each name,

02:46.520 --> 02:50.570
or you might have quite
a few by a similar name.

02:50.570 --> 02:54.155
Say for example, I wasn't sure

02:54.155 --> 02:57.920
exactly what the name
of something was,

02:57.920 --> 03:03.485
but I knew for a fact
that it started with EX.

03:03.485 --> 03:05.060
So I could do EX and

03:05.060 --> 03:06.740
then we can actually
use a wildcard here.

03:06.740 --> 03:08.960
So we do the wildcard asterisk,

03:08.960 --> 03:11.450
Enter and it will pop

03:11.450 --> 03:13.969
up the name of the
item in the process.

03:13.969 --> 03:15.950
If there's more than one,

03:15.950 --> 03:19.690
you would get a list just
like you did with Firefox.

03:19.690 --> 03:24.680
You can also do multiple
values in the name parameter.

03:24.680 --> 03:29.675
You want to do
Get-Process dash name.

03:29.675 --> 03:34.385
We just say I'm going to do

03:34.385 --> 03:38.030
exp because I think one of

03:38.030 --> 03:42.030
them starts with the exp and
then I'm going to do power.

03:42.030 --> 03:43.670
Remember in an earlier video,

03:43.670 --> 03:45.890
we said if there
are multiple values

03:45.890 --> 03:48.335
inside of a parameter
you use a comma.

03:48.335 --> 03:50.450
Here you can see I'm
going to do a comma

03:50.450 --> 03:52.400
between exp and power to try to

03:52.400 --> 03:54.620
find the processes that

03:54.620 --> 03:58.520
start with exp and some
processes that start with power.

03:58.520 --> 04:02.400
I'll look at that. I've got
Explorer starts with exp,

04:02.400 --> 04:05.690
and now we have PowerShell
that starts with power.

04:05.690 --> 04:08.255
You can do that as well.

04:08.255 --> 04:13.640
That's pretty useful and
does help you find things

04:13.640 --> 04:16.280
instead of having to poke
around that giant list that you

04:16.280 --> 04:19.390
saw earlier if you
do just Get-Process.

04:19.390 --> 04:22.760
Another thing you can do is use

04:22.760 --> 04:24.890
computer name to get

04:24.890 --> 04:28.610
the process of a process
on a remote computer.

04:28.930 --> 04:32.015
I'm not connected to a
remote computer so if I

04:32.015 --> 04:35.240
tried to get a remote computer,
I wouldn't get anything.

04:35.240 --> 04:37.555
But I'm going to show you
what that might look like.

04:37.555 --> 04:40.670
You do Get-Process,

04:40.670 --> 04:43.085
and then you do the name or

04:43.085 --> 04:44.450
ID or whatever you wanted

04:44.450 --> 04:46.295
through the process
or all of them.

04:46.295 --> 04:48.580
I'm just going to
get PowerShell.

04:48.580 --> 04:51.350
Computer name would be

04:51.350 --> 04:53.390
the actual parameter that

04:53.390 --> 04:55.490
you would use to
find that computer,

04:55.490 --> 04:57.565
but I'm going to do localhost.

04:57.565 --> 05:00.620
But whatever the
computer name is,

05:00.620 --> 05:03.290
you can use that like if
it's a server or whatnot,

05:03.290 --> 05:05.150
just put that name
there and as long

05:05.150 --> 05:07.370
as it's able to communicate
with that computer,

05:07.370 --> 05:09.755
you'll be able to
pull those processes.

05:09.755 --> 05:13.710
Localhost just stands
for your local computer.

05:16.190 --> 05:19.635
Notice that when I put
it in, I get an error.

05:19.635 --> 05:21.795
That's okay, it happens.

05:21.795 --> 05:23.555
We're going to try with

05:23.555 --> 05:26.890
our actual computer name
to see if we can find it.

05:26.890 --> 05:29.500
The computer name,

05:29.540 --> 05:33.580
I'm going to put
my computer's name

05:34.580 --> 05:38.330
Gerri-PC2 because I don't
have anything I'm connected

05:38.330 --> 05:42.675
to and you can see
that it pops it up.

05:42.675 --> 05:44.930
If you were using
a remote computer,

05:44.930 --> 05:46.700
you could put another
computer name there.

05:46.700 --> 05:49.175
As long as you can
connect to that computer,

05:49.175 --> 05:50.570
you can go ahead and pull up

05:50.570 --> 05:52.385
information about that computer.

05:52.385 --> 05:54.830
You could do
Get-Process and not put

05:54.830 --> 05:57.745
a name or an ID and have
all of the processes,

05:57.745 --> 05:59.395
or you can put a name,

05:59.395 --> 06:00.755
or you can put in an ID.

06:00.755 --> 06:03.845
But the important part is
if you're doing remote,

06:03.845 --> 06:06.425
use a computer name parameter to

06:06.425 --> 06:07.880
actually connect
to that computer

06:07.880 --> 06:10.380
and get that information.

06:11.450 --> 06:14.450
The next command that
you'll want to look

06:14.450 --> 06:17.090
at is the Stop-Process command.

06:17.090 --> 06:19.369
Once you have your
list of processes,

06:19.369 --> 06:22.460
if you find that one is
using up too many resources,

06:22.460 --> 06:24.035
or if it has,

06:24.035 --> 06:26.045
for some reason locked up,

06:26.045 --> 06:28.250
you can use the
Stop-Process command to

06:28.250 --> 06:31.130
essentially kill that
particular process.

