get-netprocess executes a SELECT * FROM Win32_Process WMI query against a target Windows host to retrieve a full list of all currently running processes. The output includes process name, process ID (PID), parent PID, the executable path, and the account under which the process is running. This is particularly valuable during lateral movement reconnaissance to identify security tooling (AV, EDR agents), interesting applications that may hold credentials in memory, and privileged processes whose owners you may want to impersonate or whose sessions you want to target. Local credentials can be used in place of domain credentials.

Flags

--computername (string, required): IP address or hostname of the target Windows host to query for running processes.
-w, --workgroup (string): Name of the domain to authenticate with. Can be omitted when using local credentials.
-u, --user (string): Username for authentication. Accepts both domain accounts (DOMAIN\user) and local accounts.
-p, --password (string): Password associated with the specified username.
--hashes (string): NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH. The LM portion can be omitted or replaced with the empty LM hash.
-k (boolean): Use Kerberos authentication. Reads credentials from the ccache file pointed to by KRB5CCNAME. Falls back to the provided username and password if no valid ticket is found.
-l, --logging-level (string): Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json (boolean): Print results as JSON instead of the default human-readable format.

Examples

# List all running processes on a host using domain credentials
pywerview get-netprocess --computername 192.168.1.10 -u alice -p 'P@ssw0rd' -w contoso.com

# Using local Administrator credentials
pywerview get-netprocess --computername 192.168.1.10 -u Administrator -p 'LocalP@ss'

# Pass-the-hash authentication
pywerview get-netprocess --computername 192.168.1.10 -u alice --hashes :a87f3a337d73085c45f9416be5787d86 -w contoso.com

# JSON output for piping into grep or jq
pywerview get-netprocess --computername 192.168.1.10 -u alice -p 'P@ssw0rd' -w contoso.com --json

WMI process enumeration requires the authenticating account to have local administrator privileges on the target host. Access will be denied for standard user accounts.

Pipe JSON output through jq to filter for specific processes of interest — for example, to check whether lsass.exe or security products like MsMpEng.exe are running:

pywerview get-netprocess --computername 192.168.1.10 ... --json | jq '.[] | select(.name == "lsass.exe")'
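
For defenders, the WMI query named at the top of this page is a usable detection anchor. The following is an added example, not part of pywerview or its documentation: it scans constructed WMI activity records for remote Win32_Process enumeration and marks queries authenticated with a local account. The record fields (host, client_machine, user, operation), the host names and the allowlist are assumptions for illustration.

```python
import re

# The query this page says get-netprocess issues, matched regardless of
# case and spacing. \b keeps Win32_ProcessStartup and similar from matching.
PROCESS_ENUM = re.compile(r"select\s+\*\s+from\s+win32_process\b", re.I)

# Constructed sample records (not real telemetry). Field names are assumed.
SAMPLE_EVENTS = [
    {"host": "WS01", "client_machine": "WS01", "user": "CONTOSO\\svc_inv",
     "operation": "ExecQuery - root\\cimv2 : SELECT * FROM Win32_Process"},
    {"host": "WS01", "client_machine": "MGMT01", "user": "CONTOSO\\svc_inv",
     "operation": "ExecQuery - root\\cimv2 : select * from Win32_Process"},
    {"host": "WS02", "client_machine": "LAPTOP7", "user": "CONTOSO\\alice",
     "operation": "ExecQuery - root\\cimv2 : SELECT  *  FROM win32_process"},
    {"host": "WS02", "client_machine": "LAPTOP7", "user": "CONTOSO\\alice",
     "operation": "ExecQuery - root\\cimv2 : SELECT Name FROM Win32_Service"},
    {"host": "WS03", "client_machine": "LAPTOP7", "user": "WS03\\Administrator",
     "operation": "ExecQuery - root\\cimv2 : SELECT * FROM Win32_Process"},
]


def find_remote_process_enum(events, approved_clients):
    """Return full process-list queries that came from an unapproved remote client."""
    approved = {c.upper() for c in approved_clients}
    findings = []
    for ev in events:
        if not PROCESS_ENUM.search(ev["operation"]):
            continue
        host = ev["host"].upper()
        client = ev["client_machine"].upper()
        if client == host or client in approved:
            continue  # local query, or a sanctioned management host
        # Account prefix equal to the host name means a local account was
        # used, which this page notes is accepted in place of domain creds.
        prefix = ev["user"].split("\\", 1)[0].upper()
        findings.append({
            "host": ev["host"],
            "client": ev["client_machine"],
            "user": ev["user"],
            "local_account": prefix == host,
        })
    return findings


if __name__ == "__main__":
    for finding in find_remote_process_enum(SAMPLE_EVENTS, {"MGMT01"}):
        print(finding)
```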
