How to Get a Process's Command Line Arguments in a Batch Script

When troubleshooting a running application or auditing a system, simply knowing that a process like svchost.exe is running is not enough. You often need to know the full command line that was used to launch it, including any switches or arguments. This information can reveal which specific service is being hosted, what configuration file an application is using, or what task a generic host process is performing.

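This guide will teach you the modern, standard method for retrieving the full command line of a running process using the powerful WMIC (Windows Management Instrumentation Command-line) utility. You will learn the correct query to use and how to parse its output to get this crucial diagnostic information from a batch script. Note that Microsoft has deprecated WMIC, and on recent Windows releases it is an optional feature that may not be installed, so confirm it is available on the systems you target.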

The Challenge: Task Manager Isn't Enough

The command-line counterpart to Task Manager, tasklist.exe, provides the process name and PID, but it does not show the command-line arguments. While the graphical Task Manager's "Details" view can be configured to show this column, you cannot get this information from the tasklist command. For scripting, we need a tool that can query this specific piece of process metadata.

Core Method: WMIC PROCESS

The WMIC (Windows Management Instrumentation Command-line) utility is the definitive tool for querying detailed system and process information. The PROCESS alias allows us to inspect all aspects of running processes.

Command: WMIC PROCESS WHERE "Name='process.exe'" GET CommandLine

  • PROCESS: The WMI class that represents running processes.
  • WHERE "Name='process.exe'": A filter to select only the processes with a specific executable name.
  • GET CommandLine: Specifies that we want to retrieve the CommandLine property.

Basic Example: Getting the Command Line for a Process

Let's find the full command line for all running svchost.exe processes. This is a classic example, as svchost.exe is a generic host, and its command line is the only way to know what it's actually doing.

@ECHO OFF
REM This script is most effective when run as an Administrator.

ECHO --- Getting command lines for all svchost.exe processes ---
ECHO.

WMIC PROCESS WHERE "Name='svchost.exe'" GET CommandLine

Output: this produces a list of the full command-line strings used to launch each instance.

CommandLine
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k RPCSS
C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p
...

Parsing the Output with FOR /F for Scripting

To use this information in a script, you need to capture the output into a variable. A FOR /F loop is the standard method for this.

This script gets the command line for a single, specific process (notepad.exe) and stores it in a variable.

@ECHO OFF
SETLOCAL
SET "ProcessName=notepad.exe"
SET "CommandLine="

ECHO --- Capturing command line for %ProcessName% ---
ECHO.

REM 'skip=1' ignores the "CommandLine" header.
FOR /F "skip=1 tokens=*" %%C IN (
    'WMIC PROCESS WHERE "Name='%ProcessName%'" GET CommandLine'
) DO (
    SET "CommandLine=%%C"
    REM Use GOTO to grab only the first instance if multiple are running.
    GOTO :Found
)

:Found
REM Clean the variable of any invisible trailing characters (a WMIC bug).
FOR %%N IN ("%CommandLine%") DO SET "CommandLine=%%~N"

IF DEFINED CommandLine (
    ECHO The command line is:
    ECHO %CommandLine%
) ELSE (
    ECHO Process "%ProcessName%" not found.
)

ENDLOCAL

Key WMIC PROCESS Properties for Diagnostics

You can GET many other useful properties along with the command line:

  • ProcessId: The unique Process ID (PID).
  • ParentProcessId: The PID of the process that launched this one.
  • ExecutablePath: The full path to the executable file.
  • CreationDate: The exact time the process was started.
  • WorkingSetSize: The amount of memory the process is currently using.

Example: searching for the "chrome.exe" process:

WMIC PROCESS WHERE "Name='chrome.exe'" GET ProcessId,CommandLine,WorkingSetSize

Common Pitfalls and How to Solve Them

  • Administrator Rights: A standard user can only see the processes running under their own account. To get a complete list of all processes on the system (including system services), you must run the script as an Administrator.

  • WMIC Output Quirks: WMIC often adds extra spaces and an invisible trailing carriage return to its output. This can interfere with string operations.

    • Solution: As shown in the script above, always "clean" a variable captured from WMIC by re-assigning it in a simple FOR loop (FOR %%N IN ("%Var%") DO SET "Var=%%~N").
  • "No Instance(s) Available": This is not an error. It's the message WMIC returns when the WHERE clause finds no matching processes. Your script's FOR /F loop will simply not execute, which is why you must initialize your variable (SET "CommandLine=") and check it with IF DEFINED after the loop.

Practical Example: A "Process Investigator" Script

This script takes a process name as an argument and prints a detailed report about it, including its PID, parent process, and full command line.

@ECHO OFF
REM Delayed expansion is needed so !Key! and !Value! are read inside the loop.
SETLOCAL ENABLEDELAYEDEXPANSION
SET "ProcessName=%~1"

IF "%ProcessName%"=="" (
    ECHO [ERROR] Please provide a process name.
    ECHO Usage: %~n0 notepad.exe
    GOTO :End
)

ECHO --- Investigating process: %ProcessName% ---
ECHO.

REM Use the /FORMAT:LIST switch for clean Key=Value output.
FOR /F "tokens=1,* delims==" %%A IN (
    'WMIC PROCESS WHERE "Name='%ProcessName%'" GET ProcessId^,ParentProcessId^,CommandLine /FORMAT:LIST'
) DO (
    REM Reset per line so blank WMIC lines do not reprint the previous pair.
    SET "Key="
    SET "Value="

    REM Clean the key and value of extra spaces/returns.
    FOR /F "tokens=*" %%K IN ("%%A") DO SET "Key=%%K"
    FOR /F "tokens=*" %%V IN ("%%B") DO SET "Value=%%V"

    REM Display the Key=Value pair.
    IF DEFINED Key ECHO !Key! = !Value!

    REM Add a separator after each process instance.
    IF /I "!Key!"=="ProcessId" ECHO -------------------------------
)

:End
ENDLOCAL
Note: This advanced script requires DelayedExpansion to handle the variables inside the loop.
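
When WMIC /FORMAT:LIST output is collected for review outside of batch, the same quirks described above (stray carriage returns, blank separator lines, values that themselves contain "=") have to be handled by whatever parses it. The following is an added example, not part of the original guide: a Python parser for that Key=Value output that also pulls the -k service group out of each svchost.exe command line. The sample text, PIDs and the C:\Tools\app.exe path are constructed for illustration, and the input is assumed to be already decoded to text.

```python
import re

# Constructed sample of WMIC /FORMAT:LIST output (not captured from a real host).
# WMIC ends lines with \r\r\n and separates process instances with blank lines.
SAMPLE = (
    "\r\r\n\r\r\n"
    "CommandLine=C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch\r\r\n"
    "ParentProcessId=700\r\r\n"
    "ProcessId=912\r\r\n"
    "\r\r\n\r\r\n"
    "CommandLine=\"C:\\Tools\\app.exe\" --config=C:\\Tools\\app.ini\r\r\n"
    "ParentProcessId=4120\r\r\n"
    "ProcessId=5208\r\r\n"
    "\r\r\n\r\r\n"
    "CommandLine=\r\r\n"
    "ParentProcessId=4\r\r\n"
    "ProcessId=120\r\r\n"
    "\r\r\n"
)

INT_FIELDS = {"ProcessId", "ParentProcessId"}
SVCHOST_GROUP = re.compile(r"svchost\.exe\"?\s+-k\s+(\S+)", re.IGNORECASE)


def parse_wmic_list(text):
    """Return one dict per process instance from WMIC /FORMAT:LIST text."""
    records, current = [], {}
    for raw in text.split("\n"):
        line = raw.strip()                     # drops the stray \r and padding
        key, sep, value = line.partition("=")  # split on the FIRST '=' only
        if not sep or key in current:          # blank line or repeated key: new instance
            if current:
                records.append(current)
            current = {}
            if not sep:
                continue
        value = value.strip()
        current[key] = int(value) if key in INT_FIELDS and value.isdigit() else (value or None)
    if current:
        records.append(current)
    return records


def svchost_groups(records):
    """Map PID -> service group named by the -k switch of each svchost.exe."""
    groups = {}
    for rec in records:
        match = SVCHOST_GROUP.search(rec.get("CommandLine") or "")
        if match:
            groups[rec["ProcessId"]] = match.group(1)
    return groups
```

An empty CommandLine value is returned as None rather than an empty string, so a report can tell "no command line available" apart from a process launched without arguments.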

Conclusion

The WMIC PROCESS command is the definitive and most powerful built-in tool for getting detailed information about running processes, including their full command-line arguments.

For effective use in a batch script:

  • The core command is WMIC PROCESS WHERE "Name='app.exe'" GET CommandLine.
  • Run your script as an Administrator to get a complete view of all system and user processes.
  • Use a FOR /F loop to parse the WMIC output and capture the command line into a variable.
  • Always be prepared to "clean" the variable captured from WMIC to remove extraneous characters.

By mastering this WMIC query, you can write powerful diagnostic and auditing scripts that give you a deep insight into what is running on your system.