invoke-processhunter uses WMI Win32_Process queries to search across all domain computers — or a specified subset — for running processes that match a given name or are owned by target users. The command first enumerates computers from the domain controller via LDAP, then dispatches workers to query each host in turn. This makes it useful for locating where a specific tool (such as mmc.exe or powershell.exe) is running, or confirming that a target user has an active process on a remote machine prior to lateral movement. Multi-threading is supported to speed enumeration across large environments.
Process enumeration relies on WMI Win32_Process queries, which require local administrator rights on the target host. Non-admin accounts will receive an access-denied error and the host will be skipped.
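
A defender-side view of the sweep described above, as an added example that is not part of pywerview or its documentation: it flags any source that runs Win32_Process queries against several distinct hosts within a short window, counting access-denied attempts as well. The record fields (ts, src, dst, query, outcome), the thresholds and the sample data are assumptions constructed for illustration, not a real Windows log format.

```python
import re
from collections import defaultdict, deque

# WQL that reads from the Win32_Process class, matched case-insensitively.
WIN32_PROCESS = re.compile(r"\bfrom\s+win32_process\b", re.IGNORECASE)

def find_process_sweeps(events, window=60, min_hosts=3):
    """Flag sources that query Win32_Process on >= min_hosts distinct hosts
    within `window` seconds. Denied attempts count: a skipped host is still
    part of the sweep. events: dicts with the hypothetical normalized fields
    ts (epoch seconds), src, dst, query, outcome ("ok" or "denied")."""
    recent = defaultdict(deque)  # src -> (ts, dst, outcome) still in window
    alerts = {}                  # src -> widest sweep seen for that source
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not WIN32_PROCESS.search(ev["query"]):
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"], ev["outcome"]))
        while q and ev["ts"] - q[0][0] > window:  # expire old entries
            q.popleft()
        hosts = {dst for _, dst, _ in q}
        widest = alerts.get(ev["src"])
        if len(hosts) >= min_hosts and (widest is None or len(hosts) > len(widest["hosts"])):
            alerts[ev["src"]] = {
                "src": ev["src"],
                "first_ts": q[0][0],
                "hosts": sorted(hosts),
                "denied": sorted({d for _, d, o in q if o == "denied"}),
            }
    return list(alerts.values())

def _ev(ts, src, dst, query="SELECT * FROM Win32_Process", outcome="ok"):
    return {"ts": ts, "src": src, "dst": dst, "query": query, "outcome": outcome}

# Constructed sample records, not real logs.
SAMPLE = [
    _ev(1000, "10.0.0.50", "srv01"),
    _ev(1002, "10.0.0.50", "srv02", "select * from win32_process", "denied"),
    _ev(1003, "10.0.0.50", "srv03"),
    _ev(1004, "10.0.0.50", "srv04"),
    _ev(1010, "10.0.0.50", "srv05", "SELECT Name FROM Win32_Service"),  # other class
    _ev(1005, "10.0.0.7", "srv01"),  # single-host poller, e.g. monitoring
    _ev(1500, "10.0.0.7", "srv01"),
]

if __name__ == "__main__":
    for alert in find_process_sweeps(SAMPLE):
        print(alert)
```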

Flags

Domain Controller Connection

-t, --dc-ip (string, required): IP address of the domain controller used to enumerate target computers and users via LDAP.
-w, --workgroup (string): Name of the domain to authenticate with.
-u, --user (string): Username for authentication.
-p, --password (string): Password associated with the specified username.
--hashes (string): NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH.
-k (boolean): Use Kerberos authentication. Reads credentials from the KRB5CCNAME ccache file.
--tls (boolean): Force a TLS connection to the domain controller.

Target Computer Selection

--computername (string[]): One or more specific hostnames or IPs to hunt against (space-separated). Skips LDAP computer enumeration when provided.
--computerfile (string): Path to a file containing hostnames or IPs to query, one per line.
--computer-filter (string): Custom LDAP filter applied when querying computers from the domain controller.
--computer-adspath (string): ADS path to use when searching for computers in LDAP.
-d, --domain (string): Domain to query for target machines.

Target User / Process Selection

--processname (string[]): One or more process names to search for (space-separated). Matching is case-insensitive and uses substring comparison. When omitted, all processes owned by target users are returned.
--groupname (string): Name of a domain group whose members to use as target users.
--username (string): Hunt for processes owned by this specific username.
--user-filter (string): Custom LDAP filter applied when querying target users from the domain controller.
--user-adspath (string): ADS path used when searching for target users in LDAP.
--userfile (string): Path to a file containing usernames to use as targets, one per line.
--targetserver (string): Use the local administrators of this server as the target user list.

Hunt Behaviour

--threads (integer): Number of parallel worker threads to use when querying target hosts. Default: 1.
--stop-on-success (boolean): Stop hunting as soon as the first matching process is found.
--show-all (boolean): Return all processes found, not just those matching target users or process names.
-l, --logging-level (string): Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json (boolean): Print results as JSON instead of the default human-readable format.

Examples

# Hunt for lsass.exe running on all domain hosts
pywerview invoke-processhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --processname lsass.exe

# Hunt for processes owned by a specific user
pywerview invoke-processhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --username bob

# Hunt for multiple process names with 5 threads
pywerview invoke-processhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --processname powershell.exe mmc.exe --threads 5

# Stop after the first match
pywerview invoke-processhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --processname powershell.exe --stop-on-success

# Hunt against a specific subset of hosts
pywerview invoke-processhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --computername srv01.contoso.com srv02.contoso.com --processname powershell.exe

# JSON output
pywerview invoke-processhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --processname powershell.exe --json