06:31.130 --> 06:33.440
This is similar to
the Kill command

06:33.440 --> 06:35.090
in Linux and is also

06:35.090 --> 06:37.340
similar to the
End Task button

06:37.340 --> 06:40.025
you get in Task
Manager in Windows.

06:40.025 --> 06:42.200
The first thing you
want to do is you

06:42.200 --> 06:43.970
want to find your process.

06:43.970 --> 06:45.920
We're going to use Notepad as

06:45.920 --> 06:48.695
an example because that's
an easy one to find.

06:48.695 --> 06:53.535
We do Get-Process,

06:53.535 --> 06:56.865
name and then Notepad.

06:56.865 --> 07:00.330
You see, there's our process.

07:00.330 --> 07:02.880
When using Stop-Process,

07:02.880 --> 07:06.480
you usually use the name switch.

07:06.480 --> 07:09.480
What we do is we do
[NOISE] Stop-Process

07:09.480 --> 07:17.020
name, Notepad.

07:17.020 --> 07:19.040
You notice you
don't get anything.

07:19.040 --> 07:20.360
A lot of times with PowerShell,

07:20.360 --> 07:22.535
you don't necessarily
get a confirmation.

07:22.535 --> 07:24.110
But we can tell
that this process

07:24.110 --> 07:25.790
has been completely
stopped because we

07:25.790 --> 07:30.315
try and we get the
process again.

07:30.315 --> 07:32.510
Red text, it can't find it.

07:32.510 --> 07:34.310
That's because it's
not running anymore.

07:34.310 --> 07:37.010
It's gone, it's disappeared.

07:37.010 --> 07:39.410
Once we stop a process,

07:39.410 --> 07:41.225
if we do want to start it again,

07:41.225 --> 07:44.630
or if we have a
process that maybe

07:44.630 --> 07:46.550
didn't start properly for

07:46.550 --> 07:48.555
like SQL Server or
something like that,

07:48.555 --> 07:50.820
we can restart that process

07:50.820 --> 07:53.370
using the Start-Process command.

07:53.370 --> 07:56.220
The difference with
Start-Process versus

07:56.220 --> 07:59.920
Get-Process and Stop-Process
is with Start-Process,

07:59.920 --> 08:01.580
you actually need to know

08:01.580 --> 08:05.300
where that particular
process is located.

08:05.300 --> 08:07.070
For our purposes here,

08:07.070 --> 08:09.445
Notepad it's pretty
easy to find.

08:09.445 --> 08:12.120
It's in the System32 folder.

08:12.120 --> 08:14.960
The reason we need to know
where it's located is

08:14.960 --> 08:17.570
the file path string

08:17.570 --> 08:19.970
that we need to put in
is actually required,

08:19.970 --> 08:21.950
it's a required parameter.

08:21.950 --> 08:25.955
That allows us to find
the particular process.

08:25.955 --> 08:33.925
You do Start-Process and
then you could do file path,

08:33.925 --> 08:36.485
and then you tell
it where it is.

08:36.485 --> 08:44.460
System32 is going to
be C:\Windows\System32.

08:49.540 --> 08:54.930
Our Notepad is Notepad.exe.

08:56.690 --> 09:00.610
Then Notepad will pop up.

09:01.280 --> 09:04.390
Here you go, you got Notepad.

09:05.300 --> 09:08.450
You could go ahead and
close it normally.

09:08.450 --> 09:13.460
Stop-Process, easy,
Start-Process, not so easy.

09:13.460 --> 09:16.850
You have to find where

09:16.850 --> 09:21.440
that particular item
is using file path.

09:21.440 --> 09:24.200
If it's a normal process,

09:24.200 --> 09:28.399
it's usually in that
System32 folder.

09:28.399 --> 09:30.394
But if you don't know,

09:30.394 --> 09:32.180
you can search for it using

09:32.180 --> 09:34.730
Windows Search and you can

09:34.730 --> 09:38.600
find it and be able
to restart it again.

09:38.600 --> 09:45.240
That is your Stop-Process
and your Start-Process.

09:45.320 --> 09:49.370
Now that we've gone through
our demo for Get-Process,

09:49.370 --> 09:51.635
Start-Process, and Stop-Process,

09:51.635 --> 09:53.735
it's time for a quiz.

09:53.735 --> 09:55.475
Our first assessment question.

09:55.475 --> 09:57.440
What command would
you use to find

09:57.440 --> 09:59.755
a process named "winlogin"?

09:59.755 --> 10:04.665
Would you do
Get-Process -ID winlogin?

10:04.665 --> 10:09.285
Would you do Get-Process
-Name winlogin?

10:09.285 --> 10:13.140
Would you do Get-Process
winlogin or would

10:13.140 --> 10:17.455
you do Get-Process -ID 000?

10:17.455 --> 10:19.160
I'll go ahead and
give you a second to

10:19.160 --> 10:19.894
think about that.

10:19.894 --> 10:25.040
You can also
pause if you want.

10:25.040 --> 10:29.225
The answer is B:
Get-Process -Name winlogin.

10:29.225 --> 10:31.730
Remember, whenever
we're using a name,

10:31.730 --> 10:36.120
we use the -Name
parameter to locate it.

10:37.240 --> 10:40.970
In today's lecture we talked
about getting processes using

10:40.970 --> 10:43.070
the Get-Process command as well

10:43.070 --> 10:46.620
as some other commands we can
use to work with processes.

