如何从 powershell 过滤此输出?

如何从 powershell 过滤此输出?

这是我的 powershell 命令:powershell -noprofile -NonInteractive -Command "(gwmi win32_process | select ProcessID,ParentProcessID,@{e={$_.GetOwner().User}}, CommandLine) | ft -AutoSize"

当我运行它时我得到以下输出

C:\Users\Administrator>powershell -noprofile -NonInteractive -Command  "(gwmi win32_process | select ProcessID,ParentProcessID,@{e={$_.GetOwner().User}}, CommandLine) | ft -AutoSize"

ProcessID ParentProcessID $_.GetOwner().User CommandLine
--------- --------------- ------------------ -----------
        0               0
        4               0
      236               4 SYSTEM
      332             320 SYSTEM
      384             320 SYSTEM             wininit.exe
      392             376 SYSTEM
      420             376 SYSTEM             winlogon.exe
      476             384 SYSTEM
      484             384 SYSTEM             C:\Windows\system32\lsass.exe
      544             476 SYSTEM             C:\Windows\system32\svchost.exe -k DcomLaunch
      584             476 NETWORK SERVICE    C:\Windows\system32\svchost.exe -k RPCSS
      680             420 DWM-1              "dwm.exe"
...
     1256            1176 Administrator      "C:\cygwin64\bin\mintty.exe" -i /Cygwin-Terminal.ico -
     3052            3000 Administrator      \??\C:\Windows\system32\conhost.exe 0x4
     2760            2856 Administrator      "C:\cygwin64\bin\bash.exe"
     2104            1176 Administrator      "C:\Windows\system32\cmd.exe"
     1504            2104 Administrator      \??\C:\Windows\system32\conhost.exe 0x4
     2440            1108 Administrator      "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
     1268            2440 Administrator      "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --channel="2440.0.15...
     2472            2440 Administrator      "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-deferred-image...
     1496            2440 Administrator      "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-deferred-image...
     2640            2840 user001             C:\Windows\system32\cmd.exe /c c:\windows\temp\tmpyaoyv0.bat
     1040            2640 user001             \??\C:\Windows\system32\conhost.exe 0x4

我希望能够过滤user001流程

如果我使用对象位置,我收到此错误:

+ ...  where-object {$.e -eq user001} | ft -AutoSize
+                    ~~~
    + CategoryInfo          : ObjectNotFound: ($.e:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

如果我使用在哪里, 我懂了:

}}, CommandLine) | where $_.GetOwner().User -eq 'user001' | ft -AutoSize"
You cannot call a method on a null-valued expression.
At line:1 char:1
+ (gwmi win32_process | select ProcessID,ParentProcessID,@{e={$_.GetOwner().User}} ..
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

那么正确的过滤方法是什么$_.GetOwner().User

答案1

你的错误只是由于未使用 而导致的标准语法错误$_。如果你确实使用了 propper,$_.attribute你会因为未引用 而收到另一个错误user001

忽略语法错误,您可能需要做的是为 Select-Object 表达式中的值设置一个名称。这样您以后就可以轻松使用它。

(gwmi win32_process | `
 Select-Object ProcessID, ParentProcessID, `
               @{Name='Owner';
                Expression={$_.GetOwner().User}}, `
               CommandLine) | `
Where-Object {$_.Owner -eq 'user001'}

相关内容